volatility_2.6+git20170711.b3db0cc/0000755000000000000000000000000013131215405015135 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/AUTHORS.txt0000644000000000000000000000141213131215405017021 0ustar rootroot=============================================== This file identifies core Volatility authors. All lists are alphabetical. =============================================== Volatility 2.6: ------------ Mike Auty Andrew Case Michael Hale Ligh Jamie Levy AAron Walters Nick L. Petroni, Jr. Volatility 2.4, 2.5: ------------ Mike Auty Andrew Case Michael Hale Ligh Jamie Levy AAron Walters Volatility 2.0, 2.1, 2.2, 2.3: ------------ Mike Auty Andrew Case Michael Cohen Brendan Dolan-Gavitt Michael Hale Ligh Jamie Levy AAron Walters Volatility 1.3: ------------ AAron Walters Volatile Systems LLC Brendan Dolan-Gavitt Volatools Basic authors: ------------ AAron Walters Komoku, Inc. Nick L. Petroni, Jr. Komoku, Inc. volatility_2.6+git20170711.b3db0cc/MANIFEST.in0000644000000000000000000000053413131215405016675 0ustar rootrootinclude *.txt include *.win include MANIFEST.in include setup.py include resources/* include pyinstaller/*.py include volatility/*.py include contrib/plugins/*.py include contrib/plugins/aspaces/*.py include tools/*.py include tools/linux/* include tools/linux/pmem/* include tools/mac/*.py include vol.py include Makefile include pyinstaller.spec volatility_2.6+git20170711.b3db0cc/resources/0000755000000000000000000000000013131215405017147 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/resources/volatility.svg0000644000000000000000000001072413131215405022074 0ustar rootroot image/svg+xml V volatility_2.6+git20170711.b3db0cc/resources/volatility.ico0000644000000000000000000014603513131215405022054 0ustar rootroot (L``,e@@(u00 EhPNG  IHDRkXTgAMA asRGB cHRMz&u0`:pQ<PLTE       !!# 
"$!#$"$%#%'$'(&()'*+)+-*,-+-.,./-/1.02/3425646859:8;=:<>;=?<>@=@A?AC@CEBDFCFHEGIFHIGJLIMNLNPMOQNPROQSPSTRTVSVWUVXUWYVZ\Y\^[^`]ac`cebdecfhehjgikhkmjlnkmolnpmoqnrtqsurtvsvxuwyvz|y|~{ &.-25:6==>DFEILOMRUWUYW[]a_cfgghgjhlpqrwty{~~}ÿltRNSV& pHYs oy vpAgg܊uIDATxoǕǟ{WYeEcJb[cJ XIɢbpRR" [n6% 24(QyC,*Ԉ;S^3o93wfy3syIZ% $EH;$K/*_L@(2 ;y-d1?|=00l&% .!(@ @e!e¦Pi HAzܧ^)3H @;4|q/t@w߭G}wA`7zkˢKH {ņȻyo6uXD`*G? @Ϳֶ칖2@F~r=py }=| Ƚ|v{kOzB0\I9xPzzT9\c4I7Qڪ"@) 5h`SeGo NΚ(J @Ƹ;0/Sί,r `oAxИ1^ ;;Gk-f}gm=l 3ſhp Ĺ0VX+T'p6)GmNvi0U:O3:,"CV.1^oz!PZ~)5l¬0riV;Aq(4j =CWW(vߡ]K`LǗh,K@mOkIzuDIއ4v[뚮msYd~M?KrƾDƤNSW<9;8>RmZF^,SɱO hLP\U`+%R+(PpP] p&rꝹ=5JH7pi+!;0yK37tJ/~ڥ\/: ~{W񺿿zf&H} ,\<9i!*W`uo%9 J מTKъl4^,BU8}M:232 oHc&/-Rsq$T㗷7IeP}9i& 'ep$4ոNME6Hj/,On|/p̭13EiڹHY㞉x@5+je5W QqNx@9ZjhpvR58Y} (jR{,eH2"$O8pLt/2G8I8KאxVjgufUXE4\\j_a9(aS'^M?hw[ZIhZx^4U8 2b'VAKk@ZKM = +~gRZZ.&h4=b?U6$ȷ@>S5As.G=ƀPgp#Xl`̂gl]QkyZs d0@[_غjُ-PE1 X!c_?.z)-d68Ǭ77EqzmmAeG[8ZڜH=@t_ N]`"䕉cjIlZr~ڵk 3v`@MK޸ٙO4}p\˕/>=Ǭ5{zWvSD?w Xw N78Tw?'T^T'HukyA[|~?--ɘܒ?!V"ěKw\9+,/RY_88jEo=K\grџ-vl7~ަW.*h^p7e>`0 -3kQ`|Rup4~e Z>@ΐˍhrp>oo+9 g/ j23G@$>BǸ1$i&e0l3u4!0q`̯`V3K~<!M`R6>` O T#p# K; 2q|y0"h[D,a4E5CQSO} irp YEv㲄Kģ'Lȸc9QW0bq\#i.,1H>`Epe ۿ a,GFK-CNwX"q @Xo)8 \cœ\CLȨLc9"ҵܦ, f~DɄ n3= X9 ^?JƴV`)(]. 3(^QEn]"_u 8zeBFBp0@;ٍCY @LȈ\.rAȈ4w X/l ڞ_<7ZvS WiW)!d}<vp#s4V- z85 i~+:\l?6uzyd8tY/@LM\N&klZcYΎ|x5!do6e/*??R\ xdIrqτXl0K?x,?rS.7fn,kg?(|@LHA9,0 pA0XX-q5Mņ uf-_ R`6Wp(k4xA'@& xq9hZ ˲vv dB: \c H_q x81  aeY;TCdBz2ڠȲ`\A2!9*Nq~5!c2rL'yL²vvLkBFυѵ;L Xr]% KQfwx^I$ yVhda2!,A8I >~kYR^2J cj?'(L&D fXy_۞ Aے Й«|mLuxם'bn P&e\à`v rl*!J@9u$Hz|WK8 >/Bp{,9 Ʉ Q%=ΓGq-d\;(n'[gI(2 9 2Q~:OέhYdB&އۚ?xjW`L|Y\e9[~lL5aIy|:dB ѣ ?9M. 
ɄWN||ESwwLA9xnT@({eQ`LJ+] hX(5 X^/"m ~_ʱLџeϢp L g'P4 pWmi AL~DY1f;w-2!{-?ϰ;< x & qh8'AgBW#Zaf|;y9{FwകL /GVe!9Aq:b+gN0P6>ۄ3^íU`X6`_ g£(Ӆ>Mtj-JK6Kx/"OQ]Z-{$K6 }ӥv-g_BZ@@"S)gf䪣$+sBtImKhkFaD3+ːd@4WzpMs@9Gs@{#mTd=hAb![S2Ŏ.Ƌw)}Oy:'@bIvuꙧ4`jL*W鐿 @&kV Dh;]m dcjҔ?t^ @!pVcU.4V֫Ph/hʣ늑-еR7bwθLKXYk!uJ\}AeW;P VM7x>2ԹL_J@tDw2ԚYpQaBmme1GwrAȬݜS8Nno0W6UuslmC_^Ria5mvCMꝇ!׻okӽ*}?ZV%yPm/Yroim^ָnfRp!O:">≓a% r;}ըxh2 &?C+{=-}iAcam{&Bo>@X|+RC!ft0f`#W߮A}oV(HB ė{5OfkW<=A$#(Zw.{x;jƜ{?RCH 2Pz񶟄57<B75 Hдg) =AB#U4<ų(mL)L(PjJ\)CX%tEXtdate:create2011-02-15T00:10:03+00:00|%tEXtdate:modify2011-02-14T23:55:40+00:00tIENDB`(@   "$##%$$'%%(&&)'(+)*-++-,,.-/200312433644756978:99;::=;>@?@BABECDGEEHFGIHJLJKNLLOMMPNNQOORPPSQTVUUWVUXVVYWY\Z\_]^a__b``caadbdfeegffiggjhiljjmkknllomnqoqtrrussvttwuuxvvywwzxx{yy|zz}{{~|&!-.516;==D>EFMINPURVX][`bfbghhjplqqtw|z|~~~ţzE,  %=qܦL :Ս> 1}Ђ2%pj4w  &-( B܆=qãzElܡNܿt& xܳ-#qȂ2܍qՇKqJ~.98n )E ܪ-z܆&NB܆@܃7ܪxܧ n !48?p'(܍XWWWWWDܲyܓPPPPPP[ܯ-AUPPPPPPP܍ܡ&ܴPPPPPPPPfqKaPPPPPPPPR9܆QPPPPPPPPP :)ܕPPPPPPPPPPWvwVPPPPPPPPPPP* 8ܷPPPPPPPPPPPPb܆jbPPPPPPPPPPPPQJQPPPPPPPPPPPPPܡ܃ܖPPPPPPPPPPPPPPU-22qWPPPPPPPPPPPPPPPܭܹPPPPPPPPPPPPPPPP^܍#dPPPPPPPPPPPPPPPPQm>>qQPPPPPPPPPPPPRPPPPkܭ ܗPPPPPPPPPPPPQPPPPTܦXPPPPPPPPPPPP^XPPPPEKLOܻPPPPPPPPPPPPPܗPPPP[ܣfPPPPPPPPPPPPTQPPPP RPPPPPPPPPPPPkdPPPPf:zܣ=ܙPPPPPPPPPPPPPܺPPPPR܆HzqYPPPPPPPPPPPP\WPPPPܰ.HܽPPPPPPPPPPPPPܗPPPPW*fPPPPPPPPPPPPSQPPPPRPPPPPPPPPPPPhdPPPPb1 ܚPPPPPPPPPPPPPܹPPPPQ=[PPPPPPPPPPPP[WPPPPHܾPPPPPPPPPPPPPܖPPPPUl&hPPPPPPPPPPPPRQPPPPs-SPPPPPPPPPPPPfdPPPP^{~(ܜPPPPPPPPPPPPPܹPPPPQv\PPPPPPPPPPPPYWPPPPknPPPPPPPPPPPPPܖPPPPTL kPPPPPPPPPPPPQQPPPP@TPPPPPPPPPPPPddPPPP[6%ܝPPPPPPPPPPPPPܷPPPPP=]PPPPPPPPPPPPWWPPPPfqzQPPPPPPPPPPPPܖPPPPR&܍EܒPPPPPPPPPPPPQQPPPP܏>ܳTPPPPPPPPPPPPb_PPPPSHq ܞPPPPPPPPPPPPPܕPPPPP;t^PPPPPPPPPPPPVܷPPPPPSܱ 
܉&ܾPPPPPPPPPPPPPܝPPPPPPYo:dPPPPPPPPPPPPPePPPPPPPb!0ܶQPPPPPPPPPPPPTܷRPPPPPPPP_}2ܴRPPPPPPPPPPPPPQܜQPPPPPPPPPPR{0ܢhdVPPPPPPPPPPPPPPPPQY`iܖgaTPPPPPPPPPPPPPPQZ-{%fPPPPPPPPPPPPPPPPPPPPPPPPgUPPPPPPPPPPPPPPPPPPP`qfPPPPPPPPPPPPPPPPPPPPPPPPgUPPPPPPPPPPPPPPPPPPP`H#ܿ~fPPPPPPPPPPPPPPPPPPPPPPPPgUPPPPPPPPPPPPPPPPPPP`s4ܼܵ: ܲnܭvB.Fܤl" -xNܦ- ܊AL 1-L4܀ܿ?܀ܡ'LMz1-B8qƍܦ n8ܑJ-܋ vܑHܤ"MܯܑJܭ.(ܑH:D-ܑHH܁mܑJ{-ALEܑHܱo!-9 ܑJܣܬ*JܑJ܍ܐKܑH܎ t܇2JܑJ܎#s׍> JܑH܎.}ܦKJܑJ܎ :ܑܱHܑJܑHܑHܑJܑHܑJܑJܑHܑJܑHܑH̦???????????????????????(`$00    ! #!!$""$#$'%%(&&('')(*-+,.--/..1//200311323644755866977988;9:=;>@??A@@BABECCFDDGEEHFFIGGIHIKJKNLLOMMPNNQOPSQQTRRTSSUTTVUUWVVYWX[YY\ZZ][\_]]`^`caceddfeegffhggjhjmkknllommpnnqopsqsvttwuvywwzxz|{|}& ..62==D>EFLINPTQVX][^`fbggikqqtw|z|~}~~~zQA,,AQ{̂9:x++zߊ!ߥ%-AMA.'߱5QO9F%v߰r"H߬RP߇CBq3߮2t8 ߒ > !*==1HqrN|ߋߢ~{J߼UUUUZF .iUUUUU*%߁WUUUUUaߜUUUUUUU߯vu^UUUUUUUlnz ߽UUUUUUUUX OjUUUUUUUUU|SWUUUUUUUUU]tߞUUUUUUUUUUU߇w"$_UUUUUUUUUUUh(zUUUUUUUUUUUUVv~lUUUUUUUUUYUUU߲2YUUUUUUUUUVUU[4oߟUUUUUUUUU\fUUUR߉`UUUUUUUUU߸UUUdߩJUUUUUUUUUV[UUV P89pUUUUUUUUUfߗUUU2>"IYUUUUUUUUUVUUYD(rߠUUUUUUUUU[eUUUTbUUUUUUUUU߸UUUa|VUUUUUUUUV[UUUߌ߭ߔUUUUUUUUUeߗUUUkߩߐZUUUUUUUUUVUUXߐߡUUUUUUUUUZeUUU߬cUUUUUUUUUߵUUU]ߩVUUUUUUUUV[UUUߋߕUUUUUUUUUcߗUUUh|rZUUUUUUUUUVUUVT$IߵUUUUUUUUUYfUUUF*98dUUUUUUUUUߵUUUZ2>JVUUUUUUUUVWUUU PߊߖUUUUUUUUUabUUUZߦTZUUUUUUUUU^UUUUdP2ߛUUUUUUUUUVVUUUUUp4~߷VUUUUUUUUUV߾ZUUUUUUU]߱xߛf]UUUUUUUUUUUUX`gjߚ_XUUUUUUUUUUUZt$!bUUUUUUUUUUUUUUUUUUdUUUUUUUUUUUUUU`(tbUUUUUUUUUUUUUUUUUUdUUUUUUUUUUUUUU`߆wߺ߻R~xq  wqR|߭߃"-'' MH ߥ|߇MTTR.884"߳ߴ&@ 6=ߍCu.4:߫*xߎ>6=߳:߰N4:ߴJJq4=߬TNߴ=T6=A߫+ 6:߫.ߏ% 4=߫&|. 
5=߫.|̈́:5:߬:5=5:5:5=5=5:5=5:B F????????????(@uu  !!!%%%'''(((+++,,,---...///111333444555666777888:::===>>>AAAEEEHHHIIIJJJLLLMMMPPPSSSVVVXXXZZZ\\\___fffgggkkklllooossstttuuuxxxzzz|||}}} ((,,//0033667788>>??CCDDEEFFGGJJKKQQUUZZ\\aaddeeiimmqqssttvvwwzz{{ѱ~Cީ>*: ~<+6@y;1"y "yՊ8"6>/- >/ / 3"DDDyy nDDDb ODDDD61<-DDDDDs ]DDDDDOC(88DDDDDDDoDDDDDDDZy<"PDDDDDMDD>wDDDDDDPDl_DDDDDMsDJ@yDDDDDDmDD-+vDDDDDD_DU6RDDDDDYDD@DDDDDDPDg~eDDDDDJsDG&CDDDDDDjDD-yDDDDDD]DSy/>=- =<ޱ// 6"<3C&-y~&ީ61@&5 y("<<&(w"ф&&&"&66y???????(0`  !!!$$$&&&'''***+++,,,...000111333666777888<<<>>>???@@@IIIMMMOOOQQQRRRTTTXXXYYYZZZ[[[\\\```aaabbbdddeeefffggghhhiiijjjmmmrrrxxxyyyzzz{{{|||}}}~~~!!##,,0099>>??@@BBMMQQRRWW]]__ggiillnnpprrww{{յ}q#6## A*Aŀ- t/w(@#F/> Fwqcf# 4TII A:III_t _IIII:0%IIIIIl IIIIITq VIIIIaIn(:+IIII]I[!{aIIII]IIIIIRIg(wIIIIjRQ0AVIIIIjI@6IIIIZIY@:bIIII[I0AOIIIQIc(w!{IIIIePI:+VIIIIVIX gIIIIOוIII]F( IIIIIIIITIIIIIIIr0!llkkkklkllkkkklk:>w 0 Fn#nr06A!A-t)-A- {(?nr)F>{o????( @ !!!%%%((()))***---///111222444555999:::===>>>@@@CCCDDDEEEJJJKKKNNNOOORRRTTTUUUVVVWWWXXXeeekkknnnooossstttuuuyyyzzz||| ""##++//11::;;>>??TTUU[[__eeggkkoo}nf+[N uO u]-/|% P7--Yigkvq--?5PSA-/|6e%*B"1-<[;ME"^--f1sMU8-3>@'+kv_--:|s:-ZQ Qr<<<<\Y<<=qigO n%!M uk'v~vGVi VI d`MnI *v~cvJ cvI SE??( mmmcccwwwVVVIII<<<hhh;;;??@@[[??TTThhhllhhpp``|||FFvvIII55nnnZZZCCCCC>>>LLL>>>AAAsss???LLLQQQ???aaaϰpqrstuvwxyz{|}~`abcdefghijklmnoPQRSTUVWXYZ[\]^_@ABCDEFGHIJKLMNO0123456789:;<=>? 
!"#$%&'()*+,-./ ??volatility_2.6+git20170711.b3db0cc/.gitattributes0000644000000000000000000000001413131215405020023 0ustar rootroot* text=auto volatility_2.6+git20170711.b3db0cc/.gitignore0000644000000000000000000000074513131215405017133 0ustar rootroot*.py[cod] # Pycharm ide library .idea *.swp # C extensions *.so # Packages *.egg *.egg-info dist build eggs parts bin var sdist develop-eggs .installed.cfg lib lib64 # Installer logs pip-log.txt # Unit test / coverage reports .coverage .tox nosetests.xml # Translations *.mo # Mr Developer .mr.developer.cfg .project .pydevproject .svn/ .DS_Store # compressed files *.zip *.7z *.rar *.tar.gz *.gz # common memory extensions: *.vmem *.mem *.img *.dmp *.sys *.bin *.001 *.raw volatility_2.6+git20170711.b3db0cc/pyinstaller.spec0000644000000000000000000000175713131215405020371 0ustar rootroot# -*- mode: python -*- import sys projpath = os.path.dirname(os.path.abspath(SPEC)) def get_plugins(list): for item in list: if item[0].startswith('volatility.plugins') and not (item[0] == 'volatility.plugins' and '__init__.py' in item[1]): yield item exeext = ".exe" if sys.platform.startswith("win") else "" a = Analysis([os.path.join(projpath, 'vol.py')], pathex = [HOMEPATH], hookspath = [os.path.join(projpath, 'pyinstaller')]) pyz = PYZ(a.pure) plugins = Tree(os.path.join(projpath, 'volatility', 'plugins'), os.path.join('plugins')) exe = EXE(pyz, a.scripts + [('u', '', 'OPTION')], a.binaries, a.zipfiles, a.datas, plugins, name = os.path.join(projpath, 'dist', 'pyinstaller', 'volatility' + exeext), debug = False, strip = False, upx = True, icon = os.path.join(projpath, 'resources', 'volatility.ico'), console = 1) volatility_2.6+git20170711.b3db0cc/pyinstaller/0000755000000000000000000000000013131215405017503 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/pyinstaller/hook-volatility.py0000644000000000000000000000133113131215405023211 0ustar rootroot import os projpath = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) 
# Dotted module names to report for the frozen build; seeded with the
# plugins package itself.
modules = set(['volatility.plugins'])

# Walk <projpath>/volatility/plugins and turn each file found into a
# "volatility.plugins.<dotted.path>" module name.
# NOTE(review): there is no filter on file extension, so every file in the
# tree (not only *.py) produces a name. Whatever sits in the plugins
# directory at build time is what ends up in the list below, so the build
# tree should be a clean, reviewed checkout.
for dirpath, _dirnames, filenames in os.walk(os.path.join(projpath, 'volatility', 'plugins')):
    # Make dirpath relative to the plugins directory
    dirpath = dirpath[len(os.path.join(projpath, 'volatility', 'plugins')):]
    if dirpath and dirpath[0] == os.path.sep:
        dirpath = dirpath[1:]
    for filename in filenames:
        # Strip the extension and re-attach the relative directory
        path = os.path.join(dirpath, os.path.splitext(filename)[0])
        # Skip dot-entries below a sub-directory.
        # NOTE(review): the test uses a literal "/" rather than os.path.sep,
        # and a dot-file directly in the plugins directory has no leading
        # "/" in `path`, so neither case is skipped here - confirm intent.
        if "/." in path:
            continue
        # Skip anything containing a double underscore (e.g. __init__)
        if "__" in path:
            continue
        # Convert the relative path into a dotted module name
        path = path.replace("-", "_")
        path = path.replace(os.path.sep, ".")
        modules.add("volatility.plugins." + path)

# presumably the name PyInstaller reads from a hook module - TODO confirm
hiddenimports = list(modules)
volatility_2.6+git20170711.b3db0cc/pyinstaller/hook-openpyxl.py0000755000000000000000000000070013131215405022671 0ustar rootroot
# Openpyxl hook
#
# This currently contains the hardcoded location for the .constants.json file
# It could be improved by carrying out a search, or using sys.path
#
# This also requires the openpyxl module to be modified with the following patch:
# import sys
# if hasattr(sys, '_MEIPASS'):
#     here = sys._MEIPASS

import os
import sys

datas = []

# One (source path, destination) pair is appended per sys.path entry, without
# checking that the file exists there.
# NOTE(review): the file that is bundled is taken from whichever sys.path
# directories contain it; directories on sys.path that other users can write
# to would be a way for an unreviewed file to enter the build - verify the
# build environment's sys.path.
for path in sys.path:
    datas.append((os.path.join(path, "openpyxl", ".constants.json"), ""))
volatility_2.6+git20170711.b3db0cc/pyinstaller/hook-distorm3.py0000755000000000000000000000102613131215405022561 0ustar rootroot
# Distorm3 hook
#
# This currently contains the hardcoded location for the standard distorm3.dll install
# It could be improved by carrying out a search, or using sys.path
#
# This also requires the distorm3 module to be modified with the following patch:
# import sys
# if hasattr(sys, '_MEIPASS'):
#     _distorm_path = sys._MEIPASS

import os
import sys

datas = []

# For every sys.path entry, both the Windows and the Linux library names are
# appended, again without an existence check.
# NOTE(review): these are native libraries that the frozen program loads, so
# the same provenance concern applies with more weight - the DLL/.so is
# picked up from any sys.path directory that has a distorm3/ sub-directory.
# Consider pinning the source location and recording a hash at build time.
for path in sys.path:
    datas.append((os.path.join(path, "distorm3", "distorm3.dll"), ""))
    datas.append((os.path.join(path, "distorm3", "libdistorm3.so"), ""))
volatility_2.6+git20170711.b3db0cc/pyinstaller/hook-yara.py0000644000000000000000000000017013131215405021745 0ustar rootroot
import os
import sys

datas = []

# NOTE(review): `path` is not used in the loop body, so the same two bare
# file names are appended once per sys.path entry and are not tied to any
# directory - confirm where the build is expected to find them.
for path in sys.path:
    datas.append(("yara.pyd", ""))
    datas.append(("yara.so",
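""))
volatility_2.6+git20170711.b3db0cc/volatility/0000755000000000000000000000000013131215405017335 5ustar rootroot
volatility_2.6+git20170711.b3db0cc/volatility/utils.py0000644000000000000000000001253513131215405021055 0ustar rootroot
# Volatility
#
# Authors:
# Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

import volatility.exceptions as exceptions
import volatility.registry as registry
import volatility.addrspace as addrspace
import volatility.debug as debug
import socket
import itertools

#pylint: disable-msg=C0111

def load_as(config, astype = 'virtual', **kwargs):
    """Loads an address space by stacking valid ASes on top of each other (priority order first)

    Every registered subclass of addrspace.BaseAddressSpace is tried in
    ascending `order` (classes without an `order` attribute sort as 10).
    The first class whose constructor accepts the current stack becomes the
    new top and a new voting round starts; stacking stops after a full round
    in which no class accepts.

    config -- passed through to each address space constructor
    astype -- passed through as the `astype` keyword; when it is 'virtual'
              the final stack must be an AbstractVirtualAddressSpace
    kwargs -- passed through to each address space constructor

    Returns the top of the stack.  Raises exceptions.AddrSpaceError, carrying
    the reason recorded for each rejected class, when nothing suitable was
    built.
    """
    base_as = None
    error = exceptions.AddrSpaceError()

    # Start off requiring another round
    found = True

    ## A full iteration through all the classes without anyone
    ## selecting us means we are done:
    while found:
        debug.debug("Voting round")
        found = False
        for cls in sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values(),
                          key = lambda x: getattr(x, 'order', 10)):
            debug.debug("Trying {0} ".format(cls))
            try:
                base_as = cls(base_as, config, astype = astype, **kwargs)
                debug.debug("Succeeded instantiating {0}".format(base_as))
                found = True
                break
            except addrspace.ASAssertionError as e:
                # Expected rejection: the class does not apply to this stack
                debug.debug("Failed instantiating {0}: {1}".format(cls.__name__, e), 2)
                error.append_reason(cls.__name__, e)
                continue
            except Exception as e:
                # Deliberately broad: one failing address space must not stop
                # the others from being tried.  The exception is not lost, it
                # is recorded as a reason on the AddrSpaceError.
                debug.debug("Failed instantiating (exception): {0}".format(e))
                error.append_reason(cls.__name__ + " - EXCEPTION", e)
                continue

    # A virtual address space was requested but the stack did not end in one
    if not isinstance(base_as, addrspace.AbstractVirtualAddressSpace) and (astype == 'virtual'):
        base_as = None

    if base_as is None:
        raise error

    return base_as

def Hexdump(data, width = 16):
    """ Hexdump function shared by various plugins

    Yields (offset, hexdata, translated_data) for each `width`-byte row of
    `data`: the row's starting offset, its bytes as space-separated two-digit
    hex, and a list holding each character, or "." for any character whose
    code is not in 33..126.  Space and all control characters therefore
    render as ".".
    """
    for offset in xrange(0, len(data), width):
        row_data = data[offset:offset + width]
        translated_data = [x if 32 < ord(x) < 127 else "." for x in row_data]
        hexdata = " ".join(["{0:02x}".format(ord(x)) for x in row_data])

        yield offset, hexdata, translated_data

def remove_unprintable(str):
    """Returns `str` with every character outside codes 32..126 removed.

    Control characters, including ESC (0x1b), are dropped, so text run
    through this function cannot carry terminal escape sequences.
    """
    # NOTE(review): the `ord(c) == 9` alternative looks intended to keep TAB,
    # but it only matters for codes <= 31 that are also 9 - which it does
    # keep.  Newline and carriage return are removed.
    return ''.join([c for c in str if (ord(c) > 31 or ord(c) == 9) and ord(c) <= 126])

# Compensate for Windows python not supporting socket.inet_ntop and some
# Linux systems (i.e. OpenSuSE 11.2 w/ Python 2.6) not supporting IPv6.

def inet_ntop(address_family, packed_ip):
    """Converts a packed IPv4 or IPv6 address to its text form.

    address_family -- socket.AF_INET or socket.AF_INET6
    packed_ip      -- str of 4 (AF_INET) or 16 (AF_INET6) bytes

    Raises TypeError when packed_ip is not a str, ValueError when it has the
    wrong length, and socket.error for any other address family.
    """

    def inet_ntop4(packed_ip):
        """Dotted-quad form of a 4-byte packed address"""
        if not isinstance(packed_ip, str):
            raise TypeError("must be string, not {0}".format(type(packed_ip)))
        if len(packed_ip) != 4:
            raise ValueError("invalid length of packed IP address string")
        return "{0}.{1}.{2}.{3}".format(*[ord(x) for x in packed_ip])

    def inet_ntop6(packed_ip):
        """Colon-hex form of a 16-byte packed address, with the longest run
        of zero words collapsed and embedded IPv4 addresses shown dotted"""
        if not isinstance(packed_ip, str):
            raise TypeError("must be string, not {0}".format(type(packed_ip)))
        if len(packed_ip) != 16:
            raise ValueError("invalid length of packed IP address string")

        # Eight big-endian 16-bit words
        words = []
        for i in range(0, 16, 2):
            words.append((ord(packed_ip[i]) << 8) | ord(packed_ip[i + 1]))

        # Replace a run of 0x00s with None
        numlen = [(k, len(list(g))) for k, g in itertools.groupby(words)]
        # Stable double sort: smallest word value first and, within it, the
        # longest run first - i.e. the longest zero run when there is one
        max_zero_run = sorted(sorted(numlen, key = lambda x: x[1], reverse = True), key = lambda x: x[0])[0]
        words = []
        for k, l in numlen:
            if (k == 0) and (l == max_zero_run[1]) and not (None in words):
                words.append(None)
            else:
                for i in range(l):
                    words.append(k)

        # Handle encapsulated IPv4 addresses
        encapsulated = ""
        if (words[0] is None) and (len(words) == 3 or (len(words) == 4 and words[1] == 0xffff)):
            words = words[:-2]
            encapsulated = inet_ntop4(packed_ip[-4:])
        # If we start or end with None, then add an additional :
        if words[0] is None:
            words = [None] + words
        if words[-1] is None:
            words += [None]
        # Join up everything we've got using :s
        text = ":".join(["{0:x}".format(w) if w is not None else "" for w in words])
        # An IPv4-mapped address leaves "ffff" as the last hex word; without
        # this separator the result would read "::ffff1.2.3.4" instead of
        # "::ffff:1.2.3.4", which misreports the address in plugin output.
        if encapsulated and not text.endswith(":"):
            text += ":"
        return text + encapsulated

    if address_family == socket.AF_INET:
        return inet_ntop4(packed_ip)
    elif address_family == socket.AF_INET6:
        return inet_ntop6(packed_ip)
    raise socket.error("[Errno 97] Address family not supported by protocol")

def iterfind(data, string):
    """This function is called by the search_process_memory()
    method of windows, linux, and mac process objects

    Yields the offset of each non-overlapping occurrence of `string` in
    `data`, in ascending order.  An empty `string` yields nothing.
    """
    # An empty needle matches at the same offset on every call to find(), so
    # the loop below would never advance and the generator would never end.
    if not string:
        return

    offset = data.find(string, 0)
    while offset >= 0:
        yield offset
        # Resume after the match, so overlapping occurrences are not reported
        offset = data.find(string, offset + len(string))
volatility_2.6+git20170711.b3db0cc/volatility/obj.py0000644000000000000000000013405513131215405020471 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Copyright (C) 2005,2006 4tphi Research
# Author: {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.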
# """ @author: AAron Walters @license: GNU General Public License 2.0 @contact: awalters@4tphi.net @organization: Volatility Foundation """ #pylint: disable-msg=C0111,W0613 import sys if __name__ == '__main__': sys.path.append(".") sys.path.append("..") import cPickle as pickle # pickle implementation must match that in volatility.cache import struct, copy, operator import volatility.debug as debug import volatility.fmtspec as fmtspec import volatility.exceptions as exceptions import volatility.plugins.overlays.native_types as native_types ## Curry is now a standard python feature import functools Curry = functools.partial import traceback class classproperty(property): def __get__(self, cls, owner): # We don't think pylint knows what it's talking about here return self.fget.__get__(None, owner)() #pylint: disable-msg=E1101 def get_bt_string(_e = None): return ''.join(traceback.format_stack()[:-3]) class NoneObject(object): """ A magical object which is like None but swallows bad dereferences, __getattribute__, iterators etc to return itself. Instantiate with the reason for the error. 
""" def __init__(self, reason = '', strict = False): if not hasattr(sys, "frozen"): debug.debug("None object instantiated: " + reason, 2) self.reason = reason self.strict = strict if strict: self.bt = get_bt_string() def __str__(self): ## If we are strict we blow up here if self.strict: debug.error("Strict NoneObject string failure: {0} n{1}".format(self.reason, self.bt)) sys.exit(0) else: debug.warning("NoneObject as string: {0}".format(self.reason)) return "" def write(self, data): """Write procedure only ever returns False""" return False def __repr__(self): return "" ## Behave like an empty set def __iter__(self): return self def __len__(self): return 0 def __format__(self, formatspec): spec = fmtspec.FormatSpec(string = formatspec, altform = False, formtype = 's', fill = "-", align = ">") return format('-', str(spec)) def next(self): raise StopIteration() def __getattr__(self, attr): # By returning self for any unknown attribute # and ensuring the self is callable, we cover both properties and methods # Override NotImplemented functions in object with self return self def __bool__(self): return False def __nonzero__(self): return False def __eq__(self, other): return (other is None) def __ne__(self, other): return not self.__eq__(other) ## Make us subscriptable obj[j] def __getitem__(self, item): return self def __call__(self, *arg, **kwargs): return self def __int__(self): return -1 # These must be defined explicitly, # due to the way new style objects bypass __getattribute__ for speed # See http://docs.python.org/reference/datamodel.html#new-style-special-lookup __add__ = __call__ __sub__ = __call__ __mul__ = __call__ __floordiv__ = __call__ __mod__ = __call__ __divmod__ = __call__ __pow__ = __call__ __lshift__ = __call__ __rshift__ = __call__ __and__ = __call__ __xor__ = __call__ __or__ = __call__ __radd__ = __call__ __rsub__ = __call__ __rmul__ = __call__ __rfloordiv__ = __call__ __rmod__ = __call__ __rdivmod__ = __call__ __rpow__ = __call__ __rlshift__ = 
__call__ __rrshift__ = __call__ __rand__ = __call__ __rxor__ = __call__ __ror__ = __call__ class InvalidOffsetError(exceptions.VolatilityException): """Simple placeholder to identify invalid offsets""" pass def Object(theType, offset, vm, name = None, **kwargs): """ A function which instantiates the object named in theType (as a string) from the type in profile passing optional args of kwargs. """ name = name or theType offset = int(offset) try: if vm.profile.has_type(theType): result = vm.profile.types[theType](offset = offset, vm = vm, name = name, **kwargs) return result except InvalidOffsetError: ## If we cant instantiate the object here, we just error out: return NoneObject("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name), strict = vm.profile.strict) ## If we get here we have no idea what the type is supposed to be? ## This is a serious error. debug.warning("Cant find object {0} in profile {1}?".format(theType, vm.profile)) class BaseObject(object): # We have **kwargs here, but it's unclear if it's a good idea # Benefit is objects will never fail with duff parameters # Downside is typos won't show up and be difficult to diagnose def __init__(self, theType, offset, vm, native_vm = None, parent = None, name = None, **kwargs): self._vol_theType = theType self._vol_offset = offset self._vol_vm = vm self._vol_native_vm = native_vm self._vol_parent = parent self._vol_name = name if not self.obj_vm.is_valid_address(self.obj_offset): raise InvalidOffsetError("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, self.obj_name)) @property def obj_type(self): return self._vol_theType @property def obj_vm(self): return self._vol_vm @property def obj_offset(self): return self._vol_offset @property def obj_parent(self): return self._vol_parent @property def obj_name(self): return self._vol_name @property def obj_native_vm(self): return self._vol_native_vm or self._vol_vm def set_native_vm(self, native_vm): """Sets the native_vm """ 
self._vol_native_vm = native_vm def rebase(self, offset): # If it's needed, we should be using the __getstate__ and __setstate__ functions raise DeprecationWarning("The rebase function has been deprecated and will be removed in future versions") def proxied(self, attr): return None def newattr(self, attr, value): """Sets a new attribute after the object has been created""" return BaseObject.__setattr__(self, attr, value) def write(self, value): """Function for writing the object back to disk""" pass def __getattr__(self, attr): """ This is only useful for proper methods (not ones that start with __ ) """ ## Search for the attribute of the proxied object proxied = self.proxied(attr) # Don't do a __nonzero__ check on proxied or things like '' will fail if proxied is None: raise AttributeError("Unable to resolve attribute {0} on {1}".format(attr, self.obj_name)) return getattr(proxied, attr) def __setattr__(self, attr, value): try: object.__setattr__(self, attr, value) except AttributeError: pass def __nonzero__(self): """ This method is called when we test the truth value of an Object. In volatility we consider an object to have True truth value only when its a valid object. Its possible for example to have a Pointer object which is not valid - this will have a truth value of False. You should be testing for validity like this: if X: # object is valid Do not test for validity like this: if int(X) == 0: or if X is None: ..... the later form is not going to work when X is a NoneObject. 
""" result = self.obj_vm.is_valid_address(self.obj_offset) return result def __eq__(self, other): return self.v() == other or ((self.__class__ == other.__class__) and (self.obj_offset == other.obj_offset) and (self.obj_vm == other.obj_vm)) def __ne__(self, other): return not self.__eq__(other) def __hash__(self): # This should include the critical components of self.obj_vm return hash(self.obj_name) ^ hash(self.obj_offset) def m(self, memname): raise AttributeError("No member {0}".format(memname)) def is_valid(self): return self.obj_vm.is_valid_address(self.obj_offset) def dereference(self): return NoneObject("Can't dereference {0}".format(self.obj_name), self.obj_vm.profile.strict) def dereference_as(self, derefType, **kwargs): # Make sure we use self.obj_native_vm to automatically # dereference from the highest available VM if self.obj_native_vm.is_valid_address(self.v()): return Object(derefType, self.v(), self.obj_native_vm, parent = self, **kwargs) else: return NoneObject("Invalid offset {0} for dereferencing {1} as {2}".format(self.v(), self.obj_name, derefType)) def cast(self, castString): return Object(castString, self.obj_offset, self.obj_vm) def v(self): """ Do the actual reading and decoding of this member """ return NoneObject("No value for {0}".format(self.obj_name), self.obj_vm.profile.strict) def __format__(self, formatspec): return format(self.v(), formatspec) def __str__(self): return str(self.v()) def __repr__(self): return "[{0} {1}] @ 0x{2:08X}".format(self.__class__.__name__, self.obj_name or '', self.obj_offset) def d(self): """Display diagnostic information""" return self.__repr__() def __getstate__(self): """ This controls how we pickle and unpickle the objects """ try: thetype = self._vol_theType.__name__ except AttributeError: thetype = self._vol_theType # Note: we lose the parent attribute here result = dict(offset = self.obj_offset, name = self.obj_name, vm = self.obj_vm, native_vm = self.obj_native_vm, theType = thetype) ## Introspect 
the kwargs for the constructor and store in the dict try: for arg in self.__init__.func_code.co_varnames: if (arg not in result and arg not in "self parent profile args".split()): result[arg] = self.__dict__[arg] except KeyError: debug.post_mortem() raise pickle.PicklingError("Object {0} at 0x{1:08x} cannot be cached because of missing attribute {2}".format(self.obj_name, self.obj_offset, arg)) return result def __setstate__(self, state): ## What we want to do here is to instantiate a new object and then copy it into ourselves #new_object = Object(state['theType'], state['offset'], state['vm'], name = state['name']) new_object = Object(**state) if not new_object: raise pickle.UnpicklingError("Object {0} at 0x{1:08x} invalid".format(state['name'], state['offset'])) ## (Scudette) Im not sure how much of a hack this is - we ## basically take over all the new object's members. This is ## needed because __setstate__ can not return a new object, ## but must update the current object instead. I'm sure ikelos ## will object!!! I am open to suggestions ... 
self.__dict__ = new_object.__dict__ def CreateMixIn(mixin): def make_method(name): def method(self, *args, **kw): proxied = self.proxied(name) try: ## Try to coerce the other in case its also a proxied ## class args = list(args) args[0] = args[0].proxied(name) except (AttributeError, IndexError): pass try: method = getattr(operator, name) args = [proxied] + args except AttributeError: method = getattr(proxied, name) return method(*args, **kw) return method for name in mixin._specials: setattr(mixin, name, make_method(name)) class NumericProxyMixIn(object): """ This MixIn implements the numeric protocol """ _specials = [ ## Number protocols '__add__', '__sub__', '__mul__', '__floordiv__', '__mod__', '__divmod__', '__pow__', '__lshift__', '__rshift__', '__and__', '__xor__', '__or__', '__div__', '__truediv__', '__radd__', '__rsub__', '__rmul__', '__rdiv__', '__rtruediv__', '__rfloordiv__', '__rmod__', '__rdivmod__', '__rpow__', '__rlshift__', '__rrshift__', '__rand__', '__rxor__', '__ror__', '__neg__', '__pos__', '__abs__', '__invert__', '__int__', '__long__', '__float__', '__oct__', '__hex__', ## Comparisons '__lt__', '__le__', '__eq__', '__ne__', '__ge__', '__gt__', '__index__', ## Formatting '__format__', ] CreateMixIn(NumericProxyMixIn) class NativeType(BaseObject, NumericProxyMixIn): def __init__(self, theType, offset, vm, format_string = None, **kwargs): BaseObject.__init__(self, theType, offset, vm, **kwargs) NumericProxyMixIn.__init__(self) self.format_string = format_string def write(self, data): """Writes the data back into the address space""" output = struct.pack(self.format_string, data) return self.obj_vm.write(self.obj_offset, output) def proxied(self, attr): return self.v() def size(self): return struct.calcsize(self.format_string) def v(self): data = self.obj_vm.read(self.obj_offset, self.size()) if not data: return NoneObject("Unable to read {0} bytes from {1}".format(self.size(), self.obj_offset)) try: (val,) = struct.unpack(self.format_string, 
data) except struct.error: return NoneObject("struct.error {0} bytes from {1}".format(self.size(), self.obj_offset)) # Ensure that integer NativeTypes are converted to longs # to avoid integer boundaries when doing __rand__ proxying # (see issue 265) if isinstance(val, int): val = long(val) return val def cdecl(self): return self.obj_name def __repr__(self): return " [{0}]: {1}".format(self._vol_theType, self.v()) def d(self): return " [{0} {1} | {2}]: {3}".format(self.__class__.__name__, self.obj_name or '', self._vol_theType, self.v()) class BitField(NativeType): """ A class splitting an integer into a bunch of bit. """ def __init__(self, theType, offset, vm, start_bit = 0, end_bit = 32, native_type = None, **kwargs): # Defaults to profile-endian address, but can be overridden by native_type format_string = vm.profile.native_types.get(native_type, vm.profile.native_types['address'])[1] NativeType.__init__(self, theType, offset, vm, format_string = format_string, **kwargs) self.start_bit = start_bit self.end_bit = end_bit self.native_type = native_type # Store this for proper caching def v(self): i = NativeType.v(self) return (i & ((1 << self.end_bit) - 1)) >> self.start_bit def write(self, data): data = data << self.start_bit return NativeType.write(self, data) class Pointer(NativeType): def __init__(self, theType, offset, vm, target = None, **kwargs): # Default to profile-endian address # We don't allow native_type overriding for pointers since we can't dereference invalid pointers anyway # You can define a POINTER_64 in 32-bit windows, it becomes a signed pointer for use with special pointers like -1. 
# However, in that case it's unlikely to dereference properly either # We can always change this later if it becomes necessary to handle such unusual circumstances NativeType.__init__(self, theType, offset, vm, format_string = vm.profile.native_types['address'][1], **kwargs) if theType: self.target = Curry(Object, theType) else: self.target = target def __getstate__(self): ## This one is too complicated to pickle right now raise pickle.PicklingError("Pointer objects do not support caching") def is_valid(self): """ Returns if what we are pointing to is valid """ return self.obj_native_vm.is_valid_address(self.v()) def dereference(self): offset = self.v() if self.obj_native_vm.is_valid_address(offset): # Make sure we use self.obj_native_vm to automatically # dereference from the highest available VM result = self.target(offset = offset, vm = self.obj_native_vm, parent = self.obj_parent, name = self.obj_name) return result else: return NoneObject("Pointer {0} invalid".format(self.obj_name), self.obj_vm.profile.strict) def cdecl(self): return "Pointer {0}".format(self.v()) def __nonzero__(self): return bool(self.is_valid()) def __repr__(self): target = self.dereference() return "<{0} pointer to [0x{1:08X}]>".format(target.__class__.__name__, self.v()) def d(self): target = self.dereference() return "<{0} {1} pointer to [0x{2:08X}]>".format(target.__class__.__name__, self.obj_name or '', self.v()) def __getattr__(self, attr): ## We just dereference ourself result = self.dereference() #if isinstance(result, CType): # return result.m(attr) return getattr(result, attr) def m(self, memname): # Look for children on the dereferenced object result = self.dereference() return result.m(memname) class Pointer32(Pointer): def __init__(self, theType, offset, vm, target = None, **kwargs): # Default to profile-endian address # Sometimes we need a 32bit pointer on a 64bit system NativeType.__init__(self, theType, offset, vm, format_string = "".format(",".join(result)) def d(self): 
result = [ x.__str__() for x in self ] return "".format(self.__class__.__name__, self.obj_name or '', ",".join(result)) def __eq__(self, other): # Check we can carry out further tests for equality/inequality if not (hasattr(other, '__len__') and hasattr(other, '__getitem__')): return False if self.count != len(other): return False for i in range(self.count): if not self[i] == other[i]: return False return True def __getitem__(self, pos): ## Check for slice object if isinstance(pos, slice): start, stop, step = pos.indices(self.count) return [self[i] for i in xrange(start, stop, step)] # Handle negative values if pos >= self.count or pos <= -self.count: raise IndexError("array index out of range") if pos < 0: pos = self.count - pos ## Check if the offset is valid offset = self.original_offset + pos * self.current.size() if self.obj_vm.is_valid_address(offset): # Ensure both the true VM and offsetlayer are copied across return self.target(offset = offset, vm = self.obj_vm, native_vm = self.obj_native_vm, parent = self, name = "{0} {1}".format(self.obj_name, pos)) else: return NoneObject("Array {0} invalid member {1}".format(self.obj_name, pos), self.obj_vm.profile.strict) def __setitem__(self, pos, value): ## Get the item, then try writing to it item = self.__getitem__(pos) if item != None: item.write(value) class CType(BaseObject): """ A CType is an object which represents a c struct """ def __init__(self, theType, offset, vm, name = None, members = None, struct_size = 0, **kwargs): """ This must be instantiated with a dict of members. The keys are the offsets, the values are Curried Object classes that will be instantiated when accessed. 
""" if not members: # Warn rather than raise an error, since some types (_HARDWARE_PTE, for example) are generated without members debug.debug("No members specified for CType {0} named {1}".format(theType, name), level = 2) members = {} self.members = members self.struct_size = struct_size BaseObject.__init__(self, theType, offset, vm, name = name, **kwargs) self.__initialized = True def size(self): return self.struct_size def __repr__(self): return "[{0} {1}] @ 0x{2:08X}".format(self.__class__.__name__, self.obj_name or '', self.obj_offset) def d(self): result = self.__repr__() + "\n" for k in self.members.keys(): result += " {0} -\n {1}\n".format(k, self.m(k)) return result def v(self): """ When a struct is evaluated we just return our offset. """ # Ensure that proxied offsets are converted to longs # to avoid integer boundaries when doing __rand__ proxying # (see issue 265) return long(self.obj_offset) def m(self, attr): if attr in self.members: # Allow the element to be a callable rather than a list - this is # useful for aliasing member names element = self.members[attr] if callable(element): return element(self) offset, cls = element elif attr.find('__') > 0 and attr[attr.find('__'):] in self.members: offset, cls = self.members[attr[attr.find('__'):]] else: ## hmm - tough choice - should we raise or should we not #return NoneObject("Struct {0} has no member {1}".format(self.obj_name, attr)) raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr)) if callable(offset): ## If offset is specified as a callable its an absolute ## offset offset = int(offset(self)) else: ## Otherwise its relative to the start of our struct offset = int(offset) + int(self.obj_offset) try: result = cls(offset = offset, vm = self.obj_vm, parent = self, name = attr, native_vm = self.obj_native_vm) except InvalidOffsetError, e: return NoneObject(str(e)) return result def __getattr__(self, attr): return self.m(attr) def __setattr__(self, attr, value): """Change 
underlying members""" # Special magic to allow initialization if not self.__dict__.has_key('_CType__initialized'): # this test allows attributes to be set in the __init__ method return BaseObject.__setattr__(self, attr, value) elif self.__dict__.has_key(attr): # any normal attributes are handled normally return BaseObject.__setattr__(self, attr, value) else: obj = self.m(attr) if hasattr(obj, 'write'): if not obj.write(value): raise ValueError("Error writing value to member " + attr) return # If you hit this, consider using obj.newattr('attr', value) raise ValueError("Attribute " + attr + " was set after object initialization") class VolatilityMagic(BaseObject): """Class to contain Volatility Magic value""" # TODO: At some point, make it possible to use these without requiring .v() # by making them inherit from NumericProxyMixIn when they're supposed to be numeric values def __init__(self, theType, offset, vm, value = None, configname = None, **kwargs): try: BaseObject.__init__(self, theType, offset, vm, **kwargs) except InvalidOffsetError: pass # If we've been given a configname override, # then override the value with the one from the config self.configname = configname if self.configname: configval = getattr(self.obj_vm.get_config(), self.configname) # Check the configvalue is actually set to something if configval: value = configval self.value = value def v(self): # We explicitly want to check for None, # in case the user wants a value # that gives not self.value = True if self.value is None: return self.get_best_suggestion() else: return self.value def __str__(self): return self.v() def get_suggestions(self): """Returns a list of possible suggestions for the value These should be returned in order of likelihood, since the first one will be taken as the best suggestion This is also to avoid a complete scan of the memory address space, since """ if self.value: yield self.value for x in self.generate_suggestions(): yield x def generate_suggestions(self): raise 
StopIteration("No suggestions available") def get_best_suggestion(self): """Returns the best suggestion for a list of possible suggestsions""" for val in self.get_suggestions(): return val else: return NoneObject("No suggestions available") def VolMagic(vm): """Convenience function to save people typing out an actual obj.Object call""" return Object("VOLATILITY_MAGIC", 0x0, vm = vm) #### This must live here, otherwise there are circular dependency issues ## ## The Profile relies on several classes in obj.py, because ## it needs to parse legacy list formats into appropriate types ## Leaving a deprecated obj.Profile object would create a circular dependency ## ## Profiles are the interface for creating/interpreting ## objects class Profile(object): native_mapping = {'32bit': native_types.x86_native_types, '64bit': native_types.x64_native_types} def __init__(self, strict = False): self.strict = strict self._mods = [] # The "output" variables self.types = {} self.object_classes = {} self.native_types = {} # Place for modifications to extend profiles with additional (profile-specific) information self.additional = {} # Set up the "input" data self.vtypes = {} # Carry out the inital setup self.reset() @property def applied_modifications(self): return self._mods def clear(self): """ Clears out the input vtypes and object_classes, and only the base object types """ # Prepopulate object_classes with base classes self.object_classes = {'BitField': BitField, 'Pointer': Pointer, 'Pointer32':Pointer32, 'Void': Void, 'Array': Array, 'CType': CType, 'VolatilityMagic': VolatilityMagic} # Ensure VOLATILITY_MAGIC is always present in vtypes self.vtypes = {'VOLATILITY_MAGIC' : [0x0, {}]} # Clear out the ordering that modifications were applied (since now, none were) self._mods = [] def reset(self): """ Resets the profile's vtypes to those automatically loaded """ # Clear everything out self.clear() # Setup the initial vtypes and native_types self.load_vtypes() # Run through any 
modifications (new vtypes/overlays, object_classes) self.load_modifications() # Recompile self.compile() def load_vtypes(self): """ Identifies the module from which to load the vtypes Eventually this could do the importing directly, and avoid having the profiles loaded in memory all at once. """ ntvar = self.metadata.get('memory_model', '32bit') self.native_types = copy.deepcopy(self.native_mapping.get(ntvar)) vtype_module = self.metadata.get('vtype_module', None) if not vtype_module: debug.warning("No vtypes specified for this profile") else: module = sys.modules.get(vtype_module, None) # Try to locate the _types dictionary for i in dir(module): if i.endswith('_types'): self.vtypes.update(getattr(module, i)) def load_modifications(self): """ Find all subclasses of the modification type and applies them Each modification object can specify the metadata with which it can work Allowing the overlay to decide which profile it should act on """ # Collect together all the applicable modifications mods = {} for i in self._get_subclasses(ProfileModification): modname = i.__name__ instance = i() # Leave abstract modifications out of the dependency tree # Also don't consider the base ProfileModification object if not modname.startswith("Abstract") and i != ProfileModification: if modname in mods: raise RuntimeError("Duplicate profile modification name {0} found".format(modname)) mods[instance.__class__.__name__] = instance # Run through the modifications in dependency order self._mods = [] for modname in self._resolve_mod_dependencies(mods.values()): mod = mods.get(modname, None) # We check for invalid/mistyped modification names, AbstractModifications should be caught by this too if not mod: # Note, this does not allow for optional dependencies raise RuntimeError("No concrete ProfileModification found for " + modname) if mod.check(self): debug.debug("Applying modification from " + mod.__class__.__name__) self._mods.append(mod.__class__.__name__) mod.modification(self) def 
compile(self): """ Compiles the vtypes, overlays, object_classes, etc into a types dictionary We populate as we go, so that _list_to_type can refer to existing classes rather than Curry everything. If the compile fails, the profile will be left in a bad/unusable state """ # Load the native types self.types = {} for nt, value in self.native_types.items(): if type(value) == list: self.types[nt] = Curry(NativeType, nt, format_string = value[1]) # Go through the vtypes, creating the stubs for object creation at # a later point by the Object factory for name in self.vtypes.keys(): self.types[name] = self._convert_members(name) # Add in any object_classes that had no defined members, for completeness for name in self.object_classes.keys(): if name not in self.types: self.types[name] = Curry(self.object_classes[name], name) @property def metadata(self): """ Returns a read-only dictionary copy of the metadata associated with a profile """ prefix = '_md_' result = {} for i in dir(self): if i.startswith(prefix): result[i[len(prefix):]] = getattr(self, i) return result def _get_subclasses(self, cls): """Returns a list of all subclasses""" for i in cls.__subclasses__(): for c in self._get_subclasses(i): yield c yield cls def _get_dummy_obj(self, name): """ Returns a dummy object/profile for use in determining size and offset of substructures. This is done since profile are effectively a compiled language, so reading the value from self.vtypes may not be accurate. 
""" class dummy(object): profile = self name = 'dummy' def is_valid_address(self, _offset): """States that every address is valid, since we tend not to care""" return True def read(self, _addr, _length): """Returns no data when reading""" return None tmp = self.types[name](offset = 0, name = name, vm = dummy(), parent = None) return tmp def has_type(self, theType): """ Returns a simple check of whether the type is in the profile """ return theType in self.types def get_obj_offset(self, name, member): """ Returns a members offset within the struct """ tmp = self._get_dummy_obj(name) offset, _cls = tmp.members[member] return offset def get_obj_size(self, name): """Returns the size of a struct""" tmp = self._get_dummy_obj(name) return tmp.size() def obj_has_member(self, name, member): """Returns whether an object has a certain member""" tmp = self._get_dummy_obj(name) return hasattr(tmp, member) def merge_overlay(self, overlay): """Applies an overlay to the profile's vtypes""" for k, v in overlay.items(): if k not in self.vtypes: debug.warning("Overlay structure {0} not present in vtypes".format(k)) else: self.vtypes[k] = self._apply_overlay(self.vtypes[k], v) def add_types(self, vtypes, overlay = None): """ Add in a deprecated function that mimics the previous add_types function """ debug.warning("Deprecation warning: A plugin is making use of profile.add_types") self.vtypes.update(vtypes) if overlay: self.merge_overlay(overlay) self.compile() def apply_overlay(self, *args, **kwargs): """ Calls the old apply_overlay function with a deprecation warning """ debug.warning("Deprecation warning: A plugin is making use of profile.apply_overlay") return self._apply_overlay(*args, **kwargs) def _apply_overlay(self, type_member, overlay): """ Update the overlay with the missing information from type. Basically if overlay has None in any slot it gets applied from vtype. We make extensive use of copy.deepcopy to ensure we don't modify the original variables. 
Some of the calls may not be necessary (specifically the return of type_member and overlay) but this saves us the concern that things will get changed later and have a difficult-to-track down knock-on effect. """ # If we've been called without an overlay, # the end result should be a complete copy of the type_member if not overlay: return copy.deepcopy(type_member) if isinstance(type_member, dict): result = copy.deepcopy(type_member) for k, v in overlay.items(): if k not in type_member: result[k] = v else: result[k] = self._apply_overlay(type_member[k], v) elif isinstance(overlay, list): # If we're changing the underlying type, skip looking any further if len(overlay) != len(type_member): return copy.deepcopy(overlay) result = [] # Otherwise go through every item for i in range(len(overlay)): if overlay[i] == None: result.append(type_member[i]) else: result.append(self._apply_overlay(type_member[i], overlay[i])) else: return copy.deepcopy(overlay) return result def _resolve_mod_dependencies(self, mods): """ Resolves the modification dependencies, providing an ordered list of all modifications whose only dependencies are in earlier lists """ # Convert the before/after to a directed graph result = [] data = {} for mod in mods: before, after = mod.dependencies(self) data[mod.__class__.__name__] = data.get(mod.__class__.__name__, set([])).union(set(before)) for a in after: data[a] = data.get(a, set([])).union(set([mod.__class__.__name__])) # Ignore self dependencies for k, v in data.items(): v.discard(k) # Fill out any items not in the original data list, as having no dependencies extra_items_in_deps = reduce(set.union, data.values()) - set(data.keys()) for item in extra_items_in_deps: data.update({item:set()}) while True: # Pull out all the items with no dependencies nodeps = set([item for item, dep in data.items() if not dep]) # If there's none left then we're done if not nodeps: break result.append(sorted(nodeps)) # Any items we just returned, remove from all 
dependencies for item, dep in data.items(): if item not in nodeps: data[item] = (dep - nodeps) else: data.pop(item) # Check there's no dependencies left, if there are we've got a cycle if data: debug.warning("A cyclic dependency exists amongst {0}".format(data)) raise StopIteration # Finally, after having checked for no cycles, flatten and return the results for s in result: for i in s: yield i def _list_to_type(self, name, typeList, typeDict = None): """ Parses a specification list and returns a VType object. This function is a bit complex because we support lots of different list types for backwards compatibility. """ ## This supports plugin memory objects: try: kwargs = typeList[1] if type(kwargs) == dict: ## We have a list of the form [ ClassName, dict(.. args ..) ] return Curry(Object, theType = typeList[0], name = name, **kwargs) except (TypeError, IndexError), _e: pass ## This is of the form [ 'void' ] if typeList[0] == 'void': return Curry(Void, None, name = name) ## This is of the form [ 'pointer' , [ 'foobar' ]] if typeList[0] == 'pointer': try: target = typeList[1] except IndexError: raise RuntimeError("Syntax Error in pointer type defintion for name {0}".format(name)) return Curry(Pointer, None, name = name, target = self._list_to_type(name, target, typeDict)) ## This is of the form [ 'pointer32' , [ 'foobar' ]] if typeList[0] == 'pointer32': try: target = typeList[1] except IndexError: raise RuntimeError("Syntax Error in pointer type defintion for name {0}".format(name)) return Curry(Pointer32, None, name = name, target = self._list_to_type(name, target, typeDict)) ## This is an array: [ 'array', count, ['foobar'] ] if typeList[0] == 'array': return Curry(Array, None, name = name, count = typeList[1], target = self._list_to_type(name, typeList[2], typeDict)) ## This is a list which refers to a type which is already defined if typeList[0] in self.types: return Curry(self.types[typeList[0]], name = name) ## Does it refer to a type which will be defined 
in future? in ## this case we just curry the Object function to provide ## it on demand. This allows us to define structures ## recursively. ##if typeList[0] in typeDict: try: tlargs = typeList[1] except IndexError: tlargs = {} obj_name = typeList[0] if type(tlargs) == dict: return Curry(Object, obj_name, name = name, **tlargs) ## If we get here we have no idea what this list is #raise RuntimeError("Error in parsing list {0}".format(typeList)) debug.warning("Unable to find a type for {0}, assuming int".format(typeList[0])) return Curry(self.types['int'], name = name) def _convert_members(self, cname): """ Convert the structure named by cname from the c description present in vtypes into a list of members that can be used for later parsing. cname is the name of the struct. We expect the vtypes value to be a list of the following format [ Size of struct, members_dict ] members_dict is a dict of all members (fields) in this struct. The key is the member name, and the value is a list of this form: [ offset_from_start_of_struct, specification_list ] The specification list has the form specified by self._list_to_type() above. We return an object that is a CType or has been overridden by object_classes. """ size, raw_members = self.vtypes.get(cname) members = {} for k, v in raw_members.items(): if callable(v): members[k] = v elif v[0] == None: debug.warning("{0} has no offset in object {1}. 
Check that vtypes has a concrete definition for it.".format(k, cname)) else: members[k] = (v[0], self._list_to_type(k, v[1], self.vtypes)) ## Allow the plugins to over ride the class constructor here if self.object_classes and cname in self.object_classes: cls = self.object_classes[cname] else: cls = CType return Curry(cls, cname, members = members, struct_size = size) class ProfileModification(object): """ Class for modifying profiles for additional functionality """ before = [] after = [] conditions = {} def check(self, profile): """ Returns True or False as to whether the Modification should be applied """ result = True for k, v in self.conditions.items(): result = result and v(profile.metadata.get(k, None)) return result def dependencies(self, profile): """ Returns a list of modifications that should go before this, and modifications that need to be after this """ return self.before, self.after def modification(self, profile): """ Abstract function for modifying the profile """ volatility_2.6+git20170711.b3db0cc/volatility/constants.py0000644000000000000000000000220013131215405021715 0ustar rootroot# Volatility # Copyright (C) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
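#
# Blocksize was chosen to make it aligned
# on 8 bytes
# Optimized by Michael Cohen

import os, sys

VERSION = "2.6"

# Block size in bytes (10 MiB), see the header note above about alignment
SCAN_BLOCKSIZE = 1024 * 1024 * 10

# Start from the directory that holds this module
PLUGINPATH = os.path.dirname(__file__)

# If we're in a pyinstaller executable
if hasattr(sys, "frozen"):
    # Reading sys._MEIPASS is an attribute lookup, so a missing attribute
    # raises AttributeError; the ImportError handler used previously could
    # never catch it. Fall back to the module directory instead of failing
    # at import time when the attribute is not set.
    PLUGINPATH = getattr(sys, "_MEIPASS", PLUGINPATH) #pylint: disable-msg=W0212,E1101

# NOTE(review): presumably this is the directory plugin modules are loaded
# from, in which case it should only be writable by trusted users, since
# anything placed there would run with the analyst's privileges -- confirm
# against the plugin loader.
PLUGINPATH = os.path.join(PLUGINPATH, 'plugins')

# --- archive member boundary (tar header text kept verbatim) ---
# volatility_2.6+git20170711.b3db0cc/volatility/timefmt.py0000644000000000000000000001072513131215405021361 0ustar rootroot
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .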
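#

import os, time, calendar
import datetime
import volatility.conf as conf
import volatility.debug as debug

# pytz is optional; without it named timezones fall back to time.tzset()
try:
    import pytz
    tz_pytz = True
except ImportError:
    tz_pytz = False

config = conf.ConfObject()

class OffsetTzInfo(datetime.tzinfo):
    """Timezone implementation that allows offsets specified in seconds"""

    def __init__(self, offset = None, *args, **kwargs):
        """Accepts offset in seconds (None means the offset is unknown)"""
        self.offset = offset
        datetime.tzinfo.__init__(self, *args, **kwargs)

    def set_offset(self, offset):
        """Simple setter for offset"""
        self.offset = offset

    def utcoffset(self, dt):
        """Returns the offset from UTC as a timedelta, or None when no offset is set"""
        if self.offset is None:
            return None
        return datetime.timedelta(seconds = self.offset) + self.dst(dt)

    def dst(self, _dt):
        """We almost certainly can't know about DST, so we say it's always off"""
        # FIXME: Maybe we can know or make guesses about DST?
        return datetime.timedelta(0)

    def tzname(self, _dt):
        """Return a useful timezone name"""
        if self.offset is None:
            return "UNKNOWN"
        # NOTE(review): an empty name is returned when an offset is set; the
        # literal may have lost text in extraction -- verify against upstream
        return ""

class UTC(datetime.tzinfo):
    """Concrete instance of the UTC timezone"""

    def utcoffset(self, _dt):
        """Returns an offset from UTC of 0"""
        return datetime.timedelta(0)

    def dst(self, _dt):
        """Returns no daylight savings offset"""
        return datetime.timedelta(0)

    def tzname(self, _dt):
        """Returns the timezone name"""
        return "UTC"

def display_datetime(dt, custom_tz = None):
    """Returns a string from a datetime according to the display TZ (or a custom one)

    dt is converted only when it is timezone-aware (tzinfo set and
    utcoffset() not None); naive datetimes are formatted unchanged.
    custom_tz, when given, takes precedence over the configured TZ option.

    When the configured TZ is a plain string this sets os.environ['TZ'] and
    calls time.tzset(), which changes the timezone of the whole process for
    every later localtime() call, not only for this one.
    """
    timeformat = "%Y-%m-%d %H:%M:%S %Z%z"
    if dt.tzinfo is not None and dt.tzinfo.utcoffset(dt) is not None:
        if custom_tz is not None:
            dt = dt.astimezone(custom_tz)
        elif config.TZ is not None:
            if isinstance(config.TZ, str):
                # calendar.timegm() expects a UTC time tuple. timetuple()
                # yields the wall-clock fields in dt's own zone, which shifts
                # the displayed time by dt's offset for any non-UTC aware
                # datetime; utctimetuple() normalises to UTC first and gives
                # the same result as before for UTC inputs.
                secs = calendar.timegm(dt.utctimetuple())
                os.environ['TZ'] = config.TZ
                time.tzset()
                # Remove the %z which appears not to work
                timeformat = timeformat[:-2]
                return time.strftime(timeformat, time.localtime(secs))
            else:
                dt = dt.astimezone(config.tz)
    return ("{0:" + timeformat + "}").format(dt)

def tz_from_string(_option, _opt_str, value, parser):
    """Stores a tzinfo object from a string

    Option-parser callback: value is either a numeric offset starting with
    '+' or '-' (two digits of hours, then two digits of minutes, eg. +1000)
    or a timezone name. The result is stored in parser.values.tz as an
    OffsetTzInfo, a pytz timezone, or the raw name for use with tzset.
    """
    if value is not None:
        if value[0] in ['+', '-']:
            # Handed a numeric offset, create an OffsetTzInfo
            # Split the digits after the sign into two-character groups;
            # only the first two groups (hours, minutes) are used
            valarray = [value[i:i + 2] for i in range(1, len(value), 2)]
            multipliers = [3600, 60]
            offset = 0
            for i in range(min(len(valarray), len(multipliers))):
                # int() raises ValueError on non-numeric groups
                offset += int(valarray[i]) * multipliers[i]
            if value[0] == '-':
                offset = -offset

            timezone = OffsetTzInfo(offset = offset)
        else:
            # Value is a lookup, choose pytz over time.tzset
            if tz_pytz:
                try:
                    timezone = pytz.timezone(value)
                except pytz.UnknownTimeZoneError:
                    # NOTE(review): presumably debug.error() aborts; if it
                    # returned, 'timezone' would be unbound below -- confirm
                    debug.error("Unknown display timezone specified")
            else:
                if not hasattr(time, 'tzset'):
                    debug.error("This operating system doesn't support tzset, please either specify an offset (eg. +1000) or install pytz")
                timezone = value
        parser.values.tz = timezone

config.add_option("TZ", action = "callback", callback = tz_from_string,
                  cache_invalidator = False,
                  help = "Sets the (Olson) timezone for displaying timestamps using pytz (if installed) or tzset",
                  default = None, nargs = 1, type = str)

# --- archive member boundary (tar header text kept verbatim) ---
# volatility_2.6+git20170711.b3db0cc/volatility/addrspace.py0000755000000000000000000003637713131215405021660 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Original Source:
# Copyright (C) 2004,2005,2006 4tphi Research
# Author: {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.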
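# If not, see .
#

"""
@author:       AAron Walters
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.com
@organization: Volatility Foundation

Alias for all address spaces
"""

#pylint: disable-msg=C0111

import fractions
import volatility.obj as obj
import volatility.registry as registry
import volatility.debug as debug

## Make sure the profiles are cached so we only parse it once. This is
## important since it allows one module to update the profile for
## another module.
PROFILES = {}

class ASAssertionError(AssertionError):
    """Raised when an address space cannot be instantiated (see as_assert)"""

    def __init__(self, *args, **kwargs):
        AssertionError.__init__(self, *args, **kwargs)

def check_valid_profile(option, _opt_str, value, parser):
    """Checks to make sure the selected profile is valid

    Option-parser callback: when profile classes are registered, an unknown
    name is reported through debug.error() and the value is stored on the
    parser under option.dest.
    """
    # PROFILES may not have been created yet,
    # but the callback should get called once it has
    # during the final parse of the config options
    profs = registry.get_plugin_classes(obj.Profile)
    if profs:
        try:
            profs[value]
        except KeyError:
            debug.error("Invalid profile " + value + " selected")
        setattr(parser.values, option.dest, value)

class BaseAddressSpace(object):
    """ This is the base class of all Address Spaces. """

    def __init__(self, base, config, *_args, **_kwargs):
        """ base is the AS we will be stacking on top of, opts are
        options which we may use.
        """
        self.base = base
        self.name = "Unnamed AS"
        self._config = config
        self.profile = self._set_profile(config.PROFILE)

    @staticmethod
    def register_options(config):
        """Registers the PROFILE and LOCATION options on the config object"""
        ## By default load the profile that the user asked for
        config.add_option("PROFILE", default = "WinXPSP2x86", type = 'str',
                          nargs = 1, action = "callback", callback = check_valid_profile,
                          help = "Name of the profile to load (use --info to see a list of supported profiles)")

        config.add_option("LOCATION", default = None, short_option = 'l',
                          help = "A URN location from which to load an address space")

    def get_config(self):
        """Returns the config object used by the vm for use in other vms"""
        return self._config

    def _set_profile(self, profile_name):
        """Returns the profile instance for profile_name, creating and caching
        it in the module-level PROFILES dict on first use.

        Raises ASAssertionError when no name is given, the name is unknown,
        or is_valid_profile() rejects the profile for this address space.
        """
        ## Load the required profile
        if profile_name is None:
            raise ASAssertionError("You must set a profile!")
        if profile_name in PROFILES:
            ret = PROFILES[profile_name]
        else:
            profs = registry.get_plugin_classes(obj.Profile)
            if profile_name in profs:
                ret = profs[profile_name]()
                PROFILES[profile_name] = ret
            else:
                raise ASAssertionError("Invalid profile " + profile_name + " selected")
        if not self.is_valid_profile(ret):
            raise ASAssertionError("Incompatible profile " + profile_name + " selected")
        return ret

    def is_valid_profile(self, profile): #pylint: disable-msg=W0613
        """Determines whether a selected profile is compatible with this address space"""
        return True

    def as_assert(self, assertion, error = None):
        """Duplicate for the assert command (so that optimizations don't disable them)

           It had to be called as_assert, since assert is a keyword
        """
        if not assertion:
            if error is None:
                error = "Instantiation failed for unspecified reason"
            raise ASAssertionError(error)

    def __eq__(self, other):
        return (self.__class__ == other.__class__ and
                self.profile == other.profile and self.base == other.base)

    def __ne__(self, other):
        return not self == other

    def read(self, addr, length):
        """ Read some data from a certain offset """

    def zread(self, addr, length):
        """ Read data from a certain offset, padded with zero bytes where data is not available """

    def get_available_addresses(self):
        """ Return a generator of address ranges as (offset, size) covered by this AS sorted by offset.

            The address ranges produced must be disjoint (no overlaps) and not be continuous
            (there must be a gap between two ranges).
        """
        # NOTE(review): there is no yield here, so calling this base version
        # raises StopIteration directly rather than returning an empty generator
        raise StopIteration

    def is_valid_address(self, _addr):
        """ Tell us if the address is valid """
        return True

    def write(self, _addr, _buf):
        """Refuses the write (returns False) unless the WRITE config option is
        set; with it set, the base class raises NotImplementedError."""
        # Writing is opt-in so that an image is never modified by default
        if not self._config.WRITE:
            return False
        raise NotImplementedError("Write support for this type of Address Space has not been implemented")

    def __getstate__(self):
        """ Serialise this address space efficiently """
        ## FIXME: Note that types added/overridden in the config.PROFILE may bleed through
        ## into other plugins from the cache.  This needs fixing.
        return dict(name = self.__class__.__name__, base = self.base, config = self._config)

    def __setstate__(self, state):
        # Restoring re-runs __init__ with whatever the serialised dict holds.
        # NOTE(review): presumably this backs the on-disk cache; serialised
        # state should only be loaded from a location the analyst trusts
        self.__init__(**state)

    @classmethod
    def address_mask(cls, addr):
        """Masks an address value for this address space"""
        return addr

    @classmethod
    def address_compare(cls, a, b):
        """Compares two addresses, a and b, and return -1 if a is less than b, 0 if they're equal and 1 if a is greater than b"""
        return cmp(cls.address_mask(a), cls.address_mask(b))

    @classmethod
    def address_equality(cls, a, b):
        """Compare two addresses and returns True if they're the same, or False if they're not"""
        return cls.address_compare(a, b) == 0

    def physical_space(self):
        """Return the underlying physical layer, if there is one.

        This cycles through the base address spaces and returns
        the first one that's not an ancestor of a virtual space.
        """
        b = self.base
        while b:
            if not isinstance(b, AbstractVirtualAddressSpace):
                return b
            b = b.base
        return self

class AbstractDiscreteAllocMemory(BaseAddressSpace):
    """A class based on memory stored as discrete allocations.
    """

    # Both are filled in lazily by calculate_alloc_stats()
    minimum_size = None
    alignment_gcd = None

    def __init__(self, base, config, *args, **kwargs):
        BaseAddressSpace.__init__(self, base, config, *args, **kwargs)

    def translate(self, vaddr):
        raise NotImplementedError("This is an abstract method and should not be referenced directly")

    def get_available_allocs(self):
        """A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset"""
        raise NotImplementedError("This is an abstract method and should not be referenced directly")

    def calculate_alloc_stats(self):
        """Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when read lengths of data

           It's particularly important to cast all numbers to ints, since they're used a lot and object take effort to reread.
        """
        available_allocs = list(self.get_available_allocs())

        # min() raises ValueError when there are no allocations at all
        self.minimum_size = int(min([size for _, size in available_allocs]))
        # Fold the GCD over the smallest size and every non-zero start address
        accumulator = self.minimum_size
        for start, _ in available_allocs:
            if accumulator is None and start > 1:
                accumulator = start
            if accumulator and start > 0:
                accumulator = fractions.gcd(accumulator, start)
        self.alignment_gcd = int(accumulator)
        # Pick an arbitrary cut-off that'll lead to too many reads
        if self.alignment_gcd < 0x4:
            debug.warning("Alignment of " + self.__class__.__name__ + " is too small, plugins will be extremely slow")

    def _read(self, addr, length, pad = False):
        """Reads length bytes at the address addr

           If pad is False, this can return None if some of the address space is empty
           If pad is True, any read errors result in zero bytes filling the missing read locations

           The request is split into pieces that never cross an alignment_gcd
           boundary, and each piece is translated and read separately.
        """
        if not self.alignment_gcd or not self.minimum_size:
            self.calculate_alloc_stats()

        position = addr
        remaining = length
        buff = []
        lenbuff = 0
        read = self.base.zread if pad else self.base.read

        # For each allocation...
        while remaining > 0:
            # Determine whether we're within an alloc or not
            # This must be measured from the current position. Measuring from
            # the original addr kept the first chunk size for every later
            # chunk, so a read starting at an unaligned address could span an
            # alignment boundary and take bytes from one contiguous base-layer
            # range even when the next allocation maps somewhere else.
            alloc_remaining = (self.alignment_gcd - (position % self.alignment_gcd))
            # Try to jump out early
            paddr = self.translate(position)
            datalen = min(remaining, alloc_remaining)
            if paddr is None:
                if not pad:
                    return None
                buff.append("\x00" * datalen)
                lenbuff += datalen
            else:
                # This accounts for a special edge case
                # when the address is valid in this address space
                # but not in the underlying (base) address space.
                # We have seen this happen with IA32/FileAddr
                if self.base.is_valid_address(paddr):
                    data = read(paddr, datalen)
                else:
                    if not pad:
                        return obj.NoneObject("Could not read_chunks from addr " + hex(position) + " of size " + hex(datalen))
                    data = "\x00" * datalen
                buff.append(data)
                lenbuff += len(data)
            position += datalen
            remaining -= datalen
            # Sanity checks: every requested byte is accounted for exactly once
            assert (addr + length == position + remaining), "Address + length != position + remaining (" + hex(addr + length) + " != " + hex(position + remaining) + ") in " + self.base.__class__.__name__
            assert (position - addr == lenbuff), "Position - address != len(buff) (" + str(position - addr) + " != " + str(lenbuff) + ") in " + self.base.__class__.__name__
        return "".join(buff)

    def read(self, addr, length):
        '''
        This method reads 'length' bytes from the specified 'addr'.
        If any range is unavailable it returns None.
        '''
        return self._read(addr, length, False)

    def zread(self, addr, length):
        '''
        This method reads 'length' bytes from the specified 'addr'.
        If any range is unavailable it pads the region with zeros.
        '''
        return self._read(addr, length, True)

class AbstractRunBasedMemory(AbstractDiscreteAllocMemory):
    """A class based on memory stored as separate segments.

       @var runs: Stores an ordered list of the segments or runs
                  A run is a tuple of (input/domain/virtual address, output/range/physical address, size of segment)
    """

    def __init__(self, base, config, *args, **kwargs):
        AbstractDiscreteAllocMemory.__init__(self, base, config, *args, **kwargs)
        self.runs = []
        self.header = None

    def get_runs(self):
        """Get the memory block info"""
        return self.runs

    def get_header(self):
        """Get the header info"""
        return self.header

    def translate(self, addr):
        """Find the offset in the file where a memory address can be found.

           @param addr: a memory address
           Returns None when no run covers addr.
        """
        for input_addr, output_addr, length in self.runs:
            if addr >= input_addr and addr < input_addr + length:
                return output_addr + (addr - input_addr)
            # Since runs are in order, we can bail out early if we're
            # looking for something before the start of the current one
            if addr < input_addr:
                return None
        return None

    def get_available_allocs(self):
        """Get a list of accessible physical memory regions"""
        for input_addr, _, length in self.runs:
            yield input_addr, length

    def get_available_addresses(self):
        """Get a list of physical memory runs"""
        # Since runs are in order and not contiguous
        # we can reuse the output from available_allocs
        return self.get_available_allocs()

    def is_valid_address(self, phys_addr):
        """Check if a physical address is in the file.

           @param phys_addr: a physical address
        """
        return self.translate(phys_addr) is not None

    def get_address_range(self):
        """ This relates to the logical address range that is indexable

            Returns [start of the first run, end of the last run].
        """
        # Runs must not be empty
        (input_address, _, length) = self.runs[-1]
        # Despite the name this is an end address (start of last run + length)
        size = input_address + length
        (start, _, _) = self.runs[0]
        return [start, size]

    def write(self, phys_addr, buf):
        """This is mostly for support of raw2dmp so that
        it can modify the kernel CONTEXT after the crash dump has
        been written to disk"""

        # Writing is opt-in so that an image is never modified by default
        if not self._config.WRITE:
            return False

        file_addr = self.translate(phys_addr)

        if file_addr is None:
            return False

        # NOTE(review): only the start address is translated; len(buf) is not
        # checked against the end of the run, so a long buffer could extend
        # past the run in the underlying file -- confirm callers bound it
        return self.base.write(file_addr, buf)

class AbstractVirtualAddressSpace(AbstractDiscreteAllocMemory):
    """Base Ancestor for all Virtual address spaces, as determined by astype"""

    def __init__(self, base, config, astype = 'virtual', *args, **kwargs):
        AbstractDiscreteAllocMemory.__init__(self, base, config, astype = astype, *args, **kwargs)
        self.as_assert(astype == 'virtual' or astype == 'any', "User requested non-virtual AS")

    def vtop(self, vaddr):
        raise NotImplementedError("This is an abstract method and should not be referenced directly")

    def translate(self, vaddr):
        """Translation for virtual spaces is the virtual-to-physical lookup"""
        return self.vtop(vaddr)

## This is a specialised AS for use internally - Its used to provide
## transparent support for a string buffer so types can be
## instantiated off the buffer.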
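class BufferAddressSpace(BaseAddressSpace):
    """Address space backed by an in-memory string buffer.

    ``data`` holds the bytes and ``base_offset`` is the address that maps to
    ``data[0]``. Every access converts the requested address to a buffer
    index by subtracting ``base_offset``.
    """

    def __init__(self, config, base_offset = 0, data = '', **kwargs):
        BaseAddressSpace.__init__(self, None, config, **kwargs)
        self.fname = "Buffer"
        self.data = data
        self.base_offset = base_offset

    def assign_buffer(self, data, base_offset = 0):
        """Replaces the backing buffer and the address of its first byte"""
        self.base_offset = base_offset
        self.data = data

    def is_valid_address(self, addr):
        """Returns True only when addr falls on a byte held in the buffer"""
        if self.data is None:
            return False
        # The upper bound is exclusive: base_offset + len(data) is the first
        # address past the buffer, and no byte is stored there.
        return self.base_offset <= addr < self.base_offset + len(self.data)

    def read(self, addr, length):
        """Returns up to length bytes starting at addr

        Only the part of the request that overlaps the buffer is returned, so
        the result can be shorter than length (or empty).
        """
        offset = addr - self.base_offset
        # A negative index would make the slice count from the end of the
        # buffer and hand back unrelated bytes, so clamp both ends at zero.
        start = max(offset, 0)
        end = max(offset + length, 0)
        return self.data[start:end]

    def zread(self, addr, length):
        """Same as read(); no zero padding is applied by this address space"""
        return self.read(addr, length)

    def write(self, addr, data):
        """Overwrites the buffer at addr; refused unless the WRITE option is set

        Returns False when writing is disabled or addr lies outside the
        buffer, True once the buffer has been updated.
        """
        if not self._config.WRITE:
            return False
        # Translate the address exactly as read() does so that a non-zero
        # base_offset writes to the same bytes that read() returns.
        offset = addr - self.base_offset
        if offset < 0 or offset > len(self.data):
            return False
        self.data = self.data[:offset] + data + self.data[offset + len(data):]
        return True

    def get_available_addresses(self):
        """Yields the single (start address, length) pair covered by the buffer"""
        yield (self.base_offset, len(self.data))
volatility_2.6+git20170711.b3db0cc/volatility/renderers/0000755000000000000000000000000013131215405021326 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/renderers/basic.py0000644000000000000000000000172213131215405022763 0ustar rootroot
__author__ = 'mike'

import volatility.utils as utils

class Bytes(bytes):
    """String class to allow us to encode binary data"""

    def __new__(cls, data):
        # Missing data is shown as "-", anything else as its hex encoding
        if data is None:
            return str.__new__(cls, "-")
        return str.__new__(cls, data.encode("hex"))

class Address(long):
    """Integer class to allow renderers to differentiate between addresses and numbers"""

    def __new__(cls, number):
        return long.__new__(cls, number)

class Address64(long):
    """Integer class to allow renderers to differentiate between addresses and numbers"""

    def __new__(cls, number):
        return long.__new__(cls, number)

class Hex(long):
    """Integer class to allow renderers to differentiate between addresses and numbers"""

    def __new__(cls, number):
        return long.__new__(cls, number)

class Renderer(object):
    def render(self, outfd, grid):
        """Renders the content, ideally to outfd, but this is not strictly necessary"""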
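volatility_2.6+git20170711.b3db0cc/volatility/renderers/dot.py0000644000000000000000000000311513131215405022466 0ustar rootroot
from volatility import debug
from volatility.renderers.basic import Renderer

__author__ = 'mike'

class DotRenderer(Renderer):
    """Writes a TreeGrid as a Graphviz digraph with one Mrecord node per row"""

    # Characters that carry structure inside a quoted record label. Cell text
    # is produced from the analysed image, so each one is replaced before the
    # text is placed in a label.
    _label_unsafe = "|\"{}<>\\\r\n"

    def __init__(self, renderers_func, config):
        self._config = config
        self._columns = None
        self._text_cell_renderers_func = renderers_func
        self._text_cell_renderers = None

    def description(self, node):
        """Builds the record label for a node: one "name: value" field per column"""
        output = []
        for column in self._columns:
            text = self._text_cell_renderers[column.index].render(node.values[column.index])
            field = column.name + ": " + text
            for char in self._label_unsafe:
                field = field.replace(char, "_")
            output.append(field)
        return "|".join(output)

    def _add_node(self, node, data):
        """Visitor callback: emits the node and the edge from its parent

        data is the (outfd, accumulator) pair; accumulator maps each node seen
        so far to its number, with None (the root) mapped to 0.
        """
        outfd, accumulator = data
        accumulator[node] = max(accumulator.values()) + 1
        outfd.write(" Node" + str(accumulator[node]) + " [label=\"{" + self.description(node) + "}\"];\n")
        # Top-level rows hang off the root (number 0) and get no edge
        if accumulator[node.parent] != 0:
            outfd.write(" Node" + str(accumulator[node.parent]) + " -> Node" + str(accumulator[node]) + ";\n")
        return (outfd, accumulator)

    def render(self, outfd, grid):
        """Renders the TreeGrid in data out to the output file from the config options"""
        self._columns = grid.columns
        self._text_cell_renderers = self._text_cell_renderers_func(self._columns)

        if grid.max_depth() <= 1:
            debug.warning("Dot output will be unhelpful since the TreeGrid is a flat list")
        outfd.write("digraph output {\n node[shape = Mrecord];\n # rankdir=LR;\n")
        grid.visit(None, self._add_node, (outfd, {None: 0}))
        outfd.write("}\n")
volatility_2.6+git20170711.b3db0cc/volatility/renderers/xlsx.py0000644000000000000000000000350113131215405022675 0ustar rootroot
from volatility import debug
from volatility.renderers.basic import Renderer

__author__ = "gleeda"

try:
    from openpyxl.workbook import Workbook
    from openpyxl.writer.excel import ExcelWriter
    from openpyxl.cell import get_column_letter
    from openpyxl.styles import Color, Fill, Style, PatternFill, Border, Side, Alignment, Protection, Font
    from openpyxl.cell import Cell
    from openpyxl import load_workbook
    has_openpyxl = True
except ImportError:
    has_openpyxl = False

class XLSXRenderer(Renderer):
    """Writes a TreeGrid to the workbook named by the OUTPUT_FILE option"""

    def __init__(self, renderers_func, config):
        if not has_openpyxl:
            debug.error("You must install OpenPyxl 2.1.2 for xlsx format:\n\thttps://pypi.python.org/pypi/openpyxl")
        self._config = config
        self._columns = None
        self._text_cell_renderers_func = renderers_func
        self._text_cell_renderers = None
        self._wb = Workbook(optimized_write = True)
        self._ws = self._wb.create_sheet()

    def description(self):
        """Returns the column names, used as the header row"""
        output = []
        for column in self._columns:
            output.append((column.name))
        return output

    def _add_row(self, node, data):
        """Visitor callback: appends the node's values as one worksheet row"""
        accumulator = data
        accumulator[node] = max(accumulator.values()) + 1
        # NOTE(review): the values come from the analysed image. Spreadsheet
        # applications may evaluate a cell that starts with "=" as a formula;
        # confirm how openpyxl stores such strings and consider forcing them
        # to plain text before the workbook is opened on an analyst machine.
        self._ws.append(list(node.values))
        return accumulator

    def render(self, outfd, grid):
        """Renders the TreeGrid in data out to the output file from the config options"""
        if not self._config.OUTPUT_FILE:
            debug.error("Please specify a valid output file using --output-file")
        self._columns = grid.columns
        self._text_cell_renderers = self._text_cell_renderers_func(self._columns)
        self._ws.append(self.description())
        grid.visit(None, self._add_row, {None: 0})
        self._wb.save(filename = self._config.OUTPUT_FILE)
volatility_2.6+git20170711.b3db0cc/volatility/renderers/sqlite.py0000644000000000000000000000627513131215405023213 0ustar rootroot
# Volatility
# Copyright (C) 2008-2015 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.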
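#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

from volatility.renderers.basic import Renderer, Bytes
from volatility import debug
import sqlite3

class SqliteRenderer(Renderer):
    """Writes a TreeGrid into a table of the SQLite file named by OUTPUT_FILE

    The table is named after the plugin and has an ``id`` column followed by
    one column per grid column. Row values are bound as statement parameters;
    only the table and column names are spliced into the SQL text.
    """

    def __init__(self, plugin_name, config):
        self._plugin_name = plugin_name
        self._config = config
        self._db = None
        # [last row id, rows waiting to be inserted]
        self._accumulator = [0,[]]

    # Checked in order by _column_type. Bytes derives from bytes (str on
    # Python 2), so the str entry matches it before the Bytes entry is reached.
    column_types = [(str, "TEXT"),
                    (int, "TEXT"),
                    (float, "TEXT"),
                    (Bytes, "BLOB")]

    def _column_type(self, col_type):
        """Returns the SQL type for the first matching entry, "TEXT" otherwise"""
        for (t, v) in self.column_types:
            if issubclass(col_type, t):
                return v
        return "TEXT"

    def _sanitize_name(self, name):
        """Makes a column name safe to place between double quotes

        Every caller wraps the result in double quotes, so an embedded double
        quote is doubled, which is how SQL escapes it inside a quoted
        identifier. Names without a double quote are returned unchanged.
        """
        return name.replace('"', '""')

    def render(self, outfd, grid):
        """Creates the table if needed and inserts every row of the grid

        outfd is not used; all output goes to the database file.
        """
        if not self._config.OUTPUT_FILE:
            debug.error("Please specify a valid output file using --output-file")

        self._db = sqlite3.connect(self._config.OUTPUT_FILE, isolation_level = None)
        # The table name is inserted unquoted, so this relies on plugin names
        # being plain identifiers.
        create = "CREATE TABLE IF NOT EXISTS " + self._plugin_name + "( id INTEGER, " + \
            ", ".join(['"' + self._sanitize_name(i.name) + '" ' + self._column_type(i.type) for i in grid.columns]) + ")"
        self._db.execute(create)

        def _add_multiple_row(node, accumulator):
            accumulator[0] = accumulator[0] + 1 #id
            accumulator[1].append([accumulator[0]] + [str(v) for v in node.values])
            # Flush in batches so a large grid is not held in memory in full
            if len(accumulator[1]) > 20000:
                self._db.execute("BEGIN TRANSACTION")
                insert = "INSERT INTO " + self._plugin_name + " (id, " + \
                    ", ".join(['"' + self._sanitize_name(i.name) + '"' for i in grid.columns]) + ") " + \
                    " VALUES (?, " + ", ".join(["?"] * len(node.values)) + ")"
                self._db.executemany(insert, accumulator[1])
                accumulator = [accumulator[0], []]
                self._db.execute("COMMIT TRANSACTION")
            self._accumulator = accumulator
            return accumulator

        grid.populate(_add_multiple_row, self._accumulator)

        #Insert last nodes
        if len(self._accumulator[1]) > 0:
            self._db.execute("BEGIN TRANSACTION")
            # Each pending row starts with the id, hence one placeholder fewer
            insert = "INSERT INTO " + self._plugin_name + " (id, " + \
                ", ".join(['"' + self._sanitize_name(i.name) + '"' for i in grid.columns]) + ") " + \
                " VALUES (?, " + ", ".join(["?"] * (len(self._accumulator[1][0])-1)) + ")"
            self._db.executemany(insert, self._accumulator[1])
            self._db.execute("COMMIT TRANSACTION")
volatility_2.6+git20170711.b3db0cc/volatility/renderers/__init__.py0000644000000000000000000002756713131215405023460 0ustar rootroot
"""Renderers

Renderers display the unified output format in some manner (be it text or file or graphical output"""

import collections
import types

Column = collections.namedtuple('Column', ['index', 'name', 'type'])

class TreePopulationError(StandardError):
    """Exception class for accessing functions on an partially populated tree."""
    pass

class TreeNode(collections.Sequence):
    """Class representing a particular node in a tree grid"""

    def __init__(self, path, treegrid, parent, values):
        if not isinstance(treegrid, TreeGrid):
            raise TypeError("Treegrid must be an instance of TreeGrid")
        self._treegrid = treegrid
        self._parent = parent
        self._path = path
        self._validate_values(values)
        self._values = treegrid.RowStructure(*values)

    def __repr__(self):
        return ""

    def __getitem__(self, item):
        return self._treegrid.children(self).__getitem__(item)

    def __len__(self):
        return len(self._treegrid.children(self))

    def _validate_values(self, values):
        """A function for raising exceptions if a given set of values is invalid according to the column properties."""
        if not (isinstance(values, list) and len(values) == len(self._treegrid.columns)):
            raise TypeError(
                "Values must be a list of objects made up of simple types and number the same as the columns")
        for index in range(len(self._treegrid.columns)):
            column = self._treegrid.columns[index]
            if not isinstance(values[index], column.type):
                # A long is accepted where the column was declared as int
                if not (type(values[index]) == long and column.type == int):
                    raise TypeError(
                        "Values item with index " + repr(index) + " is the wrong type for column " + \
                        repr(column.name) + " (got " + str(type(values[index])) + " but expected " + \
                        str(column.type) + ")")

    @property
    def values(self):
        """Returns the list of values from the particular node, based on column.index"""
        return self._values

    @property
    def path(self):
        """Returns a path identifying string

        This should be seen as opaque by external classes,
        Parsing of path locations based on this string are not guaranteed to remain stable.
        """
        return self._path

    @property
    def parent(self):
        """Returns the parent node of this node or None"""
        return self._parent

    @property
    def path_depth(self):
        """Return the path depth of the current node"""
        return len(self.path.split(TreeGrid.path_sep))

    def path_changed(self, path, added = False):
        """Updates the path based on the addition or removal of a node higher up in the tree

        This should only be called by the containing TreeGrid and expects to only be called for affected nodes.
        """
        components = self._path.split(TreeGrid.path_sep)
        changed = path.split(TreeGrid.path_sep)
        changed_index = len(changed) - 1
        if int(components[changed_index]) >= int(changed[-1]):
            components[changed_index] = str(int(components[changed_index]) + (1 if added else -1))
        self._path = TreeGrid.path_sep.join(components)

class TreeGrid(object):
    """Class providing the interface for a TreeGrid (which contains TreeNodes)

    The structure of a TreeGrid is designed to maintain the structure of the tree in a single object.
    For this reason each TreeNode does not hold its children, they are managed by the top level object.
    This leaves the Nodes as simple data carries and prevents them being used to manipulate the tree as a whole.
    This is a data structure, and is not expected to be modified much once created.

    Carrying the children under the parent makes recursion easier, but then every node is its own little tree
    and must have all the supporting tree functions. It also allows for a node to be present in several different trees,
    and to create cycles.
    """

    simple_types = set([int, long, str, float, bytes])

    path_sep = "|"

    def __init__(self, columns, generator):
        """Constructs a TreeGrid object using a specific set of columns

        The TreeGrid itself is a root element, that can have children but no values.
        The TreeGrid does *not* contain any information about formatting,
        these are up to the renderers and plugins.

        :param columns: A list of column tuples made up of (name, type).
        :param generator: A generator that populates the tree/grid structure
        """
        self._populated = False
        self._children = []
        converted_columns = []
        if len(columns) < 1:
            raise ValueError("Columns must be a list containing at least one column")
        for (name, column_type) in columns:
            is_simple_type = False
            for stype in self.simple_types:
                is_simple_type = is_simple_type or issubclass(column_type, stype)
            if not is_simple_type:
                raise TypeError("Column " + name + "'s type " + column_type.__class__.__name__ + " is not a simple type")
            converted_columns.append(Column(len(converted_columns), name, column_type))
        self.RowStructure = collections.namedtuple("RowStructure", [self._sanitize(column.name) for column in converted_columns])
        self._columns = converted_columns
        if generator is None:
            generator = []
        generator = iter(generator)
        self._generator = generator

    def _sanitize(self, text):
        """Turns a column name into a namedtuple field name

        The text is lower-cased, spaces are dropped and any character outside
        the allowed set becomes an underscore.
        """
        output = ""
        for letter in text.lower():
            if letter != ' ':
                output += (letter if letter in '0123456789abcdefghiljklmnopqrstuvwxyz_' else '_')
        return output

    def populate(self, func = None, initial_accumulator = None):
        """Generator that returns the next available Node

        This is equivalent to a one-time visit.
        """
        accumulator = initial_accumulator
        if func is None:
            func = lambda _x, _y: None

        if not self.populated:
            # prev_nodes[i] is the most recent node seen at depth i
            prev_nodes = []
            for (level, item) in self._generator:
                parent_index = min(len(prev_nodes), level)
                parent = prev_nodes[parent_index - 1] if parent_index > 0 else None
                treenode = self._append(parent, item)
                prev_nodes = prev_nodes[0: parent_index] + [treenode]
                accumulator = func(treenode, accumulator)
        self._populated = True

    @property
    def populated(self):
        """Indicates that population has completed and the tree may now be manipulated separately"""
        return self._populated

    @property
    def columns(self):
        """Returns the available columns and their ordering and types"""
        return self._columns

    def children(self, node):
        """Returns the subnodes of a particular node in order"""
        return [node for node, _ in self._find_children(node)]

    def _find_children(self, node):
        """Returns the children list associated with a particular node

        Returns None if the node does not exist
        """
        children = self._children
        try:
            if node is not None:
                for path_component in node.path.split(self.path_sep):
                    _, children = children[int(path_component)]
        except IndexError:
            return []
        return children

    def values(self, node):
        """Returns the values for a particular node

        The values returned are mutable,
        """
        if node is None:
            raise ValueError("Node must be a valid node within the TreeGrid")
        return node.values

    def _append(self, parent, values):
        """Adds a new node at the top level if parent is None, or under the parent node otherwise, after all other children."""
        parent_path = ""
        children = self._find_children(parent)
        if parent is not None:
            parent_path = parent.path + self.path_sep
        newpath = parent_path + str(len(children))
        tree_item = TreeNode(newpath, self, parent, values)
        children.append((tree_item, []))
        return tree_item

    def _insert(self, parent, position, values):
        """Inserts an element into the tree at a specific position"""
        parent_path = ""
        children = self._find_children(parent)
        if parent is not None:
            parent_path = parent.path + self.path_sep
        newpath = parent_path + str(position)
        tree_item = TreeNode(newpath, self, parent, values)
        # Every later sibling, and everything below it, moves up by one
        for node, _ in children[position:]:
            self.visit(node, lambda child, _: child.path_changed(newpath, True))
        children.insert(position, (tree_item, []))
        return tree_item

    def is_ancestor(self, node, descendant):
        """Returns true if descendent is a child, grandchild, etc of node

        A node compared with itself is still reported as True, as before.
        """
        # Compare on a separator boundary: a bare prefix test would treat
        # path "10" as lying underneath path "1".
        return (descendant.path == node.path or
                descendant.path.startswith(node.path + self.path_sep))

    def path_depth(self, node):
        """Returns the path depth of a particular node"""
        return node.path_depth

    def max_depth(self):
        """Returns the maximum depth of the tree"""
        # Start from 0 so that an empty tree yields a number rather than None
        return self.visit(None, lambda n, a: max(a, self.path_depth(n)), 0)

    def path_is_valid(self, node):
        """Returns True is a given path is valid for this treegrid"""
        return node in self.children(node.parent)

    def visit(self, node, function, initial_accumulator = None, sort_key = None):
        """Visits all the nodes in a tree, calling function on each one.

        function should have the signature function(node, accumulator) and return new_accumulator
        If accumulators are not needed, the function must still accept a second parameter.

        The order of that the nodes are visited is always depth first, however, the order children are traversed can
        be set based on a sort_key function which should accept a node's values and return something that can be
        sorted to receive the desired order (similar to the sort/sorted key).

        We use the private _find_children function so that we don't have to re-traverse the tree
        for every node we descend further down
        """
        if not self.populated:
            self.populate()

        # Find_nodes is path dependent, whereas _visit is not
        # So in case the function modifies the node's path, find the nodes first
        children = self._find_children(node)
        accumulator = initial_accumulator
        # We split visit into two, so that we don't have to keep calling find_children to traverse the tree
        if node is not None:
            accumulator = function(node, initial_accumulator)
        if children is not None:
            if sort_key is not None:
                children = sorted(children, key = lambda (x, y): sort_key(x.values))
            accumulator = self._visit(children, function, accumulator, sort_key)
        return accumulator

    def _visit(self, list_of_children, function, accumulator, sort_key = None):
        """Visits all the nodes in a tree, calling function on each one"""
        if list_of_children is not None:
            for n, children in list_of_children:
                accumulator = function(n, accumulator)
                if sort_key is not None:
                    children = sorted(children, key = lambda (x, y): sort_key(x.values))
                accumulator = self._visit(children, function, accumulator, sort_key)
        return accumulator

class ColumnSortKey(object):
    """Looks up a column by name (ignoring case) and sorts rows on its value"""

    def __init__(self, treegrid, column_name):
        self._index = None
        for i in treegrid.columns:
            if i.name.lower() == column_name.lower():
                self._index = i.index
        if self._index is None:
            raise ValueError("Column " + column_name + " not found in TreeGrid columns")

    def key(self, values):
        """The key function passed as the sort key"""
        return values[self._index]
volatility_2.6+git20170711.b3db0cc/volatility/renderers/text.py0000644000000000000000000001714313131215405022672 0ustar rootroot
import math
import sys

from volatility import renderers
from volatility.fmtspec import FormatSpec
from volatility.renderers import ColumnSortKey
from volatility.renderers.basic import Address, Address64, Hex, Renderer

__author__ = 'mike'

class CellRenderer(object):
    """Class to handle rendering of a particular cell in a text grid"""
    # The minimum width that the renderer will produce for a value
    width = 0

    def render(self, value):
        """Returns the rendering of an individual value"""
        return value

class FormatCellRenderer(CellRenderer):
    """Class to handle rendering each cell of a grid"""

    def __init__(self, format_spec):
        # A plain format string is parsed into a FormatSpec first
        if not isinstance(format_spec, FormatSpec):
            fs = FormatSpec()
            fs.from_string(format_spec)
            format_spec = fs
        self._format_spec = format_spec

    def render(self, value):
        """Render an individual cell"""
        return ("{0:" + str(self._format_spec) + "}").format(value)

    @property
    def width(self):
        return self._format_spec.minwidth

    @width.setter
    def width(self, value):
        # The width can only grow; a smaller value leaves it unchanged
        self._format_spec.minwidth = max(value, self._format_spec.minwidth)

    def __repr__(self):
        return ""

class TextRenderer(Renderer):
    min_column_width = 5

    def __init__(self, cell_renderers_func, max_width = 200, sort_column = None, config = None):
        """Accepts a cell_renderer function, an optional maximum width and optional sort column.

        The signature of the cell_renderers_function is:

        def cell_renderers(self, TreeGridcolumns):
            return [cell_renderer, cell_renderer, ...]
        """
        self._cell_renderers_func = cell_renderers_func
        self._cell_renderers = None
        self.max_width = max_width
        self.sort_column = sort_column
        self._config = config

    def partition_width(self, widths):
        """Determines if the widths are over the maximum available space, and if so shrinks them"""
        if math.fsum(widths) + (len(widths) - 1) > self.max_width:
            remainder = (int(math.fsum(widths)) + (len(widths) - 1)) - self.max_width
            # Take from the largest column first, eventually evening out
            for i in range(remainder):
                col_index = widths.index(max(widths))
                widths[col_index] -= 1
        return widths

    def _elide(self, string, length):
        """Ensures that strings passed as value are returned no longer than max_width characters long, elided if necessary"""
        if length == -1:
            return string
        if len(string) < length:
            return (" " * (length - len(string))) + string
        elif len(string) == length:
            return string
        else:
            # Columns narrower than min_column_width are never shortened
            if length < self.min_column_width:
                return string
            even = ((length + 1) % 2)
            length = (length - 3) / 2
            return string[:length + even] + "..." + string[-length:]

    def _validate_grid(self, grid):
        """Checks the grid type and builds the list of cell renderers for it"""
        if not isinstance(grid, renderers.TreeGrid):
            raise TypeError("Grid must be of type TreeGrid")
        self._cell_renderers = self._cell_renderers_func(grid.columns)
        if not isinstance(self._cell_renderers, list):
            raise TypeError("cell_renderers must be of type list")
        for item in self._cell_renderers:
            if not isinstance(item, CellRenderer):
                raise TypeError("Items within the cell_renderers list must be of type CellRenderer")

    def render(self, outfd, grid):
        """Renders a text grid based on the contents of each element"""
        sort_key = None
        if self.sort_column:
            sort_key = ColumnSortKey(grid, self.sort_column).key

        self._validate_grid(grid)
        # Determine number of columns
        # if self._config and self._config.VERBOSE:
        #     qtr = QuickTextRenderer(self._cell_renderers_func)
        #     output = sys.stdout
        #     output.write("Immediate (verbose) output:\n")
        #     qtr.render(output, grid)
        #     output.write("\n")
        #     output.flush()
        grid_depth = grid.visit(None, lambda x, y: max(y, grid.path_depth(x)), 0)

        # Determine max width of each column
        grid_max_widths = [0] * len(grid.columns)

        def gridwidth(node, accumulator = None):
            for vindex in range(len(node.values)):
                entry = self._cell_renderers[vindex].render(node.values[vindex])
                accumulator[vindex] = max(len(entry), accumulator[vindex])
            return accumulator

        grid.visit(None, gridwidth, grid_max_widths)

        # A tree gets an extra leading column that shows the depth marker
        if grid_depth > 1:
            grid_max_widths = [grid_depth * 1] + grid_max_widths

        # Figure out how to partition the available widths
        new_grid_widths = self.partition_width(grid_max_widths)

        # If the grid_max_widths have not been limited,
        if new_grid_widths == grid_max_widths:
            for i in range(len(grid.columns)):
                index = i + (1 if grid_depth > 1 else 0)
                grid_max_widths[index] = max(grid_max_widths[index], len(grid.columns[i].name))

        for i in range(len(grid.columns)):
            index = i + (1 if grid_depth > 1 else 0)
            self._cell_renderers[i].width = grid_max_widths[index]
            grid_max_widths[index] = self._cell_renderers[i].width

        cols = []
        for index in range(len(grid_max_widths)):
            if grid_depth > 1:
                if index == 0:
                    cols += [" " * grid_max_widths[index]]
                    continue
                else:
                    column = grid.columns[index - 1]
            else:
                column = grid.columns[index]
            cols += [
                self._elide(("{0:<" + str(grid_max_widths[index]) + "}").format(column.name), grid_max_widths[index])]
        outfd.write(" ".join(cols) + "\r\n")

        def print_row(node, accumulator):
            row = []
            for index in range(len(grid_max_widths)):
                if grid_depth > 1:
                    if index == 0:
                        row += [(" " * (grid.path_depth(node) - 1)) + ">" + (
                            " " * (grid_max_widths[0] - grid.path_depth(node)))]
                        continue
                    else:
                        column = grid.columns[index - 1]
                else:
                    column = grid.columns[index]

                column_text = self._cell_renderers[column.index].render(node.values[column.index])
                row += [self._elide(column_text, grid_max_widths[index])]
            accumulator += [" ".join(row)]
            return accumulator

        output = []
        grid.visit(None, print_row, output, sort_key = sort_key)
        outfd.write("\r\n".join(output) + "\r\n")

class GrepTextRenderer(TextRenderer):
    def render(self, outfd, grid):
        """Writes one "|"-separated line per row, prefixed with one ">" per level of depth"""
        self._validate_grid(grid)

        # Determine max width of each column
        grid_max_widths = [0] * len(grid.columns)

        # If the grid_max_widths have not been limited,
        headers = []
        for i in range(len(grid.columns)):
            grid_max_widths[i] = max(grid_max_widths[i], len(grid.columns[i].name))
            headers += [grid.columns[i].name]
        outfd.write("|".join(headers) + "\n")

        def print_row(node, outfd):
            outfd.write(">" * grid.path_depth(node))
            # Cell text is written as rendered, so a "|" inside a value is
            # not distinguishable from the field separator.
            for column in grid.columns:
                outfd.write("|" + self._cell_renderers[column.index].render(node.values[column.index]))
            outfd.write("\n")
            outfd.flush()
            return outfd

        grid.populate(print_row, outfd)
volatility_2.6+git20170711.b3db0cc/volatility/renderers/html.py0000644000000000000000000000444313131215405022651 0ustar rootroot
import StringIO
from volatility.renderers.basic import Renderer

try:
    import ujson as json
except ImportError:
    import json

__author__ = 'mike'

class HTMLRenderer(Renderer):

    def __init__(self):
        pass

    def render(self, outfd, data):
        """Renders the treegrid to HTML"""
        # json.dumps quotes and escapes each title, so a quote or backslash
        # in a column name cannot end the string literal early.
        column_titles = ", \n".join(["{ \"title\": " + json.dumps(column.name) + "}" for column in data.columns])
        # Named so that it does not hide the json module inside this method
        json_buffer = StringIO.StringIO()
        JSONRenderer().render(json_buffer, data)
        # NOTE(review): the markup between the triple quotes is not present
        # on this page. The row values come from the analysed image; if the
        # JSON is placed inside a script element, "<" should be escaped so a
        # value cannot close that element - confirm against the template.
        outfd.write("""
""" + "\n")

class JSONRenderer(Renderer):
    def render_row(self, node, accumulator):
        """Visitor callback: appends the node's values to the list of rows"""
        return accumulator + [node.values]

    def render(self, outfd, data):
        """Renderers a treegrid as columns/row items in JSON format"""
        # TODO: Implement tree structure in JSON
        if data.max_depth() > 1:
            raise NotImplementedError("JSON output for trees has not yet been implemented")
        # TODO: Output (basic) type information in JSON
        json_input = {"columns": [column.name for column in data.columns], "rows": data.visit(None, self.render_row, [])}
        return outfd.write(json.dumps(json_input))
volatility_2.6+git20170711.b3db0cc/volatility/fmtspec.py0000644000000000000000000000667413131215405021365 0ustar rootroot
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .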
#

import re

class FormatSpec(object):
    """Holds the parts of a format specification as separate attributes

    The attributes are fill, align, sign, altform, minwidth, precision and
    formtype. They can be parsed from a string with from_string(), set
    individually with from_specs(), and joined back together with to_string().
    """

    def __init__(self, string = '', **kwargs):
        # Defaults: empty strings and -1 mean "not specified"
        self.fill = ''
        self.align = ''
        self.sign = ''
        self.altform = False
        self.minwidth = -1
        self.precision = -1
        self.formtype = ''

        if string != '':
            self.from_string(string)

        # Ensure we parse the remaining arguments after the string to that they override
        self.from_specs(**kwargs)

    def from_specs(self, fill = None, align = None, sign = None, altform = None, minwidth = None, precision = None, formtype = None):
        """Sets each attribute whose argument is not None; the others are left as they are"""
        ## Allow setting individual elements using kwargs
        if fill is not None:
            self.fill = fill
        if align is not None:
            self.align = align
        if sign is not None:
            self.sign = sign
        if altform is not None:
            self.altform = altform
        if minwidth is not None:
            self.minwidth = minwidth
        if precision is not None:
            self.precision = precision
        if formtype is not None:
            self.formtype = formtype

    def from_string(self, formatspec):
        """Parses formatspec and stores the parts that are present

        Raises ValueError when the string does not match the expected layout.
        """
        # Format specifier regular expression
        # Groups: 1 fill/align, 2 sign, 3 "#", 4 leading "0", 5 width,
        # 6 ".precision", 7 type character
        regexp = "\A(.[<>=^]|[<>=^])?([-+ ]|\(\))?(#?)(0?)(\d*)(\.\d+)?(.)?\Z"
        match = re.search(regexp, formatspec)

        if match is None:
            raise ValueError("Invalid format specification: " + formatspec)

        if match.group(1):
            fillalign = match.group(1)
            # Two characters are fill then align, a single one is align only
            if len(fillalign) > 1:
                self.fill = fillalign[0]
                self.align = fillalign[1]
            elif fillalign:
                self.align = fillalign

        if match.group(2):
            self.sign = match.group(2)
        if match.group(3):
            self.altform = len(match.group(3)) > 0
        if len(match.group(4)):
            # A leading "0" supplies the fill (and "=" alignment) only when
            # no fill was given explicitly
            if not self.fill:
                self.fill = "0"
                if not self.align:
                    self.align = "="
        if match.group(5):
            self.minwidth = int(match.group(5))
        if match.group(6):
            # Drop the leading "." before converting
            self.precision = int(match.group(6)[1:])
        if match.group(7):
            self.formtype = match.group(7)

    def to_string(self):
        """Joins the stored parts back into a format specification string"""
        formatspec = ""
        # fill is only emitted together with an alignment character
        if self.align:
            formatspec = self.fill + self.align
        formatspec += self.sign
        # NOTE(review): from_string stores "()" as a whole, so this branch is
        # only reached when sign was set to "(" through from_specs - confirm
        if self.sign == '(':
            formatspec += ')'
        if self.altform:
            formatspec += '#'
        if self.minwidth >= 0:
            formatspec += str(self.minwidth)
        if self.precision >= 0:
            formatspec += '.' + str(self.precision)
        formatspec += self.formtype
        return formatspec

    def __str__(self):
        return self.to_string()

    def __repr__(self):
        return ""
volatility_2.6+git20170711.b3db0cc/volatility/scan.py0000644000000000000000000001530013131215405020632 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Derived from source in PyFlag developed by:
# Copyright 2004: Commonwealth of Australia.
# Michael Cohen
# David Collett
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
# Special thanks to Michael Cohen for ideas and comments!
#

#pylint: disable-msg=C0111

"""
@author: AAron Walters
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net
@organization: Volatility Foundation
"""
import volatility.debug as debug
import volatility.registry as registry
import volatility.addrspace as addrspace
import volatility.constants as constants
import volatility.conf as conf

########### Following is the new implementation of the scanning
########### framework. The old framework was based on PyFlag's
########### scanning framework which is probably too complex for this.
class BaseScanner(object):
    """ A more thorough scanner which checks every byte """

    # List of (ScannerCheck class name, keyword-argument dict) pairs;
    # scan() instantiates one check per entry
    checks = []

    def __init__(self, window_size = 8):
        self.buffer = addrspace.BufferAddressSpace(conf.DummyConfig(), data = '\x00' * 1024)
        self.window_size = window_size
        self.constraints = []
        # Number of failing constraints tolerated by check_addr
        self.error_count = 0

    def check_addr(self, found):
        """ Runs every constraint against the offset found.

        Returns True when no more than self.error_count constraints
        fail and False otherwise.  The loop stops as soon as the
        failure budget is exceeded, which allows an early exit.  A
        constraint that raises is counted as a failure.
        """
        failures = 0
        for constraint in self.constraints:
            ## constraints can raise for an error
            try:
                passed = constraint.check(found)
            except Exception:
                debug.b()
                passed = False

            if not passed:
                failures += 1

            if failures > self.error_count:
                return False

        return True

    # Extra bytes read beyond each block so that consecutive blocks overlap
    overlap = 20

    def scan(self, address_space, offset = 0, maxlen = None):
        """ Generator yielding every offset in address_space that passes check_addr.

        Scanning starts at offset and, when maxlen is given, does not
        go past offset + maxlen.
        """
        self.buffer.profile = address_space.profile
        current_offset = offset

        ## Instantiate the constraints from the ScannerCheck classes
        ## named in self.checks
        self.constraints = []
        for class_name, args in self.checks:
            constraint = registry.get_plugin_classes(ScannerCheck)[class_name](self.buffer, **args)
            self.constraints.append(constraint)

        ## Collect the checks that also provide a skip method
        skippers = []
        for constraint in self.constraints:
            if hasattr(constraint, "skip"):
                skippers.append(constraint)

        for (range_start, range_size) in sorted(address_space.get_available_addresses()):
            # Move forward to the start of this range if we are still before it
            current_offset = max(range_start, current_offset)
            range_end = range_start + range_size

            # Clamp the end of the range to the requested maximum length
            if maxlen:
                range_end = min(range_end, offset + maxlen)

            while current_offset < range_end:
                # Here range_start <= current_offset < range_end.
                # Read one block plus the overlap, but never past the range
                block_len = min(constants.SCAN_BLOCKSIZE + self.overlap, range_end - current_offset)

                # zread is used because there are often invalid pages
                # in the DTB
                data = address_space.zread(current_offset, block_len)
                self.buffer.assign_buffer(data, current_offset)

                ## Run the checks at each position of this block
                pos = 0
                while pos < block_len:
                    if self.check_addr(pos + current_offset):
                        ## yield the offset to the start of the memory
                        ## (after the pool tag)
                        yield pos + current_offset

                    ## Advance by one byte by default.  Checks that have
                    ## a skip method report how far ahead nothing can
                    ## match, and the largest such distance is taken.
                    ## FIXME - currently skippers assume that the check
                    ## must match, therefore we can skip the unmatchable
                    ## region, but its possible that a scanner needs to
                    ## match only some checkers.
                    step = 1
                    for skipper in skippers:
                        step = max(step, skipper.skip(data, pos))

                    pos += step

                # Advance by at most one block so the overlap is rescanned
                current_offset += min(constants.SCAN_BLOCKSIZE, block_len)

class DiscontigScanner(BaseScanner):
    """ Deprecated alias that warns and then delegates to BaseScanner.scan """

    def scan(self, address_space, offset = 0, maxlen = None):
        debug.warning("DiscontigScanner has been deprecated, all functionality is now contained in BaseScanner")
        for hit in BaseScanner.scan(self, address_space, offset, maxlen):
            yield hit

class ScannerCheck(object):
    """ A scanner check is a special class which is invoked on an AS to check for a specific condition.

    The main method is def check(self, offset):
    This will return True if the condition is true or False otherwise.

    This class is the base class for all checks.
    """
    def __init__(self, address_space, **_kwargs):
        self.address_space = address_space

    def object_offset(self, offset, address_space):
        # The base implementation returns the offset unchanged
        return offset

    def check(self, _offset):
        # The base implementation never matches
        return False

    ## If you want to speed up the scanning define this method - it
    ## will be used to skip the data which is obviously not going to
    ## match. You will need to return the number of bytes from offset
    ## to skip to. We take the maximum number of bytes to guarantee
    ## that all checks have a chance of passing.
    #def skip(self, data, offset):
    #    return -1

volatility_2.6+git20170711.b3db0cc/volatility/win32/0000755000000000000000000000000013131215405020277 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/win32/hashdump.py0000644000000000000000000002554713131215405022477 0ustar rootroot
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
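#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

#pylint: disable-msg=C0111

"""
@author: Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: bdolangavitt@wesleyan.edu
"""

import volatility.obj as obj
import volatility.win32.rawreg as rawreg
import volatility.win32.hive as hive
from Crypto.Hash import MD5, MD4
from Crypto.Cipher import ARC4, DES
from struct import unpack, pack

# Lookup table indexed by a byte value; str_to_key uses it to produce
# the final key bytes
odd_parity = [
  1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
  16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
  32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
  49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
  64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
  81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
  97, 97, 98, 98, 100, 100, 103, 103, 104, 104, 107, 107, 109, 109, 110, 110,
  112, 112, 115, 115, 117, 117, 118, 118, 121, 121, 122, 122, 124, 124, 127, 127,
  128, 128, 131, 131, 133, 133, 134, 134, 137, 137, 138, 138, 140, 140, 143, 143,
  145, 145, 146, 146, 148, 148, 151, 151, 152, 152, 155, 155, 157, 157, 158, 158,
  161, 161, 162, 162, 164, 164, 167, 167, 168, 168, 171, 171, 173, 173, 174, 174,
  176, 176, 179, 179, 181, 181, 182, 182, 185, 185, 186, 186, 188, 188, 191, 191,
  193, 193, 194, 194, 196, 196, 199, 199, 200, 200, 203, 203, 205, 205, 206, 206,
  208, 208, 211, 211, 213, 213, 214, 214, 217, 217, 218, 218, 220, 220, 223, 223,
  224, 224, 227, 227, 229, 229, 230, 230, 233, 233, 234, 234, 236, 236, 239, 239,
  241, 241, 242, 242, 244, 244, 247, 247, 248, 248, 251, 251, 253, 253, 254, 254
]

# Permutation matrix for boot key
p = [ 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
      0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 ]

# Constants for SAM decrypt algorithm
aqwerty = "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
anum = "0123456789012345678901234567890123456789\0"
antpassword = "NTPASSWORD\0"
almpassword = "LMPASSWORD\0"
lmkey = "KGS!@#$%"

empty_lm = "aad3b435b51404eeaad3b435b51404ee".decode('hex')
empty_nt = "31d6cfe0d16ae931b73c59d7e0c089c0".decode('hex')

# NOTE(review): the DES, RC4, MD4 and MD5 primitives used below mirror
# the stored format this module parses; they are not a pattern to reuse
# for protecting new data.

def str_to_key(s):
    """Expands the first 7 characters of s into an 8 character key string.

    The 56 input bits are spread over eight 7-bit values, each value is
    shifted left by one bit and then mapped through odd_parity.
    """
    key = []
    key.append(ord(s[0]) >> 1)
    key.append(((ord(s[0]) & 0x01) << 6) | (ord(s[1]) >> 2))
    key.append(((ord(s[1]) & 0x03) << 5) | (ord(s[2]) >> 3))
    key.append(((ord(s[2]) & 0x07) << 4) | (ord(s[3]) >> 4))
    key.append(((ord(s[3]) & 0x0F) << 3) | (ord(s[4]) >> 5))
    key.append(((ord(s[4]) & 0x1F) << 2) | (ord(s[5]) >> 6))
    key.append(((ord(s[5]) & 0x3F) << 1) | (ord(s[6]) >> 7))
    key.append(ord(s[6]) & 0x7F)
    for i in range(8):
        key[i] = (key[i] << 1)
        key[i] = odd_parity[key[i]]
    return "".join(chr(k) for k in key)

def sid_to_key(sid):
    """Builds two key strings from the low 32 bits of the integer sid.

    The four bytes are taken least significant first and repeated to
    fill 7 characters; the second string uses the same bytes rotated.
    Both are passed through str_to_key and returned as a pair.
    """
    s1 = ""
    s1 += chr(sid & 0xFF)
    s1 += chr((sid >> 8) & 0xFF)
    s1 += chr((sid >> 16) & 0xFF)
    s1 += chr((sid >> 24) & 0xFF)
    s1 += s1[0]
    s1 += s1[1]
    s1 += s1[2]
    s2 = s1[3] + s1[0] + s1[1] + s1[2]
    s2 += s2[0] + s2[1] + s2[2]

    return str_to_key(s1), str_to_key(s2)

def hash_lm(pw):
    """Returns the 16 byte result of DES-encrypting lmkey with both halves of pw.

    pw is truncated to 14 characters, upper-cased and padded with NUL
    characters before it is split into two 7 character keys.
    """
    pw = pw[:14].upper()
    pw = pw + ('\0' * (14 - len(pw)))
    d1 = DES.new(str_to_key(pw[:7]), DES.MODE_ECB)
    d2 = DES.new(str_to_key(pw[7:]), DES.MODE_ECB)
    return d1.encrypt(lmkey) + d2.encrypt(lmkey)

def hash_nt(pw):
    """Returns the MD4 digest of pw encoded as UTF-16-LE."""
    return MD4.new(pw.encode('utf-16-le')).digest()

def find_control_set(sysaddr):
    """Returns the data of the "Current" value under the Select key.

    Falls back to 1 when the root key, the Select key or the value
    cannot be found.
    """
    root = rawreg.get_root(sysaddr)
    if not root:
        return 1

    csselect = rawreg.open_key(root, ["Select"])
    if not csselect:
        return 1

    for v in rawreg.values(csselect):
        if v.Name == "Current":
            return v.Data

    return 1

def get_bootkey(sysaddr):
    """Assembles the boot key from the class names of four Lsa subkeys.

    The class data of JD, Skew1, GBG and Data under
    ControlSetNNN\\Control\\Lsa is decoded from UTF-16-LE hex text,
    concatenated and reordered with the permutation p.

    Returns the permuted key, an empty string when a class name cannot
    be read, or None when a key is missing or the data is malformed.
    All three failure results are false in a boolean test.
    """
    cs = find_control_set(sysaddr)
    lsa_base = ["ControlSet{0:03}".format(cs), "Control", "Lsa"]
    lsa_keys = ["JD", "Skew1", "GBG", "Data"]

    root = rawreg.get_root(sysaddr)
    if not root:
        return None

    lsa = rawreg.open_key(root, lsa_base)
    if not lsa:
        return None

    bootkey = ""

    for lk in lsa_keys:
        key = rawreg.open_key(lsa, [lk])
        class_data = sysaddr.read(key.Class, key.ClassLength)
        if class_data == None:
            return ""
        # The class data is read from the image under analysis and may
        # be damaged or deliberately malformed, so a decoding failure is
        # reported as "no key" instead of propagating
        try:
            bootkey += class_data.decode('utf-16-le').decode('hex')
        except (TypeError, UnicodeError):
            return None

    # The permutation below indexes exactly len(p) positions; any other
    # length used to end in an IndexError
    if len(bootkey) != len(p):
        return None

    bootkey_scrambled = ""
    for i in range(len(bootkey)):
        bootkey_scrambled += bootkey[p[i]]

    return bootkey_scrambled

def get_hbootkey(samaddr, bootkey):
    """Derives the hashed boot key from the F value of SAM\\Domains\\Account.

    An RC4 key is computed as the MD5 digest of F[0x70:0x80], aqwerty,
    bootkey and anum, and is used on F[0x80:0xA0].  Returns None when
    bootkey is empty or the key or value cannot be read.
    """
    sam_account_path = ["SAM", "Domains", "Account"]

    if not bootkey:
        return None

    root = rawreg.get_root(samaddr)
    if not root:
        return None

    sam_account_key = rawreg.open_key(root, sam_account_path)
    if not sam_account_key:
        return None

    F = None
    for v in rawreg.values(sam_account_key):
        if v.Name == 'F':
            F = samaddr.read(v.Data, v.DataLength)
    if not F:
        return None

    # NOTE(review): the length of F is not checked; a value shorter than
    # 0xA0 bytes yields short slices and therefore a wrong key rather
    # than an error
    md5 = MD5.new()
    md5.update(F[0x70:0x80] + aqwerty + bootkey + anum)
    rc4_key = md5.digest()

    rc4 = ARC4.new(rc4_key)
    hbootkey = rc4.encrypt(F[0x80:0xA0])

    return hbootkey

def get_user_keys(samaddr):
    """Returns the subkeys of SAM\\Domains\\Account\\Users except the one named "Names".

    Returns an empty list when the root key or the Users key is missing.
    """
    user_key_path = ["SAM", "Domains", "Account", "Users"]

    root = rawreg.get_root(samaddr)
    if not root:
        return []

    user_key = rawreg.open_key(root, user_key_path)
    if not user_key:
        return []

    return [k for k in rawreg.subkeys(user_key) if k.Name != "Names"]

# NOTE(review): the page is damaged from the pack(" call below up to the
# licence header of the following file, so the remainder of this function
# and of this module is not visible; the text is kept as found.
def decrypt_single_hash(rid, hbootkey, enc_hash, lmntstr):
    (des_k1, des_k2) = sid_to_key(rid)
    d1 = DES.new(des_k1, DES.MODE_ECB)
    d2 = DES.new(des_k2, DES.MODE_ECB)

    md5 = MD5.new()
    md5.update(hbootkey[:0x10] + pack(" # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see .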
#

#pylint: disable-msg=C0111

"""
@author: Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: bdolangavitt@wesleyan.edu
"""

import struct
import volatility.obj as obj
import volatility.win32.rawreg as rawreg
import volatility.win32.hive as hive
import volatility.win32.hashdump as hashdump
from Crypto.Hash import MD5, SHA256
from Crypto.Cipher import ARC4, DES, AES

def decrypt_aes(secret, key):
    """
    Based on code from http://lab.mediaservice.net/code/cachedump.rb

    Derives an AES key as the SHA256 digest of key followed by 1000
    repetitions of secret[28:60], then decrypts secret from offset 60
    onwards in 16 byte blocks.  A short final block is padded with NUL
    characters before decryption.
    """
    digest = SHA256.new()
    digest.update(key)
    salt = secret[28:60]
    for _round in range(1000):
        digest.update(salt)
    aeskey = digest.digest()

    blocks = []
    for start in range(60, len(secret), 16):
        # A fresh cipher with an all-zero IV is created for every block,
        # so no chaining state carries over between blocks
        cipher = AES.new(aeskey, AES.MODE_CBC, '\x00' * 16)
        chunk = secret[start : start + 16]
        if len(chunk) < 16:
            chunk += (16 - len(chunk)) * "\00"
        blocks.append(cipher.decrypt(chunk))

    return "".join(blocks)

def get_lsa_key(addr_space, secaddr, bootkey):
    """Recovers the LSA key from the first value of the Policy key named by VolMagic.

    Profiles whose 'major' metadata equals 5 use an MD5-derived RC4 key;
    all other profiles go through decrypt_aes.  Returns None when
    bootkey is empty or any registry lookup or read fails.
    """
    if not bootkey:
        return None

    root = rawreg.get_root(secaddr)
    if not root:
        return None

    magic = obj.VolMagic(addr_space)
    policy_key = rawreg.open_key(root, ["Policy", magic.PolicyKey.v()])
    if not policy_key:
        return None

    policy_value = policy_key.ValueList.List.dereference()[0]
    if not policy_value:
        return None

    obf_lsa_key = secaddr.read(policy_value.Data, policy_value.DataLength)
    if not obf_lsa_key:
        return None

    # NOTE(review): the slices below assume obf_lsa_key is long enough;
    # a shorter read yields a short or empty result rather than an error
    if addr_space.profile.metadata.get('major', 0) != 5:
        return decrypt_aes(obf_lsa_key, bootkey)[68:100]

    hasher = MD5.new()
    hasher.update(bootkey)
    for _round in range(1000):
        hasher.update(obf_lsa_key[60:76])

    stream = ARC4.new(hasher.digest())
    return stream.decrypt(obf_lsa_key[12:60])[0x10:0x20]

# NOTE(review): the page is damaged from the struct.unpack(" call below
# up to the licence header of the following file, so the remainder of
# this function and of this module is not visible; the text is kept as
# found.
def decrypt_secret(secret, key):
    """Python implementation of SystemFunction005.

    Decrypts a block of data with DES using given key.
    Note that key can be longer than 7 bytes."""
    decrypted_data = ''
    j = 0   # key index
    for i in range(0, len(secret), 8):
        enc_block = secret[i:i + 8]
        block_key = key[j:j + 7]
        des_key = hashdump.str_to_key(block_key)

        des = DES.new(des_key, DES.MODE_ECB)
        enc_block = enc_block + "\x00" * int(abs(8 - len(enc_block)) % 8)
        decrypted_data += des.decrypt(enc_block)

        j += 7
        if len(key[j:j + 7]) < 7:
            j = len(key[j:j + 7])

    (dec_data_len,) = struct.unpack(" # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see .
# """ @author: AAron Walters and Brendan Dolan-Gavitt @license: GNU General Public License 2.0 @contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu @organization: Volatility Foundation Tool: This tool generates a crash dump from a image of ram """ #pylint: disable-msg=C0111 #from forensics.object import get_obj_offset #from forensics.win32.info import find_psactiveprocesshead #from forensics.win32.info import find_psloadedmodulelist #from forensics.win32.info import find_mmpfndatabase #from forensics.win32.info import find_kddebuggerdatablock #from forensics.win32.info import find_systemtime #from forensics.win32.info import find_suitemask #from forensics.win32.tasks import process_list #from forensics.win32.tasks import process_addr_space #from forensics.win32.tasks import peb_number_processors #from forensics.win32.tasks import process_peb #from forensics.win32.tasks import * dump_hdr = "" # 0x00 dump_hdr += "\x50\x41\x47\x45\x44\x55\x4D\x50\x0F\x00\x00\x00\x28\x0A\x00\x00" # 0x10 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x20 dump_hdr += "\x4C\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x30 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x50\x41\x47\x45" # 0x40 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x50 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x00\x41\x47\x45" # 0x60 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x70 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x80 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x90 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0xa0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0xb0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0xc0 dump_hdr += 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0xd0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0xe0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0xf0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x100 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x110 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x120 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x130 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x140 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x150 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x160 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x170 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x180 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x190 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x1a0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x1b0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x1c0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x1d0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x1e0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x1f0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x200 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x210 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x220 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x230 dump_hdr += 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x240 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x250 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x260 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x270 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x280 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x290 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x2a0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x2b0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x2c0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x2d0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x2e0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x2f0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x300 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x310 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x320 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x330 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x340 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x350 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x360 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x370 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x380 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x390 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x3a0 dump_hdr 
+= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x3b0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x3c0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x3d0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x3e0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x3f0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x400 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x410 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x420 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x430 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x440 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x450 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x460 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x470 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x480 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x490 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x4a0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x4b0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x4c0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x4d0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x4e0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x4f0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x500 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x510 
dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x520 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x530 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x540 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x550 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x560 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x570 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x580 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x590 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x5a0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x5b0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x5c0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x5d0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x5e0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x50\x41\x47\x45" # 0x5f0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x600 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x610 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x620 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x630 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x640 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x650 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x660 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x670 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 
0x680 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x690 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x6a0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x6b0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x6c0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x6d0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x6e0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x6F0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x700 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x710 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x720 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x730 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x740 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x750 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x760 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x770 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x780 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x790 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x7a0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x7b0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x7c0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x00\x41\x47\x45" # 0x7d0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x7e0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
# 0x7f0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x800 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x810 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x820 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x830 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x840 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x850 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x860 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x870 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x880 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x890 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x8a0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x8b0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x8c0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x8d0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x8e0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x8f0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x900 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x910 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x920 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x930 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x940 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x950 dump_hdr += 
"\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x960 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x970 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x980 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x990 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x9a0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x9b0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x9c0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x9d0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x9e0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0x9f0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xA00 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xA10 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xA20 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xA30 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xA40 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xA50 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xA60 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xA70 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xA80 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xA90 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xAa0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xAb0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xAc0 dump_hdr 
+= "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xAd0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xAe0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xAf0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xb00 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xb10 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xb20 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xb30 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xb40 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xb50 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xb60 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xb70 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xb80 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xb90 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xba0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xbb0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xbc0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xbd0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xbe0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xbf0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xc00 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xc10 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xc20 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xc30 
dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xc40 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xc50 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xc60 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xc70 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xc80 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xc90 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xca0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xcb0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xcc0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xcd0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xce0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xcf0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xd00 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xd10 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xd20 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xd30 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xd40 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xd50 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xd60 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xd70 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xd80 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xd90 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 
0xda0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xdb0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xdc0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xdd0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xde0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xdf0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xe00 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xe10 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xe20 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xe30 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xe40 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xe50 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xe60 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xe70 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xe80 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xe90 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xea0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xeb0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xec0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xed0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xee0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xef0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" #0xf00 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" 
#0xf10 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" #0xf20 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" #0xf30 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" #0xf40 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" #0xf50 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xf60 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xf70 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xf80 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x01\x00\x00\x00\x50\x41\x47\x45" # 0xF90 dump_hdr += "\x50\x41\x47\x45\x01\x00\x00\x00\x10\x01\x00\x00\x00\x00\x00\x00" # 0xFA0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x50\x41\x47\x45\x00\x41\x47\x45" # 0xFB0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x00\x00\x00\x00\x00\x00\x00\x00" # 0xFC0 dump_hdr += "\x00\x00\x00\x00\x00\x00\x00\x00\x50\x41\x47\x45\x50\x41\x47\x45" # 0xFD0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xFE0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" # 0xFF0 dump_hdr += "\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45\x50\x41\x47\x45" num_of_runs = 0x00000001 base_page = 0x00000000 pae_enabled = 0x01 #def find_numberprocessors(addr_space, types): # # NumberOfProcessorsDict = dict() # all_tasks = process_list(addr_space, types) # # for task in all_tasks: # # if not addr_space.is_valid_address(task): # continue # # process_address_space = process_addr_space(addr_space, types, task, addr_space.base.fname) # if process_address_space is None: # continue # # peb = process_peb(addr_space, types, task) # # try: # if not process_address_space.is_valid_address(peb): # continue # except: # continue # # NumberOfProcessors = peb_number_processors(process_address_space, types, peb) # if NumberOfProcessors in NumberOfProcessorsDict: # 
NumberOfProcessorsDict[NumberOfProcessors] += 1 # else: # NumberOfProcessorsDict[NumberOfProcessors] = 1 # # MaxNumberOfProcessors = max([ (NumberOfProcessorsDict[x], x) for x in NumberOfProcessorsDict])[1] # # return MaxNumberOfProcessors # #def write_char_phys(value, member_list, hdr, types): # # (offset, _current_type) = get_obj_offset(types, member_list) # new_hdr = hdr[:offset] + struct.pack('=B', value) + hdr[offset+1:] # return new_hdr # #def write_long_phys(value, member_list, hdr, types): # # (offset, _current_type) = get_obj_offset(types, member_list) # new_hdr = hdr[:offset] + struct.pack('=I', value) + hdr[offset+4:] # return new_hdr # #def write_long_long_phys(value, member_list, hdr, types): # # (offset, _current_type) = get_obj_offset(types, member_list) # new_hdr = hdr[:offset] + struct.pack('=Q', value) + hdr[offset+8:] # return new_hdr # #def dd_to_crash(addr_space, types, _symbol_table, opts): # # outfile = opts.outfile # filename = opts.filename # # DirectoryTableBaseValue = addr_space.pgd_vaddr # # PsActiveProcessHead = find_psactiveprocesshead(addr_space, types) # # PsLoadedModuleList = find_psloadedmodulelist(addr_space, types) # # MmPfnDatabase = find_mmpfndatabase(addr_space, types) # # KdDebuggerDataBlock = find_kddebuggerdatablock(addr_space, types) # # NumberOfProcessors = find_numberprocessors(addr_space, types) # # SuiteMask = find_suitemask(addr_space, types) # # SystemTime = find_systemtime(addr_space, types) # # num_pages = os.path.getsize(filename)/4096 # # new_hdr = write_long_phys(DirectoryTableBaseValue, ['_DMP_HEADER', 'DirectoryTableBase'], dump_hdr, types) # new_hdr = write_long_phys(PsLoadedModuleList, ['_DMP_HEADER', 'PsLoadedModuleList'], new_hdr, types) # new_hdr = write_long_phys(PsActiveProcessHead, ['_DMP_HEADER', 'PsActiveProcessHead'], new_hdr, types) # new_hdr = write_long_phys(KdDebuggerDataBlock, ['_DMP_HEADER', 'KdDebuggerDataBlock'], new_hdr, types) # new_hdr = write_long_phys(NumberOfProcessors, ['_DMP_HEADER', 
'NumberProcessors'], new_hdr, types) # new_hdr = write_long_phys(MmPfnDatabase, ['_DMP_HEADER', 'PfnDataBase'], new_hdr, types) # new_hdr = write_long_phys(SuiteMask, ['_DMP_HEADER', 'SuiteMask'], new_hdr, types) # new_hdr = write_long_long_phys(SystemTime, ['_DMP_HEADER', 'SystemTime'], new_hdr, types) # # if addr_space.pae == True: # new_hdr = write_char_phys(pae_enabled, ['_DMP_HEADER', 'PaeEnabled'], new_hdr, types) # # new_hdr = new_hdr[:100] + struct.pack('=I', num_of_runs) + \ # struct.pack('=I', num_pages) + \ # struct.pack('=I', 0x00000000) + \ # struct.pack('=I', num_pages) + \ # new_hdr[116:] # # MI = open(outfile, 'wb') # MI.write("%s" % new_hdr) # # FILEOPEN = open(filename, 'rb') # # offset = 0 # end = os.path.getsize(filename) # # while offset <= end: # fdata = FILEOPEN.read(0x1000) # if fdata == None: # break # MI.write("%s"%fdata) # # progress.update(offset) # offset += 0x1000 # # print # # FILEOPEN.close() # MI.close() # # return volatility_2.6+git20170711.b3db0cc/volatility/win32/modules.py0000644000000000000000000000213513131215405022322 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
def lsmod(addr_space):
    """Lazily yield each module reported by the KDBG structure.

    The KDBG object comes from tasks.get_kdbg(addr_space); the module
    entries are whatever its modules() method produces. Nothing is read
    until the caller starts iterating.
    """
    kdbg = tasks.get_kdbg(addr_space)
    for module in kdbg.modules():
        yield module
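class HiveAddressSpace(addrspace.BaseAddressSpace):
    """Address space that maps registry cell indexes of an in-memory hive
    (an _HHIVE structure) onto addresses in the underlying address space.

    The hive contents come from the memory image under analysis, so every
    lookup may hit an unmapped or paged-out block; read() reports that as
    None and zread() substitutes NUL bytes.
    """

    def __init__(self, base, config, hive_addr, **kwargs):
        """Wrap the _HHIVE found at hive_addr inside the address space base."""
        addrspace.BaseAddressSpace.__init__(self, base, config)
        self.base = base
        self.hive = obj.Object("_HHIVE", hive_addr, base)
        self.baseblock = self.hive.BaseBlock.v()
        self.flat = self.hive.Flat.v() > 0

    def __getstate__(self):
        """Extend the base state with the hive offset needed to rebuild this space."""
        result = addrspace.BaseAddressSpace.__getstate__(self)
        result['hive_addr'] = self.hive.obj_offset
        return result

    def vtop(self, vaddr):
        """Translate a cell index into an address in the base address space.

        The trailing "+ 4" is applied on both paths; save() and stats()
        subtract it again to get back to the start of the block.
        NOTE(review): presumably this skips a 4-byte cell size field - confirm.
        """
        # If the hive is listed as "flat", it is all contiguous in memory
        # so we can just calculate it relative to the base block.
        if self.flat:
            return self.baseblock + vaddr + BLOCK_SIZE + 4

        # Split the cell index into storage type / directory / table / offset
        ci_type = (vaddr & CI_TYPE_MASK) >> CI_TYPE_SHIFT
        ci_table = (vaddr & CI_TABLE_MASK) >> CI_TABLE_SHIFT
        ci_block = (vaddr & CI_BLOCK_MASK) >> CI_BLOCK_SHIFT
        ci_off = (vaddr & CI_OFF_MASK) >> CI_OFF_SHIFT

        block = self.hive.Storage[ci_type].Map.Directory[ci_table].Table[ci_block].BlockAddress

        return block + ci_off + 4

    def read(self, vaddr, length, zero = False):
        """Read length bytes starting at cell index vaddr.

        The request is served block by block (BLOCK_SIZE bytes each): the
        remainder of the first block, then whole blocks, then the tail.
        With zero = False an unreadable part makes the whole read return
        None; with zero = True that part is replaced by NUL bytes so the
        offsets of the readable parts are preserved.
        """
        length = int(length)
        vaddr = int(vaddr)
        first_block = BLOCK_SIZE - vaddr % BLOCK_SIZE
        full_blocks = ((length + (vaddr % BLOCK_SIZE)) / BLOCK_SIZE) - 1
        left_over = (length + vaddr) % BLOCK_SIZE

        # "== None" (not "is None") is kept on purpose: vtop() may hand back
        # a project object that only compares equal to None - TODO confirm.
        paddr = self.vtop(vaddr)
        if paddr == None and zero:
            if length < first_block:
                return "\0" * length
            else:
                stuff_read = "\0" * first_block
        elif paddr == None:
            return None
        else:
            if length < first_block:
                stuff_read = self.base.read(paddr, length)
                if not stuff_read and zero:
                    return "\0" * length
                else:
                    return stuff_read

            stuff_read = self.base.read(paddr, first_block)
            if not stuff_read and zero:
                stuff_read = "\0" * first_block
            elif not stuff_read:
                return None

        new_vaddr = vaddr + first_block
        for _i in range(0, full_blocks):
            paddr = self.vtop(new_vaddr)
            if paddr == None and zero:
                stuff_read = stuff_read + "\0" * BLOCK_SIZE
            elif paddr == None:
                return None
            else:
                new_stuff = self.base.read(paddr, BLOCK_SIZE)
                if not new_stuff and zero:
                    new_stuff = "\0" * BLOCK_SIZE
                elif not new_stuff:
                    return None
                # Append in every surviving case. Previously the zero-filled
                # replacement was built but never appended, which shortened
                # the result and shifted all later data by one block.
                stuff_read = stuff_read + new_stuff
            new_vaddr = new_vaddr + BLOCK_SIZE

        if left_over > 0:
            paddr = self.vtop(new_vaddr)
            if paddr == None and zero:
                stuff_read = stuff_read + "\0" * left_over
            elif paddr == None:
                return None
            else:
                new_stuff = self.base.read(paddr, left_over)
                if not new_stuff and zero:
                    # Honour zero-fill for the tail as well, as the first
                    # and the full blocks already do.
                    new_stuff = "\0" * left_over
                elif new_stuff == None:
                    return None
                stuff_read = stuff_read + new_stuff
        return stuff_read

    def zread(self, addr, length):
        """read() with zero-fill: unreadable parts come back as NUL bytes."""
        return self.read(addr, length, True)

    def read_long_phys(self, addr):
        """Read 4 bytes at addr from the base space and unpack them with '=I'."""
        string = self.base.read(addr, 4)
        (longval,) = struct.unpack('=I', string)
        return longval

    def is_valid_address(self, addr):
        """True when addr is non-zero, translates, and the base space accepts the result."""
        if not addr:
            return False
        vaddr = self.vtop(addr)
        if not vaddr:
            return False
        return self.base.is_valid_address(vaddr)

    def save(self, outf, summary = sys.stdout):
        """Write the base block and every Storage[0] block to outf.

        Blocks that cannot be mapped or read are written as NULs and a
        line describing the gap goes to summary, so the dumped hive keeps
        its layout but is not a complete copy; keep the summary with the
        dump when the result is used as evidence.
        """
        baseblock = self.base.read(self.baseblock, BLOCK_SIZE)
        if baseblock:
            outf.write(baseblock)
        else:
            outf.write("\0" * BLOCK_SIZE)

        length = self.hive.Storage[0].Length.v()
        for i in range(0, length, BLOCK_SIZE):
            data = None

            paddr = self.vtop(i)
            if paddr:
                # vtop() adds 4; step back to the start of the block
                paddr = paddr - 4
                data = self.base.read(paddr, BLOCK_SIZE)
            else:
                summary.write("No mapping found for index {0:x}, filling with NULLs\n".format(i))

            # Also reached when no mapping was found, so an unmapped block
            # produces both summary lines.
            if not data:
                summary.write("Physical layer returned None for index {0:x}, filling with NULL\n".format(i))
                data = '\0' * BLOCK_SIZE

            outf.write(data)

    def stats(self, stable = True):
        """Count and print how many blocks of the hive cannot be read.

        stable selects Storage[0]; otherwise Storage[1] is used and the
        top bit (0x80000000) is set on every index. Returns the tuple
        (bad_blocks_reg, bad_blocks_mem, total_blocks).
        """
        if stable:
            stor = 0
            ci = lambda x: x
        else:
            stor = 1
            ci = lambda x: x | 0x80000000

        length = self.hive.Storage[stor].Length.v()
        total_blocks = length / BLOCK_SIZE
        bad_blocks_reg = 0
        bad_blocks_mem = 0
        for i in range(0, length, BLOCK_SIZE):
            i = ci(i)
            data = None
            # NOTE(review): unlike save(), the 4 is subtracted before the
            # truth test, so a translation result of exactly 4 counts as
            # "not loaded" here - confirm that this is intended.
            paddr = self.vtop(i) - 4

            if paddr:
                data = self.base.read(paddr, BLOCK_SIZE)
            else:
                bad_blocks_reg += 1
                continue

            if not data:
                bad_blocks_mem += 1

        print "{0} bytes in hive.".format(length)
        print "{0} blocks not loaded by CM, {1} blocks paged out, {2} total blocks.".format(bad_blocks_reg, bad_blocks_mem, total_blocks)
        if total_blocks:
            print "Total of {0:.2f}% of hive unreadable.".format(((bad_blocks_reg + bad_blocks_mem) / float(total_blocks)) * 100)

        return (bad_blocks_reg, bad_blocks_mem, total_blocks)


class HiveFileAddressSpace(addrspace.BaseAddressSpace):
    """Address space over a hive whose cells sit at a fixed distance
    (BLOCK_SIZE + 4) from the cell index in the base address space."""

    def __init__(self, base, config):
        addrspace.BaseAddressSpace.__init__(self, base, config)
        self.base = base

    def vtop(self, vaddr):
        """Translate a cell index: a constant shift of BLOCK_SIZE + 4."""
        return vaddr + BLOCK_SIZE + 4

    def read(self, vaddr, length, zero = False):
        """Read length bytes at cell index vaddr, block by block.

        Same contract as HiveAddressSpace.read(): None when a part is
        unreadable and zero is False, NUL padding when zero is True.
        """
        first_block = BLOCK_SIZE - vaddr % BLOCK_SIZE
        full_blocks = ((length + (vaddr % BLOCK_SIZE)) / BLOCK_SIZE) - 1
        left_over = (length + vaddr) % BLOCK_SIZE

        paddr = self.vtop(vaddr)
        if paddr == None and zero:
            if length < first_block:
                return "\0" * length
            else:
                stuff_read = "\0" * first_block
        elif paddr == None:
            return None
        else:
            if length < first_block:
                stuff_read = self.base.read(paddr, length)
                if not stuff_read and zero:
                    return "\0" * length
                else:
                    return stuff_read

            stuff_read = self.base.read(paddr, first_block)
            if not stuff_read and zero:
                stuff_read = "\0" * first_block
            elif not stuff_read:
                # Previously fell through with an empty/None buffer and
                # failed later on concatenation.
                return None

        new_vaddr = vaddr + first_block
        for _i in range(0, full_blocks):
            paddr = self.vtop(new_vaddr)
            if paddr == None and zero:
                stuff_read = stuff_read + "\0" * BLOCK_SIZE
            elif paddr == None:
                return None
            else:
                new_stuff = self.base.read(paddr, BLOCK_SIZE)
                if not new_stuff and zero:
                    new_stuff = "\0" * BLOCK_SIZE
                elif not new_stuff:
                    return None
                # Append the zero-filled replacement too, so later data
                # keeps its offset in the result.
                stuff_read = stuff_read + new_stuff
            new_vaddr = new_vaddr + BLOCK_SIZE

        if left_over > 0:
            paddr = self.vtop(new_vaddr)
            if paddr == None and zero:
                stuff_read = stuff_read + "\0" * left_over
            elif paddr == None:
                return None
            else:
                new_stuff = self.base.read(paddr, left_over)
                if not new_stuff and zero:
                    new_stuff = "\0" * left_over
                elif new_stuff == None:
                    return None
                stuff_read = stuff_read + new_stuff
        return stuff_read

    def zread(self, addr, length):
        """read() with zero-fill: unreadable parts come back as NUL bytes."""
        return self.read(addr, length, True)

    def read_long_phys(self, addr):
        """Read 4 bytes at addr from the base space and unpack them with '=I'."""
        string = self.base.read(addr, 4)
        (longval,) = struct.unpack('=I', string)
        return longval

    def is_valid_address(self, vaddr):
        """True when vaddr translates and the base space accepts the result."""
        paddr = self.vtop(vaddr)
        if not paddr:
            return False
        return self.base.is_valid_address(paddr)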
[0x48a64], }, '2111' : { 'TCBTableOff' : [0x49A68], 'SizeOff' : [0x3FA48], 'AddrObjTableOffset' : [0x489E0], 'AddrObjTableSizeOffset' : [0x489E4], }, } module_versions_2003 = { # w2003 sp0 '3790' : { 'TCBTableOff' : [0x4c6c8], 'SizeOff' : [0x4312c], 'AddrObjTableOffset' : [0x4bba0], 'AddrObjTableSizeOffset' : [0x4bba4], }, # w2003 sp1 '1830' : { 'TCBTableOff' : [0x4e428], 'SizeOff' : [0x44140], 'AddrObjTableOffset' : [0x4d4e4], 'AddrObjTableSizeOffset' : [0x4d4e8], }, # w2003 sp2 '3959' : { 'TCBTableOff' : [0x7c548], 'SizeOff' : [0x50308], 'AddrObjTableOffset' : [0x5ada4], 'AddrObjTableSizeOffset' : [0x5ada8], }, # w2003 sp2 '4573' : { 'TCBTableOff' : [0x7f0ac], 'SizeOff' : [0x52328], 'AddrObjTableOffset' : [0x5cf04], 'AddrObjTableSizeOffset' : [0x5cf08], }, # w2003 sp2 x64 '3959_x64' : { 'TCBTableOff' : [0x000c8d30], 'SizeOff' : [0x0009b4a0], 'AddrObjTableOffset' : [0x000a4880], 'AddrObjTableSizeOffset' : [0x000a4888], }, # w2003 sp1 x64 '1830_x64' : { 'TCBTableOff' : [0x8f2d0], 'SizeOff' : [0x861cc], 'AddrObjTableOffset' : [0x8c4c0], 'AddrObjTableSizeOffset' : [0x8c4c8], }, # w2003 sp2 x64 (unknown build number) 'unk_1_x64' : { 'TCBTableOff' : [0xCD2D8], 'SizeOff' : [0x9E4A0], 'AddrObjTableOffset' : [0xa78E0], 'AddrObjTableSizeOffset' : [0xa78E8], }, } ## Define the maxiumum number of sockets that we expect to see on a given system. ## Due to the way we currently iterate over possible offsets, its easy to pick ## the wrong one and end up creating an array of up to 0xFFFFFFFF objects, even ## though there's no possibility of ever having that many active at one time. ## This can lead to a MemoryError, which is bad. The limit we've chosen (2 million) ## is based on 65535 for TCP, 65535 for UDP, for each of up to 100 IP addresses; ## then rounded up to the nearest million. Its not perfect, but it should prevent ## memory errors until we redesign the way we find socket and connection objects. 
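# Upper bound for a table size read from the memory image. The value is
# attacker- or corruption-controlled data, so it must be bounded before it
# is used as an array length.
MAX_SOCKETS = 2000000

def determine_connections(addr_space):
    """Yield every _TCPT_OBJECT reachable from tcpip.sys's TCB table.

    For each module named tcpip.sys, every known offset set (XP table for
    versions <= 5.1, 2003 table otherwise) is tried: the table size and
    table address are read at DllBase + offset, and each table entry is
    followed through its Next chain. A per-entry "seen" set stops the walk
    when a chain loops back on itself.

    Because wrong offsets are tried on purpose, the size read from memory
    is frequently garbage; it is only accepted when it lies strictly
    between 0 and MAX_SOCKETS, as determine_sockets already does.
    """
    all_modules = win32.modules.lsmod(addr_space)

    version = (addr_space.profile.metadata.get('major', 0),
               addr_space.profile.metadata.get('minor', 0))

    if version <= (5, 1):
        module_versions = module_versions_xp
    else:
        module_versions = module_versions_2003

    for m in all_modules:
        if str(m.BaseDllName).lower() == 'tcpip.sys':
            for attempt in module_versions:
                table_size = obj.Object(
                    "long",
                    offset = m.DllBase + module_versions[attempt]['SizeOff'][0],
                    vm = addr_space)

                table_addr = obj.Object(
                    "address",
                    offset = m.DllBase + module_versions[attempt]['TCBTableOff'][0],
                    vm = addr_space)

                # Bounded like the socket table: an unbounded count taken
                # from the image can exhaust memory when the array is built.
                if int(table_size) > 0 and int(table_size) < MAX_SOCKETS:
                    table = obj.Object("Array",
                                       offset = table_addr,
                                       vm = addr_space,
                                       count = table_size,
                                       target = obj.Curry(obj.Pointer, '_TCPT_OBJECT'))

                    if table:
                        for entry in table:
                            conn = entry.dereference()
                            seen = set()
                            while conn.is_valid() and conn.obj_offset not in seen:
                                yield conn
                                seen.add(conn.obj_offset)
                                conn = conn.Next.dereference()

def determine_sockets(addr_space):
    """Yield every _ADDRESS_OBJECT reachable from tcpip.sys's address object table.

    Mirrors determine_connections, using the AddrObjTableOffset /
    AddrObjTableSizeOffset entries of each offset set and rejecting table
    sizes outside (0, MAX_SOCKETS).
    """
    all_modules = win32.modules.lsmod(addr_space)

    # NOTE(review): this selects the XP table with "major <= 5.1 and
    # minor == 1", while determine_connections compares the
    # (major, minor) tuple with (5, 1). The two disagree for version 5.0 -
    # confirm which one is intended before unifying them.
    if addr_space.profile.metadata.get('major', 0) <= 5.1 and addr_space.profile.metadata.get('minor', 0) == 1:
        module_versions = module_versions_xp
    else:
        module_versions = module_versions_2003

    for m in all_modules:
        if str(m.BaseDllName).lower() == 'tcpip.sys':
            for attempt in module_versions:
                table_size = obj.Object(
                    "unsigned long",
                    offset = m.DllBase + module_versions[attempt]['AddrObjTableSizeOffset'][0],
                    vm = addr_space)

                table_addr = obj.Object(
                    "address",
                    offset = m.DllBase + module_versions[attempt]['AddrObjTableOffset'][0],
                    vm = addr_space)

                if int(table_size) > 0 and int(table_size) < MAX_SOCKETS:
                    table = obj.Object("Array",
                                       offset = table_addr,
                                       vm = addr_space,
                                       count = table_size,
                                       target = obj.Curry(obj.Pointer, "_ADDRESS_OBJECT"))

                    if table:
                        for entry in table:
                            sock = entry.dereference()
                            seen = set()
                            while sock.is_valid() and sock.obj_offset not in seen:
                                yield sock
                                seen.add(sock.obj_offset)
                                sock = sock.Next.dereference()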
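def get_root(address_space, stable = True):
    """Return the root _CM_KEY_NODE of a hive address space.

    The stable root sits at ROOT_INDEX; for the volatile one the top bit
    (0x80000000) is set on that index.
    """
    if stable:
        return obj.Object("_CM_KEY_NODE", ROOT_INDEX, address_space)
    else:
        return obj.Object("_CM_KEY_NODE", ROOT_INDEX | 0x80000000, address_space)

def open_key(root, key):
    """Walk from root down the path given as a sequence of key names.

    Name comparison is case-insensitive. Returns root itself for an empty
    path, None when root is not valid, and an obj.NoneObject describing
    the missing component when a subkey cannot be found.

    The path is no longer consumed: the caller's list is left untouched,
    so the same path can be reused for several hives.
    """
    if not key:
        return root

    if not root.is_valid():
        return None

    # Index and slice instead of pop(0), which emptied the caller's list
    keyname = key[0]
    remaining = key[1:]
    for s in subkeys(root):
        if s.Name.upper() == keyname.upper():
            return open_key(s, remaining)

    debug.debug("Couldn't find subkey {0} of {1}".format(keyname, root.Name), 1)
    return obj.NoneObject("Couldn't find subkey {0} of {1}".format(keyname, root.Name))

def read_sklist(sk):
    """Yield the entries of a subkey list.

    "lh"/"lf" lists are yielded directly. An "ri" list holds offsets of
    further _CM_KEY_INDEX lists, which are read recursively; offsets that
    are not valid addresses are skipped.
    """
    if (sk.Signature.v() == LH_SIG or
        sk.Signature.v() == LF_SIG):
        for entry in sk.List:
            yield entry

    elif sk.Signature.v() == RI_SIG:
        for i in range(sk.Count):
            # Read and dereference the pointer
            ptr_off = sk.List.obj_offset + (i * 4)
            if not sk.obj_vm.is_valid_address(ptr_off):
                continue
            ssk_off = obj.Object("unsigned int", ptr_off, sk.obj_vm)
            if not sk.obj_vm.is_valid_address(ssk_off):
                continue

            ssk = obj.Object("_CM_KEY_INDEX", ssk_off, sk.obj_vm)

            # this protects against a cycle seen in win10x86_14393 where
            # one of a key's subkey entries pointed back at itself
            # NOTE(review): only a direct self-reference is caught; a longer
            # cycle in a corrupted hive would still recurse without bound.
            if ssk == sk:
                break

            for entry in read_sklist(ssk):
                yield entry

# Note: had to change SubKeyLists to be array of 2 pointers in vtypes.py
def subkeys(key):
    """Yield the valid child key nodes of key.

    Both SubKeyLists slots are examined. An entry is only yielded when it
    carries the "nk" signature and its Parent's Name equals key's Name,
    which filters out entries that do not point back to this key.
    """
    if not key.is_valid():
        return

    for index in range(2):
        if int(key.SubKeyCounts[index]) > 0:
            sk_off = key.SubKeyLists[index]
            sk = obj.Object("_CM_KEY_INDEX", sk_off, key.obj_vm)
            if sk and sk.is_valid():
                for i in read_sklist(sk):
                    if i.Signature.v() == NK_SIG and i.Parent.dereference().Name == key.Name:
                        yield i

def values(key):
    """Return the entries of key's value list that carry the "vk" signature."""
    return [ v for v in key.ValueList.List.dereference()
             if v.Signature.v() == VK_SIG ]

def key_flags(key):
    """Return the names from KEY_FLAGS whose bit is set in key.Flags."""
    return [ k for k in KEY_FLAGS if key.Flags & KEY_FLAGS[k] ]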
def walk(root):
    """Yield root and then every key below it, depth first, parents before children.

    Uses an explicit stack of subkeys() iterators instead of recursion;
    the order of the yielded keys is the same as a recursive pre-order walk.
    """
    yield root
    pending = [subkeys(root)]
    while pending:
        try:
            child = next(pending[-1])
        except StopIteration:
            # This level is exhausted; resume the parent's iterator
            pending.pop()
            continue
        yield child
        pending.append(subkeys(child))
def get_kdbg(addr_space):
    """Locate the KDBG structure for an address space.

    Candidates are tried in this order and the first valid one is returned:
      1. the KPCR value hard coded in the profile, when there is one
         (per the original comment this covers XP/2003 x86);
      2. the KDBG suggestions produced by scanning;
      3. the KPCR suggestions, for 32bit memory models or versions up to
         6.1 only. All suggestions are tried because only the KPCR of the
         first CPU leads to KDBG.

    Both the primary and the backup method rely on the 4-byte
    KDBG.Header.OwnerTag. If that value has been overwritten in the image,
    neither method succeeds, and the same holds when the user passes
    --kdbg, because the tag is checked in that case too.

    Returns an obj.NoneObject when no candidate validates.
    """
    def _kdbg_via_kpcr(kpcr_offset):
        # Build the _KPCR at the given offset and ask it for its KDBG
        kpcr = obj.Object("_KPCR", offset = kpcr_offset, vm = addr_space)
        return kpcr.get_kdbg()

    if obj.VolMagic(addr_space).KPCR.value:
        candidate = _kdbg_via_kpcr(obj.VolMagic(addr_space).KPCR.value)
        if candidate.is_valid():
            return candidate

    for candidate in obj.VolMagic(addr_space).KDBG.get_suggestions():
        if candidate.is_valid():
            return candidate

    # The KPCR backup method is skipped for x64 beyond version 6.1
    metadata = addr_space.profile.metadata
    memmode = metadata.get('memory_model', '32bit')
    version = (metadata.get('major', 0), metadata.get('minor', 0))

    if memmode == '32bit' or version <= (6, 1):
        for kpcr_off in obj.VolMagic(addr_space).KPCR.get_suggestions():
            candidate = _kdbg_via_kpcr(kpcr_off)
            if candidate.is_valid():
                return candidate

    return obj.NoneObject("KDDEBUGGER structure not found using either KDBG signature or KPCR pointer")

def pslist(addr_space):
    """Lazily yield the _EPROCESS objects reported by the KDBG structure."""
    for process in get_kdbg(addr_space).processes():
        yield process

def find_space(addr_space, procs, mod_base):
    """Return the first address space in which mod_base is a valid address.

    addr_space itself is checked first, then the address space of each
    process in procs (usually to find a GUI process). Returns None when
    none of them maps the address.
    """
    if addr_space.is_valid_address(mod_base):
        return addr_space

    for proc in procs:
        candidate = proc.get_process_address_space()
        if candidate != None and candidate.is_valid_address(mod_base):
            return candidate

    return None

def find_module(modlist, mod_addrs, addr):
    """Return the module whose image contains addr, or None.

    modlist maps base address to module and mod_addrs is the list of those
    base addresses sorted in ascending order; a binary search picks the
    last base at or below addr and the module's DllBase / SizeOfImage then
    confirm that addr really falls inside it.

    NOTE: mod_addrs and addr must already be masked for the address space.
    """
    idx = bisect_right(mod_addrs, addr) - 1
    if idx == -1:
        # addr lies below the lowest module base
        return None

    candidate = modlist[mod_addrs[idx]]

    if candidate.obj_vm.address_compare(addr, candidate.DllBase) == -1:
        return None
    if candidate.obj_vm.address_compare(addr, candidate.DllBase + candidate.SizeOfImage) != -1:
        return None
    return candidate
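#

""" General debugging framework """
import pdb
import sys
import inspect
import logging
import volatility.conf

config = volatility.conf.ConfObject()

config.add_option("DEBUG", short_option = 'd', default = 0,
                  cache_invalidator = False,
                  action = 'count', help = "Debug volatility")

# Largest debug value used + 1
MAX_DEBUG = 3

def setup(level = 0):
    """Sets up the global logging environment

    The root logger threshold is set to logging.DEBUG + 1 - level, so each
    extra debug level lets one more numeric level through. The numeric
    levels logging.DEBUG - 1 .. logging.DEBUG - 8 are given the names
    DEBUG1 .. DEBUG8.
    """
    formatstr = "%(levelname)-8s: %(name)-20s: %(message)s"
    logging.basicConfig(format = formatstr)
    rootlogger = logging.getLogger('')
    rootlogger.setLevel(logging.DEBUG + 1 - level)
    for i in range(1, 9):
        logging.addLevelName(logging.DEBUG - i, "DEBUG" + str(i))

def debug(msg, level = 1):
    """Logs a message at the DEBUG level"""
    log(msg, logging.DEBUG + 1 - level)

def info(msg):
    """Logs a message at the INFO level"""
    log(msg, logging.INFO)

def warning(msg):
    """Logs a message at the WARNING level"""
    log(msg, logging.WARNING)

def error(msg):
    """Logs a message at the ERROR level, then exits with status 1

    Callers rely on this never returning: plugins in this tree use it as
    the failure path after rejecting a bad offset, regex or profile.
    """
    log(msg, logging.ERROR)
    sys.exit(1)

def critical(msg):
    """Logs a message at the CRITICAL level, then exits with status 1"""
    log(msg, logging.CRITICAL)
    sys.exit(1)

def log(msg, level):
    """Logs msg at level under the name of the calling module

    Walks up the call stack until it leaves this module, so the record is
    attributed to the caller rather than to the helpers defined here.
    """
    modname = "volatility.py"
    try:
        frm = inspect.currentframe()
        modname = "volatility.debug"
        while modname == "volatility.debug":
            frm = frm.f_back
            # Read the module name straight from the frame's globals.
            # inspect.getfile() returns a path string, which has no
            # __name__, so going through it always raised AttributeError
            # and every record ended up attributed to volatility.debug.
            modname = frm.f_globals.get('__name__', modname)
    except AttributeError:
        # Ran off the top of the stack (f_back is None) or the
        # interpreter does not expose frames; keep the last name.
        pass
    finally:
        del frm

    _log(msg, modname, level)

def _log(msg, facility, loglevel):
    """Outputs a debugging message"""
    logger = logging.getLogger(facility)
    logger.log(loglevel, msg)

def b(level = 1):
    """Enters the debugger at the call point"""
    # pdb blocks on stdin; this is only reached when the -d count is at
    # least `level`, so leave DEBUG at 0 for unattended or batch runs.
    if config.DEBUG >= level:
        pdb.set_trace()

trace = b

def post_mortem(level = 1):
    """Provides a command line interface to python after an exception's occurred"""
    if config.DEBUG >= level:
        pdb.post_mortem()

# volatility_2.6+git20170711.b3db0cc/volatility/dwarf.py0000644000000000000000000003340413131215405021016 0ustar rootroot
# Volatility
# Copyright (C) 2010 Brendan Dolan-Gavitt
# Copyright (c) 2011 Michael Cohen
#
# This file is part of Volatility.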
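#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import re

class DWARFParser(object):
    """A parser for DWARF files.

    Consumes the textual dump of DWARF debug information line by line and
    builds the structure (vtypes), enum and global-variable tables.
    The input is trusted to be well formed: a missing attribute surfaces
    as KeyError and a non-numeric size or offset as ValueError.
    """

    # Nasty, but appears to parse the lines we need.
    # The group names are load-bearing: feed_line() passes groupdict()
    # to process_statement(kind, level, data, statement_id) as keywords.
    dwarf_header_regex = re.compile(
        r'<(?P<level>\d+)><(?P<statement_id>[0-9+]+)><(?P<kind>\w+)>')
    dwarf_key_val_regex = re.compile(
        r'\s*(?P<keyname>\w+)<(?P<val>[^>]*)>')

    # Same header, but with hexadecimal statement ids
    dwarf_header_regex2 = re.compile(r'<(?P<level>\d+)><(?P<statement_id>0x[0-9a-fA-F]+([+]0x[0-9a-fA-F]+)?)><(?P<kind>\w+)>')

    sz2tp = {8: 'long long', 4: 'int', 2: 'short', 1: 'char'}
    tp2vol = {
        '_Bool': 'unsigned char',
        'char': 'char',
        'float': 'float',
        'double': 'double',
        'long double': 'double',
        'int': 'int',
        'long int': 'long',
        'long long int': 'long long',
        'long long unsigned int': 'unsigned long long',
        'long unsigned int': 'unsigned long',
        'short int': 'short',
        'short unsigned int': 'unsigned short',
        'signed char': 'signed char',
        'unsigned char': 'unsigned char',
        'unsigned int': 'unsigned int',
        'sizetype' : 'unsigned long',
    }

    def __init__(self, data = None):
        """Create a parser and, if data is given, feed it every line of it."""
        self.current_level = -1
        self.name_stack = []
        self.id_to_name = {}
        self.all_vtypes = {}
        self.vtypes = {}
        self.enums = {}
        self.all_vars = {}
        self.vars = {}
        self.all_local_vars = []
        self.local_vars = []
        self.anons = 0
        # Radix for numeric attributes; switched to 16 by feed_line() once
        # a header with a hexadecimal statement id has been seen
        self.base = 10

        if data:
            for line in data.splitlines():
                self.feed_line(line)

    def resolve(self, memb):
        """Lookup anonymous member and replace it with a well known one."""
        # NOTE(review): a chain of references that loops back on itself
        # would recurse until the interpreter's recursion limit.
        # Reference to another type
        if isinstance(memb, str) and memb.startswith('<'):
            if memb[1:3] == "0x":
                # Hex references are looked up without leading zeroes
                memb = "<0x" + memb[3:].lstrip('0')
            resolved = self.id_to_name[memb[1:]]
            return self.resolve(resolved)
        elif isinstance(memb, list):
            return [self.resolve(r) for r in memb]
        else:
            # Literal
            return memb

    def resolve_refs(self):
        """Replace references with types."""
        for v in self.vtypes:
            for m in self.vtypes[v][1]:
                self.vtypes[v][1][m] = self.resolve(self.vtypes[v][1][m])

        return self.vtypes

    def deep_replace(self, t, search, repl):
        """Recursively replace anonymous references."""
        if t == search:
            return repl

        elif isinstance(t, list):
            return [self.deep_replace(x, search, repl) for x in t]
        else:
            return t

    def get_deepest(self, t):
        """Return the innermost type name of a nested type list, or None."""
        if isinstance(t, list):
            if len(t) == 1:
                return t[0]
            else:
                for part in t:
                    res = self.get_deepest(part)
                    if res:
                        return res

                return None

        return None

    def base_type_name(self, data):
        """Replace references to base types."""
        if 'DW_AT_name' in data:
            return self.tp2vol[data['DW_AT_name'].strip('"')]
        else:
            sz = int(data['DW_AT_byte_size'], self.base)
            if data['DW_AT_encoding'] == 'DW_ATE_unsigned':
                return 'unsigned ' + self.sz2tp[sz]
            else:
                return self.sz2tp[sz]

    def feed_line(self, line):
        """Accepts another line from the input.

        A DWARF line looks like (constructed example):
        <2><1442><DW_TAG_member> DW_AT_name<"field"> ...

        The header is level, statement_id, and kind followed by
        key value pairs.
        """
        # Does the header match?
        m = self.dwarf_header_regex.match(line)
        hex_header = self.dwarf_header_regex2.match(line)
        if hex_header:
            m = hex_header
            self.base = 16
        if m:
            parsed = m.groupdict()
            parsed['data'] = {}
            # Now parse the key value pairs
            while m:
                i = m.end()
                m = self.dwarf_key_val_regex.search(line, i)
                if m:
                    d = m.groupdict()
                    parsed['data'][d['keyname']] = d['val']

            # NOTE(review): DW_TAG_variable is routed here, so the
            # DW_TAG_variable branch of process_statement() is not reached
            # through this method.
            if parsed['kind'] in ('DW_TAG_formal_parameter', 'DW_TAG_variable'):
                self.process_variable(parsed['data'])
            else:
                self.process_statement(**parsed) #pylint: disable-msg=W0142

    def process_statement(self, kind, level, data, statement_id):
        """Process a single parsed statement."""
        new_level = int(level)
        if new_level > self.current_level:
            self.current_level = new_level
            self.name_stack.append([])
        elif new_level < self.current_level:
            self.name_stack = self.name_stack[:new_level + 1]
            self.current_level = new_level

        self.name_stack[-1] = [kind, statement_id]

        try:
            parent_kind, parent_name = self.name_stack[-2]
        except IndexError:
            parent_kind, parent_name = (None, None)

        if kind == 'DW_TAG_compile_unit':
            # A new compile unit starts: flush what the previous one
            # collected and reset the per-unit state
            self.finalize()
            self.vtypes = {}
            self.vars = {}
            self.all_local_vars += self.local_vars
            self.local_vars = []
            self.id_to_name = {}

        elif kind == 'DW_TAG_structure_type':
            name = data.get('DW_AT_name', "__unnamed_%s" % statement_id).strip('"')
            self.name_stack[-1][1] = name
            self.id_to_name[statement_id] = [name]

            # If it's just a forward declaration, we want the name around,
            # but there won't be a size
            if 'DW_AT_declaration' not in data:
                self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]

        elif kind == 'DW_TAG_union_type':
            name = data.get('DW_AT_name', "__unnamed_%s" % statement_id).strip('"')
            self.name_stack[-1][1] = name
            self.id_to_name[statement_id] = [name]
            if 'DW_AT_declaration' not in data:
                self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]

        elif kind == 'DW_TAG_array_type':
            self.name_stack[-1][1] = statement_id
            self.id_to_name[statement_id] = data['DW_AT_type']

        elif kind == 'DW_TAG_enumeration_type':
            name = data.get('DW_AT_name', "__unnamed_%s" % statement_id).strip('"')
            self.name_stack[-1][1] = name
            self.id_to_name[statement_id] = [name]

            # If it's just a forward declaration, we want the name around,
            # but there won't be a size
            if 'DW_AT_declaration' not in data:
                sz = int(data['DW_AT_byte_size'], self.base)
                self.enums[name] = [sz, {}]

        elif kind == 'DW_TAG_pointer_type':
            self.id_to_name[statement_id] = ['pointer', data.get('DW_AT_type', ['void'])]

        elif kind == 'DW_TAG_base_type':
            self.id_to_name[statement_id] = [self.base_type_name(data)]

        elif kind == 'DW_TAG_volatile_type':
            self.id_to_name[statement_id] = data.get('DW_AT_type', ['void'])

        elif kind == 'DW_TAG_const_type':
            self.id_to_name[statement_id] = data.get('DW_AT_type', ['void'])

        elif kind == 'DW_TAG_typedef':
            self.id_to_name[statement_id] = data['DW_AT_type']

        elif kind == 'DW_TAG_subroutine_type':
            self.id_to_name[statement_id] = ['void']         # Don't need these

        elif kind == 'DW_TAG_variable' and level == '1':
            if 'DW_AT_location' in data:
                split = data['DW_AT_location'].split()
                if len(split) > 1:
                    loc = int(split[1], 0)
                    self.vars[data['DW_AT_name']] = [loc, data['DW_AT_type']]

        elif kind == 'DW_TAG_subprogram':
            # IDEK
            pass

        elif kind == 'DW_TAG_member' and parent_kind == 'DW_TAG_structure_type':
            name = data.get('DW_AT_name', "__unnamed_%s" % statement_id).strip('"')
            try:
                off = int(data['DW_AT_data_member_location'].split()[1])
            except (IndexError, ValueError):
                # Not the "<op> <offset>" form: take the value itself,
                # minus any parenthesised suffix
                d = data['DW_AT_data_member_location']
                idx = d.find("(")

                if idx != -1:
                    d = d[:idx]

                off = int(d)

            if 'DW_AT_bit_size' in data and 'DW_AT_bit_offset' in data:
                full_size = int(data['DW_AT_byte_size'], self.base) * 8
                stbit = int(data['DW_AT_bit_offset'], self.base)
                edbit = stbit + int(data['DW_AT_bit_size'], self.base)
                # Flip the bit numbering so start_bit < end_bit
                stbit = full_size - stbit
                edbit = full_size - edbit
                stbit, edbit = edbit, stbit
                assert stbit < edbit
                memb_tp = ['BitField', dict(start_bit = stbit, end_bit = edbit)]
            else:
                memb_tp = data['DW_AT_type']

            self.vtypes[parent_name][1][name] = [off, memb_tp]

        elif kind == 'DW_TAG_member' and parent_kind == 'DW_TAG_union_type':
            name = data.get('DW_AT_name', "__unnamed_%s" % statement_id).strip('"')
            self.vtypes[parent_name][1][name] = [0, data['DW_AT_type']]

        elif kind == 'DW_TAG_enumerator' and parent_kind == 'DW_TAG_enumeration_type':
            name = data['DW_AT_name'].strip('"')
            try:
                val = int(data['DW_AT_const_value'])
            except ValueError:
                val = int(data['DW_AT_const_value'].split('(')[0], self.base)

            self.enums[parent_name][1][name] = val

        elif kind == 'DW_TAG_subrange_type' and parent_kind == 'DW_TAG_array_type':
            if 'DW_AT_upper_bound' in data:
                try:
                    sz = int(data['DW_AT_upper_bound'])
                except ValueError:
                    try:
                        sz = int(data['DW_AT_upper_bound'].split('(')[0])
                    except ValueError:
                        # Give up
                        sz = 0
                sz += 1
            else:
                sz = 0

            tp = self.id_to_name[parent_name]
            self.id_to_name[parent_name] = ['array', sz, tp]
        else:
            pass
            #print "Skipping unsupported tag %s" % parsed['kind']

    def process_variable(self, data):
        """Process a local variable."""
        # DW_AT_decl_file is read below, so it has to be present as well;
        # entries without it are skipped instead of raising KeyError
        if ('DW_AT_name' in data and 'DW_AT_decl_line' in data and
            'DW_AT_decl_file' in data and 'DW_AT_type' in data):
            self.local_vars.append(
                (data['DW_AT_name'], int(data['DW_AT_decl_line'], self.base),
                 data['DW_AT_decl_file'].split()[1], data['DW_AT_type']))

    def finalize(self):
        """Finalize the output."""
        if self.vtypes:
            self.vtypes = self.resolve_refs()
            self.all_vtypes.update(self.vtypes)
        if self.vars:
            self.vars = dict(((k, self.resolve(v)) for k, v in self.vars.items()))
            self.all_vars.update(self.vars)
        if self.local_vars:
            self.local_vars = [ (name, lineno, decl_file, self.resolve(tp)) for
                                (name, lineno, decl_file, tp) in self.local_vars ]
            self.all_local_vars += self.local_vars

        # Get rid of unneeded unknowns (shades of Rumsfeld here)
        # Needs to be done in fixed point fashion
        changed = True
        while changed:
            changed = False
            s = set()
            for m in self.all_vtypes:
                for t in self.all_vtypes[m][1].values():
                    s.add(self.get_deepest(t))
            for m in self.all_vars:
                s.add(self.get_deepest(self.all_vars[m][1]))
            for v in list(self.all_vtypes):
                if v.startswith('__unnamed_') and v not in s:
                    del self.all_vtypes[v]
                    changed = True

        # Merge the enums into the types directly:
        for t in self.all_vtypes:
            for m in list(self.all_vtypes[t][1]):
                memb = self.all_vtypes[t][1][m]
                d = self.get_deepest(memb)
                if d in self.enums:
                    sz = self.enums[d][0]
                    vals = dict((v, k) for k, v in self.enums[d][1].items())
                    self.all_vtypes[t][1][m] = self.deep_replace(
                        memb, [d],
                        ['Enumeration', dict(target = self.sz2tp[sz], choices = vals)]
                    )

        return self.all_vtypes

    def print_output(self):
        """Finalize and print the type and global-variable tables to stdout."""
        self.finalize()
        # Single-argument print(...) behaves the same as a statement and
        # as a function call
        print("linux_types = {")

        for t in self.all_vtypes:
            print(" '%s': [ %#x, {" % (t, self.all_vtypes[t][0]))
            for m in sorted(self.all_vtypes[t][1], key = lambda m: self.all_vtypes[t][1][m][0]):
                print(" '%s': [%#x, %s]," % (m, self.all_vtypes[t][1][m][0], self.all_vtypes[t][1][m][1]))
            print("}],")
        print("}")
        print("")
        print("linux_gvars = {")
        for v in sorted(self.all_vars, key = lambda v: self.all_vars[v][0]):
            print(" '%s': [%#010x, %s]," % (v, self.all_vars[v][0], self.all_vars[v][1]))
        print("}")

if __name__ == '__main__':
    import sys
    # Close the input file deterministically instead of leaking the handle
    with open(sys.argv[1], "rb") as dwarf_file:
        dp = DWARFParser(dwarf_file.read())
    dp.print_output()

# volatility_2.6+git20170711.b3db0cc/volatility/__init__.py0000644000000000000000000000000113131215405021435 0ustar rootroot
# volatility_2.6+git20170711.b3db0cc/volatility/plugins/0000755000000000000000000000000013131215405021016 5ustar rootroot
# volatility_2.6+git20170711.b3db0cc/volatility/plugins/win10cookie.py0000644000000000000000000000344613131215405023527 0ustar rootroot
# Volatility
# Copyright (C) 2007-2015 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.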
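# See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.common as common
import volatility.utils as utils
import volatility.obj as obj

class Win10Cookie(common.AbstractWindowsCommand):
    """Find the ObHeaderCookie value for Windows 10"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

    @staticmethod
    def register_options(config):
        """Register the COOKIE option (address of nt!ObHeaderCookie)"""
        config.add_option('COOKIE', default = None, type = 'int',
                          help = "Specify the address of nt!ObHeaderCookie (valid for Windows 10 only)")

    @staticmethod
    def is_valid_profile(profile):
        """True for Windows profiles whose (major, minor) is at least (6, 4)"""
        meta = profile.metadata
        vers = (meta.get("major", 0), meta.get("minor", 0))
        # this algorithm only applies to Windows 10 or greater
        return meta.get('os', '') == 'windows' and vers >= (6, 4)

    def calculate(self):
        """Yield the single value the profile's ObHeaderCookie magic resolves to"""
        address_space = utils.load_as(self._config)
        cookie = obj.VolMagic(address_space).ObHeaderCookie.v()
        yield cookie

    def render_text(self, outfd, data):
        """Write one cookie value per line to outfd"""
        for cookie in data:
            # Write to the renderer's stream rather than printing to
            # stdout, so the result follows wherever outfd is directed
            outfd.write("{0}\n".format(cookie))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/verinfo.py0000644000000000000000000001337613131215405023052 0ustar rootroot
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .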
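#

import re
import sre_constants
import struct
import volatility.plugins.procdump as procdump
import volatility.win32 as win32
import volatility.obj as obj
import volatility.utils as utils
import volatility.debug as debug
import volatility.exceptions as exceptions
from volatility.renderers import TreeGrid

class VerInfo(procdump.ProcDump):
    """Prints out the version information from PE images"""

    def __init__(self, config, *args, **kwargs):
        procdump.ProcDump.__init__(self, config, *args, **kwargs)
        # Replace the inherited OFFSET/PID options: here OFFSET addresses
        # a module, and selection is done by regex instead of by PID
        config.remove_option("OFFSET")
        config.remove_option("PID")
        config.add_option("OFFSET", short_option = "o", type = 'int',
                          help = "Offset of the module to print the version information for")
        config.add_option('REGEX', short_option = "r", default = None,
                          help = 'Dump modules matching REGEX')
        config.add_option('IGNORE-CASE', short_option = 'i', action = 'store_true',
                          help = 'ignore case in pattern match', default = False)

    def calculate(self):
        """Yield (module, pefile) pairs for the selected PE images

        With OFFSET set, yields at most one pair, (None, pefile), for the
        header at that offset. Otherwise walks the load modules of every
        process, keeping those whose full or base DLL name matches REGEX
        when one was given.
        """
        addr_space = utils.load_as(self._config)

        if self._config.REGEX is not None:
            try:
                pattern_flags = re.IGNORECASE if self._config.IGNORE_CASE else 0
                module_pattern = re.compile(self._config.REGEX, flags = pattern_flags)
            except re.error as e:
                # debug.error() logs and exits, so module_pattern is
                # always bound past this point
                debug.error('Regular expression parsing error: {0}'.format(e))

        if self._config.OFFSET is not None:
            if not addr_space.is_valid_address(self._config.OFFSET):
                debug.error("Specified offset is not valid for the provided address space")
            pefile = obj.Object("_IMAGE_DOS_HEADER", self._config.OFFSET, addr_space)
            if pefile.is_valid():
                yield None, pefile
            # Plain return ends the generator; raising StopIteration from
            # inside a generator is turned into RuntimeError by PEP 479
            return

        tasks = win32.tasks.pslist(addr_space)

        for task in tasks:
            process_space = task.get_process_address_space()
            for module in task.get_load_modules():
                if self._config.REGEX is not None:
                    if not (module_pattern.search(str(module.FullDllName)) or
                            module_pattern.search(str(module.BaseDllName))):
                        continue
                pefile = obj.Object("_IMAGE_DOS_HEADER", module.DllBase, process_space)
                if pefile.is_valid():
                    yield module, pefile

    def unified_output(self, data):
        """Describe the output columns and attach the row generator"""
        return TreeGrid([("Module", str),
                         ("FileVersion", str),
                         ("ProductVersion", str),
                         ("Flags", str),
                         ("OS", str),
                         ("FileType", str),
                         ("FileDate", str),
                         ("InfoString", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one row per (module, pefile) pair"""
        for module, pefile in data:
            # module is None for the pair produced by the OFFSET path of
            # calculate(); use an empty name there instead of reading an
            # unset (or stale) variable
            name = str(module.FullDllName) if module else ""
            vinfo = pefile.get_version_info()
            if vinfo != None:
                fileversion = "{0}".format(vinfo.FileInfo.file_version())
                prodversion = "{0}".format(vinfo.FileInfo.product_version())
                flags = "{0}".format(vinfo.FileInfo.flags())
                os = "{0}".format(vinfo.FileInfo.FileOS)
                filetype = "{0}".format(vinfo.FileInfo.file_type())
                filedate = "{0}".format(vinfo.FileInfo.FileDate or '')
                infostring = ""
                for string, value in vinfo.get_file_strings():
                    infostring += "{0} : {1}".format(string, value)
                yield (0, [name, fileversion, prodversion, flags, os, filetype, filedate, infostring])
            else:
                yield (0, [name, "", "", "", "", "", "", ""])

    def render_text(self, outfd, data):
        """Renders the text"""
        # Module names and version strings are read from the image under
        # analysis and written as-is; treat them as untrusted content when
        # the output is displayed or post-processed.
        for module, pefile in data:
            if module:
                outfd.write(str(module.FullDllName))
            outfd.write("\n")
            vinfo = pefile.get_version_info()
            if vinfo != None:
                outfd.write(" File version : {0}\n".format(vinfo.FileInfo.file_version()))
                outfd.write(" Product version : {0}\n".format(vinfo.FileInfo.product_version()))
                outfd.write(" Flags : {0}\n".format(vinfo.FileInfo.flags()))
                outfd.write(" OS : {0}\n".format(vinfo.FileInfo.FileOS))
                outfd.write(" File Type : {0}\n".format(vinfo.FileInfo.file_type()))
                outfd.write(" File Date : {0}\n".format(vinfo.FileInfo.FileDate or ''))
                for string, value in vinfo.get_file_strings():
                    outfd.write(" {0} : {1}\n".format(string, value))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/connections.py0000644000000000000000000000756113131215405023723 0ustar rootroot
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.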
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

#pylint: disable-msg=C0111

import volatility.plugins.common as common
import volatility.win32.network as network
import volatility.cache as cache
import volatility.utils as utils
import volatility.debug as debug
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class Connections(common.AbstractWindowsCommand):
    """
    Print list of open connections [Windows XP and 2003 Only]
    ---------------------------------------------

    This module follows the handle table in tcpip.sys and prints
    current connections.

    Note that if you are using a hibernated image this might not work
    because Windows closes all connections before hibernating. You might
    find it more effective to do connscan instead.
    """

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
                          cache_invalidator = False,
                          help = "Physical Offset", action = "store_true")

    @staticmethod
    def is_valid_profile(profile):
        """Accept only Windows profiles with major version 5"""
        meta = profile.metadata
        is_windows = meta.get('os', 'unknown') == 'windows'
        return (is_windows and meta.get('major', 0) == 5)

    def unified_output(self, data):
        """Describe the columns; the offset header says (P) or (V)"""
        suffix = "(P)" if self._config.PHYSICAL_OFFSET else "(V)"
        columns = [("Offset{0}".format(suffix), Address),
                   ("LocalAddress", str),
                   ("RemoteAddress", str),
                   ("PID", int)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one row per connection object"""
        for conn in data:
            # Translate to a physical offset only when it was asked for
            if self._config.PHYSICAL_OFFSET:
                where = conn.obj_vm.vtop(conn.obj_offset)
            else:
                where = conn.obj_offset
            local_end = "{0}:{1}".format(conn.LocalIpAddress, conn.LocalPort)
            remote_end = "{0}:{1}".format(conn.RemoteIpAddress, conn.RemotePort)
            yield (0, [Address(where), str(local_end), str(remote_end), int(conn.Pid)])

    def render_text(self, outfd, data):
        """Write the connections as a text table"""
        suffix = "(P)" if self._config.PHYSICAL_OFFSET else "(V)"
        header = [("Offset{0}".format(suffix), "[addrpad]"),
                  ("Local Address", "25"),
                  ("Remote Address", "25"),
                  ("Pid", "")
                  ]
        self.table_header(outfd, header)

        for conn in data:
            if self._config.PHYSICAL_OFFSET:
                where = conn.obj_vm.vtop(conn.obj_offset)
            else:
                where = conn.obj_offset
            local_end = "{0}:{1}".format(conn.LocalIpAddress, conn.LocalPort)
            remote_end = "{0}:{1}".format(conn.RemoteIpAddress, conn.RemotePort)
            self.table_row(outfd, where, local_end, remote_end, conn.Pid)

    @cache.CacheDecorator("tests/connections")
    def calculate(self):
        """Load the address space and return the connections found in it"""
        addr_space = utils.load_as(self._config)

        supported = self.is_valid_profile(addr_space.profile)
        if not supported:
            debug.error("This command does not support the selected profile.")

        return network.determine_connections(addr_space)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/kdbgscan.py0000644000000000000000000002714013131215405023150 0ustar rootroot
# Volatility
#
# Authors:
# Mike
# Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.scan as scan
import volatility.cache as cache
import volatility.plugins.common as common
import volatility.addrspace as addrspace
import volatility.registry as registry
import volatility.utils as utils
import volatility.exceptions as exceptions

class MultiStringFinderCheck(scan.ScannerCheck):
    """ Checks for multiple strings per page """

    def __init__(self, address_space, needles = None):
        """Store the needles and the length of the longest one.

        Raises RuntimeError when no needle has a non-zero length.
        """
        scan.ScannerCheck.__init__(self, address_space)
        if not needles:
            needles = []
        self.needles = needles
        self.maxlen = 0
        for needle in needles:
            self.maxlen = max(self.maxlen, len(needle))
        if not self.maxlen:
            raise RuntimeError("No needles of any length were found for the " + self.__class__.__name__)

    def check(self, offset):
        """True if the data starting at offset begins with any needle"""
        verify = self.address_space.read(offset, self.maxlen)
        for match in self.needles:
            if verify[:len(match)] == match:
                return True
        return False

    def skip(self, data, offset):
        """Distance from offset to the next needle in data (or to its end)"""
        nextval = len(data)
        for needle in self.needles:
            dindex = data.find(needle, offset + 1)
            if dindex > -1:
                nextval = min(nextval, dindex)
        return nextval - offset

class MultiPrefixFinderCheck(MultiStringFinderCheck):
    """ Checks for multiple strings per page, finishing at the offset """

    def check(self, offset):
        """True if the data ending just before offset ends with any needle"""
        verify = self.address_space.read(offset - self.maxlen, self.maxlen)
        for match in self.needles:
            if verify.endswith(match):
                return True
        return False

class KDBGScanner(scan.BaseScanner):
    checks = [ ]

    def __init__(self, window_size = 8, needles = None):
        """Build the check list from the KDBG header needles.

        Each needle is split at the string 'KDBG': the part before it goes
        to the prefix check, and 'KDBG' plus the part after it goes to the
        string check.
        """
        oses = set()
        arches = set()
        for needle in needles:
            header = str(needle).split('KDBG')
            arches.add(header[0])
            oses.add('KDBG' + header[1])
        self.checks = [ ("PoolTagCheck", {'tag': "KDBG"}),
                        ("MultiPrefixFinderCheck", {'needles':arches}),
                        ("MultiStringFinderCheck", {'needles':oses})]
        scan.BaseScanner.__init__(self, window_size)

    def scan(self, address_space, offset = 0, maxlen = None):
        """Yield candidate structure offsets (hit offset minus 0x10)"""
        for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
            # Compensate for KDBG appearing within the searched for structure
            # (0x10 should really be the offset of OwnerTag from within the structure,
            # however we don't know which profile to read it from, so it's hardwired)
            # NOTE: this will not work correctly for _KDDEBUGGER_DATA32 structures
            # however they're only necessary for NT or older
            offset = offset - 0x10
            yield offset

class KDBGScan(common.AbstractWindowsCommand):
    """Search for and dump potential KDBG values"""

    @staticmethod
    def register_options(config):
        """Register the KDBG address option and the FORCE flag"""
        config.add_option('KDBG', short_option = 'g', default = None, type = 'int',
                          help = "Specify a KDBG virtual address (Note: for 64-bit Windows 8 and above this is the address of KdCopyDataBlock)")

        config.add_option("FORCE", default = False, action = "store_true",
                          help = "Force utilization of suspect profile")

    @cache.CacheDecorator(lambda self: "tests/kdbgscan/kdbg={0}".format(self._config.KDBG))
    def calculate(self):
        """Yield (profile name, KDBG object) pairs for every candidate found.

        The PROFILE option is switched temporarily while headers are
        collected and, with FORCE, while each suspect is re-scanned; it is
        set back to the original profile after both steps.
        """
        profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]

        encrypted_kdbg_profiles = []
        proflens = {}
        maxlen = 0
        origprofile = self._config.PROFILE
        # Collect the KDBGHeader signature of every Windows profile, and
        # note the 64-bit profiles with version >= (6, 2) separately
        for p in profilelist:
            self._config.update('PROFILE', p)
            buf = addrspace.BufferAddressSpace(self._config)
            if buf.profile.metadata.get('os', 'unknown') == 'windows':
                proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
                maxlen = max(maxlen, len(proflens[p]))
                if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and
                            (buf.profile.metadata.get('major', 0),
                            buf.profile.metadata.get('minor', 0)) >= (6, 2)):
                    encrypted_kdbg_profiles.append(p)

        self._config.update('PROFILE', origprofile)
        # keep track of the number of potential KDBGs we find
        count = 0

        if origprofile not in encrypted_kdbg_profiles:
            scanner = KDBGScanner(needles = proflens.values())

            aspace = utils.load_as(self._config, astype = 'any')

            suspects = []
            for offset in scanner.scan(aspace):
                val = aspace.read(offset, maxlen + 0x10)
                # One hit can match several profiles' headers; each match
                # becomes its own suspect
                for l in proflens:
                    if val.find(proflens[l]) >= 0:
                        kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
                        suspects.append((l, kdbg))
                        count += 1
            for p, k in suspects:
                if not self._config.FORCE:
                    yield p, k
                    continue
                # FORCE: reload the address space under the suspect's
                # profile and scan again with it
                self._config.update("PROFILE", p)
                nspace = utils.load_as(self._config, astype = "any")
                for offset in scanner.scan(nspace):
                    val = nspace.read(offset, maxlen + 0x10)
                    if val.find(proflens[p]) >= 0:
                        kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = nspace)
                        yield p, kdbg
            self._config.update('PROFILE', origprofile)

        # only perform the special win8/2012 scan if we didn't find
        # any others and if a virtual x64 address space is available
        if count == 0:
            if origprofile in encrypted_kdbg_profiles:
                encrypted_kdbg_profiles = [origprofile]
            for profile in encrypted_kdbg_profiles:
                self._config.update('PROFILE', profile)
                aspace = utils.load_as(self._config, astype = 'any')
                if hasattr(aspace, 'vtop'):
                    for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
                        yield profile, kdbg

    def render_text(self, outfd, data):
        """Renders each KDBG candidate and its sanity-check fields as text"""

        for profile, kdbg in data:

            outfd.write("*" * 50 + "\n")
            outfd.write("Instantiating KDBG using: {0} {1} ({2}.{3}.{4} {5})\n".format(
                kdbg.obj_vm.name, kdbg.obj_vm.profile.__class__.__name__,
                kdbg.obj_vm.profile.metadata.get('major', 0),
                kdbg.obj_vm.profile.metadata.get('minor', 0),
                kdbg.obj_vm.profile.metadata.get('build', 0),
                kdbg.obj_vm.profile.metadata.get('memory_model', '32bit'),
                ))

            # Will spaces with vtop always have a dtb also?
            has_vtop = hasattr(kdbg.obj_native_vm, 'vtop')

            # Always start out with the virtual and physical offsets
            if has_vtop:
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (V)", kdbg.obj_offset))
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (P)", kdbg.obj_native_vm.vtop(kdbg.obj_offset)))
            else:
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (P)", kdbg.obj_offset))

            # Printed only when the KDBG object carries these attributes
            if hasattr(kdbg, 'KdCopyDataBlock'):
                outfd.write("{0:<30}: {1:#x}\n".format("KdCopyDataBlock (V)", kdbg.KdCopyDataBlock))
            if hasattr(kdbg, 'block_encoded'):
                outfd.write("{0:<30}: {1}\n".format("Block encoded", "Yes" if kdbg.block_encoded == 1 else "No"))
            if hasattr(kdbg, 'wait_never'):
                outfd.write("{0:<30}: {1:#x}\n".format("Wait never", kdbg.wait_never))
            if hasattr(kdbg, 'wait_always'):
                outfd.write("{0:<30}: {1:#x}\n".format("Wait always", kdbg.wait_always))

            # These fields can be gathered without dereferencing
            # any pointers, thus they're available always
            outfd.write("{0:<30}: {1}\n".format("KDBG owner tag check", str(kdbg.is_valid())))
            outfd.write("{0:<30}: {1}\n".format("Profile suggestion (KDBGHeader)", profile))
            verinfo = kdbg.dbgkd_version64()
            if verinfo:
                outfd.write("{0:<30}: {1:#x} (Major: {2}, Minor: {3})\n".format(
                    "Version64", verinfo.obj_offset, verinfo.MajorVersion, verinfo.MinorVersion))

            # Print details only available when a DTB can be found
            # and we have an AS with vtop.
            if has_vtop:
                outfd.write("{0:<30}: {1}\n".format("Service Pack (CmNtCSDVersion)", kdbg.ServicePack))
                outfd.write("{0:<30}: {1}\n".format("Build string (NtBuildLab)", kdbg.NtBuildLab.dereference()))

                # The process and module counts are printed next to the
                # list heads; an AttributeError while walking a list is
                # reported as a count of 0
                try:
                    num_tasks = len(list(kdbg.processes()))
                except AttributeError:
                    num_tasks = 0
                try:
                    num_modules = len(list(kdbg.modules()))
                except AttributeError:
                    num_modules = 0
                cpu_blocks = list(kdbg.kpcrs())

                outfd.write("{0:<30}: {1:#x} ({2} processes)\n".format(
                    "PsActiveProcessHead", kdbg.PsActiveProcessHead, num_tasks))
                outfd.write("{0:<30}: {1:#x} ({2} modules)\n".format(
                    "PsLoadedModuleList", kdbg.PsLoadedModuleList, num_modules))
                # Reports whether the two bytes at KernBase are "MZ"
                outfd.write("{0:<30}: {1:#x} (Matches MZ: {2})\n".format(
                    "KernelBase", kdbg.KernBase, str(kdbg.obj_native_vm.read(kdbg.KernBase, 2) == "MZ")))

                try:
                    dos_header = obj.Object("_IMAGE_DOS_HEADER",
                                            offset = kdbg.KernBase,
                                            vm = kdbg.obj_native_vm)
                    nt_header = dos_header.get_nt_header()
                except (ValueError, exceptions.SanityCheckException):
                    # No usable PE header at KernBase: skip the OS version lines
                    pass
                else:
                    outfd.write("{0:<30}: {1}\n".format(
                        "Major (OptionalHeader)",
                        nt_header.OptionalHeader.MajorOperatingSystemVersion))
                    outfd.write("{0:<30}: {1}\n".format(
                        "Minor (OptionalHeader)",
                        nt_header.OptionalHeader.MinorOperatingSystemVersion))

                for kpcr in cpu_blocks:
                    outfd.write("{0:<30}: {1:#x} (CPU {2})\n".format(
                        "KPCR", kpcr.obj_offset, kpcr.ProcessorBlock.Number))
            else:
                outfd.write("{0:<30}: {1:#x}\n".format("PsActiveProcessHead", kdbg.PsActiveProcessHead))
                outfd.write("{0:<30}: {1:#x}\n".format("PsLoadedModuleList", kdbg.PsLoadedModuleList))
                outfd.write("{0:<30}: {1:#x}\n".format("KernelBase", kdbg.KernBase))

            outfd.write("\n")

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/sockets.py0000644000000000000000000000761413131215405023053 0ustar rootroot
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

#pylint: disable-msg=C0111

from volatility import renderers
import volatility.plugins.common as common
import volatility.debug as debug
from volatility.renderers.basic import Address
import volatility.win32 as win32
import volatility.utils as utils
import volatility.protos as protos

class Sockets(common.AbstractWindowsCommand):
    """Print list of open sockets"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
                          cache_invalidator = False,
                          help = "Physical Offset", action = "store_true")

    @staticmethod
    def is_valid_profile(profile):
        """Accept only Windows profiles with major version 5"""
        meta = profile.metadata
        is_windows = meta.get('os', 'unknown') == 'windows'
        return (is_windows and meta.get('major', 0) == 5)

    text_sort_column = "port"

    def unified_output(self, data):
        """Describe the columns; the offset header says (P) or (V)"""
        suffix = "(P)" if self._config.PHYSICAL_OFFSET else "(V)"
        columns = [("Offset{0}".format(suffix), Address),
                   ("PID", int),
                   ("Port", int),
                   ("Proto", int),
                   ("Protocol", str),
                   ("Address", str),
                   ("Create Time", str)
                   ]
        return renderers.TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one row per socket object"""
        for sock in data:
            # Translate to a physical offset only when it was asked for
            if self._config.PHYSICAL_OFFSET:
                where = sock.obj_vm.vtop(sock.obj_offset)
            else:
                where = sock.obj_offset

            row = [Address(where),
                   int(sock.Pid),
                   int(sock.LocalPort),
                   int(sock.Protocol),
                   # Protocol numbers without a known name are shown as "-"
                   str(protos.protos.get(sock.Protocol.v(), "-")),
                   str(sock.LocalIpAddress),
                   str(sock.CreateTime)]
            yield (0, row)

    def render_text(self, outfd, data):
        """Write the sockets as a text table"""
        suffix = "(P)" if self._config.PHYSICAL_OFFSET else "(V)"
        header = [("Offset{0}".format(suffix), "[addrpad]"),
                  ("PID", ">8"),
                  ("Port", ">6"),
                  ("Proto", ">6"),
                  ("Protocol", "15"),
                  ("Address", "15"),
                  ("Create Time", "")
                  ]
        self.table_header(outfd, header)

        for sock in data:
            if self._config.PHYSICAL_OFFSET:
                where = sock.obj_vm.vtop(sock.obj_offset)
            else:
                where = sock.obj_offset

            self.table_row(outfd, where, sock.Pid, sock.LocalPort, sock.Protocol,
                           protos.protos.get(sock.Protocol.v(), "-"),
                           sock.LocalIpAddress, sock.CreateTime)

    def calculate(self):
        """Load the address space and return the sockets found in it"""
        addr_space = utils.load_as(self._config)

        supported = self.is_valid_profile(addr_space.profile)
        if not supported:
            debug.error("This command does not support the selected profile.")

        return win32.network.determine_sockets(addr_space)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/privileges.py0000644000000000000000000002016213131215405023542 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2012, 2013 Cem Gurkok
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
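#

"""
@author: Cem Gurkok
@license: GNU General Public License 2.0
@contact: cemgurkok@gmail.com
@organization: Volatility Foundation
"""

import re
import volatility.renderers as renderers
import volatility.utils as utils
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.taskmods as taskmods

class TokenXP2003(obj.ProfileModification):
    """Overlay for Windows profiles with major version < 6: type
    _TOKEN.Privileges as a pointer to an array of PrivilegeCount
    _LUID_AND_ATTRIBUTES entries."""
    before = ['WindowsOverlay', 'WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x < 6}

    def modification(self, profile):
        profile.merge_overlay({"_TOKEN" : [None, {
            'Privileges': [None, ['pointer', ['array', lambda x: x.PrivilegeCount, ['_LUID_AND_ATTRIBUTES']]]],
            }]})

# Privilege value -> (privilege name, short description).
PRIVILEGE_INFO = {
    2: ('SeCreateTokenPrivilege', "Create a token object"),
    3: ('SeAssignPrimaryTokenPrivilege', "Replace a process-level token"),
    4: ('SeLockMemoryPrivilege', "Lock pages in memory"),
    5: ('SeIncreaseQuotaPrivilege', "Increase quotas"),
    6: ('SeMachineAccountPrivilege', "Add workstations to the domain"),
    7: ('SeTcbPrivilege', "Act as part of the operating system"),
    8: ('SeSecurityPrivilege', "Manage auditing and security log"),
    9: ('SeTakeOwnershipPrivilege', "Take ownership of files/objects"),
    10: ('SeLoadDriverPrivilege', "Load and unload device drivers"),
    11: ('SeSystemProfilePrivilege', "Profile system performance"),
    12: ('SeSystemtimePrivilege', "Change the system time"),
    13: ('SeProfileSingleProcessPrivilege', "Profile a single process"),
    14: ('SeIncreaseBasePriorityPrivilege', "Increase scheduling priority"),
    15: ('SeCreatePagefilePrivilege', "Create a pagefile"),
    16: ('SeCreatePermanentPrivilege', "Create permanent shared objects"),
    17: ('SeBackupPrivilege', "Backup files and directories"),
    18: ('SeRestorePrivilege', "Restore files and directories"),
    19: ('SeShutdownPrivilege', "Shut down the system"),
    20: ('SeDebugPrivilege', "Debug programs"),
    21: ('SeAuditPrivilege', "Generate security audits"),
    22: ('SeSystemEnvironmentPrivilege', "Edit firmware environment values"),
    23: ('SeChangeNotifyPrivilege', "Receive notifications of changes to files or directories"),
    24: ('SeRemoteShutdownPrivilege', "Force shutdown from a remote system"),
    25: ('SeUndockPrivilege', "Remove computer from docking station"),
    26: ('SeSyncAgentPrivilege', "Synch directory service data"),
    27: ('SeEnableDelegationPrivilege', "Enable user accounts to be trusted for delegation"),
    28: ('SeManageVolumePrivilege', "Manage the files on a volume"),
    29: ('SeImpersonatePrivilege', "Impersonate a client after authentication"),
    30: ('SeCreateGlobalPrivilege', "Create global objects"),
    31: ('SeTrustedCredManAccessPrivilege', "Access Credential Manager as a trusted caller"),
    32: ('SeRelabelPrivilege', "Modify the mandatory integrity level of an object"),
    33: ('SeIncreaseWorkingSetPrivilege', "Allocate more memory for user applications"),
    34: ('SeTimeZonePrivilege', "Adjust the time zone of the computer's internal clock"),
    35: ('SeCreateSymbolicLinkPrivilege', "Required to create a symbolic link"),
}

class Privs(taskmods.DllList):
    "Display process privileges"

    def __init__(self, config, *args):
        """Register the plugin plus its --silent and --regex options."""
        taskmods.DllList.__init__(self, config, *args)
        config.add_option("SILENT", short_option = "s", default = False,
                          help = "Suppress less meaningful results",
                          action = "store_true")
        config.add_option('REGEX', short_option = 'r',
                          help = 'Show privileges matching REGEX',
                          action = 'store', type = 'string')

    def _name_filter(self):
        """Return the compiled, case-insensitive --regex, or None if unset.

        A pattern that does not compile is reported through debug.error()
        instead of surfacing as a traceback from inside the row generator.
        """
        if not self._config.REGEX:
            return None
        try:
            return re.compile(self._config.REGEX, re.I)
        except re.error as why:
            debug.error("Invalid privilege regex {0!r}: {1}".format(
                self._config.REGEX, why))

    def _privilege_rows(self, data):
        """Yield (task, value, name, attributes, desc) per reportable privilege.

        Shared by generator() and render_text() so both renderers apply the
        same filters:
          * values with no entry in PRIVILEGE_INFO are dropped;
          * with --silent, only privileges that are enabled without being
            default, or enabled without being present, are kept. The second
            case is the inconsistency left behind when a token's enabled
            bits are edited directly in kernel memory (DKOM, as proposed by
            Cesar Cerrudo), so rows surviving --silent deserve a closer look;
          * with --regex, the privilege name must match.
        """
        priv_re = self._name_filter()

        for task in data:
            for value, present, enabled, default in task.get_token().privileges():
                # Skip privileges whose bit positions cannot be
                # translated to a privilege name
                try:
                    name, desc = PRIVILEGE_INFO[int(value)]
                except KeyError:
                    continue

                if self._config.SILENT:
                    if not ((enabled and not default) or (enabled and not present)):
                        continue

                if priv_re is not None and not priv_re.search(name):
                    continue

                attributes = []
                if present:
                    attributes.append("Present")
                if enabled:
                    attributes.append("Enabled")
                if default:
                    attributes.append("Default")

                yield task, value, name, ",".join(attributes), desc

    def generator(self, data):
        """Yield TreeGrid rows for unified_output()."""
        for task, value, name, attributes, desc in self._privilege_rows(data):
            yield (0, [int(task.UniqueProcessId),
                       str(task.ImageFileName),
                       int(value),
                       str(name),
                       attributes,
                       str(desc)])

    def unified_output(self, data):
        """Describe the result columns and hand the rows to the renderer."""
        return renderers.TreeGrid([("Pid", int),
                                   ("Process", str),
                                   ("Value", int),
                                   ("Privilege", str),
                                   ("Attributes", str),
                                   ("Description", str)],
                                  self.generator(data))

    def render_text(self, outfd, data):
        """Write the filtered privileges as a text table to `outfd`."""
        self.table_header(outfd, [("Pid", "8"),
                                  ("Process", "16"),
                                  ("Value", "6"),
                                  ("Privilege", "36"),
                                  ("Attributes", "24"),
                                  ("Description", "")])

        for task, value, name, attributes, desc in self._privilege_rows(data):
            self.table_row(outfd, task.UniqueProcessId, task.ImageFileName,
                           value, name, attributes, desc)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/envars.py0000644000000000000000000001240613131215405022671 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2012 Michael Ligh
#
# This file is part of Volatility.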
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.taskmods as taskmods
import volatility.plugins.registry.registryapi as registryapi
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class Envars(taskmods.DllList):
    "Display process environment variables"

    def __init__(self, config, *args, **kwargs):
        """Register the plugin and its -s/--silent switch."""
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option("SILENT", short_option = 's',
                          default = False,
                          help = "Suppress common and non-persistent variables",
                          action = "store_true")

    def _get_silent_vars(self):
        """Build the list of variable names that --silent hides.

        The names come from three registry locations (the machine-wide
        Session Manager environment, the per-user Environment key and the
        per-user Volatile Environment key) followed by a fixed list of
        common names. A variable in a process environment block that is in
        none of these was set explicitly, e.g. through the
        SetEnvironmentVariable() API, which is what makes the remaining
        rows interesting.
        """
        names = []
        regapi = registryapi.RegistryApi(self._config)
        ccs = regapi.reg_get_currentcontrolset()

        ## The global variables
        names.extend(name for name, _ in regapi.reg_yield_values(
            hive_name = 'system',
            key = '{0}\\Control\\Session Manager\\Environment'.format(ccs)))

        ## The user-specific variables, then the volatile user variables
        regapi.reset_current()
        for user_key in ('Environment', 'Volatile Environment'):
            names.extend(name for name, _ in regapi.reg_yield_values(
                hive_name = 'ntuser.dat', key = user_key))

        ## These are variables set explicitly but are
        ## common enough to ignore safely.
        names.extend(["ProgramFiles", "CommonProgramFiles", "SystemDrive",
                      "SystemRoot", "ProgramData", "PUBLIC", "ALLUSERSPROFILE",
                      "COMPUTERNAME", "SESSIONNAME", "USERNAME", "USERPROFILE",
                      "PROMPT", "USERDOMAIN", "AppData", "CommonFiles",
                      "CommonDesktop", "CommonProgramGroups", "CommonStartMenu",
                      "CommonStartUp", "Cookies", "DesktopDirectory",
                      "Favorites", "History", "NetHood", "PersonalDocuments",
                      "RecycleBin", "StartMenu", "Templates", "AltStartup",
                      "CommonFavorites", "ConnectionWizard",
                      "DocAndSettingRoot", "InternetCache", "windir", "Path",
                      "HOMEDRIVE", "PROCESSOR_ARCHITECTURE",
                      "NUMBER_OF_PROCESSORS", "ProgramFiles(x86)",
                      "CommonProgramFiles(x86)", "CommonProgramW6432",
                      "PSModulePath", "PROCESSOR_IDENTIFIER",
                      "FP_NO_HOST_CHECK", "LOCALAPPDATA", "TMP",
                      "ProgramW6432",
                      ])

        return names

    def unified_output(self, data):
        """Describe the result columns and hand the rows to the renderer."""
        return TreeGrid([("Pid", int),
                         ("Process", str),
                         ("Block", Address),
                         ("Variable", str),
                         ("Value", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per environment variable of each task."""
        # NOTE(review): the membership test below is case-sensitive, while
        # Windows treats variable names case-insensitively; confirm whether
        # differently-cased names should be suppressed too.
        hidden = self._get_silent_vars() if self._config.SILENT else None

        for task in data:
            for var, val in task.environment_variables():
                if self._config.SILENT and var in hidden:
                    continue
                yield (0, [int(task.UniqueProcessId),
                           str(task.ImageFileName),
                           Address(task.Peb.ProcessParameters.Environment),
                           str(var), str(val)])

    def render_text(self, outfd, data):
        """Write the environment variables as a text table to `outfd`."""
        self.table_header(outfd, [("Pid", "8"),
                                  ("Process", "20"),
                                  ("Block", "[addrpad]"),
                                  ("Variable", "30"),
                                  ("Value", ""),
                                  ])

        hidden = self._get_silent_vars() if self._config.SILENT else None

        for task in data:
            for var, val in task.environment_variables():
                if self._config.SILENT and var in hidden:
                    continue
                self.table_row(outfd,
                               task.UniqueProcessId,
                               task.ImageFileName,
                               task.Peb.ProcessParameters.Environment,
                               var, val)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/0000755000000000000000000000000013131215405022666 5ustar rootroot
# volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/lsadump.py0000644000000000000000000001670413131215405024715 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.win32.lsasecrets as lsasecrets
import volatility.win32.hashdump as hashdumpmod
import volatility.win32.domcachedump as domcachedumpmod
import volatility.debug as debug
import volatility.cache as cache
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.plugins.registry.registryapi as registryapi
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address, Bytes

class LSADump(common.AbstractWindowsCommand):
    """Dump (decrypted) LSA secrets from the registry"""

    # Declare meta information associated with this plugin
    meta_info = {
        'author': 'Brendan Dolan-Gavitt',
        'copyright': 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        'contact': 'bdolangavitt@wesleyan.edu',
        'license': 'GNU General Public License 2.0',
        'url': 'http://moyix.blogspot.com/',
        'os': 'WIN_32_XP_SP2',
        'version': '1.0',
    }

    def __init__(self, config, *args, **kwargs):
        """Register the plugin and its SYSTEM / SECURITY hive offset options."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('SYS-OFFSET', short_option = 'y', type = 'int',
                          help = 'SYSTEM hive offset (virtual)')
        config.add_option('SEC-OFFSET', short_option = 's', type = 'int',
                          help = 'SECURITY hive offset (virtual)')

    # NOTE(review): calculate() is wrapped in cache.CacheDecorator, so when
    # caching is enabled the decrypted secrets it returns are presumably
    # stored wherever the cache lives; confirm, and handle that location
    # like the plugin output itself.
    @cache.CacheDecorator(lambda self: "tests/lsadump/sys_offset={0}/sec_offset={1}".format(self._config.SYS_OFFSET, self._config.SEC_OFFSET))
    def calculate(self):
        """Return the LSA secrets read from the SYSTEM and SECURITY hives.

        When either offset option is missing, every hive known to
        RegistryApi is scanned and those whose final path component is
        "system" or "security" supply the offsets.
        """
        addr_space = utils.load_as(self._config)

        if not self._config.sys_offset or not self._config.sec_offset:
            wanted = {"system": "SYS_OFFSET", "security": "SEC_OFFSET"}
            regapi = registryapi.RegistryApi(self._config)
            for offset in regapi.all_offsets:
                hive = regapi.all_offsets[offset].lower().split("\\")[-1]
                option = wanted.get(hive)
                if option:
                    self._config.update(option, offset)

        secrets = lsasecrets.get_memory_secrets(addr_space, self._config,
                                                self._config.sys_offset,
                                                self._config.sec_offset)
        if not secrets:
            debug.error("Unable to read LSA secrets from registry")

        return secrets

    def render_text(self, outfd, data):
        """Write each secret's name followed by a hexdump of its value."""
        for secret_name in data:
            outfd.write(secret_name + "\n")
            for offset, hex_part, chars in utils.Hexdump(data[secret_name]):
                outfd.write("{0:#010x} {1:<48} {2}\n".format(offset, hex_part, ''.join(chars)))
            # NOTE(review): the listing lost its indentation; the blank
            # separator is assumed to follow each secret.
            outfd.write("\n")

    def unified_output(self, data):
        """Describe the result columns and hand the rows to the renderer."""
        return TreeGrid([("Item", str), ("Data", Bytes)],
                        self.generator(data))

    def generator(self, data):
        """Yield one (name, raw bytes) row per secret."""
        for secret_name in data:
            yield (0, [str(secret_name), Bytes(data[secret_name])])

class HashDump(common.AbstractWindowsCommand):
    """Dumps passwords hashes (LM/NTLM) from memory"""

    def __init__(self, config, *args, **kwargs):
        """Register the plugin and its SYSTEM / SAM hive offset options."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('SYS-OFFSET', short_option = 'y', type = 'int',
                          help = 'SYSTEM hive offset (virtual)')
        config.add_option('SAM-OFFSET', short_option = 's', type = 'int',
                          help = 'SAM hive offset (virtual)')

    @cache.CacheDecorator(lambda self: "tests/hashdump/sys_offset={0}/sam_offset={1}".format(self._config.SYS_OFFSET, self._config.SAM_OFFSET))
    def calculate(self):
        """Return the account hashes read from the SYSTEM and SAM hives.

        Missing offsets are filled in from the hives whose final path
        component is "system" or "sam".
        """
        addr_space = utils.load_as(self._config)

        if not self._config.sys_offset or not self._config.sam_offset:
            wanted = {"system": "SYS_OFFSET", "sam": "SAM_OFFSET"}
            regapi = registryapi.RegistryApi(self._config)
            for offset in regapi.all_offsets:
                hive = regapi.all_offsets[offset].lower().split("\\")[-1]
                option = wanted.get(hive)
                if option:
                    self._config.update(option, offset)

        hashes = hashdumpmod.dump_memory_hashes(addr_space, self._config,
                                                self._config.sys_offset,
                                                self._config.sam_offset)
        if not hashes:
            debug.error("Unable to read hashes from registry")

        return hashes

    def render_text(self, outfd, data):
        """Write one hash line per entry; empty entries are only logged."""
        for entry in data:
            # `== None` is kept as written in the original.
            if entry == None:
                debug.debug("Unable to read hashes from registry")
            else:
                outfd.write(entry + "\n")

    # Note: we may want to break up the different fields
    # in addition to storing the constructed hash.
    # for now we're just yielding the hash
    # Also applies to CacheDump
    def unified_output(self, data):
        """Describe the single result column and hand the rows to the renderer."""
        return TreeGrid([("Hash", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one row per hash line."""
        for entry in data:
            yield (0, [str(entry)])

class CacheDump(common.AbstractWindowsCommand):
    """Dumps cached domain hashes from memory"""

    def __init__(self, config, *args, **kwargs):
        """Register the plugin and its SYSTEM / SECURITY hive offset options."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('SYS-OFFSET', short_option = 'y', type = 'int',
                          help = 'SYSTEM hive offset (virtual)')
        config.add_option('SEC-OFFSET', short_option = 's', type = 'int',
                          help = 'SECURITY hive offset (virtual)')

    def calculate(self):
        """Return the cached domain hashes from the SYSTEM and SECURITY hives.

        Missing offsets are filled in from the hives whose final path
        component is "system" or "security".
        """
        addr_space = utils.load_as(self._config)

        if not self._config.sys_offset or not self._config.sec_offset:
            wanted = {"system": "SYS_OFFSET", "security": "SEC_OFFSET"}
            regapi = registryapi.RegistryApi(self._config)
            for offset in regapi.all_offsets:
                hive = regapi.all_offsets[offset].lower().split("\\")[-1]
                option = wanted.get(hive)
                if option:
                    self._config.update(option, offset)

        hashes = domcachedumpmod.dump_memory_hashes(addr_space, self._config,
                                                    self._config.sys_offset,
                                                    self._config.sec_offset)
        if hashes == None:
            debug.error("Unable to read hashes from registry")

        return hashes

    def render_text(self, outfd, data):
        """Write one hash line per entry; empty entries are only logged."""
        for entry in data:
            if entry == None:
                debug.debug("Unable to read hashes from registry")
            else:
                outfd.write(entry + "\n")

    def unified_output(self, data):
        """Describe the single result column and hand the rows to the renderer."""
        return TreeGrid([("Hash", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one row per hash line."""
        for entry in data:
            yield (0, [str(entry)])

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/shutdown.py0000644000000000000000000001054113131215405025114 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Jamie Levy (gleeda) @license: GNU General Public License 2.0 @contact: jamie@memoryanalysis.net @organization: Volatility Foundation """ #pylint: disable-msg=C0111 import volatility.plugins.registry.registryapi as registryapi from volatility.renderers import TreeGrid import volatility.plugins.common as common import volatility.addrspace as addrspace import volatility.obj as obj import volatility.debug as debug import volatility.utils as utils import datetime import struct class ShutdownTime(common.AbstractWindowsCommand): "Print ShutdownTime of machine from registry" def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('HIVE-OFFSET', short_option = 'o', help = 'Hive offset (virtual)', type = 'int') self.regapi = None def calculate(self): addr_space = utils.load_as(self._config) self.regapi = registryapi.RegistryApi(self._config) result = {} if not self._config.HIVE_OFFSET: self.regapi.set_current("SYSTEM") else: name = obj.Object("_CMHIVE", vm = addr_space, offset = self._config.HIVE_OFFSET).get_name() self.regapi.all_offsets[self._config.HIVE_OFFSET] = name self.regapi.current_offsets[self._config.HIVE_OFFSET] = name self.regapi.reset_current() currentcs = self.regapi.reg_get_currentcontrolset() if currentcs == None: currentcs = "ControlSet001" shutdownkey = currentcs + 
"\\Control\\Windows" key = self.regapi.reg_get_key("system", shutdownkey) value = self.regapi.reg_get_value("system", shutdownkey, "ShutdownTime", given_root = key) result["key"] = key result["hive"] = "SYSTEM" result["valuename"] = "ShutdownTime" result["value"] = value result["timestamp"] = "" if value != None: try: bufferas = addrspace.BufferAddressSpace(self._config, data = value) result["timestamp"] = obj.Object("WinTimeStamp", vm = bufferas, offset = 0, is_utc = True) except (struct.error, TypeError): pass yield result def unified_output(self, data): return TreeGrid([("Registry", str), ("KeyPath", str), ("LastWrite", str), ("ValueName", str), ("Value", str), ], self.generator(data)) def generator(self, data): for result in data: if result["key"]: yield (0, [str(result["hive"]), str(self.regapi.reg_get_key_path(result["key"])), str(result["key"].LastWriteTime), str(result["valuename"]), str(result["timestamp"] if result["timestamp"] else result["value"]) ]) def render_text(self, outfd, data): keyfound = False for result in data: if result["key"]: keyfound = True outfd.write("Registry: {0}\n".format(result["hive"])) outfd.write("Key Path: {0}\n".format(self.regapi.reg_get_key_path(result["key"]))) outfd.write("Key Last updated: {0}\n".format(result["key"].LastWriteTime)) outfd.write("Value Name: {0}\n".format(result["valuename"])) outfd.write("Value: {0}\n\n".format(result["timestamp"] if result["timestamp"] else result["value"])) if not keyfound: outfd.write("The requested key could not be found in the hive(s) searched\n") volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/userassist.py0000644000000000000000000004447713131215405025465 0ustar rootroot# Volatility # Copyright (C) 2008-2013 Volatility Foundation # # This file is part of Volatility. 
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Jamie Levy (gleeda) @license: GNU General Public License 2.0 @contact: jamie@memoryanalysis.net @organization: Volatility Foundation """ #pylint: disable-msg=C0111 import volatility.plugins.registry.registryapi as registryapi from volatility.renderers import TreeGrid import volatility.plugins.common as common import volatility.addrspace as addrspace import volatility.obj as obj import volatility.debug as debug import volatility.utils as utils import datetime # for Windows 7 userassist info check out Didier Stevens' article # from Into the Boxes issue 0x0: # http://intotheboxes.wordpress.com/2010/01/01/into-the-boxes-issue-0x0/ ua_win7_vtypes = { '_VOLUSER_ASSIST_TYPES' : [ 0x48, { 'Count': [0x04, ['unsigned int']], 'FocusCount': [0x08, ['unsigned int']], 'FocusTime': [0x0C, ['unsigned int']], 'LastUpdated' : [0x3C, ['WinTimeStamp', dict(is_utc = True)]] } ], } ua_vtypes = { '_VOLUSER_ASSIST_TYPES' : [ 0x10, { 'ID': [0x0, ['unsigned int']], 'CountStartingAtFive': [0x04, ['unsigned int']], 'LastUpdated' : [0x08, ['WinTimeStamp', dict(is_utc = True)]] } ], } class UserAssistVTypes(obj.ProfileModification): before = ['WindowsOverlay'] conditions = {'os': lambda x : x == 'windows'} def modification(self, profile): profile.vtypes.update(ua_vtypes) class UserAssistWin7VTypes(obj.ProfileModification): before = ['UserAssistVTypes'] conditions = {'os': lambda x : x == 
'windows', 'major': lambda x : x == 6, 'minor': lambda x : x >= 1} def modification(self, profile): profile.vtypes.update(ua_win7_vtypes) # taken from http://msdn.microsoft.com/en-us/library/dd378457%28v=vs.85%29.aspx folder_guids = { "{de61d971-5ebc-4f02-a3a9-6c82895e5c04}":"Add or Remove Programs (Control Panel)", "{724EF170-A42D-4FEF-9F26-B60E846FBA4F}":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", "{a305ce99-f527-492b-8b1a-7e76fa98d6e4}":"Installed Updates", "{9E52AB10-F80D-49DF-ACB8-4330F5687855}":"%LOCALAPPDATA%\\Microsoft\\Windows\\Burn\\Burn", "{df7266ac-9274-4867-8d55-3bd661de872d}":"Programs and Features", "{D0384E7D-BAC3-4797-8F14-CBA229B392B5}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", "{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}":"%ALLUSERSPROFILE%\\OEM Links", "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs", "{A4115719-D62E-491D-AA7C-E74B8BE3B067}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu", "{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp", "{B94237E7-57AC-4347-9151-B08C6C32D1F7}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Templates", "{0AC0837C-BBF8-452A-850D-79D08E667CA7}":"(My) Computer", "{4bfefb45-347d-4006-a5be-ac0cb0567192}":"Conflicts", "{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}":"Network Connections", "{56784854-C6CB-462b-8169-88E350ACB882}":"%USERPROFILE%\\Contacts", "{82A74AEB-AEB4-465C-A014-D097EE346D63}":"Control Panel", "{2B0F765D-C0E9-4171-908E-08A611B84FF6}":"%APPDATA%\\Microsoft\\Windows\\Cookies", "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}":"Desktop", "{5CE4A5E9-E4EB-479D-B89F-130C02886155}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\DeviceMetadataStore", "{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Documents.library-ms", "{374DE290-123F-4565-9164-39C4925E467B}":"%USERPROFILE%\\Downloads", 
"{1777F761-68AD-4D8A-87BD-30B759FA33DD}":"%USERPROFILE%\\Favorites", "{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}":"%windir%\\Fonts", "{CAC52C1A-B53D-4edc-92D7-6B2E8AC19434}":"Games", "{054FAE61-4DD8-4787-80B6-090220C4B700}":"GameExplorer", "{D9DC8A3B-B784-432E-A781-5A1130A75963}":"%LOCALAPPDATA%\\Microsoft\\Windows\\History", "{52528A6B-B9E3-4ADD-B60D-588C2DBA842D}":"Homegroup", "{BCB5256F-79F6-4CEE-B725-DC34E402FD46}":"%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", "{352481E8-33BE-4251-BA85-6007CAEDCF9D}":"%LOCALAPPDATA%\\Microsoft\\Windows\\Temporary Internet Files", "{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}":"The Internet", "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}":"%APPDATA%\\Microsoft\\Windows\\Libraries", "{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}":"%USERPROFILE%\\Links", "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}":"%LOCALAPPDATA% (%USERPROFILE%\\AppData\\Local)", "{A520A1A4-1780-4FF6-BD18-167343C5AF16}":"%USERPROFILE%\\AppData\\LocalLow", "{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}":"%windir%\\resources\\0409 (code page)", "{4BD8D571-6D19-48D3-BE97-422220080E43}":"%USERPROFILE%\\Music", "{2112AB0A-C86A-4FFE-A368-0DE96E47012E}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Music.library-ms", "{C5ABBF53-E17F-4121-8900-86626FC2C973}":"%APPDATA%\\Microsoft\\Windows\\Network Shortcuts", "{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}":"Network", "{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}":"%LOCALAPPDATA%\\Microsoft\\Windows Photo Gallery\\Original Images", "{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}":"%USERPROFILE%\\Pictures\\Slide Shows", "{A990AE9F-A03B-4E80-94BC-9912D7504104}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Pictures.library-ms", "{33E28130-4E1E-4676-835A-98395C3BC3BB}":"%USERPROFILE%\\Pictures", "{DE92C1C7-837F-4F69-A3BB-86E631204A23}":"%USERPROFILE%\\Music\\Playlists", "{76FC4E2D-D6AD-4519-A663-37BD56068185}":"Printers", "{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}":"%APPDATA%\\Microsoft\\Windows\\Printer Shortcuts", 
"{5E6C858F-0E22-4760-9AFE-EA3317B67173}":"%USERPROFILE% (%SystemDrive%\\Users\\%USERNAME%)", "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}":"%ALLUSERSPROFILE% (%ProgramData%, %SystemDrive%\\ProgramData)", "{905e63b6-c1bf-494e-b29c-65b732d3d21a}":"%ProgramFiles%", "{6D809377-6AF0-444b-8957-A3773F02200E}":"%ProgramFiles%", "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}":"%ProgramFiles%", "{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}":"%ProgramFiles%\\Common Files", "{6365D5A7-0F0D-45E5-87F6-0DA56B6A4F7D}":"%ProgramFiles%\\Common Files", "{DE974D24-D9C6-4D3E-BF91-F4455120B917}":"%ProgramFiles%\\Common Files", "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs", "{DFDF76A2-C82A-4D63-906A-5644AC457385}":"%PUBLIC% (%SystemDrive%\\Users\\Public)", "{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}":"%PUBLIC%\\Desktop", "{ED4824AF-DCE4-45A8-81E2-FC7965083634}":"%PUBLIC%\\Documents", "{3D644C9B-1FB8-4f30-9B45-F670235F79C0}":"%PUBLIC%\\Downloads", "{DEBF2536-E1A8-4c59-B6A2-414586476AEA}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\GameExplorer", "{48DAF80B-E6CF-4F4E-B800-0E69D84EE384}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Libraries", "{3214FAB5-9757-4298-BB61-92A9DEAA44FF}":"%PUBLIC%\\Music", "{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}":"%PUBLIC%\\Pictures", "{E555AB60-153B-4D17-9F04-A5FE99FC15EC}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Ringtones", "{2400183A-6185-49FB-A2D8-4A392A602BA3}":"%PUBLIC%\\Videos", "{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}":"%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch", "{AE50C081-EBD2-438A-8655-8A092E34987A}":"%APPDATA%\\Microsoft\\Windows\\Recent", "{1A6FDBA2-F42D-4358-A798-B74D745926C5}":"%PUBLIC%\\RecordedTV.library-ms", "{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}":"Recycle Bin", "{8AD10C31-2ADB-4296-A8F7-E4701232C972}":"%windir%\\Resources", "{C870044B-F49E-4126-A9C3-B52A1FF411E8}":"%LOCALAPPDATA%\\Microsoft\\Windows\\Ringtones", "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}":"%APPDATA% (%USERPROFILE%\\AppData\\Roaming)", 
"{B250C668-F57D-4EE1-A63C-290EE7D1AA1F}":"%PUBLIC%\\Music\\Sample Music", "{C4900540-2379-4C75-844B-64E6FAF8716B}":"%PUBLIC%\\Pictures\\Sample Pictures", "{15CA69B3-30EE-49C1-ACE1-6B5EC372AFB5}":"%PUBLIC%\\Music\\Sample Playlists", "{859EAD94-2E85-48AD-A71A-0969CB56A6CD}":"%PUBLIC%\\Videos\\Sample Videos", "{4C5C32FF-BB9D-43b0-B5B4-2D72E54EAAA4}":"%USERPROFILE%\\Saved Games", "{7d1d3a04-debb-4115-95cf-2f29da2920da}":"%USERPROFILE%\\Searches", "{ee32e446-31ca-4aba-814f-a5ebd2fd6d5e}":"Offline Files", "{98ec0e18-2098-4d44-8644-66979315a281}":"Microsoft Office Outlook", "{190337d1-b8ca-4121-a639-6d472d16972a}":"Search Results", "{8983036C-27C0-404B-8F08-102D10DCFD74}":"%APPDATA%\\Microsoft\\Windows\\SendTo", "{7B396E54-9EC5-4300-BE0A-2482EBAE1A26}":"%ProgramFiles%\\Windows Sidebar\\Gadgets", "{A75D362E-50FC-4fb7-AC2C-A8BEAA314493}":"%LOCALAPPDATA%\\Microsoft\\Windows Sidebar\\Gadgets", "{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}":"%APPDATA%\\Microsoft\\Windows\\Start Menu", "{B97D20BB-F46A-4C97-BA10-5E3608430854}":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp", "{43668BF8-C14E-49B2-97C9-747784D784B7}":"Sync Center", "{289a9a43-be44-4057-a41b-587a76d7e7f9}":"Sync Results", "{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}":"Sync Setup", "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}":"%windir%\\system32", "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}":"%windir%\\system32", "{A63293E8-664E-48DB-A079-DF759E0509F7}":"%APPDATA%\\Microsoft\\Windows\\Templates", "{9E3995AB-1F9C-4F13-B827-48B24B6C7174}":"%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", "{0762D272-C50A-4BB0-A382-697DCD729B80}":"%SystemDrive%\\Users", "{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}":"%LOCALAPPDATA%\\Programs", "{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}":"%LOCALAPPDATA%\\Programs\\Common", "{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}":"The user's full name", "{A302545D-DEFF-464b-ABE8-61C8648D939B}":"Libraries", "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}":"%USERPROFILE%\\Videos", 
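    "{491E922F-5643-4AF4-A7EB-4E7A138D8174}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Videos.library-ms",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}":"%windir%",
}

class UserAssist(common.AbstractWindowsCommand):
    "Print userassist registry keys and information"

    def __init__(self, config, *args, **kwargs):
        """Register the plugin and its -o/--hive-offset option."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('HIVE-OFFSET', short_option = 'o',
                          help = 'Hive offset (virtual)', type = 'int')
        self.regapi = None

    def calculate(self):
        """Yield (win7, hive name, Count key) for every UserAssist Count key.

        `win7` is True when the profile reports major 6 and minor >= 1; it
        selects the value layout and the GUID-to-folder translation later
        on. Without --hive-offset the search is limited to ntuser.dat
        hives; with it, only the hive at that offset is registered.
        """
        addr_space = utils.load_as(self._config)
        self.regapi = registryapi.RegistryApi(self._config)
        win7 = addr_space.profile.metadata.get('major', 0) == 6 and addr_space.profile.metadata.get('minor', 0) >= 1
        skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist"

        if not self._config.HIVE_OFFSET:
            self.regapi.set_current("ntuser.dat")
        else:
            name = obj.Object("_CMHIVE", vm = addr_space, offset = self._config.HIVE_OFFSET).get_name()
            self.regapi.all_offsets[self._config.HIVE_OFFSET] = name
            self.regapi.current_offsets[self._config.HIVE_OFFSET] = name

        for key, name in self.regapi.reg_yield_key(None, skey):
            for guidkey in self.regapi.reg_get_all_subkeys(None, None, given_root = key):
                for count in self.regapi.reg_get_all_subkeys(None, None, given_root = guidkey):
                    if count.Name == "Count":
                        yield win7, name, count

    def _readable_value_name(self, subname, win7):
        """Decode a stored value name for display.

        The name is passed through the rot_13 codec; if that raises
        UnicodeDecodeError it is left as stored. For win7 data a leading
        known-folder GUID is replaced by its path from folder_guids.
        """
        try:
            subname = subname.encode('rot_13')
        except UnicodeDecodeError:
            pass
        if win7:
            guid = subname.split("\\")[0]
            if guid in folder_guids:
                subname = subname.replace(guid, folder_guids[guid])
        return subname

    def parse_data_dict(self, dat_raw):
        """Parse one REG_BINARY value into a dict for unified_output().

        Returns None when the buffer is shorter than
        _VOLUSER_ASSIST_TYPES for the active profile. Fields the layout
        does not have keep their placeholders (ID/focus -1, time "N/A").
        """
        item = {}
        item["ID"] = -1
        item["focus"] = -1
        item["time"] = "N/A"
        bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw)
        uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
        if len(dat_raw) < bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES') or uadata == None:
            return None

        if hasattr(uadata, "ID"):
            item["ID"] = int(uadata.ID)
        if hasattr(uadata, "Count"):
            item["count"] = int(uadata.Count)
        else:
            # The older layout's counter starts at five; remove the bias
            # unless the stored value is already below it.
            item["count"] = int(uadata.CountStartingAtFive if uadata.CountStartingAtFive < 5 else uadata.CountStartingAtFive - 5)
        if hasattr(uadata, "FocusCount"):
            # FocusTime is rounded to whole seconds (presumably it is
            # stored in milliseconds).
            seconds = (uadata.FocusTime + 500) / 1000.0
            time = datetime.timedelta(seconds = seconds) if seconds > 0 else uadata.FocusTime
            item["focus"] = int(uadata.FocusCount)
            item["time"] = str(time)
        item["lastupdate"] = str(uadata.LastUpdated)
        return item

    def parse_data(self, dat_raw):
        """Parse one REG_BINARY value into the text block for render_text().

        Returns None when the buffer is shorter than
        _VOLUSER_ASSIST_TYPES for the active profile.
        """
        bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw)
        uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
        if len(dat_raw) < bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES') or uadata == None:
            return None

        output = ""
        if hasattr(uadata, "ID"):
            output = "\n{0:15} {1}".format("ID:", uadata.ID)
        if hasattr(uadata, "Count"):
            output += "\n{0:15} {1}".format("Count:", uadata.Count)
        else:
            output += "\n{0:15} {1}".format("Count:", uadata.CountStartingAtFive if uadata.CountStartingAtFive < 5 else uadata.CountStartingAtFive - 5)
        if hasattr(uadata, "FocusCount"):
            seconds = (uadata.FocusTime + 500) / 1000.0
            time = datetime.timedelta(seconds = seconds) if seconds > 0 else uadata.FocusTime
            output += "\n{0:15} {1}\n{2:15} {3}".format("Focus Count:", uadata.FocusCount, "Time Focused:", time)
        output += "\n{0:15} {1}\n".format("Last updated:", uadata.LastUpdated)

        return output

    def unified_output(self, data):
        """Describe the ten result columns and hand the rows to the renderer."""
        return TreeGrid([("Registry", str),
                         ("Path", str),
                         ("LastWrite", str),
                         ("Subkey", str),
                         ("Value", str),
                         ("ID", int),
                         ("Count", int),
                         ("FocusCount", int),
                         ("TimeFocused", str),
                         ("LastUpdated", str)
                         ], self.generator(data))

    def generator(self, data):
        """Yield TreeGrid rows: one per subkey, then one per REG_BINARY value.

        Every row carries exactly the ten fields declared in
        unified_output().
        """
        keyfound = False
        for win7, reg, key in data:
            if key:
                keyfound = True
                for s in self.regapi.reg_get_all_subkeys(None, None, given_root = key):
                    if s.Name == None:
                        item = "Unknown subkey: " + s.Name.reason
                    else:
                        item = s.Name
                    # Subkey rows have no counters. The FocusCount
                    # placeholder was missing, which left the row one field
                    # short of the declared columns and shifted "N/A" into
                    # an int column.
                    yield (0, [str(reg),
                               str(self.regapi.reg_get_key_path(key)),
                               str(key.LastWriteTime),
                               str(item),
                               "",
                               -1, -1, -1,
                               "N/A", "N/A"])

                for subname, dat in self.regapi.reg_yield_values(None, None, given_root = key, thetype = "REG_BINARY"):
                    dat_raw = dat
                    subname = self._readable_value_name(subname, win7)
                    dat = self.parse_data_dict(dat_raw)
                    if dat:
                        yield (0, [str(reg),
                                   str(self.regapi.reg_get_key_path(key)),
                                   str(key.LastWriteTime),
                                   "",
                                   str(subname),
                                   dat["ID"], dat["count"], dat["focus"],
                                   dat["time"], dat["lastupdate"]])
                    else:
                        yield (0, [str(reg),
                                   str(self.regapi.reg_get_key_path(key)),
                                   str(key.LastWriteTime),
                                   "",
                                   str(subname),
                                   -1, -1, -1,
                                   "-", "-"])

        if not keyfound:
            debug.error("The requested key could not be found in the hive(s) searched")

    def render_text(self, outfd, data):
        """Write each Count key, its subkeys and its decoded values to `outfd`."""
        keyfound = False
        for win7, reg, key in data:
            if key:
                keyfound = True
                outfd.write("----------------------------\n")
                outfd.write("Registry: {0}\n".format(reg))
                outfd.write("Path: {0}\n".format(self.regapi.reg_get_key_path(key)))
                outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
                outfd.write("\n")
                outfd.write("Subkeys:\n")
                for s in self.regapi.reg_get_all_subkeys(None, None, given_root = key):
                    if s.Name == None:
                        outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
                    else:
                        outfd.write(" {0}\n".format(s.Name))
                outfd.write("\n")
                outfd.write("Values:\n")
                for subname, dat in self.regapi.reg_yield_values(None, None, given_root = key, thetype = "REG_BINARY"):
                    dat_raw = dat
                    # The raw bytes are always shown so a value that fails
                    # to parse can still be examined by hand.
                    dat = "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                    subname = self._readable_value_name(subname, win7)
                    d = self.parse_data(dat_raw)
                    if d != None:
                        dat = "{0}Raw Data:\n{1}".format(d, dat)
                    else:
                        dat = "Raw Data:\n{0}".format(dat)
                    outfd.write("\n{0:13} {1:15} : {2}\n".format("REG_BINARY", subname, dat))
        if not keyfound:
            outfd.write("The requested key could not be found in the hive(s) searched\n")

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/printkey.py0000644000000000000000000002367413131215405025121 0ustar rootroot
# Volatility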
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.obj as obj
import volatility.win32.hive as hivemod
import volatility.win32.rawreg as rawreg
import volatility.debug as debug
import volatility.utils as utils
import volatility.commands as commands
import volatility.plugins.common as common
import volatility.plugins.registry.hivelist as hivelist
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address, Bytes

def vol(k):
    """Return True when bit 31 (0x80000000) of k.obj_offset is set.

    PrintKey.voltext() maps True to "(V)" and False to "(S)", which the
    text output's legend labels Volatile and Stable.
    """
    high_bit = 0x80000000
    return (k.obj_offset & high_bit) != 0

class PrintKey(hivelist.HiveList):
    "Print a registry key, and its subkeys and values"
    # Plugin meta information.
    # NOTE(review): meta_info is bound to commands.Command.meta_info itself
    # (no copy is made here), so the assignments below write into that
    # object -- confirm this sharing is intended.
    meta_info = commands.Command.meta_info
    meta_info['author'] = 'Brendan Dolan-Gavitt'
    meta_info['copyright'] = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt'
    meta_info['contact'] = 'bdolangavitt@wesleyan.edu'
    meta_info['license'] = 'GNU General Public License 2.0'
    meta_info['url'] = 'http://moyix.blogspot.com/'
    meta_info['os'] = 'WIN_32_XP_SP2'
    meta_info['version'] = '1.0'

    def __init__(self, config, *args, **kwargs):
        """Register the HIVE-OFFSET (-o) and KEY (-K) options."""
        hivelist.HiveList.__init__(self, config, *args, **kwargs)
        config.add_option('HIVE-OFFSET', short_option = 'o',
                          help = 'Hive offset (virtual)', type = 'int')
        config.add_option('KEY', short_option = 'K',
                          help = 'Registry Key', type = 'str')

    def calculate(self):
        """Yield (hive name, key) for each hive examined.

        All hives from HiveList are used unless HIVE_OFFSET is given.  With
        KEY set, the yielded key is the result of opening that
        backslash-separated path below the hive root; otherwise it is the
        root itself.  A hive without a root yields nothing, and is reported
        through debug.error only when HIVE_OFFSET was given.
        """
        addr_space = utils.load_as(self._config)

        if self._config.HIVE_OFFSET:
            hive_offsets = [self._config.HIVE_OFFSET]
        else:
            hive_offsets = [h.obj_offset for h in hivelist.HiveList.calculate(self)]

        # set() drops duplicate offsets before the hives are walked.
        for hoff in set(hive_offsets):
            hive_space = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            hive_name = obj.Object("_CMHIVE", vm = addr_space, offset = hoff).get_name()
            root = rawreg.get_root(hive_space)
            if not root:
                if self._config.HIVE_OFFSET:
                    debug.error("Unable to find root key. Is the hive offset correct?")
                continue
            if self._config.KEY:
                yield hive_name, rawreg.open_key(root, self._config.KEY.split('\\'))
            else:
                yield hive_name, root

    def voltext(self, key):
        """Return "(V)" when vol(key) is true, otherwise "(S)"."""
        if vol(key):
            return "(V)"
        return "(S)"

    def render_text(self, outfd, data):
        """Write each key with its subkeys and values as plain text.

        REG_BINARY and REG_NONE data is shown as a hexdump; string types
        are encoded to ASCII with 'backslashreplace', so non-ASCII
        characters appear as escapes rather than raw bytes in the report.
        """
        outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
        keyfound = False
        for reg, key in data:
            if not key:
                continue
            keyfound = True
            outfd.write("----------------------------\n")
            outfd.write("Registry: {0}\n".format(reg))
            outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
            outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
            outfd.write("\n")
            outfd.write("Subkeys:\n")

            for sub in rawreg.subkeys(key):
                if sub.Name == None:
                    outfd.write(" Unknown subkey at {0:#x}\n".format(sub.obj_offset))
                else:
                    outfd.write(" {1:3s} {0}\n".format(sub.Name, self.voltext(sub)))

            outfd.write("\n")
            outfd.write("Values:\n")
            for val in rawreg.values(key):
                tp, dat = rawreg.value_data(val)
                if tp in ('REG_BINARY', 'REG_NONE'):
                    dump_lines = ("{0:#010x} {1:<48} {2}".format(o, h, ''.join(c))
                                  for o, h, c in utils.Hexdump(dat))
                    dat = "\n" + "\n".join(dump_lines)
                elif tp in ('REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK'):
                    dat = dat.encode("ascii", 'backslashreplace')
                elif tp == 'REG_MULTI_SZ':
                    # Entries are re-encoded in place, one string at a time.
                    for idx, entry in enumerate(dat):
                        dat[idx] = entry.encode("ascii", 'backslashreplace')
                outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, val.Name, dat, self.voltext(val)))
        if not keyfound:
            outfd.write("The requested key could not be found in the hive(s) searched\n")

    def unified_output(self, data):
        """Describe the ten output columns and attach the row generator."""
        columns = [("Registry", str),
                   ("KeyName", str),
                   ("KeyStability", str),
                   ("LastWrite", str),
                   ("Subkeys", str),
                   ("SubkeyStability", str),
                   ("ValType", str),
                   ("ValName", str),
                   ("ValStability", str),
                   ("ValData", str)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one row for the key, one per subkey and one per value.

        The first four columns (registry, key name, key stability, last
        write time) are repeated on every row; columns that do not apply
        to a row hold "-".
        """
        for reg, key in data:
            if not key:
                continue

            def lead():
                # The four columns every row of this key starts with.
                return [str("{0}".format(reg)),
                        str("{0}".format(key.Name)),
                        str("{0:3s}".format(self.voltext(key))),
                        str("{0}".format(key.LastWriteTime))]

            subkeys = list(rawreg.subkeys(key))
            values = list(rawreg.values(key))
            yield (0, lead() + ["-", "-", "-", "-", "-", "-"])

            for sub in subkeys:
                if sub.Name == None:
                    yield (0, lead() + [str("Unknown subkey: {0}".format(sub.Name.reason)),
                                        "-", "-", "-", "-", "-"])
                else:
                    yield (0, lead() + [str("{0}".format(sub.Name)),
                                        str("{0:3s}".format(self.voltext(sub))),
                                        "-", "-", "-", "-"])

            for val in values:
                tp, dat = rawreg.value_data(val)
                if tp in ('REG_BINARY', 'REG_NONE'):
                    dat = Bytes(dat)
                elif tp in ('REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK'):
                    dat = dat.encode("ascii", 'backslashreplace')
                elif tp == 'REG_MULTI_SZ':
                    for idx, entry in enumerate(dat):
                        dat[idx] = entry.encode("ascii", 'backslashreplace')
                yield (0, lead() + ["-", "-",
                                    str(tp),
                                    str("{0}".format(val.Name)),
                                    str("{0:3s}".format(self.voltext(val))),
                                    str(dat)])

class HiveDump(common.AbstractWindowsCommand):
    """Prints out a hive"""

    def __init__(self, config, *args, **kwargs):
        """Register the HIVE-OFFSET (-o) option."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('HIVE-OFFSET', short_option = 'o', type = 'int',
                          help = 'Hive offset (virtual)')

    def calculate(self):
        """Return the root key of the hive at the configured offset.

        debug.error is called when no offset was supplied.
        """
        addr_space = utils.load_as(self._config)

        if not self._config.hive_offset:
            debug.error("A Hive offset must be provided (--hive-offset)")

        hive_space = hivemod.HiveAddressSpace(addr_space, self._config, self._config.hive_offset)
        return rawreg.get_root(hive_space)

    def render_text(self, outfd, data):
        """Write a header line, then every key below `data` via print_key()."""
        header = "{0:20s} {1}\n".format("Last Written", "Key")
        outfd.write(header)
        self.print_key(outfd, '', data)

    def unified_output(self, data):
        """Describe the two output columns and attach the row generator."""
        return TreeGrid([("LastWritten", str),
                         ("Key", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield (last write time, path) rows, walking the hive iteratively.

        `pending` is a work list: each visited key appends its subkeys, so
        the walk proceeds without recursion.
        """
        pending = [(data, str(data.Name))]
        pos = 0
        while pos < len(pending):
            key, path = pending[pos]
            pos += 1
            if not key:
                continue
            yield (0, [str("{0}".format(key.LastWriteTime)), str(path)])
            for sub in rawreg.subkeys(key):
                pending.append((sub, "{0}\\{1}".format(path, sub.Name)))

    def print_key(self, outfd, keypath, key):
        """Recursively write `key` and all of its subkeys to outfd."""
        if key.Name != None:
            line = "{0:20s} {1}\n".format(key.LastWriteTime, keypath + "\\" + key.Name)
            outfd.write(line)
        for child in rawreg.subkeys(key):
            # The path is rebuilt per child, as in the original, so it is
            # only evaluated when the key actually has subkeys.
            self.print_key(outfd, keypath + "\\" + key.Name, child)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/amcache.py0000644000000000000000000001615013131215405024624 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
# """ @author: Jamie Levy (gleeda) @license: GNU General Public License 2.0 @contact: jamie@memoryanalysis.net @organization: Volatility Foundation """ #pylint: disable-msg=C0111 import volatility.plugins.registry.registryapi as registryapi from volatility.renderers import TreeGrid import volatility.plugins.common as common import volatility.addrspace as addrspace import volatility.obj as obj import volatility.debug as debug import volatility.utils as utils import datetime import struct # Taken from http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html fileitems = { "0":"Product Name", "1":"Company Name", "2":"File version number only", "3":"Language code", "4":"SwitchBackContext", "5":"File Version", "6":"File Size", "7":"SizeOfImage", #PE Header field "8":"Hash of PE Header", "9":"Checksum", #PE Header field "a":"UNKNOWN", "b":"UNKNOWN", "c":"File Description", "d":"UNKNOWN", "f":"CompileTime", "10":"UNKNOWN", "11":"LastModified", "12":"Created", "15":"Path", "16":"UNKNOWN", "17":"LastModified", "100":"ProgramID", "101":"SHA1 of file", } # Taken from http://www.swiftforensics.com/2013/12/amcachehve-part-2.html programsitems = { "0":"Program Name", "1":"Program Version", "2":"Publisher", "3":"Languge Code", "4":"UNKNOWN", "5":"UNKNOWN", "6":"Entry Type", "7":"Registry Uninstall Key", "8":"UNKNOWN", "9":"UNKNOWN", "a":"Install Date", "b":"UNKNOWN", "c":"UNKNOWN", "d":"List of File Paths", "f":"Product Code", "10":"Package Code", "11":"MSI Product Code", "12":"MSI Package Code", "13":"UNKNOWN", "Files":"List of Files in this package", } class AmCache(common.AbstractWindowsCommand): "Print AmCache information" def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('HIVE-OFFSET', short_option = 'o', help = 'Hive offset (virtual)', type = 'int') self.regapi = None def calculate(self): addr_space = utils.load_as(self._config) self.regapi = 
registryapi.RegistryApi(self._config) filekey = "root\\file" progkey = "root\\programs" if not self._config.HIVE_OFFSET: self.regapi.set_current("Amcache.hve") else: name = obj.Object("_CMHIVE", vm = addr_space, offset = self._config.HIVE_OFFSET).get_name() self.regapi.all_offsets[self._config.HIVE_OFFSET] = name self.regapi.current_offsets[self._config.HIVE_OFFSET] = name for key, name in self.regapi.reg_yield_key(None, filekey): for guidkey in self.regapi.reg_get_all_subkeys(None, None, given_root = key): result = {} for thefile in self.regapi.reg_get_all_subkeys(None, None, given_root = guidkey): result["hive"] = name for vname, value in self.regapi.reg_yield_values(None, None, thetype = None, given_root = thefile): result["valuename"] = vname result["value"] = value result["key"] = thefile result["description"] = fileitems.get(str(vname), "UNKNOWN") result["timestamp"] = "" if str(vname) in ["11", "12", "17"]: try: bufferas = addrspace.BufferAddressSpace(self._config, data = struct.pack(" # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or (at # your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. 
# # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA """ @author: Jamie Levy (gleeda) @license: GNU General Public License 2.0 or later @contact: jamie@memoryanalysis.net @organization: Volatile Systems """ import volatility.plugins.registry.registryapi as registryapi import volatility.debug as debug import volatility.utils as utils import volatility.obj as obj import volatility.plugins.common as common import volatility.addrspace as addrspace from volatility.renderers import TreeGrid # Windows XP types taken from RegRipper auditpol plugin auditpol_type_xp = { 'AuditPolDataXP' : [ None, { 'Enabled' : [ 0x0, ['unsigned char']], 'System' : [ 0x4, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Logons' : [0x8, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Files' : [0xc, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'UserRights': [0x10, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Process': [0x14, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'PolicyChange': [0x18, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AccountManagement': [0x1c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DirectoryAccess': [0x20, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AccountLogon': [0x24, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not 
Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], } ], } # Vista and Windows 7 structures taken from http://www.kazamiya.net/files/PolAdtEv_Structure_en_rev2.pdf auditpol_type_vista = { 'AuditPolDataVista' : [ None, { # System 'SecurityState' : [ 0xc, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'SecuritySystem' : [ 0xe, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'SystemIntegrity' : [0x10, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'IPSecDriver': [0x12, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'SystemOther': [0x14, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # Logon/Logoff 'Logon': [0x16, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Logoff': [0x18, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AccountLockout': [0x1a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'IPSecMainMode': [0x1c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'SpecialLogon': [0x1e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'IPSecQuickMode': [0x20, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'IPSecExtended': [0x22, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'LogonOther': [0x24, ['Enumeration', dict(target = 'unsigned 
short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'NetworkPolicyServer': [0x26, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # File Object 'FileSystem': [0x28, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Registry': [0x2a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'KernelObject': [0x2c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'SAM': [0x2e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'ObjectOther': [0x30, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Certification': [0x32, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Application': [0x34, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'HandleManipulation': [0x36, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'FileShare': [0x38, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'PacketDrop': [0x3a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'PlatformConnection': [0x3c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # Privelege Use 'Sensitive': [0x3e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'NonSensitive': [0x40, ['Enumeration', dict(target = 'unsigned 
short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'PrivilegeOther': [0x42, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], #Detailed Tracking 'ProcessCreation': [0x44, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'ProcessTermination': [0x46, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DPAPI': [0x48, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'RPC': [0x4a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # Policy Change 'AuditPolicyChange': [0x4c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AuthenticationPolicyChange': [0x4e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AuthorizationPolicyChange': [0x50, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'MPSSVCRule': [0x52, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'FilteringPlatformPolicyChange': [0x54, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'PolicyOther': [0x56, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # Account Management 'UserAccount': [0x58, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'ComputerAccount': [0x5a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: 
"S/F"})]], 'SecurityGroup': [0x5c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DistributionGroup': [0x5e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'ApplicationGroup': [0x60, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AccountOther': [0x62, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # DS ACcess 'DirectoryServiceAccess': [0x64, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DirectoryServiceChange': [0x66, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DirectoryServiceReplication': [0x68, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DetailedDirServReplication': [0x6a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # Account Logon 'CredentialValidation': [0x6c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'KerberosOperations': [0x6e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AccountLogonOther': [0x70, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'KerberosAuthentication': [0x72, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], } ], } auditpol_type_win7 = { 'AuditPolData7' : [ None, { # System 'SecurityState' : [ 0xc, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: 
"S", 0x02: "F", 0x03: "S/F"})]], 'SecuritySystem' : [ 0xe, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'SystemIntegrity' : [0x10, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'IPSecDriver': [0x12, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'SystemOther': [0x14, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # Logon/Logoff 'Logon': [0x16, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Logoff': [0x18, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AccountLockout': [0x1a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'IPSecMainMode': [0x1c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'SpecialLogon': [0x1e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'IPSecQuickMode': [0x20, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'IPSecExtended': [0x22, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'LogonOther': [0x24, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'NetworkPolicyServer': [0x26, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # File Object 'FileSystem': [0x28, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 
0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Registry': [0x2a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'KernelObject': [0x2c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'SAM': [0x2e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'ObjectOther': [0x30, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Certification': [0x32, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Application': [0x34, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'HandleManipulation': [0x36, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'FileShare': [0x38, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'PacketDrop': [0x3a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'PlatformConnection': [0x3c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DetailedFileShare': [0x3e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # Privelege Use 'Sensitive': [0x40, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'NonSensitive': [0x42, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'PrivilegeOther': [0x44, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 
0x02: "F", 0x03: "S/F"})]], #Detailed Tracking 'ProcessCreation': [0x46, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'ProcessTermination': [0x48, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DPAPI': [0x4a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'RPC': [0x4c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # Policy Change 'AuditPolicyChange': [0x4e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AuthenticationPolicyChange': [0x50, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AuthorizationPolicyChange': [0x52, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'MPSSVCRule': [0x54, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'FilteringPlatformPolicyChange': [0x56, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'PolicyOther': [0x58, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # Account Management 'UserAccount': [0x5a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'ComputerAccount': [0x5c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'SecurityGroup': [0x5e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DistributionGroup': [0x60, 
['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'ApplicationGroup': [0x62, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AccountOther': [0x64, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # DS ACcess 'DirectoryServiceAccess': [0x66, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DirectoryServiceChange': [0x68, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DirectoryServiceReplication': [0x6a, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'DetailedDirServReplication': [0x6c, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], # Account Logon 'CredentialValidation': [0x6e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'KerberosOperations': [0x70, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'AccountLogonOther': [0x72, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'KerberosAuthentication': [0x74, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], } ], } auditpol_type_win8 = { 'AuditPolData8' : [ None, { 'Logon': [22, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Logoff': [24, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]], 'Sensitive': [70, ['Enumeration', 
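dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]],
    'ProcessCreation': [76, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]],
    }],
}

# Windows 10 layout. Like the Windows 8 layout above it describes only four
# of the audit subcategories, so output for these versions is partial.
auditpol_type_win10 = {
    'AuditPolData10' : [ None, {
    'Logon': [0x16, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]],
    'Logoff': [0x18, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]],
    'Sensitive': [0x48, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]],
    'ProcessCreation': [0x4e, ['Enumeration', dict(target = 'unsigned short', choices = {0x00: "Not Logged", 0x01: "S", 0x02: "F", 0x03: "S/F"})]],
    }],
}

# The classes below only add a human-readable __str__ to the raw structures.
# They are registered by the ProfileModification classes further down and
# Auditpol.render_text() prints them through str(ap); unified_output()
# walks the structure members instead and does not use __str__.

class AuditPolDataXP(obj.CType):
    """Text rendering of the XP-era audit policy structure."""
    def __str__(self):
        audit = "Disabled"
        if int(self.Enabled) != 0:
            audit = "Enabled"
        msg = "Auditing is {0}\n\tAudit System Events: {1}\n\tAudit Logon Events: {2}\n\tAudit Object Access: {3}\n\t".format(
            audit, self.System, self.Logons, self.Files)
        msg += "Audit Privilege Use: {0}\n\tAudit Process Tracking: {1}\n\tAudit Policy Change: {2}\n\tAudit Account Management: {3}\n\t".format(
            self.UserRights, self.Process, self.PolicyChange, self.AccountManagement)
        msg += "Audit Dir Service Access: {0}\n\tAudit Account Logon Events: {1}\n".format(self.DirectoryAccess, self.AccountLogon)
        return msg

class AuditPolDataVista(obj.CType):
    """Text rendering of the Vista audit policy structure."""
    def __str__(self):
        msg = "System Events:\n\tSecurity State Change: {0}\n\tSecurity System Extention: {1}\n\tSystem Integrity: {2}\n\t".format(
            self.SecurityState, self.SecuritySystem, self.SystemIntegrity)
        msg += "IPSec Driver: {0}\n\tOther System Events: {1}\n".format(
            self.IPSecDriver, self.SystemOther)
        msg += "Logon/Logoff Events:\n\tLogon: {0}\n\tLogoff: {1}\n\tAccount Lockout: {2}\n\t".format(
            self.Logon, self.Logoff, self.AccountLockout)
        msg += "IPSec Main Mode: {0}\n\tSpecial Logon: {1}\n\tIPSec Quick Mode: {2}\n\tIPSec Extended Mode: {3}\n\t".format(
            self.IPSecMainMode, self.SpecialLogon, self.IPSecQuickMode, self.IPSecExtended)
        msg += "Other Logon Events: {0}\n\tNetwork Policy Server: {1}\n".format(
            self.LogonOther, self.NetworkPolicyServer)
        msg += "Object Access Events:\n\tFile System: {0}\n\tRegistry: {1}\n\tKernel Object: {2}\n\t".format(
            self.FileSystem, self.Registry, self.KernelObject)
        msg += "SAM: {0}\n\tOther Object Events: {1}\n\tCertification Services: {2}\n\tApplication Generated: {3}\n\t".format(
            self.SAM, self.ObjectOther, self.Certification, self.Application)
        msg += "Handle Manipulation: {0}\n\tFile Share: {1}\n\tFiltering Platform Packet Drop: {2}\n\t".format(
            self.HandleManipulation, self.FileShare, self.PacketDrop)
        msg += "Filtering Platform Connection: {0}\nPrivelege Use:\n\t".format(
            self.PlatformConnection)
        # The labels used to run straight into their values ("Non Sensitive{1}"),
        # which made the two settings hard to tell apart in a report.
        msg += "Sensitive: {0}\n\tNon Sensitive: {1}\n\tOther Privilege Use Events: {2}\nDetailed Tracking:\n\t".format(
            self.Sensitive, self.NonSensitive, self.PrivilegeOther)
        # self.RPC was passed to format() but the string had no {3}, so the
        # RPC audit setting never appeared in the text output.
        msg += "Process Creation: {0}\n\tProcess Termination: {1}\n\tDPAPI Activity: {2}\n\tRPC Events: {3}\n".format(
            self.ProcessCreation, self.ProcessTermination, self.DPAPI, self.RPC)
        msg += "Policy Change Events:\n\tAudit Policy Change: {0}\n\tAuthentication Policy Change: {1}\n\t".format(
            self.AuditPolicyChange, self.AuthenticationPolicyChange)
        msg += "Authorization Policy Change: {0}\n\tMPSSVC Rule: {1}\n\tFiltering Platform Policy Change: {2}\n\t".format(
            self.AuthorizationPolicyChange, self.MPSSVCRule, self.FilteringPlatformPolicyChange)
        msg += "Other Policy Events: {0}\nAccount Management Events:\n\tUser Account Management: {1}\n\t".format(
            self.PolicyOther, self.UserAccount)
        msg += "Computer Account Management: {0}\n\tSecurity Group Management: {1}\n\tDistribution Group Management: {2}\n\t".format(
            self.ComputerAccount, self.SecurityGroup, self.DistributionGroup)
        msg += "Application Group Management: {0}\n\tOther Account Management Events: {1}\nDS Access Events:\n\t".format(
            self.ApplicationGroup, self.AccountOther)
        msg += "Directory Service Access: {0}\n\tDirectory Service Changes: {1}\n\tDirectory Service Replication: {2}\n\t".format(
            self.DirectoryServiceAccess, self.DirectoryServiceChange, self.DirectoryServiceReplication)
        msg += "Detailed Directory Service Replication: {0}\nAccount Logon Events:\n\tCredential Validation: {1}\n\t".format(
            self.DetailedDirServReplication, self.CredentialValidation)
        msg += "Kerberos Service Ticket Operations: {0}\n\tOther Account Logon Events: {1}\n\tKerberos Authentication Service: {2}\n".format(
            self.KerberosOperations, self.AccountLogonOther, self.KerberosAuthentication)
        return msg

class AuditPolData8(obj.CType):
    """Text rendering of the four fields mapped for Windows 8 / 8.1."""
    def __str__(self):
        msg = "\nLogon: {0}\n\tLogoff: {1}\n\tSensitive Privilegs: {2}\n\tProcess Creation: {3}\n\t".format(
            self.Logon, self.Logoff, self.Sensitive, self.ProcessCreation)
        return msg

class AuditPolData10(obj.CType):
    """Text rendering of the four fields mapped for Windows 10."""
    def __str__(self):
        msg = "\nLogon: {0}\n\tLogoff: {1}\n\tSensitive Privilegs: {2}\n\tProcess Creation: {3}\n\t".format(
            self.Logon, self.Logoff, self.Sensitive, self.ProcessCreation)
        return msg

class AuditPolData7(obj.CType):
    """Text rendering of the Windows 7 audit policy structure.

    Same report as AuditPolDataVista plus the Detailed File Share setting.
    """
    def __str__(self):
        msg = "System Events:\n\tSecurity State Change: {0}\n\tSecurity System Extention: {1}\n\tSystem Integrity: {2}\n\t".format(
            self.SecurityState, self.SecuritySystem, self.SystemIntegrity)
        msg += "IPSec Driver: {0}\n\tOther System Events: {1}\n".format(
            self.IPSecDriver, self.SystemOther)
        msg += "Logon/Logoff Events:\n\tLogon: {0}\n\tLogoff: {1}\n\tAccount Lockout: {2}\n\t".format(
            self.Logon, self.Logoff, self.AccountLockout)
        msg += "IPSec Main Mode: {0}\n\tSpecial Logon: {1}\n\tIPSec Quick Mode: {2}\n\tIPSec Extended Mode: {3}\n\t".format(
            self.IPSecMainMode, self.SpecialLogon, self.IPSecQuickMode, self.IPSecExtended)
        msg += "Other Logon Events: {0}\n\tNetwork Policy Server: {1}\n".format(
            self.LogonOther, self.NetworkPolicyServer)
        msg += "Object Access Events:\n\tFile System: {0}\n\tRegistry: {1}\n\tKernel Object: {2}\n\t".format(
            self.FileSystem, self.Registry, self.KernelObject)
        msg += "SAM: {0}\n\tOther Object Events: {1}\n\tCertification Services: {2}\n\tApplication Generated: {3}\n\t".format(
            self.SAM, self.ObjectOther, self.Certification, self.Application)
        msg += "Handle Manipulation: {0}\n\tFile Share: {1}\n\tFiltering Platform Packet Drop: {2}\n\t".format(
            self.HandleManipulation, self.FileShare, self.PacketDrop)
        msg += "Filtering Platform Connection: {0}\n\tDetailed File Share: {1}\nPrivelege Use:\n\t".format(
            self.PlatformConnection, self.DetailedFileShare)
        # Labels previously ran straight into their values; separator added.
        msg += "Sensitive: {0}\n\tNon Sensitive: {1}\n\tOther Privilege Use Events: {2}\nDetailed Tracking:\n\t".format(
            self.Sensitive, self.NonSensitive, self.PrivilegeOther)
        # self.RPC was passed to format() but never printed; {3} added.
        msg += "Process Creation: {0}\n\tProcess Termination: {1}\n\tDPAPI Activity: {2}\n\tRPC Events: {3}\n".format(
            self.ProcessCreation, self.ProcessTermination, self.DPAPI, self.RPC)
        msg += "Policy Change Events:\n\tAudit Policy Change: {0}\n\tAuthentication Policy Change: {1}\n\t".format(
            self.AuditPolicyChange, self.AuthenticationPolicyChange)
        msg += "Authorization Policy Change: {0}\n\tMPSSVC Rule: {1}\n\tFiltering Platform Policy Change: {2}\n\t".format(
            self.AuthorizationPolicyChange, self.MPSSVCRule, self.FilteringPlatformPolicyChange)
        msg += "Other Policy Events: {0}\nAccount Management Events:\n\tUser Account Management: {1}\n\t".format(
            self.PolicyOther, self.UserAccount)
        msg += "Computer Account Management: {0}\n\tSecurity Group Management: {1}\n\tDistribution Group Management: {2}\n\t".format(
            self.ComputerAccount, self.SecurityGroup, self.DistributionGroup)
        msg += "Application Group Management: {0}\n\tOther Account Management Events: {1}\nDS Access Events:\n\t".format(
            self.ApplicationGroup, self.AccountOther)
        msg += "Directory Service Access: {0}\n\tDirectory Service Changes: {1}\n\tDirectory Service Replication: {2}\n\t".format(
            self.DirectoryServiceAccess, self.DirectoryServiceChange, self.DirectoryServiceReplication)
        msg += "Detailed Directory Service Replication: {0}\nAccount Logon Events:\n\tCredential Validation: {1}\n\t".format(
            self.DetailedDirServReplication, self.CredentialValidation)
        msg += "Kerberos Service Ticket Operations: {0}\n\tOther Account Logon Events: {1}\n\tKerberos Authentication Service: {2}\n".format(
            self.KerberosOperations, self.AccountLogonOther, self.KerberosAuthentication)
        return msg

# Each ProfileModification below registers one structure layout and its
# class for the profiles whose metadata matches `conditions`.

class AuditpolTypesXP(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x <= 1}
    def modification(self, profile):
        profile.object_classes.update({
            'AuditPolDataXP': AuditPolDataXP,
        })
        profile.vtypes.update(auditpol_type_xp)

class AuditpolTypesVista(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0}
    def modification(self, profile):
        profile.object_classes.update({
            'AuditPolDataVista': AuditPolDataVista,
        })
        profile.vtypes.update(auditpol_type_vista)

class AudipolWin7(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1}
    def modification(self, profile):
        profile.object_classes.update({
            'AuditPolData7': AuditPolData7,
        })
        profile.vtypes.update(auditpol_type_win7)

class AudipolWin8(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 2 or x == 3 }
    def modification(self, profile):
        profile.object_classes.update({
            'AuditPolData8': AuditPolData8,
        })
        profile.vtypes.update(auditpol_type_win8)

class AudipolWin10(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 4}
    def modification(self, profile):
        profile.object_classes.update({
            'AuditPolData10': AuditPolData10,
        })
        profile.vtypes.update(auditpol_type_win10)

class Auditpol(common.AbstractWindowsCommand):
    """Prints out the Audit Policies from HKLM\\SECURITY\\Policy\\PolAdtEv"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('HEX', short_option = 'H', default = False,
                          help = 'Output HEX of Policy\\PolAdtEv key',
                          action = "store_true")

    @staticmethod
    def is_valid_profile(profile):
        # The plugin is offered for every Windows profile.
        return profile.metadata.get('os', 'unknown').lower() == 'windows'

    def get_yield(self, ap):
        # One (depth, [name, value]) row per member of the parsed structure.
        for k in ap.members.keys():
            yield (0, ["{0}".format(k), "{0}".format(ap.m(k))])

    def calculate(self):
        """Yield (raw value bytes, parsed structure) for each PolAdtEv value.

        The bytes come from the SECURITY hive found in the memory image and
        are overlaid with the structure chosen from the profile version.
        """
        addr_space = utils.load_as(self._config)
        regapi = registryapi.RegistryApi(self._config)
        regapi.reset_current()
        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))
        for value, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
            bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
            # NOTE(review): a (5, 2) profile takes the Vista branch here, but
            # AuditpolTypesVista registers that type only for minor == 0;
            # confirm how 2003 images are expected to be handled.
            if version <= (5, 1):
                ap = obj.Object("AuditPolDataXP", offset = 0, vm = bufferas)
            elif version <= (6, 0):
                ap = obj.Object("AuditPolDataVista", offset = 0, vm = bufferas)
            elif version == (6, 1):
                ap = obj.Object("AuditPolData7", offset = 0, vm = bufferas)
            elif version == (6, 2) or version == (6, 3):
                ap = obj.Object("AuditPolData8", offset = 0, vm = bufferas)
            else:
                ap = obj.Object("AuditPolData10", offset = 0, vm = bufferas)
            if ap == None:
                debug.error("No AuditPol data found")
            yield data_raw, ap

    def unified_output(self, data):
        return TreeGrid([("Item", str),
                         ("Detail", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one row per structure member for the unified renderers."""
        first = True
        for data_raw, ap in data:
            # Only the XP layout is rendered with an "Enabled" switch; report
            # it once, under a friendlier name.
            if first and hasattr(ap, "Enabled"):
                first = False
                audit = "Disabled"
                if int(ap.Enabled) != 0:
                    audit = "Enabled"
                yield (0, ["GeneralAuditing", audit])
            for k in ap.members.keys():
                if k != "Enabled":
                    yield (0, ["{0}".format(k), "{0}".format(ap.m(k))])

            if self._config.HEX:
                # for now, not sure how to handle hexdump data
                # The dump goes to stdout directly, so it is not part of the
                # rows handed to the selected renderer.
                raw = "\n".join(["{0:010x}: {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(data_raw)])
                print raw

    def render_text(self, outfd, data):
        """Write the optional hexdump and the readable report for each value."""
        for data_raw, ap in data:
            if self._config.HEX:
                raw = "\n".join(["{0:010x}: {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(data_raw)])
                outfd.write(raw + "\n\n")
            outfd.write("{0}\n".format(str(ap)))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/__init__.py0000644000000000000000000000000013131215405024765 0ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/dumpregistry.py0000644000000000000000000000652013131215405026001 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2012 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .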
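#

"""
@author: Jamie Levy (Gleeda)
@license: GNU General Public License 2.0
@contact: jamie@memoryanalysis.net
@organization: Volatility Foundation
"""

import volatility.debug as debug
import volatility.plugins.common as common
import volatility.plugins.registry.registryapi as registryapi
import volatility.win32.hive as hivemod
import volatility.utils as utils
import volatility.obj as obj
import os

class DumpRegistry(common.AbstractWindowsCommand):
    ''' Dumps registry files out to disk '''

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('HIVE-OFFSET', short_option = 'o', default = None,
                          help = 'Hive offset (virtual)',
                          action = 'store', type = 'int')
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump extracted files')

    def fixname(self, name, offset):
        """Build the output file name for a hive.

        The hive name is read from the memory image, so it is treated as
        untrusted: only the last backslash-separated component is kept, and
        '.', '/', '[' and ']' are removed (spaces become '_') before the
        name is embedded in "registry.0x<offset>.<name>.reg". Other
        characters pass through unchanged.
        """
        name = name.split("\\")[-1].strip()
        name = name.replace(".", "")
        name = name.replace("/", "")
        name = name.replace(" ", "_")
        name = name.replace("[", "")
        name = name.replace("]", "")
        name = "registry.0x{0:x}.{1}.reg".format(offset, name)
        return name

    def calculate(self):
        """Yield (output file name, hive address space) pairs.

        With --hive-offset only that hive is produced, otherwise every hive
        known to RegistryApi.
        """
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        # Report a wrong --dump-dir up front instead of failing inside open()
        # for the first hive.
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        addr_space = utils.load_as(self._config)

        if self._config.HIVE_OFFSET:
            name = obj.Object("_CMHIVE", vm = addr_space, offset = self._config.HIVE_OFFSET).get_name()
            yield self.fixname(name, self._config.HIVE_OFFSET), hivemod.HiveAddressSpace(addr_space, self._config, self._config.HIVE_OFFSET)
        else:
            regapi = registryapi.RegistryApi(self._config)
            for offset in regapi.all_offsets:
                name = self.fixname(regapi.all_offsets[offset], offset)
                yield name, hivemod.HiveAddressSpace(addr_space, self._config, offset)

    def render_text(self, outfd, data):
        """Write each hive to a file inside DUMP_DIR and log progress to outfd."""
        header = "*" * 50
        for name, hive in data:
            # fixname() already reduced the name to a single component; the
            # split is repeated so the path always stays inside DUMP_DIR.
            of_path = os.path.join(self._config.DUMP_DIR, name.split("\\")[-1].strip())
            # The with-block closes the file even when hive.save() raises,
            # so a failed dump does not leak the handle.
            with open(of_path, "wb") as regout:
                outfd.write("{0}\n".format(header))
                outfd.write("Writing out registry: {0}\n\n".format(name))
                hive.save(regout, outfd)
            outfd.write("{0}\n".format(header))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/shimcache.py0000644000000000000000000002657613131215405025204 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (C) 2011 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .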
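#

"""
@author: Jamie Levy (gleeda)
@license: GNU General Public License 2.0
@contact: jamie@memoryanalysis.net
@organization: Volatility Foundation
"""

import volatility.plugins.registry.registryapi as registryapi
from volatility.renderers import TreeGrid
import volatility.debug as debug
import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.addrspace as addrspace

# Structures taken from the ShimCache Whitepaper: https://blog.mandiant.com/archives/2459

#### SHIMRECS ####

# Header of the AppCompatCache value. NumRecords is read from the value
# itself and sets the length of the Entries array.
shimrecs_type_xp = {
    'ShimRecords' : [ None, {
    'Magic' : [ 0x0, ['unsigned int']], #0xDEADBEEF
    'NumRecords' : [ 0x8, ['short']],
    'Entries' : [0x190, ['array', lambda x: x.NumRecords, ['AppCompatCacheEntry']]],
    } ],
}

shimrecs_type_2003vista = {
    'ShimRecords' : [ None, {
    'Magic' : [ 0x0, ['unsigned int']], #0xBADC0FFE
    'NumRecords' : [ 0x4, ['int']],
    'Entries' : [0x8, ['array', lambda x: x.NumRecords, ['AppCompatCacheEntry']]],
    } ],
}

shimrecs_type_win7 = {
    'ShimRecords' : [ None, {
    'Magic' : [ 0x0, ['unsigned int']], #0xBADC0FEE
    'NumRecords' : [ 0x4, ['int']],
    'Entries' : [0x80, ['array', lambda x: x.NumRecords, ['AppCompatCacheEntry']]],
    } ],
}

#### APPCOMPAT TYPES ####

# One entry layout per Windows version and memory model. The XP entry holds
# the path inline; the later layouts point at it with PathOffset / Length.
appcompat_type_xp_x86 = {
    'AppCompatCacheEntry' : [ 0x228, {
    'Path' : [ 0x0, ['NullString', dict(length = 0x208, encoding = 'utf8')]],
    'LastModified' : [ 0x210, ['WinTimeStamp', dict(is_utc = True)]],
    'FileSize': [0x218, ['long long']],
    'LastUpdate' : [ 0x220, ['WinTimeStamp', dict(is_utc = True)]],
    } ],
}

appcompat_type_2003_x86 = {
    'AppCompatCacheEntry' : [ 0x18, {
    'Length' : [ 0x0, ['unsigned short']],
    'MaximumLength' : [0x2, ['unsigned short']],
    'PathOffset' : [ 0x4, ['unsigned int']],
    'LastModified' : [ 0x8, ['WinTimeStamp', dict(is_utc = True)]],
    'FileSize': [0x10, ['_LARGE_INTEGER']],
    } ],
}

appcompat_type_vista_x86 = {
    'AppCompatCacheEntry' : [ 0x18, {
    'Length' : [ 0x0, ['unsigned short']],
    'MaximumLength' : [0x2, ['unsigned short']],
    'PathOffset' : [ 0x4, ['unsigned int']],
    'LastModified' : [ 0x8, ['WinTimeStamp', dict(is_utc = True)]],
    'InsertFlags' : [0x10, ['unsigned int']],
    'Flags' : [0x14, ['unsigned int']],
    } ],
}

appcompat_type_win7_x86 = {
    'AppCompatCacheEntry' : [ 0x20, {
    'Length' : [ 0x0, ['unsigned short']],
    'MaximumLength' : [0x2, ['unsigned short']],
    'PathOffset' : [ 0x4, ['unsigned int']],
    'LastModified' : [ 0x8, ['WinTimeStamp', dict(is_utc = True)]],
    'InsertFlags' : [0x10, ['unsigned int']],
    'ShimFlags' : [0x14, ['unsigned int']],
    'BlobSize' : [0x18, ['unsigned int']],
    'BlobOffset' : [0x1c, ['unsigned int']],
    } ],
}

appcompat_type_2003_x64 = {
    'AppCompatCacheEntry' : [ 0x20, {
    'Length' : [ 0x0, ['unsigned short']],
    'MaximumLength' : [0x2, ['unsigned short']],
    'PathOffset' : [ 0x8, ['unsigned long long']],
    'LastModified' : [ 0x10, ['WinTimeStamp', dict(is_utc = True)]],
    'FileSize': [0x18, ['_LARGE_INTEGER']],
    } ],
}

appcompat_type_vista_x64 = {
    'AppCompatCacheEntry' : [ 0x20, {
    'Length' : [ 0x0, ['unsigned short']],
    'MaximumLength' : [0x2, ['unsigned short']],
    'PathOffset' : [ 0x8, ['unsigned int']],
    'LastModified' : [ 0x10, ['WinTimeStamp', dict(is_utc = True)]],
    'InsertFlags' : [0x18, ['unsigned int']],
    'Flags' : [0x1c, ['unsigned int']],
    } ],
}

appcompat_type_win7_x64 = {
    'AppCompatCacheEntry' : [ 0x30, {
    'Length' : [ 0x0, ['unsigned short']],
    'MaximumLength' : [0x2, ['unsigned short']],
    'PathOffset' : [ 0x8, ['unsigned long long']],
    'LastModified' : [ 0x10, ['WinTimeStamp', dict(is_utc = True)]],
    'InsertFlags' : [0x18, ['unsigned int']],
    'ShimFlags' : [0x1c, ['unsigned int']],
    'BlobSize' : [0x20, ['unsigned long long']],
    'BlobOffset' : [0x28, ['unsigned long long']],
    } ],
}

# Profile modifications: each pairs one header layout with one entry layout
# for a given version and memory model. No layout is registered here for
# profiles newer than Windows 7.

class ShimCacheTypesXPx86(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 1,
                  'memory_model': lambda x: x == '32bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_xp)
        profile.vtypes.update(appcompat_type_xp_x86)

class ShimCacheTypes2003x86(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2,
                  'memory_model': lambda x: x == '32bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_2003vista)
        profile.vtypes.update(appcompat_type_2003_x86)

class ShimCacheTypesVistax86(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'memory_model': lambda x: x == '32bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_2003vista)
        profile.vtypes.update(appcompat_type_vista_x86)

class ShimCacheTypesWin7x86(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'memory_model': lambda x: x == '32bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_win7)
        profile.vtypes.update(appcompat_type_win7_x86)

class ShimCacheTypes2003x64(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2,
                  'memory_model': lambda x: x == '64bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_2003vista)
        profile.vtypes.update(appcompat_type_2003_x64)

class ShimCacheTypesVistax64(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'memory_model': lambda x: x == '64bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_2003vista)
        profile.vtypes.update(appcompat_type_vista_x64)

class ShimCacheTypesWin7x64(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'memory_model': lambda x: x == '64bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_win7)
        profile.vtypes.update(appcompat_type_win7_x64)

class ShimCache(common.AbstractWindowsCommand):
    """Parses the Application Compatibility Shim Cache registry key"""

    def __init__(self, config, *args, **kwargs):
        self._addrspace = None
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

    @staticmethod
    def is_valid_profile(profile):
        # The plugin is offered for every Windows profile.
        return profile.metadata.get('os', 'unknown').lower() == 'windows'

    @staticmethod
    def remove_unprintable(item):
        # Keep tab and printable ASCII (32..126) only; every other byte of
        # the stored path is dropped, so non-ASCII characters are lost.
        return ''.join([str(c) for c in item if (ord(c) > 31 or ord(c) == 9) and ord(c) <= 126])

    @staticmethod
    def get_entries(addr_space, regapi):
        """Yield (path, last modified, last update) for each cache entry.

        Last update is only present in the XP layout and is None otherwise.
        The value data comes from the SYSTEM hive in the memory image and is
        checked for a minimum length and a known magic before it is walked.
        """
        regapi.reset_current()
        currentcs = regapi.reg_get_currentcontrolset()
        if currentcs == None:
            currentcs = "ControlSet001"

        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))
        xp = False

        if version <= (5, 1):
            key = currentcs + "\\Control\\Session Manager\\AppCompatibility"
            xp = True
        else:
            key = currentcs + "\\Control\\Session Manager\\AppCompatCache"

        data_raw = regapi.reg_get_value('system', key, "AppCompatCache")
        # A generator ends with a plain return; raising StopIteration inside
        # one is turned into RuntimeError by newer interpreters (PEP 479).
        if data_raw == None or len(data_raw) < 0x1c:
            debug.warning("No ShimCache data found")
            return

        bufferas = addrspace.BufferAddressSpace(addr_space.get_config(), data = data_raw)
        shimdata = obj.Object("ShimRecords", offset = 0, vm = bufferas)
        if shimdata == None:
            debug.warning("No ShimCache data found")
            return

        if shimdata.Magic not in [0xDEADBEEF, 0xBADC0FFE, 0xBADC0FEE]:
            debug.warning("ShimRecords.Magic value {0:X} is not valid".format(shimdata.Magic))
            return

        # NOTE(review): NumRecords, PathOffset and Length are taken from the
        # value as-is and are not compared with len(data_raw) here; confirm
        # that the array type and BufferAddressSpace.read() bound them.
        for e in shimdata.Entries:
            if xp:
                yield e.Path, e.LastModified, e.LastUpdate
            else:
                yield ShimCache.remove_unprintable(bufferas.read(int(e.PathOffset), int(e.Length))), e.LastModified, None

    def calculate(self):
        addr_space = utils.load_as(self._config)
        regapi = registryapi.RegistryApi(self._config)
        for entry in self.get_entries(addr_space, regapi):
            yield entry

    def unified_output(self, data):
        # blank header in case there is no shimcache data
        return TreeGrid([("Last Modified", str),
                         ("Last Update", str),
                         ("Path", str),
                        ], self.generator(data))

    def generator(self, data):
        # "-" stands in for the Last Update column on layouts without it.
        for path, lm, lu in data:
            if lu:
                yield (0, [str(lm), str(lu), str(path).strip()])
            else:
                yield (0, [str(lm), "-", str(path).strip()])

    def render_text(self, outfd, data):
        """Write a two- or three-column table.

        The header is chosen from the first record: three columns when it
        carries a Last Update value, two otherwise.
        """
        first = True
        for path, lm, lu in data:
            if lu:
                if first:
                    self.table_header(outfd, [("Last Modified", "30"),
                                              ("Last Update", "30"),
                                              ("Path", ""),
                                             ])
                    first = False
                outfd.write("{0:30} {1:30} {2}\n".format(lm, lu, path))
            else:
                if first:
                    self.table_header(outfd, [("Last Modified", "30"),
                                              ("Path", ""),
                                             ])
                    first = False
                outfd.write("{0:30} {1}\n".format(lm, path))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/hivescan.py0000644000000000000000000000620313131215405025041 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .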
#

"""
@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.utils as utils
import volatility.poolscan as poolscan
import volatility.plugins.common as common
import volatility.plugins.bigpagepools as bigpools
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class PoolScanHive(poolscan.PoolScanner):
    """Pool scanner for registry hives"""

    def __init__(self, address_space):
        poolscan.PoolScanner.__init__(self, address_space)

        self.struct_name = "_CMHIVE"
        self.pooltag = "CM10"

        # An allocation smaller than a _CMHIVE cannot hold one.
        min_size = self.address_space.profile.get_obj_size("_CMHIVE")
        size_check = ('CheckPoolSize', dict(condition = lambda x: x >= min_size))
        self.checks = [size_check]

class HiveScan(common.AbstractScanCommand):
    """Pool scanner for registry hives"""

    scanners = [PoolScanHive]

    # Declare meta information associated with this plugin
    meta_info = {
        'author': 'Brendan Dolan-Gavitt',
        'copyright': 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        'contact': 'bdolangavitt@wesleyan.edu',
        'license': 'GNU General Public License 2.0',
        'url': 'http://moyix.blogspot.com/',
        'os': 'WIN_32_XP_SP2',
        'version': '1.0',
    }

    def calculate(self):
        """Yield the _CMHIVE objects found in the image."""
        addr_space = utils.load_as(self._config)

        profile_meta = addr_space.profile.metadata
        os_version = (profile_meta.get("major", 0), profile_meta.get("minor", 0))
        memory_model = profile_meta.get("memory_model", "32bit")

        use_big_pools = os_version >= (6, 3) and memory_model == "64bit"
        if not use_big_pools:
            # Everything else goes through the regular pool scanner.
            for found in self.scan_results(addr_space):
                yield found
            return

        # 64-bit profiles from 6.3 on: take the hives from the big page pool
        # scanner, looking for the same CM10 tag.
        for entry in bigpools.BigPagePoolScanner(addr_space).scan(["CM10"]):
            yield entry.Va.dereference_as("_CMHIVE")

    def unified_output(self, data):
        columns = [("Offset(P)", Address)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        for hive in data:
            yield (0, [Address(hive.obj_offset)])

    def render_text(self, outfd, data):
        self.table_header(outfd, [('Offset(P)', '[addrpad]')])
        for hive in data:
            self.table_row(outfd, hive.obj_offset)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/hivelist.py0000644000000000000000000001032713131215405025072 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.plugins.registry.hivescan as hs
import volatility.obj as obj
import volatility.utils as utils
import volatility.cache as cache
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class HiveList(hs.HiveScan):
    """Print list of registry hives.

    You can supply the offset of a specific hive. Otherwise
    this module will use the results from hivescan automatically.
    """

    # Declare meta information associated with this plugin
    meta_info = {
        'author': 'Brendan Dolan-Gavitt',
        'copyright': 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        'contact': 'bdolangavitt@wesleyan.edu',
        'license': 'GNU General Public License 2.0',
        'url': 'http://moyix.blogspot.com/',
        'os': 'WIN_32_XP_SP2',
        'version': '1.0',
    }

    def unified_output(self, data):
        columns = [("Virtual", Address),
                   ("Physical", Address),
                   ("Name", str)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one row per hive with a valid signature, skipping repeats."""
        seen = []
        for hive in data:
            # calculate() can reach the same hive more than once, so rows are
            # de-duplicated on the object offset.
            if hive.Hive.Signature != 0xbee0bee0 or hive.obj_offset in seen:
                continue
            name = hive.get_name()
            virtual = Address(hive.obj_offset)
            physical = Address(hive.obj_vm.vtop(hive.obj_offset))
            yield (0, [virtual, physical, str(name)])
            seen.append(hive.obj_offset)

    def render_text(self, outfd, result):
        # [addrpad] columns: the "0x" prefix counts towards the column width.
        self.table_header(outfd, [('Virtual', '[addrpad]'),
                                  ('Physical', '[addrpad]'),
                                  ('Name', ''),
                                 ])

        seen = []
        for hive in result:
            if hive.Hive.Signature != 0xbee0bee0 or hive.obj_offset in seen:
                continue
            name = hive.get_name()
            self.table_row(outfd, hive.obj_offset, hive.obj_vm.vtop(hive.obj_offset), name)
            seen.append(hive.obj_offset)

    @cache.CacheDecorator("tests/hivelist")
    def calculate(self):
        """Walk the hive list, starting from every hive that hivescan found."""
        # NOTE(review): `flat` is not used below; the call is kept because
        # load_as() may do more than return the address space.
        flat = utils.load_as(self._config, astype = 'physical')
        addr_space = utils.load_as(self._config)
        scanned = hs.HiveScan.calculate(self)

        # A scanned hive is usually found in the physical address space. Its
        # HiveList.Flink is followed to get the next hive's address in virtual
        # memory, and the list is then walked from there.
        for hive in scanned:
            flink = hive.HiveList.Flink.v()
            if not flink:
                continue
            list_entry_offset = addr_space.profile.get_obj_offset('_CMHIVE', 'HiveList')
            start_hive_offset = hive.HiveList.Flink.v() - list_entry_offset

            # Instantiate that hive in the virtual address space as usual.
            start_hive = obj.Object("_CMHIVE", start_hive_offset, addr_space)

            for linked in start_hive.HiveList:
                yield linked
volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/shellbags.py0000644000000000000000000012542613131215405025216 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2012 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
# """ @author: Jamie Levy (Gleeda) @license: GNU General Public License 2.0 @contact: jamie@memoryanalysis.net @organization: Volatility Foundation """ import volatility.utils as utils import volatility.plugins.common as common import volatility.plugins.registry.registryapi as registryapi import volatility.obj as obj import volatility.addrspace as addrspace import volatility.plugins.overlays.basic as basic import volatility.timefmt as timefmt from volatility.renderers import TreeGrid import struct import datetime ''' Some references for further reading, all of which were used for building this plugin: http://download.polytechnic.edu.na/pub4/download.sourceforge.net/pub/sourceforge/l/project/li/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf Windows Shell Item format specification (pdf) by Joachim Metz http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using shellbag information to reconstruct user activities (pdf) by Yuandong Zhu, Pavel Gladyshev and Joshua James http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics by Willi Ballenthin https://github.com/504ensicsLabs/registrydecoder/blob/master/templates/template_files/ShellBagMRU.py ShellBagMRU.py from Registry Decoder by Kevin Moore http://code.google.com/p/regripper/wiki/ShellBags Shellbags RegRipper plugin by Harlan Carvey ''' EXT_VERSIONS = { "0x0003":"Windows XP", "0x0007":"Windows Vista", "0x0008":"Windows 7", } # http://support.microsoft.com/kb/813711 BAG_KEYS = [ "Software\\Microsoft\\Windows\\Shell", "Software\\Microsoft\\Windows\\ShellNoRoam", ] USERDAT_KEYS = [ "Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\Shell", "Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam", "Local Settings\\Software\\Microsoft\\Windows\\Shell", "Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam", ] # These are abbreviated only because there can be more than one in output # so it gets cluttered FILE_ATTRS = { 
0x00000001:"RO", #Is read-Only 0x00000002:"HID", #Is hidden 0x00000004:"SYS", #Is a system file or directory 0x00000008:"VOL", #Is a volume label 0x00000010:"DIR", #Is a directory 0x00000020:"ARC", #Should be archived 0x00000040:"DEV", #Is a device 0x00000080:"NORM", #Is normal None of the other flags should be set 0x00000100:"TEMP", #Is temporary 0x00000200:"SPARSE", #Is a sparse file 0x00000400:"RP", #Is a reparse point or symbolic link 0x00000800:"COM", #Is compressed 0x00001000:"OFFLINE", #Is offline The data of the file is stored on an offline storage. 0x00002000:"NI", #Do not index content The content of the file or directory should not be indexed by the indexing service. 0x00004000:"ENC", #Is encrypted 0x00010000:"VIR", #Is virtual } # GUIDs and FOLDER_IDs copied from Will Ballenthin's shellbags parser: # https://github.com/williballenthin/shellbags KNOWN_GUIDS = { "031e4825-7b94-4dc3-b131-e946b44c8dd5": "Libraries", "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7": "CSIDL_SYSTEM", "208d2c60-3aea-1069-a2d7-08002b30309d": "My Network Places", "20d04fe0-3aea-1069-a2d8-08002b30309d": "My Computer", "21ec2020-3aea-1069-a2dd-08002b30309d": "{Unknown CSIDL}", "22877a6d-37a1-461a-91b0-dbda5aaebc99": "{Unknown CSIDL}", "2400183a-6185-49fb-a2d8-4a392a602ba3": "Public Videos", "2559a1f1-21d7-11d4-bdaf-00c04f60b9f0": "{Unknown CSIDL}", "2559a1f3-21d7-11d4-bdaf-00c04f60b9f0": "{Unknown CSIDL}", "26ee0668-a00a-44d7-9371-beb064c98683": "{Unknown CSIDL}", "3080f90e-d7ad-11d9-bd98-0000947b0257": "{Unknown CSIDL}", "3214fab5-9757-4298-bb61-92a9deaa44ff": "Public Music", "33e28130-4e1e-4676-835a-98395c3bc3bb": "Pictures", "374de290-123f-4565-9164-39c4925e467b": "Downloads", "4336a54d-038b-4685-ab02-99bb52d3fb8b": "{Unknown CSIDL}", "450d8fba-ad25-11d0-98a8-0800361b1103": "My Documents", "4bd8d571-6d19-48d3-be97-422220080e43": "Music", "5399e694-6ce5-4d6c-8fce-1d8870fdcba0": "Control Panel", "59031a47-3f72-44a7-89c5-5595fe6b30ee": "Users", "645ff040-5081-101b-9f08-00aa002f954e": 
"Recycle Bin", "724ef170-a42d-4fef-9f26-b60e846fba4f": "Administrative Tools", "7b0db17d-9cd2-4a93-9733-46cc89022e7c": "Documents Library", "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e": "Program Files (x86)", "871c5380-42a0-1069-a2ea-08002b30309d": "Internet Explorer (Homepage)", "905e63b6-c1bf-494e-b29c-65b732d3d21a": "Program Files", "9e52ab10-f80d-49df-acb8-4330f5687855": "Temporary Burn Folder", "a305ce99-f527-492b-8b1a-7e76fa98d6e4": "Installed Updates", "b4bfcc3a-db2c-424c-b029-7fe99a87c641": "Desktop", "b6ebfb86-6907-413c-9af7-4fc2abf07cc5": "Public Pictures", "c1bae2d0-10df-4334-bedd-7aa20b227a9d": "Common OEM Links", "cce6191f-13b2-44fa-8d14-324728beef2c": "{Unknown CSIDL}", "d0384e7d-bac3-4797-8f14-cba229b392b5": "Common Administrative Tools", "d65231b0-b2f1-4857-a4ce-a8e7c6ea7d27": "System32 (x86)", "de61d971-5ebc-4f02-a3a9-6c82895e5c04": "Get Programs", "df7266ac-9274-4867-8d55-3bd661de872d": "Programs and Features", "dfdf76a2-c82a-4d63-906a-5644ac457385": "Public", "de974d24-d9c6-4d3e-bf91-f4455120b917": "Common Files", "ed228fdf-9ea8-4870-83b1-96b02cfe0d52": "My Games", "f02c1a0d-be21-4350-88b0-7367fc96ef3c": "Network", "f38bf404-1d43-42f2-9305-67de0b28fc23": "Windows", "f3ce0f7c-4901-4acc-8648-d5d44b04ef8f": "Users Files", "fdd39ad0-238f-46af-adb4-6c85480369c7": "Documents", # Control Panel Items "d20ea4e1-3957-11d2-a40b-0c5020524153": "Administrative Tools", "9c60de1e-e5fc-40f4-a487-460851a8d915": "AutoPlay", "d9ef8727-cac2-4e60-809e-86f80a666c91": "BitLocker Drive Encryption", "b2c761c6-29bc-4f19-9251-e6195265baf1": "Color Management", "e2e7934b-dce5-43c4-9576-7fe4f75e7480": "Date and Time", "17cd9488-1228-4b2f-88ce-4298e93e0966": "Default Programs", "74246bfc-4c96-11d0-abef-0020af6b0b7a": "Device Manager", "d555645e-d4f8-4c29-a827-d93c859c4f2a": "Ease of Access Center", "6dfd7c5c-2451-11d3-a299-00c04f8ef6af": "Folder Options", "93412589-74d4-4e4e-ad0e-e0cb621440fd": "Fonts", "259ef4b1-e6c9-4176-b574-481532c9bce8": "Game Controllers", 
"15eae92e-f17a-4431-9f28-805e482dafd4": "Get Programs", "87d66a43-7b11-4a28-9811-c86ee395acf7": "Indexing Options", "a3dd4f92-658a-410f-84fd-6fbbbef2fffe": "Internet Options", "a304259d-52b8-4526-8b1a-a1d6cecc8243": "iSCSI Initiator", "725be8f7-668e-4c7b-8f90-46bdb0936430": "Keyboard", "6c8eec18-8d75-41b2-a177-8831d59d2d50": "Mouse", "8e908fc9-becc-40f6-915b-f4ca0e70d03d": "Network and Sharing Center", "d24f75aa-4f2b-4d07-a3c4-469b3d9030c4": "Offline Files", "96ae8d84-a250-4520-95a5-a47a7e3c548b": "Parental Controls", "5224f545-a443-4859-ba23-7b5a95bdc8ef": "People Near Me", "78f3955e-3b90-4184-bd14-5397c15f1efc": "Performance Information and Tools", "ed834ed6-4b5a-4bfe-8f11-a626dcb6a921": "Personalization", "025a5937-a6be-4686-a844-36fe4bec8b6d": "Power Options", "7b81be6a-ce2b-4676-a29e-eb907a5126c5": "Programs and Features", "00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3": "Scanners and Cameras", "9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf": "Sync Center", "bb06c0e4-d293-4f75-8a90-cb05b6477eee": "System ", "80f3f1d5-feca-45f3-bc32-752c152e456e": "Tablet PC Settings", "0df44eaa-ff21-4412-828e-260a8728e7f1": "Taskbar and Start Menu", "d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3": "Text to Speech", "60632754-c523-4b62-b45c-4172da012619": "User Accounts", "be122a0e-4503-11da-8bde-f66bad1e3f3a": "Windows Anytime Upgrade", "78cb147a-98ea-4aa6-b0df-c8681f69341c": "Windows CardSpace", "d8559eb9-20c0-410e-beda-7ed416aecc2a": "Windows Defender", "4026492f-2f69-46b8-b9bf-5654fc07e423": "Windows Firewall", "5ea4f148-308c-46d7-98a9-49041b1dd468": "Windows Mobility Center", "e95a4861-d57a-4be1-ad0f-35267e261739": "Windows SideShow", "36eef7db-88ad-4e81-ad49-0e313f0c35f8": "Windows Update", # Vista Control Panel Items "7a979262-40ce-46ff-aeee-7884ac3b6136": "Add Hardware", "f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d": "Sound", "b98a2bea-7d42-4558-8bd1-832f41bac6fd": "Backup and Restore Center", "3e7efb4c-faf1-453d-89eb-56026875ef90": "Windows Marketplace", "a0275511-0e86-4eca-97c2-ecd8f1221d08": 
"Infrared", "f82df8f7-8b9f-442e-a48c-818ea735ff9b": "Pen and Input Devices", "40419485-c444-4567-851a-2dd7bfa1684d": "Phone and Modem", "2227a280-3aea-1069-a2de-08002b30309d": "Printers", "fcfeecae-ee1b-4849-ae50-685dcf7717ec": "Problem Reports and Solutions", "62d8ed13-c9d0-4ce8-a914-47dd628fb1b0": "Regional and Language Options", "087da31b-0dd3-4537-8e23-64a18591f88b": "Windows Security Center", "58e3c745-d971-4081-9034-86e34b30836a": "Speech Recognition Options", # Windows 7 Control Panel Items "bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6": "Action Center", "0142e4d0-fb7a-11dc-ba4a-000ffe7ab428": "Biometric Devices", "1206f5f1-0569-412c-8fec-3204630dfb70": "Credential Manager", "00c6d95f-329c-409a-81d7-c46c66ea7f33": "Default Location", "37efd44d-ef8d-41b1-940d-96973a50e9e0": "Desktop Gadgets", "a8a91a66-3a7d-4424-8d24-04e180695c7a": "Devices and Printers", "c555438b-3c23-4769-a71f-b6d3d9b6053a": "Display", "cb1b7f8c-c50a-4176-b604-9e24dee8d4d1": "Getting Started", "67ca7650-96e6-4fdd-bb43-a8e774f73a57": "HomeGroup", "e9950154-c418-419e-a90a-20c5287ae24b": "Location and Other Sensors", "05d7b0f4-2121-4eff-bf6b-ed3f69b894d9": "Notification Area Icons", "9fe63afd-59cf-4419-9775-abcc3849f861": "Recovery", "241d7c96-f8bf-4f85-b01f-e2b043341a4b": "RemoteApp and Desktop Connections", "c58c4893-3be0-4b45-abb5-a63e4b8c8651": "Troubleshooting", # Folder Types "0b2baaeb-0042-4dca-aa4d-3ee8648d03e5": "Pictures Library", "36011842-dccc-40fe-aa3d-6177ea401788": "Documents Search Results", "3f2a72a7-99fa-4ddb-a5a8-c604edf61d6b": "Music Library", "4dcafe13-e6a7-4c28-be02-ca8c2126280d": "Pictures Search Results", "5c4f28b5-f869-4e84-8e60-f11db97c5cc7": "Generic (All folder items)", "5f4eab9a-6833-4f61-899d-31cf46979d49": "Generic Library", "5fa96407-7e77-483c-ac93-691d05850de8": "Videos", "631958a6-ad0f-4035-a745-28ac066dc6ed": "Videos Library", "71689ac1-cc88-45d0-8a22-2943c3e7dfb3": "Music Search Results", "7d49d726-3c21-4f05-99aa-fdc2c9474656": "Documents", 
"7fde1a1e-8b31-49a5-93b8-6be14cfa4943": "Generic Search Results", "80213e82-bcfd-4c4f-8817-bb27601267a9": "Compressed Folder (zip folder)", "94d6ddcc-4a68-4175-a374-bd584a510b78": "Music", "b3690e58-e961-423b-b687-386ebfd83239": "Pictures", "ea25fbd7-3bf7-409e-b97f-3352240903f4": "Videos Search Results", "fbb3477e-c9e4-4b3b-a2ba-d3f5d3cd46f9": "Documents Library", } FOLDER_IDS = { 0x00:"EXPLORER", 0x42:"LIBRARIES", 0x44:"USERS", 0x48:"MY_DOCUMENTS", 0x50:"MY_COMPUTER", 0x58:"NETWORK", 0x60:"RECYCLE_BIN", 0x68:"EXPLORER", 0x70:"UKNOWN", 0x78:"RECYCLE_BIN", 0x80:"MY_GAMES", } SHELL_ITEM_TYPES = { 0x00:"UNKNOWN_00", #Varied 0x01:"UNKNOWN_01", 0x2e:"UNKNOWN_2E", # DEVICE from ShellBagMRU.py in RegistryDecoder 0x31:"FILE_ENTRY", # Folder 0x32:"FILE_ENTRY", # Zip file 0xb1:"FILE_ENTRY", # Hidden folder 0x1f:"FOLDER_ENTRY", # System folder 0x2f:"VOLUME_NAME", 0x41:"NETWORK_VOLUME_NAME", # Windows Domain 0x42:"NETWORK_VOLUME_NAME", # Computer Name 0x46:"NETWORK_VOLUME_NAME", # MS Windows Network 0x47:"NETWORK_VOLUME_NAME", # Entire Network 0xc3:"NETWORK_SHARE", # Remote Share 0x61:"URI", 0x71:"CONTROL_PANEL", 0x74:"UNKNOWN_74", # System protected folder } FLAGS = { 0x02:"has network volume name", 0x80:"has unknown 16-bit value", } ##### Type overrides for output below ##### # http://msdn.microsoft.com/en-us/library/aa379358%28v=vs.85%29.aspx # http://msdn.microsoft.com/en-us/library/cc248286%28v=prot.10%29.aspx ''' '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], ''' class _GUID(obj.CType): def __str__(self): return "{0:08x}-{1:04x}-{2:04x}-{3:02x}{4:02x}-{5:02x}{6:02x}{7:02x}{8:02x}{9:02x}{10:02x}".format(self.Data1, self.Data2, self.Data3, self.Data4[0], self.Data4[1], self.Data4[2], self.Data4[3], self.Data4[4], self.Data4[5], self.Data4[6], self.Data4[7]) class ITEMPOS(obj.CType): def get_file_attrs(self): fileattrs = "" if self.Size >= 
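0x15:
            for f in FILE_ATTRS:
                if self.Attributes.FileAttrs & f == f:
                    fileattrs += FILE_ATTRS[f] + ", "
        fileattrs = fileattrs.rstrip(", ")
        return fileattrs

    def body(self, details):
        """Return this item as one line of pipe-delimited bodyfile output.

        details is free text from the caller; it is placed after the attribute
        list inside the name field. The three timestamps are written as the
        raw values of AccessDate, ModifiedDate and CreatedDate (the last one
        twice).
        """
        # The file name and the details text are built from data recovered from
        # the memory image. A literal "|" in either would shift every field that
        # follows, so it is written as %7c - the same substitution that
        # _VOLUSER_ASSIST_TYPES.body applies to its value name.
        name = str(self.Attributes.UnicodeFilename).replace("|", "%7c")
        details = "{0}".format(details).replace("|", "%7c")
        return "0|[{6}SHELLBAGS ITEMPOS] Name: {3}/Attrs: {4}/{5}|0|---------------|0|0|0|{0}|{1}|{2}|{2}\n".format(
            self.Attributes.AccessDate.v(),
            self.Attributes.ModifiedDate.v(),
            self.Attributes.CreatedDate.v(),
            name,
            self.get_file_attrs(),
            details,
            self.obj_vm._config.MACHINE)

    def __str__(self):
        """Format the item as one fixed-width row matching get_header()."""
        return "{0:<14} {1:30} {2:30} {3:30} {4:25} {5}".format(self.Attributes.FileName,
                    str(self.Attributes.ModifiedDate),
                    str(self.Attributes.CreatedDate),
                    str(self.Attributes.AccessDate),
                    self.get_file_attrs(),
                    str(self.Attributes.UnicodeFilename))

    def get_items(self):
        """Return the displayed fields as a dict of strings keyed by column name."""
        items = {}
        items["FileName"] = str(self.Attributes.FileName)
        items["Modified"] = str(self.Attributes.ModifiedDate)
        items["Create"] = str(self.Attributes.CreatedDate)
        items["Access"] = str(self.Attributes.AccessDate)
        items["Attributes"] = self.get_file_attrs()
        items["Unicode"] = str(self.Attributes.UnicodeFilename)
        return items

    def get_header(self):
        """Return the (title, format spec) pairs for the text table."""
        return [("File Name", "14s"),
                ("Modified Date", "30"),
                ("Create Date", "30"),
                ("Access Date", "30"),
                ("File Attr", "25"),
                ("Unicode Name", ""),
               ]

class FILE_ENTRY(ITEMPOS):
    """File-entry shell item; same fields as ITEMPOS with its own formatting."""

    def get_file_attrs(self):
        """Return the abbreviations of all FILE_ATTRS bits set in FileAttrs, comma separated.

        Unlike ITEMPOS.get_file_attrs there is no check on Size first.
        """
        fileattrs = ""
        for f in FILE_ATTRS:
            if self.Attributes.FileAttrs & f == f:
                fileattrs += FILE_ATTRS[f] + ", "
        fileattrs = fileattrs.rstrip(", ")
        return fileattrs

    def body(self, details):
        """Return this entry as one line of pipe-delimited bodyfile output.

        Same layout as ITEMPOS.body, labelled FILE_ENTRY.
        """
        # Values recovered from the image must not be able to add or move
        # fields: "|" is written as %7c, matching _VOLUSER_ASSIST_TYPES.body.
        name = str(self.Attributes.UnicodeFilename).replace("|", "%7c")
        details = "{0}".format(details).replace("|", "%7c")
        return "0|[{6}SHELLBAGS FILE_ENTRY] Name: {3}/Attrs: {4}/{5}|0|---------------|0|0|0|{0}|{1}|{2}|{2}\n".format(
            self.Attributes.AccessDate.v(),
            self.Attributes.ModifiedDate.v(),
            self.Attributes.CreatedDate.v(),
            name,
            self.get_file_attrs(),
            details,
            self.obj_vm._config.MACHINE)

    def __str__(self):
        """Format the entry as one fixed-width row; the path column is added by the caller."""
        return "{0:<14} {1:30} {2:30} {3:30} {4:25}".format(self.Attributes.FileName,
                    str(self.Attributes.ModifiedDate),
                    str(self.Attributes.CreatedDate),
                    str(self.Attributes.AccessDate),
                    self.get_file_attrs())

    def get_items(self):
        """Return the displayed fields as a dict of strings (no "Unicode" key)."""
        items = {}
        items["FileName"] = str(self.Attributes.FileName)
        items["Modified"] = str(self.Attributes.ModifiedDate)
        items["Create"] = str(self.Attributes.CreatedDate)
        items["Access"] = str(self.Attributes.AccessDate)
        items["Attributes"] = self.get_file_attrs()
        return items

    def get_header(self):
        """Return the (title, format spec) pairs for the text table."""
        return [("File Name", "14s"),
                ("Modified Date", "30"),
                ("Create Date", "30"),
                ("Access Date", "30"),
                ("File Attr", "25"),
                ("Path", ""),
               ]

class FOLDER_ENTRY(obj.CType):
    """Folder shell item identified by a GUID and a Flags byte."""

    def get_folders(self):
        """Return the FOLDER_IDS names whose key passes the mask test against Flags."""
        # NOTE(review): FOLDER_IDS contains the key 0x00, and (Flags & 0) == 0
        # holds for every value, so "EXPLORER" is part of every result. The
        # other keys are tested as bit masks as well; confirm whether Flags is
        # meant to be matched as a whole value instead.
        folder_ids = ""
        for f in FOLDER_IDS:
            if self.Flags & f == f:
                folder_ids += FOLDER_IDS[f] + ", "
        folder_ids = folder_ids.rstrip(", ")
        return folder_ids

    def __str__(self):
        """Format the entry with its GUID, the KNOWN_GUIDS description and folder names."""
        return "{0:<14} {1:40} {2:20} {3}".format("Folder Entry",
                    str(self.GUID),
                    KNOWN_GUIDS.get(str(self.GUID), "Unknown GUID"),
                    self.get_folders())

    def get_header(self):
        """Return the (title, format spec) pairs for the text table."""
        return [("Entry Type", "14s"),
                ("GUID", "40"),
                ("GUID Description", "20"),
                ("Folder IDs", ""),
               ]

class _VOLUSER_ASSIST_TYPES(obj.CType):
    """UserAssist record; the available fields depend on which layout the profile defines."""

    def get_header(self):
        """Return the column list for whichever field set this structure has."""
        if hasattr(self, "Count") and hasattr(self, "FocusCount"):
            return [("Entry Type", "14s"),
                    ("Count", "5"),
                    ("Focus Count", "5"),
                    ("Time Focused", "20"),
                    ("Last Update", ""),
                   ]
        else:
            return [("Entry Type", "14s"),
                    ("ID", "10"),
                    ("Count", "10"),
                    ("Last Update", ""),
                   ]

    def __str__(self):
        """Format the record as one row, using Count/FocusCount when present, else ID/CountStartingAtFive."""
        if hasattr(self, "Count") and hasattr(self, "FocusCount"):
            return "{0:<14} {1:5} {2:5} {3:20} {4}".format("UserAssist",
                        self.Count,
                        self.FocusCount,
                        self.FocusTime,
                        self.LastUpdated)
        else:
            return "{0:<14} {1:5} {2:5} {3}".format("UserAssist",
                        self.ID,
                        self.CountStartingAtFive,
                        self.LastUpdated)

    def body(self, reg, key, subname, lastwrite):
        """Return the record as one bodyfile line; fields the structure lacks stay "N/A"."""
        ID = "N/A"
        count = "N/A"
        fc = "N/A"
        tf = "N/A"
        if hasattr(self, "ID"):
            ID = "{0}".format(self.ID)
        if hasattr(self, "Count"):
            count = "{0}".format(self.Count)
        else:
            # Values of 5 and above have 5 subtracted; smaller values are shown as stored.
            count = "{0}".format(self.CountStartingAtFive if self.CountStartingAtFive < 5 else self.CountStartingAtFive - 5)
        if hasattr(self, "FocusCount"):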
seconds = (self.FocusTime + 500) / 1000.0 time = datetime.timedelta(seconds = seconds) if seconds > 0 else self.FocusTime fc = "{0}".format(self.FocusCount) tf = "{0}".format(time) subname = subname.replace("|", "%7c") return "0|[SHELLBAGS USERASSIST] Registry: {1}/Key: {7}/Value: {2}/LW: {8}/ID: {3}/Count: {4}/FocusCount: {5}/TimeFocused: {6}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format( self.LastUpdated.v(), reg, subname, ID, count, fc, tf, key, lastwrite) class CONTROL_PANEL(FOLDER_ENTRY): def __str__(self): return "{0:<14} {1:40} {2:20} {3}".format("Control Panel", str(self.GUID), KNOWN_GUIDS.get(str(self.GUID), "Unknown GUID"), self.get_folders()) # taken from http://code.google.com/p/registrydecoder/source/browse/trunk/templates/template_files/ShellBagMRU.py#388 class UNKNOWN_00(FOLDER_ENTRY): def __str__(self): if self.DataSize == 0x1a: return "{0:<14} {1:40} {2:20} {3}".format("Folder", str(self.GUID), KNOWN_GUIDS.get(str(self.GUID), "Unknown GUID"), self.get_folders()) #elif self.DataSize in [0xa4, 0xb4, 0x7a, 0xc4, 0x9a, 0x30]: # TODO: this is not clear yet # return "{0:<14} {1:40} {2:20} {3}".format("Device Property", # str(self.Name), "", "") # TODO: fix this for other types like "AugM" and 1SPS else: return "{0:<14} {1:40} {2:20} {3}".format("Folder (unsupported)", "This property is not yet supported", "", "") class VOLUME_NAME(obj.CType): def __str__(self): return "{0:14} {1}".format("Volume Name", self.Name) def get_header(self): return [("Entry Type", "14s"), ("Path", ""), ] class NETWORK_VOLUME_NAME(obj.CType): def get_flags(self): flags = "" for f in FLAGS: if self.Flags & f == f: flags += FLAGS[f] + ", " flags = flags.rstrip(", ") return flags def __str__(self): return "{0:25} {1:20} {2} |".format("Network Volume Name", self.Description, self.Name) def get_header(self): return [("Entry Type", "25s"), ("Description", "20"), ("Name | Full Path", ""), ] class NETWORK_SHARE(NETWORK_VOLUME_NAME): def __str__(self): return "{0:25} {1:20} 
{2}".format("Network Volume Share", self.Description, self.Name) ##### End Type Overrides ##### class NullString(basic.String): def __str__(self): result = self.obj_vm.zread(self.obj_offset, self.length).split("\x00\x00")[0].replace("\x00", "") if not result: result = "" return result def v(self): result = self.obj_vm.zread(self.obj_offset, self.length).split("\x00\x00")[0].replace("\x00", "") if not result: return obj.NoneObject("Cannot read string length {0} at {1:#x}".format(self.length, self.obj_offset)) return result shell_item_types = { 'SHELLITEM': [ None, { 'Size' : [ 0x0, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], # SHELL_ITEM_TYPES } ], 'FOLDER_ENTRY': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], # FOLDER_IDS 'GUID': [ 0x4, ['_GUID']], } ], 'VOLUME_NAME': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Name': [ 0x3, ['String', dict(length = 22)]], } ], 'NETWORK_VOLUME_NAME': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x4, ['unsigned char']], 'Name': [ 0x5, ['String', dict(length = 255)]], 'Description': [ lambda x: x.Name.obj_offset + len(x.Name), ['String', dict(length = 4096)]], } ], 'URI': [ None, { 'Flags': [ 0x3, ['unsigned char']], 'UString': [ 0x8, ['String', dict(length = 4096)]], # other stuff here not filled in... } ], 'CONTROL_PANEL': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], 'GUID': [ 0xe, ['_GUID']], } ], 'NETWORK_SHARE': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x4, ['unsigned char']], 'Name': [ 0x5, ['String', dict(length = 255)]], 'Description': [ lambda x: x.Name.obj_offset + len(x.Name), ['String', dict(length = 4096)]], } ], # These "OTHER" types are really not clear yet... 
'UNKNOWN_00': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], 'DataSize': [ 0x4, ['unsigned short']], #size of the following data 'FolderAugM': [ 0x4, ['String', dict(length = 4)]], 'PropertyList': [ 0xa, ['unsigned short']], 'IdentifierSize': [ 0xc, ['unsigned short']], 'GUID': [ 0xe, ['_GUID']], #'NameLength': [ 0x42, ['unsigned short']], # size of following data #'Name': [ 0x4a, ['String', dict(length = lambda x: x.NameLength * 2)]], } ], 'UNKNOWN_01': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], 'Unknown': [ 0x4, ['unsigned int']], } ], 'UNKNOWN_2E': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], 'GUID': [ 0x4, ['_GUID']], } ], 'UNKNOWN_74': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], 'Attributes' : [12, ['ATTRIBUTES']], } ], } itempos_types_XP = { 'ATTRIBUTES': [ None, { 'ModifiedDate': [ 0x0, ['DosDate', dict(is_utc = True)]], 'FileAttrs': [ 0x4, ['unsigned short']], 'FileName': [ 0x6, ['String', dict(length = 255)]], # 8.3 File name although sometimes it's longer than 14 chars 'FDataSize': [ lambda x: x.FileName.obj_offset + len(x.FileName) + (1 if len(x.FileName) % 2 == 1 else 2), ['unsigned short']], 'EVersion': [ lambda x: x.FDataSize.obj_offset + 2, ['unsigned short']], 'Unknown1': [ lambda x: x.EVersion.obj_offset + 2, ['unsigned short']], 'Unknown2': [ lambda x: x.Unknown1.obj_offset + 2, ['unsigned short']], # 0xBEEF 'CreatedDate': [ lambda x: x.Unknown2.obj_offset + 2, ['DosDate', dict(is_utc = True)]], 'AccessDate': [ lambda x: x.CreatedDate.obj_offset + 4, ['DosDate', dict(is_utc = True)]], 'Unknown3': [ lambda x: x.AccessDate.obj_offset + 4, ['unsigned int']], 'UnicodeFilename': [ lambda x: x.Unknown3.obj_offset + 4, ['NullString', dict(length = 4096, encoding = 'utf8')]], } ], 'ITEMPOS' : [ None, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'FileSize' : [ 0x4, ['short']], 
'Attributes' : [ 0x8, ['ATTRIBUTES']], } ], 'FILE_ENTRY': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], # Type: 0x31, 0x32, 0xb1 'Flags': [ 0x3, ['unsigned char']], 'FileSize': [ 0x4, ['int']], 'Attributes' : [ 0x8, ['ATTRIBUTES']], } ], } class ShellBagsTypesXP(obj.ProfileModification): before = ['WindowsObjectClasses'] conditions = {'os': lambda x: x == 'windows', 'major': lambda x: x == 5} def modification(self, profile): profile.object_classes.update({ 'NullString': NullString, '_GUID':_GUID, 'ITEMPOS':ITEMPOS, 'FILE_ENTRY':FILE_ENTRY, 'FOLDER_ENTRY':FOLDER_ENTRY, 'CONTROL_PANEL':CONTROL_PANEL, 'VOLUME_NAME':VOLUME_NAME, 'NETWORK_VOLUME_NAME':NETWORK_VOLUME_NAME, 'NETWORK_SHARE':NETWORK_SHARE, 'UNKNOWN_00':UNKNOWN_00, '_VOLUSER_ASSIST_TYPES':_VOLUSER_ASSIST_TYPES, }) profile.vtypes.update(shell_item_types) profile.vtypes.update(itempos_types_XP) itempos_types_Vista = { 'ATTRIBUTES' : [ None, { 'ModifiedDate': [ 0x0, ['DosDate', dict(is_utc = True)]], 'FileAttrs': [ 0x4, ['unsigned short']], 'FileName': [ 0x6, ['String', dict(length = 255)]], 'FDataSize': [ lambda x: x.FileName.obj_offset + len(x.FileName) + (1 if len(x.FileName) % 2 == 1 else 2), ['unsigned short']], 'EVersion': [ lambda x: x.FDataSize.obj_offset + 2, ['unsigned short']], 'Unknown1': [ lambda x: x.EVersion.obj_offset + 2, ['unsigned short']], 'Unknown2': [ lambda x: x.Unknown1.obj_offset + 2, ['unsigned short']], # 0xBEEF 'CreatedDate': [ lambda x: x.Unknown2.obj_offset + 2, ['DosDate', dict(is_utc = True)]], 'AccessDate': [ lambda x: x.CreatedDate.obj_offset + 4, ['DosDate', dict(is_utc = True)]], 'Unknown3': [ lambda x: x.AccessDate.obj_offset + 4, ['unsigned int']], 'FileReference': [ lambda x: x.Unknown3.obj_offset + 4, ['unsigned long long']], #MFT entry index 0-6, Sequence number 6-7 'Unknown4': [ lambda x: x.FileReference.obj_offset + 8, ['unsigned long long']], 'LongStringSize': [ lambda x: x.Unknown4.obj_offset + 8, ['unsigned short']], 'UnicodeFilename': [ lambda x: 
x.LongStringSize.obj_offset + 2, ['NullString', dict(length = 4096, encoding = 'utf8')]], 'AdditionalLongString': [ lambda x: x.UnicodeFilename.obj_offset + len(x.UnicodeFilename), ['NullString', dict(length = (lambda k: k.LongStringSize), encoding = 'utf8')]], } ], 'ITEMPOS' : [ None, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'FileSize' : [ 0x4, ['short']], 'Attributes' : [ 0x8, ['ATTRIBUTES']], } ], 'FILE_ENTRY': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], # Type: 0x31, 0x32, 0xb1 'Flags': [ 0x3, ['unsigned char']], 'FileSize': [ 0x4, ['int']], 'Attributes' : [ 0x8, ['ATTRIBUTES']], } ], } class ShellBagsTypesVista(obj.ProfileModification): before = ['WindowsObjectClasses'] conditions = {'os': lambda x: x == 'windows', 'major': lambda x: x == 6, 'minor': lambda x: x == 0} def modification(self, profile): profile.object_classes.update({ 'NullString': NullString, '_GUID':_GUID, 'ITEMPOS':ITEMPOS, 'FILE_ENTRY':FILE_ENTRY, 'FOLDER_ENTRY':FOLDER_ENTRY, 'CONTROL_PANEL':CONTROL_PANEL, 'VOLUME_NAME':VOLUME_NAME, 'NETWORK_VOLUME_NAME':NETWORK_VOLUME_NAME, 'NETWORK_SHARE':NETWORK_SHARE, 'UNKNOWN_00':UNKNOWN_00, '_VOLUSER_ASSIST_TYPES':_VOLUSER_ASSIST_TYPES, }) profile.vtypes.update(shell_item_types) profile.vtypes.update(itempos_types_Vista) itempos_types_Win7 = { 'ATTRIBUTES': [ None, { 'ModifiedDate': [ 0x0, ['DosDate', dict(is_utc = True)]], 'FileAttrs': [ 0x4, ['unsigned short']], 'FileName': [ 0x6, ['String', dict(length = 255)]], 'FDataSize': [ lambda x: x.FileName.obj_offset + len(x.FileName) + (1 if len(x.FileName) % 2 == 1 else 2), ['unsigned short']], 'EVersion': [ lambda x: x.FDataSize.obj_offset + 2, ['unsigned short']], 'Unknown1': [ lambda x: x.EVersion.obj_offset + 2, ['unsigned short']], 'Unknown2': [ lambda x: x.Unknown1.obj_offset + 2, ['unsigned short']], # 0xBEEF 'CreatedDate': [ lambda x: x.Unknown2.obj_offset + 2, ['DosDate', dict(is_utc = True)]], 'AccessDate': [ lambda x: x.CreatedDate.obj_offset + 4, ['DosDate', 
dict(is_utc = True)]],
        'Unknown3': [ lambda x: x.AccessDate.obj_offset + 4, ['unsigned int']],
        'FileReference': [ lambda x: x.Unknown3.obj_offset + 4, ['unsigned long long']], #MFT entry index 0-6, Sequence number 6-7
        'Unknown4': [ lambda x: x.FileReference.obj_offset + 8, ['unsigned long long']],
        'LongStringSize': [ lambda x: x.Unknown4.obj_offset + 8, ['unsigned short']],
        'Unknown5': [ lambda x: x.LongStringSize.obj_offset + 2, ['unsigned int']],
        'UnicodeFilename': [ lambda x: x.Unknown5.obj_offset + 4, ['NullString', dict(length = 4096, encoding = 'utf8')]],
        'AdditionalLongString': [ lambda x: x.UnicodeFilename.obj_offset + len(x.UnicodeFilename), ['NullString', dict(length = (lambda k: k.LongStringSize), encoding = 'utf8')]],
    } ],
    'ITEMPOS' : [ None, {
        'Size' : [ 0x0, ['unsigned short']],
        'Flags' : [ 0x2, ['unsigned short']],
        'FileSize' : [ 0x4, ['short']],
        'Attributes' : [ 0x8, ['ATTRIBUTES']],
    } ],
    'FILE_ENTRY': [ None, {
        'ShellItem': [ 0x0, ['SHELLITEM']], # Type: 0x31, 0x32, 0xb1
        'Flags': [ 0x3, ['unsigned char']],
        'FileSize': [ 0x4, ['int']],
        'Attributes' : [ 0x8, ['ATTRIBUTES']],
    } ],
}

class ShellBagsTypesWin7(obj.ProfileModification):
    """Registers the shellbag classes and vtypes for Windows profiles with major 6 and minor >= 1."""
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 1}

    def modification(self, profile):
        """Add the object classes, shell_item_types and itempos_types_Win7 to profile."""
        profile.object_classes.update({
            'NullString': NullString,
            '_GUID':_GUID,
            'ITEMPOS':ITEMPOS,
            'FILE_ENTRY':FILE_ENTRY,
            'FOLDER_ENTRY':FOLDER_ENTRY,
            'CONTROL_PANEL':CONTROL_PANEL,
            'VOLUME_NAME':VOLUME_NAME,
            'NETWORK_VOLUME_NAME':NETWORK_VOLUME_NAME,
            'NETWORK_SHARE':NETWORK_SHARE,
            'UNKNOWN_00':UNKNOWN_00,
            '_VOLUSER_ASSIST_TYPES':_VOLUSER_ASSIST_TYPES,
        })
        profile.vtypes.update(shell_item_types)
        profile.vtypes.update(itempos_types_Win7)

class ShellBags(common.AbstractWindowsCommand):
    """Prints ShellBags info"""
    def __init__(self, config, *args, **kwargs):
        """Register the MACHINE option and set up the per-run state."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option("MACHINE", default = "",
                          help = "Machine name to add to timeline header")
        # Shell item type names that parse_key keeps.
        self.supported = ["FILE_ENTRY", "FOLDER_ENTRY", "CONTROL_PANEL", "VOLUME_NAME",
                          "NETWORK_VOLUME_NAME", "NETWORK_SHARE", "UNKNOWN_00"]
        # "reg:key:value" -> name recovered for that value; written by
        # parse_key, read by build_path.
        self.paths = {}

    def rreplace(self, s, old, new, occurrence):
        """Replace the last `occurrence` occurrences of old in s with new."""
        li = s.rsplit(old, occurrence)
        return new.join(li)

    def parse_key(self, regapi, reg, thekey, given_root = None):
        """Decode the REG_BINARY values of one key into shellbag objects.

        Returns a dict indexed by value name. Names starting with "ItemPos"
        map to a list of ITEMPOS objects, "MruListEx" maps to a dict from each
        entry to its position in the value, and any other value of at least
        0x10 bytes whose type byte is in SHELL_ITEM_TYPES and whose type name
        is in self.supported maps to a one-element list. For those last values
        the recovered name is also stored in self.paths.

        Every size and offset used below is read from the value data itself,
        which comes from the memory image being analysed.

        NOTE(review): the block nesting below was reconstructed from a listing
        that had lost its indentation - confirm against the upstream file.
        """
        items = {} # a dictionary of shellbag objects indexed by value name
        for value, data in regapi.reg_yield_values(None, thekey, thetype = 'REG_BINARY', given_root = given_root):
            # Skipped: unreadable data, key paths containing "S-" or
            # "cmi-create", and LastKnownState* values.
            if data == None or thekey.find("S-") != -1 or str(value).startswith("LastKnownState") or thekey.lower().find("cmi-create") != -1:
                continue
            if str(value).startswith("ItemPos"):
                items[str(value)] = []
                bufferas = addrspace.BufferAddressSpace(self._config, data = data)
                # Records start at 0x18; the step is the record's own Size
                # field plus 8, so the stride is controlled by the data.
                i = 0x18
                while i < len(data) - 0x10:
                    item = obj.Object("ITEMPOS", offset = i, vm = bufferas)
                    if item != None and item.Size >= 0x15:
                        items[str(value)].append(item)
                    i += item.Size + 0x8
            elif str(value).lower().startswith("mrulistex"):
                # NOTE(review): this local shadows the builtin list.
                list = {}
                bufferas = addrspace.BufferAddressSpace(self._config, data = data)
                i = 0
                while i < len(data) - 4:
                    # entry value -> index of the entry within the value
                    list[obj.Object("int", offset = i, vm = bufferas).v()] = (i / 4)
                    i += 4
                items["MruListEx"] = list
            elif len(data) >= 0x10:
                bufferas = addrspace.BufferAddressSpace(self._config, data = data)
                item = obj.Object("SHELLITEM", offset = 0, vm = bufferas)
                thetype = SHELL_ITEM_TYPES.get(int(item.Type), None)
                if thetype != None:
                    if thetype == "UNKNOWN_00" and len(data) == bufferas.profile.get_obj_size("_VOLUSER_ASSIST_TYPES"):
                        # this is UserAssist Data
                        item = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
                        try:
                            value = value.encode('rot_13')
                        except UnicodeDecodeError:
                            pass
                    else:
                        # NOTE(review): the shell item vtypes in this file
                        # declare their size as None. Confirm what
                        # get_obj_size returns for them: under Python 2 a None
                        # compares as smaller than any length, in which case
                        # this guard would never reject a short buffer.
                        if bufferas.profile.get_obj_size(thetype) > len(data):
                            continue
                        item = obj.Object(thetype, offset = 0, vm = bufferas)
                    if hasattr(item, "DataSize") and item.DataSize <= 0:
                        continue
                    if thetype in self.supported:
                        temp = ""
                        if hasattr(item, "Attributes"):
                            temp = str(item.Attributes.UnicodeFilename)
                        elif hasattr(item, "Name"):
                            temp = str(item.Name)
                        self.paths[reg + ":" + thekey + ":" + str(value)] = temp
                        items[str(value)] = []
                        items[str(value)].append(item)
        return items

    def calculate(self):
        """Collect shellbag items from every ntuser.dat (and UsrClass.dat) hive.

        Returns a list of (key path, hive path, key object, items) tuples, one
        per key for which parse_key returned something. BAG_KEYS are walked in
        the hives selected as 'ntuser.dat'; USERDAT_KEYS in 'UsrClass.dat' are
        walked only when the profile version is (6, 0) or later.

        NOTE(review): the block nesting below was reconstructed from a listing
        that had lost its indentation - confirm against the upstream file.
        """
        addr_space = utils.load_as(self._config)
        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))

        # A non-empty MACHINE gets a trailing space so it can be prefixed
        # directly to the bodyfile label.
        if self._config.MACHINE != "":
            self._config.update("MACHINE", "{0} ".format(self._config.MACHINE))

        #set our current registry of interest and get its path
        regapi = registryapi.RegistryApi(self._config)
        regapi.reset_current()
        #scan for registries and populate them:
        print "Scanning for registries...."
        regapi.set_current('ntuser.dat')
        shellbag_data = []

        print "Gathering shellbag items and building path tree..."
        seen = {}
        for bk in BAG_KEYS:
            for cat, current_path in regapi.reg_yield_key("ntuser.dat", bk):
                keys = [(k, bk + "\\" + k.Name) for k in regapi.reg_get_all_subkeys("ntuser.dat", key = None, given_root = cat)]
                # keys grows while it is iterated (subkeys are appended below),
                # so seen is the only guard against visiting a key twice.
                for key, start in keys:
                    if key.Name:
                        # NOTE(review): the loop variables are key and start; k
                        # is whatever the comprehension above or the inner for
                        # loop last bound, not the key being visited. The
                        # stored obj_offset is never compared either. If this
                        # is meant to stop revisits (for example a key
                        # structure that refers back to itself in a damaged
                        # image), it should be keyed on the visited key, e.g.
                        # the hive plus key.obj_offset - confirm the intent.
                        if seen.get(start + "\\" + k.Name, None) != None:
                            continue
                        seen[start + "\\" + k.Name] = key.obj_offset
                        subkeys = [k for k in regapi.reg_get_all_subkeys("ntuser.dat", key = None, given_root = key)]
                        for k in subkeys:
                            keys.append((k, start + "\\" + k.Name))
                        items = self.parse_key(regapi, current_path, start, given_root = key)
                        if len(items) > 0:
                            shellbag_data.append((start, current_path, key, items))

        if version >= (6, 0):
            regapi.reset_current()
            regapi.set_current("UsrClass.dat")
            seen = {}
            for bk in USERDAT_KEYS:
                for cat, current_path in regapi.reg_yield_key("UsrClass.dat", bk):
                    keys = [(k, bk + "\\" + k.Name) for k in regapi.reg_get_all_subkeys("UsrClass.dat", key = None, given_root = cat)]
                    for key, start in keys:
                        if key.Name:
                            # NOTE(review): same stale k as in the ntuser.dat walk above.
                            if seen.get(start + "\\" + k.Name, None) != None:
                                continue
                            seen[start + "\\" + k.Name] = key.obj_offset
                            subkeys = [k for k in regapi.reg_get_all_subkeys("UsrClass.dat", key = None, given_root = key)]
                            for k in subkeys:
                                keys.append((k, start + "\\" + k.Name))
                            items = self.parse_key(regapi, current_path, start, given_root = key)
                            if len(items) > 0:
                                shellbag_data.append((start, current_path, key, items))
        return shellbag_data

    def build_path(self, reg, key, item):
        """Rebuild the full path of item by prepending the names stored for its parent keys.

        Starts from the item's UnicodeFilename (or Name) and walks key upwards
        one component at a time, looking each level up in self.paths; stops at
        the first level with no stored name. Returns "" for items that have
        neither Attributes nor Name.
        """
        path = ""
        if hasattr(item, "Attributes"):
            path = str(item.Attributes.UnicodeFilename)
        elif hasattr(item, "Name"):
            path = str(item.Name)
        else:
            return path
        while key != "":
            # parent is key with its last "\component" removed
            parent = self.rreplace(key, "\\" + key.split("\\")[-1], "", 1)
            prev = self.paths.get(reg + ":" + parent + ":" + key.split("\\")[-1], "")
            if prev == "":
                break
            path = prev + "\\" + path
            key = parent
        return path

    def render_body(self, outfd, data):
        """Write ITEMPOS, FILE_ENTRY and UserAssist items to outfd as bodyfile lines."""
        for name, reg, key, items in data:
            for item in items:
                if item == "MruListEx":
                    continue
                for shell in items[item]:
                    if type(shell) == ITEMPOS or type(shell) == FILE_ENTRY:
                        # full_path, reg and name are values recovered from the
                        # image and are passed to body() unmodified here.
                        full_path = self.build_path(reg, name, shell).replace("\\\\", "\\")
                        outfd.write("{0}".format(shell.body("FullPath: {0}/Registry: {1}/Key: {2}/LW: {3}".format(full_path, reg, name, str(key.LastWriteTime)))))
                    elif type(shell) == _VOLUSER_ASSIST_TYPES:
                        outfd.write("{0}".format(shell.body(reg, name, item, str(key.LastWriteTime))))

    def unified_output(self, data):
        """Return a TreeGrid of string columns fed by generator()."""
        return TreeGrid([("Registry", str),
                         ("Key", str),
                         ("LastWrite", str),
                         ("FileName", str),
                         ("Create", str),
                         ("Access", str),
                         ("Attributes", str),
                         ("Unicode", str),
                         ("Path", str),
                        ], self.generator(data))

    def generator(self, data):
        """Yield one row per ITEMPOS or FILE_ENTRY item; other item types produce no row."""
        for name, reg, key, items in data:
            if not key:
                continue
            for item in items:
                if item == "MruListEx":
                    continue
                for shell in items[item]:
                    full_path = ""
                    if type(shell) == ITEMPOS or type(shell) == FILE_ENTRY:
                        full_path = self.build_path(reg, name, shell).replace("\\\\", "\\")
                        things = shell.get_items()
                        yield (0, [str(reg),
                                   str(name),
                                   str(key.LastWriteTime),
                                   things.get("FileName", ""),
                                   things.get("Create", ""),
                                   things.get("Access", ""),
                                   things.get("Attributes", ""),
                                   things.get("Unicode", ""),
                                   str(full_path)])

    def render_text(self, outfd, data):
        border = "*" * 75
        for name, reg, key, items in
data: if not key: continue first = True mru = items.get("MruListEx", None) mruheader = [("Value", "7"), ("Mru", "5")] if mru else [("Value", "25")] for item in items: if item == "MruListEx": continue for shell in items[item]: full_path = "" if type(shell) != ITEMPOS and type(shell) != VOLUME_NAME: full_path = self.build_path(reg, name, shell).replace("\\\\", "\\") if first: outfd.write(border + "\n") outfd.write("Registry: " + reg + "\n") outfd.write("Key: " + name + "\n") outfd.write("Last updated: {0}\n".format(key.LastWriteTime)) curheader = shell.get_header() self.table_header(outfd, mruheader + curheader) first = False if curheader != shell.get_header(): curheader = shell.get_header() outfd.write("\n") self.table_header(outfd, mruheader + curheader) if mru: outfd.write("{0:7} {1:<5} {2} {3}\n".format(item, mru[int(item)], str(shell), full_path)) else: outfd.write("{0:25} {1} {2}\n".format(item, str(shell), full_path)) if not first: outfd.write(border + "\n\n") volatility_2.6+git20170711.b3db0cc/volatility/plugins/registry/registryapi.py0000644000000000000000000003064413131215405025611 0ustar rootroot# Volatility # Copyright (C) 2008-2013 Volatility Foundation # Copyright (C) 2011 Jamie Levy (Gleeda) # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
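#

"""
@author:       Jamie Levy (Gleeda)
@license:      GNU General Public License 2.0
@contact:      jamie@memoryanalysis.net
@organization: Volatility Foundation
"""

import volatility.utils as utils
import volatility.win32.hive as hivemod
import volatility.win32.rawreg as rawreg
import volatility.win32.hashdump as hashdump
import volatility.utils as utils
import volatility.plugins.registry.hivelist as hl
from heapq import nlargest

class RegistryApi(object):
    """A wrapper for several frequently used Registry functions.

    ``all_offsets`` maps every valid hive offset found by the hivelist
    plugin to the hive's name; ``current_offsets`` holds the subset chosen
    by set_current().  Everything returned by this class is parsed out of
    the memory image being analysed, so key names, parent pointers and
    value data are untrusted input for the caller.

    NOTE(review): comparisons against None are written with ``==``/``!=``
    throughout and are deliberately left that way; objects produced by the
    framework may compare equal to None without being the None singleton --
    confirm before converting any of them to ``is``/``is not``.
    """

    def __init__(self, config):
        """Load the address space described by config and cache all hive offsets."""
        self._config = config
        self.addr_space = utils.load_as(self._config)
        self.all_offsets = {}
        self.current_offsets = {}
        self.populate_offsets()

    def print_offsets(self):
        '''
        Debugging aid: print every known hive offset with its name, then
        the offsets currently selected by set_current().
        '''
        for item in self.all_offsets:
            print "0x{0:x}".format(item), self.all_offsets[item]
        for item in self.current_offsets:
            print 'current', "0x{0:x}".format(item), self.current_offsets[item]

    def populate_offsets(self):
        '''
        Get all hive offsets so we don't have to scan again.

        Fills self.all_offsets (offset -> hive name) with every hive that
        reports itself valid; duplicates by offset are recorded once.
        '''
        hive_offsets = []
        hiveroot = hl.HiveList(self._config).calculate()

        for hive in hiveroot:
            if hive.is_valid() and hive.obj_offset not in hive_offsets:
                hive_offsets.append(hive.obj_offset)
                self.all_offsets[hive.obj_offset] = hive.get_name()

    def reg_get_currentcontrolset(self, fullname = True):
        '''
        Get the CurrentControlSet from the first hive whose name ends in
        "\\system".

        With fullname True (the default) the result is the string
        "ControlSet00{#}" so it can be prepended to a key path; with
        fullname False only the value returned by
        hashdump.find_control_set() is returned.

        Returns None if no matching hive is known, so verify before using.
        '''
        for offset in self.all_offsets:
            # The trailing space lets "\\system " match only when it is
            # followed by a space, i.e. normally the end of the hive name.
            name = self.all_offsets[offset] + " "
            if name.lower().find("\\system ") != -1:
                sysaddr = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
                if fullname:
                    return "ControlSet00{0}".format(hashdump.find_control_set(sysaddr))
                else:
                    return hashdump.find_control_set(sysaddr)
        return None

    def set_current(self, hive_name = None, user = None):
        '''
        Select the hives that fit the given criteria and remember their
        offsets in self.current_offsets so we don't have to scan again.
        The selection can be cleared with reset_current() if the context
        changes.

        Matching is a case-insensitive substring test on the hive name
        recorded in the memory image:
          - no hive_name and no user: every known hive
          - user given: that user's NTUSER.DAT
          - hive_name "hklm": SECURITY, SYSTEM, SOFTWARE and SAM
          - any other hive_name (and no user): hives whose name ends in it
        Entries are added to the current selection; nothing is removed.
        '''
        for item in self.all_offsets:
            # Stored with a trailing space; the patterns below rely on it
            name = self.all_offsets[item] + " "
            if user == None and hive_name == None:
                #no particular preference: all hives
                self.current_offsets[item] = name
            elif user != None and name.lower().find('\\' + user.lower() + '\\') != -1 and name.lower().find("\\" + "ntuser.dat ") != -1:
                #user's NTUSER.DAT hive
                self.current_offsets[item] = name
            elif hive_name != None and hive_name.lower() == 'hklm' \
                and (name.lower().find("\\security ") != -1 or name.lower().find("\\system ") != -1 \
                or name.lower().find("\\software ") != -1 or name.lower().find("\\sam ") != -1):
                #any HKLM hive
                self.current_offsets[item] = name
            elif hive_name != None and name.lower().find("\\" + hive_name.lower() + " ") != -1 and user == None:
                #a particular hive indicated by hive_name
                if hive_name.lower() == "system" and name.lower().find("\\syscache.hve ") == -1:
                    self.current_offsets[item] = name
                elif hive_name.lower() != "system":
                    self.current_offsets[item] = name

    def reset_current(self):
        '''
        Clear the current hive selection; use this when switching to a
        different hive/user/context.
        '''
        self.current_offsets = {}

    def reg_get_key(self, hive_name, key, user = None, given_root = None):
        '''
        Returns a key from a requested hive; assumes this is from a single
        hive.  If more than one hive is selected, the first hive in which
        the key can be opened wins.

        hive_name and user are only used to make a selection when no hives
        are currently selected.  Returns None when key is empty or cannot
        be opened.
        '''
        if self.all_offsets == {}:
            self.populate_offsets()
        if self.current_offsets == {}:
            self.set_current(hive_name, user)
        if key:
            for offset in self.current_offsets:
                if given_root == None:
                    h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
                    root = rawreg.get_root(h)
                else:
                    root = given_root
                if root != None:
                    k = rawreg.open_key(root, key.split('\\'))
                    if k:
                        return k
        return None

    def reg_get_key_path(self, key):
        '''
        Takes in a key object and traverses back through its family to
        build the path.

        Parent pointers come from the memory image.  A corrupted or
        deliberately crafted hive can make the parent chain loop back on
        itself, so the walk stops as soon as an offset is seen twice
        instead of spinning forever.
        '''
        path = key.Name
        visited = set([key.obj_offset])
        while key.Parent and key.Parent & 0xffffffff > 0x20:
            key = key.Parent.dereference()
            if key.obj_offset in visited:
                # cyclic parent chain: return what has been built so far
                break
            visited.add(key.obj_offset)
            if utils.remove_unprintable(str(key.Name)) != "":
                path = "{0}\\{1}".format(key.Name, path)
        return path

    def reg_yield_key(self, hive_name, key, user = None, given_root = None):
        '''
        Use this function if you are collecting keys from more than one
        hive.  Yields (key object, hive name) for every selected hive in
        which the key can be opened.
        '''
        if self.all_offsets == {}:
            self.populate_offsets()
        if self.current_offsets == {}:
            self.set_current(hive_name, user)
        if key:
            for offset in self.current_offsets:
                name = self.current_offsets[offset]
                if given_root == None:
                    h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
                    root = rawreg.get_root(h)
                else:
                    root = given_root
                if root != None:
                    k = rawreg.open_key(root, key.split('\\'))
                    if k:
                        yield k, name

    def reg_enum_key(self, hive_name, key, user = None):
        '''
        Enumerates the requested key: yields the path string
        key + "\\" + subkey name for every named subkey.
        '''
        k = self.reg_get_key(hive_name, key, user)
        if k:
            for s in rawreg.subkeys(k):
                if s.Name:
                    item = key + '\\' + s.Name
                    yield item

    def reg_get_all_subkeys(self, hive_name, key, user = None, given_root = None):
        '''
        Enumerates the subkeys of the requested key and yields the subkey
        objects that have a name.  given_root, when supplied, is used as
        the key to enumerate and hive_name/key/user are ignored.
        '''
        if key or given_root:
            # user is forwarded so the hive selection honours it; it was
            # previously accepted by this method but never passed on.
            k = given_root if given_root != None else self.reg_get_key(hive_name, key, user = user)
            if k:
                for s in rawreg.subkeys(k):
                    if s.Name:
                        yield s

    def reg_yield_values(self, hive_name, key, thetype = None, given_root = None, raw = False):
        '''
        Yields all values for a requested registry key, optionally limited
        to one value type.  Each item is (value name, data), or
        (value object, data) when raw is True.
        '''
        if key or given_root:
            h = given_root if given_root != None else self.reg_get_key(hive_name, key)
            if h != None:
                for v in rawreg.values(h):
                    tp, dat = rawreg.value_data(v)
                    if thetype == None or tp == thetype:
                        if raw:
                            yield v, dat
                        else:
                            yield v.Name, dat

    def reg_get_value(self, hive_name, key, value, strcmp = None, given_root = None):
        '''
        Returns the requested value of a registry key.

        For REG_BINARY data, or when strcmp is None, the data is returned
        as read.  Otherwise the data is converted to a string, stripped of
        surrounding whitespace and NUL characters, and returned only if it
        equals strcmp.  Returns None when nothing matches.
        '''
        if value != None:
            if given_root == None and key != None:
                given_root = self.reg_get_key(hive_name, key)
            if given_root != None:
                for v in rawreg.values(given_root):
                    if value == v.Name:
                        tp, dat = rawreg.value_data(v)
                        if tp == 'REG_BINARY' or strcmp == None:
                            # We want raw data
                            return dat
                        else:
                            # This is a string comparison
                            dat = str(dat)
                            dat = dat.strip()
                            dat = ''.join([x for x in dat if ord(x) != 0])  #get rid of funky nulls for string comparison
                            if strcmp == dat:
                                return dat
        return None

    def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False):
        '''
        Enumerates all keys in the selected hives and yields them with
        their last write times.

        Items are (time, name), or (time, registry name, name) when reg is
        True.  time is the formatted LastWriteTime unless rawtime is True.
        When both start and end are given they are compared with str(time)
        as strings; a key is yielded only if both bounds are given and
        satisfied, or if neither is given.
        '''
        keys = []
        if self.all_offsets == {}:
            self.populate_offsets()
        if self.current_offsets == {}:
            self.set_current(hive_name, user)

        # Collect the root keys
        for offset in self.current_offsets:
            reg_name = self.current_offsets[offset]
            h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
            root = rawreg.get_root(h)
            if not root:
                pass
            else:
                time = "{0}".format(root.LastWriteTime) if not rawtime else root.LastWriteTime
                if reg:
                    if start and end and str(time) >= start and str(time) <= end:
                        yield (time, reg_name, root.Name)
                    elif start == None and end == None:
                        yield (time, reg_name, root.Name)
                else:
                    if start and end and str(time) >= start and str(time) <= end:
                        yield (time, root.Name)
                    elif start == None and end == None:
                        yield (time, root.Name)
                for s in rawreg.subkeys(root):
                    if reg:
                        keys.append([s, reg_name, root.Name + "\\" + s.Name])
                    else:
                        keys.append([s, root.Name + "\\" + s.Name])

        # Get subkeys.  ``keys`` grows while it is being iterated, which
        # turns the loops below into a breadth-first walk of each hive.
        if reg:
            for k, reg_name, name in keys:
                time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime
                if start and end and str(time) >= start and str(time) <= end:
                    yield (time, reg_name, name)
                elif start == None and end == None:
                    yield (time, reg_name, name)
                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        item = name + '\\' + s.Name
                        keys.append([s, reg_name, item])
        else:
            for k, name in keys:
                time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime
                if start and end and str(time) >= start and str(time) <= end:
                    yield (time, name)
                elif start == None and end == None:
                    yield (time, name)
                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        item = name + '\\' + s.Name
                        keys.append([s, item])

    def reg_get_last_modified(self, hive_name, count = 1, user = None, start = None, end = None, reg = False):
        '''
        Wrapper function using reg_get_all_keys: yields the ``count``
        entries with the largest last write time.

        These functions can take a WHILE since all subkeys have to be
        collected before you can compare lastwrite times.
        '''
        data = nlargest(count, self.reg_get_all_keys(hive_name, user, start, end, reg))
        if reg:
            for t, regname, name in data:
                yield (t, regname, name)
        else:
            for t, name in data:
                yield (t, name)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/dumpcerts.py0000644000000000000000000002531113131215405023400 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Authors:
# Michael Hale Ligh
#
# Contributors/References:
# ## Based on sslkeyfinder: http://www.trapkit.de/research/sslkeyfinder/
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .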
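#

import os, sys, subprocess
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.procdump as procdump
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.plugins.malware.malfind as malfind
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address, Bytes

try:
    import yara
    has_yara = True
except ImportError:
    has_yara = False

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _X509_PUBLIC_CERT(obj.CType):
    """Class for x509 public key certificates"""

    @property
    def Size(self):
        """
        The length (in bytes) recorded in the structure: a 16-bit value
        with Size1 as the high byte and Size2 as the low byte.
        """
        return (self.Size1 << 8 & 0xFFFF) + self.Size2

    def object_as_string(self):
        """
        Get the object's data as a string. In this case it is the
        certificate header and body: Size bytes plus the 4 bytes that
        precede them, read with zread from the object's address space.
        """
        return self.obj_vm.zread(self.obj_offset, self.Size + 4)

    def is_valid(self):
        """
        This implements the check described in sslfinder:
        http://www.trapkit.de/research/sslkeyfinder/

        The object must be valid as a CType and its Size must be below
        0xFFF.  This is only a plausibility filter on a signature hit;
        it does not prove that the bytes are a well-formed certificate.
        """
        if not obj.CType.is_valid(self):
            return False
        return self.Size < 0xFFF

    def as_openssl(self, file_name):
        """
        Represent this object as an openssl-parsed certificate.

        Since OpenSSL does not accept DERs from STDIN, we have to redirect
        it to a file first.  The command is passed as an argument list, so
        file_name is never interpreted by a shell.

        @param file_name: a file on disk where this object has been
        dumped. The caller should ensure that the file exists before
        calling this function.

        @returns: the text openssl wrote to stdout (stderr is discarded).
        """
        return subprocess.Popen(
            ['openssl', 'x509', '-in', file_name, '-inform', 'DER', '-text'],
            stdout = subprocess.PIPE, stderr = subprocess.PIPE
            ).communicate()[0]

class _PKCS_PRIVATE_CERT(_X509_PUBLIC_CERT):
    """Class for PKCS private key certificates"""

    def as_openssl(self, file_name):
        """
        Same contract as _X509_PUBLIC_CERT.as_openssl, but the file is
        parsed (and checked) as an RSA private key.
        """
        return subprocess.Popen(
            ['openssl', 'rsa', '-check', '-in', file_name, '-inform', 'DER', '-text'],
            stdout = subprocess.PIPE, stderr = subprocess.PIPE
            ).communicate()[0]

class SSLKeyModification(obj.ProfileModification):
    """Applies to all windows profiles (maybe linux?)"""

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        """Register the two certificate structures and their classes."""
        profile.vtypes.update({
            '_X509_PUBLIC_CERT': [ None, {
                'Size1': [ 0x2, ['unsigned char']],
                'Size2': [ 0x3, ['unsigned char']],
            }],
            '_PKCS_PRIVATE_CERT': [ None, {
                'Size1': [ 0x2, ['unsigned char']],
                'Size2': [ 0x3, ['unsigned char']],
            }],
        })
        profile.object_classes.update({
            '_X509_PUBLIC_CERT': _X509_PUBLIC_CERT,
            '_PKCS_PRIVATE_CERT': _PKCS_PRIVATE_CERT,
        })

# Inherit from ProcDump for access to the --dump-dir option
class DumpCerts(procdump.ProcDump):
    """Dump RSA private and public SSL keys"""

    # Wildcard signatures to scan for
    rules = {}
    if has_yara:
        rules = yara.compile(sources = {
            'x509' : 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
            'pkcs' : 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
        })

    # These signature names map to these data structures
    type_map = {
        'x509' : '_X509_PUBLIC_CERT',
        'pkcs' : '_PKCS_PRIVATE_CERT',
    }

    def __init__(self, config, *args, **kwargs):
        """Set up the ProcDump options, drop UNSAFE and add SSL/PHYSICAL."""
        procdump.ProcDump.__init__(self, config, *args, **kwargs)
        config.remove_option("UNSAFE")
        config.add_option("SSL", short_option = 's', default = False,
                          help = "Use OpenSSL for certificate parsing",
                          action = "store_true")
        config.add_option("PHYSICAL", short_option = 'P', default = False,
                          help = "Scan across physical space (in deallocated/freed storage)",
                          action = "store_true")

    def calculate(self):
        """
        Scan for certificate/key signatures and yield (process, cert) for
        every hit that passes is_valid().  process is None for hits found
        in physical space.
        """
        addr_space = utils.load_as(self._config)

        if not has_yara:
            debug.error("You must install yara to use this plugin")

        if not self._config.DUMP_DIR:
            debug.error("You must supply a --dump-dir parameter")

        if self._config.PHYSICAL:
            # Find the FileAddressSpace.  Stop when the stack of address
            # spaces runs out instead of dereferencing a missing base.
            phys_space = addr_space
            while phys_space and phys_space.__class__.__name__ != "FileAddressSpace":
                phys_space = phys_space.base
            if not phys_space:
                debug.error("Unable to find a FileAddressSpace to scan")
            scanner = malfind.DiscontigYaraScanner(address_space = phys_space,
                                                   rules = DumpCerts.rules)
            for hit, address in scanner.scan():
                cert = obj.Object(DumpCerts.type_map.get(hit.rule),
                                  vm = scanner.address_space,
                                  offset = address,
                                  )
                if cert.is_valid():
                    yield None, cert
        else:
            for process in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = malfind.VadYaraScanner(task = process, rules = DumpCerts.rules)
                for hit, address in scanner.scan():
                    cert = obj.Object(DumpCerts.type_map.get(hit.rule),
                                      vm = scanner.address_space,
                                      offset = address,
                                      )
                    if cert.is_valid():
                        yield process, cert

    def get_parsed_fields(self, openssl, fields = ["O", "OU"]):
        """
        Get fields from the parsed openssl output.

        The values come from data carved out of the memory image and
        should be handled as untrusted text by whatever displays them.

        @param openssl: the output of an openssl command

        @param fields: fields of the SSL public or private
        key certificate that you want to get.

        @returns: a tuple of the field found and the field value.
        """
        for line in openssl.split("\n"):
            if "Subject:" in line:
                # Keep everything after the label.  A fixed offset here
                # would cut into the first field name when the label is
                # followed by a single space; names are stripped below.
                line = line.split("Subject:", 1)[1]
                pairs = line.split(",")
                for pair in pairs:
                    try:
                        # split once so a value containing "=" is kept
                        val, var = pair.split("=", 1)
                    except ValueError:
                        continue
                    val = val.strip()
                    var = var.strip()
                    if val in fields:
                        yield (val, var)

    def _dump_cert(self, process, cert):
        """
        Write one carved object into the dump directory and, if --ssl was
        given, parse it with openssl.

        The file may hold private key material, so it is created with
        owner-only permissions where the platform supports them.  A file
        that already exists keeps the permissions it had.

        @returns: (file_name, parsed_subject)
        """
        if cert.obj_name == "_X509_PUBLIC_CERT":
            ext = ".crt"
        else:
            ext = ".key"

        # Names are built from numeric values only (pid and offset)
        if process:
            file_name = "{0}-{1:x}{2}".format(process.UniqueProcessId, cert.obj_offset, ext)
        else:
            file_name = "phys.{0:x}{1}".format(cert.obj_offset, ext)

        full_path = os.path.join(self._config.DUMP_DIR, file_name)

        # O_BINARY only exists on Windows; it keeps the bytes untranslated
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_BINARY", 0)
        fd = os.open(full_path, flags, 0o600)
        with os.fdopen(fd, "wb") as cert_file:
            cert_file.write(cert.object_as_string())

        parsed_subject = ""
        if self._config.SSL:
            openssl_string = cert.as_openssl(full_path)
            parsed_subject = '/'.join([v[1] for v in self.get_parsed_fields(openssl_string)])

        return file_name, parsed_subject

    def unified_output(self, data):
        """Describe the output columns and attach the row generator."""
        return TreeGrid([("Pid", int),
                         ("Process", str),
                         ("Address", Address),
                         ("Type", str),
                         ("Length", int),
                         ("File", str),
                         ("Subject", str),
                         ("Cert", Bytes)],
                        self.generator(data))

    def generator(self, data):
        """Dump every object to disk and yield one output row per object."""
        for process, cert in data:
            file_name, parsed_subject = self._dump_cert(process, cert)

            yield (0, [int(process.UniqueProcessId if process else -1),
                       str(process.ImageFileName if process else "-"),
                       Address(cert.obj_offset),
                       str(cert.obj_name),
                       int(cert.Size),
                       str(file_name),
                       str(parsed_subject),
                       Bytes(cert.object_as_string())])

    def render_text(self, outfd, data):
        """Dump every object to disk and print one table row per object."""
        self.table_header(outfd, [("Pid", "8"),
                                  ("Process", "16"),
                                  ("Address", "[addrpad]"),
                                  ("Type", "20"),
                                  ("Length", "8"),
                                  ("File", "24"),
                                  ("Subject", "")])

        for process, cert in data:
            file_name, parsed_subject = self._dump_cert(process, cert)

            self.table_row(outfd,
                           process.UniqueProcessId if process else "-",
                           process.ImageFileName if process else "-",
                           cert.obj_offset, cert.obj_name,
                           cert.Size, file_name, parsed_subject)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/moddump.py0000644000000000000000000001246113131215405023041 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# Additional Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .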
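#

import os
import re
from volatility import renderers
import volatility.plugins.procdump as procdump
import volatility.cache as cache
from volatility.renderers.basic import Address
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks
import volatility.utils as utils
import volatility.debug as debug

class ModDump(procdump.ProcDump):
    """Dump a kernel driver to an executable file sample"""

    def __init__(self, config, *args, **kwargs):
        """Set up the ProcDump options, then swap the process selectors
        (PID, OFFSET, NAME) for module selectors (REGEX, IGNORE-CASE, BASE)."""
        procdump.ProcDump.__init__(self, config, *args, **kwargs)
        config.remove_option("PID")
        config.remove_option("OFFSET")
        config.remove_option("NAME")
        config.add_option('REGEX', short_option = 'r',
                          help = 'Dump modules matching REGEX',
                          action = 'store', type = 'string')
        config.add_option('IGNORE-CASE', short_option = 'i',
                          help = 'Ignore case in pattern match',
                          action = 'store_true', default = False)
        config.add_option('BASE', short_option = 'b', default = None,
                          help = 'Dump driver with BASE address (in hex)',
                          action = 'store', type = 'int')

    @cache.CacheDecorator(lambda self: "tests/moddump/regex={0}/ignore-case={1}/base={2}".format(self._config.REGEX, self._config.IGNORE_CASE, self._config.BASE))
    def calculate(self):
        """
        Yield (addr_space, procs, module base, module name) for the module
        at --base, or for every loaded module (optionally filtered by
        --regex against the full and base DLL names).

        A --base that is not in the loaded module list is still yielded,
        with the name "UNKNOWN".
        """
        addr_space = utils.load_as(self._config)

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error as e:
                debug.error('Error parsing regular expression: {0}'.format(e))

        mods = dict((mod.DllBase.v(), mod) for mod in modules.lsmod(addr_space))
        # We need the process list to find spaces for some drivers. Enumerate them here
        # instead of inside the find_space function, so we only have to do it once.
        procs = list(tasks.pslist(addr_space))

        if self._config.BASE:
            if self._config.BASE in mods:
                mod_name = mods[self._config.BASE].BaseDllName
            else:
                mod_name = "UNKNOWN"
            yield addr_space, procs, int(self._config.BASE), mod_name
        else:
            for mod in mods.values():
                if self._config.REGEX:
                    if not mod_re.search(str(mod.FullDllName or '')) and not mod_re.search(str(mod.BaseDllName or '')):
                        continue
                yield addr_space, procs, mod.DllBase.v(), mod.BaseDllName

    def _require_dump_dir(self):
        """Stop with an error unless --dump-dir names an existing directory."""
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

    def _dump_module(self, addr_space, procs, mod_base):
        """
        Dump the module at mod_base and return the result text.

        The file name is built from the numeric base address only, so
        module names read from the memory image never reach the file
        system path.
        """
        space = tasks.find_space(addr_space, procs, mod_base)
        if space == None:
            return "Error: Cannot acquire AS"
        dump_file = "driver.{0:x}.sys".format(mod_base)
        return self.dump_pe(space, mod_base, dump_file)

    def generator(self, data):
        """Dump each module and yield one output row per module."""
        for addr_space, procs, mod_base, mod_name in data:
            result = self._dump_module(addr_space, procs, mod_base)
            yield (0, [Address(mod_base), str(mod_name), str(result)])

    def unified_output(self, data):
        """Validate --dump-dir, then describe the columns and attach the rows."""
        self._require_dump_dir()

        tg = renderers.TreeGrid([("Module Base", Address),
                                 ("Module Name", str),
                                 ("Result", str)],
                                self.generator(data))
        return tg

    def render_text(self, outfd, data):
        """Validate --dump-dir, then dump each module and print a table row."""
        self._require_dump_dir()

        self.table_header(outfd, [("Module Base", "[addrpad]"),
                                  ("Module Name", "20"),
                                  ("Result", "")])

        for addr_space, procs, mod_base, mod_name in data:
            result = self._dump_module(addr_space, procs, mod_base)
            self.table_row(outfd, mod_base, mod_name, result)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/crashinfo.py0000644000000000000000000002014013131215405023341 0ustar rootroot
# Volatility
# Copyright (C) 2009-2013 Volatility Foundation
#
# This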
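file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.utils as utils
import volatility.plugins.common as common
import volatility.cache as cache
import volatility.debug as debug
import volatility.obj as obj
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address
import datetime

class _DMP_HEADER(obj.CType):
    """A class for crash dumps"""

    @property
    def SystemUpTime(self):
        """Returns the uptime as a datetime.timedelta, or a NoneObject
        when the field holds the PAGEPAGE filler instead of a value."""

        # Some utilities write PAGEPAGE to this field when
        # creating the dump header.
        if self.m('SystemUpTime') == 0x4547415045474150:
            return obj.NoneObject("No uptime recorded")

        # 1 uptime is 100ns so convert that to microsec
        msec = self.m('SystemUpTime') / 10

        return datetime.timedelta(microseconds = msec)

class CrashInfoModification(obj.ProfileModification):
    """Applies overlays for crash dump headers"""

    conditions = {'os': lambda x: x == 'windows'}
    before = ["WindowsVTypes", "WindowsObjectClasses"]

    def modification(self, profile):
        """Overlay Comment, DumpType and SystemTime on both header types."""
        profile.merge_overlay({
            '_DMP_HEADER' : [ None, {
                'Comment' : [ None, ['String', dict(length = 128)]],
                'DumpType' : [ None, ['Enumeration', dict(choices = {0x1: "Full Dump", 0x2: "Kernel Dump", 0x5: "BitMap Dump"})]],
                'SystemTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
            }],
            '_DMP_HEADER64' : [ None, {
                'Comment' : [ None, ['String', dict(length = 128)]],
                'DumpType' : [ None, ['Enumeration', dict(choices = {0x1: "Full Dump", 0x2: "Kernel Dump", 0x5: "BitMap Dump"})]],
                'SystemTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
            }],
        })

        ## Both x86 and x64 use the same structure for now, just
        ## so they can share the same SystemUpTime property.
        profile.object_classes.update({'_DMP_HEADER' : _DMP_HEADER, '_DMP_HEADER64' : _DMP_HEADER})

class CrashInfo(common.AbstractWindowsCommand):
    """Dump crash-dump information"""

    # Class names of the address spaces that carry a crash dump header
    target_as = ['WindowsCrashDumpSpace32', 'WindowsCrashDumpSpace64', 'WindowsCrashDumpSpace64BitMap']

    @cache.CacheDecorator("tests/crashinfo")
    def calculate(self):
        """Walk the stack of address spaces and return the crash dump
        space; if several layers match, the one furthest down wins.
        Stops with an error when none of them is a crash dump space."""
        addr_space = utils.load_as(self._config, astype = 'physical')

        result = None
        adrs = addr_space
        while adrs:
            if adrs.__class__.__name__ in self.target_as:
                result = adrs
            adrs = adrs.base

        if result is None:
            debug.error("Memory Image could not be identified as {0}".format(self.target_as))

        return result

    def unified_output(self, data):
        """Describe the output columns and attach the row generator."""
        return TreeGrid([("HeaderName", str),
                         ("Majorversion", Address),
                         ("Minorversion", Address),
                         ("KdSecondaryVersion", Address),
                         ("DirectoryTableBase", Address),
                         ("PfnDataBase", Address),
                         ("PsLoadedModuleList", Address),
                         ("PsActiveProcessHead", Address),
                         ("MachineImageType", Address),
                         ("NumberProcessors", Address),
                         ("BugCheckCode", Address),
                         ("PaeEnabled", Address),
                         ("KdDebuggerDataBlock", Address),
                         ("ProductType", Address),
                         ("SuiteMask", Address),
                         ("WriterStatus", Address),
                         ("Comment", str),
                         ("DumpType", str),
                         ("SystemTime", str),
                         ("SystemUpTime", str),
                         ("NumRuns", int)],
                        self.generator(data))

    def generator(self, data):
        """Yield a single row built from the crash dump header.  The
        PaeEnabled column is -1 for _DMP_HEADER64, which is not read
        for that field."""
        hdr = data.get_header()
        pae = -1
        if hdr.obj_name != "_DMP_HEADER64":
            pae = hdr.PaeEnabled

        yield (0, [str(hdr.obj_name),
                   Address(hdr.MajorVersion),
                   Address(hdr.MinorVersion),
                   Address(hdr.KdSecondaryVersion),
                   Address(hdr.DirectoryTableBase),
                   Address(hdr.PfnDataBase),
                   Address(hdr.PsLoadedModuleList),
                   Address(hdr.PsActiveProcessHead),
                   Address(hdr.MachineImageType),
                   Address(hdr.NumberProcessors),
                   Address(hdr.BugCheckCode),
                   Address(pae),
                   Address(hdr.KdDebuggerDataBlock),
                   Address(hdr.ProductType),
                   Address(hdr.SuiteMask),
                   Address(hdr.WriterStatus),
                   str(hdr.Comment),
                   str(hdr.DumpType),
                   str(hdr.SystemTime or ''),
                   str(hdr.SystemUpTime or ''),
                   len(data.get_runs())])

    def render_text(self, outfd, data):
        """Renders the crashdump header as text, followed by the list of
        physical memory runs.  Header fields, including the free-text
        Comment, are printed as read from the dump file."""

        hdr = data.get_header()
        runs = data.get_runs()

        outfd.write("{0}:\n".format(hdr.obj_name))
        outfd.write(" Majorversion: 0x{0:08x} ({1})\n".format(hdr.MajorVersion, hdr.MajorVersion))
        outfd.write(" Minorversion: 0x{0:08x} ({1})\n".format(hdr.MinorVersion, hdr.MinorVersion))
        outfd.write(" KdSecondaryVersion 0x{0:08x}\n".format(hdr.KdSecondaryVersion))
        outfd.write(" DirectoryTableBase 0x{0:08x}\n".format(hdr.DirectoryTableBase))
        outfd.write(" PfnDataBase 0x{0:08x}\n".format(hdr.PfnDataBase))
        outfd.write(" PsLoadedModuleList 0x{0:08x}\n".format(hdr.PsLoadedModuleList))
        outfd.write(" PsActiveProcessHead 0x{0:08x}\n".format(hdr.PsActiveProcessHead))
        outfd.write(" MachineImageType 0x{0:08x}\n".format(hdr.MachineImageType))
        outfd.write(" NumberProcessors 0x{0:08x}\n".format(hdr.NumberProcessors))
        outfd.write(" BugCheckCode 0x{0:08x}\n".format(hdr.BugCheckCode))
        if hdr.obj_name != "_DMP_HEADER64":
            outfd.write(" PaeEnabled 0x{0:08x}\n".format(hdr.PaeEnabled))
        outfd.write(" KdDebuggerDataBlock 0x{0:08x}\n".format(hdr.KdDebuggerDataBlock))
        outfd.write(" ProductType 0x{0:08x}\n".format(hdr.ProductType))
        outfd.write(" SuiteMask 0x{0:08x}\n".format(hdr.SuiteMask))
        outfd.write(" WriterStatus 0x{0:08x}\n".format(hdr.WriterStatus))
        outfd.write(" Comment {0}\n".format(hdr.Comment))
        outfd.write(" DumpType {0}\n".format(hdr.DumpType))
        outfd.write(" SystemTime {0}\n".format(str(hdr.SystemTime or '')))
        outfd.write(" SystemUpTime {0}\n".format(str(hdr.SystemUpTime or '')))

        outfd.write("\nPhysical Memory Description:\n")
        outfd.write("Number of runs: {0}\n".format(len(runs)))
        outfd.write("FileOffset Start Address Length\n")

        # Run data starts after the header; the 64-bit header is larger
        foffset = 0x1000
        if hdr.obj_name == "_DMP_HEADER64":
            foffset = 0x2000

        run = []

        ## FIXME. These runs differ for x86 vs x64. This is a reminder
        ## for MHL or AW to fix it.

        for run in runs:
            outfd.write("{0:08x} {1:08x} {2:08x}\n".format(foffset, run[0], run[2]))
            foffset += (run[2])

        # The closing line describes the last run.  A dump that lists no
        # runs leaves ``run`` empty, and indexing it would raise.
        if run:
            outfd.write("{0:08x} {1:08x}\n".format(foffset - 0x1000, (run[0] + run[2] - 0x1000)))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/evtlogs.py0000644000000000000000000003253013131215405023056 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (C) 2011 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .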
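#
"""
@author:       Jamie Levy (gleeda)
@license:      GNU General Public License 2.0
@contact:      jamie@memoryanalysis.net
@organization: Volatility Foundation
"""
import volatility.utils as utils
import volatility.plugins.getsids as getsids
import volatility.plugins.registry.registryapi as registryapi
import volatility.plugins.getservicesids as getservicesids
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.addrspace as addrspace
import volatility.obj as obj
import volatility.debug as debug
import os, datetime, ntpath
from volatility.renderers import TreeGrid

# for more information on Event Log structures see WFA 2E pg 260-263 by Harlan Carvey
evt_log_types = {
    'EVTLogHeader' : [ 0x30, {
        'HeaderSize' : [ 0x0, ['unsigned int']],
        'Magic' : [ 0x4, ['int']], #LfLe
        'OffsetOldest' : [ 0x10, ['unsigned int']], #offset of oldest record
        'OffsetNextToWrite' : [ 0x14, ['unsigned int']], #offset of next record to be written
        'NextID' : [ 0x18, ['int']], #next event record ID
        'OldestID' : [ 0x1c, ['int']], #oldest event record ID
        'MaxSize' : [ 0x20, ['unsigned int']], #maximum size of event record (from registry)
        'RetentionTime' : [ 0x28, ['int']], #retention time of records (from registry)
        'RecordSize' : [ 0x2c, ['unsigned int']], #size of the record (repeat of DWORD at offset 0)
    } ],

    'EVTRecordStruct' : [ 0x38, {
        'RecordLength' : [ 0x0, ['unsigned int']],
        'Magic' : [ 0x4, ['int']], #LfLe
        'RecordNumber' : [ 0x8, ['int']],
        'TimeGenerated' : [ 0xc, ['UnixTimeStamp', dict(is_utc = True)]],
        'TimeWritten' : [ 0x10, ['UnixTimeStamp', dict(is_utc = True)]],
        'EventID' : [ 0x14, ['unsigned short']], #specific to event source and uniquely identifies the event
        'EventType' : [ 0x18, ['Enumeration', dict(target = 'unsigned short', choices = {0x01: "Error", 0x02: "Warning", 0x04: "Info", 0x08: "Success", 0x10: "Failure"})]],
        'NumStrings' : [ 0x1a, ['unsigned short']], #number of description strings in event message
        'EventCategory' : [ 0x1c, ['unsigned short']],
        'ReservedFlags' : [ 0x1e, ['unsigned short']],
        'ClosingRecordNum' : [ 0x20, ['int']],
        'StringOffset' : [ 0x24, ['unsigned int']], #offset w/in record of description strings
        'SidLength' : [ 0x28, ['unsigned int']], #length of SID: if 0 no SID is present
        'SidOffset' : [ 0x2c, ['unsigned int']], #offset w/in record to start of SID (if present)
        'DataLength' : [ 0x30, ['unsigned int']], #length of binary data of record
        'DataOffset' : [ 0x34, ['unsigned int']], #offset of data w/in record
    } ],
}

class EVTObjectTypes(obj.ProfileModification):
    """Adds the EVT header/record vtypes to Windows 5.1+ (major 5, minor >= 1) profiles"""
    before = ["WindowsVTypes"]
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x >= 1}

    def modification(self, profile):
        profile.vtypes.update(evt_log_types)

class EvtLogs(common.AbstractWindowsCommand):
    """Extract Windows Event Logs (XP/2003 only)"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('SAVE-EVT', short_option = 'S', default = False,
                          action = 'store_true', help = 'Save the raw .evt files also')
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump executable files')

        # SID string -> " (Service: ...)" / " (User: ...)" suffix, filled in by
        # calculate() and load_user_sids()
        self.extrasids = {}

    @staticmethod
    def is_valid_profile(profile):
        """This plugin is valid on XP and 2003"""
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('major', 0) == 5)

    def load_user_sids(self):
        """Load the user SIDs from the registry

        Walks the ProfileList key of the SOFTWARE hive and records, for each
        subkey that has a ProfileImagePath value, the last path component of
        that value as the user name for the SID named by the subkey.
        """
        regapi = registryapi.RegistryApi(self._config)
        regapi.set_current("SOFTWARE")
        for k1 in regapi.reg_enum_key('SOFTWARE', 'Microsoft\\Windows NT\\CurrentVersion\\ProfileList'):
            val = regapi.reg_get_value('SOFTWARE', k1, 'ProfileImagePath')
            sid = k1.split("\\")[-1]
            if val != None:
                ## Strip NULLs in the value
                self.extrasids[sid] = " (User: " + val.split("\\")[-1].replace("\x00", "") + ")"

    def get_sid_string(self, data):
        """Take a buffer of data from the event record
        and parse it as a SID.

        @param data: buffer of data from SidOffset of the
        event record to SidOffset + SidLength.

        @returns: sid string
        """
        sid_name = ""
        bufferas = addrspace.BufferAddressSpace(self._config, data = data)
        sid = obj.Object("_SID", offset = 0, vm = bufferas)
        id_auth = ""
        # Only the last element of IdentifierAuthority.Value survives this loop
        for i in sid.IdentifierAuthority.Value:
            id_auth = i
        sid_string = "S-" + "-".join(str(i) for i in (sid.Revision, id_auth) + tuple(sid.SubAuthority))
        # Resolution order: exact well-known SID, well-known pattern, then the
        # service/user names collected in self.extrasids
        if sid_string in getsids.well_known_sids:
            sid_name = " ({0})".format(getsids.well_known_sids[sid_string])
        else:
            sid_name_re = getsids.find_sid_re(sid_string, getsids.well_known_sid_re)
            if sid_name_re:
                sid_name = " ({0})".format(sid_name_re)
            else:
                sid_name = self.extrasids.get(sid_string, "")
        sid_string += sid_name
        return sid_string

    def calculate(self):
        """Yield (name, data) for every mapped *.evt file found in services.exe

        name is the lower-cased file name taken from the VAD's file object and
        data is the zero-padded content of the whole VAD range.
        """
        addr_space = utils.load_as(self._config)

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This plugin only works on XP and 2003")

        ## When verbose is specified, we recalculate the list of SIDs for
        ## services in the registry. Otherwise, we take the list from the
        ## pre-populated dictionary in getservicesids.py
        if self._config.VERBOSE:
            ssids = getservicesids.GetServiceSids(self._config).calculate()
            for sid, service in ssids:
                self.extrasids[sid] = " (Service: " + service + ")"
        else:
            for sid, service in getservicesids.servicesids.items():
                self.extrasids[sid] = " (Service: " + service + ")"

        ## Get the user's SIDs from the registry
        self.load_user_sids()

        for proc in tasks.pslist(addr_space):
            if str(proc.ImageFileName).lower() == "services.exe":
                for vad, process_space in proc.get_vads(vad_filter = proc._mapped_file_filter):
                    if vad.FileObject.FileName:
                        name = str(vad.FileObject.FileName).lower()
                        if name.endswith(".evt"):
                            ## Maybe check the length is reasonable, though probably there won't
                            ## ever be event logs that are multiple GB or TB in size.
                            ## NOTE(review): vad.Length is read from the analysed image, so the
                            ## size of this read is not bounded by anything in this plugin.
                            data = process_space.zread(vad.Start, vad.Length)
                            yield name, data

    def parse_evt_info(self, name, buf, rawtime = False):
        """Carve event records out of a raw .evt buffer

        Records are located by scanning for the "LfLe" signature, which sits
        four bytes into each record (see the Magic member of EVTRecordStruct).

        @param name: name of the log file the buffer came from
        @param buf: raw bytes of the mapped .evt file
        @param rawtime: when True, the TimeWritten object is yielded as-is
        instead of its string form

        @returns: generator of field lists [TimeWritten, LogFile, ComputerName,
        SID, Source, EventID, EventType, Message]
        """

        loc = buf.find("LfLe")

        ## Skip the EVTLogHeader at offset 4. Here you can also parse
        ## and print the header values if you like.
        if loc == 4:
            loc = buf.find("LfLe", loc + 1)

        while loc != -1:

            ## A signature in the first four bytes cannot belong to a record:
            ## loc - 4 would be negative and the slice below would silently
            ## take bytes from the end of the buffer instead.
            if loc < 4:
                loc = buf.find("LfLe", loc + 1)
                continue

            ## This record's data (and potentially the data for records
            ## that follow it, so we'll be careful to chop it in the right
            ## places before future uses).
            rec = buf[loc - 4:]

            ## Use a buffer AS to instantiate the object
            bufferas = addrspace.BufferAddressSpace(self._config, data = rec)
            evtlog = obj.Object("EVTRecordStruct", offset = 0, vm = bufferas)
            rec_size = bufferas.profile.get_obj_size("EVTRecordStruct")

            ## Calculate the SID string. If the SidLength is zero, the next
            ## field (list of strings) starts at StringOffset. If the SidLength
            ## is non-zero, use the data of length SidLength to determine the
            ## SID string and the next field starts at SidOffset.
            if evtlog.SidLength == 0:
                end = evtlog.StringOffset
                sid_string = "N/A"
            else:
                ## detect mangled records based on invalid SID length
                if evtlog.SidLength > 68:
                    loc = buf.find("LfLe", loc + 1)
                    continue
                ## these should be appropriately sized SIDs
                end = evtlog.SidOffset
                sid_string = self.get_sid_string(rec[end:end + evtlog.SidLength])

            computer_name = ""
            source = ""

            ## The bytes between the fixed-size record header and `end` are
            ## split on double NULs: first item is the source, second the
            ## computer name
            items = rec[rec_size:end].split("\x00\x00")
            source = utils.remove_unprintable(items[0])
            if len(items) > 1:
                computer_name = utils.remove_unprintable(items[1])

            strings = rec[evtlog.StringOffset:].split("\x00\x00", evtlog.NumStrings)
            messages = []
            for s in range(min(len(strings), evtlog.NumStrings)):
                messages.append(utils.remove_unprintable(strings[s]))

            # We'll just say N/A if there are no messages, otherwise join them
            # together with semi-colons.
            if messages:
                msg = ";".join(messages)
                # "|" is the field delimiter of the text output, so encode it
                msg = msg.replace("|", "%7c")
            else:
                msg = "N/A"

            # Records with an invalid timestamp are ignored entirely
            if evtlog.TimeWritten != None:

                fields = [
                    str(evtlog.TimeWritten) if not rawtime else evtlog.TimeWritten,
                    ntpath.basename(name),
                    computer_name,
                    sid_string,
                    source,
                    str(evtlog.EventID),
                    str(evtlog.EventType), msg]

                yield fields

            ## Scan to the next record signature
            loc = buf.find("LfLe", loc + 1)

    def unified_output(self, data):
        """Return a TreeGrid over the parsed records

        NOTE(review): parse_evt_info yields eight fields, but only the first
        seven are declared and emitted here, so the message text is not part
        of the unified output - confirm whether that is intended.
        """
        return TreeGrid([("TimeWritten", str),
                         ("LogFile", str),
                         ("ComputerName", str),
                         ("SID", str),
                         ("Source", str),
                         ("EventID", str),
                         ("EventType", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield TreeGrid rows, optionally saving each raw .evt file first"""
        if self._config.DUMP_DIR and not self._config.SAVE_EVT:
            debug.error("Please add --save-evt flag to dump EVT files")
        if self._config.SAVE_EVT and self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if self._config.SAVE_EVT and not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        for name, buf in data:
            ## Dump the raw event log so it can be parsed with other tools
            if self._config.SAVE_EVT:
                ## The name comes from the analysed image; ntpath.basename
                ## drops any drive and directory part (both "\\" and "/"),
                ## which keeps the output inside DUMP_DIR.
                ofname = ntpath.basename(name)
                ## `with` closes the handle even if the write fails
                with open(os.path.join(self._config.DUMP_DIR, ofname), 'wb') as fh:
                    fh.write(buf)
                print 'Saved raw .evt file to {0}'.format(ofname)
            for fields in self.parse_evt_info(name, buf):
                yield (0, [str(fields[0]), str(fields[1]), str(fields[2]), str(fields[3]), str(fields[4]), str(fields[5]), str(fields[6])])

    def render_text(self, outfd, data):
        """Write the parsed records of each log to <log name>.txt in DUMP_DIR

        With SAVE_EVT set, the raw .evt data is written next to it. Logs that
        share a base name are written to the same output file, so a later one
        replaces an earlier one.
        """
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        for name, buf in data:
            ## We can use the ntpath module instead of manually replacing the slashes
            ## (the name comes from the analysed image; basename keeps the
            ## output inside DUMP_DIR)
            ofname = ntpath.basename(name)

            ## Dump the raw event log so it can be parsed with other tools
            if self._config.SAVE_EVT:
                with open(os.path.join(self._config.DUMP_DIR, ofname), 'wb') as fh:
                    fh.write(buf)
                outfd.write('Saved raw .evt file to {0}\n'.format(ofname))

            ## Now dump the parsed, pipe-delimited event records to a file
            ofname = ofname.replace(".evt", ".txt")
            with open(os.path.join(self._config.DUMP_DIR, ofname), 'wb') as fh:
                for fields in self.parse_evt_info(name, buf):
                    fh.write('|'.join(fields) + "\n")
            outfd.write('Parsed data sent to {0}\n'.format(ofname))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/objtypescan.py0000644000000000000000000000711313131215405023713 0ustar rootroot
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .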
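#
from volatility import renderers
import volatility.plugins.common as common
from volatility.renderers.basic import Hex, Address
import volatility.utils as utils
import volatility.poolscan as poolscan
import volatility.obj as obj

class ObjectTypeScanner(poolscan.PoolScanner):
    """Pool scanner for object type objects"""

    def __init__(self, address_space, **kwargs):
        poolscan.PoolScanner.__init__(self, address_space, **kwargs)

        self.struct_name = "_OBJECT_TYPE"
        self.object_type = "Type"
        self.pooltag = obj.VolMagic(address_space).ObjectTypePoolTag.v()
        # Hard-coded minimum pool size; the profile lookup it replaces is
        # kept in the trailing comment
        size = 0xc8 # self.address_space.profile.get_obj_size("_OBJECT_TYPE")

        self.checks = [
               ('CheckPoolSize', dict(condition = lambda x: x >= size)),
               ('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
               #('CheckPoolIndex', dict(value = 0)),
               ]

class ObjectTypeKeyModification(obj.ProfileModification):
    """Overlays _OBJECT_TYPE.Key as a 4-character String on Windows profiles"""
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.merge_overlay({
            '_OBJECT_TYPE': [ None, {
                'Key': [ None, ['String', dict(length = 4)]]}]
            })

class ObjTypeScan(common.AbstractScanCommand):
    """Scan for Windows object type objects"""

    scanners = [ObjectTypeScanner]

    def unified_output(self, data):
        """Return a TreeGrid with one row per scanned object type"""
        def generator(data):
            for object_type in data:
                yield (0, [
                    Address(object_type.obj_offset),
                    Hex(object_type.TotalNumberOfObjects),
                    Hex(object_type.TotalNumberOfHandles),
                    str(object_type.Key),
                    str(object_type.Name or ''),
                    str(object_type.TypeInfo.PoolType)])

        return renderers.TreeGrid(
            [("Offset", Address),
             ("nObjects", Hex),
             ("nHandles", Hex),
             ("Key", str),
             ("Name", str),
             ("PoolType", str)],
            generator(data))

    def render_text(self, outfd, data):
        """Render the scanned object types as a text table"""
        self.table_header(outfd, [("Offset", "[addrpad]"),
                                  ("nObjects", "[addr]"),
                                  ("nHandles", "[addr]"),
                                  ("Key", "8"),
                                  ("Name", "30"),
                                  ("PoolType", "20")])

        for object_type in data:
            self.table_row(outfd,
                           object_type.obj_offset,
                           object_type.TotalNumberOfObjects,
                           object_type.TotalNumberOfHandles,
                           str(object_type.Key),
                           str(object_type.Name or ''),
                           object_type.TypeInfo.PoolType)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/taskmods.py0000644000000000000000000004014613131215405023222 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Additional Authors:
# Michael Cohen
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

#pylint: disable-msg=C0111

import os, re
import volatility.plugins.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address, Hex
import volatility.win32 as win32
import volatility.obj as obj
import volatility.debug as debug
import volatility.utils as utils
import volatility.cache as cache

class DllList(common.AbstractWindowsCommand, cache.Testable):
    """Print list of loaded dlls for each process"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        cache.Testable.__init__(self)
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'EPROCESS offset (in hex) in the physical address space',
                          action = 'store', type = 'int')

        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Operate on these Process IDs (comma-separated)',
                          action = 'store', type = 'str')

        config.add_option('NAME', short_option = 'n', default = None,
                          help = 'Operate on these process names (regex)',
                          action = 'store', type = 'str')

    def unified_output(self, data):
        """Return a TreeGrid with one row per loaded module"""
        return TreeGrid([("Pid", int),
                         ("Base", Address),
                         ("Size", Hex),
                         ("LoadCount", Hex),
                         ("LoadTime", str),
                         ("Path", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one row per loaded module, or a placeholder row when the PEB is unreadable"""
        for task in data:
            pid = task.UniqueProcessId

            if task.Peb:
                for m in task.get_load_modules():
                    yield (0, [int(pid), Address(m.DllBase), Hex(m.SizeOfImage), Hex(m.LoadCount), str(m.load_time()), str(m.FullDllName or '')])
            else:
                yield (0, [int(pid), Address(0), Hex(0), Hex(0), "", "Error reading PEB for pid"])

    def render_text(self, outfd, data):
        """Print the command line, service pack and module table of each task"""
        for task in data:
            pid = task.UniqueProcessId

            outfd.write("*" * 72 + "\n")
            outfd.write("{0} pid: {1:6}\n".format(task.ImageFileName, pid))

            if task.Peb:
                ## REMOVE this after 2.4, since we have the cmdline plugin now
                outfd.write("Command line : {0}\n".format(str(task.Peb.ProcessParameters.CommandLine or '')))
                if task.IsWow64:
                    outfd.write("Note: use ldrmodules for listing DLLs in Wow64 processes\n")
                outfd.write("{0}\n".format(str(task.Peb.CSDVersion or '')))
                outfd.write("\n")
                self.table_header(outfd,
                                  [("Base", "[addrpad]"),
                                   ("Size", "[addr]"),
                                   ("LoadCount", "[addr]"),
                                   ("LoadTime", "<30"),
                                   ("Path", ""),
                                   ])
                for m in task.get_load_modules():
                    self.table_row(outfd, m.DllBase, m.SizeOfImage, m.LoadCount, str(m.load_time()), str(m.FullDllName or ''))
            else:
                outfd.write("Unable to read PEB for task.\n")

    def filter_tasks(self, tasks):
        """ Reduce the tasks based on the user selectable PID and NAME parameters.

        Returns a reduced list or the full list if neither config.PID nor
        config.NAME is specified. PID takes precedence over NAME.
        """

        if self._config.PID is not None:
            try:
                pidlist = [int(p) for p in self._config.PID.split(',')]
            except ValueError:
                # NOTE(review): the code below relies on debug.error not
                # returning here (pidlist would be unbound) - confirm
                debug.error("Invalid PID {0}".format(self._config.PID))

            pids = [t for t in tasks if t.UniqueProcessId in pidlist]
            if len(pids) == 0:
                debug.error("Cannot find PID {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.PID))
            return pids

        if self._config.NAME is not None:
            try:
                name_re = re.compile(self._config.NAME, re.I)
            except re.error:
                debug.error("Invalid name {0}".format(self._config.NAME))

            names = [t for t in tasks if name_re.search(str(t.ImageFileName))]
            if len(names) == 0:
                debug.error("Cannot find name {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.NAME))
            return names

        return tasks

    @staticmethod
    def virtual_process_from_physical_offset(addr_space, offset):
        """ Returns a virtual process from a physical offset in memory """
        # Since this is a physical offset, we find the process
        flat_addr_space = utils.load_as(addr_space.get_config(), astype = 'physical')
        flateproc = obj.Object("_EPROCESS", offset, flat_addr_space)
        # then use the virtual address of its first thread to get into virtual land
        # (Note: the addr_space and flat_addr_space use the same config, so should have the same profile)
        tleoffset = addr_space.profile.get_obj_offset("_ETHREAD", "ThreadListEntry")

        # start out with the member offset given to us from the profile
        offsets = [tleoffset]

        # if (and only if) we're dealing with 64-bit Windows 7 SP1
        # then add the other commonly seen member offset to the list
        meta = addr_space.profile.metadata
        major = meta.get("major", 0)
        minor = meta.get("minor", 0)
        build = meta.get("build", 0)
        version = (major, minor, build)

        if meta.get("memory_model") == "64bit" and version == (6, 1, 7601):
            offsets.append(tleoffset + 8)

        ## use the member offset from the profile
        for ofs in offsets:
            ethread = obj.Object("_ETHREAD", offset = flateproc.ThreadListHead.Flink.v() - ofs, vm = addr_space)
            # and ask for the thread's process to get an _EPROCESS with a virtual address space
            virtual_process = ethread.owning_process()
            # Sanity check the bounce. See Issue 154.
            if virtual_process and offset == addr_space.vtop(virtual_process.obj_offset):
                return virtual_process

        return obj.NoneObject("Unable to bounce back from virtual _ETHREAD to virtual _EPROCESS")

    @cache.CacheDecorator(lambda self: "tests/pslist/pid={0}/offset={1}".format(self._config.PID, self._config.OFFSET))
    def calculate(self):
        """Produces a list of processes, or just a single process based on an OFFSET"""
        addr_space = utils.load_as(self._config)

        if self._config.OFFSET != None:
            tasks = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            tasks = self.filter_tasks(win32.tasks.pslist(addr_space))

        return tasks

def _escape_dot_record(text):
    """Escape text for use inside a quoted DOT record label

    Process names are read from the analysed image, so a name containing a
    quote or a record delimiter must not be able to end the label or add
    fields/attributes to the generated graph.
    """
    text = str(text)
    # Backslash first, so the escapes added below are not escaped again
    for ch in ('\\', '"', '|', '{', '}', '<', '>'):
        text = text.replace(ch, '\\' + ch)
    return text

class PSList(DllList):
    """ Print all running processes by following the EPROCESS lists """
    def __init__(self, config, *args, **kwargs):
        DllList.__init__(self, config, *args, **kwargs)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P',
                          default = False, cache_invalidator = False,
                          help = "Display physical offsets instead of virtual",
                          action = "store_true")

    def render_text(self, outfd, data):
        """Render the process list as a text table"""

        offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
        self.table_header(outfd,
                          [("Offset{0}".format(offsettype), "[addrpad]"),
                           ("Name", "20s"),
                           ("PID", ">6"),
                           ("PPID", ">6"),
                           ("Thds", ">6"),
                           ("Hnds", ">8"),
                           ("Sess", ">6"),
                           ("Wow64", ">6"),
                           ("Start", "30"),
                           ("Exit", "30")]
                          )

        for task in data:
            # PHYSICAL_OFFSET must STRICTLY only be used in the results. If it's used for anything else,
            # it needs to have cache_invalidator set to True in the options
            if not self._config.PHYSICAL_OFFSET:
                offset = task.obj_offset
            else:
                offset = task.obj_vm.vtop(task.obj_offset)
            self.table_row(outfd,
                           offset,
                           task.ImageFileName,
                           task.UniqueProcessId,
                           task.InheritedFromUniqueProcessId,
                           task.ActiveThreads,
                           task.ObjectTable.HandleCount,
                           task.SessionId,
                           task.IsWow64,
                           str(task.CreateTime or ''),
                           str(task.ExitTime or ''),
                           )

    def render_dot(self, outfd, data):
        """Render the parent/child process relationships as a DOT digraph"""
        objects = set()
        links = set()

        for eprocess in data:
            # The image name is the only free-form, image-controlled text in
            # the label, so it is escaped before being embedded
            label = "{0} | {1} |".format(eprocess.UniqueProcessId,
                                         _escape_dot_record(eprocess.ImageFileName))
            if eprocess.ExitTime:
                label += "exited\\n{0}".format(eprocess.ExitTime)
                options = ' style = "filled" fillcolor = "lightgray" '
            else:
                label += "running"
                options = ''

            objects.add('pid{0} [label="{1}" shape="record" {2}];\n'.format(eprocess.UniqueProcessId,
                                                                             label, options))
            links.add("pid{0} -> pid{1} [];\n".format(eprocess.InheritedFromUniqueProcessId,
                                                      eprocess.UniqueProcessId))

        ## Now write the dot file
        outfd.write("digraph processtree { \ngraph [rankdir = \"TB\"];\n")
        for link in links:
            outfd.write(link)

        for item in objects:
            outfd.write(item)
        outfd.write("}")

    def unified_output(self, data):
        """Return a TreeGrid with one row per process"""

        offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
        return TreeGrid([("Offset{0}".format(offsettype), Address),
                         ("Name", str),
                         ("PID", int),
                         ("PPID", int),
                         ("Thds", int),
                         ("Hnds", int),
                         ("Sess", int),
                         ("Wow64", int),
                         ("Start", str),
                         ("Exit", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per process"""
        for task in data:
            # PHYSICAL_OFFSET must STRICTLY only be used in the results. If it's used for anything else,
            # it needs to have cache_invalidator set to True in the options
            if not self._config.PHYSICAL_OFFSET:
                offset = task.obj_offset
            else:
                offset = task.obj_vm.vtop(task.obj_offset)

            yield (0, [Address(offset),
                       str(task.ImageFileName),
                       int(task.UniqueProcessId),
                       int(task.InheritedFromUniqueProcessId),
                       int(task.ActiveThreads),
                       int(task.ObjectTable.HandleCount),
                       int(task.SessionId),
                       int(task.IsWow64),
                       str(task.CreateTime or ''),
                       str(task.ExitTime or '')])

# Inherit from files just for the config options (__init__)
class MemMap(DllList):
    """Print the memory map"""

    def unified_output(self, data):
        """Return a TreeGrid with one row per readable page range"""
        return TreeGrid([("Process", str),
                         ("PID", int),
                         ("Virtual", Address),
                         ("Physical", Address),
                         ("Size", Address),
                         ("DumpFileOffset", Address)],
                        self.generator(data))

    def generator(self, data):
        """Yield one row per page range that translates and can be read

        DumpFileOffset is the running total of the sizes of the ranges
        emitted so far for the task.
        """
        for pid, task, pagedata in data:
            task_space = task.get_process_address_space()
            proc = "{0}".format(task.ImageFileName)
            offset = 0
            if pagedata:
                for p in pagedata:
                    pa = task_space.vtop(p[0])
                    # pa can be 0, according to the old memmap, but can't == None(NoneObject)
                    if pa != None:
                        # Named `page` so it does not rebind the `data`
                        # argument that is being iterated over
                        page = task_space.read(p[0], p[1])
                        if page != None:
                            yield (0, [proc, int(pid), Address(p[0]), Address(pa), Address(p[1]), Address(offset)])
                            offset += p[1]

    def render_text(self, outfd, data):
        """Render the memory map of each task as a text table"""
        first = True
        for pid, task, pagedata in data:
            if not first:
                outfd.write("*" * 72 + "\n")

            task_space = task.get_process_address_space()
            outfd.write("{0} pid: {1:6}\n".format(task.ImageFileName, pid))
            first = False

            offset = 0
            if pagedata:
                self.table_header(outfd,
                                  [("Virtual", "[addrpad]"),
                                   ("Physical", "[addrpad]"),
                                   ("Size", "[addr]"),
                                   ("DumpFileOffset", "[addr]")])

                for p in pagedata:
                    pa = task_space.vtop(p[0])
                    # pa can be 0, according to the old memmap, but can't == None(NoneObject)
                    if pa != None:
                        page = task_space.read(p[0], p[1])
                        if page != None:
                            self.table_row(outfd, p[0], pa, p[1], offset)
                            offset += p[1]
            else:
                outfd.write("Unable to read pages for task.\n")

    @cache.CacheDecorator(lambda self: "tests/memmap/pid={0}/offset={1}".format(self._config.PID, self._config.OFFSET))
    def calculate(self):
        """Yield (pid, task, available pages) for every task with a non-zero PID"""
        tasks = DllList.calculate(self)

        for task in tasks:
            if task.UniqueProcessId:
                pid = task.UniqueProcessId
                task_space = task.get_process_address_space()
                pages = task_space.get_available_pages()
                yield pid, task, pages

class MemDump(MemMap):
    """Dump the addressable memory for a process"""

    def __init__(self, config, *args, **kwargs):
        MemMap.__init__(self, config, *args, **kwargs)
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump memory')

    def render_text(self, outfd, data):
        """Write the readable pages of each task to <pid>.dmp in DUMP_DIR

        The file name is built from the PID only, so two tasks reporting the
        same PID are written to the same file.
        """
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        for pid, task, pagedata in data:
            outfd.write("*" * 72 + "\n")

            task_space = task.get_process_address_space()
            outfd.write("Writing {0} [{1:6}] to {2}.dmp\n".format(task.ImageFileName, pid, str(pid)))

            # `with` closes the dump file even if a read or write raises
            with open(os.path.join(self._config.DUMP_DIR, str(pid) + ".dmp"), 'wb') as f:
                if pagedata:
                    for p in pagedata:
                        page = task_space.read(p[0], p[1])
                        if page == None:
                            if self._config.verbose:
                                outfd.write("Memory Not Accessible: Virtual Address: 0x{0:x} Size: 0x{1:x}\n".format(p[0], p[1]))
                        else:
                            f.write(page)
                else:
                    outfd.write("Unable to read pages for task.\n")
volatility_2.6+git20170711.b3db0cc/volatility/plugins/getsids.py0000644000000000000000000002414713131215405023042 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# Additional Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.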
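#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
#
# Based heavily upon the getsids plugin by Moyix
# http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/getsids.py

"""
@author:       AAron Walters and Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

import volatility.plugins.registry.registryapi as registryapi
import volatility.plugins.taskmods as taskmods
import volatility.plugins.getservicesids as getservicesids
import volatility.utils as utils
from volatility import renderers
import re, ntpath

def find_sid_re(sid_string, sid_re_list):
    """Return the name of the first (regex, name) pair whose regex matches

    @param sid_string: SID in its S-... string form
    @param sid_re_list: list of (compiled regex, name) tuples, tried in order

    @returns: the matching name, or None when nothing matches
    """
    for reg, name in sid_re_list:
        if reg.search(sid_string):
            return name

# Patterns are tried in order and the first match wins.
# NOTE(review): the pattern ending in -553$ under S-1-5-21- appears twice
# ('RAS Servers' and 'Remote Access Services (RAS)'); the second entry can
# never be returned by find_sid_re.
well_known_sid_re = [
    (re.compile(r'S-1-5-[0-9-]+-500$'), 'Administrator'),
    (re.compile(r'S-1-5-[0-9-]+-501$'), 'Guest'),
    (re.compile(r'S-1-5-[0-9-]+-502$'), 'KRBTGT'),
    (re.compile(r'S-1-5-[0-9-]+-512$'), 'Domain Admins'),
    (re.compile(r'S-1-5-[0-9-]+-513$'), 'Domain Users'),
    (re.compile(r'S-1-5-[0-9-]+-514$'), 'Domain Guests'),
    (re.compile(r'S-1-5-[0-9-]+-515$'), 'Domain Computers'),
    (re.compile(r'S-1-5-[0-9-]+-516$'), 'Domain Controllers'),
    (re.compile(r'S-1-5-[0-9-]+-517$'), 'Cert Publishers'),
    (re.compile(r'S-1-5-[0-9-]+-520$'), 'Group Policy Creator Owners'),
    (re.compile(r'S-1-5-[0-9-]+-533$'), 'RAS and IAS Servers'),
    (re.compile(r'S-1-5-5-[0-9]+-[0-9]+'), 'Logon Session'),
    (re.compile(r'S-1-5-21-[0-9-]+-518$'), 'Schema Admins'),
    (re.compile(r'S-1-5-21-[0-9-]+-519$'), 'Enterprise Admins'),
    (re.compile(r'S-1-5-21-[0-9-]+-553$'), 'RAS Servers'),
    (re.compile(r'S-1-5-21-[0-9-]+-498$'), 'Enterprise Read-Only Domain Controllers'),
    (re.compile(r'S-1-5-21-[0-9-]+-521$'), 'Read-Only Domain Controllers'),
    (re.compile(r'S-1-5-21-[0-9-]+-522$'), 'Cloneable Domain Controllers'),
    (re.compile(r'S-1-5-21-[0-9-]+-525$'), 'Protected Users'),
    (re.compile(r'S-1-5-21-[0-9-]+-553$'), 'Remote Access Services (RAS)'),
]

well_known_sids = {
    'S-1-0': 'Null Authority',
    'S-1-0-0': 'Nobody',
    'S-1-1': 'World Authority',
    'S-1-1-0': 'Everyone',
    'S-1-2': 'Local Authority',
    'S-1-2-0': 'Local (Users with the ability to log in locally)',
    'S-1-2-1': 'Console Logon (Users who are logged onto the physical console)',
    'S-1-3': 'Creator Authority',
    'S-1-3-0': 'Creator Owner',
    'S-1-3-1': 'Creator Group',
    'S-1-3-2': 'Creator Owner Server',
    'S-1-3-3': 'Creator Group Server',
    'S-1-3-4': 'Owner Rights',
    'S-1-4': 'Non-unique Authority',
    'S-1-5': 'NT Authority',
    'S-1-5-1': 'Dialup',
    'S-1-5-2': 'Network',
    'S-1-5-3': 'Batch',
    'S-1-5-4': 'Interactive',
    'S-1-5-6': 'Service',
    'S-1-5-7': 'Anonymous',
    'S-1-5-8': 'Proxy',
    'S-1-5-9': 'Enterprise Domain Controllers',
    'S-1-5-10': 'Principal Self',
    'S-1-5-11': 'Authenticated Users',
    'S-1-5-12': 'Restricted Code',
    'S-1-5-13': 'Terminal Server Users',
    'S-1-5-14': 'Remote Interactive Logon',
    'S-1-5-15': 'This Organization',
    'S-1-5-17': 'This Organization (Used by the default IIS user)',
    'S-1-5-18': 'Local System',
    'S-1-5-19': 'NT Authority',
    'S-1-5-20': 'NT Authority',
    'S-1-5-32-544': 'Administrators',
    'S-1-5-32-545': 'Users',
    'S-1-5-32-546': 'Guests',
    'S-1-5-32-547': 'Power Users',
    'S-1-5-32-548': 'Account Operators',
    'S-1-5-32-549': 'Server Operators',
    'S-1-5-32-550': 'Print Operators',
    'S-1-5-32-551': 'Backup Operators',
    'S-1-5-32-552': 'Replicators',
    'S-1-5-32-554': 'BUILTIN\\Pre-Windows 2000 Compatible Access',
    'S-1-5-32-555': 'BUILTIN\\Remote Desktop Users',
    'S-1-5-32-556': 'BUILTIN\\Network Configuration Operators',
    'S-1-5-32-557': 'BUILTIN\\Incoming Forest Trust Builders',
    'S-1-5-32-558': 'BUILTIN\\Performance Monitor Users',
    'S-1-5-32-559': 'BUILTIN\\Performance Log Users',
    'S-1-5-32-560': 'BUILTIN\\Windows Authorization Access Group',
    'S-1-5-32-561': 'BUILTIN\\Terminal Server License Servers',
    'S-1-5-32-562': 'BUILTIN\\Distributed COM Users',
    'S-1-5-32-568': 'BUILTIN\\IIS IUSRS',
    'S-1-5-32-569': 'Cryptographic Operators',
    'S-1-5-32-573': 'BUILTIN\\Event Log Readers',
    'S-1-5-32-574': 'BUILTIN\\Certificate Service DCOM Access',
    'S-1-5-33': 'Write Restricted',
    'S-1-5-64-10': 'NTLM Authentication',
    'S-1-5-64-14': 'SChannel Authentication',
    'S-1-5-64-21': 'Digest Authentication',
    'S-1-5-80': 'NT Service',
    'S-1-5-86-1544737700-199408000-2549878335-3519669259-381336952': 'WMI (Local Service)',
    'S-1-5-86-615999462-62705297-2911207457-59056572-3668589837': 'WMI (Network Service)',
    'S-1-5-1000': 'Other Organization',
    'S-1-16-0': 'Untrusted Mandatory Level',
    'S-1-16-4096': 'Low Mandatory Level',
    'S-1-16-8192': 'Medium Mandatory Level',
    'S-1-16-8448': 'Medium Plus Mandatory Level',
    'S-1-16-12288': 'High Mandatory Level',
    'S-1-16-16384': 'System Mandatory Level',
    'S-1-16-20480': 'Protected Process Mandatory Level',
    'S-1-16-28672': 'Secure Process Mandatory Level',
    'S-1-5-21-0-0-0-496': 'Compounded Authentication',
    'S-1-5-21-0-0-0-497': 'Claims Valid',
    'S-1-5-32-575': 'RDS Remote Application Services',
    'S-1-5-32-576': 'RDS Endpoint Servers',
    'S-1-5-32-577': 'RDS Management Servers',
    'S-1-5-32-578': 'Hyper-V Admins',
    'S-1-5-32-579': 'Access Control Assistance Ops',
    'S-1-5-32-580': 'Remote Management Users',
    'S-1-5-65-1': 'This Organization Certificate (Kerberos PAC)',
    'S-1-5-84-0-0-0-0-0': 'Usermode Drivers',
    'S-1-5-113': 'Local Account',
    'S-1-5-114': 'Local Account (Member of Administrators)',
    # 'S-1-5-1000' was listed a second time here with the same value
    'S-1-15-2-1': 'Application Package Context',
    'S-1-18-1': 'Authentication Authority Asserted Identity',
    'S-1-18-2': 'Service Asserted Identity',
}

class GetSIDs(taskmods.DllList):
    """Print the SIDs owning each process"""

    # Declare meta information associated with this plugin

    meta_info = {}
    meta_info['author'] = 'Brendan Dolan-Gavitt'
    meta_info['copyright'] = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt'
    meta_info['contact'] = 'bdolangavitt@wesleyan.edu'
    meta_info['license'] = 'GNU General Public License 2.0'
    meta_info['url'] = 'http://moyix.blogspot.com/'
    meta_info['os'] = 'WIN_32_XP_SP2'
    meta_info['version'] = '1.0'

    def lookup_user_sids(self):
        """Map profile SIDs to user names using the ProfileList registry key

        @returns: dict of SID string -> base name of the ProfileImagePath value
        """

        regapi = registryapi.RegistryApi(self._config)
        regapi.set_current("hklm")

        key = "Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
        val = "ProfileImagePath"

        sids = {}

        for subkey in regapi.reg_get_all_subkeys(None, key = key):
            sid = str(subkey.Name)
            path = regapi.reg_get_value(None, key = "", value = val, given_root = subkey)
            if path:
                path = str(path).replace("\x00", "")
                user = ntpath.basename(path)
                sids[sid] = user

        return sids

    def _lookup_sid_name(self, sid_string, user_sids):
        """Resolve a SID string to a display name, or None if unknown

        Lookup order: exact well-known SIDs, service SIDs, user profile SIDs,
        then the well-known SID patterns. Shared by both renderers so they
        cannot drift apart.
        """
        if sid_string in well_known_sids:
            return well_known_sids[sid_string]
        if sid_string in getservicesids.servicesids:
            return getservicesids.servicesids[sid_string]
        if sid_string in user_sids:
            return user_sids[sid_string]
        return find_sid_re(sid_string, well_known_sid_re) or None

    def unified_output(self, data):
        """Return a TreeGrid with one row per (process, SID) pair"""

        def generator(data):
            user_sids = self.lookup_user_sids()

            for task in data:
                token = task.get_token()

                if not token:
                    yield (0, [int(task.UniqueProcessId),
                               str(task.ImageFileName),
                               "Token unreadable",
                               ""])
                    continue

                for sid_string in token.get_sids():
                    sid_name = self._lookup_sid_name(sid_string, user_sids)
                    if sid_name is None:
                        sid_name = ""

                    yield (0, [int(task.UniqueProcessId),
                               str(task.ImageFileName),
                               str(sid_string),
                               str(sid_name)])

        return renderers.TreeGrid(
            [("PID", int),
             ("Process", str),
             ("SID", str),
             ("Name", str),
             ], generator(data))

    def render_text(self, outfd, data):
        """Renders the sids as text"""

        user_sids = self.lookup_user_sids()

        for task in data:
            token = task.get_token()

            if not token:
                outfd.write("{0} ({1}): Token unreadable\n".format(task.ImageFileName, int(task.UniqueProcessId)))
                continue

            for sid_string in token.get_sids():
                resolved = self._lookup_sid_name(sid_string, user_sids)
                if resolved is None:
                    sid_name = ""
                else:
                    sid_name = " ({0})".format(resolved)

                outfd.write("{0} ({1}): {2}{3}\n".format(task.ImageFileName, task.UniqueProcessId, sid_string, sid_name))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/patcher.py0000644000000000000000000002013313131215405023015 0ustar rootroot
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import sys
import timeit
import binascii
import xml.etree.cElementTree as etree
import volatility.commands as commands
import volatility.debug as debug
import volatility.utils as utils

PAGESIZE = 4096

#XML Example file format
#
#
#
#
# DEADBEEFC0FFEE
# ...
#
#
# BEEFF00DEE
#
# ...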
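#
#

class MultiPageScanner(object):
    """Scans a page at a time through the address space

    Designed to minimize reads/writes to the address space
    """

    def __init__(self, patchers, full = False):
        # patchers may be any iterable (Patcher.calculate passes the
        # parse_patchfile generator); it is drained into a list here
        self.patchers = list(patchers)
        self.maxlen = 0
        # Unless a full scan is requested, a patcher is dropped after its first hit
        self.remove_patchers = not full

    def use_fullpage(self, address_space):
        """Calibrate the scanner to ensure fastest speed

        Times scan_page on page 0 in both modes and returns True when
        reading the whole page once is the faster of the two.
        """
        # Define the calibration functions
        timeit_fullpage = lambda: list(self.scan_page(address_space, 0, True))
        timeit_nonfullpage = lambda: list(self.scan_page(address_space, 0, False))

        with_fullpage = timeit.repeat(timeit_fullpage, number = 100)
        without_fullpage = timeit.repeat(timeit_nonfullpage, number = 100)
        return min(with_fullpage) < min(without_fullpage)

    def scan(self, address_space, outfd):
        """Scans through the pages

        Progress goes to sys.stdout, one line per applied patch goes to outfd.
        Every patcher whose constraints match a page has its patches written
        to that page through address_space.
        """
        page_offset = 0

        sys.stdout.write("Calibrating for speed: ")
        sys.stdout.flush()
        fullpage = self.use_fullpage(address_space)
        if fullpage:
            sys.stdout.write("Reading full pages\n")
        else:
            sys.stdout.write("Reading patch locations per page\n")
        sys.stdout.flush()

        done = False
        while address_space.is_valid_address(page_offset + PAGESIZE) and not done:
            sys.stdout.write("\rScanning: {0:08X}".format(page_offset))
            sys.stdout.flush()

            # Run through any patchers that didn't fail
            for patcher in self.scan_page(address_space, page_offset, fullpage):
                outfd.write("\rPatching {0} at page {1:x}\n".format(patcher.get_name(), page_offset))
                # NOTE(review): the result of patch() is not checked, so the
                # line above is printed even when the write did not happen
                patcher.patch(address_space, page_offset)
                if self.remove_patchers:
                    # Safe while iterating: scan_page walks a snapshot of the list
                    self.patchers.remove(patcher)
                    # Stop if we've got nothing left to look for
                    if not len(self.patchers):
                        done = True

            # Jump to the next page
            page_offset += PAGESIZE

        sys.stdout.write("\n")

    def scan_page(self, address_space, page_offset, fullpage = False):
        """Runs through patchers for a single page

        Yields every patcher whose constraints all match the page at
        page_offset. With fullpage the page is read once and sliced,
        otherwise each constraint is read separately.
        """
        if fullpage:
            pagedata = address_space.read(page_offset, PAGESIZE)
            if pagedata is None:
                # Unreadable page: nothing can match (the per-constraint mode
                # reaches the same result because data != None)
                return

        # Iterate over a snapshot: scan() removes matched patchers from
        # self.patchers while this generator is still running, and removing
        # from the live list would silently skip the following patcher
        for patcher in list(self.patchers):
            for offset, data in patcher.get_constraints():
                if fullpage:
                    testdata = pagedata[offset:offset + len(data)]
                else:
                    testdata = address_space.read(page_offset + offset, len(data))
                if data != testdata:
                    break
            else:
                # No constraint failed
                yield patcher

class PatcherObject(object):
    """Simple object to hold patching data"""

    def __init__(self, name):
        self.name = name
        # Sets of (offset within page, bytes) tuples
        self.patches = set()
        self.constraints = set()

    def add_constraint(self, offset, data):
        """Adds a constraint to the constraintlist"""
        # Ensure that all offsets are within PAGESIZE
        self.constraints.add((offset % PAGESIZE, data))

    def add_patch(self, offset, patch):
        """Adds a patch to the patchlist"""
        # Ensure that all offsets are within PAGESIZE
        self.patches.add((offset % PAGESIZE, patch))

    def patch(self, addr_space, page_offset):
        """Writes to the address space

        Returns the combined result of the writes. Because of the
        short-circuiting `and`, no further write is attempted once one
        write has returned a false value.
        """
        result = True
        for offset, patch, in self.patches:
            result = result and addr_space.write(page_offset + offset, patch)
        return result

    def get_patches(self):
        """Returns the list of patches for this patcher"""
        return self.patches

    def get_constraints(self):
        """Returns the set of constraints for this patcher"""
        return self.constraints

    def get_name(self):
        """Returns the name of the patcher"""
        return self.name

class Patcher(commands.Command):
    """Patches memory based on page scans"""

    def __init__(self, config, *args, **kwargs):
        commands.Command.__init__(self, config, *args, **kwargs)
        config.add_option('XML-INPUT', short_option = 'x',
                          help = 'Input XML file for patching binaries')

    def calculate(self):
        """Calculates the patchers"""
        addr_space = utils.load_as(self._config, astype = 'physical')
        scanner = MultiPageScanner(self.parse_patchfile())
        return scanner, addr_space

    def render_text(self, outfd, data):
        """Renders the text and carries out the patching"""
        scanner, addr_space = data
        scanner.scan(addr_space, outfd)

    def get_offset(self, tag):
        """Returns the offset from a tag

        The 'offset' attribute is read as decimal, or as hexadecimal when it
        starts with '0x'. Returns None when the attribute is missing or empty.
        """
        offset = tag.get('offset', None)
        if not offset:
            return None
        base = 10
        if offset.startswith('0x'):
            offset = offset[2:]
            base = 16
        return int(offset, base)

    def parse_patchfile(self):
        """Parses the patch XML data

        Generator yielding one PatcherObject for every 'patchinfo' element
        with method 'pagescan' that has at least one usable 'setbytes' patch
        and at least one usable 'match' constraint.

        The patch file decides which bytes get written into the image, and it
        is parsed with the standard library ElementTree parser, which does not
        limit entity expansion: only use patch files from a trusted source.
        """
        if not self._config.WRITE:
            print("Warning: WRITE support not enabled, no patching will occur")

        if self._config.XML_INPUT is None:
            debug.error("No XML input file was specified")

        try:
            root = etree.parse(self._config.XML_INPUT).getroot()
        except SyntaxError as e:
            debug.error("XML input file was improperly formed: " + str(e))

        for element in root:
            if element.tag != 'patchinfo':
                continue

            method = element.get('method', 'nomethod')
            if method != 'pagescan':
                # Elements have no .method attribute; report the value that was read
                debug.error("Unsupported patchinfo method " + method)
                continue

            patcher = PatcherObject(element.get('name', 'Unlabelled'))
            constraints = None
            # Reset per element, so a missing section can neither raise a
            # NameError nor reuse the section of the previous patchinfo
            patches = None
            for tag in element:
                if tag.tag == 'constraints':
                    constraints = tag
                if tag.tag == 'patches':
                    patches = tag

            if constraints is None:
                debug.error("Patch input file does not contain any valid constraints")
                continue

            # Parse the patches section
            if patches is not None:
                for tag in patches:
                    if tag.tag == 'setbytes':
                        offset = self.get_offset(tag)
                        # An empty element has text None; surrounding
                        # whitespace is not part of the hex string
                        data = binascii.a2b_hex((tag.text or "").strip())
                        if offset is not None and len(data):
                            patcher.add_patch(offset, data)

            if not len(patcher.get_patches()):
                # No patches, no point adding this one; the remaining
                # patchinfo elements are still processed
                continue

            # Parse the constraints section
            for c in constraints:
                if c.tag == 'match':
                    offset = self.get_offset(c)
                    data = binascii.a2b_hex((c.text or "").strip())
                    if offset is not None and len(data):
                        patcher.add_constraint(offset, data)

            if not len(patcher.get_constraints()):
                # A patcher without constraints matches every page, so its
                # patches would be written to the first page scanned
                debug.error("Patch input file does not contain any valid constraints")
                continue

            yield patcher
volatility_2.6+git20170711.b3db0cc/volatility/plugins/multiscan.py0000644000000000000000000000434113131215405023371 0ustar rootroot
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.plugins.filescan as filescan
import volatility.plugins.modscan as modscan
import volatility.plugins.gui.atoms as atoms
import volatility.plugins.gui.windowstations as windowstations
import volatility.plugins.sockscan as sockscan
import volatility.plugins.connscan as connscan
import volatility.plugins.netscan as netscan
import volatility.plugins.malware.callbacks as callbacks

class MultiScan(common.AbstractScanCommand):
    """Scan for various objects at once"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractScanCommand.__init__(self, config, *args, **kwargs)
        # Scanners used for every profile; calculate() adds the
        # version-dependent network and callback scanners
        self.scanners = [
            filescan.PoolScanFile,
            filescan.PoolScanDriver,
            filescan.PoolScanSymlink,
            filescan.PoolScanMutant,
            filescan.PoolScanProcess,
            modscan.PoolScanModule,
            modscan.PoolScanThread,
            atoms.PoolScanAtom,
            windowstations.PoolScanWind,
            ]

    def calculate(self):
        """Yields every object found by the configured scanners"""
        addr_space = utils.load_as(self._config)

        version = (addr_space.profile.metadata.get("major", 0),
                   addr_space.profile.metadata.get("minor", 0))

        # NOTE(review): the scanners are appended to self.scanners, so calling
        # calculate() twice on one instance registers them twice
        if version < (6, 0):
            self.scanners.append(sockscan.PoolScanSocket)
            self.scanners.append(connscan.PoolScanConn)
        else:
            self.scanners.append(netscan.PoolScanUdpEndpoint)
            self.scanners.append(netscan.PoolScanTcpListener)
            self.scanners.append(netscan.PoolScanTcpEndpoint)
            self.scanners.append(callbacks.PoolScanDbgPrintCallback)
            self.scanners.append(callbacks.PoolScanRegistryCallback)
            self.scanners.append(callbacks.PoolScanPnp9)
            self.scanners.append(callbacks.PoolScanPnpD)
            self.scanners.append(callbacks.PoolScanPnpC)

        self.scanners.append(callbacks.PoolScanFSCallback)
        self.scanners.append(callbacks.PoolScanShutdownCallback)
        self.scanners.append(callbacks.PoolScanGenericCallback)

        for objct in self.scan_results(addr_space):
            yield objct

    def render_text(self, outfd, data):
        """Writes the string form of each object to outfd, one per line"""
        for objct in data:
            # Write to the descriptor handed in by the framework instead of
            # printing to stdout, so the output follows outfd
            outfd.write(str(objct) + "\n")
volatility_2.6+git20170711.b3db0cc/volatility/plugins/bigpagepools.py0000644000000000000000000001777313131215405024062 0ustar rootroot
# Volatility
# Copyright (C) Michael Ligh
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.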
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.obj as obj
import volatility.debug as debug
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

#--------------------------------------------------------------------------------
# Profile Modifications
#--------------------------------------------------------------------------------

class PoolTrackTypeOverlay(obj.ProfileModification):
    # Overlays _POOL_TRACKER_BIG_PAGES so that PoolType uses the definition
    # copied from _POOL_DESCRIPTOR and Key reads as a 4 character string.

    # This ensures _POOL_DESCRIPTOR will be available,
    # so we can copy the PoolType enumeration
    before = ['WindowsVTypes']

    # PoolType didn't exist until Vista
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x : x >= 6}

    def modification(self, profile):
        profile.merge_overlay({
            '_POOL_TRACKER_BIG_PAGES': [ None, {
                'PoolType': [ None, profile.vtypes['_POOL_DESCRIPTOR'][1]['PoolType'][1]],
                'Key': [ None, ['String', dict(length = 4)]],
            }],
        })

#--------------------------------------------------------------------------------
# Volatility Magic
#--------------------------------------------------------------------------------

class BigPageTableMagic(obj.ProfileModification):
    """Determine the distance to the big page pool trackers"""

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        m = profile.metadata

        # Keyed by (major, minor, memory_model). Each value is a list of
        # candidate [base distance, size distance] pairs; generate_suggestions
        # subtracts them from the PoolTrackTable address.
        distance_map = {
            (5, 1, '32bit') : [[8, 12]],
            (5, 2, '32bit') : [[24, 28]],
            (5, 2, '64bit') : [[48, 56]],
            (6, 0, '32bit') : [[20, 24]],
            (6, 0, '64bit') : [[40, 48]],
            (6, 1, '32bit') : [[20, 24]],
            (6, 1, '64bit') : [[40, 48]],
            (6, 2, '32bit') : [[92, 88]],
            (6, 2, '64bit') : [[-5200, -5224]],
            (6, 3, '32bit') : [[116, 120]],
            (6, 4, '64bit') : [[208, 184], [168, 192], [176, 168], [48, 40], [32, 24], [24, 48], [56, 32]],
            (6, 4, '32bit') : [[-168, -164]],
            }

        version = (m.get('major', 0), m.get('minor', 0), m.get('memory_model', '32bit'))
        distance = distance_map.get(version)

        if distance == None:
            # 6.3 64bit is not in the map; its candidates depend on the build
            if version == (6, 3, '64bit'):
                if m.get('build', 0) == 9601:
                    distance = [[-5192, -5200], [-5224, -5232]]
                else:
                    distance = [[-5200, -5176], [-5224, -5232], [-5192, -5200]]

        # NOTE(review): for any other unlisted version distance stays None and
        # is passed on as such; BigPageTable.generate_suggestions iterates it
        profile.merge_overlay({
            'VOLATILITY_MAGIC': [ None, {
                'BigPageTable': [ 0, [ 'BigPageTable', dict(distance = distance)]],
            }]})

        profile.object_classes.update({'BigPageTable': BigPageTable})

class BigPageTable(obj.VolatilityMagic):
    """Find the directory of big page pools"""

    def __init__(self, *args, **kwargs):
        # Remove the value kwarg since overlaying one
        # on the other would give the value precedence
        kwargs.pop('value', None)

        # Save the distance argument for later
        self.distance = kwargs.get('distance', None)
        obj.VolatilityMagic.__init__(self, *args, **kwargs)

    def generate_suggestions(self):
        """The nt!PoolBigPageTable and nt!PoolBigPageTableSize
        are found relative to nt!PoolTrackTable"""

        track_table = tasks.get_kdbg(self.obj_vm).PoolTrackTable

        # Try each candidate pair and stop at the first one that gives a
        # non-zero size and a valid table base address
        for pair in self.distance:
            table_base = obj.Object("address",
                offset = track_table - pair[0],
                vm = self.obj_vm)

            table_size = obj.Object("address",
                offset = track_table - pair[1],
                vm = self.obj_vm)

            if table_size != 0 and self.obj_vm.is_valid_address(table_base):
                break

        # When no pair passed the check, the values of the last pair are
        # the ones logged and yielded below
        debug.debug("Distance Map: {0}".format(repr(self.distance)))
        debug.debug("PoolTrackTable: {0:#x}".format(track_table))
        debug.debug("PoolBigPageTable: {0:#x} => {1:#x}".format(table_base.obj_offset, table_base))
        debug.debug("PoolBigPageTableSize: {0:#x} => {1:#x}".format(table_size.obj_offset, table_size))
        yield table_base, table_size

#--------------------------------------------------------------------------------
# Big Page Pool Scanner
#--------------------------------------------------------------------------------

class BigPagePoolScanner(object):
    """Scanner for big page pools"""

    def __init__(self, kernel_space):
        self.kernel_space = kernel_space

    def scan(self, tags = []):
        """
        Scan for the pools by tag.

        @param tags: a list of pool tags to scan for,
        or empty for scanning for all tags.
        """

        (table_base, table_size) = \
            obj.VolMagic(self.kernel_space).BigPageTable.v()

        # table_size is a value read from the image and is used directly
        # as the number of tracker entries to walk
        pools = obj.Object('Array', targetType = '_POOL_TRACKER_BIG_PAGES',
            offset = table_base,
            count = table_size, vm = self.kernel_space
            )

        for pool in pools:
            if pool.Va.is_valid():
                if not tags or pool.Key in tags:
                    yield pool

#--------------------------------------------------------------------------------
# BigPools Plugin
#--------------------------------------------------------------------------------

class BigPools(common.AbstractWindowsCommand):
    """Dump the big page pools using BigPagePoolScanner"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('TAGS', short_option = 't', help = 'Pool tag to find')

    def calculate(self):
        kernel_space = utils.load_as(self._config)

        # TAGS is a comma separated list; an empty list means all tags
        if self._config.TAGS:
            tags = [tag for tag in self._config.TAGS.split(",")]
        else:
            tags = []

        for pool in BigPagePoolScanner(kernel_space).scan(tags):
            yield pool

    def unified_output(self, data):
        return TreeGrid([("Allocation", Address),
                       ("Tag", str),
                       ("PoolType", str),
                       ("NumberOfBytes", str)],
                        self.generator(data))

    def generator(self, data):
        # One row per pool tracker entry, at tree depth 0
        for entry in data:
            # Not available until Vista
            pool_type = ""
            if hasattr(entry, 'PoolType'):
                pool_type = entry.PoolType

            # Not available until Vista
            num_bytes = ""
            if hasattr(entry, 'NumberOfBytes'):
                num_bytes = hex(entry.NumberOfBytes)

            yield (0, [Address(entry.Va), str(entry.Key), str(pool_type), str(num_bytes)])

    def render_text(self, outfd, data):

        self.table_header(outfd, [("Allocation", "[addrpad]"),
                                  ("Tag", "8"),
                                  ("PoolType", "26"),
                                  ("NumberOfBytes", "")])

        for entry in data:

            # Not available until Vista
            pool_type = ""
            if hasattr(entry, 'PoolType'):
                pool_type = entry.PoolType

            # Not available until Vista
            num_bytes = ""
            if hasattr(entry, 'NumberOfBytes'):
                num_bytes = hex(entry.NumberOfBytes)

            self.table_row(outfd, entry.Va, entry.Key, pool_type, num_bytes)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/0000755000000000000000000000000013131215405022155 5ustar rootroot
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/linux_yarascan.py0000644000000000000000000001175513131215405025560 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.malware.malfind as malfind
import volatility.plugins.linux.pslist as pslist
import volatility.plugins.linux.common as linux_common
import volatility.utils as utils
import volatility.debug as debug

import re

# yara is optional at import time; linux_yarascan.calculate reports an
# error when it is missing
try:
    import yara
    has_yara = True
except ImportError:
    has_yara = False

class VmaYaraScanner(malfind.BaseYaraScanner):
    """A scanner over all memory regions of a process."""

    def __init__(self, task = None, **kwargs):
        """Scan the process address space through the VMAs.

        Args:
          task: The task_struct object for this task.
        """
        # task defaults to None in the signature but is dereferenced below,
        # so a task has to be supplied
        self.task = task
        malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)

    def scan(self, offset = 0, maxlen = None):
        # offset and maxlen are not used: every mapping returned by
        # get_proc_maps() is scanned over its full length
        for vma in self.task.get_proc_maps():
            for match in malfind.BaseYaraScanner.scan(self, vma.vm_start, vma.vm_end - vma.vm_start):
                yield match

# NOTE(review): the class docstring below does not describe a Yara scan and
# looks carried over from another plugin; it is left untouched here.
class linux_yarascan(malfind.YaraScan):
    """A shell in the Linux memory image"""

    @staticmethod
    def is_valid_profile(profile):
        return profile.metadata.get('os', 'Unknown').lower() == 'linux'

    def filter_tasks(self):
        # Returns the tasks to scan: those selected by PID (comma separated
        # list), else those whose comm matches the NAME regular expression
        # (case-insensitive), else all tasks from linux_pslist
        tasks = pslist.linux_pslist(self._config).calculate()

        if self._config.PID is not None:
            try:
                pidlist = [int(p) for p in self._config.PID.split(',')]
            except ValueError:
                debug.error("Invalid PID {0}".format(self._config.PID))

            pids = [t for t in tasks if t.pid in pidlist]
            if len(pids) == 0:
                debug.error("Cannot find PID {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.PID))
            return pids

        if self._config.NAME is not None:
            try:
                name_re = re.compile(self._config.NAME, re.I)
            except re.error:
                debug.error("Invalid name {0}".format(self._config.NAME))

            names = [t for t in tasks if name_re.search(str(t.comm))]
            if len(names) == 0:
                debug.error("Cannot find name {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.NAME))
            return names

        return tasks

    def calculate(self):
        # Yields (task, address, hit, buffer) tuples; task is None for hits
        # found in kernel memory

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the linux plugin address spaces
        linux_common.set_plugin_members(self)

        if self._config.KERNEL:
            ## the start of kernel memory taken from VolatilityLinuxIntelValidAS
            if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
                kernel_start = 0xc0000000
            else:
                kernel_start = 0xffffffff80000000

            scanner = malfind.DiscontigYaraScanner(rules = rules,
                                                   address_space = self.addr_space)

            for hit, address in scanner.scan(start_offset = kernel_start):
                # The buffer starts REVERSE bytes before the hit and is SIZE bytes long
                yield (None, address, hit,
                        scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
        else:
            tasks = self.filter_tasks()
            for task in tasks:
                scanner = VmaYaraScanner(task = task, rules = rules)
                for hit, address in scanner.scan():
                    yield (task, address, hit,
                            scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))

    def render_text(self, outfd, data):
        # One header line per hit followed by a hexdump of the buffer
        for task, address, hit, buf in data:
            if task:
                outfd.write("Task: {0} pid {1} rule {2} addr {3:#x}\n".format(
                    task.comm, task.pid, hit.rule, address))
            else:
                outfd.write("[kernel] rule {0} addr {1:#x}\n".format(hit.rule, address))

            outfd.write("".join(["{0:#010x} {1:<48} {2}\n".format(
                address + o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)]))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/process_hollow.py0000644000000000000000000001077413131215405025602 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.
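# You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.addrspace as addrspace
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist

class linux_process_hollow(linux_pslist.linux_pslist):
    """Checks for signs of process hollowing"""

    def __init__(self, config, *args, **kwargs):
        linux_pslist.linux_pslist.__init__(self, config, *args, **kwargs)
        self._config.add_option('BASE', short_option = 'b', default = None, help = 'The address of the ELF file in memory', action = 'store', type='long' )
        self._config.add_option('PATH', short_option = 'P', default = None, help = 'The path of the known good file', action = 'store', type='str')

    # TODO:
    # make aware of if application or library
    # check the class, then do offset + base based on that
    def calculate(self):
        """Compare in-memory functions with a known-good copy of the binary.

        The file given with PATH is parsed as an ELF image. For every mapping
        that starts at BASE, each symbol with a non-zero value and type 2 in
        the low nibble of st_info is read from process memory and from the
        file. Yields (task, symbol name, address) for every symbol whose bytes
        differ; symbols that cannot be read from memory are reported on
        stdout.
        """
        linux_common.set_plugin_members(self)

        if not self._config.BASE:
            debug.error("No base address specified.")

        if not self._config.PATH:
            debug.error("No known-good path specified.")

        # The whole reference file is held in memory and wrapped in a buffer
        # address space, so it can be parsed with the profile's ELF types
        with open(self._config.PATH, "rb") as fd:
            known_good = fd.read()

        bufferas = addrspace.BufferAddressSpace(self._config, data = known_good)
        elf_hdr = obj.Object("elf_hdr", offset = 0, vm = bufferas)

        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:
            proc_as = task.get_process_address_space()

            for vma in task.get_proc_maps():
                if self._config.BASE != vma.vm_start:
                    continue

                for sym in elf_hdr.symbols():
                    if sym.st_value == 0 or (sym.st_info & 0xf) != 2:
                        continue

                    symname = elf_hdr.symbol_name(sym)

                    sym_offset = sym.st_value

                    # in the same vma
                    if vma.vm_start < sym.st_value < vma.vm_end:
                        vm_start = vma.vm_start
                        sym_offset = sym_offset - vm_start
                        full_address = sym.st_value
                    else:
                        next_vma = vma.vm_next
                        if next_vma.vm_start < sym.st_value < next_vma.vm_end:
                            vm_start = next_vma.vm_start
                            sym_offset = sym.st_value - vm_start
                            full_address = sym.st_value
                        else:
                            # The symbol value is taken as an offset from the
                            # mapping. vm_start was left unset on this path,
                            # which raised a NameError for the first symbol or
                            # reused the value left over from the previous
                            # one; the read below now targets full_address.
                            vm_start = vma.vm_start
                            full_address = vma.vm_start + sym.st_value

                    mem_buffer = proc_as.read(vm_start + sym_offset, sym.st_size)

                    if sym.st_value > vma.vm_start:
                        disk_off = sym.st_value - vm_start
                    else:
                        disk_off = sym.st_value

                    disk_buffer = bufferas.read(disk_off, sym.st_size)

                    # bad
                    if mem_buffer != None and disk_buffer != mem_buffer:
                        yield task, symname, full_address
                    elif mem_buffer == None:
                        # Nothing to compare, so this symbol is neither
                        # confirmed nor flagged
                        print("Function %s paged out in memory" % symname)

    def render_text(self, outfd, data):
        """Write one table row per modified symbol"""
        self.table_header(outfd, [("Task", "16"),
                                  ("PID", "6"),
                                  ("Symbol Name", "32"),
                                  ("Symbol Address", "[addrpad]"),
                                  ])

        for (task, symname, address) in data:
            self.table_row(outfd, str(task.comm), task.pid, symname, address)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/recover_filesystem.py0000644000000000000000000000714113131215405026443 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.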
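#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.find_file as linux_find_file

class linux_recover_filesystem(linux_common.AbstractLinuxCommand):
    """Recovers the entire cached file system from memory"""

    # File names, contents, modes, owners and timestamps all come from the
    # memory image under analysis and are treated as untrusted input: every
    # output path is checked to stay inside DUMP_DIR before it is used.

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'Output directory', action = 'store', type = 'str')

    def _contained_path(self, ents):
        """Join path components below DUMP_DIR and check the result.

        Returns the resolved output path, or None (after a warning) when the
        components, for instance through '..' entries or a symlink already
        present in the dump directory, would lead outside DUMP_DIR.
        """
        base = os.path.realpath(self._config.DUMP_DIR)
        out_path = os.path.realpath(os.path.join(base, *ents))

        # os.path.join(base, "") gives base with exactly one trailing separator
        if out_path != base and not out_path.startswith(os.path.join(base, "")):
            debug.warning("Refusing path outside the dump directory: %s" % out_path)
            return None

        return out_path

    def _fix_metadata(self, file_path, file_dentry):
        """Apply the recorded mode, owner and times to a recovered entry"""
        inode = file_dentry.d_inode

        if inode and inode.is_valid():
            out_path = self._contained_path(file_path.split("/"))
            if out_path is None:
                return

            try:
                # Only the permission bits are restored; setuid, setgid and
                # sticky bits from the image are masked out
                os.chmod(out_path, inode.i_mode & 0o777)
                os.chown(out_path, inode.i_uid, inode.i_gid)
                os.utime(out_path, (inode.i_atime.tv_sec, inode.i_mtime.tv_sec))
            except OSError as e:
                # The entry may not exist (its write failed) or the caller may
                # lack the privilege to change ownership: keep recovering
                debug.warning("Unable to restore metadata: %s : %s" % (out_path, str(e)))

    def _write_file(self, ff, file_path, file_dentry):
        """Write the cached pages of a non-directory inode below DUMP_DIR"""
        inode = file_dentry.d_inode

        if inode and inode.is_valid() and not inode.is_dir():
            out_path = self._contained_path(file_path.split("/"))
            if out_path is None:
                return

            try:
                fd = open(out_path, "wb")
            except IOError as e:
                debug.warning("Unable to process file: %s : %s" % (out_path, str(e)))
                return

            try:
                for page in ff.get_file_contents(inode):
                    fd.write(page)
            finally:
                # Release the descriptor even when reading the pages fails
                fd.close()

    def _make_path(self, file_path, file_dentry):
        """Create the directory for an entry (the entry itself if it is one)"""
        inode = file_dentry.d_inode

        if inode.is_dir():
            ents = file_path.split("/")
        else:
            ents = file_path.split("/")[:-1]

        out_path = self._contained_path(ents)
        if out_path is None:
            return

        try:
            os.makedirs(out_path)
        except OSError:
            # Typically the directory already exists
            pass

    def calculate(self):
        """Recover every entry found by linux_find_file.walk_sbs().

        Yields a single number: the count of entries walked, which includes
        directories and entries that could not be written.
        """
        linux_common.set_plugin_members(self)

        num_files = 0

        if (not self._config.DUMP_DIR or not os.path.isdir(self._config.DUMP_DIR)):
            debug.error("Please specify an existing output dir (--dump-dir)")

        ff = linux_find_file.linux_find_file(self._config)

        for (_, _, file_path, file_dentry) in ff.walk_sbs():
            self._make_path(file_path, file_dentry)
            self._write_file(ff, file_path, file_dentry)
            self._fix_metadata(file_path, file_dentry)

            num_files = num_files + 1

        yield num_files

    def render_text(self, outfd, data):
        for (num_files) in data:
            outfd.write("Recovered %d files\n" % num_files)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/malfind.py0000644000000000000000000000543513131215405024150 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .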
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.utils as utils import volatility.plugins.malware.malfind as malfind import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.pslist as linux_pslist class linux_malfind(linux_pslist.linux_pslist): """Looks for suspicious process mappings""" def render_text(self, outfd, data): linux_common.set_plugin_members(self) if self.addr_space.profile.metadata.get('memory_model', '32bit') == '32bit': bits = '32bit' else: bits = '64bit' for task in data: proc_as = task.get_process_address_space() for vma in task.get_proc_maps(): if vma.is_suspicious(): fname = vma.vm_name(task) if fname == "[vdso]": continue prots = vma.protection() flags = vma.flags() content = proc_as.zread(vma.vm_start, 64) outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format( task.comm, task.pid, vma.vm_start, fname)) outfd.write("Protection: {0}\n".format(prots)) outfd.write("Flags: {0}\n".format(str(flags))) outfd.write("\n") outfd.write("{0}\n".format("\n".join( ["{0:#016x} {1:<48} {2}".format(vma.vm_start + o, h, ''.join(c)) for o, h, c in utils.Hexdump(content) ]))) outfd.write("\n") outfd.write("\n".join( ["{0:#x} {1:<16} {2}".format(o, h, i) for o, i, h in malfind.Disassemble(content, vma.vm_start, bits = bits) ])) outfd.write("\n\n") volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/sk_buff_cache.py0000644000000000000000000000537213131215405025300 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
from volatility.plugins.linux.slab_info import linux_slabinfo

class linux_sk_buff_cache(linux_common.AbstractLinuxCommand):
    """Recovers packets from the sk_buff kmem_cache"""

    def __init__(self, config, *args, **kwargs):
        # Output directory, filled in by calculate() from DUMP_DIR
        self.edir = None
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('UNALLOCATED', short_option = 'u', default = False, help = 'Show unallocated', action = 'store_true')
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'output directory for recovered packets', action = 'store', type = 'str')

    def write_sk_buff(self, s):
        """Dump the data of one sk_buff and yield a status message.

        The output file is named after the hexadecimal offset of the sk_buff
        object. Nothing is written, and nothing yielded, when the recorded
        length is outside the range 1 .. 0x6400000 - 1.
        """
        pkt_len = s.len

        # keep sane sized packets
        if not (0 < pkt_len < 0x6400000):
            return

        payload = self.addr_space.zread(s.data, pkt_len)

        fname = "{0:x}".format(s.obj_offset)
        target = os.path.join(self.edir, fname)

        fd = open(target, "wb")
        fd.write(payload)
        fd.close()

        yield "Wrote {0:d} bytes to {1:s}".format(pkt_len, fname)

    def walk_cache(self, cache_name):
        """Yield the status messages for every sk_buff in the named cache"""
        slab = linux_slabinfo(self._config)
        cache = slab.get_kmem_cache(cache_name, self._config.UNALLOCATED, struct_name = "sk_buff")

        if not cache:
            return

        for skb in cache:
            for msg in self.write_sk_buff(skb):
                yield msg

    def calculate(self):
        """Walk both sk_buff caches and dump their packets to DUMP_DIR"""
        linux_common.set_plugin_members(self)

        self.edir = self._config.DUMP_DIR
        if not self.edir:
            debug.error("No output directory given.")

        for cache_name in ("skbuff_head_cache", "skbuff_fclone_cache"):
            for msg in self.walk_cache(cache_name):
                yield msg

    def render_text(self, outfd, data):
        for line in data:
            outfd.write("{0:s}\n".format(line))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/psenv.py0000644000000000000000000000331413131215405023663 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.linux.pslist as linux_pslist
from volatility.renderers import TreeGrid

class linux_psenv(linux_pslist.linux_pslist):
    '''Gathers processes along with their static environment variables'''

    # Process environments often hold credentials such as tokens or
    # passwords, so the output of this plugin should be handled as
    # sensitive case data.

    def unified_output(self, data):
        columns = [("Name", str),
                   ("Pid", int),
                   ("Environment", str)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        # One row per task, at tree depth 0
        for task in data:
            row = [str(task.comm),
                   int(task.pid),
                   str(task.get_environment())]
            yield (0, row)

    def render_text(self, outfd, data):
        header = "{0:6s} {1:6s} {2:12s}\n".format("Name", "Pid", "Environment")
        outfd.write(header)

        for task in data:
            name = str(task.comm)
            pid = str(task.pid)
            outfd.write("{0:17s} {1:6s} {2:s}\n".format(name, pid, task.get_environment()))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/kernel_opened_files.py0000644000000000000000000001110313131215405026517 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of
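# Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist
from volatility.renderers.basic import Address
from volatility.renderers import TreeGrid

class linux_kernel_opened_files(linux_common.AbstractLinuxCommand):
    """Lists files that are opened from within the kernel"""

    # The lists walked below are read from the memory image. A damaged or
    # tampered image can contain a chain that loops back on itself, so both
    # walkers remember the addresses already visited and stop on a repeat.

    def _walk_node_hash(self, node):
        """Follow a chain through dentry.d_hash.next.

        Yields (node, index) for every node after the first one.
        """
        last_node = None
        cnt = 0
        seen = set()

        hash_offset = self.addr_space.profile.get_obj_offset("dentry", "d_hash")

        while node.is_valid() and node != last_node and node.v() not in seen:
            if cnt > 0:
                yield node, cnt

            # The node is embedded in a dentry at hash_offset
            dentry = obj.Object("dentry", offset = node.v() - hash_offset, vm = self.addr_space)

            cnt = cnt + 1

            seen.add(node.v())
            last_node = node
            node = dentry.d_hash.next

    def _walk_node_node(self, node):
        """Follow a chain through node.next.

        Yields (node, index) for every node after the first one.
        """
        last_node = None
        cnt = 0
        seen = set()

        while node.is_valid() and node != last_node and node.v() not in seen:
            if cnt > 0:
                yield node, cnt

            cnt = cnt + 1

            seen.add(node.v())
            last_node = node
            node = node.next

    def _walk_node(self, node):
        """Yield the starting node, then the results of both walkers.

        NOTE(review): the first loop rebinds `node`, so the hash walk starts
        from the last node the first walk yielded; kept as in the original.
        """
        yield node, 0

        for node, cnt in self._walk_node_node(node):
            yield node, cnt

        for node, cnt in self._walk_node_hash(node):
            yield node, cnt

    def _gather_dcache(self):
        """Return a dict keyed by the address of every dentry in the hash table"""
        d_hash_shift = obj.Object("unsigned int", offset =self.addr_space.profile.get_symbol("d_hash_shift"), vm = self.addr_space)
        # The number of buckets is derived from a value read from the image
        loop_max = 1 << d_hash_shift

        d_htable_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("dentry_hashtable"), vm = self.addr_space)

        arr = obj.Object(theType = "Array", targetType = "hlist_bl_head", offset = d_htable_ptr, vm = self.addr_space, count = loop_max)

        hash_offset = self.addr_space.profile.get_obj_offset("dentry", "d_hash")

        dents = {}

        for list_head in arr:
            if not list_head.first.is_valid():
                continue

            # The lowest bit of the head pointer is cleared before use
            node = obj.Object("hlist_bl_node", offset = list_head.first & ~1, vm = self.addr_space)

            for node, cnt in self._walk_node(node):
                dents[node.v() - hash_offset] = 0

        return dents

    def _compare_filps(self):
        """Yield dentry addresses referenced by tasks but absent from the table.

        Checks the open files of every task first, then the files backing
        the memory mappings of every task.
        """
        dcache = self._gather_dcache()

        tasks = linux_pslist.linux_pslist(self._config).calculate()
        for task in tasks:
            for filp, i in task.lsof():
                val = filp.dentry.v()
                if not val in dcache:
                    yield val

        procs = linux_pslist.linux_pslist(self._config).calculate()
        for proc in procs:
            for vma in proc.get_proc_maps():
                if vma.vm_file:
                    val = vma.vm_file.dentry.v()
                    if not val in dcache:
                        yield val

    def calculate(self):
        linux_common.set_plugin_members(self)

        for dentry_offset in self._compare_filps():
            dentry = obj.Object("dentry", offset = dentry_offset, vm = self.addr_space)

            # NOTE(review): 128 is a literal d_flags value; its meaning is not
            # visible in this file
            if dentry.d_count > 0 and dentry.d_inode.is_reg() and dentry.d_flags == 128:
                yield dentry

    def generator(self, data):
        for dentry in data:
            # A row is (depth, [values]), as in the other plugin generators;
            # the original yielded a flat 3-tuple here
            yield (0, [Address(dentry.obj_offset), str(dentry.get_partial_path())])

    def unified_output(self, data):
        return TreeGrid([("Offset (V)", Address),
                         ("Partial File Path", str)],
                        self.generator(data))

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Offset (V)", "[addrpad]"), ("Partial File Path", "")])

        for dentry in data:
            self.table_row(outfd, dentry.obj_offset, dentry.get_partial_path())
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/lsof.py0000644000000000000000000000413113131215405023471 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.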
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
"""

import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist
from volatility.renderers.basic import Address
from volatility.renderers import TreeGrid

class linux_lsof(linux_pslist.linux_pslist):
    """Lists file descriptors and their path"""

    def unified_output(self, data):
        """Describe the output columns and attach the row generator."""
        columns = [("Offset",Address),
                   ("Name",str),
                   ("Pid", int),
                   ("FD", int),
                   ("Path", str)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Produce one row per open file descriptor of every process in data."""
        for proc in data:
            for open_file, fd_num in proc.lsof():
                # Name and Path are whatever the image holds; nothing is
                # normalised or validated before it is rendered.
                row = [Address(proc.obj_offset),
                       str(proc.comm),
                       int(proc.pid),
                       int(fd_num),
                       str(linux_common.get_path(proc, open_file))]
                yield (0, row)

    def render_text(self, outfd, data):
        """Write the same information as a fixed-width text table."""
        header = [("Offset","#018x"),
                  ("Name","30"),
                  ("Pid", "8"),
                  ("FD", "8"),
                  ("Path", "")]
        self.table_header(outfd, header)

        for proc in data:
            for open_file, fd_num in proc.lsof():
                self.table_row(outfd,
                               Address(proc.obj_offset),
                               str(proc.comm),
                               proc.pid,
                               fd_num,
                               linux_common.get_path(proc, open_file))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/vma_cache.py0000644000000000000000000000524413131215405024442 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
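#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
from volatility.plugins.linux.slab_info import linux_slabinfo

class linux_vma_cache(linux_common.AbstractLinuxCommand):
    """Gather VMAs from the vm_area_struct cache"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('UNALLOCATED', short_option = 'u',
                        default = False,
                        help = 'Show unallocated',
                        action = 'store_true')

    def calculate(self):
        """Yield (task_name, pid, start, end, path) for each cached vm_area_struct.

        Owner and path fall back to empty strings when the profile has no
        mm_struct.owner member or the relevant pointer is not valid.
        """
        linux_common.set_plugin_members(self)

        has_owner = self.profile.obj_has_member("mm_struct", "owner")

        cache = linux_slabinfo(self._config).get_kmem_cache("vm_area_struct", self._config.UNALLOCATED)

        for vm in cache:
            start = vm.vm_start
            end = vm.vm_end

            if has_owner and vm.vm_mm and vm.vm_mm.is_valid():
                task = vm.vm_mm.owner
                (task_name, pid) = (task.comm, task.pid)
            else:
                (task_name, pid) = ("", "")

            if vm.vm_file and vm.vm_file.is_valid():
                path = vm.vm_file.dentry.get_partial_path()
            else:
                path = ""

            yield task_name, pid, start, end, path

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Process", "16"),
                          ("PID", "6"),
                          ("Start", "[addrpad]"),
                          ("End", "[addrpad]"),
                          ("Path", "")])

        for task_name, pid, start, end, path in data:
            self.table_row(outfd, task_name, pid, start, end, path)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/iomem.py0000644000000000000000000000403313131215405023635 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common

class linux_iomem(linux_common.AbstractLinuxCommand):
    """Provides output similar to /proc/iomem"""

    def yield_resource(self, io_res, depth = 0, seen = None):
        """Flatten a resource tree into a list of (depth, name, start, end).

        @param io_res: resource to start from; a false value ends the walk
        @param depth:  nesting level recorded for io_res and its siblings
        @param seen:   set of addresses already visited (created on first call)
        @return: list of tuples, each node followed by its children and then
                 by its siblings

        The child and sibling pointers come straight from the memory image.
        Siblings are followed in a loop and every visited address is
        remembered, so a long sibling chain or a pointer cycle in a damaged or
        tampered image ends the walk instead of exhausting the recursion limit.
        """
        if seen is None:
            seen = set()

        output = []

        while io_res:
            addr = io_res.v()
            if addr in seen:
                break
            seen.add(addr)

            name = io_res.name.dereference_as("String", length = linux_common.MAX_STRING_LENGTH)
            start = io_res.start
            end = io_res.end

            output.append((depth, name, start, end))
            output += self.yield_resource(io_res.child, depth + 1, seen)

            io_res = io_res.sibling

        return output

    def calculate(self):
        """Yield every entry below the kernel's iomem_resource root."""
        linux_common.set_plugin_members(self)

        io_ptr = self.addr_space.profile.get_symbol("iomem_resource")
        io_res = obj.Object("resource", offset = io_ptr, vm = self.addr_space)

        for r in self.yield_resource(io_res.child):
            yield r

    def render_text(self, outfd, data):
        for output in data:
            depth, name, start, end = output
            outfd.write("{0:35s}\t0x{1:<16X}\t0x{2:<16X}\n".format((" " * depth) + name, start, end))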
# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/enumerate_files.py0000644000000000000000000000375713131215405025712 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.find_file as linux_find_file
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class linux_enumerate_files(linux_common.AbstractLinuxCommand):
    """Lists files referenced by the filesystem cache"""

    def calculate(self):
        """Yield (inode, inode number, path) for each entry walk_sbs() returns."""
        linux_common.set_plugin_members(self)

        finder = linux_find_file.linux_find_file(self._config)

        # only the last two fields of each walk_sbs() entry are used here
        for (_, _, cached_path, cached_dentry) in finder.walk_sbs():
            ino_obj = cached_dentry.d_inode
            yield ino_obj, ino_obj.i_ino, cached_path

    def unified_output(self, data):
        """Describe the output columns and attach the row generator."""
        columns = [("Inode Address", Address),
                   ("Inode Number", int),
                   ("Path", str)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Convert the calculate() tuples into TreeGrid rows."""
        for ino_obj, ino_num, file_path in data:
            cells = [Address(ino_obj.v()), int(ino_num), str(file_path)]
            yield (0, cells)

    def render_text(self, outfd, data):
        """Write the same information as a text table."""
        header = [("Inode Address", "[addr]"),
                  ("Inode Number", "25"),
                  ("Path", "")]
        self.table_header(outfd, header)

        for ino_obj, ino_num, file_path in data:
            self.table_row(outfd, ino_obj, ino_num, file_path)
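# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/lime.py0000644000000000000000000000344113131215405023457 0ustar rootroot
# Volatility
# Copyright (C) 2009-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

# `debug` is needed by calculate(); without this import the error path for a
# non-LiME image raised NameError instead of reporting the problem.
import volatility.debug as debug
import volatility.plugins.crashinfo as crashinfo
import volatility.plugins.linux.common as linux_common

class LiMEInfo(linux_common.AbstractLinuxCommand):
    """Dump Lime file format information"""

    # class names of the address spaces this plugin reports on
    target_as = ['LimeAddressSpace']

    def calculate(self):
        """Determines the address space

        Walks the stacked address spaces through their `base` attribute and
        returns the last one whose class name is listed in target_as.  When
        none matches, the problem is reported through debug.error().
        """
        linux_common.set_plugin_members(self)

        result = None
        adrs = self.addr_space
        while adrs:
            if adrs.__class__.__name__ in self.target_as:
                result = adrs
            adrs = adrs.base

        if result is None:
            debug.error("Memory Image could not be identified as {0}".format(self.target_as))

        return result

    def render_text(self, outfd, data):
        """Print start, end and size of every run of the address space.

        Each run is indexed as seg[0] (start) and seg[2] (size); the end
        column is start + size - 1.
        """
        self.table_header(outfd, [("Memory Start", "[addrpad]"),
                                  ("Memory End", "[addrpad]"),
                                  ("Size", "[addrpad]")])

        for seg in data.runs:
            self.table_row(outfd, seg[0], seg[0] + seg[2] - 1, seg[2])

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/check_modules.py0000644000000000000000000000602413131215405025336 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.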
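#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.lsmod as linux_lsmod
import volatility.plugins.linux.common as linux_common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class linux_check_modules(linux_common.AbstractLinuxCommand):
    """Compares module list to sysfs info, if available"""

    def get_kset_modules(self):
        """Return {module name: module object} for entries of the module kset.

        Only entries with a valid name and a kobject reference count above 2
        are kept.  Names are read with a fixed length of 32.
        """
        module_kset_addr = self.profile.get_symbol("module_kset")
        if not module_kset_addr:
            debug.error("This command is not supported by this profile.")

        ret = {}

        module_kset = obj.Object("kset", offset = module_kset_addr, vm = self.addr_space)

        for kobj in module_kset.list.list_of_type("kobject", "entry"):
            # the kobject is embedded in a module_kobject; step back to its start
            kobj_off = self.profile.get_obj_offset("module_kobject", "kobj")
            mod_kobj = obj.Object("module_kobject", offset = kobj.v() - kobj_off, vm = self.addr_space)
            mod = mod_kobj.mod

            name = kobj.name.dereference_as("String", length = 32)
            if name.is_valid() and kobj.kref.refcount.counter > 2:
                ret[str(name)] = mod

        return ret

    def calculate(self):
        """Yield modules that appear in the sysfs kset but not in the module list.

        The two sources are compared by name only.  A module missing from both
        lists is not reported, and two modules sharing a name are treated as
        one entry, so an empty result does not by itself rule out a hidden
        module.
        """
        linux_common.set_plugin_members(self)

        kset_modules = self.get_kset_modules()

        lsmod_modules = set([str(module.name) for (module, params, sects) in linux_lsmod.linux_lsmod(self._config).calculate()])

        for mod_name in set(kset_modules.keys()).difference(lsmod_modules):
            yield kset_modules[mod_name]

    def unified_output(self, data):
        return TreeGrid([("ModuleAddress", Address),
                         ("ModuleName", str)],
                        self.generator(data))

    def generator(self, data):
        for mod in data:
            yield (0, [Address(mod), str(mod.name)])

    def render_text(self, outfd, data):
        # the third format code was misspelled "[addreess]"; all three address
        # columns now use the same code
        self.table_header(outfd, [("Module Address", "[address]"),
                                  ("Core Address", "[address]"),
                                  ("Init Address", "[address]"),
                                  ("Module Name", "24")])

        for mod in data:
            self.table_row(outfd, mod, mod.module_core, mod.module_init, str(mod.name))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/dentry_cache.py0000644000000000000000000000472113131215405025163 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.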
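#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.linux.common as linux_common
from volatility.plugins.linux.slab_info import linux_slabinfo

class linux_dentry_cache(linux_common.AbstractLinuxCommand):
    """Gather files from the dentry cache"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('UNALLOCATED', short_option = 'u',
                        default = False,
                        help = 'Show unallocated',
                        action = 'store_true')

    def make_body(self, dentry):
        """Create a pipe-delimited bodyfile from a dentry structure.

        MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime

        Every line carries the eleven fields listed above.  A dentry without
        an inode gets zeros for everything after the name; this branch used to
        emit only ten fields, one short of the documented layout.

        NOTE(review): the path is taken from the image and written unescaped;
        a name containing '|' or a newline shifts or splits the fields that a
        timeline tool reads downstream.
        NOTE(review): i_ctime is written to the last slot and the ctime slot is
        always 0 -- confirm that this matches the intended field order.
        """
        path = dentry.get_partial_path() or ""
        i = dentry.d_inode

        if i:
            ret = [0, path, i.i_ino, 0, i.i_uid, i.i_gid, i.i_size, i.i_atime, i.i_mtime, 0, i.i_ctime]
        else:
            # name plus nine zero placeholders: same field count as above
            ret = [0, path] + [0] * 9

        ret = "|".join([str(val) for val in ret])
        return ret

    def calculate(self):
        """Yield one bodyfile line per dentry found in the slab cache."""
        linux_common.set_plugin_members(self)

        cache = linux_slabinfo(self._config).get_kmem_cache("dentry", self._config.UNALLOCATED)

        # support for old kernels
        if cache == []:
            cache = linux_slabinfo(self._config).get_kmem_cache("dentry_cache", self._config.UNALLOCATED, struct_name = "dentry")

        for dentry in cache:
            yield self.make_body(dentry)

    def render_text(self, outfd, data):
        for bodyline in data:
            outfd.write(bodyline + "\n")

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/process_info.py0000644000000000000000000006366513131215405025240 0ustar rootroot
#
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.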
# # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA """ @author: Edwin Smulders @license: GNU General Public License 2.0 or later @contact: mail@edwinsmulders.eu """ import struct import collections import itertools import volatility.plugins.linux.pslist as linux_pslist import volatility.plugins.linux.proc_maps as linux_proc_maps import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.threads as linux_threads # Because we want to address registers like "registers.eip" # TODO: replace with linux_info_regs registers = collections.namedtuple('registers', [ 'r15', 'r14', 'r13', 'r12', 'rbp', 'rbx', 'r11', 'r10', 'r9', 'r8', 'rax', 'rcx', 'rdx', 'rsi', 'rdi', 'unknown', 'rip', 'cs', 'eflags', 'rsp', 'ss' ]) # TODO: these were the initial registers, they might be valid for x86 # To investigate: view kernel stack using this module # compare using "info r" in gdb. # registers = collections.namedtuple('registers', # ['bla1', 'bla2','bla3','bla4', 'ebx', 'ecx', 'edx', # 'esi', 'edi', 'ebp', # 'eax', 'eds', 'ees', # 'efs', 'egs', 'orig_eax', # 'eip', 'ecs', 'flags', # 'esp', 'ess', # ]) #test #registers = collections.namedtuple('registers', ['ebx', 'ecx', 'edx', 'esi', 'edi', 'ebp', 'eax', 'eds', 'ees', 'efs', 'egs', 'orig_eax', 'eip', 'ecs', 'flags', 'esp', 'ess']) address_size = 8 # Helper functions def null_list(pages, size): """ Split a section (divided by pages) on 0-bytes. @param pages: a list of pages @param size: total size of the section @return: a list of strings """ res = [] for page in pages: if size > 4096: size -= 4096 else: page = page[:size] for s in page.split('\0'): if s != "": res.append(s) return res def int_list(pages, size): """ Split a range into integers. Will split into words (e.g. 4 or 8 bytes). 
@param pages: a list of pages @param size: total size of the section @return: a list of word-sized integers """ if address_size == 4: fmt = ". # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.plugins.linux.common as linux_common import volatility.obj as obj from volatility.renderers import TreeGrid class linux_cpuinfo(linux_common.AbstractLinuxIntelCommand): """Prints info about each active processor""" def calculate(self): linux_common.set_plugin_members(self) cpus = self.online_cpus() if len(cpus) > 1 and self.get_per_cpu_symbol("cpu_info"): func = self.get_info_smp elif self.get_per_cpu_symbol("boot_cpu_data"): func = self.get_info_single else: raise AttributeError, "Unable to get CPU info for memory capture" for (i, cpu) in func(): yield i, cpu.x86_vendor_id, cpu.x86_model_id def get_info_single(self): cpu = obj.Object("cpuinfo_x86", offset = self.addr_space.profile.get_symbol("boot_cpu_data"), vm = self.addr_space) yield 0, cpu def get_info_smp(self): """ pulls the per_cpu cpu info will break apart the per_cpu code if a future plugin needs it """ for i, cpu in self.walk_per_cpu_var("cpu_info", "cpuinfo_x86"): yield i, cpu def get_per_cpu_symbol(self, sym_name, module = "kernel"): """ In 2.6.3x, Linux changed how the symbols for per_cpu variables were named This handles both formats so plugins needing per-cpu vars are cleaner """ ret = self.addr_space.profile.get_symbol(sym_name, module = module) if not ret: ret = self.addr_space.profile.get_symbol("per_cpu__" + sym_name, module = module) return ret def online_cpus(self): """ returns a list of online cpus (the processor numbers) """ cpu_online_bits_addr = self.addr_space.profile.get_symbol("cpu_online_bits") cpu_present_map_addr = self.addr_space.profile.get_symbol("cpu_present_map") cpu_present_mask_addr = self.addr_space.profile.get_symbol("__cpu_present_mask") #later kernels.. 
if cpu_online_bits_addr: bmap = obj.Object("unsigned long", offset = cpu_online_bits_addr, vm = self.addr_space) elif cpu_present_map_addr: bmap = obj.Object("unsigned long", offset = cpu_present_map_addr, vm = self.addr_space) elif cpu_present_mask_addr: bmap = obj.Object("unsigned long", offset = cpu_present_mask_addr, vm = self.addr_space) else: raise AttributeError, "Unable to determine number of online CPUs for memory capture" cpus = [] for i in range(32): if bmap & (1 << i): cpus.append(i) return cpus def walk_per_cpu_var(self, per_var, var_type): cpus = self.online_cpus() # get the highest numbered cpu max_cpu = cpus[-1] + 1 offset_var = self.addr_space.profile.get_symbol("__per_cpu_offset") per_offsets = obj.Object(theType = 'Array', targetType = 'unsigned long', count = max_cpu, offset = offset_var, vm = self.addr_space) for i in range(max_cpu): offset = per_offsets[i] cpu_var = self.get_per_cpu_symbol(per_var) addr = cpu_var + offset.v() var = obj.Object(var_type, offset = addr, vm = self.addr_space) yield i, var def unified_output(self, data): return TreeGrid([("Processor", int), ("Vendor", str), ("Model", str)], self.generator(data)) def generator(self, data): for i, vendor_id, model_id in data: yield (0, [int(i), str(vendor_id), str(model_id)]) def render_text(self, outfd, data): self.table_header(outfd, [("Processor", "12"), ("Vendor", "16"), ("Model", "")]) for i, vendor_id, model_id in data: self.table_row(outfd, str(i), vendor_id, model_id) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/netstat.py0000644000000000000000000000452713131215405024221 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
# # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import socket import volatility.obj as obj import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.lsof as linux_lsof import volatility.plugins.linux.pslist as linux_pslist class linux_netstat(linux_pslist.linux_pslist): """Lists open sockets""" def __init__(self, config, *args, **kwargs): linux_pslist.linux_pslist.__init__(self, config, *args, **kwargs) self._config.add_option('IGNORE_UNIX', short_option = 'U', default = None, help = 'ignore unix sockets', action = 'store_true') # its a socket! def render_text(self, outfd, data): linux_common.set_plugin_members(self) if not self.addr_space.profile.has_type("inet_sock"): # ancient (2.6.9) centos kernels do not have inet_sock in debug info raise AttributeError, "Given profile does not have inet_sock, please file a bug if the kernel version is > 2.6.11" for task in data: for ents in task.netstat(): if ents[0] == socket.AF_INET: (_, proto, saddr, sport, daddr, dport, state) = ents[1] outfd.write("{0:8s} {1:<16}:{2:>5} {3:<16}:{4:>5} {5:<15s} {6:>17s}/{7:<5d}\n".format(proto, saddr, sport, daddr, dport, state, task.comm, task.pid)) elif ents[0] == 1 and not self._config.IGNORE_UNIX: (name, inum) = ents[1] outfd.write("UNIX {0:<8d} {1:>17s}/{2:<5d} {3:s}\n".format(inum, task.comm, task.pid, name)) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/arp.py0000644000000000000000000001063713131215405023320 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. 
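#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import socket
import volatility.plugins.linux.common as linux_common
import volatility.obj as obj

# Address-family number used by the Linux kernel for IPv6.  The value stored
# in the image is the Linux one, while socket.AF_INET6 is the constant of the
# machine running the analysis and differs on Windows and macOS; comparing
# against it there made every IPv6 neighbour print as '?'.
_LINUX_AF_INET6 = 10

class a_ent(object):
    """One row of the neighbour table: IP address, MAC address, device name."""

    def __init__(self, ip, mac, devname):
        self.ip = ip
        self.mac = mac
        self.devname = devname

# based off pykdump
# not 100% this works, will need some testing to verify
class linux_arp(linux_common.AbstractLinuxCommand):
    """Print the ARP table"""

    def calculate(self):
        """Yield an a_ent for every neighbour entry of every neighbour table.

        Profiles whose neigh_table has a `next` member are walked as a linked
        list; otherwise neigh_tables is read as an array of four pointers.
        """
        linux_common.set_plugin_members(self)

        neigh_tables_addr = self.addr_space.profile.get_symbol("neigh_tables")

        hasnext = True
        try:
            self.addr_space.profile.get_obj_offset("neigh_table", "next")
        except KeyError:
            hasnext = False

        if hasnext:
            ntables_ptr = obj.Object("Pointer", offset = neigh_tables_addr, vm = self.addr_space)
            tables = linux_common.walk_internal_list("neigh_table", "next", ntables_ptr)
        else:
            tables_arr = obj.Object(theType="Array", targetType="Pointer", offset = neigh_tables_addr, vm = self.addr_space, count = 4)
            tables = [t.dereference_as("neigh_table") for t in tables_arr]

        for ntable in tables:
            for aent in self.handle_table(ntable):
                yield aent

    def handle_table(self, ntable):
        """Return the a_ent entries found in one neighbour table.

        The bucket count comes from the image, so it is bounded (50000) and
        the bucket array address is validated before anything is read.
        """
        ret = []

        # FIXME: Consider using kernel version metadata rather than checking hasattr
        # NOTE(review): the first two branches use hash_mask as the bucket
        # count; if the mask is size - 1 the last bucket is never read -- confirm.
        if hasattr(ntable, 'hash_mask'):
            hash_size = ntable.hash_mask
            hash_table = ntable.hash_buckets
        elif hasattr(ntable.nht, 'hash_mask'):
            hash_size = ntable.nht.hash_mask
            hash_table = ntable.nht.hash_buckets
        else:
            try:
                hash_size = (1 << ntable.nht.hash_shift)
            except OverflowError:
                return []

            hash_table = ntable.nht.hash_buckets

        if not self.addr_space.is_valid_address(hash_table):
            return []

        buckets = obj.Object(theType = 'Array', offset = hash_table, vm = self.addr_space, targetType = 'Pointer', count = hash_size)

        if not buckets or hash_size > 50000:
            return []

        for i in range(hash_size):
            if buckets[i]:
                neighbor = obj.Object("neighbour", offset = buckets[i], vm = self.addr_space)

                # gather all chains into one flat list
                ret.extend(self.walk_neighbor(neighbor))

        return ret

    def walk_neighbor(self, neighbor):
        """Return the a_ent entries of one hash chain.

        The chain is followed for at most 1025 entries and stops at the first
        address seen twice, which keeps a looping or overlong chain in a
        damaged or tampered image from stalling the analysis.  Entries whose
        device pointer is not valid are left out.
        """
        seen = set()
        ret = []
        ctr = 0

        for n in linux_common.walk_internal_list("neighbour", "next", neighbor):
            if n.obj_offset in seen:
                break
            seen.add(n.obj_offset)

            if ctr > 1024:
                break
            ctr = ctr + 1

            # get the family from each neighbour in order to work with ipv4 and 6
            family = n.tbl.family

            if family == socket.AF_INET:
                ip = obj.Object("IpAddress", offset = n.primary_key.obj_offset, vm = self.addr_space).v()
            elif family == _LINUX_AF_INET6:
                ip = obj.Object("Ipv6Address", offset = n.primary_key.obj_offset, vm = self.addr_space).v()
            else:
                ip = '?'

            if n.dev.is_valid():
                mac = ":".join(["{0:02x}".format(x) for x in n.ha][:n.dev.addr_len])
                devname = n.dev.name

                ret.append(a_ent(ip, mac, devname))

        return ret

    def render_text(self, outfd, data):
        for ent in data:
            outfd.write("[{0:42s}] at {1:20s} on {2:s}\n".format(ent.ip, ent.mac, ent.devname))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/dump_map.py0000644000000000000000000000613613131215405024337 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.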
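#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os.path
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.proc_maps as linux_proc_maps

class linux_dump_map(linux_proc_maps.linux_proc_maps):
    """ Writes selected memory mappings to disk """

    def __init__(self, config, *args, **kwargs):
        linux_proc_maps.linux_proc_maps.__init__(self, config, *args, **kwargs)
        self._config.add_option('VMA', short_option = 's', default = None, help = 'Filter by VMA starting address', action = 'store', type = 'long')
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'Output directory', action = 'store', type = 'str')

    def read_addr_range(self, task, start, end):
        """Yield the process memory between start and end, 4096 bytes at a time.

        Reads go through the task's own address space with zread().  The range
        bounds come from the image and are not capped here.
        """
        pagesize = 4096

        # set the as with our new dtb so we can read from userland
        proc_as = task.get_process_address_space()

        # xrange doesn't support longs :(
        while start < end:
            page = proc_as.zread(start, pagesize)
            yield page
            start = start + pagesize

    def render_text(self, outfd, data):
        """Dump every selected mapping to DUMP_DIR and print a summary table.

        File names are built from the pid and the mapping's start address only,
        so nothing read from the image can steer the output path.  An existing
        file of the same name is overwritten.  The dumped files hold raw
        process memory from the image under analysis; treat them as untrusted
        content on the analysis machine.
        """
        if (not self._config.DUMP_DIR or not os.path.isdir(self._config.DUMP_DIR)):
            debug.error("Please specify an existing output dir (--dump-dir)")

        self.table_header(outfd, [("Task", "10"),
                                  ("VM Start", "[addrpad]"),
                                  ("VM End", "[addrpad]"),
                                  ("Length", "[addr]"),
                                  ("Path", "")])

        for (task, vma) in data:
            if not self._config.VMA or vma.vm_start == self._config.VMA:
                file_name = "task.{0}.{1:#x}.vma".format(task.pid, vma.vm_start)
                file_path = os.path.join(self._config.DUMP_DIR, file_name)

                # the context manager closes the file even when a read or
                # write fails part-way through the mapping
                with open(file_path, "wb+") as outfile:
                    for page in self.read_addr_range(task, vma.vm_start, vma.vm_end):
                        outfile.write(page)

                self.table_row(outfd, task.pid,
                                      vma.vm_start,
                                      vma.vm_end,
                                      vma.vm_end - vma.vm_start,
                                      file_path)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/proc_maps.py0000644000000000000000000000673213131215405024522 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.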
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class linux_proc_maps(linux_pslist.linux_pslist):
    """Gathers process memory maps"""

    def calculate(self):
        """Yield (task, vma) for every mapping of every process that has an mm."""
        linux_common.set_plugin_members(self)

        for proc in linux_pslist.linux_pslist.calculate(self):
            # tasks without an mm are skipped
            if not proc.mm:
                continue

            for region in proc.get_proc_maps():
                yield proc, region

    def unified_output(self, data):
        """Describe the output columns and attach the row generator."""
        columns = [("Offset",Address),
                   ("Pid", int),
                   ("Name",str),
                   ("Start", Address),
                   ("End", Address),
                   ("Flags", str),
                   ("Pgoff", Address),
                   ("Major", int),
                   ("Minor", int),
                   ("Inode", int),
                   ("Path", str)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Turn each (task, vma) pair into one TreeGrid row."""
        for proc, region in data:
            (fname, major, minor, ino, pgoff) = region.info(proc)

            cells = [Address(proc.obj_offset),
                     int(proc.pid),
                     str(proc.comm),
                     Address(region.vm_start),
                     Address(region.vm_end),
                     str(region.vm_flags),
                     Address(pgoff),
                     int(major),
                     int(minor),
                     int(ino),
                     str(fname)]
            yield (0, cells)

    def render_text(self, outfd, data):
        """Write the mappings as a text table, one row per (task, vma) pair."""
        header = [("Offset","#018x"),
                  ("Pid", "8"),
                  ("Name","20"),
                  ("Start", "#018x"),
                  ("End", "#018x"),
                  ("Flags", "6"),
                  ("Pgoff", "[addr]"),
                  ("Major", "6"),
                  ("Minor", "6"),
                  ("Inode", "10"),
                  ("File Path", ""),
                  ]
        self.table_header(outfd, header)

        for proc, region in data:
            (fname, major, minor, ino, pgoff) = region.info(proc)

            self.table_row(outfd, proc.obj_offset,
                           proc.pid,
                           proc.comm,
                           region.vm_start,
                           region.vm_end,
                           str(region.vm_flags),
                           pgoff,
                           major,
                           minor,
                           ino,
                           fname)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/ifconfig.py0000644000000000000000000000740513131215405024321 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.linux.common as linux_common
import volatility.debug as debug
import volatility.obj as obj
from volatility.renderers import TreeGrid


class linux_ifconfig(linux_common.AbstractLinuxCommand):
    """Gathers active interfaces"""

    def _get_devs_base(self):
        """Yield net_device objects by following the dev_base list."""
        dev_base_addr = self.addr_space.profile.get_symbol("dev_base")
        head_ptr = obj.Object("Pointer", offset = dev_base_addr, vm = self.addr_space)
        first_dev = head_ptr.dereference_as("net_device")

        for net_dev in linux_common.walk_internal_list("net_device", "next", first_dev):
            yield net_dev

    def _get_devs_namespace(self):
        """Yield net_device objects from every network namespace."""
        ns_list_addr = self.addr_space.profile.get_symbol("net_namespace_list")
        ns_head = obj.Object("list_head", offset = ns_list_addr, vm = self.addr_space)

        # walk each network namespace
        # http://www.linuxquestions.org/questions/linux-kernel-70/accessing-ip-address-from-kernel-ver-2-6-31-13-module-815578/
        for namespace in ns_head.list_of_type("net", "list"):
            # walk each device in the current namespace
            for net_dev in namespace.dev_base_head.list_of_type("net_device", "dev_list"):
                yield net_dev

    def _gather_net_dev_info(self, net_dev):
        """Yield (name, ip, mac, promisc) for each address on net_dev.

        The MAC address and the promiscuous flag belong to the device, so
        they repeat on every row produced for it.
        """
        device_mac = net_dev.mac_addr
        device_promisc = str(net_dev.promisc)

        in_dev = obj.Object("in_device", offset = net_dev.ip_ptr, vm = self.addr_space)

        for ifa in in_dev.devices():
            address = ifa.ifa_address.cast('IpAddress')
            label = ifa.ifa_label
            yield (label, address, device_mac, device_promisc)

    def calculate(self):
        """Yield interface rows using whichever device list the profile has."""
        linux_common.set_plugin_members(self)

        profile = self.addr_space.profile

        # newer kernels
        if profile.get_symbol("net_namespace_list"):
            walker = self._get_devs_namespace
        elif profile.get_symbol("dev_base"):
            walker = self._get_devs_base
        else:
            debug.error("Unable to determine ifconfig information")

        for net_dev in walker():
            for row in self._gather_net_dev_info(net_dev):
                (name, ip_addr, mac_addr, promisc) = row
                yield (name, ip_addr, mac_addr, promisc)

    def unified_output(self, data):
        """Describe the result columns and bind them to generator()."""
        columns = [("Interface", str),
                   ("IP", str),
                   ("MAC", str),
                   ("Promiscuous", str)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Turn each interface tuple into one depth-0 TreeGrid row."""
        for (name, ip_addr, mac_addr, promisc) in data:
            # A true promiscuous flag is worth a second look during triage;
            # this plugin reports the value and draws no conclusion from it.
            yield (0, [str(name), str(ip_addr), str(mac_addr), str(promisc)])

    def render_text(self, outfd, data):
        """Write the interface list to outfd as a fixed-width text table."""
        header = [("Interface", "16"),
                  ("IP Address", "20"),
                  ("MAC Address", "18"),
                  ("Promiscous Mode", "5")]
        self.table_header(outfd, header)

        for (name, ip_addr, mac_addr, promisc) in data:
            self.table_row(outfd, name, ip_addr, mac_addr, promisc)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/pslist.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.utils as utils
import volatility.plugins.linux.common as linux_common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address


class linux_pslist(linux_common.AbstractLinuxCommand):
    """Gather active tasks by walking the task_struct->task list"""

    def __init__(self, config, *args, **kwargs):
        """Register the PID option on top of the base command options."""
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Operate on these Process IDs (comma-separated)',
                          action = 'store', type = 'str')

    @staticmethod
    def virtual_process_from_physical_offset(addr_space, offset):
        """Map a task_struct found at a physical offset to its virtual twin.

        The task is read from the physical layer, its parent is read from
        the virtual layer, and the parent's children are searched for the
        one whose translated address equals the physical offset. A
        NoneObject is returned when no child matches.
        """
        physical_space = utils.load_as(addr_space.get_config(), astype = 'physical')
        phys_task = obj.Object("task_struct", vm = physical_space, offset = offset)
        parent_task = obj.Object("task_struct", vm = addr_space, offset = phys_task.parent)

        for candidate in parent_task.children.list_of_type("task_struct", "sibling"):
            if candidate.obj_vm.vtop(candidate.obj_offset) == phys_task.obj_offset:
                return candidate

        return obj.NoneObject("Unable to bounce back from task_struct->parent->task_struct")

    def allprocs(self):
        """Yield every task reachable from init_task's tasks list."""
        linux_common.set_plugin_members(self)

        init_addr = self.addr_space.profile.get_symbol("init_task")
        init_task = obj.Object("task_struct", vm = self.addr_space, offset = init_addr)

        # walk the ->tasks list, note that this will *not* display "swapper"
        for task in init_task.tasks:
            yield task

    def calculate(self):
        """Yield tasks, limited to the PID option when one is given."""
        linux_common.set_plugin_members(self)

        wanted = self._config.PID
        if wanted:
            # A non-numeric entry makes int() raise ValueError here; the
            # option is not validated beforehand.
            wanted = [int(p) for p in self._config.PID.split(',')]

        for task in self.allprocs():
            if wanted and task.pid not in wanted:
                continue
            yield task

    def unified_output(self, data):
        """Describe the result columns and bind them to generator()."""
        columns = [("Offset", Address),
                   ("Name", str),
                   ("Pid", int),
                   ("Uid", str),
                   ("Gid", str),
                   ("DTB", Address),
                   ("StartTime", str)]
        return TreeGrid(columns, self.generator(data))

    def _get_task_vals(self, task):
        """Collect the display values for one task.

        Returns (task_offset, dtb, ppid, uid, gid, start_time), with "-"
        standing in for values that are missing or rejected below.
        """
        # The comparisons against None use == on purpose: a NoneObject, which
        # this file's code returns for unreadable data, is meant to compare
        # equal to None, and an identity test would not match it.
        ppid = str(task.parent.pid) if task.parent.is_valid() else "-"

        # NOTE(review): a uid above 10000 or a gid above 100000 is shown as
        # "-". The two limits differ and a legitimate high id is hidden the
        # same way as an unreadable one - confirm the intent before relying
        # on this column in an investigation.
        uid = task.uid
        if uid == None or uid > 10000:
            uid = "-"

        gid = task.gid
        if gid == None or gid > 100000:
            gid = "-"

        start_time = task.get_task_start_time()
        if start_time == None:
            start_time = "-"

        # Prefer the translated page-directory address; fall back to the
        # raw pointer when translation yields a false value.
        pgd = task.mm.pgd
        if pgd == None:
            dtb = pgd
        else:
            dtb = self.addr_space.vtop(pgd) or pgd

        # Plugins that set wants_physical get the translated task offset
        # when the task's address space sits on top of another layer.
        task_offset = None
        if hasattr(self, "wants_physical") and task.obj_vm.base:
            task_offset = self.addr_space.vtop(task.obj_offset)
        if task_offset == None:
            task_offset = task.obj_offset

        return task_offset, dtb, ppid, uid, gid, str(start_time)

    def generator(self, data):
        """Turn each task into one depth-0 TreeGrid row (no PPid column)."""
        for task in data:
            task_offset, dtb, ppid, uid, gid, start_time = self._get_task_vals(task)
            row = [Address(task_offset),
                   str(task.comm),
                   int(task.pid),
                   str(uid),
                   str(gid),
                   Address(dtb),
                   start_time]
            yield (0, row)

    def render_text(self, outfd, data):
        """Write the task list to outfd as a fixed-width text table."""
        header = [("Offset", "[addrpad]"),
                  ("Name", "20"),
                  ("Pid", "15"),
                  ("PPid", "15"),
                  ("Uid", "15"),
                  ("Gid", "6"),
                  ("DTB", "[addrpad]"),
                  ("Start Time", "")]
        self.table_header(outfd, header)

        for task in data:
            task_offset, dtb, ppid, uid, gid, start_time = self._get_task_vals(task)
            self.table_row(outfd,
                           task_offset,
                           task.comm,
                           str(task.pid),
                           str(ppid),
                           str(uid),
                           str(gid),
                           dtb,
                           str(start_time))


class linux_memmap(linux_pslist):
    """Dumps the memory map for linux tasks"""

    def unified_output(self, data):
        """Describe the result columns and bind them to generator()."""
        columns = [("Task", str),
                   ("Pid", int),
                   ("Virtual", Address),
                   ("Physical", Address),
                   ("Size", Address)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one row per translatable page of every task.

        A task with no page data gets a single row of -1 addresses.
        NOTE(review): the original indentation was lost in this listing; the
        else branch is attached to the page-data test, by analogy with
        render_text - confirm against upstream.
        """
        for task in data:
            task_space = task.get_process_address_space()
            pages = task_space.get_available_pages()

            if pages:
                for page in pages:
                    vaddr, size = page[0], page[1]
                    paddr = task_space.vtop(vaddr)
                    # pa can be 0, according to the old memmap, but can't == None(NoneObject)
                    if paddr != None:
                        yield (0, [str(task.comm), int(task.pid), Address(vaddr), Address(paddr), Address(size)])
            else:
                yield (0, [str(task.comm), int(task.pid), Address(-1), Address(-1), Address(-1)])

    def render_text(self, outfd, data):
        """Write the per-task page map to outfd as a text table."""
        header = [("Task", "16"),
                  ("Pid", "8"),
                  ("Virtual", "[addrpad]"),
                  ("Physical", "[addrpad]"),
                  ("Size", "[addr]")]
        self.table_header(outfd, header)

        for task in data:
            task_space = task.get_process_address_space()
            pages = task_space.get_available_pages()

            if pages:
                for page in pages:
                    paddr = task_space.vtop(page[0])
                    # pa can be 0, according to the old memmap, but can't == None(NoneObject)
                    if paddr != None:
                        self.table_row(outfd, task.comm, task.pid, page[0], paddr, page[1])
                    #else:
                    #    outfd.write("0x{0:10x} 0x000000 0x{1:12x}\n".format(p[0], p[1]))
            else:
                outfd.write("Unable to read pages for {0} pid {1}.\n".format(task.comm, task.pid))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/apihooks.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.plthook as linux_plthook
import volatility.plugins.linux.pslist as linux_pslist
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address


class linux_apihooks(linux_pslist.linux_pslist):
    """Checks for userland apihooks"""

    def unified_output(self, data):
        """Describe the result columns and bind them to generator()."""
        columns = [("Pid", int),
                   ("Name", str),
                   ("HookVMA", str),
                   ("HookSymbol", str),
                   ("HookedAddress", Address),
                   ("HookType", str),
                   ("HookAddress", Address),
                   ("HookLibrary", str)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one depth-0 row per hook reported by task.apihook_info()."""
        linux_common.set_plugin_members(self)

        # distorm3 is imported only to confirm it is installed; this method
        # does not call it directly.
        try:
            import distorm3
        except ImportError:
            debug.error("this plugin requres the distorm library to operate.")

        for task in data:
            for hook in task.apihook_info():
                hook_desc, sym_name, addr, hook_type, hook_addr, hookfuncdesc = hook
                row = [int(task.pid),
                       str(task.comm),
                       str(hook_desc),
                       str(sym_name),
                       Address(addr),
                       str(hook_type),
                       Address(hook_addr),
                       str(hookfuncdesc)]
                yield (0, row)

    def render_text(self, outfd, data):
        """Write the detected hooks to outfd as a fixed-width text table."""
        header = [
            ("Pid", "7"),
            ("Name", "16"),
            ("Hook VMA", "40"),
            ("Hook Symbol", "24"),
            ("Hooked Address", "[addrpad]"),
            ("Type", "5"),
            ("Hook Address", "[addrpad]"),
            ("Hook Library", ""),
        ]
        self.table_header(outfd, header)

        linux_common.set_plugin_members(self)

        # Same availability check as in generator().
        try:
            import distorm3
        except ImportError:
            debug.error("this plugin requres the distorm library to operate.")

        for task in data:
            for hook in task.apihook_info():
                hook_desc, sym_name, addr, hook_type, hook_addr, hookfuncdesc = hook
                self.table_row(outfd,
                               task.pid,
                               task.comm,
                               hook_desc,
                               sym_name,
                               addr,
                               hook_type,
                               hook_addr,
                               hookfuncdesc)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/pkt_queues.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of
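# Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os
import volatility.debug as debug
import volatility.plugins.linux.netstat as linux_netstat
import volatility.plugins.linux.common as linux_common


class linux_pkt_queues(linux_netstat.linux_netstat):
    """Writes per-process packet queues out to disk"""

    def __init__(self, config, *args, **kwargs):
        """Register the DUMP-DIR option on top of the netstat options."""
        linux_netstat.linux_netstat.__init__(self, config, *args, **kwargs)
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None,
                                help = 'output directory for recovered packets',
                                action = 'store', type = 'str')

    def process_queue(self, name, pid, fd_num, queue):
        """Dump the packets of one socket queue into a file under self.edir.

        name   -- queue label used as the file-name prefix
        pid    -- owning process id
        fd_num -- file descriptor number of the socket
        queue  -- queue head whose list of buffers is walked

        Yields a single status string when any bytes were written. The
        output file is closed before that string is yielded, and it is also
        closed when reading from the image raises part-way through.
        """
        if queue.qlen == 0:
            return

        wrote = 0
        # The file name is built from the caller's label and two integers
        # only, so nothing read from the image reaches the path.
        fname = "{0:s}.{1:d}.{2:d}".format(name, pid, fd_num)
        fd = None

        # NOTE(review): the packet length and the list links come from the
        # analysed image; neither the read size nor the number of loop
        # iterations is bounded here, so a corrupted image can make this
        # loop run long or read large buffers - consider a cap.
        try:
            sk_buff = queue.m("next")
            while sk_buff and sk_buff != queue.v():
                pkt_len = sk_buff.len

                if pkt_len > 0 and pkt_len != 0xffffffff:
                    # only open once we have a packet with data
                    # otherwise we get 0 sized files
                    if fd == None:
                        fd = open(os.path.join(self.edir, fname), "wb")

                    start = sk_buff.data
                    data = self.addr_space.zread(start, pkt_len)
                    fd.write(data)
                    wrote = wrote + pkt_len

                sk_buff = sk_buff.next
        finally:
            # Close on every exit path so the data is flushed before the
            # caller is told it was written.
            if fd:
                fd.close()

        if wrote:
            yield "Wrote {0:d} bytes to {1:s}".format(wrote, fname)

    def render_text(self, outfd, data):
        """Dump receive and write queues of every socket of every task."""
        linux_common.set_plugin_members(self)

        self.edir = self._config.DUMP_DIR

        if not self.edir:
            debug.error("No output directory given.")

        if not os.path.isdir(self.edir):
            debug.error(self.edir + " is not a directory")

        for task in linux_netstat.linux_netstat(self._config).calculate():
            sfop = task.obj_vm.profile.get_symbol("socket_file_ops")
            dfop = task.obj_vm.profile.get_symbol("sockfs_dentry_operations")

            for (filp, fdnum) in task.lsof():
                # Only descriptors whose operations tables match the socket
                # symbols are processed.
                if filp.f_op == sfop or filp.dentry.d_op == dfop:
                    iaddr = filp.dentry.d_inode
                    skt = task.SOCKET_I(iaddr)
                    sk = skt.sk

                    for msg in self.process_queue("receive", task.pid, fdnum, sk.sk_receive_queue):
                        outfd.write(msg + "\n")

                    for msg in self.process_queue("write", task.pid, fdnum, sk.sk_write_queue):
                        outfd.write(msg + "\n")

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/proc_maps_rb.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.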
#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist
import volatility.plugins.linux.proc_maps as linux_proc_maps


class linux_proc_maps_rb(linux_proc_maps.linux_proc_maps):
    """Gathers process maps for linux through the mappings red-black tree"""

    def calculate(self):
        """Yield (task, vma) pairs obtained from task.get_proc_maps_rb().

        Output handling is inherited from linux_proc_maps; only the source
        of the mappings differs.
        """
        linux_common.set_plugin_members(self)

        for proc in linux_pslist.linux_pslist.calculate(self):
            # A task whose mm is false-valued has no mappings to enumerate.
            if not proc.mm:
                continue
            for mapping in proc.get_proc_maps_rb():
                yield proc, mapping

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/tmpfs.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
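#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.mount as linux_mount
import volatility.plugins.linux.find_file as linux_find_file


class linux_tmpfs(linux_common.AbstractLinuxCommand):
    '''Recovers tmpfs filesystems from memory'''

    def __init__(self, config, *args, **kwargs):
        """Register the dump-directory, superblock and list options."""
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'output directory for recovered files', action = 'store', type = 'str')
        config.add_option('SB', short_option = 'S', default = None, help = 'superblock to process, see -L', action = 'store', type = 'int')
        config.remove_option("LISTFILES")
        config.add_option('LIST_SBS', short_option = 'L', default = None, help = 'list avaiable tmpfs superblocks', action = 'store_true')

        # used to keep correct time for directories
        self.dir_times = {}

    @staticmethod
    def _is_safe_name(name):
        """Return True when name can be used as one path component.

        Entry names are read from the analysed image. An empty name, "." or
        "..", or a name holding a path separator or a NUL byte would let the
        joined path leave the dump directory, so those are rejected.
        """
        if name in ("", ".", ".."):
            return False
        if "\x00" in name:
            return False
        for sep in (os.sep, os.altsep, "/"):
            if sep and sep in name:
                return False
        return True

    def fix_md(self, new_file, perms, atime, mtime, isdir = 0):
        """Apply recovered timestamps and permission bits to new_file.

        Directory times are only recorded in self.dir_times, because writing
        the directory's children afterwards would change them again;
        walk_sb() applies them at the end.

        Only the rwx permission bits are applied. The mode comes from the
        image, and copying its setuid, setgid or sticky bits would create
        such files on the analysis host.
        NOTE(review): the original indentation was lost in this listing;
        chmod is applied to files and directories alike - confirm against
        upstream.
        """
        atime = atime.as_timestamp().v()
        mtime = mtime.as_timestamp().v()

        if isdir:
            self.dir_times[new_file] = (atime, mtime)
        else:
            os.utime(new_file, (atime, mtime))

        os.chmod(new_file, perms & 0o777)

    def process_directory(self, dentry, _recursive = 0, parent = ""):
        """Recreate the children of dentry below the directory parent.

        Directories are created and descended into, regular files are
        written page by page, and every other entry type is skipped.
        """
        for child in dentry.d_subdirs.list_of_type("dentry", "d_u"):
            name = child.d_name.name.dereference_as("String", length = 255)
            inode = child.d_inode

            if not inode:
                #print "no inode for %s" % name
                continue

            component = str(name)
            if not self._is_safe_name(component):
                debug.warning("Skipping tmpfs entry with unsafe name {0!r}".format(component))
                continue

            new_file = os.path.join(parent, component)
            (perms, atime, mtime) = (inode.i_mode, inode.i_atime, inode.i_mtime)

            if inode.is_dir():
                # since the directory may already exist
                try:
                    os.mkdir(new_file)
                except OSError:
                    pass

                self.fix_md(new_file, perms, atime, mtime, 1)
                # NOTE(review): recursion depth follows the image's dentry
                # tree and is not bounded here.
                self.process_directory(child, 1, new_file)

            elif inode.is_reg():
                # The file is opened once and closed by the with block. The
                # second open(new_file, "wb") that the original performed
                # before closing truncated the file it had just written.
                with open(new_file, "wb") as f:
                    for page in linux_find_file.linux_find_file(self._config).get_file_contents(inode):
                        f.write(page)

                self.fix_md(new_file, perms, atime, mtime)

            # FUTURE add support for symlinks
            else:
                #print "skipped: %s" % name
                pass

    def walk_sb(self, root_dentry):
        """Write the tree under root_dentry into the dump directory."""
        cur_dir = os.path.join(self._config.DUMP_DIR)

        self.process_directory(root_dentry, parent = cur_dir)

        # post processing: directory times are applied last so that creating
        # the children does not overwrite them
        for new_file in self.dir_times:
            (atime, mtime) = self.dir_times[new_file]
            os.utime(new_file, (atime, mtime))

    def get_tmpfs_sbs(self):
        '''
        we need this b/c we have a bunch of 'super_block' structs
        but no method that I could find maps a super_block to its vfs_mnt
        which is needed to figure out where the super_block is mounted

        This function returns a list of (super_block, mount path) tuples,
        one per tmpfs mount reported by the linux_mount plugin
        '''
        ret = []

        for (sb, _dev_name, path, fstype, _rr, _mnt_string) in linux_mount.linux_mount(self._config).calculate():
            if str(fstype) == "tmpfs":
                ret.append((sb, path))

        return ret

    def calculate(self):
        """Either dump one tmpfs superblock to disk or list the superblocks.

        With both DUMP_DIR and SB set, the chosen filesystem is written to
        disk and nothing is yielded. With LIST_SBS set, (number, path) pairs
        are yielded, numbered from 1.
        """
        linux_common.set_plugin_members(self)

        # a list of root directory entries
        if self._config.DUMP_DIR and self._config.SB:
            if not os.path.isdir(self._config.DUMP_DIR):
                debug.error(self._config.DUMP_DIR + " is not a directory")

            # this path never 'yield's, just writes the filesystem to disk
            tmpfs_sbs = self.get_tmpfs_sbs()
            sb_idx = self._config.SB - 1

            # A negative index would silently select an entry counted from
            # the end of the list, so it is rejected like a too-large one.
            if sb_idx < 0 or sb_idx >= len(tmpfs_sbs):
                debug.error("Invalid superblock number given. Please use the -L option to determine valid numbers.")

            root_dentry = tmpfs_sbs[sb_idx][0].s_root
            self.walk_sb(root_dentry)

        elif self._config.LIST_SBS:
            # vfsmnt.mnt_sb.s_root
            tmpfs_sbs = self.get_tmpfs_sbs()

            for (i, (_sb, path)) in enumerate(tmpfs_sbs):
                yield (i + 1, path)

        else:
            debug.error("No sb number/output directory combination given and list superblocks not given")

    # we only render the -L option
    def render_text(self, outfd, data):
        """Print the numbered list of tmpfs mount points."""
        for (i, path) in data:
            outfd.write("{0:d} -> {1}\n".format(i, path))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/pslist_cache.py
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.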
#
"""
@author: Joe Sylve
@license: GNU General Public License 2.0
@contact: joe.sylve@gmail.com
@organization: Digital Forensics Solutions
"""

import volatility.plugins.linux.common as linux_common
from volatility.plugins.linux.slab_info import linux_slabinfo
import volatility.plugins.linux.pslist as linux_pslist


class linux_pslist_cache(linux_pslist.linux_pslist):
    """Gather tasks from the kmem_cache"""

    def __init__(self, config, *args, **kwargs):
        """Register the UNALLOCATED switch on top of the pslist options."""
        linux_pslist.linux_pslist.__init__(self, config, *args, **kwargs)
        self._config.add_option('UNALLOCATED', short_option = 'u',
                                default = False,
                                help = 'Show unallocated',
                                action = 'store_true')

    def calculate(self):
        """Yield task_struct objects taken from the task_struct kmem cache.

        The PID option filters the result the same way as in linux_pslist;
        the UNALLOCATED option is passed through to get_kmem_cache().
        """
        linux_common.set_plugin_members(self)

        wanted = self._config.PID
        if wanted:
            # A non-numeric entry makes int() raise ValueError here.
            wanted = [int(p) for p in self._config.PID.split(',')]

        slab = linux_slabinfo(self._config)
        for task in slab.get_kmem_cache("task_struct", self._config.UNALLOCATED):
            if wanted and task.pid not in wanted:
                continue
            yield task

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/psscan.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import struct import volatility.obj as obj import volatility.utils as utils import volatility.poolscan as poolscan import volatility.debug as debug import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.pslist as pslist from volatility.renderers import TreeGrid from volatility.renderers.basic import Address class linux_psscan(pslist.linux_pslist): """ Scan physical memory for processes """ def __init__(self, config, *args, **kwargs): linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs) self.wants_physical = True def calculate(self): linux_common.set_plugin_members(self) phys_addr_space = utils.load_as(self._config, astype = 'physical') if phys_addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": fmt = ". # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.linux.common as linux_common class linux_dmesg(linux_common.AbstractLinuxCommand): """Gather dmesg buffer""" def _get_log_info(self): ptr_addr = self.addr_space.profile.get_symbol("log_buf", "d") log_buf_addr = obj.Object("unsigned long", offset = ptr_addr, vm = self.addr_space) log_buf_len = obj.Object("int", self.addr_space.profile.get_symbol("log_buf_len", "d"), vm = self.addr_space) return (log_buf_addr, log_buf_len) # pre 3.x def _pre_3(self, buf_addr, buf_len): return obj.Object("String", offset = buf_addr, vm = self.addr_space, length = buf_len) def _ver_3(self, buf_addr, buf_len): ''' During 3.x, the kernel switched the kernel debug buffer from just a big char array to the variable now holding variable sized records tracked by inline 'log' structures We deal with this by walking all the logs and building the buffer up and then returning it This produces the same results as the old way ''' ret = "" size_of_log = 
self.profile.get_obj_size("log") cur_addr = buf_addr end_addr = buf_addr + buf_len log = obj.Object("log", offset = cur_addr, vm = self.addr_space) cur_len = log.len while cur_addr < end_addr and cur_len != 0 and cur_len < 4096: msg_len = log.text_len cur_ts = log.ts_nsec buf = obj.Object("String", offset = cur_addr + size_of_log, vm = self.addr_space, length = msg_len) if buf == None: break ret = ret + "[{0}.{1}] {2}\n".format(cur_ts, cur_ts / 1000000000, buf) cur_addr = cur_addr + cur_len log = obj.Object("log", offset = cur_addr, vm = self.addr_space) if log == None: break cur_len = log.len return ret def calculate(self): linux_common.set_plugin_members(self) (log_buf_addr, log_buf_len) = self._get_log_info() if self.profile.has_type("log") and self.profile.obj_has_member("log", "ts_nsec"): yield self._ver_3(log_buf_addr, log_buf_len) else: yield self._pre_3(log_buf_addr, log_buf_len) def render_text(self, outfd, data): for buf in data: outfd.write("{0:s}\n".format(buf)) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/check_evt_arm.py0000644000000000000000000000627513131215405025333 0ustar rootroot# Volatility # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
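#
"""
@author: Joe Sylve
@license: GNU General Public License 2.0
@contact: joe.sylve@gmail.com
@organization: 504ENSICS Labs
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common


class linux_check_evt_arm(linux_common.AbstractLinuxARMCommand):
    ''' Checks the Exception Vector Table to look for syscall table hooking '''

    VECTOR_BASE = 0xffff0000
    SWI_BASE = VECTOR_BASE + 8

    def calculate(self):
        """Run three integrity checks in order, stopping at the first FAIL.

        Yields (check name, "PASS" or "FAIL", detail) tuples for:
          1. the instruction at SWI_BASE having the expected ldr-pc encoding,
          2. the handler address it loads equalling the vector_swi symbol,
          3. an opcode matching E28F80?? being present within the first
             1024 words of the handler.
        """
        linux_common.set_plugin_members(self)

        # Get instructions executed when an interrupt exception occurs
        swi = obj.Object("unsigned int", offset = self.SWI_BASE, vm = self.addr_space)

        # Get offset of address to vector_swi
        offset = (swi & 0x0fff) + 8

        # Verify that instruction hasn't been modified (should be: ldr pc, [pc, #???] (e59ff???))
        if (swi & 0xfffff000) != 0xe59ff000:
            yield ("SWI Offset Instruction", "FAIL", "{0:X}".format(swi))
            return
        yield ("SWI Offset Instruction", "PASS", "Offset: {0}".format(offset))

        # Get vector_swi_addr from table
        vector_swi_addr = obj.Object("unsigned int", offset = self.SWI_BASE + (offset), vm = self.addr_space)

        # Check to see if vector_swi handler has been hooked
        if vector_swi_addr != self.addr_space.profile.get_symbol("vector_swi"):
            yield ("vector_swi address", "FAIL", "0x{0:X}".format(vector_swi_addr))
            return
        yield ("vector_swi address", "PASS", "0x{0:X}".format(vector_swi_addr))

        # Check for hooking of sys_call table pointer: scan a bounded number
        # of 4-byte words from the handler start for the expected opcode.
        sc_opcode = None
        scan_addr = vector_swi_addr
        for _ in range(1024):
            opcode = obj.Object("unsigned int", offset = scan_addr, vm = self.addr_space)
            if (opcode & 0xffffff00) == 0xe28f8000:
                sc_opcode = opcode
                break
            scan_addr += 4

        if sc_opcode:
            yield ("vector_swi code modification", "PASS", "{0:X}".format(sc_opcode))
        else:
            yield ("vector_swi code modification", "FAIL", "Opcode E28F80?? not found")
            return

    def render_text(self, outfd, data):
        """Write the check results to outfd as a left-aligned text table."""
        self.table_header(outfd, [("Check", "<30"), ("PASS/FAIL", "<5"), ("Info", "<30")])
        for (check, result, info) in data:
            self.table_row(outfd, check, result, info)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/linux_strings.py
# Volatility
# Copyright (C) 2007,2008 Volatile Systems
# Copyright (C) 2009 Timothy D. Morgan (strings optimization)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

from bisect import bisect_right
# debug is needed by get_processes(); without this import its error path
# raised NameError instead of reporting the invalid PID.
import volatility.debug as debug
import volatility.plugins.linux.pslist as linux_pslist
import volatility.plugins.strings as strings
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsmod as linux_lsmod


class linux_strings(strings.Strings, linux_common.AbstractLinuxCommand):
    """Match physical offsets to virtual addresses (may take a while, VERY verbose)"""

    @staticmethod
    def is_valid_profile(profile):
        """Return True when the profile's 'os' metadata is linux."""
        return profile.metadata.get('os', 'Unknown').lower() == 'linux'

    def get_processes(self, addr_space):
        """Enumerate processes based on user options.

        addr_space is accepted but not used in this method. Returns the
        tasks from linux_pslist, reduced to the PID option's entries when
        that option is set. An unparsable PID value is reported through
        debug.error().
        """
        tasks = linux_pslist.linux_pslist(self._config).calculate()

        try:
            if self._config.PID is not None:
                pidlist = [int(p) for p in self._config.PID.split(',')]
                tasks = [t for t in tasks if int(t.pid) in pidlist]
        except (ValueError, TypeError):
            debug.error("Invalid PID {0}".format(self._config.PID))

        return tasks

    @classmethod
    def get_modules(cls, addr_space):
        """Enumerate the kernel modules.

        Returns (mods, mod_addrs): a dict keyed by each module's masked
        module_core address, and the sorted list of those keys for use
        with find_module().
        """
        mask = addr_space.address_mask
        config = addr_space.get_config()
        modules = linux_lsmod.linux_lsmod(config).calculate()
        mods = dict((mask(mod[0].module_core), mod[0]) for mod in modules)
        mod_addrs = sorted(mods.keys())

        return (mods, mod_addrs)

    @classmethod
    def find_module(cls, modlist, mod_addrs, addr_space, vpage):
        """Determine which module owns a virtual page.

        modlist and mod_addrs are the pair returned by get_modules().
        Returns the module whose [module_core, module_core + core_size)
        range contains vpage, or None.
        """
        # Candidate: the module with the highest start address that is not
        # above vpage.
        pos = bisect_right(mod_addrs, vpage) - 1
        if pos == -1:
            return None
        mod = modlist[mod_addrs[pos]]

        compare = mod.obj_vm.address_compare
        if (compare(vpage, mod.module_core) != -1 and
                compare(vpage, mod.module_core + mod.core_size) == -1):
            return mod
        else:
            return None

    @classmethod
    def get_module_name(cls, module):
        """Get the name of a kernel module as a string."""
        return str(module.m("name"))

    @classmethod
    def get_task_pid(cls, task):
        """Get the PID of a process."""
        return task.pid

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/check_creds.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.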
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist
from volatility.renderers import TreeGrid

class linux_check_creds(linux_pslist.linux_pslist):
    """Checks if any processes are sharing credential structures"""

    def calculate(self):
        """Group the PIDs from the process list by the address of their cred structure.

        Yields exactly one dict: cred address (task.cred.v()) -> list of PIDs
        whose task_struct points at that address.
        """
        linux_common.set_plugin_members(self)

        # Profiles whose task_struct has no 'cred' member cannot be checked.
        if not self.profile.obj_has_member("task_struct", "cred"):
            debug.error("This command is not supported in this profile.")

        pids_by_cred = {}

        for task in linux_pslist.linux_pslist.calculate(self):
            pids_by_cred.setdefault(task.cred.v(), []).append(task.pid)

        yield pids_by_cred

    def unified_output(self, data):
        """Wrap generator() in a one-column TreeGrid."""
        return TreeGrid([("PIDs", str)], self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per cred structure referenced by more than one PID."""
        # NOTE(review): a row means several listed processes point at the same
        # cred address. That is the condition this plugin exists to surface;
        # whether it is benign for a given kernel should be confirmed by the
        # analyst before a row is treated as evidence of tampering.
        for cred_map in data:
            for pids in cred_map.values():
                if len(pids) < 2:
                    continue

                pid_str = ", ".join("{0:d}".format(pid) for pid in pids)
                yield(0, [str(pid_str)])

    def render_text(self, outfd, data):
        """Print the same rows as generator() as a text table."""
        self.table_header(outfd, [("PIDs", "8")])

        for cred_map in data:
            for pids in cred_map.values():
                if len(pids) < 2:
                    continue

                pid_str = ", ".join("{0:d}".format(pid) for pid in pids)
                self.table_row(outfd, pid_str)
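volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/keyboard_notifiers.py0000644000000000000000000000506513131215405026417 0ustar rootroot
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Joe Sylve
@license:      GNU General Public License 2.0
@contact:      joe.sylve@gmail.com
@organization: 504ENSICS Labs
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common

class linux_keyboard_notifiers(linux_common.AbstractLinuxCommand):
    """Parses the keyboard notifier call chain"""

    def calculate(self):
        """Walk keyboard_notifier_list and resolve every registered callback.

        Yields (call_addr, sym_name, hooked) per notifier_block, where hooked
        is 1 when the callback address does not resolve to a kernel symbol
        and 0 otherwise.
        """
        linux_common.set_plugin_members(self)

        knl_addr = self.addr_space.profile.get_symbol("keyboard_notifier_list")

        if not knl_addr:
            debug.error("Symbol keyboard_notifier_list not found in kernel")

        knl = obj.Object("atomic_notifier_head", offset = knl_addr, vm = self.addr_space)

        # call_addr -> (sym_name, hooked). The verdict is cached together with
        # the name so that a callback seen twice keeps its hooked flag, and so
        # that hooked always has a value when the tuple is yielded.
        symbol_cache = {}

        for call_back in linux_common.walk_internal_list("notifier_block", "next", knl.head):
            call_addr = call_back.notifier_call

            if call_addr not in symbol_cache:
                sym_name = self.profile.get_symbol_by_address("kernel", call_addr)
                hooked = 0

                if not sym_name:
                    sym_name = "HOOKED"
                    hooked = 1

                    # NOTE(review): 0xffffffffa03a15d0 is a fixed address, so the
                    # module name and symbol appended below describe whatever
                    # sits at that address in the image under analysis, not
                    # necessarily the module that owns call_addr. Only the
                    # "HOOKED" verdict and the address itself are reliable; the
                    # owning module should be looked up from the image instead.
                    module = obj.Object("module", offset = 0xffffffffa03a15d0, vm = self.addr_space)
                    sym = module.get_symbol_for_address(call_addr)

                    sym_name = "%s: %s/%s" % (sym_name, module.name, sym)

                symbol_cache[call_addr] = (sym_name, hooked)

            sym_name, hooked = symbol_cache[call_addr]

            yield call_addr, sym_name, hooked

    def render_text(self, outfd, data):
        """Print one row per callback: its address and the resolved symbol text."""
        self.table_header(outfd, [("Address", "[addrpad]"), ("Symbol", "<30")])

        for call_addr, sym_name, _ in data:
            self.table_row(outfd, call_addr, sym_name)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/check_afinfo.py0000644000000000000000000000660713131215405025137 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.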
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import os
import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsmod as linux_lsmod

class linux_check_afinfo(linux_common.AbstractLinuxCommand):
    """Verifies the operation function pointers of network protocols"""

    def check_members(self, var_ops, var_name, members, modules):
        """Yield (member, address) for every entry self.verify_ops reports.

        var_name is accepted but not used here. verify_ops is not defined in
        this file; presumably it comes from the base class -- verify there.
        """
        for finding in self.verify_ops(var_ops, members, modules):
            hooked_member, hook_address = finding
            yield (hooked_member, hook_address)

    def check_afinfo(self, var_name, var, op_members, seq_members, modules):
        """Check one *_seq_afinfo structure and yield (var_name, member, address).

        seq_fops is always checked. When the structure has a seq_ops member
        (newer kernels) that table is checked as well; otherwise the single
        seq_show pointer is tested with is_known_address.
        """
        for (hooked_member, hook_address) in self.check_members(var.seq_fops, var_name, op_members, modules):
            yield (var_name, hooked_member, hook_address)

        if hasattr(var, "seq_ops"):
            # newer kernels
            for (hooked_member, hook_address) in self.check_members(var.seq_ops, var_name, seq_members, modules):
                yield (var_name, hooked_member, hook_address)
            return

        if not self.is_known_address(var.seq_show, modules):
            yield (var_name, "show", var.seq_show)

    def calculate(self):
        """Check the TCP and UDP seq_afinfo globals that exist in this profile.

        Yields (symbol name, member, address) for each reported pointer.
        Symbols the profile cannot resolve are skipped silently.
        """
        linux_common.set_plugin_members(self)

        modules = linux_lsmod.linux_lsmod(self._config).get_modules()

        op_members = self.profile.types['file_operations'].keywords["members"].keys()
        seq_members = self.profile.types['seq_operations'].keywords["members"].keys()

        # (structure type, global variables of that type)
        families = [
            ("tcp_seq_afinfo", ["tcp6_seq_afinfo", "tcp4_seq_afinfo"]),
            ("udp_seq_afinfo", ["udplite6_seq_afinfo", "udp6_seq_afinfo", "udplite4_seq_afinfo", "udp4_seq_afinfo"]),
        ]

        for (struct_type, symbol_names) in families:
            for symbol_name in symbol_names:
                symbol_addr = self.addr_space.profile.get_symbol(symbol_name)

                if not symbol_addr:
                    continue

                afinfo = obj.Object(struct_type, offset = symbol_addr, vm = self.addr_space)

                for (name, member, address) in self.check_afinfo(symbol_name, afinfo, op_members, seq_members, modules):
                    yield (name, member, address)

    def render_text(self, outfd, data):
        """Print one row per reported pointer: symbol, member and address."""
        self.table_header(outfd, [("Symbol Name", "42"),
                                  ("Member", "30"),
                                  ("Address", "[addrpad]")])

        for (what, member, address) in data:
            self.table_row(outfd, what, member, address)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/check_idt.py0000644000000000000000000001045713131215405024453 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import volatility.debug as debug
import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

# Layout of a 16-byte IDT descriptor; the handler address is split over
# offset_low / offset_middle / offset_high.
idt_vtype_64 = {
    'idt_desc': [ 16 , {
        'offset_low'    : [0,  ['unsigned short']],
        'segment'       : [2,  ['unsigned short']],
        'ist'           : [4,  ['unsigned short']],
        'offset_middle' : [6,  ['unsigned short']],
        'offset_high'   : [8,  ['unsigned int']],
        'unused'        : [12, ['unsigned int']],
    }],
}

class LinuxIDTTypes(obj.ProfileModification):
    # Applies to Linux profiles only.
    conditions = {"os" : lambda x : x in ["linux"]}

    def modification(self, profile):
        """Add idt_desc to profiles whose memory_model is 64bit."""
        # NOTE(review): a missing 'memory_model' is treated as 64bit here but
        # as 32bit in linux_check_idt.calculate -- confirm which is intended.
        if profile.metadata.get('memory_model', '64bit') == "64bit":
            profile.vtypes.update(idt_vtype_64)

class linux_check_idt(linux_common.AbstractLinuxCommand):
    """ Checks if the IDT has been altered """

    def calculate(self):
        """Compare selected IDT handler addresses with the profile's symbol addresses.

        Entries 0-19 and 128 of idt_table are read. For each entry with a
        non-zero handler address, yields (index, entry, address, symbol name,
        hooked); hooked is 1 and the name is "HOOKED" when the address is not
        among self.profile.get_all_addresses().
        """
        linux_common.set_plugin_members(self)

        if self.profile.metadata['arch'] not in ["x64", "x86"]:
            debug.error("This plugin is only supported on Intel-based memory captures")

        tblsz = 256

        sym_addrs = self.profile.get_all_addresses()

        # hw handlers + system call
        check_idxs = list(range(0, 20)) + [128]

        # Choose the descriptor type that matches the image.
        if self.profile.metadata.get('memory_model', '32bit') == "32bit":
            idt_type = "desc_struct"
        elif self.profile.has_type("gate_struct64"):
            idt_type = "gate_struct64"
        else:
            idt_type = "idt_desc"

        # This is written as a list because there are supposedly kernels with
        # per-CPU IDTs, but the original author had not found one yet.
        table_addrs = [self.addr_space.profile.get_symbol("idt_table")]

        for tableaddr in table_addrs:
            table = obj.Object(theType = 'Array', offset = tableaddr, vm = self.addr_space, targetType = idt_type, count = tblsz)

            for i in check_idxs:
                ent = table[i]

                if not ent:
                    continue

                if hasattr(ent, "Address"):
                    idt_addr = ent.Address
                else:
                    # Reassemble the handler address from its three parts.
                    idt_addr = (ent.offset_high << 32) | (ent.offset_middle << 16) | ent.offset_low

                if idt_addr == 0:
                    continue

                if idt_addr in sym_addrs:
                    hooked = 0
                    sym_name = self.profile.get_symbol_by_address("kernel", idt_addr)
                else:
                    hooked = 1
                    sym_name = "HOOKED"

                yield(i, ent, idt_addr, sym_name, hooked)

    def unified_output(self, data):
        """Wrap generator() in a TreeGrid with Index, Address and Symbol columns."""
        return TreeGrid([("Index", Address),
                         ("Address", Address),
                         ("Symbol", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per checked entry; the hooked flag is not emitted."""
        for (i, _, idt_addr, sym_name, hooked) in data:
            yield (0, [Address(i), Address(idt_addr), str(sym_name)])

    def render_text(self, outfd, data):
        """Print index, handler address and symbol for every checked entry."""
        self.table_header(outfd, [("Index", "[addr]"), ("Address", "[addrpad]"), ("Symbol", "<30")])

        for (i, _, idt_addr, sym_name, hooked) in data:
            self.table_row(outfd, i, idt_addr, sym_name)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/process_stack.py0000644000000000000000000010254013131215405025374 0ustar rootroot
# Volatility
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
# # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA """ @author: Edwin Smulders @license: GNU General Public License 2.0 or later @contact: mail@edwinsmulders.eu """ import volatility.plugins.linux.process_info as linux_process_info import volatility.plugins.linux.check_syscall as linux_check_syscall import volatility.plugins.linux.common as linux_common import volatility.debug as debug import struct import os.path verbose_stack_arguments = True stats = {} stats['tasks'] = 0 stats['threads'] = 0 stats['tasks_ignored'] = 0 stats['tasks_zero_frames'] = 0 stats['threads_zero_frames'] = 0 stats['libc_start'] = 0 stats['main'] = 0 stats['frames'] = {} stats['frames']['possible_frames'] = 0 stats['frames']['function_address'] = 0 stats['frames']['symbols'] = 0 # stats['syscall'] = {} # stats['syscall']['total'] = 0 try: import distorm3 distorm_loaded = True except: distorm_loaded = False try: import elftools elftools_loaded = True except: elftools_loaded = False def yield_address(space, start, length = None, reverse = False): """ A function to read a series of values starting at a certain address. @param space: address space @param start: starting address @param length: the size of the values to read @param reverse: option to read in the other direction @return: an iterator """ if not length: length = linux_process_info.address_size cont = True while space.is_valid_address(start) and cont: try: value = read_address(space, start, length) yield value except struct.error: cont = False yield None if reverse: start -= length else: start += length def read_address(space, start, length = None): """ Read an address in a space, at a location, of a certain length. 
@param space: the address space @param start: the address @param length: size of the value """ if not length: length = linux_process_info.address_size fmt = " 0: lastframe = frames[-1] while(lastframe.ebp and p.is_thread_stack_pointer(lastframe.ebp) and not lastframe.ebp == lastframe.ebp_address ): newframe = stack_frame(lastframe.ebp + (address_size * 2), p.proc_as, lastframe.frame_number+1) frames.append(newframe) lastframe = newframe #print("{:016x}, {:016x}".format(main_frame.address, lastframe.address)) if main_frame: if main_frame.address == lastframe.address: lastframe.function = main_frame.function else: frames.append(main_frame) if libc_start_main_stack_frame: if lastframe.address != libc_start_main_stack_frame.address: frames.append(libc_start_main_stack_frame) else: if main_frame: frames.append(main_frame) if libc_start_main_stack_frame: frames.append(libc_start_main_stack_frame) for frame in frames: if not frame.function: frame.function = self.find_function_address(p.proc_as, frame.ret) frame.symbol = self.find_function_symbol(task, frame.function) stats['frames']['possible_frames'] += 1 if frame.function: stats['frames']['function_address'] += 1 if frame.symbol: stats['frames']['symbols'] += 1 # self.find_locals_size(p.proc_as, frames) if len(frames) == 0: if is_thread: stats['threads_zero_frames'] += 1 else: stats['tasks_zero_frames'] += 1 #self.validate_stack_frames(frames) return p, p.thread_registers[i], frames def find_oldschool_frames(self, p, proc_as, registers): """ This function builds a list of stack frames using the old frame pointer @param p: process info @param proc_as: process address space @param registers: cpu registers @return: a list of frames """ frames = [] address_size = linux_process_info.address_size rbp = registers.rbp rsp_value = read_address(proc_as, registers.rsp) frame_number = 1 st = stack_frame(rbp+0x10, proc_as, frame_number) address = registers.rsp # start at stack pointer frame0_addr = 0 foundframe0 = False frame0 = 
None while ( address < st.ebp_address ): value = read_address(p.proc_as, address) if value == st.ebp_address: frame0_addr = address + (address_size * 2) foundframe0 = True break address += address_size if frame0_addr == 0 and p.is_code_pointer(rsp_value): frame0_addr = registers.rsp + address_size foundframe0 = True if not foundframe0: st.frame_number = 0 else: frame0 = stack_frame(frame0_addr, p.proc_as, 0) if frame0: frames.append(frame0) frames.append(st) return frames def find_scanned_frames(self, p, address, end): """ Find frames by scanning for return addresses. @param p: process info object @param address: Start address @param end: End address @return: a list of frames """ address_size = linux_process_info.address_size frames = [] debug.info("Scan range (%rsp to end) = (0x{:016x} to 0x{:016x})".format(address, end)) count = 0 while address <= end: if p.proc_as.is_valid_address(address) and self.is_return_address(read_address(p.proc_as, address, address_size), p): st = stack_frame(address + address_size, p.proc_as, count) frames.append(st) count += 1 address += address_size return frames def find_entry_point(self, proc_as, start_code): """ Read the entry point from the program header. @param proc_as: Process address space @param start_code: Start of the program code mapping @return The address of the entry point (_start) """ # entry point lives at ELF header + 0x18 # add it to the memory mapping of the binary if not proc_as.is_valid_address(start_code+0x18): # it's gone from memory debug.info("We could not find program entry point, skipping _start detection") return False offset = read_address(proc_as, start_code+0x18) if offset > start_code: # it's an absolute address return offset else: # it's a relative offset, i.e. PIE code return start_code + offset def validate_stack_frames(self, frames): """ Attempt to validate stackframes, broken and unused. 
@param frames: list of frames @return: None """ prev_function = 0 to_remove = [] for frame in frames[::-1]: if prev_function < frame.ret: # this is good prev_function = frame.function else: frames.remove(frame) # to_remove.append(frame) # for frame in to_remove: # frames.remove(frame) def is_return_address(self, address, process_info): """ Checks if the address is a return address by checking if the preceding instruction is a 'CALL'. @param address: An address @param process_info: process info object @return True or False """ proc_as = process_info.proc_as size = 5 if distorm_loaded and process_info.is_code_pointer(address): offset = address - size instr = distorm3.Decode(offset, proc_as.read(offset, size), self.decode_as) # last instr, third tuple item (instr string), first 7 letters # if instr[-1][2][:7] == 'CALL 0x': # print(instr[-1][2]) if len(instr) > 0: return instr[-1][2][:4] == 'CALL' # there's also call return False def find_return_libc_start(self, proc_as, start_stack, return_start): """ Scans the stack for a certain address, in this case the return address of __libc_start_main. @param proc_as: Process address space @param start_stack: Start address to search @param return_start: The return address to find @return The address found or None """ address = start_stack for value in yield_address(proc_as, start_stack, reverse=True): if value == return_start: debug.info("Scanned {} stack addresses before finding the __libc_start_main return address".format((start_stack-address)/linux_process_info.address_size)) return address address -= linux_process_info.address_size debug.info("Exhausted search for __libc_start_main return address at stack address {:016x}".format(address)) return None def find_return_main(self, proc_as, libc_start, libc_end, start_address): """ Find the return address of the main function by scanning for pointers into libc. At this point we will look for specific patterns in the code, to gather addresses. 
@param proc_as: Process address space @param libc_start: Start address of libc code @param libc_end: End address of libc code @param start_address: The address to start the scan at. @return: The address on the stack and an offset (the location of the main address on the stack) or None/False """ if not distorm_loaded: return # This function checks if it is a return address, does the actual work def is_return_address(address): # Load 1 instruction (Debian) # # hardcoding 4 bytes size = 4 bytestr = proc_as.read(address - size, size) # Instruction in the form of 'CALL RSP+0x18' single_instr = distorm3.Decode(address - size, bytestr, self.decode_as) if len(single_instr) == 1 and single_instr[0][2][:4] == 'CALL': # we use this one # print(single_instr) part = single_instr[0][2].split('[')[1] if part[:4] == 'RSP+': # take the part after the +, slice off the 0x, and convert to an int rspoffset = int(part.split('+')[1][2:-1],16) return rspoffset # Arch linux/Ubuntu # load 3 instructions, something like this: # mov 0x18(%rsp), %rax (size 5) # mov (%rax), %rdx (size 3) # callq *reg (size 2) # hardcoding 10 bytes size = 10 bytestr = proc_as.read(address - size, size) possible = ['RCX', 'RAX'] instr = distorm3.Decode(address - size, bytestr, self.decode_as) # print(instr[-1][2]) checkother = False if 0 < len(instr) < 3: pass elif len(instr) == 3: # check all 3 checkother = True else: return False last_instr = instr[-1][2].split(' ') register = None #print(last_instr) if last_instr[0] == 'CALL' and last_instr[1] in possible: #print(last_instr) register = last_instr[1] else: # print(last_instr) return None # Find the offset if checkother: mov = 'MOV ' + register confirmed = True movinstr = None saveinstr = None if mov in instr[0][2]: movinstr = instr[0][2] saveinstr = instr[1][2] elif mov in instr[1][2]: saveinstr = instr[0][2] movinstr = instr[1][2] else: # that's weird confirmed = False if movinstr != None: part = movinstr.split('[')[1] if part[:4] == 'RSP+': # take the part 
after the +, slice off the 0x, and convert to an int rspoffset = int(part.split('+')[1][2:-1],16) return rspoffset return False # just a loop with some minor logic, the internal function does all the work addr = start_address counter = 0 invalid = 0 for value in yield_address(proc_as, start_address, reverse=True): if libc_start <= value <= libc_end: counter += 1 #print("{:016x} {:016x}".format(addr, value)) if not proc_as.is_valid_address(value): invalid += 1 else: retval = is_return_address(value) if retval: debug.info("Scanned {} libc addresses on the stack before finding the main return address".format(counter)) return addr, retval addr -= linux_process_info.address_size debug.info("Scanned {} libc addresses on the stack, did not find the main return address".format(counter)) debug.info("Of these addresses, {} were invalid (e.g. due to swap)".format(invalid)) def find_locals_size(self, proc_as, frames): """ Find the size of the locals of the function, similar to GDB's prologue analysis. Buggy and not actually used. @param proc_as: Process address space @param frames: a list of stack frames @return None """ if not distorm_loaded: return for frame in frames: if frame.function: instr = distorm3.Decode(frame.function, proc_as.read(frame.function, 8), self.decode_as) if self.is_function_header(instr) and len(instr) > 2: test = instr[2][2].split(' ') if test[0] == 'SUB' and test[1] == 'RSP,': frame.locals_size = int(test[2][2:], 16) def has_frame_pointer(self, function_address, proc_as): """ Check if the function at function_address has a frame pointer. @param function_address: An address of a function (code) @param proc_as: Process address space @return: True or False """ return proc_as.read(function_address, 1) == '\x55' # push rbp def is_function_header(self, instructions): """ Check if something is a function header (with frame pointer and locals). 
@param instructions: distorm disassembled instructions @return True or False """ return len(instructions) > 1 and instructions[0][2] == 'PUSH RBP' and instructions[1][2] == 'MOV RBP, RSP' def find_function_symbol(self, task, address): """ Match a function symbol to a functiona address. @param task: the task_struct @param address: The function address @return: The function symbol or None """ if self.symbols: for vma in task.get_proc_maps(): if vma.vm_start <= address <= vma.vm_end: #lib = vma.vm_file lib = linux_common.get_path(task, vma.vm_file) offset = address - vma.vm_start #libsymbols = self.symbols[os.path.basename(lib)] if type(lib) == list: lib = "" base = os.path.basename(lib) #print(base) #print("{:016x} {} {}".format(offset, base, lib)) if base in self.symbols: if offset in self.symbols[base]: debug.info("Instruction was a call to 0x{:016x} = {}@{}".format(address, self.symbols[base][offset], base )) return self.symbols[base][offset] elif address in self.symbols[base]:# for a function in the main binary, eg 0x40081e debug.info("Instruction was a call to 0x{:016x} = {}@{}".format(address, self.symbols[base][address], base )) return self.symbols[base][address] break return None def find_function_address(self, proc_as, ret_addr): """ Calculates the function address given a return address. Disassembles code to get through the double indirection introduced by the Linux PLT. 
@param proc_as: Process address space @param ret_addr: Return address @return The function address or None """ if distorm_loaded: decode_as = self.decode_as retaddr_assembly = distorm3.Decode(ret_addr - 5, proc_as.read(ret_addr - 5, 5), decode_as) if len(retaddr_assembly) == 0: return None #print(retaddr_assembly) retaddr_assembly = retaddr_assembly[0] # We're only getting 1 instruction # retaddr_assembly[2] = "CALL 0x400620" instr = retaddr_assembly[2].split(' ') #print(instr) if instr[0] == 'CALL': try: target = int(instr[1][2:], 16) except ValueError: return None bytes = proc_as.read(target, 6) if not bytes: # We're not sure if this is the function address return target plt_instructions = distorm3.Decode(target, bytes, decode_as) plt_assembly = plt_instructions[0] # 1 instruction #print(plt_assembly) instr2 = plt_assembly[2].split(' ') #print(instr2) if instr2[0] == 'JMP': final_addr = None if instr2[1] == 'DWORD': target2 = int(instr2[2][3:-1], 16) elif instr2[1] == 'QWORD': # if QWORD target2 = int(instr2[2][7:-1], 16) else: # if 0xADDRESS final_addr = int(instr2[1][2:],16) if not final_addr: final_addr = target + 6 + target2 debug.info("Found function address from instruction {} at offset 0x{:016x}".format(instr2, target)) return read_address(proc_as, final_addr) elif instr2[0] == 'PUSH' and instr2[1] == 'RBP': # This is an internal function debug.info("Found function address from instruction {} at offset 0x{:016x}".format(instr, target)) return target else: # In case push rbp is removed debug.info("Found function address from instruction {} at offset 0x{:016x}".format(instr, target)) return target return None else: return None def calculate_annotations(self, frames): """ Create annotations using the frame list. 
@param frames: a list of stackframes @return a dict of stack address -> (value, annotation) """ size = linux_process_info.address_size end = frames[-1].address start = frames[0].ebp_address l = linux_process_info.read_int_list(start, end, frames[0].proc_as) result = {} offset = start for value in l: result[offset] = (value, "") offset += size for frame in frames[::-1]: result[frame.ebp_address] = (frame.ebp, "") # print(frame) annotation = "return address" if frame.function: annotation += " for {:016x}".format(frame.function) if frame.symbol: annotation += " ( {} )".format(frame.symbol) result[frame.ret_address] = (frame.ret, annotation) return result def render_text(self, outfd, data): self.outfd = outfd for (p, reg, frames) in data: #self.render_registers(reg) debug.info("Found {} frames!".format(len(frames))) debug.info("") print(frames) if self.dump_file: self.write_annotated_stack(self.dump_file, self.calculate_annotations(frames)) print(stats) def write_annotated_stack(self, f, stack_ann): """ Writes an annotated to a file ( the -o option ) @param f: The file to write @param stack_ann: the annotated stack dict as returned by calculate_annotations() @return: None """ f.write("{:16s} {:16s} {}\n".format("Address", "Value", "Annotation")) for address in sorted(stack_ann.keys()): value, ann = stack_ann[address] f.write("{:016x}: {:016x} {}\n".format(address, value, ann)) #f.close() class stack_frame(object): """ A class to record info about a stack frame. 
""" def __init__(self, address, proc_as, frame_number): self.address = address self.proc_as = proc_as self.frame_number = frame_number self._function = None self.symbol = None self.locals_size = None @property def function(self): return self._function @function.setter def function(self, value): self._function = value @property def ret(self): if self.proc_as.is_valid_address(self.ret_address): return read_address(self.proc_as, self.ret_address) return 0 @property def ret_address(self): return self.address - linux_process_info.address_size @property def ebp(self): if self.proc_as.is_valid_address(self.ebp_address) and self.ebp_address != 0: return read_address(self.proc_as, self.ebp_address) return 0 @property def ebp_address(self): return self.address - (linux_process_info.address_size * 2) @property def arg_address(self): return self.address - (linux_process_info.address_size * 3) @property def locals_end(self): return self.ret_address - self.locals_size def get_locals(self): start = self.locals_end - linux_process_info.address_size end = self.ret_address - linux_process_info.address_size return linux_process_info.read_int_list(start, end, self.proc_as) def __repr__(self): rep = "\n" rep += "Frame {}\n========\n".format(self.frame_number) rep += "Stack frame at 0x{:016x}\n".format(self.address) if self.locals_size: rep += "Local variables at {:016x} to {:016x}\n".format(self.ebp_address, self.locals_end) if verbose_stack_arguments: rep += "Locals:\n" for local in self.get_locals(): rep += "\t0x{:016x}\n".format(local) #rep += "Arglist at {:016x}, args: TODO\n".format(self.arg_address) rep += "Saved registers:\n" rep += "\tebp at 0x{:016x}: 0x{:016x}\n".format(self.ebp_address, self.ebp) rep += "\teip at 0x{:016x}: 0x{:016x} (Return Address)\n".format(self.ret_address, self.ret) if self.function: rep += "Frame function address: {:016x}\n".format(self.function) if self.symbol: rep += "Frame function symbol: {}\n".format(self.symbol) return rep 
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/ld_env.py0000644000000000000000000000277413131215405024010 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import volatility.plugins.linux.pslist as linux_pslist

class linux_dynamic_env(linux_pslist.linux_pslist):
    """Recover a process' dynamic environment variables"""

    def render_text(self, outfd, data):
        """Print PID, name and the recovered KEY=VALUE pairs for every task.

        The pairs come from task.bash_environment() and are written out as
        found in the image, each followed by one space.
        """
        self.table_header(outfd, [("Pid", "8"),
                                  ("Name", "20"),
                                  ("Vars", "")])

        for task in data:
            pairs = ["%s=%s " % (key, val) for (key, val) in task.bash_environment()]
            varstr = "".join(pairs)

            self.table_row(outfd, task.pid, task.comm, varstr)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/tty_check.py0000644000000000000000000000543213131215405024510 0ustar rootroot
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Joe Sylve
@license:      GNU General Public License 2.0
@contact:      joe.sylve@gmail.com
@organization: 504ENSICS Labs
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsmod as linux_lsmod

class linux_check_tty(linux_common.AbstractLinuxCommand):
    """Checks tty devices for hooks"""

    def calculate(self):
        """Check the line-discipline receive_buf pointer of every tty device.

        Walks the tty_drivers list and, for each non-null entry of a driver's
        ttys array, yields (device name, receive_buf address, symbol name,
        hooked). hooked is 1 and the name is "HOOKED" when
        self.is_known_address rejects the pointer.
        """
        linux_common.set_plugin_members(self)

        modules = linux_lsmod.linux_lsmod(self._config).get_modules()

        tty_addr = self.addr_space.profile.get_symbol("tty_drivers")

        if not tty_addr:
            debug.error("Symbol tty_drivers not found in kernel")

        drivers = obj.Object("list_head", offset = tty_addr, vm = self.addr_space)

        # Filled in below but never read back in this method.
        sym_cache = {}

        for driver in drivers.list_of_type("tty_driver", "tty_drivers"):
            # The driver name is replaced by the device name before it is used.
            name = driver.name.dereference_as("String", length = linux_common.MAX_STRING_LENGTH)

            slots = obj.Object("Array", targetType = "Pointer", vm = self.addr_space, offset = driver.ttys, count = driver.num)

            for slot in slots:
                if slot == 0:
                    continue

                tty_dev = slot.dereference_as("tty_struct")
                name = tty_dev.name
                recv_buf = tty_dev.ldisc.ops.receive_buf

                if self.is_known_address(recv_buf, modules):
                    sym_name = self.profile.get_symbol_by_address("kernel", recv_buf)
                    hooked = 0
                else:
                    sym_name = "HOOKED"
                    hooked = 1

                sym_cache[recv_buf] = sym_name

                yield (name, recv_buf, sym_name, hooked)

    def render_text(self, outfd, data):
        """Print device name, receive_buf address and symbol for every device."""
        self.table_header(outfd, [("Name", "<16"), ("Address", "[addrpad]"), ("Symbol", "<30")])

        for name, call_addr, sym_name, _hooked in data:
            self.table_row(outfd, name, call_addr, sym_name)
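# [tar member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/librarydump.py0000644000000000000000000000561113131215405025064 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import os
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist
import volatility.plugins.linux.procdump as linux_procdump

class linux_librarydump(linux_pslist.linux_pslist):
    """Dumps shared libraries in process memory to disk"""

    def __init__(self, config, *args, **kwargs):
        """Register the DUMP-DIR (-D) and BASE (-b) options on top of pslist's."""
        linux_pslist.linux_pslist.__init__(self, config, *args, **kwargs)
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'Output directory', action = 'store', type = 'str')
        self._config.add_option('BASE', short_option = 'b', default = None, help = 'Dump only the library mapped at BASE address (in hex)', action = 'store', type = 'int')

    def render_text(self, outfd, data):
        """Dump every mapping that starts with the ELF magic and list it.

        For each task that has an mm, every mapping returned by
        get_proc_maps() whose first four bytes are "\\x7fELF" is written to
        DUMP_DIR through linux_common.write_elf_file(); BASE, when given,
        restricts the dump to the mapping starting at that address.

        The dumped files are content taken from the analysed image, so handle
        them as untrusted samples.
        """
        dump_dir = self._config.DUMP_DIR

        # The option is documented as an existing directory, so verify that
        # before any dump is attempted instead of failing part-way through.
        if not dump_dir or not os.path.isdir(dump_dir):
            debug.error("-D/--dump-dir must be given and must specify an existing directory")

        self.table_header(outfd, [("Offset", "[addrpad]"),
                                  ("Name", "20"),
                                  ("Pid", "15"),
                                  ("Address", "[addrpad]"),
                                  ("Output File", "")])

        for task in data:
            # Tasks without an mm are skipped.
            if not task.mm:
                continue

            proc_as = task.get_process_address_space()

            for vma in task.get_proc_maps():
                if self._config.BASE and vma.vm_start != self._config.BASE:
                    continue

                elf_addr = vma.vm_start

                # zread() is used so an unreadable page compares unequal to
                # the magic rather than raising.
                buf = proc_as.zread(elf_addr, 4)
                if buf != "\x7fELF":
                    continue

                file_path = linux_common.write_elf_file(dump_dir, task, elf_addr)

                self.table_row(outfd, task.obj_offset, task.comm, str(task.pid), elf_addr, file_path)

# [tar member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/find_file.py0000644000000000000000000002116113131215405024447 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.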
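#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import sys, os
import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.mount as linux_mount
import volatility.plugins.linux.flags as linux_flags
import volatility.debug as debug
import volatility.utils as utils

class linux_find_file(linux_common.AbstractLinuxCommand):
    '''Lists and recovers files from memory'''

    def __init__(self, config, *args, **kwargs):
        """Register FIND (-F), INODE (-i), OUTFILE (-O) and LISTFILES (-L)."""
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        config.add_option('FIND', short_option = 'F', default = None, help = 'file (path) to find', action = 'store', type = 'str')
        config.add_option('INODE', short_option = 'i', default = None, help = 'inode to write to disk', action = 'store', type = 'int')
        config.add_option('OUTFILE', short_option = 'O', default = None, help = 'output file path', action = 'store', type = 'str')

        config.remove_option("LIST_SBS")
        config.add_option('LISTFILES', short_option = 'L', default = None, help = 'list all files cached in memory', action = 'count')

    def _walk_sb(self, dentry_param, parent):
        """Return [(path, dentry), ...] for everything below dentry_param.

        Recurses into each child whose inode is valid and a directory.
        NOTE(review): the recursion depth follows the dentry tree found in
        the image; only the direct self-reference case is filtered out.
        """
        ret = []

        # The sibling list member is d_child when the dentry has one,
        # otherwise d_u.
        if hasattr(dentry_param, "d_child"):
            walk_member = "d_child"
        else:
            walk_member = "d_u"

        for dentry in dentry_param.d_subdirs.list_of_type("dentry", walk_member):
            # corruption
            if dentry.v() == dentry_param.v():
                continue

            if not dentry.d_name.name.is_valid():
                continue

            # do not use os.path.join
            # this allows us to have consistent paths from the user
            name = dentry.d_name.name.dereference_as("String", length = 255)
            new_file = parent + "/" + name
            ret.append((new_file, dentry))

            inode = dentry.d_inode

            if inode and inode.is_valid() and inode.is_dir():
                ret = ret + self._walk_sb(dentry, new_file)

        return ret

    def _get_sbs(self):
        """Return [(super_block, mount path), ...] from the linux_mount plugin."""
        ret = []

        for (sb, _dev_name, path, fstype, _rr, _mnt_string) in linux_mount.linux_mount(self._config).calculate():
            ret.append((sb, path))

        return ret

    def walk_sbs(self):
        """Yield (sb, sb_path, file_path, dentry) for each cached file of each mount."""
        linux_common.set_plugin_members(self)
        sbs = self._get_sbs()

        for (sb, sb_path) in sbs:
            # Files below "/" get no extra prefix, so paths do not start "//".
            if sb_path != "/":
                parent = sb_path
            else:
                parent = ""

            rname = sb.s_root.d_name.name.dereference_as("String", length = 255)
            if rname and len(rname) > 0:
                yield (sb, sb_path, sb_path, sb.s_root)

            for (file_path, file_dentry) in self._walk_sb(sb.s_root, parent):
                yield (sb, sb_path, file_path, file_dentry)

    def calculate(self):
        """List files, find one path, or write one inode's contents to OUTFILE.

        LISTFILES yields (path, inode) for every walked file; FIND yields the
        first exact path match; INODE together with OUTFILE writes the pages
        of that inode to the given file and yields nothing. Any other
        combination is reported through debug.error().

        OUTFILE is opened with "wb", so an existing file at that path is
        overwritten, and the data written is content from the analysed image.
        """
        linux_common.set_plugin_members(self)

        find_file = self._config.FIND
        inode_addr = self._config.inode
        outfile = self._config.outfile
        listfiles = self._config.LISTFILES

        if listfiles:
            for (_, _, file_path, file_dentry) in self.walk_sbs():
                yield (file_path, file_dentry.d_inode)

        elif find_file and len(find_file):
            for (_, _, file_path, file_dentry) in self.walk_sbs():
                if file_path == find_file:
                    yield (file_path, file_dentry.d_inode)
                    break

        elif inode_addr and inode_addr > 0 and outfile and len(outfile) > 0:
            inode = obj.Object("inode", offset = inode_addr, vm = self.addr_space)

            try:
                f = open(outfile, "wb")
            except IOError, e:
                # The code below relies on debug.error() not returning.
                debug.error("Unable to open output file (%s): %s" % (outfile, str(e)))

            # Close the output file even when reading a page raises, so a
            # partially recovered file is flushed and the handle is released.
            try:
                for page in self.get_file_contents(inode):
                    f.write(page)
            finally:
                f.close()

        else:
            debug.error("Incorrect command line parameters given.")

    def render_text(self, outfd, data):
        """Print inode number, inode address and path; header only if rows exist."""
        shown_header = 0

        for (file_path, inode) in data:
            if not shown_header:
                self.table_header(outfd, [("Inode Number", "16"), ("Inode", "[addr]"), ("File Path", "")])
                shown_header = 1

            inode_num = inode.i_ino

            self.table_row(outfd, inode_num, inode, file_path)

    # from here down is code to walk the page cache and mem_map / mem_section page structs#
    def radix_tree_is_indirect_ptr(self, ptr):
        """Return the low bit of ptr (non-zero marks an indirect pointer)."""
        return ptr & 1

    def radix_tree_indirect_to_ptr(self, ptr):
        """Return the radix_tree_node at ptr with the low tag bit cleared."""
        return obj.Object("radix_tree_node", offset = ptr & ~1, vm = self.addr_space)

    def radix_tree_lookup_slot(self, root, index):
        """Return the slot for index in the radix tree at root, or None.

        NOTE(review): height and shift are read from the image and the slots
        are not validated while descending; confirm how a damaged tree
        behaves before relying on recovered content.
        """
        self.RADIX_TREE_MAP_SHIFT = 6
        self.RADIX_TREE_MAP_SIZE = 1 << self.RADIX_TREE_MAP_SHIFT
        self.RADIX_TREE_MAP_MASK = self.RADIX_TREE_MAP_SIZE - 1

        node = root.rnode

        # A direct (untagged) root can only hold index 0; return a pointer to
        # the rnode member itself.
        if self.radix_tree_is_indirect_ptr(node) == 0:
            if index > 0:
                return None

            off = root.obj_offset + self.profile.get_obj_offset("radix_tree_root", "rnode")

            page = obj.Object("Pointer", offset = off, vm = self.addr_space)

            return page

        node = self.radix_tree_indirect_to_ptr(node)

        if hasattr(node, "height"):
            height = node.height
        else:
            height = node.path

        if hasattr(node, "shift"):
            shift = node.shift
        else:
            shift = (height - 1) * self.RADIX_TREE_MAP_SHIFT

        slot = -1

        # Descend one level per iteration until height reaches zero.
        while 1:
            idx = (index >> shift) & self.RADIX_TREE_MAP_MASK

            slot = node.slots[idx]

            node = self.radix_tree_indirect_to_ptr(slot)

            shift = shift - self.RADIX_TREE_MAP_SHIFT
            height = height - 1

            if height <= 0:
                break

        if slot == -1:
            return None

        return slot

    def SHMEM_I(self, inode):
        """Return the shmem_inode_info that embeds inode as its vfs_inode member."""
        offset = self.profile.get_obj_offset("shmem_inode_info", "vfs_inode")
        return obj.Object("shmem_inode_info", offset = inode.obj_offset - offset, vm = self.addr_space)

    def find_get_page(self, inode, offset):
        """Return the page-cache slot for page index offset of inode (may be None)."""
        page = self.radix_tree_lookup_slot(inode.i_mapping.page_tree, offset)

        #if not page:
            # FUTURE swapper_space support
        #    print "no page"

        return page

    def get_page_contents(self, inode, idx):
        """Return 4096 bytes for page idx of inode, zero-filled when not found."""
        page_addr = self.find_get_page(inode, idx)

        if page_addr:
            page = obj.Object("page", offset = page_addr, vm = self.addr_space)
            phys_offset = page.to_paddr()

            if phys_offset > 0:
                phys_as = utils.load_as(self._config, astype = 'physical')
                data = phys_as.zread(phys_offset, 4096)
            else:
                data = "\x00" * 4096
        else:
            data = "\x00" * 4096

        return data

    # main function to be called, handles getting all the pages of an inode
    # and handles the last page not being page_size aligned
    def get_file_contents(self, inode):
        """Yield the file's contents page by page, trimming the last page.

        Pages missing from the cache come back zero-filled, so the output can
        contain runs of zeros that were not in the original file.
        NOTE(review): i_size is taken from the image; the only bound is the
        1000000000-page cap below, and range() materialises the index list.
        """
        linux_common.set_plugin_members(self)
        data = ""
        file_size = inode.i_size

        if not inode.is_valid() or file_size == None:
            raise StopIteration

        extra = file_size % 4096
        idxs = file_size / 4096

        # A partial last page counts as a page; extra becomes the number of
        # bytes to cut from its end.
        if extra > 0:
            extra = 4096 - extra
            idxs = idxs + 1

        if idxs > 1000000000:
            raise StopIteration

        for idx in range(0, idxs):
            data = self.get_page_contents(inode, idx)

            # this is to chop off any extra data on the last page
            if idx == idxs - 1:
                if extra > 0:
                    extra = extra * -1
                    data = data[:extra]

            yield data

# [tar member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/mount.py0000644000000000000000000001562613131215405023703 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.flags as linux_flags
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist

class linux_mount(linux_common.AbstractLinuxCommand):
    """Gather mounted fs/devices"""

    def _parse_mnt(self, mnt, ns, fs_types):
        """Return (sb, dev_name, path, fstype, "ro"/"rw", flag string) or None.

        None is returned when the mount root, device name or filesystem type
        name is not valid, or when no path can be built. ns and fs_types are
        accepted but not used by the active code.
        """
        ret = None

        if not mnt.mnt_root.is_valid():
            return ret

        dev_name = mnt.mnt_devname.dereference_as("String", length = linux_common.MAX_STRING_LENGTH)
        if not dev_name.is_valid():
            return ret

        fstype = mnt.mnt_sb.s_type.name.dereference_as("String", length = linux_common.MAX_STRING_LENGTH)
        if not fstype.is_valid():
            return ret

        #print fs_types
        #if str(fstype) not in fs_types:
        #    return ret

        path = linux_common.do_get_path(mnt.mnt_sb.s_root, mnt.mnt_parent, mnt.mnt_root, mnt)
        if path == []:
            return ret

        mnt_string = self._calc_mnt_string(mnt)

        # Reported read-only when bit 0x40 of mnt_flags or bit 0x1 of the
        # superblock flags is set.
        if (mnt.mnt_flags & 0x40) or (mnt.mnt_sb.s_flags & 0x1):
            rr = "ro"
        else:
            rr = "rw"

        return mnt.mnt_sb, str(dev_name), path, fstype, rr, mnt_string

    def calculate(self):
        """Yield one parsed mount tuple per distinct superblock.

        Mount structures are collected in three passes (mount hash table,
        mnt_child lists, mnt_list lists) and de-duplicated before parsing.
        Each list walk carries a seen-set or a hard cap, so a damaged or
        looping list in the image terminates the walk.
        """
        linux_common.set_plugin_members(self)

        mntptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("mount_hashtable"), vm = self.addr_space)

        mnt_list = obj.Object(theType = "Array", offset = mntptr, vm = self.addr_space, targetType = "list_head", count = 8200)

        # The structure is named "mount" when the profile has that type,
        # otherwise "vfsmount".
        if self.profile.has_type("mount"):
            mnttype = "mount"
        else:
            mnttype = "vfsmount"

        ns = None
        fs_types = self._get_filesystem_types()

        hash_mnts = {}
        seen_outer = {}
        # Pass 1: every bucket of the hash table.
        for (idx, outerlist) in enumerate(mnt_list):
            if outerlist == None or outerlist.next == None:
                continue

            if outerlist.next.v() in seen_outer:
                continue

            seen_outer[outerlist.next.v()] = 1

            # Skip empty buckets and buckets whose next pointer is not valid.
            if outerlist == outerlist.next or not outerlist.m("next").is_valid():
                continue

            seen = {}
            for mnt in outerlist.list_of_type(mnttype, "mnt_hash"):
                if mnt.v() in seen:
                    break

                seen[mnt.v()] = 1

                # Hard cap on entries taken from one bucket.
                if len(seen.keys()) > 1024:
                    break

                if mnt.is_valid():
                    hash_mnts[mnt] = 1
                else:
                    break

                if mnt.mnt_parent.is_valid():
                    hash_mnts[mnt.mnt_parent] = 1

                if mnt.mnt_parent.mnt_parent.is_valid():
                    hash_mnts[mnt.mnt_parent.mnt_parent] = 1

        child_mnts = {}
        # Pass 2: children of everything found in pass 1.
        for mnt in hash_mnts:
            cseen = {}
            for child_mnt in mnt.mnt_child.list_of_type(mnttype, "mnt_child"):
                if not child_mnt.is_valid():
                    break

                child_mnts[child_mnt] = 1

                if child_mnt.v() in cseen:
                    break

                cseen[child_mnt.v()] = 1

                if child_mnt.mnt_parent.is_valid():
                    child_mnts[child_mnt.mnt_parent] = 1

                if child_mnt.mnt_parent.mnt_parent.is_valid():
                    child_mnts[child_mnt.mnt_parent.mnt_parent] = 1

        tmp_mnts = list(set(hash_mnts.keys() + child_mnts.keys()))
        all_mnts = []

        # Keep candidates whose device name is longer than two characters and
        # either starts with "/" or is one of the listed pseudo filesystems.
        for t in tmp_mnts:
            tt = t.mnt_devname.dereference_as("String", length = linux_common.MAX_STRING_LENGTH)
            if tt:
                tmp = str(tt)
                if len(str(tmp)) > 2 and (str(tmp)[0] == '/' or tmp in ['devtmpfs', 'proc', 'sysfs', 'nfsd', 'tmpfs', 'sunrpc', 'devpts', 'none']):
                    all_mnts.append(t)

        list_mnts = {}
        seen_m = {}
        # Pass 3: up to 21 entries of each surviving mount's mnt_list.
        for mnt in all_mnts:
            if mnt.v() in seen_m:
                continue
            else:
                seen_m[mnt.v()] = 1

            for (idx, child_mnt) in enumerate(mnt.mnt_list.list_of_type(mnttype, "mnt_list")):
                if idx > 20:
                    break

                if child_mnt.is_valid():
                    list_mnts[child_mnt] = 1

                if child_mnt.mnt_parent.is_valid():
                    list_mnts[child_mnt.mnt_parent] = 1

                if child_mnt.mnt_parent.mnt_parent.is_valid():
                    list_mnts[child_mnt.mnt_parent.mnt_parent] = 1

        all_mnts = list(set(all_mnts + list_mnts.keys()))

        seen = {}
        for (idx, mnt) in enumerate(all_mnts):
            if mnt.mnt_sb.v() not in seen:
                ret = self._parse_mnt(mnt, ns, fs_types)

                mark = False

                if ret:
                    (mnt_sb, dev_name, path, fstype, rr, mnt_string) = ret

                    # A devtmpfs entry mounted on "/" is neither reported nor
                    # marked as seen.
                    if not (dev_name == "devtmpfs" and path == "/"):
                        yield (mnt_sb, dev_name, path, fstype, rr, mnt_string)
                        mark = True

                if mark:
                    seen[mnt.mnt_sb.v()] = 1

    def _calc_mnt_string(self, mnt):
        """Concatenate the linux_flags.mnt_flags text of every flag set on mnt."""
        ret = ""

        for mflag in linux_flags.mnt_flags:
            if mflag & mnt.mnt_flags:
                ret = ret + linux_flags.mnt_flags[mflag]

        return ret

    def _get_filesystem_types(self):
        """Return {name: file_system_type} by following the file_systems list.

        NOTE(review): the walk stops only at an invalid entry; there is no
        seen-set, so a circular list in the image would not terminate.
        """
        all_fs = {}

        fs_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("file_systems"), vm = self.addr_space)
        file_systems = fs_ptr.dereference_as("file_system_type")

        fs = file_systems

        while fs.is_valid():
            fsname = obj.Object("String", offset = fs.name, vm = self.addr_space, length=256)
            all_fs[str(fsname)] = fs
            fs = fs.next

        return all_fs

    def render_text(self, outfd, data):
        """Write device, path, type, ro/rw and flag string for each mount."""
        for (_sb, dev_name, path, fstype, rr, mnt_string) in data:
            outfd.write("{0:25s} {1:35s} {2:12s} {3:2s}{4:64s}\n".format(dev_name, path, fstype, rr, mnt_string))

# [tar member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/pstree.py0000644000000000000000000000660213131215405024035 0ustar rootroot
# This file is part of Volatility.
# Copyright (C) 2007-2013 Volatility Foundation
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.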
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
"""

import volatility.plugins.linux.pslist as linux_pslist
from volatility.renderers.basic import Address
from volatility.renderers import TreeGrid
from collections import OrderedDict

class linux_pstree(linux_pslist.linux_pslist):
    '''Shows the parent/child relationship between processes'''

    def __init__(self, *args, **kwargs):
        """Start with an empty pid table, then initialise the pslist base."""
        self.procs = {}
        linux_pslist.linux_pslist.__init__(self, *args, **kwargs)

    def unified_output(self, data):
        """Return a TreeGrid whose rows are produced by generator(data)."""
        columns = [("Offset", Address),
                   ("Name", str),
                   ("Level", str),
                   ("Pid", int),
                   ("Ppid", int),
                   ("Uid", int),
                   ("Gid", int),
                   ("Euid", int)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one flat (depth 0) row per recorded task with a non-zero offset."""
        self.procs = OrderedDict()

        for task in data:
            self.recurse_task(task, 0, 0, self.procs)

        for entry in self.procs.values():
            # Stored order is uid, euid, gid; the row is emitted as uid, gid,
            # euid to match the column list of unified_output.
            (offset, name, level, pid, ppid, uid, euid, gid) = entry
            if not offset:
                continue
            row = [Address(offset),
                   str(name),
                   str(level),
                   int(pid),
                   int(ppid),
                   int(uid),
                   int(gid),
                   int(euid)]
            yield (0, row)

    def recurse_task(self, task, ppid, level, procs):
        """
        Fill a dictionary with a task and, recursively, all of its children.
        A pid that is already recorded is left untouched and not descended into.
        :param task: task whose subtree is recorded
        :param ppid: pid of the parent task
        :param level: depth from the root task
        :param procs: dictionary that is filled, keyed by pid
        """
        key = task.pid.v()
        if key in procs:
            return

        # Tasks without an mm are shown in square brackets.
        proc_name = task.comm if task.mm else "[" + task.comm + "]"

        # The third field is the name prefixed with one dot per level.
        indented = "." * level + proc_name
        procs[key] = (task.obj_offset, proc_name, indented, task.pid, ppid, task.uid, task.euid, task.gid)

        for child in task.children.list_of_type("task_struct", "sibling"):
            self.recurse_task(child, task.pid, level + 1, procs)

    def render_text(self, outfd, data):
        """Write the dotted process name, pid and uid of every recorded task."""
        line_fmt = "{0:20s} {1:15s} {2:15s}\n"
        self.procs = OrderedDict()

        outfd.write(line_fmt.format("Name", "Pid", "Uid"))

        for task in data:
            self.recurse_task(task, 0, 0, self.procs)

        for entry in self.procs.values():
            (offset, _, proc_name, pid, _, uid, _, _) = entry
            if not offset:
                continue
            # A false-valued uid is printed as an empty string.
            outfd.write(line_fmt.format(proc_name, str(pid), str(uid or '')))

# [tar member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/check_fops.py0000644000000000000000000001531513131215405024640 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
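#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import os
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist
import volatility.plugins.linux.lsmod as linux_lsmod
from volatility.plugins.linux.slab_info import linux_slabinfo
import volatility.plugins.linux.find_file as find_file
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class linux_check_fop(linux_common.AbstractLinuxCommand):
    """Check file operation structures for rootkit modifications"""

    def __init__(self, config, *args, **kwargs):
        """Register the INODE (-i) option: check a single inode only."""
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('INODE', short_option = 'i', default = None, help = 'inode to check', action = 'store', type='int')

    def check_file_cache(self, f_op_members, modules):
        """Yield (path, member, address) for the i_fop of every cached file."""
        for (_, _, file_path, file_dentry) in find_file.linux_find_file(self._config).walk_sbs():
            for (hooked_member, hook_address) in self.verify_ops(file_dentry.d_inode.i_fop, f_op_members, modules):
                yield (file_path, hooked_member, hook_address)

    def check_open_files_fop(self, f_op_members, modules):
        """Yield ("comm fd path", member, address) for the f_op of every open file."""
        # get all the members in file_operations, they are all function pointers
        tasks = linux_pslist.linux_pslist(self._config).calculate()
        for task in tasks:
            for filp, i in task.lsof():
                for (hooked_member, hook_address) in self.verify_ops(filp.f_op, f_op_members, modules):
                    name = "{0:s} {1:d} {2:s}".format(task.comm, i, linux_common.get_path(task, filp))
                    yield (name, hooked_member, hook_address)

    def check_proc_fop(self, f_op_members, modules):
        """Yield findings for the /proc mount root and its direct children.

        Nothing is yielded when the proc_mnt symbol is absent from the profile.
        """
        proc_mnt_addr = self.addr_space.profile.get_symbol("proc_mnt")

        if not proc_mnt_addr:
            return

        proc_mnt_ptr = obj.Object("Pointer", offset = proc_mnt_addr, vm = self.addr_space)
        proc_mnt = proc_mnt_ptr.dereference_as("vfsmount")

        root = proc_mnt.mnt_root

        for (hooked_member, hook_address) in self.verify_ops(root.d_inode.i_fop, f_op_members, modules):
            yield ("proc_mnt: root", hooked_member, hook_address)

        # Same member selection as linux_find_file._walk_sb: use d_child when
        # the dentry has it, otherwise d_u. Walking with the wrong member
        # would silently skip the entries this check is meant to inspect.
        if hasattr(root, "d_child"):
            walk_member = "d_child"
        else:
            walk_member = "d_u"

        # only check the root directory
        for dentry in root.d_subdirs.list_of_type("dentry", walk_member):
            name = dentry.d_name.name.dereference_as("String", length = 255)

            for (hooked_member, hook_address) in self.verify_ops(dentry.d_inode.i_fop, f_op_members, modules):
                yield("proc_mnt: {0}".format(name), hooked_member, hook_address)

    def walk_proc(self, cur, f_op_members, modules, parent = ""):
        """Yield findings for cur, its siblings and, recursively, their subdirs.

        self.seen_proc records visited entries by offset so a looping list in
        the image ends the walk. The parent argument is not used.
        """
        last_cur = None

        while cur:
            if cur.obj_offset in self.seen_proc:
                # Seeing the entry just processed again means the list loops
                # onto itself.
                if cur.obj_offset == last_cur:
                    break

                cur = cur.next
                continue

            self.seen_proc[cur.obj_offset] = 1

            name = cur.name.dereference_as("String", length = 255)

            fops = cur.proc_fops

            for (hooked_member, hook_address) in self.verify_ops(fops, f_op_members, modules):
                yield (name, hooked_member, hook_address)

            subdir = cur.subdir

            while subdir:
                for (name, hooked_member, hook_address) in self.walk_proc(subdir, f_op_members, modules):
                    yield (name, hooked_member, hook_address)
                subdir = subdir.next

            last_cur = cur.obj_offset
            cur = cur.next

    def check_proc_root_fops(self, f_op_members, modules):
        """Yield findings for proc_root and every proc_dir_entry below it.

        Nothing is yielded when the proc_root symbol is absent from the
        profile, matching how check_proc_fop treats a missing proc_mnt.
        """
        self.seen_proc = {}

        proc_root_addr = self.addr_space.profile.get_symbol("proc_root")

        if not proc_root_addr:
            return

        proc_root = obj.Object("proc_dir_entry", offset = proc_root_addr, vm = self.addr_space)

        for (hooked_member, hook_address) in self.verify_ops(proc_root.proc_fops, f_op_members, modules):
            yield("proc_root", hooked_member, hook_address)

        for (name, hooked_member, hook_address) in self.walk_proc(proc_root, f_op_members, modules):
            yield (name, hooked_member, hook_address)

    def calculate(self):
        """Yield (what, member, address) for every finding of verify_ops().

        With INODE only that inode's i_fop is checked; otherwise open files,
        the /proc mount, the proc_root tree and the file cache are checked in
        that order. All file_operations members except 'owner' are passed to
        verify_ops().
        """
        linux_common.set_plugin_members(self)

        modules = linux_lsmod.linux_lsmod(self._config).get_modules()

        f_op_members = self.profile.types['file_operations'].keywords["members"].keys()
        f_op_members.remove('owner')

        if self._config.INODE:
            inode = obj.Object("inode", offset=self._config.INODE, vm=self.addr_space)
            if not inode.is_valid():
                # The code below relies on debug.error() not returning.
                debug.error("Invalid inode address given. Please use linux_find_file to determine valid inode addresses.")

            for (hooked_member, hook_address) in self.verify_ops(inode.i_fop, f_op_members, modules):
                yield("inode at {0:x}".format(inode.obj_offset), hooked_member, hook_address)

        else:
            funcs = [self.check_open_files_fop, self.check_proc_fop, self.check_proc_root_fops, self.check_file_cache]

            for func in funcs:
                for (name, member, address) in func(f_op_members, modules):
                    yield (name, member, address)

    def unified_output(self, data):
        """Return a TreeGrid of (SymbolName, Member, Address) rows."""
        return TreeGrid([("SymbolName", str),
                         ("Member", str),
                         ("Address", Address)],
                        self.generator(data))

    def generator(self, data):
        """Yield one flat (depth 0) row per finding."""
        for (what, member, address) in data:
            yield (0, [str(what), str(member), Address(address)])

    def render_text(self, outfd, data):
        """Print symbol name, member and address of every finding as a table."""
        self.table_header(outfd, [("Symbol Name", "42"),
                                  ("Member", "30"),
                                  ("Address", "[addr]")])

        for (what, member, address) in data:
            self.table_row(outfd, what, member, address)

# [tar member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/lsmod.py0000644000000000000000000006065313131215405023657 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.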
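#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import re, os, struct
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common

class linux_lsmod(linux_common.AbstractLinuxCommand):
    """Gather loaded kernel modules"""

    def __init__(self, config, *args, **kwargs):
        """Register SECTIONS (-T), PARAMS (-P), BASE (-b) and IDC (-c)."""
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('SECTIONS', short_option = 'T', default = None, help = 'show section addresses', action = 'store_true')
        self._config.add_option('PARAMS', short_option = 'P', default = None, help = 'show module parameters', action = 'store_true')
        self._config.add_option('BASE', short_option = 'b', default = None, help = 'Dump driver with BASE address (in hex)', action = 'store', type = 'int')
        self._config.add_option('IDC', short_option = 'c', default = None, help = 'Path to IDC file to be created for module', action = 'store', type = 'str')

    def _get_modules(self):
        """Yield the module at BASE when given, else every entry of the modules list.

        Only modules still linked on the kernel's "modules" list are found
        this way; BASE is the way to inspect one that is not.
        """
        if self._config.BASE:
            module_address = int(self._config.BASE)
            yield obj.Object("module", offset = module_address, vm = self.addr_space)
        else:
            modules_addr = self.addr_space.profile.get_symbol("modules")

            modules = obj.Object("list_head", vm = self.addr_space, offset = modules_addr)

            # walk the modules list
            for module in modules.list_of_type("module", "list"):
                yield module

    def calculate(self):
        """Yield (module, sections, params) for each module.

        sections is [] unless SECTIONS is set and params is "" unless PARAMS
        is set.
        """
        linux_common.set_plugin_members(self)

        for module in self._get_modules():
            if self._config.PARAMS:
                if not hasattr(module, "kp"):
                    # The code below relies on debug.error() not returning.
                    debug.error("Gathering module parameters is not supported in this profile.")

                params = module.get_params()
            else:
                params = ""

            if self._config.SECTIONS:
                sections = module.get_sections()
            else:
                sections = []

            yield (module, sections, params)

    def _idc_string(self, value):
        """Return value made safe for a double-quoted IDC string literal.

        Backslash and double quote are escaped and any character outside
        printable ASCII becomes "_", so the text cannot end the literal and
        add statements to the generated script.
        """
        safe = []
        for ch in str(value):
            if ch == "\\" or ch == '"':
                safe.append("\\" + ch)
            elif 32 <= ord(ch) < 127:
                safe.append(ch)
            else:
                safe.append("_")
        return "".join(safe)

    def render_text(self, outfd, data):
        """Print offset, name and size per module, plus sections and params.

        With IDC set, an IDC script naming the module's symbols is written to
        that path. The file is opened with "w" for every module, so without
        BASE it ends up holding the last module only.
        """
        for (module, sections, params) in data:
            if self._config.IDC:
                fd = open(self._config.IDC, "w")
                try:
                    fd.write("#include <idc.idc>\nstatic main(void) {\n")

                    for (sname, saddr) in module.get_symbols():
                        fd.write(" MakeDword(0x{0:08X});\n".format(saddr))
                        # Symbol names are read from the analysed image and the
                        # script is later run by the analyst's disassembler, so
                        # the name is escaped before it is embedded.
                        fd.write(" MakeName(0x{0:08X}, \"{1}\");\n".format(saddr, self._idc_string(sname)))

                    fd.write("}")
                finally:
                    # Flush and release the script even if a symbol fails to format.
                    fd.close()

            outfd.write("{2:x} {0:s} {1:d}\n".format(module.name, module.init_size + module.core_size, module.obj_offset))

            # will be empty list if not set on command line
            for sect in sections:
                outfd.write("\t{0:30s} {1:#x}\n".format(sect.sect_name, sect.address))

            # will be "" if not set, otherwise will be space seperated
            if params != "":
                for param in params.split():
                    outfd.write("\t{0:100s}\n".format(param))

    def get_module(self, name):
        """Return the first module whose name equals name, or None."""
        ret = None

        for (module, _, _) in self.calculate():
            if str(module.name) == name:
                ret = module
                break

        return ret

    # returns a list of tuples of (name, .text start, .text end) for each module
    # include_list can contain a list of only the modules wanted by a plugin
    def get_modules(self, include_list = None):
        """Return [(name, module_core, module_core + core_size), ...].

        Other plugins use these ranges to decide whether an address belongs
        to a listed module; a module missing from the walked list has no
        range here.
        """
        if not include_list:
            include_list = []

        ret = []
        for (module, _sections, _params) in self.calculate():

            if len(include_list) == 0 or str(module.name) in include_list:

                start = module.module_core
                end = start + module.core_size
                ret.append(("%s" % module.name, start, end))

        return ret

class linux_moddump(linux_common.AbstractLinuxCommand):
    """Extract loaded kernel modules"""

    def __init__(self, config, *args, **kwargs):
        self.name_idx = 1
        self.idc_started = False

        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)

        config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'Directory in which to dump the files', action = 'store', type = 'string')
        config.add_option('REGEX', short_option = 'r', help = 'Dump modules matching REGEX', action = 'store', type = 'string')
        config.add_option('IGNORE-CASE', short_option = 'i', help = 'Ignore case in pattern match', action = 'store_true', default = False)
        config.add_option('BASE', short_option = 'b', default = None, help = 'Dump driver with BASE address (in hex)', action = 'store', type = 'int')

    def calculate(self):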
linux_common.set_plugin_members(self) if self._config.REGEX: try: if self._config.IGNORE_CASE: mod_re = re.compile(self._config.REGEX, re.I) else: mod_re = re.compile(self._config.REGEX) except re.error, e: debug.error('Error parsing regular expression: {0}'.format(e)) if self._config.BASE: module_address = int(self._config.BASE) yield obj.Object("module", offset = module_address, vm = self.addr_space) else: # walk the modules list modules_addr = self.addr_space.profile.get_symbol("modules") modules = obj.Object("list_head", vm = self.addr_space, offset = modules_addr) for module in modules.list_of_type("module", "list"): if self._config.REGEX: if not mod_re.search(str(module.name)): continue yield module def _get_header_64(self, load_addr, sect_hdr_offset, num_sects): e_ident = "\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" e_type = "\x01\x00" # relocateble e_machine = "\x03\x00" e_version = "\x01\x00\x00\x00" e_entry = "\x00" * 8 e_phoff = "\x00" * 8 e_shoff = struct.pack(" 0 and not module.obj_vm.profile.get_symbol_by_address("kernel", sym.st_value): val_map[sym.st_value.v()] = self._find_sec(sections_info, sym.st_value) for (i, sect) in enumerate(module.get_sections()): name_idx_map[str(sect.sect_name)] = (i + 1, sect.address) ### account for null segment syms = obj.Object(theType="Array", targetType=sym_type, count=module.num_symtab, vm = module.obj_vm, offset = module.symtab) for sym in syms: # fix absolute addresses st_value_int = sym.st_value.v() if st_value_int > 0 and st_value_int in val_map: secname = val_map[st_value_int] if secname in name_idx_map: sect_addr = name_idx_map[secname][1] # LOOK_HERE st_value_sub = st_value_int - sect_addr st_value_full = st_value_int else: st_value_sub = st_value_int st_value_full = st_value_int st_value = struct.pack(st_value_fmt, st_value_sub) #### fix bindings #### # moved out of the sections part if sym.st_name > 0: first_name = True if first_name: bind = 1 # STB_GLOBAL if sym.st_value == 0: stype 
= 0 elif module.obj_vm.profile.get_symbol_by_address("kernel", sym.st_value): stype = 0 # STT_NOTYPE else: secname = val_map[sym.st_value.v()] # a .text. section but not relocations if secname.find(".text") != -1 and secname.find(".rela") == -1: stype = 2 # STT_FUNC else: stype = 1 # STT_OBJECT else: bind = 0 # STB_LOCAL stype = 3 # STT_SECTION b = (bind << 4) & 0xf0 t = stype & 0xf st_info = (b | t) & 0xff #print "st_info: %x : %x | %x || %d | %x" % (sym.st_value, b, t, st_info, st_info) st_info = struct.pack("B", st_info) #### fix indexes #### if sym.st_value > 0 and sym.st_value.v() in val_map: secname = val_map[sym.st_value.v()] if secname in name_idx_map: st_shndx = name_idx_map[secname][0] st_shndx = struct.pack(". # """ @author: Joe Sylve @license: GNU General Public License 2.0 @contact: joe.sylve@gmail.com @organization: Digital Forensics Solutions """ import volatility.obj as obj import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.mount as linux_mount import volatility.plugins.linux.pslist as linux_pslist from volatility.plugins.linux.slab_info import linux_slabinfo class linux_mount_cache(linux_mount.linux_mount): """Gather mounted fs/devices from kmem_cache""" def __init__(self, config, *args, **kwargs): linux_mount.linux_mount.__init__(self, config, *args, **kwargs) self._config.add_option('UNALLOCATED', short_option = 'u', default = False, help = 'Show unallocated', action = 'store_true') def _get_filesystem_types(self): all_fs = {} fs_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("file_systems"), vm = self.addr_space) file_systems = fs_ptr.dereference_as("file_system_type") fs = file_systems while fs.is_valid(): fsname = obj.Object("String", offset = fs.name, vm = self.addr_space, length=256) all_fs[str(fsname)] = fs fs = fs.next return all_fs def calculate(self): linux_common.set_plugin_members(self) fs_types = self._get_filesystem_types() # newer kernels if self.profile.has_type("mount"): 
mnttype = "mount" cache = linux_slabinfo(self._config).get_kmem_cache(mnttype, self._config.UNALLOCATED) for task in linux_pslist.linux_pslist(self._config).calculate(): if task.pid == 1: ns = task.nsproxy.mnt_ns break else: cache = linux_slabinfo(self._config).get_kmem_cache("mnt_cache", self._config.UNALLOCATED, struct_name = "vfsmount") ns = None for mnt in cache: ret = self._parse_mnt(mnt, ns, fs_types) if ret: (mnt_sb, dev_name, path, fstype, rr, mnt_string) = ret if not (dev_name == "devtmpfs" and path == "/"): yield (mnt_sb, dev_name, path, fstype, rr, mnt_string) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/list_raw.py0000644000000000000000000001130013131215405024346 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
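#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.ifconfig as linux_ifconfig
import volatility.plugins.linux.pslist as linux_pslist
import volatility.debug as debug
import volatility.obj as obj

class linux_list_raw(linux_common.AbstractLinuxCommand):
    """List applications with promiscuous sockets"""

    def __init__(self, config, *args, **kwargs):
        # inode number -> [task, filp, fd, filepath]; filled lazily by _fill_cache()
        self.fd_cache = {}
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)

    def _SOCK_INODE(self, sk):
        """Return the 'inode' object placed sizeof(socket) bytes after address `sk`."""
        backsize = self.profile.get_obj_size("socket")
        addr = sk + backsize

        return obj.Object('inode', offset = addr, vm = self.addr_space)

    def _walk_net_spaces(self):
        """Yield the socket inode of every entry on each net namespace's packet sklist."""
        offset = self.addr_space.profile.get_obj_offset("sock_common", "skc_node")

        nslist_addr = self.addr_space.profile.get_symbol("net_namespace_list")
        nethead = obj.Object("list_head", offset = nslist_addr, vm = self.addr_space)

        for net in nethead.list_of_type("net", "list"):
            # The list is read from the analysed image, so a corrupted or crafted
            # chain may loop back on itself; stop at the first address seen twice
            # (same guard as __walk_hlist_node).
            seen = set()

            node = net.packet.sklist.first.dereference().v()
            sk = obj.Object("sock", offset = node - offset, vm = self.addr_space)

            while sk.is_valid() and sk.obj_offset not in seen:
                seen.add(sk.obj_offset)

                yield self._SOCK_INODE(sk.sk_socket)

                sk = obj.Object("sock", offset = sk.sk_node.next - offset, vm = self.addr_space)

    def _fill_cache(self):
        """Index every open descriptor whose path contains "socket:[" by inode number."""
        for task in linux_pslist.linux_pslist(self._config).calculate():
            for filp, fd in task.lsof():
                filepath = linux_common.get_path(task, filp)
                # get_path() returns a list when it could not build a path
                if isinstance(filepath, str) and filepath.find("socket:[") != -1:
                    to_add = filp.dentry.d_inode.i_ino.v()
                    self.fd_cache[to_add] = [task, filp, fd, filepath]

    def _find_proc_for_inode(self, inode):
        """Return (task, fd, inode number); task and fd are None when no process owns the inode."""
        if not self.fd_cache:
            self._fill_cache()

        inum = inode.i_ino.v()

        task, _filp, fd, _filepath = self.fd_cache.get(inum, (None, None, None, None))

        return (task, fd, inum)

    def __walk_hlist_node(self, node):
        """Yield a 'sock' object for each hlist node reachable from `node`, once per address."""
        seen = set()

        offset = self.addr_space.profile.get_obj_offset("sock_common", "skc_node")

        nxt = node.next.dereference()

        while nxt.is_valid() and nxt.obj_offset not in seen:
            # The original passed an undefined name (obj_type) here, which raised
            # NameError on the packet_sklist path; the caller reads sk_socket from
            # each item, so the entries are instantiated as "sock".
            item = obj.Object("sock", offset = nxt.obj_offset - offset, vm = self.addr_space)

            seen.add(nxt.obj_offset)

            yield item

            nxt = nxt.next.dereference()

    def _walk_packet_sklist(self):
        """Yield the socket inode of every entry on the global packet_sklist."""
        sklist_addr = self.addr_space.profile.get_symbol("packet_sklist")

        sklist = obj.Object("hlist_head", offset = sklist_addr, vm = self.addr_space)

        for sk in self.__walk_hlist_node(sklist.first):
            yield self._SOCK_INODE(sk.sk_socket)

    def calculate(self):
        """Yield (task, fd, inode number) for every packet socket found in the image."""
        linux_common.set_plugin_members(self)

        sym_addr = self.addr_space.profile.get_symbol("packet_sklist")

        # old kernels before namespaces
        if sym_addr:
            for inode in self._walk_packet_sklist():
                yield self._find_proc_for_inode(inode)
        else:
            for inode in self._walk_net_spaces():
                yield self._find_proc_for_inode(inode)

    def render_text(self, outfd, data):
        """Print one row per socket that could be matched to a process."""
        self.table_header(outfd, [("Process", "16"),
                                  ("PID", "6"),
                                  ("File Descriptor", "5"),
                                  ("Inode", "18"),
                                 ])

        for (task, fd, inum) in data:
            # sockets with no owning descriptor in any listed task are not printed
            if task:
                self.table_row(outfd, task.comm, task.pid, fd, inum)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/route_cache.py0000644000000000000000000000777413131215405025027 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.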
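#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import socket

class linux_route_cache(linux_common.AbstractLinuxCommand):
    """ Recovers the routing cache from memory """

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        config.add_option('RESOLVE', short_option = 'R', default = None, action='count', help = 'Resolve DNS names of remote IP addresses')

    def calculate(self):
        """Yield (interface name, destination, gateway) for each routing cache entry."""
        linux_common.set_plugin_members(self)

        mask_addr = self.addr_space.profile.get_symbol("rt_hash_mask")

        if mask_addr is None:
            debug.error("This plugin does not support this profile. The Linux routing cache was deleted in 3.6.x. See: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=89aef8921bfbac22f00e04f8450f6e447db13e42")

        mask = obj.Object("unsigned int", offset = mask_addr, vm = self.addr_space)
        rt_pointer = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("rt_hash_table"), vm = self.addr_space)

        # rt_hash_mask is the bucket count minus one (the kernel indexes with
        # "hash & rt_hash_mask" and loops "i <= rt_hash_mask"), so the table
        # holds mask + 1 buckets; iterating range(mask) skipped the last one.
        bucket_count = int(mask) + 1
        rt_hash_table = obj.Object(theType = "Array", offset = rt_pointer, vm = self.addr_space, targetType = "rt_hash_bucket", count = bucket_count)

        # rt_do_flush / rt_cache_seq_show
        for i in range(bucket_count):
            rth = rt_hash_table[i].chain

            # Chain pointers come from the analysed image; remember visited
            # entries so a corrupted or crafted chain that loops cannot hang us.
            seen = set()

            while rth:
                rth_addr = rth.v()
                if rth_addr in seen:
                    break
                seen.add(rth_addr)

                # FIXME: Consider using kernel version metadata rather than checking hasattr
                if hasattr(rth, 'u'):
                    dst = rth.u.dst
                    nxt = rth.u.dst.rt_next
                else:
                    dst = rth.dst
                    nxt = rth.dst.rt_next

                if dst.dev:
                    name = dst.dev.name
                else:
                    name = "*"

                dest = rth.rt_dst
                gw = rth.rt_gateway

                yield (name, dest, gw)

                rth = nxt

    def render_text(self, outfd, data):
        """Print the routing cache, with a reverse-DNS column when RESOLVE is set.

        With RESOLVE, every destination address recovered from the image is
        looked up through the analysis host's resolver. That sends queries
        about evidence-derived addresses over the network, where whoever
        operates the reverse zone for an address can see them, and the name
        that comes back is chosen by that operator. Treat the "Dest Name"
        column as untrusted and prefer an isolated resolver.
        """
        resolve = self._config.RESOLVE

        if resolve:
            self.table_header(outfd, [("Interface", "16"),
                                      ("Destination", "20"),
                                      ("Dest Name", "30"),
                                      ("Gateway", "")])
        else:
            self.table_header(outfd, [("Interface", "16"),
                                      ("Destination", "20"),
                                      ("Gateway", "")])

        for (name, dest, gw) in data:
            if resolve:
                host = str(dest.cast("IpAddress"))
                try:
                    host = socket.gethostbyaddr(host)[0]
                except (socket.herror, socket.gaierror):
                    # no PTR record / lookup failure: leave the name column empty
                    host = ""

                self.table_row(outfd, name, dest.cast("IpAddress"), host, gw.cast("IpAddress"))
            else:
                self.table_row(outfd, name, dest.cast("IpAddress"), gw.cast("IpAddress"))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/ldrmodules.py0000644000000000000000000000514713131215405024710 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .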
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.pslist as linux_pslist from volatility.renderers import TreeGrid from volatility.renderers.basic import Address class linux_ldrmodules(linux_pslist.linux_pslist): """Compares the output of proc maps with the list of libraries from libdl""" def unified_output(self, data): return TreeGrid([("Pid", int), ("Name", str), ("Start", Address), ("Path", str), ("Kernel", str), ("Libc", str)], self.generator(data)) def generator(self, data): for task in data: for vm_start, vma_name, pmaps, dmaps in task.ldrmodules(): yield (0, [int(task.pid), str(task.comm), Address(vm_start), str(vma_name), str(pmaps), str(dmaps)]) def render_text(self, outfd, data): self.table_header(outfd, [("Pid", "8"), ("Name", "16"), ("Start", "#018x"), ("File Path", "50"), ("Kernel", "6"), ("Libc", "6"), ]) for task in data: for vm_start, vma_name, pmaps, dmaps in task.ldrmodules(): self.table_row(outfd, task.pid, str(task.comm), vm_start, vma_name, pmaps, dmaps) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/__init__.py0000644000000000000000000000000013131215405024254 0ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/slab_info.py0000644000000000000000000001552513131215405024473 0ustar rootroot# Volatility # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
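#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       Joe Sylve
@license:      GNU General Public License 2.0
@contact:      joe.sylve@gmail.com
@organization: Digital Forensics Solutions
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common

class kmem_cache(obj.CType):
    def get_type(self):
        """Return the allocator kind; subclasses must override."""
        raise NotImplementedError

    def get_name(self):
        """Return the cache name, read as a string of at most 255 bytes."""
        return str(self.name.dereference_as("String", length = 255))

class kmem_cache_slab(kmem_cache):
    def get_type(self):
        return "slab"

    # volatility does not support indexing pointers
    # and the definition of nodelists changes from array to pointer
    def _get_nodelist(self):
        """Return the first kmem_list3 node list, whichever way nodelists is declared."""
        ent = self.nodelists

        if type(ent) == obj.Pointer:
            ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)

        elif type(ent) == obj.Array:
            ret = ent[0]
        else:
            debug.error("Unknown nodelists types. %s" % type(ent))

        return ret

    def _iter_slabs(self, slablist):
        """Yield every 'slab' linked on the given list head."""
        for slab in slablist.list_of_type("slab", "list"):
            yield slab

    def _get_free_list(self):
        """Yield slabs on the slabs_free list."""
        return self._iter_slabs(self._get_nodelist().slabs_free)

    def _get_partial_list(self):
        """Yield slabs on the slabs_partial list."""
        return self._iter_slabs(self._get_nodelist().slabs_partial)

    def _get_full_list(self):
        """Yield slabs on the slabs_full list."""
        return self._iter_slabs(self._get_nodelist().slabs_full)

    def _get_object(self, offset):
        """Instantiate one object of this cache's struct_type at `offset`."""
        return obj.Object(self.struct_type,
                            offset = offset,
                            vm = self.obj_vm,
                            parent = self.obj_parent,
                            name = self.struct_type)

    def __iter__(self):
        """Yield the cache's allocated objects, or its free slots when self.unalloc is set.

        unalloc and struct_type are attached by linux_slabinfo.get_kmem_cache().
        """
        if not self.unalloc:
            # every slot of a full slab is allocated
            for slab in self._get_full_list():
                for i in range(self.num):
                    yield self._get_object(slab.s_mem.v() + i * self.buffer_size)

        for slab in self._get_partial_list():
            if not self.num:
                return

            # array of next-free indices stored right after the slab descriptor
            bufctl = obj.Object("Array",
                        offset = slab.v() + slab.size(),
                        vm = self.obj_vm,
                        parent = self.obj_parent,
                        targetType = "unsigned int",
                        count = self.num)

            unallocated = [0] * self.num

            i = slab.free
            while i != 0xFFFFFFFF:
                # The free chain is read from the analysed image. Stop on an
                # out-of-range index, and also on an index already marked:
                # a chain that loops back would otherwise never terminate.
                if i >= self.num or unallocated[i]:
                    break
                unallocated[i] = 1
                i = bufctl[i]

            for i in range(0, self.num):
                if unallocated[i] == self.unalloc:
                    yield self._get_object(slab.s_mem.v() + i * self.buffer_size)

        if self.unalloc:
            # every slot of a free slab is unallocated
            for slab in self._get_free_list():
                for i in range(self.num):
                    yield self._get_object(slab.s_mem.v() + i * self.buffer_size)

class LinuxKmemCacheOverlay(obj.ProfileModification):
    conditions = {'os': lambda x: x == 'linux'}
    before = ['BasicObjectClasses'] # , 'LinuxVTypes']

    def modification(self, profile):
        """Use kmem_cache_slab for kmem_cache when the profile has the cache_chain symbol."""
        if profile.get_symbol("cache_chain"):
            profile.object_classes.update({'kmem_cache': kmem_cache_slab})

class linux_slabinfo(linux_common.AbstractLinuxCommand):
    """Mimics /proc/slabinfo on a running machine"""

    def get_all_kmem_caches(self):
        """Return the list of kmem_cache objects (empty when only slab_caches is present)."""
        linux_common.set_plugin_members(self)
        cache_chain = self.addr_space.profile.get_symbol("cache_chain")
        slab_caches = self.addr_space.profile.get_symbol("slab_caches")

        # defined up front so the return below is valid on every path
        ret = []

        if cache_chain: #slab
            caches = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
            listm = "next"
            ret = [cache for cache in caches.list_of_type("kmem_cache", listm)]
        elif slab_caches: #slub
            debug.info("SLUB is currently unsupported.")
        else:
            debug.error("Unknown or unimplemented slab type.")

        return ret

    def get_kmem_cache(self, cache_name, unalloc, struct_name = ""):
        """Return the cache named `cache_name`, tagged for iteration, or [] if absent.

        cache_name  -- name to match against each cache's get_name()
        unalloc     -- stored on the cache; selects free slots instead of allocated ones
        struct_name -- type used for the yielded objects; defaults to cache_name
        """
        if struct_name == "":
            struct_name = cache_name

        for cache in self.get_all_kmem_caches():
            if cache.get_name() == cache_name:
                cache.newattr("unalloc", unalloc)
                cache.newattr("struct_type", struct_name)
                return cache

        debug.debug("Invalid kmem_cache: {0}".format(cache_name))
        return []

    def calculate(self):
        """Yield one /proc/slabinfo-style row (a list of eight values) per slab cache."""
        linux_common.set_plugin_members(self)

        for cache in self.get_all_kmem_caches():
            if cache.get_type() == "slab":
                active_objs = 0
                active_slabs = 0
                num_slabs = 0
                # shared_avail = 0

                for slab in cache._get_full_list():
                    active_objs += cache.num
                    active_slabs += 1

                for slab in cache._get_partial_list():
                    active_objs += slab.inuse
                    active_slabs += 1

                for slab in cache._get_free_list():
                    num_slabs += 1

                num_slabs += active_slabs
                num_objs = num_slabs * cache.num

                yield [cache.get_name(),
                        active_objs,
                        num_objs,
                        cache.buffer_size,
                        cache.num,
                        1 << cache.gfporder,
                        active_slabs,
                        num_slabs]

    def render_text(self, outfd, data):
        """Print the rows produced by calculate() as a left-aligned table."""
        # NOTE(review): the column titles are empty strings here. The row order is
        # name, active_objs, num_objs, buffer_size, num, 1 << gfporder,
        # active_slabs, num_slabs (see calculate()).
        self.table_header(outfd, [("", "<30"),
                                  ("", "<13"),
                                  ("", "<10"),
                                  ("", "<10"),
                                  ("", "<12"),
                                  ("", "<15"),
                                  ("", "<14"),
                                  ("", "<7"),
                                  ])

        for info in data:
            self.table_row(outfd, info[0], info[1], info[2], info[3], info[4], info[5], info[6], info[7])
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/procdump.py0000644000000000000000000000443713131215405024370 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .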
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import os import volatility.obj as obj import volatility.debug as debug import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.pslist as linux_pslist class linux_procdump(linux_pslist.linux_pslist): """Dumps a process's executable image to disk""" def __init__(self, config, *args, **kwargs): linux_pslist.linux_pslist.__init__(self, config, *args, **kwargs) self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'Output directory', action = 'store', type = 'str') def render_text(self, outfd, data): if not self._config.DUMP_DIR: debug.error("-D/--dump-dir must given that specifies an existing directory") self.table_header(outfd, [("Offset", "[addrpad]"), ("Name", "20"), ("Pid", "15"), ("Address", "[addrpad]"), ("Output File", "")]) for task in data: if not task.mm: continue file_path = linux_common.write_elf_file(self._config.DUMP_DIR, task, task.mm.start_code) self.table_row(outfd, task.obj_offset, task.comm, str(task.pid), task.mm.start_code, file_path) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/psxview.py0000644000000000000000000001345513131215405024244 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (c) 2010, 2011, 2012 Michael Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
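#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.utils as utils
import volatility.plugins.linux.pslist as linux_pslist
import volatility.plugins.linux.pidhashtable as linux_pidhashtable
import volatility.plugins.linux.pslist_cache as linux_pslist_cache
import volatility.plugins.linux.psscan as linux_psscan
import volatility.plugins.linux.common as linux_common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

#based off the windows version from mhl
#
#INFO:
#  'pslist' does not get threads
#  'pid_hash' does
#  'kmem_cache' does
#  'runqueue' does

class linux_psxview(linux_common.AbstractLinuxCommand):
    "Find hidden processes with various process listings"

    # order of the per-source columns in both output formats
    _SOURCE_COLUMNS = ('pslist', 'psscan', 'pid_hash', 'kmem_cache', 'parents', 'thread_leaders')

    def _get_pslist(self):
        """Translated (vtop) task_struct offsets from linux_pslist."""
        return [self.addr_space.vtop(x.obj_offset) for x in linux_pslist.linux_pslist(self._config).calculate()]

    def _get_pid_hash(self):
        """Translated (vtop) task_struct offsets from linux_pidhashtable."""
        return [self.addr_space.vtop(x.obj_offset) for x in linux_pidhashtable.linux_pidhashtable(self._config).calculate()]

    def _get_kmem_cache(self):
        """Translated (vtop) task_struct offsets from linux_pslist_cache."""
        return [self.addr_space.vtop(x.obj_offset) for x in linux_pslist_cache.linux_pslist_cache(self._config).calculate()]

    def _get_task_parents(self):
        """Translated (vtop) addresses of each listed task's real_parent (or parent)."""
        if self.addr_space.profile.obj_has_member("task_struct", "real_parent"):
            ret = [self.addr_space.vtop(x.real_parent.v()) for x in linux_pslist.linux_pslist(self._config).calculate()]
        else:
            ret = [self.addr_space.vtop(x.parent.v()) for x in linux_pslist.linux_pslist(self._config).calculate()]

        return ret

    def _get_thread_leaders(self):
        """Translated (vtop) addresses of each pid-hash task's group_leader."""
        return [self.addr_space.vtop(x.group_leader.v()) for x in linux_pidhashtable.linux_pidhashtable(self._config).calculate()]

    def _get_psscan(self):
        """task_struct offsets from linux_psscan, used as reported (no vtop)."""
        return [x.obj_offset for x in linux_psscan.linux_psscan(self._config).calculate()]

    def calculate(self):
        """Yield (offset, task_struct, ps_sources) once per distinct offset seen in any source.

        A task that appears in some sources but not in others is the signal this
        plugin exists for: the disagreement is what exposes an unlinked process.
        """
        linux_common.set_plugin_members(self)

        phys_addr_space = utils.load_as(self._config, astype = 'physical')

        ps_sources = {}

        # The keys are names of process sources
        # The values are lists of task_struct offsets after vtop() translation
        # (psscan offsets are taken as-is); the objects yielded below are
        # instantiated in the physical address space with those offsets.
        ps_sources['pslist'] = self._get_pslist()
        ps_sources['pid_hash'] = self._get_pid_hash()
        ps_sources['kmem_cache'] = self._get_kmem_cache()
        ps_sources['parents'] = self._get_task_parents()
        ps_sources['thread_leaders'] = self._get_thread_leaders()
        ps_sources['psscan'] = self._get_psscan()

        # Build a set of offsets from all sources (a set keeps the "already
        # reported" test constant-time instead of rescanning a list)
        seen_offsets = set()
        for source in ps_sources:
            tasks = ps_sources[source]

            for offset in tasks:
                # vtop() gives a false value for addresses it cannot translate
                if offset and offset not in seen_offsets:
                    seen_offsets.add(offset)
                    yield offset, obj.Object("task_struct", offset = offset, vm = phys_addr_space), ps_sources

    @classmethod
    def _source_flags(cls, ps_sources, offset):
        """Return "True"/"False" per source column telling whether it lists `offset`."""
        return [str(offset in ps_sources[source]) for source in cls._SOURCE_COLUMNS]

    def unified_output(self, data):
        return TreeGrid([("Offset(V)", Address),
                         ("Name", str),
                         ("PID", int),
                         ("pslist", str),
                         ("psscan", str),
                         ("pid_hash", str),
                         ("kmem_cache", str),
                         ("parents", str),
                         ("leaders", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one depth-0 TreeGrid row per task with its per-source flags."""
        for offset, process, ps_sources in data:
            yield (0, [Address(offset),
                       str(process.comm),
                       int(process.pid)] + self._source_flags(ps_sources, offset))

    def render_text(self, outfd, data):
        """Print one row per task with its per-source flags."""
        self.table_header(outfd, [('Offset(V)', '[addrpad]'),
                                  ('Name', '<20'),
                                  ('PID', '>6'),
                                  ('pslist', '5'),
                                  ('psscan', '5'),
                                  ('pid_hash', '5'),
                                  ('kmem_cache', '5'),
                                  ('parents', '5'),
                                  ('leaders', '5'),
                                  ])

        for offset, process, ps_sources in data:
            self.table_row(outfd,
                offset,
                process.comm,
                process.pid,
                *self._source_flags(ps_sources, offset))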
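volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/common.py0000644000000000000000000002225513131215405024025 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import os, re

import volatility.commands as commands
import volatility.utils as utils
import volatility.debug as debug
import volatility.obj as obj

MAX_STRING_LENGTH = 256

nsecs_per = 1000000000

class vol_timespec:
    """Plain seconds/nanoseconds pair with the same field names as a timespec."""

    def __init__(self, secs, nsecs):
        self.tv_sec = secs
        self.tv_nsec = nsecs

def set_plugin_members(obj_ref):
    """Load the address space onto `obj_ref` and reject unsupported profiles."""
    if obj_ref._config.SHIFT:
        debug.error("Linux uses --virtual_shift and --physical_shift. Please run linux_aslr_shift to obtain the values.")

    obj_ref.addr_space = utils.load_as(obj_ref._config)

    if not obj_ref.is_valid_profile(obj_ref.addr_space.profile):
        debug.error("This command does not support the selected profile.")

class AbstractLinuxCommand(commands.Command):
    def __init__(self, *args, **kwargs):
        self.addr_space = None
        # address -> result of is_known_address(), filled by verify_ops()
        self.known_addrs = {}
        # ops structure address -> list of (member, address) hits from verify_ops()
        self.known_fops = {}
        commands.Command.__init__(self, *args, **kwargs)

    @property
    def profile(self):
        """Profile of the loaded address space, or None before one is loaded."""
        if self.addr_space:
            return self.addr_space.profile
        return None

    def execute(self, *args, **kwargs):
        commands.Command.execute(self, *args, **kwargs)

    @staticmethod
    def is_valid_profile(profile):
        return profile.metadata.get('os', 'Unknown').lower() == 'linux'

    @staticmethod
    def register_options(config):
        config.add_option("PHYSICAL_SHIFT", type = 'int', default = 0, help = "Linux kernel physical shift address")
        config.add_option("VIRTUAL_SHIFT", type = 'int', default = 0, help = "Linux kernel virtual shift address")

    def is_known_address(self, addr, modules):
        """True when `addr` lies in [_text, _etext) or inside one of `modules`."""
        addr = int(addr)

        text = self.profile.get_symbol("_text")
        etext = self.profile.get_symbol("_etext")

        in_kernel_text = (self.addr_space.address_compare(addr, text) != -1 and
                          self.addr_space.address_compare(addr, etext) == -1)

        return in_kernel_text or self.address_in_module(addr, modules)

    def address_in_module(self, addr, modules):
        """True when `addr` lies in [start, end) of any (name, start, end) entry."""
        for (_, start, end) in modules:
            if self.addr_space.address_compare(addr, start) != -1 and self.addr_space.address_compare(addr, end) == -1:
                return True

        return False

    def verify_ops(self, ops, op_members, modules):
        """Yield (member, address) for each handler in `ops` that is_known_address() rejects.

        A handler that points outside the kernel text and outside every listed
        module is what a hooked operations table looks like. Results are cached
        per ops address; the cache entry is only stored once the generator has
        been run to completion.
        """
        ops_addr = ops.v()
        ops_list = []

        if ops_addr in self.known_fops:
            for check, addr in self.known_fops[ops_addr]:
                yield check, addr

            return

        for check in op_members:
            addr = int(ops.m(check))

            # 0 and -1 are skipped rather than reported
            if addr and addr != -1:

                if addr in self.known_addrs:
                    known = self.known_addrs[addr]
                else:
                    known = self.is_known_address(addr, modules)
                    self.known_addrs[addr] = known

                if not known:
                    yield (check, addr)
                    ops_list.append((check, addr))

        self.known_fops[ops_addr] = ops_list

class AbstractLinuxIntelCommand(AbstractLinuxCommand):
    @staticmethod
    def is_valid_profile(profile):
        # default to '' so a profile without 'arch' metadata is rejected
        # instead of raising AttributeError on None
        arch = (profile.metadata.get('arch') or '').lower()
        return AbstractLinuxCommand.is_valid_profile(profile) \
        and arch in ('x86', 'x64')

class AbstractLinuxARMCommand(AbstractLinuxCommand):
    @staticmethod
    def is_valid_profile(profile):
        # same missing-metadata handling as the Intel variant
        arch = (profile.metadata.get('arch') or '').lower()
        return AbstractLinuxCommand.is_valid_profile(profile) \
        and arch == 'arm'

def walk_internal_list(struct_name, list_member, list_start, addr_space = None):
    """Yield `struct_name` objects by following `list_member` until it is false."""
    if not addr_space:
        addr_space = list_start.obj_vm

    while list_start:
        list_struct = obj.Object(struct_name, vm = addr_space, offset = list_start.v())
        yield list_struct
        list_start = getattr(list_struct, list_member)

# based on __d_path
def do_get_path(rdentry, rmnt, dentry, vfsmnt):
    """Build the path of `dentry` relative to the root (rdentry, rmnt).

    Returns a string, or an empty list when either dentry is invalid or no
    component could be read, so callers must check the type of the result.
    Component names are read from the analysed image and are not sanitised here.
    """
    ret_path = []

    inode = dentry.d_inode

    if not rdentry.is_valid() or not dentry.is_valid():
        return []

    while (dentry != rdentry or vfsmnt != rmnt) and dentry.d_name.name.is_valid():

        dname = dentry.d_name.name.dereference_as("String", length = MAX_STRING_LENGTH)

        ret_path.append(dname.strip('/'))

        # reached the top of this mount (or a self-parented dentry): hop to the parent mount
        if dentry == vfsmnt.mnt_root or dentry == dentry.d_parent:
            if vfsmnt.mnt_parent == vfsmnt.v():
                break
            dentry = vfsmnt.mnt_mountpoint
            vfsmnt = vfsmnt.mnt_parent
            continue

        parent = dentry.d_parent
        dentry = parent

    ret_path.reverse()

    if ret_path == []:
        return []

    ret_val = '/'.join([str(p) for p in ret_path if p != ""])

    if ret_val.startswith(("socket:", "pipe:")):
        if ret_val.find("]") == -1:
            ret_val = ret_val[:-1] + ":[{0}]".format(inode.i_ino)
        else:
            ret_val = ret_val.replace("/", "")

    elif ret_val != "inotify":
        ret_val = '/' + ret_val

    return ret_val

def _get_path_file(task, filp):
    """Resolve `filp`'s path against `task`'s filesystem root via do_get_path()."""
    rdentry = task.fs.get_root_dentry()
    rmnt = task.fs.get_root_mnt()
    dentry = filp.dentry
    vfsmnt = filp.vfsmnt

    return do_get_path(rdentry, rmnt, dentry, vfsmnt)

def get_new_sock_pipe_path(task, filp):
    """Return "<kind>:[<inode>]" for a dentry whose d_dname handler is a known kernel symbol.

    Returns "" when the d_dname address does not resolve to a kernel symbol.
    """
    dentry = filp.dentry

    sym = dentry.obj_vm.profile.get_symbol_by_address("kernel", dentry.d_op.d_dname)

    if sym:
        if sym == "sockfs_dname":
            pre_name = "socket"

        elif sym == "anon_inodefs_dname":
            pre_name = "anon_inode"

        elif sym == "pipefs_dname":
            pre_name = "pipe"

        elif sym == "simple_dname":
            pre_name = _get_path_file(task, filp)

        else:
            print("no handler for %s" % sym)
            pre_name = ""

        ret = "%s:[%d]" % (pre_name, dentry.d_inode.i_ino)

    else:
        ret = ""

    return ret

def get_path(task, filp):
    """Return the display path of an open file, using d_dname naming when the dentry has one."""
    dentry = filp.dentry

    if dentry.d_op and hasattr(dentry.d_op, "d_dname") and dentry.d_op.d_dname:
        ret = get_new_sock_pipe_path(task, filp)
    else:
        ret = _get_path_file(task, filp)

    return ret

def write_elf_file(dump_dir, task, elf_addr):
    """Write the ELF image at `elf_addr` of `task` into `dump_dir`; return the file path."""
    # task.comm is read from the analysed image, so it is untrusted input:
    # dots, slashes and backslashes are removed so the name cannot contain a
    # path separator or "..", which keeps the output file inside dump_dir.
    file_name = re.sub(r"[./\\]", "", str(task.comm))

    file_path = os.path.join(dump_dir, "%s.%d.%#8x" % (file_name, task.pid, elf_addr))

    file_contents = task.get_elf(elf_addr)

    # the with-block closes the file even when write() fails
    with open(file_path, "wb") as fd:
        fd.write(file_contents)

    return file_path

def get_time_vars(obj_vm):
    '''
    Sometime in 3.[3-5], Linux switched to a global timekeeper structure
    This just figures out which is in use and returns the correct variables

    Returns (wall, timeo); timeo is None when the newest branch computes a
    zero offset, and both are None when none of the symbols is present.
    '''

    wall_addr = obj_vm.profile.get_symbol("wall_to_monotonic")
    sleep_addr = obj_vm.profile.get_symbol("total_sleep_time")
    timekeeper_addr = obj_vm.profile.get_symbol("timekeeper")
    tkcore_addr = obj_vm.profile.get_symbol("tk_core")

    wall = None
    timeo = None

    # old way
    if wall_addr and sleep_addr:
        wall = obj.Object("timespec", offset = wall_addr, vm = obj_vm)
        timeo = obj.Object("timespec", offset = sleep_addr, vm = obj_vm)

    elif wall_addr:
        wall = obj.Object("timespec", offset = wall_addr, vm = obj_vm)
        timeo = vol_timespec(0, 0)

    # timekeeper way
    elif timekeeper_addr:
        timekeeper = obj.Object("timekeeper", offset = timekeeper_addr, vm = obj_vm)
        wall = timekeeper.wall_to_monotonic
        timeo = timekeeper.total_sleep_time

    # 3.17(ish) - 3.19(ish) way
    # NOTE(review): hasattr() is applied to the string literal "timekeeper",
    # not to the profile's type, so it is always False and this branch never
    # runs; every tk_core kernel falls through to the branch below. Left as-is
    # because enabling it changes results on those kernels - confirm the
    # intended check (e.g. profile.obj_has_member) and the +4 offset first.
    elif tkcore_addr and hasattr("timekeeper", "total_sleep_time"):
        # skip seqcount
        timekeeper = obj.Object("timekeeper", offset = tkcore_addr + 4, vm = obj_vm)
        wall = timekeeper.wall_to_monotonic
        timeo = timekeeper.total_sleep_time

    # 3.19(ish)+
    # getboottime from 3.19.x
    elif tkcore_addr:
        # skip seqcount
        timekeeper = obj.Object("timekeeper", offset = tkcore_addr + 8, vm = obj_vm)
        wall = timekeeper.wall_to_monotonic

        oreal = timekeeper.offs_real
        oboot = timekeeper.offs_boot

        if hasattr(oreal,"tv64"):
            tv64 = (oreal.tv64 & 0xffffffff) - (oboot.tv64 & 0xffffffff)
        else:
            tv64 = (oreal & 0xffffffff) - (oboot & 0xffffffff)

        if tv64:
            # NOTE(review): the divisor is 10**8 while nsecs_per above is
            # 10**9 - confirm the intended unit before relying on this value.
            tv64 = (tv64 / 100000000) * -1
            timeo = vol_timespec(tv64, 0)
        else:
            timeo = None

    return (wall, timeo)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/library_list.py0000644000000000000000000000446213131215405025234 0ustar rootroot
# Volatility
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.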
# # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.debug as debug import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.pslist as linux_pslist from volatility.renderers import TreeGrid from volatility.renderers.basic import Address class linux_library_list(linux_pslist.linux_pslist): """ Lists libraries loaded into a process """ def calculate(self): linux_common.set_plugin_members(self) tasks = linux_pslist.linux_pslist.calculate(self) for task in tasks: for mapping in task.get_libdl_maps(): if mapping.l_name == "" or mapping.l_addr == 0: continue yield task, mapping def unified_output(self, data): return TreeGrid([("Task", str), ("Pid", int), ("LoadAddress", Address), ("Path", str)], self.generator(data)) def generator(self, data): for task, mapping in data: yield (0, [str(task.comm), int(task.pid), Address(mapping.l_addr), str(mapping.l_name)]) def render_text(self, outfd, data): self.table_header(outfd, [("Task", "16"), ("Pid", "8"), ("Load Address", "[addrpad]"), ("Path", ""), ]) for task, mapping in data: self.table_row(outfd, task.comm, task.pid, mapping.l_addr, mapping.l_name) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/hidden_modules.py0000644000000000000000000001030413131215405025510 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. 
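#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import re

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsmod as linux_lsmod
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class linux_hidden_modules(linux_common.AbstractLinuxCommand):
    """Carves memory to find hidden kernel modules"""

    def walk_modules_address_space(self, addr_space):
        """Carve the kernel module address range for 'module' structures that lsmod does not report.

        The range is taken from the module_addr_min / module_addr_max symbols,
        rounded out to 4096-byte pages. Every offset where one of three 4-byte
        patterns (0, 1 or 2, little-endian) starts is treated as a candidate;
        candidates already returned by linux_lsmod are skipped and the rest are
        yielded only if module.is_valid() accepts them.
        """
        # Offsets of the modules the regular list walk reports. A set keeps the
        # per-candidate membership test cheap; the scan can produce many candidates.
        list_mods = set(x[0].obj_offset for x in linux_lsmod.linux_lsmod(self._config).calculate())

        # this for is for pre-2008 kernels:
        # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/kernel/module.c?id=3a642e99babe0617febb6f402e1e063479f489db)
        min_sym_addr = addr_space.profile.get_symbol("module_addr_min")
        max_sym_addr = addr_space.profile.get_symbol("module_addr_max")
        # Without both bounds there is no range to scan.
        if min_sym_addr == None or max_sym_addr == None:
            return

        min_addr_sym = obj.Object("unsigned long", offset = min_sym_addr, vm = addr_space)
        max_addr_sym = obj.Object("unsigned long", offset = max_sym_addr, vm = addr_space)

        min_addr = min_addr_sym & ~0xfff
        max_addr = (max_addr_sym & ~0xfff) + 0x1000

        allfs = "\xff" * 4096

        memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
        if memory_model == '32bit':
            minus_size = 4
        else:
            minus_size = 8

        # Long runs of zero bytes are rewritten to 0xff filler that keeps only the
        # last pointer-sized group of zeros, so the buffer length (and therefore
        # every offset) is unchanged.
        # NOTE(review): presumably this is done to cut down the number of
        # candidates inside zero-filled regions - confirm.
        check_nums = [3000, 2800, 2700, 2500, 2300, 2100, 2000, 1500, 1300, 1200, 1024, 512, 256, 128, 96, 64, 48, 32, 24]
        replacements = [("\x00" * num, ("\xff" * (num - minus_size)) + "\x00" * minus_size)
                        for num in check_nums]

        pages = []
        for page in range(min_addr, max_addr, 4096):
            # Unreadable and all-zero pages are represented by 0xff filler so that
            # offsets into the joined buffer still map back to addresses.
            to_append = allfs

            tmp = addr_space.read(page, 4096)
            if tmp and tmp.count("\x00") != len(tmp):
                for zero_run, filler in replacements:
                    tmp = tmp.replace(zero_run, filler)
                to_append = tmp

            pages.append(to_append)

        # Joined once instead of growing a string page by page.
        scan_buf = "".join(pages)

        for cur_addr in re.finditer("(?=(\x00\x00\x00\x00|\x01\x00\x00\x00|\x02\x00\x00\x00))", scan_buf):
            mod_addr = min_addr + cur_addr.start()

            if mod_addr in list_mods:
                continue

            m = obj.Object("module", offset = mod_addr, vm = addr_space)

            # is_valid() is the only filter between a byte pattern and a reported
            # module; its checks are defined outside this file.
            if m.is_valid():
                yield m

    def calculate(self):
        """Yield every carved module found in the plugin's own address space."""
        linux_common.set_plugin_members(self)

        for mod in self.walk_modules_address_space(self.addr_space):
            yield mod

    def unified_output(self, data):
        """Describe the output columns and bind them to the row generator."""
        return TreeGrid([("Offset(V)", Address),
                         ("Name", str)],
                        self.generator(data))

    def generator(self, data):
        """Convert each module into a (virtual offset, name) row."""
        for module in data:
            yield (0, [Address(module.obj_offset), str(module.name)])

    def render_text(self, outfd, data):
        """Write one table row per carved module to outfd."""
        self.table_header(outfd, [("Offset (V)", "[addrpad]"), ("Name", "")])

        for module in data:
            self.table_row(outfd, module.obj_offset, str(module.name))

volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/psaux.py0000644000000000000000000000343113131215405023670 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .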
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.linux.pslist as linux_pslist
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class linux_psaux(linux_pslist.linux_pslist):
    '''Gathers processes along with full command line and start time'''

    def unified_output(self, data):
        """Describe the output columns and bind them to the row generator."""
        columns = [("Arguments", str),
                   ("Pid", int),
                   ("Uid", int),
                   ("Gid", int)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Convert each task into an (arguments, pid, uid, gid) row."""
        for proc in data:
            # NOTE(review): get_commandline() is defined outside this file; the
            # string presumably comes from the analysed process's own memory, so
            # consumers should treat it as untrusted text - confirm.
            fields = [str(proc.get_commandline()), int(proc.pid), int(proc.uid), int(proc.gid)]
            yield (0, fields)

    def render_text(self, outfd, data):
        """Write a header line and one line per task to outfd; the argument string is printed last."""
        row_fmt = "{1:6s} {2:6s} {3:6s} {0:64s}\n"

        outfd.write(row_fmt.format("Arguments", "Pid", "Uid", "Gid"))

        for proc in data:
            outfd.write(row_fmt.format(proc.get_commandline(), str(proc.pid), str(proc.uid), str(proc.gid)))

volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/plthook.py0000644000000000000000000000545113131215405024214 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2014 CrowdStrike, Inc.
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author: Georg Wicherski
@license: GNU General Public License 2.0
@contact: georg@crowdstrike.com
@organization: CrowdStrike, Inc.
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist

class linux_plthook(linux_pslist.linux_pslist):
    """Scan ELF binaries' PLT for hooks to non-NEEDED images"""

    def __init__(self, config, *args, **kwargs):
        """Register the ALL and IGNORE options on top of the pslist options."""
        linux_pslist.linux_pslist.__init__(self, config, *args, **kwargs)

        self._config.add_option('ALL',
                                short_option = 'a',
                                default = False,
                                help = 'Display all PLT slots (incl. not hooked)',
                                action = 'store_true')

        self._config.add_option('IGNORE',
                                default = [ ],
                                help = 'Ignore mappings backed by this path, ' \
                                       +' useful for bad -l compiles (i.e. apache2 modules)',
                                action = 'append')

    def render_text(self, outfd, data):
        """Write one row per PLT slot reported by task.plt_hook_info().

        Without ALL, only hooked slots are shown and '[RTLD_LAZY]' targets are
        hidden; targets listed through IGNORE are always hidden. Hooked rows
        carry '!' in the H column.
        """
        linux_common.set_plugin_members(self)

        header = [("Task", "10"),
                  ("ELF Start", "[addrpad]"),
                  ("ELF Name", "24"),
                  ("Symbol", "24"),
                  ("Resolved Address", "[addrpad]"),
                  ("H", "1"),
                  ("Target Info", "")]
        self.table_header(outfd, header)

        ignored_targets = frozenset(self._config.IGNORE)
        show_all = self._config.ALL

        for proc in data:
            for soname, elf, elf_start, elf_end, addr, symbol_name, hookdesc, hooked in proc.plt_hook_info():
                if not (hooked or show_all):
                    continue

                if hookdesc in ignored_targets:
                    continue

                if hookdesc == '[RTLD_LAZY]' and not show_all:
                    continue

                elf_name = soname if soname else '[main]'
                marker = '!' if hooked else ' '
                self.table_row(outfd, proc.pid, elf_start, elf_name, symbol_name, addr, marker, hookdesc)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/check_inline_kernel.py0000644000000000000000000003144013131215405026504 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
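#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsmod as linux_lsmod
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

### TODO: merge with check_fops
import volatility.plugins.linux.pslist as linux_pslist
from volatility.plugins.linux.slab_info import linux_slabinfo
import volatility.plugins.linux.find_file as find_file

try:
    import distorm3
    has_distorm3 = True
except ImportError:
    has_distorm3 = False

class linux_check_inline_kernel(linux_common.AbstractLinuxCommand):
    """Check for inline kernel hooks"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)

    def _is_hooked(self, sym_addr, modules):
        """Disassemble the start of the function at sym_addr and look for a redirect.

        Only the first 16 bytes are read and at most three valid instructions
        are examined, so a redirect placed deeper in the function is not seen
        by this check. Reported patterns:
          * JMP whose operand is not a known address (with 'mov reg, addr;
            jmp reg' resolved to addr when both use the same register),
          * CALL whose operand is not a known address,
          * RET as the second instruction, unless the first one is one of the
            register MOV/XOR forms tested below.

        Returns (hook_type, addr), or None when nothing matched or the bytes
        could not be read.
        """
        hook_type = None
        addr = None
        counter = 1
        prev_op = None

        if self.profile.metadata.get('memory_model', '32bit') == '32bit':
            mode = distorm3.Decode32Bits
        else:
            mode = distorm3.Decode64Bits

        data = self.addr_space.read(sym_addr, 16)
        # An unreadable address yields no bytes; there is nothing to disassemble.
        if not data:
            return None

        for op in distorm3.Decompose(sym_addr, data, mode):
            if not op.valid:
                continue

            if op.mnemonic == "JMP" and not self.is_known_address(op.operands[0].value, modules):
                hook_type = "JMP"
                addr = 0 # default in case we cannot extract

                # check for a mov reg, addr; jmp reg;
                if prev_op is not None and prev_op.mnemonic == "MOV" and prev_op.operands[0].type == 'Register' and op.operands[0].type == 'Register':
                    prev_name = prev_op.operands[0].name

                    # same register
                    if prev_name == op.operands[0].name:
                        addr = prev_op.operands[1].value

            elif op.mnemonic == "CALL" and not self.is_known_address(op.operands[0].value, modules):
                hook_type = "CALL"
                addr = op.operands[0].value

            # push xxxx; ret;
            elif counter == 2 and op.mnemonic == "RET":
                # These two-instruction bodies are accepted as ordinary short functions.
                if prev_op.mnemonic == "MOV" and prev_op.operands[0].type == 'Register' and prev_op.operands[0].name in ["RAX", "EAX"]:
                    break

                elif prev_op.mnemonic == "XOR" and prev_op.operands[0].type == 'Register' and prev_op.operands[1].type == 'Register':
                    break

                elif prev_op.mnemonic == "MOV" and prev_op.operands[0].type == 'Register' and prev_op.operands[1].type == 'Register':
                    break

                hook_type = "RET"
                addr = sym_addr

            if hook_type:
                break

            counter = counter + 1
            if counter == 4:
                break

            prev_op = op

        if hook_type:
            ret = hook_type, addr
        else:
            ret = None

        return ret

    #### make api with check_fops
    def _is_inline_hooked(self, ops, op_members, modules):
        """Run _is_hooked on every non-zero function pointer named in op_members of the structure ops."""
        for check in op_members:
            addr = ops.m(check)

            if addr and addr != 0:
                hook_info = self._is_hooked(addr, modules)
                if hook_info:
                    (hook_type, addr) = hook_info
                    yield check, hook_type, addr

    def check_file_cache(self, f_op_members, modules):
        """Check the file_operations of every file returned by linux_find_file.walk_sbs()."""
        for (_, _, file_path, file_dentry) in find_file.linux_find_file(self._config).walk_sbs():
            for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(file_dentry.d_inode.i_fop, f_op_members, modules):
                yield (file_path, hooked_member, hook_type, hook_address)

    def check_open_files_fop(self, f_op_members, modules):
        """Check the file_operations of every open file of every task."""
        # get all the members in file_operations, they are all function pointers
        tasks = linux_pslist.linux_pslist(self._config).calculate()
        for task in tasks:
            for filp, i in task.lsof():
                for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(filp.f_op, f_op_members, modules):
                    name = "{0:s} {1:d} {2:s}".format(task.comm, i, linux_common.get_path(task, filp))
                    yield (name, hooked_member, hook_type, hook_address)

    def check_proc_fop(self, f_op_members, modules):
        """Check the file_operations of the proc mount root and of its direct children."""
        proc_mnt_addr = self.addr_space.profile.get_symbol("proc_mnt")
        if not proc_mnt_addr:
            return

        proc_mnt_ptr = obj.Object("Pointer", offset = proc_mnt_addr, vm = self.addr_space)
        proc_mnt = proc_mnt_ptr.dereference_as("vfsmount")

        root = proc_mnt.mnt_root

        for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(root.d_inode.i_fop, f_op_members, modules):
            yield ("proc_mnt: root", hooked_member, hook_type, hook_address)

        # only check the root directory
        for dentry in root.d_subdirs.list_of_type("dentry", "d_u"):
            name = dentry.d_name.name.dereference_as("String", length = 255)
            for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(dentry.d_inode.i_fop, f_op_members, modules):
                yield("proc_mnt: {0}".format(name), hooked_member, hook_type, hook_address)

    def walk_proc(self, cur, f_op_members, modules, parent = ""):
        """Walk a proc_dir_entry list and its subdirectories, checking each entry's proc_fops.

        self.seen_proc records visited entries so that an entry is processed once.
        """
        while cur:
            if cur.obj_offset in self.seen_proc:
                cur = cur.next
                continue

            self.seen_proc[cur.obj_offset] = 1

            # A failed read gives no bytes; fall back to an empty entry name
            # instead of failing on the concatenation.
            raw_name = self.addr_space.read(cur.name.obj_offset, cur.namelen + 1) or ""
            name = parent + "/" + raw_name
            idx = name.find("\x00")
            if idx != -1:
                name = name[:idx]

            fops = cur.proc_fops

            for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(fops, f_op_members, modules):
                yield (name, hooked_member, hook_type, hook_address)

            subdir = cur.subdir

            while subdir:
                for (sub_name, hooked_member, hook_type, hook_address) in self.walk_proc(subdir, f_op_members, modules, name):
                    yield (sub_name, hooked_member, hook_type, hook_address)
                subdir = subdir.next

            cur = cur.next

    def check_proc_root_fops(self, f_op_members, modules):
        """Check proc_root itself and then every entry reachable from it."""
        self.seen_proc = {}

        proc_root_addr = self.addr_space.profile.get_symbol("proc_root")
        proc_root = obj.Object("proc_dir_entry", offset = proc_root_addr, vm = self.addr_space)

        for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(proc_root.proc_fops, f_op_members, modules):
            yield("proc_root", hooked_member, hook_type, hook_address)

        for (name, hooked_member, hook_type, hook_address) in self.walk_proc(proc_root, f_op_members, modules):
            yield (name, hooked_member, hook_type, hook_address)
    #### end make api with check_fops

    def _check_file_op_pointers(self, modules):
        """Run all file_operations checks; 'owner' is excluded because it is not examined as a function pointer here."""
        funcs = [self.check_open_files_fop, self.check_proc_fop, self.check_proc_root_fops, self.check_file_cache]

        f_op_members = self.profile.types['file_operations'].keywords["members"].keys()
        f_op_members.remove('owner')

        for func in funcs:
            for (name, member, hook_type, address) in func(f_op_members, modules):
                yield (name, member, hook_type, address)

    def check_afinfo(self, var_name, var, op_members, seq_members, modules):
        """Check seq_fops, and seq_ops when the structure has it, of one *_seq_afinfo variable."""
        for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(var.seq_fops, op_members, modules):
            yield (var_name, hooked_member, hook_type, hook_address)

        # newer kernels
        if hasattr(var, "seq_ops"):
            for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(var.seq_ops, seq_members, modules):
                yield (var_name, hooked_member, hook_type, hook_address)

    def _check_afinfo(self, modules):
        """Check the TCP and UDP *_seq_afinfo globals that exist in the profile."""
        op_members = self.profile.types['file_operations'].keywords["members"].keys()
        seq_members = self.profile.types['seq_operations'].keywords["members"].keys()

        tcp = ("tcp_seq_afinfo", ["tcp6_seq_afinfo", "tcp4_seq_afinfo"])
        udp = ("udp_seq_afinfo", ["udplite6_seq_afinfo", "udp6_seq_afinfo", "udplite4_seq_afinfo", "udp4_seq_afinfo"])
        protocols = [tcp, udp]

        for proto in protocols:
            struct_type = proto[0]

            for global_var_name in proto[1]:
                global_var_addr = self.addr_space.profile.get_symbol(global_var_name)

                if not global_var_addr:
                    continue

                global_var = obj.Object(struct_type, offset = global_var_addr, vm = self.addr_space)

                for (name, member, hook_type, address) in self.check_afinfo(global_var_name, global_var, op_members, seq_members, modules):
                    yield (name, member, hook_type, address)

    def _check_inetsw(self, modules):
        """Check the proto_ops of every inet_protosw registered in the inetsw array."""
        try:
            self.addr_space.profile.get_obj_offset("inet_protosw", "list")
        except KeyError:
            debug.warning("You are using an old Linux profile. Please recreate the profile using the latest Volatility version.")
            return

        proto_members = self.profile.types['proto_ops'].keywords["members"].keys()
        proto_members.remove('owner')
        proto_members.remove('family')

        inetsw_addr = self.addr_space.profile.get_symbol("inetsw")
        inetsw = obj.Object(theType = "Array", targetType = "list_head", offset = inetsw_addr, vm = self.addr_space, count = 11)

        for inet_list in inetsw:
            for inet in inet_list.list_of_type("inet_protosw", "list"):
                name = self.addr_space.read(inet.prot.name.obj_offset, 32) or ""
                # find() returns -1 when there is no terminator, which is what the
                # test below expects; index() would raise ValueError instead.
                idx = name.find("\x00")
                if idx != -1:
                    name = name[:idx]

                for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(inet.ops, proto_members, modules):
                    yield (name, hooked_member, hook_type, hook_address)

    def _check_known_functions(self, modules):
        """Check a fixed list of kernel functions by symbol name."""
        known_funcs = ["dev_get_flags", "vfs_readdir", "tcp_sendmsg"]

        for func_name in known_funcs:
            func_addr = self.profile.get_symbol(func_name)

            if func_addr:
                hook_info = self._is_hooked(func_addr, modules)
                if hook_info:
                    (hook_type, hook_address) = hook_info
                    yield (func_name, "", hook_type, hook_address)

    def calculate(self):
        """Run every check and yield (name, member, hook type, address) tuples."""
        linux_common.set_plugin_members(self)

        if not has_distorm3:
            debug.error("This plugin cannot operate without distorm installed.")

        modules = linux_lsmod.linux_lsmod(self._config).get_modules()

        funcs = [self._check_known_functions, self._check_file_op_pointers, self._check_afinfo, self._check_inetsw]

        for func in funcs:
            for (sym_name, member, hook_type, sym_addr) in func(modules):
                yield (sym_name, member, hook_type, sym_addr)

    def unified_output(self, data):
        """Describe the output columns and bind them to the row generator."""
        # Member holds a structure member name, which generator() emits as str.
        return TreeGrid([("Name", str),
                         ("Member", str),
                         ("HookType", str),
                         ("HookAddress", Address)],
                        self.generator(data))

    def generator(self, data):
        """Convert each finding into a flat TreeGrid row."""
        for (sym_name, member, hook_type, sym_addr) in data:
            yield (0, [str(sym_name), str(member), str(hook_type), Address(sym_addr)])

    def render_text(self, outfd, data):
        """Write one table row per finding to outfd."""
        self.table_header(outfd, [("Name", "48"), ("Member", "16"), ("Hook Type", "8"), ("Hook Address", "[addrpad]")])

        for (sym_name, member, hook_type, sym_addr) in data:
            self.table_row(outfd, sym_name, member, hook_type, sym_addr)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/check_syscall.py0000644000000000000000000002543513131215405025347 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsmod as linux_lsmod
import volatility.plugins.linux.hidden_modules as linux_hidden_modules
import volatility.plugins.linux.find_file as linux_find_file
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

try:
    import distorm3
    has_distorm = True
except ImportError:
    has_distorm = False

class linux_check_syscall(linux_common.AbstractLinuxCommand):
    """ Checks if the system call table has been altered """

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('syscall-indexes', short_option = 'I', default = None, help = 'Path to unistd_{32,64}.h from the target machine', action = 'store', type = 'str')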
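# linux_check_syscall methods: table sizing, index-name parsing, table walk and output.
    def _get_table_size(self, table_addr, table_name):
        """Return the number of entries between table_addr and the next symbol after table_name."""
        # take this from the size of an address in the profile
        divisor = self.profile.get_obj_size("address")

        next_sym_addr = self.profile.get_next_symbol_address(table_name)

        return (next_sym_addr - table_addr) / divisor

    def _get_table_size_meta(self):
        """Return the number of profile symbols that start with __syscall_meta__.

        This is a fast way to determine the number of system calls.
        """
        return len([n for n in self.profile.get_all_symbol_names() if n.startswith("__syscall_meta__")])

    def _get_table_info_other(self, table_addr, table_name):
        """Return the smaller positive size estimate from the two symbol-based methods, or 0 if neither produced one."""
        table_size_meta = self._get_table_size_meta()
        table_size_syms = self._get_table_size(table_addr, table_name)

        sizes = [size for size in [table_size_meta, table_size_syms] if size > 0]

        # min() of an empty list raises ValueError; the caller treats 0 as
        # "size unknown" and reports it.
        if not sizes:
            return 0

        return min(sizes)

    def _get_table_info_distorm(self):
        """Find the size of the system call table by disassembling the function
        that references it in its first instruction.

        The instruction has the form 'cmp reg,NR_syscalls'. Returns 0 when
        distorm is missing, the symbol is absent, the bytes cannot be read or
        no CMP is found.
        """
        table_size = 0

        if not has_distorm:
            return table_size

        memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

        if memory_model == '32bit':
            mode = distorm3.Decode32Bits
            func = "sysenter_do_call"
        else:
            mode = distorm3.Decode64Bits
            func = "system_call_fastpath"

        func_addr = self.addr_space.profile.get_symbol(func)

        if func_addr:
            data = self.addr_space.read(func_addr, 6)

            # An unreadable address yields no bytes; fall through with size 0.
            if data:
                for op in distorm3.Decompose(func_addr, data, mode):
                    if not op.valid:
                        continue

                    if op.mnemonic == 'CMP':
                        table_size = (op.operands[1].value) & 0xffffffff
                        break

        return table_size

    def _get_table_info(self, table_name):
        """Return [table address, entry count] for the named system call table."""
        table_addr = self.addr_space.profile.get_symbol(table_name)

        table_size = self._get_table_info_distorm()

        if table_size == 0:
            table_size = self._get_table_info_other(table_addr, table_name)

            if table_size == 0:
                debug.error("Unable to get system call table size")

        return [table_addr, table_size]

    def _compute_hook_sym_name(self, visible_mods, hidden_mods, call_addr):
        """Name the module (visible first, then hidden) whose core range contains call_addr.

        Returns "HOOKED: <module>/<symbol>" or "HOOKED: UNKNOWN" when no
        module range matches.
        """
        mod_found = 0

        for (module, _, __) in visible_mods:
            if module.module_core <= call_addr <= module.module_core + module.core_size:
                mod_found = 1
                break

        if mod_found == 0:
            for module in hidden_mods:
                if module.module_core <= call_addr <= module.module_core + module.core_size:
                    mod_found = 1
                    break

        if mod_found == 1:
            sym = module.get_symbol_for_address(call_addr)
            sym_name = "HOOKED: %s/%s" % (module.name, sym)
        else:
            sym_name = "HOOKED: UNKNOWN"

        return sym_name

    def _index_name(self, index_names, i):
        """Return the system call name recorded for table index i, or a placeholder string."""
        if i in index_names:
            ret = index_names[i]
        else:
            # NOTE(review): the literal below is empty on this page, and "" % i
            # would raise TypeError; the original text of the placeholder appears
            # to have been lost - restore it from the upstream file.
            ret = "" % i

        return ret

    def _find_index(self, index_names, line_index):
        """Resolve a relative definition such as "(__NR_timer_create+1)" to a table index."""
        ret = None

        # "(__NR_timer_create+1)"
        (line_name, offset) = line_index[1:-1].split("+")
        line_name = line_name.replace("__NR_", "")

        for index in index_names:
            if index_names[index] == line_name:
                ret = index + int(offset)
                break

        if ret == None:
            # Report the expression that could not be resolved.
            debug.error("Unable to find offset for %s" % line_index)

        return ret

    def get_syscalls(self, index_lines = None, get_hidden = False):
        """Walk the system call table(s) and yield one tuple per populated entry.

        Each tuple is (table address, table name, index, index name, handler
        address, symbol name, hooked). An entry counts as hooked when its
        handler address is not one of the profile's symbol addresses.

        index_lines is the text of a unistd header. When the caller gives none
        it is looked up inside the analysed image, so its content is not
        trustworthy input.
        """
        linux_common.set_plugin_members(self)

        if get_hidden:
            hidden_mods = list(linux_hidden_modules.linux_hidden_modules(self._config).calculate())
        else:
            hidden_mods = []

        # Materialised because _compute_hook_sym_name() iterates it once per
        # hooked entry; a one-shot iterator would be used up by the first lookup
        # and later entries would be labelled UNKNOWN.
        visible_mods = list(linux_lsmod.linux_lsmod(self._config).calculate())

        if not index_lines:
            index_lines = self._find_and_parse_index_file()

        if index_lines:
            index_names = {}
            for line in index_lines.split("\n"):
                ents = line.split()

                if len(ents) == 3 and ents[0] == "#define":
                    name = ents[1].replace("__NR_", "")

                    # "(__NR_timer_create+1)"
                    index = ents[2]
                    if index[0] == "(":
                        index = self._find_index(index_names, index)
                    else:
                        try:
                            index = int(index)
                        except ValueError:
                            index = 999999 #well beyond any valid table index

                    index_names[index] = name
        else:
            index_names = None

        table_name = self.addr_space.profile.metadata.get('memory_model', '32bit')
        sym_addrs = self.profile.get_all_addresses()

        sys_call_info = self._get_table_info("sys_call_table")

        addrs = [(table_name, sys_call_info)]

        # 64 bit systems with 32 bit emulation
        ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table")
        if ia32:
            ia32_info = self._get_table_info("ia32_sys_call_table")
            addrs.append(("32bit", ia32_info))

        for (table_name, (tableaddr, tblsz)) in addrs:
            table = obj.Object(theType = 'Array', offset = tableaddr, vm = self.addr_space, targetType = 'unsigned long', count = tblsz)

            for (i, call_addr) in enumerate(table):
                if not call_addr:
                    continue

                if index_names:
                    idx_name = self._index_name(index_names, i)
                else:
                    idx_name = ""

                call_addr = int(call_addr)

                if not call_addr in sym_addrs:
                    hooked = 1
                    sym_name = self._compute_hook_sym_name(visible_mods, hidden_mods, call_addr)
                else:
                    hooked = 0
                    sym_name = self.profile.get_symbol_by_address("kernel", call_addr)

                yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked)

    def _find_and_parse_index_file(self):
        """Return the content of unistd_32.h / unistd_64.h recovered from the image, or None.

        The first candidate file that yields more than 4096 bytes is used.
        """
        memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
        if memory_model == '32bit':
            header_path = "unistd_32.h"
        else:
            header_path = "unistd_64.h"

        find_file = linux_find_file.linux_find_file(self._config)

        inodes = []
        for (_, _, file_path, file_dentry) in find_file.walk_sbs():
            ents = file_path.split("/")
            if len(ents) > 1 and ents[-1] == header_path:
                inodes.append(file_dentry.d_inode)

        ret = None
        for inode in inodes:
            buf = "".join(find_file.get_file_contents(inode))

            if len(buf) > 4096:
                ret = buf
                break

        return ret

    def calculate(self):
        """
        This works by walking the system call table
        and verifies that each is a symbol in the kernel
        """
        linux_common.set_plugin_members(self)

        if not has_distorm:
            debug.warning("distorm not installed. The best method to calculate the system call table size will not be used.")

        if self._config.SYSCALL_INDEXES:
            if not os.path.exists(self._config.SYSCALL_INDEXES):
                debug.error("Given syscall indexes file does not exist!")

            # Close the header file as soon as its content has been read.
            with open(self._config.SYSCALL_INDEXES, "r") as index_file:
                index_lines = index_file.read()
        else:
            index_lines = None

        for (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked) in self.get_syscalls(index_lines, True):
            yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked)

    def unified_output(self, data):
        """Describe the output columns and bind them to the row generator."""
        return TreeGrid([("TableName", str),
                         ("Index", int),
                         ("SystemCall", str),
                         ("HandlerAddress", Address),
                         ("Symbol", str)],
                        self.generator(data))

    def generator(self, data):
        """Convert each table entry into a flat TreeGrid row."""
        for (tableaddr, table_name, i, idx_name, call_addr, sym_name, _) in data:
            yield (0, [str(table_name), int(i), str(idx_name), Address(call_addr), str(sym_name)])

    def render_text(self, outfd, data):
        """Write one table row per system call table entry to outfd."""
        self.table_header(outfd, [("Table Name", "6"), ("Index", "5"), ("System Call", "24"), ("Handler Address", "[addrpad]"), ("Symbol", "<60")])

        for (tableaddr, table_name, i, idx_name, call_addr, sym_name, _) in data:
            self.table_row(outfd, table_name, i, idx_name, call_addr, sym_name)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/netscan.py0000644000000000000000000001045113131215405024163 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.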
If not, see . # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import struct, socket import volatility.debug as debug import volatility.obj as obj import volatility.utils as utils import volatility.plugins.linux.common as linux_common import volatility.plugins.malware.malfind as malfind try: import yara has_yara = True except ImportError: has_yara = False class linux_netscan(linux_common.AbstractLinuxCommand): """Carves for network connection structures""" def check_socket_back_pointer(self, i): scomp = self.addr_space.address_compare(i.sk.v(), i.sk.sk_socket.sk.v()) == 0 zcomp = i.sk.sk_socket.v() == 0x0 return scomp or zcomp def check_pointers(self, i): ret = self.addr_space.profile.get_symbol_by_address("kernel", i.sk.sk_backlog_rcv.v()) != None if ret: ret = self.addr_space.profile.get_symbol_by_address("kernel", i.sk.sk_error_report.v()) != None return ret def check_proto(self, i): return i.protocol in ("TCP", "UDP", "IP") def check_family(self, i): return i.sk.__sk_common.skc_family in (socket.AF_INET, socket.AF_INET6) #pylint: disable-msg=W0212 def calculate(self): if not has_yara: debug.error("Please install Yara from https://plusvic.github.io/yara/") linux_common.set_plugin_members(self) ## the start of kernel memory taken from VolatilityLinuxIntelValidAS if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": kernel_start = 0xc0000000 pack_size = 4 pack_fmt = "5} {3:<16}:{4:>5} {5:<15s}\n".format(proto, saddr, sport, daddr, dport, state, isock.v())) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/pidhashtable.py0000644000000000000000000001650213131215405025163 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. 
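#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist

PIDTYPE_PID = 0

# determining the processing algorithm to use is based on crash from redhat
class linux_pidhashtable(linux_pslist.linux_pslist):
    """Enumerates processes through the PID hash table"""

    def __init__(self, *args, **kwargs):
        # Task offsets already yielded by calculate_v3, so each task is reported once.
        self.seen_tasks = {}
        linux_pslist.linux_pslist.__init__(self, *args, **kwargs)

    def get_obj(self, ptr, sname, member):
        """Return the enclosing structure sname given the address ptr of its field member."""
        offset = self.profile.get_obj_offset(sname, member)

        addr = ptr - offset

        return obj.Object(sname, offset = addr, vm = self.addr_space)

    def _task_for_pid(self, upid, pid):
        """Yield the task(s) behind one pid structure.

        When pid.tasks[0].first is zero, the next upid on the chain is walked
        instead; otherwise the task_struct embedding that link is yielded if
        its pid is positive.
        """
        chained = 0

        pid_tasks_0 = pid.tasks[0].first

        if pid_tasks_0 == 0:
            chained = 1
            pnext_addr = upid.obj_offset + self.profile.get_obj_offset("upid", "pid_chain") + self.profile.get_obj_offset("hlist_node", "next")
            pnext = obj.Object("unsigned long", offset = pnext_addr, vm = self.addr_space)
            upid = obj.Object("upid", offset = pnext - self.profile.get_obj_offset("upid", "pid_chain"), vm = self.addr_space)

            for task in self._walk_upid(upid):
                yield task

        if chained == 0:
            task = obj.Object("task_struct", offset = pid_tasks_0 - self.profile.get_obj_offset("task_struct", "pids"), vm = self.addr_space)
            if task.pid > 0:
                yield task

    def _walk_upid(self, upid):
        """Follow a upid chain, yielding the tasks found for each element.

        NOTE(review): nothing records the upid offsets already visited, and
        this method and _task_for_pid call each other; a cyclic pid_chain in a
        damaged or tampered image would not terminate. Consider tracking seen
        offsets here.
        """
        while upid:
            pid = self.get_obj(upid.obj_offset, "pid", "numbers")

            for task in self._task_for_pid(upid, pid):
                yield task

            # pid_chain is either a pointer to an hlist_node or the node itself,
            # depending on the profile.
            if type(upid.pid_chain) == obj.Pointer:
                pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
            else:
                pid_chain = upid.pid_chain

            if not pid_chain:
                break

            upid = self.get_obj(pid_chain.next, "upid", "pid_chain")

    def _get_pidhash_array(self):
        """Return the pid_hash table as an array of 1 << pidhash_shift hlist_head entries."""
        pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
        pidhash_size = 1 << pidhash_shift

        pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
        pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)

        # pidhash is an array of hlist_heads
        pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)

        return pidhash

    def calculate_v3(self):
        """Enumerate tasks for profiles that have upid and pid.numbers; each valid task is yielded once."""
        self.seen_tasks = {}

        pidhash = self._get_pidhash_array()

        for hlist in pidhash:
            # each entry in the hlist is a upid which is wrapped in a pid
            ent = hlist.first

            while ent.v():
                upid = self.get_obj(ent.obj_offset, "upid", "pid_chain")

                for task in self._walk_upid(upid):
                    if not task.obj_offset in self.seen_tasks:
                        self.seen_tasks[task.obj_offset] = 1
                        if task.is_valid_task():
                            yield task

                ent = ent.m("next")

    # the following functions exist because crash has handlers for them
    # but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel
    # if someone actually triggers this message, I can quickly add in the support as I will have a sample to test again
    def profile_unsupported(self, func_name):
        """Report that the handler func_name is not implemented for this profile."""
        debug.error("{0:s}: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have support added.".format(func_name))

    def calculate_v2(self):
        """Enumerate tasks for profiles where the hash entries lead to pid_link structures."""
        poff = self.addr_space.profile.get_obj_offset("task_struct", "pids")

        pidhash = self._get_pidhash_array()

        for p in pidhash:
            if p.v() == 0:
                continue

            ptr = obj.Object("Pointer", offset = p.v(), vm = self.addr_space)

            if ptr.v() == 0:
                continue

            pidl = obj.Object("pid_link", offset = ptr.v(), vm = self.addr_space)

            nexth = pidl.pid

            if not nexth.is_valid():
                continue

            nexth = obj.Object("task_struct", offset = nexth - poff, vm = self.addr_space)

            while 1:
                if not pidl:
                    break

                yield nexth

                pidl = pidl.node.m("next").dereference_as("pid_link")

                nexth = pidl.pid

                if not nexth.is_valid():
                    break

                nexth = obj.Object("task_struct", offset = nexth - poff, vm = self.addr_space)

    def calculate_v1(self):
        self.profile_unsupported("calculate_v1")

    def refresh_pid_hash_task_table(self):
        self.profile_unsupported("refresh_pid_hash_task_table")

    def get_both(self):
        """Pick the enumeration routine from the types and members the profile defines."""
        has_pid_link = self.profile.has_type("pid_link")
        has_link_pid = self.profile.obj_has_member("pid_link", "pid")

        has_pid_hash = self.profile.has_type("pid_hash")
        has_upid = self.profile.has_type("upid")
        has_pid_numbers = self.profile.obj_has_member("pid", "numbers")

        if has_pid_hash:
            has_hash_chain = self.profile.obj_has_member("pid_hash", "chain")
        else:
            has_hash_chain = None

        if has_link_pid and has_hash_chain:
            func = self.refresh_pid_hash_task_table

        elif has_pid_link:
            if has_upid and has_pid_numbers:
                func = self.calculate_v3 # refresh_hlist_task_table_v3
            else:
                func = self.calculate_v2 # refresh_hlist_task_table_v2

        else:
            func = self.calculate_v1

        return func

    def determine_func(self):
        """Pick the enumeration routine from the pid hash symbols the profile defines."""
        pidhash = self.addr_space.profile.get_symbol("pidhash")
        pid_hash = self.addr_space.profile.get_symbol("pid_hash")
        pidhash_shift = self.addr_space.profile.get_symbol("pidhash_shift")

        if pid_hash and pidhash_shift:
            func = self.get_both()

        elif pid_hash:
            func = self.refresh_pid_hash_task_table

        elif pidhash:
            func = self.refresh_pid_hash_task_table

        else:
            # None of the symbols exist: use the same "unsupported profile"
            # fallback as get_both() instead of returning an unbound name.
            func = self.calculate_v1

        return func

    def calculate(self):
        """Yield every task found through the PID hash table."""
        linux_common.set_plugin_members(self)
        func = self.determine_func()

        for task in func():
            yield task

volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/bash.py0000644000000000000000000001526513131215405023455 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import struct

import volatility.obj as obj
import volatility.debug as debug
import volatility.addrspace as addrspace
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist
from volatility.renderers import TreeGrid

bash_vtypes_32 = {
    '_hist_entry': [ 0xc, {
        'line': [0x0, ['pointer', ['String', dict(length = 1024)]]],
        'timestamp': [0x4, ['pointer', ['String', dict(length = 1024)]]],
        'data': [0x8, ['pointer', ['void']]],
    }],
}

bash_vtypes_64 = {
    '_hist_entry': [ 24, {
        'line': [0, ['pointer', ['String', dict(length = 1024)]]],
        'timestamp': [8, ['pointer', ['String', dict(length = 1024)]]],
        'data': [16, ['pointer', ['void']]],
    }],
}

class _hist_entry(obj.CType): """A class for history entries""" def is_valid(self): # Check the basic structure members if (not obj.CType.is_valid(self) or not self.line.is_valid() or len(self.line.dereference()) == 0 or not 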
self.timestamp.is_valid()): return False # A pointer to the timestamp string ts = self.timestamp.dereference() # At this point in time, the epoc integer size will # never be less than 10 characters, and the stamp is # always preceded by a pound/hash character. if len(ts) < 10 or str(ts)[0] != "#": return False # The final check is to make sure the entire string # is composed of numbers. Try to convert to an int. try: int(str(ts)[1:]) except ValueError: return False return True @property def time_as_integer(self): # Get the string and remove the leading "#" from the timestamp time_string = str(self.timestamp.dereference())[1:] # Convert the string into an integer (number of seconds) return int(time_string) def time_object(self): nsecs = self.time_as_integer # Build a timestamp object from the integer time_val = struct.pack(". # import volatility.plugins.linux.pslist as pslist import volatility.plugins.linux.lsmod as lsmod import volatility.plugins.volshell as volshell import volatility.obj as obj class linux_volshell(volshell.volshell): """Shell in the memory image""" @staticmethod def is_valid_profile(profile): return profile.metadata.get('os', 'Unknown').lower() == 'linux' def modules(self): mods = lsmod.linux_lsmod(self._config).calculate() for (module, _, __) in mods: print "{0:24} {1:d}".format(module.name, module.init_size + module.core_size) def getpidlist(self): return pslist.linux_pslist(self._config).allprocs() def ps(self, procs = None): print "{0:16} {1:6} {2:8}".format("Name", "PID", "Offset") for proc in procs or self.getpidlist(): print "{0:16} {1:<6} {2:#08x}".format(proc.comm, proc.pid, proc.obj_offset) def context_display(self): dtb = self._addrspace.vtop(self._proc.mm.pgd) or self._proc.mm.pgd print "Current context: process {0}, pid={1} DTB={2:#x}".format(self._proc.comm, self._proc.pid, dtb) def set_context(self, offset = None, pid = None, name = None, physical = False): if physical and offset != None: offset = 
pslist.linux_pslist.virtual_process_from_physical_offset(self._addrspace, offset).obj_offset elif pid is not None: offsets = [] for p in self.getpidlist(): if p.pid.v() == pid: offsets.append(p) if not offsets: print "Unable to find process matching pid {0}".format(pid) return elif len(offsets) > 1: print "Multiple processes match {0}, please specify by offset".format(pid) print "Matching processes:" self.ps(offsets) return else: offset = offsets[0].v() elif name is not None: offsets = [] for p in self.getpidlist(): if p.comm.find(name) >= 0: offsets.append(p) if not offsets: print "Unable to find process matching name {0}".format(name) return elif len(offsets) > 1: print "Multiple processes match name {0}, please specify by PID or offset".format(name) print "Matching processes:" self.ps(offsets) return else: offset = offsets[0].v() elif offset is None: print "Must provide one of: offset, name, or pid as a argument." return self._proc = obj.Object("task_struct", offset = offset, vm = self._addrspace) self.context_display() volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/banner.py0000644000000000000000000000341113131215405023773 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.debug as debug import volatility.plugins.linux.flags as linux_flags import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.pslist as linux_pslist class linux_banner(linux_common.AbstractLinuxCommand): """ Prints the Linux banner information """ def calculate(self): linux_common.set_plugin_members(self) banner_addr = self.addr_space.profile.get_symbol("linux_banner") if banner_addr: banner = obj.Object("String", offset = banner_addr, vm = self.addr_space, length = 256) else: debug.error("linux_banner symbol not found. Please report this as a bug on the issue tracker: https://code.google.com/p/volatility/issues/list") yield banner.strip() def render_text(self, outfd, data): for banner in data: outfd.write("{0:s}\n".format(banner)) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/aslr_shift.py0000644000000000000000000000254513131215405024673 0ustar rootroot# Volatility # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.utils as utils import volatility.plugins.linux.common as common class linux_aslr_shift(common.AbstractLinuxCommand): """Automatically detect the Linux ASLR shift""" def calculate(self): aspace = utils.load_as(self._config) yield aspace.profile.virtual_shift, aspace.profile.physical_shift def render_text(self, outfd, data): self.table_header(outfd, [("Virtual Shift Address", "[addrpad]"), ("Physical Shift Address", "[addrpad]")]) for v, p in data: self.table_row(outfd, v, p) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/check_syscall_arm.py0000644000000000000000000001015013131215405026172 0ustar rootroot# Volatility # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
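#

"""
@author: Joe Sylve
@license: GNU General Public License 2.0
@contact: joe.sylve@gmail.com
@organization: 504ENSICS Labs
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class linux_check_syscall_arm(linux_common.AbstractLinuxARMCommand):
    """ Checks if the system call table has been altered """

    def _get_syscall_table_size(self):
        """ Get size of syscall table from the vector_swi function

        Reads 32-bit words starting at the "vector_swi" symbol, at most 1024 of
        them, and decodes the size from the first word whose upper 16 bits are
        0xe357. Reports through debug.error() when no such word is found.
        """
        vector_swi_addr = self.addr_space.profile.get_symbol("vector_swi")

        max_opcodes_to_check = 1024
        while (max_opcodes_to_check):
            opcode = obj.Object("unsigned int", offset = vector_swi_addr, vm = self.addr_space)
            # NOTE(review): 0xe357xxxx is presumably the compare of the syscall
            # number against the table size, with an 8-bit value and a rotation
            # field in the low 12 bits - confirm against the ARM encoding.
            if ((opcode & 0xffff0000) == 0xe3570000):
                shift = 0x10 - ((opcode & 0xff00) >> 8)
                size = (opcode & 0xff) << (2 * shift)
                return size
            vector_swi_addr += 4
            max_opcodes_to_check -= 1

        debug.error("Syscall table size could not be determined.")

    def _get_syscall_table_address(self):
        """ returns the address of the syscall table """
        syscall_table_address = self.addr_space.profile.get_symbol("sys_call_table")

        if syscall_table_address:
            return syscall_table_address

        #TODO: Handle event where this isn't exported (if needed)
        debug.error("Symbol sys_call_table not export. Please file a bug report.")

    def calculate(self):
        """
        This works by walking the system call table
        and verifies that each is a symbol in the kernel

        Yields (index, address, flag) where flag is 1 when the entry's address
        is not among the profile's symbol addresses and 0 otherwise. Entries
        that read as zero are skipped.
        """
        linux_common.set_plugin_members(self)

        num_syscalls = self._get_syscall_table_size()
        syscall_addr = self._get_syscall_table_address()

        sym_addrs = self.profile.get_all_addresses()

        table = obj.Object("Array", offset = syscall_addr, vm = self.addr_space, targetType = "unsigned int", count = num_syscalls)

        for (i, call_addr) in enumerate(table):
            if not call_addr:
                continue

            # have to treat them as 'long' so need to mask
            call_addr = call_addr & 0xffffffff

            # Coverage limit: the test is membership in the set of known symbol
            # addresses, so an entry redirected to a different address that is
            # itself a known symbol is reported as 0 (not hooked). Compare the
            # resolved symbol name with the expected handler when triaging.
            if call_addr not in sym_addrs:
                yield (i, call_addr, 1)
            else:
                yield (i, call_addr, 0)

    def unified_output(self, data):
        """Wrap generator() output in a TreeGrid with Index, Address and Symbol columns."""
        return TreeGrid([("Index", Address),
                       ("Address", Address),
                       ("Symbol", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples for the TreeGrid built by unified_output()."""
        for (i, call_addr, hooked) in data:
            if hooked == 0:
                sym_name = self.profile.get_symbol_by_address("kernel", call_addr)
            else:
                sym_name = "HOOKED"

            # Fixed: the comma between the depth and the row list was missing,
            # which made the expression index the integer 0 and raise TypeError.
            yield (0, [Address(i), Address(call_addr), str(sym_name)])

    def render_text(self, outfd, data):
        """Print one table row per syscall entry; flagged entries show "HOOKED"."""
        self.table_header(outfd, [("Index", "[addr]"), ("Address", "[addrpad]"), ("Symbol", "<30")])
        for (i, call_addr, hooked) in data:

            if hooked == 0:
                sym_name = self.profile.get_symbol_by_address("kernel", call_addr)
            else:
                sym_name = "HOOKED"

            self.table_row(outfd, i, call_addr, sym_name)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/libc_env.py0000644000000000000000000000330613131215405024312 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.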
# # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import struct from operator import attrgetter import volatility.obj as obj import volatility.debug as debug import volatility.addrspace as addrspace import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.pslist as linux_pslist class linux_bash_env(linux_pslist.linux_pslist): """Recover a process' dynamic environment variables""" def render_text(self, outfd, data): self.table_header(outfd, [("Pid", "8"), ("Name", "20"), ("Vars", "")]) for task in data: varstr = "" for (key, val) in task.bash_environment(): varstr = varstr + "%s=%s " % (key, val) self.table_row(outfd, task.pid, task.comm, varstr) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/linux_truecrypt.py0000644000000000000000000001152713131215405026015 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist
import volatility.plugins.malware.malfind as malfind

try:
    import yara
    has_yara = True
except ImportError:
    has_yara = False

class PassphraseScanner(malfind.BaseYaraScanner):
    """Yara scanner that looks for PASSPHRASE structures in a task's heap mapping."""

    def __init__(self, task = None, **kwargs):
        """Scan the process address space through the VMAs.

        Args:
          task: The task_struct object for this task.
        """
        self.task = task
        malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)

    def scan(self, offset = 0, maxlen = None):
        """Yield (address, password) for every hit that passes the sanity checks.

        The offset and maxlen arguments are accepted for signature
        compatibility with the base class but are not used: the scan range is
        taken from the task's own mappings.
        """
        profile = self.address_space.profile
        # Each signature hit is treated as the MaxLength member, so the start
        # of the candidate structure is the hit address minus this offset.
        maxlength_offset = profile.get_obj_offset("PASSPHRASE", "MaxLength")

        for vma in self.task.get_proc_maps():
            # only scanning the process heap
            if not (vma.vm_start <= self.task.mm.start_brk and vma.vm_end >= self.task.mm.brk):
                continue

            region_size = vma.vm_end - vma.vm_start
            for hit, address in malfind.BaseYaraScanner.scan(self, vma.vm_start, region_size):
                # possible passphrase structure
                passt = obj.Object("PASSPHRASE", offset = address - maxlength_offset, vm = self.address_space)

                # the sanity checks: the text pointer must fall inside this
                # mapping and the length must be positive and below MaxLength
                if not (passt and vma.vm_start <= passt.Text and
                        vma.vm_end >= passt.Text and
                        passt.Length > 0 and
                        passt.Length < passt.MaxLength):
                    continue

                password = passt.Text.dereference()
                # the string that was read must be exactly as long as recorded
                if len(password) != passt.Length:
                    continue

                yield address, password

class LinuxTruecryptModification(obj.ProfileModification):
    """A modification for Linux Truecrypt passphrases"""

    conditions = {'os': lambda x: x == 'linux'}

    def modification(self, profile):
        """Register the PASSPHRASE vtype that matches the profile's memory model."""
        x86_vtypes = {
            'PASSPHRASE': [ None, {
            'Text': [ 0, ['pointer', ['String', dict(length = 255)]]],
            'MaxLength': [ 0x4, ['int']],
            'Length': [ 0x8, ['int']],
            }]}
        x64_vtypes = {
            'PASSPHRASE': [ None, {
            'Text': [ 0, ['pointer', ['String', dict(length = 255)]]],
            'MaxLength': [ 0x8, ['int']],
            'Length': [ 0xC, ['int']],
            }]}

        # Anything other than "32bit" (the default when unset) gets the
        # 64-bit layout.
        bits = profile.metadata.get("memory_model", "32bit")
        vtypes = x86_vtypes if bits == "32bit" else x64_vtypes
        profile.vtypes.update(vtypes)

class linux_truecrypt_passphrase(linux_pslist.linux_pslist):
    """
    Recovers cached Truecrypt passphrases
    """

    def calculate(self):
        """Yield (task, address, password) for each passphrase found in "truecrypt" tasks."""
        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        linux_common.set_plugin_members(self)

        for task in linux_pslist.linux_pslist.calculate(self):
            # Only tasks whose comm is exactly "truecrypt" are examined.
            if str(task.comm) != "truecrypt":
                continue

            space = task.get_process_address_space()
            if not space:
                continue

            # The signature is the little-endian 32-bit value 0x40 followed by
            # a 32-bit value below 0x100; PassphraseScanner.scan() interprets
            # the hit as the MaxLength member followed by Length.
            rules = yara.compile(sources = {
                   'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
                   })

            scanner = PassphraseScanner(task = task, rules = rules)

            for address, password in scanner.scan():
                yield task, address, password

    def render_text(self, outfd, data):
        """Print process, pid, hit address and the recovered passphrase per row."""
        self.table_header(outfd, [("Process", "16"),
                                  ("Pid", "8"),
                                  ("Address", "[addrpad]"),
                                  ("Password", "")])

        # The passphrase is written in clear text, so the output is secret
        # material in its own right.
        for (task, address, password) in data:
            self.table_row(outfd, task.comm, task.pid, address, password)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/getcwd.py0000644000000000000000000000256413131215405024013 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.pslist as linux_pslist class linux_getcwd(linux_pslist.linux_pslist): """Lists current working directory of each process""" def render_text(self, outfd, data): self.table_header(outfd, [("Name", "17"), ("Pid", "8"), ("CWD", "")]) for task in data: self.table_row(outfd, str(task.comm), task.pid, task.getcwd()) volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/bash_hash.py0000644000000000000000000001426213131215405024454 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import struct
from operator import attrgetter
import volatility.obj as obj
import volatility.debug as debug
import volatility.addrspace as addrspace
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist
from volatility.renderers import TreeGrid

# Structure layouts applied when the profile's memory model is "32bit".
bash_hash_vtypes_32 = {
    '_pathdata' : [ 8, {
    'path' : [0x0, ['pointer', ['String', dict(length = 1024)]]],
    'flags': [0x4, ['int']],
    }],

    '_envdata' : [ 8, {
    'name' : [0x0, ['pointer', ['String', dict(length = 1024)]]],
    'value' : [0x4, ['pointer', ['String', dict(length = 1024)]]],
    }],

    'bucket_contents' : [ 20, {
    'next' : [0x0, ['pointer', ['bucket_contents']]],
    'key' : [0x4, ['pointer', ['String', dict(length = 1024)]]],
    'data' : [0x8, ['pointer', ['_pathdata']]],
    'times_found' : [16, ['int']],
    }],

    '_bash_hash_table': [ 0xc, {
    'bucket_array': [0x0, ['pointer', ['bucket_contents']]],
    'nbuckets': [0x4, ['int']],
    'nentries': [0x8, ['int']],
    }],
}

# Structure layouts applied for every other memory model.
bash_hash_vtypes_64 = {
    '_pathdata' : [ 12, {
    'path' : [0x0, ['pointer', ['String', dict(length = 1024)]]],
    'flags': [0x8, ['int']],
    }],

    '_envdata' : [ 16, {
    'name' : [0x0, ['pointer', ['String', dict(length = 1024)]]],
    'value' : [0x8, ['pointer', ['String', dict(length = 1024)]]],
    }],

    'bucket_contents' : [ 32, {
    'next' : [0, ['pointer', ['bucket_contents']]],
    'key' : [8, ['pointer', ['String', dict(length = 1024)]]],
    'data' : [16, ['pointer', ['_pathdata']]],
    'times_found' : [28, ['int']],
    }],

    '_bash_hash_table': [ 16, {
    'bucket_array': [0, ['pointer', ['bucket_contents']]],
    'nbuckets': [8, ['int']],
    'nentries': [12, ['int']],
    }],
}

class _bash_hash_table(obj.CType):
    # Object class for the '_bash_hash_table' vtype: validates a candidate
    # table and iterates over its bucket chains.

    def is_valid(self):
        """Accept only tables with a valid bucket array, exactly 64 buckets and more than one entry."""
        if (not obj.CType.is_valid(self) or
                not self.bucket_array.is_valid() or
                not self.nbuckets == 64 or
                not self.nentries > 1):
            return False

        return True

    def __iter__(self):
        """Yield each bucket whose path pointer is valid and whose flags are in 0..2."""
        if not self.is_valid():
            return

        # Bucket addresses already visited. The chain pointers come from the
        # analysed image, so a corrupted or looping chain must not keep the
        # walk running forever.
        seen = {}

        bucket_array = obj.Object(theType="Array", targetType="Pointer", offset = self.bucket_array, vm = self.nbuckets.obj_vm, count = 64)

        for bucket_ptr in bucket_array:
            bucket = bucket_ptr.dereference_as("bucket_contents")
            while bucket.times_found > 0 and bucket.data.is_valid() and bucket.key.is_valid():
                if bucket.v() in seen:
                    break

                seen[bucket.v()] = 1

                pdata = bucket.data

                if pdata.path.is_valid() and (0 <= pdata.flags <= 2):
                    yield bucket

                bucket = bucket.next

class BashHashTypes(obj.ProfileModification):
    conditions = {"os" : lambda x : x in ["linux"]}

    def modification(self, profile):
        """Install the bash hash vtypes for the profile's memory model and the table class."""
        is_32bit = profile.metadata.get('memory_model', '32bit') == "32bit"

        if is_32bit:
            profile.vtypes.update(bash_hash_vtypes_32)
        else:
            profile.vtypes.update(bash_hash_vtypes_64)

        profile.object_classes.update({"_bash_hash_table": _bash_hash_table})

class linux_bash_hash(linux_pslist.linux_pslist):
    """Recover bash hash table from bash process memory"""

    def __init__(self, config, *args, **kwargs):
        """Initialise the parent plugin and register the SCAN_ALL (-A) switch."""
        linux_pslist.linux_pslist.__init__(self, config, *args, **kwargs)
        self._config.add_option('SCAN_ALL', short_option = 'A', default = False, help = 'scan all processes, not just those named bash', action = 'store_true')

    def calculate(self):
        """Yield (task, bucket) for every hash entry of the selected tasks."""
        linux_common.set_plugin_members(self)

        for task in linux_pslist.linux_pslist(self._config).calculate():
            proc_as = task.get_process_address_space()

            # In cases when mm is an invalid pointer
            if not proc_as:
                continue

            # Do we scan everything or just /bin/bash instances?
            # The default filter is the task's comm only, so a shell running
            # under another name is covered only with SCAN_ALL.
            if not (self._config.SCAN_ALL or str(task.comm) == "bash"):
                continue

            for ent in task.bash_hash_entries():
                yield task, ent

    def unified_output(self, data):
        """Wrap generator() output in a TreeGrid with Pid, Name, Hits, Command and Path columns."""
        return TreeGrid([("Pid", int),
                       ("Name", str),
                       ("Hits", int),
                       ("Command", str),
                       ("Path", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples for the TreeGrid built by unified_output()."""
        for task, bucket in data:
            row = [int(task.pid), str(task.comm), int(bucket.times_found), str(bucket.key.dereference()), str(bucket.data.path.dereference())]
            yield (0, row)

    def render_text(self, outfd, data):
        """Print pid, process name, hit count, command and its resolved path per entry."""
        self.table_header(outfd, [("Pid", "8"),
                                  ("Name", "20"),
                                  ("Hits", "6"),
                                  ("Command", "25"),
                                  ("Full Path", "")])

        for task, bucket in data:
            command = str(bucket.key.dereference())
            full_path = str(bucket.data.path.dereference())
            self.table_row(outfd, task.pid, task.comm, bucket.times_found, command, full_path)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/flags.py0000644000000000000000000000344713131215405023633 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ # flags used throughout the plugins # these aren't going to change due to binary breakage if they would # Protocol strings should use volatility.protos tcp_states = ("", "ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT", "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN", "CLOSING") MNT_NOSUID = 0x01 MNT_NODEV = 0x02 MNT_NOEXEC = 0x04 MNT_NOATIME = 0x08 MNT_NODIRATIME = 0x10 MNT_RELATIME = 0x20 mnt_flags = { MNT_NOSUID: ",nosuid", MNT_NODEV: ",nodev", MNT_NOEXEC: ",noexec", MNT_NOATIME: ",noatime", MNT_NODIRATIME: ",nodiratime", MNT_RELATIME: ",relatime" } S_IFMT = 0170000 S_IFSOCK = 0140000 S_IFLNK = 0120000 S_IFREG = 0100000 S_IFBLK = 0060000 S_IFDIR = 0040000 S_IFCHR = 0020000 S_IFIFO = 0010000 S_ISUID = 0004000 S_ISGID = 0002000 volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/netfilter.py0000644000000000000000000000640113131215405024524 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
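#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsmod as linux_lsmod
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class linux_netfilter(linux_common.AbstractLinuxCommand):
    """Lists Netfilter hooks"""

    def calculate(self):
        """Walk the nf_hooks array and yield (proto, hook name, handler address, hooked).

        hooked is the string "True" when self.is_known_address() does not
        recognise the handler address given the loaded module list, and
        "False" otherwise.
        """
        linux_common.set_plugin_members(self)

        hook_names = ["PRE_ROUTING", "LOCAL_IN", "FORWARD", "LOCAL_OUT", "POST_ROUTING"]
        proto_names = ["", "", "IPV4", "", "", "", "", "", "", "", "" , "", "", ""]

        # struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]
        # NFPROTO_NUMPROTO = 12
        # NF_MAX_HOOKS = 7
        # NOTE(review): the loops below visit 13 protocols and 7 hooks, while
        # the row stride is 8 list_heads; the numbers in this comment and in
        # the code do not agree with each other - confirm against the kernel
        # version of the analysed image.

        nf_hooks_addr = self.addr_space.profile.get_symbol("nf_hooks")

        if nf_hooks_addr == None:
            debug.error("Unable to analyze NetFilter. It is either disabled or compiled as a module.")

        modules = linux_lsmod.linux_lsmod(self._config).get_modules()

        list_head_size = self.addr_space.profile.get_obj_size("list_head")

        for outer in range(13):
            arr = nf_hooks_addr + (outer * (list_head_size * 8))

            for inner in range(7):
                list_head = obj.Object("list_head", offset = arr + (inner * list_head_size), vm = self.addr_space)

                # Fixed: hook_names has five entries but inner runs to 6, so a
                # populated list at index 5 or 6 raised IndexError and ended
                # the listing. Such hooks are now reported under their numeric
                # index instead of being lost.
                if inner < len(hook_names):
                    hook_name = hook_names[inner]
                else:
                    hook_name = str(inner)

                for hook_ops in list_head.list_of_type("nf_hook_ops", "list"):
                    if self.is_known_address(hook_ops.hook.v(), modules):
                        hooked = "False"
                    else:
                        hooked = "True"

                    yield proto_names[outer], hook_name, hook_ops.hook.v(), hooked

    def unified_output(self, data):
        """Wrap generator() output in a TreeGrid with Proto, Hook, Handler and IsHooked columns."""
        return TreeGrid([("Proto", str),
                       ("Hook", str),
                       ("Handler", Address),
                       ("IsHooked", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples for the TreeGrid built by unified_output()."""
        for outer, inner, hook_addr, hooked in data:
            yield (0, [str(outer), str(inner), Address(hook_addr), str(hooked)])

    def render_text(self, outfd, data):
        """Print one table row per registered hook."""
        self.table_header(outfd, [("Proto", "5"), ("Hook", "16"), ("Handler", "[addrpad]"), ("Is Hooked", "5")])

        for outer, inner, hook_addr, hooked in data:
            self.table_row(outfd, outer, inner, hook_addr, hooked)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/linux/elfs.py0000644000000000000000000000523613131215405023466 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2014 CrowdStrike, Inc.
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Georg Wicherski
@license: GNU General Public License 2.0
@contact: georg@crowdstrike.com
@organization: CrowdStrike, Inc.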
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist
import volatility.plugins.linux.dump_map as linux_dump_map
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class linux_elfs(linux_pslist.linux_pslist):
    """Find ELF binaries in process mappings"""

    def calculate(self):
        """Yield (task, elf, start, end, soname, needed) for each entry of task.elfs()."""
        linux_common.set_plugin_members(self)

        for task in linux_pslist.linux_pslist.calculate(self):
            for elf_info in task.elfs():
                elf, elf_start, elf_end, soname, needed = elf_info
                yield task, elf, elf_start, elf_end, soname, needed

    def unified_output(self, data):
        """Wrap generator() output in a TreeGrid with Pid, Name, Start, End, Path and Needed columns."""
        return TreeGrid([("Pid", int),
                       ("Name", str),
                       ("Start", Address),
                       ("End", Address),
                       ("Path", str),
                       ("Needed", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples; the needed libraries are joined with commas."""
        for task, elf, start, end, soname, needed in data:
            needed_libs = ",".join(needed)
            yield (0, [int(task.pid), str(task.comm), Address(start), Address(end), str(soname), needed_libs])

    def render_text(self, outfd, data):
        """Print pid, name, mapping range, ELF path and needed libraries per row."""
        self.table_header(outfd, [("Pid", "8"),
                                  ("Name", "17"),
                                  ("Start", "[addrpad]"),
                                  ("End", "[addrpad]"),
                                  ("Elf Path", "60"),
                                  ("Needed", "")
                                  ])

        for task, elf, start, end, soname, needed in data:
            needed_libs = ",".join(needed)
            self.table_row(outfd, task.pid, task.comm, start, end, soname, needed_libs)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/0000755000000000000000000000000013131215405022446 5ustar rootroot
volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/malfind.py0000644000000000000000000006665513131215405024454 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
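#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
# File-wide pylint filter for protected members, since we have three _BLAH structures
#pylint: disable-msg=W0212

import os
import volatility.utils as utils
import volatility.obj as obj
import volatility.debug as debug
import volatility.win32.tasks as tasks
import volatility.win32.modules as modules
import volatility.plugins.taskmods as taskmods
import volatility.plugins.vadinfo as vadinfo
import volatility.plugins.overlays.windows.windows as windows
import volatility.constants as constants
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address, Bytes

# yara and distorm3 are optional; the has_* flags record whether the
# import succeeded so the plugins can degrade or exit with a clear message.
try:
    import yara
    has_yara = True
except ImportError:
    has_yara = False

try:
    import distorm3
    has_distorm3 = True
except ImportError:
    has_distorm3 = False

#--------------------------------------------------------------------------------
# functions
#--------------------------------------------------------------------------------

def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Disassemble code with distorm3.

    This is a generator. It yields nothing when distorm3 is not installed.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: use 32bit or 64bit decoding; any value other than
        '32bit' selects 64-bit decoding
    @param stoponret: stop disasm when function end is reached (the first
        instruction whose text starts with "RET" is not yielded)

    @returns: tuple of (offset, instruction, hex bytes)
    """

    # A plain return ends the generator. The original raised StopIteration,
    # which has the same effect on Python 2 but is turned into a
    # RuntimeError inside generators by PEP 479.
    if not has_distorm3:
        return

    if bits == '32bit':
        mode = distorm3.Decode32Bits
    else:
        mode = distorm3.Decode64Bits

    for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and i.startswith("RET"):
            return
        yield o, i, h

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------

class BaseYaraScanner(object):
    """An address space scanner for Yara signatures."""

    # Extra bytes read past each block so that a pattern starting near the
    # end of one block is still seen in full.
    overlap = 1024

    def __init__(self, address_space = None, rules = None):
        """
        @param address_space: the address space that scan() reads from
        @param rules: one compiled rules object, or a list of them
        """
        self.rules = rules
        self.address_space = address_space

    def scan(self, offset, maxlen):
        """Scan [offset, offset + maxlen) block by block.

        @param offset: first address to scan
        @param maxlen: number of bytes to scan

        @returns: generator of (match, address) where address is the
            absolute address of a matched string
        """
        # Start scanning from offset until maxlen:
        i = offset

        if isinstance(self.rules, list):
            rules = self.rules
        else:
            rules = [self.rules]

        while i < offset + maxlen:
            # Read some data and match it.
            to_read = min(constants.SCAN_BLOCKSIZE + self.overlap, offset + maxlen - i)
            data = self.address_space.zread(i, to_read)
            if data:
                for rule in rules:
                    for match in rule.match(data = data):
                        # We currently don't use name or value from the
                        # yara results but they can be yielded in the
                        # future if necessary.
                        for moffset, _name, _value in match.strings:
                            # Hits that start inside the overlap are left to
                            # the next iteration, which re-reads those bytes
                            # as the start of its own block. This avoids
                            # reporting the same hit twice.
                            # NOTE(review): a pattern that starts in this
                            # block and needs more than `overlap` bytes past
                            # the block end cannot match in either read.
                            if moffset < constants.SCAN_BLOCKSIZE:
                                yield match, moffset + i

            i += constants.SCAN_BLOCKSIZE

class VadYaraScanner(BaseYaraScanner):
    """A scanner over all memory regions of a process."""

    def __init__(self, task = None, **kwargs):
        """Scan the process address space through the Vads.

        Args:
          task: The _EPROCESS object for this task.
        """
        self.task = task
        BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)

    def scan(self, offset = 0, maxlen = None):
        """Scan every VAD of the task.

        @param offset: accepted for signature compatibility; not used here
        @param maxlen: when given, only VADs whose Length is below this
            value are scanned. Larger regions are skipped without a
            message, so a hit inside one of them is not reported.

        @returns: generator of (match, address)
        """

        # NOTE(review): `== None` is kept as written throughout this file.
        # Volatility's NoneObject presumably compares equal to None, which
        # an `is None` test would not honour. Confirm before changing.
        if maxlen == None:
            vads = self.task.get_vads(skip_max_commit = True)
        else:
            size_filter = lambda x : x.Length < maxlen
            vads = self.task.get_vads(vad_filter = size_filter,
                skip_max_commit = True)

        # get_vads() yields the address space to use for each VAD; it is
        # bound to self.address_space so the base scanner (and callers that
        # read a preview afterwards) use the matching space.
        for vad, self.address_space in vads:
            for match in BaseYaraScanner.scan(self, vad.Start, vad.Length):
                yield match

class DiscontigYaraScanner(BaseYaraScanner):
    """A Scanner for Discontiguous scanning."""

    def scan(self, start_offset = 0, maxlen = None):
        """Scan the available ranges of the address space, joining
        adjacent ranges so each contiguous run is scanned in one pass.

        @param start_offset: ranges that begin below this address are skipped
        @param maxlen: when given, ranges that begin above
            start_offset + maxlen are skipped

        @returns: generator of (match, address)
        """
        contiguous_offset = 0
        total_length = 0
        for (offset, length) in self.address_space.get_available_addresses():
            # Skip ranges before the start_offset
            if self.address_space.address_compare(offset, start_offset) == -1:
                continue

            # Skip ranges that are too high (if maxlen is specified)
            if maxlen != None:
                if self.address_space.address_compare(offset, start_offset + maxlen) > 0:
                    continue

            # Try to join up adjacent pages as much as possible.
            if offset == contiguous_offset + total_length:
                total_length += length
            else:
                # Scan the last contiguous range.
                for match in BaseYaraScanner.scan(self, contiguous_offset, total_length):
                    yield match

                # Reset the contiguous range.
                contiguous_offset = offset
                total_length = length

        if total_length > 0:
            # Do the last range.
            for match in BaseYaraScanner.scan(self, contiguous_offset, total_length):
                yield match

#--------------------------------------------------------------------------------
# yarascan
#--------------------------------------------------------------------------------

class YaraScan(taskmods.DllList):
    "Scan process or kernel memory with Yara signatures"

    def __init__(self, config, *args, **kwargs):
        """Register the yarascan command-line options on top of DllList's."""
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option("ALL", short_option = 'A', default = False,
                        action = 'store_true', help = 'Scan both process and kernel memory')
        config.add_option("CASE", short_option = 'C', default = False,
                        action = 'store_true', help = 'Make the search case insensitive')
        config.add_option("KERNEL", short_option = 'K', default = False,
                        action = 'store_true', help = 'Scan kernel modules')
        config.add_option("WIDE", short_option = 'W', default = False,
                        action = 'store_true', help = 'Match wide (unicode) strings')
        config.add_option('YARA-RULES', short_option = 'Y', default = None,
                        help = 'Yara rules (as a string)')
        config.add_option('YARA-FILE', short_option = 'y', default = None,
                        help = 'Yara rules (rules file)')
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                        help = 'Directory in which to dump the files')
        config.add_option('SIZE', short_option = 's', default = 256,
                        help = 'Size of preview hexdump (in bytes)',
                        action = 'store', type = 'int')
        config.add_option('REVERSE', short_option = 'R', default = 0,
                        help = 'Reverse this number of bytes',
                        action = 'store', type = 'int')
        config.add_option('MAX-SIZE', short_option = 'M', default = 0x40000000,
                        action = 'store', type = 'long',
                        help = 'Set the maximum size (default is 1GB)')

    def _compile_rules(self):
        """Compile the YARA rules from command-line parameters.

        @returns: a YARA object on which you can call 'match'

        This function causes the plugin to exit if the YARA rules have
        syntax errors or are not supplied correctly.
        """

        rules = None

        try:
            if self._config.YARA_RULES:
                s = self._config.YARA_RULES
                # Don't wrap hex or regex rules in quotes
                # The -Y value is placed into the rule source as given: a
                # text string containing a double quote or a backslash is
                # not escaped, so it either fails to compile or matches
                # something other than the literal text typed.
                if s[0] not in ("{", "/"): s = '"' + s + '"'
                # Option for case insensitive searches
                if self._config.CASE: s += " nocase"
                # Scan for unicode and ascii strings
                if self._config.WIDE: s += " wide ascii"
                rules = yara.compile(sources = {
                            'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
                            })
            elif self._config.YARA_FILE and os.path.isfile(self._config.YARA_FILE):
                rules = yara.compile(self._config.YARA_FILE)
            else:
                # Also reached when -y names a path that is not a file.
                debug.error("You must specify a string (-Y) or a rules file (-y)")
        except yara.SyntaxError as why:
            debug.error("Cannot compile rules: {0}".format(str(why)))

        return rules

    def _scan_process_memory(self, addr_space, rules):
        """Scan the VADs of every selected process.

        @param addr_space: kernel address space used to list processes
        @param rules: compiled rules from _compile_rules()

        @returns: generator of (task, address, hit, preview bytes). The
            preview starts REVERSE bytes before the hit and is SIZE bytes long.
        """
        for task in self.filter_tasks(tasks.pslist(addr_space)):
            scanner = VadYaraScanner(task = task, rules = rules)
            for hit, address in scanner.scan(maxlen = self._config.MAX_SIZE):
                yield (task, address, hit, scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))

    def _scan_kernel_memory(self, addr_space, rules):
        """Scan kernel memory once per session and attribute hits to modules.

        @param addr_space: kernel address space
        @param rules: compiled rules from _compile_rules()

        @returns: generator of (module, address, hit, preview bytes); module
            is whatever tasks.find_module() returns for the hit address
        """
        # Find KDBG so we know where kernel memory begins. Do not assume
        # the starting range is 0x80000000 because we may be dealing with
        # an image with the /3GB boot switch.
        kdbg = tasks.get_kdbg(addr_space)

        start = kdbg.MmSystemRangeStart.dereference_as("Pointer")

        # Modules so we can map addresses to owners
        mods = dict((addr_space.address_mask(mod.DllBase), mod)
                    for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        # There are multiple views (GUI sessions) of kernel memory.
        # Since we're scanning virtual memory and not physical,
        # all sessions must be scanned for full coverage. This
        # really only has a positive effect if the data you're
        # searching for is in GUI memory.
        sessions = []

        for proc in tasks.pslist(addr_space):
            sid = proc.SessionId

            # Skip sessions we've already seen
            if sid == None or sid in sessions:
                continue

            session_space = proc.get_process_address_space()
            if session_space == None:
                continue

            sessions.append(sid)
            scanner = DiscontigYaraScanner(address_space = session_space,
                                           rules = rules)

            for hit, address in scanner.scan(start_offset = start):
                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
                yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))

    def calculate(self):
        """Compile the rules and yield hits from the requested scope.

        Process memory is scanned by default, kernel memory with --kernel,
        and both with --all. Exits through debug.error when yara is missing.

        @returns: generator of (owner, address, hit, preview bytes)
        """

        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        addr_space = utils.load_as(self._config)

        rules = self._compile_rules()

        # Both are generators, so only the scope that is iterated below
        # is actually scanned.
        process_mem = self._scan_process_memory(addr_space, rules)
        kernel_mem = self._scan_kernel_memory(addr_space, rules)

        if self._config.ALL:
            for p in process_mem:
                yield p
            for k in kernel_mem:
                yield k
        elif self._config.KERNEL:
            for k in kernel_mem:
                yield k
        else:
            for p in process_mem:
                yield p

    def unified_output(self, data):
        """Describe the result columns and bind them to generator()."""
        return TreeGrid([("Rule", str),
                       ("Owner", str),
                       ("Address", Address),
                       ("Data", Bytes)],
                        self.generator(data))

    def generator(self, data):
        """Turn hits into TreeGrid rows, dumping previews if --dump-dir is set.

        @param data: tuples produced by calculate()
        @returns: generator of (0, [rule, owner, address, preview])
        """
        if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")
        for o, addr, hit, content in data:
            # The owner text comes from the analysed image (process or
            # module name); the dump file name is built from numeric
            # offsets only, so image contents never reach the path.
            owner = "Owner: (Unknown Kernel Memory)"
            if o == None:
                filename = "kernel.{0:#x}.dmp".format(addr)
            elif o.obj_name == "_EPROCESS":
                owner = "{0}: (Pid {1})".format(o.ImageFileName, o.UniqueProcessId)
                filename = "process.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)
            else:
                owner = "{0}".format(o.BaseDllName)
                filename = "kernel.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)

            # Dump the data if --dump-dir was supplied
            if self._config.DUMP_DIR:
                path = os.path.join(self._config.DUMP_DIR, filename)
                # The with block closes the file even if the write fails.
                with open(path, "wb") as fh:
                    fh.write(content)

            yield (0, [str(hit.rule), owner, Address(addr), Bytes(content)])

    def render_text(self, outfd, data):
        """Write each hit as rule, owner and a hexdump of the preview.

        @param outfd: file-like object to write to
        @param data: tuples produced by calculate()
        """

        if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        for o, addr, hit, content in data:
            outfd.write("Rule: {0}\n".format(hit.rule))

            # Find out if the hit is from user or kernel mode
            if o == None:
                outfd.write("Owner: (Unknown Kernel Memory)\n")
                filename = "kernel.{0:#x}.dmp".format(addr)
            elif o.obj_name == "_EPROCESS":
                outfd.write("Owner: Process {0} Pid {1}\n".format(o.ImageFileName,
                    o.UniqueProcessId))
                filename = "process.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)
            else:
                outfd.write("Owner: {0}\n".format(o.BaseDllName))
                filename = "kernel.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)

            # Dump the data if --dump-dir was supplied
            if self._config.DUMP_DIR:
                path = os.path.join(self._config.DUMP_DIR, filename)
                # The with block closes the file even if the write fails.
                with open(path, "wb") as fh:
                    fh.write(content)

            # NOTE(review): the preview was read from addr - REVERSE, but the
            # addresses printed here count up from addr. With --reverse the
            # printed addresses look offset by that amount. Confirm intent.
            outfd.write("".join(
                ["{0:#010x} {1:<48} {2}\n".format(addr + o, h, ''.join(c))
                for o, h, c in utils.Hexdump(content)
                ]))

#--------------------------------------------------------------------------------
# malfind
#--------------------------------------------------------------------------------

class Malfind(vadinfo.VADDump):
    "Find hidden and injected code"

    def __init__(self, config, *args, **kwargs):
        """Reuse VADDump's options, dropping BASE and adding REFINED."""
        vadinfo.VADDump.__init__(self, config, *args, **kwargs)
        config.remove_option("BASE")
        config.add_option("REFINED", short_option = 'W', default = False,
                        action = 'store_true',
                        help = 'Refine the output: only show regions with '\
                               'an MZ header or that start with well known '\
                               'opcode combinations (i.e. PUSH EBP). WARNING: '\
                               'this can cause you to overlook regions with '\
                               'wiped headers or shell code blocks starting '\
                               'with NOP sleds, etc. However, it will in '\
                               'general result in less noisy output')

    def _is_vad_empty(self, vad, address_space):
        """
        Check if a VAD region is either entirely unavailable
        due to paging, entirely consisting of zeros, or a
        combination of the two. This helps ignore false positives
        whose VAD flags match task._injection_filter requirements
        but there's no data and thus not worth reporting it.

        @param vad: an MMVAD object in kernel AS
        @param address_space: the process address space

        @returns: True when no valid page in the region holds a
            non-zero byte, False as soon as one is found
        """

        PAGE_SIZE = 0x1000
        all_zero_page = "\x00" * PAGE_SIZE

        offset = 0
        while offset < vad.Length:
            next_addr = vad.Start + offset
            if (address_space.is_valid_address(next_addr) and
                    address_space.read(next_addr, PAGE_SIZE) != all_zero_page):
                return False
            offset += PAGE_SIZE

        return True

    def unified_output(self, data):
        """Describe the result columns and bind them to generator()."""
        return TreeGrid([("Process", str),
                       ("Pid", int),
                       ("Address", Address),
                       ("VadTag", str),
                       ("Protection", str),
                       ("Flags", str),
                       ("Data", Bytes)],
                        self.generator(data))

    def generator(self, data):
        """Yield one row per non-empty VAD selected by task._injection_filter.

        The REFINED option is not applied on this output path; it is only
        checked in render_text().

        @param data: iterable of task objects
        @returns: generator of (0, [process, pid, address, tag,
            protection, flags, first 64 bytes])
        """
        if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        for task in data:
            for vad, address_space in task.get_vads(vad_filter = task._injection_filter):

                if self._is_vad_empty(vad, address_space):
                    continue

                content = address_space.zread(vad.Start, 64)

                yield (0, [str(task.ImageFileName),
                           int(task.UniqueProcessId),
                           Address(vad.Start),
                           str(vad.Tag),
                           str(vadinfo.PROTECT_FLAGS.get(vad.VadFlags.Protection.v(), "")),
                           str(vad.VadFlags),
                           Bytes(content)])

                # Dump the data if --dump-dir was supplied
                if self._config.DUMP_DIR:

                    # File name is built from numeric offsets only.
                    filename = os.path.join(self._config.DUMP_DIR,
                        "process.{0:#x}.{1:#x}.dmp".format(
                        task.obj_offset, vad.Start))

                    self.dump_vad(filename, vad, address_space)

    def render_text(self, outfd, data):
        """Write a header, hexdump and disassembly for each selected VAD.

        @param outfd: file-like object to write to
        @param data: iterable of task objects
        """

        if not has_distorm3:
            debug.warning("For best results please install distorm3")

        if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        # First two bytes that --refined accepts: a DOS header magic or
        # the 55 8B opcode pair.
        refined_criteria = ["MZ", "\x55\x8B"]

        for task in data:
            for vad, address_space in task.get_vads(vad_filter = task._injection_filter):

                if self._is_vad_empty(vad, address_space):
                    continue

                content = address_space.zread(vad.Start, 64)

                if self._config.REFINED and content[0:2] not in refined_criteria:
                    continue

                outfd.write("Process: {0} Pid: {1} Address: {2:#x}\n".format(
                    task.ImageFileName, task.UniqueProcessId, vad.Start))

                outfd.write("Vad Tag: {0} Protection: {1}\n".format(
                    vad.Tag, vadinfo.PROTECT_FLAGS.get(vad.VadFlags.Protection.v(), "")))

                outfd.write("Flags: {0}\n".format(str(vad.VadFlags)))
                outfd.write("\n")

                # this is for address reporting in the output
                data_start = vad.Start

                # all zeros in the first page followed by 558B at the base of
                # the second page is an indicator of wiped PE headers
                if content.count(chr(0)) == len(content):
                    if address_space.zread(vad.Start, 0x1000).count(chr(0)) == 0x1000:
                        next_page = address_space.zread(vad.Start + 0x1000, 64)
                        if next_page[0:2] == "\x55\x8B":
                            outfd.write("**** POSSIBLE WIPED PE HEADER AT BASE *****\n\n")
                            content = next_page
                            data_start = vad.Start + 0x1000

                outfd.write("{0}\n".format("\n".join(
                    ["{0:#010x} {1:<48} {2}".format(data_start + o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(content)
                    ])))

                # Disassemble() is called with its default bits = '32bit', so
                # the listing is a 32-bit decode whatever the memory model of
                # the process is.
                outfd.write("\n")
                outfd.write("\n".join(
                    ["{0:#010x} {1:<16} {2}".format(o, h, i)
                    for o, i, h in Disassemble(content, data_start)
                    ]))

                # Dump the data if --dump-dir was supplied
                if self._config.DUMP_DIR:

                    # File name is built from numeric offsets only. The dump
                    # is named after vad.Start even when the preview above
                    # was taken from the second page.
                    filename = os.path.join(self._config.DUMP_DIR,
                        "process.{0:#x}.{1:#x}.dmp".format(
                        task.obj_offset, vad.Start))

                    self.dump_vad(filename, vad, address_space)

                outfd.write("\n\n")

#--------------------------------------------------------------------------------
# ldrmodules
#--------------------------------------------------------------------------------

class LdrModules(taskmods.DllList):
    "Detect unlinked DLLs"

    def unified_output(self, data):
        """Describe the result columns; verbose mode adds the three paths."""
        if self._config.verbose:
            return TreeGrid([("Pid", int),
                       ("Process", str),
                       ("Base", Address),
                       ("InLoad", str),
                       ("InInit", str),
                       ("InMem", str),
                       ("MappedPath", str),
                       ("LoadPath", str),
                       ("InitPath", str),
                       ("MemPath", str)],
                        self.generator(data))
        else:
            return TreeGrid([("Pid", int),
                       ("Process", str),
                       ("Base", Address),
                       ("InLoad", str),
                       ("InInit", str),
                       ("InMem", str),
                       ("MappedPath", str)],
                        self.generator(data))

    def generator(self, data):
        """Compare mapped image files against the three PEB module lists.

        For every VAD that maps a file and starts with the 0x5A4D DOS
        magic, report whether its base address appears in the load-order,
        init-order and memory-order lists.

        @param data: iterable of task objects
        @returns: generator of TreeGrid rows matching unified_output()
        """
        for task in data:
            # Build a dictionary for all three PEB lists where the
            # keys are base address and module objects are the values
            inloadorder = dict((mod.DllBase.v(), mod)
                                for mod in task.get_load_modules())

            ininitorder = dict((mod.DllBase.v(), mod)
                                for mod in task.get_init_modules())

            inmemorder = dict((mod.DllBase.v(), mod)
                                for mod in task.get_mem_modules())

            # Build a similar dictionary for the mapped files
            mapped_files = {}
            for vad, address_space in task.get_vads(vad_filter = task._mapped_file_filter):
                # Note this is a lot faster than acquiring the full
                # vad region and then checking the first two bytes.
                if obj.Object("_IMAGE_DOS_HEADER", offset = vad.Start, vm = address_space).e_magic != 0x5A4D:
                    continue

                mapped_files[int(vad.Start)] = str(vad.FileObject.FileName or '')

            # For each base address with a mapped file, print info on
            # the other PEB lists to spot discrepancies.
            for base in mapped_files.keys():

                # Does the base address exist in the PEB DLL lists?
                load_mod = inloadorder.get(base, None)
                init_mod = ininitorder.get(base, None)
                mem_mod = inmemorder.get(base, None)

                # Print the full paths and base names in verbose mode
                load = "-"
                init = "-"
                mem = "-"
                if self._config.verbose:
                    if load_mod:
                        load = "{0} : {1}".format(load_mod.FullDllName, load_mod.BaseDllName)
                    if init_mod:
                        init = "{0} : {1}".format(init_mod.FullDllName, init_mod.BaseDllName)
                    if mem_mod:
                        mem = "{0} : {1}".format(mem_mod.FullDllName, mem_mod.BaseDllName)
                    yield (0, [int(task.UniqueProcessId),
                               str(task.ImageFileName),
                               Address(base),
                               str(load_mod != None),
                               str(init_mod != None),
                               str(mem_mod != None),
                               str(mapped_files[base]),
                               str(load),
                               str(init),
                               str(mem)])
                else:
                    yield (0, [int(task.UniqueProcessId),
                               str(task.ImageFileName),
                               Address(base),
                               str(load_mod != None),
                               str(init_mod != None),
                               str(mem_mod != None),
                               str(mapped_files[base])])

    def render_text(self, outfd, data):
        """Write the same comparison as generator() as a text table.

        @param outfd: file-like object to write to
        @param data: iterable of task objects
        """
        self.table_header(outfd,
                          [("Pid", "8"),
                           ("Process", "20"),
                           ("Base", "[addrpad]"),
                           ("InLoad", "5"),
                           ("InInit", "5"),
                           ("InMem", "5"),
                           ("MappedPath", "")
                           ])

        for task in data:
            # Build a dictionary for all three PEB lists where the
            # keys are base address and module objects are the values
            inloadorder = dict((mod.DllBase.v(), mod)
                                for mod in task.get_load_modules())

            ininitorder = dict((mod.DllBase.v(), mod)
                                for mod in task.get_init_modules())

            inmemorder = dict((mod.DllBase.v(), mod)
                                for mod in task.get_mem_modules())

            # Build a similar dictionary for the mapped files
            mapped_files = {}
            for vad, address_space in task.get_vads(vad_filter = task._mapped_file_filter):
                # Note this is a lot faster than acquiring the full
                # vad region and then checking the first two bytes.
                if obj.Object("_IMAGE_DOS_HEADER", offset = vad.Start, vm = address_space).e_magic != 0x5A4D:
                    continue

                mapped_files[int(vad.Start)] = str(vad.FileObject.FileName or '')

            # For each base address with a mapped file, print info on
            # the other PEB lists to spot discrepancies.
            for base in mapped_files.keys():

                # Does the base address exist in the PEB DLL lists?
                load_mod = inloadorder.get(base, None)
                init_mod = ininitorder.get(base, None)
                mem_mod = inmemorder.get(base, None)

                # Report if the mapped files are in the PEB lists
                self.table_row(outfd,
                        task.UniqueProcessId,
                        task.ImageFileName,
                        base,
                        str(load_mod != None),
                        str(init_mod != None),
                        str(mem_mod != None),
                        mapped_files[base]
                        )

                # Print the full paths and base names in verbose mode
                if self._config.verbose:
                    if load_mod:
                        outfd.write(" Load Path: {0} : {1}\n".format(load_mod.FullDllName, load_mod.BaseDllName))
                    if init_mod:
                        outfd.write(" Init Path: {0} : {1}\n".format(init_mod.FullDllName, init_mod.BaseDllName))
                    if mem_mod:
                        outfd.write(" Mem Path: {0} : {1}\n".format(mem_mod.FullDllName, mem_mod.BaseDllName))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/timers.py0000644000000000000000000002545013131215405024331 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.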
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import volatility.utils as utils import volatility.obj as obj import volatility.plugins.common as common import volatility.debug as debug import volatility.win32.tasks as tasks import volatility.win32.modules as modules import volatility.plugins.patchguard as patchguard import volatility.plugins.overlays.windows.win8_kdbg as win8_kdbg from volatility.renderers import TreeGrid from volatility.renderers.basic import Address #-------------------------------------------------------------------------------- # vtypes #-------------------------------------------------------------------------------- # This type is defined in Win2K3SP0x86 and VistaSP2x86, but # it applies to many other profiles in which it is not defined # in the public PDBs. 
timer_types = {
    '_KTIMER_TABLE_ENTRY' : [ 0x10, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'Time' : [ 0x8, ['_ULARGE_INTEGER']],
    }]}

class _KTIMER(obj.CType):
    """_KTIMER wrapper whose Dpc property returns a usable _KDPC."""

    @property
    def Dpc(self):
        """Return the timer's DPC.

        On 32bit memory models the raw member is returned. Otherwise the
        stored value is decoded with the wait_never / wait_always values
        before being returned as a _KDPC object.

        @returns: the Dpc member, a decoded _KDPC object, or a NoneObject
            when the KDBG parent or the decoding values cannot be found
        """

        vm = self.obj_vm
        profile = vm.profile
        bits = profile.metadata.get("memory_model")

        if bits == "32bit":
            return self.m("Dpc")

        # cycle through the parents until we reach the top
        parent = self.obj_parent
        while parent and parent.obj_name != "_KDDEBUGGER_DATA64":
            parent = parent.obj_parent

        if not parent:
            return obj.NoneObject("Parent is not a KDBG structure")

        # test if the patchguard magic is already available to us
        if (not hasattr(parent, 'wait_always') or
                not hasattr(parent, 'wait_never')):

            # this scans for the patchguard magic by indirectly
            # finding the KdCopyDataBlock function
            kdbg = win8_kdbg.VolatilityKDBG("", offset = 0, vm = vm).v()
            if not kdbg:
                return obj.NoneObject("Cannot find KDBG structure")

            # transfer the attributes to our parent
            # (cached there so later timers skip the scan above)
            parent.newattr('wait_never', kdbg.wait_never)
            parent.newattr('wait_always', kdbg.wait_always)

        dpc = self.m("Dpc").v()

        # Order matters: xor with wait_never, rotate by its low byte, xor
        # with this timer's own offset, byte-swap, then xor with wait_always.
        decoded = patchguard.bswap(patchguard.rol(dpc ^ \
                    parent.wait_never, parent.wait_never & 0xFF) ^ \
                    self.obj_offset) ^ parent.wait_always

        return obj.Object("_KDPC", offset = decoded, vm = vm)

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class TimerVTypes(obj.ProfileModification):
    """Install the timer vtypes and the _KTIMER object class on Windows."""

    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        """Add timer_types on 32bit profiles and register _KTIMER."""

        if profile.metadata.get("memory_model", "32bit") == "32bit":
            profile.vtypes.update(timer_types)

        # NOTE(review): registered for every memory model, since
        # _KTIMER.Dpc has a non-32bit branch. Confirm against upstream.
        profile.object_classes.update({'_KTIMER': _KTIMER})

#--------------------------------------------------------------------------------
# timers
#--------------------------------------------------------------------------------

class Timers(common.AbstractWindowsCommand):
    """Print kernel timers and associated module DPCs"""

    def __init__(self, config, *args, **kwargs):
        """Register the ListHead option on top of the base command's."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('ListHead', short_option = 'L', default = None,
                          help = 'Virtual address of nt!KiTimerTableListHead',
                          action = 'store', type = 'int')

    def find_list_head(self, nt_mod, func, sig):
        """
        Find the KiTimerTableListHead given an exported
        function as a starting point and a small signature.

        @param nt_mod: _LDR_DATA_TABLE_ENTRY object for NT module
        @param func: function name exported by the NT module
        @param sig: byte string/pattern to use for finding the symbol

        @returns: the 'address' object read just after the signature, or
            None when the export or the signature is not found
        """

        # Lookup the exported function
        func_rva = nt_mod.getprocaddress(func)
        if func_rva == None:
            return None

        func_addr = func_rva + nt_mod.DllBase

        # Read enough of the function prolog
        data = nt_mod.obj_vm.zread(func_addr, 200)

        # Scan for the byte signature
        # (only the first 200 bytes of the function are searched)
        n = data.find(sig)
        if n == -1:
            return None

        return obj.Object('address', func_addr + n + len(sig), nt_mod.obj_vm)

    def calculate(self):
        """Collect kernel timers and resolve each DPC routine to a module.

        The timer list is located differently per OS version (see the
        branches below). Timers with an unexpected header type or without
        a valid DPC routine are dropped.

        @returns: generator of (timer, module), where module is whatever
            tasks.find_module() returns for the routine address
        """
        addr_space = utils.load_as(self._config)

        # Get the OS version we're analyzing
        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))

        modlist = list(modules.lsmod(addr_space))
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
        mod_addrs = sorted(mods.keys())

        # KTIMERs collected
        timers = []

        # Valid KTIMER.Header.Type values
        TimerNotificationObject = 8
        TimerSynchronizationObject = 9
        valid_types = (TimerNotificationObject, TimerSynchronizationObject)

        if version == (5, 1) or (version == (5, 2) and
                                addr_space.profile.metadata.get('build', 0) == 3789):

            # On XP SP0-SP3 x86 and Windows 2003 SP0, KiTimerTableListHead
            # is an array of 256 _LIST_ENTRY for _KTIMERs.

            # modlist[0] is used as the NT module for the signature scan
            if self._config.LISTHEAD:
                KiTimerTableListHead = self._config.LISTHEAD
            else:
                KiTimerTableListHead = self.find_list_head(modlist[0],
                                            "KeUpdateSystemTime",
                                            "\x25\xFF\x00\x00\x00\x8D\x0C\xC5")

            if not KiTimerTableListHead:
                debug.warning("Cannot find KiTimerTableListHead")
            else:
                lists = obj.Object("Array", offset = KiTimerTableListHead,
                                            vm = addr_space,
                                            targetType = '_LIST_ENTRY',
                                            count = 256)

                for l in lists:
                    for t in l.list_of_type("_KTIMER", "TimerListEntry"):
                        timers.append(t)

        elif version == (5, 2) or version == (6, 0):

            # On XP x64, Windows 2003 SP1-SP2, and Vista SP0-SP2, KiTimerTableListHead
            # is an array of 512 _KTIMER_TABLE_ENTRY structs.

            if self._config.LISTHEAD:
                KiTimerTableListHead = self._config.LISTHEAD
            else:
                KiTimerTableListHead = self.find_list_head(modlist[0],
                                            "KeCancelTimer",
                                            "\xC1\xE7\x04\x81\xC7")

            if not KiTimerTableListHead:
                debug.warning("Cannot find KiTimerTableListHead")
            else:
                lists = obj.Object("Array", offset = KiTimerTableListHead,
                                            vm = addr_space,
                                            targetType = '_KTIMER_TABLE_ENTRY',
                                            count = 512)

                for l in lists:
                    for t in l.Entry.list_of_type("_KTIMER", "TimerListEntry"):
                        timers.append(t)

        elif version >= (6, 1):

            # Starting with Windows 7, there is no more KiTimerTableListHead. The list is
            # at _KPCR.PrcbData.TimerTable.TimerEntries (credits to Matt Suiche
            # for this one. See http://pastebin.com/FiRsGW3f).
            for kpcr in tasks.get_kdbg(addr_space).kpcrs():
                for table in kpcr.ProcessorBlock.TimerTable.TimerEntries:
                    for t in table.Entry.list_of_type("_KTIMER", "TimerListEntry"):
                        timers.append(t)

        for timer in timers:

            # Sanity check on the timer type
            if timer.Header.Type not in valid_types:
                continue

            # Ignore timers without DPCs
            if not timer.Dpc.is_valid() or not timer.Dpc.DeferredRoutine.is_valid():
                continue

            # Lookup the module containing the DPC
            module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(timer.Dpc.DeferredRoutine))

            yield timer, module

    def unified_output(self, data):
        """Describe the result columns and bind them to generator()."""
        return TreeGrid([("Offset(V)", Address),
                       ("DueTime", str),
                       ("Period(ms)", int),
                       ("Signaled", str),
                       ("Routine", Address),
                       ("Module", str)],
                        self.generator(data))

    def generator(self, data):
        """Turn (timer, module) pairs into depth-0 TreeGrid rows.

        A routine that no module contains is reported as "UNKNOWN".
        """
        for timer, module in data:

            if timer.Header.SignalState.v():
                signaled = "Yes"
            else:
                signaled = "-"

            if module:
                module_name = str(module.BaseDllName or '')
            else:
                module_name = "UNKNOWN"

            due_time = "{0:#010x}:{1:#010x}".format(timer.DueTime.HighPart, timer.DueTime.LowPart)

            yield (0, [Address(timer.obj_offset),
                        due_time,
                        int(timer.Period),
                        signaled,
                        Address(timer.Dpc.DeferredRoutine),
                        module_name])

    def render_text(self, outfd, data):
        """Write the same rows as generator() as a text table to outfd."""

        self.table_header(outfd,
                        [("Offset(V)", "[addrpad]"),
                         ("DueTime", "24"),
                         ("Period(ms)", "10"),
                         ("Signaled", "10"),
                         ("Routine", "[addrpad]"),
                         ("Module", ""),
                        ])

        for timer, module in data:

            if timer.Header.SignalState.v():
                signaled = "Yes"
            else:
                signaled = "-"

            if module:
                module_name = str(module.BaseDllName or '')
            else:
                module_name = "UNKNOWN"

            due_time = "{0:#010x}:{1:#010x}".format(timer.DueTime.HighPart, timer.DueTime.LowPart)

            self.table_row(outfd,
                        timer.obj_offset,
                        due_time,
                        timer.Period,
                        signaled,
                        timer.Dpc.DeferredRoutine,
                        module_name)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/svcscan.py0000644000000000000000000006460413131215405024472 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import volatility.utils as utils import volatility.obj as obj import volatility.plugins.common as common import volatility.win32.tasks as tasks import volatility.debug as debug import volatility.plugins.registry.registryapi as registryapi from volatility.renderers import TreeGrid from volatility.renderers.basic import Address #-------------------------------------------------------------------------------- # vtypes #-------------------------------------------------------------------------------- SERVICE_TYPE_FLAGS = { 'SERVICE_KERNEL_DRIVER': 0, 'SERVICE_FILE_SYSTEM_DRIVER': 1, 'SERVICE_WIN32_OWN_PROCESS': 4, 'SERVICE_WIN32_SHARE_PROCESS': 5, 'SERVICE_INTERACTIVE_PROCESS': 8} SERVICE_STATE_ENUM = { 1: 'SERVICE_STOPPED', 2: 'SERVICE_START_PENDING', 3: 'SERVICE_STOP_PENDING', 4: 'SERVICE_RUNNING', 5: 'SERVICE_CONTINUE_PENDING', 6: 'SERVICE_PAUSE_PENDING', 7: 'SERVICE_PAUSED'} SERVICE_START_ENUM = { 0: 'SERVICE_BOOT_START', 1: 'SERVICE_SYSTEM_START', 2: 'SERVICE_AUTO_START', 3: 'SERVICE_DEMAND_START', 4: 'SERVICE_DISABLED'} svcscan_base_x86 = { '_SERVICE_HEADER': [ None, { 'Tag': [ 0x0, ['array', 4, ['unsigned char']]], 'ServiceRecord': [ 0xC, ['pointer', ['_SERVICE_RECORD']]], } ], '_SERVICE_LIST_ENTRY' : [ 0x8, { 'Blink' : [ 0x0, ['pointer', ['_SERVICE_RECORD']]], 'Flink' : [ 0x4, ['pointer', ['_SERVICE_RECORD']]], } ], '_SERVICE_RECORD' : [ 
None, { 'ServiceList' : [ 0x0, ['_SERVICE_LIST_ENTRY']], 'ServiceName' : [ 0x8, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'DisplayName' : [ 0xc, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'Order' : [ 0x10, ['unsigned int']], 'Tag' : [ 0x18, ['array', 4, ['unsigned char']]], 'DriverName' : [ 0x24, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], 'ServiceProcess' : [ 0x24, ['pointer', ['_SERVICE_PROCESS']]], 'Type' : [ 0x28, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]], 'Start' : [ 0x44, ['Enumeration', dict(target = 'long', choices = SERVICE_START_ENUM)]], } ], '_SERVICE_PROCESS' : [ None, { 'BinaryPath' : [ 0x8, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], 'ProcessId' : [ 0xc, ['unsigned int']], } ], } svcscan_base_x64 = { '_SERVICE_HEADER': [ None, { 'Tag': [ 0x0, ['array', 4, ['unsigned char']]], 'ServiceRecord': [ 0x10, ['pointer', ['_SERVICE_RECORD']]], } ], '_SERVICE_LIST_ENTRY' : [ 0x8, { 'Blink' : [ 0x0, ['pointer', ['_SERVICE_RECORD']]], 'Flink' : [ 0x10, ['pointer', ['_SERVICE_RECORD']]], } ], '_SERVICE_RECORD' : [ None, { 'ServiceList' : [ 0x0, ['_SERVICE_LIST_ENTRY']], 'ServiceName' : [ 0x8, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'DisplayName' : [ 0x10, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'Order' : [ 0x18, ['unsigned int']], 'Tag' : [ 0x20, ['array', 4, ['unsigned char']]], 'DriverName' : [ 0x30, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], 'ServiceProcess' : [ 0x30, ['pointer', ['_SERVICE_PROCESS']]], 'Type' : [ 0x38, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]], 'State' : [ 0x3C, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]], 'Start' : [ 0x54, ['Enumeration', dict(target = 'long', choices = SERVICE_START_ENUM)]], } ], '_SERVICE_PROCESS': [ None, { 'BinaryPath': [ 0x10, ['pointer', 
['String', dict(encoding = 'utf16', length = 256)]]], 'ProcessId': [ 0x18, ['unsigned int']], } ], }

#--------------------------------------------------------------------------------
# object Classes
#--------------------------------------------------------------------------------

class _SERVICE_RECORD_LEGACY(obj.CType):
    "Service records for XP/2003 x86 and x64"

    @property
    def Binary(self):
        "Return the binary path for a service"

        # A stopped service has no path in memory; the registry key
        # would have to be queried instead.
        state = str(self.State)
        if state != 'SERVICE_RUNNING':
            return obj.NoneObject("No path, service isn't running")

        # ServiceProcess and DriverName share one offset in the vtypes,
        # so the Type flags decide which interpretation is used.
        if 'PROCESS' in str(self.Type):
            return self.ServiceProcess.BinaryPath.dereference()
        return self.DriverName.dereference()

    @property
    def Pid(self):
        "Return the process ID for a service"

        # Only a running, process-hosted service has a PID to report
        running = str(self.State) == 'SERVICE_RUNNING'
        if running and 'PROCESS' in str(self.Type):
            return self.ServiceProcess.ProcessId

        return obj.NoneObject("Cannot get process ID")

    def is_valid(self):
        "Check some fields for validity"
        # Sanity check only: the base CType check plus a plausible
        # Order value. Every field is read from the analysed image,
        # so a record that passes is plausible, not verified.
        base_ok = obj.CType.is_valid(self)
        return base_ok and self.Order > 0 and self.Order < 0xFFFF

    def traverse(self):
        """Generator that yields this record, then follows ServiceList.Blink
        until a record fails is_valid()."""
        # NOTE(review): there is no cycle guard here; a looping Blink chain
        # in a damaged or tampered image would keep this generator running.
        current = self # Include this object in the list
        while current and current.is_valid():
            yield current
            current = current.ServiceList.Blink.dereference()

class _SERVICE_RECORD_RECENT(_SERVICE_RECORD_LEGACY):
    "Service records for 2008, Vista, 7 x86 and x64"

    def traverse(self):
        """Generator that walks the singly-linked list"""

        if self.is_valid():
            yield self # Include this object in the list

        # Dereference the pointer first: otherwise is_valid() would be
        # asked of the pointer rather than of the _SERVICE_RECORD it
        # points to.
        # NOTE(review): no cycle guard in this loop either; the caller in
        # SvcScan.calculate stops at the first record it has already seen.
        previous = self.PrevEntry.dereference()
        while previous and previous.is_valid():
            yield previous
            previous = previous.PrevEntry.dereference()

class _SERVICE_HEADER(obj.CType):
    "Service headers for 2008, Vista, 7 x86 and x64"

    def is_valid(self):
        "Check some fields for validity"
        # The header is accepted only when the record it points to also
        # looks sane (valid object, Order below 0xFFFF).
        return (obj.CType.is_valid(self) and
                self.ServiceRecord.is_valid() and
                self.ServiceRecord.Order < 0xFFFF)

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class ServiceBase(obj.ProfileModification):
    """The base applies to XP and 2003 SP0-SP1"""

    before = ['WindowsOverlay', 'WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        # Register the object classes, then the tag that SvcScan.calculate
        # searches for in process memory, then the x86 structure layouts.
        service_classes = {
            '_SERVICE_RECORD': _SERVICE_RECORD_LEGACY,
            '_SERVICE_HEADER': _SERVICE_HEADER,
            }
        profile.object_classes.update(service_classes)
        profile.merge_overlay({'VOLATILITY_MAGIC': [ None, {
            'ServiceTag': [ 0x0, ['VolatilityMagic', dict(value = "sErv")]]
            }]})
        profile.vtypes.update(svcscan_base_x86)

class ServiceBasex64(obj.ProfileModification):
    """This overrides the base x86 vtypes with x64 vtypes"""

    before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        profile.vtypes.update(svcscan_base_x64)

class ServiceVista(obj.ProfileModification):
    """Override the base with OC's for Vista, 2008, and 7"""

    before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x >= 6}

    def modification(self, profile):
        # From major version 6 on, the scan tag is "serH" (a header that
        # points at a record) and records are walked through PrevEntry.
        recent_classes = {
            '_SERVICE_RECORD': _SERVICE_RECORD_RECENT,
            }
        profile.object_classes.update(recent_classes)
        profile.merge_overlay({'VOLATILITY_MAGIC': [ None, {
            'ServiceTag': [ 0x0, ['VolatilityMagic', dict(value = "serH")]]
            }]})

class ServiceVistax86(obj.ProfileModification): """Override the base with vtypes for x86 Vista, 2008, and 7""" before = ['WindowsOverlay', 
'WindowsObjectClasses', 'ServiceBase'] conditions = {'os': lambda x: x == 'windows', 'major': lambda x: x == 6, 'minor': lambda x: x < 2, 'memory_model': lambda x: x == '32bit'} def modification(self, profile): profile.merge_overlay({'_SERVICE_RECORD': [ None, { 'PrevEntry': [ 0x0, ['pointer', ['_SERVICE_RECORD']]], 'ServiceName': [ 0x4, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'DisplayName': [ 0x8, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'Order': [ 0xC, ['unsigned int']], 'ServiceProcess': [ 0x1C, ['pointer', ['_SERVICE_PROCESS']]], 'DriverName': [ 0x1C, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], 'Type' : [ 0x20, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]], 'State': [ 0x24, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]], 'Start' : [ 0x3C, ['Enumeration', dict(target = 'long', choices = SERVICE_START_ENUM)]], 'ServiceList' : [ 0x5C, ['_SERVICE_LIST_ENTRY']], }]}) class ServiceVistax64(obj.ProfileModification): """Override the base with vtypes for x64 Vista, 2008, and 7""" before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase'] conditions = {'os': lambda x: x == 'windows', 'major': lambda x: x == 6, 'minor': lambda x: x < 2, 'memory_model': lambda x: x == '64bit'} def modification(self, profile): profile.merge_overlay({'_SERVICE_RECORD': [ None, { 'PrevEntry': [ 0x0, ['pointer', ['_SERVICE_RECORD']]], 'ServiceName': [ 0x8, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'DisplayName': [ 0x10, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'Order': [ 0x18, ['unsigned int']], 'ServiceProcess': [ 0x28, ['pointer', ['_SERVICE_PROCESS']]], 'DriverName': [ 0x28, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], 'Type' : [ 0x30, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]], 'State': [ 0x34, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]], 'Start' : [ 0x4C, ['Enumeration', dict(target = 'long', 
choices = SERVICE_START_ENUM)]], 'ServiceList' : [ 0x78, ['_SERVICE_LIST_ENTRY']], }]}) class Service8x64(obj.ProfileModification): """Service structures for Win8/8.1 and Server2012/R2 64-bit""" before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase', 'ServiceVista'] conditions = {'os': lambda x: x == 'windows', 'major': lambda x: x == 6, 'minor': lambda x: x >= 2, 'memory_model': lambda x: x == '64bit'} def modification(self, profile): profile.merge_overlay({ '_SERVICE_RECORD' : [ None, { 'Tag' : [ 0x0, ['String', dict(length = 4)]], 'PrevEntry': [ 0x8, ['pointer', ['_SERVICE_RECORD']]], 'ServiceName' : [ 0x10, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'DisplayName' : [ 0x18, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'Order' : [ 0x20, ['unsigned int']], 'DriverName' : [ 0x38, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], 'ServiceProcess' : [ 0x38, ['pointer', ['_SERVICE_PROCESS']]], 'Type' : [ 0x40, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]], 'State' : [ 0x44, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]], 'Start' : [ 0x5C, ['Enumeration', dict(target = 'long', choices = SERVICE_START_ENUM)]], } ], '_SERVICE_PROCESS': [ None, { 'BinaryPath': [ 0x18, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], 'ProcessId': [ 0x20, ['unsigned int']], } ], }) class Service10_15063x64(obj.ProfileModification): """Service structures for Win10 15063 (Creators)""" before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase', 'ServiceVista', 'Service8x64', 'ServiceVistax64'] conditions = {'os': lambda x: x == 'windows', 'major': lambda x: x == 6, 'minor': lambda x: x == 4, 'build': lambda x: x == 15063, 'memory_model': lambda x: x == '64bit'} def modification(self, profile): profile.merge_overlay({ '_SERVICE_RECORD' : [ None, { 'PrevEntry': [ 0x10, ['pointer', ['_SERVICE_RECORD']]], 'ServiceName' : [ 0x38, ['pointer', ['String', dict(encoding = 'utf16', length = 
512)]]], 'DisplayName' : [ 0x40, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'Order' : [ 0x20, ['unsigned int']], 'DriverName' : [ 0xe8, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], 'ServiceProcess' : [ 0xe8, ['pointer', ['_SERVICE_PROCESS']]], 'Type' : [ 0x48, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]], 'State' : [ 0x4C, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]], 'Start' : [ 0x24, ['Enumeration', dict(target = 'long', choices = SERVICE_START_ENUM)]], } ], }) class Service8x86(obj.ProfileModification): """Service structures for Win8/8.1 32-bit""" before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase', 'ServiceVista'] conditions = {'os': lambda x: x == 'windows', 'major': lambda x: x == 6, 'minor': lambda x: x >= 2, 'memory_model': lambda x: x == '32bit'} def modification(self, profile): profile.vtypes.update({ '_SERVICE_RECORD' : [ None, { 'Tag' : [ 0x0, ['String', dict(length = 4)]], 'PrevEntry': [ 0x4, ['pointer', ['_SERVICE_RECORD']]], 'ServiceName' : [ 0x8, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'DisplayName' : [ 0xc, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'Order' : [ 0x10, ['unsigned int']], 'DriverName' : [ 0x24, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], 'ServiceProcess' : [ 0x24, ['pointer', ['_SERVICE_PROCESS']]], 'Type' : [ 0x28, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]], 'Start' : [ 0x44, ['Enumeration', dict(target = 'long', choices = SERVICE_START_ENUM)]], } ], '_SERVICE_PROCESS': [ None, { 'BinaryPath': [ 0xc, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], 'ProcessId': [ 0x10, ['unsigned int']], } ], }) class Service10_15063x86(obj.ProfileModification): """Service structures for Win10 15063 (Creators)""" before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase', 'ServiceVista', 
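'Service8x86'] conditions = {'os': lambda x: x == 'windows', 'major': lambda x: x == 6, 'minor': lambda x: x == 4, 'build': lambda x: x == 15063, 'memory_model': lambda x: x == '32bit'} def modification(self, profile): profile.vtypes.update({ '_SERVICE_RECORD' : [ None, { 'PrevEntry': [ 0xC, ['pointer', ['_SERVICE_RECORD']]], 'ServiceName' : [ 0x2C, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'DisplayName' : [ 0x30, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]], 'Order' : [ 0x14, ['unsigned int']], 'DriverName' : [ 0x9C, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], 'ServiceProcess' : [ 0x9C, ['pointer', ['_SERVICE_PROCESS']]], ## needs updating 'Type' : [ 0x34, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]], 'State' : [ 0x38, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]], 'Start' : [ 0x18, ['Enumeration', dict(target = 'long', choices = SERVICE_START_ENUM)]], } ], })

#--------------------------------------------------------------------------------
# svcscan plugin
#--------------------------------------------------------------------------------

class SvcScan(common.AbstractWindowsCommand):
    "Scan for Windows services"

    def calculate(self):
        """Yield service records found by tag-scanning services.exe memory.

        On profiles up to 5.2 every tag hit is treated as a record; on
        later profiles a hit is treated as a header and the records are
        reached by walking the list from the record it points to.
        """
        addr_space = utils.load_as(self._config)

        # Get the version we're analyzing
        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))

        tag = obj.VolMagic(addr_space).ServiceTag.v()

        # On systems more recent than XP/2003, the serH marker doesn't
        # find *all* services, but the ones it does find have linked
        # lists to the others. We use this variable to track which
        # ones we've seen so as to not yield duplicates.
        records = []

        for task in tasks.pslist(addr_space):
            # We only want the Service Control Manager process.
            # The match is on the image name alone, so every process
            # called services.exe is scanned; a record yielded here is
            # not by itself proof that it belongs to the real SCM.
            if str(task.ImageFileName).lower() != "services.exe":
                continue
            # Process AS must be valid (comparison with None is kept
            # as written so that NoneObject results are handled the
            # same way as before).
            process_space = task.get_process_address_space()
            if process_space == None:
                continue
            # Find all instances of the record tag, skipping VADs of
            # 0x40000000 bytes or more
            for address in task.search_process_memory([tag], vad_filter = lambda x: x.Length < 0x40000000):
                if version <= (5, 2):
                    # Windows XP/2003: the hit is the Tag field, so step
                    # back to the start of the record
                    rec = obj.Object("_SERVICE_RECORD", offset = address -
                            addr_space.profile.get_obj_offset('_SERVICE_RECORD', 'Tag'),
                            vm = process_space
                            )
                    # Apply our sanity checks
                    if rec.is_valid():
                        yield rec
                else:
                    # Windows Vista, 2008, and 7
                    svc_hdr = obj.Object('_SERVICE_HEADER', offset = address,
                            vm = process_space)
                    # Apply our sanity checks
                    if svc_hdr.is_valid():
                        # Since we walk the s-list backwards, if we've seen
                        # an object, then we've also seen all objects that
                        # exist before it, thus we can break at that time.
                        # This break is also what stops a chain that loops
                        # back onto a record already yielded.
                        for rec in svc_hdr.ServiceRecord.traverse():
                            if rec in records:
                                break
                            records.append(rec)
                            yield rec

    def render_dot(self, outfd, data):
        """Generate a dot graph of service relationships.

        This currently only works for XP/2003 profiles,
        because the linked list was removed after that.

        @param outfd: file-like object the graph is written to
        @param data: iterable of service records from calculate()
        """

        def dot_escape(text):
            # Service names are read from the analysed image. Escape the
            # characters that have a meaning inside a quoted record label
            # so that a crafted name cannot alter the graph structure.
            for ch in ('\\', '"', '{', '}', '|', '<', '>'):
                text = text.replace(ch, '\\' + ch)
            return text

        ## Collect all the service records from calculate()
        all_services = list(data)

        ## Nothing was found: there is no record to take the profile from
        ## (indexing an empty list here used to raise IndexError)
        if not all_services:
            debug.warning("No service records found, no graph written")
            return

        ## Abort if we're not using the supported profiles
        if all_services[0].obj_vm.profile.metadata.get('major', 0) != 5:
            debug.error("This profile does not support --output=dot format")

        objects = set()
        links = set()

        for svc in all_services:
            # Format first, then escape, so that a missing name renders
            # the same way it did before
            name = dot_escape("{0}".format(svc.ServiceName.dereference()))
            label = "{{ {0:#x} \\n {1} \\n {2} \\n F:{3:#x} B:{4:#x} }}".format(
                svc.obj_offset,
                name,
                str(svc.State),
                svc.ServiceList.Flink.v(),
                svc.ServiceList.Blink.v())

            objects.add('"{0:#x}" [label="{1}" shape="record"];\n'.format(
                svc.obj_offset, label))

            ## Check the linked list pointers
            flink = svc.ServiceList.Flink.dereference()
            blink = svc.ServiceList.Blink.dereference()

            if flink.is_valid():
                links.add('"{0:#x}" -> "{1:#x}" [];\n'.format(
                    svc.obj_offset, flink.obj_offset))

            if blink.is_valid():
                links.add('"{0:#x}" -> "{1:#x}" [];\n'.format(
                    svc.obj_offset, blink.obj_offset))

        ## Now write the graph nodes
        outfd.write("digraph svctree { \ngraph [rankdir = \"TB\"];\n")

        for item in objects:
            outfd.write(item)

        for link in links:
            outfd.write(link)

        outfd.write("}\n")

    @staticmethod
    def get_service_info(regapi):
        """Read per-service values from the services key of the system hive.

        @param regapi: registry API object used for all lookups
        @return: dict keyed by the printable service key name; each value
                 is (ServiceDll, ImagePath, FailureCommand, last write
                 time as int), with "" for values that were not found
        """
        ccs = regapi.reg_get_currentcontrolset()
        key_name = "{0}\\services".format(ccs)
        info = {}
        for subkey in regapi.reg_get_all_subkeys(hive_name = "system", key = key_name):

            path_value = ""
            dll_value = ""
            failure_value = ""

            image_path = regapi.reg_get_value(hive_name = "system", key = "", value = "ImagePath", given_root = subkey)
            if image_path:
                path_value = utils.remove_unprintable(image_path)

            failure_path = regapi.reg_get_value(hive_name = "system", key = "", value = "FailureCommand", given_root = subkey)
            if failure_path:
                failure_value = utils.remove_unprintable(failure_path)

            # ServiceDll is looked up under the Parameters subkey only
            for rootkey in regapi.reg_get_all_subkeys(hive_name = "system", key = "", given_root = subkey):
                if rootkey.Name == "Parameters":
                    service_dll = regapi.reg_get_value(hive_name = "system", key = "", value = "ServiceDll", given_root = rootkey)
                    if service_dll != None:
                        dll_value = utils.remove_unprintable(service_dll)
                    break

            last_write = int(subkey.LastWriteTime)
            info[utils.remove_unprintable(str(subkey.Name))] = (dll_value, path_value, failure_value, last_write)

        return info

    def unified_output(self, data):
        """Return a TreeGrid of the records; verbose mode adds the three
        registry columns ServiceDll, ImagePath and FailureCommand."""
        columns = [("Offset", Address),
                   ("Order", int),
                   ("Start", str),
                   ("PID", int),
                   ("ServiceName", str),
                   ("DisplayName", str),
                   ("ServiceType", str),
                   ("State", str),
                   ("BinaryPath", str)]
        if self._config.VERBOSE:
            columns.extend([("ServiceDll", str),
                            ("ImagePath", str),
                            ("FailureCommand", str)])
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one (depth, row) tuple per record for unified_output()."""
        verbose = self._config.VERBOSE
        info = {}
        if verbose:
            regapi = registryapi.RegistryApi(self._config)
            info = self.get_service_info(regapi)

        for rec in data:
            row = [Address(rec.obj_offset),
                   int(rec.Order),
                   str(rec.Start),
                   int(rec.Pid),
                   str(rec.ServiceName.dereference() or ""),
                   str(rec.DisplayName.dereference() or ""),
                   str(rec.Type),
                   str(rec.State),
                   str(rec.Binary or "")]
            if verbose:
                # The in-memory service name is the lookup key into the
                # registry data; a name with no registry entry gets
                # empty strings in the three extra columns.
                vals = info.get("{0}".format(rec.ServiceName.dereference()), None)
                row.extend([str(vals[0] if vals else ""),
                            str(vals[1] if vals else ""),
                            str(vals[2] if vals else "")])
            yield (0, row)

    def render_text(self, outfd, data):
        """Write each record as a block of 'Field: value' lines.

        In verbose mode the registry values are printed next to the
        in-memory ones, which lets a reader compare Binary Path with
        ImagePath and ServiceDll for the same service.
        """
        verbose = self._config.VERBOSE
        info = {}
        if verbose:
            regapi = registryapi.RegistryApi(self._config)
            info = self.get_service_info(regapi)

        for rec in data:
            # This can't possibly look neat in a table with columns...
            outfd.write("Offset: {0:#x}\n".format(rec.obj_offset))
            outfd.write("Order: {0}\n".format(rec.Order))
            outfd.write("Start: {0}\n".format(rec.Start))
            outfd.write("Process ID: {0}\n".format(rec.Pid))
            outfd.write("Service Name: {0}\n".format(rec.ServiceName.dereference()))
            outfd.write("Display Name: {0}\n".format(rec.DisplayName.dereference()))
            outfd.write("Service Type: {0}\n".format(rec.Type))
            outfd.write("Service State: {0}\n".format(rec.State))
            outfd.write("Binary Path: {0}\n".format(rec.Binary))
            if verbose:
                vals = info.get("{0}".format(rec.ServiceName.dereference()), None)
                if vals:
                    outfd.write("ServiceDll: {0}\n".format(vals[0]))
                    outfd.write("ImagePath: {0}\n".format(vals[1]))
                    outfd.write("FailureCommand: {0}\n".format(vals[2]))
            outfd.write("\n")
volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/threads.py0000644000000000000000000007210313131215405024455 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (c) 2010, 2011, 2012 Michael Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 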
# import sys, pydoc import volatility.utils as utils import volatility.registry as registry import volatility.obj as obj import volatility.win32.modules as modules import volatility.win32.tasks as tasks import volatility.plugins.ssdt as ssdt import volatility.plugins.taskmods as taskmods import volatility.plugins.modscan as modscan import volatility.plugins.malware.malfind as malfind import volatility.debug as debug from volatility.renderers import TreeGrid from volatility.renderers.basic import Address, Hex try: import distorm3 #pylint: disable-msg=W0611 has_distorm3 = True except ImportError: has_distorm3 = False #-------------------------------------------------------------------------------- # vtypes #-------------------------------------------------------------------------------- thread_types = { '_KTHREAD' : [ None , { 'State' : [ None, ['Enumeration', dict(target = 'unsigned char', choices = { 0: 'Initialized', 1: 'Ready', 2: 'Running', 3: 'Standby', 4: 'Terminated', 5: 'Waiting', 6: 'Transition', 7: 'DeferredReady', 8: 'GateWait'})]], 'WaitReason' : [ None, ['Enumeration', dict(target = 'unsigned char', choices = { 0: 'Executive', 1: 'FreePage', 2: 'PageIn', 3: 'PoolAllocation', 4: 'DelayExecution', 5: 'Suspended', 6: 'UserRequest', 7: 'WrExecutive', 8: 'WrFreePage', 9: 'WrPageIn', 10: 'WrPoolAllocation', 11: 'WrDelayExecution', 12: 'WrSuspended', 13: 'WrUserRequest', 14: 'WrEventPair', 15: 'WrQueue', 16: 'WrLpcReceive', 17: 'WrLpcReply', 18: 'WrVirtualMemory', 19: 'WrPageOut', 20: 'WrRendezvous', 21: 'Spare2', 22: 'Spare3', 23: 'Spare4', 24: 'Spare5', 25: 'Spare6', 26: 'WrKernel', 27: 'WrResource', 28: 'WrPushLock', 29: 'WrMutex', 30: 'WrQuantumEnd', 31: 'WrDispatchInt', 32: 'WrPreempted', 33: 'WrYieldExecution', 34: 'WrFastMutex', 35: 'WrGuardedMutex', 36: 'WrRundown', 37: 'MaximumWaitReason'})]], }], '_ETHREAD': [ None, { 'CrossThreadFlags': [ None, ['Flags', {'bitmap': { 'PS_CROSS_THREAD_FLAGS_TERMINATED': 0, 'PS_CROSS_THREAD_FLAGS_DEADTHREAD': 1, 
'PS_CROSS_THREAD_FLAGS_HIDEFROMDBG': 2, 'PS_CROSS_THREAD_FLAGS_IMPERSONATING': 3, 'PS_CROSS_THREAD_FLAGS_SYSTEM': 4, 'PS_CROSS_THREAD_FLAGS_HARD_ERRORS_DISABLED': 5, 'PS_CROSS_THREAD_FLAGS_BREAK_ON_TERMINATION': 6, 'PS_CROSS_THREAD_FLAGS_SKIP_CREATION_MSG': 7, 'PS_CROSS_THREAD_FLAGS_SKIP_TERMINATION_MSG': 8, }}]], }], }

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class MalwareKthread(obj.ProfileModification):
    # Applies the thread_types overlay (State, WaitReason and
    # CrossThreadFlags decoding) to every Windows profile.
    before = ['WindowsObjectClasses', 'WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.merge_overlay(thread_types)

#--------------------------------------------------------------------------------
# thread checks
#--------------------------------------------------------------------------------

class AbstractThreadCheck(object):
    """Base thread check class"""

    def __init__(self, thread, mods, mod_addrs,
                 hooked_tables, found_by_scanner):
        """
        @param thread: the _ETHREAD object

        @param mods: a dictionary with module bases as keys
        and _LDR_DATA_TABLE_ENTRY as values.

        @param mod_addrs: a sorted list of module base addresses

        @param hooked_tables: the SSDTs that have one or more hooked
        functions, as built by Threads.get_hooked_tables (a dictionary
        keyed by table address), or None when the caller did not
        compute it (Threads.calculate skips it on x64).

        @param found_by_scanner: True when the _ETHREAD passed as
        the thread parameter was found by pool scanning only, False
        when it was found via list walking.
        """
        self.thread = thread
        self.mods = mods
        self.mod_addrs = mod_addrs
        self.hooked_tables = hooked_tables
        self.found_by_scanner = found_by_scanner
        # The decoded flag names as one string; the checks below test
        # for a flag with a substring match on it.
        self.flags = str(thread.CrossThreadFlags)

    def check(self):
        """Subclasses return True when the thread matches, else False"""

class OrphanThread(AbstractThreadCheck):
    """Detect orphan threads"""

    def check(self):
        """True for a system thread whose start address does not
        fall inside any known/loaded kernel driver."""

        # Any module object will do as the source of the address space.
        # NOTE(review): this indexes the first entry of mods, so an
        # empty module dictionary raises IndexError here.
        kernel_space = self.mods.values()[0].obj_vm

        start = kernel_space.address_mask(self.thread.StartAddress)
        owner = tasks.find_module(self.mods, self.mod_addrs, start)

        return ('PS_CROSS_THREAD_FLAGS_SYSTEM' in self.flags and
                owner == None)

class DkomExit(AbstractThreadCheck):
    """Detect inconsistencies wrt exit times and termination"""

    def check(self):
        """True when ExitTime is non-zero (the thread is recorded as
        exited) while neither the scheduler state nor the flags say
        that it terminated."""

        has_exit_time = self.thread.ExitTime != 0
        return (has_exit_time and
                str(self.thread.Tcb.State) != 'Terminated' and
                not 'PS_CROSS_THREAD_FLAGS_TERMINATED' in self.flags)

class HideFromDebug(AbstractThreadCheck):
    """Detect threads hidden from debuggers"""

    def check(self):
        """True when the flags report that the thread is being
        hidden from a debugger."""

        return 'PS_CROSS_THREAD_FLAGS_HIDEFROMDBG' in self.flags

class SystemThread(AbstractThreadCheck):
    """Detect system threads"""

    def check(self):
        """True when the flags report a system thread
        (i.e. PsCreateSystemThread)."""

        return 'PS_CROSS_THREAD_FLAGS_SYSTEM' in self.flags

class Impersonation(AbstractThreadCheck):
    """Detect impersonating threads"""

    def check(self):
        """True when the flags indicate that the thread is
        impersonating another thread's security context."""

        return 'PS_CROSS_THREAD_FLAGS_IMPERSONATING' in self.flags

class HwBreakpoint(AbstractThreadCheck):
    """Detect threads with hardware breakpoints"""

    def check(self):
        """True when the trap frame shows the Dr* registers used in
        a manner consistent with hardware breakpoints."""

        # Don't check threads that appear to have exited
        if self.found_by_scanner or 'PS_CROSS_THREAD_FLAGS_TERMINATED' in self.flags:
            return False

        trap = self.thread.Tcb.TrapFrame.dereference_as("_KTRAP_FRAME")
        if not trap:
            return False

        # At least one of Dr0-Dr3 must be set, and both Dr6 and Dr7
        # must be non-zero as well.
        address_set = (trap.Dr0 != 0 or trap.Dr1 != 0 or
                       trap.Dr2 != 0 or trap.Dr3 != 0)
        if address_set and (trap.Dr6 != 0 and trap.Dr7 != 0):
            return True

        return False

class AttachedProcess(AbstractThreadCheck):
    """Detect threads attached to another process"""

    def check(self):
        """True when a thread with no exit time is currently attached
        to a process other than the one that owns it."""

        no_exit_time = self.thread.ExitTime == 0
        return (no_exit_time and
                self.thread.owning_process().obj_offset !=
                self.thread.attached_process().obj_offset)

class HookedSSDT(AbstractThreadCheck): """Check if a thread is using a hooked SSDT""" def check(self): """This check is True if any of the thread's SSDTs have hooked functions. 
If its True and the SSDT hooking module is legit, you can filter them out with --allow-hook.""" # Check doesn't apply to x64 if self.hooked_tables == None: return False ssdt_obj = self.thread.Tcb.ServiceTable.\ dereference_as('_SERVICE_DESCRIPTOR_TABLE') for _, desc in enumerate(ssdt_obj.Descriptors): table = desc.KiServiceTable.v() if table in self.hooked_tables.keys(): return True return False class ScannerOnly(AbstractThreadCheck): """Detect threads no longer in a linked list""" def check(self): """This check is True when a thread is found by pool tag scanning but not in list traversal.""" return self.found_by_scanner #-------------------------------------------------------------------------------- # threads plugin #-------------------------------------------------------------------------------- class Threads(taskmods.DllList): "Investigate _ETHREAD and _KTHREADs" def __init__(self, config, *args, **kwargs): taskmods.DllList.__init__(self, config, *args, **kwargs) self.bits32 = None config.add_option("FILTER", short_option = 'F', default = None, help = 'Tags to filter (comma-separated)') config.add_option("LISTTAGS", short_option = 'L', default = False, action = 'store_true', help = 'List all available tags') def get_hooked_tables(self, addr_space): """This function finds SSDTs in an address space, checks if there are any hooked functions in the SSDTs, and returns a dictionary where SSDT base addresses are the keys and the values are lists of hooked function names. @param addr_space: a kernel address space. """ # Names of the legit executive modules for SSDT tables executive_modules = [ # SSDT 0 ["ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"], # SSDT 1 ["win32k.sys"], # SSDT 2 ["spud.sys"], # SSDT 3 []] syscalls = addr_space.profile.syscalls hooked_tables = {} for info in ssdt.SSDT(self._config).calculate(): idx, table, n, vm, mods, mod_addrs = info # This is straight out of ssdt.py. Too bad there's no better way # to not duplicate code? 
for i in range(n): if self.bits32: # These are absolute function addresses in kernel memory. syscall_addr = obj.Object('address', table + (i * 4), vm).v() else: # These must be signed long for x64 because they are RVAs # relative to the base of the table and can be negative. offset = obj.Object('long', table + (i * 4), vm).v() # The offset is the top 20 bits of the 32 bit number. syscall_addr = table + (offset >> 4) try: syscall_name = syscalls[idx][i] except IndexError: syscall_name = "UNKNOWN" syscall_mod = tasks.find_module(mods, mod_addrs, syscall_addr) if syscall_mod: syscall_modname = syscall_mod.BaseDllName else: syscall_modname = "UNKNOWN" if str(syscall_modname).lower() not in executive_modules[idx]: fields = (i, syscall_name, syscall_addr, syscall_modname) if hooked_tables.has_key(table): hooked_tables[table].append(fields) else: hooked_tables[table] = [(fields)] return hooked_tables def calculate(self): if not has_distorm3: debug.warning("For best results please install distorm3") # Checks that subclass AbstractThreadCheck checks = registry.get_plugin_classes(AbstractThreadCheck) # If --listtags is chosen, just print the tags and return if self._config.LISTTAGS: for cls_name, cls in checks.items(): sys.stdout.write("{0:<20} {1}\n".format(cls_name, pydoc.getdoc(cls))) return addr_space = utils.load_as(self._config) system_range = tasks.get_kdbg(addr_space).MmSystemRangeStart.dereference_as("Pointer") # Only show threads owned by particular processes pidlist = [] if self._config.PID: pidlist = [int(p) for p in self._config.PID.split(',')] elif self._config.OFFSET: process = self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET) if process: pidlist = [int(process.UniqueProcessId)] # Get sorted list of kernel modules mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space)) mod_addrs = sorted(mods.keys()) # Are we on x86 or x64. 
Save this for render_text self.bits32 = addr_space.profile.metadata.\ get("memory_model", "32bit") == "32bit" # Get a list of hooked SSDTs but only on x86 if self.bits32: hooked_tables = self.get_hooked_tables(addr_space) else: hooked_tables = None # Dictionary to store threads. Keys are physical offsets of # ETHREAD objects. Values are tuples, where the first item is # a boolean specifying if the object was found by scanning and # the second item is the actual ETHREAD object. seen_threads = dict() # Gather threads by list traversal of active/linked processes for task in taskmods.DllList(self._config).calculate(): for thread in task.ThreadListHead.\ list_of_type("_ETHREAD", "ThreadListEntry"): seen_threads[thread.obj_vm.vtop(thread.obj_offset)] = (False, thread) # Now scan for threads and save any that haven't been seen for thread in modscan.ThrdScan(self._config).calculate(): if not seen_threads.has_key(thread.obj_offset): seen_threads[thread.obj_offset] = (True, thread) # Keep a record of processes whose DLLs we've already enumerated process_dll_info = {} for _offset, (found_by_scanner, thread) in seen_threads.items(): # Skip processes the user doesn't want to see if ((self._config.PID or self._config.OFFSET) and not pidlist) or (pidlist and thread.Cid.UniqueProcess not in pidlist): continue # Do we need to gather DLLs for module resolution if addr_space.address_compare(thread.StartAddress, system_range) != -1: owner = tasks.find_module(mods, mod_addrs, addr_space.address_mask(thread.StartAddress)) else: owning_process = thread.owning_process() if not owning_process.is_valid(): owner = None else: try: user_mod_addrs, user_mods = process_dll_info[owning_process.obj_offset] except KeyError: user_mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in owning_process.get_load_modules()) user_mod_addrs = sorted(user_mods.keys()) process_dll_info[owning_process.obj_offset] = (user_mod_addrs, user_mods) owner = tasks.find_module(user_mods, user_mod_addrs, 
addr_space.address_mask(thread.StartAddress)) if owner: owner_name = str(owner.BaseDllName or '') else: owner_name = "UNKNOWN" # Replace the dummy class with an instance instances = dict( (cls_name, cls(thread, mods, mod_addrs, hooked_tables, found_by_scanner)) for cls_name, cls in checks.items() ) yield thread, addr_space, mods, mod_addrs, \ instances, hooked_tables, system_range, owner_name def unified_output(self, data): return TreeGrid([("Offset", Address), ("PID", int), ("TID", int), ("Tags", str), ("Create Time", str), ("Exit Time", str), ("Owning Process", str), ("Attached Process", str), ("State", str), ("State Reason", str), ("Base Priority", int), ("Priority", int), ("TEB", Address), ("Start Address", Address), ("Owner Name", str), ("Win32 Start Address", Address), ("Win32 Thread", Address), ("Cross Thread Flags", str), ("EIP", Hex), ("EAX", Hex), ("EBX", Hex), ("ECX", Hex), ("EDX", Hex), ("ESI", Hex), ("EDI", Hex), ("ESP", Hex), ("EBP", Hex), ("ErrCode", Hex), ("SegCS", Hex), ("SegSS", Hex), ("SegDS", Hex), ("SegES", Hex), ("SegGS", Hex), ("SegFS", Hex), ("EFlags", Hex), ("dr0", Hex), ("dr1", Hex), ("dr2", Hex), ("dr3", Hex), ("dr6", Hex), ("dr7", Hex), ("SSDT", Address), ("Entry Number", int), ("Descriptor Service Table", Address), ("Hook Number", int), ("Function Name", str), ("Function Address", Address), ("Module Name", str), ("Disassembly", str), ], self.generator(data)) def generator(self, data): # Determine which filters the user wants to see if self._config.FILTER: filters = set(self._config.FILTER.split(',')) else: filters = set() for thread, addr_space, mods, mod_addrs, \ instances, hooked_tables, system_range, owner_name in data: # If the user didn't set filters, display all results. If # the user set one or more filters, only show threads # with matching results. 
tags = set([t for t, v in instances.items() if v.check()]) if filters and not filters & tags: continue values = [] values.append(Address(thread.obj_offset)) values.append(int(thread.Cid.UniqueProcess)) values.append(int(thread.Cid.UniqueThread)) values.append(','.join(tags)) values.append(str(thread.CreateTime)) if thread.ExitTime > 0: values.append(str(thread.ExitTime)) else: values.append('') values.append(str(thread.owning_process().ImageFileName)) values.append(str(thread.attached_process().ImageFileName)) # Lookup the thread's state state = str(thread.Tcb.State) # Find the wait reason if state == 'Waiting': state_reason = str(thread.Tcb.WaitReason) else: state_reason = '' values.append(state) values.append(state_reason) values.append(int(thread.Tcb.BasePriority)) values.append(int(thread.Tcb.Priority)) values.append(Address(thread.Tcb.Teb)) values.append(Address(thread.StartAddress)) values.append(owner_name) # Check the flag which indicates whether Win32StartAddress is valid if thread.SameThreadApcFlags & 1: values.append(Address(thread.Win32StartAddress)) else: values.append(Address(-1)) values.append(Address(thread.Tcb.Win32Thread)) values.append(str(thread.CrossThreadFlags)) # Disasemble the start address if possible dis = '' process_space = thread.owning_process().get_process_address_space() if process_space.is_valid_address(thread.StartAddress): buf = process_space.zread(thread.StartAddress, 24) mode = "32bit" if self.bits32 else "64bit" dis += "\n".join(["{0:#x} {1:<16} {2}".format(o, h, i) for o, i, h in malfind.Disassemble(buf, thread.StartAddress.v(), mode)]) if self.bits32: # Print the registers if possible trapframe = thread.Tcb.TrapFrame.dereference_as("_KTRAP_FRAME") if trapframe: for r in trapframe.Eip, trapframe.Eax, trapframe.Ebx, \ trapframe.Ecx, trapframe.Edx, trapframe.Esi, \ trapframe.Edi, trapframe.HardwareEsp, \ trapframe.Ebp, trapframe.ErrCode, trapframe.SegCs, \ trapframe.HardwareSegSs, trapframe.SegDs, \ trapframe.SegEs, 
trapframe.SegGs, trapframe.SegFs, \ trapframe.EFlags, trapframe.Dr0, trapframe.Dr1, \ trapframe.Dr2, trapframe.Dr3, trapframe.Dr6, \ trapframe.Dr7 : values.append(Hex(r)) else: values.extend( [Hex(-1)] * 23 ) values.append(Address(thread.Tcb.ServiceTable)) ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", offset = thread.Tcb.ServiceTable, vm = addr_space ) if ssdt_obj != None: for i, desc in enumerate(ssdt_obj.Descriptors): if desc.is_valid(): service_table = Address(desc.KiServiceTable.v()) else: service_table = Address(-1) # Show exactly which functions are hooked table = desc.KiServiceTable.v() if table not in hooked_tables.keys(): yield (0, values + [i, service_table, -1, '', Address(-1), '', dis]) continue yielded=False for (j, func_name, func_addr, mod_name) in hooked_tables[table]: yielded=True yield(0, values + [i, service_table, j, func_name, Address(func_addr), mod_name, dis]) if not yielded: yield (0, values + [i, service_table, -1, '', Address(-1), '', dis]) else: values.extend([ -1, Address(-1), -1, '', Address(-1), '', dis ]) yield (0, values) else: # registers values.extend( [Hex(-1)] * 23 ) # ssdt values.extend([ Address(-1), -1, Address(-1), -1, '', Address(-1), '', dis ]) yield (0, values) def render_text(self, outfd, data): # Determine which filters the user wants to see if self._config.FILTER: filters = set(self._config.FILTER.split(',')) else: filters = set() for thread, addr_space, mods, mod_addrs, \ instances, hooked_tables, system_range, owner_name in data: # If the user didn't set filters, display all results. If # the user set one or more filters, only show threads # with matching results. 
tags = set([t for t, v in instances.items() if v.check()]) if filters and not filters & tags: continue s = "------\n" s += "ETHREAD: {0:#010x} Pid: {1} Tid: {2}\n".format( thread.obj_offset, thread.Cid.UniqueProcess, thread.Cid.UniqueThread) s += "Tags: {0}\n".format(','.join(tags)) s += "Created: {0}\n".format(thread.CreateTime) s += "Exited: {0}\n".format(thread.ExitTime) s += "Owning Process: {0}\n".format( thread.owning_process().ImageFileName) s += "Attached Process: {0}\n".format( thread.attached_process().ImageFileName) # Lookup the thread's state state = str(thread.Tcb.State) # Append the wait reason if state == 'Waiting': state = state + ':' + str(thread.Tcb.WaitReason) s += "State: {0}\n".format(state) s += "BasePriority: {0:#x}\n".format(thread.Tcb.BasePriority) s += "Priority: {0:#x}\n".format(thread.Tcb.Priority) s += "TEB: {0:#010x}\n".format(thread.Tcb.Teb) s += "StartAddress: {0:#010x} {1}\n".format( thread.StartAddress, owner_name) # Check the flag which indicates whether Win32StartAddress is valid if thread.SameThreadApcFlags & 1: s += "Win32StartAddress: {0:#010x}\n".format( thread.Win32StartAddress) if self.bits32: s += "ServiceTable: {0:#010x}\n".format(thread.Tcb.ServiceTable) ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", offset = thread.Tcb.ServiceTable, vm = addr_space ) if ssdt_obj != None: for i, desc in enumerate(ssdt_obj.Descriptors): if desc.is_valid(): s += " [{0}] {1:#010x}\n".format(i, desc.KiServiceTable.v()) else: s += " [{0}] -\n".format(i) # Show exactly which functions are hooked table = desc.KiServiceTable.v() if table not in hooked_tables.keys(): continue for (j, func_name, func_addr, mod_name) in hooked_tables[table]: s += " [{0:#x}] {1} {2:#x} {3}\n".format( j, func_name, func_addr, mod_name) s += "Win32Thread: {0:#010x}\n".format(thread.Tcb.Win32Thread) s += "CrossThreadFlags: {0}\n".format(thread.CrossThreadFlags) # Print the registers if possible trapframe = thread.Tcb.TrapFrame.dereference_as("_KTRAP_FRAME") if 
trapframe and self.bits32: s += "Eip: {0:#10x}\n".format(trapframe.Eip) s += " eax={0:#010x} ebx={1:#010x} ecx={2:#010x}".format( trapframe.Eax, trapframe.Ebx, trapframe.Ecx) s += " edx={0:#010x} esi={1:#010x} edi={2:#010x}\n".format( trapframe.Edx, trapframe.Esi, trapframe.Edi) s += " eip={0:#010x} esp={1:#010x} ebp={2:#010x} err={3:#010x}\n".format( trapframe.Eip, trapframe.HardwareEsp, trapframe.Ebp, trapframe.ErrCode) s += " cs={0:#04x} ss={1:#04x} ds={2:#04x}".format( trapframe.SegCs, trapframe.HardwareSegSs, trapframe.SegDs) s += " es={0:#04x} gs={1:#04x} fs={2:#04x} efl={3:#010x}\n".format( trapframe.SegEs, trapframe.SegGs, trapframe.SegFs, trapframe.EFlags) s += " dr0={0:#010x} dr1={1:#010x} dr2={2:#010x}".format( trapframe.Dr0, trapframe.Dr1, trapframe.Dr2) s += " dr3={0:#010x} dr6={1:#010x} dr7={2:#010x}\n".format( trapframe.Dr3, trapframe.Dr6, trapframe.Dr7) # Disasemble the start address if possible process_space = thread.owning_process().get_process_address_space() if process_space.is_valid_address(thread.StartAddress): buf = process_space.zread(thread.StartAddress, 24) mode = "32bit" if self.bits32 else "64bit" s += "\n".join(["{0:#x} {1:<16} {2}".format(o, h, i) for o, i, h in malfind.Disassemble(buf, thread.StartAddress.v(), mode)]) outfd.write("{0}\n".format(s)) volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/idt.py0000644000000000000000000003446013131215405023607 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (c) 2010, 2011, 2012 Michael Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks
import volatility.debug as debug
import volatility.plugins.malware.malfind as malfind
import volatility.exceptions as exceptions
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address, Hex

#--------------------------------------------------------------------------------
# constants
#--------------------------------------------------------------------------------

# Display names for the value computed by _KGDTENTRY.Type, keyed by
# list position. Positions 0-15 hold the data/code segment names and
# positions 16-31 hold the TSS/LDT/gate names.
GDT_DESCRIPTORS = dict(enumerate([
    "Data RO",
    "Data RO Ac",
    "Data RW",
    "Data RW Ac",
    "Data RO E",
    "Data RO EA",
    "Data RW E",
    "Data RW EA",
    "Code EO",
    "Code EO Ac",
    "Code RE",
    "Code RE Ac",
    "Code EO C",
    "Code EO CA",
    "Code RE C",
    "Code RE CA",
    "",
    "TSS16 Avl",
    "LDT",
    "TSS16 Busy",
    "CallGate16",
    "TaskGate",
    "Int Gate16",
    "TrapGate16",
    "",
    "TSS32 Avl",
    "",
    "TSS32 Busy",
    "CallGate32",
    "",
    "Int Gate32",
    "TrapGate32",
]))

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _KIDTENTRY(obj.CType):
    """Class for interrupt descriptors"""

    @property
    def Address(self):
        """Return the address of the IDT entry handler.

        The result is ExtendedOffset placed in the upper 16 bits and
        Offset in the lower bits. An entry whose ExtendedOffset is zero
        is reported as address 0; the IDT plugin in this file labels
        that value "NOT USED".
        """
        if self.ExtendedOffset == 0:
            return 0

        upper_half = self.ExtendedOffset.v() << 16
        return (upper_half | self.Offset.v())

class _KGDTENTRY(obj.CType):
    """A class for GDT entries"""

    @property
    def Type(self):
        """Get a string name of the descriptor type.

        Bit 4 of the raw Type field picks the half of GDT_DESCRIPTORS
        that is used: the bit is masked off and, when it was clear, 16
        is added to what remains. Values without a table entry are
        returned as "UNKNOWN".
        """
        raw_type = self.HighWord.Bits.Type.v()
        selector_bit = raw_type & 1 << 4
        index = raw_type & ~(1 << 4)

        if selector_bit == 0:
            index += 16

        return GDT_DESCRIPTORS.get(index, "UNKNOWN")

    @property
    def Base(self):
        """Get the base (start) of memory for this GDT"""
        # BaseMid and BaseHi form the upper 16 bits, BaseLow the rest.
        upper = self.HighWord.Bits.BaseMid + (self.HighWord.Bits.BaseHi << 8)
        return (self.BaseLow + (upper << 16))

    @property
    def Limit(self):
        """Get the limit (end) of memory for this GDT.

        With byte granularity the stored limit is returned unchanged.
        With page granularity it is scaled to the last byte of the
        final 0x1000-byte page.
        """
        stored = (self.HighWord.Bits.LimitHi.v() << 16) | self.LimitLow.v()

        if self.HighWord.Bits.Granularity != 1:
            return stored

        # NOTE(review): the flattened source does not show whether the
        # "- 1" belongs to this branch; it is kept here because that
        # matches the x86 definition of a page-granular limit. Confirm
        # against the upstream file.
        return (stored + 1) * 0x1000 - 1

    @property
    def CallGate(self):
        """Get the call gate address"""
        # Upper 16 bits come from HighWord, the remainder from LimitLow.
        return (self.HighWord.v() & 0xffff0000) | self.LimitLow.v()

    @property
    def Present(self):
        """Returns True if the entry is present"""
        present_bit = self.HighWord.Bits.Pres
        return present_bit == 1

    @property
    def Granularity(self):
        """Returns True if page granularity is used. Otherwise
        returns False indicating byte granularity is used."""
        granularity_bit = self.HighWord.Bits.Granularity
        return granularity_bit == 1

    @property
    def Dpl(self):
        """Returns the descriptor privilege level"""
        bits = self.HighWord.Bits
        return bits.Dpl

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class MalwareIDTGDTx86(obj.ProfileModification):
    """Register the IDT/GDT entry classes and type the _KPCR IDT and GDT
    members as arrays of them, for 32-bit Windows profiles only."""

    before = ['WindowsObjectClasses', 'WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        """Install the object classes and the two _KPCR overlays."""
        profile.object_classes.update({
            '_KIDTENTRY': _KIDTENTRY,
            '_KGDTENTRY': _KGDTENTRY,
        })

        idt_overlay = {
            'IDT': [None, ["pointer", ["array", 256, ['_KIDTENTRY']]]],
        }
        profile.merge_overlay({"_KPCR" : [None, idt_overlay]})

        # Since the real GDT size is read from a register, we'll just assume
        # that there are 128 entries (which is normal for most OS).
        # Analyst caveat: because the count is assumed, rows past the
        # table's real end are decoded from whatever memory follows it,
        # and descriptors beyond index 127 are never listed.
        gdt_overlay = {
            'GDT': [None, ["pointer", ["array", 128, ['_KGDTENTRY']]]],
        }
        profile.merge_overlay({"_KPCR" : [None, gdt_overlay]})

#--------------------------------------------------------------------------------
# GDT plugin
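#--------------------------------------------------------------------------------

class GDT(common.AbstractWindowsCommand):
    "Display Global Descriptor Table"

    @staticmethod
    def is_valid_profile(profile):
        """Accept only Windows profiles whose memory model is 32bit."""
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('memory_model', '32bit') == '32bit')

    @staticmethod
    def _row_fields(n, entry):
        """Compute the display fields shared by generator() and render_text().

        @param n: index of the entry in the GDT array
        @param entry: the _KGDTENTRY at that index

        @returns tuple (cpu_number, selector, base, limit,
        granularity, present)
        """
        selector = n * 8

        # Is the entry present? This applies to all types of GDT entries
        present = "P" if entry.Present else "Np"

        # The base, limit, and granularity is calculated differently
        # for 32bit call gates than they are for all other types.
        if entry.Type == 'CallGate32':
            base = entry.CallGate
            limit = 0
            granularity = '-'
        else:
            base = entry.Base
            limit = entry.Limit
            granularity = "Pg" if entry.Granularity else "By"

        # The parent is GDT. The grand-parent is _KPCR
        cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number

        return cpu_number, selector, base, limit, granularity, present

    def calculate(self):
        """Yield (index, entry) for every GDT entry of every KPCR."""
        addr_space = utils.load_as(self._config)

        # Currently we only support x86. The x64 does still have a GDT
        # but hooking is prohibited and results in bugcheck.
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        for kpcr in tasks.get_kdbg(addr_space).kpcrs():
            for i, entry in kpcr.gdt_entries():
                yield i, entry

    def unified_output(self, data):
        """Describe the output columns and bind them to generator()."""
        # Note: binary data is left out for now in VERBOSE mode
        return TreeGrid([("CPU", int),
                         ("Sel", Address),
                         ("Base", Address),
                         ("Limit", Address),
                         ("Type", str),
                         ("DPL", int),
                         ("Gr", str),
                         ("Pr", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one (depth, row) pair per GDT entry for the TreeGrid."""
        for n, entry in data:
            cpu_number, selector, base, limit, granularity, present = \
                self._row_fields(n, entry)

            yield (0, [int(cpu_number),
                       Address(selector),
                       Address(base),
                       Address(limit),
                       str(entry.Type),
                       int(entry.Dpl),
                       str(granularity),
                       str(present)])

    def render_text(self, outfd, data):
        """Write the GDT as a text table, one row per entry."""
        self.table_header(outfd, [('CPU', '>6'),
                                  ('Sel', '[addr]'),
                                  ('Base', '[addrpad]'),
                                  ('Limit', '[addrpad]'),
                                  ('Type', '<14'),
                                  ('DPL', '>6'),
                                  ('Gr', '<4'),
                                  ('Pr', '<4')
                                  ])

        for n, entry in data:
            cpu_number, selector, base, limit, granularity, present = \
                self._row_fields(n, entry)

            self.table_row(outfd,
                           cpu_number, selector, base, limit,
                           entry.Type, entry.Dpl, granularity, present)

#--------------------------------------------------------------------------------
# IDT plugin
#--------------------------------------------------------------------------------

class IDT(common.AbstractWindowsCommand):
    "Display Interrupt Descriptor Table"

    @staticmethod
    def is_valid_profile(profile):
        """Accept only Windows profiles whose memory model is 32bit."""
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('memory_model', '32bit') == '32bit')

    @staticmethod
    def get_section_name(mod, addr):
        """Get the name of the PE section containing the specified address.

        A section covers [start, start + VirtualSize), where start is
        mod.DllBase + VirtualAddress. The first byte of a section is
        treated as inside it, so a handler located exactly at a section
        start is attributed to that section.

        @param mod: an _LDR_DATA_TABLE_ENTRY
        @param addr: virtual address to lookup

        @returns string PE section name, or '' when the headers cannot
        be parsed or no section contains addr
        """

        try:
            dos_header = obj.Object("_IMAGE_DOS_HEADER",
                                    offset = mod.DllBase, vm = mod.obj_vm)
            nt_header = dos_header.get_nt_header()
        except (ValueError, exceptions.SanityCheckException):
            return ''

        # NOTE(review): the headers are read from the memory image and
        # may be damaged or altered. Only header parsing is guarded
        # above; confirm whether get_sections() can raise the same
        # errors while iterating.
        for sec in nt_header.get_sections():
            sec_start = mod.DllBase + sec.VirtualAddress
            if (addr >= sec_start and
                    addr < sec.Misc.VirtualSize + sec_start):
                return str(sec.Name or '')

        return ''

    def calculate(self):
        """Yield (index, entry, handler address, owning module) for every
        IDT entry of every KPCR. The module is whatever
        tasks.find_module returns for the masked address."""
        addr_space = utils.load_as(self._config)

        # Currently we only support x86. The x64 does still have a IDT
        # but hooking is prohibited and results in bugcheck.
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        mods = dict((addr_space.address_mask(mod.DllBase), mod)
                    for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        for kpcr in tasks.get_kdbg(addr_space).kpcrs():
            # Get the GDT for access to selector bases
            gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
            for i, entry in kpcr.idt_entries():
                # Where the IDT entry points.
                addr = entry.Address
                # Per MITRE, add the GDT selector base if available.
                # This allows us to detect sneaky attempts to hook IDT
                # entries by changing the entry's GDT selector.
                gdt_entry = gdt.get(entry.Selector.v())
                if gdt_entry != None and "Code" in gdt_entry.Type:
                    addr += gdt_entry.Base

                # Lookup the function's owner
                module = tasks.find_module(mods, mod_addrs,
                                           addr_space.address_mask(addr))

                yield i, entry, addr, module

    def unified_output(self, data):
        """Describe the output columns and bind them to generator()."""
        # Note: binary data is left out for now in VERBOSE mode
        return TreeGrid([("CPU", Hex),
                         ("Index", Hex),
                         ("Selector", Address),
                         ("Value", Address),
                         ("Module", str),
                         ("Section", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one (depth, row) pair per IDT entry for the TreeGrid.

        A handler that falls outside every loaded module is reported
        with module "UNKNOWN"; address 0 is reported as "NOT USED".
        """
        for n, entry, addr, module in data:

            if addr == 0:
                module_name = "NOT USED"
                sect_name = ""
            elif module:
                module_name = str(module.BaseDllName or "")
                sect_name = self.get_section_name(module, addr)
            else:
                module_name = "UNKNOWN"
                sect_name = ""

            # The parent is IDT. The grand-parent is _KPCR.
            cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number

            yield (0, [Hex(cpu_number),
                       Hex(n),
                       Address(entry.Selector),
                       Address(addr),
                       str(module_name),
                       str(sect_name)])

    def render_text(self, outfd, data):
        """Write the IDT as a text table; in verbose mode also print a
        disassembly of the 32 bytes read at each handler address."""

        self.table_header(outfd, [('CPU', '>6X'),
                                  ('Index', '>6X'),
                                  ('Selector', '[addr]'),
                                  ('Value', '[addrpad]'),
                                  ('Module', '20'),
                                  ('Section', '12'),
                                  ])

        for n, entry, addr, module in data:

            if addr == 0:
                module_name = "NOT USED"
                sect_name = ''
            elif module:
                module_name = str(module.BaseDllName or '')
                sect_name = self.get_section_name(module, addr)
            else:
                module_name = "UNKNOWN"
                sect_name = ''

            # The parent is IDT. The grand-parent is _KPCR.
            cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number

            self.table_row(outfd,
                           cpu_number, n,
                           entry.Selector,
                           addr,
                           module_name,
                           sect_name)

            if self._config.verbose:
                # Kept in its own name so the 'data' argument being
                # iterated is not rebound inside the loop.
                code_bytes = entry.obj_vm.zread(addr, 32)
                outfd.write("\n".join(
                    ["{0:#x} {1:<16} {2}".format(o, h, i)
                     for o, i, h in malfind.Disassemble(data = code_bytes,
                                                        start = addr,
                                                        stoponret = True)
                     ]))
                outfd.write("\n")
volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/cmdhistory.py0000644000000000000000000012512713131215405025215 0ustar rootroot# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Authors:
# Michael Hale Ligh
#
# Contributors/References:
# Richard Stevens and Eoghan Casey
# Extracting Windows Cmd Line Details from Physical Memory.
# http://ww.dfrws.org/2010/proceedings/stevens.pdf
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.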
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

import volatility.obj as obj
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.debug as debug
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address, Hex

MAX_HISTORY_DEFAULT = 50

#--------------------------------------------------------------------------------
# VTypes
#--------------------------------------------------------------------------------

# Each table below maps a structure name to [size or None, {member:
# [offset, type]}]. Several members take their length from another
# member of the same structure (CmdLength, CommandCount, SourceLength,
# TargetLength, ExeLength, ScreenY). Those values are read from the
# memory image being analysed, so a damaged or altered structure
# changes how much data is decoded.

# Windows 7 Types from conhost.exe
conhost_types_x86 = {
    '_COMMAND': [ None, {
        'CmdLength': [ 0x00, ['unsigned short']],
        'Cmd' : [ 0x02, ['String', dict(encoding = 'utf16', length = lambda x : x.CmdLength)]],
    }],
    '_COMMAND_HISTORY': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'Flags' : [ 0x08, ['Flags', {'bitmap': {'Allocated': 0, 'Reset': 1}}]],
        'Application': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'CommandCount': [ 0x10, ['short']],
        'LastAdded': [ 0x12, ['short']],
        'LastDisplayed': [ 0x14, ['short']],
        'FirstCommand': [ 0x16, ['short']],
        'CommandCountMax': [ 0x18, ['short']],
        'ProcessHandle': [ 0x1C, ['unsigned int']],
        'PopupList': [ 0x20, ['_LIST_ENTRY']],
        'CommandBucket': [ 0x28, ['array', lambda x : x.CommandCount, ['pointer', ['_COMMAND']]]],
    }],
    '_ALIAS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'SourceLength': [ 0x08, ['unsigned short']],
        'TargetLength': [ 0x0A, ['unsigned short']],
        'Source': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.SourceLength)]]],
        'Target': [ 0x10, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.TargetLength)]]],
    }],
    '_EXE_ALIAS_LIST' : [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ExeLength': [ 0x08, ['unsigned short']],
        'ExeName': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.ExeLength * 2)]]],
        'AliasList': [ 0x10, ['_LIST_ENTRY']],
    }],
    '_POPUP_LIST' : [ None, {
        'ListEntry' : [ 0x00, ['_LIST_ENTRY']],
    }],
    '_CONSOLE_INFORMATION': [ None, {
        'CurrentScreenBuffer': [ 0x98, ['pointer', ['_SCREEN_INFORMATION']]],
        'ScreenBuffer': [ 0x9C, ['pointer', ['_SCREEN_INFORMATION']]],
        'HistoryList': [ 0xD4, ['_LIST_ENTRY']],
        'ProcessList': [ 0x18, ['_LIST_ENTRY']], # GetConsoleProcessList()
        'ExeAliasList': [ 0xDC, ['_LIST_ENTRY']], # GetConsoleAliasExes()
        'HistoryBufferCount': [ 0xE4, ['unsigned short']], # GetConsoleHistoryInfo()
        'HistoryBufferMax': [ 0xE6, ['unsigned short']], # GetConsoleHistoryInfo()
        'CommandHistorySize': [ 0xE8, ['unsigned short']],
        'OriginalTitle': [ 0xEC, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], # GetConsoleOriginalTitle()
        'Title': [ 0xF0, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], # GetConsoleTitle()
    }],
    '_CONSOLE_PROCESS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ProcessHandle': [ 0x8, ['unsigned int']],
    }],
    '_SCREEN_INFORMATION': [ None, {
        'ScreenX': [ 0x08, ['short']],
        'ScreenY': [ 0x0A, ['short']],
        'Rows': [ 0x3C, ['pointer', ['array', lambda x : x.ScreenY, ['_ROW']]]],
        'Next': [ 0xDC, ['pointer', ['_SCREEN_INFORMATION']]],
    }],
    '_ROW': [ 0x1C, {
        'Chars': [ 0x08, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
}

# Windows 7 Types from conhost.exe
# (x64 layout; the trailing comments name the conhost routine that
# each offset is attributed to)
conhost_types_x64 = {
    '_COMMAND': [ None, {
        'CmdLength': [ 0x00, ['unsigned short']],
        'Cmd' : [ 0x02, ['String', dict(encoding = 'utf16', length = lambda x : x.CmdLength)]],
    }],
    '_COMMAND_HISTORY': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'Flags' : [ 0x10, ['Flags', {'bitmap': {'Allocated': 0, 'Reset': 1}}]], # AllocateCommandHistory()
        'Application': [ 0x18, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], # AllocateCommandHistory()
        'CommandCount': [ 0x20, ['short']],
        'LastAdded': [ 0x22, ['short']],
        'LastDisplayed': [ 0x24, ['short']],
        'FirstCommand': [ 0x26, ['short']],
        'CommandCountMax': [ 0x28, ['short']], # AllocateCommandHistory()
        'ProcessHandle': [ 0x30, ['address']], # AllocateCommandHistory()
        'PopupList': [ 0x38, ['_LIST_ENTRY']], # AllocateCommandHistory()
        'CommandBucket': [ 0x48, ['array', lambda x : x.CommandCount, ['pointer', ['_COMMAND']]]],
    }],
    '_ALIAS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'SourceLength': [ 0x10, ['unsigned short']], # AddAlias()
        'TargetLength': [ 0x12, ['unsigned short']], # AddAlias()
        'Source': [ 0x18, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.SourceLength)]]], # AddAlias()
        'Target': [ 0x20, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.TargetLength)]]], # AddAlias()
    }],
    '_EXE_ALIAS_LIST' : [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ExeLength': [ 0x10, ['unsigned short']], # AddExeAliasList()
        'ExeName': [ 0x18, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.ExeLength * 2)]]], # AddExeAliasList()
        'AliasList': [ 0x20, ['_LIST_ENTRY']], # AddExeAliasList()
    }],
    '_POPUP_LIST' : [ None, {
        'ListEntry' : [ 0x00, ['_LIST_ENTRY']],
    }],
    '_CONSOLE_INFORMATION': [ None, {
        'ProcessList': [ 0x28, ['_LIST_ENTRY']], # SrvGetConsoleProcessList()
        'CurrentScreenBuffer': [ 0xE0, ['pointer', ['_SCREEN_INFORMATION']]], # AllocateConsole()
        'ScreenBuffer': [ 0xE8, ['pointer', ['_SCREEN_INFORMATION']]], # AllocateConsole()
        'HistoryList': [ 0x148, ['_LIST_ENTRY']], # AllocateCommandHistory()
        'ExeAliasList': [ 0x158, ['_LIST_ENTRY']], # SrvGetConsoleAliasExes()
        'HistoryBufferCount': [ 0x168, ['unsigned short']], # AllocateConsole()
        'HistoryBufferMax': [ 0x16A, ['unsigned short']], # AllocateConsole()
        'CommandHistorySize': [ 0x16C, ['unsigned short']], # AllocateConsole()
        'OriginalTitle': [ 0x170, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], # SrvGetConsoleTitle()
        'Title': [ 0x178, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], # SrvGetConsoleTitle()
    }],
    '_CONSOLE_PROCESS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ProcessHandle': [ 0x10, ['unsigned int']], # FindProcessInList()
    }],
    '_SCREEN_INFORMATION': [ None, {
        'ScreenX': [ 8, ['short']],
        'ScreenY': [ 10, ['short']],
        'Rows': [ 0x48, ['pointer', ['array', lambda x : x.ScreenY, ['_ROW']]]],
        'Next': [ 0x128, ['pointer', ['_SCREEN_INFORMATION']]],
    }],
    '_ROW': [ 0x28, {
        'Chars': [ 0x08, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
}

# Windows XP, 2003, 2008, Vista from winsrv.dll
winsrv_types_x86 = {
    '_COMMAND': [ None, {
        'CmdLength': [ 0x00, ['unsigned short']],
        'Cmd' : [ 0x02, ['String', dict(encoding = 'utf16', length = lambda x : x.CmdLength)]],
    }],
    '_COMMAND_HISTORY': [ None, {
        'Flags' : [ 0x00, ['Flags', {'bitmap': {'Allocated': 0, 'Reset': 1}}]],
        'ListEntry': [ 0x04, ['_LIST_ENTRY']],
        'Application': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'CommandCount': [ 0x10, ['short']],
        'LastAdded': [ 0x12, ['short']],
        'LastDisplayed': [ 0x14, ['short']],
        'FirstCommand': [ 0x16, ['short']],
        'CommandCountMax': [ 0x18, ['short']],
        'ProcessHandle': [ 0x1C, ['unsigned int']],
        'PopupList': [ 0x20, ['_LIST_ENTRY']],
        'CommandBucket': [ 0x28, ['array', lambda x : x.CommandCount, ['pointer', ['_COMMAND']]]],
    }],
    '_ALIAS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'SourceLength': [ 0x08, ['unsigned short']],
        'TargetLength': [ 0x0A, ['unsigned short']],
        'Source': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.SourceLength)]]],
        'Target': [ 0x10, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.TargetLength)]]],
    }],
    '_EXE_ALIAS_LIST' : [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ExeLength': [ 0x08, ['unsigned short']],
        'ExeName': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.ExeLength * 2)]]],
        'AliasList': [ 0x10, ['_LIST_ENTRY']],
    }],
    '_POPUP_LIST' : [ None, {
        'ListEntry' : [ 0x00, ['_LIST_ENTRY']],
    }],
    '_CONSOLE_INFORMATION': [ None, {
        'CurrentScreenBuffer': [ 0xB0, ['pointer', ['_SCREEN_INFORMATION']]],
        'ScreenBuffer': [ 0xB4, ['pointer', ['_SCREEN_INFORMATION']]],
        'HistoryList': [ 0x108, ['_LIST_ENTRY']],
        'ProcessList': [ 0x100, ['_LIST_ENTRY']],
        'ExeAliasList': [ 0x110, ['_LIST_ENTRY']],
        'HistoryBufferCount': [ 0x118, ['unsigned short']],
        'HistoryBufferMax': [ 0x11A, ['unsigned short']],
        'CommandHistorySize': [ 0x11C, ['unsigned short']],
        'OriginalTitle': [ 0x124, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'Title': [ 0x128, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
    '_CONSOLE_PROCESS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ProcessHandle': [ 0x08, ['unsigned int']],
        'Process': [ 0x0C, ['pointer', ['_CSR_PROCESS']]],
    }],
    '_SCREEN_INFORMATION': [ None, {
        'Console': [ 0x00, ['pointer', ['_CONSOLE_INFORMATION']]],
        'ScreenX': [ 0x24, ['short']],
        'ScreenY': [ 0x26, ['short']],
        'Rows': [ 0x58, ['pointer', ['array', lambda x : x.ScreenY, ['_ROW']]]],
        'Next': [ 0xF8, ['pointer', ['_SCREEN_INFORMATION']]],
    }],
    '_ROW': [ 0x1C, {
        'Chars': [ 0x08, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
    '_CSR_PROCESS' : [ 0x60, { # this is a public PDB
        'ClientId' : [ 0x0, ['_CLIENT_ID']],
        'ListLink' : [ 0x8, ['_LIST_ENTRY']],
        'ThreadList' : [ 0x10, ['_LIST_ENTRY']],
        'NtSession' : [ 0x18, ['pointer', ['_CSR_NT_SESSION']]],
        'ClientPort' : [ 0x1c, ['pointer', ['void']]],
        'ClientViewBase' : [ 0x20, ['pointer', ['unsigned char']]],
        'ClientViewBounds' : [ 0x24, ['pointer', ['unsigned char']]],
        'ProcessHandle' : [ 0x28, ['pointer', ['void']]],
        'SequenceNumber' : [ 0x2c, ['unsigned long']],
        'Flags' : [ 0x30, ['unsigned long']],
        'DebugFlags' : [ 0x34, ['unsigned long']],
        'ReferenceCount' : [ 0x38, ['unsigned long']],
        'ProcessGroupId' : [ 0x3c, ['unsigned long']],
        'ProcessGroupSequence' : [ 0x40, ['unsigned long']],
        'LastMessageSequence' : [ 0x44, ['unsigned long']],
        'NumOutstandingMessages' : [ 0x48, ['unsigned long']],
        'ShutdownLevel' : [ 0x4c, ['unsigned long']],
        'ShutdownFlags' : [ 0x50, ['unsigned long']],
        'Luid' : [ 0x54, ['_LUID']],
        'ServerDllPerProcessData' : [ 0x5c, ['array', 1, ['pointer', ['void']]]],
    }],
}

# x64 counterpart of winsrv_types_x86.
winsrv_types_x64 = {
    '_COMMAND': [ None, {
        'CmdLength': [ 0x00, ['unsigned short']],
        'Cmd' : [ 0x02, ['String', dict(encoding = 'utf16', length = lambda x : x.CmdLength)]],
    }],
    '_COMMAND_HISTORY': [ None, {
        'Flags' : [ 0x00, ['Flags', {'bitmap': {'Allocated': 0, 'Reset': 1}}]],
        'ListEntry': [ 0x08, ['_LIST_ENTRY']],
        'Application': [ 0x18, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'CommandCount': [ 0x20, ['short']],
        'LastAdded': [ 0x22, ['short']],
        'LastDisplayed': [ 0x24, ['short']],
        'FirstCommand': [ 0x26, ['short']],
        'CommandCountMax': [ 0x28, ['short']],
        'ProcessHandle': [ 0x30, ['unsigned int']],
        'PopupList': [ 0x38, ['_LIST_ENTRY']],
        'CommandBucket': [ 0x48, ['array', lambda x : x.CommandCount, ['pointer', ['_COMMAND']]]],
    }],
    # NOTE(review): Source/Target here and ExeName/AliasList in
    # _EXE_ALIAS_LIST below sit at offsets that are not multiples of 8,
    # unlike the matching members in conhost_types_x64 (0x18/0x20).
    # Confirm these x64 offsets; a wrong offset makes the plugin decode
    # unrelated memory as alias data.
    '_ALIAS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'SourceLength': [ 0x10, ['unsigned short']],
        'TargetLength': [ 0x12, ['unsigned short']],
        'Source': [ 0x14, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.SourceLength)]]],
        'Target': [ 0x1C, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.TargetLength)]]],
    }],
    '_EXE_ALIAS_LIST' : [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ExeLength': [ 0x10, ['unsigned short']],
        'ExeName': [ 0x12, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.ExeLength * 2)]]],
        'AliasList': [ 0x1A, ['_LIST_ENTRY']],
    }],
    '_POPUP_LIST' : [ None, {
        'ListEntry' : [ 0x00, ['_LIST_ENTRY']],
    }],
    '_CONSOLE_INFORMATION': [ None, {
        'CurrentScreenBuffer': [ 0xE8, ['pointer', ['_SCREEN_INFORMATION']]],
        'ScreenBuffer': [ 0xF0, ['pointer', ['_SCREEN_INFORMATION']]],
        'HistoryList': [ 0x188, ['_LIST_ENTRY']],
        'ProcessList': [ 0x178, ['_LIST_ENTRY']],
        'ExeAliasList': [ 0x198, ['_LIST_ENTRY']],
        'HistoryBufferCount': [ 0x1A8, ['unsigned short']],
        'HistoryBufferMax': [ 0x1AA, ['unsigned short']],
        'CommandHistorySize': [ 0x1AC, ['unsigned short']],
        'OriginalTitle': [ 0x1B0, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'Title': [ 0x1B8, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
    '_CONSOLE_PROCESS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ProcessHandle': [ 0x10, ['unsigned int']],
        'Process': [ 0x18, ['pointer', ['_CSR_PROCESS']]],
    }],
    '_SCREEN_INFORMATION': [ None, {
        'Console': [ 0x00, ['pointer', ['_CONSOLE_INFORMATION']]],
        'ScreenX': [ 0x28, ['short']],
        'ScreenY': [ 0x2A, ['short']],
        'Rows': [ 0x68, ['pointer', ['array', lambda x : x.ScreenY, ['_ROW']]]],
        'Next': [ 0x128, ['pointer', ['_SCREEN_INFORMATION']]],
    }],
    '_ROW': [ 0x28, {
        'Chars': [ 0x08, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
    # NOTE(review): this _CSR_PROCESS is member-for-member the same as
    # the one in winsrv_types_x86, including consecutive pointer
    # members spaced 4 bytes apart. Confirm it is valid for x64.
    '_CSR_PROCESS' : [ 0x60, { # this is a public PDB
        'ClientId' : [ 0x0, ['_CLIENT_ID']],
        'ListLink' : [ 0x8, ['_LIST_ENTRY']],
        'ThreadList' : [ 0x10, ['_LIST_ENTRY']],
        'NtSession' : [ 0x18, ['pointer', ['_CSR_NT_SESSION']]],
        'ClientPort' : [ 0x1c, ['pointer', ['void']]],
        'ClientViewBase' : [ 0x20, ['pointer', ['unsigned char']]],
        'ClientViewBounds' : [ 0x24, ['pointer', ['unsigned char']]],
        'ProcessHandle' : [ 0x28, ['pointer', ['void']]],
        'SequenceNumber' : [ 0x2c, ['unsigned long']],
        'Flags' : [ 0x30, ['unsigned long']],
        'DebugFlags' : [ 0x34, ['unsigned long']],
        'ReferenceCount' : [ 0x38, ['unsigned long']],
        'ProcessGroupId' : [ 0x3c, ['unsigned long']],
        'ProcessGroupSequence' : [ 0x40, ['unsigned long']],
        'LastMessageSequence' : [ 0x44, ['unsigned long']],
        'NumOutstandingMessages' : [ 0x48, ['unsigned long']],
        'ShutdownLevel' : [ 0x4c, ['unsigned long']],
        'ShutdownFlags' : [ 0x50, ['unsigned long']],
        'Luid' : [ 0x54, ['_LUID']],
        'ServerDllPerProcessData' : [ 0x5c, ['array', 1, ['pointer', ['void']]]],
    }],
}

#--------------------------------------------------------------------------------
# Object Classes
#--------------------------------------------------------------------------------
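class _CONSOLE_INFORMATION(obj.CType):
    """ object class for console information structs """

    def get_histories(self):
        """Generator for the _COMMAND_HISTORY structures linked from HistoryList."""
        for hist in self.HistoryList.list_of_type("_COMMAND_HISTORY", "ListEntry"):
            yield hist

    def get_exe_aliases(self):
        r"""Generator for exe aliases.

        There is one _EXE_ALIAS_LIST for each executable
        (i.e. C:\windows\system32\cmd.exe) with registered
        aliases. The _EXE_ALIAS_LIST.AliasList contains
        one _ALIAS structure for each specific mapping.

        See GetConsoleAliasExes, GetConsoleAliases, and
        AddConsoleAlias.
        """
        for exe_alias in self.ExeAliasList.list_of_type("_EXE_ALIAS_LIST", "ListEntry"):
            yield exe_alias

    def get_processes(self):
        """Generator for processes attached to the console.

        Multiple processes can be attached to the same
        console (usually as a result of inheritance from a
        parent process or by duplicating another process's
        console handle). Internally, they are tracked as
        _CONSOLE_PROCESS structures in this linked list.

        See GetConsoleProcessList and AttachConsole.
        """
        for h in self.ProcessList.list_of_type("_CONSOLE_PROCESS", "ListEntry"):
            yield h

    def get_screens(self):
        """Generator for screens in the console.

        A console can have multiple screen buffers at a time,
        but only the current/active one is displayed.

        Multiple screens are tracked using the singly-linked
        list _SCREEN_INFORMATION.Next.

        See CreateConsoleScreenBuffer
        """
        screens = [self.CurrentScreenBuffer]

        if self.ScreenBuffer not in screens:
            screens.append(self.ScreenBuffer)

        for screen in screens:
            cur = screen
            # Stop on an invalid object or a NULL Next pointer.
            while cur and cur.v() != 0:
                yield cur
                cur = cur.Next.dereference()

class _CONSOLE_PROCESS(obj.CType):
    """ object class for console process """

    def reference_object_by_handle(self):
        """ Given a process handle, return a reference to
        the _EPROCESS object. This function is similar to
        the kernel API ObReferenceObjectByHandle.

        The handle is looked up in the handle table of the process
        that owns the console (the parent of the parent object), so
        the result is only meaningful when this object was created
        through a _CONSOLE_INFORMATION whose parent is that process.

        @returns: the _EPROCESS, or a NoneObject when no handle in
        the table has a matching value.
        """
        console_information = self.obj_parent
        parent_process = console_information.obj_parent
        for h in parent_process.ObjectTable.handles():
            if h.HandleValue == self.ProcessHandle:
                return h.dereference_as("_EPROCESS")
        return obj.NoneObject("Could not find process in handle table")

class _SCREEN_INFORMATION(obj.CType):
    """ object class for screen information """

    def get_buffer(self, truncate = True):
        """Get the screen buffer.

        The screen buffer is comprised of the screen's Y
        coordinate which tells us the number of rows and
        the X coordinate which tells us the width of each
        row in characters. These together provide all of
        the input and output that users see when the
        console is displayed.

        @param truncate: True if the empty rows at the
        end (i.e. bottom) of the screen buffer should be
        suppressed.

        @returns: a list of row strings, top to bottom. Rows whose
        Chars pointer is not valid are skipped.
        """
        rows = []

        for _, row in enumerate(self.Rows.dereference()):
            if row.Chars.is_valid():
                rows.append(str(row.Chars.dereference())[0:self.ScreenX])

        # To truncate empty rows at the end, walk the list
        # backwards and get the last non-empty row. Use that
        # row index to splice. An "empty" row isn't just ""
        # as one might assume. It is actually ScreenX number
        # of space characters

        if truncate:
            # Number of empty rows at the bottom; None means that no
            # non-empty row exists. A sentinel is required because 0 is
            # a legitimate answer (the last row itself has content):
            # treating 0 as "nothing found" would drop a screen buffer
            # that is filled down to its last row.
            trailing_empty = None
            for index, row in enumerate(reversed(rows)):
                ## It seems that when the buffer width is greater than 128
                ## characters, its truncated to 128 in memory.
                if row.count(" ") != min(self.ScreenX, 128):
                    trailing_empty = index
                    break
            if trailing_empty is None:
                rows = []
            else:
                rows = rows[0:len(rows) - trailing_empty]

        return rows

class _EXE_ALIAS_LIST(obj.CType):
    """ object class for alias lists """

    def get_aliases(self):
        """Generator for the individual aliases for a
        particular executable."""
        for alias in self.AliasList.list_of_type("_ALIAS", "ListEntry"):
            yield alias

class _COMMAND_HISTORY(obj.CType):
    """ object class for command histories """

    def is_valid(self, max_history = MAX_HISTORY_DEFAULT): #pylint: disable-msg=W0221
        """Override BaseObject.is_valid with some additional
        checks specific to _COMMAND_HISTORY objects.

        These checks are what separates a real history structure from
        the many accidental matches of the two byte scan pattern, so
        they are sanity checks on a candidate, not proof of integrity.

        @param max_history: the expected CommandCountMax.
        """

        if not obj.CType.is_valid(self):
            return False

        # The count must be between zero and max
        if self.CommandCount < 0 or self.CommandCount > max_history:
            return False

        # Last added must be between -1 and max
        if self.LastAdded < -1 or self.LastAdded > max_history:
            return False

        # Last displayed must be between -1 and max
        if self.LastDisplayed < -1 or self.LastDisplayed > max_history:
            return False

        # First command must be between zero and max
        if self.FirstCommand < 0 or self.FirstCommand > max_history:
            return False

        # Validate first command with last added
        if self.FirstCommand != 0 and self.FirstCommand != self.LastAdded + 1:
            return False

        # Process handle must be a valid pid
        if self.ProcessHandle <= 0 or self.ProcessHandle > 0xFFFF:
            return False

        Popup = obj.Object("_POPUP_LIST", offset = self.PopupList.Flink,
                           vm = self.obj_vm)

        # Check that the popup list entry is intact
        if Popup.ListEntry.Blink != self.PopupList.obj_offset:
            return False

        return True

    def get_commands(self):
        """Generator for commands in the history buffer.

        The CommandBucket is an array of pointers to _COMMAND
        structures. The array size is CommandCount. Once CommandCount
        is reached, the oldest commands are cycled out and the
        rest are coalesced.

        Yields (index, _COMMAND) for every non-NULL slot.
        """
        for i, cmd in enumerate(self.CommandBucket):
            if cmd:
                yield i, cmd.dereference()

#--------------------------------------------------------------------------------
# Profile Modifications
#--------------------------------------------------------------------------------

class CmdHistoryVTypesx86(obj.ProfileModification):
    """This modification applies the vtypes for 32bit
    Windows up to Windows 7."""

    before = ['WindowsObjectClasses']

    def check(self, profile):
        """True for 32bit Windows profiles older than 6.1."""
        m = profile.metadata
        return (m.get('os', None) == 'windows' and
                m.get('memory_model', '32bit') == '32bit' and
                (m.get('major') < 6 or (m.get('major') == 6 and m.get('minor') < 1)))

    def modification(self, profile):
        profile.vtypes.update(winsrv_types_x86)

class CmdHistoryVTypesx64(obj.ProfileModification):
    """This modification applies the vtypes for 64bit
    Windows up to Windows 7."""

    before = ['WindowsObjectClasses']

    def check(self, profile):
        """True for 64bit Windows profiles older than 6.1."""
        m = profile.metadata
        return (m.get('os', None) == 'windows' and
                m.get('memory_model', '32bit') == '64bit' and
                (m.get('major') < 6 or (m.get('major') == 6 and m.get('minor') < 1)))

    def modification(self, profile):
        profile.vtypes.update(winsrv_types_x64)

class CmdHistoryVTypesWin7x86(obj.ProfileModification):
    """This modification applies the vtypes for 32bit
    Windows starting with Windows 7."""

    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 1,
                  'memory_model': lambda x : x == '32bit'}

    def modification(self, profile):
        profile.vtypes.update(conhost_types_x86)

class CmdHistoryVTypesWin7x64(obj.ProfileModification):
    """This modification applies the vtypes for 64bit
    Windows starting with Windows 7."""

    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 1,
                  'memory_model': lambda x : x == '64bit'}

    def modification(self, profile):
        profile.vtypes.update(conhost_types_x64)

class CmdHistoryObjectClasses(obj.ProfileModification):
    """This modification applies the object classes for all
    versions of Windows (the memory model condition below is
    commented out, so 32bit and 64bit profiles both match)."""

    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows'}
    # 'memory_model': lambda x : x == '32bit'}

    def modification(self, profile):
        profile.object_classes.update({
            '_CONSOLE_INFORMATION': _CONSOLE_INFORMATION,
            '_SCREEN_INFORMATION': _SCREEN_INFORMATION,
            '_EXE_ALIAS_LIST': _EXE_ALIAS_LIST,
            '_COMMAND_HISTORY': _COMMAND_HISTORY,
            '_CONSOLE_PROCESS': _CONSOLE_PROCESS,
        })

#--------------------------------------------------------------------------------
# CmdScan Plugin
#--------------------------------------------------------------------------------

class CmdScan(common.AbstractWindowsCommand):
    """Extract command history by scanning for _COMMAND_HISTORY"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        # The default comes from HKCU\Console\HistoryBufferSize
        config.add_option('MAX_HISTORY', short_option = 'M', default = MAX_HISTORY_DEFAULT,
                          action = 'store', type = 'int',
                          help = 'CommandCountMax (default = 50)')

    def _search_pattern(self):
        """Return the two byte pattern searched for in process memory:
        the configured MAX_HISTORY as a little-endian 16 bit value.

        Both bytes are built explicitly. chr(MAX_HISTORY) + "\\x00"
        gives the same result for values up to 255 but raises
        ValueError above that, although the field is 16 bits wide.
        """
        max_history = self._config.MAX_HISTORY
        return chr(max_history & 0xFF) + chr((max_history >> 8) & 0xFF)

    def cmdhistory_process_filter(self, addr_space):
        """Generator for processes that might contain command
        history information.

        Takes into account if we're on Windows 7 or an earlier
        operating system.

        Processes come from tasks.pslist and are selected by the
        lower-cased ImageFileName only. The image path and the parent
        are not checked here, so any process in that list carrying one
        of these names is scanned, and processes missing from the list
        are not.

        @param addr_space: a kernel address space.
        """

        # Detect if we're on windows seven
        use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
                                addr_space.profile.metadata.get('minor', 0))

        for task in tasks.pslist(addr_space):
            process_name = str(task.ImageFileName).lower()
            # The process we select is conhost on Win7 or csrss for others
            if ((use_conhost and process_name == "conhost.exe") or
                        (not use_conhost and process_name == "csrss.exe")):
                yield task

    def calculate(self):
        r"""The default pattern we search for, as described by Stevens and Casey,
        is "\x32\x00". That's because CommandCountMax is a little-endian
        unsigned short whose default value is 50. However, that value can be
        changed by right clicking cmd.exe and going to Properties->Options->Cmd History
        or by calling the API function kernel32!SetConsoleHistoryInfo. Thus
        you can tweak the search criteria by using the --MAX_HISTORY.

        Yields (task, _COMMAND_HISTORY) for every hit that passes
        _COMMAND_HISTORY.is_valid. A history created with a different
        size than --MAX_HISTORY is not found.
        """

        addr_space = utils.load_as(self._config)

        MAX_HISTORY = self._config.MAX_HISTORY
        srch_pattern = self._search_pattern()

        for task in self.cmdhistory_process_filter(addr_space):
            process_space = task.get_process_address_space()
            for found in task.search_process_memory([srch_pattern], vad_filter = lambda x: x.Length < 0x40000000):
                # The hit is assumed to be the CommandCountMax member, so
                # step back by its offset to the start of the structure.
                hist = obj.Object("_COMMAND_HISTORY",
                            vm = process_space,
                            offset = found - addr_space.profile.\
                                    get_obj_offset("_COMMAND_HISTORY", "CommandCountMax"))

                if hist.is_valid(max_history = MAX_HISTORY):
                    yield task, hist

    def unified_output(self, data):
        """Describe the output columns and attach the row generator."""
        return TreeGrid([("Process", str),
                       ("PID", int),
                       ("History Offset", Address),
                       ("Application", str),
                       ("Flags", str),
                       ("Command Count", int),
                       ("Last Added", str),
                       ("Last Displayed", str),
                       ("First Command", str),
                       ("Command Count Max", int),
                       ("Handle", int),
                       ("Command Number", int),
                       ("Command Offset", Address),
                       ("Command", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one row per recovered command; a history without any
        recoverable command produces no row."""
        for task, hist in data:

            # If the _COMMAND_HISTORY is in use, we would only take
            # hist.CommandCount but since we're brute forcing, try the
            # maximum and hope that some slots were not overwritten
            # or zero-ed out.
            pointers = obj.Object("Array", targetType = "address",
                                  count = hist.CommandCountMax,
                                  offset = hist.obj_offset +
                                  hist.obj_vm.profile.get_obj_offset("_COMMAND_HISTORY", "CommandBucket"),
                                  vm = hist.obj_vm)

            values = [
                str(task.ImageFileName),
                int(task.UniqueProcessId),
                Address(hist.obj_offset),
                str(hist.Application.dereference()),
                str(hist.Flags),
                int(hist.CommandCount),
                str(hist.LastAdded),
                str(hist.LastDisplayed),
                str(hist.FirstCommand),
                int(hist.CommandCountMax),
                int(hist.ProcessHandle),
            ]

            for i, p in enumerate(pointers):
                cmd = p.dereference_as("_COMMAND")
                if cmd and str(cmd.Cmd):
                    yield (0, values + [
                        int(i),
                        Address(cmd.obj_offset),
                        str(cmd.Cmd)
                    ])

    def render_text(self, outfd, data):
        """Write each history header followed by its recovered commands."""

        for task, hist in data:

            outfd.write("*" * 50 + "\n")
            outfd.write("CommandProcess: {0} Pid: {1}\n".format(
                task.ImageFileName, task.UniqueProcessId))
            outfd.write("CommandHistory: {0:#x} Application: {1} Flags: {2}\n".format(
                hist.obj_offset, hist.Application.dereference(), hist.Flags))
            outfd.write("CommandCount: {0} LastAdded: {1} LastDisplayed: {2}\n".format(
                hist.CommandCount, hist.LastAdded, hist.LastDisplayed))
            outfd.write("FirstCommand: {0} CommandCountMax: {1}\n".format(
                hist.FirstCommand, hist.CommandCountMax))
            outfd.write("ProcessHandle: {0:#x}\n".format(hist.ProcessHandle))

            # If the _COMMAND_HISTORY is in use, we would only take
            # hist.CommandCount but since we're brute forcing, try the
            # maximum and hope that some slots were not overwritten
            # or zero-ed out.
            pointers = obj.Object("Array", targetType = "address",
                                  count = hist.CommandCountMax,
                                  offset = hist.obj_offset +
                                  hist.obj_vm.profile.get_obj_offset("_COMMAND_HISTORY", "CommandBucket"),
                                  vm = hist.obj_vm)

            for i, p in enumerate(pointers):
                cmd = p.dereference_as("_COMMAND")
                if cmd and str(cmd.Cmd):
                    outfd.write("Cmd #{0} @ {1:#x}: {2}\n".format(
                        i, cmd.obj_offset, str(cmd.Cmd)))

#--------------------------------------------------------------------------------
# Consoles Plugin
#--------------------------------------------------------------------------------

class Consoles(CmdScan):
    """Extract command history by scanning for _CONSOLE_INFORMATION"""

    def __init__(self, config, *args, **kwargs):
        CmdScan.__init__(self, config, *args, **kwargs)

        # The default comes from HKCU\Console\NumberOfHistoryBuffers
        config.add_option('HISTORY_BUFFERS', short_option = 'B', default = 4,
                          action = 'store', type = 'int',
                          help = 'HistoryBufferMax (default = 4)')

    def calculate(self):
        """Yield (task, _CONSOLE_INFORMATION) for every hit of the search
        pattern whose buffer counters agree with --HISTORY_BUFFERS and
        whose first history has CommandCountMax equal to --MAX_HISTORY.

        Consoles configured with other values are not reported.
        """
        addr_space = utils.load_as(self._config)

        srch_pattern = self._search_pattern()

        for task in self.cmdhistory_process_filter(addr_space):
            for found in task.search_process_memory([srch_pattern], vad_filter = lambda x: x.Length < 0x40000000):

                # The hit is assumed to be the CommandHistorySize member.
                console = obj.Object("_CONSOLE_INFORMATION",
                    offset = found -
                    addr_space.profile.get_obj_offset("_CONSOLE_INFORMATION", "CommandHistorySize"),
                    vm = task.get_process_address_space(),
                    parent = task)

                if (console.HistoryBufferMax != self._config.HISTORY_BUFFERS or
                        console.HistoryBufferCount > self._config.HISTORY_BUFFERS):
                    continue

                # Check the first command history as the final constraint
                history = obj.Object("_COMMAND_HISTORY",
                    offset = console.HistoryList.Flink.dereference().obj_offset -
                    addr_space.profile.get_obj_offset("_COMMAND_HISTORY", "ListEntry"),
                    vm = task.get_process_address_space())

                if history.CommandCountMax != self._config.MAX_HISTORY:
                    continue

                yield task, console

    def unified_output(self, data):
        """Describe the output columns and attach the row generator."""
        return TreeGrid([('Console Process', str),
                         ('Console PID', int),
                         ('Console ID', int),
                         ('Command History Size', int),
                         ('History Buffer Count', int),
                         ('History Buffer Max', int),
                         ('OriginalTitle', str),
                         ('Title', str),
                         ('Attached Process Name', str),
                         ('Attached Process PID', int),
                         ('Attached Process Handle', int),
                         ('Command History ID', int),
                         ('Command History Applications', str),
                         ('Command History Flags', str),
                         ('Command History Count', int),
                         ('Command History Last Added', str),
                         ('Command History Last Displayed', str),
                         ('Command History First Command', str),
                         ('Command History Command Count Max', int),
                         ('Command History Process Handle', int),
                         ('Command History Command Number', int),
                         ('Command History Command Offset', Address),
                         ('Command History Command String', str),
                         ('EXE Alias', str),
                         ('EXE Alias Source', str),
                         ('EXE Alias Target', str),
                         ('Screen ID', str),
                         ('Screen X', int),
                         ('Screen Y', int),
                         ('Screen Dump', str)],
                        self.generator(data))

    def _get_values(self, task, console, process=None, console_proc=None,
                    hist=None, hist_i=None, hist_cmd=None, exe_alias=None, screen=None,
                    alias=None):
        """Build one output row in the column order of unified_output.

        Column groups without data are filled with placeholders ('' for
        strings, -1 for numbers and addresses), so every row has the
        same length.

        @param exe_alias: the _EXE_ALIAS_LIST that owns the alias.
        @param alias: the _ALIAS entry itself. The alias columns are
        only filled when both are given: the executable name is read
        from the list and Source/Target from the entry, as render_text
        does.
        """
        # ('Console Process', str),
        # ('Console PID', int),
        # ('Console ID', int),
        # ('Command History Size', int),
        # ('History Buffer Count', int),
        # ('History Buffer Max', int),
        # ('OriginalTitle', str),
        # ('Title', str),
        v = [
            str(task.ImageFileName),
            int(task.UniqueProcessId),
            int(console.obj_offset),
            int(console.CommandHistorySize),
            int(console.HistoryBufferCount),
            int(console.HistoryBufferMax),
            str(console.OriginalTitle.dereference()),
            str(console.Title.dereference())
        ]

        # ('Attached Process Name', str),
        # ('Attached Process PID', int),
        # ('Attached Process Handle', int),
        if process is not None and console_proc is not None:
            v.extend([
                str(process.ImageFileName),
                int(process.UniqueProcessId),
                int(console_proc.ProcessHandle)
            ])
        else:
            v.extend([ "", -1, -1 ])

        # ('Command History ID', int),
        # ('Command History Applications', str),
        # ('Command History Flags', str),
        # ('Command History Count', int),
        # ('Command History Last Added', str),
        # ('Command History Last Displayed', str),
        # ('Command History First Command', str),
        # ('Command History Command Count Max', int),
        # ('Command History Process Handle', int),
        # ('Command History Command Number', int),
        # ('Command History Command Offset', Address),
        # ('Command History Command String', str),
        if hist is not None:
            v.extend([
                int(hist.obj_offset),
                str(hist.Application.dereference()),
                str(hist.Flags),
                int(hist.CommandCount),
                str(hist.LastAdded),
                str(hist.LastDisplayed),
                str(hist.FirstCommand),
                int(hist.CommandCountMax),
                int(hist.ProcessHandle)
            ])
            if hist_i is None or hist_cmd is None:
                v.extend([ -1, Address(-1), '' ])
            else:
                v.extend([
                    int(hist_i),
                    Address(hist_cmd.obj_offset),
                    str(hist_cmd.Cmd)
                ])
        else:
            v.extend([ -1, '', '', -1, '', '', '', -1, -1, -1, Address(-1), '' ])

        # ('EXE Alias', str),
        # ('EXE Alias Source', str),
        # ('EXE Alias Target', str),
        # The entry used to be read from an undefined local name, which
        # raised NameError as soon as a console had a registered alias.
        if exe_alias is not None and alias is not None:
            v.extend([
                str(exe_alias.ExeName.dereference()),
                str(alias.Source.dereference()),
                str(alias.Target.dereference())
            ])
        else:
            v.extend([ '', '', '' ])

        # ('Screen ID', str),
        # ('Screen X', int),
        # ('Screen Y', int),
        # ('Screen Dump', str)],
        if screen is not None:
            v.extend([
                str(screen.dereference()),
                int(screen.ScreenX),
                int(screen.ScreenY),
                '\n'.join(screen.get_buffer())
            ])
        else:
            v.extend([ '', -1, -1, '' ])

        return v

    def generator(self, data):
        """Yield one row per attached process, command, alias and screen
        of each console, and a console-only row when none of those
        produced anything."""
        for task, console in data:
            has_yielded = False

            for console_proc in console.get_processes():
                process = console_proc.reference_object_by_handle()
                if process:
                    has_yielded = True
                    yield (0, self._get_values(task, console, process=process,
                                               console_proc=console_proc))

            for hist in console.get_histories():
                cmds_processed = False
                for i, cmd in hist.get_commands():
                    if cmd.Cmd:
                        cmds_processed = True
                        has_yielded = True
                        yield (0, self._get_values(task, console, hist=hist,
                                                   hist_i=i, hist_cmd=cmd))
                if not cmds_processed:
                    # Did not generate any commands, so generate basic history
                    # information so that no information is dropped.
                    has_yielded = True
                    yield (0, self._get_values(task, console, hist=hist))

            for exe_alias in console.get_exe_aliases():
                for alias in exe_alias.get_aliases():
                    has_yielded = True
                    # Pass the owning list and the entry separately.
                    yield (0, self._get_values(task, console, exe_alias=exe_alias,
                                               alias=alias))

            for screen in console.get_screens():
                has_yielded = True
                yield (0, self._get_values(task, console, screen=screen))

            # if we have not yet generated any information
            if not has_yielded:
                # generate at least basic console information
                yield (0, self._get_values(task, console))

    def render_text(self, outfd, data):
        """Write each console with its attached processes, histories,
        aliases and screen dumps."""
        for task, console in data:
            outfd.write("*" * 50 + "\n")
            outfd.write("ConsoleProcess: {0} Pid: {1}\n".format(
                task.ImageFileName, task.UniqueProcessId))
            outfd.write("Console: {0:#x} CommandHistorySize: {1}\n".format(
                console.obj_offset, console.CommandHistorySize))
            outfd.write("HistoryBufferCount: {0} HistoryBufferMax: {1}\n".format(
                console.HistoryBufferCount, console.HistoryBufferMax))
            outfd.write("OriginalTitle: {0}\n".format(console.OriginalTitle.dereference()))
            outfd.write("Title: {0}\n".format(console.Title.dereference()))

            for console_proc in console.get_processes():
                process = console_proc.reference_object_by_handle()
                if process:
                    outfd.write("AttachedProcess: {0} Pid: {1} Handle: {2:#x}\n".format(
                        process.ImageFileName, process.UniqueProcessId,
                        console_proc.ProcessHandle))

            for hist in console.get_histories():
                outfd.write("----\n")
                outfd.write("CommandHistory: {0:#x} Application: {1} Flags: {2}\n".format(
                    hist.obj_offset, hist.Application.dereference(), hist.Flags))
                outfd.write("CommandCount: {0} LastAdded: {1} LastDisplayed: {2}\n".format(
                    hist.CommandCount, hist.LastAdded, hist.LastDisplayed))
                outfd.write("FirstCommand: {0} CommandCountMax: {1}\n".format(
                    hist.FirstCommand, hist.CommandCountMax))
                outfd.write("ProcessHandle: {0:#x}\n".format(hist.ProcessHandle))
                for i, cmd in hist.get_commands():
                    if cmd.Cmd:
                        outfd.write("Cmd #{0} at {1:#x}: {2}\n".format(
                            i, cmd.obj_offset, str(cmd.Cmd)))

            for exe_alias in console.get_exe_aliases():
                for alias in exe_alias.get_aliases():
                    outfd.write("----\n")
                    outfd.write("Alias: {0} Source: {1} Target: {2}\n".format(
                        exe_alias.ExeName.dereference(), alias.Source.dereference(),
                        alias.Target.dereference()))

            for screen in console.get_screens():
                outfd.write("----\n")
                outfd.write("Screen {0:#x} X:{1} Y:{2}\n".format(
                    screen.dereference(), screen.ScreenX, screen.ScreenY))
                outfd.write("Dump:\n{0}\n".format('\n'.join(screen.get_buffer())))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/apihooks.py0000644000000000000000000013404313131215405024642 0ustar rootroot# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Authors:
# Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .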
# import re, ntpath import volatility.utils as utils import volatility.obj as obj import volatility.debug as debug import volatility.win32.tasks as tasks import volatility.win32.modules as modules import volatility.plugins.malware.malfind as malfind import volatility.plugins.overlays.basic as basic import volatility.plugins.procdump as procdump import volatility.exceptions as exceptions from volatility.renderers import TreeGrid from volatility.renderers.basic import Address, Bytes, Hex try: import distorm3 has_distorm3 = True except ImportError: has_distorm3 = False #-------------------------------------------------------------------------------- # Constants #-------------------------------------------------------------------------------- # hook modes HOOK_MODE_USER = 1 HOOK_MODE_KERNEL = 2 # hook types HOOKTYPE_IAT = 4 HOOKTYPE_EAT = 8 HOOKTYPE_INLINE = 16 HOOKTYPE_NT_SYSCALL = 32 HOOKTYPE_CODEPAGE_KERNEL = 64 HOOKTYPE_IDT = 128 HOOKTYPE_IRP = 256 HOOKTYPE_WINSOCK = 512 # names for hook types hook_type_strings = { HOOKTYPE_IAT : "Import Address Table (IAT)", HOOKTYPE_EAT : "Export Address Table (EAT)", HOOKTYPE_INLINE : "Inline/Trampoline", HOOKTYPE_NT_SYSCALL : "NT Syscall", HOOKTYPE_CODEPAGE_KERNEL : "Unknown Code Page Call", HOOKTYPE_WINSOCK : "Winsock Procedure Table Hook", } WINSOCK_TABLE = [ '_WSPAccept', '_WSPAddressToString', '_WSPAsyncSelect', '_WSPBind', '_WSPCancelBlockingCall', '_WSPCleanup', '_WSPCloseSocket', '_WSPConnect', '_WSPDuplicateSocket', '_WSPEnumNetworkEvents', '_WSPEventSelect', '_WSPGetOverlappedResult', '_WSPGetPeerName', '_WSPGetSockName', '_WSPGetSockOpt', '_WSPGetQOSByName', '_WSPIoctl', '_WSPJoinLeaf', '_WSPListen', '_WSPRecv', '_WSPRecvDisconnect', '_WSPRecvFrom', '_WSPSelect', '_WSPSend', '_WSPSendDisconnect', '_WSPSendTo', '_WSPSetSockOpt', '_WSPShutdown', '_WSPSocket', '_WSPStringToAddress', ] #-------------------------------------------------------------------------------- # Profile Modifications 
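#--------------------------------------------------------------------------------

class MalwareWSPVTypes(obj.ProfileModification):
    """Adds the _SOCK_PROC_TABLE vtype (an array of 30 function
    addresses) to 32bit Windows profiles."""

    before = ['WindowsOverlay']
    conditions = {'os': lambda x : x == 'windows',
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        profile.vtypes.update({
            '_SOCK_PROC_TABLE' : [ None, {
            'Functions' : [ 0x0, ['array', 30, ['address']]],
            }]})

#--------------------------------------------------------------------------------
# Module Group Class
#--------------------------------------------------------------------------------

class ModuleGroup(object):
    """A class to assist with module lookups"""

    def __init__(self, mod_list):
        """Initialize.

        @param mod_list: a list of _LDR_DATA_TABLE_ENTRY objects.
        This can be a generator.
        """

        self.mods = list(mod_list)
        # Lower-cased base name -> list of modules with that name.
        self.mod_name = {}
        # (first address, one past the last address, module)
        self.mod_fast = [(mod.DllBase, mod.DllBase + mod.SizeOfImage, mod) for mod in self.mods]

        for mod in self.mods:
            name = str(mod.BaseDllName or '').lower()
            self.mod_name.setdefault(name, []).append(mod)

    def find_module(self, address):
        """Find a module by an address it contains.

        @param address: location in process or kernel AS to
        find an owning module.

        When performing thousands of lookups, this method
        is actually quicker than tasks.find_module.

        @returns: the first module whose range holds the address, or
        a NoneObject.
        """

        for base, end, mod in self.mod_fast:
            # end is DllBase + SizeOfImage, i.e. the first address after
            # the image, so it is excluded. Including it would credit
            # that address to this module, and the owner's name is what
            # the whitelist is matched against.
            if address >= base and address < end:
                return mod

        return obj.NoneObject("")

#--------------------------------------------------------------------------------
# Hook Class
#--------------------------------------------------------------------------------

class Hook(object):
    """A class for API hooks. It helps organize the many
    pieces of information required to report on the hook."""

    def __init__(self, hook_type, hook_mode, function_name,
                        function_address = None, hook_address = None,
                        hook_module = None, victim_module = None,
                        decode_bits = None):
        """
        Initialize a hook class instance.

        @params hook_type: one of the HOOKTYPE_* constants
        @params hook_mode: one of the HOOK_MODE_* constants

        @params function_name: name of the function being hooked

        @params function_address: address of the hooked function in
            process or kernel memory.

        @params hook_address: address where the hooked function
            actually points.

        @params hook_module: the _LDR_DATA_TABLE_ENTRY of the
            hooking module (owner of the hook_address). note:
            this can be None if the module cannot be identified.

        @params victim_module: the _LDR_DATA_TABLE_ENTRY of the
            module being hooked (contains the function_address).
            note: this can be a string if checking IAT hooks.

        @params decode_bits: distorm3 decode mode for the disassembly.
            None selects distorm3.Decode32Bits when distorm3 is
            installed and stays None otherwise.
        """

        # The default is resolved here rather than in the signature: a
        # default of distorm3.Decode32Bits is evaluated when the class
        # is defined, which raises NameError without distorm3 even
        # though the import at the top of the file tolerates its absence.
        if decode_bits is None and has_distorm3:
            decode_bits = distorm3.Decode32Bits

        self.hook_mode = hook_mode
        self.hook_type = hook_type
        self.function_name = function_name
        self.function_address = function_address
        self.hook_address = hook_address
        self.hook_module = hook_module
        self.victim_module = victim_module
        self.decode_bits = decode_bits
        # List of tuples: address, data pairs
        self.disassembled_hops = []

    def add_hop_chunk(self, address, data):
        """Support disassembly for multiple hops"""
        self.disassembled_hops.append((address, data))

    def _module_name(self, module):
        """Return a sanitized module name"""

        # The module can't be identified
        if not module:
            return '<unknown>'

        # The module is a string name like "ntdll.dll"
        if isinstance(module, basic.String) or isinstance(module, str):
            return str(module)

        # The module is a _LDR_DATA_TABLE_ENTRY
        return str(module.BaseDllName or '') or str(module.FullDllName or '') or '<unknown>'

    @property
    def Type(self):
        """Translate the hook type into a string"""
        return hook_type_strings.get(self.hook_type, "")

    @property
    def Mode(self):
        """Translate the hook mode into a string"""
        if self.hook_mode == HOOK_MODE_USER:
            return "Usermode"
        else:
            return "Kernelmode"

    @property
    def Function(self):
        """Return the function name if its available"""
        return str(self.function_name) or ''

    @property
    def Detail(self):
        """The detail depends on the hook type"""
        if self.hook_type == HOOKTYPE_IAT:
            return "{0}!{1}".format(self.VictimModule, self.Function)
        elif self.hook_type == HOOKTYPE_EAT:
            return "{0} at {1:#x}".format(self.Function, self.hook_address)
        elif self.hook_type == HOOKTYPE_INLINE:
            return "{0}!{1} at {2:#x}".format(self.VictimModule, self.Function, self.function_address)
        else:
            return self.Function

    @property
    def HookModule(self):
        """Name of the hooking module"""
        return self._module_name(self.hook_module)

    @property
    def VictimModule(self):
        """Name of the victim module"""
        return self._module_name(self.victim_module)

#--------------------------------------------------------------------------------
# Whitelist Rules
#--------------------------------------------------------------------------------

# The values of each dictionary item is a list of tuples which are regexes
# in the format (process, src_mod, dst_mod, function). If you specify
# (".*", ".*", ".*", ".*") then you essentially whitelist all possible hooks
# of the given type.
#
# NOTE(review): the rules are applied with re.search, case-insensitively,
# to names only. Most patterns are unanchored and several leave the dot
# unescaped, so a rule also matches any longer name that merely contains
# the pattern, whatever path the module was loaded from. A whitelisted
# hook is therefore not a verified one: for a suspect image run the
# plugin with -N / --NO-WHITELIST as well and compare the two results.

whitelist_rules = {
    HOOK_MODE_USER | HOOKTYPE_IAT : [
    # Ignore hooks that point inside C runtime libraries
    (".*", ".*", "(msvcr|msvcp).+\.dll", ".*"),
    # Ignore hooks of WMI that point inside advapi32.dll
    (".*", "wmi.dll", "advapi32.dll", ".*"),
    # Ignore hooks of winsock that point inside ws2 and mswsock
    (".*", "WSOCK32.dll", "(WS2_32|MSWSOCK)\.dll", ".*"),
    # Ignore hooks of SCHANNEL* that point inside secur32.dll
    (".*", "schannel.dll", "secur32.dll", ".*"),
    # Ignore hooks of Secur32* that point inside SSPICLI
    (".*", "Secur32.dll", "SSPICLI.DLL", ".*"),
    # Ignore hooks that point inside known modules
    (".*", ".*", "(kernel32|gdi32|advapi32|ntdll|shimeng|kernelbase|shlwapi|user32|cfgmgr32)", ".*"),
    # Handle some known forwarded imports
    (".*", ".*", ".*", "((Enter|Delete|Leave)CriticalSection|(Get|Set)LastError|Heap(ReAlloc|Free|Size|Alloc)|Rtl(Unwind|MoveMemory))"),
    # Ignore sfc hooks going to sfc_os
    (".*", "sfc\.dll", "sfc_os\.dll", ".*"),
    # Ignore netapi32 hooks pointing at netutils or samcli
    (".*", "netapi32\.dll", "(netutils|samcli)\.dll", ".*"),
    (".*", "setupapi\.dll", "devrtl\.dll", ".*"),
    ],
    HOOK_MODE_USER | HOOKTYPE_EAT : [
    # These modules have so many hooks its really not useful to check
    (".*", "(msvcp|msvcr|mfc|wbemcomn|fastprox)", ".*", ".*"),
    ],
    HOOK_MODE_USER | HOOKTYPE_INLINE : [
    # Ignore hooks in the pywin32 service process
    ("pythonservice", ".*", ".*", ".*"),
    # Many legit hooks land inside these modules
    (".*", ".*", "(msvcr|advapi32|version|wbemcomn|ntdll|kernel32|kernelbase|sechost|ole32|shlwapi|user32|gdi32|ws2_32|shell32|imm32|propsys)", ".*"),
    # Ignore hooks of the c runtime DLLs
    (".*", "(msvc(p|r)\d{2}|mfc\d{2})\.dll", ".*", ".*"),
    # This is a global variable
    (".*", "msvcrt\.dll", ".*", "_acmdln"),
    # Ignore hooks of MD5Final, MD5Init, MD5Update that point inside advapi32
    (".*", ".*", "advapi32.dll", "MD5.+"),
    # Ignore hooks of common firefox components
    ("firefox\.exe", ".*", "(xul|mozcrt|nspr4)", ".*"),
    # Ignore hooks created by Parallels VM software
    (".*", "user32.dll", "prl_hook.dll", ".*"),
    # Ignore DLL registration functions
    (".*", ".*", ".*", "(DllCanUnloadNow|DllRegisterServer|DllUnregisterServer)"),
    # Ignore netapi32 hooks pointing at netutils
    (".*", "netapi32\.dll", "netutils\.dll", ".*"),
    ],
    HOOK_MODE_KERNEL | HOOKTYPE_IAT : [
    (".*", ".*", "(win32k\.sys|hal\.dll|dump_wmilib\.sys|ntkrnlpa\.exe|ntoskrnl\.exe)", ".*"),
    # Ignore hooks of the SCSI module which point inside the dump_scsiport module
    (".*", "scsiport\.sys", "dump_scsiport\.sys", ".*"),
    # Ignore other storage port hooks
    (".*", "storport\.sys", "dump_storport\.sys", ".*"),
    ],
    HOOK_MODE_KERNEL | HOOKTYPE_EAT : [
    ],
    HOOK_MODE_KERNEL | HOOKTYPE_INLINE : [
    # Ignore kernel hooks that point inside these modules
    (".*", ".*", "(hal.dll|ndis.sys|ntkrnlpa.exe|ntoskrnl.exe)", ".*"),
    ],
}

class ApiHooks(procdump.ProcDump):
    """Detect API hooks in process and kernel memory"""

    def __init__(self, config, *args, **kwargs):
        procdump.ProcDump.__init__(self, config, *args, **kwargs)
        config.remove_option("DUMP-DIR")
        config.remove_option("MEMORY")

        config.add_option("NO-WHITELIST", short_option = 'N', default = False,
                action = 'store_true',
                help = 'No whitelist (show all hooks, can be verbose)')

        config.add_option("SKIP-KERNEL", short_option = 'R', default = False,
                action = 'store_true',
                help = 'Skip kernel mode checks')

        config.add_option("SKIP-PROCESS", short_option = 'P', default = False,
                action = 'store_true',
                help = 'Skip process checks')

        config.add_option("QUICK", short_option = 'Q', default = False,
                action = 'store_true',
                help = 'Work faster by only analyzing critical processes and dlls')

        self.compiled_rules = self.compile()

        # When the --quick option is set, we only scan the processes
        # and dlls in these lists. Feel free to adjust them for
        # your own purposes. Anything outside these lists is not
        # examined in that mode.
        self.critical_process = ["explorer.exe", "svchost.exe", "lsass.exe",
            "services.exe", "winlogon.exe", "csrss.exe", "smss.exe",
            "wininit.exe", "iexplore.exe", "firefox.exe", "spoolsv.exe"]

        self.critical_dlls = ["ntdll.dll", "kernel32.dll", "ws2_32.dll",
            "advapi32.dll", "secur32.dll", "crypt32.dll", "user32.dll",
            "gdi32.dll", "shell32.dll", "shlwapi.dll", "lsasrv.dll",
            "cryptdll.dll", "wsock32.dll", "mswsock.dll", "urlmon.dll",
            "csrsrv.dll", "winsrv.dll", "wininet.dll"]

        # When scanning for calls to unknown code pages (UCP), only
        # analyze the following drivers. This is based on an analysis of
        # the modules rootkits are most likely to infect, but feel free
        # to adjust it for your own purposes.
        #
        # "fastfast.sys" is kept as found; the FAT file system driver is
        # named fastfat.sys, so that name is listed too.
        self.ucpscan_modules = ["tcpip.sys", "ntfs.sys", "fastfast.sys",
            "fastfat.sys", "wanarp.sys", "ndis.sys", "atapi.sys",
            "ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe"]

    def compile(self):
        """
        Precompile the regular expression rules. Its quicker
        if we do this once per plugin run, rather than once per
        API hook that needs checking.

        @returns: a dict with the keys of whitelist_rules that have at
        least one rule, each mapped to a list of 4-tuples of compiled,
        case-insensitive patterns.
        """
        ret = dict()
        for key, rules in whitelist_rules.items():
            for rule in rules:
                ruleset = (re.compile(rule[0], re.I), # Process name
                           re.compile(rule[1], re.I), # Source module
                           re.compile(rule[2], re.I), # Destination module
                           re.compile(rule[3], re.I), # Function name
                           )
                # A key whose rule list is empty never gets an entry.
                ret.setdefault(key, []).append(ruleset)
        return ret

    def whitelist(self, rule_key, process, src_mod, dst_mod, function):
        """Check if an API hook should be ignored due to whitelisting.

        @param rule_key: a key from the whitelist_rules dictionary which
            describes the type of hook (i.e. Usermode IAT or Kernel Inline).

        @param process: name of the suspected victim process.

        @param src_mod: name of the source module whose function has been
            hooked. this varies depending on whether we're dealing with IAT
            EAT, inline, etc.

        @param dst_mod: name of the module that is the destination of the
            hook pointer. this is usually the rootkit dll, exe, or sys,
            however, in many cases there is no module name since the rootkit
            is trying to be stealthy.

        @param function: name of the function that has been hooked.

        @returns: True when all four patterns of any rule are found in
        the given names, False otherwise. Only names are compared, so a
        True result means "looks like a known benign hook", nothing more.
        """
        # There are no whitelist rules for this hook type
        if rule_key not in self.compiled_rules:
            return False

        for rule in self.compiled_rules[rule_key]:
            if (rule[0].search(process) is not None and
                    rule[1].search(src_mod) is not None and
                    rule[2].search(dst_mod) is not None and
                    rule[3].search(function) is not None):
                return True

        return False

    @staticmethod
    def check_syscall(addr_space, module, module_group):
        """
        Enumerate syscall hooks in ntdll.dll. A syscall hook is one
        that modifies the function prologue of an NT API function
        (i.e. ntdll!NtCreateFile) or swaps the location of the sysenter
        with a malicious address.

        @param addr_space: a process AS for the process containing the
        ntdll.dll module.

        @param module: the _LDR_DATA_TABLE_ENTRY for ntdll.dll

        @param module_group: a ModuleGroup instance for the process.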
""" # Resolve the real location of KiFastSystem Call for comparison KiFastSystemCall = module.getprocaddress("KiFastSystemCall") KiIntSystemCall = module.getprocaddress("KiIntSystemCall") if not KiFastSystemCall or not KiIntSystemCall: #debug.debug("Abort check_syscall, can't find KiFastSystemCall") return # Add the RVA to make it absolute KiFastSystemCall += module.DllBase KiIntSystemCall += module.DllBase # Check each exported function if its an NT syscall for _, f, n in module.exports(): # Ignore forwarded exports if not f: #debug.debug("Skipping forwarded export {0}".format(n or '')) continue function_address = module.DllBase + f if not addr_space.is_valid_address(function_address): #debug.debug("Function address {0:#x} for {1} is paged".format( # function_address, n or '')) continue # Read enough of the function prologue for two instructions data = addr_space.zread(function_address, 24) instructions = [] for op in distorm3.Decompose(function_address, data, distorm3.Decode32Bits): if not op.valid: break if len(instructions) == 3: break instructions.append(op) i0 = instructions[0] i1 = instructions[1] i2 = instructions[2] # They both must be properly decomposed and have two operands if (not i0 or not i0.valid or len(i0.operands) != 2 or not i1 or not i1.valid or len(i1.operands) != 2): #debug.debug("Error decomposing prologue for {0} at {1:#x}".format( # n or '', function_address)) continue # Now check the instruction and operand types if (i0.mnemonic == "MOV" and i0.operands[0].type == 'Register' and i0.operands[0].name == 'EAX' and i0.operands[1].type == 'Immediate' and i1.mnemonic == "MOV" and i1.operands[0].type == 'Register' and i1.operands[0].name == 'EDX' and i0.operands[1].type == 'Immediate'): if i2.operands[0].type == "Register": # KiFastSystemCall is already in the register syscall_address = i1.operands[1].value else: # Pointer to where KiFastSystemCall is stored syscall_address = obj.Object('address', offset = i1.operands[1].value, vm = addr_space) 
if syscall_address not in [KiFastSystemCall, KiIntSystemCall]: hook_module = module_group.find_module(syscall_address) hook = Hook(hook_type = HOOKTYPE_NT_SYSCALL, hook_mode = HOOK_MODE_USER, function_name = n or '', function_address = function_address, hook_address = syscall_address, hook_module = hook_module, victim_module = module, ) # Add the bytes that will later be disassembled in the # output to show exactly how the hook works. The first # hop is the ntdll!Nt* API and the next hop is the rootkit. hook.add_hop_chunk(function_address, data) hook.add_hop_chunk(syscall_address, addr_space.zread(syscall_address, 24)) yield hook def check_ucpcall(self, addr_space, module, module_group): """Scan for calls to unknown code pages. @param addr_space: a kernel AS @param module: the _LDR_DATA_TABLE_ENTRY to scan @param module_group: a ModuleGroup instance for the process. """ try: dos_header = obj.Object("_IMAGE_DOS_HEADER", offset = module.DllBase, vm = addr_space) nt_header = dos_header.get_nt_header() except (ValueError, exceptions.SanityCheckException), _why: #debug.debug('get_nt_header() failed: {0}'.format(why)) return # Parse the PE sections for this driver for sec in nt_header.get_sections(self._config.UNSAFE): # Only check executable sections if not sec.Characteristics & 0x20000000: continue # Calculate the virtual address of this PE section in memory sec_va = module.DllBase + sec.VirtualAddress # Extract the section's data and make sure its not all zeros data = addr_space.zread(sec_va, sec.Misc.VirtualSize) if data == "\x00" * len(data): continue # Disassemble instructions in the section for op in distorm3.DecomposeGenerator(sec_va, data, distorm3.Decode32Bits): if (op.valid and ((op.flowControl == 'FC_CALL' and op.mnemonic == "CALL") or (op.flowControl == 'FC_UNC_BRANCH' and op.mnemonic == "JMP")) and op.operands[0].type == 'AbsoluteMemoryAddress'): # This is ADDR, which is the IAT location const = op.operands[0].disp & 0xFFFFFFFF # Abort if ADDR is not a 
valid address if not addr_space.is_valid_address(const): continue # This is what [ADDR] points to - the absolute destination call_dest = obj.Object("address", offset = const, vm = addr_space) # Abort if [ADDR] is not a valid address if not addr_space.is_valid_address(call_dest): continue check1 = module_group.find_module(const) check2 = module_group.find_module(call_dest) # If ADDR or [ADDR] point to an unknown code page if not check1 or not check2: hook = Hook(hook_type = HOOKTYPE_CODEPAGE_KERNEL, hook_mode = HOOK_MODE_KERNEL, function_name = "", function_address = op.address, hook_address = call_dest, ) # Add the location we found the call hook.add_hop_chunk(op.address, data[op.address - sec_va : op.address - sec_va + 24]) # Add the rootkit stub hook.add_hop_chunk(call_dest, addr_space.zread(call_dest, 24)) yield hook def check_wsp(self, addr_space, module, module_group): """ Check for hooks of non-exported WSP* functions. The mswsock.dll module contains a global variable which points to all the internal Winsock functions. We find the function table by the reference from the exported WSPStartup API. .text:6C88922E 8B 7D 50 mov edi, [ebp+lpProcTable] .text:6C889231 6A 1E push 1Eh .text:6C889233 59 pop ecx .text:6C889234 BE 40 64 8B 6C mov esi, offset _SockProcTable .text:6C889239 F3 A5 rep movsd @param addr_space: process AS @param module: the _LDR_DATA_TABLE_ENTRY for mswsock.dll @param module_group: a ModuleGroup instance for the process. 
""" WSPStartup = module.getprocaddress("WSPStartup") if not WSPStartup: #debug.debug("Abort check_wsp, can't find WSPStartup") return WSPStartup += module.DllBase # Opcode pattern to look for signature = "\x6A\x1E\x59\xBE" # Read enough bytes of the function to find our signature data = addr_space.zread(WSPStartup, 300) if data == "\x00" * len(data): #debug.debug("WSPStartup prologue is paged") return offset = data.find(signature) if offset == -1: #debug.debug("Can't find {0} in WSPStartup".format(repr(signature))) return # Dereference the pointer as our _SockProcTable p = obj.Object("address", offset = WSPStartup + offset + len(signature), vm = addr_space) p = p.dereference_as("_SOCK_PROC_TABLE") # Enumerate functions in the procedure table for i, function_address in enumerate(p.Functions): function_owner = module_group.find_module(function_address) # The function points outside of mwsock, its hooked if function_owner != module: hook = Hook(hook_type = HOOKTYPE_WINSOCK, hook_mode = HOOK_MODE_USER, function_name = WINSOCK_TABLE[i], function_address = function_address, hook_module = function_owner, victim_module = module ) hook.add_hop_chunk(function_address, addr_space.zread(function_address, 12)) yield hook else: # The function points inside mwsock, check inline ret = self.check_inline(function_address, addr_space, module.DllBase, module.DllBase + module.SizeOfImage) if not ret: #debug.debug("Cannot analyze {0}".format(WINSOCK_TABLE[i])) continue (hooked, data, hook_address) = ret if hooked: hook_module = module_group.find_module(hook_address) if hook_module != module: hook = Hook(hook_type = HOOKTYPE_WINSOCK, hook_mode = HOOK_MODE_USER, function_name = WINSOCK_TABLE[i], function_address = function_address, hook_module = hook_module, hook_address = hook_address, victim_module = module ) hook.add_hop_chunk(function_address, data) hook.add_hop_chunk(hook_address, addr_space.zread(hook_address, 12)) yield hook @staticmethod def check_inline(va, addr_space, mem_start, 
mem_end, mode = distorm3.Decode32Bits): """ Check for inline API hooks. We check for direct and indirect calls, direct and indirect jumps, and PUSH/RET combinations. @param va: the virtual address of the function to check @param addr_space: process or kernel AS where the function resides @param mem_start: base address of the module containing the function being checked. @param mem_end: end address of the module containing the func being checked. @param mode: 32 or 64 bit mode (default: 32) @returns: a tuple of (hooked, data, hook_address) """ data = addr_space.zread(va, 24) if data == "\x00" * len(data): #debug.debug("Cannot read function prologue at {0:#x}".format(va)) return None outside_module = lambda x: x != None and (x < mem_start or x > mem_end) # Number of instructions disassembled so far n = 0 # Destination address of hooks d = None # Save the last PUSH before a CALL push_val = None # Save the general purpose registers regs = {} for op in distorm3.Decompose(va, data, mode): # Quit the loop when we have three instructions or when # a decomposition error is encountered, whichever is first. 
if not op.valid or n == 3: break if mode == distorm3.Decode64Bits: if op.flowControl == 'FC_CALL': pass elif op.flowControl == 'FC_UNC_BRANCH' and op.mnemonic.startswith("JMP"): if ('FLAG_RIP_RELATIVE' in op.flags and op.operands[0].type == 'AbsoluteMemory'): const = op.address + op.size + op.operands[0].disp d = obj.Object("unsigned long long", offset = const, vm = addr_space) if outside_module(d): break elif op.operands[0].type == 'Immediate': # Check for JMP ADDR d = op.operands[0].value if outside_module(d): break elif op.operands[0].type == 'FarMemory': # Check for JMP FAR ADDR d = op.operands[0].off if outside_module(d): break elif op.flowControl == 'FC_NONE': pass elif op.flowControl == 'FC_RET': pass elif mode == distorm3.Decode32Bits: if op.flowControl == 'FC_CALL': # Clear the push value if push_val: push_val = None if op.mnemonic == "CALL" and op.operands[0].type == 'AbsoluteMemoryAddress': # Check for CALL [ADDR] const = op.operands[0].disp & 0xFFFFFFFF d = obj.Object("unsigned int", offset = const, vm = addr_space) if outside_module(d): break elif op.operands[0].type == 'Immediate': # Check for CALL ADDR d = op.operands[0].value & 0xFFFFFFFF if outside_module(d): break elif op.operands[0].type == 'Register': # Check for CALL REG d = regs.get(op.operands[0].name) if d and outside_module(d): break elif op.flowControl == 'FC_UNC_BRANCH' and op.mnemonic.startswith("JMP"): # Clear the push value if push_val: push_val = None if op.size > 2: if op.operands[0].type == 'AbsoluteMemoryAddress': # Check for JMP [ADDR] const = op.operands[0].disp & 0xFFFFFFFF d = obj.Object("unsigned int", offset = const, vm = addr_space) if outside_module(d): break elif op.operands[0].type == 'Immediate': # Check for JMP ADDR d = op.operands[0].value & 0xFFFFFFFF if outside_module(d): break elif op.operands[0].type == 'FarMemory': # Check for JMP FAR ADDR d = op.operands[0].off if outside_module(d): break elif op.size == 2 and op.operands[0].type == 'Register': # Check for JMP 
REG d = regs.get(op.operands[0].name) if d and outside_module(d): break elif op.flowControl == 'FC_NONE': # Check for PUSH followed by a RET if (op.mnemonic == "PUSH" and op.operands[0].type == 'Immediate' and op.size == 5): # Set the push value push_val = op.operands[0].value & 0xFFFFFFFF # Check for moving imm values into a register if (op.mnemonic == "MOV" and op.operands[0].type == 'Register' and op.operands[1].type == 'Immediate'): # Clear the push value if push_val: push_val = None # Save the value put into the register regs[op.operands[0].name] = op.operands[1].value elif op.flowControl == 'FC_RET': if push_val: d = push_val if outside_module(d): break n += 1 # Check EIP after the function prologue if outside_module(d): return True, data, d else: return False, data, d def gather_stuff(self, _addr_space, module): """Use the Volatility object classes to enumerate imports and exports. This function can be overriden to use pefile instead for speed testing""" # This is a dictionary where keys are the names of imported # modules and values are lists of tuples (ord, addr, name). imports = {} exports = [(o, module.DllBase + f, n) for o, f, n in module.exports()] for dll, o, f, n in module.imports(): dll = dll.lower() if dll in imports: imports[dll].append((o, f, n)) else: imports[dll] = [(o, f, n)] return imports, exports def get_hooks(self, hook_mode, addr_space, module, module_group): """Enumerate IAT, EAT, Inline hooks. Also acts as a dispatcher for NT syscall, UCP scans, and winsock procedure table hooks. @param hook_mode: one of the HOOK_MODE_* constants @param addr_space: a process AS or kernel AS @param module: an _LDR_DATA_TABLE_ENTRY for the module being checked for hooks. @param module_group: a ModuleGroup instance for the process. 
""" bits32 = addr_space.profile.metadata.get("memory_model", "32bit") == "32bit" if bits32: decode_bits = distorm3.Decode32Bits else: if hook_mode == HOOK_MODE_KERNEL: decode_bits = distorm3.Decode64Bits else: parent = module.obj_parent while parent: parent = parent.obj_parent if (parent and parent.obj_name == "_EPROCESS" and parent.IsWow64()): print "FOUND A WOW64" else: decode_bits = distorm3.Decode64Bits # We start with the module base name. If that's not available, # trim the full name down to its base name. module_name = (str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or ''))) # Lowercase for string matching module_name = module_name.lower() if bits32: if hook_mode == HOOK_MODE_USER: if module_name == "ntdll.dll": for hook in self.check_syscall(addr_space, module, module_group): yield hook elif module_name == "mswsock.dll": for hook in self.check_wsp(addr_space, module, module_group): yield hook else: if module_name in self.ucpscan_modules: for hook in self.check_ucpcall(addr_space, module, module_group): yield hook imports, exports = \ self.gather_stuff(addr_space, module) for dll, functions in imports.items(): valid_owners = module_group.mod_name.get(dll, []) if not valid_owners: #debug.debug("Cannot find any modules named {0}".format(dll)) continue for (_, f, n) in functions: if not f: #debug.debug("IAT function {0} is paged or ordinal".format(n or '')) continue if not addr_space.is_valid_address(f): continue function_owner = module_group.find_module(f) if function_owner not in valid_owners: hook = Hook(hook_type = HOOKTYPE_IAT, hook_mode = hook_mode, function_name = n or '', hook_address = f, hook_module = function_owner, victim_module = dll, # only for IAT hooks ) # Add the rootkit code hook.add_hop_chunk(f, addr_space.zread(f, 24)) yield hook for _, f, n in exports: if not f: #debug.debug("EAT function {0} is paged".format(n or '')) continue function_address = f if not addr_space.is_valid_address(function_address): continue # Get 
the module containing the function function_owner = module_group.find_module(function_address) # This is a check for EAT hooks if function_owner != module: hook = Hook(hook_type = HOOKTYPE_EAT, hook_mode = hook_mode, function_name = n or '', hook_address = function_address, hook_module = function_owner, ) hook.add_hop_chunk(function_address, addr_space.zread(function_address, 24)) yield hook # No need to check for inline hooks if EAT is hooked continue ret = self.check_inline(function_address, addr_space, module.DllBase, module.DllBase + module.SizeOfImage, mode = decode_bits) if ret == None: #debug.debug("Cannot analyze {0}".format(n or '')) continue (hooked, data, dest_addr) = ret if not hooked: continue if not addr_space.is_valid_address(dest_addr): continue function_owner = module_group.find_module(dest_addr) if function_owner != module: # only do this for kernel hooks #if params['mode'] == HOOK_MODE_KERNEL: # if owner: # if self.in_data_section(owner, status['destaddr']): # continue hook = Hook(hook_type = HOOKTYPE_INLINE, hook_mode = hook_mode, function_name = n or '', function_address = function_address, hook_address = dest_addr, hook_module = function_owner, victim_module = module, decode_bits = decode_bits, ) # Add the function prologue hook.add_hop_chunk(function_address, data) # Add the first redirection hook.add_hop_chunk(dest_addr, addr_space.zread(dest_addr, 24)) yield hook def calculate(self): addr_space = utils.load_as(self._config) if not has_distorm3: debug.error("Install distorm3 code.google.com/p/distorm/") if not self._config.SKIP_PROCESS: for proc in self.filter_tasks(tasks.pslist(addr_space)): process_name = str(proc.ImageFileName).lower() if (self._config.QUICK and process_name not in self.critical_process): #debug.debug("Skipping non-critical process {0} ({1})".format( # process_name, proc.UniqueProcessId)) continue process_space = proc.get_process_address_space() if not process_space: #debug.debug("Cannot acquire process AS for {0} 
({1})".format( # process_name, proc.UniqueProcessId)) continue module_group = ModuleGroup(proc.get_load_modules()) for dll in module_group.mods: if not process_space.is_valid_address(dll.DllBase): continue dll_name = str(dll.BaseDllName or '').lower() if (self._config.QUICK and dll_name not in self.critical_dlls and dll.DllBase != proc.Peb.ImageBaseAddress): #debug.debug("Skipping non-critical dll {0} at {1:#x}".format( # dll_name, dll.DllBase)) continue #debug.debug("Analyzing {0}!{1}".format(process_name, dll_name)) for hook in self.get_hooks(HOOK_MODE_USER, process_space, dll, module_group): if not self._config.NO_WHITELIST: if self.whitelist(hook.hook_mode | hook.hook_type, str(proc.ImageFileName), hook.VictimModule, hook.HookModule, hook.Function): continue yield proc, dll, hook if not self._config.SKIP_KERNEL: process_list = list(tasks.pslist(addr_space)) module_group = ModuleGroup(modules.lsmod(addr_space)) for mod in module_group.mods: #module_name = str(mod.BaseDllName or '') #debug.debug("Analyzing {0}".format(module_name)) kernel_space = tasks.find_space(addr_space, process_list, mod.DllBase) if not kernel_space: #debug.debug("No kernel AS for {0} at {1:#x}".format( # module_name, mod.DllBase)) continue for hook in self.get_hooks(HOOK_MODE_KERNEL, kernel_space, mod, module_group): if not self._config.NO_WHITELIST: if self.whitelist(hook.hook_mode | hook.hook_type, "", hook.VictimModule, hook.HookModule, hook.Function): continue yield None, mod, hook def unified_output(self, data): return TreeGrid([("HookMode", str), ("HookType", str), ("Process", str), ("PID", int), ("VictimModule", str), ("VictimModBase", Address), ("VictimModSize", Hex), ("Function", str), ("HookAddress", Address), ("HookingModule", str), ("DataAddress", Address), ("Data", Bytes)], self.generator(data)) def generator(self, data): for process, module, hook in data: if not self._config.NO_WHITELIST: process_name = "" if process: process_name = str(process.ImageFileName) if 
self.whitelist(hook.hook_mode | hook.hook_type, process_name, hook.VictimModule, hook.HookModule, hook.Function): continue procname = "N/A" pid = -1 if process: procname = str(process.ImageFileName) pid = int(process.UniqueProcessId) for n, info in enumerate(hook.disassembled_hops): (address, data) = info yield (0, [str(hook.Mode), str(hook.Type), procname, pid, str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')), Address(module.DllBase), Hex(module.DllBase + module.SizeOfImage), str(hook.Detail), Address(hook.hook_address), str(hook.HookModule), Address(address), Bytes(data)]) def render_text(self, outfd, data): for process, module, hook in data: outfd.write("*" * 72 + "\n") outfd.write("Hook mode: {0}\n".format(hook.Mode)) outfd.write("Hook type: {0}\n".format(hook.Type)) if process: outfd.write('Process: {0} ({1})\n'.format( process.UniqueProcessId, process.ImageFileName)) outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format( str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')), module.DllBase, module.DllBase + module.SizeOfImage)) outfd.write("Function: {0}\n".format(hook.Detail)) outfd.write("Hook address: {0:#x}\n".format(hook.hook_address)) outfd.write("Hooking module: {0}\n\n".format(hook.HookModule)) for n, info in enumerate(hook.disassembled_hops): (address, data) = info s = ["{0:#x} {1:<16} {2}".format(o, h, i) for o, i, h in malfind.Disassemble(data, int(address), bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit") ] outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s))) outfd.write("\n\n") volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/callbacks.py0000644000000000000000000006172713131215405024754 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (c) 2010, 2011, 2012 Michael Ligh # # This file is part of Volatility. 
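#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.poolscan as poolscan
import volatility.debug as debug
import volatility.plugins.common as common
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks
import volatility.plugins.malware.devicetree as devicetree
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

try:
    import distorm3
    has_distorm3 = True
except ImportError:
    has_distorm3 = False

#--------------------------------------------------------------------------------
# vtypes
#--------------------------------------------------------------------------------

# Structure layouts for 32-bit profiles. Each entry is
# [size, {member: [offset, type]}]; a size of None leaves it unspecified.
callback_types = {
    '_NOTIFICATION_PACKET' : [ 0x10, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]],
    'NotificationRoutine' : [ 0xC, ['unsigned int']],
    } ],
    '_KBUGCHECK_CALLBACK_RECORD' : [ 0x20, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'CallbackRoutine' : [ 0x8, ['unsigned int']],
    'Buffer' : [ 0xC, ['pointer', ['void']]],
    'Length' : [ 0x10, ['unsigned int']],
    'Component' : [ 0x14, ['pointer', ['String', dict(length = 64)]]],
    'Checksum' : [ 0x18, ['pointer', ['unsigned int']]],
    'State' : [ 0x1C, ['unsigned char']],
    } ],
    '_KBUGCHECK_REASON_CALLBACK_RECORD' : [ 0x1C, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'CallbackRoutine' : [ 0x8, ['unsigned int']],
    'Component' : [ 0xC, ['pointer', ['String', dict(length = 8)]]],
    'Checksum' : [ 0x10, ['pointer', ['unsigned int']]],
    'Reason' : [ 0x14, ['unsigned int']],
    'State' : [ 0x18, ['unsigned char']],
    } ],
    '_SHUTDOWN_PACKET' : [ 0xC, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]],
    } ],
    # NOTE(review): declared size is 0x8 but Context sits at offset 0x8.
    '_EX_CALLBACK_ROUTINE_BLOCK' : [ 0x8, {
    'RundownProtect' : [ 0x0, ['unsigned int']],
    'Function' : [ 0x4, ['unsigned int']],
    'Context' : [ 0x8, ['unsigned int']],
    } ],
    '_GENERIC_CALLBACK' : [ 0xC, {
    'Callback' : [ 0x4, ['pointer', ['void']]],
    'Associated' : [ 0x8, ['pointer', ['void']]],
    } ],
    '_REGISTRY_CALLBACK_LEGACY' : [ 0x38, {
    'CreateTime' : [ 0x0, ['WinTimeStamp', dict(is_utc = True)]],
    } ],
    '_REGISTRY_CALLBACK' : [ None, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'Function' : [ 0x1C, ['pointer', ['void']]],
    } ],
    '_DBGPRINT_CALLBACK' : [ 0x14, {
    'Function' : [ 0x8, ['pointer', ['void']]],
    } ],
    '_NOTIFY_ENTRY_HEADER' : [ None, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'EventCategory' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {
            0: 'EventCategoryReserved',
            1: 'EventCategoryHardwareProfileChange',
            2: 'EventCategoryDeviceInterfaceChange',
            3: 'EventCategoryTargetDeviceChange'})]],
    'CallbackRoutine' : [ 0x14, ['unsigned int']],
    'DriverObject' : [ 0x1C, ['pointer', ['_DRIVER_OBJECT']]],
    } ],
}

# Structure layouts for 64-bit profiles.
callback_types_x64 = {
    '_GENERIC_CALLBACK' : [ 0x18, {
    'Callback' : [ 0x8, ['pointer', ['void']]],
    'Associated' : [ 0x10, ['pointer', ['void']]],
    } ],
    '_NOTIFICATION_PACKET' : [ 0x30, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'DriverObject' : [ 0x10, ['pointer', ['_DRIVER_OBJECT']]],
    'NotificationRoutine' : [ 0x18, ['address']],
    } ],
    # NOTE(review): declared size 0xC is smaller than the DeviceObject
    # offset (0x10); it looks carried over from the 32-bit layout.
    '_SHUTDOWN_PACKET' : [ 0xC, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]],
    } ],
    # NOTE(review): declared size 0x14 does not cover a pointer at 0x10.
    '_DBGPRINT_CALLBACK' : [ 0x14, {
    'Function' : [ 0x10, ['pointer', ['void']]],
    } ],
    '_NOTIFY_ENTRY_HEADER' : [ None, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {
            0: 'EventCategoryReserved',
            1: 'EventCategoryHardwareProfileChange',
            2: 'EventCategoryDeviceInterfaceChange',
            3: 'EventCategoryTargetDeviceChange'})]],
    'CallbackRoutine' : [ 0x20, ['address']],
    'DriverObject' : [ 0x30, ['pointer', ['_DRIVER_OBJECT']]],
    } ],
    '_REGISTRY_CALLBACK' : [ 0x50, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'Function' : [ 0x20, ['pointer', ['void']]], # other could be 28
    } ],
    '_KBUGCHECK_CALLBACK_RECORD' : [ None, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'CallbackRoutine' : [ 0x10, ['address']],
    'Component' : [ 0x28, ['pointer', ['String', dict(length = 8)]]],
    } ],
    # NOTE(review): CallbackRoutine is 'unsigned int' here while the
    # sibling record above uses 'address'; on x64 this would presumably
    # keep only the low 32 bits of the routine pointer - confirm.
    '_KBUGCHECK_REASON_CALLBACK_RECORD' : [ None, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'CallbackRoutine' : [ 0x10, ['unsigned int']],
    'Component' : [ 0x28, ['pointer', ['String', dict(length = 8)]]],
    } ],
}

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _SHUTDOWN_PACKET(obj.CType):
    """Class for shutdown notification callbacks"""

    def is_valid(self):
        """
        Perform some checks.
        Note: obj_native_vm is kernel space.

        @returns: True only if both list links and the device pointer are
        valid kernel addresses and the pointed-to object's header reports
        the type "Device".
        """

        if not obj.CType.is_valid(self):
            return False

        if (not self.obj_native_vm.is_valid_address(self.Entry.Flink) or
                not self.obj_native_vm.is_valid_address(self.Entry.Blink) or
                not self.obj_native_vm.is_valid_address(self.DeviceObject)):
            return False

        # Dereference the device object
        device = self.DeviceObject.dereference()

        # Carve out the device's object header and check its type
        object_header = obj.Object("_OBJECT_HEADER",
                offset = device.obj_offset -
                self.obj_native_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body"),
                vm = device.obj_vm,
                native_vm = device.obj_native_vm)

        return object_header.get_object_type() == "Device"

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class CallbackMods(obj.ProfileModification):
    """Install the callback vtypes into Windows profiles.

    The _SHUTDOWN_PACKET object class, and with it the is_valid() sanity
    checks, is registered for 32-bit profiles only.
    """
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        if profile.metadata.get("memory_model", "32bit") == "32bit":
            profile.vtypes.update(callback_types)
            profile.object_classes.update({
                '_SHUTDOWN_PACKET': _SHUTDOWN_PACKET,
            })
        else:
            profile.vtypes.update(callback_types_x64)

#--------------------------------------------------------------------------------
# pool scanners
#--------------------------------------------------------------------------------

class AbstractCallbackScanner(poolscan.PoolScanner):
    """Return the offset of the callback, no object headers"""

class PoolScanFSCallback(AbstractCallbackScanner):
    """PoolScanner for File System Callbacks"""

    def __init__(self, address_space):
        AbstractCallbackScanner.__init__(self, address_space)

        self.pooltag = "IoFs"
        self.struct_name = "_NOTIFICATION_PACKET"

        if address_space.profile.metadata.get("memory_model", "32bit") == "32bit":
            size = 0x18
        else:
            size = 0x30

        self.checks = [ ('CheckPoolSize', dict(condition = lambda x: x == size)),
                   ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
                   #('CheckPoolIndex', dict(value = 4)),
                   ]

class PoolScanShutdownCallback(AbstractCallbackScanner):
    """PoolScanner for Shutdown Callbacks"""

    def __init__(self, address_space):
        AbstractCallbackScanner.__init__(self, address_space)

        self.pooltag = "IoSh"
        self.struct_name = "_SHUTDOWN_PACKET"

        if address_space.profile.metadata.get("memory_model", "32bit") == "32bit":
            size = 0x18
        else:
            size = 0x30

        self.checks = [ ('CheckPoolSize', dict(condition = lambda x: x == size)),
                   ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
                   ('CheckPoolIndex', dict(value = 0)),
                   ]

class PoolScanGenericCallback(AbstractCallbackScanner):
    """PoolScanner for Generic Callbacks"""

    def __init__(self, address_space):
        AbstractCallbackScanner.__init__(self, address_space)

        self.pooltag = "Cbrb"
        self.struct_name = "_GENERIC_CALLBACK"

        if address_space.profile.metadata.get("memory_model", "32bit") == "32bit":
            size = 0x18
        else:
            size = 0x30

        self.checks = [ ('CheckPoolSize', dict(condition = lambda x: x == size)),
                   ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
                   # This is a good constraint for all images except Frank's rustock-c.vmem
                   #('CheckPoolIndex', dict(value = 1)),
                   ]

class PoolScanDbgPrintCallback(AbstractCallbackScanner):
    """PoolScanner for DebugPrint Callbacks on Vista and 7"""

    def __init__(self, address_space):
        AbstractCallbackScanner.__init__(self, address_space)

        self.pooltag = "DbCb"
        self.struct_name = "_DBGPRINT_CALLBACK"

        self.checks = [ ('CheckPoolSize', dict(condition = lambda x: x >= 0x20 and x <= 0x40)),
                   ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
                   #('CheckPoolIndex', dict(value = 0)),
                   ]

class PoolScanRegistryCallback(AbstractCallbackScanner):
    """PoolScanner for Registry Callbacks (pool tag CMcb)"""

    def __init__(self, address_space):
        AbstractCallbackScanner.__init__(self, address_space)

        self.pooltag = "CMcb"
        self.struct_name = "_REGISTRY_CALLBACK"

        self.checks = [('CheckPoolSize', dict(condition = lambda x: x >= 0x38)),
                   ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
                   ('CheckPoolIndex', dict(value = 4)),
                   ]

class PoolScanPnp9(AbstractCallbackScanner):
    """PoolScanner for Pnp9 (EventCategoryHardwareProfileChange)"""

    def __init__(self, address_space):
        AbstractCallbackScanner.__init__(self, address_space)

        self.pooltag = "Pnp9"
        self.struct_name = "_NOTIFY_ENTRY_HEADER"

        self.checks = [ # seen as 0x2C on W7, 0x28 on vistasp0 (4 less but needs 8 less)
                   ('CheckPoolSize', dict(condition = lambda x: x >= 0x30)),
                   ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
                   ('CheckPoolIndex', dict(value = 1)),
                   ]

class PoolScanPnpD(AbstractCallbackScanner):
    """PoolScanner for PnpD (EventCategoryDeviceInterfaceChange)"""

    def __init__(self, address_space):
        AbstractCallbackScanner.__init__(self, address_space)

        self.pooltag = "PnpD"
        self.struct_name = "_NOTIFY_ENTRY_HEADER"

        self.checks = [('CheckPoolSize', dict(condition = lambda x: x >= 0x40)),
                   ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
                   ('CheckPoolIndex', dict(value = 1)),
                   ]

class PoolScanPnpC(AbstractCallbackScanner):
    """PoolScanner for PnpC (EventCategoryTargetDeviceChange)"""

    def __init__(self, address_space):
        AbstractCallbackScanner.__init__(self, address_space)

        self.pooltag = "PnpC"
        self.struct_name = "_NOTIFY_ENTRY_HEADER"

        self.checks = [('CheckPoolSize', dict(condition = lambda x: x >= 0x38)),
                   ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
                   ('CheckPoolIndex', dict(value = 1)),
                   ]

#--------------------------------------------------------------------------------
# callbacks plugin
#--------------------------------------------------------------------------------

class Callbacks(common.AbstractScanCommand):
    """Print system-wide notification routines"""

    scanners = [PoolScanFSCallback, PoolScanShutdownCallback, PoolScanGenericCallback]

    @staticmethod
    def get_kernel_callbacks(nt_mod):
        """
        Enumerate the Create Process, Create Thread, and Image Load callbacks.

        On some systems, the byte sequences will be inaccurate or the exported
        function will not be found. In these cases, the PoolScanGenericCallback
        scanner will pick up the pool associated with the callbacks.

        @param nt_mod: the module object for the NT kernel image

        @returns: a generator of (symbol, callback address, None) tuples.
        On 64-bit profiles the Create Process routine list is not located
        by this method (its signature is commented out below).
        """

        bits32 = nt_mod.obj_vm.profile.metadata.get("memory_model", "32bit") == "32bit"
        vista_or_later = nt_mod.obj_vm.profile.metadata.get("major", 0) >= 6

        if bits32:
            routines = [
                       # push esi; mov esi, offset _PspLoadImageNotifyRoutine
                       ('PsSetLoadImageNotifyRoutine', "\x56\xbe"),
                       # push esi; mov esi, offset _PspCreateThreadNotifyRoutine
                       ('PsSetCreateThreadNotifyRoutine', "\x56\xbe"),
                       # mov edi, offset _PspCreateProcessNotifyRoutine
                       ('PsSetCreateProcessNotifyRoutine', "\xbf"),
                       ]
        else:
            routines = [
                       # lea rcx, offset _PspLoadImageNotifyRoutine
                       ('PsRemoveLoadImageNotifyRoutine', "\x48\x8d\x0d"),
                       # lea rcx, offset _PspCreateThreadNotifyRoutine
                       ('PsRemoveCreateThreadNotifyRoutine', "\x48\x8d\x0d"),
                       # mov edi, offset _PspCreateProcessNotifyRoutine
                       #('PsSetCreateProcessNotifyRoutine', "\xbf"),
                       ]

        for symbol, hexbytes in routines:

            # Locate the exported symbol in the NT module
            symbol_rva = nt_mod.getprocaddress(symbol)
            if symbol_rva == None:
                continue

            symbol_address = symbol_rva + nt_mod.DllBase

            # Find the global variable referenced by the exported symbol
            data = nt_mod.obj_vm.zread(symbol_address, 100)

            offset = data.find(hexbytes)
            if offset == -1:
                continue

            if bits32:
                # Read the pointer to the list
                p = obj.Object('Pointer',
                        offset = symbol_address + offset + len(hexbytes),
                        vm = nt_mod.obj_vm)
            else:
                # Read the RIP-relative displacement; the target is relative
                # to the end of the 7-byte LEA instruction
                v = obj.Object('int',
                        offset = symbol_address + offset + len(hexbytes),
                        vm = nt_mod.obj_vm)
                p = symbol_address + offset + 7 + v

            # The list is an array of 8 _EX_FAST_REF objects on XP/2003
            # and 64 starting with NT6 (Vista) and later
            if vista_or_later and ('CreateProcess' in symbol or
                    'CreateThread' in symbol):
                count = 64
            else:
                count = 8

            # Use the computed count. A fixed count of 8 here would leave
            # slots 8..63 of the process/thread arrays unread on Vista and
            # later, hiding any routine registered in them.
            addrs = obj.Object('Array', count = count, targetType = '_EX_FAST_REF',
                    offset = p, vm = nt_mod.obj_vm)

            for addr in addrs:
                callback = addr.dereference_as("_GENERIC_CALLBACK")
                if callback:
                    yield symbol, callback.Callback, None

    @staticmethod
    def get_bugcheck_callbacks(addr_space):
        """
        Enumerate generic Bugcheck callbacks.

        Note: These structures don't exist in tagged pools, but you can find
        them via KDDEBUGGER_DATA64 on all versions of Windows.

        @param addr_space: the address space passed to tasks.get_kdbg()

        @returns: a generator of (list name, callback routine, component)
        """

        kdbg = tasks.get_kdbg(addr_space)
        list_head = kdbg.KeBugCheckCallbackListHead.dereference_as('_KBUGCHECK_CALLBACK_RECORD')

        for l in list_head.Entry.list_of_type("_KBUGCHECK_CALLBACK_RECORD", "Entry"):
            yield "KeBugCheckCallbackListHead", l.CallbackRoutine, l.Component.dereference()

    @staticmethod
    def get_registry_callbacks_legacy(nt_mod):
        """
        Enumerate registry change callbacks.

        This method of finding a global variable via disassembly of the
        CmRegisterCallback function is only for XP systems. If it fails on
        XP you can still find the callbacks using PoolScanGenericCallback.

        On Vista and Windows 7, these callbacks are registered using the
        CmRegisterCallbackEx function.
        """

        if not has_distorm3:
            return

        symbol = "CmRegisterCallback"

        # Get the RVA of the symbol from NT's EAT
        symbol_rva = nt_mod.getprocaddress(symbol)
        if symbol_rva == None:
            return

        # Absolute VA to the symbol code
        symbol_address = symbol_rva + nt_mod.DllBase

        # Read the function prologue
        data = nt_mod.obj_vm.zread(symbol_address, 200)

        c = 0
        vector = None

        # Looking for MOV EBX, CmpCallBackVector
        # This may be the first or second MOV EBX instruction
        for op in distorm3.Decompose(symbol_address, data, distorm3.Decode32Bits):
            if (op.valid and op.mnemonic == "MOV"
                    and len(op.operands) == 2
                    and op.operands[0].name == 'EBX'):
                vector = op.operands[1].value
                if c == 1:
                    break
                else:
                    c += 1

        # Can't find the global variable
        if vector == None:
            return

        # The vector is an array of 100 _EX_FAST_REF objects
        addrs = obj.Object("Array", count = 100, offset = vector,
                vm = nt_mod.obj_vm, targetType = "_EX_FAST_REF")

        for addr in addrs:
            callback = addr.dereference_as("_EX_CALLBACK_ROUTINE_BLOCK")
            if callback:
                yield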
symbol, callback.Function, None @staticmethod def get_bugcheck_reason_callbacks(nt_mod): """ Enumerate Bugcheck Reason callbacks. Note: These structures don't exist in tagged pools, so we find them by locating the list head which is a non-exported NT symbol. The method works on all x86 versions of Windows. mov [eax+KBUGCHECK_REASON_CALLBACK_RECORD.Entry.Blink], \ offset _KeBugCheckReasonCallbackListHead """ symbol = "KeRegisterBugCheckReasonCallback" bits32 = nt_mod.obj_vm.profile.metadata.get("memory_model", "32bit") == "32bit" if bits32: hexbytes = "\xC7\x40\x04" else: hexbytes = "\x48\x8d\x0d" # Locate the symbol RVA symbol_rva = nt_mod.getprocaddress(symbol) if symbol_rva == None: return # Compute the absolute virtual address symbol_address = symbol_rva + nt_mod.DllBase data = nt_mod.obj_vm.zread(symbol_address, 200) # Search for the pattern offset = data.find(hexbytes) if offset == -1: return if bits32: p = obj.Object('Pointer', offset = symbol_address + offset + len(hexbytes), vm = nt_mod.obj_vm) bugs = p.dereference_as('_KBUGCHECK_REASON_CALLBACK_RECORD') else: v = obj.Object("int", offset = symbol_address + offset + len(hexbytes), vm = nt_mod.obj_vm) p = symbol_address + offset + 7 + v bugs = obj.Object("_KBUGCHECK_REASON_CALLBACK_RECORD", offset = p, vm = nt_mod.obj_vm) for l in bugs.Entry.list_of_type("_KBUGCHECK_REASON_CALLBACK_RECORD", "Entry"): if nt_mod.obj_vm.is_valid_address(l.CallbackRoutine): yield symbol, l.CallbackRoutine, l.Component.dereference() def calculate(self): addr_space = utils.load_as(self._config) bits32 = addr_space.profile.metadata.get("memory_model", "32bit") == "32bit" # Get the OS version we're analyzing version = (addr_space.profile.metadata.get('major', 0), addr_space.profile.metadata.get('minor', 0)) modlist = list(modules.lsmod(addr_space)) mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist) mod_addrs = sorted(mods.keys()) # Valid for Vista and later if version >= (6, 0): 
self.scanners.append(PoolScanDbgPrintCallback) self.scanners.append(PoolScanRegistryCallback) self.scanners.append(PoolScanPnp9) self.scanners.append(PoolScanPnpD) self.scanners.append(PoolScanPnpC) for objct in self.scan_results(addr_space): name = objct.obj_name if name == "_REGISTRY_CALLBACK": info = "CmRegisterCallback", objct.Function, None yield info, mods, mod_addrs elif name == "_DBGPRINT_CALLBACK": info = "DbgSetDebugPrintCallback", objct.Function, None yield info, mods, mod_addrs elif name == "_SHUTDOWN_PACKET": driver = objct.DeviceObject.dereference().DriverObject if not driver: continue index = devicetree.MAJOR_FUNCTIONS.index('IRP_MJ_SHUTDOWN') address = driver.MajorFunction[index] details = str(driver.DriverName or "-") info = "IoRegisterShutdownNotification", address, details yield info, mods, mod_addrs elif name == "_GENERIC_CALLBACK": info = "GenericKernelCallback", objct.Callback, None yield info, mods, mod_addrs elif name == "_NOTIFY_ENTRY_HEADER": # Dereference the driver object pointer driver = objct.DriverObject.dereference() driver_name = "" if driver: # Instantiate an object header for the driver name header = driver.get_object_header() if header.get_object_type() == "Driver": # Grab the object name driver_name = header.NameInfo.Name.v() info = objct.EventCategory, objct.CallbackRoutine, driver_name yield info, mods, mod_addrs elif name == "_NOTIFICATION_PACKET": info = "IoRegisterFsRegistrationChange", objct.NotificationRoutine, None yield info, mods, mod_addrs for info in self.get_kernel_callbacks(modlist[0]): yield info, mods, mod_addrs for info in self.get_bugcheck_callbacks(addr_space): yield info, mods, mod_addrs for info in self.get_bugcheck_reason_callbacks(modlist[0]): yield info, mods, mod_addrs # Valid for XP if bits32 and version == (5, 1): for info in self.get_registry_callbacks_legacy(modlist[0]): yield info, mods, mod_addrs def unified_output(self, data): return TreeGrid([("Type", str), ("Callback", Address), ("Module", str), 
("Details", str)], self.generator(data)) def generator(self, data): for (sym, cb, detail), mods, mod_addrs in data: module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb)) ## The original callbacks plugin searched driver objects ## if the owning module isn't found (Rustock.B). We leave that ## task up to the user this time, and will be incoporating ## some different module association methods later. if module: module_name = module.BaseDllName or module.FullDllName else: module_name = "UNKNOWN" yield (0, [str(sym), Address(cb), str(module_name), str(detail or "-")]) def render_text(self, outfd, data): self.table_header(outfd, [("Type", "36"), ("Callback", "[addrpad]"), ("Module", "20"), ("Details", ""), ]) for (sym, cb, detail), mods, mod_addrs in data: module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb)) ## The original callbacks plugin searched driver objects ## if the owning module isn't found (Rustock.B). We leave that ## task up to the user this time, and will be incoporating ## some different module association methods later. if module: module_name = module.BaseDllName or module.FullDllName else: module_name = "UNKNOWN" self.table_row(outfd, sym, cb, module_name, detail or "-") volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/impscan.py0000644000000000000000000003761213131215405024463 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (c) 2010 - 2012 Michael Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
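See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . #

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.plugins.taskmods as taskmods
import volatility.debug as debug
import volatility.win32.tasks as tasks
import volatility.win32.modules as modules
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

try:
    import distorm3
    has_distorm = True
except ImportError:
    has_distorm = False

class ImpScan(common.AbstractWindowsCommand):
    """Scan for calls to imported functions"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        # Define a new PID option instead of inheriting from
        # taskmods.DllList because this one cannot be a comma
        # separated list of PIDs.
        config.remove_option('PID')
        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Process ID (leave off to scan kernel memory)',
                          action = 'store', type = 'int')
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'EPROCESS offset (in hex) in the physical address space',
                          action = 'store', type = 'int')
        # The base address in kernel or process memory where
        # we begin scanning. This is an executable region with
        # assembly instructions like a .text or .code PE section.
        config.add_option('BASE', short_option = 'b', default = None,
                          help = 'Base address in process memory if --pid ' +
                          'is supplied, otherwise an address in kernel space',
                          action = 'store', type = 'int')
        # The size in bytes of data to scan from the base address.
        config.add_option('SIZE', short_option = 's', default = None,
                          help = 'Size of memory to scan',
                          action = 'store', type = 'int')

        ## FIXME. ImpScan currently does not work on wow64 processes.
        ## Add an option to override the profile's memory_model and
        ## allow 32bit disasm on x64 operating systems.

        # Maps an exported function name to the "module!function" it is
        # reported as (see _original_import)
        self.forwarded_imports = {
            "RtlGetLastWin32Error" : "kernel32.dll!GetLastError",
            "RtlSetLastWin32Error" : "kernel32.dll!SetLastError",
            "RtlRestoreLastWin32Error" : "kernel32.dll!SetLastError",
            "RtlAllocateHeap" : "kernel32.dll!HeapAlloc",
            "RtlReAllocateHeap" : "kernel32.dll!HeapReAlloc",
            "RtlFreeHeap" : "kernel32.dll!HeapFree",
            "RtlEnterCriticalSection" : "kernel32.dll!EnterCriticalSection",
            "RtlLeaveCriticalSection" : "kernel32.dll!LeaveCriticalSection",
            "RtlDeleteCriticalSection" : "kernel32.dll!DeleteCriticalSection",
            "RtlZeroMemory" : "kernel32.dll!ZeroMemory",
            "RtlSizeHeap" : "kernel32.dll!HeapSize",
            "RtlUnwind" : "kernel32.dll!RtlUnwind",
            }

    @staticmethod
    def enum_apis(all_mods):
        """Enumerate all exported functions from kernel
        or process space.

        @param all_mods: list of _LDR_DATA_TABLE_ENTRY

        To enum kernel APIs, all_mods is a list of drivers.
        To enum process APIs, all_mods is a list of DLLs.

        The function name is used if available, otherwise
        we take the ordinal value.

        Returns a dictionary that maps the absolute address of each
        export to a (module, name) tuple.
        """
        exports = {}

        for mod in all_mods:
            for ordinal, func_addr, func_name in mod.exports():
                # This value should only be None if its forwarded
                if func_addr != None:
                    name = func_name or ordinal or ''
                    exports[int(mod.DllBase + func_addr)] = (mod, str(name))

        return exports

    def _call_or_unc_jmp(self, op):
        """Determine if an instruction is a call or an
        unconditional jump

        @param op: a distorm3 Op object
        """
        return ((op.flowControl == 'FC_CALL' and
                op.mnemonic == "CALL") or
                (op.flowControl == 'FC_UNC_BRANCH' and
                op.mnemonic == "JMP"))

    def _vicinity_scan(self, addr_space, calls_imported, apis, base_address, data_len, forward):
        """Scan forward from the lowest IAT entry found or
        backward from the highest IAT entry found. We do this
        because not every imported function will be called
        from the code section and sometimes page(s) with the
        calls are unavailable.

        New entries are added to calls_imported in place.

        @param addr_space: an AS
        @param calls_imported: dictionary of confirmed imports
        @param apis: dictionary of exported functions in the AS
        @param base_address: memory base address
        @param data_len: size in bytes to check from base_address
        @param forward: the direction for the vicinity scan
        """

        sortedlist = sorted(calls_imported.keys())

        if not sortedlist:
            return

        size_of_address = addr_space.profile.get_obj_size("address")

        if forward:
            start_addr = sortedlist[0]
        else:
            start_addr = sortedlist[-1]

        # We stop scanning when the threshold reaches zero. This
        # value is decremented each invalid or duplicate API call
        # seen. It resets when a valid API call is seen.
        threshold = 5
        i = 0

        while threshold and i < 0x2000:
            if forward:
                next_addr = start_addr + (i * size_of_address)
            else:
                next_addr = start_addr - (i * size_of_address)

            call_dest = obj.Object("address", offset = next_addr, vm = addr_space).v()

            # Skip unreadable slots and pointers back into the scanned region
            if (not call_dest or
                    (call_dest > base_address and
                     call_dest < base_address + data_len)):
                threshold -= 1
                i += 1
                continue

            # Reset the threshold if we found a valid API call,
            # otherwise decrement the threshold by one
            # NOTE(review): calls_imported is keyed by IAT slot address, so
            # "call_dest not in calls_imported" compares a function address
            # with slot addresses - confirm this is the intended duplicate
            # check.
            if call_dest in apis and call_dest not in calls_imported:
                calls_imported[next_addr] = call_dest
                threshold = 5
            else:
                threshold -= 1

            i += 1

    def _original_import(self, mod_name, func_name):
        """Revert a forwarded import to the original module
        and function name.

        @param mod_name: current module name
        @param func_name: current function name
        """

        if func_name in self.forwarded_imports:
            return self.forwarded_imports[func_name].split("!")
        else:
            return mod_name, func_name

    def call_scan(self, addr_space, base_address, data):
        """Disassemble a block of data and yield possible
        calls to imported functions. We're looking for
        instructions such as these:

        x86:
            CALL DWORD [0x1000400]
            JMP  DWORD [0x1000400]

        x64:
            CALL QWORD [RIP+0x989d]

        On x86, the 0x1000400 address is an entry in the
        IAT or call table. It stores a DWORD which is the
        location of the API function being called.

        On x64, the 0x989d is a relative offset from the
        current instruction (RIP).

        Yields (instruction address, IAT location, call destination).

        @param addr_space: an AS to scan with
        @param base_address: memory base address
        @param data: buffer of data found at base_address
        """

        end_address = base_address + len(data)

        memory_model = addr_space.profile.metadata.get('memory_model', '32bit')

        if memory_model == '32bit':
            mode = distorm3.Decode32Bits
        else:
            mode = distorm3.Decode64Bits

        for op in distorm3.DecomposeGenerator(base_address, data, mode):

            if not op.valid:
                continue

            iat_loc = None

            if memory_model == '32bit':
                if (self._call_or_unc_jmp(op) and
                        op.operands[0].type == 'AbsoluteMemoryAddress'):
                    iat_loc = (op.operands[0].disp) & 0xffffffff
            else:
                if (self._call_or_unc_jmp(op) and
                        'FLAG_RIP_RELATIVE' in op.flags and
                        op.operands[0].type == 'AbsoluteMemory'):
                    iat_loc = op.address + op.size + op.operands[0].disp

            # Only IAT locations inside the scanned buffer are considered
            if (not iat_loc or
                    (iat_loc < base_address) or
                    (iat_loc > end_address)):
                continue

            # This is the address being called
            call_dest = obj.Object("address", offset = iat_loc, vm = addr_space)

            if call_dest == None:
                continue

            yield op.address, iat_loc, int(call_dest)

    def calculate(self):
        """Scan kernel or process memory for calls through IAT entries.

        Yields (IAT address, call destination, module, function name).
        """

        if not has_distorm:
            debug.error("You must install distorm3")

        addr_space = utils.load_as(self._config)

        all_mods = []

        if self._config.OFFSET != None:
            all_tasks = [taskmods.DllList.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            all_tasks = list(tasks.pslist(addr_space))
            all_mods = list(modules.lsmod(addr_space))

        # Operate in kernel mode if pid is not supplied
        if not self._config.PID and not self._config.OFFSET:
            if not self._config.BASE:
                debug.error("You must specify --BASE")

            base_address = self._config.BASE
            size_to_read = self._config.SIZE

            # Get the size from the module list if its not supplied
            if not size_to_read:
                for module in all_mods:
                    if module.DllBase == base_address:
                        size_to_read = module.SizeOfImage
                        break
                # Alternately, try the size from the PE header
                # NOTE(review): this SizeOfImage is read from the memory
                # image itself and is passed to zread() without an upper
                # bound; pass --SIZE when the header may not be trustworthy.
                if not size_to_read:
                    pefile = obj.Object("_IMAGE_DOS_HEADER",
                                        offset = base_address,
                                        vm = addr_space)
                    try:
                        nt_header = pefile.get_nt_header()
                        size_to_read = nt_header.OptionalHeader.SizeOfImage
                    except ValueError:
                        pass

                    if not size_to_read:
                        debug.error("You must specify --SIZE")

            kernel_space = tasks.find_space(addr_space,
                                    all_tasks, base_address)

            if not kernel_space:
                debug.error("Cannot read supplied address")

            data = kernel_space.zread(base_address, size_to_read)
            apis = self.enum_apis(all_mods)
            addr_space = kernel_space
        else:
            # In process mode, we find the process by PID
            task = None

            for atask in all_tasks:
                if self._config.OFFSET or atask.UniqueProcessId == self._config.PID:
                    task = atask
                    break

            if not task:
                debug.error("You must supply an active PID")

            task_space = task.get_process_address_space()

            if not task_space:
                debug.error("Cannot acquire process AS")

            all_mods = list(task.get_load_modules())

            # PEB is paged or no DLLs loaded
            if not all_mods:
                debug.error("Cannot load DLLs in process AS")

            # If an address is supplied with a size, try to get
            # the size from the vad node. If neither are supplied,
            # assume we should carve the main process executable.
            if self._config.BASE:
                base_address = self._config.BASE
                size_to_read = self._config.SIZE

                if not size_to_read:
                    for vad in task.VadRoot.traverse():
                        if base_address >= vad.Start and base_address <= vad.End:
                            size_to_read = vad.Length
                    if not size_to_read:
                        debug.error("You must specify --SIZE")
            else:
                # Its OK to blindly take the 0th element because the
                # executable is always the first module to load.
                base_address = all_mods[0].DllBase
                size_to_read = all_mods[0].SizeOfImage

            data = task_space.zread(base_address, size_to_read)
            apis = self.enum_apis(all_mods)
            addr_space = task_space

        # This is a dictionary of confirmed API calls.
        calls_imported = dict(
                (iat, call)
                for (_, iat, call) in self.call_scan(addr_space, base_address, data)
                if call in apis
                )

        # Scan forward
        self._vicinity_scan(addr_space,
                calls_imported, apis, base_address, len(data),
                forward = True)

        # Scan reverse
        self._vicinity_scan(addr_space,
                calls_imported, apis, base_address, len(data),
                forward = False)

        for iat, call in sorted(calls_imported.items()):
            yield iat, call, apis[call][0], apis[call][1]

    def unified_output(self, data):
        """Wrap the rows produced by generator() in a TreeGrid."""
        return TreeGrid([("IAT", Address),
                         ("Call", Address),
                         ("Module", str),
                         ("Function", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per resolved import."""
        for iat, call, mod, func in data:
            mod_name, func_name = self._original_import(
                                        str(mod.BaseDllName or ''),
                                        func)
            yield (0, [Address(iat), Address(call), str(mod_name), str(func_name)])

    def render_text(self, outfd, data):
        """Render as text"""

        self.table_header(outfd,
                        [("IAT", "[addrpad]"),
                         ("Call", "[addrpad]"),
                         ("Module", "20"),
                         ("Function", ""),
                        ])

        for iat, call, mod, func in data:
            mod_name, func_name = self._original_import(
                                        str(mod.BaseDllName or ''),
                                        func)

            self.table_row(outfd,
                           iat, call,
                           mod_name,
                           func_name)

    def render_idc(self, outfd, data):
        """Render as IDC

        Function names come from export tables in the memory image, so
        they are untrusted. Characters that could end the quoted IDC
        string (double quote, backslash, control characters) are replaced
        with '_' before the name is written into the script.
        """

        #outfd.write("#include \nstatic main(void) {\n")

        bits = None

        for iat, _, mod, func in data:

            if bits == None:
                bits = mod.obj_vm.profile.metadata.get("memory_model", "32bit")

            _, func_name = self._original_import(
                                        str(mod.BaseDllName or ''),
                                        func)

            # Keep the name inside its string literal in the generated script
            safe_name = "".join(
                "_" if (ch in '"\\' or ord(ch) < 0x20 or ord(ch) == 0x7f) else ch
                for ch in str(func_name))

            if bits == "32bit":
                outfd.write("MakeDword(0x{0:08X});\n".format(iat))
            else:
                outfd.write("MakeQword(0x{0:08X});\n".format(iat))

            outfd.write("MakeName(0x{0:08X}, \"{1}\");\n".format(iat, safe_name))

        #outfd.write("}")

volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/__init__.py0000644000000000000000000000000013131215405024545 0ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/psxview.py0000644000000000000000000004722113131215405024533 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (c)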
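2010, 2011, 2012 Michael Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . #

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.win32.tasks as tasks
import volatility.plugins.modscan as modscan
import volatility.plugins.filescan as filescan
import volatility.plugins.overlays.windows.windows as windows
import volatility.plugins.gui.sessions as sessions
import volatility.plugins.gui.windowstations as windowstations
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address
import volatility.debug as debug
import volatility.plugins.addrspaces.standard as standard

try:
    from openpyxl.workbook import Workbook
    from openpyxl.writer.excel import ExcelWriter
    from openpyxl.cell import get_column_letter
    from openpyxl.styles import Color, Fill, Style, PatternFill, Border, Side, Alignment, Protection, Font
    from openpyxl.cell import Cell
    from openpyxl import load_workbook
    has_openpyxl = True
except ImportError:
    has_openpyxl = False

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _PSP_CID_TABLE(windows._HANDLE_TABLE): #pylint: disable-msg=W0212
    """Subclass the Windows handle table object for parsing PspCidTable"""

    def get_item(self, entry, handle_value = 0):
        """Return the _OBJECT_HEADER for a table entry.

        The low three bits of the entry's object value are masked off and
        the offset of _OBJECT_HEADER.Body is subtracted to reach the
        header. handle_value is not used here.
        """

        p = obj.Object("address", entry.Object.v(), self.obj_vm)

        handle = obj.Object("_OBJECT_HEADER",
                offset = (p & ~7) -
                self.obj_vm.profile.get_obj_offset('_OBJECT_HEADER', 'Body'),
                vm = self.obj_vm)

        return handle

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class MalwarePspCid(obj.ProfileModification):
    # Registers _PSP_CID_TABLE and types KDBG's PspCidTable member with it
    before = ['WindowsOverlay', 'WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        # _PSP_CID_TABLE reuses the layout of _HANDLE_TABLE
        profile.vtypes.update({"_PSP_CID_TABLE" : profile.vtypes["_HANDLE_TABLE"]})
        profile.merge_overlay({"_KDDEBUGGER_DATA64" : [None,
            {'PspCidTable': [None,
                    ["pointer", ["pointer", ['_PSP_CID_TABLE']]]],
            }]})
        profile.object_classes.update({
            '_PSP_CID_TABLE': _PSP_CID_TABLE,
        })

#--------------------------------------------------------------------------------
# psxview plugin
#--------------------------------------------------------------------------------

class PsXview(common.AbstractWindowsCommand, sessions.SessionsMixin):
    "Find hidden processes with various process listings"

    def __init__(self, config, *args):
        common.AbstractWindowsCommand.__init__(self, config, *args)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
                          help = "Physical Offset", action = "store_true")
        config.add_option("APPLY-RULES", short_option = 'R', default = False,
                          help = "Apply known good rules", action = "store_true")

    @staticmethod
    def get_file_offset(process):
        """Translate a process object's offset down to the file layer, so
        that the same process found by different sources gets one key."""

        addr_space = process.obj_vm
        address = process.obj_offset

        # we're already at the file layer (i.e. psscan on a raw memory image)
        if isinstance(addr_space, standard.FileAddressSpace):
            return address

        paddr = addr_space.translate(address)
        offset = paddr

        addr_space = addr_space.base

        while not isinstance(addr_space, standard.FileAddressSpace):
            offset = addr_space.translate(offset)
            # device memory addresses won't translate, so restore the original value
            if offset == None:
                offset = paddr
                break
            addr_space = addr_space.base

        return offset

    def check_pslist(self, all_tasks):
        """Enumerate processes from PsActiveProcessHead"""
        return dict((PsXview.get_file_offset(p), p) for p in all_tasks)

    def check_psscan(self):
        """Enumerate processes with pool tag scanning"""
        return dict((PsXview.get_file_offset(p), p)
                    for p in filescan.PSScan(self._config).calculate())

    def check_thrdproc(self, _addr_space):
        """Enumerate processes indirectly by ETHREAD scanning"""
        ret = dict()

        for ethread in modscan.ThrdScan(self._config).calculate():
            # Threads with a non-zero exit time are skipped
            if ethread.ExitTime != 0:
                continue
            # Bounce back to the threads owner
            process = None
            if hasattr(ethread.Tcb, 'Process'):
                process = ethread.Tcb.Process.dereference_as('_EPROCESS')
            elif hasattr(ethread, 'ThreadsProcess'):
                process = ethread.ThreadsProcess.dereference()
            # Make sure the bounce succeeded
            if (process and process.ExitTime == 0 and
                    process.UniqueProcessId > 0 and
                    process.UniqueProcessId < 65535):
                ret[PsXview.get_file_offset(process)] = process

        return ret

    def check_sessions(self, addr_space):
        """Enumerate processes from session structures"""

        ret = dict()
        for session in self.session_spaces(addr_space):
            for process in session.processes():
                ret[PsXview.get_file_offset(process)] = process

        return ret

    def check_desktop_thread(self, addr_space):
        """Enumerate processes from desktop threads"""

        ret = dict()
        for windowstation in windowstations.WndScan(self._config).calculate():
            for desktop in windowstation.desktops():
                for thread in desktop.threads():
                    process = thread.ppi.Process.dereference()
                    if process == None:
                        continue
                    ret[PsXview.get_file_offset(process)] = process

        return ret

    def check_pspcid(self, addr_space):
        """Enumerate processes by walking the PspCidTable"""
        ret = dict()

        # Follow the pointers to the table base
        kdbg = tasks.get_kdbg(addr_space)
        PspCidTable = kdbg.PspCidTable.dereference().dereference()

        # Walk the handle table
        for handle in PspCidTable.handles():
            if handle.get_object_type() == "Process":
                process = handle.dereference_as("_EPROCESS")
                ret[PsXview.get_file_offset(process)] = process

        return ret

    def check_csrss_handles(self, all_tasks):
        """Enumerate processes using the csrss.exe handle table"""
        ret = dict()

        for p in all_tasks:
            if str(p.ImageFileName).lower() == "csrss.exe":
                # Gather the handles to process objects
                for handle in p.ObjectTable.handles():
                    if handle.get_object_type() == "Process":
                        process = handle.dereference_as("_EPROCESS")
                        ret[PsXview.get_file_offset(process)] = process

        return ret

    def _source_columns(self, offset, process, ps_sources):
        """Return the seven per-source column values for one process.

        The tuple is ordered like the output columns: pslist, psscan,
        thrdproc, pspcid, csrss, session, deskthrd. Each value is "True",
        "False" or, when APPLY_RULES marks an expected absence, "Okay".
        The psscan value is never rewritten by the rules.
        """
        incsrss = offset in ps_sources['csrss']
        insession = offset in ps_sources['session']
        indesktop = offset in ps_sources['deskthrd']
        inpspcid = offset in ps_sources['pspcid']
        inpslist = offset in ps_sources['pslist']
        inthread = offset in ps_sources['thrdproc']
        inpsscan = offset in ps_sources['psscan']

        if self._config.APPLY_RULES:
            # NOTE(review): the name rules match on ImageFileName only, so
            # any process carrying one of these names is shown as "Okay";
            # treat "Okay" as a triage hint rather than proof.
            name = str(process.ImageFileName).lower()
            if not incsrss and (name in ["system", "smss.exe", "csrss.exe"]
                                or process.ExitTime > 0):
                incsrss = "Okay"
            if not insession and (name in ["system", "smss.exe"]
                                  or process.ExitTime > 0):
                insession = "Okay"
            if not indesktop and (name in ["system", "smss.exe"]
                                  or process.ExitTime > 0):
                indesktop = "Okay"
            # For the remaining sources only an exited process is excused
            if not inpspcid and process.ExitTime > 0:
                inpspcid = "Okay"
            if not inpslist and process.ExitTime > 0:
                inpslist = "Okay"
            if not inthread and process.ExitTime > 0:
                inthread = "Okay"

        return (str(inpslist), str(inpsscan), str(inthread), str(inpspcid),
                str(incsrss), str(insession), str(indesktop))

    def calculate(self):
        """Gather every process source and yield each process once.

        Yields (file offset, process, ps_sources).
        """
        if self._config.OUTPUT == "xlsx" and not has_openpyxl:
            debug.error("You must install OpenPyxl 2.1.2 for xlsx format:\n\thttps://pypi.python.org/pypi/openpyxl")
        elif self._config.OUTPUT == "xlsx" and not self._config.OUTPUT_FILE:
            debug.error("You must specify an output *.xlsx file!\n\t(Example: --output-file=OUTPUT.xlsx)")

        addr_space = utils.load_as(self._config)

        all_tasks = list(tasks.pslist(addr_space))

        ps_sources = {}
        # The keys are names of process sources. The values
        # are dictionaries whose keys are physical process
        # offsets and the values are _EPROCESS objects.
        ps_sources['pslist'] = self.check_pslist(all_tasks)
        ps_sources['psscan'] = self.check_psscan()
        ps_sources['thrdproc'] = self.check_thrdproc(addr_space)
        ps_sources['csrss'] = self.check_csrss_handles(all_tasks)
        ps_sources['pspcid'] = self.check_pspcid(addr_space)
        ps_sources['session'] = self.check_sessions(addr_space)
        ps_sources['deskthrd'] = self.check_desktop_thread(addr_space)

        # Yield each offset the first time any source reports it; a set
        # replaces the list that was searched linearly for every offset
        seen_offsets = set()
        for source in ps_sources.values():
            for offset in source.keys():
                if offset not in seen_offsets:
                    seen_offsets.add(offset)
                    yield offset, source[offset], ps_sources

    def render_xlsx(self, outfd, data):
        """Write the results to the xlsx file named by OUTPUT_FILE.

        Source cells holding "False" are styled red, all others green.
        """
        BoldStyle = Style(font=Font(name='Calibri',
                 size=11,
                 bold=True,
                 italic=False,
                 vertAlign=None,
                 underline='none',
                 strike=False,
                 color='FFFFFFFF'),
                 fill=PatternFill(fill_type="solid",
                 start_color='FF000000',
                 end_color='FF000000'))
        RedStyle = Style(font=Font(name='Calibri',
                 size=11,
                 bold=False,
                 italic=False,
                 vertAlign=None,
                 underline='none',
                 strike=False,
                 color='FF000000'),
                 border=Border(left=Side(border_style="thick",
                                color='FF000000'),
                                right=Side(border_style="thick",
                                color='FF000000'),
                                top=Side(border_style="thick",
                                color='FF000000'),
                                bottom=Side(border_style="thick",
                                color='FF000000'),
                                diagonal=Side(border_style="thick",
                                color='FF000000'),
                                diagonal_direction=0,
                                outline=Side(border_style="thick",
                                color='FF000000'),
                                vertical=Side(border_style="thick",
                                color='FF000000'),
                                horizontal=Side(border_style="thick",
                                color='FF000000')),
                 fill=PatternFill(start_color = 'FFFF0000',
                                end_color = 'FFFF0000',
                                fill_type = 'solid'))
        GreenStyle = Style(font=Font(name='Calibri',
                 size=11,
                 bold=False,
                 italic=False,
                 vertAlign=None,
                 underline='none',
                 strike=False,
                 color='FF000000'),
                 fill=PatternFill(start_color = "FF00FF00",
                                end_color = "FF00FF00",
                                fill_type = "solid"))

        wb = Workbook(optimized_write = True)
        ws = wb.create_sheet()
        ws.title = "Psxview Output"
        ws.append(["Offset (P)", "Name", "PID", "pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd", "Exit Time"])
        total = 1
        for offset, process, ps_sources in data:
            (inpslist, inpsscan, inthread, inpspcid,
             incsrss, insession, indesktop) = self._source_columns(offset, process, ps_sources)

            ws.append([hex(offset),
                str(utils.remove_unprintable(str(process.ImageFileName)) or ""),
                str(process.UniqueProcessId),
                inpslist,
                inpsscan,
                inthread,
                inpspcid,
                incsrss,
                insession,
                indesktop,
                str(process.ExitTime or '')])
            total += 1
        wb.save(filename = self._config.OUTPUT_FILE)

        # Reopen the saved workbook to apply the cell styles
        wb = load_workbook(filename = self._config.OUTPUT_FILE)
        ws = wb.get_sheet_by_name(name = "Psxview Output")
        for col in xrange(1, 12):
            ws.cell("{0}{1}".format(get_column_letter(col), 1)).style = BoldStyle
        for row in xrange(2, total + 1):
            for col in xrange(4, 11):
                if ws.cell("{0}{1}".format(get_column_letter(col), row)).value == "False":
                    ws.cell("{0}{1}".format(get_column_letter(col), row)).style = RedStyle
                else:
                    ws.cell("{0}{1}".format(get_column_letter(col), row)).style = GreenStyle
        wb.save(filename = self._config.OUTPUT_FILE)

    def unified_output(self, data):
        """Wrap the rows produced by generator() in a TreeGrid."""
        return TreeGrid([("Offset(P)", Address),
                       ("Name", str),
                       ("PID", int),
                       ("pslist", str),
                       ("psscan", str),
                       ("thrdproc", str),
                       ("pspcid", str),
                       ("csrss", str),
                       ("session", str),
                       ("deskthrd", str),
                       ("ExitTime", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per process."""
        for offset, process, ps_sources in data:
            (inpslist, inpsscan, inthread, inpspcid,
             incsrss, insession, indesktop) = self._source_columns(offset, process, ps_sources)

            yield (0, [
                Address(offset),
                str(process.ImageFileName),
                int(process.UniqueProcessId),
                inpslist,
                inpsscan,
                inthread,
                inpspcid,
                incsrss,
                insession,
                indesktop,
                str(process.ExitTime or ''),
                ])

    def render_text(self, outfd, data):
        """Write one table row per process."""

        self.table_header(outfd, [('Offset(P)', '[addrpad]'),
                                  ('Name', '<20'),
                                  ('PID', '>6'),
                                  ('pslist', '5'),
                                  ('psscan', '5'),
                                  ('thrdproc', '5'),
                                  ('pspcid', '5'),
                                  ('csrss', '5'),
                                  ('session', '5'),
                                  ('deskthrd', '5'),
                                  ('ExitTime', ""),
                                  ])

        for offset, process, ps_sources in data:
            (inpslist, inpsscan, inthread, inpspcid,
             incsrss, insession, indesktop) = self._source_columns(offset, process, ps_sources)

            self.table_row(outfd,
                offset,
                process.ImageFileName,
                process.UniqueProcessId,
                inpslist,
                inpsscan,
                inthread,
                inpspcid,
                incsrss,
                insession,
                indesktop,
                str(process.ExitTime or ''),
                )

volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/servicediff.py0000644000000000000000000001556613131215405025326 0ustar rootroot# Volatility # Copyright (C) 2007-2015 Volatility Foundation # Copyright (c) 2015 Michael Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . #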
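#

import struct
import volatility.utils as utils
import volatility.obj as obj
import volatility.win32.tasks as tasks
import volatility.debug as debug
import volatility.plugins.malware.svcscan as svcscan
import volatility.win32.rawreg as rawreg
import volatility.plugins.registry.hivelist as hivelist

class ServiceDiff(svcscan.SvcScan):
    "List Windows services (ala Plugx)"

    @staticmethod
    def is_valid_profile(profile):
        """Accept only 32-bit Windows profiles."""
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('memory_model', '32bit') == '32bit')

    @staticmethod
    def services_from_registry(addr_space):
        """Enumerate services from the cached registry hive.

        Returns a dict mapping the lower-cased subkey name of every entry
        under ControlSet001\\Services to its registry key object. The dict
        is empty when no hive whose name ends in "system" is found or when
        the root or Services key cannot be opened.
        """

        services = {}
        plugin = hivelist.HiveList(addr_space.get_config())
        for hive in plugin.calculate():

            ## find the SYSTEM hive
            name = hive.get_name()
            if not name.lower().endswith("system"):
                continue

            ## get the root key
            hive_space = hive.address_space()
            root = rawreg.get_root(hive_space)

            if not root:
                break

            ## open the services key
            ## NOTE(review): ControlSet001 is hard-coded. On a system whose
            ## active control set is a different one (normally recorded under
            ## the hive's Select key), the comparison would run against a
            ## stale set -- confirm before relying on a clean result.
            key = rawreg.open_key(root, ["ControlSet001", "Services"])
            if not key:
                break

            ## build a dictionary of the key names
            for subkey in rawreg.subkeys(key):
                services[(str(subkey.Name).lower())] = subkey

            ## we don't need to keep trying
            break

        return services

    @staticmethod
    def services_from_memory_list(addr_space):
        """Enumerate services from walking the SCM's linked list.

        Locates services.exe, scans the first PE section for the
        ScInitDatabase signature to find the head of the service record
        list, then follows ServiceList.Flink. Returns a dict mapping the
        lower-cased service name to its _SERVICE_RECORD; the dict is empty
        for non-32-bit profiles or when any step fails.

        The memory image is untrusted input: every length and pointer read
        from it is treated as possibly truncated or hostile.
        """

        services = {}
        mem_model = addr_space.profile.metadata.get('memory_model', '32bit')

        if mem_model != "32bit":
            return {}

        ## find the service control manager process
        for process in tasks.pslist(addr_space):
            if str(process.ImageFileName) != "services.exe":
                continue

            ## create a DOS header at the process' image base address
            process_space = process.get_process_address_space()
            image_base = process.Peb.ImageBaseAddress
            dos_header = obj.Object("_IMAGE_DOS_HEADER",
                                offset = image_base,
                                vm = process_space)

            if not dos_header:
                debug.warning("Unable to parse DOS header")
                break

            ## the first section (.text) contains the values we need
            try:
                sections = list(dos_header.get_nt_header().get_sections())
                text_seg = sections[0]
            except ValueError:
                ## couldn't parse the PE header
                debug.warning("Could not parse the PE header")
                break
            except IndexError:
                ## no sections were found in the array
                debug.warning("No sections were found in the array")
                break

            ## acquire the text section's data
            virtual_address = text_seg.VirtualAddress + image_base
            data = process_space.zread(virtual_address, text_seg.Misc.VirtualSize)
            data_len = len(data)

            list_head = None

            ## look for the ScInitDatabase signature
            for offset in utils.iterfind(data, "\xA3"):

                ## the signature spans 26 bytes from the match; a hit nearer
                ## than that to the end of the buffer cannot be complete and
                ## indexing past the end would abort the whole plugin
                if offset + 25 >= data_len:
                    continue

                if not (data[offset + 5] == "\xA3" and
                            data[offset + 10] == "\xA3" and
                            data[offset + 15] == "\xA3" and
                            data[offset + 20] == "\xA3" and
                            data[offset + 25] == "\xE8"):
                    continue

                ## the beginning of the service database list
                list_head = obj.Object("unsigned long",
                                    offset = virtual_address + offset + 21,
                                    vm = process_space)

            ## unable to find the signature...means list walking won't work
            if not list_head:
                debug.warning("Unable to find the signature")
                break

            record = obj.Object("_SERVICE_RECORD",
                                offset = list_head,
                                vm = process_space)

            ## remember every record offset already visited so that a
            ## corrupted or tampered list that loops back on itself ends
            ## the walk instead of hanging the analysis
            visited = set()
            while record:
                if record.obj_offset in visited:
                    debug.warning("Service record list loops back on itself")
                    break
                visited.add(record.obj_offset)

                name = str(record.ServiceName.dereference() or '')
                name = name.lower()
                services[name] = record
                record = record.ServiceList.Flink.dereference()

        return services

    @staticmethod
    def compare(reg_list, mem_list):
        """Compare the services found in the registry with those in memory.

        Yields the registry key of each service that is present in
        reg_list, absent from mem_list, and has an ImagePath value.
        """

        ## the names of all services in only the registry list
        missing = set(reg_list.keys()) - set(mem_list.keys())

        for service in missing:
            ## the SCM only loads services with an ImagePath value so make
            ## sure to skip those entries, as they will not end up in memory
            has_imagepath = any(str(value.Name) == "ImagePath"
                                for value in rawreg.values(reg_list[service]))

            if has_imagepath:
                yield reg_list[service]

    def calculate(self):
        """Return the registry keys of services missing from the SCM list."""
        addr_space = utils.load_as(self._config)

        from_memory = ServiceDiff.services_from_memory_list(addr_space)
        if not from_memory:
            debug.error("Could not enumerate services from memory")

        from_registry = ServiceDiff.services_from_registry(addr_space)
        if not from_registry:
            debug.error("Could not enumerate services from the registry")

        return ServiceDiff.compare(from_registry, from_memory)

    def render_text(self, outfd, data):
        """Print each missing service followed by its registry values."""
        for subkey in data:
            outfd.write("\n{0:<20}: {1}\n".format("Missing service", subkey.Name))
            for value in rawreg.values(subkey):
                value_type, value_data = rawreg.value_data(value)
                outfd.write("{0:<20}: ({1}) {2}\n".format(value.Name, value_type, value_data))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/malware/devicetree.py0000644000000000000000000002562613131215405025152 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .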
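#

import re
import volatility.obj as obj
import volatility.plugins.filescan as filescan
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks
import volatility.utils as utils
import volatility.plugins.malware.malfind as malfind
import volatility.plugins.overlays.windows.windows as windows

#--------------------------------------------------------------------------------
# constants
#--------------------------------------------------------------------------------

# Names for the slots of a driver's MajorFunction table, in index order.
MAJOR_FUNCTIONS = [
    'IRP_MJ_CREATE',
    'IRP_MJ_CREATE_NAMED_PIPE',
    'IRP_MJ_CLOSE',
    'IRP_MJ_READ',
    'IRP_MJ_WRITE',
    'IRP_MJ_QUERY_INFORMATION',
    'IRP_MJ_SET_INFORMATION',
    'IRP_MJ_QUERY_EA',
    'IRP_MJ_SET_EA',
    'IRP_MJ_FLUSH_BUFFERS',
    'IRP_MJ_QUERY_VOLUME_INFORMATION',
    'IRP_MJ_SET_VOLUME_INFORMATION',
    'IRP_MJ_DIRECTORY_CONTROL',
    'IRP_MJ_FILE_SYSTEM_CONTROL',
    'IRP_MJ_DEVICE_CONTROL',
    'IRP_MJ_INTERNAL_DEVICE_CONTROL',
    'IRP_MJ_SHUTDOWN',
    'IRP_MJ_LOCK_CONTROL',
    'IRP_MJ_CLEANUP',
    'IRP_MJ_CREATE_MAILSLOT',
    'IRP_MJ_QUERY_SECURITY',
    'IRP_MJ_SET_SECURITY',
    'IRP_MJ_POWER',
    'IRP_MJ_SYSTEM_CONTROL',
    'IRP_MJ_DEVICE_CHANGE',
    'IRP_MJ_QUERY_QUOTA',
    'IRP_MJ_SET_QUOTA',
    'IRP_MJ_PNP'
]

# Maps a device object's DeviceType value to its symbolic name.
DEVICE_CODES = {
    0x00000027 : 'FILE_DEVICE_8042_PORT',
    0x00000032 : 'FILE_DEVICE_ACPI',
    0x00000029 : 'FILE_DEVICE_BATTERY',
    0x00000001 : 'FILE_DEVICE_BEEP',
    0x0000002a : 'FILE_DEVICE_BUS_EXTENDER',
    0x00000002 : 'FILE_DEVICE_CD_ROM',
    0x00000003 : 'FILE_DEVICE_CD_ROM_FILE_SYSTEM',
    0x00000030 : 'FILE_DEVICE_CHANGER',
    0x00000004 : 'FILE_DEVICE_CONTROLLER',
    0x00000005 : 'FILE_DEVICE_DATALINK',
    0x00000006 : 'FILE_DEVICE_DFS',
    0x00000035 : 'FILE_DEVICE_DFS_FILE_SYSTEM',
    0x00000036 : 'FILE_DEVICE_DFS_VOLUME',
    0x00000007 : 'FILE_DEVICE_DISK',
    0x00000008 : 'FILE_DEVICE_DISK_FILE_SYSTEM',
    0x00000033 : 'FILE_DEVICE_DVD',
    0x00000009 : 'FILE_DEVICE_FILE_SYSTEM',
    0x0000003a : 'FILE_DEVICE_FIPS',
    0x00000034 : 'FILE_DEVICE_FULLSCREEN_VIDEO',
    0x0000000a : 'FILE_DEVICE_INPORT_PORT',
    0x0000000b : 'FILE_DEVICE_KEYBOARD',
    0x0000002f : 'FILE_DEVICE_KS',
    0x00000039 : 'FILE_DEVICE_KSEC',
    0x0000000c : 'FILE_DEVICE_MAILSLOT',
    0x0000002d : 'FILE_DEVICE_MASS_STORAGE',
    0x0000000d : 'FILE_DEVICE_MIDI_IN',
    0x0000000e : 'FILE_DEVICE_MIDI_OUT',
    0x0000002b : 'FILE_DEVICE_MODEM',
    0x0000000f : 'FILE_DEVICE_MOUSE',
    0x00000010 : 'FILE_DEVICE_MULTI_UNC_PROVIDER',
    0x00000011 : 'FILE_DEVICE_NAMED_PIPE',
    0x00000012 : 'FILE_DEVICE_NETWORK',
    0x00000013 : 'FILE_DEVICE_NETWORK_BROWSER',
    0x00000014 : 'FILE_DEVICE_NETWORK_FILE_SYSTEM',
    0x00000028 : 'FILE_DEVICE_NETWORK_REDIRECTOR',
    0x00000015 : 'FILE_DEVICE_NULL',
    0x00000016 : 'FILE_DEVICE_PARALLEL_PORT',
    0x00000017 : 'FILE_DEVICE_PHYSICAL_NETCARD',
    0x00000018 : 'FILE_DEVICE_PRINTER',
    0x00000019 : 'FILE_DEVICE_SCANNER',
    0x0000001c : 'FILE_DEVICE_SCREEN',
    0x00000037 : 'FILE_DEVICE_SERENUM',
    0x0000001a : 'FILE_DEVICE_SERIAL_MOUSE_PORT',
    0x0000001b : 'FILE_DEVICE_SERIAL_PORT',
    0x00000031 : 'FILE_DEVICE_SMARTCARD',
    0x0000002e : 'FILE_DEVICE_SMB',
    0x0000001d : 'FILE_DEVICE_SOUND',
    0x0000001e : 'FILE_DEVICE_STREAMS',
    0x0000001f : 'FILE_DEVICE_TAPE',
    0x00000020 : 'FILE_DEVICE_TAPE_FILE_SYSTEM',
    0x00000038 : 'FILE_DEVICE_TERMSRV',
    0x00000021 : 'FILE_DEVICE_TRANSPORT',
    0x00000022 : 'FILE_DEVICE_UNKNOWN',
    0x0000002c : 'FILE_DEVICE_VDM',
    0x00000023 : 'FILE_DEVICE_VIDEO',
    0x00000024 : 'FILE_DEVICE_VIRTUAL_DISK',
    0x00000025 : 'FILE_DEVICE_WAVE_IN',
    0x00000026 : 'FILE_DEVICE_WAVE_OUT',
}

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _DRIVER_OBJECT(obj.CType, windows.ExecutiveObjectMixin):
    "Class for driver objects"

    def devices(self):
        "Enumerate the driver's device objects"
        # The chain is read from the memory image, so it may be corrupted
        # or deliberately circular; stop at the first offset seen twice.
        seen = set()
        device = self.DeviceObject.dereference()
        while device and device.obj_offset not in seen:
            seen.add(device.obj_offset)
            yield device
            device = device.NextDevice.dereference()

    def is_valid(self):
        "Valid when the base CType check passes and DriverStart is 0x1000-aligned"
        return (obj.CType.is_valid(self) and self.DriverStart % 0x1000 == 0)

class _DEVICE_OBJECT(obj.CType, windows.ExecutiveObjectMixin):
    "Class for device objects"

    def attached_devices(self):
        "Enumerate the device's attachees"
        # Same loop guard as _DRIVER_OBJECT.devices(): an AttachedDevice
        # chain that points back into itself must not hang the walk.
        seen = set()
        device = self.AttachedDevice.dereference()
        while device and device.obj_offset not in seen:
            seen.add(device.obj_offset)
            yield device
            device = device.AttachedDevice.dereference()

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class MalwareDrivers(obj.ProfileModification):
    "Registers the driver and device object classes for Windows profiles"
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows'}
    def modification(self, profile):
        profile.object_classes.update({
            '_DRIVER_OBJECT': _DRIVER_OBJECT,
            '_DEVICE_OBJECT': _DEVICE_OBJECT,
        })

#--------------------------------------------------------------------------------
# devicetree plugin
#--------------------------------------------------------------------------------

class DeviceTree(filescan.DriverScan):
    "Show device tree"

    def render_text(self, outfd, data):
        """Print each driver, its devices, and each device's attached devices.

        Attached devices are indented one extra "---" step per level.
        """

        for driver in data:
            header = driver.get_object_header()

            outfd.write("DRV 0x{0:08x} {1}\n".format(driver.obj_offset,
                        str(driver.DriverName or header.NameInfo.Name or '')))

            for device in driver.devices():

                # The object header sits in front of the object body
                device_header = obj.Object("_OBJECT_HEADER",
                    offset = device.obj_offset -
                    device.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body"),
                    vm = device.obj_vm,
                    native_vm = device.obj_native_vm
                )

                device_name = str(device_header.NameInfo.Name or '')

                outfd.write("---| DEV {0:#x} {1} {2}\n".format(
                            device.obj_offset,
                            device_name,
                            DEVICE_CODES.get(device.DeviceType.v(), "UNKNOWN")))

                level = 0

                for att_device in device.attached_devices():

                    device_header = obj.Object("_OBJECT_HEADER",
                        offset = att_device.obj_offset -
                        att_device.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body"),
                        vm = att_device.obj_vm,
                        native_vm = att_device.obj_native_vm
                    )

                    device_name = str(device_header.NameInfo.Name or '')
                    name = (device_name + " - " +
                            str(att_device.DriverObject.DriverName or ''))

                    outfd.write("------{0}| ATT {1:#x} {2} {3}\n".format(
                                "---" * level,
                                att_device.obj_offset,
                                name,
                                DEVICE_CODES.get(att_device.DeviceType.v(), "UNKNOWN")))

                    level += 1

#--------------------------------------------------------------------------------
# driverirp plugin
#--------------------------------------------------------------------------------

class DriverIrp(filescan.DriverScan):
    "Driver IRP hook detection"

    def __init__(self, config, *args, **kwargs):
        filescan.DriverScan.__init__(self, config, *args, **kwargs)
        config.add_option("REGEX", short_option = 'r', type = 'str',
                          action = 'store',
                          help = 'Analyze drivers matching REGEX')

    def render_text(self, outfd, data):
        """Print every driver's MajorFunction table with the owning module.

        A handler that resolves to no loaded module is reported with the
        module name "Unknown"; those rows are the ones to examine first
        when looking for hooked dispatch routines. With the verbose option
        set, the first 64 bytes at each handler are disassembled as well.
        """

        addr_space = utils.load_as(self._config)

        # Compile the regular expression for filtering by driver name
        if self._config.regex != None:
            mod_re = re.compile(self._config.regex, re.I)
        else:
            mod_re = None

        mods = dict((addr_space.address_mask(mod.DllBase), mod)
                    for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        bits = addr_space.profile.metadata.get('memory_model', '32bit')

        self.table_header(None, [('i', ">4"),
                                 ('Funcs', "36"),
                                 ('addr', '[addrpad]'),
                                 ('name', '')
                                 ])

        for driver in data:

            header = driver.get_object_header()

            driver_name = str(header.NameInfo.Name or '')
            # Continue if a regex was supplied and it doesn't match
            # (the original tested the same expression twice)
            if mod_re != None:
                if not mod_re.search(driver_name):
                    continue

            # Write the standard header for each driver object
            outfd.write("{0}\n".format("-" * 50))
            outfd.write("DriverName: {0}\n".format(driver_name))
            outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
            outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
            outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))

            # Write the address and owner of each IRP function
            for i, function in enumerate(driver.MajorFunction):
                function = driver.MajorFunction[i]
                module = tasks.find_module(mods, mod_addrs,
                                           addr_space.address_mask(function))
                if module:
                    module_name = str(module.BaseDllName or '')
                else:
                    module_name = "Unknown"
                # This is where we check for inline hooks once the
                # ApiHooks plugin is ported to 2.1.
                self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)

                if self._config.verbose:
                    # Distinct names here: the original reused `data` and
                    # `i`, shadowing the driver iterable and the slot index.
                    code = addr_space.zread(function, 64)
                    outfd.write("\n".join(
                        ["{0:#x} {1:<16} {2}".format(o, h, ins)
                        for o, ins, h in malfind.Disassemble(data = code,
                            start = function, bits = bits, stoponret = True)
                    ]))
                    outfd.write("\n")
volatility_2.6+git20170711.b3db0cc/volatility/plugins/modules.py0000644000000000000000000001117213131215405023042 0ustar rootroot
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .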
#

#pylint: disable-msg=C0111

from volatility import renderers
import volatility.plugins.common as common
import volatility.cache as cache
from volatility.renderers.basic import Address, Hex
import volatility.win32 as win32
import volatility.utils as utils

class Modules(common.AbstractWindowsCommand):
    """Print list of loaded modules"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P',
                          default = False, cache_invalidator = False,
                          help = "Physical Offset", action = "store_true")

    def generator(self, data):
        """Yield one TreeGrid row per module: offset, name, base, size, file."""
        for module in data:
            # Report the physical offset only when the option asks for it
            if self._config.PHYSICAL_OFFSET:
                offset = module.obj_vm.vtop(module.obj_offset)
            else:
                offset = module.obj_offset
            row = [Address(offset),
                   str(module.BaseDllName or ''),
                   Address(module.DllBase),
                   Hex(module.SizeOfImage),
                   str(module.FullDllName or '')]
            yield (0, row)

    def unified_output(self, data):
        """Build the TreeGrid; the first column is labelled (V) or (P)."""
        if self._config.PHYSICAL_OFFSET:
            offsettype = "(P)"
        else:
            offsettype = "(V)"
        columns = [("Offset{0}".format(offsettype), Address),
                   ("Name", str),
                   ('Base', Address),
                   ('Size', Hex),
                   ('File', str)]
        tg = renderers.TreeGrid(columns, self.generator(data))
        return tg

    def render_text(self, outfd, data):
        """Write the module list as a text table."""
        if self._config.PHYSICAL_OFFSET:
            offsettype = "(P)"
        else:
            offsettype = "(V)"
        self.table_header(outfd,
                          [("Offset{0}".format(offsettype), "[addrpad]"),
                           ("Name", "20"),
                           ('Base', "[addrpad]"),
                           ('Size', "[addr]"),
                           ('File', "")
                           ])

        for module in data:
            if self._config.PHYSICAL_OFFSET:
                offset = module.obj_vm.vtop(module.obj_offset)
            else:
                offset = module.obj_offset
            self.table_row(outfd,
                           offset,
                           str(module.BaseDllName or ''),
                           module.DllBase,
                           module.SizeOfImage,
                           str(module.FullDllName or ''))

    @cache.CacheDecorator("tests/lsmod")
    def calculate(self):
        """Load the address space and return the lsmod() module listing."""
        addr_space = utils.load_as(self._config)
        return win32.modules.lsmod(addr_space)

class UnloadedModules(common.AbstractWindowsCommand):
    """Print list of unloaded modules"""

    def unified_output(self, data):
        """Build a TreeGrid of name, start address, end address and time."""

        def generator(data):
            for drv in data:
                row = [str(drv.Name),
                       Address(drv.StartAddress),
                       Address(drv.EndAddress),
                       str(drv.CurrentTime)]
                yield (0, row)

        columns = [("Name", str),
                   ('StartAddress', Address),
                   ('EndAddress', Address),
                   ('Time', str)]
        return renderers.TreeGrid(columns, generator(data))

    def render_text(self, outfd, data):
        """Write the unloaded-driver list as a text table."""
        self.table_header(outfd, [
                           ("Name", "20"),
                           ('StartAddress', "[addrpad]"),
                           ('EndAddress', "[addrpad]"),
                           ('Time', "")])

        for drv in data:
            self.table_row(outfd, drv.Name, drv.StartAddress,
                           drv.EndAddress, drv.CurrentTime)

    def calculate(self):
        """Yield each entry of the array behind the KDBG MmUnloadedDrivers pointer."""
        addr_space = utils.load_as(self._config)

        kdbg = win32.tasks.get_kdbg(addr_space)

        # MmUnloadedDrivers is dereferenced twice before iteration
        unloaded = kdbg.MmUnloadedDrivers.dereference().dereference()
        for drv in unloaded:
            yield drv
volatility_2.6+git20170711.b3db0cc/volatility/plugins/kpcrscan.py0000644000000000000000000001630313131215405023177 0ustar rootroot
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
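#

"""
@author: Bradley Schatz
@license: GNU General Public License 2.0
@contact: bradley@schatzforensic.com.au
@organization: Schatz Forensic
"""

import struct
import volatility.utils as utils
import volatility.scan as scan
import volatility.cache as cache
import volatility.plugins.common as common
import volatility.obj as obj
import volatility.plugins.addrspaces.intel as intel
import volatility.plugins.addrspaces.amd64 as amd64

class KPCRScan(common.AbstractWindowsCommand):
    """Search for and dump potential KPCR values"""

    meta_info = dict(
        author = 'Bradley Schatz',
        copyright = 'Copyright (c) 2010 Bradley Schatz',
        contact = 'bradley@schatzforensic.com.au',
        license = 'GNU General Public License 2.0',
        url = 'http://www.schatzforensic.com.au/',
        os = 'WIN_32_VISTA_SP0',
        version = '1.0',
        )

    @staticmethod
    def register_options(config):
        config.add_option('KPCR', short_option = 'k', default = None, type = 'int',
                          help = "Specify a specific KPCR address")

    @cache.CacheDecorator("tests/kpcrscan")
    def calculate(self):
        """Scan the address space and yield a _KPCR object for every hit."""
        addr_space = utils.load_as(self._config, astype = 'any')

        scanner = KPCRScanner()
        for offset in scanner.scan(addr_space):
            kpcr = obj.Object("_KPCR", offset = offset, vm = addr_space)
            yield kpcr

    def render_text(self, outfd, data):
        """Renders the KPCR values as text"""

        for kpcr in data:
            outfd.write("*" * 50 + "\n")

            # Only a paged address space can translate virtual to physical
            if hasattr(kpcr.obj_vm, 'vtop'):
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (V)", kpcr.obj_offset))
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (P)", kpcr.obj_vm.vtop(kpcr.obj_offset)))
            else:
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (P)", kpcr.obj_offset))

            outfd.write("{0:<30}: {1:#x}\n".format("KdVersionBlock", kpcr.KdVersionBlock))

            outfd.write("{0:<30}: {1:#x}\n".format("IDT", kpcr.IDT))
            outfd.write("{0:<30}: {1:#x}\n".format("GDT", kpcr.GDT))

            # The three per-processor thread pointers share one output format
            threads = [
                ("CurrentThread",
                 kpcr.ProcessorBlock.CurrentThread.dereference_as("_ETHREAD")),
                ("IdleThread",
                 kpcr.ProcessorBlock.IdleThread.dereference_as("_ETHREAD")),
                ("NextThread",
                 kpcr.ProcessorBlock.NextThread.dereference_as("_ETHREAD")),
            ]

            for label, thread in threads:
                if thread:
                    outfd.write("{0:<30}: {1:#x} TID {2} ({3}:{4})\n".format(
                        label,
                        thread.obj_offset,
                        thread.Cid.UniqueThread,
                        thread.owning_process().ImageFileName,
                        thread.Cid.UniqueProcess,
                        ))

            outfd.write("{0:<30}: CPU {1} ({2} @ {3} MHz)\n".format("Details",
                kpcr.ProcessorBlock.Number,
                kpcr.ProcessorBlock.VendorString,
                kpcr.ProcessorBlock.MHz))

            outfd.write("{0:<30}: {1:#x}\n".format("CR3/DTB",
                kpcr.ProcessorBlock.ProcessorState.SpecialRegisters.Cr3))

class KPCRScannerCheck(scan.ScannerCheck):
    """Checks the self referential pointers to find KPCRs"""

    def __init__(self, address_space):
        scan.ScannerCheck.__init__(self, address_space)
        kpcr = obj.Object("_KPCR", vm = self.address_space, offset = 0)
        if address_space.profile.metadata.get('memory_model', '') == '32bit':
            self.SelfPcr_offset = kpcr.SelfPcr.obj_offset
            self.Prcb_offset = kpcr.Prcb.obj_offset
            self.PrcbData_offset = kpcr.PrcbData.obj_offset
            # In the check() routine, we need to compare masked virtual
            # addresses, but self.address_space is a BufferAddressSpace.
            # NOTE(review): the 32-bit branch takes the AMD64 comparison and
            # the x64 branch below takes the IA32 one, which reads as
            # swapped -- confirm against the address space classes before
            # changing, since a wrong comparison would make KPCRs go unfound.
            self.address_equality = amd64.AMD64PagedMemory.address_equality
        else:
            # The self-referencing member of _KPCR is Self on x64
            self.SelfPcr_offset = kpcr.Self.obj_offset
            # The pointer to _KPRCB is CurrentPrcb on x64
            self.Prcb_offset = kpcr.CurrentPrcb.obj_offset
            # The nested _KPRCB in Prcb on x64
            self.PrcbData_offset = kpcr.Prcb.obj_offset
            self.address_equality = intel.IA32PagedMemory.address_equality
        self.KPCR = None

    def check(self, offset):
        """ We check that _KCPR.pSelfPCR points to the start of the _KCPR struct

        Returns True, and records the self pointer in self.KPCR, when the
        self pointer equals offset and the PRCB pointer equals the address
        of the embedded PRCB data; returns False otherwise, including when
        reading either pointer raises.
        """
        paKCPR = offset
        paPRCBDATA = offset + self.PrcbData_offset

        try:
            pSelfPCR = obj.Object('Pointer', offset = (offset + self.SelfPcr_offset), vm = self.address_space)
            pPrcb = obj.Object('Pointer', offset = (offset + self.Prcb_offset), vm = self.address_space)
            if self.address_equality(pSelfPCR, paKCPR) and self.address_equality(pPrcb, paPRCBDATA):
                self.KPCR = pSelfPCR
                return True

        except Exception:
            # Was `except BaseException`, which also swallowed
            # KeyboardInterrupt and SystemExit, so a long scan could not be
            # interrupted while a candidate was being checked.
            return False

        return False

    # make the scan DWORD aligned
    def skip(self, data, offset):
        """Advance the scan by four bytes.

        The original body continued with a byte-search heuristic after
        `return 4`; it could never run and has been dropped.
        """
        return 4

class KPCRScanner(scan.BaseScanner):
    checks = [ ("KPCRScannerCheck", {})
               ]

    def scan(self, address_space, offset = 0, maxlen = None):
        """Scan from the larger of offset and 0x80000000."""
        return scan.BaseScanner.scan(self, address_space, max(offset, 0x80000000), maxlen)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/hibinfo.py0000644000000000000000000000565613131215405023022 0ustar rootroot
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.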
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.debug as debug
import volatility.cache as cache
import volatility.win32.tasks as tasks

class HibInfo(common.AbstractWindowsCommand):
    """Dump hibernation file information"""

    @cache.CacheDecorator("tests/hibinfo")
    def calculate(self):
        """Find the hibernation-file layer in the address space stack.

        Walks from the loaded address space down through each `base` and,
        for a layer whose class is named WindowsHiberFileSpace32, collects
        its header, special registers, the first non-empty PEB from the
        process list, and the layer itself. Calls debug.error() when no
        such layer exists.
        """
        addr_space = utils.load_as(self._config)

        result = None
        layer = addr_space
        while layer:
            if layer.__class__.__name__ == 'WindowsHiberFileSpace32':
                sr = layer.ProcState.SpecialRegisters

                peb = obj.NoneObject("Cannot locate a valid PEB")

                # Find the PEB by cycling through processes. This method works
                # on all versions of Windows x86 and x64.
                for task in tasks.pslist(addr_space):
                    if task.Peb:
                        peb = task.Peb
                        break

                result = {'header': layer.get_header(),
                          'sr': sr,
                          'peb': peb,
                          'adrs': layer }
            layer = layer.base

        if result is None:
            debug.error("Memory Image could not be identified or did not contain hiberation information")

        return result

    def render_text(self, outfd, data):
        """Renders the hiberfil header as text"""

        hdr, sr, peb = data['header'], data['sr'], data['peb']
        emit = outfd.write

        emit("PO_MEMORY_IMAGE:\n")
        emit(" Signature: {0}\n".format(hdr.Signature))
        emit(" SystemTime: {0}\n".format(hdr.SystemTime))

        emit("\nControl registers flags\n")
        emit(" CR0: {0:08x}\n".format(sr.Cr0))
        # bit 31 of CR0 is the paging flag
        emit(" CR0[PAGING]: {0}\n".format((sr.Cr0 >> 31) & 1))
        emit(" CR3: {0:08x}\n".format(sr.Cr3))
        emit(" CR4: {0:08x}\n".format(sr.Cr4))
        # bits 4 and 5 of CR4 are PSE and PAE
        emit(" CR4[PSE]: {0}\n".format((sr.Cr4 >> 4) & 1))
        emit(" CR4[PAE]: {0}\n".format((sr.Cr4 >> 5) & 1))

        emit("\nWindows Version is {0}.{1} ({2})\n\n".format(peb.OSMajorVersion, peb.OSMinorVersion, peb.OSBuildNumber))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/ssdt.py0000644000000000000000000003711513131215405022354 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
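#
"""
@author:       AAron Walters and Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

from operator import itemgetter
import volatility.obj as obj
import volatility.win32.tasks as tasks
import volatility.win32.modules as modules
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.plugins.malware.apihooks as apihooks
import volatility.debug as debug #pylint: disable-msg=W0611
from volatility.cache import CacheDecorator
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

#pylint: disable-msg=C0111

def find_tables(start_addr, vm):
    """
    This function finds the RVAs to KeServiceDescriptorTable
    and KeServiceDescriptorTableShadow in the NT module.

    @param start_addr: virtual address of KeAddSystemServiceTable
    @param vm: kernel address space

    @returns: list of the displacements found; the caller adds the
    NT module base to each of them.

    We're looking for two instructions like this:

    //if (KeServiceDescriptorTable[i].Base)
    4B 83 BC 1A 40 88 2A 00 00    cmp qword ptr [r10+r11+2A8840h], 0
    //if (KeServiceDescriptorTableShadow[i].Base)
    4B 83 BC 1A 80 88 2A 00 00    cmp qword ptr [r10+r11+2A8880h], 0

    In the example, 2A8840h is the RVA of KeServiceDescriptorTable
    and 2A8880h is the RVA of KeServiceDescriptorTableShadow. The
    exported KeAddSystemServiceTable is a very small function (about
    120 bytes at the most) and the two instructions appear very
    early, which reduces the possibility of false positives.

    If distorm3 is installed, we use it to decompose instructions
    in x64 format. If distorm3 is not available, we use Volatility's
    object model as a very simple and generic instruction parser.
    """
    service_tables = []

    try:
        import distorm3
        use_distorm = True
    except ImportError:
        use_distorm = False

    # Only the first 120 bytes of the function are examined (see docstring).
    function_size = 120

    if use_distorm:
        data = vm.zread(start_addr, function_size)
        for op in distorm3.DecomposeGenerator(start_addr, data, distorm3.Decode64Bits):
            # Stop decomposing if we reach the function end
            if op.flowControl == 'FC_RET':
                break
            # Looking for a 9-byte CMP instruction whose first operand
            # has a 32-bit displacement and second operand is zero
            # NOTE(review): the test below reads operands[0].value, not
            # operands[1] as the comment above suggests - confirm intent.
            if op.mnemonic == 'CMP' and op.size == 9 and op.operands[0].dispSize == 32 and op.operands[0].value == 0:
                # The displacement is the RVA we want
                service_tables.append(op.operands[0].disp)
            elif op.mnemonic == 'LEA' and op.size == 7 and op.operands[1].dispSize == 32 and op.operands[1].disp > 0:
                service_tables.append(op.operands[1].disp)
    else:
        # Minimal 9-byte overlay: 4 opcode bytes, a 32-bit displacement
        # and the trailing byte that is compared against zero.
        vm.profile.add_types({
            '_INSTRUCTION' : [ 9, {
                'opcode' : [ 0, ['String', dict(length = 4)]],
                'disp' : [ 4, ['int']],
                'value' : [ 8, ['unsigned char']],
            }]})
        # The variations assume (which happens to be correct on all OS)
        # that volatile registers are used in the CMP QWORD instruction.
        # All combinations of volatile registers (rax, rcx, rdx, r8-r11)
        # will result in one of the variations in this list.
        ops_list = [
            "\x4B\x83\xBC", # r10, r11
            "\x48\x83\xBC", # rax, rcx
            "\x4A\x83\xBC", # rax, r8
            "\x48\x8D\x8B", # win8x64 LEA RCX, [EBX+??????]
            ]
        # Slide the overlay one byte at a time across the function body.
        for i in range(function_size):
            op = obj.Object("_INSTRUCTION", offset = start_addr + i, vm = vm)
            if op.value == 0:
                for s in ops_list:
                    if op.opcode.v().startswith(s):
                        service_tables.append(op.disp)

    return service_tables

class SSDT(common.AbstractWindowsCommand):
    "Display SSDT entries"
    # Each service-table entry is reported with the loaded module whose
    # address range contains it. An entry that falls in no loaded module
    # is reported with owner "UNKNOWN"; with --verbose on x86 profiles the
    # first instructions of each resolved entry are also passed to the
    # apihooks inline-hook check.

    # Declare meta information associated with this plugin
    meta_info = {
        'author': 'Brendan Dolan-Gavitt',
        'copyright': 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        'contact': 'bdolangavitt@wesleyan.edu',
        'license': 'GNU General Public License 2.0',
        'url': 'http://moyix.blogspot.com/',
        'os': 'WIN_32_XP_SP2',
        'version': '1.0'}

    @CacheDecorator("tests/ssdt")
    def calculate(self):
        """Locate the service descriptor tables in the image.

        Yields one (index, table address, entry count, address space,
        module map, sorted module bases) tuple per unique table found.
        """
        addr_space = utils.load_as(self._config)

        ## Get a sorted list of module addresses
        # The module list is walked once and reused for the NT module lookup.
        mod_list = list(modules.lsmod(addr_space))
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in mod_list)
        mod_addrs = sorted(mods.keys())

        ssdts = set()

        if addr_space.profile.metadata.get('memory_model', '32bit') == '32bit':
            # Gather up all SSDTs referenced by threads
            print("[x86] Gathering all referenced SSDTs from KTHREADs...")
            for proc in tasks.pslist(addr_space):
                for thread in proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
                    ssdt_obj = thread.Tcb.ServiceTable.dereference_as('_SERVICE_DESCRIPTOR_TABLE')
                    ssdts.add(ssdt_obj)
        else:
            print("[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable...")
            # The NT module always loads first
            if not mod_list:
                # Previously an IndexError; tell the analyst why nothing is listed.
                debug.warning("Cannot locate the NT module: the loaded module list is empty")
                return
            ntos = mod_list[0]
            func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
            # '== None' is kept on purpose: the lookup result is compared by
            # value, as elsewhere in this file.
            if func_rva == None:
                # Raising StopIteration here ended the generator silently and
                # dropped the message, so an empty listing looked like a clean
                # result. Report the failure instead, then stop.
                debug.warning("Cannot locate KeAddSystemServiceTable")
                return
            KeAddSystemServiceTable = ntos.DllBase + func_rva
            for table_rva in find_tables(KeAddSystemServiceTable, addr_space):
                ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", ntos.DllBase + table_rva, addr_space)
                ssdts.add(ssdt_obj)

        # Get a list of *unique* SSDT entries. Typically we see only two.
        tables = set()

        for ssdt_obj in ssdts:
            for i, desc in enumerate(ssdt_obj.Descriptors):
                # Apply some extra checks - KiServiceTable should reside in kernel memory and ServiceLimit
                # should be greater than 0 but not unbelievably high
                if not desc.is_valid() or desc.ServiceLimit <= 0 or desc.ServiceLimit >= 0xFFFF or desc.KiServiceTable <= 0x80000000:
                    break
                else:
                    tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))

        print("Finding appropriate address space for tables...")
        tables_with_vm = []
        procs = list(tasks.pslist(addr_space))
        for idx, table, n in tables:
            vm = tasks.find_space(addr_space, procs, table)
            if vm:
                tables_with_vm.append((idx, table, n, vm))
            else:
                debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))

        for idx, table, n, vm in sorted(tables_with_vm, key = itemgetter(0)):
            yield idx, table, n, vm, mods, mod_addrs

    def unified_output(self, data):
        """Build the TreeGrid; --verbose adds the two inline-hook columns."""
        columns = [("Table", str),
                   ("TableOffset", Address),
                   ("NumEntries", int),
                   ("Entry", Address),
                   ("Addr", Address),
                   ("Function", str),
                   ("Owner", str)]
        if self._config.VERBOSE:
            columns += [("Destination", Address),
                        ("HookName", str)]
        return TreeGrid(columns, self.generator(data))

    def _ssdt_entry_info(self, addr_space, syscalls, bits32, idx, table, i, vm, mods, mod_addrs):
        """Resolve entry i of a table to (address, name, owning module, owner name)."""
        if bits32:
            # These are absolute function addresses in kernel memory.
            syscall_addr = obj.Object('address', table + (i * 4), vm).v()
        else:
            # These must be signed long for x64 because they are RVAs relative
            # to the base of the table and can be negative.
            offset = obj.Object('long', table + (i * 4), vm).v()
            # The low 4 bits of the stored value are discarded by the shift.
            syscall_addr = table + (offset >> 4)
        try:
            syscall_name = syscalls[idx][i]
        except IndexError:
            syscall_name = "UNKNOWN"

        syscall_mod = tasks.find_module(mods, mod_addrs, addr_space.address_mask(syscall_addr))
        if syscall_mod:
            syscall_modname = syscall_mod.BaseDllName
        else:
            # The address is not inside any module from the loaded module list.
            syscall_modname = "UNKNOWN"
        return syscall_addr, syscall_name, syscall_mod, syscall_modname

    def _ssdt_inline_hook(self, syscall_addr, syscall_mod, vm, mods, mod_addrs):
        """Return (destination, hooking module name) for an inline hook, else None."""
        ## leverage this static method from apihooks
        ret = apihooks.ApiHooks.check_inline(va = syscall_addr, addr_space = vm,
                                mem_start = syscall_mod.DllBase,
                                mem_end = syscall_mod.DllBase + syscall_mod.SizeOfImage)
        ## could not analyze the memory
        if ret == None:
            return None
        (hooked, _data, dest_addr) = ret
        ## the function isn't hooked
        if not hooked:
            return None
        ## we found a hook, try to resolve the hooker. no mask required because
        ## we currently only work on x86 anyway
        hook_mod = tasks.find_module(mods, mod_addrs, dest_addr)
        if hook_mod:
            hook_name = hook_mod.BaseDllName
        else:
            hook_name = "UNKNOWN"
        return dest_addr, hook_name

    def generator(self, data):
        """Yield one TreeGrid row per service-table entry.

        In verbose mode every entry yields a nine-column row. Rows for
        entries that were not, or could not be, checked for an inline hook
        carry Address(0) and "NotInline", the marker already used when the
        memory could not be analyzed.
        """
        addr_space = utils.load_as(self._config)
        syscalls = addr_space.profile.syscalls
        bits32 = addr_space.profile.metadata.get('memory_model', '32bit') == '32bit'
        verbose = self._config.VERBOSE

        # Print out the entries for each table
        for idx, table, n, vm, mods, mod_addrs in data:
            table_name = "SSDT[{0}]".format(idx)
            table_offset = Address(table)
            num_entries = int(n)
            for i in range(n):
                (syscall_addr, syscall_name,
                 syscall_mod, syscall_modname) = self._ssdt_entry_info(
                    addr_space, syscalls, bits32, idx, table, i, vm, mods, mod_addrs)

                row = [table_name,
                       table_offset,
                       num_entries,
                       Address(idx * 0x1000 + i),
                       Address(syscall_addr),
                       str(syscall_name),
                       str(syscall_modname)]

                if not verbose:
                    yield (0, row)
                    continue

                # Verbose rows used to be emitted only when the inline check
                # ran, so x64 images and entries owned by no known module
                # vanished from the grid. Those entries are now always
                # reported, as render_text does.
                dest_addr, hook_name = 0, "NotInline"

                ## check for inline hooks if we're analyzing an x86 model
                ## system and the syscall_mod is available
                if bits32 and syscall_mod is not None:
                    hook = self._ssdt_inline_hook(syscall_addr, syscall_mod, vm, mods, mod_addrs)
                    if hook is not None:
                        dest_addr, hook_name = hook

                yield (0, row + [Address(dest_addr), str(hook_name)])

    def render_text(self, outfd, data):
        """Write each table and its entries to outfd as text."""
        addr_space = utils.load_as(self._config)
        syscalls = addr_space.profile.syscalls
        bits32 = addr_space.profile.metadata.get('memory_model', '32bit') == '32bit'

        # Print out the entries for each table
        for idx, table, n, vm, mods, mod_addrs in data:
            outfd.write("SSDT[{0}] at {1:x} with {2} entries\n".format(idx, table, n))
            for i in range(n):
                (syscall_addr, syscall_name,
                 syscall_mod, syscall_modname) = self._ssdt_entry_info(
                    addr_space, syscalls, bits32, idx, table, i, vm, mods, mod_addrs)

                outfd.write(" Entry {0:#06x}: {1:#x} ({2}) owned by {3}\n".format(idx * 0x1000 + i,
                                                                   syscall_addr,
                                                                   syscall_name,
                                                                   syscall_modname))

                ## check for inline hooks if in --verbose mode, we're analyzing
                ## an x86 model system and the syscall_mod is available
                if self._config.VERBOSE and bits32 and syscall_mod is not None:
                    hook = self._ssdt_inline_hook(syscall_addr, syscall_mod, vm, mods, mod_addrs)
                    if hook is not None:
                        ## report it now
                        outfd.write(" ** INLINE HOOK? => {0:#x} ({1})\n".format(hook[0], hook[1]))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/patchguard.py0000644000000000000000000000063013131215405023511 0ustar rootrootimport struct def rol(value, count): """A rotate-left instruction in Python""" for y in range(count): value *= 2 if (value > 0xFFFFFFFFFFFFFFFF): value -= 0x10000000000000000 value += 1 return value def bswap(value): """A byte-swap instruction in Python""" hi, lo = struct.unpack(">II", struct.pack(". 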
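#
import volatility.plugins.crashinfo as crashinfo

class MachOInfo(crashinfo.CrashInfo):
    """Dump Mach-O file format information"""

    target_as = ['MachOAddressSpace']

    def render_text(self, outfd, data):
        """Write the Mach-O magic, bit width and one table row per segment."""
        header = data.get_header()

        outfd.write("Magic: {0:#x}\n".format(header.magic))
        outfd.write("Architecture: {0}-bit\n".format(data.bits))

        self.table_header(outfd, [("File Offset", "[addrpad]"),
                                  ("Memory Offset", "[addrpad]"),
                                  ("Size", "[addrpad]"),
                                  ("Name", "")])

        for seg in data.segs:
            self.table_row(outfd, seg.fileoff, seg.vmaddr, seg.vmsize, seg.segname)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/imageinfo.py0000644000000000000000000001252513131215405023333 0ustar rootroot
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
import volatility.win32.tasks as tasks
import volatility.timefmt as timefmt
import volatility.utils as utils
import volatility.debug as debug
import volatility.obj as obj
import volatility.cache as cache
import volatility.registry as registry
import volatility.plugins.kdbgscan as kdbgscan
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class ImageInfo(kdbgscan.KDBGScan):
    """ Identify information for the image """

    def unified_output(self, data):
        """Turn the (label, type, value) triples into a one-row TreeGrid."""
        columns = []
        values = []
        for l, t, v in data:
            columns.append( (l, t) )
            values.append(v)
        return TreeGrid(columns, [(0, values)])

    def render_text(self, outfd, data):
        """Renders the calculated data as text to outfd"""
        for k, t, v in data:
            # Address-typed values are shown in hex, everything else as-is.
            outfd.write("{0:>30} : {1}\n".format(k, hex(v) if t is Address else v))

    @cache.CacheDecorator("tests/imageinfo")
    def calculate(self):
        """Calculates various information about the image

        Yields (label, type, value) triples. The configured profile is
        switched while candidate profiles are tried and is restored when
        the generator finishes, is closed early, or fails.
        """
        debug.info("Determining profile based on KDBG search...")
        profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]

        bestguess = None
        suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
        if suglist:
            bestguess = suglist[0]
        suggestion = ", ".join(set(suglist))

        # Set our suggested profile first, then run through the list
        if bestguess in profilelist:
            profilelist = [bestguess] + profilelist
        chosen = 'no profile'

        # Save the original profile
        origprofile = self._config.PROFILE
        # Force user provided profile over others
        profilelist = [origprofile] + profilelist

        try:
            for profile in profilelist:
                debug.debug('Trying profile ' + profile)
                self._config.update('PROFILE', profile)
                addr_space = utils.load_as(self._config, astype = 'any')
                # The first profile whose address space exposes a dtb is used.
                if hasattr(addr_space, "dtb"):
                    chosen = profile
                    break

            if bestguess != chosen:
                if not suggestion:
                    suggestion = 'No suggestion'
                suggestion += ' (Instantiated with ' + chosen + ')'

            yield ('Suggested Profile(s)', str, suggestion)

            # Walk the stacked address spaces from the top layer down.
            tmpas = addr_space
            count = 0
            while tmpas:
                count += 1
                yield ('AS Layer' + str(count), str,
                       tmpas.__class__.__name__ + " (" + tmpas.name + ")")
                tmpas = tmpas.base

            if not hasattr(addr_space, "pae"):
                yield ('PAE type', str, "No PAE")
            else:
                yield ('PAE type', str, "PAE" if addr_space.pae else "No PAE")

            if hasattr(addr_space, "dtb"):
                yield ('DTB', Address, Address(addr_space.dtb))

            volmagic = obj.VolMagic(addr_space)
            if hasattr(addr_space, "dtb") and hasattr(volmagic, "KDBG"):
                kdbg = volmagic.KDBG.v()
                # A plain integer is treated as the offset of the structure.
                if type(kdbg) == int:
                    kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = kdbg, vm = addr_space)
                if kdbg.is_valid():
                    yield ('KDBG', Address, Address(kdbg.obj_offset))
                    kpcr_list = list(kdbg.kpcrs())
                    yield ('Number of Processors', int, len(kpcr_list))
                    yield ('Image Type (Service Pack)', int, kdbg.ServicePack)
                    for kpcr in kpcr_list:
                        yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), Address, Address(kpcr.obj_offset))

                KUSER_SHARED_DATA = volmagic.KUSER_SHARED_DATA.v()
                if KUSER_SHARED_DATA:
                    yield ('KUSER_SHARED_DATA', Address, Address(KUSER_SHARED_DATA))

                data = self.get_image_time(addr_space)

                if data:
                    yield ('Image date and time', str, str(data['ImageDatetime']))
                    yield ('Image local date and time', str, timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))
        finally:
            # Make sure to reset the profile to its original value to keep the invalidator from blocking the cache.
            # Done in 'finally' so a failed load or a consumer that stops
            # early does not leave a trial profile configured.
            self._config.update('PROFILE', origprofile)

    def get_image_time(self, addr_space):
        """Get the Image Datetime

        Returns a dict with 'ImageDatetime' and 'ImageTz', or the
        _KUSER_SHARED_DATA lookup result itself when it compares equal
        to None.
        """
        result = {}
        KUSER_SHARED_DATA = obj.VolMagic(addr_space).KUSER_SHARED_DATA.v()
        k = obj.Object("_KUSER_SHARED_DATA",
                       offset = KUSER_SHARED_DATA,
                       vm = addr_space)

        if k == None:
            return k
        result['ImageDatetime'] = k.SystemTime
        # TimeZoneBias is divided by 10000000 before it is handed to OffsetTzInfo.
        result['ImageTz'] = timefmt.OffsetTzInfo(-k.TimeZoneBias.as_windows_timestamp() / 10000000)

        return result
volatility_2.6+git20170711.b3db0cc/volatility/plugins/dumpfiles.py0000644000000000000000000016305713131215405023374 0ustar rootroot
# Volatility
# Copyright (C) 2012-13 Volatility Foundation
#
# This file is part of Volatility.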
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # #pylint: disable-msg=C0111 import os import re import math import volatility.obj as obj import volatility.utils as utils import volatility.debug as debug import volatility.win32.tasks as tasks_mod import volatility.win32.modules as modules import volatility.plugins.common as common import volatility.plugins.taskmods as taskmods from volatility.renderers import TreeGrid from volatility.renderers.basic import Address, Bytes import json from io import BytesIO #-------------------------------------------------------------------------------- # Constants #-------------------------------------------------------------------------------- PAGE_SIZE = 0x1000 PAGE_MASK = PAGE_SIZE - 1 IMAGE_EXT = "img" DATA_EXT = "dat" FILEOFFSET_MASK = 0xFFFFFFFFFFFF0000 VACB_BLOCK = 0x40000 VACB_ARRAY = 0x80 VACB_OFFSET_SHIFT = 18 VACB_LEVEL_SHIFT = 7 VACB_SIZE_OF_FIRST_LEVEL = 1 << (VACB_OFFSET_SHIFT + VACB_LEVEL_SHIFT) class _CONTROL_AREA(obj.CType): def extract_ca_file(self, unsafe = False): """ Extracts a file from a specified CONTROL_AREA Attempts to extract the memory resident pages pertaining to a particular CONTROL_AREA object. 
Args: control_area: Instance of a CONTROL_AREA object unsafe: Relax safety constraints for more data Returns: mdata: List of pages, (physoffset, fileoffset, size) tuples, that are memory resident zpad: List of pages, (offset, size) tuples, that not memory resident Raises: """ zpad = [] mdata = [] # Depending on the particular address space being used we need to # determine if the MMPTE will be either 4 or 8 bytes. The x64 # and IA32_PAE both use 8 byte PTEs. Whereas, IA32 uses 4 byte # PTE entries. memory_model = self.obj_vm.profile.metadata.get('memory_model', '32bit') pae = self.obj_vm.pae if pae: mmpte_size = self.obj_vm.profile.get_obj_size("_MMPTEPA") else: mmpte_size = self.obj_vm.profile.get_obj_size("_MMPTE") # Calculate the size of the _CONTROL_AREA object. It is used to find # the correct offset for the SUBSECTION object and the size of the # CONTROL_AREA can differ between versions of Windows. control_area_size = self.size() # The segment is used to describe the physical view of the # file. We also use this as a semantic check to see if # the processing should continue. If the Segment address # is invalid, then we return. Segment = self.Segment if not Segment.is_valid(): return mdata, zpad # The next semantic check validates that the _SEGMENT object # points back to the appropriate _CONTROL_AREA object. If the # check is invalid, then we return. if (self.obj_offset != Segment.ControlArea): return mdata, zpad # This is a semantic check added to make sure the Segment.SizeOfSegment value # is consistant with the Segment.TotalNumberOfPtes. This occurs fequently # when traversing through CONTROL_AREA Objects (~5%), often leading to # impossible values. Thus, to be conservative we do not proceed if the # Segment does not seem sound. if Segment.SizeOfSegment != (Segment.TotalNumberOfPtes * PAGE_SIZE): return mdata, zpad # The _SUBSECTION object is typically found immediately following # the CONTROL_AREA object. 
For Image Section Objects, the SUBSECTIONS # typically correspond with the sections found in the PE. On the otherhand, # for Data Section Objects, there is typically only a single valid SUBSECTION. subsection_offset = self.obj_offset + control_area_size #subsection = obj.Object("_SUBSECTION", subsection_offset, self.kaddr_space) subsection = obj.Object("_SUBSECTION", subsection_offset, self.obj_vm) # This was another check which was inspired by Ruud's code. It # verifies that the first SubsectionBaase (Mmst) never starts # at the beginning of a page. The UNSAFE option allows us to # ignore this constraint. This was necessary for dumping file data # for file objects found with filescan (ie $Mft) SubsectionBase = subsection.SubsectionBase if (SubsectionBase & PAGE_MASK == 0x0) and not unsafe: return mdata, zpad # We obtain the Subsections associated with this file # by traversing the singly linked list. Ideally, this # list should be null (0) terminated. Upon occasion we # we have seen instances where the link pointers are # undefined (XXX). If we hit an invalid pointer, the we # we exit the traversal. while subsection.is_valid() and subsection.v() != 0x0: if not subsection: break # This constraint makes sure that the _SUBSECTION object # points back to the associated CONTROL_AREA object. Otherwise, # we exit the traversal. if (self.obj_offset != subsection.ControlArea): break # Extract subsection meta-data into local variables # this helps with performance and not having to do # repetitive lookups. PtesInSubsection = subsection.PtesInSubsection SubsectionBase = subsection.SubsectionBase NextSubsection = subsection.NextSubsection # The offset into the file is stored implicitely # based on the PTE's location within the Subsection. StartingSector = subsection.StartingSector SubsectionOffset = StartingSector * 0x200 # This was another check based on something Ruud # had done. 
We also so instances where DataSectionObjects # would hit a SubsectionBase that was paged aligned # and hit strange data. In those instances, the # MMPTE SubsectionAddress would not point to the associated # Subsection. (XXX) if (SubsectionBase & PAGE_MASK == 0x0) and not unsafe: break ptecount = 0 while (ptecount < PtesInSubsection): pteoffset = SubsectionBase + (mmpte_size * ptecount) FileOffset = SubsectionOffset + ptecount * 0x1000 # The size of MMPTE changes depending on if it is IA32 (4 bytes) # or IA32_PAE/AMD64 (8 bytes). objname = "_MMPTE" if pae: objname = "_MMPTEPA" mmpte = obj.Object(objname, offset = pteoffset, vm = \ subsection.obj_vm) if not mmpte: ptecount += 1 continue # First we check if the entry is valid. If the entry is valid # then we get the physical offset. The valid entries are actually # handled by the hardware. if mmpte.u.Hard.Valid == 0x1: # There are some valid Page Table entries where bit 63 # is used to specify if the page is executable. This is # maintained by the processor. If it is not executable, # then the bit is set. Within the Intel documentation, # this is known as the Execute-disable (XD) flag. Regardless, # we will use the get_phys_addr method from the address space # to obtain the physical address. ### Should we check the size of the PAGE? Haven't seen # a hit for LargePage. #if mmpte.u.Hard.LargePage == 0x1: # print "LargePage" physoffset = mmpte.u.Hard.PageFrameNumber << 12 mdata.append([physoffset, FileOffset, PAGE_SIZE]) ptecount += 1 continue elif mmpte.u.Soft.Prototype == 0x1: # If the entry is not a valid physical address then # we check if it contains a pointer back to the SUBSECTION # object. If so, the page is in the backing file and we will # need to pad to maintain spacial integrity of the file. This # check needs to be performed for looking for the transition flag. # The prototype PTEs are initialized as MMPTE_SUBSECTION with the # SubsectionAddress. 
# On x86 systems that use 4 byte MMPTE , the MMPTE_SUBSECTION # stores an "encoded" version of the SUBSECTION object address. # The data is relative to global variable (MmSubsectionBase or # MmNonPagedPoolEnd) depending on the WhichPool member of # _SUBSECTION. This applies to x86 systems running ntoskrnl.exe. # If bit 10 is set then it is prototype/subsection if (memory_model == "32bit") and not pae: SubsectionOffset = \ ((mmpte.u.Subsect.SubsectionAddressHigh << 7) | (mmpte.u.Subsect.SubsectionAddressLow << 3)) #WhichPool = mmpte.u.Subsect.WhichPool #print "mmpte 0x%x ptecount 0x%x sub-32 0x%x pteoffset 0x%x which 0x%x subdelta 0x%x"%(mmpte.u.Long,ptecount,subsection_offset,pteoffset,WhichPool,SubsectionOffset) zpad.append([FileOffset, PAGE_SIZE]) ptecount += 1 continue if memory_model == "64bit" or pae: SubsectionAddress = mmpte.u.Subsect.SubsectionAddress else: SubsectionAddress = mmpte.u.Long if SubsectionAddress == subsection.obj_offset: # sub proto/prot 4c0 420 #print "mmpte 0x%x ptecount 0x%x sub 0x%x offset 0x%x"%(mmpte.u.Long,ptecount,SubsectionAddress,pteoffset) zpad.append([FileOffset, PAGE_SIZE]) ptecount += 1 continue elif (SubsectionAddress == (subsection.obj_offset + 4)): # This was a special case seen on IA32_PAE systems where # the SubsectionAddress pointed to subsection.obj_offset+4 # (0x420, 0x460, 0x4a0) #print "mmpte 0x%x ptecount 0x%x sub+4 0x%x offset 0x%x"%(mmpte.u.Long,ptecount,SubsectionAddress,pteoffset) zpad.append([FileOffset, PAGE_SIZE]) ptecount += 1 continue else: #print "mmpte 0x%x ptecount 0x%x sub_unk 0x%x offset 0x%x suboffset 0x%x"%(mmpte.u.Long,ptecount,SubsectionAddress,pteoffset,subsection.obj_offset) zpad.append([FileOffset, PAGE_SIZE]) ptecount += 1 continue # Check if the entry is a DemandZero entry. 
elif (mmpte.u.Soft.Transition == 0x0): if ((mmpte.u.Soft.PageFileLow == 0x0) and (mmpte.u.Soft.PageFileHigh == 0x0)): # Example entries include: a0,e0 #print "mmpte 0x%x ptecount 0x%x zero offset 0x%x subsec 0x%x"%(mmpte.u.Long,ptecount,pteoffset,subsection.obj_offset) zpad.append([FileOffset, PAGE_SIZE]) ptecount += 1 else: #print "mmpte 0x%x ptecount 0x%x paged offset 0x%x subsec 0x%x file 0x%x offset 0x%x"%(mmpte.u.Long,ptecount,pteoffset,subsection.obj_offset,mmpte.u.Soft.PageFileLow,mmpte.u.Soft.PageFileHigh) zpad.append([FileOffset, PAGE_SIZE]) ptecount += 1 # If the entry is not a valid physical address then # we also check to see if it is in transition. elif mmpte.u.Trans.Transition == 0x1: physoffset = mmpte.u.Trans.PageFrameNumber << 12 #print "mmpte 0x%x ptecount 0x%x transition 0x%x offset 0x%x"%(mmpte.u.Long,ptecount,physoffset,pteoffset) mdata.append([physoffset, FileOffset, PAGE_SIZE]) ptecount += 1 continue else: # This is a catch all for all the other entry types. # sub proto/pro 420,4e0,460,4a0 (x64 +0x28)(x32 +4) # other a0,e0,0, (20,60) # 0x80000000 #print "mmpte 0x%x ptecount 0x%x other offset 0x%x subsec 0x%x"%(mmpte.u.Long,ptecount,pteoffset,subsection.obj_offset) zpad.append([FileOffset, PAGE_SIZE]) ptecount += 1 # Traverse the singly linked list to its next member. subsection = NextSubsection return (mdata, zpad) class _SHARED_CACHE_MAP(obj.CType): def is_valid(self): if not obj.CType.is_valid(self): return False # Added a semantic check to make sure the data is in a sound state. It's better # to catch it early. 
FileSize = self.FileSize.QuadPart ValidDataLength = self.ValidDataLength.QuadPart SectionSize = self.SectionSize.QuadPart # Corrupted values: Win2003SP0x86.vmem if FileSize <= 0 or ValidDataLength <= 0: return False #print "SectionSize 0x%x < 0 or FileSize < 0x%x ValidDataLength 0x%x"%(SectionSize,FileSize,ValidDataLength) #if SectionSize < 0 or (FileSize < ValidDataLength): if SectionSize < 0 or ((FileSize < ValidDataLength) and (ValidDataLength != 0x7fffffffffffffff)): return False return True def process_index_array(self, array_pointer, level, limit, vacbary = None): """ Recursively process the sparse multilevel VACB index array Args: array_pointer: The address of a possible index array shared_cache_map: The associated SHARED_CACHE_MAP object level: The current level limit: The level where we abandon all hope. Ideally this is 7 vacbary: An array of collected VACBs Returns: vacbary: Collected VACBs """ if vacbary is None: vacbary = [] if level > limit: return [] # Create an array of VACB entries VacbArray = obj.Object("Array", offset = array_pointer, \ vm = self.obj_vm, count = VACB_ARRAY, \ targetType = "address", parent = self) # Iterate through the entries for _i in range(0, VACB_ARRAY): # Check if the VACB entry is in use if VacbArray[_i] == 0x0: continue Vacbs = obj.Object("_VACB", offset = int(VacbArray[_i]), vm = self.obj_vm) # Check if this is a valid VACB entry by verifying # the SharedCacheMap member. if Vacbs.SharedCacheMap == self.obj_offset: # This is a VACB associated with this cache map vacbinfo = self.extract_vacb(Vacbs, VACB_BLOCK) if vacbinfo: vacbary.append(vacbinfo) else: #Process the next level of the multi-level array vacbary = self.process_index_array(VacbArray[_i], level + 1, limit, vacbary) #vacbary = vacbary + _vacbary return vacbary def extract_vacb(self, vacbs, size): """ Extracts data from a specified VACB Attempts to extract the memory resident data from a specified VACB. 
Args: vacbs: The VACB object size: How much data should be read from the VACB shared_cache_map: The associated SHARED_CACHE_MAP object Returns: vacbinfo: Extracted VACB meta-information """ # This is used to collect summary information. We will eventually leverage this # when creating the externally exposed APIs. vacbinfo = {} # Check if the Overlay member of _VACB is resident # The Overlay member stores information about the FileOffset # and the ActiveCount. This is just another proactive check # to make sure the objects are seemingly sound. if not vacbs.Overlay: return vacbinfo # We should add another check to make sure that # the SharedCacheMap member of the VACB points back # to the corresponding SHARED_CACHE_MAP if vacbs.SharedCacheMap != self.v(): return vacbinfo # The FileOffset member of VACB is used to denote the # offset within the file where the view begins. Since all # views are 256 KB in size, the bottom 16 bits are used to # store the number of references to the view. FileOffset = vacbs.Overlay.FileOffset.QuadPart if not FileOffset: return vacbinfo ActiveCount = vacbs.Overlay.ActiveCount FileOffset = FileOffset & FILEOFFSET_MASK BaseAddress = vacbs.BaseAddress.v() vacbinfo['foffset'] = int(FileOffset) vacbinfo['acount'] = int(ActiveCount) vacbinfo['voffset'] = int(vacbs.obj_offset) vacbinfo['baseaddr'] = int(BaseAddress) vacbinfo['size'] = int(size) return vacbinfo def extract_scm_file(self): """ Extracts a file from a specified _SHARED_CACHE_MAP Attempts to extract the memory resident pages pertaining to a particular _SHARED_CACHE_MAP object. Args: shared_cache_map: Instance of a _SHARED_CACHE_MAP object Returns: vacbary: List of collected VACB meta information. Raises: """ vacbary = [] if self.obj_offset == 0x0: return # Added a semantic check to make sure the data is in a sound state. 
#FileSize = shared_cache_map.FileSize.QuadPart #ValidDataLength = shared_cache_map.ValidDataLength.QuadPart SectionSize = self.SectionSize.QuadPart # Let's begin by determining the number of Virtual Address Control # Blocks (VACB) that are stored within the cache (nonpaged). A VACB # represents one 256-KB view in the system cache. There a are a couple # options to use for the data size: ValidDataLength, FileSize, # and SectionSize. full_blocks = SectionSize / VACB_BLOCK left_over = SectionSize % VACB_BLOCK # As an optimization, the shared cache map object contains a VACB index # array of four entries. The VACB index arrays are arrays of pointers # to VACBs, that track which views of a given file are mapped in the cache. # For example, the first entry in the VACB index array refers to the first # 256 KB of the file. The InitialVacbs can describe a file up to 1 MB (4xVACB). iterval = 0 while (iterval < full_blocks) and (full_blocks <= 4): Vacbs = self.InitialVacbs[iterval] vacbinfo = self.extract_vacb(Vacbs, VACB_BLOCK) if vacbinfo: vacbary.append(vacbinfo) iterval += 1 # We also have to account for the spill over data # that is not found in the full blocks. The first case to # consider is when the spill over is still in InitialVacbs. if (left_over > 0) and (full_blocks < 4): Vacbs = self.InitialVacbs[iterval] vacbinfo = self.extract_vacb(Vacbs, left_over) if vacbinfo: vacbary.append(vacbinfo) # If the file is larger than 1 MB, a seperate VACB index array # needs to be allocated. This is based on how many 256 KB blocks # would be required for the size of the file. This newly allocated # VACB index array is found through the Vacbs member of # SHARED_CACHE_MAP. Vacbs = self.Vacbs if not Vacbs or (Vacbs.v() == 0): return vacbary # There are a number of instances where the initial value in # InitialVacb will also be the fist entry in Vacbs. Thus we # ignore, since it was already processed. 
It is possible to just # process again as the file offset is specified for each VACB. if self.InitialVacbs[0].obj_offset == Vacbs.v(): return vacbary # If the file is less than 32 MB than it can be found in # a single level VACB index array. size_of_pointer = self.obj_vm.profile.get_obj_size("address") if not SectionSize > VACB_SIZE_OF_FIRST_LEVEL: ArrayHead = Vacbs.v() _i = 0 for _i in range(0, full_blocks): vacb_addr = ArrayHead + (_i * size_of_pointer) vacb_entry = obj.Object("address", offset = vacb_addr, vm = Vacbs.obj_vm) # If we find a zero entry, then we proceed to the next one. # If the entry is zero, then the view is not mapped and we # skip. We do not pad because we use the FileOffset to seek # to the correct offset in the file. if not vacb_entry or (vacb_entry.v() == 0x0): continue Vacb = obj.Object("_VACB", offset = vacb_entry.v(), vm = self.obj_vm) vacbinfo = self.extract_vacb(Vacb, VACB_BLOCK) if vacbinfo: vacbary.append(vacbinfo) if left_over > 0: vacb_addr = ArrayHead + ((_i + 1) * size_of_pointer) vacb_entry = obj.Object("address", offset = vacb_addr, vm = Vacbs.obj_vm) if not vacb_entry or (vacb_entry.v() == 0x0): return vacbary Vacb = obj.Object("_VACB", offset = vacb_entry.v(), vm = self.obj_vm) vacbinfo = self.extract_vacb(Vacb, left_over) if vacbinfo: vacbary.append(vacbinfo) # The file is less than 32 MB, so we can # stop processing. return vacbary # If we get to this point, then we know that the SectionSize is greator than # VACB_SIZE_OF_FIRST_LEVEL (32 MB). Then we have a "sparse multilevel index # array where each VACB index array is made up of 128 entries. We no # longer assume the data is sequential. 
(Log2 (32 MB) - 18)/7 #tree_depth = math.ceil((math.ceil(math.log(file_size, 2)) - 18)/7) level_depth = math.ceil(math.log(SectionSize, 2)) level_depth = (level_depth - VACB_OFFSET_SHIFT) / VACB_LEVEL_SHIFT level_depth = math.ceil(level_depth) limit_depth = level_depth if SectionSize > VACB_SIZE_OF_FIRST_LEVEL: # Create an array of 128 entries for the VACB index array VacbArray = obj.Object("Array", offset = Vacbs.v(), \ vm = self.obj_vm, count = VACB_ARRAY, \ targetType = "address", parent = self) # We use a bit of a brute force method. We walk the # array and if any entry points to the shared cache map # object then we extract it. Otherwise, if it is non-zero # we attempt to traverse to the next level. for _i in range(0, VACB_ARRAY): if VacbArray[_i] == 0x0: continue Vacb = obj.Object("_VACB", offset = int(VacbArray[_i]), vm = self.obj_vm) if Vacb.SharedCacheMap == self.obj_offset: vacbinfo = self.extract_vacb(Vacb, VACB_BLOCK) if vacbinfo: vacbary.append(vacbinfo) else: # The Index is a pointer #Process the next level of the multi-level array # We set the limit_depth to be the depth of the tree # as determined from the size and we initialize the # current level to 2. 
vacbary = self.process_index_array(VacbArray[_i], 2, limit_depth, vacbary) #vacbary = vacbary + _vacbary return vacbary class ControlAreaModification(obj.ProfileModification): conditions = {'os': lambda x: x == 'windows'} def modification(self, profile): profile.object_classes.update({ '_CONTROL_AREA': _CONTROL_AREA, '_SHARED_CACHE_MAP': _SHARED_CACHE_MAP, }) #-------------------------------------------------------------------------------- # VTypes #-------------------------------------------------------------------------------- # Windows x86 symbols for ntkrnlpa ntkrnlpa_types_x86 = { '__ntkrnlpa' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE_64']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE_64']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION_64']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION_64']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTEPA' : [ 0x8, { 'u' : [ 0x0, ['__ntkrnlpa']], } ], '_MMPTE_SUBSECTION_64' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type = 'unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type = 'unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type = 'unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type = 'unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type = 'unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type = 'long long')]], } ], '_MMPTE_TRANSITION_64' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type = 'unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type = 'unsigned long 
long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type = 'unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type = 'unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type = 'unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type = 'unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type = 'unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type = 'unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type = 'unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type = 'unsigned long long')]], }], '_MMPTE_HARDWARE_64' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type = 'unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type = 'unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type = 'unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type = 'unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type = 'unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type = 'unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type = 'unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type = 'unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type = 'unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type = 'unsigned long long')]], 'Unused' : [ 0x0, ['BitField', 
dict(start_bit = 10, end_bit = 11, native_type = 'unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type = 'unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type = 'unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type = 'unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type = 'unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type = 'unsigned long long')]], } ], '_MMPTE_SOFTWARE_64' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type = 'unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type = 'unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type = 'unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type = 'unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type = 'unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type = 'unsigned long long')]], 'InStore' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type = 'unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 32, native_type = 'unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type = 'unsigned long long')]], } ], } class DumpFilesVTypesx86(obj.ProfileModification): """This modification applies the vtypes for all versions of 32bit Windows.""" before = ['WindowsObjectClasses'] conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x : x == '32bit'} def modification(self, profile): profile.vtypes.update(ntkrnlpa_types_x86) class 
DumpFiles(common.AbstractWindowsCommand): """Extract memory mapped and cached files""" def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) self.kaddr_space = None self.filters = [] config.add_option('REGEX', short_option = 'r', help = 'Dump files matching REGEX', action = 'store', type = 'string') config.add_option('IGNORE-CASE', short_option = 'i', help = 'Ignore case in pattern match', action = 'store_true', default = False) config.add_option('OFFSET', short_option = 'o', default = None, help = 'Dump files for Process with physical address OFFSET', action = 'store', type = 'int') config.add_option('PHYSOFFSET', short_option = 'Q', default = None, help = 'Dump File Object at physical address PHYSOFFSETs (comma delimited)', action = 'store', type = 'str') config.add_option('DUMP-DIR', short_option = 'D', default = None, cache_invalidator = False, help = 'Directory in which to dump extracted files') config.add_option('SUMMARY-FILE', short_option = 'S', default = None, cache_invalidator = False, help = 'File where to store summary information') config.add_option('PID', short_option = 'p', default = None, help = 'Operate on these Process IDs (comma-separated)', action = 'store', type = 'str') config.add_option('NAME', short_option = 'n', help = 'Include extracted filename in output file path', action = 'store_true', default = False) config.add_option('UNSAFE', short_option = 'u', help = 'Relax safety constraints for more data', action = 'store_true', default = False) # Possible filters include: # SharedCacheMap,DataSectionObject,ImageSectionObject,HandleTable,VAD config.add_option("FILTER", short_option = 'F', default = None, help = 'Filters to apply (comma-separated). Possible values:\n\nSharedCacheMap,DataSectionObject,ImageSectionObject,HandleTable,VAD') def filter_tasks(self, tasks): """ Reduce the tasks based on the user selectable PIDS parameter. 
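Returns a reduced list or the full list if config.PIDS not specified. """ if self._config.PID is None: return tasks try: pidlist = [int(p) for p in self._config.PID.split(',')] except ValueError: debug.error("Invalid PID {0}".format(self._config.PID)) return [t for t in tasks if t.UniqueProcessId in pidlist]

    def audited_read_bytes(self, vm, vaddr, length, pad):
        """ This function provides an audited zread capability

        It performs a similar function to zread, in that it will
        pad "invalid" pages.  The main difference is that it allows
        us to collect auditing information about which pages were actually
        present and which ones were padded.

        Args:
          vm: The address space to read the data from.
          vaddr: The virtual address to start reading the data from.
          length: How many bytes to read
          pad: This argument controls if the unavailable bytes are padded.

        Returns:
          ret: Data that was read
          mdata: List of [vaddr, length] chunks that are memory resident
          zpad: List of [vaddr, length] chunks that are not memory resident
        """

        zpad = []
        mdata = []

        vaddr, length = int(vaddr), int(length)

        ret = ''

        while length > 0:
            # Never read across a page boundary, so that residency can be
            # decided one page at a time.
            chunk_len = min(length, PAGE_SIZE - (vaddr % PAGE_SIZE))

            buf = vm.read(vaddr, chunk_len)
            if vm.vtop(vaddr) is None:
                zpad.append([vaddr, chunk_len])
                if pad:
                    buf = '\x00' * chunk_len
                else:
                    buf = ''
            else:
                # NOTE(review): buf is used as returned by vm.read(); if the
                # address space can return None for a translated page, the
                # concatenation below fails -- confirm against the address
                # space implementation.
                mdata.append([vaddr, chunk_len])

            ret += buf
            vaddr += chunk_len
            length -= chunk_len

        return ret, mdata, zpad

    def _safe_name_component(self, component):
        """Make a file name taken from the memory image safe to embed in an
        output file name.

        The name comes from a FILE_OBJECT inside the image under analysis and
        must be treated as untrusted.  calculate() only splits it on the
        backslash, so a name carrying a forward slash would otherwise reach
        os.path.join() and could place the output outside the dump
        directory.  Path separators, NUL and other control characters are
        replaced with an underscore.

        NOTE(review): ':' is left untouched to keep existing output names; on
        a Windows analysis host it selects an alternate data stream, so
        consider replacing it as well.

        Args:
          component: The last element of the in-memory file name.

        Returns:
          The component with unsafe characters replaced by '_'.
        """
        return re.sub(r'[\x00-\x1f/\\]', '_', component)

    def calculate(self):
        """ Finds all the requested FILE_OBJECTS

        Traverses the VAD and HandleTable to find all requested
        FILE_OBJECTS and yields one summary dict per ImageSectionObject,
        DataSectionObject and SharedCacheMap that has not been seen before.
        Each summary carries the output path ('ofpath') that the renderers
        use; when --name is given the path includes the last component of
        the in-memory file name after it went through
        _safe_name_component().
        """
        # Initialize containers for collecting artifacts.
        control_area_list = []
        shared_maps = []
        procfiles = []

        # These lists are used for object collecting files from
        # both the VAD and handle tables
        vadfiles = []
        handlefiles = []

        # Determine which filters the user wants to see
        self.filters = []
        if self._config.FILTER:
            self.filters = self._config.FILTER.split(',')

        # Instantiate the kernel address space
        self.kaddr_space = utils.load_as(self._config)

        # Check to see if the physical address offset was passed for a
        # particular process. Otherwise, use the whole task list.
        if self._config.OFFSET != None:
            tasks_list = [taskmods.DllList.virtual_process_from_physical_offset(
                self.kaddr_space, self._config.OFFSET)]
        else:
            # Filter for the specified processes
            tasks_list = self.filter_tasks(tasks_mod.pslist(self.kaddr_space))

        # If a regex is specified, build it.
        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    file_re = re.compile(self._config.REGEX, re.I)
                else:
                    file_re = re.compile(self._config.REGEX)
            except re.error as e:
                debug.error('Error parsing regular expression: {0:s}'.format(e))

        # Check to see if a specific physical address was specified for a
        # FILE_OBJECT. In particular, this is useful for FILE_OBJECTS that
        # are found with filescan that are not associated with a process
        # For example, $Mft.
        if self._config.PHYSOFFSET:
            try:
                phys = []
                for p in self._config.PHYSOFFSET.split(","):
                    file_obj = obj.Object("_FILE_OBJECT", int(p, 16), self.kaddr_space.base, native_vm = self.kaddr_space)
                    phys.append(file_obj)
                procfiles.append((None, phys))
            except ValueError:
                debug.error("Invalid PHYSOFFSET {0}".format(self._config.PHYSOFFSET))

        # Iterate through the process list and collect all references to
        # FILE_OBJECTS from both the VAD and HandleTable. Each open handle to a file
        # has a corresponding FILE_OBJECT.
        if not self._config.PHYSOFFSET:
            for task in tasks_list:
                pid = task.UniqueProcessId

                # Extract FILE_OBJECTS from the VAD
                if not self.filters or "VAD" in self.filters:
                    for vad in task.VadRoot.traverse():
                        if vad != None:
                            try:
                                control_area = vad.ControlArea
                                if not control_area:
                                    continue
                                file_object = vad.FileObject
                                if file_object:
                                    # Filter for specific FILE_OBJECTS based on user defined
                                    # regular expression. (Performance optimization)
                                    if self._config.REGEX:
                                        name = None
                                        if file_object.FileName:
                                            name = str(file_object.file_name_with_device())
                                        if not name:
                                            continue
                                        if not file_re.search(name):
                                            continue
                                    vadfiles.append(file_object)
                            except AttributeError:
                                pass

                if not self.filters or "HandleTable" in self.filters:
                    # Extract the FILE_OBJECTS from the handle table
                    if task.ObjectTable.HandleTableList:
                        for handle in task.ObjectTable.handles():
                            otype = handle.get_object_type()
                            if otype == "File":
                                file_obj = handle.dereference_as("_FILE_OBJECT")
                                if file_obj:
                                    # Filter for specific FILE_OBJECTS based on user defined
                                    # regular expression. (Performance Optimization)
                                    if self._config.REGEX:
                                        name = None
                                        if file_obj.FileName:
                                            name = str(file_obj.file_name_with_device())
                                        if not name:
                                            continue
                                        if not file_re.search(name):
                                            continue
                                    handlefiles.append(file_obj)

                # Append the lists of file objects
                procfiles.append((pid, handlefiles + vadfiles))

        for pid, allfiles in procfiles:
            for file_obj in allfiles:

                # XXX TODO: remove these comments when accepted
                #if not self._config.PHYSOFFSET:
                offset = file_obj.obj_offset
                #else:
                    # I'm not sure why we need to specify PHYSOFFSET here,
                    # shouldn't we have a valid _FILE_OBJECT?
                #    offset = self._config.PHYSOFFSET

                name = None

                if file_obj.FileName:
                    name = str(file_obj.file_name_with_device())

                # The SECTION_OBJECT_POINTERS structure is used by the memory
                # manager and cache manager to store file-mapping and cache information
                # for a particular file stream. We will use it to determine what type
                # of FILE_OBJECT we have and how it should be parsed.
                if file_obj.SectionObjectPointer:
                    DataSectionObject = \
                        file_obj.SectionObjectPointer.DataSectionObject
                    SharedCacheMap = \
                        file_obj.SectionObjectPointer.SharedCacheMap
                    ImageSectionObject = \
                        file_obj.SectionObjectPointer.ImageSectionObject

                    # The ImageSectionObject is used to track state information for
                    # an executable file stream. We will use it to extract memory
                    # mapped binaries.
                    if not self.filters or "ImageSectionObject" in self.filters:

                        if ImageSectionObject and ImageSectionObject != 0:
                            summaryinfo = {}
                            # It points to a image section object( CONTROL_AREA )
                            control_area = \
                                ImageSectionObject.dereference_as('_CONTROL_AREA')

                            if not control_area in control_area_list:
                                control_area_list.append(control_area)

                                # Output name: "file", the pid, the control area
                                # offset, optionally the file name, then the
                                # image extension, joined with dots.
                                ca_offset_string = "0x{0:x}".format(control_area.obj_offset)
                                if self._config.NAME and name != None:
                                    fname = name.split("\\")
                                    # The name is read from the image: strip
                                    # separators before it enters a path.
                                    ca_offset_string += "." + self._safe_name_component(fname[-1])
                                file_string = ".".join(["file", str(pid), ca_offset_string, IMAGE_EXT])
                                of_path = os.path.join(self._config.DUMP_DIR, file_string)
                                (mdata, zpad) = control_area.extract_ca_file(self._config.UNSAFE)
                                summaryinfo['name'] = name
                                summaryinfo['type'] = "ImageSectionObject"
                                if pid:
                                    summaryinfo['pid'] = int(pid)
                                else:
                                    summaryinfo['pid'] = None
                                summaryinfo['present'] = mdata
                                summaryinfo['pad'] = zpad
                                summaryinfo['fobj'] = int(offset)
                                summaryinfo['ofpath'] = of_path
                                yield summaryinfo

                    # The DataSectionObject is used to track state information for
                    # a data file stream. We will use it to extract artifacts of
                    # memory mapped data files.
                    if not self.filters or "DataSectionObject" in self.filters:

                        if DataSectionObject and DataSectionObject != 0:
                            summaryinfo = {}
                            # It points to a data section object (CONTROL_AREA)
                            control_area = DataSectionObject.dereference_as('_CONTROL_AREA')

                            if not control_area in control_area_list:
                                control_area_list.append(control_area)

                                # Output name: "file", the pid, the control area
                                # offset, optionally the file name, then the
                                # data extension, joined with dots.
                                ca_offset_string = "0x{0:x}".format(control_area.obj_offset)
                                if self._config.NAME and name != None:
                                    fname = name.split("\\")
                                    # The name is read from the image: strip
                                    # separators before it enters a path.
                                    ca_offset_string += "." + self._safe_name_component(fname[-1])
                                file_string = ".".join(["file", str(pid), ca_offset_string, DATA_EXT])
                                of_path = os.path.join(self._config.DUMP_DIR, file_string)

                                (mdata, zpad) = control_area.extract_ca_file(self._config.UNSAFE)
                                summaryinfo['name'] = name
                                summaryinfo['type'] = "DataSectionObject"
                                if pid:
                                    summaryinfo['pid'] = int(pid)
                                else:
                                    summaryinfo['pid'] = None
                                summaryinfo['present'] = mdata
                                summaryinfo['pad'] = zpad
                                summaryinfo['fobj'] = int(offset)
                                summaryinfo['ofpath'] = of_path
                                yield summaryinfo

                    # The SharedCacheMap is used to track views that are mapped to the
                    # data file stream. Each cached file has a single SHARED_CACHE_MAP object,
                    # which has pointers to slots in the system cache which contain views of the file.
                    # The shared cache map is used to describe the state of the cached file.
                    if self.filters and "SharedCacheMap" not in self.filters:
                        continue

                    if SharedCacheMap:
                        vacbary = []
                        summaryinfo = {}
                        # The SharedCacheMap member points to a SHARED_CACHE_MAP object.
                        shared_cache_map = SharedCacheMap.dereference_as('_SHARED_CACHE_MAP')
                        if shared_cache_map.obj_offset == 0x0:
                            continue

                        # Added a semantic check to make sure the data is in a sound state. It's better
                        # to catch it early.
                        if not shared_cache_map.is_valid():
                            continue

                        # Each shared cache map is extracted only once.
                        if not shared_cache_map.obj_offset in shared_maps:
                            shared_maps.append(shared_cache_map.obj_offset)
                        else:
                            continue

                        shared_cache_map_string = ".0x{0:x}".format(shared_cache_map.obj_offset)
                        if self._config.NAME and name != None:
                            fname = name.split("\\")
                            # The name is read from the image: strip
                            # separators before it enters a path.
                            shared_cache_map_string = shared_cache_map_string + "." + self._safe_name_component(fname[-1])
                        of_path = os.path.join(self._config.DUMP_DIR, "file." + str(pid) + shared_cache_map_string + ".vacb")

                        vacbary = shared_cache_map.extract_scm_file()

                        summaryinfo['name'] = name
                        summaryinfo['type'] = "SharedCacheMap"
                        if pid:
                            summaryinfo['pid'] = int(pid)
                        else:
                            summaryinfo['pid'] = None
                        summaryinfo['fobj'] = int(offset)
                        summaryinfo['ofpath'] = of_path
                        summaryinfo['vacbary'] = vacbary
                        yield summaryinfo

    def unified_output(self, data):
        """Wrap generator() in a TreeGrid with the columns Source, Address,
        PID, Name, OutputPath and Data."""
        return TreeGrid([("Source", str),
                         ("Address", Address),
                         ("PID", int),
                         ("Name", str),
                         ("OutputPath", str),
                         ("Data", Bytes)],
                        self.generator(data))

    def generator(self, data): summaryfo = None summaryinfo = data if self._config.DUMP_DIR == None: debug.error("Please specify a dump directory (--dump-dir)") if not os.path.isdir(self._config.DUMP_DIR): debug.error(self._config.DUMP_DIR + " is not a directory") if self._config.SUMMARY_FILE: summaryfo = open(self._config.SUMMARY_FILE, 'wb') for summaryinfo in data: if summaryinfo['type'] == "DataSectionObject": if len(summaryinfo['present']) == 0: continue of = BytesIO() for mdata in summaryinfo['present']: rdata = None if not mdata[0]: continue try: rdata = self.kaddr_space.base.read(mdata[0], mdata[2]) except (IOError, OverflowError): debug.debug("IOError: Pid: {0} File: {1} PhysAddr: {2} Size: {3}".format(summaryinfo['pid'], summaryinfo['name'], mdata[0], mdata[2])) if not rdata: continue of.seek(mdata[1]) of.write(rdata) continue # XXX Verify FileOffsets #for zpad in summaryinfo['pad']: # of.seek(zpad[0]) # of.write("\0" * zpad[1]) if self._config.SUMMARY_FILE: json.dump(summaryinfo, summaryfo) summaryfo.write("\n") yield(0,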
["DataSectionObject", Address(summaryinfo['fobj']), int(summaryinfo['pid']), str(summaryinfo['name']), str(summaryinfo['ofpath']), Bytes(of.getvalue())]) of.close() elif summaryinfo['type'] == "ImageSectionObject": if len(summaryinfo['present']) == 0: continue of = BytesIO() for mdata in summaryinfo['present']: rdata = None if not mdata[0]: continue try: rdata = self.kaddr_space.base.read(mdata[0], mdata[2]) except (IOError, OverflowError): debug.debug("IOError: Pid: {0} File: {1} PhysAddr: {2} Size: {3}".format(summaryinfo['pid'], summaryinfo['name'], mdata[0], mdata[2])) if not rdata: continue of.seek(mdata[1]) of.write(rdata) continue # XXX Verify FileOffsets #for zpad in summaryinfo['pad']: # print "ZPAD 0x%x"%(zpad[0]) # of.seek(zpad[0]) # of.write("\0" * zpad[1]) if self._config.SUMMARY_FILE: json.dump(summaryinfo, summaryfo) summaryfo.write("\n") yield(0, ["ImageSectionObject", Address(summaryinfo['fobj']), int(summaryinfo['pid']), str(summaryinfo['name']), str(summaryinfo['ofpath']), Bytes(of.getvalue())]) of.close() elif summaryinfo['type'] == "SharedCacheMap": of = BytesIO() for vacb in summaryinfo['vacbary']: if not vacb: continue (rdata, mdata, zpad) = self.audited_read_bytes(self.kaddr_space, vacb['baseaddr'], vacb['size'], True) ### We need to update the mdata,zpad if rdata: try: of.seek(vacb['foffset']) of.write(rdata) except IOError: # TODO: Handle things like write errors (not enough disk space, etc) continue vacb['present'] = mdata vacb['pad'] = zpad if self._config.SUMMARY_FILE: json.dump(summaryinfo, summaryfo) summaryfo.write("\n") yield(0, ["SharedCacheMap", Address(summaryinfo['fobj']), int(summaryinfo['pid']), str(summaryinfo['name']), str(summaryinfo['ofpath']), Bytes(of.getvalue())]) of.close() else: return if self._config.SUMMARY_FILE: summaryfo.close() def render_text(self, outfd, data): """Renders output for the dumpfiles plugin. This includes extracting the file artifacts from memory to the specified dump directory. 
Args: outfd: The file descriptor to write the text to. data: (summaryinfo) """ # Summary file object summaryfo = None summaryinfo = data if self._config.DUMP_DIR == None: debug.error("Please specify a dump directory (--dump-dir)") if not os.path.isdir(self._config.DUMP_DIR): debug.error(self._config.DUMP_DIR + " is not a directory") if self._config.SUMMARY_FILE: summaryfo = open(self._config.SUMMARY_FILE, 'wb') for summaryinfo in data: if summaryinfo['type'] == "DataSectionObject": outfd.write("DataSectionObject {0:#010x} {1:<6} {2}\n".format(summaryinfo['fobj'], summaryinfo['pid'], summaryinfo['name'])) if len(summaryinfo['present']) == 0: continue of = open(summaryinfo['ofpath'], 'wb') for mdata in summaryinfo['present']: rdata = None if not mdata[0]: continue try: rdata = self.kaddr_space.base.read(mdata[0], mdata[2]) except (IOError, OverflowError): debug.debug("IOError: Pid: {0} File: {1} PhysAddr: {2} Size: {3}".format(summaryinfo['pid'], summaryinfo['name'], mdata[0], mdata[2])) if not rdata: continue of.seek(mdata[1]) of.write(rdata) continue # XXX Verify FileOffsets #for zpad in summaryinfo['pad']: # of.seek(zpad[0]) # of.write("\0" * zpad[1]) if self._config.SUMMARY_FILE: json.dump(summaryinfo, summaryfo) summaryfo.write("\n") of.close() elif summaryinfo['type'] == "ImageSectionObject": outfd.write("ImageSectionObject {0:#010x} {1:<6} {2}\n".format(summaryinfo['fobj'], summaryinfo['pid'], summaryinfo['name'])) if len(summaryinfo['present']) == 0: continue of = open(summaryinfo['ofpath'], 'wb') for mdata in summaryinfo['present']: rdata = None if not mdata[0]: continue try: rdata = self.kaddr_space.base.read(mdata[0], mdata[2]) except (IOError, OverflowError): debug.debug("IOError: Pid: {0} File: {1} PhysAddr: {2} Size: {3}".format(summaryinfo['pid'], summaryinfo['name'], mdata[0], mdata[2])) if not rdata: continue of.seek(mdata[1]) of.write(rdata) continue # XXX Verify FileOffsets #for zpad in summaryinfo['pad']: # print "ZPAD 0x%x"%(zpad[0]) # 
of.seek(zpad[0]) # of.write("\0" * zpad[1]) if self._config.SUMMARY_FILE: json.dump(summaryinfo, summaryfo) summaryfo.write("\n") of.close() elif summaryinfo['type'] == "SharedCacheMap": outfd.write("SharedCacheMap {0:#010x} {1:<6} {2}\n".format(summaryinfo['fobj'], summaryinfo['pid'], summaryinfo['name'])) of = open(summaryinfo['ofpath'], 'wb') for vacb in summaryinfo['vacbary']: if not vacb: continue (rdata, mdata, zpad) = self.audited_read_bytes(self.kaddr_space, vacb['baseaddr'], vacb['size'], True) ### We need to update the mdata,zpad if rdata: try: of.seek(vacb['foffset']) of.write(rdata) except IOError: # TODO: Handle things like write errors (not enough disk space, etc) continue vacb['present'] = mdata vacb['pad'] = zpad if self._config.SUMMARY_FILE: json.dump(summaryinfo, summaryfo) summaryfo.write("\n") of.close() else: return if self._config.SUMMARY_FILE: summaryfo.close() volatility_2.6+git20170711.b3db0cc/volatility/plugins/cmdline.py0000644000000000000000000000530713131215405023010 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# import volatility.plugins.taskmods as taskmods from volatility.renderers import TreeGrid class Cmdline(taskmods.DllList): """Display process command-line arguments""" def __init__(self, config, *args, **kwargs): taskmods.DllList.__init__(self, config, *args, **kwargs) config.add_option("VERBOSE", short_option = 'v', default = False, cache_invalidator = False, help = "Display full path of executable", action = "store_true") def unified_output(self, data): # blank header in case there is no shimcache data return TreeGrid([("Process", str), ("PID", int), ("CommandLine", str), ], self.generator(data)) def generator(self, data): for task in data: cmdline = "" name = str(task.ImageFileName) try: if self._config.VERBOSE and task.SeAuditProcessCreationInfo.ImageFileName.Name != None: name = str(task.SeAuditProcessCreationInfo.ImageFileName.Name) except AttributeError: pass if task.Peb: cmdline = "{0}".format(str(task.Peb.ProcessParameters.CommandLine or '')).strip() yield (0, [name, int(task.UniqueProcessId), str(cmdline)]) def render_text(self, outfd, data): for task in data: pid = task.UniqueProcessId name = str(task.ImageFileName) try: if self._config.VERBOSE and task.SeAuditProcessCreationInfo.ImageFileName.Name != None: name = str(task.SeAuditProcessCreationInfo.ImageFileName.Name) except AttributeError: pass outfd.write("*" * 72 + "\n") outfd.write("{0} pid: {1:6}\n".format(name, pid)) if task.Peb: outfd.write("Command line : {0}\n".format(str(task.Peb.ProcessParameters.CommandLine or ''))) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mftparser.py0000644000000000000000000012616613131215405023407 0ustar rootroot# Volatility # Copyright (C) 2008-2013 Volatility Foundation # Copyright (C) 2011 Jamie Levy (Gleeda) # # This file is part of Volatility. 
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Jamie Levy (gleeda) @license: GNU General Public License 2.0 @contact: jamie@memoryanalysis.net @organization: Volatility Foundation """ # Information for this script taken heavily from File System Forensic Analysis by Brian Carrier from volatility import renderers import volatility.plugins.common as common from volatility.renderers.basic import Address import volatility.plugins.overlays.basic as basic import volatility.scan as scan import volatility.utils as utils import volatility.addrspace as addrspace import volatility.obj as obj import volatility.debug as debug import struct import binascii import os import volatility.poolscan as poolscan import sys reload(sys) sys.setdefaultencoding('utf8') class UnicodeString(basic.String): def __str__(self): result = self.obj_vm.zread(self.obj_offset, self.length).split("\x00\x00")[0].decode("utf16", "ignore") if not result: result = "" return result def v(self): result = self.obj_vm.zread(self.obj_offset, self.length).split("\x00\x00")[0].decode("utf16", "ignore") if not result: return obj.NoneObject("Cannot read string length {0} at {1:#x}".format(self.length, self.obj_offset)) return result ATTRIBUTE_TYPE_ID = { 0x10:"STANDARD_INFORMATION", 0x20:"ATTRIBUTE_LIST", 0x30:"FILE_NAME", 0x40:"OBJECT_ID", 0x50:"SECURITY_DESCRIPTOR", 0x60:"VOLUME_NAME", 0x70:"VOLUME_INFORMATION", 0x80:"DATA", 0x90:"INDEX_ROOT", 
0xa0:"INDEX_ALLOCATION", 0xb0:"BITMAP", 0xc0:"REPARSE_POINT", 0xd0:"EA_INFORMATION", #Extended Attribute 0xe0:"EA", 0xf0:"PROPERTY_SET", 0x100:"LOGGED_UTILITY_STREAM", } VERBOSE_STANDARD_INFO_FLAGS = { 0x1:"Read Only", 0x2:"Hidden", 0x4:"System", 0x20:"Archive", 0x40:"Device", 0x80:"Normal", 0x100:"Temporary", 0x200:"Sparse File", 0x400:"Reparse Point", 0x800:"Compressed", 0x1000:"Offline", 0x2000:"Content not indexed", 0x4000:"Encrypted", 0x10000000:"Directory", 0x20000000:"Index view", } # this method taken from mftscan by tecamac in issue 309: # http://code.google.com/p/volatility/issues/detail?id=309 # I like that it's more readable than the long version I had above :-) SHORT_STANDARD_INFO_FLAGS = { 0x1:"r", 0x2:"h", 0x4:"s", 0x20:"a", 0x40:"d", 0x80:"n", 0x100:"t", 0x200:"S", 0x400:"r", 0x800:"c", 0x1000:"o", 0x2000:"I", 0x4000:"e", 0x10000000:"D", 0x20000000:"i", } FILE_NAME_NAMESPACE = { 0x0:"POSIX", # Case sensitive, allows all Unicode chars except '/' and NULL 0x1:"Win32", # Case insensitive, allows most Unicide except specials ('/', '\', ';', '>', '<', '?') 0x2:"DOS", # Case insensitive, upper case, no special chars, name is 8 or fewer chars in name and 3 or less extension 0x3:"Win32 & DOS", # Used when original name fits in DOS namespace and 2 names are not needed } MFT_FLAGS = { 0x1:"In Use", 0x2:"Directory", # if flag & 0x0002 == 0 this is a regular file } INDEX_ENTRY_FLAGS = { 0x1:"Child Node Exists", 0x2:"Last entry in list", } MFT_PATHS_FULL = {} class MFT_FILE_RECORD(obj.CType): def remove_unprintable(self, str): return str.encode("utf8", "ignore") def add_path(self, fileinfo): # it doesn't really make sense to add regular files to parent directory, # since they wouldn't actually be in the middle of a file path, but at the end # therefore, we'll return for regular files if not self.is_directory(): return # otherwise keep a record of the directory that we've found cur = MFT_PATHS_FULL.get(int(self.RecordNumber), None) if (cur == None or 
fileinfo.Namespace != 2) and fileinfo.is_valid(): temp = {} temp["ParentDirectory"] = fileinfo.ParentDirectory temp["filename"] = self.remove_unprintable(fileinfo.get_name()) MFT_PATHS_FULL[int(self.RecordNumber)] = temp def get_full_path(self, fileinfo): if self.obj_vm._config.DEBUGOUT: print "Building path for file {0}".format(fileinfo.get_name()) parent = "" path = self.remove_unprintable(fileinfo.get_name()) or "(Null)" try: parent_id = fileinfo.ParentDirectory & 0xffffff except struct.error: return path if int(self.RecordNumber) == 5 or int(self.RecordNumber) == 0: return path seen = set() while parent != {}: seen.add(parent_id) parent = MFT_PATHS_FULL.get(int(parent_id), {}) if parent == {} or parent["filename"] == "" or int(parent_id) == 0 or int(parent_id) == 5: return path path = "{0}\\{1}".format(parent["filename"], path) parent_id = parent["ParentDirectory"] & 0xffffff if parent_id in seen: return path return path def is_directory(self): return int(self.Flags) & 0x2 def is_file(self): return int(self.Flags) & 0x2 == 0 def is_inuse(self): return int(self.Flags) & 0x1 == 0x1 def get_mft_type(self): return "{0}{1}".format("In Use & " if self.is_inuse() else "", "Directory" if self.is_directory() else "File") def parse_attributes(self, mft_buff, check = True, entrysize = 1024): next_attr = self.ResidentAttributes end = mft_buff.find("\xff\xff\xff\xff") if end == -1: end = entrysize attributes = [] dataseen = False while next_attr != None and next_attr.obj_offset <= end: try: attr = ATTRIBUTE_TYPE_ID.get(int(next_attr.Header.Type), None) except struct.error: next_attr = None attr = None continue if attr == None: next_attr = None elif attr == "STANDARD_INFORMATION": if self.obj_vm._config.DEBUGOUT: print "Found $SI" if not check or next_attr.STDInfo.is_valid(): attributes.append((attr, next_attr.STDInfo)) next_off = next_attr.STDInfo.obj_offset + next_attr.ContentSize if next_off == next_attr.STDInfo.obj_offset: next_attr = None continue next_attr = 
self.advance_one(next_off, mft_buff, end) elif attr == 'FILE_NAME': if self.obj_vm._config.DEBUGOUT: print "Found $FN" self.add_path(next_attr.FileName) if not check or next_attr.FileName.is_valid(): attributes.append((attr, next_attr.FileName)) next_off = next_attr.FileName.obj_offset + next_attr.ContentSize if next_off == next_attr.FileName.obj_offset: next_attr = None continue next_attr = self.advance_one(next_off, mft_buff, end) elif attr == "OBJECT_ID": if self.obj_vm._config.DEBUGOUT: print "Found $ObjectId" if next_attr.Header.NonResidentFlag == 1: attributes.append((attr, "Non-Resident")) next_attr = None continue else: attributes.append((attr, next_attr.ObjectID)) next_off = next_attr.ObjectID.obj_offset + next_attr.ContentSize if next_off == next_attr.ObjectID.obj_offset: next_attr = None continue next_attr = self.advance_one(next_off, mft_buff, end) elif attr == "DATA": if self.obj_vm._config.DEBUGOUT: print "Found $DATA" try: if next_attr.Header and next_attr.Header.NameOffset > 0 and next_attr.Header.NameLength > 0: adsname = "" if next_attr != None and next_attr.Header != None and next_attr.Header.NameOffset and next_attr.Header.NameLength: nameloc = next_attr.obj_offset + next_attr.Header.NameOffset adsname = obj.Object("UnicodeString", vm = self.obj_vm, offset = nameloc, length = next_attr.Header.NameLength * 2) if adsname != None and adsname.strip() != "" and dataseen: attr += " ADS Name: {0}".format(adsname.strip()) dataseen = True except struct.error: next_attr = None continue try: if next_attr.ContentSize == 0: next_off = next_attr.obj_offset + self.obj_vm.profile.get_obj_size("RESIDENT_ATTRIBUTE") next_attr = self.advance_one(next_off, mft_buff, end) attributes.append((attr, "")) continue start = next_attr.obj_offset + next_attr.ContentOffset theend = min(start + next_attr.ContentSize, end) except struct.error: next_attr = None continue if next_attr.Header.NonResidentFlag == 1: thedata = "" else: try: contents = mft_buff[start:theend] except 
TypeError: next_attr = None continue thedata = contents attributes.append((attr, thedata)) next_off = theend if next_off == start: next_attr = None continue next_attr = self.advance_one(next_off, mft_buff, end) elif attr == "ATTRIBUTE_LIST": if self.obj_vm._config.DEBUGOUT: print "Found $AttributeList" if next_attr.Header.NonResidentFlag == 1: attributes.append((attr, "Non-Resident")) next_attr = None continue next_attr.process_attr_list(self.obj_vm, self, attributes, check) next_attr = None else: next_attr = None return attributes def advance_one(self, next_off, mft_buff, end): item = None attr = None cursor = 0 if next_off == None: return None while attr == None and cursor <= end: try: val = struct.unpack(" 0x20 and thetype in ["STANDARD_INFORMATION", "FILE_NAME"]: theitem = obj.Object(thetype, vm = bufferas, offset = item.AttributeID.obj_offset) if thetype == "STANDARD_INFORMATION" and (not check or theitem.is_valid()): attributes.append(("STANDARD_INFORMATION (AL)", theitem)) elif thetype == "FILE_NAME" and (not check or theitem.is_valid()): mft_entry.add_path(theitem) attributes.append(("FILE_NAME (AL)", theitem)) except struct.error: return if item.Length <= 0: return start += item.Length class STANDARD_INFORMATION(obj.CType): # XXX need a better check than this # we return valid if we have _any_ timestamp other than Null def is_valid(self): try: modified = self.ModifiedTime.v() except struct.error: modified = 0 try: mftaltered = self.MFTAlteredTime.v() except struct.error: mftaltered = 0 try: creation = self.CreationTime.v() except struct.error: creation = 0 try: accessed = self.FileAccessedTime.v() except struct.error: accessed = 0 return obj.CType.is_valid(self) and (modified != 0 or mftaltered != 0 or \ accessed != 0 or creation != 0) def get_type_short(self): try: if self.Flags == None: return "?" except struct.error: return "?" 
type = "" for i, j in sorted(SHORT_STANDARD_INFO_FLAGS.items()): if i & self.Flags == i: type += j else: type += "-" return type def get_type(self): try: if self.Flags == None: return "Unknown Type" except struct.error: return "Unknown Type" type = None for i in VERBOSE_STANDARD_INFO_FLAGS: if (i & self.Flags) == i: if type == None: type = VERBOSE_STANDARD_INFO_FLAGS[i] else: type += " & " + VERBOSE_STANDARD_INFO_FLAGS[i] if type == None: type = "Unknown Type " return type def get_header(self): return [("Creation", "30"), ("Modified", "30"), ("MFT Altered", "30"), ("Access Date", "30"), ("Type", ""), ] def __str__(self): bufferas = addrspace.BufferAddressSpace(self.obj_vm._config, data = "\x00\x00\x00\x00\x00\x00\x00\x00") nulltime = obj.Object("WinTimeStamp", vm = bufferas, offset = 0, is_utc = True) try: modified = str(self.ModifiedTime) except struct.error: modified = nulltime try: mftaltered = str(self.MFTAlteredTime) except struct.error: mftaltered = nulltime try: creation = str(self.CreationTime) except struct.error: creation = nulltime try: accessed = str(self.FileAccessedTime) except struct.error: accessed = nulltime return "{0:20} {1:30} {2:30} {3:30} {4}".format(creation, modified, mftaltered, accessed, self.get_type()) def body(self, path, record_num, size, offset): if path.strip() == "" or path == None: # if the path is null we just try to get the filename # from our dictionary and print the body file output record = MFT_PATHS_FULL.get(int(record_num), {}) path = "(Possible non-base entry, extra $SI or invalid $FN)" if record != {}: # we include with the found filename a note that this may be a # non-base entry. 
the analyst can investigate these types of records # on his/her own by comparing record numbers in output or examining the # given physical offset in memory for example path = "{0} {1}".format(record["filename"], path) try: modified = self.ModifiedTime.v() except struct.error: modified = 0 try: mftaltered = self.MFTAlteredTime.v() except struct.error: mftaltered = 0 try: creation = self.CreationTime.v() except struct.error: creation = 0 try: accessed = self.FileAccessedTime.v() except struct.error: accessed = 0 return "[{9}MFT STD_INFO] {0} (Offset: 0x{1:x})|{2}|{3}|0|0|{4}|{5}|{6}|{7}|{8}".format( path, offset, record_num, self.get_type_short(), size, accessed, modified, mftaltered, creation, self.obj_vm._config.MACHINE) class FILE_NAME(STANDARD_INFORMATION): def remove_unprintable(self, str): return str.encode("utf8", "ignore") # XXX need a better check than this # we return valid if we have _any_ timestamp other than Null # filename must also be a non-empty string def is_valid(self): try: modified = self.ModifiedTime.v() except struct.error: modified = 0 try: mftaltered = self.MFTAlteredTime.v() except struct.error: mftaltered = 0 try: creation = self.CreationTime.v() except struct.error: creation = 0 try: accessed = self.FileAccessedTime.v() except struct.error: accessed = 0 return obj.CType.is_valid(self) and (modified != 0 or mftaltered != 0 or \ accessed != 0 or creation != 0) #and \ #self.remove_unprintable(self.get_name()) != "" def get_name(self): if self.NameLength == None or self.NameLength == 0: return "" return self.remove_unprintable(self.Name) def get_header(self): return [("Creation", "30"), ("Modified", "30"), ("MFT Altered", "30"), ("Access Date", "30"), ("Name/Path", ""), ] def __str__(self): bufferas = addrspace.BufferAddressSpace(self.obj_vm._config, data = "\x00\x00\x00\x00\x00\x00\x00\x00") nulltime = obj.Object("WinTimeStamp", vm = bufferas, offset = 0, is_utc = True) try: modified = str(self.ModifiedTime) except struct.error: modified = 
nulltime try: mftaltered = str(self.MFTAlteredTime) except struct.error: mftaltered = nulltime try: creation = str(self.CreationTime) except struct.error: creation = nulltime try: accessed = str(self.FileAccessedTime) except struct.error: accessed = nulltime return "{0:20} {1:30} {2:30} {3:30} {4}".format(creation, modified, mftaltered, accessed, self.remove_unprintable(self.get_name())) def get_full(self, full): bufferas = addrspace.BufferAddressSpace(self.obj_vm._config, data = "\x00\x00\x00\x00\x00\x00\x00\x00") nulltime = obj.Object("WinTimeStamp", vm = bufferas, offset = 0, is_utc = True) try: modified = str(self.ModifiedTime) except struct.error: modified = nulltime try: mftaltered = str(self.MFTAlteredTime) except struct.error: mftaltered = nulltime try: creation = str(self.CreationTime) except struct.error: creation = nulltime try: accessed = str(self.FileAccessedTime) except struct.error: accessed = nulltime try: return "{0:20} {1:30} {2:30} {3:30} {4}".format(creation, modified, mftaltered, accessed, self.remove_unprintable(full)) except struct.error: return None def body(self, path, record_num, size, offset): try: modified = self.ModifiedTime.v() except struct.error: modified = 0 try: mftaltered = self.MFTAlteredTime.v() except struct.error: mftaltered = 0 try: creation = self.CreationTime.v() except struct.error: creation = 0 try: accessed = self.FileAccessedTime.v() except struct.error: accessed = 0 return "[{9}MFT FILE_NAME] {0} (Offset: 0x{1:x})|{2}|{3}|0|0|{4}|{5}|{6}|{7}|{8}".format( path, offset, record_num, self.get_type_short(), size, accessed, modified, mftaltered, creation, self.obj_vm._config.MACHINE) class OBJECT_ID(obj.CType): # Modified from analyzeMFT.py: def FmtObjectID(self, item): record = "" for i in item: record += str(i) return "{0}-{1}-{2}-{3}-{4}".format(binascii.hexlify(record[0:4]), binascii.hexlify(record[4:6]), binascii.hexlify(record[6:8]), binascii.hexlify(record[8:10]), binascii.hexlify(record[10:16])) def __str__(self): 
string = "Object ID: {0}\n".format(self.FmtObjectID(self.ObjectID)) string += "Birth Volume ID: {0}\n".format(self.FmtObjectID(self.BirthVolumeID)) string += "Birth Object ID: {0}\n".format(self.FmtObjectID(self.BirthObjectID)) string += "Birth Domain ID: {0}\n".format(self.FmtObjectID(self.BirthDomainID)) return string # Using structures defined in File System Forensic Analysis pg 353+ MFT_types = { 'MFT_FILE_RECORD': [ 0x400, { 'Signature': [ 0x0, ['unsigned int']], 'FixupArrayOffset': [ 0x4, ['unsigned short']], 'NumFixupEntries': [ 0x6, ['unsigned short']], 'LSN': [ 0x8, ['unsigned long long']], 'SequenceValue': [ 0x10, ['unsigned short']], 'LinkCount': [ 0x12, ['unsigned short']], 'FirstAttributeOffset': [0x14, ['unsigned short']], 'Flags': [0x16, ['unsigned short']], 'EntryUsedSize': [0x18, ['int']], 'EntryAllocatedSize': [0x1c, ['unsigned int']], 'FileRefBaseRecord': [0x20, ['unsigned long long']], 'NextAttributeID': [0x28, ['unsigned short']], 'RecordNumber': [0x2c, ['unsigned long']], 'FixupArray': lambda x: obj.Object("Array", offset = x.obj_offset + x.FixupArrayOffset, count = x.NumFixupEntries, vm = x.obj_vm, target = obj.Curry(obj.Object, "unsigned short")), 'ResidentAttributes': lambda x : obj.Object("RESIDENT_ATTRIBUTE", offset = x.obj_offset + x.FirstAttributeOffset, vm = x.obj_vm), 'NonResidentAttributes': lambda x : obj.Object("NON_RESIDENT_ATTRIBUTE", offset = x.obj_offset + x.FirstAttributeOffset, vm = x.obj_vm), }], 'ATTRIBUTE_HEADER': [ 0x10, { 'Type': [0x0, ['int']], 'Length': [0x4, ['int']], 'NonResidentFlag': [0x8, ['unsigned char']], 'NameLength': [0x9, ['unsigned char']], 'NameOffset': [0xa, ['unsigned short']], 'Flags': [0xc, ['unsigned short']], 'AttributeID': [0xe, ['unsigned short']], }], 'RESIDENT_ATTRIBUTE': [0x16, { 'Header': [0x0, ['ATTRIBUTE_HEADER']], 'ContentSize': [0x10, ['unsigned int']], #relative to the beginning of the attribute 'ContentOffset': [0x14, ['unsigned short']], 'STDInfo': lambda x : 
obj.Object("STANDARD_INFORMATION", offset = x.obj_offset + x.ContentOffset, vm = x.obj_vm), 'FileName': lambda x : obj.Object("FILE_NAME", offset = x.obj_offset + x.ContentOffset, vm = x.obj_vm), 'ObjectID': lambda x : obj.Object("OBJECT_ID", offset = x.obj_offset + x.ContentOffset, vm = x.obj_vm), 'AttributeList':lambda x : obj.Object("ATTRIBUTE_LIST", offset = x.obj_offset + x.ContentOffset, vm = x.obj_vm), }], 'NON_RESIDENT_ATTRIBUTE': [0x40, { 'Header': [0x0, ['ATTRIBUTE_HEADER']], 'StartingVCN': [0x10, ['unsigned long long']], 'EndingVCN': [0x18, ['unsigned long long']], 'RunListOffset': [0x20, ['unsigned short']], 'CompressionUnitSize': [0x22, ['unsigned short']], 'Unused': [0x24, ['int']], 'AllocatedAttributeSize': [0x28, ['unsigned long long']], 'ActualAttributeSize': [0x30, ['unsigned long long']], 'InitializedAttributeSize': [0x38, ['unsigned long long']], }], 'EA_INFORMATION': [None, { 'EaPackedLength': [0x0, ['int']], 'EaCount': [0x4, ['int']], 'EaUnpackedLength': [0x8, ['long']], }], 'EA': [None, { 'NextEntryOffset': [0x0, ['unsigned long long']], 'Flags': [0x8, ['unsigned char']], 'EaNameLength': [0x9, ['unsigned char']], 'EaValueLength': [0xa, ['unsigned short']], 'EaName': [0xc, ['String', dict(length = lambda x: x.EaNameLength)]], 'EaValue': lambda x: obj.Object("Array", offset = x.obj_offset + len(x.EaName), count = x.EaValueLength, vm = x.obj_vm, target = obj.Curry(obj.Object, "unsigned char")), }], 'STANDARD_INFORMATION': [0x48, { 'CreationTime': [0x0, ['WinTimeStamp', dict(is_utc = True)]], 'ModifiedTime': [0x8, ['WinTimeStamp', dict(is_utc = True)]], 'MFTAlteredTime': [0x10, ['WinTimeStamp', dict(is_utc = True)]], 'FileAccessedTime': [0x18, ['WinTimeStamp', dict(is_utc = True)]], 'Flags': [0x20, ['int']], 'MaxVersionNumber': [0x24, ['unsigned int']], 'VersionNumber': [0x28, ['unsigned int']], 'ClassID': [0x2c, ['unsigned int']], 'OwnerID': [0x30, ['unsigned int']], 'SecurityID': [0x34, ['unsigned int']], 'QuotaCharged': [0x38, ['unsigned long 
long']], 'USN': [0x40, ['unsigned long long']], 'NextAttribute': [0x48, ['RESIDENT_ATTRIBUTE']], }], 'FILE_NAME': [None, { 'ParentDirectory': [0x0, ['unsigned long long']], 'CreationTime': [0x8, ['WinTimeStamp', dict(is_utc = True)]], 'ModifiedTime': [0x10, ['WinTimeStamp', dict(is_utc = True)]], 'MFTAlteredTime': [0x18, ['WinTimeStamp', dict(is_utc = True)]], 'FileAccessedTime': [0x20, ['WinTimeStamp', dict(is_utc = True)]], 'AllocatedFileSize': [0x28, ['unsigned long long']], 'RealFileSize': [0x30, ['unsigned long long']], 'Flags': [0x38, ['unsigned int']], 'ReparseValue': [0x3c, ['unsigned int']], 'NameLength': [0x40, ['unsigned char']], 'Namespace': [0x41, ['unsigned char']], 'Name': [0x42, ['UnicodeString', dict(length = lambda x: x.NameLength * 2)]], }], 'ATTRIBUTE_LIST': [0x19, { 'Type': [0x0, ['unsigned int']], 'Length': [0x4, ['unsigned short']], 'NameLength': [0x6, ['unsigned char']], 'NameOffset': [0x7, ['unsigned char']], 'StartingVCN': [0x8, ['unigned long long']], 'FileReferenceLocation': [0x10, ['unsigned long long']], 'AttributeID': [0x18, ['unsigned char']], }], 'OBJECT_ID': [0x40, { 'ObjectID': [0x0, ['array', 0x10, ['char']]], 'BirthVolumeID': [0x10, ['array', 0x10, ['char']]], 'BirthObjectID': [0x20, ['array', 0x10, ['char']]], 'BirthDomainID': [0x30, ['array', 0x10, ['char']]], }], 'REPARSE_POINT': [0x10, { 'TypeFlags': [0x0, ['unsigned int']], 'DataSize': [0x4, ['unsigned short']], 'Unused': [0x6, ['unsigned short']], 'NameOffset': [0x8, ['unsigned short']], 'NameLength': [0xa, ['unsigned short']], 'PrintNameOffset': [0xc, ['unsigned short']], 'PrintNameLength': [0xe, ['unsigned short']], }], 'INDEX_ROOT': [None, { 'Type': [0x0, ['unsigned int']], 'SortingRule': [0x4, ['unsigned int']], 'IndexSizeBytes': [0x8, ['unsigned int']], 'IndexSizeClusters': [0xc, ['unsigned char']], 'Unused': [0xd, ['array', 0x3, ['unsigned char']]], 'NodeHeader': [0x10, ['NODE_HEADER']], }], 'INDEX_ALLOCATION': [None, { 'Signature': [0x0, ['unsigned int']], #INDX 
though not essential 'FixupArrayOffset': [0x4, ['unsigned short']], 'NumFixupEntries': [ 0x6, ['unsigned short']], 'LSN': [ 0x8, ['unsigned long long']], 'VCN': [0x10, ['unsigned long long']], 'NodeHeader': [0x18, ['NODE_HEADER']], }], 'NODE_HEADER': [0x10, { 'IndexEntryListOffset': [0x0, ['unsigned int']], 'EndUsedIndexOffset': [0x4, ['unsigned int']], 'EndAllocatedIndexOffset': [0x8, ['unsigned int']], 'Flags': [0xc, ['unsigned int']], }], # Index entries 'GENERIC_INDEX_ENTRY': [None, { 'Undefined': [0x0, ['unsigned long long']], 'EntryLength': [0x8, ['unsigned short']], 'ContentLength': [0xa, ['unsigned short']], 'Flags': [0xc, ['unsigned int']], 'Content': [0x10, ['array', lambda x : x.ContentLength , ['unsigned char']]], # last 8 bytes are VCN of child node, which is only here if flag is set... not sure how to code that yet }], 'DIRECTORY_INDEX_ENTRY': [None, { 'MFTFileReference': [0x0, ['unsigned long long']], 'EntryLength': [0x8, ['unsigned short']], 'FileNameAttrLength': [0xa, ['unsigned short']], 'Flags': [0xc, ['unsigned int']], 'FileNameAttr': [0x16, ['FILE_NAME']], # last 8 bytes are VCN of child node, which is only here if flag is set... 
not sure how to code that yet }], } class MFTTYPES(obj.ProfileModification): before = ['WindowsObjectClasses'] conditions = {'os': lambda x: x == 'windows'} def modification(self, profile): profile.object_classes.update({ 'UnicodeString':UnicodeString, 'MFT_FILE_RECORD':MFT_FILE_RECORD, 'FILE_NAME':FILE_NAME, 'STANDARD_INFORMATION':STANDARD_INFORMATION, 'OBJECT_ID':OBJECT_ID, 'RESIDENT_ATTRIBUTE':RESIDENT_ATTRIBUTE, }) profile.vtypes.update(MFT_types) class MFTScanner(scan.BaseScanner): checks = [ ] def __init__(self, needles = None): self.needles = needles self.checks = [ ("MultiStringFinderCheck", {'needles':needles})] scan.BaseScanner.__init__(self) def scan(self, address_space, offset = 0, maxlen = None): for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen): yield offset class MFTParser(common.AbstractWindowsCommand): """ Scans for and parses potential MFT entries """ def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option("OFFSET", short_option = "o", default = None, help = "Physical offset for MFT Entries (comma delimited)") config.add_option('NOCHECK', short_option = 'N', default = False, help = 'Only all entries including w/null timestamps', action = "store_true") config.add_option("ENTRYSIZE", short_option = "E", default = 1024, help = "MFT Entry Size", action = "store", type = "int") config.add_option('DUMP-DIR', short_option = 'D', default = None, cache_invalidator = False, help = 'Directory in which to dump extracted resident files') config.add_option("MACHINE", default = "", help = "Machine name to add to timeline header") config.add_option("DEBUGOUT", default = False, help = "Output debugging messages", action = "store_true") def calculate(self): if self._config.MACHINE != "": self._config.update("MACHINE", "{0} ".format(self._config.MACHINE)) offsets = [] address_space = utils.load_as(self._config, astype = 'physical') if self._config.OFFSET != None: 
items = [int(o, 16) for o in self._config.OFFSET.split(',')] for offset in items: mft_buff = address_space.read(offset, self._config.ENTRYSIZE) bufferas = addrspace.BufferAddressSpace(self._config, data = mft_buff) mft_entry = obj.Object('MFT_FILE_RECORD', vm = bufferas, offset = 0) offsets.append((offset, mft_entry, mft_buff)) else: scanner = poolscan.MultiPoolScanner(needles = ['FILE', 'BAAD']) print "Scanning for MFT entries and building directory, this can take a while" seen = [] for _, offset in scanner.scan(address_space): mft_buff = address_space.read(offset, self._config.ENTRYSIZE) bufferas = addrspace.BufferAddressSpace(self._config, data = mft_buff) name = "" try: mft_entry = obj.Object('MFT_FILE_RECORD', vm = bufferas, offset = 0) temp = mft_entry.advance_one(mft_entry.ResidentAttributes.STDInfo.obj_offset + mft_entry.ResidentAttributes.ContentSize, mft_buff, self._config.ENTRYSIZE) if temp == None: continue mft_entry.add_path(temp.FileName) name = temp.FileName.get_name() except struct.error: if self._config.DEBUGOUT: print "Problem entry at offset:", hex(offset) continue if (int(mft_entry.RecordNumber), name) in seen: continue else: seen.append((int(mft_entry.RecordNumber), name)) offsets.append((offset, mft_entry, mft_buff)) for offset, mft_entry, mft_buff in offsets: if self._config.DEBUGOUT: print "Processing MFT Entry at offset:", hex(offset) attributes = mft_entry.parse_attributes(mft_buff, not self._config.NOCHECK, self._config.ENTRYSIZE) yield offset, mft_entry, attributes def render_body(self, outfd, data): if self._config.DUMP_DIR != None and not os.path.isdir(self._config.DUMP_DIR): debug.error(self._config.DUMP_DIR + " is not a directory") # Some notes: every base MFT entry should have one $SI and at lease one $FN # Usually $SI occurs before $FN # We'll make an effort to get the filename from $FN for $SI # If there is only one $SI with no $FN we dump whatever information it has for offset, mft_entry, attributes in data: si = None full = "" 
datanum = 0 for a, i in attributes: # we'll have a default file size of -1 for records missing $FN attributes # note that file size found in $FN may not actually be accurate and will most likely # be 0. See Carrier, pg 363 size = -1 if a.startswith("STANDARD_INFORMATION"): if full != "": # if we are here, we've hit one $FN attribute for this entry already and have the full name # so we can dump this $SI outfd.write("0|{0}\n".format(i.body(full, mft_entry.RecordNumber, size, offset))) elif si != None: # if we are here then we have more than one $SI attribute for this entry # since we don't want to lose its info, we'll just dump it for now # we won't have full path, but we'll have a filename most likely outfd.write("0|{0}\n".format(i.body("", mft_entry.RecordNumber, size, offset))) elif si == None: # this is the usual case and we'll save the $SI to process after we get the full path from the $FN si = i elif a.startswith("FILE_NAME"): if hasattr(i, "ParentDirectory"): full = mft_entry.get_full_path(i) size = int(i.RealFileSize) outfd.write("0|{0}\n".format(i.body(full, mft_entry.RecordNumber, size, offset))) if si != None: outfd.write("0|{0}\n".format(si.body(full, mft_entry.RecordNumber, size, offset))) si = None elif a.startswith("DATA"): if len(str(i)) > 0: file_string = ".".join(["file", "0x{0:x}".format(offset), "data{0}".format(datanum), "dmp"]) datanum += 1 if self._config.DUMP_DIR != None: of_path = os.path.join(self._config.DUMP_DIR, file_string) of = open(of_path, 'wb') of.write(i) of.close() if si != None: # here we have a lone $SI in an MFT entry with no valid $FN. 
This is most likely a non-base entry outfd.write("0|{0}\n".format(si.body("", mft_entry.RecordNumber, -1, offset))) def unified_output(self, data): return renderers.TreeGrid([("MFT Offset", Address), ("Attribute", str), ("Record", int), ("Link count", int), ("Type", str), ("Creation", str), ("Modified", str), ("MFT Altered", str), ("Access Date", str), ("Value", str)], self.generator(data)) def generator(self, data): bufferas = addrspace.BufferAddressSpace(self._config, data = "\x00\x00\x00\x00\x00\x00\x00\x00") nulltime = obj.Object("WinTimeStamp", vm = bufferas, offset = 0, is_utc = True) for offset, mft_entry, attributes in data: if not len(attributes): continue datnum = 0 for a, i in attributes: if i == None: attrdata = ["Invalid (" + a + ")", "", "", "", "", ""] elif a.startswith("STANDARD_INFORMATION"): try: modified = str(i.ModifiedTime) except struct.error: modified = nulltime try: mftaltered = str(i.MFTAlteredTime) except struct.error: mftaltered = nulltime try: creation = str(i.CreationTime) except struct.error: creation = nulltime try: accessed = str(i.FileAccessedTime) except struct.error: accessed = nulltime attrdata = [a, creation, modified, mftaltered, accessed, i.get_type()] elif a.startswith("FILE_NAME"): try: modified = str(i.ModifiedTime) except struct.error: modified = nulltime try: mftaltered = str(i.MFTAlteredTime) except struct.error: mftaltered = nulltime try: creation = str(i.CreationTime) except struct.error: creation = nulltime try: accessed = str(i.FileAccessedTime) except struct.error: accessed = nulltime attrdata = [a, creation, modified, mftaltered, accessed, i.remove_unprintable(i.get_name())] else: attrdata = [a, "", "", "", "", ""] yield (0, [Address(offset), str(mft_entry.get_mft_type()), int(mft_entry.RecordNumber), int(mft_entry.LinkCount)] + attrdata) def render_text(self, outfd, data): if self._config.DUMP_DIR != None and not os.path.isdir(self._config.DUMP_DIR): debug.error(self._config.DUMP_DIR + " is not a directory") 
border = "*" * 75 for offset, mft_entry, attributes in data: if len(attributes) == 0: continue outfd.write("{0}\n".format(border)) outfd.write("MFT entry found at offset 0x{0:x}\n".format(offset)) outfd.write("Attribute: {0}\n".format(mft_entry.get_mft_type())) outfd.write("Record Number: {0}\n".format(mft_entry.RecordNumber)) outfd.write("Link count: {0}\n".format(mft_entry.LinkCount)) outfd.write("\n") # there can be more than one resident $DATA attribute # e.g. ADS. Therfore we need to differentiate somehow # to avoid clobbering. For now we'll use a counter (datanum) datanum = 0 for a, i in attributes: if i == None: outfd.write("${0}: malformed entry\n".format(a)) continue if a.startswith("STANDARD_INFORMATION"): outfd.write("\n${0}\n".format(a)) self.table_header(outfd, i.get_header()) outfd.write("{0}\n".format(str(i))) elif a.startswith("FILE_NAME"): outfd.write("\n${0}\n".format(a)) if hasattr(i, "ParentDirectory"): full = mft_entry.get_full_path(i) self.table_header(outfd, i.get_header()) output = i.get_full(full) if output == None: continue outfd.write("{0}\n".format(output)) else: outfd.write("{0}\n".format(str(i))) elif a.startswith("DATA"): outfd.write("\n${0}\n".format(a)) contents = "\n".join(["{0:010x}: {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(i)]) outfd.write("{0}\n".format(str(contents))) if len(str(i)) > 0: file_string = ".".join(["file", "0x{0:x}".format(offset), "data{0}".format(datanum), "dmp"]) datanum += 1 if self._config.DUMP_DIR != None: of_path = os.path.join(self._config.DUMP_DIR, file_string) of = open(of_path, 'wb') of.write(i) of.close() elif a == "OBJECT_ID": outfd.write("\n$OBJECT_ID\n") outfd.write(str(i)) outfd.write("\n{0}\n".format(border)) volatility_2.6+git20170711.b3db0cc/volatility/plugins/hpakinfo.py0000644000000000000000000000411313131215405023166 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. 
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
import volatility.plugins.crashinfo as crashinfo
import volatility.debug as debug

class HPAKInfo(crashinfo.CrashInfo):
    """Info on an HPAK file"""

    target_as = ['HPAKAddressSpace']

    def render_text(self, outfd, data):
        """Write every section of the HPAK header to outfd, one field per line.

        The values come straight from the header returned by data.get_header();
        nothing here checks them for consistency.
        """
        # (output template, section member) in the order the fields are printed
        field_templates = (
            ("Header: {0}\n", "Header"),
            ("Length: {0:#x}\n", "Length"),
            ("Offset: {0:#x}\n", "Offset"),
            ("NextOffset: {0:#x}\n", "NextSection"),
            ("Name: {0}\n", "Name"),
            ("Compressed: {0}\n", "Compressed"),
            ("Comp. Size: {0:#x}\n", "CompressedSize"),
        )
        for section in data.get_header().Sections():
            for template, member in field_templates:
                outfd.write(template.format(getattr(section, member)))
            outfd.write("\n")

class HPAKExtract(HPAKInfo):
    """Extract physical memory from an HPAK file"""

    def render_text(self, outfd, data):
        """Convert the HPAK contents to raw form on outfd and print a short summary."""
        if not self._config.OUTPUT_FILE:
            # presumably debug.error() aborts the run; verify, since the
            # conversion below is not otherwise skipped
            debug.error("You must supply --output-file")

        data.convert_to_raw(outfd)

        if data.physmem.Compressed == 1:
            compressed = "Yes"
        else:
            compressed = "No"
        print "Compressed: {0}".format(compressed)
        print "Compressed Size: {0:#x}".format(data.physmem.CompressedSize)
        print "Final Size: {0:#x}".format(data.physmem.Length)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/dlldump.py0000644000000000000000000001421213131215405023031 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# Additional Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os
import re
from volatility import renderers
import volatility.plugins.procdump as procdump
from volatility.renderers.basic import Address
import volatility.win32.tasks as tasks
import volatility.debug as debug
import volatility.utils as utils
import volatility.cache as cache

class DLLDump(procdump.ProcDump):
    """Dump DLLs from a process address space"""

    def __init__(self, config, *args, **kwargs):
        """Register the dlldump options on top of the ProcDump ones.

        OFFSET is removed and registered again so that it carries
        dlldump's own help text.
        """
        procdump.ProcDump.__init__(self, config, *args, **kwargs)
        config.remove_option("OFFSET")

        config.add_option('REGEX', short_option = 'r',
                          help = 'Dump dlls matching REGEX',
                          action = 'store', type = 'string')
        config.add_option('IGNORE-CASE', short_option = 'i',
                          help = 'Ignore case in pattern match',
                          action = 'store_true', default = False)
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'Dump DLLs for Process with physical address OFFSET',
                          action = 'store', type = 'int')
        config.add_option('BASE', short_option = 'b', default = None,
                          help = 'Dump DLLS at the specified BASE offset in the process address space',
                          action = 'store', type = 'int')

    @cache.CacheDecorator(lambda self: "tests/dlldump/regex={0}/ignore_case={1}/offset={2}/base={3}".format(self._config.REGEX, self._config.IGNORE_CASE, self._config.OFFSET, self._config.BASE))
    def calculate(self):
        """Yield (process, process address space, module base, module name).

        With BASE set, one tuple is produced per process for that base; the
        name is "UNKNOWN" when the base is not in the process's module list.
        Otherwise every loaded module is produced, filtered by REGEX
        against the full and the base DLL name when REGEX is given.
        """
        addr_space = utils.load_as(self._config)

        dump_dir = self._config.DUMP_DIR
        if dump_dir == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(dump_dir):
            debug.error(dump_dir + " is not a directory")

        if self._config.OFFSET != None:
            procs = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            procs = self.filter_tasks(tasks.pslist(addr_space))

        if self._config.REGEX:
            # flags = 0 is what re.compile() uses when no flags are passed.
            flags = re.I if self._config.IGNORE_CASE else 0
            try:
                mod_re = re.compile(self._config.REGEX, flags)
            except re.error as err:
                debug.error('Error parsing regular expression: %s' % err)

        wanted_base = self._config.BASE
        for proc in procs:
            ps_ad = proc.get_process_address_space()
            # NOTE(review): keep the == comparison; presumably the call can
            # return a None-like sentinel object rather than None itself --
            # confirm before switching to "is None".
            if ps_ad == None:
                continue

            # Loaded modules of this process, keyed by base address.
            mods = dict((mod.DllBase.v(), mod) for mod in proc.get_load_modules())

            if wanted_base:
                if wanted_base in mods:
                    mod_name = mods[wanted_base].BaseDllName
                else:
                    # The base is still yielded, so a region that is not in
                    # the module list can be dumped by address.
                    mod_name = "UNKNOWN"
                yield proc, ps_ad, int(wanted_base), mod_name
            else:
                for mod in mods.values():
                    if self._config.REGEX and not (
                            mod_re.search(str(mod.FullDllName or '')) or
                            mod_re.search(str(mod.BaseDllName or ''))):
                        continue
                    yield proc, ps_ad, mod.DllBase.v(), mod.BaseDllName

    def generator(self, data):
        """Dump each module and yield one TreeGrid row per module.

        The dump file name is built only from the process id, the process
        offset and the module base, not from the module name recorded in
        the image.
        """
        for proc, ps_ad, mod_base, mod_name in data:
            if ps_ad.is_valid_address(mod_base):
                process_offset = ps_ad.vtop(proc.obj_offset)
                dump_file = "module.{0}.{1:x}.{2:x}.dll".format(proc.UniqueProcessId, process_offset, mod_base)
                result = self.dump_pe(ps_ad, mod_base, dump_file)
            else:
                result = "Error: DllBase is unavailable (possibly due to paging)"

            row = [Address(proc.obj_offset),
                   str(proc.ImageFileName),
                   Address(mod_base),
                   str(mod_name or ''),
                   str(result)]
            yield (0, row)

    def unified_output(self, data):
        """Return the TreeGrid whose rows are produced by generator()."""
        columns = [("Process(V)", Address),
                   ("Name", str),
                   ("Module Base", Address),
                   ("Module Name", str),
                   ("Result", str)]
        return renderers.TreeGrid(columns, self.generator(data))

    def render_text(self, outfd, data):
        """Dump each module and write one text table row per module.

        The dump directory is validated here as well as in calculate().
        """
        dump_dir = self._config.DUMP_DIR
        if dump_dir == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(dump_dir):
            debug.error(dump_dir + " is not a directory")

        self.table_header(outfd,
                          [("Process(V)", "[addrpad]"),
                           ("Name", "20"),
                           ("Module Base", "[addrpad]"),
                           ("Module Name", "20"),
                           ("Result", "")])

        for proc, ps_ad, mod_base, mod_name in data:
            if ps_ad.is_valid_address(mod_base):
                process_offset = ps_ad.vtop(proc.obj_offset)
                dump_file = "module.{0}.{1:x}.{2:x}.dll".format(proc.UniqueProcessId, process_offset, mod_base)
                result = self.dump_pe(ps_ad, mod_base, dump_file)
            else:
                result = "Error: DllBase is paged"

            self.table_row(outfd,
                           proc.obj_offset,
                           proc.ImageFileName,
                           mod_base,
                           str(mod_name or ''),
                           result)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/bioskbd.py0000644000000000000000000000554413131215405023015 0ustar rootroot# Volatility # # Authors: # Adam Boileau # Mike Auty # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # # *Heavily* based upon http://www.storm.net.nz/static/files/bioskbsnarf import struct import volatility.plugins.common as common import volatility.utils as utils import volatility.debug as debug from volatility.renderers import TreeGrid from volatility.renderers.basic import Address class BiosKbd(common.AbstractWindowsCommand): """Reads the keyboard buffer from Real Mode memory""" BASE = 0x400 OFFSET = 0x17 BUFOFFSET = 0x1e LEN = 39 FORMAT = "?!"$%^&*()_+-=`\\|': return c return "." 
def calculate(self):
    """Calculate returns the results of the bios keyboard reading

    Reads LEN bytes at physical address BASE + OFFSET, unpacks them with
    FORMAT and returns a list of (first byte, second byte as int) pairs
    for the two-byte entries whose first byte is non-zero.
    """
    # astype = 'physical': the buffer is read from the physical address space.
    addr_space = utils.load_as(self._config, astype = 'physical')
    data = addr_space.read(self.BASE + self.OFFSET, self.LEN)
    if not data or len(data) != self.LEN:
        debug.error("Failed to read keyboard buffer, please check this is a physical memory image.")
    # Only readp and buf are used below; the underscore-prefixed fields are
    # unpacked and ignored.
    _shifta, _shiftb, _alt, readp, _writep, buf = struct.unpack(self.FORMAT, data)
    # Rotate the buffer so that it starts at the read pointer.
    # NOTE(review): readp comes from the image; a value below BUFOFFSET gives
    # a negative slice index (counted from the end of buf) -- confirm that
    # this is acceptable.
    unringed = buf[readp - self.BUFOFFSET:]
    unringed += buf[:readp - self.BUFOFFSET]
    results = []
    # NOTE(review): the range stops at len - 2, so for an even-length buffer
    # the final two-byte entry is never examined -- confirm this is intended.
    for i in range(0, len(unringed) - 2, 2):
        if ord(unringed[i]) != 0:
            results.append((unringed[i], ord(unringed[i + 1])))
    return results
volatility_2.6+git20170711.b3db0cc/volatility/plugins/pstree.py0000644000000000000000000001515013131215405022674 0ustar rootroot# Volatility
#
# Authors
# Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""pstree example file"""

from volatility import renderers
from volatility.renderers.basic import Address

import volatility.win32.tasks as tasks
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.cache as cache
import volatility.obj as obj
import volatility.debug as debug

#pylint: disable-msg=C0111

class ProcessAuditVTypes(obj.ProfileModification):
    # Applied before "WindowsVTypes", and only to profiles whose 'os' is 'windows'.
    before = ["WindowsVTypes"]
    conditions = {'os': lambda x: x == 'windows'}
    def modification(self, profile):
        # Adds the two structures that PSTree's verbose output walks through
        # (SeAuditProcessCreationInfo.ImageFileName.Name).
        profile.vtypes.update({
            '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, {
            'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]],
            }],
            '_OBJECT_NAME_INFORMATION' : [ 0x8, {
            'Name' : [ 0x0, ['_UNICODE_STRING']],
            }]})

class PSTree(common.AbstractWindowsCommand):
    """Print process list as a tree"""

    text_sort_column = "Pid"

    def find_root(self, pid_dict, pid):
        # Follows the parent links upwards from pid and returns the first PID
        # that is either not a key of pid_dict or has been visited before.
        # Parent PIDs are read from the memory image, so a chain that loops
        # back on itself has to be tolerated.
        # Prevent circular loops.
        seen = set()

        while pid in pid_dict and pid not in seen:
            seen.add(pid)
            pid = int(pid_dict[pid].InheritedFromUniqueProcessId)

        return pid

    def generator(self, data):
        # Yields (depth, row) tuples for the TreeGrid. data is the dict built
        # by calculate() (PID -> task) and is emptied while the tree is walked.
        def draw_branch(level, inherited_from):
            # data.values() is indexed as a list elsewhere in this file
            # (Python 2), so deleting from data below does not disturb this
            # loop's snapshot.
            for task in data.values():
                if task.InheritedFromUniqueProcessId == inherited_from:

                    row = [Address(task.obj_offset),
                           str(task.ImageFileName or ''),
                           int(task.UniqueProcessId),
                           int(task.InheritedFromUniqueProcessId),
                           int(task.ActiveThreads),
                           int(task.ObjectTable.HandleCount),
                           str(task.CreateTime)]

                    if self._config.VERBOSE:
                        row += [str(task.SeAuditProcessCreationInfo.ImageFileName.Name or '')]
                        process_params = task.Peb.ProcessParameters
                        if not process_params:
                            # Keep the row width constant when the process
                            # parameters cannot be read.
                            row += [str("-"), str("-")]
                        else:
                            row += [str(process_params.CommandLine or ''),
                                    str(process_params.ImagePathName or '')]
                    yield (level, row)

                    # Remove the task once it has been emitted; a task that
                    # was already removed by a deeper call only gets a warning.
                    try:
                        del data[int(task.UniqueProcessId)]
                    except KeyError:
                        debug.warning("PID {0} PPID {1} has already been seen".format(task.UniqueProcessId, task.InheritedFromUniqueProcessId))

                    # Children of this task, one level deeper.
                    for item in draw_branch(level + 1, task.UniqueProcessId):
                        yield item

        # Each pass picks any remaining task, finds the top of its parent
        # chain and emits that branch, until every task has been emitted.
        while len(data.keys()) > 0:
            keys = data.keys()
            root = self.find_root(data, keys[0])
            for item in draw_branch(0, root):
                yield item

    def unified_output(self, data):
        # Column list for the TreeGrid; VERBOSE adds the three columns that
        # generator() appends to each row.
        cols = [("Offset", Address),
                ("Name", str),
                ("Pid", int),
                ("PPid", int),
                ("Thds", int),
                ("Hnds", int),
                ("Time", str)]

        if self._config.VERBOSE:
            cols += [("Audit", str),
                     ("Cmd", str),
                     ("Path", str)]

        tg = renderers.TreeGrid(cols, self.generator(data))
        return tg

    def render_text(self, outfd, data):
        # Text rendering of the same tree walk as generator(): the depth is
        # shown as a run of dots in front of the offset and name.

        self.table_header(outfd,
                          [("Name", "<50"),
                           ("Pid", ">6"),
                           ("PPid", ">6"),
                           ("Thds", ">6"),
                           ("Hnds", ">6"),
                           ("Time", "")])

        def draw_branch(pad, inherited_from):
            for task in data.values():
                if task.InheritedFromUniqueProcessId == inherited_from:

                    first_column = "{0} {1:#x}:{2:20}".format(
                                        "." * pad,
                                        task.obj_offset,
                                        str(task.ImageFileName or '')
                                        )

                    self.table_row(outfd,
                        first_column,
                        task.UniqueProcessId,
                        task.InheritedFromUniqueProcessId,
                        task.ActiveThreads,
                        task.ObjectTable.HandleCount,
                        task.CreateTime)

                    if self._config.VERBOSE:
                        outfd.write("{0} audit: {1}\n".format(
                                ' ' * pad, str(task.SeAuditProcessCreationInfo.ImageFileName.Name or '')))
                        process_params = task.Peb.ProcessParameters
                        # Unlike generator(), nothing is written for cmd and
                        # path when the process parameters cannot be read.
                        if process_params:
                            outfd.write("{0} cmd: {1}\n".format(
                                ' ' * pad, str(process_params.CommandLine or '')))
                            outfd.write("{0} path: {1}\n".format(
                                ' ' * pad, str(process_params.ImagePathName or '')))

                    # Remove the task once it has been printed.
                    try:
                        del data[int(task.UniqueProcessId)]
                    except KeyError:
                        debug.warning("PID {0} PPID {1} has already been seen".format(task.UniqueProcessId, task.InheritedFromUniqueProcessId))

                    draw_branch(pad + 1, task.UniqueProcessId)

        while len(data.keys()) > 0:
            keys = data.keys()
            root = self.find_root(data, keys[0])
            draw_branch(0, root)

    @cache.CacheDecorator(lambda self: "tests/pstree/verbose={0}".format(self._config.VERBOSE))
    def calculate(self):
        # Returns a dict mapping int(PID) to the task object for every task
        # returned by tasks.pslist(); tasks sharing a PID overwrite each other.

        ## Load a new address space
        addr_space = utils.load_as(self._config)

        return dict(
                (int(task.UniqueProcessId), task)
                for task in tasks.pslist(addr_space)
                )
volatility_2.6+git20170711.b3db0cc/volatility/plugins/volshell.py0000644000000000000000000005573513131215405023237
0ustar rootroot# Volatility # Copyright (C) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: AAron Walters and Brendan Dolan-Gavitt @license: GNU General Public License 2.0 @contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu @organization: Volatility Foundation """ import struct import sys import volatility.plugins.common as common import volatility.win32 as win32 import volatility.utils as utils import volatility.obj as obj import volatility.plugins.taskmods as taskmods import volatility.scan as scan try: import distorm3 #pylint: disable-msg=F0401 except ImportError: pass class volshell(common.AbstractWindowsCommand): """Shell in the memory image""" # Declare meta information associated with this plugin meta_info = {} meta_info['author'] = 'Brendan Dolan-Gavitt' meta_info['copyright'] = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt' meta_info['contact'] = 'bdolangavitt@wesleyan.edu' meta_info['license'] = 'GNU General Public License 2.0' meta_info['url'] = 'http://moyix.blogspot.com/' meta_info['os'] = 'WIN_32_XP_SP2' meta_info['version'] = '1.3' def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('OFFSET', short_option = 'o', default = None, help = 'EPROCESS Offset (in hex) in kernel address space', action = 'store', type = 'int') config.add_option('IMNAME', 
short_option = 'n', default = None, help = 'Operate on this Process name', action = 'store', type = 'str') config.add_option('PID', short_option = 'p', default = None, help = 'Operate on these Process IDs (comma-separated)', action = 'store', type = 'str') self._addrspace = None self._proc = None def getpidlist(self): return win32.tasks.pslist(self._addrspace) def getmodules(self): return win32.modules.lsmod(self._addrspace) def context_display(self): print "Current context: {0} @ {1:#x}, pid={2}, ppid={3} DTB={4:#x}".format(self._proc.ImageFileName, self._proc.obj_offset, self._proc.UniqueProcessId.v(), self._proc.InheritedFromUniqueProcessId.v(), self._proc.Pcb.DirectoryTableBase.v()) def ps(self, procs = None): print "{0:16} {1:6} {2:6} {3:8}".format("Name", "PID", "PPID", "Offset") for eproc in procs or self.getpidlist(): print "{0:16} {1:<6} {2:<6} {3:#08x}".format(eproc.ImageFileName, eproc.UniqueProcessId.v(), eproc.InheritedFromUniqueProcessId.v(), eproc.obj_offset) def modules(self, modules = None): if self._addrspace.profile.metadata.get('memory_model', '32bit') == '32bit': print "{0:10} {1:10} {2}".format("Offset", "Base", "Name") else: print "{0:18} {1:18} {2}".format("Offset", "Base", "Name") for module in modules or self.getmodules(): print "{0:#08x} {1:#08x} {2}".format(module.obj_offset, module.DllBase, module.FullDllName or module.BaseDllName or '') def set_context(self, offset = None, pid = None, name = None, physical = False): if physical and offset != None: offset = taskmods.DllList.virtual_process_from_physical_offset(self._addrspace, offset).obj_offset elif pid is not None: offsets = [] for p in self.getpidlist(): if p.UniqueProcessId.v() == pid: offsets.append(p) if not offsets: print "Unable to find process matching pid {0}".format(pid) return elif len(offsets) > 1: print "Multiple processes match {0}, please specify by offset".format(pid) print "Matching processes:" self.ps(offsets) return else: offset = offsets[0].v() elif name is not 
None: offsets = [] for p in self.getpidlist(): if p.ImageFileName.find(name) >= 0: offsets.append(p) if not offsets: print "Unable to find process matching name {0}".format(name) return elif len(offsets) > 1: print "Multiple processes match name {0}, please specify by PID or offset".format(name) print "Matching processes:" self.ps(offsets) return else: offset = offsets[0].v() elif offset is None: print "Must provide one of: offset, name, or pid as a argument." return self._proc = obj.Object("_EPROCESS", offset = offset, vm = self._addrspace) self.context_display() def render_text(self, _outfd, _data): self._addrspace = utils.load_as(self._config) if not self._config.OFFSET is None: self.set_context(offset = self._config.OFFSET) self.context_display() elif self._config.PID is not None: # FIXME: volshell is really not intended to switch into multiple # process contexts at once, so it doesn't make sense to use a csv # pid list. However, the linux and mac volshell call the respective # linux_pslist and mac_pslist which require a csv pidlist. After # the 2.3 release we should close this along with issue 375. pidlist = [int(p) for p in self._config.PID.split(',')] for p in pidlist: self.set_context(pid = p) break elif self._config.IMNAME is not None: self.set_context(name = self._config.IMNAME) else: # Just use the first process, whatever it is for p in self.getpidlist(): self.set_context(offset = p.v()) break # Functions inside the shell def cc(offset = None, pid = None, name = None, physical = False): """Change current shell context. This function changes the current shell context to to the process specified. The process specification can be given as a virtual address (option: offset), PID (option: pid), or process name (option: name). If multiple processes match the given PID or name, you will be shown a list of matching processes, and will have to specify by offset. 
""" self.set_context(offset = offset, pid = pid, name = name, physical = physical) def db(address, length = 0x80, space = None): """Print bytes as canonical hexdump. This function prints bytes at the given virtual address as a canonical hexdump. The address will be translated in the current process context (see help on cc for information on how to change contexts). The length parameter (default: 0x80) specifies how many bytes to print, the width parameter (default: 16) allows you to change how many bytes per line should be displayed, and the space parameter allows you to optionally specify the address space to read the data from. """ if not space: space = self._proc.get_process_address_space() #if length % 4 != 0: # length = (length+4) - (length%4) data = space.read(address, length) if not data: print "Memory unreadable at {0:08x}".format(address) return for offset, hexchars, chars in utils.Hexdump(data): print "{0:#010x} {1:<48} {2}".format(address + offset, hexchars, ''.join(chars)) def dd(address, length = 0x80, space = None): """Print dwords at address. This function prints the data at the given address, interpreted as a series of dwords (unsigned four-byte integers) in hexadecimal. The address will be translated in the current process context (see help on cc for information on how to change contexts). The optional length parameter (default: 0x80) controls how many bytes to display, and space allows you to optionally specify the address space to read the data from. 
""" if not space: space = self._proc.get_process_address_space() # round up to multiple of 4 if length % 4 != 0: length = (length + 4) - (length % 4) data = space.read(address, length) if not data: print "Memory unreadable at {0:08x}".format(address) return dwords = [] for i in range(0, length, 4): (dw,) = struct.unpack(" skip: db(hit + shift, length=length) if hit_count - skip == max: break print '-' * 16 if count: print '-' * 16 print 'Found {} matches.'.format(hit_count - skip) shell_funcs = {'find': find, 'cc': cc, 'dd': dd, 'db': db, 'ps': ps, 'dt': dt, 'list_entry': list_entry, 'dis': dis, 'dq': dq, 'modules': modules, 'sc': sc, 'addrspace': addrspace, 'proc': proc, 'getprocs': getprocs, 'getmods': getmods} def hh(cmd = None): """Get help on a command.""" shell_funcs['hh'] = hh import pydoc from inspect import getargspec, formatargspec if not cmd: print "\nUse addrspace() for Kernel/Virtual AS" print "Use addrspace().base for Physical AS" print "Use proc() to get the current process object" print " and proc().get_process_address_space() for the current process AS" print " and proc().get_load_modules() for the current process DLLs\n" for f in sorted(shell_funcs): doc = pydoc.getdoc(shell_funcs[f]) synop, _full = pydoc.splitdoc(doc) print "{0:40} : {1}".format(f + formatargspec(*getargspec(shell_funcs[f])), synop) print "\nFor help on a specific command, type 'hh()'" elif type(cmd) == str: try: doc = pydoc.getdoc(shell_funcs[cmd]) except KeyError: print "No such command: {0}".format(cmd) return print doc else: doc = pydoc.getdoc(cmd) print doc # Break into shell banner = "Welcome to volshell! 
Current memory image is:\n{0}\n".format(self._config.LOCATION) banner += "To get help, type 'hh()'" try: import IPython try: # New versions of IPython IPython.embed() except AttributeError: # Old versions of IPythom shell = IPython.Shell.IPShellEmbed([], banner = banner) shell() except (AttributeError, ImportError): import code, inspect frame = inspect.currentframe() # Try to enable tab completion try: import rlcompleter, readline #pylint: disable-msg=W0612 readline.parse_and_bind("tab: complete") except ImportError: pass # evaluate commands in current namespace namespace = frame.f_globals.copy() namespace.update(frame.f_locals) code.interact(banner = banner, local = namespace) volatility_2.6+git20170711.b3db0cc/volatility/plugins/imagecopy.py0000644000000000000000000001063513131215405023352 0ustar rootroot# Volatility # # Authors: # Mike Auty # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

import os
import volatility.debug as debug
import volatility.utils as utils
import volatility.commands as commands

class ImageCopy(commands.Command):
    """Copies a physical address space out as a raw DD image"""

    def __init__(self, *args, **kwargs):
        """Register the BLOCKSIZE, OUTPUT-IMAGE and COUNT options."""
        commands.Command.__init__(self, *args, **kwargs)
        self._config.add_option("BLOCKSIZE", short_option = "b", default = 1024 * 1024 * 5,
                                help = "Size (in bytes) of blocks to copy",
                                action = 'store', type = 'int')
        self._config.add_option("OUTPUT-IMAGE", short_option = "O", default = None,
                                help = "Writes a raw DD image out to OUTPUT-IMAGE",
                                action = 'store', type = 'str')
        self._config.add_option("COUNT", short_option = "c", default = False,
                                help = "Show status of copy in byte count",
                                action = 'store_true')

    def calculate(self):
        """Yield (offset, length, data) for every block of available memory.

        Each available range is cut into pieces of at most BLOCKSIZE bytes,
        read with zread().
        """
        blocksize = self._config.BLOCKSIZE
        addr_space = utils.load_as(self._config, astype = 'physical')

        ranges = list(addr_space.get_available_addresses())
        if not ranges:
            debug.error("Cannot find any memory ranges to convert. Make sure to specify --profile")

        for start, length in ranges:
            end = start + length
            for offset in range(start, end, blocksize):
                # The last block of a range may be shorter than blocksize.
                block_length = min(blocksize, end - offset)
                yield offset, block_length, addr_space.zread(offset, block_length)

    def human_readable(self, value):
        """Format a byte count as a two-decimal string with a B..TB suffix.

        The value moves up one unit whenever it is 800 or more.
        """
        for unit in ['B', 'KB', 'MB', 'GB']:
            if value < 800:
                return "{0:0.2f} {1:s}".format(value, unit)
            value = value / 1024.0
        return "{0:0.2f} TB".format(value)

    def render_text(self, outfd, data):
        """Renders the file to disk

        Every block is written at its own offset in the output image, so
        the image keeps the layout of the source address space. Progress
        goes to outfd, either as a byte count (COUNT) or as one dot per
        block.
        """
        image_path = self._config.OUTPUT_IMAGE
        if image_path is None:
            debug.error("Please provide -O/--output-image=FILENAME")

        # An existing file larger than one byte is never overwritten.
        # NOTE(review): the check and the open below are separate steps, and
        # "wb+" truncates; a file created in between would be overwritten.
        if os.path.exists(image_path) and (os.path.getsize(image_path) > 1):
            debug.error("Refusing to overwrite an existing file, please remove it before continuing")

        image = open(image_path, "wb+")
        # Offset of the last block written, reported if the copy fails.
        progress = 0
        try:
            # The mode is chosen once, outside the copy loops.
            if self._config.COUNT:
                # --count/-c for human-friendly output
                report_at = 0
                bytes_so_far = 0
                for offset, block_length, block in data:
                    image.seek(offset)
                    image.write(block)
                    image.flush()
                    bytes_so_far += block_length
                    if bytes_so_far > report_at:
                        outfd.write("Written: {0:,} bytes...\r".format(bytes_so_far))
                        report_at += self._config.BLOCKSIZE
                        outfd.flush()
                    progress = offset
                outfd.write("\nDone: {0:,} bytes.\n".format(bytes_so_far))
            else:
                # |...| progress bar
                outfd.write("Writing data (" + self.human_readable(self._config.BLOCKSIZE) + " chunks): |")
                for offset, block_length, block in data:
                    image.seek(offset)
                    image.write(block)
                    image.flush()
                    outfd.write(".")
                    outfd.flush()
                    progress = offset
                outfd.write("|\n")
        except TypeError as why:
            debug.error("Error when reading from address space: {0}".format(why))
        except BaseException as err:
            # BaseException is caught so that any interruption still reports
            # how far the copy got.
            debug.error("Unexpected error ({1}) during copy, recorded data up to offset {0:0x}".format(progress, str(err)))
        finally:
            image.close()
volatility_2.6+git20170711.b3db0cc/volatility/plugins/pooltracker.py0000644000000000000000000002324213131215405023720 0ustar rootroot# Volatility
# Copyright (C) Michael Ligh
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
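#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

import os
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.obj as obj
import volatility.debug as debug
import volatility.poolscan as poolscan
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

#--------------------------------------------------------------------------------
# Profile Modifications
#--------------------------------------------------------------------------------

class PoolTrackTagOverlay(obj.ProfileModification):
    """Overlays for pool trackers"""

    # Applied only to profiles whose 'os' is 'windows'.
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        """Make _POOL_TRACKER_TABLE.Key read as a 4-character String."""
        profile.merge_overlay({
            '_POOL_TRACKER_TABLE': [ None, {
            'Key': [ None, ['String', dict(length = 4)]]
            }],
        })

#--------------------------------------------------------------------------------
# PoolTracker Plugin
#--------------------------------------------------------------------------------

class PoolTracker(common.AbstractWindowsCommand):
    """Show a summary of pool tag usage"""

    def __init__(self, config, *args, **kwargs):
        """Register the TAGS, TAGFILE, WHITELIST and SHOW-FREE options."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('TAGS', short_option = 't', help = 'Pool tag to find')
        config.add_option('TAGFILE', short_option = 'T',
                          help = 'Pool tag file (pooltag.txt)', default = None)
        config.add_option('WHITELIST', short_option = 'W',
                          help = 'Apply whitelist (only show third party tags)',
                          default = False, action = "store_true")
        config.add_option('SHOW-FREE', short_option = 'F',
                          help = 'Show tags with no allocations',
                          default = False, action = "store_true")

    @staticmethod
    def is_valid_profile(profile):
        """Return True for profiles whose 'os' is 'windows' and 'major' is 6."""
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('major', 0) == 6)

    def calculate(self):
        """Yield (entry, driver, reason) for each selected tracker entry.

        driver and reason come from TAGFILE when the entry's tag is listed
        there and are empty strings otherwise. With WHITELIST set, entries
        whose tag is listed in TAGFILE are skipped.
        """
        kernel_space = utils.load_as(self._config)

        if not self.is_valid_profile(kernel_space.profile):
            debug.error("Windows XP/2003 does not track pool tags")

        # tag -> (driver, reason), parsed from "tag - driver - reason" lines.
        knowntags = {}
        if self._config.TAGFILE and os.path.isfile(self._config.TAGFILE):
            # "with" closes the tag file once it has been read; the handle
            # was previously left open.
            with open(self._config.TAGFILE) as tagfile:
                taglines = tagfile.readlines()
            for tag in taglines:
                tag = tag.strip()
                # Skip "rem" comment lines and blank lines. A stripped line
                # cannot start with a space, so that test is not needed.
                if tag.startswith("rem") or tag == "":
                    continue
                info = tag.split("-", 2)
                try:
                    key = info[0].strip()
                    driver = info[1].strip()
                    reason = info[2].strip()
                except IndexError:
                    # Lines with fewer than three fields are ignored.
                    continue
                knowntags[key] = (driver, reason)

        track_table = tasks.get_kdbg(kernel_space).PoolTrackTable

        # not really an address, this is just a trick to get
        # a 32bit number on x86 and 64bit number on x64. the
        # size is always directly before the pool table.
        table_size = obj.Object("address",
                                offset = track_table - kernel_space.profile.get_obj_size("address"),
                                vm = kernel_space)

        track_table = track_table.dereference_as("address")

        # table_size is read from the image; the upper bound keeps a bogus
        # value from becoming the element count of the array below.
        if not kernel_space.is_valid_address(track_table) or table_size > 100000:
            debug.error("Cannot find the table or its size is unexpected: {0}".format(table_size))

        entries = obj.Object("Array", targetType = "_POOL_TRACKER_TABLE",
                             offset = track_table, count = table_size,
                             vm = kernel_space)

        if self._config.TAGS:
            tags = self._config.TAGS.split(",")
        else:
            tags = []

        for entry in entries:

            if not self._config.SHOW_FREE:
                if entry.PagedBytes == 0 and entry.NonPagedBytes == 0:
                    continue

            if not tags or entry.Key in tags:
                try:
                    (driver, reason) = knowntags[str(entry.Key).strip()]
                    if self._config.WHITELIST:
                        continue
                except KeyError:
                    (driver, reason) = ("", "")
                yield entry, driver, reason

    def render_whitelist(self, outfd, data):
        """Write "tag - driver - reason" lines, skipping empty tags."""
        for entry, driver, reason in data:
            if str(entry.Key) == "":
                continue
            outfd.write("{0} - {1} - {2}\n".format(entry.Key, driver, reason))

    def render_text(self, outfd, data):
        """Write one table row of counters per entry, skipping empty tags."""
        self.table_header(outfd, [("Tag", "6"),
                                  ("NpAllocs", "8"),
                                  ("NpFrees", "8"),
                                  ("NpBytes", "8"),
                                  ("PgAllocs", "8"),
                                  ("PgFrees", "8"),
                                  ("PgBytes", "8"),
                                  ("Driver", "20"),
                                  ("Reason", "")])

        for entry, driver, reason in data:
            if str(entry.Key) == "":
                continue
            self.table_row(outfd, entry.Key,
                           entry.NonPagedAllocs,
                           entry.NonPagedFrees,
                           entry.NonPagedBytes,
                           entry.PagedAllocs,
                           entry.PagedFrees,
                           entry.PagedBytes,
                           driver, reason)

    def unified_output(self, data):
        """Return the TreeGrid whose rows are produced by generator()."""
        return TreeGrid([("Tag", str),
                         ("NpAllocs", int),
                         ("NpFrees", int),
                         ("NpBytes", int),
                         ("PgAllocs", int),
                         ("PgFrees", int),
                         ("PgBytes", int),
                         ("Driver", str),
                         ("Reason", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one (0, row) tuple per entry, skipping empty tags."""
        for entry, driver, reason in data:
            if str(entry.Key) == "":
                continue
            yield (0, [str(entry.Key),
                       int(entry.NonPagedAllocs),
                       int(entry.NonPagedFrees),
                       int(entry.NonPagedBytes),
                       int(entry.PagedAllocs),
                       int(entry.PagedFrees),
                       int(entry.PagedBytes),
                       str(driver),
                       str(reason)])

#--------------------------------------------------------------------------------
# Configurable PoolScanner Plugin
#--------------------------------------------------------------------------------

class GenericPoolScan(poolscan.SinglePoolScanner):
    """Configurable pool scanner"""

class PoolPeek(common.AbstractWindowsCommand):
    """Configurable pool scanner plugin"""

    def __init__(self, config, *args, **kwargs):
        """Register the TAG, MIN-SIZE, MAX-SIZE and PAGED options."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('TAG', short_option = 't',
                          help = 'Pool tag to find')
        config.add_option('MIN-SIZE', short_option = 'm',
                          type = 'int',
                          help = 'Minimum size of the pool to find (default: 0)',
                          default = 0)
        config.add_option('MAX-SIZE', short_option = 'M',
                          type = 'int',
                          help = 'Maximum size of the pool to find (default: 4096)',
                          default = 4096)
        config.add_option('PAGED', short_option = 'P',
                          help = 'Search in paged pools (default: False)',
                          default = False, action = "store_true")

    def calculate(self):
        """Yield (pool header, bytes) for each pool found by the scanner.

        The scanner looks for TAG in pools whose size lies between MIN-SIZE
        and MAX-SIZE, in paged pools when PAGED is set and in non-paged
        pools otherwise.
        """
        addr_space = utils.load_as(self._config)

        tag = self._config.TAG

        if tag == None:
            debug.error("You must enter a --tag to find")

        minsize = self._config.MIN_SIZE
        maxsize = self._config.MAX_SIZE
        poolsize = lambda x : x >= minsize and x <= maxsize

        # Exactly one of the two pool kinds is searched.
        if self._config.PAGED:
            paged = True
            non_paged = False
        else:
            paged = False
            non_paged = True

        scanner = GenericPoolScan()
        scanner.checks = [
            ('PoolTagCheck', dict(tag = tag)),
            ('CheckPoolSize', dict(condition = poolsize)),
            ('CheckPoolType', dict(paged = paged, non_paged = non_paged)),
            ]

        for offset in scanner.scan(addr_space):
            pool = obj.Object("_POOL_HEADER", offset = offset, vm = addr_space)
            # NOTE(review): only minsize bytes are read, so with the default
            # MIN-SIZE of 0 the buffer is empty -- confirm this is intended.
            buf = addr_space.zread(offset, minsize)
            yield pool, buf

    def render_text(self, outfd, data):
        """Write the header offset, the size and a hexdump for each pool.

        The size is BlockSize multiplied by the PoolAlignment magic value.
        """
        for pool, buf in data:
            pool_alignment = obj.VolMagic(pool.obj_vm).PoolAlignment.v()
            outfd.write("Pool Header: {0:#x}, Size: {1}\n".format(
                pool.obj_offset,
                pool.BlockSize * pool_alignment))
            outfd.write("{0}\n".format("\n".join(
                ["{0:#010x} {1:<48} {2}".format(pool.obj_offset + o, h, ''.join(c))
                 for o, h, c in utils.Hexdump(buf)
                ])))
            outfd.write("\n")
volatility_2.6+git20170711.b3db0cc/volatility/plugins/__init__.py0000644000000000000000000000205313131215405023127 0ustar rootrootimport volatility.conf as conf import volatility.constants as constants import os import sys config = conf.ConfObject() help_prefix = "" plugin_separator = ":" # Make a platform-dependent decision on plugin path separators # The separator is now in keeping with the PATH environment variable if sys.platform.startswith('win'): help_prefix = "semi-" plugin_separator = ";" config.add_option("PLUGINS", default = "", cache_invalidator = False, help = "Additional plugin directories to use (" + help_prefix + "colon separated)") # Add the PLUGINPATH, in case we're frozen __path__ = [constants.PLUGINPATH] + [ e for e in __path__ if not constants.PLUGINPATH.startswith(e) ] # This causes the config.PLUGINS paths to be treated as extensions of the volatility.plugins package # Meaning that each directory is search for module when import volatility.plugins.module is requested if config.PLUGINS: plugin_paths = [ os.path.abspath(x) for x in config.PLUGINS.split(plugin_separator)]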
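__path__.extend(plugin_paths) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mbrparser.py0000644000000000000000000005430613131215405023375 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (C) 2011 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Jamie Levy (gleeda)
@license: GNU General Public License 2.0
@contact: jamie@memoryanalysis.net
@organization: Volatility Foundation
"""

import volatility.commands as commands
import volatility.scan as scan
import volatility.obj as obj
import volatility.utils as utils
import volatility.debug as debug
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address, Hex, Bytes
import struct
import hashlib
import os

try:
    import distorm3
    has_distorm3 = True
except ImportError:
    has_distorm3 = False

# Partition types taken from Gary Kessler's MBRParser.pl:
# http://www.garykessler.net/software/index.html
PartitionTypes = {
    0x00:"Empty",
    0x01:"FAT12,CHS",
    0x04:"FAT16 16-32MB,CHS",
    0x05:"Microsoft Extended",
    0x06:"FAT16 32MB,CHS",
    0x07:"NTFS",
    0x0b:"FAT32,CHS",
    0x0c:"FAT32,LBA",
    0x0e:"FAT16, 32MB-2GB,LBA",
    0x0f:"Microsoft Extended, LBA",
    0x11:"Hidden FAT12,CHS",
    0x14:"Hidden FAT16,16-32MB,CHS",
    0x16:"Hidden FAT16,32MB-2GB,CHS",
    0x18:"AST SmartSleep Partition",
    0x1b:"Hidden FAT32,CHS",
    0x1c:"Hidden FAT32,LBA",
    0x1e:"Hidden FAT16,32MB-2GB,LBA",
    0x27:"PQservice",
    0x39:"Plan 9 partition",
    0x3c:"PartitionMagic recovery partition",
    0x42:"Microsoft MBR,Dynamic Disk",
    0x44:"GoBack partition",
    0x51:"Novell",
    0x52:"CP/M",
    0x63:"Unix System V",
    0x64:"PC-ARMOUR protected partition",
    0x82:"Solaris x86 or Linux Swap",
    0x83:"Linux",
    0x84:"Hibernation",
    0x85:"Linux Extended",
    0x86:"NTFS Volume Set",
    0x87:"NTFS Volume Set",
    0x9f:"BSD/OS",
    0xa0:"Hibernation",
    0xa1:"Hibernation",
    0xa5:"FreeBSD",
    0xa6:"OpenBSD",
    0xa8:"Mac OSX",
    0xa9:"NetBSD",
    0xab:"Mac OSX Boot",
    0xaf:"MacOS X HFS",
    0xb7:"BSDI",
    0xb8:"BSDI Swap",
    0xbb:"Boot Wizard hidden",
    0xbe:"Solaris 8 boot partition",
    0xd8:"CP/M-86",
    0xde:"Dell PowerEdge Server utilities (FAT fs)",
    0xdf:"DG/UX virtual disk manager partition",
    0xeb:"BeOS BFS",
    0xee:"EFI GPT Disk",
    0xef:"EFI System Parition",
    0xfb:"VMWare File System",
    0xfc:"VMWare Swap",
}

# Using structures defined in File System Forensic Analysis pg 88+
# boot code is from bytes 0-439 in the partition table
# we should disassemble
MBR_types = {
    'PARTITION_ENTRY': [ 0x10, {
        'BootableFlag': [0x0, ['char']], # 0x80 is bootable
        'StartingCHS': [0x1, ['array', 3, ['unsigned char']]],
        'PartitionType': [0x4, ['char']],
        'EndingCHS': [0x5, ['array', 3, ['unsigned char']]],
        'StartingLBA': [0x8, ['unsigned int']],
        'SizeInSectors': [0xc, ['int']],
    }],
    'PARTITION_TABLE': [ 0x200, {
        'DiskSignature': [ 0x1b8, ['array', 4, ['unsigned char']]],
        'Unused': [ 0x1bc, ['unsigned short']],
        'Entry1': [ 0x1be, ['PARTITION_ENTRY']],
        'Entry2': [ 0x1ce, ['PARTITION_ENTRY']],
        'Entry3': [ 0x1de, ['PARTITION_ENTRY']],
        'Entry4': [ 0x1ee, ['PARTITION_ENTRY']],
        'Signature': [0x1fe, ['unsigned short']],
    }]
}

class PARTITION_ENTRY(obj.CType):
    # One 16-byte partition table entry, with helpers that decode its
    # single-byte flags and its packed CHS fields.

    def get_value(self, char):
        """Return a one-byte field as an unsigned integer.

        The byte is left-padded with three zero bytes and unpacked as a
        big-endian 32-bit value, so the result is in 0..255.
        """
        padded = "\x00\x00\x00" + str(char)
        val = int(struct.unpack('>I', padded)[0])
        return val

    def get_type(self):
        """Return the PartitionTypes name for this entry, or "Invalid"."""
        return PartitionTypes.get(self.get_value(self.PartitionType), "Invalid")

    def is_bootable(self):
        """True when the boot flag byte is exactly 0x80."""
        return self.get_value(self.BootableFlag) == 0x80

    def is_bootable_and_used(self):
        """True when the entry is flagged bootable and has a known, non-empty type."""
        return self.is_bootable() and self.is_used()

    def is_valid(self):
        """True when the partition type byte is listed in PartitionTypes."""
        return self.get_type() != "Invalid"

    def is_used(self):
        """True when the partition type is known and is not "Empty"."""
        return self.get_type() != "Empty" and self.is_valid()

    def StartingSector(self):
        # The sector number is the low six bits of the second CHS byte.
        return self.StartingCHS[1] % 64

    def StartingCylinder(self):
        # The two high bits of the second CHS byte, multiplied by four,
        # are added to the third CHS byte.
        return (self.StartingCHS[1] - self.StartingSector()) * 4 + self.StartingCHS[2]

    def EndingSector(self):
        return self.EndingCHS[1] % 64

    def EndingCylinder(self):
        return (self.EndingCHS[1] - self.EndingSector()) * 4 + self.EndingCHS[2]

    def __str__(self):
        """Render the entry as the multi-line text used by the text renderer."""
        bootable = self.get_value(self.BootableFlag)
        processed_entry = "Boot flag: {0:#x} {1}\n".format(bootable, "(Bootable)" if self.is_bootable() else '')
        processed_entry += "Partition type: {0:#x} ({1})\n".format(self.get_value(self.PartitionType), self.get_type())
        processed_entry += "Starting Sector (LBA): {0:#x} ({0})\n".format(self.StartingLBA)
        processed_entry += "Starting CHS: Cylinder: {0} Head: {1} Sector: {2}\n".format(self.StartingCylinder(),
                    self.StartingCHS[0],
                    self.StartingSector())
        processed_entry += "Ending CHS: Cylinder: {0} Head: {1} Sector: {2}\n".format(self.EndingCylinder(),
                    self.EndingCHS[0],
                    self.EndingSector())
        processed_entry += "Size in sectors: {0:#x} ({0})\n\n".format(self.SizeInSectors)
        return processed_entry

class MbrObjectTypes(obj.ProfileModification):
    # Registers the MBR structures and the PARTITION_ENTRY class in a profile.
    def modification(self, profile):
        profile.object_classes.update({
            'PARTITION_ENTRY': PARTITION_ENTRY,
        })
        profile.vtypes.update(MBR_types)

class MBRScanner(scan.BaseScanner):
    # Finds the given needles and reports the start of the 512-byte sector
    # that would end with each hit.
    checks = [ ]

    def __init__(self, window_size = 512, needles = None):
        self.needles = needles
        self.checks = [ ("MultiStringFinderCheck", {'needles':needles})]
        scan.BaseScanner.__init__(self, window_size)

    def scan(self, address_space, offset = 0, maxlen = None):
        """Yield candidate sector starts, 0x1fe bytes before each needle hit."""
        for hit in scan.BaseScanner.scan(self, address_space, offset, maxlen):
            # A hit in the first 0x1fe bytes would place the sector start
            # before offset zero, so it cannot be an MBR signature.
            if hit < 0x1fe:
                continue
            yield hit - 0x1fe

class MBRParser(commands.Command):
    """ Scans for and parses potential Master Boot Records (MBRs) """

    def __init__(self, config, *args, **kwargs):
        commands.Command.__init__(self, config, *args)
        # We have all these options, however another will be added for diffing
        # when it is more refined
        config.add_option('HEX', short_option = 'H', default = False,
                          help = 'Output HEX of Bootcode instead of default disassembly',
                          action = "store_true")
        config.add_option('HASH', short_option = 'M', default = None,
                          help = "Hash of bootcode (up to RET) to search for",
                          action = "store", type = "str")
        config.add_option('FULLHASH', short_option = 'F', default = None,
                          help = "Hash of full bootcode to search for",
                          action = "store", type = "str")
        config.add_option('DISOFFSET', short_option = 'D', default = None,
                          help = "Offset to start disassembly",
                          action = "store", type = "int")
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = "Offset of MBR",
                          action = "store", type = "int")
        config.add_option('NOCHECK', short_option = 'N', default = False,
                          help = "Don't check partitions",
                          action = "store_true")
        config.add_option('DISK', short_option = 'm', default = None,
                          help = "Disk or extracted MBR",
                          action = "store", type = "str")
        config.add_option('MAXDISTANCE', short_option = 'x', default = None,
                          help = "Maximum Levenshtein distance for MBR vs Disk",
                          action = "store", type = "int")
        config.add_option('ZEROSTART', short_option = 'z', default = False,
                          help = 'Start the output header at zero',
                          action = "store_true")

        # Boot code up to and including the first RET; set by get_disasm_text().
        self.code_data = ""
        # First 440 bytes of the file given with --disk, when one is supplied.
        self.disk_mbr = None

    # Taken from:
    # http://en.wikibooks.org/wiki/Algorithm_implementation/Strings/Levenshtein_distance#Python
    def levenshtein(self, s1, s2):
        """Return the Levenshtein edit distance between two sequences."""
        if len(s1) < len(s2):
            return self.levenshtein(s2, s1)

        # len(s1) >= len(s2)
        if len(s2) == 0:
            return len(s1)

        previous_row = xrange(len(s2) + 1)
        for i, c1 in enumerate(s1):
            current_row = [i + 1]
            for j, c2 in enumerate(s2):
                insertions = previous_row[j + 1] + 1 # j+1 instead of j since previous_row and current_row are one character longer
                deletions = current_row[j] + 1       # than s2
                substitutions = previous_row[j] + (c1 != c2)
                current_row.append(min(insertions, deletions, substitutions))
            previous_row = current_row

        return previous_row[-1]

    def calculate(self):
        """Yield (offset, PARTITION_TABLE, boot_code) for each candidate MBR.

        With --offset a single location is examined; otherwise physical
        memory is scanned for the 0x55 0xaa signature. Candidates whose
        boot code is unreadable or entirely zero are dropped.
        """
        address_space = utils.load_as(self._config, astype = 'physical')
        if not has_distorm3 and not self._config.HEX:
            debug.error("Install distorm3 code.google.com/p/distorm/")
        if self._config.MAXDISTANCE != None and not self._config.DISK:
            debug.error("Must supply the path for the extracted MBR/Disk when using MAXDISTANCE")
        if self._config.DISK and not os.path.isfile(self._config.DISK):
            debug.error(self._config.DISK + " does not exist")

        diff = 0
        if self._config.DISOFFSET:
            diff = self._config.DISOFFSET

        if self._config.DISK:
            # The context manager closes the handle even if the read fails.
            with open(self._config.DISK, "rb") as disk_file:
                self.disk_mbr = disk_file.read(440)

        # Compare against None so that an explicit --offset=0 is honoured
        # instead of silently falling back to a full scan.
        if self._config.OFFSET != None:
            PARTITION_TABLE = obj.Object('PARTITION_TABLE', vm = address_space,
                               offset = self._config.OFFSET)
            boot_code = address_space.read(self._config.OFFSET + diff, 440 - diff)
            if boot_code:
                all_zeros = boot_code.count(chr(0)) == len(boot_code)
                if not all_zeros:
                    yield self._config.OFFSET, PARTITION_TABLE, boot_code
                else:
                    print("Not a valid MBR: Data all zeroed out")
        else:
            scanner = MBRScanner(needles = ['\x55\xaa'])
            for offset in scanner.scan(address_space):
                PARTITION_TABLE = obj.Object('PARTITION_TABLE', vm = address_space,
                               offset = offset)
                boot_code = address_space.read(offset + diff, 440 - diff)
                if boot_code:
                    all_zeros = boot_code.count(chr(0)) == len(boot_code)
                    if not all_zeros:
                        yield offset, PARTITION_TABLE, boot_code

    def Hexdump(self, data, given_offset = 0, width = 16):
        """Yield (offset, hex string, printable characters) per row of data."""
        for offset in xrange(0, len(data), width):
            row_data = data[offset:offset + width]
            translated_data = [x if ord(x) < 127 and ord(x) > 32 else "." for x in row_data]
            hexdata = " ".join(["{0:02x}".format(ord(x)) for x in row_data])

            yield offset + given_offset, hexdata, translated_data

    def _get_instructions(self, boot_code):
        """Return the string that levenshtein() compares for boot_code.

        With --hex this is the printable rendering of every byte; otherwise
        it is the instruction text up to the first RET followed by the
        printable rendering of the remaining bytes.
        """
        if self._config.HEX:
            return "".join(["{2}".format(o, h, ''.join(c)) for o, h, c in self.Hexdump(boot_code, 0)])
        iterable = distorm3.DecodeGenerator(0, boot_code, distorm3.Decode16Bits)
        ret = ""
        for (offset, size, instruction, hexdump) in iterable:
            ret += "{0}".format(instruction)
            if instruction == "RET":
                hexstuff = "".join(["{2}".format(o, h, ''.join(c)) for o, h, c in self.Hexdump(boot_code[offset + size:], 0)])
                ret += hexstuff
                break
        return ret

    def get_disasm_text(self, boot_code, start):
        """Disassemble boot_code as 16-bit code and return the listing.

        Side effect: self.code_data is set to boot_code, truncated after
        the first RET when one is decoded. Bytes after that RET are
        appended to the listing as a hexdump.
        """
        iterable = distorm3.DecodeGenerator(0, boot_code, distorm3.Decode16Bits)
        ret = ""
        self.code_data = boot_code
        for (offset, size, instruction, hexdump) in iterable:
            ret += "{0:010x}: {1:<32} {2}\n".format(offset + start, hexdump, instruction)
            if instruction == "RET":
                self.code_data = boot_code[0:offset + size]
                hexstuff = "\n" + "\n".join(["{0:010x}: {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in self.Hexdump(boot_code[offset + size:], offset + start + size)])
                ret += hexstuff
                break
        return ret

    def _partition_entries(self, PARTITION_TABLE):
        """Return the four table entries as PARTITION_ENTRY objects, in order."""
        return [PARTITION_TABLE.Entry1.dereference_as('PARTITION_ENTRY'),
                PARTITION_TABLE.Entry2.dereference_as('PARTITION_ENTRY'),
                PARTITION_TABLE.Entry3.dereference_as('PARTITION_ENTRY'),
                PARTITION_TABLE.Entry4.dereference_as('PARTITION_ENTRY')]

    def _partition_columns(self, entry):
        """Return the six unified-output cells describing one entry."""
        return ["{0:#x} {1}".format(entry.get_value(entry.BootableFlag), "(Bootable)" if entry.is_bootable() else ""),
                "{0:#x} ({1})".format(entry.get_value(entry.PartitionType), entry.get_type()),
                Hex(entry.StartingLBA),
                "Cylinder: {0} Head: {1} Sector: {2}".format(entry.StartingCylinder(),
                    entry.StartingCHS[0],
                    entry.StartingSector()),
                "Cylinder: {0} Head: {1} Sector: {2}".format(entry.EndingCylinder(),
                    entry.EndingCHS[0],
                    entry.EndingSector()),
                Hex(entry.SizeInSectors)]

    def _fingerprint_and_filter(self, boot_code):
        """Hash the boot code and apply the --hash/--fullhash/--maxdistance filters.

        Returns None when the record is filtered out, otherwise a tuple
        (bootcode md5, full bootcode md5, distance). The first digest
        covers self.code_data, the second covers all of boot_code.
        """
        # MD5 serves here as a lookup fingerprint for known boot code. It is
        # not collision-resistant, so a matching digest is a lead to confirm
        # against the bytes themselves rather than proof of identity.
        h = hashlib.md5()
        f = hashlib.md5()
        h.update(self.code_data)
        f.update(boot_code)
        boot_md5 = h.hexdigest()
        full_md5 = f.hexdigest()
        if self._config.HASH:
            if boot_md5.lower() != self._config.HASH.lower():
                return None
        elif self._config.FULLHASH:
            if full_md5.lower() != self._config.FULLHASH.lower():
                return None
        distance = 0
        if self.disk_mbr:
            distance = self.levenshtein(self._get_instructions(self.disk_mbr), self._get_instructions(boot_code))
            if self._config.MAXDISTANCE != None and distance > self._config.MAXDISTANCE:
                return None
        return boot_md5, full_md5, distance

    def unified_output(self, data):
        """Describe the MBR records as a TreeGrid fed by generator()."""
        columns = [("Offset", Address),
                   ("DiskSignature", str),
                   ("BootMD5", str),
                   ("FullBootMD5", str),
                   ("Distance", int)]
        # Six columns per partition entry, named PartA... through PartD...
        for letter in "ABCD":
            prefix = "Part" + letter
            columns.extend([(prefix + "BootFlag", str),
                            (prefix + "Type", str),
                            (prefix + "LBA", Hex),
                            (prefix + "StartCHS", str),
                            (prefix + "EndCHS", str),
                            (prefix + "SectorSize", Hex)])
        columns.append(("Bootcode", Bytes))
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one unified-output row per MBR that passes the filters."""
        for offset, PARTITION_TABLE, boot_code in data:
            entries = self._partition_entries(PARTITION_TABLE)
            have_bootable = any(entry.is_bootable_and_used() for entry in entries)
            if not self._config.NOCHECK and not have_bootable:
                # it doesn't really make sense to have a partition that is bootable, but empty or invalid
                # but we only skip MBRs with these types of partitions if we are checking
                continue

            if not self._config.HEX:
                # get_disasm_text() is what fills self.code_data for this
                # record. Without this call BootMD5 and the --hash filter
                # would be computed over an empty or stale buffer instead of
                # this record's code up to RET. Records with no disassembly
                # are skipped, as in render_text().
                disasm = self.get_disasm_text(boot_code, offset)
                if disasm == "" or self.code_data == None:
                    continue
            # NOTE(review): with --hex nothing is disassembled, so
            # self.code_data keeps its previous value and BootMD5 does not
            # describe this record; render_text() behaves the same way.

            verdict = self._fingerprint_and_filter(boot_code)
            if verdict == None:
                continue
            boot_md5, full_md5, distance = verdict

            disksig = "{0:02x}-{1:02x}-{2:02x}-{3:02x}".format(
                PARTITION_TABLE.DiskSignature[0],
                PARTITION_TABLE.DiskSignature[1],
                PARTITION_TABLE.DiskSignature[2],
                PARTITION_TABLE.DiskSignature[3])

            row = [Address(offset),
                   disksig,
                   str(boot_md5),
                   str(full_md5),
                   int(distance)]
            for entry in entries:
                row.extend(self._partition_columns(entry))
            row.append(Bytes(boot_code))
            yield (0, row)

    def render_text(self, outfd, data):
        """Write each MBR that passes the filters as a text report."""
        border = "*" * 75
        dis = 0
        if self._config.DISOFFSET:
            dis = self._config.DISOFFSET
        for offset, PARTITION_TABLE, boot_code in data:
            entries = self._partition_entries(PARTITION_TABLE)
            have_bootable = any(entry.is_bootable_and_used() for entry in entries)
            if not self._config.NOCHECK and not have_bootable:
                # it doesn't really make sense to have a partition that is bootable, but empty or invalid
                # but we only skip MBRs with these types of partitions if we are checking
                continue
            disasm = ""
            start = offset
            boot_code_output = ""
            if self._config.ZEROSTART:
                start = 0
            if not self._config.HEX:
                disasm = self.get_disasm_text(boot_code, start + dis)
                if disasm == "" or self.code_data == None:
                    continue
                boot_code_output = "Disassembly of Bootable Code:\n{0}\n\n".format(disasm)
            else:
                hexstuff = "\n" + "\n".join(["{0:010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in self.Hexdump(boot_code, start)])
                boot_code_output = "Bootable code: \n{0} \n\n".format(hexstuff)

            verdict = self._fingerprint_and_filter(boot_code)
            if verdict == None:
                continue
            boot_md5, full_md5, distance = verdict

            outfd.write("{0}\n".format(border))
            outfd.write("Potential MBR at physical offset: {0:#x}\n".format(offset))
            outfd.write("Disk Signature: {0:02x}-{1:02x}-{2:02x}-{3:02x}\n".format(
                PARTITION_TABLE.DiskSignature[0],
                PARTITION_TABLE.DiskSignature[1],
                PARTITION_TABLE.DiskSignature[2],
                PARTITION_TABLE.DiskSignature[3]))

            outfd.write("Bootcode md5: {0}\n".format(boot_md5))
            outfd.write("Bootcode (FULL) md5: {0}\n".format(full_md5))
            if self.disk_mbr:
                outfd.write("\nLevenshtein Distance from Supplied MBR: {0}\n\n".format(distance))
            outfd.write(boot_code_output)

            for number, entry in enumerate(entries, 1):
                outfd.write("===== Partition Table #{0} =====\n".format(number))
                outfd.write(str(entry))
            outfd.write("{0}\n\n".format(border))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/procdump.py0000644000000000000000000001521313131215405023223 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# Additional Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .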
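#

import os
import struct
from volatility import renderers
from volatility.commands import Command
import volatility.plugins.taskmods as taskmods
import volatility.debug as debug
import volatility.obj as obj
import volatility.exceptions as exceptions
from volatility.renderers.basic import Address

class ProcDump(taskmods.DllList):
    """Dump a process to an executable file sample"""

    def __init__(self, config, *args, **kwargs):
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump executable files')
        config.add_option("UNSAFE", short_option = "u", default = False, action = 'store_true',
                          help = 'Bypasses certain sanity checks when creating image')
        config.add_option("MEMORY", short_option = "m", default = False, action = 'store_true',
                          help = "Carve as a memory sample rather than exe/disk")
        config.add_option('FIX', short_option = 'x', default = False,
                          help = 'Modify the image base of the dump to the in-memory base address',
                          action = 'store_true')

    def _check_dump_dir(self):
        """Abort through debug.error unless --dump-dir names an existing directory."""
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

    def dump_pe(self, space, base, dump_file):
        """
        Dump a PE from an AS into a file.

        The output file is opened in 'wb' mode, so an existing file of the
        same name in the dump directory is replaced.

        @param space: an AS to use
        @param base: PE base address
        @param dump_file: dumped file name

        @returns a string status message
        """
        # The context manager closes the file on every path, including
        # exceptions other than the two handled below.
        with open(os.path.join(self._config.DUMP_DIR, dump_file), 'wb') as of:
            pe_file = obj.Object("_IMAGE_DOS_HEADER", offset = base, vm = space)

            try:
                for offset, code in pe_file.get_image(unsafe = self._config.UNSAFE,
                                                      memory = self._config.MEMORY,
                                                      fix = self._config.FIX):
                    of.seek(offset)
                    of.write(code)
                result = "OK: {0}".format(dump_file)
            except ValueError as ve:
                result = "Error: {0}".format(ve)
            except exceptions.SanityCheckException as ve:
                result = "Error: {0} Try -u/--unsafe".format(ve)

        return result

    def _dump_task(self, task):
        """Dump one process image and return the status string for its row.

        The output name is built only from the process id, so two tasks
        with the same id written to one dump directory share a file name.
        """
        # The comparisons use == None, as elsewhere in this file, rather
        # than an identity test.
        task_space = task.get_process_address_space()
        if task_space == None:
            return "Error: Cannot acquire process AS"
        if task.Peb == None:
            # we must use m() here, because any other attempt to
            # reference task.Peb will try to instantiate the _PEB
            return "Error: PEB at {0:#x} is unavailable (possibly due to paging)".format(task.m('Peb'))
        if task_space.vtop(task.Peb.ImageBaseAddress) == None:
            return "Error: ImageBaseAddress at {0:#x} is unavailable (possibly due to paging)".format(task.Peb.ImageBaseAddress)
        dump_file = "executable." + str(task.UniqueProcessId) + ".exe"
        return self.dump_pe(task_space, task.Peb.ImageBaseAddress, dump_file)

    def calculate(self):
        """Validate the dump directory, then defer to DllList.calculate()."""
        self._check_dump_dir()

        return taskmods.DllList.calculate(self)

    def unified_output(self, data):
        """Renders the tasks to disk images, outputting progress as they go"""
        return renderers.TreeGrid(
                          [("Process(V)", Address),
                           ("ImageBase", Address),
                           ("Name", str),
                           ("Result", str)],
                          self.generator(data))

    def generator(self, data):
        """Dump each task and yield its unified-output row."""
        for task in data:
            result = self._dump_task(task)
            yield (0,
                    [Address(task.obj_offset),
                     Address(task.Peb.ImageBaseAddress),
                     str(task.ImageFileName),
                     str(result)])

    def render_text(self, outfd, data):
        """Renders the tasks to disk images, outputting progress as they go"""
        self._check_dump_dir()

        self.table_header(outfd,
                          [("Process(V)", "[addrpad]"),
                           ("ImageBase", "[addrpad]"),
                           ("Name", "20"),
                           ("Result", "")])

        for task in data:
            result = self._dump_task(task)
            self.table_row(outfd,
                            task.obj_offset,
                            task.Peb.ImageBaseAddress,
                            task.ImageFileName,
                            result)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/modscan.py0000644000000000000000000001401013131215405023010 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.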
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
This module implements the fast module scanning

@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import common
from volatility import renderers
import volatility.plugins.filescan as filescan
import volatility.obj as obj
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.poolscan as poolscan
from volatility.renderers.basic import Address, Hex

class PoolScanModule(poolscan.PoolScanner):
    """Pool scanner for kernel modules"""

    def __init__(self, address_space):
        poolscan.PoolScanner.__init__(self, address_space)

        # Structure carried by the pool and the tag that marks it.
        self.struct_name = "_LDR_DATA_TABLE_ENTRY"
        self.pooltag = "MmLd"

        def size_ok(pool_size):
            return pool_size >= 0x4C

        def index_ok(pool_index):
            return pool_index < 5

        self.checks = [
            ('CheckPoolSize', {'condition': size_ok}),
            ('CheckPoolType', {'paged': False, 'non_paged': True, 'free': True}),
            ('CheckPoolIndex', {'value': index_ok}),
        ]

class ModScan(common.AbstractScanCommand):
    """Pool scanner for kernel modules"""

    scanners = [PoolScanModule]

    # Declare meta information associated with this plugin
    meta_info = {
        'author': 'Brendan Dolan-Gavitt',
        'copyright': 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        'contact': 'bdolangavitt@wesleyan.edu',
        'license': 'GNU General Public License 2.0',
        'url': 'http://moyix.blogspot.com/',
        'os': 'WIN_32_XP_SP2',
        'version': '1.0',
    }

    def unified_output(self, data):
        """Return a TreeGrid with one row per module entry found by the scan."""
        columns = [
            (self.offset_column(), Address),
            ('Name', str),
            ('Base', Address),
            ('Size', Hex),
            ('File', str),
        ]

        def module_rows(entries):
            for module in entries:
                row = [
                    Address(module.obj_offset),
                    str(module.BaseDllName or ''),
                    Address(module.DllBase),
                    Hex(module.SizeOfImage),
                    str(module.FullDllName or ''),
                ]
                yield (0, row)

        return renderers.TreeGrid(columns, module_rows(data))

    def render_text(self, outfd, data):
        """Write the module entries as a text table."""
        header = [
            (self.offset_column(), "#018x"),
            ('Name', "20"),
            ('Base', "[addrpad]"),
            ('Size', "[addr]"),
            ('File', ""),
        ]
        self.table_header(outfd, header)

        for module in data:
            base_name = str(module.BaseDllName or '')
            full_name = str(module.FullDllName or '')
            self.table_row(outfd,
                           module.obj_offset,
                           base_name,
                           module.DllBase,
                           module.SizeOfImage,
                           full_name)

class PoolScanThread(poolscan.PoolScanner):
    """Pool scanner for thread objects"""

    def __init__(self, address_space):
        poolscan.PoolScanner.__init__(self, address_space)

        self.struct_name = "_ETHREAD"
        self.object_type = "Thread"
        # this allows us to find terminated threads
        self.skip_type_check = True
        self.pooltag = obj.VolMagic(address_space).ThreadPoolTag.v()

        size = 0x278 # self.address_space.profile.get_obj_size("_ETHREAD")

        def size_ok(pool_size):
            return pool_size >= size

        def index_ok(pool_index):
            return pool_index < 5

        self.checks = [
            ('CheckPoolSize', {'condition': size_ok}),
            ('CheckPoolType', {'paged': False, 'non_paged': True, 'free': True}),
            ('CheckPoolIndex', {'value': index_ok}),
        ]

class ThrdScan(common.AbstractScanCommand):
    """Pool scanner for thread objects"""

    scanners = [PoolScanThread]

    def unified_output(self, data):
        """Return a TreeGrid with one row per thread object found by the scan."""
        columns = [
            (self.offset_column(), Address),
            ("PID", int),
            ("TID", int),
            ("Start Address", Address),
            ("Create Time", str),
            ("Exit Time", str),
        ]

        def thread_rows(threads):
            for thread in threads:
                row = [
                    Address(thread.obj_offset),
                    int(thread.Cid.UniqueProcess),
                    int(thread.Cid.UniqueThread),
                    Address(thread.StartAddress),
                    str(thread.CreateTime or ''),
                    str(thread.ExitTime or ''),
                ]
                yield (0, row)

        return renderers.TreeGrid(columns, thread_rows(data))

    def render_text(self, outfd, data):
        """Write the thread objects as a text table."""
        header = [
            (self.offset_column(), "#018x"),
            ("PID", ">6"),
            ("TID", ">6"),
            ("Start Address", "[addr]"),
            ("Create Time", "30"),
            ("Exit Time", "30"),
        ]
        self.table_header(outfd, header)

        for thread in data:
            created = thread.CreateTime or ''
            exited = thread.ExitTime or ''
            self.table_row(outfd,
                           thread.obj_offset,
                           thread.Cid.UniqueProcess,
                           thread.Cid.UniqueThread,
                           thread.StartAddress,
                           created,
                           exited,
                           )
volatility_2.6+git20170711.b3db0cc/volatility/plugins/tcaudit.py0000644000000000000000000007505413131215405023040 0ustar rootroot
# Volatility
# Copyright (c) 2008-2014 Volatility Foundation
# Copyright (c) 2013,2014 Michael Ligh (michael.ligh@mnin.org)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
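#

import os
import volatility.obj as obj
import volatility.debug as debug
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks
import volatility.plugins.filescan as filescan
import volatility.plugins.malware.devicetree as devicetree
import volatility.plugins.malware.svcscan as svcscan
import volatility.plugins.registry.registryapi as registryapi

# The four tables below are Volatility vtype definitions: each entry maps a
# structure name to [size, {member: [offset, [type...]]}].  TrueCryptMaster
# selects one of them through its version_map ('7.0a' / '7.1a' crossed with
# '32bit' / '64bit').  The offsets are fixed per driver build, so a table
# only describes memory correctly when it matches the driver that produced
# the image being analysed.

# TrueCrypt 7.0a driver structures, 32-bit layout.
tc_70a_vtypes_x86 = {
    'UINT64_STRUCT' : [ 0x8, {
        'LowPart' : [ 0x0, ['unsigned long']],
        'HighPart' : [ 0x4, ['unsigned long']],
        'Value' : [ 0x0, ['unsigned long long']],
    } ],
    'CRYPTO_INFO_t' : [ 0x4468, {
        'ea' : [ 0x0, ['long']],
        'mode' : [ 0x4, ['long']],
        'ks' : [ 0x8, ['array', 5324, ['unsigned char']]],
        'ks2' : [ 0x14d4, ['array', 5324, ['unsigned char']]],
        'hiddenVolume' : [ 0x29a0, ['long']],
        'HeaderVersion' : [ 0x29a4, ['unsigned short']],
        'gf_ctx' : [ 0x29a8, ['GfCtx']],
        'master_keydata' : [ 0x41a8, ['array', 256, ['unsigned char']]],
        'k2' : [ 0x42a8, ['array', 256, ['unsigned char']]],
        'salt' : [ 0x43a8, ['array', 64, ['unsigned char']]],
        'noIterations' : [ 0x43e8, ['long']],
        'pkcs5' : [ 0x43ec, ['long']],
        'volume_creation_time' : [ 0x43f0, ['unsigned long long']],
        'header_creation_time' : [ 0x43f8, ['unsigned long long']],
        'bProtectHiddenVolume' : [ 0x4400, ['long']],
        'bHiddenVolProtectionAction' : [ 0x4404, ['long']],
        'volDataAreaOffset' : [ 0x4408, ['unsigned long long']],
        'hiddenVolumeSize' : [ 0x4410, ['unsigned long long']],
        'hiddenVolumeOffset' : [ 0x4418, ['unsigned long long']],
        'hiddenVolumeProtectedSize' : [ 0x4420, ['unsigned long long']],
        'bPartitionInInactiveSysEncScope' : [ 0x4428, ['long']],
        'FirstDataUnitNo' : [ 0x4430, ['UINT64_STRUCT']],
        'RequiredProgramVersion' : [ 0x4438, ['unsigned short']],
        'LegacyVolume' : [ 0x443c, ['long']],
        'SectorSize' : [ 0x4440, ['unsigned long']],
        'VolumeSize' : [ 0x4448, ['UINT64_STRUCT']],
        'EncryptedAreaStart' : [ 0x4450, ['UINT64_STRUCT']],
        'EncryptedAreaLength' : [ 0x4458, ['UINT64_STRUCT']],
        'HeaderFlags' : [ 0x4460, ['unsigned long']],
    } ],
    'Password' : [ 0x48, {
        'Length' : [ 0x0, ['unsigned long']],
        'Text' : [ 0x4, ['array', 65, ['unsigned char']]],
        'Pad' : [ 0x45, ['array', 3, ['unsigned char']]],
    } ],
    'EXTENSION' : [ 0x510, {
        'bRootDevice' : [ 0x0, ['long']],
        'IsVolumeDevice' : [ 0x4, ['long']],
        'IsDriveFilterDevice' : [ 0x8, ['long']],
        'IsVolumeFilterDevice' : [ 0xc, ['long']],
        'lMagicNumber' : [ 0x10, ['unsigned long']],
        'UniqueVolumeId' : [ 0x14, ['long']],
        'nDosDriveNo' : [ 0x18, ['long']],
        'bShuttingDown' : [ 0x1c, ['long']],
        'bThreadShouldQuit' : [ 0x20, ['long']],
        'peThread' : [ 0x24, ['pointer', ['_KTHREAD']]],
        'keCreateEvent' : [ 0x28, ['_KEVENT']],
        'ListSpinLock' : [ 0x38, ['unsigned long']],
        'ListEntry' : [ 0x3c, ['_LIST_ENTRY']],
        'RequestSemaphore' : [ 0x44, ['_KSEMAPHORE']],
        'hDeviceFile' : [ 0x58, ['pointer', ['void']]],
        'pfoDeviceFile' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]],
        'pFsdDevice' : [ 0x60, ['pointer', ['_DEVICE_OBJECT']]],
        'cryptoInfo' : [ 0x64, ['pointer', ['CRYPTO_INFO_t']]],
        'HostLength' : [ 0x68, ['long long']],
        'DiskLength' : [ 0x70, ['long long']],
        'NumberOfCylinders' : [ 0x78, ['long long']],
        'TracksPerCylinder' : [ 0x80, ['unsigned long']],
        'SectorsPerTrack' : [ 0x84, ['unsigned long']],
        'BytesPerSector' : [ 0x88, ['unsigned long']],
        'PartitionType' : [ 0x8c, ['unsigned char']],
        'HostBytesPerSector' : [ 0x90, ['unsigned long']],
        'keVolumeEvent' : [ 0x94, ['_KEVENT']],
        'Queue' : [ 0xa8, ['EncryptedIoQueue']],
        'bReadOnly' : [ 0x288, ['long']],
        'bRemovable' : [ 0x28c, ['long']],
        'PartitionInInactiveSysEncScope' : [ 0x290, ['long']],
        'bRawDevice' : [ 0x294, ['long']],
        'bMountManager' : [ 0x298, ['long']],
        'SystemFavorite' : [ 0x29c, ['long']],
        'wszVolume' : [ 0x2a0, ['array', 260, ['wchar']]],
        'fileCreationTime' : [ 0x4a8, ['_LARGE_INTEGER']],
        'fileLastAccessTime' : [ 0x4b0, ['_LARGE_INTEGER']],
        'fileLastWriteTime' : [ 0x4b8, ['_LARGE_INTEGER']],
        'fileLastChangeTime' : [ 0x4c0, ['_LARGE_INTEGER']],
        'bTimeStampValid' : [ 0x4c8, ['long']],
        'UserSid' : [ 0x4cc, ['pointer', ['void']]],
        'SecurityClientContextValid' : [ 0x4d0, ['long']],
        'SecurityClientContext' : [ 0x4d4, ['_SECURITY_CLIENT_CONTEXT']],
    } ],
}

# TrueCrypt 7.1a driver structures, 32-bit layout.
tc_71a_vtypes_x86 = {
    'UINT64_STRUCT' : [ 0x8, {
        'LowPart' : [ 0x0, ['unsigned long']],
        'HighPart' : [ 0x4, ['unsigned long']],
        'Value' : [ 0x0, ['unsigned long long']],
    } ],
    'CRYPTO_INFO_t' : [ 0x4468, {
        'ea' : [ 0x0, ['long']],
        'mode' : [ 0x4, ['long']],
        'ks' : [ 0x8, ['array', 5324, ['unsigned char']]],
        'ks2' : [ 0x14d4, ['array', 5324, ['unsigned char']]],
        'hiddenVolume' : [ 0x29a0, ['long']],
        'HeaderVersion' : [ 0x29a4, ['unsigned short']],
        'gf_ctx' : [ 0x29a8, ['GfCtx']],
        'master_keydata' : [ 0x41a8, ['array', 256, ['unsigned char']]],
        'k2' : [ 0x42a8, ['array', 256, ['unsigned char']]],
        'salt' : [ 0x43a8, ['array', 64, ['unsigned char']]],
        'noIterations' : [ 0x43e8, ['long']],
        'pkcs5' : [ 0x43ec, ['long']],
        'volume_creation_time' : [ 0x43f0, ['unsigned long long']],
        'header_creation_time' : [ 0x43f8, ['unsigned long long']],
        'bProtectHiddenVolume' : [ 0x4400, ['long']],
        'bHiddenVolProtectionAction' : [ 0x4404, ['long']],
        'volDataAreaOffset' : [ 0x4408, ['unsigned long long']],
        'hiddenVolumeSize' : [ 0x4410, ['unsigned long long']],
        'hiddenVolumeOffset' : [ 0x4418, ['unsigned long long']],
        'hiddenVolumeProtectedSize' : [ 0x4420, ['unsigned long long']],
        'bPartitionInInactiveSysEncScope' : [ 0x4428, ['long']],
        'FirstDataUnitNo' : [ 0x4430, ['UINT64_STRUCT']],
        'RequiredProgramVersion' : [ 0x4438, ['unsigned short']],
        'LegacyVolume' : [ 0x443c, ['long']],
        'SectorSize' : [ 0x4440, ['unsigned long']],
        'VolumeSize' : [ 0x4448, ['UINT64_STRUCT']],
        'EncryptedAreaStart' : [ 0x4450, ['UINT64_STRUCT']],
        'EncryptedAreaLength' : [ 0x4458, ['UINT64_STRUCT']],
        'HeaderFlags' : [ 0x4460, ['unsigned long']],
    } ],
    'EXTENSION' : [ 0x4d0, {
        'bRootDevice' : [ 0x0, ['long']],
        'IsVolumeDevice' : [ 0x4, ['long']],
        'IsDriveFilterDevice' : [ 0x8, ['long']],
        'IsVolumeFilterDevice' : [ 0xc, ['long']],
        'UniqueVolumeId' : [ 0x10, ['long']],
        'nDosDriveNo' : [ 0x14, ['long']],
        'bShuttingDown' : [ 0x18, ['long']],
        'bThreadShouldQuit' : [ 0x1c, ['long']],
        'peThread' : [ 0x20, ['pointer', ['_KTHREAD']]],
        'keCreateEvent' : [ 0x24, ['_KEVENT']],
        'ListSpinLock' : [ 0x34, ['unsigned long']],
        'ListEntry' : [ 0x38, ['_LIST_ENTRY']],
        'RequestSemaphore' : [ 0x40, ['_KSEMAPHORE']],
        'hDeviceFile' : [ 0x54, ['pointer', ['void']]],
        'pfoDeviceFile' : [ 0x58, ['pointer', ['_FILE_OBJECT']]],
        'pFsdDevice' : [ 0x5c, ['pointer', ['_DEVICE_OBJECT']]],
        'cryptoInfo' : [ 0x60, ['pointer', ['CRYPTO_INFO_t']]],
        'HostLength' : [ 0x68, ['long long']],
        'DiskLength' : [ 0x70, ['long long']],
        'NumberOfCylinders' : [ 0x78, ['long long']],
        'TracksPerCylinder' : [ 0x80, ['unsigned long']],
        'SectorsPerTrack' : [ 0x84, ['unsigned long']],
        'BytesPerSector' : [ 0x88, ['unsigned long']],
        'PartitionType' : [ 0x8c, ['unsigned char']],
        'HostBytesPerSector' : [ 0x90, ['unsigned long']],
        'keVolumeEvent' : [ 0x94, ['_KEVENT']],
        'Queue' : [ 0xa8, ['EncryptedIoQueue']],
        'bReadOnly' : [ 0x248, ['long']],
        'bRemovable' : [ 0x24c, ['long']],
        'PartitionInInactiveSysEncScope' : [ 0x250, ['long']],
        'bRawDevice' : [ 0x254, ['long']],
        'bMountManager' : [ 0x258, ['long']],
        'SystemFavorite' : [ 0x25c, ['long']],
        'wszVolume' : [ 0x260, ['array', 260, ['wchar']]],
        'fileCreationTime' : [ 0x468, ['_LARGE_INTEGER']],
        'fileLastAccessTime' : [ 0x470, ['_LARGE_INTEGER']],
        'fileLastWriteTime' : [ 0x478, ['_LARGE_INTEGER']],
        'fileLastChangeTime' : [ 0x480, ['_LARGE_INTEGER']],
        'bTimeStampValid' : [ 0x488, ['long']],
        'UserSid' : [ 0x48c, ['pointer', ['void']]],
        'SecurityClientContextValid' : [ 0x490, ['long']],
        'SecurityClientContext' : [ 0x494, ['_SECURITY_CLIENT_CONTEXT']],
    } ],
    'Password' : [ 0x48, {
        'Length' : [ 0x0, ['unsigned long']],
        'Text' : [ 0x4, ['array', 65, ['unsigned char']]],
        'Pad' : [ 0x45, ['array', 3, ['unsigned char']]],
    } ],
}

# TrueCrypt 7.0a driver structures, 64-bit layout.
tc_70a_vtypes_x64 = {
    'UINT64_STRUCT' : [ 0x8, {
        'LowPart' : [ 0x0, ['unsigned long']],
        'HighPart' : [ 0x4, ['unsigned long']],
        'Value' : [ 0x0, ['unsigned long long']],
    } ],
    'CRYPTO_INFO_t' : [ 0x4468, {
        'ea' : [ 0x0, ['long']],
        'mode' : [ 0x4, ['long']],
        'ks' : [ 0x8, ['array', 5324, ['unsigned char']]],
        'ks2' : [ 0x14d4, ['array', 5324, ['unsigned char']]],
        'hiddenVolume' : [ 0x29a0, ['long']],
        'HeaderVersion' : [ 0x29a4, ['unsigned short']],
        'gf_ctx' : [ 0x29a8, ['GfCtx']],
        'master_keydata' : [ 0x41a8, ['array', 256, ['unsigned char']]],
        'k2' : [ 0x42a8, ['array', 256, ['unsigned char']]],
        'salt' : [ 0x43a8, ['array', 64, ['unsigned char']]],
        'noIterations' : [ 0x43e8, ['long']],
        'pkcs5' : [ 0x43ec, ['long']],
        'volume_creation_time' : [ 0x43f0, ['unsigned long long']],
        'header_creation_time' : [ 0x43f8, ['unsigned long long']],
        'bProtectHiddenVolume' : [ 0x4400, ['long']],
        'bHiddenVolProtectionAction' : [ 0x4404, ['long']],
        'volDataAreaOffset' : [ 0x4408, ['unsigned long long']],
        'hiddenVolumeSize' : [ 0x4410, ['unsigned long long']],
        'hiddenVolumeOffset' : [ 0x4418, ['unsigned long long']],
        'hiddenVolumeProtectedSize' : [ 0x4420, ['unsigned long long']],
        'bPartitionInInactiveSysEncScope' : [ 0x4428, ['long']],
        'FirstDataUnitNo' : [ 0x4430, ['UINT64_STRUCT']],
        'RequiredProgramVersion' : [ 0x4438, ['unsigned short']],
        'LegacyVolume' : [ 0x443c, ['long']],
        'SectorSize' : [ 0x4440, ['unsigned long']],
        'VolumeSize' : [ 0x4448, ['UINT64_STRUCT']],
        'EncryptedAreaStart' : [ 0x4450, ['UINT64_STRUCT']],
        'EncryptedAreaLength' : [ 0x4458, ['UINT64_STRUCT']],
        'HeaderFlags' : [ 0x4460, ['unsigned long']],
    } ],
    'EXTENSION' : [ 0x640, {
        'bRootDevice' : [ 0x0, ['long']],
        'IsVolumeDevice' : [ 0x4, ['long']],
        'IsDriveFilterDevice' : [ 0x8, ['long']],
        'IsVolumeFilterDevice' : [ 0xc, ['long']],
        'lMagicNumber' : [ 0x10, ['unsigned long']],
        'UniqueVolumeId' : [ 0x14, ['long']],
        'nDosDriveNo' : [ 0x18, ['long']],
        'bShuttingDown' : [ 0x1c, ['long']],
        'bThreadShouldQuit' : [ 0x20, ['long']],
        'peThread' : [ 0x28, ['pointer64', ['_KTHREAD']]],
        'keCreateEvent' : [ 0x30, ['_KEVENT']],
        'ListSpinLock' : [ 0x48, ['unsigned long long']],
        'ListEntry' : [ 0x50, ['_LIST_ENTRY']],
        'RequestSemaphore' : [ 0x60, ['_KSEMAPHORE']],
        'hDeviceFile' : [ 0x80, ['pointer64', ['void']]],
        'pfoDeviceFile' : [ 0x88, ['pointer64', ['_FILE_OBJECT']]],
        'pFsdDevice' : [ 0x90, ['pointer64', ['_DEVICE_OBJECT']]],
        'cryptoInfo' : [ 0x98, ['pointer64', ['CRYPTO_INFO_t']]],
        'HostLength' : [ 0xa0, ['long long']],
        'DiskLength' : [ 0xa8, ['long long']],
        'NumberOfCylinders' : [ 0xb0, ['long long']],
        'TracksPerCylinder' : [ 0xb8, ['unsigned long']],
        'SectorsPerTrack' : [ 0xbc, ['unsigned long']],
        'BytesPerSector' : [ 0xc0, ['unsigned long']],
        'PartitionType' : [ 0xc4, ['unsigned char']],
        'HostBytesPerSector' : [ 0xc8, ['unsigned long']],
        'keVolumeEvent' : [ 0xd0, ['_KEVENT']],
        'Queue' : [ 0xe8, ['EncryptedIoQueue']],
        'bReadOnly' : [ 0x3a0, ['long']],
        'bRemovable' : [ 0x3a4, ['long']],
        'PartitionInInactiveSysEncScope' : [ 0x3a8, ['long']],
        'bRawDevice' : [ 0x3ac, ['long']],
        'bMountManager' : [ 0x3b0, ['long']],
        'SystemFavorite' : [ 0x3b4, ['long']],
        'wszVolume' : [ 0x3b8, ['array', 260, ['wchar']]],
        'fileCreationTime' : [ 0x5c0, ['_LARGE_INTEGER']],
        'fileLastAccessTime' : [ 0x5c8, ['_LARGE_INTEGER']],
        'fileLastWriteTime' : [ 0x5d0, ['_LARGE_INTEGER']],
        'fileLastChangeTime' : [ 0x5d8, ['_LARGE_INTEGER']],
        'bTimeStampValid' : [ 0x5e0, ['long']],
        'UserSid' : [ 0x5e8, ['pointer64', ['void']]],
        'SecurityClientContextValid' : [ 0x5f0, ['long']],
        'SecurityClientContext' : [ 0x5f8, ['_SECURITY_CLIENT_CONTEXT']],
    } ],
    'Password' : [ 0x48, {
        'Length' : [ 0x0, ['unsigned long']],
        'Text' : [ 0x4, ['array', 65, ['unsigned char']]],
        'Pad' : [ 0x45, ['array', 3, ['unsigned char']]],
    } ],
}

# TrueCrypt 7.1a driver structures, 64-bit layout.
tc_71a_vtypes_x64 = {
    'UINT64_STRUCT' : [ 0x8, {
        'LowPart' : [ 0x0, ['unsigned long']],
        'HighPart' : [ 0x4, ['unsigned long']],
        'Value' : [ 0x0, ['unsigned long long']],
    } ],
    'CRYPTO_INFO_t' : [ 0x4468, {
        'ea' : [ 0x0, ['long']],
        'mode' : [ 0x4, ['long']],
        'ks' : [ 0x8, ['array', 5324, ['unsigned char']]],
        'ks2' : [ 0x14d4, ['array', 5324, ['unsigned char']]],
        'hiddenVolume' : [ 0x29a0, ['long']],
        'HeaderVersion' : [ 0x29a4, ['unsigned short']],
        'gf_ctx' : [ 0x29a8, ['GfCtx']],
        'master_keydata' : [ 0x41a8, ['array', 256, ['unsigned char']]],
        'k2' : [ 0x42a8, ['array', 256, ['unsigned char']]],
        'salt' : [ 0x43a8, ['array', 64, ['unsigned char']]],
        'noIterations' : [ 0x43e8, ['long']],
        'pkcs5' : [ 0x43ec, ['long']],
        'volume_creation_time' : [ 0x43f0, ['unsigned long long']],
        'header_creation_time' : [ 0x43f8, ['unsigned long long']],
        'bProtectHiddenVolume' : [ 0x4400, ['long']],
        'bHiddenVolProtectionAction' : [ 0x4404, ['long']],
        'volDataAreaOffset' : [ 0x4408, ['unsigned long long']],
        'hiddenVolumeSize' : [ 0x4410, ['unsigned long long']],
        'hiddenVolumeOffset' : [ 0x4418, ['unsigned long long']],
        'hiddenVolumeProtectedSize' : [ 0x4420, ['unsigned long long']],
        'bPartitionInInactiveSysEncScope' : [ 0x4428, ['long']],
        'FirstDataUnitNo' : [ 0x4430, ['UINT64_STRUCT']],
        'RequiredProgramVersion' : [ 0x4438, ['unsigned short']],
        'LegacyVolume' : [ 0x443c, ['long']],
        'SectorSize' : [ 0x4440, ['unsigned long']],
        'VolumeSize' : [ 0x4448, ['UINT64_STRUCT']],
        'EncryptedAreaStart' : [ 0x4450, ['UINT64_STRUCT']],
        'EncryptedAreaLength' : [ 0x4458, ['UINT64_STRUCT']],
        'HeaderFlags' : [ 0x4460, ['unsigned long']],
    } ],
    'Password' : [ 0x48, {
        'Length' : [ 0x0, ['unsigned long']],
        'Text' : [ 0x4, ['array', 65, ['unsigned char']]],
        'Pad' : [ 0x45, ['array', 3, ['unsigned char']]],
    } ],
    'EXTENSION' : [ 0x5e0, {
        'bRootDevice' : [ 0x0, ['long']],
        'IsVolumeDevice' : [ 0x4, ['long']],
        'IsDriveFilterDevice' : [ 0x8, ['long']],
        'IsVolumeFilterDevice' : [ 0xc, ['long']],
        'UniqueVolumeId' : [ 0x10, ['long']],
        'nDosDriveNo' : [ 0x14, ['long']],
        'bShuttingDown' : [ 0x18, ['long']],
        'bThreadShouldQuit' : [ 0x1c, ['long']],
        'peThread' : [ 0x20, ['pointer64', ['_KTHREAD']]],
        'keCreateEvent' : [ 0x28, ['_KEVENT']],
        'ListSpinLock' : [ 0x40, ['unsigned long long']],
        'ListEntry' : [ 0x48, ['_LIST_ENTRY']],
        'RequestSemaphore' : [ 0x58, ['_KSEMAPHORE']],
        'hDeviceFile' : [ 0x78, ['pointer64', ['void']]],
        'pfoDeviceFile' : [ 0x80, ['pointer64', ['_FILE_OBJECT']]],
        'pFsdDevice' : [ 0x88, ['pointer64', ['_DEVICE_OBJECT']]],
        'cryptoInfo' : [ 0x90, ['pointer64', ['CRYPTO_INFO_t']]],
        'HostLength' : [ 0x98, ['long long']],
        'DiskLength' : [ 0xa0, ['long long']],
        'NumberOfCylinders' : [ 0xa8, ['long long']],
        'TracksPerCylinder' : [ 0xb0, ['unsigned long']],
        'SectorsPerTrack' : [ 0xb4, ['unsigned long']],
        'BytesPerSector' : [ 0xb8, ['unsigned long']],
        'PartitionType' : [ 0xbc, ['unsigned char']],
        'HostBytesPerSector' : [ 0xc0, ['unsigned long']],
        'keVolumeEvent' : [ 0xc8, ['_KEVENT']],
        'Queue' : [ 0xe0, ['EncryptedIoQueue']],
        'bReadOnly' : [ 0x340, ['long']],
        'bRemovable' : [ 0x344, ['long']],
        'PartitionInInactiveSysEncScope' : [ 0x348, ['long']],
        'bRawDevice' : [ 0x34c, ['long']],
        'bMountManager' : [ 0x350, ['long']],
        'SystemFavorite' : [ 0x354, ['long']],
        'wszVolume' : [ 0x358, ['array', 260, ['wchar']]],
        'fileCreationTime' : [ 0x560, ['_LARGE_INTEGER']],
        'fileLastAccessTime' : [ 0x568, ['_LARGE_INTEGER']],
        'fileLastWriteTime' : [ 0x570, ['_LARGE_INTEGER']],
        'fileLastChangeTime' : [ 0x578, ['_LARGE_INTEGER']],
        'bTimeStampValid' : [ 0x580, ['long']],
        'UserSid' : [ 0x588, ['pointer64', ['void']]],
        'SecurityClientContextValid' : [ 0x590, ['long']],
        'SecurityClientContext' : [ 0x598, ['_SECURITY_CLIENT_CONTEXT']],
    } ],
}

#---------------------------------------------------------------------
# TrueCryptPassphrase Plugin
#---------------------------------------------------------------------

class TrueCryptPassphrase(common.AbstractWindowsCommand):
    """TrueCrypt Cached Passphrase Finder"""

    # The scan is a heuristic over the truecrypt.sys .data section, so every
    # hit is a candidate that still needs corroboration by the examiner.

    def __init__(self, config, *args, **kwargs):
        """Register the MIN-LENGTH option (shortest candidate to report)."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('MIN-LENGTH', short_option = 'M', default = 5,
                          help = 'Minimum length of passphrases to identify',
                          action = 'store', type = 'int')

    @staticmethod
    def scan_module(addr_space, module_base, min_length):
        """Yield (offset, passphrase) candidates from a module's .data section.

        The section is walked as an array of 4-byte integers.  A value counts
        as a candidate Length when it lies between min_length and 64; the
        bytes that follow must all fall in 0x20..0x7F and be followed by
        three zero bytes.  This mirrors the Length / Text / Pad members of
        the 'Password' vtype defined in this file.

        @param addr_space: address space to read from
        @param module_base: base address of the loaded module
        @param min_length: shortest passphrase length to accept
        """
        dos_header = obj.Object("_IMAGE_DOS_HEADER",
                                offset = module_base,
                                vm = addr_space)
        nt_header = dos_header.get_nt_header()

        # Finding the PE data section
        data_section = None
        for sec in nt_header.get_sections():
            if str(sec.Name) == ".data":
                data_section = sec
                break

        if not data_section:
            # A bare return ends the generator.  Raising StopIteration from
            # inside a generator body becomes RuntimeError under PEP 479.
            return

        # Use the matched section explicitly instead of the leaked loop
        # variable.
        base = data_section.VirtualAddress + module_base
        size = data_section.Misc.VirtualSize

        # Looking for the Length member, DWORD-aligned
        ints = obj.Object("Array", targetType = "int",
                          offset = base, count = size / 4,
                          vm = addr_space)

        for length in ints:
            # Min and max passphrase lengths
            if length >= min_length and length <= 64:
                offset = length.obj_offset + 4
                passphrase = addr_space.read(offset, length)
                if not passphrase:
                    continue
                # All characters in the range must be ASCII
                chars = [c for c in passphrase
                         if ord(c) >= 0x20 and ord(c) <= 0x7F]
                if len(chars) != length:
                    continue
                # At least three zero pad bytes must follow
                if addr_space.read(offset + length, 3) != "\x00" * 3:
                    continue
                yield offset, passphrase

    def calculate(self):
        """Yield (offset, passphrase) for every hit inside truecrypt.sys."""
        addr_space = utils.load_as(self._config)

        for mod in modules.lsmod(addr_space):
            # Finding the TC kernel module
            if str(mod.BaseDllName).lower() != "truecrypt.sys":
                continue

            for offset, password in self.scan_module(addr_space,
                                                     mod.DllBase,
                                                     self._config.MIN_LENGTH):
                yield offset, password

    def render_text(self, outfd, data):
        """Write one line per candidate; the line contains the plaintext."""
        for offset, passphrase in data:
            outfd.write("Found at {0:#x} length {1}: {2}\n".format(
                offset, len(passphrase), passphrase))

#---------------------------------------------------------------------
# TrueCryptSummary Plugin
#---------------------------------------------------------------------

class TrueCryptSummary(common.AbstractWindowsCommand):
    """TrueCrypt Summary"""

    def calculate(self):
        """Yield (field, description) pairs for each TrueCrypt artifact found.

        Sources consulted, in order: the Uninstall registry key (32-bit
        images only), the cached-passphrase scan, the process list, the
        service scan, loaded kernel modules, symbolic links, file objects
        and finally the driver with its devices.
        """
        addr_space = utils.load_as(self._config)

        # we currently don't use this on x64 because for some reason the
        # x64 version actually doesn't create a DisplayVersion value
        # (the Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall key
        # is therefore not consulted)
        memory_model = addr_space.profile.metadata.get('memory_model')
        if memory_model == '32bit':
            regapi = registryapi.RegistryApi(self._config)
            regapi.reset_current()
            regapi.set_current(hive_name = "software")
            x86key = "Microsoft\\Windows\\CurrentVersion\\Uninstall"
            for subkey in regapi.reg_get_all_subkeys(None, key = x86key):
                keyname = str(subkey.Name)
                if keyname == "TrueCrypt":
                    subpath = x86key + "\\" + keyname
                    version = regapi.reg_get_value("software",
                                                   key = subpath,
                                                   value = "DisplayVersion")
                    if version:
                        yield "Registry Version", "{0} Version {1}".format(
                            keyname, version)

        scanner = TrueCryptPassphrase(self._config)
        for offset, passphrase in scanner.calculate():
            yield "Password", "{0} at offset {1:#x}".format(
                passphrase, offset)

        for proc in tasks.pslist(addr_space):
            if str(proc.ImageFileName).lower() == "truecrypt.exe":
                yield "Process", "{0} at {1:#x} pid {2}".format(
                    proc.ImageFileName,
                    proc.obj_offset,
                    proc.UniqueProcessId)

        scanner = svcscan.SvcScan(self._config)
        for service in scanner.calculate():
            name = str(service.ServiceName.dereference())
            if name == "truecrypt":
                yield "Service", "{0} state {1}".format(
                    name, service.State)

        for mod in modules.lsmod(addr_space):
            basename = str(mod.BaseDllName or '').lower()
            fullname = str(mod.FullDllName or '').lower()
            if (basename.endswith("truecrypt.sys") or
                    fullname.endswith("truecrypt.sys")):
                yield "Kernel Module", "{0} at {1:#x} - {2:#x}".format(
                    mod.BaseDllName,
                    mod.DllBase,
                    mod.DllBase + mod.SizeOfImage)

        scanner = filescan.SymLinkScan(self._config)
        for symlink in scanner.calculate():
            object_header = symlink.get_object_header()
            if "TrueCryptVolume" in str(symlink.LinkTarget or ''):
                yield "Symbolic Link", "{0} -> {1} mounted {2}".format(
                    str(object_header.NameInfo.Name or ''),
                    str(symlink.LinkTarget or ''),
                    str(symlink.CreationTime or ''))

        scanner = filescan.FileScan(self._config)
        for fileobj in scanner.calculate():
            filename = str(fileobj.file_name_with_device() or '')
            if "TrueCryptVolume" in filename:
                yield "File Object", "{0} at {1:#x}".format(
                    filename,
                    fileobj.obj_offset)

        scanner = filescan.DriverScan(self._config)
        for driver in scanner.calculate():
            driverext = driver.DriverExtension
            drivername = str(driver.DriverName or '')
            servicekey = str(driverext.ServiceKeyName or '')
            if (drivername.endswith("truecrypt") or
                    servicekey.endswith("truecrypt")):
                yield "Driver", "{0} at {1:#x} range {2:#x} - {3:#x}".format(
                    drivername, driver.obj_offset, driver.DriverStart,
                    driver.DriverStart + driver.DriverSize)
                for device in driver.devices():
                    header = device.get_object_header()
                    devname = str(header.NameInfo.Name or '')
                    # named devtype so the builtin type() is not shadowed
                    devtype = devicetree.DEVICE_CODES.get(
                        device.DeviceType.v())
                    yield "Device", "{0} at {1:#x} type {2}".format(
                        devname or "",
                        device.obj_offset,
                        devtype or "UNKNOWN")
                    if devtype == "FILE_DEVICE_DISK":
                        data = addr_space.read(device.DeviceExtension, 2000)
                        ## the file-hosted container path. no other fields in
                        ## the struct are character based, so we should not
                        ## hit false positives on this scan.
                        # read() can hand back nothing for memory that is
                        # not available; treat that like "marker not found"
                        # instead of failing on data.find().
                        if data:
                            offset = data.find("\\\x00?\x00?\x00\\\x00")
                        else:
                            offset = -1
                        if offset == -1:
                            container = ""
                        else:
                            container = obj.Object(
                                "String", length = 255,
                                offset = device.DeviceExtension + offset,
                                encoding = "utf16",
                                vm = addr_space)
                        yield "Container", "Path: {0}".format(container)

    def render_text(self, outfd, data):
        """Write each (field, info) pair as one aligned line."""
        for field, info in data:
            outfd.write("{0:20} {1}\n".format(field, info))

#---------------------------------------------------------------------
# TrueCryptMaster Plugin
#---------------------------------------------------------------------

class TrueCryptMaster(common.AbstractWindowsCommand):
    """Recover TrueCrypt 7.1a Master Keys"""

    version_map = {
        # the most recent - released feb 2012
        '7.1a' : {'32bit': tc_71a_vtypes_x86, '64bit': tc_71a_vtypes_x64},
        # released july 2010. also supports 6.3a from
        # november 2009, so its likely all versions between
        # 6.3a and 7.0a are supported by these vtypes
        '7.0a' : {'32bit': tc_70a_vtypes_x86, '64bit': tc_70a_vtypes_x64},
    }

    def __init__(self, config, *args, **kwargs):
        """Register DUMP-DIR (key output directory) and VERSION options."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          help = 'Directory in which to dump the keys')
        config.add_option('VERSION', short_option = 'T', default = '7.1a',
                          help = 'Truecrypt version string (default: 7.1a)')

    @staticmethod
    def apply_types(addr_space, ver):
        """Apply the TrueCrypt types for a specific version of TC.

        @param addr_space: address space whose profile receives the types
        @param ver: version string, a key of version_map
        """
        mm_model = addr_space.profile.metadata.get('memory_model', '32bit')

        # Only the table lookup can mean "unsupported version".  Keeping the
        # profile updates outside the try block stops an unrelated KeyError
        # raised while merging or compiling from being reported with this
        # message.
        try:
            vtypes = TrueCryptMaster.version_map[ver][mm_model]
        except KeyError:
            debug.error("Truecrypt version {0} is not supported".format(ver))
            return

        addr_space.profile.vtypes.update(vtypes)
        addr_space.profile.merge_overlay({
            'EXTENSION' : [ None, {
                'wszVolume' : [ None, ['String', dict(length = 260,
                                                      encoding = "utf16")]],
            }],
            'CRYPTO_INFO_t' : [ None, {
                'mode' : [ None, ['Enumeration', dict(target = "long",
                    choices = {1: 'XTS', 2: 'LWR', 3: 'CBC',
                               4: 'OUTER_CBC', 5: 'INNER_CBC'})]],
                'ea' : [ None, ['Enumeration', dict(target = "long",
                    choices = {1: 'AES', 2: 'SERPENT', 3: 'TWOFISH',
                               4: 'BLOWFISH', 5: 'CAST', 6: 'TRIPLEDES'})]],
            }]})
        addr_space.profile.compile()

    def calculate(self):
        """Yield every FILE_DEVICE_DISK device owned by the truecrypt driver."""
        addr_space = utils.load_as(self._config)
        self.apply_types(addr_space, self._config.VERSION)

        scanner = filescan.DriverScan(self._config)
        for driver in scanner.calculate():
            drivername = str(driver.DriverName or '')
            if not drivername.endswith("truecrypt"):
                continue
            for device in driver.devices():
                code = device.DeviceType.v()
                devtype = devicetree.DEVICE_CODES.get(code)
                if devtype == 'FILE_DEVICE_DISK':
                    yield device

    def render_text(self, outfd, data):
        """Print volume details and the master key for each device.

        The first 64 bytes of CRYPTO_INFO_t.master_keydata are shown as a
        hex dump.  With DUMP-DIR set they are also written to
        <address>_master.key in that directory; the file is created with
        owner-only permissions because it holds key material.
        """
        dump_dir = self._config.DUMP_DIR

        for device in data:
            ext = device.DeviceExtension.dereference_as("EXTENSION")
            if not ext.is_valid():
                continue

            crypto = ext.cryptoInfo

            outfd.write("Container: {0}\n".format(ext.wszVolume))
            outfd.write("Hidden Volume: {0}\n".format(
                "Yes" if crypto.hiddenVolume == 1 else "No"))
            outfd.write("Removable: {0}\n".format(
                "Yes" if ext.bRemovable == 1 else "No"))
            outfd.write("Read Only: {0}\n".format(
                "Yes" if ext.bReadOnly == 1 else "No"))
            outfd.write("Disk Length: {0} (bytes)\n".format(ext.DiskLength))
            outfd.write("Host Length: {0} (bytes)\n".format(ext.HostLength))
            outfd.write("Encryption Algorithm: {0}\n".format(crypto.ea))
            outfd.write("Mode: {0}\n".format(crypto.mode))
            outfd.write("Master Key\n")

            addr = crypto.master_keydata.obj_offset
            key = device.obj_vm.read(addr, 64)
            if not key:
                # Nothing readable at that address: report it rather than
                # failing inside the hex dump or writing an empty key file.
                outfd.write("Master key data could not be read\n\n")
                continue

            outfd.write("{0}\n".format("\n".join(
                ["{0:#010x} {1:<48} {2}".format(addr + o, h, ''.join(c))
                 for o, h, c in utils.Hexdump(key)])))

            if dump_dir:
                if not os.path.isdir(dump_dir):
                    debug.error("The path {0} is not a valid directory".format(dump_dir))
                name = "{0:#x}_master.key".format(addr)
                keyfile = os.path.join(dump_dir, name)
                # Mode 0600 applies when the file is created; a file that
                # already exists keeps the permissions it had.  O_BINARY only
                # exists on Windows, hence the getattr.
                flags = (os.O_WRONLY | os.O_CREAT | os.O_TRUNC |
                         getattr(os, "O_BINARY", 0))
                fd = os.open(keyfile, flags, 0o600)
                with os.fdopen(fd, "wb") as handle:
                    handle.write(key)
                outfd.write("Dumped {0} bytes to {1}\n".format(len(key), keyfile))
            outfd.write("\n")
volatility_2.6+git20170711.b3db0cc/volatility/plugins/common.py0000644000000000000000000000725713131215405022673 0ustar rootroot
# Volatility
#
# Authors:
# Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.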
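#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

""" This plugin contains CORE classes used by lots of other plugins """
import volatility.poolscan as poolscan
import volatility.utils as utils
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.commands as commands

#pylint: disable-msg=C0111

class AbstractWindowsCommand(commands.Command):
    # Base for commands that only make sense against a Windows profile.

    @staticmethod
    def is_valid_profile(profile):
        # True when the profile metadata reports os == 'windows'; a profile
        # without an 'os' entry is treated as 'unknown' and rejected.
        return profile.metadata.get('os', 'unknown') == 'windows'

class AbstractScanCommand(AbstractWindowsCommand):
    """A command built to provide the common options that should
    be available to Volatility's various scanning plugins."""

    # This is a list of scanners to use
    scanners = []

    def __init__(self, config, *args, **kwargs):
        # Registers the options shared by the scanning plugins:
        # VIRTUAL, SHOW-UNALLOCATED, START and LENGTH.
        AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option("VIRTUAL", short_option = "V", default = False,
                          action = "store_true",
                          help = "Scan virtual space instead of physical")
        # NOTE(review): the option name and the show_unalloc keyword it
        # feeds in scan_results() read as "show", while the help text says
        # "Skip" - confirm against poolscan which one is intended.
        config.add_option("SHOW-UNALLOCATED", short_option = "W", default = False,
                          action = "store_true",
                          help = "Skip unallocated objects (e.g. 0xbad0b0b0)")
        config.add_option("START", short_option = "A", default = None,
                          action = "store", type = "int",
                          help = "The starting address to begin scanning")
        config.add_option("LENGTH", short_option = "G", default = None,
                          action = "store", type = "int",
                          help = "Length (in bytes) to scan from the starting address")

    def calculate(self):
        # Loads the address space, rejects non-Windows profiles and returns
        # whatever scan_results() produces.
        addr_space = utils.load_as(self._config)
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
        return self.scan_results(addr_space)

    def offset_column(self):
        # Column header matching the address space that was scanned.
        return "Offset(V)" if self._config.VIRTUAL else "Offset(P)"

    def scan_results(self, addr_space):
        # Runs every scanner in self.scanners through one MultiScanInterface
        # configured from the command-line options.
        metadata = addr_space.profile.metadata
        # use_top_down is set for profiles with major == 6 and minor >= 2.
        # "minor" now defaults to 0 like "major", so a profile lacking the
        # key never compares None against an int.
        use_top_down = (metadata.get("major", 0) == 6 and
                        metadata.get("minor", 0) >= 2)

        multiscan = poolscan.MultiScanInterface(
            addr_space = addr_space,
            scanners = self.scanners,
            scan_virtual = self._config.VIRTUAL,
            show_unalloc = self._config.SHOW_UNALLOCATED,
            use_top_down = use_top_down,
            start_offset = self._config.START,
            max_length = self._config.LENGTH)

        return multiscan.scan()

def pool_align(vm, object_name, align):
    """Returns the size of the object accounting for pool alignment."""
    size_of_obj = vm.profile.get_obj_size(object_name)

    # Size is rounded up to the next multiple of the pool alignment
    extra = size_of_obj % align
    if extra:
        size_of_obj += align - extra

    return size_of_obj
volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/0000755000000000000000000000000013131215405022662 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/linux/0000755000000000000000000000000013131215405024021 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/linux/elf.py0000644000000000000000000006262013131215405025147 0ustar rootroot
# Volatility
# Copyright (C) 2007-2011 Volatile Systems
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of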
the License, or (at # your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA # ELF64 format: http://downloads.openwatcom.org/ftp/devel/docs/elf-64-gen.pdf import volatility.obj as obj elf32_vtypes = { 'elf32_hdr' : [ 52, { 'e_ident' : [ 0, ['String', dict(length = 16)]], 'e_type' : [ 16, ['Enumeration', dict(target = 'unsigned short', choices = { 0: 'ET_NONE', 1: 'ET_REL', 2: 'ET_EXEC', 3: 'ET_DYN', 4: 'ET_CORE', 0xff00: 'ET_LOPROC', 0xffff: 'ET_HIPROC'})]], 'e_machine' : [ 18, ['unsigned short']], 'e_version' : [ 20, ['unsigned int']], 'e_entry' : [ 24, ['unsigned int']], 'e_phoff' : [ 28, ['unsigned int']], 'e_shoff' : [ 32, ['unsigned int']], 'e_flags' : [ 36, ['unsigned int']], 'e_ehsize' : [ 40, ['unsigned short']], 'e_phentsize' : [ 42, ['unsigned short']], 'e_phnum' : [ 44, ['unsigned short']], 'e_shentsize' : [ 46, ['unsigned short']], 'e_shnum' : [ 48, ['unsigned short']], 'e_shstrndx' : [ 50, ['unsigned short']], }], 'elf32_phdr' : [ 32, { 'p_type' : [ 0, ['Enumeration', dict(target = 'unsigned int', choices = { 0: 'PT_NULL', 1: 'PT_LOAD', 2: 'PT_DYNAMIC', 3: 'PT_INTERP', 4: 'PT_NOTE', 5: 'PT_SHLIB', 6: 'PT_PHDR', 7: 'PT_TLS', 0x60000000: 'PT_LOOS', 0x6fffffff: 'PT_HIOS', 0x70000000: 'PT_LOPROC', 0x7fffffff: 'PT_HIPROC'})]], 'p_offset' : [ 4, ['unsigned int']], 'p_vaddr' : [ 8, ['unsigned int']], 'p_paddr' : [ 12, ['unsigned int']], 'p_filesz' : [ 16, ['unsigned int']], 'p_memsz' : [ 20, ['unsigned int']], 'p_flags' : [ 24, ['unsigned int']], 'p_align' : [ 28, ['unsigned int']], }], 'elf32_shdr' : [40, { 'sh_name' : [0, ['unsigned 
int']], 'sh_type' : [4, ['unsigned int']], 'sh_flags' : [8, ['unsigned int']], 'sh_addr' : [12, ['unsigned int']], 'sh_offset' : [16, ['unsigned int']], 'sh_size' : [20, ['unsigned int']], 'sh_link' : [24, ['unsigned int']], 'sh_info' : [28, ['unsigned int']], 'sh_addralign' : [32, ['unsigned int']], 'sh_entsize' : [36, ['unsigned int']], }], 'elf32_dyn' : [ 8, { 'd_tag' : [0, ['int']], 'd_ptr' : [4, ['unsigned int']], }], 'elf32_note' : [ 12, { 'n_namesz' : [ 0, ['unsigned int']], 'n_descsz' : [ 4, ['unsigned int']], 'n_type' : [ 8, ['unsigned int']], ## FIXME: this must be cast to int() because the base AS (FileAddressSpace) read method doesn't understand NativeType. ## Remove the cast after http://code.google.com/p/volatility/issues/detail?id=350 is fixed. 'namesz' : [ 12, ['String', dict(length = lambda x : int(x.n_namesz))]], }], 'elf32_link_map' : [0, { 'l_addr' : [0, ['unsigned int']], 'l_name' : [4, ['unsigned int']], 'l_ld' : [8, ['unsigned int']], 'l_next' : [12, ['unsigned int']], 'l_prev' : [16, ['unsigned int']], }], 'elf32_sym' : [ 16, { 'st_name' : [ 0, ['unsigned int']], 'st_value' : [ 4, ['unsigned int']], 'st_size' : [ 8, ['unsigned int']], 'st_info' : [ 12, ['unsigned char']], 'st_other' : [ 13, ['unsigned char']], 'st_shndx' : [ 14, ['unsigned short']], }], 'elf32_rel' : [ 8, { 'r_offset' : [ 0, ['unsigned int']], 'r_info' : [ 4, ['unsigned int']], }], 'elf32_rela' : [ 12, { 'r_offset' : [ 0, ['unsigned int']], 'r_info' : [ 4, ['unsigned int']], 'r_addend' : [ 8, ['int']], }], } elf64_vtypes = { 'elf64_hdr' : [ 64, { 'e_ident' : [ 0, ['String', dict(length = 16)]], 'e_type' : [ 16, ['Enumeration', dict(target = 'unsigned short', choices = { 0: 'ET_NONE', 1: 'ET_REL', 2: 'ET_EXEC', 3: 'ET_DYN', 4: 'ET_CORE', 0xff00: 'ET_LOPROC', 0xffff: 'ET_HIPROC'})]], 'e_machine' : [ 18, ['unsigned short']], 'e_version' : [ 20, ['unsigned int']], 'e_entry' : [ 24, ['unsigned long long']], 'e_phoff' : [ 32, ['unsigned long long']], 'e_shoff' : [ 40, ['unsigned 
long long']], 'e_flags' : [ 48, ['unsigned int']], 'e_ehsize' : [ 52, ['unsigned short']], 'e_phentsize' : [ 54, ['unsigned short']], 'e_phnum' : [ 56, ['unsigned short']], 'e_shentsize' : [ 58, ['unsigned short']], 'e_shnum' : [ 60, ['unsigned short']], 'e_shstrndx' : [ 62, ['unsigned short']], }], 'elf64_phdr' : [ 56, { 'p_type' : [ 0, ['Enumeration', dict(target = 'unsigned int', choices = { 0: 'PT_NULL', 1: 'PT_LOAD', 2: 'PT_DYNAMIC', 3: 'PT_INTERP', 4: 'PT_NOTE', 5: 'PT_SHLIB', 6: 'PT_PHDR', 7: 'PT_TLS', 0x60000000: 'PT_LOOS', 0x6fffffff: 'PT_HIOS', 0x70000000: 'PT_LOPROC', 0x7fffffff: 'PT_HIPROC'})]], 'p_flags' : [ 4, ['unsigned int']], 'p_offset' : [ 8, ['unsigned long long']], 'p_vaddr' : [ 16, ['unsigned long long']], 'p_paddr' : [ 24, ['unsigned long long']], 'p_filesz' : [ 32, ['unsigned long long']], 'p_memsz' : [ 40, ['unsigned long long']], 'p_align' : [ 48, ['unsigned long long']], }], 'elf64_shdr' : [64, { 'sh_name' : [0, ['unsigned int']], 'sh_type' : [4, ['unsigned int']], 'sh_flags' : [8, ['unsigned long long']], 'sh_addr' : [16, ['unsigned long long']], 'sh_offset' : [24, ['unsigned long long']], 'sh_size' : [32, ['unsigned long long']], 'sh_link' : [40, ['unsigned int']], 'sh_info' : [44, ['unsigned int']], 'sh_addralign' : [48, ['unsigned long long']], 'sh_entsize' : [56, ['unsigned long long']], }], 'elf64_dyn' : [ 16, { 'd_tag' : [0, ['long long']], 'd_ptr' : [8, ['unsigned long long']], }], 'elf64_note' : [ 12, { 'n_namesz' : [ 0, ['unsigned int']], 'n_descsz' : [ 4, ['unsigned int']], 'n_type' : [ 8, ['unsigned int']], ## FIXME: this must be cast to int() because the base AS (FileAddressSpace) read method doesn't understand NativeType. ## Remove the cast after http://code.google.com/p/volatility/issues/detail?id=350 is fixed. 
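'namesz' : [ 12, ['String', dict(length = lambda x : int(x.n_namesz))]],
    }],

    'elf64_sym' : [ 24 , {
        'st_name' : [ 0, ['unsigned int']],
        'st_info' : [ 4, ['unsigned char']],
        'st_other' : [ 5, ['unsigned char']],
        'st_shndx' : [ 6, ['unsigned short']],
        'st_value' : [ 8, ['unsigned long long']],
        'st_size' : [ 16, ['unsigned long long']],
    }],

    'elf64_link_map' : [0, {
        'l_addr' : [0, ['unsigned long long']],
        'l_name' : [8, ['unsigned long long']],
        'l_ld' : [16, ['unsigned long long']],
        'l_next' : [24, ['unsigned long long']],
        'l_prev' : [32, ['unsigned long long']],
    }],

    'elf64_rel' : [ 16, {
        'r_offset' : [ 0, ['unsigned long long']],
        'r_info' : [ 8, ['unsigned long long']],
    }],

    'elf64_rela' : [ 24, {
        'r_offset' : [ 0, ['unsigned long long']],
        'r_info' : [ 8, ['unsigned long long']],
        'r_addend' : [ 16, ['long long']],
    }],
}

class elf(obj.CType):
    """Width-agnostic wrapper around a 32-bit or 64-bit ELF structure.

    Each subclass names the 32-bit and 64-bit vtype it can stand for; the
    concrete object is created lazily in self.elf_obj and attribute reads
    are forwarded to it by __getattr__.

    self.size_cache holds 32 or 64 once the class is known, -39 while the
    width still has to be inherited from the parent object, and -42 when the
    EI_CLASS byte of a header was neither 1 nor 2.

    Every field read through these wrappers comes from the memory image under
    analysis, so offsets, counts and sizes must be treated as untrusted.
    """

    def __init__(self, is_header, name32, name64, theType, offset, vm, name = None, **kwargs):
        """Record the two candidate vtype names and resolve the width.

        @param is_header: true for the ELF header itself, which reads the
                          width from the image; other structures defer to
                          their parent on first use
        @param name32:    vtype name for the 32-bit layout
        @param name64:    vtype name for the 64-bit layout
        """
        self.name32 = name32
        self.name64 = name64
        self.elf_obj = None

        if is_header:
            self._init_cache(offset, vm)
        else:
            # sentinel: width not resolved yet, ask the parent later
            self.size_cache = -39

        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

    def is_valid(self):
        """True when the width is known or still pending (-39), false for -42."""
        return self.size_cache in [32, 64, -39]

    def _init_cache_from_parent(self):
        """Copy the width from the parent object and build the concrete object."""
        self.size_cache = self.obj_parent.size_cache
        self._make_elf_obj(self.obj_offset, self.obj_vm)

    def _make_elf_obj(self, offset, vm):
        """Instantiate the 32-bit or 64-bit vtype at offset, or None if the width is unknown."""
        if self.size_cache == 32:
            self.elf_obj = obj.Object(self.name32, offset = offset, vm = vm)
        elif self.size_cache == 64:
            self.elf_obj = obj.Object(self.name64, offset = offset, vm = vm)
        else:
            self.elf_obj = None

    def _set_size_cache(self, offset, vm):
        """Read the EI_CLASS byte (offset + 4) and map it to 32, 64 or -42."""
        ei_class = obj.Object("unsigned char", offset = offset + 4, vm = vm)
        if ei_class == 1:
            # ELFCLASS32
            self.size_cache = 32
        elif ei_class == 2:
            # ELFCLASS64
            self.size_cache = 64
        else:
            # anything else is not a usable ELF class
            self.size_cache = -42

    def _init_cache(self, offset, vm):
        """Resolve the width from the image, then build the concrete object."""
        self._set_size_cache(offset, vm)
        self._make_elf_obj(offset, vm)

    def _get_typename(self, typename):
        """Return "elf32_<typename>" or "elf64_<typename>" for this object's width.

        Any width other than 32 (including the -42 "unknown" marker) selects
        the elf64_ name.
        """
        if self.size_cache == -39:
            self._init_cache_from_parent()

        if self.size_cache == 32:
            typename = "elf32_" + typename
        else:
            typename = "elf64_" + typename

        return typename

    def __getattr__(self, attr):
        """Forward unknown attribute reads to the concrete 32/64-bit object."""
        if self.size_cache == -39:
            self._init_cache_from_parent()

        return self.elf_obj.__getattr__(attr)

class elf_hdr(elf):
    """An ELF header"""

    def __init__(self, theType, offset, vm, name = None, **kwargs):
        # these are populated on the first call to symbols()
        self.cached_symtab = None
        self.cached_strtab = None
        self.cached_numsyms = 0

        elf.__init__(self, 1, "elf32_hdr", "elf64_hdr", theType, offset, vm, name, **kwargs)

    def is_valid(self):
        """True when a concrete 32-bit or 64-bit header object could be built."""
        return self.elf_obj != None

    def program_headers(self):
        """Yield every program header that passes elf_phdr.is_valid().

        The walk is skipped when e_phoff is negative or above 1000000.
        At least 128 slots are examined even when e_phnum is smaller, and
        e_phnum itself is used when it is larger.
        NOTE(review): this looks like deliberate over-scanning so that an
        understated e_phnum in the image does not hide headers - confirm.
        """
        rtname = self._get_typename("phdr")
        rtsize = self.obj_vm.profile.get_obj_size(rtname)

        tname = "elf_phdr"

        # reject implausible header offsets taken from the image
        if self.e_phoff < 0 or self.e_phoff > 1000000:
            return

        # the buffer of headers
        arr_start = self.obj_offset + self.e_phoff

        if self.e_phnum > 128:
            phnum = self.e_phnum
        else:
            phnum = 128

        for i in range(phnum):
            # use the real size
            idx = i * rtsize

            phdr = obj.Object(tname, offset = arr_start + idx, vm = self.obj_vm, parent = self)

            if phdr.is_valid():
                yield phdr

    def _section_headers(self):
        """Return (start address of the section header table, entry size).

        The start address is -1 when e_shoff is below 1.
        """
        rtname = self._get_typename("shdr")
        rtsize = self.obj_vm.profile.get_obj_size(rtname)

        if self.e_shoff < 1:
            arr_start = -1
        else:
            # the buffer of headers
            arr_start = self.obj_offset + self.e_shoff

        return (arr_start, rtsize)

    def section_headers(self):
        """Yield each of the e_shnum section headers that is_valid() accepts."""
        (arr_start, rtsize) = self._section_headers()

        if arr_start == -1:
            return

        for i in range(self.e_shnum):
            # use the real size
            idx = i * rtsize

            shdr = obj.Object("elf_shdr", offset = arr_start + idx, vm = self.obj_vm, parent = self)

            if shdr.is_valid():
                yield shdr

    def _find_symbols_program_headers(self):
        """Locate the dynamic symbol and string tables through PT_DYNAMIC.

        Fills cached_symtab, cached_strtab and cached_numsyms from the first
        valid PT_DYNAMIC program header.  Nothing is cached when there is no
        such header or when it lacks one of the three entries.
        """
        dt_strtab = None
        dt_symtab = None
        dt_strent = None

        for phdr in self.program_headers():
            if not phdr.is_valid() or str(phdr.p_type) != 'PT_DYNAMIC':
                continue

            dt_strtab = None
            dt_symtab = None
            dt_strent = None

            for dsec in phdr.dynamic_sections():
                if dsec.d_tag == 5:
                    # DT_STRTAB
                    dt_strtab = dsec.d_ptr

                elif dsec.d_tag == 6:
                    # DT_SYMTAB
                    dt_symtab = dsec.d_ptr

                elif dsec.d_tag == 11:
                    # DT_SYMENT: size of one symbol table entry
                    dt_strent = dsec.d_ptr

            if dt_strtab == None or dt_symtab == None or dt_strent == None:
                return None

            break

        # No PT_DYNAMIC header was seen at all: leave the cache empty so that
        # symbols() returns nothing instead of failing on unbound names.
        if dt_strtab == None or dt_symtab == None or dt_strent == None:
            return None

        self.cached_symtab = dt_symtab
        self.cached_strtab = dt_strtab

        # The entry size comes from the image; a zero there must not be used
        # as a divisor, so it falls back to the same default as an
        # out-of-order table layout.
        if dt_symtab.v() < dt_strtab.v() and dt_strent != 0:
            self.cached_numsyms = (dt_strtab.v() - dt_symtab.v()) / dt_strent
        else:
            self.cached_numsyms = 1024

    def _find_symbols(self):
        """Populate the symbol table cache."""
        self._find_symbols_program_headers()

    def symbols(self):
        """Yield the entries of the dynamic symbol table, if one was found."""
        if self.cached_symtab == None:
            self._find_symbols()

        if self.cached_symtab == None:
            return

        rtname = self._get_typename("sym")

        symtab_arr = obj.Object(theType = "Array", targetType = rtname, count = self.cached_numsyms, offset = self.cached_symtab, vm = self.obj_vm)
        for sym in symtab_arr:
            yield sym

    def symbol_at(self, sym_idx):
        """Return the symbol at position sym_idx of symbols(), or None."""
        ret = None

        for (cur_idx, sym) in enumerate(self.symbols()):
            if cur_idx == sym_idx:
                ret = sym
                break

        return ret

    def symbol_name(self, sym):
        """Return the name of sym read from the cached string table.

        At most 255 bytes are read and the result is cut at the first NUL;
        "N/A" is returned when the read yields nothing.
        """
        addr = self.cached_strtab + sym.st_name

        name = self.obj_vm.read(addr, 255)
        if name:
            idx = name.find("\x00")
            if idx != -1:
                name = name[:idx]
        else:
            name = "N/A"

        return name

    def relocation_symbol(self, reloc):
        """Return the symbol a relocation entry refers to, or None."""
        ridx = reloc.relocation_symbol_index()
        sym = self.symbol_at(ridx)
        return sym

    def relocations(self):
        """Yield the PLT relocation entries described by PT_DYNAMIC headers.

        Stops with a printed message when DT_JMPREL, DT_PLTRELSZ or DT_PLTREL
        is missing, or when DT_PLTREL names a relocation format other than
        DT_RELA (7) or DT_REL (17).  24 entries beyond the declared count are
        examined as well.
        """
        for phdr in self.program_headers():
            if str(phdr.p_type) != 'PT_DYNAMIC':
                continue

            dt_jmprel = None
            dt_pltrelsz = None
            dt_pltrel = None

            for dsec in phdr.dynamic_sections():
                if dsec.d_tag == 23:
                    # DT_JMPREL
                    dt_jmprel = dsec.d_ptr

                elif dsec.d_tag == 2:
                    # DT_PLTRELSZ
                    dt_pltrelsz = dsec.d_ptr

                elif dsec.d_tag == 20:
                    # DT_PLTREL
                    dt_pltrel = dsec.d_ptr

            if dt_jmprel == None or dt_pltrelsz == None or dt_pltrel == None:
                print "needed info missing"
                return

            if dt_pltrel == 7:
                struct_name = "elf_rela"
                if self.size_cache == 32:
                    struct_size = 12
                else:
                    struct_size = 24

            elif dt_pltrel == 17:
                struct_name = "elf_rel"
                if self.size_cache == 32:
                    struct_size = 8
                else:
                    struct_size = 16

            else:
                print "unknown relocation type: %d" % dt_pltrel
                # struct_name and struct_size are not defined for this value,
                # so the entries cannot be decoded; stop here as the
                # missing-info path above does.
                return

            # arr = obj.Object(theType="Array", targetType=struct_name, parent = self, count = dt_pltrelsz / struct_size, offset = dt_jmprel, vm = self.obj_vm)

            count = dt_pltrelsz / struct_size

            for idx in range(count + 24):
                offset = dt_jmprel + (idx * struct_size)

                reloc = obj.Object(struct_name, offset = offset, vm = self.obj_vm, parent = self)

                yield reloc

class elf_shdr(elf):
    """ An elf section header """

    def __init__(self, theType, offset, vm, name = None, **kwargs):
        elf.__init__(self, 0, "elf32_shdr", "elf64_shdr", theType, offset, vm, name, **kwargs)

class elf32_shdr(obj.CType):
    """Concrete 32-bit section header vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf64_shdr(obj.CType):
    """Concrete 64-bit section header vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf_rel(elf):
    """ An elf relocation """

    def __init__(self, theType, offset, vm, name = None, **kwargs):
        elf.__init__(self, 0, "elf32_rel", "elf64_rel", theType, offset, vm, name, **kwargs)

    def relocation_type(self):
        """Return the relocation type: low 8 bits of r_info (32-bit) or low 32 bits (64-bit)."""
        t = self._get_typename("rel")
        if t == "elf32_rel":
            ret = self.r_info & 0xff
        else:
            ret = self.r_info & 0xffffffff

        return ret

    def relocation_symbol_index(self):
        """Return the symbol index: r_info shifted right by 8 (32-bit) or 32 (64-bit)."""
        t = self._get_typename("rel")
        if t == "elf32_rel":
            ret = self.r_info >> 8
        else:
            ret = self.r_info >> 32

        return ret

class elf32_rel(obj.CType):
    """Concrete 32-bit relocation vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf64_rel(obj.CType):
    """Concrete 64-bit relocation vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf_rela(elf):
    """ An elf relocation """

    def __init__(self, theType, offset, vm, name = None, **kwargs):
        elf.__init__(self, 0, "elf32_rela", "elf64_rela", theType, offset, vm, name, **kwargs)

    def relocation_type(self):
        """Return the relocation type: low 8 bits of r_info (32-bit) or low 32 bits (64-bit)."""
        # the "rel" type name is only used to tell the 32-bit layout from the 64-bit one
        t = self._get_typename("rel")
        if t == "elf32_rel":
            ret = self.r_info & 0xff
        else:
            ret = self.r_info & 0xffffffff

        return ret

    def relocation_symbol_index(self):
        """Return the symbol index: r_info shifted right by 8 (32-bit) or 32 (64-bit)."""
        # the "rel" type name is only used to tell the 32-bit layout from the 64-bit one
        t = self._get_typename("rel")
        if t == "elf32_rel":
            ret = self.r_info >> 8
        else:
            ret = self.r_info >> 32

        return ret

class elf32_rela(obj.CType):
    """Concrete 32-bit relocation-with-addend vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf64_rela(obj.CType):
    """Concrete 64-bit relocation-with-addend vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf_phdr(elf):
    """ An elf program header """

    def __init__(self, theType, offset, vm, name = None, **kwargs):
        elf.__init__(self, 0, "elf32_phdr", "elf64_phdr", theType, offset, vm, name, **kwargs)

    def is_valid(self):
        """True when both p_filesz and p_memsz are greater than zero."""
        return self.p_filesz > 0 and self.p_memsz > 0

    @property
    def p_vaddr(self):
        """The segment's virtual address, rebased on the header for ET_DYN objects."""
        ret = self.__getattr__("p_vaddr")

        if self.obj_parent.e_type == 3: # ET_DYN
            ret = self.obj_parent.obj_offset + ret

        return ret

    def dynamic_sections(self):
        """Yield the dynamic entries of a PT_DYNAMIC segment.

        The walk ends after the first entry whose d_tag is 0 (that entry is
        yielded too) and never examines more than 256 entries.
        """
        # sanity check
        if str(self.p_type) != 'PT_DYNAMIC':
            return

        rtname = self._get_typename("dyn")
        rtsize = self.obj_vm.profile.get_obj_size(rtname)

        tname = "elf_dyn"

        # the buffer of array starts at elf_base + our virtual address ( offset )
        arr_start = self.p_vaddr

        # fixed upper bound so that a table without a terminator cannot keep the walk going
        for i in range(256):
            # use the real size
            idx = i * rtsize

            dyn = obj.Object(tname, offset = arr_start + idx, vm = self.obj_vm, parent = self)

            yield dyn

            if dyn.d_tag == 0:
                break

class elf32_phdr(obj.CType):
    """Concrete 32-bit program header vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf64_phdr(obj.CType):
    """Concrete 64-bit program header vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf_sym(elf):
    """ An elf symbol struct"""

    def __init__(self, theType, offset, vm, name = None, **kwargs):
        elf.__init__(self, 0, "elf32_sym", "elf64_sym", theType, offset, vm, name, **kwargs)

class elf32_sym(obj.CType):
    """Concrete 32-bit symbol vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf64_sym(obj.CType):
    """Concrete 64-bit symbol vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf_dyn(elf):
    """ An elf dynamic section struct"""

    def __init__(self, theType, offset, vm, name = None, **kwargs):
        elf.__init__(self, 0, "elf32_dyn", "elf64_dyn", theType, offset, vm, name, **kwargs)

class elf32_dyn(obj.CType):
    """Concrete 32-bit dynamic entry vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf64_dyn(obj.CType):
    """Concrete 64-bit dynamic entry vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf_note(elf):
    """An ELF note header"""

    def __init__(self, theType, offset, vm, name = None, **kwargs):
        elf.__init__(self, 0, "elf32_note", "elf64_note", theType, offset, vm, name, **kwargs)

    def cast_descsz(self, obj_type):
        """Cast the descsz member as a specified type.

        @param obj_type: name of the object

        The descsz member is at a variable offset, which depends
        on the length of the namesz string which precedes it. The
        string is 8-byte aligned and can be zero.
        """
        # note header size plus n_namesz rounded up to the next multiple of 8
        desc_offset = (self.obj_offset +
                       self.obj_vm.profile.get_obj_size(self._get_typename("note")) +
                       ((((self.n_namesz - 1) >> 3) + 1) << 3))

        return obj.Object(obj_type, offset = desc_offset, vm = self.obj_vm, parent = self)

class elf32_note(obj.CType):
    """Concrete 32-bit note vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf64_note(obj.CType):
    """Concrete 64-bit note vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf_link_map(elf):
    """ An libdl link map structure"""

    def __init__(self, theType, offset, vm, name = None, **kwargs):
        elf.__init__(self, 0, "elf32_link_map", "elf64_link_map", theType, offset, vm, name, **kwargs)

    @property
    def l_name(self):
        """The NUL-terminated name at the l_name address (at most 256 bytes are read)."""
        saddr = self.__getattr__("l_name")

        buf = self.obj_vm.zread(saddr, 256)
        idx = buf.find("\x00")
        if idx != -1:
            buf = buf[:idx]

        return str(buf)

    @property
    def l_next(self):
        """The elf_link_map object at the l_next address."""
        naddr = self.elf_obj.m("l_next")

        tname = "elf_link_map"

        return obj.Object(tname, offset = naddr, vm = self.obj_vm, parent = self)

    @property
    def l_prev(self):
        """The elf_link_map object at the l_prev address."""
        naddr = self.elf_obj.m("l_prev")

        tname = "elf_link_map"

        return obj.Object(tname, offset = naddr, vm = self.obj_vm, parent = self)

    def _walk_map_list(self, access_func):
        """Yield link map entries starting at self, following access_func.

        The walk stops on a false entry, on an offset that was already
        visited, or once more than 1024 entries have been seen, so a list
        that loops or never ends in the image cannot stall the caller.
        """
        seen = set()
        cur = self
        while cur:
            if cur.obj_offset in seen:
                break

            yield cur

            seen.add(cur.obj_offset)

            # check for signs of infinite looping
            if len(seen) > 1024:
                break

            cur = access_func(cur)

    def __iter__(self):
        """Walk the list forwards via l_next, then backwards via l_prev.

        Both walks start at self, so self is yielded once per direction.
        """
        for member in [lambda x: x.l_next, lambda x: x.l_prev]:
            for mapinfo in self._walk_map_list(member):
                yield mapinfo

class elf32_link_map(obj.CType):
    """Concrete 32-bit link map vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class elf64_link_map(obj.CType):
    """Concrete 64-bit link map vtype."""
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class ELFModification(obj.ProfileModification):
    """Registers the ELF wrapper classes with a profile."""
    def modification(self, profile):
        profile.object_classes.update({
            'elf'         : elf,
            'elf_hdr'     : elf_hdr,
            'elf_note'    : elf_note,
            'elf_phdr'    : elf_phdr,
            'elf32_phdr'  : elf32_phdr,
            'elf64_phdr'  : elf64_phdr,
            'elf_dyn'     : elf_dyn,
            'elf32_dyn'   : elf32_dyn,
            'elf64_dyn'   : elf64_dyn,
            'elf_shdr'    : elf_shdr,
            'elf32_shdr'  : elf32_shdr,
            'elf64_shdr'  : elf64_shdr,
            'elf_sym'     : elf_sym,
            'elf32_sym'   : elf32_sym,
            'elf64_sym'   : elf64_sym,
            'elf32_note'  : elf32_note,
            'elf64_note'  : elf64_note,
            'elf_link_map'    : elf_link_map,
            'elf32_link_map'  : elf32_link_map,
            'elf64_link_map'  : elf64_link_map,
            'elf_rel'     : elf_rel,
            'elf32_rel'   : elf32_rel,
            'elf64_rel'   : elf64_rel,
            'elf_rela'    : elf_rela,
            'elf32_rela'  : elf32_rela,
            'elf64_rela'  : elf64_rela
        })

class ELF64Modification(obj.ProfileModification):
    """Adds the 64-bit ELF vtypes to a profile."""
    def modification(self, profile):
        profile.vtypes.update(elf64_vtypes)

class ELF32Modification(obj.ProfileModification):
    """Adds the 32-bit ELF vtypes to a profile."""
    def modification(self, profile):
        profile.vtypes.update(elf32_vtypes)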
volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/linux/linux.py0000644000000000000000000024317113131215405025542 0ustar rootroot# Volatility # Copyright (C) 2010 Brendan Dolan-Gavitt # Copyright (c) 2011 Michael Cohen # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Brendan Dolan-Gavitt @license: GNU General Public License 2.0 @contact: brendandg@gatech.edu @organization: Georgia Institute of Technology """ import os, struct, socket import copy import zipfile import volatility.plugins import volatility.plugins.overlays.basic as basic import volatility.plugins.overlays.native_types as native_types import volatility.exceptions as exceptions import volatility.obj as obj import volatility.debug as debug import volatility.dwarf as dwarf import volatility.scan as scan import volatility.plugins.linux.common as linux_common import volatility.plugins.linux.flags as linux_flags import volatility.addrspace as addrspace import volatility.utils as utils import volatility.protos as protos x64_native_types = copy.deepcopy(native_types.x64_native_types) x64_native_types['long'] = [8, ' output.dwarf """ dwarfdata = None sysmapdata = None # XXX Do we want to initialize this memmodel, arch = "32bit", "x86" profilename = os.path.splitext(os.path.basename(profpkg.filename))[0] for f in profpkg.filelist: if 
f.filename.lower().endswith('.dwarf'): dwarfdata = profpkg.read(f.filename) elif 'system.map' in f.filename.lower(): sysmapdata = profpkg.read(f.filename) arch, memmodel, sysmap = parse_system_map(profpkg.read(f.filename), "kernel") if memmodel == "64bit": arch = "x64" if not sysmapdata or not dwarfdata: # Might be worth throwing an exception here? return None class AbstractLinuxProfile(obj.Profile): __doc__ = "A Profile for Linux " + profilename + " " + arch _md_os = "linux" _md_memory_model = memmodel _md_arch = arch # Override 64-bit native_types native_mapping = {'32bit': native_types.x86_native_types, '64bit': x64_native_types} def __init__(self, *args, **kwargs): # change the name to catch any code referencing the old hash table self.sys_map = {} self.sym_addr_cache = {} self.physical_shift = 0 self.virtual_shift = 0 obj.Profile.__init__(self, *args, **kwargs) def clear(self): """Clear out the system map, and everything else""" self.sys_map = {} self.sym_addr_cache = {} self.physical_shift = 0 self.virtual_shift = 0 obj.Profile.clear(self) def reset(self): """Reset the vtypes, sysmap and apply modifications, then compile""" self.clear() self.load_vtypes() self.load_sysmap() self.load_modifications() self.compile() def _merge_anonymous_members(self, vtypesvar): members_index = 1 types_index = 1 offset_index = 0 try: for candidate in vtypesvar: done = False while not done: if any(member.startswith('__unnamed_') for member in vtypesvar[candidate][members_index]): for member in vtypesvar[candidate][members_index].keys(): if member.startswith('__unnamed_'): member_type = vtypesvar[candidate][members_index][member][types_index][0] location = vtypesvar[candidate][members_index][member][offset_index] vtypesvar[candidate][members_index].update(vtypesvar[member_type][members_index]) for name in vtypesvar[member_type][members_index].keys(): vtypesvar[candidate][members_index][name][offset_index] += location del vtypesvar[candidate][members_index][member] # Don't update 
done because we'll need to check if any # of the newly imported types need merging else: done = True except KeyError, e: import pdb pdb.set_trace() raise exceptions.VolatilityException("Inconsistent linux profile - unable to look up " + str(e)) def load_vtypes(self): """Loads up the vtypes data""" ntvar = self.metadata.get('memory_model', '32bit') self.native_types = copy.deepcopy(self.native_mapping.get(ntvar)) vtypesvar = dwarf.DWARFParser(dwarfdata).finalize() self._merge_anonymous_members(vtypesvar) self.vtypes.update(vtypesvar) debug.debug("{2}: Found dwarf file {0} with {1} symbols".format(f.filename, len(vtypesvar.keys()), profilename)) def load_sysmap(self): """Loads up the system map data""" arch, _memmodel, sysmapvar = parse_system_map(sysmapdata, "kernel") debug.debug("{2}: Found system file {0} with {1} symbols".format(f.filename, len(sysmapvar.keys()), profilename)) self.sys_map.update(sysmapvar) def get_all_symbols(self, module = "kernel"): """ Gets all the symbol tuples for the given module """ ret = [] symtable = self.sys_map if module in symtable: mod = symtable[module] for (name, addrs) in mod.items(): addr = addrs[0][0] if self.virtual_shift and addr: addr = addr + self.virtual_shift ret.append((name, addr)) else: debug.info("All symbols requested for non-existent module %s" % module) return ret def get_all_addresses(self, module = "kernel"): """ Gets all the symbol addresses for the given module """ # returns a hash table for quick looks # the main use of this function is to see if an address is known symbols = self.get_all_symbols(module) ret = {} for _name, addr in symbols: ret[addr] = 1 return ret def _get_symbol_by_address(self, module, sym_address): ret = "" symtable = self.sys_map mod = symtable[module] for (name, addrs) in mod.items(): for (addr, addr_type) in addrs: if sym_address == addr + self.virtual_shift: ret = name break return ret def get_symbol_by_address(self, module, sym_address): key = "%s|%d" % (module, sym_address) if key in 
self.sym_addr_cache: ret = self.sym_addr_cache[key] else: ret = self._get_symbol_by_address(module, sym_address) self.sym_addr_cache[key] = ret return ret def get_all_symbol_names(self, module = "kernel"): symtable = self.sys_map if module in symtable: ret = symtable[module].keys() else: debug.error("get_all_symbol_names called on non-existent module") return ret def get_next_symbol_address(self, sym_name, module = "kernel"): """ This is used to find the address of the next symbol in the profile For some data structures, we cannot determine their size automaticlaly so this can be used to figure it out on the fly """ high_addr = 0xffffffffffffffff table_addr = self.get_symbol(sym_name, module = module) addrs = self.get_all_addresses(module = module) for addr in addrs.keys(): if table_addr < addr < high_addr: high_addr = addr return high_addr def get_symbol(self, sym_name, nm_type = "", module = "kernel"): """Gets a symbol out of the profile sym_name -> name of the symbol nm_tyes -> types as defined by 'nm' (man nm for examples) module -> which module to get the symbol from, default is kernel, otherwise can be any name seen in 'lsmod' This fixes a few issues from the old static hash table method: 1) Conflicting symbols can be handled, if a symbol is found to conflict on any profile, then the plugin will need to provide the nm_type to differentiate, otherwise the plugin will be errored out 2) Can handle symbols gathered from modules on disk as well from the static kernel symtable is stored as a hash table of: symtable[module][sym_name] = [(symbol address, symbol type), (symbol addres, symbol type), ...] The function has overly verbose error checking on purpose... """ symtable = self.sys_map ret = None # check if the module is there... 
if module in symtable: mod = symtable[module] # check if the requested symbol is in the module if sym_name in mod: sym_list = mod[sym_name] # if a symbol has multiple definitions, then the plugin needs to specify the type if len(sym_list) > 1: if nm_type == "": debug.debug("Requested symbol {0:s} in module {1:s} has multiple definitions and no type given\n".format(sym_name, module)) return None else: for (addr, stype) in sym_list: if stype == nm_type: ret = addr break if ret == None: debug.error("Requested symbol {0:s} in module {1:s} could not be found\n".format(sym_name, module)) else: # get the address of the symbol ret = sym_list[0][0] else: debug.debug("Requested symbol {0:s} not found in module {1:s}\n".format(sym_name, module)) else: debug.info("Requested module {0:s} not found in symbol table\n".format(module)) if ret: ret = ret + self.virtual_shift return ret def get_symbol_type(self, sym_name, nm_type = "", module = "kernel"): symtable = self.sys_map ret = None # check if the module is there... 
if module in symtable: mod = symtable[module] # check if the requested symbol is in the module if sym_name in mod: sym_list = mod[sym_name] # if a symbol has multiple definitions, then the plugin needs to specify the type if len(sym_list) > 1: if nm_type == "": debug.debug("Requested symbol {0:s} in module {1:s} has multiple definitions and no type given\n".format(sym_name, module)) return None else: for (addr, stype) in sym_list: if stype == nm_type: ret = addr break if ret == None: debug.error("Requested symbol {0:s} in module {1:s} could not be found\n".format(sym_name, module)) else: # get the type of the symbol ret = sym_list[0][1] else: debug.debug("Requested symbol {0:s} not found in module {1:s}\n".format(sym_name, module)) else: debug.info("Requested module {0:s} not found in symbol table\n".format(module)) return ret cls = AbstractLinuxProfile cls.__name__ = 'Linux' + profilename.replace('.', '_') + arch return cls ################################ # Track down the zip files # Push them through the factory # Check whether ProfileModifications will work new_classes = [] for path in set(volatility.plugins.__path__): for path, _, files in os.walk(path): for fn in files: if zipfile.is_zipfile(os.path.join(path, fn)): new_classes.append(LinuxProfileFactory(zipfile.ZipFile(os.path.join(path, fn)))) ################################ # really 'file' but don't want to mess with python's version class linux_file(obj.CType): @property def dentry(self): if hasattr(self, "f_dentry"): ret = self.f_dentry else: ret = self.f_path.dentry return ret @property def vfsmnt(self): if hasattr(self, "f_vfsmnt"): ret = self.f_vfsmnt else: ret = self.f_path.mnt return ret # FIXME - walking backwards has not been thorougly tested class hlist_node(obj.CType): """A hlist_node makes a doubly linked list.""" def list_of_type(self, obj_type, member, offset = -1, forward = True, head_sentinel = True): if not self.is_valid(): return ## Get the first element if forward: nxt = 
self.m("next").dereference() else: nxt = self.pprev.dereference().dereference() offset = self.obj_vm.profile.get_obj_offset(obj_type, member) seen = set() if head_sentinel: # We're a header element and not to be included in the list seen.add(self.obj_offset) while nxt.is_valid() and nxt.obj_offset not in seen: ## Instantiate the object item = obj.Object(obj_type, offset = nxt.obj_offset - offset, vm = self.obj_vm, parent = self.obj_parent, name = obj_type) seen.add(nxt.obj_offset) yield item if forward: nxt = item.m(member).m("next").dereference() else: nxt = item.m(member).pprev.dereference().dereference() def __nonzero__(self): ## List entries are valid when both Flinks and Blink are valid return bool(self.next) or bool(self.pprev) def __iter__(self): return self.list_of_type(self.obj_parent.obj_name, self.obj_name) class list_head(obj.CType): """A list_head makes a doubly linked list.""" def list_of_type(self, obj_type, member, offset = -1, forward = True, head_sentinel = True): if not self.is_valid(): return ## Get the first element if forward: nxt = self.next.dereference() else: nxt = self.prev.dereference() offset = self.obj_vm.profile.get_obj_offset(obj_type, member) seen = set() if head_sentinel: # We're a header element and not to be included in the list seen.add(self.obj_offset) while nxt.is_valid() and nxt.obj_offset not in seen: ## Instantiate the object item = obj.Object(obj_type, offset = nxt.obj_offset - offset, vm = self.obj_vm, parent = self.obj_parent, name = obj_type) seen.add(nxt.obj_offset) yield item if forward: nxt = item.m(member).m("next").dereference() else: nxt = item.m(member).prev.dereference() def __nonzero__(self): ## List entries are valid when both Flinks and Blink are valid return bool(self.next) or bool(self.prev) def __iter__(self): return self.list_of_type(self.obj_parent.obj_name, self.obj_name) class hlist_bl_node(obj.CType): """A list_head makes a doubly linked list.""" def list_of_type(self, obj_type, member, offset = -1, 
forward = True, head_sentinel = True): if not self.is_valid(): return ## Get the first element if forward: nxt = self.next.dereference() else: nxt = self.prev.dereference() offset = self.obj_vm.profile.get_obj_offset(obj_type, member) seen = set() if head_sentinel: # We're a header element and not to be included in the list seen.add(self.obj_offset) while nxt.is_valid() and nxt.obj_offset not in seen: ## Instantiate the object item = obj.Object(obj_type, offset = nxt.obj_offset - offset, vm = self.obj_vm, parent = self.obj_parent, name = obj_type) seen.add(nxt.obj_offset) yield item if forward: nxt = item.m(member).next.dereference() else: nxt = item.m(member).prev.dereference() def __nonzero__(self): ## List entries are valid when both Flinks and Blink are valid return bool(self.next) or bool(self.prev) def __iter__(self): return self.list_of_type(self.obj_parent.obj_name, self.obj_name) class files_struct(obj.CType): def get_fds(self): if hasattr(self, "fdt"): fdt = self.fdt ret = fdt.fd.dereference() else: ret = self.fd.dereference() return ret def get_max_fds(self): if hasattr(self, "fdt"): ret = self.fdt.max_fds else: ret = self.max_fds return ret class kernel_param(obj.CType): @property def get(self): if self.members.get("get"): ret = self.m("get") else: ret = self.ops.get return ret class kparam_array(obj.CType): @property def get(self): if self.members.get("get"): ret = self.m("get") else: ret = self.ops.get return ret class gate_struct64(obj.CType): @property def Address(self): low = self.offset_low middle = self.offset_middle high = self.offset_high ret = (high << 32) | (middle << 16) | low return ret class desc_struct(obj.CType): @property def Address(self): return (self.b & 0xffff0000) | (self.a & 0x0000ffff) class module_sect_attr(obj.CType): @property def sect_name(self): if type(self.m("name")) == obj.Array: name = obj.Object("String", offset = self.m("name").obj_offset, vm = self.obj_vm, length = 32) else: name = self.name.dereference_as("String", 
length = 255) return str(name) class sock(obj.CType): @property def sk_node(self): return self.__sk_common.skc_node #pylint: disable-msg=W0212 class inet_sock(obj.CType): """Class for an internet socket object""" @property def protocol(self): """Return the protocol string (i.e. IPv4, IPv6)""" return protos.protos.get(self.sk.sk_protocol.v(), "UNKNOWN") @property def state(self): state = self.sk.__sk_common.skc_state #pylint: disable-msg=W0212 if 0 <= state < len(linux_flags.tcp_states): ret = linux_flags.tcp_states[state] else: ret = "" return ret @property def src_port(self): if hasattr(self, "sport"): return socket.htons(self.sport) elif hasattr(self, "inet_sport"): return socket.htons(self.inet_sport) else: return None @property def dst_port(self): if hasattr(self, "sk") and hasattr(self.sk, "__sk_common") and hasattr(self.sk.__sk_common, "skc_portpair"): return socket.htons(self.sk.__sk_common.skc_portpair & 0xffff) #pylint: disable-msg=W0212 elif hasattr(self, "dport"): return socket.htons(self.dport) elif hasattr(self, "inet_dport"): return socket.htons(self.inet_dport) elif hasattr(self, "sk") and hasattr(self.sk, "__sk_common") and hasattr(self.sk.__sk_common, "skc_dport"): return socket.htons(self.sk.__sk_common.skc_dport) #pylint: disable-msg=W0212 else: return None @property def src_addr(self): if self.sk.__sk_common.skc_family == socket.AF_INET: # FIXME: Consider using kernel version metadata rather than checking hasattr if hasattr(self, "rcv_saddr"): saddr = self.rcv_saddr elif hasattr(self, "inet_rcv_saddr"): saddr = self.inet_rcv_saddr else: saddr = self.sk.__sk_common.skc_rcv_saddr return saddr.cast("IpAddress") else: return self.pinet6.saddr.cast("Ipv6Address") @property def dst_addr(self): if self.sk.__sk_common.skc_family == socket.AF_INET: # FIXME: Consider using kernel version metadata rather than checking hasattr if hasattr(self, "daddr") and self.daddr: daddr = self.daddr elif hasattr(self, "inet_daddr") and self.inet_daddr: daddr = 
self.inet_daddr else: daddr = self.sk.__sk_common.skc_daddr return daddr.cast("IpAddress") else: if hasattr(self.pinet6, "daddr"): return self.pinet6.daddr.cast("Ipv6Address") else: return self.sk.__sk_common.skc_v6_daddr.cast("Ipv6Address") #pylint: disable-msg=W0212 class tty_ldisc(obj.CType): @property def ops(self): check = self.members.get("ops") if check: ret = self.m('ops') else: ret = self return ret class in_device(obj.CType): def devices(self): cur = self.ifa_list while cur != None and cur.is_valid(): yield cur cur = cur.ifa_next class net_device(obj.CType): @property def mac_addr(self): macaddr = "00:00:00:00:00:00" if self.members.has_key("perm_addr"): hwaddr = self.perm_addr macaddr = ":".join(["{0:02x}".format(x) for x in hwaddr][:6]) if macaddr == "00:00:00:00:00:00": if type(self.dev_addr) == volatility.obj.Pointer: addr = self.dev_addr.v() else: addr = self.dev_addr.obj_offset hwaddr = self.obj_vm.zread(addr, 6) macaddr = ":".join(["{0:02x}".format(ord(x)) for x in hwaddr][:6]) return macaddr @property def promisc(self): return self.flags & 0x100 == 0x100 # IFF_PROMISC class module_struct(obj.CType): @property def module_core(self): if hasattr(self, "core_layout"): ret = self.m("core_layout").m("base") else: ret = self.m("module_core") return ret @property def module_init(self): if hasattr(self, "init_layout"): ret = self.m("init_layout").m("base") else: ret = self.m("module_init") return ret @property def init_size(self): if hasattr(self, "init_layout"): ret = self.m("init_layout").m("size") else: ret = self.m("init_size") return ret @property def core_size(self): if hasattr(self, "core_layout"): ret = self.m("core_layout").m("size") else: ret = self.m("core_size") return ret def _get_sect_count(self, grp): arr = obj.Object(theType = 'Array', offset = grp.attrs, vm = self.obj_vm, targetType = 'Pointer', count = 25) idx = 0 while arr[idx]: idx = idx + 1 return idx def get_sections(self): if hasattr(self.sect_attrs, "nsections"): num_sects = 
self.sect_attrs.nsections else: num_sects = self._get_sect_count(self.sect_attrs.grp) attrs = obj.Object(theType = 'Array', offset = self.sect_attrs.attrs.obj_offset, vm = self.obj_vm, targetType = 'module_sect_attr', count = num_sects) for attr in attrs: yield attr def get_param_val(self, param, _over = 0): ints = { self.obj_vm.profile.get_symbol("param_get_invbool") : "int", self.obj_vm.profile.get_symbol("param_get_bool") : "int", self.obj_vm.profile.get_symbol("param_get_int") : "int", self.obj_vm.profile.get_symbol("param_get_ulong") : "unsigned long", self.obj_vm.profile.get_symbol("param_get_long") : "long", self.obj_vm.profile.get_symbol("param_get_uint") : "unsigned int", self.obj_vm.profile.get_symbol("param_get_ushort") : "unsigned short", self.obj_vm.profile.get_symbol("param_get_short") : "short", self.obj_vm.profile.get_symbol("param_get_byte") : "char", } getfn = param.get if getfn == 0: val = "" elif getfn == self.obj_vm.profile.get_symbol("param_array_get"): val = "" arr = param.arr overwrite = param.arr if arr.num: maxi = arr.num.dereference() else: maxi = arr.max for i in range(maxi): if i > 0: val = val + "," arg = arr.elem + arr.elemsize * i overwrite.arg = arg mret = self.get_param_val(overwrite) val = val + str(mret or '') elif getfn == self.obj_vm.profile.get_symbol("param_get_string"): val = str(param.str.dereference_as("String", length = param.str.maxlen)) elif getfn == self.obj_vm.profile.get_symbol("param_get_charp"): addr = obj.Object("Pointer", offset = param.arg, vm = self.obj_vm) if addr == 0: val = "(null)" else: val = str(addr.dereference_as("String", length = 256)) elif getfn.v() in ints: val = obj.Object(ints[getfn.v()], offset = param.arg, vm = self.obj_vm) if getfn == self.obj_vm.profile.get_symbol("param_get_bool"): if val: val = 'Y' else: val = 'N' elif getfn == self.obj_vm.profile.get_symbol("param_get_invbool"): if val: val = 'N' else: val = 'Y' else: val = int(val) else: return None return val def get_params(self): if not 
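hasattr(self, "kp"):
            return ""

        params = ""
        # View self.kp as an array of num_kp kernel_param structures.
        param_array = obj.Object(theType = 'Array', offset = self.kp, vm = self.obj_vm, targetType = 'kernel_param', count = self.num_kp)

        for param in param_array:
            val = self.get_param_val(param)
            # Each parameter is rendered as "name=value " (trailing space included).
            params = params + "{0}={1} ".format(param.name.dereference_as("String", length = 255), val)

        return params

    def get_symbols(self):
        """Return the module's symbols as a list of (name, address) tuples.

        The symbol table is read as an array of elf64_sym (when the profile's
        'arch' metadata is 'x64') or elf32_sym entries, num_symtab + 1 long.
        For each entry, 64 bytes are read at strtab + st_name and cut at the
        first NUL byte. Entries whose name cannot be read or is empty are
        skipped.
        """
        ret_syms = []

        if self.obj_vm.profile.metadata.get('arch').lower() == 'x64':
            struct_name = "elf64_sym"
        else:
            struct_name = "elf32_sym"

        syms = obj.Object(theType = "Array", targetType = struct_name, offset = self.symtab, count = self.num_symtab + 1, vm = self.obj_vm)

        for sym_struct in syms:
            sym_name_addr = self.strtab + sym_struct.st_name

            sym_name = self.obj_vm.read(sym_name_addr, 64)
            if not sym_name:
                continue

            # find() instead of index(): index() raises ValueError when the
            # 64-byte window holds no NUL, which made the "!= -1" test below
            # meaningless and let one unterminated name in the memory image
            # abort the whole enumeration. With find(), such a name is kept
            # as the full 64-byte buffer.
            idx = sym_name.find("\x00")
            if idx != -1:
                sym_name = sym_name[:idx]

            if sym_name != "":
                ret_syms.append((str(sym_name), sym_struct.st_value.v()))

        return ret_syms

    def get_symbol_for_address(self, wanted_address):
        """Return the name of the first symbol whose address equals
        wanted_address, or None when no symbol matches."""
        ret = None

        for (sym_name, sym_addr) in self.get_symbols():
            if sym_addr == wanted_address:
                ret = sym_name
                break

        return ret

    def get_symbol(self, wanted_sym_name):
        """Return the address of the first symbol named wanted_sym_name, or
        None when no symbol matches."""
        ret = None

        for (sym_name, sym_addr) in self.get_symbols():
            if wanted_sym_name == sym_name:
                ret = sym_addr
                break

        return ret

    @property
    def symtab(self):
        """Symbol table pointer: taken from self.kallsyms when that attribute
        exists, otherwise from the structure's own 'symtab' member."""
        if hasattr(self, "kallsyms"):
            ret = self.kallsyms.symtab
        else:
            ret = self.m("symtab")

        return ret

    @property
    def num_symtab(self):
        """Symbol count as a plain value: taken from self.kallsyms when that
        attribute exists, otherwise from the 'num_symtab' member."""
        if hasattr(self, "kallsyms"):
            ret = self.kallsyms.num_symtab.v()
        else:
            ret = self.m("num_symtab").v()

        return ret

    def is_valid(self):
        """Sanity-check this module structure.

        Returns True only when all of the following hold:
          - state is 0, 1 or 2;
          - core_size and core_text_size are each between 1 and 1000000;
          - the 64 bytes read at the name field contain a NUL at index > 1;
          - every character before that NUL has a code strictly between 32
            and 127;
          - module_core.is_valid() is true.
        """
        valid = False

        if self.state.v() in [0, 1, 2] and \
                self.core_size >= 1 and self.core_size <= 1000000 and \
                self.core_text_size >= 1 and self.core_text_size <= 1000000:

            s = self.obj_vm.read(self.name.obj_offset, 64)
            if s:
                idx = s.find("\x00")

                # idx > 1 means the name is at least two characters long.
                if idx > 1:
                    good = True
                    name = s[:idx]
                    for n in name:
                        if not (32 < ord(n) < 127):
                            good = False
                            break

                    if good and self.module_core.is_valid():
                        valid = True

        return valid

class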
vm_area_struct(obj.CType):
    """Helper methods for vm_area_struct objects (one memory mapping of a task)."""

    def vm_name(self, task):
        """Return a display name for this mapping.

        File-backed mappings get the path from linux_common.get_path (an empty
        list result is turned into ""). Otherwise the mapping is labelled
        "[heap]", "[stack]" or "[vdso]" by comparing its bounds with the
        task's mm fields, and "Anonymous Mapping" if none of those match.
        """
        if self.vm_file:
            fname = linux_common.get_path(task, self.vm_file)
            if fname == []:
                fname = ""
        # The mapping covers the whole [start_brk, brk] range.
        elif self.vm_start <= task.mm.start_brk and self.vm_end >= task.mm.brk:
            fname = "[heap]"
        # The mapping contains the address stored in mm.start_stack.
        elif self.vm_start <= task.mm.start_stack and self.vm_end >= task.mm.start_stack:
            fname = "[stack]"
        # The context's vdso member is checked with hasattr before use.
        elif hasattr(self.vm_mm.context, "vdso") and self.vm_start == self.vm_mm.context.vdso:
            fname = "[vdso]"
        else:
            fname = "Anonymous Mapping"
        return fname

    # Bit mask -> flag name, used by _parse_perms to decode vm_flags.
    extended_flags = {
        0x00000001 : "VM_READ",
        0x00000002 : "VM_WRITE",
        0x00000004 : "VM_EXEC",
        0x00000008 : "VM_SHARED",
        0x00000010 : "VM_MAYREAD",
        0x00000020 : "VM_MAYWRITE",
        0x00000040 : "VM_MAYEXEC",
        0x00000080 : "VM_MAYSHARE",
        0x00000100 : "VM_GROWSDOWN",
        0x00000200 : "VM_NOHUGEPAGE",
        0x00000400 : "VM_PFNMAP",
        0x00000800 : "VM_DENYWRITE",
        0x00001000 : "VM_EXECUTABLE",
        0x00002000 : "VM_LOCKED",
        0x00004000 : "VM_IO",
        0x00008000 : "VM_SEQ_READ",
        0x00010000 : "VM_RAND_READ",
        0x00020000 : "VM_DONTCOPY",
        0x00040000 : "VM_DONTEXPAND",
        0x00080000 : "VM_RESERVED",
        0x00100000 : "VM_ACCOUNT",
        0x00200000 : "VM_NORESERVE",
        0x00400000 : "VM_HUGETLB",
        0x00800000 : "VM_NONLINEAR",
        0x01000000 : "VM_MAPPED_COP__VM_HUGEPAGE",
        0x02000000 : "VM_INSERTPAGE",
        0x04000000 : "VM_ALWAYSDUMP",
        0x08000000 : "VM_CAN_NONLINEAR",
        0x10000000 : "VM_MIXEDMAP",
        0x20000000 : "VM_SAO",
        0x40000000 : "VM_PFN_AT_MMAP",
        0x80000000 : "VM_MERGEABLE",
    }

    def _parse_perms(self, flags):
        """Return the names of all bits set in flags, joined with "|".

        Masks are visited in ascending numeric order, so the resulting string
        always lists flag names in that order. Returns "" when no known bit
        is set.
        """
        fstr = ""
        for mask in sorted(self.extended_flags.keys()):
            if flags & mask == mask:
                fstr = fstr + self.extended_flags[mask] + "|"
        # Drop the trailing separator left by the loop.
        if len(fstr) != 0:
            fstr = fstr[:-1]
        return fstr

    def protection(self):
        """Decode only the four lowest bits of vm_flags
        (VM_READ, VM_WRITE, VM_EXEC, VM_SHARED)."""
        return self._parse_perms(self.vm_flags.v() & 0b1111)

    def flags(self):
        """Decode every known bit of vm_flags."""
        return self._parse_perms(self.vm_flags.v())

    # used by malfind
    def is_suspicious(self):
        """Heuristic used to pick out mappings worth a closer look.

        Returns True in two cases:
          - the decoded protection string contains
            "VM_READ|VM_WRITE|VM_EXEC", i.e. the mapping is readable,
            writable and executable at once;
          - the decoded protection string is exactly "VM_READ|VM_EXEC" and
            the mapping has no backing file.
        Every other combination returns False, so a False result only means
        neither pattern was present; it is not evidence that the mapping is
        benign.
        """
        ret = False
        flags_str = self.protection()
        if flags_str.find("VM_READ|VM_WRITE|VM_EXEC") != -1:
            ret = True
        # Exact string comparison on the four low bits, not a substring test.
        elif flags_str == "VM_READ|VM_EXEC" and not self.vm_file:
            ret = True
        return ret

    def info(self,
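task):
        if self.vm_file:
            inode = self.vm_file.dentry.d_inode
            major, minor = inode.i_sb.major, inode.i_sb.minor
            ino = inode.i_ino
            # NOTE(review): the shift by 12 presumably assumes 4 KiB pages -- confirm.
            pgoff = self.vm_pgoff << 12
        else:
            # No backing file: report zeros for device, inode and offset.
            (major, minor, ino, pgoff) = [0] * 4

        fname = self.vm_name(task)

        # Anonymous mappings are reported with an empty name.
        if fname == "Anonymous Mapping":
            fname = ""

        return fname, major, minor, ino, pgoff

class task_struct(obj.CType):
    """Helper methods for task_struct objects."""

    def is_valid_task(self):
        """Return a truthy value when both the fs and files pointers are
        non-zero and, if the structure has a 'cred' member, cred.is_valid()
        also passes."""
        ret = self.fs.v() != 0 and self.files.v() != 0

        if ret and self.members.get("cred"):
            ret = self.cred.is_valid()

        return ret

    @property
    def comm(self):
        """The 'comm' member with every ESC byte (0x1b) replaced by the
        literal four characters backslash-x-1-b.

        The value comes straight from the memory image; escaping it
        presumably keeps terminal control sequences embedded in a process
        name from being interpreted when the name is printed.
        """
        c = self.m("comm")
        return c.replace("\x1b", "\\x1b")

    def getcwd(self):
        """Return the task's current working directory as computed by
        linux_common.do_get_path, or "" when that returns an empty list."""
        rdentry = self.fs.get_root_dentry()
        rmnt = self.fs.get_root_mnt()
        pdentry = self.fs.get_pwd_dentry()
        pmnt = self.fs.get_pwd_mnt()

        path = linux_common.do_get_path(rdentry, rmnt, pdentry, pmnt)

        if path == []:
            path = ""

        return path

    def get_elf(self, elf_addr):
        """Rebuild an ELF image from process memory.

        Reads the ELF header at elf_addr in the task's address space, rounds
        every PT_LOAD segment out to 4096-byte boundaries, and concatenates
        the zread() contents of those ranges in ascending address order.

        Returns "" when the process address space is unavailable or the
        header is not valid. Segments whose rounded size is negative or
        larger than 100000000 bytes are skipped, which bounds how much a
        corrupt or hostile header can make this method read.
        """
        sects = {}
        ret = ""

        proc_as = self.get_process_address_space()
        if proc_as == None:
            return ret

        elf_hdr = obj.Object("elf_hdr", offset = elf_addr, vm = proc_as)

        if not elf_hdr.is_valid():
            return ""

        for phdr in elf_hdr.program_headers():
            if str(phdr.p_type) != 'PT_LOAD':
                continue

            start = phdr.p_vaddr
            sz = phdr.p_memsz
            end = start + sz

            # Round start down and end up to a 4096-byte boundary.
            if start % 4096:
                start = start & ~0xfff

            if end % 4096:
                end = (end & ~0xfff) + 4096

            real_size = end - start

            if real_size < 0 or real_size > 100000000:
                continue

            sects[start] = real_size

        last_end = -1

        for start in sorted(sects.keys()):
            read_size = sects[start]

            # NOTE(review): last_end is never updated inside this loop, so
            # this check cannot trigger as written. The message previously
            # referenced an undefined name 'task'; it now uses self so that
            # the branch reports instead of raising NameError if it is ever
            # made reachable.
            if last_end != -1 and last_end != start + read_size:
                debug.error("busted LOAD segments in %s | %d -> %x != %x + %x" % (self.comm, self.pid, last_end, start, read_size))

            buf = proc_as.zread(start, read_size)

            ret = ret + buf

        return ret

    @property
    def uid(self):
        """The task's uid as a plain value.

        Uses the structure's own 'uid' member when it has one; otherwise
        reads cred.uid, unwrapping its 'val' attribute when present.
        """
        ret = self.members.get("uid")
        if ret is None:
            if hasattr(self.cred.uid, "val"):
                ret = self.cred.uid.val
            else:
                ret = self.cred.uid
        else:
            ret = self.m("uid")

        # Unwrap Volatility objects to their underlying value.
        if type(ret) in [obj.CType, obj.NativeType]:
            ret = ret.v()

        return ret

    @property
    def gid(self):
        ret = self.members.get("gid")
        if ret is None:
            gid =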
self.cred.gid if hasattr(gid, 'counter'): ret = obj.Object("int", offset = gid.v(), vm = self.obj_vm) elif hasattr(gid, "val"): ret = gid.val else: ret = gid else: ret = self.m("gid") if type(ret) == obj.CType: ret = ret.v() return ret @property def euid(self): ret = self.members.get("euid") if ret is None: ret = self.cred.euid else: ret = self.m("euid") if type(ret) == obj.CType: ret = ret.v() return ret def find_heap_vma(self): ret = None for vma in self.get_proc_maps(): # find the data section of bash if vma.vm_start <= self.mm.start_brk and vma.vm_end >= self.mm.brk: ret = vma break return ret def bash_hash_entries(self): nbuckets_offset = self.obj_vm.profile.get_obj_offset("_bash_hash_table", "nbuckets") heap_vma = self.find_heap_vma() if heap_vma == None: debug.debug("Unable to find heap for pid %d" % self.pid) return proc_as = self.get_process_address_space() if proc_as == None: return for off in self.search_process_memory(["\x40\x00\x00\x00"], heap_only=True): # test the number of buckets htable = obj.Object("_bash_hash_table", offset = off - nbuckets_offset, vm = proc_as) for ent in htable: yield ent off = off + 1 def ldrmodules(self): proc_maps = {} dl_maps = {} seen_starts = {} proc_as = self.get_process_address_space() if proc_as == None: return # get libraries from proc_maps for vma in self.get_proc_maps(): sig = proc_as.read(vma.vm_start, 4) if sig == "\x7fELF": flags = str(vma.vm_flags) if flags in ["rw-", "r--"]: continue fname = vma.vm_name(self) if fname == "[vdso]": continue start = vma.vm_start.v() proc_maps[start] = fname seen_starts[start] = 1 # get libraries from userland for so in self.get_libdl_maps(): if so.l_addr == 0x0 or len(str(so.l_name)) == 0: continue start = so.l_addr.v() dl_maps[start] = str(so.l_name) seen_starts[start] = 1 for start in seen_starts: vm_name = "" if start in proc_maps: pmaps = "True" vm_name = proc_maps[start] else: pmaps = "False" if start in dl_maps: dmaps = "True" # we prefer the name from proc_maps as it is 
within kernel memory if vm_name == "": vm_name = dl_maps[start] else: dmaps = "False" yield (start, vm_name, pmaps, dmaps) def plt_hook_info(self): elfs = dict() for elf, elf_start, elf_end, soname, needed in self.elfs(): elfs[(self, soname)] = (elf, elf_start, elf_end, needed) for k, v in elfs.iteritems(): task, soname = k elf, elf_start, elf_end, needed = v if elf._get_typename("hdr") == "elf32_hdr": elf_arch = 32 else: elf_arch = 64 needed_expanded = set([soname]) if (task, None) in elfs: needed_expanded.add(None) # jmp slot can point to ELF itself if the fn hasn't been called yet (RTLD_LAZY) # can point to main binary (None above) if this is a plugin-style symbol while len(needed) > 0: dep = needed.pop(0) needed_expanded.add(dep) try: needed += set(elfs[(task, dep)][3]) - needed_expanded except KeyError: needed_expanded.remove(dep) for reloc in elf.relocations(): rsym = elf.relocation_symbol(reloc) if rsym == None: continue symbol_name = elf.symbol_name(rsym) if symbol_name == None: symbol_name = "" offset = reloc.r_offset if offset < elf_start: offset = elf_start + offset if elf_arch == 32: addr = obj.Object("unsigned int", offset = offset, vm = elf.obj_vm) else: addr = obj.Object("unsigned long long", offset = offset, vm = elf.obj_vm) match = False for dep in needed_expanded: _, dep_start, dep_end, _ = elfs[(task, dep)] if addr >= dep_start and addr < dep_end: match = dep hookdesc = '' vma = None for i in task.get_proc_maps(): if addr >= i.vm_start and addr < i.vm_end: vma = i break if vma: if vma.vm_file: hookdesc = linux_common.get_path(task, vma.vm_file) else: hookdesc = '[{0:x}:{1:x},{2}]'.format(vma.vm_start, vma.vm_end, vma.vm_flags) if hookdesc == "": hookdesc = 'invalid memory' if match != False: if match == soname: hookdesc = '[RTLD_LAZY]' hooked = False else: hooked = True yield soname, elf, elf_start, elf_end, addr, symbol_name, hookdesc, hooked def _is_api_hooked(self, sym_addr, proc_as): hook_type = None addr = None counter = 1 prev_op = None if 
self.obj_vm.profile.metadata.get('memory_model', '32bit') == '32bit': mode = distorm3.Decode32Bits else: mode = distorm3.Decode64Bits data = proc_as.read(sym_addr, 24) for op in distorm3.Decompose(sym_addr, data, mode): if not op or not op.valid: continue if op.mnemonic == "JMP": hook_type = "JMP" addr = 0 # default in case we cannot extract # check for a mov reg, addr; jmp reg; if prev_op and prev_op.mnemonic == "MOV" and prev_op.operands[0].type == 'Register' and op.operands[0].type == 'Register': prev_name = prev_op.operands[0].name # same register if prev_name == op.operands[0].name: addr = prev_op.operands[1].value else: addr = op.operands[0].value elif op.mnemonic == "CALL": hook_type = "CALL" addr = op.operands[0].value # push xxxx; ret; elif counter == 2 and op.mnemonic == "RET": if prev_op.mnemonic == "MOV" and prev_op.operands[0].type == 'Register' and prev_op.operands[0].name in ["RAX", "EAX"]: break elif prev_op.mnemonic == "XOR" and prev_op.operands[0].type == 'Register' and prev_op.operands[1].type == 'Register': break elif prev_op.mnemonic == "MOV" and prev_op.operands[0].type == 'Register' and prev_op.operands[1].type == 'Register': break hook_type = "RET" addr = sym_addr if hook_type: break counter = counter + 1 if counter == 4: break prev_op = op if hook_type and addr: ret = hook_type, addr else: ret = None return ret def _get_hooked_name(self, addr): hook_vma = None hookdesc = "" for i in self.get_proc_maps(): if addr >= i.vm_start and addr < i.vm_end: hook_vma = i break if hook_vma: if hook_vma.vm_file: hookdesc = linux_common.get_path(self, hook_vma.vm_file) else: hookdesc = '[{0:x}:{1:x},{2}]'.format(hook_vma.vm_start, hook_vma.vm_end, hook_vma.vm_flags) return (hook_vma, hookdesc) def apihook_info(self): for soname, elf, elf_start, elf_end, addr, symbol_name, _, plt_hooked in self.plt_hook_info(): is_hooked = self._is_api_hooked(addr, elf.obj_vm) if is_hooked: hook_type, hook_addr = is_hooked else: continue (hook_vma, hookdesc) = 
self._get_hooked_name(addr) (hook_func_vma, hookfuncdesc) = self._get_hooked_name(hook_addr) if not hook_vma or not hook_func_vma or hook_vma.vm_start != hook_func_vma.vm_start: yield hookdesc, symbol_name, addr, hook_type, hook_addr, hookfuncdesc def bash_history_entries(self): proc_as = self.get_process_address_space() if not proc_as: return # Keep a bucket of history objects so we can order them history_entries = [] # Brute force the history list of an address isn't provided ts_offset = proc_as.profile.get_obj_offset("_hist_entry", "timestamp") # Are we dealing with 32 or 64-bit pointers if proc_as.profile.metadata.get('memory_model', '32bit') == '32bit': pack_format = "I" else: pack_format = "Q" bang_addrs = [] # Look for strings that begin with pound/hash on the process heap for ptr_hash in self.search_process_memory(["#"], heap_only = True): # Find pointers to this strings address, also on the heap bang_addrs.append(struct.pack(pack_format, ptr_hash)) for (idx, ptr_string) in enumerate(self.search_process_memory(bang_addrs, heap_only = True)): # Check if we found a valid history entry object hist = obj.Object("_hist_entry", offset = ptr_string - ts_offset, vm = proc_as) if hist.is_valid(): history_entries.append(hist) # Report everything we found in order for hist in sorted(history_entries, key = attrgetter('time_as_integer')): yield hist def _dynamic_env(self, proc_as, pack_format, addr_sz): for vma in self.get_proc_maps(): if not (vma.vm_file and str(vma.vm_flags) == "rw-"): continue fname = vma.info(self)[0] if fname.find("ld") == -1 and fname != "/bin/bash": continue env_start = 0 for off in range(vma.vm_start, vma.vm_end): # check the first index addrstr = proc_as.read(off, addr_sz) if not addrstr or len(addrstr) != addr_sz: continue addr = struct.unpack(pack_format, addrstr)[0] # check first idx... 
if addr: firstaddrstr = proc_as.read(addr, addr_sz) if not firstaddrstr or len(firstaddrstr) != addr_sz: continue firstaddr = struct.unpack(pack_format, firstaddrstr)[0] buf = proc_as.read(firstaddr, 64) if not buf: continue eqidx = buf.find("=") if eqidx > 0: nullidx = buf.find("\x00") # single char name, = if nullidx >= eqidx: env_start = addr if env_start == 0: continue envars = obj.Object(theType="Array", targetType="Pointer", vm=proc_as, offset=env_start, count=256) for var in envars: if var: sizes = [8, 16, 32, 64, 128, 256, 384, 512, 1024, 2048, 4096] good_varstr = None for size in sizes: varstr = proc_as.read(var, size) if not varstr: continue eqidx = varstr.find("=") idx = varstr.find("\x00") if idx == -1 or eqidx == -1 or idx < eqidx: continue good_varstr = varstr break if good_varstr: good_varstr = good_varstr[:idx] key = good_varstr[:eqidx] val = good_varstr[eqidx+1:] yield (key, val) else: break def _shell_variables(self, proc_as, pack_format, addr_sz): bash_was_last = False for vma in self.get_proc_maps(): if vma.vm_file: fname = vma.info(self)[0] if fname.endswith("/bin/bash"): bash_was_last = True else: bash_was_last = False # we are looking for the bss of bash if vma.vm_file or str(vma.vm_flags) != "rw-": continue # we are looking for the bss of bash if bash_was_last == False: continue nbuckets_offset = self.obj_vm.profile.get_obj_offset("_bash_hash_table", "nbuckets") for off in range(vma.vm_start, vma.vm_end, 4): ptr_test = proc_as.read(off, addr_sz) if not ptr_test: continue ptr = struct.unpack(pack_format, ptr_test)[0] ptr_test2 = proc_as.read(ptr + 20, addr_sz) if not ptr_test2: continue ptr2 = struct.unpack(pack_format, ptr_test2)[0] test = proc_as.read(ptr2 + 4, 4) if not test or test != "\x40\x00\x00\x00": continue htable = obj.Object("_bash_hash_table", offset = ptr2, vm = proc_as) for ent in htable: key = str(ent.key.dereference()) val = str(ent.data.dereference_as("_envdata").value.dereference()) yield key, val bash_was_last = False def 
bash_environment(self): proc_as = self.get_process_address_space() # In cases when mm is an invalid pointer if not proc_as: return # Are we dealing with 32 or 64-bit pointers if self.obj_vm.profile.metadata.get('memory_model', '32bit') == '32bit': pack_format = " 500000: return for i in range(max_fds): if fds[i]: filp = obj.Object('file', offset = fds[i], vm = self.obj_vm) yield filp, i # has to get the struct socket given an inode (see SOCKET_I in sock.h) def SOCKET_I(self, inode): # if too many of these, write a container_of backsize = self.obj_vm.profile.get_obj_size("socket") addr = inode - backsize return obj.Object('socket', offset = addr, vm = self.obj_vm) def netstat(self): sfop = self.obj_vm.profile.get_symbol("socket_file_ops") dfop = self.obj_vm.profile.get_symbol("sockfs_dentry_operations") for (filp, fdnum) in self.lsof(): if filp.f_op == sfop or filp.dentry.d_op == dfop: iaddr = filp.dentry.d_inode skt = self.SOCKET_I(iaddr) inet_sock = obj.Object("inet_sock", offset = skt.sk, vm = self.obj_vm) if inet_sock.protocol in ("TCP", "UDP", "IP", "HOPOPT"): #hopopt is where unix sockets end up on linux state = inet_sock.state if inet_sock.protocol == "TCP" else "" family = inet_sock.sk.__sk_common.skc_family #pylint: disable-msg=W0212 if family == 1: # AF_UNIX unix_sock = obj.Object("unix_sock", offset = inet_sock.sk.v(), vm = self.obj_vm) if unix_sock.addr: name_obj = obj.Object("sockaddr_un", offset = unix_sock.addr.name.obj_offset, vm = self.obj_vm) name = str(name_obj.sun_path) else: name = "" yield (1, (name, iaddr.i_ino)) elif family in (socket.AF_INET, socket.AF_INET6, 10, 30): sport = inet_sock.src_port dport = inet_sock.dst_port saddr = inet_sock.src_addr daddr = inet_sock.dst_addr yield (socket.AF_INET, (inet_sock, inet_sock.protocol, saddr, sport, daddr, dport, state)) def get_process_address_space(self): ## If we've got a NoneObject, return it maintain the reason if not self.mm: return self.mm if self.mm.pgd.v() == None: return self.mm.pgd.v() 
directory_table_base = self.obj_vm.vtop(self.mm.pgd.v()) try: process_as = self.obj_vm.__class__( self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base) except AssertionError, _e: return obj.NoneObject("Unable to get process AS") process_as.name = "Process {0}".format(self.pid) return process_as def get_libdl_maps(self): proc_as = self.get_process_address_space() if proc_as == None: return found_list = False for vma in self.get_proc_maps(): # find the executable part of libdl ehdr = obj.Object("elf_hdr", offset = vma.vm_start, vm = proc_as) if not ehdr or not ehdr.is_valid(): continue for phdr in ehdr.program_headers(): if str(phdr.p_type) != 'PT_DYNAMIC': continue for dsec in phdr.dynamic_sections(): # link_map is stored at the second GOT entry if dsec.d_tag == 3: # DT_PLTGOT seen_ents = {} got_start = dsec.d_ptr # size_cache tells us if we are a 32 or 64 bit ELF file link_map_addr = obj.Object("Pointer", offset = got_start + (dsec.size_cache / 8), vm = proc_as) link_map = obj.Object("elf_link_map", offset = link_map_addr, vm = proc_as, parent = dsec) for ent in link_map: if ent.obj_offset in seen_ents: continue found_list = True yield ent seen_ents[ent.obj_offset] = 1 if found_list: break def threads(self): thread_offset = self.obj_vm.profile.get_obj_offset("task_struct", "thread_group") threads = [self] x = obj.Object('task_struct', self.thread_group.next.v() - thread_offset, self.obj_vm) while x not in threads and x.is_valid() and x.thread_group.is_valid() and x.thread_group.next.is_valid(): threads.append(x) x = obj.Object('task_struct', x.thread_group.next.v() - thread_offset, self.obj_vm) return threads def get_proc_maps(self): if not self.mm: return seen = {} for vma in linux_common.walk_internal_list("vm_area_struct", "vm_next", self.mm.mmap): val = vma.v() if val in seen: break yield vma seen[val] = 1 def _walk_rb(self, rb): if not rb.is_valid(): return # container_of rboff = self.obj_vm.profile.get_obj_offset("vm_area_struct", "vm_rb") 
vma = obj.Object("vm_area_struct", offset = rb - rboff, vm = self.obj_vm) yield vma for vma in self._walk_rb(rb.rb_left): yield vma for vma in self._walk_rb(rb.rb_right): yield vma # based on find_vma in mm/mmap.c def get_proc_maps_rb(self): vmas = {} rb = self.mm.mm_rb.rb_node for vma in self._walk_rb(rb): vmas[vma.vm_start] = vma for key in sorted(vmas.iterkeys()): yield vmas[key] def search_process_memory(self, s, heap_only = False): # Allow for some overlap in case objects are # right on page boundaries overlap = 1024 # Make sure s in a list. This allows you to search for # multiple strings at once, without changing the API. if type(s) != list: debug.warning("Single strings to search_process_memory is deprecated, use a list instead") s = [s] scan_blk_sz = 1024 * 1024 * 10 addr_space = self.get_process_address_space() if addr_space == None: return for vma in self.get_proc_maps(): if heap_only: if not (vma.vm_start <= self.mm.start_brk and vma.vm_end >= self.mm.brk): continue offset = vma.vm_start out_of_range = vma.vm_start + (vma.vm_end - vma.vm_start) while offset < out_of_range: # Read some data and match it. 
to_read = min(scan_blk_sz + overlap, out_of_range - offset) data = addr_space.zread(offset, to_read) if not data: break for x in s: for hit in utils.iterfind(data, x): yield offset + hit offset += min(to_read, scan_blk_sz) def elfs(self): proc_as = self.get_process_address_space() if proc_as == None: return for vma in self.get_proc_maps(): elf = obj.Object("elf_hdr", offset = vma.vm_start, vm = proc_as) if not elf.is_valid(): continue pt_loads = [] dt_soname = None dt_strtab = None dt_needed = [] #### Walk pt_load and gather ranges for phdr in elf.program_headers(): if not phdr.is_valid(): continue if str(phdr.p_type) == 'PT_LOAD': pt_loads.append((phdr.p_vaddr, phdr.p_vaddr + phdr.p_memsz)) if str(phdr.p_type) != 'PT_DYNAMIC': continue for dsec in phdr.dynamic_sections(): if dsec.d_tag == 5: dt_strtab = dsec.d_ptr elif dsec.d_tag == 14: dt_soname = dsec.d_ptr elif dsec.d_tag == 1: dt_needed.append(dsec.d_ptr) break if dt_strtab == None or dt_needed == []: continue needed = [] for n_idx in dt_needed: buf = proc_as.read(dt_strtab + n_idx, 256) if buf: idx = buf.find("\x00") if idx != -1: buf = buf[:idx] if len(buf) > 0: needed.append(buf) soname = "" if dt_soname: soname = proc_as.read(dt_strtab + dt_soname, 256) if soname: idx = soname.find("\x00") if idx != -1: soname = soname[:idx] if not soname or len(soname) == 0: soname = linux_common.get_path(self, vma.vm_file) if pt_loads: (elf_start, elf_end) = (min(s[0] for s in pt_loads), max(s[1] for s in pt_loads)) else: continue # TODO - test diff without setting soname of vma if soname or needed: yield elf, elf_start, elf_end, soname, needed def ACTHZ(self, CLOCK_TICK_RATE, HZ): LATCH = ((CLOCK_TICK_RATE + HZ/2) / HZ) return self.SH_DIV(CLOCK_TICK_RATE, LATCH, 8) def SH_DIV(self, NOM, DEN, LSH): return ((NOM / DEN) << LSH) + (((NOM % DEN) << LSH) + DEN / 2) / DEN def TICK_NSEC(self): HZ = 1000 CLOCK_TICK_RATE = 1193182 return self.SH_DIV(1000000 * 1000, self.ACTHZ(CLOCK_TICK_RATE, HZ), 8) # based on 2.6.35 getboottime 
def get_boot_time(self): (wall, timeo) = linux_common.get_time_vars(self.obj_vm) if wall == None or timeo == None: return -1 secs = wall.tv_sec + timeo.tv_sec nsecs = wall.tv_nsec + timeo.tv_nsec secs = secs * -1 nsecs = nsecs * -1 while nsecs >= linux_common.nsecs_per: nsecs = nsecs - linux_common.nsecs_per secs = secs + 1 while nsecs < 0: nsecs = nsecs + linux_common.nsecs_per secs = secs - 1 boot_time = secs + (nsecs / linux_common.nsecs_per / 100) return boot_time def get_task_start_time(self): if hasattr(self, "real_start_time"): start_time = self.real_start_time else: start_time = self.start_time if type(start_time) == volatility.obj.NativeType and type(start_time.v()) == long: start_time = linux_common.vol_timespec(start_time.v() / 0x989680 / 100, 0) start_secs = start_time.tv_sec + (start_time.tv_nsec / linux_common.nsecs_per / 100) boot_time = self.get_boot_time() if boot_time != -1: sec = boot_time + start_secs # convert the integer as little endian try: data = struct.pack(" 1 and env[-1] == " ": env = env[:-1] return env def get_commandline(self): if self.mm: # set the as with our new dtb so we can read from userland proc_as = self.get_process_address_space() if proc_as == None: return "" # read argv from userland start = self.mm.arg_start.v() size_to_read = self.mm.arg_end - self.mm.arg_start if size_to_read < 1 or size_to_read > 4096: name = "" else: argv = proc_as.read(start, size_to_read) if argv: # split the \x00 buffer into args name = " ".join(argv.split("\x00")) else: name = "" else: # kernel thread name = "[" + self.comm + "]" if len(name) > 1 and name[-1] == " ": name = name[:-1] return name class linux_fs_struct(obj.CType): def get_root_dentry(self): # < 2.6.26 if hasattr(self, "rootmnt"): ret = self.root else: ret = self.root.dentry return ret def get_root_mnt(self): # < 2.6.26 if hasattr(self, "rootmnt"): ret = self.rootmnt else: ret = self.root.mnt return ret def get_pwd_dentry(self): # < 2.6.26 if hasattr(self, "pwdmnt"): ret = self.pwd 
else: ret = self.pwd.dentry return ret def get_pwd_mnt(self): # < 2.6.26 if hasattr(self, "pwdmnt"): ret = self.pwdmnt else: ret = self.pwd.mnt return ret class super_block(obj.CType): @property def major(self): return self.s_dev >> 20 @property def minor(self): return self.s_dev & ((1 << 20) - 1) class inode(obj.CType): def is_dir(self): """Mimic the S_ISDIR macro""" return self.i_mode & linux_flags.S_IFMT == linux_flags.S_IFDIR def is_reg(self): """Mimic the S_ISREG macro""" return self.i_mode & linux_flags.S_IFMT == linux_flags.S_IFREG class timespec(obj.CType): def as_timestamp(self): time_val = struct.pack(" # Mike Auty # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# """ This file defines some basic types which might be useful for many OS's """ import struct, socket, datetime import volatility.obj as obj import volatility.debug as debug #pylint: disable-msg=W0611 import volatility.constants as constants import volatility.plugins.overlays.native_types as native_types import volatility.utils as utils import volatility.timefmt as timefmt import encodings.utf_16 class String(obj.BaseObject): """Class for dealing with Strings""" def __init__(self, theType, offset, vm = None, encoding = 'ascii', length = 1, parent = None, profile = None, **kwargs): ## Allow length to be a callable: if callable(length): length = length(parent) self.length = length self.encoding = encoding ## length must be an integer obj.BaseObject.__init__(self, theType, offset, vm, parent = parent, profile = profile, **kwargs) def proxied(self, name): #pylint: disable-msg=W0613 """ Return an object to be proxied """ return self.__str__() def v(self): """ Use zread to help emulate reading null-terminated C strings across page boundaries. @returns: If all bytes are available, return the full string as a raw byte buffer. If the end of the string is in a page that isn't available, return as much of the string as possible, padded with nulls to the string's length. If the string length is 0, vtop() fails, or the physical addr of the string is not valid, return NoneObject. Note: to get a null terminated string, use the __str__ method. """ result = self.obj_vm.zread(self.obj_offset, self.length) if not result: return obj.NoneObject("Cannot read string length {0} at {1:#x}".format(self.length, self.obj_offset)) return result def __len__(self): """This returns the length of the string""" return len(unicode(self)) def __str__(self): """ This function ensures that we always return a string from the __str__ method. Any unusual/unicode characters in the input are replaced with ?. 
Note: this effectively masks the NoneObject alert from .v() """ return unicode(self).encode('ascii', 'replace') or "" def __unicode__(self): """ This function returns the unicode encoding of the data retrieved by .v() Any unusual characters in the input are replaced with \ufffd. """ return self.v().decode(self.encoding, 'replace').split("\x00", 1)[0] or u'' def __format__(self, formatspec): return format(self.__str__(), formatspec) def __cmp__(self, other): if str(self) == other: return 0 return -1 if str(self) < other else 1 def __add__(self, other): """Set up mappings for concat""" return str(self) + other def __radd__(self, other): """Set up mappings for reverse concat""" return other + str(self) class Flags(obj.NativeType): """ This object decodes each flag into a string """ ## This dictionary maps each bit to a String bitmap = None ## This dictionary maps a string mask name to a bit range ## consisting of a list of start, width bits maskmap = None def __init__(self, theType = None, offset = 0, vm = None, parent = None, bitmap = None, maskmap = None, target = "unsigned long", **kwargs): self.bitmap = bitmap or {} self.maskmap = maskmap or {} self.target = target self.target_obj = obj.Object(target, offset = offset, vm = vm, parent = parent) obj.NativeType.__init__(self, theType, offset, vm, parent, **kwargs) def v(self): return self.target_obj.v() def __str__(self): result = [] value = self.v() keys = self.bitmap.keys() keys.sort() for k in keys: if value & (1 << self.bitmap[k]): result.append(k) return ', '.join(result) def __format__(self, formatspec): return format(self.__str__(), formatspec) def __getattr__(self, attr): maprange = self.maskmap.get(attr) if not maprange: return obj.NoneObject("Mask {0} not known".format(attr)) bits = 2 ** maprange[1] - 1 mask = bits << maprange[0] return self.v() & mask class IpAddress(obj.NativeType): """Provides proper output for IpAddress objects""" def __init__(self, theType, offset, vm, **kwargs): 
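obj.NativeType.__init__(self, theType, offset, vm, format_string = "4s", **kwargs) def v(self): return utils.inet_ntop(socket.AF_INET, obj.NativeType.v(self))

class Ipv6Address(obj.NativeType):
    """Native type that renders a 16-byte field as an IPv6 address string."""

    def __init__(self, theType, offset, vm, **kwargs):
        # "16s" makes the underlying NativeType read the 16 raw address bytes.
        obj.NativeType.__init__(self, theType, offset, vm, format_string = "16s", **kwargs)

    def v(self):
        """Return the raw bytes passed through utils.inet_ntop for AF_INET6."""
        return utils.inet_ntop(socket.AF_INET6, obj.NativeType.v(self))


class Enumeration(obj.NativeType):
    """Native type whose raw value is displayed through a lookup table.

    choices maps raw values to display names; target names the native type
    used to read the raw value (default "unsigned long").
    """

    def __init__(self, theType = None, offset = 0, vm = None, parent = None,
                 choices = None, target = "unsigned long", **kwargs):
        # A fresh dict is created per instance when no choices are supplied.
        self.choices = choices or {}
        self.target = target
        # The raw value is read through a separate object of the target type.
        self.target_obj = obj.Object(target, offset = offset, vm = vm, parent = parent)
        obj.NativeType.__init__(self, theType, offset, vm, parent, **kwargs)

    def v(self):
        """Return the raw value as read through the target object."""
        return self.target_obj.v()

    def __str__(self):
        """Return the name mapped to the raw value, or 'Unknown choice <value>'."""
        value = self.v()
        if value in self.choices.keys():
            return self.choices[value]
        return 'Unknown choice ' + str(value)

    def __format__(self, formatspec):
        """Apply formatspec to the string form rather than to the raw value."""
        return format(self.__str__(), formatspec)


class VOLATILITY_MAGIC(obj.CType):
    """Class representing a VOLATILITY_MAGIC namespace

    Needed to ensure that the address space is not verified as valid for constants
    """

    def __init__(self, theType, offset, vm, **kwargs):
        try:
            obj.CType.__init__(self, theType, offset, vm, **kwargs)
        except obj.InvalidOffsetError:
            # The exception will be raised before this point,
            # so we must finish off the CType's __init__ ourselves
            # NOTE(review): inside this class body the name below is mangled to
            # _VOLATILITY_MAGIC__initialized, not _CType__initialized -- confirm
            # that this is the attribute obj.CType actually looks at.
            self.__initialized = True


class VolatilityDTB(obj.VolatilityMagic):
    """Magic value that proposes candidate DTBs by scanning for the Idle process."""

    def generate_suggestions(self):
        """Yield DirectoryTableBase values of 'Idle' _EPROCESS candidates.

        The address space is read in constants.SCAN_BLOCKSIZE blocks from
        offset 0 up to the end of the highest available range. Every hit on
        the parent's DTBSignature is instantiated as an _EPROCESS, and its
        DTB is yielded when ImageFileName contains 'Idle'.

        Each value is only a candidate: both the signature and the image name
        are read from the image under analysis, so a suggestion should be
        validated by the caller before it is trusted.

        Limitation: blocks are searched independently, so a signature that
        straddles two reads is not matched.
        """
        ranges = list(self.obj_vm.get_available_addresses())
        if not ranges:
            # An address space with no available ranges has nothing to scan;
            # end the generator instead of failing with IndexError below.
            return
        last_range_start, last_range_size = max(ranges)
        max_offset = last_range_start + last_range_size

        offset = 0
        data = self.obj_vm.zread(offset, constants.SCAN_BLOCKSIZE)
        while data:
            # The signature does not change within a block, so build it once.
            signature = str(self.obj_parent.DTBSignature)
            found = data.find(signature, 0)
            while found >= 0:
                proc = obj.Object("_EPROCESS", offset = offset + found, vm = self.obj_vm)
                if 'Idle' in proc.ImageFileName.v():
                    yield proc.Pcb.DirectoryTableBase.v()
                found = data.find(signature, found + 1)

            offset += len(data)
            if offset >= max_offset:
                break
            data = self.obj_vm.zread(offset, constants.SCAN_BLOCKSIZE)


class UnixTimeStamp(obj.NativeType):
    """Class for handling Unix Time Stamps"""

    def __init__(self, theType, offset, vm, is_utc = False, **kwargs):
        # is_utc controls whether as_datetime() attaches a UTC tzinfo.
        self.is_utc = is_utc
        obj.NativeType.__init__(self, theType, offset, vm, format_string = "I", **kwargs)

    def v(self):
        """Return the raw value as read by NativeType."""
        return obj.NativeType.v(self)

    def __nonzero__(self):
        # A zero timestamp is treated as "not set".
        return self.v() != 0

    def __str__(self):
        # Delegates to __format__ with an empty format spec.
        return "{0}".format(self)

    def as_datetime(self):
        """Return the value as a datetime, or an obj.NoneObject on failure.

        Only ValueError from the conversion is turned into a NoneObject.
        NOTE(review): whether v() can return a non-integer here (for example
        for an unreadable offset) is not visible in this block; that case
        would not raise ValueError -- confirm against obj.NativeType.
        """
        try:
            dt = datetime.datetime.utcfromtimestamp(self.v())
            if self.is_utc:
                # Only do dt.replace when dealing with UTC
                dt = dt.replace(tzinfo = timefmt.UTC())
        except ValueError as e:
            return obj.NoneObject("Datetime conversion failure: " + str(e))
        return dt

    def __format__(self, formatspec):
        """Formats the datetime according to the timefmt module"""
        dt = self.as_datetime()
        # `!=` rather than `is not`: the failure path returns obj.NoneObject,
        # not None; presumably NoneObject compares equal to None -- confirm
        # before changing this comparison.
        if dt != None:
            return format(timefmt.display_datetime(dt), formatspec)
        return "-"


class VolatilityMaxAddress(obj.VolatilityMagic): """The maximum address of a profile's underlying AS. On x86 this is 0xFFFFFFFF (2 ** 32) - 1 On x64 this is 0xFFFFFFFFFFFFFFFF (2 ** 64) - 1 We use a VolatilityMagic to calculate this based on the size of an address, since that's something we can already rely on being set properly for the AS. 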
""" def generate_suggestions(self): yield 2 ** (self.obj_vm.profile.get_obj_size("address") * 8) - 1 class BasicObjectClasses(obj.ProfileModification): def modification(self, profile): profile.object_classes.update({ 'String': String, 'Flags': Flags, 'Enumeration': Enumeration, 'VOLATILITY_MAGIC': VOLATILITY_MAGIC, 'VolatilityDTB': VolatilityDTB, 'UnixTimeStamp': UnixTimeStamp, 'VolatilityMaxAddress': VolatilityMaxAddress, }) profile.merge_overlay({'VOLATILITY_MAGIC': [None, { 'MaxAddress': [0x0, ['VolatilityMaxAddress']], }]}) ### DEPRECATED FEATURES ### # # These are due from removal after version 2.2, # please do not rely upon them x86_native_types_32bit = native_types.x86_native_types x86_native_types_64bit = native_types.x64_native_types volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/0000755000000000000000000000000013131215405024354 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win10_x64_DD08DD42_vtypes.py0000644000000000000000000275617113131215405031117 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x708, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned 
long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'NtBuildNumber' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'BootId' : [ 0x2c4, ['unsigned long']], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned 
char']], 'VirtualizationFlags' : [ 0x2ed, ['unsigned char']], 'Reserved12' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgMultiSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgMultiUsersInSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCall' : [ 0x308, ['unsigned long']], 'SystemCallPad0' : [ 0x30c, ['unsigned long']], 'SystemCallPad' : [ 0x310, ['array', 2, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, 
['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrementShift' : [ 0x368, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x369, ['unsigned char']], 'UnparkedProcessorCount' : [ 0x36a, ['unsigned short']], 'EnclaveFeatureMask' : [ 0x36c, ['array', 4, ['unsigned long']]], 'Reserved8' : [ 0x37c, ['unsigned long']], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1080' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1080']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1098' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109a' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_1098']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_109a']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TEB' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['pointer64', ['void']]]], 'SystemReserved1' : [ 0x190, ['array', 37, ['pointer64', ['void']]]], 'WorkingOnBehalfTicket' : [ 0x2b8, ['array', 8, ['unsigned char']]], 'ExceptionCode' 
: [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, 
['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'PerflibData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 
'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, 
['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], 'ReservedForWdf' : [ 0x1818, ['pointer64', ['void']]], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0x18, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'CurEntry' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned 
short']], 'Buffer' : [ 0x8, ['pointer64', ['wchar']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '__unnamed_110a' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_110a']], 'QuadPart' : [ 0x0, ['long long']], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_RB_TREE' : [ 0x10, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_RTL_BALANCED_NODE' : [ 0x18, { 'Children' : [ 0x0, ['array', 2, ['pointer64', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, 
['pointer64', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x10, ['unsigned long long']], } ], '_RTL_AVL_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x6a80, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 
0x6900, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'ClockOwner' : [ 0x21, ['unsigned char']], 'PendingTickFlags' : [ 0x22, ['unsigned char']], 'PendingTick' : [ 0x22, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x22, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IdleState' : [ 0x23, ['unsigned char']], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PriorityState' : [ 0x38, ['pointer64', ['unsigned char']]], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ParentNode' : [ 0x640, ['pointer64', ['_KNODE']]], 'GroupSetMember' : [ 0x648, ['unsigned long long']], 'Group' : [ 0x650, ['unsigned char']], 'GroupIndex' : [ 0x651, ['unsigned char']], 'PrcbPad05' : [ 0x652, ['array', 2, ['unsigned char']]], 'InitialApicId' : [ 0x654, ['unsigned long']], 'ScbOffset' : [ 0x658, ['unsigned long']], 'ApicMask' : [ 0x65c, ['unsigned 
long']], 'AcpiReserved' : [ 0x660, ['pointer64', ['void']]], 'CFlushSize' : [ 0x668, ['unsigned long']], 'PrcbPad10' : [ 0x66c, ['unsigned long']], 'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x2080, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PrcbPad20' : [ 0x2c80, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2c88, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2c90, ['long']], 'MmCopyOnWriteCount' : [ 0x2c94, ['long']], 'MmTransitionCount' : [ 0x2c98, ['long']], 'MmDemandZeroCount' : [ 0x2c9c, ['long']], 'MmPageReadCount' : [ 0x2ca0, ['long']], 'MmPageReadIoCount' : [ 0x2ca4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x2ca8, ['long']], 'MmDirtyWriteIoCount' : [ 0x2cac, ['long']], 'MmMappedPagesWriteCount' : [ 0x2cb0, ['long']], 'MmMappedWriteIoCount' : [ 0x2cb4, ['long']], 'KeSystemCalls' : [ 0x2cb8, ['unsigned long']], 'KeContextSwitches' : [ 0x2cbc, ['unsigned long']], 'LdtSelector' : [ 0x2cc0, ['unsigned short']], 'PrcbPad40' : [ 0x2cc2, ['unsigned short']], 'CcFastReadNoWait' : [ 0x2cc4, ['unsigned long']], 'CcFastReadWait' : [ 0x2cc8, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x2ccc, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x2cd0, ['unsigned long']], 'CcCopyReadWait' : [ 0x2cd4, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x2cd8, ['unsigned long']], 'IoReadOperationCount' : [ 0x2cdc, ['long']], 'IoWriteOperationCount' : [ 0x2ce0, ['long']], 'IoOtherOperationCount' : [ 0x2ce4, ['long']], 'IoReadTransferCount' : [ 0x2ce8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x2cf0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x2cf8, ['_LARGE_INTEGER']], 'PacketBarrier' : [ 0x2d00, ['long']], 'TargetCount' : [ 0x2d04, ['long']], 'IpiFrozen' : [ 0x2d08, ['unsigned 
long']], 'IsrDpcStats' : [ 0x2d10, ['pointer64', ['void']]], 'DeviceInterrupts' : [ 0x2d18, ['unsigned long']], 'LookasideIrpFloat' : [ 0x2d1c, ['long']], 'InterruptLastCount' : [ 0x2d20, ['unsigned long']], 'InterruptRate' : [ 0x2d24, ['unsigned long']], 'LastNonHrTimerExpiration' : [ 0x2d28, ['unsigned long long']], 'PrcbPad41' : [ 0x2d30, ['array', 20, ['unsigned long']]], 'DpcData' : [ 0x2d80, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2dd0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2dd8, ['long']], 'DpcRequestRate' : [ 0x2ddc, ['unsigned long']], 'MinimumDpcRate' : [ 0x2de0, ['unsigned long']], 'DpcLastCount' : [ 0x2de4, ['unsigned long']], 'ThreadDpcEnable' : [ 0x2de8, ['unsigned char']], 'QuantumEnd' : [ 0x2de9, ['unsigned char']], 'DpcRoutineActive' : [ 0x2dea, ['unsigned char']], 'IdleSchedule' : [ 0x2deb, ['unsigned char']], 'DpcRequestSummary' : [ 0x2dec, ['long']], 'DpcRequestSlot' : [ 0x2dec, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x2dec, ['short']], 'ThreadDpcState' : [ 0x2dee, ['short']], 'DpcNormalProcessingActive' : [ 0x2dec, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x2dec, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x2dec, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x2dec, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x2dec, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x2dec, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x2dec, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x2dec, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x2dec, 
['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x2dec, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2df0, ['unsigned long']], 'LastTick' : [ 0x2df4, ['unsigned long']], 'ClockInterrupts' : [ 0x2df8, ['unsigned long']], 'ReadyScanTick' : [ 0x2dfc, ['unsigned long']], 'InterruptObject' : [ 0x2e00, ['array', 256, ['pointer64', ['void']]]], 'TimerTable' : [ 0x3600, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x5800, ['_KGATE']], 'PrcbPad52' : [ 0x5818, ['pointer64', ['void']]], 'CallDpc' : [ 0x5820, ['_KDPC']], 'ClockKeepAlive' : [ 0x5860, ['long']], 'PrcbPad60' : [ 0x5864, ['array', 2, ['unsigned char']]], 'NmiActive' : [ 0x5866, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x5868, ['long']], 'DpcWatchdogCount' : [ 0x586c, ['long']], 'KeSpinLockOrdering' : [ 0x5870, ['long']], 'PrcbPad70' : [ 0x5874, ['array', 1, ['unsigned long']]], 'CachedPtes' : [ 0x5878, ['pointer64', ['void']]], 'WaitListHead' : [ 0x5880, ['_LIST_ENTRY']], 'WaitLock' : [ 0x5890, ['unsigned long long']], 'ReadySummary' : [ 0x5898, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x589c, ['long']], 'QueueIndex' : [ 0x58a0, ['unsigned long']], 'PrcbPad75' : [ 0x58a4, ['array', 3, ['unsigned long']]], 'TimerExpirationDpc' : [ 0x58b0, ['_KDPC']], 'ScbQueue' : [ 0x58f0, ['_RTL_RB_TREE']], 'DispatcherReadyListHead' : [ 0x5900, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x5b00, ['unsigned long']], 'KernelTime' : [ 0x5b04, ['unsigned long']], 'UserTime' : [ 0x5b08, ['unsigned long']], 'DpcTime' : [ 0x5b0c, ['unsigned long']], 'InterruptTime' : [ 0x5b10, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5b14, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x5b18, ['unsigned char']], 'GroupSchedulingOverQuota' : [ 0x5b19, ['unsigned char']], 'DeepSleep' : [ 0x5b1a, ['unsigned char']], 'PrcbPad80' : [ 0x5b1b, ['array', 5, ['unsigned char']]], 'DpcTimeCount' : [ 0x5b20, ['unsigned long']], 
'DpcTimeLimit' : [ 0x5b24, ['unsigned long']], 'PeriodicCount' : [ 0x5b28, ['unsigned long']], 'PeriodicBias' : [ 0x5b2c, ['unsigned long']], 'AvailableTime' : [ 0x5b30, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x5b34, ['unsigned long']], 'StartCycles' : [ 0x5b38, ['unsigned long long']], 'TaggedCyclesStart' : [ 0x5b40, ['unsigned long long']], 'TaggedCycles' : [ 0x5b48, ['array', 2, ['unsigned long long']]], 'GenerationTarget' : [ 0x5b58, ['unsigned long long']], 'AffinitizedCycles' : [ 0x5b60, ['unsigned long long']], 'PrcbPad81' : [ 0x5b68, ['array', 29, ['unsigned long']]], 'MmSpinLockOrdering' : [ 0x5bdc, ['long']], 'PageColor' : [ 0x5be0, ['unsigned long']], 'NodeColor' : [ 0x5be4, ['unsigned long']], 'NodeShiftedColor' : [ 0x5be8, ['unsigned long']], 'SecondaryColorMask' : [ 0x5bec, ['unsigned long']], 'PrcbPad83' : [ 0x5bf0, ['unsigned long']], 'CycleTime' : [ 0x5bf8, ['unsigned long long']], 'Cycles' : [ 0x5c00, ['array', 4, ['array', 2, ['unsigned long long']]]], 'PrcbPad84' : [ 0x5c40, ['array', 16, ['unsigned long']]], 'CcFastMdlReadNoWait' : [ 0x5c80, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x5c84, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x5c88, ['unsigned long']], 'CcMapDataNoWait' : [ 0x5c8c, ['unsigned long']], 'CcMapDataWait' : [ 0x5c90, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x5c94, ['unsigned long']], 'CcPinReadNoWait' : [ 0x5c98, ['unsigned long']], 'CcPinReadWait' : [ 0x5c9c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x5ca0, ['unsigned long']], 'CcMdlReadWait' : [ 0x5ca4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x5ca8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x5cac, ['unsigned long']], 'CcLazyWritePages' : [ 0x5cb0, ['unsigned long']], 'CcDataFlushes' : [ 0x5cb4, ['unsigned long']], 'CcDataPages' : [ 0x5cb8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x5cbc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x5cc0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x5cc4, ['unsigned long']], 
'CcFastMdlReadResourceMiss' : [ 0x5cc8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x5ccc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x5cd0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x5cd4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x5cd8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x5cdc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x5ce0, ['unsigned long']], 'CcReadAheadIos' : [ 0x5ce4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x5ce8, ['long']], 'MmCacheReadCount' : [ 0x5cec, ['long']], 'MmCacheIoCount' : [ 0x5cf0, ['long']], 'PrcbPad91' : [ 0x5cf4, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x5d00, ['_PROCESSOR_POWER_STATE']], 'ScbList' : [ 0x5ed0, ['_LIST_ENTRY']], 'PrcbPad92' : [ 0x5ee0, ['array', 7, ['unsigned long']]], 'KeAlignmentFixupCount' : [ 0x5efc, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x5f00, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x5f40, ['_KTIMER']], 'Cache' : [ 0x5f80, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x5fbc, ['unsigned long']], 'CachedCommit' : [ 0x5fc0, ['unsigned long']], 'CachedResidentAvailable' : [ 0x5fc4, ['unsigned long']], 'HyperPte' : [ 0x5fc8, ['pointer64', ['void']]], 'WheaInfo' : [ 0x5fd0, ['pointer64', ['void']]], 'EtwSupport' : [ 0x5fd8, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x5fe0, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x5ff0, ['_SLIST_HEADER']], 'HypercallCachedPages' : [ 0x6000, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x6008, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x6010, ['pointer64', ['unsigned long long']]], 'PackageProcessorSet' : [ 0x6018, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x60c0, ['unsigned long long']], 'SharedReadyQueue' : [ 0x60c8, ['pointer64', ['_KSHARED_READY_QUEUE']]], 'SharedQueueScanOwner' : [ 0x60d0, ['unsigned long']], 'ScanSiblingIndex' : [ 0x60d4, ['unsigned long']], 'CoreProcessorSet' : [ 0x60d8, ['unsigned long long']], 'ScanSiblingMask' : [ 0x60e0, ['unsigned long long']], 'LLCMask' : [ 0x60e8, ['unsigned 
long long']], 'CacheProcessorMask' : [ 0x60f0, ['array', 5, ['unsigned long long']]], 'ProcessorProfileControlArea' : [ 0x6118, ['pointer64', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x6120, ['pointer64', ['void']]], 'PrcbPad94' : [ 0x6128, ['array', 11, ['unsigned long long']]], 'SynchCounters' : [ 0x6180, ['_SYNCH_COUNTERS']], 'PteBitCache' : [ 0x6238, ['unsigned long long']], 'PteBitOffset' : [ 0x6240, ['unsigned long']], 'FsCounters' : [ 0x6248, ['_FILESYSTEM_DISK_COUNTERS']], 'VendorString' : [ 0x6258, ['array', 13, ['unsigned char']]], 'PrcbPad100' : [ 0x6265, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x6268, ['unsigned long long']], 'PrcbPad110' : [ 0x6270, ['unsigned long']], 'UpdateSignature' : [ 0x6278, ['_LARGE_INTEGER']], 'Context' : [ 0x6280, ['pointer64', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x6288, ['unsigned long']], 'ExtendedState' : [ 0x6290, ['pointer64', ['_XSAVE_AREA']]], 'IsrStack' : [ 0x6298, ['pointer64', ['void']]], 'EntropyTimingState' : [ 0x62a0, ['_KENTROPY_TIMING_STATE']], 'AbSelfIoBoostsList' : [ 0x63f0, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x63f8, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x6400, ['_KDPC']], 'IoIrpStackProfilerCurrent' : [ 0x6440, ['_IOP_IRP_STACK_PROFILER']], 'IoIrpStackProfilerPrevious' : [ 0x6494, ['_IOP_IRP_STACK_PROFILER']], 'LocalSharedReadyQueue' : [ 0x6500, ['_KSHARED_READY_QUEUE']], 'TimerExpirationTrace' : [ 0x6760, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : [ 0x6860, ['unsigned long']], 'ExSaPageArray' : [ 0x6868, ['pointer64', ['void']]], 'Mailbox' : [ 0x6880, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x68c0, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KFLOATING_SAVE' : [ 0x4, { 'Dummy' : [ 0x0, ['unsigned long']], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned 
long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_PS_TRUSTLET_CREATE_ATTRIBUTES' : [ 0x18, { 'TrustletIdentity' : [ 0x0, ['unsigned long long']], 'Attributes' : [ 0x8, ['array', 1, ['_PS_TRUSTLET_ATTRIBUTE_DATA']]], } ], '_PS_TRUSTLET_ATTRIBUTE_DATA' : [ 0x10, { 'Header' : [ 0x0, ['_PS_TRUSTLET_ATTRIBUTE_HEADER']], 'Data' : [ 0x8, ['array', 1, ['unsigned long long']]], } ], '_PS_TRUSTLET_ATTRIBUTE_HEADER' : [ 0x8, { 'AttributeType' : [ 0x0, ['_PS_TRUSTLET_ATTRIBUTE_TYPE']], 'InstanceNumber' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_TRUSTLET_MAILBOX_KEY' : [ 0x10, { 'SecretValue' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_TRUSTLET_COLLABORATION_ID' : [ 0x10, { 'Value' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_KPROCESS' : [ 0x2d8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long']], 'Spare0' : [ 0x44, ['unsigned long']], 'DeepFreezeStartTime' : [ 0x48, ['unsigned long long']], 'Affinity' : [ 0x50, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0xf8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x108, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x110, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x1b8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x1b8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x1b8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'DeepFreeze' : [ 0x1b8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x1b8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x1b8, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SpareFlags0' : [ 0x1b8, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x1b8, ['BitField', dict(start_bit = 8, end_bit = 28, native_type='unsigned long')]], 'ReservedFlags' : [ 0x1b8, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x1b8, ['long']], 'BasePriority' : [ 0x1bc, ['unsigned char']], 'QuantumReset' : [ 0x1bd, ['unsigned char']], 'Visited' : [ 0x1be, ['unsigned char']], 'Flags' : [ 0x1bf, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x1c0, ['array', 20, ['unsigned long']]], 'IdealNode' : [ 0x210, ['array', 20, ['unsigned short']]], 'IdealGlobalNode' : [ 0x238, ['unsigned short']], 'Spare1' : [ 0x23a, ['unsigned short']], 'StackCount' : [ 0x23c, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x240, ['_LIST_ENTRY']], 'CycleTime' : [ 0x250, ['unsigned long long']], 'ContextSwitches' : [ 0x258, ['unsigned long long']], 'SchedulingGroup' : [ 0x260, ['pointer64', ['_KSCHEDULING_GROUP']]], 'FreezeCount' : [ 0x268, ['unsigned long']], 'KernelTime' : [ 0x26c, ['unsigned long']], 'UserTime' : [ 0x270, ['unsigned long']], 'LdtFreeSelectorHint' : [ 0x274, ['unsigned short']], 'LdtTableLength' : [ 0x276, ['unsigned short']], 'LdtSystemDescriptor' : [ 0x278, ['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x288, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x290, ['_FAST_MUTEX']], 'InstrumentationCallback' : [ 0x2c8, ['pointer64', ['void']]], 'SecurePid' : [ 0x2d0, ['unsigned long long']], } ], '_KTHREAD' : [ 0x5e0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x18, ['pointer64', ['void']]], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'StackBase' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'CycleTime' : [ 0x48, ['unsigned long long']], 'CurrentRunTime' : [ 
0x50, ['unsigned long']], 'ExpectedRunTime' : [ 0x54, ['unsigned long']], 'KernelStack' : [ 0x58, ['pointer64', ['void']]], 'StateSaveArea' : [ 0x60, ['pointer64', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x68, ['pointer64', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x70, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x71, ['unsigned char']], 'Alerted' : [ 0x72, ['array', 2, ['unsigned char']]], 'AutoBoostActive' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x74, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitNext' : [ 0x74, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x74, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Alertable' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x74, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'TimerActive' : [ 0x74, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SystemThread' : [ 0x74, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x74, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CalloutActive' : [ 0x74, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x74, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ApcQueueable' : [ 0x74, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned 
long')]], 'ReservedStackInUse' : [ 0x74, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x74, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'TimerSuspended' : [ 0x74, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SuspendedWaitMode' : [ 0x74, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'SuspendSchedulerApcWait' : [ 0x74, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x74, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x74, ['long']], 'AutoAlignment' : [ 0x78, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x78, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ThreadFlagsSpare0' : [ 0x78, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x78, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x78, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x78, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x78, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x78, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x78, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x78, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 
'SharedReadyQueueAffinity' : [ 0x78, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x78, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x78, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x78, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'KernelStackResident' : [ 0x78, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CommitFailTerminateRequest' : [ 0x78, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ProcessStackCountDecremented' : [ 0x78, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'RestrictedGuiThread' : [ 0x78, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ThreadFlagsSpare' : [ 0x78, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x78, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x78, ['long']], 'Tag' : [ 0x7c, ['unsigned char']], 'SystemHeteroCpuPolicy' : [ 0x7d, ['unsigned char']], 'UserHeteroCpuPolicy' : [ 0x7e, ['BitField', dict(start_bit = 0, end_bit = 7, native_type='unsigned char')]], 'ExplicitSystemHeteroCpuPolicy' : [ 0x7e, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare0' : [ 0x7f, ['unsigned char']], 'SystemCallNumber' : [ 0x80, ['unsigned long']], 'Spare10' : [ 0x84, ['unsigned long']], 'FirstArgument' : [ 0x88, ['pointer64', ['void']]], 'TrapFrame' : [ 0x90, ['pointer64', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x98, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x98, ['array', 43, ['unsigned char']]], 'Priority' : [ 0xc3, ['unsigned char']], 'UserIdealProcessor' : [ 0xc4, ['unsigned long']], 'WaitStatus' : [ 0xc8, ['long long']], 'WaitBlockList' : [ 0xd0, 
['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xd8, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xe8, ['pointer64', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xf0, ['pointer64', ['void']]], 'RelativeTimerBias' : [ 0xf8, ['unsigned long long']], 'Timer' : [ 0x100, ['_KTIMER']], 'WaitBlock' : [ 0x140, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x140, ['array', 20, ['unsigned char']]], 'ContextSwitches' : [ 0x154, ['unsigned long']], 'WaitBlockFill5' : [ 0x140, ['array', 68, ['unsigned char']]], 'State' : [ 0x184, ['unsigned char']], 'Spare13' : [ 0x185, ['unsigned char']], 'WaitIrql' : [ 0x186, ['unsigned char']], 'WaitMode' : [ 0x187, ['unsigned char']], 'WaitBlockFill6' : [ 0x140, ['array', 116, ['unsigned char']]], 'WaitTime' : [ 0x1b4, ['unsigned long']], 'WaitBlockFill7' : [ 0x140, ['array', 164, ['unsigned char']]], 'KernelApcDisable' : [ 0x1e4, ['short']], 'SpecialApcDisable' : [ 0x1e6, ['short']], 'CombinedApcDisable' : [ 0x1e4, ['unsigned long']], 'WaitBlockFill8' : [ 0x140, ['array', 40, ['unsigned char']]], 'ThreadCounters' : [ 0x168, ['pointer64', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0x140, ['array', 88, ['unsigned char']]], 'XStateSave' : [ 0x198, ['pointer64', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0x140, ['array', 136, ['unsigned char']]], 'Win32Thread' : [ 0x1c8, ['pointer64', ['void']]], 'WaitBlockFill11' : [ 0x140, ['array', 176, ['unsigned char']]], 'Ucb' : [ 0x1f0, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'Uch' : [ 0x1f8, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'TebMappedLowVa' : [ 0x200, ['pointer64', ['void']]], 'QueueListEntry' : [ 0x208, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x218, ['unsigned long']], 'NextProcessorNumber' : [ 0x218, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x218, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x21c, ['long']], 'Process' : [ 0x220, 
['pointer64', ['_KPROCESS']]], 'UserAffinity' : [ 0x228, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x228, ['array', 10, ['unsigned char']]], 'PreviousMode' : [ 0x232, ['unsigned char']], 'BasePriority' : [ 0x233, ['unsigned char']], 'PriorityDecrement' : [ 0x234, ['unsigned char']], 'ForegroundBoost' : [ 0x234, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x234, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x235, ['unsigned char']], 'AdjustReason' : [ 0x236, ['unsigned char']], 'AdjustIncrement' : [ 0x237, ['unsigned char']], 'AffinityVersion' : [ 0x238, ['unsigned long long']], 'Affinity' : [ 0x240, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x240, ['array', 10, ['unsigned char']]], 'ApcStateIndex' : [ 0x24a, ['unsigned char']], 'WaitBlockCount' : [ 0x24b, ['unsigned char']], 'IdealProcessor' : [ 0x24c, ['unsigned long']], 'NpxState' : [ 0x250, ['unsigned long long']], 'SavedApcState' : [ 0x258, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x258, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x283, ['unsigned char']], 'SuspendCount' : [ 0x284, ['unsigned char']], 'Saturation' : [ 0x285, ['unsigned char']], 'SListFaultCount' : [ 0x286, ['unsigned short']], 'SchedulerApc' : [ 0x288, ['_KAPC']], 'SchedulerApcFill0' : [ 0x288, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x289, ['unsigned char']], 'SchedulerApcFill1' : [ 0x288, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x28b, ['unsigned char']], 'SchedulerApcFill2' : [ 0x288, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x28c, ['unsigned long']], 'SchedulerApcFill3' : [ 0x288, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c8, ['pointer64', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x288, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2d0, ['pointer64', ['void']]], 'SchedulerApcFill5' : [ 0x288, ['array', 83, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x2db, ['unsigned char']], 
'UserTime' : [ 0x2dc, ['unsigned long']], 'SuspendEvent' : [ 0x2e0, ['_KEVENT']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'AbEntrySummary' : [ 0x318, ['unsigned char']], 'AbWaitEntryCount' : [ 0x319, ['unsigned char']], 'Spare20' : [ 0x31a, ['unsigned short']], 'SecureThreadCookie' : [ 0x31c, ['unsigned long']], 'LockEntries' : [ 0x320, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x560, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x568, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x570, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x580, ['unsigned long']], 'AbCompletedIoBoostCount' : [ 0x584, ['long']], 'AbCompletedIoQoSBoostCount' : [ 0x588, ['long']], 'KeReferenceCount' : [ 0x58c, ['short']], 'AbOrphanedEntrySummary' : [ 0x58e, ['unsigned char']], 'AbOwnedEntryCount' : [ 0x58f, ['unsigned char']], 'ForegroundLossTime' : [ 0x590, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x598, ['_LIST_ENTRY']], 'ForegroundDpcStackListEntry' : [ 0x598, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x5a0, ['unsigned long long']], 'ReadOperationCount' : [ 0x5a8, ['long long']], 'WriteOperationCount' : [ 0x5b0, ['long long']], 'OtherOperationCount' : [ 0x5b8, ['long long']], 'ReadTransferCount' : [ 0x5c0, ['long long']], 'WriteTransferCount' : [ 0x5c8, ['long long']], 'OtherTransferCount' : [ 0x5d0, ['long long']], 'QueuedScb' : [ 0x5d8, ['pointer64', ['_KSCB']]], } ], '_KSTACK_CONTROL' : [ 0x30, { 'StackBase' : [ 0x0, ['unsigned long long']], 'ActualLimit' : [ 0x8, ['unsigned long long']], 'StackExpansion' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, 
['pointer64', ['void']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_1269' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'HeaderX64' : [ 0x0, ['__unnamed_1269']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer64', ['void']]], 'DeleteContext' : [ 0x10, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' 
: [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0x140, { 'IdleNonParkedCpuSet' : [ 0x0, ['unsigned long long']], 'IdleSmtSet' : [ 0x8, ['unsigned long long']], 'IdleCpuSet' : [ 0x10, ['unsigned long long']], 'DeepIdleSet' : [ 0x40, ['unsigned long long']], 'IdleConstrainedSet' : [ 0x48, ['unsigned long long']], 'NonParkedSet' : [ 0x50, ['unsigned long long']], 'ParkLock' : [ 0x58, ['long']], 'Seed' : [ 0x5c, ['unsigned long']], 'SiblingMask' : [ 0x80, ['unsigned long']], 'Affinity' : [ 0x88, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x88, ['array', 10, ['unsigned char']]], 'NodeNumber' : [ 0x92, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x94, ['unsigned short']], 'Stride' : [ 0x96, ['unsigned char']], 'Spare0' : [ 0x97, ['unsigned char']], 'SharedReadyQueueLeaders' : [ 0x98, ['unsigned long long']], 'ProximityId' : [ 0xa0, ['unsigned long']], 'Lowest' : [ 0xa4, ['unsigned long']], 'Highest' : [ 0xa8, ['unsigned long']], 'MaximumProcessors' : [ 0xac, ['unsigned char']], 'Flags' : [ 0xad, ['_flags']], 'Spare10' : [ 0xae, ['unsigned char']], 'HeteroSets' : [ 0xb0, ['array', 5, ['_KHETERO_PROCESSOR_SET']]], } ], '_ENODE' : [ 0x840, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueues' : [ 0x140, ['array', 8, ['pointer64', ['_EX_WORK_QUEUE']]]], 'ExWorkQueue' : [ 0x180, ['_EX_WORK_QUEUE']], 'IoWorkQueue' : [ 0x450, ['_EX_WORK_QUEUE']], 'ExpThreadSetManagerEvent' : [ 0x720, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x738, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x778, ['_KEVENT']], 'WaitBlocks' : [ 0x790, ['array', 3, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x820, ['pointer64', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x828, ['unsigned long']], 'ExWorkerFullInit' : [ 0x82c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x82c, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x82c, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x80, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long long']], 'QuotaProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'HandleTableList' : [ 0x18, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], 'StrictFIFO' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x2c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x2c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'RaiseUMExceptionOnInvalidHandleClose' : [ 0x2c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x38, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x40, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x40, ['array', 32, ['unsigned char']]], 'DebugInfo' : [ 0x60, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x8, { 'AuditMask' : [ 0x0, ['unsigned long']], 'MaxRelativeAccessMask' : [ 0x4, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'VolatileLowValue' : [ 0x0, ['long long']], 'LowValue' : [ 0x0, ['long long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'HighValue' : [ 0x8, ['long long']], 'NextFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x8, ['_EXHANDLE']], 'RefCountField' : [ 0x0, ['long long']], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 17, native_type='unsigned long 
long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 20, native_type='unsigned long long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 64, native_type='unsigned long long')]], 'GrantedAccessBits' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Spare1' : [ 0x8, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], 'Spare2' : [ 0xc, ['unsigned long']], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '__unnamed_135b' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_135b']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xe0, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned 
long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xd8, ['unsigned char']], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EPROCESS' : [ 0x7b0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x2d8, ['_EX_PUSH_LOCK']], 'RundownProtect' : [ 0x2e0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x2e8, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x2f0, ['_LIST_ENTRY']], 'Flags2' : [ 0x300, ['unsigned long']], 'JobNotReallyActive' : [ 0x300, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x300, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x300, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x300, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x300, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x300, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0x300, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x300, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x300, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x300, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : 
[ 0x300, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0x300, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x300, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x300, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x300, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x300, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x300, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x300, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x300, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x300, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0x300, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0x300, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0x300, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0x300, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0x300, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0x300, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0x300, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0x300, ['BitField', dict(start_bit = 31, end_bit 
= 32, native_type='unsigned long')]], 'Flags' : [ 0x304, ['unsigned long']], 'CreateReported' : [ 0x304, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x304, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x304, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x304, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0x304, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x304, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x304, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x304, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FailFastOnCommitFail' : [ 0x304, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x304, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x304, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x304, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x304, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x304, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x304, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x304, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x304, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x304, ['BitField', dict(start_bit = 18, end_bit = 
19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x304, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0x304, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x304, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x304, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x304, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x304, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0x304, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x304, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x304, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x304, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x304, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CreateTime' : [ 0x308, ['_LARGE_INTEGER']], 'ProcessQuotaUsage' : [ 0x310, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x320, ['array', 2, ['unsigned long long']]], 'PeakVirtualSize' : [ 0x330, ['unsigned long long']], 'VirtualSize' : [ 0x338, ['unsigned long long']], 'SessionProcessLinks' : [ 0x340, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0x350, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x350, ['unsigned long long']], 'ExceptionPortState' : [ 0x350, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Token' : [ 0x358, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x360, ['unsigned long long']], 'AddressCreationLock' : [ 0x368, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0x370, ['_EX_PUSH_LOCK']], 
'RotateInProgress' : [ 0x378, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x380, ['pointer64', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x388, ['pointer64', ['_EJOB']]], 'CloneRoot' : [ 0x390, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x398, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x3a0, ['unsigned long long']], 'Win32Process' : [ 0x3a8, ['pointer64', ['void']]], 'Job' : [ 0x3b0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x3b8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x3c0, ['pointer64', ['void']]], 'Cookie' : [ 0x3c8, ['unsigned long']], 'WorkingSetWatch' : [ 0x3d0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x3d8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x3e0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x3e8, ['pointer64', ['void']]], 'OwnerProcessId' : [ 0x3f0, ['unsigned long long']], 'Peb' : [ 0x3f8, ['pointer64', ['_PEB']]], 'Session' : [ 0x400, ['pointer64', ['_MM_SESSION_SPACE']]], 'AweInfo' : [ 0x408, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x410, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x418, ['pointer64', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x420, ['pointer64', ['void']]], 'WoW64Process' : [ 0x428, ['pointer64', ['_EWOW64PROCESS']]], 'DeviceMap' : [ 0x430, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x438, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x440, ['unsigned long long']], 'ImageFilePointer' : [ 0x448, ['pointer64', ['_FILE_OBJECT']]], 'ImageFileName' : [ 0x450, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x45f, ['unsigned char']], 'SecurityPort' : [ 0x460, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x468, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x470, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x480, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x488, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x498, ['unsigned long']], 'ImagePathHash' : [ 0x49c, ['unsigned long']], 'DefaultHardErrorProcessing' : 
[ 0x4a0, ['unsigned long']], 'LastThreadExitStatus' : [ 0x4a4, ['long']], 'PrefetchTrace' : [ 0x4a8, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x4b0, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x4b8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x4c0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x4c8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x4d0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x4d8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x4e0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x4e8, ['unsigned long long']], 'CommitCharge' : [ 0x4f0, ['unsigned long long']], 'CommitChargePeak' : [ 0x4f8, ['unsigned long long']], 'Vm' : [ 0x500, ['_MMSUPPORT_FULL']], 'MmProcessLinks' : [ 0x608, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x618, ['unsigned long']], 'ExitStatus' : [ 0x61c, ['long']], 'VadRoot' : [ 0x620, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x628, ['pointer64', ['void']]], 'VadCount' : [ 0x630, ['unsigned long long']], 'VadPhysicalPages' : [ 0x638, ['unsigned long long']], 'VadPhysicalPagesLimit' : [ 0x640, ['unsigned long long']], 'AlpcContext' : [ 0x648, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x668, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x678, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x680, ['unsigned long']], 'SmallestTimerResolution' : [ 0x684, ['unsigned long']], 'ExitTime' : [ 0x688, ['_LARGE_INTEGER']], 'InvertedFunctionTable' : [ 0x690, ['pointer64', ['_INVERTED_FUNCTION_TABLE']]], 'InvertedFunctionTableLock' : [ 0x698, ['_EX_PUSH_LOCK']], 'ActiveThreadsHighWatermark' : [ 0x6a0, ['unsigned long']], 'LargePrivateVadCount' : [ 0x6a4, ['unsigned long']], 'ThreadListLock' : [ 0x6a8, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x6b0, ['pointer64', ['void']]], 'Spare0' : [ 0x6b8, ['unsigned long long']], 'SignatureLevel' : [ 0x6c0, ['unsigned char']], 'SectionSignatureLevel' : [ 0x6c1, ['unsigned char']], 'Protection' : [ 0x6c2, ['_PS_PROTECTION']], 'HangCount' : [ 0x6c3, ['unsigned 
char']], 'Flags3' : [ 0x6c4, ['unsigned long']], 'Minimal' : [ 0x6c4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReplacingPageRoot' : [ 0x6c4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DisableNonSystemFonts' : [ 0x6c4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AuditNonSystemFontLoading' : [ 0x6c4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Crashed' : [ 0x6c4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'JobVadsAreTracked' : [ 0x6c4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'VadTrackingDisabled' : [ 0x6c4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AuxiliaryProcess' : [ 0x6c4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SubsystemProcess' : [ 0x6c4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x6c4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'InPrivate' : [ 0x6c4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProhibitRemoteImageMap' : [ 0x6c4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ProhibitLowILImageMap' : [ 0x6c4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SignatureMitigationOptIn' : [ 0x6c4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DisableDynamicCodeAllowOptOut' : [ 0x6c4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'EnableFilteredWin32kAPIs' : [ 0x6c4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'AuditFilteredWin32kAPIs' : [ 0x6c4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PreferSystem32Images' : [ 0x6c4, ['BitField', 
dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'RelinquishedCommit' : [ 0x6c4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AutomaticallyOverrideChildProcessPolicy' : [ 0x6c4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'HighGraphicsPriority' : [ 0x6c4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CommitFailLogged' : [ 0x6c4, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ReserveFailLogged' : [ 0x6c4, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DeviceAsid' : [ 0x6c8, ['long']], 'SvmData' : [ 0x6d0, ['pointer64', ['void']]], 'SvmProcessLock' : [ 0x6d8, ['_EX_PUSH_LOCK']], 'SvmLock' : [ 0x6e0, ['unsigned long long']], 'SvmProcessDeviceListHead' : [ 0x6e8, ['_LIST_ENTRY']], 'LastFreezeInterruptTime' : [ 0x6f8, ['unsigned long long']], 'DiskCounters' : [ 0x700, ['pointer64', ['_PROCESS_DISK_COUNTERS']]], 'PicoContext' : [ 0x708, ['pointer64', ['void']]], 'TrustletIdentity' : [ 0x710, ['unsigned long long']], 'KeepAliveCounter' : [ 0x718, ['unsigned long']], 'NoWakeKeepAliveCounter' : [ 0x71c, ['unsigned long']], 'HighPriorityFaultsAllowed' : [ 0x720, ['unsigned long']], 'EnergyValues' : [ 0x728, ['pointer64', ['_PROCESS_ENERGY_VALUES']]], 'VmContext' : [ 0x730, ['pointer64', ['void']]], 'SequenceNumber' : [ 0x738, ['unsigned long long']], 'CreateInterruptTime' : [ 0x740, ['unsigned long long']], 'CreateUnbiasedInterruptTime' : [ 0x748, ['unsigned long long']], 'TotalUnbiasedFrozenTime' : [ 0x750, ['unsigned long long']], 'LastAppStateUpdateTime' : [ 0x758, ['unsigned long long']], 'LastAppStateUptime' : [ 0x760, ['BitField', dict(start_bit = 0, end_bit = 61, native_type='unsigned long long')]], 'LastAppState' : [ 0x760, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], 'SharedCommitCharge' : [ 0x768, ['unsigned long long']], 
'SharedCommitLock' : [ 0x770, ['_EX_PUSH_LOCK']], 'SharedCommitLinks' : [ 0x778, ['_LIST_ENTRY']], 'AllowedCpuSets' : [ 0x788, ['unsigned long long']], 'DefaultCpuSets' : [ 0x790, ['unsigned long long']], 'AllowedCpuSetsIndirect' : [ 0x788, ['pointer64', ['unsigned long long']]], 'DefaultCpuSetsIndirect' : [ 0x790, ['pointer64', ['unsigned long long']]], 'DiskIoAttribution' : [ 0x798, ['pointer64', ['void']]], 'ReadyTime' : [ 0x7a0, ['unsigned long']], 'DxgProcess' : [ 0x7a8, ['pointer64', ['void']]], } ], '_EWOW64PROCESS' : [ 0x10, { 'Peb' : [ 0x0, ['pointer64', ['void']]], 'Machine' : [ 0x8, ['unsigned short']], } ], '_ETHREAD' : [ 0x7e0, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x5e0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x5e8, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x5e8, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x5f8, ['pointer64', ['void']]], 'PostBlockList' : [ 0x600, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x600, ['pointer64', ['void']]], 'StartAddress' : [ 0x608, ['pointer64', ['void']]], 'TerminationPort' : [ 0x610, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x610, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x610, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x618, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x620, ['_LIST_ENTRY']], 'Cid' : [ 0x630, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x640, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x640, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x660, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x668, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x678, ['unsigned long long']], 'DeviceToVerify' : [ 0x680, ['pointer64', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x688, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x690, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x698, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x6a8, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x6b0, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x6b8, ['unsigned long']], 'MmLockOrdering' : [ 0x6bc, 
['long']], 'CrossThreadFlags' : [ 0x6c0, ['unsigned long']], 'Terminated' : [ 0x6c0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x6c0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x6c0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x6c0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x6c0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x6c0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x6c0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x6c0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x6c0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x6c0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x6c0, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x6c0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x6c0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x6c0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DisableDynamicCodeOptOut' : [ 0x6c0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ExplicitCaseSensitivity' : [ 0x6c0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x6c0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x6c4, ['unsigned 
long']], 'ActiveExWorker' : [ 0x6c4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x6c4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'StoreLockThread' : [ 0x6c4, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'ClonedThread' : [ 0x6c4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x6c4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SelfTerminate' : [ 0x6c4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RespectIoPriority' : [ 0x6c4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ActivePageLists' : [ 0x6c4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedSameThreadPassiveFlags' : [ 0x6c4, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x6c8, ['unsigned long']], 'OwnsProcessAddressSpaceExclusive' : [ 0x6c8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x6c8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardFaultBehavior' : [ 0x6c8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x6c8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x6c8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x6c8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Prefetching' : [ 0x6c8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x6c8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x6c9, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x6c9, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x6cc, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x6cd, ['unsigned char']], 'ActiveFaultCount' : [ 0x6ce, ['unsigned char']], 'LockOrderState' : [ 0x6cf, ['unsigned char']], 'AlpcMessageId' : [ 0x6d0, ['unsigned long long']], 'AlpcMessage' : [ 0x6d8, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x6d8, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x6e0, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x6f0, ['long']], 'CacheManagerCount' : [ 0x6f4, ['unsigned long']], 'IoBoostCount' : [ 0x6f8, ['unsigned long']], 'IoQoSBoostCount' : [ 0x6fc, ['unsigned long']], 'IoQoSThrottleCount' : [ 0x700, ['unsigned long']], 'BoostList' : [ 0x708, ['_LIST_ENTRY']], 'DeboostList' : [ 0x718, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x728, ['unsigned long long']], 'IrpListLock' : [ 0x730, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x738, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x740, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x748, ['pointer64', ['_GUID']]], 'SeLearningModeListHead' : [ 0x750, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x758, ['pointer64', ['void']]], 'KernelStackReference' : [ 0x760, ['unsigned long']], 'AdjustedClientToken' : [ 0x768, ['pointer64', ['void']]], 'WorkOnBehalfThread' : [ 0x770, ['pointer64', ['void']]], 'PropertySet' : [ 0x778, ['_PS_PROPERTY_SET']], 'PicoContext' : [ 0x790, ['pointer64', ['void']]], 'UserFsBase' : [ 0x798, ['unsigned long long']], 'UserGsBase' : [ 0x7a0, ['unsigned long long']], 'EnergyValues' : [ 0x7a8, ['pointer64', ['_THREAD_ENERGY_VALUES']]], 'CmDbgInfo' : [ 0x7b0, ['pointer64', ['void']]], 'SelectedCpuSets' : [ 0x7b8, ['unsigned long long']], 'SelectedCpuSetsIndirect' : [ 0x7b8, ['pointer64', ['unsigned long long']]], 'Silo' : [ 0x7c0, ['pointer64', ['_EJOB']]], 'ThreadName' : [ 0x7c8, ['pointer64', 
['_UNICODE_STRING']]], 'SetContextState' : [ 0x7d0, ['pointer64', ['_CONTEXT']]], 'ReadyTime' : [ 0x7d8, ['unsigned long']], } ], '__unnamed_13c7' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_13cd' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_13cf' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_13cd']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_13d8' : [ 0x58, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x50, ['pointer64', ['void']]], } ], '__unnamed_13da' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_13d8']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'AllocationProcessorNumber' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_13c7']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : 
[ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_13cf']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_13da']], } ], '__unnamed_13e1' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_13e5' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_13e9' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_13eb' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13ef' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 
'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13f1' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 
'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_13f3' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 
'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileMaximumInformation'})]], } ], '__unnamed_13f5' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 
'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13f7' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13f9' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_13fd' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 
'FileFsMetadataSizeInformation', 14: 'FileFsMaximumInformation'})]], } ], '__unnamed_13ff' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1401' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1403' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1405' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1407' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_140b' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_140f' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1413' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1417' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_141b' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_141f' : [ 0x8, 
{ 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1423' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1425' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_1427' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_142b' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_142f' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1433' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_1437' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_143b' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1443' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 
'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], } ], '__unnamed_1447' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1449' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_144b' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_144d' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_13e1']], 'CreatePipe' : [ 0x0, ['__unnamed_13e5']], 'CreateMailslot' : [ 0x0, ['__unnamed_13e9']], 'Read' : [ 0x0, ['__unnamed_13eb']], 'Write' : [ 0x0, ['__unnamed_13eb']], 'QueryDirectory' : [ 0x0, ['__unnamed_13ef']], 'NotifyDirectory' : [ 0x0, ['__unnamed_13f1']], 'QueryFile' : [ 0x0, ['__unnamed_13f3']], 'SetFile' : [ 0x0, ['__unnamed_13f5']], 'QueryEa' : [ 0x0, ['__unnamed_13f7']], 'SetEa' : [ 0x0, ['__unnamed_13f9']], 'QueryVolume' : [ 0x0, ['__unnamed_13fd']], 'SetVolume' : [ 0x0, ['__unnamed_13fd']], 'FileSystemControl' : [ 0x0, ['__unnamed_13ff']], 'LockControl' : [ 0x0, ['__unnamed_1401']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1403']], 'QuerySecurity' : [ 0x0, ['__unnamed_1405']], 'SetSecurity' : [ 0x0, ['__unnamed_1407']], 'MountVolume' : [ 0x0, ['__unnamed_140b']], 'VerifyVolume' : [ 0x0, ['__unnamed_140b']], 'Scsi' : [ 0x0, ['__unnamed_140f']], 'QueryQuota' : [ 0x0, ['__unnamed_1413']], 'SetQuota' : [ 0x0, ['__unnamed_13f9']], 
'QueryDeviceRelations' : [ 0x0, ['__unnamed_1417']], 'QueryInterface' : [ 0x0, ['__unnamed_141b']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_141f']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1423']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1425']], 'SetLock' : [ 0x0, ['__unnamed_1427']], 'QueryId' : [ 0x0, ['__unnamed_142b']], 'QueryDeviceText' : [ 0x0, ['__unnamed_142f']], 'UsageNotification' : [ 0x0, ['__unnamed_1433']], 'WaitWake' : [ 0x0, ['__unnamed_1437']], 'PowerSequence' : [ 0x0, ['__unnamed_143b']], 'Power' : [ 0x0, ['__unnamed_1443']], 'StartDevice' : [ 0x0, ['__unnamed_1447']], 'WMI' : [ 0x0, ['__unnamed_1449']], 'Others' : [ 0x0, ['__unnamed_144b']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_144d']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1463' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_1463']], 
'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x10, ['unsigned long long']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x28, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], 'SiloContext' : [ 0x20, ['pointer64', ['_EJOB']]], } ], '_EJOB' : [ 0x5c8, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb8, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xc0, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0xc8, ['unsigned long long']], 'TotalPageFaultCount' : [ 0xd0, ['unsigned long']], 'TotalProcesses' : [ 0xd4, ['unsigned long']], 'ActiveProcesses' : [ 0xd8, ['unsigned long']], 
'TotalTerminatedProcesses' : [ 0xdc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xe0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf8, ['unsigned long long']], 'LimitFlags' : [ 0x100, ['unsigned long']], 'ActiveProcessLimit' : [ 0x104, ['unsigned long']], 'Affinity' : [ 0x108, ['_KAFFINITY_EX']], 'AccessState' : [ 0x1b0, ['pointer64', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0x1b8, ['pointer64', ['void']]], 'UIRestrictionsClass' : [ 0x1c0, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x1c4, ['unsigned long']], 'CompletionPort' : [ 0x1c8, ['pointer64', ['void']]], 'CompletionKey' : [ 0x1d0, ['pointer64', ['void']]], 'CompletionCount' : [ 0x1d8, ['unsigned long long']], 'SessionId' : [ 0x1e0, ['unsigned long']], 'SchedulingClass' : [ 0x1e4, ['unsigned long']], 'ReadOperationCount' : [ 0x1e8, ['unsigned long long']], 'WriteOperationCount' : [ 0x1f0, ['unsigned long long']], 'OtherOperationCount' : [ 0x1f8, ['unsigned long long']], 'ReadTransferCount' : [ 0x200, ['unsigned long long']], 'WriteTransferCount' : [ 0x208, ['unsigned long long']], 'OtherTransferCount' : [ 0x210, ['unsigned long long']], 'DiskIoInfo' : [ 0x218, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x240, ['unsigned long long']], 'JobMemoryLimit' : [ 0x248, ['unsigned long long']], 'JobTotalMemoryLimit' : [ 0x250, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x258, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x260, ['unsigned long long']], 'EffectiveAffinity' : [ 0x268, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x310, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x318, ['unsigned long long']], 'EffectiveMaximumWorkingSetSize' : [ 0x320, ['unsigned long long']], 'EffectiveProcessMemoryLimit' : [ 0x328, ['unsigned long long']], 'EffectiveProcessMemoryLimitJob' : [ 0x330, ['pointer64', ['_EJOB']]], 
'EffectivePerProcessUserTimeLimitJob' : [ 0x338, ['pointer64', ['_EJOB']]], 'EffectiveNetIoRateLimitJob' : [ 0x340, ['pointer64', ['_EJOB']]], 'EffectiveHeapAttributionJob' : [ 0x348, ['pointer64', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x350, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x354, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x358, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x35c, ['unsigned long']], 'EffectiveSwapCount' : [ 0x360, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x364, ['unsigned long']], 'EffectivePriorityClass' : [ 0x368, ['unsigned char']], 'PriorityClass' : [ 0x369, ['unsigned char']], 'NestingDepth' : [ 0x36a, ['unsigned char']], 'Reserved1' : [ 0x36b, ['array', 1, ['unsigned char']]], 'CompletionFilter' : [ 0x36c, ['unsigned long']], 'WakeChannel' : [ 0x370, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x370, ['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x3a8, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x3b0, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x3b4, ['unsigned long']], 'NotificationLink' : [ 0x3b8, ['pointer64', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x3c0, ['unsigned long long']], 'NotificationInfo' : [ 0x3c8, ['pointer64', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x3d0, ['pointer64', ['void']]], 'NotificationPacket' : [ 0x3d8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x3e0, ['pointer64', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x3e8, ['pointer64', ['void']]], 'ReadyTime' : [ 0x3f0, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x3f8, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x400, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x410, ['_LIST_ENTRY']], 'ParentJob' : [ 0x420, ['pointer64', ['_EJOB']]], 'ParentSilo' : [ 0x428, ['pointer64', ['_EJOB']]], 'RootJob' : [ 0x430, ['pointer64', ['_EJOB']]], 'IteratorListHead' : [ 0x438, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x448, ['unsigned long long']], 
'Ancestors' : [ 0x450, ['pointer64', ['pointer64', ['_EJOB']]]], 'SessionObject' : [ 0x450, ['pointer64', ['void']]], 'TimerListLock' : [ 0x458, ['unsigned long long']], 'TimerListHead' : [ 0x460, ['_LIST_ENTRY']], 'Accounting' : [ 0x470, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x4c8, ['unsigned long']], 'ActiveAuxiliaryProcessCount' : [ 0x4cc, ['unsigned long']], 'SequenceNumber' : [ 0x4d0, ['unsigned long']], 'JobId' : [ 0x4d4, ['unsigned long']], 'ContainerId' : [ 0x4d8, ['_GUID']], 'ServerSiloGlobals' : [ 0x4e8, ['pointer64', ['_ESERVERSILO_GLOBALS']]], 'PropertySet' : [ 0x4f0, ['_PS_PROPERTY_SET']], 'Storage' : [ 0x508, ['pointer64', ['_PSP_STORAGE']]], 'NetRateControl' : [ 0x510, ['pointer64', ['_JOB_NET_RATE_CONTROL']]], 'JobFlags' : [ 0x518, ['unsigned long']], 'CloseDone' : [ 0x518, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x518, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x518, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x518, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x518, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x518, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x518, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x518, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x518, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x518, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x518, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 
0x518, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x518, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x518, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x518, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x518, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x518, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x518, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x518, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x518, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x518, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x518, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x518, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x518, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x518, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'NetRateControlActive' : [ 0x518, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'OwnNetRateControl' : [ 0x518, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IoRateControlActive' : [ 0x518, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'OwnIoRateControl' : [ 0x518, ['BitField', dict(start_bit = 28, end_bit = 29, 
native_type='unsigned long')]], 'DisallowNewProcesses' : [ 0x518, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Silo' : [ 0x518, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare' : [ 0x518, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x51c, ['unsigned long']], 'EnergyValues' : [ 0x520, ['pointer64', ['_PROCESS_ENERGY_VALUES']]], 'SharedCommitCharge' : [ 0x528, ['unsigned long long']], 'WakeRoot' : [ 0x530, ['pointer64', ['_EJOB']]], 'DiskIoAttributionUserRefCount' : [ 0x538, ['unsigned long']], 'DiskIoAttributionRefCount' : [ 0x53c, ['unsigned long']], 'DiskIoAttributionContext' : [ 0x540, ['pointer64', ['void']]], 'DiskIoAttributionOwnerJob' : [ 0x540, ['pointer64', ['_EJOB']]], 'GlobalIoControl' : [ 0x548, ['_PS_IO_CONTROL_ENTRY']], 'VolumeIoControlLock' : [ 0x580, ['long']], 'VolumeIoControlTree' : [ 0x588, ['_RTL_RB_TREE']], 'IoControlLock' : [ 0x598, ['_EX_PUSH_LOCK']], 'SiloHardReferenceCount' : [ 0x5a0, ['unsigned long long']], 'RundownWorkItem' : [ 0x5a8, ['_WORK_QUEUE_ITEM']], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'AllocationProcessorNumber' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], 
'_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'Type' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['unsigned char']], 'Reserved2' : [ 0xe, ['unsigned short']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x70, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer64', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x60, ['pointer64', ['void']]], 'UserContext' : [ 0x68, ['pointer64', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 
0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 
'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 
'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'Oplock' : [ 0x58, ['pointer64', ['void']]], 'ReservedForRemote' : [ 0x58, ['pointer64', ['void']]], 'ReservedContext' : [ 0x60, ['pointer64', ['void']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_TlgProvider_t' : [ 0x40, { 'LevelPlus1' : [ 0x0, ['unsigned long']], 'ProviderMetadataPtr' : [ 0x8, ['pointer64', ['unsigned short']]], 'KeywordAny' : [ 0x10, ['unsigned long long']], 'KeywordAll' : [ 0x18, ['unsigned long long']], 'RegHandle' : [ 0x20, ['unsigned long long']], 'EnableCallback' : [ 0x28, ['pointer64', ['void']]], 'CallbackContext' : 
[ 0x30, ['pointer64', ['void']]], 'AnnotationFunc' : [ 0x38, ['pointer64', ['void']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_TlgProviderMetadata_t' : [ 0x13, { 'Type' : [ 0x0, ['unsigned char']], 'ProviderId' : [ 0x1, ['_GUID']], 'RemainingSize' : [ 0x11, ['unsigned short']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '__unnamed_164d' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_164d']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND' : [ 0x10, { 'LocalLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'State' : [ 0x8, ['_EX_PUSH_LOCK_AUTO_EXPAND_STATE']], 'Stats' : [ 0xc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'ReservedLowFlags' : [ 0x1a, ['unsigned char']], 'WaiterPriority' : [ 0x1b, ['unsigned char']], 'SharedWaiters' : [ 0x20, ['_KWAIT_CHAIN']], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, 
['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '_MMCLONE_DESCRIPTOR' : [ 0x50, { 'CloneNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Next' : [ 0x0, ['pointer64', ['_MMCLONE_DESCRIPTOR']]], 'StartingCloneBlock' : [ 0x18, ['pointer64', ['_MMCLONE_BLOCK']]], 'EndingCloneBlock' : [ 0x20, ['pointer64', ['_MMCLONE_BLOCK']]], 'NumberOfPtes' : [ 0x28, ['unsigned long long']], 'NumberOfReferences' : [ 0x30, ['unsigned long long']], 'CloneHeader' : [ 0x38, ['pointer64', ['_MMCLONE_HEADER']]], 'NonPagedPoolQuotaCharge' : [ 0x40, ['unsigned long long']], 'NestingLevel' : [ 0x48, ['unsigned long long']], } ], '__unnamed_168d' : [ 0x8, { 'Flink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeFlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 64, native_type='unsigned long long')]], 'WsIndex' : [ 0x0, ['unsigned long long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], 
'__unnamed_1692' : [ 0x2, { 'ReferenceCount' : [ 0x0, ['unsigned short']], } ], '__unnamed_1694' : [ 0x4, { 'EntireField' : [ 0x0, ['unsigned long']], } ], '__unnamed_1696' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY1']], 'e3' : [ 0x3, ['_MMPFNENTRY3']], 'e2' : [ 0x0, ['__unnamed_1692']], 'e4' : [ 0x0, ['__unnamed_1694']], } ], '__unnamed_16a2' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'Channel' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 38, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'Partition' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 50, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 52, native_type='unsigned long long')]], 'FileOnly' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'PfnExists' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned long long']], } ], '_MMPFN' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'u1' : [ 0x0, ['__unnamed_168d']], 'PteAddress' : [ 0x8, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer64', ['void']]], 'PteLong' : [ 0x8, ['unsigned long long']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'u2' : [ 0x18, ['_MIPFNBLINK']], 'u3' : [ 0x20, 
['__unnamed_1696']], 'NodeBlinkLow' : [ 0x24, ['unsigned short']], 'Unused' : [ 0x26, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'VaType' : [ 0x26, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'ViewCount' : [ 0x27, ['unsigned char']], 'NodeFlinkLow' : [ 0x27, ['unsigned char']], 'u4' : [ 0x28, ['__unnamed_16a2']], } ], '__unnamed_16aa' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_16aa']], } ], '_MMWSL_SHARED' : [ 0x60, { 'FirstFree' : [ 0x0, ['unsigned long long']], 'FirstDynamic' : [ 0x8, ['unsigned long long']], 'LastEntry' : [ 0x10, ['unsigned long long']], 'LastInitializedWsle' : [ 0x18, ['unsigned long long']], 'WsleSize' : [ 0x20, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long long']], 'LowestPagableAddress' : [ 0x30, ['pointer64', ['void']]], 'NonDirectHash' : [ 0x38, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x40, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x48, ['pointer64', ['_MMWSLE_HASH']]], 'Wsle' : [ 0x50, ['pointer64', ['_MMWSLE']]], } ], '__unnamed_16bd' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_16c1' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x48, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : 
[ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_16bd']], 'u2' : [ 0x38, ['__unnamed_16c1']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], } ], '__unnamed_16c6' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_16c9' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS2']], } ], '__unnamed_16d3' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long')]], 'SystemImage' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'StrongCode' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 28, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_16d5' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_16d3']], } ], '__unnamed_16d7' : [ 0x8, { 'IoAttributionContext' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], 'SpareImage' : [ 0x0, ['unsigned long long']], } ], '_CONTROL_AREA' : [ 0x80, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, 
['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_16c6']], 'u1' : [ 0x3c, ['__unnamed_16c9']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'WaitList' : [ 0x50, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x58, ['__unnamed_16d5']], 'FileObjectLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'LockedPages' : [ 0x70, ['unsigned long long']], 'u3' : [ 0x78, ['__unnamed_16d7']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x68, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP_EX']], 'BasePte' : [ 0x10, ['pointer64', ['_MMPTE']]], 'Flags' : [ 0x18, ['unsigned long']], 'VaType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaMaximumType', 15: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x30, ['unsigned long long']], 'GlobalPushLock' : [ 0x30, ['pointer64', ['_EX_PUSH_LOCK']]], 'Vm' : [ 0x38, ['pointer64', ['_MMSUPPORT_INSTANCE']]], 'TotalSystemPtes' : [ 0x40, ['unsigned long long']], 'Hint' : [ 0x48, ['unsigned long long']], 'LowestBitEverAllocated' : [ 0x50, ['unsigned long long']], 'CachedPtes' : [ 0x58, ['pointer64', ['_MI_CACHED_PTES']]], 'TotalFreeSystemPtes' : [ 0x60, ['unsigned long long']], } ], '__unnamed_16f1' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_16f4' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, 
['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x40, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer64', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0x18, ['unsigned long']], 'EndingVpn' : [ 0x1c, ['unsigned long']], 'StartingVpnHigh' : [ 0x20, ['unsigned char']], 'EndingVpnHigh' : [ 0x21, ['unsigned char']], 'CommitChargeHigh' : [ 0x22, ['unsigned char']], 'SpareNT64VadUChar' : [ 0x23, ['unsigned char']], 'ReferenceCount' : [ 0x24, ['long']], 'PushLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u' : [ 0x30, ['__unnamed_16f1']], 'u1' : [ 0x34, ['__unnamed_16f4']], 'EventList' : [ 0x38, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_HHIVE' : [ 0xa68, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileWrite' : [ 0x28, ['pointer64', ['void']]], 'FileRead' : [ 0x30, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x38, ['pointer64', ['void']]], 'BaseBlock' : [ 0x40, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x48, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x58, ['unsigned long']], 'DirtyAlloc' : [ 0x5c, ['unsigned long']], 'UnreconciledVector' : [ 0x60, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x70, ['unsigned long']], 'BaseBlockAlloc' : [ 0x74, ['unsigned long']], 'Cluster' : [ 0x78, ['unsigned long']], 'Flat' : [ 0x7c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x7c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SystemCacheBacked' : [ 0x7c, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned char')]], 'Reserved' : [ 0x7c, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x7d, ['unsigned char']], 'HvBinHeadersUse' : [ 0x80, ['unsigned long']], 'HvFreeCellsUse' : [ 0x84, ['unsigned long']], 'HvUsedCellsUse' : [ 0x88, ['unsigned long']], 'CmUsedCellsUse' : [ 0x8c, ['unsigned long']], 'HiveFlags' : [ 0x90, ['unsigned long']], 'CurrentLog' : [ 0x94, ['unsigned long']], 'CurrentLogSequence' : [ 0x98, ['unsigned long']], 'CurrentLogMinimumSequence' : [ 0x9c, ['unsigned long']], 'CurrentLogOffset' : [ 0xa0, ['unsigned long']], 'MinimumLogSequence' : [ 0xa4, ['unsigned long']], 'LogFileSizeCap' : [ 0xa8, ['unsigned long']], 'LogDataPresent' : [ 0xac, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0xae, ['unsigned char']], 'BaseBlockDirty' : [ 0xaf, ['unsigned char']], 'LastLogSwapTime' : [ 0xb0, ['_LARGE_INTEGER']], 'FirstLogFile' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'SecondLogFile' : [ 0xb8, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 'HeaderRecovered' : [ 0xb8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0xb8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0xb8, ['unsigned short']], 'LogEntriesRecovered' : [ 0xba, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0xbc, ['unsigned long']], 'StorageTypeCount' : [ 0xc0, ['unsigned long']], 'Version' : [ 0xc4, ['unsigned long']], 'ViewMap' : [ 0xc8, ['_HVIEW_MAP']], 'Storage' : [ 0x578, ['array', 2, ['_DUAL']]], } ], '_HV_GET_CELL_CONTEXT' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'BinContext' : [ 0x4, ['_HV_GET_BIN_CONTEXT']], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned 
long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Discarded' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['_CM_PATH_HASH']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'KcbPushlock' : [ 0x28, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x30, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x30, ['long']], 'DelayedDeref' : [ 0x38, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DelayedClose' : [ 0x38, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Parking' : [ 0x38, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'LayerSemantics' : [ 0x39, ['unsigned char']], 'LayerHeight' : [ 0x3a, ['short']], 'SlotHint' : [ 0x3c, ['unsigned long']], 'ParentKcb' : [ 0x40, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x48, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x50, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x58, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x68, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x68, ['unsigned long']], 'SubKeyCount' : [ 0x68, ['unsigned long']], 'KeyBodyListHead' : [ 0x70, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x70, ['_LIST_ENTRY']], 
'KeyBodyArray' : [ 0x80, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa0, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xa8, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xaa, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xac, ['unsigned long']], 'KcbUserFlags' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'Spare3' : [ 0xb4, ['unsigned long']], 'LayerInfo' : [ 0xb8, ['pointer64', ['_CM_KCB_LAYER_INFO']]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], 'FullKCBNameStale' : [ 0x120, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x120, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], } ], 'tagSWITCH_CONTEXT' : [ 0x68, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 
0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'Trans' : [ 0x38, ['_CM_TRANS_PTR']], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '__unnamed_1762' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry', 21: '_CmpMountPreloadedHives', 22: '_CmpLoadHiveThread'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1765' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_1767' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1769' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_176b' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_176f' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_1773' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_1775' : [ 0x4, { 'FileOffset' : [ 0x0, 
['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_1762']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_1762']]], 'RegistryIO' : [ 0xd0, ['__unnamed_1765']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_1767']], 'CheckKey' : [ 0xf0, ['__unnamed_1769']], 'CheckValueList' : [ 0x110, ['__unnamed_176b']], 'CheckHive' : [ 0x128, ['__unnamed_176f']], 'CheckHive1' : [ 0x138, ['__unnamed_176f']], 'CheckBin' : [ 0x148, ['__unnamed_1773']], 'RecoverData' : [ 0x158, ['__unnamed_1775']], } ], '_CM_KCB_UOW' : [ 0x78, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ParentUoW' : [ 0x50, ['pointer64', ['_CM_KCB_UOW']]], 'ChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x58, ['unsigned long']], 'OldValueCell' : [ 0x58, ['unsigned long']], 'NewValueCell' : [ 0x5c, ['unsigned long']], 'UserFlags' : [ 0x58, ['unsigned long']], 'LastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 
0x58, ['unsigned long']], 'OldChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x60, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x60, ['unsigned long']], 'PrepareDataPointer' : [ 0x68, ['pointer64', ['void']]], 'SecurityData' : [ 0x68, ['pointer64', ['_CM_UOW_SET_SD_DATA']]], 'ModifyKeysData' : [ 0x68, ['pointer64', ['_CM_UOW_KEY_STATE_MODIFICATION']]], 'SetValueData' : [ 0x68, ['pointer64', ['_CM_UOW_SET_VALUE_LIST_DATA']]], 'ValueData' : [ 0x70, ['pointer64', ['_CM_UOW_SET_VALUE_KEY_DATA']]], 'DiscardReplaceContext' : [ 0x70, ['pointer64', ['_CMP_DISCARD_AND_REPLACE_KCB_CONTEXT']]], } ], '_CM_TRANS' : [ 0xb0, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Prepared' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Aborted' : [ 0x30, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Committed' : [ 0x30, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Initializing' : [ 0x30, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Invalid' : [ 0x30, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UseReservation' : [ 0x30, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'TmCallbacksActive' : [ 0x30, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LightWeight' : [ 0x30, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Freed1' : [ 0x30, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Freed2' : [ 0x30, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x30, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 
'Freed' : [ 0x30, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Spare' : [ 0x30, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long')]], 'TransState' : [ 0x30, ['unsigned long']], 'Trans' : [ 0x38, ['_CM_TRANS_PTR']], 'CmRm' : [ 0x40, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x48, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x50, ['pointer64', ['void']]], 'KtmUow' : [ 0x58, ['_GUID']], 'StartLsn' : [ 0x68, ['unsigned long long']], 'HiveCount' : [ 0x70, ['unsigned long']], 'HiveArray' : [ 0x78, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xc0, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long 
long']], 'ParkingStatus' : [ 0x80, ['unsigned long']], 'CurrentFrequency' : [ 0x84, ['unsigned long']], 'PercentMaxFrequency' : [ 0x88, ['unsigned long']], 'StateFlags' : [ 0x8c, ['unsigned long']], 'NominalThroughput' : [ 0x90, ['unsigned long']], 'ActiveThroughput' : [ 0x94, ['unsigned long']], 'ScaledThroughput' : [ 0x98, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0xa0, ['unsigned long long']], 'AverageIdleTime' : [ 0xa8, ['unsigned long long']], 'IdleBreakEvents' : [ 0xb0, ['unsigned long long']], 'PerformanceLimit' : [ 0xb8, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xbc, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 
'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 
'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0xc, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], } ], '_TEB32' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 16, ['unsigned long']]], 'SystemReserved1' : [ 0x10c, ['array', 36, ['unsigned long']]], 'WorkingOnBehalfTicket' : [ 0x19c, ['array', 8, ['unsigned char']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'InstrumentationCallbackSp' : [ 0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned long']], 'InstrumentationCallbackDisabled' 
: [ 0x1b8, ['unsigned char']], 'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, 
['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], '_TEB64' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned 
long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['unsigned long long']]], 'SystemReserved1' : [ 0x190, ['array', 37, ['unsigned long long']]], 'WorkingOnBehalfTicket' : [ 0x2b8, ['array', 8, ['unsigned char']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, 
['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 
'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, 
['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_HV_X64_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState_Deprecated' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable_Deprecated' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ExtendedGvaRangesForFlushVirtualAddressListAvailable' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'FastHypercallOutputAvailable' : [ 0xc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SvmFeaturesAvailable' : [ 0xc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SintPollingModeAvailable' : [ 0xc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HypercallMsrLockAvailable' : [ 0xc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'DirectSyntheticTimers' : [ 0xc, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeReg' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 
'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicRegs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerRegs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessIntrCtrlRegs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetReg' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsReg' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleReg' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyRegs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugRegs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'AccessReenlightenmentControls' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', 
dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'AccessVpExitTracing' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'EnableExtendedGvaRangesForFlushVirtualAddressList' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 48, native_type='unsigned long long')]], 'AccessVsm' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 49, native_type='unsigned long long')]], 'AccessVpRegisters' : [ 0x0, ['BitField', dict(start_bit = 49, end_bit = 50, native_type='unsigned long long')]], 'UnusedBit' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 51, native_type='unsigned long long')]], 'FastHypercallOutput' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'EnableExtendedHypercalls' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'StartVirtualProcessor' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 
'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', ['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x260, { 'Lock' : [ 0x0, ['unsigned long long']], 'ReadySummary' : [ 0x8, ['unsigned long']], 'ReadyListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x210, ['array', 64, ['unsigned char']]], 'Span' : [ 0x250, ['unsigned char']], 'LowProcIndex' : [ 0x251, ['unsigned char']], 'QueueIndex' : [ 0x252, ['unsigned char']], 'ProcCount' : [ 0x253, ['unsigned char']], 'ScanOwner' : [ 0x254, ['unsigned char']], 'Spare' : [ 0x255, ['array', 3, ['unsigned char']]], 'Affinity' : [ 0x258, ['unsigned long long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'Spare1' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'OutputBuffer' : [ 
0xd8, ['unsigned long long']], 'OutputLength' : [ 0xe0, ['unsigned long long']], 'Spare2' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, 
['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'Fill4' : [ 0x18c, ['unsigned long']], } ], '__unnamed_18a0' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_18a2' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_18a6' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['wchar']]], } ], '_DEVICE_NODE' : [ 0x2d0, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', 
['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'FxDevice' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x58, ['long']], 'FxRemoveEvent' : [ 0x60, ['_KEVENT']], 'FxActivationCount' : [ 0x78, ['long']], 'FxSleepCount' : [ 0x7c, ['long']], 'Plugin' : [ 0x80, ['pointer64', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x88, ['unsigned long']], 'CurrentPowerState' : [ 0x8c, ['_POWER_STATE']], 'Notify' : [ 0x90, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xf8, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0x118, ['_UNICODE_STRING']], 'PowerFlags' : [ 0x128, ['unsigned long']], 'State' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 
'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x134, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x184, ['unsigned long']], 'CompletionStatus' : [ 0x188, ['long']], 'Flags' : [ 0x18c, ['unsigned long']], 'UserFlags' : [ 0x190, ['unsigned long']], 'Problem' : [ 0x194, ['unsigned long']], 'ProblemStatus' : [ 0x198, ['long']], 'ResourceList' : [ 0x1a0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x1b0, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x1b8, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 
'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x1c4, ['unsigned long']], 'ChildInterfaceType' : [ 0x1c8, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x1cc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x1d0, ['unsigned short']], 'RemovalPolicy' : [ 0x1d2, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x1d3, ['unsigned char']], 'TargetDeviceNotify' : [ 0x1d8, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x1e8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1f8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x208, ['unsigned short']], 'QueryTranslatorMask' : [ 0x20a, ['unsigned short']], 'NoArbiterMask' : [ 0x20c, ['unsigned short']], 'QueryArbiterMask' : [ 0x20e, ['unsigned short']], 'OverUsed1' : [ 0x210, ['__unnamed_18a0']], 'OverUsed2' : [ 0x218, ['__unnamed_18a2']], 'BootResources' : [ 0x220, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x228, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x230, ['unsigned long']], 'DockInfo' : [ 0x238, ['__unnamed_18a6']], 'DisableableDepends' : [ 0x258, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x260, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x270, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x280, ['unsigned long']], 'PreviousParent' : [ 0x288, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x290, ['long']], 'NumaNodeIndex' : [ 0x294, ['unsigned long']], 'ContainerID' : [ 0x298, ['_GUID']], 'OverrideFlags' : [ 0x2a8, ['unsigned 
char']], 'DeviceIdsHash' : [ 0x2ac, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x2b0, ['unsigned char']], 'PendingEjectRelations' : [ 0x2b8, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x2c0, ['unsigned long']], 'RebalanceContext' : [ 0x2c8, ['pointer64', ['_PNP_REBALANCE_TRACE_CONTEXT']]], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x48, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x30, ['pointer64', ['unsigned long']]], 'EnableKeyWords' : [ 0x38, ['pointer64', ['unsigned long long']]], 'EnableLevel' : [ 0x40, ['pointer64', ['unsigned char']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x68, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependencyNode' : [ 0x50, ['pointer64', ['void']]], 'InterruptContext' 
: [ 0x58, ['pointer64', ['void']]], 'VerifierContext' : [ 0x60, ['pointer64', ['void']]], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KAFFINITY_EX' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 20, ['unsigned long long']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 
'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, 
['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned 
long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 
0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, 
['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_19a9' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'WriteCustomBreakPoint' : [ 0x0, ['_DBGKD_WRITE_CUSTOM_BREAKPOINT']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_19a9']], } ], '__unnamed_19b0' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 
'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_19b0']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : 
[ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PEP_ACPI_RESOURCE' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'IoMemory' : [ 0x0, ['_PEP_ACPI_IO_MEMORY_RESOURCE']], 'Interrupt' : [ 0x0, ['_PEP_ACPI_INTERRUPT_RESOURCE']], 'Gpio' : [ 0x0, ['_PEP_ACPI_GPIO_RESOURCE']], 'SpbI2c' : [ 0x0, ['_PEP_ACPI_SPB_I2C_RESOURCE']], 'SpbSpi' : [ 0x0, ['_PEP_ACPI_SPB_SPI_RESOURCE']], 'SpbUart' : [ 0x0, ['_PEP_ACPI_SPB_UART_RESOURCE']], 'ExtendedAddress' : [ 0x0, ['_PEP_ACPI_EXTENDED_ADDRESS']], } ], '_PEP_ACPI_IO_MEMORY_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Information' : [ 0x4, ['unsigned char']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], } ], '_PEP_ACPI_INTERRUPT_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'InterruptType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 
'InterruptActiveBothTriggerHigh'})]], 'Flags' : [ 0xc, ['_PEP_ACPI_RESOURCE_FLAGS']], 'Count' : [ 0x10, ['unsigned char']], 'Pins' : [ 0x18, ['pointer64', ['unsigned long']]], } ], '_PEP_ACPI_GPIO_RESOURCE' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'InterruptType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'PinConfig' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PullDefault', 1: 'PullUp', 2: 'PullDown', 3: 'PullNone'})]], 'IoRestrictionType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'IoRestrictionNone', 1: 'IoRestrictionInputOnly', 2: 'IoRestrictionOutputOnly', 3: 'IoRestrictionNoneAndPreserve'})]], 'DriveStrength' : [ 0x18, ['unsigned short']], 'DebounceTimeout' : [ 0x1a, ['unsigned short']], 'PinTable' : [ 0x20, ['pointer64', ['unsigned short']]], 'PinCount' : [ 0x28, ['unsigned short']], 'ResourceSourceIndex' : [ 0x2a, ['unsigned char']], 'ResourceSourceName' : [ 0x30, ['pointer64', ['_UNICODE_STRING']]], 'VendorData' : [ 0x38, ['pointer64', ['unsigned char']]], 'VendorDataLength' : [ 0x40, ['unsigned short']], } ], '_PEP_ACPI_SPB_I2C_RESOURCE' : [ 0x30, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x28, ['unsigned long']], 'SlaveAddress' : [ 0x2c, ['unsigned short']], } ], '_PEP_ACPI_SPB_UART_RESOURCE' : [ 0x38, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'BaudRate' : [ 0x28, ['unsigned long']], 
'RxBufferSize' : [ 0x2c, ['unsigned short']], 'TxBufferSize' : [ 0x2e, ['unsigned short']], 'Parity' : [ 0x30, ['unsigned char']], 'LinesInUse' : [ 0x31, ['unsigned char']], } ], '_PEP_ACPI_SPB_SPI_RESOURCE' : [ 0x38, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x28, ['unsigned long']], 'DataBitLength' : [ 0x2c, ['unsigned char']], 'Phase' : [ 0x2d, ['unsigned char']], 'Polarity' : [ 0x2e, ['unsigned char']], 'DeviceSelection' : [ 0x30, ['unsigned short']], } ], '_PEP_ACPI_EXTENDED_ADDRESS' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'ResourceFlags' : [ 0x8, ['unsigned char']], 'GeneralFlags' : [ 0x9, ['unsigned char']], 'TypeSpecificFlags' : [ 0xa, ['unsigned char']], 'RevisionId' : [ 0xb, ['unsigned char']], 'Reserved' : [ 0xc, ['unsigned char']], 'Granularity' : [ 0x10, ['unsigned long long']], 'MinimumAddress' : [ 0x18, ['unsigned long long']], 'MaximumAddress' : [ 0x20, ['unsigned long long']], 'TranslationAddress' : [ 0x28, ['unsigned long long']], 'AddressLength' : [ 0x30, ['unsigned long long']], 'TypeAttribute' : [ 0x38, ['unsigned long long']], 'DescriptorName' : [ 0x40, ['pointer64', ['_UNICODE_STRING']]], } ], '_PPM_PLATFORM_STATES' : [ 0x1c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'InterfaceVersion' : [ 0x4, ['unsigned long']], 'ProcessorCount' : [ 0x8, ['unsigned long']], 'CoordinatedInterface' : [ 0xc, ['unsigned char']], 'IdleTest' : [ 0x10, ['pointer64', ['void']]], 'IdlePreExecute' : [ 0x18, ['pointer64', ['void']]], 'IdleComplete' : [ 0x20, ['pointer64', ['void']]], 'QueryPlatformStateResidency' : [ 0x28, ['pointer64', ['void']]], 'Accounting' : [ 0x30, ['pointer64', ['_PLATFORM_IDLE_ACCOUNTING']]], 'State' : [ 
0x40, ['array', 1, ['_PPM_PLATFORM_STATE']]], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_PPM_PROFILE' : [ 0xb30, { 'Name' : [ 0x0, ['pointer64', ['wchar']]], 'Id' : [ 0x8, ['unsigned char']], 'Guid' : [ 0xc, ['_GUID']], 'Flags' : [ 0x1c, ['unsigned long']], 'Priority' : [ 0x20, ['unsigned char']], 'Settings' : [ 0x28, ['array', 2, ['_PPM_ENGINE_SETTINGS']]], 'StartTime' : [ 0xb08, ['unsigned long long']], 'Count' : [ 0xb10, ['unsigned long long']], 'MaxDuration' : [ 0xb18, ['unsigned long long']], 'MinDuration' : [ 0xb20, ['unsigned long long']], 'TotalDuration' : [ 0xb28, ['unsigned long long']], } ], '_PPM_ENGINE_SETTINGS' : [ 0x570, { 'ExplicitSetting' : [ 0x0, ['array', 2, ['_PPM_POLICY_SETTINGS_MASK']]], 'ThrottlingPolicy' : [ 0x10, ['unsigned char']], 'PerfTimeCheck' : [ 0x14, ['unsigned long']], 'PerfHistoryCount' : [ 0x18, ['array', 2, ['unsigned char']]], 'PerfMinPolicy' : [ 0x1a, ['array', 2, ['unsigned char']]], 'PerfMaxPolicy' : [ 0x1c, ['array', 2, ['unsigned char']]], 'PerfDecreaseTime' : [ 0x1e, ['array', 2, ['unsigned char']]], 'PerfIncreaseTime' : [ 0x20, ['array', 2, ['unsigned char']]], 'PerfDecreasePolicy' : [ 0x22, ['array', 2, ['unsigned char']]], 'PerfIncreasePolicy' : [ 0x24, ['array', 2, ['unsigned char']]], 'PerfDecreaseThreshold' : [ 0x26, ['array', 2, ['unsigned char']]], 'PerfIncreaseThreshold' : [ 0x28, ['array', 2, ['unsigned char']]], 'PerfBoostPolicy' : [ 0x2c, ['unsigned long']], 'PerfBoostMode' : [ 0x30, ['unsigned long']], 'PerfReductionTolerance' : [ 0x34, ['unsigned long']], 'EnergyPerfPreference' : [ 0x38, ['unsigned long']], 'AutonomousActivityWindow' : [ 0x3c, ['unsigned long']], 'AutonomousPreference' : [ 0x40, ['unsigned char']], 'LatencyHintPerf' : [ 0x41, ['array', 2, ['unsigned char']]], 'LatencyHintUnpark' : [ 0x43, ['array', 2, 
['unsigned char']]], 'DutyCycling' : [ 0x45, ['unsigned char']], 'ParkingPerfState' : [ 0x46, ['array', 2, ['unsigned char']]], 'DistributeUtility' : [ 0x48, ['unsigned char']], 'CoreParkingOverUtilizationThreshold' : [ 0x49, ['unsigned char']], 'CoreParkingConcurrencyThreshold' : [ 0x4a, ['unsigned char']], 'CoreParkingHeadroomThreshold' : [ 0x4b, ['unsigned char']], 'CoreParkingDistributionThreshold' : [ 0x4c, ['unsigned char']], 'CoreParkingDecreasePolicy' : [ 0x4d, ['unsigned char']], 'CoreParkingIncreasePolicy' : [ 0x4e, ['unsigned char']], 'CoreParkingDecreaseTime' : [ 0x50, ['unsigned long']], 'CoreParkingIncreaseTime' : [ 0x54, ['unsigned long']], 'CoreParkingMinCores' : [ 0x58, ['array', 2, ['unsigned char']]], 'CoreParkingMaxCores' : [ 0x5a, ['array', 2, ['unsigned char']]], 'AllowScaling' : [ 0x5c, ['unsigned char']], 'IdleDisabled' : [ 0x5d, ['unsigned char']], 'IdleTimeCheck' : [ 0x60, ['unsigned long']], 'IdleDemotePercent' : [ 0x64, ['unsigned char']], 'IdlePromotePercent' : [ 0x65, ['unsigned char']], 'HeteroDecreaseTime' : [ 0x66, ['unsigned char']], 'HeteroIncreaseTime' : [ 0x67, ['unsigned char']], 'HeteroDecreaseThreshold' : [ 0x68, ['array', 640, ['unsigned char']]], 'HeteroIncreaseThreshold' : [ 0x2e8, ['array', 640, ['unsigned char']]], 'Class0FloorPerformance' : [ 0x568, ['unsigned char']], 'Class1InitialPerformance' : [ 0x569, ['unsigned char']], } ], '_ESERVERSILO_GLOBALS' : [ 0x430, { 'ObSiloState' : [ 0x0, ['_OBP_SILODRIVERSTATE']], 'SeSiloState' : [ 0x2e0, ['_SEP_SILOSTATE']], 'SeRmSiloState' : [ 0x300, ['_SEP_RM_LSA_CONNECTION_STATE']], 'EtwSiloState' : [ 0x350, ['pointer64', ['_ETW_SILODRIVERSTATE']]], 'MiSessionLeaderProcess' : [ 0x358, ['pointer64', ['_EPROCESS']]], 'ExpDefaultErrorPortProcess' : [ 0x360, ['pointer64', ['_EPROCESS']]], 'ExpDefaultErrorPort' : [ 0x368, ['pointer64', ['void']]], 'HardErrorState' : [ 0x370, ['unsigned long']], 'WnfSiloState' : [ 0x378, ['_WNF_SILODRIVERSTATE']], 'ApiSetSection' : [ 0x3b0, ['pointer64', 
['void']]], 'ApiSetSchema' : [ 0x3b8, ['pointer64', ['void']]], 'OneCoreForwardersEnabled' : [ 0x3c0, ['unsigned char']], 'SiloRootDirectoryName' : [ 0x3c8, ['_UNICODE_STRING']], 'Storage' : [ 0x3d8, ['pointer64', ['_PSP_STORAGE']]], 'State' : [ 0x3e0, ['Enumeration', dict(target = 'long', choices = {0: 'SERVERSILO_INITING', 1: 'SERVERSILO_STARTED', 2: 'SERVERSILO_SHUTTING_DOWN', 3: 'SERVERSILO_TERMINATING', 4: 'SERVERSILO_TERMINATED'})]], 'ExitStatus' : [ 0x3e4, ['long']], 'DeleteEvent' : [ 0x3e8, ['pointer64', ['_KEVENT']]], 'UserSharedData' : [ 0x3f0, ['_SILO_USER_SHARED_DATA']], 'TerminateWorkItem' : [ 0x410, ['_WORK_QUEUE_ITEM']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_PERF_FLAGS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'Progress' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 27, native_type='unsigned long')]], 'Synchronicity' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 29, native_type='unsigned long')]], 'RequestPepCompleted' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'RequestSucceeded' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NestedCallback' : [ 0x0, ['BitField', dict(start_bit = 31, 
end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'IrpFirstPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IrpLastPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0xd0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x20, ['unsigned long long']], 'LogHandleContext' : [ 0x28, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0xc0, ['unsigned long']], 'PagesQueuedToDisk' : [ 0xc4, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0xc8, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x210, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 
'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'V1' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0x100, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x118, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0x150, ['_LARGE_INTEGER']], 'Event' : [ 0x158, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x170, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x178, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1f0, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1f8, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x200, ['unsigned long']], 'WritesInProgress' : [ 0x204, ['unsigned long']], 'AsyncReadRequestCount' : [ 0x208, ['unsigned long']], } ], 
'__unnamed_1aa8' : [ 0x10, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_1aa8']], 'ArrayHead' : [ 0x20, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1acc' : [ 0x10, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], 'DiskIoAttribution' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1ace' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1ad0' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_1ad2' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ad4' : [ 0x30, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x8, ['pointer64', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x10, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x28, ['unsigned char']], } ], '__unnamed_1ad8' : [ 0x68, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], 'FileOffset' : [ 0x8, ['_LARGE_INTEGER']], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Length' : [ 0x18, ['unsigned long']], 'PrefetchList' : [ 0x20, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'PrefetchPagePriority' : [ 0x28, ['unsigned long']], 'Mdl' : [ 0x30, ['pointer64', ['_MDL']]], 'IoStatusBlock' : [ 0x38, ['pointer64', ['_IO_STATUS_BLOCK']]], 'CallbackContext' : [ 0x40, ['pointer64', ['_CC_ASYNC_READ_CONTEXT']]], 'OriginatingProcess' : [ 0x48, ['pointer64', ['_EPROCESS']]], 'IoIssuerThread' : [ 0x50, ['pointer64', ['_ETHREAD']]], 'DiskIoAttribution' : [ 0x58, ['pointer64', ['void']]], 'RequestorMode' : [ 0x60, ['unsigned char']], 'NestingLevel' : [ 0x64, ['unsigned long']], } ], '__unnamed_1ada' : [ 0x68, { 'Read' : [ 0x0, ['__unnamed_1acc']], 'Write' : [ 0x0, ['__unnamed_1ace']], 'Event' : [ 0x0, ['__unnamed_1ad0']], 'Notification' 
: [ 0x0, ['__unnamed_1ad2']], 'LowPriWrite' : [ 0x0, ['__unnamed_1ad4']], 'AsyncRead' : [ 0x0, ['__unnamed_1ad8']], } ], '_WORK_QUEUE_ENTRY' : [ 0x80, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_1ada']], 'Function' : [ 0x78, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x30, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x8, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x20, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x98, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x10, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x18, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x30, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x68, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x6c, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x70, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x78, ['pointer64', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x80, ['unsigned long long']], 'LastLWTimeStamp' : [ 0x88, ['_LARGE_INTEGER']], 'Flags' : [ 0x90, ['unsigned long']], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' 
: [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x2a0, { 'Segment' : [ 0x0, ['_HEAP_SEGMENT']], 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x90, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x94, ['unsigned 
long']], 'Signature' : [ 0x98, ['unsigned long']], 'SegmentReserve' : [ 0xa0, ['unsigned long long']], 'SegmentCommit' : [ 0xa8, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb0, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xb8, ['unsigned long long']], 'TotalFreeSize' : [ 0xc0, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xc8, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd0, ['unsigned short']], 'HeaderValidateLength' : [ 0xd2, ['unsigned short']], 'HeaderValidateCopy' : [ 0xd8, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe0, ['unsigned short']], 'MaximumTagIndex' : [ 0xe2, ['unsigned short']], 'TagEntries' : [ 0xe8, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf0, ['_LIST_ENTRY']], 'AlignRound' : [ 0x100, ['unsigned long long']], 'AlignMask' : [ 0x108, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x110, ['_LIST_ENTRY']], 'SegmentList' : [ 0x120, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x130, ['unsigned short']], 'NonDedicatedListLength' : [ 0x134, ['unsigned long']], 'BlocksIndex' : [ 0x138, ['pointer64', ['void']]], 'UCRIndex' : [ 0x140, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x148, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x150, ['_LIST_ENTRY']], 'LockVariable' : [ 0x160, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x168, ['pointer64', ['void']]], 'StackTraceInitVar' : [ 0x170, ['_RTL_RUN_ONCE']], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0x183, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0x188, ['pointer64', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0x190, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0x192, ['array', 129, ['unsigned char']]], 'Counters' : [ 0x218, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x290, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1b49' : [ 0x68, { 
'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_1b49']], } ], '_HEAP_ENTRY' : [ 0x10, { 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, 
['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'HeapEntry' : [ 0x0, ['_HEAP_ENTRY']], 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1b9c' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1b9e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b9c']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ba0' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1ba2' : [ 
0x4, { 's2' : [ 0x0, ['__unnamed_1ba0']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1b9e']], 'u2' : [ 0x4, ['__unnamed_1ba2']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x30, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer64', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], } ], '__unnamed_1bbd' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1bbf' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1bbd']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x30, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, 
['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_1bbf']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x18, ['long long']], 'Lock' : [ 0x20, ['_EX_PUSH_LOCK']], } ], '__unnamed_1bd1' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1bd3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bd1']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_1bd3']], 'NumberOfRegions' : [ 0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_1bdc' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1bde' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bdc']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_1bde']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_1be4' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit 
= 3, native_type='unsigned long')]], } ], '__unnamed_1be6' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1be4']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_1be6']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x48, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x40, ['pointer64', ['_KALPC_MESSAGE']]], } ], '__unnamed_1c04' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1c06' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c04']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1d8, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa0, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0xb8, ['_LIST_ENTRY']], 'DirectQueueLock' : [ 0xc8, ['_EX_PUSH_LOCK']], 'DirectQueue' : [ 0xd0, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0xe0, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0xe8, ['_LIST_ENTRY']], 'Semaphore' : [ 0xf8, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xf8, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0x100, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x148, 
['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x150, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0x168, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0x170, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x178, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x180, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x190, ['long']], 'ReferenceNo' : [ 0x194, ['long']], 'ReferenceNoWait' : [ 0x198, ['pointer64', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0x1a0, ['__unnamed_1c06']], 'TargetQueuePort' : [ 0x1a8, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x1b0, ['pointer64', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x1b8, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x1c0, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x1c4, ['unsigned long']], 'PendingQueueLength' : [ 0x1c8, ['unsigned long']], 'DirectQueueLength' : [ 0x1cc, ['unsigned long']], 'CanceledQueueLength' : [ 0x1d0, ['unsigned long']], 'WaitQueueLength' : [ 0x1d4, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0xa0, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'CompletionListLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x20, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x28, ['pointer64', ['void']]], 'UserLimit' : [ 0x30, ['pointer64', ['void']]], 'DataUserVa' : [ 0x38, ['pointer64', ['void']]], 'SystemVa' : [ 0x40, ['pointer64', ['void']]], 'TotalSize' : [ 0x48, ['unsigned long long']], 'Header' : [ 0x50, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x58, ['pointer64', ['void']]], 'ListSize' : [ 0x60, ['unsigned long long']], 'Bitmap' : [ 0x68, ['pointer64', ['void']]], 'BitmapSize' : [ 0x70, ['unsigned long long']], 'Data' : [ 0x78, ['pointer64', ['void']]], 'DataSize' : [ 0x80, ['unsigned long long']], 'BitmapLimit' : [ 0x88, ['unsigned long']], 'BitmapNextHint' : [ 0x8c, ['unsigned long']], 'ConcurrencyCount' : [ 0x90, ['unsigned long']], 
'AttributeFlags' : [ 0x94, ['unsigned long']], 'AttributeSize' : [ 0x98, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_TYPE' : [ 0xd8, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'Key' : [ 0xc0, ['unsigned long']], 'CallbackList' : [ 0xc8, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x20, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x18, ['long']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1b9e']], 'u2' : [ 0x4, ['__unnamed_1ba2']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1c2c' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1c2e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c2c']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x110, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'u1' : [ 0x28, ['__unnamed_1c2e']], 'SequenceNo' : [ 0x2c, ['long']], 'QuotaProcess' : [ 0x30, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x30, ['pointer64', ['void']]], 'CancelSequencePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x40, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x48, ['long']], 'CancelListEntry' : [ 0x50, ['_LIST_ENTRY']], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x68, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xb0, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xb8, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xc0, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xc8, ['pointer64', ['_ETHREAD']]], 'WakeReference' : [ 0xd0, ['pointer64', ['void']]], 'ExtensionBuffer' : [ 0xd8, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 
0xe0, ['unsigned long long']], 'PortMessage' : [ 0xe8, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x40, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'DirectEvent' : [ 0x28, ['_KALPC_DIRECT_EVENT']], 'Flags' : [ 0x30, ['unsigned long']], 'TotalLength' : [ 0x34, ['unsigned short']], 'Type' : [ 0x36, ['unsigned short']], 'DataInfoOffset' : [ 0x38, ['unsigned short']], 'SignalCompletion' : [ 0x3a, ['unsigned char']], 'PostedToCompletionList' : [ 0x3b, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x30, { 'ObjectType' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x48, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], 'DirectEvent' : [ 0x38, ['_KALPC_DIRECT_EVENT']], 'WorkOnBehalfData' : [ 0x40, ['_KALPC_WORK_ON_BEHALF_DATA']], } ], '__unnamed_1c73' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit 
= 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1c75' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c73']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1c75']], } ], '_KALPC_DIRECT_EVENT' : [ 0x8, { 'Event' : [ 0x0, ['unsigned long long']], 'Referenced' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x38, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer64', ['void']]], 'DiskIoAttributionHandle' : [ 0x10, ['unsigned long long']], 'ActivityId' : [ 0x18, ['_GUID']], 'Timestamp' : [ 0x28, 
['_LARGE_INTEGER']], 'ZeroingOffset' : [ 0x28, ['unsigned long']], 'FsTrackOffsetBlob' : [ 0x28, ['pointer64', ['_IO_IRP_EXT_TRACK_OFFSET_HEADER']]], 'FsTrackedOffset' : [ 0x30, ['long long']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x50, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 
'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xc0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, ['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned char']], 'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'AccessMode' : [ 0x94, ['unsigned char']], 'DriverCreateContext' : [ 0x98, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, 
['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1d3b' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x118, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1d3b']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer64', ['wchar']]], 'LogFileName' : [ 0x40, ['pointer64', ['wchar']]], 'TimeZone' : [ 0x48, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf8, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0x100, ['_LARGE_INTEGER']], 'StartTime' : [ 0x108, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x110, ['unsigned long']], 'BuffersLost' : [ 0x114, ['unsigned long']], } ], '_RTL_HASH_TABLE' : [ 0x10, { 'EntryCount' : [ 0x0, ['unsigned long']], 'MaskBitCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'BucketCount' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Buckets' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_HASH_ENTRY' : [ 0x10, { 'BucketLink' : [ 0x0, 
['_SINGLE_LIST_ENTRY']], 'Key' : [ 0x8, ['unsigned long long']], } ], '_RTL_HASH_TABLE_ITERATOR' : [ 0x18, { 'Hash' : [ 0x0, ['pointer64', ['_RTL_HASH_TABLE']]], 'HashEntry' : [ 0x8, ['pointer64', ['_RTL_HASH_ENTRY']]], 'Bucket' : [ 0x10, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_CHASH_TABLE' : [ 0x18, { 'Table' : [ 0x0, ['pointer64', ['_RTL_CHASH_ENTRY']]], 'EntrySizeShift' : [ 0x8, ['unsigned long']], 'EntryMax' : [ 0xc, ['unsigned long']], 'EntryCount' : [ 0x10, ['unsigned long']], } ], '_RTL_CHASH_ENTRY' : [ 0x8, { 'Key' : [ 0x0, ['unsigned long long']], } ], '_ETW_BUFFER_QUEUE' : [ 0x10, { 'QueueTail' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStatePendingCompression', 5: 'EtwBufferStateCompressed', 6: 'EtwBufferStatePlaceholder', 7: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, 
['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_WMI_LOGGER_CONTEXT' : [ 0x440, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 2, ['unsigned long']]], 'ErrorMarker' : [ 0x1c, ['unsigned long']], 'SizeMask' : [ 0x20, ['unsigned long']], 'GetCpuClock' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'FailureReason' : [ 0x3c, ['unsigned long']], 'BufferQueue' : [ 0x40, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x50, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x60, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x70, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x80, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x80, ['_EX_FAST_REF']], 'LoggerName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileName' : [ 0x98, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0xa8, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xb8, ['_UNICODE_STRING']], 'ClockType' : [ 0xc8, ['unsigned long']], 'LastFlushedBuffer' : [ 0xcc, ['unsigned long']], 'FlushTimer' : [ 0xd0, ['unsigned long']], 'FlushThreshold' : [ 0xd4, ['unsigned long']], 'ByteOffset' : [ 0xd8, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xe0, ['unsigned long']], 'BuffersAvailable' : [ 0xe4, ['long']], 'NumberOfBuffers' : [ 0xe8, ['long']], 'MaximumBuffers' : [ 0xec, ['unsigned long']], 'EventsLost' : [ 0xf0, ['unsigned long']], 'PeakBuffersCount' : [ 0xf4, ['long']], 'BuffersWritten' : [ 0xf8, ['unsigned long']], 'LogBuffersLost' : [ 0xfc, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x100, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x104, ['unsigned long']], 'SequencePtr' : [ 0x108, ['pointer64', ['long']]], 'LocalSequence' : [ 0x110, ['unsigned long']], 'InstanceGuid' : [ 0x114, ['_GUID']], 'MaximumFileSize' : [ 0x124, 
['unsigned long']], 'FileCounter' : [ 0x128, ['long']], 'PoolType' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x130, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0x140, ['long']], 'ProviderInfoSize' : [ 0x144, ['unsigned long']], 'Consumers' : [ 0x148, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x158, ['unsigned long']], 'TransitionConsumer' : [ 0x160, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x168, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x170, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x180, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x188, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x190, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x198, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1a0, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1a8, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1b0, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1c8, ['_KEVENT']], 'FlushEvent' : [ 0x1e0, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x1f8, ['_KTIMER']], 'LoggerDpc' : [ 0x238, ['_KDPC']], 'LoggerMutex' : [ 0x278, ['_KMUTANT']], 'LoggerLock' : [ 0x2b0, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2b8, ['unsigned long long']], 'BufferListPushLock' : [ 
0x2b8, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2c0, ['_SECURITY_CLIENT_CONTEXT']], 'TokenAccessInformation' : [ 0x308, ['pointer64', ['_TOKEN_ACCESS_INFORMATION']]], 'SecurityDescriptor' : [ 0x310, ['_EX_FAST_REF']], 'StartTime' : [ 0x318, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x320, ['pointer64', ['void']]], 'BufferSequenceNumber' : [ 0x328, ['long long']], 'Flags' : [ 0x330, ['unsigned long']], 'Persistent' : [ 0x330, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x330, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x330, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x330, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x330, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x330, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x330, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x330, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x330, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x330, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x330, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x330, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x330, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'StackLookasideListAllocated' : [ 0x330, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SecurityTrace' : [ 0x330, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 
'SpareFlags1' : [ 0x330, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x330, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x330, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x330, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x334, ['unsigned long']], 'DbgRequestNewFile' : [ 0x334, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x334, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x334, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x334, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x334, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x334, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x334, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x334, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDeferredFlush' : [ 0x334, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDeferredFlushTimer' : [ 0x334, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x334, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x334, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x334, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x338, 
['_RTL_BITMAP']], 'StackCache' : [ 0x348, ['pointer64', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x350, ['pointer64', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x358, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x368, ['pointer64', ['pointer64', ['_WMI_BUFFER_HEADER']]]], 'DisallowedGuids' : [ 0x370, ['_DISALLOWED_GUIDS']], 'SoftRestartContext' : [ 0x380, ['pointer64', ['_ETW_SOFT_RESTART_CONTEXT']]], 'SiloState' : [ 0x388, ['pointer64', ['_ETW_SILODRIVERSTATE']]], 'CompressionWorkItem' : [ 0x390, ['_WORK_QUEUE_ITEM']], 'CompressionWorkItemState' : [ 0x3b0, ['long']], 'CompressionLock' : [ 0x3b8, ['_EX_PUSH_LOCK']], 'CompressionTarget' : [ 0x3c0, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CompressionWorkspace' : [ 0x3c8, ['pointer64', ['void']]], 'CompressionOn' : [ 0x3d0, ['long']], 'CompressionRatioGuess' : [ 0x3d4, ['unsigned long']], 'PartialBufferCompressionLevel' : [ 0x3d8, ['unsigned long']], 'CompressionResumptionMode' : [ 0x3dc, ['Enumeration', dict(target = 'long', choices = {0: 'EtwCompressionModeRestart', 1: 'EtwCompressionModeNoDisable', 2: 'EtwCompressionModeNoRestart'})]], 'PlaceholderList' : [ 0x3e0, ['_SINGLE_LIST_ENTRY']], 'CompressionDpc' : [ 0x3e8, ['_KDPC']], 'LastBufferSwitchTime' : [ 0x428, ['_LARGE_INTEGER']], 'BufferWriteDuration' : [ 0x430, ['_LARGE_INTEGER']], 'BufferCompressDuration' : [ 0x438, ['_LARGE_INTEGER']], } ], '_ETW_PMC_SUPPORT' : [ 0x28, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 
'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer64', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_SILODRIVERSTATE' : [ 0x13a8, { 'EtwpSecurityProviderGuidEntry' : [ 0x0, ['_ETW_GUID_ENTRY']], 'EtwpLoggerRundown' : [ 0x190, ['array', 64, ['pointer64', ['_EX_RUNDOWN_REF_CACHE_AWARE']]]], 'WmipLoggerContext' : [ 0x390, ['array', 64, ['pointer64', ['_WMI_LOGGER_CONTEXT']]]], 'EtwpGuidHashTable' : [ 0x590, ['array', 64, ['_ETW_HASH_BUCKET']]], 'EtwpSecurityLoggers' : [ 0x1390, ['array', 8, ['unsigned short']]], 'EtwpSecurityProviderEnableMask' : [ 0x13a0, ['unsigned char']], 'EtwpShutdownInProgress' : [ 0x13a1, ['unsigned char']], 'EtwpSecurityProviderPID' : [ 0x13a4, ['unsigned long']], } ], '_EX_RUNDOWN_REF_CACHE_AWARE' : [ 0x18, { 'RunRefs' : [ 0x0, ['pointer64', ['_EX_RUNDOWN_REF']]], 'PoolToFree' : [ 0x8, ['pointer64', ['void']]], 'RunRefSize' : [ 0x10, ['unsigned long']], 'Number' : [ 0x14, ['unsigned long']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x488, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 
0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0xa0, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa8, ['pointer64', ['void']]], 'DynamicPart' : [ 0xb0, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb8, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc8, ['unsigned long']], 'TokenInUse' : [ 0xcc, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xd0, ['unsigned long']], 'MandatoryPolicy' : [ 0xd4, ['unsigned long']], 'LogonSession' : [ 0xd8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe0, ['_LUID']], 'SidHash' : [ 0xe8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f8, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x308, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x310, ['pointer64', ['void']]], 'Capabilities' : [ 0x318, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x320, ['unsigned long']], 'CapabilitiesHash' : [ 0x328, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x438, ['pointer64', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x440, ['pointer64', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x448, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x450, ['pointer64', ['void']]], 'TrustLinkedToken' : [ 0x458, ['pointer64', ['_TOKEN']]], 'IntegrityLevelSidValue' : [ 0x460, ['pointer64', ['void']]], 
'TokenSidValues' : [ 0x468, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], 'IndexEntry' : [ 0x470, ['pointer64', ['_SEP_LUID_TO_INDEX_MAP_ENTRY']]], 'DiagnosticInfo' : [ 0x478, ['pointer64', ['_SEP_TOKEN_DIAG_TRACK_ENTRY']]], 'VariablePart' : [ 0x480, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0xc0, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['long long']], 'Flags' : [ 0x20, ['unsigned long']], 'pDeviceMap' : [ 0x28, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x30, ['pointer64', ['void']]], 'AccountName' : [ 0x38, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x48, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x58, ['_SEP_LOWBOX_HANDLES_TABLE']], 'SharedDataLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'SharedClaimAttributes' : [ 0x70, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'SharedSidValues' : [ 0x78, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], 'RevocationBlock' : [ 0x80, ['_OB_HANDLE_REVOCATION_BLOCK']], 'ServerSilo' : [ 0xa0, ['pointer64', ['_EJOB']]], 'SiblingAuthId' : [ 0xa8, ['_LUID']], 'TokenList' : [ 0xb0, ['_LIST_ENTRY']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 'DbgRefTrace' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'NewObject' : [ 0x1b, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0x1b, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 
0x1b, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0x1b, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0x1b, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0x1b, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0x1b, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0x1b, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Reserved' : [ 0x1c, ['unsigned long']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved2' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], 'Reserved' : [ 0x1c, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved1' 
: [ 0x1a, ['unsigned short']], 'Reserved2' : [ 0x1c, ['unsigned long']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x10, { 'SecurityDescriptor' : [ 0x0, ['pointer64', ['void']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_EXTENDED_INFO' : [ 0x10, { 'Footer' : [ 0x0, ['pointer64', ['_OBJECT_FOOTER']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_FOOTER' : [ 0x30, { 'HandleRevocationInfo' : [ 0x0, ['_HANDLE_REVOCATION_INFO']], 'ExtendedUserInfo' : [ 0x20, ['_OB_EXTENDED_USER_INFO']], } ], '_OB_EXTENDED_USER_INFO' : [ 0x10, { 'Context1' : [ 0x0, ['pointer64', ['void']]], 'Context2' : [ 0x8, ['pointer64', ['void']]], } ], '_HANDLE_REVOCATION_INFO' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'RevocationBlock' : [ 0x10, ['pointer64', ['_OB_HANDLE_REVOCATION_BLOCK']]], 'AllowHandleRevocation' : [ 0x18, ['unsigned char']], 'Padding1' : [ 0x19, ['array', 3, ['unsigned char']]], 'Padding2' : [ 0x1c, ['array', 4, ['unsigned char']]], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x28, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'EntryLink' : [ 0x10, ['pointer64', ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0x18, ['unsigned long']], 'HashIndex' : [ 0x1c, ['unsigned short']], 'DirectoryLocked' : [ 0x1e, ['unsigned char']], 'LockedExclusive' : [ 0x1f, ['unsigned char']], 'LockStateSignature' : [ 0x20, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x158, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x138, ['pointer64', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0x140, ['unsigned long']], 'NamespaceEntry' : [ 0x148, ['pointer64', ['void']]], 'Flags' : [ 0x150, ['unsigned long']], } ], '_OBP_SILODRIVERSTATE' : [ 0x2e0, { 'SystemDeviceMap' : [ 0x0, ['pointer64', ['_DEVICE_MAP']]], 'SystemDosDeviceState' : [ 0x8, 
['_OBP_SYSTEM_DOS_DEVICE_STATE']], 'DeviceMapLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'PrivateNamespaceLookupTable' : [ 0x80, ['_OBJECT_NAMESPACE_LOOKUPTABLE']], } ], '_WHEAP_INFO_BLOCK' : [ 0x18, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x8, ['pointer64', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x10, ['pointer64', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x428, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x10, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x14, ['unsigned long']], 'ErrorCount' : [ 0x18, ['long']], 'RecordCount' : [ 0x1c, ['unsigned long']], 'RecordLength' : [ 0x20, ['unsigned long']], 'PoolTag' : [ 0x24, ['unsigned long']], 'Type' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x30, ['pointer64', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x38, ['pointer64', ['void']]], 'SectionCount' : [ 0x40, ['unsigned long']], 'SectionLength' : [ 0x44, ['unsigned long']], 'TickCountAtLastError' : [ 0x48, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x50, ['unsigned long']], 'TotalErrors' : [ 0x54, ['unsigned long']], 'Deferred' : [ 0x58, ['unsigned char']], 'Descriptor' : [ 0x59, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xf0, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x10, ['unsigned long']], 'ProcessorNumber' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x1c, ['long']], 'ErrorSource' : [ 0x20, ['pointer64', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x28, 
['_WHEA_ERROR_RECORD']], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ImageControlAreaOnRemovableMedia' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, 
end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'SystemVaAllocated' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PreferredFsCompressionBoundary' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'UsingFileExtents' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'PageSize64K' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PEP_ACPI_SPB_RESOURCE' : [ 0x28, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'TypeSpecificFlags' : [ 0x8, ['unsigned short']], 'ResourceSourceIndex' : [ 0xa, ['unsigned char']], 'ResourceSourceName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'VendorData' : [ 0x18, ['pointer64', ['unsigned char']]], 'VendorDataLength' : [ 0x20, ['unsigned short']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, 
['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x40, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x10, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x18, ['long']], 'HighWaterMark' : [ 0x1c, ['unsigned long']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_KDPC_DATA' : [ 0x28, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], 'ActiveDpc' : [ 0x20, ['pointer64', ['_KDPC']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_PLATFORM_IDLE_ACCOUNTING' : [ 0x400, { 'ResetCount' : [ 0x0, ['unsigned long']], 'StateCount' : [ 0x4, ['unsigned long']], 'DeepSleepCount' : [ 0x8, ['unsigned long']], 'TimeUnit' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['_PLATFORM_IDLE_STATE_ACCOUNTING']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 
'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '__unnamed_1f02' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x4000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1f02']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long long']], 'NonPagablePages' : [ 0x28, ['unsigned long long']], 'CommittedPages' : [ 0x30, ['unsigned long long']], 'PagedPoolStart' : [ 0x38, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x40, ['pointer64', ['void']]], 'SessionObject' : [ 0x48, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x50, ['pointer64', ['void']]], 'SessionPoolAllocationFailures' : [ 0x58, ['array', 4, ['unsigned long']]], 'ImageTree' : [ 0x68, ['_RTL_AVL_TREE']], 'LocaleId' : [ 0x70, ['unsigned long']], 'AttachCount' : [ 0x74, ['unsigned long']], 'AttachGate' : [ 0x78, ['_KGATE']], 'WsListEntry' : [ 0x90, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb60, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xbc0, ['_MMSUPPORT_FULL']], 'AggregateSessionWs' : [ 0xd00, ['_MMSUPPORT_AGGREGATION']], 'DriverUnload' : [ 0xd20, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xd40, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e80, ['_MMPTE']], 'SessionVaLock' : [ 0x1e88, ['_EX_PUSH_LOCK']], 
'DynamicVaBitMap' : [ 0x1e90, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1ea0, ['unsigned long']], 'SpecialPool' : [ 0x1ea8, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1ef8, ['_EX_PUSH_LOCK']], 'PoolBigEntriesInUse' : [ 0x1f00, ['long']], 'PagedPoolPdeCount' : [ 0x1f04, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f08, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f0c, ['unsigned long']], 'SystemPteInfo' : [ 0x1f10, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f78, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1f80, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1f88, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1f90, ['unsigned long long']], 'IoState' : [ 0x1f98, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1f9c, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fa0, ['_KEVENT']], 'ServerSilo' : [ 0x1fb8, ['pointer64', ['_EJOB']]], 'CreateTime' : [ 0x1fc0, ['unsigned long long']], 'PoolTags' : [ 0x2000, ['array', 8192, ['unsigned char']]], } ], '_OBJECT_NAMESPACE_LOOKUPTABLE' : [ 0x260, { 'HashBuckets' : [ 0x0, ['array', 37, ['_LIST_ENTRY']]], 'Lock' : [ 0x250, ['_EX_PUSH_LOCK']], 'NumberOfPrivateSpaces' : [ 0x258, ['unsigned long']], } ], '_MI_CACHED_PTES' : [ 0x48, { 'Bins' : [ 0x0, ['array', 8, ['_MI_CACHED_PTE']]], 'CachedPteCount' : [ 0x40, ['long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x78, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 
'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeFlags2' : [ 0x3, ['unsigned char']], 'UseExtendedParameters' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, 
['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'ParseProcedureEx' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], 'WaitObjectFlagMask' : [ 0x70, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x74, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x76, ['unsigned short']], } ], '_KLOCK_ENTRY' : [ 0x60, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'EntryFlags' : [ 0x18, ['unsigned long']], 'EntryOffset' : [ 0x18, ['unsigned char']], 'ThreadLocalFlags' : [ 0x19, ['unsigned char']], 'WaitingBit' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare0' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'AcquiredByte' : [ 0x1a, ['unsigned char']], 'AcquiredBit' : [ 0x1a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadFlags' : [ 0x1b, ['unsigned char']], 'HeadNodeBit' : [ 0x1b, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IoPriorityBit' : [ 0x1b, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IoQoSWaiter' : [ 0x1b, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0x1b, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'StaticState' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'AllFlags' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'SpareFlags' : [ 0x1c, ['unsigned long']], 'LockState' : [ 0x20, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x20, ['pointer64', ['void']]], 'CrossThreadReleasableAndBusyByte' : [ 0x20, ['unsigned char']], 
'Reserved' : [ 0x21, ['array', 6, ['unsigned char']]], 'InTreeByte' : [ 0x27, ['unsigned char']], 'SessionState' : [ 0x28, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], 'SessionPad' : [ 0x2c, ['unsigned long']], 'OwnerTree' : [ 0x30, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x40, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x30, ['unsigned char']], 'EntryLock' : [ 0x50, ['unsigned long long']], 'AllBoosts' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 17, native_type='unsigned long')]], 'CpuBoostsBitmap' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 15, native_type='unsigned short')]], 'IoBoost' : [ 0x58, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'IoQoSBoost' : [ 0x5a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x5a, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned short')]], 'IoQoSWaiterCount' : [ 0x5a, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'SparePad' : [ 0x5c, ['unsigned long']], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 
'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'Arm64ControlSet' : [ 0x0, ['_ARM64_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ManySubsections' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Enclave' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PageSize64K' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_COUNTERS' : [ 0x78, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, 
['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'PollIntervalCounter' : [ 0x48, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x4c, ['unsigned long']], 'HeapPollInterval' : [ 0x50, ['unsigned long']], 'AllocAndFreeOps' : [ 0x54, ['unsigned long']], 'AllocationIndicesActive' : [ 0x58, ['unsigned long']], 'InBlockDeccommits' : [ 0x5c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x60, ['unsigned long long']], 'HighWatermarkSize' : [ 0x68, ['unsigned long long']], 'LastPolledSize' : [ 0x70, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x30, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'Irp' : [ 0x18, ['pointer64', ['_IRP']]], 'Device' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'Static' : [ 0x28, ['unsigned char']], } ], '__unnamed_1f6b' : [ 0x20, { 'CallerCompletion' : [ 0x0, ['pointer64', ['void']]], 'CallerContext' : [ 0x8, ['pointer64', ['void']]], 'CallerDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0x18, ['unsigned char']], } ], '__unnamed_1f6e' : [ 0x10, { 'NotifyDevice' : [ 0x0, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x8, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0xf8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x28, ['pointer64', 
['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x30, ['unsigned long long']], 'WatchdogTimer' : [ 0x38, ['_KTIMER']], 'WatchdogDpc' : [ 0x78, ['_KDPC']], 'MinorFunction' : [ 0xb8, ['unsigned char']], 'PowerStateType' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0xc0, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0xc4, ['unsigned char']], 'FxDevice' : [ 0xc8, ['pointer64', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0xd0, ['unsigned char']], 'NotifyPEP' : [ 0xd1, ['unsigned char']], 'Device' : [ 0xd8, ['__unnamed_1f6b']], 'System' : [ 0xd8, ['__unnamed_1f6e']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x8, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', 
['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_PPM_IDLE_STATES' : [ 0x418, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'ForceIdle' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'UnaccountedTransition' : [ 0x5, ['unsigned char']], 'IdleDurationLimited' : [ 0x6, ['unsigned char']], 'IdleCheckLimited' : [ 0x7, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'ReasonFlags' : [ 0x24, ['unsigned short']], 'InitiateWakeStamp' : [ 0x28, ['unsigned long long']], 'PreviousStatus' : [ 0x30, ['long']], 'PreviousCancelReason' : [ 0x34, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x38, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0xe0, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x188, ['pointer64', ['void']]], 'IdlePreExecute' : [ 0x190, ['pointer64', ['void']]], 'IdleExecute' : [ 0x198, ['pointer64', ['void']]], 'IdlePreselect' : [ 0x1a0, ['pointer64', ['void']]], 'IdleTest' : [ 0x1a8, ['pointer64', ['void']]], 'IdleAvailabilityCheck' : [ 0x1b0, ['pointer64', ['void']]], 'IdleComplete' : [ 0x1b8, ['pointer64', ['void']]], 'IdleCancel' : [ 0x1c0, ['pointer64', ['void']]], 'IdleIsHalted' : [ 0x1c8, ['pointer64', ['void']]], 'IdleInitiateWake' : [ 0x1d0, ['pointer64', ['void']]], 'PrepareInfo' : [ 0x1d8, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'DeepIdleSnapshot' : [ 0x230, ['_KAFFINITY_EX']], 'Tracing' : [ 0x2d8, ['pointer64', ['_PERFINFO_PPM_STATE_SELECTION']]], 'CoordinatedTracing' : [ 0x2e0, ['pointer64', ['_PERFINFO_PPM_STATE_SELECTION']]], 'ProcessorMenu' : [ 0x2e8, ['_PPM_SELECTION_MENU']], 
'CoordinatedMenu' : [ 0x2f8, ['_PPM_SELECTION_MENU']], 'CoordinatedSelection' : [ 0x308, ['_PPM_COORDINATED_SELECTION']], 'State' : [ 0x320, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_ETW_HASH_BUCKET' : [ 0x38, { 'ListHead' : [ 0x0, ['array', 3, ['_LIST_ENTRY']]], 'BucketLock' : [ 0x30, ['_EX_PUSH_LOCK']], } ], '__unnamed_1fb5' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], 'GenErrDescriptorV2' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR_V2']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 
'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1fb5']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_SEP_TOKEN_DIAG_TRACK_ENTRY' : [ 0x120, { 'ProcessCid' : [ 0x0, ['pointer64', ['void']]], 'ThreadCid' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 
16, ['unsigned char']]], 'CreateMethod' : [ 0x20, ['unsigned long']], 'CreateTrace' : [ 0x28, ['array', 30, ['unsigned long long']]], 'Count' : [ 0x118, ['long']], 'CaptureCount' : [ 0x11c, ['long']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND_STATE' : [ 0x4, { 'Expanded' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Transitioning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Pageable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long 
long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_PPM_POLICY_SETTINGS_MASK' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'PerfDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PerfIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerfDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PerfIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PerfDecreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PerfIncreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'PerfMinPolicy' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'PerfMaxPolicy' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'PerfTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PerfBoostPolicy' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PerfBoostMode' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AllowThrottling' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PerfHistoryCount' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ParkingPerfState' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, 
native_type='unsigned long')]], 'LatencyHintPerf' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'LatencyHintUnpark' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CoreParkingMinCores' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CoreParkingMaxCores' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'CoreParkingDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'CoreParkingIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CoreParkingDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CoreParkingIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CoreParkingOverUtilizationThreshold' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'CoreParkingDistributeUtility' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CoreParkingConcurrencyThreshold' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CoreParkingHeadroomThreshold' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CoreParkingDistributionThreshold' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IdleAllowScaling' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'IdleDisable' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'IdleTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'IdleDemoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'IdlePromoteThreshold' : 
[ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HeteroDecreaseTime' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HeteroIncreaseTime' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HeteroDecreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HeteroIncreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Class0FloorPerformance' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Class1InitialPerformance' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnergyPerfPreference' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AutonomousActivityWindow' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AutonomousMode' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DutyCycling' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_KSCHEDULING_GROUP' : [ 0x240, { 'Policy' : [ 0x0, ['_KSCHEDULING_GROUP_POLICY']], 'RelativeWeight' : [ 0x8, ['unsigned long']], 'ChildMinRate' : [ 0xc, ['unsigned long']], 'ChildMinWeight' : [ 0x10, ['unsigned long']], 'ChildTotalWeight' : [ 0x14, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x18, ['unsigned long long']], 'NotificationCycles' : [ 0x20, ['long long']], 'MaxQuotaLimitCycles' : [ 0x28, ['long long']], 'MaxQuotaCyclesRemaining' : [ 0x30, ['long long']], 'SchedulingGroupList' : [ 0x38, ['_LIST_ENTRY']], 'Sibling' : [ 0x38, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x48, ['pointer64', ['_KDPC']]], 'ChildList' : [ 0x50, ['_LIST_ENTRY']], 'Parent' : [ 0x60, ['pointer64', 
['_KSCHEDULING_GROUP']]], 'PerProcessor' : [ 0x80, ['array', 1, ['_KSCB']]], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x260, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x10, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x20, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x130, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x240, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x248, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x250, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x258, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_LOCK_HEADER' : [ 0x20, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x8, ['unsigned long long']], 'Lock' : [ 0x10, ['unsigned long long']], 'Valid' : [ 0x18, ['unsigned long']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_KHETERO_PROCESSOR_SET' : [ 0x18, { 'IdealMask' : [ 0x0, ['unsigned long long']], 'PreferredMask' : [ 0x8, ['unsigned long long']], 'AvailableMask' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x20, { 'SystemSpaceViewLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'SystemSpaceViewLockPointer' : [ 0x8, ['pointer64', ['_EX_PUSH_LOCK']]], 'ViewRoot' : [ 0x10, ['_RTL_AVL_TREE']], 'ViewCount' : [ 0x18, ['unsigned long']], 'BitmapFailures' : [ 0x1c, ['unsigned long']], } ], '_CC_ASYNC_READ_CONTEXT' : [ 0x20, { 'CompletionRoutine' : [ 0x0, ['pointer64', ['void']]], 'Context' : [ 0x8, ['pointer64', ['void']]], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'RequestorMode' : [ 0x18, ['unsigned char']], 'NestingLevel' : [ 0x1c, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_DIRTY_PAGE_STATISTICS' : [ 0x18, { 'DirtyPages' : [ 0x0, ['unsigned long long']], 'DirtyPagesLastScan' : [ 0x8, ['unsigned long long']], 'DirtyPagesScheduledLastScan' : [ 0x10, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x58, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 
0x8, ['unsigned long long']], 'ReadyTime' : [ 0x10, ['unsigned long long']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'ContextSwitches' : [ 0x20, ['unsigned long long']], 'ReadOperationCount' : [ 0x28, ['long long']], 'WriteOperationCount' : [ 0x30, ['long long']], 'OtherOperationCount' : [ 0x38, ['long long']], 'ReadTransferCount' : [ 0x40, ['long long']], 'WriteTransferCount' : [ 0x48, ['long long']], 'OtherTransferCount' : [ 0x50, ['long long']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x48, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], 'ServerSilo' : [ 0x40, ['pointer64', ['_EJOB']]], } ], '_RTL_BITMAP_EX' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', 
dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 15, native_type='unsigned long long')]], 'ExecutePrivilege' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_TRIAGE_9F_PNP' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'CompletionQueue' : [ 0x8, ['pointer64', ['_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE']]], 'DelayedWorkQueue' : [ 0x10, ['pointer64', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_POP_CURRENT_BROADCAST' : [ 0x18, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'DeviceState' : [ 0x10, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit 
= 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LeakedPoolDeliberately' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Filler' : [ 0x0, 
['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR_V2' : [ 0x50, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'ReadAckAddressSpaceID' : [ 0x34, ['unsigned char']], 'ReadAckAddressBitWidth' : [ 0x35, ['unsigned char']], 'ReadAckAddressBitOffset' : [ 0x36, ['unsigned char']], 'ReadAckAddressAccessSize' : [ 0x37, ['unsigned char']], 'ReadAckAddress' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAckPreserveMask' : [ 0x40, ['unsigned long long']], 'ReadAckWriteMask' : [ 0x48, ['unsigned long long']], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 
310, ['unsigned long']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_MI_SPECIAL_POOL' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long long']], 'SpecialPoolPdes' : [ 0x40, ['_RTL_BITMAP']], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_DBGKD_WRITE_CUSTOM_BREAKPOINT' : [ 0x18, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointInstruction' : [ 0x8, ['unsigned long long']], 'BreakPointHandle' : [ 0x10, ['unsigned long']], 'BreakPointInstructionSize' : [ 0x14, ['unsigned char']], 'BreakPointInstructionAlignment' : [ 0x15, ['unsigned char']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 
0, ['_OBJECT_REF_STACK_INFO']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x10, ['unsigned char']], 'Spare' : [ 0x11, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0x14, ['unsigned long']], 'DebugId' : [ 0x18, ['_CVDD']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'HighActiveFlink' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'HighActiveBlink' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 56, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], } ], '_PS_PROPERTY_SET' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['unsigned long long']], } ], '_TRIAGE_EX_WORK_QUEUE' : [ 0x2b0, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x30, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 
'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'ExpectedWakeReason' : [ 0x2d, ['unsigned char']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_THREAD_ENERGY_VALUES' : [ 0x40, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], } ], '_MMWSLE_HASH' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long long']], } ], '_WHEAP_WORK_QUEUE' : [ 0x88, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x10, ['unsigned long long']], 'ItemCount' : [ 0x18, ['long']], 'Dpc' : [ 0x20, ['_KDPC']], 'WorkItem' : [ 0x60, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x80, ['pointer64', ['void']]], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_RTL_RUN_ONCE' : [ 0x8, { 'Ptr' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], } ], '_CM_PATH_HASH' : [ 0x4, { 'Hash' : [ 0x0, ['unsigned long']], } ], '_EXHANDLE' : [ 0x8, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 
2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_FAST_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', 
['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['wchar']]], 'DriverName' : [ 0x50, ['pointer64', ['wchar']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x260, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x270, ['unsigned long']], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], 'SecureInfo' : [ 0x10, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x10, ['_RTL_BITMAP_EX']], 'InPageSupport' : [ 0x10, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'LargePage' : [ 0x10, ['_MI_LARGEPAGE_IMAGE_INFO']], 'CreatingThread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'PebTeb' : [ 0x10, ['_MI_SUB64K_FREE_RANGES']], } ], '__unnamed_20a4' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '__unnamed_20a6' : [ 0x4, { 'NumberOfChildViews' : [ 0x0, ['unsigned long']], } ], '__unnamed_20a8' : [ 0x4, { 'AlignmentNoAccessPtes' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'DirtyPages' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'GlobalPerSessionHead' : [ 0x18, ['_RTL_AVL_TREE']], 'CreationWaitList' : [ 0x18, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'SessionDriverProtos' : [ 0x18, ['pointer64', ['_MI_PER_SESSION_PROTOS']]], 'u' : 
[ 0x20, ['__unnamed_20a4']], 'StartingSector' : [ 0x24, ['unsigned long']], 'NumberOfFullSectors' : [ 0x28, ['unsigned long']], 'PtesInSubsection' : [ 0x2c, ['unsigned long']], 'u1' : [ 0x30, ['__unnamed_20a6']], 'UnusedPtes' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'DirtyPages' : [ 0x34, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u2' : [ 0x34, ['__unnamed_20a8']], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['unsigned long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x30, ['pointer64', ['long']]], 'NodeTargetCount' : [ 0x38, ['long']], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 
0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x10, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_SEP_RM_LSA_CONNECTION_STATE' : [ 0x50, { 'LsaProcessHandle' : [ 0x0, ['pointer64', ['void']]], 'LsaCommandPortHandle' : [ 0x8, ['pointer64', ['void']]], 'SepRmThreadHandle' : [ 0x10, ['pointer64', ['void']]], 'RmCommandPortHandle' : [ 0x18, ['pointer64', ['void']]], 'RmCommandServerPortHandle' : [ 0x20, ['pointer64', ['void']]], 'LsaCommandPortSectionHandle' : [ 0x28, ['pointer64', ['void']]], 'LsaCommandPortSectionSize' : [ 0x30, 
['_LARGE_INTEGER']], 'LsaViewPortMemory' : [ 0x38, ['pointer64', ['void']]], 'RmViewPortMemory' : [ 0x40, ['pointer64', ['void']]], 'LsaCommandPortMemoryDelta' : [ 0x48, ['long']], 'LsaCommandPortActive' : [ 0x4c, ['unsigned char']], } ], '_CM_KCB_LAYER_INFO' : [ 0x30, { 'LayerListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Kcb' : [ 0x10, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'LowerLayer' : [ 0x18, ['pointer64', ['_CM_KCB_LAYER_INFO']]], 'UpperLayerListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'PagedPoolAllocationMap' : [ 0x8, ['_RTL_BITMAP_EX']], 'FirstPteForPagedPool' : [ 0x18, ['pointer64', ['_MMPTE']]], 'MaximumSize' : [ 0x20, ['unsigned long long']], 'PagedPoolHint' : [ 0x28, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x30, ['unsigned long 
long']], } ], '_PPM_IDLE_STATE' : [ 0xf8, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Name' : [ 0xa8, ['_UNICODE_STRING']], 'Latency' : [ 0xb8, ['unsigned long']], 'BreakEvenDuration' : [ 0xbc, ['unsigned long']], 'Power' : [ 0xc0, ['unsigned long']], 'StateFlags' : [ 0xc4, ['unsigned long']], 'VetoAccounting' : [ 0xc8, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0xf0, ['unsigned char']], 'InterruptsEnabled' : [ 0xf1, ['unsigned char']], 'Interruptible' : [ 0xf2, ['unsigned char']], 'ContextRetained' : [ 0xf3, ['unsigned char']], 'CacheCoherent' : [ 0xf4, ['unsigned char']], 'WakesSpuriously' : [ 0xf5, ['unsigned char']], 'PlatformOnly' : [ 0xf6, ['unsigned char']], 'NoCState' : [ 0xf7, ['unsigned char']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '__unnamed_20dc' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_20de' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_20dc']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x120, { 'SuspectDriverEntry' : [ 0x0, ['pointer64', 
['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_20de']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' : [ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], 'ExecutePoolTypes' : [ 0xf8, ['unsigned long']], 'ExecutePageProtections' : [ 0xfc, ['unsigned long']], 'ExecutePageMappings' : [ 0x100, ['unsigned long']], 'ExecuteWriteSections' : [ 0x104, ['unsigned long']], 'SectionAlignmentFailures' : [ 0x108, ['unsigned long']], 'UnsupportedRelocs' : [ 0x10c, ['unsigned 
long']], 'IATInExecutableSection' : [ 0x110, ['unsigned long']], } ], '_SEP_LUID_TO_INDEX_MAP_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'Luid' : [ 0x20, ['unsigned long long']], 'IndexIntoGlobalSingletonTable' : [ 0x28, ['unsigned long long']], 'MarkedForDeletion' : [ 0x30, ['unsigned char']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'DynamicRelocations' : [ 0x0, ['pointer64', ['void']]], 'SecurityContext' : [ 0x8, ['_IMAGE_SECURITY_CONTEXT']], 'StrongImageReference' : [ 0x10, ['unsigned long long']], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderZero', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderVsmMemory', 30: 'LoaderFirmwareCode', 31: 'LoaderFirmwareData', 32: 'LoaderFirmwareReserved', 33: 'LoaderEnclaveMemory', 34: 'LoaderFirmwareKsr', 35: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 
'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 
'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_OBP_SYSTEM_DOS_DEVICE_STATE' : [ 0x6c, { 'GlobalDeviceMap' : [ 0x0, ['unsigned long']], 'LocalDeviceCount' : [ 0x4, ['array', 26, ['unsigned long']]], } ], '_WNF_SILODRIVERSTATE' : [ 0x38, { 'ScopeMap' : [ 0x0, ['pointer64', ['_WNF_SCOPE_MAP']]], 'PermanentNameStoreRootKey' : [ 0x8, ['pointer64', ['void']]], 'PersistentNameStoreRootKey' : [ 0x10, ['pointer64', ['void']]], 'PermanentNameSequenceNumber' : [ 0x18, ['long long']], 'PermanentNameSequenceNumberLock' : [ 0x20, ['_WNF_LOCK']], 'PermanentNameSequenceNumberPool' : [ 0x28, ['long long']], 'RuntimeNameSequenceNumber' : [ 0x30, ['long long']], } ], '_DELAY_ACK_FO' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'Type' : [ 0x0, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Reserved1' : [ 0x3, ['unsigned char']], 'TimerType' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Timer2Type' : [ 0x0, ['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 
'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Timer2ReservedFlags' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Timer2Reserved1' : [ 0x2, ['unsigned char']], 'Timer2Reserved2' : [ 0x3, ['unsigned char']], 'QueueType' : [ 0x0, ['unsigned char']], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'QueueReservedControlFlags' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueSize' : [ 0x2, ['unsigned char']], 'QueueReserved' : [ 0x3, ['unsigned char']], 'ThreadType' : [ 0x0, ['unsigned char']], 'ThreadReserved' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Tagged' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'EnergyProfiling' : 
[ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ThreadReservedControlFlags' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Minimal' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved4' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MutantType' : [ 0x0, ['unsigned char']], 'MutantSize' : [ 0x1, ['unsigned char']], 'DpcActive' : [ 0x2, ['unsigned char']], 'MutantReserved' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OB_HANDLE_REVOCATION_BLOCK' : [ 0x20, { 'RevocationInfos' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Rundown' : [ 0x18, ['_EX_RUNDOWN_REF']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x38, { 
'DirtyPageThreshold' : [ 0x0, ['unsigned long long']], 'DirtyPageThresholdTop' : [ 0x8, ['unsigned long long']], 'DirtyPageThresholdBottom' : [ 0x10, ['unsigned long long']], 'DirtyPageTarget' : [ 0x18, ['unsigned long']], 'AggregateAvailablePages' : [ 0x20, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x28, ['unsigned long long']], 'AvailableHistory' : [ 0x30, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x90, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'Count' : [ 0x28, ['unsigned long long']], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'StackTrace' : [ 0x40, ['array', 8, ['pointer64', ['void']]]], 'Who' : [ 0x80, ['unsigned long']], 'Process' : [ 0x88, ['pointer64', ['_EPROCESS']]], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, 
['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 
'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_MMSECTION_FLAGS2' : [ 0x4, { 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'NumberOfChildViews' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer64', ['_MMPTE']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS' : [ 0x1, { 'Trustlet' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Ntos' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'WriteHandle' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ReadHandle' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'AccessRights' : [ 0x0, ['unsigned char']], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_2130' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, 
native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2132' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2130']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_2132']], } ], '_PROCESS_ENERGY_VALUES' : [ 0x90, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'DiskEnergy' : [ 0x40, ['unsigned long long']], 'NetworkTailEnergy' : [ 0x48, ['unsigned long long']], 'MBBTailEnergy' : [ 0x50, ['unsigned long long']], 'NetworkTxRxBytes' : [ 0x58, ['unsigned long long']], 'MBBTxRxBytes' : [ 0x60, ['unsigned long long']], 'Foreground' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DesktopVisible' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'WindowInformation' : [ 0x68, ['unsigned short']], 'CompositorRendered' : [ 0x6a, ['unsigned short']], 'DirtyGenerated' : [ 0x6c, ['unsigned short']], 'DirtyPropagated' : [ 0x6e, ['unsigned short']], 'DesktopVisibilityReportTimestamp' : [ 0x70, ['long long']], 'DesktopVisibleTime' : [ 0x78, ['unsigned long long']], 'ForegroundReportTimestamp' : [ 0x80, ['long long']], 'ForegroundTime' : [ 0x88, ['unsigned long long']], } ], '_MMCLONE_HEADER' : [ 0x18, { 'NumberOfPtes' : [ 0x0, ['unsigned long long']], 'NumberOfProcessReferences' : [ 0x8, ['unsigned long long']], 'ClonePtes' : [ 0x10, ['pointer64', ['_MMCLONE_BLOCK']]], } ], '_MI_SYSTEM_INFORMATION' : [ 0x1ec0, { 'Pools' : [ 0x0, ['_MI_POOL_STATE']], 'Sections' : [ 0x100, ['_MI_SECTION_STATE']], 'SystemImages' : [ 0x380, ['_MI_SYSTEM_IMAGE_STATE']], 'Sessions' : [ 0x440, ['_MI_SESSION_STATE']], 'Processes' : [ 0x4e0, ['_MI_PROCESS_STATE']], 'Hardware' : [ 0x540, ['_MI_HARDWARE_STATE']], 'SystemVa' : [ 0x640, ['_MI_SYSTEM_VA_STATE']], 'PageCombines' : [ 0x940, ['_MI_COMBINE_STATE']], 'PageLists' : [ 0xae0, ['_MI_PAGELIST_STATE']], 
'Partitions' : [ 0xaf0, ['_MI_PARTITION_STATE']], 'Shutdowns' : [ 0xb50, ['_MI_SHUTDOWN_STATE']], 'Errors' : [ 0xbd0, ['_MI_ERROR_STATE']], 'AccessLog' : [ 0xcc0, ['_MI_ACCESS_LOG_STATE']], 'Debugger' : [ 0xd40, ['_MI_DEBUGGER_STATE']], 'Standby' : [ 0xe80, ['_MI_STANDBY_STATE']], 'SystemPtes' : [ 0xf40, ['_MI_SYSTEM_PTE_STATE']], 'IoPages' : [ 0x1100, ['_MI_IO_PAGE_STATE']], 'PagingIo' : [ 0x1170, ['_MI_PAGING_IO_STATE']], 'CommonPages' : [ 0x11c0, ['_MI_COMMON_PAGE_STATE']], 'Trims' : [ 0x1280, ['_MI_SYSTEM_TRIM_STATE']], 'ResTrack' : [ 0x12c0, ['_MI_RESAVAIL_TRACKER']], 'Cookie' : [ 0x1640, ['unsigned long long']], 'ZeroingDisabled' : [ 0x1648, ['long']], 'BootRegistryRuns' : [ 0x1650, ['pointer64', ['pointer64', ['void']]]], 'FullyInitialized' : [ 0x1658, ['unsigned char']], 'SafeBooted' : [ 0x1659, ['unsigned char']], 'TraceLogging' : [ 0x1660, ['pointer64', ['_TlgProvider_t']]], 'Vs' : [ 0x1680, ['_MI_VISIBLE_STATE']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 28, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x30, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x18, ['_KEVENT']], } ], '__unnamed_2160' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_2162' : [ 0x4, { 
'u' : [ 0x0, ['__unnamed_2160']], } ], '__unnamed_2164' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_2162']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2164']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '__unnamed_216c' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_216c']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x10, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], } ], '_MI_LARGEPAGE_IMAGE_INFO' : [ 0x10, { 'LargeImageBias' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'ActualImageViewSize' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2179' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x28, { 'NodeRangeSize' : [ 0x0, ['unsigned long long']], 'NodeCount' : [ 0x8, ['unsigned long long']], 'Tables' : [ 0x10, ['pointer64', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x18, ['unsigned long']], 'UseSessionId' : [ 0x1c, ['unsigned char']], 'u1' : [ 0x20, ['__unnamed_2179']], } ], '_SILO_USER_SHARED_DATA' : [ 0x20, { 'ServiceSessionId' : [ 0x0, ['unsigned long']], 'ActiveConsoleId' : [ 0x4, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x8, ['long long']], 'NtProductType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 
'NtProductServer'})]], 'SuiteMask' : [ 0x14, ['unsigned long']], 'IsMultiSessionSku' : [ 0x18, ['unsigned char']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_MMSUPPORT_FULL' : [ 0x108, { 'Instance' : [ 0x0, ['_MMSUPPORT_INSTANCE']], 'Shared' : [ 0xc0, ['_MMSUPPORT_SHARED']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_MI_PROCESS_STATE' : [ 0x60, { 'ColorSeed' : [ 0x0, ['unsigned long']], 'CloneDereferenceEvent' : [ 0x8, ['_KEVENT']], 'CloneProtosSListHead' : [ 0x20, ['_SLIST_HEADER']], 'SystemDllBase' : [ 0x30, ['pointer64', ['void']]], 'RotatingUniprocessorNumber' : [ 0x38, ['long']], 'CriticalSectionTimeout' : [ 0x40, ['_LARGE_INTEGER']], 'ProcessList' : [ 0x48, ['_LIST_ENTRY']], 'SharedUserDataPte' : [ 0x58, ['pointer64', ['_MMPTE']]], } ], '_MMSUPPORT_AGGREGATION' : [ 0x20, { 'PageFaultCount' : [ 0x0, ['unsigned long']], 'WorkingSetSize' : [ 0x8, ['unsigned long long']], 'WorkingSetLeafSize' : [ 0x10, ['unsigned long long']], 'PeakWorkingSetSize' : [ 0x18, ['unsigned long long']], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } 
], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_PRIVATE_CACHE_MAP' : [ 0x78, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long long']], 'PipelinedReadAheadRequestSize' : [ 0x58, ['unsigned long']], 'ReadAheadGrowth' : [ 0x5c, ['unsigned long']], 'PrivateLinks' : [ 0x60, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x70, ['pointer64', ['void']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 
'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_ETW_GUID_ENTRY' : [ 0x190, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long long']], 'Guid' : [ 0x18, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['pointer64', ['_ETW_FILTER_HEADER']]], 'SiloState' : [ 0x178, ['pointer64', ['_ETW_SILODRIVERSTATE']]], 'Lock' : [ 0x180, ['_EX_PUSH_LOCK']], 'LockOwner' : [ 0x188, ['pointer64', ['_ETHREAD']]], } ], '_ARBITER_INSTANCE' : [ 0x150, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['wchar']]], 'OrderingName' : [ 0x18, ['pointer64', ['wchar']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 
'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], 
'_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '_MI_SYSTEM_IMAGE_STATE' : [ 0xc0, { 'FixupLock' : [ 0x0, ['long']], 'FixupList' : [ 0x8, ['_LIST_ENTRY']], 'LoadLock' : [ 0x18, ['_KMUTANT']], 'FirstLoadEver' : [ 0x50, ['unsigned char']], 'LargePageAll' : [ 0x51, ['unsigned char']], 'LastPage' : [ 0x58, ['unsigned long long']], 'LargePageList' : [ 0x60, ['_LIST_ENTRY']], 'StrongCodeLoadFailureList' : [ 0x70, ['_LIST_ENTRY']], 'BeingDeleted' : [ 0x80, ['pointer64', ['_KLDR_DATA_TABLE_ENTRY']]], 'MappingRangesPushLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'MappingRanges' : [ 0x90, ['array', 2, ['pointer64', ['_MI_DRIVER_VA']]]], 'PageCount' : [ 0xa0, ['unsigned long long']], 'PageCounts' : [ 0xa8, ['_MM_SYSTEM_PAGE_COUNTS']], 'CollidedLock' : [ 0xb8, ['_EX_PUSH_LOCK']], } ], '_MMPFNENTRY1' : [ 0x1, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_MI_FLAGS' : [ 0x4, { 'EntireFlags' : [ 0x0, ['long']], 'VerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'KernelVerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LargePageKernel' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'StopOn4d' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'InitializationPhase' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'PageKernelStacks' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CheckZeroPages' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ProcessorPrewalks' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ProcessorPostwalks' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'CoverageBuild' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AccessBitReplacementDisabled' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CheckExecute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ProtectedPagesEnabled' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'StrongCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HardCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ExecutePagePrivilegeRequired' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StrongPageIdentity' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'FullHvci' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'SecureRelocations' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'SlatKernelCodeProtected' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'BootDebuggerActive' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], } ], 
'_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x70, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x68, ['unsigned char']], 'DeleteType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 
'MaxDeviceDeleteType'})]], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x10, ['unsigned long']], 'SyncCallback' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ZeroMapRegisters' : [ 0x14, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x14, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 
0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'HiberFileType' : [ 0x16, ['unsigned char']], 'AoAcConnectivitySupported' : [ 0x17, ['unsigned char']], 'spare3' : [ 0x18, ['array', 6, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_EX_WORK_QUEUE' : [ 0x2d0, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'Node' : [ 0x2b0, ['pointer64', ['_ENODE']]], 'WorkItemsProcessed' : [ 0x2b8, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x2bc, ['unsigned long']], 'ThreadCount' : [ 0x2c0, ['long']], 'MinThreads' : [ 0x2c4, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='long')]], 'TryFailed' : [ 0x2c4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'MaxThreads' : [ 0x2c8, ['long']], 'QueueIndex' : [ 0x2cc, ['Enumeration', dict(target = 'long', choices = {0: 'ExPoolUntrusted', 1: 'IoPoolUntrusted', 2: 'ExPoolTrusted', 8: 'ExPoolMax'})]], } ], '_KWAIT_CHAIN' : [ 0x8, { 'Head' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_VF_DRIVER_IO_CALLBACKS' : [ 0x100, { 'DriverInit' : [ 0x0, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x8, ['pointer64', ['void']]], 'DriverUnload' : [ 0x10, ['pointer64', 
['void']]], 'AddDevice' : [ 0x18, ['pointer64', ['void']]], 'MajorFunction' : [ 0x20, ['array', 28, ['pointer64', ['void']]]], } ], '_CM_UOW_SET_VALUE_KEY_DATA' : [ 0x10, { 'PreparedCell' : [ 0x0, ['unsigned long']], 'OldValueCell' : [ 0x4, ['unsigned long']], 'NameLength' : [ 0x8, ['unsigned short']], 'DataSize' : [ 0xc, ['unsigned long']], } ], '_MI_PARTITION_STATE' : [ 0x60, { 'PartitionLock' : [ 0x0, ['unsigned long long']], 'PartitionIdLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'InitialPartitionIdBits' : [ 0x10, ['unsigned long long']], 'PartitionList' : [ 0x18, ['_LIST_ENTRY']], 'PartitionIdBitmap' : [ 0x28, ['pointer64', ['_RTL_BITMAP']]], 'InitialPartitionIdBitmap' : [ 0x30, ['_RTL_BITMAP']], 'TempPartitionPointers' : [ 0x40, ['array', 1, ['pointer64', ['_MI_PARTITION']]]], 'Partition' : [ 0x48, ['pointer64', ['pointer64', ['_MI_PARTITION']]]], 'TotalPagesInChildPartitions' : [ 0x50, ['unsigned long long']], 'CrossPartitionDenials' : [ 0x58, ['unsigned long']], } ], '_POP_THERMAL_ZONE' : [ 0x358, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], 'State' : [ 0x40, ['unsigned char']], 'Flags' : [ 0x41, ['unsigned char']], 'Removing' : [ 0x42, ['unsigned char']], 'Mode' : [ 0x43, 
['unsigned char']], 'PendingMode' : [ 0x44, ['unsigned char']], 'ActivePoint' : [ 0x45, ['unsigned char']], 'PendingActivePoint' : [ 0x46, ['unsigned char']], 'Critical' : [ 0x47, ['unsigned char']], 'ThermalStandby' : [ 0x48, ['unsigned char']], 'OverThrottled' : [ 0x49, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x4c, ['long']], 'Throttle' : [ 0x50, ['long']], 'PendingThrottle' : [ 0x54, ['long']], 'ThrottleReasons' : [ 0x58, ['unsigned long']], 'LastTime' : [ 0x60, ['unsigned long long']], 'SampleRate' : [ 0x68, ['unsigned long']], 'LastTemp' : [ 0x6c, ['unsigned long']], 'PassiveTimer' : [ 0x70, ['_KTIMER']], 'PassiveDpc' : [ 0xb0, ['_KDPC']], 'Info' : [ 0xf0, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0x148, ['_LARGE_INTEGER']], 'Policy' : [ 0x150, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0x168, ['unsigned char']], 'LastActiveStartTime' : [ 0x170, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x178, ['unsigned long long']], 'WorkItem' : [ 0x180, ['_WORK_QUEUE_ITEM']], 'Lock' : [ 0x1a0, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x1b0, ['_KEVENT']], 'TemperatureUpdated' : [ 0x1c8, ['_KEVENT']], 'InstanceId' : [ 0x1e0, ['unsigned long']], 'TelemetryTracker' : [ 0x1e8, ['_POP_THERMAL_TELEMETRY_TRACKER']], 'Description' : [ 0x348, ['_UNICODE_STRING']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 
'Spare' : [ 0x1c, ['unsigned long']], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_MMPFNENTRY3' : [ 0x1, { 'Priority' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SystemChargedPage' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_SID_VALUES_BLOCK' : [ 0x20, { 'BlockLength' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x8, ['long long']], 'SidCount' : [ 0x10, ['unsigned long']], 'SidValuesStart' : [ 0x18, ['unsigned long long']], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x8, { 'Function' : [ 0x0, ['pointer64', 
['void']]], 'FunctionValue' : [ 0x0, ['unsigned long long']], } ], '__unnamed_2278' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_227a' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_2278']], 'Private' : [ 0x0, ['__unnamed_227a']], } ], '_CM_TRANS_PTR' : [ 0x8, { 'LightWeight' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'TransPtr' : [ 0x0, ['pointer64', ['void']]], } ], '_PS_TRUSTLET_ATTRIBUTE_TYPE' : [ 0x4, { 'Version' : [ 0x0, ['unsigned char']], 'DataCount' : [ 0x1, ['unsigned char']], 'SemanticType' : [ 0x2, ['unsigned char']], 'AccessRights' : [ 0x3, ['_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS']], 'AttributeType' : [ 0x0, ['unsigned long']], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['_CM_PATH_HASH']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', 
['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_flags' : [ 0x1, { 
'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PS_IO_CONTROL_ENTRY' : [ 0x38, { 'VolumeTreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ReservedForParentValue' : [ 0x10, ['unsigned long long']], 'VolumeKey' : [ 0x18, ['unsigned long long']], 'Rundown' : [ 0x20, ['_EX_RUNDOWN_REF']], 'IoControl' : [ 0x28, ['pointer64', ['void']]], 'VolumeIoAttribution' : [ 0x30, ['pointer64', ['void']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_CM_UOW_SET_VALUE_LIST_DATA' : [ 0xc, { 'RefCount' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['_CHILD_LIST']], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned 
char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'PagesAllocated' : [ 0x48, ['unsigned long long']], 'BigPagesAllocated' : [ 0x50, ['unsigned long long']], 'BytesAllocated' : [ 0x58, ['unsigned long long']], 'RunningDeallocs' : [ 0x80, ['long']], 'PagesDeallocated' : [ 0x88, ['unsigned long long']], 'BigPagesDeallocated' : [ 0x90, ['unsigned long long']], 'BytesDeallocated' : [ 0x98, ['unsigned long long']], 'PoolIndex' : [ 0xc0, ['unsigned long']], 'PoolTypeCopy' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'ThreadsProcessingDeferrals' : [ 
0x108, ['long']], 'PendingFreeDepth' : [ 0x10c, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_22ec' : [ 0x4, { 'PercentLevel' : [ 0x0, ['unsigned long']], } ], '__unnamed_22ee' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_22ec']], 'Button' : [ 0x10, ['__unnamed_22ee']], } ], '_RTL_ATOM_TABLE' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0x10, ['pointer64', ['_HANDLE_TABLE']]], 'Flags' : [ 0x18, ['unsigned long']], 
'NumberOfBuckets' : [ 0x1c, ['unsigned long']], 'Buckets' : [ 0x20, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_KTIMER2' : [ 0x88, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'RbNodes' : [ 0x18, ['array', 2, ['_RTL_BALANCED_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'DueTime' : [ 0x48, ['array', 2, ['unsigned long long']]], 'Period' : [ 0x58, ['long long']], 'Callback' : [ 0x60, ['pointer64', ['void']]], 'CallbackContext' : [ 0x68, ['pointer64', ['void']]], 'DisableCallback' : [ 0x70, ['pointer64', ['void']]], 'DisableContext' : [ 0x78, ['pointer64', ['void']]], 'AbsoluteSystemTime' : [ 0x80, ['unsigned char']], 'TypeFlags' : [ 0x81, ['unsigned char']], 'Unused' : [ 0x81, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IdleResilient' : [ 0x81, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HighResolution' : [ 0x81, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'NoWake' : [ 0x81, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Unused1' : [ 0x81, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'CollectionIndex' : [ 0x82, ['array', 2, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_MI_SESSION_STATE' : [ 0xa0, { 
'SystemSession' : [ 0x0, ['_MMSESSION']], 'CodePageEdited' : [ 0x20, ['unsigned char']], 'DynamicPoolBitBuffer' : [ 0x28, ['pointer64', ['unsigned long']]], 'DynamicVaBitBuffer' : [ 0x30, ['pointer64', ['unsigned long']]], 'DynamicVaBitBufferPages' : [ 0x38, ['unsigned long long']], 'DynamicVaStart' : [ 0x40, ['pointer64', ['void']]], 'ImageVaStart' : [ 0x48, ['pointer64', ['void']]], 'DynamicPtesBitBuffer' : [ 0x50, ['pointer64', ['unsigned long']]], 'IdLock' : [ 0x58, ['_EX_PUSH_LOCK']], 'DetachTimeStamp' : [ 0x60, ['unsigned long']], 'LeaderProcess' : [ 0x68, ['pointer64', ['_EPROCESS']]], 'InitializeLock' : [ 0x70, ['_EX_PUSH_LOCK']], 'WorkingSetList' : [ 0x78, ['pointer64', ['_MMWSL_FULL']]], 'WsHashStart' : [ 0x80, ['pointer64', ['_MMWSLE_HASH']]], 'WsHashEnd' : [ 0x88, ['pointer64', ['_MMWSLE_HASH']]], 'SessionBase' : [ 0x90, ['pointer64', ['void']]], 'SessionCore' : [ 0x98, ['pointer64', ['void']]], } ], '_XSTATE_CONFIGURATION' : [ 0x330, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'ControlFlags' : [ 0x14, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CompactionEnabled' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], 'EnabledSupervisorFeatures' : [ 0x218, ['unsigned long long']], 'AlignedFeatures' : [ 0x220, ['unsigned long long']], 'AllFeatureSize' : [ 0x228, ['unsigned long']], 'AllFeatures' : [ 0x22c, ['array', 64, ['unsigned long']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'AccessMask' : [ 0x20, ['unsigned long']], } ], '_MI_SECTION_STATE' : [ 0x280, { 'SectionObjectPointersLock' : [ 0x0, 
['long']], 'SectionExtendLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'SectionExtendSetLock' : [ 0x10, ['_EX_PUSH_LOCK']], 'SectionBasedRoot' : [ 0x18, ['_RTL_AVL_TREE']], 'SectionBasedLock' : [ 0x20, ['_EX_PUSH_LOCK']], 'UnusedSubsectionPagedPool' : [ 0x28, ['unsigned long long']], 'UnusedSegmentForceFree' : [ 0x30, ['unsigned long']], 'DataSectionProtectionMask' : [ 0x34, ['unsigned long']], 'HighSectionBase' : [ 0x38, ['pointer64', ['void']]], 'PhysicalSubsection' : [ 0x40, ['_MSUBSECTION']], 'PhysicalControlArea' : [ 0xb0, ['_CONTROL_AREA']], 'DanglingExtentsPages' : [ 0x130, ['pointer64', ['_MMPFN']]], 'DanglingExtentsLock' : [ 0x138, ['long']], 'DanglingExtentsWorkItem' : [ 0x140, ['_WORK_QUEUE_ITEM']], 'DanglingExtentsWorkerActive' : [ 0x160, ['unsigned char']], 'PageFileSectionHead' : [ 0x168, ['_RTL_AVL_TREE']], 'PageFileSectionListSpinLock' : [ 0x170, ['long']], 'SharedSegmentCharges' : [ 0x178, ['_MI_CROSS_PARTITION_CHARGES']], 'SharedPageCombineCharges' : [ 0x1a0, ['_MI_CROSS_PARTITION_CHARGES']], 'ImageBias' : [ 0x1c8, ['unsigned long']], 'RelocateBitmapsLock' : [ 0x1d0, ['_EX_PUSH_LOCK']], 'ImageBitMap' : [ 0x1d8, ['_RTL_BITMAP']], 'ImageBias64Low' : [ 0x1e8, ['unsigned long']], 'ImageBias64High' : [ 0x1ec, ['unsigned long']], 'ImageBitMap64Low' : [ 0x1f0, ['_RTL_BITMAP']], 'ImageBitMap64High' : [ 0x200, ['_RTL_BITMAP']], 'ImageBitMapWow64Dll' : [ 0x210, ['_RTL_BITMAP']], 'ApiSetSection' : [ 0x220, ['pointer64', ['void']]], 'ApiSetSchema' : [ 0x228, ['pointer64', ['void']]], 'ApiSetSchemaSize' : [ 0x230, ['unsigned long long']], 'LostDataFiles' : [ 0x238, ['unsigned long']], 'LostDataPages' : [ 0x23c, ['unsigned long']], 'ImageFailureReason' : [ 0x240, ['unsigned long']], 'CfgBitMapSection32' : [ 0x248, ['pointer64', ['_SECTION']]], 'CfgBitMapControlArea32' : [ 0x250, ['pointer64', ['_CONTROL_AREA']]], 'CfgBitMapSection64' : [ 0x258, ['pointer64', ['_SECTION']]], 'CfgBitMapControlArea64' : [ 0x260, ['pointer64', ['_CONTROL_AREA']]], 'ImageCfgFailure' : [ 0x268, 
['unsigned long']], 'ImageValidationFailed' : [ 0x26c, ['long']], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x30, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'Reference' : [ 0x10, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x28, ['unsigned char']], 'Name' : [ 0x2a, ['array', 1, ['wchar']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_UOW_KEY_STATE_MODIFICATION' : [ 0x14, { 'RefCount' : [ 0x0, ['unsigned long']], 'SubKeyListCount' : [ 0x4, ['array', 2, ['unsigned long']]], 'NewSubKeyList' : [ 0xc, ['array', 2, ['unsigned long']]], } ], 
'_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'WaitResponse' : [ 0xc, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_ETW_FILTER_HEADER' : [ 0x50, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x8, ['pointer64', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x10, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0x18, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x20, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x28, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x30, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x38, ['pointer64', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x40, ['pointer64', ['_EVENT_FILTER_HEADER']]], 'EventNameFilter' : [ 0x48, ['pointer64', ['_ETW_FILTER_EVENT_NAME_DATA']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, 
native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 24, native_type='unsigned long long')]], 'LocalPartition' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xb0, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, 
['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ExecutePoolTypes' : [ 0x90, ['unsigned long']], 'ExecutePageProtections' : [ 0x94, ['unsigned long']], 'ExecutePageMappings' : [ 0x98, ['unsigned long']], 'ExecuteWriteSections' : [ 0x9c, ['unsigned long']], 'SectionAlignmentFailures' : [ 0xa0, ['unsigned long']], 'UnsupportedRelocs' : [ 0xa4, ['unsigned long']], 'IATInExecutableSection' : [ 0xa8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PEB' : [ 0x7a0, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned 
char')]], 'IsLongPathAwareProcess' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['_SLIST_HEADER']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'SparePvoid0' : [ 
0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, 
['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pUnused' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x388, ['unsigned long long']], 'TppWorkerpList' : [ 0x390, ['_LIST_ENTRY']], 'WaitOnAddressHashTable' : [ 0x3a0, ['array', 128, ['pointer64', ['void']]]], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 
'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '__unnamed_2366' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_236b' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 
'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_2366']], 'Bits' : [ 0x4, ['__unnamed_236b']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'DataLow' : [ 0x0, ['long long']], 'DataHigh' : [ 0x8, ['long long']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_MI_SUB64K_FREE_RANGES' : [ 0x30, { 'BitMap' : [ 0x0, ['_RTL_BITMAP_EX']], 'ListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Vad' : [ 0x20, ['pointer64', ['_MMVAD_SHORT']]], 'SubListIndex' : [ 0x28, ['unsigned short']], 'Hint' : [ 0x2a, ['unsigned short']], 'SetBits' : [ 0x2c, ['unsigned long']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_SEP_SILOSTATE' : [ 0x20, { 'SystemLogonSession' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'AnonymousLogonSession' : [ 0x8, ['pointer64', 
['_SEP_LOGON_SESSION_REFERENCES']]], 'AnonymousLogonToken' : [ 0x10, ['pointer64', ['void']]], 'AnonymousLogonTokenNoEveryone' : [ 0x18, ['pointer64', ['void']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'HandleCount' : [ 0x28, ['unsigned long']], 'Handles' : [ 0x30, ['pointer64', ['pointer64', ['void']]]], } ], '__unnamed_2385' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_2388' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0x1b0, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x10, ['_LIST_ENTRY']], 'Event' : [ 0x20, ['_KEVENT']], 'CollidedEvent' : [ 0x38, ['_KEVENT']], 'IoStatus' : [ 0x50, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x60, ['_LARGE_INTEGER']], 'ApcState' : [ 0x68, ['_KAPC_STATE']], 'Thread' : [ 0x98, ['pointer64', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0xa0, ['pointer64', ['_MMPFN']]], 'PteContents' : [ 0xa8, ['_MMPTE']], 'WaitCount' : [ 0xb0, ['long']], 'ByteCount' : [ 0xb4, ['unsigned long']], 'u3' : [ 0xb8, ['__unnamed_2385']], 'u1' : [ 0xbc, ['__unnamed_2388']], 'FilePointer' : [ 0xc0, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0xc8, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0xc8, ['pointer64', ['_SUBSECTION']]], 'Autoboost' : [ 0xd0, ['pointer64', ['void']]], 'FaultingAddress' : [ 0xd8, ['pointer64', ['void']]], 'PointerPte' : [ 0xe0, ['pointer64', ['_MMPTE']]], 'BasePte' : [ 0xe8, ['pointer64', ['_MMPTE']]], 'Pfn' : [ 0xf0, ['pointer64', ['_MMPFN']]], 'PrefetchMdl' : [ 0xf8, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x100, ['_MDL']], 'Page' : [ 0x130, ['array', 16, ['unsigned long long']]], 'FlowThrough' : [ 0x130, ['_MMINPAGE_SUPPORT_FLOW_THROUGH']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 
0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_CMP_DISCARD_AND_REPLACE_KCB_CONTEXT' : [ 0x20, { 'BaseKcb' : [ 0x0, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'PrepareStatus' : [ 0x8, ['long']], 'ClonedKcbListHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions', 24: 'ConfigureDeviceReset'})]], 'ReorderingBarrier' : [ 0x1c, ['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long long']], 'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], 'ActivityId' : [ 0x38, ['_GUID']], } ], '_PPM_PLATFORM_STATE' : [ 0x180, { 'Latency' : [ 0x0, ['unsigned long']], 'BreakEvenDuration' : [ 0x4, ['unsigned long']], 'VetoAccounting' : [ 0x8, ['_PPM_VETO_ACCOUNTING']], 'TransitionDebugger' : [ 0x30, ['unsigned char']], 'Platform' : [ 0x31, ['unsigned char']], 'DependencyListCount' : [ 0x34, ['unsigned long']], 'Processors' : [ 0x38, ['_KAFFINITY_EX']], 'Name' : [ 0xe0, ['_UNICODE_STRING']], 'DependencyLists' : [ 0xf0, ['pointer64', 
['_PPM_SELECTION_DEPENDENCY']]], 'Synchronization' : [ 0xf8, ['_PPM_COORDINATED_SYNCHRONIZATION']], 'EnterTime' : [ 0x100, ['unsigned long long']], 'RefCount' : [ 0x140, ['long']], 'CacheAlign0' : [ 0x140, ['array', 64, ['unsigned char']]], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'Reserved' : [ 0x20, ['array', 3, ['pointer64', ['void']]]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, 
['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'LowboxNumber' : [ 0x28, ['unsigned long']], 'AtomTable' : [ 0x30, ['pointer64', ['void']]], } ], '_PPM_SELECTION_MENU' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Entries' : [ 0x8, ['pointer64', ['_PPM_SELECTION_MENU_ENTRY']]], } ], '_MI_PARTITION' : [ 0x2780, { 'Core' : [ 0x0, ['_MI_PARTITION_CORE']], 'Modwriter' : [ 0x160, ['_MI_PARTITION_MODWRITES']], 'Store' : [ 0x430, ['_MI_PARTITION_STORES']], 'Segments' : [ 0x4c0, ['_MI_PARTITION_SEGMENTS']], 'PageLists' : [ 0x640, ['_MI_PARTITION_PAGE_LISTS']], 'Commit' : [ 0x1180, ['_MI_PARTITION_COMMIT']], 'Zeroing' : [ 0x1200, ['_MI_PARTITION_ZEROING']], 'PageCombine' : [ 0x1260, ['_MI_PAGE_COMBINING_SUPPORT']], 'WorkingSetControl' : [ 0x13e8, ['pointer64', ['void']]], 'WorkingSetExpansionHead' : [ 0x13f0, ['_MMWORKING_SET_EXPANSION_HEAD']], 'Vp' : [ 0x1400, ['_MI_VISIBLE_PARTITION']], } ], '_TraceLoggingMetadata_t' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned char']], 'Flags' : [ 0x7, ['unsigned char']], 'Magic' : [ 0x8, ['unsigned long long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' 
: [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 
'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_IO_WORKITEM' : [ 0x58, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'WorkOnBehalfThread' : [ 0x38, ['pointer64', ['_ETHREAD']]], 'Type' : [ 0x40, ['unsigned long']], 'ActivityId' : [ 0x44, ['_GUID']], } ], '_DISALLOWED_GUIDS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Guids' : [ 0x8, ['pointer64', ['_GUID']]], } ], '_PS_WAKE_INFORMATION' : [ 0x38, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 5, ['unsigned long long']]], 'NoWakeCounter' : [ 0x30, ['unsigned long long']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 
'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_CMHIVE' : [ 0x17a8, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0xa68, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0xa98, ['_LIST_ENTRY']], 'HiveList' : [ 0xaa8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0xab8, ['_LIST_ENTRY']], 'FailedUnloadList' : [ 0xac8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0xad8, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0xae0, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0xaf0, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0xaf8, ['unsigned long']], 'DeletedKcbTable' : [ 0xb00, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0xb08, ['unsigned long']], 'Identity' : [ 0xb0c, ['unsigned long']], 'HiveLock' : [ 0xb10, ['pointer64', ['_FAST_MUTEX']]], 'WriterLock' : [ 0xb18, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0xb20, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0xb28, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0xb38, ['unsigned 
long']], 'FlushLogEntry' : [ 0xb40, ['pointer64', ['unsigned char']]], 'FlushLogEntrySize' : [ 0xb48, ['unsigned long']], 'FlushHiveTruncated' : [ 0xb4c, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0xb50, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0xb58, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0xb68, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0xb70, ['pointer64', ['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0xb78, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0xb80, ['pointer64', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0xb88, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0xb90, ['unsigned long']], 'LastShrinkHiveSize' : [ 0xb94, ['unsigned long']], 'ActualFileSize' : [ 0xb98, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0xba0, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0xbb0, ['_UNICODE_STRING']], 'FileUserName' : [ 0xbc0, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0xbd0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0xbe0, ['unsigned long']], 'SecurityCacheSize' : [ 0xbe4, ['unsigned long']], 'SecurityHitHint' : [ 0xbe8, ['long']], 'SecurityCache' : [ 0xbf0, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0xbf8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xff8, ['unsigned long']], 'UnloadEventArray' : [ 0x1000, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0x1008, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x1010, ['unsigned char']], 'UnloadWorkItem' : [ 0x1018, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x1020, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x1048, ['unsigned char']], 'GrowOffset' : [ 0x104c, ['unsigned long']], 'KcbConvertListHead' : [ 0x1050, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x1060, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0x1068, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0x14f0, ['unsigned long']], 'TrustClassEntry' : [ 0x14f8, ['_LIST_ENTRY']], 'DirtyTime' : [ 0x1508, ['unsigned long long']], 'UnreconciledTime' : 
[ 0x1510, ['unsigned long long']], 'CmRm' : [ 0x1518, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x1520, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x1524, ['long']], 'CreatorOwner' : [ 0x1528, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0x1530, ['pointer64', ['_KTHREAD']]], 'LastWriteTime' : [ 0x1538, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0x1540, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0x1558, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0x1570, ['unsigned long']], 'FlushActive' : [ 0x1570, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0x1570, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0x1570, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0x1570, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0x1574, ['unsigned long']], 'ReferenceCount' : [ 0x1578, ['long']], 'UnloadHistoryIndex' : [ 0x157c, ['long']], 'UnloadHistory' : [ 0x1580, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0x1780, ['unsigned long']], 'UnaccessedStart' : [ 0x1784, ['unsigned long']], 'UnaccessedEnd' : [ 0x1788, ['unsigned long']], 'LoadedKeyCount' : [ 0x178c, ['unsigned long']], 'HandleClosePending' : [ 0x1790, ['unsigned long']], 'HandleClosePendingEvent' : [ 0x1798, ['_EX_PUSH_LOCK']], 'FinalFlushSucceeded' : [ 0x17a0, ['unsigned char']], 'FailedUnload' : [ 0x17a1, ['unsigned char']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 
0x20, ['pointer64', ['_KPROCESS']]], 'InProgressFlags' : [ 0x28, ['unsigned char']], 'KernelApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_PEP_ACPI_RESOURCE_FLAGS' : [ 0x4, { 'AsULong' : [ 0x0, ['unsigned long']], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Wake' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ResourceUsage' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SlaveMode' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'AddressingMode' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SharedMode' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_MI_PARTITION_PAGE_LISTS' : [ 0xb40, { 'FreePagesByColor' : [ 0x0, ['array', 2, ['pointer64', ['_MMPFNLIST']]]], 'FreePageSlist' 
: [ 0x10, ['array', 2, ['pointer64', ['_SLIST_HEADER']]]], 'ZeroedPageListHead' : [ 0x40, ['_MMPFNLIST']], 'FreePageListHead' : [ 0x80, ['_MMPFNLIST']], 'StandbyPageListHead' : [ 0xc0, ['_MMPFNLIST']], 'StandbyPageListByPriority' : [ 0x100, ['array', 8, ['_MMPFNLIST']]], 'ModifiedPageListNoReservation' : [ 0x240, ['_MMPFNLIST']], 'ModifiedPageListByReservation' : [ 0x280, ['array', 16, ['_MMPFNLIST']]], 'MappedPageListHead' : [ 0x500, ['array', 16, ['_MMPFNLIST']]], 'BadPageListHead' : [ 0x780, ['_MMPFNLIST']], 'EnclavePageListHead' : [ 0x7c0, ['_MMPFNLIST']], 'PageLocationList' : [ 0x7e8, ['array', 8, ['pointer64', ['_MMPFNLIST']]]], 'StandbyRepurposedByPriority' : [ 0x828, ['array', 8, ['unsigned long']]], 'MappedPageListHeadEvent' : [ 0x848, ['array', 16, ['_KEVENT']]], 'DecayClusterTimerHeads' : [ 0x9c8, ['array', 4, ['_MI_DECAY_TIMER_LINK']]], 'DecayHand' : [ 0x9e8, ['unsigned long']], 'LastDecayHandUpdateTime' : [ 0x9f0, ['unsigned long long']], 'LastChanceLdwContext' : [ 0x9f8, ['_MI_LDW_WORK_CONTEXT']], 'AvailableEventsLock' : [ 0xa40, ['unsigned long long']], 'AvailablePageWaitStates' : [ 0xa48, ['array', 3, ['_MI_AVAILABLE_PAGE_WAIT_STATES']]], 'LowMemoryThreshold' : [ 0xaa8, ['unsigned long long']], 'HighMemoryThreshold' : [ 0xab0, ['unsigned long long']], 'TransitionPrivatePages' : [ 0xac0, ['unsigned long long']], 'StandbyListDiscard' : [ 0xac8, ['unsigned long']], 'FreeListDiscard' : [ 0xacc, ['unsigned char']], 'MirrorListLocks' : [ 0xad0, ['pointer64', ['void']]], 'LargePfnBitMapsReady' : [ 0xad8, ['unsigned char']], 'LargePfnBitMap' : [ 0xae0, ['array', 2, ['_RTL_BITMAP_EX']]], 'LargePfnBitMapLock' : [ 0xb00, ['unsigned long long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '__unnamed_2436' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_2438' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned 
long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_243a' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_2436']], 'Interrupt' : [ 0x0, ['__unnamed_2438']], 'LocalInterrupt' : [ 0x0, ['__unnamed_2438']], 'Sci' : [ 0x0, ['__unnamed_2438']], 'Nmi' : [ 0x0, ['__unnamed_2438']], 'Sea' : [ 0x0, ['__unnamed_2438']], 'Sei' : [ 0x0, ['__unnamed_2438']], 'Gsiv' : [ 0x0, ['__unnamed_2438']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_243a']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'ThermalStandbyTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], 'MinimumThrottle' : [ 0x50, ['unsigned long']], 'OverThrottleThreshold' : [ 0x54, ['unsigned long']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x8, { 'LogHandleContext' : [ 0x0, ['pointer64', ['_LOG_HANDLE_CONTEXT']]], } ], '_KPRIQUEUE' : [ 0x2b0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x218, ['array', 32, ['long']]], 'MaximumCount' : [ 0x298, ['unsigned long']], 'ThreadListHead' : [ 0x2a0, ['_LIST_ENTRY']], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' 
: [ 0x8, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_KSCB' : [ 0x1a8, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'MinQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'MaxQuotaCycleTarget' : [ 0x10, ['unsigned long long']], 'RankCycleTarget' : [ 0x18, ['unsigned long long']], 'LongTermCycles' : [ 0x20, ['unsigned long long']], 'LastReportedCycles' : [ 0x28, ['unsigned long long']], 'OverQuotaHistory' : [ 0x30, ['unsigned long long']], 'ReadyTime' : [ 0x38, ['unsigned long long']], 'InsertTime' : [ 0x40, ['unsigned long long']], 'PerProcessorList' : [ 0x48, ['_LIST_ENTRY']], 'QueueNode' : [ 0x58, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x70, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'MaxOverQuota' : [ 0x70, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'MinOverQuota' : [ 0x70, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x70, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SoftCap' : [ 0x70, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ShareRankOwner' : [ 0x70, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x70, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Depth' : [ 0x71, ['unsigned char']], 'ReadySummary' : [ 0x72, ['unsigned short']], 'Rank' : [ 0x74, ['unsigned long']], 'ShareRank' : [ 0x78, ['pointer64', ['unsigned long']]], 'OwnerShareRank' : [ 0x80, ['unsigned long']], 'ReadyListHead' : [ 0x88, ['array', 16, ['_LIST_ENTRY']]], 'ChildScbQueue' : [ 0x188, ['_RTL_RB_TREE']], 'Parent' : [ 0x198, ['pointer64', 
['_KSCB']]], 'Root' : [ 0x1a0, ['pointer64', ['_KSCB']]], } ], '__unnamed_2458' : [ 0x2, { 'SignatureLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'SignatureType' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned short')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'EntireField' : [ 0x0, ['unsigned short']], } ], '_KLDR_DATA_TABLE_ENTRY' : [ 0xa0, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'ExceptionTable' : [ 0x10, ['pointer64', ['void']]], 'ExceptionTableSize' : [ 0x18, ['unsigned long']], 'GpValue' : [ 0x20, ['pointer64', ['void']]], 'NonPagedDebugInfo' : [ 0x28, ['pointer64', ['_NON_PAGED_DEBUG_INFO']]], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'u1' : [ 0x6e, ['__unnamed_2458']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'CoverageSectionSize' : [ 0x7c, ['unsigned long']], 'CoverageSection' : [ 0x80, ['pointer64', ['void']]], 'LoadedImports' : [ 0x88, ['pointer64', ['void']]], 'Spare' : [ 0x90, ['pointer64', ['void']]], 'SizeOfImageNotRounded' : [ 0x98, ['unsigned long']], 'TimeDateStamp' : [ 0x9c, ['unsigned long']], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_MI_SYSTEM_TRIM_STATE' : [ 0x40, { 'ExpansionLock' : [ 0x0, ['unsigned long long']], 'TrimInProgressCount' : [ 0x8, ['long']], 'PeriodicWorkingSetEvent' : [ 0x10, ['_KEVENT']], 'TrimAllPageFaultCount' : [ 0x28, ['array', 3, ['unsigned long']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, 
['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0x18, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x8, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_MM_SYSTEM_PAGE_COUNTS' : [ 0x10, { 'SystemCodePage' : [ 0x0, ['unsigned long']], 'SystemDriverPage' : [ 0x4, ['unsigned long']], 'TotalSystemCodePages' : [ 0x8, ['long']], 'TotalSystemDriverPages' : [ 0xc, ['long']], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 
'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_THERMAL_POLICY' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ThermalStandby' : [ 0x7, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], 'OverThrottled' : [ 0x14, ['unsigned char']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MI_ACCESS_LOG_STATE' : [ 0x80, { 'CcAccessLog' : [ 0x0, ['pointer64', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'Enabled' : [ 0x8, ['unsigned long']], 'DisableAccessLogging' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'MinLoggingPriority' : [ 0x30, 
['unsigned long']], 'AccessLoggingLock' : [ 0x40, ['unsigned long long']], } ], '_HMAP_TABLE' : [ 0x5000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '__unnamed_248a' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_248c' : [ 0x20, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_248a']], } ], '_VF_TARGET_DRIVER' : [ 0x40, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE_EX']], 'u1' : [ 0x18, ['__unnamed_248c']], 'VerifiedData' : [ 0x38, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x28, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x10, ['pointer64', ['void']]], 'SessionViewVa' : [ 0x10, ['pointer64', ['void']]], 'VadsProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Type' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SubsectionType' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SectionOffset' : [ 0x20, ['unsigned long long']], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0x18, { 'ActiveThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'WaitList' : [ 0x8, ['pointer64', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x10, ['unsigned long']], } ], '_MI_SYSTEM_PTE_STATE' : [ 0x1c0, { 'DeadPteTrackerSListHead' : [ 0x0, ['_SLIST_HEADER']], 'PteTrackerLock' : [ 0x10, ['unsigned long long']], 'MdlTrackerLookaside' : [ 0x40, ['_NPAGED_LOOKASIDE_LIST']], 'PteTrackingBitmap' : 
[ 0xc0, ['_RTL_BITMAP_EX']], 'CachedPteHeads' : [ 0xd0, ['pointer64', ['_MI_CACHED_PTES']]], 'SystemViewPteInfo' : [ 0xd8, ['_MI_SYSTEM_PTE_TYPE']], 'KernelStackPages' : [ 0x140, ['unsigned char']], 'QueuedStacks' : [ 0x150, ['_SLIST_HEADER']], 'StackGrowthFailures' : [ 0x160, ['unsigned long']], 'TrackPtesAborted' : [ 0x164, ['unsigned char']], 'AdjustCounter' : [ 0x165, ['unsigned char']], 'ReservedMappingLock' : [ 0x168, ['long']], 'ReservedMappingTree' : [ 0x170, ['_RTL_AVL_TREE']], 'ReservedMappingPageTablePfns' : [ 0x178, ['pointer64', ['_MMPFN']]], 'QueuedStacksWorkItem' : [ 0x180, ['_MI_QUEUED_DEADSTACK_WORKITEM']], } ], '__unnamed_249e' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MI_PARTITION_FLAGS']], } ], '_MI_PARTITION_CORE' : [ 0x160, { 'PartitionId' : [ 0x0, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_249e']], 'Signature' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0x10, ['unsigned long long']], 'ParentPartition' : [ 0x18, ['pointer64', ['_MI_PARTITION']]], 'ListEntry' : [ 0x20, ['_LIST_ENTRY']], 'NodeInformation' : [ 0x30, ['pointer64', ['_MI_NODE_INFORMATION']]], 'PageRoot' : [ 0x38, ['_RTL_AVL_TREE']], 'MemoryNodeRuns' : [ 0x40, ['pointer64', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'MemoryBlockReferences' : [ 0x48, ['unsigned long long']], 'PfnUnmapWorkItem' : [ 0x50, ['_WORK_QUEUE_ITEM']], 'PfnUnmapActive' : [ 0x70, ['unsigned char']], 'PfnUnmapCount' : [ 0x78, ['unsigned long long']], 'PfnUnmapWaitList' : [ 0x80, ['pointer64', ['void']]], 'MemoryRuns' : [ 0x88, ['pointer64', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'ExitEvent' : [ 0x90, ['_KEVENT']], 'SystemThreadHandles' : [ 0xa8, ['array', 5, ['pointer64', ['void']]]], 'PartitionObject' : [ 0xd0, ['pointer64', ['void']]], 'PartitionObjectHandle' : [ 0xd8, ['pointer64', ['void']]], 'DynamicMemoryPushLock' : [ 0xe0, ['_EX_PUSH_LOCK']], 'DynamicMemoryLock' : [ 0xe8, ['long']], 'TemporaryMemoryEvent' : [ 0xf0, ['_KEVENT']], 'MemoryEvents' : [ 0x108, ['array', 11, 
['pointer64', ['_KEVENT']]]], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '__unnamed_24ad' : [ 0x8, { 'InstancedWorkingSet' : [ 0x0, ['pointer64', ['void']]], } ], '_MMSUPPORT_INSTANCE' : [ 0xc0, { 'NextPageColor' : [ 0x0, ['unsigned short']], 'LastTrimStamp' : [ 0x2, ['unsigned short']], 'PageFaultCount' : [ 0x4, ['unsigned long']], 'TrimmedPageCount' : [ 0x8, ['unsigned long long']], 'VmWorkingSetList' : [ 0x10, ['pointer64', ['_MMWSL_INSTANCE']]], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, ['array', 7, ['unsigned long long']]], 'ExitOutswapGate' : [ 0x60, ['pointer64', ['_KGATE']]], 'MinimumWorkingSetSize' : [ 0x68, ['unsigned long long']], 'WorkingSetLeafSize' : [ 0x70, ['unsigned long long']], 'WorkingSetLeafPrivateSize' : [ 0x78, ['unsigned long long']], 'WorkingSetSize' : [ 0x80, ['unsigned long long']], 'WorkingSetPrivateSize' : [ 0x88, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0x90, ['unsigned long long']], 'PeakWorkingSetSize' : [ 0x98, ['unsigned long long']], 'HardFaultCount' : [ 0xa0, ['unsigned long']], 'PartitionId' : [ 0xa4, ['unsigned short']], 'Pad0' : [ 0xa6, ['unsigned short']], 'u1' : [ 0xa8, ['__unnamed_24ad']], 'Reserved0' : [ 0xb0, ['unsigned long long']], 'Flags' : [ 0xb8, ['_MMSUPPORT_FLAGS']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x10, ['unsigned char']], 'BlockState' : [ 0x11, ['unsigned char']], 'WaitKey' : [ 0x12, ['unsigned short']], 'SpareLong' : [ 0x14, ['long']], 'Thread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NotificationQueue' : [ 0x18, ['pointer64', ['_KQUEUE']]], 'Object' : [ 0x20, 
['pointer64', ['void']]], 'SparePtr' : [ 0x28, ['pointer64', ['void']]], } ], '_PPM_SELECTION_MENU_ENTRY' : [ 0x18, { 'StrictDependency' : [ 0x0, ['unsigned char']], 'InitiatingState' : [ 0x1, ['unsigned char']], 'DependentState' : [ 0x2, ['unsigned char']], 'StateIndex' : [ 0x4, ['unsigned long']], 'Dependencies' : [ 0x8, ['unsigned long']], 'DependencyList' : [ 0x10, ['pointer64', ['_PPM_SELECTION_DEPENDENCY']]], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_HV_GET_BIN_CONTEXT' : [ 0x2, { 'OutstandingReference' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredRundown' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], } ], '_INVERTED_FUNCTION_TABLE' : [ 0x1810, { 'CurrentSize' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'Epoch' : [ 0x8, ['unsigned long']], 'Overflow' : [ 0xc, ['unsigned char']], 'TableEntry' : [ 0x10, ['array', 256, ['_INVERTED_FUNCTION_TABLE_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long long']], 'WorkQueue' : [ 0x20, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x60, ['pointer64', ['void']]], 'AcceptProcessorNotification' : [ 0x68, ['pointer64', ['void']]], 'AcceptAcpiNotification' : [ 0x70, ['pointer64', 
['void']]], 'WorkOrderCount' : [ 0x78, ['unsigned long']], 'WorkOrders' : [ 0x80, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_ETW_REG_ENTRY' : [ 0x70, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GroupRegList' : [ 0x10, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x20, ['pointer64', ['_ETW_GUID_ENTRY']]], 'GroupEntry' : [ 0x28, ['pointer64', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x30, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x30, ['array', 4, ['pointer64', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x30, ['pointer64', ['void']]], 'SessionId' : [ 0x38, ['unsigned 
long']], 'Process' : [ 0x50, ['pointer64', ['_EPROCESS']]], 'CallbackContext' : [ 0x50, ['pointer64', ['void']]], 'Callback' : [ 0x58, ['pointer64', ['void']]], 'Index' : [ 0x60, ['unsigned short']], 'Flags' : [ 0x62, ['unsigned short']], 'DbgKernelRegistration' : [ 0x62, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgUserRegistration' : [ 0x62, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgReplyRegistration' : [ 0x62, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgClassicRegistration' : [ 0x62, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgSessionSpaceRegistration' : [ 0x62, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgModernRegistration' : [ 0x62, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClosed' : [ 0x62, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgInserted' : [ 0x62, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DbgWow64' : [ 0x62, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'EnableMask' : [ 0x64, ['unsigned char']], 'GroupEnableMask' : [ 0x65, ['unsigned char']], 'UseDescriptorType' : [ 0x66, ['unsigned char']], 'Traits' : [ 0x68, ['pointer64', ['_ETW_PROVIDER_TRAITS']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_MI_SYSTEM_VA_STATE' : [ 0x300, { 'SystemTablesLock' : [ 0x0, ['unsigned long long']], 'AvailableSystemCacheVa' : [ 0x8, 
['unsigned long long']], 'DynamicBitMapSystemPtes' : [ 0x10, ['_MI_DYNAMIC_BITMAP']], 'DynamicBitMapDriverImages' : [ 0x60, ['array', 2, ['_MI_DYNAMIC_BITMAP']]], 'DynamicBitMapPagedPool' : [ 0x100, ['_MI_DYNAMIC_BITMAP']], 'DynamicBitMapSpecialPool' : [ 0x150, ['_MI_DYNAMIC_BITMAP']], 'DynamicBitMapSystemCache' : [ 0x1a0, ['_MI_DYNAMIC_BITMAP']], 'SystemVaAssignment' : [ 0x1f0, ['array', 8, ['unsigned long']]], 'SystemVaAssignmentHint' : [ 0x210, ['unsigned long']], 'HyperSpaceEnd' : [ 0x218, ['pointer64', ['void']]], 'WorkingSetListHashStart' : [ 0x220, ['pointer64', ['_MMWSLE_HASH']]], 'WorkingSetListHashEnd' : [ 0x228, ['pointer64', ['_MMWSLE_HASH']]], 'WorkingSetListIndirectHashStart' : [ 0x230, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'FreeSystemCacheVa' : [ 0x238, ['_KEVENT']], 'SystemVaLock' : [ 0x250, ['unsigned long long']], 'DeleteKvaLock' : [ 0x258, ['long']], 'FreeSystemCache' : [ 0x260, ['_MI_PTE_CHAIN_HEAD']], 'SystemCacheViewLock' : [ 0x278, ['unsigned long long']], 'SystemCacheInitLock' : [ 0x280, ['_EX_PUSH_LOCK']], 'UnusableWsles' : [ 0x288, ['array', 5, ['unsigned long long']]], 'PossibleWsles' : [ 0x2b0, ['array', 5, ['unsigned long long']]], 'SystemWs' : [ 0x2d8, ['array', 3, ['pointer64', ['_MMSUPPORT_INSTANCE']]]], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : 
[ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MMSUPPORT_SHARED' : [ 0x48, { 'WorkingSetLock' : [ 0x0, ['long']], 'ReleasedCommitDebt' : [ 0x8, ['unsigned long long']], 'ResetPagesRepurposedCount' : [ 0x10, ['unsigned long long']], 'WsSwapSupport' : [ 0x18, ['pointer64', ['void']]], 'CommitReleaseContext' : [ 0x20, ['pointer64', ['void']]], 'AccessLog' : [ 0x28, ['pointer64', ['void']]], 'ChargedWslePages' : [ 0x30, ['unsigned long long']], 'ActualWslePages' : [ 0x38, ['unsigned long long']], 'WorkingSetSizeOverhead' : [ 0x40, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : 
[ 0x148, ['unsigned long long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 
'Unused' : [ 0x0, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_MMCLONE_BLOCK' : [ 0x20, { 'ProtoPte' : [ 0x0, ['_MMPTE']], 'PaddingFor16ByteAlignment' : [ 0x8, ['unsigned long long']], 'CloneCommitCount' : [ 0x10, ['unsigned long long']], 'u1' : [ 0x10, ['_MI_CLONE_BLOCK_FLAGS']], 'CloneRefCount' : [ 0x18, ['unsigned long long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Propagated' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PS_TRUSTLET_TKSESSION_ID' : [ 0x20, { 'SessionId' : [ 0x0, ['array', 4, ['unsigned long long']]], } ], '__unnamed_2537' : [ 0x8, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], 'RemoteImageFileObject' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RemoteDataFileObject' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], } ], '_SECTION' : [ 0x40, { 'SectionNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u1' : [ 0x28, ['__unnamed_2537']], 'SizeOfSection' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_16c6']], 'InitialPageProtection' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'SessionId' : [ 0x3c, ['BitField', dict(start_bit = 12, end_bit = 31, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x3c, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, 
['unsigned long long']], 'CompactionMask' : [ 0x8, ['unsigned long long']], 'Reserved2' : [ 0x10, ['array', 6, ['unsigned long long']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0xb8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'ArgumentStatus' : [ 0x14, ['long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'RefCount' : [ 0x40, ['unsigned long']], 'Lock' : [ 0x44, ['unsigned long']], 'Cancel' : [ 0x48, ['unsigned char']], 'Parent' : [ 0x50, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'ActivityId' : [ 0x58, ['_GUID']], 'Data' : [ 0x68, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_MI_LDW_WORK_CONTEXT' : [ 0x38, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'FileObject' : [ 0x20, ['pointer64', ['_FILE_OBJECT']]], 'ErrorStatus' : [ 0x28, ['long']], 'Active' : [ 0x2c, ['long']], 'FreeWhenDone' : [ 0x30, ['unsigned char']], } ], '_MI_DEBUGGER_STATE' : [ 0x118, { 'TransientWrite' : [ 0x0, ['unsigned char']], 'CodePageEdited' : [ 0x1, ['unsigned char']], 'DebugPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'PoisonedTb' : [ 0x10, ['unsigned long']], 'InDebugger' : [ 0x14, ['long']], 'Pfns' : [ 0x18, ['array', 32, ['pointer64', ['void']]]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x10, { 'CrossThreadReleasable' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 63, native_type='unsigned long long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'LockState' : [ 0x0, ['pointer64', ['void']]], 'SessionState' : [ 0x8, ['pointer64', ['void']]], 'SessionId' : [ 0x8, ['unsigned long']], 'SessionPad' : [ 0xc, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_ETIMER' : [ 0x138, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x40, ['unsigned long long']], 'TimerApc' : [ 0x48, ['_KAPC']], 'TimerDpc' : [ 0xa0, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'Period' : [ 0xf0, ['unsigned long']], 'TimerFlags' : [ 0xf4, ['unsigned char']], 'ApcAssociated' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'FlushDpcs' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0xf5, ['unsigned char']], 'Spare2' : [ 0xf6, ['unsigned short']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x110, ['pointer64', ['void']]], 'VirtualizedTimerLinks' : [ 0x118, ['_LIST_ENTRY']], 'DueTime' : [ 0x128, ['unsigned long long']], 'CoalescingWindow' : [ 0x130, ['unsigned long']], } ], '_MI_SHUTDOWN_STATE' : [ 0x80, { 'CrashDumpInitialized' : [ 0x0, ['unsigned char']], 'ConnectedStandbyActive' : [ 0x1, ['unsigned char']], 'SystemShutdown' : [ 0x4, ['unsigned long']], 'ShutdownFlushInProgress' : [ 0x8, ['long']], 'ResumeItem' : [ 0x10, ['_MI_RESUME_WORKITEM']], 'MirrorHoldsPfn' : [ 0x48, ['pointer64', ['_ETHREAD']]], 'MirroringActive' : [ 0x50, ['unsigned long']], 'MirrorBitMaps' : [ 0x58, ['array', 2, ['_RTL_BITMAP_EX']]], 'CrashDumpPte' : [ 0x78, ['pointer64', ['_MMPTE']]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_ARM64_DBGKD_CONTROL_SET' : [ 0x18, { 'Continue' : [ 0x0, ['unsigned long']], 'TraceFlag' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x10, ['unsigned long long']], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned 
long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoQoSPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_PROCESSOR_POWER_STATE' : [ 0x1d0, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x8, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x10, ['unsigned long long']], 'IdleTimeTotal' : [ 0x18, ['unsigned long long']], 'IdleTimeEntry' : [ 0x20, ['unsigned long long']], 'IdleTimeExpiration' : [ 0x28, ['unsigned long long']], 'NonInterruptibleTransition' : [ 0x30, ['unsigned char']], 'PepWokenTransition' : [ 0x31, ['unsigned char']], 'EfficiencyClass' : [ 0x32, ['unsigned char']], 'SchedulingClass' : [ 0x33, ['unsigned char']], 'TargetIdleState' : [ 0x34, ['unsigned long']], 'IdlePolicy' : [ 0x38, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 
0x40, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x48, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xd8, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower', 3: 'ProcHypervisorHvCounters'})]], 'LastSysTime' : [ 0xdc, ['unsigned long']], 'WmiDispatchPtr' : [ 0xe0, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0xe8, ['long']], 'FFHThrottleStateInfo' : [ 0xf0, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x110, ['_KDPC']], 'PerfActionMask' : [ 0x150, ['long']], 'HvIdleCheck' : [ 0x158, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x168, ['pointer64', ['_PROC_PERF_CHECK']]], 'Domain' : [ 0x170, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x178, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x180, ['pointer64', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x188, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x190, ['pointer64', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x198, ['unsigned char']], 'HvTargetState' : [ 0x199, ['unsigned char']], 'Parked' : [ 0x19a, ['unsigned char']], 'LatestPerformancePercent' : [ 0x19c, ['unsigned long']], 'AveragePerformancePercent' : [ 0x1a0, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x1a4, ['unsigned long']], 'RelativePerformance' : [ 0x1a8, ['unsigned long']], 'Utility' : [ 0x1ac, ['unsigned long']], 'AffinitizedUtility' : [ 0x1b0, ['unsigned long']], 'SnapTimeLast' : [ 0x1b8, ['unsigned long long']], 'EnergyConsumed' : [ 0x1b8, ['unsigned long long']], 'ActiveTime' : [ 0x1c0, ['unsigned long long']], 'TotalTime' : [ 0x1c8, ['unsigned long long']], } ], '_MI_PARTITION_SEGMENTS' : [ 0x180, { 'DeleteSubsectionCleanup' : [ 0x0, ['_KEVENT']], 'UnusedSegmentCleanup' : [ 0x18, ['_KEVENT']], 'SubsectionDeletePtes' : [ 0x30, ['unsigned long long']], 'DereferenceSegmentHeader' : [ 0x38, ['_MMDEREFERENCE_SEGMENT_HEADER']], 'DeleteOnCloseList' : [ 0x68, ['_LIST_ENTRY']], 
'DeleteOnCloseTimer' : [ 0x78, ['_KTIMER']], 'DeleteOnCloseTimerActive' : [ 0xb8, ['unsigned char']], 'DeleteOnCloseCount' : [ 0xbc, ['unsigned long']], 'UnusedSegmentList' : [ 0xc0, ['_LIST_ENTRY']], 'UnusedSubsectionList' : [ 0xd0, ['_LIST_ENTRY']], 'DeleteSubsectionList' : [ 0xe0, ['_LIST_ENTRY']], 'ControlAreaDeleteEvent' : [ 0xf0, ['_KEVENT']], 'ControlAreaDeleteList' : [ 0x108, ['_SINGLE_LIST_ENTRY']], 'SegmentListLock' : [ 0x140, ['long']], 'ControlAreaCount' : [ 0x148, ['long long']], } ], '_MI_RESAVAIL_TRACKER' : [ 0x380, { 'AllocateKernelStack' : [ 0x0, ['unsigned long long']], 'AllocateGrowKernelStack' : [ 0x8, ['unsigned long long']], 'FreeKernelStack' : [ 0x10, ['unsigned long long']], 'FreeKernelStackError' : [ 0x18, ['unsigned long long']], 'FreeGrowKernelStackError' : [ 0x20, ['unsigned long long']], 'AllocateCreateProcess' : [ 0x28, ['unsigned long long']], 'FreeCreateProcessError' : [ 0x30, ['unsigned long long']], 'FreeDeleteProcess' : [ 0x38, ['unsigned long long']], 'FreeCleanProcess' : [ 0x40, ['unsigned long long']], 'FreeCleanProcessError' : [ 0x48, ['unsigned long long']], 'AllocateWsIncrease' : [ 0x50, ['unsigned long long']], 'FreeWsIncreaseError' : [ 0x58, ['unsigned long long']], 'FreeWsIncreaseErrorMax' : [ 0x60, ['unsigned long long']], 'FreeWsDecrease' : [ 0x68, ['unsigned long long']], 'AllocateWorkingSetPage' : [ 0x70, ['unsigned long long']], 'FreeWorkingSetPageError' : [ 0x78, ['unsigned long long']], 'FreeDeletePteRange' : [ 0x80, ['unsigned long long']], 'AllocatePageTablesForProcessMetadata' : [ 0x88, ['unsigned long long']], 'AllocatePageTablesForSystem' : [ 0x90, ['unsigned long long']], 'FreePageTablesExcess' : [ 0x98, ['unsigned long long']], 'FreeSystemVaPageTables' : [ 0xa0, ['unsigned long long']], 'FreeSessionVaPageTables' : [ 0xa8, ['unsigned long long']], 'AllocateCreateSession' : [ 0xb0, ['unsigned long long']], 'FreeSessionWsDereference' : [ 0xb8, ['unsigned long long']], 'FreeSessionDereference' : [ 0xc0, 
['unsigned long long']], 'AllocateLockedSessionImage' : [ 0xc8, ['unsigned long long']], 'FreeLockedSessionImage' : [ 0xd0, ['unsigned long long']], 'FreeSessionImageConversion' : [ 0xd8, ['unsigned long long']], 'AllocateWsAdjustPageTable' : [ 0xe0, ['unsigned long long']], 'FreeWsAdjustPageTable' : [ 0xe8, ['unsigned long long']], 'FreeWsAdjustPageTableError' : [ 0xf0, ['unsigned long long']], 'AllocateNoLowMemory' : [ 0xf8, ['unsigned long long']], 'AllocatePagedPoolLockedDown' : [ 0x100, ['unsigned long long']], 'FreePagedPoolLockedDown' : [ 0x108, ['unsigned long long']], 'AllocateSystemBitmaps' : [ 0x110, ['unsigned long long']], 'FreeSystemBitmapsError' : [ 0x118, ['unsigned long long']], 'AllocateForMdl' : [ 0x120, ['unsigned long long']], 'FreeFromMdl' : [ 0x128, ['unsigned long long']], 'AllocateForMdlPartition' : [ 0x130, ['unsigned long long']], 'FreeFromMdlPartition' : [ 0x138, ['unsigned long long']], 'FreeMdlExcess' : [ 0x140, ['unsigned long long']], 'AllocateExpansionNonPagedPool' : [ 0x148, ['unsigned long long']], 'FreeExpansionNonPagedPool' : [ 0x150, ['unsigned long long']], 'AllocateVad' : [ 0x158, ['unsigned long long']], 'RemoveVad' : [ 0x160, ['unsigned long long']], 'FreeVad' : [ 0x168, ['unsigned long long']], 'AllocateContiguous' : [ 0x170, ['unsigned long long']], 'FreeContiguousPages' : [ 0x178, ['unsigned long long']], 'FreeContiguousError' : [ 0x180, ['unsigned long long']], 'FreeLargePageMemory' : [ 0x188, ['unsigned long long']], 'AllocateSystemWsles' : [ 0x190, ['unsigned long long']], 'FreeSystemWsles' : [ 0x198, ['unsigned long long']], 'AllocateSystemInitWs' : [ 0x1a0, ['unsigned long long']], 'AllocateSessionInitWs' : [ 0x1a8, ['unsigned long long']], 'FreeSessionInitWsError' : [ 0x1b0, ['unsigned long long']], 'AllocateSystemImage' : [ 0x1b8, ['unsigned long long']], 'AllocateSystemImageLoad' : [ 0x1c0, ['unsigned long long']], 'AllocateSessionSharedImage' : [ 0x1c8, ['unsigned long long']], 'FreeSystemImageInitCode' : [ 
0x1d0, ['unsigned long long']], 'FreeSystemImageLargePageConversion' : [ 0x1d8, ['unsigned long long']], 'FreeSystemImageError' : [ 0x1e0, ['unsigned long long']], 'FreeSystemImageLoadExcess' : [ 0x1e8, ['unsigned long long']], 'FreeUnloadSystemImage' : [ 0x1f0, ['unsigned long long']], 'FreeReloadBootImageLarge' : [ 0x1f8, ['unsigned long long']], 'FreeIndependent' : [ 0x200, ['unsigned long long']], 'AllocateHotRemove' : [ 0x208, ['unsigned long long']], 'FreeHotAdd' : [ 0x210, ['unsigned long long']], 'AllocateBoot' : [ 0x218, ['unsigned long long']], 'FreeLoaderBlock' : [ 0x220, ['unsigned long long']], 'AllocateNonPagedSpecialPool' : [ 0x228, ['unsigned long long']], 'FreeNonPagedSpecialPoolError' : [ 0x230, ['unsigned long long']], 'FreeNonPagedSpecialPool' : [ 0x238, ['unsigned long long']], 'AllocateSharedSegmentPage' : [ 0x240, ['unsigned long long']], 'FreeSharedSegmentPage' : [ 0x248, ['unsigned long long']], 'AllocateZeroPage' : [ 0x250, ['unsigned long long']], 'FreeZeroPage' : [ 0x258, ['unsigned long long']], 'AllocateForPo' : [ 0x260, ['unsigned long long']], 'AllocateForPoForce' : [ 0x268, ['unsigned long long']], 'FreeForPo' : [ 0x270, ['unsigned long long']], 'AllocateThreadHardFaultBehavior' : [ 0x278, ['unsigned long long']], 'FreeThreadHardFaultBehavior' : [ 0x280, ['unsigned long long']], 'ObtainFaultCharges' : [ 0x288, ['unsigned long long']], 'FreeFaultCharges' : [ 0x290, ['unsigned long long']], 'AllocateStoreCharges' : [ 0x298, ['unsigned long long']], 'FreeStoreCharges' : [ 0x2a0, ['unsigned long long']], 'ObtainLockedPageCharge' : [ 0x2c0, ['unsigned long long']], 'FreeLockedPageCharge' : [ 0x300, ['unsigned long long']], 'AllocateStore' : [ 0x308, ['unsigned long long']], 'FreeStore' : [ 0x310, ['unsigned long long']], 'AllocateSystemImageProtos' : [ 0x318, ['unsigned long long']], 'FreeSystemImageProtos' : [ 0x320, ['unsigned long long']], 'AllocateModWriterCharge' : [ 0x328, ['unsigned long long']], 'FreeModWriterCharge' : [ 0x330, 
['unsigned long long']], 'AllocateMappedWriterCharge' : [ 0x338, ['unsigned long long']], 'FreeMappedWriterCharge' : [ 0x340, ['unsigned long long']], 'AllocateRegistryCharges' : [ 0x348, ['unsigned long long']], 'FreeRegistryCharges' : [ 0x350, ['unsigned long long']], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_AVAILABLE_PAGE_WAIT_STATES' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'EventSets' : [ 0x18, ['unsigned long']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : 
[ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_POP_FX_DEVICE' : [ 0x278, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x18, ['pointer64', ['_POP_IRP_DATA']]], 'Status' : [ 0x20, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x24, ['long']], 'PowerNotReqCall' : [ 0x28, ['long']], 'DevNode' : [ 0x30, ['pointer64', ['_DEVICE_NODE']]], 'DpmContext' : [ 0x38, ['pointer64', ['PEPHANDLE__']]], 'Plugin' : [ 0x40, ['pointer64', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x48, ['pointer64', ['PEPHANDLE__']]], 'AcpiPlugin' : [ 0x50, ['pointer64', ['_POP_FX_PLUGIN']]], 'AcpiPluginHandle' : [ 
0x58, ['pointer64', ['PEPHANDLE__']]], 'DeviceObject' : [ 0x60, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x68, ['pointer64', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x70, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0xa8, ['pointer64', ['void']]], 'AcpiLink' : [ 0xb0, ['_LIST_ENTRY']], 'DeviceId' : [ 0xc0, ['_UNICODE_STRING']], 'RemoveLock' : [ 0xd0, ['_IO_REMOVE_LOCK']], 'AcpiRemoveLock' : [ 0xf0, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0x110, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0x148, ['unsigned long long']], 'IdleTimer' : [ 0x150, ['_KTIMER']], 'IdleDpc' : [ 0x190, ['_KDPC']], 'IdleTimeout' : [ 0x1d0, ['unsigned long long']], 'IdleStamp' : [ 0x1d8, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0x1e0, ['array', 2, ['pointer64', ['_DEVICE_OBJECT']]]], 'NextIrpPowerState' : [ 0x1f0, ['array', 2, ['_POWER_STATE']]], 'NextIrpCallerCompletion' : [ 0x1f8, ['array', 2, ['pointer64', ['void']]]], 'NextIrpCallerContext' : [ 0x208, ['array', 2, ['pointer64', ['void']]]], 'IrpCompleteEvent' : [ 0x218, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x230, ['pointer64', ['void']]], 'Accounting' : [ 0x238, ['_POP_FX_ACCOUNTING']], 'Flags' : [ 0x268, ['unsigned long']], 'ComponentCount' : [ 0x26c, ['unsigned long']], 'Components' : [ 0x270, ['pointer64', ['pointer64', ['_POP_FX_COMPONENT']]]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_IOV_IRP_TRACE' : [ 0x80, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x10, ['short']], 'SpecialApcDisable' : [ 0x12, ['short']], 'CombinedApcDisable' : [ 0x10, ['unsigned long']], 'Irql' : [ 0x14, ['unsigned char']], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '_MI_CLONE_BLOCK_FLAGS' : [ 0x8, { 'ActualCloneCommit' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 59, native_type='unsigned long 
long')]], 'CloneProtection' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GetExtents' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CoalescedIo' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'VmLockNotNeeded' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_MI_QUEUED_DEADSTACK_WORKITEM' : [ 0x28, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Active' : [ 0x20, ['long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long long']], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long long']], 'Processors' : [ 0x8, ['unsigned long']], 'ActiveProcessors' : [ 0xc, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_AVL_TABLE' : [ 0xc0, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x70, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['long']], } ], '__unnamed_25dc' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_25de' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_25dc']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x60, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 
0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CoolingExtension' : [ 0x40, ['pointer64', ['_POP_COOLING_EXTENSION']]], 'Volume' : [ 0x48, ['_LIST_ENTRY']], 'Specific' : [ 0x58, ['__unnamed_25de']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_CM_UOW_SET_SD_DATA' : [ 0x4, { 'SecurityCell' : [ 0x0, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 
'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x38, ['long']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_PPM_COORDINATED_SYNCHRONIZATION' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'EnterProcessor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'ExitProcessor' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 24, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 26, native_type='unsigned long')]], 'Entered' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 
'EntryPriority' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_KDPC_LIST' : [ 0x10, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['_CM_COMPONENT_HASH']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit 
= 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_THERMAL_TELEMETRY_TRACKER' : [ 0x160, { 'AccountingDisabled' : [ 0x0, ['unsigned char']], 'LastPassiveUpdateTime' : [ 0x8, ['unsigned long long']], 'TotalPassiveTime' : [ 0x10, ['array', 21, ['unsigned long long']]], 'PassiveTimeSnap' : [ 0xb8, ['array', 21, ['unsigned long long']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_MI_VISIBLE_PARTITION' : [ 0x1380, { 'LowestPhysicalPage' : [ 0x0, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x8, ['unsigned long long']], 'NumberOfPhysicalPages' : [ 0x10, ['unsigned long long']], 'NumberOfPagingFiles' : [ 0x18, ['unsigned long']], 'PagingFile' : [ 0x20, ['array', 16, ['pointer64', 
['_MMPAGING_FILE']]]], 'AvailablePages' : [ 0xc0, ['unsigned long long']], 'ResidentAvailablePages' : [ 0x100, ['unsigned long long']], 'PartitionWs' : [ 0x140, ['array', 1, ['_MMSUPPORT_INSTANCE']]], 'PartitionWorkingSetLists' : [ 0x200, ['array', 1, ['_MMWSL_INSTANCE']]], 'SystemCacheInitialized' : [ 0x3a0, ['unsigned char']], 'TotalCommittedPages' : [ 0x3a8, ['unsigned long long']], 'ModifiedPageListHead' : [ 0x3c0, ['_MMPFNLIST']], 'ModifiedNoWritePageListHead' : [ 0x400, ['_MMPFNLIST']], 'TotalCommitLimit' : [ 0x428, ['unsigned long long']], 'TotalPagesForPagingFile' : [ 0x430, ['unsigned long long']], 'VadPhysicalPages' : [ 0x438, ['unsigned long long']], 'ProcessLockedFilePages' : [ 0x440, ['unsigned long long']], 'ChargeCommitmentFailures' : [ 0x448, ['array', 4, ['unsigned long']]], 'PageTableBitmapPages' : [ 0x458, ['unsigned long long']], 'PageFileTraceIndex' : [ 0x460, ['long']], 'PageFileTraces' : [ 0x468, ['array', 32, ['_MI_PAGEFILE_TRACES']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x58, { 'Context' : [ 
0x0, ['pointer64', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x38, ['unsigned long']], 'DependencyUsed' : [ 0x3c, ['unsigned long']], 'DependencyArray' : [ 0x40, ['pointer64', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x48, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x4c, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x50, ['unsigned long']], } ], '_PNP_REBALANCE_TRACE_CONTEXT' : [ 0x70, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'RebalancePhase' : [ 0x4, ['unsigned long']], 'Reason' : [ 0x8, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'RebalanceReasonUnknown', 1: 'RebalanceReasonRequirementsChanged', 2: 'RebalanceReasonNewDevice'})]]], 'Failure' : [ 0x10, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'RebalanceFailureNone', 1: 'RebalanceFailureDisabled', 2: 'RebalanceFailureNoMemory', 3: 'RebalanceFailureQueryStopUnexpectedVeto', 4: 'RebalanceFailureNoRequirements', 5: 'RebalanceFailureNoCandidates', 6: 'RebalanceFailureNoConfiguration'})]]], 'SubtreeRoot' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'SubtreeIncludesRoot' : [ 0x20, ['unsigned char']], 'TriggerRoot' : [ 0x28, ['pointer64', ['_DEVICE_NODE']]], 'RebalanceDueToDynamicPartitioning' : [ 0x30, ['unsigned char']], 'BeginTime' : [ 0x38, ['unsigned long long']], 'VetoNode' : [ 0x40, ['array', 2, ['pointer64', ['_DEVICE_NODE']]]], 'VetoQueryRebalanceReason' : [ 0x50, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceQueryRebalanceSucceeded', 1: 'DeviceQueryStopFailed', 2: 'DeviceFailedGetNewResourceRequirement', 3: 'DeviceInUnexpectedState', 4: 'DeviceNotSupportQueryRebalance'})]]], 'ConflictContext' : [ 0x58, ['_PNP_RESOURCE_CONFLICT_TRACE_CONTEXT']], } ], '_IOP_IRP_STACK_PROFILER' : [ 0x54, { 'Profile' : [ 0x0, ['array', 20, ['unsigned long']]], 'TotalIrps' : [ 0x50, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x28, { 'BlockOffset' : [ 0x0, ['unsigned long long']], 
'PermanentBinAddress' : [ 0x8, ['unsigned long long']], 'TemporaryBinAddress' : [ 0x10, ['unsigned long long']], 'TemporaryBinRundown' : [ 0x18, ['_EX_RUNDOWN_REF']], 'MemAlloc' : [ 0x20, ['unsigned long']], } ], '__unnamed_2642' : [ 0x18, { 'RequestedTime' : [ 0x0, ['unsigned long long']], 'ProgrammedTime' : [ 0x8, ['unsigned long long']], 'TimerInfo' : [ 0x10, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0x110, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', 
choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'WakeFirstUnattendedTime' : [ 0x58, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x68, ['array', 3, ['__unnamed_2642']]], 'WakeAlarmPaused' : [ 0xb0, ['unsigned char']], 'WakeAlarmLastTime' : [ 0xb8, ['unsigned long long']], 'FilteredCapabilities' : [ 0xc0, ['SYSTEM_POWER_CAPABILITIES']], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : 
[ 0x18, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_WNF_LOCK' : [ 0x8, { 'PushLock' : [ 0x0, ['_EX_PUSH_LOCK']], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '_ISR_THUNK' : [ 0x8, { 'PushImm' : [ 0x0, ['unsigned char']], 'Vector' : [ 0x1, ['unsigned char']], 'PushRbp' : [ 0x2, ['unsigned char']], 'JmpOp' : [ 0x3, ['unsigned char']], 'JmpOffset' : [ 0x4, ['long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KINTERRUPT' : [ 0x100, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'EmulateActiveBoth' : [ 0x65, ['unsigned char']], 'ActiveCount' : [ 0x66, ['unsigned short']], 'InternalState' : [ 0x68, ['long']], 'Mode' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 
'Latched'})]], 'Polarity' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x74, ['unsigned long']], 'DispatchCount' : [ 0x78, ['unsigned long']], 'PassiveEvent' : [ 0x80, ['pointer64', ['_KEVENT']]], 'TrapFrame' : [ 0x88, ['pointer64', ['_KTRAP_FRAME']]], 'DisconnectData' : [ 0x90, ['pointer64', ['void']]], 'ServiceThread' : [ 0x98, ['pointer64', ['_KTHREAD']]], 'ConnectionData' : [ 0xa0, ['pointer64', ['_INTERRUPT_CONNECTION_DATA']]], 'IntTrackEntry' : [ 0xa8, ['pointer64', ['void']]], 'IsrDpcStats' : [ 0xb0, ['_ISRDPCSTATS']], 'RedirectObject' : [ 0xf0, ['pointer64', ['void']]], 'Padding' : [ 0xf8, ['array', 8, ['unsigned char']]], } ], '_MI_PARTITION_ZEROING' : [ 0x60, { 'PageEvent' : [ 0x0, ['_KEVENT']], 'ThreadActive' : [ 0x18, ['unsigned char']], 'ZeroFreePageSlistMinimum' : [ 0x1c, ['long']], 'RebalanceZeroFreeWorkItem' : [ 0x20, ['_WORK_QUEUE_ITEM']], 'ThreadCount' : [ 0x40, ['long']], 'Gate' : [ 0x48, ['_KGATE']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x38, { 'ComponentActive' : [ 0x0, ['pointer64', ['void']]], 'ComponentIdle' : [ 0x8, ['pointer64', ['void']]], 'ComponentIdleState' : [ 0x10, ['pointer64', ['void']]], 'DevicePowerRequired' : [ 0x18, ['pointer64', ['void']]], 'DevicePowerNotRequired' : [ 0x20, ['pointer64', ['void']]], 'PowerControl' : [ 0x28, ['pointer64', ['void']]], 'ComponentCriticalTransition' : [ 0x30, ['pointer64', ['void']]], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Reserved0' : [ 0x0, ['BitField', dict(start_bit = 3, 
end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'u1' : [ 0x0, ['unsigned short']], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceAge' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'NewMaximum' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CommitReleaseState' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'u2' : [ 0x3, ['unsigned char']], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_WAITING_IRP' : [ 0x38, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'CompletionRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'Information' : [ 0x30, ['unsigned long']], 'BreakAllRH' : [ 0x34, ['unsigned char']], } ], '_MI_DYNAMIC_BITMAP' : [ 
0x50, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP_EX']], 'MaximumSize' : [ 0x10, ['unsigned long long']], 'Hint' : [ 0x18, ['unsigned long long']], 'BaseVa' : [ 0x20, ['pointer64', ['void']]], 'SizeTopDown' : [ 0x28, ['unsigned long long']], 'HintTopDown' : [ 0x30, ['unsigned long long']], 'BaseVaTopDown' : [ 0x38, ['pointer64', ['void']]], 'SpinLock' : [ 0x40, ['unsigned long long']], 'Vm' : [ 0x48, ['pointer64', ['_MMSUPPORT_INSTANCE']]], } ], '_UNEXPECTED_INTERRUPT' : [ 0x8, { 'PushImm' : [ 0x0, ['unsigned char']], 'Vector' : [ 0x1, ['unsigned char']], 'PushRbp' : [ 0x2, ['unsigned char']], 'JmpOp' : [ 0x3, ['unsigned char']], 'JmpOffset' : [ 0x4, ['long']], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, ['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit 
= 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 28, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PLATFORM_IDLE_STATE_ACCOUNTING' : [ 0x3e8, { 'CancelCount' : [ 0x0, ['unsigned long']], 'FailureCount' : [ 0x4, ['unsigned long']], 'SuccessCount' : [ 0x8, ['unsigned long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'TotalTime' : [ 0x20, ['unsigned long long']], 'InvalidBucketIndex' : [ 0x28, ['unsigned long']], 'SelectionStatistics' : [ 0x30, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa8, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_PROC_FEEDBACK' : [ 0x90, { 'Lock' : [ 0x0, ['unsigned long long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer64', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x28, ['unsigned long long']], 'UnscaledTime' : [ 0x30, ['unsigned long long']], 'UnaccountedTime' : [ 0x38, ['long long']], 'ScaledTime' : [ 0x40, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x50, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x58, ['unsigned long long']], 'UserTimeLast' : [ 0x60, ['unsigned 
long']], 'KernelTimeLast' : [ 0x64, ['unsigned long']], 'IdleGenerationNumberLast' : [ 0x68, ['unsigned long long']], 'HvActiveTimeLast' : [ 0x70, ['unsigned long long']], 'StallCyclesLast' : [ 0x78, ['unsigned long long']], 'StallTime' : [ 0x80, ['unsigned long long']], 'KernelTimesIndex' : [ 0x88, ['unsigned char']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x30, { 'InstantaneousRead' : [ 0x0, ['pointer64', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer64', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'Scaling' : [ 0x22, ['unsigned char']], 'Context' : [ 0x28, ['unsigned long long']], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_MI_DRIVER_VA' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_DRIVER_VA']]], 'PointerPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BitMap' : [ 0x10, ['_RTL_BITMAP']], 'Hint' : [ 0x20, ['unsigned long']], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_PEB64' : [ 0x7a0, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, 
end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'IsLongPathAwareProcess' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' 
: [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'SparePvoid0' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, 
['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pUnused' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x388, ['unsigned long long']], 'TppWorkerpList' : [ 0x390, ['LIST_ENTRY64']], 'WaitOnAddressHashTable' : [ 0x3a0, ['array', 128, ['unsigned long long']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 
0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned short']], 'Flags' : [ 0x5a, ['unsigned char']], 'ShutDownRequested' : [ 0x5a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x5a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x5a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x5a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Wow' : [ 0x5a, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'EventsLostCount' : [ 0x88, ['pointer64', ['unsigned long']]], 'BuffersLostCount' : [ 0x90, ['pointer64', ['unsigned long']]], 'SiloState' : [ 0x98, ['pointer64', ['_ETW_SILODRIVERSTATE']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 
0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_POP_HIBER_CONTEXT' : [ 0x1d0, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x3, ['unsigned char']], 'InitializationFinished' : [ 0x4, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'HvCaptureReadyBarrier' : [ 0x14, ['long']], 'HvCaptureCompletedBarrier' : [ 0x18, ['long']], 'MapFrozen' : [ 0x1c, ['unsigned char']], 'DiscardMap' : [ 0x20, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x20, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x30, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x40, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x50, ['unsigned long']], 'ClonedPageCount' : [ 0x58, ['unsigned long long']], 'CurrentMap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x68, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x70, ['unsigned long long']], 'LoaderMdl' : [ 0x78, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x80, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x88, ['unsigned long long']], 'IoPages' : [ 0x90, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x98, ['unsigned long']], 'CurrentMcb' : [ 0xa0, ['pointer64', ['void']]], 'DumpStack' : [ 0xa8, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xb0, ['pointer64', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0xb8, ['unsigned long']], 'Status' : [ 0xbc, ['long']], 'GraphicsProc' : [ 0xc0, ['unsigned long']], 'MemoryImage' : [ 0xc8, ['pointer64', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0xd0, ['pointer64', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0xd8, ['pointer64', ['_MDL']]], 'SiLogOffset' : [ 0xe0, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0xe8, ['pointer64', 
['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0xf0, ['pointer64', ['void']]], 'ResumeContext' : [ 0xf8, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x100, ['unsigned long']], 'SecurePages' : [ 0x104, ['unsigned long']], 'ProcessorCount' : [ 0x108, ['unsigned long']], 'ProcessorContext' : [ 0x110, ['pointer64', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0x118, ['pointer64', ['unsigned char']]], 'ProdConsSize' : [ 0x120, ['unsigned long']], 'MaxDataPages' : [ 0x124, ['unsigned long']], 'ExtraBuffer' : [ 0x128, ['pointer64', ['void']]], 'ExtraBufferSize' : [ 0x130, ['unsigned long long']], 'ExtraMapVa' : [ 0x138, ['pointer64', ['void']]], 'BitlockerKeyPFN' : [ 0x140, ['unsigned long long']], 'IoInfo' : [ 0x148, ['_POP_IO_INFO']], 'IoChecksums' : [ 0x1b8, ['pointer64', ['unsigned short']]], 'IoChecksumsSize' : [ 0x1c0, ['unsigned long long']], 'HardwareConfigurationSignature' : [ 0x1c8, ['unsigned long']], 'IumEnabled' : [ 0x1cc, ['unsigned char']], } ], '__unnamed_26c2' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MI_DECAY_TIMER_LINKAGE']], } ], '_MI_DECAY_TIMER_LINK' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_26c2']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '__unnamed_26c9' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, 
['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_26c9']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '_MI_PARTITION_COMMIT' : [ 0x80, { 'PeakCommitment' : [ 0x0, ['unsigned long long']], 'TotalCommitLimitMaximum' : [ 0x8, ['unsigned long long']], 'Popups' : [ 0x10, ['array', 2, ['long']]], 'LowCommitThreshold' : [ 0x18, ['unsigned long long']], 'HighCommitThreshold' : [ 0x20, ['unsigned long long']], 'EventLock' : [ 0x28, ['unsigned long long']], 'SystemCommitReserve' : [ 0x30, ['unsigned long long']], 'OverCommit' : [ 0x40, ['unsigned long long']], } ], '_TRIAGE_DEVICE_NODE' : [ 0x58, { 'Sibling' : [ 0x0, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'FxDevice' : [ 0x50, ['pointer64', 
['_TRIAGE_POP_FX_DEVICE']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned 
char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x48, { 'InitiatingThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ThreadId' : [ 0x10, ['pointer64', ['void']]], 'ProcessId' : [ 0x18, ['pointer64', ['void']]], 'Code' : [ 0x20, ['unsigned long']], 'Parameter1' : [ 0x28, ['unsigned long long']], 'Parameter2' : [ 0x30, ['unsigned long long']], 'Parameter3' : [ 0x38, ['unsigned long long']], 'Parameter4' : [ 0x40, ['unsigned long long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x8, ['pointer64', ['wchar']]], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8180, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : 
[ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'StackLimitHits' : [ 0x8038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x803c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x8040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8044, ['unsigned long']], 'TotalReleases' : [ 0x8048, ['unsigned long']], 'RootNodesDeleted' : [ 0x804c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x8050, ['unsigned long']], 'Instigator' : [ 0x8058, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8060, ['unsigned long']], 'Participant' : [ 0x8068, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8168, ['long']], 'StackType' : [ 0x816c, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x8170, ['unsigned long long']], 'StackHighLimit' : [ 0x8178, ['unsigned long long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'PO_MEMORY_IMAGE' : [ 0x3c8, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' 
: [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long long']], 'HiberFlags' : [ 0x38, ['unsigned char']], 'spare' : [ 0x39, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x3c, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'NumPagesForLoader' : [ 0x58, ['unsigned long long']], 'FirstSecureRestorePage' : [ 0x60, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x68, ['unsigned long long']], 'FirstKernelRestorePage' : [ 0x70, ['unsigned long long']], 'FirstChecksumRestorePage' : [ 0x78, ['unsigned long long']], 'NoChecksumEntries' : [ 0x80, ['unsigned long long']], 'PerfInfo' : [ 0x88, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x270, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x278, ['array', 1, ['unsigned long long']]], 'SiLogOffset' : [ 0x280, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x284, ['unsigned long']], 'BootLoaderLogPages' : [ 0x288, ['array', 24, ['unsigned long long']]], 'NotUsed' : [ 0x348, ['unsigned long']], 'ResumeContextCheck' : [ 0x34c, ['unsigned long']], 'ResumeContextPages' : [ 0x350, ['unsigned long']], 'Hiberboot' : [ 0x354, ['unsigned char']], 'HvCr3' : [ 0x358, ['unsigned long long']], 'HvEntryPoint' : [ 0x360, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x368, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x370, ['unsigned long long']], 'BootFlags' : [ 0x378, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x380, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x388, ['unsigned long long']], 'BitlockerKeyPfns' : [ 0x390, ['array', 4, ['unsigned long long']]], 'HardwareSignature' 
: [ 0x3b0, ['unsigned long']], 'SMBiosTablePhysicalAddress' : [ 0x3b8, ['_LARGE_INTEGER']], 'SMBiosTableLength' : [ 0x3c0, ['unsigned long']], 'SMBiosMajorVersion' : [ 0x3c4, ['unsigned char']], 'SMBiosMinorVersion' : [ 0x3c5, ['unsigned char']], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 
0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_MI_PAGING_IO_STATE' : [ 0x50, { 'PageFileHead' : [ 0x0, ['_RTL_AVL_TREE']], 'PageFileHeadSpinLock' : [ 0x8, ['long']], 'PrefetchSeekThreshold' : [ 0xc, ['long']], 'InPageSupportSListHead' : [ 0x10, ['array', 2, ['_SLIST_HEADER']]], 'InPageSupportSListMinimum' : [ 0x30, ['array', 2, ['unsigned char']]], 'InPageSinglePages' : [ 0x34, ['unsigned long']], 'DelayPageFaults' : [ 0x38, ['long']], 'FileCompressionBoundary' : [ 0x3c, ['unsigned long']], 'MdlsAdjusted' : [ 0x40, ['unsigned char']], } ], '_MI_STANDBY_STATE' : [ 0xc0, { 'TransitionSharedPages' : [ 0x0, ['unsigned long long']], 'TransitionSharedPagesPeak' : [ 0x8, ['array', 3, ['unsigned long long']]], 'FirstDecayPage' : [ 0x20, ['unsigned long long']], 'PfnDecayFreeSList' : [ 0x30, 
['_SLIST_HEADER']], 'PfnRepurposeLog' : [ 0x40, ['pointer64', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'AllocatePfnRepurposeDpc' : [ 0x48, ['_KDPC']], } ], '_MI_DECAY_TIMER_LINKAGE' : [ 0x8, { 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'NextDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x150, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x108, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x148, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], 
'_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_TRIAGE_9F_POWER' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'IrpList' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'ThreadList' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'DelayedWorkQueue' : [ 0x18, ['pointer64', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_MMINPAGE_SUPPORT_FLOW_THROUGH' : [ 0x38, { 'Page' : [ 0x0, ['array', 1, ['unsigned long long']]], 'InitialInPageSupport' : [ 0x8, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'PagingFile' : [ 0x10, ['pointer64', ['_MMPAGING_FILE']]], 'PageFileOffset' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['_RTL_BALANCED_NODE']], } ], '_MI_COMBINE_STATE' : [ 0x1a0, { 'ActiveSpinLock' : [ 0x0, ['long']], 'CombiningThreadCount' : [ 0x4, ['unsigned long']], 'ActiveThreadTree' : [ 0x8, ['_RTL_AVL_TREE']], 'ZeroPageHashValue' : [ 0x10, ['unsigned long long']], 'CrossPartition' : [ 0x18, ['_MI_PAGE_COMBINING_SUPPORT']], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_PTE_TRACKER' : [ 0x80, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'GuardPte' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x48, ['array', 7, ['pointer64', ['void']]]], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_HIVE_WAIT_PACKET' : [ 0x28, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Next' : [ 0x20, ['pointer64', ['_HIVE_WAIT_PACKET']]], } ], '_VF_AVL_TREE_NODE_EX' : [ 0x18, { 'Base' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'SessionId' : [ 0x10, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_CM_INDEX' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'NameHint' : [ 0x4, ['array', 4, ['unsigned char']]], 'HashKey' : [ 0x4, ['_CM_COMPONENT_HASH']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_MMPAGING_FILE' : [ 0x120, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'FreeReservationSpace' : [ 0x30, ['unsigned long long']], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x40, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x50, 
['_SLIST_HEADER']], 'PageFileName' : [ 0x60, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x70, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x78, ['unsigned long']], 'LargestAllocationCluster' : [ 0x7c, ['unsigned long']], 'RefreshAllocationCluster' : [ 0x80, ['unsigned long']], 'LastRefreshAllocationCluster' : [ 0x84, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x88, ['unsigned long']], 'MaximumRunLengthInBitmaps' : [ 0x8c, ['unsigned long']], 'BitmapsCacheLengthTree' : [ 0x90, ['_RTL_RB_TREE']], 'BitmapsCacheLocationTree' : [ 0xa0, ['_RTL_RB_TREE']], 'BitmapsCacheFreeList' : [ 0xb0, ['_LIST_ENTRY']], 'BitmapsCacheEntries' : [ 0xc0, ['pointer64', ['_MI_PAGEFILE_BITMAPS_CACHE_ENTRY']]], 'ToBeEvictedCount' : [ 0xc8, ['unsigned long']], 'HybridPriority' : [ 0xc8, ['unsigned long']], 'PageFileNumber' : [ 0xcc, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0xcc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'NoReservations' : [ 0xcc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'VirtualStorePagefile' : [ 0xcc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SwapSupported' : [ 0xcc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'NodeInserted' : [ 0xcc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'StackNotified' : [ 0xcc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0xcc, ['BitField', dict(start_bit = 10, end_bit = 15, native_type='unsigned short')]], 'AdriftMdls' : [ 0xce, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0xce, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'IgnoreReservations' : [ 0xcf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare2' : [ 0xcf, 
['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0xd0, ['unsigned long']], 'PageHashPagesPeak' : [ 0xd4, ['unsigned long']], 'PageHash' : [ 0xd8, ['pointer64', ['unsigned long']]], 'FileHandle' : [ 0xe0, ['pointer64', ['void']]], 'Lock' : [ 0xe8, ['unsigned long long']], 'LockOwner' : [ 0xf0, ['pointer64', ['_ETHREAD']]], 'FlowThroughReadRoot' : [ 0xf8, ['_RTL_AVL_TREE']], 'Partition' : [ 0x100, ['pointer64', ['_MI_PARTITION']]], 'FileObjectNode' : [ 0x108, ['_RTL_BALANCED_NODE']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_HVIEW_MAP' : [ 0x4b0, { 'MappedLength' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Directory' : [ 0x18, ['pointer64', ['_HVIEW_MAP_DIRECTORY']]], 'PagesCharged' : [ 0x20, ['unsigned long']], 'PinLog' : [ 0x28, ['_HVIEW_MAP_PIN_LOG']], } ], '_POP_FX_WORK_ORDER' : [ 0x38, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x20, ['long']], 'Context' : [ 0x28, ['pointer64', ['void']]], 'WatchdogTimerInfo' : [ 0x30, ['pointer64', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x18, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned 
short']], 'Flags' : [ 0x16, ['unsigned short']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_PAGELIST_STATE' : [ 0x10, { 'ActiveSpinLock' : [ 0x0, ['long']], 'ActiveThreadTree' : [ 0x8, ['_RTL_AVL_TREE']], } ], '_CRITICAL_PROCESS_EXCEPTION_DATA' : [ 0x30, { 'ReportId' : [ 0x0, ['_GUID']], 'ModuleName' : [ 0x10, ['_UNICODE_STRING']], 'ModuleTimestamp' : [ 0x20, ['unsigned long']], 'ModuleSize' : [ 0x24, ['unsigned long']], 'Offset' : [ 0x28, ['unsigned long long']], } ], '__unnamed_2770' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2772' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2770']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2772']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, 
['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_RELATION_LIST' : [ 0x10, { 'DeviceObjectList' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT_LIST']]], 'Sorted' : [ 0x8, ['unsigned char']], } ], '_IO_IRP_EXT_TRACK_OFFSET_HEADER' : [ 0x10, { 'Validation' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'TrackedOffsetCallback' : [ 0x8, ['pointer64', ['void']]], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x50, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ulTargetPlatform' : [ 0x8, ['unsigned long']], 'ullContextMinimum' : [ 0x10, ['unsigned long long']], 'guPlatform' : [ 0x18, ['_GUID']], 'guMinPlatform' : [ 0x28, ['_GUID']], 'ulContextSource' : [ 0x38, ['unsigned long']], 'ulElementCount' : [ 0x3c, ['unsigned long']], 'guElements' : [ 0x40, ['array', 1, ['_GUID']]], } ], '_SESSION_LOWBOX_MAP' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'LowboxMap' : [ 0x18, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_POP_IO_INFO' : [ 0x70, { 'DumpMdl' : [ 0x0, ['pointer64', ['_MDL']]], 'IoStatus' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x10, ['unsigned long long']], 'IoBytesCompleted' : [ 0x18, ['unsigned long long']], 'IoBytesInProgress' : [ 0x20, ['unsigned long long']], 'RequestSize' : [ 0x28, ['unsigned long long']], 'IoLocation' : [ 0x30, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x38, ['unsigned long long']], 'Buffer' : [ 0x40, ['pointer64', ['void']]], 'AsyncCapable' : [ 0x48, ['unsigned 
char']], 'BytesToRead' : [ 0x50, ['unsigned long long']], 'Pages' : [ 0x58, ['unsigned long']], 'HighestChecksumIndex' : [ 0x60, ['unsigned long long']], 'PreviousChecksum' : [ 0x68, ['unsigned short']], } ], '_TOKEN_ACCESS_INFORMATION' : [ 0x58, { 'SidHash' : [ 0x0, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'RestrictedSidHash' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'Privileges' : [ 0x10, ['pointer64', ['_TOKEN_PRIVILEGES']]], 'AuthenticationId' : [ 0x18, ['_LUID']], 'TokenType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'MandatoryPolicy' : [ 0x28, ['_TOKEN_MANDATORY_POLICY']], 'Flags' : [ 0x2c, ['unsigned long']], 'AppContainerNumber' : [ 0x30, ['unsigned long']], 'PackageSid' : [ 0x38, ['pointer64', ['void']]], 'CapabilitiesHash' : [ 0x40, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'TrustLevelSid' : [ 0x48, ['pointer64', ['void']]], 'SecurityAttributes' : [ 0x50, ['pointer64', ['void']]], } ], '_MMWSL_INSTANCE' : [ 0x1a0, { 'NextSlot' : [ 0x0, ['unsigned long long']], 'NextAgingSlot' : [ 0x8, ['unsigned long long']], 'NextAccessClearingSlot' : [ 0x10, ['unsigned long long']], 'LastAccessClearingRemainder' : [ 0x18, ['unsigned long']], 'LastAgingRemainder' : [ 0x1c, ['unsigned long']], 'ActiveWsleCounts' : [ 0x20, ['array', 16, ['unsigned long long']]], 'ActiveWsles' : [ 0xa0, ['array', 16, ['_MI_ACTIVE_WSLE_LISTHEAD']]], } ], '_MIPFNBLINK' : [ 0x8, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeBlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 56, native_type='unsigned long long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 60, native_type='unsigned long long')]], 'Unused' : [ 0x0, 
['BitField', dict(start_bit = 60, end_bit = 62, native_type='unsigned long long')]], 'PageBlinkDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'PageBlinkLockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'ShareCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 62, native_type='unsigned long long')]], 'PageShareCountDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'PageShareCountLockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned long long']], 'Lock' : [ 0x0, ['long long']], 'LockNotUsed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 62, native_type='unsigned long long')]], 'DeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'LockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x24, ['unsigned long']], } ], '_PPM_COORDINATED_SELECTION' : [ 0x18, { 'MaximumStates' : [ 0x0, ['unsigned long']], 'SelectedStates' : [ 0x4, ['unsigned long']], 'DefaultSelection' : [ 0x8, ['unsigned long']], 'Selection' : [ 0x10, ['pointer64', ['unsigned long']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 
0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '__unnamed_27b3' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x78, { 'Status' : [ 0x0, ['long']], 'PartitionId' : [ 0x4, ['unsigned short']], 'Priority' : [ 0x6, ['unsigned char']], 'IrpPriority' : [ 0x7, ['unsigned char']], 'ReservationWrite' : [ 0x8, ['unsigned char']], 'CurrentTime' : [ 0x10, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x18, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x20, ['unsigned long long']], 'ModifiedPagefilePages' : [ 
0x28, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x30, ['unsigned long long']], 'ModifiedPagefileNoReservationPages' : [ 0x38, ['unsigned long long']], 'MdlHack' : [ 0x40, ['__unnamed_27b3']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['unsigned long long']], 'Key' : [ 0x8, ['unsigned long']], 'Pattern' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolType' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 20, native_type='unsigned long')]], 'SlushSize' : [ 0xc, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '__unnamed_27c0' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_27c0']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 
'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_PROC_PERF_HISTORY' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'UtilityTotal' : [ 0x8, ['unsigned long']], 'AffinitizedUtilityTotal' : [ 0xc, ['unsigned long']], 'FrequencyTotal' : [ 0x10, ['unsigned long']], 'TaggedPercentTotal' : [ 0x14, ['array', 2, ['unsigned long']]], 'HistoryList' : [ 0x1c, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '__unnamed_27d1' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_27d4' : [ 0x8, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x88, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x40, ['__unnamed_27d1']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u4' : [ 0x78, ['__unnamed_27d4']], 'FileObject' : [ 0x80, ['pointer64', ['_FILE_OBJECT']]], } ], 
'_SEP_AUDIT_POLICY' : [ 0x1f, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1e, ['unsigned char']], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x408, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_UMS_CONTROL_BLOCK' : [ 0x90, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsWaitEvent' : [ 0x30, ['_KEVENT']], 'StagingArea' : [ 0x48, ['pointer64', ['void']]], 'UmsPrimaryDeliveredContext' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsFlags' : [ 0x50, ['unsigned long']], 'TebSelector' : [ 0x88, ['unsigned short']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = 
{0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '_KALPC_WORK_ON_BEHALF_DATA' : [ 0x8, { 'Ticket' : [ 0x0, ['_ALPC_WORK_ON_BEHALF_TICKET']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', 
['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x120, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x68, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x68, ['unsigned long']], 'PackagedBinary' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned 
long')]], 'ShimDll' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x68, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x68, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LoadConfigProcessed' : [ 0x68, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectDelayLoad' : [ 0x68, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x68, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x68, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x68, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x68, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x68, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x68, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x68, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x68, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x68, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x68, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x68, ['BitField', 
dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Lock' : [ 0x90, ['pointer64', ['void']]], 'DdagNode' : [ 0x98, ['pointer64', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0xa0, ['_LIST_ENTRY']], 'LoadContext' : [ 0xb0, ['pointer64', ['_LDRP_LOAD_CONTEXT']]], 'ParentDllBase' : [ 0xb8, ['pointer64', ['void']]], 'SwitchBackContext' : [ 0xc0, ['pointer64', ['void']]], 'BaseAddressIndexNode' : [ 0xc8, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0xe0, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0xf8, ['unsigned long long']], 'LoadTime' : [ 0x100, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x108, ['unsigned long']], 'LoadReason' : [ 0x10c, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x110, ['unsigned long']], 'ReferenceCount' : [ 0x114, ['unsigned long']], 'DependentLoadFlags' : [ 0x118, ['unsigned long']], } ], '_KTIMER2_COLLECTION' : [ 0x18, { 'Tree' : [ 0x0, ['_RTL_RB_TREE']], 'NextDueTime' : [ 0x10, ['unsigned long long']], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 'Inserted' : [ 0x1c, ['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 
0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PrivateDemandZero' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, 
['wchar']]], } ], '_MI_PARTITION_MODWRITES' : [ 0x2d0, { 'AttemptForCantExtend' : [ 0x0, ['_MMPAGE_FILE_EXPANSION']], 'PageFileContract' : [ 0x60, ['_MMPAGE_FILE_EXPANSION']], 'NumberOfMappedMdls' : [ 0xc0, ['unsigned long long']], 'NumberOfMappedMdlsInUse' : [ 0xc8, ['long']], 'NumberOfMappedMdlsInUsePeak' : [ 0xcc, ['unsigned long']], 'MappedFileHeader' : [ 0xd0, ['_MMMOD_WRITER_LISTHEAD']], 'NeedMappedMdl' : [ 0xf8, ['unsigned char']], 'NeedPageFileMdl' : [ 0xf9, ['unsigned char']], 'TransitionInserted' : [ 0xfa, ['unsigned char']], 'LastModifiedWriteError' : [ 0xfc, ['long']], 'LastMappedWriteError' : [ 0x100, ['long']], 'MappedFileWriteSucceeded' : [ 0x104, ['unsigned long']], 'MappedWriteBurstCount' : [ 0x108, ['unsigned long']], 'LowPriorityModWritesOutstanding' : [ 0x10c, ['unsigned long']], 'BoostModWriteIoPriorityEvent' : [ 0x110, ['_KEVENT']], 'ModifiedWriterThreadPriority' : [ 0x128, ['long']], 'ModifiedPagesLowPriorityGoal' : [ 0x130, ['unsigned long long']], 'ModifiedPageWriterEvent' : [ 0x138, ['_KEVENT']], 'ModifiedWriterExitedEvent' : [ 0x150, ['_KEVENT']], 'WriteAllPagefilePages' : [ 0x168, ['long']], 'WriteAllMappedPages' : [ 0x16c, ['long']], 'MappedPageWriterEvent' : [ 0x170, ['_KEVENT']], 'ModWriteData' : [ 0x188, ['_MI_MODWRITE_DATA']], 'RescanPageFilesEvent' : [ 0x1c8, ['_KEVENT']], 'PagingFileHeader' : [ 0x1e0, ['_MMMOD_WRITER_LISTHEAD']], 'ModifiedPageWriterThread' : [ 0x208, ['pointer64', ['_ETHREAD']]], 'ModifiedPageWriterRundown' : [ 0x210, ['_EX_RUNDOWN_REF']], 'PagefileScanWorkItem' : [ 0x218, ['_WORK_QUEUE_ITEM']], 'PagefileScanCount' : [ 0x238, ['unsigned long']], 'ClusterWritesDisabled' : [ 0x23c, ['array', 2, ['long']]], 'NotifyStoreMemoryConditions' : [ 0x248, ['_KEVENT']], 'DelayMappedWrite' : [ 0x260, ['unsigned char']], 'PagefileReservationsEnabled' : [ 0x264, ['unsigned long']], 'PageFileCreationLock' : [ 0x268, ['_EX_PUSH_LOCK']], 'TrimPagefileWorkItem' : [ 0x270, ['_WORK_QUEUE_ITEM']], 'LastTrimPagefileTime' : [ 0x290, 
['unsigned long long']], 'WsSwapPagefileContractWorkItem' : [ 0x298, ['_WORK_QUEUE_ITEM']], 'WsSwapPageFileContractionInProgress' : [ 0x2b8, ['long']], 'WorkingSetSwapLock' : [ 0x2c0, ['_EX_PUSH_LOCK']], 'WorkingSetInswapLock' : [ 0x2c8, ['long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_OB_EXTENDED_PARSE_PARAMETERS' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'RestrictedAccessMask' : [ 0x4, ['unsigned long']], 'Silo' : [ 0x8, ['pointer64', ['_EJOB']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SubsectionMappedDirect' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, 
['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '_MMWORKING_SET_EXPANSION_HEAD' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 
'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_POP_FX_ACCOUNTING' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned char']], 'DripsRequiredState' : [ 0xc, ['unsigned long']], 'Level' : [ 0x10, ['long']], 'ActiveStamp' : [ 0x18, ['long long']], 'CsActiveTime' : [ 0x20, ['unsigned long long']], 'CriticalActiveTime' : [ 0x28, ['long long']], } ], '_KSCHEDULING_GROUP_POLICY' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long']], 'Weight' : [ 0x0, ['unsigned short']], 'MinRate' : [ 0x0, ['unsigned short']], 'MaxRate' : [ 0x2, ['unsigned short']], 'AllFlags' : [ 0x4, ['unsigned long']], 'Type' : [ 0x4, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare1' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_POP_POLICY_DEVICE' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], } ], '_INVERTED_FUNCTION_TABLE_ENTRY' : [ 0x18, { 'FunctionTable' : [ 0x0, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'DynamicTable' : [ 0x0, ['pointer64', ['_DYNAMIC_FUNCTION_TABLE']]], 'ImageBase' : [ 0x8, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'SizeOfTable' : [ 0x14, ['unsigned long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x78, { 'SelectedCount' : [ 0x0, ['unsigned long long']], 'VetoCount' : [ 0x8, ['unsigned long long']], 'PreVetoCount' : [ 0x10, ['unsigned long long']], 'WrongProcessorCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, ['unsigned long long']], 'IdleDurationCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 
0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'PlatformOnlyCount' : [ 0x40, ['unsigned long long']], 'InterruptibleCount' : [ 0x48, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x50, ['unsigned long long']], 'CstateCheckCount' : [ 0x58, ['unsigned long long']], 'NoCStateCount' : [ 0x60, ['unsigned long long']], 'CoordinatedDependencyCount' : [ 0x68, ['unsigned long long']], 'PreVetoAccounting' : [ 0x70, ['pointer64', ['_PPM_VETO_ACCOUNTING']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '__unnamed_285d' : [ 0x4, { 'FlushCompleting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'FlushInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='long')]], 'Long' : [ 0x0, ['long']], } ], '_MI_PARTITION_STORES' : [ 0x90, { 'WriteAllStoreHintedPages' : [ 0x0, ['__unnamed_285d']], 'VirtualPageFileNumber' : [ 0x4, ['unsigned long']], 'Registered' : [ 0x8, ['unsigned long']], 'ReadClusterSizeMax' : [ 0xc, ['unsigned long']], 'EvictFlushRequestCount' : [ 0x10, ['unsigned long']], 'ModifiedWriteDisableCount' : [ 0x14, ['unsigned long']], 'WriteIssueFailures' : [ 0x18, ['unsigned long']], 'EvictionThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'EvictEvent' : [ 0x28, ['_KEVENT']], 'EvictFlushCompleteEvent' : [ 0x40, ['_KEVENT']], 'WriteSupportSListHead' : [ 0x60, ['_SLIST_HEADER']], 'EvictFlushLock' : [ 0x70, ['long']], 'ModifiedWriteFailedBitmap' : [ 0x78, ['pointer64', ['_RTL_BITMAP']]], 'StoreProcess' : [ 0x80, ['pointer64', ['_EPROCESS']]], } ], '_POP_FX_COMPONENT' : [ 0x100, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x18, 
['_POP_FX_WORK_ORDER']], 'Device' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x58, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x60, ['long']], 'ActiveEvent' : [ 0x68, ['_KEVENT']], 'IdleLock' : [ 0x80, ['unsigned long long']], 'IdleConditionComplete' : [ 0x88, ['long']], 'IdleStateComplete' : [ 0x8c, ['long']], 'IdleStamp' : [ 0x90, ['unsigned long long']], 'CurrentIdleState' : [ 0x98, ['unsigned long']], 'IdleStateCount' : [ 0x9c, ['unsigned long']], 'IdleStates' : [ 0xa0, ['pointer64', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0xa8, ['unsigned long']], 'ProviderCount' : [ 0xac, ['unsigned long']], 'Providers' : [ 0xb0, ['pointer64', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0xb8, ['unsigned long']], 'DependentCount' : [ 0xbc, ['unsigned long']], 'Dependents' : [ 0xc0, ['pointer64', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0xc8, ['_POP_FX_ACCOUNTING']], 'Performance' : [ 0xf8, ['pointer64', ['_POP_FX_PERF_INFO']]], } ], '_DYNAMIC_FUNCTION_TABLE' : [ 0x70, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FunctionTable' : [ 0x10, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'TimeStamp' : [ 0x18, ['_LARGE_INTEGER']], 'MinimumAddress' : [ 0x20, ['unsigned long long']], 'MaximumAddress' : [ 0x28, ['unsigned long long']], 'BaseAddress' : [ 0x30, ['unsigned long long']], 'Callback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'OutOfProcessCallbackDll' : [ 0x48, ['pointer64', ['wchar']]], 'Type' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'RF_SORTED', 1: 'RF_UNSORTED', 2: 'RF_CALLBACK', 3: 'RF_KERNEL_DYNAMIC'})]], 'EntryCount' : [ 0x54, ['unsigned long']], 'TreeNode' : [ 0x58, ['_RTL_BALANCED_NODE']], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 
0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MMPAGE_FILE_EXPANSION' : [ 0x60, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'Partition' : [ 0x18, ['pointer64', ['_MI_PARTITION']]], 'RequestedExpansionSize' : [ 0x20, ['unsigned long long']], 'ActualExpansion' : [ 0x28, ['unsigned long long']], 'Event' : [ 0x30, ['_KEVENT']], 'InProgress' : [ 0x48, ['long']], 'u' : [ 0x4c, ['_MMPAGE_FILE_EXPANSION_FLAGS']], 'ActiveEntry' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'AttemptForCantExtend' : [ 0x58, ['unsigned char']], 'PageFileContract' : [ 0x59, ['unsigned char']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x86, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'Unused' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ForceCollision' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_HVIEW_MAP_PIN_LOG' : [ 0x488, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Entries' : [ 0x8, ['array', 16, ['_HVIEW_MAP_PIN_LOG_ENTRY']]], } ], '_IO_REMOVE_LOCK' : [ 0x20, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, 
['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '__unnamed_2891' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_2891']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_MI_POOL_STATE' : [ 0xf8, { 'MaximumNonPagedPoolThreshold' : [ 0x0, ['unsigned long long']], 'NonPagedPoolSListMaximum' : [ 0x8, ['array', 3, ['unsigned long']]], 'AllocatedNonPagedPool' : [ 0x18, ['unsigned long long']], 'BadPoolHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'HighEventSets' : [ 0x28, ['unsigned long']], 'HighEventSetsValid' : [ 0x2c, ['unsigned char']], 'PoolFailures' : [ 0x30, ['array', 3, ['array', 3, ['unsigned long']]]], 'PoolFailureReasons' : [ 0x54, ['_MI_POOL_FAILURE_REASONS']], 'LowPagedPoolThreshold' : [ 0x80, ['unsigned long long']], 'HighPagedPoolThreshold' : [ 0x88, ['unsigned long long']], 'PagedPoolSListMaximum' : [ 0x90, ['unsigned long']], 'PreemptiveTrims' : [ 0x94, ['array', 4, ['unsigned long']]], 'SpecialPagesInUsePeak' : [ 0xa8, ['unsigned long long']], 'SpecialPoolRejected' : [ 0xb0, ['array', 9, ['unsigned long']]], 'SpecialPagesNonPaged' : [ 0xd8, ['unsigned long long']], 'SpecialPoolPdes' : [ 0xe0, ['long']], 'SessionSpecialPoolPdesMax' : [ 0xe4, ['unsigned long']], 'TotalPagedPoolQuota' : [ 0xe8, ['unsigned long long']], 'TotalNonPagedPoolQuota' : [ 0xf0, ['unsigned long long']], } ], '_IMAGE_RUNTIME_FUNCTION_ENTRY' : [ 0xc, { 'BeginAddress' : [ 0x0, ['unsigned long']], 'EndAddress' : [ 0x4, ['unsigned long']], 
'UnwindInfoAddress' : [ 0x8, ['unsigned long']], 'UnwindData' : [ 0x8, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'OperatingSystemVersion' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ComPlusPrefer32bit' : [ 0x33, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x30, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'ConnectLock' : [ 0x8, ['_KEVENT']], 'LineMasked' : [ 0x20, ['unsigned 
char']], 'InterruptList' : [ 0x28, ['pointer64', ['_KINTERRUPT']]], } ], '_PPM_SELECTION_DEPENDENCY' : [ 0x18, { 'Processor' : [ 0x0, ['unsigned long']], 'Menu' : [ 0x8, ['_PPM_SELECTION_MENU']], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_CM_WORKITEM' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_MI_HARDWARE_STATE' : [ 0x100, { 'NodeMask' : [ 0x0, ['unsigned long']], 'NodeGraph' : [ 0x8, ['pointer64', ['unsigned short']]], 'SystemNodeInformation' : [ 0x10, ['pointer64', ['_MI_SYSTEM_NODE_INFORMATION']]], 'NumaLastRangeIndex' : [ 0x18, ['unsigned long']], 'NumaMemoryRanges' : [ 0x20, 
['pointer64', ['_HAL_NODE_RANGE']]], 'NumaTableCaptured' : [ 0x28, ['unsigned char']], 'NodeShift' : [ 0x29, ['unsigned char']], 'ChannelMemoryRanges' : [ 0x30, ['pointer64', ['_HAL_CHANNEL_MEMORY_RANGES']]], 'ChannelShift' : [ 0x38, ['unsigned char']], 'SecondLevelCacheSize' : [ 0x3c, ['unsigned long']], 'FirstLevelCacheSize' : [ 0x40, ['unsigned long']], 'PhysicalAddressBits' : [ 0x44, ['unsigned long']], 'AllMainMemoryMustBeCached' : [ 0x48, ['unsigned char']], 'TotalPagesAllowed' : [ 0x50, ['unsigned long long']], 'SecondaryColorMask' : [ 0x58, ['unsigned long']], 'SecondaryColors' : [ 0x5c, ['unsigned long']], 'FlushTbForAttributeChange' : [ 0x60, ['unsigned long']], 'FlushCacheForAttributeChange' : [ 0x64, ['unsigned long']], 'FlushCacheForPageAttributeChange' : [ 0x68, ['unsigned long']], 'CacheFlushPromoteThreshold' : [ 0x6c, ['unsigned long']], 'FlushTbThreshold' : [ 0x70, ['unsigned long long']], 'OptimalZeroingAttribute' : [ 0x78, ['array', 4, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'MiNonCached', 1: 'MiCached', 2: 'MiWriteCombined', 3: 'MiNotMapped'})]]]], 'AttributeChangeRequiresReZero' : [ 0xb8, ['unsigned char']], 'ZeroCostCounts' : [ 0xc0, ['array', 2, ['_MI_ZERO_COST_COUNTS']]], 'PrimaryPfns' : [ 0xe0, ['unsigned long long']], 'HighestPossiblePhysicalPage' : [ 0xe8, ['unsigned long long']], 'EnclaveRegions' : [ 0xf0, ['_RTL_AVL_TREE']], 'VsmKernelPageCount' : [ 0xf8, ['unsigned long long']], } ], '_PPM_VETO_ACCOUNTING' : [ 0x28, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x8, ['_LIST_ENTRY']], 'CsAccountingBlocks' : [ 0x18, ['unsigned char']], 'BlocksDrips' : [ 0x19, ['unsigned char']], 'PreallocatedVetoCount' : [ 0x1c, ['unsigned long']], 'PreallocatedVetoList' : [ 0x20, ['pointer64', ['_PPM_VETO_ENTRY']]], } ], '__unnamed_28be' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_28be']], 'ullOffset' : [ 0x0, 
['unsigned long long']], } ], '_SYSPTES_HEADER' : [ 0x118, { 'ListHead' : [ 0x0, ['array', 16, ['_LIST_ENTRY']]], 'Count' : [ 0x100, ['unsigned long long']], 'NumberOfEntries' : [ 0x108, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x110, ['unsigned long long']], } ], '_MI_ERROR_STATE' : [ 0xb8, { 'BadMemoryEventEntry' : [ 0x0, ['_MI_BAD_MEMORY_EVENT_ENTRY']], 'ProbeRaises' : [ 0x38, ['_MI_PROBE_RAISE_TRACKER']], 'ForcedCommits' : [ 0x78, ['_MI_FORCED_COMMITS']], 'WsleFailures' : [ 0x80, ['array', 2, ['unsigned long']]], 'WsLinear' : [ 0x88, ['unsigned long']], 'PageHashErrors' : [ 0x8c, ['unsigned long']], 'CheckZeroCount' : [ 0x90, ['unsigned long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x94, ['long']], 'BadPagesDetected' : [ 0x98, ['long']], 'ScrubPasses' : [ 0x9c, ['long']], 'ScrubBadPagesFound' : [ 0xa0, ['long']], 'UserViewFailures' : [ 0xa4, ['unsigned long']], 'UserViewCollisionFailures' : [ 0xa8, ['unsigned long']], 'ResavailFailures' : [ 0xac, ['_MI_RESAVAIL_FAILURES']], 'PendingBadPages' : [ 0xb4, ['unsigned char']], 'InitFailure' : [ 0xb5, ['unsigned char']], 'StopBadMaps' : [ 0xb6, ['unsigned char']], } ], '_PROC_PERF_DOMAIN' : [ 0x190, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0xc0, ['unsigned long']], 'EfficiencyClass' : [ 0xc4, ['unsigned char']], 'NominalPerformanceClass' : [ 0xc5, ['unsigned char']], 'HighestPerformanceClass' : [ 0xc6, ['unsigned char']], 'Spare' : [ 0xc7, ['unsigned char']], 'Processors' : [ 0xc8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0xd0, ['pointer64', ['void']]], 'TimeWindowHandler' : [ 0xd8, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0xe0, ['pointer64', ['void']]], 'BoostModeHandler' : [ 0xe8, ['pointer64', ['void']]], 'EnergyPerfPreferenceHandler' : [ 0xf0, ['pointer64', ['void']]], 'AutonomousActivityWindowHandler' : [ 0xf8, ['pointer64', ['void']]], 'AutonomousModeHandler' : 
[ 0x100, ['pointer64', ['void']]], 'ReinitializeHandler' : [ 0x108, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0x110, ['pointer64', ['void']]], 'PerfControlHandler' : [ 0x118, ['pointer64', ['void']]], 'MaxFrequency' : [ 0x120, ['unsigned long']], 'NominalFrequency' : [ 0x124, ['unsigned long']], 'MaxPercent' : [ 0x128, ['unsigned long']], 'MinPerfPercent' : [ 0x12c, ['unsigned long']], 'MinThrottlePercent' : [ 0x130, ['unsigned long']], 'MinimumRelativePerformance' : [ 0x138, ['unsigned long long']], 'NominalRelativePerformance' : [ 0x140, ['unsigned long long']], 'Coordination' : [ 0x148, ['unsigned char']], 'HardPlatformCap' : [ 0x149, ['unsigned char']], 'AffinitizeControl' : [ 0x14a, ['unsigned char']], 'EfficientThrottle' : [ 0x14b, ['unsigned char']], 'AutonomousMode' : [ 0x14c, ['unsigned char']], 'SelectedPercent' : [ 0x150, ['unsigned long']], 'SelectedFrequency' : [ 0x154, ['unsigned long']], 'DesiredPercent' : [ 0x158, ['unsigned long']], 'MaxPolicyPercent' : [ 0x15c, ['unsigned long']], 'MinPolicyPercent' : [ 0x160, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x164, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x168, ['unsigned long']], 'GuaranteedPercent' : [ 0x16c, ['unsigned long']], 'TolerancePercent' : [ 0x170, ['unsigned long']], 'SelectedState' : [ 0x178, ['unsigned long long']], 'PerfChangeTime' : [ 0x180, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0x188, ['unsigned long']], 'Force' : [ 0x18c, ['unsigned char']], 'ProvideGuidance' : [ 0x18d, ['unsigned char']], } ], '_MI_COMMON_PAGE_STATE' : [ 0xa8, { 'PageOfOnesPfn' : [ 0x0, ['pointer64', ['_MMPFN']]], 'PageOfOnes' : [ 0x8, ['unsigned long long']], 'DummyPagePfn' : [ 0x10, ['pointer64', ['_MMPFN']]], 'DummyPage' : [ 0x18, ['unsigned long long']], 'PageOfZeroes' : [ 0x20, ['unsigned long long']], 'ZeroMapping' : [ 0x28, ['pointer64', ['void']]], 'OnesMapping' : [ 0x30, ['pointer64', ['void']]], 'ZeroCrc' : [ 0x38, ['unsigned long long']], 'OnesCrc' : [ 0x40, 
['unsigned long long']], 'BitmapGapFrames' : [ 0x48, ['array', 4, ['unsigned long long']]], 'PfnGapFrames' : [ 0x68, ['array', 4, ['unsigned long long']]], 'PageTableOfZeroes' : [ 0x88, ['unsigned long long']], 'PdeOfZeroes' : [ 0x90, ['_MMPTE']], 'PageTableOfOnes' : [ 0x98, ['unsigned long long']], 'PdeOfOnes' : [ 0xa0, ['_MMPTE']], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_HEAP_EXTENDED_ENTRY' : [ 0x10, { 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long 
long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'IoTracker' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_POP_COOLING_EXTENSION' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'RequestListHead' : [ 0x10, ['_LIST_ENTRY']], 'Lock' : [ 0x20, ['_POP_RW_LOCK']], 'DeviceObject' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'NotificationEntry' : [ 0x38, ['pointer64', ['void']]], 'Enabled' : [ 0x40, ['unsigned char']], 'ActiveEngaged' : [ 0x41, ['unsigned char']], 'ThrottleLimit' : [ 0x42, ['unsigned char']], 
'UpdatingToCurrent' : [ 0x43, ['unsigned char']], 'RemovalFlushEvent' : [ 0x48, ['pointer64', ['_KEVENT']]], 'PnpFlushEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Interface' : [ 0x58, ['_THERMAL_COOLING_INTERFACE']], } ], '__unnamed_28f1' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_28f1']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_POP_POWER_SETTING_VALUES' : [ 0x13c, { 'StructureSize' : [ 0x0, ['unsigned long']], 'PopPolicy' : [ 0x4, ['_SYSTEM_POWER_POLICY']], 'CurrentAcDcPowerState' : [ 0xec, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'AwayModeEnabled' : [ 0xf0, ['unsigned char']], 'AwayModeEngaged' : [ 0xf1, ['unsigned char']], 'AwayModePolicyAllowed' : [ 0xf2, ['unsigned char']], 'AwayModeIgnoreUserPresent' : [ 0xf4, ['long']], 'AwayModeIgnoreAction' : [ 0xf8, ['long']], 'DisableFastS4' : [ 0xfc, ['unsigned char']], 'DisableStandbyStates' : [ 0xfd, ['unsigned char']], 'UnattendSleepTimeout' : [ 0x100, ['unsigned long']], 'DiskIgnoreTime' : [ 0x104, ['unsigned long']], 
'DeviceIdlePolicy' : [ 0x108, ['unsigned long']], 'VideoDimTimeout' : [ 0x10c, ['unsigned long']], 'VideoNormalBrightness' : [ 0x110, ['unsigned long']], 'VideoDimBrightness' : [ 0x114, ['unsigned long']], 'AlsOffset' : [ 0x118, ['unsigned long']], 'AlsEnabled' : [ 0x11c, ['unsigned long']], 'EsBrightness' : [ 0x120, ['unsigned long']], 'SwitchShutdownForced' : [ 0x124, ['unsigned char']], 'SystemCoolingPolicy' : [ 0x128, ['unsigned long']], 'MediaBufferingEngaged' : [ 0x12c, ['unsigned char']], 'OffloadedAudio' : [ 0x12d, ['unsigned char']], 'NonOffloadedAudio' : [ 0x12e, ['unsigned char']], 'FullscreenVideoPlayback' : [ 0x12f, ['unsigned char']], 'EsBatteryThreshold' : [ 0x130, ['unsigned long']], 'EsAggressive' : [ 0x134, ['unsigned char']], 'EsUserAwaySetting' : [ 0x135, ['unsigned char']], 'ConnectivityInStandby' : [ 0x138, ['unsigned long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x8, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'TaggedPercent' : [ 0x5, ['array', 2, ['unsigned char']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '__unnamed_2904' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_2904']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, 
['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_MI_ZERO_COST_COUNTS' : [ 0x10, { 'NativeSum' : [ 0x0, ['unsigned long long']], 'CachedSum' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x88, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x40, ['_KDPC']], 'WorkOrder' : [ 0x80, ['pointer64', ['_POP_FX_WORK_ORDER']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '__unnamed_2919' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_2919']], } ], '__unnamed_291d' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2921' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], 
'__unnamed_2923' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_2925' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_2927' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_2929' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_292b' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_292d' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_292f' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2931' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2933' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_2935' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_291d']], 'Memory' : [ 0x0, ['__unnamed_291d']], 'Interrupt' : [ 0x0, ['__unnamed_2921']], 'Dma' : [ 0x0, ['__unnamed_2923']], 'DmaV3' : [ 0x0, ['__unnamed_2925']], 'Generic' : [ 0x0, ['__unnamed_291d']], 'DevicePrivate' : [ 0x0, ['__unnamed_2927']], 'BusNumber' : [ 0x0, 
['__unnamed_2929']], 'ConfigData' : [ 0x0, ['__unnamed_292b']], 'Memory40' : [ 0x0, ['__unnamed_292d']], 'Memory48' : [ 0x0, ['__unnamed_292f']], 'Memory64' : [ 0x0, ['__unnamed_2931']], 'Connection' : [ 0x0, ['__unnamed_2933']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_2935']], } ], '_HEAP_UNPACKED_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x50, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x38, ['pointer64', ['void']]], 'DvCallbacks' : [ 0x40, ['pointer64', ['void']]], 'VerifierContext' : [ 0x48, ['pointer64', ['void']]], } ], '_ETW_PROVIDER_TRAITS' : [ 0x20, { 'Node' : [ 0x0, ['_RTL_BALANCED_NODE']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Traits' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '_ETW_QUEUE_ENTRY' : [ 0x38, { 
'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x10, ['pointer64', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0x18, ['pointer64', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x20, ['pointer64', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x28, ['pointer64', ['void']]], 'RegIndex' : [ 0x30, ['unsigned short']], 'ReplyIndex' : [ 0x32, ['unsigned short']], 'Flags' : [ 0x34, ['unsigned long']], } ], '_MI_PARTITION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PageListsInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StoreReservedPagesCharged' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PureHoldingPartition' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0x60, { 'Count' : [ 0x0, ['unsigned long']], 'Vectors' : [ 0x8, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_NON_PAGED_DEBUG_INFO' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Machine' : [ 0x8, ['unsigned short']], 'Characteristics' : [ 0xa, ['unsigned short']], 'TimeDateStamp' : [ 0xc, ['unsigned long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'SizeOfImage' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Gate' : [ 0x10, ['_KGATE']], 'Event' : [ 0x10, ['_KEVENT']], } 
], '__unnamed_2959' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x108, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_2959']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['_MODWRITER_FLAGS']], 'StoreWriteRefCount' : [ 0x2c, ['unsigned long']], 'StoreWriteCompletionApc' : [ 0x30, ['_KAPC']], 'ByteCount' : [ 0x88, ['unsigned long']], 'ChargedPages' : [ 0x8c, ['unsigned long']], 'PagingFile' : [ 0x90, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0xa0, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0xa8, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0xb0, ['_LARGE_INTEGER']], 'IssueTime' : [ 0xb8, ['_LARGE_INTEGER']], 'Partition' : [ 0xc0, ['pointer64', ['_MI_PARTITION']]], 'PointerMdl' : [ 0xc8, ['pointer64', ['_MDL']]], 'Mdl' : [ 0xd0, ['_MDL']], 'Page' : [ 0x100, ['array', 1, ['unsigned long long']]], } ], '_NONOPAQUE_OPLOCK' : [ 0xa0, { 'IrpExclusiveOplock' : [ 0x0, ['pointer64', ['_IRP']]], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'WaiterPriority' : [ 0x20, ['unsigned char']], 'IrpOplocksR' : [ 0x28, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x38, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x48, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x58, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x68, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x78, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x88, ['pointer64', ['_GUID']]], 'OplockState' : [ 0x90, ['unsigned long']], 'FastMutex' : [ 0x98, ['pointer64', ['_FAST_MUTEX']]], } ], '__unnamed_2962' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2963' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 
0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2962']], 'Merged' : [ 0x10, ['__unnamed_2963']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '__unnamed_2967' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_2969' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_296b' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_296d' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_296b']], 'Translated' : [ 0x0, ['__unnamed_2969']], } ], '__unnamed_296f' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_2971' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_2973' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_2975' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_2977' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_2979' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_297b' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_297d' : [ 
0x10, { 'Generic' : [ 0x0, ['__unnamed_2967']], 'Port' : [ 0x0, ['__unnamed_2967']], 'Interrupt' : [ 0x0, ['__unnamed_2969']], 'MessageInterrupt' : [ 0x0, ['__unnamed_296d']], 'Memory' : [ 0x0, ['__unnamed_2967']], 'Dma' : [ 0x0, ['__unnamed_296f']], 'DmaV3' : [ 0x0, ['__unnamed_2971']], 'DevicePrivate' : [ 0x0, ['__unnamed_2927']], 'BusNumber' : [ 0x0, ['__unnamed_2973']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_2975']], 'Memory40' : [ 0x0, ['__unnamed_2977']], 'Memory48' : [ 0x0, ['__unnamed_2979']], 'Memory64' : [ 0x0, ['__unnamed_297b']], 'Connection' : [ 0x0, ['__unnamed_2933']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_297d']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_ETW_FILTER_EVENT_NAME_DATA' : [ 0x28, { 'FilterIn' : [ 0x0, ['unsigned char']], 'Level' : [ 0x1, ['unsigned char']], 'MatchAnyKeyword' : [ 0x8, ['unsigned long long']], 'MatchAllKeyword' : [ 0x10, ['unsigned long long']], 'NameTable' : [ 0x18, ['_RTL_HASH_TABLE']], } ], '_MI_VISIBLE_STATE' : [ 0x840, { 'SpecialPool' : [ 0x0, ['_MI_SPECIAL_POOL']], 'SessionWsList' : [ 0x50, ['_LIST_ENTRY']], 'SessionIdBitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'PagedPoolInfo' : [ 0x68, ['_MM_PAGED_POOL_INFO']], 'MaximumNonPagedPoolInPages' : [ 0xa0, ['unsigned long long']], 'SizeOfPagedPoolInPages' : [ 0xa8, ['unsigned long long']], 'SystemPteInfo' : [ 0xb0, ['_MI_SYSTEM_PTE_TYPE']], 'NonPagedPoolCommit' : [ 0x118, ['unsigned long long']], 'BootCommit' : [ 0x120, ['unsigned long long']], 
'MdlPagesAllocated' : [ 0x128, ['unsigned long long']], 'SystemPageTableCommit' : [ 0x130, ['unsigned long long']], 'SpecialPagesInUse' : [ 0x138, ['unsigned long long']], 'WsOverheadPages' : [ 0x140, ['unsigned long long']], 'VadBitmapPages' : [ 0x148, ['unsigned long long']], 'ProcessCommit' : [ 0x150, ['unsigned long long']], 'SharedCommit' : [ 0x158, ['unsigned long long']], 'DriverCommit' : [ 0x160, ['long']], 'SystemWs' : [ 0x180, ['array', 3, ['_MMSUPPORT_FULL']]], 'SystemCacheShared' : [ 0x4c0, ['_MMSUPPORT_SHARED']], 'AggregateSystemWs' : [ 0x540, ['array', 1, ['_MMSUPPORT_AGGREGATION']]], 'SystemCacheSharedWorkingSetList' : [ 0x560, ['_MMWSL_SHARED']], 'MapCacheFailures' : [ 0x5c0, ['unsigned long']], 'PagefileHashPages' : [ 0x5c8, ['unsigned long long']], 'PteHeader' : [ 0x5d0, ['_SYSPTES_HEADER']], 'SessionSpecialPool' : [ 0x6e8, ['pointer64', ['_MI_SPECIAL_POOL']]], 'SystemVaTypeCount' : [ 0x6f0, ['array', 14, ['unsigned long long']]], 'SystemVaRegions' : [ 0x760, ['array', 14, ['_MI_SYSTEM_VA_ASSIGNMENT']]], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_CM_COMPONENT_HASH' : [ 0x4, { 'Hash' : [ 0x0, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0xe0, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, 
['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], 'Xcr0' : [ 0xd8, ['unsigned long long']], } ], '_RH_OP_CONTEXT' : [ 0x48, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x10, ['pointer64', ['_IRP']]], 'OplockRequestFileObject' : [ 0x18, ['pointer64', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x28, ['pointer64', ['_ETHREAD']]], 'Flags' : [ 0x30, ['unsigned long']], 'AtomicLinks' : [ 0x38, ['_LIST_ENTRY']], } ], '_MSUBSECTION' : [ 0x70, { 'Core' : [ 0x0, ['_SUBSECTION']], 'SubsectionNode' : [ 0x38, ['_RTL_BALANCED_NODE']], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x68, ['unsigned long']], } ], '_PROC_PERF_CHECK' : [ 0xc0, { 'LastActive' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'LastStall' : [ 0x10, ['unsigned long long']], 'Snap' : [ 0x18, ['_PROC_PERF_CHECK_SNAP']], 'TempSnap' : [ 0x68, ['_PROC_PERF_CHECK_SNAP']], 'TaggedThreadPercent' : [ 0xb8, ['array', 2, ['unsigned char']]], 
'Class0FloorPerfSelection' : [ 0xba, ['unsigned char']], 'Class1MinimumPerfSelection' : [ 0xbb, ['unsigned char']], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'ModifiedStoreWrite' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_PEB32' : [ 0x460, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'IsLongPathAwareProcess' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned 
long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'SparePvoid0' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, 
['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], 'pUnused' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, 
['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x250, ['unsigned long']], 'TppWorkerpList' : [ 0x254, ['LIST_ENTRY32']], 'WaitOnAddressHashTable' : [ 0x25c, ['array', 128, ['unsigned long']]], } ], '_MMWSL_FULL' : [ 0x200, { 'Instance' : [ 0x0, ['_MMWSL_INSTANCE']], 'Shared' : [ 0x1a0, ['_MMWSL_SHARED']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1d0, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'Order' : [ 0x30, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x1a8, ['_LIST_ENTRY']], 'Status' : [ 0x1b8, ['long']], 'FailedDevice' : [ 0x1c0, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1c8, ['unsigned char']], 'Cancelled' : [ 0x1c9, ['unsigned char']], 'IgnoreErrors' : [ 0x1ca, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1cb, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1cc, ['unsigned char']], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, 
['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x98, { 'FileName' : [ 0x0, ['pointer64', ['wchar']]], 'BaseName' : [ 0x8, ['pointer64', ['wchar']]], 'RegRootName' : [ 0x10, ['pointer64', ['wchar']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], 'FilePath' : [ 0x88, ['_UNICODE_STRING']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x178, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_PPM_VETO_ENTRY' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'VetoReason' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'HitCount' : [ 0x18, ['unsigned long long']], 'LastActivationTime' : [ 0x20, ['unsigned long long']], 'TotalActiveTime' : [ 0x28, ['unsigned long long']], 'CsActivationTime' : [ 0x30, ['unsigned long long']], 'CsActiveTime' : [ 0x38, 
['unsigned long long']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_BAD_MEMORY_EVENT_ENTRY' : [ 0x38, { 'BugCheckCode' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['long']], 'Data' : [ 0x8, ['unsigned long']], 'PhysicalAddress' : [ 0x10, ['_LARGE_INTEGER']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], '_KWAIT_CHAIN_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_TOKEN_PRIVILEGES' : [ 0x10, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Privileges' : [ 0x4, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned char']], 'LayerSemantics' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Spare1' : [ 0xd, ['BitField', dict(start_bit = 2, end_bit = 
7, native_type='unsigned char')]], 'InheritClass' : [ 0xd, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0xe, ['unsigned short']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x28, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x8, ['_RTL_BITMAP']], 'HashTable' : [ 0x18, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x20, ['unsigned char']], } ], '_MMDEREFERENCE_SEGMENT_HEADER' : [ 0x30, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'ListHead' : [ 0x20, ['_LIST_ENTRY']], } ], 
'_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '__unnamed_29e8' : [ 0x4, { 'ChannelsHotCold' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_MI_NODE_INFORMATION' : [ 0x890, { 'LargePageFreeCount' : [ 0x0, ['array', 3, ['array', 2, ['unsigned long long']]]], 'LargePages' : [ 0x30, ['array', 3, ['array', 2, ['array', 2, ['array', 4, ['_LIST_ENTRY']]]]]], 'LargePagesCount' : [ 0x330, ['array', 3, ['array', 2, ['array', 2, ['array', 4, ['unsigned long long']]]]]], 'LargePageRebuildTimer' : [ 0x4b0, ['_MI_REBUILD_LARGE_PAGE_TIMER']], 'StandbyPageList' : [ 0x4e0, ['array', 4, ['array', 8, ['_MMPFNLIST_SHORT']]]], 'FreeCount' : [ 0x7e0, ['array', 2, ['unsigned long long']]], 'TotalPages' : [ 0x7f0, ['array', 4, ['unsigned long long']]], 'TotalPagesEntireNode' : [ 0x810, ['unsigned long long']], 'MmShiftedColor' : [ 0x818, ['unsigned long']], 'Color' : [ 0x81c, ['unsigned long']], 'ChannelFreeCount' : [ 0x820, ['array', 4, ['array', 2, ['unsigned long long']]]], 'Flags' : [ 0x860, ['__unnamed_29e8']], 'NodeLock' : [ 0x868, ['_EX_PUSH_LOCK']], 'ZeroThreadHugeMapLock' : [ 0x870, ['unsigned long long']], 'ChannelStatus' : [ 0x878, ['unsigned char']], 'ChannelOrdering' : [ 0x879, ['array', 4, ['unsigned char']]], 'LockedChannelOrdering' : [ 0x87d, ['array', 4, ['unsigned char']]], 'PowerAttribute' : [ 0x881, ['array', 4, ['unsigned char']]], 'LargePageLock' : [ 0x888, ['unsigned long long']], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_CM_KEY_VALUE' : [ 
0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_TRIAGE_POP_FX_DEVICE' : [ 0x38, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x18, ['pointer64', ['_TRIAGE_POP_IRP_DATA']]], 'Status' : [ 0x20, ['long']], 'PowerReqCall' : [ 0x24, ['long']], 'PowerNotReqCall' : [ 0x28, ['long']], 'DeviceNode' : [ 0x30, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : 
[ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '_MI_SYSTEM_NODE_INFORMATION' : [ 0x1a0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'NonPagedPoolSListHeadNx' : [ 0x40, ['array', 3, ['_SLIST_HEADER']]], 'CachedKernelStacks' : [ 0x70, ['array', 2, ['_CACHED_KSTACK_LIST']]], 'NonPagedBitMapMaximum' : [ 0xb0, ['unsigned long long']], 'DynamicBitMapNonPagedPool' : [ 0xb8, ['_MI_DYNAMIC_BITMAP']], 'NonPagedPoolLowestPage' : [ 0x108, ['unsigned long long']], 'NonPagedPoolHighestPage' : [ 0x110, ['unsigned long long']], 'AllocatedNonPagedPool' : [ 0x118, ['unsigned long long']], 'PartialLargePoolRegions' : [ 0x120, ['unsigned long long']], 'PagesInPartialLargePoolRegions' : [ 0x128, ['unsigned long long']], 'CachedNonPagedPoolCount' : [ 0x130, ['unsigned long long']], 'NonPagedPoolSpinLock' : [ 0x138, ['unsigned long long']], 'CachedNonPagedPool' : [ 0x140, ['pointer64', ['_MMPFN']]], 'NonPagedPoolFirstVa' : [ 0x148, ['pointer64', ['void']]], 'NonPagedPoolLastVa' : [ 0x150, ['pointer64', ['void']]], 'NonPagedBitMap' : [ 
0x158, ['array', 3, ['_RTL_BITMAP_EX']]], 'NonPagedHint' : [ 0x188, ['array', 2, ['unsigned long long']]], } ], '_MI_PAGE_COMBINING_SUPPORT' : [ 0x188, { 'Partition' : [ 0x0, ['pointer64', ['_MI_PARTITION']]], 'ArbitraryPfnMapList' : [ 0x8, ['_LIST_ENTRY']], 'FreeCombinePoolItem' : [ 0x18, ['_MI_COMBINE_WORKITEM']], 'CombiningThreadCount' : [ 0x40, ['unsigned long']], 'CombinePageFreeList' : [ 0x48, ['_LIST_ENTRY']], 'CombineFreeListLock' : [ 0x58, ['unsigned long long']], 'CombinePageListHeads' : [ 0x60, ['array', 16, ['_MI_COMBINE_PAGE_LISTHEAD']]], 'PageCombineStats' : [ 0x160, ['_MI_PAGE_COMBINE_STATISTICS']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x38, { 'BadPageCount' : [ 0x0, ['unsigned long long']], 'BadPagesDetected' : [ 0x8, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0xc, ['long']], 'ScrubPasses' : [ 0x10, ['long']], 'ScrubBadPagesFound' : [ 0x14, ['long']], 'PageHashErrors' : [ 0x18, ['unsigned long']], 'FeatureBits' : [ 0x20, ['unsigned long long']], 'TimeZoneId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['_MI_FLAGS']], 'VsmConnection' : [ 0x30, ['pointer64', ['void']]], } ], '_MI_FORCED_COMMITS' : [ 0x8, { 'Regular' : [ 0x0, ['unsigned long']], 'Wrap' : [ 0x4, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x20, { 'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0x18, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_MI_ACTIVE_WSLE_LISTHEAD' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], '_MI_REBUILD_LARGE_PAGE_TIMER' : [ 0x30, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'SecondsLeft' : [ 0x20, ['unsigned char']], 'RebuildActive' : [ 0x21, ['unsigned char']], 'NextPassDelta' : [ 0x22, ['unsigned char']], 'LargeSubPagesActive' 
: [ 0x23, ['unsigned char']], 'SequenceNumber' : [ 0x24, ['unsigned long']], 'WaitList' : [ 0x28, ['pointer64', ['_MI_LARGE_PAGE_REBUILD_WAIT_BLOCK']]], } ], '_MI_IO_PAGE_STATE' : [ 0x68, { 'IoPfnLock' : [ 0x0, ['unsigned long long']], 'IoPfnRoot' : [ 0x8, ['array', 3, ['_RTL_AVL_TREE']]], 'UnusedCachedMaps' : [ 0x20, ['_LIST_ENTRY']], 'OldestCacheFlushTimeStamp' : [ 0x30, ['unsigned long']], 'IoCacheStats' : [ 0x38, ['_MI_IO_CACHE_STATS']], 'InvariantIoSpace' : [ 0x60, ['_RTL_AVL_TREE']], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_MI_CROSS_PARTITION_CHARGES' : [ 0x28, { 'CurrentCharges' : [ 0x0, ['unsigned long long']], 'ChargeFailures' : [ 0x8, ['unsigned long long']], 'ChargePeak' : [ 0x10, ['unsigned long long']], 'ChargeMinimum' : [ 0x18, ['unsigned long long']], 'ChargeMaximum' : [ 0x20, ['unsigned long long']], } ], '__unnamed_2a29' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x30, { 'SessionProtoNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeList' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'DriverAddress' : [ 0x0, ['pointer64', ['void']]], 'SessionId' : [ 0x18, ['unsigned long']], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SubsectionBase' : [ 0x20, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x28, ['__unnamed_2a29']], } ], '_TOKEN_MANDATORY_POLICY' : [ 0x4, { 'Policy' : [ 0x0, ['unsigned long']], } ], '_MI_MODWRITE_DATA' : [ 0x40, { 'PagesLoad' : [ 0x0, ['long long']], 'PagesAverage' : [ 0x8, ['unsigned long long']], 'AverageAvailablePages' : [ 0x10, ['unsigned long long']], 'PagesWritten' : [ 0x18, ['unsigned long long']], 'WritesIssued' : [ 0x20, ['unsigned long']], 'IgnoredReservationsCount' : [ 0x24, ['unsigned long']], 'FreedReservationsCount' : [ 0x28, 
['unsigned long']], 'WriteBurstCount' : [ 0x2c, ['unsigned long']], 'IgnoreReservationsStartTime' : [ 0x30, ['unsigned long long']], 'ReservationClusterInfo' : [ 0x38, ['_MI_RESERVATION_CLUSTER_INFO']], 'IgnoreReservations' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare' : [ 0x3c, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'Spare1' : [ 0x3e, ['unsigned short']], } ], '_PROC_IDLE_POLICY' : [ 0x6, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], 'ForceLightIdle' : [ 0x5, ['unsigned char']], } ], '_MI_RESAVAIL_FAILURES' : [ 0x8, { 'Wrap' : [ 0x0, ['unsigned long']], 'NoCharge' : [ 0x4, ['unsigned long']], } ], '_ALPC_WORK_ON_BEHALF_TICKET' : [ 0x8, { 'ThreadId' : [ 0x0, ['unsigned long']], 'ThreadCreationTimeLow' : [ 0x4, ['unsigned long']], } ], '_PO_HIBER_PERF' : [ 0x1e8, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'HiberChecksumTicks' : [ 0x30, ['unsigned long long']], 'HiberChecksumIoTicks' : [ 0x38, ['unsigned long long']], 'TotalHibernateTime' : [ 0x40, ['_LARGE_INTEGER']], 'HibernateCompleteTimestamp' : [ 0x48, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x50, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x54, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x58, ['unsigned long']], 'ResumeAppTicks' : [ 0x60, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x68, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x70, ['unsigned long long']], 'ResumeInitTicks' : [ 0x78, ['unsigned long long']], 
'ResumeRestoreImageStartTimestamp' : [ 0x80, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x88, ['unsigned long long']], 'ResumeIoTicks' : [ 0x90, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x98, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0xa0, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0xa8, ['unsigned long long']], 'ResumeMapTicks' : [ 0xb0, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xb8, ['unsigned long long']], 'ResumeChecksumTicks' : [ 0xc0, ['unsigned long long']], 'ResumeChecksumIoTicks' : [ 0xc8, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xd0, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xd8, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xe0, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xe8, ['unsigned long long']], 'HalTscOffset' : [ 0xf0, ['unsigned long long']], 'HvlTscOffset' : [ 0xf8, ['unsigned long long']], 'SleeperThreadEnd' : [ 0x100, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0x108, ['unsigned long long']], 'IoBoundedness' : [ 0x110, ['unsigned long long']], 'KernelDecompressTicks' : [ 0x118, ['unsigned long long']], 'KernelIoTicks' : [ 0x120, ['unsigned long long']], 'KernelCopyTicks' : [ 0x128, ['unsigned long long']], 'ReadCheckCount' : [ 0x130, ['unsigned long long']], 'KernelInitTicks' : [ 0x138, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x140, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x148, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x150, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x158, ['unsigned long long']], 'KernelChecksumTicks' : [ 0x160, ['unsigned long long']], 'KernelChecksumIoTicks' : [ 0x168, ['unsigned long long']], 'AnimationStart' : [ 0x170, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x178, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x180, ['unsigned long']], 'SecurePagesProcessed' : [ 0x188, ['unsigned long long']], 'BootPagesProcessed' : [ 0x190, ['unsigned long 
long']], 'KernelPagesProcessed' : [ 0x198, ['unsigned long long']], 'BootBytesWritten' : [ 0x1a0, ['unsigned long long']], 'KernelBytesWritten' : [ 0x1a8, ['unsigned long long']], 'BootPagesWritten' : [ 0x1b0, ['unsigned long long']], 'KernelPagesWritten' : [ 0x1b8, ['unsigned long long']], 'BytesWritten' : [ 0x1c0, ['unsigned long long']], 'PagesWritten' : [ 0x1c8, ['unsigned long']], 'FileRuns' : [ 0x1cc, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x1d0, ['unsigned long']], 'MaxHuffRatio' : [ 0x1d4, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x1d8, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1e0, ['unsigned long long']], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 
'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1e, { 'PerUserPolicy' : [ 0x0, ['array', 30, ['unsigned char']]], } ], '_MI_PROBE_RAISE_TRACKER' : [ 0x40, { 'UserRangeInKernel' : [ 0x0, ['unsigned long']], 'FaultFailed' : [ 0x4, ['unsigned long']], 'WriteFaultFailed' : [ 0x8, ['unsigned long']], 'LargePageFailed' : [ 0xc, ['unsigned long']], 'UserAccessToKernelPte' : [ 0x10, ['unsigned long']], 'BadPageLocation' : [ 0x14, ['unsigned long']], 'InsufficientCharge' : [ 0x18, ['unsigned long']], 
'PageTableCharge' : [ 0x1c, ['unsigned long']], 'NoPhysicalMapping' : [ 0x20, ['unsigned long']], 'NoIoReference' : [ 0x24, ['unsigned long']], 'ProbeFailed' : [ 0x28, ['unsigned long']], 'PteIsZero' : [ 0x2c, ['unsigned long']], 'StrongCodeWrite' : [ 0x30, ['unsigned long']], 'ReducedCloneCommitChargeFailed' : [ 0x34, ['unsigned long']], 'CopyOnWriteAtDispatchNoPages' : [ 0x38, ['unsigned long']], 'EnclavePageFailed' : [ 0x3c, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '__unnamed_2a4f' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2a51' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_2a54' : [ 0x8, { 'IntrInfo' : [ 0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_2a58' : [ 0x4, { 'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x58, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, 
['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x18, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x28, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x38, ['__unnamed_2a4f']], 'HvDeviceId' : [ 0x40, ['unsigned long long']], 'XapicMessage' : [ 0x48, ['__unnamed_2a51']], 'Hypertransport' : [ 0x48, ['__unnamed_2a54']], 'GenericMessage' : [ 0x48, ['__unnamed_2a51']], 'MessageRequest' : [ 0x48, ['__unnamed_2a58']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['_CM_COMPONENT_HASH']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_LDR_DDAG_NODE' : [ 0x50, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x10, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0x18, ['unsigned long']], 'LoadWhileUnloadingCount' : [ 0x1c, ['unsigned long']], 'LowestLink' : [ 0x20, ['unsigned long']], 'Dependencies' : [ 0x28, ['_LDRP_CSLIST']], 'IncomingDependencies' : [ 0x30, ['_LDRP_CSLIST']], 'State' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x48, ['unsigned long']], } ], '_DUMP_STACK_CONTEXT' : [ 0x178, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x108, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x110, ['pointer64', ['void']]], 'PointersLength' : [ 0x118, ['unsigned long']], 'ModulePrefix' : [ 0x120, ['pointer64', ['wchar']]], 'DriverList' : [ 0x128, 
['_LIST_ENTRY']], 'InitMsg' : [ 0x138, ['_STRING']], 'ProgMsg' : [ 0x148, ['_STRING']], 'DoneMsg' : [ 0x158, ['_STRING']], 'FileObject' : [ 0x168, ['pointer64', ['void']]], 'UsageType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_HAL_NODE_RANGE' : [ 0x10, { 'PageFrameIndex' : [ 0x0, ['unsigned long long']], 'Node' : [ 0x8, ['unsigned long']], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '_MI_PAGEFILE_BITMAPS_CACHE_ENTRY' : [ 0x38, { 'LengthTreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_LIST_ENTRY']], 'LocationTreeNode' : [ 0x18, ['_RTL_BALANCED_NODE']], 'StartingIndex' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], } ], '_RTL_UMS_CONTEXT' : [ 0x520, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'PrimaryUmsContext' : [ 0x500, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x508, ['unsigned long']], 'KernelYieldCount' : [ 0x50c, ['unsigned long']], 'MixedYieldCount' : [ 0x510, ['unsigned long']], 'YieldCount' : [ 0x514, ['unsigned long']], } ], '_MI_RESUME_WORKITEM' : [ 0x38, { 'ResumeCompleteEvent' : [ 0x0, ['_KEVENT']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2a80' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_2a82' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2a84' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceId' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_2a86' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_2a88' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_2a8a' : 
[ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_2a8c' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_2a8e' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2a90' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_2a92' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_2a80']], 'TargetDevice' : [ 0x0, ['__unnamed_2a82']], 'InstallDevice' : [ 0x0, ['__unnamed_2a82']], 'CustomNotification' : [ 0x0, ['__unnamed_2a84']], 'ProfileNotification' : [ 0x0, ['__unnamed_2a86']], 'PowerNotification' : [ 0x0, ['__unnamed_2a88']], 'VetoNotification' : [ 0x0, ['__unnamed_2a8a']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_2a8c']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_2a8e']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_2a90']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_2a82']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_2a82']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 
'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_2a92']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], '_HVIEW_MAP_DIRECTORY' : [ 0x400, { 'Tables' : [ 0x0, ['array', 128, ['pointer64', ['_HVIEW_MAP_TABLE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], 'AllStacksInUse' : [ 0x1c, ['unsigned long']], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_HAL_CHANNEL_MEMORY_RANGES' : [ 0x10, { 'PageFrameIndex' : [ 0x0, ['unsigned long long']], 'MpnId' : [ 0x8, ['unsigned short']], 'Node' : [ 0xa, ['unsigned short']], 'Channel' : [ 0xc, ['unsigned short']], 
'IsPowerManageable' : [ 0xe, ['unsigned char']], 'DeepPowerState' : [ 0xf, ['unsigned char']], } ], '_MI_LARGE_PAGE_REBUILD_WAIT_BLOCK' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_LARGE_PAGE_REBUILD_WAIT_BLOCK']]], 'Gate' : [ 0x8, ['_KGATE']], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x58, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'ProcCap' : [ 0x10, ['unsigned long']], 'ProcFloor' : [ 0x14, ['unsigned long']], 'PlatformCap' : [ 0x18, ['unsigned long']], 'ThermalCap' : [ 0x1c, ['unsigned long']], 'LimitReasons' : [ 0x20, ['unsigned long']], 'PlatformCapStartTime' : [ 0x28, ['unsigned long long']], 'TargetPercent' : [ 0x30, ['unsigned long']], 'SelectedPercent' : [ 0x34, ['unsigned long']], 'SelectedFrequency' : [ 0x38, ['unsigned long']], 'PreviousFrequency' : [ 0x3c, ['unsigned long']], 'PreviousPercent' : [ 0x40, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x44, ['unsigned long']], 'SelectedState' : [ 0x48, ['unsigned long long']], 'Force' : [ 0x50, ['unsigned char']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3e0, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa0, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long 
long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x20, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x10, { 'DeviceHandle' : [ 0x0, ['pointer64', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x8, ['pointer64', ['void']]], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x488, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, 
['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x410, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 
'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], 'PackageDependencyData' : [ 0x400, ['pointer64', ['void']]], 'ProcessGroupId' : [ 0x408, ['unsigned long']], 'LoaderThreads' : [ 0x40c, ['unsigned long']], } ], '_MI_IO_CACHE_STATS' : [ 0x28, { 'UnusedBlocks' : [ 0x0, ['unsigned long long']], 'ActiveCacheMatch' : [ 0x8, ['unsigned long']], 'ActiveCacheOverride' : [ 0xc, ['unsigned long']], 'UnmappedCacheFlush' : [ 0x10, ['unsigned long']], 'UnmappedCacheMatch' : [ 0x14, ['unsigned long']], 'UnmappedCacheConflict' : [ 0x18, ['unsigned long']], 'PermanentIoAttributeConflict' : [ 0x1c, ['unsigned long']], 'PermanentIoNodeConflict' : [ 0x20, ['unsigned long']], } ], '__unnamed_2ad8' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2ada' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2adc' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2ad8']], 'Gpt' : [ 0x0, ['__unnamed_2ada']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x108, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, 
['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MarkMemoryOnly' : [ 0x69, ['unsigned char']], 'HiberResume' : [ 0x6a, ['unsigned char']], 'Reserved1' : [ 0x6b, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_2adc']], 'ReadRoutine' : [ 0xa0, ['pointer64', ['void']]], 'GetDriveTelemetryRoutine' : [ 0xa8, ['pointer64', ['void']]], 'LogSectionTruncateSize' : [ 0xb0, ['unsigned long']], 'Parameters' : [ 0xb4, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DumpNotifyRoutine' : [ 0x100, ['pointer64', ['void']]], } ], '_THERMAL_COOLING_INTERFACE' : [ 0x38, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'ActiveCooling' : [ 0x28, ['pointer64', ['void']]], 'PassiveCooling' : [ 0x30, ['pointer64', ['void']]], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_POP_FX_PERF_INFO' : [ 0xa0, { 'Component' : [ 0x0, ['pointer64', ['_POP_FX_COMPONENT']]], 'CompletedEvent' : [ 0x8, ['_KEVENT']], 'ComponentPerfState' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, 
['_POP_FX_PERF_FLAGS']], 'LastChange' : [ 0x30, ['pointer64', ['_PO_FX_PERF_STATE_CHANGE']]], 'LastChangeCount' : [ 0x38, ['unsigned long']], 'LastChangeStamp' : [ 0x40, ['unsigned long long']], 'LastChangeNominal' : [ 0x48, ['unsigned char']], 'PepRegistered' : [ 0x49, ['unsigned char']], 'QueryOnIdleStates' : [ 0x4a, ['unsigned char']], 'RequestDriverContext' : [ 0x50, ['pointer64', ['void']]], 'WorkOrder' : [ 0x58, ['_POP_FX_WORK_ORDER']], 'SetsCount' : [ 0x90, ['unsigned long']], 'Sets' : [ 0x98, ['pointer64', ['_POP_FX_PERF_SET']]], } ], '_MMPAGE_FILE_EXPANSION_FLAGS' : [ 0x4, { 'PageFileNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'IgnoreCurrentCommit' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreaseMinimumSize' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare3' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '_MMPFNLIST_SHORT' : [ 0x18, { 'Total' : [ 0x0, ['unsigned long long']], 'Flink' : [ 0x8, ['unsigned long long']], 'Blink' : [ 0x10, ['unsigned long long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x8, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_TRIAGE_POP_IRP_DATA' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_2b0b' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_2b0d' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned 
long']], } ], '__unnamed_2b0f' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_2b11' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_2b0b']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_2b0d']], 'Raw' : [ 0x0, ['__unnamed_2b0f']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'Operation' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0xc, ['__unnamed_2b11']], 'Stack' : [ 0x18, ['array', 6, ['pointer64', ['void']]]], } ], '_MI_COMBINE_PAGE_LISTHEAD' : [ 0x10, { 'Table' : [ 0x0, ['_RTL_AVL_TREE']], 'Lock' : [ 0x8, ['long']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x28, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x8, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0x18, ['_RTL_BITMAP']], 'EvictedBitmap' : [ 0x18, ['_RTL_BITMAP']], } ], '_MI_SYSTEM_VA_ASSIGNMENT' : [ 0x10, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2b21' : [ 0x4, { 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2b23' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2b21']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2b26' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2b28' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2b26']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, ['__unnamed_2b23']], 'HighPart' : [ 0x4, ['__unnamed_2b28']], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x80, { 'UncompressedData' : [ 0x0, ['pointer64', ['unsigned char']]], 'MappingVa' : [ 0x8, ['pointer64', ['void']]], 'XpressEncodeWorkspace' : [ 0x10, ['pointer64', ['void']]], 'CompressedDataBuffer' : [ 0x18, ['pointer64', ['unsigned char']]], 'CopyTicks' : [ 0x20, ['unsigned long long']], 'CompressTicks' : [ 0x28, ['unsigned long long']], 'BytesCopied' : [ 0x30, ['unsigned long long']], 'PagesProcessed' : [ 0x38, ['unsigned long long']], 'DecompressTicks' : [ 0x40, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x48, ['unsigned long long']], 'SharedBufferTicks' : [ 0x50, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 
'DecompressSizeByMethod' : [ 0x68, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x78, ['unsigned long']], 'HuffCompressCount' : [ 0x7c, ['unsigned long']], } ], '_PROC_PERF_CHECK_SNAP' : [ 0x50, { 'Time' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned long long']], 'Stall' : [ 0x10, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x18, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledKernelActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], 'TaggedThreadCycles' : [ 0x40, ['array', 2, ['unsigned long long']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_HVIEW_MAP_PIN_LOG_ENTRY' : [ 0x48, { 'ViewOffset' : [ 0x0, ['unsigned long']], 'Pinned' : [ 0x4, ['unsigned char']], 'PinMask' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Stack' : [ 0x18, ['array', 6, ['pointer64', ['void']]]], } ], '_MI_COMBINE_WORKITEM' : [ 0x28, { 'NextEntry' : [ 0x0, ['pointer64', ['void']]], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], } ], '_PNP_RESOURCE_CONFLICT_TRACE_CONTEXT' : [ 0x18, { 'ResourceType' : [ 0x0, ['unsigned char']], 'AlternativeCount' : [ 0x4, ['unsigned long']], 'ResourceRequests' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ArbiterInstance' : [ 0x10, ['pointer64', ['void']]], } ], '_MI_POOL_FAILURE_REASONS' : [ 0x2c, { 'NonPagedNoPtes' : [ 0x0, ['unsigned long']], 'PriorityTooLow' : [ 0x4, ['unsigned long']], 'NonPagedNoPagesAvailable' : [ 0x8, ['unsigned long']], 
'PagedNoPtes' : [ 0xc, ['unsigned long']], 'SessionPagedNoPtes' : [ 0x10, ['unsigned long']], 'PagedNoPagesAvailable' : [ 0x14, ['unsigned long']], 'SessionPagedNoPagesAvailable' : [ 0x18, ['unsigned long']], 'PagedNoCommit' : [ 0x1c, ['unsigned long']], 'SessionPagedNoCommit' : [ 0x20, ['unsigned long']], 'NonPagedNoResidentAvailable' : [ 0x24, ['unsigned long']], 'NonPagedNoCommit' : [ 0x28, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_MI_PAGE_COMBINE_STATISTICS' : [ 0x28, { 'PagesScannedActive' : [ 0x0, ['unsigned long long']], 'PagesScannedStandby' : [ 0x8, ['unsigned long long']], 'PagesCombined' : [ 0x10, ['unsigned long long']], 'CombineScanCount' : [ 0x18, ['unsigned long']], 'CombinedBlocksInUse' : [ 0x1c, ['long']], 'SumCombinedBlocksReferenceCount' : [ 0x20, ['long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_HVIEW_MAP_TABLE' : [ 0x800, { 'Entries' : [ 0x0, ['array', 64, ['_HVIEW_MAP_ENTRY']]], } ], '_LDRP_CSLIST' : [ 0x8, { 'Tail' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_MI_RESERVATION_CLUSTER_INFO' : [ 0x4, { 'ClusterSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'EntireInfo' : [ 0x0, ['long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 
'Signature' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer64', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 
'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_POP_FX_PERF_SET' : [ 0x20, { 'PerfSet' : [ 0x0, ['pointer64', ['_PO_FX_COMPONENT_PERF_SET']]], 'CurrentPerf' : [ 0x8, ['unsigned long long']], 'CurrentPerfStamp' : [ 0x10, ['unsigned long long']], 'CurrentPerfNominal' : [ 0x18, ['unsigned char']], } ], '_PO_FX_PERF_STATE_CHANGE' : [ 0x10, { 'Set' : [ 0x0, ['unsigned long']], 'StateIndex' : [ 0x8, ['unsigned long']], 'StateValue' : [ 0x8, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x8, ['unsigned long']], } ], '_HVIEW_MAP_ENTRY' : [ 0x20, { 'ViewStart' : [ 0x0, ['pointer64', ['void']]], 'IsPinned' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Bcb' : [ 0x8, ['pointer64', ['void']]], 'PinnedPages' : [ 0x10, ['unsigned long long']], 'Size' : [ 0x18, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 
0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '__unnamed_2b7a' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['pointer64', ['_PO_FX_PERF_STATE']]], } ], '__unnamed_2b7c' : [ 0x10, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], } ], '_PO_FX_COMPONENT_PERF_SET' : [ 0x30, { 'Name' : [ 0x0, ['_UNICODE_STRING']], 'Flags' : [ 0x10, ['unsigned long long']], 'Unit' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateUnitOther', 1: 'PoFxPerfStateUnitFrequency', 2: 'PoFxPerfStateUnitBandwidth', 3: 'PoFxPerfStateUnitMaximum'})]], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateTypeDiscrete', 1: 'PoFxPerfStateTypeRange', 2: 'PoFxPerfStateTypeMaximum'})]], 'Discrete' : [ 0x20, ['__unnamed_2b7a']], 'Range' : [ 0x20, ['__unnamed_2b7c']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '__unnamed_2b82' : [ 0x8, { 'MessageAddressLow' : [ 0x0, ['unsigned long']], 'MessageData' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], } ], '__unnamed_2b84' : [ 0x8, { 'RemappedFormat' : [ 0x0, ['_ULARGE_INTEGER']], 'Msi' : [ 0x0, ['__unnamed_2b82']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_2b84']], } ], '_PO_FX_PERF_STATE' : [ 0x10, { 'Value' : [ 0x0, ['unsigned long long']], 'Context' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2b8a' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, 
['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_2b8c' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_2b92' : [ 0x10, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], 'OutputInformation' : [ 0x8, ['pointer64', ['_FS_FILTER_SECTION_SYNC_OUTPUT']]], } ], '__unnamed_2b96' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_2b98' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_2b8a']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2b8c']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2b92']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2b96']], 'Others' : [ 0x0, ['__unnamed_2b98']], } ], '_FS_FILTER_SECTION_SYNC_OUTPUT' : [ 0x10, { 'StructureSize' : [ 0x0, ['unsigned long']], 'SizeReturned' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DesiredReadAlignment' : [ 0xc, ['unsigned long']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/xp_sp2_x86_syscalls.py0000644000000000000000000010331513131215405030566 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # Copyright (c) 2011 Michael Hale Ligh # # This file is part of Volatility. 
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see <http://www.gnu.org/licenses/>. # syscalls = [ [ 'NtAcceptConnectPort', # 0x0 'NtAccessCheck', # 0x1 'NtAccessCheckAndAuditAlarm', # 0x2 'NtAccessCheckByType', # 0x3 'NtAccessCheckByTypeAndAuditAlarm', # 0x4 'NtAccessCheckByTypeResultList', # 0x5 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7 'NtAddAtom', # 0x8 'NtAddBootEntry', # 0x9 'NtAdjustGroupsToken', # 0xa 'NtAdjustPrivilegesToken', # 0xb 'NtAlertResumeThread', # 0xc 'NtAlertThread', # 0xd 'NtAllocateLocallyUniqueId', # 0xe 'NtAllocateUserPhysicalPages', # 0xf 'NtAllocateUuids', # 0x10 'NtAllocateVirtualMemory', # 0x11 'NtAreMappedFilesTheSame', # 0x12 'NtAssignProcessToJobObject', # 0x13 'NtCallbackReturn', # 0x14 'NtCancelDeviceWakeupRequest', # 0x15 'NtCancelIoFile', # 0x16 'NtCancelTimer', # 0x17 'NtClearEvent', # 0x18 'NtClose', # 0x19 'NtCloseObjectAuditAlarm', # 0x1a 'NtCompactKeys', # 0x1b 'NtCompareTokens', # 0x1c 'NtCompleteConnectPort', # 0x1d 'NtCompressKey', # 0x1e 'NtConnectPort', # 0x1f 'NtContinue', # 0x20 'NtCreateDebugObject', # 0x21 'NtCreateDirectoryObject', # 0x22 'NtCreateEvent', # 0x23 'NtCreateEventPair', # 0x24 'NtCreateFile', # 0x25 'NtCreateIoCompletion', # 0x26 'NtCreateJobObject', # 0x27 'NtCreateJobSet', # 0x28 'NtCreateKey', # 0x29 'NtCreateMailslotFile', # 0x2a 'NtCreateMutant', # 0x2b 'NtCreateNamedPipeFile', # 0x2c 'NtCreatePagingFile', # 0x2d 
'NtCreatePort', # 0x2e 'NtCreateProcess', # 0x2f 'NtCreateProcessEx', # 0x30 'NtCreateProfile', # 0x31 'NtCreateSection', # 0x32 'NtCreateSemaphore', # 0x33 'NtCreateSymbolicLinkObject', # 0x34 'NtCreateThread', # 0x35 'NtCreateTimer', # 0x36 'NtCreateToken', # 0x37 'NtCreateWaitablePort', # 0x38 'NtDebugActiveProcess', # 0x39 'NtDebugContinue', # 0x3a 'NtDelayExecution', # 0x3b 'NtDeleteAtom', # 0x3c 'NtDeleteBootEntry', # 0x3d 'NtDeleteFile', # 0x3e 'NtDeleteKey', # 0x3f 'NtDeleteObjectAuditAlarm', # 0x40 'NtDeleteValueKey', # 0x41 'NtDeviceIoControlFile', # 0x42 'NtDisplayString', # 0x43 'NtDuplicateObject', # 0x44 'NtDuplicateToken', # 0x45 'NtEnumerateBootEntries', # 0x46 'NtEnumerateKey', # 0x47 'NtEnumerateSystemEnvironmentValuesEx', # 0x48 'NtEnumerateValueKey', # 0x49 'NtExtendSection', # 0x4a 'NtFilterToken', # 0x4b 'NtFindAtom', # 0x4c 'NtFlushBuffersFile', # 0x4d 'NtFlushInstructionCache', # 0x4e 'NtFlushKey', # 0x4f 'NtFlushVirtualMemory', # 0x50 'NtFlushWriteBuffer', # 0x51 'NtFreeUserPhysicalPages', # 0x52 'NtFreeVirtualMemory', # 0x53 'NtFsControlFile', # 0x54 'NtGetContextThread', # 0x55 'NtGetDevicePowerState', # 0x56 'NtGetPlugPlayEvent', # 0x57 'NtGetWriteWatch', # 0x58 'NtImpersonateAnonymousToken', # 0x59 'NtImpersonateClientOfPort', # 0x5a 'NtImpersonateThread', # 0x5b 'NtInitializeRegistry', # 0x5c 'NtInitiatePowerAction', # 0x5d 'NtIsProcessInJob', # 0x5e 'NtIsSystemResumeAutomatic', # 0x5f 'NtListenPort', # 0x60 'NtLoadDriver', # 0x61 'NtLoadKey', # 0x62 'NtLoadKey2', # 0x63 'NtLockFile', # 0x64 'NtLockProductActivationKeys', # 0x65 'NtLockRegistryKey', # 0x66 'NtLockVirtualMemory', # 0x67 'NtMakePermanentObject', # 0x68 'NtMakeTemporaryObject', # 0x69 'NtMapUserPhysicalPages', # 0x6a 'NtMapUserPhysicalPagesScatter', # 0x6b 'NtMapViewOfSection', # 0x6c 'NtModifyBootEntry', # 0x6d 'NtNotifyChangeDirectoryFile', # 0x6e 'NtNotifyChangeKey', # 0x6f 'NtNotifyChangeMultipleKeys', # 0x70 'NtOpenDirectoryObject', # 0x71 'NtOpenEvent', # 0x72 
'NtOpenEventPair', # 0x73 'NtOpenFile', # 0x74 'NtOpenIoCompletion', # 0x75 'NtOpenJobObject', # 0x76 'NtOpenKey', # 0x77 'NtOpenMutant', # 0x78 'NtOpenObjectAuditAlarm', # 0x79 'NtOpenProcess', # 0x7a 'NtOpenProcessToken', # 0x7b 'NtOpenProcessTokenEx', # 0x7c 'NtOpenSection', # 0x7d 'NtOpenSemaphore', # 0x7e 'NtOpenSymbolicLinkObject', # 0x7f 'NtOpenThread', # 0x80 'NtOpenThreadToken', # 0x81 'NtOpenThreadTokenEx', # 0x82 'NtOpenTimer', # 0x83 'NtPlugPlayControl', # 0x84 'NtPowerInformation', # 0x85 'NtPrivilegeCheck', # 0x86 'NtPrivilegeObjectAuditAlarm', # 0x87 'NtPrivilegedServiceAuditAlarm', # 0x88 'NtProtectVirtualMemory', # 0x89 'NtPulseEvent', # 0x8a 'NtQueryAttributesFile', # 0x8b 'NtQueryBootEntryOrder', # 0x8c 'NtQueryBootOptions', # 0x8d 'NtQueryDebugFilterState', # 0x8e 'NtQueryDefaultLocale', # 0x8f 'NtQueryDefaultUILanguage', # 0x90 'NtQueryDirectoryFile', # 0x91 'NtQueryDirectoryObject', # 0x92 'NtQueryEaFile', # 0x93 'NtQueryEvent', # 0x94 'NtQueryFullAttributesFile', # 0x95 'NtQueryInformationAtom', # 0x96 'NtQueryInformationFile', # 0x97 'NtQueryInformationJobObject', # 0x98 'NtQueryInformationPort', # 0x99 'NtQueryInformationProcess', # 0x9a 'NtQueryInformationThread', # 0x9b 'NtQueryInformationToken', # 0x9c 'NtQueryInstallUILanguage', # 0x9d 'NtQueryIntervalProfile', # 0x9e 'NtQueryIoCompletion', # 0x9f 'NtQueryKey', # 0xa0 'NtQueryMultipleValueKey', # 0xa1 'NtQueryMutant', # 0xa2 'NtQueryObject', # 0xa3 'NtQueryOpenSubKeys', # 0xa4 'NtQueryPerformanceCounter', # 0xa5 'NtQueryQuotaInformationFile', # 0xa6 'NtQuerySection', # 0xa7 'NtQuerySecurityObject', # 0xa8 'NtQuerySemaphore', # 0xa9 'NtQuerySymbolicLinkObject', # 0xaa 'NtQuerySystemEnvironmentValue', # 0xab 'NtQuerySystemEnvironmentValueEx', # 0xac 'NtQuerySystemInformation', # 0xad 'NtQuerySystemTime', # 0xae 'NtQueryTimer', # 0xaf 'NtQueryTimerResolution', # 0xb0 'NtQueryValueKey', # 0xb1 'NtQueryVirtualMemory', # 0xb2 'NtQueryVolumeInformationFile', # 0xb3 'NtQueueApcThread', # 0xb4 
'NtRaiseException', # 0xb5 'NtRaiseHardError', # 0xb6 'NtReadFile', # 0xb7 'NtReadFileScatter', # 0xb8 'NtReadRequestData', # 0xb9 'NtReadVirtualMemory', # 0xba 'NtRegisterThreadTerminatePort', # 0xbb 'NtReleaseMutant', # 0xbc 'NtReleaseSemaphore', # 0xbd 'NtRemoveIoCompletion', # 0xbe 'NtRemoveProcessDebug', # 0xbf 'NtRenameKey', # 0xc0 'NtReplaceKey', # 0xc1 'NtReplyPort', # 0xc2 'NtReplyWaitReceivePort', # 0xc3 'NtReplyWaitReceivePortEx', # 0xc4 'NtReplyWaitReplyPort', # 0xc5 'NtRequestDeviceWakeup', # 0xc6 'NtRequestPort', # 0xc7 'NtRequestWaitReplyPort', # 0xc8 'NtRequestWakeupLatency', # 0xc9 'NtResetEvent', # 0xca 'NtResetWriteWatch', # 0xcb 'NtRestoreKey', # 0xcc 'NtResumeProcess', # 0xcd 'NtResumeThread', # 0xce 'NtSaveKey', # 0xcf 'NtSaveKeyEx', # 0xd0 'NtSaveMergedKeys', # 0xd1 'NtSecureConnectPort', # 0xd2 'NtSetBootEntryOrder', # 0xd3 'NtSetBootOptions', # 0xd4 'NtSetContextThread', # 0xd5 'NtSetDebugFilterState', # 0xd6 'NtSetDefaultHardErrorPort', # 0xd7 'NtSetDefaultLocale', # 0xd8 'NtSetDefaultUILanguage', # 0xd9 'NtSetEaFile', # 0xda 'NtSetEvent', # 0xdb 'NtSetEventBoostPriority', # 0xdc 'NtSetHighEventPair', # 0xdd 'NtSetHighWaitLowEventPair', # 0xde 'NtSetInformationDebugObject', # 0xdf 'NtSetInformationFile', # 0xe0 'NtSetInformationJobObject', # 0xe1 'NtSetInformationKey', # 0xe2 'NtSetInformationObject', # 0xe3 'NtSetInformationProcess', # 0xe4 'NtSetInformationThread', # 0xe5 'NtSetInformationToken', # 0xe6 'NtSetIntervalProfile', # 0xe7 'NtSetIoCompletion', # 0xe8 'NtSetLdtEntries', # 0xe9 'NtSetLowEventPair', # 0xea 'NtSetLowWaitHighEventPair', # 0xeb 'NtSetQuotaInformationFile', # 0xec 'NtSetSecurityObject', # 0xed 'NtSetSystemEnvironmentValue', # 0xee 'NtSetSystemEnvironmentValueEx', # 0xef 'NtSetSystemInformation', # 0xf0 'NtSetSystemPowerState', # 0xf1 'NtSetSystemTime', # 0xf2 'NtSetThreadExecutionState', # 0xf3 'NtSetTimer', # 0xf4 'NtSetTimerResolution', # 0xf5 'NtSetUuidSeed', # 0xf6 'NtSetValueKey', # 0xf7 
'NtSetVolumeInformationFile', # 0xf8 'NtShutdownSystem', # 0xf9 'NtSignalAndWaitForSingleObject', # 0xfa 'NtStartProfile', # 0xfb 'NtStopProfile', # 0xfc 'NtSuspendProcess', # 0xfd 'NtSuspendThread', # 0xfe 'NtSystemDebugControl', # 0xff 'NtTerminateJobObject', # 0x100 'NtTerminateProcess', # 0x101 'NtTerminateThread', # 0x102 'NtTestAlert', # 0x103 'NtTraceEvent', # 0x104 'NtTranslateFilePath', # 0x105 'NtUnloadDriver', # 0x106 'NtUnloadKey', # 0x107 'NtUnloadKeyEx', # 0x108 'NtUnlockFile', # 0x109 'NtUnlockVirtualMemory', # 0x10a 'NtUnmapViewOfSection', # 0x10b 'NtVdmControl', # 0x10c 'NtWaitForDebugEvent', # 0x10d 'NtWaitForMultipleObjects', # 0x10e 'NtWaitForSingleObject', # 0x10f 'NtWaitHighEventPair', # 0x110 'NtWaitLowEventPair', # 0x111 'NtWriteFile', # 0x112 'NtWriteFileGather', # 0x113 'NtWriteRequestData', # 0x114 'NtWriteVirtualMemory', # 0x115 'NtYieldExecution', # 0x116 'NtCreateKeyedEvent', # 0x117 'NtOpenKeyedEvent', # 0x118 'NtReleaseKeyedEvent', # 0x119 'NtWaitForKeyedEvent', # 0x11a 'NtQueryPortInformationProcess', # 0x11b ], [ 'NtGdiAbortDoc', # 0x0 'NtGdiAbortPath', # 0x1 'NtGdiAddFontResourceW', # 0x2 'NtGdiAddRemoteFontToDC', # 0x3 'NtGdiAddFontMemResourceEx', # 0x4 'NtGdiRemoveMergeFont', # 0x5 'NtGdiAddRemoteMMInstanceToDC', # 0x6 'NtGdiAlphaBlend', # 0x7 'NtGdiAngleArc', # 0x8 'NtGdiAnyLinkedFonts', # 0x9 'NtGdiFontIsLinked', # 0xa 'NtGdiArcInternal', # 0xb 'NtGdiBeginPath', # 0xc 'NtGdiBitBlt', # 0xd 'NtGdiCancelDC', # 0xe 'NtGdiCheckBitmapBits', # 0xf 'NtGdiCloseFigure', # 0x10 'NtGdiClearBitmapAttributes', # 0x11 'NtGdiClearBrushAttributes', # 0x12 'NtGdiColorCorrectPalette', # 0x13 'NtGdiCombineRgn', # 0x14 'NtGdiCombineTransform', # 0x15 'NtGdiComputeXformCoefficients', # 0x16 'NtGdiConsoleTextOut', # 0x17 'NtGdiConvertMetafileRect', # 0x18 'NtGdiCreateBitmap', # 0x19 'NtGdiCreateClientObj', # 0x1a 'NtGdiCreateColorSpace', # 0x1b 'NtGdiCreateColorTransform', # 0x1c 'NtGdiCreateCompatibleBitmap', # 0x1d 'NtGdiCreateCompatibleDC', # 
0x1e 'NtGdiCreateDIBBrush', # 0x1f 'NtGdiCreateDIBitmapInternal', # 0x20 'NtGdiCreateDIBSection', # 0x21 'NtGdiCreateEllipticRgn', # 0x22 'NtGdiCreateHalftonePalette', # 0x23 'NtGdiCreateHatchBrushInternal', # 0x24 'NtGdiCreateMetafileDC', # 0x25 'NtGdiCreatePaletteInternal', # 0x26 'NtGdiCreatePatternBrushInternal', # 0x27 'NtGdiCreatePen', # 0x28 'NtGdiCreateRectRgn', # 0x29 'NtGdiCreateRoundRectRgn', # 0x2a 'NtGdiCreateServerMetaFile', # 0x2b 'NtGdiCreateSolidBrush', # 0x2c 'NtGdiD3dContextCreate', # 0x2d 'NtGdiD3dContextDestroy', # 0x2e 'NtGdiD3dContextDestroyAll', # 0x2f 'NtGdiD3dValidateTextureStageState', # 0x30 'NtGdiD3dDrawPrimitives2', # 0x31 'NtGdiDdGetDriverState', # 0x32 'NtGdiDdAddAttachedSurface', # 0x33 'NtGdiDdAlphaBlt', # 0x34 'NtGdiDdAttachSurface', # 0x35 'NtGdiDdBeginMoCompFrame', # 0x36 'NtGdiDdBlt', # 0x37 'NtGdiDdCanCreateSurface', # 0x38 'NtGdiDdCanCreateD3DBuffer', # 0x39 'NtGdiDdColorControl', # 0x3a 'NtGdiDdCreateDirectDrawObject', # 0x3b 'NtGdiDdCreateSurface', # 0x3c 'NtGdiDdCreateD3DBuffer', # 0x3d 'NtGdiDdCreateMoComp', # 0x3e 'NtGdiDdCreateSurfaceObject', # 0x3f 'NtGdiDdDeleteDirectDrawObject', # 0x40 'NtGdiDdDeleteSurfaceObject', # 0x41 'NtGdiDdDestroyMoComp', # 0x42 'NtGdiDdDestroySurface', # 0x43 'NtGdiDdDestroyD3DBuffer', # 0x44 'NtGdiDdEndMoCompFrame', # 0x45 'NtGdiDdFlip', # 0x46 'NtGdiDdFlipToGDISurface', # 0x47 'NtGdiDdGetAvailDriverMemory', # 0x48 'NtGdiDdGetBltStatus', # 0x49 'NtGdiDdGetDC', # 0x4a 'NtGdiDdGetDriverInfo', # 0x4b 'NtGdiDdGetDxHandle', # 0x4c 'NtGdiDdGetFlipStatus', # 0x4d 'NtGdiDdGetInternalMoCompInfo', # 0x4e 'NtGdiDdGetMoCompBuffInfo', # 0x4f 'NtGdiDdGetMoCompGuids', # 0x50 'NtGdiDdGetMoCompFormats', # 0x51 'NtGdiDdGetScanLine', # 0x52 'NtGdiDdLock', # 0x53 'NtGdiDdLockD3D', # 0x54 'NtGdiDdQueryDirectDrawObject', # 0x55 'NtGdiDdQueryMoCompStatus', # 0x56 'NtGdiDdReenableDirectDrawObject', # 0x57 'NtGdiDdReleaseDC', # 0x58 'NtGdiDdRenderMoComp', # 0x59 'NtGdiDdResetVisrgn', # 0x5a 'NtGdiDdSetColorKey', # 
0x5b 'NtGdiDdSetExclusiveMode', # 0x5c 'NtGdiDdSetGammaRamp', # 0x5d 'NtGdiDdCreateSurfaceEx', # 0x5e 'NtGdiDdSetOverlayPosition', # 0x5f 'NtGdiDdUnattachSurface', # 0x60 'NtGdiDdUnlock', # 0x61 'NtGdiDdUnlockD3D', # 0x62 'NtGdiDdUpdateOverlay', # 0x63 'NtGdiDdWaitForVerticalBlank', # 0x64 'NtGdiDvpCanCreateVideoPort', # 0x65 'NtGdiDvpColorControl', # 0x66 'NtGdiDvpCreateVideoPort', # 0x67 'NtGdiDvpDestroyVideoPort', # 0x68 'NtGdiDvpFlipVideoPort', # 0x69 'NtGdiDvpGetVideoPortBandwidth', # 0x6a 'NtGdiDvpGetVideoPortField', # 0x6b 'NtGdiDvpGetVideoPortFlipStatus', # 0x6c 'NtGdiDvpGetVideoPortInputFormats', # 0x6d 'NtGdiDvpGetVideoPortLine', # 0x6e 'NtGdiDvpGetVideoPortOutputFormats', # 0x6f 'NtGdiDvpGetVideoPortConnectInfo', # 0x70 'NtGdiDvpGetVideoSignalStatus', # 0x71 'NtGdiDvpUpdateVideoPort', # 0x72 'NtGdiDvpWaitForVideoPortSync', # 0x73 'NtGdiDvpAcquireNotification', # 0x74 'NtGdiDvpReleaseNotification', # 0x75 'NtGdiDxgGenericThunk', # 0x76 'NtGdiDeleteClientObj', # 0x77 'NtGdiDeleteColorSpace', # 0x78 'NtGdiDeleteColorTransform', # 0x79 'NtGdiDeleteObjectApp', # 0x7a 'NtGdiDescribePixelFormat', # 0x7b 'NtGdiGetPerBandInfo', # 0x7c 'NtGdiDoBanding', # 0x7d 'NtGdiDoPalette', # 0x7e 'NtGdiDrawEscape', # 0x7f 'NtGdiEllipse', # 0x80 'NtGdiEnableEudc', # 0x81 'NtGdiEndDoc', # 0x82 'NtGdiEndPage', # 0x83 'NtGdiEndPath', # 0x84 'NtGdiEnumFontChunk', # 0x85 'NtGdiEnumFontClose', # 0x86 'NtGdiEnumFontOpen', # 0x87 'NtGdiEnumObjects', # 0x88 'NtGdiEqualRgn', # 0x89 'NtGdiEudcLoadUnloadLink', # 0x8a 'NtGdiExcludeClipRect', # 0x8b 'NtGdiExtCreatePen', # 0x8c 'NtGdiExtCreateRegion', # 0x8d 'NtGdiExtEscape', # 0x8e 'NtGdiExtFloodFill', # 0x8f 'NtGdiExtGetObjectW', # 0x90 'NtGdiExtSelectClipRgn', # 0x91 'NtGdiExtTextOutW', # 0x92 'NtGdiFillPath', # 0x93 'NtGdiFillRgn', # 0x94 'NtGdiFlattenPath', # 0x95 'NtGdiFlushUserBatch', # 0x96 'NtGdiFlush', # 0x97 'NtGdiForceUFIMapping', # 0x98 'NtGdiFrameRgn', # 0x99 'NtGdiFullscreenControl', # 0x9a 'NtGdiGetAndSetDCDword', # 0x9b 
'NtGdiGetAppClipBox', # 0x9c 'NtGdiGetBitmapBits', # 0x9d 'NtGdiGetBitmapDimension', # 0x9e 'NtGdiGetBoundsRect', # 0x9f 'NtGdiGetCharABCWidthsW', # 0xa0 'NtGdiGetCharacterPlacementW', # 0xa1 'NtGdiGetCharSet', # 0xa2 'NtGdiGetCharWidthW', # 0xa3 'NtGdiGetCharWidthInfo', # 0xa4 'NtGdiGetColorAdjustment', # 0xa5 'NtGdiGetColorSpaceforBitmap', # 0xa6 'NtGdiGetDCDword', # 0xa7 'NtGdiGetDCforBitmap', # 0xa8 'NtGdiGetDCObject', # 0xa9 'NtGdiGetDCPoint', # 0xaa 'NtGdiGetDeviceCaps', # 0xab 'NtGdiGetDeviceGammaRamp', # 0xac 'NtGdiGetDeviceCapsAll', # 0xad 'NtGdiGetDIBitsInternal', # 0xae 'NtGdiGetETM', # 0xaf 'NtGdiGetEudcTimeStampEx', # 0xb0 'NtGdiGetFontData', # 0xb1 'NtGdiGetFontResourceInfoInternalW', # 0xb2 'NtGdiGetGlyphIndicesW', # 0xb3 'NtGdiGetGlyphIndicesWInternal', # 0xb4 'NtGdiGetGlyphOutline', # 0xb5 'NtGdiGetKerningPairs', # 0xb6 'NtGdiGetLinkedUFIs', # 0xb7 'NtGdiGetMiterLimit', # 0xb8 'NtGdiGetMonitorID', # 0xb9 'NtGdiGetNearestColor', # 0xba 'NtGdiGetNearestPaletteIndex', # 0xbb 'NtGdiGetObjectBitmapHandle', # 0xbc 'NtGdiGetOutlineTextMetricsInternalW', # 0xbd 'NtGdiGetPath', # 0xbe 'NtGdiGetPixel', # 0xbf 'NtGdiGetRandomRgn', # 0xc0 'NtGdiGetRasterizerCaps', # 0xc1 'NtGdiGetRealizationInfo', # 0xc2 'NtGdiGetRegionData', # 0xc3 'NtGdiGetRgnBox', # 0xc4 'NtGdiGetServerMetaFileBits', # 0xc5 'NtGdiGetSpoolMessage', # 0xc6 'NtGdiGetStats', # 0xc7 'NtGdiGetStockObject', # 0xc8 'NtGdiGetStringBitmapW', # 0xc9 'NtGdiGetSystemPaletteUse', # 0xca 'NtGdiGetTextCharsetInfo', # 0xcb 'NtGdiGetTextExtent', # 0xcc 'NtGdiGetTextExtentExW', # 0xcd 'NtGdiGetTextFaceW', # 0xce 'NtGdiGetTextMetricsW', # 0xcf 'NtGdiGetTransform', # 0xd0 'NtGdiGetUFI', # 0xd1 'NtGdiGetEmbUFI', # 0xd2 'NtGdiGetUFIPathname', # 0xd3 'NtGdiGetEmbedFonts', # 0xd4 'NtGdiChangeGhostFont', # 0xd5 'NtGdiAddEmbFontToDC', # 0xd6 'NtGdiGetFontUnicodeRanges', # 0xd7 'NtGdiGetWidthTable', # 0xd8 'NtGdiGradientFill', # 0xd9 'NtGdiHfontCreate', # 0xda 'NtGdiIcmBrushInfo', # 0xdb 'NtGdiInit', # 0xdc 
'NtGdiInitSpool', # 0xdd 'NtGdiIntersectClipRect', # 0xde 'NtGdiInvertRgn', # 0xdf 'NtGdiLineTo', # 0xe0 'NtGdiMakeFontDir', # 0xe1 'NtGdiMakeInfoDC', # 0xe2 'NtGdiMaskBlt', # 0xe3 'NtGdiModifyWorldTransform', # 0xe4 'NtGdiMonoBitmap', # 0xe5 'NtGdiMoveTo', # 0xe6 'NtGdiOffsetClipRgn', # 0xe7 'NtGdiOffsetRgn', # 0xe8 'NtGdiOpenDCW', # 0xe9 'NtGdiPatBlt', # 0xea 'NtGdiPolyPatBlt', # 0xeb 'NtGdiPathToRegion', # 0xec 'NtGdiPlgBlt', # 0xed 'NtGdiPolyDraw', # 0xee 'NtGdiPolyPolyDraw', # 0xef 'NtGdiPolyTextOutW', # 0xf0 'NtGdiPtInRegion', # 0xf1 'NtGdiPtVisible', # 0xf2 'NtGdiQueryFonts', # 0xf3 'NtGdiQueryFontAssocInfo', # 0xf4 'NtGdiRectangle', # 0xf5 'NtGdiRectInRegion', # 0xf6 'NtGdiRectVisible', # 0xf7 'NtGdiRemoveFontResourceW', # 0xf8 'NtGdiRemoveFontMemResourceEx', # 0xf9 'NtGdiResetDC', # 0xfa 'NtGdiResizePalette', # 0xfb 'NtGdiRestoreDC', # 0xfc 'NtGdiRoundRect', # 0xfd 'NtGdiSaveDC', # 0xfe 'NtGdiScaleViewportExtEx', # 0xff 'NtGdiScaleWindowExtEx', # 0x100 'NtGdiSelectBitmap', # 0x101 'NtGdiSelectBrush', # 0x102 'NtGdiSelectClipPath', # 0x103 'NtGdiSelectFont', # 0x104 'NtGdiSelectPen', # 0x105 'NtGdiSetBitmapAttributes', # 0x106 'NtGdiSetBitmapBits', # 0x107 'NtGdiSetBitmapDimension', # 0x108 'NtGdiSetBoundsRect', # 0x109 'NtGdiSetBrushAttributes', # 0x10a 'NtGdiSetBrushOrg', # 0x10b 'NtGdiSetColorAdjustment', # 0x10c 'NtGdiSetColorSpace', # 0x10d 'NtGdiSetDeviceGammaRamp', # 0x10e 'NtGdiSetDIBitsToDeviceInternal', # 0x10f 'NtGdiSetFontEnumeration', # 0x110 'NtGdiSetFontXform', # 0x111 'NtGdiSetIcmMode', # 0x112 'NtGdiSetLinkedUFIs', # 0x113 'NtGdiSetMagicColors', # 0x114 'NtGdiSetMetaRgn', # 0x115 'NtGdiSetMiterLimit', # 0x116 'NtGdiGetDeviceWidth', # 0x117 'NtGdiMirrorWindowOrg', # 0x118 'NtGdiSetLayout', # 0x119 'NtGdiSetPixel', # 0x11a 'NtGdiSetPixelFormat', # 0x11b 'NtGdiSetRectRgn', # 0x11c 'NtGdiSetSystemPaletteUse', # 0x11d 'NtGdiSetTextJustification', # 0x11e 'NtGdiSetupPublicCFONT', # 0x11f 'NtGdiSetVirtualResolution', # 0x120 'NtGdiSetSizeDevice', 
# 0x121 'NtGdiStartDoc', # 0x122 'NtGdiStartPage', # 0x123 'NtGdiStretchBlt', # 0x124 'NtGdiStretchDIBitsInternal', # 0x125 'NtGdiStrokeAndFillPath', # 0x126 'NtGdiStrokePath', # 0x127 'NtGdiSwapBuffers', # 0x128 'NtGdiTransformPoints', # 0x129 'NtGdiTransparentBlt', # 0x12a 'NtGdiUnloadPrinterDriver', # 0x12b 'NtGdiUnmapMemFont', # 0x12c 'NtGdiUnrealizeObject', # 0x12d 'NtGdiUpdateColors', # 0x12e 'NtGdiWidenPath', # 0x12f 'NtUserActivateKeyboardLayout', # 0x130 'NtUserAlterWindowStyle', # 0x131 'NtUserAssociateInputContext', # 0x132 'NtUserAttachThreadInput', # 0x133 'NtUserBeginPaint', # 0x134 'NtUserBitBltSysBmp', # 0x135 'NtUserBlockInput', # 0x136 'NtUserBuildHimcList', # 0x137 'NtUserBuildHwndList', # 0x138 'NtUserBuildNameList', # 0x139 'NtUserBuildPropList', # 0x13a 'NtUserCallHwnd', # 0x13b 'NtUserCallHwndLock', # 0x13c 'NtUserCallHwndOpt', # 0x13d 'NtUserCallHwndParam', # 0x13e 'NtUserCallHwndParamLock', # 0x13f 'NtUserCallMsgFilter', # 0x140 'NtUserCallNextHookEx', # 0x141 'NtUserCallNoParam', # 0x142 'NtUserCallOneParam', # 0x143 'NtUserCallTwoParam', # 0x144 'NtUserChangeClipboardChain', # 0x145 'NtUserChangeDisplaySettings', # 0x146 'NtUserCheckImeHotKey', # 0x147 'NtUserCheckMenuItem', # 0x148 'NtUserChildWindowFromPointEx', # 0x149 'NtUserClipCursor', # 0x14a 'NtUserCloseClipboard', # 0x14b 'NtUserCloseDesktop', # 0x14c 'NtUserCloseWindowStation', # 0x14d 'NtUserConsoleControl', # 0x14e 'NtUserConvertMemHandle', # 0x14f 'NtUserCopyAcceleratorTable', # 0x150 'NtUserCountClipboardFormats', # 0x151 'NtUserCreateAcceleratorTable', # 0x152 'NtUserCreateCaret', # 0x153 'NtUserCreateDesktop', # 0x154 'NtUserCreateInputContext', # 0x155 'NtUserCreateLocalMemHandle', # 0x156 'NtUserCreateWindowEx', # 0x157 'NtUserCreateWindowStation', # 0x158 'NtUserDdeGetQualityOfService', # 0x159 'NtUserDdeInitialize', # 0x15a 'NtUserDdeSetQualityOfService', # 0x15b 'NtUserDeferWindowPos', # 0x15c 'NtUserDefSetText', # 0x15d 'NtUserDeleteMenu', # 0x15e 
'NtUserDestroyAcceleratorTable', # 0x15f 'NtUserDestroyCursor', # 0x160 'NtUserDestroyInputContext', # 0x161 'NtUserDestroyMenu', # 0x162 'NtUserDestroyWindow', # 0x163 'NtUserDisableThreadIme', # 0x164 'NtUserDispatchMessage', # 0x165 'NtUserDragDetect', # 0x166 'NtUserDragObject', # 0x167 'NtUserDrawAnimatedRects', # 0x168 'NtUserDrawCaption', # 0x169 'NtUserDrawCaptionTemp', # 0x16a 'NtUserDrawIconEx', # 0x16b 'NtUserDrawMenuBarTemp', # 0x16c 'NtUserEmptyClipboard', # 0x16d 'NtUserEnableMenuItem', # 0x16e 'NtUserEnableScrollBar', # 0x16f 'NtUserEndDeferWindowPosEx', # 0x170 'NtUserEndMenu', # 0x171 'NtUserEndPaint', # 0x172 'NtUserEnumDisplayDevices', # 0x173 'NtUserEnumDisplayMonitors', # 0x174 'NtUserEnumDisplaySettings', # 0x175 'NtUserEvent', # 0x176 'NtUserExcludeUpdateRgn', # 0x177 'NtUserFillWindow', # 0x178 'NtUserFindExistingCursorIcon', # 0x179 'NtUserFindWindowEx', # 0x17a 'NtUserFlashWindowEx', # 0x17b 'NtUserGetAltTabInfo', # 0x17c 'NtUserGetAncestor', # 0x17d 'NtUserGetAppImeLevel', # 0x17e 'NtUserGetAsyncKeyState', # 0x17f 'NtUserGetAtomName', # 0x180 'NtUserGetCaretBlinkTime', # 0x181 'NtUserGetCaretPos', # 0x182 'NtUserGetClassInfo', # 0x183 'NtUserGetClassName', # 0x184 'NtUserGetClipboardData', # 0x185 'NtUserGetClipboardFormatName', # 0x186 'NtUserGetClipboardOwner', # 0x187 'NtUserGetClipboardSequenceNumber', # 0x188 'NtUserGetClipboardViewer', # 0x189 'NtUserGetClipCursor', # 0x18a 'NtUserGetComboBoxInfo', # 0x18b 'NtUserGetControlBrush', # 0x18c 'NtUserGetControlColor', # 0x18d 'NtUserGetCPD', # 0x18e 'NtUserGetCursorFrameInfo', # 0x18f 'NtUserGetCursorInfo', # 0x190 'NtUserGetDC', # 0x191 'NtUserGetDCEx', # 0x192 'NtUserGetDoubleClickTime', # 0x193 'NtUserGetForegroundWindow', # 0x194 'NtUserGetGuiResources', # 0x195 'NtUserGetGUIThreadInfo', # 0x196 'NtUserGetIconInfo', # 0x197 'NtUserGetIconSize', # 0x198 'NtUserGetImeHotKey', # 0x199 'NtUserGetImeInfoEx', # 0x19a 'NtUserGetInternalWindowPos', # 0x19b 'NtUserGetKeyboardLayoutList', # 
0x19c 'NtUserGetKeyboardLayoutName', # 0x19d 'NtUserGetKeyboardState', # 0x19e 'NtUserGetKeyNameText', # 0x19f 'NtUserGetKeyState', # 0x1a0 'NtUserGetListBoxInfo', # 0x1a1 'NtUserGetMenuBarInfo', # 0x1a2 'NtUserGetMenuIndex', # 0x1a3 'NtUserGetMenuItemRect', # 0x1a4 'NtUserGetMessage', # 0x1a5 'NtUserGetMouseMovePointsEx', # 0x1a6 'NtUserGetObjectInformation', # 0x1a7 'NtUserGetOpenClipboardWindow', # 0x1a8 'NtUserGetPriorityClipboardFormat', # 0x1a9 'NtUserGetProcessWindowStation', # 0x1aa 'NtUserGetRawInputBuffer', # 0x1ab 'NtUserGetRawInputData', # 0x1ac 'NtUserGetRawInputDeviceInfo', # 0x1ad 'NtUserGetRawInputDeviceList', # 0x1ae 'NtUserGetRegisteredRawInputDevices', # 0x1af 'NtUserGetScrollBarInfo', # 0x1b0 'NtUserGetSystemMenu', # 0x1b1 'NtUserGetThreadDesktop', # 0x1b2 'NtUserGetThreadState', # 0x1b3 'NtUserGetTitleBarInfo', # 0x1b4 'NtUserGetUpdateRect', # 0x1b5 'NtUserGetUpdateRgn', # 0x1b6 'NtUserGetWindowDC', # 0x1b7 'NtUserGetWindowPlacement', # 0x1b8 'NtUserGetWOWClass', # 0x1b9 'NtUserHardErrorControl', # 0x1ba 'NtUserHideCaret', # 0x1bb 'NtUserHiliteMenuItem', # 0x1bc 'NtUserImpersonateDdeClientWindow', # 0x1bd 'NtUserInitialize', # 0x1be 'NtUserInitializeClientPfnArrays', # 0x1bf 'NtUserInitTask', # 0x1c0 'NtUserInternalGetWindowText', # 0x1c1 'NtUserInvalidateRect', # 0x1c2 'NtUserInvalidateRgn', # 0x1c3 'NtUserIsClipboardFormatAvailable', # 0x1c4 'NtUserKillTimer', # 0x1c5 'NtUserLoadKeyboardLayoutEx', # 0x1c6 'NtUserLockWindowStation', # 0x1c7 'NtUserLockWindowUpdate', # 0x1c8 'NtUserLockWorkStation', # 0x1c9 'NtUserMapVirtualKeyEx', # 0x1ca 'NtUserMenuItemFromPoint', # 0x1cb 'NtUserMessageCall', # 0x1cc 'NtUserMinMaximize', # 0x1cd 'NtUserMNDragLeave', # 0x1ce 'NtUserMNDragOver', # 0x1cf 'NtUserModifyUserStartupInfoFlags', # 0x1d0 'NtUserMoveWindow', # 0x1d1 'NtUserNotifyIMEStatus', # 0x1d2 'NtUserNotifyProcessCreate', # 0x1d3 'NtUserNotifyWinEvent', # 0x1d4 'NtUserOpenClipboard', # 0x1d5 'NtUserOpenDesktop', # 0x1d6 'NtUserOpenInputDesktop', # 
0x1d7 'NtUserOpenWindowStation', # 0x1d8 'NtUserPaintDesktop', # 0x1d9 'NtUserPeekMessage', # 0x1da 'NtUserPostMessage', # 0x1db 'NtUserPostThreadMessage', # 0x1dc 'NtUserPrintWindow', # 0x1dd 'NtUserProcessConnect', # 0x1de 'NtUserQueryInformationThread', # 0x1df 'NtUserQueryInputContext', # 0x1e0 'NtUserQuerySendMessage', # 0x1e1 'NtUserQueryUserCounters', # 0x1e2 'NtUserQueryWindow', # 0x1e3 'NtUserRealChildWindowFromPoint', # 0x1e4 'NtUserRealInternalGetMessage', # 0x1e5 'NtUserRealWaitMessageEx', # 0x1e6 'NtUserRedrawWindow', # 0x1e7 'NtUserRegisterClassExWOW', # 0x1e8 'NtUserRegisterUserApiHook', # 0x1e9 'NtUserRegisterHotKey', # 0x1ea 'NtUserRegisterRawInputDevices', # 0x1eb 'NtUserRegisterTasklist', # 0x1ec 'NtUserRegisterWindowMessage', # 0x1ed 'NtUserRemoveMenu', # 0x1ee 'NtUserRemoveProp', # 0x1ef 'NtUserResolveDesktop', # 0x1f0 'NtUserResolveDesktopForWOW', # 0x1f1 'NtUserSBGetParms', # 0x1f2 'NtUserScrollDC', # 0x1f3 'NtUserScrollWindowEx', # 0x1f4 'NtUserSelectPalette', # 0x1f5 'NtUserSendInput', # 0x1f6 'NtUserSetActiveWindow', # 0x1f7 'NtUserSetAppImeLevel', # 0x1f8 'NtUserSetCapture', # 0x1f9 'NtUserSetClassLong', # 0x1fa 'NtUserSetClassWord', # 0x1fb 'NtUserSetClipboardData', # 0x1fc 'NtUserSetClipboardViewer', # 0x1fd 'NtUserSetConsoleReserveKeys', # 0x1fe 'NtUserSetCursor', # 0x1ff 'NtUserSetCursorContents', # 0x200 'NtUserSetCursorIconData', # 0x201 'NtUserSetDbgTag', # 0x202 'NtUserSetFocus', # 0x203 'NtUserSetImeHotKey', # 0x204 'NtUserSetImeInfoEx', # 0x205 'NtUserSetImeOwnerWindow', # 0x206 'NtUserSetInformationProcess', # 0x207 'NtUserSetInformationThread', # 0x208 'NtUserSetInternalWindowPos', # 0x209 'NtUserSetKeyboardState', # 0x20a 'NtUserSetLogonNotifyWindow', # 0x20b 'NtUserSetMenu', # 0x20c 'NtUserSetMenuContextHelpId', # 0x20d 'NtUserSetMenuDefaultItem', # 0x20e 'NtUserSetMenuFlagRtoL', # 0x20f 'NtUserSetObjectInformation', # 0x210 'NtUserSetParent', # 0x211 'NtUserSetProcessWindowStation', # 0x212 'NtUserSetProp', # 0x213 
'NtUserSetRipFlags', # 0x214 'NtUserSetScrollInfo', # 0x215 'NtUserSetShellWindowEx', # 0x216 'NtUserSetSysColors', # 0x217 'NtUserSetSystemCursor', # 0x218 'NtUserSetSystemMenu', # 0x219 'NtUserSetSystemTimer', # 0x21a 'NtUserSetThreadDesktop', # 0x21b 'NtUserSetThreadLayoutHandles', # 0x21c 'NtUserSetThreadState', # 0x21d 'NtUserSetTimer', # 0x21e 'NtUserSetWindowFNID', # 0x21f 'NtUserSetWindowLong', # 0x220 'NtUserSetWindowPlacement', # 0x221 'NtUserSetWindowPos', # 0x222 'NtUserSetWindowRgn', # 0x223 'NtUserSetWindowsHookAW', # 0x224 'NtUserSetWindowsHookEx', # 0x225 'NtUserSetWindowStationUser', # 0x226 'NtUserSetWindowWord', # 0x227 'NtUserSetWinEventHook', # 0x228 'NtUserShowCaret', # 0x229 'NtUserShowScrollBar', # 0x22a 'NtUserShowWindow', # 0x22b 'NtUserShowWindowAsync', # 0x22c 'NtUserSoundSentry', # 0x22d 'NtUserSwitchDesktop', # 0x22e 'NtUserSystemParametersInfo', # 0x22f 'NtUserTestForInteractiveUser', # 0x230 'NtUserThunkedMenuInfo', # 0x231 'NtUserThunkedMenuItemInfo', # 0x232 'NtUserToUnicodeEx', # 0x233 'NtUserTrackMouseEvent', # 0x234 'NtUserTrackPopupMenuEx', # 0x235 'NtUserCalcMenuBar', # 0x236 'NtUserPaintMenuBar', # 0x237 'NtUserTranslateAccelerator', # 0x238 'NtUserTranslateMessage', # 0x239 'NtUserUnhookWindowsHookEx', # 0x23a 'NtUserUnhookWinEvent', # 0x23b 'NtUserUnloadKeyboardLayout', # 0x23c 'NtUserUnlockWindowStation', # 0x23d 'NtUserUnregisterClass', # 0x23e 'NtUserUnregisterUserApiHook', # 0x23f 'NtUserUnregisterHotKey', # 0x240 'NtUserUpdateInputContext', # 0x241 'NtUserUpdateInstance', # 0x242 'NtUserUpdateLayeredWindow', # 0x243 'NtUserGetLayeredWindowAttributes', # 0x244 'NtUserSetLayeredWindowAttributes', # 0x245 'NtUserUpdatePerUserSystemParameters', # 0x246 'NtUserUserHandleGrantAccess', # 0x247 'NtUserValidateHandleSecure', # 0x248 'NtUserValidateRect', # 0x249 'NtUserValidateTimerCallback', # 0x24a 'NtUserVkKeyScanEx', # 0x24b 'NtUserWaitForInputIdle', # 0x24c 'NtUserWaitForMsgAndEvent', # 0x24d 'NtUserWaitMessage', # 0x24e 
'NtUserWin32PoolAllocationStats', # 0x24f 'NtUserWindowFromPoint', # 0x250 'NtUserYieldTask', # 0x251 'NtUserRemoteConnect', # 0x252 'NtUserRemoteRedrawRectangle', # 0x253 'NtUserRemoteRedrawScreen', # 0x254 'NtUserRemoteStopScreenUpdates', # 0x255 'NtUserCtxDisplayIOCtl', # 0x256 'NtGdiEngAssociateSurface', # 0x257 'NtGdiEngCreateBitmap', # 0x258 'NtGdiEngCreateDeviceSurface', # 0x259 'NtGdiEngCreateDeviceBitmap', # 0x25a 'NtGdiEngCreatePalette', # 0x25b 'NtGdiEngComputeGlyphSet', # 0x25c 'NtGdiEngCopyBits', # 0x25d 'NtGdiEngDeletePalette', # 0x25e 'NtGdiEngDeleteSurface', # 0x25f 'NtGdiEngEraseSurface', # 0x260 'NtGdiEngUnlockSurface', # 0x261 'NtGdiEngLockSurface', # 0x262 'NtGdiEngBitBlt', # 0x263 'NtGdiEngStretchBlt', # 0x264 'NtGdiEngPlgBlt', # 0x265 'NtGdiEngMarkBandingSurface', # 0x266 'NtGdiEngStrokePath', # 0x267 'NtGdiEngFillPath', # 0x268 'NtGdiEngStrokeAndFillPath', # 0x269 'NtGdiEngPaint', # 0x26a 'NtGdiEngLineTo', # 0x26b 'NtGdiEngAlphaBlend', # 0x26c 'NtGdiEngGradientFill', # 0x26d 'NtGdiEngTransparentBlt', # 0x26e 'NtGdiEngTextOut', # 0x26f 'NtGdiEngStretchBltROP', # 0x270 'NtGdiXLATEOBJ_cGetPalette', # 0x271 'NtGdiXLATEOBJ_iXlate', # 0x272 'NtGdiXLATEOBJ_hGetColorTransform', # 0x273 'NtGdiCLIPOBJ_bEnum', # 0x274 'NtGdiCLIPOBJ_cEnumStart', # 0x275 'NtGdiCLIPOBJ_ppoGetPath', # 0x276 'NtGdiEngDeletePath', # 0x277 'NtGdiEngCreateClip', # 0x278 'NtGdiEngDeleteClip', # 0x279 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x27a 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x27b 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x27c 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x27d 'NtGdiXFORMOBJ_bApplyXform', # 0x27e 'NtGdiXFORMOBJ_iGetXform', # 0x27f 'NtGdiFONTOBJ_vGetInfo', # 0x280 'NtGdiFONTOBJ_pxoGetXform', # 0x281 'NtGdiFONTOBJ_cGetGlyphs', # 0x282 'NtGdiFONTOBJ_pifi', # 0x283 'NtGdiFONTOBJ_pfdg', # 0x284 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x285 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x286 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x287 'NtGdiSTROBJ_bEnum', # 0x288 'NtGdiSTROBJ_bEnumPositionsOnly', # 
0x289 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x28a 'NtGdiSTROBJ_vEnumStart', # 0x28b 'NtGdiSTROBJ_dwGetCodePage', # 0x28c 'NtGdiPATHOBJ_vGetBounds', # 0x28d 'NtGdiPATHOBJ_bEnum', # 0x28e 'NtGdiPATHOBJ_vEnumStart', # 0x28f 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x290 'NtGdiPATHOBJ_bEnumClipLines', # 0x291 'NtGdiGetDhpdev', # 0x292 'NtGdiEngCheckAbort', # 0x293 'NtGdiHT_Get8BPPFormatPalette', # 0x294 'NtGdiHT_Get8BPPMaskPalette', # 0x295 'NtGdiUpdateTransform', # 0x296 'NtGdiSetPUMPDOBJ', # 0x297 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x298 'NtGdiUMPDEngFreeUserMem', # 0x299 'NtGdiDrawStream', # 0x29a ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/vista_sp2_x64_vtypes.py0000644000000000000000000160322313131215405030762 0ustar rootrootntkrnlmp_types = { '_PNP_DEVICE_EVENT_ENTRY' : [ 0x90, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_CONFIGURATION_COMPONENT' : [ 0x28, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 
'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer64', ['unsigned char']]], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 
'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, 
{ 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', 
['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_202c' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_202e' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_202c']], 'Value' : [ 0x0, ['unsigned long long']], } ], 
'_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_202e']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_2040' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_2040']], 'ChildrenCount' : [ 0x4c, 
['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x18, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x28, ['pointer64', ['void']]], 'DosDeviceDriveIndex' : [ 0x30, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', 
['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x50, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 
'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_PPM_DIA_STATS' : [ 0xc, { 'PerfLevel' : [ 0x0, ['unsigned long']], 'IdleTime' : [ 0x4, ['unsigned long']], 'TimeInterval' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x50, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], 'LimitModifiedPages' : [ 0x48, ['unsigned char']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, 
['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_2097' : [ 0x10, { 'EndingOffset' : [ 0x0, 
['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_2099' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_209d' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_20a1' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_20a3' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_2097']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2099']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_209d']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_20a1']], 'Others' : [ 0x0, ['__unnamed_20a3']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x178, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : 
[ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, ['unsigned long long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x18, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x38, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x48, ['unsigned long']], 'NextCloneRange' : [ 0x50, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x58, ['unsigned long long']], 'LoaderMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x68, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x70, ['unsigned long long']], 'IoPages' : [ 0x78, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x80, ['unsigned long']], 'CurrentMcb' : [ 0x88, ['pointer64', ['void']]], 'DumpStack' : [ 0x90, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x98, ['pointer64', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0xa0, ['unsigned long long']], 'HiberPte' : [ 0xa8, ['_LARGE_INTEGER']], 'Status' : [ 0xb0, ['long']], 'MemoryImage' : [ 0xb8, ['pointer64', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0xc0, ['pointer64', ['_PO_MEMORY_RANGE_TABLE']]], 'CompressionWorkspace' : [ 0xc8, ['pointer64', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0xd0, ['pointer64', ['unsigned char']]], 'PerformanceStats' : [ 0xd8, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xe0, ['pointer64', ['void']]], 'DmaIO' : [ 0xe8, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0xf0, ['pointer64', ['void']]], 'PerfInfo' : [ 0xf8, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0x158, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0x160, ['pointer64', ['_MDL']]], 'ResumeContext' : [ 0x168, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x170, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } 
], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x40, { 'ThreadHandle' : [ 0x0, ['pointer64', ['void']]], 'ThreadId' : [ 0x8, ['pointer64', ['void']]], 'ProcessId' : [ 0x10, ['pointer64', ['void']]], 'Code' : [ 0x18, ['unsigned long']], 'Parameter1' : [ 0x20, ['unsigned long long']], 'Parameter2' : [ 0x28, ['unsigned long long']], 'Parameter3' : [ 0x30, ['unsigned long long']], 'Parameter4' : [ 0x38, ['unsigned long long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x10, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'ImageMerge' : [ 0x8, ['pointer64', ['void']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : 
[ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS' : [ 0x8, { 'ProcessorType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'InstructionSet' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Operation' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Flags' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Level' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'CPUVersion' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CPUBrandString' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'ProcessorId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'TargetAddress' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InstructionPointer' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_20cd' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' 
: [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_20cd']], } ], '__unnamed_20d1' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_20d1']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0x138, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 
0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'TotalPages' : [ 0x60, ['unsigned long long']], 'FirstTablePage' : [ 0x68, ['unsigned long long']], 'PerfInfo' : [ 0x70, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xd0, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xd8, ['array', 1, ['unsigned long long']]], 'NoBootLoaderLogPages' : [ 0xe0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xe8, ['array', 8, ['unsigned long long']]], 'NotUsed' : [ 0x128, ['unsigned long']], 'ResumeContextCheck' : [ 0x12c, ['unsigned long']], 'ResumeContextPages' : [ 0x130, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned 
long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, ['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x10, { 'Entry' : [ 0x0, ['unsigned long long']], 'Writable' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' 
: [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '__unnamed_20f0' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_20f2' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20f4' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20f6' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_20f8' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_20fa' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_20fc' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 
'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20fe' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_2100' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2102' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 'Data' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '__unnamed_2104' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_20f0']], 'TargetDevice' : [ 0x0, ['__unnamed_20f2']], 'InstallDevice' : [ 0x0, ['__unnamed_20f4']], 'CustomNotification' : [ 0x0, ['__unnamed_20f6']], 'ProfileNotification' : [ 0x0, ['__unnamed_20f8']], 'PowerNotification' : [ 0x0, ['__unnamed_20fa']], 'VetoNotification' : [ 0x0, ['__unnamed_20fc']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20fe']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_2100']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_2102']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_2104']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x40, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0x10, ['pointer64', ['unsigned char']]], 
'PciDeviceId' : [ 0x18, ['unsigned short']], 'PciVendorId' : [ 0x1a, ['unsigned short']], 'PciBusNumber' : [ 0x1c, ['unsigned char']], 'PciBusSegment' : [ 0x1e, ['unsigned short']], 'PciSlotNumber' : [ 0x20, ['unsigned char']], 'PciFunctionNumber' : [ 0x21, ['unsigned char']], 'PciFlags' : [ 0x24, ['unsigned long']], 'SystemGUID' : [ 0x28, ['_GUID']], 'IsMMIODevice' : [ 0x38, ['unsigned char']], 'TerminalType' : [ 0x39, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_2117' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2119' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_211b' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2117']], 'Gpt' : [ 0x0, ['__unnamed_2119']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_211b']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x48, { 
'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Hint' : [ 0x10, ['unsigned long']], 'BasePte' : [ 0x18, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'Vm' : [ 0x28, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x30, ['long']], 'TotalFreeSystemPtes' : [ 0x34, ['long']], 'CachedPteCount' : [ 0x38, ['long']], 'PteFailures' : [ 0x3c, ['unsigned long']], 'GlobalMutex' : [ 0x40, ['pointer64', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x20, { 'DHCPServerACK' : [ 0x0, ['pointer64', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x8, ['unsigned long']], 'BootServerReplyPacket' : [ 0x10, ['pointer64', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0x18, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x250, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 
0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_PO_MEMORY_RANGE_TABLE' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', 
['_PO_MEMORY_RANGE_TABLE']]], 'NextTable' : [ 0x8, ['unsigned long long']], 'EntryCount' : [ 0x10, ['unsigned long']], 'Range' : [ 0x18, ['array', 1, ['_PO_MEMORY_RANGE']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '__unnamed_214b' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_214f' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_214b']], 'Bits' : [ 0x4, ['__unnamed_214f']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 
0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_PO_MEMORY_RANGE' : [ 0x10, { 'StartPage' : [ 0x0, ['unsigned long long']], 'EndPage' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_101f' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_101f']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1024' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1024']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_103d' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_103f' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_103d']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_103f']], } ], '_TP_TASK_CALLBACKS' : [ 0x10, { 'ExecuteCallback' : [ 0x0, ['pointer64', ['void']]], 'Unposted' : [ 0x8, ['pointer64', ['void']]], } ], '_TP_TASK' : [ 0x8, { 'Callbacks' : [ 0x0, ['pointer64', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x8, { 'Callback' : [ 0x0, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_KPRCB' : [ 0x3b20, { 'MxCsr' : [ 0x0, ['unsigned long']], 'Number' : [ 
0x4, ['unsigned short']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'Group' : [ 0x21, ['unsigned char']], 'PrcbPad00' : [ 0x22, ['array', 6, ['unsigned char']]], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'SetMember' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, ['unsigned long']], 'PrcbPad01' : [ 0x658, ['array', 3, ['unsigned long long']]], 'LockQueue' : [ 0x670, ['array', 49, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x980, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0xa80, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1680, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2280, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2288, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2290, ['long']], 'MmCopyOnWriteCount' : [ 0x2294, ['long']], 
'MmTransitionCount' : [ 0x2298, ['long']], 'MmDemandZeroCount' : [ 0x229c, ['long']], 'MmPageReadCount' : [ 0x22a0, ['long']], 'MmPageReadIoCount' : [ 0x22a4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x22a8, ['long']], 'MmDirtyWriteIoCount' : [ 0x22ac, ['long']], 'MmMappedPagesWriteCount' : [ 0x22b0, ['long']], 'MmMappedWriteIoCount' : [ 0x22b4, ['long']], 'KeSystemCalls' : [ 0x22b8, ['unsigned long']], 'KeContextSwitches' : [ 0x22bc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x22c0, ['unsigned long']], 'CcFastReadWait' : [ 0x22c4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x22c8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x22cc, ['unsigned long']], 'CcCopyReadWait' : [ 0x22d0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x22d4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x22d8, ['long']], 'IoReadOperationCount' : [ 0x22dc, ['long']], 'IoWriteOperationCount' : [ 0x22e0, ['long']], 'IoOtherOperationCount' : [ 0x22e4, ['long']], 'IoReadTransferCount' : [ 0x22e8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x22f0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x22f8, ['_LARGE_INTEGER']], 'TargetSet' : [ 0x2300, ['unsigned long long']], 'IpiFrozen' : [ 0x2308, ['unsigned long']], 'PrcbPad3' : [ 0x230c, ['array', 116, ['unsigned char']]], 'RequestMailbox' : [ 0x2380, ['array', 64, ['_REQUEST_MAILBOX']]], 'SenderSummary' : [ 0x3380, ['unsigned long long']], 'PrcbPad4' : [ 0x3388, ['array', 120, ['unsigned char']]], 'DpcData' : [ 0x3400, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x3440, ['pointer64', ['void']]], 'SparePtr0' : [ 0x3448, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x3450, ['long']], 'DpcRequestRate' : [ 0x3454, ['unsigned long']], 'MinimumDpcRate' : [ 0x3458, ['unsigned long']], 'DpcInterruptRequested' : [ 0x345c, ['unsigned char']], 'DpcThreadRequested' : [ 0x345d, ['unsigned char']], 'DpcRoutineActive' : [ 0x345e, ['unsigned char']], 'DpcThreadActive' : [ 0x345f, ['unsigned char']], 'TimerHand' : [ 0x3460, ['unsigned long 
long']], 'TimerRequest' : [ 0x3460, ['unsigned long long']], 'TickOffset' : [ 0x3468, ['long']], 'MasterOffset' : [ 0x346c, ['long']], 'DpcLastCount' : [ 0x3470, ['unsigned long']], 'ThreadDpcEnable' : [ 0x3474, ['unsigned char']], 'QuantumEnd' : [ 0x3475, ['unsigned char']], 'PrcbPad50' : [ 0x3476, ['unsigned char']], 'IdleSchedule' : [ 0x3477, ['unsigned char']], 'DpcSetEventRequest' : [ 0x3478, ['long']], 'KeExceptionDispatchCount' : [ 0x347c, ['unsigned long']], 'DpcEvent' : [ 0x3480, ['_KEVENT']], 'PrcbPad51' : [ 0x3498, ['pointer64', ['void']]], 'CallDpc' : [ 0x34a0, ['_KDPC']], 'ClockKeepAlive' : [ 0x34e0, ['long']], 'ClockCheckSlot' : [ 0x34e4, ['unsigned char']], 'ClockPollCycle' : [ 0x34e5, ['unsigned char']], 'PrcbPad6' : [ 0x34e6, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x34e8, ['long']], 'DpcWatchdogCount' : [ 0x34ec, ['long']], 'PrcbPad70' : [ 0x34f0, ['array', 2, ['unsigned long long']]], 'WaitListHead' : [ 0x3500, ['_LIST_ENTRY']], 'WaitLock' : [ 0x3510, ['unsigned long long']], 'ReadySummary' : [ 0x3518, ['unsigned long']], 'QueueIndex' : [ 0x351c, ['unsigned long']], 'PrcbPad71' : [ 0x3520, ['array', 12, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x3580, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x3780, ['unsigned long']], 'KernelTime' : [ 0x3784, ['unsigned long']], 'UserTime' : [ 0x3788, ['unsigned long']], 'DpcTime' : [ 0x378c, ['unsigned long']], 'InterruptTime' : [ 0x3790, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x3794, ['unsigned long']], 'SkipTick' : [ 0x3798, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x3799, ['unsigned char']], 'PollSlot' : [ 0x379a, ['unsigned char']], 'PrcbPad80' : [ 0x379b, ['array', 5, ['unsigned char']]], 'DpcTimeCount' : [ 0x37a0, ['unsigned long']], 'DpcTimeLimit' : [ 0x37a4, ['unsigned long']], 'PeriodicCount' : [ 0x37a8, ['unsigned long']], 'PeriodicBias' : [ 0x37ac, ['unsigned long']], 'PrcbPad81' : [ 0x37b0, ['array', 2, ['unsigned long long']]], 'ParentNode' : [ 
0x37c0, ['pointer64', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x37c8, ['unsigned long long']], 'MultiThreadSetMaster' : [ 0x37d0, ['pointer64', ['_KPRCB']]], 'StartCycles' : [ 0x37d8, ['unsigned long long']], 'MmSpinLockOrdering' : [ 0x37e0, ['long']], 'PageColor' : [ 0x37e4, ['unsigned long']], 'NodeColor' : [ 0x37e8, ['unsigned long']], 'NodeShiftedColor' : [ 0x37ec, ['unsigned long']], 'SecondaryColorMask' : [ 0x37f0, ['unsigned long']], 'Sleeping' : [ 0x37f4, ['long']], 'CycleTime' : [ 0x37f8, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x3800, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x3804, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x3808, ['unsigned long']], 'CcMapDataNoWait' : [ 0x380c, ['unsigned long']], 'CcMapDataWait' : [ 0x3810, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x3814, ['unsigned long']], 'CcPinReadNoWait' : [ 0x3818, ['unsigned long']], 'CcPinReadWait' : [ 0x381c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x3820, ['unsigned long']], 'CcMdlReadWait' : [ 0x3824, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x3828, ['unsigned long']], 'CcLazyWriteIos' : [ 0x382c, ['unsigned long']], 'CcLazyWritePages' : [ 0x3830, ['unsigned long']], 'CcDataFlushes' : [ 0x3834, ['unsigned long']], 'CcDataPages' : [ 0x3838, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x383c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x3840, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x3844, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x3848, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x384c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x3850, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x3854, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x3858, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x385c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x3860, ['unsigned long']], 'CcReadAheadIos' : [ 0x3864, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x3868, ['long']], 'MmCacheReadCount' : [ 0x386c, ['long']], 'MmCacheIoCount' : [ 
0x3870, ['long']], 'PrcbPad91' : [ 0x3874, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x3880, ['_PROCESSOR_POWER_STATE']], 'KeAlignmentFixupCount' : [ 0x3998, ['unsigned long']], 'VendorString' : [ 0x399c, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x39a9, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x39ac, ['unsigned long']], 'UpdateSignature' : [ 0x39b0, ['_LARGE_INTEGER']], 'DpcWatchdogDpc' : [ 0x39b8, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x39f8, ['_KTIMER']], 'Cache' : [ 0x3a38, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3a74, ['unsigned long']], 'CachedCommit' : [ 0x3a78, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3a7c, ['unsigned long']], 'HyperPte' : [ 0x3a80, ['pointer64', ['void']]], 'WheaInfo' : [ 0x3a88, ['pointer64', ['void']]], 'EtwSupport' : [ 0x3a90, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x3aa0, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x3ab0, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x3ac0, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x3ac8, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x3ad0, ['pointer64', ['unsigned long long']]], 'RateControl' : [ 0x3ad8, ['pointer64', ['void']]], 'CacheProcessorMask' : [ 0x3ae0, ['array', 5, ['unsigned long long']]], 'PackageProcessorSet' : [ 0x3b08, ['unsigned long long']], 'CoreProcessorSet' : [ 0x3b10, ['unsigned long long']], } ], '_KTHREAD' : [ 0x330, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'ApcState' : [ 0x48, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x48, ['array', 43, ['unsigned char']]], 'Priority' : [ 0x73, ['unsigned char']], 'NextProcessor' : [ 0x74, ['unsigned short']], 'DeferredProcessor' : [ 0x76, ['unsigned short']], 
'ApcQueueLock' : [ 0x78, ['unsigned long long']], 'WaitStatus' : [ 0x80, ['long long']], 'WaitBlockList' : [ 0x88, ['pointer64', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x88, ['pointer64', ['_KGATE']]], 'KernelStackResident' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x90, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x90, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x90, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x90, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x90, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x90, ['long']], 'WaitReason' : [ 0x94, ['unsigned char']], 'SwapBusy' : [ 0x95, ['unsigned char']], 'Alerted' : [ 0x96, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x98, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x98, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa8, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb0, ['pointer64', ['void']]], 'Timer' : [ 0xb8, ['_KTIMER']], 'TimerFill' : [ 0xb8, ['array', 60, ['unsigned char']]], 'AutoAlignment' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned long')]], 'CycleChargePending' : [ 0xf4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xf4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xf4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xf4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xf4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xf4, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xf4, ['long']], 'WaitBlock' : [ 0xf8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xf8, ['array', 43, ['unsigned char']]], 'IdealProcessor' : [ 0x123, ['unsigned char']], 'WaitBlockFill1' : [ 0xf8, ['array', 91, ['unsigned char']]], 'PreviousMode' : [ 0x153, ['unsigned char']], 'WaitBlockFill2' : [ 0xf8, ['array', 139, ['unsigned char']]], 'ResourceIndex' : [ 0x183, ['unsigned char']], 'WaitBlockFill3' : [ 0xf8, ['array', 187, ['unsigned char']]], 'LargeStack' : [ 0x1b3, ['unsigned char']], 'WaitBlockFill4' : [ 0xf8, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x124, ['unsigned long']], 'WaitBlockFill5' : [ 0xf8, ['array', 92, ['unsigned char']]], 'State' : [ 0x154, ['unsigned char']], 'NpxState' : [ 0x155, ['unsigned char']], 'WaitIrql' : [ 0x156, ['unsigned char']], 'WaitMode' : [ 0x157, ['unsigned char']], 'WaitBlockFill6' : [ 0xf8, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x184, ['unsigned long']], 'WaitBlockFill7' : [ 0xf8, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1b4, ['short']], 'SpecialApcDisable' : [ 0x1b6, ['short']], 'CombinedApcDisable' : [ 0x1b4, ['unsigned long']], 'QueueListEntry' : [ 0x1b8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1c8, ['pointer64', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x1d0, ['pointer64', ['void']]], 'CallbackStack' 
: [ 0x1d8, ['pointer64', ['void']]], 'CallbackDepth' : [ 0x1d8, ['unsigned long long']], 'ApcStateIndex' : [ 0x1e0, ['unsigned char']], 'BasePriority' : [ 0x1e1, ['unsigned char']], 'PriorityDecrement' : [ 0x1e2, ['unsigned char']], 'Preempted' : [ 0x1e3, ['unsigned char']], 'AdjustReason' : [ 0x1e4, ['unsigned char']], 'AdjustIncrement' : [ 0x1e5, ['unsigned char']], 'Spare01' : [ 0x1e6, ['unsigned char']], 'Saturation' : [ 0x1e7, ['unsigned char']], 'SystemCallNumber' : [ 0x1e8, ['unsigned long']], 'FreezeCount' : [ 0x1ec, ['unsigned long']], 'UserAffinity' : [ 0x1f0, ['unsigned long long']], 'Process' : [ 0x1f8, ['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x200, ['unsigned long long']], 'ApcStatePointer' : [ 0x208, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x218, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x218, ['array', 43, ['unsigned char']]], 'Spare02' : [ 0x243, ['unsigned char']], 'SuspendCount' : [ 0x244, ['unsigned char']], 'UserIdealProcessor' : [ 0x245, ['unsigned char']], 'Spare03' : [ 0x246, ['unsigned char']], 'CodePatchInProgress' : [ 0x247, ['unsigned char']], 'Win32Thread' : [ 0x248, ['pointer64', ['void']]], 'StackBase' : [ 0x250, ['pointer64', ['void']]], 'SuspendApc' : [ 0x258, ['_KAPC']], 'SuspendApcFill0' : [ 0x258, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x259, ['unsigned char']], 'SuspendApcFill1' : [ 0x258, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x25b, ['unsigned char']], 'SuspendApcFill2' : [ 0x258, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x25c, ['unsigned long']], 'SuspendApcFill3' : [ 0x258, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x298, ['pointer64', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x258, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2a0, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x258, ['array', 83, ['unsigned char']]], 'PowerState' : [ 0x2ab, ['unsigned char']], 'UserTime' : [ 0x2ac, ['unsigned long']], 'SuspendSemaphore' : [ 0x2b0, 
['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2b0, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2cc, ['unsigned long']], 'ThreadListEntry' : [ 0x2d0, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x2e0, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x2f0, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x2f8, ['long long']], 'WriteOperationCount' : [ 0x300, ['long long']], 'OtherOperationCount' : [ 0x308, ['long long']], 'ReadTransferCount' : [ 0x310, ['long long']], 'WriteTransferCount' : [ 0x318, ['long long']], 'OtherTransferCount' : [ 0x320, ['long long']], 'MdlForLockedTeb' : [ 0x328, ['pointer64', ['void']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x250, { 'XmmSaveArea' : [ 0x0, ['_XMM_SAVE_AREA32']], 'Current' : [ 0x200, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x228, ['_KERNEL_STACK_SEGMENT']], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '__unnamed_1119' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, native_type='unsigned long long')]], 'Region' : [ 0x8, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_111e' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, 
native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1121' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_1119']], 'Header16' : [ 0x0, ['__unnamed_111e']], 'HeaderX64' : [ 0x0, ['__unnamed_1121']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : 
[ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_ETHREAD' : [ 0x450, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x330, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x338, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x338, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x348, ['long']], 'OfsChain' : [ 0x348, ['pointer64', ['void']]], 'PostBlockList' : [ 0x350, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x350, ['pointer64', ['void']]], 'StartAddress' : [ 0x358, ['pointer64', ['void']]], 'TerminationPort' : [ 0x360, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x360, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x360, ['pointer64', ['void']]], 'Win32StartParameter' : [ 0x360, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x368, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x370, ['_LIST_ENTRY']], 'Cid' : [ 0x380, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3b0, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3b8, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3c8, ['unsigned long long']], 'DeviceToVerify' : [ 0x3d0, ['pointer64', ['_DEVICE_OBJECT']]], 'RateControlApc' : [ 0x3d8, ['pointer64', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x3e0, ['pointer64', ['void']]], 'SparePtr0' : [ 0x3e8, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x3f0, 
['_LIST_ENTRY']], 'RundownProtect' : [ 0x400, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x408, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x410, ['unsigned long']], 'MmLockOrdering' : [ 0x414, ['long']], 'CrossThreadFlags' : [ 0x418, ['unsigned long']], 'Terminated' : [ 0x418, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x418, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x418, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x418, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x418, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x418, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x418, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x418, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x418, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x418, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x418, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x418, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x418, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x41c, ['unsigned long']], 'ActiveExWorker' : [ 0x41c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x41c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x41c, ['BitField', dict(start_bit = 2, end_bit 
= 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x41c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x41c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x41c, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x41c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x420, ['unsigned long']], 'Spare' : [ 0x420, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x420, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x420, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x421, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x421, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x421, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x421, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x421, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x421, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x421, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x421, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x422, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x423, ['unsigned char']], 'CacheManagerActive' : [ 0x424, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x425, ['unsigned char']], 'ActiveFaultCount' : [ 0x426, ['unsigned char']], 'AlpcMessageId' : [ 0x428, ['unsigned long long']], 'AlpcMessage' : [ 0x430, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x430, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x438, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x448, ['unsigned long']], } ], '_EPROCESS' : [ 0x3e8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xc0, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xc8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xd0, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xd8, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xe0, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0xe8, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xf8, ['array', 3, ['unsigned long long']]], 'QuotaPeak' : [ 0x110, ['array', 3, ['unsigned long long']]], 'CommitCharge' : [ 0x128, ['unsigned long long']], 'PeakVirtualSize' : [ 0x130, ['unsigned long long']], 'VirtualSize' : [ 0x138, ['unsigned long long']], 'SessionProcessLinks' : [ 0x140, ['_LIST_ENTRY']], 'DebugPort' : [ 0x150, ['pointer64', ['void']]], 'ExceptionPortData' : [ 0x158, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x158, ['unsigned long long']], 'ExceptionPortState' : [ 0x158, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'ObjectTable' : [ 0x160, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x168, 
['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x170, ['unsigned long long']], 'AddressCreationLock' : [ 0x178, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x180, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x188, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x190, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x198, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x1a0, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x1a8, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x1b0, ['unsigned long long']], 'Win32Process' : [ 0x1b8, ['pointer64', ['void']]], 'Job' : [ 0x1c0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x1c8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x1d0, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x1d8, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x1e0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x1e8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x1f0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x1f8, ['pointer64', ['void']]], 'Spare' : [ 0x200, ['pointer64', ['void']]], 'VdmObjects' : [ 0x208, ['pointer64', ['void']]], 'DeviceMap' : [ 0x210, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x218, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x220, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x228, ['_HARDWARE_PTE']], 'Filler' : [ 0x228, ['unsigned long long']], 'Session' : [ 0x230, ['pointer64', ['void']]], 'ImageFileName' : [ 0x238, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x248, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x258, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x260, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x270, ['pointer64', ['void']]], 'Wow64Process' : [ 0x278, ['pointer64', ['void']]], 'ActiveThreads' : [ 0x280, ['unsigned long']], 'ImagePathHash' : [ 0x284, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x288, ['unsigned long']], 'LastThreadExitStatus' : [ 0x28c, ['long']], 'Peb' : [ 0x290, ['pointer64', ['_PEB']]], 
'PrefetchTrace' : [ 0x298, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x2a0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x2a8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x2b0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x2b8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x2c0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x2c8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x2d0, ['unsigned long long']], 'CommitChargePeak' : [ 0x2d8, ['unsigned long long']], 'AweInfo' : [ 0x2e0, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x2e8, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x2f0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x358, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x368, ['unsigned long']], 'Flags2' : [ 0x36c, ['unsigned long']], 'JobNotReallyActive' : [ 0x36c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x36c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x36c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x36c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x36c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x36c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x36c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x36c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x36c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 
0x36c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x36c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x36c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x36c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x36c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x36c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x36c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x36c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Flags' : [ 0x370, ['unsigned long']], 'CreateReported' : [ 0x370, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x370, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x370, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x370, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x370, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x370, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x370, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x370, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x370, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x370, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : 
[ 0x370, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x370, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x370, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x370, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x370, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x370, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x370, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x370, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x370, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x370, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x370, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x370, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x370, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x370, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x370, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x370, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SpareProcessFlags' : [ 0x370, ['BitField', 
dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x374, ['long']], 'Spare7' : [ 0x378, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x37a, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x37b, ['unsigned char']], 'SubSystemVersion' : [ 0x37a, ['unsigned short']], 'PriorityClass' : [ 0x37c, ['unsigned char']], 'VadRoot' : [ 0x380, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x3c0, ['unsigned long']], 'AlpcContext' : [ 0x3c8, ['_ALPC_PROCESS_CONTEXT']], } ], '__unnamed_11eb' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_11eb']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '__unnamed_11f9' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_11fe' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1200' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_11fe']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_120b' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, 
['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_120d' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_120b']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_11f9']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_1200']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_120d']], } ], '__unnamed_1213' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1217' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned 
short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_121b' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_121d' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1221' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 
'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1223' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_1225' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 
'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], } ], '__unnamed_1227' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 
'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1229' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_122b' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_122f' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_1231' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1233' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1235' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], 
'__unnamed_1237' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1239' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_123d' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_1241' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1245' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1249' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_1250' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1254' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1258' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_125a' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_125c' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1260' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1264' : [ 0x10, { 
'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1268' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_126c' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1270' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1278' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_127c' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_127e' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1280' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 
0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1282' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1213']], 'CreatePipe' : [ 0x0, ['__unnamed_1217']], 'CreateMailslot' : [ 0x0, ['__unnamed_121b']], 'Read' : [ 0x0, ['__unnamed_121d']], 'Write' : [ 0x0, ['__unnamed_121d']], 'QueryDirectory' : [ 0x0, ['__unnamed_1221']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1223']], 'QueryFile' : [ 0x0, ['__unnamed_1225']], 'SetFile' : [ 0x0, ['__unnamed_1227']], 'QueryEa' : [ 0x0, ['__unnamed_1229']], 'SetEa' : [ 0x0, ['__unnamed_122b']], 'QueryVolume' : [ 0x0, ['__unnamed_122f']], 'SetVolume' : [ 0x0, ['__unnamed_122f']], 'FileSystemControl' : [ 0x0, ['__unnamed_1231']], 'LockControl' : [ 0x0, ['__unnamed_1233']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1235']], 'QuerySecurity' : [ 0x0, ['__unnamed_1237']], 'SetSecurity' : [ 0x0, ['__unnamed_1239']], 'MountVolume' : [ 0x0, ['__unnamed_123d']], 'VerifyVolume' : [ 0x0, ['__unnamed_123d']], 'Scsi' : [ 0x0, ['__unnamed_1241']], 'QueryQuota' : [ 0x0, ['__unnamed_1245']], 'SetQuota' : [ 0x0, ['__unnamed_122b']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1249']], 'QueryInterface' : [ 0x0, ['__unnamed_1250']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1254']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1258']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_125a']], 'SetLock' : [ 0x0, ['__unnamed_125c']], 'QueryId' : [ 0x0, ['__unnamed_1260']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1264']], 'UsageNotification' : [ 0x0, ['__unnamed_1268']], 'WaitWake' : [ 0x0, ['__unnamed_126c']], 'PowerSequence' : [ 0x0, ['__unnamed_1270']], 'Power' : [ 0x0, ['__unnamed_1278']], 'StartDevice' : [ 0x0, ['__unnamed_127c']], 'WMI' : [ 0x0, ['__unnamed_127e']], 'Others' : [ 0x0, ['__unnamed_1280']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 
'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_1282']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Type' : [ 0x10, ['pointer64', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0x18, ['unsigned char']], 'HandleInfoOffset' : [ 0x19, ['unsigned char']], 'QuotaInfoOffset' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', 
['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'QueryReferences' : [ 0x18, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, 
['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_PF_HARD_FAULT_INFO' : [ 0x38, { 'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']], 'HardFaultEvent' : [ 0x10, 
['_PERFINFO_HARDPAGEFAULT_INFORMATION']], 'IoTimeInTicks' : [ 0x30, ['_LARGE_INTEGER']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '__unnamed_132c' : [ 0xd0, { 'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']], 'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']], 'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']], 'PciExpressError' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR']], 'PciXBusError' : [ 0x0, ['_WHEA_PCIXBUS_ERROR']], 'PciXDeviceError' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR']], } ], '_WHEA_ERROR_PACKET' : [ 0x119, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['_WHEA_ERROR_PACKET_FLAGS']], 'Size' : [ 0x8, ['unsigned long']], 'RawDataLength' : [ 0xc, ['unsigned long']], 'Reserved1' : [ 0x10, ['unsigned long long']], 'Context' : [ 0x18, ['unsigned long long']], 'ErrorType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ErrorSourceId' : [ 0x28, ['unsigned long']], 'ErrorSourceType' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 
'Reserved2' : [ 0x30, ['unsigned long']], 'Version' : [ 0x34, ['unsigned long']], 'Cpu' : [ 0x38, ['unsigned long long']], 'u' : [ 0x40, ['__unnamed_132c']], 'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaRawDataFormatIPFSalRecord', 1: 'WheaRawDataFormatIA32MCA', 2: 'WheaRawDataFormatIntel64MCA', 3: 'WheaRawDataFormatAMD64MCA', 4: 'WheaRawDataFormatMemory', 5: 'WheaRawDataFormatPCIExpress', 6: 'WheaRawDataFormatNMIPort', 7: 'WheaRawDataFormatPCIXBus', 8: 'WheaRawDataFormatPCIXDevice', 9: 'WheaRawDataFormatGeneric', 10: 'WheaRawDataFormatMax'})]], 'RawDataOffset' : [ 0x114, ['unsigned long']], 'RawData' : [ 0x118, ['array', 1, ['unsigned char']]], } ], '_KPROCESS' : [ 0xc0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'Unused0' : [ 0x30, ['unsigned long long']], 'IopmOffset' : [ 0x38, ['unsigned short']], 'ActiveProcessors' : [ 0x40, ['unsigned long long']], 'KernelTime' : [ 0x48, ['unsigned long']], 'UserTime' : [ 0x4c, ['unsigned long']], 'ReadyListHead' : [ 0x50, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'InstrumentationCallback' : [ 0x68, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x70, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x80, ['unsigned long long']], 'Affinity' : [ 0x88, ['unsigned long long']], 'AutoAlignment' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x90, ['long']], 'BasePriority' : [ 0x94, ['unsigned char']], 'QuantumReset' : [ 0x95, ['unsigned char']], 'State' : [ 0x96, ['unsigned char']], 'ThreadSeed' : [ 0x97, ['unsigned char']], 'PowerState' : [ 
0x98, ['unsigned char']], 'IdealNode' : [ 0x99, ['unsigned char']], 'Visited' : [ 0x9a, ['unsigned char']], 'Flags' : [ 0x9b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x9b, ['unsigned char']], 'StackCount' : [ 0xa0, ['unsigned long long']], 'ProcessListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'CycleTime' : [ 0xb8, ['unsigned long long']], } ], '__unnamed_13ec' : [ 0x10, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0xe8, { 'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x10, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x20, ['_LIST_ENTRY']], 'KernelStack' : [ 0x30, ['unsigned long long']], 'Prcb' : [ 0x38, ['unsigned long long']], 'Process' : [ 0x40, ['unsigned long long']], 'Thread' : [ 0x48, ['unsigned long long']], 'RegistryLength' : [ 0x50, ['unsigned long']], 'RegistryBase' : [ 0x58, ['pointer64', ['void']]], 'ConfigurationRoot' : [ 0x60, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x68, ['pointer64', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x70, ['pointer64', ['unsigned char']]], 'NtBootPathName' : [ 0x78, ['pointer64', ['unsigned char']]], 'NtHalPathName' : [ 0x80, ['pointer64', ['unsigned char']]], 'LoadOptions' : [ 0x88, ['pointer64', ['unsigned char']]], 'NlsData' : [ 0x90, ['pointer64', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x98, ['pointer64', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0xa0, ['pointer64', ['void']]], 'SetupLoaderBlock' : [ 0xa8, ['pointer64', ['_SETUP_LOADER_BLOCK']]], 'Extension' : [ 0xb0, ['pointer64', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0xb8, ['__unnamed_13ec']], 'FirmwareInformation' : [ 0xc8, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '__unnamed_1409' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'HardLarge' : [ 0x0, 
['_MMPTE_HARDWARE_LARGEPAGE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1409']], } ], '__unnamed_1418' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_141a' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_141e' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1420' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ByteFlags' : [ 0x2, ['unsigned char']], 'InterlockedByteFlags' : [ 0x3, ['unsigned char']], } ], '__unnamed_1422' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_141e']], 'e3' : [ 0x0, ['__unnamed_1420']], } ], '__unnamed_142a' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 52, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 
'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_1418']], 'u2' : [ 0x8, ['__unnamed_141a']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'u3' : [ 0x18, ['__unnamed_1422']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned short']], 'VaType' : [ 0x1e, ['unsigned char']], 'ViewCount' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_142a']], } ], '_MMPTE_FLUSH_LIST' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned long']], 'MaximumCount' : [ 0x4, ['unsigned long']], 'FlushVa' : [ 0x8, ['array', 20, ['pointer64', ['void']]]], } ], '_MI_COLOR_BASE' : [ 0x10, { 'ColorPointer' : [ 0x0, ['pointer64', ['unsigned short']]], 'ColorMask' : [ 0x8, ['unsigned short']], 'ColorNode' : [ 0xa, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x68, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimStamp' : [ 0x10, ['unsigned short']], 'NextPageColor' : [ 0x12, ['unsigned short']], 'Flags' : [ 0x14, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x18, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x1c, ['unsigned long']], 'ChargedWslePages' : [ 0x20, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x24, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x28, ['unsigned long']], 'VmWorkingSetList' : [ 0x30, ['pointer64', ['_MMWSL']]], 'Claim' : [ 0x38, ['unsigned long']], 'ActualWslePages' : [ 0x3c, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x40, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'ExitGate' : [ 0x50, ['pointer64', ['_KGATE']]], 'WorkingSetMutex' : [ 0x58, ['_EX_PUSH_LOCK']], 'AccessLog' : [ 0x60, ['pointer64', ['void']]], } ], '__unnamed_144e' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' 
: [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_144e']], } ], '_MMWSL' : [ 0x498, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x18, ['pointer64', ['void']]], 'LastInitializedWsle' : [ 0x20, ['unsigned long']], 'NextEstimationSlot' : [ 0x24, ['unsigned long']], 'NextAgingSlot' : [ 0x28, ['unsigned long']], 'EstimatedAvailable' : [ 0x2c, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x30, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x34, ['unsigned long']], 'VadBitMapHint' : [ 0x38, ['unsigned long']], 'NonDirectCount' : [ 0x3c, ['unsigned long']], 'LastVadBit' : [ 0x40, ['unsigned long']], 'MaximumLastVadBit' : [ 0x44, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x48, ['unsigned long']], 'LastAllocationSize' : [ 0x4c, ['unsigned long']], 'NonDirectHash' : [ 0x50, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x58, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x60, ['pointer64', ['_MMWSLE_HASH']]], 'HighestUserAddress' : [ 0x68, ['pointer64', ['void']]], 'MaximumUserPageTablePages' : [ 0x70, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x74, ['unsigned long']], 'CommittedPageTables' : [ 0x78, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x80, ['unsigned long']], 'CommittedPageDirectories' : [ 0x88, ['array', 128, ['unsigned long long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x488, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x490, ['array', 1, ['unsigned long long']]], } ], '__unnamed_1468' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_146a' : [ 0x4, { 'ModifiedWriteCount' : [ 0x0, ['unsigned short']], 'FlushInProgressCount' 
: [ 0x2, ['unsigned short']], } ], '__unnamed_146c' : [ 0x4, { 'e2' : [ 0x0, ['__unnamed_146a']], } ], '__unnamed_1476' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1478' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1476']], } ], '_CONTROL_AREA' : [ 0x70, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_1468']], 'u1' : [ 0x3c, ['__unnamed_146c']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'StartingFrame' : [ 0x4c, ['unsigned long']], 'WaitingForDeletion' : [ 0x50, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x58, ['__unnamed_1478']], 'LockedPages' : [ 0x68, ['long long']], } ], '_MMPAGING_FILE' : [ 0xa0, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'File' : [ 0x30, ['pointer64', 
['_FILE_OBJECT']]], 'Entry' : [ 0x38, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x48, ['_UNICODE_STRING']], 'Bitmap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x60, ['unsigned long']], 'LastAllocationSize' : [ 0x64, ['unsigned long']], 'PageFileNumber' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x6a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x6a, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x70, ['pointer64', ['void']]], 'AvailableList' : [ 0x80, ['_SLIST_HEADER']], 'NeedProcessingList' : [ 0x90, ['_SLIST_HEADER']], } ], '_MMPAGING_FILE_FREE_ENTRY' : [ 0x10, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'FreeBit' : [ 0x8, ['unsigned long']], } ], '__unnamed_14ab' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_14ae' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_14b1' : [ 0x8, { 'LongFlags3' : [ 0x0, ['unsigned long long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x40, { 'u1' : [ 0x0, ['__unnamed_14ab']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14ae']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b1']], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, 
end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '__unnamed_14bb' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x60, { 'u1' : [ 0x0, ['__unnamed_14ab']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14ae']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b1']], 'u2' : [ 0x40, ['__unnamed_14bb']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], } ], '__unnamed_14cd' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], 'NextToFree' : [ 0x0, ['pointer64', ['_MI_PER_SESSION_PROTOS']]], } ], '__unnamed_14cf' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x38, { 'u1' : [ 0x0, ['__unnamed_14cd']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'SessionId' : [ 0x18, ['unsigned long']], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'SubsectionBase' : [ 0x28, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x30, ['__unnamed_14cf']], } ], 
'__unnamed_14d4' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14d4']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '__unnamed_14dd' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_14df' : [ 0x8, { 'KeepForever' : [ 0x0, ['unsigned long long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_14dd']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['__unnamed_14df']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '__unnamed_14e7' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x68, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x18, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x28, ['unsigned long long']], 'MdlHack' : [ 0x30, ['__unnamed_14e7']], } ], 
'_HHIVE' : [ 0x590, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'BaseBlock' : [ 0x48, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x50, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x60, ['unsigned long']], 'DirtyAlloc' : [ 0x64, ['unsigned long']], 'BaseBlockAlloc' : [ 0x68, ['unsigned long']], 'Cluster' : [ 0x6c, ['unsigned long']], 'Flat' : [ 0x70, ['unsigned char']], 'ReadOnly' : [ 0x71, ['unsigned char']], 'DirtyFlag' : [ 0x72, ['unsigned char']], 'HvBinHeadersUse' : [ 0x74, ['unsigned long']], 'HvFreeCellsUse' : [ 0x78, ['unsigned long']], 'HvUsedCellsUse' : [ 0x7c, ['unsigned long']], 'CmUsedCellsUse' : [ 0x80, ['unsigned long']], 'HiveFlags' : [ 0x84, ['unsigned long']], 'CurrentLog' : [ 0x88, ['unsigned long']], 'LogSize' : [ 0x8c, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x94, ['unsigned long']], 'StorageTypeCount' : [ 0x98, ['unsigned long']], 'Version' : [ 0x9c, ['unsigned long']], 'Storage' : [ 0xa0, ['array', 2, ['_DUAL']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_CM_VIEW_OF_FILE' : [ 0x58, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x20, ['_LIST_ENTRY']], 'CmHive' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'Bcb' : [ 0x38, ['pointer64', ['void']]], 'ViewAddress' : [ 0x40, ['pointer64', 
['void']]], 'FileOffset' : [ 0x48, ['unsigned long']], 'Size' : [ 0x4c, ['unsigned long']], 'UseCount' : [ 0x50, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_TEB' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 
0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'EtwLocalData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'SpareBool0' : [ 0x1744, ['unsigned char']], 'SpareBool1' : [ 0x1745, ['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 
'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Period' : [ 0x38, ['long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, 
{ 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'SpareByte' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '__unnamed_15b8' : [ 0x8, { 'IdleTransitionTime' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15ba' : [ 0x8, { 'LastIdleCheck' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15c1' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_PROCESSOR_POWER_STATE' : [ 0x118, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'LastTimeCheck' : [ 0x8, ['unsigned long long']], 'IdleTimeAccumulated' : [ 0x10, ['unsigned long long']], 'Native' : [ 0x18, ['__unnamed_15b8']], 'Hv' : [ 0x18, ['__unnamed_15ba']], 'IdleAccounting' : [ 0x20, ['pointer64', ['PPM_IDLE_ACCOUNTING']]], 'PerfStates' : [ 0x28, ['pointer64', ['_PPM_PERF_STATES']]], 'LastKernelUserTime' : [ 0x30, ['unsigned long']], 'LastIdleThreadKTime' : [ 0x34, ['unsigned long']], 'LastGlobalTimeHv' : [ 0x38, ['unsigned long long']], 'LastProcessorTimeHv' : [ 0x40, ['unsigned long long']], 'ThermalConstraint' : [ 0x48, ['unsigned char']], 'LastBusyPercentage' : [ 0x49, ['unsigned char']], 'Flags' : [ 0x4a, ['__unnamed_15c1']], 'PerfTimer' : [ 0x50, ['_KTIMER']], 'PerfDpc' : [ 0x90, ['_KDPC']], 'LastSysTime' : [ 0xd0, ['unsigned long']], 'PStateMaster' : [ 0xd8, ['pointer64', ['_KPRCB']]], 'PStateSet' : [ 0xe0, 
['unsigned long long']], 'CurrentPState' : [ 0xe8, ['unsigned long']], 'DesiredPState' : [ 0xec, ['unsigned long']], 'PStateIdleStartTime' : [ 0xf0, ['unsigned long']], 'PStateIdleTime' : [ 0xf4, ['unsigned long']], 'LastPStateIdleTime' : [ 0xf8, ['unsigned long']], 'PStateStartTime' : [ 0xfc, ['unsigned long']], 'DiaIndex' : [ 0x100, ['unsigned long']], 'Reserved0' : [ 0x104, ['unsigned long']], 'WmiDispatchPtr' : [ 0x108, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0x110, ['long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, 
['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long 
long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'DispatchedList' : [ 0x10, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x20, ['_KSEMAPHORE']], 'CompletedList' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_15f2' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_15f2']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 
'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '__unnamed_1604' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1606' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_160a' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x220, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'Level' : [ 0x20, ['unsigned long']], 'Notify' : [ 0x28, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x68, ['_PO_IRP_MANAGER']], 'State' : [ 0x88, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x8c, ['Enumeration', dict(target = 'long', choices = 
{768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x90, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xe0, ['unsigned long']], 'CompletionStatus' : [ 0xe4, ['long']], 'PendingIrp' : [ 0xe8, ['pointer64', ['_IRP']]], 'Flags' : [ 0xf0, ['unsigned long']], 'UserFlags' : [ 0xf4, ['unsigned long']], 'Problem' : [ 0xf8, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x100, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x108, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x110, ['pointer64', ['_CM_RESOURCE_LIST']]], 
'InstancePath' : [ 0x118, ['_UNICODE_STRING']], 'ServiceName' : [ 0x128, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x140, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x14c, ['unsigned long']], 'ChildInterfaceType' : [ 0x150, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x154, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x158, ['unsigned short']], 'RemovalPolicy' : [ 0x15a, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x15b, ['unsigned char']], 'TargetDeviceNotify' : [ 0x160, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x170, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x180, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x190, ['unsigned short']], 'QueryTranslatorMask' : [ 0x192, ['unsigned short']], 'NoArbiterMask' : [ 0x194, ['unsigned short']], 'QueryArbiterMask' : [ 0x196, ['unsigned short']], 'OverUsed1' : [ 0x198, ['__unnamed_1604']], 'OverUsed2' : [ 0x1a0, ['__unnamed_1606']], 'BootResources' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x1b0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x1b8, ['unsigned long']], 'DockInfo' : [ 0x1c0, ['__unnamed_160a']], 'DisableableDepends' : [ 0x1e0, 
['unsigned long']], 'PendedSetInterfaceState' : [ 0x1e8, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x1f8, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x208, ['unsigned long']], 'PreviousParent' : [ 0x210, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x218, ['unsigned long']], 'NumaNodeIndex' : [ 0x21c, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 
'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned 
long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 
'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_16aa' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16aa']], } ], 
'__unnamed_16b1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16b1']], } ], '_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x20, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x1d0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 
0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x68, ['pointer64', ['_VACB']]], 'NeedToZero' : [ 0x70, ['pointer64', ['void']]], 'ActivePage' : [ 0x78, ['unsigned long']], 'NeedToZeroPage' : [ 0x7c, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x80, ['unsigned long long']], 'VacbActiveCount' : [ 0x88, ['unsigned long']], 'DirtyPages' : [ 0x8c, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x90, ['_LIST_ENTRY']], 'Flags' : [ 0xa0, ['unsigned long']], 'Status' : [ 0xa4, ['long']], 'Mbcb' : [ 0xa8, ['pointer64', ['_MBCB']]], 'Section' : [ 0xb0, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xc0, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc8, ['unsigned long']], 'BeyondLastFlush' : [ 0xd0, ['long long']], 'Callbacks' : [ 0xd8, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xe0, ['pointer64', ['void']]], 'PrivateList' : [ 0xe8, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf8, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x100, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0x118, ['pointer64', ['_VACB']]], 'BcbSpinLock' : [ 0x120, ['unsigned long long']], 'Reserved' : [ 0x128, ['pointer64', ['void']]], 'Event' : [ 0x130, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x148, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x150, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1b8, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1c0, ['pointer64', 
['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x1c8, ['unsigned long']], 'MappedWritesInProgress' : [ 0x1cc, ['unsigned long']], } ], '__unnamed_16f3' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_16f3']], 'LruList' : [ 0x18, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x28, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1701' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1703' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1705' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_1707' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1709' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_1701']], 'Write' : [ 0x0, ['__unnamed_1703']], 'Event' : [ 0x0, ['__unnamed_1705']], 'Notification' : [ 0x0, ['__unnamed_1707']], } ], '_WORK_QUEUE_ENTRY' : [ 0x30, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x10, ['_LIST_ENTRY']], 'Parameters' : [ 0x20, ['__unnamed_1709']], 'Function' : [ 0x28, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x1f8, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned 
long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x90, ['unsigned long long']], 'Interceptor' : [ 0x98, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x9c, ['unsigned long']], 'Signature' : [ 0xa0, ['unsigned long']], 'SegmentReserve' : [ 0xa8, ['unsigned long long']], 'SegmentCommit' : [ 0xb0, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb8, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xc0, ['unsigned long long']], 'TotalFreeSize' : [ 0xc8, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xd0, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd8, ['unsigned short']], 'HeaderValidateLength' : [ 0xda, ['unsigned short']], 'HeaderValidateCopy' : [ 0xe0, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe8, ['unsigned short']], 'MaximumTagIndex' : [ 0xea, ['unsigned short']], 'TagEntries' : [ 0xf0, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf8, ['_LIST_ENTRY']], 'AlignRound' : [ 0x108, ['unsigned long long']], 'AlignMask' : [ 0x110, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x118, ['_LIST_ENTRY']], 'SegmentList' : [ 0x128, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x138, ['unsigned short']], 
'NonDedicatedListLength' : [ 0x13c, ['unsigned long']], 'BlocksIndex' : [ 0x140, ['pointer64', ['void']]], 'UCRIndex' : [ 0x148, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x150, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x158, ['_LIST_ENTRY']], 'LockVariable' : [ 0x168, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x170, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'Counters' : [ 0x188, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x1e8, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, 
['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xc8, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, 
['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ForwarderLinks' : [ 0x98, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0xa8, ['_LIST_ENTRY']], 'StaticLinks' : [ 0xb8, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'LocalInfo' : [ 0x0, ['pointer64', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x370, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer64', ['void']]], 'LoggerThread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x18, ['long']], 'LoggerId' : [ 0x1c, ['unsigned long']], 'NBQHead' : [ 
0x20, ['pointer64', ['void']]], 'OverflowNBQHead' : [ 0x28, ['pointer64', ['void']]], 'QueueBlockFreeList' : [ 0x30, ['_SLIST_HEADER']], 'GlobalList' : [ 0x40, ['_SLIST_HEADER']], 'BatchedBufferList' : [ 0x50, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'LoggerName' : [ 0x58, ['_UNICODE_STRING']], 'LogFileName' : [ 0x68, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x78, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x88, ['_UNICODE_STRING']], 'ClockType' : [ 0x98, ['unsigned long']], 'CollectionOn' : [ 0x9c, ['long']], 'MaximumFileSize' : [ 0xa0, ['unsigned long']], 'LoggerMode' : [ 0xa4, ['unsigned long']], 'LastFlushedBuffer' : [ 0xa8, ['unsigned long']], 'FlushTimer' : [ 0xac, ['unsigned long']], 'FlushThreshold' : [ 0xb0, ['unsigned long']], 'ByteOffset' : [ 0xb8, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0xc0, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xc8, ['unsigned long']], 'BuffersAvailable' : [ 0xcc, ['long']], 'NumberOfBuffers' : [ 0xd0, ['long']], 'MaximumBuffers' : [ 0xd4, ['unsigned long']], 'EventsLost' : [ 0xd8, ['unsigned long']], 'BuffersWritten' : [ 0xdc, ['unsigned long']], 'LogBuffersLost' : [ 0xe0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xe4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xe8, ['unsigned long']], 'BufferSize' : [ 0xec, ['unsigned long']], 'MaximumEventSize' : [ 0xf0, ['unsigned long']], 'SequencePtr' : [ 0xf8, ['pointer64', ['long']]], 'LocalSequence' : [ 0x100, ['unsigned long']], 'InstanceGuid' : [ 0x104, ['_GUID']], 'GetCpuClock' : [ 0x118, ['pointer64', ['void']]], 'FileCounter' : [ 0x120, ['long']], 'BufferCallback' : [ 0x128, ['pointer64', ['void']]], 'PoolType' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 
'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x138, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0x148, ['unsigned char']], 'Consumers' : [ 0x150, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x160, ['unsigned long']], 'Connecting' : [ 0x168, ['_LIST_ENTRY']], 'NewConsumer' : [ 0x178, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0x180, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x188, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x1a0, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x1a8, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1b0, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1b8, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1c0, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1c8, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x1d8, ['unsigned long']], 'RealtimeDisconnectConsumerId' : [ 0x1dc, ['unsigned long']], 'NewRTEventsLost' : [ 0x1e0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1e8, ['_KEVENT']], 'FlushEvent' : [ 0x200, ['_KEVENT']], 'FlushDpc' : [ 0x218, ['_KDPC']], 'LoggerMutex' : [ 0x258, ['_KMUTANT']], 'LoggerLock' : [ 0x290, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x298, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x2e0, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x2e8, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x330, ['long long']], 'AcceptNewEvents' : [ 0x338, ['long']], 'Flags' : [ 0x33c, ['unsigned long']], 'Persistent' : [ 0x33c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x33c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x33c, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x33c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x33c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x33c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x33c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x340, ['unsigned long']], 'RequestNewFie' : [ 0x340, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x340, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x340, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x340, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x340, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 0x344, ['unsigned short']], 'StackTraceFilter' : [ 0x346, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 
'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'Padding2' : [ 0x38, ['pointer64', ['void']]], 'GlobalEntry' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 
'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x170, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_17f7' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_17f9' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_17f7']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_17fb' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_17fd' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_17fb']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_17f9']], 'u2' : [ 0x4, ['__unnamed_17fd']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_BLOB_TYPE' : [ 0x38, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 
'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], 'LookasideIndex' : [ 0x30, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1814' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1816' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1814']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x20, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_1816']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x14, ['long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_1821' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1823' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1821']], } ], '_KALPC_SECTION' : [ 0x50, { 'u1' : [ 0x0, ['__unnamed_1823']], 'SectionObject' : [ 0x8, ['pointer64', ['void']]], 'Size' : [ 0x10, ['unsigned long long']], 'HandleTable' : [ 0x18, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 
'SectionHandle' : [ 0x20, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x28, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'NumberOfRegions' : [ 0x38, ['unsigned long']], 'RegionListHead' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_1830' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1832' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1830']], } ], '_KALPC_REGION' : [ 0x60, { 'u1' : [ 0x0, ['__unnamed_1832']], 'RegionListEntry' : [ 0x8, ['_LIST_ENTRY']], 'Section' : [ 0x18, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x20, ['unsigned long long']], 'Size' : [ 0x28, ['unsigned long long']], 'ViewSize' : [ 0x30, ['unsigned long long']], 'ReadOnlyView' : [ 0x38, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x40, ['pointer64', ['_KALPC_VIEW']]], 'NumberOfViews' : [ 0x48, ['unsigned long']], 'ViewListHead' : [ 0x50, ['_LIST_ENTRY']], } ], '__unnamed_1838' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_183a' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1838']], } ], '_KALPC_VIEW' : [ 0x68, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_183a']], 'Region' : [ 0x18, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x28, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x30, ['pointer64', ['void']]], 'Size' : [ 0x38, ['unsigned long long']], 'SecureViewHandle' : [ 0x40, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x48, ['pointer64', ['void']]], 'NumberOfOwnerMessages' : [ 0x50, ['unsigned long']], 'ProcessViewListEntry' : [ 0x58, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x48, { 
'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_1852' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1854' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1852']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 
0x198, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'SequenceNo' : [ 0x20, ['unsigned long']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x38, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x40, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x48, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'PendingQueue' : [ 0xa0, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xb0, ['_LIST_ENTRY']], 'WaitQueue' : [ 0xc0, ['_LIST_ENTRY']], 'Semaphore' : [ 0xd0, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xd0, ['pointer64', ['_KEVENT']]], 'Lock' : [ 0xd8, ['_EX_PUSH_LOCK']], 'PortAttributes' : [ 0xe0, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x128, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x130, ['_LIST_ENTRY']], 'CompletionList' : [ 0x140, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0x148, ['pointer64', ['_ALPC_MESSAGE_ZONE']]], 'CanceledQueue' : [ 0x150, ['_LIST_ENTRY']], 'u1' : [ 0x160, ['__unnamed_1854']], 'TargetQueuePort' : [ 0x168, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x170, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x178, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x180, ['unsigned long']], 'PendingQueueLength' : [ 0x184, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x188, ['unsigned long']], 'CanceledQueueLength' : [ 0x18c, ['unsigned long']], 'WaitQueueLength' : [ 0x190, ['unsigned long']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_17f9']], 'u2' : [ 0x4, ['__unnamed_17fd']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], 
'__unnamed_1870' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], } ], '__unnamed_1872' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1870']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x108, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x10, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0x18, ['unsigned long long']], 'QuotaProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x20, ['pointer64', ['void']]], 'SequenceNo' : [ 0x28, ['long']], 'u1' : [ 0x2c, ['__unnamed_1872']], 'CancelSequencePort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x40, ['long']], 'CancelListEntry' : [ 0x48, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x68, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x70, ['pointer64', ['_ALPC_PORT']]], 'UniqueTableEntry' : [ 0x78, ['pointer64', 
['_HANDLE_TABLE_ENTRY']]], 'MessageAttributes' : [ 0x80, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xb8, ['pointer64', ['void']]], 'DataSystemVa' : [ 0xc0, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xc8, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xd0, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xd8, ['pointer64', ['_ETHREAD']]], 'PortMessage' : [ 0xe0, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_HANDLE_DATA' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer64', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_18b1' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_18b3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_18b1']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_18b3']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, 
['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'Flags' : [ 0x18, ['unsigned long']], 'TargetThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'TotalLength' : [ 0x30, ['unsigned short']], 'Type' : [ 0x32, ['unsigned short']], 'DataInfoOffset' : [ 0x34, ['unsigned short']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x318, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 
'RestrictedSids' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa0, ['pointer64', ['void']]], 'DynamicPart' : [ 0xa8, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb0, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc0, ['unsigned long']], 'TokenInUse' : [ 0xc4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xc8, ['unsigned long']], 'MandatoryPolicy' : [ 0xcc, ['unsigned long']], 'ProxyData' : [ 0xd0, ['pointer64', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xd8, ['pointer64', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xe0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe8, ['_LUID']], 'SidHash' : [ 0xf0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x200, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x310, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x50, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], 'HashIndex' : [ 0x14, ['unsigned short']], 'DirectoryLocked' : [ 0x16, ['unsigned char']], 'LockStateSignature' : [ 0x18, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 
0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x238, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'Mutex' : [ 0xb0, ['_ERESOURCE']], 'TypeLock' : [ 0x118, ['_EX_PUSH_LOCK']], 'Key' : [ 0x120, ['unsigned long']], 'ObjectLocks' : [ 0x128, ['array', 32, ['_EX_PUSH_LOCK']]], 'CallbackList' : [ 0x228, ['_LIST_ENTRY']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_MMVAD_FLAGS3' : [ 0x8, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, 
native_type='unsigned long long')]], 'LargePageCreating' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'Spare3' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 
0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, 
native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'Abandoned' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x60, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned 
long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'CompactHeapCalls' : [ 0x48, ['unsigned long']], 'CompactedUCRs' : [ 0x4c, ['unsigned long']], 'InBlockDeccommits' : [ 0x50, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x58, ['unsigned long long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x20, { 'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']], 'VirtualAddress' : [ 0x8, ['pointer64', ['void']]], 'FileObject' : [ 0x10, ['pointer64', ['void']]], 'ThreadId' : [ 0x18, ['unsigned long']], 'ByteCount' : [ 0x1c, ['unsigned long']], } ], '_I386_LOADER_BLOCK' : [ 0x10, { 'CommonDataArea' : [ 0x0, ['pointer64', ['void']]], 'MachineType' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x10, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, 
['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_DEVPROPKEY' : [ 0x14, { 'fmtid' : [ 0x0, ['_GUID']], 'pid' : [ 0x10, ['unsigned long']], } ], '_WHEA_NMI_ERROR' : [ 0xc, { 'Data' : [ 0x0, ['array', 8, ['unsigned char']]], 'Flags' : [ 0x8, ['_WHEA_NMI_ERROR_FLAGS']], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_HANDLE_TABLE' : [ 0x60, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x20, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x38, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x40, ['long']], 'Flags' : [ 0x44, ['unsigned long']], 'StrictFIFO' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x48, ['long']], 'LastFreeHandleEntry' : [ 0x50, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x58, ['long']], 'NextHandleNeedingPool' : [ 0x5c, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned 
long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_CANCEL_GLOBALS' : [ 0x78, { 'CancelLock' : [ 0x0, ['unsigned long long']], 'IssueLock' : [ 0x8, ['unsigned long long']], 'Counters' : [ 0x10, ['array', 25, ['long']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', 
['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['unsigned long']], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_XMM_SAVE_AREA32' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'CpuValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x54, ['unsigned long']], } ], '__unnamed_19b9' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_19bb' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_19b9']], 'Private' : [ 0x0, ['__unnamed_19bb']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, 
{ 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_CMHIVE' : [ 0xb48, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x590, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5c0, ['_LIST_ENTRY']], 'HiveList' : [ 0x5d0, ['_LIST_ENTRY']], 
'HiveLock' : [ 0x5e0, ['pointer64', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x5e8, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x5f0, ['pointer64', ['_KTHREAD']]], 'ViewLockLast' : [ 0x5f8, ['unsigned long']], 'ViewUnLockLast' : [ 0x5fc, ['unsigned long']], 'WriterLock' : [ 0x600, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x608, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x610, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x618, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x628, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x638, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x648, ['unsigned short']], 'PinnedViewCount' : [ 0x64a, ['unsigned short']], 'UseCount' : [ 0x64c, ['unsigned long']], 'ViewsPerHive' : [ 0x650, ['unsigned long']], 'FileObject' : [ 0x658, ['pointer64', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x660, ['unsigned long']], 'ActualFileSize' : [ 0x668, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x670, ['_UNICODE_STRING']], 'FileUserName' : [ 0x680, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x690, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x6a0, ['unsigned long']], 'SecurityCacheSize' : [ 0x6a4, ['unsigned long']], 'SecurityHitHint' : [ 0x6a8, ['long']], 'SecurityCache' : [ 0x6b0, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x6b8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xab8, ['unsigned long']], 'UnloadEventArray' : [ 0xac0, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xac8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xad0, ['unsigned char']], 'UnloadWorkItem' : [ 0xad8, ['pointer64', ['_CM_WORKITEM']]], 'GrowOnlyMode' : [ 0xae0, ['unsigned char']], 'GrowOffset' : [ 0xae4, ['unsigned long']], 'KcbConvertListHead' : [ 0xae8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xaf8, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xb08, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xb10, ['unsigned long']], 'TrustClassEntry' : [ 0xb18, ['_LIST_ENTRY']], 'FlushCount' : [ 0xb28, ['unsigned long']], 'CmRm' : [ 0xb30, 
['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xb38, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xb3c, ['long']], 'CreatorOwner' : [ 0xb40, ['pointer64', ['_KTHREAD']]], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x10, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_19ea' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_19f0' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x78, { 'u1' : [ 0x0, ['__unnamed_14ab']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14ae']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b1']], 'u2' : [ 0x40, ['__unnamed_14bb']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'u3' : [ 0x60, ['__unnamed_19ea']], 'u4' : [ 0x70, ['__unnamed_19f0']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 
'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_EJOB' : [ 0x1b0, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0xe0, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'ActiveProcessLimit' : [ 0xf8, ['unsigned long']], 'Affinity' : [ 0x100, ['unsigned long long']], 'PriorityClass' : [ 0x108, ['unsigned char']], 'AccessState' : [ 0x110, ['pointer64', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0x118, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x11c, ['unsigned long']], 'CompletionPort' : [ 0x120, ['pointer64', ['void']]], 
'CompletionKey' : [ 0x128, ['pointer64', ['void']]], 'SessionId' : [ 0x130, ['unsigned long']], 'SchedulingClass' : [ 0x134, ['unsigned long']], 'ReadOperationCount' : [ 0x138, ['unsigned long long']], 'WriteOperationCount' : [ 0x140, ['unsigned long long']], 'OtherOperationCount' : [ 0x148, ['unsigned long long']], 'ReadTransferCount' : [ 0x150, ['unsigned long long']], 'WriteTransferCount' : [ 0x158, ['unsigned long long']], 'OtherTransferCount' : [ 0x160, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x168, ['unsigned long long']], 'JobMemoryLimit' : [ 0x170, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x178, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x180, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x188, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x190, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x198, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x1a8, ['unsigned long']], 'JobFlags' : [ 0x1ac, ['unsigned long']], } ], '__unnamed_1a03' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hypervisor' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0x48, { 'Type' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['__unnamed_1a03']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['unsigned long long']], 'State' : [ 0x20, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x368, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 
'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 
'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'SparePebPtr0' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, 
['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], } ], '__unnamed_1a1c' : [ 0x18, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x20, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_1a1c']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_POOL_DESCRIPTOR' : [ 0x1048, { 'PoolType' : [ 0x0, 
['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['long']], 'RunningDeAllocs' : [ 0xc, ['long']], 'TotalPages' : [ 0x10, ['long']], 'TotalBigPages' : [ 0x14, ['long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x20, ['pointer64', ['void']]], 'PendingFrees' : [ 0x28, ['pointer64', ['pointer64', ['void']]]], 'ThreadsProcessingDeferrals' : [ 0x30, ['long']], 'PendingFreeDepth' : [ 0x34, ['long']], 'TotalBytes' : [ 0x38, ['unsigned long long']], 'Spare0' : [ 0x40, ['unsigned long long']], 'ListHeads' : [ 0x48, ['array', 256, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, 
['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned char']], 'ShareVector' : [ 0x61, ['unsigned char']], 'Mode' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x6c, ['unsigned long']], 'DispatchCount' : [ 0x70, 
['unsigned long']], 'Rsvd1' : [ 0x78, ['unsigned long long']], 'TrapFrame' : [ 0x80, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x88, ['pointer64', ['void']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x38, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmHive2' : [ 0x28, ['pointer64', ['_CMHIVE']]], 'ThreadFinished' : [ 0x30, ['unsigned char']], 'ThreadStarted' : [ 0x31, ['unsigned char']], 'Allocate' : [ 0x32, ['unsigned char']], 'WinPERequired' : [ 0x33, ['unsigned char']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' 
: [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XMM_SAVE_AREA32']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 
'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x20, { 'Flags' : [ 0x0, ['unsigned long']], 'Handles' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x10, ['unsigned long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', 
dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'StackTrace' : [ 0x8, ['array', 63, ['pointer64', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x98, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x20, ['pointer64', ['void']]], 'UserLimit' : [ 0x28, ['pointer64', ['void']]], 'DataUserVa' : [ 0x30, ['pointer64', ['void']]], 'SystemVa' : [ 0x38, ['pointer64', ['void']]], 'TotalSize' : [ 0x40, ['unsigned long long']], 'Header' : [ 0x48, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x50, ['pointer64', ['void']]], 'ListSize' : [ 0x58, ['unsigned long long']], 'Bitmap' : [ 0x60, ['pointer64', ['void']]], 'BitmapSize' : [ 0x68, ['unsigned long long']], 'Data' : [ 0x70, ['pointer64', ['void']]], 'DataSize' : [ 0x78, ['unsigned long long']], 'BitmapLimit' : [ 0x80, ['unsigned long']], 'BitmapNextHint' : [ 0x84, ['unsigned long']], 'ConcurrencyCount' : [ 0x88, ['unsigned long']], 
'AttributeFlags' : [ 0x8c, ['unsigned long']], 'AttributeSize' : [ 0x90, ['unsigned long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x98, { 'WorkQueue' : [ 0x0, ['_LIST_ENTRY']], 'ScanDpc' : [ 0x10, ['_KDPC']], 'ScanTimer' : [ 0x50, ['_KTIMER']], 'ScanActive' : [ 0x90, ['unsigned char']], 'OtherWork' : [ 0x91, ['unsigned char']], 'PendingTeardown' : [ 0x92, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, 
['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', 
['_ERESOURCE']]], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PCIXDEVICE_ERROR' : [ 0x68, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, ['_WHEA_PCIXDEVICE_ID']], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, ['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 4, ['WHEA_PCIXDEVICE_REGISTER_PAIR']]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '__unnamed_1aa4' : [ 0x28, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x28, { 'Lock' : [ 0x0, ['__unnamed_1aa4']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 
'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned char']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' 
: [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0x18, { 'AnsiCodePageData' : [ 0x0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0x8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0x10, ['pointer64', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x100, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x30, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x38, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x40, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x50, ['pointer64', 
['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x50, ['unsigned long']], 'SubKeyCount' : [ 0x50, ['unsigned long']], 'KeyBodyListHead' : [ 0x58, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x58, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x68, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x88, ['pointer64', ['void']]], 'KcbLastWriteTime' : [ 0x90, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x98, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x9a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x9c, ['unsigned long']], 'KcbUserFlags' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xa0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xa0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xa0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xa8, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xb0, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0xc0, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xc8, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0xd8, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0xe8, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0xf0, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0xf8, ['pointer64', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, 
native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 
'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0x8, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 
'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], 
'_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x38, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 
'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 0, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], 
'_MAPPED_FILE_SEGMENT' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'LastSubsectionHint' : [ 0x30, ['pointer64', ['_MSUBSECTION']]], } ], '_TEB64' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 
'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'SpareBool0' : [ 0x1744, ['unsigned char']], 'SpareBool1' : [ 0x1745, ['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, 
['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 
9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_WHEA_PCIXBUS_ERROR' : [ 0x48, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXBUS_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['_WHEA_PCIXBUS_ID']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['_WHEA_PCIXBUS_COMMAND']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'CompleterId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x18, ['unsigned long']], 'ObjectMask' : [ 0x1c, ['unsigned 
long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'OwnerCount' : [ 0x8, ['long']], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x8, ['_KGATE']], } ], '_ETIMER' : [ 0x108, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeTimer' : [ 0xf5, ['unsigned char']], 'WakeTimerListEntry' : [ 0xf8, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_WHEA_PCIXBUS_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long 
long')]], 'BusId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'BusAddress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusData' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BusCommand' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterId' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1b85' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_1b85']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_ARBITER_INSTANCE' : [ 0x698, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, 
['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x150, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3f0, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x690, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_WHEA_MEMORY_ERROR' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 
'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, 
native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned 
long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bef' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1bf5' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 'IrqPolicyAllProcessorsInMachine', 4: 'IrqPolicySpecifiedProcessors', 5: 'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1bf7' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1bf9' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1bfb' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1bfd' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1bff' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c01' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c03' : [ 0x18, { 'Length64' : [ 0x0, 
['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c05' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1bef']], 'Memory' : [ 0x0, ['__unnamed_1bef']], 'Interrupt' : [ 0x0, ['__unnamed_1bf5']], 'Dma' : [ 0x0, ['__unnamed_1bf7']], 'Generic' : [ 0x0, ['__unnamed_1bef']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bf9']], 'BusNumber' : [ 0x0, ['__unnamed_1bfb']], 'ConfigData' : [ 0x0, ['__unnamed_1bfd']], 'Memory40' : [ 0x0, ['__unnamed_1bff']], 'Memory48' : [ 0x0, ['__unnamed_1c01']], 'Memory64' : [ 0x0, ['__unnamed_1c03']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1c05']], } ], '_POP_THERMAL_ZONE' : [ 0x128, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc8, ['pointer64', ['_IRP']]], 'Info' : [ 0xd0, ['_THERMAL_INFORMATION_EX']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 
'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_WHEA_PCIXBUS_COMMAND' : [ 0x8, { 'Command' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 56, native_type='unsigned long long')]], 'PCIXCommand' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_CM_TRANS' : [ 0xb0, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 
0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 8, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x48, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ParseContext' : [ 0x10, ['pointer64', ['void']]], 'ProbeMode' : [ 0x18, ['unsigned char']], 'PagedPoolCharge' : [ 0x1c, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x20, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x24, ['unsigned long']], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'SecurityQos' : [ 0x30, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x38, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, 
['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_MBCB' : [ 0xb8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x58, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x88, ['_BITMAP_RANGE']], } ], '__unnamed_1c48' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1c48']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', 
dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 
'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_PCIXDEVICE_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfo' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumber' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'RegisterDataPairs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], 'WHEA_PCIXDEVICE_REGISTER_PAIR' : [ 0x10, { 'Register' : [ 0x0, ['unsigned long long']], 'Data' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long 
long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned 
short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x238, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'SparePebPtr0' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'HotpatchInformation' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : 
[ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, 
['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KBUGCHECK_ACTIVE_STATE' : [ 0x4, { 'BugCheckState' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'RecursionCount' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'BugCheckOwner' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit 
= 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['long']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_PCIXBUS_ID' : [ 0x2, { 'BusNumber' : [ 0x0, ['unsigned char']], 'BusSegment' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x30, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'ObjectType' : [ 0x18, ['pointer64', ['_OBJECT_TYPE']]], 'TargetAccess' : [ 0x20, ['unsigned long']], 'ObjectInfo' : [ 0x24, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x28, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 
'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x18, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x8, ['pointer64', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x10, ['long']], 'MissedMappingsCount' : [ 0x14, ['unsigned long']], } ], '__unnamed_1ce7' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ce9' : [ 0x10, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1ceb' : [ 0x10, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1ced' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_1ceb']], 'Translated' : [ 0x0, ['__unnamed_1ce9']], } ], '__unnamed_1cef' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf1' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned 
long']], } ], '__unnamed_1cf3' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf5' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf7' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf9' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cfb' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_1ce7']], 'Port' : [ 0x0, ['__unnamed_1ce7']], 'Interrupt' : [ 0x0, ['__unnamed_1ce9']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1ced']], 'Memory' : [ 0x0, ['__unnamed_1ce7']], 'Dma' : [ 0x0, ['__unnamed_1cef']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bf9']], 'BusNumber' : [ 0x0, ['__unnamed_1cf1']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1cf3']], 'Memory40' : [ 0x0, ['__unnamed_1cf5']], 'Memory48' : [ 0x0, ['__unnamed_1cf7']], 'Memory64' : [ 0x0, ['__unnamed_1cf9']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1cfb']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '__unnamed_1d02' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1d02']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, 
['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMPTE_HARDWARE_LARGEPAGE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PAT' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 21, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 48, native_type='unsigned long long')]], 'reserved2' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 
'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1d1f' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_1d1f']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x48, { 'Parent' : [ 0x0, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 
'Child' : [ 0x8, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x10, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0x18, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1d29' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x28, { 'u' : [ 0x0, ['__unnamed_14d4']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_1d29']], 'LeftChild' : [ 0x18, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x20, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '__unnamed_1d2f' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1d31' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1d2f']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x98, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'TotalBusyCount' : [ 0x8, ['unsigned long']], 'ConservationIdleTime' : [ 0xc, ['unsigned long']], 'PerformanceIdleTime' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'DeviceType' : [ 0x30, ['unsigned char']], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x40, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x50, ['_LIST_ENTRY']], 
'PowerChannelSummary' : [ 0x60, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x80, ['_LIST_ENTRY']], 'Specific' : [ 0x90, ['__unnamed_1d31']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned 
long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 
'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, 
['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, 
['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x30, { 'InterceptorFunction' : [ 0x0, ['pointer64', ['void']]], 'InterceptorValue' : [ 0x8, ['unsigned short']], 'ExtendedOptions' : [ 0xc, ['unsigned long']], 'StackTraceDepth' : [ 0x10, ['unsigned long']], 'MinTotalBlockSize' : [ 0x18, ['unsigned long long']], 'MaxTotalBlockSize' : [ 0x20, ['unsigned long long']], 'HeapLeakEnumerationRoutine' : [ 0x28, ['pointer64', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidBits' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR_VALIDBITS']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 
'WheaPciExpressEndpoint', 1: 'WheaPciExpressLegacyEndpoint', 4: 'WheaPciExpressRootPort', 5: 'WheaPciExpressUpstreamSwitchPort', 6: 'WheaPciExpressDownstreamSwitchPort', 7: 'WheaPciExpressToPciXBridge', 8: 'WheaPciXToExpressBridge', 9: 'WheaPciExpressRootComplexIntegratedEndpoint', 10: 'WheaPciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['_WHEA_PCIEXPRESS_VERSION']], 'CommandStatus' : [ 0x10, ['_WHEA_PCIEXPRESS_COMMAND_STATUS']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_WHEA_PCIEXPRESS_DEVICE_ID']], 'DeviceSerialNumber' : [ 0x28, ['unsigned long long']], 'BridgeControlStatus' : [ 0x30, ['_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '__unnamed_1da3' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], 
'_PPM_PERF_STATES' : [ 0x98, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_1da3']], 'TargetProcessors' : [ 0x30, ['unsigned long long']], 'PStateHandler' : [ 0x38, ['pointer64', ['void']]], 'PStateContext' : [ 0x40, ['unsigned long long']], 'TStateHandler' : [ 0x48, ['pointer64', ['void']]], 'TStateContext' : [ 0x50, ['unsigned long long']], 'FeedbackHandler' : [ 0x58, ['pointer64', ['void']]], 'DiaStats' : [ 0x60, ['pointer64', ['_PPM_DIA_STATS']]], 'DiaStatsCount' : [ 0x68, ['unsigned long']], 'State' : [ 0x70, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, 
['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'RequestSummary' : [ 0x0, ['long long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'Virtual' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 
'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_WHEA_NMI_ERROR_FLAGS' : [ 0x4, { 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 
'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xb0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, 
['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x40, ['pointer64', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x48, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x50, ['unsigned long long']], 'SleepTime' : [ 0x58, ['unsigned long long']], 'FilteredCapabilities' : [ 0x60, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x18, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x28, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x30, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x38, ['unsigned long']], 'ActiveChild' : [ 0x3c, 
['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1dff' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1e01' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_1dff']], 'Button' : [ 0x10, ['__unnamed_1e01']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 
'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, 
['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0xc8, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x20, ['pointer64', ['void']]], 'EmInfFileSize' : [ 0x28, ['unsigned long']], 'TriageDumpBlock' : [ 0x30, ['pointer64', ['void']]], 'LoaderPagesSpanned' : [ 0x38, ['unsigned long long']], 'HeadlessLoaderBlock' : [ 0x40, ['pointer64', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x48, ['pointer64', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x50, ['pointer64', ['void']]], 'DrvDBSize' : [ 0x58, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x60, ['pointer64', ['_NETWORK_LOADER_BLOCK']]], 'FirmwareDescriptorListHead' : [ 0x68, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x78, ['pointer64', ['void']]], 'AcpiTableSize' : [ 0x80, ['unsigned long']], 'BootViaWinload' : [ 0x84, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x84, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x88, ['pointer64', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x90, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0xa0, ['pointer64', ['void']]], 'BootIdentifier' : [ 0xa8, ['_GUID']], 'ResumePages' : [ 0xb8, ['unsigned 
long']], 'DumpHeader' : [ 0xc0, ['pointer64', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_WHEA_PCIEXPRESS_VERSION' : [ 0x4, { 'MinorVersion' : [ 0x0, ['unsigned char']], 'MajorVersion' : [ 0x1, ['unsigned char']], 'Reserved' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '__unnamed_1e6d' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1e6d']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x3f8, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, 
['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], 'StartAddress' : [ 0x28, ['pointer64', ['void']]], 'EndAddress' : [ 0x30, ['pointer64', ['void']]], 'Flags' : [ 0x38, ['unsigned long']], 'Signature' : [ 0x40, ['unsigned long long']], 'PoolPageHeaders' : [ 0x50, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x60, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x70, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x74, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x78, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x7c, ['unsigned long']], 'PagedBytes' : [ 0x80, ['unsigned long long']], 'NonPagedBytes' : [ 0x88, ['unsigned long 
long']], 'PeakPagedBytes' : [ 0x90, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x98, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x30, { 'Mdl' : [ 0x0, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x8, ['pointer64', ['void']]], 'UserLimit' : [ 0x10, ['pointer64', ['void']]], 'SystemVa' : [ 0x18, ['pointer64', ['void']]], 'SystemLimit' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, 
['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 
0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 
'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x18, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer64', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0x10, ['pointer64', ['void']]], } ], '_PEB64' : [ 0x368, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned 
long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'SparePebPtr0' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 
0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 
'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_1eab' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1e00, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1eab']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x20, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x28, ['unsigned long long']], 'NonPagablePages' : [ 0x30, ['unsigned long long']], 'CommittedPages' : [ 0x38, ['unsigned long long']], 'PagedPoolStart' : [ 0x40, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x48, ['pointer64', ['void']]], 'SessionObject' : [ 0x50, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x58, ['pointer64', ['void']]], 'ResidentProcessCount' : [ 0x60, ['long']], 'ImageLoadingCount' : [ 0x64, ['long']], 'SessionPoolAllocationFailures' : [ 0x68, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachGate' : [ 0x90, ['_KGATE']], 'WsListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xc68, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc70, ['pointer64', ['void']]], 'PagedPool' : [ 0xc78, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1cc0, 
['_MMPTE']], 'SessionVaLock' : [ 0x1cc8, ['_KGUARDED_MUTEX']], 'DynamicVaBitMap' : [ 0x1d00, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1d10, ['unsigned long']], 'SpecialPool' : [ 0x1d18, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1d48, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1d80, ['long']], 'PagedPoolPdeCount' : [ 0x1d84, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1d88, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1d8c, ['unsigned long']], 'SystemPteInfo' : [ 0x1d90, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1dd8, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1de0, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1de8, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1df0, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 
'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 
'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, 
['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned long']], 'PagedPoolCommit' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']], 'TargetAddress' : [ 0xa0, ['unsigned long long']], 'RequesterId' : [ 0xa8, ['unsigned long long']], 'ResponderId' : [ 0xb0, ['unsigned long long']], 'InstructionPointer' : 
[ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x30, { 'PteBase' : [ 0x0, ['pointer64', ['_MMPTE']]], 'FreePteHead' : [ 0x8, ['_MMPTE']], 'FreePteTail' : [ 0x10, ['_MMPTE']], 'PagesInUse' : [ 0x18, ['long long']], 'SpecialPoolPdes' : [ 0x20, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 
'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS' : [ 0x4, { 'BridgeSecondaryStatus' : [ 0x0, ['unsigned short']], 'BridgeControl' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1f25' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1f27' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1f25']], 'Merged' : [ 0x10, ['__unnamed_1f27']], 'Attributes' : [ 0x20, 
['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['void']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_1f30' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1f30']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14d4']], 
'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'u1' : [ 0x38, ['__unnamed_1d29']], 'LeftChild' : [ 0x40, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x48, ['pointer64', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x70, { 'GetTime' : [ 0x0, ['unsigned long long']], 'SetTime' : [ 0x8, ['unsigned long long']], 'GetWakeupTime' : [ 0x10, ['unsigned long long']], 'SetWakeupTime' : [ 0x18, ['unsigned long long']], 'SetVirtualAddressMap' : [ 0x20, ['unsigned long long']], 'ConvertPointer' : [ 0x28, ['unsigned long long']], 'GetVariable' : [ 0x30, ['unsigned long long']], 'GetNextVariableName' : [ 0x38, ['unsigned long long']], 'SetVariable' : [ 0x40, ['unsigned long long']], 'GetNextHighMonotonicCount' : [ 0x48, ['unsigned long long']], 'ResetSystem' : [ 0x50, ['unsigned long long']], 'UpdateCapsule' : [ 0x58, ['unsigned long long']], 'QueryCapsuleCapabilities' : [ 0x60, ['unsigned long long']], 'QueryVariableInfo' : [ 0x68, ['unsigned long long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 
'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], 
'_WHEA_MEMORY_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 
'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer64', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1f50' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_1f54' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x50, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 
0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_1f50']], 'u2' : [ 0x38, ['__unnamed_1f54']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x48, ['array', 1, ['_MMPTE']]], } ], '_WHEA_PCIXDEVICE_ID' : [ 0x10, { 'VendorId' : [ 0x0, ['unsigned short']], 'DeviceId' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'BusNumber' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'SegmentNumber' : [ 0x8, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'Reserved1' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['unsigned long']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x60, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, 
['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x48, ['pointer64', ['void']]], 'CallersCaller' : [ 0x50, ['pointer64', ['void']]], } ], '_MMPFNLIST' : [ 0x20, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], } ], '_DEVOBJ_EXTENSION' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependentList' : [ 0x50, ['_LIST_ENTRY']], 'ProviderList' : [ 0x60, ['_LIST_ENTRY']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned 
char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_WHEA_PCIEXPRESS_COMMAND_STATUS' : [ 0x4, { 'Command' : [ 0x0, ['unsigned short']], 'Status' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 
'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR_VALIDBITS' : [ 0x8, { 'PortType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Version' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'CommandStatus' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'DeviceId' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'DeviceSerialNumber' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BridgeControlStatus' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'ExpressCapability' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AerInfo' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'EnableMask' : [ 0x1c, ['unsigned char']], 'ReplyQueue' : [ 0x20, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x20, ['array', 4, ['pointer64', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x40, ['pointer64', ['_EPROCESS']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'CallbackContext' : [ 0x48, ['pointer64', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', 
['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 
'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0xc0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x40, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x50, ['unsigned long long']], 'Color' : [ 0x58, ['unsigned char']], 'Seed' : [ 0x59, ['unsigned char']], 'NodeNumber' : [ 0x5a, ['unsigned char']], 'Flags' : [ 0x5b, ['_flags']], 'MmShiftedColor' : [ 0x5c, ['unsigned long']], 'FreeCount' : [ 0x60, ['array', 2, ['unsigned long long']]], 'PfnDeferredList' : [ 0x70, ['pointer64', ['_SLIST_ENTRY']]], 'Right' : [ 0x78, ['unsigned long']], 'Left' : [ 0x7c, ['unsigned long']], 'CachedKernelStacks' : [ 0x80, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x2b8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x288, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x28c, ['long']], 'Pending' : [ 0x290, ['_LIST_ENTRY']], 'Status' : [ 0x2a0, ['long']], 'FailedDevice' : [ 0x2a8, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x2b0, ['unsigned 
char']], 'Cancelled' : [ 0x2b1, ['unsigned char']], 'IgnoreErrors' : [ 0x2b2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x2b3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x2b4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID32' : 
[ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_TEB32' : [ 0xff8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes1' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 
'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'SpareBool0' : [ 0xf74, ['unsigned char']], 'SpareBool1' : [ 0xf75, ['unsigned char']], 'SpareBool2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', 
dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'DbgSafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'ProcessRundown' : [ 0xfdc, ['unsigned long']], 'LastSwitchTime' : [ 0xfe0, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']], 'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x30, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 
'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], } ], '_PPM_IDLE_STATE' : [ 0x28, { 'IdleHandler' : [ 0x0, ['pointer64', ['void']]], 'Context' : [ 0x8, ['pointer64', ['void']]], 'Latency' : [ 0x10, ['unsigned long']], 'Power' : [ 0x14, ['unsigned long']], 'TimeCheck' : [ 0x18, ['unsigned long']], 'StateFlags' : [ 0x1c, ['unsigned long']], 'PromotePercent' : [ 0x20, ['unsigned char']], 'DemotePercent' : [ 0x21, ['unsigned char']], 'PromotePercentBase' : [ 0x22, ['unsigned char']], 'DemotePercentBase' : [ 0x23, ['unsigned char']], 'StateType' : [ 0x24, ['unsigned char']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, 
['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x90, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, 
['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8168, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 
'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x803c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']], 'TotalReleases' : [ 0x8044, ['unsigned long']], 'RootNodesDeleted' : [ 0x8048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x804c, ['unsigned long']], 'Instigator' : [ 0x8050, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8058, ['unsigned long']], 'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8160, ['long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x80, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'PrepareUIEvent' : [ 0x28, ['_KEVENT']], 'PowerOnEvent' : [ 0x40, ['_KEVENT']], 'DoneEvent' : [ 0x58, ['_KEVENT']], 'WorkerQueued' : [ 0x70, ['unsigned long']], 'WorkerAbort' : [ 0x74, ['unsigned long']], 'NoResumeUI' : [ 0x78, ['unsigned long']], } ], '_KPCR' : [ 0x3ca0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, 
['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KTM' : [ 0x3a0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, 
['_LIST_ENTRY']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win81_u1_x64_vtypes.py0000644000000000000000000232212113131215405030417 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'Reserved2' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', 
dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'Reserved12' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 
6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrement32' : [ 0x368, ['unsigned long']], 'QpcInterruptTimeIncrement32' : [ 0x36c, ['unsigned long']], 'QpcSystemTimeIncrementShift' : [ 0x370, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x371, ['unsigned char']], 'UnparkedProcessorCount' : [ 0x372, ['unsigned short']], 'Reserved8' : [ 0x374, ['array', 12, ['unsigned char']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, 
['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_107f' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_107f']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1083' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1083']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_109b' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109d' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_109b']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_109d']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 
'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TEB' : [ 0x1820, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'Padding1' : [ 0x2ec, ['array', 4, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, 
['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'PerflibData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 
0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', 
dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], 'ReservedForWdf' : [ 0x1818, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0x18, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, 
['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_BALANCED_NODE' : [ 0x18, { 'Children' : [ 0x0, ['array', 2, ['pointer64', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer64', 
['_RTL_BALANCED_NODE']]], 'Right' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x10, ['unsigned long long']], } ], '_RTL_RB_TREE' : [ 0x10, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_RTL_AVL_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x5f00, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, 
['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x5d80, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'ClockOwner' : [ 0x21, ['unsigned char']], 'PendingTickFlags' : [ 0x22, ['unsigned char']], 'PendingTick' : [ 0x22, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x22, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'PrcbPad00' : [ 0x23, ['array', 1, ['unsigned char']]], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PriorityState' : [ 0x38, ['pointer64', ['unsigned char']]], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ParentNode' : [ 0x640, ['pointer64', ['_KNODE']]], 'GroupSetMember' : [ 0x648, ['unsigned long long']], 'Group' : [ 0x650, ['unsigned char']], 'GroupIndex' : [ 0x651, ['unsigned char']], 'PrcbPad05' : [ 0x652, ['array', 2, 
['unsigned char']]], 'ApicMask' : [ 0x654, ['unsigned long']], 'CFlushSize' : [ 0x658, ['unsigned long']], 'AcpiReserved' : [ 0x660, ['pointer64', ['void']]], 'InitialApicId' : [ 0x668, ['unsigned long']], 'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x2080, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PrcbPad20' : [ 0x2c80, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2c88, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2c90, ['long']], 'MmCopyOnWriteCount' : [ 0x2c94, ['long']], 'MmTransitionCount' : [ 0x2c98, ['long']], 'MmDemandZeroCount' : [ 0x2c9c, ['long']], 'MmPageReadCount' : [ 0x2ca0, ['long']], 'MmPageReadIoCount' : [ 0x2ca4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x2ca8, ['long']], 'MmDirtyWriteIoCount' : [ 0x2cac, ['long']], 'MmMappedPagesWriteCount' : [ 0x2cb0, ['long']], 'MmMappedWriteIoCount' : [ 0x2cb4, ['long']], 'KeSystemCalls' : [ 0x2cb8, ['unsigned long']], 'KeContextSwitches' : [ 0x2cbc, ['unsigned long']], 'LdtSelector' : [ 0x2cc0, ['unsigned short']], 'PrcbPad40' : [ 0x2cc2, ['unsigned short']], 'CcFastReadNoWait' : [ 0x2cc4, ['unsigned long']], 'CcFastReadWait' : [ 0x2cc8, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x2ccc, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x2cd0, ['unsigned long']], 'CcCopyReadWait' : [ 0x2cd4, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x2cd8, ['unsigned long']], 'IoReadOperationCount' : [ 0x2cdc, ['long']], 'IoWriteOperationCount' : [ 0x2ce0, ['long']], 'IoOtherOperationCount' : [ 0x2ce4, ['long']], 'IoReadTransferCount' : [ 0x2ce8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x2cf0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x2cf8, ['_LARGE_INTEGER']], 'PacketBarrier' : [ 0x2d00, ['long']], 'TargetCount' : [ 
0x2d04, ['long']], 'IpiFrozen' : [ 0x2d08, ['unsigned long']], 'IsrDpcStats' : [ 0x2d10, ['pointer64', ['void']]], 'DeviceInterrupts' : [ 0x2d18, ['unsigned long']], 'LookasideIrpFloat' : [ 0x2d1c, ['long']], 'InterruptLastCount' : [ 0x2d20, ['unsigned long']], 'InterruptRate' : [ 0x2d24, ['unsigned long']], 'PrcbPad41' : [ 0x2d28, ['array', 22, ['unsigned long']]], 'DpcData' : [ 0x2d80, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2dd0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2dd8, ['long']], 'DpcRequestRate' : [ 0x2ddc, ['unsigned long']], 'MinimumDpcRate' : [ 0x2de0, ['unsigned long']], 'DpcLastCount' : [ 0x2de4, ['unsigned long']], 'ThreadDpcEnable' : [ 0x2de8, ['unsigned char']], 'QuantumEnd' : [ 0x2de9, ['unsigned char']], 'DpcRoutineActive' : [ 0x2dea, ['unsigned char']], 'IdleSchedule' : [ 0x2deb, ['unsigned char']], 'DpcRequestSummary' : [ 0x2dec, ['long']], 'DpcRequestSlot' : [ 0x2dec, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x2dec, ['short']], 'ThreadDpcState' : [ 0x2dee, ['short']], 'DpcNormalProcessingActive' : [ 0x2dec, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x2dec, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x2dec, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x2dec, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x2dec, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x2dec, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x2dec, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x2dec, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x2dec, ['BitField', 
dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x2dec, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2df0, ['unsigned long']], 'LastTick' : [ 0x2df4, ['unsigned long']], 'ClockInterrupts' : [ 0x2df8, ['unsigned long']], 'ReadyScanTick' : [ 0x2dfc, ['unsigned long']], 'TimerTable' : [ 0x2e00, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x5000, ['_KGATE']], 'PrcbPad52' : [ 0x5018, ['pointer64', ['void']]], 'CallDpc' : [ 0x5020, ['_KDPC']], 'ClockKeepAlive' : [ 0x5060, ['long']], 'PrcbPad60' : [ 0x5064, ['array', 2, ['unsigned char']]], 'NmiActive' : [ 0x5066, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x5068, ['long']], 'DpcWatchdogCount' : [ 0x506c, ['long']], 'KeSpinLockOrdering' : [ 0x5070, ['long']], 'PrcbPad70' : [ 0x5074, ['array', 1, ['unsigned long']]], 'CachedPtes' : [ 0x5078, ['pointer64', ['void']]], 'WaitListHead' : [ 0x5080, ['_LIST_ENTRY']], 'WaitLock' : [ 0x5090, ['unsigned long long']], 'ReadySummary' : [ 0x5098, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x509c, ['long']], 'QueueIndex' : [ 0x50a0, ['unsigned long']], 'PrcbPad75' : [ 0x50a4, ['array', 3, ['unsigned long']]], 'TimerExpirationDpc' : [ 0x50b0, ['_KDPC']], 'ScbQueue' : [ 0x50f0, ['_RTL_RB_TREE']], 'DispatcherReadyListHead' : [ 0x5100, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x5300, ['unsigned long']], 'KernelTime' : [ 0x5304, ['unsigned long']], 'UserTime' : [ 0x5308, ['unsigned long']], 'DpcTime' : [ 0x530c, ['unsigned long']], 'InterruptTime' : [ 0x5310, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5314, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x5318, ['unsigned char']], 'GroupSchedulingOverQuota' : [ 0x5319, ['unsigned char']], 'DeepSleep' : [ 0x531a, ['unsigned char']], 'PrcbPad80' : [ 0x531b, ['array', 1, ['unsigned char']]], 'ScbOffset' : [ 0x531c, ['unsigned long']], 'DpcTimeCount' : [ 0x5320, ['unsigned long']], 'DpcTimeLimit' : [ 0x5324, ['unsigned long']], 
'PeriodicCount' : [ 0x5328, ['unsigned long']], 'PeriodicBias' : [ 0x532c, ['unsigned long']], 'AvailableTime' : [ 0x5330, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x5334, ['unsigned long']], 'StartCycles' : [ 0x5338, ['unsigned long long']], 'GenerationTarget' : [ 0x5340, ['unsigned long long']], 'AffinitizedCycles' : [ 0x5348, ['unsigned long long']], 'PrcbPad81' : [ 0x5350, ['array', 2, ['unsigned long long']]], 'MmSpinLockOrdering' : [ 0x5360, ['long']], 'PageColor' : [ 0x5364, ['unsigned long']], 'NodeColor' : [ 0x5368, ['unsigned long']], 'NodeShiftedColor' : [ 0x536c, ['unsigned long']], 'SecondaryColorMask' : [ 0x5370, ['unsigned long']], 'PrcbPad83' : [ 0x5374, ['unsigned long']], 'CycleTime' : [ 0x5378, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x5380, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x5384, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x5388, ['unsigned long']], 'CcMapDataNoWait' : [ 0x538c, ['unsigned long']], 'CcMapDataWait' : [ 0x5390, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x5394, ['unsigned long']], 'CcPinReadNoWait' : [ 0x5398, ['unsigned long']], 'CcPinReadWait' : [ 0x539c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x53a0, ['unsigned long']], 'CcMdlReadWait' : [ 0x53a4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x53a8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x53ac, ['unsigned long']], 'CcLazyWritePages' : [ 0x53b0, ['unsigned long']], 'CcDataFlushes' : [ 0x53b4, ['unsigned long']], 'CcDataPages' : [ 0x53b8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x53bc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x53c0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x53c4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x53c8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x53cc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x53d0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x53d4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x53d8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x53dc, 
['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x53e0, ['unsigned long']], 'CcReadAheadIos' : [ 0x53e4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x53e8, ['long']], 'MmCacheReadCount' : [ 0x53ec, ['long']], 'MmCacheIoCount' : [ 0x53f0, ['long']], 'PrcbPad91' : [ 0x53f4, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x5400, ['_PROCESSOR_POWER_STATE']], 'ScbList' : [ 0x55e0, ['_LIST_ENTRY']], 'PrcbPad92' : [ 0x55f0, ['array', 19, ['unsigned long']]], 'KeAlignmentFixupCount' : [ 0x563c, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x5640, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x5680, ['_KTIMER']], 'Cache' : [ 0x56c0, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x56fc, ['unsigned long']], 'CachedCommit' : [ 0x5700, ['unsigned long']], 'CachedResidentAvailable' : [ 0x5704, ['unsigned long']], 'HyperPte' : [ 0x5708, ['pointer64', ['void']]], 'WheaInfo' : [ 0x5710, ['pointer64', ['void']]], 'EtwSupport' : [ 0x5718, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x5720, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x5730, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x5740, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x5748, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x5750, ['pointer64', ['unsigned long long']]], 'PackageProcessorSet' : [ 0x5758, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x5800, ['unsigned long long']], 'SharedReadyQueue' : [ 0x5808, ['pointer64', ['_KSHARED_READY_QUEUE']]], 'CoreProcessorSet' : [ 0x5810, ['unsigned long long']], 'ScanSiblingMask' : [ 0x5818, ['unsigned long long']], 'LLCMask' : [ 0x5820, ['unsigned long long']], 'CacheProcessorMask' : [ 0x5828, ['array', 5, ['unsigned long long']]], 'ScanSiblingIndex' : [ 0x5850, ['unsigned long']], 'SharedReadyQueueOffset' : [ 0x5854, ['unsigned long']], 'ProcessorProfileControlArea' : [ 0x5858, ['pointer64', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x5860, ['pointer64', ['void']]], 'PrcbPad94' : [ 0x5868, ['array', 3, ['unsigned long 
long']]], 'SynchCounters' : [ 0x5880, ['_SYNCH_COUNTERS']], 'PteBitCache' : [ 0x5938, ['unsigned long long']], 'PteBitOffset' : [ 0x5940, ['unsigned long']], 'FsCounters' : [ 0x5948, ['_FILESYSTEM_DISK_COUNTERS']], 'VendorString' : [ 0x5958, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x5965, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x5968, ['unsigned long long']], 'PrcbPad11' : [ 0x5970, ['unsigned long']], 'UpdateSignature' : [ 0x5978, ['_LARGE_INTEGER']], 'Context' : [ 0x5980, ['pointer64', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x5988, ['unsigned long']], 'ExtendedState' : [ 0x5990, ['pointer64', ['_XSAVE_AREA']]], 'IsrStack' : [ 0x5998, ['pointer64', ['void']]], 'EntropyTimingState' : [ 0x59a0, ['_KENTROPY_TIMING_STATE']], 'AbSelfIoBoostsList' : [ 0x5af0, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x5af8, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x5b00, ['_KDPC']], 'IoIrpStackProfilerCurrent' : [ 0x5b40, ['_IOP_IRP_STACK_PROFILER']], 'IoIrpStackProfilerPrevious' : [ 0x5b94, ['_IOP_IRP_STACK_PROFILER']], 'TimerExpirationTrace' : [ 0x5be8, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : [ 0x5ce8, ['unsigned long']], 'Mailbox' : [ 0x5d00, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x5d40, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KFLOATING_SAVE' : [ 0x4, { 'Dummy' : [ 0x0, ['unsigned long']], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_KTHREAD' : [ 0x5d0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x18, ['pointer64', ['void']]], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'StackBase' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 
'CycleTime' : [ 0x48, ['unsigned long long']], 'CurrentRunTime' : [ 0x50, ['unsigned long']], 'ExpectedRunTime' : [ 0x54, ['unsigned long']], 'KernelStack' : [ 0x58, ['pointer64', ['void']]], 'StateSaveArea' : [ 0x60, ['pointer64', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x68, ['pointer64', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x70, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x71, ['unsigned char']], 'Alerted' : [ 0x72, ['array', 2, ['unsigned char']]], 'SpareMiscFlag0' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x74, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x74, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x74, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x74, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x74, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'TimerActive' : [ 0x74, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SystemThread' : [ 0x74, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x74, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'CalloutActive' : [ 0x74, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x74, 
['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ApcQueueable' : [ 0x74, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x74, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x74, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ApcPendingReload' : [ 0x74, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'TimerSuspended' : [ 0x74, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'SuspendedWaitMode' : [ 0x74, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved' : [ 0x74, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x74, ['long']], 'AutoAlignment' : [ 0x78, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x78, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UserAffinitySet' : [ 0x78, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x78, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x78, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x78, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x78, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x78, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x78, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 10, 
end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x78, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x78, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x78, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x78, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x78, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'KernelStackResident' : [ 0x78, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x78, ['BitField', dict(start_bit = 17, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags' : [ 0x78, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x78, ['long']], 'Spare0' : [ 0x7c, ['unsigned long']], 'SystemCallNumber' : [ 0x80, ['unsigned long']], 'Spare1' : [ 0x84, ['unsigned long']], 'FirstArgument' : [ 0x88, ['pointer64', ['void']]], 'TrapFrame' : [ 0x90, ['pointer64', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x98, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x98, ['array', 43, ['unsigned char']]], 'Priority' : [ 0xc3, ['unsigned char']], 'UserIdealProcessor' : [ 0xc4, ['unsigned long']], 'WaitStatus' : [ 0xc8, ['long long']], 'WaitBlockList' : [ 0xd0, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xd8, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xe8, ['pointer64', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xf0, ['pointer64', ['void']]], 'RelativeTimerBias' : [ 0xf8, ['unsigned long long']], 'Timer' : [ 0x100, ['_KTIMER']], 'WaitBlock' : [ 0x140, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x140, ['array', 20, ['unsigned char']]], 'ContextSwitches' : [ 0x154, ['unsigned long']], 'WaitBlockFill5' : [ 0x140, ['array', 68, 
['unsigned char']]], 'State' : [ 0x184, ['unsigned char']], 'NpxState' : [ 0x185, ['unsigned char']], 'WaitIrql' : [ 0x186, ['unsigned char']], 'WaitMode' : [ 0x187, ['unsigned char']], 'WaitBlockFill6' : [ 0x140, ['array', 116, ['unsigned char']]], 'WaitTime' : [ 0x1b4, ['unsigned long']], 'WaitBlockFill7' : [ 0x140, ['array', 164, ['unsigned char']]], 'KernelApcDisable' : [ 0x1e4, ['short']], 'SpecialApcDisable' : [ 0x1e6, ['short']], 'CombinedApcDisable' : [ 0x1e4, ['unsigned long']], 'WaitBlockFill8' : [ 0x140, ['array', 40, ['unsigned char']]], 'ThreadCounters' : [ 0x168, ['pointer64', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0x140, ['array', 88, ['unsigned char']]], 'XStateSave' : [ 0x198, ['pointer64', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0x140, ['array', 136, ['unsigned char']]], 'Win32Thread' : [ 0x1c8, ['pointer64', ['void']]], 'WaitBlockFill11' : [ 0x140, ['array', 176, ['unsigned char']]], 'Ucb' : [ 0x1f0, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'Uch' : [ 0x1f8, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'TebMappedLowVa' : [ 0x200, ['pointer64', ['void']]], 'QueueListEntry' : [ 0x208, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x218, ['unsigned long']], 'NextProcessorNumber' : [ 0x218, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x218, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x21c, ['long']], 'Process' : [ 0x220, ['pointer64', ['_KPROCESS']]], 'UserAffinity' : [ 0x228, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x228, ['array', 10, ['unsigned char']]], 'PreviousMode' : [ 0x232, ['unsigned char']], 'BasePriority' : [ 0x233, ['unsigned char']], 'PriorityDecrement' : [ 0x234, ['unsigned char']], 'ForegroundBoost' : [ 0x234, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x234, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x235, 
['unsigned char']], 'AdjustReason' : [ 0x236, ['unsigned char']], 'AdjustIncrement' : [ 0x237, ['unsigned char']], 'Affinity' : [ 0x238, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x238, ['array', 10, ['unsigned char']]], 'ApcStateIndex' : [ 0x242, ['unsigned char']], 'WaitBlockCount' : [ 0x243, ['unsigned char']], 'IdealProcessor' : [ 0x244, ['unsigned long']], 'ApcStatePointer' : [ 0x248, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x258, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x258, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x283, ['unsigned char']], 'SuspendCount' : [ 0x284, ['unsigned char']], 'Saturation' : [ 0x285, ['unsigned char']], 'SListFaultCount' : [ 0x286, ['unsigned short']], 'SchedulerApc' : [ 0x288, ['_KAPC']], 'SchedulerApcFill0' : [ 0x288, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x289, ['unsigned char']], 'SchedulerApcFill1' : [ 0x288, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x28b, ['unsigned char']], 'SchedulerApcFill2' : [ 0x288, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x28c, ['unsigned long']], 'SchedulerApcFill3' : [ 0x288, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c8, ['pointer64', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x288, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2d0, ['pointer64', ['void']]], 'SchedulerApcFill5' : [ 0x288, ['array', 83, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x2db, ['unsigned char']], 'UserTime' : [ 0x2dc, ['unsigned long']], 'SuspendEvent' : [ 0x2e0, ['_KEVENT']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'LockEntriesFreeList' : [ 0x318, ['_SINGLE_LIST_ENTRY']], 'LockEntries' : [ 0x320, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x560, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x568, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x570, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x580, ['unsigned long']], 
'AbCompletedIoBoostCount' : [ 0x584, ['long']], 'AbReferenceCount' : [ 0x588, ['short']], 'AbFreeEntryCount' : [ 0x58a, ['unsigned char']], 'AbWaitEntryCount' : [ 0x58b, ['unsigned char']], 'ForegroundLossTime' : [ 0x58c, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x590, ['_LIST_ENTRY']], 'ForegroundDpcStackListEntry' : [ 0x590, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x598, ['unsigned long long']], 'ReadOperationCount' : [ 0x5a0, ['long long']], 'WriteOperationCount' : [ 0x5a8, ['long long']], 'OtherOperationCount' : [ 0x5b0, ['long long']], 'ReadTransferCount' : [ 0x5b8, ['long long']], 'WriteTransferCount' : [ 0x5c0, ['long long']], 'OtherTransferCount' : [ 0x5c8, ['long long']], } ], '_KSTACK_CONTROL' : [ 0x30, { 'StackBase' : [ 0x0, ['unsigned long long']], 'ActualLimit' : [ 0x8, ['unsigned long long']], 'StackExpansion' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_1232' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long 
long']], 'HeaderX64' : [ 0x0, ['__unnamed_1232']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer64', ['void']]], 'DeleteContext' : [ 0x10, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 
0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0xc0, { 'DeepIdleSet' : [ 0x0, ['unsigned long long']], 'SharedReadyQueueLeaders' : [ 0x8, ['unsigned long long']], 'ProximityId' : [ 0x40, ['unsigned long']], 'NodeNumber' : [ 0x44, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x46, ['unsigned short']], 'MaximumProcessors' : [ 0x48, ['unsigned char']], 'Flags' : [ 0x49, ['_flags']], 'Stride' : [ 0x4a, ['unsigned char']], 'LowIndex' : [ 0x4b, ['unsigned char']], 'Affinity' : [ 0x50, ['_GROUP_AFFINITY']], 'IdleCpuSet' : [ 0x60, ['unsigned long long']], 'IdleSmtSet' : [ 0x68, ['unsigned long long']], 'NonParkedSet' : [ 
0x80, ['unsigned long long']], 'Seed' : [ 0x88, ['unsigned long']], 'Lowest' : [ 0x8c, ['unsigned long']], 'Highest' : [ 0x90, ['unsigned long']], 'ParkLock' : [ 0x94, ['long']], } ], '_ENODE' : [ 0x500, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueues' : [ 0xc0, ['array', 8, ['pointer64', ['_EX_WORK_QUEUE']]]], 'ExWorkQueue' : [ 0x100, ['_EX_WORK_QUEUE']], 'ExpThreadSetManagerEvent' : [ 0x3d0, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x3e8, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x428, ['_KEVENT']], 'WaitBlocks' : [ 0x440, ['array', 3, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x4d0, ['pointer64', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x4d8, ['unsigned long']], 'ExWorkerFullInit' : [ 0x4dc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x4dc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x4dc, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x80, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long long']], 'QuotaProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'HandleTableList' : [ 0x18, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], 'StrictFIFO' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x2c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x2c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x38, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x40, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x40, ['array', 32, ['unsigned char']]], 'DebugInfo' : [ 0x60, ['pointer64', 
['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'VolatileLowValue' : [ 0x0, ['long long']], 'LowValue' : [ 0x0, ['long long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 17, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 20, native_type='unsigned long long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 64, native_type='unsigned long long')]], 'HighValue' : [ 0x8, ['long long']], 'NextFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x8, ['_EXHANDLE']], 'GrantedAccessBits' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Spare' : [ 0x8, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], 'TypeInfo' : [ 0xc, ['unsigned long']], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1329' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 
'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_1329']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xe0, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xd8, ['unsigned char']], } ], '_ETHREAD' : [ 0x778, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x5d0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x5d8, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x5d8, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x5e8, ['pointer64', ['void']]], 'PostBlockList' : [ 0x5f0, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x5f0, ['pointer64', ['void']]], 'StartAddress' : [ 0x5f8, ['pointer64', ['void']]], 'TerminationPort' : [ 0x600, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x600, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x600, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x608, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x610, ['_LIST_ENTRY']], 'Cid' : [ 0x620, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x630, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x630, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x650, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x658, 
['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x668, ['unsigned long long']], 'DeviceToVerify' : [ 0x670, ['pointer64', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x678, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x680, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x688, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x698, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x6a0, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x6a8, ['unsigned long']], 'MmLockOrdering' : [ 0x6ac, ['long']], 'CmLockOrdering' : [ 0x6b0, ['long']], 'CrossThreadFlags' : [ 0x6b4, ['unsigned long']], 'Terminated' : [ 0x6b4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x6b4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x6b4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x6b4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x6b4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x6b4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x6b4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x6b4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x6b4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x6b4, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x6b4, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x6b4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x6b4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 
'ReservedCrossThreadFlags' : [ 0x6b4, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x6b8, ['unsigned long']], 'ActiveExWorker' : [ 0x6b8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x6b8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ClonedThread' : [ 0x6b8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x6b8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SelfTerminate' : [ 0x6b8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x6bc, ['unsigned long']], 'HardFaultBehavior' : [ 0x6bc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x6bc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x6bc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x6bc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x6bc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x6bc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x6bc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x6bc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x6bd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x6bd, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x6bd, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x6bd, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x6bd, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x6bd, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x6bd, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x6bd, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x6be, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x6be, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x6be, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x6be, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x6be, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare2' : [ 0x6be, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x6bf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x6bf, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'Spare3' : [ 0x6bf, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x6c0, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x6c1, ['unsigned char']], 'ActiveFaultCount' : [ 0x6c2, ['unsigned char']], 'LockOrderState' : [ 0x6c3, ['unsigned char']], 'AlpcMessageId' : [ 0x6c8, ['unsigned long long']], 'AlpcMessage' : [ 0x6d0, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x6d0, 
['unsigned long']], 'ExitStatus' : [ 0x6d8, ['long']], 'AlpcWaitListEntry' : [ 0x6e0, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x6f0, ['unsigned long']], 'IoBoostCount' : [ 0x6f4, ['unsigned long']], 'BoostList' : [ 0x6f8, ['_LIST_ENTRY']], 'DeboostList' : [ 0x708, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x718, ['unsigned long long']], 'IrpListLock' : [ 0x720, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x728, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x730, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x738, ['pointer64', ['_GUID']]], 'SeLearningModeListHead' : [ 0x740, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x748, ['pointer64', ['void']]], 'KernelStackReference' : [ 0x750, ['unsigned long']], 'AdjustedClientToken' : [ 0x758, ['pointer64', ['void']]], 'UserFsBase' : [ 0x760, ['unsigned long']], 'UserGsBase' : [ 0x768, ['unsigned long long']], 'PicoContext' : [ 0x770, ['pointer64', ['void']]], } ], '_EPROCESS' : [ 0x6d8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x2c8, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x2d0, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x2d8, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x2e0, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x2e8, ['_LIST_ENTRY']], 'Flags2' : [ 0x2f8, ['unsigned long']], 'JobNotReallyActive' : [ 0x2f8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x2f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x2f8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x2f8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x2f8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x2f8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0x2f8, ['BitField', dict(start_bit = 6, 
end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x2f8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x2f8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x2f8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0x2f8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0x2f8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x2f8, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x2f8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x2f8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x2f8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x2f8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x2f8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x2f8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x2f8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0x2f8, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0x2f8, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0x2f8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0x2f8, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0x2f8, 
['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0x2f8, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0x2f8, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0x2f8, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x2fc, ['unsigned long']], 'CreateReported' : [ 0x2fc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x2fc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x2fc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x2fc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0x2fc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x2fc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x2fc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x2fc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x2fc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x2fc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x2fc, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x2fc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x2fc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x2fc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 
'WriteWatch' : [ 0x2fc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x2fc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x2fc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x2fc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x2fc, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0x2fc, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x2fc, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x2fc, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x2fc, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x2fc, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0x2fc, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x2fc, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x2fc, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x2fc, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x2fc, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ProcessQuotaUsage' : [ 0x300, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x310, ['array', 2, ['unsigned long long']]], 'PeakVirtualSize' : [ 0x320, ['unsigned long long']], 'VirtualSize' : [ 0x328, ['unsigned long long']], 'SessionProcessLinks' : [ 0x330, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0x340, ['pointer64', ['void']]], 
'ExceptionPortValue' : [ 0x340, ['unsigned long long']], 'ExceptionPortState' : [ 0x340, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Token' : [ 0x348, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x350, ['unsigned long long']], 'AddressCreationLock' : [ 0x358, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0x360, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x368, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x370, ['pointer64', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x378, ['pointer64', ['_EJOB']]], 'CloneRoot' : [ 0x380, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x388, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x390, ['unsigned long long']], 'Win32Process' : [ 0x398, ['pointer64', ['void']]], 'Job' : [ 0x3a0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x3a8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x3b0, ['pointer64', ['void']]], 'Cookie' : [ 0x3b8, ['unsigned long']], 'WorkingSetWatch' : [ 0x3c0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x3c8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x3d0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x3d8, ['pointer64', ['void']]], 'OwnerProcessId' : [ 0x3e0, ['unsigned long long']], 'Peb' : [ 0x3e8, ['pointer64', ['_PEB']]], 'Session' : [ 0x3f0, ['pointer64', ['void']]], 'AweInfo' : [ 0x3f8, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x400, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x408, ['pointer64', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x410, ['pointer64', ['void']]], 'Wow64Process' : [ 0x418, ['pointer64', ['void']]], 'DeviceMap' : [ 0x420, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x428, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x430, ['unsigned long long']], 'ImageFileName' : [ 0x438, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x447, ['unsigned char']], 'SecurityPort' : [ 0x448, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x450, 
['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x458, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x468, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x470, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x480, ['unsigned long']], 'ImagePathHash' : [ 0x484, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x488, ['unsigned long']], 'LastThreadExitStatus' : [ 0x48c, ['long']], 'PrefetchTrace' : [ 0x490, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x498, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x4a0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x4a8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x4b0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x4b8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x4c0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x4c8, ['_LARGE_INTEGER']], 'CommitCharge' : [ 0x4d0, ['unsigned long long']], 'Vm' : [ 0x4d8, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x5c0, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x5d0, ['unsigned long']], 'ExitStatus' : [ 0x5d4, ['long']], 'VadRoot' : [ 0x5d8, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x5e0, ['pointer64', ['void']]], 'VadCount' : [ 0x5e8, ['unsigned long long']], 'VadPhysicalPages' : [ 0x5f0, ['unsigned long long']], 'VadPhysicalPagesLimit' : [ 0x5f8, ['unsigned long long']], 'AlpcContext' : [ 0x600, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x620, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x630, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x638, ['unsigned long']], 'SmallestTimerResolution' : [ 0x63c, ['unsigned long']], 'ExitTime' : [ 0x640, ['_LARGE_INTEGER']], 'InvertedFunctionTable' : [ 0x648, ['pointer64', ['_INVERTED_FUNCTION_TABLE']]], 'InvertedFunctionTableLock' : [ 0x650, ['_EX_PUSH_LOCK']], 'ActiveThreadsHighWatermark' : [ 0x658, ['unsigned long']], 'LargePrivateVadCount' : [ 0x65c, ['unsigned long']], 'ThreadListLock' : [ 0x660, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x668, ['pointer64', ['void']]], 'Spare0' : [ 0x670, ['unsigned long 
long']], 'SignatureLevel' : [ 0x678, ['unsigned char']], 'SectionSignatureLevel' : [ 0x679, ['unsigned char']], 'Protection' : [ 0x67a, ['_PS_PROTECTION']], 'SpareByte20' : [ 0x67b, ['array', 1, ['unsigned char']]], 'Flags3' : [ 0x67c, ['unsigned long']], 'Minimal' : [ 0x67c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SvmReserved' : [ 0x680, ['long']], 'SvmReserved1' : [ 0x688, ['pointer64', ['void']]], 'SvmReserved2' : [ 0x690, ['unsigned long long']], 'LastFreezeInterruptTime' : [ 0x698, ['unsigned long long']], 'DiskCounters' : [ 0x6a0, ['pointer64', ['_PROCESS_DISK_COUNTERS']]], 'PicoContext' : [ 0x6a8, ['pointer64', ['void']]], 'KeepAliveCounter' : [ 0x6b0, ['unsigned long']], 'NoWakeKeepAliveCounter' : [ 0x6b4, ['unsigned long']], 'DeepFreezeStartTime' : [ 0x6b8, ['unsigned long long']], 'CommitChargeLimit' : [ 0x6c0, ['unsigned long long']], 'CommitChargePeak' : [ 0x6c8, ['unsigned long long']], 'HighPriorityFaultsAllowed' : [ 0x6d0, ['unsigned long']], } ], '_KPROCESS' : [ 0x2c8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long']], 'Spare0' : [ 0x44, ['unsigned long']], 'Affinity' : [ 0x48, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0xf0, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x108, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x1b0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x1b0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x1b0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'AffinitySet' : [ 0x1b0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='long')]], 'DeepFreeze' : [ 0x1b0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 
'TimerVirtualization' : [ 0x1b0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x1b0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x1b0, ['BitField', dict(start_bit = 7, end_bit = 27, native_type='unsigned long')]], 'ReservedFlags' : [ 0x1b0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x1b0, ['long']], 'BasePriority' : [ 0x1b4, ['unsigned char']], 'QuantumReset' : [ 0x1b5, ['unsigned char']], 'Visited' : [ 0x1b6, ['unsigned char']], 'Flags' : [ 0x1b7, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x1b8, ['array', 20, ['unsigned long']]], 'IdealNode' : [ 0x208, ['array', 20, ['unsigned short']]], 'IdealGlobalNode' : [ 0x230, ['unsigned short']], 'Spare1' : [ 0x232, ['unsigned short']], 'StackCount' : [ 0x234, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x238, ['_LIST_ENTRY']], 'CycleTime' : [ 0x248, ['unsigned long long']], 'ContextSwitches' : [ 0x250, ['unsigned long long']], 'SchedulingGroup' : [ 0x258, ['pointer64', ['_KSCHEDULING_GROUP']]], 'FreezeCount' : [ 0x260, ['unsigned long']], 'KernelTime' : [ 0x264, ['unsigned long']], 'UserTime' : [ 0x268, ['unsigned long']], 'LdtFreeSelectorHint' : [ 0x26c, ['unsigned short']], 'LdtTableLength' : [ 0x26e, ['unsigned short']], 'LdtSystemDescriptor' : [ 0x270, ['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x280, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x288, ['_FAST_MUTEX']], 'InstrumentationCallback' : [ 0x2c0, ['pointer64', ['void']]], } ], '__unnamed_1381' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1387' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1389' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, 
['__unnamed_1387']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_1394' : [ 0x58, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x50, ['pointer64', ['void']]], } ], '__unnamed_1396' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_1394']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'AllocationProcessorNumber' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_1381']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_1389']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_1396']], } ], '__unnamed_139d' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, 
['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_13a1' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_13a5' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_13a7' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13ab' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 
'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13ad' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_13af' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 
'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], } ], '__unnamed_13b1' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 
'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 
'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13b3' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13b5' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_13b9' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMaximumInformation'})]], } ], '__unnamed_13bb' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13bd' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13bf' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13c1' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_13c3' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, 
['pointer64', ['void']]], } ], '__unnamed_13c7' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_13cb' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_13cf' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_13d3' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_13d7' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13db' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_13df' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_13e1' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_13e3' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_13e7' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_13eb' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } 
], '__unnamed_13ef' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_13f3' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_13f7' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_13ff' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1403' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1405' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1407' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 
} ], '__unnamed_1409' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_139d']], 'CreatePipe' : [ 0x0, ['__unnamed_13a1']], 'CreateMailslot' : [ 0x0, ['__unnamed_13a5']], 'Read' : [ 0x0, ['__unnamed_13a7']], 'Write' : [ 0x0, ['__unnamed_13a7']], 'QueryDirectory' : [ 0x0, ['__unnamed_13ab']], 'NotifyDirectory' : [ 0x0, ['__unnamed_13ad']], 'QueryFile' : [ 0x0, ['__unnamed_13af']], 'SetFile' : [ 0x0, ['__unnamed_13b1']], 'QueryEa' : [ 0x0, ['__unnamed_13b3']], 'SetEa' : [ 0x0, ['__unnamed_13b5']], 'QueryVolume' : [ 0x0, ['__unnamed_13b9']], 'SetVolume' : [ 0x0, ['__unnamed_13b9']], 'FileSystemControl' : [ 0x0, ['__unnamed_13bb']], 'LockControl' : [ 0x0, ['__unnamed_13bd']], 'DeviceIoControl' : [ 0x0, ['__unnamed_13bf']], 'QuerySecurity' : [ 0x0, ['__unnamed_13c1']], 'SetSecurity' : [ 0x0, ['__unnamed_13c3']], 'MountVolume' : [ 0x0, ['__unnamed_13c7']], 'VerifyVolume' : [ 0x0, ['__unnamed_13c7']], 'Scsi' : [ 0x0, ['__unnamed_13cb']], 'QueryQuota' : [ 0x0, ['__unnamed_13cf']], 'SetQuota' : [ 0x0, ['__unnamed_13b5']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_13d3']], 'QueryInterface' : [ 0x0, ['__unnamed_13d7']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_13db']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_13df']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_13e1']], 'SetLock' : [ 0x0, ['__unnamed_13e3']], 'QueryId' : [ 0x0, ['__unnamed_13e7']], 'QueryDeviceText' : [ 0x0, ['__unnamed_13eb']], 'UsageNotification' : [ 0x0, ['__unnamed_13ef']], 'WaitWake' : [ 0x0, ['__unnamed_13f3']], 'PowerSequence' : [ 0x0, ['__unnamed_13f7']], 'Power' : [ 0x0, ['__unnamed_13ff']], 'StartDevice' : [ 0x0, ['__unnamed_1403']], 'WMI' : [ 0x0, ['__unnamed_1405']], 'Others' : [ 0x0, ['__unnamed_1407']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_1409']], 'DeviceObject' : [ 0x28, ['pointer64', 
['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_141f' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_141f']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x10, ['unsigned long long']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', 
['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'AllocationProcessorNumber' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x70, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : 
[ 0x58, ['pointer64', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x60, ['pointer64', ['void']]], 'UserContext' : [ 0x68, ['pointer64', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 
'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = 
{0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : 
[ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'Oplock' : [ 0x58, ['pointer64', ['void']]], 'ReservedForRemote' : [ 0x58, ['pointer64', ['void']]], 'ReservedContext' : [ 0x60, ['pointer64', ['void']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '__unnamed_15a1' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_15a1']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'ReservedLowFlags' : [ 0x1a, ['unsigned char']], 'WaiterPriority' : [ 0x1b, ['unsigned char']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, 
['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '__unnamed_15e5' : [ 0x8, { 'Flink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeFlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 64, native_type='unsigned long long')]], 'WsIndex' : [ 0x0, ['unsigned long long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_15ea' : [ 0x8, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeBlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 56, native_type='unsigned long long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 60, native_type='unsigned long long')]], 'SpareBlink' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 
'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15ed' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], 'VolatileShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_15ef' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_15ed']], } ], '__unnamed_15f9' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'Channel' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 38, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'Unused3' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 53, native_type='unsigned long long')]], 'PfnExists' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned long long']], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_15e5']], 'u2' : [ 0x8, ['__unnamed_15ea']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['long']], 'PteLong' : [ 0x10, ['unsigned long long']], 'u3' : [ 0x18, ['__unnamed_15ef']], 'NodeBlinkLow' : [ 0x1c, ['unsigned short']], 'Unused' : [ 0x1e, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'VaType' : [ 0x1e, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 
'ViewCount' : [ 0x1f, ['unsigned char']], 'NodeFlinkLow' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'u4' : [ 0x28, ['__unnamed_15f9']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x68, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP_EX']], 'BasePte' : [ 0x10, ['pointer64', ['_MMPTE']]], 'Flags' : [ 0x18, ['unsigned long']], 'VaType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaMaximumType', 15: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x30, ['unsigned long long']], 'GlobalMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'Vm' : [ 0x38, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x40, ['unsigned long long']], 'Hint' : [ 0x48, ['unsigned long long']], 'CachedPtes' : [ 0x50, ['pointer64', ['_MI_CACHED_PTE']]], 'TotalFreeSystemPtes' : [ 0x58, ['unsigned long long']], 'CachedPteCount' : [ 0x60, ['long']], } ], '__unnamed_161b' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_161b']], } ], '_MMWSL' : [ 0x320, { 'FirstFree' : [ 0x0, ['unsigned long long']], 'FirstDynamic' : [ 0x8, ['unsigned long long']], 'LastEntry' : [ 0x10, ['unsigned long long']], 'NextSlot' : [ 0x18, ['unsigned long long']], 'LastInitializedWsle' : [ 0x20, ['unsigned long long']], 'NextAgingSlot' : [ 0x28, ['unsigned long long']], 'NextAccessClearingSlot' : [ 0x30, ['unsigned long long']], 'LastAccessClearingRemainder' : [ 0x38, ['unsigned long']], 'LastAgingRemainder' : [ 0x3c, 
['unsigned long']], 'WsleSize' : [ 0x40, ['unsigned long']], 'NonDirectCount' : [ 0x48, ['unsigned long long']], 'LowestPagableAddress' : [ 0x50, ['pointer64', ['void']]], 'NonDirectHash' : [ 0x58, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x60, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x68, ['pointer64', ['_MMWSLE_HASH']]], 'ActiveWsleCounts' : [ 0x70, ['array', 16, ['unsigned long long']]], 'ActiveWsles' : [ 0xf0, ['array', 16, ['_MI_ACTIVE_WSLE_LISTHEAD']]], 'Wsle' : [ 0x1f0, ['pointer64', ['_MMWSLE']]], 'UserVaInfo' : [ 0x1f8, ['_MI_USER_VA_INFO']], } ], '_MMSUPPORT' : [ 0xe8, { 'ExitGate' : [ 0x0, ['pointer64', ['_KGATE']]], 'AccessLog' : [ 0x8, ['pointer64', ['void']]], 'WorkingSetMutex' : [ 0x10, ['_EX_PUSH_LOCK']], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, ['array', 7, ['unsigned long long']]], 'MinimumWorkingSetSize' : [ 0x60, ['unsigned long long']], 'WorkingSetLeafSize' : [ 0x68, ['unsigned long long']], 'WorkingSetLeafPrivateSize' : [ 0x70, ['unsigned long long']], 'WorkingSetSize' : [ 0x78, ['unsigned long long']], 'WorkingSetPrivateSize' : [ 0x80, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0x88, ['unsigned long long']], 'ChargedWslePages' : [ 0x90, ['unsigned long long']], 'ActualWslePages' : [ 0x98, ['unsigned long long']], 'WorkingSetSizeOverhead' : [ 0xa0, ['unsigned long long']], 'PeakWorkingSetSize' : [ 0xa8, ['unsigned long long']], 'HardFaultCount' : [ 0xb0, ['unsigned long']], 'VmWorkingSetList' : [ 0xb8, ['pointer64', ['_MMWSL']]], 'NextPageColor' : [ 0xc0, ['unsigned short']], 'LastTrimStamp' : [ 0xc2, ['unsigned short']], 'PageFaultCount' : [ 0xc4, ['unsigned long']], 'TrimmedPageCount' : [ 0xc8, ['unsigned long long']], 'ForceTrimPages' : [ 0xd0, ['unsigned long long']], 'Flags' : [ 0xd8, ['_MMSUPPORT_FLAGS']], 'WsSwapSupport' : [ 0xe0, ['pointer64', ['void']]], } ], '__unnamed_1635' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 
'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_163f' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 28, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1641' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_163f']], } ], '_CONTROL_AREA' : [ 0x78, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_1635']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'WaitList' : [ 0x50, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x58, ['__unnamed_1641']], 'LockedPages' : [ 0x68, ['unsigned long long']], 'FileObjectLock' : [ 0x70, ['_EX_PUSH_LOCK']], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long 
long']], } ], '_MMPAGING_FILE' : [ 0xe0, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'FreeReservationSpace' : [ 0x30, ['unsigned long long']], 'LargestReserveCluster' : [ 0x38, ['unsigned long long']], 'File' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x48, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x60, ['_SLIST_HEADER']], 'PageFileName' : [ 0x70, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x80, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x88, ['unsigned long']], 'ReservationBitmapHint' : [ 0x8c, ['unsigned long']], 'LargestNonReservedClusterSize' : [ 0x90, ['unsigned long']], 'RefreshClusterSize' : [ 0x94, ['unsigned long']], 'LastRefreshClusterSize' : [ 0x98, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x9c, ['unsigned long']], 'ToBeEvictedCount' : [ 0xa0, ['unsigned long']], 'HybridPriority' : [ 0xa4, ['unsigned long']], 'PageFileNumber' : [ 0xa8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0xa8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0xa8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'NoReservations' : [ 0xa8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Spare0' : [ 0xa8, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0xaa, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0xaa, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0xab, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 
0xac, ['unsigned long']], 'PageHashPagesPeak' : [ 0xb0, ['unsigned long']], 'PageHash' : [ 0xb8, ['pointer64', ['unsigned long']]], 'FileHandle' : [ 0xc0, ['pointer64', ['void']]], 'Lock' : [ 0xc8, ['unsigned long long']], 'LockOwner' : [ 0xd0, ['pointer64', ['_ETHREAD']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x30, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x8, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0x18, ['_RTL_BITMAP']], 'EvictStoreBitmap' : [ 0x28, ['pointer64', ['_RTL_BITMAP']]], } ], 'tagSWITCH_CONTEXT' : [ 0x60, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '__unnamed_1682' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1685' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_1687' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_168b' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_168d' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 
'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_1691' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_1695' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_1697' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_1682']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_1682']]], 'RegistryIO' : [ 0xd0, ['__unnamed_1685']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_1687']], 'CheckKey' : [ 0xf0, ['__unnamed_168b']], 'CheckValueList' : [ 0x110, ['__unnamed_168d']], 'CheckHive' : [ 0x128, ['__unnamed_1691']], 'CheckHive1' : [ 0x138, ['__unnamed_1691']], 'CheckBin' : [ 0x148, ['__unnamed_1695']], 'RecoverData' : [ 0x158, ['__unnamed_1697']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xb8, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 
'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'ParkingStatus' : [ 0x78, ['unsigned long']], 'CurrentFrequency' : [ 0x7c, ['unsigned long']], 'PercentMaxFrequency' : [ 0x80, ['unsigned long']], 'StateFlags' : [ 0x84, ['unsigned long']], 'NominalThroughput' : [ 0x88, ['unsigned long']], 'ActiveThroughput' : [ 0x8c, ['unsigned long']], 'ScaledThroughput' : [ 0x90, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0x98, ['unsigned long long']], 'AverageIdleTime' : [ 0xa0, ['unsigned long long']], 'IdleBreakEvents' : [ 0xa8, ['unsigned long long']], 'PerformanceLimit' : [ 0xb0, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xb4, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned 
long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned 
long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0xc, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '__unnamed_1701' : [ 0x10, { 'ReservedEax' : [ 0x0, ['unsigned long']], 'ReservedEbx' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'InitialApicId' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ReservedEcx' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HypervisorPresent' : [ 0x8, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_CPUID_RESULT' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'VersionAndFeatures' : [ 0x0, ['__unnamed_1701']], 'HvVendorAndMaxFunction' : [ 0x0, 
['_HV_VENDOR_AND_MAX_FUNCTION']], 'HvInterface' : [ 0x0, ['_HV_HYPERVISOR_INTERFACE_INFO']], 'MsHvVersion' : [ 0x0, ['_HV_HYPERVISOR_VERSION_INFO']], 'MsHvFeatures' : [ 0x0, ['_HV_HYPERVISOR_FEATURES']], 'MsHvEnlightenmentInformation' : [ 0x0, ['_HV_ENLIGHTENMENT_INFORMATION']], 'MsHvImplementationLimits' : [ 0x0, ['_HV_IMPLEMENTATION_LIMITS']], 'MsHvHardwareFeatures' : [ 0x0, ['_HV_HYPERVISOR_HARDWARE_FEATURES']], } ], '_HV_VENDOR_AND_MAX_FUNCTION' : [ 0x10, { 'MaxFunction' : [ 0x0, ['unsigned long']], 'VendorName' : [ 0x4, ['array', 12, ['unsigned char']]], } ], '_HV_HYPERVISOR_INTERFACE_INFO' : [ 0x10, { 'Interface' : [ 0x0, ['unsigned long']], 'ReservedEbx' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_HYPERVISOR_VERSION_INFO' : [ 0x10, { 'BuildNumber' : [ 0x0, ['unsigned long']], 'MinorVersion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'MajorVersion' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ServicePack' : [ 0x8, ['unsigned long']], 'ServiceNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'ServiceBranch' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_HV_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long')]], } ], '_HV_HYPERVISOR_HARDWARE_FEATURES' : [ 0x10, { 'ApicOverlayAssistInUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MsrBitmapsInUse' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ArchitecturalPerformanceCountersInUse' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SecondLevelAddressTranslationInUse' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned long')]], 'DmaRemappingInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'InterruptRemappingInUse' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'MemoryPatrolScrubberPresent' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'ReservedEbx' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_ENLIGHTENMENT_INFORMATION' : [ 0x10, { 'UseHypercallForAddressSpaceSwitch' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UseHypercallForLocalFlush' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UseHypercallForRemoteFlush' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UseApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UseMsrForReset' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UseRelaxedTiming' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UseDmaRemapping' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UseInterruptRemapping' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UseX2ApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeprecateAutoEoi' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'LongSpinWaitCount' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], 
'_HV_IMPLEMENTATION_LIMITS' : [ 0x10, { 'MaxVirtualProcessorCount' : [ 0x0, ['unsigned long']], 'MaxLogicalProcessorCount' : [ 0x4, ['unsigned long']], 'MaxInterruptMappingCount' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeMsr' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicMsrs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerMsrs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetMsr' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsMsr' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleMsr' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyMsrs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugMsrs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, 
end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'EnableExpandedStackwalking' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', 
['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x268, { 'Lock' : [ 0x0, ['unsigned long long']], 'ReadySummary' : [ 0x8, ['unsigned long']], 'ReadyListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x210, ['array', 64, ['unsigned char']]], 'Span' : [ 0x250, ['unsigned long']], 'LowProcIndex' : [ 0x254, ['unsigned long']], 'QueueIndex' : [ 0x258, ['unsigned long']], 'ProcCount' : [ 0x25c, ['unsigned long']], 'Affinity' : [ 0x260, ['unsigned long long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'Spare1' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'OutputBuffer' : [ 0xd8, ['unsigned long long']], 'OutputLength' : [ 0xe0, ['unsigned long long']], 'Spare2' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : 
[ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long 
long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'Fill4' : [ 0x18c, ['unsigned long']], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x48, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x30, ['pointer64', ['unsigned long']]], 'EnableKeyWords' : [ 0x38, ['pointer64', ['unsigned long long']]], 'EnableLevel' : [ 0x40, ['pointer64', ['unsigned char']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, 
['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependencyNode' : [ 0x50, ['pointer64', ['void']]], 'VerifierContext' : [ 0x58, ['pointer64', ['void']]], } ], '__unnamed_1801' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1803' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1807' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x2c8, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'FxDevice' : [ 0x50, ['pointer64', 
['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x58, ['long']], 'FxRemoveEvent' : [ 0x60, ['_KEVENT']], 'FxActivationCount' : [ 0x78, ['long']], 'FxSleepCount' : [ 0x7c, ['long']], 'Plugin' : [ 0x80, ['pointer64', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x88, ['unsigned long']], 'CurrentPowerState' : [ 0x8c, ['_POWER_STATE']], 'Notify' : [ 0x90, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xf8, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0x118, ['_UNICODE_STRING']], 'PowerFlags' : [ 0x128, ['unsigned long']], 'State' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 
'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x134, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x184, ['unsigned long']], 'CompletionStatus' : [ 0x188, ['long']], 'Flags' : [ 0x18c, ['unsigned long']], 'UserFlags' : [ 0x190, ['unsigned long']], 'Problem' : [ 0x194, ['unsigned long']], 'ProblemStatus' : [ 0x198, ['long']], 'ResourceList' : [ 0x1a0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x1b0, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x1b8, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x1c4, ['unsigned long']], 'ChildInterfaceType' : [ 0x1c8, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 
'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x1cc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x1d0, ['unsigned short']], 'RemovalPolicy' : [ 0x1d2, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x1d3, ['unsigned char']], 'TargetDeviceNotify' : [ 0x1d8, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x1e8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1f8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x208, ['unsigned short']], 'QueryTranslatorMask' : [ 0x20a, ['unsigned short']], 'NoArbiterMask' : [ 0x20c, ['unsigned short']], 'QueryArbiterMask' : [ 0x20e, ['unsigned short']], 'OverUsed1' : [ 0x210, ['__unnamed_1801']], 'OverUsed2' : [ 0x218, ['__unnamed_1803']], 'BootResources' : [ 0x220, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x228, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x230, ['unsigned long']], 'DockInfo' : [ 0x238, ['__unnamed_1807']], 'DisableableDepends' : [ 0x258, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x260, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x270, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x280, ['unsigned long']], 'PreviousParent' : [ 0x288, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x290, ['unsigned long']], 'NumaNodeIndex' : [ 0x294, ['unsigned long']], 'ContainerID' : [ 0x298, ['_GUID']], 'OverrideFlags' : [ 0x2a8, ['unsigned char']], 'DeviceIdsHash' : [ 0x2ac, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x2b0, ['unsigned char']], 'PendingEjectRelations' : [ 0x2b8, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x2c0, ['unsigned long']], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 
'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KAFFINITY_EX' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 20, ['unsigned long long']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, 
['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 
'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned 
long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, 
['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_18be' : [ 0x28, { 'ReadMemory' : [ 0x0, 
['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_18be']], } ], '__unnamed_18c5' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, 
['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_18c5']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PROCESSOR_POWER_STATE' : [ 0x1e0, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x8, 
['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x10, ['unsigned long long']], 'IdleTimeTotal' : [ 0x18, ['unsigned long long']], 'IdleTimeEntry' : [ 0x20, ['unsigned long long']], 'Reserved' : [ 0x28, ['unsigned long long']], 'IdlePolicy' : [ 0x30, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x38, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x40, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xb0, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'LastSysTime' : [ 0xb4, ['unsigned long']], 'WmiDispatchPtr' : [ 0xb8, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0xc0, ['long']], 'FFHThrottleStateInfo' : [ 0xc8, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0xe8, ['_KDPC']], 'PerfActionMask' : [ 0x128, ['long']], 'HvIdleCheck' : [ 0x130, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x140, ['_PROC_PERF_SNAP']], 'Domain' : [ 0x180, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x188, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x190, ['pointer64', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x198, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x1a0, ['pointer64', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x1a8, ['unsigned char']], 'HvTargetState' : [ 0x1a9, ['unsigned char']], 'Parked' : [ 0x1aa, ['unsigned char']], 'OverUtilized' : [ 0x1ab, ['unsigned char']], 'LatestPerformancePercent' : [ 0x1ac, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x1b0, ['unsigned long']], 'ExpectedUtility' : [ 0x1b4, ['unsigned long']], 'Utility' : [ 0x1b8, ['array', 3, ['_PROC_PERF_UTILITY']]], } ], '_PROC_PERF_UTILITY' : [ 0xc, { 'Affinitized' : [ 0x0, ['unsigned long']], 'Performance' : [ 0x4, ['unsigned long']], 'Total' : [ 0x8, ['unsigned long']], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 
0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CompleteIdleStatePending' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], } 
], '_VOLUME_CACHE_MAP' : [ 0xd0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x20, ['unsigned long long']], 'LogHandleContext' : [ 0x28, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0xc0, ['unsigned long']], 'PagesQueuedToDisk' : [ 0xc4, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0xc8, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x208, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'V1' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0x100, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned 
long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x118, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0x150, ['_LARGE_INTEGER']], 'Event' : [ 0x158, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x170, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x178, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1f0, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1f8, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x200, ['unsigned long']], 'WritesInProgress' : [ 0x204, ['unsigned long']], } ], '__unnamed_196d' : [ 0x10, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_196d']], 'ArrayHead' : [ 0x20, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_198e' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1990' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1992' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_1994' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1996' : [ 0x30, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x8, ['pointer64', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x10, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x28, ['unsigned char']], } ], '__unnamed_1998' : [ 0x30, { 'Read' : [ 0x0, ['__unnamed_198e']], 'Write' : [ 0x0, ['__unnamed_1990']], 'Event' : [ 0x0, ['__unnamed_1992']], 'Notification' : [ 0x0, ['__unnamed_1994']], 'LowPriWrite' : [ 0x0, ['__unnamed_1996']], } ], '_WORK_QUEUE_ENTRY' : [ 0x48, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_1998']], 'Function' : [ 0x40, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x30, { 
'Callback' : [ 0x0, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x8, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x20, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x98, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x10, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x18, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x30, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x68, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x6c, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x70, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x78, ['pointer64', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x80, ['unsigned long long']], 'LastLWTimeStamp' : [ 0x88, ['_LARGE_INTEGER']], 'Flags' : [ 0x90, ['unsigned long']], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, 
{ 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x298, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x90, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x94, ['unsigned long']], 'Signature' : [ 0x98, ['unsigned long']], 'SegmentReserve' : [ 0xa0, ['unsigned long long']], 'SegmentCommit' : [ 0xa8, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb0, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xb8, ['unsigned long long']], 'TotalFreeSize' : [ 0xc0, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xc8, 
['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd0, ['unsigned short']], 'HeaderValidateLength' : [ 0xd2, ['unsigned short']], 'HeaderValidateCopy' : [ 0xd8, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe0, ['unsigned short']], 'MaximumTagIndex' : [ 0xe2, ['unsigned short']], 'TagEntries' : [ 0xe8, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf0, ['_LIST_ENTRY']], 'AlignRound' : [ 0x100, ['unsigned long long']], 'AlignMask' : [ 0x108, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x110, ['_LIST_ENTRY']], 'SegmentList' : [ 0x120, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x130, ['unsigned short']], 'NonDedicatedListLength' : [ 0x134, ['unsigned long']], 'BlocksIndex' : [ 0x138, ['pointer64', ['void']]], 'UCRIndex' : [ 0x140, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x148, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x150, ['_LIST_ENTRY']], 'LockVariable' : [ 0x160, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x168, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x170, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x178, ['unsigned short']], 'FrontEndHeapType' : [ 0x17a, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0x17b, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0x180, ['pointer64', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0x188, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0x18a, ['array', 129, ['unsigned char']]], 'Counters' : [ 0x210, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x288, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1a03' : [ 0x68, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_1a03']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 
'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, 
['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1a55' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1a57' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a55']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1a59' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1a5b' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1a59']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1a57']], 'u2' : [ 0x4, ['__unnamed_1a5b']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x30, { 'ResourceId' 
: [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer64', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], } ], '__unnamed_1a76' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1a78' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1a76']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x30, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_1a78']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x18, ['long long']], 'Lock' : [ 0x20, ['_EX_PUSH_LOCK']], } ], '__unnamed_1a8a' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a8c' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a8a']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', 
['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_1a8c']], 'NumberOfRegions' : [ 0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_1a95' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1a97' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a95']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_1a97']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_1a9d' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1a9f' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a9d']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_1a9f']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, 
['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x48, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x40, ['pointer64', ['_KALPC_MESSAGE']]], } ], '__unnamed_1abd' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 
'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1abf' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1abd']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1c0, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa0, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0xb8, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0xc8, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0xd0, ['_LIST_ENTRY']], 'Semaphore' : [ 0xe0, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xe0, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0xe8, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x130, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x138, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0x148, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0x150, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0x158, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x160, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x168, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x178, ['long']], 'ReferenceNo' : [ 0x17c, ['long']], 'ReferenceNoWait' : [ 0x180, ['pointer64', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0x188, ['__unnamed_1abf']], 'TargetQueuePort' : [ 0x190, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x198, ['pointer64', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x1a0, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x1a8, 
['unsigned long']], 'LargeMessageQueueLength' : [ 0x1ac, ['unsigned long']], 'PendingQueueLength' : [ 0x1b0, ['unsigned long']], 'CanceledQueueLength' : [ 0x1b4, ['unsigned long']], 'WaitQueueLength' : [ 0x1b8, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0xa0, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'CompletionListLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x20, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x28, ['pointer64', ['void']]], 'UserLimit' : [ 0x30, ['pointer64', ['void']]], 'DataUserVa' : [ 0x38, ['pointer64', ['void']]], 'SystemVa' : [ 0x40, ['pointer64', ['void']]], 'TotalSize' : [ 0x48, ['unsigned long long']], 'Header' : [ 0x50, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x58, ['pointer64', ['void']]], 'ListSize' : [ 0x60, ['unsigned long long']], 'Bitmap' : [ 0x68, ['pointer64', ['void']]], 'BitmapSize' : [ 0x70, ['unsigned long long']], 'Data' : [ 0x78, ['pointer64', ['void']]], 'DataSize' : [ 0x80, ['unsigned long long']], 'BitmapLimit' : [ 0x88, ['unsigned long']], 'BitmapNextHint' : [ 0x8c, ['unsigned long']], 'ConcurrencyCount' : [ 0x90, ['unsigned long']], 'AttributeFlags' : [ 0x94, ['unsigned long']], 'AttributeSize' : [ 0x98, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_TYPE' : [ 0xd8, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 
'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'Key' : [ 0xc0, ['unsigned long']], 'CallbackList' : [ 0xc8, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x20, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x18, ['long']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1a57']], 'u2' : [ 0x4, ['__unnamed_1a5b']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1ae7' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1ae9' : [ 
0x4, { 's1' : [ 0x0, ['__unnamed_1ae7']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x100, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'u1' : [ 0x28, ['__unnamed_1ae9']], 'SequenceNo' : [ 0x2c, ['long']], 'QuotaProcess' : [ 0x30, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x30, ['pointer64', ['void']]], 'CancelSequencePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x40, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x48, ['long']], 'CancelListEntry' : [ 0x50, ['_LIST_ENTRY']], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x68, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xa0, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xa8, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xb0, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xb8, ['pointer64', ['_ETHREAD']]], 'WakeReference' : [ 0xc0, ['pointer64', ['void']]], 'ExtensionBuffer' : [ 0xc8, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0xd0, ['unsigned long long']], 'PortMessage' : [ 0xd8, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'Flags' : [ 0x28, ['unsigned long']], 'TotalLength' : [ 0x2c, ['unsigned short']], 'Type' : [ 0x2e, ['unsigned short']], 'DataInfoOffset' : [ 0x30, ['unsigned short']], 'SignalCompletion' : [ 0x32, ['unsigned char']], 'PostedToCompletionList' : [ 0x33, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 
'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x30, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1b2b' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1b2d' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b2b']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1b2d']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, 
['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x28, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'TimeStamped' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer64', ['void']]], 'ActivityId' : [ 0x10, ['_GUID']], 'Timestamp' : [ 0x20, ['_LARGE_INTEGER']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', 
['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x48, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, ['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned char']], 
'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'AccessMode' : [ 0x94, ['unsigned char']], 'DriverCreateContext' : [ 0x98, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1bf2' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x118, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1bf2']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer64', ['unsigned short']]], 'LogFileName' : [ 0x40, ['pointer64', ['unsigned short']]], 'TimeZone' : [ 0x48, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 
0xf8, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0x100, ['_LARGE_INTEGER']], 'StartTime' : [ 0x108, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x110, ['unsigned long']], 'BuffersLost' : [ 0x114, ['unsigned long']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x378, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 2, ['unsigned long']]], 'ErrorMarker' : [ 0x1c, ['unsigned long']], 'SizeMask' : [ 0x20, ['unsigned long']], 'GetCpuClock' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'FailureReason' : [ 0x3c, ['unsigned long']], 'BufferQueue' : [ 0x40, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x58, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x70, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x80, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x90, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x90, ['_EX_FAST_REF']], 'LoggerName' : [ 0x98, ['_UNICODE_STRING']], 'LogFileName' : [ 0xa8, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0xb8, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xc8, ['_UNICODE_STRING']], 'ClockType' : [ 0xd8, ['unsigned long']], 'LastFlushedBuffer' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'FlushThreshold' : [ 0xe4, ['unsigned long']], 'ByteOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xf0, ['unsigned long']], 'BuffersAvailable' : [ 0xf4, ['long']], 'NumberOfBuffers' : [ 0xf8, ['long']], 'MaximumBuffers' : [ 0xfc, ['unsigned long']], 'EventsLost' : [ 0x100, ['unsigned long']], 'PeakBuffersCount' : [ 0x104, ['long']], 'BuffersWritten' : [ 0x108, ['unsigned long']], 'LogBuffersLost' : [ 0x10c, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x110, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x114, ['unsigned long']], 'SequencePtr' : [ 0x118, 
['pointer64', ['long']]], 'LocalSequence' : [ 0x120, ['unsigned long']], 'InstanceGuid' : [ 0x124, ['_GUID']], 'MaximumFileSize' : [ 0x134, ['unsigned long']], 'FileCounter' : [ 0x138, ['long']], 'PoolType' : [ 0x13c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x140, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0x150, ['long']], 'ProviderInfoSize' : [ 0x154, ['unsigned long']], 'Consumers' : [ 0x158, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x168, ['unsigned long']], 'TransitionConsumer' : [ 0x170, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x178, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x180, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x190, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x1a0, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1a8, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1b0, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1b8, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1c0, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1d0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1d8, ['_KEVENT']], 'FlushEvent' : [ 0x1f0, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x208, ['_KTIMER']], 'LoggerDpc' : [ 0x248, ['_KDPC']], 'LoggerMutex' : [ 0x288, 
['_KMUTANT']], 'LoggerLock' : [ 0x2c0, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2c8, ['unsigned long long']], 'BufferListPushLock' : [ 0x2c8, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2d0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x318, ['_EX_FAST_REF']], 'StartTime' : [ 0x320, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x328, ['pointer64', ['void']]], 'BufferSequenceNumber' : [ 0x330, ['long long']], 'Flags' : [ 0x338, ['unsigned long']], 'Persistent' : [ 0x338, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x338, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x338, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x338, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x338, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x338, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x338, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x338, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x338, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x338, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x338, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x338, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x338, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SpareFlags1' : [ 0x338, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x338, ['BitField', dict(start_bit = 16, end_bit 
= 24, native_type='unsigned long')]], 'StackCaching' : [ 0x338, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x338, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x33c, ['unsigned long']], 'DbgRequestNewFie' : [ 0x33c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x33c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x33c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x33c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x33c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x33c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x33c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x33c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDefferdFlush' : [ 0x33c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDefferdFlushTimer' : [ 0x33c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x33c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x33c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x33c, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x340, ['_RTL_BITMAP']], 'StackCache' : [ 0x350, ['pointer64', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x358, ['pointer64', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x360, 
['_LIST_ENTRY']], 'ScratchArray' : [ 0x370, ['pointer64', ['pointer64', ['_WMI_BUFFER_HEADER']]]], } ], '_ETW_PMC_SUPPORT' : [ 0x28, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer64', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x478, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 
'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0xa0, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa8, ['pointer64', ['void']]], 'DynamicPart' : [ 0xb0, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb8, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc8, ['unsigned long']], 'TokenInUse' : [ 0xcc, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xd0, ['unsigned long']], 'MandatoryPolicy' : [ 0xd4, ['unsigned long']], 'LogonSession' : [ 0xd8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe0, ['_LUID']], 'SidHash' : [ 0xe8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f8, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x308, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x310, ['pointer64', ['void']]], 'Capabilities' : [ 0x318, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x320, ['unsigned long']], 'CapabilitiesHash' : [ 0x328, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x438, ['pointer64', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x440, ['pointer64', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x448, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x450, ['pointer64', ['void']]], 'TrustLinkedToken' : [ 0x458, ['pointer64', ['_TOKEN']]], 'IntegrityLevelSidValue' : [ 0x460, ['pointer64', ['void']]], 'TokenSidValues' : [ 0x468, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], 'VariablePart' : [ 0x470, ['unsigned long long']], } ], 
'_SEP_LOGON_SESSION_REFERENCES' : [ 0x80, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['long long']], 'Flags' : [ 0x20, ['unsigned long']], 'pDeviceMap' : [ 0x28, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x30, ['pointer64', ['void']]], 'AccountName' : [ 0x38, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x48, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x58, ['_SEP_LOWBOX_HANDLES_TABLE']], 'SharedDataLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'SharedClaimAttributes' : [ 0x70, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'SharedSidValues' : [ 0x78, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 'DbgRefTrace' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'NewObject' : [ 0x1b, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0x1b, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0x1b, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0x1b, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0x1b, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0x1b, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0x1b, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0x1b, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare' : [ 0x1c, ['unsigned long']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x10, { 'SecurityDescriptor' : [ 0x0, ['pointer64', ['void']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], 
'_OBP_LOOKUP_CONTEXT' : [ 0x28, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'EntryLink' : [ 0x10, ['pointer64', ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0x18, ['unsigned long']], 'HashIndex' : [ 0x1c, ['unsigned short']], 'DirectoryLocked' : [ 0x1e, ['unsigned char']], 'LockedExclusive' : [ 0x1f, ['unsigned char']], 'LockStateSignature' : [ 0x20, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x130, ['pointer64', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_WHEAP_INFO_BLOCK' : [ 0x18, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x8, ['pointer64', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x10, ['pointer64', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x428, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x10, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x14, ['unsigned long']], 'ErrorCount' : [ 0x18, ['long']], 'RecordCount' : [ 0x1c, ['unsigned long']], 'RecordLength' : [ 0x20, ['unsigned long']], 'PoolTag' : [ 0x24, ['unsigned long']], 'Type' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x30, ['pointer64', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x38, ['pointer64', ['void']]], 'SectionCount' : [ 0x40, ['unsigned 
long']], 'SectionLength' : [ 0x44, ['unsigned long']], 'TickCountAtLastError' : [ 0x48, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x50, ['unsigned long']], 'TotalErrors' : [ 0x54, ['unsigned long']], 'Deferred' : [ 0x58, ['unsigned char']], 'Descriptor' : [ 0x59, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xf0, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x10, ['unsigned long']], 'ProcessorNumber' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x1c, ['long']], 'ErrorSource' : [ 0x20, ['pointer64', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x28, ['_WHEA_ERROR_RECORD']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x30, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'ConnectLock' : [ 0x8, ['_KEVENT']], 'LineMasked' : [ 0x20, ['unsigned char']], 'InterruptList' : [ 0x28, ['pointer64', ['_KINTERRUPT']]], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0xb0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x10, ['unsigned 
long']], 'Flags' : [ 0x18, ['unsigned long long']], 'WorkQueue' : [ 0x20, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x60, ['pointer64', ['void']]], 'AcceptProcessorNotification' : [ 0x68, ['pointer64', ['void']]], 'WorkOrderCount' : [ 0x70, ['unsigned long']], 'WorkOrders' : [ 0x78, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x150, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x108, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x148, ['unsigned long']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'Type' : [ 0x0, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Reserved1' : [ 0x3, ['unsigned char']], 'TimerType' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 
1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Timer2Type' : [ 0x0, ['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Timer2ReservedFlags' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Timer2Reserved1' : [ 0x2, ['unsigned char']], 'Timer2Reserved2' : [ 0x3, ['unsigned char']], 'QueueType' : [ 0x0, ['unsigned char']], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'QueueReservedControlFlags' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueSize' : [ 0x2, ['unsigned char']], 'QueueReserved' : 
[ 0x3, ['unsigned char']], 'ThreadType' : [ 0x0, ['unsigned char']], 'ThreadReserved' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ThreadReservedControlFlags' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Minimal' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved4' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MutantType' : [ 0x0, ['unsigned char']], 'MutantSize' : [ 0x1, ['unsigned char']], 'DpcActive' : [ 0x2, ['unsigned char']], 'MutantReserved' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', 
['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'WaitResponse' : [ 0xc, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], } ], '_HEAP_COUNTERS' : [ 0x78, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'PollIntervalCounter' : [ 0x48, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x4c, ['unsigned long']], 'HeapPollInterval' : [ 0x50, ['unsigned long']], 'AllocAndFreeOps' : [ 0x54, ['unsigned long']], 'AllocationIndicesActive' : [ 0x58, ['unsigned long']], 'InBlockDeccommits' : [ 0x5c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x60, ['unsigned long long']], 'HighWatermarkSize' : [ 0x68, ['unsigned long long']], 'LastPolledSize' : [ 0x70, ['unsigned long long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 
0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_MI_ACTIVE_WSLE_LISTHEAD' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x70, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x68, ['unsigned char']], 'DeleteType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 
'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_WORK_ORDER' : [ 0x38, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x20, ['long']], 'Context' : [ 0x28, ['pointer64', ['void']]], 'WatchdogTimerInfo' : [ 0x30, ['pointer64', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'Reserved' : [ 0x20, ['array', 3, ['pointer64', ['void']]]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, ['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['unsigned long long']], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, 
['unsigned long long']], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x48, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ullContextMinimum' : [ 0x8, ['unsigned long long']], 'guPlatform' : [ 0x10, ['_GUID']], 'guMinPlatform' : [ 0x20, ['_GUID']], 'ulContextSource' : [ 0x30, ['unsigned long']], 'ulElementCount' : [ 0x34, ['unsigned long']], 'guElements' : [ 0x38, ['array', 1, ['_GUID']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x30, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x18, ['_KEVENT']], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x10, ['unsigned char']], 'BlockState' : [ 0x11, ['unsigned char']], 'WaitKey' : [ 0x12, ['unsigned short']], 'SpareLong' : [ 0x14, ['long']], 'Thread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NotificationQueue' : [ 0x18, ['pointer64', ['_KQUEUE']]], 
'Object' : [ 0x20, ['pointer64', ['void']]], 'SparePtr' : [ 0x28, ['pointer64', ['void']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x50, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, 
['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'CriticalTripPoint' : [ 0x18, ['unsigned long']], 'ActiveTripPointCount' : [ 0x1c, ['unsigned char']], 'ActiveTripPoint' : [ 0x20, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x48, ['unsigned long']], 'MinimumThrottle' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1d8a' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1d8c' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1d8a']], 'Private' : [ 0x0, ['__unnamed_1d8c']], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long long']], 'Processors' : [ 0x8, ['unsigned long']], 'ActiveProcessors' : [ 0xc, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x10, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', 
['void']]], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x260, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x10, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x20, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x130, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x240, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x248, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x250, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x258, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 28, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', 
['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x4b0, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb8, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xc0, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0xc8, ['unsigned long long']], 'TotalPageFaultCount' : [ 0xd0, ['unsigned long']], 'TotalProcesses' : [ 0xd4, ['unsigned long']], 'ActiveProcesses' : [ 0xd8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xdc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xe0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf8, ['unsigned long long']], 'LimitFlags' : [ 0x100, ['unsigned long']], 'ActiveProcessLimit' : [ 0x104, ['unsigned long']], 'Affinity' : [ 0x108, ['_KAFFINITY_EX']], 'AccessState' : [ 0x1b0, ['pointer64', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0x1b8, ['pointer64', ['void']]], 'UIRestrictionsClass' : [ 0x1c0, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x1c4, 
['unsigned long']], 'CompletionPort' : [ 0x1c8, ['pointer64', ['void']]], 'CompletionKey' : [ 0x1d0, ['pointer64', ['void']]], 'CompletionCount' : [ 0x1d8, ['unsigned long long']], 'SessionId' : [ 0x1e0, ['unsigned long']], 'SchedulingClass' : [ 0x1e4, ['unsigned long']], 'ReadOperationCount' : [ 0x1e8, ['unsigned long long']], 'WriteOperationCount' : [ 0x1f0, ['unsigned long long']], 'OtherOperationCount' : [ 0x1f8, ['unsigned long long']], 'ReadTransferCount' : [ 0x200, ['unsigned long long']], 'WriteTransferCount' : [ 0x208, ['unsigned long long']], 'OtherTransferCount' : [ 0x210, ['unsigned long long']], 'DiskIoInfo' : [ 0x218, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x240, ['unsigned long long']], 'JobMemoryLimit' : [ 0x248, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x250, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x258, ['unsigned long long']], 'EffectiveAffinity' : [ 0x260, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x308, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x310, ['unsigned long long']], 'EffectiveMaximumWorkingSetSize' : [ 0x318, ['unsigned long long']], 'EffectiveProcessMemoryLimit' : [ 0x320, ['unsigned long long']], 'EffectiveProcessMemoryLimitJob' : [ 0x328, ['pointer64', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x330, ['pointer64', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x338, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x33c, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x340, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x344, ['unsigned long']], 'EffectiveSwapCount' : [ 0x348, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x34c, ['unsigned long']], 'EffectivePriorityClass' : [ 0x350, ['unsigned char']], 'PriorityClass' : [ 0x351, ['unsigned char']], 'Reserved1' : [ 0x352, ['array', 2, ['unsigned char']]], 'CompletionFilter' : [ 0x354, ['unsigned long']], 'WakeChannel' : [ 0x358, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x358, 
['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x390, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x398, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x39c, ['unsigned long']], 'NotificationLink' : [ 0x3a0, ['pointer64', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x3a8, ['unsigned long long']], 'NotificationInfo' : [ 0x3b0, ['pointer64', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x3b8, ['pointer64', ['void']]], 'NotificationPacket' : [ 0x3c0, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x3c8, ['pointer64', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x3d0, ['pointer64', ['void']]], 'ReadyTime' : [ 0x3d8, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x3e0, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x3e8, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x3f8, ['_LIST_ENTRY']], 'ParentJob' : [ 0x408, ['pointer64', ['_EJOB']]], 'RootJob' : [ 0x410, ['pointer64', ['_EJOB']]], 'IteratorListHead' : [ 0x418, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x428, ['unsigned long long']], 'Ancestors' : [ 0x430, ['pointer64', ['pointer64', ['_EJOB']]]], 'Accounting' : [ 0x438, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x488, ['unsigned long']], 'SequenceNumber' : [ 0x48c, ['unsigned long']], 'TimerListLock' : [ 0x490, ['unsigned long long']], 'TimerListHead' : [ 0x498, ['_LIST_ENTRY']], 'JobFlags' : [ 0x4a8, ['unsigned long']], 'CloseDone' : [ 0x4a8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x4a8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x4a8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x4a8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x4a8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x4a8, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x4a8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x4a8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x4a8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x4a8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x4a8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x4a8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x4a8, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x4a8, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x4a8, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x4a8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x4a8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x4a8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x4a8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x4a8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x4a8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x4a8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x4a8, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 
0x4a8, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x4a8, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareJobFlags' : [ 0x4a8, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x4ac, ['unsigned long']], } ], '_PPM_IDLE_STATES' : [ 0x318, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'ForceIdle' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'ReasonFlags' : [ 0x24, ['unsigned short']], 'InitiateWakeStamp' : [ 0x28, ['unsigned long long']], 'PreviousStatus' : [ 0x30, ['long']], 'PreviousCancelReason' : [ 0x34, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x38, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0xe0, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x188, ['pointer64', ['void']]], 'IdleExecute' : [ 0x190, ['pointer64', ['void']]], 'IdlePreselect' : [ 0x198, ['pointer64', ['void']]], 'IdleTest' : [ 0x1a0, ['pointer64', ['void']]], 'IdleComplete' : [ 0x1a8, ['pointer64', ['void']]], 'IdleCancel' : [ 0x1b0, ['pointer64', ['void']]], 'IdleIsHalted' : [ 0x1b8, ['pointer64', ['void']]], 'IdleInitiateWake' : [ 0x1c0, ['pointer64', ['void']]], 'QueryPlatformStateResidency' : [ 0x1c8, ['pointer64', ['void']]], 'PrepareInfo' : [ 0x1d0, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'Tracing' : [ 0x238, ['pointer64', ['_PERFINFO_PPM_STATE_SELECTION']]], 'State' : [ 0x240, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x388, { 'InheritedAddressSpace' : [ 0x0, 
['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'SparePvoid0' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, 
['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pUnused' : [ 0x368, ['pointer64', ['void']]], 
'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x98, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned short']], 'Flags' : [ 0x5a, ['unsigned char']], 'ShutDownRequested' : [ 0x5a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x5a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x5a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x5a, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned char')]], 'Wow' : [ 0x5a, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'EventsLostCount' : [ 0x88, ['pointer64', ['unsigned long']]], 'BuffersLostCount' : [ 0x90, ['pointer64', ['unsigned long']]], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' 
: [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x50, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x38, ['pointer64', ['void']]], 'DvCallbacks' : [ 0x40, ['pointer64', ['void']]], 'VerifierContext' : [ 0x48, ['pointer64', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEAP_WORK_QUEUE' : [ 0x88, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x10, ['unsigned long long']], 'ItemCount' : [ 0x18, ['long']], 'Dpc' : [ 0x20, ['_KDPC']], 'WorkItem' : [ 0x60, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x80, ['pointer64', ['void']]], } ], '_CM_NOTIFY_BLOCK' : [ 
0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x100, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'EmulateActiveBoth' : [ 0x65, ['unsigned char']], 'ActiveCount' : [ 0x66, ['unsigned short']], 'InternalState' : [ 0x68, ['long']], 'Mode' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x74, ['unsigned long']], 'DispatchCount' : [ 0x78, ['unsigned long']], 'PassiveEvent' : [ 
0x80, ['pointer64', ['_KEVENT']]], 'TrapFrame' : [ 0x88, ['pointer64', ['_KTRAP_FRAME']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], 'DisconnectData' : [ 0xa0, ['pointer64', ['void']]], 'ServiceThread' : [ 0xa8, ['pointer64', ['_KTHREAD']]], 'IsrDpcStats' : [ 0xb0, ['_ISRDPCSTATS']], 'ConnectionData' : [ 0xf0, ['pointer64', ['_INTERRUPT_CONNECTION_DATA']]], 'Padding' : [ 0xf8, ['array', 8, ['unsigned char']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_HIVE_LIST_ENTRY' : [ 0x88, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_CONTEXT' : [ 
0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, 
['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '__unnamed_1e5a' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 
'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1e5a']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', 
dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_EX_WORK_QUEUE' : [ 0x2d0, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'Node' : [ 0x2b0, ['pointer64', ['_ENODE']]], 'WorkItemsProcessed' : [ 0x2b8, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x2bc, ['unsigned long']], 'ThreadCount' : [ 0x2c0, ['long']], 'MinThreads' : [ 0x2c4, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='long')]], 'TryFailed' : [ 0x2c4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'MaxThreads' : [ 0x2c8, ['long']], 'QueueIndex' : [ 0x2cc, ['Enumeration', dict(target = 'long', choices = {0: 'ExPoolUntrusted', 1: 'ExPoolTrusted', 8: 'ExPoolMax'})]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 
'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x86, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned 
char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_IO_WORKITEM' : [ 
0x50, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'Type' : [ 0x38, ['unsigned long']], 'ActivityId' : [ 0x3c, ['_GUID']], } ], '_MMWSLE_HASH' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long long']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x8, { 'PushImm' : [ 0x0, ['unsigned char']], 'Vector' : [ 0x1, ['unsigned char']], 'PushRbp' : [ 0x2, ['unsigned char']], 'JmpOp' : [ 0x3, ['unsigned char']], 'JmpOffset' : [ 0x4, ['long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x88, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x40, ['_KDPC']], 'WorkOrder' : [ 0x80, ['pointer64', ['_POP_FX_WORK_ORDER']]], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 
0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_SESSION_LOWBOX_MAP' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'LowboxMap' : [ 0x18, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0xa8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 
'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'RefCount' : [ 0x40, ['unsigned long']], 'Lock' : [ 0x44, ['unsigned long']], 'Cancel' : [ 0x48, ['unsigned char']], 'Parent' : [ 0x50, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'Data' : [ 0x58, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PROC_IDLE_POLICY' : [ 0x5, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_PS_WAKE_INFORMATION' : [ 0x38, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 5, ['unsigned long long']]], 'NoWakeCounter' : [ 0x30, ['unsigned long long']], } ], '_RH_OP_CONTEXT' : [ 0x48, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x10, ['pointer64', ['_IRP']]], 'OplockRequestFileObject' : [ 0x18, ['pointer64', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x28, ['pointer64', ['_ETHREAD']]], 'Flags' : [ 0x30, ['unsigned long']], 'AtomicLinks' : [ 0x38, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], 
'_RTL_BITMAP_EX' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_XSTATE_CONFIGURATION' : [ 0x218, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0x10, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x10, ['unsigned long']], 'NextHash' : [ 0x18, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x20, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x28, ['unsigned long']], 'KcbPushlock' : [ 0x30, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x38, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x38, ['long']], 'SlotHint' : [ 0x40, ['unsigned long']], 'ParentKcb' : [ 
0x48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x50, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x60, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x70, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x70, ['unsigned long']], 'SubKeyCount' : [ 0x70, ['unsigned long']], 'KeyBodyListHead' : [ 0x78, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x78, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x88, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa8, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xb0, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xb2, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xb4, ['unsigned long']], 'KcbUserFlags' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb8, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], } ], '_KLOCK_ENTRY' : [ 0x60, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ThreadUnsafe' : [ 0x18, ['pointer64', ['void']]], 'HeadNodeByte' : [ 0x18, ['unsigned char']], 'Reserved1' : [ 0x19, ['array', 6, ['unsigned char']]], 'AcquiredByte' : [ 0x1f, ['unsigned char']], 
'LockState' : [ 0x20, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x20, ['pointer64', ['void']]], 'WaitingAndBusyByte' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x21, ['array', 6, ['unsigned char']]], 'InTreeByte' : [ 0x27, ['unsigned char']], 'SessionState' : [ 0x28, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], 'SessionPad' : [ 0x2c, ['unsigned long']], 'OwnerTree' : [ 0x30, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x40, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x30, ['unsigned char']], 'EntryLock' : [ 0x50, ['unsigned long long']], 'AllBoosts' : [ 0x58, ['unsigned short']], 'IoBoost' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'CpuBoostsBitmap' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x5a, ['unsigned short']], 'IoPriorityBit' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'AbSpare' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'SparePad' : [ 0x5d, ['array', 3, ['unsigned char']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InStore' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, 
native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 25, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1efe' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x100, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_1efe']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['_MODWRITER_FLAGS']], 'StoreWriteRefCount' : [ 0x2c, ['unsigned long']], 'StoreWriteCompletionApc' : [ 0x30, ['_KAPC']], 'ByteCount' : [ 0x88, ['unsigned long']], 'PagingFile' : [ 0x90, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0xa0, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0xa8, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0xb0, ['_LARGE_INTEGER']], 'IssueTime' : [ 0xb8, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0xc0, ['pointer64', ['_MDL']]], 'Mdl' : [ 0xc8, ['_MDL']], 'Page' : [ 0xf8, ['array', 1, ['unsigned long long']]], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 
'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned 
long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x50, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'ContextSwitches' : [ 0x18, ['unsigned long long']], 'ReadOperationCount' : [ 0x20, ['long long']], 'WriteOperationCount' : [ 0x28, ['long long']], 'OtherOperationCount' : [ 0x30, ['long long']], 'ReadTransferCount' : [ 0x38, ['long long']], 'WriteTransferCount' : [ 0x40, ['long long']], 'OtherTransferCount' : [ 0x48, ['long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, 
native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Spare' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_CMHIVE' : [ 0x1360, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x5a8, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5d8, ['_LIST_ENTRY']], 'HiveList' : [ 0x5e8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x5f8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x608, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x610, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x620, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x628, ['unsigned long']], 'DeletedKcbTable' : [ 0x630, ['pointer64', 
['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0x638, ['unsigned long']], 'Identity' : [ 0x63c, ['unsigned long']], 'HiveLock' : [ 0x640, ['pointer64', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x648, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x650, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x658, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0x668, ['unsigned long']], 'FlushLogEntry' : [ 0x670, ['pointer64', ['unsigned char']]], 'FlushLogEntrySize' : [ 0x678, ['unsigned long']], 'FlushHiveTruncated' : [ 0x67c, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0x680, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0x688, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0x698, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0x6a0, ['pointer64', ['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0x6a8, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0x6b0, ['pointer64', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0x6b8, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0x6c0, ['unsigned long']], 'LastShrinkHiveSize' : [ 0x6c4, ['unsigned long']], 'ActualFileSize' : [ 0x6c8, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0x6d0, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0x6e0, ['_UNICODE_STRING']], 'FileUserName' : [ 0x6f0, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x700, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x710, ['unsigned long']], 'SecurityCacheSize' : [ 0x714, ['unsigned long']], 'SecurityHitHint' : [ 0x718, ['long']], 'SecurityCache' : [ 0x720, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x728, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xb28, ['unsigned long']], 'UnloadEventArray' : [ 0xb30, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xb38, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xb40, ['unsigned char']], 'UnloadWorkItem' : [ 0xb48, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0xb50, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xb78, ['unsigned 
char']], 'GrowOffset' : [ 0xb7c, ['unsigned long']], 'KcbConvertListHead' : [ 0xb80, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xb90, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xba0, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0xba8, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0x10b0, ['unsigned long']], 'TrustClassEntry' : [ 0x10b8, ['_LIST_ENTRY']], 'DirtyTime' : [ 0x10c8, ['unsigned long long']], 'UnreconciledTime' : [ 0x10d0, ['unsigned long long']], 'CmRm' : [ 0x10d8, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x10e0, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x10e4, ['long']], 'CreatorOwner' : [ 0x10e8, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0x10f0, ['pointer64', ['_KTHREAD']]], 'LastWriteTime' : [ 0x10f8, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0x1100, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0x1118, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0x1130, ['unsigned long']], 'FlushActive' : [ 0x1130, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0x1130, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0x1130, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0x1130, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0x1134, ['unsigned long']], 'ReferenceCount' : [ 0x1138, ['long']], 'UnloadHistoryIndex' : [ 0x113c, ['long']], 'UnloadHistory' : [ 0x1140, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0x1340, ['unsigned long']], 'UnaccessedStart' : [ 0x1344, ['unsigned long']], 'UnaccessedEnd' : [ 0x1348, ['unsigned long']], 'LoadedKeyCount' : [ 0x134c, ['unsigned long']], 'HandleClosePending' : [ 0x1350, ['unsigned long']], 'HandleClosePendingEvent' : [ 0x1358, ['_EX_PUSH_LOCK']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long 
long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x38, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long long']], 'DirtyPageThresholdTop' : [ 0x8, ['unsigned long long']], 'DirtyPageThresholdBottom' : [ 0x10, ['unsigned long long']], 'DirtyPageTarget' : [ 0x18, ['unsigned long']], 'AggregateAvailablePages' : [ 0x20, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x28, ['unsigned long long']], 'AvailableHistory' : [ 0x30, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ForceCredits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['unsigned 
char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned 
long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x3f8, { 
'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x28, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x8, ['_RTL_BITMAP']], 'HashTable' : [ 0x18, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x20, ['unsigned char']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_TEB64' : [ 0x1820, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 
'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'Padding1' : [ 0x2ec, ['array', 4, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, 
['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long 
long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 
0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xa0, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned 
long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x90, ['unsigned long']], 'PreviousActivityCounter' : [ 0x94, ['unsigned long']], 'WorkerTrimRequests' : [ 0x98, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE' : [ 0x1810, { 'CurrentSize' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'Epoch' : [ 0x8, ['unsigned long']], 'Overflow' : [ 0xc, ['unsigned char']], 'TableEntry' : [ 0x10, ['array', 256, ['_INVERTED_FUNCTION_TABLE_ENTRY']]], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0x18, { 'ActiveThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'WaitList' : [ 0x8, ['pointer64', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x10, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_UMS_CONTROL_BLOCK' : [ 0x90, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', 
['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsWaitEvent' : [ 0x30, ['_KEVENT']], 'StagingArea' : [ 0x48, ['pointer64', ['void']]], 'UmsPrimaryDeliveredContext' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsFlags' : [ 0x50, ['unsigned long']], 'TebSelector' : [ 0x88, ['unsigned short']], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_ETIMER' : [ 0x138, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x40, ['unsigned long long']], 'TimerApc' : [ 0x48, ['_KAPC']], 'TimerDpc' : [ 0xa0, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'Period' : [ 0xf0, ['unsigned long']], 'TimerFlags' : [ 0xf4, ['unsigned char']], 'ApcAssociated' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 8, 
native_type='unsigned char')]], 'DueTimeType' : [ 0xf5, ['unsigned char']], 'Spare2' : [ 0xf6, ['unsigned short']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x110, ['pointer64', ['void']]], 'VirtualizedTimerLinks' : [ 0x118, ['_LIST_ENTRY']], 'DueTime' : [ 0x128, ['unsigned long long']], 'CoalescingWindow' : [ 0x130, ['unsigned long']], } ], '_PROC_PERF_SNAP' : [ 0x40, { 'Time' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'Active' : [ 0x10, ['unsigned long long']], 'LastActive' : [ 0x18, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x90, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'Count' : [ 0x28, ['unsigned long long']], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'StackTrace' : [ 0x40, ['array', 8, ['pointer64', ['void']]]], 'Who' : [ 0x80, ['unsigned long']], 'Process' : [ 0x88, ['pointer64', ['_EPROCESS']]], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_EXHANDLE' : [ 0x8, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], } ], 
'_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x508, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_ARBITER_INSTANCE' : [ 0x150, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 
'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '__unnamed_2011' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_2013' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_2011']], } ], '__unnamed_2015' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_2013']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2015']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_HMAP_TABLE' : [ 0x3000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 
0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'HandleCount' : [ 0x28, ['unsigned long']], 'Handles' : [ 0x30, ['pointer64', ['pointer64', ['void']]]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x58, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'PlatformCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'LimitReasons' : [ 0x18, ['unsigned long']], 'PlatformCapStartTime' : [ 0x20, ['unsigned long long']], 'TargetPercent' : [ 0x28, ['unsigned long']], 'DesiredPercent' : [ 0x2c, ['unsigned long']], 'SelectedPercent' : [ 0x30, ['unsigned long']], 'SelectedFrequency' : [ 0x34, ['unsigned long']], 'PreviousFrequency' : [ 0x38, ['unsigned long']], 'PreviousPercent' : [ 0x3c, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x40, ['unsigned long']], 'SelectedState' : [ 0x48, ['unsigned long long']], 'Force' : [ 0x50, ['unsigned char']], } ], '__unnamed_2028' : [ 0x20, { 'CallerCompletion' : [ 0x0, ['pointer64', ['void']]], 'CallerContext' : [ 0x8, ['pointer64', ['void']]], 'CallerDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0x18, ['unsigned char']], } ], '__unnamed_202b' : [ 0x10, { 'NotifyDevice' : [ 0x0, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x8, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0xf8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x30, ['unsigned long long']], 'WatchdogTimer' : [ 0x38, ['_KTIMER']], 'WatchdogDpc' : [ 0x78, ['_KDPC']], 'MinorFunction' : [ 0xb8, ['unsigned char']], 'PowerStateType' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0xc0, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0xc4, ['unsigned char']], 
'FxDevice' : [ 0xc8, ['pointer64', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0xd0, ['unsigned char']], 'NotifyPEP' : [ 0xd1, ['unsigned char']], 'Device' : [ 0xd8, ['__unnamed_2028']], 'System' : [ 0xd8, ['__unnamed_202b']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 
'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_MI_USER_VA_INFO' : [ 0x128, { 'NumberOfCommittedPageTables' : [ 0x0, ['unsigned long']], 'PhysicalMappingCount' : [ 0x4, ['unsigned long']], 'VadBitMapHint' : [ 0x8, ['unsigned long']], 'LastAllocationSizeHint' : [ 0xc, ['unsigned long']], 'LastAllocationSize' : [ 0x10, ['unsigned long']], 'LowestBottomUpVadBit' : [ 0x14, ['unsigned long']], 'VadBitMapSize' : [ 0x18, ['unsigned long']], 'VadBitMapCommitment' : [ 0x1c, ['unsigned 
long']], 'MaximumLastVadBit' : [ 0x20, ['unsigned long']], 'VadsBeingDeleted' : [ 0x24, ['long']], 'LastVadDeletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'VadBitBuffer' : [ 0x30, ['pointer64', ['unsigned long']]], 'LowestBottomUpAllocationAddress' : [ 0x38, ['pointer64', ['void']]], 'HighestTopDownAllocationAddress' : [ 0x40, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x48, ['pointer64', ['void']]], 'NumaAware' : [ 0x50, ['unsigned char']], 'PrivateFixupVadCount' : [ 0x58, ['unsigned long long']], 'CfgBitMap' : [ 0x60, ['array', 3, ['_MI_CFG_BITMAP_INFO']]], 'CommittedPageTableBufferForTopLevel' : [ 0xc0, ['array', 8, ['unsigned long']]], 'CommittedPageTableBitmaps' : [ 0xe0, ['array', 3, ['_RTL_BITMAP']]], 'PageTableBitmapPages' : [ 0x110, ['array', 3, ['unsigned long']]], 'FreeUmsTebHint' : [ 0x120, ['pointer64', ['void']]], } ], '_PROC_FEEDBACK' : [ 0x70, { 'Lock' : [ 0x0, ['unsigned long long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer64', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x28, ['unsigned long long']], 'UnscaledTime' : [ 0x30, ['unsigned long long']], 'UnaccountedTime' : [ 0x38, ['long long']], 'ScaledTime' : [ 0x40, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x50, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x58, ['unsigned long long']], 'UserTimeLast' : [ 0x60, ['unsigned long']], 'KernelTimeLast' : [ 0x64, ['unsigned long']], 'KernelTimesIndex' : [ 0x68, ['unsigned char']], } ], '__unnamed_2040' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2044' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 
'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_2046' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_2048' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_204a' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_204c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_204e' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_2050' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2052' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2054' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2056' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_2058' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_2040']], 'Memory' : [ 0x0, 
['__unnamed_2040']], 'Interrupt' : [ 0x0, ['__unnamed_2044']], 'Dma' : [ 0x0, ['__unnamed_2046']], 'DmaV3' : [ 0x0, ['__unnamed_2048']], 'Generic' : [ 0x0, ['__unnamed_2040']], 'DevicePrivate' : [ 0x0, ['__unnamed_204a']], 'BusNumber' : [ 0x0, ['__unnamed_204c']], 'ConfigData' : [ 0x0, ['__unnamed_204e']], 'Memory40' : [ 0x0, ['__unnamed_2050']], 'Memory48' : [ 0x0, ['__unnamed_2052']], 'Memory64' : [ 0x0, ['__unnamed_2054']], 'Connection' : [ 0x0, ['__unnamed_2056']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_2058']], } ], '_POP_THERMAL_ZONE' : [ 0x1f0, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], 'State' : [ 0x40, ['unsigned char']], 'Flags' : [ 0x41, ['unsigned char']], 'Removing' : [ 0x42, ['unsigned char']], 'Mode' : [ 0x43, ['unsigned char']], 'PendingMode' : [ 0x44, ['unsigned char']], 'ActivePoint' : [ 0x45, ['unsigned char']], 'PendingActivePoint' : [ 0x46, ['unsigned char']], 'Critical' : [ 0x47, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x48, ['long']], 'Throttle' : [ 0x4c, ['long']], 'PendingThrottle' : [ 0x50, ['long']], 'ThrottleReasons' : [ 0x54, ['unsigned long']], 
'LastTime' : [ 0x58, ['unsigned long long']], 'SampleRate' : [ 0x60, ['unsigned long']], 'LastTemp' : [ 0x64, ['unsigned long']], 'PassiveTimer' : [ 0x68, ['_KTIMER']], 'PassiveDpc' : [ 0xa8, ['_KDPC']], 'Info' : [ 0xe8, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0x138, ['_LARGE_INTEGER']], 'Policy' : [ 0x140, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0x154, ['unsigned char']], 'Metrics' : [ 0x158, ['_POP_THERMAL_ZONE_METRICS']], 'WorkItem' : [ 0x188, ['_WORK_QUEUE_ITEM']], 'Lock' : [ 0x1a8, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x1b8, ['_KEVENT']], 'TemperatureUpdated' : [ 0x1d0, ['_KEVENT']], 'InstanceId' : [ 0x1e8, ['unsigned long']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 28, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, 
['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x5a8, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'Allocate' : [ 0x10, ['pointer64', ['void']]], 'Free' : [ 0x18, ['pointer64', ['void']]], 'FileWrite' : [ 0x20, ['pointer64', ['void']]], 'FileRead' : [ 0x28, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x30, ['pointer64', ['void']]], 'BaseBlock' : [ 0x38, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x40, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x50, ['unsigned long']], 'DirtyAlloc' : [ 0x54, ['unsigned long']], 'UnreconciledVector' : [ 0x58, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x68, ['unsigned long']], 'BaseBlockAlloc' : [ 0x6c, ['unsigned long']], 'Cluster' : [ 0x70, ['unsigned long']], 'Flat' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x74, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x74, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x75, ['unsigned char']], 'HvBinHeadersUse' : [ 0x78, ['unsigned long']], 'HvFreeCellsUse' : [ 0x7c, ['unsigned long']], 'HvUsedCellsUse' : [ 0x80, ['unsigned long']], 'CmUsedCellsUse' : [ 0x84, ['unsigned long']], 'HiveFlags' : [ 0x88, ['unsigned long']], 'CurrentLog' : [ 0x8c, ['unsigned long']], 'CurrentLogSequence' : [ 0x90, ['unsigned long']], 'CurrentLogOffset' : [ 0x94, ['unsigned long']], 'MinimumLogSequence' : [ 0x98, ['unsigned long']], 'LogFileSizeCap' : [ 0x9c, ['unsigned long']], 'LogDataPresent' : [ 0xa0, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0xa2, ['unsigned char']], 'BaseBlockDirty' : [ 0xa3, ['unsigned char']], 'FirstLogFile' : [ 0xa4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'SecondLogFile' : [ 0xa4, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 'HeaderRecovered' : [ 0xa4, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0xa4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0xa4, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0xa4, ['unsigned short']], 'LogEntriesRecovered' : [ 0xa6, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0xa8, ['unsigned long']], 'StorageTypeCount' : [ 0xac, ['unsigned long']], 'Version' : [ 0xb0, ['unsigned long']], 'Storage' : [ 0xb8, ['array', 2, ['_DUAL']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_CM_WORKITEM' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x30, { 'ActiveCount' : [ 0x0, ['unsigned long']], 'PassiveCount' : [ 0x4, ['unsigned long']], 'LastActiveStartTime' : [ 0x8, ['unsigned long long']], 'AverageActiveTime' : [ 0x10, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x18, ['unsigned long long']], 'AveragePassiveTime' : [ 0x20, ['unsigned long long']], 'StartTickSinceLastReset' : [ 0x28, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0xa8, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], 
'_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned 
long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1e, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1d, ['unsigned char']], } ], '__unnamed_20ab' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_20ad' : [ 0x20, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_20ab']], } ], '_VF_TARGET_DRIVER' : [ 0x38, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x10, ['__unnamed_20ad']], 'VerifiedData' : [ 0x30, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_20b6' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_20b8' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20ba' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceId' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_20bc' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_20be' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_20c0' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 
'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20c2' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_20c4' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20c6' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_20c8' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_20b6']], 'TargetDevice' : [ 0x0, ['__unnamed_20b8']], 'InstallDevice' : [ 0x0, ['__unnamed_20b8']], 'CustomNotification' : [ 0x0, ['__unnamed_20ba']], 'ProfileNotification' : [ 0x0, ['__unnamed_20bc']], 'PowerNotification' : [ 0x0, ['__unnamed_20be']], 'VetoNotification' : [ 0x0, ['__unnamed_20c0']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20c2']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_20c4']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_20c6']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_20b8']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_20b8']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_20c8']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 
'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x68, { 'Context' : [ 0x0, ['pointer64', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x48, ['unsigned long']], 'DependencyUsed' : [ 0x4c, ['unsigned long']], 'DependencyArray' : [ 0x50, ['pointer64', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x58, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x5c, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x60, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned 
char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '__unnamed_20e4' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_20e4']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 
'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x78, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', 
['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], 'WaitObjectFlagMask' : [ 0x70, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x74, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x76, ['unsigned short']], } ], '__unnamed_211d' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['_RTL_AVL_TREE']], 'u' : [ 0x28, ['__unnamed_211d']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_DIRTY_PAGE_STATISTICS' : [ 0x18, { 'DirtyPages' : [ 0x0, ['unsigned long long']], 'DirtyPagesLastScan' : [ 0x8, ['unsigned long long']], 'DirtyPagesScheduledLastScan' : [ 0x10, ['unsigned long']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 
'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 
'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'HighActiveFlink' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'HighActiveBlink' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 56, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', 
['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x30, ['pointer64', ['long']]], 'NodeTargetCount' : [ 0x38, ['long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : 
[ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x250, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'SparePvoid0' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned 
short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], 'pUnused' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, ['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', 
dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_IOP_IRP_STACK_PROFILER' : [ 0x54, { 'Profile' : [ 0x0, ['array', 20, ['unsigned long']]], 'TotalIrps' : [ 0x50, ['unsigned long']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 
0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_KPRIQUEUE' : [ 0x2b0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x218, ['array', 32, ['long']]], 'MaximumCount' : [ 0x298, ['unsigned long']], 'ThreadListHead' : [ 0x2a0, ['_LIST_ENTRY']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_WAITING_IRP' : [ 0x38, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'CompletionRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'Information' : [ 0x30, ['unsigned long']], 'BreakAllRH' : [ 0x34, ['unsigned char']], } ], '_POP_SYSTEM_IDLE' : [ 0x40, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, 
['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned long']], 'IdleWorker' : [ 0x28, ['unsigned char']], 'Sampling' : [ 0x29, ['unsigned char']], 'LastTick' : [ 0x30, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x38, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x20, { 'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0x18, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_KSCHEDULING_GROUP' : [ 0x1c0, { 'Value' : [ 0x0, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'HardCap' : [ 0x3, ['unsigned char']], 'RelativeWeight' : [ 0x4, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x8, ['unsigned long long']], 'NotificationCycles' : [ 0x10, ['long long']], 'SchedulingGroupList' : [ 0x18, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x28, ['pointer64', ['_KDPC']]], 'PerProcessor' : [ 0x40, ['array', 1, ['_KSCB']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 
0x20, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x30, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'Irp' : [ 0x18, ['pointer64', ['_IRP']]], 'Device' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'Static' : [ 0x28, ['unsigned char']], } ], '_POP_POLICY_DEVICE' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', 
['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], } ], '__unnamed_21a5' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_21a7' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_21a9' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_21ab' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_21a9']], 'Translated' : [ 0x0, ['__unnamed_21a7']], } ], '__unnamed_21ad' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_21af' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_21b1' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_21b3' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_21b5' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_21b7' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_21b9' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_21bb' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_21a5']], 'Port' : [ 0x0, ['__unnamed_21a5']], 'Interrupt' : [ 0x0, ['__unnamed_21a7']], 
'MessageInterrupt' : [ 0x0, ['__unnamed_21ab']], 'Memory' : [ 0x0, ['__unnamed_21a5']], 'Dma' : [ 0x0, ['__unnamed_21ad']], 'DmaV3' : [ 0x0, ['__unnamed_21af']], 'DevicePrivate' : [ 0x0, ['__unnamed_204a']], 'BusNumber' : [ 0x0, ['__unnamed_21b1']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_21b3']], 'Memory40' : [ 0x0, ['__unnamed_21b5']], 'Memory48' : [ 0x0, ['__unnamed_21b7']], 'Memory64' : [ 0x0, ['__unnamed_21b9']], 'Connection' : [ 0x0, ['__unnamed_2056']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_21bb']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_21c3' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_21c3']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE_ENTRY' : [ 0x18, { 'FunctionTable' : [ 0x0, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'DynamicTable' : [ 0x0, ['pointer64', ['_DYNAMIC_FUNCTION_TABLE']]], 'ImageBase' : [ 0x8, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'SizeOfTable' : [ 0x14, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_21d3' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], 
'_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_21d3']], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_DEVICE' : [ 0x218, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x18, ['pointer64', ['_POP_IRP_DATA']]], 'Status' : [ 0x20, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x24, ['long']], 'PowerNotReqCall' : [ 0x28, ['long']], 'Plugin' : [ 0x30, ['pointer64', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x38, ['pointer64', ['PEPHANDLE__']]], 'MiniPlugin' : [ 0x40, ['pointer64', ['_POP_FX_PLUGIN']]], 'MiniPluginHandle' : [ 0x48, ['pointer64', ['PEPHANDLE__']]], 'DevNode' : [ 0x50, ['pointer64', ['_DEVICE_NODE']]], 'DeviceObject' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x60, ['pointer64', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x68, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0xa0, ['pointer64', ['void']]], 'RemoveLock' : [ 0xa8, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0xc8, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0x100, ['unsigned long long']], 'IdleTimer' : [ 0x108, ['_KTIMER']], 'IdleDpc' : [ 0x148, ['_KDPC']], 'IdleTimeout' : [ 0x188, ['unsigned long long']], 'IdleStamp' : [ 0x190, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0x198, ['pointer64', ['_DEVICE_OBJECT']]], 'NextIrpPowerState' : [ 0x1a0, ['_POWER_STATE']], 'NextIrpCallerCompletion' : [ 0x1a8, ['pointer64', ['void']]], 'NextIrpCallerContext' : [ 0x1b0, ['pointer64', ['void']]], 'IrpCompleteEvent' : [ 0x1b8, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x1d0, ['pointer64', ['void']]], 'Accounting' : [ 0x1d8, ['_POP_FX_ACCOUNTING']], 'ComponentCount' : [ 0x208, ['unsigned long']], 'Components' : [ 0x210, ['array', 1, ['pointer64', ['_POP_FX_COMPONENT']]]], } ], '__unnamed_21ec' : [ 0x8, 
{ 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_21ee' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_21ec']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x58, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x40, ['_LIST_ENTRY']], 'Specific' : [ 0x50, ['__unnamed_21ee']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x28, { 'BadPageCount' : [ 0x0, ['unsigned long long']], 'BadPagesDetected' : [ 0x8, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0xc, ['long']], 'ScrubPasses' : [ 0x10, ['long']], 'ScrubBadPagesFound' : [ 0x14, ['long']], 'FeatureBits' : [ 0x18, ['unsigned long long']], 'TimeZoneId' : [ 0x20, ['unsigned long']], } ], 
'_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 
'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'InProgressFlags' : [ 0x28, ['unsigned char']], 'KernelApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 
'SpecialApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_DELAY_ACK_FO' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 
'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 
'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', 
choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x38, ['long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '__unnamed_2254' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_2256' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_2258' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_225a' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_2254']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_2256']], 'Raw' : [ 0x0, ['__unnamed_2258']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x50, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'Operation' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 
'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0xc, ['__unnamed_225a']], 'Stack' : [ 0x18, ['array', 7, ['pointer64', ['void']]]], } ], '__unnamed_2261' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_2264' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x40, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer64', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0x18, ['unsigned long']], 'EndingVpn' : [ 0x1c, ['unsigned long']], 'StartingVpnHigh' : [ 0x20, ['unsigned char']], 'EndingVpnHigh' : [ 0x21, ['unsigned char']], 'CommitChargeHigh' : [ 0x22, ['unsigned char']], 'LargeImageBias' : [ 0x23, ['unsigned char']], 'ReferenceCount' : [ 0x24, ['long']], 'PushLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u' : [ 0x30, ['__unnamed_2261']], 'u1' : [ 0x34, ['__unnamed_2264']], 'EventList' : [ 0x38, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x10, { 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 63, native_type='unsigned long long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'LockState' : [ 0x0, ['pointer64', ['void']]], 'SessionState' : [ 0x8, ['pointer64', ['void']]], 'SessionId' : [ 0x8, ['unsigned long']], 'SessionPad' : [ 0xc, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x10, ['unsigned long']], 'SyncCallback' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'Reserved' : [ 0x14, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 
'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, 
['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0x10, ['pointer64', ['_HANDLE_TABLE']]], 'Flags' : [ 0x18, ['unsigned long']], 'NumberOfBuckets' : [ 0x1c, ['unsigned long']], 'Buckets' : [ 0x20, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '__unnamed_22a9' : [ 0x10, { 'ProgrammedTime' : [ 0x0, ['unsigned long long']], 'TimerInfo' : [ 0x8, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0xe0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', 
dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x60, ['array', 3, ['__unnamed_22a9']]], 'FilteredCapabilities' : [ 0x90, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, 
['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x50, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3d0, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned 
long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0x90, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 
'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, 
native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'ModifiedStoreWrite' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x410, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned 
long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], 'PackageDependencyData' : [ 0x400, ['pointer64', ['void']]], 'ProcessGroupId' : [ 0x408, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned 
long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_LOCK_HEADER' : [ 0x20, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x8, ['unsigned long long']], 'Lock' : [ 0x10, ['unsigned long long']], 'Valid' : [ 0x18, ['unsigned long']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xe0, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned 
short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], 'Xcr0' : [ 0xd8, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 
6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_PEB64' : [ 0x388, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, 
native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'SparePvoid0' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, 
['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pUnused' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_2361' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x2000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2361']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long long']], 'NonPagablePages' : [ 0x28, ['unsigned long long']], 'CommittedPages' : [ 0x30, ['unsigned long long']], 'PagedPoolStart' : [ 0x38, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x40, ['pointer64', ['void']]], 'SessionObject' : [ 0x48, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x50, ['pointer64', ['void']]], 'SessionPoolAllocationFailures' : [ 0x58, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x68, ['_LIST_ENTRY']], 'LocaleId' : [ 0x78, ['unsigned long']], 'AttachCount' : [ 0x7c, ['unsigned long']], 'AttachGate' : [ 0x80, ['_KGATE']], 'WsListEntry' : [ 0x98, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, 
['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xce8, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xcf0, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xd00, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e40, ['_MMPTE']], 'SessionVaLock' : [ 0x1e48, ['_FAST_MUTEX']], 'DynamicVaBitMap' : [ 0x1e80, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1e90, ['unsigned long']], 'SpecialPool' : [ 0x1e98, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1ee8, ['_FAST_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1f20, ['long']], 'PagedPoolPdeCount' : [ 0x1f24, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f28, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f2c, ['unsigned long']], 'SystemPteInfo' : [ 0x1f30, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f98, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1fa0, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1fa8, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fb0, ['unsigned long long']], 'IoState' : [ 0x1fb8, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1fbc, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fc0, ['_KEVENT']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '__unnamed_2371' : [ 0x4, { 'LongFlags2' : [ 0x0, 
['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_2374' : [ 0x8, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x80, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x40, ['__unnamed_2371']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u4' : [ 0x78, ['__unnamed_2374']], } ], '_SEP_SID_VALUES_BLOCK' : [ 0x20, { 'BlockLength' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x8, ['long long']], 'SidCount' : [ 0x10, ['unsigned long']], 'SidValuesStart' : [ 0x18, ['unsigned long long']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_NONOPAQUE_OPLOCK' : [ 0xa0, { 'IrpExclusiveOplock' : [ 0x0, ['pointer64', ['_IRP']]], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'WaiterPriority' : [ 0x20, ['unsigned char']], 'IrpOplocksR' : [ 0x28, 
['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x38, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x48, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x58, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x68, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x78, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x88, ['pointer64', ['_GUID']]], 'OplockState' : [ 0x90, ['unsigned long']], 'FastMutex' : [ 0x98, ['pointer64', ['_FAST_MUTEX']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 
'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 28, 
end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_FAST_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP_EX']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'MaximumSize' : [ 0x50, ['unsigned long long']], 'PagedPoolHint' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x28, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x10, ['pointer64', ['void']]], 'SessionViewVa' : [ 0x10, ['pointer64', ['void']]], 'VadsProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Type' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SubsectionType' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SectionOffset' : [ 0x20, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], 
'_PROC_PERF_DOMAIN' : [ 0x158, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0xc0, ['unsigned long']], 'Processors' : [ 0xc8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0xd0, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0xd8, ['pointer64', ['void']]], 'BoostModeHandler' : [ 0xe0, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0xe8, ['pointer64', ['void']]], 'PerfControlHandler' : [ 0xf0, ['pointer64', ['void']]], 'MaxFrequency' : [ 0xf8, ['unsigned long']], 'NominalFrequency' : [ 0xfc, ['unsigned long']], 'MaxPercent' : [ 0x100, ['unsigned long']], 'MinPerfPercent' : [ 0x104, ['unsigned long']], 'MinThrottlePercent' : [ 0x108, ['unsigned long']], 'Coordination' : [ 0x10c, ['unsigned char']], 'HardPlatformCap' : [ 0x10d, ['unsigned char']], 'AffinitizeControl' : [ 0x10e, ['unsigned char']], 'SelectedPercent' : [ 0x110, ['unsigned long']], 'SelectedFrequency' : [ 0x114, ['unsigned long']], 'DesiredPercent' : [ 0x118, ['unsigned long']], 'MaxPolicyPercent' : [ 0x11c, ['unsigned long']], 'MinPolicyPercent' : [ 0x120, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x124, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x128, ['unsigned long']], 'GuaranteedPercent' : [ 0x12c, ['unsigned long']], 'TolerancePercent' : [ 0x130, ['unsigned long']], 'SelectedState' : [ 0x138, ['unsigned long long']], 'Force' : [ 0x140, ['unsigned char']], 'PerfChangeTime' : [ 0x148, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0x150, ['unsigned long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, 
['array', 16, ['pointer64', ['void']]]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_RELATION_LIST' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer64', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ETW_BUFFER_QUEUE' : [ 0x18, { 'QueueHead' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueTail' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x10, ['_SINGLE_LIST_ENTRY']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long long']], 'SpecialPoolPdes' : [ 0x40, ['_RTL_BITMAP']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x8, { 'LogHandleContext' : [ 0x0, ['pointer64', ['_LOG_HANDLE_CONTEXT']]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 
0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_CURRENT_BROADCAST' : [ 0x18, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'DeviceState' : [ 0x10, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '__unnamed_23e4' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_23e8' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 
32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_23e4']], 'Bits' : [ 0x4, ['__unnamed_23e8']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'DataLow' : [ 0x0, ['long long']], 'DataHigh' : [ 0x8, ['long long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_FAST_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_IOV_IRP_TRACE' : [ 0x80, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x10, ['short']], 'SpecialApcDisable' : [ 0x12, ['short']], 'CombinedApcDisable' : [ 0x10, ['unsigned long']], 'Irql' : [ 0x14, ['unsigned char']], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_DYNAMIC_FUNCTION_TABLE' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FunctionTable' : [ 0x10, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'TimeStamp' : [ 0x18, ['_LARGE_INTEGER']], 'MinimumAddress' : [ 0x20, ['unsigned long long']], 'MaximumAddress' : [ 0x28, ['unsigned long long']], 'BaseAddress' : [ 0x30, ['unsigned long long']], 'Callback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'OutOfProcessCallbackDll' : [ 0x48, ['pointer64', ['unsigned short']]], 'Type' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'RF_SORTED', 1: 'RF_UNSORTED', 2: 'RF_CALLBACK', 3: 'RF_KERNEL_DYNAMIC'})]], 'EntryCount' : [ 0x54, ['unsigned long']], } ], 
'_SEP_LOWBOX_HANDLES_TABLE' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x8, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2405' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_2407' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_2405']], 'Button' : [ 0x10, ['__unnamed_2407']], } ], '_KDPC_DATA' : [ 0x28, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], 'ActiveDpc' : [ 0x20, ['pointer64', ['_KDPC']]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_KSCB' : [ 0x170, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'UnderQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'RankCycleTarget' : [ 0x10, ['unsigned 
long long']], 'LongTermCycles' : [ 0x18, ['unsigned long long']], 'LastReportedCycles' : [ 0x20, ['unsigned long long']], 'OverQuotaHistory' : [ 0x28, ['unsigned long long']], 'ReadyTime' : [ 0x30, ['unsigned long long']], 'InsertTime' : [ 0x38, ['unsigned long long']], 'PerProcessorList' : [ 0x40, ['_LIST_ENTRY']], 'QueueNode' : [ 0x50, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OverQuota' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardCap' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Spare1' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x69, ['unsigned char']], 'ReadySummary' : [ 0x6a, ['unsigned short']], 'Rank' : [ 0x6c, ['unsigned long']], 'ReadyListHead' : [ 0x70, ['array', 16, ['_LIST_ENTRY']]], } ], '__unnamed_2417' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2419' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2417']], 'Merged' : [ 0x10, ['__unnamed_2419']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_PROC_PERF_HISTORY' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'HistoryList' : [ 
0x8, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_IMAGE_RUNTIME_FUNCTION_ENTRY' : [ 0xc, { 'BeginAddress' : [ 0x0, ['unsigned long']], 'EndAddress' : [ 0x4, ['unsigned long']], 'UnwindInfoAddress' : [ 0x8, ['unsigned long']], 'UnwindData' : [ 0x8, ['unsigned long']], } ], '__unnamed_2427' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_2427']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer64', ['_MMPTE']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned 
char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, 
['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_243b' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_243f' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x48, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_243b']], 'u2' : [ 0x38, ['__unnamed_243f']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '__unnamed_2448' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_244a' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_2448']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x100, { 'SuspectDriverEntry' : [ 0x0, ['pointer64', 
['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_244a']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' : [ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PRIVATE_CACHE_MAP' : [ 0x78, { 'NodeTypeCode' : [ 0x0, ['short']], 
'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long long']], 'PipelinedReadAheadRequestSize' : [ 0x58, ['unsigned long']], 'ReadAheadGrowth' : [ 0x5c, ['unsigned long']], 'PrivateLinks' : [ 0x60, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x70, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 
'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PTE_TRACKER' : [ 0x80, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x48, ['array', 7, ['pointer64', ['void']]]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : [ 0x18, 
['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x30, { 'InstantaneousRead' : [ 0x0, ['pointer64', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer64', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'DisableInterrupts' : [ 0x22, ['unsigned char']], 'Context' : [ 0x28, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_HMAP_ENTRY' : [ 0x18, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'MemAlloc' : [ 0x10, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x30, { 'HashLink' : 
[ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'Reference' : [ 0x10, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x28, ['unsigned char']], 'Name' : [ 0x2a, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x260, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x270, ['unsigned long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x8, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions'})]], 'ReorderingBarrier' : [ 0x1c, ['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long 
long']], 'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'LowboxNumber' : [ 0x28, ['unsigned long']], 'AtomTable' : [ 0x30, ['pointer64', ['void']]], } ], '_MI_CFG_BITMAP_INFO' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'RegionSize' : [ 0x8, ['unsigned long long']], 'VadBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'BitmapVad' : [ 0x18, ['pointer64', ['_MMVAD']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_FAST_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_FAST_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x18, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x18, ['array', 4, ['pointer64', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x18, ['pointer64', ['void']]], 'SessionId' : [ 0x20, ['unsigned long']], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'CallbackContext' : [ 0x38, ['pointer64', ['void']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'Index' : [ 0x48, ['unsigned short']], 'Flags' : [ 0x4a, ['unsigned char']], 'DbgKernelRegistration' : [ 0x4a, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'DbgUserRegistration' : [ 0x4a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DbgReplyRegistration' : [ 0x4a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'DbgClassicRegistration' : [ 0x4a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'DbgSessionSpaceRegistration' : [ 0x4a, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DbgModernRegistration' : [ 0x4a, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DbgClosed' : [ 0x4a, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DbgInserted' : [ 0x4a, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'EnableMask' : [ 0x4b, ['unsigned char']], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', 
['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned long']], 'OriginalAffinity' : [ 0x8, ['_GROUP_AFFINITY']], 'SteeringListEntry' : [ 0x18, ['_LIST_ENTRY']], 'SteeringListRoot' : [ 0x28, ['pointer64', ['void']]], 'IsrTime' : [ 0x30, ['unsigned long long']], 'DpcTime' : [ 0x38, ['unsigned long long']], 'IsrLoad' : [ 0x40, ['unsigned long']], 'DpcLoad' : [ 0x44, ['unsigned long']], 'IsPrimaryInterrupt' : [ 0x48, ['unsigned char']], 'InterruptObjectArray' : [ 0x50, ['pointer64', ['pointer64', ['_KINTERRUPT']]]], 'InterruptObjectCount' : [ 0x58, ['unsigned long']], 'Vectors' : [ 0x60, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x118, { 
'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'InProgressLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x68, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x68, ['unsigned long']], 'PackagedBinary' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x68, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x68, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReservedFlags2' : [ 0x68, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned 
long')]], 'ReservedFlags3' : [ 0x68, ['BitField', dict(start_bit = 15, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x68, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x68, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x68, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x68, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x68, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x68, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x68, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x68, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x68, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x68, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x68, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Spare' : [ 0x90, ['pointer64', ['void']]], 'DdagNode' : [ 0x98, ['pointer64', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0xa0, ['_LIST_ENTRY']], 'SnapContext' : [ 0xb0, ['pointer64', ['_LDRP_DLL_SNAP_CONTEXT']]], 'ParentDllBase' : [ 0xb8, ['pointer64', ['void']]], 'SwitchBackContext' : [ 0xc0, ['pointer64', ['void']]], 'BaseAddressIndexNode' : [ 0xc8, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0xe0, 
['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0xf8, ['unsigned long long']], 'LoadTime' : [ 0x100, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x108, ['unsigned long']], 'LoadReason' : [ 0x10c, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x110, ['unsigned long']], } ], '_LDR_DDAG_NODE' : [ 0x50, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x10, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'DependencyCount' : [ 0x20, ['unsigned long']], 'Dependencies' : [ 0x28, ['_LDRP_CSLIST']], 'RemovalLink' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'IncomingDependencies' : [ 0x30, ['_LDRP_CSLIST']], 'State' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x48, ['unsigned long']], 'LowestLink' : [ 0x4c, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1d0, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' 
: [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'Order' : [ 0x30, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x1a8, ['_LIST_ENTRY']], 'Status' : [ 0x1b8, ['long']], 'FailedDevice' : [ 0x1c0, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1c8, ['unsigned char']], 'Cancelled' : [ 0x1c9, ['unsigned char']], 'IgnoreErrors' : [ 0x1ca, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1cb, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1cc, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LockedPages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'FloppyMedia' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ILOnly' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 
1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x10, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_TEB32' : [ 0xfe8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 
'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, 
['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 
'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0xd8, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Latency' : [ 0xa8, ['unsigned long']], 'BreakEvenDuration' : [ 0xac, ['unsigned long']], 
'Power' : [ 0xb0, ['unsigned long']], 'StateFlags' : [ 0xb4, ['unsigned long']], 'VetoAccounting' : [ 0xb8, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0xd0, ['unsigned char']], 'InterruptsEnabled' : [ 0xd1, ['unsigned char']], 'Interruptible' : [ 0xd2, ['unsigned char']], 'ContextRetained' : [ 0xd3, ['unsigned char']], 'CacheCoherent' : [ 0xd4, ['unsigned char']], 'WakesSpuriously' : [ 0xd5, ['unsigned char']], 'PlatformOnly' : [ 0xd6, ['unsigned char']], 'NoCState' : [ 0xd7, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x40, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x10, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x18, ['long']], 
'HighWaterMark' : [ 0x1c, ['unsigned long']], 'Reserved' : [ 0x20, ['array', 8, ['unsigned long']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_250a' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x20, { 'NodeRangeSize' : [ 0x0, ['unsigned long long']], 'NodeCount' : [ 0x8, ['unsigned long long']], 'Tables' : [ 0x10, ['pointer64', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x18, ['unsigned long']], 'u1' : [ 0x1c, ['__unnamed_250a']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_POP_FX_ACCOUNTING' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned char']], 'DripsRequiredState' : [ 0xc, ['unsigned long']], 'Level' : [ 0x10, 
['long']], 'ActiveStamp' : [ 0x18, ['long long']], 'CsActiveTime' : [ 0x20, ['unsigned long long']], 'CriticalActiveTime' : [ 0x28, ['long long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 
0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_RELATION_LIST_ENTRY' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['_DEVICE_OBJECT_LIST_ENTRY']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x6, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], } ], '_POP_FX_COMPONENT' : [ 0xf8, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x18, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x58, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x60, ['long']], 'ActiveEvent' : [ 0x68, ['_KEVENT']], 'IdleLock' : [ 0x80, ['unsigned long long']], 'IdleConditionComplete' : [ 0x88, ['long']], 'IdleStateComplete' : [ 0x8c, ['long']], 'IdleStamp' : [ 0x90, ['unsigned long long']], 'CurrentIdleState' : [ 0x98, ['unsigned long']], 'IdleStateCount' : [ 0x9c, ['unsigned long']], 'IdleStates' : [ 0xa0, ['pointer64', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0xa8, 
['unsigned long']], 'ProviderCount' : [ 0xac, ['unsigned long']], 'Providers' : [ 0xb0, ['pointer64', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0xb8, ['unsigned long']], 'DependentCount' : [ 0xbc, ['unsigned long']], 'Dependents' : [ 0xc0, ['pointer64', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0xc8, ['_POP_FX_ACCOUNTING']], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x10, { 'DeviceHandle' : [ 0x0, ['pointer64', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x38, { 'ComponentActive' : [ 0x0, ['pointer64', ['void']]], 'ComponentIdle' : [ 0x8, ['pointer64', ['void']]], 'ComponentIdleState' : [ 0x10, ['pointer64', ['void']]], 'DevicePowerRequired' : [ 0x18, ['pointer64', ['void']]], 'DevicePowerNotRequired' : [ 0x20, ['pointer64', ['void']]], 'PowerControl' : [ 0x28, ['pointer64', ['void']]], 'ComponentCriticalTransition' : [ 0x30, ['pointer64', ['void']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x10, ['unsigned char']], 'Spare' : [ 0x11, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0x14, ['unsigned long']], 'DebugId' : [ 0x18, ['_CVDD']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8180, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, 
['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'StackLimitHits' : [ 0x8038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x803c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x8040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8044, ['unsigned long']], 'TotalReleases' : [ 0x8048, ['unsigned long']], 'RootNodesDeleted' : [ 0x804c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x8050, ['unsigned long']], 'Instigator' : [ 0x8058, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8060, ['unsigned long']], 'Participant' : [ 0x8068, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8168, ['long']], 'StackType' : [ 0x816c, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x8170, ['unsigned long long']], 'StackHighLimit' : [ 0x8178, ['unsigned long long']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, 
['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 
'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 
'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long 
long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x40, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'IRHints' : [ 0x30, ['unsigned long']], 'IRTruncatedHints' : [ 0x34, ['unsigned long']], 'ExpectedWakeReason' : [ 0x38, ['unsigned char']], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 'Inserted' : [ 0x1c, 
['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_2577' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2579' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2577']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2579']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned 
long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_258b' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_258b']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, 
['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, 
['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_THERMAL_POLICY' : [ 0x14, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_RTL_UMS_CONTEXT' : [ 0x520, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 
'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'PrimaryUmsContext' : [ 0x500, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x508, ['unsigned long']], 'KernelYieldCount' : [ 0x50c, ['unsigned long']], 'MixedYieldCount' : [ 0x510, ['unsigned long']], 'YieldCount' : [ 0x514, ['unsigned long']], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned 
long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_ETW_GUID_ENTRY' : [ 0x178, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long long']], 'Guid' : [ 
0x18, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['pointer64', ['_ETW_FILTER_HEADER']]], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_25f4' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned 
long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_25f6' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_25f4']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_25f6']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 
0xc0, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x70, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1d, { 'PerUserPolicy' : [ 0x0, ['array', 29, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_260a' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_260c' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_2610' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_2614' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_2616' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], 
'_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_260a']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_260c']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2610']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2614']], 'Others' : [ 0x0, ['__unnamed_2616']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x8, { 'Function' : [ 0x0, ['pointer64', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long long']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x68, { 'PlatformOnlyCount' : [ 0x0, ['unsigned long long']], 'PreVetoCount' : [ 0x8, ['unsigned long long']], 'VetoCount' : [ 0x10, ['unsigned long long']], 'IdleDurationCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, ['unsigned long long']], 'InterruptibleCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'WrongProcessorCount' : [ 0x40, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x48, ['unsigned long long']], 'CstateCheckCount' : [ 0x50, ['unsigned long long']], 'NoCStateCount' : [ 0x58, ['unsigned long long']], 'SelectedCount' : [ 0x60, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x8, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_HIVE_WAIT_PACKET' : [ 0x28, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Next' : [ 0x20, ['pointer64', ['_HIVE_WAIT_PACKET']]], } ], '__unnamed_2625' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_2627' : 
[ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_2629' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_2625']], 'Interrupt' : [ 0x0, ['__unnamed_2627']], 'LocalInterrupt' : [ 0x0, ['__unnamed_2627']], 'Sci' : [ 0x0, ['__unnamed_2627']], 'Nmi' : [ 0x0, ['__unnamed_2627']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_2629']], } ], '_POP_HIBER_CONTEXT' : [ 0x1a0, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'VerifyKernelPhaseOnResume' : [ 0x3, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x4, ['unsigned char']], 'InitializationFinished' : [ 0x5, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'MapFrozen' : [ 0x14, ['unsigned char']], 'DiscardMap' : [ 0x18, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x18, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x38, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x48, ['unsigned long']], 'ClonedPageCount' : [ 0x50, ['unsigned long long']], 'CurrentMap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x60, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x68, ['unsigned long long']], 'LoaderMdl' : [ 0x70, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x78, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x80, ['unsigned long long']], 'IoPages' : [ 0x88, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x90, ['unsigned long']], 'CurrentMcb' : [ 0x98, ['pointer64', ['void']]], 'DumpStack' : [ 
0xa0, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xa8, ['pointer64', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0xb0, ['unsigned long']], 'Status' : [ 0xb4, ['long']], 'GraphicsProc' : [ 0xb8, ['unsigned long']], 'MemoryImage' : [ 0xc0, ['pointer64', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0xc8, ['pointer64', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0xd0, ['pointer64', ['_MDL']]], 'SiLogOffset' : [ 0xd8, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0xe0, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0xe8, ['pointer64', ['void']]], 'ResumeContext' : [ 0xf0, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0xf8, ['unsigned long']], 'ProcessorCount' : [ 0xfc, ['unsigned long']], 'ProcessorContext' : [ 0x100, ['pointer64', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0x108, ['pointer64', ['unsigned char']]], 'ProdConsSize' : [ 0x110, ['unsigned long']], 'MaxDataPages' : [ 0x114, ['unsigned long']], 'ExtraBuffer' : [ 0x118, ['pointer64', ['void']]], 'ExtraBufferSize' : [ 0x120, ['unsigned long long']], 'ExtraMapVa' : [ 0x128, ['pointer64', ['void']]], 'BitlockerKeyPFN' : [ 0x130, ['unsigned long long']], 'IoInfo' : [ 0x138, ['_POP_IO_INFO']], 'HardwareConfigurationSignature' : [ 0x198, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 
'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x178, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x108, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x110, ['pointer64', ['void']]], 'PointersLength' : [ 0x118, ['unsigned long']], 'ModulePrefix' : [ 0x120, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0x128, ['_LIST_ENTRY']], 'InitMsg' : [ 0x138, ['_STRING']], 'ProgMsg' : [ 0x148, ['_STRING']], 'DoneMsg' : [ 0x158, ['_STRING']], 'FileObject' : [ 0x168, ['pointer64', ['void']]], 'UsageType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_PPM_VETO_ACCOUNTING' : [ 0x18, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x48, { 'InitiatingThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ThreadId' : [ 0x10, 
['pointer64', ['void']]], 'ProcessId' : [ 0x18, ['pointer64', ['void']]], 'Code' : [ 0x20, ['unsigned long']], 'Parameter1' : [ 0x28, ['unsigned long long']], 'Parameter2' : [ 0x30, ['unsigned long long']], 'Parameter3' : [ 0x38, ['unsigned long long']], 'Parameter4' : [ 0x40, ['unsigned long long']], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 31, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 
0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], 'SecureInfo' : [ 0x10, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x10, ['_RTL_BITMAP_EX']], 'InPageSupport' : [ 0x10, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'PhysicalMemory' : [ 0x10, ['_MI_PHYSMEM_BLOCK']], 'LargePage' : [ 0x10, ['pointer64', ['_MI_LARGEPAGE_MEMORY_INFO']]], } ], '__unnamed_2666' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_2666']], } ], '__unnamed_266a' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_266a']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', 
dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], 'PO_MEMORY_IMAGE' : [ 0x360, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long long']], 'HiberFlags' : [ 0x38, ['unsigned char']], 'spare' : [ 0x39, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x3c, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'NumPagesForLoader' : [ 0x58, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x60, ['unsigned long long']], 'FirstKernelRestorePage' : [ 0x68, ['unsigned long long']], 'PerfInfo' : [ 0x70, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x218, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x220, ['array', 1, ['unsigned long long']]], 'SiLogOffset' : [ 0x228, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x22c, ['unsigned long']], 'BootLoaderLogPages' : [ 0x230, ['array', 24, ['unsigned long long']]], 'NotUsed' : [ 0x2f0, ['unsigned long']], 'ResumeContextCheck' : [ 0x2f4, ['unsigned long']], 'ResumeContextPages' : [ 0x2f8, ['unsigned long']], 'Hiberboot' : [ 0x2fc, ['unsigned char']], 'HvCr3' : [ 0x300, 
['unsigned long long']], 'HvEntryPoint' : [ 0x308, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x310, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x318, ['unsigned long long']], 'BootFlags' : [ 0x320, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x328, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x330, ['unsigned long long']], 'BitlockerKeyPfns' : [ 0x338, ['array', 4, ['unsigned long long']]], 'HardwareSignature' : [ 0x358, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x18, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned short']], 'Flags' : [ 0x16, ['unsigned short']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x1a8, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'TotalHibernateTime' : [ 0x30, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x38, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x3c, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x40, ['unsigned long']], 'ResumeAppTicks' : [ 0x48, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x50, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x58, ['unsigned long long']], 'ResumeInitTicks' : [ 0x60, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x68, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x70, ['unsigned long long']], 'ResumeIoTicks' : [ 0x78, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x80, ['unsigned long long']], 'ResumeAllocateTicks' : [ 
0x88, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0x90, ['unsigned long long']], 'ResumeMapTicks' : [ 0x98, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xa0, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xa8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xb0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xb8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xc0, ['unsigned long long']], 'HalTscOffset' : [ 0xc8, ['unsigned long long']], 'HvlTscOffset' : [ 0xd0, ['unsigned long long']], 'SleeperThreadEnd' : [ 0xd8, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0xe0, ['unsigned long long']], 'IoBoundedness' : [ 0xe8, ['unsigned long long']], 'KernelDecompressTicks' : [ 0xf0, ['unsigned long long']], 'KernelIoTicks' : [ 0xf8, ['unsigned long long']], 'KernelCopyTicks' : [ 0x100, ['unsigned long long']], 'ReadCheckCount' : [ 0x108, ['unsigned long long']], 'KernelInitTicks' : [ 0x110, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x118, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x120, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x128, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x130, ['unsigned long long']], 'AnimationStart' : [ 0x138, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x140, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x148, ['unsigned long']], 'BootPagesProcessed' : [ 0x150, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x158, ['unsigned long long']], 'BootBytesWritten' : [ 0x160, ['unsigned long long']], 'KernelBytesWritten' : [ 0x168, ['unsigned long long']], 'BootPagesWritten' : [ 0x170, ['unsigned long long']], 'KernelPagesWritten' : [ 0x178, ['unsigned long long']], 'BytesWritten' : [ 0x180, ['unsigned long long']], 'PagesWritten' : [ 0x188, ['unsigned long']], 'FileRuns' : [ 0x18c, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x190, ['unsigned long']], 'MaxHuffRatio' : [ 0x194, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 
0x198, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1a0, ['unsigned long long']], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '__unnamed_2689' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_2689']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_MI_PHYSMEM_BLOCK' : [ 0x8, { 'IoTracker' : [ 0x0, ['pointer64', ['_MMIO_TRACKER']]], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x80, { 'UncompressedData' : [ 0x0, ['pointer64', ['unsigned char']]], 'MappingVa' : [ 0x8, ['pointer64', ['void']]], 'XpressEncodeWorkspace' : [ 0x10, ['pointer64', ['void']]], 'CompressedDataBuffer' : [ 0x18, ['pointer64', ['unsigned char']]], 'CopyTicks' : [ 0x20, ['unsigned long long']], 'CompressTicks' : [ 0x28, ['unsigned long long']], 'BytesCopied' : [ 0x30, ['unsigned long long']], 'PagesProcessed' : [ 0x38, ['unsigned long long']], 'DecompressTicks' : [ 0x40, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x48, ['unsigned long long']], 'SharedBufferTicks' : [ 0x50, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x68, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x78, ['unsigned long']], 'HuffCompressCount' : [ 0x7c, ['unsigned long']], } ], '_DEVICE_OBJECT_LIST_ENTRY' : [ 0x10, { 'DeviceObject' : [ 0x0, 
['pointer64', ['_DEVICE_OBJECT']]], 'RelationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceRelation', 1: 'Dependent', 2: 'DirectDescendant'})]], 'Flags' : [ 0xc, ['unsigned long']], } ], '_IO_REMOVE_LOCK' : [ 0x20, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_POP_IO_INFO' : [ 0x60, { 'DumpMdl' : [ 0x0, ['pointer64', ['_MDL']]], 'IoStatus' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x10, ['unsigned long long']], 'IoBytesCompleted' : [ 0x18, ['unsigned long long']], 'IoBytesInProgress' : [ 0x20, ['unsigned long long']], 'RequestSize' : [ 0x28, ['unsigned long long']], 'IoLocation' : [ 0x30, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x38, ['unsigned long long']], 'Buffer' : [ 0x40, ['pointer64', ['void']]], 'AsyncCapable' : [ 0x48, ['unsigned char']], 'BytesToRead' : [ 0x50, ['unsigned long long']], 'Pages' : [ 0x58, ['unsigned long']], } ], '_LDRP_CSLIST' : [ 0x8, { 'Tail' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_MMVIEW' : [ 0x38, { 'PteOffset' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['unsigned long long']], 'u1' : [ 0x10, ['_MMVIEW_CONTROL_AREA']], 'ViewLinks' : [ 0x18, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x28, ['pointer64', ['void']]], 'SessionId' : [ 0x30, ['unsigned long']], 'SessionIdForGlobalSubsections' : [ 0x34, ['unsigned long']], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, 
end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_FILTER_HEADER' : [ 0x48, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x8, ['pointer64', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x10, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0x18, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x20, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x28, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x30, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x38, ['pointer64', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x40, ['pointer64', ['_EVENT_FILTER_HEADER']]], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_MMVIEW_CONTROL_AREA' : [ 0x8, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ExceptionForInPageErrors' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'UsedForControlArea' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_26c0' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_26c2' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_26c5' : [ 0x8, { 'IntrInfo' : [ 0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_26c9' : [ 0x4, { 
'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x18, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x28, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x38, ['__unnamed_26c0']], 'XapicMessage' : [ 0x38, ['__unnamed_26c2']], 'Hypertransport' : [ 0x38, ['__unnamed_26c5']], 'GenericMessage' : [ 0x38, ['__unnamed_26c2']], 'MessageRequest' : [ 0x38, ['__unnamed_26c9']], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_26dc' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_26de' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_26e0' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_26dc']], 'Gpt' : [ 0x0, 
['__unnamed_26de']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x108, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MarkMemoryOnly' : [ 0x69, ['unsigned char']], 'HiberResume' : [ 0x6a, ['unsigned char']], 'Reserved1' : [ 0x6b, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_26e0']], 'ReadRoutine' : [ 0xa0, ['pointer64', ['void']]], 'GetDriveTelemetryRoutine' : [ 0xa8, ['pointer64', ['void']]], 'LogSectionTruncateSize' : [ 0xb0, ['unsigned long']], 'Parameters' : [ 0xb4, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DumpNotifyRoutine' : [ 0x100, ['pointer64', ['void']]], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '_ETW_QUEUE_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x10, ['pointer64', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0x18, ['pointer64', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x20, ['pointer64', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x28, ['pointer64', ['void']]], 
'RegIndex' : [ 0x30, ['unsigned short']], 'ReplyIndex' : [ 0x32, ['unsigned short']], 'Flags' : [ 0x34, ['unsigned long']], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_KDPC_LIST' : [ 0x10, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x178, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x20, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 
3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer64', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '__unnamed_2714' : [ 0x4, 
{ 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2716' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2714']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2719' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_271b' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2719']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, ['__unnamed_2716']], 'HighPart' : [ 0x4, ['__unnamed_271b']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned 
long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_MI_LARGEPAGE_MEMORY_INFO' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ColoredPageInfoBase' : [ 0x10, ['pointer64', ['_COLORED_PAGE_INFO']]], 'PagesNeedZeroing' : [ 0x18, ['unsigned long']], } ], '__unnamed_272d' : [ 0x8, { 'MessageAddressLow' : [ 0x0, ['unsigned long']], 'MessageData' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], } ], '__unnamed_272f' : [ 0x8, { 'RemappedFormat' : [ 0x0, ['_ULARGE_INTEGER']], 'Msi' : [ 0x0, ['__unnamed_272d']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_272f']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_MMIO_TRACKER' : [ 0x70, { 'ListEntry' : [ 0x0, 
['_LIST_ENTRY']], 'PageFrameIndex' : [ 0x10, ['unsigned long long']], 'NumberOfPages' : [ 0x18, ['unsigned long long']], 'BaseVa' : [ 0x20, ['pointer64', ['void']]], 'CacheFlushTimeStamp' : [ 0x20, ['unsigned long']], 'Mdl' : [ 0x28, ['pointer64', ['_MDL']]], 'MdlPages' : [ 0x30, ['unsigned long long']], 'StackTrace' : [ 0x38, ['array', 6, ['pointer64', ['void']]]], 'CacheInfo' : [ 0x68, ['array', 1, ['_IO_CACHE_INFO']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '__unnamed_273b' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_273e' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0x180, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x10, ['_LIST_ENTRY']], 'Event' : [ 0x20, ['_KEVENT']], 'CollidedEvent' : [ 0x38, ['_KEVENT']], 'IoStatus' : [ 0x50, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x60, ['_LARGE_INTEGER']], 'PteContents' : [ 0x68, ['_MMPTE']], 'Thread' : [ 0x70, ['pointer64', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0x78, ['pointer64', ['_MMPFN']]], 'WaitCount' : [ 0x80, ['long']], 'ByteCount' : [ 0x84, ['unsigned long']], 'u3' : [ 0x88, ['__unnamed_273b']], 'u1' : [ 0x8c, ['__unnamed_273e']], 'FilePointer' : [ 0x90, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x98, ['pointer64', ['_CONTROL_AREA']]], 'Autoboost' : [ 0xa0, ['pointer64', ['void']]], 'FaultingAddress' : [ 0xa8, ['pointer64', ['void']]], 'PointerPte' : [ 0xb0, ['pointer64', ['_MMPTE']]], 'BasePte' : [ 0xb8, ['pointer64', ['_MMPTE']]], 'Pfn' : [ 0xc0, ['pointer64', ['_MMPFN']]], 'PrefetchMdl' : [ 0xc8, ['pointer64', ['_MDL']]], 'Mdl' : [ 0xd0, ['_MDL']], 'Page' : [ 0x100, ['array', 16, ['unsigned long long']]], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 
0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'BoostedPriority' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CoalescedIo' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 
'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_COLORED_PAGE_INFO' : [ 0x18, { 'BeingZeroed' : [ 0x0, ['long']], 'Processor' : [ 0x4, ['unsigned long']], 'PagesQueued' : [ 0x8, ['unsigned long long']], 'PfnAllocation' : [ 0x10, ['pointer64', ['_MMPFN']]], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0x18, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x8, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_IO_CACHE_INFO' : [ 0x1, { 'CacheAttribute' : [ 0x0, ['unsigned char']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x8, ['pointer64', ['unsigned short']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8_sp0_x86_vtypes.py0000644000000000000000000205573313131215405030533 0ustar rootrootntkrpamp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } 
], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'Reserved2' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, 
end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'Reserved12' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 
'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateSequence' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrement32' : [ 0x368, ['unsigned long']], 'QpcInterruptTimeIncrement32' : [ 0x36c, ['unsigned long']], 'QpcSystemTimeIncrementShift' : [ 0x370, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x371, ['unsigned char']], 'Reserved8' : [ 0x372, ['array', 14, ['unsigned char']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'TscQpcData' : [ 0x3c6, ['unsigned short']], 'TscQpcEnabled' : [ 0x3c6, ['unsigned char']], 'TscQpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_107c' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 
'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_107c']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1080' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1080']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_109b' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109d' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_109b']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_109d']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TEB' : [ 0xfe8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned 
long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 
'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'PerflibData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : 
[ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['pointer', ['void']]], 'ReservedForWdf' : [ 0xfe4, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : 
[ 0xc, { 'Parent' : [ 0x0, ['pointer', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned 
short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_BALANCED_NODE' : [ 0xc, { 'Children' : [ 0x0, ['array', 2, ['pointer', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x8, ['unsigned long']], } ], '_RTL_RB_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_RTL_AVL_TREE' : [ 0x4, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_KPCR' : [ 0x4280, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 
'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x4160, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : [ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x338, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'PrcbPad0' : [ 0x3be, ['array', 2, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'CpuVendor' : [ 0x3c4, ['unsigned char']], 'GroupIndex' : [ 0x3c5, ['unsigned char']], 'Group' : [ 0x3c6, ['unsigned short']], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, ['unsigned long']], 'ClockOwner' : [ 0x3d0, 
['unsigned char']], 'PendingTick' : [ 0x3d1, ['unsigned char']], 'PrcbPad1' : [ 0x3d2, ['array', 70, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x4a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x4a4, ['unsigned long']], 'KernelTime' : [ 0x4a8, ['unsigned long']], 'UserTime' : [ 0x4ac, ['unsigned long']], 'DpcTime' : [ 0x4b0, ['unsigned long']], 'DpcTimeCount' : [ 0x4b4, ['unsigned long']], 'InterruptTime' : [ 0x4b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4bc, ['unsigned long']], 'PageColor' : [ 0x4c0, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c4, ['unsigned char']], 'NodeColor' : [ 0x4c5, ['unsigned char']], 'PrcbPad20' : [ 0x4c6, ['array', 2, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'ParentNode' : [ 0x4cc, ['pointer', ['_KNODE']]], 'SecondaryColorMask' : [ 0x4d0, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d4, ['unsigned long']], 'PrcbPad21' : [ 0x4d8, ['array', 2, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' : [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x520, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, ['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, 
['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : [ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x570, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, ['unsigned long']]], 'PPLookasideList' : [ 0x5a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1820, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2120, ['unsigned long']], 'ReverseStall' : [ 0x2124, ['long']], 'IpiFrame' : [ 0x2128, ['pointer', ['void']]], 'PrcbPad3' : [ 0x212c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x2160, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x216c, ['unsigned long']], 'WorkerRoutine' : [ 0x2170, ['pointer', ['void']]], 'IpiFrozen' : [ 0x2174, ['unsigned long']], 'PrcbPad4' : [ 0x2178, ['array', 40, 
['unsigned char']]], 'RequestSummary' : [ 0x21a0, ['unsigned long']], 'SignalDone' : [ 0x21a4, ['pointer', ['_KPRCB']]], 'PrcbPad50' : [ 0x21a8, ['array', 48, ['unsigned char']]], 'InterruptLastCount' : [ 0x21d8, ['unsigned long']], 'InterruptRate' : [ 0x21dc, ['unsigned long']], 'DpcData' : [ 0x21e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2208, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x220c, ['long']], 'DpcRequestRate' : [ 0x2210, ['unsigned long']], 'MinimumDpcRate' : [ 0x2214, ['unsigned long']], 'DpcLastCount' : [ 0x2218, ['unsigned long']], 'PrcbLock' : [ 0x221c, ['unsigned long']], 'DpcGate' : [ 0x2220, ['_KGATE']], 'ThreadDpcEnable' : [ 0x2230, ['unsigned char']], 'QuantumEnd' : [ 0x2231, ['unsigned char']], 'DpcRoutineActive' : [ 0x2232, ['unsigned char']], 'IdleSchedule' : [ 0x2233, ['unsigned char']], 'DpcRequestSummary' : [ 0x2234, ['long']], 'DpcRequestSlot' : [ 0x2234, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x2234, ['short']], 'ThreadDpcState' : [ 0x2236, ['short']], 'DpcNormalProcessingActive' : [ 0x2234, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x2234, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x2234, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x2234, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x2234, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x2234, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x2234, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x2234, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x2234, ['BitField', dict(start_bit 
= 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x2234, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2238, ['unsigned long']], 'LastTick' : [ 0x223c, ['unsigned long']], 'PeriodicCount' : [ 0x2240, ['unsigned long']], 'PeriodicBias' : [ 0x2244, ['unsigned long']], 'ClockInterrupts' : [ 0x2248, ['unsigned long']], 'ReadyScanTick' : [ 0x224c, ['unsigned long']], 'BalanceState' : [ 0x2250, ['unsigned char']], 'GroupSchedulingOverQuota' : [ 0x2251, ['unsigned char']], 'PrcbPad41' : [ 0x2252, ['array', 10, ['unsigned char']]], 'TimerTable' : [ 0x2260, ['_KTIMER_TABLE']], 'CallDpc' : [ 0x3aa0, ['_KDPC']], 'ClockKeepAlive' : [ 0x3ac0, ['long']], 'PrcbPad6' : [ 0x3ac4, ['array', 4, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x3ac8, ['long']], 'DpcWatchdogCount' : [ 0x3acc, ['long']], 'KeSpinLockOrdering' : [ 0x3ad0, ['long']], 'PrcbPad70' : [ 0x3ad4, ['array', 1, ['unsigned long']]], 'QueueIndex' : [ 0x3ad8, ['unsigned long']], 'DeferredReadyListHead' : [ 0x3adc, ['_SINGLE_LIST_ENTRY']], 'WaitListHead' : [ 0x3ae0, ['_LIST_ENTRY']], 'WaitLock' : [ 0x3ae8, ['unsigned long']], 'ReadySummary' : [ 0x3aec, ['unsigned long']], 'ReadyQueueWeight' : [ 0x3af0, ['unsigned long']], 'BuddyPrcb' : [ 0x3af4, ['pointer', ['_KPRCB']]], 'StartCycles' : [ 0x3af8, ['unsigned long long']], 'GenerationTarget' : [ 0x3b00, ['unsigned long long']], 'CycleTime' : [ 0x3b08, ['unsigned long long']], 'HighCycleTime' : [ 0x3b10, ['unsigned long']], 'ScbOffset' : [ 0x3b14, ['unsigned long']], 'AffinitizedCycles' : [ 0x3b18, ['unsigned long long']], 'DispatcherReadyListHead' : [ 0x3b20, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3c20, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3c24, ['long']], 'ScbQueue' : [ 0x3c28, ['_RTL_RB_TREE']], 'ScbList' : [ 0x3c30, ['_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x3c38, ['long']], 'MmCopyOnWriteCount' : [ 0x3c3c, ['long']], 'MmTransitionCount' : [ 0x3c40, 
['long']], 'MmCacheTransitionCount' : [ 0x3c44, ['long']], 'MmDemandZeroCount' : [ 0x3c48, ['long']], 'MmPageReadCount' : [ 0x3c4c, ['long']], 'MmPageReadIoCount' : [ 0x3c50, ['long']], 'MmCacheReadCount' : [ 0x3c54, ['long']], 'MmCacheIoCount' : [ 0x3c58, ['long']], 'MmDirtyPagesWriteCount' : [ 0x3c5c, ['long']], 'MmDirtyWriteIoCount' : [ 0x3c60, ['long']], 'MmMappedPagesWriteCount' : [ 0x3c64, ['long']], 'MmMappedWriteIoCount' : [ 0x3c68, ['long']], 'CachedCommit' : [ 0x3c6c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3c70, ['unsigned long']], 'HyperPte' : [ 0x3c74, ['pointer', ['void']]], 'PrcbPad8' : [ 0x3c78, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x3c7c, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x3c89, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x3c8a, ['unsigned char']], 'PrcbPad9' : [ 0x3c8b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x3c90, ['unsigned long']], 'UpdateSignature' : [ 0x3c98, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3ca0, ['unsigned long long']], 'Stride' : [ 0x3ca8, ['unsigned long']], 'PrcbPad90' : [ 0x3cac, ['unsigned long']], 'PowerState' : [ 0x3cb0, ['_PROCESSOR_POWER_STATE']], 'PrcbPad91' : [ 0x3e30, ['array', 1, ['unsigned long']]], 'DpcWatchdogDpc' : [ 0x3e34, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3e58, ['_KTIMER']], 'HypercallPageList' : [ 0x3e80, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x3e88, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x3e8c, ['pointer', ['void']]], 'StatisticsPage' : [ 0x3e90, ['pointer', ['unsigned long long']]], 'Cache' : [ 0x3e94, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3ed0, ['unsigned long']], 'PackageProcessorSet' : [ 0x3ed4, ['_KAFFINITY_EX']], 'CacheProcessorMask' : [ 0x3ee0, ['array', 5, ['unsigned long']]], 'ScanSiblingMask' : [ 0x3ef4, ['unsigned long']], 'CoreProcessorSet' : [ 0x3ef8, ['unsigned long']], 'ScanSiblingIndex' : [ 0x3efc, ['unsigned long']], 'LLCLevel' : [ 0x3f00, ['unsigned long']], 'WheaInfo' : [ 
0x3f04, ['pointer', ['void']]], 'EtwSupport' : [ 0x3f08, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x3f10, ['_SLIST_HEADER']], 'PrcbPad92' : [ 0x3f18, ['array', 8, ['unsigned long']]], 'ProcessorProfileControlArea' : [ 0x3f38, ['pointer', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x3f3c, ['pointer', ['void']]], 'TimerExpirationDpc' : [ 0x3f40, ['_KDPC']], 'SynchCounters' : [ 0x3f60, ['_SYNCH_COUNTERS']], 'FsCounters' : [ 0x4018, ['_FILESYSTEM_DISK_COUNTERS']], 'Context' : [ 0x4028, ['pointer', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x402c, ['unsigned long']], 'ExtendedState' : [ 0x4030, ['pointer', ['_XSAVE_AREA']]], 'EntropyTimingState' : [ 0x4034, ['_KENTROPY_TIMING_STATE']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'Reserved' : [ 0x14, ['array', 3, ['pointer', ['void']]]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x1e8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x10, ['pointer', ['void']]], 'QuantumTarget' : [ 0x18, ['unsigned long long']], 'InitialStack' : [ 0x20, ['pointer', ['void']]], 'StackLimit' : [ 0x24, ['pointer', ['void']]], 'StackBase' : [ 0x28, ['pointer', ['void']]], 'ThreadLock' : [ 0x2c, ['unsigned long']], 'CycleTime' : [ 0x30, ['unsigned long long']], 'HighCycleTime' : [ 0x38, ['unsigned long']], 'ServiceTable' : [ 
0x3c, ['pointer', ['void']]], 'CurrentRunTime' : [ 0x40, ['unsigned long']], 'ExpectedRunTime' : [ 0x44, ['unsigned long']], 'KernelStack' : [ 0x48, ['pointer', ['void']]], 'StateSaveArea' : [ 0x4c, ['pointer', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x50, ['pointer', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x54, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x55, ['unsigned char']], 'Alerted' : [ 0x56, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x58, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x58, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'CodePatchInProgress' : [ 0x58, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x58, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x58, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x58, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x58, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'TimerActive' : [ 0x58, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SystemThread' : [ 0x58, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x58, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'CalloutActive' : [ 0x58, ['BitField', 
dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x58, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ApcQueueable' : [ 0x58, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x58, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x58, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x58, ['long']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UserAffinitySet' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlyGroup' : [ 0x5c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x5c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ExplicitIdealProcessor' : [ 0x5c, ['BitField', dict(start_bit = 12, end_bit = 13, 
native_type='unsigned long')]], 'FreezeCount' : [ 0x5c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x5c, ['BitField', dict(start_bit = 14, end_bit = 22, native_type='unsigned long')]], 'ReservedFlags' : [ 0x5c, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x5c, ['long']], 'Spare0' : [ 0x60, ['unsigned long']], 'SystemCallNumber' : [ 0x64, ['unsigned long']], 'FirstArgument' : [ 0x68, ['pointer', ['void']]], 'TrapFrame' : [ 0x6c, ['pointer', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x70, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x70, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x87, ['unsigned char']], 'UserIdealProcessor' : [ 0x88, ['unsigned long']], 'ContextSwitches' : [ 0x8c, ['unsigned long']], 'State' : [ 0x90, ['unsigned char']], 'NpxState' : [ 0x91, ['unsigned char']], 'WaitIrql' : [ 0x92, ['unsigned char']], 'WaitMode' : [ 0x93, ['unsigned char']], 'WaitStatus' : [ 0x94, ['long']], 'WaitBlockList' : [ 0x98, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x9c, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x9c, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa4, ['pointer', ['_KQUEUE']]], 'Teb' : [ 0xa8, ['pointer', ['void']]], 'RelativeTimerBias' : [ 0xb0, ['unsigned long long']], 'Timer' : [ 0xb8, ['_KTIMER']], 'WaitBlock' : [ 0xe0, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill8' : [ 0xe0, ['array', 20, ['unsigned char']]], 'ThreadCounters' : [ 0xf4, ['pointer', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0xe0, ['array', 44, ['unsigned char']]], 'XStateSave' : [ 0x10c, ['pointer', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0xe0, ['array', 68, ['unsigned char']]], 'Win32Thread' : [ 0x124, ['pointer', ['void']]], 'WaitBlockFill11' : [ 0xe0, ['array', 88, ['unsigned char']]], 'WaitTime' : [ 0x138, ['unsigned long']], 'KernelApcDisable' : [ 0x13c, ['short']], 'SpecialApcDisable' : [ 0x13e, ['short']], 'CombinedApcDisable' : [ 0x13c, ['unsigned long']], 
'QueueListEntry' : [ 0x140, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x148, ['unsigned long']], 'DeferredProcessor' : [ 0x14c, ['unsigned long']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'UserAffinity' : [ 0x154, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x154, ['array', 6, ['unsigned char']]], 'PreviousMode' : [ 0x15a, ['unsigned char']], 'BasePriority' : [ 0x15b, ['unsigned char']], 'PriorityDecrement' : [ 0x15c, ['unsigned char']], 'ForegroundBoost' : [ 0x15c, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x15c, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x15d, ['unsigned char']], 'AdjustReason' : [ 0x15e, ['unsigned char']], 'AdjustIncrement' : [ 0x15f, ['unsigned char']], 'Affinity' : [ 0x160, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x160, ['array', 6, ['unsigned char']]], 'ApcStateIndex' : [ 0x166, ['unsigned char']], 'WaitBlockCount' : [ 0x167, ['unsigned char']], 'IdealProcessor' : [ 0x168, ['unsigned long']], 'ApcStatePointer' : [ 0x16c, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x174, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x174, ['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x18b, ['unsigned char']], 'SuspendCount' : [ 0x18c, ['unsigned char']], 'Saturation' : [ 0x18d, ['unsigned char']], 'SListFaultCount' : [ 0x18e, ['unsigned short']], 'SchedulerApc' : [ 0x190, ['_KAPC']], 'SchedulerApcFill0' : [ 0x190, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x191, ['unsigned char']], 'SchedulerApcFill1' : [ 0x190, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x193, ['unsigned char']], 'SchedulerApcFill2' : [ 0x190, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x194, ['unsigned long']], 'SchedulerApcFill3' : [ 0x190, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b4, ['pointer', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x190, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1b8, ['pointer', 
['void']]], 'SchedulerApcFill5' : [ 0x190, ['array', 47, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x1bf, ['unsigned char']], 'UserTime' : [ 0x1c0, ['unsigned long']], 'SuspendEvent' : [ 0x1c4, ['_KEVENT']], 'ThreadListEntry' : [ 0x1d4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1dc, ['_LIST_ENTRY']], } ], '_KSTACK_CONTROL' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long']], 'ActualLimit' : [ 0x4, ['unsigned long']], 'StackExpansion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousTrapFrame' : [ 0x8, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0xc, ['pointer', ['void']]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, 
['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 
512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0xc0, { 'DeepIdleSet' : [ 0x0, ['unsigned long']], 'ProximityId' : [ 0x40, ['unsigned long']], 'NodeNumber' : [ 0x44, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x46, ['unsigned short']], 'MaximumProcessors' : [ 0x48, ['unsigned char']], 'Flags' : [ 0x49, ['_flags']], 'Stride' : [ 0x4a, ['unsigned char']], 'NodePad0' : [ 0x4b, ['unsigned char']], 'Affinity' : [ 0x4c, ['_GROUP_AFFINITY']], 'IdleCpuSet' : [ 0x58, ['unsigned long']], 'IdleSmtSet' : [ 0x5c, ['unsigned long']], 'Seed' : [ 0x80, ['unsigned long']], 'Lowest' : [ 0x84, ['unsigned long']], 'Highest' : [ 0x88, ['unsigned long']], 'ParkLock' : [ 0x8c, ['long']], 'NonParkedSet' : [ 0x90, ['unsigned long']], } ], '_ENODE' : [ 0x280, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkerQueues' : [ 0xc0, ['array', 7, ['_EX_WORK_QUEUE']]], 'ExpThreadSetManagerEvent' : [ 0x248, ['_KEVENT']], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x258, ['pointer', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x25c, ['unsigned long']], 'ExWorkerFullInit' : [ 0x260, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x260, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x260, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x5c, { 'NextHandleNeedingPool' : [ 
0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long']], 'QuotaProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'StrictFIFO' : [ 0x1c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x1c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x1c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x1c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x20, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x24, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x28, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x28, ['array', 20, ['unsigned char']]], 'DebugInfo' : [ 0x3c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'VolatileLowValue' : [ 0x0, ['long']], 'LowValue' : [ 0x0, ['long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'HighValue' : [ 0x4, ['long']], 'NextFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x4, ['_EXHANDLE']], 'GrantedAccessBits' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'ProtectFromClose' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'RefCnt' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 32, 
native_type='unsigned long')]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '__unnamed_12ef' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_12ef']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc4, { 'PrivilegesUsed' : [ 0x0, ['pointer', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xc0, ['unsigned char']], } ], '_ETHREAD' : [ 0x2c8, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1e8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x1f0, 
['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x1f0, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x1f8, ['pointer', ['void']]], 'PostBlockList' : [ 0x1fc, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x1fc, ['pointer', ['void']]], 'StartAddress' : [ 0x200, ['pointer', ['void']]], 'TerminationPort' : [ 0x204, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x204, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x204, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x208, ['unsigned long']], 'ActiveTimerListHead' : [ 0x20c, ['_LIST_ENTRY']], 'Cid' : [ 0x214, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x21c, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x21c, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x230, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x234, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x23c, ['unsigned long']], 'DeviceToVerify' : [ 0x240, ['pointer', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x244, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x248, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x24c, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x254, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x258, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x25c, ['unsigned long']], 'MmLockOrdering' : [ 0x260, ['long']], 'CmLockOrdering' : [ 0x264, ['long']], 'CrossThreadFlags' : [ 0x268, ['unsigned long']], 'Terminated' : [ 0x268, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x268, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x268, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x268, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x268, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x268, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x268, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x268, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x268, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x268, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x268, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x268, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x268, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x268, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x26c, ['unsigned long']], 'ActiveExWorker' : [ 0x26c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x26c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ClonedThread' : [ 0x26c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x26c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SelfTerminate' : [ 0x26c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x270, ['unsigned long']], 'Spare' : [ 0x270, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x270, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x270, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x270, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x270, ['BitField', dict(start_bit = 
4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x270, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x270, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x270, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x271, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x271, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x271, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x271, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x271, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x271, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x271, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x271, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x272, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x272, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x272, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x272, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x272, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare2' : [ 0x272, ['BitField', dict(start_bit = 6, 
end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x273, ['unsigned char']], 'CacheManagerActive' : [ 0x274, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x275, ['unsigned char']], 'ActiveFaultCount' : [ 0x276, ['unsigned char']], 'LockOrderState' : [ 0x277, ['unsigned char']], 'AlpcMessageId' : [ 0x278, ['unsigned long']], 'AlpcMessage' : [ 0x27c, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x27c, ['unsigned long']], 'ExitStatus' : [ 0x280, ['long']], 'AlpcWaitListEntry' : [ 0x284, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x28c, ['unsigned long']], 'IoBoostCount' : [ 0x290, ['unsigned long']], 'BoostList' : [ 0x294, ['_LIST_ENTRY']], 'DeboostList' : [ 0x29c, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x2a4, ['unsigned long']], 'IrpListLock' : [ 0x2a8, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x2ac, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x2b0, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x2b4, ['pointer', ['_GUID']]], 'WnfContext' : [ 0x2b8, ['pointer', ['void']]], 'SeLearningModeListHead' : [ 0x2bc, ['_SINGLE_LIST_ENTRY']], 'KernelStackReference' : [ 0x2c0, ['unsigned long']], } ], '_EPROCESS' : [ 0x2e8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xa0, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xa8, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xb0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'Flags2' : [ 0xc0, ['unsigned long']], 'JobNotReallyActive' : [ 0xc0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0xc0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0xc0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0xc0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0xc0, ['BitField', dict(start_bit = 4, end_bit = 
5, native_type='unsigned long')]], 'LastReportMemory' : [ 0xc0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoWakeCharge' : [ 0xc0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0xc0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0xc0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0xc0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0xc0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0xc0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0xc0, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0xc0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0xc0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0xc0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0xc0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0xc0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0xc0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0xc0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0xc0, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0xc0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0xc0, ['BitField', dict(start_bit = 25, end_bit = 26, 
native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0xc0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0xc0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0xc0, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0xc0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0xc0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0xc4, ['unsigned long']], 'CreateReported' : [ 0xc4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0xc4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0xc4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0xc4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0xc4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0xc4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0xc4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0xc4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0xc4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0xc4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0xc4, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0xc4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0xc4, ['BitField', dict(start_bit = 13, end_bit = 14, 
native_type='unsigned long')]], 'DeprioritizeViews' : [ 0xc4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0xc4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0xc4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0xc4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0xc4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0xc4, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0xc4, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0xc4, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0xc4, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0xc4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0xc4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0xc4, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0xc4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0xc4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ProcessQuotaUsage' : [ 0xc8, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xd0, ['array', 2, ['unsigned long']]], 'PeakVirtualSize' : [ 0xd8, ['unsigned long']], 'VirtualSize' : [ 0xdc, ['unsigned long']], 
'SessionProcessLinks' : [ 0xe0, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0xe8, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xe8, ['unsigned long']], 'ExceptionPortState' : [ 0xe8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Token' : [ 0xec, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xf0, ['unsigned long']], 'AddressCreationLock' : [ 0xf4, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0xf8, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0xfc, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x100, ['unsigned long']], 'CommitChargeJob' : [ 0x104, ['pointer', ['_EJOB']]], 'CloneRoot' : [ 0x108, ['pointer', ['_MM_AVL_TABLE']]], 'NumberOfPrivatePages' : [ 0x10c, ['unsigned long']], 'NumberOfLockedPages' : [ 0x110, ['unsigned long']], 'Win32Process' : [ 0x114, ['pointer', ['void']]], 'Job' : [ 0x118, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x11c, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x120, ['pointer', ['void']]], 'Cookie' : [ 0x124, ['unsigned long']], 'VdmObjects' : [ 0x128, ['pointer', ['void']]], 'WorkingSetWatch' : [ 0x12c, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x130, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x134, ['pointer', ['void']]], 'LdtInformation' : [ 0x138, ['pointer', ['void']]], 'CreatorProcess' : [ 0x13c, ['pointer', ['_EPROCESS']]], 'ConsoleHostProcess' : [ 0x13c, ['unsigned long']], 'Peb' : [ 0x140, ['pointer', ['_PEB']]], 'Session' : [ 0x144, ['pointer', ['void']]], 'AweInfo' : [ 0x148, ['pointer', ['void']]], 'QuotaBlock' : [ 0x14c, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x150, ['pointer', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x154, ['pointer', ['void']]], 'PaeTop' : [ 0x158, ['pointer', ['void']]], 'DeviceMap' : [ 0x15c, ['pointer', ['void']]], 'EtwDataSource' : [ 0x160, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x168, ['unsigned long long']], 'ImageFileName' : [ 0x170, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 
0x17f, ['unsigned char']], 'SecurityPort' : [ 0x180, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x184, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x188, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x190, ['pointer', ['void']]], 'ThreadListHead' : [ 0x194, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x19c, ['unsigned long']], 'ImagePathHash' : [ 0x1a0, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a4, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1a8, ['long']], 'PrefetchTrace' : [ 0x1ac, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x1b0, ['pointer', ['_MM_AVL_TABLE']]], 'ReadOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1e0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e8, ['unsigned long']], 'CommitCharge' : [ 0x1ec, ['unsigned long']], 'CommitChargePeak' : [ 0x1f0, ['unsigned long']], 'Vm' : [ 0x1f4, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x264, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x26c, ['unsigned long']], 'ExitStatus' : [ 0x270, ['long']], 'VadRoot' : [ 0x274, ['_MM_AVL_TABLE']], 'VadPhysicalPages' : [ 0x28c, ['unsigned long']], 'VadPhysicalPagesLimit' : [ 0x290, ['unsigned long']], 'AlpcContext' : [ 0x294, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x2a4, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x2ac, ['pointer', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x2b0, ['unsigned long']], 'SmallestTimerResolution' : [ 0x2b4, ['unsigned long']], 'ExitTime' : [ 0x2b8, ['_LARGE_INTEGER']], 'ActiveThreadsHighWatermark' : [ 0x2c0, ['unsigned long']], 'LargePrivateVadCount' : [ 0x2c4, ['unsigned long']], 'ThreadListLock' : [ 0x2c8, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x2cc, ['pointer', ['void']]], 'SectionMappingSize' : [ 0x2d0, ['unsigned long']], 
'SignatureLevel' : [ 0x2d4, ['unsigned char']], 'SectionSignatureLevel' : [ 0x2d5, ['unsigned char']], 'SpareByte20' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'KeepAliveCounter' : [ 0x2d8, ['unsigned long']], 'DiskCounters' : [ 0x2dc, ['pointer', ['_PROCESS_DISK_COUNTERS']]], 'LastFreezeInterruptTime' : [ 0x2e0, ['unsigned long long']], } ], '_KPROCESS' : [ 0xa0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'Affinity' : [ 0x38, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x44, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x4c, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x50, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'AffinitySet' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='long')]], 'DeepFreeze' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ReservedFlags' : [ 0x5c, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x5c, ['long']], 'BasePriority' : [ 0x60, ['unsigned char']], 'QuantumReset' : [ 0x61, ['unsigned char']], 'Visited' : [ 0x62, ['unsigned char']], 'Flags' : [ 0x63, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x64, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x68, ['array', 1, ['unsigned short']]], 
'IdealGlobalNode' : [ 0x6a, ['unsigned short']], 'Spare1' : [ 0x6c, ['unsigned short']], 'IopmOffset' : [ 0x6e, ['unsigned short']], 'SchedulingGroup' : [ 0x70, ['pointer', ['_KSCHEDULING_GROUP']]], 'StackCount' : [ 0x74, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x78, ['_LIST_ENTRY']], 'CycleTime' : [ 0x80, ['unsigned long long']], 'ContextSwitches' : [ 0x88, ['unsigned long long']], 'FreezeCount' : [ 0x90, ['unsigned long']], 'KernelTime' : [ 0x94, ['unsigned long']], 'UserTime' : [ 0x98, ['unsigned long']], 'VdmTrapcHandler' : [ 0x9c, ['pointer', ['void']]], } ], '__unnamed_133f' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1345' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1347' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1345']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_1352' : [ 0x2c, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x28, ['pointer', ['void']]], } ], '__unnamed_1354' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_1352']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_133f']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 
0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_1347']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_1354']], } ], '__unnamed_135b' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_135f' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1363' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_1365' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1369' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 
'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], 
'__unnamed_136b' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_136d' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 
'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileMaximumInformation'})]], } ], '__unnamed_136f' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 
48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1371' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1373' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1377' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMaximumInformation'})]], } ], '__unnamed_1379' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_137c' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], 
'__unnamed_137e' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1380' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_1382' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1386' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_138a' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_138e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1392' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_1396' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_139a' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_139e' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_13a0' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_13a2' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_13a6' : [ 0x4, { 'IdType' : [ 0x0, 
['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_13aa' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_13ae' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_13b2' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_13b6' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_13be' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_13c2' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], 
'__unnamed_13c4' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13c6' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13c8' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_135b']], 'CreatePipe' : [ 0x0, ['__unnamed_135f']], 'CreateMailslot' : [ 0x0, ['__unnamed_1363']], 'Read' : [ 0x0, ['__unnamed_1365']], 'Write' : [ 0x0, ['__unnamed_1365']], 'QueryDirectory' : [ 0x0, ['__unnamed_1369']], 'NotifyDirectory' : [ 0x0, ['__unnamed_136b']], 'QueryFile' : [ 0x0, ['__unnamed_136d']], 'SetFile' : [ 0x0, ['__unnamed_136f']], 'QueryEa' : [ 0x0, ['__unnamed_1371']], 'SetEa' : [ 0x0, ['__unnamed_1373']], 'QueryVolume' : [ 0x0, ['__unnamed_1377']], 'SetVolume' : [ 0x0, ['__unnamed_1377']], 'FileSystemControl' : [ 0x0, ['__unnamed_1379']], 'LockControl' : [ 0x0, ['__unnamed_137c']], 'DeviceIoControl' : [ 0x0, ['__unnamed_137e']], 'QuerySecurity' : [ 0x0, ['__unnamed_1380']], 'SetSecurity' : [ 0x0, ['__unnamed_1382']], 'MountVolume' : [ 0x0, ['__unnamed_1386']], 'VerifyVolume' : [ 0x0, ['__unnamed_1386']], 'Scsi' : [ 0x0, ['__unnamed_138a']], 'QueryQuota' : [ 0x0, ['__unnamed_138e']], 'SetQuota' : [ 0x0, ['__unnamed_1373']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1392']], 'QueryInterface' : [ 0x0, ['__unnamed_1396']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_139a']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_139e']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_13a0']], 'SetLock' : [ 0x0, ['__unnamed_13a2']], 'QueryId' : [ 0x0, ['__unnamed_13a6']], 'QueryDeviceText' : [ 0x0, ['__unnamed_13aa']], 'UsageNotification' : [ 0x0, ['__unnamed_13ae']], 'WaitWake' : [ 0x0, ['__unnamed_13b2']], 'PowerSequence' : [ 0x0, ['__unnamed_13b6']], 'Power' : [ 0x0, ['__unnamed_13be']], 
'StartDevice' : [ 0x0, ['__unnamed_13c2']], 'WMI' : [ 0x0, ['__unnamed_13c4']], 'Others' : [ 0x0, ['__unnamed_13c6']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_13c8']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_13de' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_13de']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned 
short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x68, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, 
['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x5c, ['pointer', ['void']]], 'UserContext' : [ 0x60, ['pointer', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, 
['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 
'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x40, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit 
= 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], 'Oplock' : [ 0x3c, ['pointer', ['void']]], 'ReservedForRemote' : [ 0x3c, ['pointer', ['void']]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '__unnamed_156c' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'HighLow' : [ 0x0, ['_MMPTE_HIGHLOW']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_156c']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'ReservedLowFlags' : [ 0xe, ['unsigned char']], 'WaiterPriority' : [ 0xf, ['unsigned char']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned 
long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '__unnamed_15a8' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_15ac' : [ 0x4, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 29, native_type='unsigned long')]], 'SpareBlink' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_15af' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], 'VolatileShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_15b1' : [ 0x4, { 
'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_15af']], } ], '__unnamed_15b5' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireField' : [ 0x0, ['unsigned long']], } ], '_MMPFN' : [ 0x1c, { 'u1' : [ 0x0, ['__unnamed_15a8']], 'u2' : [ 0x4, ['__unnamed_15ac']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0x8, ['long']], 'PteLong' : [ 0x8, ['unsigned long']], 'u3' : [ 0xc, ['__unnamed_15b1']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'u4' : [ 0x18, ['__unnamed_15b5']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x34, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x8, ['unsigned long']], 'Hint' : [ 0xc, ['unsigned long']], 'BasePte' : [ 0x10, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'Vm' : [ 0x18, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x1c, ['long']], 'TotalFreeSystemPtes' : [ 0x20, ['long']], 'CachedPteCount' : [ 0x24, ['long']], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x2c, ['unsigned long']], 'GlobalMutex' : [ 0x2c, ['pointer', ['_FAST_MUTEX']]], 'CachedPtes' : [ 0x30, ['pointer', ['_MI_CACHED_PTE']]], } ], '__unnamed_15d3' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_15d3']], } ], '_MMWSL' : [ 0xd9c, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' 
: [ 0xc, ['unsigned long']], 'LastInitializedWsle' : [ 0x10, ['unsigned long']], 'NextAgingSlot' : [ 0x14, ['unsigned long']], 'NextAccessClearingSlot' : [ 0x18, ['unsigned long']], 'LastAccessClearingRemainder' : [ 0x1c, ['unsigned long']], 'LastAgingRemainder' : [ 0x20, ['unsigned long']], 'WsleSize' : [ 0x24, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long']], 'LowestPagableAddress' : [ 0x2c, ['pointer', ['void']]], 'NonDirectHash' : [ 0x30, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x34, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x38, ['pointer', ['_MMWSLE_HASH']]], 'ActiveWsleCounts' : [ 0x3c, ['array', 8, ['unsigned long']]], 'ActiveWsles' : [ 0x5c, ['array', 8, ['_MI_ACTIVE_WSLE']]], 'Wsle' : [ 0x9c, ['pointer', ['_MMWSLE']]], 'UserVaInfo' : [ 0xa0, ['_MI_USER_VA_INFO']], } ], '_MMSUPPORT' : [ 0x70, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x4, ['pointer', ['_KGATE']]], 'AccessLog' : [ 0x8, ['pointer', ['void']]], 'WorkingSetExpansionLinks' : [ 0xc, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x14, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x30, ['unsigned long']], 'WorkingSetSize' : [ 0x34, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x38, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x3c, ['unsigned long']], 'ChargedWslePages' : [ 0x40, ['unsigned long']], 'ActualWslePages' : [ 0x44, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x48, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x4c, ['unsigned long']], 'HardFaultCount' : [ 0x50, ['unsigned long']], 'VmWorkingSetList' : [ 0x54, ['pointer', ['_MMWSL']]], 'NextPageColor' : [ 0x58, ['unsigned short']], 'LastTrimStamp' : [ 0x5a, ['unsigned short']], 'PageFaultCount' : [ 0x5c, ['unsigned long']], 'TrimmedPageCount' : [ 0x60, ['unsigned long']], 'ForceTrimPages' : [ 0x64, ['unsigned long']], 'Flags' : [ 0x68, ['_MMSUPPORT_FLAGS']], 'WsSwapSupport' : [ 0x6c, ['pointer', ['void']]], } ], '__unnamed_15f0' : 
[ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_15f9' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_15fb' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_15f9']], } ], '_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'ListHead' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_15f0']], 'FlushInProgressCount' : [ 0x20, ['unsigned long']], 'FilePointer' : [ 0x24, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x28, ['long']], 'ModifiedWriteCount' : [ 0x2c, ['unsigned long']], 'WaitList' : [ 0x30, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x34, ['__unnamed_15fb']], 'LockedPages' : [ 0x40, ['unsigned long long']], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 0x0, ['unsigned long']], } ], '_MMPAGING_FILE' : [ 0x64, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : 
[ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'FreeReservationSpace' : [ 0x18, ['unsigned long']], 'LargestReserveCluster' : [ 0x1c, ['unsigned long']], 'File' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x24, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x2c, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x34, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x38, ['unsigned long']], 'ReservationBitmapHint' : [ 0x3c, ['unsigned long']], 'LargestNonReservedClusterSize' : [ 0x40, ['unsigned long']], 'RefreshClusterSize' : [ 0x44, ['unsigned long']], 'LastRefreshClusterSize' : [ 0x48, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x4c, ['unsigned long']], 'ToBeEvictedCount' : [ 0x50, ['unsigned long']], 'PageFileNumber' : [ 0x54, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x54, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0x54, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'NoReservations' : [ 0x54, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Spare0' : [ 0x54, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x56, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0x56, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x57, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'FileHandle' : [ 0x58, ['pointer', ['void']]], 'Lock' : [ 0x5c, ['unsigned long']], 'LockOwner' : [ 0x60, ['pointer', ['_ETHREAD']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x18, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 
'AllocationBitmap' : [ 0x4, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0xc, ['_RTL_BITMAP']], 'EvictStoreBitmap' : [ 0x14, ['pointer', ['_RTL_BITMAP']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], 'tagSWITCH_CONTEXT' : [ 0x58, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '__unnamed_1645' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1648' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x4, ['pointer', ['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_164a' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_164e' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', ['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_1650' : [ 0x10, { 'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_1654' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_1658' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_165a' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], 
'_HIVE_LOAD_FAILURE' : [ 0x120, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned long']], 'RecoverableIndex' : [ 0x8, ['unsigned long']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_1645']]], 'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_1645']]], 'RegistryIO' : [ 0xcc, ['__unnamed_1648']], 'CheckRegistry2' : [ 0xd8, ['__unnamed_164a']], 'CheckKey' : [ 0xdc, ['__unnamed_164e']], 'CheckValueList' : [ 0xec, ['__unnamed_1650']], 'CheckHive' : [ 0xfc, ['__unnamed_1654']], 'CheckHive1' : [ 0x108, ['__unnamed_1654']], 'CheckBin' : [ 0x114, ['__unnamed_1658']], 'RecoverData' : [ 0x11c, ['__unnamed_165a']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xb8, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'ParkingStatus' : [ 0x78, 
['unsigned long']], 'CurrentFrequency' : [ 0x7c, ['unsigned long']], 'PercentMaxFrequency' : [ 0x80, ['unsigned long']], 'StateFlags' : [ 0x84, ['unsigned long']], 'NominalThroughput' : [ 0x88, ['unsigned long']], 'ActiveThroughput' : [ 0x8c, ['unsigned long']], 'ScaledThroughput' : [ 0x90, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0x98, ['unsigned long long']], 'AverageIdleTime' : [ 0xa0, ['unsigned long long']], 'IdleBreakEvents' : [ 0xa8, ['unsigned long long']], 'PerformanceLimit' : [ 0xb0, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xb4, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned 
long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 
'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_TEB32' : [ 0xfe8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' 
: [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 
0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 
12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], } ], '_TEB64' : [ 0x1820, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long 
long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, 
['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, 
['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_GROUP_AFFINITY' : [ 0xc, { 'Mask' : [ 0x0, ['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_MCGEN_TRACE_CONTEXT' 
: [ 0x38, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x2c, ['pointer', ['unsigned long']]], 'EnableKeyWords' : [ 0x30, ['pointer', ['unsigned long long']]], 'EnableLevel' : [ 0x34, ['pointer', ['unsigned char']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x3c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependentList' : [ 0x2c, ['_LIST_ENTRY']], 
'ProviderList' : [ 0x34, ['_LIST_ENTRY']], } ], '__unnamed_176e' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1770' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1774' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x1cc, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Level' : [ 0x28, ['unsigned long']], 'CurrentPowerState' : [ 0x2c, ['_POWER_STATE']], 'Notify' : [ 0x30, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x6c, ['_PO_IRP_MANAGER']], 'FxDevice' : [ 0x7c, ['pointer', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x80, ['long']], 'FxRemoveEvent' : [ 0x84, ['_KEVENT']], 'FxActivationCount' : [ 0x94, ['long']], 'FxSleepCount' : [ 0x98, ['long']], 'Plugin' : [ 0x9c, ['pointer', ['_POP_FX_PLUGIN']]], 'UniqueId' : [ 0xa0, ['_UNICODE_STRING']], 'PowerFlags' : [ 0xa8, ['unsigned long']], 'State' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 
'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0xb0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0xb4, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 
'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x104, ['unsigned long']], 'CompletionStatus' : [ 0x108, ['long']], 'Flags' : [ 0x10c, ['unsigned long']], 'UserFlags' : [ 0x110, ['unsigned long']], 'Problem' : [ 0x114, ['unsigned long']], 'ProblemStatus' : [ 0x118, ['long']], 'ResourceList' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x120, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x124, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x128, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x130, ['unsigned long']], 'ChildInterfaceType' : [ 0x134, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x138, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x13c, ['unsigned short']], 'RemovalPolicy' : [ 0x13e, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x13f, ['unsigned char']], 'TargetDeviceNotify' : [ 0x140, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x148, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x150, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x158, ['unsigned short']], 'QueryTranslatorMask' : [ 0x15a, ['unsigned short']], 'NoArbiterMask' : [ 0x15c, ['unsigned short']], 'QueryArbiterMask' : [ 0x15e, 
['unsigned short']], 'OverUsed1' : [ 0x160, ['__unnamed_176e']], 'OverUsed2' : [ 0x164, ['__unnamed_1770']], 'BootResources' : [ 0x168, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x16c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x170, ['unsigned long']], 'DockInfo' : [ 0x174, ['__unnamed_1774']], 'DisableableDepends' : [ 0x184, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x188, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x190, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x198, ['unsigned long']], 'PreviousParent' : [ 0x19c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x1a0, ['unsigned long']], 'NumaNodeIndex' : [ 0x1a4, ['unsigned long']], 'ContainerID' : [ 0x1a8, ['_GUID']], 'OverrideFlags' : [ 0x1b8, ['unsigned char']], 'DeviceIdsHash' : [ 0x1bc, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x1c0, ['unsigned char']], 'PendingEjectRelations' : [ 0x1c4, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x1c8, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', 
['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 
0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 
'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_181b' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 
'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_181b']], } ], '__unnamed_1822' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, 
['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1822']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 
0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0x78, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x14, ['unsigned long']], 'LogHandleContext' : [ 0x18, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0x68, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x6c, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0x70, ['unsigned 
long']], } ], '_SHARED_CACHE_MAP' : [ 0x170, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', ['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'V1' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0xa0, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xb4, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd8, ['_LARGE_INTEGER']], 'Event' : [ 0xe0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xf0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xf8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x160, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x164, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x168, ['unsigned long']], 'WritesInProgress' : [ 
0x16c, ['unsigned long']], } ], '__unnamed_18a5' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_18a5']], 'ArrayHead' : [ 0x10, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_18c6' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_18c8' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_18ca' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_18cc' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_18ce' : [ 0x4, { 'Read' : [ 0x0, ['__unnamed_18c6']], 'Write' : [ 0x0, ['__unnamed_18c8']], 'Event' : [ 0x0, ['__unnamed_18ca']], 'Notification' : [ 0x0, ['__unnamed_18cc']], } ], '_WORK_QUEUE_ENTRY' : [ 0x10, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_18ce']], 'Function' : [ 0xc, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x18, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0x4, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x10, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x50, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x8, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0xc, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x18, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x28, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x2c, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x30, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x38, ['pointer', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x3c, ['unsigned long']], 'LastLWTimeStamp' : [ 0x40, ['_LARGE_INTEGER']], 'Flags' : [ 0x48, ['unsigned long']], } ], '_MBCB' : [ 0x88, 
{ 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x68, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x248, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 
'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x58, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x5c, ['unsigned long']], 'Signature' : [ 0x60, ['unsigned long']], 'SegmentReserve' : [ 0x64, ['unsigned long']], 'SegmentCommit' : [ 0x68, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x6c, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x70, ['unsigned long']], 'TotalFreeSize' : [ 0x74, ['unsigned long']], 'MaximumAllocationSize' : [ 0x78, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x7c, ['unsigned short']], 'HeaderValidateLength' : [ 0x7e, ['unsigned short']], 'HeaderValidateCopy' : [ 0x80, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x84, ['unsigned short']], 'MaximumTagIndex' : [ 0x86, ['unsigned short']], 'TagEntries' : [ 0x88, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x8c, ['_LIST_ENTRY']], 'AlignRound' : [ 0x94, ['unsigned long']], 'AlignMask' : [ 0x98, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x9c, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa4, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xac, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb0, ['unsigned long']], 'BlocksIndex' : [ 0xb4, ['pointer', ['void']]], 'UCRIndex' : [ 0xb8, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xbc, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc0, ['_LIST_ENTRY']], 'LockVariable' : [ 0xc8, ['pointer', 
['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xcc, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd0, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd4, ['unsigned short']], 'FrontEndHeapType' : [ 0xd6, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0xd7, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0xd8, ['pointer', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0xdc, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0xde, ['array', 257, ['unsigned char']]], 'Counters' : [ 0x1e0, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x23c, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_193c' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_193c']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned 
long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1991' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1993' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1991']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1995' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1997' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1995']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], 
'_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1993']], 'u2' : [ 0x4, ['__unnamed_1997']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x20, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], } ], '__unnamed_19b4' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_19b6' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_19b4']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_19b6']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' 
: [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Pad' : [ 0x10, ['unsigned long']], 'Lock' : [ 0x14, ['_EX_PUSH_LOCK']], } ], '__unnamed_19c5' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_19c7' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19c5']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_19c7']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_19d0' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_19d2' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19d0']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_19d2']], 'NumberOfViews' : [ 0x1c, ['unsigned long']], 'ViewListHead' : [ 0x20, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x2c, ['pointer', ['_KALPC_VIEW']]], } ], '__unnamed_19d8' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_19da' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19d8']], } ], '_KALPC_VIEW' : [ 
0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, ['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', ['void']]], 'u1' : [ 0x24, ['__unnamed_19da']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x24, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_19f5' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, 
native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_19f7' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19f5']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x108, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x5c, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x60, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x68, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0x70, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0x74, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0x7c, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0x80, ['_LIST_ENTRY']], 'Semaphore' : [ 0x88, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x88, ['pointer', ['_KEVENT']]], 'PortAttributes' : [ 0x8c, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0xc4, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0xc8, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0xcc, ['pointer', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0xd0, ['pointer', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0xd4, 
['pointer', ['void']]], 'CanceledQueue' : [ 0xd8, ['_LIST_ENTRY']], 'SequenceNo' : [ 0xe0, ['long']], 'u1' : [ 0xe4, ['__unnamed_19f7']], 'TargetQueuePort' : [ 0xe8, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xec, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0xf0, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xf4, ['unsigned long']], 'LargeMessageQueueLength' : [ 0xf8, ['unsigned long']], 'PendingQueueLength' : [ 0xfc, ['unsigned long']], 'CanceledQueueLength' : [ 0x100, ['unsigned long']], 'WaitQueueLength' : [ 0x104, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x58, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'CompletionListLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x10, ['pointer', ['_MDL']]], 'UserVa' : [ 0x14, ['pointer', ['void']]], 'UserLimit' : [ 0x18, ['pointer', ['void']]], 'DataUserVa' : [ 0x1c, ['pointer', ['void']]], 'SystemVa' : [ 0x20, ['pointer', ['void']]], 'TotalSize' : [ 0x24, ['unsigned long']], 'Header' : [ 0x28, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x2c, ['pointer', ['void']]], 'ListSize' : [ 0x30, ['unsigned long']], 'Bitmap' : [ 0x34, ['pointer', ['void']]], 'BitmapSize' : [ 0x38, ['unsigned long']], 'Data' : [ 0x3c, ['pointer', ['void']]], 'DataSize' : [ 0x40, ['unsigned long']], 'BitmapLimit' : [ 0x44, ['unsigned long']], 'BitmapNextHint' : [ 0x48, ['unsigned long']], 'ConcurrencyCount' : [ 0x4c, ['unsigned long']], 'AttributeFlags' : [ 0x50, ['unsigned long']], 'AttributeSize' : [ 0x54, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x90, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, 
['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'Key' : [ 0x84, ['unsigned long']], 'CallbackList' : [ 0x88, ['_LIST_ENTRY']], } ], '__unnamed_1a14' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1a16' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a14']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x90, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x8, ['pointer', 
['_ALPC_PORT']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'u1' : [ 0x14, ['__unnamed_1a16']], 'SequenceNo' : [ 0x18, ['long']], 'QuotaProcess' : [ 0x1c, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x1c, ['pointer', ['void']]], 'CancelSequencePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x24, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x28, ['long']], 'CancelListEntry' : [ 0x2c, ['_LIST_ENTRY']], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x38, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x54, ['pointer', ['void']]], 'DataSystemVa' : [ 0x58, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x5c, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x60, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x64, ['pointer', ['_ETHREAD']]], 'WakeReference' : [ 0x68, ['pointer', ['void']]], 'ExtensionBuffer' : [ 0x6c, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0x70, ['unsigned long']], 'PortMessage' : [ 0x78, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', 
['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1a4d' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a4f' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a4d']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1a4f']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 'IoStatusInformation' : [ 0x18, ['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'Flags' : [ 0x14, ['unsigned long']], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], 'SignalCompletion' : [ 0x1e, ['unsigned char']], 'PostedToCompletionList' : [ 0x1f, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x20, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'TimeStamped' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'ActivityId' : [ 0x4, ['_GUID']], 'Timestamp' : [ 0x18, ['_LARGE_INTEGER']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x24, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 7, ['pointer', 
['void']]]], 'FoIoPriorityHint' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x4c, ['pointer', ['void']]], 'Override' : [ 0x50, ['unsigned char']], 'QueryOnly' : [ 0x51, ['unsigned char']], 'DeleteOnly' : [ 0x52, ['unsigned char']], 'FullAttributes' : [ 0x53, ['unsigned char']], 'LocalFileObject' : [ 0x54, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x58, ['unsigned long']], 'AccessMode' : [ 0x5c, ['unsigned char']], 'DriverCreateContext' : [ 0x60, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, 
['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1b16' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x110, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1b16']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer', ['unsigned short']]], 'LogFileName' : [ 0x3c, ['pointer', ['unsigned short']]], 'TimeZone' : [ 0x40, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf0, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0xf8, ['_LARGE_INTEGER']], 'StartTime' : [ 0x100, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x108, ['unsigned long']], 'BuffersLost' : [ 0x10c, ['unsigned long']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x270, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, 
['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 1, ['unsigned long']]], 'ErrorMarker' : [ 0x18, ['unsigned long']], 'SizeMask' : [ 0x1c, ['unsigned long']], 'GetCpuClock' : [ 0x20, ['pointer', ['void']]], 'LoggerThread' : [ 0x24, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x28, ['long']], 'FailureReason' : [ 0x2c, ['unsigned long']], 'BufferQueue' : [ 0x30, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x3c, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x48, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x50, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x58, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x58, ['_EX_FAST_REF']], 'LoggerName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFileName' : [ 0x64, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x6c, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x74, ['_UNICODE_STRING']], 'ClockType' : [ 0x7c, ['unsigned long']], 'LastFlushedBuffer' : [ 0x80, ['unsigned long']], 'FlushTimer' : [ 0x84, ['unsigned long']], 'FlushThreshold' : [ 0x88, ['unsigned long']], 'ByteOffset' : [ 0x90, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x98, ['unsigned long']], 'BuffersAvailable' : [ 0x9c, ['long']], 'NumberOfBuffers' : [ 0xa0, ['long']], 'MaximumBuffers' : [ 0xa4, ['unsigned long']], 'EventsLost' : [ 0xa8, ['unsigned long']], 'BuffersWritten' : [ 0xac, ['unsigned long']], 'LogBuffersLost' : [ 0xb0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xb4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xb8, ['unsigned long']], 'SequencePtr' : [ 0xbc, ['pointer', ['long']]], 'LocalSequence' : [ 0xc0, ['unsigned long']], 'InstanceGuid' : [ 0xc4, ['_GUID']], 'MaximumFileSize' : [ 0xd4, ['unsigned long']], 'FileCounter' : [ 0xd8, ['long']], 'PoolType' : [ 0xdc, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 
'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xe0, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0xf0, ['long']], 'ProviderInfoSize' : [ 0xf4, ['unsigned long']], 'Consumers' : [ 0xf8, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x100, ['unsigned long']], 'TransitionConsumer' : [ 0x104, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x108, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x10c, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x120, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x128, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x130, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x138, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x140, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x148, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x158, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x15c, ['_KEVENT']], 'FlushEvent' : [ 0x16c, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x180, ['_KTIMER']], 'LoggerDpc' : [ 0x1a8, ['_KDPC']], 'LoggerMutex' : [ 0x1c8, ['_KMUTANT']], 'LoggerLock' : [ 0x1e8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1ec, ['unsigned long']], 'BufferListPushLock' : [ 0x1ec, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1f0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x22c, ['_EX_FAST_REF']], 'StartTime' : [ 0x230, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x238, ['pointer', ['void']]], 'BufferSequenceNumber' : [ 0x240, ['long long']], 'Flags' : [ 
0x248, ['unsigned long']], 'Persistent' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x248, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x248, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x248, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x248, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x248, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x248, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SpareFlags1' : [ 0x248, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x248, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x248, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x248, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x24c, ['unsigned long']], 'DbgRequestNewFie' : [ 0x24c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x24c, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x24c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x24c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x24c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x24c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x24c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x24c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDefferdFlush' : [ 0x24c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDefferdFlushTimer' : [ 0x24c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x24c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x24c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x24c, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x250, ['_RTL_BITMAP']], 'StackCache' : [ 0x258, ['pointer', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x25c, ['pointer', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x260, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x268, ['pointer', ['pointer', ['_WMI_BUFFER_HEADER']]]], } ], '_ETW_PMC_SUPPORT' : [ 0x24, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 
'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x288, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x9c, ['pointer', ['void']]], 'DynamicPart' : [ 0xa0, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa4, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 
'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xb0, ['unsigned long']], 'TokenInUse' : [ 0xb4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb8, ['unsigned long']], 'MandatoryPolicy' : [ 0xbc, ['unsigned long']], 'LogonSession' : [ 0xc0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc4, ['_LUID']], 'SidHash' : [ 0xcc, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x154, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1dc, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x1e0, ['pointer', ['void']]], 'Capabilities' : [ 0x1e4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x1e8, ['unsigned long']], 'CapabilitiesHash' : [ 0x1ec, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x274, ['pointer', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x278, ['pointer', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x27c, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'VariablePart' : [ 0x280, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x3c, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x34, ['_SEP_LOWBOX_HANDLES_TABLE']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : 
[ 0xd, ['unsigned char']], 'DbgRefTrace' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0xd, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x8, { 'SecurityDescriptor' : [ 0x0, ['pointer', ['void']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x18, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'EntryLink' : [ 0x8, ['pointer', ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0xc, ['unsigned long']], 'HashIndex' : [ 0x10, ['unsigned short']], 'DirectoryLocked' : [ 0x12, 
['unsigned char']], 'LockedExclusive' : [ 0x13, ['unsigned char']], 'LockStateSignature' : [ 0x14, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x98, ['pointer', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_WHEAP_INFO_BLOCK' : [ 0xc, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x4, ['pointer', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x8, ['pointer', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x418, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x8, ['unsigned long']], 'PlatformErrorSourceId' : [ 0xc, ['unsigned long']], 'ErrorCount' : [ 0x10, ['long']], 'RecordCount' : [ 0x14, ['unsigned long']], 'RecordLength' : [ 0x18, ['unsigned long']], 'PoolTag' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x24, ['pointer', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x28, ['pointer', ['void']]], 'SectionCount' : [ 0x2c, ['unsigned long']], 'SectionLength' : [ 0x30, ['unsigned long']], 'TickCountAtLastError' : [ 0x38, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x40, ['unsigned long']], 'TotalErrors' : [ 0x44, ['unsigned long']], 'Deferred' : [ 0x48, ['unsigned char']], 'Descriptor' : [ 0x49, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xe4, { 'WorkEntry' 
: [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x8, ['unsigned long']], 'ProcessorNumber' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x14, ['long']], 'ErrorSource' : [ 0x18, ['pointer', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x1c, ['_WHEA_ERROR_RECORD']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x1c, { 'SpinLock' : [ 0x0, ['unsigned long']], 'ConnectLock' : [ 0x4, ['_KEVENT']], 'LineMasked' : [ 0x14, ['unsigned char']], 'InterruptList' : [ 0x18, ['pointer', ['_KINTERRUPT']]], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0x60, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x8, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned long long']], 'WorkOrder' : [ 0x18, ['_POP_FX_WORK_ORDER']], 'WorkQueue' : [ 0x2c, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x54, ['pointer', ['void']]], 'AcceptProcessorNotification' : [ 0x58, ['pointer', ['void']]], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 
'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 
0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x128, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x104, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x124, ['unsigned long']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit 
= 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'WaitResponse' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], } ], '_HEAP_COUNTERS' : [ 0x5c, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 
'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'PollIntervalCounter' : [ 0x38, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x3c, ['unsigned long']], 'HeapPollInterval' : [ 0x40, ['unsigned long']], 'AllocAndFreeOps' : [ 0x44, ['unsigned long']], 'AllocationIndicesActive' : [ 0x48, ['unsigned long']], 'InBlockDeccommits' : [ 0x4c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x50, ['unsigned long']], 'HighWatermarkSize' : [ 0x54, ['unsigned long']], 'LastPolledSize' : [ 0x58, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 
'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, ['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_POP_FX_WORK_ORDER' : [ 0x14, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x10, ['long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x40, { 'guPlatform' : [ 0x0, ['_GUID']], 'guMinPlatform' : [ 0x10, ['_GUID']], 'ulElementCount' : [ 0x20, ['unsigned long']], 'ulContextMinimum' : [ 0x24, ['unsigned short']], 'ullOsMaxVersionTested' : [ 0x28, ['unsigned long long']], 'guElements' : [ 0x30, ['array', 1, ['_GUID']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x10, ['_KEVENT']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : 
[ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x8, ['unsigned char']], 'BlockState' : [ 0x9, ['unsigned char']], 'WaitKey' : [ 0xa, ['unsigned short']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'NotificationQueue' : [ 0xc, ['pointer', ['_KQUEUE']]], 'Object' : [ 0x10, ['pointer', ['void']]], 'SparePtr' : [ 0x14, ['pointer', ['void']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'CriticalTripPoint' : [ 0x18, ['unsigned long']], 'ActiveTripPointCount' : [ 0x1c, ['unsigned char']], 'ActiveTripPoint' : [ 0x20, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x48, ['unsigned long']], } ], '__unnamed_1c87' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', 
dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1c89' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1c87']], 'Private' : [ 0x0, ['__unnamed_1c89']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 
'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x8, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x130, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x8, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0xc, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x10, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x98, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x120, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x124, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x128, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x12c, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, 
['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_MMPTE_HIGHLOW' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x2b8, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'TotalCycleTime' : 
[ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x70, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x78, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0x80, ['unsigned long long']], 'TotalPageFaultCount' : [ 0x88, ['unsigned long']], 'TotalProcesses' : [ 0x8c, ['unsigned long']], 'ActiveProcesses' : [ 0x90, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x94, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x98, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xa0, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xa8, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xac, ['unsigned long']], 'LimitFlags' : [ 0xb0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xb4, ['unsigned long']], 'Affinity' : [ 0xb8, ['_KAFFINITY_EX']], 'AccessState' : [ 0xc4, ['pointer', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0xc8, ['pointer', ['void']]], 'UIRestrictionsClass' : [ 0xcc, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xd0, ['unsigned long']], 'CompletionPort' : [ 0xd4, ['pointer', ['void']]], 'CompletionKey' : [ 0xd8, ['pointer', ['void']]], 'CompletionCount' : [ 0xe0, ['unsigned long long']], 'SessionId' : [ 0xe8, ['unsigned long']], 'SchedulingClass' : [ 0xec, ['unsigned long']], 'ReadOperationCount' : [ 0xf0, ['unsigned long long']], 'WriteOperationCount' : [ 0xf8, ['unsigned long long']], 'OtherOperationCount' : [ 0x100, ['unsigned long long']], 'ReadTransferCount' : [ 0x108, ['unsigned long long']], 'WriteTransferCount' : [ 0x110, ['unsigned long long']], 'OtherTransferCount' : [ 0x118, ['unsigned long long']], 'DiskIoInfo' : [ 0x120, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x148, ['unsigned long']], 'JobMemoryLimit' : [ 0x14c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x150, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x154, ['unsigned long']], 'EffectiveAffinity' : [ 0x158, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x168, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x170, 
['unsigned long']], 'EffectiveMaximumWorkingSetSize' : [ 0x174, ['unsigned long']], 'EffectiveProcessMemoryLimit' : [ 0x178, ['unsigned long']], 'EffectiveProcessMemoryLimitJob' : [ 0x17c, ['pointer', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x180, ['pointer', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x184, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x188, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x18c, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x190, ['unsigned long']], 'EffectiveSwapCount' : [ 0x194, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x198, ['unsigned long']], 'EffectivePriorityClass' : [ 0x19c, ['unsigned char']], 'PriorityClass' : [ 0x19d, ['unsigned char']], 'Reserved1' : [ 0x19e, ['array', 2, ['unsigned char']]], 'CompletionFilter' : [ 0x1a0, ['unsigned long']], 'WakeChannel' : [ 0x1a8, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x1a8, ['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x1f0, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x1f8, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x1fc, ['unsigned long']], 'NotificationLink' : [ 0x200, ['pointer', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x208, ['unsigned long long']], 'NotificationInfo' : [ 0x210, ['pointer', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x214, ['pointer', ['void']]], 'NotificationPacket' : [ 0x218, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x21c, ['pointer', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x220, ['pointer', ['void']]], 'MemoryLimitsLock' : [ 0x224, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x228, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x230, ['_LIST_ENTRY']], 'ParentJob' : [ 0x238, ['pointer', ['_EJOB']]], 'RootJob' : [ 0x23c, ['pointer', ['_EJOB']]], 'IteratorListHead' : [ 0x240, ['_LIST_ENTRY']], 'Accounting' : [ 0x248, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x298, ['unsigned long']], 'SequenceNumber' : [ 0x29c, ['unsigned 
long']], 'TimerListLock' : [ 0x2a0, ['unsigned long']], 'TimerListHead' : [ 0x2a4, ['_LIST_ENTRY']], 'JobFlags' : [ 0x2ac, ['unsigned long']], 'CloseDone' : [ 0x2ac, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x2ac, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x2ac, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x2ac, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x2ac, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x2ac, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x2ac, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x2ac, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x2ac, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x2ac, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x2ac, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x2ac, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x2ac, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x2ac, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x2ac, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x2ac, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x2ac, ['BitField', dict(start_bit = 16, end_bit = 17, 
native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x2ac, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x2ac, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x2ac, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x2ac, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x2ac, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x2ac, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'SpareJobFlags' : [ 0x2ac, ['BitField', dict(start_bit = 23, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x2b0, ['unsigned long']], } ], '_PPM_IDLE_STATES' : [ 0xe0, { 'ForceIdle' : [ 0x0, ['unsigned char']], 'EstimateIdleDuration' : [ 0x1, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x2, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x4, ['unsigned long']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'ActualPlatformState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'PlatformIdleCount' : [ 0x1c, ['unsigned long']], 'ProcessorIdleCount' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['unsigned long']], 'ReasonFlags' : [ 0x28, ['unsigned long']], 'InitiateWakeStamp' : [ 0x30, ['long long']], 'PreviousStatus' : [ 0x38, ['long']], 'PrimaryProcessorMask' : [ 0x3c, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0x48, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x54, ['pointer', ['void']]], 'IdleExecute' : [ 0x58, ['pointer', ['void']]], 'IdleComplete' : [ 0x5c, ['pointer', ['void']]], 'IdleCancel' : [ 0x60, ['pointer', ['void']]], 'IdleIsHalted' : [ 0x64, ['pointer', ['void']]], 'IdleInitiateWake' : [ 0x68, ['pointer', ['void']]], 
'PrepareInfo' : [ 0x70, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'State' : [ 0xc0, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x250, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 
2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'HotpatchInformation' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned 
long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], 'pUnused' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : [ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x4c, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', ['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', ['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned char']], 'ShutDownRequested' : [ 0x32, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x32, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x32, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x32, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x34, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x3c, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x40, ['unsigned long']], 'UserPagesAllocated' : [ 0x44, ['unsigned long']], 'UserPagesReused' : [ 0x48, ['unsigned long']], } ], '__unnamed_1ce8' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned 
char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1cef' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1cf1' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1ce8']], 'Bits' : [ 0x0, ['__unnamed_1cef']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1cf1']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 
'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'PendingFreeDepth' : [ 0x104, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x24, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 
'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x1c, ['pointer', ['void']]], 'DvCallbacks' : [ 0x20, ['pointer', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEAP_WORK_QUEUE' : [ 0x44, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['long']], 'Dpc' : [ 0x10, ['_KDPC']], 'WorkItem' : [ 0x30, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x40, ['pointer', ['void']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x2a0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : 
[ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'ActiveCount' : [ 0x3a, ['unsigned short']], 'InternalState' : [ 0x3c, ['long']], 'Mode' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBoth'})]], 'ServiceCount' : [ 0x48, ['unsigned long']], 'DispatchCount' : [ 0x4c, ['unsigned long']], 'PassiveEvent' : [ 0x50, ['pointer', ['_KEVENT']]], 'DispatchCode' : [ 0x54, ['array', 145, ['unsigned long']]], 'DisconnectData' : [ 0x298, ['pointer', ['void']]], 'ServiceThread' : [ 0x29c, ['pointer', ['_KTHREAD']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x58, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 
'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '__unnamed_1d4c' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 
'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1d4c']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 
'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_EX_WORK_QUEUE' : [ 0x38, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'WorkItemsProcessed' : [ 0x28, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x2c, ['unsigned long']], 'ThreadCount' : [ 0x30, ['long']], 'TryFailed' : [ 0x34, ['unsigned char']], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 
0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x4e, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, 
['unsigned char']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_IO_WORKITEM' : [ 0x30, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', ['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'Type' : [ 0x1c, ['unsigned long']], 'ActivityId' : [ 0x20, ['_GUID']], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_MI_ACTIVE_WSLE' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 
0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_SESSION_LOWBOX_MAP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x8, ['unsigned long']], 'LowboxMap' : [ 0xc, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x74, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 
7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'RefCount' : [ 0x20, ['unsigned long']], 'Lock' : [ 0x24, ['unsigned long']], 'Cancel' : [ 0x28, ['unsigned char']], 'Parent' : [ 0x2c, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'Data' : [ 0x30, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_PS_WAKE_INFORMATION' : [ 0x48, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 8, ['unsigned long long']]], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_XSTATE_CONFIGURATION' : [ 0x218, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', 
dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0xc, ['_CM_KEY_HASH']], 'ConvKey' : [ 0xc, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x14, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], 'KcbPushlock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x20, ['pointer', ['_KTHREAD']]], 'SharedCount' : [ 0x20, ['long']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, ['unsigned long']], 'KcbUserFlags' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, 
native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x6c, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x74, ['_LIST_ENTRY']], 'Stolen' : [ 0x74, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x7c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x80, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x88, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x90, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x98, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x9c, ['pointer', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InStore' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'DbgCrc' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1ddd' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x68, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_1ddd']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['_MODWRITER_FLAGS']], 'ByteCount' : [ 0x18, ['unsigned long']], 'PagingFile' : [ 0x1c, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 
'ControlArea' : [ 0x24, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x28, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x30, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x38, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x40, ['pointer', ['_MDL']]], 'Mdl' : [ 0x44, ['_MDL']], 'Page' : [ 0x60, ['array', 1, ['unsigned long']]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned 
long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x50, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'ContextSwitches' : [ 0x18, ['unsigned long long']], 'ReadOperationCount' : [ 0x20, ['long long']], 'WriteOperationCount' : [ 0x28, ['long long']], 'OtherOperationCount' : [ 0x30, ['long long']], 'ReadTransferCount' : [ 0x38, ['long long']], 'WriteTransferCount' : [ 0x40, ['long long']], 'OtherTransferCount' : [ 0x48, ['long long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x180, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x4, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'PlatformIdleAccounting' : [ 0x8, ['pointer', ['_PLATFORM_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x10, ['unsigned long long']], 'IdleTimeTotal' : [ 0x18, ['unsigned long long']], 'IdleTimeEntry' : [ 0x20, ['unsigned long long']], 'Reserved' : [ 0x28, ['unsigned long long']], 'IdlePolicy' : [ 0x30, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x38, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x40, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'LastSysTime' : [ 0xac, ['unsigned long']], 'WmiDispatchPtr' : [ 0xb0, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xb4, ['long']], 'FFHThrottleStateInfo' : [ 0xb8, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0xd8, ['_KDPC']], 'PerfActionMask' : [ 0xf8, ['long']], 'HvIdleCheck' : [ 0x100, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x110, 
['_PROC_PERF_SNAP']], 'Domain' : [ 0x150, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x154, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x158, ['pointer', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x15c, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x160, ['pointer', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x164, ['unsigned char']], 'HvTargetState' : [ 0x165, ['unsigned char']], 'Parked' : [ 0x166, ['unsigned char']], 'OverUtilized' : [ 0x167, ['unsigned char']], 'LatestPerformancePercent' : [ 0x168, ['unsigned long']], 'AveragePerformancePercent' : [ 0x16c, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x170, ['unsigned long']], 'Utility' : [ 0x174, ['unsigned long']], 'AffinitizedUtility' : [ 0x178, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned char')]], 'Spare' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 
0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_CMHIVE' : [ 0x908, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x3a0, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x3b8, ['_LIST_ENTRY']], 'HiveList' : [ 0x3c0, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x3c8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x3d0, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x3d4, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x3dc, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x3e0, ['unsigned long']], 'DeletedKcbTable' : [ 0x3e4, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0x3e8, ['unsigned long']], 'Identity' : [ 0x3ec, ['unsigned long']], 'HiveLock' : [ 0x3f0, ['pointer', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x3f4, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x3f8, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x3fc, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x404, ['pointer', ['CMP_OFFSET_ARRAY']]], 'FlushOffsetArrayCount' : [ 0x408, ['unsigned long']], 'FlushBaseBlock' : [ 0x40c, ['pointer', ['_HBASE_BLOCK']]], 'FlushHiveTruncated' : [ 0x410, ['unsigned long']], 'SecurityLock' : [ 0x414, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0x418, ['unsigned long']], 'LastShrinkHiveSize' : [ 0x41c, ['unsigned long']], 'ActualFileSize' : [ 0x420, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0x428, ['array', 2, 
['_LARGE_INTEGER']]], 'FileFullPath' : [ 0x438, ['_UNICODE_STRING']], 'FileUserName' : [ 0x440, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x448, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x450, ['unsigned long']], 'SecurityCacheSize' : [ 0x454, ['unsigned long']], 'SecurityHitHint' : [ 0x458, ['long']], 'SecurityCache' : [ 0x45c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x460, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x660, ['unsigned long']], 'UnloadEventArray' : [ 0x664, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x668, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x66c, ['unsigned char']], 'UnloadWorkItem' : [ 0x670, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x674, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x688, ['unsigned char']], 'GrowOffset' : [ 0x68c, ['unsigned long']], 'KcbConvertListHead' : [ 0x690, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x698, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x6a0, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x6a4, ['unsigned long']], 'TrustClassEntry' : [ 0x6a8, ['_LIST_ENTRY']], 'DirtyTime' : [ 0x6b0, ['unsigned long long']], 'CmRm' : [ 0x6b8, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x6bc, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x6c0, ['long']], 'CreatorOwner' : [ 0x6c4, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0x6c8, ['pointer', ['_KTHREAD']]], 'ActiveFlushThread' : [ 0x6cc, ['pointer', ['_ETHREAD']]], 'FlushBoostLock' : [ 0x6d0, ['_EX_PUSH_LOCK']], 'LastWriteTime' : [ 0x6d8, ['_LARGE_INTEGER']], 'ReferenceCount' : [ 0x6e0, ['long']], 'FlushFlags' : [ 0x6e4, ['unsigned long']], 'FlushActive' : [ 0x6e4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DiskFileBad' : [ 0x6e4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FlushBoosted' : [ 0x6e4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PrimaryWritePending' : [ 0x6e4, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PriorPurgeComplete' : [ 0x6e4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'FlushWaitList' : [ 0x6e8, ['pointer', ['_HIVE_WAIT_PACKET']]], 'UnloadHistoryIndex' : [ 0x6ec, ['long']], 'UnloadHistory' : [ 0x6f0, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0x8f0, ['unsigned long']], 'UnaccessedStart' : [ 0x8f4, ['unsigned long']], 'UnaccessedEnd' : [ 0x8f8, ['unsigned long']], 'LoadedKeyCount' : [ 0x8fc, ['unsigned long']], 'HandleClosePending' : [ 0x900, ['unsigned long']], 'HandleClosePendingEvent' : [ 0x904, ['_EX_PUSH_LOCK']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x10, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long']], 'DirtyPageThresholdTop' : [ 0x4, ['unsigned long']], 'DirtyPageThresholdBottom' : [ 0x8, ['unsigned long']], 'DirtyPageTarget' : [ 0xc, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 
'ForceCredits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, 
['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 
'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x390, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x14, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x4, ['_RTL_BITMAP']], 
'HashTable' : [ 0xc, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x10, ['unsigned char']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x84, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, 
['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x78, ['unsigned long']], 'PreviousActivityCounter' : [ 0x7c, ['unsigned long']], 'WorkerTrimRequests' : [ 0x80, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_ETIMER' : [ 0xb8, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x28, ['unsigned long']], 'TimerApc' : [ 0x2c, ['_KAPC']], 'TimerDpc' : [ 0x5c, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x7c, ['_LIST_ENTRY']], 'Period' : [ 0x84, ['unsigned long']], 'TimerFlags' : [ 0x88, ['unsigned char']], 'ApcAssociated' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0x88, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0x88, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0x88, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned 
char')]], 'DueTimeType' : [ 0x89, ['unsigned char']], 'Spare2' : [ 0x8a, ['unsigned short']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x98, ['pointer', ['void']]], 'VirtualizedTimerLinks' : [ 0x9c, ['_LIST_ENTRY']], 'DueTime' : [ 0xa8, ['unsigned long long']], 'CoalescingWindow' : [ 0xb0, ['unsigned long']], } ], '_PROC_PERF_SNAP' : [ 0x40, { 'Time' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'Active' : [ 0x10, ['unsigned long long']], 'LastActive' : [ 0x18, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_EXHANDLE' : [ 0x4, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x5ec, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 
'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], 'PdoDescriptionString' : [ 0xa8, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x348, ['array', 672, 
['unsigned char']]], 'PdoAddressString' : [ 0x5e8, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '__unnamed_1eff' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1f01' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1eff']], } ], '__unnamed_1f03' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_1f01']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1f03']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_HMAP_TABLE' : [ 0x1800, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'HandleCount' : [ 0x14, ['unsigned long']], 'Handles' : [ 0x18, ['pointer', ['pointer', ['void']]]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x50, { 'Prcb' : [ 0x0, ['pointer', ['_KPRCB']]], 'PerfContext' : [ 0x4, ['unsigned long']], 'PlatformCap' : [ 0x8, ['unsigned long']], 'ThermalCap' : [ 0xc, ['unsigned long']], 'LimitReasons' : [ 0x10, ['unsigned long']], 'PlatformCapStartTime' : [ 0x18, ['unsigned long long']], 'TargetPercent' : [ 0x20, ['unsigned long']], 'DesiredPercent' : [ 0x24, ['unsigned long']], 'SelectedPercent' : [ 0x28, 
['unsigned long']], 'SelectedFrequency' : [ 0x2c, ['unsigned long']], 'PreviousFrequency' : [ 0x30, ['unsigned long']], 'PreviousPercent' : [ 0x34, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x38, ['unsigned long']], 'SelectedState' : [ 0x40, ['unsigned long long']], 'Force' : [ 0x48, ['unsigned char']], } ], '__unnamed_1f16' : [ 0x10, { 'CallerCompletion' : [ 0x0, ['pointer', ['void']]], 'CallerContext' : [ 0x4, ['pointer', ['void']]], 'CallerDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0xc, ['unsigned char']], } ], '__unnamed_1f19' : [ 0x8, { 'NotifyDevice' : [ 0x0, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x4, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'Pdo' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x18, ['unsigned long long']], 'WatchdogTimer' : [ 0x20, ['_KTIMER']], 'WatchdogDpc' : [ 0x48, ['_KDPC']], 'MinorFunction' : [ 0x68, ['unsigned char']], 'PowerStateType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0x70, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0x74, ['unsigned char']], 'FxDevice' : [ 0x78, ['pointer', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0x7c, ['unsigned char']], 'NotifyPEP' : [ 0x7d, ['unsigned char']], 'Device' : [ 0x80, ['__unnamed_1f16']], 'System' : [ 0x80, ['__unnamed_1f19']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, 
['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_MI_USER_VA_INFO' : [ 0xcfc, { 'NumberOfCommittedPageTables' : [ 0x0, ['unsigned long']], 'PhysicalMappingCount' : [ 0x4, ['unsigned long']], 'VadBitMapHint' : [ 0x8, ['unsigned long']], 'LastAllocationSizeHint' : [ 0xc, ['unsigned long']], 'LastAllocationSize' : [ 0x10, ['unsigned long']], 'LowestBottomUpVadBit' : [ 0x14, ['unsigned long']], 'VadBitMapSize' : [ 0x18, ['unsigned long']], 'MaximumLastVadBit' : [ 0x1c, ['unsigned long']], 'VadsBeingDeleted' : [ 0x20, ['long']], 'LastVadDeletionEvent' : [ 0x24, ['pointer', ['_KEVENT']]], 'VadBitBuffer' : [ 0x28, ['pointer', ['unsigned long']]], 'LowestBottomUpAllocationAddress' : [ 0x2c, ['pointer', ['void']]], 'HighestTopDownAllocationAddress' : [ 0x30, ['pointer', ['void']]], 'FreeTebHint' : [ 0x34, ['pointer', ['void']]], 'PrivateFixupVadCount' : [ 0x38, ['unsigned long']], 'UsedPageTableEntries' : [ 0x3c, ['array', 1536, ['unsigned short']]], 'CommittedPageTables' : [ 0xc3c, ['array', 48, ['unsigned long']]], } ], '_PROC_FEEDBACK' : [ 0x68, { 'Lock' : [ 0x0, ['unsigned long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, 
['pointer', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x20, ['unsigned long long']], 'UnscaledTime' : [ 0x28, ['unsigned long long']], 'UnaccountedTime' : [ 0x30, ['long long']], 'ScaledTime' : [ 0x38, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x48, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x50, ['unsigned long long']], 'UserTimeLast' : [ 0x58, ['unsigned long']], 'KernelTimeLast' : [ 0x5c, ['unsigned long']], 'KernelTimesIndex' : [ 0x60, ['unsigned char']], } ], '__unnamed_1f2c' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1f30' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1f32' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f34' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_1f36' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1f38' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1f3a' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f3c' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 
'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1f3e' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1f40' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1f42' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f44' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1f2c']], 'Memory' : [ 0x0, ['__unnamed_1f2c']], 'Interrupt' : [ 0x0, ['__unnamed_1f30']], 'Dma' : [ 0x0, ['__unnamed_1f32']], 'DmaV3' : [ 0x0, ['__unnamed_1f34']], 'Generic' : [ 0x0, ['__unnamed_1f2c']], 'DevicePrivate' : [ 0x0, ['__unnamed_1f36']], 'BusNumber' : [ 0x0, ['__unnamed_1f38']], 'ConfigData' : [ 0x0, ['__unnamed_1f3a']], 'Memory40' : [ 0x0, ['__unnamed_1f3c']], 'Memory48' : [ 0x0, ['__unnamed_1f3e']], 'Memory64' : [ 0x0, ['__unnamed_1f40']], 'Connection' : [ 0x0, ['__unnamed_1f42']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1f44']], } ], '_POP_THERMAL_ZONE' : [ 0x150, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' 
: [ 0xd, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x10, ['long']], 'Throttle' : [ 0x14, ['long']], 'PendingThrottle' : [ 0x18, ['long']], 'ThrottleStartTime' : [ 0x20, ['unsigned long long']], 'LastTime' : [ 0x28, ['unsigned long long']], 'SampleRate' : [ 0x30, ['unsigned long']], 'LastTemp' : [ 0x34, ['unsigned long']], 'PassiveTimer' : [ 0x38, ['_KTIMER']], 'PassiveDpc' : [ 0x60, ['_KDPC']], 'OverThrottled' : [ 0x80, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x90, ['pointer', ['_IRP']]], 'Info' : [ 0x94, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0xe0, ['_LARGE_INTEGER']], 'Metrics' : [ 0xe8, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x3a0, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'Allocate' : [ 0x8, ['pointer', ['void']]], 'Free' : [ 0xc, ['pointer', 
['void']]], 'FileWrite' : [ 0x10, ['pointer', ['void']]], 'FileRead' : [ 0x14, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x18, ['pointer', ['void']]], 'BaseBlock' : [ 0x1c, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x20, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x28, ['unsigned long']], 'DirtyAlloc' : [ 0x2c, ['unsigned long']], 'BaseBlockAlloc' : [ 0x30, ['unsigned long']], 'Cluster' : [ 0x34, ['unsigned long']], 'Flat' : [ 0x38, ['unsigned char']], 'ReadOnly' : [ 0x39, ['unsigned char']], 'DirtyFlag' : [ 0x3a, ['unsigned char']], 'HvBinHeadersUse' : [ 0x3c, ['unsigned long']], 'HvFreeCellsUse' : [ 0x40, ['unsigned long']], 'HvUsedCellsUse' : [ 0x44, ['unsigned long']], 'CmUsedCellsUse' : [ 0x48, ['unsigned long']], 'HiveFlags' : [ 0x4c, ['unsigned long']], 'CurrentLog' : [ 0x50, ['unsigned long']], 'LogSize' : [ 0x54, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x5c, ['unsigned long']], 'StorageTypeCount' : [ 0x60, ['unsigned long']], 'Version' : [ 0x64, ['unsigned long']], 'Storage' : [ 0x68, ['array', 2, ['_DUAL']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x68, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x38, ['unsigned long']], 'PassiveCount' : [ 0x3c, ['unsigned long']], 'LastActiveStartTick' : [ 0x40, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x48, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x50, ['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x58, ['_LARGE_INTEGER']], 'StartTickSinceLastReset' : [ 0x60, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 
'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 
0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 'SecurityQos' : [ 0x1c, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1e, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1d, ['unsigned char']], } ], '__unnamed_1f98' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1f9a' : [ 0x10, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1f98']], } ], '_VF_TARGET_DRIVER' : [ 0x1c, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x8, ['__unnamed_1f9a']], 'VerifiedData' : [ 0x18, ['pointer', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '_MM_AVL_TABLE' : [ 0x18, { 'BalancedRoot' : [ 0x0, ['_MM_AVL_NODE']], 'DepthOfTree' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'TableType' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x10, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x14, ['pointer', ['void']]], } ], '__unnamed_1fa7' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1fa9' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1fab' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceId' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1fad' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1faf' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1fb1' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], 
# Entry layout used throughout this table:
#   'TypeName' : [ total_size, { 'Member' : [ offset, [type, ...] ] } ]
# The entries below describe the Plug and Play event block and the anonymous
# payload types it embeds, followed by one verifier bookkeeping record.
# NOTE(review): these layouts are applied to bytes read from a memory image;
# length fields and pointers decoded through them should be range-checked
# before they drive further reads, since image contents may be corrupt or
# deliberately altered.

# Payload carrying a single GUID (0x10 bytes).
'__unnamed_1fb3' : [ 0x10, {
    'BlockedDriverGuid' : [ 0x0, ['_GUID']],
} ],
# Payload holding a wide-character identifier. The array is declared with one
# element; presumably a placeholder for a longer string whose real length is
# not described here -- confirm before reading past the first wchar.
'__unnamed_1fb5' : [ 0x2, {
    'ParentId' : [ 0x0, ['array', 1, ['wchar']]],
} ],
# Power-setting payload: GUID, flags, session id, then a byte buffer.
'__unnamed_1fb7' : [ 0x20, {
    'PowerSettingGuid' : [ 0x0, ['_GUID']],
    'Flags' : [ 0x10, ['unsigned long']],
    'SessionId' : [ 0x14, ['unsigned long']],
    'DataLength' : [ 0x18, ['unsigned long']],
    # Declared as one byte; presumably DataLength gives the real size -- TODO
    # confirm, and bound any read that uses it.
    'Data' : [ 0x1c, ['array', 1, ['unsigned char']]],
} ],
# Overlay of every payload variant: all members sit at offset 0x0, so they are
# alternative views of the same 0x20 bytes (the size of the largest variant,
# __unnamed_1fb7). Which view is meaningful is presumably selected by
# EventCategory in _PLUGPLAY_EVENT_BLOCK -- verify against the consumer.
'__unnamed_1fb9' : [ 0x20, {
    'DeviceClass' : [ 0x0, ['__unnamed_1fa7']],
    'TargetDevice' : [ 0x0, ['__unnamed_1fa9']],
    'InstallDevice' : [ 0x0, ['__unnamed_1fa9']],
    'CustomNotification' : [ 0x0, ['__unnamed_1fab']],
    'ProfileNotification' : [ 0x0, ['__unnamed_1fad']],
    'PowerNotification' : [ 0x0, ['__unnamed_1faf']],
    'VetoNotification' : [ 0x0, ['__unnamed_1fb1']],
    'BlockedDriverNotification' : [ 0x0, ['__unnamed_1fb3']],
    'InvalidIDNotification' : [ 0x0, ['__unnamed_1fb5']],
    'PowerSettingNotification' : [ 0x0, ['__unnamed_1fb7']],
    'PropertyChangeNotification' : [ 0x0, ['__unnamed_1fa9']],
    'DeviceInstanceNotification' : [ 0x0, ['__unnamed_1fa9']],
} ],
# Plug and Play event block: 0x24 bytes of header followed by the 0x20-byte
# payload overlay 'u' (0x24 + 0x20 = 0x44). Pointers occupy 4 bytes here
# ('Result' at 0x14, next member at 0x18), i.e. this is a 32-bit layout.
'_PLUGPLAY_EVENT_BLOCK' : [ 0x44, {
    'EventGuid' : [ 0x0, ['_GUID']],
    'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]],
    'Result' : [ 0x14, ['pointer', ['unsigned long']]],
    'Flags' : [ 0x18, ['unsigned long']],
    # Presumably the size of the whole block including a variable-length
    # payload -- confirm; treat as untrusted when sizing reads.
    'TotalSize' : [ 0x1c, ['unsigned long']],
    'DeviceObject' : [ 0x20, ['pointer', ['void']]],
    'u' : [ 0x24, ['__unnamed_1fb9']],
} ],
# Verifier record: list linkage, two counters and a driver base name stored as
# a _UNICODE_STRING.
'_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, {
    'Links' : [ 0x0, ['_LIST_ENTRY']],
    'Loads' : [ 0x8, ['unsigned long']],
    'Unloads' : [ 0xc, ['unsigned long']],
    'BaseName' : [ 0x10, ['_UNICODE_STRING']],
} ],
'_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x50, { 'Context' : [ 0x0, ['pointer', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x38, ['unsigned long']], 'DependencyUsed' : [ 0x3c, ['unsigned long']], 'DependencyArray' : [ 0x40, ['pointer', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x44, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x48, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x4c, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 
0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 220, ['unsigned char']]], 'Cr0NpxState' : [ 0x1fc, ['unsigned long']], } ], '__unnamed_1fd6' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1fd6']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 
'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x58, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 
'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 
0x4c, ['pointer', ['void']]], 'WaitObjectFlagMask' : [ 0x50, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x54, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x56, ['unsigned short']], } ], '__unnamed_2008' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_2008']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_DIRTY_PAGE_STATISTICS' : [ 0xc, { 'DirtyPages' : [ 0x0, ['unsigned long']], 'DirtyPagesLastScan' : [ 0x4, ['unsigned long']], 'DirtyPagesScheduledLastScan' : [ 0x8, ['unsigned long']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x10, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 
'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : 
[ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '__unnamed_204c' : [ 0x4, { 
'ProviderPdo' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ProviderReservation' : [ 0x0, ['pointer', ['_PNP_RESERVED_PROVIDER_INFO']]], } ], '_PNP_PROVIDER_INFO' : [ 0x10, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ProviderType' : [ 0x8, ['unsigned char']], 'Satisfied' : [ 0x9, ['unsigned char']], 'Flags' : [ 0xa, ['unsigned short']], 'u' : [ 0xc, ['__unnamed_204c']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 
'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_POP_SYSTEM_IDLE' : [ 0x40, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned long']], 'IdleWorker' : [ 0x28, ['unsigned char']], 'Sampling' : [ 0x29, ['unsigned char']], 'LastTick' : [ 0x30, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x38, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x10, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0xc, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_KSCHEDULING_GROUP' : [ 0x140, { 'Value' : [ 0x0, ['unsigned short']], 
'Type' : [ 0x2, ['unsigned char']], 'HardCap' : [ 0x3, ['unsigned char']], 'RelativeWeight' : [ 0x4, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x8, ['unsigned long long']], 'NotificationCycles' : [ 0x10, ['long long']], 'SchedulingGroupList' : [ 0x18, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x20, ['pointer', ['_KDPC']]], 'PerProcessor' : [ 0x40, ['array', 1, ['_KSCB']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x18, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' : [ 0xc, ['unsigned long']], 'ObjectInfo' : [ 0x10, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x14, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 
'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x18, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'Irp' : [ 0xc, ['pointer', ['_IRP']]], 'Device' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Static' : [ 0x14, ['unsigned char']], } ], '__unnamed_2081' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_2083' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_2085' : [ 0xc, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_2087' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_2085']], 'Translated' : [ 0x0, ['__unnamed_2083']], } ], '__unnamed_2089' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_208b' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_208d' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_208f' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_2091' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_2093' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_2095' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_2097' : [ 0xc, 
{ 'Generic' : [ 0x0, ['__unnamed_2081']], 'Port' : [ 0x0, ['__unnamed_2081']], 'Interrupt' : [ 0x0, ['__unnamed_2083']], 'MessageInterrupt' : [ 0x0, ['__unnamed_2087']], 'Memory' : [ 0x0, ['__unnamed_2081']], 'Dma' : [ 0x0, ['__unnamed_2089']], 'DmaV3' : [ 0x0, ['__unnamed_208b']], 'DevicePrivate' : [ 0x0, ['__unnamed_1f36']], 'BusNumber' : [ 0x0, ['__unnamed_208d']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_208f']], 'Memory40' : [ 0x0, ['__unnamed_2091']], 'Memory48' : [ 0x0, ['__unnamed_2093']], 'Memory64' : [ 0x0, ['__unnamed_2095']], 'Connection' : [ 0x0, ['__unnamed_1f42']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_2097']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_209f' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_209f']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_20a9' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_20a9']], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 
'_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', ['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '_POP_FX_DEVICE' : [ 0x108, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Plugin' : [ 0x8, ['pointer', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0xc, ['pointer', ['PEPHANDLE__']]], 'MiniPlugin' : [ 0x10, ['pointer', ['_POP_FX_PLUGIN']]], 'MiniPluginHandle' : [ 0x14, ['pointer', ['PEPHANDLE__']]], 'DevNode' : [ 0x18, ['pointer', ['_DEVICE_NODE']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x24, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0x40, ['pointer', ['void']]], 'RemoveLock' : [ 0x44, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0x5c, ['_POP_FX_WORK_ORDER']], 'Status' : [ 0x70, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x74, ['long']], 'PowerNotReqCall' : [ 0x78, ['long']], 'IdleLock' : [ 0x7c, ['unsigned long']], 'IdleTimer' : [ 0x80, ['_KTIMER']], 'IdleDpc' : [ 0xa8, ['_KDPC']], 'IdleTimeout' : [ 0xc8, ['unsigned long long']], 'IdleStamp' : [ 0xd0, ['unsigned long long']], 'Irp' : [ 0xd8, ['pointer', ['_IRP']]], 'IrpData' : [ 0xdc, ['pointer', ['_POP_IRP_DATA']]], 'NextIrpDeviceObject' : [ 0xe0, ['pointer', ['_DEVICE_OBJECT']]], 'NextIrpPowerState' : [ 0xe4, ['_POWER_STATE']], 'NextIrpCallerCompletion' : [ 0xe8, ['pointer', ['void']]], 'NextIrpCallerContext' : [ 0xec, ['pointer', ['void']]], 'IrpCompleteEvent' : [ 0xf0, ['_KEVENT']], 'ComponentCount' : [ 0x100, ['unsigned long']], 'Components' : [ 0x104, ['array', 1, ['pointer', ['_POP_FX_COMPONENT']]]], } ], '__unnamed_20bc' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_20be' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_20bc']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x40, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 
'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, ['_LIST_ENTRY']], 'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x30, ['_LIST_ENTRY']], 'Specific' : [ 0x38, ['__unnamed_20be']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x1c, { 'BadPageCount' : [ 0x0, ['unsigned long']], 'BadPagesDetected' : [ 0x4, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x8, ['long']], 'ScrubPasses' : [ 0xc, ['long']], 'ScrubBadPagesFound' : [ 0x10, ['long']], 'FeatureBits' : [ 0x14, ['unsigned long']], 'TimeZoneId' : [ 0x18, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', 
['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 
'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, 
['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 
'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x34, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x24, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'Context' : [ 0xc, ['pointer', ['void']]], 'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x14, ['unsigned long']], 'Status' : [ 0x18, ['long']], 'Information' : [ 0x1c, ['pointer', ['void']]], 'ReferenceCount' : [ 0x20, ['long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, 
['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'FrameType' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_2122' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_2125' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x28, { 'VadNode' : [ 0x0, ['_MM_AVL_NODE']], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'PushLock' : [ 0x14, ['_EX_PUSH_LOCK']], 'u' : [ 0x18, ['__unnamed_2122']], 'u1' : [ 0x1c, ['__unnamed_2125']], 'EventList' : [ 0x20, 
['pointer', ['_MI_VAD_EVENT_BLOCK']]], 'ReferenceCount' : [ 0x24, ['long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x8, ['unsigned long']], 'SyncCallback' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 
'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 
'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0xc, ['pointer', ['_HANDLE_TABLE']]], 'Flags' : [ 0x10, ['unsigned long']], 'NumberOfBuckets' : [ 0x14, ['unsigned long']], 'Buckets' : [ 0x18, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], 
'__unnamed_2162' : [ 0x10, { 'ProgrammedTime' : [ 0x0, ['unsigned long long']], 'TimerInfo' : [ 0x8, ['pointer', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0xd8, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x58, ['array', 3, ['__unnamed_2162']]], 'FilteredCapabilities' : [ 0x88, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x6, { 'Processor' : [ 0x0, ['_PROCESSOR_NUMBER']], 'ExpectedState' : [ 0x4, ['unsigned 
char']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x28, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' 
: [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x368, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2189' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_218b' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_2189']], 'Button' : [ 0xc, ['__unnamed_218b']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 
'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 
0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x2a0, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, 
['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, ['unsigned long']], 'PackageDependencyData' : [ 0x298, ['pointer', ['void']]], 'ProcessGroupId' : [ 0x29c, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x18, { 'Mdl' : [ 0x0, ['pointer', ['_MDL']]], 'UserVa' : [ 0x4, ['pointer', ['void']]], 'UserLimit' : [ 0x8, ['pointer', ['void']]], 'SystemVa' : [ 0xc, ['pointer', ['void']]], 'SystemLimit' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, 
['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 
0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', 
['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_220e' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1fc0, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_220e']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x18, ['unsigned long']], 'NonPagablePages' : [ 0x1c, ['unsigned long']], 'CommittedPages' : [ 0x20, ['unsigned long']], 'PagedPoolStart' : [ 0x24, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x28, ['pointer', ['void']]], 'SessionObject' : [ 0x2c, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x30, ['pointer', ['void']]], 'SessionPoolAllocationFailures' : [ 0x34, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x44, ['_LIST_ENTRY']], 'LocaleId' : [ 0x4c, ['unsigned long']], 'AttachCount' : [ 0x50, ['unsigned long']], 'AttachGate' : [ 0x54, ['_KGATE']], 'WsListEntry' : [ 0x64, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 24, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xc80, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xcb8, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xcec, ['_MMSUPPORT']], 'Wsle' : [ 0xd5c, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xd60, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xd80, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1ec0, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1ec8, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f10, ['_FAST_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1f30, ['long']], 
'PagedPoolPdeCount' : [ 0x1f34, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f38, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f3c, ['unsigned long']], 'SystemPteInfo' : [ 0x1f40, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f74, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1f78, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1f7c, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1f80, ['unsigned long']], 'IoState' : [ 0x1f84, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1f88, ['unsigned long']], 'IoNotificationEvent' : [ 0x1f8c, ['_KEVENT']], 'SessionPoolPdes' : [ 0x1f9c, ['_RTL_BITMAP']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '__unnamed_221e' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_2223' : [ 0x4, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x48, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x28, ['__unnamed_221e']], 'Subsection' : [ 0x2c, ['pointer', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x2c, ['pointer', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x30, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 
0x38, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x40, ['pointer', ['_EPROCESS']]], 'u4' : [ 0x44, ['__unnamed_2223']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_NONOPAQUE_OPLOCK' : [ 0x50, { 'IrpExclusiveOplock' : [ 0x0, ['pointer', ['_IRP']]], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x8, ['pointer', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'WaiterPriority' : [ 0x10, ['unsigned char']], 'IrpOplocksR' : [ 0x14, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x1c, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x24, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x2c, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x34, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x3c, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x44, ['pointer', ['_GUID']]], 'OplockState' : [ 0x48, ['unsigned long']], 'FastMutex' : [ 0x4c, ['pointer', ['_FAST_MUTEX']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', 
['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, 
['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x34, { 'Mutex' : [ 0x0, ['_FAST_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 'AllocatedPagedPool' : [ 0x30, 
['unsigned long']], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x18, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x8, ['pointer', ['void']]], 'SessionViewVa' : [ 0x8, ['pointer', ['void']]], 'VadsProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Type' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'SectionOffset' : [ 0x10, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0x18, ['unsigned long']], 'Processors' : [ 0x1c, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0x20, ['pointer', ['void']]], 'BoostPolicyHandler' : [ 0x24, ['pointer', ['void']]], 'BoostModeHandler' : [ 0x28, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x2c, ['pointer', ['void']]], 'PerfControlHandler' : [ 0x30, ['pointer', ['void']]], 'MaxFrequency' : [ 0x34, ['unsigned long']], 'NominalFrequency' : [ 0x38, ['unsigned long']], 'MaxPercent' : [ 0x3c, ['unsigned long']], 'MinPerfPercent' : [ 0x40, ['unsigned long']], 'MinThrottlePercent' : [ 0x44, ['unsigned long']], 'Coordination' : [ 0x48, ['unsigned char']], 'HardPlatformCap' : [ 0x49, ['unsigned char']], 'AffinitizeControl' : [ 0x4a, ['unsigned char']], 'SelectedPercent' : [ 0x4c, ['unsigned long']], 'SelectedFrequency' : [ 0x50, ['unsigned long']], 'DesiredPercent' : [ 0x54, ['unsigned long']], 'MaxPolicyPercent' : [ 0x58, ['unsigned long']], 'MinPolicyPercent' : [ 0x5c, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x60, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x64, ['unsigned long']], 'GuaranteedPercent' : 
[ 0x68, ['unsigned long']], 'TolerancePercent' : [ 0x6c, ['unsigned long']], 'SelectedState' : [ 0x70, ['unsigned long long']], 'Force' : [ 0x78, ['unsigned char']], 'PerfChangeTime' : [ 0x80, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0x88, ['unsigned long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x14, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_228e' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MM_AVL_NODE']]], } ], '_MM_AVL_NODE' : [ 0xc, { 'u1' : [ 0x0, ['__unnamed_228e']], 
'LeftChild' : [ 0x4, ['pointer', ['_MM_AVL_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MM_AVL_NODE']]], } ], '_ETW_BUFFER_QUEUE' : [ 0xc, { 'QueueHead' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueTail' : [ 0x4, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x48, { 'Lock' : [ 0x0, ['unsigned long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long']], 'SpecialPoolPdes' : [ 0x3c, ['_RTL_BITMAP']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x4, { 'LogHandleContext' : [ 0x0, ['pointer', ['_LOG_HANDLE_CONTEXT']]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_CURRENT_BROADCAST' : [ 0x10, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'DeviceState' : [ 0xc, ['pointer', ['_POP_DEVICE_SYS_STATE']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], 
'_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_FAST_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_IOV_IRP_TRACE' : [ 0x40, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x8, ['short']], 'SpecialApcDisable' : [ 0xa, ['short']], 'CombinedApcDisable' : [ 0x8, ['unsigned long']], 'Irql' : [ 0xc, ['unsigned char']], 'StackTrace' : [ 0x10, ['array', 12, ['pointer', ['void']]]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x4, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_PROC_IDLE_POLICY' : [ 0x5, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 
'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_KSCB' : [ 0xd0, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'UnderQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'RankCycleTarget' : [ 0x10, ['unsigned long long']], 'LongTermCycles' : [ 0x18, ['unsigned long long']], 'LastReportedCycles' : [ 0x20, ['unsigned long long']], 'OverQuotaHistory' : [ 0x28, ['unsigned long long']], 'PerProcessorList' : [ 0x30, ['_LIST_ENTRY']], 'QueueNode' : [ 0x38, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OverQuota' : [ 0x44, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardCap' : [ 0x44, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x44, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Spare1' : [ 0x44, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x45, ['unsigned char']], 'ReadySummary' : [ 0x46, ['unsigned short']], 'Rank' : [ 0x48, ['unsigned long']], 'ReadyListHead' : [ 0x4c, ['array', 16, ['_LIST_ENTRY']]], } ], '__unnamed_22c6' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_22c8' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_22c6']], 'Merged' : [ 0x10, ['__unnamed_22c8']], 'Attributes' : 
[ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_PROC_PERF_HISTORY' : [ 0x1c, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'UtilityTotal' : [ 0x8, ['unsigned long']], 'AffinitizedUtilityTotal' : [ 0xc, ['unsigned long']], 'FrequencyTotal' : [ 0x10, ['unsigned long']], 'HistoryList' : [ 0x14, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '__unnamed_22d4' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_22d4']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x3c, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 
'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_2008']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'SubsectionNode' : [ 0x20, ['_MM_AVL_NODE']], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x38, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer', ['_MMPTE']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 
'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Processors' : [ 0x4, ['unsigned long']], 'ActiveProcessors' : [ 0x8, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long 
long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '__unnamed_22f0' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_22f4' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_22f0']], 'u2' : [ 0x24, ['__unnamed_22f4']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '__unnamed_22fd' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_22ff' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_22fd']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x90, { 'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_22ff']], 'Signature' : [ 0x14, ['unsigned long']], 'PoolPageHeaders' : [ 0x18, 
['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, ['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, 
['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long']], 'PipelinedReadAheadRequestSize' : [ 0x54, ['unsigned long']], 'ReadAheadGrowth' : [ 0x58, ['unsigned long']], 'PrivateLinks' : [ 0x5c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x64, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : 
[ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PTE_TRACKER' : [ 0x44, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 7, ['pointer', ['void']]]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 
'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x28, { 'InstantaneousRead' : [ 0x0, ['pointer', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'DisableInterrupts' : [ 0x22, ['unsigned char']], 'Context' : [ 0x24, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0xc, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'MemAlloc' : [ 0x8, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x1c, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'Reference' : [ 0x8, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x18, ['unsigned char']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_PLATFORM_IDLE_ACCOUNTING' : [ 0x388, { 'ResetCount' : [ 0x0, ['unsigned long']], 'StateCount' : [ 0x4, ['unsigned long']], 'TimeUnit' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['_PLATFORM_IDLE_STATE_ACCOUNTING']]], } ], 
'_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_DUAL' : [ 0x19c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x190, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x198, ['unsigned long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x4, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 11, native_type='unsigned long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned long']], 'CompletionEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'LowboxNumber' : [ 0x14, 
['unsigned long']], 'AtomTable' : [ 0x18, ['pointer', ['void']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_FAST_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_FAST_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x28, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0xc, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0xc, ['array', 4, ['pointer', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0xc, ['pointer', ['void']]], 'SessionId' : [ 0x10, ['unsigned long']], 'Process' : [ 0x1c, ['pointer', ['_EPROCESS']]], 'CallbackContext' : [ 0x1c, ['pointer', ['void']]], 'Callback' : [ 0x20, ['pointer', ['void']]], 'Index' : [ 0x24, ['unsigned short']], 'Flags' : [ 0x26, ['unsigned char']], 'DbgKernelRegistration' : [ 0x26, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgUserRegistration' : [ 0x26, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DbgReplyRegistration' : [ 0x26, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'DbgClassicRegistration' : [ 0x26, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'DbgSessionSpaceRegistration' : [ 0x26, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DbgModernRegistration' : [ 0x26, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 
'DbgClosed' : [ 0x26, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DbgInserted' : [ 0x26, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'EnableMask' : [ 0x27, ['unsigned char']], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 
8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x98, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InProgressLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x34, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x34, ['unsigned long']], 'PackagedBinary' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x34, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x34, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x34, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x34, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x34, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x34, ['BitField', 
dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x34, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x34, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReservedFlags2' : [ 0x34, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x34, ['BitField', dict(start_bit = 15, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x34, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x34, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x34, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x34, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x34, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x34, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x34, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x34, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x34, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 
'ObsoleteLoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], 'DdagNode' : [ 0x50, ['pointer', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0x54, ['_LIST_ENTRY']], 'SnapContext' : [ 0x5c, ['pointer', ['_LDRP_DLL_SNAP_CONTEXT']]], 'ParentDllBase' : [ 0x60, ['pointer', ['void']]], 'SwitchBackContext' : [ 0x64, ['pointer', ['void']]], 'BaseAddressIndexNode' : [ 0x68, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0x74, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0x80, ['unsigned long']], 'LoadTime' : [ 0x88, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x90, ['unsigned long']], 'LoadReason' : [ 0x94, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], } ], '_LDR_DDAG_NODE' : [ 0x30, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x8, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0xc, ['unsigned long']], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'DependencyCount' : [ 0x14, ['unsigned long']], 'Dependencies' : [ 0x18, ['_LDRP_CSLIST']], 'RemovalLink' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'IncomingDependencies' : [ 0x1c, ['_LDRP_CSLIST']], 'State' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 
'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x28, ['unsigned long']], 'LowestLink' : [ 0x2c, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x104, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'Order' : [ 0x1c, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0xec, ['_LIST_ENTRY']], 'Status' : [ 0xf4, ['long']], 'FailedDevice' : [ 0xf8, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0xfc, ['unsigned char']], 'Cancelled' : [ 0xfd, ['unsigned char']], 'IgnoreErrors' : [ 0xfe, ['unsigned char']], 'IgnoreNotImplemented' : [ 0xff, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x100, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, 
native_type='unsigned short')]], 'FloppyMedia' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ILOnly' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x8, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 
'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x20, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Latency' : [ 0xc, ['unsigned long']], 'Power' : [ 0x10, ['unsigned long']], 'StateFlags' : [ 0x14, ['unsigned long']], 'StateType' : [ 0x18, ['unsigned char']], 'InterruptsEnabled' : [ 0x19, ['unsigned char']], 'Interruptible' : [ 0x1a, ['unsigned char']], 'ContextRetained' : [ 0x1b, ['unsigned char']], 'CacheCoherent' : [ 0x1c, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x34, { 'FreeListLock' : [ 0x0, 
['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x8, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0xc, ['long']], 'HighWaterMark' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['array', 8, ['unsigned long']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_23ac' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x14, { 'NodeRangeSize' : [ 0x0, ['unsigned long']], 'NodeCount' : [ 0x4, ['unsigned long']], 'Tables' : [ 0x8, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0xc, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_23ac']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' 
: [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 
'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_RELATION_LIST_ENTRY' : [ 0xc, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x6, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], } ], '_POP_FX_COMPONENT' : [ 0x88, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x14, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x28, ['pointer', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x2c, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x34, ['long']], 'ActiveEvent' : [ 0x38, ['_KEVENT']], 'IdleLock' : [ 0x48, ['unsigned long']], 'IdleConditionComplete' : [ 0x4c, ['long']], 'IdleStateComplete' : [ 0x50, ['long']], 'IdleStamp' : [ 0x58, ['unsigned long long']], 'CurrentIdleState' : [ 0x60, ['unsigned long']], 'IdleStateCount' : [ 0x64, ['unsigned long']], 'IdleStates' : [ 0x68, ['pointer', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0x6c, ['unsigned long']], 'ProviderCount' : [ 0x70, ['unsigned long']], 'Providers' : [ 0x74, ['pointer', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0x78, ['unsigned long']], 'DependentCount' : [ 0x7c, ['unsigned long']], 'Dependents' : [ 0x80, ['pointer', ['_POP_FX_DEPENDENT']]], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x1c, { 'ComponentActive' : [ 0x0, ['pointer', ['void']]], 'ComponentIdle' : [ 0x4, ['pointer', ['void']]], 'ComponentIdleState' : [ 0x8, ['pointer', ['void']]], 'DevicePowerRequired' : [ 0xc, ['pointer', 
['void']]], 'DevicePowerNotRequired' : [ 0x10, ['pointer', ['void']]], 'PowerControl' : [ 0x14, ['pointer', ['void']]], 'ComponentCriticalTransition' : [ 0x18, ['pointer', ['void']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x2c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x8, ['unsigned char']], 'Spare' : [ 0x9, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0xc, ['unsigned long']], 'DebugId' : [ 0x10, ['_CVDD']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x403c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40d8, 
['long']], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, 
['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_PLATFORM_IDLE_STATE_ACCOUNTING' : [ 0x370, { 'CancelCount' : [ 0x0, ['unsigned long']], 'FailureCount' : [ 0x4, ['unsigned long']], 'SuccessCount' : [ 0x8, ['unsigned long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'TotalTime' : [ 0x20, ['unsigned long long']], 'InvalidBucketIndex' : [ 0x28, ['unsigned long']], 'IdleTimeBuckets' : [ 0x30, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', 
['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, 
['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, 
end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x30, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long']], 'OverrideState' : [ 0x1c, ['unsigned long']], 'TimeCheck' : [ 0x20, ['unsigned long']], 'PromotePercent' : [ 0x24, ['unsigned char']], 'DemotePercent' : [ 0x25, ['unsigned char']], 'Parked' : [ 0x26, ['unsigned char']], 'Interruptible' : [ 0x27, ['unsigned char']], 'PlatformIdle' : [ 0x28, ['unsigned char']], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, ['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x12, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'CopyOnWrite' : [ 
0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_240e' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2410' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_240e']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2410']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long 
long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_2422' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_2422']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 
'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x18, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x10, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 
'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, 
['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_ETW_GUID_ENTRY' : [ 0x160, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['pointer', ['pointer', ['_EVENT_FILTER_HEADER']]]], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 
'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_247a' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_247c' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_247a']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_247c']], } ], '_PNP_RESERVED_PROVIDER_INFO' : [ 0x1c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DependentList' : [ 0x8, ['_LIST_ENTRY']], 'ReservationId' : [ 0x10, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x80, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x3c, ['pointer', ['void']]], 'Lock' : [ 0x40, ['long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1d, { 'PerUserPolicy' : [ 0x0, ['array', 29, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_2492' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_2494' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_2498' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', 
choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_249c' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_249e' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_2492']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2494']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2498']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_249c']], 'Others' : [ 0x0, ['__unnamed_249e']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x4, { 'Function' : [ 0x0, ['pointer', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x4, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_HIVE_WAIT_PACKET' : [ 0x1c, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Next' : [ 0x14, ['pointer', ['_HIVE_WAIT_PACKET']]], 'PrimaryFileWritten' : [ 0x18, ['unsigned char']], } ], '__unnamed_24ab' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_24ad' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, 
['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_24af' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_24ab']], 'Interrupt' : [ 0x0, ['__unnamed_24ad']], 'LocalInterrupt' : [ 0x0, ['__unnamed_24ad']], 'Sci' : [ 0x0, ['__unnamed_24ad']], 'Nmi' : [ 0x0, ['__unnamed_24ad']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_24af']], } ], '_POP_HIBER_CONTEXT' : [ 0x120, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'VerifyKernelPhaseOnResume' : [ 0x3, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x4, ['unsigned char']], 'InitializationFinished' : [ 0x5, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'MapFrozen' : [ 0x14, ['unsigned char']], 'DiscardMap' : [ 0x18, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x18, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x20, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x28, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x30, ['unsigned long']], 'ClonedPageCount' : [ 0x38, ['unsigned long long']], 'CurrentMap' : [ 0x40, ['pointer', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x44, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x48, ['unsigned long']], 'LoaderMdl' : [ 0x4c, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x50, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x58, ['unsigned long long']], 'IoPages' : [ 0x60, ['pointer', ['void']]], 'IoPagesCount' : [ 0x64, ['unsigned long']], 'CurrentMcb' : [ 0x68, ['pointer', ['void']]], 'DumpStack' : [ 0x6c, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x70, ['pointer', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0x74, ['unsigned long']], 
'Status' : [ 0x78, ['long']], 'GraphicsProc' : [ 0x7c, ['unsigned long']], 'MemoryImage' : [ 0x80, ['pointer', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0x84, ['pointer', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0x88, ['pointer', ['_MDL']]], 'SiLogOffset' : [ 0x8c, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0x90, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0x94, ['pointer', ['void']]], 'ResumeContext' : [ 0x98, ['pointer', ['void']]], 'ResumeContextPages' : [ 0x9c, ['unsigned long']], 'ProcessorCount' : [ 0xa0, ['unsigned long']], 'ProcessorContext' : [ 0xa4, ['pointer', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0xa8, ['pointer', ['unsigned char']]], 'ProdConsSize' : [ 0xac, ['unsigned long']], 'MaxDataPages' : [ 0xb0, ['unsigned long']], 'ExtraBuffer' : [ 0xb4, ['pointer', ['void']]], 'ExtraBufferSize' : [ 0xb8, ['unsigned long']], 'ExtraMapVa' : [ 0xbc, ['pointer', ['void']]], 'BitlockerKeyPFN' : [ 0xc0, ['unsigned long']], 'IoInfo' : [ 0xc8, ['_POP_IO_INFO']], 'HardwareConfigurationSignature' : [ 0x118, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 
0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x100, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xc0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xc8, ['pointer', ['void']]], 'PointersLength' : [ 0xcc, ['unsigned long']], 'ModulePrefix' : [ 0xd0, ['pointer', ['unsigned short']]], 'DriverList' : [ 0xd4, ['_LIST_ENTRY']], 'InitMsg' : [ 0xdc, ['_STRING']], 'ProgMsg' : [ 0xe4, ['_STRING']], 'DoneMsg' : [ 0xec, ['_STRING']], 'FileObject' : [ 0xf4, ['pointer', ['void']]], 'UsageType' : [ 0xf8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x24, { 'InitiatingThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ThreadId' : [ 0x8, ['pointer', ['void']]], 'ProcessId' : [ 0xc, ['pointer', ['void']]], 'Code' : [ 0x10, ['unsigned long']], 'Parameter1' : [ 0x14, ['unsigned long']], 'Parameter2' : [ 0x18, ['unsigned long']], 'Parameter3' : [ 0x1c, ['unsigned long']], 'Parameter4' : [ 0x20, ['unsigned long']], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], 
'_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, ['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 31, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x18, { 'Next' : [ 0x0, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'Gate' : [ 0x8, ['_KGATE']], 'SecureInfo' : [ 0x8, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x8, ['_RTL_BITMAP']], 'InPageSupport' : [ 0x8, 
['pointer', ['_MMINPAGE_SUPPORT']]], 'PhysicalMemory' : [ 0x8, ['_MI_PHYSMEM_BLOCK']], 'LargePage' : [ 0x8, ['pointer', ['_MI_LARGEPAGE_MEMORY_INFO']]], } ], '__unnamed_24e8' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_24e8']], } ], '__unnamed_24ec' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_24ec']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], 'PO_MEMORY_IMAGE' : [ 0x2c8, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 
'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'NoFreePages' : [ 0x38, ['unsigned long']], 'FreeMapCheck' : [ 0x3c, ['unsigned long']], 'WakeCheck' : [ 0x40, ['unsigned long']], 'NumPagesForLoader' : [ 0x48, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x50, ['unsigned long']], 'FirstKernelRestorePage' : [ 0x54, ['unsigned long']], 'PerfInfo' : [ 0x58, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x200, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x204, ['array', 1, ['unsigned long']]], 'SiLogOffset' : [ 0x208, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x20c, ['unsigned long']], 'BootLoaderLogPages' : [ 0x210, ['array', 24, ['unsigned long']]], 'NotUsed' : [ 0x270, ['unsigned long']], 'ResumeContextCheck' : [ 0x274, ['unsigned long']], 'ResumeContextPages' : [ 0x278, ['unsigned long']], 'Hiberboot' : [ 0x27c, ['unsigned char']], 'HvCr3' : [ 0x280, ['unsigned long long']], 'HvEntryPoint' : [ 0x288, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x290, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x298, ['unsigned long long']], 'BootFlags' : [ 0x2a0, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x2a8, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x2b0, ['unsigned long']], 'BitlockerKeyPfns' : [ 0x2b4, ['array', 4, ['unsigned long']]], 'HardwareSignature' : [ 0x2c4, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x10, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x1a8, { 
'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'TotalHibernateTime' : [ 0x30, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x38, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x3c, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x40, ['unsigned long']], 'ResumeAppTicks' : [ 0x48, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x50, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x58, ['unsigned long long']], 'ResumeInitTicks' : [ 0x60, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x68, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x70, ['unsigned long long']], 'ResumeIoTicks' : [ 0x78, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x80, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0x88, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0x90, ['unsigned long long']], 'ResumeMapTicks' : [ 0x98, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xa0, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xa8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xb0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xb8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xc0, ['unsigned long long']], 'HalTscOffset' : [ 0xc8, ['unsigned long long']], 'HvlTscOffset' : [ 0xd0, ['unsigned long long']], 'SleeperThreadEnd' : [ 0xd8, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0xe0, ['unsigned long long']], 'IoBoundedness' : [ 0xe8, ['unsigned long long']], 'KernelDecompressTicks' : [ 0xf0, ['unsigned long long']], 'KernelIoTicks' : [ 0xf8, ['unsigned long long']], 'KernelCopyTicks' : [ 0x100, ['unsigned long long']], 'ReadCheckCount' : [ 0x108, ['unsigned long long']], 'KernelInitTicks' : [ 0x110, ['unsigned long 
long']], 'KernelResumeHiberFileTicks' : [ 0x118, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x120, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x128, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x130, ['unsigned long long']], 'AnimationStart' : [ 0x138, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x140, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x148, ['unsigned long']], 'BootPagesProcessed' : [ 0x150, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x158, ['unsigned long long']], 'BootBytesWritten' : [ 0x160, ['unsigned long long']], 'KernelBytesWritten' : [ 0x168, ['unsigned long long']], 'BootPagesWritten' : [ 0x170, ['unsigned long long']], 'KernelPagesWritten' : [ 0x178, ['unsigned long long']], 'BytesWritten' : [ 0x180, ['unsigned long long']], 'PagesWritten' : [ 0x188, ['unsigned long']], 'FileRuns' : [ 0x18c, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x190, ['unsigned long']], 'MaxHuffRatio' : [ 0x194, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x198, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1a0, ['unsigned long long']], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_FREE_DISPLAY' : [ 0x10, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '__unnamed_2508' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2508']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_MI_PHYSMEM_BLOCK' : [ 0x4, { 'IoTracker' : [ 0x0, ['pointer', ['_MMIO_TRACKER']]], } ], 
'_POP_PER_PROCESSOR_CONTEXT' : [ 0x70, { 'UncompressedData' : [ 0x0, ['pointer', ['unsigned char']]], 'MappingVa' : [ 0x4, ['pointer', ['void']]], 'XpressEncodeWorkspace' : [ 0x8, ['pointer', ['void']]], 'CompressedDataBuffer' : [ 0xc, ['pointer', ['unsigned char']]], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'CompressTicks' : [ 0x18, ['unsigned long long']], 'BytesCopied' : [ 0x20, ['unsigned long long']], 'PagesProcessed' : [ 0x28, ['unsigned long long']], 'DecompressTicks' : [ 0x30, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x38, ['unsigned long long']], 'SharedBufferTicks' : [ 0x40, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x48, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x68, ['unsigned long']], 'HuffCompressCount' : [ 0x6c, ['unsigned long']], } ], '_IO_REMOVE_LOCK' : [ 0x18, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_POP_IO_INFO' : [ 0x50, { 'DumpMdl' : [ 0x0, ['pointer', ['_MDL']]], 'IoStatus' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x8, ['unsigned long long']], 'IoBytesCompleted' : [ 0x10, ['unsigned long long']], 'IoBytesInProgress' : [ 0x18, ['unsigned long long']], 'RequestSize' : [ 0x20, ['unsigned long long']], 'IoLocation' : [ 0x28, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x30, ['unsigned long long']], 'Buffer' : [ 0x38, ['pointer', ['void']]], 'AsyncCapable' : [ 0x3c, ['unsigned char']], 'BytesToRead' : [ 0x40, ['unsigned long long']], 'Pages' : [ 0x48, ['unsigned long']], } ], '_LDRP_CSLIST' : [ 0x4, { 'Tail' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MMVIEW' : [ 0x28, { 'PteOffset' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['_MMVIEW_CONTROL_AREA']], 'ViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x18, ['pointer', ['void']]], 'SessionId' : [ 0x1c, ['unsigned long']], 
'SessionIdForGlobalSubsections' : [ 0x20, ['unsigned long']], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_MMVIEW_CONTROL_AREA' : [ 0x4, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExceptionForInPageErrors' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UsedForControlArea' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 
3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2537' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2539' : [ 0x10, { 'DiskId' : [ 
0x0, ['_GUID']], } ], '__unnamed_253b' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2537']], 'Gpt' : [ 0x0, ['__unnamed_2539']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xc0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MarkMemoryOnly' : [ 0x45, ['unsigned char']], 'HiberResume' : [ 0x46, ['unsigned char']], 'Reserved1' : [ 0x47, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_253b']], 'ReadRoutine' : [ 0x6c, ['pointer', ['void']]], 'GetDriveTelemetryRoutine' : [ 0x70, ['pointer', ['void']]], 'LogSectionTruncateSize' : [ 0x74, ['unsigned long']], 'Parameters' : [ 0x78, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xb8, ['pointer', ['void']]], 'DumpNotifyRoutine' : [ 0xbc, ['pointer', ['void']]], } ], '_ETW_QUEUE_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x8, ['pointer', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0xc, ['pointer', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x10, ['pointer', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x14, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned short']], 'ReplyIndex' : [ 0x1a, ['unsigned short']], 'Flags' : [ 
0x1c, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0xd0, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x18, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 
'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 
'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_MI_LARGEPAGE_MEMORY_INFO' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ColoredPageInfoBase' : [ 0x8, ['pointer', ['_COLORED_PAGE_INFO']]], 'PagesNeedZeroing' : [ 0xc, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Xcr0' : [ 0x3c, ['unsigned long long']], 'Reserved' : [ 0x44, ['array', 4, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_MMIO_TRACKER' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PageFrameIndex' : [ 0x8, ['unsigned long']], 'NumberOfPages' : [ 0xc, ['unsigned long']], 'BaseVa' : [ 0x10, ['pointer', ['void']]], 'CacheFlushTimeStamp' : [ 0x10, ['unsigned long']], 'Mdl' : [ 0x14, ['pointer', ['_MDL']]], 'MdlPages' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x1c, ['array', 6, ['pointer', ['void']]]], 'CacheInfo' : [ 0x34, ['array', 1, ['_IO_CACHE_INFO']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long 
long']], 'End' : [ 0x8, ['unsigned long long']], } ], '__unnamed_257c' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_257f' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0xe0, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'ListHead' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x18, ['_KEVENT']], 'CollidedEvent' : [ 0x28, ['_KEVENT']], 'IoStatus' : [ 0x38, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x40, ['_LARGE_INTEGER']], 'PteContents' : [ 0x48, ['_MMPTE']], 'LockedProtoPfn' : [ 0x50, ['pointer', ['_MMPFN']]], 'WaitCount' : [ 0x54, ['long']], 'ByteCount' : [ 0x58, ['unsigned long']], 'u3' : [ 0x5c, ['__unnamed_257c']], 'u1' : [ 0x60, ['__unnamed_257f']], 'FilePointer' : [ 0x64, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x68, ['pointer', ['_CONTROL_AREA']]], 'FaultingAddress' : [ 0x6c, ['pointer', ['void']]], 'PointerPte' : [ 0x70, ['pointer', ['_MMPTE']]], 'BasePte' : [ 0x74, ['pointer', ['_MMPTE']]], 'Pfn' : [ 0x78, ['pointer', ['_MMPFN']]], 'PrefetchMdl' : [ 0x7c, ['pointer', ['_MDL']]], 'Mdl' : [ 0x80, ['_MDL']], 'Page' : [ 0x9c, ['array', 16, ['unsigned long']]], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 
'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'BoostedPriority' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned 
char')]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 12, native_type='unsigned long')]], } ], '_COLORED_PAGE_INFO' : [ 0x10, { 'BeingZeroed' : [ 0x0, ['long']], 'Processor' : [ 0x4, ['unsigned long']], 'PagesQueued' : [ 0x8, ['unsigned long']], 'PfnAllocation' : [ 0xc, ['pointer', ['_MMPFN']]], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '_IO_CACHE_INFO' : [ 0x1, { 'CacheAttribute' : [ 0x0, ['unsigned char']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win2003_sp1_x64_vtypes.py0000644000000000000000000117642213131215405030743 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_1015' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1015']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, 
['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '__unnamed_1026' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1026']], 'QuadPart' : [ 0x0, ['long long']], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_KPRCB' : [ 0x2480, { 'MxCsr' : [ 0x0, ['unsigned long']], 'Number' : [ 0x4, ['unsigned char']], 'NestingLevel' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'UserRsp' : [ 0x20, ['unsigned long long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'SetMember' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'InitialApicId' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned char']], 'PrcbPad0x' : [ 0x645, ['array', 3, ['unsigned char']]], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'PrcbPad00' : [ 0x650, 
['array', 4, ['unsigned long long']]], 'LockQueue' : [ 0x670, ['array', 33, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x880, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x980, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PPPagedLookasideList' : [ 0xb80, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PacketBarrier' : [ 0xd80, ['unsigned long long']], 'DeferredReadyListHead' : [ 0xd88, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0xd90, ['long']], 'MmCopyOnWriteCount' : [ 0xd94, ['long']], 'MmTransitionCount' : [ 0xd98, ['long']], 'MmCacheTransitionCount' : [ 0xd9c, ['long']], 'MmDemandZeroCount' : [ 0xda0, ['long']], 'MmPageReadCount' : [ 0xda4, ['long']], 'MmPageReadIoCount' : [ 0xda8, ['long']], 'MmCacheReadCount' : [ 0xdac, ['long']], 'MmCacheIoCount' : [ 0xdb0, ['long']], 'MmDirtyPagesWriteCount' : [ 0xdb4, ['long']], 'MmDirtyWriteIoCount' : [ 0xdb8, ['long']], 'MmMappedPagesWriteCount' : [ 0xdbc, ['long']], 'MmMappedWriteIoCount' : [ 0xdc0, ['long']], 'LookasideIrpFloat' : [ 0xdc4, ['long']], 'KeSystemCalls' : [ 0xdc8, ['unsigned long']], 'IoReadOperationCount' : [ 0xdcc, ['long']], 'IoWriteOperationCount' : [ 0xdd0, ['long']], 'IoOtherOperationCount' : [ 0xdd4, ['long']], 'IoReadTransferCount' : [ 0xdd8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0xde0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0xde8, ['_LARGE_INTEGER']], 'KeContextSwitches' : [ 0xdf0, ['unsigned long']], 'PrcbPad2' : [ 0xdf4, ['array', 12, ['unsigned char']]], 'TargetSet' : [ 0xe00, ['unsigned long long']], 'IpiFrozen' : [ 0xe08, ['unsigned long']], 'PrcbPad3' : [ 0xe0c, ['array', 116, ['unsigned char']]], 'RequestMailbox' : [ 0xe80, ['array', 64, ['_REQUEST_MAILBOX']]], 'SenderSummary' : [ 0x1e80, ['unsigned long long']], 'PrcbPad4' : [ 0x1e88, ['array', 120, ['unsigned char']]], 'DpcData' : [ 0x1f00, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1f40, ['pointer64', ['void']]], 'SavedRsp' : [ 0x1f48, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 
0x1f50, ['long']], 'DpcRequestRate' : [ 0x1f54, ['unsigned long']], 'MinimumDpcRate' : [ 0x1f58, ['unsigned long']], 'DpcInterruptRequested' : [ 0x1f5c, ['unsigned char']], 'DpcThreadRequested' : [ 0x1f5d, ['unsigned char']], 'DpcRoutineActive' : [ 0x1f5e, ['unsigned char']], 'DpcThreadActive' : [ 0x1f5f, ['unsigned char']], 'TimerHand' : [ 0x1f60, ['unsigned long long']], 'TimerRequest' : [ 0x1f60, ['unsigned long long']], 'TickOffset' : [ 0x1f68, ['long']], 'MasterOffset' : [ 0x1f6c, ['long']], 'DpcLastCount' : [ 0x1f70, ['unsigned long']], 'ThreadDpcEnable' : [ 0x1f74, ['unsigned char']], 'QuantumEnd' : [ 0x1f75, ['unsigned char']], 'PrcbPad50' : [ 0x1f76, ['unsigned char']], 'IdleSchedule' : [ 0x1f77, ['unsigned char']], 'DpcSetEventRequest' : [ 0x1f78, ['long']], 'PrcbPad40' : [ 0x1f7c, ['long']], 'DpcThread' : [ 0x1f80, ['pointer64', ['void']]], 'DpcEvent' : [ 0x1f88, ['_KEVENT']], 'CallDpc' : [ 0x1fa0, ['_KDPC']], 'PrcbPad7' : [ 0x1fe0, ['array', 4, ['unsigned long long']]], 'WaitListHead' : [ 0x2000, ['_LIST_ENTRY']], 'ReadySummary' : [ 0x2010, ['unsigned long']], 'QueueIndex' : [ 0x2014, ['unsigned long']], 'DispatcherReadyListHead' : [ 0x2018, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x2218, ['unsigned long']], 'KernelTime' : [ 0x221c, ['unsigned long']], 'UserTime' : [ 0x2220, ['unsigned long']], 'DpcTime' : [ 0x2224, ['unsigned long']], 'InterruptTime' : [ 0x2228, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x222c, ['unsigned long']], 'SkipTick' : [ 0x2230, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x2231, ['unsigned char']], 'PollSlot' : [ 0x2232, ['unsigned char']], 'PrcbPad8' : [ 0x2233, ['array', 13, ['unsigned char']]], 'ParentNode' : [ 0x2240, ['pointer64', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x2248, ['unsigned long long']], 'MultiThreadSetMaster' : [ 0x2250, ['pointer64', ['_KPRCB']]], 'Sleeping' : [ 0x2258, ['long']], 'PrcbPad90' : [ 0x225c, ['array', 1, ['unsigned long']]], 'DebugDpcTime' : [ 0x2260, ['unsigned long']], 
'PageColor' : [ 0x2264, ['unsigned long']], 'NodeColor' : [ 0x2268, ['unsigned long']], 'NodeShiftedColor' : [ 0x226c, ['unsigned long']], 'SecondaryColorMask' : [ 0x2270, ['unsigned long']], 'PrcbPad9' : [ 0x2274, ['array', 12, ['unsigned char']]], 'CcFastReadNoWait' : [ 0x2280, ['unsigned long']], 'CcFastReadWait' : [ 0x2284, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x2288, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x228c, ['unsigned long']], 'CcCopyReadWait' : [ 0x2290, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x2294, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x2298, ['unsigned long']], 'KeDcacheFlushCount' : [ 0x229c, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x22a0, ['unsigned long']], 'KeFirstLevelTbFills' : [ 0x22a4, ['unsigned long']], 'KeFloatingEmulationCount' : [ 0x22a8, ['unsigned long']], 'KeIcacheFlushCount' : [ 0x22ac, ['unsigned long']], 'KeSecondLevelTbFills' : [ 0x22b0, ['unsigned long']], 'VendorString' : [ 0x22b4, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x22c1, ['array', 2, ['unsigned char']]], 'FeatureBits' : [ 0x22c4, ['unsigned long']], 'UpdateSignature' : [ 0x22c8, ['_LARGE_INTEGER']], 'PowerState' : [ 0x22d0, ['_PROCESSOR_POWER_STATE']], 'Cache' : [ 0x2440, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x247c, ['unsigned long']], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned char']], 'Expedite' : [ 0x3, ['unsigned char']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x200, { 'XmmSaveArea' : [ 0x0, ['_XMM_SAVE_AREA32']], 'Fill' : 
[ 0x0, ['array', 432, ['unsigned char']]], 'Current' : [ 0x1b0, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x1d8, ['_KERNEL_STACK_SEGMENT']], } ], '_KTHREAD' : [ 0x320, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListHead' : [ 0x18, ['_LIST_ENTRY']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'ApcState' : [ 0x48, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x48, ['array', 43, ['unsigned char']]], 'ApcQueueable' : [ 0x73, ['unsigned char']], 'NextProcessor' : [ 0x74, ['unsigned char']], 'DeferredProcessor' : [ 0x75, ['unsigned char']], 'AdjustReason' : [ 0x76, ['unsigned char']], 'AdjustIncrement' : [ 0x77, ['unsigned char']], 'ApcQueueLock' : [ 0x78, ['unsigned long long']], 'WaitStatus' : [ 0x80, ['long long']], 'WaitBlockList' : [ 0x88, ['pointer64', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x88, ['pointer64', ['_KGATE']]], 'Alertable' : [ 0x90, ['unsigned char']], 'WaitNext' : [ 0x91, ['unsigned char']], 'WaitReason' : [ 0x92, ['unsigned char']], 'Priority' : [ 0x93, ['unsigned char']], 'EnableStackSwap' : [ 0x94, ['unsigned char']], 'SwapBusy' : [ 0x95, ['unsigned char']], 'Alerted' : [ 0x96, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x98, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x98, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa8, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb0, ['pointer64', ['void']]], 'Timer' : [ 0xb8, ['_KTIMER']], 'TimerFill' : [ 0xb8, ['array', 60, ['unsigned char']]], 'AutoAlignment' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'ReservedFlags' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='long')]], 'ThreadFlags' : [ 0xf4, ['long']], 'WaitBlock' : [ 0xf8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xf8, ['array', 43, ['unsigned 
char']]], 'SystemAffinityActive' : [ 0x123, ['unsigned char']], 'WaitBlockFill1' : [ 0xf8, ['array', 91, ['unsigned char']]], 'PreviousMode' : [ 0x153, ['unsigned char']], 'WaitBlockFill2' : [ 0xf8, ['array', 139, ['unsigned char']]], 'ResourceIndex' : [ 0x183, ['unsigned char']], 'WaitBlockFill3' : [ 0xf8, ['array', 187, ['unsigned char']]], 'LargeStack' : [ 0x1b3, ['unsigned char']], 'WaitBlockFill4' : [ 0xf8, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x124, ['unsigned long']], 'WaitBlockFill5' : [ 0xf8, ['array', 92, ['unsigned char']]], 'State' : [ 0x154, ['unsigned char']], 'NpxState' : [ 0x155, ['unsigned char']], 'WaitIrql' : [ 0x156, ['unsigned char']], 'WaitMode' : [ 0x157, ['unsigned char']], 'WaitBlockFill6' : [ 0xf8, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x184, ['unsigned long']], 'WaitBlockFill7' : [ 0xf8, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1b4, ['short']], 'SpecialApcDisable' : [ 0x1b6, ['short']], 'CombinedApcDisable' : [ 0x1b4, ['unsigned long']], 'QueueListEntry' : [ 0x1b8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1c8, ['pointer64', ['_KTRAP_FRAME']]], 'CallbackStack' : [ 0x1d0, ['pointer64', ['void']]], 'ServiceTable' : [ 0x1d8, ['pointer64', ['void']]], 'KernelLimit' : [ 0x1e0, ['unsigned long']], 'ApcStateIndex' : [ 0x1e4, ['unsigned char']], 'IdealProcessor' : [ 0x1e5, ['unsigned char']], 'Preempted' : [ 0x1e6, ['unsigned char']], 'ProcessReadyQueue' : [ 0x1e7, ['unsigned char']], 'Win32kTable' : [ 0x1e8, ['pointer64', ['void']]], 'Win32kLimit' : [ 0x1f0, ['unsigned long']], 'KernelStackResident' : [ 0x1f4, ['unsigned char']], 'BasePriority' : [ 0x1f5, ['unsigned char']], 'PriorityDecrement' : [ 0x1f6, ['unsigned char']], 'Saturation' : [ 0x1f7, ['unsigned char']], 'UserAffinity' : [ 0x1f8, ['unsigned long long']], 'Process' : [ 0x200, ['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x208, ['unsigned long long']], 'ApcStatePointer' : [ 0x210, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 
'SavedApcState' : [ 0x220, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x220, ['array', 43, ['unsigned char']]], 'FreezeCount' : [ 0x24b, ['unsigned char']], 'SuspendCount' : [ 0x24c, ['unsigned char']], 'UserIdealProcessor' : [ 0x24d, ['unsigned char']], 'CalloutActive' : [ 0x24e, ['unsigned char']], 'CodePatchInProgress' : [ 0x24f, ['unsigned char']], 'Win32Thread' : [ 0x250, ['pointer64', ['void']]], 'StackBase' : [ 0x258, ['pointer64', ['void']]], 'SuspendApc' : [ 0x260, ['_KAPC']], 'SuspendApcFill0' : [ 0x260, ['array', 1, ['unsigned char']]], 'Quantum' : [ 0x261, ['unsigned char']], 'SuspendApcFill1' : [ 0x260, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x263, ['unsigned char']], 'SuspendApcFill2' : [ 0x260, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x264, ['unsigned long']], 'SuspendApcFill3' : [ 0x260, ['array', 64, ['unsigned char']]], 'TlsArray' : [ 0x2a0, ['pointer64', ['void']]], 'SuspendApcFill4' : [ 0x260, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2a8, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x260, ['array', 83, ['unsigned char']]], 'PowerState' : [ 0x2b3, ['unsigned char']], 'UserTime' : [ 0x2b4, ['unsigned long']], 'SuspendSemaphore' : [ 0x2b8, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2b8, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2d4, ['unsigned long']], 'ThreadListEntry' : [ 0x2d8, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x2e8, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x2f0, ['long long']], 'WriteOperationCount' : [ 0x2f8, ['long long']], 'OtherOperationCount' : [ 0x300, ['long long']], 'ReadTransferCount' : [ 0x308, ['long long']], 'WriteTransferCount' : [ 0x310, ['long long']], 'OtherTransferCount' : [ 0x318, ['long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, 
['unsigned long long']], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], 
'_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_ETHREAD' : [ 0x428, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x320, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x328, ['_LARGE_INTEGER']], 'LpcReplyChain' : [ 0x328, ['_LIST_ENTRY']], 'KeyedWaitChain' : [ 0x328, 
['_LIST_ENTRY']], 'ExitStatus' : [ 0x338, ['long']], 'OfsChain' : [ 0x338, ['pointer64', ['void']]], 'PostBlockList' : [ 0x340, ['_LIST_ENTRY']], 'TerminationPort' : [ 0x350, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x350, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x350, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x358, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x360, ['_LIST_ENTRY']], 'Cid' : [ 0x370, ['_CLIENT_ID']], 'LpcReplySemaphore' : [ 0x380, ['_KSEMAPHORE']], 'KeyedWaitSemaphore' : [ 0x380, ['_KSEMAPHORE']], 'LpcReplyMessage' : [ 0x3a0, ['pointer64', ['void']]], 'LpcWaitingOnPort' : [ 0x3a0, ['pointer64', ['void']]], 'ImpersonationInfo' : [ 0x3a8, ['pointer64', ['_PS_IMPERSONATION_INFORMATION']]], 'IrpList' : [ 0x3b0, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3c0, ['unsigned long long']], 'DeviceToVerify' : [ 0x3c8, ['pointer64', ['_DEVICE_OBJECT']]], 'ThreadsProcess' : [ 0x3d0, ['pointer64', ['_EPROCESS']]], 'StartAddress' : [ 0x3d8, ['pointer64', ['void']]], 'Win32StartAddress' : [ 0x3e0, ['pointer64', ['void']]], 'LpcReceivedMessageId' : [ 0x3e0, ['unsigned long']], 'ThreadListEntry' : [ 0x3e8, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x3f8, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x400, ['_EX_PUSH_LOCK']], 'LpcReplyMessageId' : [ 0x408, ['unsigned long']], 'ReadClusterSize' : [ 0x40c, ['unsigned long']], 'GrantedAccess' : [ 0x410, ['unsigned long']], 'CrossThreadFlags' : [ 0x414, ['unsigned long']], 'Terminated' : [ 0x414, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeadThread' : [ 0x414, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x414, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x414, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x414, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned 
long')]], 'HardErrorsAreDisabled' : [ 0x414, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x414, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x414, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x414, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x418, ['unsigned long']], 'ActiveExWorker' : [ 0x418, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x418, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x418, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x418, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x41c, ['unsigned long']], 'LpcReceivedMsgIdValid' : [ 0x41c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'LpcExitThreadCalled' : [ 0x41c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'AddressSpaceOwner' : [ 0x41c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x41c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x41c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x41c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x41c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x41c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x41d, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned char')]], 'ApcNeeded' : [ 0x41d, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ForwardClusterOnly' : [ 0x420, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x421, ['unsigned char']], 'ActiveFaultCount' : [ 0x422, ['unsigned char']], } ], '_EPROCESS' : [ 0x3e0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xc0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xc8, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xd0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xd8, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0xe0, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xf0, ['array', 3, ['unsigned long long']]], 'QuotaPeak' : [ 0x108, ['array', 3, ['unsigned long long']]], 'CommitCharge' : [ 0x120, ['unsigned long long']], 'PeakVirtualSize' : [ 0x128, ['unsigned long long']], 'VirtualSize' : [ 0x130, ['unsigned long long']], 'SessionProcessLinks' : [ 0x138, ['_LIST_ENTRY']], 'DebugPort' : [ 0x148, ['pointer64', ['void']]], 'ExceptionPort' : [ 0x150, ['pointer64', ['void']]], 'ObjectTable' : [ 0x158, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x160, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x168, ['unsigned long long']], 'AddressCreationLock' : [ 0x170, ['_KGUARDED_MUTEX']], 'HyperSpaceLock' : [ 0x1a8, ['unsigned long long']], 'ForkInProgress' : [ 0x1b0, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x1b8, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x1c0, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x1c8, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x1d0, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x1d8, ['unsigned long long']], 'Win32Process' : [ 0x1e0, ['pointer64', ['void']]], 'Job' : [ 0x1e8, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x1f0, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x1f8, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x200, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x208, 
['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x210, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x218, ['pointer64', ['void']]], 'LdtInformation' : [ 0x220, ['pointer64', ['void']]], 'VadFreeHint' : [ 0x228, ['pointer64', ['void']]], 'VdmObjects' : [ 0x230, ['pointer64', ['void']]], 'DeviceMap' : [ 0x238, ['pointer64', ['void']]], 'Spare0' : [ 0x240, ['array', 3, ['pointer64', ['void']]]], 'PageDirectoryPte' : [ 0x258, ['_HARDWARE_PTE']], 'Filler' : [ 0x258, ['unsigned long long']], 'Session' : [ 0x260, ['pointer64', ['void']]], 'ImageFileName' : [ 0x268, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x278, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x288, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x290, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x2a0, ['pointer64', ['void']]], 'Wow64Process' : [ 0x2a8, ['pointer64', ['_WOW64_PROCESS']]], 'ActiveThreads' : [ 0x2b0, ['unsigned long']], 'GrantedAccess' : [ 0x2b4, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x2b8, ['unsigned long']], 'LastThreadExitStatus' : [ 0x2bc, ['long']], 'Peb' : [ 0x2c0, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x2c8, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x2d0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x2d8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x2e0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x2e8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x2f0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x2f8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x300, ['unsigned long long']], 'CommitChargePeak' : [ 0x308, ['unsigned long long']], 'AweInfo' : [ 0x310, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x318, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x320, ['_MMSUPPORT']], 'Spares' : [ 0x378, ['array', 2, ['unsigned long']]], 'ModifiedPageCount' : [ 0x380, ['unsigned long']], 'JobStatus' : [ 0x384, ['unsigned long']], 'Flags' : [ 0x388, ['unsigned long']], 'CreateReported' : [ 0x388, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x388, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x388, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x388, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x388, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x388, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x388, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x388, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x388, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x388, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x388, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x388, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x388, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SessionCreationUnderway' : [ 0x388, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x388, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x388, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x388, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x388, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x388, ['BitField', dict(start_bit = 19, end_bit = 20, 
native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x388, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x388, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x388, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x388, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x388, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x388, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CreateFailed' : [ 0x388, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x388, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'Spare1' : [ 0x388, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare2' : [ 0x388, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x38c, ['long']], 'NextPageColor' : [ 0x390, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x392, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x393, ['unsigned char']], 'SubSystemVersion' : [ 0x392, ['unsigned short']], 'PriorityClass' : [ 0x394, ['unsigned char']], 'VadRoot' : [ 0x398, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x3d8, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Type' : [ 0x10, ['pointer64', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0x18, ['unsigned char']], 'HandleInfoOffset' : [ 0x19, ['unsigned char']], 'QuotaInfoOffset' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 
'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'QueryReferences' : [ 0x18, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_TYPE' : [ 0x2c0, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x68, ['_LIST_ENTRY']], 'Name' : [ 0x78, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x88, ['pointer64', ['void']]], 'Index' : [ 0x90, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x94, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x98, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x9c, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0xa0, ['unsigned long']], 'TypeInfo' : [ 0xa8, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0x118, ['unsigned long']], 'ObjectLocks' : [ 0x120, ['array', 4, ['_ERESOURCE']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 
'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '__unnamed_1161' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'HardLarge' : [ 0x0, ['_MMPTE_HARDWARE_LARGEPAGE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1161']], } ], '__unnamed_116c' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'ReadStatus' : [ 0x0, ['long']], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_116e' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1171' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1173' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1171']], } ], '__unnamed_117b' : [ 0x8, { 'EntireFrame' : [ 0x0, ['unsigned long long']], 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 57, native_type='unsigned long long')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 
'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 60, native_type='unsigned long long')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 63, native_type='unsigned long long')]], 'MustBeCached' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_116c']], 'PteAddress' : [ 0x8, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x10, ['__unnamed_116e']], 'u3' : [ 0x18, ['__unnamed_1173']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned long']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_117b']], } ], '__unnamed_1182' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_1185' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_118a' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x50, { 'u1' : [ 0x0, ['__unnamed_1182']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_1185']], 'ControlArea' : [ 0x30, ['pointer64', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x38, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x48, ['__unnamed_118a']], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 
'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '_MMPTE_FLUSH_LIST' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned long']], 'FlushVa' : [ 0x8, ['array', 20, ['pointer64', ['void']]]], } ], '__unnamed_119c' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'u' : [ 0x8, ['__unnamed_119c']], 'StartingSector' : [ 0xc, ['unsigned long']], 'NumberOfFullSectors' : [ 0x10, ['unsigned long']], 'SubsectionBase' : [ 0x18, ['pointer64', ['_MMPTE']]], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'PtesInSubsection' : [ 0x24, ['unsigned long']], 'NextSubsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], } ], '_MMPAGING_FILE' : [ 0x78, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'CurrentUsage' : [ 0x20, ['unsigned long long']], 'PeakUsage' : [ 0x28, ['unsigned long long']], 'HighestPage' : [ 0x30, ['unsigned long long']], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x40, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x50, ['_UNICODE_STRING']], 'Bitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'PageFileNumber' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'ReferenceCount' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'BootPartition' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Reserved' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'FileHandle' : [ 0x70, ['pointer64', ['void']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, 
['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, 
['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long 
long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1216' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, 
['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1216']], } ], '__unnamed_121d' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_121d']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_SHARED_CACHE_MAP' : [ 0x1b0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 
'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObject' : [ 0x60, ['pointer64', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x68, ['pointer64', ['_VACB']]], 'NeedToZero' : [ 0x70, ['pointer64', ['void']]], 'ActivePage' : [ 0x78, ['unsigned long']], 'NeedToZeroPage' : [ 0x7c, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x80, ['unsigned long long']], 'VacbActiveCount' : [ 0x88, ['unsigned long']], 'DirtyPages' : [ 0x8c, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x90, ['_LIST_ENTRY']], 'Flags' : [ 0xa0, ['unsigned long']], 'Status' : [ 0xa4, ['long']], 'Mbcb' : [ 0xa8, ['pointer64', ['_MBCB']]], 'Section' : [ 0xb0, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xc0, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc8, ['unsigned long']], 'BeyondLastFlush' : [ 0xd0, ['long long']], 'Callbacks' : [ 0xd8, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xe0, ['pointer64', ['void']]], 'PrivateList' : [ 0xe8, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf8, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x100, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0x118, ['pointer64', ['_VACB']]], 'BcbSpinLock' : [ 0x120, ['unsigned long long']], 'Reserved' : [ 0x128, ['pointer64', ['void']]], 'Event' : [ 0x130, ['_KEVENT']], 'VacbPushLock' : [ 0x148, ['_EX_PUSH_LOCK']], 'PrivateCacheMap' : [ 0x150, ['_PRIVATE_CACHE_MAP']], } ], '_FILE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', 
['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], } ], '__unnamed_1247' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_1247']], 'LruList' : [ 0x18, ['_LIST_ENTRY']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '__unnamed_125c' : [ 0x10, { 'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_125e' : [ 0x2, { 'FreeListsInUseTerminate' : [ 0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' : [ 0xae8, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'ForceFlags' : [ 0x18, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x1c, ['unsigned long']], 'SegmentReserve' : [ 0x20, ['unsigned long long']], 'SegmentCommit' : [ 0x28, 
['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0x30, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0x38, ['unsigned long long']], 'TotalFreeSize' : [ 0x40, ['unsigned long long']], 'MaximumAllocationSize' : [ 0x48, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0x50, ['unsigned short']], 'HeaderValidateLength' : [ 0x52, ['unsigned short']], 'HeaderValidateCopy' : [ 0x58, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0x60, ['unsigned short']], 'MaximumTagIndex' : [ 0x62, ['unsigned short']], 'TagEntries' : [ 0x68, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x70, ['pointer64', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x78, ['pointer64', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AlignRound' : [ 0x80, ['unsigned long long']], 'AlignMask' : [ 0x88, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x90, ['_LIST_ENTRY']], 'Segments' : [ 0xa0, ['array', 64, ['pointer64', ['_HEAP_SEGMENT']]]], 'u' : [ 0x2a0, ['__unnamed_125c']], 'u2' : [ 0x2b0, ['__unnamed_125e']], 'AllocatorBackTraceIndex' : [ 0x2b2, ['unsigned short']], 'NonDedicatedListLength' : [ 0x2b4, ['unsigned long']], 'LargeBlocksIndex' : [ 0x2b8, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x2c0, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x2c8, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0xac8, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xad0, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0xad8, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0xae0, ['unsigned short']], 'FrontEndHeapType' : [ 0xae2, ['unsigned char']], 'LastSegmentIndex' : [ 0xae3, ['unsigned char']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'PreviousSize' : [ 0xa, ['unsigned short']], 'SmallTagIndex' : [ 0xc, ['unsigned char']], 'Flags' : [ 0xd, ['unsigned char']], 'UnusedBytes' : [ 0xe, ['unsigned char']], 'SegmentIndex' : [ 0xf, ['unsigned char']], 
'CompactHeader' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x68, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'Heap' : [ 0x18, ['pointer64', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x20, ['unsigned long long']], 'BaseAddress' : [ 0x28, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x30, ['unsigned long']], 'FirstEntry' : [ 0x38, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x48, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x4c, ['unsigned long']], 'UnCommittedRanges' : [ 0x50, ['pointer64', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'LastEntryInSegment' : [ 0x60, ['pointer64', ['_HEAP_ENTRY']]], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'Bucket' : [ 0x0, ['pointer64', ['void']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'FreeThreshold' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_TOKEN' : [ 0xd0, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, 
['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, ['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : [ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x70, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x78, ['pointer64', ['void']]], 'Privileges' : [ 0x80, ['pointer64', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x88, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0x90, ['pointer64', ['_ACL']]], 'TokenType' : [ 0x98, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x9c, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xa0, ['unsigned char']], 'TokenInUse' : [ 0xa1, ['unsigned char']], 'ProxyData' : [ 0xa8, ['pointer64', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xb0, ['pointer64', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xb8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc0, ['_LUID']], 'VariablePart' : [ 0xc8, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'pDeviceMap' : [ 0x18, ['pointer64', ['_DEVICE_MAP']]], } ], '_TEB' : [ 0x17d8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', 
['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x2d0, ['array', 28, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 
0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 14, ['pointer64', ['void']]]], 'SubProcessTag' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'InDbgPrint' : [ 0x1744, ['unsigned char']], 'FreeStackOnTermination' : [ 0x1745, ['unsigned char']], 'HasFiberData' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SparePointer1' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'SoftPatchPtr2' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'SafeThunkCall' : [ 0x17d0, ['unsigned char']], 'BooleanSpare' : [ 0x17d1, ['array', 3, ['unsigned char']]], } ], '_HEAP_UCR_SEGMENT' : [ 0x20, { 'Next' : [ 0x0, 
['pointer64', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x8, ['unsigned long long']], 'CommittedSize' : [ 0x10, ['unsigned long long']], 'filler' : [ 0x18, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerThreads' : [ 0x30, ['array', 2, ['_OWNER_ENTRY']]], 'ContentionCount' : [ 0x50, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x54, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x56, ['unsigned short']], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x18, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x28, ['pointer64', ['void']]], 'DosDeviceDriveIndex' : [ 0x30, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x98, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', 
['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], } ], '_HEAP_UNCOMMMTTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long long']], 'filler' : [ 0x18, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x1e0, { 'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, ['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, ['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long long']], 'ResourceDatabase' : [ 0x30, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x38, ['pointer64', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x40, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x44, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x48, ['unsigned long']], 'NodesSearched' : [ 0x4c, ['unsigned long']], 'MaxNodesSearched' : [ 0x50, ['unsigned long']], 'SequenceNumber' : [ 0x54, ['unsigned long']], 'RecursionDepthLimit' : [ 0x58, ['unsigned long']], 'SearchedNodesLimit' : [ 0x5c, ['unsigned long']], 'DepthLimitHits' : [ 0x60, ['unsigned long']], 'SearchLimitHits' : [ 0x64, ['unsigned long']], 
'ABC_ACB_Skipped' : [ 0x68, ['unsigned long']], 'OutOfOrderReleases' : [ 0x6c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x70, ['unsigned long']], 'TotalReleases' : [ 0x74, ['unsigned long']], 'RootNodesDeleted' : [ 0x78, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x7c, ['unsigned long']], 'PoolTrimCounter' : [ 0x80, ['unsigned long']], 'FreeResourceList' : [ 0x88, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x98, ['_LIST_ENTRY']], 'FreeNodeList' : [ 0xa8, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0xb8, ['unsigned long']], 'FreeThreadCount' : [ 0xbc, ['unsigned long']], 'FreeNodeCount' : [ 0xc0, ['unsigned long']], 'Instigator' : [ 0xc8, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0xd0, ['unsigned long']], 'Participant' : [ 0xd8, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x1d8, ['unsigned long']], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_POWER_STATE' : [ 0x4, 
{ 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_SEGMENT_OBJECT' : [ 0x48, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x30, ['pointer64', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x38, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x40, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_1371' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 
0x48, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x1c, ['unsigned long']], 'NumberOfMappedViews' : [ 0x20, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x24, ['unsigned long']], 'NumberOfUserReferences' : [ 0x28, ['unsigned long']], 'u' : [ 0x2c, ['__unnamed_1371']], 'FilePointer' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x38, ['pointer64', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x40, ['unsigned short']], 'FlushInProgressCount' : [ 0x42, ['unsigned short']], 'WritableUserReferences' : [ 0x44, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x70, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleTableLock' : [ 0x18, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x38, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x48, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x50, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x58, ['long']], 'FirstFree' : [ 0x5c, ['unsigned long']], 'LastFree' : [ 0x60, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x64, ['unsigned long']], 'HandleCount' : [ 0x68, ['long']], 'Flags' : [ 0x6c, ['unsigned long']], 'StrictFIFO' : [ 0x6c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 
0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_XMM_SAVE_AREA32' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' 
: [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'SpareByte' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_MMSUPPORT' : [ 0x58, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimTime' : [ 0x10, ['_LARGE_INTEGER']], 'Flags' : [ 0x18, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x1c, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x20, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x24, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x28, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x2c, ['unsigned long']], 'VmWorkingSetList' : [ 0x30, ['pointer64', ['_MMWSL']]], 'Claim' : [ 0x38, ['unsigned long']], 'NextEstimationSlot' : [ 0x3c, ['unsigned long']], 'NextAgingSlot' : [ 0x40, ['unsigned long']], 'EstimatedAvailable' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'WorkingSetMutex' : [ 0x50, ['_EX_PUSH_LOCK']], } ], '_EX_WORK_QUEUE' : [ 0x58, { 
'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]], 'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['unsigned short']]], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_EPROCESS_QUOTA_BLOCK' : [ 0x78, { 'QuotaEntry' : [ 0x0, ['array', 3, ['_EPROCESS_QUOTA_ENTRY']]], 'QuotaList' : [ 0x60, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x70, ['unsigned long']], 'ProcessCount' : [ 0x74, ['unsigned long']], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', 
['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_EVENT_COUNTER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'RefCount' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], } ], '_EJOB' : [ 0x220, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0xe0, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'ActiveProcessLimit' : [ 0xf8, ['unsigned long']], 'Affinity' : [ 0x100, ['unsigned long long']], 'PriorityClass' : [ 0x108, ['unsigned char']], 'UIRestrictionsClass' : [ 0x10c, ['unsigned long']], 'SecurityLimitFlags' : [ 0x110, ['unsigned long']], 'Token' : [ 0x118, ['pointer64', ['void']]], 'Filter' : [ 0x120, ['pointer64', ['_PS_JOB_TOKEN_FILTER']]], 'EndOfJobTimeAction' : [ 0x128, ['unsigned long']], 'CompletionPort' : [ 0x130, ['pointer64', ['void']]], 'CompletionKey' : [ 0x138, ['pointer64', ['void']]], 'SessionId' : [ 0x140, ['unsigned long']], 'SchedulingClass' : [ 0x144, ['unsigned long']], 'ReadOperationCount' : [ 0x148, ['unsigned long long']], 'WriteOperationCount' : [ 0x150, ['unsigned long long']], 'OtherOperationCount' : [ 0x158, ['unsigned long long']], 
'ReadTransferCount' : [ 0x160, ['unsigned long long']], 'WriteTransferCount' : [ 0x168, ['unsigned long long']], 'OtherTransferCount' : [ 0x170, ['unsigned long long']], 'IoInfo' : [ 0x178, ['_IO_COUNTERS']], 'ProcessMemoryLimit' : [ 0x1a8, ['unsigned long long']], 'JobMemoryLimit' : [ 0x1b0, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x1b8, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x1c0, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x1c8, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x1d0, ['_KGUARDED_MUTEX']], 'JobSetLinks' : [ 0x208, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x218, ['unsigned long']], 'JobFlags' : [ 0x21c, ['unsigned long']], } ], '_LARGE_CONTROL_AREA' : [ 0x68, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x1c, ['unsigned long']], 'NumberOfMappedViews' : [ 0x20, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x24, ['unsigned long']], 'NumberOfUserReferences' : [ 0x28, ['unsigned long']], 'u' : [ 0x2c, ['__unnamed_1371']], 'FilePointer' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x38, ['pointer64', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x40, ['unsigned short']], 'FlushInProgressCount' : [ 0x42, ['unsigned short']], 'WritableUserReferences' : [ 0x44, ['unsigned long']], 'StartingFrame' : [ 0x48, ['unsigned long long']], 'UserGlobalList' : [ 0x50, ['_LIST_ENTRY']], 'SessionId' : [ 0x60, ['unsigned long']], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x38, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x10, ['unsigned long']], 'CapturedGroupCount' : [ 0x14, ['unsigned long']], 'CapturedGroups' : [ 0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x20, ['unsigned long']], 
'CapturedPrivilegeCount' : [ 0x24, ['unsigned long']], 'CapturedPrivileges' : [ 0x28, ['pointer64', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x80, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'Reserved' : [ 0x78, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], 
'_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', 
['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 
'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x50, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : 
[ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], 'LimitModifiedPages' : [ 0x48, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x30, { 'Name' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x10, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x18, ['unsigned long']], 'CmHiveFlags' : [ 0x1c, ['unsigned long']], 'CmHive2' : [ 0x20, ['pointer64', ['_CMHIVE']]], 'ThreadFinished' : [ 0x28, ['unsigned char']], 'ThreadStarted' : [ 0x29, ['unsigned char']], 'Allocate' : [ 0x2a, ['unsigned char']], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0x10, { 'Token' : [ 0x0, ['pointer64', ['void']]], 'CopyOnOpen' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], 'ImpersonationLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 
'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_142e' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], } ], '__unnamed_1430' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1434' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x1c0, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'Level' : [ 0x20, ['unsigned long']], 'Notify' : [ 0x28, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 
'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x38, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x88, ['unsigned long']], 'CompletionStatus' : [ 0x8c, ['long']], 'PendingIrp' : [ 0x90, ['pointer64', ['_IRP']]], 'Flags' : [ 0x98, ['unsigned long']], 'UserFlags' : [ 0x9c, ['unsigned long']], 'Problem' : [ 0xa0, ['unsigned long']], 'PhysicalDeviceObject' : [ 0xa8, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0xb0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xb8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0xc0, ['_UNICODE_STRING']], 'ServiceName' : [ 0xd0, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xe0, ['pointer64', 
['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xe8, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xf0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xf4, ['unsigned long']], 'ChildInterfaceType' : [ 0xf8, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xfc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x100, ['unsigned short']], 'RemovalPolicy' : [ 0x102, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x103, ['unsigned char']], 'TargetDeviceNotify' : [ 0x108, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x118, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x128, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x138, ['unsigned short']], 'QueryTranslatorMask' : [ 0x13a, ['unsigned short']], 'NoArbiterMask' : [ 0x13c, ['unsigned short']], 'QueryArbiterMask' : [ 0x13e, ['unsigned short']], 'OverUsed1' : [ 0x140, ['__unnamed_142e']], 'OverUsed2' : [ 0x148, ['__unnamed_1430']], 'BootResources' : [ 0x150, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x158, ['unsigned long']], 'DockInfo' : [ 0x160, ['__unnamed_1434']], 'DisableableDepends' : [ 0x180, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x188, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x198, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x1a8, ['unsigned long']], 'PreviousParent' : [ 0x1b0, ['pointer64', 
['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x1b8, ['unsigned long']], } ], '__unnamed_1439' : [ 0x68, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_1439']], } ], '_PEB64' : [ 0x358, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'SparePtr2' : [ 0x48, ['unsigned long long']], 'EnvironmentUpdateCount' : [ 0x50, ['unsigned long']], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'ReadOnlySharedMemoryHeap' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned 
long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long 
long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], } ], '_KPCR' : [ 0x2600, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'PerfGlobalGroupMask' : [ 0x10, ['pointer64', ['void']]], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_MMCOLOR_TABLES' : [ 0x18, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, 
['unsigned short']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_KPROCESS' : [ 0xb8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['array', 2, ['unsigned long long']]], 'IopmOffset' : [ 0x38, ['unsigned short']], 'ActiveProcessors' : [ 0x40, ['unsigned long long']], 'KernelTime' : [ 0x48, ['unsigned long']], 'UserTime' : [ 0x4c, ['unsigned long']], 'ReadyListHead' : [ 0x50, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'Reserved1' : [ 0x68, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x70, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x80, ['unsigned long long']], 'Affinity' : [ 0x88, ['unsigned long long']], 'AutoAlignment' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x90, ['long']], 'BasePriority' : [ 0x94, ['unsigned char']], 'QuantumReset' : [ 0x95, ['unsigned char']], 'State' : [ 0x96, ['unsigned char']], 'ThreadSeed' : [ 0x97, ['unsigned char']], 'PowerState' : [ 0x98, ['unsigned char']], 'IdealNode' : [ 0x99, ['unsigned char']], 'Visited' : [ 0x9a, ['unsigned char']], 'Flags' : [ 0x9b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x9b, ['unsigned char']], 'StackCount' : [ 0xa0, ['unsigned long long']], 'ProcessListEntry' : [ 0xa8, ['_LIST_ENTRY']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long 
long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1469' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1d80, { 'GlobalVirtualAddress' : [ 0x0, ['pointer64', ['_MM_SESSION_SPACE']]], 'ReferenceCount' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1469']], 'SessionId' : [ 0x10, ['unsigned long']], 'ProcessList' : [ 0x18, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x28, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x30, ['unsigned long long']], 'NonPagablePages' : [ 0x38, ['unsigned long long']], 'CommittedPages' : [ 0x40, ['unsigned long long']], 'PagedPoolStart' : [ 0x48, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x50, ['pointer64', ['void']]], 'PagedPoolBasePde' : [ 0x58, ['pointer64', ['_MMPTE']]], 'Color' : [ 0x60, ['unsigned long']], 'ResidentProcessCount' : [ 0x64, ['long']], 'SessionPoolAllocationFailures' : [ 0x68, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachEvent' : [ 0x90, ['_KEVENT']], 'LastProcess' : [ 0xa8, ['pointer64', ['_EPROCESS']]], 'ProcessReferenceToSession' : [ 0xb0, ['long']], 'WsListEntry' : [ 0xb8, ['_LIST_ENTRY']], 'Lookaside' : [ 0x100, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb80, ['_MMSESSION']], 'PagedPoolMutex' : [ 0xbe8, ['_KGUARDED_MUTEX']], 'PagedPoolInfo' : [ 0xc20, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc60, ['_MMSUPPORT']], 'Wsle' : [ 0xcb8, ['pointer64', ['_MMWSLE']]], 'Win32KDriverUnload' : [ 0xcc0, ['pointer64', ['void']]], 'PagedPool' : [ 0xcc8, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1d10, ['_MMPTE']], 'SpecialPoolFirstPte' : [ 0x1d18, ['pointer64', ['_MMPTE']]], 'SpecialPoolLastPte' : [ 0x1d20, ['pointer64', ['_MMPTE']]], 'NextPdeForSpecialPoolExpansion' : [ 0x1d28, ['pointer64', ['_MMPTE']]], 'LastPdeForSpecialPoolExpansion' : [ 0x1d30, ['pointer64', ['_MMPTE']]], 
'SpecialPagesInUse' : [ 0x1d38, ['unsigned long long']], 'ImageLoadingCount' : [ 0x1d40, ['long']], } ], '_PEB' : [ 0x358, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'SparePtr2' : [ 0x48, ['pointer64', ['void']]], 'EnvironmentUpdateCount' : [ 0x50, ['unsigned long']], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['pointer64', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 
'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', 
['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['pointer64', ['void']]]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'PreviousSize' : [ 0xa, ['unsigned short']], 'SmallTagIndex' : [ 0xc, ['unsigned char']], 'Flags' : [ 0xd, ['unsigned char']], 'UnusedBytes' : [ 0xe, ['unsigned char']], 'SegmentIndex' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : 
[ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '__unnamed_1499' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa8, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x10, ['_LARGE_INTEGER']], 'u' : [ 0x18, ['__unnamed_1499']], 'Irp' : [ 0x28, ['pointer64', ['_IRP']]], 'LastPageToWrite' : [ 0x30, ['unsigned long long']], 'PagingListHead' : [ 0x38, ['pointer64', ['_MMMOD_WRITER_LISTHEAD']]], 'CurrentList' : [ 0x40, ['pointer64', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x48, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x50, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x58, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x60, ['pointer64', ['_ERESOURCE']]], 'IssueTime' : [ 0x68, ['_LARGE_INTEGER']], 'Mdl' : [ 0x70, ['_MDL']], 'Page' : [ 0xa0, ['array', 1, ['unsigned long long']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_TEB32' : [ 0xfbc, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, 
['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes1' : [ 0x1ac, ['array', 40, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, 
['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 14, ['unsigned long']]], 'SubProcessTag' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SparePointer1' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'SoftPatchPtr2' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'SafeThunkCall' : [ 0xfb8, ['unsigned char']], 'BooleanSpare' : [ 0xfb9, ['array', 3, ['unsigned char']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 
'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x20, { 'Usage' : [ 0x0, ['unsigned long long']], 'Limit' : [ 0x8, ['unsigned long long']], 'Peak' : [ 0x10, ['unsigned long long']], 'Return' : [ 0x18, ['unsigned long long']], } ], '__unnamed_14be' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_14be']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x170, { 'IdleFunction' : [ 0x0, ['pointer64', ['void']]], 'Idle0KernelTimeLimit' : [ 0x8, ['unsigned long']], 'Idle0LastTime' : [ 0xc, ['unsigned long']], 'IdleHandlers' : [ 0x10, ['pointer64', ['void']]], 'IdleState' : [ 0x18, ['pointer64', ['void']]], 'IdleHandlersCount' : [ 0x20, ['unsigned long']], 'LastCheck' : [ 0x28, ['unsigned long long']], 'IdleTimes' : [ 0x30, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' : [ 0x50, ['unsigned long']], 'PromotionCheck' : [ 0x54, ['unsigned long']], 'IdleTime2' : [ 0x58, ['unsigned long']], 'CurrentThrottle' : [ 0x5c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x5d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x5e, ['unsigned char']], 'ThermalThrottleIndex' : [ 0x5f, ['unsigned char']], 'LastKernelUserTime' : [ 0x60, ['unsigned long']], 'PerfIdleTime' : [ 0x64, ['unsigned long']], 'DebugDelta' : [ 0x68, ['unsigned long long']], 'DebugCount' : [ 0x70, ['unsigned long']], 'LastSysTime' : [ 0x74, ['unsigned long']], 'TotalIdleStateTime' : [ 0x78, ['array', 3, ['unsigned long long']]], 'TotalIdleTransitions' : [ 0x90, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0xa0, ['unsigned long long']], 'KneeThrottleIndex' : [ 0xa8, ['unsigned char']], 'ThrottleLimitIndex' : [ 0xa9, ['unsigned char']], 'PerfStatesCount' : [ 0xaa, ['unsigned char']], 'ProcessorMinThrottle' : [ 
0xab, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0xac, ['unsigned char']], 'LastBusyPercentage' : [ 0xad, ['unsigned char']], 'LastC3Percentage' : [ 0xae, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0xaf, ['unsigned char']], 'PromotionCount' : [ 0xb0, ['unsigned long']], 'DemotionCount' : [ 0xb4, ['unsigned long']], 'ErrorCount' : [ 0xb8, ['unsigned long']], 'RetryCount' : [ 0xbc, ['unsigned long']], 'Flags' : [ 0xc0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xc8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xd0, ['unsigned long']], 'PerfTimer' : [ 0xd8, ['_KTIMER']], 'PerfDpc' : [ 0x118, ['_KDPC']], 'PerfStates' : [ 0x158, ['pointer64', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x160, ['pointer64', ['void']]], 'LastC3KernelUserTime' : [ 0x168, ['unsigned long']], 'Spare1' : [ 0x16c, ['array', 1, ['unsigned long']]], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned short')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned short')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned short')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'ParityError' : [ 0x0, 
['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 'WriteTransferCount' : [ 0x20, ['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x80, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x18, ['_LIST_ENTRY']], 'DeviceType' : [ 0x28, ['unsigned char']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x30, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x40, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x50, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x70, ['_LIST_ENTRY']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Available0' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'GrowWsleHash' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredUnsafe' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Available' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned 
long']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x10, ['_KEVENT']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned 
long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_POP_THERMAL_ZONE' : [ 0x120, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc0, ['pointer64', ['_IRP']]], 'Info' : [ 0xc8, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x18, ['unsigned long']], 
'ObjectMask' : [ 0x1c, ['unsigned long']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'OwnerCount' : [ 0x8, ['long']], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, 
['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_TEB64' : [ 0x17d8, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes1' : [ 0x2d0, ['array', 28, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, 
['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 14, ['unsigned long long']]], 'SubProcessTag' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'InDbgPrint' : [ 0x1744, ['unsigned char']], 'FreeStackOnTermination' : [ 0x1745, ['unsigned char']], 'HasFiberData' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SparePointer1' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'SoftPatchPtr2' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long 
long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'SafeThunkCall' : [ 0x17d0, ['unsigned char']], 'BooleanSpare' : [ 0x17d1, ['array', 3, ['unsigned char']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', 
dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CMHIVE' : [ 0xab8, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x578, ['array', 3, ['pointer64', ['void']]]], 'NotifyList' : [ 0x590, ['_LIST_ENTRY']], 'HiveList' : [ 0x5a0, ['_LIST_ENTRY']], 'HiveLock' : [ 0x5b0, ['_EX_PUSH_LOCK']], 'ViewLock' : [ 0x5b8, ['pointer64', ['_KGUARDED_MUTEX']]], 'WriterLock' : [ 0x5c0, ['_EX_PUSH_LOCK']], 'FlusherLock' : [ 0x5c8, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x5d0, ['_EX_PUSH_LOCK']], 'LRUViewListHead' : [ 0x5d8, ['_LIST_ENTRY']], 'PinViewListHead' : [ 0x5e8, ['_LIST_ENTRY']], 'FileObject' : [ 0x5f8, ['pointer64', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x600, ['_UNICODE_STRING']], 'FileUserName' : [ 0x610, ['_UNICODE_STRING']], 'MappedViews' : [ 0x620, ['unsigned short']], 'PinnedViews' : [ 0x622, ['unsigned short']], 'UseCount' : [ 0x624, ['unsigned long']], 'SecurityCount' : [ 0x628, ['unsigned long']], 'SecurityCacheSize' : [ 0x62c, ['unsigned long']], 'SecurityHitHint' : [ 0x630, ['long']], 'SecurityCache' : [ 0x638, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x640, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0xa40, ['pointer64', ['_KEVENT']]], 'RootKcb' : [ 0xa48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xa50, ['unsigned char']], 'UnloadWorkItem' : [ 0xa58, ['pointer64', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0xa60, ['unsigned char']], 'GrowOffset' : [ 0xa64, ['unsigned long']], 'KcbConvertListHead' : [ 0xa68, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xa78, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xa88, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xa90, ['unsigned long']], 'TrustClassEntry' : [ 0xa98, ['_LIST_ENTRY']], 'FlushCount' : [ 0xaa8, ['unsigned long']], 'CreatorOwner' : [ 0xab0, ['pointer64', ['_KTHREAD']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 
'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_HHIVE' : [ 0x578, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'BaseBlock' : [ 0x48, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x50, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x60, ['unsigned long']], 'DirtyAlloc' : [ 0x64, ['unsigned long']], 'BaseBlockAlloc' : [ 0x68, ['unsigned long']], 'Cluster' : [ 0x6c, ['unsigned long']], 'Flat' : [ 0x70, ['unsigned char']], 'ReadOnly' : [ 0x71, ['unsigned char']], 'Log' : [ 0x72, ['unsigned char']], 'DirtyFlag' : [ 0x73, ['unsigned char']], 'HiveFlags' : [ 0x74, ['unsigned long']], 'LogSize' : [ 0x78, ['unsigned long']], 'RefreshCount' : [ 0x7c, ['unsigned long']], 'StorageTypeCount' : [ 0x80, ['unsigned long']], 'Version' : [ 0x84, ['unsigned long']], 'Storage' : [ 0x88, ['array', 2, ['_DUAL']]], } ], '_PAGEFAULT_HISTORY' : [ 0x28, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x10, ['pointer64', ['void']]], 'WatchInfo' : [ 0x18, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 
'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x48, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ParseContext' : [ 0x10, ['pointer64', ['void']]], 'ProbeMode' : [ 0x18, ['unsigned char']], 'PagedPoolCharge' : [ 0x1c, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x20, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x24, ['unsigned long']], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'SecurityQos' : [ 0x30, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x38, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '__unnamed_1587' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 
0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_1587']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '_PEB32' : [ 0x230, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, 
['unsigned long']], 'SparePtr2' : [ 0x24, ['unsigned long']], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, 
['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], } ], '_MBCB' : [ 0xb8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x58, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x88, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 0x40, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 'PinViewList' : [ 0x10, ['_LIST_ENTRY']], 'FileOffset' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'ViewAddress' : [ 0x28, ['pointer64', ['unsigned long long']]], 'Bcb' : [ 0x30, ['pointer64', ['void']]], 'UseCount' : [ 0x38, 
['unsigned long']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_KUSER_SHARED_DATA' : [ 0x378, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 
0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'Wow64SharedInformation' : [ 0x334, ['array', 16, ['unsigned long']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', 
['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '__unnamed_15db' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_15e1' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x68, { 'u1' : [ 0x0, ['__unnamed_1182']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_1185']], 'ControlArea' : [ 0x30, ['pointer64', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x38, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x48, ['__unnamed_118a']], 'u3' : [ 0x50, ['__unnamed_15db']], 'u4' : [ 0x60, ['__unnamed_15e1']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 
0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1048, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, ['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x20, ['pointer64', ['void']]], 'PendingFrees' : [ 0x28, ['pointer64', ['void']]], 'PendingFreeDepth' : [ 0x30, ['long']], 'TotalBytes' : [ 0x38, ['unsigned long long']], 'Spare0' : [ 0x40, ['unsigned long long']], 'ListHeads' : [ 0x48, ['array', 256, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 
8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_WOW64_PROCESS' : [ 0x8, { 'Wow64' : [ 0x0, ['pointer64', ['void']]], } ], '_PEB_LDR_DATA' : [ 0x48, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 
'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x40, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer64', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x8, ['pointer64', ['_RTL_BITMAP']]], 'FirstPteForPagedPool' : [ 0x10, ['pointer64', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0x18, ['pointer64', ['_MMPTE']]], 'NextPdeForPagedPoolExpansion' : [ 0x20, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x28, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x38, ['unsigned long long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['unsigned short']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_MMSESSION' : [ 0x68, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewStart' : [ 0x40, ['pointer64', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x48, ['pointer64', ['_MMVIEW']]], 
'SystemSpaceHashSize' : [ 0x50, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x54, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x58, ['unsigned long']], 'BitmapFailures' : [ 0x5c, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'NumberOfPages' : [ 0xc, ['unsigned long']], 'QuotaObject' : [ 0x10, ['pointer64', ['void']]], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 0x10, { 'FaultingPc' : [ 0x0, ['pointer64', ['void']]], 'FaultingVa' : [ 0x8, ['pointer64', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long 
long')]], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x48, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x48, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned 
long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XMM_SAVE_AREA32']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_MMPTE_HARDWARE_LARGEPAGE' : [ 0x8, { 'Valid' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PAT' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 21, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 40, native_type='unsigned long long')]], 'reserved2' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0x120, { 'Next' : [ 0x0, ['pointer64', 
['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, ['_KEVENT']], 'Slot' : [ 0x38, ['_PCI_SLOT_NUMBER']], 'PhysicalDeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x48, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x50, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x58, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x5c, ['unsigned long']], 'VendorId' : [ 0x60, ['unsigned short']], 'DeviceId' : [ 0x62, ['unsigned short']], 'SubsystemVendorId' : [ 0x64, ['unsigned short']], 'SubsystemId' : [ 0x66, ['unsigned short']], 'RevisionId' : [ 0x68, ['unsigned char']], 'ProgIf' : [ 0x69, ['unsigned char']], 'SubClass' : [ 0x6a, ['unsigned char']], 'BaseClass' : [ 0x6b, ['unsigned char']], 'AdditionalResourceCount' : [ 0x6c, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x6d, ['unsigned char']], 'InterruptPin' : [ 0x6e, ['unsigned char']], 'RawInterruptLine' : [ 0x6f, ['unsigned char']], 'CapabilitiesPtr' : [ 0x70, ['unsigned char']], 'SavedLatencyTimer' : [ 0x71, ['unsigned char']], 'SavedCacheLineSize' : [ 0x72, ['unsigned char']], 'HeaderType' : [ 0x73, ['unsigned char']], 
'NotPresent' : [ 0x74, ['unsigned char']], 'ReportedMissing' : [ 0x75, ['unsigned char']], 'ExpectedWritebackFailure' : [ 0x76, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x77, ['unsigned char']], 'LegacyDriver' : [ 0x78, ['unsigned char']], 'UpdateHardware' : [ 0x79, ['unsigned char']], 'MovedDevice' : [ 0x7a, ['unsigned char']], 'DisablePowerDown' : [ 0x7b, ['unsigned char']], 'NeedsHotPlugConfiguration' : [ 0x7c, ['unsigned char']], 'IDEInNativeMode' : [ 0x7d, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x7e, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : [ 0x7f, ['unsigned char']], 'OnDebugPath' : [ 0x80, ['unsigned char']], 'IoSpaceNotRequired' : [ 0x81, ['unsigned char']], 'PowerState' : [ 0x88, ['PCI_POWER_STATE']], 'Dependent' : [ 0xd8, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xe0, ['unsigned long long']], 'Resources' : [ 0xe8, ['pointer64', ['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xf0, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'NextBridge' : [ 0xf8, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0x100, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0x108, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0x118, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0x11a, ['unsigned char']], 'CommandEnables' : [ 0x11c, ['unsigned short']], 'InitialCommand' : [ 0x11e, ['unsigned short']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' 
: [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '__unnamed_1650' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1652' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1650']], 'Merged' : [ 0x10, ['__unnamed_1652']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_DEVICE_MAP' : [ 0x38, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'DriveMap' : [ 0x14, ['unsigned long']], 'DriveType' : [ 0x18, ['array', 32, ['unsigned char']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_IO_RESOURCE_LIST' : 
[ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long 
long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStamp' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill1' : [ 0x172, ['array', 3, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['array', 1, ['unsigned short']]], 'CodePatchCycle' : [ 0x18c, 
['long']], } ], '__unnamed_1680' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0x130, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, ['_KEVENT']], 'PhysicalDeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'ChildListLock' : [ 0x50, ['_KEVENT']], 'ChildPdoList' : [ 0x68, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 0x70, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x78, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x80, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 0x88, ['pointer64', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x90, ['unsigned char']], 'BusHandler' : [ 0x98, ['pointer64', ['_BUS_HANDLER']]], 'BaseBus' : [ 0xa0, ['unsigned char']], 'Fake' : [ 0xa1, ['unsigned char']], 
'ChildDelete' : [ 0xa2, ['unsigned char']], 'Scanned' : [ 0xa3, ['unsigned char']], 'ArbitersInitialized' : [ 0xa4, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0xa5, ['unsigned char']], 'Hibernated' : [ 0xa6, ['unsigned char']], 'PowerState' : [ 0xa8, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xf8, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0x100, ['unsigned long']], 'PreservedConfig' : [ 0x108, ['pointer64', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0x110, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0x120, ['__unnamed_1680']], 'BusHackFlags' : [ 0x128, ['unsigned long']], } ], '__unnamed_1684' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1686' : [ 0x10, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1688' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_168a' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_168c' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_168e' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1690' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_1684']], 'Port' : [ 0x0, ['__unnamed_1684']], 'Interrupt' : [ 0x0, ['__unnamed_1686']], 'Memory' : [ 0x0, ['__unnamed_1684']], 'Dma' : [ 0x0, ['__unnamed_1688']], 'DevicePrivate' : [ 0x0, ['__unnamed_168a']], 'BusNumber' : [ 0x0, ['__unnamed_168c']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_168e']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1690']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 
'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'RequestSummary' : [ 0x0, ['long long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'Virtual' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa8, { 'RefCount' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x30, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x38, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x40, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x50, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x50, ['unsigned long']], 'SubKeyCount' : [ 0x50, ['unsigned long']], 'KeyBodyListHead' : [ 0x58, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x58, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x68, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x88, 
['pointer64', ['void']]], 'KcbLastWriteTime' : [ 0x90, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x98, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x9a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x9c, ['unsigned long']], 'RealKeyName' : [ 0xa0, ['pointer64', ['unsigned char']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ReadConfig' : [ 0x20, ['pointer64', ['void']]], 'WriteConfig' : [ 0x28, ['pointer64', ['void']]], 'PinToLine' : [ 0x30, ['pointer64', ['void']]], 'LineToPin' : [ 0x38, ['pointer64', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x20, ['unsigned long']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Period' : [ 0x38, ['long']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, 
native_type='unsigned long')]], 'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'PolicyChange' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '__unnamed_16d3' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_16d8' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_16da' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_16d8']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_16e2' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_16e4' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_16e2']], 'Apc' : [ 0x0, 
['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_16d3']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_16da']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_16e4']], } ], '_PCI_LOCK' : [ 0x10, { 'Atom' : [ 0x0, ['unsigned long long']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '__unnamed_16f2' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_16f2']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned 
short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_16f8' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_16f8']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], } ], '_ETIMER' : [ 0x108, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeTimer' : [ 0xf5, ['unsigned char']], 'WakeTimerListEntry' : [ 0xf8, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' 
: [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 
0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, ['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '__unnamed_1718' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1718']], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '__unnamed_1722' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1722']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x3f0, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 
0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 
0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockQueuedSpinLock', 7: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['unsigned long']], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_PEB_FREE_BLOCK' : [ 0x10, { 
'Next' : [ 0x0, ['pointer64', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x48, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'WakeNeeded' : [ 0x18, ['unsigned char']], 'OrderLevel' : [ 0x19, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'Node' : [ 0x28, ['pointer64', ['void']]], 'DeviceName' : [ 0x30, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x38, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x40, ['unsigned long']], 'ActiveChild' : [ 0x44, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x20, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], } ], '__unnamed_174c' : [ 0x4, { 'Spare' : [ 0x0, ['array', 4, ['unsigned char']]], } ], '__unnamed_174e' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_174c']], 'type1' : [ 0x0, ['__unnamed_174e']], 'type2' : [ 0x0, ['__unnamed_174e']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 
'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'ServiceContext' : [ 0x20, ['pointer64', ['void']]], 'SpinLock' : [ 0x28, ['unsigned long long']], 'TickCount' : [ 0x30, ['unsigned long']], 'ActualLock' : [ 0x38, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x40, ['pointer64', ['void']]], 'Vector' : [ 0x48, ['unsigned long']], 'Irql' : [ 0x4c, ['unsigned char']], 'SynchronizeIrql' : [ 0x4d, ['unsigned char']], 'FloatingSave' : [ 0x4e, ['unsigned char']], 'Connected' : [ 0x4f, ['unsigned char']], 'Number' : [ 0x50, ['unsigned char']], 'ShareVector' : [ 0x51, ['unsigned char']], 'Mode' : [ 0x54, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x58, ['unsigned long']], 'DispatchCount' : [ 0x5c, ['unsigned long']], 'TrapFrame' : [ 0x60, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x68, ['pointer64', ['void']]], 'DispatchCode' : [ 0x70, ['array', 4, ['unsigned long']]], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0x190, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0x18, ['pointer64', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x20, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x28, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x58, ['_ARBITER_INSTANCE']], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long 
long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x40, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x8, ['pointer64', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x10, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0x18, ['pointer64', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x28, ['pointer64', ['void']]], 'OtherIrpDispatchStyle' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x38, ['pointer64', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMWSLENTRY' : [ 0x8, { 
'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_178e' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_1792' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', 
dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_178e']], 'Bits' : [ 0x4, ['__unnamed_1792']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_OBJECT_DIRECTORY' : [ 0x140, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned 
long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x80, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NonDirectCount' : [ 0x1c, ['unsigned long']], 'HashTable' : [ 0x20, ['pointer64', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x28, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x2c, ['unsigned long']], 'HashTableStart' : [ 0x30, ['pointer64', ['void']]], 'HighestPermittedHashAddress' : [ 0x38, ['pointer64', ['void']]], 'NumberOfImageWaiters' : [ 0x40, ['unsigned long']], 'VadBitMapHint' : [ 0x44, ['unsigned long']], 'HighestUserAddress' : [ 0x48, ['pointer64', ['void']]], 'MaximumUserPageTablePages' : [ 0x50, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x54, ['unsigned long']], 'CommittedPageTables' : [ 0x58, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x60, ['unsigned long']], 'CommittedPageDirectories' : [ 0x68, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x70, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x78, ['array', 1, ['unsigned long long']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 'PCI_FUNCTION_RESOURCES' : [ 0x170, 
{ 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '__unnamed_17c3' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_17c7' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'NonExtendedPtes' : [ 0xc, ['unsigned long']], 'Spare0' : [ 0x10, ['unsigned long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x20, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x28, ['unsigned long long']], 'ExtendInfo' : [ 0x30, ['pointer64', ['_MMEXTEND_INFO']]], 'SegmentFlags' : [ 0x38, ['_SEGMENT_FLAGS']], 'BasedAddress' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_17c3']], 'u2' : [ 0x50, ['__unnamed_17c7']], 'PrototypePte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x60, ['array', 1, ['_MMPTE']]], } ], '_PCI_COMMON_EXTENSION' : [ 0x38, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 
'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, ['_KEVENT']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], 'StartAddress' : [ 0x28, ['pointer64', ['void']]], 'EndAddress' : [ 0x30, ['pointer64', ['void']]], 'Flags' : [ 0x38, ['unsigned long']], 'Signature' : [ 0x40, ['unsigned long long']], 'PoolPageHeaders' : [ 0x50, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x60, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x70, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x74, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x78, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x7c, ['unsigned long']], 'PagedBytes' : [ 0x80, ['unsigned long long']], 'NonPagedBytes' : [ 0x88, ['unsigned long long']], 'PeakPagedBytes' : [ 0x90, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x98, ['unsigned long long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x60, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 
'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x28, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x20, ['pointer64', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 
'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x50, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', 
['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_MMVIEW' : [ 0x10, { 'Entry' : [ 0x0, ['unsigned long long']], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], 'PCI_SECONDARY_EXTENSION' : [ 0x18, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 
'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x10, ['pointer64', ['void']]], } ], '__unnamed_17f4' : [ 0x30, { 'type0' : [ 0x0, ['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_17f4']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'Spare1' : [ 0x33, ['unsigned char']], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'Reserved' : [ 0x3c, ['array', 1, ['unsigned long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 
0x0, ['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_KNODE' : [ 0x40, { 'DeadStackList' : [ 0x0, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x10, ['_SLIST_HEADER']], 'Alignment' : [ 0x10, ['unsigned long long']], 'ProcessorMask' : [ 0x18, ['unsigned long long']], 'Color' : [ 0x20, ['unsigned char']], 'Seed' : [ 0x21, ['unsigned char']], 'NodeNumber' : [ 0x22, ['unsigned char']], 'Flags' : [ 0x23, ['_flags']], 'MmShiftedColor' : [ 0x24, ['unsigned long']], 'FreeCount' : [ 0x28, ['array', 2, ['unsigned long long']]], 'PfnDeferredList' : [ 0x38, ['pointer64', ['_SLIST_ENTRY']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_SEGMENT_FLAGS' : [ 0x8, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned 
long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_VI_DEADLOCK_THREAD' : [ 0x30, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, 
['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x28, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'MinSize' : [ 0x8, ['unsigned short']], 'MinVersion' : [ 0xa, ['unsigned short']], 'MaxVersion' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'ReferenceCount' : [ 0x10, ['long']], 'Signature' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x18, ['pointer64', ['void']]], 'Initializer' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_POWER_ACTION' : [ 0x50, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', 
dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x28, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x30, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'LastWakeState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_1182']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_1185']], } ], '__unnamed_183c' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 
'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_183c']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x88, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 
32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x30, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 
'DescriptorLength' : [ 0x18, ['unsigned long']], 'Descriptor' : [ 0x1c, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x138, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x18, ['long']], 'Allocation' : [ 0x20, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x30, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x40, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x50, ['long']], 'Interface' : [ 0x58, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x60, ['unsigned long']], 'AllocationStack' : [ 0x68, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x70, ['pointer64', ['void']]], 'PackResource' : [ 0x78, ['pointer64', ['void']]], 'UnpackResource' : [ 0x80, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x88, ['pointer64', ['void']]], 'TestAllocation' : [ 0x90, ['pointer64', ['void']]], 'RetestAllocation' : [ 0x98, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa0, ['pointer64', ['void']]], 
'RollbackAllocation' : [ 0xa8, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb0, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xb8, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc0, ['pointer64', ['void']]], 'AddReserved' : [ 0xc8, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd0, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xd8, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe0, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xe8, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf0, ['pointer64', ['void']]], 'AddAllocation' : [ 0xf8, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x100, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x108, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x110, ['unsigned char']], 'Extension' : [ 0x118, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x120, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x128, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x130, ['pointer64', ['void']]], } ], '_BUS_HANDLER' : [ 0xb8, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x18, 
['pointer64', ['_BUS_HANDLER']]], 'BusData' : [ 0x20, ['pointer64', ['void']]], 'DeviceControlExtensionSize' : [ 0x28, ['unsigned long']], 'BusAddresses' : [ 0x30, ['pointer64', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x38, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x48, ['pointer64', ['void']]], 'SetBusData' : [ 0x50, ['pointer64', ['void']]], 'AdjustResourceList' : [ 0x58, ['pointer64', ['void']]], 'AssignSlotResources' : [ 0x60, ['pointer64', ['void']]], 'GetInterruptVector' : [ 0x68, ['pointer64', ['void']]], 'TranslateBusAddress' : [ 0x70, ['pointer64', ['void']]], 'Spare1' : [ 0x78, ['pointer64', ['void']]], 'Spare2' : [ 0x80, ['pointer64', ['void']]], 'Spare3' : [ 0x88, ['pointer64', ['void']]], 'Spare4' : [ 0x90, ['pointer64', ['void']]], 'Spare5' : [ 0x98, ['pointer64', ['void']]], 'Spare6' : [ 0xa0, ['pointer64', ['void']]], 'Spare7' : [ 0xa8, ['pointer64', ['void']]], 'Spare8' : [ 0xb0, ['pointer64', ['void']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x10, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'DispatchFunction' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0xba8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 
'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x20, ['unsigned long long']], 'Thread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x448, ['long']], 'FailedDevice' : [ 0x450, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x458, ['unsigned char']], 'Cancelled' : [ 0x459, ['unsigned char']], 'IgnoreErrors' : [ 0x45a, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x45b, ['unsigned char']], 'WaitAny' : [ 0x45c, ['unsigned char']], 'WaitAll' : [ 0x45d, ['unsigned char']], 'PresentIrpQueue' : [ 0x460, ['_LIST_ENTRY']], 'Head' : [ 0x470, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x4c8, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_MMWSLE_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['unsigned short']]], } ], '_CM_KEY_BODY' : [ 0x30, { 
'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x50, { 
'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWakeLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]],
# NOTE(review): the element count of the array below is -28, which cannot be a
# real array length. The field sits at offset 0x10 and the next field
# (WaitWakeIrp) at 0x30, and the neighbouring 'long' enumerations are spaced
# 4 bytes apart, so the gap holds at most 8 entries. The value may be a byte
# size emitted by the profile generator rather than a count - confirm against
# the symbol data before relying on anything read from SystemStateMapping.
'SystemStateMapping' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x30, ['pointer64', ['_IRP']]], 'SavedCancelRoutine' : [ 0x38, ['pointer64', ['void']]], 'Paging' : [ 0x40, ['long']], 'Hibernate' : [ 0x44, ['long']], 'CrashDump' : [ 0x48, ['long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '__unnamed_18e1' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned 
long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_18e5' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_18e9' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_18eb' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_18ef' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 
'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_18f1' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_18f3' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 
'FileMaximumInformation'})]], } ], '__unnamed_18f5' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_18f7' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_18f9' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } 
], '__unnamed_18fd' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_18ff' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1901' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1903' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1905' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1907' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1909' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_190d' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1911' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1915' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 
'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_1917' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_191b' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_191d' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_191f' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_1921' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1925' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1929' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_192d' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_192f' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1933' : [ 0x8, { 'PowerSequence' : [ 0x0, 
['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1937' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1939' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_193b' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_193d' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_193f' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_18e1']], 'CreatePipe' : [ 0x0, ['__unnamed_18e5']], 'CreateMailslot' : [ 0x0, ['__unnamed_18e9']], 'Read' : [ 0x0, ['__unnamed_18eb']], 'Write' : [ 0x0, ['__unnamed_18eb']], 'QueryDirectory' : [ 0x0, ['__unnamed_18ef']], 'NotifyDirectory' : [ 0x0, ['__unnamed_18f1']], 'QueryFile' : [ 0x0, ['__unnamed_18f3']], 'SetFile' : [ 0x0, ['__unnamed_18f5']], 'QueryEa' : [ 0x0, ['__unnamed_18f7']], 'SetEa' : [ 0x0, ['__unnamed_18f9']], 'QueryVolume' : [ 0x0, ['__unnamed_18fd']], 'SetVolume' : [ 0x0, ['__unnamed_18fd']], 'FileSystemControl' : [ 0x0, ['__unnamed_18ff']], 'LockControl' : [ 0x0, ['__unnamed_1901']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1903']], 'QuerySecurity' : [ 0x0, ['__unnamed_1905']], 'SetSecurity' : [ 0x0, ['__unnamed_1907']], 
'MountVolume' : [ 0x0, ['__unnamed_1909']], 'VerifyVolume' : [ 0x0, ['__unnamed_1909']], 'Scsi' : [ 0x0, ['__unnamed_190d']], 'QueryQuota' : [ 0x0, ['__unnamed_1911']], 'SetQuota' : [ 0x0, ['__unnamed_18f9']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1915']], 'QueryInterface' : [ 0x0, ['__unnamed_1917']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_191b']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_191d']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_191f']], 'SetLock' : [ 0x0, ['__unnamed_1921']], 'QueryId' : [ 0x0, ['__unnamed_1925']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1929']], 'UsageNotification' : [ 0x0, ['__unnamed_192d']], 'WaitWake' : [ 0x0, ['__unnamed_192f']], 'PowerSequence' : [ 0x0, ['__unnamed_1933']], 'Power' : [ 0x0, ['__unnamed_1937']], 'StartDevice' : [ 0x0, ['__unnamed_1939']], 'WMI' : [ 0x0, ['__unnamed_193b']], 'Others' : [ 0x0, ['__unnamed_193d']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_193f']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1946' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1948' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], } ], '__unnamed_194a' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_194c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, 
['unsigned long']], } ], '__unnamed_194e' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1950' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1946']], 'Memory' : [ 0x0, ['__unnamed_1946']], 'Interrupt' : [ 0x0, ['__unnamed_1948']], 'Dma' : [ 0x0, ['__unnamed_194a']], 'Generic' : [ 0x0, ['__unnamed_1946']], 'DevicePrivate' : [ 0x0, ['__unnamed_168a']], 'BusNumber' : [ 0x0, ['__unnamed_194c']], 'ConfigData' : [ 0x0, ['__unnamed_194e']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1950']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '__unnamed_1959' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_195b' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1959']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_195d' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_195f' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_195d']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_195b']], 'u2' : [ 0x4, ['__unnamed_195f']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : 
[ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0x150, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, 
['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['unsigned long long']], 'MapFrozen' : [ 0x18, ['unsigned char']], 'MemoryMap' : [ 0x20, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x30, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x40, ['unsigned long']], 'NextCloneRange' : [ 0x48, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x50, ['unsigned long long']], 'LoaderMdl' : [ 0x58, ['pointer64', ['_MDL']]], 'Clones' : [ 0x60, ['pointer64', ['_MDL']]], 'NextClone' : [ 0x68, ['pointer64', ['unsigned char']]], 'NoClones' : [ 0x70, ['unsigned long long']], 'Spares' : [ 0x78, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x80, ['unsigned long long']], 'IoPage' : [ 0x88, ['pointer64', ['void']]], 'CurrentMcb' : [ 0x90, ['pointer64', ['void']]], 'DumpStack' : [ 0x98, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xa0, ['pointer64', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0xa8, ['unsigned long']], 'HiberVa' : [ 0xb0, ['unsigned long long']], 'HiberPte' : [ 0xb8, ['_LARGE_INTEGER']], 'Status' : [ 0xc0, ['long']], 'MemoryImage' : [ 0xc8, ['pointer64', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0xd0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0xd8, ['pointer64', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0xe0, ['pointer64', ['unsigned char']]], 'PerformanceStats' : [ 0xe8, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xf0, ['pointer64', ['void']]], 'DmaIO' : [ 0xf8, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0x100, ['pointer64', ['void']]], 'PerfInfo' : [ 0x108, ['_PO_HIBER_PERF']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x10, { 'StartVpn' : [ 0x0, ['unsigned long long']], 'EndVpn' : 
[ 0x8, ['unsigned long long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x28, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x8, ['unsigned long long']], 'Parameter2' : [ 0x10, ['unsigned long long']], 'Parameter3' : [ 0x18, ['unsigned long long']], 'Parameter4' : [ 0x20, ['unsigned long long']], } ], '__unnamed_199a' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_199c' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_199a']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_199c']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' 
: [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_SUPPORTED_RANGES' : [ 0xc0, { 'Version' : [ 0x0, ['unsigned short']], 'Sorted' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x30, ['unsigned long']], 'Memory' : [ 0x38, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x60, ['unsigned long']], 'PrefetchMemory' : [ 0x68, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x90, ['unsigned long']], 'Dma' : [ 0x98, ['_SUPPORTED_RANGE']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned 
long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_PM_SUPPORT' : [ 0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned 
char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_19cb' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_19cd' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '__unnamed_19d1' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_19d3' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_19d5' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_19d7' : [ 0x20, { 'TestAllocation' : [ 0x0, ['__unnamed_19cb']], 'RetestAllocation' : [ 0x0, ['__unnamed_19cb']], 'BootAllocation' : [ 0x0, ['__unnamed_19cd']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_19d1']], 'QueryConflict' : [ 0x0, ['__unnamed_19d3']], 'QueryArbitrate' : [ 0x0, ['__unnamed_19cd']], 'AddReserved' : [ 0x0, ['__unnamed_19d5']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_19d7']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, 
['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xc0, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'ImageType' : [ 0x1c, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'TotalPages' : [ 0x60, ['unsigned long long']], 'FirstTablePage' : [ 0x68, ['unsigned long long']], 'LastFilePage' : [ 0x70, ['unsigned long long']], 'PerfInfo' : [ 0x78, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 
'FileRuns' : [ 0x40, ['unsigned long']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, 
['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned 
long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Spare' : [ 0x28, ['array', 2, ['unsigned long']]], } ], '__unnamed_19fb' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_19fd' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_19ff' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a01' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a03' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1a05' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1a07' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a09' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1a0b' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a0d' : [ 0x18, { 'DeviceClass' : [ 0x0, ['__unnamed_19fb']], 'TargetDevice' : [ 0x0, ['__unnamed_19fd']], 'InstallDevice' : [ 0x0, ['__unnamed_19ff']], 'CustomNotification' : [ 0x0, ['__unnamed_1a01']], 'ProfileNotification' : [ 0x0, ['__unnamed_1a03']], 'PowerNotification' : [ 0x0, ['__unnamed_1a05']], 'VetoNotification' : [ 0x0, ['__unnamed_1a07']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1a09']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1a0b']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 
0x48, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_1a0d']], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_1a24' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_1a26' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_1a28' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_1a24']], 'Gpt' : [ 0x0, ['__unnamed_1a26']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned 
long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_1a28']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, ['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x410, { 'DevNodeSequence' : [ 0x0, 
['unsigned long']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x20, { 'PageNo' : [ 0x0, ['unsigned long long']], 'StartPage' : [ 0x8, ['unsigned long long']], 'EndPage' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned 
long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x80, { 'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x18, ['unsigned long']], 'ActiveCount' : [ 0x1c, ['unsigned long']], 'WaitSleep' : [ 0x20, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x30, ['_LIST_ENTRY']], 'Pending' : [ 0x40, ['_LIST_ENTRY']], 'Complete' : [ 0x50, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x60, ['_LIST_ENTRY']], 'WaitS0' : [ 0x70, ['_LIST_ENTRY']], } ], '__unnamed_1a58' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], '_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' : [ 0xc, ['array', 4, ['__unnamed_1a58']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x18, { 'Next' : [ 0x0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 
0x8, ['unsigned long long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'EntryCount' : [ 0x14, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_POP_DEVICE_POWER_IRP' : [ 0x58, { 'Free' : 
[ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer64', ['_IRP']]], 'Notify' : [ 0x10, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0x18, ['_LIST_ENTRY']], 'Complete' : [ 0x28, ['_LIST_ENTRY']], 'Abort' : [ 0x38, ['_LIST_ENTRY']], 'Failed' : [ 0x48, ['_LIST_ENTRY']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 'PrefetchBaseUpper32' : [ 0x18, ['unsigned long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 
'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], 
'_SUPPORTED_RANGE' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x8, ['unsigned long']], 'SystemBase' : [ 0x10, ['long long']], 'Base' : [ 0x18, ['long long']], 'Limit' : [ 0x20, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['unsigned long']], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 
4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x28, ['array', 3, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 
'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_1ae3' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_1ae5' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_1ae9' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1aeb' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1ae3']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1ae5']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1ae9']], 'Others' : [ 0x0, ['__unnamed_1aeb']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 
'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/windows64.py0000644000000000000000000000675013131215405026602 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # Copyright (c) 2008 Brendan Dolan-Gavitt # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

import copy
import volatility.obj as obj
import volatility.plugins.overlays.windows.windows as windows

# File-wide pylint message disable because we have a few situations where we access structs starting _
#pylint: disable-msg=W0212

class Pointer64Decorator(object):
    """Callable wrapper that maps a leading 'pointer64' type name to 'pointer'.

    An instance stores the wrapped callable and, when called, forwards
    (name, typeList, typeDict) to it after rewriting the first element of
    typeList if that element is the string 'pointer64'.
    """

    def __init__(self, f):
        """Remember the callable `f` that __call__ delegates to."""
        self.f = f

    def __call__(self, name, typeList, typeDict = None):
        """Call the wrapped function, treating 'pointer64' as 'pointer'.

        name, typeList and typeDict are passed through unchanged except
        for typeList[0], which is replaced when it equals 'pointer64'.
        Returns whatever the wrapped callable returns.
        """
        if len(typeList) and typeList[0] == 'pointer64':
            # Work on a deep copy so the caller's type list is not mutated.
            typeList = copy.deepcopy(typeList)
            typeList[0] = 'pointer'
        return self.f(name, typeList, typeDict)

class _EX_FAST_REF(windows._EX_FAST_REF):
    """_EX_FAST_REF variant registered for 64-bit Windows profiles."""
    # Overrides the value inherited from windows._EX_FAST_REF.
    # NOTE(review): presumably the mask for the low pointer bits that hold
    # the inline reference count (4 bits on x64) - confirm against the base class.
    MAX_FAST_REF = 15

class ExFastRefx64(obj.ProfileModification):
    """Profile modification that installs the 64-bit _EX_FAST_REF class."""
    # Names of other modifications this one is ordered against
    # (exact ordering semantics are defined by obj.ProfileModification).
    before = ['WindowsOverlay', 'WindowsObjectClasses']
    # Predicates keyed by 'os' and 'memory_model'; both must accept for a
    # Windows 64-bit profile (presumably evaluated against profile metadata).
    conditions = {'os': lambda x : x == 'windows',
                  'memory_model': lambda x: x == '64bit'}
    def modification(self, profile):
        """Register _EX_FAST_REF from this module in profile.object_classes."""
        profile.object_classes.update({'_EX_FAST_REF': _EX_FAST_REF})

class Windows64Overlay(obj.ProfileModification):
    """Profile modification carrying the overlays specific to 64-bit Windows."""
    before = ['WindowsOverlay', 'WindowsObjectClasses']
    conditions = {'memory_model': lambda x: x == '64bit',
                  'os': lambda x: x == 'windows'}

    def modification(self, profile):
        """Apply the x64 overlays and the pointer64 translation to `profile`.

        Steps, in order: set the VOLATILITY_MAGIC values PoolAlignment and
        KUSER_SHARED_DATA, alias _IMAGE_NT_HEADERS to _IMAGE_NT_HEADERS64,
        retype _DBGKD_GET_VERSION64.DebuggerDataList and
        _KPROCESS.DirectoryTableBase, then wrap profile._list_to_type with
        Pointer64Decorator.
        """
        # Fixed values exposed through VOLATILITY_MAGIC for x64 profiles.
        profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
                                    'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
                                    'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
                                                           }
                                                      ]})
        # Code asking for _IMAGE_NT_HEADERS gets the 64-bit layout.
        profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]

        # DebuggerDataList is read as a pointer to a 64-bit value
        # (dereferenced by _KPCROnx86.get_kdbg in kpcr_vtypes.py).
        profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, {
            'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
            }]})

        # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs
        # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
        # in windows.windows_overlay which sets the DTB to a single unsigned long,
        # but we do not want that bleeding through to the x64 profiles. Instead we
        # want the x64 DTB to be a single unsigned long long.
        profile.merge_overlay({'_KPROCESS' : [ None, {
            'DirectoryTableBase' : [ None, ['unsigned long long']],
            }]})

        # Note: the following method of profile modification is strongly discouraged
        #
        # Nasty hack because pointer64 has a special structure,
        # and therefore can't just be instantiated in object_classes
        # using profile.object_classes.update({'pointer64': obj.Pointer})
        profile._list_to_type = Pointer64Decorator(profile._list_to_type)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/kpcr_vtypes.py0000644000000000000000000000535613131215405027310 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

import volatility.obj as obj

class _KPCROnx86(obj.CType):
    """KPCR for 32bit windows"""

    def idt_entries(self):
        """Yield (index, entry) for each element of the dereferenced IDT."""
        for i, entry in enumerate(self.IDT.dereference()):
            yield i, entry

    def gdt_entries(self):
        """Yield (index, entry) for each element of the dereferenced GDT."""
        for i, entry in enumerate(self.GDT.dereference()):
            yield i, entry

    def get_kdbg(self):
        """Find this CPUs KDBG.

        Please note the KdVersionBlock pointer is NULL on
        all KPCR structures except the one for the first CPU.
        In some cases on x64, even the first CPU has a NULL
        KdVersionBlock, so this is really a hit-or-miss.

        Returns the object obtained by following KdVersionBlock to
        _DBGKD_GET_VERSION64.DebuggerDataList and reading its target as
        _KDDEBUGGER_DATA64.
        """
        # NOTE(review): no NULL or validity check is made here, and the
        # pointers presumably come from the memory image under analysis;
        # callers should validate the returned object before trusting it - confirm.
        DebuggerDataList = self.KdVersionBlock.dereference_as("_DBGKD_GET_VERSION64").DebuggerDataList

        # DebuggerDataList is a pointer to unsigned long on x86
        # and a pointer to unsigned long long on x64. The first
        # dereference() dereferences the pointer, and the second
        # dereference() dereferences the unsigned long or long long
        # as the actual KDBG address.
        return DebuggerDataList.dereference().dereference_as("_KDDEBUGGER_DATA64")

    @property
    def ProcessorBlock(self):
        """The processor control block; on x86 this is the PrcbData member."""
        return self.PrcbData

class _KPCROnx64(_KPCROnx86):
    """KPCR for x64 windows"""

    @property
    def ProcessorBlock(self):
        """The processor control block; on x64 this is the Prcb member."""
        return self.Prcb

    @property
    def IDT(self):
        """Alias for IdtBase so the inherited idt_entries() works on x64."""
        return self.IdtBase

    @property
    def GDT(self):
        """Alias for GdtBase so the inherited gdt_entries() works on x64."""
        return self.GdtBase

class KPCRProfileModification(obj.ProfileModification):
    """Profile modification that installs the matching _KPCR class for Windows."""
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        """Register the _KPCR class and the _KPRCB.VendorString overlay.

        _KPCROnx86 is used when the profile's 'memory_model' metadata is
        '32bit' (also the default when the key is absent); any other value
        selects _KPCROnx64.
        """
        if profile.metadata.get('memory_model', '32bit') == '32bit':
            kpcr_class = _KPCROnx86
        else:
            kpcr_class = _KPCROnx64

        profile.object_classes.update({'_KPCR': kpcr_class})

        # VendorString is read as a 13-byte String
        # (presumably the 12-character CPU vendor id plus terminator - confirm).
        profile.merge_overlay({
            '_KPRCB': [ None, {
            'VendorString': [ None, ['String', dict(length = 13)]],
            }]})
volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8_sp1_x64_syscalls.py0000755000000000000000000015626013131215405031031 0ustar rootroot
syscalls = [
    [
    'NtWorkerFactoryWorkerReady', # 0x0
    'NtAcceptConnectPort', # 0x1
    'NtMapUserPhysicalPagesScatter', # 0x2
    'NtWaitForSingleObject', # 0x3
    'NtCallbackReturn', # 0x4
    'NtReadFile', # 0x5
    'NtDeviceIoControlFile', # 0x6
    'NtWriteFile', # 0x7
    'NtRemoveIoCompletion', # 0x8
    'NtReleaseSemaphore', # 0x9
    'NtReplyWaitReceivePort', # 0xa
    'NtReplyPort', # 0xb
    'NtSetInformationThread', # 0xc
    'NtSetEvent', # 0xd
    'NtClose', # 0xe
    'NtQueryObject', # 0xf
    'NtQueryInformationFile', # 0x10
    'NtOpenKey', # 0x11
    'NtEnumerateValueKey', # 0x12
    'NtFindAtom', # 0x13
    'NtQueryDefaultLocale', # 0x14
    'NtQueryKey', # 0x15
    'NtQueryValueKey', # 0x16
    'NtAllocateVirtualMemory', # 0x17
    'NtQueryInformationProcess', # 0x18
'NtWaitForMultipleObjects32', # 0x19 'NtWriteFileGather', # 0x1a 'NtSetInformationProcess', # 0x1b 'NtCreateKey', # 0x1c 'NtFreeVirtualMemory', # 0x1d 'NtImpersonateClientOfPort', # 0x1e 'NtReleaseMutant', # 0x1f 'NtQueryInformationToken', # 0x20 'NtRequestWaitReplyPort', # 0x21 'NtQueryVirtualMemory', # 0x22 'NtOpenThreadToken', # 0x23 'NtQueryInformationThread', # 0x24 'NtOpenProcess', # 0x25 'NtSetInformationFile', # 0x26 'NtMapViewOfSection', # 0x27 'NtAccessCheckAndAuditAlarm', # 0x28 'NtUnmapViewOfSection', # 0x29 'NtReplyWaitReceivePortEx', # 0x2a 'NtTerminateProcess', # 0x2b 'NtSetEventBoostPriority', # 0x2c 'NtReadFileScatter', # 0x2d 'NtOpenThreadTokenEx', # 0x2e 'NtOpenProcessTokenEx', # 0x2f 'NtQueryPerformanceCounter', # 0x30 'NtEnumerateKey', # 0x31 'NtOpenFile', # 0x32 'NtDelayExecution', # 0x33 'NtQueryDirectoryFile', # 0x34 'NtQuerySystemInformation', # 0x35 'NtOpenSection', # 0x36 'NtQueryTimer', # 0x37 'NtFsControlFile', # 0x38 'NtWriteVirtualMemory', # 0x39 'NtCloseObjectAuditAlarm', # 0x3a 'NtDuplicateObject', # 0x3b 'NtQueryAttributesFile', # 0x3c 'NtClearEvent', # 0x3d 'NtReadVirtualMemory', # 0x3e 'NtOpenEvent', # 0x3f 'NtAdjustPrivilegesToken', # 0x40 'NtDuplicateToken', # 0x41 'NtContinue', # 0x42 'NtQueryDefaultUILanguage', # 0x43 'NtQueueApcThread', # 0x44 'NtYieldExecution', # 0x45 'NtAddAtom', # 0x46 'NtCreateEvent', # 0x47 'NtQueryVolumeInformationFile', # 0x48 'NtCreateSection', # 0x49 'NtFlushBuffersFile', # 0x4a 'NtApphelpCacheControl', # 0x4b 'NtCreateProcessEx', # 0x4c 'NtCreateThread', # 0x4d 'NtIsProcessInJob', # 0x4e 'NtProtectVirtualMemory', # 0x4f 'NtQuerySection', # 0x50 'NtResumeThread', # 0x51 'NtTerminateThread', # 0x52 'NtReadRequestData', # 0x53 'NtCreateFile', # 0x54 'NtQueryEvent', # 0x55 'NtWriteRequestData', # 0x56 'NtOpenDirectoryObject', # 0x57 'NtAccessCheckByTypeAndAuditAlarm', # 0x58 'UNKNOWN', # 0x59 'NtWaitForMultipleObjects', # 0x5a 'NtSetInformationObject', # 0x5b 'NtCancelIoFile', # 0x5c 'NtTraceEvent', # 
0x5d 'NtPowerInformation', # 0x5e 'NtSetValueKey', # 0x5f 'NtCancelTimer', # 0x60 'NtSetTimer', # 0x61 'NtAccessCheck', # 0x62 'NtAccessCheckByType', # 0x63 'NtAccessCheckByTypeResultList', # 0x64 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x65 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x66 'NtAddAtomEx', # 0x67 'NtAddBootEntry', # 0x68 'NtAddDriverEntry', # 0x69 'NtAdjustGroupsToken', # 0x6a 'NtAdjustTokenClaimsAndDeviceGroups', # 0x6b 'NtAlertResumeThread', # 0x6c 'NtAlertThread', # 0x6d 'NtAlertThreadByThreadId', # 0x6e 'NtAllocateLocallyUniqueId', # 0x6f 'NtAllocateReserveObject', # 0x70 'NtAllocateUserPhysicalPages', # 0x71 'NtAllocateUuids', # 0x72 'NtAlpcAcceptConnectPort', # 0x73 'NtAlpcCancelMessage', # 0x74 'NtAlpcConnectPort', # 0x75 'NtAlpcConnectPortEx', # 0x76 'NtAlpcCreatePort', # 0x77 'NtAlpcCreatePortSection', # 0x78 'NtAlpcCreateResourceReserve', # 0x79 'NtAlpcCreateSectionView', # 0x7a 'NtAlpcCreateSecurityContext', # 0x7b 'NtAlpcDeletePortSection', # 0x7c 'NtAlpcDeleteResourceReserve', # 0x7d 'NtAlpcDeleteSectionView', # 0x7e 'NtAlpcDeleteSecurityContext', # 0x7f 'NtAlpcDisconnectPort', # 0x80 'NtAlpcImpersonateClientOfPort', # 0x81 'NtAlpcOpenSenderProcess', # 0x82 'NtAlpcOpenSenderThread', # 0x83 'NtAlpcQueryInformation', # 0x84 'NtAlpcQueryInformationMessage', # 0x85 'NtAlpcRevokeSecurityContext', # 0x86 'NtAlpcSendWaitReceivePort', # 0x87 'NtAlpcSetInformation', # 0x88 'NtAreMappedFilesTheSame', # 0x89 'NtAssignProcessToJobObject', # 0x8a 'NtAssociateWaitCompletionPacket', # 0x8b 'NtCancelIoFileEx', # 0x8c 'NtCancelSynchronousIoFile', # 0x8d 'NtCancelTimer2', # 0x8e 'NtCancelWaitCompletionPacket', # 0x8f 'NtCommitComplete', # 0x90 'NtCommitEnlistment', # 0x91 'NtCommitTransaction', # 0x92 'NtCompactKeys', # 0x93 'NtCompareTokens', # 0x94 'NtCompleteConnectPort', # 0x95 'NtCompressKey', # 0x96 'NtConnectPort', # 0x97 'NtCreateDebugObject', # 0x98 'NtCreateDirectoryObject', # 0x99 'NtCreateDirectoryObjectEx', # 0x9a 
'NtCreateEnlistment', # 0x9b 'NtCreateEventPair', # 0x9c 'NtCreateIRTimer', # 0x9d 'NtCreateIoCompletion', # 0x9e 'NtCreateJobObject', # 0x9f 'NtCreateJobSet', # 0xa0 'NtCreateKeyTransacted', # 0xa1 'NtCreateKeyedEvent', # 0xa2 'NtCreateLowBoxToken', # 0xa3 'NtCreateMailslotFile', # 0xa4 'NtCreateMutant', # 0xa5 'NtCreateNamedPipeFile', # 0xa6 'NtCreatePagingFile', # 0xa7 'NtCreatePort', # 0xa8 'NtCreatePrivateNamespace', # 0xa9 'NtCreateProcess', # 0xaa 'NtCreateProfile', # 0xab 'NtCreateProfileEx', # 0xac 'NtCreateResourceManager', # 0xad 'NtCreateSemaphore', # 0xae 'NtCreateSymbolicLinkObject', # 0xaf 'NtCreateThreadEx', # 0xb0 'NtCreateTimer', # 0xb1 'NtCreateTimer2', # 0xb2 'NtCreateToken', # 0xb3 'NtCreateTokenEx', # 0xb4 'NtCreateTransaction', # 0xb5 'NtCreateTransactionManager', # 0xb6 'NtCreateUserProcess', # 0xb7 'NtCreateWaitCompletionPacket', # 0xb8 'NtCreateWaitablePort', # 0xb9 'NtCreateWnfStateName', # 0xba 'NtCreateWorkerFactory', # 0xbb 'NtDebugActiveProcess', # 0xbc 'NtDebugContinue', # 0xbd 'NtDeleteAtom', # 0xbe 'NtDeleteBootEntry', # 0xbf 'NtDeleteDriverEntry', # 0xc0 'NtDeleteFile', # 0xc1 'NtDeleteKey', # 0xc2 'NtDeleteObjectAuditAlarm', # 0xc3 'NtDeletePrivateNamespace', # 0xc4 'NtDeleteValueKey', # 0xc5 'NtDeleteWnfStateData', # 0xc6 'NtDeleteWnfStateName', # 0xc7 'NtDisableLastKnownGood', # 0xc8 'NtDisplayString', # 0xc9 'NtDrawText', # 0xca 'NtEnableLastKnownGood', # 0xcb 'NtEnumerateBootEntries', # 0xcc 'NtEnumerateDriverEntries', # 0xcd 'NtEnumerateSystemEnvironmentValuesEx', # 0xce 'NtEnumerateTransactionObject', # 0xcf 'NtExtendSection', # 0xd0 'NtFilterBootOption', # 0xd1 'NtFilterToken', # 0xd2 'NtFilterTokenEx', # 0xd3 'NtFlushBuffersFileEx', # 0xd4 'NtFlushInstallUILanguage', # 0xd5 'NtFlushInstructionCache', # 0xd6 'NtFlushKey', # 0xd7 'NtFlushProcessWriteBuffers', # 0xd8 'NtFlushVirtualMemory', # 0xd9 'NtFlushWriteBuffer', # 0xda 'NtFreeUserPhysicalPages', # 0xdb 'NtFreezeRegistry', # 0xdc 'NtFreezeTransactions', # 0xdd 
'NtGetCachedSigningLevel', # 0xde 'NtGetCompleteWnfStateSubscription', # 0xdf 'NtGetContextThread', # 0xe0 'NtGetCurrentProcessorNumber', # 0xe1 'NtGetDevicePowerState', # 0xe2 'NtGetMUIRegistryInfo', # 0xe3 'NtGetNextProcess', # 0xe4 'NtGetNextThread', # 0xe5 'NtGetNlsSectionPtr', # 0xe6 'NtGetNotificationResourceManager', # 0xe7 'NtGetWriteWatch', # 0xe8 'NtImpersonateAnonymousToken', # 0xe9 'NtImpersonateThread', # 0xea 'NtInitializeNlsFiles', # 0xeb 'NtInitializeRegistry', # 0xec 'NtInitiatePowerAction', # 0xed 'NtIsSystemResumeAutomatic', # 0xee 'NtIsUILanguageComitted', # 0xef 'NtListenPort', # 0xf0 'NtLoadDriver', # 0xf1 'NtLoadKey', # 0xf2 'NtLoadKey2', # 0xf3 'NtLoadKeyEx', # 0xf4 'NtLockFile', # 0xf5 'NtLockProductActivationKeys', # 0xf6 'NtLockRegistryKey', # 0xf7 'NtLockVirtualMemory', # 0xf8 'NtMakePermanentObject', # 0xf9 'NtMakeTemporaryObject', # 0xfa 'NtMapCMFModule', # 0xfb 'NtMapUserPhysicalPages', # 0xfc 'NtModifyBootEntry', # 0xfd 'NtModifyDriverEntry', # 0xfe 'NtNotifyChangeDirectoryFile', # 0xff 'NtNotifyChangeKey', # 0x100 'NtNotifyChangeMultipleKeys', # 0x101 'NtNotifyChangeSession', # 0x102 'NtOpenEnlistment', # 0x103 'NtOpenEventPair', # 0x104 'NtOpenIoCompletion', # 0x105 'NtOpenJobObject', # 0x106 'NtOpenKeyEx', # 0x107 'NtOpenKeyTransacted', # 0x108 'NtOpenKeyTransactedEx', # 0x109 'NtOpenKeyedEvent', # 0x10a 'NtOpenMutant', # 0x10b 'NtOpenObjectAuditAlarm', # 0x10c 'NtOpenPrivateNamespace', # 0x10d 'NtOpenProcessToken', # 0x10e 'NtOpenResourceManager', # 0x10f 'NtOpenSemaphore', # 0x110 'NtOpenSession', # 0x111 'NtOpenSymbolicLinkObject', # 0x112 'NtOpenThread', # 0x113 'NtOpenTimer', # 0x114 'NtOpenTransaction', # 0x115 'NtOpenTransactionManager', # 0x116 'NtPlugPlayControl', # 0x117 'NtPrePrepareComplete', # 0x118 'NtPrePrepareEnlistment', # 0x119 'NtPrepareComplete', # 0x11a 'NtPrepareEnlistment', # 0x11b 'NtPrivilegeCheck', # 0x11c 'NtPrivilegeObjectAuditAlarm', # 0x11d 'NtPrivilegedServiceAuditAlarm', # 0x11e 
'NtPropagationComplete', # 0x11f 'NtPropagationFailed', # 0x120 'NtPulseEvent', # 0x121 'NtQueryBootEntryOrder', # 0x122 'NtQueryBootOptions', # 0x123 'NtQueryDebugFilterState', # 0x124 'NtQueryDirectoryObject', # 0x125 'NtQueryDriverEntryOrder', # 0x126 'NtQueryEaFile', # 0x127 'NtQueryFullAttributesFile', # 0x128 'NtQueryInformationAtom', # 0x129 'NtQueryInformationEnlistment', # 0x12a 'NtQueryInformationJobObject', # 0x12b 'NtQueryInformationPort', # 0x12c 'NtQueryInformationResourceManager', # 0x12d 'NtQueryInformationTransaction', # 0x12e 'NtQueryInformationTransactionManager', # 0x12f 'NtQueryInformationWorkerFactory', # 0x130 'NtQueryInstallUILanguage', # 0x131 'NtQueryIntervalProfile', # 0x132 'NtQueryIoCompletion', # 0x133 'NtQueryLicenseValue', # 0x134 'NtQueryMultipleValueKey', # 0x135 'NtQueryMutant', # 0x136 'NtQueryOpenSubKeys', # 0x137 'NtQueryOpenSubKeysEx', # 0x138 'NtQueryPortInformationProcess', # 0x139 'NtQueryQuotaInformationFile', # 0x13a 'NtQuerySecurityAttributesToken', # 0x13b 'NtQuerySecurityObject', # 0x13c 'NtQuerySemaphore', # 0x13d 'NtQuerySymbolicLinkObject', # 0x13e 'NtQuerySystemEnvironmentValue', # 0x13f 'NtQuerySystemEnvironmentValueEx', # 0x140 'NtQuerySystemInformationEx', # 0x141 'NtQueryTimerResolution', # 0x142 'NtQueryWnfStateData', # 0x143 'NtQueryWnfStateNameInformation', # 0x144 'NtQueueApcThreadEx', # 0x145 'NtRaiseException', # 0x146 'NtRaiseHardError', # 0x147 'NtReadOnlyEnlistment', # 0x148 'NtRecoverEnlistment', # 0x149 'NtRecoverResourceManager', # 0x14a 'NtRecoverTransactionManager', # 0x14b 'NtRegisterProtocolAddressInformation', # 0x14c 'NtRegisterThreadTerminatePort', # 0x14d 'NtReleaseKeyedEvent', # 0x14e 'NtReleaseWorkerFactoryWorker', # 0x14f 'NtRemoveIoCompletionEx', # 0x150 'NtRemoveProcessDebug', # 0x151 'NtRenameKey', # 0x152 'NtRenameTransactionManager', # 0x153 'NtReplaceKey', # 0x154 'NtReplacePartitionUnit', # 0x155 'NtReplyWaitReplyPort', # 0x156 'NtRequestPort', # 0x157 'NtResetEvent', # 0x158 
'NtResetWriteWatch', # 0x159 'NtRestoreKey', # 0x15a 'NtResumeProcess', # 0x15b 'NtRollbackComplete', # 0x15c 'NtRollbackEnlistment', # 0x15d 'NtRollbackTransaction', # 0x15e 'NtRollforwardTransactionManager', # 0x15f 'NtSaveKey', # 0x160 'NtSaveKeyEx', # 0x161 'NtSaveMergedKeys', # 0x162 'NtSecureConnectPort', # 0x163 'NtSerializeBoot', # 0x164 'NtSetBootEntryOrder', # 0x165 'NtSetBootOptions', # 0x166 'NtSetCachedSigningLevel', # 0x167 'NtSetContextThread', # 0x168 'NtSetDebugFilterState', # 0x169 'NtSetDefaultHardErrorPort', # 0x16a 'NtSetDefaultLocale', # 0x16b 'NtSetDefaultUILanguage', # 0x16c 'NtSetDriverEntryOrder', # 0x16d 'NtSetEaFile', # 0x16e 'NtSetHighEventPair', # 0x16f 'NtSetHighWaitLowEventPair', # 0x170 'NtSetIRTimer', # 0x171 'NtSetInformationDebugObject', # 0x172 'NtSetInformationEnlistment', # 0x173 'NtSetInformationJobObject', # 0x174 'NtSetInformationKey', # 0x175 'NtSetInformationResourceManager', # 0x176 'NtSetInformationToken', # 0x177 'NtSetInformationTransaction', # 0x178 'NtSetInformationTransactionManager', # 0x179 'NtSetInformationVirtualMemory', # 0x17a 'NtSetInformationWorkerFactory', # 0x17b 'NtSetIntervalProfile', # 0x17c 'NtSetIoCompletion', # 0x17d 'NtSetIoCompletionEx', # 0x17e 'NtSetLdtEntries', # 0x17f 'NtSetLowEventPair', # 0x180 'NtSetLowWaitHighEventPair', # 0x181 'NtSetQuotaInformationFile', # 0x182 'NtSetSecurityObject', # 0x183 'NtSetSystemEnvironmentValue', # 0x184 'NtSetSystemEnvironmentValueEx', # 0x185 'NtSetSystemInformation', # 0x186 'NtSetSystemPowerState', # 0x187 'NtSetSystemTime', # 0x188 'NtSetThreadExecutionState', # 0x189 'NtSetTimer2', # 0x18a 'NtSetTimerEx', # 0x18b 'NtSetTimerResolution', # 0x18c 'NtSetUuidSeed', # 0x18d 'NtSetVolumeInformationFile', # 0x18e 'NtSetWnfProcessNotificationEvent', # 0x18f 'NtShutdownSystem', # 0x190 'NtShutdownWorkerFactory', # 0x191 'NtSignalAndWaitForSingleObject', # 0x192 'NtSinglePhaseReject', # 0x193 'NtStartProfile', # 0x194 'NtStopProfile', # 0x195 
'NtSubscribeWnfStateChange', # 0x196 'NtSuspendProcess', # 0x197 'NtSuspendThread', # 0x198 'NtSystemDebugControl', # 0x199 'NtTerminateJobObject', # 0x19a 'NtTestAlert', # 0x19b 'NtThawRegistry', # 0x19c 'NtThawTransactions', # 0x19d 'NtTraceControl', # 0x19e 'NtTranslateFilePath', # 0x19f 'NtUmsThreadYield', # 0x1a0 'NtUnloadDriver', # 0x1a1 'NtUnloadKey', # 0x1a2 'NtUnloadKey2', # 0x1a3 'NtUnloadKeyEx', # 0x1a4 'NtUnlockFile', # 0x1a5 'NtUnlockVirtualMemory', # 0x1a6 'NtUnmapViewOfSectionEx', # 0x1a7 'NtUnsubscribeWnfStateChange', # 0x1a8 'NtUpdateWnfStateData', # 0x1a9 'NtVdmControl', # 0x1aa 'NtWaitForAlertByThreadId', # 0x1ab 'NtWaitForDebugEvent', # 0x1ac 'NtWaitForKeyedEvent', # 0x1ad 'NtWaitForWorkViaWorkerFactory', # 0x1ae 'NtWaitHighEventPair', # 0x1af 'NtWaitLowEventPair', # 0x1b0 ], [ 'NtUserYieldTask', # 0x0 'NtUserSetSensorPresence', # 0x1 'NtUserGetThreadState', # 0x2 'NtUserPeekMessage', # 0x3 'NtUserCallOneParam', # 0x4 'NtUserGetKeyState', # 0x5 'NtUserInvalidateRect', # 0x6 'NtUserCallNoParam', # 0x7 'NtUserGetMessage', # 0x8 'NtUserMessageCall', # 0x9 'NtGdiBitBlt', # 0xa 'NtGdiGetCharSet', # 0xb 'NtUserGetDC', # 0xc 'NtGdiSelectBitmap', # 0xd 'NtUserWaitMessage', # 0xe 'NtUserTranslateMessage', # 0xf 'NtUserGetProp', # 0x10 'NtUserPostMessage', # 0x11 'NtUserQueryWindow', # 0x12 'NtUserTranslateAccelerator', # 0x13 'NtGdiFlush', # 0x14 'NtUserRedrawWindow', # 0x15 'NtUserWindowFromPoint', # 0x16 'NtUserCallMsgFilter', # 0x17 'NtUserValidateTimerCallback', # 0x18 'NtUserBeginPaint', # 0x19 'NtUserSetTimer', # 0x1a 'NtUserEndPaint', # 0x1b 'NtUserSetCursor', # 0x1c 'NtUserKillTimer', # 0x1d 'NtUserBuildHwndList', # 0x1e 'NtUserSelectPalette', # 0x1f 'NtUserCallNextHookEx', # 0x20 'NtUserHideCaret', # 0x21 'NtGdiIntersectClipRect', # 0x22 'NtUserCallHwndLock', # 0x23 'NtUserGetProcessWindowStation', # 0x24 'NtGdiDeleteObjectApp', # 0x25 'NtUserSetWindowPos', # 0x26 'NtUserShowCaret', # 0x27 'NtUserEndDeferWindowPosEx', # 0x28 
'NtUserCallHwndParamLock', # 0x29 'NtUserVkKeyScanEx', # 0x2a 'NtGdiSetDIBitsToDeviceInternal', # 0x2b 'NtUserCallTwoParam', # 0x2c 'NtGdiGetRandomRgn', # 0x2d 'NtUserCopyAcceleratorTable', # 0x2e 'NtUserNotifyWinEvent', # 0x2f 'NtGdiExtSelectClipRgn', # 0x30 'NtUserIsClipboardFormatAvailable', # 0x31 'NtUserSetScrollInfo', # 0x32 'NtGdiStretchBlt', # 0x33 'NtUserCreateCaret', # 0x34 'NtGdiRectVisible', # 0x35 'NtGdiCombineRgn', # 0x36 'NtGdiGetDCObject', # 0x37 'NtUserDispatchMessage', # 0x38 'NtUserRegisterWindowMessage', # 0x39 'NtGdiExtTextOutW', # 0x3a 'NtGdiSelectFont', # 0x3b 'NtGdiRestoreDC', # 0x3c 'NtGdiSaveDC', # 0x3d 'NtUserGetForegroundWindow', # 0x3e 'NtUserShowScrollBar', # 0x3f 'NtUserFindExistingCursorIcon', # 0x40 'NtGdiGetDCDword', # 0x41 'NtGdiGetRegionData', # 0x42 'NtGdiLineTo', # 0x43 'NtUserSystemParametersInfo', # 0x44 'NtGdiGetAppClipBox', # 0x45 'NtUserGetAsyncKeyState', # 0x46 'NtUserGetCPD', # 0x47 'NtUserRemoveProp', # 0x48 'NtGdiDoPalette', # 0x49 'NtGdiPolyPolyDraw', # 0x4a 'NtUserSetCapture', # 0x4b 'NtUserEnumDisplayMonitors', # 0x4c 'NtGdiCreateCompatibleBitmap', # 0x4d 'NtUserSetProp', # 0x4e 'NtGdiGetTextCharsetInfo', # 0x4f 'NtUserSBGetParms', # 0x50 'NtUserGetIconInfo', # 0x51 'NtUserExcludeUpdateRgn', # 0x52 'NtUserSetFocus', # 0x53 'NtGdiExtGetObjectW', # 0x54 'NtUserGetUpdateRect', # 0x55 'NtGdiCreateCompatibleDC', # 0x56 'NtUserGetClipboardSequenceNumber', # 0x57 'NtGdiCreatePen', # 0x58 'NtUserShowWindow', # 0x59 'NtUserGetKeyboardLayoutList', # 0x5a 'NtGdiPatBlt', # 0x5b 'NtUserMapVirtualKeyEx', # 0x5c 'NtUserSetWindowLong', # 0x5d 'NtGdiHfontCreate', # 0x5e 'NtUserMoveWindow', # 0x5f 'NtUserPostThreadMessage', # 0x60 'NtUserDrawIconEx', # 0x61 'NtUserGetSystemMenu', # 0x62 'NtGdiDrawStream', # 0x63 'NtUserInternalGetWindowText', # 0x64 'NtUserGetWindowDC', # 0x65 'NtGdiD3dDrawPrimitives2', # 0x66 'NtGdiInvertRgn', # 0x67 'NtGdiGetRgnBox', # 0x68 'NtGdiGetAndSetDCDword', # 0x69 'NtGdiMaskBlt', # 0x6a 
'NtGdiGetWidthTable', # 0x6b 'NtUserScrollDC', # 0x6c 'NtUserGetObjectInformation', # 0x6d 'NtGdiCreateBitmap', # 0x6e 'NtUserFindWindowEx', # 0x6f 'NtGdiPolyPatBlt', # 0x70 'NtUserUnhookWindowsHookEx', # 0x71 'NtGdiGetNearestColor', # 0x72 'NtGdiTransformPoints', # 0x73 'NtGdiGetDCPoint', # 0x74 'NtGdiCreateDIBBrush', # 0x75 'NtGdiGetTextMetricsW', # 0x76 'NtUserCreateWindowEx', # 0x77 'NtUserSetParent', # 0x78 'NtUserGetKeyboardState', # 0x79 'NtUserToUnicodeEx', # 0x7a 'NtUserGetControlBrush', # 0x7b 'NtUserGetClassName', # 0x7c 'NtGdiAlphaBlend', # 0x7d 'NtGdiDdBlt', # 0x7e 'NtGdiOffsetRgn', # 0x7f 'NtUserDefSetText', # 0x80 'NtGdiGetTextFaceW', # 0x81 'NtGdiStretchDIBitsInternal', # 0x82 'NtUserSendInput', # 0x83 'NtUserGetThreadDesktop', # 0x84 'NtGdiCreateRectRgn', # 0x85 'NtGdiGetDIBitsInternal', # 0x86 'NtUserGetUpdateRgn', # 0x87 'NtGdiDeleteClientObj', # 0x88 'NtUserGetIconSize', # 0x89 'NtUserFillWindow', # 0x8a 'NtGdiExtCreateRegion', # 0x8b 'NtGdiComputeXformCoefficients', # 0x8c 'NtUserSetWindowsHookEx', # 0x8d 'NtUserNotifyProcessCreate', # 0x8e 'NtGdiUnrealizeObject', # 0x8f 'NtUserGetTitleBarInfo', # 0x90 'NtGdiRectangle', # 0x91 'NtUserSetThreadDesktop', # 0x92 'NtUserGetDCEx', # 0x93 'NtUserGetScrollBarInfo', # 0x94 'NtGdiGetTextExtent', # 0x95 'NtUserSetWindowFNID', # 0x96 'NtGdiSetLayout', # 0x97 'NtUserCalcMenuBar', # 0x98 'NtUserThunkedMenuItemInfo', # 0x99 'NtGdiExcludeClipRect', # 0x9a 'NtGdiCreateDIBSection', # 0x9b 'NtGdiGetDCforBitmap', # 0x9c 'NtUserDestroyCursor', # 0x9d 'NtUserDestroyWindow', # 0x9e 'NtUserCallHwndParam', # 0x9f 'NtGdiCreateDIBitmapInternal', # 0xa0 'NtUserOpenWindowStation', # 0xa1 'NtGdiDdDeleteSurfaceObject', # 0xa2 'NtGdiDdCanCreateSurface', # 0xa3 'NtGdiDdCreateSurface', # 0xa4 'NtUserSetCursorIconData', # 0xa5 'NtGdiDdDestroySurface', # 0xa6 'NtUserCloseDesktop', # 0xa7 'NtUserOpenDesktop', # 0xa8 'NtUserSetProcessWindowStation', # 0xa9 'NtUserGetAtomName', # 0xaa 'NtGdiDdResetVisrgn', # 0xab 
'NtGdiExtCreatePen', # 0xac 'NtGdiCreatePaletteInternal', # 0xad 'NtGdiSetBrushOrg', # 0xae 'NtUserBuildNameList', # 0xaf 'NtGdiSetPixel', # 0xb0 'NtUserRegisterClassExWOW', # 0xb1 'NtGdiCreatePatternBrushInternal', # 0xb2 'NtUserGetAncestor', # 0xb3 'NtGdiGetOutlineTextMetricsInternalW', # 0xb4 'NtGdiSetBitmapBits', # 0xb5 'NtUserCloseWindowStation', # 0xb6 'NtUserGetDoubleClickTime', # 0xb7 'NtUserEnableScrollBar', # 0xb8 'NtGdiCreateSolidBrush', # 0xb9 'NtUserGetClassInfoEx', # 0xba 'NtGdiCreateClientObj', # 0xbb 'NtUserUnregisterClass', # 0xbc 'NtUserDeleteMenu', # 0xbd 'NtGdiRectInRegion', # 0xbe 'NtUserScrollWindowEx', # 0xbf 'NtGdiGetPixel', # 0xc0 'NtUserSetClassLong', # 0xc1 'NtUserGetMenuBarInfo', # 0xc2 'NtGdiDdCreateSurfaceEx', # 0xc3 'NtGdiDdCreateSurfaceObject', # 0xc4 'NtGdiGetNearestPaletteIndex', # 0xc5 'NtGdiDdLockD3D', # 0xc6 'NtGdiDdUnlockD3D', # 0xc7 'NtGdiGetCharWidthW', # 0xc8 'NtUserInvalidateRgn', # 0xc9 'NtUserGetClipboardOwner', # 0xca 'NtUserSetWindowRgn', # 0xcb 'NtUserBitBltSysBmp', # 0xcc 'NtGdiGetCharWidthInfo', # 0xcd 'NtUserValidateRect', # 0xce 'NtUserCloseClipboard', # 0xcf 'NtUserOpenClipboard', # 0xd0 'NtGdiGetStockObject', # 0xd1 'NtUserSetClipboardData', # 0xd2 'NtUserEnableMenuItem', # 0xd3 'NtUserAlterWindowStyle', # 0xd4 'NtGdiFillRgn', # 0xd5 'NtUserGetWindowPlacement', # 0xd6 'NtGdiModifyWorldTransform', # 0xd7 'NtGdiGetFontData', # 0xd8 'NtUserGetOpenClipboardWindow', # 0xd9 'NtUserSetThreadState', # 0xda 'NtGdiOpenDCW', # 0xdb 'NtUserTrackMouseEvent', # 0xdc 'NtGdiGetTransform', # 0xdd 'NtUserDestroyMenu', # 0xde 'NtGdiGetBitmapBits', # 0xdf 'NtUserConsoleControl', # 0xe0 'NtUserSetActiveWindow', # 0xe1 'NtUserSetInformationThread', # 0xe2 'NtUserSetWindowPlacement', # 0xe3 'NtUserGetControlColor', # 0xe4 'NtGdiSetMetaRgn', # 0xe5 'NtGdiSetMiterLimit', # 0xe6 'NtGdiSetVirtualResolution', # 0xe7 'NtGdiGetRasterizerCaps', # 0xe8 'NtUserSetWindowWord', # 0xe9 'NtUserGetClipboardFormatName', # 0xea 
'NtUserRealInternalGetMessage', # 0xeb 'NtUserCreateLocalMemHandle', # 0xec 'NtUserAttachThreadInput', # 0xed 'NtGdiCreateHalftonePalette', # 0xee 'NtUserPaintMenuBar', # 0xef 'NtUserSetKeyboardState', # 0xf0 'NtGdiCombineTransform', # 0xf1 'NtUserCreateAcceleratorTable', # 0xf2 'NtUserGetCursorFrameInfo', # 0xf3 'NtUserGetAltTabInfo', # 0xf4 'NtUserGetCaretBlinkTime', # 0xf5 'NtGdiQueryFontAssocInfo', # 0xf6 'NtUserProcessConnect', # 0xf7 'NtUserEnumDisplayDevices', # 0xf8 'NtUserEmptyClipboard', # 0xf9 'NtUserGetClipboardData', # 0xfa 'NtUserRemoveMenu', # 0xfb 'NtGdiSetBoundsRect', # 0xfc 'NtGdiGetBitmapDimension', # 0xfd 'NtUserConvertMemHandle', # 0xfe 'NtUserDestroyAcceleratorTable', # 0xff 'NtUserGetGUIThreadInfo', # 0x100 'NtGdiCloseFigure', # 0x101 'NtUserSetWindowsHookAW', # 0x102 'NtUserSetMenuDefaultItem', # 0x103 'NtUserCheckMenuItem', # 0x104 'NtUserSetWinEventHook', # 0x105 'NtUserUnhookWinEvent', # 0x106 'NtUserLockWindowUpdate', # 0x107 'NtUserSetSystemMenu', # 0x108 'NtUserThunkedMenuInfo', # 0x109 'NtGdiBeginPath', # 0x10a 'NtGdiEndPath', # 0x10b 'NtGdiFillPath', # 0x10c 'NtUserCallHwnd', # 0x10d 'NtUserDdeInitialize', # 0x10e 'NtUserModifyUserStartupInfoFlags', # 0x10f 'NtUserCountClipboardFormats', # 0x110 'NtGdiAddFontMemResourceEx', # 0x111 'NtGdiEqualRgn', # 0x112 'NtGdiGetSystemPaletteUse', # 0x113 'NtGdiRemoveFontMemResourceEx', # 0x114 'NtUserEnumDisplaySettings', # 0x115 'NtUserPaintDesktop', # 0x116 'NtGdiExtEscape', # 0x117 'NtGdiSetBitmapDimension', # 0x118 'NtGdiSetFontEnumeration', # 0x119 'NtUserChangeClipboardChain', # 0x11a 'NtUserSetClipboardViewer', # 0x11b 'NtUserShowWindowAsync', # 0x11c 'NtGdiCreateColorSpace', # 0x11d 'NtGdiDeleteColorSpace', # 0x11e 'NtUserActivateKeyboardLayout', # 0x11f 'NtBindCompositionSurface', # 0x120 'NtCompositionInputThread', # 0x121 'NtCreateCompositionInputSink', # 0x122 'NtCreateCompositionSurfaceHandle', # 0x123 'NtDCompositionAddCrossDeviceVisualChild', # 0x124 'NtDCompositionAddVisualChild', 
# 0x125 'NtDCompositionBeginFrame', # 0x126 'NtDCompositionCommitChannel', # 0x127 'NtDCompositionConfirmFrame', # 0x128 'NtDCompositionConnectPipe', # 0x129 'NtDCompositionCreateAndBindSharedSection', # 0x12a 'NtDCompositionCreateChannel', # 0x12b 'NtDCompositionCreateConnection', # 0x12c 'NtDCompositionCreateDwmChannel', # 0x12d 'NtDCompositionCreateResource', # 0x12e 'NtDCompositionCurrentBatchId', # 0x12f 'NtDCompositionDestroyChannel', # 0x130 'NtDCompositionDestroyConnection', # 0x131 'NtDCompositionDiscardFrame', # 0x132 'NtDCompositionDuplicateHandleToProcess', # 0x133 'NtDCompositionDwmSyncFlush', # 0x134 'NtDCompositionGetChannels', # 0x135 'NtDCompositionGetConnectionBatch', # 0x136 'NtDCompositionGetDeletedResources', # 0x137 'NtDCompositionGetFrameLegacyTokens', # 0x138 'NtDCompositionGetFrameStatistics', # 0x139 'NtDCompositionGetFrameSurfaceUpdates', # 0x13a 'NtDCompositionOpenSharedResource', # 0x13b 'NtDCompositionOpenSharedResourceHandle', # 0x13c 'NtDCompositionReferenceSharedResourceOnDwmChannel', # 0x13d 'NtDCompositionRegisterThumbnailVisual', # 0x13e 'NtDCompositionReleaseAllResources', # 0x13f 'NtDCompositionReleaseResource', # 0x140 'NtDCompositionRemoveCrossDeviceVisualChild', # 0x141 'NtDCompositionRemoveVisualChild', # 0x142 'NtDCompositionReplaceVisualChildren', # 0x143 'NtDCompositionRetireFrame', # 0x144 'NtDCompositionSetChannelCommitCompletionEvent', # 0x145 'NtDCompositionSetDebugCounter', # 0x146 'NtDCompositionSetResourceAnimationProperty', # 0x147 'NtDCompositionSetResourceBufferProperty', # 0x148 'NtDCompositionSetResourceDeletedNotificationTag', # 0x149 'NtDCompositionSetResourceFloatProperty', # 0x14a 'NtDCompositionSetResourceHandleProperty', # 0x14b 'NtDCompositionSetResourceIntegerProperty', # 0x14c 'NtDCompositionSetResourceReferenceArrayProperty', # 0x14d 'NtDCompositionSetResourceReferenceProperty', # 0x14e 'NtDCompositionSignalGpuFence', # 0x14f 'NtDCompositionSubmitDWMBatch', # 0x150 'NtDCompositionSynchronize', # 
0x151 'NtDCompositionTelemetryAnimationScenarioBegin', # 0x152 'NtDCompositionTelemetryAnimationScenarioReference', # 0x153 'NtDCompositionTelemetryAnimationScenarioUnreference', # 0x154 'NtDCompositionTelemetrySetApplicationId', # 0x155 'NtDCompositionTelemetryTouchInteractionBegin', # 0x156 'NtDCompositionTelemetryTouchInteractionEnd', # 0x157 'NtDCompositionTelemetryTouchInteractionUpdate', # 0x158 'NtDCompositionWaitForChannel', # 0x159 'NtDuplicateCompositionInputSink', # 0x15a 'NtGdiAbortDoc', # 0x15b 'NtGdiAbortPath', # 0x15c 'NtGdiAddEmbFontToDC', # 0x15d 'NtGdiAddFontResourceW', # 0x15e 'NtGdiAddRemoteFontToDC', # 0x15f 'NtGdiAddRemoteMMInstanceToDC', # 0x160 'NtGdiAngleArc', # 0x161 'NtGdiAnyLinkedFonts', # 0x162 'NtGdiArcInternal', # 0x163 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x164 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x165 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x166 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x167 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x168 'NtGdiBeginGdiRendering', # 0x169 'NtGdiCLIPOBJ_bEnum', # 0x16a 'NtGdiCLIPOBJ_cEnumStart', # 0x16b 'NtGdiCLIPOBJ_ppoGetPath', # 0x16c 'NtGdiCancelDC', # 0x16d 'NtGdiChangeGhostFont', # 0x16e 'NtGdiCheckBitmapBits', # 0x16f 'NtGdiClearBitmapAttributes', # 0x170 'NtGdiClearBrushAttributes', # 0x171 'NtGdiColorCorrectPalette', # 0x172 'NtGdiConfigureOPMProtectedOutput', # 0x173 'NtGdiConvertMetafileRect', # 0x174 'NtGdiCreateBitmapFromDxSurface', # 0x175 'NtGdiCreateBitmapFromDxSurface2', # 0x176 'NtGdiCreateColorTransform', # 0x177 'NtGdiCreateEllipticRgn', # 0x178 'NtGdiCreateHatchBrushInternal', # 0x179 'NtGdiCreateMetafileDC', # 0x17a 'NtGdiCreateOPMProtectedOutputs', # 0x17b 'NtGdiCreateRoundRectRgn', # 0x17c 'NtGdiCreateServerMetaFile', # 0x17d 'NtGdiCreateSessionMappedDIBSection', # 0x17e 'NtGdiD3dContextCreate', # 0x17f 'NtGdiD3dContextDestroy', # 0x180 'NtGdiD3dContextDestroyAll', # 0x181 'NtGdiD3dValidateTextureStageState', # 0x182 'NtGdiDDCCIGetCapabilitiesString', # 0x183 'NtGdiDDCCIGetCapabilitiesStringLength', # 
0x184 'NtGdiDDCCIGetTimingReport', # 0x185 'NtGdiDDCCIGetVCPFeature', # 0x186 'NtGdiDDCCISaveCurrentSettings', # 0x187 'NtGdiDDCCISetVCPFeature', # 0x188 'NtGdiDdAddAttachedSurface', # 0x189 'NtGdiDdAlphaBlt', # 0x18a 'NtGdiDdAttachSurface', # 0x18b 'NtGdiDdBeginMoCompFrame', # 0x18c 'NtGdiDdCanCreateD3DBuffer', # 0x18d 'NtGdiDdColorControl', # 0x18e 'NtGdiDdCreateD3DBuffer', # 0x18f 'NtGdiDdCreateDirectDrawObject', # 0x190 'NtGdiDdCreateFullscreenSprite', # 0x191 'NtGdiDdCreateMoComp', # 0x192 'NtGdiDdDDIAcquireKeyedMutex', # 0x193 'NtGdiDdDDIAcquireKeyedMutex2', # 0x194 'NtGdiDdDDICacheHybridQueryValue', # 0x195 'NtGdiDdDDICheckExclusiveOwnership', # 0x196 'NtGdiDdDDICheckMonitorPowerState', # 0x197 'NtGdiDdDDICheckMultiPlaneOverlaySupport', # 0x198 'NtGdiDdDDICheckOcclusion', # 0x199 'NtGdiDdDDICheckSharedResourceAccess', # 0x19a 'NtGdiDdDDICheckVidPnExclusiveOwnership', # 0x19b 'NtGdiDdDDICloseAdapter', # 0x19c 'NtGdiDdDDIConfigureSharedResource', # 0x19d 'NtGdiDdDDICreateAllocation', # 0x19e 'NtGdiDdDDICreateContext', # 0x19f 'NtGdiDdDDICreateDCFromMemory', # 0x1a0 'NtGdiDdDDICreateDevice', # 0x1a1 'NtGdiDdDDICreateKeyedMutex', # 0x1a2 'NtGdiDdDDICreateKeyedMutex2', # 0x1a3 'NtGdiDdDDICreateOutputDupl', # 0x1a4 'NtGdiDdDDICreateOverlay', # 0x1a5 'NtGdiDdDDICreateSynchronizationObject', # 0x1a6 'NtGdiDdDDIDestroyAllocation', # 0x1a7 'NtGdiDdDDIDestroyContext', # 0x1a8 'NtGdiDdDDIDestroyDCFromMemory', # 0x1a9 'NtGdiDdDDIDestroyDevice', # 0x1aa 'NtGdiDdDDIDestroyKeyedMutex', # 0x1ab 'NtGdiDdDDIDestroyOutputDupl', # 0x1ac 'NtGdiDdDDIDestroyOverlay', # 0x1ad 'NtGdiDdDDIDestroySynchronizationObject', # 0x1ae 'NtGdiDdDDIEnumAdapters', # 0x1af 'NtGdiDdDDIEscape', # 0x1b0 'NtGdiDdDDIFlipOverlay', # 0x1b1 'NtGdiDdDDIGetCachedHybridQueryValue', # 0x1b2 'NtGdiDdDDIGetContextInProcessSchedulingPriority', # 0x1b3 'NtGdiDdDDIGetContextSchedulingPriority', # 0x1b4 'NtGdiDdDDIGetDeviceState', # 0x1b5 'NtGdiDdDDIGetDisplayModeList', # 0x1b6 'NtGdiDdDDIGetMultisampleMethodList', 
# 0x1b7 'NtGdiDdDDIGetOverlayState', # 0x1b8 'NtGdiDdDDIGetPresentHistory', # 0x1b9 'NtGdiDdDDIGetPresentQueueEvent', # 0x1ba 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x1bb 'NtGdiDdDDIGetRuntimeData', # 0x1bc 'NtGdiDdDDIGetScanLine', # 0x1bd 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x1be 'NtGdiDdDDIGetSharedResourceAdapterLuid', # 0x1bf 'NtGdiDdDDIInvalidateActiveVidPn', # 0x1c0 'NtGdiDdDDILock', # 0x1c1 'NtGdiDdDDINetDispGetNextChunkInfo', # 0x1c2 'NtGdiDdDDINetDispQueryMiracastDisplayDeviceStatus', # 0x1c3 'NtGdiDdDDINetDispQueryMiracastDisplayDeviceSupport', # 0x1c4 'NtGdiDdDDINetDispStartMiracastDisplayDevice', # 0x1c5 'NtGdiDdDDINetDispStopMiracastDisplayDevice', # 0x1c6 'NtGdiDdDDIOfferAllocations', # 0x1c7 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x1c8 'NtGdiDdDDIOpenAdapterFromHdc', # 0x1c9 'NtGdiDdDDIOpenAdapterFromLuid', # 0x1ca 'NtGdiDdDDIOpenKeyedMutex', # 0x1cb 'NtGdiDdDDIOpenKeyedMutex2', # 0x1cc 'NtGdiDdDDIOpenNtHandleFromName', # 0x1cd 'NtGdiDdDDIOpenResource', # 0x1ce 'NtGdiDdDDIOpenResourceFromNtHandle', # 0x1cf 'NtGdiDdDDIOpenSyncObjectFromNtHandle', # 0x1d0 'NtGdiDdDDIOpenSynchronizationObject', # 0x1d1 'NtGdiDdDDIOutputDuplGetFrameInfo', # 0x1d2 'NtGdiDdDDIOutputDuplGetMetaData', # 0x1d3 'NtGdiDdDDIOutputDuplGetPointerShapeData', # 0x1d4 'NtGdiDdDDIOutputDuplPresent', # 0x1d5 'NtGdiDdDDIOutputDuplReleaseFrame', # 0x1d6 'NtGdiDdDDIPinDirectFlipResources', # 0x1d7 'NtGdiDdDDIPollDisplayChildren', # 0x1d8 'NtGdiDdDDIPresent', # 0x1d9 'NtGdiDdDDIPresentMultiPlaneOverlay', # 0x1da 'NtGdiDdDDIQueryAdapterInfo', # 0x1db 'NtGdiDdDDIQueryAllocationResidency', # 0x1dc 'NtGdiDdDDIQueryRemoteVidPnSourceFromGdiDisplayName', # 0x1dd 'NtGdiDdDDIQueryResourceInfo', # 0x1de 'NtGdiDdDDIQueryResourceInfoFromNtHandle', # 0x1df 'NtGdiDdDDIQueryStatistics', # 0x1e0 'NtGdiDdDDIReclaimAllocations', # 0x1e1 'NtGdiDdDDIReleaseKeyedMutex', # 0x1e2 'NtGdiDdDDIReleaseKeyedMutex2', # 0x1e3 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x1e4 'NtGdiDdDDIRender', # 0x1e5 
'NtGdiDdDDISetAllocationPriority', # 0x1e6 'NtGdiDdDDISetContextInProcessSchedulingPriority', # 0x1e7 'NtGdiDdDDISetContextSchedulingPriority', # 0x1e8 'NtGdiDdDDISetDisplayMode', # 0x1e9 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x1ea 'NtGdiDdDDISetGammaRamp', # 0x1eb 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x1ec 'NtGdiDdDDISetQueuedLimit', # 0x1ed 'NtGdiDdDDISetStereoEnabled', # 0x1ee 'NtGdiDdDDISetVidPnSourceOwner', # 0x1ef 'NtGdiDdDDISetVidPnSourceOwner1', # 0x1f0 'NtGdiDdDDIShareObjects', # 0x1f1 'NtGdiDdDDISharedPrimaryLockNotification', # 0x1f2 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x1f3 'NtGdiDdDDISignalSynchronizationObject', # 0x1f4 'NtGdiDdDDIUnlock', # 0x1f5 'NtGdiDdDDIUnpinDirectFlipResources', # 0x1f6 'NtGdiDdDDIUpdateOverlay', # 0x1f7 'NtGdiDdDDIWaitForIdle', # 0x1f8 'NtGdiDdDDIWaitForSynchronizationObject', # 0x1f9 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x1fa 'NtGdiDdDDIWaitForVerticalBlankEvent2', # 0x1fb 'NtGdiDdDeleteDirectDrawObject', # 0x1fc 'NtGdiDdDestroyD3DBuffer', # 0x1fd 'NtGdiDdDestroyFullscreenSprite', # 0x1fe 'NtGdiDdDestroyMoComp', # 0x1ff 'NtGdiDdEndMoCompFrame', # 0x200 'NtGdiDdFlip', # 0x201 'NtGdiDdFlipToGDISurface', # 0x202 'NtGdiDdGetAvailDriverMemory', # 0x203 'NtGdiDdGetBltStatus', # 0x204 'NtGdiDdGetDC', # 0x205 'NtGdiDdGetDriverInfo', # 0x206 'NtGdiDdGetDriverState', # 0x207 'NtGdiDdGetDxHandle', # 0x208 'NtGdiDdGetFlipStatus', # 0x209 'NtGdiDdGetInternalMoCompInfo', # 0x20a 'NtGdiDdGetMoCompBuffInfo', # 0x20b 'NtGdiDdGetMoCompFormats', # 0x20c 'NtGdiDdGetMoCompGuids', # 0x20d 'NtGdiDdGetScanLine', # 0x20e 'NtGdiDdLock', # 0x20f 'NtGdiDdNotifyFullscreenSpriteUpdate', # 0x210 'NtGdiDdQueryDirectDrawObject', # 0x211 'NtGdiDdQueryMoCompStatus', # 0x212 'NtGdiDdQueryVisRgnUniqueness', # 0x213 'NtGdiDdReenableDirectDrawObject', # 0x214 'NtGdiDdReleaseDC', # 0x215 'NtGdiDdRenderMoComp', # 0x216 'NtGdiDdSetColorKey', # 0x217 'NtGdiDdSetExclusiveMode', # 0x218 'NtGdiDdSetGammaRamp', # 0x219 
'NtGdiDdSetOverlayPosition', # 0x21a 'NtGdiDdUnattachSurface', # 0x21b 'NtGdiDdUnlock', # 0x21c 'NtGdiDdUpdateOverlay', # 0x21d 'NtGdiDdWaitForVerticalBlank', # 0x21e 'NtGdiDeleteColorTransform', # 0x21f 'NtGdiDescribePixelFormat', # 0x220 'NtGdiDestroyOPMProtectedOutput', # 0x221 'NtGdiDestroyPhysicalMonitor', # 0x222 'NtGdiDoBanding', # 0x223 'NtGdiDrawEscape', # 0x224 'NtGdiDvpAcquireNotification', # 0x225 'NtGdiDvpCanCreateVideoPort', # 0x226 'NtGdiDvpColorControl', # 0x227 'NtGdiDvpCreateVideoPort', # 0x228 'NtGdiDvpDestroyVideoPort', # 0x229 'NtGdiDvpFlipVideoPort', # 0x22a 'NtGdiDvpGetVideoPortBandwidth', # 0x22b 'NtGdiDvpGetVideoPortConnectInfo', # 0x22c 'NtGdiDvpGetVideoPortField', # 0x22d 'NtGdiDvpGetVideoPortFlipStatus', # 0x22e 'NtGdiDvpGetVideoPortInputFormats', # 0x22f 'NtGdiDvpGetVideoPortLine', # 0x230 'NtGdiDvpGetVideoPortOutputFormats', # 0x231 'NtGdiDvpGetVideoSignalStatus', # 0x232 'NtGdiDvpReleaseNotification', # 0x233 'NtGdiDvpUpdateVideoPort', # 0x234 'NtGdiDvpWaitForVideoPortSync', # 0x235 'NtGdiDwmCreatedBitmapRemotingOutput', # 0x236 'NtGdiDxgGenericThunk', # 0x237 'NtGdiEllipse', # 0x238 'NtGdiEnableEudc', # 0x239 'NtGdiEndDoc', # 0x23a 'NtGdiEndGdiRendering', # 0x23b 'NtGdiEndPage', # 0x23c 'NtGdiEngAlphaBlend', # 0x23d 'NtGdiEngAssociateSurface', # 0x23e 'NtGdiEngBitBlt', # 0x23f 'NtGdiEngCheckAbort', # 0x240 'NtGdiEngComputeGlyphSet', # 0x241 'NtGdiEngCopyBits', # 0x242 'NtGdiEngCreateBitmap', # 0x243 'NtGdiEngCreateClip', # 0x244 'NtGdiEngCreateDeviceBitmap', # 0x245 'NtGdiEngCreateDeviceSurface', # 0x246 'NtGdiEngCreatePalette', # 0x247 'NtGdiEngDeleteClip', # 0x248 'NtGdiEngDeletePalette', # 0x249 'NtGdiEngDeletePath', # 0x24a 'NtGdiEngDeleteSurface', # 0x24b 'NtGdiEngEraseSurface', # 0x24c 'NtGdiEngFillPath', # 0x24d 'NtGdiEngGradientFill', # 0x24e 'NtGdiEngLineTo', # 0x24f 'NtGdiEngLockSurface', # 0x250 'NtGdiEngMarkBandingSurface', # 0x251 'NtGdiEngPaint', # 0x252 'NtGdiEngPlgBlt', # 0x253 'NtGdiEngStretchBlt', # 0x254 
'NtGdiEngStretchBltROP', # 0x255 'NtGdiEngStrokeAndFillPath', # 0x256 'NtGdiEngStrokePath', # 0x257 'NtGdiEngTextOut', # 0x258 'NtGdiEngTransparentBlt', # 0x259 'NtGdiEngUnlockSurface', # 0x25a 'NtGdiEnumFonts', # 0x25b 'NtGdiEnumObjects', # 0x25c 'NtGdiEudcLoadUnloadLink', # 0x25d 'NtGdiExtFloodFill', # 0x25e 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x25f 'NtGdiFONTOBJ_cGetGlyphs', # 0x260 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x261 'NtGdiFONTOBJ_pfdg', # 0x262 'NtGdiFONTOBJ_pifi', # 0x263 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x264 'NtGdiFONTOBJ_pxoGetXform', # 0x265 'NtGdiFONTOBJ_vGetInfo', # 0x266 'NtGdiFlattenPath', # 0x267 'NtGdiFontIsLinked', # 0x268 'NtGdiForceUFIMapping', # 0x269 'NtGdiFrameRgn', # 0x26a 'NtGdiFullscreenControl', # 0x26b 'NtGdiGetBoundsRect', # 0x26c 'NtGdiGetCOPPCompatibleOPMInformation', # 0x26d 'NtGdiGetCertificate', # 0x26e 'NtGdiGetCertificateSize', # 0x26f 'NtGdiGetCharABCWidthsW', # 0x270 'NtGdiGetCharacterPlacementW', # 0x271 'NtGdiGetColorAdjustment', # 0x272 'NtGdiGetColorSpaceforBitmap', # 0x273 'NtGdiGetCurrentDpiInfo', # 0x274 'NtGdiGetDeviceCaps', # 0x275 'NtGdiGetDeviceCapsAll', # 0x276 'NtGdiGetDeviceGammaRamp', # 0x277 'NtGdiGetDeviceWidth', # 0x278 'NtGdiGetDhpdev', # 0x279 'NtGdiGetETM', # 0x27a 'NtGdiGetEmbUFI', # 0x27b 'NtGdiGetEmbedFonts', # 0x27c 'NtGdiGetEudcTimeStampEx', # 0x27d 'NtGdiGetFontFileData', # 0x27e 'NtGdiGetFontFileInfo', # 0x27f 'NtGdiGetFontResourceInfoInternalW', # 0x280 'NtGdiGetFontUnicodeRanges', # 0x281 'NtGdiGetGlyphIndicesW', # 0x282 'NtGdiGetGlyphIndicesWInternal', # 0x283 'NtGdiGetGlyphOutline', # 0x284 'NtGdiGetKerningPairs', # 0x285 'NtGdiGetLinkedUFIs', # 0x286 'NtGdiGetMiterLimit', # 0x287 'NtGdiGetMonitorID', # 0x288 'NtGdiGetNumberOfPhysicalMonitors', # 0x289 'NtGdiGetOPMInformation', # 0x28a 'NtGdiGetOPMRandomNumber', # 0x28b 'NtGdiGetObjectBitmapHandle', # 0x28c 'NtGdiGetPath', # 0x28d 'NtGdiGetPerBandInfo', # 0x28e 'NtGdiGetPhysicalMonitorDescription', # 0x28f 'NtGdiGetPhysicalMonitors', # 
0x290 'NtGdiGetRealizationInfo', # 0x291 'NtGdiGetServerMetaFileBits', # 0x292 'NtGdiGetSpoolMessage', # 0x293 'NtGdiGetStats', # 0x294 'NtGdiGetStringBitmapW', # 0x295 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0x296 'NtGdiGetTextExtentExW', # 0x297 'NtGdiGetUFI', # 0x298 'NtGdiGetUFIPathname', # 0x299 'NtGdiGradientFill', # 0x29a 'NtGdiHLSurfGetInformation', # 0x29b 'NtGdiHLSurfSetInformation', # 0x29c 'NtGdiHT_Get8BPPFormatPalette', # 0x29d 'NtGdiHT_Get8BPPMaskPalette', # 0x29e 'NtGdiIcmBrushInfo', # 0x29f 'NtGdiInit', # 0x2a0 'NtGdiInitSpool', # 0x2a1 'NtGdiMakeFontDir', # 0x2a2 'NtGdiMakeInfoDC', # 0x2a3 'NtGdiMakeObjectUnXferable', # 0x2a4 'NtGdiMakeObjectXferable', # 0x2a5 'NtGdiMirrorWindowOrg', # 0x2a6 'NtGdiMonoBitmap', # 0x2a7 'NtGdiMoveTo', # 0x2a8 'NtGdiOffsetClipRgn', # 0x2a9 'NtGdiPATHOBJ_bEnum', # 0x2aa 'NtGdiPATHOBJ_bEnumClipLines', # 0x2ab 'NtGdiPATHOBJ_vEnumStart', # 0x2ac 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x2ad 'NtGdiPATHOBJ_vGetBounds', # 0x2ae 'NtGdiPathToRegion', # 0x2af 'NtGdiPlgBlt', # 0x2b0 'NtGdiPolyDraw', # 0x2b1 'NtGdiPolyTextOutW', # 0x2b2 'NtGdiPtInRegion', # 0x2b3 'NtGdiPtVisible', # 0x2b4 'NtGdiQueryFonts', # 0x2b5 'NtGdiRemoveFontResourceW', # 0x2b6 'NtGdiRemoveMergeFont', # 0x2b7 'NtGdiResetDC', # 0x2b8 'NtGdiResizePalette', # 0x2b9 'NtGdiRoundRect', # 0x2ba 'NtGdiSTROBJ_bEnum', # 0x2bb 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x2bc 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x2bd 'NtGdiSTROBJ_dwGetCodePage', # 0x2be 'NtGdiSTROBJ_vEnumStart', # 0x2bf 'NtGdiScaleViewportExtEx', # 0x2c0 'NtGdiScaleWindowExtEx', # 0x2c1 'NtGdiSelectBrush', # 0x2c2 'NtGdiSelectClipPath', # 0x2c3 'NtGdiSelectPen', # 0x2c4 'NtGdiSetBitmapAttributes', # 0x2c5 'NtGdiSetBrushAttributes', # 0x2c6 'NtGdiSetColorAdjustment', # 0x2c7 'NtGdiSetColorSpace', # 0x2c8 'NtGdiSetDeviceGammaRamp', # 0x2c9 'NtGdiSetFontXform', # 0x2ca 'NtGdiSetIcmMode', # 0x2cb 'NtGdiSetLinkedUFIs', # 0x2cc 'NtGdiSetMagicColors', # 0x2cd 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x2ce 
'NtGdiSetPUMPDOBJ', # 0x2cf 'NtGdiSetPixelFormat', # 0x2d0 'NtGdiSetRectRgn', # 0x2d1 'NtGdiSetSizeDevice', # 0x2d2 'NtGdiSetSystemPaletteUse', # 0x2d3 'NtGdiSetTextJustification', # 0x2d4 'NtGdiSetUMPDSandboxState', # 0x2d5 'NtGdiStartDoc', # 0x2d6 'NtGdiStartPage', # 0x2d7 'NtGdiStrokeAndFillPath', # 0x2d8 'NtGdiStrokePath', # 0x2d9 'NtGdiSwapBuffers', # 0x2da 'NtGdiTransparentBlt', # 0x2db 'NtGdiUMPDEngFreeUserMem', # 0x2dc 'NtGdiUnloadPrinterDriver', # 0x2dd 'NtGdiUnmapMemFont', # 0x2de 'NtGdiUpdateColors', # 0x2df 'NtGdiUpdateTransform', # 0x2e0 'NtGdiWidenPath', # 0x2e1 'NtGdiXFORMOBJ_bApplyXform', # 0x2e2 'NtGdiXFORMOBJ_iGetXform', # 0x2e3 'NtGdiXLATEOBJ_cGetPalette', # 0x2e4 'NtGdiXLATEOBJ_hGetColorTransform', # 0x2e5 'NtGdiXLATEOBJ_iXlate', # 0x2e6 'NtNotifyPresentToCompositionSurface', # 0x2e7 'NtOpenCompositionSurfaceDirtyRegion', # 0x2e8 'NtOpenCompositionSurfaceSectionInfo', # 0x2e9 'NtOpenCompositionSurfaceSwapChainHandleInfo', # 0x2ea 'NtQueryCompositionInputSink', # 0x2eb 'NtQueryCompositionInputSinkLuid', # 0x2ec 'NtQueryCompositionSurfaceBinding', # 0x2ed 'NtQueryCompositionSurfaceRenderingRealization', # 0x2ee 'NtQueryCompositionSurfaceStatistics', # 0x2ef 'NtSetCompositionSurfaceBufferCompositionMode', # 0x2f0 'NtSetCompositionSurfaceIndependentFlipInfo', # 0x2f1 'NtSetCompositionSurfaceOutOfFrameDirectFlipNotification', # 0x2f2 'NtSetCompositionSurfaceStatistics', # 0x2f3 'NtTokenManagerCreateCompositionTokenHandle', # 0x2f4 'NtTokenManagerDeleteOutstandingDirectFlipTokens', # 0x2f5 'NtTokenManagerGetOutOfFrameDirectFlipSurfaceUpdates', # 0x2f6 'NtTokenManagerOpenEvent', # 0x2f7 'NtTokenManagerOpenSection', # 0x2f8 'NtTokenManagerThread', # 0x2f9 'NtUnBindCompositionSurface', # 0x2fa 'NtUpdateInputSinkTransforms', # 0x2fb 'NtUserAcquireIAMKey', # 0x2fc 'NtUserAddClipboardFormatListener', # 0x2fd 'NtUserAssociateInputContext', # 0x2fe 'NtUserAutoPromoteMouseInPointer', # 0x2ff 'NtUserAutoRotateScreen', # 0x300 'NtUserBlockInput', # 0x301 
'NtUserBuildHimcList', # 0x302 'NtUserBuildPropList', # 0x303 'NtUserCalculatePopupWindowPosition', # 0x304 'NtUserCallHwndOpt', # 0x305 'NtUserCanBrokerForceForeground', # 0x306 'NtUserChangeDisplaySettings', # 0x307 'NtUserChangeWindowMessageFilterEx', # 0x308 'NtUserCheckAccessForIntegrityLevel', # 0x309 'NtUserCheckProcessForClipboardAccess', # 0x30a 'NtUserCheckProcessSession', # 0x30b 'NtUserCheckWindowThreadDesktop', # 0x30c 'NtUserChildWindowFromPointEx', # 0x30d 'NtUserClearForeground', # 0x30e 'NtUserClipCursor', # 0x30f 'NtUserCompositionInputSinkLuidFromPoint', # 0x310 'NtUserCreateDCompositionHwndTarget', # 0x311 'NtUserCreateDesktopEx', # 0x312 'NtUserCreateInputContext', # 0x313 'NtUserCreateWindowStation', # 0x314 'NtUserCtxDisplayIOCtl', # 0x315 'NtUserDeferWindowPosAndBand', # 0x316 'NtUserDelegateCapturePointers', # 0x317 'NtUserDelegateInput', # 0x318 'NtUserDestroyDCompositionHwndTarget', # 0x319 'NtUserDestroyInputContext', # 0x31a 'NtUserDisableImmersiveOwner', # 0x31b 'NtUserDisableProcessWindowFiltering', # 0x31c 'NtUserDisableThreadIme', # 0x31d 'NtUserDiscardPointerFrameMessages', # 0x31e 'NtUserDisplayConfigGetDeviceInfo', # 0x31f 'NtUserDisplayConfigSetDeviceInfo', # 0x320 'NtUserDoSoundConnect', # 0x321 'NtUserDoSoundDisconnect', # 0x322 'NtUserDragDetect', # 0x323 'NtUserDragObject', # 0x324 'NtUserDrawAnimatedRects', # 0x325 'NtUserDrawCaption', # 0x326 'NtUserDrawCaptionTemp', # 0x327 'NtUserDrawMenuBarTemp', # 0x328 'NtUserDwmGetRemoteSessionOcclusionEvent', # 0x329 'NtUserDwmGetRemoteSessionOcclusionState', # 0x32a 'NtUserDwmStartRedirection', # 0x32b 'NtUserDwmStopRedirection', # 0x32c 'NtUserDwmValidateWindow', # 0x32d 'NtUserEnableIAMAccess', # 0x32e 'NtUserEnableMouseInPointer', # 0x32f 'NtUserEnableMouseInputForCursorSuppression', # 0x330 'NtUserEnableTouchPad', # 0x331 'NtUserEndMenu', # 0x332 'NtUserEvent', # 0x333 'NtUserFlashWindowEx', # 0x334 'NtUserFrostCrashedWindow', # 0x335 'NtUserGetAppImeLevel', # 0x336 
'NtUserGetAutoRotationState', # 0x337 'NtUserGetCIMSSM', # 0x338 'NtUserGetCaretPos', # 0x339 'NtUserGetClipCursor', # 0x33a 'NtUserGetClipboardAccessToken', # 0x33b 'NtUserGetClipboardViewer', # 0x33c 'NtUserGetComboBoxInfo', # 0x33d 'NtUserGetCurrentInputMessageSource', # 0x33e 'NtUserGetCursorDims', # 0x33f 'NtUserGetCursorInfo', # 0x340 'NtUserGetDesktopID', # 0x341 'NtUserGetDisplayAutoRotationPreferences', # 0x342 'NtUserGetDisplayAutoRotationPreferencesByProcessId', # 0x343 'NtUserGetDisplayConfigBufferSizes', # 0x344 'NtUserGetDpiForMonitor', # 0x345 'NtUserGetGestureConfig', # 0x346 'NtUserGetGestureExtArgs', # 0x347 'NtUserGetGestureInfo', # 0x348 'NtUserGetGuiResources', # 0x349 'NtUserGetHimetricScaleFactorFromPixelLocation', # 0x34a 'NtUserGetImeHotKey', # 0x34b 'NtUserGetImeInfoEx', # 0x34c 'NtUserGetInputLocaleInfo', # 0x34d 'NtUserGetInternalWindowPos', # 0x34e 'NtUserGetKeyNameText', # 0x34f 'NtUserGetKeyboardLayoutName', # 0x350 'NtUserGetLayeredWindowAttributes', # 0x351 'NtUserGetListBoxInfo', # 0x352 'NtUserGetMenuIndex', # 0x353 'NtUserGetMenuItemRect', # 0x354 'NtUserGetMouseMovePointsEx', # 0x355 'NtUserGetOwnerTransformedMonitorRect', # 0x356 'NtUserGetPhysicalDeviceRect', # 0x357 'NtUserGetPointerCursorId', # 0x358 'NtUserGetPointerDevice', # 0x359 'NtUserGetPointerDeviceCursors', # 0x35a 'NtUserGetPointerDeviceProperties', # 0x35b 'NtUserGetPointerDeviceRects', # 0x35c 'NtUserGetPointerDevices', # 0x35d 'NtUserGetPointerInfoList', # 0x35e 'NtUserGetPointerInputTransform', # 0x35f 'NtUserGetPointerType', # 0x360 'NtUserGetPrecisionTouchPadConfiguration', # 0x361 'NtUserGetPriorityClipboardFormat', # 0x362 'NtUserGetProcessDpiAwareness', # 0x363 'NtUserGetProcessUIContextInformation', # 0x364 'NtUserGetQueueEventStatus', # 0x365 'NtUserGetRawInputBuffer', # 0x366 'NtUserGetRawInputData', # 0x367 'NtUserGetRawInputDeviceInfo', # 0x368 'NtUserGetRawInputDeviceList', # 0x369 'NtUserGetRawPointerDeviceData', # 0x36a 
'NtUserGetRegisteredRawInputDevices', # 0x36b 'NtUserGetTopLevelWindow', # 0x36c 'NtUserGetTouchInputInfo', # 0x36d 'NtUserGetTouchValidationStatus', # 0x36e 'NtUserGetUpdatedClipboardFormats', # 0x36f 'NtUserGetWOWClass', # 0x370 'NtUserGetWindowBand', # 0x371 'NtUserGetWindowCompositionAttribute', # 0x372 'NtUserGetWindowCompositionInfo', # 0x373 'NtUserGetWindowDisplayAffinity', # 0x374 'NtUserGetWindowFeedbackSetting', # 0x375 'NtUserGetWindowMinimizeRect', # 0x376 'NtUserGetWindowRgnEx', # 0x377 'NtUserGhostWindowFromHungWindow', # 0x378 'NtUserHandleDelegatedInput', # 0x379 'NtUserHardErrorControl', # 0x37a 'NtUserHidePointerContactVisualization', # 0x37b 'NtUserHiliteMenuItem', # 0x37c 'NtUserHungWindowFromGhostWindow', # 0x37d 'NtUserHwndQueryRedirectionInfo', # 0x37e 'NtUserHwndSetRedirectionInfo', # 0x37f 'NtUserImpersonateDdeClientWindow', # 0x380 'NtUserInitTask', # 0x381 'NtUserInitialize', # 0x382 'NtUserInitializeClientPfnArrays', # 0x383 'NtUserInitializeTouchInjection', # 0x384 'NtUserInjectGesture', # 0x385 'NtUserInjectTouchInput', # 0x386 'NtUserInternalClipCursor', # 0x387 'NtUserInternalGetWindowIcon', # 0x388 'NtUserIsMouseInPointerEnabled', # 0x389 'NtUserIsMouseInputEnabled', # 0x38a 'NtUserIsTopLevelWindow', # 0x38b 'NtUserIsTouchWindow', # 0x38c 'NtUserLayoutCompleted', # 0x38d 'NtUserLinkDpiCursor', # 0x38e 'NtUserLoadKeyboardLayoutEx', # 0x38f 'NtUserLockWindowStation', # 0x390 'NtUserLockWorkStation', # 0x391 'NtUserLogicalToPerMonitorDPIPhysicalPoint', # 0x392 'NtUserLogicalToPhysicalPoint', # 0x393 'NtUserMNDragLeave', # 0x394 'NtUserMNDragOver', # 0x395 'NtUserMagControl', # 0x396 'NtUserMagGetContextInformation', # 0x397 'NtUserMagSetContextInformation', # 0x398 'NtUserMenuItemFromPoint', # 0x399 'NtUserMinMaximize', # 0x39a 'NtUserModifyWindowTouchCapability', # 0x39b 'NtUserNotifyIMEStatus', # 0x39c 'NtUserOpenInputDesktop', # 0x39d 'NtUserOpenThreadDesktop', # 0x39e 'NtUserPaintMonitor', # 0x39f 
'NtUserPerMonitorDPIPhysicalToLogicalPoint', # 0x3a0 'NtUserPhysicalToLogicalPoint', # 0x3a1 'NtUserPrintWindow', # 0x3a2 'NtUserPromoteMouseInPointer', # 0x3a3 'NtUserPromotePointer', # 0x3a4 'NtUserQueryBSDRWindow', # 0x3a5 'NtUserQueryDisplayConfig', # 0x3a6 'NtUserQueryInformationThread', # 0x3a7 'NtUserQueryInputContext', # 0x3a8 'NtUserQuerySendMessage', # 0x3a9 'NtUserRealChildWindowFromPoint', # 0x3aa 'NtUserRealWaitMessageEx', # 0x3ab 'NtUserRegisterBSDRWindow', # 0x3ac 'NtUserRegisterEdgy', # 0x3ad 'NtUserRegisterErrorReportingDialog', # 0x3ae 'NtUserRegisterHotKey', # 0x3af 'NtUserRegisterPointerDeviceNotifications', # 0x3b0 'NtUserRegisterPointerInputTarget', # 0x3b1 'NtUserRegisterRawInputDevices', # 0x3b2 'NtUserRegisterServicesProcess', # 0x3b3 'NtUserRegisterSessionPort', # 0x3b4 'NtUserRegisterTasklist', # 0x3b5 'NtUserRegisterTouchHitTestingWindow', # 0x3b6 'NtUserRegisterTouchPadCapable', # 0x3b7 'NtUserRegisterUserApiHook', # 0x3b8 'NtUserRemoteConnect', # 0x3b9 'NtUserRemoteRedrawRectangle', # 0x3ba 'NtUserRemoteRedrawScreen', # 0x3bb 'NtUserRemoteStopScreenUpdates', # 0x3bc 'NtUserRemoveClipboardFormatListener', # 0x3bd 'NtUserReportInertia', # 0x3be 'NtUserResolveDesktopForWOW', # 0x3bf 'NtUserSendEventMessage', # 0x3c0 'NtUserSetActivationFilter', # 0x3c1 'NtUserSetActiveProcess', # 0x3c2 'NtUserSetAppImeLevel', # 0x3c3 'NtUserSetAutoRotation', # 0x3c4 'NtUserSetBrokeredForeground', # 0x3c5 'NtUserSetCalibrationData', # 0x3c6 'NtUserSetChildWindowNoActivate', # 0x3c7 'NtUserSetClassWord', # 0x3c8 'NtUserSetCursorContents', # 0x3c9 'NtUserSetDisplayAutoRotationPreferences', # 0x3ca 'NtUserSetDisplayConfig', # 0x3cb 'NtUserSetDisplayMapping', # 0x3cc 'NtUserSetFallbackForeground', # 0x3cd 'NtUserSetGestureConfig', # 0x3ce 'NtUserSetImeHotKey', # 0x3cf 'NtUserSetImeInfoEx', # 0x3d0 'NtUserSetImeOwnerWindow', # 0x3d1 'NtUserSetImmersiveBackgroundWindow', # 0x3d2 'NtUserSetInternalWindowPos', # 0x3d3 'NtUserSetLayeredWindowAttributes', # 0x3d4 
'NtUserSetMenu', # 0x3d5 'NtUserSetMenuContextHelpId', # 0x3d6 'NtUserSetMenuFlagRtoL', # 0x3d7 'NtUserSetMirrorRendering', # 0x3d8 'NtUserSetObjectInformation', # 0x3d9 'NtUserSetPrecisionTouchPadConfiguration', # 0x3da 'NtUserSetProcessDpiAwareness', # 0x3db 'NtUserSetProcessRestrictionExemption', # 0x3dc 'NtUserSetProcessUIAccessZorder', # 0x3dd 'NtUserSetShellWindowEx', # 0x3de 'NtUserSetSysColors', # 0x3df 'NtUserSetSystemCursor', # 0x3e0 'NtUserSetSystemTimer', # 0x3e1 'NtUserSetThreadInputBlocked', # 0x3e2 'NtUserSetThreadLayoutHandles', # 0x3e3 'NtUserSetWindowBand', # 0x3e4 'NtUserSetWindowCompositionAttribute', # 0x3e5 'NtUserSetWindowCompositionTransition', # 0x3e6 'NtUserSetWindowDisplayAffinity', # 0x3e7 'NtUserSetWindowFeedbackSetting', # 0x3e8 'NtUserSetWindowRgnEx', # 0x3e9 'NtUserSetWindowStationUser', # 0x3ea 'NtUserShowSystemCursor', # 0x3eb 'NtUserShutdownBlockReasonCreate', # 0x3ec 'NtUserShutdownBlockReasonQuery', # 0x3ed 'NtUserShutdownReasonDestroy', # 0x3ee 'NtUserSignalRedirectionStartComplete', # 0x3ef 'NtUserSlicerControl', # 0x3f0 'NtUserSoundSentry', # 0x3f1 'NtUserSwitchDesktop', # 0x3f2 'NtUserTestForInteractiveUser', # 0x3f3 'NtUserTrackPopupMenuEx', # 0x3f4 'NtUserTransformPoint', # 0x3f5 'NtUserTransformRect', # 0x3f6 'NtUserUndelegateInput', # 0x3f7 'NtUserUnloadKeyboardLayout', # 0x3f8 'NtUserUnlockWindowStation', # 0x3f9 'NtUserUnregisterHotKey', # 0x3fa 'NtUserUnregisterSessionPort', # 0x3fb 'NtUserUnregisterUserApiHook', # 0x3fc 'NtUserUpdateDefaultDesktopThumbnail', # 0x3fd 'NtUserUpdateInputContext', # 0x3fe 'NtUserUpdateInstance', # 0x3ff 'NtUserUpdateLayeredWindow', # 0x400 'NtUserUpdatePerUserSystemParameters', # 0x401 'NtUserUpdateWindowInputSinkHints', # 0x402 'NtUserUpdateWindowTransform', # 0x403 'NtUserUserHandleGrantAccess', # 0x404 'NtUserValidateHandleSecure', # 0x405 'NtUserWaitAvailableMessageEx', # 0x406 'NtUserWaitForInputIdle', # 0x407 'NtUserWaitForMsgAndEvent', # 0x408 
'NtUserWaitForRedirectionStartComplete', # 0x409 'NtUserWindowFromPhysicalPoint', # 0x40a 'NtValidateCompositionSurfaceHandle', # 0x40b 'NtUserSetClassLongPtr', # 0x40c 'NtUserSetWindowLongPtr', # 0x40d ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win2003_sp12_x86_syscalls.py0000644000000000000000000010424713131215405031327 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see <http://www.gnu.org/licenses/>. # """ @author: MHL @license: GNU General Public License 2.0 @contact: michael.ligh@mnin.org This file provides the system call name tables for Windows 2003 SP1/2 (x86). 
""" syscalls = [ [ 'NtAcceptConnectPort', # 0x0 'NtAccessCheck', # 0x1 'NtAccessCheckAndAuditAlarm', # 0x2 'NtAccessCheckByType', # 0x3 'NtAccessCheckByTypeAndAuditAlarm', # 0x4 'NtAccessCheckByTypeResultList', # 0x5 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7 'NtAddAtom', # 0x8 'NtAddBootEntry', # 0x9 'NtAddDriverEntry', # 0xa 'NtAdjustGroupsToken', # 0xb 'NtAdjustPrivilegesToken', # 0xc 'NtAlertResumeThread', # 0xd 'NtAlertThread', # 0xe 'NtAllocateLocallyUniqueId', # 0xf 'NtAllocateUserPhysicalPages', # 0x10 'NtAllocateUuids', # 0x11 'NtAllocateVirtualMemory', # 0x12 'NtApphelpCacheControl', # 0x13 'NtAreMappedFilesTheSame', # 0x14 'NtAssignProcessToJobObject', # 0x15 'NtCallbackReturn', # 0x16 'NtCancelDeviceWakeupRequest', # 0x17 'NtCancelIoFile', # 0x18 'NtCancelTimer', # 0x19 'NtClearEvent', # 0x1a 'NtClose', # 0x1b 'NtCloseObjectAuditAlarm', # 0x1c 'NtCompactKeys', # 0x1d 'NtCompareTokens', # 0x1e 'NtCompleteConnectPort', # 0x1f 'NtCompressKey', # 0x20 'NtConnectPort', # 0x21 'NtContinue', # 0x22 'NtCreateDebugObject', # 0x23 'NtCreateDirectoryObject', # 0x24 'NtCreateEvent', # 0x25 'NtCreateEventPair', # 0x26 'NtCreateFile', # 0x27 'NtCreateIoCompletion', # 0x28 'NtCreateJobObject', # 0x29 'NtCreateJobSet', # 0x2a 'NtCreateKey', # 0x2b 'NtCreateMailslotFile', # 0x2c 'NtCreateMutant', # 0x2d 'NtCreateNamedPipeFile', # 0x2e 'NtCreatePagingFile', # 0x2f 'NtCreatePort', # 0x30 'NtCreateProcess', # 0x31 'NtCreateProcessEx', # 0x32 'NtCreateProfile', # 0x33 'NtCreateSection', # 0x34 'NtCreateSemaphore', # 0x35 'NtCreateSymbolicLinkObject', # 0x36 'NtCreateThread', # 0x37 'NtCreateTimer', # 0x38 'NtCreateToken', # 0x39 'NtCreateWaitablePort', # 0x3a 'NtDebugActiveProcess', # 0x3b 'NtDebugContinue', # 0x3c 'NtDelayExecution', # 0x3d 'NtDeleteAtom', # 0x3e 'NtDeleteBootEntry', # 0x3f 'NtDeleteDriverEntry', # 0x40 'NtDeleteFile', # 0x41 'NtDeleteKey', # 0x42 'NtDeleteObjectAuditAlarm', # 0x43 
'NtDeleteValueKey', # 0x44 'NtDeviceIoControlFile', # 0x45 'NtDisplayString', # 0x46 'NtDuplicateObject', # 0x47 'NtDuplicateToken', # 0x48 'NtEnumerateBootEntries', # 0x49 'NtEnumerateDriverEntries', # 0x4a 'NtEnumerateKey', # 0x4b 'NtEnumerateSystemEnvironmentValuesEx', # 0x4c 'NtEnumerateValueKey', # 0x4d 'NtExtendSection', # 0x4e 'NtFilterToken', # 0x4f 'NtFindAtom', # 0x50 'NtFlushBuffersFile', # 0x51 'NtFlushInstructionCache', # 0x52 'NtFlushKey', # 0x53 'NtFlushVirtualMemory', # 0x54 'NtFlushWriteBuffer', # 0x55 'NtFreeUserPhysicalPages', # 0x56 'NtFreeVirtualMemory', # 0x57 'NtFsControlFile', # 0x58 'NtGetContextThread', # 0x59 'NtGetDevicePowerState', # 0x5a 'NtGetPlugPlayEvent', # 0x5b 'NtGetWriteWatch', # 0x5c 'NtImpersonateAnonymousToken', # 0x5d 'NtImpersonateClientOfPort', # 0x5e 'NtImpersonateThread', # 0x5f 'NtInitializeRegistry', # 0x60 'NtInitiatePowerAction', # 0x61 'NtIsProcessInJob', # 0x62 'NtIsSystemResumeAutomatic', # 0x63 'NtListenPort', # 0x64 'NtLoadDriver', # 0x65 'NtLoadKey', # 0x66 'NtLoadKey2', # 0x67 'NtLoadKeyEx', # 0x68 'NtLockFile', # 0x69 'NtLockProductActivationKeys', # 0x6a 'NtLockRegistryKey', # 0x6b 'NtLockVirtualMemory', # 0x6c 'NtMakePermanentObject', # 0x6d 'NtMakeTemporaryObject', # 0x6e 'NtMapUserPhysicalPages', # 0x6f 'NtMapUserPhysicalPagesScatter', # 0x70 'NtMapViewOfSection', # 0x71 'NtModifyBootEntry', # 0x72 'NtModifyDriverEntry', # 0x73 'NtNotifyChangeDirectoryFile', # 0x74 'NtNotifyChangeKey', # 0x75 'NtNotifyChangeMultipleKeys', # 0x76 'NtOpenDirectoryObject', # 0x77 'NtOpenEvent', # 0x78 'NtOpenEventPair', # 0x79 'NtOpenFile', # 0x7a 'NtOpenIoCompletion', # 0x7b 'NtOpenJobObject', # 0x7c 'NtOpenKey', # 0x7d 'NtOpenMutant', # 0x7e 'NtOpenObjectAuditAlarm', # 0x7f 'NtOpenProcess', # 0x80 'NtOpenProcessToken', # 0x81 'NtOpenProcessTokenEx', # 0x82 'NtOpenSection', # 0x83 'NtOpenSemaphore', # 0x84 'NtOpenSymbolicLinkObject', # 0x85 'NtOpenThread', # 0x86 'NtOpenThreadToken', # 0x87 'NtOpenThreadTokenEx', # 0x88 
'NtOpenTimer', # 0x89 'NtPlugPlayControl', # 0x8a 'NtPowerInformation', # 0x8b 'NtPrivilegeCheck', # 0x8c 'NtPrivilegeObjectAuditAlarm', # 0x8d 'NtPrivilegedServiceAuditAlarm', # 0x8e 'NtProtectVirtualMemory', # 0x8f 'NtPulseEvent', # 0x90 'NtQueryAttributesFile', # 0x91 'NtQueryBootEntryOrder', # 0x92 'NtQueryBootOptions', # 0x93 'NtQueryDebugFilterState', # 0x94 'NtQueryDefaultLocale', # 0x95 'NtQueryDefaultUILanguage', # 0x96 'NtQueryDirectoryFile', # 0x97 'NtQueryDirectoryObject', # 0x98 'NtQueryDriverEntryOrder', # 0x99 'NtQueryEaFile', # 0x9a 'NtQueryEvent', # 0x9b 'NtQueryFullAttributesFile', # 0x9c 'NtQueryInformationAtom', # 0x9d 'NtQueryInformationFile', # 0x9e 'NtQueryInformationJobObject', # 0x9f 'NtQueryInformationPort', # 0xa0 'NtQueryInformationProcess', # 0xa1 'NtQueryInformationThread', # 0xa2 'NtQueryInformationToken', # 0xa3 'NtQueryInstallUILanguage', # 0xa4 'NtQueryIntervalProfile', # 0xa5 'NtQueryIoCompletion', # 0xa6 'NtQueryKey', # 0xa7 'NtQueryMultipleValueKey', # 0xa8 'NtQueryMutant', # 0xa9 'NtQueryObject', # 0xaa 'NtQueryOpenSubKeys', # 0xab 'NtQueryOpenSubKeysEx', # 0xac 'NtQueryPerformanceCounter', # 0xad 'NtQueryQuotaInformationFile', # 0xae 'NtQuerySection', # 0xaf 'NtQuerySecurityObject', # 0xb0 'NtQuerySemaphore', # 0xb1 'NtQuerySymbolicLinkObject', # 0xb2 'NtQuerySystemEnvironmentValue', # 0xb3 'NtQuerySystemEnvironmentValueEx', # 0xb4 'NtQuerySystemInformation', # 0xb5 'NtQuerySystemTime', # 0xb6 'NtQueryTimer', # 0xb7 'NtQueryTimerResolution', # 0xb8 'NtQueryValueKey', # 0xb9 'NtQueryVirtualMemory', # 0xba 'NtQueryVolumeInformationFile', # 0xbb 'NtQueueApcThread', # 0xbc 'NtRaiseException', # 0xbd 'NtRaiseHardError', # 0xbe 'NtReadFile', # 0xbf 'NtReadFileScatter', # 0xc0 'NtReadRequestData', # 0xc1 'NtReadVirtualMemory', # 0xc2 'NtRegisterThreadTerminatePort', # 0xc3 'NtReleaseMutant', # 0xc4 'NtReleaseSemaphore', # 0xc5 'NtRemoveIoCompletion', # 0xc6 'NtRemoveProcessDebug', # 0xc7 'NtRenameKey', # 0xc8 'NtReplaceKey', # 0xc9 
'NtReplyPort', # 0xca 'NtReplyWaitReceivePort', # 0xcb 'NtReplyWaitReceivePortEx', # 0xcc 'NtReplyWaitReplyPort', # 0xcd 'NtRequestDeviceWakeup', # 0xce 'NtRequestPort', # 0xcf 'NtRequestWaitReplyPort', # 0xd0 'NtRequestWakeupLatency', # 0xd1 'NtResetEvent', # 0xd2 'NtResetWriteWatch', # 0xd3 'NtRestoreKey', # 0xd4 'NtResumeProcess', # 0xd5 'NtResumeThread', # 0xd6 'NtSaveKey', # 0xd7 'NtSaveKeyEx', # 0xd8 'NtSaveMergedKeys', # 0xd9 'NtSecureConnectPort', # 0xda 'NtSetBootEntryOrder', # 0xdb 'NtSetBootOptions', # 0xdc 'NtSetContextThread', # 0xdd 'NtSetDebugFilterState', # 0xde 'NtSetDefaultHardErrorPort', # 0xdf 'NtSetDefaultLocale', # 0xe0 'NtSetDefaultUILanguage', # 0xe1 'NtSetDriverEntryOrder', # 0xe2 'NtSetEaFile', # 0xe3 'NtSetEvent', # 0xe4 'NtSetEventBoostPriority', # 0xe5 'NtSetHighEventPair', # 0xe6 'NtSetHighWaitLowEventPair', # 0xe7 'NtSetInformationDebugObject', # 0xe8 'NtSetInformationFile', # 0xe9 'NtSetInformationJobObject', # 0xea 'NtSetInformationKey', # 0xeb 'NtSetInformationObject', # 0xec 'NtSetInformationProcess', # 0xed 'NtSetInformationThread', # 0xee 'NtSetInformationToken', # 0xef 'NtSetIntervalProfile', # 0xf0 'NtSetIoCompletion', # 0xf1 'NtSetLdtEntries', # 0xf2 'NtSetLowEventPair', # 0xf3 'NtSetLowWaitHighEventPair', # 0xf4 'NtSetQuotaInformationFile', # 0xf5 'NtSetSecurityObject', # 0xf6 'NtSetSystemEnvironmentValue', # 0xf7 'NtSetSystemEnvironmentValueEx', # 0xf8 'NtSetSystemInformation', # 0xf9 'NtSetSystemPowerState', # 0xfa 'NtSetSystemTime', # 0xfb 'NtSetThreadExecutionState', # 0xfc 'NtSetTimer', # 0xfd 'NtSetTimerResolution', # 0xfe 'NtSetUuidSeed', # 0xff 'NtSetValueKey', # 0x100 'NtSetVolumeInformationFile', # 0x101 'NtShutdownSystem', # 0x102 'NtSignalAndWaitForSingleObject', # 0x103 'NtStartProfile', # 0x104 'NtStopProfile', # 0x105 'NtSuspendProcess', # 0x106 'NtSuspendThread', # 0x107 'NtSystemDebugControl', # 0x108 'NtTerminateJobObject', # 0x109 'NtTerminateProcess', # 0x10a 'NtTerminateThread', # 0x10b 'NtTestAlert', # 
0x10c 'NtTraceEvent', # 0x10d 'NtTranslateFilePath', # 0x10e 'NtUnloadDriver', # 0x10f 'NtUnloadKey', # 0x110 'NtUnloadKey2', # 0x111 'NtUnloadKeyEx', # 0x112 'NtUnlockFile', # 0x113 'NtUnlockVirtualMemory', # 0x114 'NtUnmapViewOfSection', # 0x115 'NtVdmControl', # 0x116 'NtWaitForDebugEvent', # 0x117 'NtWaitForMultipleObjects', # 0x118 'NtWaitForSingleObject', # 0x119 'NtWaitHighEventPair', # 0x11a 'NtWaitLowEventPair', # 0x11b 'NtWriteFile', # 0x11c 'NtWriteFileGather', # 0x11d 'NtWriteRequestData', # 0x11e 'NtWriteVirtualMemory', # 0x11f 'NtYieldExecution', # 0x120 'NtCreateKeyedEvent', # 0x121 'NtOpenKeyedEvent', # 0x122 'NtReleaseKeyedEvent', # 0x123 'NtWaitForKeyedEvent', # 0x124 'NtQueryPortInformationProcess', # 0x125 'NtGetCurrentProcessorNumber', # 0x126 'NtWaitForMultipleObjects32', # 0x127 ], [ 'NtGdiAbortDoc', # 0x0 'NtGdiAbortPath', # 0x1 'NtGdiAddFontResourceW', # 0x2 'NtGdiAddRemoteFontToDC', # 0x3 'NtGdiAddFontMemResourceEx', # 0x4 'NtGdiRemoveMergeFont', # 0x5 'NtGdiAddRemoteMMInstanceToDC', # 0x6 'NtGdiAlphaBlend', # 0x7 'NtGdiAngleArc', # 0x8 'NtGdiAnyLinkedFonts', # 0x9 'NtGdiFontIsLinked', # 0xa 'NtGdiArcInternal', # 0xb 'NtGdiBeginPath', # 0xc 'NtGdiBitBlt', # 0xd 'NtGdiCancelDC', # 0xe 'NtGdiCheckBitmapBits', # 0xf 'NtGdiCloseFigure', # 0x10 'NtGdiClearBitmapAttributes', # 0x11 'NtGdiClearBrushAttributes', # 0x12 'NtGdiColorCorrectPalette', # 0x13 'NtGdiCombineRgn', # 0x14 'NtGdiCombineTransform', # 0x15 'NtGdiComputeXformCoefficients', # 0x16 'NtGdiConsoleTextOut', # 0x17 'NtGdiConvertMetafileRect', # 0x18 'NtGdiCreateBitmap', # 0x19 'NtGdiCreateClientObj', # 0x1a 'NtGdiCreateColorSpace', # 0x1b 'NtGdiCreateColorTransform', # 0x1c 'NtGdiCreateCompatibleBitmap', # 0x1d 'NtGdiCreateCompatibleDC', # 0x1e 'NtGdiCreateDIBBrush', # 0x1f 'NtGdiCreateDIBitmapInternal', # 0x20 'NtGdiCreateDIBSection', # 0x21 'NtGdiCreateEllipticRgn', # 0x22 'NtGdiCreateHalftonePalette', # 0x23 'NtGdiCreateHatchBrushInternal', # 0x24 'NtGdiCreateMetafileDC', # 0x25 
'NtGdiCreatePaletteInternal', # 0x26 'NtGdiCreatePatternBrushInternal', # 0x27 'NtGdiCreatePen', # 0x28 'NtGdiCreateRectRgn', # 0x29 'NtGdiCreateRoundRectRgn', # 0x2a 'NtGdiCreateServerMetaFile', # 0x2b 'NtGdiCreateSolidBrush', # 0x2c 'NtGdiD3dContextCreate', # 0x2d 'NtGdiD3dContextDestroy', # 0x2e 'NtGdiD3dContextDestroyAll', # 0x2f 'NtGdiD3dValidateTextureStageState', # 0x30 'NtGdiD3dDrawPrimitives2', # 0x31 'NtGdiDdGetDriverState', # 0x32 'NtGdiDdAddAttachedSurface', # 0x33 'NtGdiDdAlphaBlt', # 0x34 'NtGdiDdAttachSurface', # 0x35 'NtGdiDdBeginMoCompFrame', # 0x36 'NtGdiDdBlt', # 0x37 'NtGdiDdCanCreateSurface', # 0x38 'NtGdiDdCanCreateD3DBuffer', # 0x39 'NtGdiDdColorControl', # 0x3a 'NtGdiDdCreateDirectDrawObject', # 0x3b 'NtGdiDdCreateSurface', # 0x3c 'NtGdiDdCreateD3DBuffer', # 0x3d 'NtGdiDdCreateMoComp', # 0x3e 'NtGdiDdCreateSurfaceObject', # 0x3f 'NtGdiDdDeleteDirectDrawObject', # 0x40 'NtGdiDdDeleteSurfaceObject', # 0x41 'NtGdiDdDestroyMoComp', # 0x42 'NtGdiDdDestroySurface', # 0x43 'NtGdiDdDestroyD3DBuffer', # 0x44 'NtGdiDdEndMoCompFrame', # 0x45 'NtGdiDdFlip', # 0x46 'NtGdiDdFlipToGDISurface', # 0x47 'NtGdiDdGetAvailDriverMemory', # 0x48 'NtGdiDdGetBltStatus', # 0x49 'NtGdiDdGetDC', # 0x4a 'NtGdiDdGetDriverInfo', # 0x4b 'NtGdiDdGetDxHandle', # 0x4c 'NtGdiDdGetFlipStatus', # 0x4d 'NtGdiDdGetInternalMoCompInfo', # 0x4e 'NtGdiDdGetMoCompBuffInfo', # 0x4f 'NtGdiDdGetMoCompGuids', # 0x50 'NtGdiDdGetMoCompFormats', # 0x51 'NtGdiDdGetScanLine', # 0x52 'NtGdiDdLock', # 0x53 'NtGdiDdLockD3D', # 0x54 'NtGdiDdQueryDirectDrawObject', # 0x55 'NtGdiDdQueryMoCompStatus', # 0x56 'NtGdiDdReenableDirectDrawObject', # 0x57 'NtGdiDdReleaseDC', # 0x58 'NtGdiDdRenderMoComp', # 0x59 'NtGdiDdResetVisrgn', # 0x5a 'NtGdiDdSetColorKey', # 0x5b 'NtGdiDdSetExclusiveMode', # 0x5c 'NtGdiDdSetGammaRamp', # 0x5d 'NtGdiDdCreateSurfaceEx', # 0x5e 'NtGdiDdSetOverlayPosition', # 0x5f 'NtGdiDdUnattachSurface', # 0x60 'NtGdiDdUnlock', # 0x61 'NtGdiDdUnlockD3D', # 0x62 'NtGdiDdUpdateOverlay', # 
0x63 'NtGdiDdWaitForVerticalBlank', # 0x64 'NtGdiDvpCanCreateVideoPort', # 0x65 'NtGdiDvpColorControl', # 0x66 'NtGdiDvpCreateVideoPort', # 0x67 'NtGdiDvpDestroyVideoPort', # 0x68 'NtGdiDvpFlipVideoPort', # 0x69 'NtGdiDvpGetVideoPortBandwidth', # 0x6a 'NtGdiDvpGetVideoPortField', # 0x6b 'NtGdiDvpGetVideoPortFlipStatus', # 0x6c 'NtGdiDvpGetVideoPortInputFormats', # 0x6d 'NtGdiDvpGetVideoPortLine', # 0x6e 'NtGdiDvpGetVideoPortOutputFormats', # 0x6f 'NtGdiDvpGetVideoPortConnectInfo', # 0x70 'NtGdiDvpGetVideoSignalStatus', # 0x71 'NtGdiDvpUpdateVideoPort', # 0x72 'NtGdiDvpWaitForVideoPortSync', # 0x73 'NtGdiDvpAcquireNotification', # 0x74 'NtGdiDvpReleaseNotification', # 0x75 'NtGdiDxgGenericThunk', # 0x76 'NtGdiDeleteClientObj', # 0x77 'NtGdiDeleteColorSpace', # 0x78 'NtGdiDeleteColorTransform', # 0x79 'NtGdiDeleteObjectApp', # 0x7a 'NtGdiDescribePixelFormat', # 0x7b 'NtGdiGetPerBandInfo', # 0x7c 'NtGdiDoBanding', # 0x7d 'NtGdiDoPalette', # 0x7e 'NtGdiDrawEscape', # 0x7f 'NtGdiEllipse', # 0x80 'NtGdiEnableEudc', # 0x81 'NtGdiEndDoc', # 0x82 'NtGdiEndPage', # 0x83 'NtGdiEndPath', # 0x84 'NtGdiEnumFontChunk', # 0x85 'NtGdiEnumFontClose', # 0x86 'NtGdiEnumFontOpen', # 0x87 'NtGdiEnumObjects', # 0x88 'NtGdiEqualRgn', # 0x89 'NtGdiEudcLoadUnloadLink', # 0x8a 'NtGdiExcludeClipRect', # 0x8b 'NtGdiExtCreatePen', # 0x8c 'NtGdiExtCreateRegion', # 0x8d 'NtGdiExtEscape', # 0x8e 'NtGdiExtFloodFill', # 0x8f 'NtGdiExtGetObjectW', # 0x90 'NtGdiExtSelectClipRgn', # 0x91 'NtGdiExtTextOutW', # 0x92 'NtGdiFillPath', # 0x93 'NtGdiFillRgn', # 0x94 'NtGdiFlattenPath', # 0x95 'NtGdiFlush', # 0x96 'NtGdiForceUFIMapping', # 0x97 'NtGdiFrameRgn', # 0x98 'NtGdiFullscreenControl', # 0x99 'NtGdiGetAndSetDCDword', # 0x9a 'NtGdiGetAppClipBox', # 0x9b 'NtGdiGetBitmapBits', # 0x9c 'NtGdiGetBitmapDimension', # 0x9d 'NtGdiGetBoundsRect', # 0x9e 'NtGdiGetCharABCWidthsW', # 0x9f 'NtGdiGetCharacterPlacementW', # 0xa0 'NtGdiGetCharSet', # 0xa1 'NtGdiGetCharWidthW', # 0xa2 'NtGdiGetCharWidthInfo', # 0xa3 
'NtGdiGetColorAdjustment', # 0xa4 'NtGdiGetColorSpaceforBitmap', # 0xa5 'NtGdiGetDCDword', # 0xa6 'NtGdiGetDCforBitmap', # 0xa7 'NtGdiGetDCObject', # 0xa8 'NtGdiGetDCPoint', # 0xa9 'NtGdiGetDeviceCaps', # 0xaa 'NtGdiGetDeviceGammaRamp', # 0xab 'NtGdiGetDeviceCapsAll', # 0xac 'NtGdiGetDIBitsInternal', # 0xad 'NtGdiGetETM', # 0xae 'NtGdiGetEudcTimeStampEx', # 0xaf 'NtGdiGetFontData', # 0xb0 'NtGdiGetFontResourceInfoInternalW', # 0xb1 'NtGdiGetGlyphIndicesW', # 0xb2 'NtGdiGetGlyphIndicesWInternal', # 0xb3 'NtGdiGetGlyphOutline', # 0xb4 'NtGdiGetKerningPairs', # 0xb5 'NtGdiGetLinkedUFIs', # 0xb6 'NtGdiGetMiterLimit', # 0xb7 'NtGdiGetMonitorID', # 0xb8 'NtGdiGetNearestColor', # 0xb9 'NtGdiGetNearestPaletteIndex', # 0xba 'NtGdiGetObjectBitmapHandle', # 0xbb 'NtGdiGetOutlineTextMetricsInternalW', # 0xbc 'NtGdiGetPath', # 0xbd 'NtGdiGetPixel', # 0xbe 'NtGdiGetRandomRgn', # 0xbf 'NtGdiGetRasterizerCaps', # 0xc0 'NtGdiGetRealizationInfo', # 0xc1 'NtGdiGetRegionData', # 0xc2 'NtGdiGetRgnBox', # 0xc3 'NtGdiGetServerMetaFileBits', # 0xc4 'NtGdiGetSpoolMessage', # 0xc5 'NtGdiGetStats', # 0xc6 'NtGdiGetStockObject', # 0xc7 'NtGdiGetStringBitmapW', # 0xc8 'NtGdiGetSystemPaletteUse', # 0xc9 'NtGdiGetTextCharsetInfo', # 0xca 'NtGdiGetTextExtent', # 0xcb 'NtGdiGetTextExtentExW', # 0xcc 'NtGdiGetTextFaceW', # 0xcd 'NtGdiGetTextMetricsW', # 0xce 'NtGdiGetTransform', # 0xcf 'NtGdiGetUFI', # 0xd0 'NtGdiGetEmbUFI', # 0xd1 'NtGdiGetUFIPathname', # 0xd2 'NtGdiGetEmbedFonts', # 0xd3 'NtGdiChangeGhostFont', # 0xd4 'NtGdiAddEmbFontToDC', # 0xd5 'NtGdiGetFontUnicodeRanges', # 0xd6 'NtGdiGetWidthTable', # 0xd7 'NtGdiGradientFill', # 0xd8 'NtGdiHfontCreate', # 0xd9 'NtGdiIcmBrushInfo', # 0xda 'NtGdiInit', # 0xdb 'NtGdiInitSpool', # 0xdc 'NtGdiIntersectClipRect', # 0xdd 'NtGdiInvertRgn', # 0xde 'NtGdiLineTo', # 0xdf 'NtGdiMakeFontDir', # 0xe0 'NtGdiMakeInfoDC', # 0xe1 'NtGdiMaskBlt', # 0xe2 'NtGdiModifyWorldTransform', # 0xe3 'NtGdiMonoBitmap', # 0xe4 'NtGdiMoveTo', # 0xe5 'NtGdiOffsetClipRgn', # 
0xe6 'NtGdiOffsetRgn', # 0xe7 'NtGdiOpenDCW', # 0xe8 'NtGdiPatBlt', # 0xe9 'NtGdiPolyPatBlt', # 0xea 'NtGdiPathToRegion', # 0xeb 'NtGdiPlgBlt', # 0xec 'NtGdiPolyDraw', # 0xed 'NtGdiPolyPolyDraw', # 0xee 'NtGdiPolyTextOutW', # 0xef 'NtGdiPtInRegion', # 0xf0 'NtGdiPtVisible', # 0xf1 'NtGdiQueryFonts', # 0xf2 'NtGdiQueryFontAssocInfo', # 0xf3 'NtGdiRectangle', # 0xf4 'NtGdiRectInRegion', # 0xf5 'NtGdiRectVisible', # 0xf6 'NtGdiRemoveFontResourceW', # 0xf7 'NtGdiRemoveFontMemResourceEx', # 0xf8 'NtGdiResetDC', # 0xf9 'NtGdiResizePalette', # 0xfa 'NtGdiRestoreDC', # 0xfb 'NtGdiRoundRect', # 0xfc 'NtGdiSaveDC', # 0xfd 'NtGdiScaleViewportExtEx', # 0xfe 'NtGdiScaleWindowExtEx', # 0xff 'NtGdiSelectBitmap', # 0x100 'NtGdiSelectBrush', # 0x101 'NtGdiSelectClipPath', # 0x102 'NtGdiSelectFont', # 0x103 'NtGdiSelectPen', # 0x104 'NtGdiSetBitmapAttributes', # 0x105 'NtGdiSetBitmapBits', # 0x106 'NtGdiSetBitmapDimension', # 0x107 'NtGdiSetBoundsRect', # 0x108 'NtGdiSetBrushAttributes', # 0x109 'NtGdiSetBrushOrg', # 0x10a 'NtGdiSetColorAdjustment', # 0x10b 'NtGdiSetColorSpace', # 0x10c 'NtGdiSetDeviceGammaRamp', # 0x10d 'NtGdiSetDIBitsToDeviceInternal', # 0x10e 'NtGdiSetFontEnumeration', # 0x10f 'NtGdiSetFontXform', # 0x110 'NtGdiSetIcmMode', # 0x111 'NtGdiSetLinkedUFIs', # 0x112 'NtGdiSetMagicColors', # 0x113 'NtGdiSetMetaRgn', # 0x114 'NtGdiSetMiterLimit', # 0x115 'NtGdiGetDeviceWidth', # 0x116 'NtGdiMirrorWindowOrg', # 0x117 'NtGdiSetLayout', # 0x118 'NtGdiSetPixel', # 0x119 'NtGdiSetPixelFormat', # 0x11a 'NtGdiSetRectRgn', # 0x11b 'NtGdiSetSystemPaletteUse', # 0x11c 'NtGdiSetTextJustification', # 0x11d 'NtGdiSetupPublicCFONT', # 0x11e 'NtGdiSetVirtualResolution', # 0x11f 'NtGdiSetSizeDevice', # 0x120 'NtGdiStartDoc', # 0x121 'NtGdiStartPage', # 0x122 'NtGdiStretchBlt', # 0x123 'NtGdiStretchDIBitsInternal', # 0x124 'NtGdiStrokeAndFillPath', # 0x125 'NtGdiStrokePath', # 0x126 'NtGdiSwapBuffers', # 0x127 'NtGdiTransformPoints', # 0x128 'NtGdiTransparentBlt', # 0x129 
'NtGdiUnloadPrinterDriver', # 0x12a 'NtGdiUnmapMemFont', # 0x12b 'NtGdiUnrealizeObject', # 0x12c 'NtGdiUpdateColors', # 0x12d 'NtGdiWidenPath', # 0x12e 'NtUserActivateKeyboardLayout', # 0x12f 'NtUserAlterWindowStyle', # 0x130 'NtUserAssociateInputContext', # 0x131 'NtUserAttachThreadInput', # 0x132 'NtUserBeginPaint', # 0x133 'NtUserBitBltSysBmp', # 0x134 'NtUserBlockInput', # 0x135 'NtUserBuildHimcList', # 0x136 'NtUserBuildHwndList', # 0x137 'NtUserBuildNameList', # 0x138 'NtUserBuildPropList', # 0x139 'NtUserCallHwnd', # 0x13a 'NtUserCallHwndLock', # 0x13b 'NtUserCallHwndOpt', # 0x13c 'NtUserCallHwndParam', # 0x13d 'NtUserCallHwndParamLock', # 0x13e 'NtUserCallMsgFilter', # 0x13f 'NtUserCallNextHookEx', # 0x140 'NtUserCallNoParam', # 0x141 'NtUserCallOneParam', # 0x142 'NtUserCallTwoParam', # 0x143 'NtUserChangeClipboardChain', # 0x144 'NtUserChangeDisplaySettings', # 0x145 'NtUserCheckImeHotKey', # 0x146 'NtUserCheckMenuItem', # 0x147 'NtUserChildWindowFromPointEx', # 0x148 'NtUserClipCursor', # 0x149 'NtUserCloseClipboard', # 0x14a 'NtUserCloseDesktop', # 0x14b 'NtUserCloseWindowStation', # 0x14c 'NtUserConsoleControl', # 0x14d 'NtUserConvertMemHandle', # 0x14e 'NtUserCopyAcceleratorTable', # 0x14f 'NtUserCountClipboardFormats', # 0x150 'NtUserCreateAcceleratorTable', # 0x151 'NtUserCreateCaret', # 0x152 'NtUserCreateDesktop', # 0x153 'NtUserCreateInputContext', # 0x154 'NtUserCreateLocalMemHandle', # 0x155 'NtUserCreateWindowEx', # 0x156 'NtUserCreateWindowStation', # 0x157 'NtUserDdeGetQualityOfService', # 0x158 'NtUserDdeInitialize', # 0x159 'NtUserDdeSetQualityOfService', # 0x15a 'NtUserDeferWindowPos', # 0x15b 'NtUserDefSetText', # 0x15c 'NtUserDeleteMenu', # 0x15d 'NtUserDestroyAcceleratorTable', # 0x15e 'NtUserDestroyCursor', # 0x15f 'NtUserDestroyInputContext', # 0x160 'NtUserDestroyMenu', # 0x161 'NtUserDestroyWindow', # 0x162 'NtUserDisableThreadIme', # 0x163 'NtUserDispatchMessage', # 0x164 'NtUserDragDetect', # 0x165 'NtUserDragObject', # 0x166 
'NtUserDrawAnimatedRects', # 0x167 'NtUserDrawCaption', # 0x168 'NtUserDrawCaptionTemp', # 0x169 'NtUserDrawIconEx', # 0x16a 'NtUserDrawMenuBarTemp', # 0x16b 'NtUserEmptyClipboard', # 0x16c 'NtUserEnableMenuItem', # 0x16d 'NtUserEnableScrollBar', # 0x16e 'NtUserEndDeferWindowPosEx', # 0x16f 'NtUserEndMenu', # 0x170 'NtUserEndPaint', # 0x171 'NtUserEnumDisplayDevices', # 0x172 'NtUserEnumDisplayMonitors', # 0x173 'NtUserEnumDisplaySettings', # 0x174 'NtUserEvent', # 0x175 'NtUserExcludeUpdateRgn', # 0x176 'NtUserFillWindow', # 0x177 'NtUserFindExistingCursorIcon', # 0x178 'NtUserFindWindowEx', # 0x179 'NtUserFlashWindowEx', # 0x17a 'NtUserGetAltTabInfo', # 0x17b 'NtUserGetAncestor', # 0x17c 'NtUserGetAppImeLevel', # 0x17d 'NtUserGetAsyncKeyState', # 0x17e 'NtUserGetAtomName', # 0x17f 'NtUserGetCaretBlinkTime', # 0x180 'NtUserGetCaretPos', # 0x181 'NtUserGetClassInfoEx', # 0x182 'NtUserGetClassName', # 0x183 'NtUserGetClipboardData', # 0x184 'NtUserGetClipboardFormatName', # 0x185 'NtUserGetClipboardOwner', # 0x186 'NtUserGetClipboardSequenceNumber', # 0x187 'NtUserGetClipboardViewer', # 0x188 'NtUserGetClipCursor', # 0x189 'NtUserGetComboBoxInfo', # 0x18a 'NtUserGetControlBrush', # 0x18b 'NtUserGetControlColor', # 0x18c 'NtUserGetCPD', # 0x18d 'NtUserGetCursorFrameInfo', # 0x18e 'NtUserGetCursorInfo', # 0x18f 'NtUserGetDC', # 0x190 'NtUserGetDCEx', # 0x191 'NtUserGetDoubleClickTime', # 0x192 'NtUserGetForegroundWindow', # 0x193 'NtUserGetGuiResources', # 0x194 'NtUserGetGUIThreadInfo', # 0x195 'NtUserGetIconInfo', # 0x196 'NtUserGetIconSize', # 0x197 'NtUserGetImeHotKey', # 0x198 'NtUserGetImeInfoEx', # 0x199 'NtUserGetInternalWindowPos', # 0x19a 'NtUserGetKeyboardLayoutList', # 0x19b 'NtUserGetKeyboardLayoutName', # 0x19c 'NtUserGetKeyboardState', # 0x19d 'NtUserGetKeyNameText', # 0x19e 'NtUserGetKeyState', # 0x19f 'NtUserGetListBoxInfo', # 0x1a0 'NtUserGetMenuBarInfo', # 0x1a1 'NtUserGetMenuIndex', # 0x1a2 'NtUserGetMenuItemRect', # 0x1a3 'NtUserGetMessage', # 
0x1a4 'NtUserGetMouseMovePointsEx', # 0x1a5 'NtUserGetObjectInformation', # 0x1a6 'NtUserGetOpenClipboardWindow', # 0x1a7 'NtUserGetPriorityClipboardFormat', # 0x1a8 'NtUserGetProcessWindowStation', # 0x1a9 'NtUserGetRawInputBuffer', # 0x1aa 'NtUserGetRawInputData', # 0x1ab 'NtUserGetRawInputDeviceInfo', # 0x1ac 'NtUserGetRawInputDeviceList', # 0x1ad 'NtUserGetRegisteredRawInputDevices', # 0x1ae 'NtUserGetScrollBarInfo', # 0x1af 'NtUserGetSystemMenu', # 0x1b0 'NtUserGetThreadDesktop', # 0x1b1 'NtUserGetThreadState', # 0x1b2 'NtUserGetTitleBarInfo', # 0x1b3 'NtUserGetUpdateRect', # 0x1b4 'NtUserGetUpdateRgn', # 0x1b5 'NtUserGetWindowDC', # 0x1b6 'NtUserGetWindowPlacement', # 0x1b7 'NtUserGetWOWClass', # 0x1b8 'NtUserHardErrorControl', # 0x1b9 'NtUserHideCaret', # 0x1ba 'NtUserHiliteMenuItem', # 0x1bb 'NtUserImpersonateDdeClientWindow', # 0x1bc 'NtUserInitialize', # 0x1bd 'NtUserInitializeClientPfnArrays', # 0x1be 'NtUserInitTask', # 0x1bf 'NtUserInternalGetWindowText', # 0x1c0 'NtUserInvalidateRect', # 0x1c1 'NtUserInvalidateRgn', # 0x1c2 'NtUserIsClipboardFormatAvailable', # 0x1c3 'NtUserKillTimer', # 0x1c4 'NtUserLoadKeyboardLayoutEx', # 0x1c5 'NtUserLockWindowStation', # 0x1c6 'NtUserLockWindowUpdate', # 0x1c7 'NtUserLockWorkStation', # 0x1c8 'NtUserMapVirtualKeyEx', # 0x1c9 'NtUserMenuItemFromPoint', # 0x1ca 'NtUserMessageCall', # 0x1cb 'NtUserMinMaximize', # 0x1cc 'NtUserMNDragLeave', # 0x1cd 'NtUserMNDragOver', # 0x1ce 'NtUserModifyUserStartupInfoFlags', # 0x1cf 'NtUserMoveWindow', # 0x1d0 'NtUserNotifyIMEStatus', # 0x1d1 'NtUserNotifyProcessCreate', # 0x1d2 'NtUserNotifyWinEvent', # 0x1d3 'NtUserOpenClipboard', # 0x1d4 'NtUserOpenDesktop', # 0x1d5 'NtUserOpenInputDesktop', # 0x1d6 'NtUserOpenWindowStation', # 0x1d7 'NtUserPaintDesktop', # 0x1d8 'NtUserPeekMessage', # 0x1d9 'NtUserPostMessage', # 0x1da 'NtUserPostThreadMessage', # 0x1db 'NtUserPrintWindow', # 0x1dc 'NtUserProcessConnect', # 0x1dd 'NtUserQueryInformationThread', # 0x1de 
'NtUserQueryInputContext', # 0x1df 'NtUserQuerySendMessage', # 0x1e0 'NtUserQueryWindow', # 0x1e1 'NtUserRealChildWindowFromPoint', # 0x1e2 'NtUserRealInternalGetMessage', # 0x1e3 'NtUserRealWaitMessageEx', # 0x1e4 'NtUserRedrawWindow', # 0x1e5 'NtUserRegisterClassExWOW', # 0x1e6 'NtUserRegisterUserApiHook', # 0x1e7 'NtUserRegisterHotKey', # 0x1e8 'NtUserRegisterRawInputDevices', # 0x1e9 'NtUserRegisterTasklist', # 0x1ea 'NtUserRegisterWindowMessage', # 0x1eb 'NtUserRemoveMenu', # 0x1ec 'NtUserRemoveProp', # 0x1ed 'NtUserResolveDesktop', # 0x1ee 'NtUserResolveDesktopForWOW', # 0x1ef 'NtUserSBGetParms', # 0x1f0 'NtUserScrollDC', # 0x1f1 'NtUserScrollWindowEx', # 0x1f2 'NtUserSelectPalette', # 0x1f3 'NtUserSendInput', # 0x1f4 'NtUserSetActiveWindow', # 0x1f5 'NtUserSetAppImeLevel', # 0x1f6 'NtUserSetCapture', # 0x1f7 'NtUserSetClassLong', # 0x1f8 'NtUserSetClassWord', # 0x1f9 'NtUserSetClipboardData', # 0x1fa 'NtUserSetClipboardViewer', # 0x1fb 'NtUserSetConsoleReserveKeys', # 0x1fc 'NtUserSetCursor', # 0x1fd 'NtUserSetCursorContents', # 0x1fe 'NtUserSetCursorIconData', # 0x1ff 'NtUserSetFocus', # 0x200 'NtUserSetImeHotKey', # 0x201 'NtUserSetImeInfoEx', # 0x202 'NtUserSetImeOwnerWindow', # 0x203 'NtUserSetInformationProcess', # 0x204 'NtUserSetInformationThread', # 0x205 'NtUserSetInternalWindowPos', # 0x206 'NtUserSetKeyboardState', # 0x207 'NtUserSetLogonNotifyWindow', # 0x208 'NtUserSetMenu', # 0x209 'NtUserSetMenuContextHelpId', # 0x20a 'NtUserSetMenuDefaultItem', # 0x20b 'NtUserSetMenuFlagRtoL', # 0x20c 'NtUserSetObjectInformation', # 0x20d 'NtUserSetParent', # 0x20e 'NtUserSetProcessWindowStation', # 0x20f 'NtUserSetProp', # 0x210 'NtUserSetScrollInfo', # 0x211 'NtUserSetShellWindowEx', # 0x212 'NtUserSetSysColors', # 0x213 'NtUserSetSystemCursor', # 0x214 'NtUserSetSystemMenu', # 0x215 'NtUserSetSystemTimer', # 0x216 'NtUserSetThreadDesktop', # 0x217 'NtUserSetThreadLayoutHandles', # 0x218 'NtUserSetThreadState', # 0x219 'NtUserSetTimer', # 0x21a 
'NtUserSetWindowFNID', # 0x21b 'NtUserSetWindowLong', # 0x21c 'NtUserSetWindowPlacement', # 0x21d 'NtUserSetWindowPos', # 0x21e 'NtUserSetWindowRgn', # 0x21f 'NtUserSetWindowsHookAW', # 0x220 'NtUserSetWindowsHookEx', # 0x221 'NtUserSetWindowStationUser', # 0x222 'NtUserSetWindowWord', # 0x223 'NtUserSetWinEventHook', # 0x224 'NtUserShowCaret', # 0x225 'NtUserShowScrollBar', # 0x226 'NtUserShowWindow', # 0x227 'NtUserShowWindowAsync', # 0x228 'NtUserSoundSentry', # 0x229 'NtUserSwitchDesktop', # 0x22a 'NtUserSystemParametersInfo', # 0x22b 'NtUserTestForInteractiveUser', # 0x22c 'NtUserThunkedMenuInfo', # 0x22d 'NtUserThunkedMenuItemInfo', # 0x22e 'NtUserToUnicodeEx', # 0x22f 'NtUserTrackMouseEvent', # 0x230 'NtUserTrackPopupMenuEx', # 0x231 'NtUserCalcMenuBar', # 0x232 'NtUserPaintMenuBar', # 0x233 'NtUserTranslateAccelerator', # 0x234 'NtUserTranslateMessage', # 0x235 'NtUserUnhookWindowsHookEx', # 0x236 'NtUserUnhookWinEvent', # 0x237 'NtUserUnloadKeyboardLayout', # 0x238 'NtUserUnlockWindowStation', # 0x239 'NtUserUnregisterClass', # 0x23a 'NtUserUnregisterUserApiHook', # 0x23b 'NtUserUnregisterHotKey', # 0x23c 'NtUserUpdateInputContext', # 0x23d 'NtUserUpdateInstance', # 0x23e 'NtUserUpdateLayeredWindow', # 0x23f 'NtUserGetLayeredWindowAttributes', # 0x240 'NtUserSetLayeredWindowAttributes', # 0x241 'NtUserUpdatePerUserSystemParameters', # 0x242 'NtUserUserHandleGrantAccess', # 0x243 'NtUserValidateHandleSecure', # 0x244 'NtUserValidateRect', # 0x245 'NtUserValidateTimerCallback', # 0x246 'NtUserVkKeyScanEx', # 0x247 'NtUserWaitForInputIdle', # 0x248 'NtUserWaitForMsgAndEvent', # 0x249 'NtUserWaitMessage', # 0x24a 'NtUserWin32PoolAllocationStats', # 0x24b 'NtUserWindowFromPoint', # 0x24c 'NtUserYieldTask', # 0x24d 'NtUserRemoteConnect', # 0x24e 'NtUserRemoteRedrawRectangle', # 0x24f 'NtUserRemoteRedrawScreen', # 0x250 'NtUserRemoteStopScreenUpdates', # 0x251 'NtUserCtxDisplayIOCtl', # 0x252 'NtGdiEngAssociateSurface', # 0x253 'NtGdiEngCreateBitmap', # 0x254 
'NtGdiEngCreateDeviceSurface', # 0x255 'NtGdiEngCreateDeviceBitmap', # 0x256 'NtGdiEngCreatePalette', # 0x257 'NtGdiEngComputeGlyphSet', # 0x258 'NtGdiEngCopyBits', # 0x259 'NtGdiEngDeletePalette', # 0x25a 'NtGdiEngDeleteSurface', # 0x25b 'NtGdiEngEraseSurface', # 0x25c 'NtGdiEngUnlockSurface', # 0x25d 'NtGdiEngLockSurface', # 0x25e 'NtGdiEngBitBlt', # 0x25f 'NtGdiEngStretchBlt', # 0x260 'NtGdiEngPlgBlt', # 0x261 'NtGdiEngMarkBandingSurface', # 0x262 'NtGdiEngStrokePath', # 0x263 'NtGdiEngFillPath', # 0x264 'NtGdiEngStrokeAndFillPath', # 0x265 'NtGdiEngPaint', # 0x266 'NtGdiEngLineTo', # 0x267 'NtGdiEngAlphaBlend', # 0x268 'NtGdiEngGradientFill', # 0x269 'NtGdiEngTransparentBlt', # 0x26a 'NtGdiEngTextOut', # 0x26b 'NtGdiEngStretchBltROP', # 0x26c 'NtGdiXLATEOBJ_cGetPalette', # 0x26d 'NtGdiXLATEOBJ_iXlate', # 0x26e 'NtGdiXLATEOBJ_hGetColorTransform', # 0x26f 'NtGdiCLIPOBJ_bEnum', # 0x270 'NtGdiCLIPOBJ_cEnumStart', # 0x271 'NtGdiCLIPOBJ_ppoGetPath', # 0x272 'NtGdiEngDeletePath', # 0x273 'NtGdiEngCreateClip', # 0x274 'NtGdiEngDeleteClip', # 0x275 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x276 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x277 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x278 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x279 'NtGdiXFORMOBJ_bApplyXform', # 0x27a 'NtGdiXFORMOBJ_iGetXform', # 0x27b 'NtGdiFONTOBJ_vGetInfo', # 0x27c 'NtGdiFONTOBJ_pxoGetXform', # 0x27d 'NtGdiFONTOBJ_cGetGlyphs', # 0x27e 'NtGdiFONTOBJ_pifi', # 0x27f 'NtGdiFONTOBJ_pfdg', # 0x280 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x281 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x282 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x283 'NtGdiSTROBJ_bEnum', # 0x284 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x285 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x286 'NtGdiSTROBJ_vEnumStart', # 0x287 'NtGdiSTROBJ_dwGetCodePage', # 0x288 'NtGdiPATHOBJ_vGetBounds', # 0x289 'NtGdiPATHOBJ_bEnum', # 0x28a 'NtGdiPATHOBJ_vEnumStart', # 0x28b 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x28c 'NtGdiPATHOBJ_bEnumClipLines', # 0x28d 'NtGdiGetDhpdev', # 0x28e 'NtGdiEngCheckAbort', # 
0x28f 'NtGdiHT_Get8BPPFormatPalette', # 0x290 'NtGdiHT_Get8BPPMaskPalette', # 0x291 'NtGdiUpdateTransform', # 0x292 'NtGdiSetPUMPDOBJ', # 0x293 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x294 'NtGdiUMPDEngFreeUserMem', # 0x295 'NtGdiDrawStream', # 0x296 'NtGdiMakeObjectXferable', # 0x297 'DxEngGetRedirectionBitmap', # 0x298 ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win81_u1_x86_vtypes.py0000644000000000000000000221566213131215405030436 0ustar rootrootntkrpamp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'Reserved2' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 
'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'Reserved12' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned 
long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrement32' : [ 0x368, ['unsigned long']], 'QpcInterruptTimeIncrement32' : [ 0x36c, ['unsigned long']], 'QpcSystemTimeIncrementShift' : [ 0x370, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x371, ['unsigned char']], 'UnparkedProcessorCount' : [ 0x372, ['unsigned short']], 'Reserved8' : [ 0x374, ['array', 12, ['unsigned char']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, 
['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_107c' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_107c']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1080' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1080']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_109b' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109d' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_109b']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 
'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_109d']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TEB' : [ 0xfe8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 
'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'PerflibData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', 
['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', 
dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['pointer', ['void']]], 'ReservedForWdf' : [ 0xfe4, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0xc, { 'Parent' : [ 0x0, ['pointer', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : 
[ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_BALANCED_NODE' : [ 0xc, { 'Children' : [ 0x0, ['array', 2, ['pointer', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x8, ['unsigned long']], } ], '_RTL_RB_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_RTL_AVL_TREE' : [ 0x4, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' 
: [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x47d8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'MxCsr' : [ 0x8, ['unsigned long']], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x46b8, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 
'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : [ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'ParentNode' : [ 0x338, ['pointer', ['_KNODE']]], 'PriorityState' : [ 0x33c, ['pointer', ['unsigned char']]], 'KernelReserved' : [ 0x340, ['array', 14, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'CpuVendor' : [ 0x3be, ['unsigned char']], 'PrcbPad0' : [ 0x3bf, ['array', 1, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'GroupIndex' : [ 0x3c4, ['unsigned char']], 'Group' : [ 0x3c5, ['unsigned char']], 'PrcbPad05' : [ 0x3c6, ['array', 2, ['unsigned char']]], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, ['unsigned long']], 'ClockOwner' : [ 0x3d0, ['unsigned char']], 'PendingTickFlags' : [ 0x3d1, ['unsigned char']], 'PendingTick' : [ 0x3d1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x3d1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'PrcbPad10' : [ 0x3d2, ['array', 70, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'InterruptCount' : [ 0x4a0, ['unsigned long']], 'KernelTime' : [ 0x4a4, ['unsigned long']], 'UserTime' : [ 0x4a8, ['unsigned long']], 'DpcTime' : [ 0x4ac, ['unsigned long']], 'DpcTimeCount' : [ 0x4b0, ['unsigned long']], 'InterruptTime' : [ 0x4b4, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4b8, ['unsigned long']], 'PageColor' : [ 0x4bc, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c0, ['unsigned char']], 'NodeColor' : [ 0x4c1, ['unsigned char']], 'PrcbPad20' : [ 
0x4c2, ['array', 6, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'SecondaryColorMask' : [ 0x4cc, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d0, ['unsigned long']], 'PrcbPad21' : [ 0x4d4, ['array', 3, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' : [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x520, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, ['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, ['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : [ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x570, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x574, 
['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, ['unsigned long']]], 'PPLookasideList' : [ 0x5a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1820, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2120, ['unsigned long']], 'ReverseStall' : [ 0x2124, ['long']], 'IpiFrame' : [ 0x2128, ['pointer', ['void']]], 'PrcbPad3' : [ 0x212c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x2160, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x216c, ['unsigned long']], 'WorkerRoutine' : [ 0x2170, ['pointer', ['void']]], 'IpiFrozen' : [ 0x2174, ['unsigned long']], 'PrcbPad4' : [ 0x2178, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x21a0, ['unsigned long']], 'SignalDone' : [ 0x21a4, ['pointer', ['_KPRCB']]], 'PrcbPad50' : [ 0x21a8, ['array', 40, ['unsigned char']]], 'InterruptLastCount' : [ 0x21d0, ['unsigned long']], 'InterruptRate' : [ 0x21d4, ['unsigned long']], 'DeviceInterrupts' : [ 0x21d8, ['unsigned long']], 'IsrDpcStats' : [ 0x21dc, ['pointer', ['void']]], 'DpcData' : [ 0x21e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2210, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2214, ['long']], 'DpcRequestRate' : [ 0x2218, ['unsigned long']], 'MinimumDpcRate' : [ 0x221c, ['unsigned long']], 'DpcLastCount' : [ 0x2220, ['unsigned long']], 'PrcbLock' : [ 0x2224, ['unsigned long']], 'DpcGate' : [ 0x2228, ['_KGATE']], 'ThreadDpcEnable' 
: [ 0x2238, ['unsigned char']], 'QuantumEnd' : [ 0x2239, ['unsigned char']], 'DpcRoutineActive' : [ 0x223a, ['unsigned char']], 'IdleSchedule' : [ 0x223b, ['unsigned char']], 'DpcRequestSummary' : [ 0x223c, ['long']], 'DpcRequestSlot' : [ 0x223c, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x223c, ['short']], 'ThreadDpcState' : [ 0x223e, ['short']], 'DpcNormalProcessingActive' : [ 0x223c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x223c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x223c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x223c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x223c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x223c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x223c, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x223c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x223c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x223c, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2240, ['unsigned long']], 'LastTick' : [ 0x2244, ['unsigned long']], 'PeriodicCount' : [ 0x2248, ['unsigned long']], 'PeriodicBias' : [ 0x224c, ['unsigned long']], 'ClockInterrupts' : [ 0x2250, ['unsigned long']], 'ReadyScanTick' : [ 0x2254, ['unsigned long']], 'GroupSchedulingOverQuota' : [ 0x2258, ['unsigned char']], 'PrcbPad41' : [ 0x2259, ['array', 3, ['unsigned char']]], 'TimerTable' : [ 0x2260, ['_KTIMER_TABLE']], 'CallDpc' : [ 0x3aa0, ['_KDPC']], 'ClockKeepAlive' : [ 
0x3ac0, ['long']], 'PrcbPad6' : [ 0x3ac4, ['array', 4, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x3ac8, ['long']], 'DpcWatchdogCount' : [ 0x3acc, ['long']], 'KeSpinLockOrdering' : [ 0x3ad0, ['long']], 'PrcbPad70' : [ 0x3ad4, ['array', 1, ['unsigned long']]], 'QueueIndex' : [ 0x3ad8, ['unsigned long']], 'DeferredReadyListHead' : [ 0x3adc, ['_SINGLE_LIST_ENTRY']], 'ReadySummary' : [ 0x3ae0, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x3ae4, ['long']], 'WaitLock' : [ 0x3ae8, ['unsigned long']], 'WaitListHead' : [ 0x3aec, ['_LIST_ENTRY']], 'ScbOffset' : [ 0x3af4, ['unsigned long']], 'StartCycles' : [ 0x3af8, ['unsigned long long']], 'GenerationTarget' : [ 0x3b00, ['unsigned long long']], 'CycleTime' : [ 0x3b08, ['unsigned long long']], 'AffinitizedCycles' : [ 0x3b10, ['unsigned long long']], 'HighCycleTime' : [ 0x3b18, ['unsigned long']], 'PrcbPad71' : [ 0x3b1c, ['unsigned long']], 'DispatcherReadyListHead' : [ 0x3b20, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3c20, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3c24, ['long']], 'ScbQueue' : [ 0x3c28, ['_RTL_RB_TREE']], 'ScbList' : [ 0x3c30, ['_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x3c38, ['long']], 'MmCopyOnWriteCount' : [ 0x3c3c, ['long']], 'MmTransitionCount' : [ 0x3c40, ['long']], 'MmCacheTransitionCount' : [ 0x3c44, ['long']], 'MmDemandZeroCount' : [ 0x3c48, ['long']], 'MmPageReadCount' : [ 0x3c4c, ['long']], 'MmPageReadIoCount' : [ 0x3c50, ['long']], 'MmCacheReadCount' : [ 0x3c54, ['long']], 'MmCacheIoCount' : [ 0x3c58, ['long']], 'MmDirtyPagesWriteCount' : [ 0x3c5c, ['long']], 'MmDirtyWriteIoCount' : [ 0x3c60, ['long']], 'MmMappedPagesWriteCount' : [ 0x3c64, ['long']], 'MmMappedWriteIoCount' : [ 0x3c68, ['long']], 'CachedCommit' : [ 0x3c6c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3c70, ['unsigned long']], 'HyperPte' : [ 0x3c74, ['pointer', ['void']]], 'PrcbPad8' : [ 0x3c78, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x3c7c, ['array', 13, ['unsigned 
char']]], 'InitialApicId' : [ 0x3c89, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x3c8a, ['unsigned char']], 'PrcbPad9' : [ 0x3c8b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x3c90, ['unsigned long']], 'UpdateSignature' : [ 0x3c98, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3ca0, ['unsigned long long']], 'PrcbPad90' : [ 0x3ca8, ['array', 2, ['unsigned long']]], 'PowerState' : [ 0x3cb0, ['_PROCESSOR_POWER_STATE']], 'PrcbPad91' : [ 0x3e40, ['array', 13, ['unsigned long']]], 'DpcWatchdogDpc' : [ 0x3e74, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3e98, ['_KTIMER']], 'HypercallPageList' : [ 0x3ec0, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x3ec8, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x3ecc, ['pointer', ['void']]], 'StatisticsPage' : [ 0x3ed0, ['pointer', ['unsigned long long']]], 'Cache' : [ 0x3ed4, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3f10, ['unsigned long']], 'PackageProcessorSet' : [ 0x3f14, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x3f20, ['unsigned long']], 'SharedReadyQueue' : [ 0x3f24, ['pointer', ['_KSHARED_READY_QUEUE']]], 'CoreProcessorSet' : [ 0x3f28, ['unsigned long']], 'ScanSiblingMask' : [ 0x3f2c, ['unsigned long']], 'LLCMask' : [ 0x3f30, ['unsigned long']], 'CacheProcessorMask' : [ 0x3f34, ['array', 5, ['unsigned long']]], 'ScanSiblingIndex' : [ 0x3f48, ['unsigned long']], 'WheaInfo' : [ 0x3f4c, ['pointer', ['void']]], 'EtwSupport' : [ 0x3f50, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x3f58, ['_SLIST_HEADER']], 'SharedReadyQueueOffset' : [ 0x3f60, ['unsigned long']], 'PrcbPad92' : [ 0x3f64, ['array', 2, ['unsigned long']]], 'PteBitCache' : [ 0x3f6c, ['unsigned long']], 'PteBitOffset' : [ 0x3f70, ['unsigned long']], 'PrcbPad93' : [ 0x3f74, ['unsigned long']], 'ProcessorProfileControlArea' : [ 0x3f78, ['pointer', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x3f7c, ['pointer', ['void']]], 'TimerExpirationDpc' : [ 0x3f80, ['_KDPC']], 'SynchCounters' : [ 0x3fa0, 
['_SYNCH_COUNTERS']], 'FsCounters' : [ 0x4058, ['_FILESYSTEM_DISK_COUNTERS']], 'Context' : [ 0x4068, ['pointer', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x406c, ['unsigned long']], 'ExtendedState' : [ 0x4070, ['pointer', ['_XSAVE_AREA']]], 'EntropyTimingState' : [ 0x4074, ['_KENTROPY_TIMING_STATE']], 'IsrStack' : [ 0x419c, ['pointer', ['void']]], 'VectorToInterruptObject' : [ 0x41a0, ['array', 208, ['pointer', ['_KINTERRUPT']]]], 'AbSelfIoBoostsList' : [ 0x44e0, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x44e4, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x44e8, ['_KDPC']], 'IoIrpStackProfilerCurrent' : [ 0x4508, ['_IOP_IRP_STACK_PROFILER']], 'IoIrpStackProfilerPrevious' : [ 0x455c, ['_IOP_IRP_STACK_PROFILER']], 'TimerExpirationTrace' : [ 0x45b0, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : [ 0x46b0, ['unsigned long']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'Reserved' : [ 0x14, ['array', 3, ['pointer', ['void']]]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, 
['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_KTHREAD' : [ 0x338, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x10, ['pointer', ['void']]], 'QuantumTarget' : [ 0x18, ['unsigned long long']], 'InitialStack' : [ 0x20, ['pointer', ['void']]], 'StackLimit' : [ 0x24, ['pointer', ['void']]], 'StackBase' : [ 0x28, ['pointer', ['void']]], 'ThreadLock' : [ 0x2c, ['unsigned long']], 'CycleTime' : [ 0x30, ['unsigned long long']], 'HighCycleTime' : [ 0x38, ['unsigned long']], 'ServiceTable' : [ 0x3c, ['pointer', ['void']]], 'CurrentRunTime' : [ 0x40, ['unsigned long']], 'ExpectedRunTime' : [ 0x44, ['unsigned long']], 'KernelStack' : [ 0x48, ['pointer', ['void']]], 'StateSaveArea' : [ 0x4c, ['pointer', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x50, ['pointer', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x54, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x55, ['unsigned char']], 'Alerted' : [ 0x56, ['array', 2, ['unsigned char']]], 'SpareMiscFlag0' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x58, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x58, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x58, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x58, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x58, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x58, ['BitField', 
dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'TimerActive' : [ 0x58, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SystemThread' : [ 0x58, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x58, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'CalloutActive' : [ 0x58, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x58, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ApcQueueable' : [ 0x58, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x58, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x58, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ApcPendingReload' : [ 0x58, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'TimerSuspended' : [ 0x58, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'SuspendedWaitMode' : [ 0x58, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x58, ['long']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UserAffinitySet' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned long')]], 'GuiThread' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x5c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x5c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x5c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x5c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x5c, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x5c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'KernelStackResident' : [ 0x5c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x5c, ['BitField', dict(start_bit = 17, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags' : [ 0x5c, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x5c, ['long']], 'Spare0' : [ 0x60, ['unsigned long']], 'SystemCallNumber' : [ 0x64, ['unsigned long']], 'FirstArgument' : [ 0x68, ['pointer', ['void']]], 'TrapFrame' : [ 0x6c, ['pointer', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x70, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x70, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x87, ['unsigned char']], 'UserIdealProcessor' : [ 0x88, ['unsigned long']], 'ContextSwitches' : [ 0x8c, ['unsigned long']], 'State' : [ 0x90, ['unsigned char']], 'NpxState' : [ 0x91, 
['unsigned char']], 'WaitIrql' : [ 0x92, ['unsigned char']], 'WaitMode' : [ 0x93, ['unsigned char']], 'WaitStatus' : [ 0x94, ['long']], 'WaitBlockList' : [ 0x98, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x9c, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x9c, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa4, ['pointer', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xa8, ['pointer', ['void']]], 'RelativeTimerBias' : [ 0xb0, ['unsigned long long']], 'Timer' : [ 0xb8, ['_KTIMER']], 'WaitBlock' : [ 0xe0, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill8' : [ 0xe0, ['array', 20, ['unsigned char']]], 'ThreadCounters' : [ 0xf4, ['pointer', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0xe0, ['array', 44, ['unsigned char']]], 'XStateSave' : [ 0x10c, ['pointer', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0xe0, ['array', 68, ['unsigned char']]], 'Win32Thread' : [ 0x124, ['pointer', ['void']]], 'WaitBlockFill11' : [ 0xe0, ['array', 88, ['unsigned char']]], 'WaitTime' : [ 0x138, ['unsigned long']], 'KernelApcDisable' : [ 0x13c, ['short']], 'SpecialApcDisable' : [ 0x13e, ['short']], 'CombinedApcDisable' : [ 0x13c, ['unsigned long']], 'QueueListEntry' : [ 0x140, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x148, ['unsigned long']], 'NextProcessorNumber' : [ 0x148, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x148, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x14c, ['long']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'UserAffinity' : [ 0x154, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x154, ['array', 6, ['unsigned char']]], 'PreviousMode' : [ 0x15a, ['unsigned char']], 'BasePriority' : [ 0x15b, ['unsigned char']], 'PriorityDecrement' : [ 0x15c, ['unsigned char']], 'ForegroundBoost' : [ 0x15c, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x15c, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 
'Preempted' : [ 0x15d, ['unsigned char']], 'AdjustReason' : [ 0x15e, ['unsigned char']], 'AdjustIncrement' : [ 0x15f, ['unsigned char']], 'Affinity' : [ 0x160, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x160, ['array', 6, ['unsigned char']]], 'ApcStateIndex' : [ 0x166, ['unsigned char']], 'WaitBlockCount' : [ 0x167, ['unsigned char']], 'IdealProcessor' : [ 0x168, ['unsigned long']], 'ApcStatePointer' : [ 0x16c, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x174, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x174, ['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x18b, ['unsigned char']], 'SuspendCount' : [ 0x18c, ['unsigned char']], 'Saturation' : [ 0x18d, ['unsigned char']], 'SListFaultCount' : [ 0x18e, ['unsigned short']], 'SchedulerApc' : [ 0x190, ['_KAPC']], 'SchedulerApcFill0' : [ 0x190, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x191, ['unsigned char']], 'SchedulerApcFill1' : [ 0x190, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x193, ['unsigned char']], 'SchedulerApcFill2' : [ 0x190, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x194, ['unsigned long']], 'SchedulerApcFill3' : [ 0x190, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b4, ['pointer', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x190, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1b8, ['pointer', ['void']]], 'SchedulerApcFill5' : [ 0x190, ['array', 47, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x1bf, ['unsigned char']], 'UserTime' : [ 0x1c0, ['unsigned long']], 'SuspendEvent' : [ 0x1c4, ['_KEVENT']], 'ThreadListEntry' : [ 0x1d4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1dc, ['_LIST_ENTRY']], 'LockEntriesFreeList' : [ 0x1e4, ['_SINGLE_LIST_ENTRY']], 'LockEntries' : [ 0x1e8, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x308, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x30c, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x310, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x320, ['unsigned long']], 
'AbCompletedIoBoostCount' : [ 0x324, ['long']], 'AbReferenceCount' : [ 0x328, ['short']], 'AbFreeEntryCount' : [ 0x32a, ['unsigned char']], 'AbWaitEntryCount' : [ 0x32b, ['unsigned char']], 'ForegroundLossTime' : [ 0x32c, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x330, ['_LIST_ENTRY']], 'ForegroundDpcStackListEntry' : [ 0x330, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x334, ['unsigned long']], } ], '_KSTACK_CONTROL' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long']], 'ActualLimit' : [ 0x4, ['unsigned long']], 'StackExpansion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousTrapFrame' : [ 0x8, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0xc, ['pointer', ['void']]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'CpuId' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long 
long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer', ['void']]], 'DeleteContext' : [ 0xc, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 
'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0xc0, { 'DeepIdleSet' : [ 0x0, ['unsigned long']], 'SharedReadyQueueLeaders' : [ 0x4, ['unsigned long']], 'ProximityId' : [ 0x40, ['unsigned long']], 'NodeNumber' : [ 0x44, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x46, ['unsigned short']], 'MaximumProcessors' : [ 0x48, ['unsigned char']], 'Flags' : [ 0x49, ['_flags']], 'Stride' : [ 0x4a, ['unsigned char']], 'LowIndex' : [ 0x4b, ['unsigned char']], 'Affinity' : [ 0x4c, ['_GROUP_AFFINITY']], 'IdleCpuSet' : [ 0x58, ['unsigned long']], 'IdleSmtSet' : [ 0x5c, ['unsigned long']], 'NonParkedSet' : [ 0x80, ['unsigned long']], 'Seed' : [ 0x84, ['unsigned long']], 'Lowest' : [ 0x88, ['unsigned long']], 'Highest' : [ 0x8c, ['unsigned long']], 'ParkLock' : [ 0x90, ['long']], } ], '_ENODE' : [ 0x340, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueues' : [ 0xc0, ['array', 8, ['pointer', ['_EX_WORK_QUEUE']]]], 'ExWorkQueue' : [ 0xe0, ['_EX_WORK_QUEUE']], 'ExpThreadSetManagerEvent' : [ 0x298, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x2a8, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x2d0, ['_KEVENT']], 'WaitBlocks' : [ 0x2e0, ['array', 3, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x328, ['pointer', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 
0x32c, ['unsigned long']], 'ExWorkerFullInit' : [ 0x330, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x330, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x330, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x5c, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long']], 'QuotaProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'StrictFIFO' : [ 0x1c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x1c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x1c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x1c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x20, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x24, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x28, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x28, ['array', 20, ['unsigned char']]], 'DebugInfo' : [ 0x3c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'VolatileLowValue' : [ 0x0, ['long']], 'LowValue' : [ 0x0, ['long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'HighValue' : [ 0x4, ['long']], 'NextFreeHandleEntry' : [ 0x4, ['pointer', 
['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x4, ['_EXHANDLE']], 'GrantedAccessBits' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'ProtectFromClose' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'RefCnt' : [ 0x4, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '__unnamed_1301' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1301']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc4, { 'PrivilegesUsed' : [ 0x0, ['pointer', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 
'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xc0, ['unsigned char']], } ], '_ETHREAD' : [ 0x418, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x338, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x340, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x340, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x348, ['pointer', ['void']]], 'PostBlockList' : [ 0x34c, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x34c, ['pointer', ['void']]], 'StartAddress' : [ 0x350, ['pointer', ['void']]], 'TerminationPort' : [ 0x354, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x354, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x354, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x358, ['unsigned long']], 'ActiveTimerListHead' : [ 0x35c, ['_LIST_ENTRY']], 'Cid' : [ 0x364, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x36c, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x36c, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x380, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x384, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x38c, ['unsigned long']], 'DeviceToVerify' : [ 0x390, ['pointer', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x394, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x398, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x39c, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x3a4, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x3a8, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x3ac, ['unsigned long']], 'MmLockOrdering' : [ 0x3b0, ['long']], 'CmLockOrdering' : [ 0x3b4, ['long']], 'CrossThreadFlags' : [ 0x3b8, ['unsigned long']], 'Terminated' : [ 0x3b8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x3b8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : 
[ 0x3b8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x3b8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x3b8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x3b8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x3b8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x3b8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x3b8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x3b8, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x3b8, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x3b8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x3b8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x3b8, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x3bc, ['unsigned long']], 'ActiveExWorker' : [ 0x3bc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x3bc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ClonedThread' : [ 0x3bc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x3bc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SelfTerminate' : [ 0x3bc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x3c0, ['unsigned long']], 'HardFaultBehavior' : [ 0x3c0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x3c0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x3c0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x3c0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x3c0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x3c0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x3c0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x3c0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x3c1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x3c1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x3c1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x3c1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x3c1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x3c1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x3c1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x3c1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x3c2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x3c2, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x3c2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x3c2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x3c2, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare2' : [ 0x3c2, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x3c3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x3c3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'Spare3' : [ 0x3c3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x3c4, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x3c5, ['unsigned char']], 'ActiveFaultCount' : [ 0x3c6, ['unsigned char']], 'LockOrderState' : [ 0x3c7, ['unsigned char']], 'AlpcMessageId' : [ 0x3c8, ['unsigned long']], 'AlpcMessage' : [ 0x3cc, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x3cc, ['unsigned long']], 'ExitStatus' : [ 0x3d0, ['long']], 'AlpcWaitListEntry' : [ 0x3d4, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x3dc, ['unsigned long']], 'IoBoostCount' : [ 0x3e0, ['unsigned long']], 'BoostList' : [ 0x3e4, ['_LIST_ENTRY']], 'DeboostList' : [ 0x3ec, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x3f4, ['unsigned long']], 'IrpListLock' : [ 0x3f8, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x3fc, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x400, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x404, ['pointer', ['_GUID']]], 'SeLearningModeListHead' : [ 0x408, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x40c, ['pointer', ['void']]], 'KernelStackReference' : [ 0x410, ['unsigned long']], 'AdjustedClientToken' : [ 0x414, ['pointer', ['void']]], } ], '_EPROCESS' : [ 0x310, { 'Pcb' 
: [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xa0, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xa8, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xb0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'Flags2' : [ 0xc0, ['unsigned long']], 'JobNotReallyActive' : [ 0xc0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0xc0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0xc0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0xc0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0xc0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0xc0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0xc0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0xc0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0xc0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0xc0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0xc0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0xc0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0xc0, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0xc0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0xc0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0xc0, ['BitField', 
dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0xc0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0xc0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0xc0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0xc0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0xc0, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0xc0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0xc0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0xc0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0xc0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0xc0, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0xc0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0xc0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0xc4, ['unsigned long']], 'CreateReported' : [ 0xc4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0xc4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0xc4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0xc4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0xc4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned 
long')]], 'VmDeleted' : [ 0xc4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0xc4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0xc4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0xc4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0xc4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0xc4, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0xc4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0xc4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0xc4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0xc4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0xc4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0xc4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0xc4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0xc4, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0xc4, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0xc4, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0xc4, ['BitField', dict(start_bit = 24, end_bit 
= 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0xc4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0xc4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0xc4, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0xc4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0xc4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ProcessQuotaUsage' : [ 0xc8, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xd0, ['array', 2, ['unsigned long']]], 'PeakVirtualSize' : [ 0xd8, ['unsigned long']], 'VirtualSize' : [ 0xdc, ['unsigned long']], 'SessionProcessLinks' : [ 0xe0, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0xe8, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xe8, ['unsigned long']], 'ExceptionPortState' : [ 0xe8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Token' : [ 0xec, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xf0, ['unsigned long']], 'AddressCreationLock' : [ 0xf4, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0xf8, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0xfc, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0x100, ['pointer', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x104, ['pointer', ['_EJOB']]], 'CloneRoot' : [ 0x108, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x10c, ['unsigned long']], 'NumberOfLockedPages' : [ 0x110, ['unsigned long']], 'Win32Process' : [ 0x114, ['pointer', ['void']]], 'Job' : [ 0x118, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x11c, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x120, ['pointer', ['void']]], 'Cookie' : [ 0x124, ['unsigned long']], 'VdmObjects' : [ 0x128, ['pointer', ['void']]], 'WorkingSetWatch' : [ 0x12c, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x130, ['pointer', ['void']]], 
'InheritedFromUniqueProcessId' : [ 0x134, ['pointer', ['void']]], 'LdtInformation' : [ 0x138, ['pointer', ['void']]], 'OwnerProcessId' : [ 0x13c, ['unsigned long']], 'Peb' : [ 0x140, ['pointer', ['_PEB']]], 'Session' : [ 0x144, ['pointer', ['void']]], 'AweInfo' : [ 0x148, ['pointer', ['void']]], 'QuotaBlock' : [ 0x14c, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x150, ['pointer', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x154, ['pointer', ['void']]], 'PaeTop' : [ 0x158, ['pointer', ['void']]], 'DeviceMap' : [ 0x15c, ['pointer', ['void']]], 'EtwDataSource' : [ 0x160, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x168, ['unsigned long long']], 'ImageFileName' : [ 0x170, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x17f, ['unsigned char']], 'SecurityPort' : [ 0x180, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x184, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x188, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x190, ['pointer', ['void']]], 'ThreadListHead' : [ 0x194, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x19c, ['unsigned long']], 'ImagePathHash' : [ 0x1a0, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a4, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1a8, ['long']], 'PrefetchTrace' : [ 0x1ac, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x1b0, ['pointer', ['void']]], 'ReadOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1e0, ['_LARGE_INTEGER']], 'CommitCharge' : [ 0x1e8, ['unsigned long']], 'Vm' : [ 0x1ec, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x264, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x26c, ['unsigned long']], 'ExitStatus' : [ 0x270, ['long']], 'VadRoot' : [ 0x274, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x278, ['pointer', ['void']]], 'VadCount' : [ 0x27c, ['unsigned long']], 
'VadPhysicalPages' : [ 0x280, ['unsigned long']], 'VadPhysicalPagesLimit' : [ 0x284, ['unsigned long']], 'AlpcContext' : [ 0x288, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x298, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x2a0, ['pointer', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x2a4, ['unsigned long']], 'SmallestTimerResolution' : [ 0x2a8, ['unsigned long']], 'ExitTime' : [ 0x2b0, ['_LARGE_INTEGER']], 'ActiveThreadsHighWatermark' : [ 0x2b8, ['unsigned long']], 'LargePrivateVadCount' : [ 0x2bc, ['unsigned long']], 'ThreadListLock' : [ 0x2c0, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x2c4, ['pointer', ['void']]], 'Spare0' : [ 0x2c8, ['unsigned long']], 'SignatureLevel' : [ 0x2cc, ['unsigned char']], 'SectionSignatureLevel' : [ 0x2cd, ['unsigned char']], 'Protection' : [ 0x2ce, ['_PS_PROTECTION']], 'SpareByte20' : [ 0x2cf, ['array', 1, ['unsigned char']]], 'Flags3' : [ 0x2d0, ['unsigned long']], 'Minimal' : [ 0x2d0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SvmReserved' : [ 0x2d4, ['long']], 'SvmReserved1' : [ 0x2d8, ['pointer', ['void']]], 'SvmReserved2' : [ 0x2dc, ['unsigned long']], 'LastFreezeInterruptTime' : [ 0x2e0, ['unsigned long long']], 'DiskCounters' : [ 0x2e8, ['pointer', ['_PROCESS_DISK_COUNTERS']]], 'KeepAliveCounter' : [ 0x2ec, ['unsigned long']], 'NoWakeKeepAliveCounter' : [ 0x2f0, ['unsigned long']], 'DeepFreezeStartTime' : [ 0x2f8, ['unsigned long long']], 'CommitChargeLimit' : [ 0x300, ['unsigned long']], 'CommitChargePeak' : [ 0x304, ['unsigned long']], 'HighPriorityFaultsAllowed' : [ 0x308, ['unsigned long']], } ], '_KPROCESS' : [ 0xa0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'Affinity' : [ 0x38, 
['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x44, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x4c, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x50, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'AffinitySet' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='long')]], 'DeepFreeze' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x5c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReservedFlags' : [ 0x5c, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x5c, ['long']], 'BasePriority' : [ 0x60, ['unsigned char']], 'QuantumReset' : [ 0x61, ['unsigned char']], 'Visited' : [ 0x62, ['unsigned char']], 'Flags' : [ 0x63, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x64, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x68, ['array', 1, ['unsigned short']]], 'IdealGlobalNode' : [ 0x6a, ['unsigned short']], 'Spare1' : [ 0x6c, ['unsigned short']], 'IopmOffset' : [ 0x6e, ['unsigned short']], 'SchedulingGroup' : [ 0x70, ['pointer', ['_KSCHEDULING_GROUP']]], 'StackCount' : [ 0x74, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x78, ['_LIST_ENTRY']], 'CycleTime' : [ 0x80, ['unsigned long long']], 'ContextSwitches' : [ 0x88, ['unsigned long long']], 'FreezeCount' : [ 0x90, ['unsigned long']], 'KernelTime' : [ 0x94, ['unsigned long']], 'UserTime' : [ 0x98, ['unsigned long']], 'VdmTrapcHandler' : [ 0x9c, ['pointer', ['void']]], } ], '__unnamed_134d' : [ 0x4, { 'MasterIrp' 
: [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1353' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1355' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1353']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_1360' : [ 0x2c, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x28, ['pointer', ['void']]], } ], '__unnamed_1362' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_1360']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_134d']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_1355']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, 
['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_1362']], } ], '__unnamed_1369' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_136d' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1371' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_1373' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1377' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 
25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1379' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_137b' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 
'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], } ], '__unnamed_137d' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 
'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 
'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_137f' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1381' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1385' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMaximumInformation'})]], } ], '__unnamed_1387' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_138a' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_138c' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_138e' : [ 0x8, { 'SecurityInformation' : 
[ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_1390' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1394' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1398' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_139c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_13a0' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_13a4' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13a8' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_13ac' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_13ae' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_13b0' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_13b4' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_13b8' : [ 0x8, { 'DeviceTextType' : [ 0x0, 
['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_13bc' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_13c0' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_13c4' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_13cc' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_13d0' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_13d2' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13d4' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 
'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13d6' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_1369']], 'CreatePipe' : [ 0x0, ['__unnamed_136d']], 'CreateMailslot' : [ 0x0, ['__unnamed_1371']], 'Read' : [ 0x0, ['__unnamed_1373']], 'Write' : [ 0x0, ['__unnamed_1373']], 'QueryDirectory' : [ 0x0, ['__unnamed_1377']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1379']], 'QueryFile' : [ 0x0, ['__unnamed_137b']], 'SetFile' : [ 0x0, ['__unnamed_137d']], 'QueryEa' : [ 0x0, ['__unnamed_137f']], 'SetEa' : [ 0x0, ['__unnamed_1381']], 'QueryVolume' : [ 0x0, ['__unnamed_1385']], 'SetVolume' : [ 0x0, ['__unnamed_1385']], 'FileSystemControl' : [ 0x0, ['__unnamed_1387']], 'LockControl' : [ 0x0, ['__unnamed_138a']], 'DeviceIoControl' : [ 0x0, ['__unnamed_138c']], 'QuerySecurity' : [ 0x0, ['__unnamed_138e']], 'SetSecurity' : [ 0x0, ['__unnamed_1390']], 'MountVolume' : [ 0x0, ['__unnamed_1394']], 'VerifyVolume' : [ 0x0, ['__unnamed_1394']], 'Scsi' : [ 0x0, ['__unnamed_1398']], 'QueryQuota' : [ 0x0, ['__unnamed_139c']], 'SetQuota' : [ 0x0, ['__unnamed_1381']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_13a0']], 'QueryInterface' : [ 0x0, ['__unnamed_13a4']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_13a8']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_13ac']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_13ae']], 'SetLock' : [ 0x0, ['__unnamed_13b0']], 'QueryId' : [ 0x0, ['__unnamed_13b4']], 'QueryDeviceText' : [ 0x0, ['__unnamed_13b8']], 'UsageNotification' : [ 0x0, ['__unnamed_13bc']], 'WaitWake' : [ 0x0, ['__unnamed_13c0']], 'PowerSequence' : [ 0x0, ['__unnamed_13c4']], 'Power' : [ 0x0, ['__unnamed_13cc']], 'StartDevice' : [ 0x0, ['__unnamed_13d0']], 'WMI' : [ 0x0, ['__unnamed_13d2']], 'Others' : [ 0x0, ['__unnamed_13d4']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned 
char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_13d6']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_13ec' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_13ec']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x8, ['unsigned long']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 
'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x68, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer', 
['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x5c, ['pointer', ['void']]], 'UserContext' : [ 0x60, ['pointer', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' 
: [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 
'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 
'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], 'Oplock' : [ 0x3c, ['pointer', ['void']]], 'ReservedForRemote' : [ 0x3c, ['pointer', ['void']]], 'ReservedContext' : [ 0x40, ['pointer', ['void']]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '__unnamed_1578' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'HighLow' : [ 0x0, ['_MMPTE_HIGHLOW']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1578']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'ReservedLowFlags' : [ 0xe, ['unsigned char']], 'WaiterPriority' : [ 0xf, ['unsigned char']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 
'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '__unnamed_15ba' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_15bf' : [ 0x4, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'SpareBlink' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 31, native_type='unsigned long')]], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_15c2' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], 'VolatileShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_15c4' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_15c2']], } ], '__unnamed_15c8' : [ 0x4, { 'PteFrame' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireField' : [ 0x0, ['unsigned long']], } ], '_MMPFN' : [ 0x1c, { 'u1' : [ 0x0, ['__unnamed_15ba']], 'u2' : [ 0x4, ['__unnamed_15bf']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0x8, ['long']], 'PteLong' : [ 0x8, ['unsigned long']], 'u3' : [ 0xc, ['__unnamed_15c4']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'u4' : [ 0x18, ['__unnamed_15c8']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x38, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'BasePte' : [ 0x8, ['pointer', ['_MMPTE']]], 'Flags' : [ 0xc, ['unsigned long']], 'VaType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaPagedProtoPool', 15: 'MiVaMaximumType', 16: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'PteFailures' : [ 0x18, ['unsigned long']], 'SpinLock' : [ 0x1c, ['unsigned long']], 'GlobalMutex' : [ 0x1c, ['pointer', ['_FAST_MUTEX']]], 'Vm' : [ 0x20, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x24, ['unsigned long']], 'Hint' : [ 0x28, ['unsigned long']], 'CachedPtes' : [ 0x2c, ['pointer', ['_MI_CACHED_PTE']]], 'TotalFreeSystemPtes' : [ 0x30, ['unsigned long']], 'CachedPteCount' : [ 0x34, ['long']], } ], '__unnamed_15e8' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 
0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_15e8']], } ], '_MMWSL' : [ 0xe1c, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'LastInitializedWsle' : [ 0x10, ['unsigned long']], 'NextAgingSlot' : [ 0x14, ['unsigned long']], 'NextAccessClearingSlot' : [ 0x18, ['unsigned long']], 'LastAccessClearingRemainder' : [ 0x1c, ['unsigned long']], 'LastAgingRemainder' : [ 0x20, ['unsigned long']], 'WsleSize' : [ 0x24, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long']], 'LowestPagableAddress' : [ 0x2c, ['pointer', ['void']]], 'NonDirectHash' : [ 0x30, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x34, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x38, ['pointer', ['_MMWSLE_HASH']]], 'ActiveWsleCounts' : [ 0x3c, ['array', 16, ['unsigned long']]], 'ActiveWsles' : [ 0x7c, ['array', 16, ['_MI_ACTIVE_WSLE_LISTHEAD']]], 'Wsle' : [ 0xfc, ['pointer', ['_MMWSLE']]], 'UserVaInfo' : [ 0x100, ['_MI_USER_VA_INFO']], } ], '_MMSUPPORT' : [ 0x78, { 'ExitGate' : [ 0x0, ['pointer', ['_KGATE']]], 'AccessLog' : [ 0x4, ['pointer', ['void']]], 'WorkingSetMutex' : [ 0x8, ['_EX_PUSH_LOCK']], 'WorkingSetExpansionLinks' : [ 0xc, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x14, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x30, ['unsigned long']], 'WorkingSetLeafSize' : [ 0x34, ['unsigned long']], 'WorkingSetLeafPrivateSize' : [ 0x38, ['unsigned long']], 'WorkingSetSize' : [ 0x3c, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x40, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x44, ['unsigned long']], 'ChargedWslePages' : [ 0x48, ['unsigned long']], 'ActualWslePages' : [ 0x4c, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x50, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x54, ['unsigned long']], 
'HardFaultCount' : [ 0x58, ['unsigned long']], 'VmWorkingSetList' : [ 0x5c, ['pointer', ['_MMWSL']]], 'NextPageColor' : [ 0x60, ['unsigned short']], 'LastTrimStamp' : [ 0x62, ['unsigned short']], 'PageFaultCount' : [ 0x64, ['unsigned long']], 'TrimmedPageCount' : [ 0x68, ['unsigned long']], 'ForceTrimPages' : [ 0x6c, ['unsigned long']], 'Flags' : [ 0x70, ['_MMSUPPORT_FLAGS']], 'WsSwapSupport' : [ 0x74, ['pointer', ['void']]], } ], '__unnamed_1601' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_160b' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 28, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_160d' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_160b']], } ], '_CONTROL_AREA' : [ 0x50, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'ListHead' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_1601']], 'FilePointer' : [ 0x20, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x24, ['long']], 'ModifiedWriteCount' : [ 0x28, ['unsigned long']], 
'WaitList' : [ 0x2c, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x30, ['__unnamed_160d']], 'LockedPages' : [ 0x40, ['unsigned long long']], 'FileObjectLock' : [ 0x48, ['_EX_PUSH_LOCK']], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 0x0, ['unsigned long']], } ], '_MMPAGING_FILE' : [ 0x80, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'FreeReservationSpace' : [ 0x18, ['unsigned long']], 'LargestReserveCluster' : [ 0x1c, ['unsigned long']], 'File' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x24, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x30, ['_SLIST_HEADER']], 'PageFileName' : [ 0x38, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x40, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x44, ['unsigned long']], 'ReservationBitmapHint' : [ 0x48, ['unsigned long']], 'LargestNonReservedClusterSize' : [ 0x4c, ['unsigned long']], 'RefreshClusterSize' : [ 0x50, ['unsigned long']], 'LastRefreshClusterSize' : [ 0x54, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x58, ['unsigned long']], 'ToBeEvictedCount' : [ 0x5c, ['unsigned long']], 'HybridPriority' : [ 0x60, ['unsigned long']], 'PageFileNumber' : [ 0x64, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x64, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0x64, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'NoReservations' : [ 0x64, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 
'Spare0' : [ 0x64, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x66, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0x66, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x67, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0x68, ['unsigned long']], 'PageHashPagesPeak' : [ 0x6c, ['unsigned long']], 'PageHash' : [ 0x70, ['pointer', ['unsigned long']]], 'FileHandle' : [ 0x74, ['pointer', ['void']]], 'Lock' : [ 0x78, ['unsigned long']], 'LockOwner' : [ 0x7c, ['pointer', ['_ETHREAD']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x18, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x4, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0xc, ['_RTL_BITMAP']], 'EvictStoreBitmap' : [ 0x14, ['pointer', ['_RTL_BITMAP']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], 'tagSWITCH_CONTEXT' : [ 0x60, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '__unnamed_1657' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_165a' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 
'Handle' : [ 0x4, ['pointer', ['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_165c' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1660' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', ['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_1662' : [ 0x10, { 'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_1666' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_166a' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_166c' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x120, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned long']], 'RecoverableIndex' : [ 0x8, ['unsigned long']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_1657']]], 'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_1657']]], 'RegistryIO' : [ 0xcc, ['__unnamed_165a']], 'CheckRegistry2' : [ 0xd8, ['__unnamed_165c']], 'CheckKey' : [ 0xdc, ['__unnamed_1660']], 'CheckValueList' : [ 0xec, ['__unnamed_1662']], 'CheckHive' : [ 0xfc, ['__unnamed_1666']], 'CheckHive1' : [ 0x108, ['__unnamed_1666']], 'CheckBin' : [ 0x114, ['__unnamed_166a']], 'RecoverData' : [ 0x11c, ['__unnamed_166c']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 
'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xb8, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'ParkingStatus' : [ 0x78, ['unsigned long']], 'CurrentFrequency' : [ 0x7c, ['unsigned long']], 'PercentMaxFrequency' : [ 0x80, ['unsigned long']], 'StateFlags' : [ 0x84, ['unsigned long']], 'NominalThroughput' : [ 0x88, ['unsigned long']], 'ActiveThroughput' : [ 0x8c, ['unsigned long']], 'ScaledThroughput' : [ 0x90, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0x98, ['unsigned long long']], 'AverageIdleTime' : [ 0xa0, ['unsigned long long']], 'IdleBreakEvents' : [ 0xa8, ['unsigned long long']], 'PerformanceLimit' : [ 0xb0, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xb4, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 
0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 
'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0xc, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], } ], '_TEB32' : [ 0xfe8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 
'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 
0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 
3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], } ], '_TEB64' : [ 0x1820, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, 
['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'Padding1' : [ 0x2ec, ['array', 4, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 
'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 
'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, 
['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], } ], '__unnamed_16ef' : [ 0x10, { 'ReservedEax' : [ 0x0, ['unsigned long']], 'ReservedEbx' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'InitialApicId' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ReservedEcx' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HypervisorPresent' : [ 0x8, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_CPUID_RESULT' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'VersionAndFeatures' : [ 0x0, ['__unnamed_16ef']], 'HvVendorAndMaxFunction' : [ 0x0, ['_HV_VENDOR_AND_MAX_FUNCTION']], 'HvInterface' : [ 0x0, ['_HV_HYPERVISOR_INTERFACE_INFO']], 'MsHvVersion' : [ 0x0, ['_HV_HYPERVISOR_VERSION_INFO']], 'MsHvFeatures' : [ 0x0, ['_HV_HYPERVISOR_FEATURES']], 'MsHvEnlightenmentInformation' : [ 0x0, ['_HV_ENLIGHTENMENT_INFORMATION']], 'MsHvImplementationLimits' : [ 0x0, ['_HV_IMPLEMENTATION_LIMITS']], 'MsHvHardwareFeatures' : [ 0x0, ['_HV_HYPERVISOR_HARDWARE_FEATURES']], } ], '_HV_VENDOR_AND_MAX_FUNCTION' : [ 0x10, { 'MaxFunction' : [ 0x0, ['unsigned long']], 'VendorName' : [ 0x4, ['array', 12, ['unsigned char']]], } ], '_HV_HYPERVISOR_INTERFACE_INFO' : [ 0x10, { 'Interface' : [ 0x0, ['unsigned long']], 'ReservedEbx' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], 
'_HV_HYPERVISOR_VERSION_INFO' : [ 0x10, { 'BuildNumber' : [ 0x0, ['unsigned long']], 'MinorVersion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'MajorVersion' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ServicePack' : [ 0x8, ['unsigned long']], 'ServiceNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'ServiceBranch' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_HV_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long')]], } ], '_HV_HYPERVISOR_HARDWARE_FEATURES' : [ 0x10, { 'ApicOverlayAssistInUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MsrBitmapsInUse' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ArchitecturalPerformanceCountersInUse' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SecondLevelAddressTranslationInUse' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DmaRemappingInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'InterruptRemappingInUse' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'MemoryPatrolScrubberPresent' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'ReservedEbx' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_ENLIGHTENMENT_INFORMATION' : [ 0x10, { 'UseHypercallForAddressSpaceSwitch' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UseHypercallForLocalFlush' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UseHypercallForRemoteFlush' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UseApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UseMsrForReset' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UseRelaxedTiming' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UseDmaRemapping' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UseInterruptRemapping' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UseX2ApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeprecateAutoEoi' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'LongSpinWaitCount' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_IMPLEMENTATION_LIMITS' : [ 0x10, { 'MaxVirtualProcessorCount' : [ 0x0, ['unsigned long']], 'MaxLogicalProcessorCount' : [ 0x4, ['unsigned long']], 'MaxInterruptMappingCount' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeMsr' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicMsrs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerMsrs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessApicMsrs' 
: [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetMsr' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsMsr' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleMsr' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyMsrs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugMsrs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 
'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'EnableExpandedStackwalking' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x13c, { 'Lock' : [ 0x0, ['unsigned long']], 'ReadySummary' : [ 0x4, ['unsigned long']], 'ReadyListHead' : [ 0x8, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 
0x108, ['array', 32, ['unsigned char']]], 'Span' : [ 0x128, ['unsigned long']], 'LowProcIndex' : [ 0x12c, ['unsigned long']], 'QueueIndex' : [ 0x130, ['unsigned long']], 'ProcCount' : [ 0x134, ['unsigned long']], 'Affinity' : [ 0x138, ['unsigned long']], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x38, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x2c, ['pointer', ['unsigned long']]], 'EnableKeyWords' : [ 0x30, ['pointer', ['unsigned long long']]], 'EnableLevel' : [ 0x34, ['pointer', ['unsigned char']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x34, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, 
['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependencyNode' : [ 0x2c, ['pointer', ['void']]], 'VerifierContext' : [ 0x30, ['pointer', ['void']]], } ], '__unnamed_17f2' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_17f4' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_17f8' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x1cc, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'FxDevice' : [ 0x28, ['pointer', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x2c, ['long']], 'FxRemoveEvent' : [ 0x30, ['_KEVENT']], 'FxActivationCount' : [ 0x40, ['long']], 'FxSleepCount' : [ 0x44, ['long']], 'Plugin' : [ 0x48, ['pointer', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x4c, ['unsigned long']], 'CurrentPowerState' : [ 0x50, ['_POWER_STATE']], 'Notify' : [ 0x54, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x90, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0xa0, ['_UNICODE_STRING']], 'PowerFlags' : [ 0xa8, ['unsigned long']], 'State' : [ 0xac, ['Enumeration', dict(target = 'long', 
choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0xb0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0xb4, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 
'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x104, ['unsigned long']], 'CompletionStatus' : [ 0x108, ['long']], 'Flags' : [ 0x10c, ['unsigned long']], 'UserFlags' : [ 0x110, ['unsigned long']], 'Problem' : [ 0x114, ['unsigned long']], 'ProblemStatus' : [ 0x118, ['long']], 'ResourceList' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x120, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x124, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x128, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x130, ['unsigned long']], 'ChildInterfaceType' : [ 0x134, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x138, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x13c, ['unsigned short']], 'RemovalPolicy' : [ 0x13e, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x13f, ['unsigned char']], 'TargetDeviceNotify' : [ 0x140, ['_LIST_ENTRY']], 
'DeviceArbiterList' : [ 0x148, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x150, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x158, ['unsigned short']], 'QueryTranslatorMask' : [ 0x15a, ['unsigned short']], 'NoArbiterMask' : [ 0x15c, ['unsigned short']], 'QueryArbiterMask' : [ 0x15e, ['unsigned short']], 'OverUsed1' : [ 0x160, ['__unnamed_17f2']], 'OverUsed2' : [ 0x164, ['__unnamed_17f4']], 'BootResources' : [ 0x168, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x16c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x170, ['unsigned long']], 'DockInfo' : [ 0x174, ['__unnamed_17f8']], 'DisableableDepends' : [ 0x184, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x188, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x190, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x198, ['unsigned long']], 'PreviousParent' : [ 0x19c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x1a0, ['unsigned long']], 'NumaNodeIndex' : [ 0x1a4, ['unsigned long']], 'ContainerID' : [ 0x1a8, ['_GUID']], 'OverrideFlags' : [ 0x1b8, ['unsigned char']], 'DeviceIdsHash' : [ 0x1bc, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x1c0, ['unsigned char']], 'PendingEjectRelations' : [ 0x1c4, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x1c8, ['unsigned long']], } ], '_GROUP_AFFINITY' : [ 0xc, { 'Mask' : [ 0x0, ['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 
3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 
'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, 
['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, 
['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], 
'_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_18ac' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : 
[ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_18ac']], } ], '__unnamed_18b3' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 
'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_18b3']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PROCESSOR_POWER_STATE' : [ 0x190, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x4, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'Reserved' : [ 0x20, ['unsigned long long']], 'IdlePolicy' : [ 0x28, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x30, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x38, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xa0, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'LastSysTime' : [ 0xa4, ['unsigned long']], 'WmiDispatchPtr' : [ 0xa8, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xac, ['long']], 'FFHThrottleStateInfo' : [ 0xb0, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0xd0, ['_KDPC']], 'PerfActionMask' : [ 0xf0, ['long']], 'HvIdleCheck' : [ 0xf8, 
['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x108, ['_PROC_PERF_SNAP']], 'Domain' : [ 0x148, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x14c, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x150, ['pointer', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x154, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x158, ['pointer', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x15c, ['unsigned char']], 'HvTargetState' : [ 0x15d, ['unsigned char']], 'Parked' : [ 0x15e, ['unsigned char']], 'OverUtilized' : [ 0x15f, ['unsigned char']], 'LatestPerformancePercent' : [ 0x160, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x164, ['unsigned long']], 'ExpectedUtility' : [ 0x168, ['unsigned long']], 'Utility' : [ 0x16c, ['array', 3, ['_PROC_PERF_UTILITY']]], } ], '_PROC_PERF_UTILITY' : [ 0xc, { 'Affinitized' : [ 0x0, ['unsigned long']], 'Performance' : [ 0x4, ['unsigned long']], 'Total' : [ 0x8, ['unsigned long']], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CompleteIdleStatePending' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 
'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0x90, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x14, ['unsigned long']], 'LogHandleContext' : [ 0x18, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0x80, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x84, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0x88, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x170, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', 
['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', ['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'V1' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0xa0, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xb4, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd8, ['_LARGE_INTEGER']], 'Event' : [ 0xe0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xf0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xf8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x160, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x164, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x168, ['unsigned long']], 'WritesInProgress' : [ 0x16c, ['unsigned long']], } ], '__unnamed_1960' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_1960']], 'ArrayHead' : [ 0x10, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], 
'__unnamed_1981' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1983' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1985' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1987' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1989' : [ 0x1c, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x4, ['pointer', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x8, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x18, ['unsigned char']], } ], '__unnamed_198b' : [ 0x1c, { 'Read' : [ 0x0, ['__unnamed_1981']], 'Write' : [ 0x0, ['__unnamed_1983']], 'Event' : [ 0x0, ['__unnamed_1985']], 'Notification' : [ 0x0, ['__unnamed_1987']], 'LowPriWrite' : [ 0x0, ['__unnamed_1989']], } ], '_WORK_QUEUE_ENTRY' : [ 0x28, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_198b']], 'Function' : [ 0x24, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x18, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0x4, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x10, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x68, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x8, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0xc, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x18, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x40, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x44, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x48, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x50, ['pointer', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x54, ['unsigned long']], 'LastLWTimeStamp' : [ 0x58, ['_LARGE_INTEGER']], 'Flags' : [ 0x60, ['unsigned long']], } ], '_MBCB' : [ 0x88, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 
'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x68, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x248, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 
0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x58, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x5c, ['unsigned long']], 'Signature' : [ 0x60, ['unsigned long']], 'SegmentReserve' : [ 0x64, ['unsigned long']], 'SegmentCommit' : [ 0x68, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x6c, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x70, ['unsigned long']], 'TotalFreeSize' : [ 0x74, ['unsigned long']], 'MaximumAllocationSize' : [ 0x78, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x7c, ['unsigned short']], 'HeaderValidateLength' : [ 0x7e, ['unsigned short']], 'HeaderValidateCopy' : [ 0x80, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x84, ['unsigned short']], 'MaximumTagIndex' : [ 0x86, ['unsigned short']], 'TagEntries' : [ 0x88, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x8c, ['_LIST_ENTRY']], 'AlignRound' : [ 0x94, ['unsigned long']], 'AlignMask' : [ 0x98, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x9c, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa4, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xac, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb0, ['unsigned long']], 'BlocksIndex' : [ 0xb4, ['pointer', ['void']]], 'UCRIndex' : [ 0xb8, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xbc, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc0, ['_LIST_ENTRY']], 'LockVariable' : [ 0xc8, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xcc, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd0, ['pointer', ['void']]], 
'FrontHeapLockCount' : [ 0xd4, ['unsigned short']], 'FrontEndHeapType' : [ 0xd6, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0xd7, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0xd8, ['pointer', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0xdc, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0xde, ['array', 257, ['unsigned char']]], 'Counters' : [ 0x1e0, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x23c, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_19f6' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_19f6']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 
'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1a48' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1a4a' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a48']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1a4c' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1a4e' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1a4c']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1a4a']], 'u2' : [ 0x4, ['__unnamed_1a4e']], 'ClientId' : [ 0x8, 
['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x20, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1a6b' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1a6d' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1a6b']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1a6d']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Pad' : [ 0x10, ['unsigned long']], 'Lock' : [ 0x14, 
['_EX_PUSH_LOCK']], } ], '__unnamed_1a81' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a83' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a81']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_1a83']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_1a8c' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1a8e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a8c']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_1a8e']], 'NumberOfViews' : [ 0x1c, ['unsigned long']], 'ViewListHead' : [ 0x20, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x2c, ['pointer', ['_KALPC_VIEW']]], } ], '__unnamed_1a94' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1a96' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a94']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 
'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, ['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', ['void']]], 'u1' : [ 0x24, ['__unnamed_1a96']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x28, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x24, ['pointer', ['_KALPC_MESSAGE']]], } ], '__unnamed_1ab3' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 
0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1ab5' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1ab3']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x10c, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x5c, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x60, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x68, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0x70, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0x74, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0x7c, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0x80, ['_LIST_ENTRY']], 'Semaphore' : [ 0x88, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x88, ['pointer', ['_KEVENT']]], 'PortAttributes' : [ 0x8c, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0xc4, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0xc8, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0xcc, ['pointer', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0xd0, ['pointer', ['void']]], 'CanceledQueue' : [ 0xd4, ['_LIST_ENTRY']], 'SequenceNo' : [ 0xdc, ['long']], 
'ReferenceNo' : [ 0xe0, ['long']], 'ReferenceNoWait' : [ 0xe4, ['pointer', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0xe8, ['__unnamed_1ab5']], 'TargetQueuePort' : [ 0xec, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xf0, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0xf4, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xf8, ['unsigned long']], 'LargeMessageQueueLength' : [ 0xfc, ['unsigned long']], 'PendingQueueLength' : [ 0x100, ['unsigned long']], 'CanceledQueueLength' : [ 0x104, ['unsigned long']], 'WaitQueueLength' : [ 0x108, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x58, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'CompletionListLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x10, ['pointer', ['_MDL']]], 'UserVa' : [ 0x14, ['pointer', ['void']]], 'UserLimit' : [ 0x18, ['pointer', ['void']]], 'DataUserVa' : [ 0x1c, ['pointer', ['void']]], 'SystemVa' : [ 0x20, ['pointer', ['void']]], 'TotalSize' : [ 0x24, ['unsigned long']], 'Header' : [ 0x28, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x2c, ['pointer', ['void']]], 'ListSize' : [ 0x30, ['unsigned long']], 'Bitmap' : [ 0x34, ['pointer', ['void']]], 'BitmapSize' : [ 0x38, ['unsigned long']], 'Data' : [ 0x3c, ['pointer', ['void']]], 'DataSize' : [ 0x40, ['unsigned long']], 'BitmapLimit' : [ 0x44, ['unsigned long']], 'BitmapNextHint' : [ 0x48, ['unsigned long']], 'ConcurrencyCount' : [ 0x4c, ['unsigned long']], 'AttributeFlags' : [ 0x50, ['unsigned long']], 'AttributeSize' : [ 0x54, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x90, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : 
[ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'Key' : [ 0x84, ['unsigned long']], 'CallbackList' : [ 0x88, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x14, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x10, ['long']], } ], '__unnamed_1ad9' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1adb' : [ 0x4, { 's1' : [ 0x0, 
['__unnamed_1ad9']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x88, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'u1' : [ 0x14, ['__unnamed_1adb']], 'SequenceNo' : [ 0x18, ['long']], 'QuotaProcess' : [ 0x1c, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x1c, ['pointer', ['void']]], 'CancelSequencePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x24, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x28, ['long']], 'CancelListEntry' : [ 0x2c, ['_LIST_ENTRY']], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x38, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x54, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x58, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x5c, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x60, ['pointer', ['_ETHREAD']]], 'WakeReference' : [ 0x64, ['pointer', ['void']]], 'ExtensionBuffer' : [ 0x68, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0x6c, ['unsigned long']], 'PortMessage' : [ 0x70, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'Flags' : [ 0x14, ['unsigned long']], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], 'SignalCompletion' : [ 0x1e, ['unsigned char']], 'PostedToCompletionList' : [ 0x1f, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 
'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x20, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1b1c' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1b1e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b1c']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1b1e']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 'IoStatusInformation' : [ 0x18, ['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x24, { 'ExtensionFlags' : [ 0x0, 
['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'TimeStamped' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer', ['void']]], 'ActivityId' : [ 0xc, ['_GUID']], 'Timestamp' : [ 0x1c, ['_LARGE_INTEGER']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, 
['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x24, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 7, ['pointer', ['void']]]], 'FoIoPriorityHint' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x4c, ['pointer', ['void']]], 'Override' : [ 0x50, ['unsigned char']], 'QueryOnly' : [ 0x51, ['unsigned char']], 'DeleteOnly' : [ 0x52, ['unsigned char']], 'FullAttributes' : [ 0x53, ['unsigned char']], 'LocalFileObject' : [ 0x54, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x58, ['unsigned long']], 'AccessMode' : [ 0x5c, ['unsigned 
char']], 'DriverCreateContext' : [ 0x60, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1be3' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x110, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1be3']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer', ['unsigned short']]], 'LogFileName' : [ 0x3c, ['pointer', ['unsigned short']]], 'TimeZone' : [ 0x40, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf0, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0xf8, ['_LARGE_INTEGER']], 'StartTime' : [ 0x100, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x108, ['unsigned long']], 'BuffersLost' : [ 0x10c, ['unsigned 
long']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x278, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 1, ['unsigned long']]], 'ErrorMarker' : [ 0x18, ['unsigned long']], 'SizeMask' : [ 0x1c, ['unsigned long']], 'GetCpuClock' : [ 0x20, ['pointer', ['void']]], 'LoggerThread' : [ 0x24, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x28, ['long']], 'FailureReason' : [ 0x2c, ['unsigned long']], 'BufferQueue' : [ 0x30, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x3c, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x48, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x50, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x58, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x58, ['_EX_FAST_REF']], 'LoggerName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFileName' : [ 0x64, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x6c, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x74, ['_UNICODE_STRING']], 'ClockType' : [ 0x7c, ['unsigned long']], 'LastFlushedBuffer' : [ 0x80, ['unsigned long']], 'FlushTimer' : [ 0x84, ['unsigned long']], 'FlushThreshold' : [ 0x88, ['unsigned long']], 'ByteOffset' : [ 0x90, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x98, ['unsigned long']], 'BuffersAvailable' : [ 0x9c, ['long']], 'NumberOfBuffers' : [ 0xa0, ['long']], 'MaximumBuffers' : [ 0xa4, ['unsigned long']], 'EventsLost' : [ 0xa8, ['unsigned long']], 'PeakBuffersCount' : [ 0xac, ['long']], 'BuffersWritten' : [ 0xb0, ['unsigned long']], 'LogBuffersLost' : [ 0xb4, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xb8, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xbc, ['unsigned long']], 'SequencePtr' : [ 0xc0, ['pointer', ['long']]], 'LocalSequence' : [ 0xc4, ['unsigned long']], 'InstanceGuid' : [ 0xc8, ['_GUID']], 'MaximumFileSize' : [ 0xd8, ['unsigned long']], 'FileCounter' : [ 0xdc, ['long']], 'PoolType' : [ 0xe0, 
['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xe8, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0xf8, ['long']], 'ProviderInfoSize' : [ 0xfc, ['unsigned long']], 'Consumers' : [ 0x100, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x108, ['unsigned long']], 'TransitionConsumer' : [ 0x10c, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x110, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x114, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x120, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x128, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x130, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x138, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x140, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x148, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x150, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x160, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x164, ['_KEVENT']], 'FlushEvent' : [ 0x174, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x188, ['_KTIMER']], 'LoggerDpc' : [ 0x1b0, ['_KDPC']], 'LoggerMutex' : [ 0x1d0, ['_KMUTANT']], 'LoggerLock' : [ 0x1f0, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1f4, ['unsigned long']], 'BufferListPushLock' : [ 0x1f4, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1f8, ['_SECURITY_CLIENT_CONTEXT']], 
'SecurityDescriptor' : [ 0x234, ['_EX_FAST_REF']], 'StartTime' : [ 0x238, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x240, ['pointer', ['void']]], 'BufferSequenceNumber' : [ 0x248, ['long long']], 'Flags' : [ 0x250, ['unsigned long']], 'Persistent' : [ 0x250, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x250, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x250, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x250, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x250, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x250, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x250, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x250, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x250, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x250, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x250, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x250, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x250, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SpareFlags1' : [ 0x250, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x250, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x250, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x250, ['BitField', dict(start_bit = 25, end_bit = 32, 
native_type='unsigned long')]], 'RequestFlag' : [ 0x254, ['unsigned long']], 'DbgRequestNewFie' : [ 0x254, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x254, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x254, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x254, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x254, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x254, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x254, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x254, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDefferdFlush' : [ 0x254, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDefferdFlushTimer' : [ 0x254, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x254, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x254, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x254, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x258, ['_RTL_BITMAP']], 'StackCache' : [ 0x260, ['pointer', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x264, ['pointer', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x268, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x270, ['pointer', ['pointer', ['_WMI_BUFFER_HEADER']]]], } ], '_ETW_PMC_SUPPORT' : [ 0x24, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 
'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x298, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x9c, 
['pointer', ['void']]], 'DynamicPart' : [ 0xa0, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa4, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xb0, ['unsigned long']], 'TokenInUse' : [ 0xb4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb8, ['unsigned long']], 'MandatoryPolicy' : [ 0xbc, ['unsigned long']], 'LogonSession' : [ 0xc0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc4, ['_LUID']], 'SidHash' : [ 0xcc, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x154, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1dc, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x1e0, ['pointer', ['void']]], 'Capabilities' : [ 0x1e4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x1e8, ['unsigned long']], 'CapabilitiesHash' : [ 0x1ec, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x274, ['pointer', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x278, ['pointer', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x27c, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x280, ['pointer', ['void']]], 'TrustLinkedToken' : [ 0x284, ['pointer', ['_TOKEN']]], 'IntegrityLevelSidValue' : [ 0x288, ['pointer', ['void']]], 'TokenSidValues' : [ 0x28c, ['pointer', ['_SEP_SID_VALUES_BLOCK']]], 'VariablePart' : [ 0x290, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x48, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', 
['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x34, ['_SEP_LOWBOX_HANDLES_TABLE']], 'SharedDataLock' : [ 0x3c, ['_EX_PUSH_LOCK']], 'SharedClaimAttributes' : [ 0x40, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'SharedSidValues' : [ 0x44, ['pointer', ['_SEP_SID_VALUES_BLOCK']]], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : [ 0xd, ['unsigned char']], 'DbgRefTrace' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0xd, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'NewObject' : [ 0xf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0xf, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0xf, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0xf, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0xf, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0xf, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0xf, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0xf, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x8, { 'SecurityDescriptor' : [ 0x0, ['pointer', ['void']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x18, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'EntryLink' : [ 0x8, ['pointer', ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0xc, ['unsigned long']], 'HashIndex' : [ 0x10, ['unsigned short']], 'DirectoryLocked' : [ 0x12, ['unsigned char']], 'LockedExclusive' : [ 0x13, ['unsigned char']], 'LockStateSignature' : [ 0x14, ['unsigned long']], } ], 
'_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x98, ['pointer', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_WHEAP_INFO_BLOCK' : [ 0xc, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x4, ['pointer', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x8, ['pointer', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x418, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x8, ['unsigned long']], 'PlatformErrorSourceId' : [ 0xc, ['unsigned long']], 'ErrorCount' : [ 0x10, ['long']], 'RecordCount' : [ 0x14, ['unsigned long']], 'RecordLength' : [ 0x18, ['unsigned long']], 'PoolTag' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x24, ['pointer', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x28, ['pointer', ['void']]], 'SectionCount' : [ 0x2c, ['unsigned long']], 'SectionLength' : [ 0x30, ['unsigned long']], 'TickCountAtLastError' : [ 0x38, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x40, ['unsigned long']], 'TotalErrors' : [ 0x44, ['unsigned long']], 'Deferred' : [ 0x48, ['unsigned char']], 'Descriptor' : [ 0x49, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xe4, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x8, ['unsigned long']], 'ProcessorNumber' : [ 0xc, ['unsigned long']], 'Flags' : [ 
0x10, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x14, ['long']], 'ErrorSource' : [ 0x18, ['pointer', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x1c, ['_WHEA_ERROR_RECORD']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x1c, { 'SpinLock' : [ 0x0, ['unsigned long']], 'ConnectLock' : [ 0x4, ['_KEVENT']], 'LineMasked' : [ 0x14, ['unsigned char']], 'InterruptList' : [ 0x18, ['pointer', ['_KINTERRUPT']]], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x8, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned long long']], 'WorkQueue' : [ 0x18, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x40, ['pointer', ['void']]], 'AcceptProcessorNotification' : [ 0x44, ['pointer', ['void']]], 'WorkOrderCount' : [ 0x48, ['unsigned long']], 'WorkOrders' : [ 0x4c, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : 
[ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, 
['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x128, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x104, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x124, ['unsigned long']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'Type' : [ 0x0, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Reserved1' : [ 0x3, ['unsigned char']], 'TimerType' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Timer2Type' : [ 0x0, ['unsigned char']], 
'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Timer2ReservedFlags' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Timer2Reserved1' : [ 0x2, ['unsigned char']], 'Timer2Reserved2' : [ 0x3, ['unsigned char']], 'QueueType' : [ 0x0, ['unsigned char']], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'QueueReservedControlFlags' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueSize' : [ 0x2, ['unsigned char']], 'QueueReserved' : [ 0x3, ['unsigned char']], 'ThreadType' : [ 0x0, ['unsigned char']], 'ThreadReserved' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ThreadReservedControlFlags' : [ 0x2, ['BitField', dict(start_bit = 4, 
end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'MutantType' : [ 0x0, ['unsigned char']], 'MutantSize' : [ 0x1, ['unsigned char']], 'DpcActive' : [ 0x2, ['unsigned char']], 'MutantReserved' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'WaitResponse' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], } ], '_HEAP_COUNTERS' : [ 0x5c, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'PollIntervalCounter' : [ 0x38, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x3c, ['unsigned long']], 
'HeapPollInterval' : [ 0x40, ['unsigned long']], 'AllocAndFreeOps' : [ 0x44, ['unsigned long']], 'AllocationIndicesActive' : [ 0x48, ['unsigned long']], 'InBlockDeccommits' : [ 0x4c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x50, ['unsigned long']], 'HighWatermarkSize' : [ 0x54, ['unsigned long']], 'LastPolledSize' : [ 0x58, ['unsigned long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_MI_ACTIVE_WSLE_LISTHEAD' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x44, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 
'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, ['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x3c, ['unsigned char']], 'DeleteType' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_POP_FX_WORK_ORDER' : [ 0x1c, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x10, ['long']], 'Context' : [ 0x14, ['pointer', ['void']]], 'WatchdogTimerInfo' : [ 0x18, ['pointer', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, ['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : 
[ 0xc, ['unsigned long']], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x48, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ullContextMinimum' : [ 0x8, ['unsigned long long']], 'guPlatform' : [ 0x10, ['_GUID']], 'guMinPlatform' : [ 0x20, ['_GUID']], 'ulContextSource' : [ 0x30, ['unsigned long']], 'ulElementCount' : [ 0x34, ['unsigned long']], 'guElements' : [ 0x38, ['array', 1, ['_GUID']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x10, ['_KEVENT']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x8, ['unsigned char']], 'BlockState' : [ 0x9, ['unsigned char']], 'WaitKey' : [ 0xa, ['unsigned short']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'NotificationQueue' : [ 0xc, ['pointer', ['_KQUEUE']]], 'Object' : [ 0x10, ['pointer', ['void']]], 'SparePtr' : [ 
0x14, ['pointer', ['void']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x50, { 'ThermalStamp' : [ 0x0, 
['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'CriticalTripPoint' : [ 0x18, ['unsigned long']], 'ActiveTripPointCount' : [ 0x1c, ['unsigned char']], 'ActiveTripPoint' : [ 0x20, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x48, ['unsigned long']], 'MinimumThrottle' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1d6c' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1d6e' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1d6c']], 'Private' : [ 0x0, ['__unnamed_1d6e']], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Processors' : [ 0x4, ['unsigned long']], 'ActiveProcessors' : [ 0x8, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' 
: [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x8, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, 
['pointer', ['void']]], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x130, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x8, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0xc, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x10, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x98, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x120, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x124, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x128, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x12c, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_MMPTE_HIGHLOW' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], 
'_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x2c0, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x70, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x78, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0x80, ['unsigned long long']], 'TotalPageFaultCount' : [ 0x88, ['unsigned long']], 'TotalProcesses' : [ 0x8c, ['unsigned long']], 'ActiveProcesses' : [ 0x90, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x94, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x98, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xa0, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xa8, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xac, ['unsigned long']], 'LimitFlags' : [ 0xb0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xb4, ['unsigned long']], 'Affinity' : [ 0xb8, ['_KAFFINITY_EX']], 'AccessState' : [ 0xc4, ['pointer', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0xc8, ['pointer', ['void']]], 'UIRestrictionsClass' : [ 0xcc, ['unsigned long']], 
'EndOfJobTimeAction' : [ 0xd0, ['unsigned long']], 'CompletionPort' : [ 0xd4, ['pointer', ['void']]], 'CompletionKey' : [ 0xd8, ['pointer', ['void']]], 'CompletionCount' : [ 0xe0, ['unsigned long long']], 'SessionId' : [ 0xe8, ['unsigned long']], 'SchedulingClass' : [ 0xec, ['unsigned long']], 'ReadOperationCount' : [ 0xf0, ['unsigned long long']], 'WriteOperationCount' : [ 0xf8, ['unsigned long long']], 'OtherOperationCount' : [ 0x100, ['unsigned long long']], 'ReadTransferCount' : [ 0x108, ['unsigned long long']], 'WriteTransferCount' : [ 0x110, ['unsigned long long']], 'OtherTransferCount' : [ 0x118, ['unsigned long long']], 'DiskIoInfo' : [ 0x120, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x148, ['unsigned long']], 'JobMemoryLimit' : [ 0x14c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x150, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x154, ['unsigned long']], 'EffectiveAffinity' : [ 0x158, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x168, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x170, ['unsigned long']], 'EffectiveMaximumWorkingSetSize' : [ 0x174, ['unsigned long']], 'EffectiveProcessMemoryLimit' : [ 0x178, ['unsigned long']], 'EffectiveProcessMemoryLimitJob' : [ 0x17c, ['pointer', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x180, ['pointer', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x184, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x188, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x18c, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x190, ['unsigned long']], 'EffectiveSwapCount' : [ 0x194, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x198, ['unsigned long']], 'EffectivePriorityClass' : [ 0x19c, ['unsigned char']], 'PriorityClass' : [ 0x19d, ['unsigned char']], 'Reserved1' : [ 0x19e, ['array', 2, ['unsigned char']]], 'CompletionFilter' : [ 0x1a0, ['unsigned long']], 'WakeChannel' : [ 0x1a8, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x1a8, ['_PS_WAKE_INFORMATION']], 
'WakeFilter' : [ 0x1e0, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x1e8, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x1ec, ['unsigned long']], 'NotificationLink' : [ 0x1f0, ['pointer', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x1f8, ['unsigned long long']], 'NotificationInfo' : [ 0x200, ['pointer', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x204, ['pointer', ['void']]], 'NotificationPacket' : [ 0x208, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x20c, ['pointer', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x210, ['pointer', ['void']]], 'ReadyTime' : [ 0x218, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x220, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x224, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x22c, ['_LIST_ENTRY']], 'ParentJob' : [ 0x234, ['pointer', ['_EJOB']]], 'RootJob' : [ 0x238, ['pointer', ['_EJOB']]], 'IteratorListHead' : [ 0x23c, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x244, ['unsigned long']], 'Ancestors' : [ 0x248, ['pointer', ['pointer', ['_EJOB']]]], 'Accounting' : [ 0x250, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x2a0, ['unsigned long']], 'SequenceNumber' : [ 0x2a4, ['unsigned long']], 'TimerListLock' : [ 0x2a8, ['unsigned long']], 'TimerListHead' : [ 0x2ac, ['_LIST_ENTRY']], 'JobFlags' : [ 0x2b4, ['unsigned long']], 'CloseDone' : [ 0x2b4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x2b4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x2b4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x2b4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x2b4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x2b4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned 
long')]], 'OwnCpuRateControl' : [ 0x2b4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x2b4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x2b4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x2b4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x2b4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x2b4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x2b4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x2b4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x2b4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x2b4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x2b4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x2b4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x2b4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x2b4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x2b4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x2b4, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x2b4, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x2b4, ['BitField', dict(start_bit = 23, end_bit = 24, 
native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x2b4, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareJobFlags' : [ 0x2b4, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x2b8, ['unsigned long']], } ], '_PPM_IDLE_STATES' : [ 0x110, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'ForceIdle' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'ReasonFlags' : [ 0x24, ['unsigned short']], 'InitiateWakeStamp' : [ 0x28, ['unsigned long long']], 'PreviousStatus' : [ 0x30, ['long']], 'PreviousCancelReason' : [ 0x34, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x38, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0x44, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x50, ['pointer', ['void']]], 'IdleExecute' : [ 0x54, ['pointer', ['void']]], 'IdlePreselect' : [ 0x58, ['pointer', ['void']]], 'IdleTest' : [ 0x5c, ['pointer', ['void']]], 'IdleComplete' : [ 0x60, ['pointer', ['void']]], 'IdleCancel' : [ 0x64, ['pointer', ['void']]], 'IdleIsHalted' : [ 0x68, ['pointer', ['void']]], 'IdleInitiateWake' : [ 0x6c, ['pointer', ['void']]], 'QueryPlatformStateResidency' : [ 0x70, ['pointer', ['void']]], 'PrepareInfo' : [ 0x78, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'Tracing' : [ 0xd8, ['pointer', ['_PERFINFO_PPM_STATE_SELECTION']]], 'State' : [ 0xdc, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x250, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 
'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'SparePvoid0' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, 
['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], 'pUnused' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : [ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, 
native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x54, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', ['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', ['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned char']], 'ShutDownRequested' : [ 0x32, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x32, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x32, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x32, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x34, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x3c, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x40, ['unsigned long']], 'UserPagesAllocated' : [ 0x44, ['unsigned long']], 'UserPagesReused' : [ 0x48, ['unsigned long']], 'EventsLostCount' : [ 0x4c, ['pointer', ['unsigned long']]], 'BuffersLostCount' : [ 0x50, ['pointer', ['unsigned long']]], } ], '__unnamed_1dde' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, 
['unsigned char']], } ], '__unnamed_1de4' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1de6' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1dde']], 'Bits' : [ 0x0, ['__unnamed_1de4']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1de6']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_FAST_MUTEX']], 
'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'PendingFreeDepth' : [ 0x104, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x28, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, 
['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x1c, ['pointer', ['void']]], 'DvCallbacks' : [ 0x20, ['pointer', ['void']]], 'VerifierContext' : [ 0x24, ['pointer', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEAP_WORK_QUEUE' : [ 0x44, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['long']], 'Dpc' : [ 0x10, ['_KDPC']], 'WorkItem' : [ 0x30, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x40, ['pointer', ['void']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned 
char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'EmulateActiveBoth' : [ 0x39, ['unsigned char']], 'ActiveCount' : [ 0x3a, ['unsigned short']], 'InternalState' : [ 0x3c, ['long']], 'Mode' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x48, ['unsigned long']], 'DispatchCount' : [ 0x4c, ['unsigned long']], 'PassiveEvent' : [ 0x50, ['pointer', ['_KEVENT']]], 'DisconnectData' : [ 0x54, ['pointer', ['void']]], 'ServiceThread' : [ 0x58, ['pointer', ['_KTHREAD']]], 'IsrDpcStats' : [ 0x60, ['_ISRDPCSTATS']], 'ConnectionData' : [ 0xa0, ['pointer', ['_INTERRUPT_CONNECTION_DATA']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x58, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : 
[ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '__unnamed_1e46' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, 
['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1e46']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_EX_WORK_QUEUE' : [ 0x1b8, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'Node' : [ 0x19c, ['pointer', ['_ENODE']]], 'WorkItemsProcessed' : [ 0x1a0, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x1a4, ['unsigned long']], 'ThreadCount' : [ 0x1a8, ['long']], 'MinThreads' : [ 0x1ac, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='long')]], 'TryFailed' : [ 0x1ac, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'MaxThreads' : [ 0x1b0, ['long']], 'QueueIndex' : [ 0x1b4, ['Enumeration', dict(target = 'long', choices = {0: 'ExPoolUntrusted', 1: 'ExPoolTrusted', 8: 'ExPoolMax'})]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], 
'_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x4e, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', 
['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 
0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_IO_WORKITEM' : [ 0x30, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', ['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'Type' : [ 0x1c, ['unsigned long']], 'ActivityId' : [ 0x20, ['_GUID']], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x50, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x28, ['_KDPC']], 'WorkOrder' : [ 0x48, ['pointer', ['_POP_FX_WORK_ORDER']]], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, 
['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_SESSION_LOWBOX_MAP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x8, ['unsigned long']], 'LowboxMap' : [ 0xc, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], 
} ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x74, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'RefCount' : [ 0x20, ['unsigned long']], 'Lock' : [ 0x24, ['unsigned long']], 'Cancel' : [ 0x28, ['unsigned char']], 'Parent' : [ 0x2c, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'Data' : [ 0x30, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PROC_IDLE_POLICY' : [ 0x5, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_PS_WAKE_INFORMATION' : [ 0x38, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 5, ['unsigned long long']]], 'NoWakeCounter' : [ 0x30, ['unsigned long long']], } ], '_RH_OP_CONTEXT' : [ 0x24, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x8, ['pointer', ['_IRP']]], 'OplockRequestFileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x14, ['pointer', ['_ETHREAD']]], 'Flags' : [ 0x18, ['unsigned long']], 'AtomicLinks' 
: [ 0x1c, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_XSTATE_CONFIGURATION' : [ 0x218, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0xc, ['_CM_KEY_HASH']], 'ConvKey' : [ 0xc, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x14, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], 'KcbPushlock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x20, ['pointer', ['_KTHREAD']]], 'SharedCount' : [ 0x20, ['long']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, ['unsigned long']], 'KcbUserFlags' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x6c, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x74, ['_LIST_ENTRY']], 'Stolen' : [ 0x74, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x7c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x80, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x88, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x90, ['_CHILD_LIST']], 
'TransValueListOwner' : [ 0x98, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x9c, ['pointer', ['_UNICODE_STRING']]], } ], '_KLOCK_ENTRY' : [ 0x30, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ThreadUnsafe' : [ 0xc, ['pointer', ['void']]], 'HeadNodeByte' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['array', 2, ['unsigned char']]], 'AcquiredByte' : [ 0xf, ['unsigned char']], 'LockState' : [ 0x10, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x10, ['pointer', ['void']]], 'WaitingAndBusyByte' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['array', 2, ['unsigned char']]], 'InTreeByte' : [ 0x13, ['unsigned char']], 'SessionState' : [ 0x14, ['pointer', ['void']]], 'SessionId' : [ 0x14, ['unsigned long']], 'OwnerTree' : [ 0x18, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x20, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x18, ['unsigned char']], 'EntryLock' : [ 0x28, ['unsigned long']], 'AllBoosts' : [ 0x2c, ['unsigned short']], 'IoBoost' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'CpuBoostsBitmap' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x2e, ['BitField', dict(start_bit = 0, end_bit = 15, native_type='unsigned short')]], 'IoPriorityBit' : [ 0x2e, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InStore' : [ 
0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1ee8' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x98, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_1ee8']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['_MODWRITER_FLAGS']], 'StoreWriteRefCount' : [ 0x18, ['unsigned long']], 'StoreWriteCompletionApc' : [ 0x1c, ['_KAPC']], 'ByteCount' : [ 0x4c, ['unsigned long']], 'PagingFile' : [ 0x50, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x54, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x58, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x5c, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x60, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x68, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x70, ['pointer', ['_MDL']]], 'Mdl' : [ 0x74, ['_MDL']], 'Page' : [ 0x90, ['array', 1, ['unsigned long']]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 
'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 
'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x50, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'ContextSwitches' : [ 0x18, ['unsigned long long']], 'ReadOperationCount' : [ 0x20, ['long long']], 'WriteOperationCount' : [ 0x28, ['long long']], 'OtherOperationCount' : [ 0x30, ['long long']], 'ReadTransferCount' : [ 0x38, ['long long']], 'WriteTransferCount' : [ 0x40, ['long long']], 'OtherTransferCount' : [ 0x48, ['long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned 
long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Spare' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], 
'_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_CMHIVE' : [ 0xc20, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x3bc, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x3d4, ['_LIST_ENTRY']], 'HiveList' : [ 
0x3dc, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x3e4, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x3ec, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x3f0, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x3f8, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x3fc, ['unsigned long']], 'DeletedKcbTable' : [ 0x400, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0x404, ['unsigned long']], 'Identity' : [ 0x408, ['unsigned long']], 'HiveLock' : [ 0x40c, ['pointer', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x410, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x414, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x418, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0x420, ['unsigned long']], 'FlushLogEntry' : [ 0x424, ['pointer', ['unsigned char']]], 'FlushLogEntrySize' : [ 0x428, ['unsigned long']], 'FlushHiveTruncated' : [ 0x42c, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0x430, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0x434, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0x43c, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0x440, ['pointer', ['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0x444, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0x448, ['pointer', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0x44c, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0x450, ['unsigned long']], 'LastShrinkHiveSize' : [ 0x454, ['unsigned long']], 'ActualFileSize' : [ 0x458, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0x460, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0x470, ['_UNICODE_STRING']], 'FileUserName' : [ 0x478, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x480, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x488, ['unsigned long']], 'SecurityCacheSize' : [ 0x48c, ['unsigned long']], 'SecurityHitHint' : [ 0x490, ['long']], 'SecurityCache' : [ 0x494, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x498, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x698, ['unsigned long']], 'UnloadEventArray' 
: [ 0x69c, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x6a0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x6a4, ['unsigned char']], 'UnloadWorkItem' : [ 0x6a8, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x6ac, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x6c0, ['unsigned char']], 'GrowOffset' : [ 0x6c4, ['unsigned long']], 'KcbConvertListHead' : [ 0x6c8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x6d0, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x6d8, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0x6dc, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0x9a4, ['unsigned long']], 'TrustClassEntry' : [ 0x9a8, ['_LIST_ENTRY']], 'DirtyTime' : [ 0x9b0, ['unsigned long long']], 'UnreconciledTime' : [ 0x9b8, ['unsigned long long']], 'CmRm' : [ 0x9c0, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x9c4, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x9c8, ['long']], 'CreatorOwner' : [ 0x9cc, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0x9d0, ['pointer', ['_KTHREAD']]], 'LastWriteTime' : [ 0x9d8, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0x9e0, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0x9ec, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0x9f8, ['unsigned long']], 'FlushActive' : [ 0x9f8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0x9f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0x9f8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0x9f8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0x9fc, ['unsigned long']], 'ReferenceCount' : [ 0xa00, ['long']], 'UnloadHistoryIndex' : [ 0xa04, ['long']], 'UnloadHistory' : [ 0xa08, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0xc08, ['unsigned long']], 'UnaccessedStart' : [ 0xc0c, ['unsigned long']], 'UnaccessedEnd' : [ 0xc10, ['unsigned long']], 
'LoadedKeyCount' : [ 0xc14, ['unsigned long']], 'HandleClosePending' : [ 0xc18, ['unsigned long']], 'HandleClosePendingEvent' : [ 0xc1c, ['_EX_PUSH_LOCK']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x28, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long']], 'DirtyPageThresholdTop' : [ 0x4, ['unsigned long']], 'DirtyPageThresholdBottom' : [ 0x8, ['unsigned long']], 'DirtyPageTarget' : [ 0xc, ['unsigned long']], 'AggregateAvailablePages' : [ 0x10, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x18, ['unsigned long long']], 'AvailableHistory' : [ 0x20, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ForceCredits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 
'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 
'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 
'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x3f8, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x14, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x4, ['_RTL_BITMAP']], 'HashTable' : [ 0xc, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x10, ['unsigned char']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, 
['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x84, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 
'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x78, ['unsigned long']], 'PreviousActivityCounter' : [ 0x7c, ['unsigned long']], 'WorkerTrimRequests' : [ 0x80, ['unsigned long']], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0xc, { 'ActiveThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'WaitList' : [ 0x4, ['pointer', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x8, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_ETIMER' : [ 0xb8, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x28, ['unsigned long']], 'TimerApc' : [ 0x2c, ['_KAPC']], 'TimerDpc' : [ 0x5c, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x7c, ['_LIST_ENTRY']], 'Period' : [ 0x84, ['unsigned long']], 'TimerFlags' : [ 0x88, ['unsigned char']], 'ApcAssociated' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0x88, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0x88, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' 
: [ 0x88, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0x89, ['unsigned char']], 'Spare2' : [ 0x8a, ['unsigned short']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x98, ['pointer', ['void']]], 'VirtualizedTimerLinks' : [ 0x9c, ['_LIST_ENTRY']], 'DueTime' : [ 0xa8, ['unsigned long long']], 'CoalescingWindow' : [ 0xb0, ['unsigned long']], } ], '_PROC_PERF_SNAP' : [ 0x40, { 'Time' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'Active' : [ 0x10, ['unsigned long long']], 'LastActive' : [ 0x18, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x4c, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'Count' : [ 0x14, ['unsigned long']], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'StackTrace' : [ 0x24, ['array', 8, ['pointer', ['void']]]], 'Who' : [ 0x44, ['unsigned long']], 'Process' : [ 0x48, ['pointer', ['_EPROCESS']]], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_EXHANDLE' : [ 0x4, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned 
long']], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x2c8, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_ARBITER_INSTANCE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', 
['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '__unnamed_1ff7' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ff9' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1ff7']], } ], '__unnamed_1ffb' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_1ff9']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1ffb']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_HMAP_TABLE' : [ 0x1800, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'HandleCount' : [ 
0x14, ['unsigned long']], 'Handles' : [ 0x18, ['pointer', ['pointer', ['void']]]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x50, { 'Prcb' : [ 0x0, ['pointer', ['_KPRCB']]], 'PerfContext' : [ 0x4, ['unsigned long']], 'PlatformCap' : [ 0x8, ['unsigned long']], 'ThermalCap' : [ 0xc, ['unsigned long']], 'LimitReasons' : [ 0x10, ['unsigned long']], 'PlatformCapStartTime' : [ 0x18, ['unsigned long long']], 'TargetPercent' : [ 0x20, ['unsigned long']], 'DesiredPercent' : [ 0x24, ['unsigned long']], 'SelectedPercent' : [ 0x28, ['unsigned long']], 'SelectedFrequency' : [ 0x2c, ['unsigned long']], 'PreviousFrequency' : [ 0x30, ['unsigned long']], 'PreviousPercent' : [ 0x34, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x38, ['unsigned long']], 'SelectedState' : [ 0x40, ['unsigned long long']], 'Force' : [ 0x48, ['unsigned char']], } ], '__unnamed_200e' : [ 0x10, { 'CallerCompletion' : [ 0x0, ['pointer', ['void']]], 'CallerContext' : [ 0x4, ['pointer', ['void']]], 'CallerDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0xc, ['unsigned char']], } ], '__unnamed_2011' : [ 0x8, { 'NotifyDevice' : [ 0x0, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x4, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'Pdo' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x18, ['unsigned long long']], 'WatchdogTimer' : [ 0x20, ['_KTIMER']], 'WatchdogDpc' : [ 0x48, ['_KDPC']], 'MinorFunction' : [ 0x68, ['unsigned char']], 'PowerStateType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0x70, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0x74, ['unsigned char']], 'FxDevice' : [ 0x78, ['pointer', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0x7c, ['unsigned char']], 'NotifyPEP' : [ 0x7d, 
['unsigned char']], 'Device' : [ 0x80, ['__unnamed_200e']], 'System' : [ 0x80, ['__unnamed_2011']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, 
['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_MI_USER_VA_INFO' : [ 0xd1c, { 'NumberOfCommittedPageTables' : [ 0x0, ['unsigned long']], 'PhysicalMappingCount' : [ 0x4, ['unsigned long']], 'VadBitMapHint' : [ 0x8, ['unsigned long']], 'LastAllocationSizeHint' : [ 0xc, ['unsigned long']], 'LastAllocationSize' : [ 0x10, ['unsigned long']], 'LowestBottomUpVadBit' : [ 0x14, ['unsigned long']], 'VadBitMapSize' : [ 0x18, ['unsigned long']], 'VadBitMapCommitment' : [ 0x1c, ['unsigned long']], 'MaximumLastVadBit' : [ 0x20, ['unsigned long']], 'VadsBeingDeleted' : [ 0x24, ['long']], 'LastVadDeletionEvent' : [ 0x28, 
['pointer', ['_KEVENT']]], 'VadBitBuffer' : [ 0x2c, ['pointer', ['unsigned long']]], 'LowestBottomUpAllocationAddress' : [ 0x30, ['pointer', ['void']]], 'HighestTopDownAllocationAddress' : [ 0x34, ['pointer', ['void']]], 'FreeTebHint' : [ 0x38, ['pointer', ['void']]], 'NumaAware' : [ 0x3c, ['unsigned char']], 'PrivateFixupVadCount' : [ 0x40, ['unsigned long']], 'CfgBitMap' : [ 0x44, ['array', 1, ['_MI_CFG_BITMAP_INFO']]], 'CommittedPageTableBufferForTopLevel' : [ 0x54, ['array', 48, ['unsigned long']]], 'CommittedPageTableBitmaps' : [ 0x114, ['array', 1, ['_RTL_BITMAP']]], 'UsedPageTableEntries' : [ 0x11c, ['array', 1536, ['unsigned short']]], } ], '_PROC_FEEDBACK' : [ 0x68, { 'Lock' : [ 0x0, ['unsigned long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x20, ['unsigned long long']], 'UnscaledTime' : [ 0x28, ['unsigned long long']], 'UnaccountedTime' : [ 0x30, ['long long']], 'ScaledTime' : [ 0x38, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x48, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x50, ['unsigned long long']], 'UserTimeLast' : [ 0x58, ['unsigned long']], 'KernelTimeLast' : [ 0x5c, ['unsigned long']], 'KernelTimesIndex' : [ 0x60, ['unsigned char']], } ], '__unnamed_2028' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_202c' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, 
['unsigned long']], } ], '__unnamed_202e' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_2030' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_2032' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_2034' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_2036' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_2038' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_203a' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_203c' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_203e' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_2040' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_2028']], 'Memory' : [ 0x0, ['__unnamed_2028']], 'Interrupt' : [ 0x0, ['__unnamed_202c']], 'Dma' : [ 0x0, ['__unnamed_202e']], 'DmaV3' : [ 0x0, ['__unnamed_2030']], 'Generic' : [ 0x0, ['__unnamed_2028']], 'DevicePrivate' : [ 0x0, 
['__unnamed_2032']], 'BusNumber' : [ 0x0, ['__unnamed_2034']], 'ConfigData' : [ 0x0, ['__unnamed_2036']], 'Memory40' : [ 0x0, ['__unnamed_2038']], 'Memory48' : [ 0x0, ['__unnamed_203a']], 'Memory64' : [ 0x0, ['__unnamed_203c']], 'Connection' : [ 0x0, ['__unnamed_203e']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_2040']], } ], '_POP_THERMAL_ZONE' : [ 0x170, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], 'State' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], 'Removing' : [ 0x22, ['unsigned char']], 'Mode' : [ 0x23, ['unsigned char']], 'PendingMode' : [ 0x24, ['unsigned char']], 'ActivePoint' : [ 0x25, ['unsigned char']], 'PendingActivePoint' : [ 0x26, ['unsigned char']], 'Critical' : [ 0x27, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x28, ['long']], 'Throttle' : [ 0x2c, ['long']], 'PendingThrottle' : [ 0x30, ['long']], 'ThrottleReasons' : [ 0x34, ['unsigned long']], 'LastTime' : [ 0x38, ['unsigned long long']], 'SampleRate' : [ 0x40, ['unsigned long']], 'LastTemp' : [ 0x44, ['unsigned long']], 'PassiveTimer' : [ 0x48, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'Info' 
: [ 0x90, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0xe0, ['_LARGE_INTEGER']], 'Policy' : [ 0xe8, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0xfc, ['unsigned char']], 'Metrics' : [ 0x100, ['_POP_THERMAL_ZONE_METRICS']], 'WorkItem' : [ 0x130, ['_WORK_QUEUE_ITEM']], 'Lock' : [ 0x140, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x148, ['_KEVENT']], 'TemperatureUpdated' : [ 0x158, ['_KEVENT']], 'InstanceId' : [ 0x168, ['unsigned long']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x3bc, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'Allocate' : [ 0x8, ['pointer', ['void']]], 'Free' : [ 0xc, ['pointer', ['void']]], 'FileWrite' : [ 0x10, ['pointer', ['void']]], 'FileRead' : [ 0x14, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x18, ['pointer', ['void']]], 'BaseBlock' : [ 0x1c, ['pointer', 
['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x20, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x28, ['unsigned long']], 'DirtyAlloc' : [ 0x2c, ['unsigned long']], 'UnreconciledVector' : [ 0x30, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x38, ['unsigned long']], 'BaseBlockAlloc' : [ 0x3c, ['unsigned long']], 'Cluster' : [ 0x40, ['unsigned long']], 'Flat' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x44, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x44, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x45, ['unsigned char']], 'HvBinHeadersUse' : [ 0x48, ['unsigned long']], 'HvFreeCellsUse' : [ 0x4c, ['unsigned long']], 'HvUsedCellsUse' : [ 0x50, ['unsigned long']], 'CmUsedCellsUse' : [ 0x54, ['unsigned long']], 'HiveFlags' : [ 0x58, ['unsigned long']], 'CurrentLog' : [ 0x5c, ['unsigned long']], 'CurrentLogSequence' : [ 0x60, ['unsigned long']], 'CurrentLogOffset' : [ 0x64, ['unsigned long']], 'MinimumLogSequence' : [ 0x68, ['unsigned long']], 'LogFileSizeCap' : [ 0x6c, ['unsigned long']], 'LogDataPresent' : [ 0x70, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0x72, ['unsigned char']], 'BaseBlockDirty' : [ 0x73, ['unsigned char']], 'FirstLogFile' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'SecondLogFile' : [ 0x74, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 'HeaderRecovered' : [ 0x74, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0x74, ['unsigned short']], 'LogEntriesRecovered' : [ 0x76, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0x78, 
['unsigned long']], 'StorageTypeCount' : [ 0x7c, ['unsigned long']], 'Version' : [ 0x80, ['unsigned long']], 'Storage' : [ 0x84, ['array', 2, ['_DUAL']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x30, { 'ActiveCount' : [ 0x0, ['unsigned long']], 'PassiveCount' : [ 0x4, ['unsigned long']], 'LastActiveStartTime' : [ 0x8, ['unsigned long long']], 'AverageActiveTime' : [ 0x10, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x18, ['unsigned long long']], 'AveragePassiveTime' : [ 0x20, ['unsigned long long']], 'StartTickSinceLastReset' : [ 0x28, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], 
'_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 'SecurityQos' : [ 0x1c, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 
'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Spare0' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1e, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1d, ['unsigned char']], } ], '__unnamed_2098' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_209a' : [ 0x10, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_2098']], } ], '_VF_TARGET_DRIVER' : [ 0x1c, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x8, ['__unnamed_209a']], 'VerifiedData' : [ 0x18, ['pointer', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_20a3' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_20a5' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20a7' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceId' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20a9' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_20ab' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : 
[ 0x4, ['unsigned long']], } ], '__unnamed_20ad' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20af' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_20b1' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20b3' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_20b5' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_20a3']], 'TargetDevice' : [ 0x0, ['__unnamed_20a5']], 'InstallDevice' : [ 0x0, ['__unnamed_20a5']], 'CustomNotification' : [ 0x0, ['__unnamed_20a7']], 'ProfileNotification' : [ 0x0, ['__unnamed_20a9']], 'PowerNotification' : [ 0x0, ['__unnamed_20ab']], 'VetoNotification' : [ 0x0, ['__unnamed_20ad']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20af']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_20b1']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_20b3']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_20a5']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_20a5']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x44, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 
'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_20b5']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x60, { 'Context' : [ 0x0, ['pointer', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 
'DependencyCount' : [ 0x48, ['unsigned long']], 'DependencyUsed' : [ 0x4c, ['unsigned long']], 'DependencyArray' : [ 0x50, ['pointer', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x54, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x58, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x5c, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], } ], '__unnamed_20d1' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_20d1']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 
'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' 
: [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x58, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 
'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], 'WaitObjectFlagMask' : [ 0x50, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x54, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x56, ['unsigned short']], } ], '__unnamed_2106' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['_RTL_AVL_TREE']], 'u' : [ 0x14, ['__unnamed_2106']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_DIRTY_PAGE_STATISTICS' : [ 0xc, { 'DirtyPages' : [ 0x0, ['unsigned long']], 
'DirtyPagesLastScan' : [ 0x4, ['unsigned long']], 'DirtyPagesScheduledLastScan' : [ 0x8, ['unsigned long']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x10, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], 
'_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, 
['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : 
[ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_IOP_IRP_STACK_PROFILER' : [ 0x54, { 'Profile' : [ 0x0, ['array', 20, ['unsigned long']]], 'TotalIrps' : [ 0x50, ['unsigned long']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], 
'_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_KPRIQUEUE' : [ 0x19c, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x110, ['array', 32, ['long']]], 'MaximumCount' : [ 0x190, ['unsigned long']], 'ThreadListHead' : [ 0x194, ['_LIST_ENTRY']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_WAITING_IRP' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'CompletionRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'Information' : [ 0x18, ['unsigned long']], 'BreakAllRH' : [ 0x1c, ['unsigned char']], } ], '_POP_SYSTEM_IDLE' : [ 0x40, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 
'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned long']], 'IdleWorker' : [ 0x28, ['unsigned char']], 'Sampling' : [ 0x29, ['unsigned char']], 'LastTick' : [ 0x30, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x38, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x10, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0xc, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_KSCHEDULING_GROUP' : [ 0x140, { 'Value' : [ 0x0, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'HardCap' : [ 0x3, ['unsigned char']], 'RelativeWeight' : [ 0x4, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x8, ['unsigned long long']], 'NotificationCycles' : [ 0x10, ['long long']], 'SchedulingGroupList' : [ 0x18, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x20, ['pointer', ['_KDPC']]], 'PerProcessor' : [ 0x40, ['array', 1, ['_KSCB']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x18, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' : [ 0xc, ['unsigned long']], 'ObjectInfo' : [ 0x10, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x14, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, 
end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x18, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'Irp' : [ 0xc, ['pointer', ['_IRP']]], 'Device' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Static' : [ 0x14, ['unsigned char']], } ], '_POP_POLICY_DEVICE' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], } ], '__unnamed_2186' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_2188' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' 
: [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_218a' : [ 0xc, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_218c' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_218a']], 'Translated' : [ 0x0, ['__unnamed_2188']], } ], '__unnamed_218e' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_2190' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_2192' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_2194' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_2196' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_2198' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_219a' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_219c' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_2186']], 'Port' : [ 0x0, ['__unnamed_2186']], 'Interrupt' : [ 0x0, ['__unnamed_2188']], 'MessageInterrupt' : [ 0x0, ['__unnamed_218c']], 'Memory' : [ 0x0, ['__unnamed_2186']], 'Dma' : [ 0x0, ['__unnamed_218e']], 'DmaV3' : [ 0x0, ['__unnamed_2190']], 'DevicePrivate' : [ 0x0, ['__unnamed_2032']], 'BusNumber' : [ 0x0, ['__unnamed_2192']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_2194']], 'Memory40' : [ 0x0, ['__unnamed_2196']], 'Memory48' : [ 0x0, 
['__unnamed_2198']], 'Memory64' : [ 0x0, ['__unnamed_219a']], 'Connection' : [ 0x0, ['__unnamed_203e']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_219c']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_21a4' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_21a4']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_21ae' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_21ae']], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', ['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '_POP_FX_DEVICE' : [ 0x140, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'IrpData' : [ 0xc, ['pointer', ['_POP_IRP_DATA']]], 'Status' : [ 0x10, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x14, ['long']], 'PowerNotReqCall' : [ 0x18, ['long']], 'Plugin' : [ 0x1c, ['pointer', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x20, ['pointer', 
['PEPHANDLE__']]], 'MiniPlugin' : [ 0x24, ['pointer', ['_POP_FX_PLUGIN']]], 'MiniPluginHandle' : [ 0x28, ['pointer', ['PEPHANDLE__']]], 'DevNode' : [ 0x2c, ['pointer', ['_DEVICE_NODE']]], 'DeviceObject' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x38, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0x54, ['pointer', ['void']]], 'RemoveLock' : [ 0x58, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0x70, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0x8c, ['unsigned long']], 'IdleTimer' : [ 0x90, ['_KTIMER']], 'IdleDpc' : [ 0xb8, ['_KDPC']], 'IdleTimeout' : [ 0xd8, ['unsigned long long']], 'IdleStamp' : [ 0xe0, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0xe8, ['pointer', ['_DEVICE_OBJECT']]], 'NextIrpPowerState' : [ 0xec, ['_POWER_STATE']], 'NextIrpCallerCompletion' : [ 0xf0, ['pointer', ['void']]], 'NextIrpCallerContext' : [ 0xf4, ['pointer', ['void']]], 'IrpCompleteEvent' : [ 0xf8, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x108, ['pointer', ['void']]], 'Accounting' : [ 0x110, ['_POP_FX_ACCOUNTING']], 'ComponentCount' : [ 0x138, ['unsigned long']], 'Components' : [ 0x13c, ['array', 1, ['pointer', ['_POP_FX_COMPONENT']]]], } ], '__unnamed_21c7' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_21c9' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_21c7']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x40, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, ['_LIST_ENTRY']], 'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 
'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x30, ['_LIST_ENTRY']], 'Specific' : [ 0x38, ['__unnamed_21c9']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x30, { 'BadPageCount' : [ 0x0, ['unsigned long']], 'BadPagesDetected' : [ 0x4, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x8, ['long']], 'ScrubPasses' : [ 0xc, ['long']], 'ScrubBadPagesFound' : [ 0x10, ['long']], 'FeatureBits' : [ 0x18, ['unsigned long long']], 'TimeZoneId' : [ 0x20, ['unsigned long']], 'ExceptionChainTerminator' : [ 0x24, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'ExceptionChainTerminatorRecord' : [ 0x28, ['_EXCEPTION_REGISTRATION_RECORD']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 
0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 
'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'InProgressFlags' : [ 0x14, ['unsigned char']], 'KernelApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_DELAY_ACK_FO' : [ 0xc, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], 
'_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 
0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x34, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 
0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x24, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'Context' : [ 0xc, ['pointer', ['void']]], 'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 
'IrpPended' : [ 0x14, ['unsigned long']], 'Status' : [ 0x18, ['long']], 'Information' : [ 0x1c, ['pointer', ['void']]], 'ReferenceCount' : [ 0x20, ['long']], } ], '__unnamed_2230' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_2232' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_2234' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_2236' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_2230']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_2232']], 'Raw' : [ 0x0, ['__unnamed_2234']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x2c, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'Operation' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0x8, ['__unnamed_2236']], 'Stack' : [ 0x10, ['array', 7, ['pointer', ['void']]]], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, 
['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_223f' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_2242' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x28, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['long']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u' : [ 0x1c, ['__unnamed_223f']], 'u1' : [ 0x20, ['__unnamed_2242']], 'EventList' : [ 0x24, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x8, { 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 31, native_type='unsigned long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'LockState' : [ 0x0, ['pointer', ['void']]], 'SessionState' : [ 0x4, ['pointer', ['void']]], 'SessionId' : [ 0x4, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 
0x8, ['unsigned long']], 'SyncCallback' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned 
long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned 
long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0xc, ['pointer', ['_HANDLE_TABLE']]], 'Flags' : [ 0x10, ['unsigned long']], 'NumberOfBuckets' : [ 0x14, ['unsigned long']], 'Buckets' : [ 0x18, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '__unnamed_2283' : [ 0x10, { 'ProgrammedTime' : [ 0x0, ['unsigned long long']], 'TimerInfo' : [ 0x8, ['pointer', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0xd8, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, 
['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x58, ['array', 3, ['__unnamed_2283']]], 'FilteredCapabilities' : [ 0x88, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, 
['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x28, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, 
['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3d0, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0x90, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 
'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 
'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'ModifiedStoreWrite' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x2a0, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 
'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, ['unsigned long']], 'PackageDependencyData' : [ 0x298, ['pointer', ['void']]], 'ProcessGroupId' : [ 0x29c, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', 
['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_LOCK_HEADER' : [ 0x10, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x4, ['unsigned long']], 'Lock' : [ 0x8, ['unsigned long']], 'Valid' : [ 0xc, ['unsigned long']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 
1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, 
['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_232f' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x2040, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_232f']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x18, ['unsigned long']], 'NonPagablePages' : [ 0x1c, ['unsigned long']], 'CommittedPages' : [ 0x20, ['unsigned long']], 'PagedPoolStart' : [ 0x24, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x28, ['pointer', ['void']]], 'SessionObject' : [ 0x2c, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x30, ['pointer', ['void']]], 'SessionPoolAllocationFailures' : [ 0x34, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x44, ['_LIST_ENTRY']], 'LocaleId' : [ 0x4c, ['unsigned long']], 'AttachCount' : [ 0x50, ['unsigned long']], 'AttachGate' : [ 0x54, ['_KGATE']], 'WsListEntry' : [ 0x64, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 24, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xc80, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xcb8, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xcf0, ['_MMSUPPORT']], 'Wsle' : [ 0xd68, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xd6c, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xd80, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1ec0, ['pointer', ['_MMPTE']]], 'PagedPoolBitBuffer' : [ 0x1ec4, ['array', 32, ['unsigned long']]], 'SpecialPool' : [ 0x1f48, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f90, ['_FAST_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1fb0, ['long']], 'PagedPoolPdeCount' : [ 0x1fb4, 
['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1fb8, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1fbc, ['unsigned long']], 'SystemPteInfo' : [ 0x1fc0, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1ff8, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1ffc, ['unsigned long']], 'PoolTrackBigPages' : [ 0x2000, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x2004, ['unsigned long']], 'IoState' : [ 0x2008, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x200c, ['unsigned long']], 'IoNotificationEvent' : [ 0x2010, ['_KEVENT']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '__unnamed_233f' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_2342' : [ 0x4, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x48, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x28, ['__unnamed_233f']], 'Subsection' : [ 0x2c, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x30, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x38, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x40, ['pointer', ['_EPROCESS']]], 'u4' : [ 0x44, ['__unnamed_2342']], } ], 
'_SEP_SID_VALUES_BLOCK' : [ 0x10, { 'BlockLength' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'SidCount' : [ 0x8, ['unsigned long']], 'SidValuesStart' : [ 0xc, ['unsigned long']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_NONOPAQUE_OPLOCK' : [ 0x50, { 'IrpExclusiveOplock' : [ 0x0, ['pointer', ['_IRP']]], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x8, ['pointer', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'WaiterPriority' : [ 0x10, ['unsigned char']], 'IrpOplocksR' : [ 0x14, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x1c, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x24, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x2c, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x34, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x3c, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x44, ['pointer', ['_GUID']]], 'OplockState' : [ 0x48, ['unsigned long']], 'FastMutex' : [ 0x4c, ['pointer', ['_FAST_MUTEX']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, 
native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, 
['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_FAST_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'MaximumSize' : [ 0x2c, ['unsigned long']], 'PagedPoolHint' : [ 0x30, 
['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x18, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x8, ['pointer', ['void']]], 'SessionViewVa' : [ 0x8, ['pointer', ['void']]], 'VadsProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Type' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'SubsectionType' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SectionOffset' : [ 0x10, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0x18, ['unsigned long']], 'Processors' : [ 0x1c, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0x20, ['pointer', ['void']]], 'BoostPolicyHandler' : [ 0x24, ['pointer', ['void']]], 'BoostModeHandler' : [ 0x28, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x2c, ['pointer', ['void']]], 'PerfControlHandler' : [ 0x30, ['pointer', ['void']]], 'MaxFrequency' : [ 0x34, ['unsigned long']], 'NominalFrequency' : [ 0x38, ['unsigned long']], 'MaxPercent' : [ 0x3c, ['unsigned long']], 'MinPerfPercent' : [ 0x40, ['unsigned long']], 'MinThrottlePercent' : [ 0x44, ['unsigned long']], 'Coordination' : [ 0x48, ['unsigned char']], 'HardPlatformCap' : [ 0x49, ['unsigned char']], 'AffinitizeControl' : [ 0x4a, ['unsigned char']], 'SelectedPercent' : [ 0x4c, ['unsigned long']], 'SelectedFrequency' : [ 0x50, ['unsigned long']], 'DesiredPercent' : [ 0x54, ['unsigned long']], 'MaxPolicyPercent' : [ 0x58, ['unsigned long']], 'MinPolicyPercent' : [ 
0x5c, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x60, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x64, ['unsigned long']], 'GuaranteedPercent' : [ 0x68, ['unsigned long']], 'TolerancePercent' : [ 0x6c, ['unsigned long']], 'SelectedState' : [ 0x70, ['unsigned long long']], 'Force' : [ 0x78, ['unsigned char']], 'PerfChangeTime' : [ 0x80, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0x88, ['unsigned long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_RELATION_LIST' : [ 0x14, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_ETW_BUFFER_QUEUE' : [ 0xc, { 'QueueHead' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueTail' : [ 0x4, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, 
['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x48, { 'Lock' : [ 0x0, ['unsigned long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long']], 'SpecialPoolPdes' : [ 0x3c, ['_RTL_BITMAP']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x4, { 'LogHandleContext' : [ 0x0, ['pointer', ['_LOG_HANDLE_CONTEXT']]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_CURRENT_BROADCAST' : [ 0x10, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'DeviceState' : [ 0xc, ['pointer', ['_POP_DEVICE_SYS_STATE']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_FAST_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_IOV_IRP_TRACE' : [ 0x40, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x8, ['short']], 'SpecialApcDisable' : [ 0xa, ['short']], 'CombinedApcDisable' : [ 
0x8, ['unsigned long']], 'Irql' : [ 0xc, ['unsigned char']], 'StackTrace' : [ 0x10, ['array', 12, ['pointer', ['void']]]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x4, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '__unnamed_23c7' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_23c9' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_23c7']], 'Button' : [ 0xc, ['__unnamed_23c9']], } ], '_KDPC_DATA' : [ 0x18, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], 'ActiveDpc' : [ 0x14, ['pointer', ['_KDPC']]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned 
long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_KSCB' : [ 0xe0, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'UnderQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'RankCycleTarget' : [ 0x10, ['unsigned long long']], 'LongTermCycles' : [ 0x18, ['unsigned long long']], 'LastReportedCycles' : [ 0x20, ['unsigned long long']], 'OverQuotaHistory' : [ 0x28, ['unsigned long long']], 'ReadyTime' : [ 0x30, ['unsigned long long']], 'InsertTime' : [ 0x38, ['unsigned long long']], 'PerProcessorList' : [ 0x40, ['_LIST_ENTRY']], 'QueueNode' : [ 0x48, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x54, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OverQuota' : [ 0x54, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardCap' : [ 0x54, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x54, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Spare1' : [ 0x54, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x55, ['unsigned char']], 'ReadySummary' : [ 0x56, ['unsigned short']], 'Rank' : [ 0x58, ['unsigned long']], 'ReadyListHead' : [ 0x5c, ['array', 16, ['_LIST_ENTRY']]], } ], '__unnamed_23d9' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_23db' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_23d9']], 'Merged' : [ 0x10, ['__unnamed_23db']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 
'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_PROC_PERF_HISTORY' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'HistoryList' : [ 0x8, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '__unnamed_23e7' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_23e7']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer', ['_MMPTE']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : 
[ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_23fb' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_23ff' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_23fb']], 'u2' : [ 0x24, ['__unnamed_23ff']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '__unnamed_2408' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_240a' : [ 0x4, { 
'Flags' : [ 0x0, ['__unnamed_2408']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x90, { 'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_240a']], 'Signature' : [ 0x14, ['unsigned long']], 'PoolPageHeaders' : [ 0x18, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, ['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned 
long')]], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long']], 'PipelinedReadAheadRequestSize' : [ 0x54, ['unsigned long']], 'ReadAheadGrowth' : [ 0x58, ['unsigned long']], 'PrivateLinks' : [ 0x5c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x64, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : 
[ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PTE_TRACKER' : [ 0x44, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 7, ['pointer', ['void']]]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, 
['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x28, { 'InstantaneousRead' : [ 0x0, ['pointer', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'DisableInterrupts' : [ 0x22, ['unsigned char']], 'Context' : [ 0x24, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_HMAP_ENTRY' : [ 0xc, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'MemAlloc' : [ 0x8, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x1c, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 
'Reference' : [ 0x8, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x18, ['unsigned char']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_DUAL' : [ 0x19c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x190, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x198, ['unsigned long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x4, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 11, native_type='unsigned long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned long']], 'CompletionEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x1c, { 
'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'LowboxNumber' : [ 0x14, ['unsigned long']], 'AtomTable' : [ 0x18, ['pointer', ['void']]], } ], '_MI_CFG_BITMAP_INFO' : [ 0x10, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'RegionSize' : [ 0x4, ['unsigned long']], 'VadBaseAddress' : [ 0x8, ['pointer', ['void']]], 'BitmapVad' : [ 0xc, ['pointer', ['_MMVAD']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_FAST_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_FAST_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x28, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0xc, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0xc, ['array', 4, ['pointer', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0xc, ['pointer', ['void']]], 'SessionId' : [ 0x10, ['unsigned long']], 'Process' : [ 0x1c, ['pointer', ['_EPROCESS']]], 'CallbackContext' : [ 0x1c, ['pointer', ['void']]], 'Callback' : [ 0x20, ['pointer', ['void']]], 'Index' : [ 0x24, ['unsigned short']], 'Flags' : [ 0x26, ['unsigned char']], 'DbgKernelRegistration' : [ 0x26, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgUserRegistration' : [ 0x26, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DbgReplyRegistration' : [ 0x26, ['BitField', dict(start_bit = 2, 
end_bit = 3, native_type='unsigned char')]], 'DbgClassicRegistration' : [ 0x26, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'DbgSessionSpaceRegistration' : [ 0x26, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DbgModernRegistration' : [ 0x26, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DbgClosed' : [ 0x26, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DbgInserted' : [ 0x26, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'EnableMask' : [ 0x27, ['unsigned char']], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 
'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0x88, { 'Count' : [ 0x0, ['unsigned long']], 'OriginalAffinity' : [ 0x4, ['_GROUP_AFFINITY']], 'SteeringListEntry' : [ 0x10, ['_LIST_ENTRY']], 'SteeringListRoot' : [ 0x18, ['pointer', ['void']]], 'IsrTime' : [ 0x20, ['unsigned long long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'IsrLoad' : [ 0x30, ['unsigned long']], 'DpcLoad' : [ 0x34, ['unsigned long']], 'IsPrimaryInterrupt' : [ 0x38, ['unsigned char']], 'InterruptObjectArray' : [ 0x3c, ['pointer', ['pointer', ['_KINTERRUPT']]]], 'InterruptObjectCount' : [ 0x40, ['unsigned long']], 'Vectors' : [ 0x48, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xa0, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InProgressLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, 
['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x34, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x34, ['unsigned long']], 'PackagedBinary' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x34, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x34, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x34, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x34, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x34, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x34, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x34, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x34, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReservedFlags2' : [ 0x34, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x34, ['BitField', dict(start_bit = 15, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x34, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x34, 
['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x34, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x34, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x34, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x34, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x34, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x34, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x34, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Spare' : [ 0x4c, ['pointer', ['void']]], 'DdagNode' : [ 0x50, ['pointer', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0x54, ['_LIST_ENTRY']], 'SnapContext' : [ 0x5c, ['pointer', ['_LDRP_DLL_SNAP_CONTEXT']]], 'ParentDllBase' : [ 0x60, ['pointer', ['void']]], 'SwitchBackContext' : [ 0x64, ['pointer', ['void']]], 'BaseAddressIndexNode' : [ 0x68, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0x74, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0x80, ['unsigned long']], 'LoadTime' : [ 0x88, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x90, ['unsigned long']], 'LoadReason' : [ 0x94, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 
'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x98, ['unsigned long']], } ], '_LDR_DDAG_NODE' : [ 0x30, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x8, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0xc, ['unsigned long']], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'DependencyCount' : [ 0x14, ['unsigned long']], 'Dependencies' : [ 0x18, ['_LDRP_CSLIST']], 'RemovalLink' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'IncomingDependencies' : [ 0x1c, ['_LDRP_CSLIST']], 'State' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x28, ['unsigned long']], 'LowestLink' : [ 0x2c, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x104, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'Order' : [ 0x1c, 
['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0xec, ['_LIST_ENTRY']], 'Status' : [ 0xf4, ['long']], 'FailedDevice' : [ 0xf8, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0xfc, ['unsigned char']], 'Cancelled' : [ 0xfd, ['unsigned char']], 'IgnoreErrors' : [ 0xfe, ['unsigned char']], 'IgnoreNotImplemented' : [ 0xff, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x100, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LockedPages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'FloppyMedia' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ILOnly' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], 
} ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x8, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x30, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Latency' : [ 0xc, ['unsigned long']], 'BreakEvenDuration' : [ 0x10, ['unsigned long']], 'Power' : [ 0x14, ['unsigned long']], 'StateFlags' : [ 0x18, ['unsigned long']], 'VetoAccounting' : [ 0x1c, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0x28, ['unsigned char']], 'InterruptsEnabled' : [ 0x29, ['unsigned char']], 'Interruptible' : [ 0x2a, ['unsigned char']], 'ContextRetained' : [ 
0x2b, ['unsigned char']], 'CacheCoherent' : [ 0x2c, ['unsigned char']], 'WakesSpuriously' : [ 0x2d, ['unsigned char']], 'PlatformOnly' : [ 0x2e, ['unsigned char']], 'NoCState' : [ 0x2f, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x34, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x8, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0xc, ['long']], 'HighWaterMark' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['array', 8, ['unsigned long']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_24bd' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x14, { 'NodeRangeSize' : [ 0x0, ['unsigned long']], 'NodeCount' : [ 0x4, ['unsigned long']], 'Tables' : [ 0x8, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0xc, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_24bd']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_POP_FX_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['unsigned char']], 'DripsRequiredState' : [ 0x8, ['unsigned long']], 'Level' : [ 0xc, ['long']], 'ActiveStamp' : [ 0x10, ['long long']], 'CsActiveTime' : [ 0x18, ['unsigned long long']], 'CriticalActiveTime' : [ 0x20, ['long long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_RELATION_LIST_ENTRY' : [ 0x14, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['_DEVICE_OBJECT_LIST_ENTRY']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x6, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], } ], '_POP_FX_COMPONENT' : [ 0xb8, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x14, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x30, ['pointer', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x34, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x3c, ['long']], 'ActiveEvent' : [ 0x40, ['_KEVENT']], 'IdleLock' : [ 0x50, ['unsigned long']], 'IdleConditionComplete' : [ 0x54, ['long']], 'IdleStateComplete' : [ 0x58, ['long']], 'IdleStamp' : [ 0x60, ['unsigned long long']], 'CurrentIdleState' : [ 0x68, ['unsigned long']], 'IdleStateCount' : [ 0x6c, ['unsigned long']], 'IdleStates' : [ 0x70, ['pointer', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0x74, ['unsigned long']], 'ProviderCount' : [ 0x78, ['unsigned long']], 'Providers' : [ 0x7c, ['pointer', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0x80, ['unsigned long']], 'DependentCount' : [ 0x84, ['unsigned long']], 'Dependents' : [ 0x88, ['pointer', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0x90, ['_POP_FX_ACCOUNTING']], } ], 
'_PEP_CRASHDUMP_INFORMATION' : [ 0x8, { 'DeviceHandle' : [ 0x0, ['pointer', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x4, ['pointer', ['void']]], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x1c, { 'ComponentActive' : [ 0x0, ['pointer', ['void']]], 'ComponentIdle' : [ 0x4, ['pointer', ['void']]], 'ComponentIdleState' : [ 0x8, ['pointer', ['void']]], 'DevicePowerRequired' : [ 0xc, ['pointer', ['void']]], 'DevicePowerNotRequired' : [ 0x10, ['pointer', ['void']]], 'PowerControl' : [ 0x14, ['pointer', ['void']]], 'ComponentCriticalTransition' : [ 0x18, ['pointer', ['void']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x2c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x8, ['unsigned char']], 'Spare' : [ 0x9, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0xc, ['unsigned long']], 'DebugId' : [ 0x10, ['_CVDD']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40f0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'StackLimitHits' : [ 0x4038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x403c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x4040, ['unsigned long']], 
'NodesReleasedOutOfOrder' : [ 0x4044, ['unsigned long']], 'TotalReleases' : [ 0x4048, ['unsigned long']], 'RootNodesDeleted' : [ 0x404c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x4050, ['unsigned long']], 'Instigator' : [ 0x4054, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4058, ['unsigned long']], 'Participant' : [ 0x405c, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40dc, ['long']], 'StackType' : [ 0x40e0, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x40e4, ['unsigned long']], 'StackHighLimit' : [ 0x40e8, ['unsigned long']], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, 
['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 
'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, 
['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 
'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x40, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'IRHints' : [ 0x30, ['unsigned long']], 'IRTruncatedHints' : [ 0x34, ['unsigned long']], 'ExpectedWakeReason' : [ 0x38, ['unsigned char']], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, ['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 
'CancelTimeoutTicks' : [ 0x12, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_252b' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_252d' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_252b']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_252d']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, 
['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_253f' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_253f']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 
2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x18, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x10, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 
'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_THERMAL_POLICY' : [ 0x14, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, 
native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 
0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_ETW_GUID_ENTRY' : [ 0x160, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['pointer', ['_ETW_FILTER_HEADER']]], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_259b' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_259d' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_259b']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_259d']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 
'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x80, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x3c, ['pointer', ['void']]], 'Lock' : [ 0x40, ['long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1d, { 'PerUserPolicy' : [ 0x0, ['array', 29, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 
'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_25b1' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_25b3' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_25b7' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_25bb' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_25bd' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_25b1']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_25b3']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_25b7']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_25bb']], 'Others' : [ 0x0, ['__unnamed_25bd']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x4, { 'Function' : [ 0x0, ['pointer', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x68, { 'PlatformOnlyCount' : [ 0x0, ['unsigned long long']], 'PreVetoCount' : [ 0x8, ['unsigned long long']], 'VetoCount' : [ 0x10, ['unsigned long long']], 'IdleDurationCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, ['unsigned long long']], 'InterruptibleCount' : [ 0x28, ['unsigned long 
long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'WrongProcessorCount' : [ 0x40, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x48, ['unsigned long long']], 'CstateCheckCount' : [ 0x50, ['unsigned long long']], 'NoCStateCount' : [ 0x58, ['unsigned long long']], 'SelectedCount' : [ 0x60, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x4, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_HIVE_WAIT_PACKET' : [ 0x18, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Next' : [ 0x14, ['pointer', ['_HIVE_WAIT_PACKET']]], } ], '__unnamed_25cc' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_25ce' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_25d0' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_25cc']], 'Interrupt' : [ 0x0, ['__unnamed_25ce']], 'LocalInterrupt' : [ 0x0, ['__unnamed_25ce']], 'Sci' : [ 0x0, ['__unnamed_25ce']], 'Nmi' : [ 0x0, ['__unnamed_25ce']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_25d0']], } ], '_POP_HIBER_CONTEXT' : [ 0x120, { 'Reset' : [ 0x0, ['unsigned 
char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'VerifyKernelPhaseOnResume' : [ 0x3, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x4, ['unsigned char']], 'InitializationFinished' : [ 0x5, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'MapFrozen' : [ 0x14, ['unsigned char']], 'DiscardMap' : [ 0x18, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x18, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x20, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x28, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x30, ['unsigned long']], 'ClonedPageCount' : [ 0x38, ['unsigned long long']], 'CurrentMap' : [ 0x40, ['pointer', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x44, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x48, ['unsigned long']], 'LoaderMdl' : [ 0x4c, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x50, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x58, ['unsigned long long']], 'IoPages' : [ 0x60, ['pointer', ['void']]], 'IoPagesCount' : [ 0x64, ['unsigned long']], 'CurrentMcb' : [ 0x68, ['pointer', ['void']]], 'DumpStack' : [ 0x6c, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x70, ['pointer', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0x74, ['unsigned long']], 'Status' : [ 0x78, ['long']], 'GraphicsProc' : [ 0x7c, ['unsigned long']], 'MemoryImage' : [ 0x80, ['pointer', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0x84, ['pointer', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0x88, ['pointer', ['_MDL']]], 'SiLogOffset' : [ 0x8c, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0x90, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0x94, ['pointer', ['void']]], 'ResumeContext' : [ 0x98, ['pointer', ['void']]], 'ResumeContextPages' : [ 0x9c, ['unsigned long']], 'ProcessorCount' : [ 0xa0, ['unsigned long']], 'ProcessorContext' : [ 0xa4, ['pointer', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0xa8, 
['pointer', ['unsigned char']]], 'ProdConsSize' : [ 0xac, ['unsigned long']], 'MaxDataPages' : [ 0xb0, ['unsigned long']], 'ExtraBuffer' : [ 0xb4, ['pointer', ['void']]], 'ExtraBufferSize' : [ 0xb8, ['unsigned long']], 'ExtraMapVa' : [ 0xbc, ['pointer', ['void']]], 'BitlockerKeyPFN' : [ 0xc0, ['unsigned long']], 'IoInfo' : [ 0xc8, ['_POP_IO_INFO']], 'HardwareConfigurationSignature' : [ 0x118, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x100, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xc0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xc8, ['pointer', ['void']]], 'PointersLength' : [ 0xcc, ['unsigned long']], 'ModulePrefix' : [ 0xd0, ['pointer', ['unsigned short']]], 'DriverList' : [ 0xd4, ['_LIST_ENTRY']], 'InitMsg' : [ 0xdc, ['_STRING']], 'ProgMsg' 
: [ 0xe4, ['_STRING']], 'DoneMsg' : [ 0xec, ['_STRING']], 'FileObject' : [ 0xf4, ['pointer', ['void']]], 'UsageType' : [ 0xf8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_PPM_VETO_ACCOUNTING' : [ 0xc, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x4, ['_LIST_ENTRY']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x24, { 'InitiatingThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ThreadId' : [ 0x8, ['pointer', ['void']]], 'ProcessId' : [ 0xc, ['pointer', ['void']]], 'Code' : [ 0x10, ['unsigned long']], 'Parameter1' : [ 0x14, ['unsigned long']], 'Parameter2' : [ 0x18, ['unsigned long']], 'Parameter3' : [ 0x1c, ['unsigned long']], 'Parameter4' : [ 0x20, ['unsigned long']], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, ['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 
3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 31, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x18, { 'Next' : [ 0x0, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'Gate' : [ 0x8, ['_KGATE']], 'SecureInfo' : [ 0x8, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x8, ['_RTL_BITMAP']], 'InPageSupport' : [ 0x8, ['pointer', ['_MMINPAGE_SUPPORT']]], 'PhysicalMemory' : [ 0x8, ['_MI_PHYSMEM_BLOCK']], 'LargePage' : [ 0x8, ['pointer', ['_MI_LARGEPAGE_MEMORY_INFO']]], } ], '__unnamed_260b' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 
0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_260b']], } ], '__unnamed_260f' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_260f']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], 'PO_MEMORY_IMAGE' : [ 0x2c8, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'NoFreePages' : [ 0x38, ['unsigned long']], 'FreeMapCheck' : [ 0x3c, ['unsigned long']], 'WakeCheck' : [ 0x40, ['unsigned long']], 'NumPagesForLoader' : [ 0x48, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x50, ['unsigned long']], 'FirstKernelRestorePage' : [ 0x54, ['unsigned long']], 'PerfInfo' : [ 0x58, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x200, ['unsigned 
long']], 'FirmwareRuntimeInformation' : [ 0x204, ['array', 1, ['unsigned long']]], 'SiLogOffset' : [ 0x208, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x20c, ['unsigned long']], 'BootLoaderLogPages' : [ 0x210, ['array', 24, ['unsigned long']]], 'NotUsed' : [ 0x270, ['unsigned long']], 'ResumeContextCheck' : [ 0x274, ['unsigned long']], 'ResumeContextPages' : [ 0x278, ['unsigned long']], 'Hiberboot' : [ 0x27c, ['unsigned char']], 'HvCr3' : [ 0x280, ['unsigned long long']], 'HvEntryPoint' : [ 0x288, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x290, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x298, ['unsigned long long']], 'BootFlags' : [ 0x2a0, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x2a8, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x2b0, ['unsigned long']], 'BitlockerKeyPfns' : [ 0x2b4, ['array', 4, ['unsigned long']]], 'HardwareSignature' : [ 0x2c4, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x10, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x1a8, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'TotalHibernateTime' : [ 0x30, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x38, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x3c, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x40, ['unsigned long']], 'ResumeAppTicks' : [ 0x48, ['unsigned long long']], 
'ResumeAppStartTimestamp' : [ 0x50, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x58, ['unsigned long long']], 'ResumeInitTicks' : [ 0x60, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x68, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x70, ['unsigned long long']], 'ResumeIoTicks' : [ 0x78, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x80, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0x88, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0x90, ['unsigned long long']], 'ResumeMapTicks' : [ 0x98, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xa0, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xa8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xb0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xb8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xc0, ['unsigned long long']], 'HalTscOffset' : [ 0xc8, ['unsigned long long']], 'HvlTscOffset' : [ 0xd0, ['unsigned long long']], 'SleeperThreadEnd' : [ 0xd8, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0xe0, ['unsigned long long']], 'IoBoundedness' : [ 0xe8, ['unsigned long long']], 'KernelDecompressTicks' : [ 0xf0, ['unsigned long long']], 'KernelIoTicks' : [ 0xf8, ['unsigned long long']], 'KernelCopyTicks' : [ 0x100, ['unsigned long long']], 'ReadCheckCount' : [ 0x108, ['unsigned long long']], 'KernelInitTicks' : [ 0x110, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x118, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x120, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x128, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x130, ['unsigned long long']], 'AnimationStart' : [ 0x138, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x140, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x148, ['unsigned long']], 'BootPagesProcessed' : [ 0x150, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x158, ['unsigned long long']], 'BootBytesWritten' : [ 0x160, ['unsigned long long']], 
'KernelBytesWritten' : [ 0x168, ['unsigned long long']], 'BootPagesWritten' : [ 0x170, ['unsigned long long']], 'KernelPagesWritten' : [ 0x178, ['unsigned long long']], 'BytesWritten' : [ 0x180, ['unsigned long long']], 'PagesWritten' : [ 0x188, ['unsigned long']], 'FileRuns' : [ 0x18c, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x190, ['unsigned long']], 'MaxHuffRatio' : [ 0x194, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x198, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1a0, ['unsigned long long']], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_FREE_DISPLAY' : [ 0x10, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '__unnamed_262b' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_262b']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_MI_PHYSMEM_BLOCK' : [ 0x4, { 'IoTracker' : [ 0x0, ['pointer', ['_MMIO_TRACKER']]], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x70, { 'UncompressedData' : [ 0x0, ['pointer', ['unsigned char']]], 'MappingVa' : [ 0x4, ['pointer', ['void']]], 'XpressEncodeWorkspace' : [ 0x8, ['pointer', ['void']]], 'CompressedDataBuffer' : [ 0xc, ['pointer', ['unsigned char']]], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'CompressTicks' : [ 0x18, ['unsigned long long']], 'BytesCopied' : [ 0x20, ['unsigned long long']], 'PagesProcessed' : [ 0x28, ['unsigned long long']], 'DecompressTicks' : [ 0x30, ['unsigned long long']], 
'ResumeCopyTicks' : [ 0x38, ['unsigned long long']], 'SharedBufferTicks' : [ 0x40, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x48, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x68, ['unsigned long']], 'HuffCompressCount' : [ 0x6c, ['unsigned long']], } ], '_DEVICE_OBJECT_LIST_ENTRY' : [ 0xc, { 'DeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'RelationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceRelation', 1: 'Dependent', 2: 'DirectDescendant'})]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_IO_REMOVE_LOCK' : [ 0x18, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_POP_IO_INFO' : [ 0x50, { 'DumpMdl' : [ 0x0, ['pointer', ['_MDL']]], 'IoStatus' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x8, ['unsigned long long']], 'IoBytesCompleted' : [ 0x10, ['unsigned long long']], 'IoBytesInProgress' : [ 0x18, ['unsigned long long']], 'RequestSize' : [ 0x20, ['unsigned long long']], 'IoLocation' : [ 0x28, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x30, ['unsigned long long']], 'Buffer' : [ 0x38, ['pointer', ['void']]], 'AsyncCapable' : [ 0x3c, ['unsigned char']], 'BytesToRead' : [ 0x40, ['unsigned long long']], 'Pages' : [ 0x48, ['unsigned long']], } ], '_LDRP_CSLIST' : [ 0x4, { 'Tail' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MMVIEW' : [ 0x28, { 'PteOffset' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['_MMVIEW_CONTROL_AREA']], 'ViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x18, ['pointer', ['void']]], 'SessionId' : [ 0x1c, ['unsigned long']], 'SessionIdForGlobalSubsections' : [ 0x20, ['unsigned long']], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 
'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_FILTER_HEADER' : [ 0x24, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x4, ['pointer', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x8, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0xc, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x10, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x14, ['pointer', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x18, ['pointer', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x1c, ['pointer', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x20, ['pointer', ['_EVENT_FILTER_HEADER']]], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_MMVIEW_CONTROL_AREA' : [ 0x4, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExceptionForInPageErrors' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'UsedForControlArea' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LeakedPoolDeliberately' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_2661' : [ 0x8, 
{ 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2663' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_2666' : [ 0x8, { 'IntrInfo' : [ 0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_266a' : [ 0x4, { 'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x40, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x14, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x20, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x30, ['__unnamed_2661']], 'XapicMessage' : [ 0x30, ['__unnamed_2663']], 'Hypertransport' : [ 0x30, ['__unnamed_2666']], 'GenericMessage' : [ 0x30, ['__unnamed_2663']], 'MessageRequest' : [ 0x30, ['__unnamed_266a']], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_267d' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_267f' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2681' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_267d']], 'Gpt' : [ 0x0, ['__unnamed_267f']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xc0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MarkMemoryOnly' : [ 0x45, ['unsigned char']], 'HiberResume' : [ 0x46, ['unsigned char']], 'Reserved1' : [ 0x47, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_2681']], 'ReadRoutine' : [ 0x6c, ['pointer', ['void']]], 'GetDriveTelemetryRoutine' : [ 0x70, ['pointer', ['void']]], 'LogSectionTruncateSize' : [ 0x74, ['unsigned long']], 'Parameters' : [ 0x78, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xb8, ['pointer', ['void']]], 'DumpNotifyRoutine' : [ 0xbc, ['pointer', ['void']]], } ], 
'_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '_ETW_QUEUE_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x8, ['pointer', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0xc, ['pointer', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x10, ['pointer', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x14, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned short']], 'ReplyIndex' : [ 0x1a, ['unsigned short']], 'Flags' : [ 0x1c, ['unsigned long']], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_KDPC_LIST' : [ 0x8, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x4, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0xd0, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x18, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 
'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 
0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '__unnamed_26b1' : [ 0x4, { 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_26b3' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_26b1']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_26b6' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_26b8' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_26b6']], 'AsULONG' : [ 0x0, 
['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, ['__unnamed_26b3']], 'HighPart' : [ 0x4, ['__unnamed_26b8']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_MI_LARGEPAGE_MEMORY_INFO' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ColoredPageInfoBase' : [ 0x8, ['pointer', ['_COLORED_PAGE_INFO']]], 'PagesNeedZeroing' : [ 0xc, ['unsigned long']], } ], '__unnamed_26c8' : [ 0x8, { 'MessageAddressLow' : [ 0x0, ['unsigned long']], 'MessageData' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], } ], '__unnamed_26ca' : [ 0x8, { 'RemappedFormat' : [ 0x0, ['_ULARGE_INTEGER']], 'Msi' : [ 0x0, ['__unnamed_26c8']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_26ca']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 
0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Xcr0' : [ 0x3c, ['unsigned long long']], 'ExceptionList' : [ 0x44, ['unsigned long']], 'Reserved' : [ 0x48, ['array', 3, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_MMIO_TRACKER' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PageFrameIndex' : [ 0x8, ['unsigned long']], 'NumberOfPages' : [ 0xc, ['unsigned long']], 'BaseVa' : [ 0x10, ['pointer', ['void']]], 'CacheFlushTimeStamp' : [ 0x10, ['unsigned long']], 'Mdl' : [ 0x14, ['pointer', ['_MDL']]], 'MdlPages' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x1c, ['array', 6, ['pointer', ['void']]]], 'CacheInfo' : [ 0x34, ['array', 1, ['_IO_CACHE_INFO']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '__unnamed_26d9' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_26dc' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0xe0, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'Event' : [ 0x10, ['_KEVENT']], 'CollidedEvent' : [ 0x20, ['_KEVENT']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'PteContents' : [ 0x40, ['_MMPTE']], 'Thread' : [ 0x48, ['pointer', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0x4c, ['pointer', ['_MMPFN']]], 'WaitCount' : [ 0x50, 
['long']], 'ByteCount' : [ 0x54, ['unsigned long']], 'u3' : [ 0x58, ['__unnamed_26d9']], 'u1' : [ 0x5c, ['__unnamed_26dc']], 'FilePointer' : [ 0x60, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x64, ['pointer', ['_CONTROL_AREA']]], 'Autoboost' : [ 0x68, ['pointer', ['void']]], 'FaultingAddress' : [ 0x6c, ['pointer', ['void']]], 'PointerPte' : [ 0x70, ['pointer', ['_MMPTE']]], 'BasePte' : [ 0x74, ['pointer', ['_MMPTE']]], 'Pfn' : [ 0x78, ['pointer', ['_MMPFN']]], 'PrefetchMdl' : [ 0x7c, ['pointer', ['_MDL']]], 'Mdl' : [ 0x80, ['_MDL']], 'Page' : [ 0x9c, ['array', 16, ['unsigned long']]], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : 
[ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'BoostedPriority' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CoalescedIo' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 
'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_COLORED_PAGE_INFO' : [ 0x10, { 'BeingZeroed' : [ 0x0, ['long']], 'Processor' : [ 0x4, ['unsigned long']], 'PagesQueued' : [ 0x8, ['unsigned long']], 'PfnAllocation' : [ 0xc, ['pointer', ['_MMPFN']]], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned 
short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x4, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_IO_CACHE_INFO' : [ 0x1, { 'CacheAttribute' : [ 0x0, ['unsigned char']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x4, ['pointer', ['unsigned short']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8.py0000644000000000000000000004100213131215405025610 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: The Volatility Foundation @license: GNU General Public License 2.0 @contact: awalters@4tphi.net This file provides support for Windows 8. 
"""

import struct
import volatility.plugins.overlays.windows.windows as windows
import volatility.obj as obj
import volatility.constants as constants
import volatility.utils as utils
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.addrspace as addrspace
import volatility.plugins.malware.malfind as malfind
import volatility.plugins.overlays.windows.pe_vtypes as pe_vtypes
import volatility.plugins.overlays.windows.ssdt_vtypes as ssdt_vtypes
import volatility.plugins.overlays.windows.win7 as win7
import volatility.plugins.overlays.windows.vista as vista

# distorm3 is optional; has_distorm records whether the import worked.
# NOTE(review): the bare except below hides every error raised while importing
# distorm3, not only a missing module; `except ImportError:` would be narrower.
try:
    import distorm3
    has_distorm = True
except:
    has_distorm = False

class _HANDLE_TABLE32(windows._HANDLE_TABLE):
    """A class for 32-bit Windows 8 handle tables"""

    @property
    def HandleCount(self):
        """The Windows 8 / 2012 handle table does not have a
        HandleCount member, so we fake it.

        Alternately, we could return len(self.handles()) and
        show a valid number in pslist, however pslist would
        be much slower than normal.
        """

        return 0

    def get_item(self, entry, handle_value = 0):
        """Returns the OBJECT_HEADER of the associated handle.
        The parent is the _HANDLE_TABLE_ENTRY so that an object
        can be linked to its GrantedAccess.
        """

        # A zero InfoTable is reported as a NoneObject rather than followed.
        if entry.InfoTable == 0:
            return obj.NoneObject("LeafHandleValue pointer is invalid")

        # The low three bits of InfoTable are masked off before the value
        # is used as the header offset.
        return obj.Object("_OBJECT_HEADER",
                          offset = entry.InfoTable & ~7,
                          vm = self.obj_vm,
                          parent = entry,
                          handle_value = handle_value)

class _HANDLE_TABLE64(_HANDLE_TABLE32):
    """A class for 64-bit Windows 8 / 2012 handle tables"""

    # Shift count used by decode_pointer; subclasses override it.
    DECODE_MAGIC = 0x13

    def decode_pointer(self, value):
        """Decode a pointer like SAR. Since Python does not
        have an operator for shift arithmetic, we implement
        one ourselves.
        """

        # Clear the low three bits, then shift right by DECODE_MAGIC.
        value = value & 0xFFFFFFFFFFFFFFF8
        value = value >> self.DECODE_MAGIC
        # '<<' binds tighter than '&', so this tests bit 44 of the shifted
        # value and then fills in the upper bits by hand.
        if (value & 1 << 44):
            # bit 44 set: set the top 20 bits
            return value | 0xFFFFF00000000000
        else:
            # bit 44 clear: set the top 16 bits
            return value | 0xFFFF000000000000

    def get_item(self, entry, handle_value = 0):
        """Returns the OBJECT_HEADER of the associated handle.
        The parent is the _HANDLE_TABLE_ENTRY so that an object
        can be linked to its GrantedAccess.
        """

        # A zero LowValue is reported as a NoneObject rather than decoded.
        if entry.LowValue == 0:
            return obj.NoneObject("LowValue pointer is invalid")

        return obj.Object("_OBJECT_HEADER",
                          offset = self.decode_pointer(entry.LowValue),
                          vm = self.obj_vm,
                          parent = entry,
                          handle_value = handle_value)

class _HANDLE_TABLE_81R264(_HANDLE_TABLE64):
    """A class for 64-bit Windows 8.1 / 2012 R2 handle tables"""
    DECODE_MAGIC = 0x10

class _PSP_CID_TABLE32(_HANDLE_TABLE32):
    """PspCidTable for 32-bit Windows 8"""

class _PSP_CID_TABLE64(_HANDLE_TABLE64):
    """PspCidTable for 64-bit Windows 8 and Server 2012"""

    def get_item(self, entry, handle_value = 0):
        """Starting with 8/2012 x64 the PsPCidTable pointers go directly
        to an object rather than an object header.
        """

        if entry.LowValue == 0:
            return obj.NoneObject("LowValue pointer is invalid")

        # The decoded value addresses the object body, so step back by the
        # offset of Body inside _OBJECT_HEADER to reach the header itself.
        body_offset = self.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body")
        head_offset = self.decode_pointer(entry.LowValue) - body_offset

        return obj.Object("_OBJECT_HEADER",
                          offset = head_offset,
                          vm = self.obj_vm,
                          parent = entry,
                          handle_value = handle_value)

class _PSP_CID_TABLE_81R264(_PSP_CID_TABLE64):
    """PspCidTable for 64-bit Windows 8.1 and Server 2012 R2"""
    DECODE_MAGIC = 0x10

class _LDR_DATA_TABLE_ENTRY(pe_vtypes._LDR_DATA_TABLE_ENTRY):
    """A class for DLL modules"""

    @property
    def LoadCount(self):
        """The Windows 8 / 2012 module does not have a
        LoadCount member, so we fake it.
        """

        return self.ObsoleteLoadCount

class _OBJECT_HEADER(win7._OBJECT_HEADER):
    """A class for object headers on Win 8 / Server 2012"""

    # This specifies the order the headers are found below the _OBJECT_HEADER
    # Note the AuditInfo field which is new as of Windows 8 / 2012
    optional_header_mask = (('CreatorInfo', '_OBJECT_HEADER_CREATOR_INFO', 0x01),
                            ('NameInfo', '_OBJECT_HEADER_NAME_INFO', 0x02),
                            ('HandleInfo', '_OBJECT_HEADER_HANDLE_INFO', 0x04),
                            ('QuotaInfo', '_OBJECT_HEADER_QUOTA_INFO', 0x08),
                            ('ProcessInfo', '_OBJECT_HEADER_PROCESS_INFO', 0x10),
                            ('AuditInfo', '_OBJECT_HEADER_AUDIT_INFO', 0x40),
                            )

    # Maps an integer type index to the object type name.
    type_map = {
        2: 'Type',
        3: 'Directory',
        4: 'SymbolicLink',
        5: 'Token',
        6: 'Job',
        7: 'Process',
        8: 'Thread',
        9: 'UserApcReserve',
        10: 'IoCompletionReserve',
        11: 'DebugObject',
        12: 'Event',
        13: 'EventPair',
        14: 'Mutant',
        15: 'Callback',
        16: 'Semaphore',
        17: 'Timer',
        18: 'IRTimer',
        19: 'Profile',
        20: 'KeyedEvent',
        21: 'WindowStation',
        22: 'Desktop',
        24: 'TpWorkerFactory',
        25: 'Adapter',
        26: 'Controller',
        27: 'Device',
        28: 'Driver',
        29: 'IoCompletion',
        30: 'WaitCompletionPacket',
        31: 'File',
        32: 'TmTm',
        33: 'TmTx',
        34: 'TmRm',
        35: 'TmEn',
        36: 'Section',
        37: 'Session',
        38: 'Key',
        39: 'ALPC Port',
        40: 'PowerRequest',
        41: 'WmiGuid',
        42: 'EtwRegistration',
        43: 'EtwConsumer',
        44: 'FilterConnectionPort',
        45: 'FilterCommunicationPort',
        46: 'PcwObject',
        47: 'DxgkSharedResource',
        48: 'DxgkSharedSyncObject',
    }

    @property
    def GrantedAccess(self):
        """Return the object's granted access permissions"""

        # The access bits are read from the parent object (the handle table
        # entry passed as parent by get_item), when there is one.
        if self.obj_parent:
            return self.obj_parent.GrantedAccessBits
        return obj.NoneObject("No parent known")

    def is_valid(self):
        """Determine if a given object header is valid"""

        if not obj.CType.is_valid(self):
            return False

        # NOTE(review): the flags listed in optional_header_mask OR together
        # to 0x5f, so this bound rejects some combinations of them; confirm
        # that 0x48 is the intended upper limit.
        if self.InfoMask > 0x48:
            return False

        # Reject implausible reference counts (negative or above 0x1000000).
        if self.PointerCount > 0x1000000 or self.PointerCount < 0:
            return False

        return True

class _OBJECT_HEADER_81R2(_OBJECT_HEADER):
    """A class for object headers on Win 8.1 / Server 2012 R2"""

    # Same role as the parent's type_map, with the 8.1 / 2012 R2 numbering.
    type_map = {
        2: 'Type',
        3: 'Directory',
        4: 'SymbolicLink',
        5: 'Token',
        6: 'Job',
        7: 'Process',
        8: 'Thread',
        9: 'UserApcReserve',
        10: 'IoCompletionReserve',
        11: 'DebugObject',
        12: 'Event',
        13: 'Mutant',
        14: 'Callback',
        15: 'Semaphore',
        16: 'Timer',
        17: 'IRTimer',
        18: 'Profile',
        19: 'KeyedEvent',
        20: 'WindowStation',
        21: 'Desktop',
        22: 'Composition',
        23: 'TpWorkerFactory',
        24: 'Adapter',
        25: 'Controller',
        26: 'Device',
        27: 'Driver',
        28: 'IoCompletion',
        29: 'WaitCompletionPacket',
        30: 'File',
        31: 'TmTm',
        32: 'TmTx',
        33: 'TmRm',
        34: 'TmEn',
        35: 'Section',
        36: 'Session',
        37: 'Key',
        38: 'ALPC Port',
        39: 'PowerRequest',
        40: 'WmiGuid',
        41: 'EtwRegistration',
        42: 'EtwConsumer',
        43: 'FilterConnectionPort',
        44: 'FilterCommunicationPort',
        45: 'PcwObject',
        46: 'DxgkSharedResource',
    }

class Win8KDBG(windows.AbstractKDBGMod):
    """The Windows 8 / 2012 KDBG signatures"""

    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 2}

    kdbgsize = 0x360

    def modification(self, profile):

        # The signature prefix depends on the profile's memory model;
        # a missing 'memory_model' entry is treated as 32-bit.
        if profile.metadata.get('memory_model', '32bit') == '32bit':
            signature = '\x00\x00\x00\x00\x00\x00\x00\x00'
        else:
            signature = '\x03\xf8\xff\xff'
        # NOTE(review): this copy of the file is damaged at this point. The
        # text between "struct.pack('" and "= 2," is missing, which appears to
        # include the end of this method and the header of the class that
        # follows it. The lines below are kept exactly as they appear here and
        # do not parse; restore them from an intact copy of win8.py.
        signature += 'KDBG' + struct.pack('= 2,
                  'memory_model': lambda x: x == '32bit',
                  }

    def modification(self, profile):
        profile.merge_overlay({
            'VOLATILITY_MAGIC': [ None, {
            'DTBSignature' : [ None, ['VolatilityMagic', dict(value = "\x03\x00\x28\x00")]],
            }]})

class Win8x64MaxCommit(obj.ProfileModification):
    """The Windows 8 / Server 2012 MM_MAX_COMMIT value"""

    before = ["Windows64Overlay"]
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 2,
                  'memory_model': lambda x: x == '64bit',
                  }

    def modification(self, profile):
        """Merge the MM_MAX_COMMIT magic value (0x7fffffff) into the profile"""
        profile.merge_overlay({
            'VOLATILITY_MAGIC': [ 0x0, {
            'MM_MAX_COMMIT': [ 0x0, ['VolatilityMagic', dict(value = 0x7fffffff)]],
            }]})

class Win8x64DTB(obj.ProfileModification):
    """The Windows 8 64-bit DTB signature"""

    before = ['WindowsOverlay', 'Windows64Overlay']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 2,
                  'memory_model': lambda x: x == '64bit',
                  }

    def modification(self, profile):
        """Merge the DTBSignature magic value into the profile"""
        profile.merge_overlay({
            'VOLATILITY_MAGIC': [ None, {
            'DTBSignature' : [ None, ['VolatilityMagic', dict(value = "\x03\x00\xb2\x00")]],
            }]})

class Win8x86SyscallVTypes(obj.ProfileModification):
    """Applying the SSDT structures for Win 8 32-bit"""

    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 2}

    def modification(self, profile):
        # Same as 2003, which basically just means there are
        # only two SSDT tables by default.
        profile.vtypes.update(ssdt_vtypes.ssdt_vtypes_2003)

class Win8ObjectClasses(obj.ProfileModification):
    """Registers the Windows 8 / 2012 object classes defined in this module"""

    before = ["WindowsObjectClasses", "Win7ObjectClasses", "WinPEObjectClasses", "MalwarePspCid"]
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 2}

    def modification(self, profile):
        """Pick the handle table, CID table and object header classes from
        the profile metadata and register them in profile.object_classes.
        """

        memory_model = profile.metadata.get("memory_model", "32bit")
        major = profile.metadata.get("major", 0)
        minor = profile.metadata.get("minor", 0)

        if memory_model == '32bit':
            handletable = _HANDLE_TABLE32
            pspcidtable = _PSP_CID_TABLE32
        else:
            # 6.3 and later select the classes whose DECODE_MAGIC is 0x10;
            # earlier versions use the classes with 0x13.
            if (major, minor) >= (6, 3):
                handletable = _HANDLE_TABLE_81R264
                pspcidtable = _PSP_CID_TABLE_81R264
            else:
                handletable = _HANDLE_TABLE64
                pspcidtable = _PSP_CID_TABLE64

        # NOTE(review): the handle tables above switch for versions >= 6.3,
        # while the object header type map switches only for exactly 6.3.
        if (major, minor) == (6, 3):
            objheader = _OBJECT_HEADER_81R2
        else:
            objheader = _OBJECT_HEADER

        profile.object_classes.update({
                "_LDR_DATA_TABLE_ENTRY": _LDR_DATA_TABLE_ENTRY,
                "_HANDLE_TABLE": handletable,
                "_OBJECT_HEADER": objheader,
                "_PSP_CID_TABLE": pspcidtable,
                })

class Win8SP0x64(obj.Profile):
    """ A Profile for Windows 8 x64 """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 2
    _md_build = 9200
    _md_vtype_module = 'volatility.plugins.overlays.windows.win8_sp0_x64_vtypes'
    _md_product = ["NtProductWinNt"]

class Win8SP1x64(obj.Profile):
    """ A Profile for Windows 8.1 x64 """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 3
    _md_build = 9600
    _md_vtype_module = 'volatility.plugins.overlays.windows.win8_sp1_x64_vtypes'
    _md_product = ["NtProductWinNt"]

class Win8SP1x64_18340(obj.Profile):
    """ A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13) """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 3
    _md_build = 9600
    _md_vtype_module = 'volatility.plugins.overlays.windows.win8_sp1_x64_54B5A1C6_vtypes'
    _md_product = ["NtProductWinNt"]

class Win2012x64(Win8SP0x64):
    """ A Profile for Windows Server 2012 x64 """
    _md_build = 9201 ##FIXME: fake build number to indicate server 2012 vs windows 8
    _md_product = ["NtProductLanManNt", "NtProductServer"]

class Win2012R2x64(Win8SP1x64):
    """ A Profile for Windows Server 2012 R2 x64 """
    _md_build = 9601 ##FIXME: fake build number to indicate server 2012 R2 vs windows 8.1
    _md_product = ["NtProductLanManNt", "NtProductServer"]

class Win2012R2x64_18340(Win8SP1x64_18340):
    """ A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13) """
    _md_build = 9601 ##FIXME: fake build number to indicate server 2012 R2 vs windows 8.1
    _md_product = ["NtProductLanManNt", "NtProductServer"]

class Win8SP0x86(obj.Profile):
    """ A Profile for Windows 8 x86 """
    _md_memory_model = '32bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 2
    _md_build = 9200
    _md_vtype_module = 'volatility.plugins.overlays.windows.win8_sp0_x86_vtypes'
    _md_product = ["NtProductWinNt"]

class Win8SP1x86(obj.Profile):
    """ A Profile for Windows 8.1 x86 """
    _md_memory_model = '32bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 3
    _md_build = 9600
    _md_vtype_module = 'volatility.plugins.overlays.windows.win8_sp1_x86_vtypes'
    _md_product = ["NtProductWinNt"]

class Win81U1x64(obj.Profile):
    """ A Profile for Windows 8.1 Update 1 x64 """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 3
    _md_build = 17031
    _md_vtype_module = 
'volatility.plugins.overlays.windows.win81_u1_x64_vtypes' _md_product = ["NtProductWinNt"] class Win81U1x86(obj.Profile): """ A Profile for Windows 8.1 Update 1 x86 """ _md_memory_model = '32bit' _md_os = 'windows' _md_major = 6 _md_minor = 3 _md_build = 17031 _md_vtype_module = 'volatility.plugins.overlays.windows.win81_u1_x86_vtypes' _md_product = ["NtProductWinNt"] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win7_sp1_x64_vtypes.py0000644000000000000000000172707413131215405030532 0ustar rootrootntkrnlmp_types = { '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 
'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned 
long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x30, { 'InterceptorFunction' : [ 0x0, ['pointer64', ['void']]], 'InterceptorValue' : [ 0x8, ['unsigned short']], 'ExtendedOptions' : [ 0xc, ['unsigned long']], 'StackTraceDepth' : [ 0x10, ['unsigned long']], 'MinTotalBlockSize' : [ 0x18, ['unsigned long long']], 'MaxTotalBlockSize' : [ 0x20, ['unsigned long long']], 'HeapLeakEnumerationRoutine' : [ 0x28, ['pointer64', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x68, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'WorkItem' : [ 0x38, ['_WORK_QUEUE_ITEM']], 'FailingDriver' : [ 0x58, ['pointer64', ['_DRIVER_OBJECT']]], 'ReferenceCount' : [ 0x60, ['long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, 
['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 
'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '__unnamed_205c' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0xb0, { 'Count' : [ 0x0, ['unsigned long']], 
'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_205c']], 'TargetProcessors' : [ 0x30, ['_KAFFINITY_EX']], 'PStateHandler' : [ 0x58, ['pointer64', ['void']]], 'PStateContext' : [ 0x60, ['unsigned long long']], 'TStateHandler' : [ 0x68, ['pointer64', ['void']]], 'TStateContext' : [ 0x70, ['unsigned long long']], 'FeedbackHandler' : [ 0x78, ['pointer64', ['void']]], 'GetFFHThrottleState' : [ 0x80, ['pointer64', ['void']]], 'State' : [ 0x88, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, 
['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xc0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', 
dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'ProgrammedRTCTime' : [ 0x58, ['unsigned long long']], 'WakeOnRTC' : [ 0x60, ['unsigned char']], 'WakeTimerInfo' : [ 0x68, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], 'FilteredCapabilities' : [ 0x70, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' 
: [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x50, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x228, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTransitions' : [ 0x8, ['unsigned long']], 'FailedTransitions' : [ 0xc, ['unsigned long']], 'InvalidBucketIndex' : [ 0x10, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 16, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 
3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_209e' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_20a0' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_209e']], 'Button' : [ 0x10, ['__unnamed_20a0']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, 
['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 
'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0x148, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'EmInfFileImage' : [ 0x18, ['pointer64', ['void']]], 'EmInfFileSize' : [ 0x20, ['unsigned long']], 'TriageDumpBlock' : [ 0x28, ['pointer64', ['void']]], 'LoaderPagesSpanned' : [ 0x30, ['unsigned long long']], 'HeadlessLoaderBlock' : [ 0x38, ['pointer64', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x40, ['pointer64', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x48, ['pointer64', ['void']]], 'DrvDBSize' : [ 0x50, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x58, ['pointer64', ['_NETWORK_LOADER_BLOCK']]], 'FirmwareDescriptorListHead' : [ 0x60, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x70, ['pointer64', ['void']]], 'AcpiTableSize' : [ 0x78, ['unsigned long']], 'LastBootSucceeded' : [ 0x7c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LastBootShutdown' : [ 0x7c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPortAccessSupported' : [ 0x7c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x7c, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x80, ['pointer64', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x88, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x98, ['pointer64', ['void']]], 'BootIdentifier' : [ 0xa0, ['_GUID']], 'ResumePages' : [ 0xb0, ['unsigned long']], 'DumpHeader' : [ 0xb8, ['pointer64', ['void']]], 'BgContext' : [ 0xc0, ['pointer64', ['void']]], 'NumaLocalityInfo' : [ 0xc8, ['pointer64', ['void']]], 'NumaGroupAssignment' : [ 0xd0, ['pointer64', ['void']]], 'AttachedHives' : [ 0xd8, ['_LIST_ENTRY']], 
'MemoryCachingRequirementsCount' : [ 0xe8, ['unsigned long']], 'MemoryCachingRequirements' : [ 0xf0, ['pointer64', ['void']]], 'TpmBootEntropyResult' : [ 0xf8, ['_TPM_BOOT_ENTROPY_LDR_RESULT']], 'ProcessorCounterFrequency' : [ 0x140, ['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 
'Return' : [ 0x68, ['unsigned long long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x400, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x30, { 'Mdl' : [ 0x0, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x8, ['pointer64', ['void']]], 'UserLimit' : [ 0x10, ['pointer64', ['void']]], 'SystemVa' : [ 0x18, ['pointer64', ['void']]], 'SystemLimit' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_PROC_HISTORY_ENTRY' : [ 0x4, { 'Utility' : [ 0x0, ['unsigned short']], 'Frequency' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 
0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x18, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 
'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer64', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0x10, ['pointer64', ['void']]], } ], '_PEB64' : [ 0x380, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned 
long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 
'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pContextData' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 
'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_2145' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1f80, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2145']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x20, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x28, ['unsigned long long']], 'NonPagablePages' : [ 0x30, ['unsigned long long']], 'CommittedPages' : [ 0x38, ['unsigned long long']], 'PagedPoolStart' : [ 0x40, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x48, ['pointer64', ['void']]], 'SessionObject' : [ 0x50, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x58, ['pointer64', ['void']]], 'ResidentProcessCount' : [ 0x60, ['long']], 'SessionPoolAllocationFailures' : [ 0x64, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachGate' : [ 0x90, ['_KGATE']], 'WsListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xc88, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc90, ['pointer64', ['void']]], 'PagedPool' : 
[ 0xcc0, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e00, ['_MMPTE']], 'SessionVaLock' : [ 0x1e08, ['_KGUARDED_MUTEX']], 'DynamicVaBitMap' : [ 0x1e40, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1e50, ['unsigned long']], 'SpecialPool' : [ 0x1e58, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1ea0, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1ed8, ['long']], 'PagedPoolPdeCount' : [ 0x1edc, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1ee0, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1ee4, ['unsigned long']], 'SystemPteInfo' : [ 0x1ee8, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f30, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1f38, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1f40, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1f48, ['unsigned long long']], 'IoState' : [ 0x1f50, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1f54, ['unsigned long']], 'IoNotificationEvent' : [ 0x1f58, ['_KEVENT']], 'CpuQuotaBlock' : [ 0x1f70, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 
'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', 
['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 
14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned 
long']], 'PagedPoolCommit' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'FeedbackHandler' : [ 0x40, ['pointer64', ['void']]], 'GetFFHThrottleState' : [ 0x48, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0x50, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0x58, ['pointer64', ['void']]], 'PerfHandler' : [ 0x60, ['pointer64', ['void']]], 'Processors' : [ 0x68, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'PerfChangeTime' : [ 0x70, ['unsigned long long']], 'ProcessorCount' : [ 0x78, ['unsigned long']], 'PreviousFrequencyMhz' : [ 0x7c, ['unsigned long']], 'CurrentFrequencyMhz' : [ 0x80, ['unsigned long']], 'PreviousFrequency' : [ 0x84, ['unsigned long']], 'CurrentFrequency' : [ 0x88, ['unsigned long']], 'CurrentPerfContext' : [ 0x8c, ['unsigned long']], 'DesiredFrequency' : [ 0x90, ['unsigned long']], 
'MaxFrequency' : [ 0x94, ['unsigned long']], 'MinPerfPercent' : [ 0x98, ['unsigned long']], 'MinThrottlePercent' : [ 0x9c, ['unsigned long']], 'MaxPercent' : [ 0xa0, ['unsigned long']], 'MinPercent' : [ 0xa4, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0xa8, ['unsigned long']], 'ConstrainedMinPercent' : [ 0xac, ['unsigned long']], 'Coordination' : [ 0xb0, ['unsigned char']], 'PerfChangeIntervalCount' : [ 0xb4, ['long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_TP_NBQ_GUARD' : [ 0x20, { 'GuardLinks' : [ 0x0, ['_LIST_ENTRY']], 'Guards' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer64', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', 
['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x48, { 'PteBase' : [ 0x0, ['pointer64', ['_MMPTE']]], 'Lock' : [ 0x8, ['unsigned long long']], 'Paged' : [ 0x10, ['_MI_SPECIAL_POOL_PTE_LIST']], 'NonPaged' : [ 0x20, ['_MI_SPECIAL_POOL_PTE_LIST']], 'PagesInUse' : [ 0x30, ['long long']], 'SpecialPoolPdes' : [ 0x38, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '__unnamed_21be' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_21c2' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned 
long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_21be']], 'Bits' : [ 0x4, ['__unnamed_21c2']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : 
[ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_21de' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_21e0' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_21de']], 'Merged' : [ 0x10, ['__unnamed_21e0']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_21e8' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_21e8']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_1f31']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'u1' : [ 0x38, ['__unnamed_1fd3']], 'LeftChild' : [ 0x40, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x48, ['pointer64', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x70, { 'GetTime' : [ 0x0, ['unsigned long long']], 'SetTime' : [ 0x8, ['unsigned long long']], 'GetWakeupTime' : [ 0x10, ['unsigned long long']], 'SetWakeupTime' : [ 
0x18, ['unsigned long long']], 'SetVirtualAddressMap' : [ 0x20, ['unsigned long long']], 'ConvertPointer' : [ 0x28, ['unsigned long long']], 'GetVariable' : [ 0x30, ['unsigned long long']], 'GetNextVariableName' : [ 0x38, ['unsigned long long']], 'SetVariable' : [ 0x40, ['unsigned long long']], 'GetNextHighMonotonicCount' : [ 0x48, ['unsigned long long']], 'ResetSystem' : [ 0x50, ['unsigned long long']], 'UpdateCapsule' : [ 0x58, ['unsigned long long']], 'QueryCapsuleCapabilities' : [ 0x60, ['unsigned long long']], 'QueryVariableInfo' : [ 0x68, ['unsigned long long']], } ], '_MI_SPECIAL_POOL_PTE_LIST' : [ 0x10, { 'FreePteHead' : [ 0x0, ['_MMPTE']], 'FreePteTail' : [ 0x8, ['_MMPTE']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_21fe' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_2202' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x50, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', 
['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_21fe']], 'u2' : [ 0x38, ['__unnamed_2202']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x48, ['array', 1, ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '__unnamed_220b' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_220d' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_220b']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x100, { 'SuspectDriverEntry' : [ 0x0, ['pointer64', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_220d']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' : [ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : 
[ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x60, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned 
long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_TPM_BOOT_ENTROPY_LDR_RESULT' : [ 0x48, { 'Policy' : [ 0x0, ['unsigned long long']], 'ResultCode' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'TpmBootEntropyStructureUninitialized', 1: 'TpmBootEntropyDisabledByPolicy', 2: 'TpmBootEntropyNoTpmFound', 3: 'TpmBootEntropyTpmError', 4: 'TpmBootEntropySuccess'})]], 'ResultStatus' : [ 0xc, ['long']], 'Time' : [ 0x10, ['unsigned long long']], 'EntropyLength' : [ 0x18, ['unsigned long']], 'EntropyData' : [ 0x1c, ['array', 40, ['unsigned char']]], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 
0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x48, ['pointer64', ['void']]], 'CallersCaller' : [ 0x50, ['pointer64', ['void']]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 
'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1'})]], 'ReorderingBarrier' : [ 0x1c, ['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long long']], 'CompletionEvent' : [ 0x28, ['pointer64', 
['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'EnableMask' : [ 0x1c, ['unsigned char']], 'SessionId' : [ 0x20, ['unsigned long']], 'ReplyQueue' : [ 0x20, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x20, ['array', 4, ['pointer64', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x40, ['pointer64', ['_EPROCESS']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'CallbackContext' : [ 0x48, ['pointer64', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' 
: [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x2f8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 
'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x2d0, ['_LIST_ENTRY']], 'Status' : [ 0x2e0, ['long']], 'FailedDevice' : [ 0x2e8, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x2f0, ['unsigned char']], 'Cancelled' : [ 0x2f1, ['unsigned char']], 'IgnoreErrors' : [ 0x2f2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x2f3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x2f4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 
'ContainsDebug' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_TEB32' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 
'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 
'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x60, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'IdleCheck' : [ 0x28, ['pointer64', ['void']]], 'IdleHandler' : [ 0x30, ['pointer64', ['void']]], 'HvConfig' : [ 0x38, ['unsigned long long']], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Latency' : [ 0x48, 
['unsigned long']], 'Power' : [ 0x4c, ['unsigned long']], 'TimeCheck' : [ 0x50, ['unsigned long']], 'StateFlags' : [ 0x54, ['unsigned long']], 'PromotePercent' : [ 0x58, ['unsigned char']], 'DemotePercent' : [ 0x59, ['unsigned char']], 'PromotePercentBase' : [ 0x5a, ['unsigned char']], 'DemotePercentBase' : [ 0x5b, ['unsigned char']], 'StateType' : [ 0x5c, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_2292' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x40, { 'Lock' : [ 0x0, ['long']], 'NodeToFree' : [ 0x8, ['pointer64', ['void']]], 'NodeRangeSize' : [ 0x10, ['unsigned long long']], 'NodeCount' : [ 0x18, ['unsigned long long']], 'Tables' : [ 0x20, ['pointer64', 
['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x28, ['unsigned long']], 'u1' : [ 0x2c, ['__unnamed_2292']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 
0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_RELATION_LIST_ENTRY' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8168, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x803c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']], 'TotalReleases' : [ 0x8044, ['unsigned long']], 'RootNodesDeleted' : [ 0x8048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x804c, ['unsigned long']], 'Instigator' : [ 0x8050, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8058, 
['unsigned long']], 'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8160, ['long']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']], } ], '_CONFIGURATION_COMPONENT' : [ 0x28, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', 
choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'Group' : [ 0x14, ['unsigned short']], 'GroupIndex' : [ 0x16, ['unsigned short']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer64', ['unsigned char']]], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, 
['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 
'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, 
['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 'Inserted' : [ 0x1c, ['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned 
short']], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_22df' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_22e1' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_22df']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_22e1']], } ], '_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA' : [ 0x8, { 'CapturedCpuShareWeight' : [ 0x0, ['unsigned long']], 'CapturedTotalWeight' : [ 0x4, ['unsigned long']], 'CombinedData' : [ 0x0, ['long long']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit 
= 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_22f4' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_22f4']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned 
long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, 
['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 
0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 
'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x70, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_234a' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_234c' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_2350' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_2354' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 
'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_2356' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_234a']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_234c']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2350']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2354']], 'Others' : [ 0x0, ['__unnamed_2356']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x110, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'Reset' : [ 0x3, ['unsigned char']], 'HiberFlags' : [ 0x4, ['unsigned char']], 'WroteHiberFile' : [ 0x5, ['unsigned char']], 'MapFrozen' : [ 0x6, ['unsigned char']], 'MemoryMap' : [ 0x8, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x18, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x28, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x38, ['unsigned long']], 'NextCloneRange' : [ 0x40, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x48, ['unsigned long long']], 
'LoaderMdl' : [ 0x50, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x58, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x60, ['unsigned long long']], 'IoPages' : [ 0x68, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x70, ['unsigned long']], 'CurrentMcb' : [ 0x78, ['pointer64', ['void']]], 'DumpStack' : [ 0x80, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x88, ['pointer64', ['_KPROCESSOR_STATE']]], 'PreferredIoWriteSize' : [ 0x90, ['unsigned long']], 'IoProgress' : [ 0x94, ['unsigned long']], 'HiberVa' : [ 0x98, ['unsigned long long']], 'HiberPte' : [ 0xa0, ['_LARGE_INTEGER']], 'Status' : [ 0xa8, ['long']], 'MemoryImage' : [ 0xb0, ['pointer64', ['PO_MEMORY_IMAGE']]], 'CompressionWorkspace' : [ 0xb8, ['pointer64', ['void']]], 'CompressedWriteBuffer' : [ 0xc0, ['pointer64', ['unsigned char']]], 'CompressedWriteBufferSize' : [ 0xc8, ['unsigned long']], 'MaxCompressedOutputSize' : [ 0xcc, ['unsigned long']], 'PerformanceStats' : [ 0xd0, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xd8, ['pointer64', ['void']]], 'DmaIO' : [ 0xe0, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0xe8, ['pointer64', ['void']]], 'BootLoaderLogMdl' : [ 0xf0, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0xf8, ['pointer64', ['_MDL']]], 'ResumeContext' : [ 0x100, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x108, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, 
['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x40, { 'ThreadHandle' : [ 0x0, ['pointer64', ['void']]], 'ThreadId' : [ 0x8, ['pointer64', ['void']]], 'ProcessId' : [ 0x10, ['pointer64', ['void']]], 'Code' : [ 0x18, ['unsigned long']], 'Parameter1' : [ 0x20, ['unsigned long long']], 'Parameter2' : [ 0x28, ['unsigned long long']], 'Parameter3' : [ 0x30, ['unsigned long long']], 'Parameter4' : [ 0x38, ['unsigned long long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '__unnamed_237c' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 
'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_237c']], } ], '__unnamed_2380' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2380']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0x128, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, 
['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'FirstTablePage' : [ 0x60, ['unsigned long long']], 'PerfInfo' : [ 0x68, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xc0, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xc8, ['array', 1, ['unsigned long long']]], 'NoBootLoaderLogPages' : [ 0xd0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xd8, ['array', 8, ['unsigned long long']]], 'NotUsed' : [ 0x118, ['unsigned long']], 'ResumeContextCheck' : [ 0x11c, ['unsigned long']], 'ResumeContextPages' : [ 0x120, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x58, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'ElapsedTicks' : [ 0x18, ['unsigned long long']], 'CompressTicks' : [ 0x20, ['unsigned long long']], 'ResumeAppTime' : [ 0x28, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x30, ['unsigned long long']], 'BytesCopied' : [ 0x38, ['unsigned long long']], 'PagesProcessed' : [ 0x40, ['unsigned 
long long']], 'PagesWritten' : [ 0x48, ['unsigned long']], 'DumpCount' : [ 0x4c, ['unsigned long']], 'FileRuns' : [ 0x50, ['unsigned long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x30, { 'Entry' : [ 0x0, ['unsigned long long']], 'Writable' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], 'ViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x20, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned 
long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x40, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0x10, ['pointer64', ['unsigned char']]], 'PciDeviceId' : [ 0x18, ['unsigned short']], 'PciVendorId' : [ 0x1a, ['unsigned short']], 'PciBusNumber' : [ 0x1c, ['unsigned char']], 'PciBusSegment' : [ 0x1e, ['unsigned short']], 'PciSlotNumber' : [ 0x20, ['unsigned char']], 'PciFunctionNumber' : [ 0x21, ['unsigned char']], 'PciFlags' : [ 0x24, ['unsigned long']], 'SystemGUID' : [ 0x28, ['_GUID']], 'IsMMIODevice' : [ 0x38, ['unsigned char']], 'TerminalType' : [ 0x39, ['unsigned char']], } ], '__unnamed_23aa' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_23ac' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_23ae' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_23aa']], 'Gpt' : [ 0x0, ['__unnamed_23ac']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', 
['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_23ae']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x48, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x10, ['unsigned long']], 'Hint' : [ 0x14, ['unsigned long']], 'BasePte' : [ 0x18, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'Vm' : [ 0x28, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x30, ['long']], 'TotalFreeSystemPtes' : [ 0x34, ['long']], 'CachedPteCount' : [ 0x38, ['long']], 'PteFailures' : [ 0x3c, ['unsigned long']], 'SpinLock' : [ 0x40, ['unsigned long long']], 'GlobalMutex' : [ 0x40, ['pointer64', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x20, { 'DHCPServerACK' : [ 0x0, ['pointer64', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x8, ['unsigned long']], 'BootServerReplyPacket' : [ 0x10, ['pointer64', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0x18, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x298, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 9, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_ARBITER_CONFLICT_INFO' : [ 
0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 
'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 
'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TscQpcData' : [ 0x2ed, ['unsigned char']], 'TscQpcEnabled' : [ 0x2ed, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TscQpcSpareFlag' : [ 0x2ed, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TscQpcShift' : [ 0x2ed, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'TscQpcPad' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, 
['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved5' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned short']], 'Reserved4' : [ 0x3c6, ['unsigned short']], 'AitSamplingValue' : [ 0x3c8, ['unsigned long']], 'AppCompatFlag' : [ 0x3cc, ['unsigned long']], 'SystemDllNativeRelocation' : [ 0x3d0, ['unsigned long long']], 'SystemDllWowRelocation' : [ 0x3d8, ['unsigned long']], 'XStatePad' : [ 0x3dc, ['array', 1, ['unsigned long']]], 'XState' : [ 0x3e0, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1043' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1043']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1047' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 
'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1047']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_105f' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1061' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_105f']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_1061']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_INVALID'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TP_TASK' : [ 0x38, { 'Callbacks' : [ 0x0, ['pointer64', ['_TP_TASK_CALLBACKS']]], 'NumaNode' : [ 0x8, ['unsigned long']], 'IdealProcessor' : [ 0xc, ['unsigned char']], 'PostGuard' : [ 0x10, ['_TP_NBQ_GUARD']], 'NBQNode' : [ 0x30, ['pointer64', ['void']]], } ], '_TP_TASK_CALLBACKS' : [ 0x10, { 'ExecuteCallback' : [ 0x0, ['pointer64', ['void']]], 'Unposted' : [ 0x8, ['pointer64', ['void']]], } ], '_TP_DIRECT' : [ 0x10, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'NumaNode' : [ 0x8, ['unsigned long']], 'IdealProcessor' : [ 0xc, ['unsigned char']], } ], '_TEB' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' 
: [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 
0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'EtwLocalData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 
0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 
0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], 
'_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KPCR' : [ 0x4e80, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 
'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x4d00, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'PrcbPad00' : [ 0x21, ['array', 3, ['unsigned char']]], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PrcbPad01' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, ['unsigned long']], 'Group' : [ 0x658, ['unsigned short']], 'GroupSetMember' : [ 0x660, ['unsigned long long']], 'GroupIndex' : [ 0x668, ['unsigned char']], 'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 
16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2080, ['long']], 'DeferredReadyListHead' : [ 0x2088, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2090, ['long']], 'MmCopyOnWriteCount' : [ 0x2094, ['long']], 'MmTransitionCount' : [ 0x2098, ['long']], 'MmDemandZeroCount' : [ 0x209c, ['long']], 'MmPageReadCount' : [ 0x20a0, ['long']], 'MmPageReadIoCount' : [ 0x20a4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x20a8, ['long']], 'MmDirtyWriteIoCount' : [ 0x20ac, ['long']], 'MmMappedPagesWriteCount' : [ 0x20b0, ['long']], 'MmMappedWriteIoCount' : [ 0x20b4, ['long']], 'KeSystemCalls' : [ 0x20b8, ['unsigned long']], 'KeContextSwitches' : [ 0x20bc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x20c0, ['unsigned long']], 'CcFastReadWait' : [ 0x20c4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x20c8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x20cc, ['unsigned long']], 'CcCopyReadWait' : [ 0x20d0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x20d4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x20d8, ['long']], 'IoReadOperationCount' : [ 0x20dc, ['long']], 'IoWriteOperationCount' : [ 0x20e0, ['long']], 'IoOtherOperationCount' : [ 0x20e4, ['long']], 'IoReadTransferCount' : [ 0x20e8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x20f0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x20f8, ['_LARGE_INTEGER']], 'TargetCount' : [ 0x2100, ['long']], 'IpiFrozen' : [ 0x2104, ['unsigned long']], 'DpcData' : [ 0x2180, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x21c0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x21c8, ['long']], 'DpcRequestRate' : [ 0x21cc, ['unsigned long']], 'MinimumDpcRate' : [ 0x21d0, ['unsigned long']], 'DpcLastCount' : [ 0x21d4, ['unsigned long']], 'ThreadDpcEnable' : [ 0x21d8, ['unsigned char']], 'QuantumEnd' : [ 0x21d9, ['unsigned char']], 'DpcRoutineActive' : [ 0x21da, 
['unsigned char']], 'IdleSchedule' : [ 0x21db, ['unsigned char']], 'DpcRequestSummary' : [ 0x21dc, ['long']], 'DpcRequestSlot' : [ 0x21dc, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x21dc, ['short']], 'DpcThreadActive' : [ 0x21de, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ThreadDpcState' : [ 0x21de, ['short']], 'TimerHand' : [ 0x21e0, ['unsigned long']], 'MasterOffset' : [ 0x21e4, ['long']], 'LastTick' : [ 0x21e8, ['unsigned long']], 'UnusedPad' : [ 0x21ec, ['unsigned long']], 'PrcbPad50' : [ 0x21f0, ['array', 2, ['unsigned long long']]], 'TimerTable' : [ 0x2200, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x4400, ['_KGATE']], 'PrcbPad52' : [ 0x4418, ['pointer64', ['void']]], 'CallDpc' : [ 0x4420, ['_KDPC']], 'ClockKeepAlive' : [ 0x4460, ['long']], 'ClockCheckSlot' : [ 0x4464, ['unsigned char']], 'ClockPollCycle' : [ 0x4465, ['unsigned char']], 'NmiActive' : [ 0x4466, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x4468, ['long']], 'DpcWatchdogCount' : [ 0x446c, ['long']], 'TickOffset' : [ 0x4470, ['unsigned long long']], 'KeSpinLockOrdering' : [ 0x4478, ['long']], 'PrcbPad70' : [ 0x447c, ['unsigned long']], 'WaitListHead' : [ 0x4480, ['_LIST_ENTRY']], 'WaitLock' : [ 0x4490, ['unsigned long long']], 'ReadySummary' : [ 0x4498, ['unsigned long']], 'QueueIndex' : [ 0x449c, ['unsigned long']], 'TimerExpirationDpc' : [ 0x44a0, ['_KDPC']], 'PrcbPad72' : [ 0x44e0, ['array', 4, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x4500, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x4700, ['unsigned long']], 'KernelTime' : [ 0x4704, ['unsigned long']], 'UserTime' : [ 0x4708, ['unsigned long']], 'DpcTime' : [ 0x470c, ['unsigned long']], 'InterruptTime' : [ 0x4710, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4714, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4718, ['unsigned char']], 'PrcbPad80' : [ 0x4719, ['array', 7, ['unsigned char']]], 'DpcTimeCount' : [ 0x4720, ['unsigned long']], 'DpcTimeLimit' : [ 0x4724, ['unsigned 
long']], 'PeriodicCount' : [ 0x4728, ['unsigned long']], 'PeriodicBias' : [ 0x472c, ['unsigned long']], 'AvailableTime' : [ 0x4730, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x4734, ['unsigned long']], 'ParentNode' : [ 0x4738, ['pointer64', ['_KNODE']]], 'StartCycles' : [ 0x4740, ['unsigned long long']], 'PrcbPad82' : [ 0x4748, ['array', 3, ['unsigned long long']]], 'MmSpinLockOrdering' : [ 0x4760, ['long']], 'PageColor' : [ 0x4764, ['unsigned long']], 'NodeColor' : [ 0x4768, ['unsigned long']], 'NodeShiftedColor' : [ 0x476c, ['unsigned long']], 'SecondaryColorMask' : [ 0x4770, ['unsigned long']], 'PrcbPad83' : [ 0x4774, ['unsigned long']], 'CycleTime' : [ 0x4778, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x4780, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x4784, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x4788, ['unsigned long']], 'CcMapDataNoWait' : [ 0x478c, ['unsigned long']], 'CcMapDataWait' : [ 0x4790, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x4794, ['unsigned long']], 'CcPinReadNoWait' : [ 0x4798, ['unsigned long']], 'CcPinReadWait' : [ 0x479c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x47a0, ['unsigned long']], 'CcMdlReadWait' : [ 0x47a4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x47a8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x47ac, ['unsigned long']], 'CcLazyWritePages' : [ 0x47b0, ['unsigned long']], 'CcDataFlushes' : [ 0x47b4, ['unsigned long']], 'CcDataPages' : [ 0x47b8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x47bc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x47c0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x47c4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x47c8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x47cc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x47d0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x47d4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x47d8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x47dc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x47e0, 
['unsigned long']], 'CcReadAheadIos' : [ 0x47e4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x47e8, ['long']], 'MmCacheReadCount' : [ 0x47ec, ['long']], 'MmCacheIoCount' : [ 0x47f0, ['long']], 'PrcbPad91' : [ 0x47f4, ['array', 1, ['unsigned long']]], 'RuntimeAccumulation' : [ 0x47f8, ['unsigned long long']], 'PowerState' : [ 0x4800, ['_PROCESSOR_POWER_STATE']], 'PrcbPad92' : [ 0x4900, ['array', 16, ['unsigned char']]], 'KeAlignmentFixupCount' : [ 0x4910, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x4918, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x4958, ['_KTIMER']], 'Cache' : [ 0x4998, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x49d4, ['unsigned long']], 'CachedCommit' : [ 0x49d8, ['unsigned long']], 'CachedResidentAvailable' : [ 0x49dc, ['unsigned long']], 'HyperPte' : [ 0x49e0, ['pointer64', ['void']]], 'WheaInfo' : [ 0x49e8, ['pointer64', ['void']]], 'EtwSupport' : [ 0x49f0, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x4a00, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x4a10, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x4a20, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x4a28, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x4a30, ['pointer64', ['unsigned long long']]], 'RateControl' : [ 0x4a38, ['pointer64', ['void']]], 'CacheProcessorMask' : [ 0x4a40, ['array', 5, ['unsigned long long']]], 'PackageProcessorSet' : [ 0x4a68, ['_KAFFINITY_EX']], 'CoreProcessorSet' : [ 0x4a90, ['unsigned long long']], 'PebsIndexAddress' : [ 0x4a98, ['pointer64', ['void']]], 'PrcbPad93' : [ 0x4aa0, ['array', 12, ['unsigned long long']]], 'SpinLockAcquireCount' : [ 0x4b00, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4b04, ['unsigned long']], 'SpinLockSpinCount' : [ 0x4b08, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0x4b0c, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x4b10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x4b14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x4b18, ['unsigned long']], 
'ExReInitializeResourceCount' : [ 0x4b1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x4b20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x4b24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x4b28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x4b2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x4b30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x4b34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x4b38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x4b3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x4b40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x4b44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x4b48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4b4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x4b50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x4b54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x4b58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x4b5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x4b60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x4b64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x4b68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x4b6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x4b70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x4b74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x4b78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x4b7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x4b80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x4b84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x4b88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x4b8c, 
['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x4b90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x4b94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x4b98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x4b9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0x4ba0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0x4ba4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0x4ba8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0x4bac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0x4bb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0x4bb4, ['unsigned long']], 'VendorString' : [ 0x4bb8, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x4bc5, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x4bc8, ['unsigned long']], 'UpdateSignature' : [ 0x4bd0, ['_LARGE_INTEGER']], 'Context' : [ 0x4bd8, ['pointer64', ['_CONTEXT']]], 'ContextFlags' : [ 0x4be0, ['unsigned long']], 'ExtendedState' : [ 0x4be8, ['pointer64', ['_XSAVE_AREA']]], 'Mailbox' : [ 0x4c00, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x4c80, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_KTHREAD' : [ 0x360, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'WaitRegister' : [ 0x48, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x49, ['unsigned char']], 'Alerted' : [ 0x4a, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x4c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x4c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'ProcessReadyQueue' : [ 0x4c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x4c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x4c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x4c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x4c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x4c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x4c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x4c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x4c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x4c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'TimerActive' : [ 0x4c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SystemThread' : [ 0x4c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Reserved' : [ 0x4c, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x4c, ['long']], 'ApcState' : [ 0x50, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x50, ['array', 43, ['unsigned char']]], 'Priority' : [ 0x7b, ['unsigned char']], 'NextProcessor' : [ 0x7c, ['unsigned long']], 'DeferredProcessor' : [ 0x80, ['unsigned long']], 'ApcQueueLock' : [ 0x88, ['unsigned long long']], 'WaitStatus' : [ 0x90, ['long long']], 'WaitBlockList' : [ 0x98, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xa0, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xb0, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb8, ['pointer64', ['void']]], 'Timer' 
: [ 0xc0, ['_KTIMER']], 'AutoAlignment' : [ 0x100, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x100, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0x100, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0x100, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CalloutActive' : [ 0x100, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ApcQueueable' : [ 0x100, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x100, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'GuiThread' : [ 0x100, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x100, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'VdmSafe' : [ 0x100, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'UmsDispatched' : [ 0x100, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReservedFlags' : [ 0x100, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x100, ['long']], 'Spare0' : [ 0x104, ['unsigned long']], 'WaitBlock' : [ 0x108, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x108, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x134, ['unsigned long']], 'WaitBlockFill5' : [ 0x108, ['array', 92, ['unsigned char']]], 'State' : [ 0x164, ['unsigned char']], 'NpxState' : [ 0x165, ['unsigned char']], 'WaitIrql' : [ 0x166, ['unsigned char']], 'WaitMode' : [ 0x167, ['unsigned char']], 'WaitBlockFill6' : [ 0x108, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x194, ['unsigned long']], 'WaitBlockFill7' : [ 0x108, ['array', 168, ['unsigned char']]], 'TebMappedLowVa' : [ 0x1b0, ['pointer64', 
['void']]], 'Ucb' : [ 0x1b8, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'WaitBlockFill8' : [ 0x108, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1c4, ['short']], 'SpecialApcDisable' : [ 0x1c6, ['short']], 'CombinedApcDisable' : [ 0x1c4, ['unsigned long']], 'QueueListEntry' : [ 0x1c8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1d8, ['pointer64', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x1e0, ['pointer64', ['void']]], 'CallbackStack' : [ 0x1e8, ['pointer64', ['void']]], 'CallbackDepth' : [ 0x1e8, ['unsigned long long']], 'ApcStateIndex' : [ 0x1f0, ['unsigned char']], 'BasePriority' : [ 0x1f1, ['unsigned char']], 'PriorityDecrement' : [ 0x1f2, ['unsigned char']], 'ForegroundBoost' : [ 0x1f2, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x1f2, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x1f3, ['unsigned char']], 'AdjustReason' : [ 0x1f4, ['unsigned char']], 'AdjustIncrement' : [ 0x1f5, ['unsigned char']], 'PreviousMode' : [ 0x1f6, ['unsigned char']], 'Saturation' : [ 0x1f7, ['unsigned char']], 'SystemCallNumber' : [ 0x1f8, ['unsigned long']], 'FreezeCount' : [ 0x1fc, ['unsigned long']], 'UserAffinity' : [ 0x200, ['_GROUP_AFFINITY']], 'Process' : [ 0x210, ['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x218, ['_GROUP_AFFINITY']], 'IdealProcessor' : [ 0x228, ['unsigned long']], 'UserIdealProcessor' : [ 0x22c, ['unsigned long']], 'ApcStatePointer' : [ 0x230, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x240, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x240, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x26b, ['unsigned char']], 'SuspendCount' : [ 0x26c, ['unsigned char']], 'Spare1' : [ 0x26d, ['unsigned char']], 'CodePatchInProgress' : [ 0x26e, ['unsigned char']], 'Win32Thread' : [ 0x270, ['pointer64', ['void']]], 'StackBase' : [ 0x278, ['pointer64', ['void']]], 'SuspendApc' : [ 0x280, ['_KAPC']], 'SuspendApcFill0' : [ 0x280, ['array', 
1, ['unsigned char']]], 'ResourceIndex' : [ 0x281, ['unsigned char']], 'SuspendApcFill1' : [ 0x280, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x283, ['unsigned char']], 'SuspendApcFill2' : [ 0x280, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x284, ['unsigned long']], 'SuspendApcFill3' : [ 0x280, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c0, ['pointer64', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x280, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2c8, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x280, ['array', 83, ['unsigned char']]], 'LargeStack' : [ 0x2d3, ['unsigned char']], 'UserTime' : [ 0x2d4, ['unsigned long']], 'SuspendSemaphore' : [ 0x2d8, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2d8, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2f4, ['unsigned long']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x318, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x320, ['long long']], 'WriteOperationCount' : [ 0x328, ['long long']], 'OtherOperationCount' : [ 0x330, ['long long']], 'ReadTransferCount' : [ 0x338, ['long long']], 'WriteTransferCount' : [ 0x340, ['long long']], 'OtherTransferCount' : [ 0x348, ['long long']], 'ThreadCounters' : [ 0x350, ['pointer64', ['_KTHREAD_COUNTERS']]], 'XStateSave' : [ 0x358, ['pointer64', ['_XSTATE_SAVE']]], } ], '_KSTACK_AREA' : [ 0x250, { 'StackControl' : [ 0x0, ['_KERNEL_STACK_CONTROL']], 'NpxFrame' : [ 0x50, ['_XSAVE_FORMAT']], } ], '_KERNEL_STACK_CONTROL' : [ 0x50, { 'Current' : [ 0x0, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x28, ['_KERNEL_STACK_SEGMENT']], } ], '_UMS_CONTROL_BLOCK' : [ 0x98, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, 
['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'PrimaryFlags' : [ 0x88, ['unsigned long']], 'UmsContextHeaderReady' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsContextHeader' : [ 0x30, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'UmsWaitGate' : [ 0x38, ['_KGATE']], 'StagingArea' : [ 0x50, ['pointer64', ['void']]], 'Flags' : [ 0x58, ['long']], 'UmsForceQueueTermination' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsPrimaryDeliveredContext' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UmsPerformingSingleStep' : [ 0x58, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'TebSelector' : [ 0x90, ['unsigned short']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_11cd' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, 
end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, native_type='unsigned long long')]], 'Region' : [ 0x8, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_11d2' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_11d5' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_11cd']], 'Header16' : [ 0x0, ['__unnamed_11d2']], 'HeaderX64' : [ 0x0, ['__unnamed_11d5']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], 
'_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_IO_STATUS_BLOCK32' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned 
long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_ETHREAD' : [ 0x498, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x360, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x368, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x368, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x378, ['long']], 'PostBlockList' : [ 0x380, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 
0x380, ['pointer64', ['void']]], 'StartAddress' : [ 0x388, ['pointer64', ['void']]], 'TerminationPort' : [ 0x390, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x390, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x390, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x398, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x3a0, ['_LIST_ENTRY']], 'Cid' : [ 0x3b0, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x3c0, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x3c0, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3e0, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3e8, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3f8, ['unsigned long long']], 'DeviceToVerify' : [ 0x400, ['pointer64', ['_DEVICE_OBJECT']]], 'CpuQuotaApc' : [ 0x408, ['pointer64', ['_PSP_CPU_QUOTA_APC']]], 'Win32StartAddress' : [ 0x410, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x418, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x420, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x430, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x438, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x440, ['unsigned long']], 'MmLockOrdering' : [ 0x444, ['long']], 'CrossThreadFlags' : [ 0x448, ['unsigned long']], 'Terminated' : [ 0x448, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x448, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x448, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x448, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x448, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x448, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x448, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x448, ['BitField', dict(start_bit = 7, end_bit 
= 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x448, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x448, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x448, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x448, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x448, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NeedsWorkingSetAging' : [ 0x448, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x44c, ['unsigned long']], 'ActiveExWorker' : [ 0x44c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x44c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x44c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x44c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x44c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x44c, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x44c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x450, ['unsigned long']], 'Spare' : [ 0x450, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x450, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x450, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 
'OwnsProcessWorkingSetShared' : [ 0x450, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x450, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x451, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x451, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x451, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x451, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x451, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x451, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x451, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x451, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x452, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x452, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x452, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x452, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x452, ['BitField', dict(start_bit = 4, end_bit = 6, 
native_type='unsigned char')]], 'Spare1' : [ 0x452, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x453, ['unsigned char']], 'CacheManagerActive' : [ 0x454, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x455, ['unsigned char']], 'ActiveFaultCount' : [ 0x456, ['unsigned char']], 'LockOrderState' : [ 0x457, ['unsigned char']], 'AlpcMessageId' : [ 0x458, ['unsigned long long']], 'AlpcMessage' : [ 0x460, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x460, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x468, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x478, ['unsigned long']], 'IoBoostCount' : [ 0x47c, ['unsigned long']], 'IrpListLock' : [ 0x480, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x488, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x490, ['_SINGLE_LIST_ENTRY']], } ], '_EPROCESS' : [ 0x4d0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x168, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x170, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x178, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x180, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x188, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0x198, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x1a8, ['array', 2, ['unsigned long long']]], 'CommitCharge' : [ 0x1b8, ['unsigned long long']], 'QuotaBlock' : [ 0x1c0, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0x1c8, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0x1d0, ['unsigned long long']], 'VirtualSize' : [ 0x1d8, ['unsigned long long']], 'SessionProcessLinks' : [ 0x1e0, ['_LIST_ENTRY']], 'DebugPort' : [ 0x1f0, ['pointer64', ['void']]], 'ExceptionPortData' : [ 0x1f8, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x1f8, ['unsigned long long']], 'ExceptionPortState' : [ 0x1f8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'ObjectTable' : [ 
0x200, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x208, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x210, ['unsigned long long']], 'AddressCreationLock' : [ 0x218, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x220, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x228, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x230, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x238, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x240, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x248, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x250, ['unsigned long long']], 'Win32Process' : [ 0x258, ['pointer64', ['void']]], 'Job' : [ 0x260, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x268, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x270, ['pointer64', ['void']]], 'Cookie' : [ 0x278, ['unsigned long']], 'UmsScheduledThreads' : [ 0x27c, ['unsigned long']], 'WorkingSetWatch' : [ 0x280, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x288, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x290, ['pointer64', ['void']]], 'LdtInformation' : [ 0x298, ['pointer64', ['void']]], 'Spare' : [ 0x2a0, ['pointer64', ['void']]], 'ConsoleHostProcess' : [ 0x2a8, ['unsigned long long']], 'DeviceMap' : [ 0x2b0, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x2b8, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x2c0, ['pointer64', ['void']]], 'FreeUmsTebHint' : [ 0x2c8, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x2d0, ['_HARDWARE_PTE']], 'Filler' : [ 0x2d0, ['unsigned long long']], 'Session' : [ 0x2d8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x2e0, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x2ef, ['unsigned char']], 'JobLinks' : [ 0x2f0, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x300, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x308, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x318, ['pointer64', ['void']]], 'Wow64Process' : [ 0x320, ['pointer64', ['void']]], 'ActiveThreads' : [ 0x328, ['unsigned long']], 
'ImagePathHash' : [ 0x32c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x330, ['unsigned long']], 'LastThreadExitStatus' : [ 0x334, ['long']], 'Peb' : [ 0x338, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x340, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x348, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x350, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x358, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x360, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x368, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x370, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x378, ['unsigned long long']], 'CommitChargePeak' : [ 0x380, ['unsigned long long']], 'AweInfo' : [ 0x388, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x390, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x398, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x420, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x430, ['pointer64', ['void']]], 'ModifiedPageCount' : [ 0x438, ['unsigned long']], 'Flags2' : [ 0x43c, ['unsigned long']], 'JobNotReallyActive' : [ 0x43c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x43c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x43c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x43c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x43c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x43c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x43c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x43c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x43c, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x43c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x43c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x43c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x43c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x43c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x43c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x43c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x43c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x43c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x43c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x43c, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Flags' : [ 0x440, ['unsigned long']], 'CreateReported' : [ 0x440, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x440, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x440, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x440, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x440, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x440, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x440, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned long')]], 'Outswapped' : [ 0x440, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x440, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x440, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x440, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x440, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x440, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x440, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x440, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x440, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x440, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x440, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x440, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x440, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x440, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x440, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x440, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x440, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x440, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 
'ProcessInserted' : [ 0x440, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x440, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x440, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x440, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x444, ['long']], 'VadRoot' : [ 0x448, ['_MM_AVL_TABLE']], 'AlpcContext' : [ 0x488, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x4a8, ['_LIST_ENTRY']], 'RequestedTimerResolution' : [ 0x4b8, ['unsigned long']], 'ActiveThreadsHighWatermark' : [ 0x4bc, ['unsigned long']], 'SmallestTimerResolution' : [ 0x4c0, ['unsigned long']], 'TimerResolutionStackRecord' : [ 0x4c8, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], } ], '_KPROCESS' : [ 0x160, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long long']], 'Affinity' : [ 0x48, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x70, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x80, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x88, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0xb0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0xb0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ActiveGroupsMask' : [ 0xb0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0xb0, ['long']], 'BasePriority' : [ 0xb4, ['unsigned char']], 'QuantumReset' : [ 0xb5, ['unsigned char']], 'Visited' : [ 0xb6, ['unsigned char']], 
'Unused3' : [ 0xb7, ['unsigned char']], 'ThreadSeed' : [ 0xb8, ['array', 4, ['unsigned long']]], 'IdealNode' : [ 0xc8, ['array', 4, ['unsigned short']]], 'IdealGlobalNode' : [ 0xd0, ['unsigned short']], 'Flags' : [ 0xd2, ['_KEXECUTE_OPTIONS']], 'Unused1' : [ 0xd3, ['unsigned char']], 'Unused2' : [ 0xd4, ['unsigned long']], 'Unused4' : [ 0xd8, ['unsigned long']], 'StackCount' : [ 0xdc, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'CycleTime' : [ 0xf0, ['unsigned long long']], 'KernelTime' : [ 0xf8, ['unsigned long']], 'UserTime' : [ 0xfc, ['unsigned long']], 'InstrumentationCallback' : [ 0x100, ['pointer64', ['void']]], 'LdtSystemDescriptor' : [ 0x108, ['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x118, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x120, ['_KGUARDED_MUTEX']], 'LdtFreeSelectorHint' : [ 0x158, ['unsigned short']], 'LdtTableLength' : [ 0x15a, ['unsigned short']], } ], '__unnamed_12d9' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_12d9']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xd8, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, 
['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], } ], '__unnamed_12e8' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_12ed' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_12ef' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_12ed']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_12fa' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_12fc' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_12fa']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_12e8']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 
'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_12ef']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_12fc']], } ], '__unnamed_1303' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1307' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_130b' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_130d' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1311' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 
'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1313' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_1315' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, 
['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], } ], '__unnamed_1317' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 
'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 
'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1319' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_131b' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_131f' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_1321' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1323' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1325' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1327' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1329' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_132d' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } 
], '__unnamed_1331' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1335' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1339' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_133f' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1343' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1347' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1349' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_134b' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_134f' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_1353' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1357' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', 
dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_135b' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_135f' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1367' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_136b' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_136d' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_136f' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1371' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1303']], 'CreatePipe' : [ 0x0, ['__unnamed_1307']], 'CreateMailslot' : [ 0x0, ['__unnamed_130b']], 'Read' : [ 0x0, ['__unnamed_130d']], 'Write' : [ 
0x0, ['__unnamed_130d']], 'QueryDirectory' : [ 0x0, ['__unnamed_1311']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1313']], 'QueryFile' : [ 0x0, ['__unnamed_1315']], 'SetFile' : [ 0x0, ['__unnamed_1317']], 'QueryEa' : [ 0x0, ['__unnamed_1319']], 'SetEa' : [ 0x0, ['__unnamed_131b']], 'QueryVolume' : [ 0x0, ['__unnamed_131f']], 'SetVolume' : [ 0x0, ['__unnamed_131f']], 'FileSystemControl' : [ 0x0, ['__unnamed_1321']], 'LockControl' : [ 0x0, ['__unnamed_1323']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1325']], 'QuerySecurity' : [ 0x0, ['__unnamed_1327']], 'SetSecurity' : [ 0x0, ['__unnamed_1329']], 'MountVolume' : [ 0x0, ['__unnamed_132d']], 'VerifyVolume' : [ 0x0, ['__unnamed_132d']], 'Scsi' : [ 0x0, ['__unnamed_1331']], 'QueryQuota' : [ 0x0, ['__unnamed_1335']], 'SetQuota' : [ 0x0, ['__unnamed_131b']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1339']], 'QueryInterface' : [ 0x0, ['__unnamed_133f']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1343']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1347']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1349']], 'SetLock' : [ 0x0, ['__unnamed_134b']], 'QueryId' : [ 0x0, ['__unnamed_134f']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1353']], 'UsageNotification' : [ 0x0, ['__unnamed_1357']], 'WaitWake' : [ 0x0, ['__unnamed_135b']], 'PowerSequence' : [ 0x0, ['__unnamed_135f']], 'Power' : [ 0x0, ['__unnamed_1367']], 'StartDevice' : [ 0x0, ['__unnamed_136b']], 'WMI' : [ 0x0, ['__unnamed_136d']], 'Others' : [ 0x0, ['__unnamed_136f']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_1371']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1387' : [ 0x48, { 
'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_1387']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], 
'_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 
0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned 
long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 
'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '__unnamed_14ef' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 
'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_14ef']], } ], '__unnamed_1500' : [ 0x10, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0xf0, { 'OsMajorVersion' : [ 0x0, ['unsigned long']], 'OsMinorVersion' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'LoadOrderListHead' : [ 0x10, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x20, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x30, ['_LIST_ENTRY']], 'KernelStack' : [ 0x40, ['unsigned long long']], 'Prcb' : [ 0x48, ['unsigned long long']], 'Process' : [ 0x50, ['unsigned long long']], 'Thread' : [ 0x58, ['unsigned long long']], 'RegistryLength' : [ 0x60, ['unsigned long']], 'RegistryBase' : [ 0x68, ['pointer64', ['void']]], 'ConfigurationRoot' : [ 0x70, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x78, ['pointer64', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x80, ['pointer64', ['unsigned char']]], 'NtBootPathName' : [ 0x88, ['pointer64', ['unsigned char']]], 'NtHalPathName' : [ 0x90, ['pointer64', ['unsigned char']]], 'LoadOptions' : [ 0x98, ['pointer64', ['unsigned char']]], 'NlsData' : [ 0xa0, ['pointer64', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0xa8, ['pointer64', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0xb0, ['pointer64', ['void']]], 'Extension' : [ 0xb8, ['pointer64', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0xc0, ['__unnamed_1500']], 'FirmwareInformation' : [ 0xd0, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, 
['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '__unnamed_152f' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1531' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1534' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1536' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1534']], } ], '__unnamed_153e' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 52, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 
64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_152f']], 'u2' : [ 0x8, ['__unnamed_1531']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['long']], 'PteLong' : [ 0x10, ['unsigned long long']], 'u3' : [ 0x18, ['__unnamed_1536']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned short']], 'VaType' : [ 0x1e, ['unsigned char']], 'ViewCount' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_153e']], } ], '_MI_COLOR_BASE' : [ 0x10, { 'ColorPointer' : [ 0x0, ['pointer64', ['unsigned short']]], 'ColorMask' : [ 0x8, ['unsigned short']], 'ColorNode' : [ 0xa, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x88, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x8, ['pointer64', ['_KGATE']]], 'AccessLog' : [ 0x10, ['pointer64', ['void']]], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x4c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x50, ['unsigned long']], 'ChargedWslePages' : [ 0x54, ['unsigned long']], 'ActualWslePages' : [ 0x58, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x5c, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x60, ['unsigned long']], 'HardFaultCount' : [ 0x64, ['unsigned long']], 'VmWorkingSetList' : [ 0x68, ['pointer64', ['_MMWSL']]], 'NextPageColor' : [ 0x70, ['unsigned short']], 'LastTrimStamp' : [ 0x72, ['unsigned short']], 'PageFaultCount' : [ 0x74, ['unsigned long']], 'RepurposeCount' : [ 0x78, ['unsigned long']], 'Spare' : [ 0x7c, ['array', 2, ['unsigned long']]], 'Flags' : [ 0x84, ['_MMSUPPORT_FLAGS']], } ], '_MMWSL' : [ 0x488, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 
0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x18, ['pointer64', ['void']]], 'LastInitializedWsle' : [ 0x20, ['unsigned long']], 'NextAgingSlot' : [ 0x24, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x28, ['unsigned long']], 'VadBitMapHint' : [ 0x2c, ['unsigned long']], 'NonDirectCount' : [ 0x30, ['unsigned long']], 'LastVadBit' : [ 0x34, ['unsigned long']], 'MaximumLastVadBit' : [ 0x38, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x3c, ['unsigned long']], 'LastAllocationSize' : [ 0x40, ['unsigned long']], 'NonDirectHash' : [ 0x48, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x50, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x58, ['pointer64', ['_MMWSLE_HASH']]], 'MaximumUserPageTablePages' : [ 0x60, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x64, ['unsigned long']], 'CommittedPageTables' : [ 0x68, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x70, ['unsigned long']], 'CommittedPageDirectories' : [ 0x78, ['array', 128, ['unsigned long long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x478, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x480, ['array', 1, ['unsigned long long']]], } ], '__unnamed_156c' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_156c']], } ], '__unnamed_157b' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1585' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 
0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1587' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1585']], } ], '_CONTROL_AREA' : [ 0x80, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_157b']], 'FlushInProgressCount' : [ 0x3c, ['unsigned long']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'StartingFrame' : [ 0x4c, ['unsigned long']], 'WaitingForDeletion' : [ 0x50, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x58, ['__unnamed_1587']], 'LockedPages' : [ 0x68, ['long long']], 'ViewList' : [ 0x70, ['_LIST_ENTRY']], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_MMPAGING_FILE' : [ 0x90, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'File' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x38, 
['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x48, ['_UNICODE_STRING']], 'Bitmap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'EvictStoreBitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x68, ['unsigned long']], 'LastAllocationSize' : [ 0x6c, ['unsigned long']], 'ToBeEvictedCount' : [ 0x70, ['unsigned long']], 'PageFileNumber' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x76, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x76, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['unsigned long long']], 'LockOwner' : [ 0x88, ['pointer64', ['_ETHREAD']]], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '__unnamed_15bf' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_15c2' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_15c5' : [ 0x8, { 'LongFlags3' : [ 0x0, ['unsigned long long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x40, { 'u1' : [ 0x0, 
['__unnamed_15bf']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c2']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c5']], } ], '__unnamed_15cd' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_15cd']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '__unnamed_15d2' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x78, { 'u1' : [ 0x0, ['__unnamed_15bf']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c2']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c5']], 'u2' : [ 0x40, ['__unnamed_15d2']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_15dd' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x68, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long 
long']], 'ModifiedPagesTotal' : [ 0x18, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x28, ['unsigned long long']], 'MdlHack' : [ 0x30, ['__unnamed_15dd']], } ], '__unnamed_15e3' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_15e5' : [ 0x8, { 'KeepForever' : [ 0x0, ['unsigned long long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_15e3']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['__unnamed_15e5']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_HHIVE' : [ 0x598, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x48, ['pointer64', ['void']]], 'BaseBlock' : [ 0x50, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x58, ['_RTL_BITMAP']], 
'DirtyCount' : [ 0x68, ['unsigned long']], 'DirtyAlloc' : [ 0x6c, ['unsigned long']], 'BaseBlockAlloc' : [ 0x70, ['unsigned long']], 'Cluster' : [ 0x74, ['unsigned long']], 'Flat' : [ 0x78, ['unsigned char']], 'ReadOnly' : [ 0x79, ['unsigned char']], 'DirtyFlag' : [ 0x7a, ['unsigned char']], 'HvBinHeadersUse' : [ 0x7c, ['unsigned long']], 'HvFreeCellsUse' : [ 0x80, ['unsigned long']], 'HvUsedCellsUse' : [ 0x84, ['unsigned long']], 'CmUsedCellsUse' : [ 0x88, ['unsigned long']], 'HiveFlags' : [ 0x8c, ['unsigned long']], 'CurrentLog' : [ 0x90, ['unsigned long']], 'LogSize' : [ 0x94, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x9c, ['unsigned long']], 'StorageTypeCount' : [ 0xa0, ['unsigned long']], 'Version' : [ 0xa4, ['unsigned long']], 'Storage' : [ 0xa8, ['array', 2, ['_DUAL']]], } ], '_CM_VIEW_OF_FILE' : [ 0x58, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x20, ['_LIST_ENTRY']], 'CmHive' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'Bcb' : [ 0x38, ['pointer64', ['void']]], 'ViewAddress' : [ 0x40, ['pointer64', ['void']]], 'FileOffset' : [ 0x48, ['unsigned long']], 'Size' : [ 0x4c, ['unsigned long']], 'UseCount' : [ 0x50, ['unsigned long']], } ], '_CMHIVE' : [ 0xbe8, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x598, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5c8, ['_LIST_ENTRY']], 'HiveList' : [ 0x5d8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x5e8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x5f8, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x600, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x610, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x618, ['unsigned long']], 'Identity' : [ 0x61c, ['unsigned long']], 'HiveLock' : [ 0x620, ['pointer64', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x628, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x630, ['pointer64', ['_KTHREAD']]], 'ViewLockLast' : [ 0x638, ['unsigned long']], 'ViewUnLockLast' : [ 0x63c, ['unsigned long']], 
'WriterLock' : [ 0x640, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x648, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x650, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x660, ['pointer64', ['CMP_OFFSET_ARRAY']]], 'FlushOffsetArrayCount' : [ 0x668, ['unsigned long']], 'FlushHiveTruncated' : [ 0x66c, ['unsigned long']], 'FlushLock2' : [ 0x670, ['pointer64', ['_FAST_MUTEX']]], 'SecurityLock' : [ 0x678, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x680, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x690, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x6a0, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x6b0, ['unsigned short']], 'PinnedViewCount' : [ 0x6b2, ['unsigned short']], 'UseCount' : [ 0x6b4, ['unsigned long']], 'ViewsPerHive' : [ 0x6b8, ['unsigned long']], 'FileObject' : [ 0x6c0, ['pointer64', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x6c8, ['unsigned long']], 'ActualFileSize' : [ 0x6d0, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x6d8, ['_UNICODE_STRING']], 'FileUserName' : [ 0x6e8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x6f8, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x708, ['unsigned long']], 'SecurityCacheSize' : [ 0x70c, ['unsigned long']], 'SecurityHitHint' : [ 0x710, ['long']], 'SecurityCache' : [ 0x718, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x720, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xb20, ['unsigned long']], 'UnloadEventArray' : [ 0xb28, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xb30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xb38, ['unsigned char']], 'UnloadWorkItem' : [ 0xb40, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0xb48, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xb70, ['unsigned char']], 'GrowOffset' : [ 0xb74, ['unsigned long']], 'KcbConvertListHead' : [ 0xb78, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xb88, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xb98, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xba0, ['unsigned long']], 
'TrustClassEntry' : [ 0xba8, ['_LIST_ENTRY']], 'FlushCount' : [ 0xbb8, ['unsigned long']], 'CmRm' : [ 0xbc0, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xbc8, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xbcc, ['long']], 'CreatorOwner' : [ 0xbd0, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0xbd8, ['pointer64', ['_KTHREAD']]], 'LastWriteTime' : [ 0xbe0, ['_LARGE_INTEGER']], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0x10, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x10, ['unsigned long']], 'NextHash' : [ 0x18, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x20, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x28, ['unsigned long']], 'KcbPushlock' : [ 0x30, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x38, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x38, ['long']], 'SlotHint' : [ 0x40, ['unsigned long']], 'ParentKcb' : [ 0x48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x50, ['pointer64', 
['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x60, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x70, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x70, ['unsigned long']], 'SubKeyCount' : [ 0x70, ['unsigned long']], 'KeyBodyListHead' : [ 0x78, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x78, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x88, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa8, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xb0, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xb2, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xb4, ['unsigned long']], 'KcbUserFlags' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb8, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '__unnamed_1669' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: 
'_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_HvpRecoverWholeHive', 10: '_HvpMapFileImageAndBuildMap', 11: '_CmpValidateHiveSecurityDescriptors', 12: '_HvpEnlistBinInMap', 13: '_CmCheckRegistry', 14: '_CmRegistryIO', 15: '_CmCheckRegistry2', 16: '_CmpCheckKey', 17: '_CmpCheckValueList', 18: '_HvCheckHive', 19: '_HvCheckBin'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_166c' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_166e' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1670' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_1672' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_1676' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_167a' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_167c' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_1669']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_1669']]], 'RegistryIO' : [ 0xd0, ['__unnamed_166c']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_166e']], 'CheckKey' : [ 0xf0, ['__unnamed_1670']], 'CheckValueList' : [ 0x110, ['__unnamed_1672']], 'CheckHive' : [ 0x128, ['__unnamed_1676']], 'CheckHive1' : [ 0x138, ['__unnamed_1676']], 
'CheckBin' : [ 0x148, ['__unnamed_167a']], 'RecoverData' : [ 0x158, ['__unnamed_167c']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0x80, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'DpcCount' : [ 0x38, ['unsigned long']], 'DpcRate' : [ 0x3c, ['unsigned long']], 'C1Time' : [ 0x40, ['unsigned long long']], 'C2Time' : [ 0x48, ['unsigned long long']], 'C3Time' : [ 0x50, ['unsigned long long']], 'C1Transitions' : [ 0x58, ['unsigned long long']], 'C2Transitions' : [ 0x60, ['unsigned long long']], 'C3Transitions' : [ 0x68, ['unsigned long long']], 'ParkingStatus' : [ 0x70, ['unsigned long']], 'CurrentFrequency' : [ 0x74, ['unsigned long']], 'PercentMaxFrequency' : [ 0x78, ['unsigned long']], 'StateFlags' : [ 0x7c, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], 
'_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0x28, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 4, ['unsigned long long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0x18, { 'Affinity' : [ 0x0, ['pointer64', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x8, ['unsigned long long']], 'CurrentIndex' : [ 0x10, ['unsigned short']], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : 
[ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' 
: [ 0x18c, ['long']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', ['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 
0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependentList' : [ 0x50, ['_LIST_ENTRY']], 'ProviderList' : [ 0x60, ['_LIST_ENTRY']], } ], '__unnamed_1763' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1765' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1769' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x268, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Level' : [ 0x50, ['unsigned long']], 'Notify' : [ 0x58, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xc0, ['_PO_IRP_MANAGER']], 'State' : [ 0xe0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 
'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0xe4, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0xe8, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 
'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x138, ['unsigned long']], 'CompletionStatus' : [ 0x13c, ['long']], 'Flags' : [ 0x140, ['unsigned long']], 'UserFlags' : [ 0x144, ['unsigned long']], 'Problem' : [ 0x148, ['unsigned long']], 'ResourceList' : [ 0x150, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x158, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x160, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x168, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x174, ['unsigned long']], 'ChildInterfaceType' : [ 0x178, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x17c, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x180, ['unsigned short']], 'RemovalPolicy' : [ 0x182, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x183, ['unsigned char']], 'TargetDeviceNotify' : [ 0x188, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x198, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1a8, 
['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x1b8, ['unsigned short']], 'QueryTranslatorMask' : [ 0x1ba, ['unsigned short']], 'NoArbiterMask' : [ 0x1bc, ['unsigned short']], 'QueryArbiterMask' : [ 0x1be, ['unsigned short']], 'OverUsed1' : [ 0x1c0, ['__unnamed_1763']], 'OverUsed2' : [ 0x1c8, ['__unnamed_1765']], 'BootResources' : [ 0x1d0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x1d8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x1e0, ['unsigned long']], 'DockInfo' : [ 0x1e8, ['__unnamed_1769']], 'DisableableDepends' : [ 0x208, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x210, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x220, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x230, ['unsigned long']], 'PreviousParent' : [ 0x238, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x240, ['unsigned long']], 'NumaNodeIndex' : [ 0x244, ['unsigned long']], 'ContainerID' : [ 0x248, ['_GUID']], 'OverrideFlags' : [ 0x258, ['unsigned char']], 'RequiresUnloadedDriver' : [ 0x259, ['unsigned char']], 'PendingEjectRelations' : [ 0x260, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], } ], '_KNODE' : [ 0xc0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'Affinity' : [ 0x40, ['_GROUP_AFFINITY']], 'ProximityId' : [ 0x50, ['unsigned long']], 'NodeNumber' : [ 0x54, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x56, ['unsigned short']], 'MaximumProcessors' : [ 0x58, ['unsigned char']], 'Color' : [ 0x59, ['unsigned char']], 'Flags' : [ 0x5a, ['_flags']], 'NodePad0' : [ 0x5b, ['unsigned char']], 'Seed' : [ 0x5c, ['unsigned long']], 'MmShiftedColor' : [ 0x60, ['unsigned long']], 'FreeCount' : [ 0x68, ['array', 2, ['unsigned long long']]], 'Right' : [ 0x78, ['unsigned long']], 'Left' : [ 0x7c, ['unsigned long']], 'CachedKernelStacks' : [ 0x80, ['_CACHED_KSTACK_LIST']], 'ParkLock' : [ 0xa0, ['long']], 'NodePad1' : [ 0xa4, ['unsigned long']], } ], 
'_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 
0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned 
long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : 
[ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1811' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, 
['__unnamed_1811']], } ], '__unnamed_1818' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1818']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned 
long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_VOLUME_CACHE_MAP' : [ 0x38, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x20, ['unsigned long']], 'DirtyPages' : [ 0x28, ['unsigned long long']], 'PagesQueuedToDisk' : [ 0x30, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x1f8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned 
long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x100, ['unsigned long']], 'LazyWritePassCount' : [ 0x104, ['unsigned long']], 'UninitializeEvent' : [ 0x108, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x110, ['_KGUARDED_MUTEX']], 'LastUnmapBehindOffset' : [ 0x148, ['_LARGE_INTEGER']], 'Event' : [ 0x150, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x168, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x170, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1d8, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1e0, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x1e8, ['unsigned long']], 'WritesInProgress' : [ 0x1ec, ['unsigned long']], 'PipelinedReadAheadSize' : [ 0x1f0, ['unsigned long']], } ], '__unnamed_188a' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_188a']], 'Links' : [ 0x18, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x28, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '__unnamed_18a8' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_18aa' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_18ac' : [ 0x8, { 'Event' : [ 0x0, 
['pointer64', ['_KEVENT']]], } ], '__unnamed_18ae' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_18b0' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_18a8']], 'Write' : [ 0x0, ['__unnamed_18aa']], 'Event' : [ 0x0, ['__unnamed_18ac']], 'Notification' : [ 0x0, ['__unnamed_18ae']], } ], '_WORK_QUEUE_ENTRY' : [ 0x20, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_18b0']], 'Function' : [ 0x18, ['unsigned char']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x208, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 
'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x90, ['unsigned long long']], 'Interceptor' : [ 0x98, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x9c, ['unsigned long']], 'Signature' : [ 0xa0, ['unsigned long']], 'SegmentReserve' : [ 0xa8, ['unsigned long long']], 'SegmentCommit' : [ 0xb0, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb8, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xc0, ['unsigned long long']], 'TotalFreeSize' : [ 0xc8, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xd0, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd8, ['unsigned short']], 'HeaderValidateLength' : [ 0xda, ['unsigned short']], 'HeaderValidateCopy' : [ 0xe0, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe8, ['unsigned short']], 'MaximumTagIndex' : [ 0xea, ['unsigned short']], 'TagEntries' : [ 0xf0, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf8, ['_LIST_ENTRY']], 'AlignRound' : [ 0x108, ['unsigned long long']], 'AlignMask' : [ 0x110, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x118, ['_LIST_ENTRY']], 'SegmentList' : [ 0x128, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x138, ['unsigned short']], 'NonDedicatedListLength' : [ 0x13c, ['unsigned long']], 'BlocksIndex' : [ 0x140, ['pointer64', ['void']]], 'UCRIndex' : [ 0x148, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x150, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x158, ['_LIST_ENTRY']], 'LockVariable' : [ 0x168, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x170, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned 
short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'Counters' : [ 0x188, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x1f8, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1901' : [ 0x28, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x28, { 'Lock' : [ 0x0, ['__unnamed_1901']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 
0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_PEB' : [ 0x380, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 
'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 
'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pContextData' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xe0, { 
'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ForwarderLinks' : [ 0x98, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0xa8, ['_LIST_ENTRY']], 'StaticLinks' : [ 0xb8, ['_LIST_ENTRY']], 'ContextInformation' : [ 0xc8, ['pointer64', ['void']]], 'OriginalBase' : [ 0xd0, ['unsigned long long']], 'LoadTime' : [ 0xd8, ['_LARGE_INTEGER']], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'LocalInfo' : [ 0x0, ['pointer64', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '__unnamed_197f' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1981' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_197f']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1983' : [ 0x4, { 'Type' : [ 0x0, ['short']], 
'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1985' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1983']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1981']], 'u2' : [ 0x4, ['__unnamed_1985']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x38, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], 'LookasideIndex' : [ 0x30, ['unsigned long']], } ], '__unnamed_199e' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_19a0' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_199e']], 'Flags' : [ 0x0, ['unsigned char']], } ], 
'_BLOB' : [ 0x20, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_19a0']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x14, ['long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_19b3' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_19b5' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19b3']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_19b5']], 'NumberOfRegions' : [ 0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_19bb' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_19bd' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19bb']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_19bd']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_19c3' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_19c5' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19c3']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_19c5']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x40, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_19e1' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', 
dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_19e3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19e1']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1a0, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x88, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x98, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa8, ['_LIST_ENTRY']], 'WaitQueue' : [ 0xb8, ['_LIST_ENTRY']], 'Semaphore' : [ 0xc8, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xc8, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0xd0, ['_ALPC_PORT_ATTRIBUTES']], 'Lock' : [ 0x118, ['_EX_PUSH_LOCK']], 'ResourceListLock' : [ 0x120, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x128, ['_LIST_ENTRY']], 'CompletionList' : [ 0x138, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0x140, 
['pointer64', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0x148, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x150, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x158, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x168, ['long']], 'u1' : [ 0x16c, ['__unnamed_19e3']], 'TargetQueuePort' : [ 0x170, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x178, ['pointer64', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x180, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x188, ['unsigned long']], 'PendingQueueLength' : [ 0x18c, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x190, ['unsigned long']], 'CanceledQueueLength' : [ 0x194, ['unsigned long']], 'WaitQueueLength' : [ 0x198, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0xd0, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'Key' : [ 0xb8, ['unsigned long']], 'CallbackList' : [ 0xc0, ['_LIST_ENTRY']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1981']], 'u2' : [ 0x4, ['__unnamed_1985']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1a00' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', 
dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1a02' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a00']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x100, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x10, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0x18, ['unsigned long long']], 'QuotaProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x20, ['pointer64', ['void']]], 'SequenceNo' : [ 0x28, ['long']], 'u1' : [ 0x2c, ['__unnamed_1a02']], 'CancelSequencePort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x40, ['long']], 'CancelListEntry' : [ 0x48, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x68, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x70, ['pointer64', ['_ALPC_PORT']]], 'MessageAttributes' : [ 0x78, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xb0, ['pointer64', ['void']]], 'DataSystemVa' : [ 0xb8, ['pointer64', ['void']]], 'CommunicationInfo' : [ 
0xc0, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xc8, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xd0, ['pointer64', ['_ETHREAD']]], 'PortMessage' : [ 0xd8, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer64', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1a41' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a43' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a41']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1a43']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 
'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'Flags' : [ 0x28, ['unsigned long']], 'TotalLength' : [ 0x2c, ['unsigned short']], 'Type' : [ 0x2e, ['unsigned short']], 'DataInfoOffset' : [ 0x30, ['unsigned short']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 
'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x48, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, 
['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned char']], 'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'DriverCreateContext' : [ 0x98, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x330, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'CollectionOn' : [ 0xc, ['long']], 'LoggerMode' : [ 0x10, ['unsigned long']], 'AcceptNewEvents' : [ 0x14, ['long']], 'GetCpuClock' : [ 0x18, ['pointer64', ['void']]], 'StartTime' : [ 0x20, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'NBQHead' : [ 0x40, ['pointer64', ['void']]], 'OverflowNBQHead' : [ 0x48, ['pointer64', ['void']]], 'QueueBlockFreeList' : [ 0x50, ['_SLIST_HEADER']], 'GlobalList' : [ 0x60, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x70, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x70, ['_EX_FAST_REF']], 'LoggerName' : [ 0x78, ['_UNICODE_STRING']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x98, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xa8, ['_UNICODE_STRING']], 'ClockType' : [ 0xb8, ['unsigned long']], 'MaximumFileSize' : [ 0xbc, 
['unsigned long']], 'LastFlushedBuffer' : [ 0xc0, ['unsigned long']], 'FlushTimer' : [ 0xc4, ['unsigned long']], 'FlushThreshold' : [ 0xc8, ['unsigned long']], 'ByteOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xd8, ['unsigned long']], 'BuffersAvailable' : [ 0xdc, ['long']], 'NumberOfBuffers' : [ 0xe0, ['long']], 'MaximumBuffers' : [ 0xe4, ['unsigned long']], 'EventsLost' : [ 0xe8, ['unsigned long']], 'BuffersWritten' : [ 0xec, ['unsigned long']], 'LogBuffersLost' : [ 0xf0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xf4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xf8, ['unsigned long']], 'SequencePtr' : [ 0x100, ['pointer64', ['long']]], 'LocalSequence' : [ 0x108, ['unsigned long']], 'InstanceGuid' : [ 0x10c, ['_GUID']], 'FileCounter' : [ 0x11c, ['long']], 'BufferCallback' : [ 0x120, ['pointer64', ['void']]], 'PoolType' : [ 0x128, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x130, ['_ETW_REF_CLOCK']], 'Consumers' : [ 0x140, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x150, ['unsigned long']], 'TransitionConsumer' : [ 0x158, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x160, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x168, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x178, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x180, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x188, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x190, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x198, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 
0x1a0, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1a8, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1b8, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1c0, ['_KEVENT']], 'FlushEvent' : [ 0x1d8, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x1f0, ['_KTIMER']], 'FlushDpc' : [ 0x230, ['_KDPC']], 'LoggerMutex' : [ 0x270, ['_KMUTANT']], 'LoggerLock' : [ 0x2a8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2b0, ['unsigned long long']], 'BufferListPushLock' : [ 0x2b0, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2b8, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x300, ['_EX_FAST_REF']], 'BufferSequenceNumber' : [ 0x308, ['long long']], 'Flags' : [ 0x310, ['unsigned long']], 'Persistent' : [ 0x310, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x310, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x310, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x310, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x310, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x310, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x310, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x310, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x310, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x310, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'RequestFlag' : [ 0x314, ['unsigned long']], 'RequestNewFie' : [ 0x314, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x314, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x314, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x314, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x314, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RequestConnectConsumer' : [ 0x314, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HookIdMap' : [ 0x318, ['_RTL_BITMAP']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_BUFFER_HANDLE' : [ 0x10, { 'TraceBuffer' : [ 0x0, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'BufferFastRef' : [ 0x8, ['pointer64', ['_EX_FAST_REF']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_NBQUEUE_BLOCK' : [ 0x20, { 'SListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'Next' : [ 0x10, ['unsigned long long']], 'Data' : [ 0x18, ['unsigned long long']], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, 
['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x1b0, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['array', 8, ['pointer64', ['_EVENT_FILTER_HEADER']]]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], 
'_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x310, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa0, ['pointer64', ['void']]], 'DynamicPart' : [ 0xa8, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb0, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc0, ['unsigned long']], 'TokenInUse' : [ 0xc4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xc8, ['unsigned long']], 'MandatoryPolicy' : [ 0xcc, ['unsigned long']], 'LogonSession' : [ 0xd0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xd8, ['_LUID']], 'SidHash' : [ 0xe0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f0, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x300, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'VariablePart' : 
[ 0x308, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x50, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 
'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], 'HashIndex' : [ 0x14, ['unsigned short']], 'DirectoryLocked' : [ 0x16, ['unsigned char']], 'LockedExclusive' : [ 0x17, ['unsigned char']], 'LockStateSignature' : [ 0x18, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS3' : [ 0x8, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'SequentialAccess' : [ 0x0, 
['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'LargePageCreating' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'Spare3' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 
'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 
10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : 
[ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Coalescable' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KeepShifting' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CpuThrottled' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved2' : [ 0x3, ['BitField', dict(start_bit = 2, 
end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x70, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'CompactHeapCalls' : [ 0x48, ['unsigned long']], 'CompactedUCRs' : [ 0x4c, ['unsigned long']], 'AllocAndFreeOps' : [ 0x50, ['unsigned long']], 'InBlockDeccommits' : [ 0x54, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x58, ['unsigned long long']], 'HighWatermarkSize' : [ 0x60, ['unsigned long long']], 'LastPolledSize' : [ 0x68, ['unsigned long long']], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', 
['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], } ], '_I386_LOADER_BLOCK' : [ 0x10, { 'CommonDataArea' : [ 0x0, ['pointer64', ['void']]], 'MachineType' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], 
'_ARC_DISK_INFORMATION' : [ 0x10, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_HANDLE_TABLE' : [ 0x68, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x20, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x38, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x40, ['long']], 'Flags' : [ 0x44, ['unsigned long']], 'StrictFIFO' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 
'FirstFreeHandle' : [ 0x48, ['unsigned long']], 'LastFreeHandleEntry' : [ 0x50, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x58, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x5c, ['unsigned long']], 'HandleCountHighWatermark' : [ 0x60, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', 
['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'BlockState' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x78, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['_KAFFINITY_EX']], 'SamplingPeriod' : [ 0x38, ['unsigned long']], 'CurrentTemperature' : [ 0x3c, ['unsigned long']], 'PassiveTripPoint' : [ 0x40, ['unsigned long']], 'CriticalTripPoint' : [ 0x44, ['unsigned long']], 'ActiveTripPointCount' : [ 0x48, ['unsigned char']], 'ActiveTripPoint' : [ 0x4c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x74, ['unsigned long']], } ], '__unnamed_1c5c' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1c5e' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1c5c']], 'Private' : [ 0x0, ['__unnamed_1c5e']], } ], 
'_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', 
['void']]], 'ReferenceCount' : [ 0x10, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_1c7f' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1c85' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x90, { 'u1' : [ 0x0, ['__unnamed_15bf']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c2']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c5']], 'u2' : [ 0x40, ['__unnamed_15d2']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u3' : [ 0x78, ['__unnamed_1c7f']], 'u4' : [ 0x88, ['__unnamed_1c85']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, 
['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x1c8, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xe0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'LimitFlags' : [ 0xf0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xf4, ['unsigned long']], 'Affinity' : [ 0xf8, ['_KAFFINITY_EX']], 'PriorityClass' : [ 0x120, ['unsigned char']], 'AccessState' : [ 0x128, ['pointer64', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0x130, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x134, ['unsigned long']], 'CompletionPort' : [ 0x138, ['pointer64', ['void']]], 'CompletionKey' : [ 0x140, ['pointer64', ['void']]], 'SessionId' : [ 0x148, 
['unsigned long']], 'SchedulingClass' : [ 0x14c, ['unsigned long']], 'ReadOperationCount' : [ 0x150, ['unsigned long long']], 'WriteOperationCount' : [ 0x158, ['unsigned long long']], 'OtherOperationCount' : [ 0x160, ['unsigned long long']], 'ReadTransferCount' : [ 0x168, ['unsigned long long']], 'WriteTransferCount' : [ 0x170, ['unsigned long long']], 'OtherTransferCount' : [ 0x178, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x180, ['unsigned long long']], 'JobMemoryLimit' : [ 0x188, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x190, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x198, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x1a0, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x1a8, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x1b0, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x1c0, ['unsigned long']], 'JobFlags' : [ 0x1c4, ['unsigned long']], } ], '__unnamed_1c99' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0xa0, { 'Count' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['__unnamed_1c99']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'OldState' : [ 0x10, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['_KAFFINITY_EX']], 'State' : [ 0x40, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '__unnamed_1ca2' : [ 0x18, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x20, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned 
long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_1ca2']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x88, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned long']], 'ShutDownRequested' : [ 0x5c, ['unsigned char']], 'NewBuffersLost' : [ 0x5d, ['unsigned char']], 'Disconnected' : [ 0x5e, ['unsigned char']], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'Wow' : [ 0x84, ['unsigned char']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 
'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_KGUARDED_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['pointer64', ['pointer64', ['void']]]], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 
'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'Pad' : [ 0x65, ['array', 3, ['unsigned char']]], 'Mode' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x6c, ['Enumeration', dict(target = 'long', choices 
= {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x70, ['unsigned long']], 'DispatchCount' : [ 0x74, ['unsigned long']], 'Rsvd1' : [ 0x78, ['unsigned long long']], 'TrapFrame' : [ 0x80, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x88, ['pointer64', ['void']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x88, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 
'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned 
long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long 
long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x98, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x20, 
['pointer64', ['void']]], 'UserLimit' : [ 0x28, ['pointer64', ['void']]], 'DataUserVa' : [ 0x30, ['pointer64', ['void']]], 'SystemVa' : [ 0x38, ['pointer64', ['void']]], 'TotalSize' : [ 0x40, ['unsigned long long']], 'Header' : [ 0x48, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x50, ['pointer64', ['void']]], 'ListSize' : [ 0x58, ['unsigned long long']], 'Bitmap' : [ 0x60, ['pointer64', ['void']]], 'BitmapSize' : [ 0x68, ['unsigned long long']], 'Data' : [ 0x70, ['pointer64', ['void']]], 'DataSize' : [ 0x78, ['unsigned long long']], 'BitmapLimit' : [ 0x80, ['unsigned long']], 'BitmapNextHint' : [ 0x84, ['unsigned long']], 'ConcurrencyCount' : [ 0x88, ['unsigned long']], 'AttributeFlags' : [ 0x8c, ['unsigned long']], 'AttributeSize' : [ 0x90, ['unsigned long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 
'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_IO_WORKITEM' : [ 0x40, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'Type' : [ 0x38, ['unsigned long']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 
'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], 
'_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x90, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : 
[ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0x18, { 'AnsiCodePageData' : [ 0x0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0x8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0x10, ['pointer64', ['void']]], } ], '_ALIGNED_AFFINITY_SUMMARY' : [ 0x80, { 'CpuSet' : [ 0x0, ['_KAFFINITY_EX']], 'SMTSet' : [ 0x28, ['_KAFFINITY_EX']], } ], '_XSTATE_CONFIGURATION' : [ 0x210, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'OptimizedSave' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x10, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'InStore' : [ 0x0, ['BitField', dict(start_bit = 22, 
end_bit = 23, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_RTL_UMS_CONTEXT' : [ 0x540, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HasQuantumReq' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HasAffinityReq' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HasPriorityReq' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4f0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x4f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long 
long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'QuantumValue' : [ 0x500, ['unsigned long long']], 'AffinityMask' : [ 0x508, ['_GROUP_AFFINITY']], 'Priority' : [ 0x518, ['long']], 'PrimaryUmsContext' : [ 0x520, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x528, ['unsigned long']], 'KernelYieldCount' : [ 0x52c, ['unsigned long']], 'MixedYieldCount' : [ 0x530, ['unsigned long']], 'YieldCount' : [ 0x534, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, 
['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, 
['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x100, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleAccounting' : [ 0x20, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'Hypervisor' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'PerfHistoryTotal' : [ 0x2c, ['unsigned long']], 'ThermalConstraint' : [ 0x30, ['unsigned char']], 'PerfHistoryCount' : [ 0x31, ['unsigned char']], 'PerfHistorySlot' : [ 0x32, ['unsigned char']], 'Reserved' : [ 0x33, ['unsigned char']], 'LastSysTime' : [ 0x34, ['unsigned long']], 'WmiDispatchPtr' : [ 0x38, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0x40, ['long']], 'FFHThrottleStateInfo' : [ 0x48, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x68, ['_KDPC']], 'PerfActionMask' : [ 0xa8, ['long']], 'IdleCheck' : [ 0xb0, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0xc0, ['_PROC_IDLE_SNAP']], 'Domain' : [ 0xd0, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0xd8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Load' : [ 0xe0, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0xe8, ['pointer64', ['_PROC_HISTORY_ENTRY']]], 'Utility' : [ 0xf0, ['unsigned long']], 'OverUtilizedHistory' : [ 0xf4, ['unsigned long']], 'AffinityCount' : [ 0xf8, ['unsigned long']], 'AffinityHistory' : [ 0xfc, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], 
} ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 
8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, 
native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], 
} ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x2c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 
'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'BucketLimits' : [ 0x18, ['array', 16, ['unsigned long long']]], 'State' : [ 0x98, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_TEB64' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 
'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 
'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xa0, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 
'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x90, ['unsigned long']], 'PreviousActivityCounter' : [ 0x94, ['unsigned long']], 'WorkerTrimRequests' : [ 0x98, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 
2, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x8, ['_KGATE']], } ], '_ETIMER' : [ 0x110, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1e01' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_1e01']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x698, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', 
['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x150, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3f0, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x690, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '__unnamed_1e5a' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], 
'__unnamed_1e5c' : [ 0x8, { 'Last' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_1e5a']], } ], '__unnamed_1e5e' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1e5a']], } ], '__unnamed_1e60' : [ 0x8, { 'OldCell' : [ 0x0, ['__unnamed_1e5c']], 'NewCell' : [ 0x0, ['__unnamed_1e5e']], } ], '_HCELL' : [ 0xc, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e60']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x30, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'PercentageCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'TargetFrequency' : [ 0x18, ['unsigned long']], 'AcumulatedFullFrequency' : [ 0x1c, ['unsigned long']], 'AcumulatedZeroFrequency' : [ 0x20, ['unsigned long']], 'FrequencyHistoryTotal' : [ 0x24, ['unsigned long']], 'AverageFrequency' : [ 0x28, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, 
['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 
'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], 'Pad0' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1e73' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e77' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1e79' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1e7b' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1e7d' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1e7f' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1e81' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e83' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, 
['_LARGE_INTEGER']], } ], '__unnamed_1e85' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e87' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1e73']], 'Memory' : [ 0x0, ['__unnamed_1e73']], 'Interrupt' : [ 0x0, ['__unnamed_1e77']], 'Dma' : [ 0x0, ['__unnamed_1e79']], 'Generic' : [ 0x0, ['__unnamed_1e73']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e7b']], 'BusNumber' : [ 0x0, ['__unnamed_1e7d']], 'ConfigData' : [ 0x0, ['__unnamed_1e7f']], 'Memory40' : [ 0x0, ['__unnamed_1e81']], 'Memory48' : [ 0x0, ['__unnamed_1e83']], 'Memory64' : [ 0x0, ['__unnamed_1e85']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1e87']], } ], '_POP_THERMAL_ZONE' : [ 0x1e8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc8, ['pointer64', ['_IRP']]], 'Info' : [ 0xd0, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0x148, ['_LARGE_INTEGER']], 'Metrics' : [ 0x150, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_CM_WORKITEM' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x98, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x68, ['unsigned long']], 'PassiveCount' : [ 0x6c, ['unsigned long']], 'LastActiveStartTick' : [ 0x70, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x78, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x80, ['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x88, ['_LARGE_INTEGER']], 'StartTickSinceLastReset' : [ 0x90, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0xa8, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 
'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 
0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '__unnamed_1ec2' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1ec4' : [ 0x18, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1ec2']], } ], '_VF_TARGET_DRIVER' : [ 0x30, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x10, ['__unnamed_1ec4']], 'VerifiedData' : [ 0x28, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_1ecc' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1ece' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ed0' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ed2' : [ 0x10, { 'NotificationStructure' : [ 0x0, 
['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_1ed4' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1ed6' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ed8' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1eda' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1edc' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ede' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_1ee0' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1ecc']], 'TargetDevice' : [ 0x0, ['__unnamed_1ece']], 'InstallDevice' : [ 0x0, ['__unnamed_1ed0']], 'CustomNotification' : [ 0x0, ['__unnamed_1ed2']], 'ProfileNotification' : [ 0x0, ['__unnamed_1ed4']], 'PowerNotification' : [ 0x0, ['__unnamed_1ed6']], 'VetoNotification' : [ 0x0, ['__unnamed_1ed8']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1eda']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1edc']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1ede']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_1ed0']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 
1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_1ee0']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 
0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_PS_CPU_QUOTA_BLOCK' : [ 0x4080, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'CpuShareWeight' : [ 0x14, ['unsigned long']], 'CapturedWeightData' : [ 0x18, ['_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA']], 'DuplicateInputMarker' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x20, ['long']], 'BlockCurrentGenerationLock' : [ 0x0, ['unsigned long long']], 'CyclesAccumulated' : [ 0x8, ['unsigned long long']], 'CycleCredit' : [ 0x40, ['unsigned long long']], 'BlockCurrentGeneration' : [ 0x48, ['unsigned long']], 'CpuCyclePercent' : [ 0x4c, ['unsigned long']], 'CyclesFinishedForCurrentGeneration' : [ 
0x50, ['unsigned char']], 'Cpu' : [ 0x80, ['array', 256, ['_PS_PER_CPU_QUOTA_CACHE_AWARE']]], } ], '__unnamed_1efc' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1efc']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 
0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 
'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '__unnamed_1f31' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_1f31']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_PS_PER_CPU_QUOTA_CACHE_AWARE' : [ 0x40, { 'SortedListEntry' : [ 0x0, ['_LIST_ENTRY']], 'IdleOnlyListHead' : [ 0x10, ['_LIST_ENTRY']], 'CycleBaseAllowance' : [ 0x20, ['unsigned long long']], 
'CyclesRemaining' : [ 0x28, ['long long']], 'CurrentGeneration' : [ 0x30, ['unsigned long']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 
'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 
'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x248, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 
'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 
'ApiSetMap' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'HotpatchInformation' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 
0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], 'pContextData' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, ['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', 
choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_KBUGCHECK_ACTIVE_STATE' : [ 0x4, { 'BugCheckState' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'RecursionCount' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'BugCheckOwner' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['long']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_SYSTEM_IDLE' : [ 0x38, { 'AverageIdleness' : 
[ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned char']], 'IdleWorker' : [ 0x25, ['unsigned char']], 'Sampling' : [ 0x26, ['unsigned char']], 'LastTick' : [ 0x28, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x30, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x18, { 'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x20, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, 
['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x18, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x8, ['pointer64', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x10, ['long']], 'MissedMappingsCount' : [ 0x14, ['unsigned long']], } ], '__unnamed_1fa6' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fa8' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1faa' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1fac' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_1faa']], 'Translated' : [ 0x0, ['__unnamed_1fa8']], } ], '__unnamed_1fae' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb0' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb2' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' 
: [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb4' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb6' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb8' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fba' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_1fa6']], 'Port' : [ 0x0, ['__unnamed_1fa6']], 'Interrupt' : [ 0x0, ['__unnamed_1fa8']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1fac']], 'Memory' : [ 0x0, ['__unnamed_1fa6']], 'Dma' : [ 0x0, ['__unnamed_1fae']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e7b']], 'BusNumber' : [ 0x0, ['__unnamed_1fb0']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1fb2']], 'Memory40' : [ 0x0, ['__unnamed_1fb4']], 'Memory48' : [ 0x0, ['__unnamed_1fb6']], 'Memory64' : [ 0x0, ['__unnamed_1fb8']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1fba']], } ], '__unnamed_1fbf' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1fbf']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_1fc9' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, 
['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_1fc9']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x48, { 'Parent' : [ 0x0, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x8, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x10, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0x18, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1fd3' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x28, { 'u' : [ 0x0, ['__unnamed_1f31']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_1fd3']], 'LeftChild' : [ 0x18, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x20, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1fdb' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1fdd' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1fdb']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x58, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 
'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x40, ['_LIST_ENTRY']], 'Specific' : [ 0x50, ['__unnamed_1fdd']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, 
['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 
0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win10_x64_vtypes.py0000644000000000000000000265516413131215405030022 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x708, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'NtBuildNumber' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, 
['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'BootId' : [ 0x2c4, ['unsigned long']], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'Reserved12' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 
'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgMultiSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrementShift' : [ 0x368, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x369, ['unsigned char']], 'UnparkedProcessorCount' : [ 0x36a, ['unsigned short']], 'Reserved8' : [ 0x36c, ['array', 20, ['unsigned char']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : 
[ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1080' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1080']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1098' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109a' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_1098']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_109a']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TEB' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 
'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['pointer64', ['void']]]], 'SystemReserved1' : [ 0x190, ['array', 38, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', 
['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'PerflibData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 
'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit 
= 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], 'ReservedForWdf' : [ 0x1818, ['pointer64', ['void']]], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0x18, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 
'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'CurEntry' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '__unnamed_1108' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1108']], 'QuadPart' : [ 0x0, ['long long']], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 
'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_RB_TREE' : [ 0x10, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_RTL_BALANCED_NODE' : [ 0x18, { 'Children' : [ 0x0, ['array', 2, ['pointer64', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x10, ['unsigned long long']], } ], '_RTL_AVL_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x6a80, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : 
[ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x6900, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'ClockOwner' : [ 0x21, ['unsigned char']], 'PendingTickFlags' : [ 0x22, ['unsigned char']], 'PendingTick' : [ 0x22, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x22, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IdleState' : [ 0x23, ['unsigned char']], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PriorityState' : [ 0x38, ['pointer64', ['unsigned char']]], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 
'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ParentNode' : [ 0x640, ['pointer64', ['_KNODE']]], 'GroupSetMember' : [ 0x648, ['unsigned long long']], 'Group' : [ 0x650, ['unsigned char']], 'GroupIndex' : [ 0x651, ['unsigned char']], 'PrcbPad05' : [ 0x652, ['array', 2, ['unsigned char']]], 'InitialApicId' : [ 0x654, ['unsigned long']], 'ScbOffset' : [ 0x658, ['unsigned long']], 'ApicMask' : [ 0x65c, ['unsigned long']], 'AcpiReserved' : [ 0x660, ['pointer64', ['void']]], 'CFlushSize' : [ 0x668, ['unsigned long']], 'PrcbPad10' : [ 0x66c, ['unsigned long']], 'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x2080, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PrcbPad20' : [ 0x2c80, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2c88, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2c90, ['long']], 'MmCopyOnWriteCount' : [ 0x2c94, ['long']], 'MmTransitionCount' : [ 0x2c98, ['long']], 'MmDemandZeroCount' : [ 0x2c9c, ['long']], 'MmPageReadCount' : [ 0x2ca0, ['long']], 'MmPageReadIoCount' : [ 0x2ca4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x2ca8, ['long']], 'MmDirtyWriteIoCount' : [ 0x2cac, ['long']], 'MmMappedPagesWriteCount' : [ 0x2cb0, ['long']], 'MmMappedWriteIoCount' : [ 0x2cb4, ['long']], 'KeSystemCalls' : [ 0x2cb8, ['unsigned long']], 'KeContextSwitches' : [ 
0x2cbc, ['unsigned long']], 'LdtSelector' : [ 0x2cc0, ['unsigned short']], 'PrcbPad40' : [ 0x2cc2, ['unsigned short']], 'CcFastReadNoWait' : [ 0x2cc4, ['unsigned long']], 'CcFastReadWait' : [ 0x2cc8, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x2ccc, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x2cd0, ['unsigned long']], 'CcCopyReadWait' : [ 0x2cd4, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x2cd8, ['unsigned long']], 'IoReadOperationCount' : [ 0x2cdc, ['long']], 'IoWriteOperationCount' : [ 0x2ce0, ['long']], 'IoOtherOperationCount' : [ 0x2ce4, ['long']], 'IoReadTransferCount' : [ 0x2ce8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x2cf0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x2cf8, ['_LARGE_INTEGER']], 'PacketBarrier' : [ 0x2d00, ['long']], 'TargetCount' : [ 0x2d04, ['long']], 'IpiFrozen' : [ 0x2d08, ['unsigned long']], 'IsrDpcStats' : [ 0x2d10, ['pointer64', ['void']]], 'DeviceInterrupts' : [ 0x2d18, ['unsigned long']], 'LookasideIrpFloat' : [ 0x2d1c, ['long']], 'InterruptLastCount' : [ 0x2d20, ['unsigned long']], 'InterruptRate' : [ 0x2d24, ['unsigned long']], 'PrcbPad41' : [ 0x2d28, ['array', 22, ['unsigned long']]], 'DpcData' : [ 0x2d80, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2dd0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2dd8, ['long']], 'DpcRequestRate' : [ 0x2ddc, ['unsigned long']], 'MinimumDpcRate' : [ 0x2de0, ['unsigned long']], 'DpcLastCount' : [ 0x2de4, ['unsigned long']], 'ThreadDpcEnable' : [ 0x2de8, ['unsigned char']], 'QuantumEnd' : [ 0x2de9, ['unsigned char']], 'DpcRoutineActive' : [ 0x2dea, ['unsigned char']], 'IdleSchedule' : [ 0x2deb, ['unsigned char']], 'DpcRequestSummary' : [ 0x2dec, ['long']], 'DpcRequestSlot' : [ 0x2dec, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x2dec, ['short']], 'ThreadDpcState' : [ 0x2dee, ['short']], 'DpcNormalProcessingActive' : [ 0x2dec, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x2dec, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x2dec, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x2dec, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x2dec, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x2dec, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x2dec, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x2dec, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x2dec, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x2dec, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2df0, ['unsigned long']], 'LastTick' : [ 0x2df4, ['unsigned long']], 'ClockInterrupts' : [ 0x2df8, ['unsigned long']], 'ReadyScanTick' : [ 0x2dfc, ['unsigned long']], 'InterruptObject' : [ 0x2e00, ['array', 256, ['pointer64', ['void']]]], 'TimerTable' : [ 0x3600, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x5800, ['_KGATE']], 'PrcbPad52' : [ 0x5818, ['pointer64', ['void']]], 'CallDpc' : [ 0x5820, ['_KDPC']], 'ClockKeepAlive' : [ 0x5860, ['long']], 'PrcbPad60' : [ 0x5864, ['array', 2, ['unsigned char']]], 'NmiActive' : [ 0x5866, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x5868, ['long']], 'DpcWatchdogCount' : [ 0x586c, ['long']], 'KeSpinLockOrdering' : [ 0x5870, ['long']], 'PrcbPad70' : [ 0x5874, ['array', 1, ['unsigned long']]], 'CachedPtes' : [ 0x5878, ['pointer64', ['void']]], 'WaitListHead' : [ 0x5880, ['_LIST_ENTRY']], 'WaitLock' : [ 0x5890, ['unsigned long long']], 'ReadySummary' : [ 0x5898, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x589c, ['long']], 'QueueIndex' : [ 0x58a0, 
['unsigned long']], 'PrcbPad75' : [ 0x58a4, ['array', 3, ['unsigned long']]], 'TimerExpirationDpc' : [ 0x58b0, ['_KDPC']], 'ScbQueue' : [ 0x58f0, ['_RTL_RB_TREE']], 'DispatcherReadyListHead' : [ 0x5900, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x5b00, ['unsigned long']], 'KernelTime' : [ 0x5b04, ['unsigned long']], 'UserTime' : [ 0x5b08, ['unsigned long']], 'DpcTime' : [ 0x5b0c, ['unsigned long']], 'InterruptTime' : [ 0x5b10, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5b14, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x5b18, ['unsigned char']], 'GroupSchedulingOverQuota' : [ 0x5b19, ['unsigned char']], 'DeepSleep' : [ 0x5b1a, ['unsigned char']], 'PrcbPad80' : [ 0x5b1b, ['array', 5, ['unsigned char']]], 'DpcTimeCount' : [ 0x5b20, ['unsigned long']], 'DpcTimeLimit' : [ 0x5b24, ['unsigned long']], 'PeriodicCount' : [ 0x5b28, ['unsigned long']], 'PeriodicBias' : [ 0x5b2c, ['unsigned long']], 'AvailableTime' : [ 0x5b30, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x5b34, ['unsigned long']], 'StartCycles' : [ 0x5b38, ['unsigned long long']], 'TaggedCyclesStart' : [ 0x5b40, ['unsigned long long']], 'TaggedCycles' : [ 0x5b48, ['array', 2, ['unsigned long long']]], 'GenerationTarget' : [ 0x5b58, ['unsigned long long']], 'AffinitizedCycles' : [ 0x5b60, ['unsigned long long']], 'PrcbPad81' : [ 0x5b68, ['array', 29, ['unsigned long']]], 'MmSpinLockOrdering' : [ 0x5bdc, ['long']], 'PageColor' : [ 0x5be0, ['unsigned long']], 'NodeColor' : [ 0x5be4, ['unsigned long']], 'NodeShiftedColor' : [ 0x5be8, ['unsigned long']], 'SecondaryColorMask' : [ 0x5bec, ['unsigned long']], 'PrcbPad83' : [ 0x5bf0, ['unsigned long']], 'CycleTime' : [ 0x5bf8, ['unsigned long long']], 'Cycles' : [ 0x5c00, ['array', 4, ['array', 2, ['unsigned long long']]]], 'PrcbPad84' : [ 0x5c40, ['array', 16, ['unsigned long']]], 'CcFastMdlReadNoWait' : [ 0x5c80, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x5c84, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x5c88, ['unsigned long']], 
'CcMapDataNoWait' : [ 0x5c8c, ['unsigned long']], 'CcMapDataWait' : [ 0x5c90, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x5c94, ['unsigned long']], 'CcPinReadNoWait' : [ 0x5c98, ['unsigned long']], 'CcPinReadWait' : [ 0x5c9c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x5ca0, ['unsigned long']], 'CcMdlReadWait' : [ 0x5ca4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x5ca8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x5cac, ['unsigned long']], 'CcLazyWritePages' : [ 0x5cb0, ['unsigned long']], 'CcDataFlushes' : [ 0x5cb4, ['unsigned long']], 'CcDataPages' : [ 0x5cb8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x5cbc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x5cc0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x5cc4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x5cc8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x5ccc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x5cd0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x5cd4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x5cd8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x5cdc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x5ce0, ['unsigned long']], 'CcReadAheadIos' : [ 0x5ce4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x5ce8, ['long']], 'MmCacheReadCount' : [ 0x5cec, ['long']], 'MmCacheIoCount' : [ 0x5cf0, ['long']], 'PrcbPad91' : [ 0x5cf4, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x5d00, ['_PROCESSOR_POWER_STATE']], 'ScbList' : [ 0x5ed0, ['_LIST_ENTRY']], 'PrcbPad92' : [ 0x5ee0, ['array', 7, ['unsigned long']]], 'KeAlignmentFixupCount' : [ 0x5efc, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x5f00, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x5f40, ['_KTIMER']], 'Cache' : [ 0x5f80, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x5fbc, ['unsigned long']], 'CachedCommit' : [ 0x5fc0, ['unsigned long']], 'CachedResidentAvailable' : [ 0x5fc4, ['unsigned long']], 'HyperPte' : [ 0x5fc8, ['pointer64', ['void']]], 'WheaInfo' : [ 0x5fd0, ['pointer64', ['void']]], 'EtwSupport' : [ 
0x5fd8, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x5fe0, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x5ff0, ['_SLIST_HEADER']], 'HypercallCachedPages' : [ 0x6000, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x6008, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x6010, ['pointer64', ['unsigned long long']]], 'PackageProcessorSet' : [ 0x6018, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x60c0, ['unsigned long long']], 'SharedReadyQueue' : [ 0x60c8, ['pointer64', ['_KSHARED_READY_QUEUE']]], 'SharedQueueScanOwner' : [ 0x60d0, ['unsigned long']], 'ScanSiblingIndex' : [ 0x60d4, ['unsigned long']], 'CoreProcessorSet' : [ 0x60d8, ['unsigned long long']], 'ScanSiblingMask' : [ 0x60e0, ['unsigned long long']], 'LLCMask' : [ 0x60e8, ['unsigned long long']], 'CacheProcessorMask' : [ 0x60f0, ['array', 5, ['unsigned long long']]], 'ProcessorProfileControlArea' : [ 0x6118, ['pointer64', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x6120, ['pointer64', ['void']]], 'PrcbPad94' : [ 0x6128, ['array', 11, ['unsigned long long']]], 'SynchCounters' : [ 0x6180, ['_SYNCH_COUNTERS']], 'PteBitCache' : [ 0x6238, ['unsigned long long']], 'PteBitOffset' : [ 0x6240, ['unsigned long']], 'FsCounters' : [ 0x6248, ['_FILESYSTEM_DISK_COUNTERS']], 'VendorString' : [ 0x6258, ['array', 13, ['unsigned char']]], 'PrcbPad100' : [ 0x6265, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x6268, ['unsigned long long']], 'PrcbPad110' : [ 0x6270, ['unsigned long']], 'UpdateSignature' : [ 0x6278, ['_LARGE_INTEGER']], 'Context' : [ 0x6280, ['pointer64', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x6288, ['unsigned long']], 'ExtendedState' : [ 0x6290, ['pointer64', ['_XSAVE_AREA']]], 'IsrStack' : [ 0x6298, ['pointer64', ['void']]], 'EntropyTimingState' : [ 0x62a0, ['_KENTROPY_TIMING_STATE']], 'AbSelfIoBoostsList' : [ 0x63f0, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x63f8, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x6400, ['_KDPC']], 
'IoIrpStackProfilerCurrent' : [ 0x6440, ['_IOP_IRP_STACK_PROFILER']], 'IoIrpStackProfilerPrevious' : [ 0x6494, ['_IOP_IRP_STACK_PROFILER']], 'LocalSharedReadyQueue' : [ 0x6500, ['_KSHARED_READY_QUEUE']], 'TimerExpirationTrace' : [ 0x6760, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : [ 0x6860, ['unsigned long']], 'ExSaPageArray' : [ 0x6868, ['pointer64', ['void']]], 'Mailbox' : [ 0x6880, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x68c0, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KFLOATING_SAVE' : [ 0x4, { 'Dummy' : [ 0x0, ['unsigned long']], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_KPROCESS' : [ 0x2d8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long']], 'Spare0' : [ 0x44, ['unsigned long']], 'DeepFreezeStartTime' : [ 0x48, ['unsigned long long']], 'Affinity' : [ 0x50, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0xf8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x108, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x110, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x1b8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x1b8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x1b8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'DeepFreeze' : [ 0x1b8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x1b8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x1b8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 
'SpareFlags0' : [ 0x1b8, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x1b8, ['BitField', dict(start_bit = 8, end_bit = 28, native_type='unsigned long')]], 'ReservedFlags' : [ 0x1b8, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x1b8, ['long']], 'BasePriority' : [ 0x1bc, ['unsigned char']], 'QuantumReset' : [ 0x1bd, ['unsigned char']], 'Visited' : [ 0x1be, ['unsigned char']], 'Flags' : [ 0x1bf, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x1c0, ['array', 20, ['unsigned long']]], 'IdealNode' : [ 0x210, ['array', 20, ['unsigned short']]], 'IdealGlobalNode' : [ 0x238, ['unsigned short']], 'Spare1' : [ 0x23a, ['unsigned short']], 'StackCount' : [ 0x23c, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x240, ['_LIST_ENTRY']], 'CycleTime' : [ 0x250, ['unsigned long long']], 'ContextSwitches' : [ 0x258, ['unsigned long long']], 'SchedulingGroup' : [ 0x260, ['pointer64', ['_KSCHEDULING_GROUP']]], 'FreezeCount' : [ 0x268, ['unsigned long']], 'KernelTime' : [ 0x26c, ['unsigned long']], 'UserTime' : [ 0x270, ['unsigned long']], 'LdtFreeSelectorHint' : [ 0x274, ['unsigned short']], 'LdtTableLength' : [ 0x276, ['unsigned short']], 'LdtSystemDescriptor' : [ 0x278, ['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x288, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x290, ['_FAST_MUTEX']], 'InstrumentationCallback' : [ 0x2c8, ['pointer64', ['void']]], 'SecurePid' : [ 0x2d0, ['unsigned long long']], } ], '_KTHREAD' : [ 0x5d8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x18, ['pointer64', ['void']]], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'StackBase' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'CycleTime' : [ 0x48, ['unsigned long long']], 'CurrentRunTime' : [ 0x50, ['unsigned long']], 'ExpectedRunTime' : [ 0x54, ['unsigned 
long']], 'KernelStack' : [ 0x58, ['pointer64', ['void']]], 'StateSaveArea' : [ 0x60, ['pointer64', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x68, ['pointer64', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x70, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x71, ['unsigned char']], 'Alerted' : [ 0x72, ['array', 2, ['unsigned char']]], 'AutoBoostActive' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x74, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitNext' : [ 0x74, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x74, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Alertable' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x74, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'TimerActive' : [ 0x74, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SystemThread' : [ 0x74, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x74, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CalloutActive' : [ 0x74, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x74, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ApcQueueable' : [ 0x74, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x74, ['BitField', dict(start_bit = 
15, end_bit = 16, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x74, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'TimerSuspended' : [ 0x74, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SuspendedWaitMode' : [ 0x74, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'SuspendSchedulerApcWait' : [ 0x74, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x74, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x74, ['long']], 'AutoAlignment' : [ 0x78, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x78, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ThreadFlagsSpare0' : [ 0x78, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x78, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x78, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x78, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x78, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x78, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x78, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x78, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x78, ['BitField', dict(start_bit = 12, end_bit = 
13, native_type='unsigned long')]], 'FreezeCount' : [ 0x78, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x78, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x78, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'KernelStackResident' : [ 0x78, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CommitFailTerminateRequest' : [ 0x78, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ProcessStackCountDecremented' : [ 0x78, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ThreadFlagsSpare' : [ 0x78, ['BitField', dict(start_bit = 19, end_bit = 24, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x78, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x78, ['long']], 'Tag' : [ 0x7c, ['unsigned char']], 'SystemHeteroCpuPolicy' : [ 0x7d, ['unsigned char']], 'UserHeteroCpuPolicy' : [ 0x7e, ['BitField', dict(start_bit = 0, end_bit = 7, native_type='unsigned char')]], 'ExplicitSystemHeteroCpuPolicy' : [ 0x7e, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare0' : [ 0x7f, ['unsigned char']], 'SystemCallNumber' : [ 0x80, ['unsigned long']], 'Spare10' : [ 0x84, ['unsigned long']], 'FirstArgument' : [ 0x88, ['pointer64', ['void']]], 'TrapFrame' : [ 0x90, ['pointer64', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x98, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x98, ['array', 43, ['unsigned char']]], 'Priority' : [ 0xc3, ['unsigned char']], 'UserIdealProcessor' : [ 0xc4, ['unsigned long']], 'WaitStatus' : [ 0xc8, ['long long']], 'WaitBlockList' : [ 0xd0, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xd8, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xe8, ['pointer64', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xf0, 
['pointer64', ['void']]], 'RelativeTimerBias' : [ 0xf8, ['unsigned long long']], 'Timer' : [ 0x100, ['_KTIMER']], 'WaitBlock' : [ 0x140, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x140, ['array', 20, ['unsigned char']]], 'ContextSwitches' : [ 0x154, ['unsigned long']], 'WaitBlockFill5' : [ 0x140, ['array', 68, ['unsigned char']]], 'State' : [ 0x184, ['unsigned char']], 'Spare13' : [ 0x185, ['unsigned char']], 'WaitIrql' : [ 0x186, ['unsigned char']], 'WaitMode' : [ 0x187, ['unsigned char']], 'WaitBlockFill6' : [ 0x140, ['array', 116, ['unsigned char']]], 'WaitTime' : [ 0x1b4, ['unsigned long']], 'WaitBlockFill7' : [ 0x140, ['array', 164, ['unsigned char']]], 'KernelApcDisable' : [ 0x1e4, ['short']], 'SpecialApcDisable' : [ 0x1e6, ['short']], 'CombinedApcDisable' : [ 0x1e4, ['unsigned long']], 'WaitBlockFill8' : [ 0x140, ['array', 40, ['unsigned char']]], 'ThreadCounters' : [ 0x168, ['pointer64', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0x140, ['array', 88, ['unsigned char']]], 'XStateSave' : [ 0x198, ['pointer64', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0x140, ['array', 136, ['unsigned char']]], 'Win32Thread' : [ 0x1c8, ['pointer64', ['void']]], 'WaitBlockFill11' : [ 0x140, ['array', 176, ['unsigned char']]], 'Ucb' : [ 0x1f0, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'Uch' : [ 0x1f8, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'TebMappedLowVa' : [ 0x200, ['pointer64', ['void']]], 'QueueListEntry' : [ 0x208, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x218, ['unsigned long']], 'NextProcessorNumber' : [ 0x218, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x218, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x21c, ['long']], 'Process' : [ 0x220, ['pointer64', ['_KPROCESS']]], 'UserAffinity' : [ 0x228, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x228, ['array', 10, ['unsigned char']]], 'PreviousMode' : [ 0x232, ['unsigned char']], 'BasePriority' : 
[ 0x233, ['unsigned char']], 'PriorityDecrement' : [ 0x234, ['unsigned char']], 'ForegroundBoost' : [ 0x234, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x234, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x235, ['unsigned char']], 'AdjustReason' : [ 0x236, ['unsigned char']], 'AdjustIncrement' : [ 0x237, ['unsigned char']], 'AffinityVersion' : [ 0x238, ['unsigned long long']], 'Affinity' : [ 0x240, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x240, ['array', 10, ['unsigned char']]], 'ApcStateIndex' : [ 0x24a, ['unsigned char']], 'WaitBlockCount' : [ 0x24b, ['unsigned char']], 'IdealProcessor' : [ 0x24c, ['unsigned long']], 'NpxState' : [ 0x250, ['unsigned long long']], 'SavedApcState' : [ 0x258, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x258, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x283, ['unsigned char']], 'SuspendCount' : [ 0x284, ['unsigned char']], 'Saturation' : [ 0x285, ['unsigned char']], 'SListFaultCount' : [ 0x286, ['unsigned short']], 'SchedulerApc' : [ 0x288, ['_KAPC']], 'SchedulerApcFill0' : [ 0x288, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x289, ['unsigned char']], 'SchedulerApcFill1' : [ 0x288, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x28b, ['unsigned char']], 'SchedulerApcFill2' : [ 0x288, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x28c, ['unsigned long']], 'SchedulerApcFill3' : [ 0x288, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c8, ['pointer64', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x288, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2d0, ['pointer64', ['void']]], 'SchedulerApcFill5' : [ 0x288, ['array', 83, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x2db, ['unsigned char']], 'UserTime' : [ 0x2dc, ['unsigned long']], 'SuspendEvent' : [ 0x2e0, ['_KEVENT']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'AbEntrySummary' : [ 0x318, 
['unsigned char']], 'AbWaitEntryCount' : [ 0x319, ['unsigned char']], 'Spare20' : [ 0x31a, ['unsigned short']], 'SecureThreadCookie' : [ 0x31c, ['unsigned long']], 'LockEntries' : [ 0x320, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x560, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x568, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x570, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x580, ['unsigned long']], 'AbCompletedIoBoostCount' : [ 0x584, ['long']], 'KeReferenceCount' : [ 0x588, ['short']], 'AbOrphanedEntrySummary' : [ 0x58a, ['unsigned char']], 'AbOwnedEntryCount' : [ 0x58b, ['unsigned char']], 'ForegroundLossTime' : [ 0x58c, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x590, ['_LIST_ENTRY']], 'ForegroundDpcStackListEntry' : [ 0x590, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x598, ['unsigned long long']], 'ReadOperationCount' : [ 0x5a0, ['long long']], 'WriteOperationCount' : [ 0x5a8, ['long long']], 'OtherOperationCount' : [ 0x5b0, ['long long']], 'ReadTransferCount' : [ 0x5b8, ['long long']], 'WriteTransferCount' : [ 0x5c0, ['long long']], 'OtherTransferCount' : [ 0x5c8, ['long long']], 'QueuedScb' : [ 0x5d0, ['pointer64', ['_KSCB']]], } ], '_KSTACK_CONTROL' : [ 0x30, { 'StackBase' : [ 0x0, ['unsigned long long']], 'ActualLimit' : [ 0x8, ['unsigned long long']], 'StackExpansion' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_124a' : [ 0x10, { 'Depth' : [ 
0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'HeaderX64' : [ 0x0, ['__unnamed_124a']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer64', ['void']]], 'DeleteContext' : [ 0x10, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 
'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0x100, { 'IdleNonParkedCpuSet' : [ 0x0, ['unsigned long 
long']], 'IdleSmtSet' : [ 0x8, ['unsigned long long']], 'IdleCpuSet' : [ 0x10, ['unsigned long long']], 'DeepIdleSet' : [ 0x40, ['unsigned long long']], 'IdleConstrainedSet' : [ 0x48, ['unsigned long long']], 'NonParkedSet' : [ 0x50, ['unsigned long long']], 'ParkLock' : [ 0x58, ['long']], 'Seed' : [ 0x5c, ['unsigned long']], 'SiblingMask' : [ 0x80, ['unsigned long']], 'Affinity' : [ 0x88, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x88, ['array', 10, ['unsigned char']]], 'NodeNumber' : [ 0x92, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x94, ['unsigned short']], 'Stride' : [ 0x96, ['unsigned char']], 'Spare0' : [ 0x97, ['unsigned char']], 'SharedReadyQueueLeaders' : [ 0x98, ['unsigned long long']], 'ProximityId' : [ 0xa0, ['unsigned long']], 'Lowest' : [ 0xa4, ['unsigned long']], 'Highest' : [ 0xa8, ['unsigned long']], 'MaximumProcessors' : [ 0xac, ['unsigned char']], 'Flags' : [ 0xad, ['_flags']], 'Spare10' : [ 0xae, ['unsigned char']], 'HeteroSets' : [ 0xb0, ['array', 5, ['_KHETERO_PROCESSOR_SET']]], } ], '_ENODE' : [ 0x540, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueues' : [ 0x100, ['array', 8, ['pointer64', ['_EX_WORK_QUEUE']]]], 'ExWorkQueue' : [ 0x140, ['_EX_WORK_QUEUE']], 'ExpThreadSetManagerEvent' : [ 0x410, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x428, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x468, ['_KEVENT']], 'WaitBlocks' : [ 0x480, ['array', 3, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x510, ['pointer64', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x518, ['unsigned long']], 'ExWorkerFullInit' : [ 0x51c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x51c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x51c, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x80, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long long']], 'QuotaProcess' : [ 0x10, ['pointer64', 
['_EPROCESS']]], 'HandleTableList' : [ 0x18, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], 'StrictFIFO' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x2c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x2c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'RaiseUMExceptionOnInvalidHandleClose' : [ 0x2c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x38, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x40, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x40, ['array', 32, ['unsigned char']]], 'DebugInfo' : [ 0x60, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'VolatileLowValue' : [ 0x0, ['long long']], 'LowValue' : [ 0x0, ['long long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'HighValue' : [ 0x8, ['long long']], 'NextFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x8, ['_EXHANDLE']], 'RefCountField' : [ 0x0, ['long long']], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 17, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 20, native_type='unsigned long long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 64, native_type='unsigned long long')]], 'GrantedAccessBits' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'NoRightsUpgrade' 
: [ 0x8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Spare1' : [ 0x8, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], 'Spare2' : [ 0xc, ['unsigned long']], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1344' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_1344']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xe0, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 
0x58, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xd8, ['unsigned char']], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_ETHREAD' : [ 0x7c0, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x5d8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x5e0, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x5e0, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x5f0, ['pointer64', ['void']]], 'PostBlockList' : [ 0x5f8, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x5f8, ['pointer64', ['void']]], 'StartAddress' : [ 0x600, ['pointer64', ['void']]], 'TerminationPort' : [ 0x608, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x608, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x608, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x610, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x618, ['_LIST_ENTRY']], 'Cid' : [ 0x628, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x638, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x638, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x658, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x660, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x670, ['unsigned long long']], 'DeviceToVerify' : [ 0x678, ['pointer64', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x680, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x688, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x690, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x6a0, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x6a8, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x6b0, ['unsigned long']], 'MmLockOrdering' : [ 0x6b4, ['long']], 'CmLockOrdering' : [ 0x6b8, ['long']], 'CrossThreadFlags' : [ 0x6bc, ['unsigned long']], 'Terminated' : [ 0x6bc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x6bc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x6bc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned 
long')]], 'ActiveImpersonationInfo' : [ 0x6bc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x6bc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x6bc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x6bc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x6bc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x6bc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x6bc, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x6bc, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x6bc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x6bc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x6bc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x6bc, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x6c0, ['unsigned long']], 'ActiveExWorker' : [ 0x6c0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x6c0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ClonedThread' : [ 0x6c0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x6c0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SelfTerminate' : [ 0x6c0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RespectIoPriority' : [ 0x6c0, ['BitField', dict(start_bit = 5, end_bit = 
6, native_type='unsigned long')]], 'ReservedSameThreadPassiveFlags' : [ 0x6c0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x6c4, ['unsigned long']], 'OwnsProcessAddressSpaceExclusive' : [ 0x6c4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x6c4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardFaultBehavior' : [ 0x6c4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x6c4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x6c4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x6c4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Prefetching' : [ 0x6c4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x6c4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x6c5, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x6c5, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x6c8, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x6c9, ['unsigned char']], 'ActiveFaultCount' : [ 0x6ca, ['unsigned char']], 'LockOrderState' : [ 0x6cb, ['unsigned char']], 'AlpcMessageId' : [ 0x6d0, ['unsigned long long']], 'AlpcMessage' : [ 0x6d8, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x6d8, ['unsigned long']], 'ExitStatus' : [ 0x6e0, ['long']], 'AlpcWaitListEntry' : [ 0x6e8, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x6f8, ['unsigned long']], 'IoBoostCount' : [ 0x6fc, ['unsigned long']], 'BoostList' : [ 0x700, ['_LIST_ENTRY']], 'DeboostList' : [ 0x710, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x720, 
['unsigned long long']], 'IrpListLock' : [ 0x728, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x730, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x738, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x740, ['pointer64', ['_GUID']]], 'SeLearningModeListHead' : [ 0x748, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x750, ['pointer64', ['void']]], 'KernelStackReference' : [ 0x758, ['unsigned long']], 'AdjustedClientToken' : [ 0x760, ['pointer64', ['void']]], 'WorkingOnBehalfClient' : [ 0x768, ['pointer64', ['void']]], 'PropertySet' : [ 0x770, ['_PS_PROPERTY_SET']], 'PicoContext' : [ 0x788, ['pointer64', ['void']]], 'UserFsBase' : [ 0x790, ['unsigned long']], 'UserGsBase' : [ 0x798, ['unsigned long long']], 'EnergyValues' : [ 0x7a0, ['pointer64', ['_THREAD_ENERGY_VALUES']]], 'CmCellReferences' : [ 0x7a8, ['unsigned long']], 'SelectedCpuSets' : [ 0x7b0, ['unsigned long long']], 'SelectedCpuSetsIndirect' : [ 0x7b0, ['pointer64', ['unsigned long long']]], 'Silo' : [ 0x7b8, ['pointer64', ['_ESILO']]], } ], '_EPROCESS' : [ 0x798, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x2d8, ['_EX_PUSH_LOCK']], 'RundownProtect' : [ 0x2e0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x2e8, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x2f0, ['_LIST_ENTRY']], 'Flags2' : [ 0x300, ['unsigned long']], 'JobNotReallyActive' : [ 0x300, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x300, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x300, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x300, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x300, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x300, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 
'ForceWakeCharge' : [ 0x300, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x300, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x300, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x300, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0x300, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0x300, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x300, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x300, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x300, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x300, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x300, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x300, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x300, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x300, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0x300, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0x300, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0x300, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0x300, ['BitField', dict(start_bit = 26, end_bit = 27, 
native_type='unsigned long')]], 'ForceRelocateImages' : [ 0x300, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0x300, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0x300, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0x300, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x304, ['unsigned long']], 'CreateReported' : [ 0x304, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x304, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x304, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x304, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0x304, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x304, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x304, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x304, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FailFastOnCommitFail' : [ 0x304, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x304, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x304, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x304, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x304, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x304, ['BitField', 
dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x304, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x304, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x304, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x304, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x304, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0x304, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x304, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x304, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x304, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x304, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0x304, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x304, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x304, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x304, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x304, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CreateTime' : [ 0x308, ['_LARGE_INTEGER']], 'ProcessQuotaUsage' : [ 0x310, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x320, ['array', 2, ['unsigned long long']]], 'PeakVirtualSize' : [ 0x330, ['unsigned long long']], 'VirtualSize' : [ 0x338, ['unsigned long long']], 
'SessionProcessLinks' : [ 0x340, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0x350, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x350, ['unsigned long long']], 'ExceptionPortState' : [ 0x350, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Token' : [ 0x358, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x360, ['unsigned long long']], 'AddressCreationLock' : [ 0x368, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0x370, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x378, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x380, ['pointer64', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x388, ['pointer64', ['_EJOB']]], 'CloneRoot' : [ 0x390, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x398, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x3a0, ['unsigned long long']], 'Win32Process' : [ 0x3a8, ['pointer64', ['void']]], 'Job' : [ 0x3b0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x3b8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x3c0, ['pointer64', ['void']]], 'Cookie' : [ 0x3c8, ['unsigned long']], 'WorkingSetWatch' : [ 0x3d0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x3d8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x3e0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x3e8, ['pointer64', ['void']]], 'OwnerProcessId' : [ 0x3f0, ['unsigned long long']], 'Peb' : [ 0x3f8, ['pointer64', ['_PEB']]], 'Session' : [ 0x400, ['pointer64', ['void']]], 'AweInfo' : [ 0x408, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x410, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x418, ['pointer64', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x420, ['pointer64', ['void']]], 'Wow64Process' : [ 0x428, ['pointer64', ['void']]], 'DeviceMap' : [ 0x430, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x438, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x440, ['unsigned long long']], 'ImageFileName' : [ 0x448, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x457, ['unsigned char']], 
'SecurityPort' : [ 0x458, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x460, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x468, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x478, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x480, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x490, ['unsigned long']], 'ImagePathHash' : [ 0x494, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x498, ['unsigned long']], 'LastThreadExitStatus' : [ 0x49c, ['long']], 'PrefetchTrace' : [ 0x4a0, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x4a8, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x4b0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x4b8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x4c0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x4c8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x4d0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x4d8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x4e0, ['unsigned long long']], 'CommitCharge' : [ 0x4e8, ['unsigned long long']], 'CommitChargePeak' : [ 0x4f0, ['unsigned long long']], 'Vm' : [ 0x4f8, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x5f0, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x600, ['unsigned long']], 'ExitStatus' : [ 0x604, ['long']], 'VadRoot' : [ 0x608, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x610, ['pointer64', ['void']]], 'VadCount' : [ 0x618, ['unsigned long long']], 'VadPhysicalPages' : [ 0x620, ['unsigned long long']], 'VadPhysicalPagesLimit' : [ 0x628, ['unsigned long long']], 'AlpcContext' : [ 0x630, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x650, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x660, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x668, ['unsigned long']], 'SmallestTimerResolution' : [ 0x66c, ['unsigned long']], 'ExitTime' : [ 0x670, ['_LARGE_INTEGER']], 'InvertedFunctionTable' : [ 0x678, ['pointer64', ['_INVERTED_FUNCTION_TABLE']]], 'InvertedFunctionTableLock' : [ 0x680, ['_EX_PUSH_LOCK']], 'ActiveThreadsHighWatermark' : [ 0x688, 
['unsigned long']], 'LargePrivateVadCount' : [ 0x68c, ['unsigned long']], 'ThreadListLock' : [ 0x690, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x698, ['pointer64', ['void']]], 'Spare0' : [ 0x6a0, ['unsigned long long']], 'SignatureLevel' : [ 0x6a8, ['unsigned char']], 'SectionSignatureLevel' : [ 0x6a9, ['unsigned char']], 'Protection' : [ 0x6aa, ['_PS_PROTECTION']], 'HangCount' : [ 0x6ab, ['unsigned char']], 'Flags3' : [ 0x6ac, ['unsigned long']], 'Minimal' : [ 0x6ac, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReplacingPageRoot' : [ 0x6ac, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DisableNonSystemFonts' : [ 0x6ac, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AuditNonSystemFontLoading' : [ 0x6ac, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Crashed' : [ 0x6ac, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'JobVadsAreTracked' : [ 0x6ac, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'VadTrackingDisabled' : [ 0x6ac, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AuxiliaryProcess' : [ 0x6ac, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SubsystemProcess' : [ 0x6ac, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x6ac, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'InPrivate' : [ 0x6ac, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DeviceAsid' : [ 0x6b0, ['long']], 'SvmData' : [ 0x6b8, ['pointer64', ['void']]], 'SvmProcessLock' : [ 0x6c0, ['_EX_PUSH_LOCK']], 'SvmLock' : [ 0x6c8, ['unsigned long long']], 'SvmProcessDeviceListHead' : [ 0x6d0, ['_LIST_ENTRY']], 'LastFreezeInterruptTime' : [ 0x6e0, ['unsigned long long']], 'DiskCounters' : [ 0x6e8, ['pointer64', ['_PROCESS_DISK_COUNTERS']]], 
'PicoContext' : [ 0x6f0, ['pointer64', ['void']]], 'TrustletIdentity' : [ 0x6f8, ['unsigned long long']], 'KeepAliveCounter' : [ 0x700, ['unsigned long']], 'NoWakeKeepAliveCounter' : [ 0x704, ['unsigned long']], 'HighPriorityFaultsAllowed' : [ 0x708, ['unsigned long']], 'EnergyValues' : [ 0x710, ['pointer64', ['_PROCESS_ENERGY_VALUES']]], 'VmContext' : [ 0x718, ['pointer64', ['void']]], 'Silo' : [ 0x720, ['pointer64', ['_ESILO']]], 'SiloEntry' : [ 0x728, ['_LIST_ENTRY']], 'SequenceNumber' : [ 0x738, ['unsigned long long']], 'CreateInterruptTime' : [ 0x740, ['unsigned long long']], 'CreateUnbiasedInterruptTime' : [ 0x748, ['unsigned long long']], 'TotalUnbiasedFrozenTime' : [ 0x750, ['unsigned long long']], 'LastAppStateUpdateTime' : [ 0x758, ['unsigned long long']], 'LastAppStateUptime' : [ 0x760, ['BitField', dict(start_bit = 0, end_bit = 61, native_type='unsigned long long')]], 'LastAppState' : [ 0x760, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], 'SharedCommitCharge' : [ 0x768, ['unsigned long long']], 'SharedCommitLock' : [ 0x770, ['_EX_PUSH_LOCK']], 'SharedCommitLinks' : [ 0x778, ['_LIST_ENTRY']], 'AllowedCpuSets' : [ 0x788, ['unsigned long long']], 'DefaultCpuSets' : [ 0x790, ['unsigned long long']], 'AllowedCpuSetsIndirect' : [ 0x788, ['pointer64', ['unsigned long long']]], 'DefaultCpuSetsIndirect' : [ 0x790, ['pointer64', ['unsigned long long']]], } ], '__unnamed_13a7' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_13ad' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_13af' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_13ad']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_13ba' : [ 0x58, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 
'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x50, ['pointer64', ['void']]], } ], '__unnamed_13bc' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_13ba']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'AllocationProcessorNumber' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_13a7']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_13af']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_13bc']], } ], '__unnamed_13c3' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_13c7' : [ 0x20, { 'SecurityContext' : [ 
0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_13cb' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_13cd' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13d1' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 
'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13d3' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_13d5' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 
'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], } ], '__unnamed_13d7' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 
'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 
'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13d9' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13db' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_13df' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMetadataSizeInformation', 14: 'FileFsMaximumInformation'})]], } ], '__unnamed_13e1' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13e3' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13e5' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13e7' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_13e9' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_13ed' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 
'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_13f1' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_13f5' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_13f9' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_13fd' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1401' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1405' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1407' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_1409' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_140d' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_1411' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1415' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, 
['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_1419' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_141d' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1425' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], } ], '__unnamed_1429' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_142b' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_142d' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_142f' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_13c3']], 
'CreatePipe' : [ 0x0, ['__unnamed_13c7']], 'CreateMailslot' : [ 0x0, ['__unnamed_13cb']], 'Read' : [ 0x0, ['__unnamed_13cd']], 'Write' : [ 0x0, ['__unnamed_13cd']], 'QueryDirectory' : [ 0x0, ['__unnamed_13d1']], 'NotifyDirectory' : [ 0x0, ['__unnamed_13d3']], 'QueryFile' : [ 0x0, ['__unnamed_13d5']], 'SetFile' : [ 0x0, ['__unnamed_13d7']], 'QueryEa' : [ 0x0, ['__unnamed_13d9']], 'SetEa' : [ 0x0, ['__unnamed_13db']], 'QueryVolume' : [ 0x0, ['__unnamed_13df']], 'SetVolume' : [ 0x0, ['__unnamed_13df']], 'FileSystemControl' : [ 0x0, ['__unnamed_13e1']], 'LockControl' : [ 0x0, ['__unnamed_13e3']], 'DeviceIoControl' : [ 0x0, ['__unnamed_13e5']], 'QuerySecurity' : [ 0x0, ['__unnamed_13e7']], 'SetSecurity' : [ 0x0, ['__unnamed_13e9']], 'MountVolume' : [ 0x0, ['__unnamed_13ed']], 'VerifyVolume' : [ 0x0, ['__unnamed_13ed']], 'Scsi' : [ 0x0, ['__unnamed_13f1']], 'QueryQuota' : [ 0x0, ['__unnamed_13f5']], 'SetQuota' : [ 0x0, ['__unnamed_13db']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_13f9']], 'QueryInterface' : [ 0x0, ['__unnamed_13fd']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1401']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1405']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1407']], 'SetLock' : [ 0x0, ['__unnamed_1409']], 'QueryId' : [ 0x0, ['__unnamed_140d']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1411']], 'UsageNotification' : [ 0x0, ['__unnamed_1415']], 'WaitWake' : [ 0x0, ['__unnamed_1419']], 'PowerSequence' : [ 0x0, ['__unnamed_141d']], 'Power' : [ 0x0, ['__unnamed_1425']], 'StartDevice' : [ 0x0, ['__unnamed_1429']], 'WMI' : [ 0x0, ['__unnamed_142b']], 'Others' : [ 0x0, ['__unnamed_142d']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_142f']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 
'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1445' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_1445']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x10, ['unsigned long long']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], 
'_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'AllocationProcessorNumber' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'Type' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['unsigned char']], 'Reserved2' : [ 0xe, ['unsigned short']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x70, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer64', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x60, 
['pointer64', ['void']]], 'UserContext' : [ 0x68, ['pointer64', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned 
long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 
'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 
'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'Oplock' : [ 0x58, ['pointer64', ['void']]], 'ReservedForRemote' : [ 0x58, ['pointer64', ['void']]], 'ReservedContext' : [ 0x60, ['pointer64', ['void']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_TlgProvider_t' : [ 0x40, { 'LevelPlus1' : [ 0x0, ['unsigned long']], 'ProviderMetadataPtr' : [ 0x8, ['pointer64', ['unsigned short']]], 'KeywordAny' : [ 0x10, ['unsigned long long']], 'KeywordAll' : [ 0x18, ['unsigned long long']], 'RegHandle' : [ 0x20, ['unsigned long long']], 'EnableCallback' : [ 0x28, ['pointer64', ['void']]], 'CallbackContext' : [ 0x30, ['pointer64', ['void']]], 'AnnotationFunc' : [ 0x38, ['pointer64', ['void']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_TlgProviderMetadata_t' : [ 0x13, { 'Type' : [ 0x0, ['unsigned char']], 'ProviderId' : [ 0x1, ['_GUID']], 'RemainingSize' : [ 0x11, ['unsigned short']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '__unnamed_1611' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, 
['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1611']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND' : [ 0x10, { 'LocalLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'State' : [ 0x8, ['_EX_PUSH_LOCK_AUTO_EXPAND_STATE']], 'Stats' : [ 0xc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'ReservedLowFlags' : [ 0x1a, ['unsigned char']], 'WaiterPriority' : [ 0x1b, ['unsigned char']], 'SharedWaiters' : [ 0x20, ['_KWAIT_CHAIN']], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '__unnamed_1649' : [ 0x8, { 'Flink' : [ 0x0, ['BitField', dict(start_bit = 0, 
end_bit = 36, native_type='unsigned long long')]], 'NodeFlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 64, native_type='unsigned long long')]], 'WsIndex' : [ 0x0, ['unsigned long long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_164d' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ShortFlags' : [ 0x2, ['unsigned short']], 'VolatileShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_164f' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_164d']], } ], '__unnamed_165b' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'Channel' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 38, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'Partition' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 50, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 52, native_type='unsigned long long')]], 'FileOnly' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'PfnExists' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned 
long long']], } ], '_MMPFN' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'u1' : [ 0x0, ['__unnamed_1649']], 'PteAddress' : [ 0x8, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer64', ['void']]], 'PteLong' : [ 0x8, ['unsigned long long']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'u2' : [ 0x18, ['_MIPFNBLINK']], 'u3' : [ 0x20, ['__unnamed_164f']], 'NodeBlinkLow' : [ 0x24, ['unsigned short']], 'Unused' : [ 0x26, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'VaType' : [ 0x26, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'ViewCount' : [ 0x27, ['unsigned char']], 'NodeFlinkLow' : [ 0x27, ['unsigned char']], 'u4' : [ 0x28, ['__unnamed_165b']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x60, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP_EX']], 'BasePte' : [ 0x10, ['pointer64', ['_MMPTE']]], 'Flags' : [ 0x18, ['unsigned long']], 'VaType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaMaximumType', 15: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x30, ['unsigned long long']], 'GlobalPushLock' : [ 0x30, ['pointer64', ['_EX_PUSH_LOCK']]], 'Vm' : [ 0x38, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x40, ['unsigned long long']], 'Hint' : [ 0x48, ['unsigned long long']], 'CachedPtes' : [ 0x50, ['pointer64', ['_MI_CACHED_PTES']]], 'TotalFreeSystemPtes' : [ 0x58, ['unsigned long long']], } ], '_MMCLONE_DESCRIPTOR' : [ 0x50, { 'CloneNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Next' : [ 0x0, ['pointer64', ['_MMCLONE_DESCRIPTOR']]], 
'StartingCloneBlock' : [ 0x18, ['pointer64', ['_MMCLONE_BLOCK']]], 'EndingCloneBlock' : [ 0x20, ['pointer64', ['_MMCLONE_BLOCK']]], 'NumberOfPtes' : [ 0x28, ['unsigned long long']], 'NumberOfReferences' : [ 0x30, ['unsigned long long']], 'CloneHeader' : [ 0x38, ['pointer64', ['_MMCLONE_HEADER']]], 'NonPagedPoolQuotaCharge' : [ 0x40, ['unsigned long long']], 'NestingLevel' : [ 0x48, ['unsigned long long']], } ], '__unnamed_168b' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_168b']], } ], '_MMWSL' : [ 0x300, { 'FirstFree' : [ 0x0, ['unsigned long long']], 'FirstDynamic' : [ 0x8, ['unsigned long long']], 'LastEntry' : [ 0x10, ['unsigned long long']], 'NextSlot' : [ 0x18, ['unsigned long long']], 'LastInitializedWsle' : [ 0x20, ['unsigned long long']], 'NextAgingSlot' : [ 0x28, ['unsigned long long']], 'NextAccessClearingSlot' : [ 0x30, ['unsigned long long']], 'LastAccessClearingRemainder' : [ 0x38, ['unsigned long']], 'LastAgingRemainder' : [ 0x3c, ['unsigned long']], 'WsleSize' : [ 0x40, ['unsigned long']], 'NonDirectCount' : [ 0x48, ['unsigned long long']], 'LowestPagableAddress' : [ 0x50, ['pointer64', ['void']]], 'NonDirectHash' : [ 0x58, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x60, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x68, ['pointer64', ['_MMWSLE_HASH']]], 'ActiveWsleCounts' : [ 0x70, ['array', 16, ['unsigned long long']]], 'ActiveWsles' : [ 0xf0, ['array', 16, ['_MI_ACTIVE_WSLE_LISTHEAD']]], 'Wsle' : [ 0x1f0, ['pointer64', ['_MMWSLE']]], 'UserVaInfo' : [ 0x1f8, ['_MI_USER_VA_INFO']], } ], '_MMSUPPORT' : [ 0xf8, { 'WorkingSetLock' : [ 0x0, ['long']], 'ExitOutswapGate' : [ 0x8, ['pointer64', ['_KGATE']]], 'AccessLog' : [ 0x10, ['pointer64', ['void']]], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 
0x28, ['array', 7, ['unsigned long long']]], 'MinimumWorkingSetSize' : [ 0x60, ['unsigned long long']], 'WorkingSetLeafSize' : [ 0x68, ['unsigned long long']], 'WorkingSetLeafPrivateSize' : [ 0x70, ['unsigned long long']], 'WorkingSetSize' : [ 0x78, ['unsigned long long']], 'WorkingSetPrivateSize' : [ 0x80, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0x88, ['unsigned long long']], 'ChargedWslePages' : [ 0x90, ['unsigned long long']], 'ActualWslePages' : [ 0x98, ['unsigned long long']], 'WorkingSetSizeOverhead' : [ 0xa0, ['unsigned long long']], 'PeakWorkingSetSize' : [ 0xa8, ['unsigned long long']], 'HardFaultCount' : [ 0xb0, ['unsigned long']], 'PartitionId' : [ 0xb4, ['unsigned short']], 'Pad0' : [ 0xb6, ['unsigned short']], 'VmWorkingSetList' : [ 0xb8, ['pointer64', ['_MMWSL']]], 'NextPageColor' : [ 0xc0, ['unsigned short']], 'LastTrimStamp' : [ 0xc2, ['unsigned short']], 'PageFaultCount' : [ 0xc4, ['unsigned long']], 'TrimmedPageCount' : [ 0xc8, ['unsigned long long']], 'ForceTrimPages' : [ 0xd0, ['unsigned long long']], 'Flags' : [ 0xd8, ['_MMSUPPORT_FLAGS']], 'ReleasedCommitDebt' : [ 0xe0, ['unsigned long long']], 'WsSwapSupport' : [ 0xe8, ['pointer64', ['void']]], 'CommitReAcquireFailSupport' : [ 0xf0, ['pointer64', ['void']]], } ], '__unnamed_16a7' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_16ab' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x48, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, 
['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_16a7']], 'u2' : [ 0x38, ['__unnamed_16ab']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], } ], '__unnamed_16b0' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_16b3' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS2']], } ], '__unnamed_16be' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long')]], 'SystemImage' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'StrongCode' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 28, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_16c0' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_16be']], } ], '_CONTROL_AREA' : [ 0x78, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_16b0']], 'u1' : [ 0x3c, ['__unnamed_16b3']], 'FilePointer' : [ 0x40, 
['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'WaitList' : [ 0x50, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x58, ['__unnamed_16c0']], 'LockedPages' : [ 0x68, ['unsigned long long']], 'FileObjectLock' : [ 0x70, ['_EX_PUSH_LOCK']], } ], '__unnamed_16ca' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_16cd' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x40, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer64', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0x18, ['unsigned long']], 'EndingVpn' : [ 0x1c, ['unsigned long']], 'StartingVpnHigh' : [ 0x20, ['unsigned char']], 'EndingVpnHigh' : [ 0x21, ['unsigned char']], 'CommitChargeHigh' : [ 0x22, ['unsigned char']], 'SpareNT64VadUChar' : [ 0x23, ['unsigned char']], 'ReferenceCount' : [ 0x24, ['long']], 'PushLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u' : [ 0x30, ['__unnamed_16ca']], 'u1' : [ 0x34, ['__unnamed_16cd']], 'EventList' : [ 0x38, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], } ], '_MI_PARTITION' : [ 0x25c0, { 'Core' : [ 0x0, ['_MI_PARTITION_CORE']], 'Modwriter' : [ 0x168, ['_MI_PARTITION_MODWRITES']], 'Store' : [ 0x410, ['_MI_PARTITION_STORES']], 'Segments' : [ 0x490, ['_MI_PARTITION_SEGMENTS']], 'PageLists' : [ 0x5c0, ['_MI_PARTITION_PAGE_LISTS']], 'Commit' : [ 0x1280, ['_MI_PARTITION_COMMIT']], 'Zeroing' : [ 0x12b8, ['_MI_PARTITION_ZEROING']], 'PageCombine' : [ 0x1300, ['_MI_PAGE_COMBINING_SUPPORT']], 'WorkingSetControl' : [ 0x1488, ['pointer64', ['void']]], 'WorkingSetExpansionHead' : [ 0x1490, ['_MMWORKING_SET_EXPANSION_HEAD']], 'Vp' : [ 0x14c0, ['_MI_VISIBLE_PARTITION']], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned 
long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_MMPAGING_FILE' : [ 0x100, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'FreeReservationSpace' : [ 0x30, ['unsigned long long']], 'LargestReserveCluster' : [ 0x38, ['unsigned long long']], 'File' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x48, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x60, ['_SLIST_HEADER']], 'PageFileName' : [ 0x70, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x80, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x88, ['unsigned long']], 'ReservationBitmapHint' : [ 0x8c, ['unsigned long']], 'LargestNonReservedClusterSize' : [ 0x90, ['unsigned long']], 'RefreshClusterSize' : [ 0x94, ['unsigned long']], 'LastRefreshClusterSize' : [ 0x98, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x9c, ['unsigned long']], 'ToBeEvictedCount' : [ 0xa0, ['unsigned long']], 'HybridPriority' : [ 0xa0, ['unsigned long']], 'PageFileNumber' : [ 0xa4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0xa4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'NoReservations' : [ 0xa4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'VirtualStorePagefile' : [ 0xa4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SwapSupported' : [ 0xa4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'NodeInserted' : [ 0xa4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'StackNotified' : [ 0xa4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0xa4, ['BitField', 
dict(start_bit = 10, end_bit = 15, native_type='unsigned short')]], 'AdriftMdls' : [ 0xa6, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0xa6, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0xa7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0xa8, ['unsigned long']], 'PageHashPagesPeak' : [ 0xac, ['unsigned long']], 'PageHash' : [ 0xb0, ['pointer64', ['unsigned long']]], 'FileHandle' : [ 0xb8, ['pointer64', ['void']]], 'Lock' : [ 0xc0, ['unsigned long long']], 'LockOwner' : [ 0xc8, ['pointer64', ['_ETHREAD']]], 'FlowThroughReadRoot' : [ 0xd0, ['_RTL_AVL_TREE']], 'Partition' : [ 0xd8, ['pointer64', ['_MI_PARTITION']]], 'FileObjectNode' : [ 0xe0, ['_RTL_BALANCED_NODE']], } ], 'tagSWITCH_CONTEXT' : [ 0x68, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '__unnamed_170d' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry', 21: '_CmpMountPreloadedHives', 22: '_CmpLoadHiveThread'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1710' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_1712' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1716' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : 
[ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_1718' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_171c' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_1720' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_1722' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_170d']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_170d']]], 'RegistryIO' : [ 0xd0, ['__unnamed_1710']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_1712']], 'CheckKey' : [ 0xf0, ['__unnamed_1716']], 'CheckValueList' : [ 0x110, ['__unnamed_1718']], 'CheckHive' : [ 0x128, ['__unnamed_171c']], 'CheckHive1' : [ 0x138, ['__unnamed_171c']], 'CheckBin' : [ 0x148, ['__unnamed_1720']], 'RecoverData' : [ 0x158, ['__unnamed_1722']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xc0, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 
0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long long']], 'ParkingStatus' : [ 0x80, ['unsigned long']], 'CurrentFrequency' : [ 0x84, ['unsigned long']], 'PercentMaxFrequency' : [ 0x88, ['unsigned long']], 'StateFlags' : [ 0x8c, ['unsigned long']], 'NominalThroughput' : [ 0x90, ['unsigned long']], 'ActiveThroughput' : [ 0x94, ['unsigned long']], 'ScaledThroughput' : [ 0x98, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0xa0, ['unsigned long long']], 'AverageIdleTime' : [ 0xa8, ['unsigned long long']], 'IdleBreakEvents' : [ 0xb0, ['unsigned long long']], 'PerformanceLimit' : [ 0xb8, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xbc, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 
'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 
'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0xc, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], } ], '_TEB32' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, 
['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 16, ['unsigned long']]], 'SystemReserved1' : [ 0x10c, ['array', 38, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'InstrumentationCallbackSp' : [ 0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x1b8, ['unsigned char']], 'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 
'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit 
= 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], 
'_TEB64' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['unsigned long long']]], 'SystemReserved1' : [ 0x190, ['array', 38, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, 
['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, 
['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : 
[ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_HV_X64_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState_Deprecated' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable_Deprecated' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 
'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ExtendedGvaRangesForFlushVirtualAddressListAvailable' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'FastHypercallOutputAvailable' : [ 0xc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SvmFeaturesAvailable' : [ 0xc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SintPollingModeAvailable' : [ 0xc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned 
long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeReg' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicRegs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerRegs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessIntrCtrlRegs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetReg' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsReg' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleReg' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyRegs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugRegs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, 
native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'AccessVpExitTracing' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'EnableExtendedGvaRangesForFlushVirtualAddressList' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 48, native_type='unsigned long long')]], 'AccessVsm' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 49, native_type='unsigned long long')]], 'AccessVpRegisters' : [ 0x0, ['BitField', dict(start_bit = 49, end_bit = 50, native_type='unsigned long long')]], 'UnusedBit' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 51, native_type='unsigned long long')]], 'FastHypercallOutput' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'EnableExtendedHypercalls' : [ 0x0, ['BitField', 
dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'StartVirtualProcessor' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', ['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x260, { 'Lock' : [ 0x0, ['unsigned long long']], 'ReadySummary' : [ 0x8, ['unsigned long']], 'ReadyListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x210, ['array', 64, ['unsigned char']]], 'Span' : [ 0x250, ['unsigned char']], 'LowProcIndex' : [ 0x251, ['unsigned char']], 'QueueIndex' : [ 0x252, ['unsigned char']], 'ProcCount' : [ 0x253, ['unsigned char']], 'ScanOwner' : [ 0x254, ['unsigned char']], 'Spare' : [ 0x255, ['array', 3, ['unsigned char']]], 'Affinity' : [ 0x258, ['unsigned long long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'Spare1' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 
'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'OutputBuffer' : [ 0xd8, ['unsigned long long']], 'OutputLength' : [ 0xe0, ['unsigned long long']], 'Spare2' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 
'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'Fill4' : [ 0x18c, ['unsigned long']], } ], '__unnamed_181c' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_181e' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1822' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, 
['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x2c8, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'FxDevice' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x58, ['long']], 'FxRemoveEvent' : [ 0x60, ['_KEVENT']], 'FxActivationCount' : [ 0x78, ['long']], 'FxSleepCount' : [ 0x7c, ['long']], 'Plugin' : [ 0x80, ['pointer64', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x88, ['unsigned long']], 'CurrentPowerState' : [ 0x8c, ['_POWER_STATE']], 'Notify' : [ 0x90, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xf8, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0x118, ['_UNICODE_STRING']], 'PowerFlags' : [ 0x128, ['unsigned long']], 'State' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 
'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]],
# NOTE(review): the array count for StateHistory below is negative (-80).
# The following member, StateHistoryEntry, is at 0x184, which is 0x50 (80)
# bytes past StateHistory at 0x134, so -80 looks like the byte size with a
# flipped sign rather than an element count. Neighbouring 'long' members
# (0x188 -> 0x18c) are 4 bytes apart, which would make 20 entries the
# plausible intended count -- TODO confirm against the symbols this profile
# was generated from. Until then, treat values read through StateHistory as
# unreliable in analysis output.
'StateHistory' : [ 0x134, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x184, ['unsigned long']], 'CompletionStatus' : [ 0x188, ['long']], 'Flags' : [ 0x18c, ['unsigned long']], 'UserFlags' : [ 0x190, ['unsigned long']], 'Problem' : [ 0x194, ['unsigned long']], 'ProblemStatus' : [ 0x198, ['long']], 'ResourceList' : [ 0x1a0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x1b0, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x1b8, ['pointer64', 
['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x1c4, ['unsigned long']], 'ChildInterfaceType' : [ 0x1c8, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x1cc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x1d0, ['unsigned short']], 'RemovalPolicy' : [ 0x1d2, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x1d3, ['unsigned char']], 'TargetDeviceNotify' : [ 0x1d8, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x1e8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1f8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x208, ['unsigned short']], 'QueryTranslatorMask' : [ 0x20a, ['unsigned short']], 'NoArbiterMask' : [ 0x20c, ['unsigned short']], 'QueryArbiterMask' : [ 0x20e, ['unsigned short']], 'OverUsed1' : [ 0x210, ['__unnamed_181c']], 'OverUsed2' : [ 0x218, ['__unnamed_181e']], 'BootResources' : [ 0x220, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x228, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x230, ['unsigned long']], 'DockInfo' : [ 0x238, ['__unnamed_1822']], 'DisableableDepends' : [ 0x258, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x260, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x270, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x280, ['unsigned 
long']], 'PreviousParent' : [ 0x288, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x290, ['long']], 'NumaNodeIndex' : [ 0x294, ['unsigned long']], 'ContainerID' : [ 0x298, ['_GUID']], 'OverrideFlags' : [ 0x2a8, ['unsigned char']], 'DeviceIdsHash' : [ 0x2ac, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x2b0, ['unsigned char']], 'PendingEjectRelations' : [ 0x2b8, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x2c0, ['unsigned long']], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x48, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x30, ['pointer64', ['unsigned long']]], 'EnableKeyWords' : [ 0x38, ['pointer64', ['unsigned long long']]], 'EnableLevel' : [ 0x40, ['pointer64', ['unsigned char']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x68, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 
'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependencyNode' : [ 0x50, ['pointer64', ['void']]], 'InterruptContext' : [ 0x58, ['pointer64', ['void']]], 'VerifierContext' : [ 0x60, ['pointer64', ['void']]], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KAFFINITY_EX' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 20, ['unsigned long long']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 
'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, 
['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, 
['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], 
'_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, 
['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_191f' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'WriteCustomBreakPoint' : [ 0x0, ['_DBGKD_WRITE_CUSTOM_BREAKPOINT']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_191f']], } ], '__unnamed_1926' : [ 0x28, { 'ReadMemory' : [ 0x0, 
['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1926']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 
0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PEP_ACPI_RESOURCE' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'IoMemory' : [ 0x0, ['_PEP_ACPI_IO_MEMORY_RESOURCE']], 'Interrupt' : [ 0x0, ['_PEP_ACPI_INTERRUPT_RESOURCE']], 'Gpio' : [ 0x0, ['_PEP_ACPI_GPIO_RESOURCE']], 'SpbI2c' : [ 0x0, ['_PEP_ACPI_SPB_I2C_RESOURCE']], 'SpbSpi' : [ 0x0, ['_PEP_ACPI_SPB_SPI_RESOURCE']], 'SpbUart' : [ 0x0, ['_PEP_ACPI_SPB_UART_RESOURCE']], 'ExtendedAddress' : [ 0x0, ['_PEP_ACPI_EXTENDED_ADDRESS']], } ], '_PEP_ACPI_IO_MEMORY_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Information' : [ 0x4, ['unsigned char']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], } ], '_PEP_ACPI_INTERRUPT_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'InterruptType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 
0x8, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Flags' : [ 0xc, ['_PEP_ACPI_RESOURCE_FLAGS']], 'Count' : [ 0x10, ['unsigned char']], 'Pins' : [ 0x18, ['pointer64', ['unsigned long']]], } ], '_PEP_ACPI_GPIO_RESOURCE' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'InterruptType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'PinConfig' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PullDefault', 1: 'PullUp', 2: 'PullDown', 3: 'PullNone'})]], 'IoRestrictionType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'IoRestrictionNone', 1: 'IoRestrictionInputOnly', 2: 'IoRestrictionOutputOnly', 3: 'IoRestrictionNoneAndPreserve'})]], 'DriveStrength' : [ 0x18, ['unsigned short']], 'DebounceTimeout' : [ 0x1a, ['unsigned short']], 'PinTable' : [ 0x20, ['pointer64', ['unsigned short']]], 'PinCount' : [ 0x28, ['unsigned short']], 'ResourceSourceIndex' : [ 0x2a, ['unsigned char']], 'ResourceSourceName' : [ 0x30, ['pointer64', ['_UNICODE_STRING']]], 'VendorData' : [ 0x38, ['pointer64', ['unsigned char']]], 'VendorDataLength' : [ 0x40, ['unsigned short']], } ], '_PEP_ACPI_SPB_I2C_RESOURCE' : [ 0x30, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x28, ['unsigned long']], 
'SlaveAddress' : [ 0x2c, ['unsigned short']], } ], '_PEP_ACPI_SPB_UART_RESOURCE' : [ 0x38, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'BaudRate' : [ 0x28, ['unsigned long']], 'RxBufferSize' : [ 0x2c, ['unsigned short']], 'TxBufferSize' : [ 0x2e, ['unsigned short']], 'Parity' : [ 0x30, ['unsigned char']], 'LinesInUse' : [ 0x31, ['unsigned char']], } ], '_PEP_ACPI_SPB_SPI_RESOURCE' : [ 0x38, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x28, ['unsigned long']], 'DataBitLength' : [ 0x2c, ['unsigned char']], 'Phase' : [ 0x2d, ['unsigned char']], 'Polarity' : [ 0x2e, ['unsigned char']], 'DeviceSelection' : [ 0x30, ['unsigned short']], } ], '_PEP_ACPI_EXTENDED_ADDRESS' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'ResourceFlags' : [ 0x8, ['unsigned char']], 'GeneralFlags' : [ 0x9, ['unsigned char']], 'TypeSpecificFlags' : [ 0xa, ['unsigned char']], 'RevisionId' : [ 0xb, ['unsigned char']], 'Reserved' : [ 0xc, ['unsigned char']], 'Granularity' : [ 0x10, ['unsigned long long']], 'MinimumAddress' : [ 0x18, ['unsigned long long']], 'MaximumAddress' : [ 0x20, ['unsigned long long']], 'TranslationAddress' : [ 0x28, ['unsigned long long']], 'AddressLength' : [ 0x30, ['unsigned long long']], 'TypeAttribute' : [ 0x38, ['unsigned long long']], 'DescriptorName' : [ 0x40, ['pointer64', ['_UNICODE_STRING']]], } ], '_PPM_PLATFORM_STATES' : [ 0x1c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'InterfaceVersion' : [ 0x4, ['unsigned long']], 'ProcessorCount' : [ 0x8, ['unsigned long']], 'CoordinatedInterface' : [ 0xc, ['unsigned char']], 'IdleTest' : [ 0x10, ['pointer64', ['void']]], 'IdlePreExecute' : [ 0x18, ['pointer64', ['void']]], 'IdleComplete' : [ 
0x20, ['pointer64', ['void']]], 'QueryPlatformStateResidency' : [ 0x28, ['pointer64', ['void']]], 'Accounting' : [ 0x30, ['pointer64', ['_PLATFORM_IDLE_ACCOUNTING']]], 'State' : [ 0x40, ['array', 1, ['_PPM_PLATFORM_STATE']]], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_PPM_PROFILE' : [ 0xb30, { 'Name' : [ 0x0, ['pointer64', ['unsigned short']]], 'Id' : [ 0x8, ['unsigned char']], 'Guid' : [ 0xc, ['_GUID']], 'Flags' : [ 0x1c, ['unsigned long']], 'Priority' : [ 0x20, ['unsigned char']], 'Settings' : [ 0x28, ['array', 2, ['_PPM_ENGINE_SETTINGS']]], 'StartTime' : [ 0xb08, ['unsigned long long']], 'Count' : [ 0xb10, ['unsigned long long']], 'MaxDuration' : [ 0xb18, ['unsigned long long']], 'MinDuration' : [ 0xb20, ['unsigned long long']], 'TotalDuration' : [ 0xb28, ['unsigned long long']], } ], '_PPM_ENGINE_SETTINGS' : [ 0x570, { 'ExplicitSetting' : [ 0x0, ['array', 2, ['_PPM_POLICY_SETTINGS_MASK']]], 'ThrottlingPolicy' : [ 0x10, ['unsigned char']], 'PerfTimeCheck' : [ 0x14, ['unsigned long']], 'PerfHistoryCount' : [ 0x18, ['array', 2, ['unsigned char']]], 'PerfMinPolicy' : [ 0x1a, ['array', 2, ['unsigned char']]], 'PerfMaxPolicy' : [ 0x1c, ['array', 2, ['unsigned char']]], 'PerfDecreaseTime' : [ 0x1e, ['array', 2, ['unsigned char']]], 'PerfIncreaseTime' : [ 0x20, ['array', 2, ['unsigned char']]], 'PerfDecreasePolicy' : [ 0x22, ['array', 2, ['unsigned char']]], 'PerfIncreasePolicy' : [ 0x24, ['array', 2, ['unsigned char']]], 'PerfDecreaseThreshold' : [ 0x26, ['array', 2, ['unsigned char']]], 'PerfIncreaseThreshold' : [ 0x28, ['array', 2, ['unsigned char']]], 'PerfBoostPolicy' : [ 0x2c, ['unsigned long']], 'PerfBoostMode' : [ 0x30, ['unsigned long']], 'PerfReductionTolerance' : [ 0x34, ['unsigned long']], 'EnergyPerfPreference' : [ 0x38, ['unsigned long']], 'AutonomousActivityWindow' : 
[ 0x3c, ['unsigned long']], 'AutonomousPreference' : [ 0x40, ['unsigned char']], 'LatencyHintPerf' : [ 0x41, ['array', 2, ['unsigned char']]], 'LatencyHintUnpark' : [ 0x43, ['array', 2, ['unsigned char']]], 'DutyCycling' : [ 0x45, ['unsigned char']], 'ParkingPerfState' : [ 0x46, ['array', 2, ['unsigned char']]], 'DistributeUtility' : [ 0x48, ['unsigned char']], 'CoreParkingOverUtilizationThreshold' : [ 0x49, ['unsigned char']], 'CoreParkingConcurrencyThreshold' : [ 0x4a, ['unsigned char']], 'CoreParkingHeadroomThreshold' : [ 0x4b, ['unsigned char']], 'CoreParkingDistributionThreshold' : [ 0x4c, ['unsigned char']], 'CoreParkingDecreasePolicy' : [ 0x4d, ['unsigned char']], 'CoreParkingIncreasePolicy' : [ 0x4e, ['unsigned char']], 'CoreParkingDecreaseTime' : [ 0x50, ['unsigned long']], 'CoreParkingIncreaseTime' : [ 0x54, ['unsigned long']], 'CoreParkingMinCores' : [ 0x58, ['array', 2, ['unsigned char']]], 'CoreParkingMaxCores' : [ 0x5a, ['array', 2, ['unsigned char']]], 'AllowScaling' : [ 0x5c, ['unsigned char']], 'IdleDisabled' : [ 0x5d, ['unsigned char']], 'IdleTimeCheck' : [ 0x60, ['unsigned long']], 'IdleDemotePercent' : [ 0x64, ['unsigned char']], 'IdlePromotePercent' : [ 0x65, ['unsigned char']], 'HeteroDecreaseTime' : [ 0x66, ['unsigned char']], 'HeteroIncreaseTime' : [ 0x67, ['unsigned char']], 'HeteroDecreaseThreshold' : [ 0x68, ['array', 640, ['unsigned char']]], 'HeteroIncreaseThreshold' : [ 0x2e8, ['array', 640, ['unsigned char']]], 'Class0FloorPerformance' : [ 0x568, ['unsigned char']], 'Class1InitialPerformance' : [ 0x569, ['unsigned char']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : 
[ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_PERF_FLAGS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'Progress' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 27, native_type='unsigned long')]], 'Synchronicity' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 29, native_type='unsigned long')]], 'RequestPepCompleted' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'RequestSucceeded' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NestedCallback' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'IrpFirstPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 
'IrpLastPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0xd0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x20, ['unsigned long long']], 'LogHandleContext' : [ 0x28, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0xc0, ['unsigned long']], 'PagesQueuedToDisk' : [ 0xc4, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0xc8, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x210, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 
'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'V1' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0x100, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x118, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0x150, ['_LARGE_INTEGER']], 'Event' : [ 0x158, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x170, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x178, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1f0, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1f8, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x200, ['unsigned long']], 'WritesInProgress' : [ 0x204, ['unsigned long']], 'AsyncReadRequestCount' : [ 0x208, ['unsigned long']], } ], '__unnamed_1a0a' : [ 0x10, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_1a0a']], 'ArrayHead' : [ 0x20, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1a2e' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1a30' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1a32' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_1a34' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1a36' : [ 0x30, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x8, ['pointer64', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x10, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x28, ['unsigned char']], } ], '__unnamed_1a3a' : [ 0x58, { 'SharedCacheMap' : [ 0x0, 
['pointer64', ['_SHARED_CACHE_MAP']]], 'FileOffset' : [ 0x8, ['_LARGE_INTEGER']], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Length' : [ 0x18, ['unsigned long']], 'PrefetchList' : [ 0x20, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'PrefetchPagePriority' : [ 0x28, ['unsigned long']], 'Mdl' : [ 0x30, ['pointer64', ['_MDL']]], 'IoStatusBlock' : [ 0x38, ['pointer64', ['_IO_STATUS_BLOCK']]], 'CallbackContext' : [ 0x40, ['pointer64', ['_CC_ASYNC_READ_CONTEXT']]], 'OriginatingProcess' : [ 0x48, ['pointer64', ['_EPROCESS']]], 'RequestorMode' : [ 0x50, ['unsigned char']], 'NestingLevel' : [ 0x54, ['unsigned long']], } ], '__unnamed_1a3c' : [ 0x58, { 'Read' : [ 0x0, ['__unnamed_1a2e']], 'Write' : [ 0x0, ['__unnamed_1a30']], 'Event' : [ 0x0, ['__unnamed_1a32']], 'Notification' : [ 0x0, ['__unnamed_1a34']], 'LowPriWrite' : [ 0x0, ['__unnamed_1a36']], 'AsyncRead' : [ 0x0, ['__unnamed_1a3a']], } ], '_WORK_QUEUE_ENTRY' : [ 0x70, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_1a3c']], 'Function' : [ 0x68, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x30, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x8, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x20, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x98, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x10, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x18, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x30, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x68, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x6c, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x70, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x78, ['pointer64', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x80, ['unsigned long long']], 'LastLWTimeStamp' : [ 0x88, ['_LARGE_INTEGER']], 'Flags' : [ 0x90, ['unsigned long']], } ], '_MBCB' : [ 0xc0, { 
'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x298, { 'Segment' : [ 0x0, ['_HEAP_SEGMENT']], 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', 
['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x90, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x94, ['unsigned long']], 'Signature' : [ 0x98, ['unsigned long']], 'SegmentReserve' : [ 0xa0, ['unsigned long long']], 'SegmentCommit' : [ 0xa8, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb0, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xb8, ['unsigned long long']], 'TotalFreeSize' : [ 0xc0, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xc8, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd0, ['unsigned short']], 'HeaderValidateLength' : [ 0xd2, ['unsigned short']], 'HeaderValidateCopy' : [ 0xd8, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe0, ['unsigned short']], 'MaximumTagIndex' : [ 0xe2, ['unsigned short']], 'TagEntries' : [ 0xe8, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf0, ['_LIST_ENTRY']], 'AlignRound' : [ 0x100, ['unsigned long long']], 'AlignMask' : [ 0x108, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x110, ['_LIST_ENTRY']], 'SegmentList' : [ 0x120, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x130, ['unsigned short']], 'NonDedicatedListLength' : [ 0x134, ['unsigned long']], 'BlocksIndex' : [ 0x138, ['pointer64', ['void']]], 'UCRIndex' : [ 0x140, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x148, 
['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x150, ['_LIST_ENTRY']], 'LockVariable' : [ 0x160, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x168, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x170, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x178, ['unsigned short']], 'FrontEndHeapType' : [ 0x17a, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0x17b, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0x180, ['pointer64', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0x188, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0x18a, ['array', 129, ['unsigned char']]], 'Counters' : [ 0x210, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x288, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1aaa' : [ 0x68, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_1aaa']], } ], '_HEAP_ENTRY' : [ 0x10, { 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 
'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'HeapEntry' : [ 0x0, ['_HEAP_ENTRY']], 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : 
[ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1afd' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1aff' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1afd']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1b01' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1b03' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1b01']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1aff']], 'u2' : [ 0x4, ['__unnamed_1b03']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x30, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer64', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 
'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], } ], '__unnamed_1b1e' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1b20' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1b1e']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x30, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_1b20']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x18, ['long long']], 'Lock' : [ 0x20, ['_EX_PUSH_LOCK']], } ], '__unnamed_1b32' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1b34' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b32']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_1b34']], 'NumberOfRegions' : [ 0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_1b3d' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1b3f' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b3d']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, 
['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_1b3f']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_1b45' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1b47' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b45']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_1b47']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x48, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x40, ['pointer64', ['_KALPC_MESSAGE']]], } ], '__unnamed_1b65' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1b67' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b65']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1d8, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', 
['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa0, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0xb8, ['_LIST_ENTRY']], 'DirectQueueLock' : [ 0xc8, ['_EX_PUSH_LOCK']], 'DirectQueue' : [ 0xd0, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0xe0, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0xe8, ['_LIST_ENTRY']], 'Semaphore' : [ 0xf8, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xf8, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0x100, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x148, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x150, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0x168, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0x170, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x178, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x180, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x190, ['long']], 'ReferenceNo' : [ 0x194, ['long']], 'ReferenceNoWait' : [ 0x198, ['pointer64', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0x1a0, ['__unnamed_1b67']], 'TargetQueuePort' : [ 0x1a8, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x1b0, ['pointer64', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x1b8, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x1c0, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x1c4, ['unsigned long']], 'PendingQueueLength' : [ 0x1c8, ['unsigned long']], 'DirectQueueLength' : [ 0x1cc, ['unsigned long']], 'CanceledQueueLength' : [ 0x1d0, ['unsigned long']], 'WaitQueueLength' : [ 0x1d4, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0xa0, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'CompletionListLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x20, 
['pointer64', ['_MDL']]], 'UserVa' : [ 0x28, ['pointer64', ['void']]], 'UserLimit' : [ 0x30, ['pointer64', ['void']]], 'DataUserVa' : [ 0x38, ['pointer64', ['void']]], 'SystemVa' : [ 0x40, ['pointer64', ['void']]], 'TotalSize' : [ 0x48, ['unsigned long long']], 'Header' : [ 0x50, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x58, ['pointer64', ['void']]], 'ListSize' : [ 0x60, ['unsigned long long']], 'Bitmap' : [ 0x68, ['pointer64', ['void']]], 'BitmapSize' : [ 0x70, ['unsigned long long']], 'Data' : [ 0x78, ['pointer64', ['void']]], 'DataSize' : [ 0x80, ['unsigned long long']], 'BitmapLimit' : [ 0x88, ['unsigned long']], 'BitmapNextHint' : [ 0x8c, ['unsigned long']], 'ConcurrencyCount' : [ 0x90, ['unsigned long']], 'AttributeFlags' : [ 0x94, ['unsigned long']], 'AttributeSize' : [ 0x98, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_TYPE' : [ 0xd8, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'Key' : [ 0xc0, ['unsigned long']], 'CallbackList' : [ 0xc8, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x20, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x18, ['long']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1aff']], 'u2' : [ 
0x4, ['__unnamed_1b03']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1b8d' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1b8f' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b8d']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x108, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'u1' : [ 0x28, ['__unnamed_1b8f']], 'SequenceNo' : [ 0x2c, ['long']], 'QuotaProcess' : [ 0x30, ['pointer64', ['_EPROCESS']]], 
'QuotaBlock' : [ 0x30, ['pointer64', ['void']]], 'CancelSequencePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x40, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x48, ['long']], 'CancelListEntry' : [ 0x50, ['_LIST_ENTRY']], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x68, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xa8, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xb0, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xb8, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xc0, ['pointer64', ['_ETHREAD']]], 'WakeReference' : [ 0xc8, ['pointer64', ['void']]], 'ExtensionBuffer' : [ 0xd0, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0xd8, ['unsigned long long']], 'PortMessage' : [ 0xe0, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x40, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'DirectEvent' : [ 0x28, ['_KALPC_DIRECT_EVENT']], 'Flags' : [ 0x30, ['unsigned long']], 'TotalLength' : [ 0x34, ['unsigned short']], 'Type' : [ 0x36, ['unsigned short']], 'DataInfoOffset' : [ 0x38, ['unsigned short']], 'SignalCompletion' : [ 0x3a, ['unsigned char']], 'PostedToCompletionList' : [ 0x3b, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x30, { 'Flags' : [ 0x0, ['unsigned 
long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x40, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], 'DirectEvent' : [ 0x38, ['_KALPC_DIRECT_EVENT']], } ], '__unnamed_1bd3' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1bd5' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bd3']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1bd5']], } ], '_KALPC_DIRECT_EVENT' : [ 0x8, { 'Event' : [ 0x0, ['unsigned long long']], 'Referenced' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned 
char']], } ], '_IOP_IRP_EXTENSION' : [ 0x30, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer64', ['void']]], 'ActivityId' : [ 0x10, ['_GUID']], 'Timestamp' : [ 0x20, ['_LARGE_INTEGER']], 'ZeroingOffset' : [ 0x20, ['unsigned long']], 'FsTrackOffsetBlob' : [ 0x20, ['pointer64', ['_IO_IRP_EXT_TRACK_OFFSET_HEADER']]], 'FsTrackedOffset' : [ 0x28, ['long long']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, 
['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x48, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, ['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned 
char']], 'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'AccessMode' : [ 0x94, ['unsigned char']], 'DriverCreateContext' : [ 0x98, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1c9e' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x118, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1c9e']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer64', ['unsigned short']]], 'LogFileName' : [ 0x40, ['pointer64', ['unsigned short']]], 'TimeZone' : [ 0x48, ['_RTL_TIME_ZONE_INFORMATION']], 
'BootTime' : [ 0xf8, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0x100, ['_LARGE_INTEGER']], 'StartTime' : [ 0x108, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x110, ['unsigned long']], 'BuffersLost' : [ 0x114, ['unsigned long']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x398, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 2, ['unsigned long']]], 'ErrorMarker' : [ 0x1c, ['unsigned long']], 'SizeMask' : [ 0x20, ['unsigned long']], 'GetCpuClock' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'FailureReason' : [ 0x3c, ['unsigned long']], 'BufferQueue' : [ 0x40, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x58, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x70, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x80, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x90, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x90, ['_EX_FAST_REF']], 'LoggerName' : [ 0x98, ['_UNICODE_STRING']], 'LogFileName' : [ 0xa8, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0xb8, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xc8, ['_UNICODE_STRING']], 'ClockType' : [ 0xd8, ['unsigned long']], 'LastFlushedBuffer' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'FlushThreshold' : [ 0xe4, ['unsigned long']], 'ByteOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xf0, ['unsigned long']], 'BuffersAvailable' : [ 0xf4, ['long']], 'NumberOfBuffers' : [ 0xf8, ['long']], 'MaximumBuffers' : [ 0xfc, ['unsigned long']], 'EventsLost' : [ 0x100, ['unsigned long']], 'PeakBuffersCount' : [ 0x104, ['long']], 'BuffersWritten' : [ 0x108, ['unsigned long']], 'LogBuffersLost' : [ 0x10c, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x110, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x114, ['unsigned long']], 'SequencePtr' 
: [ 0x118, ['pointer64', ['long']]], 'LocalSequence' : [ 0x120, ['unsigned long']], 'InstanceGuid' : [ 0x124, ['_GUID']], 'MaximumFileSize' : [ 0x134, ['unsigned long']], 'FileCounter' : [ 0x138, ['long']], 'PoolType' : [ 0x13c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x140, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0x150, ['long']], 'ProviderInfoSize' : [ 0x154, ['unsigned long']], 'Consumers' : [ 0x158, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x168, ['unsigned long']], 'TransitionConsumer' : [ 0x170, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x178, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x180, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x190, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x1a0, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1a8, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1b0, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1b8, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1c0, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1d0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1d8, ['_KEVENT']], 'FlushEvent' : [ 0x1f0, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x208, ['_KTIMER']], 'LoggerDpc' : [ 0x248, ['_KDPC']], 'LoggerMutex' : [ 
0x288, ['_KMUTANT']], 'LoggerLock' : [ 0x2c0, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2c8, ['unsigned long long']], 'BufferListPushLock' : [ 0x2c8, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2d0, ['_SECURITY_CLIENT_CONTEXT']], 'TokenAccessInformation' : [ 0x318, ['pointer64', ['_TOKEN_ACCESS_INFORMATION']]], 'SecurityDescriptor' : [ 0x320, ['_EX_FAST_REF']], 'StartTime' : [ 0x328, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x330, ['pointer64', ['void']]], 'BufferSequenceNumber' : [ 0x338, ['long long']], 'Flags' : [ 0x340, ['unsigned long']], 'Persistent' : [ 0x340, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x340, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x340, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x340, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x340, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x340, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x340, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x340, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x340, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x340, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x340, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x340, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x340, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'StackLookasideListAllocated' : [ 0x340, ['BitField', dict(start_bit = 13, end_bit = 
14, native_type='unsigned long')]], 'SecurityTrace' : [ 0x340, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'SpareFlags1' : [ 0x340, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x340, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x340, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x340, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x344, ['unsigned long']], 'DbgRequestNewFile' : [ 0x344, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x344, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x344, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x344, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x344, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x344, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x344, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x344, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDeferredFlush' : [ 0x344, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDeferredFlushTimer' : [ 0x344, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x344, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x344, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 
'DbgSpareRequestFlags' : [ 0x344, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x348, ['_RTL_BITMAP']], 'StackCache' : [ 0x358, ['pointer64', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x360, ['pointer64', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x368, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x378, ['pointer64', ['pointer64', ['_WMI_BUFFER_HEADER']]]], 'DisallowedGuids' : [ 0x380, ['_DISALLOWED_GUIDS']], 'ServerSilo' : [ 0x390, ['pointer64', ['_ESILO']]], } ], '_ETW_PMC_SUPPORT' : [ 0x28, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer64', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_SILODRIVERSTATE' : [ 0x1b0, { 'EtwpSecurityProviderPID' : [ 0x0, ['unsigned long']], 'EtwpSecurityProviderGuidEntry' : [ 0x8, ['_ETW_GUID_ENTRY']], 'AuditLoggerId' : [ 0x188, ['unsigned long']], 'EtwPsProvRegHandle' : [ 0x190, ['unsigned long long']], 'EtwpSecurityLoggers' : [ 0x198, ['array', 8, ['unsigned short']]], 
'EtwpSecurityProviderEnableMask' : [ 0x1a8, ['unsigned char']], 'EtwpShutdownInProgress' : [ 0x1a9, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x478, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0xa0, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa8, ['pointer64', ['void']]], 'DynamicPart' : [ 0xb0, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb8, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc8, ['unsigned long']], 'TokenInUse' : [ 0xcc, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xd0, ['unsigned long']], 'MandatoryPolicy' : [ 0xd4, ['unsigned long']], 'LogonSession' : [ 0xd8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe0, ['_LUID']], 'SidHash' : [ 0xe8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f8, 
['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x308, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x310, ['pointer64', ['void']]], 'Capabilities' : [ 0x318, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x320, ['unsigned long']], 'CapabilitiesHash' : [ 0x328, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x438, ['pointer64', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x440, ['pointer64', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x448, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x450, ['pointer64', ['void']]], 'TrustLinkedToken' : [ 0x458, ['pointer64', ['_TOKEN']]], 'IntegrityLevelSidValue' : [ 0x460, ['pointer64', ['void']]], 'TokenSidValues' : [ 0x468, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], 'VariablePart' : [ 0x470, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0xa8, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['long long']], 'Flags' : [ 0x20, ['unsigned long']], 'pDeviceMap' : [ 0x28, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x30, ['pointer64', ['void']]], 'AccountName' : [ 0x38, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x48, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x58, ['_SEP_LOWBOX_HANDLES_TABLE']], 'SharedDataLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'SharedClaimAttributes' : [ 0x70, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'SharedSidValues' : [ 0x78, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], 'RevocationBlock' : [ 0x80, ['_OB_HANDLE_REVOCATION_BLOCK']], 'ServerSilo' : [ 0xa0, ['pointer64', ['_ESILO']]], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 
0x19, ['unsigned char']], 'DbgRefTrace' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'NewObject' : [ 0x1b, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0x1b, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0x1b, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0x1b, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0x1b, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0x1b, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0x1b, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0x1b, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare' : [ 0x1c, ['unsigned long']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', 
['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x10, { 'SecurityDescriptor' : [ 0x0, ['pointer64', ['void']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_REVOCATION_INFO' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'RevocationBlock' : [ 0x10, ['pointer64', ['_OB_HANDLE_REVOCATION_BLOCK']]], 'Padding1' : [ 0x18, ['array', 4, ['unsigned char']]], 'Padding2' : [ 0x1c, ['array', 4, ['unsigned char']]], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x28, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'EntryLink' : [ 0x10, ['pointer64', ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0x18, ['unsigned long']], 'HashIndex' : [ 0x1c, ['unsigned short']], 'DirectoryLocked' : [ 0x1e, ['unsigned char']], 'LockedExclusive' : [ 0x1f, ['unsigned char']], 'LockStateSignature' : [ 0x20, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x158, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x138, ['pointer64', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0x140, ['unsigned long']], 'NamespaceEntry' : [ 0x148, ['pointer64', ['void']]], 'Flags' : [ 0x150, ['unsigned long']], } ], '_OBP_SILODRIVERSTATE' : [ 0x80, { 'SystemDeviceMap' : [ 0x0, ['pointer64', ['_DEVICE_MAP']]], 'SystemDosDeviceState' : [ 0x8, ['_OBP_SYSTEM_DOS_DEVICE_STATE']], 
'DeviceMapLock' : [ 0x78, ['_EX_PUSH_LOCK']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_WHEAP_INFO_BLOCK' : [ 0x18, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x8, ['pointer64', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x10, ['pointer64', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x428, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x10, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x14, ['unsigned long']], 'ErrorCount' : [ 0x18, ['long']], 'RecordCount' : [ 0x1c, ['unsigned long']], 'RecordLength' : [ 0x20, ['unsigned long']], 'PoolTag' : [ 0x24, ['unsigned long']], 'Type' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x30, ['pointer64', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x38, ['pointer64', ['void']]], 'SectionCount' : [ 0x40, ['unsigned long']], 'SectionLength' : [ 0x44, ['unsigned long']], 'TickCountAtLastError' : [ 0x48, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x50, ['unsigned long']], 'TotalErrors' : [ 0x54, ['unsigned long']], 'Deferred' : [ 0x58, ['unsigned char']], 'Descriptor' : [ 0x59, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xf0, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x10, ['unsigned long']], 'ProcessorNumber' : [ 
0x14, ['unsigned long']], 'Flags' : [ 0x18, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x1c, ['long']], 'ErrorSource' : [ 0x20, ['pointer64', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x28, ['_WHEA_ERROR_RECORD']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x30, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'ConnectLock' : [ 0x8, ['_KEVENT']], 'LineMasked' : [ 0x20, ['unsigned char']], 'InterruptList' : [ 0x28, ['pointer64', ['_KINTERRUPT']]], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'Arm64ControlSet' : [ 0x0, ['_ARM64_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long long']], 'WorkQueue' : [ 0x20, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x60, ['pointer64', ['void']]], 'AcceptProcessorNotification' : [ 0x68, ['pointer64', ['void']]], 'AcceptAcpiNotification' : [ 0x70, ['pointer64', ['void']]], 'WorkOrderCount' : [ 0x78, ['unsigned long']], 'WorkOrders' : [ 0x80, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], 
'_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, 
native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_MI_PARTITION_SEGMENTS' : [ 0x110, { 'DeleteSubsectionCleanup' : [ 0x0, ['_KEVENT']], 'UnusedSegmentCleanup' : [ 0x18, ['_KEVENT']], 'SubsectionDeletePtes' : [ 0x30, ['unsigned long long']], 'DereferenceSegmentHeader' : [ 0x38, ['_MMDEREFERENCE_SEGMENT_HEADER']], 'DeleteOnCloseList' : [ 0x68, ['_LIST_ENTRY']], 'DeleteOnCloseTimer' : [ 0x78, ['_KTIMER']], 'DeleteOnCloseTimerActive' : [ 0xb8, ['unsigned char']], 'DeleteOnCloseCount' : [ 0xbc, ['unsigned long']], 'UnusedSegmentList' : [ 0xc0, ['_LIST_ENTRY']], 'UnusedSubsectionList' : [ 0xd0, ['_LIST_ENTRY']], 'DeleteSubsectionList' : [ 0xe0, ['_LIST_ENTRY']], 'ControlAreaDeleteEvent' : [ 0xf0, ['_KEVENT']], 'ControlAreaDeleteList' : [ 0x108, ['_SINGLE_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x150, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x108, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x148, ['unsigned 
long']], } ], '_HEAP_UNPACKED_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], } ], '_PEP_ACPI_SPB_RESOURCE' : [ 0x28, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'TypeSpecificFlags' : [ 0x8, ['unsigned short']], 'ResourceSourceIndex' : [ 0xa, ['unsigned char']], 'ResourceSourceName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'VendorData' : [ 0x18, ['pointer64', ['unsigned char']]], 'VendorDataLength' : [ 0x20, ['unsigned short']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'Type' : [ 0x0, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Reserved1' : [ 0x3, ['unsigned char']], 'TimerType' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Timer2Type' : [ 0x0, ['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Timer2ReservedFlags' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Timer2Reserved1' : [ 0x2, ['unsigned char']], 'Timer2Reserved2' : [ 0x3, ['unsigned char']], 'QueueType' : [ 0x0, ['unsigned char']], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'QueueReservedControlFlags' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueSize' : [ 0x2, ['unsigned char']], 'QueueReserved' : [ 0x3, ['unsigned char']], 'ThreadType' : [ 0x0, ['unsigned char']], 'ThreadReserved' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, 
end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Tagged' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'EnergyProfiling' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ThreadReservedControlFlags' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Minimal' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved4' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MutantType' : [ 0x0, ['unsigned char']], 'MutantSize' : [ 0x1, ['unsigned char']], 'DpcActive' : [ 0x2, ['unsigned char']], 'MutantReserved' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_ETW_GUID_ENTRY' : [ 0x180, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long long']], 'Guid' : [ 0x18, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['pointer64', ['_ETW_FILTER_HEADER']]], 'ServerSilo' : [ 0x178, ['pointer64', ['_ESILO']]], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, 
['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'WaitResponse' : [ 0xc, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], } ], '_HEAP_COUNTERS' : [ 0x78, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'PollIntervalCounter' : [ 0x48, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x4c, ['unsigned long']], 'HeapPollInterval' : [ 0x50, ['unsigned long']], 'AllocAndFreeOps' : [ 0x54, ['unsigned long']], 'AllocationIndicesActive' : [ 0x58, ['unsigned long']], 'InBlockDeccommits' : [ 0x5c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x60, ['unsigned long long']], 'HighWatermarkSize' : [ 0x68, ['unsigned long long']], 'LastPolledSize' : [ 0x70, ['unsigned long long']], } ], '_TraceLoggingMetadata_t' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned char']], 'Flags' : [ 0x7, ['unsigned char']], 'Magic' : 
[ 0x8, ['unsigned long long']], } ], '_MI_VISIBLE_PARTITION' : [ 0x1100, { 'LowestPhysicalPage' : [ 0x0, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x8, ['unsigned long long']], 'NumberOfPhysicalPages' : [ 0x10, ['unsigned long long']], 'NumberOfPagingFiles' : [ 0x18, ['unsigned long']], 'PagingFile' : [ 0x20, ['array', 16, ['pointer64', ['_MMPAGING_FILE']]]], 'AvailablePages' : [ 0xc0, ['unsigned long long']], 'ResidentAvailablePages' : [ 0x100, ['unsigned long long']], 'TotalCommittedPages' : [ 0x108, ['unsigned long long']], 'ModifiedPageListHead' : [ 0x140, ['_MMPFNLIST']], 'ModifiedNoWritePageListHead' : [ 0x180, ['_MMPFNLIST']], 'TotalCommitLimit' : [ 0x1a8, ['unsigned long long']], 'TotalPagesForPagingFile' : [ 0x1b0, ['unsigned long long']], 'VadPhysicalPages' : [ 0x1b8, ['unsigned long long']], 'ProcessLockedFilePages' : [ 0x1c0, ['unsigned long long']], 'ChargeCommitmentFailures' : [ 0x1c8, ['array', 4, ['unsigned long']]], 'PageTableBitmapPages' : [ 0x1d8, ['unsigned long long']], 'PageFileTraceIndex' : [ 0x1e0, ['long']], 'PageFileTraces' : [ 0x1e8, ['array', 32, ['_MI_PAGEFILE_TRACES']]], } ], '_OB_HANDLE_REVOCATION_BLOCK' : [ 0x20, { 'RevocationInfos' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Rundown' : [ 0x18, ['_EX_RUNDOWN_REF']], } ], '_SYSPTES_HEADER' : [ 0x118, { 'ListHead' : [ 0x0, ['array', 16, ['_LIST_ENTRY']]], 'Count' : [ 0x100, ['unsigned long long']], 'NumberOfEntries' : [ 0x108, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x110, ['unsigned long long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_MI_ACTIVE_WSLE_LISTHEAD' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' 
: [ 0x8, ['unsigned long long']], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x70, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x68, ['unsigned char']], 'DeleteType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], '_PPM_PLATFORM_STATE' : [ 0x180, { 'Latency' : [ 0x0, ['unsigned long']], 'BreakEvenDuration' : [ 0x4, ['unsigned long']], 'VetoAccounting' : [ 0x8, ['_PPM_VETO_ACCOUNTING']], 'TransitionDebugger' : [ 0x30, ['unsigned char']], 'Platform' : [ 0x31, ['unsigned char']], 'DependencyListCount' : [ 0x34, ['unsigned long']], 'Processors' : [ 0x38, ['_KAFFINITY_EX']], 'Name' : [ 0xe0, ['_UNICODE_STRING']], 'DependencyLists' : [ 0xf0, ['pointer64', ['_PPM_SELECTION_DEPENDENCY']]], 'Synchronization' : [ 0xf8, ['_PPM_COORDINATED_SYNCHRONIZATION']], 'EnterTime' : [ 0x100, ['unsigned long 
long']], 'RefCount' : [ 0x140, ['long']], 'CacheAlign0' : [ 0x140, ['array', 64, ['unsigned char']]], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_TOKEN_ACCESS_INFORMATION' : [ 0x58, { 'SidHash' : [ 0x0, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'RestrictedSidHash' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'Privileges' : [ 0x10, ['pointer64', ['_TOKEN_PRIVILEGES']]], 'AuthenticationId' : [ 0x18, ['_LUID']], 'TokenType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'MandatoryPolicy' : [ 0x28, ['_TOKEN_MANDATORY_POLICY']], 'Flags' : [ 0x2c, ['unsigned long']], 'AppContainerNumber' : [ 0x30, ['unsigned long']], 'PackageSid' : [ 0x38, ['pointer64', ['void']]], 'CapabilitiesHash' : [ 0x40, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'TrustLevelSid' : [ 0x48, ['pointer64', ['void']]], 'SecurityAttributes' : [ 0x50, ['pointer64', ['void']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_WORK_ORDER' : [ 0x38, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x20, ['long']], 'Context' : [ 0x28, ['pointer64', ['void']]], 'WatchdogTimerInfo' : [ 0x30, ['pointer64', 
['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'FloppyMedia' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ForceCollision' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, 
['pointer64', ['void']]], 'Reserved' : [ 0x20, ['array', 3, ['pointer64', ['void']]]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, ['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['unsigned long long']], 'Key' : [ 0x8, ['unsigned long']], 'Pattern' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolType' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 20, native_type='unsigned long')]], 'SlushSize' : [ 0xc, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x50, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ulTargetPlatform' : [ 0x8, ['unsigned long']], 'ullContextMinimum' : [ 0x10, ['unsigned long long']], 'guPlatform' : [ 0x18, ['_GUID']], 'guMinPlatform' : [ 0x28, ['_GUID']], 'ulContextSource' : [ 0x38, ['unsigned long']], 'ulElementCount' : [ 0x3c, ['unsigned long']], 'guElements' : [ 0x40, ['array', 1, ['_GUID']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x30, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x18, ['_KEVENT']], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 
0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x10, ['unsigned char']], 'BlockState' : [ 0x11, ['unsigned char']], 'WaitKey' : [ 0x12, ['unsigned short']], 'SpareLong' : [ 0x14, ['long']], 'Thread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NotificationQueue' : [ 0x18, ['pointer64', ['_KQUEUE']]], 'Object' : [ 0x20, ['pointer64', ['void']]], 'SparePtr' : [ 0x28, ['pointer64', ['void']]], } ], '_ARM64_DBGKD_CONTROL_SET' : [ 0x18, { 'Continue' : [ 0x0, ['unsigned long']], 'TraceFlag' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x10, ['unsigned long long']], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long 
long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'ThermalStandbyTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], 'MinimumThrottle' : [ 0x50, ['unsigned long']], 'OverThrottleThreshold' : [ 0x54, ['unsigned long']], } ], '__unnamed_1e81' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, 
['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1e83' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1e81']], 'Private' : [ 0x0, ['__unnamed_1e83']], } ], '_KTIMER2' : [ 0x88, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'RbNodes' : [ 0x18, ['array', 2, ['_RTL_BALANCED_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'DueTime' : [ 0x48, ['unsigned long long']], 'MaximumDueTime' : [ 0x50, ['unsigned long long']], 'Period' : [ 0x58, ['long long']], 'Callback' : [ 0x60, ['pointer64', ['void']]], 'CallbackContext' : [ 0x68, ['pointer64', ['void']]], 'DisableCallback' : [ 0x70, ['pointer64', ['void']]], 'DisableContext' : [ 0x78, ['pointer64', ['void']]], 'AbsoluteSystemTime' : [ 0x80, ['unsigned char']], 'TypeFlags' : [ 0x81, ['unsigned char']], 'Plain' : [ 0x81, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IdleResilient' : [ 0x81, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HighResolution' : [ 0x81, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'NoWake' : [ 0x81, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'NoWakeFinite' : [ 0x81, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Unused' : [ 0x81, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, 
['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 
0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'DynamicRelocations' : [ 0x0, ['pointer64', ['void']]], 'SecurityContext' : [ 0x8, ['_IMAGE_SECURITY_CONTEXT']], 'StrongImageReference' : [ 0x10, ['unsigned long long']], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x260, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x10, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x20, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x130, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x240, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x248, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x250, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x258, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 28, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x528, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb8, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xc0, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0xc8, ['unsigned long long']], 'TotalPageFaultCount' : [ 0xd0, ['unsigned long']], 'TotalProcesses' : [ 0xd4, ['unsigned long']], 'ActiveProcesses' : [ 0xd8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xdc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xe0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf8, ['unsigned long long']], 'LimitFlags' : [ 0x100, ['unsigned long']], 'ActiveProcessLimit' : [ 0x104, ['unsigned long']], 
'Affinity' : [ 0x108, ['_KAFFINITY_EX']], 'AccessState' : [ 0x1b0, ['pointer64', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0x1b8, ['pointer64', ['void']]], 'UIRestrictionsClass' : [ 0x1c0, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x1c4, ['unsigned long']], 'CompletionPort' : [ 0x1c8, ['pointer64', ['void']]], 'CompletionKey' : [ 0x1d0, ['pointer64', ['void']]], 'CompletionCount' : [ 0x1d8, ['unsigned long long']], 'SessionId' : [ 0x1e0, ['unsigned long']], 'SchedulingClass' : [ 0x1e4, ['unsigned long']], 'ReadOperationCount' : [ 0x1e8, ['unsigned long long']], 'WriteOperationCount' : [ 0x1f0, ['unsigned long long']], 'OtherOperationCount' : [ 0x1f8, ['unsigned long long']], 'ReadTransferCount' : [ 0x200, ['unsigned long long']], 'WriteTransferCount' : [ 0x208, ['unsigned long long']], 'OtherTransferCount' : [ 0x210, ['unsigned long long']], 'DiskIoInfo' : [ 0x218, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x240, ['unsigned long long']], 'JobMemoryLimit' : [ 0x248, ['unsigned long long']], 'JobTotalMemoryLimit' : [ 0x250, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x258, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x260, ['unsigned long long']], 'EffectiveAffinity' : [ 0x268, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x310, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x318, ['unsigned long long']], 'EffectiveMaximumWorkingSetSize' : [ 0x320, ['unsigned long long']], 'EffectiveProcessMemoryLimit' : [ 0x328, ['unsigned long long']], 'EffectiveProcessMemoryLimitJob' : [ 0x330, ['pointer64', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x338, ['pointer64', ['_EJOB']]], 'EffectiveDiskIoRateLimitJob' : [ 0x340, ['pointer64', ['_EJOB']]], 'EffectiveNetIoRateLimitJob' : [ 0x348, ['pointer64', ['_EJOB']]], 'EffectiveHeapAttributionJob' : [ 0x350, ['pointer64', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x358, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x35c, ['unsigned long']], 
'EffectiveFreezeCount' : [ 0x360, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x364, ['unsigned long']], 'EffectiveSwapCount' : [ 0x368, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x36c, ['unsigned long']], 'EffectivePriorityClass' : [ 0x370, ['unsigned char']], 'PriorityClass' : [ 0x371, ['unsigned char']], 'NestingDepth' : [ 0x372, ['unsigned char']], 'Reserved1' : [ 0x373, ['array', 1, ['unsigned char']]], 'CompletionFilter' : [ 0x374, ['unsigned long']], 'WakeChannel' : [ 0x378, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x378, ['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x3b0, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x3b8, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x3bc, ['unsigned long']], 'NotificationLink' : [ 0x3c0, ['pointer64', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x3c8, ['unsigned long long']], 'NotificationInfo' : [ 0x3d0, ['pointer64', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x3d8, ['pointer64', ['void']]], 'NotificationPacket' : [ 0x3e0, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x3e8, ['pointer64', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x3f0, ['pointer64', ['void']]], 'ReadyTime' : [ 0x3f8, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x400, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x408, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x418, ['_LIST_ENTRY']], 'ParentJob' : [ 0x428, ['pointer64', ['_EJOB']]], 'RootJob' : [ 0x430, ['pointer64', ['_EJOB']]], 'IteratorListHead' : [ 0x438, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x448, ['unsigned long long']], 'Ancestors' : [ 0x450, ['pointer64', ['pointer64', ['_EJOB']]]], 'SessionObject' : [ 0x450, ['pointer64', ['void']]], 'Accounting' : [ 0x458, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x4a8, ['unsigned long']], 'ActiveAuxiliaryProcessCount' : [ 0x4ac, ['unsigned long']], 'SequenceNumber' : [ 0x4b0, ['unsigned long']], 'TimerListLock' : [ 0x4b8, ['unsigned long 
long']], 'TimerListHead' : [ 0x4c0, ['_LIST_ENTRY']], 'ContainerId' : [ 0x4d0, ['_GUID']], 'Container' : [ 0x4e0, ['pointer64', ['_ESILO']]], 'PropertySet' : [ 0x4e8, ['_PS_PROPERTY_SET']], 'NetRateControl' : [ 0x500, ['pointer64', ['_JOB_NET_RATE_CONTROL']]], 'IoRateControl' : [ 0x508, ['pointer64', ['_JOB_IO_RATE_CONTROL']]], 'JobFlags' : [ 0x510, ['unsigned long']], 'CloseDone' : [ 0x510, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x510, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x510, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x510, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x510, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x510, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x510, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x510, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x510, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x510, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x510, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x510, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x510, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x510, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x510, ['BitField', dict(start_bit = 14, end_bit = 15, 
native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x510, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x510, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x510, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x510, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x510, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x510, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x510, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x510, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x510, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x510, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'NetRateControlActive' : [ 0x510, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'OwnNetRateControl' : [ 0x510, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IoRateControlActive' : [ 0x510, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'OwnIoRateControl' : [ 0x510, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'IsContainerRoot' : [ 0x510, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'SpareJobFlags' : [ 0x510, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x514, ['unsigned long']], 'EnergyValues' : [ 0x518, ['pointer64', ['_PROCESS_ENERGY_VALUES']]], 'SharedCommitCharge' : [ 0x520, 
['unsigned long long']], } ], '_PPM_IDLE_STATES' : [ 0x418, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'ForceIdle' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'UnaccountedTransition' : [ 0x5, ['unsigned char']], 'IdleDurationLimited' : [ 0x6, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'ReasonFlags' : [ 0x24, ['unsigned short']], 'InitiateWakeStamp' : [ 0x28, ['unsigned long long']], 'PreviousStatus' : [ 0x30, ['long']], 'PreviousCancelReason' : [ 0x34, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x38, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0xe0, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x188, ['pointer64', ['void']]], 'IdlePreExecute' : [ 0x190, ['pointer64', ['void']]], 'IdleExecute' : [ 0x198, ['pointer64', ['void']]], 'IdlePreselect' : [ 0x1a0, ['pointer64', ['void']]], 'IdleTest' : [ 0x1a8, ['pointer64', ['void']]], 'IdleAvailabilityCheck' : [ 0x1b0, ['pointer64', ['void']]], 'IdleComplete' : [ 0x1b8, ['pointer64', ['void']]], 'IdleCancel' : [ 0x1c0, ['pointer64', ['void']]], 'IdleIsHalted' : [ 0x1c8, ['pointer64', ['void']]], 'IdleInitiateWake' : [ 0x1d0, ['pointer64', ['void']]], 'PrepareInfo' : [ 0x1d8, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'DeepIdleSnapshot' : [ 0x230, ['_KAFFINITY_EX']], 'Tracing' : [ 0x2d8, ['pointer64', ['_PERFINFO_PPM_STATE_SELECTION']]], 'CoordinatedTracing' : [ 0x2e0, ['pointer64', ['_PERFINFO_PPM_STATE_SELECTION']]], 'ProcessorMenu' : [ 0x2e8, ['_PPM_SELECTION_MENU']], 'CoordinatedMenu' : [ 0x2f8, ['_PPM_SELECTION_MENU']], 'CoordinatedSelection' : [ 0x308, 
['_PPM_COORDINATED_SELECTION']], 'State' : [ 0x320, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PPM_VETO_ACCOUNTING' : [ 0x28, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x8, ['_LIST_ENTRY']], 'PreallocatedVetoCount' : [ 0x18, ['unsigned long']], 'PreallocatedVetoList' : [ 0x20, ['pointer64', ['_PPM_VETO_ENTRY']]], } ], '_PEB' : [ 0x388, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 
0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'SparePvoid0' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, 
['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', 
['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pUnused' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x98, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned short']], 'Flags' : [ 0x5a, ['unsigned 
char']], 'ShutDownRequested' : [ 0x5a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x5a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x5a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x5a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Wow' : [ 0x5a, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'EventsLostCount' : [ 0x88, ['pointer64', ['unsigned long']]], 'BuffersLostCount' : [ 0x90, ['pointer64', ['unsigned long']]], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, 
['_SINGLE_LIST_ENTRY']], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_TOKEN_MANDATORY_POLICY' : [ 0x4, { 'Policy' : [ 0x0, ['unsigned long']], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x50, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x38, ['pointer64', ['void']]], 'DvCallbacks' : [ 0x40, ['pointer64', ['void']]], 'VerifierContext' : [ 0x48, ['pointer64', 
['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEAP_WORK_QUEUE' : [ 0x88, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x10, ['unsigned long long']], 'ItemCount' : [ 0x18, ['long']], 'Dpc' : [ 0x20, ['_KDPC']], 'WorkItem' : [ 0x60, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x80, ['pointer64', ['void']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x100, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned 
long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'EmulateActiveBoth' : [ 0x65, ['unsigned char']], 'ActiveCount' : [ 0x66, ['unsigned short']], 'InternalState' : [ 0x68, ['long']], 'Mode' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x74, ['unsigned long']], 'DispatchCount' : [ 0x78, ['unsigned long']], 'PassiveEvent' : [ 0x80, ['pointer64', ['_KEVENT']]], 'TrapFrame' : [ 0x88, ['pointer64', ['_KTRAP_FRAME']]], 'DisconnectData' : [ 0x90, ['pointer64', ['void']]], 'ServiceThread' : [ 0x98, ['pointer64', ['_KTHREAD']]], 'ConnectionData' : [ 0xa0, ['pointer64', ['_INTERRUPT_CONNECTION_DATA']]], 'IntTrackEntry' : [ 0xa8, ['pointer64', ['void']]], 'IsrDpcStats' : [ 0xb0, ['_ISRDPCSTATS']], 'RedirectObject' : [ 0xf0, ['pointer64', ['void']]], 'Padding' : [ 0xf8, ['array', 8, ['unsigned char']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, 
['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x98, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], 'FilePath' : [ 0x88, ['_UNICODE_STRING']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long 
long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '__unnamed_1f5f' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, 
['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1f5f']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_EX_WORK_QUEUE' : [ 0x2d0, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'Node' : [ 0x2b0, ['pointer64', ['_ENODE']]], 'WorkItemsProcessed' : [ 0x2b8, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x2bc, ['unsigned long']], 'ThreadCount' : [ 0x2c0, ['long']], 'MinThreads' : [ 0x2c4, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='long')]], 'TryFailed' : [ 0x2c4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'MaxThreads' : [ 0x2c8, ['long']], 'QueueIndex' : [ 0x2cc, ['Enumeration', dict(target = 'long', choices = {0: 'ExPoolUntrusted', 1: 'ExPoolTrusted', 8: 'ExPoolMax'})]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, 
{ 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_MI_FLAGS' : [ 0x4, { 'EntireFlags' : [ 0x0, ['long']], 'VerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'KernelVerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LargePageKernel' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StopOn4d' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'InitializationPhase' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'PageKernelStacks' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CheckZeroPages' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ProcessorPrewalks' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ProcessorPostwalks' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'CoverageBuild' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AccessBitReplacementDisabled' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CheckExecute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 
'ZeroNonCachedByConverting' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ZeroWriteCombinedByConverting' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectedPagesEnabled' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'StrongCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long')]], 'HardCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'StrongPageIdentity' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'SecureRelocations' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_PS_PROPERTY_SET' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['unsigned long long']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x86, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', 
['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 
'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_IO_WORKITEM' : [ 0x58, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'WorkingOnBehalfClient' : [ 0x38, ['pointer64', ['void']]], 'Type' : [ 0x40, ['unsigned long']], 'ActivityId' : [ 0x44, ['_GUID']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, 
native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ManySubsections' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 31, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMWSLE_HASH' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long long']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x8, { 'PushImm' : [ 0x0, ['unsigned char']], 'Vector' : [ 0x1, ['unsigned char']], 'PushRbp' : [ 0x2, ['unsigned char']], 'JmpOp' : [ 0x3, ['unsigned char']], 'JmpOffset' : [ 0x4, ['long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x88, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x40, ['_KDPC']], 'WorkOrder' : [ 0x80, ['pointer64', ['_POP_FX_WORK_ORDER']]], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], 'SecureInfo' : [ 0x10, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x10, ['_RTL_BITMAP_EX']], 'InPageSupport' : [ 0x10, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'LargePage' : [ 0x10, ['pointer64', ['_MI_LARGEPAGE_MEMORY_INFO']]], 'CreatingThread' : [ 0x10, ['pointer64', ['_ETHREAD']]], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned 
short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_KTIMER2_COLLECTION' : [ 0x18, { 'Tree' : [ 0x0, ['_RTL_RB_TREE']], 'NextDueTime' : [ 0x10, ['unsigned long long']], } ], '_MIPFNBLINK' : [ 0x8, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeBlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 56, native_type='unsigned long long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 60, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 62, native_type='unsigned long long')]], 'PageBlinkDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'PageBlinkLockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'ShareCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 62, native_type='unsigned long long')]], 'PageShareCountDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'PageShareCountLockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned long long']], 'Lock' : [ 0x0, ['long long']], 
'LockNotUsed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 62, native_type='unsigned long long')]], 'DeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'LockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_MMCLONE_HEADER' : [ 0x18, { 'NumberOfPtes' : [ 0x0, ['unsigned long long']], 'NumberOfProcessReferences' : [ 0x8, ['unsigned long long']], 'ClonePtes' : [ 0x10, ['pointer64', ['_MMCLONE_BLOCK']]], } ], '_SESSION_LOWBOX_MAP' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'LowboxMap' : [ 0x18, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned 
char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0xb8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'RefCount' : [ 0x40, ['unsigned long']], 'Lock' : [ 0x44, ['unsigned long']], 'Cancel' : [ 0x48, ['unsigned char']], 'Parent' : [ 0x50, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'ActivityId' : [ 0x58, ['_GUID']], 'Data' : [ 0x68, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_PS_WAKE_INFORMATION' : [ 0x38, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 5, ['unsigned long long']]], 'NoWakeCounter' : [ 0x30, ['unsigned long long']], } ], '_RH_OP_CONTEXT' : [ 0x48, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x10, ['pointer64', ['_IRP']]], 'OplockRequestFileObject' : [ 0x18, ['pointer64', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x28, ['pointer64', ['_ETHREAD']]], 'Flags' : [ 0x30, ['unsigned long']], 'AtomicLinks' : [ 0x38, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 
'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_KWAIT_CHAIN' : [ 0x8, { 'Head' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_RTL_BITMAP_EX' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_MI_PARTITION_PAGE_LISTS' : [ 0xcc0, { 'FreePagesByColor' : [ 0x0, ['array', 2, ['pointer64', ['_MMPFNLIST']]]], 'FreePageSlist' : [ 0x10, ['array', 2, ['pointer64', ['_SLIST_HEADER']]]], 'ZeroedPageListHead' : [ 0x40, ['_MMPFNLIST']], 'FreePageListHead' : [ 0x80, ['_MMPFNLIST']], 'StandbyPageListHead' : [ 0xc0, ['_MMPFNLIST']], 'StandbyPageListByPriority' : [ 0x100, ['array', 8, ['_MMPFNLIST']]], 'ModifiedPageListNoReservation' : [ 0x240, ['_MMPFNLIST']], 'ModifiedPageListByReservation' : [ 0x280, ['array', 16, ['_MMPFNLIST']]], 'MappedPageListHead' : [ 0x500, ['array', 16, ['_MMPFNLIST']]], 'BadPageListHead' : [ 0x780, ['_MMPFNLIST']], 'PageLocationList' : [ 0x7a8, ['array', 8, ['pointer64', ['_MMPFNLIST']]]], 'StandbyRepurposedByPriority' : [ 0x7e8, ['array', 8, ['unsigned long']]], 'MappedPageListHeadEvent' : [ 0x808, ['array', 16, ['_KEVENT']]], 'DecayClusterTimerHeads' : [ 0x988, ['array', 4, ['_MI_DECAY_TIMER_LINK']]], 'DecayHand' : [ 0x9a8, ['unsigned long']], 'LastDecayHandUpdateTime' : [ 0x9b0, ['unsigned long long']], 'LastChanceLdwContext' : [ 0x9b8, ['_MI_LDW_WORK_CONTEXT']], 'AvailableEventsLock' : [ 0xa00, ['unsigned long long']], 'AvailablePageWaitStates' : [ 0xa08, ['array', 2, ['_MI_AVAILABLE_PAGE_WAIT_STATES']]], 'LowMemoryThreshold' : [ 
0xa48, ['unsigned long long']], 'HighMemoryThreshold' : [ 0xa50, ['unsigned long long']], 'TransitionPrivatePages' : [ 0xa80, ['unsigned long long']], 'RebuildLargePagesInitialized' : [ 0xa88, ['unsigned char']], 'RebuildLargePagesItem' : [ 0xa90, ['_MI_REBUILD_LARGE_PAGES']], } ], '_XSTATE_CONFIGURATION' : [ 0x330, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CompactionEnabled' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], 'EnabledSupervisorFeatures' : [ 0x218, ['unsigned long long']], 'AlignedFeatures' : [ 0x220, ['unsigned long long']], 'AllFeatureSize' : [ 0x228, ['unsigned long']], 'AllFeatures' : [ 0x22c, ['array', 64, ['unsigned long']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0x10, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x10, ['unsigned long']], 'NextHash' : [ 0x18, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x20, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x28, ['unsigned long']], 'KcbPushlock' : [ 0x30, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x38, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x38, ['long']], 'SlotHint' : [ 0x40, ['unsigned long']], 'ParentKcb' : [ 0x48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x50, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x60, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x70, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x70, ['unsigned long']], 'SubKeyCount' : [ 0x70, ['unsigned long']], 'KeyBodyListHead' : [ 0x78, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x78, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x88, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa8, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xb0, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xb2, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xb4, ['unsigned long']], 'KcbUserFlags' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb8, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 
'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], } ], '_KLOCK_ENTRY' : [ 0x60, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'EntryFlags' : [ 0x18, ['unsigned long']], 'EntryOffset' : [ 0x18, ['unsigned char']], 'ThreadLocalFlags' : [ 0x19, ['unsigned char']], 'WaitingBit' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare0' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'AcquiredByte' : [ 0x1a, ['unsigned char']], 'AcquiredBit' : [ 0x1a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadFlags' : [ 0x1b, ['unsigned char']], 'HeadNodeBit' : [ 0x1b, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IoPriorityBit' : [ 0x1b, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare1' : [ 0x1b, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'StaticState' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'AllFlags' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'SpareFlags' : [ 0x1c, ['unsigned long']], 'LockState' : [ 0x20, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x20, ['pointer64', ['void']]], 'CrossThreadReleasableAndBusyByte' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x21, ['array', 6, ['unsigned char']]], 'InTreeByte' : [ 0x27, ['unsigned char']], 'SessionState' : [ 0x28, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], 'SessionPad' : [ 0x2c, ['unsigned long']], 'OwnerTree' : [ 0x30, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x40, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x30, ['unsigned char']], 'EntryLock' : [ 0x50, ['unsigned long long']], 'AllBoosts' : [ 0x58, ['unsigned short']], 
'IoBoost' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'CpuBoostsBitmap' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x5a, ['unsigned short']], 'SparePad' : [ 0x5c, ['unsigned short']], } ], '_OBP_SYSTEM_DOS_DEVICE_STATE' : [ 0x6c, { 'GlobalDeviceMap' : [ 0x0, ['unsigned long']], 'LocalDeviceCount' : [ 0x4, ['array', 26, ['unsigned long']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 24, native_type='unsigned long long')]], 'LocalPartition' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2038' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x108, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_2038']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['_MODWRITER_FLAGS']], 'StoreWriteRefCount' : [ 0x2c, 
['unsigned long']], 'StoreWriteCompletionApc' : [ 0x30, ['_KAPC']], 'ByteCount' : [ 0x88, ['unsigned long']], 'ChargedPages' : [ 0x8c, ['unsigned long']], 'PagingFile' : [ 0x90, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0xa0, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0xa8, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0xb0, ['_LARGE_INTEGER']], 'IssueTime' : [ 0xb8, ['_LARGE_INTEGER']], 'Partition' : [ 0xc0, ['pointer64', ['_MI_PARTITION']]], 'PointerMdl' : [ 0xc8, ['pointer64', ['_MDL']]], 'Mdl' : [ 0xd0, ['_MDL']], 'Page' : [ 0x100, ['array', 1, ['unsigned long long']]], } ], '_MI_PARTITION_COMMIT' : [ 0x38, { 'PeakCommitment' : [ 0x0, ['unsigned long long']], 'TotalCommitLimitMaximum' : [ 0x8, ['unsigned long long']], 'Popups' : [ 0x10, ['array', 2, ['long']]], 'LowCommitThreshold' : [ 0x18, ['unsigned long long']], 'HighCommitThreshold' : [ 0x20, ['unsigned long long']], 'EventLock' : [ 0x28, ['unsigned long long']], 'SystemCommitReserve' : [ 0x30, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_TOKEN_PRIVILEGES' : [ 0x10, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Privileges' : [ 0x4, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 
0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, 
['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x50, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'ContextSwitches' : [ 0x18, ['unsigned long long']], 'ReadOperationCount' : [ 0x20, ['long long']], 'WriteOperationCount' : [ 0x28, ['long long']], 'OtherOperationCount' : [ 0x30, ['long long']], 'ReadTransferCount' : [ 0x38, ['long long']], 'WriteTransferCount' : [ 0x40, ['long long']], 'OtherTransferCount' : [ 0x48, ['long long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x1d0, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x8, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x10, 
['unsigned long long']], 'IdleTimeTotal' : [ 0x18, ['unsigned long long']], 'IdleTimeEntry' : [ 0x20, ['unsigned long long']], 'IdleTimeExpiration' : [ 0x28, ['unsigned long long']], 'NonInterruptibleTransition' : [ 0x30, ['unsigned char']], 'PepWokenTransition' : [ 0x31, ['unsigned char']], 'Class' : [ 0x32, ['unsigned char']], 'TargetIdleState' : [ 0x34, ['unsigned long']], 'IdlePolicy' : [ 0x38, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x40, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x48, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xd8, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower', 3: 'ProcHypervisorHvCounters'})]], 'LastSysTime' : [ 0xdc, ['unsigned long']], 'WmiDispatchPtr' : [ 0xe0, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0xe8, ['long']], 'FFHThrottleStateInfo' : [ 0xf0, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x110, ['_KDPC']], 'PerfActionMask' : [ 0x150, ['long']], 'HvIdleCheck' : [ 0x158, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x168, ['pointer64', ['_PROC_PERF_CHECK']]], 'Domain' : [ 0x170, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x178, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x180, ['pointer64', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x188, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x190, ['pointer64', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x198, ['unsigned char']], 'HvTargetState' : [ 0x199, ['unsigned char']], 'Parked' : [ 0x19a, ['unsigned char']], 'LatestPerformancePercent' : [ 0x19c, ['unsigned long']], 'AveragePerformancePercent' : [ 0x1a0, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x1a4, ['unsigned long']], 'RelativePerformance' : [ 0x1a8, ['unsigned long']], 'Utility' : [ 0x1ac, ['unsigned long']], 'AffinitizedUtility' : [ 0x1b0, ['unsigned long']], 'SnapTimeLast' : [ 0x1b8, ['unsigned long long']], 'EnergyConsumed' : [ 0x1b8, 
['unsigned long long']], 'ActiveTime' : [ 0x1c0, ['unsigned long long']], 'TotalTime' : [ 0x1c8, ['unsigned long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SystemChargedPage' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_THREAD_ENERGY_VALUES' : [ 0x40, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned 
long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_CC_ASYNC_READ_CONTEXT' : [ 0x20, { 'CompletionRoutine' : [ 0x0, ['pointer64', ['void']]], 'Context' : [ 0x8, ['pointer64', ['void']]], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'RequestorMode' : [ 0x18, ['unsigned char']], 'NestingLevel' : [ 0x1c, ['unsigned long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_CMHIVE' : [ 0x17a8, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0xa68, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0xa98, ['_LIST_ENTRY']], 'HiveList' : [ 0xaa8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0xab8, ['_LIST_ENTRY']], 'FailedUnloadList' : [ 0xac8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0xad8, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0xae0, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0xaf0, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0xaf8, ['unsigned long']], 'DeletedKcbTable' : [ 0xb00, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0xb08, ['unsigned long']], 'Identity' : [ 0xb0c, ['unsigned long']], 'HiveLock' : [ 0xb10, ['pointer64', ['_FAST_MUTEX']]], 'WriterLock' : [ 0xb18, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0xb20, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0xb28, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0xb38, ['unsigned long']], 'FlushLogEntry' : [ 0xb40, ['pointer64', ['unsigned char']]], 
'FlushLogEntrySize' : [ 0xb48, ['unsigned long']], 'FlushHiveTruncated' : [ 0xb4c, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0xb50, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0xb58, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0xb68, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0xb70, ['pointer64', ['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0xb78, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0xb80, ['pointer64', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0xb88, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0xb90, ['unsigned long']], 'LastShrinkHiveSize' : [ 0xb94, ['unsigned long']], 'ActualFileSize' : [ 0xb98, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0xba0, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0xbb0, ['_UNICODE_STRING']], 'FileUserName' : [ 0xbc0, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0xbd0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0xbe0, ['unsigned long']], 'SecurityCacheSize' : [ 0xbe4, ['unsigned long']], 'SecurityHitHint' : [ 0xbe8, ['long']], 'SecurityCache' : [ 0xbf0, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0xbf8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xff8, ['unsigned long']], 'UnloadEventArray' : [ 0x1000, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0x1008, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x1010, ['unsigned char']], 'UnloadWorkItem' : [ 0x1018, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x1020, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x1048, ['unsigned char']], 'GrowOffset' : [ 0x104c, ['unsigned long']], 'KcbConvertListHead' : [ 0x1050, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x1060, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0x1068, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0x14f0, ['unsigned long']], 'TrustClassEntry' : [ 0x14f8, ['_LIST_ENTRY']], 'DirtyTime' : [ 0x1508, ['unsigned long long']], 'UnreconciledTime' : [ 0x1510, ['unsigned long long']], 'CmRm' : [ 0x1518, ['pointer64', 
['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x1520, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x1524, ['long']], 'CreatorOwner' : [ 0x1528, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0x1530, ['pointer64', ['_KTHREAD']]], 'LastWriteTime' : [ 0x1538, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0x1540, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0x1558, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0x1570, ['unsigned long']], 'FlushActive' : [ 0x1570, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0x1570, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0x1570, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0x1570, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0x1574, ['unsigned long']], 'ReferenceCount' : [ 0x1578, ['long']], 'UnloadHistoryIndex' : [ 0x157c, ['long']], 'UnloadHistory' : [ 0x1580, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0x1780, ['unsigned long']], 'UnaccessedStart' : [ 0x1784, ['unsigned long']], 'UnaccessedEnd' : [ 0x1788, ['unsigned long']], 'LoadedKeyCount' : [ 0x178c, ['unsigned long']], 'HandleClosePending' : [ 0x1790, ['unsigned long']], 'HandleClosePendingEvent' : [ 0x1798, ['_EX_PUSH_LOCK']], 'FinalFlushSucceeded' : [ 0x17a0, ['unsigned char']], 'FailedUnload' : [ 0x17a1, ['unsigned char']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x38, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long long']], 'DirtyPageThresholdTop' : [ 0x8, ['unsigned long long']], 'DirtyPageThresholdBottom' : [ 0x10, ['unsigned long long']], 'DirtyPageTarget' : [ 0x18, ['unsigned long']], 'AggregateAvailablePages' : [ 0x20, ['unsigned 
long long']], 'AggregateDirtyPages' : [ 0x28, ['unsigned long long']], 'AvailableHistory' : [ 0x30, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ForceCredits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned 
char')]], 'ForceAge' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'NewMaximum' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CommitReleaseState' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_PPM_VETO_ENTRY' : [ 0x18, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'VetoReason' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, 
['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderZero', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderVsmMemory', 30: 'LoaderFirmwareCode', 31: 'LoaderFirmwareData', 32: 'LoaderFirmwareReserved', 33: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', 
['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x400, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x28, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x8, ['_RTL_BITMAP']], 'HashTable' : [ 0x18, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x20, ['unsigned char']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, 
native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xa8, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ExecutePoolTypes' : [ 0x90, ['unsigned long']], 'ExecutePageProtections' : [ 0x94, ['unsigned long']], 'ExecutePageMappings' : [ 0x98, ['unsigned long']], 'ExecuteWriteSections' : [ 0x9c, ['unsigned long']], 'SectionAlignmentFailures' : [ 0xa0, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE' : [ 0x1810, { 'CurrentSize' : [ 0x0, ['unsigned long']], 
'MaximumSize' : [ 0x4, ['unsigned long']], 'Epoch' : [ 0x8, ['unsigned long']], 'Overflow' : [ 0xc, ['unsigned char']], 'TableEntry' : [ 0x10, ['array', 256, ['_INVERTED_FUNCTION_TABLE_ENTRY']]], } ], '_VF_DRIVER_IO_CALLBACKS' : [ 0x100, { 'DriverInit' : [ 0x0, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x8, ['pointer64', ['void']]], 'DriverUnload' : [ 0x10, ['pointer64', ['void']]], 'AddDevice' : [ 0x18, ['pointer64', ['void']]], 'MajorFunction' : [ 0x20, ['array', 28, ['pointer64', ['void']]]], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0x18, { 'ActiveThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'WaitList' : [ 0x8, ['pointer64', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x10, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x10, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_UMS_CONTROL_BLOCK' : [ 0x90, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsWaitEvent' : [ 
0x30, ['_KEVENT']], 'StagingArea' : [ 0x48, ['pointer64', ['void']]], 'UmsPrimaryDeliveredContext' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsFlags' : [ 0x50, ['unsigned long']], 'TebSelector' : [ 0x88, ['unsigned short']], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_ETIMER' : [ 0x138, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x40, ['unsigned long long']], 'TimerApc' : [ 0x48, ['_KAPC']], 'TimerDpc' : [ 0xa0, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'Period' : [ 0xf0, ['unsigned long']], 'TimerFlags' : [ 0xf4, ['unsigned char']], 'ApcAssociated' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0xf5, ['unsigned char']], 'Spare2' : [ 0xf6, ['unsigned short']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x110, 
['pointer64', ['void']]], 'VirtualizedTimerLinks' : [ 0x118, ['_LIST_ENTRY']], 'DueTime' : [ 0x128, ['unsigned long long']], 'CoalescingWindow' : [ 0x130, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x90, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'Count' : [ 0x28, ['unsigned long long']], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'StackTrace' : [ 0x40, ['array', 8, ['pointer64', ['void']]]], 'Who' : [ 0x80, ['unsigned long']], 'Process' : [ 0x88, ['pointer64', ['_EPROCESS']]], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_MI_CACHED_PTES' : [ 0x48, { 'Bins' : [ 0x0, ['array', 8, ['_MI_CACHED_PTE']]], 'CachedPteCount' : [ 0x40, ['long']], } ], '_EXHANDLE' : [ 0x8, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], } ], '__unnamed_211a' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_211a']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK_AUTO_EXPAND_STATE' : [ 0x4, { 'Expanded' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Transitioning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Pageable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x488, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_ARBITER_INSTANCE' : [ 0x150, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', 
['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MI_SYSTEM_INFORMATION' : [ 0x1bc0, { 'Pools' : [ 0x0, ['_MI_POOL_STATE']], 'Sections' : [ 0x100, ['_MI_SECTION_STATE']], 'SystemImages' : [ 0x380, ['_MI_SYSTEM_IMAGE_STATE']], 'Sessions' : [ 0x430, ['_MI_SESSION_STATE']], 'Processes' : [ 0x4c0, ['_MI_PROCESS_STATE']], 'Hardware' : [ 0x520, ['_MI_HARDWARE_STATE']], 'SystemVa' : [ 0x600, ['_MI_SYSTEM_VA_STATE']], 'PageCombines' : [ 0x8c0, ['_MI_COMBINE_STATE']], 'Partitions' : [ 0xa60, ['_MI_PARTITION_STATE']], 'Shutdowns' : [ 0xab8, ['_MI_SHUTDOWN_STATE']], 'Errors' : [ 0xb38, ['_MI_ERROR_STATE']], 'AccessLog' : [ 0xc00, ['_MI_ACCESS_LOG_STATE']], 'Debugger' : [ 0xc80, ['_MI_DEBUGGER_STATE']], 'Standby' : [ 0xdc0, ['_MI_STANDBY_STATE']], 'SystemPtes' : [ 0xe80, ['_MI_SYSTEM_PTE_STATE']], 'IoPages' : [ 0x1000, ['_MI_IO_PAGE_STATE']], 'PagingIo' : [ 0x1060, ['_MI_PAGING_IO_STATE']], 'CommonPages' : [ 0x10b0, ['_MI_COMMON_PAGE_STATE']], 'Trims' : [ 0x1140, ['_MI_SYSTEM_TRIM_STATE']], 'ResTrack' : [ 0x1180, ['_MI_RESAVAIL_TRACKER']], 
'Cookie' : [ 0x1540, ['unsigned long long']], 'ZeroingDisabled' : [ 0x1548, ['long']], 'BootRegistryRuns' : [ 0x1550, ['pointer64', ['pointer64', ['void']]]], 'FullyInitialized' : [ 0x1558, ['unsigned char']], 'SafeBooted' : [ 0x1559, ['unsigned char']], 'LargePfnBitMap' : [ 0x1560, ['_RTL_BITMAP_EX']], 'TraceLogging' : [ 0x1570, ['pointer64', ['_TlgProvider_t']]], 'Vs' : [ 0x1580, ['_MI_VISIBLE_STATE']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_PPM_SELECTION_DEPENDENCY' : [ 0x18, { 'Processor' : [ 0x0, ['unsigned long']], 'Menu' : [ 0x8, ['_PPM_SELECTION_MENU']], } ], '__unnamed_2194' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_2196' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_2194']], } ], '__unnamed_2198' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_2196']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2198']], } ], '_MI_VISIBLE_STATE' : [ 0x640, { 'SpecialPool' : [ 0x0, ['_MI_SPECIAL_POOL']], 'SessionWsList' : [ 0x50, ['_LIST_ENTRY']], 'SessionIdBitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'PagedPoolInfo' : [ 0x68, ['_MM_PAGED_POOL_INFO']], 'MaximumNonPagedPoolInPages' : [ 0xa0, ['unsigned long long']], 'SizeOfPagedPoolInPages' : [ 0xa8, ['unsigned long long']], 'SystemPteInfo' : [ 0xb0, ['_MI_SYSTEM_PTE_TYPE']], 'NonPagedPoolCommit' : [ 0x110, ['unsigned long long']], 'BootCommit' : [ 0x118, ['unsigned long long']], 'MdlPagesAllocated' : [ 0x120, ['unsigned long long']], 'SystemPageTableCommit' : [ 0x128, ['unsigned long long']], 'SpecialPagesInUse' : [ 0x130, ['unsigned long long']], 'WsOverheadPages' : [ 0x138, ['unsigned long long']], 'VadBitmapPages' : [ 0x140, ['unsigned long long']], 'ProcessCommit' : [ 0x148, ['unsigned long long']], 'SharedCommit' : [ 0x150, ['unsigned long long']], 'DriverCommit' : [ 0x158, ['long']], 'SystemWs' : [ 
0x180, ['array', 3, ['_MMSUPPORT']]], 'MapCacheFailures' : [ 0x468, ['unsigned long']], 'LastUnloadedDriver' : [ 0x46c, ['unsigned long']], 'UnloadedDrivers' : [ 0x470, ['pointer64', ['_UNLOADED_DRIVERS']]], 'PagefileHashPages' : [ 0x478, ['unsigned long long']], 'PteHeader' : [ 0x480, ['_SYSPTES_HEADER']], 'SessionSpecialPool' : [ 0x598, ['pointer64', ['_MI_SPECIAL_POOL']]], 'SystemVaTypeCount' : [ 0x5a0, ['array', 14, ['unsigned long long']]], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_HMAP_TABLE' : [ 0x5000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'HandleCount' : [ 0x28, ['unsigned long']], 'Handles' : [ 0x30, ['pointer64', ['pointer64', ['void']]]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x58, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'ProcCap' : [ 0x10, ['unsigned long']], 'ProcFloor' : [ 0x14, ['unsigned long']], 'PlatformCap' : [ 0x18, ['unsigned long']], 'ThermalCap' : [ 0x1c, ['unsigned long']], 'LimitReasons' : [ 0x20, ['unsigned long']], 'PlatformCapStartTime' : [ 0x28, ['unsigned long long']], 'TargetPercent' : [ 0x30, ['unsigned long']], 'SelectedPercent' : [ 0x34, ['unsigned long']], 'SelectedFrequency' : [ 0x38, ['unsigned long']], 
'PreviousFrequency' : [ 0x3c, ['unsigned long']], 'PreviousPercent' : [ 0x40, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x44, ['unsigned long']], 'SelectedState' : [ 0x48, ['unsigned long long']], 'Force' : [ 0x50, ['unsigned char']], } ], '__unnamed_21b6' : [ 0x20, { 'CallerCompletion' : [ 0x0, ['pointer64', ['void']]], 'CallerContext' : [ 0x8, ['pointer64', ['void']]], 'CallerDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0x18, ['unsigned char']], } ], '__unnamed_21b9' : [ 0x10, { 'NotifyDevice' : [ 0x0, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x8, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0xf8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x30, ['unsigned long long']], 'WatchdogTimer' : [ 0x38, ['_KTIMER']], 'WatchdogDpc' : [ 0x78, ['_KDPC']], 'MinorFunction' : [ 0xb8, ['unsigned char']], 'PowerStateType' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0xc0, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0xc4, ['unsigned char']], 'FxDevice' : [ 0xc8, ['pointer64', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0xd0, ['unsigned char']], 'NotifyPEP' : [ 0xd1, ['unsigned char']], 'Device' : [ 0xd8, ['__unnamed_21b6']], 'System' : [ 0xd8, ['__unnamed_21b9']], } ], '_MI_ERROR_STATE' : [ 0xa8, { 'BadMemoryEventEntry' : [ 0x0, ['_MI_BAD_MEMORY_EVENT_ENTRY']], 'ProbeRaises' : [ 0x38, ['_MI_PROBE_RAISE_TRACKER']], 'ForcedCommits' : [ 0x74, ['_MI_FORCED_COMMITS']], 'WsleFailures' : [ 0x7c, ['array', 2, ['unsigned long']]], 'WsLinear' : [ 0x84, ['unsigned long']], 'PageHashErrors' : [ 0x88, ['unsigned long']], 'CheckZeroCount' : [ 0x8c, ['unsigned long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x90, ['long']], 
'BadPagesDetected' : [ 0x94, ['long']], 'ScrubPasses' : [ 0x98, ['long']], 'ScrubBadPagesFound' : [ 0x9c, ['long']], 'PendingBadPages' : [ 0xa0, ['unsigned char']], 'InitFailure' : [ 0xa1, ['unsigned char']], 'StopBadMaps' : [ 0xa2, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, 
native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_MI_USER_VA_INFO' : [ 0x108, { 'NumberOfCommittedPageTables' : [ 0x0, ['unsigned long']], 'VadBitMapHint' : [ 0x4, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x8, ['unsigned long']], 'LastAllocationSize' : [ 0xc, ['unsigned long']], 'LowestBottomUpVadBit' : [ 0x10, ['unsigned long']], 'VadBitMapSize' : [ 0x14, ['unsigned long']], 'VadBitMapCommitment' : [ 0x18, ['unsigned long']], 
'MaximumLastVadBit' : [ 0x1c, ['unsigned long']], 'VadsBeingDeleted' : [ 0x20, ['long']], 'PhysicalMappingCount' : [ 0x28, ['unsigned long long']], 'LastVadDeletionEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'VadBitBuffer' : [ 0x38, ['pointer64', ['unsigned long']]], 'LowestBottomUpAllocationAddress' : [ 0x40, ['pointer64', ['void']]], 'HighestTopDownAllocationAddress' : [ 0x48, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x50, ['pointer64', ['void']]], 'NumaAware' : [ 0x58, ['unsigned char']], 'CloneNestingLevel' : [ 0x60, ['unsigned long long']], 'PrivateFixupVadCount' : [ 0x68, ['unsigned long long']], 'CfgBitMap' : [ 0x70, ['array', 2, ['_MI_CFG_BITMAP_INFO']]], 'CommittedPageTableBufferForTopLevel' : [ 0xa0, ['array', 8, ['unsigned long']]], 'CommittedPageTableBitmaps' : [ 0xc0, ['array', 3, ['_RTL_BITMAP']]], 'PageTableBitmapPages' : [ 0xf0, ['array', 3, ['unsigned long']]], 'FreeUmsTebHint' : [ 0x100, ['pointer64', ['void']]], } ], '_PROC_FEEDBACK' : [ 0x90, { 'Lock' : [ 0x0, ['unsigned long long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer64', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x28, ['unsigned long long']], 'UnscaledTime' : [ 0x30, ['unsigned long long']], 'UnaccountedTime' : [ 0x38, ['long long']], 'ScaledTime' : [ 0x40, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x50, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x58, ['unsigned long long']], 'UserTimeLast' : [ 0x60, ['unsigned long']], 'KernelTimeLast' : [ 0x64, ['unsigned long']], 'IdleGenerationNumberLast' : [ 0x68, ['unsigned long long']], 'HvActiveTimeLast' : [ 0x70, ['unsigned long long']], 'StallCyclesLast' : [ 0x78, ['unsigned long long']], 'StallTime' : [ 0x80, ['unsigned long long']], 'KernelTimesIndex' : [ 0x88, ['unsigned char']], } ], '__unnamed_21d1' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned 
long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_21d5' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_21d7' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_21d9' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_21db' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_21dd' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_21df' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_21e1' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_21e3' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_21e5' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_21e7' : [ 0xc, { 'Class' : [ 0x0, 
['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_21e9' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_21d1']], 'Memory' : [ 0x0, ['__unnamed_21d1']], 'Interrupt' : [ 0x0, ['__unnamed_21d5']], 'Dma' : [ 0x0, ['__unnamed_21d7']], 'DmaV3' : [ 0x0, ['__unnamed_21d9']], 'Generic' : [ 0x0, ['__unnamed_21d1']], 'DevicePrivate' : [ 0x0, ['__unnamed_21db']], 'BusNumber' : [ 0x0, ['__unnamed_21dd']], 'ConfigData' : [ 0x0, ['__unnamed_21df']], 'Memory40' : [ 0x0, ['__unnamed_21e1']], 'Memory48' : [ 0x0, ['__unnamed_21e3']], 'Memory64' : [ 0x0, ['__unnamed_21e5']], 'Connection' : [ 0x0, ['__unnamed_21e7']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_21e9']], } ], '_POP_THERMAL_ZONE' : [ 0x338, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], 'State' : [ 0x40, ['unsigned char']], 'Flags' : [ 0x41, ['unsigned char']], 'Removing' : [ 0x42, ['unsigned char']], 'Mode' : [ 0x43, ['unsigned char']], 'PendingMode' : [ 0x44, ['unsigned 
char']], 'ActivePoint' : [ 0x45, ['unsigned char']], 'PendingActivePoint' : [ 0x46, ['unsigned char']], 'Critical' : [ 0x47, ['unsigned char']], 'ThermalStandby' : [ 0x48, ['unsigned char']], 'OverThrottled' : [ 0x49, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x4c, ['long']], 'Throttle' : [ 0x50, ['long']], 'PendingThrottle' : [ 0x54, ['long']], 'ThrottleReasons' : [ 0x58, ['unsigned long']], 'LastTime' : [ 0x60, ['unsigned long long']], 'SampleRate' : [ 0x68, ['unsigned long']], 'LastTemp' : [ 0x6c, ['unsigned long']], 'PassiveTimer' : [ 0x70, ['_KTIMER']], 'PassiveDpc' : [ 0xb0, ['_KDPC']], 'Info' : [ 0xf0, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0x148, ['_LARGE_INTEGER']], 'Policy' : [ 0x150, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0x168, ['unsigned char']], 'LastActiveStartTime' : [ 0x170, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x178, ['unsigned long long']], 'WorkItem' : [ 0x180, ['_WORK_QUEUE_ITEM']], 'Lock' : [ 0x1a0, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x1b0, ['_KEVENT']], 'TemperatureUpdated' : [ 0x1c8, ['_KEVENT']], 'InstanceId' : [ 0x1e0, ['unsigned long']], 'TelemetryTracker' : [ 0x1e8, ['_POP_THERMAL_TELEMETRY_TRACKER']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 28, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 
28, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_MI_REBUILD_LARGE_PAGES' : [ 0x228, { 'Active' : [ 0x0, ['long']], 'Timer' : [ 0x4, ['array', 64, ['array', 4, ['_MI_REBUILD_LARGE_PAGE_COUNTDOWN']]]], 'WorkItem' : [ 0x208, ['_WORK_QUEUE_ITEM']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0xa68, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileWrite' : [ 0x28, ['pointer64', ['void']]], 'FileRead' : [ 0x30, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x38, ['pointer64', ['void']]], 'BaseBlock' : [ 0x40, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x48, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x58, ['unsigned long']], 'DirtyAlloc' : [ 0x5c, ['unsigned long']], 'UnreconciledVector' : [ 0x60, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x70, ['unsigned long']], 'BaseBlockAlloc' : [ 0x74, ['unsigned long']], 'Cluster' : [ 0x78, ['unsigned long']], 'Flat' : [ 0x7c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x7c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SystemCacheBacked' : [ 0x7c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x7c, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x7d, ['unsigned 
char']], 'HvBinHeadersUse' : [ 0x80, ['unsigned long']], 'HvFreeCellsUse' : [ 0x84, ['unsigned long']], 'HvUsedCellsUse' : [ 0x88, ['unsigned long']], 'CmUsedCellsUse' : [ 0x8c, ['unsigned long']], 'HiveFlags' : [ 0x90, ['unsigned long']], 'CurrentLog' : [ 0x94, ['unsigned long']], 'CurrentLogSequence' : [ 0x98, ['unsigned long']], 'CurrentLogMinimumSequence' : [ 0x9c, ['unsigned long']], 'CurrentLogOffset' : [ 0xa0, ['unsigned long']], 'MinimumLogSequence' : [ 0xa4, ['unsigned long']], 'LogFileSizeCap' : [ 0xa8, ['unsigned long']], 'LogDataPresent' : [ 0xac, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0xae, ['unsigned char']], 'BaseBlockDirty' : [ 0xaf, ['unsigned char']], 'LastLogSwapTime' : [ 0xb0, ['_LARGE_INTEGER']], 'FirstLogFile' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'SecondLogFile' : [ 0xb8, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 'HeaderRecovered' : [ 0xb8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0xb8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0xb8, ['unsigned short']], 'LogEntriesRecovered' : [ 0xba, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0xbc, ['unsigned long']], 'StorageTypeCount' : [ 0xc0, ['unsigned long']], 'Version' : [ 0xc4, ['unsigned long']], 'ViewMap' : [ 0xc8, ['_HVIEW_MAP']], 'Storage' : [ 0x578, ['array', 2, ['_DUAL']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_ETW_FILTER_HEADER' : [ 0x48, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x8, ['pointer64', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x10, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0x18, ['pointer64', 
['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x20, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x28, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x30, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x38, ['pointer64', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x40, ['pointer64', ['_EVENT_FILTER_HEADER']]], } ], '_CM_WORKITEM' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_CM_TRANS' : [ 0xa8, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned 
long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_POP_THERMAL_TELEMETRY_TRACKER' : [ 0x150, { 'AccountingDisabled' : [ 0x0, ['unsigned char']], 'LastPassiveUpdateTime' : [ 0x8, ['unsigned long long']], 'TotalPassiveTime' : [ 0x10, ['array', 20, ['unsigned long long']]], 'PassiveTimeSnap' : [ 0xb0, ['array', 20, ['unsigned long long']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_HVIEW_MAP' : [ 0x4b0, { 'MappedLength' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Directory' : [ 0x18, ['pointer64', ['_HVIEW_MAP_DIRECTORY']]], 'PagesCharged' : [ 0x20, ['unsigned long']], 'PinLog' : [ 0x28, ['_HVIEW_MAP_PIN_LOG']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, 
['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_DISALLOWED_GUIDS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Guids' : [ 0x8, ['pointer64', ['_GUID']]], } ], '_HVIEW_MAP_DIRECTORY' : [ 0x400, { 'Tables' : [ 0x0, ['array', 128, ['pointer64', ['_HVIEW_MAP_TABLE']]]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1f, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1e, ['unsigned char']], } ], '__unnamed_2264' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2266' : [ 0x20, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_2264']], } ], '_VF_TARGET_DRIVER' : [ 0x38, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x10, ['__unnamed_2266']], 'VerifiedData' : [ 0x30, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_226f' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_2271' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2273' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceId' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_2275' : [ 0x8, { 'Notification' : [ 0x0, 
['pointer64', ['void']]], } ], '__unnamed_2277' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_2279' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_227b' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_227d' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_227f' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_2281' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_226f']], 'TargetDevice' : [ 0x0, ['__unnamed_2271']], 'InstallDevice' : [ 0x0, ['__unnamed_2271']], 'CustomNotification' : [ 0x0, ['__unnamed_2273']], 'ProfileNotification' : [ 0x0, ['__unnamed_2275']], 'PowerNotification' : [ 0x0, ['__unnamed_2277']], 'VetoNotification' : [ 0x0, ['__unnamed_2279']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_227b']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_227d']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_227f']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_2271']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_2271']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 
'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_2281']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x58, { 'Context' : [ 0x0, ['pointer64', 
['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x38, ['unsigned long']], 'DependencyUsed' : [ 0x3c, ['unsigned long']], 'DependencyArray' : [ 0x40, ['pointer64', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x48, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x4c, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x50, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '__unnamed_229c' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_229c']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 
0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_MI_HARDWARE_STATE' : [ 0xa8, { 'NodeMask' : [ 0x0, ['unsigned long']], 'NodeGraph' : [ 0x8, ['pointer64', ['unsigned short']]], 'SystemNodeInformation' : [ 0x10, ['pointer64', ['_MI_SYSTEM_NODE_INFORMATION']]], 'NumaLastRangeIndex' : [ 0x18, ['unsigned 
long']], 'NumaMemoryRanges' : [ 0x20, ['pointer64', ['_HAL_NODE_RANGE']]], 'NumaTableCaptured' : [ 0x28, ['unsigned char']], 'NodeShift' : [ 0x29, ['unsigned char']], 'ChannelMemoryRanges' : [ 0x30, ['pointer64', ['_HAL_CHANNEL_MEMORY_RANGES']]], 'ChannelShift' : [ 0x38, ['unsigned char']], 'SecondLevelCacheSize' : [ 0x3c, ['unsigned long']], 'FirstLevelCacheSize' : [ 0x40, ['unsigned long']], 'PhysicalAddressBits' : [ 0x44, ['unsigned long']], 'WriteCombiningPtes' : [ 0x48, ['unsigned char']], 'AllMainMemoryMustBeCached' : [ 0x49, ['unsigned char']], 'TotalPagesAllowed' : [ 0x50, ['unsigned long long']], 'SecondaryColorMask' : [ 0x58, ['unsigned long']], 'SecondaryColors' : [ 0x5c, ['unsigned long']], 'FlushTbForAttributeChange' : [ 0x60, ['unsigned long']], 'FlushCacheForAttributeChange' : [ 0x64, ['unsigned long']], 'FlushCacheForPageAttributeChange' : [ 0x68, ['unsigned long']], 'CacheFlushPromoteThreshold' : [ 0x6c, ['unsigned long']], 'FlushTbThreshold' : [ 0x70, ['unsigned long long']], 'ZeroCostCounts' : [ 0x78, ['array', 2, ['_MI_ZERO_COST_COUNTS']]], 'PrimaryPfns' : [ 0x98, ['unsigned long long']], 'HighestPossiblePhysicalPage' : [ 0xa0, ['unsigned long long']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x78, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned 
char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 
'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], 'WaitObjectFlagMask' : [ 0x70, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x74, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x76, ['unsigned short']], } ], '__unnamed_22e3' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '__unnamed_22e5' : [ 0x4, { 'NumberOfChildViews' : [ 0x0, ['unsigned long']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'FileExtents' : [ 0x18, ['pointer64', ['_MI_FILE_EXTENTS']]], 'GlobalPerSessionHead' : [ 0x18, ['_RTL_AVL_TREE']], 'SessionDriverProtos' : [ 0x18, ['pointer64', ['_MI_PER_SESSION_PROTOS']]], 'u' : [ 0x20, ['__unnamed_22e3']], 'StartingSector' : [ 0x24, ['unsigned long']], 'NumberOfFullSectors' : [ 0x28, ['unsigned long']], 'PtesInSubsection' : [ 0x2c, ['unsigned long']], 'u1' : [ 0x30, ['__unnamed_22e5']], 'UnusedPtes' : [ 0x34, ['unsigned long']], 'AlignmentNoAccessPtes' : [ 0x34, ['unsigned long']], } ], '__unnamed_22ea' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MI_DECAY_TIMER_LINKAGE']], } ], '_MI_DECAY_TIMER_LINK' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_22ea']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 
'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_HEAP_EXTENDED_ENTRY' : [ 0x10, { 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], } ], '_MI_SYSTEM_VA_STATE' : [ 0x2c0, { 'SystemTablesLock' : [ 0x0, ['unsigned long long']], 'AvailableSystemCacheVa' : [ 0x8, ['unsigned long long']], 'DynamicBitMapSystemPtes' : [ 0x10, ['_MI_DYNAMIC_BITMAP']], 'DynamicBitMapDriverImages' : [ 0x60, ['array', 2, ['_MI_DYNAMIC_BITMAP']]], 'DynamicBitMapPagedPool' : [ 0x100, ['_MI_DYNAMIC_BITMAP']], 'DynamicBitMapSpecialPool' : [ 0x150, ['_MI_DYNAMIC_BITMAP']], 'DynamicBitMapSystemCache' : [ 0x1a0, ['_MI_DYNAMIC_BITMAP']], 'WorkingSetListHashStart' : [ 0x1f0, ['pointer64', ['_MMWSLE_HASH']]], 'WorkingSetListHashEnd' : [ 0x1f8, ['pointer64', ['_MMWSLE_HASH']]], 'WorkingSetListIndirectHashStart' : [ 0x200, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'FreeSystemCacheVa' : [ 0x208, ['_KEVENT']], 'SystemVaLock' : [ 0x220, ['unsigned long long']], 'DeleteKvaLock' : [ 0x228, ['long']], 'FreeSystemCache' : [ 0x230, ['_MI_PTE_CHAIN_HEAD']], 'SystemCacheViewLock' : [ 0x248, ['unsigned long long']], 'UnusableWsles' : [ 0x250, ['array', 5, ['unsigned long long']]], 'PossibleWsles' : [ 0x278, ['array', 5, ['unsigned long long']]], } ], '_DIRTY_PAGE_STATISTICS' : [ 0x18, { 'DirtyPages' : [ 0x0, ['unsigned 
long long']], 'DirtyPagesLastScan' : [ 0x8, ['unsigned long long']], 'DirtyPagesScheduledLastScan' : [ 0x10, ['unsigned long']], } ], '_DBGKD_WRITE_CUSTOM_BREAKPOINT' : [ 0x18, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointInstruction' : [ 0x8, ['unsigned long long']], 'BreakPointHandle' : [ 0x10, ['unsigned long']], 'BreakPointInstructionSize' : [ 0x14, ['unsigned char']], 'BreakPointInstructionAlignment' : [ 0x15, ['unsigned char']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], 
'_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_MI_DEBUGGER_STATE' : [ 0x118, { 'TransientWrite' : [ 0x0, ['unsigned char']], 'CodePageEdited' : [ 0x1, ['unsigned char']], 'DebugPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'PoisonedTb' : [ 0x10, ['unsigned long']], 'InDebugger' : [ 0x14, ['long']], 'Pfns' : [ 0x18, ['array', 32, ['pointer64', ['void']]]], } ], '_MI_PROCESS_STATE' : [ 0x60, { 'ColorSeed' : [ 0x0, ['unsigned long']], 'CloneDereferenceEvent' : [ 0x8, ['_KEVENT']], 'CloneProtosSListHead' : [ 0x20, ['_SLIST_HEADER']], 'SystemDllBase' : [ 0x30, ['pointer64', ['void']]], 'RotatingUniprocessorNumber' : [ 0x38, ['long']], 'CriticalSectionTimeout' : [ 0x40, ['_LARGE_INTEGER']], 'ProcessList' : [ 0x48, ['_LIST_ENTRY']], 'SharedUserDataPte' : [ 0x58, ['pointer64', ['_MMPTE']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, 
['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'HighActiveFlink' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'HighActiveBlink' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 56, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 
'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'HiberFileType' : [ 0x16, ['unsigned char']], 'AoAcConnectivitySupported' : [ 0x17, ['unsigned char']], 'spare3' : [ 0x18, ['array', 6, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_MI_REBUILD_LARGE_PAGE_COUNTDOWN' : [ 0x2, { 'SecondsLeft' : [ 
0x0, ['unsigned char']], 'SecondsAssigned' : [ 0x1, ['unsigned char']], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['unsigned long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x30, ['pointer64', ['long']]], 'NodeTargetCount' : [ 0x38, ['long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, 
native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x250, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 
'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'SparePvoid0' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 
'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], 'pUnused' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, ['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned 
long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], } ], '_IO_IRP_EXT_TRACK_OFFSET_HEADER' : [ 0x10, { 'Validation' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'TrackedOffsetCallback' : [ 0x8, ['pointer64', ['void']]], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_MI_SESSION_STATE' : [ 0x88, { 'SystemSession' : [ 0x0, ['_MMSESSION']], 'CodePageEdited' : [ 0x20, ['unsigned char']], 'DynamicVaBitBuffer' : [ 0x28, ['pointer64', ['unsigned long']]], 'DynamicVaBitBufferPages' : [ 0x30, ['unsigned long long']], 'DynamicPoolBitBuffer' : [ 0x38, ['pointer64', ['unsigned long']]], 'DynamicVaStart' : [ 0x40, ['pointer64', ['void']]], 'DynamicPtesBitBuffer' : [ 0x48, ['pointer64', ['unsigned long']]], 'IdLock' : [ 0x50, ['_EX_PUSH_LOCK']], 'DetachTimeStamp' : [ 0x58, ['unsigned long']], 'LeaderProcess' : [ 0x60, ['pointer64', ['_EPROCESS']]], 'InitializeLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'WorkingSetList' : [ 0x70, ['pointer64', ['_MMWSL']]], 'WsHashStart' : [ 0x78, ['pointer64', ['_MMWSLE_HASH']]], 'WsHashEnd' : [ 0x80, ['pointer64', ['_MMWSLE_HASH']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned 
short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_MMSESSION' : [ 0x20, { 'SystemSpaceViewLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'SystemSpaceViewLockPointer' : [ 0x8, ['pointer64', ['_EX_PUSH_LOCK']]], 'ViewRoot' : [ 0x10, ['_RTL_AVL_TREE']], 'ViewCount' : [ 0x18, ['unsigned long']], 'BitmapFailures' : [ 0x1c, ['unsigned long']], } ], '_IOP_IRP_STACK_PROFILER' : [ 0x54, { 'Profile' : [ 0x0, ['array', 20, ['unsigned long']]], 'TotalIrps' : [ 0x50, ['unsigned long']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_MI_DECAY_TIMER_LINKAGE' : [ 0x8, { 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'NextDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, 
['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '__unnamed_236e' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MI_PARTITION_FLAGS']], } ], '_MI_PARTITION_CORE' : [ 0x168, { 'PartitionId' : [ 0x0, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_236e']], 'ReferenceCount' : [ 0x8, ['unsigned long long']], 'ParentPartition' : [ 0x10, ['pointer64', ['_MI_PARTITION']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeInformation' : [ 0x28, ['pointer64', ['_MI_NODE_INFORMATION']]], 'MdlPhysicalMemoryBlock' : [ 0x30, ['pointer64', ['_MDL']]], 'MemoryNodeRuns' : [ 0x38, ['pointer64', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'Stats' : [ 0x40, ['_MI_PARTITION_STATISTICS']], 'MemoryRuns' : [ 0x90, ['pointer64', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'ExitEvent' : [ 0x98, ['_KEVENT']], 'SystemThreadHandles' : [ 0xb0, ['array', 5, ['pointer64', ['void']]]], 'PartitionObject' : [ 0xd8, ['pointer64', ['void']]], 'PartitionObjectHandle' : [ 0xe0, ['pointer64', ['void']]], 'DynamicMemoryPushLock' : 
[ 0xe8, ['_EX_PUSH_LOCK']], 'DynamicMemoryLock' : [ 0xf0, ['long']], 'TemporaryMemoryEvent' : [ 0xf8, ['_KEVENT']], 'MemoryEvents' : [ 0x110, ['array', 11, ['pointer64', ['_KEVENT']]]], } ], '_MI_PARTITION_MODWRITES' : [ 0x2a0, { 'AttemptForCantExtend' : [ 0x0, ['_MMPAGE_FILE_EXPANSION']], 'PageFileContract' : [ 0x60, ['_MMPAGE_FILE_EXPANSION']], 'NumberOfMappedMdls' : [ 0xc0, ['unsigned long long']], 'NumberOfMappedMdlsInUse' : [ 0xc8, ['long']], 'NumberOfMappedMdlsInUsePeak' : [ 0xcc, ['unsigned long']], 'MappedFileHeader' : [ 0xd0, ['_MMMOD_WRITER_LISTHEAD']], 'NeedMappedMdl' : [ 0xf8, ['unsigned char']], 'NeedPageFileMdl' : [ 0xf9, ['unsigned char']], 'TransitionInserted' : [ 0xfa, ['unsigned char']], 'LastModifiedWriteError' : [ 0xfc, ['long']], 'LastMappedWriteError' : [ 0x100, ['long']], 'MappedFileWriteSucceeded' : [ 0x104, ['unsigned long']], 'MappedWriteBurstCount' : [ 0x108, ['unsigned long']], 'LowPriorityModWritesOutstanding' : [ 0x10c, ['unsigned long']], 'BoostModWriteIoPriorityEvent' : [ 0x110, ['_KEVENT']], 'ModifiedWriterThreadPriority' : [ 0x128, ['long']], 'ModifiedPagesLowPriorityGoal' : [ 0x130, ['unsigned long long']], 'ModifiedPageWriterEvent' : [ 0x138, ['_KEVENT']], 'WriteAllPagefilePages' : [ 0x150, ['long']], 'WriteAllMappedPages' : [ 0x154, ['long']], 'MappedPageWriterEvent' : [ 0x158, ['_KEVENT']], 'ModWriteData' : [ 0x170, ['_MI_MODWRITE_DATA']], 'RescanPageFilesEvent' : [ 0x1b0, ['_KEVENT']], 'PagingFileHeader' : [ 0x1c8, ['_MMMOD_WRITER_LISTHEAD']], 'ModifiedPageWriterThread' : [ 0x1f0, ['pointer64', ['_ETHREAD']]], 'ModifiedPageWriterRundown' : [ 0x1f8, ['_EX_RUNDOWN_REF']], 'PagefileScanWorkItem' : [ 0x200, ['_WORK_QUEUE_ITEM']], 'PagefileScanCount' : [ 0x220, ['unsigned long']], 'ClusterWritesDisabled' : [ 0x224, ['array', 2, ['long']]], 'DelayMappedWrite' : [ 0x22c, ['unsigned char']], 'PagefileReservationsEnabled' : [ 0x230, ['unsigned long']], 'PageFileCreationLock' : [ 0x238, ['_EX_PUSH_LOCK']], 'TrimPagefileWorkItem' : [ 
0x240, ['_WORK_QUEUE_ITEM']], 'LastTrimPagefileTime' : [ 0x260, ['unsigned long long']], 'WsSwapPagefileContractWorkItem' : [ 0x268, ['_WORK_QUEUE_ITEM']], 'WsSwapPageFileContractionInProgress' : [ 0x288, ['long']], 'WorkingSetSwapLock' : [ 0x290, ['_EX_PUSH_LOCK']], 'WorkingSetInswapLock' : [ 0x298, ['long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_KPRIQUEUE' : [ 0x2b0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x218, ['array', 32, ['long']]], 'MaximumCount' : [ 0x298, ['unsigned long']], 'ThreadListHead' : [ 0x2a0, ['_LIST_ENTRY']], } ], '__unnamed_238c' : [ 0x4, { 'ChannelsHotCold' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_MI_NODE_INFORMATION' : [ 0x538, { 'LargePageFreeCount' : [ 0x0, ['array', 2, ['unsigned long long']]], 'LargePages' : [ 0x10, ['array', 2, ['array', 2, ['array', 4, ['_LIST_ENTRY']]]]], 'LargePagesCount' : [ 0x110, ['array', 2, ['array', 2, ['array', 4, ['unsigned long long']]]]], 'StandbyPageList' : [ 0x190, ['array', 4, ['array', 8, ['_MMPFNLIST_SHORT']]]], 'FreeCount' : [ 0x490, ['array', 2, ['unsigned long long']]], 'TotalPages' : [ 0x4a0, ['array', 4, ['unsigned long long']]], 'TotalPagesEntireNode' : [ 0x4c0, ['unsigned long long']], 'MmShiftedColor' : [ 0x4c8, ['unsigned long']], 'Color' : [ 0x4cc, ['unsigned long']], 'ChannelFreeCount' : [ 0x4d0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'Flags' : [ 0x510, ['__unnamed_238c']], 'NodeLock' : [ 0x518, ['_EX_PUSH_LOCK']], 'ChannelStatus' : [ 0x520, ['unsigned char']], 'ChannelOrdering' : [ 0x521, ['array', 4, ['unsigned char']]], 'LockedChannelOrdering' : [ 0x525, ['array', 4, ['unsigned char']]], 'PowerAttribute' : [ 0x529, ['array', 4, ['unsigned char']]], 'LargePageLock' 
: [ 0x530, ['unsigned long long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_WAITING_IRP' : [ 0x38, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'CompletionRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'Information' : [ 0x30, ['unsigned long']], 'BreakAllRH' : [ 0x34, ['unsigned char']], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_PPM_SELECTION_MENU' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Entries' : [ 0x8, ['pointer64', ['_PPM_SELECTION_MENU_ENTRY']]], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x20, { 'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0x18, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_KSCHEDULING_GROUP' : [ 0x240, { 'Policy' : [ 0x0, ['_KSCHEDULING_GROUP_POLICY']], 'RelativeWeight' : [ 0x8, ['unsigned long']], 'ChildMinRate' : [ 0xc, ['unsigned long']], 'ChildMinWeight' : [ 0x10, ['unsigned long']], 'ChildTotalWeight' : [ 0x14, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x18, ['unsigned long long']], 'NotificationCycles' : [ 0x20, ['long long']], 'SchedulingGroupList' : [ 0x28, ['_LIST_ENTRY']], 'Sibling' : [ 0x28, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x38, ['pointer64', ['_KDPC']]], 'ChildList' : [ 0x40, ['_LIST_ENTRY']], 'Parent' : [ 0x50, ['pointer64', ['_KSCHEDULING_GROUP']]], 'PerProcessor' : [ 0x80, ['array', 1, ['_KSCB']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, 
['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x20, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_MMWORKING_SET_EXPANSION_HEAD' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x30, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'Irp' : [ 0x18, ['pointer64', ['_IRP']]], 'Device' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'Static' : [ 0x28, ['unsigned char']], } ], '_POP_POLICY_DEVICE' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, 
['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], } ], '_MI_SECTION_STATE' : [ 0x280, { 'SegmentListLock' : [ 0x0, ['long']], 'SectionObjectPointersLock' : [ 0x40, ['long']], 'SectionExtendLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'SectionExtendSetLock' : [ 0x50, ['_EX_PUSH_LOCK']], 'SectionBasedRoot' : [ 0x58, ['_RTL_AVL_TREE']], 'SectionBasedLock' : [ 0x60, ['_EX_PUSH_LOCK']], 'UnusedSubsectionPagedPool' : [ 0x68, ['unsigned long long']], 'UnusedSegmentForceFree' : [ 0x70, ['unsigned long']], 'DataSectionProtectionMask' : [ 0x74, ['unsigned long']], 'HighSectionBase' : [ 0x78, ['pointer64', ['void']]], 'PhysicalSubsection' : [ 0x80, ['_MSUBSECTION']], 'PhysicalControlArea' : [ 0xf0, ['_CONTROL_AREA']], 'PageFileSectionHead' : [ 0x168, ['_RTL_AVL_TREE']], 'PageFileSectionListSpinLock' : [ 0x170, ['long']], 'SharedSegmentCharges' : [ 0x178, ['_MI_CROSS_PARTITION_CHARGES']], 'SharedPageCombineCharges' : [ 0x1a0, ['_MI_CROSS_PARTITION_CHARGES']], 'ImageBias' : [ 0x1c8, ['unsigned long']], 'RelocateBitmapsLock' : [ 0x1d0, ['_EX_PUSH_LOCK']], 'ImageBitMap' : [ 0x1d8, ['_RTL_BITMAP']], 'ImageBias64Low' : [ 0x1e8, ['unsigned long']], 'ImageBias64High' : [ 0x1ec, ['unsigned long']], 'ImageBitMap64Low' : [ 0x1f0, ['_RTL_BITMAP']], 'ImageBitMap64High' : [ 0x200, ['_RTL_BITMAP']], 'ImageBitMapWow64Dll' : [ 0x210, ['_RTL_BITMAP']], 'ApiSetSection' : [ 0x220, ['pointer64', ['void']]], 'ApiSetSchema' : [ 0x228, ['pointer64', ['void']]], 'ApiSetSchemaSize' : [ 0x230, 
['unsigned long long']], 'LostDataFiles' : [ 0x238, ['unsigned long']], 'LostDataPages' : [ 0x23c, ['unsigned long']], 'ImageFailureReason' : [ 0x240, ['unsigned long']], 'CfgBitMapSection32' : [ 0x248, ['pointer64', ['_SECTION']]], 'CfgBitMapControlArea32' : [ 0x250, ['pointer64', ['_CONTROL_AREA']]], 'CfgBitMapSection64' : [ 0x258, ['pointer64', ['_SECTION']]], 'CfgBitMapControlArea64' : [ 0x260, ['pointer64', ['_CONTROL_AREA']]], 'ImageCfgFailure' : [ 0x268, ['unsigned long']], 'ImageValidationFailed' : [ 0x26c, ['long']], } ], '_MI_PARTITION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_23c4' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_23c6' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_23c8' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_23ca' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_23c8']], 'Translated' : [ 0x0, ['__unnamed_23c6']], } ], '__unnamed_23cc' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_23ce' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_23d0' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_23d2' : [ 
0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_23d4' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_23d6' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_23d8' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_23da' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_23c4']], 'Port' : [ 0x0, ['__unnamed_23c4']], 'Interrupt' : [ 0x0, ['__unnamed_23c6']], 'MessageInterrupt' : [ 0x0, ['__unnamed_23ca']], 'Memory' : [ 0x0, ['__unnamed_23c4']], 'Dma' : [ 0x0, ['__unnamed_23cc']], 'DmaV3' : [ 0x0, ['__unnamed_23ce']], 'DevicePrivate' : [ 0x0, ['__unnamed_21db']], 'BusNumber' : [ 0x0, ['__unnamed_23d0']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_23d2']], 'Memory40' : [ 0x0, ['__unnamed_23d4']], 'Memory48' : [ 0x0, ['__unnamed_23d6']], 'Memory64' : [ 0x0, ['__unnamed_23d8']], 'Connection' : [ 0x0, ['__unnamed_21e7']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_23da']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_23e2' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_23e2']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 
'Characteristics' : [ 0x24, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE_ENTRY' : [ 0x18, { 'FunctionTable' : [ 0x0, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'DynamicTable' : [ 0x0, ['pointer64', ['_DYNAMIC_FUNCTION_TABLE']]], 'ImageBase' : [ 0x8, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'SizeOfTable' : [ 0x14, ['unsigned long']], } ], '_UNLOADED_DRIVERS' : [ 0x28, { 'Name' : [ 0x0, ['_UNICODE_STRING']], 'StartAddress' : [ 0x10, ['pointer64', ['void']]], 'EndAddress' : [ 0x18, ['pointer64', ['void']]], 'CurrentTime' : [ 0x20, ['_LARGE_INTEGER']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'PagedPoolAllocationMap' : [ 0x8, ['_RTL_BITMAP_EX']], 'FirstPteForPagedPool' : [ 0x18, ['pointer64', ['_MMPTE']]], 'MaximumSize' : [ 0x20, ['unsigned long long']], 'PagedPoolHint' : [ 0x28, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x30, ['unsigned long long']], } ], '__unnamed_23f6' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_23f6']], } ], '_PPM_COORDINATED_SELECTION' : [ 0x18, { 'MaximumStates' : [ 0x0, ['unsigned long']], 'SelectedStates' : [ 0x4, ['unsigned long']], 'DefaultSelection' : [ 0x8, ['unsigned long']], 'Selection' : [ 0x10, ['pointer64', ['unsigned long']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_MI_PAGE_COMBINING_SUPPORT' : [ 0x188, { 'Partition' : [ 0x0, ['pointer64', ['_MI_PARTITION']]], 'ArbitraryPfnMapList' : [ 0x8, ['_LIST_ENTRY']], 'FreeCombinePoolItem' : [ 0x18, ['_MI_COMBINE_WORKITEM']], 'CombiningThreadCount' : [ 0x40, ['unsigned long']], 'CombinePageFreeList' : [ 0x48, ['_LIST_ENTRY']], 'CombineFreeListLock' : [ 0x58, ['unsigned 
long long']], 'CombinePageListHeads' : [ 0x60, ['array', 16, ['_MI_COMBINE_PAGE_LISTHEAD']]], 'PageCombineStats' : [ 0x160, ['_MI_PAGE_COMBINE_STATISTICS']], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_DEVICE' : [ 0x278, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x18, ['pointer64', ['_POP_IRP_DATA']]], 'Status' : [ 0x20, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x24, ['long']], 'PowerNotReqCall' : [ 0x28, ['long']], 'DevNode' : [ 0x30, ['pointer64', ['_DEVICE_NODE']]], 'DpmContext' : [ 0x38, ['pointer64', ['PEPHANDLE__']]], 'Plugin' : [ 0x40, ['pointer64', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x48, ['pointer64', ['PEPHANDLE__']]], 'AcpiPlugin' : [ 0x50, ['pointer64', ['_POP_FX_PLUGIN']]], 'AcpiPluginHandle' : [ 0x58, ['pointer64', ['PEPHANDLE__']]], 'DeviceObject' : [ 0x60, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x68, ['pointer64', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x70, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0xa8, ['pointer64', ['void']]], 'AcpiLink' : [ 0xb0, ['_LIST_ENTRY']], 'DeviceId' : [ 0xc0, ['_UNICODE_STRING']], 'RemoveLock' : [ 0xd0, ['_IO_REMOVE_LOCK']], 'AcpiRemoveLock' : [ 0xf0, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0x110, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0x148, ['unsigned long long']], 'IdleTimer' : [ 0x150, ['_KTIMER']], 'IdleDpc' : [ 0x190, ['_KDPC']], 'IdleTimeout' : [ 0x1d0, ['unsigned long long']], 'IdleStamp' : [ 0x1d8, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0x1e0, ['array', 2, ['pointer64', ['_DEVICE_OBJECT']]]], 'NextIrpPowerState' : [ 0x1f0, ['array', 2, ['_POWER_STATE']]], 'NextIrpCallerCompletion' : [ 0x1f8, ['array', 2, ['pointer64', ['void']]]], 'NextIrpCallerContext' : [ 0x208, ['array', 2, ['pointer64', ['void']]]], 'IrpCompleteEvent' : [ 0x218, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x230, ['pointer64', ['void']]], 'Accounting' : 
[ 0x238, ['_POP_FX_ACCOUNTING']], 'Flags' : [ 0x268, ['unsigned long']], 'ComponentCount' : [ 0x26c, ['unsigned long']], 'Components' : [ 0x270, ['pointer64', ['pointer64', ['_POP_FX_COMPONENT']]]], } ], '_PEP_ACPI_RESOURCE_FLAGS' : [ 0x4, { 'AsULong' : [ 0x0, ['unsigned long']], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Wake' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ResourceUsage' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SlaveMode' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'AddressingMode' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SharedMode' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_241e' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_2420' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_241e']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x60, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CoolingExtension' : [ 0x40, ['pointer64', ['_POP_COOLING_EXTENSION']]], 'Volume' : [ 0x48, ['_LIST_ENTRY']], 'Specific' : [ 0x58, ['__unnamed_2420']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_MI_COMBINE_STATE' : [ 0x1a0, { 'ActiveSpinLock' : [ 0x0, ['long']], 'CombiningThreadCount' : [ 0x4, ['unsigned long']], 'ActiveThreadTree' : [ 0x8, ['_RTL_AVL_TREE']], 'ZeroPageHashValue' : [ 0x10, ['unsigned long long']], 'CrossPartition' : [ 0x18, ['_MI_PAGE_COMBINING_SUPPORT']], } ], '_MMDEREFERENCE_SEGMENT_HEADER' : [ 0x30, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'ListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x38, { 'BadPageCount' : [ 0x0, ['unsigned long long']], 'BadPagesDetected' : [ 0x8, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0xc, ['long']], 'ScrubPasses' : [ 0x10, ['long']], 'ScrubBadPagesFound' : [ 0x14, ['long']], 'PageHashErrors' : [ 0x18, ['unsigned long']], 'FeatureBits' : [ 0x20, ['unsigned long long']], 'TimeZoneId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['_MI_FLAGS']], 'VsmConnection' : [ 0x30, ['pointer64', ['void']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], 
'_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 
'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_DELAY_ACK_FO' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, 
['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_MI_CROSS_PARTITION_CHARGES' : [ 0x28, { 'CurrentCharges' : [ 0x0, ['unsigned long long']], 'ChargeFailures' : [ 0x8, ['unsigned long long']], 'ChargePeak' : [ 0x10, ['unsigned long long']], 'ChargeMinimum' : [ 0x18, ['unsigned long long']], 'ChargeMaximum' : [ 0x20, ['unsigned long long']], } ], '_MI_BAD_MEMORY_EVENT_ENTRY' : [ 0x38, { 'BugCheckCode' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['long']], 'Data' : [ 0x8, ['unsigned long']], 'PhysicalAddress' : [ 0x10, ['_LARGE_INTEGER']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 
0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_MI_SYSTEM_TRIM_STATE' : [ 0x40, { 'ExpansionLock' : [ 0x0, ['unsigned long long']], 'TrimInProgressCount' : [ 0x8, ['long']], 'PeriodicWorkingSetEvent' : [ 0x10, ['_KEVENT']], 'TrimAllPageFaultCount' : [ 0x28, ['array', 3, ['unsigned long']]], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_MI_ZERO_COST_COUNTS' : [ 0x10, { 'NativeSum' : [ 0x0, ['unsigned long long']], 'CachedSum' : [ 0x8, ['unsigned long long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 
'List' : [ 0x4, ['unsigned long']], } ], '_MI_PARTITION_STATISTICS' : [ 0x50, { 'DeleteYield' : [ 0x0, ['unsigned long']], 'DeleteBad' : [ 0x4, ['unsigned long']], 'DeleteTrulyBad' : [ 0x8, ['unsigned long']], 'DeleteLargePage' : [ 0xc, ['unsigned long']], 'DeleteLargePageRetry' : [ 0x10, ['unsigned long']], 'DeleteZeroFree' : [ 0x14, ['unsigned long']], 'DeleteTransition' : [ 0x18, ['unsigned long']], 'DeleteStandbyReferenced' : [ 0x1c, ['unsigned long']], 'DeleteStandbyRelinkFailed' : [ 0x20, ['unsigned long']], 'DeleteStandbySharedPagefile' : [ 0x24, ['unsigned long']], 'DeleteStandbySharedFile' : [ 0x28, ['unsigned long']], 'DeleteModifiedReferenced' : [ 0x2c, ['unsigned long']], 'DeleteModified' : [ 0x30, ['unsigned long']], 'DeleteModifiedNoWrite' : [ 0x34, ['unsigned long']], 'DeleteModifiedSharedPagefile' : [ 0x38, ['unsigned long']], 'DeleteModifiedSharedFile' : [ 0x3c, ['unsigned long']], 'DeleteActiveSharedPagefile1' : [ 0x40, ['unsigned long']], 'DeleteActiveSharedPagefile2' : [ 0x44, ['unsigned long']], 'DeleteActiveSharedFile' : [ 0x48, ['unsigned long']], 'DeleteWriteDelay' : [ 0x4c, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MI_RESAVAIL_TRACKER' : [ 0x3c0, { 'AllocateKernelStack' : [ 0x0, ['unsigned long long']], 'AllocateGrowKernelStack' : [ 0x8, ['unsigned long long']], 'FreeKernelStack' : [ 0x10, ['unsigned long long']], 'FreeKernelStackError' : [ 0x18, ['unsigned long long']], 'FreeGrowKernelStackError' : [ 0x20, ['unsigned long long']], 'AllocateCreateProcess' : [ 0x28, ['unsigned long long']], 'FreeCreateProcessError' : [ 0x30, ['unsigned long long']], 
'FreeDeleteProcess' : [ 0x38, ['unsigned long long']], 'FreeCleanProcess' : [ 0x40, ['unsigned long long']], 'FreeCleanProcessError' : [ 0x48, ['unsigned long long']], 'AllocateAddProcessWsMetaPage' : [ 0x50, ['unsigned long long']], 'AllocateWsIncrease' : [ 0x58, ['unsigned long long']], 'FreeWsIncreaseError' : [ 0x60, ['unsigned long long']], 'FreeWsIncreaseErrorMax' : [ 0x68, ['unsigned long long']], 'FreeWsDecrease' : [ 0x70, ['unsigned long long']], 'AllocateWorkingSetPage' : [ 0x78, ['unsigned long long']], 'FreeWorkingSetPageError' : [ 0x80, ['unsigned long long']], 'FreeDeletePteRange' : [ 0x88, ['unsigned long long']], 'AllocatePageTablesForProcessMetadata' : [ 0x90, ['unsigned long long']], 'FreePageTablesForProcessMetadataError2' : [ 0x98, ['unsigned long long']], 'AllocatePageTablesForSystem' : [ 0xa0, ['unsigned long long']], 'FreePageTablesExcess' : [ 0xa8, ['unsigned long long']], 'FreeSystemVaPageTables' : [ 0xb0, ['unsigned long long']], 'FreeSessionVaPageTables' : [ 0xb8, ['unsigned long long']], 'AllocateCreateSession' : [ 0xc0, ['unsigned long long']], 'FreeSessionWsDereference' : [ 0xc8, ['unsigned long long']], 'FreeSessionDereference' : [ 0xd0, ['unsigned long long']], 'AllocateLockedSessionImage' : [ 0xd8, ['unsigned long long']], 'FreeLockedSessionImage' : [ 0xe0, ['unsigned long long']], 'FreeSessionImageConversion' : [ 0xe8, ['unsigned long long']], 'AllocateWsAdjustPageTable' : [ 0xf0, ['unsigned long long']], 'FreeWsAdjustPageTable' : [ 0xf8, ['unsigned long long']], 'FreeWsAdjustPageTableError' : [ 0x100, ['unsigned long long']], 'AllocateNoLowMemory' : [ 0x108, ['unsigned long long']], 'AllocatePagedPoolLockedDown' : [ 0x110, ['unsigned long long']], 'FreePagedPoolLockedDown' : [ 0x118, ['unsigned long long']], 'AllocateSystemBitmaps' : [ 0x120, ['unsigned long long']], 'FreeSystemBitmapsError' : [ 0x128, ['unsigned long long']], 'AllocateForMdl' : [ 0x130, ['unsigned long long']], 'FreeFromMdl' : [ 0x138, ['unsigned long long']], 
'AllocateForMdlPartition' : [ 0x140, ['unsigned long long']], 'FreeFromMdlPartition' : [ 0x148, ['unsigned long long']], 'FreeMdlExcess' : [ 0x150, ['unsigned long long']], 'AllocateExpansionNonPagedPool' : [ 0x158, ['unsigned long long']], 'FreeExpansionNonPagedPool' : [ 0x160, ['unsigned long long']], 'AllocateVad' : [ 0x168, ['unsigned long long']], 'RemoveVad' : [ 0x170, ['unsigned long long']], 'FreeVad' : [ 0x178, ['unsigned long long']], 'AllocateContiguous' : [ 0x180, ['unsigned long long']], 'FreeContiguousPages' : [ 0x188, ['unsigned long long']], 'FreeContiguousError' : [ 0x190, ['unsigned long long']], 'FreeLargePageMemory' : [ 0x198, ['unsigned long long']], 'AllocateSystemWsles' : [ 0x1a0, ['unsigned long long']], 'FreeSystemWsles' : [ 0x1a8, ['unsigned long long']], 'AllocateSystemInitWs' : [ 0x1b0, ['unsigned long long']], 'AllocateSessionInitWs' : [ 0x1b8, ['unsigned long long']], 'FreeSessionInitWsError' : [ 0x1c0, ['unsigned long long']], 'AllocateSystemImage' : [ 0x1c8, ['unsigned long long']], 'AllocateSystemImageLoad' : [ 0x1d0, ['unsigned long long']], 'AllocateSessionSharedImage' : [ 0x1d8, ['unsigned long long']], 'FreeSystemImageInitCode' : [ 0x1e0, ['unsigned long long']], 'FreeSystemImageLargePageConversion' : [ 0x1e8, ['unsigned long long']], 'FreeSystemImageError' : [ 0x1f0, ['unsigned long long']], 'FreeSystemImageLoadExcess' : [ 0x1f8, ['unsigned long long']], 'FreeUnloadSystemImage' : [ 0x200, ['unsigned long long']], 'FreeReloadBootImageLarge' : [ 0x208, ['unsigned long long']], 'FreeIndependent' : [ 0x210, ['unsigned long long']], 'AllocateHotAdd' : [ 0x218, ['unsigned long long']], 'AllocateHotRemove' : [ 0x220, ['unsigned long long']], 'FreeHotAdd' : [ 0x228, ['unsigned long long']], 'FreeHotAddEcc' : [ 0x230, ['unsigned long long']], 'FreeHotAddError' : [ 0x238, ['unsigned long long']], 'FreeHotAddUnmap' : [ 0x240, ['unsigned long long']], 'AllocateBoot' : [ 0x248, ['unsigned long long']], 'FreeLoaderBlock' : [ 0x250, 
['unsigned long long']], 'AllocateNonPagedSpecialPool' : [ 0x258, ['unsigned long long']], 'FreeNonPagedSpecialPoolError' : [ 0x260, ['unsigned long long']], 'FreeNonPagedSpecialPool' : [ 0x268, ['unsigned long long']], 'AllocateSharedSegmentPage' : [ 0x270, ['unsigned long long']], 'FreeSharedSegmentPage' : [ 0x278, ['unsigned long long']], 'AllocateZeroPage' : [ 0x280, ['unsigned long long']], 'FreeZeroPage' : [ 0x288, ['unsigned long long']], 'AllocateForPo' : [ 0x290, ['unsigned long long']], 'AllocateForPoForce' : [ 0x298, ['unsigned long long']], 'FreeForPo' : [ 0x2a0, ['unsigned long long']], 'AllocateThreadHardFaultBehavior' : [ 0x2a8, ['unsigned long long']], 'FreeThreadHardFaultBehavior' : [ 0x2b0, ['unsigned long long']], 'ObtainFaultCharges' : [ 0x2b8, ['unsigned long long']], 'FreeFaultCharges' : [ 0x2c0, ['unsigned long long']], 'AllocateStoreCharges' : [ 0x2c8, ['unsigned long long']], 'FreeStoreCharges' : [ 0x2d0, ['unsigned long long']], 'ObtainLockedPageCharge' : [ 0x300, ['unsigned long long']], 'FreeLockedPageCharge' : [ 0x340, ['unsigned long long']], 'AllocateStore' : [ 0x348, ['unsigned long long']], 'FreeStore' : [ 0x350, ['unsigned long long']], 'AllocateSystemImageProtos' : [ 0x358, ['unsigned long long']], 'FreeSystemImageProtos' : [ 0x360, ['unsigned long long']], 'AllocateModWriterCharge' : [ 0x368, ['unsigned long long']], 'FreeModWriterCharge' : [ 0x370, ['unsigned long long']], 'AllocateMappedWriterCharge' : [ 0x378, ['unsigned long long']], 'FreeMappedWriterCharge' : [ 0x380, ['unsigned long long']], 'AllocateRegistryCharges' : [ 0x388, ['unsigned long long']], 'FreeRegistryCharges' : [ 0x390, ['unsigned long long']], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'CompactionMask' : [ 0x8, ['unsigned long long']], 'Reserved2' : [ 0x10, ['array', 6, ['unsigned long long']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x38, ['long']], } ], '_MI_COMBINE_PAGE_LISTHEAD' : [ 0x10, { 'Table' : [ 0x0, ['_RTL_AVL_TREE']], 'Lock' : [ 0x8, ['long']], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 
'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '__unnamed_2496' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_2498' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_249a' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_249c' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_2496']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_2498']], 'Raw' : [ 0x0, ['__unnamed_249a']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'Operation' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0xc, ['__unnamed_249c']], 'Stack' : [ 0x18, ['array', 6, ['pointer64', ['void']]]], } ], '_MI_SYSTEM_NODE_INFORMATION' : [ 0x1a0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'NonPagedPoolSListHeadNx' : [ 0x40, ['array', 3, ['_SLIST_HEADER']]], 'CachedKernelStacks' : [ 0x70, ['array', 2, ['_CACHED_KSTACK_LIST']]], 'NonPagedBitMapMaximum' : [ 0xb0, ['unsigned long long']], 'DynamicBitMapNonPagedPool' : [ 0xb8, ['_MI_DYNAMIC_BITMAP']], 'NonPagedPoolLowestPage' : [ 0x108, ['unsigned long long']], 'NonPagedPoolHighestPage' : [ 0x110, ['unsigned long long']], 'AllocatedNonPagedPool' : [ 0x118, ['unsigned long 
long']], 'PartialLargePoolRegions' : [ 0x120, ['unsigned long long']], 'PagesInPartialLargePoolRegions' : [ 0x128, ['unsigned long long']], 'CachedNonPagedPoolCount' : [ 0x130, ['unsigned long long']], 'NonPagedPoolSpinLock' : [ 0x138, ['unsigned long long']], 'CachedNonPagedPool' : [ 0x140, ['pointer64', ['_MMPFN']]], 'NonPagedPoolFirstVa' : [ 0x148, ['pointer64', ['void']]], 'NonPagedPoolLastVa' : [ 0x150, ['pointer64', ['void']]], 'NonPagedBitMap' : [ 0x158, ['array', 3, ['_RTL_BITMAP_EX']]], 'NonPagedHint' : [ 0x188, ['array', 2, ['unsigned long long']]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x10, { 'CrossThreadReleasable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 63, native_type='unsigned long long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'LockState' : [ 0x0, ['pointer64', ['void']]], 'SessionState' : [ 0x8, ['pointer64', ['void']]], 'SessionId' : [ 0x8, ['unsigned long']], 'SessionPad' : [ 0xc, ['unsigned long']], } ], '__unnamed_24ac' : [ 0x4, { 'FlushCompleting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'FlushInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='long')]], 'Long' : [ 0x0, ['long']], } ], '_MI_PARTITION_STORES' : [ 0x80, { 'WriteAllStoreHintedPages' : [ 0x0, ['__unnamed_24ac']], 'VirtualPageFileNumber' : [ 0x4, ['unsigned long']], 'Registered' : [ 0x8, ['unsigned long']], 'ReadClusterSizeMax' : [ 0xc, ['unsigned long']], 'EvictFlushRequestCount' : [ 0x10, ['unsigned long']], 'ModifiedWriteDisableCount' : [ 0x14, ['unsigned long']], 'WriteIssueFailures' : [ 0x18, ['unsigned long']], 'EvictionThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'EvictEvent' : [ 0x28, ['_KEVENT']], 'EvictFlushCompleteEvent' : [ 0x40, 
['_KEVENT']], 'WriteSupportSListHead' : [ 0x60, ['_SLIST_HEADER']], 'EvictFlushLock' : [ 0x70, ['long']], 'ModifiedWriteFailedBitmap' : [ 0x78, ['pointer64', ['_RTL_BITMAP']]], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x10, ['unsigned long']], 'SyncCallback' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x14, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, 
['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, 
['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' 
: [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0x10, ['pointer64', ['_HANDLE_TABLE']]], 'Flags' : [ 0x18, ['unsigned long']], 'NumberOfBuckets' : [ 0x1c, ['unsigned long']], 'Buckets' : [ 0x20, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '__unnamed_24ec' : [ 0x18, { 'RequestedTime' : [ 0x0, ['unsigned long long']], 'ProgrammedTime' : [ 0x8, ['unsigned long long']], 'TimerInfo' : [ 0x10, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0x108, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 
'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 
'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x60, ['array', 3, ['__unnamed_24ec']]], 'WakeAlarmPaused' : [ 0xa8, ['unsigned char']], 'WakeAlarmLastTime' : [ 0xb0, ['unsigned long long']], 'FilteredCapabilities' : [ 0xb8, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'InProgressFlags' : [ 0x28, ['unsigned char']], 'KernelApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, 
['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x50, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 
0x20, ['unsigned long']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3d8, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0x98, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, 
['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, 
native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'ModifiedStoreWrite' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer64', ['_MMPTE']]], } ], 
'_PPM_SELECTION_MENU_ENTRY' : [ 0x18, { 'StrictDependency' : [ 0x0, ['unsigned char']], 'InitiatingState' : [ 0x1, ['unsigned char']], 'DependentState' : [ 0x2, ['unsigned char']], 'StateIndex' : [ 0x4, ['unsigned long']], 'Dependencies' : [ 0x8, ['unsigned long']], 'DependencyList' : [ 0x10, ['pointer64', ['_PPM_SELECTION_DEPENDENCY']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x28, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x8, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0x18, ['_RTL_BITMAP']], 'EvictedBitmap' : [ 0x18, ['_RTL_BITMAP']], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_MI_COMBINE_WORKITEM' : [ 0x28, { 'NextEntry' : [ 0x0, ['pointer64', ['void']]], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x410, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned 
long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], 'PackageDependencyData' : [ 0x400, ['pointer64', ['void']]], 'ProcessGroupId' : [ 0x408, ['unsigned long']], 'LoaderThreads' : [ 0x40c, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' 
: [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_LOCK_HEADER' : [ 0x20, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x8, ['unsigned long long']], 'Lock' : [ 0x10, ['unsigned long long']], 'Valid' : [ 0x18, ['unsigned long']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_MMSECTION_FLAGS2' : [ 0x4, { 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'NumberOfChildViews' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_KSPECIAL_REGISTERS' : [ 0xe0, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, 
['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], 'Xcr0' : [ 0xd8, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 
0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_PEB64' : [ 0x388, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, 
end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 
'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'SparePvoid0' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 
0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pUnused' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, 
end_bit = 8, native_type='unsigned char')]], } ], '_MSUBSECTION' : [ 0x70, { 'Core' : [ 0x0, ['_SUBSECTION']], 'SubsectionNode' : [ 0x38, ['_RTL_BALANCED_NODE']], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x68, ['unsigned long long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_25b9' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1f40, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_25b9']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long long']], 'NonPagablePages' : [ 0x28, ['unsigned long long']], 'CommittedPages' : [ 0x30, ['unsigned long long']], 'PagedPoolStart' : [ 0x38, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x40, ['pointer64', ['void']]], 'SessionObject' : [ 0x48, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x50, ['pointer64', ['void']]], 'SessionPoolAllocationFailures' : [ 0x58, ['array', 4, ['unsigned long']]], 'ImageTree' : [ 0x68, ['_RTL_AVL_TREE']], 'LocaleId' : [ 0x70, ['unsigned long']], 'AttachCount' : [ 0x74, ['unsigned long']], 'AttachGate' : [ 0x78, ['_KGATE']], 'WsListEntry' : [ 0x90, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, 
['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb60, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xb98, ['_MMSUPPORT']], 'Wsle' : [ 0xc90, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc98, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xcc0, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e00, ['_MMPTE']], 'SessionVaLock' : [ 0x1e08, ['_EX_PUSH_LOCK']], 'DynamicVaBitMap' : [ 0x1e10, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1e20, ['unsigned long']], 'SpecialPool' : [ 0x1e28, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1e78, ['_EX_PUSH_LOCK']], 'PoolBigEntriesInUse' : [ 0x1e80, ['long']], 'PagedPoolPdeCount' : [ 0x1e84, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1e88, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1e8c, ['unsigned long']], 'SystemPteInfo' : [ 0x1e90, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1ef0, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1ef8, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1f00, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1f08, ['unsigned long long']], 'IoState' : [ 0x1f10, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1f14, ['unsigned long']], 'IoNotificationEvent' : [ 0x1f18, ['_KEVENT']], 'ServerSilo' : [ 0x1f30, ['pointer64', ['_ESILO']]], 'CreateTime' : [ 0x1f38, ['unsigned long long']], } ], '_MMPAGE_FILE_EXPANSION' : [ 0x60, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'Partition' : [ 0x18, ['pointer64', ['_MI_PARTITION']]], 'RequestedExpansionSize' : [ 0x20, ['unsigned long long']], 'ActualExpansion' : [ 0x28, ['unsigned long long']], 'Event' : [ 0x30, 
['_KEVENT']], 'InProgress' : [ 0x48, ['long']], 'u' : [ 0x4c, ['_MMPAGE_FILE_EXPANSION_FLAGS']], 'ActiveEntry' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'AttemptForCantExtend' : [ 0x58, ['unsigned char']], 'PageFileContract' : [ 0x59, ['unsigned char']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '__unnamed_25ca' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_25cd' : [ 0x8, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x88, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x40, ['__unnamed_25ca']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u4' : [ 0x78, ['__unnamed_25cd']], 'FileObject' : [ 0x80, ['pointer64', ['_FILE_OBJECT']]], } ], '_SEP_SID_VALUES_BLOCK' : [ 0x20, { 'BlockLength' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x8, ['long long']], 'SidCount' : [ 0x10, ['unsigned long']], 'SidValuesStart' : [ 0x18, ['unsigned long long']], } ], '_MI_PARTITION_STATE' : [ 0x58, { 'PartitionLock' : [ 0x0, ['unsigned long long']], 'PartitionIdLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'InitialPartitionIdBits' : [ 0x10, ['unsigned long long']], 'PartitionList' : [ 0x18, ['_LIST_ENTRY']], 'PartitionIdBitmap' : [ 0x28, ['pointer64', ['_RTL_BITMAP']]], 'InitialPartitionIdBitmap' : [ 0x30, 
['_RTL_BITMAP']], 'TempPartitionPointers' : [ 0x40, ['array', 1, ['pointer64', ['_MI_PARTITION']]]], 'Partition' : [ 0x48, ['pointer64', ['pointer64', ['_MI_PARTITION']]]], 'TotalPagesInChildPartitions' : [ 0x50, ['unsigned long long']], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Gate' : [ 0x10, ['_KGATE']], 'Event' : [ 0x10, ['_KEVENT']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_NONOPAQUE_OPLOCK' : [ 0xa0, { 'IrpExclusiveOplock' : [ 0x0, ['pointer64', ['_IRP']]], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'WaiterPriority' : [ 0x20, ['unsigned char']], 'IrpOplocksR' : [ 0x28, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x38, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x48, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x58, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x68, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x78, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x88, ['pointer64', ['_GUID']]], 'OplockState' : [ 0x90, ['unsigned long']], 'FastMutex' : [ 0x98, ['pointer64', ['_FAST_MUTEX']]], } ], '_MI_LARGEPAGE_MEMORY_INFO' : [ 0x28, { 'ListHead' : [ 0x0, 
['_LIST_ENTRY']], 'ColoredPageInfoBase' : [ 0x10, ['pointer64', ['_COLORED_PAGE_INFO']]], 'PagesNeedZeroing' : [ 0x18, ['unsigned long']], 'LargeImageBias' : [ 0x1c, ['unsigned char']], 'Spare' : [ 0x1d, ['array', 3, ['unsigned char']]], 'ActualImageViewSize' : [ 0x20, ['unsigned long long']], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PROCESS_ENERGY_VALUES' : [ 0x90, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'DiskEnergy' : [ 0x40, ['unsigned long long']], 'NetworkTailEnergy' : [ 0x48, ['unsigned long long']], 'MBBTailEnergy' : [ 0x50, ['unsigned long long']], 'NetworkTxRxBytes' : [ 0x58, ['unsigned long long']], 'MBBTxRxBytes' : [ 0x60, ['unsigned long long']], 'Foreground' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'WindowInformation' : [ 0x68, ['unsigned long']], 'PixelArea' : [ 0x6c, ['unsigned long']], 'PixelReportTimestamp' : [ 0x70, ['long long']], 'PixelTime' : [ 0x78, ['unsigned long long']], 'ForegroundReportTimestamp' : [ 0x80, ['long long']], 'ForegroundTime' : [ 0x88, ['unsigned long long']], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' 
: [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_MI_COMMON_PAGE_STATE' : [ 0x88, { 'PageOfOnesPfn' : [ 0x0, ['pointer64', ['_MMPFN']]], 'PageOfOnes' : [ 0x8, ['unsigned long long']], 'DummyPagePfn' : [ 0x10, ['pointer64', ['_MMPFN']]], 'DummyPage' : [ 0x18, ['unsigned long long']], 'PageOfZeroes' : [ 0x20, ['unsigned long long']], 'ZeroMapping' : [ 0x28, ['pointer64', ['void']]], 'OnesMapping' : [ 0x30, ['pointer64', ['void']]], 'BitmapGapFrames' : [ 0x38, ['array', 4, ['unsigned long long']]], 'PfnGapFrames' : [ 0x58, ['array', 4, ['unsigned long long']]], 'PageTableOfOnes' : [ 0x78, ['unsigned long long']], 'PdeOfOnes' : [ 0x80, ['_MMPTE']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, 
native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '__unnamed_25f9' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x30, { 'SessionProtoNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeList' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'DriverAddress' : [ 0x0, ['pointer64', ['void']]], 'SessionId' : [ 0x18, ['unsigned long']], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SubsectionBase' : [ 0x20, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x28, ['__unnamed_25f9']], } ], '_MMPFNLIST_SHORT' : [ 0x18, { 'Total' : [ 0x0, ['unsigned long long']], 'Flink' : [ 0x8, ['unsigned long long']], 'Blink' : [ 0x10, ['unsigned long long']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'SystemVaAllocated' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, 
native_type='unsigned long')]], 'PreferredFsCompressionBoundary' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'UsingFileExtents' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x28, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x10, ['pointer64', ['void']]], 'SessionViewVa' : [ 0x10, ['pointer64', ['void']]], 'VadsProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Type' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SubsectionType' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SectionOffset' : [ 0x20, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '__unnamed_2614' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x78, { 'Status' : [ 0x0, ['long']], 'PartitionId' : [ 0x4, ['unsigned short']], 'Priority' : [ 0x6, ['unsigned char']], 'IrpPriority' : [ 0x7, ['unsigned char']], 'ReservationWrite' : [ 0x8, ['unsigned char']], 'CurrentTime' : [ 0x10, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x18, ['unsigned long 
long']], 'ModifiedPagesTotal' : [ 0x20, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x28, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x30, ['unsigned long long']], 'ModifiedPagefileNoReservationPages' : [ 0x38, ['unsigned long long']], 'MdlHack' : [ 0x40, ['__unnamed_2614']], } ], '_PROC_PERF_DOMAIN' : [ 0x190, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0xc0, ['unsigned long']], 'Class' : [ 0xc4, ['unsigned char']], 'Spare' : [ 0xc5, ['array', 3, ['unsigned char']]], 'Processors' : [ 0xc8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0xd0, ['pointer64', ['void']]], 'TimeWindowHandler' : [ 0xd8, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0xe0, ['pointer64', ['void']]], 'BoostModeHandler' : [ 0xe8, ['pointer64', ['void']]], 'EnergyPerfPreferenceHandler' : [ 0xf0, ['pointer64', ['void']]], 'AutonomousActivityWindowHandler' : [ 0xf8, ['pointer64', ['void']]], 'AutonomousModeHandler' : [ 0x100, ['pointer64', ['void']]], 'ReinitializeHandler' : [ 0x108, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0x110, ['pointer64', ['void']]], 'PerfControlHandler' : [ 0x118, ['pointer64', ['void']]], 'MaxFrequency' : [ 0x120, ['unsigned long']], 'NominalFrequency' : [ 0x124, ['unsigned long']], 'MaxPercent' : [ 0x128, ['unsigned long']], 'MinPerfPercent' : [ 0x12c, ['unsigned long']], 'MinThrottlePercent' : [ 0x130, ['unsigned long']], 'MinimumRelativePerformance' : [ 0x138, ['unsigned long long']], 'NominalRelativePerformance' : [ 0x140, ['unsigned long long']], 'Coordination' : [ 0x148, ['unsigned char']], 'HardPlatformCap' : [ 0x149, ['unsigned char']], 'AffinitizeControl' : [ 0x14a, ['unsigned char']], 'EfficientThrottle' : [ 0x14b, ['unsigned char']], 'AutonomousMode' : [ 0x14c, ['unsigned char']], 'SelectedPercent' : [ 0x150, ['unsigned long']], 'SelectedFrequency' : [ 0x154, ['unsigned long']], 'DesiredPercent' : [ 0x158, 
['unsigned long']], 'MaxPolicyPercent' : [ 0x15c, ['unsigned long']], 'MinPolicyPercent' : [ 0x160, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x164, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x168, ['unsigned long']], 'GuaranteedPercent' : [ 0x16c, ['unsigned long']], 'TolerancePercent' : [ 0x170, ['unsigned long']], 'SelectedState' : [ 0x178, ['unsigned long long']], 'PerfChangeTime' : [ 0x180, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0x188, ['unsigned long']], 'Force' : [ 0x18c, ['unsigned char']], 'ProvideGuidance' : [ 0x18d, ['unsigned char']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HVIEW_MAP_TABLE' : [ 0x800, { 'Entries' : [ 0x0, ['array', 64, ['_HVIEW_MAP_ENTRY']]], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_TRIAGE_9F_PNP' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'CompletionQueue' : [ 0x8, ['pointer64', ['_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE']]], 'DelayedWorkQueue' : [ 0x10, ['pointer64', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_RELATION_LIST' : [ 0x10, { 'DeviceObjectList' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT_LIST']]], 'Sorted' : [ 0x8, ['unsigned char']], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, 
['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MI_STANDBY_STATE' : [ 0xc0, { 'TransitionSharedPages' : [ 0x0, ['unsigned long long']], 'TransitionSharedPagesPeak' : [ 0x8, ['array', 3, ['unsigned long long']]], 'FirstDecayPage' : [ 0x20, ['unsigned long long']], 'PfnDecayFreeSList' : [ 0x30, ['_SLIST_HEADER']], 'PfnRepurposeLog' : [ 0x40, ['pointer64', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'AllocatePfnRepurposeDpc' : [ 0x48, ['_KDPC']], } ], '_MI_ACCESS_LOG_STATE' : [ 0x80, { 'CcAccessLog' : [ 0x0, ['pointer64', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'Enabled' : [ 0x8, ['unsigned long']], 'DisableAccessLogging' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'MinLoggingPriority' : [ 0x30, ['unsigned long']], 'AccessLoggingLock' : [ 0x40, ['unsigned long long']], } ], '_ETW_BUFFER_QUEUE' : [ 0x18, { 'QueueHead' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueTail' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x10, ['_SINGLE_LIST_ENTRY']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long long']], 'SpecialPoolPdes' : [ 0x40, ['_RTL_BITMAP']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x8, { 'LogHandleContext' : [ 0x0, ['pointer64', ['_LOG_HANDLE_CONTEXT']]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', 
['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_CURRENT_BROADCAST' : [ 0x18, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'DeviceState' : [ 0x10, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '__unnamed_265a' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_265e' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_265a']], 'Bits' : [ 0x4, 
['__unnamed_265e']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'DataLow' : [ 0x0, ['long long']], 'DataHigh' : [ 0x8, ['long long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_FAST_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_IOV_IRP_TRACE' : [ 0x80, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x10, ['short']], 'SpecialApcDisable' : [ 0x12, ['short']], 'CombinedApcDisable' : [ 0x10, ['unsigned long']], 'Irql' : [ 0x14, ['unsigned char']], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_DYNAMIC_FUNCTION_TABLE' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FunctionTable' : [ 0x10, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'TimeStamp' : [ 0x18, ['_LARGE_INTEGER']], 'MinimumAddress' : [ 0x20, ['unsigned long long']], 'MaximumAddress' : [ 0x28, ['unsigned long long']], 'BaseAddress' : [ 0x30, ['unsigned long long']], 'Callback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'OutOfProcessCallbackDll' : [ 0x48, ['pointer64', ['unsigned short']]], 'Type' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'RF_SORTED', 1: 'RF_UNSORTED', 2: 'RF_CALLBACK', 3: 'RF_KERNEL_DYNAMIC'})]], 'EntryCount' : [ 0x54, ['unsigned long']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x8, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' 
: [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_PROC_IDLE_POLICY' : [ 0x6, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], 'ForceLightIdle' : [ 0x5, ['unsigned char']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2680' : [ 0x4, { 'PercentLevel' : [ 0x0, ['unsigned long']], } ], '__unnamed_2682' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_2680']], 'Button' : [ 0x10, ['__unnamed_2682']], } ], '_KDPC_DATA' : [ 0x28, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], 'ActiveDpc' : [ 0x20, ['pointer64', ['_KDPC']]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, 
['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_KSCB' : [ 0x198, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'MinQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'MaxQuotaCycleTarget' : [ 0x10, ['unsigned long long']], 'RankCycleTarget' : [ 0x18, ['unsigned long long']], 'LongTermCycles' : [ 0x20, ['unsigned long long']], 'LastReportedCycles' : [ 0x28, ['unsigned long long']], 'OverQuotaHistory' : [ 0x30, ['unsigned long long']], 'ReadyTime' : [ 0x38, ['unsigned long long']], 'InsertTime' : [ 0x40, ['unsigned long long']], 'PerProcessorList' : [ 0x48, ['_LIST_ENTRY']], 'QueueNode' : [ 0x58, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x70, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'MaxOverQuota' : [ 0x70, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'MinOverQuota' : [ 0x70, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x70, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SoftCap' : [ 0x70, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Spare1' : [ 0x70, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Depth' : [ 0x71, ['unsigned char']], 'ReadySummary' : [ 0x72, ['unsigned short']], 'Rank' : [ 0x74, ['unsigned long']], 'ReadyListHead' : [ 0x78, ['array', 16, ['_LIST_ENTRY']]], 'ChildScbQueue' : [ 0x178, ['_RTL_RB_TREE']], 'Parent' : [ 0x188, ['pointer64', ['_KSCB']]], 'Root' : [ 0x190, ['pointer64', ['_KSCB']]], } ], '__unnamed_2691' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2692' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long 
long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2691']], 'Merged' : [ 0x10, ['__unnamed_2692']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_PROC_PERF_HISTORY' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'UtilityTotal' : [ 0x8, ['unsigned long']], 'AffinitizedUtilityTotal' : [ 0xc, ['unsigned long']], 'FrequencyTotal' : [ 0x10, ['unsigned long']], 'TaggedPercentTotal' : [ 0x14, ['array', 2, ['unsigned long']]], 'HistoryList' : [ 0x1c, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_MI_PARTITION_ZEROING' : [ 0x48, { 'PageEvent' : [ 0x0, ['_KEVENT']], 'ThreadActive' : [ 0x18, ['unsigned char']], 'ZeroFreePageSlistMinimum' : [ 0x1c, ['long']], 'FirstReservedZeroingPte' : [ 0x20, ['pointer64', ['_MMPTE']]], 'RebalanceZeroFreeWorkItem' : [ 0x28, ['_WORK_QUEUE_ITEM']], } ], '_IMAGE_RUNTIME_FUNCTION_ENTRY' : [ 0xc, { 'BeginAddress' : [ 0x0, ['unsigned long']], 'EndAddress' : [ 0x4, ['unsigned long']], 'UnwindInfoAddress' : [ 0x8, ['unsigned long']], 'UnwindData' : [ 0x8, ['unsigned long']], } ], '__unnamed_26a1' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_26a1']], 'PolicyCount' : [ 0x4, 
['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long long']], 'Processors' : [ 0x8, ['unsigned long']], 'ActiveProcessors' : [ 0xc, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '__unnamed_26b9' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_26bb' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_26b9']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x110, { 
'SuspectDriverEntry' : [ 0x0, ['pointer64', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_26bb']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' : [ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], 'ExecutePoolTypes' : [ 0xf8, ['unsigned long']], 'ExecutePageProtections' : [ 0xfc, ['unsigned long']], 'ExecutePageMappings' : [ 0x100, ['unsigned long']], 'ExecuteWriteSections' : [ 0x104, ['unsigned long']], 'SectionAlignmentFailures' : [ 0x108, ['unsigned long']], } 
], '_TRIAGE_DEVICE_NODE' : [ 0x58, { 'Sibling' : [ 0x0, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'FxDevice' : [ 0x50, ['pointer64', ['_TRIAGE_POP_FX_DEVICE']]], } ], '_PRIVATE_CACHE_MAP' : [ 0x78, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long long']], 'PipelinedReadAheadRequestSize' : [ 0x58, ['unsigned long']], 'ReadAheadGrowth' : [ 0x5c, ['unsigned long']], 'PrivateLinks' : [ 0x60, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x70, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' 
: [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_MI_SYSTEM_IMAGE_STATE' : [ 0xb0, { 'FixupLock' : [ 0x0, ['long']], 'FixupList' : [ 0x8, ['_LIST_ENTRY']], 'LoadLock' : [ 0x18, ['_KMUTANT']], 'FirstLoadEver' : [ 0x50, ['unsigned char']], 'LargePageAll' : [ 0x51, ['unsigned char']], 'LastPage' : [ 0x58, ['unsigned long long']], 'LargePageList' : [ 0x60, ['_LIST_ENTRY']], 'BeingDeleted' : [ 0x70, ['pointer64', ['_KLDR_DATA_TABLE_ENTRY']]], 'MappingRangesPushLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'MappingRanges' : [ 0x80, 
['array', 2, ['pointer64', ['_MI_DRIVER_VA']]]], 'PageCount' : [ 0x90, ['unsigned long long']], 'PageCounts' : [ 0x98, ['_MM_SYSTEM_PAGE_COUNTS']], 'CollidedLock' : [ 0xa8, ['_EX_PUSH_LOCK']], } ], '_PTE_TRACKER' : [ 0x80, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'GuardPte' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x48, ['array', 7, ['pointer64', ['void']]]], } ], '_HV_GET_CELL_CONTEXT' : [ 0x4, { 'Cell' : [ 0x0, ['unsigned long']], 'IsInTempBin' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '__unnamed_26e8' : [ 0x2, { 'SignatureLevel' : [ 
0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'SignatureType' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned short')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'EntireField' : [ 0x0, ['unsigned short']], } ], '_KLDR_DATA_TABLE_ENTRY' : [ 0xa0, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'ExceptionTable' : [ 0x10, ['pointer64', ['void']]], 'ExceptionTableSize' : [ 0x18, ['unsigned long']], 'GpValue' : [ 0x20, ['pointer64', ['void']]], 'NonPagedDebugInfo' : [ 0x28, ['pointer64', ['_NON_PAGED_DEBUG_INFO']]], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'u1' : [ 0x6e, ['__unnamed_26e8']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'CoverageSectionSize' : [ 0x7c, ['unsigned long']], 'CoverageSection' : [ 0x80, ['pointer64', ['void']]], 'LoadedImports' : [ 0x88, ['pointer64', ['void']]], 'Spare' : [ 0x90, ['pointer64', ['void']]], 'SizeOfImageNotRounded' : [ 0x98, ['unsigned long']], 'TimeDateStamp' : [ 0x9c, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 
0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x30, { 'InstantaneousRead' : [ 0x0, ['pointer64', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer64', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'Scaling' : [ 0x22, ['unsigned char']], 'Context' : [ 0x28, ['unsigned long long']], } ], '_PPM_COORDINATED_SYNCHRONIZATION' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'EnterProcessor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'ExitProcessor' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 24, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 26, native_type='unsigned long')]], 'Entered' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'EntryPriority' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_MI_PAGING_IO_STATE' : [ 0x50, { 'PageFileHead' : [ 0x0, ['_RTL_AVL_TREE']], 'PageFileHeadSpinLock' : [ 0x8, ['long']], 'PrefetchSeekThreshold' : [ 0xc, ['long']], 'InPageSupportSListHead' : [ 0x10, ['array', 2, ['_SLIST_HEADER']]], 'InPageSupportSListMinimum' : [ 0x30, ['array', 2, ['unsigned char']]], 'InPageSinglePages' : [ 0x34, ['unsigned long']], 'DelayPageFaults' : [ 0x38, ['long']], 'FileCompressionBoundary' : [ 0x3c, ['unsigned long']], 'MdlsAdjusted' : [ 0x40, ['unsigned char']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_MI_FORCED_COMMITS' : [ 0x8, { 'Regular' : [ 0x0, ['unsigned long']], 'Wrap' : [ 0x4, ['unsigned long']], } ], '_MI_FILE_EXTENTS' : [ 0x8, { 'WaitList' : [ 0x0, 
['pointer64', ['_MI_FILE_EXTENTS_WAIT_BLOCK']]], } ], '_HMAP_ENTRY' : [ 0x28, { 'BlockOffset' : [ 0x0, ['unsigned long long']], 'PermanentBinAddress' : [ 0x8, ['unsigned long long']], 'TemporaryBinAddress' : [ 0x10, ['unsigned long long']], 'TemporaryBinRundown' : [ 0x18, ['_EX_RUNDOWN_REF']], 'MemAlloc' : [ 0x20, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x30, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'Reference' : [ 0x10, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x28, ['unsigned char']], 'Name' : [ 0x2a, ['array', 1, ['wchar']]], } ], '_PLATFORM_IDLE_ACCOUNTING' : [ 0x3f8, { 'ResetCount' : [ 0x0, ['unsigned long']], 'StateCount' : [ 0x4, ['unsigned long']], 'TimeUnit' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['_PLATFORM_IDLE_STATE_ACCOUNTING']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x260, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x270, ['unsigned long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x8, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_271c' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_271f' : [ 0x4, { 
'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0x1b0, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x10, ['_LIST_ENTRY']], 'Event' : [ 0x20, ['_KEVENT']], 'CollidedEvent' : [ 0x38, ['_KEVENT']], 'IoStatus' : [ 0x50, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x60, ['_LARGE_INTEGER']], 'ApcState' : [ 0x68, ['_KAPC_STATE']], 'Thread' : [ 0x98, ['pointer64', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0xa0, ['pointer64', ['_MMPFN']]], 'PteContents' : [ 0xa8, ['_MMPTE']], 'WaitCount' : [ 0xb0, ['long']], 'ByteCount' : [ 0xb4, ['unsigned long']], 'u3' : [ 0xb8, ['__unnamed_271c']], 'u1' : [ 0xbc, ['__unnamed_271f']], 'FilePointer' : [ 0xc0, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0xc8, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0xc8, ['pointer64', ['_SUBSECTION']]], 'Autoboost' : [ 0xd0, ['pointer64', ['void']]], 'FaultingAddress' : [ 0xd8, ['pointer64', ['void']]], 'PointerPte' : [ 0xe0, ['pointer64', ['_MMPTE']]], 'BasePte' : [ 0xe8, ['pointer64', ['_MMPTE']]], 'Pfn' : [ 0xf0, ['pointer64', ['_MMPFN']]], 'PrefetchMdl' : [ 0xf8, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x100, ['_MDL']], 'Page' : [ 0x130, ['array', 16, ['unsigned long long']]], 'FlowThrough' : [ 0x130, ['_MMINPAGE_SUPPORT_FLOW_THROUGH']], } ], '_HAL_NODE_RANGE' : [ 0x10, { 'PageFrameIndex' : [ 0x0, ['unsigned long long']], 'Node' : [ 0x8, ['unsigned long']], } ], '_MMCLONE_BLOCK' : [ 0x20, { 'ProtoPte' : [ 0x0, ['_MMPTE']], 'PaddingFor16ByteAlignment' : [ 0x8, ['unsigned long long']], 'CloneCommitCount' : [ 0x10, ['unsigned long long']], 'u1' : [ 0x10, ['_MI_CLONE_BLOCK_FLAGS']], 'CloneRefCount' : [ 0x18, ['unsigned long long']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 
'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions', 24: 'ConfigureDeviceReset'})]], 'ReorderingBarrier' : [ 0x1c, ['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long long']], 'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], 'ActivityId' : [ 0x38, ['_GUID']], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'LowboxNumber' : [ 0x28, ['unsigned long']], 'AtomTable' : [ 0x30, ['pointer64', ['void']]], } ], '_MI_LDW_WORK_CONTEXT' : [ 0x38, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'FileObject' : [ 0x20, ['pointer64', ['_FILE_OBJECT']]], 'ErrorStatus' : [ 0x28, ['long']], 'Active' : [ 0x2c, ['long']], 'FreeWhenDone' : [ 0x30, ['unsigned char']], } ], '_MI_CFG_BITMAP_INFO' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'RegionSize' : [ 0x8, ['unsigned long long']], 'BitmapVad' : [ 0x10, ['pointer64', ['_MMVAD']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MI_SHUTDOWN_STATE' : [ 0x80, { 'StandbyListDiscard' : [ 0x0, ['unsigned long']], 'CrashDumpInitialized' : [ 0x4, ['unsigned char']], 
'ConnectedStandbyActive' : [ 0x5, ['unsigned char']], 'SystemShutdown' : [ 0x8, ['unsigned long']], 'ShutdownFlushInProgress' : [ 0xc, ['long']], 'ResumeItem' : [ 0x10, ['_MI_RESUME_WORKITEM']], 'FreeListDiscard' : [ 0x48, ['unsigned char']], 'MirrorHoldsPfn' : [ 0x50, ['pointer64', ['_ETHREAD']]], 'MirroringActive' : [ 0x58, ['unsigned long']], 'MirrorBitMap' : [ 0x60, ['pointer64', ['_RTL_BITMAP_EX']]], 'MirrorBitMapInterlocked' : [ 0x68, ['pointer64', ['_RTL_BITMAP_EX']]], 'MirrorListLocks' : [ 0x70, ['pointer64', ['void']]], 'CrashDumpPte' : [ 0x78, ['pointer64', ['_MMPTE']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'OperatingSystemVersion' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 
'ComPlusPrefer32bit' : [ 0x33, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x70, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GroupRegList' : [ 0x10, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x20, ['pointer64', ['_ETW_GUID_ENTRY']]], 'GroupEntry' : [ 0x28, ['pointer64', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x30, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x30, ['array', 4, ['pointer64', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x30, ['pointer64', ['void']]], 'SessionId' : [ 0x38, ['unsigned long']], 'Process' : [ 0x50, ['pointer64', ['_EPROCESS']]], 'CallbackContext' : [ 0x50, ['pointer64', ['void']]], 'Callback' : [ 0x58, ['pointer64', ['void']]], 'Index' : [ 0x60, ['unsigned short']], 'Flags' : [ 0x62, ['unsigned char']], 'DbgKernelRegistration' : [ 0x62, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgUserRegistration' : [ 0x62, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DbgReplyRegistration' : [ 0x62, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'DbgClassicRegistration' : [ 0x62, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'DbgSessionSpaceRegistration' : [ 0x62, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DbgModernRegistration' : [ 0x62, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DbgClosed' : [ 0x62, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DbgInserted' : [ 0x62, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'EnableMask' : [ 0x63, ['unsigned char']], 'GroupEnableMask' : [ 0x64, ['unsigned char']], 
'UseDescriptorType' : [ 0x65, ['unsigned char']], 'Traits' : [ 0x68, ['pointer64', ['_ETW_PROVIDER_TRAITS']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_HVIEW_MAP_PIN_LOG' : [ 0x488, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Entries' : [ 0x8, ['array', 16, ['_HVIEW_MAP_PIN_LOG_ENTRY']]], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 
'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_MI_PROBE_RAISE_TRACKER' : [ 0x3c, { 'UserRangeInKernel' : [ 0x0, ['unsigned long']], 'FaultFailed' : [ 0x4, ['unsigned long']], 'WriteFaultFailed' : [ 0x8, ['unsigned long']], 'LargePageFailed' : [ 0xc, ['unsigned long']], 'UserAccessToKernelPte' : [ 0x10, ['unsigned long']], 'BadPageLocation' : [ 0x14, ['unsigned long']], 'InsufficientCharge' : [ 0x18, ['unsigned long']], 'PageTableCharge' : [ 0x1c, ['unsigned long']], 'NoPhysicalMapping' : [ 0x20, ['unsigned long']], 'NoIoReference' : [ 0x24, ['unsigned long']], 'ProbeFailed' : [ 0x28, ['unsigned long']], 'PteIsZero' : [ 0x2c, ['unsigned long']], 'StrongCodeWrite' : [ 0x30, ['unsigned long']], 'ReducedCloneCommitChargeFailed' : [ 0x34, ['unsigned long']], 'CopyOnWriteAtDispatchNoPages' : [ 0x38, ['unsigned long']], } ], '_ETW_PROVIDER_TRAITS' : [ 0x20, { 'Node' : [ 0x0, ['_RTL_BALANCED_NODE']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Traits' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0x58, { 'Count' : [ 0x0, ['unsigned long']], 'Vectors' : [ 0x8, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_MI_CLONE_BLOCK_FLAGS' : [ 0x8, { 'ActualCloneCommit' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 59, native_type='unsigned long long')]], 
'CloneProtection' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x118, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x68, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x68, ['unsigned long']], 'PackagedBinary' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x68, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x68, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LoadConfigProcessed' : [ 0x68, ['BitField', dict(start_bit = 13, end_bit = 14, 
native_type='unsigned long')]], 'EntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectDelayLoad' : [ 0x68, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x68, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x68, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x68, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x68, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x68, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x68, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x68, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x68, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x68, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x68, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x68, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Lock' : [ 0x90, ['pointer64', ['void']]], 'DdagNode' : [ 0x98, ['pointer64', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0xa0, ['_LIST_ENTRY']], 'LoadContext' : [ 0xb0, ['pointer64', 
['_LDRP_LOAD_CONTEXT']]], 'ParentDllBase' : [ 0xb8, ['pointer64', ['void']]], 'SwitchBackContext' : [ 0xc0, ['pointer64', ['void']]], 'BaseAddressIndexNode' : [ 0xc8, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0xe0, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0xf8, ['unsigned long long']], 'LoadTime' : [ 0x100, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x108, ['unsigned long']], 'LoadReason' : [ 0x10c, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x110, ['unsigned long']], 'ReferenceCount' : [ 0x114, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], 'AllStacksInUse' : [ 0x1c, ['unsigned long']], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, 
['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CoalescedIo' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'VmLockNotNeeded' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_MI_DRIVER_VA' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_DRIVER_VA']]], 'PointerPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BitMap' : [ 0x10, ['_RTL_BITMAP']], 'Hint' : [ 0x20, ['unsigned long']], } ], '_LDR_DDAG_NODE' : [ 0x50, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x10, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0x18, ['unsigned long']], 'LoadWhileUnloadingCount' : [ 0x1c, ['unsigned long']], 'LowestLink' : [ 0x20, ['unsigned long']], 'Dependencies' : [ 0x28, ['_LDRP_CSLIST']], 'IncomingDependencies' : [ 0x30, ['_LDRP_CSLIST']], 'State' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 
'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x48, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1d0, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'Order' : [ 0x30, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x1a8, ['_LIST_ENTRY']], 'Status' : [ 0x1b8, ['long']], 'FailedDevice' : [ 0x1c0, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1c8, ['unsigned char']], 'Cancelled' : [ 0x1c9, ['unsigned char']], 'IgnoreErrors' : [ 0x1ca, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1cb, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1cc, ['unsigned char']], } ], '_KHETERO_PROCESSOR_SET' : [ 0x10, { 'PreferredMask' : [ 0x0, ['unsigned long long']], 'AvailableMask' : [ 0x8, ['unsigned long long']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x10, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, 
['pointer64', ['void']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0xf8, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Name' : [ 0xa8, ['_UNICODE_STRING']], 'Latency' : [ 0xb8, ['unsigned long']], 'BreakEvenDuration' : [ 0xbc, ['unsigned long']], 'Power' : [ 0xc0, ['unsigned long']], 'StateFlags' : [ 0xc4, ['unsigned long']], 'VetoAccounting' : [ 0xc8, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0xf0, ['unsigned char']], 'InterruptsEnabled' : [ 0xf1, ['unsigned char']], 'Interruptible' : [ 0xf2, ['unsigned char']], 'ContextRetained' : [ 0xf3, ['unsigned char']], 'CacheCoherent' : [ 0xf4, ['unsigned char']], 'WakesSpuriously' : [ 0xf5, ['unsigned char']], 'PlatformOnly' : [ 0xf6, ['unsigned char']], 'NoCState' : [ 0xf7, ['unsigned 
char']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_MI_SYSTEM_PTE_STATE' : [ 0x180, { 'DeadPteTrackerSListHead' : [ 0x0, ['_SLIST_HEADER']], 'PteTrackerLock' : [ 0x10, ['unsigned long long']], 'MdlTrackerLookaside' : [ 0x40, ['_NPAGED_LOOKASIDE_LIST']], 'PteTrackingBitmap' : [ 0xc0, ['_RTL_BITMAP_EX']], 'CachedPteHeads' : [ 0xd0, ['pointer64', ['_MI_CACHED_PTES']]], 'SystemViewPteInfo' : [ 0xd8, ['_MI_SYSTEM_PTE_TYPE']], 'KernelStackPages' : [ 0x138, ['unsigned char']], 'QueuedStacks' : [ 0x140, ['_SLIST_HEADER']], 'StackGrowthFailures' : [ 0x150, ['unsigned long']], 'TrackPtesAborted' : [ 0x154, ['unsigned char']], 'AdjustCounter' : [ 0x155, ['unsigned char']], 'QueuedStacksWorkItem' : [ 0x158, ['_MI_QUEUED_DEADSTACK_WORKITEM']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x40, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x10, 
['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x18, ['long']], 'HighWaterMark' : [ 0x1c, ['unsigned long']], 'Reserved' : [ 0x20, ['array', 8, ['unsigned long']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, 
end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_PPM_POLICY_SETTINGS_MASK' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'PerfDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PerfIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerfDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PerfIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PerfDecreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PerfIncreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'PerfMinPolicy' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'PerfMaxPolicy' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'PerfTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PerfBoostPolicy' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PerfBoostMode' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AllowThrottling' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PerfHistoryCount' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ParkingPerfState' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LatencyHintPerf' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'LatencyHintUnpark' : [ 0x0, ['BitField', dict(start_bit = 
15, end_bit = 16, native_type='unsigned long')]], 'CoreParkingMinCores' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CoreParkingMaxCores' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'CoreParkingDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'CoreParkingIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CoreParkingDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CoreParkingIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CoreParkingOverUtilizationThreshold' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'CoreParkingDistributeUtility' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CoreParkingConcurrencyThreshold' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CoreParkingHeadroomThreshold' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CoreParkingDistributionThreshold' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IdleAllowScaling' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'IdleDisable' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'IdleTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'IdleDemoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'IdlePromoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HeteroDecreaseTime' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 
'HeteroIncreaseTime' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HeteroDecreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HeteroIncreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Class0FloorPerformance' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Class1InitialPerformance' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnergyPerfPreference' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AutonomousActivityWindow' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AutonomousMode' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DutyCycling' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_27bd' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x20, { 'NodeRangeSize' : [ 0x0, ['unsigned long long']], 'NodeCount' : [ 0x8, ['unsigned long long']], 'Tables' : [ 0x10, ['pointer64', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x18, ['unsigned long']], 'u1' : [ 0x1c, ['__unnamed_27bd']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_POP_FX_ACCOUNTING' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned char']], 'DripsRequiredState' : [ 0xc, ['unsigned 
long']], 'Level' : [ 0x10, ['long']], 'ActiveStamp' : [ 0x18, ['long long']], 'CsActiveTime' : [ 0x20, ['unsigned long long']], 'CriticalActiveTime' : [ 0x28, ['long long']], } ], '_MI_RESUME_WORKITEM' : [ 0x38, { 'ResumeCompleteEvent' : [ 0x0, ['_KEVENT']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, 
native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ISR_THUNK' : [ 0x8, { 'PushImm' : [ 0x0, ['unsigned char']], 'Vector' : [ 0x1, ['unsigned char']], 'PushRbp' : [ 0x2, ['unsigned char']], 'JmpOp' : [ 0x3, ['unsigned char']], 'JmpOffset' : [ 0x4, ['long']], } ], '_TRIAGE_EX_WORK_QUEUE' : [ 0x2b0, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x8, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'TaggedPercent' : [ 0x5, ['array', 2, ['unsigned char']]], } ], '_POP_FX_COMPONENT' : [ 0x100, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x18, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x58, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x60, ['long']], 'ActiveEvent' : [ 0x68, ['_KEVENT']], 'IdleLock' : [ 0x80, ['unsigned long long']], 'IdleConditionComplete' : [ 0x88, 
['long']], 'IdleStateComplete' : [ 0x8c, ['long']], 'IdleStamp' : [ 0x90, ['unsigned long long']], 'CurrentIdleState' : [ 0x98, ['unsigned long']], 'IdleStateCount' : [ 0x9c, ['unsigned long']], 'IdleStates' : [ 0xa0, ['pointer64', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0xa8, ['unsigned long']], 'ProviderCount' : [ 0xac, ['unsigned long']], 'Providers' : [ 0xb0, ['pointer64', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0xb8, ['unsigned long']], 'DependentCount' : [ 0xbc, ['unsigned long']], 'Dependents' : [ 0xc0, ['pointer64', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0xc8, ['_POP_FX_ACCOUNTING']], 'Performance' : [ 0xf8, ['pointer64', ['_POP_FX_PERF_INFO']]], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x10, { 'DeviceHandle' : [ 0x0, ['pointer64', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x38, { 'ComponentActive' : [ 0x0, ['pointer64', ['void']]], 'ComponentIdle' : [ 0x8, ['pointer64', ['void']]], 'ComponentIdleState' : [ 0x10, ['pointer64', ['void']]], 'DevicePowerRequired' : [ 0x18, ['pointer64', ['void']]], 'DevicePowerNotRequired' : [ 0x20, ['pointer64', ['void']]], 'PowerControl' : [ 0x28, ['pointer64', ['void']]], 'ComponentCriticalTransition' : [ 0x30, ['pointer64', ['void']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x10, ['unsigned char']], 'Spare' : [ 0x11, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0x14, ['unsigned long']], 'DebugId' : [ 0x18, ['_CVDD']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8180, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 
'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'StackLimitHits' : [ 0x8038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x803c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x8040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8044, ['unsigned long']], 'TotalReleases' : [ 0x8048, ['unsigned long']], 'RootNodesDeleted' : [ 0x804c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x8050, ['unsigned long']], 'Instigator' : [ 0x8058, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8060, ['unsigned long']], 'Participant' : [ 0x8068, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8168, ['long']], 'StackType' : [ 0x816c, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x8170, ['unsigned long long']], 'StackHighLimit' : [ 0x8178, ['unsigned long long']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 
'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']], } ], '_MM_SYSTEM_PAGE_COUNTS' : [ 0x10, { 'SystemCodePage' : [ 0x0, ['unsigned long']], 'SystemDriverPage' : [ 0x4, ['unsigned long']], 'TotalSystemCodePages' : [ 0x8, ['long']], 'TotalSystemDriverPages' : [ 0xc, ['long']], } ], '_MI_MODWRITE_DATA' : [ 0x40, { 'PagesLoad' : [ 0x0, ['long long']], 'PagesAverage' : [ 0x8, ['unsigned long long']], 'AverageAvailablePages' : [ 0x10, ['unsigned long long']], 'PagesWritten' : [ 0x18, ['unsigned long long']], 'WritesIssued' : [ 0x20, ['unsigned long']], 'IgnoredReservationsCount' : [ 0x24, ['unsigned long']], 'FreedReservationsCount' : [ 0x28, ['unsigned long']], 'WriteBurstCount' : [ 0x2c, ['unsigned long']], 
'IgnoreReservationsStartTime' : [ 0x30, ['unsigned long long']], 'ReservationClusterInfo' : [ 0x38, ['_MI_RESERVATION_CLUSTER_INFO']], 'IgnoreReservations' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare' : [ 0x3c, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'Spare1' : [ 0x3e, ['unsigned short']], } ], '_PLATFORM_IDLE_STATE_ACCOUNTING' : [ 0x3e0, { 'CancelCount' : [ 0x0, ['unsigned long']], 'FailureCount' : [ 0x4, ['unsigned long']], 'SuccessCount' : [ 0x8, ['unsigned long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'TotalTime' : [ 0x20, ['unsigned long long']], 'InvalidBucketIndex' : [ 0x28, ['unsigned long']], 'SelectionStatistics' : [ 0x30, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa0, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 
'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, 
end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x30, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'ExpectedWakeReason' : [ 0x2d, ['unsigned char']], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 'Inserted' : [ 0x1c, ['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, 
{ 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PrivateDemandZero' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_2838' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_283a' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2838']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_283a']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned 
long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_284f' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], 
'_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_284f']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_HVIEW_MAP_ENTRY' : [ 0x20, { 'ViewStart' : [ 0x0, ['pointer64', ['void']]], 'IsPinned' : [ 
0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Bcb' : [ 0x8, ['pointer64', ['void']]], 'PinnedPages' : [ 0x10, ['unsigned long long']], 'Size' : [ 0x18, ['unsigned long']], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_POP_COOLING_EXTENSION' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'RequestListHead' : [ 0x10, ['_LIST_ENTRY']], 'Lock' : [ 0x20, ['_POP_RW_LOCK']], 'DeviceObject' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'NotificationEntry' : [ 0x38, ['pointer64', ['void']]], 'Enabled' : [ 0x40, ['unsigned char']], 'ActiveEngaged' : [ 0x41, ['unsigned char']], 'ThrottleLimit' : [ 0x42, ['unsigned char']], 'UpdatingToCurrent' : [ 0x43, ['unsigned char']], 'RemovalFlushEvent' : [ 0x48, ['pointer64', ['_KEVENT']]], 'PnpFlushEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Interface' : [ 0x58, ['_THERMAL_COOLING_INTERFACE']], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_CM_INDEX' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'NameHint' : [ 0x4, ['array', 4, ['unsigned char']]], 'HashKey' : [ 0x4, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 
'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_THERMAL_POLICY' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ThermalStandby' : [ 0x7, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], 'OverThrottled' : [ 0x14, ['unsigned char']], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_RTL_UMS_CONTEXT' : [ 0x520, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 
'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'PrimaryUmsContext' : [ 0x500, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x508, ['unsigned long']], 'KernelYieldCount' : [ 0x50c, ['unsigned long']], 'MixedYieldCount' : [ 0x510, ['unsigned long']], 'YieldCount' : [ 0x514, ['unsigned long']], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_MI_AVAILABLE_PAGE_WAIT_STATES' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'EventSets' : [ 0x18, ['unsigned long']], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, 
native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_COLORED_PAGE_INFO' : [ 0x18, { 'BeingZeroed' : [ 0x0, ['long']], 'Processor' : [ 0x4, ['unsigned long']], 'PagesQueued' : [ 0x8, ['unsigned long long']], 'PfnAllocation' : [ 0x10, ['pointer64', ['_MMPFN']]], } ], '_TRIAGE_9F_POWER' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'IrpList' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'ThreadList' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'DelayedWorkQueue' : [ 0x18, ['pointer64', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_MI_POOL_STATE' : [ 0xf0, { 'MaximumNonPagedPoolThreshold' : [ 0x0, ['unsigned long long']], 'NonPagedPoolSListMaximum' : [ 0x8, ['array', 3, ['unsigned long']]], 'AllocatedNonPagedPool' : [ 0x18, ['unsigned long long']], 'BadPoolHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'PoolFailures' : [ 0x28, 
['array', 3, ['array', 3, ['unsigned long']]]], 'PoolFailureReasons' : [ 0x4c, ['array', 11, ['unsigned long']]], 'LowPagedPoolThreshold' : [ 0x78, ['unsigned long long']], 'HighPagedPoolThreshold' : [ 0x80, ['unsigned long long']], 'PagedPoolSListMaximum' : [ 0x88, ['unsigned long']], 'PreemptiveTrims' : [ 0x8c, ['array', 4, ['unsigned long']]], 'SpecialPagesInUsePeak' : [ 0xa0, ['unsigned long long']], 'SpecialPoolRejected' : [ 0xa8, ['array', 9, ['unsigned long']]], 'SpecialPagesNonPaged' : [ 0xd0, ['unsigned long long']], 'SpecialPoolPdes' : [ 0xd8, ['long']], 'SessionSpecialPoolPdesMax' : [ 0xdc, ['unsigned long']], 'TotalPagedPoolQuota' : [ 0xe0, ['unsigned long long']], 'TotalNonPagedPoolQuota' : [ 0xe8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_POP_POWER_SETTING_VALUES' : [ 0x13c, { 'StructureSize' : [ 0x0, ['unsigned long']], 'PopPolicy' : [ 0x4, ['_SYSTEM_POWER_POLICY']], 'CurrentAcDcPowerState' : [ 0xec, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'AwayModeEnabled' : [ 0xf0, ['unsigned char']], 'AwayModeEngaged' : [ 0xf1, ['unsigned char']], 'AwayModePolicyAllowed' : [ 0xf2, ['unsigned char']], 'AwayModeIgnoreUserPresent' : [ 0xf4, ['long']], 'AwayModeIgnoreAction' : [ 0xf8, ['long']], 'DisableFastS4' : [ 0xfc, ['unsigned char']], 'DisableStandbyStates' : [ 0xfd, ['unsigned char']], 'UnattendSleepTimeout' : [ 0x100, ['unsigned long']], 'DiskIgnoreTime' : [ 0x104, ['unsigned long']], 'DeviceIdlePolicy' : [ 0x108, ['unsigned long']], 'VideoDimTimeout' : [ 0x10c, ['unsigned long']], 'VideoNormalBrightness' : [ 0x110, ['unsigned long']], 'VideoDimBrightness' : [ 0x114, ['unsigned long']], 'AlsOffset' : [ 0x118, ['unsigned long']], 
'AlsEnabled' : [ 0x11c, ['unsigned long']], 'EsBrightness' : [ 0x120, ['unsigned long']], 'SwitchShutdownForced' : [ 0x124, ['unsigned char']], 'SystemCoolingPolicy' : [ 0x128, ['unsigned long']], 'MediaBufferingEngaged' : [ 0x12c, ['unsigned char']], 'OffloadedAudio' : [ 0x12d, ['unsigned char']], 'NonOffloadedAudio' : [ 0x12e, ['unsigned char']], 'FullscreenVideoPlayback' : [ 0x12f, ['unsigned char']], 'EsBatteryThreshold' : [ 0x130, ['unsigned long']], 'EsUserAwaySetting' : [ 0x134, ['unsigned char']], 'WiFiInStandby' : [ 0x138, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned 
long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_28c7' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_28c9' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_28c7']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_28c9']], } ], '_MI_IO_PAGE_STATE' : [ 0x58, { 'IoPfnLock' : [ 0x0, ['unsigned long long']], 'IoPfnRoot' : [ 0x8, ['array', 3, ['_RTL_AVL_TREE']]], 'UnusedCachedMaps' : [ 0x20, ['_LIST_ENTRY']], 'OldestCacheFlushTimeStamp' : [ 0x30, ['unsigned long']], 'IoCacheStats' : [ 0x38, ['_MI_IO_CACHE_STATS']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_VF_AVL_TABLE' : [ 0xc0, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x70, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1e, { 'PerUserPolicy' : [ 0x0, ['array', 30, ['unsigned char']]], } ], '_TRIAGE_POP_FX_DEVICE' : [ 0x38, { 'Link' : [ 
0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x18, ['pointer64', ['_TRIAGE_POP_IRP_DATA']]], 'Status' : [ 0x20, ['long']], 'PowerReqCall' : [ 0x24, ['long']], 'PowerNotReqCall' : [ 0x28, ['long']], 'DeviceNode' : [ 0x30, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], } ], '__unnamed_28e1' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_28e3' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_28e9' : [ 0x10, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], 'OutputInformation' : [ 0x8, ['pointer64', ['_FS_FILTER_SECTION_SYNC_OUTPUT']]], } ], '__unnamed_28ed' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_28ef' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_28e1']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_28e3']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_28e9']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_28ed']], 'Others' : [ 0x0, ['__unnamed_28ef']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x8, { 'Function' : [ 0x0, ['pointer64', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long long']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x70, { 'SelectedCount' : [ 0x0, ['unsigned long long']], 'VetoCount' : [ 0x8, ['unsigned long long']], 'PreVetoCount' : [ 0x10, ['unsigned long long']], 'WrongProcessorCount' : [ 
0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, ['unsigned long long']], 'IdleDurationCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'PlatformOnlyCount' : [ 0x40, ['unsigned long long']], 'InterruptibleCount' : [ 0x48, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x50, ['unsigned long long']], 'CstateCheckCount' : [ 0x58, ['unsigned long long']], 'NoCStateCount' : [ 0x60, ['unsigned long long']], 'CoordinatedDependencyCount' : [ 0x68, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x8, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_MI_PAGE_COMBINE_STATISTICS' : [ 0x28, { 'PagesScannedActive' : [ 0x0, ['unsigned long long']], 'PagesScannedStandby' : [ 0x8, ['unsigned long long']], 'PagesCombined' : [ 0x10, ['unsigned long long']], 'CombineScanCount' : [ 0x18, ['unsigned long']], 'CombinedBlocksInUse' : [ 0x1c, ['long']], 'SumCombinedBlocksReferenceCount' : [ 0x20, ['long']], } ], '__unnamed_28fd' : [ 0x8, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], 'RemoteImageFileObject' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RemoteDataFileObject' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], } ], '_SECTION' : [ 0x40, { 'SectionNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'StartingVpn' : [ 0x18, ['unsigned long long']], 
'EndingVpn' : [ 0x20, ['unsigned long long']], 'u1' : [ 0x28, ['__unnamed_28fd']], 'SizeOfSection' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_16b0']], 'InitialPageProtection' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'SessionId' : [ 0x3c, ['BitField', dict(start_bit = 12, end_bit = 31, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x3c, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_THERMAL_COOLING_INTERFACE' : [ 0x38, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'ActiveCooling' : [ 0x28, ['pointer64', ['void']]], 'PassiveCooling' : [ 0x30, ['pointer64', ['void']]], } ], '_HIVE_WAIT_PACKET' : [ 0x28, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Next' : [ 0x20, ['pointer64', ['_HIVE_WAIT_PACKET']]], } ], '_PROC_PERF_CHECK' : [ 0xc0, { 'LastActive' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'LastStall' : [ 0x10, ['unsigned long long']], 'Snap' : [ 0x18, ['_PROC_PERF_CHECK_SNAP']], 'TempSnap' : [ 0x68, ['_PROC_PERF_CHECK_SNAP']], 'TaggedThreadPercent' : [ 0xb8, ['array', 2, ['unsigned char']]], 'Class0FloorPerfSelection' : [ 0xba, ['unsigned char']], 'Class1MinimumPerfSelection' : [ 0xbb, ['unsigned char']], } ], '__unnamed_290c' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_290e' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_2910' : [ 0x18, { 'Polled' : [ 0x0, 
['__unnamed_290c']], 'Interrupt' : [ 0x0, ['__unnamed_290e']], 'LocalInterrupt' : [ 0x0, ['__unnamed_290e']], 'Sci' : [ 0x0, ['__unnamed_290e']], 'Nmi' : [ 0x0, ['__unnamed_290e']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_2910']], } ], '_POP_HIBER_CONTEXT' : [ 0x1d0, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'VerifyKernelPhaseOnResume' : [ 0x3, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x4, ['unsigned char']], 'InitializationFinished' : [ 0x5, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'HvCaptureReadyBarrier' : [ 0x14, ['long']], 'HvCaptureCompletedBarrier' : [ 0x18, ['long']], 'MapFrozen' : [ 0x1c, ['unsigned char']], 'DiscardMap' : [ 0x20, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x20, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x30, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x40, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x50, ['unsigned long']], 'ClonedPageCount' : [ 0x58, ['unsigned long long']], 'CurrentMap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x68, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x70, ['unsigned long long']], 'LoaderMdl' : [ 0x78, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x80, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x88, ['unsigned long long']], 'IoPages' : [ 0x90, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x98, ['unsigned long']], 'CurrentMcb' : [ 0xa0, ['pointer64', ['void']]], 'DumpStack' : [ 0xa8, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xb0, ['pointer64', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0xb8, ['unsigned long']], 'Status' : [ 0xbc, ['long']], 'GraphicsProc' : [ 0xc0, ['unsigned long']], 'MemoryImage' : [ 0xc8, 
['pointer64', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0xd0, ['pointer64', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0xd8, ['pointer64', ['_MDL']]], 'SiLogOffset' : [ 0xe0, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0xe8, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0xf0, ['pointer64', ['void']]], 'ResumeContext' : [ 0xf8, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x100, ['unsigned long']], 'SecurePages' : [ 0x104, ['unsigned long']], 'ProcessorCount' : [ 0x108, ['unsigned long']], 'ProcessorContext' : [ 0x110, ['pointer64', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0x118, ['pointer64', ['unsigned char']]], 'ProdConsSize' : [ 0x120, ['unsigned long']], 'MaxDataPages' : [ 0x124, ['unsigned long']], 'ExtraBuffer' : [ 0x128, ['pointer64', ['void']]], 'ExtraBufferSize' : [ 0x130, ['unsigned long long']], 'ExtraMapVa' : [ 0x138, ['pointer64', ['void']]], 'BitlockerKeyPFN' : [ 0x140, ['unsigned long long']], 'IoInfo' : [ 0x148, ['_POP_IO_INFO']], 'IoChecksums' : [ 0x1b8, ['pointer64', ['unsigned short']]], 'IoChecksumsSize' : [ 0x1c0, ['unsigned long long']], 'HardwareConfigurationSignature' : [ 0x1c8, ['unsigned long']], 'IumEnabled' : [ 0x1cc, ['unsigned char']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 
'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_POP_FX_PERF_INFO' : [ 0xa0, { 'Component' : [ 0x0, ['pointer64', ['_POP_FX_COMPONENT']]], 'CompletedEvent' : [ 0x8, ['_KEVENT']], 'ComponentPerfState' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['_POP_FX_PERF_FLAGS']], 'LastChange' : [ 0x30, ['pointer64', ['_PO_FX_PERF_STATE_CHANGE']]], 'LastChangeCount' : [ 0x38, ['unsigned long']], 'LastChangeStamp' : [ 0x40, ['unsigned long long']], 'LastChangeNominal' : [ 0x48, ['unsigned char']], 'PepRegistered' : [ 0x49, ['unsigned char']], 'QueryOnIdleStates' : [ 0x4a, ['unsigned char']], 'RequestDriverContext' : [ 0x50, ['pointer64', ['void']]], 'WorkOrder' : [ 0x58, ['_POP_FX_WORK_ORDER']], 'SetsCount' : [ 0x90, ['unsigned long']], 'Sets' : [ 0x98, ['pointer64', ['_POP_FX_PERF_SET']]], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_HAL_CHANNEL_MEMORY_RANGES' : [ 0x10, { 'PageFrameIndex' : [ 0x0, ['unsigned long long']], 'MpnId' : [ 0x8, ['unsigned short']], 'Node' : [ 0xa, ['unsigned short']], 'Channel' : [ 0xc, ['unsigned short']], 'IsPowerManageable' : [ 0xe, ['unsigned char']], 'DeepPowerState' : [ 0xf, ['unsigned char']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x178, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x108, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x110, ['pointer64', ['void']]], 'PointersLength' : [ 0x118, ['unsigned long']], 'ModulePrefix' : [ 0x120, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0x128, 
['_LIST_ENTRY']], 'InitMsg' : [ 0x138, ['_STRING']], 'ProgMsg' : [ 0x148, ['_STRING']], 'DoneMsg' : [ 0x158, ['_STRING']], 'FileObject' : [ 0x168, ['pointer64', ['void']]], 'UsageType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0x18, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x8, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x48, { 'InitiatingThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ThreadId' : [ 0x10, ['pointer64', ['void']]], 'ProcessId' : [ 0x18, ['pointer64', ['void']]], 'Code' : [ 0x20, ['unsigned long']], 'Parameter1' : [ 0x28, ['unsigned long long']], 'Parameter2' : [ 0x30, ['unsigned long long']], 'Parameter3' : [ 0x38, ['unsigned long long']], 'Parameter4' : [ 0x40, ['unsigned long long']], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned 
char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_FS_FILTER_SECTION_SYNC_OUTPUT' : [ 0x10, { 'StructureSize' : [ 0x0, ['unsigned long']], 'SizeReturned' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DesiredReadAlignment' : [ 0xc, ['unsigned long']], } ], '_HVIEW_MAP_PIN_LOG_ENTRY' : [ 0x48, { 'ViewOffset' : [ 0x0, ['unsigned long']], 'Pinned' : [ 0x4, ['unsigned char']], 'PinMask' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Stack' : [ 0x18, ['array', 6, ['pointer64', ['void']]]], } ], '__unnamed_2950' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_2950']], } ], '__unnamed_2954' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2954']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_MI_FILE_EXTENTS_WAIT_BLOCK' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_FILE_EXTENTS_WAIT_BLOCK']]], 'Gate' : [ 0x8, ['_KGATE']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 
'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_KSCHEDULING_GROUP_POLICY' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long']], 'Weight' : [ 0x0, ['unsigned short']], 'MinRate' : [ 0x0, ['unsigned short']], 'MaxRate' : [ 0x2, ['unsigned short']], 'AllFlags' : [ 0x4, ['unsigned long']], 'Type' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare1' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], 'PO_MEMORY_IMAGE' : [ 0x3b0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long long']], 'HiberFlags' : [ 0x38, ['unsigned char']], 'spare' : [ 0x39, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x3c, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'NumPagesForLoader' : [ 0x58, ['unsigned long long']], 'FirstSecureRestorePage' : [ 0x60, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x68, ['unsigned long long']], 'FirstKernelRestorePage' : [ 0x70, ['unsigned long long']], 'FirstChecksumRestorePage' : [ 0x78, ['unsigned long long']], 'NoChecksumEntries' : [ 0x80, ['unsigned long long']], 'PerfInfo' : [ 0x88, 
['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x268, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x270, ['array', 1, ['unsigned long long']]], 'SiLogOffset' : [ 0x278, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x27c, ['unsigned long']], 'BootLoaderLogPages' : [ 0x280, ['array', 24, ['unsigned long long']]], 'NotUsed' : [ 0x340, ['unsigned long']], 'ResumeContextCheck' : [ 0x344, ['unsigned long']], 'ResumeContextPages' : [ 0x348, ['unsigned long']], 'Hiberboot' : [ 0x34c, ['unsigned char']], 'HvCr3' : [ 0x350, ['unsigned long long']], 'HvEntryPoint' : [ 0x358, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x360, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x368, ['unsigned long long']], 'BootFlags' : [ 0x370, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x378, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x380, ['unsigned long long']], 'BitlockerKeyPfns' : [ 0x388, ['array', 4, ['unsigned long long']]], 'HardwareSignature' : [ 0x3a8, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x18, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned short']], 'Flags' : [ 0x16, ['unsigned short']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x1e0, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'HiberChecksumTicks' : [ 0x30, ['unsigned long long']], 'HiberChecksumIoTicks' : [ 0x38, ['unsigned long long']], 'TotalHibernateTime' : [ 0x40, 
['_LARGE_INTEGER']], 'POSTTime' : [ 0x48, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x4c, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x50, ['unsigned long']], 'ResumeAppTicks' : [ 0x58, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x60, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x68, ['unsigned long long']], 'ResumeInitTicks' : [ 0x70, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x78, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x80, ['unsigned long long']], 'ResumeIoTicks' : [ 0x88, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x90, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0x98, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0xa0, ['unsigned long long']], 'ResumeMapTicks' : [ 0xa8, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xb0, ['unsigned long long']], 'ResumeChecksumTicks' : [ 0xb8, ['unsigned long long']], 'ResumeChecksumIoTicks' : [ 0xc0, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xc8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xd0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xd8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xe0, ['unsigned long long']], 'HalTscOffset' : [ 0xe8, ['unsigned long long']], 'HvlTscOffset' : [ 0xf0, ['unsigned long long']], 'SleeperThreadEnd' : [ 0xf8, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0x100, ['unsigned long long']], 'IoBoundedness' : [ 0x108, ['unsigned long long']], 'KernelDecompressTicks' : [ 0x110, ['unsigned long long']], 'KernelIoTicks' : [ 0x118, ['unsigned long long']], 'KernelCopyTicks' : [ 0x120, ['unsigned long long']], 'ReadCheckCount' : [ 0x128, ['unsigned long long']], 'KernelInitTicks' : [ 0x130, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x138, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x140, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x148, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x150, ['unsigned 
long long']], 'KernelChecksumTicks' : [ 0x158, ['unsigned long long']], 'KernelChecksumIoTicks' : [ 0x160, ['unsigned long long']], 'AnimationStart' : [ 0x168, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x170, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x178, ['unsigned long']], 'SecurePagesProcessed' : [ 0x180, ['unsigned long long']], 'BootPagesProcessed' : [ 0x188, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x190, ['unsigned long long']], 'BootBytesWritten' : [ 0x198, ['unsigned long long']], 'KernelBytesWritten' : [ 0x1a0, ['unsigned long long']], 'BootPagesWritten' : [ 0x1a8, ['unsigned long long']], 'KernelPagesWritten' : [ 0x1b0, ['unsigned long long']], 'BytesWritten' : [ 0x1b8, ['unsigned long long']], 'PagesWritten' : [ 0x1c0, ['unsigned long']], 'FileRuns' : [ 0x1c4, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x1c8, ['unsigned long']], 'MaxHuffRatio' : [ 0x1cc, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x1d0, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1d8, ['unsigned long long']], } ], '_MI_QUEUED_DEADSTACK_WORKITEM' : [ 0x28, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Active' : [ 0x20, ['long']], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_MMINPAGE_SUPPORT_FLOW_THROUGH' : [ 0x38, { 'Page' : [ 0x0, ['array', 1, ['unsigned long long']]], 'InitialInPageSupport' : [ 0x8, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'PagingFile' : [ 0x10, ['pointer64', ['_MMPAGING_FILE']]], 
'PageFileOffset' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['_RTL_BALANCED_NODE']], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x80, { 'UncompressedData' : [ 0x0, ['pointer64', ['unsigned char']]], 'MappingVa' : [ 0x8, ['pointer64', ['void']]], 'XpressEncodeWorkspace' : [ 0x10, ['pointer64', ['void']]], 'CompressedDataBuffer' : [ 0x18, ['pointer64', ['unsigned char']]], 'CopyTicks' : [ 0x20, ['unsigned long long']], 'CompressTicks' : [ 0x28, ['unsigned long long']], 'BytesCopied' : [ 0x30, ['unsigned long long']], 'PagesProcessed' : [ 0x38, ['unsigned long long']], 'DecompressTicks' : [ 0x40, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x48, ['unsigned long long']], 'SharedBufferTicks' : [ 0x50, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x68, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x78, ['unsigned long']], 'HuffCompressCount' : [ 0x7c, ['unsigned long']], } ], '_IO_REMOVE_LOCK' : [ 0x20, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_MI_DYNAMIC_BITMAP' : [ 0x50, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP_EX']], 'MaximumSize' : [ 0x10, ['unsigned long long']], 'Hint' : [ 0x18, ['unsigned long long']], 'BaseVa' : [ 0x20, ['pointer64', ['void']]], 'SizeTopDown' : [ 0x28, ['unsigned long long']], 'HintTopDown' : [ 0x30, ['unsigned long long']], 'BaseVaTopDown' : [ 0x38, ['pointer64', ['void']]], 'SpinLock' : [ 0x40, ['unsigned long long']], 'Vm' : [ 0x48, ['pointer64', ['_MMSUPPORT']]], } ], '_POP_IO_INFO' : [ 0x70, { 'DumpMdl' : [ 0x0, ['pointer64', ['_MDL']]], 'IoStatus' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x10, ['unsigned long long']], 'IoBytesCompleted' : [ 0x18, ['unsigned long long']], 'IoBytesInProgress' : [ 0x20, ['unsigned long long']], 'RequestSize' : [ 0x28, ['unsigned long long']], 'IoLocation' : [ 0x30, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x38, 
['unsigned long long']], 'Buffer' : [ 0x40, ['pointer64', ['void']]], 'AsyncCapable' : [ 0x48, ['unsigned char']], 'BytesToRead' : [ 0x50, ['unsigned long long']], 'Pages' : [ 0x58, ['unsigned long']], 'HighestChecksumIndex' : [ 0x60, ['unsigned long long']], 'PreviousChecksum' : [ 0x68, ['unsigned short']], } ], '_LDRP_CSLIST' : [ 0x8, { 'Tail' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_NON_PAGED_DEBUG_INFO' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Machine' : [ 0x8, ['unsigned short']], 'Characteristics' : [ 0xa, ['unsigned short']], 'TimeDateStamp' : [ 0xc, ['unsigned long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'SizeOfImage' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], } ], '_POP_FX_PERF_SET' : [ 0x20, { 'PerfSet' : [ 0x0, ['pointer64', ['_PO_FX_COMPONENT_PERF_SET']]], 'CurrentPerf' : [ 0x8, ['unsigned long long']], 'CurrentPerfStamp' : [ 0x10, ['unsigned long long']], 'CurrentPerfNominal' : [ 0x18, ['unsigned char']], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, 
end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LeakedPoolDeliberately' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '__unnamed_2993' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2995' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_2998' : [ 0x8, { 'IntrInfo' : [ 
0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_299c' : [ 0x4, { 'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x50, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x18, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x28, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x38, ['__unnamed_2993']], 'XapicMessage' : [ 0x40, ['__unnamed_2995']], 'Hypertransport' : [ 0x40, ['__unnamed_2998']], 'GenericMessage' : [ 0x40, ['__unnamed_2995']], 'MessageRequest' : [ 0x40, ['__unnamed_299c']], } ], '_MMPAGE_FILE_EXPANSION_FLAGS' : [ 0x4, { 'PageFileNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'IgnoreCurrentCommit' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreaseMinimumSize' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare3' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : 
[ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '__unnamed_29aa' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['pointer64', ['_PO_FX_PERF_STATE']]], } ], '__unnamed_29ac' : [ 0x10, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], } ], '_PO_FX_COMPONENT_PERF_SET' : [ 0x30, { 'Name' : [ 0x0, ['_UNICODE_STRING']], 'Flags' : [ 0x10, ['unsigned long long']], 'Unit' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateUnitOther', 1: 'PoFxPerfStateUnitFrequency', 2: 'PoFxPerfStateUnitBandwidth', 3: 'PoFxPerfStateUnitMaximum'})]], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateTypeDiscrete', 1: 'PoFxPerfStateTypeRange', 2: 'PoFxPerfStateTypeMaximum'})]], 'Discrete' : [ 0x20, ['__unnamed_29aa']], 'Range' : [ 0x20, ['__unnamed_29ac']], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_29bd' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_29bf' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_29c1' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_29bd']], 'Gpt' : [ 0x0, ['__unnamed_29bf']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x108, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, 
['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MarkMemoryOnly' : [ 0x69, ['unsigned char']], 'HiberResume' : [ 0x6a, ['unsigned char']], 'Reserved1' : [ 0x6b, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_29c1']], 'ReadRoutine' : [ 0xa0, ['pointer64', ['void']]], 'GetDriveTelemetryRoutine' : [ 0xa8, ['pointer64', ['void']]], 'LogSectionTruncateSize' : [ 0xb0, ['unsigned long']], 'Parameters' : [ 0xb4, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DumpNotifyRoutine' : [ 0x100, ['pointer64', ['void']]], } ], '_MI_IO_CACHE_STATS' : [ 0x20, { 'UnusedBlocks' : [ 0x0, ['unsigned long long']], 'ActiveCacheMatch' : [ 0x8, ['unsigned long']], 'ActiveCacheOverride' : [ 0xc, ['unsigned long']], 'UnmappedCacheFlush' : [ 0x10, ['unsigned long']], 'UnmappedCacheMatch' : [ 0x14, ['unsigned long']], 'UnmappedCacheConflict' : [ 0x18, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '_ETW_QUEUE_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x10, ['pointer64', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0x18, ['pointer64', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x20, ['pointer64', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x28, ['pointer64', ['void']]], 'RegIndex' : [ 0x30, ['unsigned short']], 'ReplyIndex' : [ 0x32, ['unsigned short']], 'Flags' : [ 0x34, ['unsigned 
long']], } ], '_MI_RESERVATION_CLUSTER_INFO' : [ 0x4, { 'ClusterSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'EntireInfo' : [ 0x0, ['long']], } ], '_TRIAGE_POP_IRP_DATA' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_KDPC_LIST' : [ 0x10, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x178, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x20, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer64', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '__unnamed_29f6' : [ 0x4, { 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_29f8' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_29f6']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_29fb' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_29fd' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_29fb']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, ['__unnamed_29f8']], 'HighPart' : [ 0x4, ['__unnamed_29fd']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long 
long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_PROC_PERF_CHECK_SNAP' : [ 0x50, { 'Time' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned long long']], 'Stall' : [ 0x10, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x18, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledKernelActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], 'TaggedThreadCycles' : [ 0x40, ['array', 2, ['unsigned long long']]], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_PO_FX_PERF_STATE_CHANGE' : [ 0x10, { 'Set' : [ 0x0, ['unsigned long']], 'StateIndex' : [ 0x8, ['unsigned long']], 'StateValue' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2a0d' : [ 0x8, { 'MessageAddressLow' : [ 0x0, ['unsigned long']], 'MessageData' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], } ], '__unnamed_2a0f' : [ 0x8, { 'RemappedFormat' : [ 0x0, ['_ULARGE_INTEGER']], 'Msi' : [ 0x0, ['__unnamed_2a0d']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_2a0f']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', 
['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_PO_FX_PERF_STATE' : [ 0x10, { 'Value' : [ 0x0, ['unsigned long long']], 'Context' : [ 0x8, ['pointer64', ['void']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win2003_sp2_x64_vtypes.py0000644000000000000000000122370613131215405030742 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_1015' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1015']], 'QuadPart' : [ 0x0, ['unsigned long long']], } 
], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '__unnamed_1026' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1026']], 'QuadPart' : [ 0x0, ['long long']], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_KPRCB' : [ 0x2480, { 'MxCsr' : [ 0x0, ['unsigned long']], 'Number' : [ 0x4, ['unsigned char']], 'NestingLevel' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'UserRsp' : [ 0x20, ['unsigned long long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'SetMember' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'InitialApicId' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned 
long']], 'CFlushSize' : [ 0x644, ['unsigned char']], 'PrcbPad0x' : [ 0x645, ['array', 3, ['unsigned char']]], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'PrcbPad00' : [ 0x650, ['array', 4, ['unsigned long long']]], 'LockQueue' : [ 0x670, ['array', 33, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x880, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x980, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PPPagedLookasideList' : [ 0xb80, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PacketBarrier' : [ 0xd80, ['unsigned long long']], 'DeferredReadyListHead' : [ 0xd88, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0xd90, ['long']], 'MmCopyOnWriteCount' : [ 0xd94, ['long']], 'MmTransitionCount' : [ 0xd98, ['long']], 'MmCacheTransitionCount' : [ 0xd9c, ['long']], 'MmDemandZeroCount' : [ 0xda0, ['long']], 'MmPageReadCount' : [ 0xda4, ['long']], 'MmPageReadIoCount' : [ 0xda8, ['long']], 'MmCacheReadCount' : [ 0xdac, ['long']], 'MmCacheIoCount' : [ 0xdb0, ['long']], 'MmDirtyPagesWriteCount' : [ 0xdb4, ['long']], 'MmDirtyWriteIoCount' : [ 0xdb8, ['long']], 'MmMappedPagesWriteCount' : [ 0xdbc, ['long']], 'MmMappedWriteIoCount' : [ 0xdc0, ['long']], 'LookasideIrpFloat' : [ 0xdc4, ['long']], 'KeSystemCalls' : [ 0xdc8, ['unsigned long']], 'IoReadOperationCount' : [ 0xdcc, ['long']], 'IoWriteOperationCount' : [ 0xdd0, ['long']], 'IoOtherOperationCount' : [ 0xdd4, ['long']], 'IoReadTransferCount' : [ 0xdd8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0xde0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0xde8, ['_LARGE_INTEGER']], 'KeContextSwitches' : [ 0xdf0, ['unsigned long']], 'PrcbPad2' : [ 0xdf4, ['array', 12, ['unsigned char']]], 'TargetSet' : [ 0xe00, ['unsigned long long']], 'IpiFrozen' : [ 0xe08, ['unsigned long']], 'PrcbPad3' : [ 0xe0c, ['array', 116, ['unsigned char']]], 'RequestMailbox' : [ 0xe80, ['array', 64, ['_REQUEST_MAILBOX']]], 'SenderSummary' : [ 0x1e80, ['unsigned long long']], 'PrcbPad4' : [ 0x1e88, ['array', 120, ['unsigned 
char']]], 'DpcData' : [ 0x1f00, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1f40, ['pointer64', ['void']]], 'SavedRsp' : [ 0x1f48, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x1f50, ['long']], 'DpcRequestRate' : [ 0x1f54, ['unsigned long']], 'MinimumDpcRate' : [ 0x1f58, ['unsigned long']], 'DpcInterruptRequested' : [ 0x1f5c, ['unsigned char']], 'DpcThreadRequested' : [ 0x1f5d, ['unsigned char']], 'DpcRoutineActive' : [ 0x1f5e, ['unsigned char']], 'DpcThreadActive' : [ 0x1f5f, ['unsigned char']], 'TimerHand' : [ 0x1f60, ['unsigned long long']], 'TimerRequest' : [ 0x1f60, ['unsigned long long']], 'TickOffset' : [ 0x1f68, ['long']], 'MasterOffset' : [ 0x1f6c, ['long']], 'DpcLastCount' : [ 0x1f70, ['unsigned long']], 'ThreadDpcEnable' : [ 0x1f74, ['unsigned char']], 'QuantumEnd' : [ 0x1f75, ['unsigned char']], 'PrcbPad50' : [ 0x1f76, ['unsigned char']], 'IdleSchedule' : [ 0x1f77, ['unsigned char']], 'DpcSetEventRequest' : [ 0x1f78, ['long']], 'PrcbPad40' : [ 0x1f7c, ['long']], 'DpcThread' : [ 0x1f80, ['pointer64', ['void']]], 'DpcEvent' : [ 0x1f88, ['_KEVENT']], 'CallDpc' : [ 0x1fa0, ['_KDPC']], 'PrcbPad7' : [ 0x1fe0, ['array', 4, ['unsigned long long']]], 'WaitListHead' : [ 0x2000, ['_LIST_ENTRY']], 'ReadySummary' : [ 0x2010, ['unsigned long']], 'QueueIndex' : [ 0x2014, ['unsigned long']], 'DispatcherReadyListHead' : [ 0x2018, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x2218, ['unsigned long']], 'KernelTime' : [ 0x221c, ['unsigned long']], 'UserTime' : [ 0x2220, ['unsigned long']], 'DpcTime' : [ 0x2224, ['unsigned long']], 'InterruptTime' : [ 0x2228, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x222c, ['unsigned long']], 'SkipTick' : [ 0x2230, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x2231, ['unsigned char']], 'PollSlot' : [ 0x2232, ['unsigned char']], 'PrcbPad8' : [ 0x2233, ['array', 13, ['unsigned char']]], 'ParentNode' : [ 0x2240, ['pointer64', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x2248, ['unsigned long long']], 
'MultiThreadSetMaster' : [ 0x2250, ['pointer64', ['_KPRCB']]], 'Sleeping' : [ 0x2258, ['long']], 'PrcbPad90' : [ 0x225c, ['array', 1, ['unsigned long']]], 'DebugDpcTime' : [ 0x2260, ['unsigned long']], 'PageColor' : [ 0x2264, ['unsigned long']], 'NodeColor' : [ 0x2268, ['unsigned long']], 'NodeShiftedColor' : [ 0x226c, ['unsigned long']], 'SecondaryColorMask' : [ 0x2270, ['unsigned long']], 'PrcbPad9' : [ 0x2274, ['array', 12, ['unsigned char']]], 'CcFastReadNoWait' : [ 0x2280, ['unsigned long']], 'CcFastReadWait' : [ 0x2284, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x2288, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x228c, ['unsigned long']], 'CcCopyReadWait' : [ 0x2290, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x2294, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x2298, ['unsigned long']], 'KeDcacheFlushCount' : [ 0x229c, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x22a0, ['unsigned long']], 'KeFirstLevelTbFills' : [ 0x22a4, ['unsigned long']], 'KeFloatingEmulationCount' : [ 0x22a8, ['unsigned long']], 'KeIcacheFlushCount' : [ 0x22ac, ['unsigned long']], 'KeSecondLevelTbFills' : [ 0x22b0, ['unsigned long']], 'VendorString' : [ 0x22b4, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x22c1, ['array', 2, ['unsigned char']]], 'FeatureBits' : [ 0x22c4, ['unsigned long']], 'UpdateSignature' : [ 0x22c8, ['_LARGE_INTEGER']], 'PowerState' : [ 0x22d0, ['_PROCESSOR_POWER_STATE']], 'Cache' : [ 0x2440, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x247c, ['unsigned long']], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned char']], 'Expedite' : [ 0x3, ['unsigned char']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', 
['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x200, { 'XmmSaveArea' : [ 0x0, ['_XMM_SAVE_AREA32']], 'Fill' : [ 0x0, ['array', 432, ['unsigned char']]], 'Current' : [ 0x1b0, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x1d8, ['_KERNEL_STACK_SEGMENT']], } ], '_KTHREAD' : [ 0x308, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListHead' : [ 0x18, ['_LIST_ENTRY']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'ApcState' : [ 0x48, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x48, ['array', 43, ['unsigned char']]], 'ApcQueueable' : [ 0x73, ['unsigned char']], 'NextProcessor' : [ 0x74, ['unsigned char']], 'DeferredProcessor' : [ 0x75, ['unsigned char']], 'AdjustReason' : [ 0x76, ['unsigned char']], 'AdjustIncrement' : [ 0x77, ['unsigned char']], 'ApcQueueLock' : [ 0x78, ['unsigned long long']], 'WaitStatus' : [ 0x80, ['long long']], 'WaitBlockList' : [ 0x88, ['pointer64', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x88, ['pointer64', ['_KGATE']]], 'Alertable' : [ 0x90, ['unsigned char']], 'WaitNext' : [ 0x91, ['unsigned char']], 'WaitReason' : [ 0x92, ['unsigned char']], 'Priority' : [ 0x93, ['unsigned char']], 'EnableStackSwap' : [ 0x94, ['unsigned char']], 'SwapBusy' : [ 0x95, ['unsigned char']], 'Alerted' : [ 0x96, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x98, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x98, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa8, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb0, ['pointer64', ['void']]], 'Timer' : [ 0xb8, ['_KTIMER']], 'TimerFill' : [ 0xb8, ['array', 60, ['unsigned char']]], 'AutoAlignment' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'GuiThread' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ReservedFlags' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xf4, ['long']], 'WaitBlock' : [ 0xf8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xf8, ['array', 43, ['unsigned char']]], 'SystemAffinityActive' : [ 0x123, ['unsigned char']], 'WaitBlockFill1' : [ 0xf8, ['array', 91, ['unsigned char']]], 'PreviousMode' : [ 0x153, ['unsigned char']], 'WaitBlockFill2' : [ 0xf8, ['array', 139, ['unsigned char']]], 'ResourceIndex' : [ 0x183, ['unsigned char']], 'WaitBlockFill3' : [ 0xf8, ['array', 187, ['unsigned char']]], 'LargeStack' : [ 0x1b3, ['unsigned char']], 'WaitBlockFill4' : [ 0xf8, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x124, ['unsigned long']], 'WaitBlockFill5' : [ 0xf8, ['array', 92, ['unsigned char']]], 'State' : [ 0x154, ['unsigned char']], 'NpxState' : [ 0x155, ['unsigned char']], 'WaitIrql' : [ 0x156, ['unsigned char']], 'WaitMode' : [ 0x157, ['unsigned char']], 'WaitBlockFill6' : [ 0xf8, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x184, ['unsigned long']], 'WaitBlockFill7' : [ 0xf8, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1b4, ['short']], 'SpecialApcDisable' : [ 0x1b6, ['short']], 'CombinedApcDisable' : [ 0x1b4, ['unsigned long']], 'QueueListEntry' : [ 0x1b8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1c8, ['pointer64', ['_KTRAP_FRAME']]], 'CallbackStack' : [ 0x1d0, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x1d8, ['unsigned char']], 'IdealProcessor' : [ 0x1d9, ['unsigned char']], 'Preempted' : [ 0x1da, ['unsigned char']], 'ProcessReadyQueue' : [ 0x1db, ['unsigned char']], 'KernelStackResident' : [ 0x1dc, ['unsigned char']], 'BasePriority' : [ 0x1dd, ['unsigned char']], 'PriorityDecrement' : [ 0x1de, ['unsigned char']], 'Saturation' : [ 0x1df, ['unsigned char']], 'UserAffinity' : [ 0x1e0, ['unsigned long long']], 'Process' : [ 0x1e8, 
['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x1f0, ['unsigned long long']], 'ApcStatePointer' : [ 0x1f8, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x208, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x208, ['array', 43, ['unsigned char']]], 'FreezeCount' : [ 0x233, ['unsigned char']], 'SuspendCount' : [ 0x234, ['unsigned char']], 'UserIdealProcessor' : [ 0x235, ['unsigned char']], 'CalloutActive' : [ 0x236, ['unsigned char']], 'CodePatchInProgress' : [ 0x237, ['unsigned char']], 'Win32Thread' : [ 0x238, ['pointer64', ['void']]], 'StackBase' : [ 0x240, ['pointer64', ['void']]], 'SuspendApc' : [ 0x248, ['_KAPC']], 'SuspendApcFill0' : [ 0x248, ['array', 1, ['unsigned char']]], 'Quantum' : [ 0x249, ['unsigned char']], 'SuspendApcFill1' : [ 0x248, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x24b, ['unsigned char']], 'SuspendApcFill2' : [ 0x248, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x24c, ['unsigned long']], 'SuspendApcFill3' : [ 0x248, ['array', 64, ['unsigned char']]], 'TlsArray' : [ 0x288, ['pointer64', ['void']]], 'SuspendApcFill4' : [ 0x248, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x290, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x248, ['array', 83, ['unsigned char']]], 'PowerState' : [ 0x29b, ['unsigned char']], 'UserTime' : [ 0x29c, ['unsigned long']], 'SuspendSemaphore' : [ 0x2a0, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2a0, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2bc, ['unsigned long']], 'ThreadListEntry' : [ 0x2c0, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x2d0, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x2d8, ['long long']], 'WriteOperationCount' : [ 0x2e0, ['long long']], 'OtherOperationCount' : [ 0x2e8, ['long long']], 'ReadTransferCount' : [ 0x2f0, ['long long']], 'WriteTransferCount' : [ 0x2f8, ['long long']], 'OtherTransferCount' : [ 0x300, ['long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : 
[ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, 
['array', 2, ['unsigned long']]], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_ETHREAD' : [ 0x410, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 
0x308, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x310, ['_LARGE_INTEGER']], 'LpcReplyChain' : [ 0x310, ['_LIST_ENTRY']], 'KeyedWaitChain' : [ 0x310, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x320, ['long']], 'OfsChain' : [ 0x320, ['pointer64', ['void']]], 'PostBlockList' : [ 0x328, ['_LIST_ENTRY']], 'TerminationPort' : [ 0x338, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x338, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x338, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x340, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x348, ['_LIST_ENTRY']], 'Cid' : [ 0x358, ['_CLIENT_ID']], 'LpcReplySemaphore' : [ 0x368, ['_KSEMAPHORE']], 'KeyedWaitSemaphore' : [ 0x368, ['_KSEMAPHORE']], 'LpcReplyMessage' : [ 0x388, ['pointer64', ['void']]], 'LpcWaitingOnPort' : [ 0x388, ['pointer64', ['void']]], 'ImpersonationInfo' : [ 0x390, ['pointer64', ['_PS_IMPERSONATION_INFORMATION']]], 'IrpList' : [ 0x398, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3a8, ['unsigned long long']], 'DeviceToVerify' : [ 0x3b0, ['pointer64', ['_DEVICE_OBJECT']]], 'ThreadsProcess' : [ 0x3b8, ['pointer64', ['_EPROCESS']]], 'StartAddress' : [ 0x3c0, ['pointer64', ['void']]], 'Win32StartAddress' : [ 0x3c8, ['pointer64', ['void']]], 'LpcReceivedMessageId' : [ 0x3c8, ['unsigned long']], 'ThreadListEntry' : [ 0x3d0, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x3e0, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x3e8, ['_EX_PUSH_LOCK']], 'LpcReplyMessageId' : [ 0x3f0, ['unsigned long']], 'ReadClusterSize' : [ 0x3f4, ['unsigned long']], 'GrantedAccess' : [ 0x3f8, ['unsigned long']], 'CrossThreadFlags' : [ 0x3fc, ['unsigned long']], 'Terminated' : [ 0x3fc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeadThread' : [ 0x3fc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x3fc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x3fc, ['BitField', dict(start_bit = 3, 
end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x3fc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x3fc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x3fc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x3fc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x3fc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x400, ['unsigned long']], 'ActiveExWorker' : [ 0x400, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x400, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x400, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x400, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x404, ['unsigned long']], 'LpcReceivedMsgIdValid' : [ 0x404, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'LpcExitThreadCalled' : [ 0x404, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'AddressSpaceOwner' : [ 0x404, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x404, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x404, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x404, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x404, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x404, ['BitField', 
dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x405, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ApcNeeded' : [ 0x405, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ForwardClusterOnly' : [ 0x408, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x409, ['unsigned char']], 'ActiveFaultCount' : [ 0x40a, ['unsigned char']], } ], '_EPROCESS' : [ 0x3e0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xc0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xc8, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xd0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xd8, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0xe0, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xf0, ['array', 3, ['unsigned long long']]], 'QuotaPeak' : [ 0x108, ['array', 3, ['unsigned long long']]], 'CommitCharge' : [ 0x120, ['unsigned long long']], 'PeakVirtualSize' : [ 0x128, ['unsigned long long']], 'VirtualSize' : [ 0x130, ['unsigned long long']], 'SessionProcessLinks' : [ 0x138, ['_LIST_ENTRY']], 'DebugPort' : [ 0x148, ['pointer64', ['void']]], 'ExceptionPort' : [ 0x150, ['pointer64', ['void']]], 'ObjectTable' : [ 0x158, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x160, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x168, ['unsigned long long']], 'AddressCreationLock' : [ 0x170, ['_KGUARDED_MUTEX']], 'HyperSpaceLock' : [ 0x1a8, ['unsigned long long']], 'ForkInProgress' : [ 0x1b0, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x1b8, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x1c0, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x1c8, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x1d0, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x1d8, ['unsigned long long']], 'Win32Process' : [ 0x1e0, ['pointer64', ['void']]], 'Job' : [ 0x1e8, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x1f0, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 
0x1f8, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x200, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x208, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x210, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x218, ['pointer64', ['void']]], 'LdtInformation' : [ 0x220, ['pointer64', ['void']]], 'VadFreeHint' : [ 0x228, ['pointer64', ['void']]], 'VdmObjects' : [ 0x230, ['pointer64', ['void']]], 'DeviceMap' : [ 0x238, ['pointer64', ['void']]], 'Spare0' : [ 0x240, ['array', 3, ['pointer64', ['void']]]], 'PageDirectoryPte' : [ 0x258, ['_HARDWARE_PTE']], 'Filler' : [ 0x258, ['unsigned long long']], 'Session' : [ 0x260, ['pointer64', ['void']]], 'ImageFileName' : [ 0x268, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x278, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x288, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x290, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x2a0, ['pointer64', ['void']]], 'Wow64Process' : [ 0x2a8, ['pointer64', ['_WOW64_PROCESS']]], 'ActiveThreads' : [ 0x2b0, ['unsigned long']], 'GrantedAccess' : [ 0x2b4, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x2b8, ['unsigned long']], 'LastThreadExitStatus' : [ 0x2bc, ['long']], 'Peb' : [ 0x2c0, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x2c8, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x2d0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x2d8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x2e0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x2e8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x2f0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x2f8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x300, ['unsigned long long']], 'CommitChargePeak' : [ 0x308, ['unsigned long long']], 'AweInfo' : [ 0x310, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x318, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x320, ['_MMSUPPORT']], 'Spares' : [ 0x378, ['array', 2, ['unsigned long']]], 'ModifiedPageCount' : [ 0x380, ['unsigned long']], 
'JobStatus' : [ 0x384, ['unsigned long']], 'Flags' : [ 0x388, ['unsigned long']], 'CreateReported' : [ 0x388, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x388, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x388, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x388, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x388, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x388, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x388, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x388, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x388, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x388, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x388, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x388, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x388, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SessionCreationUnderway' : [ 0x388, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x388, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x388, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x388, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x388, ['BitField', dict(start_bit = 18, end_bit = 19, 
native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x388, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x388, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x388, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x388, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x388, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x388, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x388, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CreateFailed' : [ 0x388, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x388, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'Spare1' : [ 0x388, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare2' : [ 0x388, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x38c, ['long']], 'NextPageColor' : [ 0x390, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x392, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x393, ['unsigned char']], 'SubSystemVersion' : [ 0x392, ['unsigned short']], 'PriorityClass' : [ 0x394, ['unsigned char']], 'VadRoot' : [ 0x398, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x3d8, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Type' : [ 0x10, ['pointer64', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0x18, ['unsigned char']], 'HandleInfoOffset' : [ 0x19, ['unsigned char']], 'QuotaInfoOffset' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, 
['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'QueryReferences' : [ 0x18, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_TYPE' : [ 0x2c0, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x68, ['_LIST_ENTRY']], 'Name' : [ 0x78, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x88, ['pointer64', ['void']]], 'Index' : [ 0x90, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x94, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x98, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x9c, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0xa0, ['unsigned long']], 'TypeInfo' : [ 0xa8, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0x118, ['unsigned 
long']], 'ObjectLocks' : [ 0x120, ['array', 4, ['_ERESOURCE']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '__unnamed_115f' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'HardLarge' : [ 0x0, ['_MMPTE_HARDWARE_LARGEPAGE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_115f']], } ], '__unnamed_116a' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'ReadStatus' : [ 0x0, ['long']], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_116c' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_116f' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1171' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_116f']], } ], '__unnamed_1179' : [ 0x8, { 'EntireFrame' : [ 0x0, ['unsigned long long']], 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 57, native_type='unsigned long long')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 
'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 60, native_type='unsigned long long')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 63, native_type='unsigned long long')]], 'MustBeCached' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_116a']], 'PteAddress' : [ 0x8, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x10, ['__unnamed_116c']], 'u3' : [ 0x18, ['__unnamed_1171']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned long']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_1179']], } ], '__unnamed_1180' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_1183' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_1188' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x50, { 'u1' : [ 0x0, ['__unnamed_1180']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_1183']], 'ControlArea' : [ 0x30, ['pointer64', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x38, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x48, ['__unnamed_1188']], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 
'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '_MMPTE_FLUSH_LIST' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned long']], 'FlushVa' : [ 0x8, ['array', 20, ['pointer64', ['void']]]], } ], '__unnamed_119a' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'u' : [ 0x8, ['__unnamed_119a']], 'StartingSector' : [ 0xc, ['unsigned long']], 'NumberOfFullSectors' : [ 0x10, ['unsigned long']], 'SubsectionBase' : [ 0x18, ['pointer64', ['_MMPTE']]], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'PtesInSubsection' : [ 0x24, ['unsigned long']], 'NextSubsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], } ], '_MMPAGING_FILE' : [ 0x78, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'CurrentUsage' : [ 0x20, ['unsigned long long']], 'PeakUsage' : [ 0x28, ['unsigned long long']], 'HighestPage' : [ 0x30, ['unsigned long long']], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x40, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x50, ['_UNICODE_STRING']], 'Bitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'PageFileNumber' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'ReferenceCount' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'BootPartition' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Reserved' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'FileHandle' : [ 0x70, ['pointer64', ['void']]], } ], '_EXCEPTION_RECORD' : [ 0x98, 
{ 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Period' : [ 0x38, ['long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'SpareByte' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Entry' : [ 0x0, 
['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_KPROCESS' : [ 0xb8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['array', 2, ['unsigned long long']]], 'IopmOffset' : [ 0x38, ['unsigned short']], 'ActiveProcessors' : [ 0x40, ['unsigned long long']], 'KernelTime' : [ 0x48, ['unsigned long']], 'UserTime' : [ 0x4c, ['unsigned long']], 'ReadyListHead' : [ 0x50, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'Reserved1' : [ 0x68, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x70, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x80, ['unsigned long long']], 'Affinity' : [ 0x88, ['unsigned long long']], 'AutoAlignment' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x90, ['long']], 'BasePriority' : [ 0x94, ['unsigned char']], 'QuantumReset' : [ 0x95, ['unsigned char']], 'State' : [ 0x96, ['unsigned char']], 'ThreadSeed' : [ 0x97, ['unsigned char']], 'PowerState' : [ 0x98, ['unsigned char']], 'IdealNode' : [ 0x99, ['unsigned char']], 'Visited' : [ 0x9a, ['unsigned char']], 'Flags' : [ 0x9b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x9b, ['unsigned char']], 'StackCount' : [ 0xa0, ['unsigned long long']], 'ProcessListEntry' : [ 0xa8, ['_LIST_ENTRY']], } ], '_KEXCEPTION_FRAME' : [ 0x180, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 
'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'ExceptionRecord' : [ 0xf0, ['array', 64, ['unsigned char']]], 'MxCsr' : [ 0x130, ['unsigned long long']], 'Rbp' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'R12' : [ 0x158, ['unsigned long long']], 'R13' : [ 0x160, ['unsigned long long']], 'R14' : [ 0x168, ['unsigned long long']], 'R15' : [ 0x170, ['unsigned long long']], 'Return' : [ 0x178, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 
0xd0, ['unsigned long long']], 'TimeStamp' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill1' : [ 0x172, ['array', 3, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['array', 1, ['unsigned short']]], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 
'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], 
'_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1240' 
: [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1240']], } ], '__unnamed_1247' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 
'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1247']], } ], '_SHARED_CACHE_MAP' : [ 0x1b8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObject' : [ 0x60, ['pointer64', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x68, ['pointer64', ['_VACB']]], 'NeedToZero' : [ 0x70, ['pointer64', ['void']]], 'ActivePage' : [ 0x78, ['unsigned long']], 'NeedToZeroPage' : [ 0x7c, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x80, ['unsigned long long']], 'VacbActiveCount' : [ 0x88, ['unsigned long']], 'DirtyPages' : [ 0x8c, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x90, ['_LIST_ENTRY']], 'Flags' : [ 0xa0, ['unsigned long']], 'Status' : [ 0xa4, ['long']], 'Mbcb' : [ 0xa8, ['pointer64', ['_MBCB']]], 'Section' : [ 0xb0, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb8, ['pointer64', ['_KEVENT']]], 
'WaitOnActiveCount' : [ 0xc0, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc8, ['unsigned long']], 'BeyondLastFlush' : [ 0xd0, ['long long']], 'Callbacks' : [ 0xd8, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xe0, ['pointer64', ['void']]], 'PrivateList' : [ 0xe8, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf8, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x100, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0x118, ['pointer64', ['_VACB']]], 'BcbSpinLock' : [ 0x120, ['unsigned long long']], 'Reserved' : [ 0x128, ['pointer64', ['void']]], 'Event' : [ 0x130, ['_KEVENT']], 'VacbPushLock' : [ 0x148, ['_EX_PUSH_LOCK']], 'PrivateCacheMap' : [ 0x150, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1b0, ['pointer64', ['void']]], } ], '_FILE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 
'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], } ], '__unnamed_126d' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_126d']], 'LruList' : [ 0x18, ['_LIST_ENTRY']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '__unnamed_1282' : [ 0x10, { 'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_1284' : [ 0x2, { 'FreeListsInUseTerminate' : [ 0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' : [ 0xae8, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'ForceFlags' : [ 0x18, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x1c, ['unsigned long']], 'SegmentReserve' : [ 0x20, ['unsigned long long']], 'SegmentCommit' : [ 0x28, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0x30, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0x38, ['unsigned long long']], 'TotalFreeSize' : [ 0x40, ['unsigned long long']], 'MaximumAllocationSize' : [ 0x48, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0x50, ['unsigned short']], 'HeaderValidateLength' : [ 0x52, ['unsigned short']], 'HeaderValidateCopy' : [ 0x58, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0x60, ['unsigned short']], 'MaximumTagIndex' : [ 0x62, ['unsigned short']], 'TagEntries' : [ 0x68, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x70, ['pointer64', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x78, ['pointer64', 
['_HEAP_UNCOMMMTTED_RANGE']]], 'AlignRound' : [ 0x80, ['unsigned long long']], 'AlignMask' : [ 0x88, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x90, ['_LIST_ENTRY']], 'Segments' : [ 0xa0, ['array', 64, ['pointer64', ['_HEAP_SEGMENT']]]], 'u' : [ 0x2a0, ['__unnamed_1282']], 'u2' : [ 0x2b0, ['__unnamed_1284']], 'AllocatorBackTraceIndex' : [ 0x2b2, ['unsigned short']], 'NonDedicatedListLength' : [ 0x2b4, ['unsigned long']], 'LargeBlocksIndex' : [ 0x2b8, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x2c0, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x2c8, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0xac8, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xad0, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0xad8, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0xae0, ['unsigned short']], 'FrontEndHeapType' : [ 0xae2, ['unsigned char']], 'LastSegmentIndex' : [ 0xae3, ['unsigned char']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'PreviousSize' : [ 0xa, ['unsigned short']], 'SmallTagIndex' : [ 0xc, ['unsigned char']], 'Flags' : [ 0xd, ['unsigned char']], 'UnusedBytes' : [ 0xe, ['unsigned char']], 'SegmentIndex' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x68, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'Heap' : [ 0x18, ['pointer64', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x20, ['unsigned long long']], 'BaseAddress' : [ 0x28, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x30, ['unsigned long']], 'FirstEntry' : [ 0x38, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x48, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x4c, ['unsigned long']], 'UnCommittedRanges' : [ 0x50, ['pointer64', ['_HEAP_UNCOMMMTTED_RANGE']]], 
'AllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'LastEntryInSegment' : [ 0x60, ['pointer64', ['_HEAP_ENTRY']]], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'Bucket' : [ 0x0, ['pointer64', ['void']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'FreeThreshold' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '_TOKEN' : [ 0xd0, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, ['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : [ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x70, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x78, ['pointer64', ['void']]], 'Privileges' : [ 0x80, ['pointer64', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x88, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0x90, ['pointer64', ['_ACL']]], 'TokenType' : [ 0x98, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x9c, ['Enumeration', 
dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xa0, ['unsigned char']], 'TokenInUse' : [ 0xa1, ['unsigned char']], 'ProxyData' : [ 0xa8, ['pointer64', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xb0, ['pointer64', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xb8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc0, ['_LUID']], 'VariablePart' : [ 0xc8, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'pDeviceMap' : [ 0x18, ['pointer64', ['_DEVICE_MAP']]], } ], '_TEB' : [ 0x17d8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x2d0, ['array', 28, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 
'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 14, ['pointer64', ['void']]]], 'SubProcessTag' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'InDbgPrint' : [ 0x1744, ['unsigned char']], 'FreeStackOnTermination' : [ 0x1745, ['unsigned char']], 'HasFiberData' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SparePointer1' : [ 
0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'SoftPatchPtr2' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'SafeThunkCall' : [ 0x17d0, ['unsigned char']], 'BooleanSpare' : [ 0x17d1, ['array', 3, ['unsigned char']]], } ], '_HEAP_UCR_SEGMENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x8, ['unsigned long long']], 'CommittedSize' : [ 0x10, ['unsigned long long']], 'filler' : [ 0x18, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerThreads' : [ 0x30, ['array', 2, ['_OWNER_ENTRY']]], 'ContentionCount' : [ 0x50, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x54, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x56, ['unsigned short']], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, 
['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x18, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x28, ['pointer64', ['void']]], 'DosDeviceDriveIndex' : [ 0x30, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x98, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], } ], '_HEAP_UNCOMMMTTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long long']], 'filler' : [ 0x18, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x1e0, { 
'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, ['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, ['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long long']], 'ResourceDatabase' : [ 0x30, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x38, ['pointer64', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x40, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x44, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x48, ['unsigned long']], 'NodesSearched' : [ 0x4c, ['unsigned long']], 'MaxNodesSearched' : [ 0x50, ['unsigned long']], 'SequenceNumber' : [ 0x54, ['unsigned long']], 'RecursionDepthLimit' : [ 0x58, ['unsigned long']], 'SearchedNodesLimit' : [ 0x5c, ['unsigned long']], 'DepthLimitHits' : [ 0x60, ['unsigned long']], 'SearchLimitHits' : [ 0x64, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x68, ['unsigned long']], 'OutOfOrderReleases' : [ 0x6c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x70, ['unsigned long']], 'TotalReleases' : [ 0x74, ['unsigned long']], 'RootNodesDeleted' : [ 0x78, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x7c, ['unsigned long']], 'PoolTrimCounter' : [ 0x80, ['unsigned long']], 'FreeResourceList' : [ 0x88, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x98, ['_LIST_ENTRY']], 'FreeNodeList' : [ 0xa8, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0xb8, ['unsigned long']], 'FreeThreadCount' : [ 0xbc, ['unsigned long']], 'FreeNodeCount' : [ 0xc0, ['unsigned long']], 'Instigator' : [ 0xc8, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0xd0, ['unsigned long']], 'Participant' : [ 0xd8, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x1d8, ['unsigned long']], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned 
long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 
'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x280, { 'BufferSpinLock' : [ 0x0, ['unsigned long long']], 'StartTime' : [ 0x8, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x10, ['pointer64', ['void']]], 'LoggerSemaphore' : [ 0x18, ['_KSEMAPHORE']], 'LoggerThread' : [ 0x38, ['pointer64', ['_ETHREAD']]], 'LoggerEvent' : [ 0x40, ['_KEVENT']], 'FlushEvent' : [ 0x58, ['_KEVENT']], 'LoggerStatus' : [ 0x70, ['long']], 'LoggerId' : [ 0x74, ['unsigned long']], 'BuffersAvailable' : [ 0x78, ['long']], 'UsePerfClock' : [ 0x7c, ['unsigned long']], 'WriteFailureLimit' : [ 0x80, ['unsigned long']], 'BuffersDirty' : [ 0x84, ['long']], 'BuffersInUse' : [ 0x88, ['long']], 'SwitchingInProgress' : [ 0x8c, ['unsigned long']], 'FreeList' : [ 0x90, ['_SLIST_HEADER']], 'FlushList' : [ 0xa0, ['_SLIST_HEADER']], 'WaitList' : [ 0xb0, ['_SLIST_HEADER']], 'GlobalList' : [ 0xc0, ['_SLIST_HEADER']], 'ProcessorBuffers' : [ 0xd0, ['pointer64', ['pointer64', ['_WMI_BUFFER_HEADER']]]], 'LoggerName' : [ 0xd8, ['_UNICODE_STRING']], 'LogFileName' : [ 0xe8, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0xf8, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x108, ['_UNICODE_STRING']], 'EndPageMarker' : [ 0x118, ['pointer64', ['unsigned char']]], 'CollectionOn' : [ 0x120, ['long']], 'KernelTraceOn' : [ 0x124, ['unsigned long']], 'PerfLogInTransition' : [ 0x128, ['long']], 'RequestFlag' : [ 0x12c, ['unsigned long']], 'EnableFlags' : [ 0x130, ['unsigned long']], 'MaximumFileSize' : [ 0x134, ['unsigned long']], 'LoggerMode' : [ 0x138, ['unsigned long']], 'LoggerModeFlags' : [ 0x138, ['_WMI_LOGGER_MODE']], 'Wow' : [ 0x13c, ['unsigned long']], 'LastFlushedBuffer' : [ 0x140, ['unsigned long']], 'RefCount' : [ 0x144, ['unsigned long']], 'FlushTimer' : [ 0x148, ['unsigned long']], 'FirstBufferOffset' : [ 0x150, ['_LARGE_INTEGER']], 'ByteOffset' : [ 0x158, 
['_LARGE_INTEGER']], 'BufferAgeLimit' : [ 0x160, ['_LARGE_INTEGER']], 'MaximumBuffers' : [ 0x168, ['unsigned long']], 'MinimumBuffers' : [ 0x16c, ['unsigned long']], 'EventsLost' : [ 0x170, ['unsigned long']], 'BuffersWritten' : [ 0x174, ['unsigned long']], 'LogBuffersLost' : [ 0x178, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x17c, ['unsigned long']], 'BufferSize' : [ 0x180, ['unsigned long']], 'NumberOfBuffers' : [ 0x184, ['long']], 'SequencePtr' : [ 0x188, ['pointer64', ['long']]], 'InstanceGuid' : [ 0x190, ['_GUID']], 'LoggerHeader' : [ 0x1a0, ['pointer64', ['void']]], 'GetCpuClock' : [ 0x1a8, ['pointer64', ['void']]], 'ClientSecurityContext' : [ 0x1b0, ['_SECURITY_CLIENT_CONTEXT']], 'LoggerExtension' : [ 0x1f8, ['pointer64', ['void']]], 'ReleaseQueue' : [ 0x200, ['long']], 'EnableFlagExtension' : [ 0x204, ['_TRACE_ENABLE_FLAG_EXTENSION']], 'LocalSequence' : [ 0x208, ['unsigned long']], 'MaximumIrql' : [ 0x20c, ['unsigned long']], 'EnableFlagArray' : [ 0x210, ['pointer64', ['unsigned long']]], 'LoggerMutex' : [ 0x218, ['_KMUTANT']], 'MutexCount' : [ 0x250, ['long']], 'FileCounter' : [ 0x254, ['long']], 'BufferCallback' : [ 0x258, ['pointer64', ['void']]], 'CallbackContext' : [ 0x260, ['pointer64', ['void']]], 'PoolType' : [ 0x268, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceSystemTime' : [ 0x270, ['_LARGE_INTEGER']], 'ReferenceTimeStamp' : [ 0x278, ['_LARGE_INTEGER']], } ], '_SEGMENT_OBJECT' : [ 0x48, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 
'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x30, ['pointer64', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x38, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x40, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_13b7' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x1c, ['unsigned long']], 'NumberOfMappedViews' : [ 0x20, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x24, ['unsigned long']], 'NumberOfUserReferences' : [ 0x28, ['unsigned long']], 'u' : [ 0x2c, ['__unnamed_13b7']], 'FilePointer' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x38, ['pointer64', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x40, ['unsigned short']], 'FlushInProgressCount' : [ 0x42, ['unsigned short']], 'WritableUserReferences' : [ 0x44, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x70, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleTableLock' : [ 0x18, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x38, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x48, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x50, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x58, ['long']], 'FirstFree' : [ 0x5c, ['unsigned long']], 'LastFree' : [ 0x60, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x64, ['unsigned long']], 'HandleCount' : [ 0x68, ['long']], 'Flags' : [ 0x6c, ['unsigned long']], 'StrictFIFO' : [ 0x6c, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_XMM_SAVE_AREA32' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 
0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_MMSUPPORT' : [ 0x58, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimTime' : [ 0x10, ['_LARGE_INTEGER']], 'Flags' : [ 0x18, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x1c, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x20, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x24, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x28, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x2c, ['unsigned long']], 'VmWorkingSetList' : [ 0x30, ['pointer64', ['_MMWSL']]], 'Claim' : [ 0x38, ['unsigned long']], 'NextEstimationSlot' : [ 0x3c, ['unsigned long']], 
'NextAgingSlot' : [ 0x40, ['unsigned long']], 'EstimatedAvailable' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'WorkingSetMutex' : [ 0x50, ['_EX_PUSH_LOCK']], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]], 'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['unsigned short']]], } ], '_EPROCESS_QUOTA_BLOCK' : [ 0x78, { 'QuotaEntry' : [ 0x0, 
['array', 3, ['_EPROCESS_QUOTA_ENTRY']]], 'QuotaList' : [ 0x60, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x70, ['unsigned long']], 'ProcessCount' : [ 0x74, ['unsigned long']], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_EVENT_COUNTER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'RefCount' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], } ], '_EJOB' : [ 0x220, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0xe0, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'ActiveProcessLimit' : [ 0xf8, ['unsigned long']], 'Affinity' : [ 0x100, ['unsigned long long']], 'PriorityClass' : [ 0x108, ['unsigned char']], 'UIRestrictionsClass' : [ 0x10c, ['unsigned long']], 'SecurityLimitFlags' : [ 0x110, ['unsigned long']], 'Token' : [ 0x118, ['pointer64', ['void']]], 'Filter' : [ 0x120, ['pointer64', ['_PS_JOB_TOKEN_FILTER']]], 
'EndOfJobTimeAction' : [ 0x128, ['unsigned long']], 'CompletionPort' : [ 0x130, ['pointer64', ['void']]], 'CompletionKey' : [ 0x138, ['pointer64', ['void']]], 'SessionId' : [ 0x140, ['unsigned long']], 'SchedulingClass' : [ 0x144, ['unsigned long']], 'ReadOperationCount' : [ 0x148, ['unsigned long long']], 'WriteOperationCount' : [ 0x150, ['unsigned long long']], 'OtherOperationCount' : [ 0x158, ['unsigned long long']], 'ReadTransferCount' : [ 0x160, ['unsigned long long']], 'WriteTransferCount' : [ 0x168, ['unsigned long long']], 'OtherTransferCount' : [ 0x170, ['unsigned long long']], 'IoInfo' : [ 0x178, ['_IO_COUNTERS']], 'ProcessMemoryLimit' : [ 0x1a8, ['unsigned long long']], 'JobMemoryLimit' : [ 0x1b0, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x1b8, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x1c0, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x1c8, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x1d0, ['_KGUARDED_MUTEX']], 'JobSetLinks' : [ 0x208, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x218, ['unsigned long']], 'JobFlags' : [ 0x21c, ['unsigned long']], } ], '_LARGE_CONTROL_AREA' : [ 0x68, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x1c, ['unsigned long']], 'NumberOfMappedViews' : [ 0x20, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x24, ['unsigned long']], 'NumberOfUserReferences' : [ 0x28, ['unsigned long']], 'u' : [ 0x2c, ['__unnamed_13b7']], 'FilePointer' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x38, ['pointer64', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x40, ['unsigned short']], 'FlushInProgressCount' : [ 0x42, ['unsigned short']], 'WritableUserReferences' : [ 0x44, ['unsigned long']], 'StartingFrame' : [ 0x48, ['unsigned long long']], 'UserGlobalList' : [ 0x50, ['_LIST_ENTRY']], 'SessionId' : [ 0x60, ['unsigned long']], } ], '_GUID' : [ 0x10, { 
'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x38, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x10, ['unsigned long']], 'CapturedGroupCount' : [ 0x14, ['unsigned long']], 'CapturedGroups' : [ 0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x20, ['unsigned long']], 'CapturedPrivilegeCount' : [ 0x24, ['unsigned long']], 'CapturedPrivileges' : [ 0x28, ['pointer64', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x80, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 
'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'Reserved' : [ 0x78, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 
0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 
'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : 
[ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x50, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], 'LimitModifiedPages' : [ 0x48, ['unsigned char']], } ], '_TRACE_ENABLE_FLAG_EXTENSION' : [ 0x4, { 'Offset' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned char']], 'Flag' : [ 0x3, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x30, { 'Name' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x10, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x18, ['unsigned long']], 'CmHiveFlags' : [ 0x1c, ['unsigned long']], 'CmHive2' : [ 0x20, ['pointer64', ['_CMHIVE']]], 'ThreadFinished' : [ 0x28, ['unsigned char']], 'ThreadStarted' : [ 0x29, ['unsigned char']], 'Allocate' : [ 0x2a, ['unsigned char']], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' 
: [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0x10, { 'Token' : [ 0x0, ['pointer64', ['void']]], 'CopyOnOpen' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], 'ImpersonationLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_1472' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], } ], '__unnamed_1474' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1478' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x1c0, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'Level' : [ 0x20, ['unsigned long']], 'Notify' : [ 0x28, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 
'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x38, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 
'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x88, ['unsigned long']], 'CompletionStatus' : [ 0x8c, ['long']], 'PendingIrp' : [ 0x90, ['pointer64', ['_IRP']]], 'Flags' : [ 0x98, ['unsigned long']], 'UserFlags' : [ 0x9c, ['unsigned long']], 'Problem' : [ 0xa0, ['unsigned long']], 'PhysicalDeviceObject' : [ 0xa8, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0xb0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xb8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0xc0, ['_UNICODE_STRING']], 'ServiceName' : [ 0xd0, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xe0, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xe8, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xf0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xf4, ['unsigned long']], 'ChildInterfaceType' : [ 0xf8, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xfc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x100, ['unsigned short']], 'RemovalPolicy' : [ 0x102, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x103, ['unsigned char']], 'TargetDeviceNotify' : [ 0x108, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x118, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x128, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x138, ['unsigned short']], 'QueryTranslatorMask' : [ 0x13a, ['unsigned 
short']], 'NoArbiterMask' : [ 0x13c, ['unsigned short']], 'QueryArbiterMask' : [ 0x13e, ['unsigned short']], 'OverUsed1' : [ 0x140, ['__unnamed_1472']], 'OverUsed2' : [ 0x148, ['__unnamed_1474']], 'BootResources' : [ 0x150, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x158, ['unsigned long']], 'DockInfo' : [ 0x160, ['__unnamed_1478']], 'DisableableDepends' : [ 0x180, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x188, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x198, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x1a8, ['unsigned long']], 'PreviousParent' : [ 0x1b0, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x1b8, ['unsigned long']], } ], '__unnamed_147d' : [ 0x68, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_147d']], } ], '_PEB64' : [ 0x358, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'SparePtr2' : [ 0x48, ['unsigned long long']], 'EnvironmentUpdateCount' : [ 0x50, ['unsigned long']], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['unsigned long 
long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'ReadOnlySharedMemoryHeap' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned 
long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_KPCR' : [ 0x2600, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'PerfGlobalGroupMask' : [ 0x10, ['pointer64', ['void']]], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', 
['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_MMCOLOR_TABLES' : [ 0x18, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '__unnamed_14ad' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, 
['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1d80, { 'GlobalVirtualAddress' : [ 0x0, ['pointer64', ['_MM_SESSION_SPACE']]], 'ReferenceCount' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_14ad']], 'SessionId' : [ 0x10, ['unsigned long']], 'ProcessList' : [ 0x18, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x28, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x30, ['unsigned long long']], 'NonPagablePages' : [ 0x38, ['unsigned long long']], 'CommittedPages' : [ 0x40, ['unsigned long long']], 'PagedPoolStart' : [ 0x48, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x50, ['pointer64', ['void']]], 'PagedPoolBasePde' : [ 0x58, ['pointer64', ['_MMPTE']]], 'Color' : [ 0x60, ['unsigned long']], 'ResidentProcessCount' : [ 0x64, ['long']], 'SessionPoolAllocationFailures' : [ 0x68, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachEvent' : [ 0x90, ['_KEVENT']], 'LastProcess' : [ 0xa8, ['pointer64', ['_EPROCESS']]], 'ProcessReferenceToSession' : [ 0xb0, ['long']], 'WsListEntry' : [ 0xb8, ['_LIST_ENTRY']], 'Lookaside' : [ 0x100, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb80, ['_MMSESSION']], 'PagedPoolMutex' : [ 0xbe8, ['_KGUARDED_MUTEX']], 'PagedPoolInfo' : [ 0xc20, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc60, ['_MMSUPPORT']], 'Wsle' : [ 0xcb8, ['pointer64', ['_MMWSLE']]], 'Win32KDriverUnload' : [ 0xcc0, ['pointer64', ['void']]], 'PagedPool' : [ 0xcc8, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1d10, ['_MMPTE']], 'SpecialPoolFirstPte' : [ 0x1d18, ['pointer64', ['_MMPTE']]], 'SpecialPoolLastPte' : [ 0x1d20, ['pointer64', ['_MMPTE']]], 'NextPdeForSpecialPoolExpansion' : [ 0x1d28, ['pointer64', ['_MMPTE']]], 'LastPdeForSpecialPoolExpansion' : [ 0x1d30, ['pointer64', ['_MMPTE']]], 'SpecialPagesInUse' : [ 0x1d38, ['unsigned long long']], 'ImageLoadingCount' : [ 0x1d40, ['long']], } ], '_PEB' : [ 0x358, { 'InheritedAddressSpace' : 
[ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'SparePtr2' : [ 0x48, ['pointer64', ['void']]], 'EnvironmentUpdateCount' : [ 0x50, ['unsigned long']], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['pointer64', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, 
['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['pointer64', ['void']]]], 'FlsListHead' : [ 0x328, 
['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'PreviousSize' : [ 0xa, ['unsigned short']], 'SmallTagIndex' : [ 0xc, ['unsigned char']], 'Flags' : [ 0xd, ['unsigned char']], 'UnusedBytes' : [ 0xe, ['unsigned char']], 'SegmentIndex' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 
'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '__unnamed_14dd' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa8, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x10, ['_LARGE_INTEGER']], 'u' : [ 0x18, ['__unnamed_14dd']], 'Irp' : [ 0x28, ['pointer64', ['_IRP']]], 'LastPageToWrite' : [ 0x30, ['unsigned long long']], 'PagingListHead' : [ 0x38, ['pointer64', ['_MMMOD_WRITER_LISTHEAD']]], 'CurrentList' : [ 0x40, ['pointer64', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x48, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x50, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x58, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x60, ['pointer64', ['_ERESOURCE']]], 'IssueTime' : [ 0x68, ['_LARGE_INTEGER']], 'Mdl' : [ 0x70, ['_MDL']], 'Page' : [ 0xa0, ['array', 1, ['unsigned long long']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_TEB32' : [ 0xfbc, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 
'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes1' : [ 0x1ac, ['array', 40, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, 
['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 14, ['unsigned long']]], 'SubProcessTag' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SparePointer1' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'SoftPatchPtr2' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'SafeThunkCall' : [ 0xfb8, ['unsigned char']], 'BooleanSpare' : [ 0xfb9, ['array', 3, ['unsigned char']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x20, { 'Usage' : [ 0x0, ['unsigned long long']], 'Limit' : [ 0x8, ['unsigned 
long long']], 'Peak' : [ 0x10, ['unsigned long long']], 'Return' : [ 0x18, ['unsigned long long']], } ], '__unnamed_1502' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_1502']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'Reserved1' : [ 0x0, ['unsigned long long']], 'Reserved2' : [ 0x8, ['unsigned long long']], 'Reserved3' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['pointer64', ['void']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Entry' : [ 0x18, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x0, ['long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'UsePerfClock' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['_WMI_CLIENT_CONTEXT']], 'State' : [ 0x2c, ['_WMI_BUFFER_STATE']], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'InstanceGuid' : [ 0x38, ['_GUID']], 'LoggerContext' : [ 0x38, ['pointer64', ['void']]], 'GlobalEntry' : [ 0x40, ['_SINGLE_LIST_ENTRY']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x170, { 'IdleFunction' : [ 0x0, ['pointer64', ['void']]], 'Idle0KernelTimeLimit' : [ 0x8, ['unsigned long']], 'Idle0LastTime' : [ 0xc, ['unsigned long']], 'IdleHandlers' : [ 0x10, ['pointer64', ['void']]], 'IdleState' : [ 0x18, ['pointer64', ['void']]], 'IdleHandlersCount' : [ 0x20, ['unsigned long']], 'LastCheck' : [ 0x28, ['unsigned long long']], 'IdleTimes' : [ 0x30, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' : [ 0x50, ['unsigned long']], 'PromotionCheck' : [ 0x54, ['unsigned long']], 'IdleTime2' : [ 0x58, ['unsigned long']], 
'CurrentThrottle' : [ 0x5c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x5d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x5e, ['unsigned char']], 'ThermalThrottleIndex' : [ 0x5f, ['unsigned char']], 'LastKernelUserTime' : [ 0x60, ['unsigned long']], 'LastIdleThreadKernelTime' : [ 0x64, ['unsigned long']], 'PackageIdleStartTime' : [ 0x68, ['unsigned long']], 'PackageIdleTime' : [ 0x6c, ['unsigned long']], 'DebugCount' : [ 0x70, ['unsigned long']], 'LastSysTime' : [ 0x74, ['unsigned long']], 'TotalIdleStateTime' : [ 0x78, ['array', 3, ['unsigned long long']]], 'TotalIdleTransitions' : [ 0x90, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0xa0, ['unsigned long long']], 'KneeThrottleIndex' : [ 0xa8, ['unsigned char']], 'ThrottleLimitIndex' : [ 0xa9, ['unsigned char']], 'PerfStatesCount' : [ 0xaa, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xab, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0xac, ['unsigned char']], 'EnableIdleAccounting' : [ 0xad, ['unsigned char']], 'LastC3Percentage' : [ 0xae, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0xaf, ['unsigned char']], 'PromotionCount' : [ 0xb0, ['unsigned long']], 'DemotionCount' : [ 0xb4, ['unsigned long']], 'ErrorCount' : [ 0xb8, ['unsigned long']], 'RetryCount' : [ 0xbc, ['unsigned long']], 'Flags' : [ 0xc0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xc8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xd0, ['unsigned long']], 'PerfTimer' : [ 0xd8, ['_KTIMER']], 'PerfDpc' : [ 0x118, ['_KDPC']], 'PerfStates' : [ 0x158, ['pointer64', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x160, ['pointer64', ['void']]], 'LastC3KernelUserTime' : [ 0x168, ['unsigned long']], 'LastPackageIdleTime' : [ 0x16c, ['unsigned long']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned short')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned short')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned short')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned short')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 'WriteTransferCount' : [ 0x20, ['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x80, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x18, ['_LIST_ENTRY']], 'DeviceType' : [ 0x28, ['unsigned 
char']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x30, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x40, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x50, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x70, ['_LIST_ENTRY']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Available0' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'GrowWsleHash' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredUnsafe' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Available' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x10, ['_KEVENT']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', 
choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_POP_THERMAL_ZONE' : [ 0x120, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned 
char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc0, ['pointer64', ['_IRP']]], 'Info' : [ 0xc8, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x18, ['unsigned long']], 'ObjectMask' : [ 0x1c, ['unsigned long']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 
0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'OwnerCount' : [ 0x8, ['long']], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_TEB64' : [ 0x17d8, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 
54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes1' : [ 0x2d0, ['array', 28, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 14, ['unsigned long long']]], 'SubProcessTag' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'InDbgPrint' : [ 0x1744, ['unsigned char']], 'FreeStackOnTermination' : [ 0x1745, ['unsigned char']], 'HasFiberData' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 
0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SparePointer1' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'SoftPatchPtr2' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'SafeThunkCall' : [ 0x17d0, ['unsigned char']], 'BooleanSpare' : [ 0x17d1, ['array', 3, ['unsigned char']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], 
'_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CMHIVE' : [ 0xab8, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x578, ['array', 3, ['pointer64', ['void']]]], 'NotifyList' : [ 0x590, ['_LIST_ENTRY']], 'HiveList' : [ 0x5a0, ['_LIST_ENTRY']], 'HiveLock' : [ 0x5b0, ['_EX_PUSH_LOCK']], 'ViewLock' : [ 0x5b8, ['pointer64', ['_KGUARDED_MUTEX']]], 'WriterLock' : [ 0x5c0, ['_EX_PUSH_LOCK']], 'FlusherLock' : [ 0x5c8, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x5d0, ['_EX_PUSH_LOCK']], 'LRUViewListHead' : [ 0x5d8, ['_LIST_ENTRY']], 'PinViewListHead' : [ 0x5e8, ['_LIST_ENTRY']], 'FileObject' : [ 0x5f8, ['pointer64', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x600, ['_UNICODE_STRING']], 'FileUserName' : [ 0x610, ['_UNICODE_STRING']], 'MappedViews' : [ 0x620, ['unsigned short']], 'PinnedViews' : [ 0x622, ['unsigned short']], 'UseCount' : [ 0x624, ['unsigned long']], 'SecurityCount' : [ 0x628, ['unsigned long']], 'SecurityCacheSize' : [ 0x62c, ['unsigned long']], 'SecurityHitHint' : [ 0x630, ['long']], 'SecurityCache' : [ 0x638, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 
'SecurityHash' : [ 0x640, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0xa40, ['pointer64', ['_KEVENT']]], 'RootKcb' : [ 0xa48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xa50, ['unsigned char']], 'UnloadWorkItem' : [ 0xa58, ['pointer64', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0xa60, ['unsigned char']], 'GrowOffset' : [ 0xa64, ['unsigned long']], 'KcbConvertListHead' : [ 0xa68, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xa78, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xa88, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xa90, ['unsigned long']], 'TrustClassEntry' : [ 0xa98, ['_LIST_ENTRY']], 'FlushCount' : [ 0xaa8, ['unsigned long']], 'CreatorOwner' : [ 0xab0, ['pointer64', ['_KTHREAD']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_HHIVE' : [ 0x578, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'BaseBlock' : [ 0x48, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x50, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x60, 
['unsigned long']], 'DirtyAlloc' : [ 0x64, ['unsigned long']], 'BaseBlockAlloc' : [ 0x68, ['unsigned long']], 'Cluster' : [ 0x6c, ['unsigned long']], 'Flat' : [ 0x70, ['unsigned char']], 'ReadOnly' : [ 0x71, ['unsigned char']], 'Log' : [ 0x72, ['unsigned char']], 'DirtyFlag' : [ 0x73, ['unsigned char']], 'HiveFlags' : [ 0x74, ['unsigned long']], 'LogSize' : [ 0x78, ['unsigned long']], 'RefreshCount' : [ 0x7c, ['unsigned long']], 'StorageTypeCount' : [ 0x80, ['unsigned long']], 'Version' : [ 0x84, ['unsigned long']], 'Storage' : [ 0x88, ['array', 2, ['_DUAL']]], } ], '_PAGEFAULT_HISTORY' : [ 0x28, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x10, ['pointer64', ['void']]], 'WatchInfo' : [ 0x18, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x48, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ParseContext' : [ 0x10, ['pointer64', ['void']]], 
'ProbeMode' : [ 0x18, ['unsigned char']], 'PagedPoolCharge' : [ 0x1c, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x20, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x24, ['unsigned long']], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'SecurityQos' : [ 0x30, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x38, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_WMI_BUFFER_STATE' : [ 0x4, { 'Free' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'InUse' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Flush' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_MMFREE_POOL_ENTRY' : [ 0x28, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Size' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long']], 'Owner' : [ 0x20, ['pointer64', ['_MMFREE_POOL_ENTRY']]], } ], '__unnamed_15d3' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_15d3']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 
'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '_PEB32' : [ 0x230, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'SparePtr2' : [ 0x24, ['unsigned long']], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 
'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 
0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], } ], '_MBCB' : [ 0xb8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x58, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x88, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 0x40, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 'PinViewList' : [ 0x10, ['_LIST_ENTRY']], 'FileOffset' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'ViewAddress' : [ 0x28, ['pointer64', ['unsigned long long']]], 'Bcb' : [ 0x30, ['pointer64', ['void']]], 'UseCount' : [ 0x38, ['unsigned long']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 
64, native_type='long long')]], } ], '_KUSER_SHARED_DATA' : [ 0x378, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned 
long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'Wow64SharedInformation' : [ 0x334, ['array', 16, ['unsigned long']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '_WMI_LOGGER_MODE' : [ 0x4, { 'SequentialFile' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned 
long')]], 'CircularFile' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'AppendFile' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'RealTime' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DelayOpenFile' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'BufferOnly' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PrivateLogger' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'AddHeader' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'UseExisting' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'UseGlobalSequence' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'UseLocalSequence' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '__unnamed_162d' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1633' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x68, { 'u1' : [ 0x0, ['__unnamed_1180']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_1183']], 'ControlArea' : [ 0x30, ['pointer64', ['_CONTROL_AREA']]], 
'FirstPrototypePte' : [ 0x38, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x48, ['__unnamed_1188']], 'u3' : [ 0x50, ['__unnamed_162d']], 'u4' : [ 0x60, ['__unnamed_1633']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1048, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, ['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x20, ['pointer64', ['void']]], 'PendingFrees' : [ 0x28, ['pointer64', ['void']]], 'PendingFreeDepth' : [ 0x30, ['long']], 'TotalBytes' : [ 0x38, ['unsigned long long']], 
'Spare0' : [ 0x40, ['unsigned long long']], 'ListHeads' : [ 0x48, ['array', 256, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_WOW64_PROCESS' : [ 0x8, { 'Wow64' : [ 0x0, ['pointer64', ['void']]], } ], '_PEB_LDR_DATA' : [ 0x48, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 
'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x40, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer64', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x8, ['pointer64', ['_RTL_BITMAP']]], 'FirstPteForPagedPool' : [ 0x10, ['pointer64', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0x18, ['pointer64', ['_MMPTE']]], 'NextPdeForPagedPoolExpansion' : [ 0x20, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x28, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x38, ['unsigned long long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, 
['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['unsigned short']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_MMSESSION' : [ 0x68, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewStart' : [ 0x40, ['pointer64', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x48, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x50, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x54, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x58, ['unsigned long']], 'BitmapFailures' : [ 0x5c, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'NumberOfPages' : [ 
0xc, ['unsigned long']], 'QuotaObject' : [ 0x10, ['pointer64', ['void']]], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 0x10, { 'FaultingPc' : [ 0x0, ['pointer64', ['void']]], 'FaultingVa' : [ 0x8, ['pointer64', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x48, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x48, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 
'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, 
['unsigned long long']], 'FltSave' : [ 0x100, ['_XMM_SAVE_AREA32']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_MMPTE_HARDWARE_LARGEPAGE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PAT' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 21, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 40, native_type='unsigned long long')]], 'reserved2' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0x120, { 'Next' : [ 0x0, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, 
['_KEVENT']], 'Slot' : [ 0x38, ['_PCI_SLOT_NUMBER']], 'PhysicalDeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x48, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x50, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x58, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x5c, ['unsigned long']], 'VendorId' : [ 0x60, ['unsigned short']], 'DeviceId' : [ 0x62, ['unsigned short']], 'SubsystemVendorId' : [ 0x64, ['unsigned short']], 'SubsystemId' : [ 0x66, ['unsigned short']], 'RevisionId' : [ 0x68, ['unsigned char']], 'ProgIf' : [ 0x69, ['unsigned char']], 'SubClass' : [ 0x6a, ['unsigned char']], 'BaseClass' : [ 0x6b, ['unsigned char']], 'AdditionalResourceCount' : [ 0x6c, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x6d, ['unsigned char']], 'InterruptPin' : [ 0x6e, ['unsigned char']], 'RawInterruptLine' : [ 0x6f, ['unsigned char']], 'CapabilitiesPtr' : [ 0x70, ['unsigned char']], 'SavedLatencyTimer' : [ 0x71, ['unsigned char']], 'SavedCacheLineSize' : [ 0x72, ['unsigned char']], 'HeaderType' : [ 0x73, ['unsigned char']], 'NotPresent' : [ 0x74, ['unsigned char']], 'ReportedMissing' : [ 0x75, ['unsigned char']], 'ExpectedWritebackFailure' : [ 0x76, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x77, ['unsigned char']], 'LegacyDriver' : [ 0x78, ['unsigned char']], 'UpdateHardware' : [ 0x79, ['unsigned char']], 'MovedDevice' : [ 0x7a, ['unsigned char']], 'DisablePowerDown' : [ 0x7b, ['unsigned char']], 'NeedsHotPlugConfiguration' : [ 0x7c, ['unsigned char']], 'IDEInNativeMode' : [ 0x7d, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x7e, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : [ 0x7f, ['unsigned char']], 'OnDebugPath' : [ 0x80, ['unsigned char']], 'IoSpaceNotRequired' : [ 0x81, ['unsigned char']], 'PowerState' : [ 0x88, ['PCI_POWER_STATE']], 'Dependent' : [ 0xd8, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xe0, ['unsigned long long']], 'Resources' : [ 0xe8, ['pointer64', 
['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xf0, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'NextBridge' : [ 0xf8, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0x100, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0x108, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0x118, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0x11a, ['unsigned char']], 'CommandEnables' : [ 0x11c, ['unsigned short']], 'InitialCommand' : [ 0x11e, ['unsigned short']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '__unnamed_16a5' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_16a7' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_16a5']], 'Merged' : [ 0x10, ['__unnamed_16a7']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 
'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_DEVICE_MAP' : [ 0x38, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'DriveMap' : [ 0x14, ['unsigned long']], 'DriveType' : [ 0x18, ['array', 32, ['unsigned char']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 
0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '__unnamed_16d2' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0x130, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, ['_KEVENT']], 'PhysicalDeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'ChildListLock' : [ 0x50, ['_KEVENT']], 'ChildPdoList' : [ 0x68, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 
0x70, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x78, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x80, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 0x88, ['pointer64', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x90, ['unsigned char']], 'BusHandler' : [ 0x98, ['pointer64', ['_BUS_HANDLER']]], 'BaseBus' : [ 0xa0, ['unsigned char']], 'Fake' : [ 0xa1, ['unsigned char']], 'ChildDelete' : [ 0xa2, ['unsigned char']], 'Scanned' : [ 0xa3, ['unsigned char']], 'ArbitersInitialized' : [ 0xa4, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0xa5, ['unsigned char']], 'Hibernated' : [ 0xa6, ['unsigned char']], 'PowerState' : [ 0xa8, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xf8, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0x100, ['unsigned long']], 'PreservedConfig' : [ 0x108, ['pointer64', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0x110, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0x120, ['__unnamed_16d2']], 'BusHackFlags' : [ 0x128, ['unsigned long']], } ], '__unnamed_16d6' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_16d8' : [ 0x10, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_16da' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_16dc' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_16de' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_16e0' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_16e2' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_16d6']], 'Port' : [ 0x0, ['__unnamed_16d6']], 'Interrupt' : [ 0x0, ['__unnamed_16d8']], 'Memory' : 
[ 0x0, ['__unnamed_16d6']], 'Dma' : [ 0x0, ['__unnamed_16da']], 'DevicePrivate' : [ 0x0, ['__unnamed_16dc']], 'BusNumber' : [ 0x0, ['__unnamed_16de']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_16e0']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_16e2']], } ], '_SYSPTES_HEADER' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'RequestSummary' : [ 0x0, ['long long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'Virtual' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xb0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 
'NameBlock' : [ 0x30, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x38, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x40, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x50, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x50, ['unsigned long']], 'SubKeyCount' : [ 0x50, ['unsigned long']], 'KeyBodyListHead' : [ 0x58, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x58, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x68, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x88, ['pointer64', ['void']]], 'KcbLastWriteTime' : [ 0x90, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x98, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x9a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x9c, ['unsigned long']], 'KcbUserFlags' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xa0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xa0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xa0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xa8, ['pointer64', ['unsigned char']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ReadConfig' : [ 0x20, ['pointer64', ['void']]], 'WriteConfig' : [ 0x28, ['pointer64', ['void']]], 'PinToLine' : [ 0x30, ['pointer64', ['void']]], 'LineToPin' : [ 0x38, ['pointer64', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], 
'_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x20, ['unsigned long']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'PolicyChange' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '__unnamed_1726' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_172b' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], 
} ], '__unnamed_172d' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_172b']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_1735' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1737' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_1735']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_1726']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_172d']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_1737']], } ], '_PCI_LOCK' : [ 0x10, { 'Atom' : [ 0x0, ['unsigned long long']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', 
['_CM_KEY_SECURITY_CACHE']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '__unnamed_1744' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1744']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_174a' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_174a']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], } ], '_ETIMER' : [ 0x108, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeTimer' : [ 0xf5, ['unsigned char']], 'WakeTimerListEntry' : [ 0xf8, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 
'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 
6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, ['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '__unnamed_1764' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1764']], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '__unnamed_176c' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_176c']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x3f0, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 
0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 
0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockQueuedSpinLock', 7: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['unsigned long']], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_PEB_FREE_BLOCK' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x48, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'WakeNeeded' : [ 0x18, ['unsigned char']], 'OrderLevel' : [ 0x19, ['unsigned 
char']], 'DeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'Node' : [ 0x28, ['pointer64', ['void']]], 'DeviceName' : [ 0x30, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x38, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x40, ['unsigned long']], 'ActiveChild' : [ 0x44, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x20, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], } ], '__unnamed_1795' : [ 0x4, { 'Spare' : [ 0x0, ['array', 4, ['unsigned char']]], } ], '__unnamed_1797' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_1795']], 'type1' : [ 0x0, ['__unnamed_1797']], 'type2' : [ 0x0, ['__unnamed_1797']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 
'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'ServiceContext' : [ 0x20, ['pointer64', ['void']]], 'SpinLock' : [ 0x28, ['unsigned long long']], 'TickCount' : [ 0x30, ['unsigned long']], 'ActualLock' : [ 0x38, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x40, ['pointer64', ['void']]], 'Vector' : [ 0x48, ['unsigned long']], 'Irql' : [ 0x4c, ['unsigned char']], 'SynchronizeIrql' : [ 0x4d, ['unsigned char']], 'FloatingSave' : [ 0x4e, ['unsigned char']], 'Connected' : [ 0x4f, ['unsigned char']], 'Number' : [ 0x50, ['unsigned char']], 'ShareVector' : [ 0x51, ['unsigned char']], 'Mode' : [ 0x54, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x58, ['unsigned long']], 'DispatchCount' : [ 0x5c, ['unsigned long']], 'TrapFrame' : [ 0x60, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x68, ['pointer64', ['void']]], 'DispatchCode' : [ 0x70, ['array', 4, ['unsigned long']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0x190, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0x18, ['pointer64', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x20, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x28, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x58, 
['_ARBITER_INSTANCE']], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x40, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x8, ['pointer64', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x10, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0x18, ['pointer64', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x28, ['pointer64', ['void']]], 'OtherIrpDispatchStyle' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x38, ['pointer64', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', 
['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_17da' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_17de' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', 
dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_17da']], 'Bits' : [ 0x4, ['__unnamed_17de']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_OBJECT_DIRECTORY' : [ 0x140, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], } ], '_WMI_CLIENT_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', 
['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x80, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NonDirectCount' : [ 0x1c, ['unsigned long']], 'HashTable' : [ 0x20, ['pointer64', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x28, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x2c, ['unsigned long']], 'HashTableStart' : [ 0x30, ['pointer64', ['void']]], 'HighestPermittedHashAddress' : [ 0x38, ['pointer64', ['void']]], 'NumberOfImageWaiters' : [ 0x40, ['unsigned long']], 'VadBitMapHint' : [ 0x44, ['unsigned long']], 'HighestUserAddress' : [ 0x48, ['pointer64', ['void']]], 'MaximumUserPageTablePages' : [ 0x50, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x54, ['unsigned long']], 'CommittedPageTables' : [ 0x58, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x60, ['unsigned long']], 'CommittedPageDirectories' : [ 0x68, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x70, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x78, ['array', 1, ['unsigned long long']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 
'StackId' : [ 0x20, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 'PCI_FUNCTION_RESOURCES' : [ 0x170, { 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer64', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1811' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_1815' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'NonExtendedPtes' : [ 0xc, ['unsigned long']], 'Spare0' : [ 0x10, ['unsigned long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x20, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x28, ['unsigned long long']], 'ExtendInfo' : [ 0x30, ['pointer64', ['_MMEXTEND_INFO']]], 'SegmentFlags' : [ 0x38, ['_SEGMENT_FLAGS']], 'BasedAddress' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_1811']], 'u2' : [ 0x50, ['__unnamed_1815']], 'PrototypePte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x60, ['array', 1, ['_MMPTE']]], } ], '_PCI_COMMON_EXTENSION' : [ 0x38, { 'Next' : [ 0x0, ['pointer64', ['void']]], 
'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, ['_KEVENT']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], 'StartAddress' : [ 0x28, ['pointer64', ['void']]], 'EndAddress' : [ 0x30, ['pointer64', ['void']]], 'Flags' : [ 0x38, ['unsigned long']], 'Signature' : [ 0x40, ['unsigned long long']], 'PoolPageHeaders' : [ 0x50, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x60, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x70, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x74, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x78, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x7c, ['unsigned long']], 'PagedBytes' : [ 0x80, ['unsigned long long']], 'NonPagedBytes' : [ 0x88, ['unsigned long long']], 'PeakPagedBytes' : [ 0x90, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x98, ['unsigned long long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x60, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned 
long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x28, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x20, ['pointer64', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned 
char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x50, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_MMVIEW' : [ 0x10, { 'Entry' : [ 0x0, ['unsigned long long']], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], 'PCI_SECONDARY_EXTENSION' : [ 0x18, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 
'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x10, ['pointer64', ['void']]], } ], '__unnamed_1842' : [ 0x30, { 'type0' : [ 0x0, ['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_1842']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 
'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'Spare1' : [ 0x33, ['unsigned char']], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'Reserved' : [ 0x3c, ['array', 1, ['unsigned long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_KNODE' : [ 0x40, { 'DeadStackList' : [ 0x0, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x10, ['_SLIST_HEADER']], 'Alignment' : [ 0x10, ['unsigned long long']], 'ProcessorMask' : [ 0x18, ['unsigned long long']], 'Color' : [ 0x20, ['unsigned char']], 'Seed' : [ 0x21, ['unsigned char']], 'NodeNumber' : [ 0x22, ['unsigned char']], 'Flags' : [ 0x23, ['_flags']], 'MmShiftedColor' : [ 0x24, ['unsigned long']], 'FreeCount' : [ 0x28, ['array', 2, ['unsigned long long']]], 'PfnDeferredList' : [ 0x38, ['pointer64', ['_SLIST_ENTRY']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_SEGMENT_FLAGS' : [ 0x8, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], 
'_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_VI_DEADLOCK_THREAD' : [ 0x30, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 
'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x28, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'MinSize' : [ 0x8, ['unsigned short']], 'MinVersion' : [ 0xa, ['unsigned short']], 'MaxVersion' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'ReferenceCount' : [ 0x10, ['long']], 'Signature' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x18, ['pointer64', ['void']]], 'Initializer' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_POWER_ACTION' : [ 0x50, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 
'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x28, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x30, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'LastWakeState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x30, { 'u1' : [ 0x0, 
['__unnamed_1180']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_1183']], } ], '__unnamed_188b' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_188b']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x88, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : 
[ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' 
: [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_ARBITER_INSTANCE' : [ 0x138, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x18, ['long']], 'Allocation' : [ 0x20, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x30, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x40, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x50, ['long']], 'Interface' : [ 0x58, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x60, ['unsigned long']], 'AllocationStack' : [ 0x68, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x70, ['pointer64', ['void']]], 'PackResource' : [ 0x78, 
['pointer64', ['void']]], 'UnpackResource' : [ 0x80, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x88, ['pointer64', ['void']]], 'TestAllocation' : [ 0x90, ['pointer64', ['void']]], 'RetestAllocation' : [ 0x98, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa0, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xa8, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb0, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xb8, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc0, ['pointer64', ['void']]], 'AddReserved' : [ 0xc8, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd0, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xd8, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe0, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xe8, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf0, ['pointer64', ['void']]], 'AddAllocation' : [ 0xf8, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x100, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x108, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x110, ['unsigned char']], 'Extension' : [ 0x118, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x120, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x128, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x130, ['pointer64', ['void']]], } ], '_BUS_HANDLER' : [ 0xb8, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 
'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x18, ['pointer64', ['_BUS_HANDLER']]], 'BusData' : [ 0x20, ['pointer64', ['void']]], 'DeviceControlExtensionSize' : [ 0x28, ['unsigned long']], 'BusAddresses' : [ 0x30, ['pointer64', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x38, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x48, ['pointer64', ['void']]], 'SetBusData' : [ 0x50, ['pointer64', ['void']]], 'AdjustResourceList' : [ 0x58, ['pointer64', ['void']]], 'AssignSlotResources' : [ 0x60, ['pointer64', ['void']]], 'GetInterruptVector' : [ 0x68, ['pointer64', ['void']]], 'TranslateBusAddress' : [ 0x70, ['pointer64', ['void']]], 'Spare1' : [ 0x78, ['pointer64', ['void']]], 'Spare2' : [ 0x80, ['pointer64', ['void']]], 'Spare3' : [ 0x88, ['pointer64', ['void']]], 'Spare4' : [ 0x90, ['pointer64', ['void']]], 'Spare5' : [ 0x98, ['pointer64', ['void']]], 'Spare6' : [ 0xa0, ['pointer64', ['void']]], 'Spare7' : [ 0xa8, ['pointer64', ['void']]], 'Spare8' : [ 0xb0, ['pointer64', ['void']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x10, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'DispatchFunction' : [ 0x8, ['pointer64', 
['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0xba8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x20, ['unsigned long long']], 'Thread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x448, ['long']], 'FailedDevice' : [ 0x450, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x458, ['unsigned char']], 'Cancelled' : [ 0x459, ['unsigned char']], 'IgnoreErrors' : [ 0x45a, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x45b, ['unsigned char']], 'WaitAny' : [ 0x45c, ['unsigned char']], 'WaitAll' : [ 0x45d, ['unsigned char']], 'PresentIrpQueue' : [ 0x460, ['_LIST_ENTRY']], 'Head' : [ 0x470, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x4c8, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_MMWSLE_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 
'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['unsigned short']]], } ], '_CM_KEY_BODY' : [ 0x30, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, 
['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x50, { 'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWakeLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemStateMapping' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x30, ['pointer64', ['_IRP']]], 'SavedCancelRoutine' : [ 0x38, ['pointer64', ['void']]], 'Paging' : [ 0x40, ['long']], 'Hibernate' : [ 0x44, ['long']], 'CrashDump' : [ 0x48, ['long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' 
: [ 0x10, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_1930' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1934' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1938' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_193a' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_193e' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 
'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1940' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_1942' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 
'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], } ], '__unnamed_1944' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 
'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1946' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1948' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_194c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_194e' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1950' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1952' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1954' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1956' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 
0x8, ['pointer64', ['void']]], } ], '__unnamed_1958' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_195c' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1960' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1964' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_1966' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_196a' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_196c' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_196e' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_1970' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1974' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1978' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_197c' : [ 0x10, { 'InPath' : [ 
0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_197e' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1982' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1986' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1988' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_198a' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_198c' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_198e' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1930']], 'CreatePipe' : [ 0x0, ['__unnamed_1934']], 'CreateMailslot' : [ 0x0, ['__unnamed_1938']], 'Read' : 
[ 0x0, ['__unnamed_193a']], 'Write' : [ 0x0, ['__unnamed_193a']], 'QueryDirectory' : [ 0x0, ['__unnamed_193e']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1940']], 'QueryFile' : [ 0x0, ['__unnamed_1942']], 'SetFile' : [ 0x0, ['__unnamed_1944']], 'QueryEa' : [ 0x0, ['__unnamed_1946']], 'SetEa' : [ 0x0, ['__unnamed_1948']], 'QueryVolume' : [ 0x0, ['__unnamed_194c']], 'SetVolume' : [ 0x0, ['__unnamed_194c']], 'FileSystemControl' : [ 0x0, ['__unnamed_194e']], 'LockControl' : [ 0x0, ['__unnamed_1950']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1952']], 'QuerySecurity' : [ 0x0, ['__unnamed_1954']], 'SetSecurity' : [ 0x0, ['__unnamed_1956']], 'MountVolume' : [ 0x0, ['__unnamed_1958']], 'VerifyVolume' : [ 0x0, ['__unnamed_1958']], 'Scsi' : [ 0x0, ['__unnamed_195c']], 'QueryQuota' : [ 0x0, ['__unnamed_1960']], 'SetQuota' : [ 0x0, ['__unnamed_1948']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1964']], 'QueryInterface' : [ 0x0, ['__unnamed_1966']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_196a']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_196c']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_196e']], 'SetLock' : [ 0x0, ['__unnamed_1970']], 'QueryId' : [ 0x0, ['__unnamed_1974']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1978']], 'UsageNotification' : [ 0x0, ['__unnamed_197c']], 'WaitWake' : [ 0x0, ['__unnamed_197e']], 'PowerSequence' : [ 0x0, ['__unnamed_1982']], 'Power' : [ 0x0, ['__unnamed_1986']], 'StartDevice' : [ 0x0, ['__unnamed_1988']], 'WMI' : [ 0x0, ['__unnamed_198a']], 'Others' : [ 0x0, ['__unnamed_198c']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_198e']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } 
], '__unnamed_1995' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1997' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], } ], '__unnamed_1999' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_199b' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_199d' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_199f' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1995']], 'Memory' : [ 0x0, ['__unnamed_1995']], 'Interrupt' : [ 0x0, ['__unnamed_1997']], 'Dma' : [ 0x0, ['__unnamed_1999']], 'Generic' : [ 0x0, ['__unnamed_1995']], 'DevicePrivate' : [ 0x0, ['__unnamed_16dc']], 'BusNumber' : [ 0x0, ['__unnamed_199b']], 'ConfigData' : [ 0x0, ['__unnamed_199d']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_199f']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '__unnamed_19a8' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_19aa' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19a8']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_19ac' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_19ae' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_19ac']], 'ZeroInit' : [ 0x0, ['unsigned 
long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_19aa']], 'u2' : [ 0x4, ['__unnamed_19ae']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, 
['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0x150, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['unsigned long long']], 'MapFrozen' : [ 0x18, ['unsigned char']], 'MemoryMap' : [ 0x20, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x30, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x40, ['unsigned long']], 'NextCloneRange' : [ 0x48, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x50, ['unsigned long long']], 'LoaderMdl' : [ 0x58, ['pointer64', ['_MDL']]], 'Clones' : [ 0x60, ['pointer64', ['_MDL']]], 'NextClone' : [ 0x68, ['pointer64', ['unsigned char']]], 'NoClones' : [ 0x70, ['unsigned long long']], 'Spares' : [ 0x78, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x80, ['unsigned long long']], 'IoPage' : [ 0x88, ['pointer64', ['void']]], 'CurrentMcb' : [ 0x90, ['pointer64', ['void']]], 'DumpStack' : [ 0x98, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xa0, ['pointer64', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0xa8, ['unsigned long']], 'HiberVa' : [ 0xb0, ['unsigned long long']], 'HiberPte' : [ 0xb8, ['_LARGE_INTEGER']], 'Status' : [ 0xc0, ['long']], 'MemoryImage' : [ 0xc8, ['pointer64', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0xd0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 
'CompressionWorkspace' : [ 0xd8, ['pointer64', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0xe0, ['pointer64', ['unsigned char']]], 'PerformanceStats' : [ 0xe8, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xf0, ['pointer64', ['void']]], 'DmaIO' : [ 0xf8, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0x100, ['pointer64', ['void']]], 'PerfInfo' : [ 0x108, ['_PO_HIBER_PERF']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x10, { 'StartVpn' : [ 0x0, ['unsigned long long']], 'EndVpn' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x28, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x8, ['unsigned long long']], 'Parameter2' : [ 0x10, ['unsigned long long']], 'Parameter3' : [ 0x18, ['unsigned long long']], 'Parameter4' : [ 0x20, ['unsigned long long']], } ], '__unnamed_19e9' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, 
native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_19eb' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_19e9']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_19eb']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_SUPPORTED_RANGES' : [ 0xc0, { 'Version' : [ 0x0, ['unsigned short']], 'Sorted' : [ 0x2, 
['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x30, ['unsigned long']], 'Memory' : [ 0x38, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x60, ['unsigned long']], 'PrefetchMemory' : [ 0x68, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x90, ['unsigned long']], 'Dma' : [ 0x98, ['_SUPPORTED_RANGE']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_PM_SUPPORT' : [ 
0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_1a1a' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_1a1c' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '__unnamed_1a20' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_1a22' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_1a24' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_1a26' : [ 0x20, { 'TestAllocation' : [ 0x0, ['__unnamed_1a1a']], 'RetestAllocation' : [ 0x0, ['__unnamed_1a1a']], 'BootAllocation' : [ 0x0, ['__unnamed_1a1c']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_1a20']], 'QueryConflict' : [ 0x0, ['__unnamed_1a22']], 'QueryArbitrate' : [ 0x0, ['__unnamed_1a1c']], 'AddReserved' : [ 0x0, ['__unnamed_1a24']], } ], 
'_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_1a26']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xc0, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'ImageType' : [ 0x1c, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'TotalPages' : [ 0x60, ['unsigned long long']], 'FirstTablePage' : [ 0x68, ['unsigned long long']], 'LastFilePage' : [ 0x70, ['unsigned long long']], 'PerfInfo' : [ 0x78, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 
0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 
'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_VI_POOL_PAGE_HEADER' 
: [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Spare' : [ 0x28, ['array', 2, ['unsigned long']]], } ], '__unnamed_1a48' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a4a' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a4c' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a4e' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a50' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1a52' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1a54' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a56' : [ 0x10, { 
'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1a58' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a5a' : [ 0x18, { 'DeviceClass' : [ 0x0, ['__unnamed_1a48']], 'TargetDevice' : [ 0x0, ['__unnamed_1a4a']], 'InstallDevice' : [ 0x0, ['__unnamed_1a4c']], 'CustomNotification' : [ 0x0, ['__unnamed_1a4e']], 'ProfileNotification' : [ 0x0, ['__unnamed_1a50']], 'PowerNotification' : [ 0x0, ['__unnamed_1a52']], 'VetoNotification' : [ 0x0, ['__unnamed_1a54']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1a56']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1a58']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x48, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_1a5a']], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_1a71' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_1a73' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_1a75' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_1a71']], 'Gpt' : [ 0x0, ['__unnamed_1a73']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 
'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_1a75']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, 
{ 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, ['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x410, { 'DevNodeSequence' : [ 0x0, ['unsigned long']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x20, { 
'PageNo' : [ 0x0, ['unsigned long long']], 'StartPage' : [ 0x8, ['unsigned long long']], 'EndPage' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x80, { 'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x18, ['unsigned long']], 'ActiveCount' : [ 0x1c, ['unsigned long']], 'WaitSleep' : [ 0x20, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x30, ['_LIST_ENTRY']], 'Pending' : [ 0x40, ['_LIST_ENTRY']], 'Complete' : [ 0x50, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x60, ['_LIST_ENTRY']], 'WaitS0' : [ 0x70, ['_LIST_ENTRY']], } ], '__unnamed_1aa5' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], '_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' : [ 0xc, ['array', 4, ['__unnamed_1aa5']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 
'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x18, { 'Next' : [ 0x0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x8, ['unsigned long long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'EntryCount' : [ 0x14, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 
'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_POP_DEVICE_POWER_IRP' : [ 0x58, { 'Free' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer64', ['_IRP']]], 'Notify' : [ 0x10, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0x18, ['_LIST_ENTRY']], 'Complete' : [ 0x28, ['_LIST_ENTRY']], 'Abort' : [ 0x38, ['_LIST_ENTRY']], 'Failed' : [ 0x48, ['_LIST_ENTRY']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 
'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 'PrefetchBaseUpper32' : [ 0x18, ['unsigned long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 
'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_SUPPORTED_RANGE' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x8, ['unsigned long']], 'SystemBase' : [ 0x10, ['long long']], 'Base' : [ 0x18, ['long long']], 'Limit' : [ 0x20, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 
'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 
'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x28, ['array', 3, ['unsigned long']]], } ], '__unnamed_1b2b' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_1b2d' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_1b31' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1b33' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1b2b']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1b2d']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1b31']], 'Others' : [ 0x0, ['__unnamed_1b33']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_FILE_STANDARD_INFORMATION' 
: [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/windows.py0000644000000000000000000013553713131215405026436 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # Copyright (c) 2008 Brendan Dolan-Gavitt # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

import datetime, struct, calendar
import volatility.plugins.overlays.basic as basic
import volatility.plugins.kpcrscan as kpcr
import volatility.plugins.kdbgscan as kdbg
import volatility.timefmt as timefmt
import volatility.debug as debug
import volatility.obj as obj
import volatility.addrspace as addrspace
import volatility.exceptions as exceptions
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.constants as constants
import volatility.plugins.vadinfo as vadinfo
import volatility.win32.hive as hivemod

# Standard vtypes are usually autogenerated by scanning through header
# files, collecting debugging symbol data etc. This file defines
# fixups and improvements to the standard types.
#
# Every entry has the shape
#     'STRUCT_NAME' : [ size, { 'member' : [ offset, [type, args...] ] } ]
# Most sizes and offsets below are None; presumably None keeps the value
# from the autogenerated vtype and only the member type is replaced --
# TODO confirm against the code that merges overlays.
#
# NOTE(review): several members take their array or string length from a
# lambda over a sibling field (NameLength, Count, NumberOfRuns,
# UserAndGroupCount, SubAuthorityCount). Those fields are read from the
# memory image under analysis and no upper bound is applied in this
# table, so a corrupted or deliberately crafted image decides how many
# elements get instantiated. Confirm that the 'array' / 'String' types
# or the calling plugins clamp these values.
windows_overlay = {
    'VOLATILITY_MAGIC' : [None, {
    # Profile specific values
    'DTBSignature' : [ 0x0, ['VolatilityMagic', dict(value = "Volatility DTBSignature unspecified")]],
    'KUSER_SHARED_DATA' : [ 0x0, ['VolatilityMagic', dict(value = 0xFFDF0000)]],
    'KDBGHeader' : [ 0x0, ['VolatilityMagic', dict(value = 'Volatility KDBGHeader unspecified')]],
    # Configuration options
    'DTB' : [ 0x0, ['VolatilityDTB', dict(configname = "DTB")]],
    'KPCR' : [ 0x0, ['VolatilityMagic', dict(value = 0xffdff000, configname = "KPCR")]],
    'KDBG' : [ 0x0, ['VolatilityKDBG', dict(configname = "KDBG")]],
    'IA32ValidAS': [ 0x0, ['VolatilityIA32ValidAS']],
    'AMD64ValidAS': [ 0x0, ['VolatilityAMD64ValidAS']],
    # Pool allocations are aligned to this many bytes.
    'PoolAlignment': [0x0, ['VolatilityMagic', dict(value = 8)]],
    #hibrfil.sys values
    'HibrProcPage': [0x0, ['VolatilityMagic', dict(value = 0x0)]],
    'HibrEntryCount': [0x0, ['VolatilityMagic', dict(value = 0x0)]],
    # Compared against a VAD's CommitCharge in _EPROCESS.get_vads().
    'MM_MAX_COMMIT': [ 0x0, ['VolatilityMagic', dict(value = 0x7ffffffffffff)]],
    'PolicyKey': [0x0, ['VolatilityMagic', dict(value = "PolSecretEncryptionKey")]],
    }],

    # Process and thread timestamps are exposed as UTC WinTimeStamp objects;
    # the two process IDs are narrowed to 'unsigned int'.
    '_EPROCESS' : [ None, {
    'CreateTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    'ExitTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    'InheritedFromUniqueProcessId' : [ None, ['unsigned int']],
    # Fixed 16-byte field, so long image names appear truncated.
    'ImageFileName' : [ None, ['String', dict(length = 16)]],
    'UniqueProcessId' : [ None, ['unsigned int']],
    }],

    '_ETHREAD' : [ None, {
    'CreateTime' : [ None, ['ThreadCreateTimeStamp', dict(is_utc = True)]],
    'ExitTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    }],

    '_OBJECT_SYMBOLIC_LINK' : [ None, {
    'CreationTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    }],

    '_KUSER_SHARED_DATA' : [ None, {
    'SystemTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    # No is_utc here, so WinTimeStamp falls back to its default (False).
    'TimeZoneBias' : [ None, ['WinTimeStamp', {}]],
    }],

    # The DTB is really an array of 2 ULONG_PTR but we only need the first one
    # which is the value loaded into CR3. The second one, according to procobj.c
    # of the wrk-v1.2, contains the PTE that maps something called hyper space.
    '_KPROCESS' : [ None, {
    'DirectoryTableBase' : [ None, ['unsigned long']],
    }],

    '_IMAGE_SECTION_HEADER' : [ None, {
    'Name' : [ 0x0, ['String', dict(length = 8)]],
    }],

    '_IMAGE_FILE_HEADER': [ None, {
    'TimeDateStamp' : [None, ['UnixTimeStamp', dict(is_utc = True)]],
    }],

    '_LDR_DATA_TABLE_ENTRY': [ None, {
    'TimeDateStamp' : [None, ['UnixTimeStamp', dict(is_utc = True)]],
    }],

    '_DBGKD_GET_VERSION64' : [ None, {
    'DebuggerDataList' : [ None, ['pointer', ['unsigned long']]],
    }],

    # Registry cells. Name lengths and list counts below come from the
    # hive data itself (see the NOTE(review) above this table).
    '_CM_KEY_NODE' : [ None, {
    'Signature' : [ None, ['String', dict(length = 2)]],
    'LastWriteTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    'Name' : [ None, ['String', dict(length = lambda x: x.NameLength)]],
    'Parent': [ None, ['pointer32', ['_CM_KEY_NODE']]],
    }],

    '_CM_NAME_CONTROL_BLOCK' : [ None, {
    'Name' : [ None, ['String', dict(length = lambda x: x.NameLength)]],
    }],

    '_CHILD_LIST' : [ None, {
    'List' : [ None, ['pointer32', ['array', lambda x: x.Count, ['pointer32', ['_CM_KEY_VALUE']]]]],
    }],

    '_CM_KEY_VALUE' : [ None, {
    'Signature' : [ None, ['String', dict(length = 2)]],
    'Name' : [ None, ['String', dict(length = lambda x: x.NameLength)]],
    }],

    '_CM_KEY_INDEX' : [ None, {
    'Signature' : [ None, ['String', dict(length = 2)]],
    # The array is sized at twice Count; the reason is not visible in
    # this file -- NOTE(review): confirm against the hive parsing code.
    'List' : [ None, ['array', lambda x: x.Count.v() * 2, ['pointer32', ['_CM_KEY_NODE']]]],
    }],

    'PO_MEMORY_IMAGE' : [ None, {
    'Signature': [ None, ['String', dict(length = 4)]],
    'SystemTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    }],

    '_PHYSICAL_MEMORY_DESCRIPTOR' : [ None, {
    'Run' : [ None, ['array', lambda x: x.NumberOfRuns, ['_PHYSICAL_MEMORY_RUN']]],
    }],

    '_TOKEN' : [ None, {
    'UserAndGroups' : [ None, ['pointer', ['array', lambda x: x.UserAndGroupCount, ['_SID_AND_ATTRIBUTES']]]],
    }],

    '_SID' : [ None, {
    'SubAuthority' : [ None, ['array', lambda x: x.SubAuthorityCount, ['unsigned long']]],
    }],

    '_CLIENT_ID': [ None, {
    'UniqueProcess' : [ None, ['unsigned int']],
    'UniqueThread' : [ None, ['unsigned int']],
    }],
}

class ExecutiveObjectMixin(object):
    """A mixin for
executive objects to allow easy derivation of the object's _OBJECT_HEADER struct """

    def get_object_header(self):
        """Return the _OBJECT_HEADER that precedes this object.

        The header is located by subtracting the profile's offset of the
        header's "Body" member from this object's own offset, in the same
        address space as the object.
        """
        return obj.Object("_OBJECT_HEADER", vm = self.obj_vm,
                        offset = self.obj_offset -
                        self.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body"),
                        native_vm = self.obj_native_vm)

class _UNICODE_STRING(obj.CType):
    """Class representing a _UNICODE_STRING

    Adds the following behavior:
      * The Buffer attribute is presented as a Python string rather
        than a pointer to an unsigned short.
      * The __str__ method returns the value of the Buffer.

    Length is read from the memory image, so it is treated as untrusted:
    values outside 1..1024 are rejected in dereference() and __nonzero__().
    """
    def v(self):
        """
        If the claimed length of the string is acceptable, return a unicode string.
        Otherwise, return a NoneObject.
        """
        data = self.dereference()
        if data:
            return unicode(data)
        # Falsy result from dereference() (e.g. the NoneObject for an
        # out-of-bounds Length) is handed back unchanged.
        return data

    def dereference(self):
        """Read Buffer as a utf16 'String' of Length, or return a NoneObject.

        A Length of zero or above 1024 is refused, so an implausible value
        in the image cannot drive an oversized read.
        """
        length = self.Length.v()
        if length > 0 and length <= 1024:
            data = self.Buffer.dereference_as('String', encoding = 'utf16', length = length)
            return data
        else:
            return obj.NoneObject("Buffer length {0} for _UNICODE_STRING not within bounds".format(length))

    def proxied(self, _name):
        """Return str(self); the _name argument is not used."""
        return str(self)

    def __nonzero__(self):
        ## Unicode strings are valid if they point at a valid memory
        ## (same 1..1024 Length bound as dereference())
        return bool(self.Buffer and self.Length.v() > 0 and self.Length.v() <= 1024)

    def __format__(self, formatspec):
        """Format the value returned by v() with formatspec."""
        return format(self.v(), formatspec)

    def __str__(self):
        # NOTE(review): this calls .encode() on whatever v() returns, which
        # is a NoneObject when Length is out of bounds -- confirm that
        # NoneObject tolerates the call.
        return str(self.v().encode("utf8", "ignore"))

    def __unicode__(self):
        return unicode(self.dereference())

    def __len__(self):
        """Length of the dereferenced string object (not the raw Length field)."""
        return len(self.dereference())

class _LIST_ENTRY(obj.CType):
    """ Adds iterators for _LIST_ENTRY types """
    def list_of_type(self, type, member, forward = True, head_sentinel = True):
        """Generate the objects of `type` linked through this list entry.

        @param type: name of the structure that embeds the list entry.
        @param member: name of the _LIST_ENTRY member inside `type`.
        @param forward: follow Flink when true, Blink otherwise.
        @param head_sentinel: when true this entry is treated as the list
            head: its offset is pre-marked as seen, so it is never yielded
            and the walk stops on returning to it.

        Every visited link offset is recorded in `seen`, so a circular or
        corrupted chain ends the walk instead of looping forever. Only the
        link (`nxt`) is checked with is_valid(); the yielded object is not.
        """
        if not self.is_valid():
            return

        ## Get the first element
        if forward:
            nxt = self.Flink.dereference()
        else:
            nxt = self.Blink.dereference()

        # Offset of the embedded list entry inside the containing structure
        offset = self.obj_vm.profile.get_obj_offset(type, member)

        seen = set()
        if head_sentinel:
            # We're a header element and not to be included in the list
            seen.add(self.obj_offset)

        while nxt.is_valid() and nxt.obj_offset not in seen:

            ## Instantiate the object
            item = obj.Object(type, offset = nxt.obj_offset - offset,
                                    vm = self.obj_vm,
                                    parent = self.obj_parent,
                                    native_vm = self.obj_native_vm,
                                    name = type)

            seen.add(nxt.obj_offset)

            yield item

            if forward:
                nxt = item.m(member).Flink.dereference()
            else:
                nxt = item.m(member).Blink.dereference()

    def __nonzero__(self):
        ## Truthy when either Flink or Blink is set. (The comment here used
        ## to say "both", but the expression is an `or`.)
        return bool(self.Flink) or bool(self.Blink)

    def __iter__(self):
        """Iterate with list_of_type() using the parent's type name and this member's name."""
        return self.list_of_type(self.obj_parent.obj_name, self.obj_name)

class WinTimeStamp(obj.NativeType):
    """Class for handling Windows Time Stamps"""

    def __init__(self, theType, offset, vm, is_utc = False, **kwargs):
        # is_utc decides whether as_datetime() attaches a UTC tzinfo
        self.is_utc = is_utc
        obj.NativeType.__init__(self, theType, offset, vm, format_string = "q", **kwargs)

    def windows_to_unix_time(self, windows_time):
        """
        Converts Windows 64-bit time to UNIX time

        @type  windows_time:  Integer
        @param windows_time:  Windows time to convert (64-bit number)

        @rtype  Integer
        @return  UNIX time

        None, zero and any value that would land before the UNIX epoch
        all come back as 0.
        """
        # NOTE(review): `== None` rather than `is None` -- presumably so that
        # a NoneObject from a failed read also takes this branch; confirm
        # before "modernising" the comparison.
        if windows_time == None or windows_time == 0:
            unix_time = 0
        else:
            # The constants match the usual FILETIME conversion: 10000000
            # 100 ns ticks per second, and 11644473600 seconds between
            # 1601-01-01 and 1970-01-01. Integer division under Python 2
            # when windows_time is an int.
            unix_time = windows_time / 10000000
            unix_time = unix_time - 11644473600

        if unix_time < 0:
            unix_time = 0

        return unix_time

    def as_windows_timestamp(self):
        """Return the raw value as read by NativeType, without conversion."""
        return obj.NativeType.v(self)

    def v(self):
        """Return the timestamp converted to UNIX time."""
        value = self.as_windows_timestamp()
        return self.windows_to_unix_time(value)

    def __nonzero__(self):
        return self.v() != 0

    def __str__(self):
        # Goes through __format__() below
        return "{0}".format(self)

    def as_datetime(self):
        """Return a datetime for this timestamp, or a NoneObject on ValueError."""
        try:
            dt = datetime.datetime.utcfromtimestamp(self.v())
            if self.is_utc:
                # Only do dt.replace when dealing with UTC
                dt = dt.replace(tzinfo = timefmt.UTC())
        except ValueError, e:
            return obj.NoneObject("Datetime conversion failure: " + str(e))
        return dt

    def __format__(self, formatspec):
        """Formats the datetime according to the timefmt module"""
        dt = self.as_datetime()
        # `!= None` is kept as written; see the note in windows_to_unix_time()
        if dt != None:
            return format(timefmt.display_datetime(dt), formatspec)
        return "-"

class DosDate(obj.NativeType):
    def __init__(self, theType, offset, vm, is_utc = False, **kwargs):
        self.is_utc = is_utc
obj.NativeType.__init__(self, theType, offset, vm, format_string = "H", ''.join([chr(x) for x in [(dosdate >> 8) & 0xff, (dosdate & 0xff)]]))[0] time = struct.unpack(">H", ''.join([chr(x) for x in [(dosdate >> 24) & 0xff, (dosdate >> 16) & 0xff]]))[0] seconds = (time & 0x1F) * 2 minutes = (time & 0x7E0) >> 5 hours = (time & 0xF800) >> 11 day = date & 0x1F month = (date & 0x1E0) >> 5 year = ((date & 0xFE00) >> 9) + 1980 #convert into timestamp and return: try: return calendar.timegm(datetime.datetime(year, month, day, hours, minutes, seconds).utctimetuple()) except ValueError: return 0 # if we use the following we need to s/utcfromtimestamp/fromtimestamp/ in as_datetime() function: #return time.mktime(datetime.datetime(year, month, day, hours, minutes, seconds).timetuple()) class _EPROCESS(obj.CType, ExecutiveObjectMixin): """ An extensive _EPROCESS with bells and whistles """ @property def Peb(self): """ Returns a _PEB object which is using the process address space. The PEB structure is referencing back into the process address space so we need to switch address spaces when we look at it. This method ensure this happens automatically. 
""" process_ad = self.get_process_address_space() if process_ad: offset = self.m("Peb").v() peb = obj.Object("_PEB", offset, vm = process_ad, name = "Peb", parent = self) if peb.is_valid(): return peb return obj.NoneObject("Peb not found") def get_process_address_space(self): """ Gets a process address space for a task given in _EPROCESS """ directory_table_base = self.Pcb.DirectoryTableBase.v() try: process_as = self.obj_vm.__class__(self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base) except AssertionError, _e: return obj.NoneObject("Unable to get process AS") process_as.name = "Process {0}".format(self.UniqueProcessId) return process_as def _get_modules(self, the_list, the_type): """Generator for DLLs in one of the 3 PEB lists""" if self.UniqueProcessId and the_list: for l in the_list.list_of_type("_LDR_DATA_TABLE_ENTRY", the_type): yield l def get_init_modules(self): return self._get_modules(self.Peb.Ldr.InInitializationOrderModuleList, "InInitializationOrderLinks") def get_mem_modules(self): return self._get_modules(self.Peb.Ldr.InMemoryOrderModuleList, "InMemoryOrderLinks") def get_load_modules(self): return self._get_modules(self.Peb.Ldr.InLoadOrderModuleList, "InLoadOrderLinks") def get_token(self): """Return the process's TOKEN object if its valid""" # The dereference checks if the address is valid # and returns obj.NoneObject if it fails token = self.Token.dereference_as("_TOKEN") # This check fails if the above dereference failed # or if any of the _TOKEN specific validity tests failed. 
# (tail of _EPROCESS.get_token; its def line sits on the preceding source line)
        if token.is_valid():
            return token

        return obj.NoneObject("Cannot get process Token")

    @property
    def IsWow64(self):
        """Returns True if this is a wow64 process"""
        # hasattr() covers profiles whose _EPROCESS has no Wow64Process member.
        return hasattr(self, 'Wow64Process') and self.Wow64Process.v() != 0

    @property
    def SessionId(self):
        """Returns the Session ID of the process"""

        if self.Session.is_valid():
            # The session structure is read through the process address
            # space, not through self.obj_vm.
            process_space = self.get_process_address_space()
            if process_space:
                return obj.Object("_MM_SESSION_SPACE",
                                  offset = self.Session,
                                  vm = process_space).SessionId

        return obj.NoneObject("Cannot find process session")

    def get_vads(self, vad_filter = None, skip_max_commit = False):
        """
        Generator for MMVADs that match specific
        metadata.

        @param vad_filter: a callable that is passed the
        current MMVAD and applies tests to the MMVAD struct
        members or nested struct members. A falsy return
        value drops the MMVAD.

        @param skip_max_commit: boolean, if true then VADs
        for Wow64 processes with the MM_MAX_COMMIT flag set
        will not be yielded. VADs whose Length exceeds
        0x7f000000000 are dropped in the same branch.

        @yields a tuple (mmvad, address_space). Where mmvad is
        the MMVAD object in kernel AS and address_space
        is the process address space.
        """

        # We absolutely need a process AS. If this
        # fails then all else fails
        process_space = self.get_process_address_space()
        if not process_space:
            return

        max_commit = obj.VolMagic(process_space).MM_MAX_COMMIT.v()

        for vad in self.VadRoot.traverse():
            # Nodes failing their own validity test are dropped silently;
            # the caller cannot distinguish "no VADs" from "VADs rejected".
            if not vad.is_valid():
                continue

            # Skip Wow64 MM_MAX_COMMIT range
            if skip_max_commit:
                if self.IsWow64 and vad.CommitCharge == max_commit and vad.End > 0x7fffffff:
                    continue
                elif vad.Length > 0x7f000000000: # see issue #70
                    continue

            # Apply the meta filter if one is supplied
            if vad_filter:
                if not vad_filter(vad):
                    continue

            yield vad, process_space

    def search_process_memory(self, s, vad_filter = None):
        """
        Search memory for a simple byte string.

        FIXME: as of 2.3 this parameter can also be a list to
        search for multiple strings concurrently. The
        single string will be deprecated in 3.0.

        @param s: the string to search for.

        @returns every occurrence of the string
        in process memory (as absolute address).
        """

        # Allow for some overlap in case objects are
        # right on page boundaries
        overlap = 1024

        # Make sure s in a list. This allows you to search for
        # multiple strings at once, without changing the API.
        if type(s) != list:
            debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
            s = [s]

        # All MMVADs that belong to this process.
        for vad, address_space in self.get_vads(vad_filter, skip_max_commit = True):
            offset = vad.Start
            out_of_range = vad.Start + vad.Length
            while offset < out_of_range:
                # Read some data and match it.
                to_read = min(constants.SCAN_BLOCKSIZE + overlap, out_of_range - offset)
                data = address_space.zread(offset, to_read)
                # An empty read ends the scan of this VAD only; the outer
                # loop moves on to the next VAD.
                if not data:
                    break
                for x in s:
                    for hit in utils.iterfind(data, x):
                        yield offset + hit
                # The window advances by at most SCAN_BLOCKSIZE while up to
                # `overlap` extra bytes were read.
                # NOTE(review): a match lying wholly inside that overlap
                # appears to be yielded by both windows; callers counting
                # hits may need to de-duplicate.
                offset += min(to_read, constants.SCAN_BLOCKSIZE)

    def _injection_filter(self, vad):
        """
        This is a callback that's executed by get_vads()
        when searching for injected code / hidden DLLs.

        This looks for private allocations that are committed,
        memory-resident, non-empty (not all zeros) and with an
        original protection that includes write and execute.

        It is important to note that protections are applied at
        the allocation granularity (page level). Thus the original
        protection might not be the current protection, and it
        also might not apply to all pages in the VAD range.

        NOTE(review): the body below tests only the protection
        string, the PrivateMemory flag and the tag; the committed /
        resident / non-empty conditions described above are not
        checked in this function.

        @param vad: an MMVAD object.

        @returns: True if the MMVAD looks like it might
        contain injected code.
        """
        # Unknown protection values map to "" and therefore never match.
        protect = vadinfo.PROTECT_FLAGS.get(vad.VadFlags.Protection.v(), "")
        write_exec = "EXECUTE" in protect and "WRITE" in protect

        # The Write/Execute check applies to everything
        if not write_exec:
            return False

        # This is a typical VirtualAlloc'd injection
        if vad.VadFlags.PrivateMemory == 1 and vad.Tag == "VadS":
            return True

        # This is a stuxnet-style injection
        if (vad.VadFlags.PrivateMemory == 0 and
                protect != "PAGE_EXECUTE_WRITECOPY"):
            return True

        return False

    def _mapped_file_filter(self, vad):
        """
        This is a callback that's executed by get_vads()
        when searching for memory-mapped files.

        @param vad: an MMVAD object.

        @returns: True if the MMVAD looks like it might
        contain a mapped file. Because of the `and`, the truthy
        result is the ControlArea object itself, not a bool.
        """

        return vad.VadFlags.PrivateMemory == 0 and vad.ControlArea

    def environment_variables(self):
        """Generator for environment variables.

        The PEB points to our env block - a series of null-terminated
        unicode strings. Each string cannot be more than 0x7FFF chars.
        End of the list is a quad-null.

        Yields the result of splitting each string on "=", and only
        for strings holding exactly one "=".
        """

        # Address of the environment block
        if not self.Peb.ProcessParameters.Environment.is_valid():
            return

        process_space = self.get_process_address_space()
        if not process_space:
            return

        block = self.Peb.ProcessParameters.Environment

        s = obj.Object("String", offset = block,
                        vm = process_space,
                        encoding = 'utf16',
                        length = 0x7FFF)

        # The terminator is a quad null
        # NOTE(review): the loop stops only on an empty string and has no
        # iteration cap, so a damaged or tampered block without a
        # terminator keeps it walking forward - confirm whether a bound
        # is wanted.
        while len(s):
            if s.count(u"=") == 1:
                yield s.split(u"=")

            # Scan forward the length of this string plus the null
            next_offset = s.obj_offset + ((len(s) + 1) * 2)

            s = obj.Object("String", offset = next_offset,
                            vm = process_space,
                            encoding = 'utf16',
                            length = 0x7FFF)

    def is_valid(self):
        """Sanity-check this _EPROCESS: the base CType test, a non-zero
        DirectoryTableBase that is a multiple of 0x20, and thread list
        links that are not below 0x80000000."""

        if not obj.CType.is_valid(self):
            return False

        if (self.Pcb.DirectoryTableBase == 0):
            return False

        if (self.Pcb.DirectoryTableBase % 0x20 != 0):
            return False

        list_head = self.ThreadListHead
        # presumably the lowest address treated as kernel space - TODO confirm
        kernel = 0x80000000

        if (list_head.Flink < kernel) or (list_head.Blink < kernel):
            return False

        return True

class _TOKEN(obj.CType):
    """A class for Tokens"""

    def is_valid(self):
# (body of _TOKEN.is_valid; its def line sits on the preceding source line)
        """Override BaseObject.is_valid with some additional
        checks specific to _TOKEN objects."""
        # NOTE(review): tokens whose SessionId is 10 or more are rejected
        # here; on a host with many sessions that could hide legitimate
        # tokens - confirm the threshold.
        return obj.CType.is_valid(self) and self.TokenInUse in (0, 1) and self.SessionId < 10

    def get_sids(self):
        """Generator for process SID strings"""
        # The count is used only as a plausibility limit; iteration itself
        # is driven by the dereferenced UserAndGroups array.
        if self.UserAndGroupCount < 0xFFFF:
            for sa in self.UserAndGroups.dereference():
                sid = sa.Sid.dereference_as('_SID')
                id_auth = ""
                # Only the last element of IdentifierAuthority.Value survives
                # this loop; earlier elements are overwritten.
                for i in sid.IdentifierAuthority.Value:
                    id_auth = i
                yield "S-" + "-".join(str(i) for i in (sid.Revision, id_auth) +
                                      tuple(sid.SubAuthority))

    def privileges(self):
        """Generator for privileges.

        @yields a tuple (value, present, enabled, default).

        We only yield 'present' here for consistency with
        the Vista+ privileges() generator. In the XP/2003
        case, values will never be reported unless they're
        present (thus we hard-code it to True) but Vista+
        can be optional due to DKOM.
        """

        # The max size check originates from code seen in the
        # DisplayPrivileges function of windbg's exts.dll
        if self.PrivilegeCount < 1024:
            # This is a pointer to an array of _LUID_AND_ATTRIBUTES
            for luid in self.Privileges.dereference():
                # The Attributes member is a flag
                # bit 1 (value 2) -> enabled, bit 0 (value 1) -> default
                enabled = luid.Attributes & 2 != 0
                default = luid.Attributes & 1 != 0
                yield luid.Luid.LowPart, True, enabled, default

class _OBJECT_TYPE(obj.CType, ExecutiveObjectMixin):
    pass

class _ETHREAD(obj.CType, ExecutiveObjectMixin):
    """ A class for threads """

    def owning_process(self):
        """Return the EPROCESS that owns this thread"""
        return self.ThreadsProcess.dereference()

    def attached_process(self):
        """Return the EPROCESS that this thread is currently
        attached to."""
        return self.Tcb.ApcState.Process.dereference_as("_EPROCESS")

    def is_valid(self):
        """Sanity-check this _ETHREAD: the base CType test, a start
        address when a process id is set, and semaphore header values."""
        if not obj.CType.is_valid(self):
            return False

        ## check the start address
        if self.Cid.UniqueProcess.v() != 0 and self.StartAddress == 0:
            return False

        # win8 _KTHREAD doesn't have this member
        # NOTE(review): both semaphore tests join Size and Type with `and`,
        # so a header is rejected only when BOTH differ from 0x05; a header
        # with a single wrong field passes. Confirm that is intended.
        if (hasattr(self.Tcb, 'SuspendSemaphore') and
                self.Tcb.SuspendSemaphore.Header.Size != 0x05 and
                self.Tcb.SuspendSemaphore.Header.Type != 0x05):
            return False

        if (self.KeyedWaitSemaphore.Header.Size != 0x05 and
                self.KeyedWaitSemaphore.Header.Type != 0x05):
            return False

        return True

class _HANDLE_TABLE(obj.CType):
    """ A class for _HANDLE_TABLE.

    This used to be a member of _EPROCESS but it was isolated per issue
    91 so that it could be subclassed and used to service other handle
    tables, such as the _KDDEBUGGER_DATA64.PspCidTable.
    """

    def get_item(self, entry, handle_value = 0):
        """Returns the OBJECT_HEADER of the associated handle. The parent
        is the _HANDLE_TABLE_ENTRY so that an object can be linked to its
        GrantedAccess.
        """
        return entry.Object.dereference_as("_OBJECT_HEADER", parent = entry, handle_value = handle_value)

    def _make_handle_array(self, offset, level, depth = 0):
        """ Returns an array of _HANDLE_TABLE_ENTRY rooted at offset,
        and iterates over them.

        @param offset: address of the table page to read.
        @param level: remaining indirection levels; 0 means the page
        holds _HANDLE_TABLE_ENTRY items, anything higher means it holds
        addresses of lower-level pages.
        @param depth: index of the current bottom-level page, used to
        derive handle values.
        """

        # The counts below are calculated by taking the size of a page and dividing
        # by the size of the data type contained within the page. For more information
        # see http://blogs.technet.com/b/markrussinovich/archive/2009/09/29/3283844.aspx
        # (`/` on two ints: this file is Python 2, so the result is an int.)
        if level > 0:
            count = 0x1000 / self.obj_vm.profile.get_obj_size("address")
            targetType = "address"
        else:
            count = 0x1000 / self.obj_vm.profile.get_obj_size("_HANDLE_TABLE_ENTRY")
            targetType = "_HANDLE_TABLE_ENTRY"

        table = obj.Object("Array", offset = offset, vm = self.obj_vm, count = count,
                           targetType = targetType, parent = self, native_vm = self.obj_native_vm)

        if table:
            for entry in table:
                # The first invalid entry ends the walk of this page.
                if not entry.is_valid():
                    break

                if level > 0:
                    ## We need to go deeper:
                    # `level` comes from the image (low bits of TableCode),
                    # so the recursion depth is bounded only by that value.
                    for h in self._make_handle_array(entry, level - 1, depth):
                        yield h
                    depth += 1
                else:

                    # All handle values are multiples of four, on both x86 and x64.
                    handle_multiplier = 4
                    # Calculate the starting handle value for this level.
                    handle_level_base = depth * count * handle_multiplier
                    # The size of a handle table entry.
                    handle_entry_size = self.obj_vm.profile.get_obj_size("_HANDLE_TABLE_ENTRY")
                    # Finally, compute the handle value for this object.
handle_value = ((entry.obj_offset - offset) / (handle_entry_size / handle_multiplier)) + handle_level_base ## OK We got to the bottom table, we just resolve ## objects here: item = self.get_item(entry, handle_value) if item == None: continue try: # New object header if item.TypeIndex != 0x0: yield item except AttributeError: if item.Type.Name: yield item def handles(self): """ A generator which yields this process's handles _HANDLE_TABLE tables are multi-level tables at the first level they are pointers to second level table, which might be pointers to third level tables etc, until the final table contains the real _OBJECT_HEADER table. This generator iterates over all the handles recursively yielding all handles. We take care of recursing into the nested tables automatically. """ magic = obj.VolMagic(self.obj_vm) if hasattr(magic, 'ObHeaderCookie'): cookie = magic.ObHeaderCookie.v() if not cookie: raise StopIteration("Cannot find nt!ObHeaderCookie") # This should work equally for 32 and 64 bit systems LEVEL_MASK = 7 TableCode = self.TableCode.v() & ~LEVEL_MASK table_levels = self.TableCode.v() & LEVEL_MASK offset = TableCode for h in self._make_handle_array(offset, table_levels): yield h class _OBJECT_HEADER(obj.CType): """A Volatility object to handle Windows object headers. This object applies only to versions below windows 7. """ optional_headers = [('NameInfo', '_OBJECT_HEADER_NAME_INFO'), ('HandleInfo', '_OBJECT_HEADER_HANDLE_INFO'), ('QuotaInfo', '_OBJECT_HEADER_QUOTA_INFO')] def __init__(self, *args, **kwargs): # Usually we don't add members to objects like this, but its an # exception due to lack of better options. See Issue #135. 
# (continuation of _OBJECT_HEADER.__init__)
        # kwargs is passed on unchanged, "handle_value" included.
        self.HandleValue = kwargs.get("handle_value", 0)

        obj.CType.__init__(self, *args, **kwargs)

        # Create accessors for optional headers
        self.find_optional_headers()

    def find_optional_headers(self):
        """Find this object's optional headers."""
        offset = self.obj_offset

        for name, objtype in self.optional_headers:
            if self.obj_vm.profile.has_type(objtype):
                header_offset = self.m(name + 'Offset').v()
                if header_offset:
                    # The optional header sits header_offset bytes before
                    # this object header.
                    o = obj.Object(objtype, offset - header_offset, vm = self.obj_vm, native_vm = self.obj_native_vm)
                else:
                    o = obj.NoneObject("Header {0} not set for object at {1:#x}".format(name, offset))

                self.newattr(name, o)

    @property
    def GrantedAccess(self):
        """Access mask taken from the parent object (the handle table
        entry when created through _HANDLE_TABLE.get_item)."""
        if self.obj_parent:
            return self.obj_parent.GrantedAccess
        return obj.NoneObject("No parent known")

    def dereference_as(self, theType):
        """Instantiate an object from the _OBJECT_HEADER.Body"""
        return obj.Object(theType, offset = self.Body.obj_offset, vm = self.obj_vm,
                         native_vm = self.obj_native_vm, parent = self)

    def get_object_type(self):
        """Return the object's type as a string"""
        type_obj = obj.Object("_OBJECT_TYPE", self.Type, self.obj_native_vm)

        return str(type_obj.Name or '')

    def is_valid(self):
        """Base CType test plus a PointerCount range check
        (0 .. 0x1000000 inclusive)."""
        if not obj.CType.is_valid(self):
            return False

        if self.PointerCount > 0x1000000 or self.PointerCount < 0:
            return False

        return True

class _OBJECT_SYMBOLIC_LINK(obj.CType, ExecutiveObjectMixin):
    """A symbolic link object"""

    def is_valid(self):
        # Truthy only when the base test passes and LinkTarget is non-zero.
        return obj.CType.is_valid(self) and self.LinkTarget.v()

class _KMUTANT(obj.CType, ExecutiveObjectMixin):
    """A mutex object"""

class _FILE_OBJECT(obj.CType, ExecutiveObjectMixin):
    """Class for file objects"""

    def file_name_with_device(self):
        """Return the name of the file, prefixed with the name
        of the device object to which the file belongs"""
        name = ""
        if self.DeviceObject:
            # Step back from the device object body to its object header.
            object_hdr = obj.Object("_OBJECT_HEADER",
                            self.DeviceObject - self.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body"),
                            self.obj_native_vm)
            if object_hdr:
                name = "\\Device\\{0}".format(str(object_hdr.NameInfo.Name or ''))
        if self.FileName:
            name += str(self.FileName)
        return name

    def access_string(self):
        """Return six characters, one per access flag in the order
        Read, Write, Delete, SharedRead, SharedWrite, SharedDelete;
        '-' stands for a flag that is not set."""
        ## Make a nicely formatted ACL string
        AccessStr = (((self.ReadAccess > 0 and "R") or '-') +
                     ((self.WriteAccess > 0 and "W") or '-') +
                     ((self.DeleteAccess > 0 and "D") or '-') +
                     ((self.SharedRead > 0 and "r") or '-') +
                     ((self.SharedWrite > 0 and "w") or '-') +
                     ((self.SharedDelete > 0 and "d") or '-'))
        return AccessStr

    def is_valid(self):
        # Truthy only when the base test passes and FileName is non-zero.
        return obj.CType.is_valid(self) and self.FileName.v()

class _EX_FAST_REF(obj.CType):

    # Mask for the low bits of the Object value, which are cleared before
    # the value is used as an address.
    MAX_FAST_REF = 7

    def dereference_as(self, theType, parent = None, **kwargs):
        """Use the _EX_FAST_REF.Object pointer to
        resolve an object of the specified type"""
        return obj.Object(theType, self.Object.v() & ~self.MAX_FAST_REF, self.obj_native_vm, parent = parent or self, **kwargs)

class ThreadCreateTimeStamp(WinTimeStamp):
    """Handles ThreadCreateTimeStamps which are bit shifted WinTimeStamps"""
    def __init__(self, *args, **kwargs):
        WinTimeStamp.__init__(self, *args, **kwargs)

    def as_windows_timestamp(self):
        # The stored value is shifted right by three bits.
        return obj.NativeType.v(self) >> 3

class VolatilityKPCR(obj.VolatilityMagic):
    """A scanner for KPCR data within an address space"""

    def __init__(self, *args, **kwargs):
        # Remove the value kwarg since overlaying one
        # on the other would give the value precedence
        kwargs.pop('value', None)
        obj.VolatilityMagic.__init__(self, *args, **kwargs)

    def generate_suggestions(self):
        """Returns the results of KPCRScanner for an address space"""
        scanner = kpcr.KPCRScanner()
        for val in scanner.scan(self.obj_vm):
            yield val

class VolatilityKDBG(obj.VolatilityMagic):
    """A Scanner for KDBG data within an address space"""

    def v(self):
        """Return a _KDDEBUGGER_DATA64 at the configured value, or the
        best scan suggestion when no value is set."""
        if self.value is None:
            return self.get_best_suggestion()
        else:
            return obj.Object("_KDDEBUGGER_DATA64", offset = self.value, vm = self.obj_vm)

    def get_suggestions(self):
        """Yield the configured value first (when set), then every
        scan result."""
        if self.value:
            yield obj.Object("_KDDEBUGGER_DATA64", offset = self.value, vm = self.obj_vm)
        for x in self.generate_suggestions():
            yield x

    def generate_suggestions(self):
        """Generates a list of possible KDBG structure locations"""
        scanner = kdbg.KDBGScanner(needles = [obj.VolMagic(self.obj_vm).KDBGHeader.v()])
        for val in scanner.scan(self.obj_vm):
            val = obj.Object("_KDDEBUGGER_DATA64", offset = val, vm = self.obj_vm)
            yield val

class VolatilityIA32ValidAS(obj.VolatilityMagic):
    """An object to check that an address space is a valid IA32 Paged space"""

    def generate_suggestions(self):
        """Generates a single response of True or False depending on whether the space is a valid Windows AS"""
        # This constraint looks for self referential values within
        # the paging tables
        try:
            if self.obj_vm.pae:
                pde_base = 0xc0600000
                pd = self.obj_vm.get_pdpi(0) & 0xffffffffff000
            else:
                pde_base = 0xc0300000
                pd = self.obj_vm.dtb
            if (self.obj_vm.vtop(pde_base) == pd):
                yield True
                # Ends the generator after the single answer (Python 2
                # generator semantics).
                raise StopIteration

        except addrspace.ASAssertionError, _e:
            pass
        debug.debug("Failed to pass the Moyix Valid IA32 AS test", 3)

        # This constraint verifies that _KUSER_ SHARED_DATA is shared
        # between user and kernel address spaces.
        if (self.obj_vm.vtop(0xffdf0000)) == (self.obj_vm.vtop(0x7ffe0000)):
            # Two untranslatable addresses also compare equal, hence the
            # explicit None test.
            if self.obj_vm.vtop(0xffdf0000) != None:
                yield True
                raise StopIteration
        debug.debug("Failed to pass the labarum_x Valid IA32 AS test", 3)

        yield False

class VolatilityAMD64ValidAS(obj.VolatilityMagic):
    def generate_suggestions(self):
        """Yield True when 0xFFFFF78000000000 translates and either maps
        to the same physical page as 0x7FFE0000 or holds a
        _KUSER_SHARED_DATA whose Reserved1 is 0x7FFEFFFF; else False."""
        if self.obj_vm.vtop(0xFFFFF78000000000) != None:
            if (self.obj_vm.vtop(0xFFFFF78000000000)) == (self.obj_vm.vtop(0x7FFE0000)):
                yield True
                raise StopIteration
            if obj.Object("_KUSER_SHARED_DATA", offset = 0xFFFFF78000000000, vm = self.obj_vm).Reserved1 == 0x7FFEFFFF:
                yield True
                raise StopIteration
        yield False

class _CM_KEY_BODY(obj.CType):
    """Registry key"""

    def full_key_name(self):
        """Build the key path by following ParentKcb links upward and
        joining the collected names with backslashes, root first."""
        output = []
        kcb = self.KeyControlBlock
        # Offsets already visited; stops the walk if parent links form a
        # cycle in a damaged or manipulated image.
        seen = []
        while kcb.ParentKcb and kcb.ParentKcb.obj_offset not in seen:
            if kcb.NameBlock.Name == None:
                break
            output.append(str(kcb.NameBlock.Name))
            kcb = kcb.ParentKcb
            seen.append(kcb.obj_offset)
        return "\\".join(reversed(output))

class _CMHIVE(obj.CType):
    """Registry hive"""

    def get_name(self):
        """Return the first non-empty of FileFullPath, FileUserName and
        HiveRootPath, or "[no name]"."""
        try:
            name = str(self.FileFullPath or '') or str(self.FileUserName or '') or str(self.HiveRootPath or '') or "[no name]"
        except AttributeError:
            # A profile lacking one of these members ends up here.
            name = "[no name]"

        return name

    def address_space(self):
        """Return a HiveAddressSpace layered on this hive's address space."""
        return hivemod.HiveAddressSpace(self.obj_vm, self.obj_vm.get_config(), self.obj_offset)

    def is_valid(self):
        # The hive signature must equal 0xbee0bee0.
        return obj.CType.is_valid(self) and self.Hive.Signature == 0xbee0bee0

class _POOL_HEADER(obj.CType):
    """A class for pool headers"""

    # the maximum size of optional object headers that may
    # exist in an allocation below the pool header but above
    # the actual executive object.
# (continuation of the _POOL_HEADER class body)
    MAX_PREAMBLE = 0x60

    @property
    def FreePool(self):
        # PoolType 0
        return self.PoolType.v() == 0

    @property
    def NonPagedPool(self):
        # odd PoolType values
        return self.PoolType.v() % 2 == 1

    @property
    def PagedPool(self):
        # even, non-zero PoolType values
        return self.PoolType.v() % 2 == 0 and self.PoolType.v() > 0

    def get_object_bottom_up(self, struct_name, object_type, skip_type_check):
        """Get the windows object contained within this pool
        by using the bottom-up approach to finding the object

        @param struct_name: structure to instantiate.
        @param object_type: expected executive object type name; when
        falsy the structure is placed directly after the pool header.
        @param skip_type_check: when true, return the object without
        comparing its header type with object_type.
        """

        if not object_type:
            return obj.Object(struct_name, vm = self.obj_vm,
                        offset = self.obj_offset +
                        self.obj_vm.profile.get_obj_size("_POOL_HEADER"),
                        native_vm = self.obj_native_vm)

        pool_alignment = obj.VolMagic(self.obj_vm).PoolAlignment.v()

        # Place the structure so that it ends at the end of the
        # allocation: BlockSize units of pool_alignment bytes from the
        # header, minus the aligned size of the structure.
        # BlockSize is read from the image, so the resulting offset is
        # only as trustworthy as the pool header itself.
        the_object = obj.Object(struct_name, vm = self.obj_vm,
                        offset = (self.obj_offset + self.BlockSize * pool_alignment -
                        common.pool_align(self.obj_vm, struct_name, pool_alignment)),
                        native_vm = self.obj_native_vm)

        header = the_object.get_object_header()

        if (skip_type_check or
                    header.get_object_type() == object_type):
            return the_object
        else:
            return obj.NoneObject("Cannot find the object")

    def get_object_top_down(self, object_name, object_type, _skip_type_check):
        """On windows 8, pool allocations are done from preset sizes. This means
        that the allocation is never exactly the same size and we can not use
        the bottom up method like before.

        We therefore, have to build the headers forward by checking the preamble
        size and validity of each object. This is a little slower than with
        earlier versions of windows.

        The _skip_type_check argument is accepted but not used here.
        """

        # we start after the pool header
        start_offset = self.obj_offset + self.obj_vm.profile.get_obj_size("_POOL_HEADER")

        # allocations containing only one structure
        if not object_type:
            return obj.Object(object_name, offset = start_offset, vm = self.obj_vm, native_vm = self.obj_native_vm)

        # pool aligned boundary
        pool_alignment = obj.VolMagic(self.obj_vm).PoolAlignment.v()

        # maximum distance to search
        # capped at MAX_PREAMBLE, so a bogus BlockSize cannot widen the scan
        end_offset = start_offset + min(self.MAX_PREAMBLE, self.BlockSize * pool_alignment)

        for addr in range(start_offset, end_offset, pool_alignment):
            header = obj.Object("_OBJECT_HEADER", offset = addr, vm = self.obj_vm, native_vm = self.obj_native_vm)

            if (header.is_valid() and
                        header.get_object_type() == object_type):

                the_object = header.dereference_as(object_name)
                if the_object.is_valid():
                    return the_object

        return obj.NoneObject("Cannot find object")

    def get_object(self, struct_name, object_type = None, use_top_down = False, skip_type_check = False):
        """Get the windows object contained within this pool
        using whichever method is best for the target OS.

        @param struct_name: the name of the structure to cast
        such as _EPROCESS.

        @param object_type: the name of the executive object. If
        there is no executive object in the pool allocation, then
        this can be None.

        @param use_top_down: specify the technique we use to find
        the object within the pool allocation.

        @param skip_type_check: specify if we skip unallocated
        objects or return them.
        """

        if use_top_down:
            return self.get_object_top_down(struct_name, object_type, skip_type_check)
        else:
            return self.get_object_bottom_up(struct_name, object_type, skip_type_check)

import crash_vtypes
import hibernate_vtypes
import kdbg_vtypes
import tcpip_vtypes
import ssdt_vtypes

class WindowsOverlay(obj.ProfileModification):
    # Applies to Windows profiles only.
    conditions = {'os': lambda x: x == 'windows'}
    before = ['BasicObjectClasses', 'WindowsVTypes']

    def modification(self, profile):
        profile.merge_overlay(windows_overlay)

class WindowsVTypes(obj.ProfileModification):
    conditions = {'os': lambda x: x == 'windows'}
    before = ['BasicObjectClasses']

    def modification(self, profile):
        # Later update() calls overwrite same-named types from earlier ones.
        profile.vtypes.update(crash_vtypes.crash_vtypes)
        profile.vtypes.update(hibernate_vtypes.hibernate_vtypes)
        profile.vtypes.update(kdbg_vtypes.kdbg_vtypes)
        profile.vtypes.update(tcpip_vtypes.tcpip_vtypes)
        profile.vtypes.update(ssdt_vtypes.ssdt_vtypes)

class WindowsObjectClasses(obj.ProfileModification):
    conditions = {'os': lambda x: x == 'windows'}
    before = ['BasicObjectClasses', 'WindowsVTypes', 'WindowsOverlay']

    def modification(self, profile):
        # Map structure names to the Python classes implementing them.
        profile.object_classes.update({
            '_UNICODE_STRING': _UNICODE_STRING,
            '_LIST_ENTRY': _LIST_ENTRY,
            'WinTimeStamp': WinTimeStamp,
            'DosDate':DosDate,
            '_EPROCESS': _EPROCESS,
            '_ETHREAD': _ETHREAD,
            '_HANDLE_TABLE': _HANDLE_TABLE,
            '_OBJECT_HEADER': _OBJECT_HEADER,
            '_FILE_OBJECT': _FILE_OBJECT,
            '_EX_FAST_REF': _EX_FAST_REF,
            'ThreadCreateTimeStamp': ThreadCreateTimeStamp,
            'IpAddress': basic.IpAddress,
            'Ipv6Address': basic.Ipv6Address,
            'VolatilityKPCR': VolatilityKPCR,
            'VolatilityKDBG': VolatilityKDBG,
            'VolatilityIA32ValidAS': VolatilityIA32ValidAS,
            'VolatilityAMD64ValidAS': VolatilityAMD64ValidAS,
            '_CM_KEY_BODY': _CM_KEY_BODY,
            '_TOKEN': _TOKEN,
            '_POOL_HEADER': _POOL_HEADER,
            '_OBJECT_SYMBOLIC_LINK': _OBJECT_SYMBOLIC_LINK,
            '_KMUTANT': _KMUTANT,
            '_CMHIVE': _CMHIVE,
            '_OBJECT_TYPE': _OBJECT_TYPE,
            })

class VolMagicPoolTag(obj.VolatilityMagic):
    """The pool tag for a specific data structure on a given OS"""

    def __init__(self, *args, **kwargs):
        kwargs.pop('value', None)
        # "protected" and "tag" are read with get(), so they stay in
        # kwargs when passed to the base constructor.
        self.protected = kwargs.get("protected", False)
        self.tag = kwargs.get("tag", None)
        obj.VolatilityMagic.__init__(self, *args, **kwargs)

    def generate_suggestions(self):
        """Return the tag value, setting the protected bit if necessary"""
        # self.tag must be a 4-byte string here; the default of None set
        # in __init__ would make unpack() fail.
        tag = struct.unpack("I", self.tag)[0]
        if self.protected:
            tag |= 0x80000000
        yield struct.pack("I", tag)

class HandleTableEntryPreWin8(obj.ProfileModification):
    """A modification for handle table entries before Windows 8"""

    conditions = {"os": lambda x: x == "windows"}

    def modification(self, profile):
        version = (profile.metadata.get('major', 0),
                   profile.metadata.get('minor', 0))

        # Up to and including version 6.1 the Object member is typed as
        # _EX_FAST_REF.
        if version <= (6, 1):
            profile.merge_overlay({
                '_HANDLE_TABLE_ENTRY' : [ None, {
                'Object' : [ None, ['_EX_FAST_REF']],
                }]})

class PoolTagModification(obj.ProfileModification):
    """A modification for variable pool tags across Windows versions"""

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.object_classes.update({'VolMagicPoolTag': VolMagicPoolTag})

        # win8 / 2012 pool tags are not protected
        # (only major 6 with minor >= 2 is treated as unprotected; any
        # other version, a different major included, takes the else branch)
        if (profile.metadata.get('major', 0) == 6 and
                    profile.metadata.get('minor', 0) >= 2):
            protected = False
        else:
            protected = True

        profile.merge_overlay({
            'VOLATILITY_MAGIC': [ None, {
            'ProcessPoolTag': [ 0x0, ['VolMagicPoolTag', dict(tag = "Proc", protected = protected)]],
            'MutexPoolTag': [ 0x0, ['VolMagicPoolTag', dict(tag = "Muta", protected = protected)]],
            'SymlinkPoolTag': [ 0x0, ['VolMagicPoolTag', dict(tag = "Symb", protected = protected)]],
            'DriverPoolTag': [ 0x0, ['VolMagicPoolTag', dict(tag = "Driv", protected = protected)]],
            'FilePoolTag': [ 0x0, ['VolMagicPoolTag', dict(tag = "File", protected = protected)]],
            'WindPoolTag': [ 0x0, ['VolMagicPoolTag', dict(tag = "Wind", protected = protected)]],
            'ThreadPoolTag': [ 0x0, ['VolMagicPoolTag', dict(tag = "Thre", protected = protected)]],
            'ObjectTypePoolTag': [ 0x0, ['VolMagicPoolTag', dict(tag = "ObjT", protected =
protected)]], }]}) class AbstractKDBGMod(obj.ProfileModification): kdbgsize = 0x290 def modification(self, profile): signature = '\x00\x00\x00\x00\x00\x00\x00\x00' if profile.metadata.get('memory_model', '32bit') == '32bit' else '\x00\xf8\xff\xff' signature += 'KDBG' + struct.pack('. # import volatility.obj as obj #---------------------------------------------------------------------- # All Windows #---------------------------------------------------------------------- class VadTraverser(obj.CType): ## The actual type depends on this tag value. tag_map = {'Vadl': '_MMVAD_LONG', 'VadS': '_MMVAD_SHORT', 'Vad ': '_MMVAD_LONG', 'VadF': '_MMVAD_SHORT', 'Vadm': '_MMVAD_LONG', } def is_valid(self): return (obj.CType.is_valid(self) and self.Start < obj.VolMagic(self.obj_vm).MaxAddress.v() and self.End < (obj.VolMagic(self.obj_vm).MaxAddress.v())) def traverse(self, visited = None, depth = 0): """ Traverse the VAD tree by generating all the left items, then the right items. We try to be tolerant of cycles by storing all offsets visited. """ if depth > 100: raise RuntimeError("Vad tree too deep - something went wrong!") if visited == None: visited = set() ## We try to prevent loops here if self.obj_offset in visited: return # Find out which Vad type we need to be: if str(self.Tag) in self.tag_map: yield self.cast(self.tag_map[str(self.Tag)]) # This tag is valid for the Root. 
# (continuation of VadTraverser.traverse; the matching `if` sits on the preceding source line)
        elif depth and str(self.Tag) != "":
            # Below the root, a node with a non-empty tag that is not in
            # tag_map ends this branch of the walk.
            return

        # add this node to those that have been visited
        visited.add(self.obj_offset)

        # traverse children
        for c in self.LeftChild.traverse(visited = visited, depth = depth + 1):
            yield c
        for c in self.RightChild.traverse(visited = visited, depth = depth + 1):
            yield c

class VadFlags(obj.CType):

    def __str__(self):
        """Render the non-zero members as "name: value", sorted by
        member name and joined with ", "."""
        return ", ".join(["{0}: {1}".format(name, self.m(name)) \
            for name in sorted(self.members.keys()) \
            if self.m(name) != 0])

class _MMVAD_FLAGS(VadFlags):
    pass

class _MMVAD_FLAGS2(VadFlags):
    pass

class _MMSECTION_FLAGS(VadFlags):
    pass

class VadFlagsModification(obj.ProfileModification):
    before = ["WindowsOverlay"]
    conditions = {"os": lambda x : x == "windows"}

    def modification(self, profile):
        profile.object_classes.update({
            '_MMVAD_FLAGS': _MMVAD_FLAGS,
            '_MMVAD_FLAGS2': _MMVAD_FLAGS2,
            '_MMSECTION_FLAGS': _MMSECTION_FLAGS,
            })

class VadTagModification(obj.ProfileModification):
    before = ["WindowsOverlay"]
    conditions = {"os": lambda x : x == "windows"}

    def modification(self, profile):
        """Add a 4-character Tag member at a negative offset to the VAD
        node types that exist for the profile's version."""

        version = (profile.metadata.get("major", 0),
                   profile.metadata.get("minor", 0))
        model = profile.metadata.get("memory_model", "32bit")

        # The tag is read from before the start of the structure:
        # 4 bytes back on 32-bit profiles, 12 bytes back otherwise.
        if model == "32bit":
            offset = -4
        else:
            offset = -12

        overlay = {
            '_MMVAD_SHORT': [ None, {
                'Tag': [offset , ['String', dict(length = 4)]],
            }],
            '_MMVAD': [ None, {
                'Tag': [offset , ['String', dict(length = 4)]],
            }]}

        if version < (6, 2):
            overlay.update({
                '_MMVAD_LONG': [ None, {
                    'Tag': [offset , ['String', dict(length = 4)]],
                }]})

        # The generic tree node type differs per version range.
        if version >= (5, 2) and version <= (6, 1):
            overlay.update({
                '_MMADDRESS_NODE': [ None, {
                    'Tag': [offset , ['String', dict(length = 4)]],
                }]})
        elif version == (6, 2):
            overlay.update({
                '_MM_AVL_NODE': [ None, {
                    'Tag': [offset , ['String', dict(length = 4)]],
                }]})
        elif version >= (6, 3):
            overlay.update({
                '_RTL_BALANCED_NODE': [ None, {
                    'Tag': [offset , ['String', dict(length = 4)]],
                }]})

        profile.merge_overlay(overlay)

#----------------------------------------------------------------------
# Windows XP
#----------------------------------------------------------------------

class _MMVAD_SHORT_XP(VadTraverser):
    """Short VAD node for the XP layout; addresses are derived from
    virtual page numbers with a 12-bit shift."""

    @property
    def Parent(self):
        return self.m('Parent').dereference()

    @property
    def Start(self):
        # first byte of the range
        return self.StartingVpn << 12

    @property
    def End(self):
        # last byte of the range (inclusive)
        return ((self.EndingVpn + 1) << 12) - 1

    @property
    def Length(self):
        # number of bytes from Start up to and including End
        return ((self.EndingVpn + 1) << 12) - self.Start

    @property
    def VadFlags(self):
        return self.u.VadFlags

    @property
    def CommitCharge(self):
        return self.u.VadFlags.CommitCharge

class _MMVAD_XP(_MMVAD_SHORT_XP):

    @property
    def ControlArea(self):
        return self.m('ControlArea')

    @property
    def FileObject(self):
        return self.ControlArea.FilePointer.dereference()

class _MMVAD_LONG_XP(_MMVAD_XP):
    pass

class WinXPx86Vad(obj.ProfileModification):
    before = ["WindowsOverlay"]
    # Windows 5.1, 32-bit only.
    conditions = {"os": lambda x: x == "windows",
                  "major": lambda x: x == 5,
                  "minor": lambda x: x == 1,
                  "memory_model": lambda x: x == "32bit"}

    def modification(self, profile):
        # VadRoot is typed as a pointer to _MMVAD for this profile.
        profile.merge_overlay({
            '_EPROCESS' : [ None, {
                'VadRoot' : [ None, ['pointer', ['_MMVAD']]],
            }]})

        profile.object_classes.update({
            '_MMVAD': _MMVAD_XP,
            '_MMVAD_SHORT': _MMVAD_SHORT_XP,
            '_MMVAD_LONG': _MMVAD_LONG_XP,
            })

#----------------------------------------------------------------------
# Windows 2003
#----------------------------------------------------------------------

class _MMVAD_SHORT_2003(_MMVAD_SHORT_XP):

    @property
    def Parent(self):
        # The two low bits of the stored parent value are masked off
        # before it is used as an address.
        return obj.Object("_MMADDRESS_NODE",
                    vm = self.obj_vm,
                    offset = self.u1.Parent.v() & ~0x3,
                    parent = self.obj_parent)

class _MMVAD_2003(_MMVAD_SHORT_2003):

    @property
    def ControlArea(self):
        return self.m('ControlArea')

    @property
    def FileObject(self):
        return self.ControlArea.FilePointer.dereference()

class _MMVAD_LONG_2003(_MMVAD_2003):
    pass

class _MM_AVL_TABLE(obj.CType):

    def traverse(self):
        """Walk the tree by treating this table as its root
        _MMADDRESS_NODE."""
        for c in self.cast("_MMADDRESS_NODE").traverse():
            yield c

class Win2003x86Vad(obj.ProfileModification):
    before = ["WindowsOverlay"]
    # Windows 5.2; no memory_model condition is set here.
    conditions = {"os": lambda x: x == "windows",
                  "major": lambda x: x == 5,
                  "minor": lambda x: x == 2}

    def modification(self, profile):
        profile.object_classes.update({
            '_MMVAD': _MMVAD_2003,
            '_MMVAD_SHORT': _MMVAD_SHORT_2003,
            '_MMVAD_LONG': _MMVAD_LONG_2003,
            '_MM_AVL_TABLE': _MM_AVL_TABLE,
            '_MMADDRESS_NODE': _MMVAD_2003,
            })

#----------------------------------------------------------------------
# Windows Vista, 2008, and 7
#----------------------------------------------------------------------

class _MMVAD_VISTA(_MMVAD_SHORT_2003):

    @property
    def ControlArea(self):
        # Reached through the Subsection member in this layout.
        return self.Subsection.ControlArea

    @property
    def FileObject(self):
        return self.Subsection.ControlArea.FilePointer.dereference_as("_FILE_OBJECT")

class _MMVAD_LONG_VISTA(_MMVAD_VISTA):
    pass

class VistaVad(obj.ProfileModification):
    before = ["WindowsOverlay"]
    # Windows 6.0 and 6.1.
    conditions = {"os": lambda x: x == "windows",
                  "major": lambda x: x == 6,
                  "minor": lambda x: (x == 0 or x == 1)}

    def modification(self, profile):
        profile.object_classes.update({
            '_MMVAD': _MMVAD_VISTA,
            '_MMVAD_SHORT': _MMVAD_SHORT_2003,
            '_MMVAD_LONG': _MMVAD_LONG_VISTA,
            '_MM_AVL_TABLE': _MM_AVL_TABLE,
            '_MMADDRESS_NODE': _MMVAD_VISTA,
            })

#----------------------------------------------------------------------
# Windows 8 and Server 2012
#----------------------------------------------------------------------

class _MM_AVL_TABLE_WIN8(obj.CType):

    def traverse(self):
        """Walk the tree by treating this table as its root
        _MM_AVL_NODE."""
        for c in self.cast("_MM_AVL_NODE").traverse():
            yield c

class _MM_AVL_NODE(VadTraverser):

    ## The actual type depends on this tag value.
# (continuation of the _MM_AVL_NODE class body)
    tag_map = {'Vadl': '_MMVAD',
               'VadS': '_MMVAD_SHORT',
               'Vad ': '_MMVAD',
               'VadF': '_MMVAD_SHORT',
               'Vadm': '_MMVAD',
              }

class _MMVAD_SHORT_WIN8(_MM_AVL_NODE):

    @property
    def Parent(self):
        # The two low bits of the stored parent value are masked off
        # before it is used as an address.
        return obj.Object("_MM_AVL_NODE",
                    vm = self.obj_vm,
                    offset = self.VadNode.u1.Parent.v() & ~0x3,
                    parent = self.obj_parent)

    @property
    def Start(self):
        return self.StartingVpn << 12

    @property
    def End(self):
        # last byte of the range (inclusive)
        return ((self.EndingVpn + 1) << 12) - 1

    @property
    def VadFlags(self):
        return self.u.VadFlags

    @property
    def CommitCharge(self):
        return self.u1.VadFlags1.CommitCharge

    @property
    def Length(self):
        # NOTE(review): End is inclusive, so this is one byte less than
        # the XP-layout Length (((EndingVpn + 1) << 12) - Start); range
        # scans built on Start + Length stop one byte early - confirm.
        return self.End - self.Start

    @property
    def LeftChild(self):
        return self.VadNode.LeftChild

    @property
    def RightChild(self):
        return self.VadNode.RightChild

class _MMVAD_WIN8(_MM_AVL_NODE):
    """Full VAD for the Windows 8 layout; range and tree members are
    delegated to the embedded Core."""

    @property
    def Parent(self):
        return self.Core.Parent

    @property
    def Start(self):
        return self.Core.Start

    @property
    def End(self):
        return self.Core.End

    @property
    def VadFlags(self):
        return self.Core.VadFlags

    @property
    def CommitCharge(self):
        return self.Core.CommitCharge

    @property
    def ControlArea(self):
        return self.Subsection.ControlArea

    @property
    def FileObject(self):
        return self.Subsection.ControlArea.FilePointer.dereference_as("_FILE_OBJECT")

    @property
    def Length(self):
        # End is inclusive here as well (it comes from Core.End).
        return self.End - self.Start

    @property
    def LeftChild(self):
        return self.Core.LeftChild

    @property
    def RightChild(self):
        return self.Core.RightChild

class Win8Vad(obj.ProfileModification):
    before = ["WindowsOverlay"]
    # Windows 6.2.
    conditions = {"os": lambda x: x == "windows",
                  "major": lambda x: x == 6,
                  "minor": lambda x: x == 2}

    def modification(self, profile):
        profile.object_classes.update({
            '_MMVAD': _MMVAD_WIN8,
            '_MMVAD_SHORT': _MMVAD_SHORT_WIN8,
            '_MM_AVL_TABLE': _MM_AVL_TABLE_WIN8,
            '_MM_AVL_NODE': _MM_AVL_NODE,
            })

#----------------------------------------------------------------------
# Windows 8.1 and Server 2012 R2
#----------------------------------------------------------------------

class _RTL_AVL_TREE(obj.CType):

    def traverse(self):
        """Walk the tree starting from Root."""
        for x in self.Root.traverse():
            yield x

class _RTL_BALANCED_NODE(VadTraverser):

    ## The actual type depends on this tag value.
    tag_map = {'Vadl': '_MMVAD',
               'VadS': '_MMVAD_SHORT',
               'Vad ': '_MMVAD',
               'VadF': '_MMVAD_SHORT',
               'Vadm': '_MMVAD',
              }

    # Aliases so that VadTraverser.traverse() finds the child links under
    # the names it uses.
    @property
    def LeftChild(self):
        return self.Left

    @property
    def RightChild(self):
        return self.Right

class _MMVAD_SHORT_WIN81(_RTL_BALANCED_NODE):

    @property
    def Parent(self):
        # The two low bits of the stored parent value are masked off
        # before it is used as an address.
        return obj.Object("_RTL_BALANCED_NODE",
                    vm = self.obj_vm,
                    offset = self.VadNode.ParentValue.v() & ~0x3,
                    parent = self.obj_parent)

    @property
    def Start(self):
        return self.StartingVpn << 12

    @property
    def End(self):
        # last byte of the range (inclusive)
        return ((self.EndingVpn + 1) << 12) - 1

    @property
    def VadFlags(self):
        return self.u.VadFlags

    @property
    def CommitCharge(self):
        return self.u1.VadFlags1.CommitCharge

    @property
    def Length(self):
        # End is inclusive, so this is one less than the byte count.
        return self.End - self.Start

    @property
    def LeftChild(self):
        return self.VadNode.Left

    @property
    def RightChild(self):
        return self.VadNode.Right

class _MMVAD_SHORT_WIN81_64(_MMVAD_SHORT_WIN81):
    """Variant selected by Win81Vad for non-32-bit profiles: the page
    numbers carry extra high parts that are shifted in at bit 44."""

    @property
    def Start(self):
        return (self.StartingVpn << 12) | (self.StartingVpnHigh << 44)

    @property
    def End(self):
        return (((self.EndingVpn + 1) << 12) | (self.EndingVpnHigh << 44)) - 1

class _MMVAD_WIN81(_MMVAD_SHORT_WIN81):
    """Full VAD for the Windows 8.1 layout; range and tree members are
    delegated to the embedded Core."""

    @property
    def Parent(self):
        return self.Core.Parent

    @property
    def Start(self):
        return self.Core.Start

    @property
    def End(self):
        return self.Core.End

    @property
    def VadFlags(self):
        return self.Core.VadFlags

    @property
    def CommitCharge(self):
        return self.Core.CommitCharge

    @property
    def ControlArea(self):
        return self.Subsection.ControlArea

    @property
    def FileObject(self):
        return self.Subsection.ControlArea.FilePointer.dereference_as("_FILE_OBJECT")

    @property
    def Length(self):
        return self.End - self.Start

    @property
    def LeftChild(self):
        return self.Core.LeftChild

    @property
    def RightChild(self):
        return self.Core.RightChild

class Win81Vad(obj.ProfileModification):
    before = ["WindowsOverlay"]
    conditions = {"os": lambda x: x == "windows",
                  "major": lambda x: x == 6,
                  "minor":
lambda x: x >= 3} def modification(self, profile): if profile.metadata.get("memory_model") == "32bit": short_vad = _MMVAD_SHORT_WIN81 else: short_vad = _MMVAD_SHORT_WIN81_64 profile.object_classes.update({ '_MMVAD': _MMVAD_WIN81, '_MMVAD_SHORT': short_vad, '_RTL_AVL_TREE': _RTL_AVL_TREE, '_RTL_BALANCED_NODE': _RTL_BALANCED_NODE, }) volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win10_x86_15063_vtypes.py0000755000000000000000000271177213131215405030565 0ustar rootrootntkrpamp_86_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_PS_MITIGATION_OPTIONS_MAP' : [ 0x10, { 'Map' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_KUSER_SHARED_DATA' : [ 0x708, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'NtBuildNumber' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned 
char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'BootId' : [ 0x2c4, ['unsigned long']], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'VirtualizationFlags' : [ 0x2ed, ['unsigned char']], 'Reserved12' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, 
end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgMultiSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgMultiUsersInSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCall' : [ 0x308, ['unsigned long']], 'SystemCallPad0' : [ 0x30c, ['unsigned long']], 'SystemCallPad' : [ 0x310, ['array', 2, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrementShift' : [ 0x368, ['unsigned 
char']], 'QpcInterruptTimeIncrementShift' : [ 0x369, ['unsigned char']], 'UnparkedProcessorCount' : [ 0x36a, ['unsigned short']], 'EnclaveFeatureMask' : [ 0x36c, ['array', 4, ['unsigned long']]], 'Reserved8' : [ 0x37c, ['unsigned long']], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1084' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1084']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1088' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1088']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_10a3' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_10a5' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned 
long']], 's' : [ 0x0, ['__unnamed_10a3']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_10a5']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TEB' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 16, ['pointer', ['void']]]], 'SystemReserved1' : [ 0x10c, ['array', 30, ['pointer', ['void']]]], '_ActivationStack' : [ 0x184, ['_ACTIVATION_CONTEXT_STACK']], 'WorkingOnBehalfTicket' : [ 0x19c, ['array', 8, ['unsigned char']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'InstrumentationCallbackSp' : [ 
0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x1b8, ['unsigned char']], 'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'PerflibData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 
'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SkipLoaderInit' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['pointer', ['void']]], 'ReservedForWdf' : [ 0xfe4, ['pointer', ['void']]], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : 
[ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0xc, { 'Parent' : [ 0x0, ['pointer', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'CurEntry' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['wchar']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned 
short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_BALANCED_NODE' : [ 0xc, { 'Children' : [ 0x0, ['array', 2, ['pointer', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x8, ['unsigned long']], } ], '_RTL_RB_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Encoded' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Min' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_RTL_AVL_TREE' : [ 0x4, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x4a20, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'MxCsr' : [ 0x8, ['unsigned long']], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', 
['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x4900, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : [ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'ParentNode' : [ 0x338, ['pointer', ['_KNODE']]], 'PriorityState' : [ 0x33c, ['pointer', ['unsigned char']]], 'KernelReserved' : [ 0x340, ['array', 14, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned 
long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'CpuVendor' : [ 0x3be, ['unsigned char']], 'PrcbPad0' : [ 0x3bf, ['array', 1, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'GroupIndex' : [ 0x3c4, ['unsigned char']], 'Group' : [ 0x3c5, ['unsigned char']], 'PrcbPad05' : [ 0x3c6, ['array', 2, ['unsigned char']]], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, ['unsigned long']], 'ClockOwner' : [ 0x3d0, ['unsigned char']], 'PendingTickFlags' : [ 0x3d1, ['unsigned char']], 'PendingTick' : [ 0x3d1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x3d1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'PrcbPad10' : [ 0x3d2, ['array', 70, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'InterruptCount' : [ 0x4a0, ['unsigned long']], 'KernelTime' : [ 0x4a4, ['unsigned long']], 'UserTime' : [ 0x4a8, ['unsigned long']], 'DpcTime' : [ 0x4ac, ['unsigned long']], 'DpcTimeCount' : [ 0x4b0, ['unsigned long']], 'InterruptTime' : [ 0x4b4, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4b8, ['unsigned long']], 'PageColor' : [ 0x4bc, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c0, ['unsigned char']], 'NodeColor' : [ 0x4c1, ['unsigned char']], 'DeepSleep' : [ 0x4c2, ['unsigned char']], 'PrcbPad20' : [ 0x4c3, ['array', 5, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'SecondaryColorMask' : [ 0x4cc, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d0, ['unsigned long']], 'PrcbPad21' : [ 0x4d4, ['array', 3, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : 
[ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' : [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x520, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, ['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, ['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : [ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x570, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, ['unsigned long']]], 'PPLookasideList' : [ 0x5a0, 
['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1820, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2120, ['long']], 'ReverseStall' : [ 0x2124, ['long']], 'IpiFrame' : [ 0x2128, ['pointer', ['void']]], 'PrcbPad3' : [ 0x212c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x2160, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x216c, ['unsigned long']], 'WorkerRoutine' : [ 0x2170, ['pointer', ['void']]], 'IpiFrozen' : [ 0x2174, ['unsigned long']], 'PrcbPad4' : [ 0x2178, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x21a0, ['unsigned long']], 'TargetCount' : [ 0x21a4, ['long']], 'LastNonHrTimerExpiration' : [ 0x21a8, ['unsigned long long']], 'PrcbPad50' : [ 0x21b0, ['array', 32, ['unsigned char']]], 'InterruptLastCount' : [ 0x21d0, ['unsigned long']], 'InterruptRate' : [ 0x21d4, ['unsigned long']], 'DeviceInterrupts' : [ 0x21d8, ['unsigned long']], 'IsrDpcStats' : [ 0x21dc, ['pointer', ['void']]], 'DpcData' : [ 0x21e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2210, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2214, ['long']], 'DpcRequestRate' : [ 0x2218, ['unsigned long']], 'MinimumDpcRate' : [ 0x221c, ['unsigned long']], 'DpcLastCount' : [ 0x2220, ['unsigned long']], 'PrcbLock' : [ 0x2224, ['unsigned long']], 'DpcGate' : [ 0x2228, ['_KGATE']], 'IdleState' : [ 0x2238, ['unsigned char']], 'QuantumEnd' : [ 0x2239, ['unsigned char']], 'DpcRoutineActive' : [ 0x223a, ['unsigned char']], 'IdleSchedule' : [ 0x223b, ['unsigned char']], 'DpcRequestSummary' : [ 0x223c, ['long']], 'DpcRequestSlot' : [ 0x223c, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x223c, ['short']], 'ThreadDpcState' : [ 0x223e, ['short']], 'DpcNormalProcessingActive' : [ 0x223c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 
'DpcNormalProcessingRequested' : [ 0x223c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x223c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x223c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x223c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x223c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x223c, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x223c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x223c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x223c, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2240, ['unsigned long']], 'LastTick' : [ 0x2244, ['unsigned long']], 'PeriodicCount' : [ 0x2248, ['unsigned long']], 'PeriodicBias' : [ 0x224c, ['unsigned long']], 'ClockInterrupts' : [ 0x2250, ['unsigned long']], 'ReadyScanTick' : [ 0x2254, ['unsigned long']], 'GroupSchedulingOverQuota' : [ 0x2258, ['unsigned char']], 'ThreadDpcEnable' : [ 0x2259, ['unsigned char']], 'PrcbPad41' : [ 0x225a, ['array', 2, ['unsigned char']]], 'TimerTable' : [ 0x2260, ['_KTIMER_TABLE']], 'CallDpc' : [ 0x3aa0, ['_KDPC']], 'ClockKeepAlive' : [ 0x3ac0, ['long']], 'PrcbPad6' : [ 0x3ac4, ['array', 4, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x3ac8, ['long']], 'DpcWatchdogCount' : [ 0x3acc, ['long']], 'KeSpinLockOrdering' : [ 0x3ad0, ['long']], 'DpcWatchdogProfileCumulativeDpcThreshold' : [ 0x3ad4, ['unsigned long']], 'QueueIndex' : [ 0x3ad8, ['unsigned long']], 'DeferredReadyListHead' : [ 0x3adc, ['_SINGLE_LIST_ENTRY']], 'ReadySummary' : [ 0x3ae0, ['unsigned 
long']], 'AffinitizedSelectionMask' : [ 0x3ae4, ['long']], 'WaitLock' : [ 0x3ae8, ['unsigned long']], 'WaitListHead' : [ 0x3aec, ['_LIST_ENTRY']], 'ScbOffset' : [ 0x3af4, ['unsigned long']], 'ReadyThreadCount' : [ 0x3af8, ['unsigned long']], 'StartCycles' : [ 0x3b00, ['unsigned long long']], 'TaggedCyclesStart' : [ 0x3b08, ['unsigned long long']], 'TaggedCycles' : [ 0x3b10, ['array', 2, ['unsigned long long']]], 'GenerationTarget' : [ 0x3b20, ['unsigned long long']], 'CycleTime' : [ 0x3b28, ['unsigned long long']], 'AffinitizedCycles' : [ 0x3b30, ['unsigned long long']], 'ImportantCycles' : [ 0x3b38, ['unsigned long long']], 'UnimportantCycles' : [ 0x3b40, ['unsigned long long']], 'ReadyQueueExpectedRunTime' : [ 0x3b48, ['unsigned long long']], 'HighCycleTime' : [ 0x3b50, ['unsigned long']], 'Cycles' : [ 0x3b58, ['array', 4, ['array', 2, ['unsigned long long']]]], 'PrcbPad71' : [ 0x3b98, ['array', 2, ['unsigned long']]], 'DispatcherReadyListHead' : [ 0x3ba0, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3ca0, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3ca4, ['long']], 'ScbQueue' : [ 0x3ca8, ['_RTL_RB_TREE']], 'ScbList' : [ 0x3cb0, ['_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x3cb8, ['long']], 'MmCopyOnWriteCount' : [ 0x3cbc, ['long']], 'MmTransitionCount' : [ 0x3cc0, ['long']], 'MmCacheTransitionCount' : [ 0x3cc4, ['long']], 'MmDemandZeroCount' : [ 0x3cc8, ['long']], 'MmPageReadCount' : [ 0x3ccc, ['long']], 'MmPageReadIoCount' : [ 0x3cd0, ['long']], 'MmCacheReadCount' : [ 0x3cd4, ['long']], 'MmCacheIoCount' : [ 0x3cd8, ['long']], 'MmDirtyPagesWriteCount' : [ 0x3cdc, ['long']], 'MmDirtyWriteIoCount' : [ 0x3ce0, ['long']], 'MmMappedPagesWriteCount' : [ 0x3ce4, ['long']], 'MmMappedWriteIoCount' : [ 0x3ce8, ['long']], 'CachedCommit' : [ 0x3cec, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3cf0, ['unsigned long']], 'HyperPte' : [ 0x3cf4, ['pointer', ['void']]], 'PrcbPad8' : [ 0x3cf8, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x3cfc, 
['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x3d09, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x3d0a, ['unsigned char']], 'PrcbPad9' : [ 0x3d0b, ['array', 1, ['unsigned char']]], 'FeatureBits' : [ 0x3d10, ['unsigned long long']], 'UpdateSignature' : [ 0x3d18, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3d20, ['unsigned long long']], 'PrcbPad90' : [ 0x3d28, ['array', 2, ['unsigned long']]], 'PowerState' : [ 0x3d30, ['_PROCESSOR_POWER_STATE']], 'ForceIdleDpc' : [ 0x3eb0, ['_KDPC']], 'PrcbPad91' : [ 0x3ed0, ['array', 8, ['unsigned long']]], 'DpcWatchdogProfileSingleDpcThreshold' : [ 0x3ef0, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x3ef4, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3f18, ['_KTIMER']], 'HypercallPageList' : [ 0x3f40, ['_SLIST_HEADER']], 'HypercallCachedPages' : [ 0x3f48, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x3f4c, ['pointer', ['void']]], 'StatisticsPage' : [ 0x3f50, ['pointer', ['unsigned long long']]], 'Cache' : [ 0x3f54, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3f90, ['unsigned long']], 'PackageProcessorSet' : [ 0x3f94, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x3fa0, ['unsigned long']], 'SharedReadyQueue' : [ 0x3fa4, ['pointer', ['_KSHARED_READY_QUEUE']]], 'SharedQueueScanOwner' : [ 0x3fa8, ['unsigned long']], 'CoreProcessorSet' : [ 0x3fac, ['unsigned long']], 'ScanSiblingMask' : [ 0x3fb0, ['unsigned long']], 'LLCMask' : [ 0x3fb4, ['unsigned long']], 'CacheProcessorMask' : [ 0x3fb8, ['array', 5, ['unsigned long']]], 'ScanSiblingIndex' : [ 0x3fcc, ['unsigned long']], 'WheaInfo' : [ 0x3fd0, ['pointer', ['void']]], 'EtwSupport' : [ 0x3fd4, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x3fd8, ['_SLIST_HEADER']], 'DpcWatchdogProfile' : [ 0x3fe0, ['pointer', ['pointer', ['void']]]], 'DpcWatchdogProfileCurrentEmptyCapture' : [ 0x3fe4, ['pointer', ['pointer', ['void']]]], 'PrcbPad92' : [ 0x3fe8, ['array', 1, ['unsigned long']]], 'PteBitCache' : [ 0x3fec, ['unsigned long']], 'PteBitOffset' : [ 0x3ff0, 
['unsigned long']], 'PrcbPad93' : [ 0x3ff4, ['unsigned long']], 'ProcessorProfileControlArea' : [ 0x3ff8, ['pointer', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x3ffc, ['pointer', ['void']]], 'TimerExpirationDpc' : [ 0x4000, ['_KDPC']], 'SynchCounters' : [ 0x4020, ['_SYNCH_COUNTERS']], 'FsCounters' : [ 0x40d8, ['_FILESYSTEM_DISK_COUNTERS']], 'Context' : [ 0x40e8, ['pointer', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x40ec, ['unsigned long']], 'ExtendedState' : [ 0x40f0, ['pointer', ['_XSAVE_AREA']]], 'EntropyTimingState' : [ 0x40f4, ['_KENTROPY_TIMING_STATE']], 'IsrStack' : [ 0x421c, ['pointer', ['void']]], 'VectorToInterruptObject' : [ 0x4220, ['array', 208, ['pointer', ['_KINTERRUPT']]]], 'AbSelfIoBoostsList' : [ 0x4560, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x4564, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x4568, ['_KDPC']], 'IoIrpStackProfilerCurrent' : [ 0x4588, ['_IOP_IRP_STACK_PROFILER']], 'IoIrpStackProfilerPrevious' : [ 0x45dc, ['_IOP_IRP_STACK_PROFILER']], 'TimerExpirationTrace' : [ 0x4630, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : [ 0x4730, ['unsigned long']], 'ExSaPageArray' : [ 0x4734, ['pointer', ['void']]], 'PrcbPad100' : [ 0x4738, ['array', 10, ['unsigned long']]], 'LocalSharedReadyQueue' : [ 0x4760, ['_KSHARED_READY_QUEUE']], 'Mailbox' : [ 0x48a0, ['pointer', ['_REQUEST_MAILBOX']]], 'PrcbPad' : [ 0x48a4, ['array', 60, ['unsigned char']]], 'RequestMailbox' : [ 0x48e0, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'Reserved' : [ 0x14, 
['array', 3, ['pointer', ['void']]]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_PS_TRUSTLET_CREATE_ATTRIBUTES' : [ 0x18, { 'TrustletIdentity' : [ 0x0, ['unsigned long long']], 'Attributes' : [ 0x8, ['array', 1, ['_PS_TRUSTLET_ATTRIBUTE_DATA']]], } ], '_PS_TRUSTLET_ATTRIBUTE_DATA' : [ 0x10, { 'Header' : [ 0x0, ['_PS_TRUSTLET_ATTRIBUTE_HEADER']], 'Data' : [ 0x8, ['array', 1, ['unsigned long long']]], } ], '_PS_TRUSTLET_ATTRIBUTE_HEADER' : [ 0x8, { 'AttributeType' : [ 0x0, ['_PS_TRUSTLET_ATTRIBUTE_TYPE']], 'InstanceNumber' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_TRUSTLET_MAILBOX_KEY' : [ 0x10, { 'SecretValue' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_TRUSTLET_COLLABORATION_ID' : [ 0x10, { 'Value' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_KPROCESS' : [ 0xb0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'DeepFreezeStartTime' : [ 0x38, ['unsigned long long']], 'Affinity' : [ 0x40, ['_KAFFINITY_EX']], 
'ReadyListHead' : [ 0x4c, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x54, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x58, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x64, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x64, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x64, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'DeepFreeze' : [ 0x64, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x64, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x64, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'PpmPolicy' : [ 0x64, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x64, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0x64, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x64, ['long']], 'BasePriority' : [ 0x68, ['unsigned char']], 'QuantumReset' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x6c, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x70, ['array', 1, ['unsigned short']]], 'IdealGlobalNode' : [ 0x72, ['unsigned short']], 'Spare1' : [ 0x74, ['unsigned short']], 'IopmOffset' : [ 0x76, ['unsigned short']], 'SchedulingGroup' : [ 0x78, ['pointer', ['_KSCHEDULING_GROUP']]], 'StackCount' : [ 0x7c, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x80, ['_LIST_ENTRY']], 'CycleTime' : [ 0x88, ['unsigned long long']], 'ContextSwitches' : [ 0x90, ['unsigned long long']], 'FreezeCount' : [ 0x98, ['unsigned long']], 'KernelTime' : [ 0x9c, ['unsigned long']], 'UserTime' : [ 0xa0, ['unsigned long']], 'ReadyTime' : [ 0xa4, ['unsigned long']], 'VdmTrapcHandler' : [ 0xa8, ['pointer', ['void']]], 
'ProcessTimerDelay' : [ 0xac, ['unsigned long']], } ], '_KTHREAD' : [ 0x350, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x10, ['pointer', ['void']]], 'QuantumTarget' : [ 0x18, ['unsigned long long']], 'InitialStack' : [ 0x20, ['pointer', ['void']]], 'StackLimit' : [ 0x24, ['pointer', ['void']]], 'StackBase' : [ 0x28, ['pointer', ['void']]], 'ThreadLock' : [ 0x2c, ['unsigned long']], 'CycleTime' : [ 0x30, ['unsigned long long']], 'HighCycleTime' : [ 0x38, ['unsigned long']], 'ServiceTable' : [ 0x3c, ['pointer', ['void']]], 'CurrentRunTime' : [ 0x40, ['unsigned long']], 'ExpectedRunTime' : [ 0x44, ['unsigned long']], 'KernelStack' : [ 0x48, ['pointer', ['void']]], 'StateSaveArea' : [ 0x4c, ['pointer', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x50, ['pointer', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x54, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x55, ['unsigned char']], 'Alerted' : [ 0x56, ['array', 2, ['unsigned char']]], 'AutoBoostActive' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitNext' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Alertable' : [ 0x58, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x58, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x58, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x58, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x58, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'TimerActive' : [ 0x58, ['BitField', dict(start_bit = 9, end_bit 
= 10, native_type='unsigned long')]], 'SystemThread' : [ 0x58, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x58, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CalloutActive' : [ 0x58, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x58, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ApcQueueable' : [ 0x58, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x58, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x58, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'TimerSuspended' : [ 0x58, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SuspendedWaitMode' : [ 0x58, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'SuspendSchedulerApcWait' : [ 0x58, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x58, ['long']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BamEppImportant' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 
'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x5c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x5c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x5c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x5c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x5c, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x5c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'KernelStackResident' : [ 0x5c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'TerminateRequestReason' : [ 0x5c, ['BitField', dict(start_bit = 17, end_bit = 19, native_type='unsigned long')]], 'ProcessStackCountDecremented' : [ 0x5c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'RestrictedGuiThread' : [ 0x5c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ThreadFlagsSpare' : [ 0x5c, ['BitField', dict(start_bit = 21, end_bit = 24, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x5c, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x5c, ['long']], 'Tag' : [ 0x60, ['unsigned char']], 'SystemHeteroCpuPolicy' : [ 0x61, ['unsigned char']], 'UserHeteroCpuPolicy' : [ 0x62, ['BitField', dict(start_bit = 0, end_bit = 7, native_type='unsigned char')]], 'ExplicitSystemHeteroCpuPolicy' : [ 0x62, ['BitField', dict(start_bit = 
7, end_bit = 8, native_type='unsigned char')]], 'Spare0' : [ 0x63, ['unsigned char']], 'SystemCallNumber' : [ 0x64, ['unsigned long']], 'FirstArgument' : [ 0x68, ['pointer', ['void']]], 'TrapFrame' : [ 0x6c, ['pointer', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x70, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x70, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x87, ['unsigned char']], 'UserIdealProcessor' : [ 0x88, ['unsigned long']], 'ContextSwitches' : [ 0x8c, ['unsigned long']], 'State' : [ 0x90, ['unsigned char']], 'Spare12' : [ 0x91, ['unsigned char']], 'WaitIrql' : [ 0x92, ['unsigned char']], 'WaitMode' : [ 0x93, ['unsigned char']], 'WaitStatus' : [ 0x94, ['long']], 'WaitBlockList' : [ 0x98, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x9c, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x9c, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa4, ['pointer', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xa8, ['pointer', ['void']]], 'RelativeTimerBias' : [ 0xb0, ['unsigned long long']], 'Timer' : [ 0xb8, ['_KTIMER']], 'WaitBlock' : [ 0xe0, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill8' : [ 0xe0, ['array', 20, ['unsigned char']]], 'ThreadCounters' : [ 0xf4, ['pointer', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0xe0, ['array', 44, ['unsigned char']]], 'XStateSave' : [ 0x10c, ['pointer', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0xe0, ['array', 68, ['unsigned char']]], 'Win32Thread' : [ 0x124, ['pointer', ['void']]], 'WaitBlockFill11' : [ 0xe0, ['array', 88, ['unsigned char']]], 'WaitTime' : [ 0x138, ['unsigned long']], 'KernelApcDisable' : [ 0x13c, ['short']], 'SpecialApcDisable' : [ 0x13e, ['short']], 'CombinedApcDisable' : [ 0x13c, ['unsigned long']], 'QueueListEntry' : [ 0x140, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x148, ['unsigned long']], 'NextProcessorNumber' : [ 0x148, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x148, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 
0x14c, ['long']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'UserAffinity' : [ 0x154, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x154, ['array', 6, ['unsigned char']]], 'PreviousMode' : [ 0x15a, ['unsigned char']], 'BasePriority' : [ 0x15b, ['unsigned char']], 'PriorityDecrement' : [ 0x15c, ['unsigned char']], 'ForegroundBoost' : [ 0x15c, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x15c, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x15d, ['unsigned char']], 'AdjustReason' : [ 0x15e, ['unsigned char']], 'AdjustIncrement' : [ 0x15f, ['unsigned char']], 'AffinityVersion' : [ 0x160, ['unsigned long']], 'Affinity' : [ 0x164, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x164, ['array', 6, ['unsigned char']]], 'ApcStateIndex' : [ 0x16a, ['unsigned char']], 'WaitBlockCount' : [ 0x16b, ['unsigned char']], 'IdealProcessor' : [ 0x16c, ['unsigned long']], 'ReadyTime' : [ 0x170, ['unsigned long']], 'SavedApcState' : [ 0x174, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x174, ['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x18b, ['unsigned char']], 'SuspendCount' : [ 0x18c, ['unsigned char']], 'Saturation' : [ 0x18d, ['unsigned char']], 'SListFaultCount' : [ 0x18e, ['unsigned short']], 'SchedulerApc' : [ 0x190, ['_KAPC']], 'SchedulerApcFill0' : [ 0x190, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x191, ['unsigned char']], 'SchedulerApcFill1' : [ 0x190, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x193, ['unsigned char']], 'SchedulerApcFill2' : [ 0x190, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x194, ['unsigned long']], 'SchedulerApcFill3' : [ 0x190, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b4, ['pointer', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x190, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1b8, ['pointer', ['void']]], 'SchedulerApcFill5' : [ 0x190, ['array', 47, ['unsigned char']]], 'CallbackNestingLevel' : [ 
0x1bf, ['unsigned char']], 'UserTime' : [ 0x1c0, ['unsigned long']], 'SuspendEvent' : [ 0x1c4, ['_KEVENT']], 'ThreadListEntry' : [ 0x1d4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1dc, ['_LIST_ENTRY']], 'AbEntrySummary' : [ 0x1e4, ['unsigned char']], 'AbWaitEntryCount' : [ 0x1e5, ['unsigned char']], 'AbAllocationRegionCount' : [ 0x1e6, ['unsigned char']], 'Spare20' : [ 0x1e7, ['unsigned char']], 'LockEntries' : [ 0x1e8, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x308, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x30c, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x310, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x320, ['unsigned long']], 'AbCompletedIoBoostCount' : [ 0x324, ['long']], 'AbCompletedIoQoSBoostCount' : [ 0x328, ['long']], 'KeReferenceCount' : [ 0x32c, ['short']], 'AbOrphanedEntrySummary' : [ 0x32e, ['unsigned char']], 'AbOwnedEntryCount' : [ 0x32f, ['unsigned char']], 'ForegroundLossTime' : [ 0x330, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x334, ['_LIST_ENTRY']], 'ForegroundDpcStackListEntry' : [ 0x334, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x338, ['unsigned long']], 'QueuedScb' : [ 0x33c, ['pointer', ['_KSCB']]], 'NpxState' : [ 0x340, ['unsigned long long']], 'ThreadTimerDelay' : [ 0x348, ['unsigned long']], } ], '_KSTACK_CONTROL' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long']], 'ActualLimit' : [ 0x4, ['unsigned long']], 'StackExpansion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousTrapFrame' : [ 0x8, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0xc, ['pointer', ['void']]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 
0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'CpuId' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer', ['void']]], 'DeleteContext' : [ 0xc, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', 
['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0x100, { 'IdleNonParkedCpuSet' : [ 0x0, ['unsigned long']], 'IdleSmtSet' : [ 0x4, ['unsigned long']], 'IdleCpuSet' : [ 0x8, ['unsigned long']], 'DeepIdleSet' : [ 0x40, ['unsigned long']], 'IdleConstrainedSet' : [ 0x44, ['unsigned long']], 'NonParkedSet' : [ 0x48, ['unsigned long']], 'ParkLock' : [ 0x4c, ['long']], 'Seed' 
: [ 0x50, ['unsigned long']], 'SiblingMask' : [ 0x80, ['unsigned long']], 'Affinity' : [ 0x84, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x84, ['array', 6, ['unsigned char']]], 'NodeNumber' : [ 0x8a, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x8c, ['unsigned short']], 'Stride' : [ 0x8e, ['unsigned char']], 'Spare0' : [ 0x8f, ['unsigned char']], 'SharedReadyQueueLeaders' : [ 0x90, ['unsigned long']], 'ProximityId' : [ 0x94, ['unsigned long']], 'Lowest' : [ 0x98, ['unsigned long']], 'Highest' : [ 0x9c, ['unsigned long']], 'MaximumProcessors' : [ 0xa0, ['unsigned char']], 'Flags' : [ 0xa1, ['_flags']], 'Spare10' : [ 0xa2, ['unsigned char']], 'HeteroSets' : [ 0xa4, ['array', 5, ['_KHETERO_PROCESSOR_SET']]], } ], '_ENODE' : [ 0x540, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueues' : [ 0x100, ['array', 8, ['pointer', ['_EX_WORK_QUEUE']]]], 'ExWorkQueue' : [ 0x120, ['_EX_WORK_QUEUE']], 'IoWorkQueue' : [ 0x2d8, ['_EX_WORK_QUEUE']], 'ExpThreadSetManagerEvent' : [ 0x490, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x4a0, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x4c8, ['_KEVENT']], 'WaitBlocks' : [ 0x4d8, ['array', 3, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x520, ['pointer', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x524, ['unsigned long']], 'ExWorkerFullInit' : [ 0x528, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x528, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x528, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x80, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long']], 'QuotaProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'StrictFIFO' : [ 0x1c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : 
[ 0x1c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x1c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x1c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'RaiseUMExceptionOnInvalidHandleClose' : [ 0x1c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x20, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x24, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x40, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x40, ['array', 20, ['unsigned char']]], 'DebugInfo' : [ 0x54, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x8, { 'AuditMask' : [ 0x0, ['unsigned long']], 'MaxRelativeAccessMask' : [ 0x4, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'VolatileLowValue' : [ 0x0, ['long']], 'LowValue' : [ 0x0, ['long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'HighValue' : [ 0x4, ['long']], 'NextFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x4, ['_EXHANDLE']], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'RefCountField' : [ 0x4, ['long']], 'GrantedAccessBits' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'ProtectFromClose' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'RefCnt' : [ 0x4, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 
'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '__unnamed_1352' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1352']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc4, { 'PrivilegesUsed' : [ 0x0, ['pointer', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xc0, ['unsigned char']], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_ETHREAD' : [ 0x480, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x350, ['_LARGE_INTEGER']], 
'ExitTime' : [ 0x358, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x358, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x360, ['pointer', ['void']]], 'PostBlockList' : [ 0x364, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x364, ['pointer', ['void']]], 'StartAddress' : [ 0x368, ['pointer', ['void']]], 'TerminationPort' : [ 0x36c, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x36c, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x36c, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x370, ['unsigned long']], 'ActiveTimerListHead' : [ 0x374, ['_LIST_ENTRY']], 'Cid' : [ 0x37c, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x384, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x384, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x398, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x39c, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3a4, ['unsigned long']], 'DeviceToVerify' : [ 0x3a8, ['pointer', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x3ac, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x3b0, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x3b4, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x3bc, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x3c0, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x3c4, ['unsigned long']], 'MmLockOrdering' : [ 0x3c8, ['long']], 'CrossThreadFlags' : [ 0x3cc, ['unsigned long']], 'Terminated' : [ 0x3cc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x3cc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x3cc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x3cc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x3cc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x3cc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x3cc, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x3cc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x3cc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x3cc, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x3cc, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x3cc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x3cc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x3cc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DisableDynamicCodeOptOut' : [ 0x3cc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ExplicitCaseSensitivity' : [ 0x3cc, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PicoNotifyExit' : [ 0x3cc, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'DbgWerUserReportActive' : [ 0x3cc, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x3cc, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x3d0, ['unsigned long']], 'ActiveExWorker' : [ 0x3d0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x3d0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'StoreLockThread' : [ 0x3d0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'ClonedThread' : [ 0x3d0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x3d0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 
'SelfTerminate' : [ 0x3d0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RespectIoPriority' : [ 0x3d0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ActivePageLists' : [ 0x3d0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedSameThreadPassiveFlags' : [ 0x3d0, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x3d4, ['unsigned long']], 'OwnsProcessAddressSpaceExclusive' : [ 0x3d4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x3d4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardFaultBehavior' : [ 0x3d4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x3d4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x3d4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x3d4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Prefetching' : [ 0x3d4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x3d4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x3d5, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x3d5, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x3d8, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x3d9, ['unsigned char']], 'ActiveFaultCount' : [ 0x3da, ['unsigned char']], 'LockOrderState' : [ 0x3db, ['unsigned char']], 'AlpcMessageId' : [ 0x3dc, ['unsigned long']], 'AlpcMessage' : [ 0x3e0, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x3e0, ['unsigned long']], 'AlpcWaitListEntry' 
: [ 0x3e4, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x3ec, ['long']], 'CacheManagerCount' : [ 0x3f0, ['unsigned long']], 'IoBoostCount' : [ 0x3f4, ['unsigned long']], 'IoQoSBoostCount' : [ 0x3f8, ['unsigned long']], 'IoQoSThrottleCount' : [ 0x3fc, ['unsigned long']], 'BoostList' : [ 0x400, ['_LIST_ENTRY']], 'DeboostList' : [ 0x408, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x410, ['unsigned long']], 'IrpListLock' : [ 0x414, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x418, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x41c, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x420, ['pointer', ['_GUID']]], 'SeLearningModeListHead' : [ 0x424, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x428, ['pointer', ['void']]], 'KernelStackReference' : [ 0x42c, ['unsigned long']], 'AdjustedClientToken' : [ 0x430, ['pointer', ['void']]], 'WorkOnBehalfThread' : [ 0x434, ['pointer', ['void']]], 'PropertySet' : [ 0x438, ['_PS_PROPERTY_SET']], 'PicoContext' : [ 0x444, ['pointer', ['void']]], 'UserFsBase' : [ 0x448, ['unsigned long']], 'UserGsBase' : [ 0x44c, ['unsigned long']], 'EnergyValues' : [ 0x450, ['pointer', ['_THREAD_ENERGY_VALUES']]], 'CmDbgInfo' : [ 0x454, ['pointer', ['void']]], 'SelectedCpuSets' : [ 0x458, ['unsigned long']], 'SelectedCpuSetsIndirect' : [ 0x458, ['pointer', ['unsigned long']]], 'Silo' : [ 0x45c, ['pointer', ['_EJOB']]], 'ThreadName' : [ 0x460, ['pointer', ['_UNICODE_STRING']]], 'LastExpectedRunTime' : [ 0x464, ['unsigned long']], 'OwnerEntryListHead' : [ 0x468, ['_LIST_ENTRY']], 'DisownedOwnerEntryListLock' : [ 0x470, ['unsigned long']], 'DisownedOwnerEntryListHead' : [ 0x474, ['_LIST_ENTRY']], } ], '_EPROCESS' : [ 0x3e0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'RundownProtect' : [ 0xc0, ['_EX_RUNDOWN_REF']], 'VdmObjects' : [ 0xc4, ['pointer', ['void']]], 'Flags2' : [ 0xc8, ['unsigned long']], 'JobNotReallyActive' : [ 0xc8, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0xc8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0xc8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0xc8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0xc8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0xc8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0xc8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0xc8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0xc8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0xc8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0xc8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0xc8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0xc8, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0xc8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0xc8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0xc8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0xc8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0xc8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0xc8, ['BitField', 
dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0xc8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0xc8, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0xc8, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0xc8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0xc8, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0xc8, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0xc8, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0xc8, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0xc8, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0xcc, ['unsigned long']], 'CreateReported' : [ 0xcc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0xcc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0xcc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0xcc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0xcc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0xcc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0xcc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0xcc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 
'FailFastOnCommitFail' : [ 0xcc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0xcc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0xcc, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0xcc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0xcc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0xcc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0xcc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0xcc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0xcc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0xcc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0xcc, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0xcc, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0xcc, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0xcc, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0xcc, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0xcc, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0xcc, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0xcc, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0xcc, ['BitField', 
dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0xcc, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0xcc, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CreateTime' : [ 0xd0, ['_LARGE_INTEGER']], 'ProcessQuotaUsage' : [ 0xd8, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xe0, ['array', 2, ['unsigned long']]], 'PeakVirtualSize' : [ 0xe8, ['unsigned long']], 'VirtualSize' : [ 0xec, ['unsigned long']], 'SessionProcessLinks' : [ 0xf0, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0xf8, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xf8, ['unsigned long']], 'ExceptionPortState' : [ 0xf8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Token' : [ 0xfc, ['_EX_FAST_REF']], 'MmReserved' : [ 0x100, ['unsigned long']], 'AddressCreationLock' : [ 0x104, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0x108, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x10c, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0x110, ['pointer', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x114, ['pointer', ['_EJOB']]], 'CloneRoot' : [ 0x118, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x11c, ['unsigned long']], 'NumberOfLockedPages' : [ 0x120, ['unsigned long']], 'Win32Process' : [ 0x124, ['pointer', ['void']]], 'Job' : [ 0x128, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x12c, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x130, ['pointer', ['void']]], 'Cookie' : [ 0x134, ['unsigned long']], 'WorkingSetWatch' : [ 0x138, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x13c, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x140, ['pointer', ['void']]], 'LdtInformation' : [ 0x144, ['pointer', ['void']]], 'OwnerProcessId' : [ 0x148, ['unsigned long']], 'Peb' : [ 0x14c, ['pointer', ['_PEB']]], 'Session' : [ 0x150, ['pointer', ['_MM_SESSION_SPACE']]], 'AweInfo' : [ 0x154, ['pointer', ['void']]], 
'QuotaBlock' : [ 0x158, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x15c, ['pointer', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x160, ['pointer', ['void']]], 'PaeTop' : [ 0x164, ['pointer', ['void']]], 'DeviceMap' : [ 0x168, ['pointer', ['void']]], 'EtwDataSource' : [ 0x16c, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x170, ['unsigned long long']], 'ImageFilePointer' : [ 0x178, ['pointer', ['_FILE_OBJECT']]], 'ImageFileName' : [ 0x17c, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x18b, ['unsigned char']], 'SecurityPort' : [ 0x18c, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x190, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x194, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x19c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x1a0, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x1a8, ['unsigned long']], 'ImagePathHash' : [ 0x1ac, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1b0, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1b4, ['long']], 'PrefetchTrace' : [ 0x1b8, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x1bc, ['pointer', ['void']]], 'ReadOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1e0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1e8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1f0, ['unsigned long']], 'CommitCharge' : [ 0x1f4, ['unsigned long']], 'CommitChargePeak' : [ 0x1f8, ['unsigned long']], 'Vm' : [ 0x1fc, ['_MMSUPPORT_FULL']], 'MmProcessLinks' : [ 0x288, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x290, ['unsigned long']], 'ExitStatus' : [ 0x294, ['long']], 'VadRoot' : [ 0x298, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x29c, ['pointer', ['void']]], 'VadCount' : [ 0x2a0, ['unsigned long']], 'VadPhysicalPages' : [ 0x2a4, ['unsigned long']], 'VadPhysicalPagesLimit' : [ 0x2a8, ['unsigned long']], 'AlpcContext' : [ 0x2ac, 
['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x2bc, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x2c4, ['pointer', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x2c8, ['unsigned long']], 'SmallestTimerResolution' : [ 0x2cc, ['unsigned long']], 'ExitTime' : [ 0x2d0, ['_LARGE_INTEGER']], 'ActiveThreadsHighWatermark' : [ 0x2d8, ['unsigned long']], 'LargePrivateVadCount' : [ 0x2dc, ['unsigned long']], 'ThreadListLock' : [ 0x2e0, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x2e4, ['pointer', ['void']]], 'ServerSilo' : [ 0x2e8, ['pointer', ['_EJOB']]], 'SignatureLevel' : [ 0x2ec, ['unsigned char']], 'SectionSignatureLevel' : [ 0x2ed, ['unsigned char']], 'Protection' : [ 0x2ee, ['_PS_PROTECTION']], 'HangCount' : [ 0x2ef, ['unsigned char']], 'Flags3' : [ 0x2f0, ['unsigned long']], 'Minimal' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReplacingPageRoot' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DisableNonSystemFonts' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AuditNonSystemFontLoading' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Crashed' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'JobVadsAreTracked' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'VadTrackingDisabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AuxiliaryProcess' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SubsystemProcess' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x2f0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'InPrivate' : [ 0x2f0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 
'ProhibitRemoteImageMap' : [ 0x2f0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ProhibitLowILImageMap' : [ 0x2f0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SignatureMitigationOptIn' : [ 0x2f0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DisableDynamicCodeAllowOptOut' : [ 0x2f0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'EnableFilteredWin32kAPIs' : [ 0x2f0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'AuditFilteredWin32kAPIs' : [ 0x2f0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PreferSystem32Images' : [ 0x2f0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'RelinquishedCommit' : [ 0x2f0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AutomaticallyOverrideChildProcessPolicy' : [ 0x2f0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'HighGraphicsPriority' : [ 0x2f0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CommitFailLogged' : [ 0x2f0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ReserveFailLogged' : [ 0x2f0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DisableDynamicCodeAllowRemoteDowngrade' : [ 0x2f0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'LoaderIntegrityContinuityEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'LoaderIntegrityContinuityAudit' : [ 0x2f0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ControlFlowGuardExportSuppressionEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'FatalAccessTerminationRequested' : [ 0x2f0, ['BitField', dict(start_bit = 27, 
end_bit = 28, native_type='unsigned long')]], 'DisableSystemAllowedCpuSet' : [ 0x2f0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ControlFlowGuardStrict' : [ 0x2f0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'DeviceAsid' : [ 0x2f4, ['long']], 'SvmData' : [ 0x2f8, ['pointer', ['void']]], 'SvmProcessLock' : [ 0x2fc, ['_EX_PUSH_LOCK']], 'SvmLock' : [ 0x300, ['unsigned long']], 'SvmProcessDeviceListHead' : [ 0x304, ['_LIST_ENTRY']], 'LastFreezeInterruptTime' : [ 0x310, ['unsigned long long']], 'DiskCounters' : [ 0x318, ['pointer', ['_PROCESS_DISK_COUNTERS']]], 'PicoContext' : [ 0x31c, ['pointer', ['void']]], 'HighPriorityFaultsAllowed' : [ 0x320, ['unsigned long']], 'InstrumentationCallback' : [ 0x324, ['pointer', ['void']]], 'EnergyContext' : [ 0x328, ['pointer', ['_PO_PROCESS_ENERGY_CONTEXT']]], 'VmContext' : [ 0x32c, ['pointer', ['void']]], 'SequenceNumber' : [ 0x330, ['unsigned long long']], 'CreateInterruptTime' : [ 0x338, ['unsigned long long']], 'CreateUnbiasedInterruptTime' : [ 0x340, ['unsigned long long']], 'TotalUnbiasedFrozenTime' : [ 0x348, ['unsigned long long']], 'LastAppStateUpdateTime' : [ 0x350, ['unsigned long long']], 'LastAppStateUptime' : [ 0x358, ['BitField', dict(start_bit = 0, end_bit = 61, native_type='unsigned long long')]], 'LastAppState' : [ 0x358, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], 'SharedCommitCharge' : [ 0x360, ['unsigned long']], 'SharedCommitLock' : [ 0x364, ['_EX_PUSH_LOCK']], 'SharedCommitLinks' : [ 0x368, ['_LIST_ENTRY']], 'AllowedCpuSets' : [ 0x370, ['unsigned long']], 'DefaultCpuSets' : [ 0x374, ['unsigned long']], 'AllowedCpuSetsIndirect' : [ 0x370, ['pointer', ['unsigned long']]], 'DefaultCpuSetsIndirect' : [ 0x374, ['pointer', ['unsigned long']]], 'DiskIoAttribution' : [ 0x378, ['pointer', ['void']]], 'DxgProcess' : [ 0x37c, ['pointer', ['void']]], 'Win32KFilterSet' : [ 0x380, ['unsigned long']], 
'ProcessTimerDelay' : [ 0x388, ['_PS_INTERLOCKED_TIMER_DELAY_VALUES']], 'KTimerSets' : [ 0x390, ['unsigned long']], 'KTimer2Sets' : [ 0x394, ['unsigned long']], 'ThreadTimerSets' : [ 0x398, ['unsigned long']], 'VirtualTimerListLock' : [ 0x39c, ['unsigned long']], 'VirtualTimerListHead' : [ 0x3a0, ['_LIST_ENTRY']], 'WakeChannel' : [ 0x3a8, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x3a8, ['_PS_PROCESS_WAKE_INFORMATION']], 'Flags4' : [ 0x3d8, ['unsigned long']], 'PicoCreated' : [ 0x3d8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RestrictSetThreadContext' : [ 0x3d8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_13b5' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_13bb' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_13bd' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_13bb']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_13c6' : [ 0x2c, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x28, ['pointer', ['void']]], } ], '__unnamed_13c8' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_13c6']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned 
long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_13b5']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_13bd']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_13c8']], } ], '__unnamed_13cf' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_13d3' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_13d7' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_13d9' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_13dd' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', 
choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 
'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileDesiredStorageClassInformation', 68: 'FileStatInformation', 69: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_13df' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_13e1' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 
'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileDesiredStorageClassInformation', 68: 'FileStatInformation', 69: 'FileMaximumInformation'})]], } ], '__unnamed_13e3' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 
'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileDesiredStorageClassInformation', 68: 'FileStatInformation', 69: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13e5' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], 
'__unnamed_13e7' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_13eb' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMetadataSizeInformation', 14: 'FileFsMaximumInformation'})]], } ], '__unnamed_13ed' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13f0' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_13f2' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13f4' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_13f6' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_13fa' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_13fe' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1402' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], 
} ], '__unnamed_1406' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_140a' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_140e' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1412' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1414' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_1416' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_141a' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_141e' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1422' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_1426' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_142a' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1432' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], } ], '__unnamed_1436' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1438' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_143a' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_143c' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_13cf']], 'CreatePipe' : [ 0x0, ['__unnamed_13d3']], 'CreateMailslot' : [ 0x0, ['__unnamed_13d7']], 'Read' : [ 0x0, ['__unnamed_13d9']], 'Write' : [ 0x0, ['__unnamed_13d9']], 'QueryDirectory' : [ 0x0, ['__unnamed_13dd']], 'NotifyDirectory' : [ 0x0, ['__unnamed_13df']], 'QueryFile' : [ 0x0, ['__unnamed_13e1']], 'SetFile' : [ 0x0, ['__unnamed_13e3']], 'QueryEa' : [ 0x0, ['__unnamed_13e5']], 'SetEa' : [ 0x0, 
['__unnamed_13e7']], 'QueryVolume' : [ 0x0, ['__unnamed_13eb']], 'SetVolume' : [ 0x0, ['__unnamed_13eb']], 'FileSystemControl' : [ 0x0, ['__unnamed_13ed']], 'LockControl' : [ 0x0, ['__unnamed_13f0']], 'DeviceIoControl' : [ 0x0, ['__unnamed_13f2']], 'QuerySecurity' : [ 0x0, ['__unnamed_13f4']], 'SetSecurity' : [ 0x0, ['__unnamed_13f6']], 'MountVolume' : [ 0x0, ['__unnamed_13fa']], 'VerifyVolume' : [ 0x0, ['__unnamed_13fa']], 'Scsi' : [ 0x0, ['__unnamed_13fe']], 'QueryQuota' : [ 0x0, ['__unnamed_1402']], 'SetQuota' : [ 0x0, ['__unnamed_13e7']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1406']], 'QueryInterface' : [ 0x0, ['__unnamed_140a']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_140e']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1412']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1414']], 'SetLock' : [ 0x0, ['__unnamed_1416']], 'QueryId' : [ 0x0, ['__unnamed_141a']], 'QueryDeviceText' : [ 0x0, ['__unnamed_141e']], 'UsageNotification' : [ 0x0, ['__unnamed_1422']], 'WaitWake' : [ 0x0, ['__unnamed_1426']], 'PowerSequence' : [ 0x0, ['__unnamed_142a']], 'Power' : [ 0x0, ['__unnamed_1432']], 'StartDevice' : [ 0x0, ['__unnamed_1436']], 'WMI' : [ 0x0, ['__unnamed_1438']], 'Others' : [ 0x0, ['__unnamed_143a']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_143c']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1452' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 
'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_1452']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x8, ['unsigned long']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x14, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], 'SiloContext' : [ 0x10, ['pointer', ['_EJOB']]], } ], '_EJOB' : [ 0x398, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 
'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x70, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x78, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0x80, ['unsigned long long']], 'TotalPageFaultCount' : [ 0x88, ['unsigned long']], 'TotalProcesses' : [ 0x8c, ['unsigned long']], 'ActiveProcesses' : [ 0x90, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x94, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x98, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xa0, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xa8, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xac, ['unsigned long']], 'LimitFlags' : [ 0xb0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xb4, ['unsigned long']], 'Affinity' : [ 0xb8, ['_KAFFINITY_EX']], 'AccessState' : [ 0xc4, ['pointer', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0xc8, ['pointer', ['void']]], 'UIRestrictionsClass' : [ 0xcc, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xd0, ['unsigned long']], 'CompletionPort' : [ 0xd4, ['pointer', ['void']]], 'CompletionKey' : [ 0xd8, ['pointer', ['void']]], 'CompletionCount' : [ 0xe0, ['unsigned long long']], 'SessionId' : [ 0xe8, ['unsigned long']], 'SchedulingClass' : [ 0xec, ['unsigned long']], 'ReadOperationCount' : [ 0xf0, ['unsigned long long']], 'WriteOperationCount' : [ 0xf8, ['unsigned long long']], 'OtherOperationCount' : [ 0x100, ['unsigned long long']], 'ReadTransferCount' : [ 0x108, ['unsigned long long']], 'WriteTransferCount' : [ 0x110, ['unsigned long long']], 'OtherTransferCount' : [ 0x118, ['unsigned long long']], 'DiskIoInfo' : [ 0x120, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x148, ['unsigned long']], 'JobMemoryLimit' : [ 0x14c, ['unsigned long']], 'JobTotalMemoryLimit' : [ 0x150, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x154, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x158, ['unsigned long']], 
'EffectiveAffinity' : [ 0x15c, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x168, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x170, ['unsigned long']], 'EffectiveMaximumWorkingSetSize' : [ 0x174, ['unsigned long']], 'EffectiveProcessMemoryLimit' : [ 0x178, ['unsigned long']], 'EffectiveProcessMemoryLimitJob' : [ 0x17c, ['pointer', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x180, ['pointer', ['_EJOB']]], 'EffectiveNetIoRateLimitJob' : [ 0x184, ['pointer', ['_EJOB']]], 'EffectiveHeapAttributionJob' : [ 0x188, ['pointer', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x18c, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x190, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x194, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x198, ['unsigned long']], 'EffectiveSwapCount' : [ 0x19c, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x1a0, ['unsigned long']], 'EffectivePriorityClass' : [ 0x1a4, ['unsigned char']], 'PriorityClass' : [ 0x1a5, ['unsigned char']], 'NestingDepth' : [ 0x1a6, ['unsigned char']], 'Reserved1' : [ 0x1a7, ['array', 1, ['unsigned char']]], 'CompletionFilter' : [ 0x1a8, ['unsigned long']], 'WakeChannel' : [ 0x1b0, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x1b0, ['_PS_JOB_WAKE_INFORMATION']], 'WakeFilter' : [ 0x1f8, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x200, ['unsigned long']], 'NotificationLink' : [ 0x204, ['pointer', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x208, ['unsigned long long']], 'NotificationInfo' : [ 0x210, ['pointer', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x214, ['pointer', ['void']]], 'NotificationPacket' : [ 0x218, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x21c, ['pointer', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x220, ['pointer', ['void']]], 'ReadyTime' : [ 0x228, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x230, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x234, 
['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x23c, ['_LIST_ENTRY']], 'ParentJob' : [ 0x244, ['pointer', ['_EJOB']]], 'RootJob' : [ 0x248, ['pointer', ['_EJOB']]], 'IteratorListHead' : [ 0x24c, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x254, ['unsigned long']], 'Ancestors' : [ 0x258, ['pointer', ['pointer', ['_EJOB']]]], 'SessionObject' : [ 0x258, ['pointer', ['void']]], 'Accounting' : [ 0x260, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x2b8, ['unsigned long']], 'ActiveAuxiliaryProcessCount' : [ 0x2bc, ['unsigned long']], 'SequenceNumber' : [ 0x2c0, ['unsigned long']], 'JobId' : [ 0x2c4, ['unsigned long']], 'ContainerId' : [ 0x2c8, ['_GUID']], 'ContainerTelemetryId' : [ 0x2d8, ['_GUID']], 'ServerSiloGlobals' : [ 0x2e8, ['pointer', ['_ESERVERSILO_GLOBALS']]], 'PropertySet' : [ 0x2ec, ['_PS_PROPERTY_SET']], 'Storage' : [ 0x2f8, ['pointer', ['_PSP_STORAGE']]], 'NetRateControl' : [ 0x2fc, ['pointer', ['_JOB_NET_RATE_CONTROL']]], 'JobFlags' : [ 0x300, ['unsigned long']], 'CloseDone' : [ 0x300, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x300, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x300, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x300, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x300, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x300, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x300, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x300, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x300, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x300, ['BitField', dict(start_bit 
= 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x300, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x300, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x300, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x300, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x300, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x300, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x300, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x300, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x300, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x300, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x300, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x300, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x300, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x300, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x300, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'NetRateControlActive' : [ 0x300, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'OwnNetRateControl' : [ 0x300, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 
'IoRateControlActive' : [ 0x300, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'OwnIoRateControl' : [ 0x300, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'DisallowNewProcesses' : [ 0x300, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Silo' : [ 0x300, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ContainerTelemetryIdSet' : [ 0x300, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'JobFlags2' : [ 0x304, ['unsigned long']], 'ParentLocked' : [ 0x304, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'EnableUsermodeSiloThreadImpersonation' : [ 0x304, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DisallowUsermodeSiloThreadImpersonation' : [ 0x304, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EnergyValues' : [ 0x308, ['pointer', ['_PROCESS_EXTENDED_ENERGY_VALUES']]], 'SharedCommitCharge' : [ 0x30c, ['unsigned long']], 'DiskIoAttributionUserRefCount' : [ 0x310, ['unsigned long']], 'DiskIoAttributionRefCount' : [ 0x314, ['unsigned long']], 'DiskIoAttributionContext' : [ 0x318, ['pointer', ['void']]], 'DiskIoAttributionOwnerJob' : [ 0x318, ['pointer', ['_EJOB']]], 'IoRateControlHeader' : [ 0x31c, ['_JOB_RATE_CONTROL_HEADER']], 'GlobalIoControl' : [ 0x330, ['_PS_IO_CONTROL_ENTRY']], 'IoControlStateLock' : [ 0x34c, ['long']], 'VolumeIoControlTree' : [ 0x350, ['_RTL_RB_TREE']], 'IoRateOverQuotaHistory' : [ 0x358, ['unsigned long long']], 'IoRateCurrentGeneration' : [ 0x360, ['unsigned long']], 'IoRateLastQueryGeneration' : [ 0x364, ['unsigned long']], 'IoRateGenerationLength' : [ 0x368, ['unsigned long']], 'IoRateOverQuotaNotifySequenceId' : [ 0x36c, ['unsigned long']], 'IoControlLock' : [ 0x370, ['_EX_PUSH_LOCK']], 'SiloHardReferenceCount' : [ 0x374, ['unsigned long']], 'RundownWorkItem' : [ 0x378, 
['_WORK_QUEUE_ITEM']], 'MemoryPartitionObject' : [ 0x388, ['pointer', ['void']]], 'EnergyTrackingState' : [ 0x390, ['_JOBOBJECT_ENERGY_TRACKING_STATE']], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'Type' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['unsigned char']], 'Reserved2' : [ 0xe, ['unsigned short']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x68, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x5c, ['pointer', ['void']]], 'UserContext' : [ 0x60, ['pointer', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, 
['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', 
['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_PROCESS_EXTENDED_ENERGY_VALUES' : [ 0x158, { 'Base' : [ 0x0, ['_PROCESS_ENERGY_VALUES']], 'Extension' : [ 0x110, ['_PROCESS_ENERGY_VALUES_EXTENSION']], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 
'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, 
['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], 'Oplock' : [ 0x3c, ['pointer', ['void']]], 'ReservedForRemote' : [ 0x3c, ['pointer', ['void']]], 'ReservedContext' : [ 0x40, ['pointer', ['void']]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_TlgProvider_t' : [ 0x30, { 'LevelPlus1' : [ 0x0, ['unsigned long']], 'ProviderMetadataPtr' : [ 0x4, ['pointer', ['unsigned short']]], 'KeywordAny' : [ 0x8, ['unsigned long long']], 'KeywordAll' : [ 0x10, ['unsigned long long']], 'RegHandle' : [ 0x18, ['unsigned long long']], 'EnableCallback' : [ 0x20, ['pointer', ['void']]], 'CallbackContext' : [ 0x24, ['pointer', ['void']]], 'AnnotationFunc' : [ 0x28, ['pointer', ['void']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_TlgProviderMetadata_t' : [ 0x13, { 'Type' : [ 0x0, ['unsigned char']], 'ProviderId' : [ 0x1, ['_GUID']], 'RemainingSize' : [ 0x11, ['unsigned short']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '__unnamed_1642' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'HighLow' : [ 0x0, ['_MMPTE_HIGHLOW']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 
'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1642']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND' : [ 0xc, { 'LocalLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'State' : [ 0x4, ['_EX_PUSH_LOCK_AUTO_EXPAND_STATE']], 'Stats' : [ 0x8, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'ReservedLowFlags' : [ 0xe, ['unsigned char']], 'WaiterPriority' : [ 0xf, ['unsigned char']], 'SharedWaiters' : [ 0x10, ['pointer', ['void']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['void']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '_MMCLONE_DESCRIPTOR' : [ 0x30, { 'CloneNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Next' : [ 0x0, ['pointer', ['_MMCLONE_DESCRIPTOR']]], 'StartingCloneBlock' : [ 0xc, ['pointer', ['_MMCLONE_BLOCK']]], 'EndingCloneBlock' : [ 0x10, 
['pointer', ['_MMCLONE_BLOCK']]], 'NumberOfPtes' : [ 0x14, ['unsigned long']], 'NumberOfReferences' : [ 0x18, ['unsigned long']], 'CloneHeader' : [ 0x1c, ['pointer', ['_MMCLONE_HEADER']]], 'NonPagedPoolQuotaCharge' : [ 0x20, ['unsigned long']], 'NestingLevel' : [ 0x28, ['unsigned long long']], } ], '__unnamed_1686' : [ 0x4, { 'MustNotBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], } ], '__unnamed_1688' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'PageTableWsle' : [ 0x0, ['__unnamed_1686']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_168d' : [ 0x2, { 'ReferenceCount' : [ 0x0, ['unsigned short']], } ], '__unnamed_168f' : [ 0x4, { 'EntireField' : [ 0x0, ['unsigned long']], } ], '__unnamed_1691' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY1']], 'e3' : [ 0x3, ['_MMPFNENTRY3']], 'e2' : [ 0x0, ['__unnamed_168d']], 'e4' : [ 0x0, ['__unnamed_168f']], } ], '__unnamed_1696' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireField' : [ 0x0, ['unsigned long']], } ], '_MMPFN' : [ 0x1c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'u1' : [ 0x0, ['__unnamed_1688']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x4, 
['pointer', ['void']]], 'PteLong' : [ 0x4, ['unsigned long']], 'OriginalPte' : [ 0x8, ['_MMPTE']], 'u2' : [ 0x10, ['_MIPFNBLINK']], 'u3' : [ 0x14, ['__unnamed_1691']], 'u4' : [ 0x18, ['__unnamed_1696']], } ], '__unnamed_16a1' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcessId' : [ 0x0, ['unsigned long']], } ], '__unnamed_16a5' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_16a1']], 'u2' : [ 0x24, ['__unnamed_16a5']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], } ], '__unnamed_16aa' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_16b3' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'LargePage' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SystemImage' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'StrongCode' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 20, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 23, native_type='unsigned long')]], 'ImageActive' : [ 0x4, 
['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_16b5' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_16b3']], } ], '__unnamed_16ba' : [ 0x4, { 'IoAttributionContext' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], 'ImageCrossPartitionCharge' : [ 0x0, ['unsigned long']], 'CommittedPageCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 20, native_type='unsigned long')]], } ], '_CONTROL_AREA' : [ 0x50, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'ListHead' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_16aa']], 'FilePointer' : [ 0x20, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x24, ['long']], 'ModifiedWriteCount' : [ 0x28, ['unsigned long']], 'WaitList' : [ 0x2c, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x30, ['__unnamed_16b5']], 'FileObjectLock' : [ 0x3c, ['_EX_PUSH_LOCK']], 'LockedPages' : [ 0x40, ['unsigned long long']], 'u3' : [ 0x48, ['__unnamed_16ba']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x38, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'BasePte' : [ 0x8, ['pointer', ['_MMPTE']]], 'Flags' : [ 0xc, ['unsigned long']], 'VaType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 
'MiVaSpecialPoolNonPaged', 14: 'MiVaPagedProtoPool', 15: 'MiVaMaximumType', 16: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'PteFailures' : [ 0x18, ['unsigned long']], 'SpinLock' : [ 0x1c, ['unsigned long']], 'GlobalPushLock' : [ 0x1c, ['pointer', ['_EX_PUSH_LOCK']]], 'Vm' : [ 0x20, ['pointer', ['_MMSUPPORT_INSTANCE']]], 'TotalSystemPtes' : [ 0x24, ['unsigned long']], 'Hint' : [ 0x28, ['unsigned long']], 'LowestBitEverAllocated' : [ 0x2c, ['unsigned long']], 'CachedPtes' : [ 0x30, ['pointer', ['_MI_CACHED_PTES']]], 'TotalFreeSystemPtes' : [ 0x34, ['unsigned long']], } ], '__unnamed_16db' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_16de' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x28, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['long']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u' : [ 0x1c, ['__unnamed_16db']], 'u1' : [ 0x20, ['__unnamed_16de']], 'EventList' : [ 0x24, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 0x0, ['unsigned long']], } ], '_HHIVE' : [ 0x6f0, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileWrite' : [ 0x14, ['pointer', ['void']]], 'FileRead' : [ 0x18, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x1c, ['pointer', ['void']]], 'BaseBlock' : [ 0x20, ['pointer', ['_HBASE_BLOCK']]], 
'DirtyVector' : [ 0x24, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x2c, ['unsigned long']], 'DirtyAlloc' : [ 0x30, ['unsigned long']], 'UnreconciledVector' : [ 0x34, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x3c, ['unsigned long']], 'BaseBlockAlloc' : [ 0x40, ['unsigned long']], 'Cluster' : [ 0x44, ['unsigned long']], 'Flat' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SystemCacheBacked' : [ 0x48, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x49, ['unsigned char']], 'HvBinHeadersUse' : [ 0x4c, ['unsigned long']], 'HvFreeCellsUse' : [ 0x50, ['unsigned long']], 'HvUsedCellsUse' : [ 0x54, ['unsigned long']], 'CmUsedCellsUse' : [ 0x58, ['unsigned long']], 'HiveFlags' : [ 0x5c, ['unsigned long']], 'CurrentLog' : [ 0x60, ['unsigned long']], 'CurrentLogSequence' : [ 0x64, ['unsigned long']], 'CurrentLogMinimumSequence' : [ 0x68, ['unsigned long']], 'CurrentLogOffset' : [ 0x6c, ['unsigned long']], 'MinimumLogSequence' : [ 0x70, ['unsigned long']], 'LogFileSizeCap' : [ 0x74, ['unsigned long']], 'LogDataPresent' : [ 0x78, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0x7a, ['unsigned char']], 'BaseBlockDirty' : [ 0x7b, ['unsigned char']], 'LastLogSwapTime' : [ 0x80, ['_LARGE_INTEGER']], 'FirstLogFile' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'SecondLogFile' : [ 0x88, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 'HeaderRecovered' : [ 0x88, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0x88, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0x88, ['BitField', dict(start_bit = 8, 
end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0x88, ['unsigned short']], 'LogEntriesRecovered' : [ 0x8a, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0x8c, ['unsigned long']], 'StorageTypeCount' : [ 0x90, ['unsigned long']], 'Version' : [ 0x94, ['unsigned long']], 'ViewMap' : [ 0x98, ['_HVIEW_MAP']], 'Storage' : [ 0x3b8, ['array', 2, ['_DUAL']]], } ], '_HV_GET_CELL_CONTEXT' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'BinContext' : [ 0x4, ['_HV_GET_BIN_CONTEXT']], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa8, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Discarded' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['_CM_PATH_HASH']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'KcbPushlock' : [ 0x18, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x1c, ['pointer', ['_KTHREAD']]], 'SharedCount' : [ 0x1c, ['long']], 'DelayedDeref' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DelayedClose' : [ 0x20, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Parking' : [ 0x20, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'LayerSemantics' : [ 0x21, ['unsigned 
char']], 'LayerHeight' : [ 0x22, ['short']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, ['unsigned long']], 'KcbUserFlags' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'LayerInfo' : [ 0x6c, ['pointer', ['_CM_KCB_LAYER_INFO']]], 'KCBUoWListHead' : [ 0x70, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x78, ['_LIST_ENTRY']], 'Stolen' : [ 0x78, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x80, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x84, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x8c, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x94, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x9c, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0xa0, ['pointer', ['_UNICODE_STRING']]], 'FullKCBNameStale' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0xa0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], 'tagSWITCH_CONTEXT' : [ 0x358, 
{ 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'Trans' : [ 0x1c, ['_CM_TRANS_PTR']], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '__unnamed_1749' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry', 21: '_CmpMountPreloadedHives', 22: '_CmpLoadHiveThread', 23: '_CmpCheckLeaf'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_174c' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x4, ['pointer', ['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_174e' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1750' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', ['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_1752' : [ 0x10, { 'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned 
long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_1756' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_175a' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_175c' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x11c, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned short']], 'RecoverableIndex' : [ 0x6, ['unsigned short']], 'Locations' : [ 0x8, ['array', 8, ['__unnamed_1749']]], 'RecoverableLocations' : [ 0x68, ['array', 8, ['__unnamed_1749']]], 'RegistryIO' : [ 0xc8, ['__unnamed_174c']], 'CheckRegistry2' : [ 0xd4, ['__unnamed_174e']], 'CheckKey' : [ 0xd8, ['__unnamed_1750']], 'CheckValueList' : [ 0xe8, ['__unnamed_1752']], 'CheckHive' : [ 0xf8, ['__unnamed_1756']], 'CheckHive1' : [ 0x104, ['__unnamed_1756']], 'CheckBin' : [ 0x110, ['__unnamed_175a']], 'RecoverData' : [ 0x118, ['__unnamed_175c']], } ], '_CM_KCB_UOW' : [ 0x40, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 
'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ParentUoW' : [ 0x2c, ['pointer', ['_CM_KCB_UOW']]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxCachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'TxSecurityCell' : [ 0x34, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], 'PrepareDataPointer' : [ 0x38, ['pointer', ['void']]], 'SecurityData' : [ 0x38, ['pointer', ['_CM_UOW_SET_SD_DATA']]], 'ModifyKeysData' : [ 0x38, ['pointer', ['_CM_UOW_KEY_STATE_MODIFICATION']]], 'SetValueData' : [ 0x38, ['pointer', ['_CM_UOW_SET_VALUE_LIST_DATA']]], 'ValueData' : [ 0x3c, ['pointer', ['_CM_UOW_SET_VALUE_KEY_DATA']]], 'DiscardReplaceContext' : [ 0x3c, ['pointer', ['_CMP_DISCARD_AND_REPLACE_KCB_CONTEXT']]], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Prepared' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Aborted' : [ 0x18, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Committed' : [ 0x18, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Initializing' : [ 0x18, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Invalid' : [ 0x18, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UseReservation' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'TmCallbacksActive' : [ 0x18, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LightWeight' : [ 0x18, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Freed1' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Freed2' : [ 0x18, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x18, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'Freed' : [ 0x18, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Spare' : [ 0x18, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long')]], 'TransState' : [ 0x18, ['unsigned long']], 'Trans' : [ 0x1c, ['_CM_TRANS_PTR']], 'CmRm' : [ 0x20, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x24, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x28, ['pointer', ['void']]], 'KtmUow' : [ 0x2c, ['_GUID']], 'StartLsn' : [ 0x40, ['unsigned long long']], 'HiveCount' : [ 0x48, ['unsigned long']], 'HiveArray' : [ 0x4c, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xc0, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long 
long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long long']], 'ParkingStatus' : [ 0x80, ['unsigned long']], 'CurrentFrequency' : [ 0x84, ['unsigned long']], 'PercentMaxFrequency' : [ 0x88, ['unsigned long']], 'StateFlags' : [ 0x8c, ['unsigned long']], 'NominalThroughput' : [ 0x90, ['unsigned long']], 'ActiveThroughput' : [ 0x94, ['unsigned long']], 'ScaledThroughput' : [ 0x98, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0xa0, ['unsigned long long']], 'AverageIdleTime' : [ 0xa8, ['unsigned long long']], 'IdleBreakEvents' : [ 0xb0, ['unsigned long long']], 'PerformanceLimit' : [ 0xb8, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xbc, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 
'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned 
long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0x10, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], 'TemperatureHighPrecision' : [ 0xc, ['unsigned long']], } ], '_TEB32' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 
16, ['unsigned long']]], 'SystemReserved1' : [ 0x10c, ['array', 30, ['unsigned long']]], '_ActivationStack' : [ 0x184, ['_ACTIVATION_CONTEXT_STACK32']], 'WorkingOnBehalfTicket' : [ 0x19c, ['array', 8, ['unsigned char']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'InstrumentationCallbackSp' : [ 0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x1b8, ['unsigned char']], 'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 
'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SkipLoaderInit' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], 
'_TEB64' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['unsigned long long']]], 'SystemReserved1' : [ 0x190, ['array', 32, ['unsigned long long']]], '_ActivationStack' : [ 0x290, ['_ACTIVATION_CONTEXT_STACK64']], 'WorkingOnBehalfTicket' : [ 0x2b8, ['array', 8, ['unsigned char']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, 
['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long 
long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SkipLoaderInit' : [ 0x17ee, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_HV_X64_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState_Deprecated' : [ 0x8, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable_Deprecated' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ExtendedGvaRangesForFlushVirtualAddressListAvailable' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'FastHypercallOutputAvailable' : [ 0xc, ['BitField', 
dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SvmFeaturesAvailable' : [ 0xc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SintPollingModeAvailable' : [ 0xc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HypercallMsrLockAvailable' : [ 0xc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'DirectSyntheticTimers' : [ 0xc, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'RegisterPatAvailable' : [ 0xc, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'RegisterBndcfgsAvailable' : [ 0xc, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'WatchdogTimerAvailable' : [ 0xc, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 23, end_bit = 32, native_type='unsigned long')]], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeReg' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicRegs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerRegs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessIntrCtrlRegs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetReg' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsReg' : [ 0x0, 
['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleReg' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyRegs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugRegs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'AccessReenlightenmentControls' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 
'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'AccessVpExitTracing' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'EnableExtendedGvaRangesForFlushVirtualAddressList' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 48, native_type='unsigned long long')]], 'AccessVsm' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 49, native_type='unsigned long long')]], 'AccessVpRegisters' : [ 0x0, ['BitField', dict(start_bit = 49, end_bit = 50, native_type='unsigned long long')]], 'UnusedBit' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 51, native_type='unsigned long long')]], 'FastHypercallOutput' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'EnableExtendedHypercalls' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'StartVirtualProcessor' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : 
[ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x140, { 'Lock' : [ 0x0, ['unsigned long']], 'ReadySummary' : [ 0x4, ['unsigned long']], 'ReadyListHead' : [ 0x8, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x108, ['array', 32, ['unsigned char']]], 'Span' : [ 0x128, ['unsigned char']], 'LowProcIndex' : [ 0x129, ['unsigned char']], 'QueueIndex' : [ 0x12a, ['unsigned char']], 'ProcCount' : [ 0x12b, ['unsigned char']], 'ScanOwner' : [ 0x12c, ['unsigned char']], 'Spare' : [ 0x12d, ['array', 3, ['unsigned char']]], 'Affinity' : [ 0x130, ['unsigned long']], 'ReadyThreadCount' : [ 0x134, ['unsigned long']], 'ReadyQueueExpectedRunTime' : [ 0x138, ['unsigned long long']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0xc, { 'Affinity' : [ 0x0, ['pointer', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x4, ['unsigned long']], 'CurrentIndex' : [ 0x8, ['unsigned short']], } ], '__unnamed_189e' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_18a0' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_18a4' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['wchar']]], } ], '_DEVICE_NODE' : [ 0x1d0, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', 
['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'FxDevice' : [ 0x28, ['pointer', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x2c, ['long']], 'FxRemoveEvent' : [ 0x30, ['_KEVENT']], 'FxActivationCount' : [ 0x40, ['long']], 'FxSleepCount' : [ 0x44, ['long']], 'Plugin' : [ 0x48, ['pointer', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x4c, ['unsigned long']], 'CurrentPowerState' : [ 0x50, ['_POWER_STATE']], 'Notify' : [ 0x54, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x90, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0xa0, ['_UNICODE_STRING']], 'PowerFlags' : [ 0xa8, ['unsigned long']], 'State' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0xb0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 
'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0xb4, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x104, ['unsigned long']], 'CompletionStatus' : [ 0x108, ['long']], 'Flags' : [ 0x10c, ['unsigned long']], 'UserFlags' : [ 0x110, ['unsigned long']], 'Problem' : [ 0x114, ['unsigned long']], 'ProblemStatus' : [ 0x118, ['long']], 'ResourceList' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x120, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x124, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x128, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 
'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x130, ['unsigned long']], 'ChildInterfaceType' : [ 0x134, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x138, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x13c, ['unsigned short']], 'RemovalPolicy' : [ 0x13e, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x13f, ['unsigned char']], 'TargetDeviceNotify' : [ 0x140, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x148, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x150, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x158, ['unsigned short']], 'QueryTranslatorMask' : [ 0x15a, ['unsigned short']], 'NoArbiterMask' : [ 0x15c, ['unsigned short']], 'QueryArbiterMask' : [ 0x15e, ['unsigned short']], 'OverUsed1' : [ 0x160, ['__unnamed_189e']], 'OverUsed2' : [ 0x164, ['__unnamed_18a0']], 'BootResources' : [ 0x168, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x16c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x170, ['unsigned long']], 'DockInfo' : [ 0x174, ['__unnamed_18a4']], 'DisableableDepends' : [ 0x184, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x188, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x190, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x198, ['unsigned long']], 'PreviousParent' : [ 0x19c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x1a0, ['long']], 'NumaNodeIndex' : [ 0x1a4, ['unsigned long']], 'ContainerID' : [ 0x1a8, ['_GUID']], 'OverrideFlags' : [ 0x1b8, ['unsigned char']], 'DeviceIdsHash' : [ 0x1bc, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x1c0, ['unsigned char']], 
'PendingEjectRelations' : [ 0x1c4, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x1c8, ['unsigned long']], 'RebalanceContext' : [ 0x1cc, ['pointer', ['_PNP_REBALANCE_TRACE_CONTEXT']]], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x38, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x2c, ['pointer', ['unsigned long']]], 'EnableKeyWords' : [ 0x30, ['pointer', ['unsigned long long']]], 'EnableLevel' : [ 0x34, ['pointer', ['unsigned char']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x38, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependencyNode' : [ 0x2c, ['pointer', ['void']]], 'InterruptContext' : [ 0x30, ['pointer', ['void']]], 'VerifierContext' : [ 0x34, ['pointer', ['void']]], } ], '_GROUP_AFFINITY' : [ 0xc, { 'Mask' : [ 0x0, 
['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 
'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 
0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 
'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, 
['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_199c' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 
0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'WriteCustomBreakPoint' : [ 0x0, ['_DBGKD_WRITE_CUSTOM_BREAKPOINT']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_199c']], } ], '__unnamed_19a3' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 
'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_19a3']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PEP_ACPI_RESOURCE' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 
'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'IoMemory' : [ 0x0, ['_PEP_ACPI_IO_MEMORY_RESOURCE']], 'Interrupt' : [ 0x0, ['_PEP_ACPI_INTERRUPT_RESOURCE']], 'Gpio' : [ 0x0, ['_PEP_ACPI_GPIO_RESOURCE']], 'SpbI2c' : [ 0x0, ['_PEP_ACPI_SPB_I2C_RESOURCE']], 'SpbSpi' : [ 0x0, ['_PEP_ACPI_SPB_SPI_RESOURCE']], 'SpbUart' : [ 0x0, ['_PEP_ACPI_SPB_UART_RESOURCE']], 'ExtendedAddress' : [ 0x0, ['_PEP_ACPI_EXTENDED_ADDRESS']], } ], '_PEP_ACPI_IO_MEMORY_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Information' : [ 0x4, ['unsigned char']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], } ], '_PEP_ACPI_INTERRUPT_RESOURCE' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'InterruptType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Flags' : [ 0xc, ['_PEP_ACPI_RESOURCE_FLAGS']], 'Count' : [ 0x10, ['unsigned char']], 'Pins' : [ 0x14, ['pointer', ['unsigned long']]], } ], '_PEP_ACPI_GPIO_RESOURCE' : [ 0x30, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 
'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'InterruptType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'PinConfig' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PullDefault', 1: 'PullUp', 2: 'PullDown', 3: 'PullNone'})]], 'IoRestrictionType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'IoRestrictionNone', 1: 'IoRestrictionInputOnly', 2: 'IoRestrictionOutputOnly', 3: 'IoRestrictionNoneAndPreserve'})]], 'DriveStrength' : [ 0x18, ['unsigned short']], 'DebounceTimeout' : [ 0x1a, ['unsigned short']], 'PinTable' : [ 0x1c, ['pointer', ['unsigned short']]], 'PinCount' : [ 0x20, ['unsigned short']], 'ResourceSourceIndex' : [ 0x22, ['unsigned char']], 'ResourceSourceName' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'VendorData' : [ 0x28, ['pointer', ['unsigned char']]], 'VendorDataLength' : [ 0x2c, ['unsigned short']], } ], '_PEP_ACPI_SPB_I2C_RESOURCE' : [ 0x20, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x18, ['unsigned long']], 'SlaveAddress' : [ 0x1c, ['unsigned short']], } ], '_PEP_ACPI_SPB_UART_RESOURCE' : [ 0x24, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'BaudRate' : [ 0x18, ['unsigned long']], 'RxBufferSize' : [ 0x1c, ['unsigned short']], 'TxBufferSize' : [ 0x1e, ['unsigned short']], 'Parity' : [ 0x20, ['unsigned char']], 'LinesInUse' : [ 0x21, ['unsigned char']], } ], '_PEP_ACPI_SPB_SPI_RESOURCE' : [ 0x24, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x18, ['unsigned long']], 'DataBitLength' : [ 0x1c, ['unsigned 
char']], 'Phase' : [ 0x1d, ['unsigned char']], 'Polarity' : [ 0x1e, ['unsigned char']], 'DeviceSelection' : [ 0x20, ['unsigned short']], } ], '_PEP_ACPI_EXTENDED_ADDRESS' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'ResourceFlags' : [ 0x8, ['unsigned char']], 'GeneralFlags' : [ 0x9, ['unsigned char']], 'TypeSpecificFlags' : [ 0xa, ['unsigned char']], 'RevisionId' : [ 0xb, ['unsigned char']], 'Reserved' : [ 0xc, ['unsigned char']], 'Granularity' : [ 0x10, ['unsigned long long']], 'MinimumAddress' : [ 0x18, ['unsigned long long']], 'MaximumAddress' : [ 0x20, ['unsigned long long']], 'TranslationAddress' : [ 0x28, ['unsigned long long']], 'AddressLength' : [ 0x30, ['unsigned long long']], 'TypeAttribute' : [ 0x38, ['unsigned long long']], 'DescriptorName' : [ 0x40, ['pointer', ['_UNICODE_STRING']]], } ], '_PPM_PLATFORM_STATES' : [ 0x100, { 'StateCount' : [ 0x0, ['unsigned long']], 'InterfaceVersion' : [ 0x4, ['unsigned long']], 'ProcessorCount' : [ 0x8, ['unsigned long']], 'CoordinatedInterface' : [ 0xc, ['unsigned char']], 'IdleTest' : [ 0x10, ['pointer', ['void']]], 'IdlePreExecute' : [ 0x14, ['pointer', ['void']]], 'IdleComplete' : [ 0x18, ['pointer', ['void']]], 'QueryPlatformStateResidency' : [ 0x1c, ['pointer', ['void']]], 'Accounting' : [ 0x20, ['pointer', ['_PLATFORM_IDLE_ACCOUNTING']]], 'State' : [ 0x40, ['array', 1, ['_PPM_PLATFORM_STATE']]], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_PPM_PROFILE' : [ 0x1b8, { 'Name' : [ 0x0, ['pointer', ['wchar']]], 'Id' : [ 0x4, ['unsigned char']], 'Guid' : [ 0x8, ['_GUID']], 'Flags' : [ 
0x18, ['unsigned long']], 'Priority' : [ 0x1c, ['unsigned char']], 'Settings' : [ 0x20, ['array', 2, ['_PPM_ENGINE_SETTINGS']]], 'StartTime' : [ 0x190, ['unsigned long long']], 'Count' : [ 0x198, ['unsigned long long']], 'MaxDuration' : [ 0x1a0, ['unsigned long long']], 'MinDuration' : [ 0x1a8, ['unsigned long long']], 'TotalDuration' : [ 0x1b0, ['unsigned long long']], } ], '_PPM_ENGINE_SETTINGS' : [ 0xb8, { 'ExplicitSetting' : [ 0x0, ['array', 2, ['_PPM_POLICY_SETTINGS_MASK']]], 'ThrottlingPolicy' : [ 0x10, ['unsigned char']], 'PerfTimeCheck' : [ 0x14, ['unsigned long']], 'PerfHistoryCount' : [ 0x18, ['array', 2, ['unsigned char']]], 'PerfMinPolicy' : [ 0x1a, ['array', 2, ['unsigned char']]], 'PerfMaxPolicy' : [ 0x1c, ['array', 2, ['unsigned char']]], 'PerfDecreaseTime' : [ 0x1e, ['array', 2, ['unsigned char']]], 'PerfIncreaseTime' : [ 0x20, ['array', 2, ['unsigned char']]], 'PerfDecreasePolicy' : [ 0x22, ['array', 2, ['unsigned char']]], 'PerfIncreasePolicy' : [ 0x24, ['array', 2, ['unsigned char']]], 'PerfDecreaseThreshold' : [ 0x26, ['array', 2, ['unsigned char']]], 'PerfIncreaseThreshold' : [ 0x28, ['array', 2, ['unsigned char']]], 'PerfFrequencyCap' : [ 0x2c, ['array', 2, ['unsigned long']]], 'PerfBoostPolicy' : [ 0x34, ['unsigned long']], 'PerfBoostMode' : [ 0x38, ['unsigned long']], 'PerfReductionTolerance' : [ 0x3c, ['unsigned long']], 'EnergyPerfPreference' : [ 0x40, ['unsigned long']], 'AutonomousActivityWindow' : [ 0x44, ['unsigned long']], 'AutonomousPreference' : [ 0x48, ['unsigned char']], 'LatencyHintPerf' : [ 0x49, ['array', 2, ['unsigned char']]], 'LatencyHintUnpark' : [ 0x4b, ['array', 2, ['unsigned char']]], 'DutyCycling' : [ 0x4d, ['unsigned char']], 'ParkingPerfState' : [ 0x4e, ['array', 2, ['unsigned char']]], 'DistributeUtility' : [ 0x50, ['unsigned char']], 'CoreParkingOverUtilizationThreshold' : [ 0x51, ['unsigned char']], 'CoreParkingConcurrencyThreshold' : [ 0x52, ['unsigned char']], 'CoreParkingHeadroomThreshold' : [ 0x53, ['unsigned 
char']], 'CoreParkingDistributionThreshold' : [ 0x54, ['unsigned char']], 'CoreParkingDecreasePolicy' : [ 0x55, ['unsigned char']], 'CoreParkingIncreasePolicy' : [ 0x56, ['unsigned char']], 'CoreParkingDecreaseTime' : [ 0x58, ['unsigned long']], 'CoreParkingIncreaseTime' : [ 0x5c, ['unsigned long']], 'CoreParkingMinCores' : [ 0x60, ['array', 2, ['unsigned char']]], 'CoreParkingMaxCores' : [ 0x62, ['array', 2, ['unsigned char']]], 'AllowScaling' : [ 0x64, ['unsigned char']], 'IdleDisabled' : [ 0x65, ['unsigned char']], 'IdleTimeCheck' : [ 0x68, ['unsigned long']], 'IdleDemotePercent' : [ 0x6c, ['unsigned char']], 'IdlePromotePercent' : [ 0x6d, ['unsigned char']], 'HeteroDecreaseTime' : [ 0x6e, ['unsigned char']], 'HeteroIncreaseTime' : [ 0x6f, ['unsigned char']], 'HeteroDecreaseThreshold' : [ 0x70, ['array', 32, ['unsigned char']]], 'HeteroIncreaseThreshold' : [ 0x90, ['array', 32, ['unsigned char']]], 'Class0FloorPerformance' : [ 0xb0, ['unsigned char']], 'Class1InitialPerformance' : [ 0xb1, ['unsigned char']], } ], '_ESERVERSILO_GLOBALS' : [ 0x290, { 'ObSiloState' : [ 0x0, ['_OBP_SILODRIVERSTATE']], 'SeSiloState' : [ 0x1a4, ['_SEP_SILOSTATE']], 'SeRmSiloState' : [ 0x1c0, ['_SEP_RM_LSA_CONNECTION_STATE']], 'EtwSiloState' : [ 0x1f0, ['pointer', ['_ETW_SILODRIVERSTATE']]], 'MiSessionLeaderProcess' : [ 0x1f4, ['pointer', ['_EPROCESS']]], 'ExpDefaultErrorPortProcess' : [ 0x1f8, ['pointer', ['_EPROCESS']]], 'ExpDefaultErrorPort' : [ 0x1fc, ['pointer', ['void']]], 'HardErrorState' : [ 0x200, ['unsigned long']], 'WnfSiloState' : [ 0x208, ['_WNF_SILODRIVERSTATE']], 'PsProtectedCurrentDirectory' : [ 0x238, ['_UNICODE_STRING']], 'PsProtectedEnvironment' : [ 0x240, ['_UNICODE_STRING']], 'ApiSetSection' : [ 0x248, ['pointer', ['void']]], 'ApiSetSchema' : [ 0x24c, ['pointer', ['void']]], 'OneCoreForwardersEnabled' : [ 0x250, ['unsigned char']], 'NtSystemRoot' : [ 0x254, ['_UNICODE_STRING']], 'SiloRootDirectoryName' : [ 0x25c, ['_UNICODE_STRING']], 'Storage' : [ 0x264, 
['pointer', ['_PSP_STORAGE']]], 'State' : [ 0x268, ['Enumeration', dict(target = 'long', choices = {0: 'SERVERSILO_INITING', 1: 'SERVERSILO_STARTED', 2: 'SERVERSILO_SHUTTING_DOWN', 3: 'SERVERSILO_TERMINATING', 4: 'SERVERSILO_TERMINATED'})]], 'ExitStatus' : [ 0x26c, ['long']], 'DeleteEvent' : [ 0x270, ['pointer', ['_KEVENT']]], 'UserSharedData' : [ 0x274, ['pointer', ['_SILO_USER_SHARED_DATA']]], 'UserSharedSection' : [ 0x278, ['pointer', ['void']]], 'TerminateWorkItem' : [ 0x27c, ['_WORK_QUEUE_ITEM']], } ], '_SILO_USER_SHARED_DATA' : [ 0x248, { 'ServiceSessionId' : [ 0x0, ['unsigned long']], 'ActiveConsoleId' : [ 0x4, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x8, ['long long']], 'NtProductType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'SuiteMask' : [ 0x14, ['unsigned long']], 'SharedUserSessionId' : [ 0x18, ['unsigned long']], 'IsMultiSessionSku' : [ 0x1c, ['unsigned char']], 'NtSystemRoot' : [ 0x1e, ['array', 260, ['wchar']]], 'UserModeGlobalLogger' : [ 0x226, ['array', 16, ['unsigned short']]], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_PERF_FLAGS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'Progress' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 
'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 27, native_type='unsigned long')]], 'Synchronicity' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 29, native_type='unsigned long')]], 'RequestPepCompleted' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'RequestSucceeded' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NestedCallback' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'IrpFirstPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IrpLastPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0x90, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned 
long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x14, ['unsigned long']], 'LogHandleContext' : [ 0x18, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0x80, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x84, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0x88, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x178, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', ['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'V1' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0xa0, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xb4, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd8, 
['_LARGE_INTEGER']], 'Event' : [ 0xe0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xf0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xf8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x160, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x164, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x168, ['unsigned long']], 'WritesInProgress' : [ 0x16c, ['unsigned long']], 'AsyncReadRequestCount' : [ 0x170, ['unsigned long']], 'Partition' : [ 0x174, ['pointer', ['_CC_PARTITION']]], } ], '__unnamed_1aa4' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_1aa4']], 'ArrayHead' : [ 0x10, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '_CC_PARTITION' : [ 0x280, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'MasterLock' : [ 0x40, ['unsigned long']], 'WorkQueueLock' : [ 0x80, ['unsigned long']], 'PartitionID' : [ 0x84, ['unsigned short']], 'PartitionLinks' : [ 0x88, ['_LIST_ENTRY']], 'CleanSharedCacheMapList' : [ 0x90, ['_LIST_ENTRY']], 'CleanSharedCacheMapWithLogHandleList' : [ 0x98, ['_LIST_ENTRY']], 'DirtySharedCacheMapList' : [ 0xa0, ['_SHARED_CACHE_MAP_LIST_CURSOR']], 'LazyWriterCursor' : [ 0xac, ['_SHARED_CACHE_MAP_LIST_CURSOR']], 'DirtySharedCacheMapWithLogHandleList' : [ 0xb8, ['_LIST_ENTRY']], 'ChangeSharedCacheMapFileLock' : [ 0xc0, ['_EX_PUSH_LOCK']], 'ConsecutiveWorklessLazyScanCount' : [ 0xc4, ['unsigned long']], 'ForcedDisableLazywriteScan' : [ 0xc8, ['unsigned char']], 'NumberWorkerThreads' : [ 0xcc, ['unsigned long']], 'NumberActiveWorkerThreads' : [ 0xd0, ['unsigned long']], 'IdleWorkerThreadList' : [ 0xd4, ['_LIST_ENTRY']], 'FastTeardownWorkQueue' : [ 0xdc, ['_LIST_ENTRY']], 'ExpressWorkQueue' : [ 0xe4, ['_LIST_ENTRY']], 'RegularWorkQueue' : [ 0xec, ['_LIST_ENTRY']], 
'PostTickWorkQueue' : [ 0xf4, ['_LIST_ENTRY']], 'IdleExtraWriteBehindThreadList' : [ 0xfc, ['_LIST_ENTRY']], 'ActiveExtraWriteBehindThreads' : [ 0x104, ['unsigned long']], 'MaxExtraWriteBehindThreads' : [ 0x108, ['unsigned long']], 'QueueThrottle' : [ 0x10c, ['unsigned char']], 'PostTickWorkItemCount' : [ 0x110, ['unsigned long']], 'ThreadsActiveBeforeThrottle' : [ 0x114, ['unsigned long']], 'ExtraWBThreadsActiveBeforeThrottle' : [ 0x118, ['unsigned long']], 'ExecutingWriteBehindWorkItems' : [ 0x11c, ['unsigned long']], 'ExecutingHighPriorityWorkItem' : [ 0x120, ['unsigned long']], 'LowMemoryEvent' : [ 0x124, ['_KEVENT']], 'PowerEvent' : [ 0x134, ['_KEVENT']], 'PeriodicEvent' : [ 0x144, ['_KEVENT']], 'WaitingForTeardownEvent' : [ 0x154, ['_KEVENT']], 'CoalescingFlushEvent' : [ 0x164, ['_KEVENT']], 'PagesYetToWrite' : [ 0x174, ['unsigned long']], 'LazyWriter' : [ 0x178, ['_LAZY_WRITER']], 'DirtyPageStatistics' : [ 0x1c8, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x1d8, ['_DIRTY_PAGE_THRESHOLDS']], 'ThroughputStats' : [ 0x200, ['pointer', ['_WRITE_BEHIND_THROUGHPUT']]], 'ThroughputTrend' : [ 0x204, ['long']], 'AverageAvailablePages' : [ 0x208, ['unsigned long long']], 'AverageDirtyPages' : [ 0x210, ['unsigned long long']], 'PagesSkippedDueToHotSpot' : [ 0x218, ['unsigned long long']], 'PrevRegularQueueItemRunTime' : [ 0x220, ['_LARGE_INTEGER']], 'PrevExtraWBThreadCheckTime' : [ 0x228, ['_LARGE_INTEGER']], 'AddExtraWriteBehindThreads' : [ 0x230, ['unsigned char']], 'RemoveExtraThreadPending' : [ 0x231, ['unsigned char']], 'DeferredWrites' : [ 0x234, ['_LIST_ENTRY']], 'DeferredWriteSpinLock' : [ 0x240, ['unsigned long']], 'IdleAsyncReadWorkerThreadList' : [ 0x244, ['pointer', ['_LIST_ENTRY']]], 'NumberActiveAsyncReadWorkerThreads' : [ 0x248, ['pointer', ['unsigned long']]], 'NumberActiveCompleteAsyncReadWorkItems' : [ 0x24c, ['pointer', ['unsigned long']]], 'AsyncReadWorkQueue' : [ 0x250, ['pointer', ['_LIST_ENTRY']]], 'AsyncReadCompletionWorkQueue' : [ 
0x254, ['pointer', ['_LIST_ENTRY']]], 'NewAsyncReadRequestEvent' : [ 0x258, ['pointer', ['_KEVENT']]], 'ReaderThreadsStats' : [ 0x25c, ['pointer', ['_ASYNC_READ_THREAD_STATS']]], 'AsyncReadWorkQueueLock' : [ 0x260, ['_EX_PUSH_LOCK']], } ], '__unnamed_1ac8' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], 'DiskIoAttribution' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1aca' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1acc' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1ace' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ad0' : [ 0x1c, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x4, ['pointer', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x8, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x18, ['unsigned char']], } ], '__unnamed_1ad4' : [ 0x40, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], 'FileOffset' : [ 0x8, ['_LARGE_INTEGER']], 'FileObject' : [ 0x10, ['pointer', ['_FILE_OBJECT']]], 'Length' : [ 0x14, ['unsigned long']], 'PrefetchList' : [ 0x18, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'PrefetchPagePriority' : [ 0x1c, ['unsigned long']], 'Mdl' : [ 0x20, ['pointer', ['_MDL']]], 'IoStatusBlock' : [ 0x24, ['pointer', ['_IO_STATUS_BLOCK']]], 'CallbackContext' : [ 0x28, ['pointer', ['_CC_ASYNC_READ_CONTEXT']]], 'OriginatingProcess' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'IoIssuerThread' : [ 0x30, ['pointer', ['_ETHREAD']]], 'DiskIoAttribution' : [ 0x34, ['pointer', ['void']]], 'RequestorMode' : [ 0x38, ['unsigned char']], 'NestingLevel' : [ 0x3c, ['unsigned long']], } ], '__unnamed_1ad6' : [ 0x40, { 'Read' : [ 0x0, ['__unnamed_1ac8']], 'Write' : [ 0x0, ['__unnamed_1aca']], 'Event' : [ 0x0, ['__unnamed_1acc']], 'Notification' : [ 0x0, ['__unnamed_1ace']], 'LowPriWrite' : [ 0x0, ['__unnamed_1ad0']], 'AsyncRead' : [ 0x0, ['__unnamed_1ad4']], } ], '_WORK_QUEUE_ENTRY' : [ 0x50, { 'WorkQueueLinks' : [ 0x0, 
['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_1ad6']], 'Function' : [ 0x48, ['unsigned char']], 'Partition' : [ 0x4c, ['pointer', ['_CC_PARTITION']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x18, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0x4, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x10, ['_LIST_ENTRY']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x68, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x8, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0xc, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x18, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x40, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x44, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x48, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x50, ['pointer', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x54, ['unsigned long']], 'LastLWTimeStamp' : [ 0x58, ['_LARGE_INTEGER']], 'Flags' : [ 0x60, ['unsigned long']], } ], '_MBCB' : [ 0x88, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 
'BitmapRange3' : [ 0x68, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x4e, ['unsigned char']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_SUBALLOCATOR_CALLBACKS' : [ 0x14, { 'Allocate' : [ 0x0, ['unsigned long']], 'Free' : [ 0x4, ['unsigned long']], 'Commit' : [ 0x8, ['unsigned long']], 'Decommit' : [ 0xc, ['unsigned long']], 'ExtendContext' : [ 0x10, ['unsigned long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x248, { 'Segment' : [ 0x0, ['_HEAP_SEGMENT']], 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 
'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x58, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x5c, ['unsigned long']], 'Signature' : [ 0x60, ['unsigned long']], 'SegmentReserve' : [ 0x64, ['unsigned long']], 'SegmentCommit' : [ 0x68, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x6c, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x70, ['unsigned long']], 'TotalFreeSize' : [ 0x74, ['unsigned long']], 'MaximumAllocationSize' : [ 0x78, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x7c, ['unsigned short']], 'HeaderValidateLength' : [ 0x7e, ['unsigned short']], 'HeaderValidateCopy' : [ 0x80, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x84, ['unsigned short']], 'MaximumTagIndex' : [ 0x86, ['unsigned short']], 'TagEntries' : [ 0x88, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x8c, ['_LIST_ENTRY']], 'AlignRound' : [ 0x94, ['unsigned long']], 'AlignMask' : [ 0x98, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x9c, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa4, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xac, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb0, ['unsigned long']], 'BlocksIndex' : [ 0xb4, ['pointer', ['void']]], 'UCRIndex' : [ 0xb8, ['pointer', ['void']]], 'PseudoTagEntries' : [ 
0xbc, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc0, ['_LIST_ENTRY']], 'LockVariable' : [ 0xc8, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xcc, ['pointer', ['void']]], 'StackTraceInitVar' : [ 0xd0, ['_RTL_RUN_ONCE']], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0xdb, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0xdc, ['pointer', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0xe0, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0xe2, ['array', 257, ['unsigned char']]], 'Counters' : [ 0x1e4, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x240, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1b6b' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_1b6b']], } ], '_HEAP_ENTRY' : [ 0x8, { 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, 
['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'HeapEntry' : [ 0x0, ['_HEAP_ENTRY']], 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, 
['_LIST_ENTRY']], } ], '__unnamed_1bbe' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1bc0' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bbe']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bc2' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1bc4' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1bc2']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1bc0']], 'u2' : [ 0x4, ['__unnamed_1bc4']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x20, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1be1' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1be3' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1be1']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1be3']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Pad' : [ 0x10, ['unsigned long']], 'Lock' : [ 0x14, ['_EX_PUSH_LOCK']], } ], '__unnamed_1bf7' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1bf9' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bf7']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_1bf9']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_1c02' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1c04' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c02']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_1c04']], 'NumberOfViews' : [ 0x1c, ['unsigned long']], 'ViewListHead' : [ 0x20, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x2c, ['pointer', 
['_KALPC_VIEW']]], } ], '__unnamed_1c0a' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1c0c' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c0a']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, ['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', ['void']]], 'u1' : [ 0x24, ['__unnamed_1c0c']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x28, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x24, ['pointer', ['_KALPC_MESSAGE']]], } ], '__unnamed_1c29' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned 
long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1c2b' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c29']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x11c, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x5c, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x60, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x68, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0x70, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0x74, ['_LIST_ENTRY']], 'DirectQueueLock' : [ 0x7c, ['_EX_PUSH_LOCK']], 'DirectQueue' : [ 0x80, ['_LIST_ENTRY']], 
'WaitQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0x8c, ['_LIST_ENTRY']], 'Semaphore' : [ 0x94, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'PortAttributes' : [ 0x98, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0xc4, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xc8, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0xd4, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0xd8, ['pointer', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0xdc, ['pointer', ['void']]], 'CanceledQueue' : [ 0xe0, ['_LIST_ENTRY']], 'SequenceNo' : [ 0xe8, ['long']], 'ReferenceNo' : [ 0xec, ['long']], 'ReferenceNoWait' : [ 0xf0, ['pointer', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0xf4, ['__unnamed_1c2b']], 'TargetQueuePort' : [ 0xf8, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xfc, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x100, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x104, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x108, ['unsigned long']], 'PendingQueueLength' : [ 0x10c, ['unsigned long']], 'DirectQueueLength' : [ 0x110, ['unsigned long']], 'CanceledQueueLength' : [ 0x114, ['unsigned long']], 'WaitQueueLength' : [ 0x118, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x58, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'CompletionListLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x10, ['pointer', ['_MDL']]], 'UserVa' : [ 0x14, ['pointer', ['void']]], 'UserLimit' : [ 0x18, ['pointer', ['void']]], 'DataUserVa' : [ 0x1c, ['pointer', ['void']]], 'SystemVa' : [ 0x20, ['pointer', ['void']]], 'TotalSize' : [ 0x24, ['unsigned long']], 'Header' : [ 0x28, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x2c, ['pointer', ['void']]], 'ListSize' : [ 0x30, ['unsigned long']], 'Bitmap' : [ 0x34, ['pointer', ['void']]], 'BitmapSize' : [ 0x38, ['unsigned long']], 'Data' : [ 0x3c, ['pointer', 
['void']]], 'DataSize' : [ 0x40, ['unsigned long']], 'BitmapLimit' : [ 0x44, ['unsigned long']], 'BitmapNextHint' : [ 0x48, ['unsigned long']], 'ConcurrencyCount' : [ 0x4c, ['unsigned long']], 'AttributeFlags' : [ 0x50, ['unsigned long']], 'AttributeSize' : [ 0x54, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x90, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'Key' : [ 0x84, ['unsigned long']], 'CallbackList' : [ 0x88, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x14, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x10, ['long']], } ], '__unnamed_1c4e' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 
'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1c50' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c4e']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x98, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'u1' : [ 0x14, ['__unnamed_1c50']], 'SequenceNo' : [ 0x18, ['long']], 'QuotaProcess' : [ 0x1c, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x1c, ['pointer', ['void']]], 'CancelSequencePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x24, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x28, ['long']], 'CancelListEntry' : [ 0x2c, ['_LIST_ENTRY']], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x38, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x60, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x64, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x68, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x6c, ['pointer', ['_ETHREAD']]], 'WakeReference' : [ 0x70, ['pointer', ['void']]], 'WakeReference2' : [ 0x74, ['pointer', ['void']]], 'ExtensionBuffer' : [ 0x78, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0x7c, ['unsigned long']], 'PortMessage' : [ 0x80, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x24, { 
'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'DirectEvent' : [ 0x14, ['_KALPC_DIRECT_EVENT']], 'Flags' : [ 0x18, ['unsigned long']], 'TotalLength' : [ 0x1c, ['unsigned short']], 'Type' : [ 0x1e, ['unsigned short']], 'DataInfoOffset' : [ 0x20, ['unsigned short']], 'SignalCompletion' : [ 0x22, ['unsigned char']], 'PostedToCompletionList' : [ 0x23, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x24, { 'ObjectType' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x28, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], 'DirectEvent' : [ 0x1c, ['_KALPC_DIRECT_EVENT']], 'WorkOnBehalfData' : [ 0x20, ['_KALPC_WORK_ON_BEHALF_DATA']], } ], '__unnamed_1c94' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1c96' : [ 
0x4, { 's1' : [ 0x0, ['__unnamed_1c94']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1c96']], } ], '_KALPC_DIRECT_EVENT' : [ 0x4, { 'Event' : [ 0x0, ['unsigned long']], 'Referenced' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 'IoStatusInformation' : [ 0x18, ['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x30, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer', ['void']]], 'DiskIoAttributionHandle' : [ 0xc, ['unsigned long']], 'ActivityId' : [ 0x10, ['_GUID']], 'Timestamp' : [ 0x20, ['_LARGE_INTEGER']], 'ZeroingOffset' : [ 0x20, ['unsigned long']], 'FsTrackOffsetBlob' : [ 0x20, ['pointer', ['_IO_IRP_EXT_TRACK_OFFSET_HEADER']]], 'FsTrackedOffset' : [ 0x24, ['long long']], 'AdapterCryptoParameters' : [ 
0x20, ['_IO_ADAPTER_CRYPTO_PARAMETERS']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x28, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 8, ['pointer', ['void']]]], 'FoIoPriorityHint' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x88, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 
'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'FileInformation' : [ 0x48, ['pointer', ['void']]], 'CreateFileType' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x50, ['pointer', ['void']]], 'Override' : [ 0x54, ['unsigned char']], 'QueryOnly' : [ 0x55, ['unsigned char']], 'DeleteOnly' : [ 0x56, ['unsigned char']], 'FullAttributes' : [ 0x57, ['unsigned char']], 'LocalFileObject' : [ 0x58, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x5c, ['unsigned long']], 'AccessMode' : [ 0x60, ['unsigned char']], 'DriverCreateContext' : [ 0x64, ['_IO_DRIVER_CREATE_CONTEXT']], 'FileInformationClass' : [ 0x78, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 
'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileDesiredStorageClassInformation', 68: 'FileStatInformation', 69: 'FileMaximumInformation'})]], 'FileInformationLength' : [ 0x7c, ['unsigned long']], 'FilterQuery' : [ 0x80, 
['unsigned char']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1d5f' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x110, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1d5f']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer', ['wchar']]], 'LogFileName' : [ 0x3c, ['pointer', ['wchar']]], 'TimeZone' : [ 0x40, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf0, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0xf8, ['_LARGE_INTEGER']], 'StartTime' : [ 0x100, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x108, ['unsigned long']], 'BuffersLost' : [ 0x10c, ['unsigned long']], } ], '_RTL_HASH_TABLE' : [ 0xc, { 'EntryCount' : [ 0x0, ['unsigned 
long']], 'MaskBitCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'BucketCount' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Buckets' : [ 0x8, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_HASH_ENTRY' : [ 0x8, { 'BucketLink' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Key' : [ 0x4, ['unsigned long']], } ], '_RTL_HASH_TABLE_ITERATOR' : [ 0xc, { 'Hash' : [ 0x0, ['pointer', ['_RTL_HASH_TABLE']]], 'HashEntry' : [ 0x4, ['pointer', ['_RTL_HASH_ENTRY']]], 'Bucket' : [ 0x8, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_CHASH_TABLE' : [ 0x10, { 'Table' : [ 0x0, ['pointer', ['_RTL_CHASH_ENTRY']]], 'EntrySizeShift' : [ 0x4, ['unsigned long']], 'EntryMax' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_RTL_CHASH_ENTRY' : [ 0x4, { 'Key' : [ 0x0, ['unsigned long']], } ], '_ETW_BUFFER_QUEUE' : [ 0x8, { 'QueueTail' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x4, ['_SINGLE_LIST_ENTRY']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStatePendingCompression', 5: 'EtwBufferStateCompressed', 6: 'EtwBufferStatePlaceholder', 7: 'EtwBufferStateMaximum'})]], 
'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_WMI_LOGGER_CONTEXT' : [ 0x310, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 1, ['unsigned long']]], 'ErrorMarker' : [ 0x18, ['unsigned long']], 'SizeMask' : [ 0x1c, ['unsigned long']], 'GetCpuClock' : [ 0x20, ['pointer', ['void']]], 'LoggerThread' : [ 0x24, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x28, ['long']], 'FailureReason' : [ 0x2c, ['unsigned long']], 'BufferQueue' : [ 0x30, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x38, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x40, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x48, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x50, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x50, ['_EX_FAST_REF']], 'LoggerName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x64, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x6c, ['_UNICODE_STRING']], 'ClockType' : [ 0x74, ['unsigned long']], 'LastFlushedBuffer' : [ 0x78, ['unsigned long']], 'FlushTimer' : [ 0x7c, ['unsigned long']], 'FlushThreshold' : [ 0x80, ['unsigned long']], 'ByteOffset' : [ 0x88, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x90, ['unsigned long']], 'BuffersAvailable' : [ 0x94, ['long']], 'NumberOfBuffers' : [ 0x98, ['long']], 'MaximumBuffers' : [ 0x9c, ['unsigned long']], 'EventsLost' : [ 0xa0, ['unsigned long']], 'PeakBuffersCount' : [ 0xa4, ['long']], 'BuffersWritten' : [ 0xa8, ['unsigned long']], 'LogBuffersLost' : [ 0xac, ['unsigned 
long']], 'RealTimeBuffersDelivered' : [ 0xb0, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xb4, ['unsigned long']], 'SequencePtr' : [ 0xb8, ['pointer', ['long']]], 'LocalSequence' : [ 0xbc, ['unsigned long']], 'InstanceGuid' : [ 0xc0, ['_GUID']], 'MaximumFileSize' : [ 0xd0, ['unsigned long']], 'FileCounter' : [ 0xd4, ['long']], 'PoolType' : [ 0xd8, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xe0, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0xf0, ['long']], 'ProviderInfoSize' : [ 0xf4, ['unsigned long']], 'Consumers' : [ 0xf8, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x100, ['unsigned long']], 'TransitionConsumer' : [ 0x104, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x108, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x10c, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x120, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x128, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x130, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x138, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x140, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x148, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x158, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x15c, ['_KEVENT']], 'FlushEvent' : [ 
0x16c, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x180, ['_KTIMER']], 'LoggerDpc' : [ 0x1a8, ['_KDPC']], 'LoggerMutex' : [ 0x1c8, ['_KMUTANT']], 'LoggerLock' : [ 0x1e8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1ec, ['unsigned long']], 'BufferListPushLock' : [ 0x1ec, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1f0, ['_SECURITY_CLIENT_CONTEXT']], 'TokenAccessInformation' : [ 0x22c, ['pointer', ['_TOKEN_ACCESS_INFORMATION']]], 'SecurityDescriptor' : [ 0x230, ['_EX_FAST_REF']], 'StartTime' : [ 0x238, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x240, ['pointer', ['void']]], 'BufferSequenceNumber' : [ 0x248, ['long long']], 'Flags' : [ 0x250, ['unsigned long']], 'Persistent' : [ 0x250, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x250, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x250, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x250, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x250, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x250, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x250, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x250, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x250, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x250, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x250, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x250, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x250, ['BitField', dict(start_bit = 12, end_bit = 13, 
native_type='unsigned long')]], 'StackLookasideListAllocated' : [ 0x250, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SecurityTrace' : [ 0x250, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'SpareFlags1' : [ 0x250, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x250, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x250, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x250, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x254, ['unsigned long']], 'DbgRequestNewFile' : [ 0x254, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x254, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x254, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x254, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x254, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x254, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x254, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x254, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDeferredFlush' : [ 0x254, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDeferredFlushTimer' : [ 0x254, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x254, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 
'DbgRequestUpdateDebugger' : [ 0x254, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x254, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x258, ['_RTL_BITMAP']], 'StackCache' : [ 0x260, ['pointer', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x264, ['pointer', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x268, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x270, ['pointer', ['pointer', ['_WMI_BUFFER_HEADER']]]], 'DisallowedGuids' : [ 0x274, ['_DISALLOWED_GUIDS']], 'RelativeTimerDueTime' : [ 0x280, ['long long']], 'PeriodicCaptureStateGuids' : [ 0x288, ['_PERIODIC_CAPTURE_STATE_GUIDS']], 'PeriodicCaptureStateTimer' : [ 0x290, ['pointer', ['_EX_TIMER']]], 'PeriodicCaptureStateTimerState' : [ 0x294, ['Enumeration', dict(target = 'long', choices = {0: 'EtwpPeriodicTimerUnset', 1: 'EtwpPeriodicTimerSet'})]], 'SoftRestartContext' : [ 0x298, ['pointer', ['_ETW_SOFT_RESTART_CONTEXT']]], 'SiloState' : [ 0x29c, ['pointer', ['_ETW_SILODRIVERSTATE']]], 'CompressionWorkItem' : [ 0x2a0, ['_WORK_QUEUE_ITEM']], 'CompressionWorkItemState' : [ 0x2b0, ['long']], 'CompressionLock' : [ 0x2b4, ['_EX_PUSH_LOCK']], 'CompressionTarget' : [ 0x2b8, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CompressionWorkspace' : [ 0x2bc, ['pointer', ['void']]], 'CompressionOn' : [ 0x2c0, ['long']], 'CompressionRatioGuess' : [ 0x2c4, ['unsigned long']], 'PartialBufferCompressionLevel' : [ 0x2c8, ['unsigned long']], 'CompressionResumptionMode' : [ 0x2cc, ['Enumeration', dict(target = 'long', choices = {0: 'EtwCompressionModeRestart', 1: 'EtwCompressionModeNoDisable', 2: 'EtwCompressionModeNoRestart'})]], 'PlaceholderList' : [ 0x2d0, ['_SINGLE_LIST_ENTRY']], 'CompressionDpc' : [ 0x2d4, ['_KDPC']], 'LastBufferSwitchTime' : [ 0x2f8, ['_LARGE_INTEGER']], 'BufferWriteDuration' : [ 0x300, ['_LARGE_INTEGER']], 'BufferCompressDuration' : [ 0x308, ['_LARGE_INTEGER']], } ], '_ETW_PMC_SUPPORT' : [ 0x34, { 'Source' : [ 
0x0, ['array', -32, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x20, ['unsigned long']], 'HookId' : [ 0x24, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x2c, ['unsigned long']], 'ProcessorCtrs' : [ 0x30, ['array', 1, ['pointer', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_SILODRIVERSTATE' : [ 0xac0, { 'SiloGlobals' : [ 0x0, ['pointer', ['_ESERVERSILO_GLOBALS']]], 'EtwpSecurityProviderGuidEntry' : [ 0x8, ['_ETW_GUID_ENTRY']], 'EtwpLoggerRundown' : [ 0x170, ['array', 64, ['pointer', ['_EX_RUNDOWN_REF_CACHE_AWARE']]]], 'WmipLoggerContext' : [ 0x270, ['array', 64, ['pointer', ['_WMI_LOGGER_CONTEXT']]]], 'EtwpGuidHashTable' : [ 0x370, ['array', 64, ['_ETW_HASH_BUCKET']]], 'EtwpSecurityLoggers' : [ 0xa70, ['array', 8, ['unsigned short']]], 'EtwpSecurityProviderEnableMask' : [ 0xa80, ['unsigned char']], 'EtwpShutdownInProgress' : [ 0xa84, ['long']], 'EtwpSecurityProviderPID' : [ 0xa88, ['unsigned long']], 'PrivHandleDemuxTable' : [ 0xa8c, ['_ETW_PRIV_HANDLE_DEMUX_TABLE']], 'EtwpCounters' : [ 0xa9c, ['_ETW_COUNTERS']], 'LogfileBytesWritten' : [ 0xab0, ['_LARGE_INTEGER']], 'ProcessorBlocks' : [ 0xab8, ['pointer', ['_ETW_SILO_TRACING_BLOCK']]], } ], '_EX_RUNDOWN_REF_CACHE_AWARE' : [ 0x10, { 'RunRefs' : [ 0x0, ['pointer', ['_EX_RUNDOWN_REF']]], 'PoolToFree' : [ 0x4, 
['pointer', ['void']]], 'RunRefSize' : [ 0x8, ['unsigned long']], 'Number' : [ 0xc, ['unsigned long']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_SEP_SILOSTATE' : [ 0x18, { 'SystemLogonSession' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'AnonymousLogonSession' : [ 0x4, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'AnonymousLogonToken' : [ 0x8, ['pointer', ['void']]], 'AnonymousLogonTokenNoEveryone' : [ 0xc, ['pointer', ['void']]], 'UncSystemPaths' : [ 0x10, ['pointer', ['_UNICODE_STRING']]], 'NgenPaths' : [ 0x14, ['pointer', ['_CI_NGEN_PATHS']]], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x2a8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x9c, ['pointer', ['void']]], 'DynamicPart' : [ 0xa0, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa4, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 
'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xb0, ['unsigned long']], 'TokenInUse' : [ 0xb4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb8, ['unsigned long']], 'MandatoryPolicy' : [ 0xbc, ['unsigned long']], 'LogonSession' : [ 0xc0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc4, ['_LUID']], 'SidHash' : [ 0xcc, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x154, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1dc, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x1e0, ['pointer', ['void']]], 'Capabilities' : [ 0x1e4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x1e8, ['unsigned long']], 'CapabilitiesHash' : [ 0x1ec, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x274, ['pointer', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x278, ['pointer', ['_SEP_CACHED_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x27c, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x280, ['pointer', ['void']]], 'TrustLinkedToken' : [ 0x284, ['pointer', ['_TOKEN']]], 'IntegrityLevelSidValue' : [ 0x288, ['pointer', ['void']]], 'TokenSidValues' : [ 0x28c, ['pointer', ['_SEP_SID_VALUES_BLOCK']]], 'IndexEntry' : [ 0x290, ['pointer', ['_SEP_LUID_TO_INDEX_MAP_ENTRY']]], 'DiagnosticInfo' : [ 0x294, ['pointer', ['_SEP_TOKEN_DIAG_TRACK_ENTRY']]], 'BnoIsolationHandlesEntry' : [ 0x298, ['pointer', ['_SEP_CACHED_HANDLES_ENTRY']]], 'SessionObject' : [ 0x29c, ['pointer', ['void']]], 'VariablePart' : [ 0x2a0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x6c, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 
0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], 'CachedHandlesTable' : [ 0x34, ['_SEP_CACHED_HANDLES_TABLE']], 'SharedDataLock' : [ 0x3c, ['_EX_PUSH_LOCK']], 'SharedClaimAttributes' : [ 0x40, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'SharedSidValues' : [ 0x44, ['pointer', ['_SEP_SID_VALUES_BLOCK']]], 'RevocationBlock' : [ 0x48, ['_OB_HANDLE_REVOCATION_BLOCK']], 'ServerSilo' : [ 0x58, ['pointer', ['_EJOB']]], 'SiblingAuthId' : [ 0x5c, ['_LUID']], 'TokenList' : [ 0x64, ['_LIST_ENTRY']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : [ 0xd, ['unsigned char']], 'DbgRefTrace' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0xd, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'NewObject' : [ 0xf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0xf, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0xf, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0xf, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0xf, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0xf, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0xf, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0xf, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectCreateInfo' : [ 0x10, ['pointer', 
['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved1' : [ 0xe, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x8, { 'SecurityDescriptor' : [ 0x0, ['pointer', ['void']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_EXTENDED_INFO' : [ 0x8, { 'Footer' : [ 0x0, ['pointer', ['_OBJECT_FOOTER']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_FOOTER' : [ 0x18, { 'HandleRevocationInfo' : [ 0x0, ['_HANDLE_REVOCATION_INFO']], 'ExtendedUserInfo' : [ 0x10, ['_OB_EXTENDED_USER_INFO']], } ], '_OB_EXTENDED_USER_INFO' : [ 0x8, { 'Context1' : [ 0x0, ['pointer', ['void']]], 'Context2' : [ 0x4, ['pointer', ['void']]], } ], '_HANDLE_REVOCATION_INFO' : [ 0x10, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'RevocationBlock' : [ 0x8, ['pointer', ['_OB_HANDLE_REVOCATION_BLOCK']]], 'AllowHandleRevocation' : [ 0xc, ['unsigned char']], 'Padding1' : [ 0xd, ['array', 3, ['unsigned char']]], } ], 
'_OBP_LOOKUP_CONTEXT' : [ 0x18, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'EntryLink' : [ 0x8, ['pointer', ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0xc, ['unsigned long']], 'HashIndex' : [ 0x10, ['unsigned short']], 'DirectoryLocked' : [ 0x12, ['unsigned char']], 'LockedExclusive' : [ 0x13, ['unsigned char']], 'LockStateSignature' : [ 0x14, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xb0, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x9c, ['pointer', ['_OBJECT_DIRECTORY']]], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'SessionObject' : [ 0xa4, ['pointer', ['void']]], 'Flags' : [ 0xa8, ['unsigned long']], 'SessionId' : [ 0xac, ['unsigned long']], } ], '_OBP_SILODRIVERSTATE' : [ 0x1a4, { 'SystemDeviceMap' : [ 0x0, ['pointer', ['_DEVICE_MAP']]], 'SystemDosDeviceState' : [ 0x4, ['_OBP_SYSTEM_DOS_DEVICE_STATE']], 'DeviceMapLock' : [ 0x70, ['_EX_PUSH_LOCK']], 'PrivateNamespaceLookupTable' : [ 0x74, ['_OBJECT_NAMESPACE_LOOKUPTABLE']], } ], '_WHEAP_INFO_BLOCK' : [ 0xc, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x4, ['pointer', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x8, ['pointer', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x418, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x8, ['unsigned long']], 'PlatformErrorSourceId' : [ 0xc, ['unsigned long']], 'ErrorCount' : [ 0x10, ['long']], 'RecordCount' : [ 0x14, ['unsigned long']], 'RecordLength' : [ 0x18, ['unsigned long']], 'PoolTag' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 
'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x24, ['pointer', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x28, ['pointer', ['void']]], 'SectionCount' : [ 0x2c, ['unsigned long']], 'SectionLength' : [ 0x30, ['unsigned long']], 'TickCountAtLastError' : [ 0x38, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x40, ['unsigned long']], 'TotalErrors' : [ 0x44, ['unsigned long']], 'Deferred' : [ 0x48, ['unsigned char']], 'Descriptor' : [ 0x49, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xe4, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x8, ['unsigned long']], 'ProcessorNumber' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x14, ['long']], 'ErrorSource' : [ 0x18, ['pointer', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x1c, ['_WHEA_ERROR_RECORD']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 
36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ImageControlAreaOnRemovableMedia' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'SystemVaAllocated' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PreferredFsCompressionBoundary' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'UsingFileExtents' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'PageSize64K' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PEP_ACPI_SPB_RESOURCE' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 
'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'TypeSpecificFlags' : [ 0x8, ['unsigned short']], 'ResourceSourceIndex' : [ 0xa, ['unsigned char']], 'ResourceSourceName' : [ 0xc, ['pointer', ['_UNICODE_STRING']]], 'VendorData' : [ 0x10, ['pointer', ['unsigned char']]], 'VendorDataLength' : [ 0x14, ['unsigned short']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x40, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x8, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0xc, ['long']], 'HighWaterMark' : [ 0x10, ['unsigned long']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], '_KDPC_DATA' : [ 0x18, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], 'ActiveDpc' : [ 0x14, ['pointer', ['_KDPC']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 
'_PLATFORM_IDLE_ACCOUNTING' : [ 0x408, { 'ResetCount' : [ 0x0, ['unsigned long']], 'StateCount' : [ 0x4, ['unsigned long']], 'DeepSleepCount' : [ 0x8, ['unsigned long']], 'TimeUnit' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['_PLATFORM_IDLE_STATE_ACCOUNTING']]], } ], '_ACTIVATION_CONTEXT_STACK32' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['unsigned long']], 'FrameListCache' : [ 0x4, ['LIST_ENTRY32']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '__unnamed_1f37' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x7000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1f37']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x18, ['unsigned long']], 'NonPagablePages' : [ 0x1c, ['unsigned long']], 'CommittedPages' : [ 0x20, ['unsigned long']], 'PagedPoolStart' : [ 0x24, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x28, ['pointer', ['void']]], 'SessionObject' 
: [ 0x2c, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x30, ['pointer', ['void']]], 'SessionPoolAllocationFailures' : [ 0x34, ['array', 4, ['unsigned long']]], 'ImageTree' : [ 0x44, ['_RTL_AVL_TREE']], 'LocaleId' : [ 0x48, ['unsigned long']], 'AttachCount' : [ 0x4c, ['unsigned long']], 'AttachGate' : [ 0x50, ['_KGATE']], 'WsListEntry' : [ 0x60, ['_LIST_ENTRY']], 'PagedPoolInfo' : [ 0x68, ['_MM_PAGED_POOL_INFO']], 'Lookaside' : [ 0xc0, ['array', 24, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xcc0, ['_MMSESSION']], 'Vm' : [ 0xd00, ['_MMSUPPORT_FULL']], 'WorkingSetList' : [ 0xdc0, ['_MMWSL_INSTANCE']], 'PagedPool' : [ 0xe00, ['_POOL_DESCRIPTOR']], 'DriverUnload' : [ 0x1f40, ['_MI_SESSION_DRIVER_UNLOAD']], 'PageTables' : [ 0x1f48, ['array', 1024, ['_MMPTE']]], 'PagedPoolBitBuffer' : [ 0x3f48, ['array', 32, ['unsigned long']]], 'SpecialPool' : [ 0x3fc8, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x4008, ['_EX_PUSH_LOCK']], 'PoolBigEntriesInUse' : [ 0x400c, ['long']], 'PagedPoolPdeCount' : [ 0x4010, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x4014, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x4018, ['unsigned long']], 'SystemPteInfo' : [ 0x401c, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x4054, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x4058, ['unsigned long']], 'PoolTrackBigPages' : [ 0x405c, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x4060, ['unsigned long']], 'IoState' : [ 0x4064, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x4068, ['unsigned long']], 'IoNotificationEvent' : [ 0x406c, ['_KEVENT']], 'ServerSilo' : [ 0x407c, ['pointer', ['_EJOB']]], 'CreateTime' : [ 0x4080, ['unsigned long long']], 'PoolTags' : 
[ 0x5000, ['array', 8192, ['unsigned char']]], } ], '_OBJECT_NAMESPACE_LOOKUPTABLE' : [ 0x130, { 'HashBuckets' : [ 0x0, ['array', 37, ['_LIST_ENTRY']]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'NumberOfPrivateSpaces' : [ 0x12c, ['unsigned long']], } ], '_MI_CACHED_PTES' : [ 0x48, { 'Bins' : [ 0x0, ['array', 8, ['_MI_CACHED_PTE']]], 'CachedPteCount' : [ 0x40, ['long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x58, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned short']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UseExtendedParameters' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 
'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'ParseProcedureEx' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], 'WaitObjectFlagMask' : [ 0x50, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x54, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x56, ['unsigned short']], } ], '_KLOCK_ENTRY' : [ 0x30, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'EntryFlags' : [ 0xc, ['unsigned long']], 'EntryOffset' : [ 0xc, ['unsigned char']], 'ThreadLocalFlags' : [ 0xd, ['unsigned char']], 'WaitingBit' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare0' : [ 0xd, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'AcquiredByte' : [ 0xe, ['unsigned char']], 'AcquiredBit' : [ 0xe, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadFlags' : [ 0xf, ['unsigned char']], 'HeadNodeBit' : [ 0xf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IoPriorityBit' : [ 0xf, ['BitField', dict(start_bit 
= 1, end_bit = 2, native_type='unsigned char')]], 'IoQoSWaiter' : [ 0xf, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0xf, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'StaticState' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'AllFlags' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'LockState' : [ 0x10, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x10, ['pointer', ['void']]], 'CrossThreadReleasableAndBusyByte' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['array', 2, ['unsigned char']]], 'InTreeByte' : [ 0x13, ['unsigned char']], 'SessionState' : [ 0x14, ['pointer', ['void']]], 'SessionId' : [ 0x14, ['unsigned long']], 'OwnerTree' : [ 0x18, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x20, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x18, ['unsigned char']], 'EntryLock' : [ 0x28, ['unsigned long']], 'BoostBitmap' : [ 0x2c, ['_KLOCK_ENTRY_BOOST_BITMAP']], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 
0x0, ['_ARM_DBGKD_CONTROL_SET']], 'Arm64ControlSet' : [ 0x0, ['_ARM64_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ManySubsections' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Enclave' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PageSize64K' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'RfgControlStack' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_COUNTERS' : [ 0x5c, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, 
['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'PollIntervalCounter' : [ 0x38, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x3c, ['unsigned long']], 'HeapPollInterval' : [ 0x40, ['unsigned long']], 'AllocAndFreeOps' : [ 0x44, ['unsigned long']], 'AllocationIndicesActive' : [ 0x48, ['unsigned long']], 'InBlockDeccommits' : [ 0x4c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x50, ['unsigned long']], 'HighWatermarkSize' : [ 0x54, ['unsigned long']], 'LastPolledSize' : [ 0x58, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x18, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'Irp' : [ 0xc, ['pointer', ['_IRP']]], 'Device' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Static' : [ 0x14, ['unsigned char']], } ], '__unnamed_1f9d' : [ 0x10, { 'CallerCompletion' : [ 0x0, ['pointer', ['void']]], 'CallerContext' : [ 0x4, ['pointer', ['void']]], 'CallerDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0xc, ['unsigned char']], } ], '__unnamed_1fa0' : [ 0x8, { 'NotifyDevice' : [ 0x0, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x4, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'Pdo' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x18, ['unsigned long long']], 
'WatchdogTimer' : [ 0x20, ['_KTIMER']], 'WatchdogDpc' : [ 0x48, ['_KDPC']], 'MinorFunction' : [ 0x68, ['unsigned char']], 'PowerStateType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0x70, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0x74, ['unsigned char']], 'FxDevice' : [ 0x78, ['pointer', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0x7c, ['unsigned char']], 'NotifyPEP' : [ 0x7d, ['unsigned char']], 'Device' : [ 0x80, ['__unnamed_1f9d']], 'System' : [ 0x80, ['__unnamed_1fa0']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_KLOCK_ENTRY_BOOST_BITMAP' : [ 0x4, { 'AllFields' : [ 0x0, ['unsigned long']], 'AllBoosts' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 17, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], 'CpuBoostsBitmap' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 15, native_type='unsigned short')]], 'IoBoost' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'IoQoSBoost' : [ 0x2, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned short')]], 'IoQoSWaiterCount' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_PPM_IDLE_STATES' : [ 0x150, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'IdleOverride' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'UnaccountedTransition' : [ 0x5, ['unsigned char']], 'IdleDurationLimited' : [ 0x6, ['unsigned char']], 'IdleCheckLimited' : [ 0x7, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'LevelId' : [ 0x28, ['unsigned long long']], 'ReasonFlags' : [ 0x30, ['unsigned short']], 'InitiateWakeStamp' : [ 0x38, ['unsigned long long']], 'PreviousStatus' : [ 0x40, ['long']], 'PreviousCancelReason' : [ 0x44, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x48, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0x54, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x60, ['pointer', ['void']]], 'IdlePreExecute' : [ 0x64, ['pointer', 
['void']]], 'IdleExecute' : [ 0x68, ['pointer', ['void']]], 'IdlePreselect' : [ 0x6c, ['pointer', ['void']]], 'IdleTest' : [ 0x70, ['pointer', ['void']]], 'IdleAvailabilityCheck' : [ 0x74, ['pointer', ['void']]], 'IdleComplete' : [ 0x78, ['pointer', ['void']]], 'IdleCancel' : [ 0x7c, ['pointer', ['void']]], 'IdleIsHalted' : [ 0x80, ['pointer', ['void']]], 'IdleInitiateWake' : [ 0x84, ['pointer', ['void']]], 'PrepareInfo' : [ 0x88, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'DeepIdleSnapshot' : [ 0xd8, ['_KAFFINITY_EX']], 'Tracing' : [ 0xe4, ['pointer', ['_PERFINFO_PPM_STATE_SELECTION']]], 'CoordinatedTracing' : [ 0xe8, ['pointer', ['_PERFINFO_PPM_STATE_SELECTION']]], 'ProcessorMenu' : [ 0xec, ['_PPM_SELECTION_MENU']], 'CoordinatedMenu' : [ 0xf4, ['_PPM_SELECTION_MENU']], 'CoordinatedSelection' : [ 0xfc, ['_PPM_COORDINATED_SELECTION']], 'State' : [ 0x10c, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_ETW_HASH_BUCKET' : [ 0x1c, { 'ListHead' : [ 0x0, ['array', 3, ['_LIST_ENTRY']]], 'BucketLock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_1ff3' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, 
['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], 'GenErrDescriptorV2' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR_V2']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1ff3']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' 
: [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_SEP_TOKEN_DIAG_TRACK_ENTRY' : [ 0x9c, { 'ProcessCid' : [ 0x0, ['pointer', ['void']]], 'ThreadCid' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'CreateMethod' : [ 0x18, ['unsigned long']], 'CreateTrace' : [ 0x1c, ['array', 30, ['unsigned long']]], 'Count' : [ 0x94, ['long']], 'CaptureCount' : [ 0x98, ['long']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND_STATE' : [ 0x4, { 'Expanded' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Transitioning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Pageable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], 
'_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_PPM_POLICY_SETTINGS_MASK' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'PerfDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PerfIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerfDecreasePolicy' : [ 0x0, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PerfIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PerfDecreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PerfIncreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'PerfMinPolicy' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'PerfMaxPolicy' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'PerfTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PerfBoostPolicy' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PerfBoostMode' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AllowThrottling' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PerfHistoryCount' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ParkingPerfState' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LatencyHintPerf' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'LatencyHintUnpark' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CoreParkingMinCores' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CoreParkingMaxCores' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'CoreParkingDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'CoreParkingIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CoreParkingDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit 
= 21, native_type='unsigned long')]], 'CoreParkingIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CoreParkingOverUtilizationThreshold' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'CoreParkingDistributeUtility' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CoreParkingConcurrencyThreshold' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CoreParkingHeadroomThreshold' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CoreParkingDistributionThreshold' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IdleAllowScaling' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'IdleDisable' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'IdleTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'IdleDemoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'IdlePromoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HeteroDecreaseTime' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HeteroIncreaseTime' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HeteroDecreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HeteroIncreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Class0FloorPerformance' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Class1InitialPerformance' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnergyPerfPreference' : 
[ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AutonomousActivityWindow' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AutonomousMode' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DutyCycling' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'FrequencyCap' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_KSCHEDULING_GROUP' : [ 0x180, { 'Policy' : [ 0x0, ['_KSCHEDULING_GROUP_POLICY']], 'RelativeWeight' : [ 0x8, ['unsigned long']], 'ChildMinRate' : [ 0xc, ['unsigned long']], 'ChildMinWeight' : [ 0x10, ['unsigned long']], 'ChildTotalWeight' : [ 0x14, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x18, ['unsigned long long']], 'NotificationCycles' : [ 0x20, ['long long']], 'MaxQuotaLimitCycles' : [ 0x28, ['long long']], 'MaxQuotaCyclesRemaining' : [ 0x30, ['long long']], 'SchedulingGroupList' : [ 0x38, ['_LIST_ENTRY']], 'Sibling' : [ 0x38, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x40, ['pointer', ['_KDPC']]], 'ChildList' : [ 0x44, ['_LIST_ENTRY']], 'Parent' : [ 0x4c, ['pointer', ['_KSCHEDULING_GROUP']]], 'PerProcessor' : [ 0x80, ['array', 1, ['_KSCB']]], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x130, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x8, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0xc, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x10, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x98, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x120, 
['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x124, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x128, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x12c, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, 
native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'SecureDevice' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_JOBOBJECT_ENERGY_TRACKING_STATE' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 
'UpdateMask' : [ 0x0, ['unsigned long']], 'DesiredState' : [ 0x4, ['unsigned long']], } ], '_LOCK_HEADER' : [ 0x10, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x4, ['unsigned long']], 'Lock' : [ 0x8, ['unsigned long']], 'Valid' : [ 0xc, ['unsigned long']], } ], '_SEP_CACHED_HANDLES_ENTRY' : [ 0x24, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'EntryDescriptor' : [ 0x10, ['_SEP_CACHED_HANDLES_ENTRY_DESCRIPTOR']], 'HandleCount' : [ 0x1c, ['unsigned long']], 'Handles' : [ 0x20, ['pointer', ['pointer', ['void']]]], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_KHETERO_PROCESSOR_SET' : [ 0xc, { 'IdealMask' : [ 0x0, ['unsigned long']], 'PreferredMask' : [ 0x4, ['unsigned long']], 'AvailableMask' : [ 0x8, ['unsigned long']], } ], '_MMSESSION' : [ 0x14, { 'SystemSpaceViewLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'SystemSpaceViewLockPointer' : [ 0x4, ['pointer', ['_EX_PUSH_LOCK']]], 'ViewRoot' : [ 0x8, ['_RTL_AVL_TREE']], 'ViewCount' : [ 0xc, ['unsigned long']], 'BitmapFailures' : [ 0x10, ['unsigned long']], } ], '_CC_ASYNC_READ_CONTEXT' : [ 0x14, { 'CompletionRoutine' : [ 0x0, ['pointer', ['void']]], 'Context' : [ 0x4, ['pointer', ['void']]], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'RequestorMode' : [ 0xc, ['unsigned char']], 'NestingLevel' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_DIRTY_PAGE_STATISTICS' : [ 0xc, { 'DirtyPages' : [ 0x0, ['unsigned long']], 'DirtyPagesLastScan' : [ 0x4, ['unsigned long']], 'DirtyPagesScheduledLastScan' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x58, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'ReadyTime' : [ 0x10, ['unsigned long long']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'ContextSwitches' : [ 0x20, ['unsigned long long']], 
'ReadOperationCount' : [ 0x28, ['long long']], 'WriteOperationCount' : [ 0x30, ['long long']], 'OtherOperationCount' : [ 0x38, ['long long']], 'ReadTransferCount' : [ 0x40, ['long long']], 'WriteTransferCount' : [ 0x48, ['long long']], 'OtherTransferCount' : [ 0x50, ['long long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x38, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], 'ServerSilo' : [ 0x34, ['pointer', ['_EJOB']]], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_TRIAGE_9F_PNP' : [ 0xc, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'CompletionQueue' : [ 0x4, ['pointer', 
['_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE']]], 'DelayedWorkQueue' : [ 0x8, ['pointer', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_POP_CURRENT_BROADCAST' : [ 0x10, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'DeviceState' : [ 0xc, ['pointer', ['_POP_DEVICE_SYS_STATE']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 
'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LeakedPoolDeliberately' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_JOB_RATE_CONTROL_HEADER' : [ 0x14, { 'RateControlQuotaReference' : [ 0x0, ['pointer', ['void']]], 'OverQuotaHistory' : [ 0x4, ['_RTL_BITMAP']], 'BitMapBuffer' : [ 0xc, ['pointer', ['unsigned char']]], 'BitMapBufferSize' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '_OBJECT_NAME_INFORMATION' : [ 
0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR_V2' : [ 0x50, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'ReadAckAddressSpaceID' : [ 0x34, ['unsigned char']], 'ReadAckAddressBitWidth' : [ 0x35, ['unsigned char']], 'ReadAckAddressBitOffset' : [ 0x36, ['unsigned char']], 'ReadAckAddressAccessSize' : [ 0x37, ['unsigned char']], 'ReadAckAddress' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAckPreserveMask' : [ 0x40, ['unsigned long long']], 'ReadAckWriteMask' : [ 0x48, ['unsigned long long']], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', 
['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_MI_SPECIAL_POOL' : [ 0x40, { 'Lock' : [ 0x0, ['unsigned long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, ['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], '_DBGKD_WRITE_CUSTOM_BREAKPOINT' : [ 0x18, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointInstruction' : [ 0x8, ['unsigned long long']], 'BreakPointHandle' : [ 0x10, ['unsigned long']], 'BreakPointInstructionSize' : [ 0x14, ['unsigned char']], 'BreakPointInstructionAlignment' : [ 0x15, ['unsigned char']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x2c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x8, ['unsigned char']], 'Spare' : [ 0x9, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0xc, ['unsigned long']], 'DebugId' : [ 0x10, ['_CVDD']], } ], '_PS_PROPERTY_SET' : [ 0xc, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x8, ['unsigned long']], } ], '_TRIAGE_EX_WORK_QUEUE' : [ 0x19c, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], } ], 
'_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x30, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'ExpectedWakeReason' : [ 0x2d, ['unsigned char']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_THREAD_ENERGY_VALUES' : [ 0xc8, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'AttributedCycles' : [ 0x40, ['array', 4, ['array', 2, ['unsigned long long']]]], 'WorkOnBehalfCycles' : [ 0x80, ['array', 4, ['array', 2, ['unsigned long long']]]], 'CpuTimeline' : [ 0xc0, ['_TIMELINE_BITMAP']], } ], '_WHEAP_WORK_QUEUE' : [ 0x44, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['long']], 'Dpc' : [ 0x10, ['_KDPC']], 
'WorkItem' : [ 0x30, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x40, ['pointer', ['void']]], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_RTL_RUN_ONCE' : [ 0x4, { 'Ptr' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], } ], '_CM_PATH_HASH' : [ 0x4, { 'Hash' : [ 0x0, ['unsigned long']], } ], '_EXHANDLE' : [ 0x4, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 
0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_FAST_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['wchar']]], 'DriverName' : [ 0x28, ['pointer', ['wchar']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], '_DUAL' : [ 0x19c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x190, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x198, ['unsigned long']], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], 'Gate' : [ 0x4, ['_KGATE']], 'SecureInfo' : [ 0x4, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x4, ['_RTL_BITMAP']], 'InPageSupport' : [ 0x4, ['pointer', ['_MMINPAGE_SUPPORT']]], 'LargePage' : [ 0x4, ['_MI_LARGEPAGE_IMAGE_INFO']], 'CreatingThread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'PebTebRfg' : [ 0x4, ['_MI_SUB64K_FREE_RANGES']], 'RfgProtectedStack' : [ 0x4, ['_MI_RFG_PROTECTED_STACK']], 'WaitReason' : [ 0x24, 
['unsigned long']], } ], '__unnamed_20e3' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '__unnamed_20e6' : [ 0x4, { 'e1' : [ 0x0, ['_MI_SUBSECTION_ENTRY1']], 'EntireField' : [ 0x0, ['unsigned long']], } ], '__unnamed_20e8' : [ 0x4, { 'AlignmentNoAccessPtes' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'DirtyPages' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SUBSECTION' : [ 0x28, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'GlobalPerSessionHead' : [ 0xc, ['_RTL_AVL_TREE']], 'CreationWaitList' : [ 0xc, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'SessionDriverProtos' : [ 0xc, ['pointer', ['_MI_PER_SESSION_PROTOS']]], 'u' : [ 0x10, ['__unnamed_20e3']], 'StartingSector' : [ 0x14, ['unsigned long']], 'NumberOfFullSectors' : [ 0x18, ['unsigned long']], 'PtesInSubsection' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_20e6']], 'UnusedPtes' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'ExtentQueryNeeded' : [ 0x24, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DirtyPages' : [ 0x24, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u2' : [ 0x24, ['__unnamed_20e8']], } ], '_REQUEST_MAILBOX' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x4, ['unsigned long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x18, ['pointer', ['long']]], 'NodeTargetCount' : [ 0x1c, ['long']], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, 
['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_FAST_ERESOURCE' : [ 0x38, { 'Reserved1' : [ 0x0, ['array', 3, ['pointer', ['void']]]], 'Reserved2' : [ 0xc, ['unsigned long']], 'Reserved3' : [ 0x10, ['array', 4, ['pointer', ['void']]]], 'Reserved4' : [ 0x20, ['array', 4, ['unsigned long']]], 'Reserved6' : [ 0x30, ['array', 2, ['pointer', ['void']]]], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x8, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_SEP_RM_LSA_CONNECTION_STATE' : [ 0x30, { 'LsaProcessHandle' : [ 
0x0, ['pointer', ['void']]], 'LsaCommandPortHandle' : [ 0x4, ['pointer', ['void']]], 'SepRmThreadHandle' : [ 0x8, ['pointer', ['void']]], 'RmCommandPortHandle' : [ 0xc, ['pointer', ['void']]], 'RmCommandServerPortHandle' : [ 0x10, ['pointer', ['void']]], 'LsaCommandPortSectionHandle' : [ 0x14, ['pointer', ['void']]], 'LsaCommandPortSectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'LsaViewPortMemory' : [ 0x20, ['pointer', ['void']]], 'RmViewPortMemory' : [ 0x24, ['pointer', ['void']]], 'LsaCommandPortMemoryDelta' : [ 0x28, ['long']], 'LsaCommandPortActive' : [ 0x2c, ['unsigned char']], } ], '_CM_KCB_LAYER_INFO' : [ 0x18, { 'LayerListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Kcb' : [ 0x8, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'LowerLayer' : [ 0xc, ['pointer', ['_CM_KCB_LAYER_INFO']]], 'UpperLayerListHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], 
'_MM_PAGED_POOL_INFO' : [ 0x1c, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'PagedPoolAllocationMap' : [ 0x4, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 'MaximumSize' : [ 0x10, ['unsigned long']], 'PagedPoolHint' : [ 0x14, ['unsigned long']], 'AllocatedPagedPool' : [ 0x18, ['unsigned long']], } ], '_PPM_IDLE_STATE' : [ 0x44, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Name' : [ 0xc, ['_UNICODE_STRING']], 'Latency' : [ 0x14, ['unsigned long']], 'BreakEvenDuration' : [ 0x18, ['unsigned long']], 'Power' : [ 0x1c, ['unsigned long']], 'StateFlags' : [ 0x20, ['unsigned long']], 'VetoAccounting' : [ 0x24, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0x3c, ['unsigned char']], 'InterruptsEnabled' : [ 0x3d, ['unsigned char']], 'Interruptible' : [ 0x3e, ['unsigned char']], 'ContextRetained' : [ 0x3f, ['unsigned char']], 'CacheCoherent' : [ 0x40, ['unsigned char']], 'WakesSpuriously' : [ 0x41, ['unsigned char']], 'PlatformOnly' : [ 0x42, ['unsigned char']], 'NoCState' : [ 0x43, ['unsigned char']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '__unnamed_211c' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 
0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_211e' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_211c']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0xb0, { 'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_211e']], 'Signature' : [ 0x14, ['unsigned long']], 'PoolPageHeaders' : [ 0x18, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, ['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], 'ExecutePoolTypes' : [ 0x90, ['unsigned long']], 'ExecutePageProtections' : [ 0x94, ['unsigned long']], 
'ExecutePageMappings' : [ 0x98, ['unsigned long']], 'ExecuteWriteSections' : [ 0x9c, ['unsigned long']], 'SectionAlignmentFailures' : [ 0xa0, ['unsigned long']], 'UnsupportedRelocs' : [ 0xa4, ['unsigned long']], 'IATInExecutableSection' : [ 0xa8, ['unsigned long']], } ], '_SEP_LUID_TO_INDEX_MAP_ENTRY' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'Luid' : [ 0x10, ['unsigned long long']], 'IndexIntoGlobalSingletonTable' : [ 0x18, ['unsigned long long']], 'MarkedForDeletion' : [ 0x20, ['unsigned char']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'DynamicRelocations' : [ 0x0, ['pointer', ['void']]], 'SecurityContext' : [ 0x4, ['_IMAGE_SECURITY_CONTEXT']], 'StrongImageReference' : [ 0x8, ['unsigned long']], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderZero', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderVsmMemory', 30: 'LoaderFirmwareCode', 31: 'LoaderFirmwareData', 32: 'LoaderFirmwareReserved', 33: 'LoaderEnclaveMemory', 34: 'LoaderFirmwareKsr', 35: 'LoaderEnclaveKsr', 36: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_SYSTEM_POWER_POLICY' : [ 
0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' 
: [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_OBP_SYSTEM_DOS_DEVICE_STATE' : [ 0x6c, { 'GlobalDeviceMap' : [ 0x0, ['unsigned long']], 'LocalDeviceCount' : [ 0x4, ['array', 26, ['unsigned long']]], } ], '_WNF_SILODRIVERSTATE' : [ 0x30, { 'ScopeMap' : [ 0x0, ['pointer', ['_WNF_SCOPE_MAP']]], 'PermanentNameStoreRootKey' : [ 0x4, ['pointer', ['void']]], 'PersistentNameStoreRootKey' : [ 0x8, ['pointer', ['void']]], 'PermanentNameSequenceNumber' : [ 0x10, ['long long']], 'PermanentNameSequenceNumberLock' : [ 0x18, ['_WNF_LOCK']], 'PermanentNameSequenceNumberPool' : [ 0x20, ['long long']], 'RuntimeNameSequenceNumber' : [ 0x28, ['long long']], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_DELAY_ACK_FO' : [ 0xc, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'Type' : [ 0x0, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Reserved1' : [ 0x3, ['unsigned char']], 'TimerType' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Timer2Type' : [ 0x0, ['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Timer2ReservedFlags' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Timer2ComponentId' : [ 0x2, ['unsigned char']], 'Timer2RelativeId' : [ 0x3, ['unsigned char']], 'QueueType' : [ 0x0, ['unsigned char']], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'QueueReservedControlFlags' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueSize' : [ 0x2, ['unsigned char']], 'QueueReserved' : [ 0x3, ['unsigned char']], 'ThreadType' : [ 0x0, ['unsigned char']], 'ThreadReserved' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 
'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Tagged' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'EnergyProfiling' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Instrumented' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ThreadReservedControlFlags' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'MutantType' : [ 0x0, ['unsigned char']], 'MutantSize' : [ 0x1, ['unsigned char']], 'DpcActive' : [ 0x2, ['unsigned char']], 'MutantReserved' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OB_HANDLE_REVOCATION_BLOCK' : [ 0x10, { 'RevocationInfos' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'Rundown' : [ 0xc, ['_EX_RUNDOWN_REF']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x28, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long']], 'DirtyPageThresholdTop' : [ 0x4, 
['unsigned long']], 'DirtyPageThresholdBottom' : [ 0x8, ['unsigned long']], 'DirtyPageTarget' : [ 0xc, ['unsigned long']], 'AggregateAvailablePages' : [ 0x10, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x18, ['unsigned long long']], 'AvailableHistory' : [ 0x20, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x4c, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'Count' : [ 0x14, ['unsigned long']], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'StackTrace' : [ 0x24, ['array', 8, ['pointer', ['void']]]], 'Who' : [ 0x44, ['unsigned long']], 'Process' : [ 0x48, ['pointer', ['_EPROCESS']]], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, 
['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer', ['_MMPTE']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS' : [ 0x1, { 'Trustlet' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Ntos' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'WriteHandle' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ReadHandle' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'AccessRights' : [ 0x0, ['unsigned char']], } ], '_KREQUEST_PACKET' : [ 0x10, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer', ['void']]]], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], } ], '_PS_PROCESS_WAKE_INFORMATION' : [ 0x30, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 7, ['unsigned long']]], 'WakeFilter' : [ 0x24, ['_JOBOBJECT_WAKE_FILTER']], 'NoWakeCounter' : [ 
0x2c, ['unsigned long']], } ], '__unnamed_216c' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_216e' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_216c']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_216e']], } ], '_PROCESS_ENERGY_VALUES' : [ 0x110, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'DiskEnergy' : [ 0x40, ['unsigned long long']], 'NetworkTailEnergy' : [ 0x48, ['unsigned long long']], 'MBBTailEnergy' : [ 0x50, ['unsigned long long']], 'NetworkTxRxBytes' : [ 0x58, ['unsigned long long']], 'MBBTxRxBytes' : [ 0x60, ['unsigned long long']], 'Durations' : [ 0x68, ['array', 3, ['_ENERGY_STATE_DURATION']]], 'ForegroundDuration' : [ 0x68, ['_ENERGY_STATE_DURATION']], 'DesktopVisibleDuration' : [ 0x70, ['_ENERGY_STATE_DURATION']], 'PSMForegroundDuration' : [ 0x78, ['_ENERGY_STATE_DURATION']], 'CompositionRendered' : [ 0x80, ['unsigned long']], 'CompositionDirtyGenerated' : [ 0x84, ['unsigned long']], 'CompositionDirtyPropagated' : [ 0x88, ['unsigned long']], 'Reserved1' : [ 0x8c, ['unsigned long']], 'AttributedCycles' : [ 0x90, ['array', 4, ['array', 2, ['unsigned long long']]]], 'WorkOnBehalfCycles' : [ 0xd0, ['array', 4, ['array', 2, ['unsigned long long']]]], } ], '_MMCLONE_HEADER' : [ 0xc, { 'NumberOfPtes' : [ 0x0, ['unsigned long']], 'NumberOfProcessReferences' : [ 0x4, ['unsigned long']], 'ClonePtes' : [ 0x8, ['pointer', ['_MMCLONE_BLOCK']]], } ], '_MI_SYSTEM_INFORMATION' : [ 0x3b00, { 'Pools' : [ 0x0, ['_MI_POOL_STATE']], 'Sections' : [ 0x500, ['_MI_SECTION_STATE']], 'SystemImages' : [ 0x640, ['_MI_SYSTEM_IMAGE_STATE']], 'Sessions' : [ 0x6ac, ['_MI_SESSION_STATE']], 'Processes' : [ 0x16e8, 
['_MI_PROCESS_STATE']], 'Hardware' : [ 0x1740, ['_MI_HARDWARE_STATE']], 'SystemVa' : [ 0x1800, ['_MI_SYSTEM_VA_STATE']], 'PageCombines' : [ 0x2d00, ['_MI_COMBINE_STATE']], 'PageLists' : [ 0x2d18, ['_MI_PAGELIST_STATE']], 'Partitions' : [ 0x2d20, ['_MI_PARTITION_STATE']], 'Shutdowns' : [ 0x2d58, ['_MI_SHUTDOWN_STATE']], 'Errors' : [ 0x2da0, ['_MI_ERROR_STATE']], 'AccessLog' : [ 0x2e80, ['_MI_ACCESS_LOG_STATE']], 'Debugger' : [ 0x2f00, ['_MI_DEBUGGER_STATE']], 'Standby' : [ 0x2f90, ['_MI_STANDBY_STATE']], 'SystemPtes' : [ 0x3000, ['_MI_SYSTEM_PTE_STATE']], 'IoPages' : [ 0x3140, ['_MI_IO_PAGE_STATE']], 'PagingIo' : [ 0x3180, ['_MI_PAGING_IO_STATE']], 'CommonPages' : [ 0x31b8, ['_MI_COMMON_PAGE_STATE']], 'Trims' : [ 0x3200, ['_MI_SYSTEM_TRIM_STATE']], 'Cookie' : [ 0x3240, ['unsigned long']], 'BootRegistryRuns' : [ 0x3244, ['pointer', ['pointer', ['void']]]], 'ZeroingDisabled' : [ 0x3248, ['long']], 'FullyInitialized' : [ 0x324c, ['unsigned char']], 'SafeBooted' : [ 0x324d, ['unsigned char']], 'PfnBitMap' : [ 0x3250, ['_RTL_BITMAP']], 'TraceLogging' : [ 0x3258, ['pointer', ['_TlgProvider_t']]], 'Vs' : [ 0x3280, ['_MI_VISIBLE_STATE']], } ], '_ETW_SILO_TRACING_BLOCK' : [ 0x300, { 'ProcessorBuffers' : [ 0x0, ['array', 64, ['_EX_FAST_REF']]], 'EventsLoggedCount' : [ 0x100, ['array', 64, ['unsigned long long']]], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x10, ['_KEVENT']], } ], '__unnamed_219c' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } 
], '__unnamed_219e' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_219c']], } ], '__unnamed_21a0' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_219e']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_21a0']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '__unnamed_21a8' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_21a8']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x8, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], } ], '_MI_LARGEPAGE_IMAGE_INFO' : [ 0x8, { 'LargeImageBias' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'ActualImageViewSize' : [ 0x4, ['unsigned long']], } ], '__unnamed_21b5' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x18, { 'NodeRangeSize' : [ 0x0, ['unsigned long']], 'NodeCount' : [ 0x4, ['unsigned long']], 'Tables' : [ 0x8, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0xc, ['unsigned long']], 'UseSessionId' : [ 0x10, ['unsigned char']], 'u1' : [ 0x14, ['__unnamed_21b5']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned 
short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_MMSUPPORT_FULL' : [ 0x8c, { 'Instance' : [ 0x0, ['_MMSUPPORT_INSTANCE']], 'Shared' : [ 0x68, ['_MMSUPPORT_SHARED']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_MI_PROCESS_STATE' : [ 0x58, { 'SystemDllBase' : [ 0x0, ['pointer', ['void']]], 'ColorSeed' : [ 0x4, ['unsigned long']], 'RotatingUniprocessorNumber' : [ 0x8, ['long']], 'CriticalSectionTimeout' : [ 0x10, ['_LARGE_INTEGER']], 'ProcessList' : [ 0x18, ['_LIST_ENTRY']], 'SharedUserDataPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'FreePaeEntries' : [ 0x24, ['unsigned long']], 'FirstFreePae' : [ 0x28, ['_PAE_ENTRY']], 'AllocatedPaePages' : [ 0x48, ['long']], 'PaeLock' : [ 0x4c, ['unsigned long']], 'PaeEntrySList' : [ 0x50, ['_SLIST_HEADER']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 
0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long']], 'PipelinedReadAheadRequestSize' : [ 0x54, ['unsigned long']], 'ReadAheadGrowth' : [ 0x58, ['unsigned long']], 'PrivateLinks' : [ 0x5c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x64, ['pointer', ['void']]], } ], '_ETW_GUID_ENTRY' : [ 0x168, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['pointer', ['_ETW_FILTER_HEADER']]], 'SiloState' : [ 0x15c, ['pointer', ['_ETW_SILODRIVERSTATE']]], 'Lock' : [ 0x160, ['_EX_PUSH_LOCK']], 'LockOwner' : [ 0x164, ['pointer', ['_ETHREAD']]], } ], '_ARBITER_INSTANCE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['wchar']]], 'OrderingName' : [ 0xc, ['pointer', ['wchar']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 
'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, 
['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '_MI_SYSTEM_IMAGE_STATE' : [ 0x6c, { 'FixupList' : [ 0x0, ['_LIST_ENTRY']], 'LoadLock' : [ 0x8, ['_KMUTANT']], 'FixupLock' : [ 0x28, ['long']], 'FirstLoadEver' : [ 0x2c, ['unsigned char']], 'LargePageAll' : [ 0x2d, ['unsigned char']], 'LastPage' : [ 0x30, ['unsigned long']], 'LargePageList' : [ 0x34, ['_LIST_ENTRY']], 'StrongCodeLoadFailureList' : [ 0x3c, ['_LIST_ENTRY']], 'BeingDeleted' : [ 0x44, ['pointer', ['_KLDR_DATA_TABLE_ENTRY']]], 'MappingRangesPushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'MappingRanges' : [ 0x4c, ['array', 2, ['pointer', ['_MI_DRIVER_VA']]]], 'PageCount' : [ 0x54, ['unsigned long']], 'PageCounts' : [ 0x58, ['_MM_SYSTEM_PAGE_COUNTS']], 'CollidedLock' : [ 0x68, ['_EX_PUSH_LOCK']], } ], '_MMPFNENTRY1' : [ 0x1, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned 
char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x44, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, ['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x3c, ['unsigned char']], 'DeleteType' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 
'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x8, ['unsigned long']], 'SyncCallback' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ZeroMapRegisters' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, 
['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'HiberFileType' : [ 0x16, ['unsigned char']], 'AoAcConnectivitySupported' : [ 0x17, ['unsigned char']], 'spare3' : [ 0x18, ['array', 6, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_EX_WORK_QUEUE' : [ 0x1b8, { 'WorkPriQueue' 
: [ 0x0, ['_KPRIQUEUE']], 'Node' : [ 0x19c, ['pointer', ['_ENODE']]], 'WorkItemsProcessed' : [ 0x1a0, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x1a4, ['unsigned long']], 'ThreadCount' : [ 0x1a8, ['long']], 'MinThreads' : [ 0x1ac, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='long')]], 'TryFailed' : [ 0x1ac, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'MaxThreads' : [ 0x1b0, ['long']], 'QueueIndex' : [ 0x1b4, ['Enumeration', dict(target = 'long', choices = {0: 'ExPoolUntrusted', 1: 'IoPoolUntrusted', 2: 'ExPoolTrusted', 8: 'ExPoolMax'})]], } ], '_KWAIT_CHAIN' : [ 0x4, { 'Head' : [ 0x0, ['pointer', ['void']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_VF_DRIVER_IO_CALLBACKS' : [ 0x80, { 'DriverInit' : [ 0x0, ['pointer', ['void']]], 'DriverStartIo' : [ 0x4, ['pointer', ['void']]], 'DriverUnload' : [ 0x8, ['pointer', ['void']]], 'AddDevice' : [ 0xc, ['pointer', ['void']]], 'MajorFunction' : [ 0x10, ['array', 28, ['pointer', ['void']]]], } ], '_CM_UOW_SET_VALUE_KEY_DATA' : [ 0x10, { 'PreparedCell' : [ 0x0, ['unsigned long']], 'OldValueCell' : [ 0x4, ['unsigned long']], 'NameLength' : [ 0x8, ['unsigned short']], 'DataSize' : [ 0xc, ['unsigned long']], } ], '_MI_PARTITION_STATE' : [ 0x38, { 'PartitionLock' : [ 0x0, ['unsigned long']], 'PartitionIdLock' : [ 0x4, ['_EX_PUSH_LOCK']], 'InitialPartitionIdBits' : [ 0x8, ['unsigned long long']], 'PartitionList' : [ 0x10, ['_LIST_ENTRY']], 'PartitionIdBitmap' 
: [ 0x18, ['pointer', ['_RTL_BITMAP']]], 'InitialPartitionIdBitmap' : [ 0x1c, ['_RTL_BITMAP']], 'TempPartitionPointers' : [ 0x24, ['array', 1, ['pointer', ['_MI_PARTITION']]]], 'Partition' : [ 0x28, ['pointer', ['pointer', ['_MI_PARTITION']]]], 'TotalPagesInChildPartitions' : [ 0x2c, ['unsigned long']], 'CrossPartitionDenials' : [ 0x30, ['unsigned long']], 'MultiplePartitionsExist' : [ 0x34, ['unsigned char']], } ], '_POP_THERMAL_ZONE' : [ 0x2e8, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], 'State' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], 'Removing' : [ 0x22, ['unsigned char']], 'Mode' : [ 0x23, ['unsigned char']], 'PendingMode' : [ 0x24, ['unsigned char']], 'ActivePoint' : [ 0x25, ['unsigned char']], 'PendingActivePoint' : [ 0x26, ['unsigned char']], 'Critical' : [ 0x27, ['unsigned char']], 'ThermalStandby' : [ 0x28, ['unsigned char']], 'OverThrottled' : [ 0x29, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x2c, ['long']], 'Throttle' : [ 0x30, ['long']], 'PendingThrottle' : [ 0x34, ['long']], 'ThrottleReasons' : [ 0x38, ['unsigned long']], 'LastPassiveTime' : [ 0x40, ['unsigned long long']], 'SampleRate' : [ 0x48, ['unsigned long']], 'LastTemp' : [ 
0x4c, ['unsigned long']], 'Info' : [ 0x50, ['_THERMAL_INFORMATION_EX']], 'Policy' : [ 0xac, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0xc4, ['unsigned char']], 'PollingRate' : [ 0xc8, ['unsigned long']], 'LastTemperatureTime' : [ 0xd0, ['unsigned long long']], 'LastActiveStartTime' : [ 0xd8, ['unsigned long long']], 'LastPassiveStartTime' : [ 0xe0, ['unsigned long long']], 'WorkItem' : [ 0xe8, ['_WORK_QUEUE_ITEM']], 'ZoneUpdateTimer' : [ 0xf8, ['_KTIMER2']], 'Lock' : [ 0x150, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x158, ['_KEVENT']], 'TemperatureUpdated' : [ 0x168, ['_KEVENT']], 'InstanceId' : [ 0x178, ['unsigned long']], 'TelemetryTracker' : [ 0x180, ['_POP_THERMAL_TELEMETRY_TRACKER']], 'Description' : [ 0x2e0, ['_UNICODE_STRING']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_REQUEST' : [ 0xc, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_TRIAGE_DEVICE_NODE']]], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_MMPFNENTRY3' : [ 0x1, { 'Priority' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SystemChargedPage' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_SID_VALUES_BLOCK' : [ 0x10, { 'BlockLength' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'SidCount' : [ 0x8, ['unsigned long']], 'SidValuesStart' : [ 0xc, ['unsigned long']], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x4, { 'Function' : [ 0x0, ['pointer', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long']], } ], '__unnamed_22b2' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_22b4' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_22b2']], 'Private' : [ 0x0, ['__unnamed_22b4']], } ], '_CM_TRANS_PTR' : [ 0x4, { 'LightWeight' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'TransPtr' : [ 0x0, ['pointer', ['void']]], } ], '_PS_TRUSTLET_ATTRIBUTE_TYPE' : [ 0x4, { 'Version' : [ 0x0, ['unsigned char']], 'DataCount' : [ 0x1, ['unsigned char']], 'SemanticType' : [ 0x2, ['unsigned char']], 'AccessRights' : [ 0x3, ['_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS']], 'AttributeType' : [ 0x0, ['unsigned long']], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['_CM_PATH_HASH']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', 
['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PS_IO_CONTROL_ENTRY' : [ 0x1c, { 'VolumeTreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ReservedForParentValue' : [ 0x8, ['unsigned long']], 'VolumeKey' : [ 0xc, ['unsigned long']], 'Rundown' : [ 0x10, ['_EX_RUNDOWN_REF']], 'IoControl' : [ 0x14, ['pointer', ['void']]], 'VolumeIoAttribution' : [ 0x18, ['pointer', ['void']]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_CM_UOW_SET_VALUE_LIST_DATA' : [ 0xc, { 'RefCount' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['_CHILD_LIST']], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 
'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'PagesAllocated' : [ 0x44, ['unsigned long']], 'BigPagesAllocated' : [ 0x48, ['unsigned long']], 'BytesAllocated' : [ 0x4c, ['unsigned long']], 'RunningDeallocs' : [ 0x80, ['long']], 'PagesDeallocated' : [ 0x84, ['unsigned long']], 'BigPagesDeallocated' : [ 0x88, ['unsigned long']], 'BytesDeallocated' : [ 0x8c, ['unsigned long']], 'PoolIndex' : [ 0xc0, ['unsigned long']], 'PoolTypeCopy' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'ThreadsProcessingDeferrals' : [ 0x104, ['long']], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 
'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SUBSECTION_ENTRY1' : [ 0x4, { 'CrossPartitionReferences' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'SubsectionMappedLarge' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 32, 
native_type='unsigned long')]], } ], '__unnamed_232b' : [ 0x4, { 'PercentLevel' : [ 0x0, ['unsigned long']], } ], '__unnamed_232d' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_232b']], 'Button' : [ 0xc, ['__unnamed_232d']], } ], '_RTL_ATOM_TABLE' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0xc, ['pointer', ['_HANDLE_TABLE']]], 'Flags' : [ 0x10, ['unsigned long']], 'NumberOfBuckets' : [ 0x14, ['unsigned long']], 'Buckets' : [ 0x18, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_KTIMER2' : [ 0x58, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'RbNodes' : [ 0x10, ['array', 2, ['_RTL_BALANCED_NODE']]], 
'ListEntry' : [ 0x10, ['_LIST_ENTRY']], 'DueTime' : [ 0x28, ['array', 2, ['unsigned long long']]], 'Period' : [ 0x38, ['long long']], 'Callback' : [ 0x40, ['pointer', ['void']]], 'CallbackContext' : [ 0x44, ['pointer', ['void']]], 'DisableCallback' : [ 0x48, ['pointer', ['void']]], 'DisableContext' : [ 0x4c, ['pointer', ['void']]], 'AbsoluteSystemTime' : [ 0x50, ['unsigned char']], 'TypeFlags' : [ 0x51, ['unsigned char']], 'Unused' : [ 0x51, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IdleResilient' : [ 0x51, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HighResolution' : [ 0x51, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'NoWake' : [ 0x51, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Unused1' : [ 0x51, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'CollectionIndex' : [ 0x52, ['array', 2, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_MI_SESSION_STATE' : [ 0x103c, { 'SystemSession' : [ 0x0, ['_MMSESSION']], 'DetachTimeStamp' : [ 0x14, ['unsigned long']], 'CodePageEdited' : [ 0x18, ['unsigned char']], 'DynamicPoolBitBuffer' : [ 0x1c, ['pointer', ['unsigned long']]], 'VaReferenceCount' : [ 0x20, ['array', 1024, ['long']]], 'DynamicPtesBitBuffer' : [ 0x1020, ['pointer', ['unsigned long']]], 'IdLock' : [ 0x1024, ['_EX_PUSH_LOCK']], 'LeaderProcess' : [ 0x1028, ['pointer', ['_EPROCESS']]], 'InitializeLock' : [ 0x102c, ['_EX_PUSH_LOCK']], 'WorkingSetList' : [ 0x1030, ['pointer', ['_MMWSL_INSTANCE']]], 'SessionBase' : [ 0x1034, ['pointer', ['void']]], 'SessionCore' : [ 0x1038, ['pointer', ['void']]], } ], '_XSTATE_CONFIGURATION' : [ 0x330, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' 
: [ 0x10, ['unsigned long']], 'ControlFlags' : [ 0x14, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CompactionEnabled' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], 'EnabledSupervisorFeatures' : [ 0x218, ['unsigned long long']], 'AlignedFeatures' : [ 0x220, ['unsigned long long']], 'AllFeatureSize' : [ 0x228, ['unsigned long']], 'AllFeatures' : [ 0x22c, ['array', 64, ['unsigned long']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'Callback' : [ 0x8, ['pointer', ['void']]], 'CallbackContext' : [ 0xc, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'AccessMask' : [ 0x18, ['unsigned long']], } ], '_MI_SECTION_STATE' : [ 0x140, { 'SectionObjectPointersLock' : [ 0x0, ['long']], 'SectionBasedRoot' : [ 0x4, ['_RTL_AVL_TREE']], 'SectionBasedLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'UnusedSubsectionPagedPool' : [ 0xc, ['unsigned long']], 'UnusedSegmentForceFree' : [ 0x10, ['unsigned long']], 'DataSectionProtectionMask' : [ 0x14, ['unsigned long']], 'HighSectionBase' : [ 0x18, ['pointer', ['void']]], 'PhysicalSubsection' : [ 0x1c, ['_MSUBSECTION']], 'PhysicalControlArea' : [ 0x60, ['_CONTROL_AREA']], 'DanglingExtentsPages' : [ 0xb0, ['pointer', ['_MMPFN']]], 'DanglingExtentsLock' : [ 0xb4, ['long']], 'DanglingExtentsWorkItem' : [ 0xb8, ['_WORK_QUEUE_ITEM']], 'DanglingExtentsWorkerActive' : [ 0xc8, ['unsigned char']], 'PageFileSectionHead' : [ 0xcc, ['_RTL_AVL_TREE']], 'PageFileSectionListSpinLock' : [ 0xd0, ['long']], 'ImageBias' : [ 0xd4, ['unsigned long']], 'RelocateBitmapsLock' : [ 0xd8, ['_EX_PUSH_LOCK']], 'ImageBitMap' : [ 0xdc, ['_RTL_BITMAP']], 'ApiSetSection' : [ 0xe4, ['pointer', ['void']]], 'ApiSetSchema' : [ 0xe8, ['pointer', ['void']]], 
'ApiSetSchemaSize' : [ 0xec, ['unsigned long']], 'LostDataFiles' : [ 0xf0, ['unsigned long']], 'LostDataPages' : [ 0xf4, ['unsigned long']], 'ImageFailureReason' : [ 0xf8, ['unsigned long']], 'CfgBitMapSection32' : [ 0xfc, ['pointer', ['_SECTION']]], 'CfgBitMapControlArea32' : [ 0x100, ['pointer', ['_CONTROL_AREA']]], 'ImageCfgFailure' : [ 0x104, ['unsigned long']], 'ImageChecksumBreakpoint' : [ 0x108, ['unsigned long']], 'ImageSizeBreakpoint' : [ 0x10c, ['unsigned long']], 'ImageValidationFailed' : [ 0x110, ['long']], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x1c, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'Reference' : [ 0x8, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x18, ['unsigned char']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_UOW_KEY_STATE_MODIFICATION' : [ 0x14, { 'RefCount' : [ 0x0, ['unsigned long']], 'SubKeyListCount' : [ 0x4, ['array', 2, ['unsigned long']]], 'NewSubKeyList' : [ 0xc, ['array', 2, ['unsigned long']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'WaitResponse' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_ETW_FILTER_HEADER' : [ 0x28, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x4, ['pointer', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x8, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0xc, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x10, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x14, ['pointer', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x18, ['pointer', 
['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x1c, ['pointer', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x20, ['pointer', ['_EVENT_FILTER_HEADER']]], 'EventNameFilter' : [ 0x24, ['pointer', ['_ETW_FILTER_EVENT_NAME_DATA']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x94, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned 
long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ExecutePoolTypes' : [ 0x78, ['unsigned long']], 'ExecutePageProtections' : [ 0x7c, ['unsigned long']], 'ExecutePageMappings' : [ 0x80, ['unsigned long']], 'ExecuteWriteSections' : [ 0x84, ['unsigned long']], 'SectionAlignmentFailures' : [ 0x88, ['unsigned long']], 'UnsupportedRelocs' : [ 0x8c, ['unsigned long']], 'IATInExecutableSection' : [ 0x90, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PEB' : [ 0x460, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 
0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'IsLongPathAwareProcess' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['_SLIST_HEADER']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessPreviouslyThrottled' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ProcessCurrentlyThrottled' : [ 0x28, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['pointer', ['_SLIST_HEADER']]], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 
'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'SharedData' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, 
['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], 'pUnused' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : [ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x250, ['unsigned long']], 'TppWorkerpList' : [ 0x254, ['_LIST_ENTRY']], 'WaitOnAddressHashTable' : [ 0x25c, ['array', 128, ['pointer', ['void']]]], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, 
['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_23ad' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_23b2' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 
0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_23b4' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_23ad']], 'Bits' : [ 0x0, ['__unnamed_23b2']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_23b4']], } ], '_MI_SUB64K_FREE_RANGES' : [ 0x20, { 'BitMap' : [ 0x0, ['_RTL_BITMAP']], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'Vad' : [ 0x10, ['pointer', ['_MMVAD_SHORT']]], 'SetBits' : [ 0x14, ['unsigned long']], 'FullSetBits' : [ 0x18, ['unsigned long']], 'SubListIndex' : [ 0x1c, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Hint' : [ 0x1c, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '__unnamed_23bc' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_23bf' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0xf8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'Event' : [ 0x10, ['_KEVENT']], 'CollidedEvent' : [ 0x20, ['_KEVENT']], 'IoStatus' : [ 0x30, 
['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ApcState' : [ 0x40, ['_KAPC_STATE']], 'Thread' : [ 0x58, ['pointer', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0x5c, ['pointer', ['_MMPFN']]], 'PteContents' : [ 0x60, ['_MMPTE']], 'WaitCount' : [ 0x68, ['long']], 'ByteCount' : [ 0x6c, ['unsigned long']], 'u3' : [ 0x70, ['__unnamed_23bc']], 'u1' : [ 0x74, ['__unnamed_23bf']], 'FilePointer' : [ 0x78, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x7c, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x7c, ['pointer', ['_SUBSECTION']]], 'Autoboost' : [ 0x80, ['pointer', ['void']]], 'FaultingAddress' : [ 0x84, ['pointer', ['void']]], 'PointerPte' : [ 0x88, ['pointer', ['_MMPTE']]], 'BasePte' : [ 0x8c, ['pointer', ['_MMPTE']]], 'Pfn' : [ 0x90, ['pointer', ['_MMPFN']]], 'PrefetchMdl' : [ 0x94, ['pointer', ['_MDL']]], 'Mdl' : [ 0x98, ['_MDL']], 'Page' : [ 0xb4, ['array', 16, ['unsigned long']]], 'FlowThrough' : [ 0xb4, ['_MMINPAGE_SUPPORT_FLOW_THROUGH']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_CMP_DISCARD_AND_REPLACE_KCB_CONTEXT' : [ 0x10, { 'BaseKcb' : [ 0x0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'PrepareStatus' : [ 0x4, ['long']], 'ClonedKcbListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 
'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions', 24: 'ConfigureDeviceReset'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned long']], 'CompletionEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], 'ActivityId' : [ 0x20, ['_GUID']], 'RefCount' : [ 0x30, ['long']], 'Dequeued' : [ 0x34, ['unsigned char']], 'CancelLock' : [ 0x38, ['_EX_PUSH_LOCK']], 'CancelRequested' : [ 0x3c, ['unsigned char']], } ], '_PPM_PLATFORM_STATE' : [ 0xc0, { 'LevelId' : [ 0x0, ['unsigned long long']], 'Latency' : [ 0x8, ['unsigned long']], 'BreakEvenDuration' : [ 0xc, ['unsigned long']], 'VetoAccounting' : [ 0x10, ['_PPM_VETO_ACCOUNTING']], 'TransitionDebugger' : [ 0x28, ['unsigned char']], 'Platform' : [ 0x29, ['unsigned char']], 'DependencyListCount' : [ 0x2c, ['unsigned long']], 'Processors' : [ 0x30, ['_KAFFINITY_EX']], 'Name' : [ 0x3c, ['_UNICODE_STRING']], 'DependencyLists' : [ 0x44, ['pointer', ['_PPM_SELECTION_DEPENDENCY']]], 'Synchronization' : [ 0x48, ['_PPM_COORDINATED_SYNCHRONIZATION']], 'EnterTime' : [ 0x50, ['unsigned long long']], 'RefCount' : [ 0x80, ['long']], 'CacheAlign0' : [ 0x80, ['array', 64, ['unsigned char']]], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_CACHE_DESCRIPTOR' : [ 
0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_ETW_COUNTERS' : [ 0x10, { 'GuidCount' : [ 0x0, ['long']], 'PoolUsage' : [ 0x4, ['array', 2, ['long']]], 'SessionCount' : [ 0xc, ['long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'LowboxNumber' : [ 0x14, ['unsigned long']], 'AtomTable' : [ 0x18, ['pointer', ['void']]], } ], '_PPM_SELECTION_MENU' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Entries' : [ 0x4, ['pointer', ['_PPM_SELECTION_MENU_ENTRY']]], } ], '_MI_PARTITION' : [ 0x1a00, { 'Core' : [ 0x0, ['_MI_PARTITION_CORE']], 'Modwriter' : [ 0xf8, ['_MI_PARTITION_MODWRITES']], 'Store' : [ 0x2c8, ['_MI_PARTITION_STORES']], 'Segments' : [ 0x340, ['_MI_PARTITION_SEGMENTS']], 'PageLists' : [ 0x440, ['_MI_PARTITION_PAGE_LISTS']], 'Commit' : [ 0xc00, ['_MI_PARTITION_COMMIT']], 'Zeroing' : [ 0xc80, ['_MI_PARTITION_ZEROING']], 'PageCombine' : [ 0xcc0, ['_MI_PAGE_COMBINING_SUPPORT']], 'WorkingSetControl' : [ 0xd98, ['pointer', ['void']]], 'WorkingSetExpansionHead' : [ 0xd9c, ['_MMWORKING_SET_EXPANSION_HEAD']], 'Vp' : [ 0xdc0, ['_MI_VISIBLE_PARTITION']], } ], '_TraceLoggingMetadata_t' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned char']], 'Flags' : [ 0x7, ['unsigned 
char']], 'Magic' : [ 0x8, ['unsigned long long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 
'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_MMPTE_HIGHLOW' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_KINTERRUPT' : [ 0xb0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 
0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'EmulateActiveBoth' : [ 0x39, ['unsigned char']], 'ActiveCount' : [ 0x3a, ['unsigned short']], 'InternalState' : [ 0x3c, ['long']], 'Mode' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x48, ['unsigned long']], 'DispatchCount' : [ 0x4c, ['unsigned long']], 'PassiveEvent' : [ 0x50, ['pointer', ['_KEVENT']]], 'DisconnectData' : [ 0x54, ['pointer', ['void']]], 'ServiceThread' : [ 0x58, ['pointer', ['_KTHREAD']]], 'ConnectionData' : [ 0x5c, ['pointer', ['_INTERRUPT_CONNECTION_DATA']]], 'IntTrackEntry' : [ 0x60, ['pointer', ['void']]], 'IsrDpcStats' : [ 0x68, ['_ISRDPCSTATS']], 'RedirectObject' : [ 0xa8, ['pointer', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_IO_WORKITEM' : [ 0x34, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', ['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'WorkOnBehalfThread' : [ 0x1c, ['pointer', ['_ETHREAD']]], 'Type' : [ 0x20, ['unsigned long']], 'ActivityId' : [ 0x24, ['_GUID']], } ], '_DISALLOWED_GUIDS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Guids' : [ 0x4, ['pointer', ['_GUID']]], } ], '_MMWSL_INSTANCE' : [ 0x18, { 
'NextPteToTrim' : [ 0x0, ['pointer', ['_MMPTE']]], 'NextPteToAge' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextPteToAccessClear' : [ 0x8, ['pointer', ['_MMPTE']]], 'LastAccessClearingRemainder' : [ 0xc, ['unsigned long']], 'LastAgingRemainder' : [ 0x10, ['unsigned long']], 'LockedEntries' : [ 0x14, ['unsigned long']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned 
short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_CMHIVE' : [ 0xf20, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x6f0, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x708, ['_LIST_ENTRY']], 'HiveList' : [ 0x710, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x718, ['_LIST_ENTRY']], 'FailedUnloadList' : [ 0x720, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x728, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x72c, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x734, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x738, ['unsigned long']], 'DeletedKcbTable' : [ 0x73c, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0x740, ['unsigned long']], 'Identity' : [ 0x744, ['unsigned long']], 'HiveLock' : [ 0x748, ['pointer', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x74c, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x750, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x754, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0x75c, ['unsigned long']], 'FlushLogEntry' : [ 0x760, ['pointer', ['unsigned char']]], 'FlushLogEntrySize' : [ 0x764, ['unsigned long']], 'FlushHiveTruncated' : [ 0x768, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0x76c, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0x770, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0x778, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0x77c, ['pointer', ['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0x780, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0x784, ['pointer', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0x788, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0x78c, ['unsigned long']], 'LastShrinkHiveSize' : [ 
0x790, ['unsigned long']], 'ActualFileSize' : [ 0x798, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0x7a0, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0x7b0, ['_UNICODE_STRING']], 'FileUserName' : [ 0x7b8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x7c0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x7c8, ['unsigned long']], 'SecurityCacheSize' : [ 0x7cc, ['unsigned long']], 'SecurityHitHint' : [ 0x7d0, ['long']], 'SecurityCache' : [ 0x7d4, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x7d8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x9d8, ['unsigned long']], 'UnloadEventArray' : [ 0x9dc, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x9e0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x9e4, ['unsigned char']], 'UnloadWorkItem' : [ 0x9e8, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x9ec, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xa00, ['unsigned char']], 'GrowOffset' : [ 0xa04, ['unsigned long']], 'KcbConvertListHead' : [ 0xa08, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xa10, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0xa14, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0xc9c, ['unsigned long']], 'TrustClassEntry' : [ 0xca0, ['_LIST_ENTRY']], 'DirtyTime' : [ 0xca8, ['unsigned long long']], 'UnreconciledTime' : [ 0xcb0, ['unsigned long long']], 'CmRm' : [ 0xcb8, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xcbc, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xcc0, ['long']], 'CreatorOwner' : [ 0xcc4, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0xcc8, ['pointer', ['_KTHREAD']]], 'LastWriteTime' : [ 0xcd0, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0xcd8, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0xce4, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0xcf0, ['unsigned long']], 'FlushActive' : [ 0xcf0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0xcf0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'PrimaryFilePurged' : [ 0xcf0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0xcf0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0xcf4, ['unsigned long']], 'ReferenceCount' : [ 0xcf8, ['long']], 'UnloadHistoryIndex' : [ 0xcfc, ['long']], 'UnloadHistory' : [ 0xd00, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0xf00, ['unsigned long']], 'UnaccessedStart' : [ 0xf04, ['unsigned long']], 'UnaccessedEnd' : [ 0xf08, ['unsigned long']], 'LoadedKeyCount' : [ 0xf0c, ['unsigned long']], 'HandleClosePending' : [ 0xf10, ['unsigned long']], 'HandleClosePendingEvent' : [ 0xf14, ['_EX_PUSH_LOCK']], 'FinalFlushSucceeded' : [ 0xf18, ['unsigned char']], 'FailedUnload' : [ 0xf19, ['unsigned char']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'InProgressFlags' : [ 0x14, ['unsigned char']], 'KernelApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_PEP_ACPI_RESOURCE_FLAGS' : [ 0x4, { 'AsULong' : [ 0x0, ['unsigned long']], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Wake' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ResourceUsage' : [ 0x0, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SlaveMode' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'AddressingMode' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SharedMode' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_IO_ADAPTER_CRYPTO_PARAMETERS' : [ 0x10, { 'Tweak' : [ 0x0, ['unsigned long long']], 'KeyDescriptor' : [ 0x8, ['pointer', ['_IO_ADAPTER_CRYPTO_KEY_DESCRIPTOR']]], } ], '_MI_PARTITION_PAGE_LISTS' : [ 0x7c0, { 'FreePagesByColor' : [ 0x0, ['array', 2, ['pointer', ['_MMPFNLIST']]]], 'ZeroedPageListHead' : [ 0x40, ['_MMPFNLIST']], 'FreePageListHead' : [ 0x80, ['_MMPFNLIST']], 'StandbyPageListHead' : [ 0xc0, ['_MMPFNLIST']], 'StandbyPageListByPriority' : [ 0x100, ['array', 8, ['_MMPFNLIST']]], 'ModifiedPageListNoReservation' : [ 0x1c0, ['_MMPFNLIST']], 'ModifiedPageListByReservation' : [ 0x200, ['array', 16, ['_MMPFNLIST']]], 'MappedPageListHead' : [ 0x340, ['array', 16, ['_MMPFNLIST']]], 'BadPageListHead' : [ 0x480, ['_MMPFNLIST']], 'EnclavePageListHead' : [ 0x4c0, ['_MMPFNLIST']], 'FreePageSlist' : [ 0x4d4, ['array', 2, ['pointer', ['_SLIST_HEADER']]]], 'PageLocationList' : [ 0x4dc, ['array', 8, ['pointer', ['_MMPFNLIST']]]], 'StandbyRepurposedByPriority' : [ 0x4fc, ['array', 8, ['unsigned long']]], 'TransitionSharedPages' : [ 0x540, ['unsigned long']], 'TransitionSharedPagesPeak' : [ 0x544, ['array', 3, ['unsigned long']]], 'MappedPageListHeadEvent' : [ 0x550, ['array', 16, 
['_KEVENT']]], 'DecayClusterTimerHeads' : [ 0x650, ['array', 4, ['_MI_DECAY_TIMER_LINK']]], 'DecayHand' : [ 0x660, ['unsigned long']], 'StandbyListDiscard' : [ 0x664, ['unsigned char']], 'FreeListDiscard' : [ 0x665, ['unsigned char']], 'LargePfnBitMapsReady' : [ 0x666, ['unsigned char']], 'LastDecayHandUpdateTime' : [ 0x668, ['unsigned long long']], 'LastChanceLdwContext' : [ 0x670, ['_MI_LDW_WORK_CONTEXT']], 'AvailableEventsLock' : [ 0x6c0, ['unsigned long']], 'AvailablePageWaitStates' : [ 0x6c4, ['array', 3, ['_MI_AVAILABLE_PAGE_WAIT_STATES']]], 'MirrorListLocks' : [ 0x700, ['pointer', ['void']]], 'TransitionPrivatePages' : [ 0x740, ['unsigned long']], 'LargePfnBitMap' : [ 0x744, ['array', 1, ['_RTL_BITMAP']]], 'LowMemoryThreshold' : [ 0x74c, ['unsigned long']], 'HighMemoryThreshold' : [ 0x750, ['unsigned long']], 'LargePfnBitMapLock' : [ 0x780, ['unsigned long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '__unnamed_246d' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_246f' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_2471' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_246d']], 'Interrupt' : [ 0x0, ['__unnamed_246f']], 'LocalInterrupt' : [ 0x0, ['__unnamed_246f']], 'Sci' : [ 0x0, ['__unnamed_246f']], 'Nmi' : [ 0x0, ['__unnamed_246f']], 'Sea' : [ 0x0, ['__unnamed_246f']], 'Sei' : [ 0x0, ['__unnamed_246f']], 'Gsiv' : [ 0x0, ['__unnamed_246f']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_2471']], } ], '_THERMAL_INFORMATION_EX' : [ 0x5c, 
{ 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'ThermalStandbyTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], 'MinimumThrottle' : [ 0x50, ['unsigned long']], 'OverThrottleThreshold' : [ 0x54, ['unsigned long']], 'PollingPeriod' : [ 0x58, ['unsigned long']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x4, { 'LogHandleContext' : [ 0x0, ['pointer', ['_LOG_HANDLE_CONTEXT']]], } ], '_KPRIQUEUE' : [ 0x19c, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x110, ['array', 32, ['long']]], 'MaximumCount' : [ 0x190, ['unsigned long']], 'ThreadListHead' : [ 0x194, ['_LIST_ENTRY']], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_KSCB' : [ 0x100, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'MinQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'MaxQuotaCycleTarget' : [ 0x10, ['unsigned long long']], 'RankCycleTarget' : [ 0x18, ['unsigned long long']], 'LongTermCycles' : [ 0x20, ['unsigned long long']], 'LastReportedCycles' : [ 0x28, ['unsigned long long']], 'OverQuotaHistory' : [ 0x30, ['unsigned long long']], 'ReadyTime' : [ 0x38, 
['unsigned long long']], 'InsertTime' : [ 0x40, ['unsigned long long']], 'PerProcessorList' : [ 0x48, ['_LIST_ENTRY']], 'QueueNode' : [ 0x50, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'MaxOverQuota' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'MinOverQuota' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SoftCap' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ShareRankOwner' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Depth' : [ 0x5d, ['unsigned char']], 'ReadySummary' : [ 0x5e, ['unsigned short']], 'Rank' : [ 0x60, ['unsigned long']], 'ShareRank' : [ 0x64, ['pointer', ['unsigned long']]], 'OwnerShareRank' : [ 0x68, ['unsigned long']], 'ReadyListHead' : [ 0x6c, ['array', 16, ['_LIST_ENTRY']]], 'ChildScbQueue' : [ 0xec, ['_RTL_RB_TREE']], 'Parent' : [ 0xf4, ['pointer', ['_KSCB']]], 'Root' : [ 0xf8, ['pointer', ['_KSCB']]], } ], '__unnamed_248e' : [ 0x2, { 'SignatureLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'SignatureType' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned short')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'EntireField' : [ 0x0, ['unsigned short']], } ], '_KLDR_DATA_TABLE_ENTRY' : [ 0x5c, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'ExceptionTable' : [ 0x8, ['pointer', ['void']]], 'ExceptionTableSize' : [ 0xc, ['unsigned long']], 'GpValue' : [ 0x10, ['pointer', ['void']]], 'NonPagedDebugInfo' : [ 0x14, ['pointer', ['_NON_PAGED_DEBUG_INFO']]], 'DllBase' : [ 0x18, 
['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'u1' : [ 0x3a, ['__unnamed_248e']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'CoverageSectionSize' : [ 0x44, ['unsigned long']], 'CoverageSection' : [ 0x48, ['pointer', ['void']]], 'LoadedImports' : [ 0x4c, ['pointer', ['void']]], 'Spare' : [ 0x50, ['pointer', ['void']]], 'SizeOfImageNotRounded' : [ 0x54, ['unsigned long']], 'TimeDateStamp' : [ 0x58, ['unsigned long']], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 
0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_MI_SYSTEM_TRIM_STATE' : [ 0x40, { 'ExpansionLock' : [ 0x0, ['unsigned long']], 'TrimInProgressCount' : [ 0x4, ['long']], 'PeriodicWorkingSetEvent' : [ 0x8, ['_KEVENT']], 'TrimAllPageFaultCount' : [ 0x18, ['array', 3, ['unsigned long']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x4, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_MM_SYSTEM_PAGE_COUNTS' : [ 0x10, { 'SystemCodePage' : [ 0x0, ['unsigned long']], 'SystemDriverPage' : [ 0x4, ['unsigned long']], 'TotalSystemCodePages' : [ 0x8, ['long']], 'TotalSystemDriverPages' : [ 0xc, ['long']], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, 
['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_THERMAL_POLICY' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ThermalStandby' : 
[ 0x7, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], 'OverThrottled' : [ 0x14, ['unsigned char']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MI_ACCESS_LOG_STATE' : [ 0x80, { 'CcAccessLog' : [ 0x0, ['pointer', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'DisableAccessLogging' : [ 0x4, ['_WORK_QUEUE_ITEM']], 'Enabled' : [ 0x14, ['unsigned long']], 'MinLoggingPriority' : [ 0x18, ['unsigned long']], 'AccessLoggingLock' : [ 0x40, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x2800, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '__unnamed_24c4' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_24c6' : [ 0x10, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_24c4']], } ], '_VF_TARGET_DRIVER' : [ 0x20, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE_EX']], 'u1' : [ 0xc, ['__unnamed_24c6']], 'VerifiedData' : [ 0x1c, ['pointer', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_ENERGY_STATE_DURATION' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'LastChangeTime' : [ 0x0, ['unsigned long']], 'Duration' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'IsInState' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x20, { 'ViewLinks' : [ 0x0, 
['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x8, ['pointer', ['void']]], 'SessionViewVa' : [ 0x8, ['pointer', ['void']]], 'VadsProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Type' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'SubsectionType' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SystemCacheAttributes' : [ 0x10, ['_MI_SYSTEM_CACHE_VIEW_ATTRIBUTES']], 'SectionOffset' : [ 0x10, ['unsigned long long']], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0xc, { 'ActiveThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'WaitList' : [ 0x4, ['pointer', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x8, ['unsigned long']], } ], '_MI_SYSTEM_PTE_STATE' : [ 0x140, { 'MdlTrackerLookaside' : [ 0x0, ['_NPAGED_LOOKASIDE_LIST']], 'DeadPteTrackerSListHead' : [ 0xc0, ['_SLIST_HEADER']], 'PteTrackerLock' : [ 0xc8, ['unsigned long']], 'PteTrackingBitmap' : [ 0xcc, ['_RTL_BITMAP']], 'CachedPteHeads' : [ 0xd4, ['pointer', ['_MI_CACHED_PTES']]], 'SystemViewPteInfo' : [ 0xd8, ['_MI_SYSTEM_PTE_TYPE']], 'StackGrowthFailures' : [ 0x110, ['unsigned long']], 'KernelStackPages' : [ 0x114, ['unsigned char']], 'TrackPtesAborted' : [ 0x115, ['unsigned char']], 'AdjustCounter' : [ 0x116, ['unsigned char']], 'ReservedMappingLock' : [ 0x118, ['long']], 'ReservedMappingTree' : [ 0x11c, ['_RTL_AVL_TREE']], 'ReservedMappingPageTablePfns' : [ 0x120, ['pointer', ['_MMPFN']]], 'OutswappedKernelStackRoot' : [ 0x124, ['_RTL_AVL_TREE']], 'OutswappedKernelStackLock' : [ 0x128, ['long']], } ], '__unnamed_24da' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MI_PARTITION_FLAGS']], } ], '_MI_PARTITION_CORE' : [ 0xf8, { 'PartitionId' : [ 0x0, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_24da']], 'Signature' : [ 0x8, ['unsigned long']], 'MemoryConfigurationChanged' : [ 0xc, ['unsigned char']], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'ParentPartition' : [ 0x14, ['pointer', 
['_MI_PARTITION']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeInformation' : [ 0x20, ['pointer', ['_MI_NODE_INFORMATION']]], 'PageRoot' : [ 0x24, ['_RTL_AVL_TREE']], 'MemoryNodeRuns' : [ 0x28, ['pointer', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'MemoryBlockReferences' : [ 0x2c, ['unsigned long']], 'PfnUnmapWorkItem' : [ 0x30, ['_WORK_QUEUE_ITEM']], 'PfnUnmapCount' : [ 0x40, ['unsigned long']], 'PfnUnmapWaitList' : [ 0x44, ['pointer', ['void']]], 'MemoryRuns' : [ 0x48, ['pointer', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'ExitEvent' : [ 0x4c, ['_KEVENT']], 'SystemThreadHandles' : [ 0x5c, ['array', 5, ['pointer', ['void']]]], 'PartitionObject' : [ 0x70, ['pointer', ['void']]], 'PartitionObjectHandle' : [ 0x74, ['pointer', ['void']]], 'PartitionSystemThreadsLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'DynamicMemoryPushLock' : [ 0x7c, ['_EX_PUSH_LOCK']], 'DynamicMemoryLock' : [ 0x80, ['long']], 'PfnUnmapActive' : [ 0x84, ['unsigned char']], 'TemporaryMemoryEvent' : [ 0x88, ['_KEVENT']], 'RootDirectory' : [ 0x98, ['pointer', ['void']]], 'KernelObjectsDirectory' : [ 0x9c, ['pointer', ['void']]], 'MemoryEvents' : [ 0xa0, ['array', 11, ['pointer', ['_KEVENT']]]], 'MemoryEventHandles' : [ 0xcc, ['array', 11, ['pointer', ['void']]]], } ], '__unnamed_24e5' : [ 0x4, { 'InstancedWorkingSet' : [ 0x0, ['pointer', ['void']]], } ], '_MMSUPPORT_INSTANCE' : [ 0x68, { 'NextPageColor' : [ 0x0, ['unsigned short']], 'LastTrimStamp' : [ 0x2, ['unsigned short']], 'PageFaultCount' : [ 0x4, ['unsigned long']], 'TrimmedPageCount' : [ 0x8, ['unsigned long']], 'VmWorkingSetList' : [ 0xc, ['pointer', ['_MMWSL_INSTANCE']]], 'WorkingSetExpansionLinks' : [ 0x10, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x18, ['array', 8, ['unsigned long']]], 'ExitOutswapGate' : [ 0x38, ['pointer', ['_KGATE']]], 'MinimumWorkingSetSize' : [ 0x3c, ['unsigned long']], 'WorkingSetLeafSize' : [ 0x40, ['unsigned long']], 'WorkingSetLeafPrivateSize' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 
'WorkingSetPrivateSize' : [ 0x4c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x50, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x54, ['unsigned long']], 'HardFaultCount' : [ 0x58, ['unsigned long']], 'u1' : [ 0x5c, ['__unnamed_24e5']], 'Reserved0' : [ 0x60, ['unsigned long']], 'Flags' : [ 0x64, ['_MMSUPPORT_FLAGS']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x8, ['unsigned char']], 'BlockState' : [ 0x9, ['unsigned char']], 'WaitKey' : [ 0xa, ['unsigned short']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'NotificationQueue' : [ 0xc, ['pointer', ['_KQUEUE']]], 'Object' : [ 0x10, ['pointer', ['void']]], 'SparePtr' : [ 0x14, ['pointer', ['void']]], } ], '_PPM_SELECTION_MENU_ENTRY' : [ 0x10, { 'StrictDependency' : [ 0x0, ['unsigned char']], 'InitiatingState' : [ 0x1, ['unsigned char']], 'DependentState' : [ 0x2, ['unsigned char']], 'StateIndex' : [ 0x4, ['unsigned long']], 'Dependencies' : [ 0x8, ['unsigned long']], 'DependencyList' : [ 0xc, ['pointer', ['_PPM_SELECTION_DEPENDENCY']]], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_HV_GET_BIN_CONTEXT' : [ 0x2, { 'OutstandingReference' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredRundown' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], } ], '_POP_FX_PLUGIN' : [ 
0x70, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x8, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned long long']], 'WorkQueue' : [ 0x18, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x40, ['pointer', ['void']]], 'AcceptProcessorNotification' : [ 0x44, ['pointer', ['void']]], 'AcceptAcpiNotification' : [ 0x48, ['pointer', ['void']]], 'WorkOrderCount' : [ 0x4c, ['unsigned long']], 'WorkOrders' : [ 0x50, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_ETW_REG_ENTRY' : 
[ 0x3c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GroupRegList' : [ 0x8, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer', ['_ETW_GUID_ENTRY']]], 'GroupEntry' : [ 0x14, ['pointer', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x18, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x18, ['array', 4, ['pointer', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x18, ['pointer', ['void']]], 'SessionId' : [ 0x1c, ['unsigned long']], 'Process' : [ 0x28, ['pointer', ['_EPROCESS']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], 'Callback' : [ 0x2c, ['pointer', ['void']]], 'Index' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned short']], 'DbgKernelRegistration' : [ 0x32, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgUserRegistration' : [ 0x32, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgReplyRegistration' : [ 0x32, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgClassicRegistration' : [ 0x32, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgSessionSpaceRegistration' : [ 0x32, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgModernRegistration' : [ 0x32, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClosed' : [ 0x32, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgInserted' : [ 0x32, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DbgWow64' : [ 0x32, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'EnableMask' : [ 0x34, ['unsigned char']], 'GroupEnableMask' : [ 0x35, ['unsigned char']], 'UseDescriptorType' : [ 0x36, ['unsigned char']], 'Traits' : [ 0x38, ['pointer', ['_ETW_PROVIDER_TRAITS']]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], 
'_PS_INTERLOCKED_TIMER_DELAY_VALUES' : [ 0x8, { 'DelayMs' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long long')]], 'CoalescingWindowMs' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 60, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 61, native_type='unsigned long long')]], 'NewTimerWheel' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 62, native_type='unsigned long long')]], 'Retry' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'Locked' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'All' : [ 0x0, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_MI_SYSTEM_VA_STATE' : [ 0x1500, { 'SystemTablesLock' : [ 0x0, ['unsigned long']], 'SystemVaBias' : [ 0x4, ['unsigned long']], 'SystemAvailableVaLow' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], 'SystemRangeStart' : [ 0x10, ['pointer', ['void']]], 'SystemCachePdeCount' : [ 0x14, ['array', 1024, ['unsigned char']]], 'SystemCacheReverseMaps' : [ 0x414, ['array', 1024, ['pointer', ['void']]]], 'DeleteKvaLock' : [ 0x1414, ['long']], 'WsleArrays' : [ 0x1418, ['array', 5, ['pointer', ['_MI_WSLE']]]], 'PagableHyperSpace' : [ 0x142c, ['pointer', ['_MI_HYPER_SPACE']]], 'HyperSpaceEnd' : [ 0x1430, ['pointer', ['void']]], 'FreeSystemCacheVa' : [ 0x1434, ['_KEVENT']], 'SystemVaLock' : [ 0x1444, ['unsigned long']], 'SystemCacheViewLock' : [ 0x1448, ['unsigned long']], 'SystemWorkingSetList' : [ 0x144c, ['array', 5, ['_MMWSL_INSTANCE']]], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 
'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MMSUPPORT_SHARED' : [ 0x24, { 'WorkingSetLock' : [ 0x0, ['long']], 'ReleasedCommitDebt' : [ 0x4, ['unsigned long']], 'ResetPagesRepurposedCount' : [ 0x8, ['unsigned long']], 'WsSwapSupport' : [ 0xc, ['pointer', ['void']]], 'CommitReleaseContext' : [ 0x10, ['pointer', ['void']]], 'AccessLog' : [ 0x14, ['pointer', ['void']]], 'ChargedWslePages' : [ 0x18, ['unsigned long']], 'ActualWslePages' : [ 0x1c, ['unsigned long']], 'GoodCitizenWaiting' : [ 0x20, ['long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 
'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 
0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_ASYNC_READ_THREAD_STATS' : [ 0x194, { 'CurrentLoad' : [ 0x0, ['array', 101, ['unsigned long']]], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'UserApc' : [ 
0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_PAE_ENTRY' : [ 0x20, { 'PteEntry' : [ 0x0, ['array', 4, ['_MMPTE']]], 'PaeEntry' : [ 0x0, ['_PAE_PAGEINFO']], 'NextPae' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '_MMCLONE_BLOCK' : [ 0x10, { 'ProtoPte' : [ 0x0, ['_MMPTE']], 'CloneCommitCount' : [ 0x8, ['unsigned long']], 'u1' : [ 0x8, ['_MI_CLONE_BLOCK_FLAGS']], 'CloneRefCount' : [ 0xc, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Propagated' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PS_TRUSTLET_TKSESSION_ID' : [ 0x20, { 'SessionId' : [ 0x0, ['array', 4, ['unsigned long long']]], } ], '__unnamed_257a' : [ 0x4, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], 'RemoteImageFileObject' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RemoteDataFileObject' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '_SECTION' : [ 0x28, { 'SectionNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u1' : [ 0x14, ['__unnamed_257a']], 'SizeOfSection' : [ 0x18, ['unsigned long long']], 'u' : [ 0x20, ['__unnamed_16aa']], 'InitialPageProtection' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'SessionId' : [ 0x24, ['BitField', dict(start_bit = 12, end_bit = 31, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x24, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_FAST_OWNER_ENTRY' : [ 0x24, { 'Reserved' : [ 0x0, ['array', 9, ['pointer', ['void']]]], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'CompactionMask' : [ 0x8, ['unsigned long long']], 'Reserved2' : [ 0x10, ['array', 6, ['unsigned long long']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x88, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'ArgumentStatus' : [ 0xc, ['long']], 'CallerEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'VetoType' : [ 0x1c, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x20, ['pointer', ['_UNICODE_STRING']]], 'RefCount' : [ 0x24, ['unsigned long']], 'Lock' : [ 0x28, ['unsigned long']], 'Cancel' : [ 0x2c, ['unsigned char']], 'Parent' : [ 0x30, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'ActivityId' : [ 0x34, ['_GUID']], 'Data' : [ 0x44, 
['_PLUGPLAY_EVENT_BLOCK']], } ], '_PO_DIAG_STACK_RECORD' : [ 0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_PROCESS_ENERGY_VALUES_EXTENSION' : [ 0x48, { 'Timelines' : [ 0x0, ['array', 9, ['_TIMELINE_BITMAP']]], 'CpuTimeline' : [ 0x0, ['_TIMELINE_BITMAP']], 'DiskTimeline' : [ 0x8, ['_TIMELINE_BITMAP']], 'NetworkTimeline' : [ 0x10, ['_TIMELINE_BITMAP']], 'MBBTimeline' : [ 0x18, ['_TIMELINE_BITMAP']], 'ForegroundTimeline' : [ 0x20, ['_TIMELINE_BITMAP']], 'DesktopVisibleTimeline' : [ 0x28, ['_TIMELINE_BITMAP']], 'CompositionRenderedTimeline' : [ 0x30, ['_TIMELINE_BITMAP']], 'CompositionDirtyGeneratedTimeline' : [ 0x38, ['_TIMELINE_BITMAP']], 'CompositionDirtyPropagatedTimeline' : [ 0x40, ['_TIMELINE_BITMAP']], } ], '_MI_LDW_WORK_CONTEXT' : [ 0x20, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'FileObject' : [ 0x10, ['pointer', ['_FILE_OBJECT']]], 'ErrorStatus' : [ 0x14, ['long']], 'Active' : [ 0x18, ['long']], 'FreeWhenDone' : [ 0x1c, ['unsigned char']], } ], '_MI_DEBUGGER_STATE' : [ 0x90, { 'TransientWrite' : [ 0x0, ['unsigned char']], 'CodePageEdited' : [ 0x1, ['unsigned char']], 'DebugPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'PoisonedTb' : [ 0x8, ['unsigned long']], 'InDebugger' : [ 0xc, ['long']], 'Pfns' : [ 0x10, ['array', 32, ['pointer', ['void']]]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x8, { 'CrossThreadReleasable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 31, native_type='unsigned long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'LockState' : [ 0x0, ['pointer', ['void']]], 'SessionState' : [ 0x4, ['pointer', ['void']]], 'SessionId' : [ 0x4, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, 
['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_ETIMER' : [ 0xb8, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x28, ['unsigned long']], 'TimerApc' : [ 0x2c, ['_KAPC']], 'TimerDpc' : [ 0x5c, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x7c, ['_LIST_ENTRY']], 'Period' : [ 0x84, ['unsigned long']], 'TimerFlags' : [ 0x88, ['unsigned char']], 'ApcAssociated' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0x88, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0x88, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0x88, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0x89, ['unsigned char']], 'Spare2' : [ 0x8a, ['unsigned short']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x98, ['pointer', ['void']]], 'VirtualizedTimerLinks' : [ 0x9c, ['_LIST_ENTRY']], 'DueTime' : [ 0xa8, ['unsigned long long']], 
'CoalescingWindow' : [ 0xb0, ['unsigned long']], } ], '_MI_SHUTDOWN_STATE' : [ 0x48, { 'CrashDumpInitialized' : [ 0x0, ['unsigned char']], 'ConnectedStandbyActive' : [ 0x1, ['unsigned char']], 'ZeroPageFileAtShutdown' : [ 0x2, ['unsigned char']], 'SystemShutdown' : [ 0x4, ['unsigned long']], 'ShutdownFlushInProgress' : [ 0x8, ['long']], 'MirroringActive' : [ 0xc, ['unsigned long']], 'ResumeItem' : [ 0x10, ['_MI_RESUME_WORKITEM']], 'MirrorHoldsPfn' : [ 0x30, ['pointer', ['_ETHREAD']]], 'MirrorBitMaps' : [ 0x34, ['array', 2, ['_RTL_BITMAP']]], 'CrashDumpPte' : [ 0x44, ['pointer', ['_MMPTE']]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_ETW_PRIV_HANDLE_DEMUX_TABLE' : [ 0x10, { 'Tree' : [ 0x0, ['_RTL_RB_TREE']], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'SequenceNumber' : [ 0xc, ['unsigned short']], } ], '_ARM64_DBGKD_CONTROL_SET' : [ 0x18, { 'Continue' : [ 0x0, ['unsigned long']], 'TraceFlag' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x10, ['unsigned long long']], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoQoSPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, ['unsigned long']], } ], 
'_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PERIODIC_CAPTURE_STATE_GUIDS' : [ 0x8, { 'ProviderCount' : [ 0x0, ['unsigned short']], 'Providers' : [ 0x4, ['pointer', ['_GUID']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_ACTIVATION_CONTEXT_STACK64' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['unsigned long long']], 'FrameListCache' : [ 0x8, ['LIST_ENTRY64']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x180, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x4, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleTimeExpiration' : [ 0x20, ['unsigned long long']], 'NonInterruptibleTransition' : [ 0x28, ['unsigned char']], 'PepWokenTransition' : [ 0x29, ['unsigned char']], 'EfficiencyClass' : [ 0x2a, ['unsigned char']], 'SchedulingClass' : [ 0x2b, ['unsigned char']], 'TargetIdleState' : [ 0x2c, ['unsigned long']], 'IdlePolicy' : [ 0x30, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x38, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x40, 
['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xc8, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower', 3: 'ProcHypervisorHvCounters'})]], 'LastSysTime' : [ 0xcc, ['unsigned long']], 'WmiDispatchPtr' : [ 0xd0, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xd4, ['long']], 'FFHThrottleStateInfo' : [ 0xd8, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0xf8, ['_KDPC']], 'PerfActionMask' : [ 0x118, ['long']], 'HvIdleCheck' : [ 0x120, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x130, ['pointer', ['_PROC_PERF_CHECK']]], 'Domain' : [ 0x134, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x138, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x13c, ['pointer', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'ClassConcurrency' : [ 0x140, ['pointer', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x144, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x148, ['pointer', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x14c, ['unsigned char']], 'HvTargetState' : [ 0x14d, ['unsigned char']], 'Parked' : [ 0x14e, ['unsigned char']], 'LatestPerformancePercent' : [ 0x150, ['unsigned long']], 'AveragePerformancePercent' : [ 0x154, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x158, ['unsigned long']], 'RelativePerformance' : [ 0x15c, ['unsigned long']], 'Utility' : [ 0x160, ['unsigned long']], 'AffinitizedUtility' : [ 0x164, ['unsigned long']], 'SnapTimeLast' : [ 0x168, ['unsigned long long']], 'EnergyConsumed' : [ 0x168, ['unsigned long long']], 'ActiveTime' : [ 0x170, ['unsigned long long']], 'TotalTime' : [ 0x178, ['unsigned long long']], } ], '_MI_PARTITION_SEGMENTS' : [ 0x100, { 'SegmentListLock' : [ 0x0, ['long']], 'DeleteOnCloseCount' : [ 0x4, ['unsigned long']], 'FsControlAreaCount' : [ 0x8, ['long long']], 'PfControlAreaCount' : [ 0x10, ['long long']], 'DeleteSubsectionCleanup' : [ 0x18, ['_KEVENT']], 'UnusedSegmentCleanup' : [ 0x28, ['_KEVENT']], 'SubsectionDeletePtes' : 
[ 0x38, ['unsigned long']], 'DereferenceSegmentHeader' : [ 0x3c, ['_MMDEREFERENCE_SEGMENT_HEADER']], 'DeleteOnCloseList' : [ 0x58, ['_LIST_ENTRY']], 'DeleteOnCloseTimer' : [ 0x60, ['_KTIMER']], 'DeleteOnCloseTimerActive' : [ 0x88, ['unsigned char']], 'UnusedSegmentList' : [ 0x8c, ['_LIST_ENTRY']], 'UnusedSubsectionList' : [ 0x94, ['_LIST_ENTRY']], 'DeleteSubsectionList' : [ 0x9c, ['_LIST_ENTRY']], 'ControlAreaDeleteEvent' : [ 0xa4, ['_KEVENT']], 'ControlAreaDeleteList' : [ 0xb4, ['_SINGLE_LIST_ENTRY']], 'FreeSystemCache' : [ 0xb8, ['_MI_PTE_CHAIN_HEAD']], 'CloneDereferenceEvent' : [ 0xd0, ['_KEVENT']], 'CloneProtosSListHead' : [ 0xe0, ['_SLIST_HEADER']], 'SystemCacheInitLock' : [ 0xe8, ['_EX_PUSH_LOCK']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } 
], '_MI_AVAILABLE_PAGE_WAIT_STATES' : [ 0x14, { 'Event' : [ 0x0, ['_KEVENT']], 'EventSets' : [ 0x10, ['unsigned long']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], 
'_POP_FX_DEVICE' : [ 0x198, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'IrpData' : [ 0xc, ['pointer', ['_POP_IRP_DATA']]], 'Status' : [ 0x10, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x14, ['long']], 'PowerNotReqCall' : [ 0x18, ['long']], 'DevNode' : [ 0x1c, ['pointer', ['_DEVICE_NODE']]], 'DpmContext' : [ 0x20, ['pointer', ['PEPHANDLE__']]], 'Plugin' : [ 0x24, ['pointer', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x28, ['pointer', ['PEPHANDLE__']]], 'AcpiPlugin' : [ 0x2c, ['pointer', ['_POP_FX_PLUGIN']]], 'AcpiPluginHandle' : [ 0x30, ['pointer', ['PEPHANDLE__']]], 'DeviceObject' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x38, ['pointer', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x3c, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0x5c, ['pointer', ['void']]], 'AcpiLink' : [ 0x60, ['_LIST_ENTRY']], 'DeviceId' : [ 0x68, ['_UNICODE_STRING']], 'RemoveLock' : [ 0x70, ['_IO_REMOVE_LOCK']], 'AcpiRemoveLock' : [ 0x88, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0xa0, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0xbc, ['unsigned long']], 'IdleTimer' : [ 0xc0, ['_KTIMER']], 'IdleDpc' : [ 0xe8, ['_KDPC']], 'IdleTimeout' : [ 0x108, ['unsigned long long']], 'IdleStamp' : [ 0x110, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0x118, ['array', 2, ['pointer', ['_DEVICE_OBJECT']]]], 'NextIrpPowerState' : [ 0x120, ['array', 2, ['_POWER_STATE']]], 'NextIrpCallerCompletion' : [ 0x128, ['array', 2, ['pointer', ['void']]]], 'NextIrpCallerContext' : [ 0x130, ['array', 2, ['pointer', ['void']]]], 'IrpCompleteEvent' : [ 0x138, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x148, ['pointer', ['void']]], 'Accounting' : [ 0x150, ['_POP_FX_ACCOUNTING']], 'Flags' : [ 0x178, ['unsigned long']], 'ComponentCount' : [ 0x17c, ['unsigned long']], 'Components' : [ 0x180, ['pointer', ['pointer', ['_POP_FX_COMPONENT']]]], 'LogEntries' : [ 0x184, ['unsigned long']], 'Log' : [ 0x188, ['pointer', ['_POP_FX_LOG_ENTRY']]], 'LogIndex' : [ 0x18c, ['long']], 
'DripsWatchdogDriverObject' : [ 0x190, ['pointer', ['_DRIVER_OBJECT']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_IOV_IRP_TRACE' : [ 0x40, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x8, ['short']], 'SpecialApcDisable' : [ 0xa, ['short']], 'CombinedApcDisable' : [ 0x8, ['unsigned long']], 'Irql' : [ 0xc, ['unsigned char']], 'StackTrace' : [ 0x10, ['array', 12, ['pointer', ['void']]]], } ], '_MI_CLONE_BLOCK_FLAGS' : [ 0x4, { 'ActualCloneCommit' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 27, native_type='unsigned long')]], 'CloneProtection' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_PS_JOB_WAKE_INFORMATION' : [ 0x48, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 7, ['unsigned long long']]], 'NoWakeCounter' : [ 0x40, ['unsigned long long']], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GetExtents' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, 
end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CoalescedIo' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'VmLockNotNeeded' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_IO_ADAPTER_CRYPTO_KEY_DESCRIPTOR' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'CryptoIndex' : [ 0x8, ['unsigned long']], 'AlgorithmId' : [ 0xc, ['unsigned long']], 'DataUnitSize' : [ 0x10, ['unsigned long']], 'KeySize' : [ 0x14, ['unsigned long']], 'KeyHash' : [ 0x18, ['array', 32, ['unsigned char']]], 'KeyVirtualAddress' : [ 0x38, ['pointer', ['void']]], 'KeyPhysicalAddress' : [ 0x40, ['_LARGE_INTEGER']], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Processors' : [ 0x4, ['unsigned long']], 
'ActiveProcessors' : [ 0x8, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_SEP_CACHED_HANDLES_ENTRY_DESCRIPTOR' : [ 0xc, { 'DescriptorType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SepCachedHandlesEntryLowbox', 1: 'SepCachedHandlesEntryBnoIsolation'})]], 'PackageSid' : [ 0x4, ['pointer', ['void']]], 'IsolationPrefix' : [ 0x4, ['_UNICODE_STRING']], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_AVL_TABLE' : [ 0x80, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x3c, ['pointer', ['void']]], 'Lock' : [ 0x40, ['long']], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Spare0' : [ 0x6c, ['unsigned long']], } ], '__unnamed_2637' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_2639' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_2637']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x44, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, ['_LIST_ENTRY']], 
'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CoolingExtension' : [ 0x30, ['pointer', ['_POP_COOLING_EXTENSION']]], 'Volume' : [ 0x34, ['_LIST_ENTRY']], 'Specific' : [ 0x3c, ['__unnamed_2639']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_CM_UOW_SET_SD_DATA' : [ 0x4, { 'SecurityCell' : [ 0x0, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x24, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'Context' : [ 0xc, ['pointer', ['void']]], 'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x14, ['unsigned long']], 'Status' : [ 
0x18, ['long']], 'Information' : [ 0x1c, ['pointer', ['void']]], 'ReferenceCount' : [ 0x20, ['long']], } ], '_WRITE_BEHIND_THROUGHPUT' : [ 0x8, { 'PagesYetToWrite' : [ 0x0, ['unsigned long']], 'Throughput' : [ 0x4, ['unsigned long']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_PPM_COORDINATED_SYNCHRONIZATION' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'EnterProcessor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'ExitProcessor' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 24, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 26, native_type='unsigned long')]], 'Entered' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'EntryPriority' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 32, 
native_type='unsigned long')]], } ], '_KDPC_LIST' : [ 0x8, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x4, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['_CM_COMPONENT_HASH']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_THERMAL_TELEMETRY_TRACKER' : [ 0x160, { 'AccountingDisabled' : [ 0x0, ['unsigned char']], 'LastPassiveUpdateTime' : [ 0x8, ['unsigned long long']], 'TotalPassiveTime' : [ 0x10, ['array', 21, ['unsigned long long']]], 'PassiveTimeSnap' : [ 0xb8, ['array', 21, ['unsigned long long']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_POP_FX_LOG_ENTRY' : [ 0x18, { 'Timestamp' : [ 0x0, ['unsigned long long']], 'Operation' : [ 0x8, ['unsigned char']], 'Component' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'Process' : [ 0xc, ['unsigned short']], 'Thread' : [ 0xe, ['unsigned short']], 'Information' : [ 0x10, ['unsigned long long']], } ], '_MI_VISIBLE_PARTITION' : [ 0xc40, { 'LowestPhysicalPage' : [ 0x0, ['unsigned long']], 'HighestPhysicalPage' : [ 0x4, ['unsigned long']], 
'NumberOfPhysicalPages' : [ 0x8, ['unsigned long']], 'NumberOfPagingFiles' : [ 0xc, ['unsigned long']], 'SystemCacheInitialized' : [ 0x10, ['unsigned char']], 'PagingFile' : [ 0x14, ['array', 16, ['pointer', ['_MMPAGING_FILE']]]], 'AvailablePages' : [ 0x80, ['unsigned long']], 'ResidentAvailablePages' : [ 0xc0, ['unsigned long']], 'PartitionWs' : [ 0x100, ['array', 1, ['_MMSUPPORT_INSTANCE']]], 'PartitionWorkingSetLists' : [ 0x168, ['array', 1, ['_MMWSL_INSTANCE']]], 'TotalCommittedPages' : [ 0x180, ['unsigned long']], 'ModifiedPageListHead' : [ 0x1c0, ['_MMPFNLIST']], 'ModifiedNoWritePageListHead' : [ 0x200, ['_MMPFNLIST']], 'TotalCommitLimit' : [ 0x214, ['unsigned long']], 'TotalPagesForPagingFile' : [ 0x218, ['unsigned long']], 'VadPhysicalPages' : [ 0x21c, ['unsigned long']], 'ProcessLockedFilePages' : [ 0x220, ['unsigned long']], 'SharedCommit' : [ 0x224, ['unsigned long']], 'ChargeCommitmentFailures' : [ 0x228, ['array', 4, ['unsigned long']]], 'PageFileTraceIndex' : [ 0x238, ['long']], 'PageFileTraces' : [ 0x240, ['array', 32, ['_MI_PAGEFILE_TRACES']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_FREE_DISPLAY' : [ 0x10, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 
'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x50, { 'Context' : [ 0x0, ['pointer', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x38, ['unsigned long']], 'DependencyUsed' : [ 0x3c, ['unsigned long']], 'DependencyArray' : [ 0x40, ['pointer', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x44, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x48, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x4c, ['unsigned long']], } ], '_PNP_REBALANCE_TRACE_CONTEXT' : [ 0x50, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'RebalancePhase' : [ 0x4, ['unsigned long']], 'Reason' : [ 0x8, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'RebalanceReasonUnknown', 1: 'RebalanceReasonRequirementsChanged', 2: 'RebalanceReasonNewDevice'})]]], 'Failure' : [ 0x10, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'RebalanceFailureNone', 1: 'RebalanceFailureDisabled', 2: 'RebalanceFailureNoMemory', 3: 'RebalanceFailureQueryStopUnexpectedVeto', 4: 'RebalanceFailureNoRequirements', 5: 'RebalanceFailureNoCandidates', 6: 'RebalanceFailureNoConfiguration'})]]], 'SubtreeRoot' : [ 0x18, ['pointer', ['_DEVICE_NODE']]], 'SubtreeIncludesRoot' : [ 0x1c, ['unsigned char']], 'TriggerRoot' : [ 0x20, ['pointer', ['_DEVICE_NODE']]], 'RebalanceDueToDynamicPartitioning' : [ 0x24, ['unsigned char']], 'BeginTime' : [ 0x28, ['unsigned long long']], 'VetoNode' : [ 0x30, ['array', 2, ['pointer', ['_DEVICE_NODE']]]], 'VetoQueryRebalanceReason' : [ 0x38, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceQueryRebalanceSucceeded', 1: 'DeviceQueryStopFailed', 2: 'DeviceFailedGetNewResourceRequirement', 3: 'DeviceInUnexpectedState', 4: 'DeviceNotSupportQueryRebalance'})]]], 'ConflictContext' : [ 0x40, ['_PNP_RESOURCE_CONFLICT_TRACE_CONTEXT']], } ], '_IOP_IRP_STACK_PROFILER' : [ 0x54, { 'Profile' : [ 0x0, ['array', 20, ['unsigned long']]], 'TotalIrps' : [ 
0x50, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x14, { 'BlockOffset' : [ 0x0, ['unsigned long']], 'PermanentBinAddress' : [ 0x4, ['unsigned long']], 'TemporaryBinAddress' : [ 0x8, ['unsigned long']], 'TemporaryBinRundown' : [ 0xc, ['_EX_RUNDOWN_REF']], 'MemAlloc' : [ 0x10, ['unsigned long']], } ], '__unnamed_26a0' : [ 0x18, { 'RequestedTime' : [ 0x0, ['unsigned long long']], 'ProgrammedTime' : [ 0x8, ['unsigned long long']], 'TimerInfo' : [ 0x10, ['pointer', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0x108, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, 
['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'WakeFirstUnattendedTime' : [ 0x50, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x60, ['array', 3, ['__unnamed_26a0']]], 'WakeAlarmPaused' : [ 0xa8, ['unsigned char']], 'WakeAlarmLastTime' : [ 0xb0, ['unsigned long long']], 'FilteredCapabilities' : [ 0xb8, ['SYSTEM_POWER_CAPABILITIES']], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : 
[ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_WNF_LOCK' : [ 0x4, { 'PushLock' : [ 0x0, ['_EX_PUSH_LOCK']], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_MI_PARTITION_ZEROING' : [ 0x3c, { 'PageEvent' : [ 0x0, ['_KEVENT']], 'ThreadActive' : [ 0x10, ['unsigned char']], 'ZeroFreePageSlistMinimum' : [ 0x14, ['long']], 'RebalanceZeroFreeWorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], 'ThreadCount' : [ 0x28, ['long']], 'Gate' : [ 0x2c, ['_KGATE']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x10, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x20, { 'ComponentActive' : [ 0x0, ['pointer', ['void']]], 'ComponentIdle' : [ 0x4, ['pointer', ['void']]], 'ComponentIdleState' : [ 0x8, ['pointer', ['void']]], 'DevicePowerRequired' : [ 0xc, ['pointer', ['void']]], 'DevicePowerNotRequired' : [ 0x10, ['pointer', ['void']]], 'PowerControl' : [ 0x14, ['pointer', ['void']]], 'ComponentCriticalTransition' : [ 0x18, ['pointer', ['void']]], 'DripsWatchdogCallback' : [ 0x1c, ['pointer', ['void']]], } ], '_FAST_ERESOURCE_INTERNAL' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'ReservedPointer' : [ 0x8, ['pointer', ['void']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 
'SharedWaiters' : [ 0x10, ['_KWAIT_CHAIN']], 'ExclusiveWaiters' : [ 0x14, ['_KWAIT_CHAIN']], 'OwnerEntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Reserved0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'u1' : [ 0x0, ['unsigned short']], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ForceAge' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ForceTrim' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'UnlockInProgress' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'NewMaximum' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit 
= 6, native_type='unsigned char')]], 'CommitReleaseState' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'u2' : [ 0x3, ['unsigned char']], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_MI_SYSTEM_CACHE_VIEW_ATTRIBUTES' : [ 0x10, { 'NumberOfPtes' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long long')]], 'SectionOffset' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 48, native_type='unsigned long long')]], } ], '_WAITING_IRP' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'CompletionRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'Information' : [ 0x18, ['unsigned long']], 'BreakAllRH' : [ 0x1c, ['unsigned char']], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, 
['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PLATFORM_IDLE_STATE_ACCOUNTING' : [ 0x3f0, { 'CancelCount' : [ 0x0, ['unsigned long']], 'FailureCount' : [ 0x4, ['unsigned long']], 'SuccessCount' : [ 0x8, ['unsigned long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'TotalTime' : [ 0x20, ['unsigned long long']], 'InvalidBucketIndex' : [ 0x28, ['unsigned long']], 'SelectionStatistics' : [ 0x30, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xb0, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_PROC_FEEDBACK' : [ 0x88, { 'Lock' : [ 0x0, ['unsigned long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x20, ['unsigned long long']], 'UnscaledTime' : [ 0x28, ['unsigned long long']], 'UnaccountedTime' : [ 0x30, 
['long long']], 'ScaledTime' : [ 0x38, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x48, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x50, ['unsigned long long']], 'UserTimeLast' : [ 0x58, ['unsigned long']], 'KernelTimeLast' : [ 0x5c, ['unsigned long']], 'IdleGenerationNumberLast' : [ 0x60, ['unsigned long long']], 'HvActiveTimeLast' : [ 0x68, ['unsigned long long']], 'StallCyclesLast' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long long']], 'KernelTimesIndex' : [ 0x80, ['unsigned char']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_TIMELINE_BITMAP' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x0, ['unsigned long']], 'Bitmap' : [ 0x4, ['unsigned long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x28, { 'InstantaneousRead' : [ 0x0, ['pointer', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'Scaling' : [ 0x22, ['unsigned char']], 'Context' : [ 0x24, ['unsigned long']], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_MI_DRIVER_VA' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_DRIVER_VA']]], 'PointerPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BitMap' : [ 0x8, ['_RTL_BITMAP']], 'Hint' : [ 0x10, ['unsigned long']], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', 
['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', ['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned char']], 'ShutDownRequested' : [ 0x32, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x32, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x32, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x32, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x34, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x3c, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x40, ['unsigned long']], 'UserPagesAllocated' : [ 0x44, ['unsigned long']], 'UserPagesReused' : [ 0x48, ['unsigned long']], 'EventsLostCount' : [ 0x4c, ['pointer', ['unsigned long']]], 'BuffersLostCount' : [ 0x50, ['pointer', ['unsigned long']]], 'SiloState' : [ 0x54, ['pointer', ['_ETW_SILODRIVERSTATE']]], } ], '_PAE_PAGEINFO' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'PageFrameNumber' : [ 0x8, ['unsigned long']], 'EntriesInUse' : [ 0xc, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_POP_HIBER_CONTEXT' : [ 0x140, { 'Reset' : [ 
0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x3, ['unsigned char']], 'InitializationFinished' : [ 0x4, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'HvCaptureReadyBarrier' : [ 0x14, ['long']], 'HvCaptureCompletedBarrier' : [ 0x18, ['long']], 'MapFrozen' : [ 0x1c, ['unsigned char']], 'DiscardMap' : [ 0x20, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x20, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x30, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x38, ['unsigned long']], 'ClonedPageCount' : [ 0x40, ['unsigned long long']], 'CurrentMap' : [ 0x48, ['pointer', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x4c, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x50, ['unsigned long']], 'LoaderMdl' : [ 0x54, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x58, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x60, ['unsigned long long']], 'IoPages' : [ 0x68, ['pointer', ['void']]], 'IoPagesCount' : [ 0x6c, ['unsigned long']], 'CurrentMcb' : [ 0x70, ['pointer', ['void']]], 'DumpStack' : [ 0x74, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x78, ['pointer', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0x7c, ['unsigned long']], 'Status' : [ 0x80, ['long']], 'GraphicsProc' : [ 0x84, ['unsigned long']], 'MemoryImage' : [ 0x88, ['pointer', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0x8c, ['pointer', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0x90, ['pointer', ['_MDL']]], 'SiLogOffset' : [ 0x94, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0x98, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0x9c, ['pointer', ['void']]], 'ResumeContext' : [ 0xa0, ['pointer', ['void']]], 'ResumeContextPages' : [ 0xa4, ['unsigned long']], 'ProcessorCount' : [ 0xa8, ['unsigned long']], 'ProcessorContext' : [ 0xac, ['pointer', 
['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0xb0, ['pointer', ['unsigned char']]], 'ProdConsSize' : [ 0xb4, ['unsigned long']], 'MaxDataPages' : [ 0xb8, ['unsigned long']], 'ExtraBuffer' : [ 0xbc, ['pointer', ['void']]], 'ExtraBufferSize' : [ 0xc0, ['unsigned long']], 'ExtraMapVa' : [ 0xc4, ['pointer', ['void']]], 'BitlockerKeyPFN' : [ 0xc8, ['unsigned long']], 'IoInfo' : [ 0xd0, ['_POP_IO_INFO']], 'IoChecksums' : [ 0x130, ['pointer', ['unsigned short']]], 'IoChecksumsSize' : [ 0x134, ['unsigned long']], 'HardwareConfigurationSignature' : [ 0x138, ['unsigned long']], } ], '_SEP_CACHED_HANDLES_TABLE' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x4, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '__unnamed_2719' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MI_DECAY_TIMER_LINKAGE']], } ], '_MI_DECAY_TIMER_LINK' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_2719']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '__unnamed_2720' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', 
['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_2720']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', ['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '_MI_PARTITION_COMMIT' : [ 0x80, { 'PeakCommitment' : [ 0x0, ['unsigned long']], 'TotalCommitLimitMaximum' : [ 0x4, ['unsigned long']], 'Popups' : [ 0x8, ['array', 2, ['long']]], 'LowCommitThreshold' : [ 0x10, ['unsigned long']], 'HighCommitThreshold' : [ 0x14, ['unsigned long']], 'EventLock' : [ 0x18, ['unsigned long']], 'SystemCommitReserve' : [ 0x1c, ['unsigned long']], 'OverCommit' : [ 0x40, ['unsigned long']], } ], '_TRIAGE_DEVICE_NODE' : [ 0x2c, { 'Sibling' : [ 0x0, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'FxDevice' : [ 0x28, ['pointer', ['_TRIAGE_POP_FX_DEVICE']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 
'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 
0x24, { 'InitiatingThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ThreadId' : [ 0x8, ['pointer', ['void']]], 'ProcessId' : [ 0xc, ['pointer', ['void']]], 'Code' : [ 0x10, ['unsigned long']], 'Parameter1' : [ 0x14, ['unsigned long']], 'Parameter2' : [ 0x18, ['unsigned long']], 'Parameter3' : [ 0x1c, ['unsigned long']], 'Parameter4' : [ 0x20, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 'SecurityQos' : [ 0x1c, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x4, ['pointer', ['wchar']]], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40f0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned 
long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'StackLimitHits' : [ 0x4038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x403c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x4040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4044, ['unsigned long']], 'TotalReleases' : [ 0x4048, ['unsigned long']], 'RootNodesDeleted' : [ 0x404c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x4050, ['unsigned long']], 'Instigator' : [ 0x4054, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4058, ['unsigned long']], 'Participant' : [ 0x405c, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40dc, ['long']], 'StackType' : [ 0x40e0, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'DebuggerStackLimits', 8: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x40e4, ['unsigned long']], 'StackHighLimit' : [ 0x40e8, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', ['void']]], } ], 'PO_MEMORY_IMAGE' : [ 0x338, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long long']], 'HiberFlags' : [ 0x30, ['unsigned char']], 'spare' : [ 0x31, ['array', 3, ['unsigned char']]], 
'NoHiberPtes' : [ 0x34, ['unsigned long']], 'HiberVa' : [ 0x38, ['unsigned long']], 'NoFreePages' : [ 0x3c, ['unsigned long']], 'FreeMapCheck' : [ 0x40, ['unsigned long']], 'WakeCheck' : [ 0x44, ['unsigned long']], 'NumPagesForLoader' : [ 0x48, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x50, ['unsigned long']], 'FirstKernelRestorePage' : [ 0x54, ['unsigned long']], 'FirstChecksumRestorePage' : [ 0x58, ['unsigned long']], 'NoChecksumEntries' : [ 0x60, ['unsigned long long']], 'PerfInfo' : [ 0x68, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x260, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x264, ['array', 1, ['unsigned long']]], 'SiLogOffset' : [ 0x268, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x26c, ['unsigned long']], 'BootLoaderLogPages' : [ 0x270, ['array', 24, ['unsigned long']]], 'NotUsed' : [ 0x2d0, ['unsigned long']], 'ResumeContextCheck' : [ 0x2d4, ['unsigned long']], 'ResumeContextPages' : [ 0x2d8, ['unsigned long']], 'Hiberboot' : [ 0x2dc, ['unsigned char']], 'HvCr3' : [ 0x2e0, ['unsigned long long']], 'HvEntryPoint' : [ 0x2e8, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x2f0, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x2f8, ['unsigned long long']], 'BootFlags' : [ 0x300, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x308, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x310, ['unsigned long']], 'BitlockerKeyPfns' : [ 0x314, ['array', 4, ['unsigned long']]], 'HardwareSignature' : [ 0x324, ['unsigned long']], 'SMBiosTablePhysicalAddress' : [ 0x328, ['_LARGE_INTEGER']], 'SMBiosTableLength' : [ 0x330, ['unsigned long']], 'SMBiosMajorVersion' : [ 0x334, ['unsigned char']], 'SMBiosMinorVersion' : [ 0x335, ['unsigned char']], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], 
'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 
'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_MI_PAGING_IO_STATE' : [ 0x38, { 'PageFileHead' : [ 0x0, ['_RTL_AVL_TREE']], 'PageFileHeadSpinLock' : [ 0x4, ['long']], 'PrefetchSeekThreshold' : [ 0x8, ['long']], 'InPageSupportSListHead' : [ 0x10, ['array', 2, ['_SLIST_HEADER']]], 'InPageSupportSListMinimum' : [ 0x20, ['array', 2, ['unsigned char']]], 'InPageSinglePages' : [ 0x24, ['unsigned long']], 'DelayPageFaults' : [ 0x28, ['long']], 'FileCompressionBoundary' : [ 0x2c, ['unsigned long']], 'MdlsAdjusted' : [ 0x30, ['unsigned char']], } ], '_MI_STANDBY_STATE' : [ 0x38, { 'FirstDecayPage' : [ 0x0, ['unsigned long']], 'PfnDecayFreeSList' : [ 0x8, ['_SLIST_HEADER']], 'PfnRepurposeLog' : [ 0x10, ['pointer', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'AllocatePfnRepurposeDpc' : [ 0x14, ['_KDPC']], } ], '_MI_DECAY_TIMER_LINKAGE' : [ 0x4, { 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NextDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, 
['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x128, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x104, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x124, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_TRIAGE_9F_POWER' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'IrpList' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'ThreadList' : [ 0x8, ['pointer', ['_LIST_ENTRY']]], 'DelayedWorkQueue' : [ 0xc, ['pointer', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_MMINPAGE_SUPPORT_FLOW_THROUGH' : [ 0x1c, { 'Page' : [ 0x0, ['array', 1, ['unsigned long']]], 'InitialInPageSupport' : [ 0x4, ['pointer', ['_MMINPAGE_SUPPORT']]], 'PagingFile' : [ 0x8, ['pointer', 
['_MMPAGING_FILE']]], 'PageFileOffset' : [ 0xc, ['unsigned long']], 'Node' : [ 0x10, ['_RTL_BALANCED_NODE']], } ], '_MI_COMBINE_STATE' : [ 0x18, { 'ActiveSpinLock' : [ 0x0, ['long']], 'CombiningThreadCount' : [ 0x4, ['unsigned long']], 'ActiveThreadTree' : [ 0x8, ['_RTL_AVL_TREE']], 'ZeroPageHashValue' : [ 0x10, ['unsigned long long']], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_PTE_TRACKER' : [ 0x44, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'GuardPte' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 7, ['pointer', ['void']]]], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_HIVE_WAIT_PACKET' : [ 0x18, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Next' : [ 0x14, ['pointer', ['_HIVE_WAIT_PACKET']]], } ], '_VF_AVL_TREE_NODE_EX' : [ 0xc, { 'Base' : [ 0x0, ['_VF_AVL_TREE_NODE']], 
'SessionId' : [ 0x8, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_CM_INDEX' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'NameHint' : [ 0x4, ['_CM_FAST_LEAF_HINT']], 'HashKey' : [ 0x4, ['_CM_COMPONENT_HASH']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_MMPAGING_FILE' : [ 0xa8, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'FreeReservationSpace' : [ 0x18, ['unsigned long']], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x20, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x28, ['_SLIST_HEADER']], 'PageFileName' : [ 0x30, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x38, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x3c, ['unsigned long']], 'LargestAllocationCluster' : [ 0x40, ['unsigned long']], 'RefreshAllocationCluster' : [ 0x44, ['unsigned long']], 'LastRefreshAllocationCluster' : [ 0x48, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x4c, ['unsigned long']], 'MaximumRunLengthInBitmaps' : [ 0x50, ['unsigned long']], 'BitmapsCacheLengthTree' : [ 0x54, ['_RTL_RB_TREE']], 'BitmapsCacheLocationTree' : [ 0x5c, ['_RTL_RB_TREE']], 'BitmapsCacheFreeList' : [ 0x64, ['_LIST_ENTRY']], 'BitmapsCacheEntries' : [ 0x6c, ['pointer', ['_MI_PAGEFILE_BITMAPS_CACHE_ENTRY']]], 'ToBeEvictedCount' : [ 0x70, ['unsigned long']], 'HybridPriority' : [ 0x70, ['unsigned long']], 'PageFileNumber' : [ 0x74, ['BitField', dict(start_bit = 0, 
end_bit = 4, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'NoReservations' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'VirtualStorePagefile' : [ 0x74, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SwapSupported' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'NodeInserted' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'StackNotified' : [ 0x74, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'BackedBySCM' : [ 0x74, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'Spare0' : [ 0x74, ['BitField', dict(start_bit = 11, end_bit = 15, native_type='unsigned short')]], 'AdriftMdls' : [ 0x76, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0x76, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'IgnoreReservations' : [ 0x77, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare2' : [ 0x77, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0x78, ['unsigned long']], 'PageHashPagesPeak' : [ 0x7c, ['unsigned long']], 'PageHash' : [ 0x80, ['pointer', ['unsigned long']]], 'FileHandle' : [ 0x84, ['pointer', ['void']]], 'Lock' : [ 0x88, ['unsigned long']], 'LockOwner' : [ 0x8c, ['pointer', ['_ETHREAD']]], 'FlowThroughReadRoot' : [ 0x90, ['_RTL_AVL_TREE']], 'Partition' : [ 0x94, ['pointer', ['_MI_PARTITION']]], 'FileObjectNode' : [ 0x98, ['_RTL_BALANCED_NODE']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, 
['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_HVIEW_MAP' : [ 0x320, { 'MappedLength' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x4, ['_EX_PUSH_LOCK']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'Directory' : [ 0xc, ['pointer', ['_HVIEW_MAP_DIRECTORY']]], 'PagesCharged' : [ 0x10, ['unsigned long']], 'PinLog' : [ 0x18, ['_HVIEW_MAP_PIN_LOG']], } ], '_POP_FX_WORK_ORDER' : [ 0x1c, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x10, ['long']], 'Context' : [ 0x14, ['pointer', ['void']]], 'WatchdogTimerInfo' : [ 0x18, ['pointer', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x10, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_PAGELIST_STATE' : [ 0x8, { 'ActiveSpinLock' : [ 0x0, ['long']], 'ActiveThreadTree' : [ 0x4, ['_RTL_AVL_TREE']], } ], '_CRITICAL_PROCESS_EXCEPTION_DATA' : [ 0x28, { 'ReportId' : [ 0x0, ['_GUID']], 'ModuleName' : [ 0x10, ['_UNICODE_STRING']], 'ModuleTimestamp' : [ 0x18, ['unsigned long']], 'ModuleSize' : [ 0x1c, ['unsigned long']], 'Offset' : [ 0x20, ['unsigned 
long long']], } ], '__unnamed_27c7' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_27c9' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_27c7']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_27c9']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_RELATION_LIST' : [ 0x8, { 'DeviceObjectList' : [ 0x0, ['pointer', ['_DEVICE_OBJECT_LIST']]], 'Sorted' : [ 0x4, ['unsigned char']], } ], '_IO_IRP_EXT_TRACK_OFFSET_HEADER' : [ 0x8, { 
'Validation' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'TrackedOffsetCallback' : [ 0x4, ['pointer', ['void']]], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x340, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ulTargetPlatform' : [ 0x8, ['unsigned long']], 'ullContextMinimum' : [ 0x10, ['unsigned long long']], 'guPlatform' : [ 0x18, ['_GUID']], 'guMinPlatform' : [ 0x28, ['_GUID']], 'ulContextSource' : [ 0x38, ['unsigned long']], 'ulElementCount' : [ 0x3c, ['unsigned long']], 'guElements' : [ 0x40, ['array', 48, ['_GUID']]], } ], '_SESSION_LOWBOX_MAP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x8, ['unsigned long']], 'LowboxMap' : [ 0xc, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_POP_IO_INFO' : [ 0x60, { 'DumpMdl' : [ 0x0, ['pointer', ['_MDL']]], 'IoStatus' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x8, ['unsigned long long']], 'IoBytesCompleted' : [ 0x10, ['unsigned long long']], 'IoBytesInProgress' : [ 0x18, ['unsigned long long']], 'RequestSize' : [ 0x20, ['unsigned long long']], 'IoLocation' : [ 0x28, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x30, ['unsigned long long']], 'Buffer' : [ 0x38, ['pointer', ['void']]], 'AsyncCapable' : [ 0x3c, ['unsigned char']], 'BytesToRead' : [ 0x40, ['unsigned long long']], 'Pages' : [ 0x48, ['unsigned long']], 'HighestChecksumIndex' : [ 0x50, ['unsigned long long']], 'PreviousChecksum' : [ 0x58, ['unsigned short']], } ], '_TOKEN_ACCESS_INFORMATION' : [ 0x38, { 'SidHash' : [ 0x0, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'RestrictedSidHash' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'Privileges' : [ 0x8, ['pointer', ['_TOKEN_PRIVILEGES']]], 'AuthenticationId' : [ 0xc, ['_LUID']], 'TokenType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 
'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'MandatoryPolicy' : [ 0x1c, ['_TOKEN_MANDATORY_POLICY']], 'Flags' : [ 0x20, ['unsigned long']], 'AppContainerNumber' : [ 0x24, ['unsigned long']], 'PackageSid' : [ 0x28, ['pointer', ['void']]], 'CapabilitiesHash' : [ 0x2c, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'TrustLevelSid' : [ 0x30, ['pointer', ['void']]], 'SecurityAttributes' : [ 0x34, ['pointer', ['void']]], } ], '_MIPFNBLINK' : [ 0x4, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PageBlinkDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'PageBlinkLockBit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ShareCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'PageShareCountDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'PageShareCountLockBit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'EntireField' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x0, ['long']], 'LockNotUsed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'DeleteBit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'LockBit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x1c, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' : [ 0xc, ['unsigned long']], 'ObjectInfo' : [ 0x10, 
['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x18, ['unsigned long']], } ], '_PPM_COORDINATED_SELECTION' : [ 0x10, { 'MaximumStates' : [ 0x0, ['unsigned long']], 'SelectedStates' : [ 0x4, ['unsigned long']], 'DefaultSelection' : [ 0x8, ['unsigned long']], 'Selection' : [ 0xc, ['pointer', ['unsigned long']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '__unnamed_2801' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x50, { 'Status' : [ 0x0, ['long']], 'PartitionId' : [ 0x4, ['unsigned short']], 'Priority' : [ 0x6, ['unsigned char']], 'IrpPriority' : [ 0x7, ['unsigned char']], 'ReservationWrite' : [ 0x8, ['unsigned char']], 'CurrentTime' : [ 0x10, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x18, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x1c, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x24, ['unsigned long']], 'ModifiedPagefileNoReservationPages' : [ 0x28, ['unsigned long']], 'MdlHack' : [ 0x2c, ['__unnamed_2801']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'Pattern' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolType' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 20, native_type='unsigned long')]], 'SlushSize' : [ 0x8, ['BitField', dict(start_bit = 20, 
end_bit = 32, native_type='unsigned long')]], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '__unnamed_280e' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_280e']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_PROC_PERF_HISTORY' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'UtilityTotal' : [ 0x8, ['unsigned long']], 'AffinitizedUtilityTotal' : [ 0xc, ['unsigned long']], 'FrequencyTotal' : [ 
0x10, ['unsigned long']], 'TaggedPercentTotal' : [ 0x14, ['array', 2, ['unsigned long']]], 'HistoryList' : [ 0x1c, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '__unnamed_281f' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_2822' : [ 0x4, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x4c, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x28, ['__unnamed_281f']], 'Subsection' : [ 0x2c, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x30, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x38, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x40, ['pointer', ['_EPROCESS']]], 'u4' : [ 0x44, ['__unnamed_2822']], 'FileObject' : [ 0x48, ['pointer', ['_FILE_OBJECT']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1f, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1e, ['unsigned char']], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x410, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' 
: [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '_KALPC_WORK_ON_BEHALF_DATA' : [ 0x8, { 'Ticket' : [ 0x0, ['_ALPC_WORK_ON_BEHALF_TICKET']], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 
'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xa8, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x34, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x34, ['unsigned long']], 'PackagedBinary' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x34, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x34, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x34, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x34, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x34, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x34, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long')]], 'ReservedFlags1' : [ 0x34, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x34, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LoadConfigProcessed' : [ 0x34, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectDelayLoad' : [ 0x34, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x34, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x34, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x34, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x34, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x34, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x34, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x34, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x34, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x34, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, 
['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Lock' : [ 0x4c, ['pointer', ['void']]], 'DdagNode' : [ 0x50, ['pointer', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0x54, ['_LIST_ENTRY']], 'LoadContext' : [ 0x5c, ['pointer', ['_LDRP_LOAD_CONTEXT']]], 'ParentDllBase' : [ 0x60, ['pointer', ['void']]], 'SwitchBackContext' : [ 0x64, ['pointer', ['void']]], 'BaseAddressIndexNode' : [ 0x68, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0x74, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0x80, ['unsigned long']], 'LoadTime' : [ 0x88, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x90, ['unsigned long']], 'LoadReason' : [ 0x94, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x98, ['unsigned long']], 'ReferenceCount' : [ 0x9c, ['unsigned long']], 'DependentLoadFlags' : [ 0xa0, ['unsigned long']], 'SigningLevel' : [ 0xa4, ['unsigned char']], } ], '_KTIMER2_COLLECTION' : [ 0x10, { 'Tree' : [ 0x0, ['_RTL_RB_TREE']], 'NextDueTime' : [ 0x8, ['unsigned long long']], } ], '__unnamed_284b' : [ 0x1, { 'Age' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_284d' : [ 0x1, { 'EntireWsle' : [ 0x0, ['unsigned char']], } ], '__unnamed_284f' : [ 0x1, { 'e1' : [ 0x0, ['__unnamed_284b']], 'e2' : [ 0x0, ['__unnamed_284d']], } ], '_MI_WSLE' : [ 0x1, { 'u1' : [ 0x0, ['__unnamed_284f']], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 
'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, ['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x12, ['unsigned short']], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PrivateDemandZero' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, 
['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_MI_PARTITION_MODWRITES' : [ 0x1d0, { 'AttemptForCantExtend' : [ 0x0, ['_MMPAGE_FILE_EXPANSION']], 'PageFileContract' : [ 0x38, ['_MMPAGE_FILE_EXPANSION']], 'NumberOfMappedMdls' : [ 0x70, ['unsigned long']], 'NumberOfMappedMdlsInUse' : [ 0x74, ['long']], 'NumberOfMappedMdlsInUsePeak' : [ 0x78, ['unsigned long']], 'MappedFileHeader' : [ 0x7c, ['_MMMOD_WRITER_LISTHEAD']], 'NeedMappedMdl' : [ 0x94, ['unsigned char']], 'NeedPageFileMdl' : [ 0x95, ['unsigned char']], 'TransitionInserted' : [ 0x96, ['unsigned char']], 'LastModifiedWriteError' : [ 0x98, ['long']], 'LastMappedWriteError' : [ 0x9c, ['long']], 'MappedFileWriteSucceeded' : [ 0xa0, ['unsigned long']], 'MappedWriteBurstCount' : [ 0xa4, ['unsigned long']], 'LowPriorityModWritesOutstanding' : [ 0xa8, ['unsigned long']], 'BoostModWriteIoPriorityEvent' : [ 0xac, ['_KEVENT']], 'ModifiedWriterThreadPriority' : [ 0xbc, ['long']], 'ModifiedPagesLowPriorityGoal' : [ 0xc0, ['unsigned long']], 'ModifiedPageWriterEvent' : [ 0xc4, ['_KEVENT']], 'ModifiedWriterExitedEvent' : [ 0xd4, ['_KEVENT']], 'WriteAllPagefilePages' : [ 0xe4, ['long']], 'WriteAllMappedPages' : [ 0xe8, ['long']], 'MappedPageWriterEvent' : [ 0xec, ['_KEVENT']], 'ModWriteData' : [ 0x100, ['_MI_MODWRITE_DATA']], 'RescanPageFilesEvent' : [ 0x130, ['_KEVENT']], 'PagingFileHeader' : [ 0x140, ['_MMMOD_WRITER_LISTHEAD']], 'ModifiedPageWriterThread' : [ 0x158, ['pointer', ['_ETHREAD']]], 'ModifiedPageWriterRundown' : [ 0x15c, ['_EX_RUNDOWN_REF']], 'PagefileScanWorkItem' : [ 0x160, ['_WORK_QUEUE_ITEM']], 'PagefileScanCount' : [ 0x170, ['unsigned long']], 
'ClusterWritesDisabled' : [ 0x174, ['array', 2, ['long']]], 'NotifyStoreMemoryConditions' : [ 0x17c, ['_KEVENT']], 'DelayMappedWrite' : [ 0x18c, ['unsigned char']], 'PagefileReservationsEnabled' : [ 0x190, ['unsigned long']], 'PageFileCreationLock' : [ 0x194, ['_EX_PUSH_LOCK']], 'TrimPagefileWorkItem' : [ 0x198, ['_WORK_QUEUE_ITEM']], 'LastTrimPagefileTime' : [ 0x1a8, ['unsigned long long']], 'WsSwapPagefileContractWorkItem' : [ 0x1b0, ['_WORK_QUEUE_ITEM']], 'WsSwapPageFileContractionInProgress' : [ 0x1c0, ['long']], 'WorkingSetSwapLock' : [ 0x1c4, ['_EX_PUSH_LOCK']], 'WorkingSetInswapLock' : [ 0x1c8, ['long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_OB_EXTENDED_PARSE_PARAMETERS' : [ 0xc, { 'Length' : [ 0x0, ['unsigned short']], 'RestrictedAccessMask' : [ 0x4, ['unsigned long']], 'Silo' : [ 0x8, ['pointer', ['_EJOB']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 
'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 
'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '_MMWORKING_SET_EXPANSION_HEAD' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_POP_FX_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['unsigned char']], 'DripsRequiredState' : [ 0x8, ['unsigned long']], 'Level' : [ 0xc, ['long']], 'ActiveStamp' : [ 0x10, ['long long']], 'CsActiveTime' : [ 0x18, 
['unsigned long long']], 'CriticalActiveTime' : [ 0x20, ['long long']], } ], '_KSCHEDULING_GROUP_POLICY' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long']], 'Weight' : [ 0x0, ['unsigned short']], 'MinRate' : [ 0x0, ['unsigned short']], 'MaxRate' : [ 0x2, ['unsigned short']], 'AllFlags' : [ 0x4, ['unsigned long']], 'Type' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RankBias' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Spare1' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_POP_POLICY_DEVICE' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x80, { 'SelectedCount' : [ 0x0, ['unsigned long long']], 'VetoCount' : [ 0x8, ['unsigned long long']], 'PreVetoCount' : [ 0x10, ['unsigned long long']], 'WrongProcessorCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, 
['unsigned long long']], 'IdleDurationCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'PlatformOnlyCount' : [ 0x40, ['unsigned long long']], 'InterruptibleCount' : [ 0x48, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x50, ['unsigned long long']], 'CstateCheckCount' : [ 0x58, ['unsigned long long']], 'NoCStateCount' : [ 0x60, ['unsigned long long']], 'CoordinatedDependencyCount' : [ 0x68, ['unsigned long long']], 'NotClockOwnerCount' : [ 0x70, ['unsigned long long']], 'PreVetoAccounting' : [ 0x78, ['pointer', ['_PPM_VETO_ACCOUNTING']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '__unnamed_28ad' : [ 0x4, { 'FlushCompleting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'FlushInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='long')]], 'Long' : [ 0x0, ['long']], } ], '_MI_PARTITION_STORES' : [ 0x58, { 'WriteAllStoreHintedPages' : [ 0x0, ['__unnamed_28ad']], 'VirtualPageFileNumber' : [ 0x4, ['unsigned long']], 'Registered' : [ 0x8, ['unsigned long']], 'ReadClusterSizeMax' : [ 0xc, ['unsigned long']], 'EvictFlushRequestCount' : [ 0x10, ['unsigned long']], 'ModifiedWriteDisableCount' : [ 0x14, ['unsigned long']], 'WriteIssueFailures' : [ 0x18, ['unsigned long']], 'EvictFlushLock' : [ 0x1c, ['long']], 'EvictionThread' : [ 0x20, ['pointer', ['_ETHREAD']]], 'EvictEvent' : [ 0x24, ['_KEVENT']], 'WriteSupportSListHead' : [ 0x38, ['_SLIST_HEADER']], 'EvictFlushCompleteEvent' : [ 0x40, ['_KEVENT']], 'ModifiedWriteFailedBitmap' : [ 0x50, ['pointer', ['_RTL_BITMAP']]], 'StoreProcess' : [ 0x54, 
['pointer', ['_EPROCESS']]], } ], '_MI_RFG_PROTECTED_STACK' : [ 0xc, { 'ControlStackBase' : [ 0x0, ['pointer', ['void']]], 'ControlStackVad' : [ 0x4, ['pointer', ['_MMVAD_SHORT']]], 'OwnerThread' : [ 0x8, ['pointer', ['void']]], } ], '_POP_FX_COMPONENT' : [ 0xc0, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x14, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x30, ['pointer', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x34, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x3c, ['long']], 'ActiveEvent' : [ 0x40, ['_KEVENT']], 'IdleLock' : [ 0x50, ['unsigned long']], 'IdleConditionComplete' : [ 0x54, ['long']], 'IdleStateComplete' : [ 0x58, ['long']], 'IdleStamp' : [ 0x60, ['unsigned long long']], 'CurrentIdleState' : [ 0x68, ['unsigned long']], 'IdleStateCount' : [ 0x6c, ['unsigned long']], 'IdleStates' : [ 0x70, ['pointer', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0x74, ['unsigned long']], 'ProviderCount' : [ 0x78, ['unsigned long']], 'Providers' : [ 0x7c, ['pointer', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0x80, ['unsigned long']], 'DependentCount' : [ 0x84, ['unsigned long']], 'Dependents' : [ 0x88, ['pointer', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0x90, ['_POP_FX_ACCOUNTING']], 'Performance' : [ 0xb8, ['pointer', ['_POP_FX_PERF_INFO']]], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned 
long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], } ], '_MMPAGE_FILE_EXPANSION' : [ 0x38, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'Partition' : [ 0xc, ['pointer', ['_MI_PARTITION']]], 'RequestedExpansionSize' : [ 0x10, ['unsigned long']], 'ActualExpansion' : [ 0x14, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'InProgress' : [ 0x28, ['long']], 'u' : [ 0x2c, ['_MMPAGE_FILE_EXPANSION_FLAGS']], 'ActiveEntry' : [ 0x30, ['pointer', ['pointer', ['void']]]], 'AttemptForCantExtend' : [ 0x34, ['unsigned char']], 'PageFileContract' : [ 0x35, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'Unused' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ForceCollision' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_HVIEW_MAP_PIN_LOG' : [ 0x308, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Entries' : [ 0x8, ['array', 16, ['_HVIEW_MAP_PIN_LOG_ENTRY']]], } ], '_IO_REMOVE_LOCK' : [ 0x18, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '__unnamed_28d9' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_28d9']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_FAST_OWNER_ENTRY_INTERNAL' : [ 0x24, { 'ListEntry' : [ 0x0, 
['_LIST_ENTRY']], 'AbLockHandle' : [ 0x8, ['unsigned char']], 'Disowned' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DynamicallyAllocated' : [ 0x9, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CallerExclusive' : [ 0x9, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsSublistHead' : [ 0xa, ['unsigned char']], 'IsWaiting' : [ 0xb, ['unsigned char']], 'LockAddress' : [ 0xc, ['pointer', ['void']]], 'ThreadAddress' : [ 0x10, ['pointer', ['void']]], 'SublistHead' : [ 0x14, ['_LIST_ENTRY']], 'LockListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_MI_POOL_STATE' : [ 0x4dc, { 'MaximumNonPagedPoolThreshold' : [ 0x0, ['unsigned long']], 'NonPagedPoolSListMaximum' : [ 0x4, ['array', 3, ['unsigned long']]], 'AllocatedNonPagedPool' : [ 0x10, ['unsigned long']], 'BadPoolHead' : [ 0x14, ['_SINGLE_LIST_ENTRY']], 'HighEventSets' : [ 0x18, ['unsigned long']], 'HighEventSetsValid' : [ 0x1c, ['unsigned char']], 'PoolFailures' : [ 0x20, ['array', 3, ['array', 3, ['unsigned long']]]], 'PoolFailureReasons' : [ 0x44, ['_MI_POOL_FAILURE_REASONS']], 'LowPagedPoolThreshold' : [ 0x70, ['unsigned long']], 'HighPagedPoolThreshold' : [ 0x74, ['unsigned long']], 'SpecialPoolPdesMax' : [ 0x78, ['long']], 'NonPagedPoolNodes' : [ 0x7c, ['array', 1024, ['unsigned char']]], 'PagedProtoPoolInfo' : [ 0x47c, ['_MM_PAGED_POOL_INFO']], 'PagedPoolSListMaximum' : [ 0x498, ['unsigned long']], 'PreemptiveTrims' : [ 0x49c, ['array', 4, ['unsigned long']]], 'SpecialPagesInUsePeak' : [ 0x4ac, ['unsigned long']], 'SpecialPoolRejected' : [ 0x4b0, ['array', 6, ['unsigned long']]], 'SpecialPagesNonPaged' : [ 0x4c8, ['unsigned long']], 'SpecialPoolPdes' : [ 0x4cc, ['long']], 'SessionSpecialPoolPdesMax' : [ 0x4d0, ['unsigned long']], 'TotalPagedPoolQuota' : [ 0x4d4, ['unsigned long']], 'TotalNonPagedPoolQuota' : [ 0x4d8, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, 
['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x18, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x1a, ['unsigned short']], 'OperatingSystemVersion' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ComPlusPrefer32bit' : [ 0x23, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x1c, { 'SpinLock' : [ 0x0, ['unsigned long']], 'ConnectLock' : [ 0x4, ['_KEVENT']], 'LineMasked' : [ 0x14, ['unsigned char']], 'InterruptList' : [ 0x18, ['pointer', ['_KINTERRUPT']]], } ], '_PPM_SELECTION_DEPENDENCY' : [ 0xc, { 'Processor' : [ 0x0, ['unsigned long']], 'Menu' : [ 0x4, 
['_PPM_SELECTION_MENU']], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_MI_HARDWARE_STATE' : [ 0xc0, { 'NodeMask' : [ 0x0, ['unsigned long']], 'NumaLastRangeIndex' : [ 0x4, ['unsigned long']], 'NumaTableCaptured' : [ 0x8, ['unsigned char']], 'NodeShift' : [ 0x9, ['unsigned char']], 'ChannelShift' : [ 0xa, ['unsigned char']], 'NodeGraph' : [ 0xc, ['pointer', ['unsigned short']]], 'SystemNodeInformation' : [ 0x10, ['pointer', ['_MI_SYSTEM_NODE_INFORMATION']]], 'NumaMemoryRanges' : [ 0x14, ['pointer', ['_HAL_NODE_RANGE']]], 
'ChannelMemoryRanges' : [ 0x18, ['pointer', ['_HAL_CHANNEL_MEMORY_RANGES']]], 'SecondLevelCacheSize' : [ 0x1c, ['unsigned long']], 'FirstLevelCacheSize' : [ 0x20, ['unsigned long']], 'PhysicalAddressBits' : [ 0x24, ['unsigned long']], 'TotalPagesAllowed' : [ 0x28, ['unsigned long']], 'SecondaryColorMask' : [ 0x2c, ['unsigned long']], 'SecondaryColors' : [ 0x30, ['unsigned long']], 'FlushTbForAttributeChange' : [ 0x34, ['unsigned long']], 'FlushCacheForAttributeChange' : [ 0x38, ['unsigned long']], 'FlushCacheForPageAttributeChange' : [ 0x3c, ['unsigned long']], 'CacheFlushPromoteThreshold' : [ 0x40, ['unsigned long']], 'FlushTbThreshold' : [ 0x44, ['unsigned long']], 'OptimalZeroingAttribute' : [ 0x48, ['array', 4, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'MiNonCached', 1: 'MiCached', 2: 'MiWriteCombined', 3: 'MiNotMapped'})]]]], 'AttributeChangeRequiresReZero' : [ 0x88, ['unsigned char']], 'ZeroCostCounts' : [ 0x90, ['array', 2, ['_MI_ZERO_COST_COUNTS']]], 'HighestPossiblePhysicalPage' : [ 0xb0, ['unsigned long']], 'EnclaveRegions' : [ 0xb4, ['_RTL_AVL_TREE']], 'VsmKernelPageCount' : [ 0xb8, ['unsigned long']], } ], '_PPM_VETO_ACCOUNTING' : [ 0x18, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x4, ['_LIST_ENTRY']], 'CsAccountingBlocks' : [ 0xc, ['unsigned char']], 'BlocksDrips' : [ 0xd, ['unsigned char']], 'PreallocatedVetoCount' : [ 0x10, ['unsigned long']], 'PreallocatedVetoList' : [ 0x14, ['pointer', ['_PPM_VETO_ENTRY']]], } ], '__unnamed_2908' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2908']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_SYSPTES_HEADER' : [ 0x8c, { 'ListHead' : [ 0x0, ['array', 16, ['_LIST_ENTRY']]], 'Count' : [ 0x80, ['unsigned long']], 'NumberOfEntries' : [ 0x84, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x88, ['unsigned long']], } ], '_MI_ERROR_STATE' : [ 0xa8, { 'BadMemoryEventEntry' 
: [ 0x0, ['_MI_BAD_MEMORY_EVENT_ENTRY']], 'PageOfInterest' : [ 0x28, ['unsigned long']], 'ProbeRaises' : [ 0x2c, ['_MI_PROBE_RAISE_TRACKER']], 'ForcedCommits' : [ 0x6c, ['_MI_FORCED_COMMITS']], 'WsleFailures' : [ 0x74, ['array', 1, ['unsigned long']]], 'PageHashErrors' : [ 0x78, ['unsigned long']], 'CheckZeroCount' : [ 0x7c, ['unsigned long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x80, ['long']], 'BadPagesDetected' : [ 0x84, ['long']], 'ScrubPasses' : [ 0x88, ['long']], 'ScrubBadPagesFound' : [ 0x8c, ['long']], 'UserViewFailures' : [ 0x90, ['unsigned long']], 'UserViewCollisionFailures' : [ 0x94, ['unsigned long']], 'ResavailFailures' : [ 0x98, ['_MI_RESAVAIL_FAILURES']], 'PendingBadPages' : [ 0xa0, ['unsigned char']], 'InitFailure' : [ 0xa1, ['unsigned char']], 'StopBadMaps' : [ 0xa2, ['unsigned char']], } ], '_PROC_PERF_DOMAIN' : [ 0x100, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'DomainContext' : [ 0x18, ['unsigned long']], 'ProcessorCount' : [ 0x1c, ['unsigned long']], 'EfficiencyClass' : [ 0x20, ['unsigned char']], 'NominalPerformanceClass' : [ 0x21, ['unsigned char']], 'HighestPerformanceClass' : [ 0x22, ['unsigned char']], 'Spare' : [ 0x23, ['unsigned char']], 'Processors' : [ 0x24, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0x28, ['pointer', ['void']]], 'TimeWindowHandler' : [ 0x2c, ['pointer', ['void']]], 'BoostPolicyHandler' : [ 0x30, ['pointer', ['void']]], 'BoostModeHandler' : [ 0x34, ['pointer', ['void']]], 'EnergyPerfPreferenceHandler' : [ 0x38, ['pointer', ['void']]], 'AutonomousActivityWindowHandler' : [ 0x3c, ['pointer', ['void']]], 'AutonomousModeHandler' : [ 0x40, ['pointer', ['void']]], 'ReinitializeHandler' : [ 0x44, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x48, ['pointer', ['void']]], 'PerfControlHandler' : [ 0x4c, ['pointer', ['void']]], 'DomainPerfControlHandler' : [ 0x50, ['pointer', ['void']]], 'MaxFrequency' : [ 0x54, 
['unsigned long']], 'NominalFrequency' : [ 0x58, ['unsigned long']], 'MaxPercent' : [ 0x5c, ['unsigned long']], 'MinPerfPercent' : [ 0x60, ['unsigned long']], 'MinThrottlePercent' : [ 0x64, ['unsigned long']], 'MinimumRelativePerformance' : [ 0x68, ['unsigned long long']], 'NominalRelativePerformance' : [ 0x70, ['unsigned long long']], 'NominalRelativePerformancePercent' : [ 0x78, ['unsigned char']], 'Coordination' : [ 0x79, ['unsigned char']], 'HardPlatformCap' : [ 0x7a, ['unsigned char']], 'AffinitizeControl' : [ 0x7b, ['unsigned char']], 'EfficientThrottle' : [ 0x7c, ['unsigned char']], 'AllowVirtualHeterogeneity' : [ 0x7d, ['unsigned char']], 'InitiateAllProcessors' : [ 0x7e, ['unsigned char']], 'AutonomousMode' : [ 0x7f, ['unsigned char']], 'DesiredPercent' : [ 0x80, ['unsigned long']], 'MaxPolicyPercent' : [ 0x84, ['unsigned long']], 'MaxEquivalentFrequencyPercent' : [ 0x88, ['unsigned long']], 'MinPolicyPercent' : [ 0x8c, ['unsigned long']], 'GuaranteedPercent' : [ 0x90, ['unsigned long']], 'SelectionGeneration' : [ 0x94, ['unsigned long']], 'BackgroundSelectionGeneration' : [ 0x98, ['unsigned long']], 'Selection' : [ 0xa0, ['_PERF_CONTROL_STATE_SELECTION']], 'BackgroundSelection' : [ 0xc8, ['_PERF_CONTROL_STATE_SELECTION']], 'PerfChangeTime' : [ 0xf0, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0xf8, ['unsigned long']], 'Force' : [ 0xfc, ['unsigned char']], 'ProvideGuidance' : [ 0xfd, ['unsigned char']], } ], '_MI_COMMON_PAGE_STATE' : [ 0x40, { 'PageOfOnesPfn' : [ 0x0, ['pointer', ['_MMPFN']]], 'PageOfOnes' : [ 0x4, ['unsigned long']], 'DummyPagePfn' : [ 0x8, ['pointer', ['_MMPFN']]], 'DummyPage' : [ 0xc, ['unsigned long']], 'PageOfZeroes' : [ 0x10, ['unsigned long']], 'ZeroMapping' : [ 0x14, ['pointer', ['void']]], 'OnesMapping' : [ 0x18, ['pointer', ['void']]], 'ZeroCrc' : [ 0x20, ['unsigned long long']], 'OnesCrc' : [ 0x28, ['unsigned long long']], 'BitmapGapFrames' : [ 0x30, ['array', 2, ['unsigned long']]], 'PfnGapFrames' : [ 0x38, ['array', 
2, ['unsigned long']]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_HEAP_EXTENDED_ENTRY' : [ 0x8, { 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SiloSessionId' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'IoTracker' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_POP_COOLING_EXTENSION' : [ 0x48, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'RequestListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['_POP_RW_LOCK']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'NotificationEntry' : [ 0x1c, ['pointer', ['void']]], 'Enabled' : [ 0x20, ['unsigned char']], 'ActiveEngaged' : [ 0x21, ['unsigned char']], 'ThrottleLimit' : [ 0x22, ['unsigned char']], 'UpdatingToCurrent' : [ 0x23, ['unsigned char']], 'RemovalFlushEvent' : [ 0x24, ['pointer', ['_KEVENT']]], 'PnpFlushEvent' : [ 0x28, ['pointer', ['_KEVENT']]], 'Interface' : [ 0x2c, ['_THERMAL_COOLING_INTERFACE']], } ], '__unnamed_2942' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 
0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_2942']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_POP_POWER_SETTING_VALUES' : [ 0x140, { 'StructureSize' : [ 0x0, ['unsigned long']], 'PopPolicy' : [ 0x4, ['_SYSTEM_POWER_POLICY']], 'CurrentAcDcPowerState' : [ 0xec, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'AwayModeEnabled' : [ 0xf0, ['unsigned char']], 'AwayModeEngaged' : [ 0xf1, ['unsigned char']], 'AwayModePolicyAllowed' : [ 0xf2, ['unsigned char']], 'AwayModeIgnoreUserPresent' : [ 0xf4, ['long']], 'AwayModeIgnoreAction' : [ 0xf8, ['long']], 'DisableFastS4' : [ 0xfc, ['unsigned char']], 'DisableStandbyStates' : [ 0xfd, ['unsigned char']], 'UnattendSleepTimeout' : [ 0x100, ['unsigned long']], 'DiskIgnoreTime' : [ 0x104, ['unsigned long']], 'DeviceIdlePolicy' : [ 0x108, ['unsigned long']], 'VideoDimTimeout' : [ 0x10c, ['unsigned long']], 'VideoNormalBrightness' : [ 0x110, ['unsigned long']], 'VideoDimBrightness' : [ 0x114, ['unsigned long']], 'AlsOffset' : [ 0x118, ['unsigned long']], 'AlsEnabled' : [ 0x11c, ['unsigned long']], 'EsBrightness' : [ 0x120, ['unsigned long']], 'SwitchShutdownForced' : [ 0x124, ['unsigned char']], 'SystemCoolingPolicy' : [ 0x128, ['unsigned long']], 
'MediaBufferingEngaged' : [ 0x12c, ['unsigned char']], 'AudioActivity' : [ 0x12d, ['unsigned char']], 'FullscreenVideoPlayback' : [ 0x12e, ['unsigned char']], 'EsBatteryThreshold' : [ 0x130, ['unsigned long']], 'EsAggressive' : [ 0x134, ['unsigned char']], 'EsUserAwaySetting' : [ 0x135, ['unsigned char']], 'ConnectivityInStandby' : [ 0x138, ['unsigned long']], 'DisconnectedStandbyMode' : [ 0x13c, ['unsigned long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x8, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'TaggedPercent' : [ 0x5, ['array', 2, ['unsigned char']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_2955' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2955']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_MI_ZERO_COST_COUNTS' : [ 0x10, { 'NativeSum' : [ 0x0, ['unsigned long long']], 'CachedSum' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x50, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x28, ['_KDPC']], 'WorkOrder' : [ 0x48, ['pointer', ['_POP_FX_WORK_ORDER']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 
'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '__unnamed_296a' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_296a']], } ], '__unnamed_296e' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2972' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_2974' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_2976' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_2978' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_297a' : [ 0x10, { 'Length' : [ 0x0, 
['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_297c' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_297e' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2980' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2982' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2984' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_2986' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_296e']], 'Memory' : [ 0x0, ['__unnamed_296e']], 'Interrupt' : [ 0x0, ['__unnamed_2972']], 'Dma' : [ 0x0, ['__unnamed_2974']], 'DmaV3' : [ 0x0, ['__unnamed_2976']], 'Generic' : [ 0x0, ['__unnamed_296e']], 'DevicePrivate' : [ 0x0, ['__unnamed_2978']], 'BusNumber' : [ 0x0, ['__unnamed_297a']], 'ConfigData' : [ 0x0, ['__unnamed_297c']], 'Memory40' : [ 0x0, ['__unnamed_297e']], 'Memory48' : [ 0x0, ['__unnamed_2980']], 'Memory64' : [ 0x0, ['__unnamed_2982']], 'Connection' : [ 0x0, ['__unnamed_2984']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, 
['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_2986']], } ], '_HEAP_UNPACKED_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x28, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x1c, ['pointer', ['void']]], 'DvCallbacks' : [ 0x20, ['pointer', ['void']]], 'VerifierContext' : [ 0x24, ['pointer', ['void']]], } ], '_ETW_PROVIDER_TRAITS' : [ 0x14, { 'Node' : [ 0x0, ['_RTL_BALANCED_NODE']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'Traits' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_QUEUE_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x8, ['pointer', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0xc, ['pointer', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x10, ['pointer', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x14, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned short']], 'ReplyIndex' : [ 0x1a, ['unsigned short']], 'Flags' : [ 0x1c, ['unsigned long']], } ], '_MI_PARTITION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned long')]], 'PageListsInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StoreReservedPagesCharged' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PureHoldingPartition' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0x58, { 'Count' : [ 0x0, ['unsigned long']], 'Vectors' : [ 0x8, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_NON_PAGED_DEBUG_INFO' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Machine' : [ 0x8, ['unsigned short']], 'Characteristics' : [ 0xa, ['unsigned short']], 'TimeDateStamp' : [ 0xc, ['unsigned long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'SizeOfImage' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Gate' : [ 0x8, ['_KGATE']], 'Event' : [ 0x8, ['_KEVENT']], } ], '__unnamed_29aa' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_29aa']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['_MODWRITER_FLAGS']], 'StoreWriteRefCount' : [ 0x18, ['unsigned long']], 'StoreWriteCompletionApc' : [ 0x1c, ['_KAPC']], 'ByteCount' : [ 0x4c, ['unsigned long']], 'ChargedPages' : [ 0x50, ['unsigned long']], 'PagingFile' : [ 0x54, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x58, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x5c, ['pointer', 
['_CONTROL_AREA']]], 'FileResource' : [ 0x60, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x70, ['_LARGE_INTEGER']], 'Partition' : [ 0x78, ['pointer', ['_MI_PARTITION']]], 'PointerMdl' : [ 0x7c, ['pointer', ['_MDL']]], 'Mdl' : [ 0x80, ['_MDL']], 'Page' : [ 0x9c, ['array', 1, ['unsigned long']]], } ], '_NONOPAQUE_OPLOCK' : [ 0x50, { 'IrpExclusiveOplock' : [ 0x0, ['pointer', ['_IRP']]], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x8, ['pointer', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'WaiterPriority' : [ 0x10, ['unsigned char']], 'IrpOplocksR' : [ 0x14, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x1c, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x24, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x2c, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x34, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x3c, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x44, ['pointer', ['_GUID']]], 'OplockState' : [ 0x48, ['unsigned long']], 'FastMutex' : [ 0x4c, ['pointer', ['_FAST_MUTEX']]], } ], '__unnamed_29b3' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_29b4' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_29b3']], 'Merged' : [ 0x10, ['__unnamed_29b4']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '__unnamed_29b8' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_29ba' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_29bc' : [ 0xc, { 'Group' : [ 0x0, 
['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_29be' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_29bc']], 'Translated' : [ 0x0, ['__unnamed_29ba']], } ], '__unnamed_29c0' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_29c2' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_29c4' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_29c6' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_29c8' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_29ca' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_29cc' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_29ce' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_29b8']], 'Port' : [ 0x0, ['__unnamed_29b8']], 'Interrupt' : [ 0x0, ['__unnamed_29ba']], 'MessageInterrupt' : [ 0x0, ['__unnamed_29be']], 'Memory' : [ 0x0, ['__unnamed_29b8']], 'Dma' : [ 0x0, ['__unnamed_29c0']], 'DmaV3' : [ 0x0, ['__unnamed_29c2']], 'DevicePrivate' : [ 0x0, ['__unnamed_2978']], 'BusNumber' : [ 0x0, ['__unnamed_29c4']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_29c6']], 'Memory40' : [ 0x0, ['__unnamed_29c8']], 'Memory48' : [ 0x0, ['__unnamed_29ca']], 'Memory64' : [ 0x0, ['__unnamed_29cc']], 'Connection' : [ 0x0, ['__unnamed_2984']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 
'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_29ce']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_ETW_FILTER_EVENT_NAME_DATA' : [ 0x28, { 'FilterIn' : [ 0x0, ['unsigned char']], 'Level' : [ 0x1, ['unsigned char']], 'MatchAnyKeyword' : [ 0x8, ['unsigned long long']], 'MatchAllKeyword' : [ 0x10, ['unsigned long long']], 'NameTable' : [ 0x18, ['_RTL_HASH_TABLE']], } ], '_MI_VISIBLE_STATE' : [ 0x880, { 'SpecialPool' : [ 0x0, ['_MI_SPECIAL_POOL']], 'SessionWsList' : [ 0x40, ['_LIST_ENTRY']], 'SessionIdBitmap' : [ 0x48, ['pointer', ['_RTL_BITMAP']]], 'PagedPoolInfo' : [ 0x4c, ['_MM_PAGED_POOL_INFO']], 'MaximumNonPagedPoolInPages' : [ 0x68, ['unsigned long']], 'SizeOfPagedPoolInPages' : [ 0x6c, ['unsigned long']], 'SystemPteInfo' : [ 0x70, ['_MI_SYSTEM_PTE_TYPE']], 'NonPagedPoolCommit' : [ 0xa8, ['unsigned long']], 'SmallNonPagedPtesCommit' : [ 0xac, ['unsigned long']], 'BootCommit' : [ 0xb0, ['unsigned long']], 'MdlPagesAllocated' : [ 0xb4, ['unsigned long']], 'SystemPageTableCommit' : [ 0xb8, ['unsigned long']], 'SpecialPagesInUse' : [ 0xbc, ['unsigned long']], 'ProcessCommit' : [ 0xc0, ['unsigned long']], 'DriverCommit' : [ 0xc4, ['long']], 'PfnDatabaseCommit' : [ 0xc8, ['unsigned long']], 'SystemWs' : [ 0x100, ['array', 3, ['_MMSUPPORT_FULL']]], 'SystemCacheShared' : [ 0x2c0, ['_MMSUPPORT_SHARED']], 'MapCacheFailures' : [ 0x2e4, ['unsigned long']], 'PagefileHashPages' : [ 0x2e8, ['unsigned long']], 'PteHeader' : [ 0x2ec, ['_SYSPTES_HEADER']], 'SessionSpecialPool' : [ 0x378, ['pointer', ['_MI_SPECIAL_POOL']]], 
'SystemVaTypeCount' : [ 0x37c, ['array', 15, ['unsigned long']]], 'SystemVaType' : [ 0x3b8, ['array', 1024, ['unsigned char']]], 'SystemVaTypeCountFailures' : [ 0x7b8, ['array', 15, ['unsigned long']]], 'SystemVaTypeCountLimit' : [ 0x7f4, ['array', 15, ['unsigned long']]], 'SystemVaTypeCountPeak' : [ 0x830, ['array', 15, ['unsigned long']]], 'SystemAvailableVa' : [ 0x86c, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_CM_COMPONENT_HASH' : [ 0x4, { 'Hash' : [ 0x0, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Xcr0' : [ 0x3c, ['unsigned long long']], 'ExceptionList' : [ 0x44, ['unsigned long']], 'Reserved' : [ 0x48, ['array', 3, ['unsigned long']]], } ], '_RH_OP_CONTEXT' : [ 0x24, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x8, ['pointer', ['_IRP']]], 'OplockRequestFileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x10, ['pointer', 
['_EPROCESS']]], 'OplockOwnerThread' : [ 0x14, ['pointer', ['_ETHREAD']]], 'Flags' : [ 0x18, ['unsigned long']], 'AtomicLinks' : [ 0x1c, ['_LIST_ENTRY']], } ], '_MSUBSECTION' : [ 0x44, { 'Core' : [ 0x0, ['_SUBSECTION']], 'SubsectionNode' : [ 0x28, ['_RTL_BALANCED_NODE']], 'DereferenceList' : [ 0x34, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x3c, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x40, ['unsigned long']], } ], '_PROC_PERF_CHECK' : [ 0x118, { 'LastActive' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'LastStall' : [ 0x10, ['unsigned long long']], 'LastPerfCheckSnap' : [ 0x18, ['_PROC_PERF_CHECK_SNAP']], 'CurrentSnap' : [ 0x68, ['_PROC_PERF_CHECK_SNAP']], 'LastDeliveredSnap' : [ 0xb8, ['_PROC_PERF_CHECK_SNAP']], 'LastDeliveredPerformance' : [ 0x108, ['unsigned long']], 'LastDeliveredFrequency' : [ 0x10c, ['unsigned long']], 'TaggedThreadPercent' : [ 0x110, ['array', 2, ['unsigned char']]], 'Class0FloorPerfSelection' : [ 0x112, ['unsigned char']], 'Class1MinimumPerfSelection' : [ 0x113, ['unsigned char']], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'ModifiedStoreWrite' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x104, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, 
['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'Order' : [ 0x1c, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0xec, ['_LIST_ENTRY']], 'Status' : [ 0xf4, ['long']], 'FailedDevice' : [ 0xf8, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0xfc, ['unsigned char']], 'Cancelled' : [ 0xfd, ['unsigned char']], 'IgnoreErrors' : [ 0xfe, ['unsigned char']], 'IgnoreNotImplemented' : [ 0xff, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x100, ['unsigned char']], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x60, { 'FileName' : [ 0x0, ['pointer', ['wchar']]], 'BaseName' : [ 0x4, ['pointer', ['wchar']]], 'RegRootName' : [ 0x8, ['pointer', ['wchar']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], 'FilePath' : [ 0x58, ['_UNICODE_STRING']], } ], 
'_PO_DEVICE_NOTIFY_ORDER' : [ 0xd0, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_PPM_VETO_ENTRY' : [ 0x38, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'VetoReason' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'HitCount' : [ 0x10, ['unsigned long long']], 'LastActivationTime' : [ 0x18, ['unsigned long long']], 'TotalActiveTime' : [ 0x20, ['unsigned long long']], 'CsActivationTime' : [ 0x28, ['unsigned long long']], 'CsActiveTime' : [ 0x30, ['unsigned long long']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_BAD_MEMORY_EVENT_ENTRY' : [ 0x28, { 'BugCheckCode' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['long']], 'Data' : [ 0x8, ['unsigned long']], 'PhysicalAddress' : [ 0x10, ['_LARGE_INTEGER']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], '_KWAIT_CHAIN_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_TOKEN_PRIVILEGES' : [ 0x10, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Privileges' : [ 0x4, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 
'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned char']], 'LayerSemantics' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Spare1' : [ 0xd, ['BitField', dict(start_bit = 2, end_bit = 7, native_type='unsigned char')]], 'InheritClass' : [ 0xd, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0xe, ['unsigned short']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : 
[ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x14, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x4, ['_RTL_BITMAP']], 'HashTable' : [ 0xc, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x10, ['unsigned char']], } ], '_MMDEREFERENCE_SEGMENT_HEADER' : [ 0x1c, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'ListHead' : [ 0x14, ['_LIST_ENTRY']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_2a28' : [ 0x4, { 'ChannelsHotCold' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_MI_NODE_INFORMATION' : [ 0xb4, { 'LargePageFreeCount' : [ 0x0, ['array', 2, ['array', 2, ['unsigned long']]]], 'LargePages' : [ 0x10, ['array', 2, ['array', 2, ['array', 2, ['array', 1, ['_LIST_ENTRY']]]]]], 'LargePagesCount' : [ 0x50, ['array', 2, ['array', 2, ['array', 2, ['array', 1, ['unsigned long']]]]]], 'LargePageRebuildTimer' : [ 0x70, ['_MI_REBUILD_LARGE_PAGE_TIMER']], 'FreeCount' : [ 0x84, ['array', 2, ['unsigned long']]], 'TotalPages' : [ 0x8c, ['array', 1, ['unsigned long']]], 'TotalPagesEntireNode' : [ 0x90, ['unsigned long']], 'MmShiftedColor' : [ 0x94, ['unsigned long']], 'Color' : [ 0x98, ['unsigned long']], 'ChannelFreeCount' : [ 0x9c, ['array', 1, ['array', 2, ['unsigned long']]]], 'Flags' : [ 0xa4, ['__unnamed_2a28']], 'NodeLock' : [ 0xa8, ['_EX_PUSH_LOCK']], 'ChannelStatus' : [ 0xac, ['unsigned char']], 'ChannelOrdering' : [ 0xad, ['array', 1, ['unsigned char']]], 'LockedChannelOrdering' : [ 0xae, ['array', 1, ['unsigned char']]], 'PowerAttribute' : [ 0xaf, ['array', 1, ['unsigned char']]], 'LargePageLock' : [ 0xb0, ['unsigned 
long']], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_MI_HYPER_SPACE' : [ 0x2000, { 'VadBitmap' : [ 0x0, ['array', 6144, ['unsigned char']]], 'PaddingToPageBoundary' : [ 0x1800, ['array', 2048, ['unsigned char']]], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_TRIAGE_POP_FX_DEVICE' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'IrpData' : [ 0xc, ['pointer', ['_TRIAGE_POP_IRP_DATA']]], 'Status' : [ 0x10, ['long']], 'PowerReqCall' : [ 0x14, ['long']], 'PowerNotReqCall' : [ 0x18, ['long']], 'DeviceNode' : [ 0x1c, ['pointer', ['_TRIAGE_DEVICE_NODE']]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_PF_KERNEL_GLOBALS' : 
[ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '_MI_SYSTEM_NODE_INFORMATION' : [ 0xb0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'NonPagedPoolSListHeadNx' : [ 0x20, ['array', 3, ['_SLIST_HEADER']]], 'CachedKernelStacks' : [ 0x38, ['array', 2, ['_CACHED_KSTACK_LIST']]], 'NonPagedPoolLowestPage' : [ 0x68, ['unsigned long']], 'NonPagedPoolHighestPage' : [ 0x6c, ['unsigned long']], 'AllocatedNonPagedPool' : [ 0x70, ['unsigned long']], 'PartialLargePoolRegions' : [ 0x74, ['unsigned long']], 'PagesInPartialLargePoolRegions' : [ 0x78, ['unsigned long']], 'CachedNonPagedPoolCount' : [ 0x7c, ['unsigned long']], 'NonPagedPoolSpinLock' : [ 0x80, ['unsigned long']], 'CachedNonPagedPool' : [ 0x84, ['pointer', ['_MMPFN']]], 
'NonPagedPoolFirstVa' : [ 0x88, ['pointer', ['void']]], 'NonPagedPoolLastVa' : [ 0x8c, ['pointer', ['void']]], 'NonPagedBitMap' : [ 0x90, ['array', 3, ['_RTL_BITMAP']]], 'NonPagedHint' : [ 0xa8, ['array', 2, ['unsigned long']]], } ], '_MI_PAGE_COMBINING_SUPPORT' : [ 0xd8, { 'Partition' : [ 0x0, ['pointer', ['_MI_PARTITION']]], 'ArbitraryPfnMapList' : [ 0x4, ['_LIST_ENTRY']], 'FreeCombinePoolItem' : [ 0xc, ['_MI_COMBINE_WORKITEM']], 'CombiningThreadCount' : [ 0x20, ['unsigned long']], 'CombinePageFreeList' : [ 0x24, ['_LIST_ENTRY']], 'CombineFreeListLock' : [ 0x2c, ['unsigned long']], 'CombinePageListHeads' : [ 0x30, ['array', 16, ['_MI_COMBINE_PAGE_LISTHEAD']]], 'PageCombineStats' : [ 0xb0, ['_MI_PAGE_COMBINE_STATISTICS']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x38, { 'BadPageCount' : [ 0x0, ['unsigned long']], 'BadPagesDetected' : [ 0x4, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x8, ['long']], 'ScrubPasses' : [ 0xc, ['long']], 'ScrubBadPagesFound' : [ 0x10, ['long']], 'PageHashErrors' : [ 0x14, ['unsigned long']], 'FeatureBits' : [ 0x18, ['unsigned long long']], 'TimeZoneId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['_MI_FLAGS']], 'VsmConnection' : [ 0x28, ['pointer', ['void']]], 'ExceptionChainTerminator' : [ 0x2c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'ExceptionChainTerminatorRecord' : [ 0x30, ['_EXCEPTION_REGISTRATION_RECORD']], } ], '_MI_FORCED_COMMITS' : [ 0x8, { 'Regular' : [ 0x0, ['unsigned long']], 'Wrap' : [ 0x4, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x10, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0xc, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_PERF_CONTROL_STATE_SELECTION' : [ 0x28, { 'SelectedState' : [ 0x0, ['unsigned long long']], 'SelectedPercent' 
: [ 0x8, ['unsigned long']], 'SelectedFrequency' : [ 0xc, ['unsigned long']], 'MinPercent' : [ 0x10, ['unsigned long']], 'MaxPercent' : [ 0x14, ['unsigned long']], 'TolerancePercent' : [ 0x18, ['unsigned long']], 'EppPercent' : [ 0x1c, ['unsigned long']], 'AutonomousActivityWindow' : [ 0x20, ['unsigned long']], 'Autonomous' : [ 0x24, ['unsigned char']], 'InheritFromDomain' : [ 0x25, ['unsigned char']], } ], '_MI_REBUILD_LARGE_PAGE_TIMER' : [ 0x14, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'SecondsLeft' : [ 0x10, ['unsigned char']], 'RebuildActive' : [ 0x11, ['unsigned char']], 'NextPassDelta' : [ 0x12, ['unsigned char']], 'LargeSubPagesActive' : [ 0x13, ['unsigned char']], } ], '_MI_IO_PAGE_STATE' : [ 0x40, { 'IoPfnLock' : [ 0x0, ['unsigned long']], 'IoPfnRoot' : [ 0x4, ['array', 3, ['_RTL_AVL_TREE']]], 'UnusedCachedMaps' : [ 0x10, ['_LIST_ENTRY']], 'OldestCacheFlushTimeStamp' : [ 0x18, ['unsigned long']], 'IoCacheStats' : [ 0x1c, ['_MI_IO_CACHE_STATS']], 'InvariantIoSpace' : [ 0x3c, ['_RTL_AVL_TREE']], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_2a6b' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x18, { 'SessionProtoNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeList' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'DriverAddress' : [ 0x0, ['pointer', ['void']]], 'SessionId' : [ 0xc, ['unsigned long']], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'u2' : [ 0x14, ['__unnamed_2a6b']], } ], '_TOKEN_MANDATORY_POLICY' : [ 0x4, { 'Policy' : [ 0x0, ['unsigned long']], } ], '_MI_MODWRITE_DATA' : [ 0x30, { 'PagesLoad' : [ 0x0, ['long']], 'PagesAverage' : [ 0x4, ['unsigned long']], 'AverageAvailablePages' : [ 0x8, 
['unsigned long']], 'PagesWritten' : [ 0xc, ['unsigned long']], 'WritesIssued' : [ 0x10, ['unsigned long']], 'IgnoredReservationsCount' : [ 0x14, ['unsigned long']], 'FreedReservationsCount' : [ 0x18, ['unsigned long']], 'WriteBurstCount' : [ 0x1c, ['unsigned long']], 'IgnoreReservationsStartTime' : [ 0x20, ['unsigned long long']], 'ReservationClusterInfo' : [ 0x28, ['_MI_RESERVATION_CLUSTER_INFO']], 'IgnoreReservations' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'Spare1' : [ 0x2e, ['unsigned short']], } ], '_PROC_IDLE_POLICY' : [ 0x6, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], 'ForceLightIdle' : [ 0x5, ['unsigned char']], } ], '_MI_RESAVAIL_FAILURES' : [ 0x8, { 'Wrap' : [ 0x0, ['unsigned long']], 'NoCharge' : [ 0x4, ['unsigned long']], } ], '_ALPC_WORK_ON_BEHALF_TICKET' : [ 0x8, { 'ThreadId' : [ 0x0, ['unsigned long']], 'ThreadCreationTimeLow' : [ 0x4, ['unsigned long']], } ], '_PO_HIBER_PERF' : [ 0x1f8, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'HiberChecksumTicks' : [ 0x30, ['unsigned long long']], 'HiberChecksumIoTicks' : [ 0x38, ['unsigned long long']], 'TotalHibernateTime' : [ 0x40, ['_LARGE_INTEGER']], 'HibernateCompleteTimestamp' : [ 0x48, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x50, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x54, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x58, ['unsigned long']], 'ResumeAppTicks' : [ 0x60, ['unsigned long 
long']], 'ResumeAppStartTimestamp' : [ 0x68, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x70, ['unsigned long long']], 'ResumeInitTicks' : [ 0x78, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x80, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x88, ['unsigned long long']], 'ResumeIoTicks' : [ 0x90, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x98, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0xa0, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0xa8, ['unsigned long long']], 'ResumeMapTicks' : [ 0xb0, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xb8, ['unsigned long long']], 'ResumeChecksumTicks' : [ 0xc0, ['unsigned long long']], 'ResumeChecksumIoTicks' : [ 0xc8, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xd0, ['unsigned long long']], 'CyclesPerMs' : [ 0xd8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xe0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xe8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xf0, ['unsigned long long']], 'HalTscOffset' : [ 0xf8, ['unsigned long long']], 'HvlTscOffset' : [ 0x100, ['unsigned long long']], 'SleeperThreadEnd' : [ 0x108, ['unsigned long long']], 'PostCmosUpdateTimestamp' : [ 0x110, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0x118, ['unsigned long long']], 'IoBoundedness' : [ 0x120, ['unsigned long long']], 'KernelDecompressTicks' : [ 0x128, ['unsigned long long']], 'KernelIoTicks' : [ 0x130, ['unsigned long long']], 'KernelCopyTicks' : [ 0x138, ['unsigned long long']], 'ReadCheckCount' : [ 0x140, ['unsigned long long']], 'KernelInitTicks' : [ 0x148, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x150, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x158, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x160, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x168, ['unsigned long long']], 'KernelChecksumTicks' : [ 0x170, ['unsigned long long']], 'KernelChecksumIoTicks' 
: [ 0x178, ['unsigned long long']], 'AnimationStart' : [ 0x180, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x188, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x190, ['unsigned long']], 'SecurePagesProcessed' : [ 0x198, ['unsigned long long']], 'BootPagesProcessed' : [ 0x1a0, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x1a8, ['unsigned long long']], 'BootBytesWritten' : [ 0x1b0, ['unsigned long long']], 'KernelBytesWritten' : [ 0x1b8, ['unsigned long long']], 'BootPagesWritten' : [ 0x1c0, ['unsigned long long']], 'KernelPagesWritten' : [ 0x1c8, ['unsigned long long']], 'BytesWritten' : [ 0x1d0, ['unsigned long long']], 'PagesWritten' : [ 0x1d8, ['unsigned long']], 'FileRuns' : [ 0x1dc, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x1e0, ['unsigned long']], 'MaxHuffRatio' : [ 0x1e4, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x1e8, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1f0, ['unsigned long long']], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : 
[ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1e, { 'PerUserPolicy' : [ 0x0, ['array', 30, ['unsigned char']]], } ], '_MI_PROBE_RAISE_TRACKER' : [ 0x40, { 'UserRangeInKernel' : [ 0x0, ['unsigned long']], 'FaultFailed' : [ 0x4, ['unsigned 
long']], 'WriteFaultFailed' : [ 0x8, ['unsigned long']], 'LargePageFailed' : [ 0xc, ['unsigned long']], 'UserAccessToKernelPte' : [ 0x10, ['unsigned long']], 'BadPageLocation' : [ 0x14, ['unsigned long']], 'InsufficientCharge' : [ 0x18, ['unsigned long']], 'PageTableCharge' : [ 0x1c, ['unsigned long']], 'NoPhysicalMapping' : [ 0x20, ['unsigned long']], 'NoIoReference' : [ 0x24, ['unsigned long']], 'ProbeFailed' : [ 0x28, ['unsigned long']], 'PteIsZero' : [ 0x2c, ['unsigned long']], 'StrongCodeWrite' : [ 0x30, ['unsigned long']], 'ReducedCloneCommitChargeFailed' : [ 0x34, ['unsigned long']], 'CopyOnWriteAtDispatchNoPages' : [ 0x38, ['unsigned long']], 'EnclavePageFailed' : [ 0x3c, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '__unnamed_2a91' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2a93' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_2a96' : [ 0x8, { 'IntrInfo' : [ 0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_2a9a' : [ 0x4, { 'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x50, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned 
char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x14, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x20, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x30, ['__unnamed_2a91']], 'HvDeviceId' : [ 0x38, ['unsigned long long']], 'XapicMessage' : [ 0x40, ['__unnamed_2a93']], 'Hypertransport' : [ 0x40, ['__unnamed_2a96']], 'GenericMessage' : [ 0x40, ['__unnamed_2a93']], 'MessageRequest' : [ 0x40, ['__unnamed_2a9a']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['_CM_COMPONENT_HASH']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_LDR_DDAG_NODE' : [ 0x2c, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x8, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0xc, ['unsigned long']], 'LoadWhileUnloadingCount' : [ 0x10, ['unsigned long']], 'LowestLink' : [ 0x14, ['unsigned long']], 'Dependencies' : [ 0x18, ['_LDRP_CSLIST']], 'IncomingDependencies' : [ 0x1c, ['_LDRP_CSLIST']], 'State' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x28, ['unsigned long']], } ], '_DUMP_STACK_CONTEXT' : [ 0x100, { 'Init' : [ 0x0, 
['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xc0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xc8, ['pointer', ['void']]], 'StorageInfo' : [ 0xc8, ['pointer', ['void']]], 'UseStorageInfo' : [ 0xcc, ['unsigned char']], 'PointersLength' : [ 0xd0, ['unsigned long']], 'ModulePrefix' : [ 0xd4, ['pointer', ['wchar']]], 'DriverList' : [ 0xd8, ['_LIST_ENTRY']], 'InitMsg' : [ 0xe0, ['_STRING']], 'ProgMsg' : [ 0xe8, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0xf8, ['pointer', ['void']]], 'UsageType' : [ 0xfc, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_HAL_NODE_RANGE' : [ 0x8, { 'PageFrameIndex' : [ 0x0, ['unsigned long']], 'Node' : [ 0x4, ['unsigned long']], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '_MI_PAGEFILE_BITMAPS_CACHE_ENTRY' : [ 0x20, { 'LengthTreeNode' : [ 0x0, 
['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_LIST_ENTRY']], 'LocationTreeNode' : [ 0xc, ['_RTL_BALANCED_NODE']], 'StartingIndex' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], } ], '_MI_RESUME_WORKITEM' : [ 0x20, { 'ResumeCompleteEvent' : [ 0x0, ['_KEVENT']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '__unnamed_2abb' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_2abd' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2abf' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceId' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_2ac1' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_2ac3' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_2ac5' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_2ac7' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_2ac9' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2acb' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_2acd' : [ 0x20, { 
'DeviceClass' : [ 0x0, ['__unnamed_2abb']], 'TargetDevice' : [ 0x0, ['__unnamed_2abd']], 'InstallDevice' : [ 0x0, ['__unnamed_2abd']], 'CustomNotification' : [ 0x0, ['__unnamed_2abf']], 'ProfileNotification' : [ 0x0, ['__unnamed_2ac1']], 'PowerNotification' : [ 0x0, ['__unnamed_2ac3']], 'VetoNotification' : [ 0x0, ['__unnamed_2ac5']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_2ac7']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_2ac9']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_2acb']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_2abd']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_2abd']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x44, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_2acd']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], '_HVIEW_MAP_DIRECTORY' : [ 0x200, { 'Tables' : [ 0x0, ['array', 128, ['pointer', ['_HVIEW_MAP_TABLE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, 
native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], 'AllStacksInUse' : [ 0x14, ['unsigned long']], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_HAL_CHANNEL_MEMORY_RANGES' : [ 0xc, { 'PageFrameIndex' : [ 0x0, ['unsigned long']], 'MpnId' : [ 0x4, ['unsigned short']], 'Node' : [ 0x6, ['unsigned short']], 'Channel' : [ 0x8, ['unsigned short']], 'IsPowerManageable' : [ 0xa, ['unsigned char']], 'DeepPowerState' : [ 0xb, ['unsigned char']], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x88, { 'Prcb' : [ 0x0, ['pointer', ['_KPRCB']]], 'PerfContext' : [ 0x4, ['unsigned long']], 'PlatformCap' : [ 0x8, ['unsigned long']], 'ThermalCap' : [ 0xc, ['unsigned long']], 'LimitReasons' : [ 0x10, ['unsigned long']], 'PlatformCapStartTime' : [ 0x18, ['unsigned long long']], 'VirtualLittle' : [ 0x20, ['unsigned char']], 'ResolvedVirtualLittle' : [ 0x21, ['unsigned char']], 'LastVirtualTranstionTsc' : [ 0x28, ['unsigned long long']], 'VirtualTranstionHysteresis' : [ 0x30, ['unsigned long long']], 'ProcCap' : [ 0x38, ['unsigned long']], 'ProcFloor' : [ 0x3c, ['unsigned long']], 'TargetPercent' : [ 0x40, ['unsigned long']], 'Selection' : [ 0x48, 
['_PERF_CONTROL_STATE_SELECTION']], 'DomainSelectionGeneration' : [ 0x70, ['unsigned long']], 'PreviousFrequency' : [ 0x74, ['unsigned long']], 'PreviousPercent' : [ 0x78, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x7c, ['unsigned long']], 'Force' : [ 0x80, ['unsigned char']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3e8, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa8, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 
0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x18, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x8, { 'DeviceHandle' : [ 0x0, ['pointer', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x4, ['pointer', ['void']]], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x288, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' 
: [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x2a4, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, ['unsigned long']], 'PackageDependencyData' : [ 0x298, ['pointer', ['void']]], 'ProcessGroupId' : [ 0x29c, ['unsigned long']], 'LoaderThreads' : [ 0x2a0, ['unsigned long']], } ], 
'_MI_IO_CACHE_STATS' : [ 0x20, { 'UnusedBlocks' : [ 0x0, ['unsigned long']], 'ActiveCacheMatch' : [ 0x4, ['unsigned long']], 'ActiveCacheOverride' : [ 0x8, ['unsigned long']], 'UnmappedCacheFlush' : [ 0xc, ['unsigned long']], 'UnmappedCacheMatch' : [ 0x10, ['unsigned long']], 'UnmappedCacheConflict' : [ 0x14, ['unsigned long']], 'PermanentIoAttributeConflict' : [ 0x18, ['unsigned long']], 'PermanentIoNodeConflict' : [ 0x1c, ['unsigned long']], } ], '__unnamed_2b11' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2b13' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2b15' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2b11']], 'Gpt' : [ 0x0, ['__unnamed_2b13']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xc0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MarkMemoryOnly' : [ 0x45, ['unsigned char']], 'HiberResume' : [ 0x46, ['unsigned char']], 'Reserved1' : [ 0x47, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_2b15']], 'ReadRoutine' : [ 0x6c, ['pointer', ['void']]], 'GetDriveTelemetryRoutine' : [ 0x70, ['pointer', ['void']]], 
'LogSectionTruncateSize' : [ 0x74, ['unsigned long']], 'Parameters' : [ 0x78, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xb8, ['pointer', ['void']]], 'DumpNotifyRoutine' : [ 0xbc, ['pointer', ['void']]], } ], '_CM_FAST_LEAF_HINT' : [ 0x4, { 'Characters' : [ 0x0, ['array', 4, ['unsigned char']]], 'FullHint' : [ 0x0, ['unsigned long']], } ], '_THERMAL_COOLING_INTERFACE' : [ 0x1c, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'Flags' : [ 0x10, ['unsigned long']], 'ActiveCooling' : [ 0x14, ['pointer', ['void']]], 'PassiveCooling' : [ 0x18, ['pointer', ['void']]], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_POP_FX_PERF_INFO' : [ 0x60, { 'Component' : [ 0x0, ['pointer', ['_POP_FX_COMPONENT']]], 'CompletedEvent' : [ 0x4, ['_KEVENT']], 'ComponentPerfState' : [ 0x14, ['pointer', ['void']]], 'Flags' : [ 0x18, ['_POP_FX_PERF_FLAGS']], 'LastChange' : [ 0x1c, ['pointer', ['_PO_FX_PERF_STATE_CHANGE']]], 'LastChangeCount' : [ 0x20, ['unsigned long']], 'LastChangeStamp' : [ 0x28, ['unsigned long long']], 'LastChangeNominal' : [ 0x30, ['unsigned char']], 'PepRegistered' : [ 0x31, ['unsigned char']], 'QueryOnIdleStates' : [ 0x32, ['unsigned char']], 'RequestDriverContext' : [ 0x34, ['pointer', ['void']]], 'WorkOrder' : [ 0x38, ['_POP_FX_WORK_ORDER']], 'SetsCount' : [ 0x54, ['unsigned long']], 'Sets' : [ 0x58, ['pointer', ['_POP_FX_PERF_SET']]], } ], '_MMPAGE_FILE_EXPANSION_FLAGS' : [ 0x4, { 'PageFileNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 
'IgnoreCurrentCommit' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreaseMinimumSize' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare3' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x4, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 11, native_type='unsigned long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_TRIAGE_POP_IRP_DATA' : [ 0x10, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'Pdo' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_2b40' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_2b42' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_2b44' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_2b46' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_2b40']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_2b42']], 'Raw' : [ 0x0, ['__unnamed_2b44']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x28, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'Operation' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0x8, ['__unnamed_2b46']], 'Stack' : [ 0x10, ['array', 6, ['pointer', ['void']]]], } ], '_MI_COMBINE_PAGE_LISTHEAD' : [ 0x8, { 'Table' : [ 0x0, ['_RTL_AVL_TREE']], 'Lock' : [ 0x4, ['long']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x14, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer', 
['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x4, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0xc, ['_RTL_BITMAP']], 'EvictedBitmap' : [ 0xc, ['_RTL_BITMAP']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2b54' : [ 0x4, { 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2b56' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2b54']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2b59' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2b5b' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2b59']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, 
['__unnamed_2b56']], 'HighPart' : [ 0x4, ['__unnamed_2b5b']], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x70, { 'UncompressedData' : [ 0x0, ['pointer', ['unsigned char']]], 'MappingVa' : [ 0x4, ['pointer', ['void']]], 'XpressEncodeWorkspace' : [ 0x8, ['pointer', ['void']]], 'CompressedDataBuffer' : [ 0xc, ['pointer', ['unsigned char']]], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'CompressTicks' : [ 0x18, ['unsigned long long']], 'BytesCopied' : [ 0x20, ['unsigned long long']], 'PagesProcessed' : [ 0x28, ['unsigned long long']], 'DecompressTicks' : [ 0x30, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x38, ['unsigned long long']], 'SharedBufferTicks' : [ 0x40, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x48, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x68, ['unsigned long']], 'HuffCompressCount' : [ 0x6c, ['unsigned long']], } ], '_PROC_PERF_CHECK_SNAP' : [ 0x50, { 'Time' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned long long']], 'Stall' : [ 0x10, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x18, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledKernelActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], 'TaggedThreadCycles' : [ 0x40, ['array', 2, ['unsigned long long']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_HVIEW_MAP_PIN_LOG_ENTRY' : [ 0x30, { 'ViewOffset' : [ 0x0, ['unsigned long']], 'Pinned' : [ 0x4, 
['unsigned char']], 'PinMask' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer', ['_KTHREAD']]], 'Stack' : [ 0x14, ['array', 6, ['pointer', ['void']]]], } ], '_MI_COMBINE_WORKITEM' : [ 0x14, { 'NextEntry' : [ 0x0, ['pointer', ['void']]], 'WorkItem' : [ 0x4, ['_WORK_QUEUE_ITEM']], } ], '_PNP_RESOURCE_CONFLICT_TRACE_CONTEXT' : [ 0x10, { 'ResourceType' : [ 0x0, ['unsigned char']], 'AlternativeCount' : [ 0x4, ['unsigned long']], 'ResourceRequests' : [ 0x8, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ArbiterInstance' : [ 0xc, ['pointer', ['void']]], } ], '_MI_POOL_FAILURE_REASONS' : [ 0x2c, { 'NonPagedNoPtes' : [ 0x0, ['unsigned long']], 'PriorityTooLow' : [ 0x4, ['unsigned long']], 'NonPagedNoPagesAvailable' : [ 0x8, ['unsigned long']], 'PagedNoPtes' : [ 0xc, ['unsigned long']], 'SessionPagedNoPtes' : [ 0x10, ['unsigned long']], 'PagedNoPagesAvailable' : [ 0x14, ['unsigned long']], 'SessionPagedNoPagesAvailable' : [ 0x18, ['unsigned long']], 'PagedNoCommit' : [ 0x1c, ['unsigned long']], 'SessionPagedNoCommit' : [ 0x20, ['unsigned long']], 'NonPagedNoResidentAvailable' : [ 0x24, ['unsigned long']], 'NonPagedNoCommit' : [ 0x28, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_MI_PAGE_COMBINE_STATISTICS' : [ 0x28, { 'PagesScannedActive' : [ 0x0, ['unsigned long long']], 'PagesScannedStandby' : [ 0x8, ['unsigned long long']], 'PagesCombined' : [ 0x10, ['unsigned long long']], 'CombineScanCount' : [ 0x18, ['unsigned long']], 'CombinedBlocksInUse' : [ 0x1c, ['long']], 'SumCombinedBlocksReferenceCount' : [ 0x20, ['long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' 
: [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_HVIEW_MAP_TABLE' : [ 0x600, { 'Entries' : [ 0x0, ['array', 64, ['_HVIEW_MAP_ENTRY']]], } ], '_LDRP_CSLIST' : [ 0x4, { 'Tail' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MI_RESERVATION_CLUSTER_INFO' : [ 0x4, { 'ClusterSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'EntireInfo' : [ 0x0, ['long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_MI_FLAGS' : [ 0x4, { 'EntireFlags' : [ 0x0, ['long']], 'VerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'KernelVerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LargePageKernel' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StopOn4d' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'InitializationPhase' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'PageKernelStacks' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CheckZeroPages' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ProcessorPrewalks' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ProcessorPostwalks' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'CoverageBuild' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AccessBitReplacementDisabled' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned 
long')]], 'CheckExecute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ProtectedPagesEnabled' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SecureRelocations' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'StrongPageIdentity' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'StrongCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'HardCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ExecutePagePrivilegeRequired' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'SecureKernelCfgEnabled' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'FullHvci' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SlatKernelCodeProtected' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'BootDebuggerActive' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 
'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeFilteredPrivateLogger', 12: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_FS_FILTER_CALLBACKS' : [ 0x40, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], 'PreQueryOpen' : [ 0x38, ['pointer', ['void']]], 'PostQueryOpen' : [ 0x3c, ['pointer', ['void']]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 
'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_POP_FX_PERF_SET' : [ 0x20, { 'PerfSet' : [ 0x0, ['pointer', ['_PO_FX_COMPONENT_PERF_SET']]], 'CurrentPerf' : [ 0x8, ['unsigned long long']], 'CurrentPerfStamp' : [ 0x10, ['unsigned long long']], 'CurrentPerfNominal' : [ 0x18, ['unsigned char']], } ], '_PO_FX_PERF_STATE_CHANGE' : [ 0x10, { 'Set' : [ 0x0, ['unsigned long']], 'StateIndex' : [ 0x8, ['unsigned long']], 'StateValue' : [ 0x8, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x4, ['unsigned long']], } ], '_HVIEW_MAP_ENTRY' : [ 0x18, { 'ViewStart' : [ 0x0, ['pointer', ['void']]], 'IsPinned' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Bcb' : [ 0x4, ['pointer', ['void']]], 'PinnedPages' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '__unnamed_2bb3' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x4, ['pointer', ['_PO_FX_PERF_STATE']]], } ], '__unnamed_2bb5' : [ 0x10, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], } ], '_PO_FX_COMPONENT_PERF_SET' : [ 0x28, { 'Name' : [ 0x0, ['_UNICODE_STRING']], 'Flags' : [ 0x8, ['unsigned long long']], 'Unit' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 
'PoFxPerfStateUnitOther', 1: 'PoFxPerfStateUnitFrequency', 2: 'PoFxPerfStateUnitBandwidth', 3: 'PoFxPerfStateUnitMaximum'})]], 'Type' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateTypeDiscrete', 1: 'PoFxPerfStateTypeRange', 2: 'PoFxPerfStateTypeMaximum'})]], 'Discrete' : [ 0x18, ['__unnamed_2bb3']], 'Range' : [ 0x18, ['__unnamed_2bb5']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '__unnamed_2bbb' : [ 0xc, { 'MessageAddressHigh' : [ 0x0, ['unsigned long']], 'MessageAddressLow' : [ 0x4, ['unsigned long']], 'MessageData' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['unsigned short']], } ], '__unnamed_2bbd' : [ 0xc, { 'Msi' : [ 0x0, ['__unnamed_2bbb']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, ['__unnamed_2bbd']], } ], '_PO_FX_PERF_STATE' : [ 0x10, { 'Value' : [ 0x0, ['unsigned long long']], 'Context' : [ 0x8, ['pointer', ['void']]], } ], '__unnamed_2bc3' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_2bc5' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_2bcb' : [ 0xc, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], 'OutputInformation' : [ 0x8, ['pointer', ['_FS_FILTER_SECTION_SYNC_OUTPUT']]], } ], '__unnamed_2bcf' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, 
['unsigned char']], } ], '__unnamed_2bd1' : [ 0x10, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'FileInformation' : [ 0x4, ['pointer', ['void']]], 'Length' : [ 0x8, ['pointer', ['unsigned long']]], 'FileInformationClass' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 
'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileDesiredStorageClassInformation', 68: 'FileStatInformation', 69: 'FileMaximumInformation'})]], } ], '__unnamed_2bd3' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_2bc3']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2bc5']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2bcb']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2bcf']], 'QueryOpen' : [ 0x0, ['__unnamed_2bd1']], 'Others' : [ 0x0, ['__unnamed_2bd3']], } ], '_FS_FILTER_SECTION_SYNC_OUTPUT' : [ 0x10, { 'StructureSize' : [ 0x0, ['unsigned long']], 'SizeReturned' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DesiredReadAlignment' : [ 0xc, ['unsigned long']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8_sp1_x86_vtypes.py0000644000000000000000000220747413131215405030535 0ustar rootrootntkrpamp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, 
['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'Reserved2' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, 
native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'Reserved12' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : 
[ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrement32' : [ 0x368, ['unsigned long']], 'QpcInterruptTimeIncrement32' : [ 0x36c, ['unsigned long']], 'QpcSystemTimeIncrementShift' : [ 0x370, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x371, ['unsigned char']], 'Reserved8' : [ 0x372, ['array', 14, ['unsigned char']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_107c' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_107c']], 'QuadPart' : [ 0x0, ['unsigned 
long long']], } ], '__unnamed_1080' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1080']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_109b' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109d' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_109b']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_109d']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TEB' : [ 0xfe8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, 
['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', 
['void']]], 'PerflibData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit 
= 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['pointer', ['void']]], 'ReservedForWdf' : [ 0xfe4, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0xc, { 'Parent' : [ 0x0, ['pointer', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x8, 
['pointer', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 
0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_BALANCED_NODE' : [ 0xc, { 'Children' : [ 0x0, ['array', 2, ['pointer', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x8, ['unsigned long']], } ], '_RTL_RB_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_RTL_AVL_TREE' : [ 0x4, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x4730, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'MxCsr' : [ 0x8, ['unsigned long']], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 
'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x4610, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : [ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'ParentNode' : [ 0x338, ['pointer', ['_KNODE']]], 'PriorityState' : [ 0x33c, ['pointer', ['unsigned char']]], 'KernelReserved' : [ 0x340, ['array', 14, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'CpuVendor' : [ 0x3be, ['unsigned char']], 'PrcbPad0' : [ 0x3bf, ['array', 1, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'GroupIndex' : [ 0x3c4, ['unsigned char']], 
'Group' : [ 0x3c5, ['unsigned char']], 'PrcbPad05' : [ 0x3c6, ['array', 2, ['unsigned char']]], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, ['unsigned long']], 'ClockOwner' : [ 0x3d0, ['unsigned char']], 'PendingTickFlags' : [ 0x3d1, ['unsigned char']], 'PendingTick' : [ 0x3d1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x3d1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'PrcbPad10' : [ 0x3d2, ['array', 70, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'InterruptCount' : [ 0x4a0, ['unsigned long']], 'KernelTime' : [ 0x4a4, ['unsigned long']], 'UserTime' : [ 0x4a8, ['unsigned long']], 'DpcTime' : [ 0x4ac, ['unsigned long']], 'DpcTimeCount' : [ 0x4b0, ['unsigned long']], 'InterruptTime' : [ 0x4b4, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4b8, ['unsigned long']], 'PageColor' : [ 0x4bc, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c0, ['unsigned char']], 'NodeColor' : [ 0x4c1, ['unsigned char']], 'PrcbPad20' : [ 0x4c2, ['array', 6, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'SecondaryColorMask' : [ 0x4cc, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d0, ['unsigned long']], 'PrcbPad21' : [ 0x4d4, ['array', 3, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' : [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' 
: [ 0x520, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, ['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, ['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : [ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x570, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, ['unsigned long']]], 'PPLookasideList' : [ 0x5a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1820, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2120, ['unsigned long']], 'ReverseStall' : [ 0x2124, ['long']], 'IpiFrame' : [ 0x2128, ['pointer', 
['void']]], 'PrcbPad3' : [ 0x212c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x2160, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x216c, ['unsigned long']], 'WorkerRoutine' : [ 0x2170, ['pointer', ['void']]], 'IpiFrozen' : [ 0x2174, ['unsigned long']], 'PrcbPad4' : [ 0x2178, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x21a0, ['unsigned long']], 'SignalDone' : [ 0x21a4, ['pointer', ['_KPRCB']]], 'PrcbPad50' : [ 0x21a8, ['array', 40, ['unsigned char']]], 'InterruptLastCount' : [ 0x21d0, ['unsigned long']], 'InterruptRate' : [ 0x21d4, ['unsigned long']], 'DeviceInterrupts' : [ 0x21d8, ['unsigned long']], 'IsrDpcStats' : [ 0x21dc, ['pointer', ['void']]], 'DpcData' : [ 0x21e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2210, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2214, ['long']], 'DpcRequestRate' : [ 0x2218, ['unsigned long']], 'MinimumDpcRate' : [ 0x221c, ['unsigned long']], 'DpcLastCount' : [ 0x2220, ['unsigned long']], 'PrcbLock' : [ 0x2224, ['unsigned long']], 'DpcGate' : [ 0x2228, ['_KGATE']], 'ThreadDpcEnable' : [ 0x2238, ['unsigned char']], 'QuantumEnd' : [ 0x2239, ['unsigned char']], 'DpcRoutineActive' : [ 0x223a, ['unsigned char']], 'IdleSchedule' : [ 0x223b, ['unsigned char']], 'DpcRequestSummary' : [ 0x223c, ['long']], 'DpcRequestSlot' : [ 0x223c, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x223c, ['short']], 'ThreadDpcState' : [ 0x223e, ['short']], 'DpcNormalProcessingActive' : [ 0x223c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x223c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x223c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x223c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x223c, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x223c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x223c, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x223c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x223c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x223c, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2240, ['unsigned long']], 'LastTick' : [ 0x2244, ['unsigned long']], 'PeriodicCount' : [ 0x2248, ['unsigned long']], 'PeriodicBias' : [ 0x224c, ['unsigned long']], 'ClockInterrupts' : [ 0x2250, ['unsigned long']], 'ReadyScanTick' : [ 0x2254, ['unsigned long']], 'GroupSchedulingOverQuota' : [ 0x2258, ['unsigned char']], 'PrcbPad41' : [ 0x2259, ['array', 3, ['unsigned char']]], 'TimerTable' : [ 0x2260, ['_KTIMER_TABLE']], 'CallDpc' : [ 0x3aa0, ['_KDPC']], 'ClockKeepAlive' : [ 0x3ac0, ['long']], 'PrcbPad6' : [ 0x3ac4, ['array', 4, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x3ac8, ['long']], 'DpcWatchdogCount' : [ 0x3acc, ['long']], 'KeSpinLockOrdering' : [ 0x3ad0, ['long']], 'PrcbPad70' : [ 0x3ad4, ['array', 1, ['unsigned long']]], 'QueueIndex' : [ 0x3ad8, ['unsigned long']], 'DeferredReadyListHead' : [ 0x3adc, ['_SINGLE_LIST_ENTRY']], 'ReadySummary' : [ 0x3ae0, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x3ae4, ['long']], 'WaitLock' : [ 0x3ae8, ['unsigned long']], 'WaitListHead' : [ 0x3aec, ['_LIST_ENTRY']], 'ScbOffset' : [ 0x3af4, ['unsigned long']], 'StartCycles' : [ 0x3af8, ['unsigned long long']], 'GenerationTarget' : [ 0x3b00, ['unsigned long long']], 'CycleTime' : [ 0x3b08, ['unsigned long long']], 'AffinitizedCycles' : [ 0x3b10, ['unsigned long long']], 'HighCycleTime' : [ 0x3b18, ['unsigned long']], 'PrcbPad71' : [ 0x3b1c, ['unsigned long']], 
'DispatcherReadyListHead' : [ 0x3b20, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3c20, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3c24, ['long']], 'ScbQueue' : [ 0x3c28, ['_RTL_RB_TREE']], 'ScbList' : [ 0x3c30, ['_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x3c38, ['long']], 'MmCopyOnWriteCount' : [ 0x3c3c, ['long']], 'MmTransitionCount' : [ 0x3c40, ['long']], 'MmCacheTransitionCount' : [ 0x3c44, ['long']], 'MmDemandZeroCount' : [ 0x3c48, ['long']], 'MmPageReadCount' : [ 0x3c4c, ['long']], 'MmPageReadIoCount' : [ 0x3c50, ['long']], 'MmCacheReadCount' : [ 0x3c54, ['long']], 'MmCacheIoCount' : [ 0x3c58, ['long']], 'MmDirtyPagesWriteCount' : [ 0x3c5c, ['long']], 'MmDirtyWriteIoCount' : [ 0x3c60, ['long']], 'MmMappedPagesWriteCount' : [ 0x3c64, ['long']], 'MmMappedWriteIoCount' : [ 0x3c68, ['long']], 'CachedCommit' : [ 0x3c6c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3c70, ['unsigned long']], 'HyperPte' : [ 0x3c74, ['pointer', ['void']]], 'PrcbPad8' : [ 0x3c78, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x3c7c, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x3c89, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x3c8a, ['unsigned char']], 'PrcbPad9' : [ 0x3c8b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x3c90, ['unsigned long']], 'UpdateSignature' : [ 0x3c98, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3ca0, ['unsigned long long']], 'PrcbPad90' : [ 0x3ca8, ['array', 2, ['unsigned long']]], 'PowerState' : [ 0x3cb0, ['_PROCESSOR_POWER_STATE']], 'PrcbPad91' : [ 0x3e40, ['array', 13, ['unsigned long']]], 'DpcWatchdogDpc' : [ 0x3e74, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3e98, ['_KTIMER']], 'HypercallPageList' : [ 0x3ec0, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x3ec8, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x3ecc, ['pointer', ['void']]], 'StatisticsPage' : [ 0x3ed0, ['pointer', ['unsigned long long']]], 'Cache' : [ 0x3ed4, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3f10, 
['unsigned long']], 'PackageProcessorSet' : [ 0x3f14, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x3f20, ['unsigned long']], 'SharedReadyQueue' : [ 0x3f24, ['pointer', ['_KSHARED_READY_QUEUE']]], 'CoreProcessorSet' : [ 0x3f28, ['unsigned long']], 'ScanSiblingMask' : [ 0x3f2c, ['unsigned long']], 'LLCMask' : [ 0x3f30, ['unsigned long']], 'CacheProcessorMask' : [ 0x3f34, ['array', 5, ['unsigned long']]], 'ScanSiblingIndex' : [ 0x3f48, ['unsigned long']], 'WheaInfo' : [ 0x3f4c, ['pointer', ['void']]], 'EtwSupport' : [ 0x3f50, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x3f58, ['_SLIST_HEADER']], 'SharedReadyQueueOffset' : [ 0x3f60, ['unsigned long']], 'PrcbPad92' : [ 0x3f64, ['array', 2, ['unsigned long']]], 'PteBitCache' : [ 0x3f6c, ['unsigned long']], 'PteBitOffset' : [ 0x3f70, ['unsigned long']], 'PrcbPad93' : [ 0x3f74, ['unsigned long']], 'ProcessorProfileControlArea' : [ 0x3f78, ['pointer', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x3f7c, ['pointer', ['void']]], 'TimerExpirationDpc' : [ 0x3f80, ['_KDPC']], 'SynchCounters' : [ 0x3fa0, ['_SYNCH_COUNTERS']], 'FsCounters' : [ 0x4058, ['_FILESYSTEM_DISK_COUNTERS']], 'Context' : [ 0x4068, ['pointer', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x406c, ['unsigned long']], 'ExtendedState' : [ 0x4070, ['pointer', ['_XSAVE_AREA']]], 'EntropyTimingState' : [ 0x4074, ['_KENTROPY_TIMING_STATE']], 'IsrStack' : [ 0x419c, ['pointer', ['void']]], 'VectorToInterruptObject' : [ 0x41a0, ['array', 208, ['pointer', ['_KINTERRUPT']]]], 'AbSelfIoBoostsList' : [ 0x44e0, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x44e4, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x44e8, ['_KDPC']], 'TimerExpirationTrace' : [ 0x4508, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : [ 0x4608, ['unsigned long']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 
'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'Reserved' : [ 0x14, ['array', 3, ['pointer', ['void']]]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_KTHREAD' : [ 0x338, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x10, ['pointer', ['void']]], 'QuantumTarget' : [ 0x18, ['unsigned long long']], 'InitialStack' : [ 0x20, ['pointer', ['void']]], 'StackLimit' : [ 0x24, ['pointer', ['void']]], 'StackBase' : [ 0x28, ['pointer', ['void']]], 'ThreadLock' : [ 0x2c, ['unsigned long']], 'CycleTime' : [ 0x30, ['unsigned long long']], 'HighCycleTime' : [ 0x38, ['unsigned long']], 'ServiceTable' : [ 0x3c, ['pointer', ['void']]], 'CurrentRunTime' : [ 0x40, ['unsigned long']], 'ExpectedRunTime' : [ 0x44, ['unsigned long']], 'KernelStack' : [ 0x48, ['pointer', ['void']]], 'StateSaveArea' : [ 0x4c, ['pointer', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x50, ['pointer', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x54, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x55, ['unsigned char']], 'Alerted' : [ 0x56, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x58, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x58, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x58, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x58, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x58, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x58, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x58, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'TimerActive' : [ 0x58, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SystemThread' : [ 0x58, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x58, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'CalloutActive' : [ 0x58, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x58, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ApcQueueable' : [ 0x58, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x58, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x58, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ApcPendingReload' : [ 0x58, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 
0x58, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x58, ['long']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UserAffinitySet' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x5c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x5c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x5c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x5c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x5c, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x5c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x5c, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ReservedFlags' : [ 0x5c, 
['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x5c, ['long']], 'Spare0' : [ 0x60, ['unsigned long']], 'SystemCallNumber' : [ 0x64, ['unsigned long']], 'FirstArgument' : [ 0x68, ['pointer', ['void']]], 'TrapFrame' : [ 0x6c, ['pointer', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x70, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x70, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x87, ['unsigned char']], 'UserIdealProcessor' : [ 0x88, ['unsigned long']], 'ContextSwitches' : [ 0x8c, ['unsigned long']], 'State' : [ 0x90, ['unsigned char']], 'NpxState' : [ 0x91, ['unsigned char']], 'WaitIrql' : [ 0x92, ['unsigned char']], 'WaitMode' : [ 0x93, ['unsigned char']], 'WaitStatus' : [ 0x94, ['long']], 'WaitBlockList' : [ 0x98, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x9c, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x9c, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa4, ['pointer', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xa8, ['pointer', ['void']]], 'RelativeTimerBias' : [ 0xb0, ['unsigned long long']], 'Timer' : [ 0xb8, ['_KTIMER']], 'WaitBlock' : [ 0xe0, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill8' : [ 0xe0, ['array', 20, ['unsigned char']]], 'ThreadCounters' : [ 0xf4, ['pointer', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0xe0, ['array', 44, ['unsigned char']]], 'XStateSave' : [ 0x10c, ['pointer', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0xe0, ['array', 68, ['unsigned char']]], 'Win32Thread' : [ 0x124, ['pointer', ['void']]], 'WaitBlockFill11' : [ 0xe0, ['array', 88, ['unsigned char']]], 'WaitTime' : [ 0x138, ['unsigned long']], 'KernelApcDisable' : [ 0x13c, ['short']], 'SpecialApcDisable' : [ 0x13e, ['short']], 'CombinedApcDisable' : [ 0x13c, ['unsigned long']], 'QueueListEntry' : [ 0x140, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x148, ['unsigned long']], 'NextProcessorNumber' : [ 0x148, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x148, ['BitField', dict(start_bit = 31, 
end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x14c, ['long']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'UserAffinity' : [ 0x154, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x154, ['array', 6, ['unsigned char']]], 'PreviousMode' : [ 0x15a, ['unsigned char']], 'BasePriority' : [ 0x15b, ['unsigned char']], 'PriorityDecrement' : [ 0x15c, ['unsigned char']], 'ForegroundBoost' : [ 0x15c, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x15c, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x15d, ['unsigned char']], 'AdjustReason' : [ 0x15e, ['unsigned char']], 'AdjustIncrement' : [ 0x15f, ['unsigned char']], 'Affinity' : [ 0x160, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x160, ['array', 6, ['unsigned char']]], 'ApcStateIndex' : [ 0x166, ['unsigned char']], 'WaitBlockCount' : [ 0x167, ['unsigned char']], 'IdealProcessor' : [ 0x168, ['unsigned long']], 'ApcStatePointer' : [ 0x16c, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x174, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x174, ['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x18b, ['unsigned char']], 'SuspendCount' : [ 0x18c, ['unsigned char']], 'Saturation' : [ 0x18d, ['unsigned char']], 'SListFaultCount' : [ 0x18e, ['unsigned short']], 'SchedulerApc' : [ 0x190, ['_KAPC']], 'SchedulerApcFill0' : [ 0x190, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x191, ['unsigned char']], 'SchedulerApcFill1' : [ 0x190, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x193, ['unsigned char']], 'SchedulerApcFill2' : [ 0x190, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x194, ['unsigned long']], 'SchedulerApcFill3' : [ 0x190, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b4, ['pointer', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x190, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1b8, ['pointer', ['void']]], 'SchedulerApcFill5' : [ 0x190, ['array', 47, 
['unsigned char']]], 'CallbackNestingLevel' : [ 0x1bf, ['unsigned char']], 'UserTime' : [ 0x1c0, ['unsigned long']], 'SuspendEvent' : [ 0x1c4, ['_KEVENT']], 'ThreadListEntry' : [ 0x1d4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1dc, ['_LIST_ENTRY']], 'LockEntriesFreeList' : [ 0x1e4, ['_SINGLE_LIST_ENTRY']], 'LockEntries' : [ 0x1e8, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x308, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x30c, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x310, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x320, ['unsigned long']], 'AbCompletedIoBoostCount' : [ 0x324, ['long']], 'AbReferenceCount' : [ 0x328, ['short']], 'AbFreeEntryCount' : [ 0x32a, ['unsigned char']], 'AbWaitEntryCount' : [ 0x32b, ['unsigned char']], 'ForegroundLossTime' : [ 0x32c, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x330, ['_LIST_ENTRY']], 'ForegroundDpcStackListEntry' : [ 0x330, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x334, ['unsigned long']], } ], '_KSTACK_CONTROL' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long']], 'ActualLimit' : [ 0x4, ['unsigned long']], 'StackExpansion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousTrapFrame' : [ 0x8, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0xc, ['pointer', ['void']]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'CpuId' 
: [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer', ['void']]], 'DeleteContext' : [ 0xc, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 
'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0xc0, { 'DeepIdleSet' : [ 0x0, ['unsigned long']], 'SharedReadyQueueLeaders' : [ 0x4, ['unsigned long']], 'ProximityId' : [ 0x40, ['unsigned long']], 'NodeNumber' : [ 0x44, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x46, ['unsigned short']], 'MaximumProcessors' : [ 0x48, ['unsigned char']], 'Flags' : [ 0x49, ['_flags']], 'Stride' : [ 0x4a, ['unsigned char']], 'LowIndex' : [ 0x4b, ['unsigned char']], 'Affinity' : [ 0x4c, ['_GROUP_AFFINITY']], 'IdleCpuSet' : [ 0x58, ['unsigned long']], 'IdleSmtSet' : [ 0x5c, ['unsigned long']], 'NonParkedSet' : [ 0x80, ['unsigned long']], 'Seed' : [ 0x84, ['unsigned 
long']], 'Lowest' : [ 0x88, ['unsigned long']], 'Highest' : [ 0x8c, ['unsigned long']], 'ParkLock' : [ 0x90, ['long']], } ], '_ENODE' : [ 0x500, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueue' : [ 0xc0, ['array', 2, ['_EX_WORK_QUEUE']]], 'ExpThreadSetManagerEvent' : [ 0x418, ['_KEVENT']], 'ExpBalancerExitEvent' : [ 0x428, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x438, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x460, ['_KEVENT']], 'WaitBlocks' : [ 0x470, ['array', 4, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x4d0, ['pointer', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x4d4, ['unsigned long']], 'ExWorkerFullInit' : [ 0x4d8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x4d8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x4d8, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x5c, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long']], 'QuotaProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'StrictFIFO' : [ 0x1c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x1c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x1c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x1c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x20, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x24, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x28, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x28, ['array', 20, ['unsigned char']]], 'DebugInfo' : [ 0x3c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned 
long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'VolatileLowValue' : [ 0x0, ['long']], 'LowValue' : [ 0x0, ['long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'HighValue' : [ 0x4, ['long']], 'NextFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x4, ['_EXHANDLE']], 'GrantedAccessBits' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'ProtectFromClose' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'RefCnt' : [ 0x4, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '__unnamed_12fc' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 
0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_12fc']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc4, { 'PrivilegesUsed' : [ 0x0, ['pointer', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xc0, ['unsigned char']], } ], '_ETHREAD' : [ 0x418, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x338, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x340, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x340, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x348, ['pointer', ['void']]], 'PostBlockList' : [ 0x34c, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x34c, ['pointer', ['void']]], 'StartAddress' : [ 0x350, ['pointer', ['void']]], 'TerminationPort' : [ 0x354, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x354, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x354, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x358, ['unsigned long']], 'ActiveTimerListHead' : [ 0x35c, ['_LIST_ENTRY']], 'Cid' : [ 0x364, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x36c, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x36c, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x380, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x384, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x38c, ['unsigned long']], 'DeviceToVerify' : [ 0x390, ['pointer', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x394, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x398, ['pointer', 
['void']]], 'ThreadListEntry' : [ 0x39c, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x3a4, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x3a8, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x3ac, ['unsigned long']], 'MmLockOrdering' : [ 0x3b0, ['long']], 'CmLockOrdering' : [ 0x3b4, ['long']], 'CrossThreadFlags' : [ 0x3b8, ['unsigned long']], 'Terminated' : [ 0x3b8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x3b8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x3b8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x3b8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x3b8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x3b8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x3b8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x3b8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x3b8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x3b8, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x3b8, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x3b8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x3b8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x3b8, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x3bc, ['unsigned long']], 'ActiveExWorker' : [ 0x3bc, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'MemoryMaker' : [ 0x3bc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ClonedThread' : [ 0x3bc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x3bc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SelfTerminate' : [ 0x3bc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x3c0, ['unsigned long']], 'HardFaultBehavior' : [ 0x3c0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x3c0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x3c0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x3c0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x3c0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x3c0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x3c0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x3c0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x3c1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x3c1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x3c1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x3c1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x3c1, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x3c1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x3c1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x3c1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x3c2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x3c2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x3c2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x3c2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x3c2, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare2' : [ 0x3c2, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x3c3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x3c3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'Spare3' : [ 0x3c3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x3c4, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x3c5, ['unsigned char']], 'ActiveFaultCount' : [ 0x3c6, ['unsigned char']], 'LockOrderState' : [ 0x3c7, ['unsigned char']], 'AlpcMessageId' : [ 0x3c8, ['unsigned long']], 'AlpcMessage' : [ 0x3cc, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x3cc, ['unsigned long']], 'ExitStatus' : [ 0x3d0, ['long']], 'AlpcWaitListEntry' : [ 0x3d4, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x3dc, ['unsigned long']], 'IoBoostCount' : [ 0x3e0, ['unsigned long']], 'BoostList' : [ 0x3e4, ['_LIST_ENTRY']], 'DeboostList' : 
[ 0x3ec, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x3f4, ['unsigned long']], 'IrpListLock' : [ 0x3f8, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x3fc, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x400, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x404, ['pointer', ['_GUID']]], 'SeLearningModeListHead' : [ 0x408, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x40c, ['pointer', ['void']]], 'KernelStackReference' : [ 0x410, ['unsigned long']], 'AdjustedClientToken' : [ 0x414, ['pointer', ['void']]], } ], '_EPROCESS' : [ 0x2f8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xa0, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xa8, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xb0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'Flags2' : [ 0xc0, ['unsigned long']], 'JobNotReallyActive' : [ 0xc0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0xc0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0xc0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0xc0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0xc0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0xc0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0xc0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0xc0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0xc0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0xc0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0xc0, ['BitField', dict(start_bit = 10, 
end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0xc0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0xc0, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0xc0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0xc0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0xc0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0xc0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0xc0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0xc0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0xc0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0xc0, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0xc0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0xc0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0xc0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0xc0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0xc0, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0xc0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0xc0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0xc4, 
['unsigned long']], 'CreateReported' : [ 0xc4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0xc4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0xc4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0xc4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0xc4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0xc4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0xc4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0xc4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0xc4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0xc4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0xc4, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0xc4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0xc4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0xc4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0xc4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0xc4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0xc4, ['BitField', 
dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0xc4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0xc4, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0xc4, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0xc4, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0xc4, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0xc4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0xc4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0xc4, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0xc4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0xc4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ProcessQuotaUsage' : [ 0xc8, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xd0, ['array', 2, ['unsigned long']]], 'PeakVirtualSize' : [ 0xd8, ['unsigned long']], 'VirtualSize' : [ 0xdc, ['unsigned long']], 'SessionProcessLinks' : [ 0xe0, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0xe8, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xe8, ['unsigned long']], 'ExceptionPortState' : [ 0xe8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Token' : [ 0xec, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xf0, ['unsigned long']], 'AddressCreationLock' : [ 0xf4, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0xf8, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0xfc, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0x100, ['pointer', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x104, ['pointer', ['_EJOB']]], 'CloneRoot' : [ 
0x108, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x10c, ['unsigned long']], 'NumberOfLockedPages' : [ 0x110, ['unsigned long']], 'Win32Process' : [ 0x114, ['pointer', ['void']]], 'Job' : [ 0x118, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x11c, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x120, ['pointer', ['void']]], 'Cookie' : [ 0x124, ['unsigned long']], 'VdmObjects' : [ 0x128, ['pointer', ['void']]], 'WorkingSetWatch' : [ 0x12c, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x130, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x134, ['pointer', ['void']]], 'LdtInformation' : [ 0x138, ['pointer', ['void']]], 'OwnerProcessId' : [ 0x13c, ['unsigned long']], 'Peb' : [ 0x140, ['pointer', ['_PEB']]], 'Session' : [ 0x144, ['pointer', ['void']]], 'AweInfo' : [ 0x148, ['pointer', ['void']]], 'QuotaBlock' : [ 0x14c, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x150, ['pointer', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x154, ['pointer', ['void']]], 'PaeTop' : [ 0x158, ['pointer', ['void']]], 'DeviceMap' : [ 0x15c, ['pointer', ['void']]], 'EtwDataSource' : [ 0x160, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x168, ['unsigned long long']], 'ImageFileName' : [ 0x170, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x17f, ['unsigned char']], 'SecurityPort' : [ 0x180, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x184, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x188, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x190, ['pointer', ['void']]], 'ThreadListHead' : [ 0x194, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x19c, ['unsigned long']], 'ImagePathHash' : [ 0x1a0, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a4, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1a8, ['long']], 'PrefetchTrace' : [ 0x1ac, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x1b0, ['pointer', ['void']]], 'ReadOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 
'OtherOperationCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1e0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e8, ['unsigned long']], 'CommitCharge' : [ 0x1ec, ['unsigned long']], 'CommitChargePeak' : [ 0x1f0, ['unsigned long']], 'Vm' : [ 0x1f4, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x264, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x26c, ['unsigned long']], 'ExitStatus' : [ 0x270, ['long']], 'VadRoot' : [ 0x274, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x278, ['pointer', ['void']]], 'VadCount' : [ 0x27c, ['unsigned long']], 'VadPhysicalPages' : [ 0x280, ['unsigned long']], 'VadPhysicalPagesLimit' : [ 0x284, ['unsigned long']], 'AlpcContext' : [ 0x288, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x298, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x2a0, ['pointer', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x2a4, ['unsigned long']], 'SmallestTimerResolution' : [ 0x2a8, ['unsigned long']], 'ExitTime' : [ 0x2b0, ['_LARGE_INTEGER']], 'ActiveThreadsHighWatermark' : [ 0x2b8, ['unsigned long']], 'LargePrivateVadCount' : [ 0x2bc, ['unsigned long']], 'ThreadListLock' : [ 0x2c0, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x2c4, ['pointer', ['void']]], 'Spare0' : [ 0x2c8, ['unsigned long']], 'SignatureLevel' : [ 0x2cc, ['unsigned char']], 'SectionSignatureLevel' : [ 0x2cd, ['unsigned char']], 'Protection' : [ 0x2ce, ['_PS_PROTECTION']], 'SpareByte20' : [ 0x2cf, ['array', 1, ['unsigned char']]], 'Flags3' : [ 0x2d0, ['unsigned long']], 'Minimal' : [ 0x2d0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SvmReserved' : [ 0x2d4, ['long']], 'SvmReserved1' : [ 0x2d8, ['pointer', ['void']]], 'SvmReserved2' : [ 0x2dc, ['unsigned long']], 'LastFreezeInterruptTime' : [ 0x2e0, ['unsigned long long']], 'DiskCounters' : [ 0x2e8, ['pointer', ['_PROCESS_DISK_COUNTERS']]], 'KeepAliveCounter' : [ 0x2ec, ['unsigned 
long']], 'NoWakeKeepAliveCounter' : [ 0x2f0, ['unsigned long']], } ], '_KPROCESS' : [ 0xa0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'Affinity' : [ 0x38, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x44, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x4c, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x50, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'AffinitySet' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='long')]], 'DeepFreeze' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x5c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReservedFlags' : [ 0x5c, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x5c, ['long']], 'BasePriority' : [ 0x60, ['unsigned char']], 'QuantumReset' : [ 0x61, ['unsigned char']], 'Visited' : [ 0x62, ['unsigned char']], 'Flags' : [ 0x63, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x64, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x68, ['array', 1, ['unsigned short']]], 'IdealGlobalNode' : [ 0x6a, ['unsigned short']], 'Spare1' : [ 0x6c, ['unsigned short']], 'IopmOffset' : [ 0x6e, ['unsigned short']], 'SchedulingGroup' : [ 0x70, ['pointer', 
['_KSCHEDULING_GROUP']]], 'StackCount' : [ 0x74, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x78, ['_LIST_ENTRY']], 'CycleTime' : [ 0x80, ['unsigned long long']], 'ContextSwitches' : [ 0x88, ['unsigned long long']], 'FreezeCount' : [ 0x90, ['unsigned long']], 'KernelTime' : [ 0x94, ['unsigned long']], 'UserTime' : [ 0x98, ['unsigned long']], 'VdmTrapcHandler' : [ 0x9c, ['pointer', ['void']]], } ], '__unnamed_134a' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1350' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1352' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1350']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_135d' : [ 0x2c, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x28, ['pointer', ['void']]], } ], '__unnamed_135f' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_135d']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_134a']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 
'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_1352']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_135f']], } ], '__unnamed_1366' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_136a' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_136e' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_1370' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1374' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 
'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1376' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned 
long']], } ], '__unnamed_1378' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 
'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileMaximumInformation'})]], } ], '__unnamed_137a' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 
'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_137c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_137e' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1382' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMaximumInformation'})]], } ], '__unnamed_1384' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1387' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned 
long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1389' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_138b' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_138d' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1391' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1395' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1399' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_139d' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_13a1' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13a5' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_13a9' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_13ab' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_13ad' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned 
char']], } ], '__unnamed_13b1' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_13b5' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_13b9' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_13bd' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_13c1' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_13c9' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_13cd' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : 
[ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_13cf' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13d1' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13d3' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_1366']], 'CreatePipe' : [ 0x0, ['__unnamed_136a']], 'CreateMailslot' : [ 0x0, ['__unnamed_136e']], 'Read' : [ 0x0, ['__unnamed_1370']], 'Write' : [ 0x0, ['__unnamed_1370']], 'QueryDirectory' : [ 0x0, ['__unnamed_1374']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1376']], 'QueryFile' : [ 0x0, ['__unnamed_1378']], 'SetFile' : [ 0x0, ['__unnamed_137a']], 'QueryEa' : [ 0x0, ['__unnamed_137c']], 'SetEa' : [ 0x0, ['__unnamed_137e']], 'QueryVolume' : [ 0x0, ['__unnamed_1382']], 'SetVolume' : [ 0x0, ['__unnamed_1382']], 'FileSystemControl' : [ 0x0, ['__unnamed_1384']], 'LockControl' : [ 0x0, ['__unnamed_1387']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1389']], 'QuerySecurity' : [ 0x0, ['__unnamed_138b']], 'SetSecurity' : [ 0x0, ['__unnamed_138d']], 'MountVolume' : [ 0x0, ['__unnamed_1391']], 'VerifyVolume' : [ 0x0, ['__unnamed_1391']], 'Scsi' : [ 0x0, ['__unnamed_1395']], 'QueryQuota' : [ 0x0, ['__unnamed_1399']], 'SetQuota' : [ 0x0, ['__unnamed_137e']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_139d']], 'QueryInterface' : [ 0x0, ['__unnamed_13a1']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_13a5']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_13a9']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_13ab']], 'SetLock' : [ 0x0, ['__unnamed_13ad']], 'QueryId' : [ 0x0, ['__unnamed_13b1']], 'QueryDeviceText' : [ 0x0, ['__unnamed_13b5']], 'UsageNotification' : [ 0x0, ['__unnamed_13b9']], 'WaitWake' : [ 0x0, ['__unnamed_13bd']], 'PowerSequence' : [ 0x0, 
['__unnamed_13c1']], 'Power' : [ 0x0, ['__unnamed_13c9']], 'StartDevice' : [ 0x0, ['__unnamed_13cd']], 'WMI' : [ 0x0, ['__unnamed_13cf']], 'Others' : [ 0x0, ['__unnamed_13d1']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_13d3']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_13e9' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_13e9']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 
'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x8, ['unsigned long']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned 
short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x68, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x5c, ['pointer', ['void']]], 'UserContext' : [ 0x60, ['pointer', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 
'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 
11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 
0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], 'Oplock' : [ 0x3c, ['pointer', ['void']]], 'ReservedForRemote' : [ 0x3c, ['pointer', ['void']]], 'ReservedContext' : [ 0x40, ['pointer', ['void']]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '__unnamed_1575' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'HighLow' : [ 0x0, ['_MMPTE_HIGHLOW']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1575']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'ReservedLowFlags' : [ 0xe, ['unsigned char']], 'WaiterPriority' : [ 0xf, ['unsigned char']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 
0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '__unnamed_15b7' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_15bc' : [ 0x4, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'SpareBlink' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 31, native_type='unsigned long')]], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_15bf' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, 
['unsigned short']], 'VolatileShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_15c1' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_15bf']], } ], '__unnamed_15c5' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireField' : [ 0x0, ['unsigned long']], } ], '_MMPFN' : [ 0x1c, { 'u1' : [ 0x0, ['__unnamed_15b7']], 'u2' : [ 0x4, ['__unnamed_15bc']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0x8, ['long']], 'PteLong' : [ 0x8, ['unsigned long']], 'u3' : [ 0xc, ['__unnamed_15c1']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'u4' : [ 0x18, ['__unnamed_15c5']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x38, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'BasePte' : [ 0x8, ['pointer', ['_MMPTE']]], 'Flags' : [ 0xc, ['unsigned long']], 'VaType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaPagedProtoPool', 15: 'MiVaMaximumType', 16: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'PteFailures' : [ 0x18, ['unsigned long']], 'SpinLock' : [ 0x1c, ['unsigned long']], 'GlobalMutex' : [ 0x1c, ['pointer', ['_FAST_MUTEX']]], 'Vm' : [ 0x20, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x24, ['unsigned long']], 'Hint' : 
[ 0x28, ['unsigned long']], 'CachedPtes' : [ 0x2c, ['pointer', ['_MI_CACHED_PTE']]], 'TotalFreeSystemPtes' : [ 0x30, ['unsigned long']], 'CachedPteCount' : [ 0x34, ['long']], } ], '__unnamed_15e5' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_15e5']], } ], '_MMWSL' : [ 0xdbc, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'LastInitializedWsle' : [ 0x10, ['unsigned long']], 'NextAgingSlot' : [ 0x14, ['unsigned long']], 'NextAccessClearingSlot' : [ 0x18, ['unsigned long']], 'LastAccessClearingRemainder' : [ 0x1c, ['unsigned long']], 'LastAgingRemainder' : [ 0x20, ['unsigned long']], 'WsleSize' : [ 0x24, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long']], 'LowestPagableAddress' : [ 0x2c, ['pointer', ['void']]], 'NonDirectHash' : [ 0x30, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x34, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x38, ['pointer', ['_MMWSLE_HASH']]], 'ActiveWsleCounts' : [ 0x3c, ['array', 8, ['unsigned long']]], 'ActiveWsles' : [ 0x5c, ['array', 8, ['_MI_ACTIVE_WSLE_LISTHEAD']]], 'Wsle' : [ 0x9c, ['pointer', ['_MMWSLE']]], 'UserVaInfo' : [ 0xa0, ['_MI_USER_VA_INFO']], } ], '_MMSUPPORT' : [ 0x70, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x4, ['pointer', ['_KGATE']]], 'AccessLog' : [ 0x8, ['pointer', ['void']]], 'WorkingSetExpansionLinks' : [ 0xc, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x14, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x30, ['unsigned long']], 'WorkingSetSize' : [ 0x34, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x38, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x3c, ['unsigned long']], 'ChargedWslePages' : [ 0x40, ['unsigned long']], 
'ActualWslePages' : [ 0x44, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x48, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x4c, ['unsigned long']], 'HardFaultCount' : [ 0x50, ['unsigned long']], 'VmWorkingSetList' : [ 0x54, ['pointer', ['_MMWSL']]], 'NextPageColor' : [ 0x58, ['unsigned short']], 'LastTrimStamp' : [ 0x5a, ['unsigned short']], 'PageFaultCount' : [ 0x5c, ['unsigned long']], 'TrimmedPageCount' : [ 0x60, ['unsigned long']], 'ForceTrimPages' : [ 0x64, ['unsigned long']], 'Flags' : [ 0x68, ['_MMSUPPORT_FLAGS']], 'WsSwapSupport' : [ 0x6c, ['pointer', ['void']]], } ], '__unnamed_15fe' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1608' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 28, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_160a' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_1608']], } ], '_CONTROL_AREA' : [ 0x50, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'ListHead' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, 
['__unnamed_15fe']], 'FilePointer' : [ 0x20, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x24, ['long']], 'ModifiedWriteCount' : [ 0x28, ['unsigned long']], 'WaitList' : [ 0x2c, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x30, ['__unnamed_160a']], 'LockedPages' : [ 0x40, ['unsigned long long']], 'FileObjectLock' : [ 0x48, ['_EX_PUSH_LOCK']], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 0x0, ['unsigned long']], } ], '_MMPAGING_FILE' : [ 0x80, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'FreeReservationSpace' : [ 0x18, ['unsigned long']], 'LargestReserveCluster' : [ 0x1c, ['unsigned long']], 'File' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x24, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x30, ['_SLIST_HEADER']], 'PageFileName' : [ 0x38, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x40, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x44, ['unsigned long']], 'ReservationBitmapHint' : [ 0x48, ['unsigned long']], 'LargestNonReservedClusterSize' : [ 0x4c, ['unsigned long']], 'RefreshClusterSize' : [ 0x50, ['unsigned long']], 'LastRefreshClusterSize' : [ 0x54, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x58, ['unsigned long']], 'ToBeEvictedCount' : [ 0x5c, ['unsigned long']], 'HybridPriority' : [ 0x60, ['unsigned long']], 'PageFileNumber' : [ 0x64, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x64, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0x64, ['BitField', dict(start_bit = 5, 
end_bit = 6, native_type='unsigned short')]], 'NoReservations' : [ 0x64, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Spare0' : [ 0x64, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x66, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0x66, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x67, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0x68, ['unsigned long']], 'PageHashPagesPeak' : [ 0x6c, ['unsigned long']], 'PageHash' : [ 0x70, ['pointer', ['unsigned long']]], 'FileHandle' : [ 0x74, ['pointer', ['void']]], 'Lock' : [ 0x78, ['unsigned long']], 'LockOwner' : [ 0x7c, ['pointer', ['_ETHREAD']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x18, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x4, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0xc, ['_RTL_BITMAP']], 'EvictStoreBitmap' : [ 0x14, ['pointer', ['_RTL_BITMAP']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], 'tagSWITCH_CONTEXT' : [ 0x60, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '__unnamed_1654' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: 
'_HvpReadLogEntry'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1657' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x4, ['pointer', ['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_1659' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_165d' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', ['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_165f' : [ 0x10, { 'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_1663' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_1667' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_1669' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x120, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned long']], 'RecoverableIndex' : [ 0x8, ['unsigned long']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_1654']]], 'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_1654']]], 'RegistryIO' : [ 0xcc, ['__unnamed_1657']], 'CheckRegistry2' : [ 0xd8, ['__unnamed_1659']], 'CheckKey' : [ 0xdc, ['__unnamed_165d']], 'CheckValueList' : [ 0xec, ['__unnamed_165f']], 'CheckHive' : [ 0xfc, ['__unnamed_1663']], 'CheckHive1' : [ 0x108, ['__unnamed_1663']], 'CheckBin' : [ 0x114, ['__unnamed_1667']], 'RecoverData' : [ 0x11c, ['__unnamed_1669']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, ['unsigned 
long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xb8, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'ParkingStatus' : [ 0x78, ['unsigned long']], 'CurrentFrequency' : [ 0x7c, ['unsigned long']], 'PercentMaxFrequency' : [ 0x80, ['unsigned long']], 'StateFlags' : [ 0x84, ['unsigned long']], 'NominalThroughput' : [ 0x88, ['unsigned long']], 'ActiveThroughput' : [ 0x8c, ['unsigned long']], 'ScaledThroughput' : [ 0x90, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0x98, ['unsigned long long']], 'AverageIdleTime' : [ 0xa0, ['unsigned long long']], 'IdleBreakEvents' : [ 0xa8, ['unsigned long long']], 'PerformanceLimit' : [ 0xb0, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xb4, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, 
['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 
'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0xc, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], } ], '_TEB32' : [ 0xfe8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 
'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 
'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 
'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], } ], '_TEB64' : [ 0x1820, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' 
: [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'Padding1' : [ 0x2ec, ['array', 4, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long 
long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 
0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 
'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], } ], '__unnamed_16ec' : [ 0x10, { 'ReservedEax' : [ 0x0, ['unsigned long']], 'ReservedEbx' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'InitialApicId' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ReservedEcx' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HypervisorPresent' : [ 0x8, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_CPUID_RESULT' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'VersionAndFeatures' : [ 0x0, ['__unnamed_16ec']], 'HvVendorAndMaxFunction' : [ 0x0, ['_HV_VENDOR_AND_MAX_FUNCTION']], 'HvInterface' : [ 0x0, ['_HV_HYPERVISOR_INTERFACE_INFO']], 'MsHvVersion' : [ 0x0, ['_HV_HYPERVISOR_VERSION_INFO']], 'MsHvFeatures' : [ 0x0, ['_HV_HYPERVISOR_FEATURES']], 'MsHvEnlightenmentInformation' : [ 0x0, ['_HV_ENLIGHTENMENT_INFORMATION']], 'MsHvImplementationLimits' : [ 0x0, ['_HV_IMPLEMENTATION_LIMITS']], 'MsHvHardwareFeatures' : [ 0x0, ['_HV_HYPERVISOR_HARDWARE_FEATURES']], } ], '_HV_VENDOR_AND_MAX_FUNCTION' : [ 0x10, { 'MaxFunction' : [ 0x0, ['unsigned long']], 'VendorName' : [ 0x4, ['array', 12, ['unsigned char']]], } ], '_HV_HYPERVISOR_INTERFACE_INFO' : [ 0x10, { 'Interface' : [ 0x0, ['unsigned long']], 
'ReservedEbx' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_HYPERVISOR_VERSION_INFO' : [ 0x10, { 'BuildNumber' : [ 0x0, ['unsigned long']], 'MinorVersion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'MajorVersion' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ServicePack' : [ 0x8, ['unsigned long']], 'ServiceNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'ServiceBranch' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_HV_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, 
end_bit = 8, native_type='unsigned long')]], 'FrequencyMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long')]], } ], '_HV_HYPERVISOR_HARDWARE_FEATURES' : [ 0x10, { 'ApicOverlayAssistInUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MsrBitmapsInUse' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ArchitecturalPerformanceCountersInUse' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SecondLevelAddressTranslationInUse' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DmaRemappingInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'InterruptRemappingInUse' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'MemoryPatrolScrubberPresent' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'ReservedEbx' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_ENLIGHTENMENT_INFORMATION' : [ 0x10, { 'UseHypercallForAddressSpaceSwitch' 
: [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UseHypercallForLocalFlush' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UseHypercallForRemoteFlush' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UseApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UseMsrForReset' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UseRelaxedTiming' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UseDmaRemapping' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UseInterruptRemapping' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UseX2ApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeprecateAutoEoi' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'LongSpinWaitCount' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_IMPLEMENTATION_LIMITS' : [ 0x10, { 'MaxVirtualProcessorCount' : [ 0x0, ['unsigned long']], 'MaxLogicalProcessorCount' : [ 0x4, ['unsigned long']], 'MaxInterruptMappingCount' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeMsr' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicMsrs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 
'AccessSyntheticTimerMsrs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetMsr' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsMsr' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleMsr' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyMsrs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugMsrs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, 
native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'EnableExpandedStackwalking' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x13c, { 'Lock' : [ 0x0, 
['unsigned long']], 'ReadySummary' : [ 0x4, ['unsigned long']], 'ReadyListHead' : [ 0x8, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x108, ['array', 32, ['unsigned char']]], 'Span' : [ 0x128, ['unsigned long']], 'LowProcIndex' : [ 0x12c, ['unsigned long']], 'QueueIndex' : [ 0x130, ['unsigned long']], 'ProcCount' : [ 0x134, ['unsigned long']], 'Affinity' : [ 0x138, ['unsigned long']], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x38, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x2c, ['pointer', ['unsigned long']]], 'EnableKeyWords' : [ 0x30, ['pointer', ['unsigned long long']]], 'EnableLevel' : [ 0x34, ['pointer', ['unsigned char']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x34, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 
'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependencyNode' : [ 0x2c, ['pointer', ['void']]], 'VerifierContext' : [ 0x30, ['pointer', ['void']]], } ], '__unnamed_17f0' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_17f2' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_17f6' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x1cc, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'FxDevice' : [ 0x28, ['pointer', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x2c, ['long']], 'FxRemoveEvent' : [ 0x30, ['_KEVENT']], 'FxActivationCount' : [ 0x40, ['long']], 'FxSleepCount' : [ 0x44, ['long']], 'Plugin' : [ 0x48, ['pointer', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x4c, ['unsigned long']], 'CurrentPowerState' : [ 0x50, ['_POWER_STATE']], 'Notify' : [ 0x54, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x90, ['_PO_IRP_MANAGER']], 'UniqueId' 
: [ 0xa0, ['_UNICODE_STRING']], 'PowerFlags' : [ 0xa8, ['unsigned long']], 'State' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0xb0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]],
# NOTE(review): the array count on the StateHistory member below is negative (-80), which
# cannot be a real element count. The next member, StateHistoryEntry, sits at 0x104, i.e.
# 0x50 (80) bytes after 0xb4, and the neighbouring State / PreviousState enums of the same
# type are 4 bytes apart, so 20 entries looks like the intended count - TODO confirm against
# the symbol source. Until confirmed, do not rely on StateHistory values parsed with this
# profile when reconstructing a device node's state timeline from a memory image.
'StateHistory' : [ 0xb4, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 
776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x104, ['unsigned long']], 'CompletionStatus' : [ 0x108, ['long']], 'Flags' : [ 0x10c, ['unsigned long']], 'UserFlags' : [ 0x110, ['unsigned long']], 'Problem' : [ 0x114, ['unsigned long']], 'ProblemStatus' : [ 0x118, ['long']], 'ResourceList' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x120, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x124, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x128, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x130, ['unsigned long']], 'ChildInterfaceType' : [ 0x134, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x138, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x13c, ['unsigned short']], 'RemovalPolicy' : [ 0x13e, 
['unsigned char']], 'HardwareRemovalPolicy' : [ 0x13f, ['unsigned char']], 'TargetDeviceNotify' : [ 0x140, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x148, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x150, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x158, ['unsigned short']], 'QueryTranslatorMask' : [ 0x15a, ['unsigned short']], 'NoArbiterMask' : [ 0x15c, ['unsigned short']], 'QueryArbiterMask' : [ 0x15e, ['unsigned short']], 'OverUsed1' : [ 0x160, ['__unnamed_17f0']], 'OverUsed2' : [ 0x164, ['__unnamed_17f2']], 'BootResources' : [ 0x168, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x16c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x170, ['unsigned long']], 'DockInfo' : [ 0x174, ['__unnamed_17f6']], 'DisableableDepends' : [ 0x184, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x188, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x190, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x198, ['unsigned long']], 'PreviousParent' : [ 0x19c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x1a0, ['unsigned long']], 'NumaNodeIndex' : [ 0x1a4, ['unsigned long']], 'ContainerID' : [ 0x1a8, ['_GUID']], 'OverrideFlags' : [ 0x1b8, ['unsigned char']], 'DeviceIdsHash' : [ 0x1bc, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x1c0, ['unsigned char']], 'PendingEjectRelations' : [ 0x1c4, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x1c8, ['unsigned long']], } ], '_GROUP_AFFINITY' : [ 0xc, { 'Mask' : [ 0x0, ['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target 
= 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, 
['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, 
['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned 
long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' 
: [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_18aa' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 
'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_18aa']], } ], '__unnamed_18b1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 
'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_18b1']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PROCESSOR_POWER_STATE' : [ 0x190, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x4, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'Reserved' : [ 0x20, ['unsigned long long']], 'IdlePolicy' : [ 0x28, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x30, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x38, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xa0, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'LastSysTime' : [ 0xa4, ['unsigned long']], 'WmiDispatchPtr' : [ 0xa8, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xac, ['long']], 'FFHThrottleStateInfo' : [ 0xb0, 
['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0xd0, ['_KDPC']], 'PerfActionMask' : [ 0xf0, ['long']], 'HvIdleCheck' : [ 0xf8, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x108, ['_PROC_PERF_SNAP']], 'Domain' : [ 0x148, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x14c, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x150, ['pointer', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x154, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x158, ['pointer', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x15c, ['unsigned char']], 'HvTargetState' : [ 0x15d, ['unsigned char']], 'Parked' : [ 0x15e, ['unsigned char']], 'OverUtilized' : [ 0x15f, ['unsigned char']], 'LatestPerformancePercent' : [ 0x160, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x164, ['unsigned long']], 'ExpectedUtility' : [ 0x168, ['unsigned long']], 'Utility' : [ 0x16c, ['array', 3, ['_PROC_PERF_UTILITY']]], } ], '_PROC_PERF_UTILITY' : [ 0xc, { 'Affinitized' : [ 0x0, ['unsigned long']], 'Performance' : [ 0x4, ['unsigned long']], 'Total' : [ 0x8, ['unsigned long']], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CompleteIdleStatePending' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'Reserved' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0x90, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x14, ['unsigned long']], 'LogHandleContext' : [ 0x18, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0x80, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x84, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0x88, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x170, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' 
: [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', ['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'V1' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0xa0, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xb4, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd8, ['_LARGE_INTEGER']], 'Event' : [ 0xe0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xf0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xf8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x160, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x164, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x168, ['unsigned long']], 'WritesInProgress' : [ 0x16c, ['unsigned long']], } ], '__unnamed_195e' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', 
['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_195e']], 'ArrayHead' : [ 0x10, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_197f' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1981' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1983' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1985' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1987' : [ 0x1c, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x4, ['pointer', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x8, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x18, ['unsigned char']], } ], '__unnamed_1989' : [ 0x1c, { 'Read' : [ 0x0, ['__unnamed_197f']], 'Write' : [ 0x0, ['__unnamed_1981']], 'Event' : [ 0x0, ['__unnamed_1983']], 'Notification' : [ 0x0, ['__unnamed_1985']], 'LowPriWrite' : [ 0x0, ['__unnamed_1987']], } ], '_WORK_QUEUE_ENTRY' : [ 0x28, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_1989']], 'Function' : [ 0x24, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x18, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0x4, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x10, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x68, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x8, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0xc, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x18, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x40, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x44, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x48, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x50, ['pointer', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x54, ['unsigned long']], 'LastLWTimeStamp' : [ 0x58, ['_LARGE_INTEGER']], 'Flags' : [ 0x60, ['unsigned long']], } ], '_MBCB' : [ 0x88, 
{ 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x68, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x248, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 
'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x58, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x5c, ['unsigned long']], 'Signature' : [ 0x60, ['unsigned long']], 'SegmentReserve' : [ 0x64, ['unsigned long']], 'SegmentCommit' : [ 0x68, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x6c, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x70, ['unsigned long']], 'TotalFreeSize' : [ 0x74, ['unsigned long']], 'MaximumAllocationSize' : [ 0x78, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x7c, ['unsigned short']], 'HeaderValidateLength' : [ 0x7e, ['unsigned short']], 'HeaderValidateCopy' : [ 0x80, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x84, ['unsigned short']], 'MaximumTagIndex' : [ 0x86, ['unsigned short']], 'TagEntries' : [ 0x88, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x8c, ['_LIST_ENTRY']], 'AlignRound' : [ 0x94, ['unsigned long']], 'AlignMask' : [ 0x98, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x9c, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa4, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xac, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb0, ['unsigned long']], 'BlocksIndex' : [ 0xb4, ['pointer', ['void']]], 'UCRIndex' : [ 0xb8, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xbc, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc0, ['_LIST_ENTRY']], 'LockVariable' : [ 0xc8, ['pointer', 
['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xcc, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd0, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd4, ['unsigned short']], 'FrontEndHeapType' : [ 0xd6, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0xd7, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0xd8, ['pointer', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0xdc, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0xde, ['array', 257, ['unsigned char']]], 'Counters' : [ 0x1e0, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x23c, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_19f4' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_19f4']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned 
long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1a46' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1a48' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a46']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1a4a' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1a4c' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1a4a']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], 
'_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1a48']], 'u2' : [ 0x4, ['__unnamed_1a4c']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x20, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1a69' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1a6b' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1a69']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1a6b']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' 
: [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Pad' : [ 0x10, ['unsigned long']], 'Lock' : [ 0x14, ['_EX_PUSH_LOCK']], } ], '__unnamed_1a7f' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a81' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a7f']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_1a81']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_1a8a' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1a8c' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a8a']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_1a8c']], 'NumberOfViews' : [ 0x1c, ['unsigned long']], 'ViewListHead' : [ 0x20, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x2c, ['pointer', ['_KALPC_VIEW']]], } ], '__unnamed_1a92' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1a94' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a92']], } ], '_KALPC_VIEW' : [ 
0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, ['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', ['void']]], 'u1' : [ 0x24, ['__unnamed_1a94']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x28, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x24, ['pointer', ['_KALPC_MESSAGE']]], } ], '__unnamed_1ab1' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 
'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1ab3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1ab1']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x10c, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x5c, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x60, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x68, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0x70, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0x74, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0x7c, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0x80, ['_LIST_ENTRY']], 'Semaphore' : [ 0x88, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x88, ['pointer', ['_KEVENT']]], 'PortAttributes' : [ 0x8c, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0xc4, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0xc8, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0xcc, ['pointer', ['_CALLBACK_OBJECT']]], 
'CallbackContext' : [ 0xd0, ['pointer', ['void']]], 'CanceledQueue' : [ 0xd4, ['_LIST_ENTRY']], 'SequenceNo' : [ 0xdc, ['long']], 'ReferenceNo' : [ 0xe0, ['long']], 'ReferenceNoWait' : [ 0xe4, ['pointer', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0xe8, ['__unnamed_1ab3']], 'TargetQueuePort' : [ 0xec, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xf0, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0xf4, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xf8, ['unsigned long']], 'LargeMessageQueueLength' : [ 0xfc, ['unsigned long']], 'PendingQueueLength' : [ 0x100, ['unsigned long']], 'CanceledQueueLength' : [ 0x104, ['unsigned long']], 'WaitQueueLength' : [ 0x108, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x58, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'CompletionListLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x10, ['pointer', ['_MDL']]], 'UserVa' : [ 0x14, ['pointer', ['void']]], 'UserLimit' : [ 0x18, ['pointer', ['void']]], 'DataUserVa' : [ 0x1c, ['pointer', ['void']]], 'SystemVa' : [ 0x20, ['pointer', ['void']]], 'TotalSize' : [ 0x24, ['unsigned long']], 'Header' : [ 0x28, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x2c, ['pointer', ['void']]], 'ListSize' : [ 0x30, ['unsigned long']], 'Bitmap' : [ 0x34, ['pointer', ['void']]], 'BitmapSize' : [ 0x38, ['unsigned long']], 'Data' : [ 0x3c, ['pointer', ['void']]], 'DataSize' : [ 0x40, ['unsigned long']], 'BitmapLimit' : [ 0x44, ['unsigned long']], 'BitmapNextHint' : [ 0x48, ['unsigned long']], 'ConcurrencyCount' : [ 0x4c, ['unsigned long']], 'AttributeFlags' : [ 0x50, ['unsigned long']], 'AttributeSize' : [ 0x54, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 
'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x90, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'Key' : [ 0x84, ['unsigned long']], 'CallbackList' : [ 0x88, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x14, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x10, ['long']], } ], '__unnamed_1ad7' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, 
['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1ad9' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1ad7']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x88, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'u1' : [ 0x14, ['__unnamed_1ad9']], 'SequenceNo' : [ 0x18, ['long']], 'QuotaProcess' : [ 0x1c, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x1c, ['pointer', ['void']]], 'CancelSequencePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x24, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x28, ['long']], 'CancelListEntry' : [ 0x2c, ['_LIST_ENTRY']], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x38, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x54, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x58, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x5c, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x60, ['pointer', ['_ETHREAD']]], 'WakeReference' : [ 0x64, ['pointer', ['void']]], 'ExtensionBuffer' : [ 0x68, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0x6c, ['unsigned long']], 'PortMessage' : [ 0x70, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'Flags' : [ 0x14, ['unsigned long']], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], 'SignalCompletion' : [ 0x1e, ['unsigned char']], 'PostedToCompletionList' : [ 0x1f, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned 
long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x20, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1b1a' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1b1c' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b1a']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1b1c']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 'IoStatusInformation' : [ 0x18, ['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, 
['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x24, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'TimeStamped' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer', ['void']]], 'ActivityId' : [ 0xc, ['_GUID']], 'Timestamp' : [ 0x1c, ['_LARGE_INTEGER']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 
'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x24, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 7, ['pointer', ['void']]]], 'FoIoPriorityHint' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x4c, ['pointer', ['void']]], 'Override' : [ 0x50, ['unsigned char']], 'QueryOnly' : [ 0x51, ['unsigned char']], 'DeleteOnly' : [ 0x52, ['unsigned char']], 'FullAttributes' : [ 0x53, ['unsigned char']], 'LocalFileObject' 
: [ 0x54, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x58, ['unsigned long']], 'AccessMode' : [ 0x5c, ['unsigned char']], 'DriverCreateContext' : [ 0x60, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1be1' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x110, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1be1']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer', ['unsigned short']]], 'LogFileName' : [ 0x3c, ['pointer', ['unsigned short']]], 'TimeZone' : [ 0x40, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf0, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0xf8, ['_LARGE_INTEGER']], 
'StartTime' : [ 0x100, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x108, ['unsigned long']], 'BuffersLost' : [ 0x10c, ['unsigned long']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x278, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 1, ['unsigned long']]], 'ErrorMarker' : [ 0x18, ['unsigned long']], 'SizeMask' : [ 0x1c, ['unsigned long']], 'GetCpuClock' : [ 0x20, ['pointer', ['void']]], 'LoggerThread' : [ 0x24, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x28, ['long']], 'FailureReason' : [ 0x2c, ['unsigned long']], 'BufferQueue' : [ 0x30, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x3c, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x48, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x50, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x58, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x58, ['_EX_FAST_REF']], 'LoggerName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFileName' : [ 0x64, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x6c, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x74, ['_UNICODE_STRING']], 'ClockType' : [ 0x7c, ['unsigned long']], 'LastFlushedBuffer' : [ 0x80, ['unsigned long']], 'FlushTimer' : [ 0x84, ['unsigned long']], 'FlushThreshold' : [ 0x88, ['unsigned long']], 'ByteOffset' : [ 0x90, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x98, ['unsigned long']], 'BuffersAvailable' : [ 0x9c, ['long']], 'NumberOfBuffers' : [ 0xa0, ['long']], 'MaximumBuffers' : [ 0xa4, ['unsigned long']], 'EventsLost' : [ 0xa8, ['unsigned long']], 'PeakBuffersCount' : [ 0xac, ['long']], 'BuffersWritten' : [ 0xb0, ['unsigned long']], 'LogBuffersLost' : [ 0xb4, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xb8, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xbc, ['unsigned long']], 'SequencePtr' : [ 0xc0, ['pointer', ['long']]], 'LocalSequence' : [ 0xc4, ['unsigned long']], 'InstanceGuid' : 
[ 0xc8, ['_GUID']], 'MaximumFileSize' : [ 0xd8, ['unsigned long']], 'FileCounter' : [ 0xdc, ['long']], 'PoolType' : [ 0xe0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xe8, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0xf8, ['long']], 'ProviderInfoSize' : [ 0xfc, ['unsigned long']], 'Consumers' : [ 0x100, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x108, ['unsigned long']], 'TransitionConsumer' : [ 0x10c, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x110, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x114, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x120, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x128, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x130, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x138, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x140, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x148, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x150, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x160, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x164, ['_KEVENT']], 'FlushEvent' : [ 0x174, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x188, ['_KTIMER']], 'LoggerDpc' : [ 0x1b0, ['_KDPC']], 'LoggerMutex' : [ 0x1d0, ['_KMUTANT']], 'LoggerLock' : [ 0x1f0, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1f4, ['unsigned 
long']], 'BufferListPushLock' : [ 0x1f4, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1f8, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x234, ['_EX_FAST_REF']], 'StartTime' : [ 0x238, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x240, ['pointer', ['void']]], 'BufferSequenceNumber' : [ 0x248, ['long long']], 'Flags' : [ 0x250, ['unsigned long']], 'Persistent' : [ 0x250, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x250, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x250, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x250, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x250, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x250, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x250, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x250, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x250, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x250, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x250, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x250, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x250, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SpareFlags1' : [ 0x250, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x250, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x250, ['BitField', dict(start_bit = 24, end_bit = 
25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x250, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x254, ['unsigned long']], 'DbgRequestNewFie' : [ 0x254, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x254, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x254, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x254, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x254, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x254, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x254, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x254, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDefferdFlush' : [ 0x254, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDefferdFlushTimer' : [ 0x254, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x254, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x254, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x254, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x258, ['_RTL_BITMAP']], 'StackCache' : [ 0x260, ['pointer', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x264, ['pointer', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x268, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x270, ['pointer', ['pointer', ['_WMI_BUFFER_HEADER']]]], } ], '_ETW_PMC_SUPPORT' : [ 
0x24, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x290, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x94, ['pointer', 
['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x9c, ['pointer', ['void']]], 'DynamicPart' : [ 0xa0, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa4, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xb0, ['unsigned long']], 'TokenInUse' : [ 0xb4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb8, ['unsigned long']], 'MandatoryPolicy' : [ 0xbc, ['unsigned long']], 'LogonSession' : [ 0xc0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc4, ['_LUID']], 'SidHash' : [ 0xcc, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x154, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1dc, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x1e0, ['pointer', ['void']]], 'Capabilities' : [ 0x1e4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x1e8, ['unsigned long']], 'CapabilitiesHash' : [ 0x1ec, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x274, ['pointer', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x278, ['pointer', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x27c, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x280, ['pointer', ['void']]], 'TrustLinkedToken' : [ 0x284, ['pointer', ['_TOKEN']]], 'VariablePart' : [ 0x288, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x3c, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 
'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x34, ['_SEP_LOWBOX_HANDLES_TABLE']], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : [ 0xd, ['unsigned char']], 'DbgRefTrace' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0xd, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'NewObject' : [ 0xf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0xf, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0xf, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0xf, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0xf, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0xf, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0xf, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0xf, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectCreateInfo' : [ 0x10, ['pointer', 
['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x8, { 'SecurityDescriptor' : [ 0x0, ['pointer', ['void']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x18, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'EntryLink' : [ 0x8, ['pointer', ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0xc, ['unsigned long']], 'HashIndex' : [ 0x10, ['unsigned short']], 'DirectoryLocked' : [ 0x12, ['unsigned char']], 'LockedExclusive' : [ 0x13, ['unsigned char']], 'LockStateSignature' : [ 0x14, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x98, 
['pointer', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_WHEAP_INFO_BLOCK' : [ 0xc, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x4, ['pointer', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x8, ['pointer', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x418, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x8, ['unsigned long']], 'PlatformErrorSourceId' : [ 0xc, ['unsigned long']], 'ErrorCount' : [ 0x10, ['long']], 'RecordCount' : [ 0x14, ['unsigned long']], 'RecordLength' : [ 0x18, ['unsigned long']], 'PoolTag' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x24, ['pointer', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x28, ['pointer', ['void']]], 'SectionCount' : [ 0x2c, ['unsigned long']], 'SectionLength' : [ 0x30, ['unsigned long']], 'TickCountAtLastError' : [ 0x38, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x40, ['unsigned long']], 'TotalErrors' : [ 0x44, ['unsigned long']], 'Deferred' : [ 0x48, ['unsigned char']], 'Descriptor' : [ 0x49, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xe4, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x8, ['unsigned long']], 'ProcessorNumber' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x14, ['long']], 'ErrorSource' : [ 0x18, ['pointer', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x1c, ['_WHEA_ERROR_RECORD']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x1c, { 
'SpinLock' : [ 0x0, ['unsigned long']], 'ConnectLock' : [ 0x4, ['_KEVENT']], 'LineMasked' : [ 0x14, ['unsigned char']], 'InterruptList' : [ 0x18, ['pointer', ['_KINTERRUPT']]], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x8, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned long long']], 'WorkQueue' : [ 0x18, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x40, ['pointer', ['void']]], 'AcceptProcessorNotification' : [ 0x44, ['pointer', ['void']]], 'WorkOrderCount' : [ 0x48, ['unsigned long']], 'WorkOrders' : [ 0x4c, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', 
['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 
'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x128, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x104, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x124, ['unsigned long']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Signalling' : [ 0x1, ['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned char')]], 'Reserved1' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved2' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Reserved3' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Reserved5' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'WaitResponse' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], } ], '_HEAP_COUNTERS' : [ 0x5c, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'PollIntervalCounter' : [ 0x38, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x3c, ['unsigned long']], 'HeapPollInterval' : [ 0x40, ['unsigned long']], 'AllocAndFreeOps' : [ 0x44, ['unsigned long']], 'AllocationIndicesActive' : [ 0x48, ['unsigned long']], 'InBlockDeccommits' : [ 0x4c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x50, ['unsigned long']], 'HighWatermarkSize' : [ 0x54, ['unsigned long']], 'LastPolledSize' : [ 0x58, ['unsigned long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned 
long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_MI_ACTIVE_WSLE_LISTHEAD' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x44, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, ['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x3c, ['unsigned char']], 'DeleteType' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 
4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_POP_FX_WORK_ORDER' : [ 0x1c, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x10, ['long']], 'Context' : [ 0x14, ['pointer', ['void']]], 'WatchdogTimerInfo' : [ 0x18, ['pointer', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, ['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x48, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ullContextMinimum' : [ 0x8, ['unsigned long long']], 'guPlatform' : [ 0x10, ['_GUID']], 'guMinPlatform' : [ 0x20, ['_GUID']], 'ulContextSource' : [ 0x30, ['unsigned long']], 'ulElementCount' : [ 0x34, ['unsigned long']], 'guElements' : [ 0x38, ['array', 1, ['_GUID']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x10, ['_KEVENT']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 
'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x8, ['unsigned char']], 'BlockState' : [ 0x9, ['unsigned char']], 'WaitKey' : [ 0xa, ['unsigned short']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'NotificationQueue' : [ 0xc, ['pointer', ['_KQUEUE']]], 'Object' : [ 0x10, ['pointer', ['void']]], 'SparePtr' : [ 0x14, ['pointer', ['void']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 
0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x50, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'CriticalTripPoint' : [ 0x18, ['unsigned long']], 'ActiveTripPointCount' : [ 0x1c, ['unsigned char']], 'ActiveTripPoint' : [ 0x20, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x48, ['unsigned long']], 'MinimumThrottle' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1d67' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, 
end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1d69' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1d67']], 'Private' : [ 0x0, ['__unnamed_1d69']], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Processors' : [ 0x4, ['unsigned long']], 'ActiveProcessors' : [ 0x8, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned 
short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x8, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x130, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x8, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0xc, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x10, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x98, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x120, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x124, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x128, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 
0x12c, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_MMPTE_HIGHLOW' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x2c0, { 'Event' : [ 0x0, ['_KEVENT']], 
'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x70, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x78, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0x80, ['unsigned long long']], 'TotalPageFaultCount' : [ 0x88, ['unsigned long']], 'TotalProcesses' : [ 0x8c, ['unsigned long']], 'ActiveProcesses' : [ 0x90, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x94, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x98, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xa0, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xa8, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xac, ['unsigned long']], 'LimitFlags' : [ 0xb0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xb4, ['unsigned long']], 'Affinity' : [ 0xb8, ['_KAFFINITY_EX']], 'AccessState' : [ 0xc4, ['pointer', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0xc8, ['pointer', ['void']]], 'UIRestrictionsClass' : [ 0xcc, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xd0, ['unsigned long']], 'CompletionPort' : [ 0xd4, ['pointer', ['void']]], 'CompletionKey' : [ 0xd8, ['pointer', ['void']]], 'CompletionCount' : [ 0xe0, ['unsigned long long']], 'SessionId' : [ 0xe8, ['unsigned long']], 'SchedulingClass' : [ 0xec, ['unsigned long']], 'ReadOperationCount' : [ 0xf0, ['unsigned long long']], 'WriteOperationCount' : [ 0xf8, ['unsigned long long']], 'OtherOperationCount' : [ 0x100, ['unsigned long long']], 'ReadTransferCount' : [ 0x108, ['unsigned long long']], 'WriteTransferCount' : [ 0x110, ['unsigned long long']], 'OtherTransferCount' : [ 0x118, ['unsigned long long']], 'DiskIoInfo' : [ 0x120, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x148, ['unsigned long']], 'JobMemoryLimit' : [ 0x14c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x150, 
['unsigned long']], 'PeakJobMemoryUsed' : [ 0x154, ['unsigned long']], 'EffectiveAffinity' : [ 0x158, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x168, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x170, ['unsigned long']], 'EffectiveMaximumWorkingSetSize' : [ 0x174, ['unsigned long']], 'EffectiveProcessMemoryLimit' : [ 0x178, ['unsigned long']], 'EffectiveProcessMemoryLimitJob' : [ 0x17c, ['pointer', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x180, ['pointer', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x184, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x188, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x18c, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x190, ['unsigned long']], 'EffectiveSwapCount' : [ 0x194, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x198, ['unsigned long']], 'EffectivePriorityClass' : [ 0x19c, ['unsigned char']], 'PriorityClass' : [ 0x19d, ['unsigned char']], 'Reserved1' : [ 0x19e, ['array', 2, ['unsigned char']]], 'CompletionFilter' : [ 0x1a0, ['unsigned long']], 'WakeChannel' : [ 0x1a8, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x1a8, ['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x1e0, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x1e8, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x1ec, ['unsigned long']], 'NotificationLink' : [ 0x1f0, ['pointer', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x1f8, ['unsigned long long']], 'NotificationInfo' : [ 0x200, ['pointer', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x204, ['pointer', ['void']]], 'NotificationPacket' : [ 0x208, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x20c, ['pointer', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x210, ['pointer', ['void']]], 'ReadyTime' : [ 0x218, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x220, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x224, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x22c, ['_LIST_ENTRY']], 
'ParentJob' : [ 0x234, ['pointer', ['_EJOB']]], 'RootJob' : [ 0x238, ['pointer', ['_EJOB']]], 'IteratorListHead' : [ 0x23c, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x244, ['unsigned long']], 'Ancestors' : [ 0x248, ['pointer', ['pointer', ['_EJOB']]]], 'Accounting' : [ 0x250, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x2a0, ['unsigned long']], 'SequenceNumber' : [ 0x2a4, ['unsigned long']], 'TimerListLock' : [ 0x2a8, ['unsigned long']], 'TimerListHead' : [ 0x2ac, ['_LIST_ENTRY']], 'JobFlags' : [ 0x2b4, ['unsigned long']], 'CloseDone' : [ 0x2b4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x2b4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x2b4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x2b4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x2b4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x2b4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x2b4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x2b4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x2b4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x2b4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x2b4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x2b4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x2b4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x2b4, ['BitField', 
dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x2b4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x2b4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x2b4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x2b4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x2b4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x2b4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x2b4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x2b4, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x2b4, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x2b4, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x2b4, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareJobFlags' : [ 0x2b4, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x2b8, ['unsigned long']], } ], '_PPM_IDLE_STATES' : [ 0x110, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'ForceIdle' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, 
['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'ReasonFlags' : [ 0x24, ['unsigned short']], 'InitiateWakeStamp' : [ 0x28, ['unsigned long long']], 'PreviousStatus' : [ 0x30, ['long']], 'PreviousCancelReason' : [ 0x34, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x38, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0x44, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x50, ['pointer', ['void']]], 'IdleExecute' : [ 0x54, ['pointer', ['void']]], 'IdlePreselect' : [ 0x58, ['pointer', ['void']]], 'IdleTest' : [ 0x5c, ['pointer', ['void']]], 'IdleComplete' : [ 0x60, ['pointer', ['void']]], 'IdleCancel' : [ 0x64, ['pointer', ['void']]], 'IdleIsHalted' : [ 0x68, ['pointer', ['void']]], 'IdleInitiateWake' : [ 0x6c, ['pointer', ['void']]], 'QueryPlatformStateResidency' : [ 0x70, ['pointer', ['void']]], 'PrepareInfo' : [ 0x78, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'Tracing' : [ 0xd8, ['pointer', ['_PERFINFO_PPM_STATE_SELECTION']]], 'State' : [ 0xdc, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x250, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit 
= 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'SparePvoid0' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, 
['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', 
['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], 'pUnused' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : [ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x54, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', ['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', ['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', 
['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned char']], 'ShutDownRequested' : [ 0x32, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x32, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x32, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x32, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x34, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x3c, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x40, ['unsigned long']], 'UserPagesAllocated' : [ 0x44, ['unsigned long']], 'UserPagesReused' : [ 0x48, ['unsigned long']], 'EventsLostCount' : [ 0x4c, ['pointer', ['unsigned long']]], 'BuffersLostCount' : [ 0x50, ['pointer', ['unsigned long']]], } ], '__unnamed_1dd9' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1ddf' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, 
native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1de1' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1dd9']], 'Bits' : [ 0x0, ['__unnamed_1ddf']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1de1']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'PendingFreeDepth' : [ 0x104, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 
0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x28, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x1c, ['pointer', ['void']]], 'DvCallbacks' : [ 0x20, ['pointer', ['void']]], 'VerifierContext' : [ 0x24, ['pointer', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEAP_WORK_QUEUE' : [ 0x44, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['long']], 'Dpc' : [ 0x10, ['_KDPC']], 'WorkItem' : [ 0x30, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x40, ['pointer', ['void']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 
'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'EmulateActiveBoth' : [ 0x39, ['unsigned char']], 'ActiveCount' : [ 0x3a, ['unsigned short']], 'InternalState' : [ 0x3c, ['long']], 'Mode' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x48, ['unsigned long']], 'DispatchCount' : [ 0x4c, ['unsigned long']], 'PassiveEvent' : [ 0x50, ['pointer', ['_KEVENT']]], 'DisconnectData' : [ 0x54, ['pointer', ['void']]], 'ServiceThread' : [ 0x58, 
['pointer', ['_KTHREAD']]], 'IsrDpcStats' : [ 0x60, ['_ISRDPCSTATS']], 'ConnectionData' : [ 0xa0, ['pointer', ['_INTERRUPT_CONNECTION_DATA']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x58, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, 
['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '__unnamed_1e3f' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 
'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1e3f']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 
0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_EX_WORK_QUEUE' : [ 0x1ac, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'WorkItemsProcessed' : [ 0x19c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x1a0, ['unsigned long']], 'ThreadCount' : [ 0x1a4, ['long']], 'TryFailed' : [ 0x1a8, ['unsigned char']], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned 
char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x4e, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 
'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_IO_WORKITEM' : [ 0x30, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', ['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'Type' : [ 0x1c, ['unsigned long']], 'ActivityId' : [ 0x20, ['_GUID']], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 
'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x50, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x28, ['_KDPC']], 'WorkOrder' : [ 0x48, ['pointer', ['_POP_FX_WORK_ORDER']]], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', 
['void']]]], } ], '_SESSION_LOWBOX_MAP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x8, ['unsigned long']], 'LowboxMap' : [ 0xc, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x74, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'RefCount' : [ 0x20, ['unsigned long']], 'Lock' : [ 0x24, ['unsigned long']], 'Cancel' : [ 0x28, ['unsigned char']], 'Parent' : [ 0x2c, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'Data' : [ 0x30, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PROC_IDLE_POLICY' : [ 0x5, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 
'AllowScaling' : [ 0x4, ['unsigned char']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_PS_WAKE_INFORMATION' : [ 0x38, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 5, ['unsigned long long']]], 'NoWakeCounter' : [ 0x30, ['unsigned long long']], } ], '_RH_OP_CONTEXT' : [ 0x24, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x8, ['pointer', ['_IRP']]], 'OplockRequestFileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x14, ['pointer', ['_ETHREAD']]], 'Flags' : [ 0x18, ['unsigned long']], 'AtomicLinks' : [ 0x1c, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_XSTATE_CONFIGURATION' : [ 0x218, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', 
dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0xc, ['_CM_KEY_HASH']], 'ConvKey' : [ 0xc, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x14, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], 'KcbPushlock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x20, ['pointer', ['_KTHREAD']]], 'SharedCount' : [ 0x20, ['long']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, 
['unsigned long']], 'KcbUserFlags' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x6c, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x74, ['_LIST_ENTRY']], 'Stolen' : [ 0x74, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x7c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x80, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x88, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x90, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x98, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x9c, ['pointer', ['_UNICODE_STRING']]], } ], '_KLOCK_ENTRY' : [ 0x30, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ThreadUnsafe' : [ 0xc, ['pointer', ['void']]], 'HeadNodeByte' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['array', 2, ['unsigned char']]], 'AcquiredByte' : [ 0xf, ['unsigned char']], 'LockState' : [ 0x10, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x10, ['pointer', ['void']]], 'WaitingAndBusyByte' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['array', 2, ['unsigned char']]], 'InTreeByte' : [ 0x13, ['unsigned char']], 'SessionState' : [ 0x14, ['pointer', ['void']]], 'SessionId' : [ 0x14, ['unsigned long']], 'OwnerTree' : [ 0x18, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x20, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x18, ['unsigned char']], 'EntryLock' : [ 0x28, ['unsigned long']], 'AllBoosts' : [ 0x2c, ['unsigned short']], 'IoBoost' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'CpuBoostsBitmap' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x2e, 
['BitField', dict(start_bit = 0, end_bit = 15, native_type='unsigned short')]], 'IoPriorityBit' : [ 0x2e, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InStore' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1edd' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x68, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_1edd']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['_MODWRITER_FLAGS']], 'ByteCount' : [ 0x18, ['unsigned long']], 'PagingFile' : [ 0x1c, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x24, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x28, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x30, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x38, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x40, ['pointer', ['_MDL']]], 'Mdl' : [ 0x44, ['_MDL']], 'Page' : [ 0x60, 
['array', 1, ['unsigned long']]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 
'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x50, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'ContextSwitches' : [ 0x18, ['unsigned long long']], 'ReadOperationCount' : [ 0x20, ['long long']], 'WriteOperationCount' : [ 0x28, ['long long']], 'OtherOperationCount' : [ 0x30, ['long long']], 'ReadTransferCount' : [ 0x38, ['long long']], 'WriteTransferCount' : [ 0x40, ['long long']], 'OtherTransferCount' : [ 0x48, ['long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Spare' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, 
['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_CMHIVE' : [ 0xc20, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x3b8, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x3d0, ['_LIST_ENTRY']], 'HiveList' : [ 0x3d8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x3e0, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x3e8, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x3ec, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x3f4, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x3f8, ['unsigned long']], 'DeletedKcbTable' : [ 0x3fc, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0x400, ['unsigned long']], 'Identity' : [ 0x404, ['unsigned long']], 'HiveLock' : [ 0x408, ['pointer', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x40c, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x410, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x414, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0x41c, ['unsigned long']], 'FlushLogEntry' : [ 0x420, ['pointer', ['unsigned char']]], 'FlushLogEntrySize' : [ 0x424, ['unsigned long']], 'FlushHiveTruncated' : [ 0x428, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0x42c, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0x430, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0x438, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0x43c, ['pointer', ['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0x440, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0x444, ['pointer', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0x448, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0x44c, ['unsigned 
long']], 'LastShrinkHiveSize' : [ 0x450, ['unsigned long']], 'ActualFileSize' : [ 0x458, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0x460, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0x470, ['_UNICODE_STRING']], 'FileUserName' : [ 0x478, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x480, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x488, ['unsigned long']], 'SecurityCacheSize' : [ 0x48c, ['unsigned long']], 'SecurityHitHint' : [ 0x490, ['long']], 'SecurityCache' : [ 0x494, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x498, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x698, ['unsigned long']], 'UnloadEventArray' : [ 0x69c, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x6a0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x6a4, ['unsigned char']], 'UnloadWorkItem' : [ 0x6a8, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x6ac, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x6c0, ['unsigned char']], 'GrowOffset' : [ 0x6c4, ['unsigned long']], 'KcbConvertListHead' : [ 0x6c8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x6d0, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x6d8, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0x6dc, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0x9a4, ['unsigned long']], 'TrustClassEntry' : [ 0x9a8, ['_LIST_ENTRY']], 'DirtyTime' : [ 0x9b0, ['unsigned long long']], 'UnreconciledTime' : [ 0x9b8, ['unsigned long long']], 'CmRm' : [ 0x9c0, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x9c4, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x9c8, ['long']], 'CreatorOwner' : [ 0x9cc, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0x9d0, ['pointer', ['_KTHREAD']]], 'LastWriteTime' : [ 0x9d8, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0x9e0, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0x9ec, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0x9f8, ['unsigned long']], 'FlushActive' : [ 0x9f8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 
0x9f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0x9f8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0x9f8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0x9fc, ['unsigned long']], 'ReferenceCount' : [ 0xa00, ['long']], 'UnloadHistoryIndex' : [ 0xa04, ['long']], 'UnloadHistory' : [ 0xa08, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0xc08, ['unsigned long']], 'UnaccessedStart' : [ 0xc0c, ['unsigned long']], 'UnaccessedEnd' : [ 0xc10, ['unsigned long']], 'LoadedKeyCount' : [ 0xc14, ['unsigned long']], 'HandleClosePending' : [ 0xc18, ['unsigned long']], 'HandleClosePendingEvent' : [ 0xc1c, ['_EX_PUSH_LOCK']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x28, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long']], 'DirtyPageThresholdTop' : [ 0x4, ['unsigned long']], 'DirtyPageThresholdBottom' : [ 0x8, ['unsigned long']], 'DirtyPageTarget' : [ 0xc, ['unsigned long']], 'AggregateAvailablePages' : [ 0x10, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x18, ['unsigned long long']], 'AvailableHistory' : [ 0x20, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', 
['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ForceCredits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, 
['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], 
'_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x3f8, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, 
['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x14, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x4, ['_RTL_BITMAP']], 'HashTable' : [ 0xc, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x10, ['unsigned char']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x84, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 
'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x78, ['unsigned long']], 'PreviousActivityCounter' : [ 0x7c, ['unsigned long']], 'WorkerTrimRequests' : [ 0x80, ['unsigned long']], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0xc, { 'ActiveThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'WaitList' : [ 0x4, ['pointer', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x8, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, 
['unsigned long']], } ], '_ETIMER' : [ 0xb8, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x28, ['unsigned long']], 'TimerApc' : [ 0x2c, ['_KAPC']], 'TimerDpc' : [ 0x5c, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x7c, ['_LIST_ENTRY']], 'Period' : [ 0x84, ['unsigned long']], 'TimerFlags' : [ 0x88, ['unsigned char']], 'ApcAssociated' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0x88, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0x88, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0x88, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0x89, ['unsigned char']], 'Spare2' : [ 0x8a, ['unsigned short']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x98, ['pointer', ['void']]], 'VirtualizedTimerLinks' : [ 0x9c, ['_LIST_ENTRY']], 'DueTime' : [ 0xa8, ['unsigned long long']], 'CoalescingWindow' : [ 0xb0, ['unsigned long']], } ], '_PROC_PERF_SNAP' : [ 0x40, { 'Time' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'Active' : [ 0x10, ['unsigned long long']], 'LastActive' : [ 0x18, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x4c, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'Count' : [ 0x14, ['unsigned long']], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 
0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'StackTrace' : [ 0x24, ['array', 8, ['pointer', ['void']]]], 'Who' : [ 0x44, ['unsigned long']], 'Process' : [ 0x48, ['pointer', ['_EPROCESS']]], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_EXHANDLE' : [ 0x4, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x2c8, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_ARBITER_INSTANCE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', 
['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '__unnamed_1fec' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1fee' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1fec']], } ], '__unnamed_1ff0' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_1fee']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1ff0']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned 
long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_HMAP_TABLE' : [ 0x1800, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'HandleCount' : [ 0x14, ['unsigned long']], 'Handles' : [ 0x18, ['pointer', ['pointer', ['void']]]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x50, { 'Prcb' : [ 0x0, ['pointer', ['_KPRCB']]], 'PerfContext' : [ 0x4, ['unsigned long']], 'PlatformCap' : [ 0x8, ['unsigned long']], 'ThermalCap' : [ 0xc, ['unsigned long']], 'LimitReasons' : [ 0x10, ['unsigned long']], 'PlatformCapStartTime' : [ 0x18, ['unsigned long long']], 'TargetPercent' : [ 0x20, ['unsigned long']], 'DesiredPercent' : [ 0x24, ['unsigned long']], 'SelectedPercent' : [ 0x28, ['unsigned long']], 'SelectedFrequency' : [ 0x2c, ['unsigned long']], 'PreviousFrequency' : [ 0x30, ['unsigned long']], 'PreviousPercent' : [ 0x34, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x38, ['unsigned long']], 'SelectedState' : [ 0x40, ['unsigned long long']], 'Force' : [ 0x48, ['unsigned char']], } ], '__unnamed_2003' : [ 0x10, { 'CallerCompletion' : [ 0x0, ['pointer', ['void']]], 'CallerContext' : [ 0x4, ['pointer', ['void']]], 'CallerDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0xc, ['unsigned char']], } ], '__unnamed_2006' : [ 0x8, { 'NotifyDevice' : [ 0x0, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x4, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'Pdo' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 
'TargetDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x18, ['unsigned long long']], 'WatchdogTimer' : [ 0x20, ['_KTIMER']], 'WatchdogDpc' : [ 0x48, ['_KDPC']], 'MinorFunction' : [ 0x68, ['unsigned char']], 'PowerStateType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0x70, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0x74, ['unsigned char']], 'FxDevice' : [ 0x78, ['pointer', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0x7c, ['unsigned char']], 'NotifyPEP' : [ 0x7d, ['unsigned char']], 'Device' : [ 0x80, ['__unnamed_2003']], 'System' : [ 0x80, ['__unnamed_2006']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : 
[ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, 
['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_MI_USER_VA_INFO' : [ 0xd1c, { 'NumberOfCommittedPageTables' : [ 0x0, ['unsigned long']], 'PhysicalMappingCount' : [ 0x4, ['unsigned long']], 'VadBitMapHint' : [ 0x8, ['unsigned long']], 'LastAllocationSizeHint' : [ 0xc, ['unsigned long']], 'LastAllocationSize' : [ 0x10, ['unsigned long']], 'LowestBottomUpVadBit' : [ 0x14, ['unsigned long']], 'VadBitMapSize' : [ 0x18, ['unsigned long']], 'VadBitMapCommitment' : [ 0x1c, ['unsigned long']], 'MaximumLastVadBit' : [ 0x20, ['unsigned long']], 'VadsBeingDeleted' : [ 0x24, ['long']], 'LastVadDeletionEvent' : [ 0x28, ['pointer', ['_KEVENT']]], 'VadBitBuffer' : [ 0x2c, ['pointer', ['unsigned long']]], 'LowestBottomUpAllocationAddress' : [ 0x30, ['pointer', ['void']]], 'HighestTopDownAllocationAddress' : [ 0x34, ['pointer', ['void']]], 'FreeTebHint' : [ 0x38, ['pointer', ['void']]], 'NumaAware' : [ 0x3c, ['unsigned char']], 'PrivateFixupVadCount' : [ 0x40, ['unsigned long']], 'CfgBitMap' : [ 0x44, ['array', 1, ['_MI_CFG_BITMAP_INFO']]], 'CommittedPageTableBufferForTopLevel' : [ 0x54, ['array', 48, ['unsigned long']]], 'CommittedPageTableBitmaps' : [ 0x114, ['array', 1, ['_RTL_BITMAP']]], 'UsedPageTableEntries' : [ 0x11c, ['array', 1536, ['unsigned short']]], } ], '_PROC_FEEDBACK' : [ 0x68, { 'Lock' : [ 0x0, ['unsigned long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x20, ['unsigned long long']], 'UnscaledTime' : [ 0x28, ['unsigned long long']], 'UnaccountedTime' : [ 0x30, ['long long']], 'ScaledTime' : [ 0x38, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x48, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x50, ['unsigned long long']], 'UserTimeLast' : [ 0x58, ['unsigned long']], 'KernelTimeLast' : [ 0x5c, ['unsigned long']], 'KernelTimesIndex' : [ 0x60, ['unsigned 
char']], } ], '__unnamed_201d' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2021' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_2023' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_2025' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_2027' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_2029' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_202b' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_202d' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_202f' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2031' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, 
['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2033' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_2035' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_201d']], 'Memory' : [ 0x0, ['__unnamed_201d']], 'Interrupt' : [ 0x0, ['__unnamed_2021']], 'Dma' : [ 0x0, ['__unnamed_2023']], 'DmaV3' : [ 0x0, ['__unnamed_2025']], 'Generic' : [ 0x0, ['__unnamed_201d']], 'DevicePrivate' : [ 0x0, ['__unnamed_2027']], 'BusNumber' : [ 0x0, ['__unnamed_2029']], 'ConfigData' : [ 0x0, ['__unnamed_202b']], 'Memory40' : [ 0x0, ['__unnamed_202d']], 'Memory48' : [ 0x0, ['__unnamed_202f']], 'Memory64' : [ 0x0, ['__unnamed_2031']], 'Connection' : [ 0x0, ['__unnamed_2033']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_2035']], } ], '_POP_THERMAL_ZONE' : [ 0x170, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], 'State' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], 'Removing' : [ 0x22, 
['unsigned char']], 'Mode' : [ 0x23, ['unsigned char']], 'PendingMode' : [ 0x24, ['unsigned char']], 'ActivePoint' : [ 0x25, ['unsigned char']], 'PendingActivePoint' : [ 0x26, ['unsigned char']], 'Critical' : [ 0x27, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x28, ['long']], 'Throttle' : [ 0x2c, ['long']], 'PendingThrottle' : [ 0x30, ['long']], 'ThrottleReasons' : [ 0x34, ['unsigned long']], 'LastTime' : [ 0x38, ['unsigned long long']], 'SampleRate' : [ 0x40, ['unsigned long']], 'LastTemp' : [ 0x44, ['unsigned long']], 'PassiveTimer' : [ 0x48, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'Info' : [ 0x90, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0xe0, ['_LARGE_INTEGER']], 'Policy' : [ 0xe8, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0xfc, ['unsigned char']], 'Metrics' : [ 0x100, ['_POP_THERMAL_ZONE_METRICS']], 'WorkItem' : [ 0x130, ['_WORK_QUEUE_ITEM']], 'Lock' : [ 0x140, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x148, ['_KEVENT']], 'TemperatureUpdated' : [ 0x158, ['_KEVENT']], 'InstanceId' : [ 0x168, ['unsigned long']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned 
long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x3b8, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'Allocate' : [ 0x8, ['pointer', ['void']]], 'Free' : [ 0xc, ['pointer', ['void']]], 'FileWrite' : [ 0x10, ['pointer', ['void']]], 'FileRead' : [ 0x14, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x18, ['pointer', ['void']]], 'BaseBlock' : [ 0x1c, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x20, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x28, ['unsigned long']], 'DirtyAlloc' : [ 0x2c, ['unsigned long']], 'UnreconciledVector' : [ 0x30, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x38, ['unsigned long']], 'BaseBlockAlloc' : [ 0x3c, ['unsigned long']], 'Cluster' : [ 0x40, ['unsigned long']], 'Flat' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x44, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x44, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x45, ['unsigned char']], 'HvBinHeadersUse' : [ 0x48, ['unsigned long']], 'HvFreeCellsUse' : [ 0x4c, ['unsigned long']], 'HvUsedCellsUse' : [ 0x50, ['unsigned long']], 'CmUsedCellsUse' : [ 0x54, ['unsigned long']], 'HiveFlags' : [ 0x58, ['unsigned long']], 'CurrentLog' : [ 0x5c, ['unsigned long']], 'CurrentLogSequence' : [ 0x60, ['unsigned long']], 'CurrentLogOffset' : [ 0x64, ['unsigned long']], 'MinimumLogSequence' : [ 0x68, ['unsigned long']], 'LogDataPresent' : [ 0x6c, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0x6e, ['unsigned char']], 'BaseBlockDirty' : [ 0x6f, ['unsigned char']], 'FirstLogFile' : [ 0x70, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'SecondLogFile' : [ 0x70, ['BitField', 
dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 'HeaderRecovered' : [ 0x70, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0x70, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0x70, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0x70, ['unsigned short']], 'LogEntriesRecovered' : [ 0x72, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0x74, ['unsigned long']], 'StorageTypeCount' : [ 0x78, ['unsigned long']], 'Version' : [ 0x7c, ['unsigned long']], 'Storage' : [ 0x80, ['array', 2, ['_DUAL']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x30, { 'ActiveCount' : [ 0x0, ['unsigned long']], 'PassiveCount' : [ 0x4, ['unsigned long']], 'LastActiveStartTime' : [ 0x8, ['unsigned long long']], 'AverageActiveTime' : [ 0x10, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x18, ['unsigned long long']], 'AveragePassiveTime' : [ 0x20, ['unsigned long long']], 'StartTickSinceLastReset' : [ 0x28, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' 
: [ 0x48, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 'SecurityQos' : [ 0x1c, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 
0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Spare0' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1e, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1d, ['unsigned char']], } ], '__unnamed_208d' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_208f' : [ 0x10, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_208d']], } ], '_VF_TARGET_DRIVER' : [ 0x1c, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x8, ['__unnamed_208f']], 'VerifiedData' : [ 0x18, ['pointer', 
['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_2098' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_209a' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_209c' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceId' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_209e' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_20a0' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_20a2' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20a4' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_20a6' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20a8' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_20aa' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_2098']], 'TargetDevice' : [ 0x0, ['__unnamed_209a']], 'InstallDevice' : [ 0x0, ['__unnamed_209a']], 'CustomNotification' : [ 0x0, ['__unnamed_209c']], 'ProfileNotification' : [ 0x0, ['__unnamed_209e']], 'PowerNotification' : [ 0x0, ['__unnamed_20a0']], 'VetoNotification' : [ 0x0, ['__unnamed_20a2']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20a4']], 'InvalidIDNotification' : [ 0x0, 
['__unnamed_20a6']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_20a8']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_209a']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_209a']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x44, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_20aa']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 
0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x60, { 'Context' : [ 0x0, ['pointer', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x48, ['unsigned long']], 'DependencyUsed' : [ 0x4c, ['unsigned long']], 'DependencyArray' : [ 0x50, ['pointer', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x54, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x58, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x5c, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], } ], '__unnamed_20c6' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit 
= 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_20c6']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 
'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x58, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', 
dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], 'WaitObjectFlagMask' : [ 0x50, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x54, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x56, ['unsigned short']], } ], '__unnamed_20fb' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['_RTL_AVL_TREE']], 'u' : [ 0x14, ['__unnamed_20fb']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 
'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_DIRTY_PAGE_STATISTICS' : [ 0xc, { 'DirtyPages' : [ 0x0, ['unsigned long']], 'DirtyPagesLastScan' : [ 0x4, ['unsigned long']], 'DirtyPagesScheduledLastScan' : [ 0x8, ['unsigned long']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x10, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned 
char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', 
dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, 
native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 
0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_KPRIQUEUE' : [ 0x19c, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x110, ['array', 32, ['long']]], 'MaximumCount' : [ 0x190, ['unsigned long']], 'ThreadListHead' : [ 0x194, ['_LIST_ENTRY']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_WAITING_IRP' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'CompletionRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'Information' : [ 0x18, ['unsigned long']], 'BreakAllRH' : [ 
0x1c, ['unsigned char']], } ], '_POP_SYSTEM_IDLE' : [ 0x40, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned long']], 'IdleWorker' : [ 0x28, ['unsigned char']], 'Sampling' : [ 0x29, ['unsigned char']], 'LastTick' : [ 0x30, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x38, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x10, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0xc, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_KSCHEDULING_GROUP' : [ 0x140, { 'Value' : [ 0x0, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'HardCap' : [ 0x3, ['unsigned char']], 'RelativeWeight' : [ 0x4, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x8, ['unsigned long long']], 'NotificationCycles' : [ 0x10, ['long long']], 'SchedulingGroupList' : [ 0x18, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x20, ['pointer', ['_KDPC']]], 'PerProcessor' : [ 0x40, ['array', 1, ['_KSCB']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x18, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' 
: [ 0xc, ['unsigned long']], 'ObjectInfo' : [ 0x10, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x14, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x18, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'Irp' : [ 0xc, ['pointer', ['_IRP']]], 'Device' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Static' : [ 0x14, ['unsigned char']], } ], '_POP_POLICY_DEVICE' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 
'PolicyDeviceFan', 10: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], } ], '__unnamed_217a' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_217c' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_217e' : [ 0xc, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_2180' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_217e']], 'Translated' : [ 0x0, ['__unnamed_217c']], } ], '__unnamed_2182' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_2184' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_2186' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_2188' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_218a' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_218c' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_218e' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_2190' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_217a']], 'Port' : [ 0x0, 
['__unnamed_217a']], 'Interrupt' : [ 0x0, ['__unnamed_217c']], 'MessageInterrupt' : [ 0x0, ['__unnamed_2180']], 'Memory' : [ 0x0, ['__unnamed_217a']], 'Dma' : [ 0x0, ['__unnamed_2182']], 'DmaV3' : [ 0x0, ['__unnamed_2184']], 'DevicePrivate' : [ 0x0, ['__unnamed_2027']], 'BusNumber' : [ 0x0, ['__unnamed_2186']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_2188']], 'Memory40' : [ 0x0, ['__unnamed_218a']], 'Memory48' : [ 0x0, ['__unnamed_218c']], 'Memory64' : [ 0x0, ['__unnamed_218e']], 'Connection' : [ 0x0, ['__unnamed_2033']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_2190']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_2198' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_2198']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_21a2' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_21a2']], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', 
['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '_POP_FX_DEVICE' : [ 0x140, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'IrpData' : [ 0xc, ['pointer', ['_POP_IRP_DATA']]], 'Status' : [ 0x10, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x14, ['long']], 'PowerNotReqCall' : [ 0x18, ['long']], 'Plugin' : [ 0x1c, ['pointer', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x20, ['pointer', ['PEPHANDLE__']]], 'MiniPlugin' : [ 0x24, ['pointer', ['_POP_FX_PLUGIN']]], 'MiniPluginHandle' : [ 0x28, ['pointer', ['PEPHANDLE__']]], 'DevNode' : [ 0x2c, ['pointer', ['_DEVICE_NODE']]], 'DeviceObject' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x38, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0x54, ['pointer', ['void']]], 'RemoveLock' : [ 0x58, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0x70, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0x8c, ['unsigned long']], 'IdleTimer' : [ 0x90, ['_KTIMER']], 'IdleDpc' : [ 0xb8, ['_KDPC']], 'IdleTimeout' : [ 0xd8, ['unsigned long long']], 'IdleStamp' : [ 0xe0, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0xe8, ['pointer', ['_DEVICE_OBJECT']]], 'NextIrpPowerState' : [ 0xec, ['_POWER_STATE']], 'NextIrpCallerCompletion' : [ 0xf0, ['pointer', ['void']]], 'NextIrpCallerContext' : [ 0xf4, ['pointer', ['void']]], 'IrpCompleteEvent' : [ 0xf8, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x108, ['pointer', ['void']]], 'Accounting' : [ 0x110, ['_POP_FX_ACCOUNTING']], 'ComponentCount' : [ 0x138, ['unsigned long']], 'Components' : [ 0x13c, ['array', 1, ['pointer', ['_POP_FX_COMPONENT']]]], } ], '__unnamed_21bb' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_21bd' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_21bb']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x40, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned 
long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, ['_LIST_ENTRY']], 'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x30, ['_LIST_ENTRY']], 'Specific' : [ 0x38, ['__unnamed_21bd']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x30, { 'BadPageCount' : [ 0x0, ['unsigned long']], 'BadPagesDetected' : [ 0x4, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x8, ['long']], 'ScrubPasses' : [ 0xc, ['long']], 'ScrubBadPagesFound' : [ 0x10, ['long']], 'FeatureBits' : [ 0x18, ['unsigned long long']], 'TimeZoneId' : [ 0x20, ['unsigned long']], 'ExceptionChainTerminator' : [ 0x24, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'ExceptionChainTerminatorRecord' : [ 0x28, ['_EXCEPTION_REGISTRATION_RECORD']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 
'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'InProgressFlags' : [ 0x14, ['unsigned char']], 'KernelApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_DELAY_ACK_FO' : [ 0xc, { 'Links' : [ 0x0, 
['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned 
long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x34, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], } ], 
'_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x24, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'Context' : [ 0xc, ['pointer', ['void']]], 'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 
'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x14, ['unsigned long']], 'Status' : [ 0x18, ['long']], 'Information' : [ 0x1c, ['pointer', ['void']]], 'ReferenceCount' : [ 0x20, ['long']], } ], '__unnamed_2224' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_2226' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_2228' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_222a' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_2224']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_2226']], 'Raw' : [ 0x0, ['__unnamed_2228']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x2c, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'Operation' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0x8, ['__unnamed_222a']], 'Stack' : [ 0x10, ['array', 7, ['pointer', ['void']]]], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, 
['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_2233' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_2236' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x28, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['long']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u' : [ 0x1c, ['__unnamed_2233']], 'u1' : [ 0x20, ['__unnamed_2236']], 'EventList' : [ 0x24, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x8, { 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 31, 
native_type='unsigned long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'LockState' : [ 0x0, ['pointer', ['void']]], 'SessionState' : [ 0x4, ['pointer', ['void']]], 'SessionId' : [ 0x4, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x8, ['unsigned long']], 'SyncCallback' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, 
['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 
'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 
'ExHandleTable' : [ 0xc, ['pointer', ['_HANDLE_TABLE']]], 'Flags' : [ 0x10, ['unsigned long']], 'NumberOfBuckets' : [ 0x14, ['unsigned long']], 'Buckets' : [ 0x18, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '__unnamed_2277' : [ 0x10, { 'ProgrammedTime' : [ 0x0, ['unsigned long long']], 'TimerInfo' : [ 0x8, ['pointer', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0xd8, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', 
dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x58, ['array', 3, ['__unnamed_2277']]], 'FilteredCapabilities' : [ 0x88, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, 
{ 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x28, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 
310, ['unsigned long']]], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3d0, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0x90, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 
'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, 
{ 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x2a0, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 
'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, ['unsigned long']], 'PackageDependencyData' : [ 0x298, ['pointer', ['void']]], 'ProcessGroupId' : [ 0x29c, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 
'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_LOCK_HEADER' : [ 0x10, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x4, ['unsigned long']], 'Lock' : [ 0x8, ['unsigned long']], 'Valid' : [ 0xc, ['unsigned long']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 
'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_2323' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1fc0, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2323']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x18, ['unsigned long']], 'NonPagablePages' : [ 0x1c, ['unsigned long']], 'CommittedPages' : [ 0x20, ['unsigned long']], 'PagedPoolStart' : [ 0x24, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x28, ['pointer', ['void']]], 'SessionObject' : [ 0x2c, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x30, ['pointer', ['void']]], 'SessionPoolAllocationFailures' : [ 0x34, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x44, ['_LIST_ENTRY']], 'LocaleId' : [ 0x4c, ['unsigned long']], 'AttachCount' : [ 0x50, ['unsigned long']], 'AttachGate' : [ 0x54, ['_KGATE']], 'WsListEntry' : [ 0x64, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 24, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xc80, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xcb8, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xcf0, ['_MMSUPPORT']], 'Wsle' : [ 0xd60, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xd64, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xd80, ['_POOL_DESCRIPTOR']], 
'PageTables' : [ 0x1ec0, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1ec8, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f10, ['_FAST_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1f30, ['long']], 'PagedPoolPdeCount' : [ 0x1f34, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f38, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f3c, ['unsigned long']], 'SystemPteInfo' : [ 0x1f40, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f78, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1f7c, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1f80, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1f84, ['unsigned long']], 'IoState' : [ 0x1f88, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1f8c, ['unsigned long']], 'IoNotificationEvent' : [ 0x1f90, ['_KEVENT']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '__unnamed_2333' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_2336' : [ 0x4, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x48, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x28, ['__unnamed_2333']], 'Subsection' : [ 0x2c, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x30, ['pointer', 
['_MMPTE']]], 'LastContiguousPte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x38, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x40, ['pointer', ['_EPROCESS']]], 'u4' : [ 0x44, ['__unnamed_2336']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_NONOPAQUE_OPLOCK' : [ 0x50, { 'IrpExclusiveOplock' : [ 0x0, ['pointer', ['_IRP']]], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x8, ['pointer', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'WaiterPriority' : [ 0x10, ['unsigned char']], 'IrpOplocksR' : [ 0x14, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x1c, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x24, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x2c, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x34, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x3c, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x44, ['pointer', ['_GUID']]], 'OplockState' : [ 0x48, ['unsigned long']], 'FastMutex' : [ 0x4c, ['pointer', ['_FAST_MUTEX']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, 
native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 
'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_FAST_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 
0x28, ['pointer', ['_MMPTE']]], 'MaximumSize' : [ 0x2c, ['unsigned long']], 'PagedPoolHint' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x18, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x8, ['pointer', ['void']]], 'SessionViewVa' : [ 0x8, ['pointer', ['void']]], 'VadsProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Type' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'SubsectionType' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SectionOffset' : [ 0x10, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0x18, ['unsigned long']], 'Processors' : [ 0x1c, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0x20, ['pointer', ['void']]], 'BoostPolicyHandler' : [ 0x24, ['pointer', ['void']]], 'BoostModeHandler' : [ 0x28, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x2c, ['pointer', ['void']]], 'PerfControlHandler' : [ 0x30, ['pointer', ['void']]], 'MaxFrequency' : [ 0x34, ['unsigned long']], 'NominalFrequency' : [ 0x38, ['unsigned long']], 'MaxPercent' : [ 0x3c, ['unsigned long']], 'MinPerfPercent' : [ 0x40, ['unsigned long']], 'MinThrottlePercent' : [ 0x44, ['unsigned long']], 'Coordination' : [ 0x48, ['unsigned char']], 'HardPlatformCap' : [ 0x49, ['unsigned char']], 'AffinitizeControl' : [ 0x4a, ['unsigned char']], 'SelectedPercent' : [ 0x4c, ['unsigned long']], 'SelectedFrequency' : [ 0x50, ['unsigned long']], 'DesiredPercent' 
: [ 0x54, ['unsigned long']], 'MaxPolicyPercent' : [ 0x58, ['unsigned long']], 'MinPolicyPercent' : [ 0x5c, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x60, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x64, ['unsigned long']], 'GuaranteedPercent' : [ 0x68, ['unsigned long']], 'TolerancePercent' : [ 0x6c, ['unsigned long']], 'SelectedState' : [ 0x70, ['unsigned long long']], 'Force' : [ 0x78, ['unsigned char']], 'PerfChangeTime' : [ 0x80, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0x88, ['unsigned long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_RELATION_LIST' : [ 0x14, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_ETW_BUFFER_QUEUE' : [ 0xc, { 'QueueHead' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueTail' : [ 0x4, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x8, 
['_SINGLE_LIST_ENTRY']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x48, { 'Lock' : [ 0x0, ['unsigned long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long']], 'SpecialPoolPdes' : [ 0x3c, ['_RTL_BITMAP']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x4, { 'LogHandleContext' : [ 0x0, ['pointer', ['_LOG_HANDLE_CONTEXT']]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_CURRENT_BROADCAST' : [ 0x10, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'DeviceState' : [ 0xc, ['pointer', ['_POP_DEVICE_SYS_STATE']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_FAST_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_IOV_IRP_TRACE' : [ 0x40, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], 
'KernelApcDisable' : [ 0x8, ['short']], 'SpecialApcDisable' : [ 0xa, ['short']], 'CombinedApcDisable' : [ 0x8, ['unsigned long']], 'Irql' : [ 0xc, ['unsigned char']], 'StackTrace' : [ 0x10, ['array', 12, ['pointer', ['void']]]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x4, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '__unnamed_23b8' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_23ba' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_23b8']], 'Button' : [ 0xc, ['__unnamed_23ba']], } ], '_KDPC_DATA' : [ 0x18, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], 'ActiveDpc' : [ 0x14, ['pointer', ['_KDPC']]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 
'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_KSCB' : [ 0xe0, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'UnderQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'RankCycleTarget' : [ 0x10, ['unsigned long long']], 'LongTermCycles' : [ 0x18, ['unsigned long long']], 'LastReportedCycles' : [ 0x20, ['unsigned long long']], 'OverQuotaHistory' : [ 0x28, ['unsigned long long']], 'ReadyTime' : [ 0x30, ['unsigned long long']], 'InsertTime' : [ 0x38, ['unsigned long long']], 'PerProcessorList' : [ 0x40, ['_LIST_ENTRY']], 'QueueNode' : [ 0x48, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x54, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OverQuota' : [ 0x54, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardCap' : [ 0x54, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x54, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Spare1' : [ 0x54, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x55, ['unsigned char']], 'ReadySummary' : [ 0x56, ['unsigned short']], 'Rank' : [ 0x58, ['unsigned long']], 'ReadyListHead' : [ 0x5c, ['array', 16, ['_LIST_ENTRY']]], } ], '__unnamed_23ca' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_23cc' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_23ca']], 'Merged' : [ 0x10, ['__unnamed_23cc']], 
'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_PROC_PERF_HISTORY' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'HistoryList' : [ 0x8, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '__unnamed_23d8' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_23d8']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer', ['_MMPTE']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 
'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : 
[ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_23ec' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_23f0' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_23ec']], 'u2' : [ 0x24, ['__unnamed_23f0']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '__unnamed_23f9' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit 
= 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_23fb' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_23f9']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x90, { 'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_23fb']], 'Signature' : [ 0x14, ['unsigned long']], 'PoolPageHeaders' : [ 0x18, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, ['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 
'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long']], 'PipelinedReadAheadRequestSize' : [ 0x54, ['unsigned long']], 'ReadAheadGrowth' : [ 0x58, ['unsigned long']], 'PrivateLinks' : [ 0x5c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x64, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 
0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PTE_TRACKER' : [ 0x44, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 7, ['pointer', ['void']]]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', 
['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x28, { 'InstantaneousRead' : [ 0x0, ['pointer', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'DisableInterrupts' : [ 0x22, ['unsigned char']], 'Context' : [ 0x24, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_HMAP_ENTRY' : [ 0xc, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'MemAlloc' : [ 0x8, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x1c, { 'HashLink' : [ 0x0, ['pointer', 
['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'Reference' : [ 0x8, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x18, ['unsigned char']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_DUAL' : [ 0x19c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x190, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x198, ['unsigned long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x4, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 11, native_type='unsigned long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned long']], 'CompletionEvent' : [ 0x18, ['pointer', 
['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'LowboxNumber' : [ 0x14, ['unsigned long']], 'AtomTable' : [ 0x18, ['pointer', ['void']]], } ], '_MI_CFG_BITMAP_INFO' : [ 0x10, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'RegionSize' : [ 0x4, ['unsigned long']], 'VadBaseAddress' : [ 0x8, ['pointer', ['void']]], 'BitmapVad' : [ 0xc, ['pointer', ['_MMVAD']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_FAST_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_FAST_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x28, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0xc, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0xc, ['array', 4, ['pointer', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0xc, ['pointer', ['void']]], 'SessionId' : [ 0x10, ['unsigned long']], 'Process' : [ 0x1c, ['pointer', ['_EPROCESS']]], 'CallbackContext' : [ 0x1c, ['pointer', ['void']]], 'Callback' : [ 0x20, ['pointer', ['void']]], 'Index' : [ 0x24, ['unsigned short']], 'Flags' : [ 0x26, ['unsigned char']], 'DbgKernelRegistration' : [ 0x26, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgUserRegistration' : [ 0x26, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned char')]], 'DbgReplyRegistration' : [ 0x26, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'DbgClassicRegistration' : [ 0x26, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'DbgSessionSpaceRegistration' : [ 0x26, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DbgModernRegistration' : [ 0x26, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DbgClosed' : [ 0x26, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DbgInserted' : [ 0x26, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'EnableMask' : [ 0x27, ['unsigned char']], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, 
['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0x88, { 'Count' : [ 0x0, ['unsigned long']], 'OriginalAffinity' : [ 0x4, ['_GROUP_AFFINITY']], 'SteeringListEntry' : [ 0x10, ['_LIST_ENTRY']], 'SteeringListRoot' : [ 0x18, ['pointer', ['void']]], 'IsrTime' : [ 0x20, ['unsigned long long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'IsrLoad' : [ 0x30, ['unsigned long']], 'DpcLoad' : [ 0x34, ['unsigned long']], 'IsPrimaryInterrupt' : [ 0x38, ['unsigned char']], 'InterruptObjectArray' : [ 0x3c, ['pointer', ['pointer', ['_KINTERRUPT']]]], 'InterruptObjectCount' : [ 0x40, ['unsigned long']], 'Vectors' : [ 0x48, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xa0, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, 
['_LIST_ENTRY']], 'InProgressLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x34, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x34, ['unsigned long']], 'PackagedBinary' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x34, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x34, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x34, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x34, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x34, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x34, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x34, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x34, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReservedFlags2' : [ 0x34, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x34, ['BitField', dict(start_bit = 15, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : 
[ 0x34, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x34, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x34, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x34, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x34, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x34, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x34, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x34, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x34, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Spare' : [ 0x4c, ['pointer', ['void']]], 'DdagNode' : [ 0x50, ['pointer', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0x54, ['_LIST_ENTRY']], 'SnapContext' : [ 0x5c, ['pointer', ['_LDRP_DLL_SNAP_CONTEXT']]], 'ParentDllBase' : [ 0x60, ['pointer', ['void']]], 'SwitchBackContext' : [ 0x64, ['pointer', ['void']]], 'BaseAddressIndexNode' : [ 0x68, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0x74, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0x80, ['unsigned long']], 'LoadTime' : [ 0x88, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x90, ['unsigned long']], 
'LoadReason' : [ 0x94, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x98, ['unsigned long']], } ], '_LDR_DDAG_NODE' : [ 0x30, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x8, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0xc, ['unsigned long']], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'DependencyCount' : [ 0x14, ['unsigned long']], 'Dependencies' : [ 0x18, ['_LDRP_CSLIST']], 'RemovalLink' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'IncomingDependencies' : [ 0x1c, ['_LDRP_CSLIST']],
# NOTE(review): in the 'State' choices of '_LDR_DDAG_NODE' below, four entries are keyed
# by one-character strings ('\xfb', '\xfc', '\xfd', '\xfe') while the remaining entries
# use int keys (0-9 and -1). Presumably these stand for -5, -4, -3 and -2 of a signed
# enum and were emitted as raw bytes by the type generator -- confirm against the symbols.
# If the enum lookup compares the integer read from the memory image with these keys, the
# Merged / InitError / SnapError / Unloaded loader states will not resolve to a name, so
# an analyst would see an unresolved value for modules in exactly those states -- TODO verify.
'State' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x28, ['unsigned long']], 'LowestLink' : [ 0x2c, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x104, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', 
['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'Order' : [ 0x1c, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0xec, ['_LIST_ENTRY']], 'Status' : [ 0xf4, ['long']], 'FailedDevice' : [ 0xf8, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0xfc, ['unsigned char']], 'Cancelled' : [ 0xfd, ['unsigned char']], 'IgnoreErrors' : [ 0xfe, ['unsigned char']], 'IgnoreNotImplemented' : [ 0xff, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x100, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LockedPages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'FloppyMedia' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ILOnly' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', 
dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x8, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x30, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Latency' : [ 0xc, ['unsigned long']], 'BreakEvenDuration' : [ 0x10, ['unsigned long']], 'Power' : [ 0x14, ['unsigned long']], 'StateFlags' : [ 0x18, ['unsigned long']], 'VetoAccounting' : [ 0x1c, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0x28, ['unsigned char']], 'InterruptsEnabled' 
: [ 0x29, ['unsigned char']], 'Interruptible' : [ 0x2a, ['unsigned char']], 'ContextRetained' : [ 0x2b, ['unsigned char']], 'CacheCoherent' : [ 0x2c, ['unsigned char']], 'WakesSpuriously' : [ 0x2d, ['unsigned char']], 'PlatformOnly' : [ 0x2e, ['unsigned char']], 'NoCState' : [ 0x2f, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x34, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x8, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0xc, ['long']], 'HighWaterMark' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['array', 8, ['unsigned long']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_24ae' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x14, { 'NodeRangeSize' : [ 0x0, ['unsigned long']], 'NodeCount' : [ 0x4, ['unsigned long']], 'Tables' : [ 0x8, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0xc, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_24ae']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_POP_FX_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['unsigned char']], 'DripsRequiredState' : [ 0x8, ['unsigned long']], 'Level' : [ 0xc, ['long']], 'ActiveStamp' : [ 0x10, ['long long']], 'CsActiveTime' : [ 0x18, ['unsigned long long']], 'CriticalActiveTime' : [ 0x20, ['long long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 
1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_RELATION_LIST_ENTRY' : [ 0x14, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['_DEVICE_OBJECT_LIST_ENTRY']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x6, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], } ], '_POP_FX_COMPONENT' : [ 0xb8, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x14, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x30, ['pointer', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x34, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x3c, ['long']], 'ActiveEvent' : [ 0x40, ['_KEVENT']], 'IdleLock' : [ 0x50, ['unsigned long']], 'IdleConditionComplete' : [ 0x54, ['long']], 'IdleStateComplete' : [ 0x58, ['long']], 'IdleStamp' : [ 0x60, ['unsigned long long']], 'CurrentIdleState' : [ 0x68, ['unsigned long']], 'IdleStateCount' : [ 0x6c, ['unsigned long']], 'IdleStates' : [ 0x70, ['pointer', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0x74, ['unsigned long']], 'ProviderCount' : [ 0x78, ['unsigned long']], 'Providers' : [ 0x7c, ['pointer', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0x80, ['unsigned long']], 'DependentCount' : [ 0x84, ['unsigned long']], 'Dependents' : [ 0x88, ['pointer', 
['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0x90, ['_POP_FX_ACCOUNTING']], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x8, { 'DeviceHandle' : [ 0x0, ['pointer', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x4, ['pointer', ['void']]], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x1c, { 'ComponentActive' : [ 0x0, ['pointer', ['void']]], 'ComponentIdle' : [ 0x4, ['pointer', ['void']]], 'ComponentIdleState' : [ 0x8, ['pointer', ['void']]], 'DevicePowerRequired' : [ 0xc, ['pointer', ['void']]], 'DevicePowerNotRequired' : [ 0x10, ['pointer', ['void']]], 'PowerControl' : [ 0x14, ['pointer', ['void']]], 'ComponentCriticalTransition' : [ 0x18, ['pointer', ['void']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x2c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x8, ['unsigned char']], 'Spare' : [ 0x9, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0xc, ['unsigned long']], 'DebugId' : [ 0x10, ['_CVDD']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40f0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'StackLimitHits' : [ 0x4038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 
0x403c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x4040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4044, ['unsigned long']], 'TotalReleases' : [ 0x4048, ['unsigned long']], 'RootNodesDeleted' : [ 0x404c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x4050, ['unsigned long']], 'Instigator' : [ 0x4054, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4058, ['unsigned long']], 'Participant' : [ 0x405c, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40dc, ['long']], 'StackType' : [ 0x40e0, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x40e4, ['unsigned long']], 'StackHighLimit' : [ 0x40e8, ['unsigned long']], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, 
['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned 
long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 
17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 
0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x40, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'IRHints' : [ 0x30, ['unsigned long']], 'IRTruncatedHints' : [ 0x34, ['unsigned long']], 'ExpectedWakeReason' : [ 0x38, ['unsigned char']], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, 
['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x12, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_251c' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_251e' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_251c']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_251e']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned 
long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_2530' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_2530']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 
'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x18, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 
0x10, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_THERMAL_POLICY' : [ 0x14, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 
'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, 
['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_ETW_GUID_ENTRY' : [ 0x160, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['pointer', ['_ETW_FILTER_HEADER']]], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_258c' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_258e' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_258c']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_258e']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned 
long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x80, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x3c, ['pointer', ['void']]], 'Lock' : [ 0x40, ['long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1d, { 'PerUserPolicy' : [ 0x0, ['array', 29, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 
0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_25a2' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_25a4' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_25a8' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_25ac' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_25ae' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_25a2']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_25a4']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_25a8']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_25ac']], 'Others' : [ 0x0, ['__unnamed_25ae']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x4, { 'Function' : [ 0x0, ['pointer', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x68, { 'PlatformOnlyCount' : [ 0x0, ['unsigned long long']], 'PreVetoCount' : [ 0x8, ['unsigned long long']], 'VetoCount' : [ 0x10, ['unsigned long long']], 'IdleDurationCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, ['unsigned long 
long']], 'InterruptibleCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'WrongProcessorCount' : [ 0x40, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x48, ['unsigned long long']], 'CstateCheckCount' : [ 0x50, ['unsigned long long']], 'NoCStateCount' : [ 0x58, ['unsigned long long']], 'SelectedCount' : [ 0x60, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x4, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_HIVE_WAIT_PACKET' : [ 0x18, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Next' : [ 0x14, ['pointer', ['_HIVE_WAIT_PACKET']]], } ], '__unnamed_25bd' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_25bf' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_25c1' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_25bd']], 'Interrupt' : [ 0x0, ['__unnamed_25bf']], 'LocalInterrupt' : [ 0x0, ['__unnamed_25bf']], 'Sci' : [ 0x0, ['__unnamed_25bf']], 'Nmi' : [ 0x0, ['__unnamed_25bf']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_25c1']], } ], 
'_POP_HIBER_CONTEXT' : [ 0x120, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'VerifyKernelPhaseOnResume' : [ 0x3, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x4, ['unsigned char']], 'InitializationFinished' : [ 0x5, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'MapFrozen' : [ 0x14, ['unsigned char']], 'DiscardMap' : [ 0x18, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x18, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x20, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x28, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x30, ['unsigned long']], 'ClonedPageCount' : [ 0x38, ['unsigned long long']], 'CurrentMap' : [ 0x40, ['pointer', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x44, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x48, ['unsigned long']], 'LoaderMdl' : [ 0x4c, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x50, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x58, ['unsigned long long']], 'IoPages' : [ 0x60, ['pointer', ['void']]], 'IoPagesCount' : [ 0x64, ['unsigned long']], 'CurrentMcb' : [ 0x68, ['pointer', ['void']]], 'DumpStack' : [ 0x6c, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x70, ['pointer', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0x74, ['unsigned long']], 'Status' : [ 0x78, ['long']], 'GraphicsProc' : [ 0x7c, ['unsigned long']], 'MemoryImage' : [ 0x80, ['pointer', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0x84, ['pointer', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0x88, ['pointer', ['_MDL']]], 'SiLogOffset' : [ 0x8c, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0x90, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0x94, ['pointer', ['void']]], 'ResumeContext' : [ 0x98, ['pointer', ['void']]], 'ResumeContextPages' : [ 0x9c, ['unsigned long']], 'ProcessorCount' : [ 0xa0, ['unsigned long']], 'ProcessorContext' : [ 0xa4, ['pointer', 
['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0xa8, ['pointer', ['unsigned char']]], 'ProdConsSize' : [ 0xac, ['unsigned long']], 'MaxDataPages' : [ 0xb0, ['unsigned long']], 'ExtraBuffer' : [ 0xb4, ['pointer', ['void']]], 'ExtraBufferSize' : [ 0xb8, ['unsigned long']], 'ExtraMapVa' : [ 0xbc, ['pointer', ['void']]], 'BitlockerKeyPFN' : [ 0xc0, ['unsigned long']], 'IoInfo' : [ 0xc8, ['_POP_IO_INFO']], 'HardwareConfigurationSignature' : [ 0x118, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x100, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xc0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xc8, ['pointer', ['void']]], 'PointersLength' : [ 0xcc, ['unsigned long']], 'ModulePrefix' : [ 0xd0, ['pointer', ['unsigned short']]], 'DriverList' : [ 0xd4, 
['_LIST_ENTRY']], 'InitMsg' : [ 0xdc, ['_STRING']], 'ProgMsg' : [ 0xe4, ['_STRING']], 'DoneMsg' : [ 0xec, ['_STRING']], 'FileObject' : [ 0xf4, ['pointer', ['void']]], 'UsageType' : [ 0xf8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_PPM_VETO_ACCOUNTING' : [ 0xc, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x4, ['_LIST_ENTRY']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x24, { 'InitiatingThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ThreadId' : [ 0x8, ['pointer', ['void']]], 'ProcessId' : [ 0xc, ['pointer', ['void']]], 'Code' : [ 0x10, ['unsigned long']], 'Parameter1' : [ 0x14, ['unsigned long']], 'Parameter2' : [ 0x18, ['unsigned long']], 'Parameter3' : [ 0x1c, ['unsigned long']], 'Parameter4' : [ 0x20, ['unsigned long']], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, ['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 
'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 31, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x18, { 'Next' : [ 0x0, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'Gate' : [ 0x8, ['_KGATE']], 'SecureInfo' : [ 0x8, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x8, ['_RTL_BITMAP']], 'InPageSupport' : [ 0x8, ['pointer', ['_MMINPAGE_SUPPORT']]], 'PhysicalMemory' : [ 0x8, ['_MI_PHYSMEM_BLOCK']], 'LargePage' : [ 0x8, ['pointer', ['_MI_LARGEPAGE_MEMORY_INFO']]], } ], '__unnamed_25fc' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, 
['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_25fc']], } ], '__unnamed_2600' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2600']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], 'PO_MEMORY_IMAGE' : [ 0x2c8, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'NoFreePages' : [ 0x38, ['unsigned long']], 'FreeMapCheck' : [ 0x3c, ['unsigned long']], 'WakeCheck' : [ 0x40, ['unsigned long']], 'NumPagesForLoader' : [ 0x48, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x50, ['unsigned long']], 'FirstKernelRestorePage' : [ 0x54, ['unsigned long']], 'PerfInfo' : [ 0x58, 
['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x200, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x204, ['array', 1, ['unsigned long']]], 'SiLogOffset' : [ 0x208, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x20c, ['unsigned long']], 'BootLoaderLogPages' : [ 0x210, ['array', 24, ['unsigned long']]], 'NotUsed' : [ 0x270, ['unsigned long']], 'ResumeContextCheck' : [ 0x274, ['unsigned long']], 'ResumeContextPages' : [ 0x278, ['unsigned long']], 'Hiberboot' : [ 0x27c, ['unsigned char']], 'HvCr3' : [ 0x280, ['unsigned long long']], 'HvEntryPoint' : [ 0x288, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x290, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x298, ['unsigned long long']], 'BootFlags' : [ 0x2a0, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x2a8, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x2b0, ['unsigned long']], 'BitlockerKeyPfns' : [ 0x2b4, ['array', 4, ['unsigned long']]], 'HardwareSignature' : [ 0x2c4, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x10, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x1a8, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'TotalHibernateTime' : [ 0x30, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x38, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x3c, ['unsigned long']], 'BootmgrUserInputTime' : [ 
0x40, ['unsigned long']], 'ResumeAppTicks' : [ 0x48, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x50, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x58, ['unsigned long long']], 'ResumeInitTicks' : [ 0x60, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x68, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x70, ['unsigned long long']], 'ResumeIoTicks' : [ 0x78, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x80, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0x88, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0x90, ['unsigned long long']], 'ResumeMapTicks' : [ 0x98, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xa0, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xa8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xb0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xb8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xc0, ['unsigned long long']], 'HalTscOffset' : [ 0xc8, ['unsigned long long']], 'HvlTscOffset' : [ 0xd0, ['unsigned long long']], 'SleeperThreadEnd' : [ 0xd8, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0xe0, ['unsigned long long']], 'IoBoundedness' : [ 0xe8, ['unsigned long long']], 'KernelDecompressTicks' : [ 0xf0, ['unsigned long long']], 'KernelIoTicks' : [ 0xf8, ['unsigned long long']], 'KernelCopyTicks' : [ 0x100, ['unsigned long long']], 'ReadCheckCount' : [ 0x108, ['unsigned long long']], 'KernelInitTicks' : [ 0x110, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x118, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x120, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x128, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x130, ['unsigned long long']], 'AnimationStart' : [ 0x138, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x140, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x148, ['unsigned long']], 'BootPagesProcessed' : [ 0x150, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x158, 
['unsigned long long']], 'BootBytesWritten' : [ 0x160, ['unsigned long long']], 'KernelBytesWritten' : [ 0x168, ['unsigned long long']], 'BootPagesWritten' : [ 0x170, ['unsigned long long']], 'KernelPagesWritten' : [ 0x178, ['unsigned long long']], 'BytesWritten' : [ 0x180, ['unsigned long long']], 'PagesWritten' : [ 0x188, ['unsigned long']], 'FileRuns' : [ 0x18c, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x190, ['unsigned long']], 'MaxHuffRatio' : [ 0x194, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x198, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1a0, ['unsigned long long']], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_FREE_DISPLAY' : [ 0x10, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '__unnamed_261c' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_261c']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_MI_PHYSMEM_BLOCK' : [ 0x4, { 'IoTracker' : [ 0x0, ['pointer', ['_MMIO_TRACKER']]], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x70, { 'UncompressedData' : [ 0x0, ['pointer', ['unsigned char']]], 'MappingVa' : [ 0x4, ['pointer', ['void']]], 'XpressEncodeWorkspace' : [ 0x8, ['pointer', ['void']]], 'CompressedDataBuffer' : [ 0xc, ['pointer', ['unsigned char']]], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'CompressTicks' : [ 0x18, ['unsigned long long']], 'BytesCopied' : [ 0x20, ['unsigned long long']], 'PagesProcessed' : [ 0x28, 
['unsigned long long']], 'DecompressTicks' : [ 0x30, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x38, ['unsigned long long']], 'SharedBufferTicks' : [ 0x40, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x48, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x68, ['unsigned long']], 'HuffCompressCount' : [ 0x6c, ['unsigned long']], } ], '_DEVICE_OBJECT_LIST_ENTRY' : [ 0xc, { 'DeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'RelationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceRelation', 1: 'Dependent', 2: 'DirectDescendant'})]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_IO_REMOVE_LOCK' : [ 0x18, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_POP_IO_INFO' : [ 0x50, { 'DumpMdl' : [ 0x0, ['pointer', ['_MDL']]], 'IoStatus' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x8, ['unsigned long long']], 'IoBytesCompleted' : [ 0x10, ['unsigned long long']], 'IoBytesInProgress' : [ 0x18, ['unsigned long long']], 'RequestSize' : [ 0x20, ['unsigned long long']], 'IoLocation' : [ 0x28, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x30, ['unsigned long long']], 'Buffer' : [ 0x38, ['pointer', ['void']]], 'AsyncCapable' : [ 0x3c, ['unsigned char']], 'BytesToRead' : [ 0x40, ['unsigned long long']], 'Pages' : [ 0x48, ['unsigned long']], } ], '_LDRP_CSLIST' : [ 0x4, { 'Tail' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MMVIEW' : [ 0x28, { 'PteOffset' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['_MMVIEW_CONTROL_AREA']], 'ViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x18, ['pointer', ['void']]], 'SessionId' : [ 0x1c, ['unsigned long']], 'SessionIdForGlobalSubsections' : [ 0x20, ['unsigned long']], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_FILTER_HEADER' : [ 0x24, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x4, ['pointer', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x8, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0xc, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x10, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x14, ['pointer', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x18, ['pointer', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x1c, ['pointer', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x20, ['pointer', ['_EVENT_FILTER_HEADER']]], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_MMVIEW_CONTROL_AREA' : [ 0x4, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExceptionForInPageErrors' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UsedForControlArea' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_2652' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 
'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2654' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_2657' : [ 0x8, { 'IntrInfo' : [ 0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_265b' : [ 0x4, { 'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x40, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x14, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x20, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x30, ['__unnamed_2652']], 'XapicMessage' : [ 0x30, ['__unnamed_2654']], 'Hypertransport' : [ 0x30, ['__unnamed_2657']], 'GenericMessage' : [ 0x30, ['__unnamed_2654']], 'MessageRequest' : [ 0x30, ['__unnamed_265b']], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 
2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_266e' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2670' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2672' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_266e']], 'Gpt' : [ 0x0, ['__unnamed_2670']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xc0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MarkMemoryOnly' : [ 0x45, ['unsigned char']], 'HiberResume' : [ 0x46, ['unsigned char']], 'Reserved1' : [ 0x47, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_2672']], 'ReadRoutine' : [ 0x6c, ['pointer', ['void']]], 'GetDriveTelemetryRoutine' : [ 0x70, ['pointer', ['void']]], 'LogSectionTruncateSize' : [ 0x74, ['unsigned long']], 'Parameters' : [ 0x78, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xb8, ['pointer', ['void']]], 'DumpNotifyRoutine' : [ 0xbc, ['pointer', ['void']]], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 
0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '_ETW_QUEUE_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x8, ['pointer', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0xc, ['pointer', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x10, ['pointer', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x14, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned short']], 'ReplyIndex' : [ 0x1a, ['unsigned short']], 'Flags' : [ 0x1c, ['unsigned long']], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_KDPC_LIST' : [ 0x8, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x4, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0xd0, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x18, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 
'NominalPower' : [ 0x10, ['unsigned long']], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned 
long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '__unnamed_26a2' : [ 0x4, { 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_26a4' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_26a2']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_26a7' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_26a9' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_26a7']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 
'LowPart' : [ 0x0, ['__unnamed_26a4']], 'HighPart' : [ 0x4, ['__unnamed_26a9']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_MI_LARGEPAGE_MEMORY_INFO' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ColoredPageInfoBase' : [ 0x8, ['pointer', ['_COLORED_PAGE_INFO']]], 'PagesNeedZeroing' : [ 0xc, ['unsigned long']], } ], '__unnamed_26b9' : [ 0x8, { 'MessageAddressLow' : [ 0x0, ['unsigned long']], 'MessageData' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], } ], '__unnamed_26bb' : [ 0x8, { 'RemappedFormat' : [ 0x0, ['_ULARGE_INTEGER']], 'Msi' : [ 0x0, ['__unnamed_26b9']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_26bb']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned 
long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Xcr0' : [ 0x3c, ['unsigned long long']], 'ExceptionList' : [ 0x44, ['unsigned long']], 'Reserved' : [ 0x48, ['array', 3, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_MMIO_TRACKER' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PageFrameIndex' : [ 0x8, ['unsigned long']], 'NumberOfPages' : [ 0xc, ['unsigned long']], 'BaseVa' : [ 0x10, ['pointer', ['void']]], 'CacheFlushTimeStamp' : [ 0x10, ['unsigned long']], 'Mdl' : [ 0x14, ['pointer', ['_MDL']]], 'MdlPages' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x1c, ['array', 6, ['pointer', ['void']]]], 'CacheInfo' : [ 0x34, ['array', 1, ['_IO_CACHE_INFO']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '__unnamed_26ca' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_26cd' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0xe0, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'Event' : [ 0x10, ['_KEVENT']], 'CollidedEvent' : [ 0x20, ['_KEVENT']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'PteContents' : [ 0x40, ['_MMPTE']], 'Thread' : [ 0x48, ['pointer', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0x4c, ['pointer', ['_MMPFN']]], 'WaitCount' : [ 0x50, ['long']], 'ByteCount' : [ 0x54, ['unsigned long']], 'u3' : [ 
0x58, ['__unnamed_26ca']], 'u1' : [ 0x5c, ['__unnamed_26cd']], 'FilePointer' : [ 0x60, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x64, ['pointer', ['_CONTROL_AREA']]], 'Autoboost' : [ 0x68, ['pointer', ['void']]], 'FaultingAddress' : [ 0x6c, ['pointer', ['void']]], 'PointerPte' : [ 0x70, ['pointer', ['_MMPTE']]], 'BasePte' : [ 0x74, ['pointer', ['_MMPTE']]], 'Pfn' : [ 0x78, ['pointer', ['_MMPFN']]], 'PrefetchMdl' : [ 0x7c, ['pointer', ['_MDL']]], 'Mdl' : [ 0x80, ['_MDL']], 'Page' : [ 0x9c, ['array', 16, ['unsigned long']]], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'BoostedPriority' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare1' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 
'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_COLORED_PAGE_INFO' : [ 0x10, { 'BeingZeroed' : [ 0x0, ['long']], 'Processor' : [ 0x4, ['unsigned long']], 'PagesQueued' : [ 0x8, ['unsigned long']], 'PfnAllocation' : [ 0xc, ['pointer', ['_MMPFN']]], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 
'Base' : [ 0x4, ['unsigned long']], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x4, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_IO_CACHE_INFO' : [ 0x1, { 'CacheAttribute' : [ 0x0, ['unsigned char']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x4, ['pointer', ['unsigned short']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/xp.py0000644000000000000000000000470713131215405025365 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # Copyright (c) 2008 Brendan Dolan-Gavitt # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Brendan Dolan-Gavitt @license: GNU General Public License 2.0 @contact: bdolangavitt@wesleyan.edu This file provides support for Windows XP. 
"""

#pylint: disable-msg=C0111

import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.obj as obj

# Profile modification for Windows XP (version 5.1).
# `before` names 'WindowsOverlay', and `conditions` accepts os == 'windows',
# major == 5 and minor == 1. No memory-model condition is listed here, so
# nothing in this class restricts it to 32-bit profiles.
# NOTE(review): presumably the conditions are evaluated against a profile's
# _md_os / _md_major / _md_minor metadata -- confirm in obj.ProfileModification.
class XPOverlay(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x : x == 'windows',
        'major': lambda x: x == 5,
        'minor': lambda x: x == 1,
    }

    # Merges the XP-specific VOLATILITY_MAGIC constants into `profile`.
    # `profile` must provide merge_overlay(); nothing is returned.
    def modification(self, profile):
        def _magic(value):
            # Every member has the same shape: no offset, a VolatilityMagic
            # type and the constant it carries.
            return [None, ['VolatilityMagic', dict(value = value)]]

        magic_members = {
            # Four-byte pattern.
            # NOTE(review): presumably the signature searched for when
            # locating the directory table base -- confirm against the scanner.
            'DTBSignature': _magic("\x03\x00\x1b\x00"),
            # Eight zero bytes, the ASCII tag KDBG, then \x90\x02.
            # NOTE(review): presumably the header pattern used to find the
            # kernel debugger data block -- confirm against the KDBG scanner.
            'KDBGHeader': _magic('\x00\x00\x00\x00\x00\x00\x00\x00KDBG\x90\x02'),
            # NOTE(review): the names suggest hibernation-file parsing
            # constants; their consumers are not visible in this file.
            'HibrProcPage': _magic(0x2),
            'HibrEntryCount': _magic(0xff),
        }

        # NOTE(review): these are fixed patterns matched against acquired
        # memory, whose contents the examined system controls. Treat a missing
        # or altered signature as something to investigate, not as proof that
        # the structure is absent.
        profile.merge_overlay({'VOLATILITY_MAGIC': [None, magic_members]})

# The two XP profiles below carry identical version metadata (5.1, windows,
# 32bit) and differ only in the vtype module they name, so the conditions on
# XPOverlay accept both.
class WinXPSP2x86(obj.Profile):
    """ A Profile for Windows XP SP2 x86 """
    _md_major = 5
    _md_minor = 1
    _md_os = 'windows'
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.xp_sp2_x86_vtypes'
    _md_product = ["NtProductWinNt"]

class WinXPSP3x86(obj.Profile):
    """ A Profile for Windows XP SP3 x86 """
    _md_major = 5
    _md_minor = 1
    _md_os = 'windows'
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.xp_sp3_x86_vtypes'
    _md_product = ["NtProductWinNt"]
volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/vista_sp12_x64_syscalls.py0000644000000000000000000012460313131215405031345 0ustar rootroot# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: MHL @license: GNU General Public License 2.0 @contact: michael.ligh@mnin.org This file provides support for Vista SP1 and SP2 x64 """ syscalls = [ [ 'NtMapUserPhysicalPagesScatter', # 0x0 'NtWaitForSingleObject', # 0x1 'NtCallbackReturn', # 0x2 'NtReadFile', # 0x3 'NtDeviceIoControlFile', # 0x4 'NtWriteFile', # 0x5 'NtRemoveIoCompletion', # 0x6 'NtReleaseSemaphore', # 0x7 'NtReplyWaitReceivePort', # 0x8 'NtReplyPort', # 0x9 'NtSetInformationThread', # 0xa 'NtSetEvent', # 0xb 'NtClose', # 0xc 'NtQueryObject', # 0xd 'NtQueryInformationFile', # 0xe 'NtOpenKey', # 0xf 'NtEnumerateValueKey', # 0x10 'NtFindAtom', # 0x11 'NtQueryDefaultLocale', # 0x12 'NtQueryKey', # 0x13 'NtQueryValueKey', # 0x14 'NtAllocateVirtualMemory', # 0x15 'NtQueryInformationProcess', # 0x16 'NtWaitForMultipleObjects32', # 0x17 'NtWriteFileGather', # 0x18 'NtSetInformationProcess', # 0x19 'NtCreateKey', # 0x1a 'NtFreeVirtualMemory', # 0x1b 'NtImpersonateClientOfPort', # 0x1c 'NtReleaseMutant', # 0x1d 'NtQueryInformationToken', # 0x1e 'NtRequestWaitReplyPort', # 0x1f 'NtQueryVirtualMemory', # 0x20 'NtOpenThreadToken', # 0x21 'NtQueryInformationThread', # 0x22 'NtOpenProcess', # 0x23 'NtSetInformationFile', # 0x24 'NtMapViewOfSection', # 0x25 'NtAccessCheckAndAuditAlarm', # 0x26 'NtUnmapViewOfSection', # 0x27 'NtReplyWaitReceivePortEx', # 0x28 'NtTerminateProcess', # 0x29 'NtSetEventBoostPriority', # 0x2a 'NtReadFileScatter', # 0x2b 'NtOpenThreadTokenEx', # 0x2c 'NtOpenProcessTokenEx', # 0x2d 'NtQueryPerformanceCounter', # 0x2e 'NtEnumerateKey', # 0x2f 'NtOpenFile', # 0x30 'NtDelayExecution', # 0x31 'NtQueryDirectoryFile', # 0x32 'NtQuerySystemInformation', # 0x33 'NtOpenSection', # 0x34 'NtQueryTimer', # 0x35 'NtFsControlFile', # 0x36 'NtWriteVirtualMemory', # 0x37 'NtCloseObjectAuditAlarm', # 0x38 'NtDuplicateObject', # 0x39 'NtQueryAttributesFile', # 0x3a 'NtClearEvent', # 
0x3b 'NtReadVirtualMemory', # 0x3c 'NtOpenEvent', # 0x3d 'NtAdjustPrivilegesToken', # 0x3e 'NtDuplicateToken', # 0x3f 'NtContinue', # 0x40 'NtQueryDefaultUILanguage', # 0x41 'NtQueueApcThread', # 0x42 'NtYieldExecution', # 0x43 'NtAddAtom', # 0x44 'NtCreateEvent', # 0x45 'NtQueryVolumeInformationFile', # 0x46 'NtCreateSection', # 0x47 'NtFlushBuffersFile', # 0x48 'NtApphelpCacheControl', # 0x49 'NtCreateProcessEx', # 0x4a 'NtCreateThread', # 0x4b 'NtIsProcessInJob', # 0x4c 'NtProtectVirtualMemory', # 0x4d 'NtQuerySection', # 0x4e 'NtResumeThread', # 0x4f 'NtTerminateThread', # 0x50 'NtReadRequestData', # 0x51 'NtCreateFile', # 0x52 'NtQueryEvent', # 0x53 'NtWriteRequestData', # 0x54 'NtOpenDirectoryObject', # 0x55 'NtAccessCheckByTypeAndAuditAlarm', # 0x56 'NtQuerySystemTime', # 0x57 'NtWaitForMultipleObjects', # 0x58 'NtSetInformationObject', # 0x59 'NtCancelIoFile', # 0x5a 'NtTraceEvent', # 0x5b 'NtPowerInformation', # 0x5c 'NtSetValueKey', # 0x5d 'NtCancelTimer', # 0x5e 'NtSetTimer', # 0x5f 'NtAcceptConnectPort', # 0x60 'NtAccessCheck', # 0x61 'NtAccessCheckByType', # 0x62 'NtAccessCheckByTypeResultList', # 0x63 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x64 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x65 'NtAcquireCMFViewOwnership', # 0x66 'NtAddBootEntry', # 0x67 'NtAddDriverEntry', # 0x68 'NtAdjustGroupsToken', # 0x69 'NtAlertResumeThread', # 0x6a 'NtAlertThread', # 0x6b 'NtAllocateLocallyUniqueId', # 0x6c 'NtAllocateUserPhysicalPages', # 0x6d 'NtAllocateUuids', # 0x6e 'NtAlpcAcceptConnectPort', # 0x6f 'NtAlpcCancelMessage', # 0x70 'NtAlpcConnectPort', # 0x71 'NtAlpcCreatePort', # 0x72 'NtAlpcCreatePortSection', # 0x73 'NtAlpcCreateResourceReserve', # 0x74 'NtAlpcCreateSectionView', # 0x75 'NtAlpcCreateSecurityContext', # 0x76 'NtAlpcDeletePortSection', # 0x77 'NtAlpcDeleteResourceReserve', # 0x78 'NtAlpcDeleteSectionView', # 0x79 'NtAlpcDeleteSecurityContext', # 0x7a 'NtAlpcDisconnectPort', # 0x7b 'NtAlpcImpersonateClientOfPort', # 0x7c 
'NtAlpcOpenSenderProcess', # 0x7d 'NtAlpcOpenSenderThread', # 0x7e 'NtAlpcQueryInformation', # 0x7f 'NtAlpcQueryInformationMessage', # 0x80 'NtAlpcRevokeSecurityContext', # 0x81 'NtAlpcSendWaitReceivePort', # 0x82 'NtAlpcSetInformation', # 0x83 'NtAreMappedFilesTheSame', # 0x84 'NtAssignProcessToJobObject', # 0x85 'NtCancelDeviceWakeupRequest', # 0x86 'NtCancelIoFileEx', # 0x87 'NtCancelSynchronousIoFile', # 0x88 'NtCommitComplete', # 0x89 'NtCommitEnlistment', # 0x8a 'NtCommitTransaction', # 0x8b 'NtCompactKeys', # 0x8c 'NtCompareTokens', # 0x8d 'NtCompleteConnectPort', # 0x8e 'NtCompressKey', # 0x8f 'NtConnectPort', # 0x90 'NtCreateDebugObject', # 0x91 'NtCreateDirectoryObject', # 0x92 'NtCreateEnlistment', # 0x93 'NtCreateEventPair', # 0x94 'NtCreateIoCompletion', # 0x95 'NtCreateJobObject', # 0x96 'NtCreateJobSet', # 0x97 'NtCreateKeyTransacted', # 0x98 'NtCreateKeyedEvent', # 0x99 'NtCreateMailslotFile', # 0x9a 'NtCreateMutant', # 0x9b 'NtCreateNamedPipeFile', # 0x9c 'NtCreatePagingFile', # 0x9d 'NtCreatePort', # 0x9e 'NtCreatePrivateNamespace', # 0x9f 'NtCreateProcess', # 0xa0 'NtCreateProfile', # 0xa1 'NtCreateResourceManager', # 0xa2 'NtCreateSemaphore', # 0xa3 'NtCreateSymbolicLinkObject', # 0xa4 'NtCreateThreadEx', # 0xa5 'NtCreateTimer', # 0xa6 'NtCreateToken', # 0xa7 'NtCreateTransaction', # 0xa8 'NtCreateTransactionManager', # 0xa9 'NtCreateUserProcess', # 0xaa 'NtCreateWaitablePort', # 0xab 'NtCreateWorkerFactory', # 0xac 'NtDebugActiveProcess', # 0xad 'NtDebugContinue', # 0xae 'NtDeleteAtom', # 0xaf 'NtDeleteBootEntry', # 0xb0 'NtDeleteDriverEntry', # 0xb1 'NtDeleteFile', # 0xb2 'NtDeleteKey', # 0xb3 'NtDeleteObjectAuditAlarm', # 0xb4 'NtDeletePrivateNamespace', # 0xb5 'NtDeleteValueKey', # 0xb6 'NtDisplayString', # 0xb7 'NtEnumerateBootEntries', # 0xb8 'NtEnumerateDriverEntries', # 0xb9 'NtEnumerateSystemEnvironmentValuesEx', # 0xba 'NtEnumerateTransactionObject', # 0xbb 'NtExtendSection', # 0xbc 'NtFilterToken', # 0xbd 'NtFlushInstallUILanguage', # 
0xbe 'NtFlushInstructionCache', # 0xbf 'NtFlushKey', # 0xc0 'NtFlushProcessWriteBuffers', # 0xc1 'NtFlushVirtualMemory', # 0xc2 'NtFlushWriteBuffer', # 0xc3 'NtFreeUserPhysicalPages', # 0xc4 'NtFreezeRegistry', # 0xc5 'NtFreezeTransactions', # 0xc6 'NtGetContextThread', # 0xc7 'NtGetCurrentProcessorNumber', # 0xc8 'NtGetDevicePowerState', # 0xc9 'NtGetMUIRegistryInfo', # 0xca 'NtGetNextProcess', # 0xcb 'NtGetNextThread', # 0xcc 'NtGetNlsSectionPtr', # 0xcd 'NtGetNotificationResourceManager', # 0xce 'NtGetPlugPlayEvent', # 0xcf 'NtGetWriteWatch', # 0xd0 'NtImpersonateAnonymousToken', # 0xd1 'NtImpersonateThread', # 0xd2 'NtInitializeNlsFiles', # 0xd3 'NtInitializeRegistry', # 0xd4 'NtInitiatePowerAction', # 0xd5 'NtIsSystemResumeAutomatic', # 0xd6 'NtIsUILanguageComitted', # 0xd7 'NtListenPort', # 0xd8 'NtLoadDriver', # 0xd9 'NtLoadKey', # 0xda 'NtLoadKey2', # 0xdb 'NtLoadKeyEx', # 0xdc 'NtLockFile', # 0xdd 'NtLockProductActivationKeys', # 0xde 'NtLockRegistryKey', # 0xdf 'NtLockVirtualMemory', # 0xe0 'NtMakePermanentObject', # 0xe1 'NtMakeTemporaryObject', # 0xe2 'NtMapCMFModule', # 0xe3 'NtMapUserPhysicalPages', # 0xe4 'NtModifyBootEntry', # 0xe5 'NtModifyDriverEntry', # 0xe6 'NtNotifyChangeDirectoryFile', # 0xe7 'NtNotifyChangeKey', # 0xe8 'NtNotifyChangeMultipleKeys', # 0xe9 'NtOpenEnlistment', # 0xea 'NtOpenEventPair', # 0xeb 'NtOpenIoCompletion', # 0xec 'NtOpenJobObject', # 0xed 'NtOpenKeyTransacted', # 0xee 'NtOpenKeyedEvent', # 0xef 'NtOpenMutant', # 0xf0 'NtOpenObjectAuditAlarm', # 0xf1 'NtOpenPrivateNamespace', # 0xf2 'NtOpenProcessToken', # 0xf3 'NtOpenResourceManager', # 0xf4 'NtOpenSemaphore', # 0xf5 'NtOpenSession', # 0xf6 'NtOpenSymbolicLinkObject', # 0xf7 'NtOpenThread', # 0xf8 'NtOpenTimer', # 0xf9 'NtOpenTransaction', # 0xfa 'NtOpenTransactionManager', # 0xfb 'NtPlugPlayControl', # 0xfc 'NtPrePrepareComplete', # 0xfd 'NtPrePrepareEnlistment', # 0xfe 'NtPrepareComplete', # 0xff 'NtPrepareEnlistment', # 0x100 'NtPrivilegeCheck', # 0x101 
'NtPrivilegeObjectAuditAlarm', # 0x102 'NtPrivilegedServiceAuditAlarm', # 0x103 'NtPropagationComplete', # 0x104 'NtPropagationFailed', # 0x105 'NtPulseEvent', # 0x106 'NtQueryBootEntryOrder', # 0x107 'NtQueryBootOptions', # 0x108 'NtQueryDebugFilterState', # 0x109 'NtQueryDirectoryObject', # 0x10a 'NtQueryDriverEntryOrder', # 0x10b 'NtQueryEaFile', # 0x10c 'NtQueryFullAttributesFile', # 0x10d 'NtQueryInformationAtom', # 0x10e 'NtQueryInformationEnlistment', # 0x10f 'NtQueryInformationJobObject', # 0x110 'NtQueryInformationPort', # 0x111 'NtQueryInformationResourceManager', # 0x112 'NtQueryInformationTransaction', # 0x113 'NtQueryInformationTransactionManager', # 0x114 'NtQueryInformationWorkerFactory', # 0x115 'NtQueryInstallUILanguage', # 0x116 'NtQueryIntervalProfile', # 0x117 'NtQueryIoCompletion', # 0x118 'NtQueryLicenseValue', # 0x119 'NtQueryMultipleValueKey', # 0x11a 'NtQueryMutant', # 0x11b 'NtQueryOpenSubKeys', # 0x11c 'NtQueryOpenSubKeysEx', # 0x11d 'NtQueryPortInformationProcess', # 0x11e 'NtQueryQuotaInformationFile', # 0x11f 'NtQuerySecurityObject', # 0x120 'NtQuerySemaphore', # 0x121 'NtQuerySymbolicLinkObject', # 0x122 'NtQuerySystemEnvironmentValue', # 0x123 'NtQuerySystemEnvironmentValueEx', # 0x124 'NtQueryTimerResolution', # 0x125 'NtRaiseException', # 0x126 'NtRaiseHardError', # 0x127 'NtReadOnlyEnlistment', # 0x128 'NtRecoverEnlistment', # 0x129 'NtRecoverResourceManager', # 0x12a 'NtRecoverTransactionManager', # 0x12b 'NtRegisterProtocolAddressInformation', # 0x12c 'NtRegisterThreadTerminatePort', # 0x12d 'NtReleaseCMFViewOwnership', # 0x12e 'NtReleaseKeyedEvent', # 0x12f 'NtReleaseWorkerFactoryWorker', # 0x130 'NtRemoveIoCompletionEx', # 0x131 'NtRemoveProcessDebug', # 0x132 'NtRenameKey', # 0x133 'NtRenameTransactionManager', # 0x134 'NtReplaceKey', # 0x135 'NtReplacePartitionUnit', # 0x136 'NtReplyWaitReplyPort', # 0x137 'NtRequestDeviceWakeup', # 0x138 'NtRequestPort', # 0x139 'NtRequestWakeupLatency', # 0x13a 'NtResetEvent', # 0x13b 
'NtResetWriteWatch', # 0x13c 'NtRestoreKey', # 0x13d 'NtResumeProcess', # 0x13e 'NtRollbackComplete', # 0x13f 'NtRollbackEnlistment', # 0x140 'NtRollbackTransaction', # 0x141 'NtRollforwardTransactionManager', # 0x142 'NtSaveKey', # 0x143 'NtSaveKeyEx', # 0x144 'NtSaveMergedKeys', # 0x145 'NtSecureConnectPort', # 0x146 'NtSetBootEntryOrder', # 0x147 'NtSetBootOptions', # 0x148 'NtSetContextThread', # 0x149 'NtSetDebugFilterState', # 0x14a 'NtSetDefaultHardErrorPort', # 0x14b 'NtSetDefaultLocale', # 0x14c 'NtSetDefaultUILanguage', # 0x14d 'NtSetDriverEntryOrder', # 0x14e 'NtSetEaFile', # 0x14f 'NtSetHighEventPair', # 0x150 'NtSetHighWaitLowEventPair', # 0x151 'NtSetInformationDebugObject', # 0x152 'NtSetInformationEnlistment', # 0x153 'NtSetInformationJobObject', # 0x154 'NtSetInformationKey', # 0x155 'NtSetInformationResourceManager', # 0x156 'NtSetInformationToken', # 0x157 'NtSetInformationTransaction', # 0x158 'NtSetInformationTransactionManager', # 0x159 'NtSetInformationWorkerFactory', # 0x15a 'NtSetIntervalProfile', # 0x15b 'NtSetIoCompletion', # 0x15c 'NtSetLdtEntries', # 0x15d 'NtSetLowEventPair', # 0x15e 'NtSetLowWaitHighEventPair', # 0x15f 'NtSetQuotaInformationFile', # 0x160 'NtSetSecurityObject', # 0x161 'NtSetSystemEnvironmentValue', # 0x162 'NtSetSystemEnvironmentValueEx', # 0x163 'NtSetSystemInformation', # 0x164 'NtSetSystemPowerState', # 0x165 'NtSetSystemTime', # 0x166 'NtSetThreadExecutionState', # 0x167 'NtSetTimerResolution', # 0x168 'NtSetUuidSeed', # 0x169 'NtSetVolumeInformationFile', # 0x16a 'NtShutdownSystem', # 0x16b 'NtShutdownWorkerFactory', # 0x16c 'NtSignalAndWaitForSingleObject', # 0x16d 'NtSinglePhaseReject', # 0x16e 'NtStartProfile', # 0x16f 'NtStopProfile', # 0x170 'NtSuspendProcess', # 0x171 'NtSuspendThread', # 0x172 'NtSystemDebugControl', # 0x173 'NtTerminateJobObject', # 0x174 'NtTestAlert', # 0x175 'NtThawRegistry', # 0x176 'NtThawTransactions', # 0x177 'NtTraceControl', # 0x178 'NtTranslateFilePath', # 0x179 
'NtUnloadDriver', # 0x17a 'NtUnloadKey', # 0x17b 'NtUnloadKey2', # 0x17c 'NtUnloadKeyEx', # 0x17d 'NtUnlockFile', # 0x17e 'NtUnlockVirtualMemory', # 0x17f 'NtVdmControl', # 0x180 'NtWaitForDebugEvent', # 0x181 'NtWaitForKeyedEvent', # 0x182 'NtWaitForWorkViaWorkerFactory', # 0x183 'NtWaitHighEventPair', # 0x184 'NtWaitLowEventPair', # 0x185 'NtWorkerFactoryWorkerReady', # 0x186 ], [ 'NtUserGetThreadState', # 0x0 'NtUserPeekMessage', # 0x1 'NtUserCallOneParam', # 0x2 'NtUserGetKeyState', # 0x3 'NtUserInvalidateRect', # 0x4 'NtUserCallNoParam', # 0x5 'NtUserGetMessage', # 0x6 'NtUserMessageCall', # 0x7 'NtGdiBitBlt', # 0x8 'NtGdiGetCharSet', # 0x9 'NtUserGetDC', # 0xa 'NtGdiSelectBitmap', # 0xb 'NtUserWaitMessage', # 0xc 'NtUserTranslateMessage', # 0xd 'NtUserGetProp', # 0xe 'NtUserPostMessage', # 0xf 'NtUserQueryWindow', # 0x10 'NtUserTranslateAccelerator', # 0x11 'NtGdiFlush', # 0x12 'NtUserRedrawWindow', # 0x13 'NtUserWindowFromPoint', # 0x14 'NtUserCallMsgFilter', # 0x15 'NtUserValidateTimerCallback', # 0x16 'NtUserBeginPaint', # 0x17 'NtUserSetTimer', # 0x18 'NtUserEndPaint', # 0x19 'NtUserSetCursor', # 0x1a 'NtUserKillTimer', # 0x1b 'NtUserBuildHwndList', # 0x1c 'NtUserSelectPalette', # 0x1d 'NtUserCallNextHookEx', # 0x1e 'NtUserHideCaret', # 0x1f 'NtGdiIntersectClipRect', # 0x20 'NtUserCallHwndLock', # 0x21 'NtUserGetProcessWindowStation', # 0x22 'NtGdiDeleteObjectApp', # 0x23 'NtUserSetWindowPos', # 0x24 'NtUserShowCaret', # 0x25 'NtUserEndDeferWindowPosEx', # 0x26 'NtUserCallHwndParamLock', # 0x27 'NtUserVkKeyScanEx', # 0x28 'NtGdiSetDIBitsToDeviceInternal', # 0x29 'NtUserCallTwoParam', # 0x2a 'NtGdiGetRandomRgn', # 0x2b 'NtUserCopyAcceleratorTable', # 0x2c 'NtUserNotifyWinEvent', # 0x2d 'NtGdiExtSelectClipRgn', # 0x2e 'NtUserIsClipboardFormatAvailable', # 0x2f 'NtUserSetScrollInfo', # 0x30 'NtGdiStretchBlt', # 0x31 'NtUserCreateCaret', # 0x32 'NtGdiRectVisible', # 0x33 'NtGdiCombineRgn', # 0x34 'NtGdiGetDCObject', # 0x35 'NtUserDispatchMessage', # 0x36 
'NtUserRegisterWindowMessage', # 0x37 'NtGdiExtTextOutW', # 0x38 'NtGdiSelectFont', # 0x39 'NtGdiRestoreDC', # 0x3a 'NtGdiSaveDC', # 0x3b 'NtUserGetForegroundWindow', # 0x3c 'NtUserShowScrollBar', # 0x3d 'NtUserFindExistingCursorIcon', # 0x3e 'NtGdiGetDCDword', # 0x3f 'NtGdiGetRegionData', # 0x40 'NtGdiLineTo', # 0x41 'NtUserSystemParametersInfo', # 0x42 'NtGdiGetAppClipBox', # 0x43 'NtUserGetAsyncKeyState', # 0x44 'NtUserGetCPD', # 0x45 'NtUserRemoveProp', # 0x46 'NtGdiDoPalette', # 0x47 'NtGdiPolyPolyDraw', # 0x48 'NtUserSetCapture', # 0x49 'NtUserEnumDisplayMonitors', # 0x4a 'NtGdiCreateCompatibleBitmap', # 0x4b 'NtUserSetProp', # 0x4c 'NtGdiGetTextCharsetInfo', # 0x4d 'NtUserSBGetParms', # 0x4e 'NtUserGetIconInfo', # 0x4f 'NtUserExcludeUpdateRgn', # 0x50 'NtUserSetFocus', # 0x51 'NtGdiExtGetObjectW', # 0x52 'NtUserDeferWindowPos', # 0x53 'NtUserGetUpdateRect', # 0x54 'NtGdiCreateCompatibleDC', # 0x55 'NtUserGetClipboardSequenceNumber', # 0x56 'NtGdiCreatePen', # 0x57 'NtUserShowWindow', # 0x58 'NtUserGetKeyboardLayoutList', # 0x59 'NtGdiPatBlt', # 0x5a 'NtUserMapVirtualKeyEx', # 0x5b 'NtUserSetWindowLong', # 0x5c 'NtGdiHfontCreate', # 0x5d 'NtUserMoveWindow', # 0x5e 'NtUserPostThreadMessage', # 0x5f 'NtUserDrawIconEx', # 0x60 'NtUserGetSystemMenu', # 0x61 'NtGdiDrawStream', # 0x62 'NtUserInternalGetWindowText', # 0x63 'NtUserGetWindowDC', # 0x64 'NtGdiD3dDrawPrimitives2', # 0x65 'NtGdiInvertRgn', # 0x66 'NtGdiGetRgnBox', # 0x67 'NtGdiGetAndSetDCDword', # 0x68 'NtGdiMaskBlt', # 0x69 'NtGdiGetWidthTable', # 0x6a 'NtUserScrollDC', # 0x6b 'NtUserGetObjectInformation', # 0x6c 'NtGdiCreateBitmap', # 0x6d 'NtGdiConsoleTextOut', # 0x6e 'NtUserFindWindowEx', # 0x6f 'NtGdiPolyPatBlt', # 0x70 'NtUserUnhookWindowsHookEx', # 0x71 'NtGdiGetNearestColor', # 0x72 'NtGdiTransformPoints', # 0x73 'NtGdiGetDCPoint', # 0x74 'NtUserCheckImeHotKey', # 0x75 'NtGdiCreateDIBBrush', # 0x76 'NtGdiGetTextMetricsW', # 0x77 'NtUserCreateWindowEx', # 0x78 'NtUserSetParent', # 0x79 
'NtUserGetKeyboardState', # 0x7a 'NtUserToUnicodeEx', # 0x7b 'NtUserGetControlBrush', # 0x7c 'NtUserGetClassName', # 0x7d 'NtGdiAlphaBlend', # 0x7e 'NtGdiDdBlt', # 0x7f 'NtGdiOffsetRgn', # 0x80 'NtUserDefSetText', # 0x81 'NtGdiGetTextFaceW', # 0x82 'NtGdiStretchDIBitsInternal', # 0x83 'NtUserSendInput', # 0x84 'NtUserGetThreadDesktop', # 0x85 'NtGdiCreateRectRgn', # 0x86 'NtGdiGetDIBitsInternal', # 0x87 'NtUserGetUpdateRgn', # 0x88 'NtGdiDeleteClientObj', # 0x89 'NtUserGetIconSize', # 0x8a 'NtUserFillWindow', # 0x8b 'NtGdiExtCreateRegion', # 0x8c 'NtGdiComputeXformCoefficients', # 0x8d 'NtUserSetWindowsHookEx', # 0x8e 'NtUserNotifyProcessCreate', # 0x8f 'NtGdiUnrealizeObject', # 0x90 'NtUserGetTitleBarInfo', # 0x91 'NtGdiRectangle', # 0x92 'NtUserSetThreadDesktop', # 0x93 'NtUserGetDCEx', # 0x94 'NtUserGetScrollBarInfo', # 0x95 'NtGdiGetTextExtent', # 0x96 'NtUserSetWindowFNID', # 0x97 'NtGdiSetLayout', # 0x98 'NtUserCalcMenuBar', # 0x99 'NtUserThunkedMenuItemInfo', # 0x9a 'NtGdiExcludeClipRect', # 0x9b 'NtGdiCreateDIBSection', # 0x9c 'NtGdiGetDCforBitmap', # 0x9d 'NtUserDestroyCursor', # 0x9e 'NtUserDestroyWindow', # 0x9f 'NtUserCallHwndParam', # 0xa0 'NtGdiCreateDIBitmapInternal', # 0xa1 'NtUserOpenWindowStation', # 0xa2 'NtGdiDdDeleteSurfaceObject', # 0xa3 'NtGdiEnumFontClose', # 0xa4 'NtGdiEnumFontOpen', # 0xa5 'NtGdiEnumFontChunk', # 0xa6 'NtGdiDdCanCreateSurface', # 0xa7 'NtGdiDdCreateSurface', # 0xa8 'NtUserSetCursorIconData', # 0xa9 'NtGdiDdDestroySurface', # 0xaa 'NtUserCloseDesktop', # 0xab 'NtUserOpenDesktop', # 0xac 'NtUserSetProcessWindowStation', # 0xad 'NtUserGetAtomName', # 0xae 'NtGdiDdResetVisrgn', # 0xaf 'NtGdiExtCreatePen', # 0xb0 'NtGdiCreatePaletteInternal', # 0xb1 'NtGdiSetBrushOrg', # 0xb2 'NtUserBuildNameList', # 0xb3 'NtGdiSetPixel', # 0xb4 'NtUserRegisterClassExWOW', # 0xb5 'NtGdiCreatePatternBrushInternal', # 0xb6 'NtUserGetAncestor', # 0xb7 'NtGdiGetOutlineTextMetricsInternalW', # 0xb8 'NtGdiSetBitmapBits', # 0xb9 
'NtUserCloseWindowStation', # 0xba 'NtUserGetDoubleClickTime', # 0xbb 'NtUserEnableScrollBar', # 0xbc 'NtGdiCreateSolidBrush', # 0xbd 'NtUserGetClassInfoEx', # 0xbe 'NtGdiCreateClientObj', # 0xbf 'NtUserUnregisterClass', # 0xc0 'NtUserDeleteMenu', # 0xc1 'NtGdiRectInRegion', # 0xc2 'NtUserScrollWindowEx', # 0xc3 'NtGdiGetPixel', # 0xc4 'NtUserSetClassLong', # 0xc5 'NtUserGetMenuBarInfo', # 0xc6 'NtGdiDdCreateSurfaceEx', # 0xc7 'NtGdiDdCreateSurfaceObject', # 0xc8 'NtGdiGetNearestPaletteIndex', # 0xc9 'NtGdiDdLockD3D', # 0xca 'NtGdiDdUnlockD3D', # 0xcb 'NtGdiGetCharWidthW', # 0xcc 'NtUserInvalidateRgn', # 0xcd 'NtUserGetClipboardOwner', # 0xce 'NtUserSetWindowRgn', # 0xcf 'NtUserBitBltSysBmp', # 0xd0 'NtGdiGetCharWidthInfo', # 0xd1 'NtUserValidateRect', # 0xd2 'NtUserCloseClipboard', # 0xd3 'NtUserOpenClipboard', # 0xd4 'NtGdiGetStockObject', # 0xd5 'NtUserSetClipboardData', # 0xd6 'NtUserEnableMenuItem', # 0xd7 'NtUserAlterWindowStyle', # 0xd8 'NtGdiFillRgn', # 0xd9 'NtUserGetWindowPlacement', # 0xda 'NtGdiModifyWorldTransform', # 0xdb 'NtGdiGetFontData', # 0xdc 'NtUserGetOpenClipboardWindow', # 0xdd 'NtUserSetThreadState', # 0xde 'NtGdiOpenDCW', # 0xdf 'NtUserTrackMouseEvent', # 0xe0 'NtGdiGetTransform', # 0xe1 'NtUserDestroyMenu', # 0xe2 'NtGdiGetBitmapBits', # 0xe3 'NtUserConsoleControl', # 0xe4 'NtUserSetActiveWindow', # 0xe5 'NtUserSetInformationThread', # 0xe6 'NtUserSetWindowPlacement', # 0xe7 'NtUserGetControlColor', # 0xe8 'NtGdiSetMetaRgn', # 0xe9 'NtGdiSetMiterLimit', # 0xea 'NtGdiSetVirtualResolution', # 0xeb 'NtGdiGetRasterizerCaps', # 0xec 'NtUserSetWindowWord', # 0xed 'NtUserGetClipboardFormatName', # 0xee 'NtUserRealInternalGetMessage', # 0xef 'NtUserCreateLocalMemHandle', # 0xf0 'NtUserAttachThreadInput', # 0xf1 'NtGdiCreateHalftonePalette', # 0xf2 'NtUserPaintMenuBar', # 0xf3 'NtUserSetKeyboardState', # 0xf4 'NtGdiCombineTransform', # 0xf5 'NtUserCreateAcceleratorTable', # 0xf6 'NtUserGetCursorFrameInfo', # 0xf7 'NtUserGetAltTabInfo', # 0xf8 
'NtUserGetCaretBlinkTime', # 0xf9 'NtGdiQueryFontAssocInfo', # 0xfa 'NtUserProcessConnect', # 0xfb 'NtUserEnumDisplayDevices', # 0xfc 'NtUserEmptyClipboard', # 0xfd 'NtUserGetClipboardData', # 0xfe 'NtUserRemoveMenu', # 0xff 'NtGdiSetBoundsRect', # 0x100 'NtUserSetInformationProcess', # 0x101 'NtGdiGetBitmapDimension', # 0x102 'NtUserConvertMemHandle', # 0x103 'NtUserDestroyAcceleratorTable', # 0x104 'NtUserGetGUIThreadInfo', # 0x105 'NtGdiCloseFigure', # 0x106 'NtUserSetWindowsHookAW', # 0x107 'NtUserSetMenuDefaultItem', # 0x108 'NtUserCheckMenuItem', # 0x109 'NtUserSetWinEventHook', # 0x10a 'NtUserUnhookWinEvent', # 0x10b 'NtGdiSetupPublicCFONT', # 0x10c 'NtUserLockWindowUpdate', # 0x10d 'NtUserSetSystemMenu', # 0x10e 'NtUserThunkedMenuInfo', # 0x10f 'NtGdiBeginPath', # 0x110 'NtGdiEndPath', # 0x111 'NtGdiFillPath', # 0x112 'NtUserCallHwnd', # 0x113 'NtUserDdeInitialize', # 0x114 'NtUserModifyUserStartupInfoFlags', # 0x115 'NtUserCountClipboardFormats', # 0x116 'NtGdiAddFontMemResourceEx', # 0x117 'NtGdiEqualRgn', # 0x118 'NtGdiGetSystemPaletteUse', # 0x119 'NtGdiRemoveFontMemResourceEx', # 0x11a 'NtUserEnumDisplaySettings', # 0x11b 'NtUserPaintDesktop', # 0x11c 'NtGdiExtEscape', # 0x11d 'NtGdiSetBitmapDimension', # 0x11e 'NtGdiSetFontEnumeration', # 0x11f 'NtUserChangeClipboardChain', # 0x120 'NtUserResolveDesktop', # 0x121 'NtUserSetClipboardViewer', # 0x122 'NtUserShowWindowAsync', # 0x123 'NtUserSetConsoleReserveKeys', # 0x124 'NtGdiCreateColorSpace', # 0x125 'NtGdiDeleteColorSpace', # 0x126 'NtUserActivateKeyboardLayout', # 0x127 'NtGdiAbortDoc', # 0x128 'NtGdiAbortPath', # 0x129 'NtGdiAddEmbFontToDC', # 0x12a 'NtGdiAddFontResourceW', # 0x12b 'NtGdiAddRemoteFontToDC', # 0x12c 'NtGdiAddRemoteMMInstanceToDC', # 0x12d 'NtGdiAngleArc', # 0x12e 'NtGdiAnyLinkedFonts', # 0x12f 'NtGdiArcInternal', # 0x130 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x131 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x132 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x133 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x134 
'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x135 'NtGdiCLIPOBJ_bEnum', # 0x136 'NtGdiCLIPOBJ_cEnumStart', # 0x137 'NtGdiCLIPOBJ_ppoGetPath', # 0x138 'NtGdiCancelDC', # 0x139 'NtGdiChangeGhostFont', # 0x13a 'NtGdiCheckBitmapBits', # 0x13b 'NtGdiClearBitmapAttributes', # 0x13c 'NtGdiClearBrushAttributes', # 0x13d 'NtGdiColorCorrectPalette', # 0x13e 'NtGdiConfigureOPMProtectedOutput', # 0x13f 'NtGdiConvertMetafileRect', # 0x140 'NtGdiCreateColorTransform', # 0x141 'NtGdiCreateEllipticRgn', # 0x142 'NtGdiCreateHatchBrushInternal', # 0x143 'NtGdiCreateMetafileDC', # 0x144 'NtGdiCreateOPMProtectedOutputs', # 0x145 'NtGdiCreateRoundRectRgn', # 0x146 'NtGdiCreateServerMetaFile', # 0x147 'NtGdiD3dContextCreate', # 0x148 'NtGdiD3dContextDestroy', # 0x149 'NtGdiD3dContextDestroyAll', # 0x14a 'NtGdiD3dValidateTextureStageState', # 0x14b 'NtGdiDDCCIGetCapabilitiesString', # 0x14c 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x14d 'NtGdiDDCCIGetTimingReport', # 0x14e 'NtGdiDDCCIGetVCPFeature', # 0x14f 'NtGdiDDCCISaveCurrentSettings', # 0x150 'NtGdiDDCCISetVCPFeature', # 0x151 'NtGdiDdAddAttachedSurface', # 0x152 'NtGdiDdAlphaBlt', # 0x153 'NtGdiDdAttachSurface', # 0x154 'NtGdiDdBeginMoCompFrame', # 0x155 'NtGdiDdCanCreateD3DBuffer', # 0x156 'NtGdiDdColorControl', # 0x157 'NtGdiDdCreateD3DBuffer', # 0x158 'NtGdiDdCreateDirectDrawObject', # 0x159 'NtGdiDdCreateMoComp', # 0x15a 'NtGdiDdDDICheckExclusiveOwnership', # 0x15b 'NtGdiDdDDICheckMonitorPowerState', # 0x15c 'NtGdiDdDDICheckOcclusion', # 0x15d 'NtGdiDdDDICloseAdapter', # 0x15e 'NtGdiDdDDICreateAllocation', # 0x15f 'NtGdiDdDDICreateContext', # 0x160 'NtGdiDdDDICreateDCFromMemory', # 0x161 'NtGdiDdDDICreateDevice', # 0x162 'NtGdiDdDDICreateOverlay', # 0x163 'NtGdiDdDDICreateSynchronizationObject', # 0x164 'NtGdiDdDDIDestroyAllocation', # 0x165 'NtGdiDdDDIDestroyContext', # 0x166 'NtGdiDdDDIDestroyDCFromMemory', # 0x167 'NtGdiDdDDIDestroyDevice', # 0x168 'NtGdiDdDDIDestroyOverlay', # 0x169 'NtGdiDdDDIDestroySynchronizationObject', # 
0x16a 'NtGdiDdDDIEscape', # 0x16b 'NtGdiDdDDIFlipOverlay', # 0x16c 'NtGdiDdDDIGetContextSchedulingPriority', # 0x16d 'NtGdiDdDDIGetDeviceState', # 0x16e 'NtGdiDdDDIGetDisplayModeList', # 0x16f 'NtGdiDdDDIGetMultisampleMethodList', # 0x170 'NtGdiDdDDIGetPresentHistory', # 0x171 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x172 'NtGdiDdDDIGetRuntimeData', # 0x173 'NtGdiDdDDIGetScanLine', # 0x174 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x175 'NtGdiDdDDIInvalidateActiveVidPn', # 0x176 'NtGdiDdDDILock', # 0x177 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x178 'NtGdiDdDDIOpenAdapterFromHdc', # 0x179 'NtGdiDdDDIOpenResource', # 0x17a 'NtGdiDdDDIPollDisplayChildren', # 0x17b 'NtGdiDdDDIPresent', # 0x17c 'NtGdiDdDDIQueryAdapterInfo', # 0x17d 'NtGdiDdDDIQueryAllocationResidency', # 0x17e 'NtGdiDdDDIQueryResourceInfo', # 0x17f 'NtGdiDdDDIQueryStatistics', # 0x180 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x181 'NtGdiDdDDIRender', # 0x182 'NtGdiDdDDISetAllocationPriority', # 0x183 'NtGdiDdDDISetContextSchedulingPriority', # 0x184 'NtGdiDdDDISetDisplayMode', # 0x185 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x186 'NtGdiDdDDISetGammaRamp', # 0x187 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x188 'NtGdiDdDDISetQueuedLimit', # 0x189 'NtGdiDdDDISetVidPnSourceOwner', # 0x18a 'NtGdiDdDDISharedPrimaryLockNotification', # 0x18b 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x18c 'NtGdiDdDDISignalSynchronizationObject', # 0x18d 'NtGdiDdDDIUnlock', # 0x18e 'NtGdiDdDDIUpdateOverlay', # 0x18f 'NtGdiDdDDIWaitForIdle', # 0x190 'NtGdiDdDDIWaitForSynchronizationObject', # 0x191 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x192 'NtGdiDdDeleteDirectDrawObject', # 0x193 'NtGdiDdDestroyD3DBuffer', # 0x194 'NtGdiDdDestroyMoComp', # 0x195 'NtGdiDdEndMoCompFrame', # 0x196 'NtGdiDdFlip', # 0x197 'NtGdiDdFlipToGDISurface', # 0x198 'NtGdiDdGetAvailDriverMemory', # 0x199 'NtGdiDdGetBltStatus', # 0x19a 'NtGdiDdGetDC', # 0x19b 'NtGdiDdGetDriverInfo', # 0x19c 'NtGdiDdGetDriverState', # 0x19d 
'NtGdiDdGetDxHandle', # 0x19e 'NtGdiDdGetFlipStatus', # 0x19f 'NtGdiDdGetInternalMoCompInfo', # 0x1a0 'NtGdiDdGetMoCompBuffInfo', # 0x1a1 'NtGdiDdGetMoCompFormats', # 0x1a2 'NtGdiDdGetMoCompGuids', # 0x1a3 'NtGdiDdGetScanLine', # 0x1a4 'NtGdiDdLock', # 0x1a5 'NtGdiDdQueryDirectDrawObject', # 0x1a6 'NtGdiDdQueryMoCompStatus', # 0x1a7 'NtGdiDdReenableDirectDrawObject', # 0x1a8 'NtGdiDdReleaseDC', # 0x1a9 'NtGdiDdRenderMoComp', # 0x1aa 'NtGdiDdSetColorKey', # 0x1ab 'NtGdiDdSetExclusiveMode', # 0x1ac 'NtGdiDdSetGammaRamp', # 0x1ad 'NtGdiDdSetOverlayPosition', # 0x1ae 'NtGdiDdUnattachSurface', # 0x1af 'NtGdiDdUnlock', # 0x1b0 'NtGdiDdUpdateOverlay', # 0x1b1 'NtGdiDdWaitForVerticalBlank', # 0x1b2 'NtGdiDeleteColorTransform', # 0x1b3 'NtGdiDescribePixelFormat', # 0x1b4 'NtGdiDestroyOPMProtectedOutput', # 0x1b5 'NtGdiDestroyPhysicalMonitor', # 0x1b6 'NtGdiDoBanding', # 0x1b7 'NtGdiDrawEscape', # 0x1b8 'NtGdiDvpAcquireNotification', # 0x1b9 'NtGdiDvpCanCreateVideoPort', # 0x1ba 'NtGdiDvpColorControl', # 0x1bb 'NtGdiDvpCreateVideoPort', # 0x1bc 'NtGdiDvpDestroyVideoPort', # 0x1bd 'NtGdiDvpFlipVideoPort', # 0x1be 'NtGdiDvpGetVideoPortBandwidth', # 0x1bf 'NtGdiDvpGetVideoPortConnectInfo', # 0x1c0 'NtGdiDvpGetVideoPortField', # 0x1c1 'NtGdiDvpGetVideoPortFlipStatus', # 0x1c2 'NtGdiDvpGetVideoPortInputFormats', # 0x1c3 'NtGdiDvpGetVideoPortLine', # 0x1c4 'NtGdiDvpGetVideoPortOutputFormats', # 0x1c5 'NtGdiDvpGetVideoSignalStatus', # 0x1c6 'NtGdiDvpReleaseNotification', # 0x1c7 'NtGdiDvpUpdateVideoPort', # 0x1c8 'NtGdiDvpWaitForVideoPortSync', # 0x1c9 'NtGdiDwmGetDirtyRgn', # 0x1ca 'NtGdiDwmGetSurfaceData', # 0x1cb 'NtGdiDxgGenericThunk', # 0x1cc 'NtGdiEllipse', # 0x1cd 'NtGdiEnableEudc', # 0x1ce 'NtGdiEndDoc', # 0x1cf 'NtGdiEndPage', # 0x1d0 'NtGdiEngAlphaBlend', # 0x1d1 'NtGdiEngAssociateSurface', # 0x1d2 'NtGdiEngBitBlt', # 0x1d3 'NtGdiEngCheckAbort', # 0x1d4 'NtGdiEngComputeGlyphSet', # 0x1d5 'NtGdiEngCopyBits', # 0x1d6 'NtGdiEngCreateBitmap', # 0x1d7 'NtGdiEngCreateClip', # 
0x1d8 'NtGdiEngCreateDeviceBitmap', # 0x1d9 'NtGdiEngCreateDeviceSurface', # 0x1da 'NtGdiEngCreatePalette', # 0x1db 'NtGdiEngDeleteClip', # 0x1dc 'NtGdiEngDeletePalette', # 0x1dd 'NtGdiEngDeletePath', # 0x1de 'NtGdiEngDeleteSurface', # 0x1df 'NtGdiEngEraseSurface', # 0x1e0 'NtGdiEngFillPath', # 0x1e1 'NtGdiEngGradientFill', # 0x1e2 'NtGdiEngLineTo', # 0x1e3 'NtGdiEngLockSurface', # 0x1e4 'NtGdiEngMarkBandingSurface', # 0x1e5 'NtGdiEngPaint', # 0x1e6 'NtGdiEngPlgBlt', # 0x1e7 'NtGdiEngStretchBlt', # 0x1e8 'NtGdiEngStretchBltROP', # 0x1e9 'NtGdiEngStrokeAndFillPath', # 0x1ea 'NtGdiEngStrokePath', # 0x1eb 'NtGdiEngTextOut', # 0x1ec 'NtGdiEngTransparentBlt', # 0x1ed 'NtGdiEngUnlockSurface', # 0x1ee 'NtGdiEnumObjects', # 0x1ef 'NtGdiEudcLoadUnloadLink', # 0x1f0 'NtGdiExtFloodFill', # 0x1f1 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x1f2 'NtGdiFONTOBJ_cGetGlyphs', # 0x1f3 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x1f4 'NtGdiFONTOBJ_pfdg', # 0x1f5 'NtGdiFONTOBJ_pifi', # 0x1f6 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x1f7 'NtGdiFONTOBJ_pxoGetXform', # 0x1f8 'NtGdiFONTOBJ_vGetInfo', # 0x1f9 'NtGdiFlattenPath', # 0x1fa 'NtGdiFontIsLinked', # 0x1fb 'NtGdiForceUFIMapping', # 0x1fc 'NtGdiFrameRgn', # 0x1fd 'NtGdiFullscreenControl', # 0x1fe 'NtGdiGetBoundsRect', # 0x1ff 'NtGdiGetCOPPCompatibleOPMInformation', # 0x200 'NtGdiGetCertificate', # 0x201 'NtGdiGetCertificateSize', # 0x202 'NtGdiGetCharABCWidthsW', # 0x203 'NtGdiGetCharacterPlacementW', # 0x204 'NtGdiGetColorAdjustment', # 0x205 'NtGdiGetColorSpaceforBitmap', # 0x206 'NtGdiGetDeviceCaps', # 0x207 'NtGdiGetDeviceCapsAll', # 0x208 'NtGdiGetDeviceGammaRamp', # 0x209 'NtGdiGetDeviceWidth', # 0x20a 'NtGdiGetDhpdev', # 0x20b 'NtGdiGetETM', # 0x20c 'NtGdiGetEmbUFI', # 0x20d 'NtGdiGetEmbedFonts', # 0x20e 'NtGdiGetEudcTimeStampEx', # 0x20f 'NtGdiGetFontResourceInfoInternalW', # 0x210 'NtGdiGetFontUnicodeRanges', # 0x211 'NtGdiGetGlyphIndicesW', # 0x212 'NtGdiGetGlyphIndicesWInternal', # 0x213 'NtGdiGetGlyphOutline', # 0x214 
'NtGdiGetKerningPairs', # 0x215 'NtGdiGetLinkedUFIs', # 0x216 'NtGdiGetMiterLimit', # 0x217 'NtGdiGetMonitorID', # 0x218 'NtGdiGetNumberOfPhysicalMonitors', # 0x219 'NtGdiGetOPMInformation', # 0x21a 'NtGdiGetOPMRandomNumber', # 0x21b 'NtGdiGetObjectBitmapHandle', # 0x21c 'NtGdiGetPath', # 0x21d 'NtGdiGetPerBandInfo', # 0x21e 'NtGdiGetPhysicalMonitorDescription', # 0x21f 'NtGdiGetPhysicalMonitors', # 0x220 'NtGdiGetRealizationInfo', # 0x221 'NtGdiGetServerMetaFileBits', # 0x222 'NtGdiGetSpoolMessage', # 0x223 'NtGdiGetStats', # 0x224 'NtGdiGetStringBitmapW', # 0x225 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0x226 'NtGdiGetTextExtentExW', # 0x227 'NtGdiGetUFI', # 0x228 'NtGdiGetUFIPathname', # 0x229 'NtGdiGradientFill', # 0x22a 'NtGdiHT_Get8BPPFormatPalette', # 0x22b 'NtGdiHT_Get8BPPMaskPalette', # 0x22c 'NtGdiIcmBrushInfo', # 0x22d 'NtGdiInit', # 0x22e 'NtGdiInitSpool', # 0x22f 'NtGdiMakeFontDir', # 0x230 'NtGdiMakeInfoDC', # 0x231 'NtGdiMakeObjectUnXferable', # 0x232 'NtGdiMakeObjectXferable', # 0x233 'NtGdiMirrorWindowOrg', # 0x234 'NtGdiMonoBitmap', # 0x235 'NtGdiMoveTo', # 0x236 'NtGdiOffsetClipRgn', # 0x237 'NtGdiPATHOBJ_bEnum', # 0x238 'NtGdiPATHOBJ_bEnumClipLines', # 0x239 'NtGdiPATHOBJ_vEnumStart', # 0x23a 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x23b 'NtGdiPATHOBJ_vGetBounds', # 0x23c 'NtGdiPathToRegion', # 0x23d 'NtGdiPlgBlt', # 0x23e 'NtGdiPolyDraw', # 0x23f 'NtGdiPolyTextOutW', # 0x240 'NtGdiPtInRegion', # 0x241 'NtGdiPtVisible', # 0x242 'NtGdiQueryFonts', # 0x243 'NtGdiRemoveFontResourceW', # 0x244 'NtGdiRemoveMergeFont', # 0x245 'NtGdiResetDC', # 0x246 'NtGdiResizePalette', # 0x247 'NtGdiRoundRect', # 0x248 'NtGdiSTROBJ_bEnum', # 0x249 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x24a 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x24b 'NtGdiSTROBJ_dwGetCodePage', # 0x24c 'NtGdiSTROBJ_vEnumStart', # 0x24d 'NtGdiScaleViewportExtEx', # 0x24e 'NtGdiScaleWindowExtEx', # 0x24f 'NtGdiSelectBrush', # 0x250 'NtGdiSelectClipPath', # 0x251 'NtGdiSelectPen', # 0x252 
'NtGdiSetBitmapAttributes', # 0x253 'NtGdiSetBrushAttributes', # 0x254 'NtGdiSetColorAdjustment', # 0x255 'NtGdiSetColorSpace', # 0x256 'NtGdiSetDeviceGammaRamp', # 0x257 'NtGdiSetFontXform', # 0x258 'NtGdiSetIcmMode', # 0x259 'NtGdiSetLinkedUFIs', # 0x25a 'NtGdiSetMagicColors', # 0x25b 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x25c 'NtGdiSetPUMPDOBJ', # 0x25d 'NtGdiSetPixelFormat', # 0x25e 'NtGdiSetRectRgn', # 0x25f 'NtGdiSetSizeDevice', # 0x260 'NtGdiSetSystemPaletteUse', # 0x261 'NtGdiSetTextJustification', # 0x262 'NtGdiStartDoc', # 0x263 'NtGdiStartPage', # 0x264 'NtGdiStrokeAndFillPath', # 0x265 'NtGdiStrokePath', # 0x266 'NtGdiSwapBuffers', # 0x267 'NtGdiTransparentBlt', # 0x268 'NtGdiUMPDEngFreeUserMem', # 0x269 'NtGdiUnloadPrinterDriver', # 0x26a 'NtGdiUnmapMemFont', # 0x26b 'NtGdiUpdateColors', # 0x26c 'NtGdiUpdateTransform', # 0x26d 'NtGdiWidenPath', # 0x26e 'NtGdiXFORMOBJ_bApplyXform', # 0x26f 'NtGdiXFORMOBJ_iGetXform', # 0x270 'NtGdiXLATEOBJ_cGetPalette', # 0x271 'NtGdiXLATEOBJ_hGetColorTransform', # 0x272 'NtGdiXLATEOBJ_iXlate', # 0x273 'NtUserAddClipboardFormatListener', # 0x274 'NtUserAssociateInputContext', # 0x275 'NtUserBlockInput', # 0x276 'NtUserBuildHimcList', # 0x277 'NtUserBuildPropList', # 0x278 'NtUserCallHwndOpt', # 0x279 'NtUserChangeDisplaySettings', # 0x27a 'NtUserCheckAccessForIntegrityLevel', # 0x27b 'NtUserCheckDesktopByThreadId', # 0x27c 'NtUserCheckWindowThreadDesktop', # 0x27d 'NtUserChildWindowFromPointEx', # 0x27e 'NtUserClipCursor', # 0x27f 'NtUserCreateDesktopEx', # 0x280 'NtUserCreateInputContext', # 0x281 'NtUserCreateWindowStation', # 0x282 'NtUserCtxDisplayIOCtl', # 0x283 'NtUserDestroyInputContext', # 0x284 'NtUserDisableThreadIme', # 0x285 'NtUserDoSoundConnect', # 0x286 'NtUserDoSoundDisconnect', # 0x287 'NtUserDragDetect', # 0x288 'NtUserDragObject', # 0x289 'NtUserDrawAnimatedRects', # 0x28a 'NtUserDrawCaption', # 0x28b 'NtUserDrawCaptionTemp', # 0x28c 'NtUserDrawMenuBarTemp', # 0x28d 'NtUserDwmGetDxRgn', # 0x28e 
'NtUserDwmHintDxUpdate', # 0x28f 'NtUserDwmStartRedirection', # 0x290 'NtUserDwmStopRedirection', # 0x291 'NtUserEndMenu', # 0x292 'NtUserEvent', # 0x293 'NtUserFlashWindowEx', # 0x294 'NtUserFrostCrashedWindow', # 0x295 'NtUserGetAppImeLevel', # 0x296 'NtUserGetCaretPos', # 0x297 'NtUserGetClipCursor', # 0x298 'NtUserGetClipboardViewer', # 0x299 'NtUserGetComboBoxInfo', # 0x29a 'NtUserGetCursorInfo', # 0x29b 'NtUserGetGuiResources', # 0x29c 'NtUserGetImeHotKey', # 0x29d 'NtUserGetImeInfoEx', # 0x29e 'NtUserGetInternalWindowPos', # 0x29f 'NtUserGetKeyNameText', # 0x2a0 'NtUserGetKeyboardLayoutName', # 0x2a1 'NtUserGetLayeredWindowAttributes', # 0x2a2 'NtUserGetListBoxInfo', # 0x2a3 'NtUserGetMenuIndex', # 0x2a4 'NtUserGetMenuItemRect', # 0x2a5 'NtUserGetMouseMovePointsEx', # 0x2a6 'NtUserGetPriorityClipboardFormat', # 0x2a7 'NtUserGetRawInputBuffer', # 0x2a8 'NtUserGetRawInputData', # 0x2a9 'NtUserGetRawInputDeviceInfo', # 0x2aa 'NtUserGetRawInputDeviceList', # 0x2ab 'NtUserGetRegisteredRawInputDevices', # 0x2ac 'NtUserGetUpdatedClipboardFormats', # 0x2ad 'NtUserGetWOWClass', # 0x2ae 'NtUserGetWindowMinimizeRect', # 0x2af 'NtUserGetWindowRgnEx', # 0x2b0 'NtUserGhostWindowFromHungWindow', # 0x2b1 'NtUserHardErrorControl', # 0x2b2 'NtUserHiliteMenuItem', # 0x2b3 'NtUserHungWindowFromGhostWindow', # 0x2b4 'NtUserImpersonateDdeClientWindow', # 0x2b5 'NtUserInitTask', # 0x2b6 'NtUserInitialize', # 0x2b7 'NtUserInitializeClientPfnArrays', # 0x2b8 'NtUserInternalGetWindowIcon', # 0x2b9 'NtUserLoadKeyboardLayoutEx', # 0x2ba 'NtUserLockWindowStation', # 0x2bb 'NtUserLockWorkStation', # 0x2bc 'NtUserLogicalToPhysicalPoint', # 0x2bd 'NtUserMNDragLeave', # 0x2be 'NtUserMNDragOver', # 0x2bf 'NtUserMenuItemFromPoint', # 0x2c0 'NtUserMinMaximize', # 0x2c1 'NtUserNotifyIMEStatus', # 0x2c2 'NtUserOpenInputDesktop', # 0x2c3 'NtUserOpenThreadDesktop', # 0x2c4 'NtUserPaintMonitor', # 0x2c5 'NtUserPhysicalToLogicalPoint', # 0x2c6 'NtUserPrintWindow', # 0x2c7 
'NtUserQueryInformationThread', # 0x2c8 'NtUserQueryInputContext', # 0x2c9 'NtUserQuerySendMessage', # 0x2ca 'NtUserRealChildWindowFromPoint', # 0x2cb 'NtUserRealWaitMessageEx', # 0x2cc 'NtUserRegisterErrorReportingDialog', # 0x2cd 'NtUserRegisterHotKey', # 0x2ce 'NtUserRegisterRawInputDevices', # 0x2cf 'NtUserRegisterSessionPort', # 0x2d0 'NtUserRegisterTasklist', # 0x2d1 'NtUserRegisterUserApiHook', # 0x2d2 'NtUserRemoteConnect', # 0x2d3 'NtUserRemoteRedrawRectangle', # 0x2d4 'NtUserRemoteRedrawScreen', # 0x2d5 'NtUserRemoteStopScreenUpdates', # 0x2d6 'NtUserRemoveClipboardFormatListener', # 0x2d7 'NtUserResolveDesktopForWOW', # 0x2d8 'NtUserSetAppImeLevel', # 0x2d9 'NtUserSetClassWord', # 0x2da 'NtUserSetCursorContents', # 0x2db 'NtUserSetImeHotKey', # 0x2dc 'NtUserSetImeInfoEx', # 0x2dd 'NtUserSetImeOwnerWindow', # 0x2de 'NtUserSetInternalWindowPos', # 0x2df 'NtUserSetLayeredWindowAttributes', # 0x2e0 'NtUserSetMenu', # 0x2e1 'NtUserSetMenuContextHelpId', # 0x2e2 'NtUserSetMenuFlagRtoL', # 0x2e3 'NtUserSetMirrorRendering', # 0x2e4 'NtUserSetObjectInformation', # 0x2e5 'NtUserSetProcessDPIAware', # 0x2e6 'NtUserSetShellWindowEx', # 0x2e7 'NtUserSetSysColors', # 0x2e8 'NtUserSetSystemCursor', # 0x2e9 'NtUserSetSystemTimer', # 0x2ea 'NtUserSetThreadLayoutHandles', # 0x2eb 'NtUserSetWindowRgnEx', # 0x2ec 'NtUserSetWindowStationUser', # 0x2ed 'NtUserShowSystemCursor', # 0x2ee 'NtUserSoundSentry', # 0x2ef 'NtUserSwitchDesktop', # 0x2f0 'NtUserTestForInteractiveUser', # 0x2f1 'NtUserTrackPopupMenuEx', # 0x2f2 'NtUserUnloadKeyboardLayout', # 0x2f3 'NtUserUnlockWindowStation', # 0x2f4 'NtUserUnregisterHotKey', # 0x2f5 'NtUserUnregisterSessionPort', # 0x2f6 'NtUserUnregisterUserApiHook', # 0x2f7 'NtUserUpdateInputContext', # 0x2f8 'NtUserUpdateInstance', # 0x2f9 'NtUserUpdateLayeredWindow', # 0x2fa 'NtUserUpdatePerUserSystemParameters', # 0x2fb 'NtUserUpdateWindowTransform', # 0x2fc 'NtUserUserHandleGrantAccess', # 0x2fd 'NtUserValidateHandleSecure', # 0x2fe 
'NtUserWaitForInputIdle', # 0x2ff 'NtUserWaitForMsgAndEvent', # 0x300 'NtUserWin32PoolAllocationStats', # 0x301 'NtUserWindowFromPhysicalPoint', # 0x302 'NtUserYieldTask', # 0x303 'NtUserSetClassLongPtr', # 0x304 'NtUserSetWindowLongPtr', # 0x305 ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win2003_sp0_x86_syscalls.py0000644000000000000000000010405213131215405031236 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see <http://www.gnu.org/licenses/>. # """ @author: MHL @license: GNU General Public License 2.0 @contact: michael.ligh@mnin.org This file provides the system call tables for Windows 2003 SP0 (x86). Entry order is significant: an entry's position in its inner list is the service index shown in its trailing comment. 
""" syscalls = [ [ 'NtAcceptConnectPort', # 0x0 'NtAccessCheck', # 0x1 'NtAccessCheckAndAuditAlarm', # 0x2 'NtAccessCheckByType', # 0x3 'NtAccessCheckByTypeAndAuditAlarm', # 0x4 'NtAccessCheckByTypeResultList', # 0x5 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7 'NtAddAtom', # 0x8 'NtAddBootEntry', # 0x9 'NtAddDriverEntry', # 0xa 'NtAdjustGroupsToken', # 0xb 'NtAdjustPrivilegesToken', # 0xc 'NtAlertResumeThread', # 0xd 'NtAlertThread', # 0xe 'NtAllocateLocallyUniqueId', # 0xf 'NtAllocateUserPhysicalPages', # 0x10 'NtAllocateUuids', # 0x11 'NtAllocateVirtualMemory', # 0x12 'NtApphelpCacheControl', # 0x13 'NtAreMappedFilesTheSame', # 0x14 'NtAssignProcessToJobObject', # 0x15 'NtCallbackReturn', # 0x16 'NtCancelDeviceWakeupRequest', # 0x17 'NtCancelIoFile', # 0x18 'NtCancelTimer', # 0x19 'NtClearEvent', # 0x1a 'NtClose', # 0x1b 'NtCloseObjectAuditAlarm', # 0x1c 'NtCompactKeys', # 0x1d 'NtCompareTokens', # 0x1e 'NtCompleteConnectPort', # 0x1f 'NtCompressKey', # 0x20 'NtConnectPort', # 0x21 'NtContinue', # 0x22 'NtCreateDebugObject', # 0x23 'NtCreateDirectoryObject', # 0x24 'NtCreateEvent', # 0x25 'NtCreateEventPair', # 0x26 'NtCreateFile', # 0x27 'NtCreateIoCompletion', # 0x28 'NtCreateJobObject', # 0x29 'NtCreateJobSet', # 0x2a 'NtCreateKey', # 0x2b 'NtCreateMailslotFile', # 0x2c 'NtCreateMutant', # 0x2d 'NtCreateNamedPipeFile', # 0x2e 'NtCreatePagingFile', # 0x2f 'NtCreatePort', # 0x30 'NtCreateProcess', # 0x31 'NtCreateProcessEx', # 0x32 'NtCreateProfile', # 0x33 'NtCreateSection', # 0x34 'NtCreateSemaphore', # 0x35 'NtCreateSymbolicLinkObject', # 0x36 'NtCreateThread', # 0x37 'NtCreateTimer', # 0x38 'NtCreateToken', # 0x39 'NtCreateWaitablePort', # 0x3a 'NtDebugActiveProcess', # 0x3b 'NtDebugContinue', # 0x3c 'NtDelayExecution', # 0x3d 'NtDeleteAtom', # 0x3e 'NtDeleteBootEntry', # 0x3f 'NtDeleteDriverEntry', # 0x40 'NtDeleteFile', # 0x41 'NtDeleteKey', # 0x42 'NtDeleteObjectAuditAlarm', # 0x43 
'NtDeleteValueKey', # 0x44 'NtDeviceIoControlFile', # 0x45 'NtDisplayString', # 0x46 'NtDuplicateObject', # 0x47 'NtDuplicateToken', # 0x48 'NtEnumerateBootEntries', # 0x49 'NtEnumerateDriverEntries', # 0x4a 'NtEnumerateKey', # 0x4b 'NtEnumerateSystemEnvironmentValuesEx', # 0x4c 'NtEnumerateValueKey', # 0x4d 'NtExtendSection', # 0x4e 'NtFilterToken', # 0x4f 'NtFindAtom', # 0x50 'NtFlushBuffersFile', # 0x51 'NtFlushInstructionCache', # 0x52 'NtFlushKey', # 0x53 'NtFlushVirtualMemory', # 0x54 'NtFlushWriteBuffer', # 0x55 'NtFreeUserPhysicalPages', # 0x56 'NtFreeVirtualMemory', # 0x57 'NtFsControlFile', # 0x58 'NtGetContextThread', # 0x59 'NtGetDevicePowerState', # 0x5a 'NtGetPlugPlayEvent', # 0x5b 'NtGetWriteWatch', # 0x5c 'NtImpersonateAnonymousToken', # 0x5d 'NtImpersonateClientOfPort', # 0x5e 'NtImpersonateThread', # 0x5f 'NtInitializeRegistry', # 0x60 'NtInitiatePowerAction', # 0x61 'NtIsProcessInJob', # 0x62 'NtIsSystemResumeAutomatic', # 0x63 'NtListenPort', # 0x64 'NtLoadDriver', # 0x65 'NtLoadKey', # 0x66 'NtLoadKey2', # 0x67 'NtLoadKeyEx', # 0x68 'NtLockFile', # 0x69 'NtLockProductActivationKeys', # 0x6a 'NtLockRegistryKey', # 0x6b 'NtLockVirtualMemory', # 0x6c 'NtMakePermanentObject', # 0x6d 'NtMakeTemporaryObject', # 0x6e 'NtMapUserPhysicalPages', # 0x6f 'NtMapUserPhysicalPagesScatter', # 0x70 'NtMapViewOfSection', # 0x71 'NtModifyBootEntry', # 0x72 'NtModifyDriverEntry', # 0x73 'NtNotifyChangeDirectoryFile', # 0x74 'NtNotifyChangeKey', # 0x75 'NtNotifyChangeMultipleKeys', # 0x76 'NtOpenDirectoryObject', # 0x77 'NtOpenEvent', # 0x78 'NtOpenEventPair', # 0x79 'NtOpenFile', # 0x7a 'NtOpenIoCompletion', # 0x7b 'NtOpenJobObject', # 0x7c 'NtOpenKey', # 0x7d 'NtOpenMutant', # 0x7e 'NtOpenObjectAuditAlarm', # 0x7f 'NtOpenProcess', # 0x80 'NtOpenProcessToken', # 0x81 'NtOpenProcessTokenEx', # 0x82 'NtOpenSection', # 0x83 'NtOpenSemaphore', # 0x84 'NtOpenSymbolicLinkObject', # 0x85 'NtOpenThread', # 0x86 'NtOpenThreadToken', # 0x87 'NtOpenThreadTokenEx', # 0x88 
'NtOpenTimer', # 0x89 'NtPlugPlayControl', # 0x8a 'NtPowerInformation', # 0x8b 'NtPrivilegeCheck', # 0x8c 'NtPrivilegeObjectAuditAlarm', # 0x8d 'NtPrivilegedServiceAuditAlarm', # 0x8e 'NtProtectVirtualMemory', # 0x8f 'NtPulseEvent', # 0x90 'NtQueryAttributesFile', # 0x91 'NtQueryBootEntryOrder', # 0x92 'NtQueryBootOptions', # 0x93 'NtQueryDebugFilterState', # 0x94 'NtQueryDefaultLocale', # 0x95 'NtQueryDefaultUILanguage', # 0x96 'NtQueryDirectoryFile', # 0x97 'NtQueryDirectoryObject', # 0x98 'NtQueryDriverEntryOrder', # 0x99 'NtQueryEaFile', # 0x9a 'NtQueryEvent', # 0x9b 'NtQueryFullAttributesFile', # 0x9c 'NtQueryInformationAtom', # 0x9d 'NtQueryInformationFile', # 0x9e 'NtQueryInformationJobObject', # 0x9f 'NtQueryInformationPort', # 0xa0 'NtQueryInformationProcess', # 0xa1 'NtQueryInformationThread', # 0xa2 'NtQueryInformationToken', # 0xa3 'NtQueryInstallUILanguage', # 0xa4 'NtQueryIntervalProfile', # 0xa5 'NtQueryIoCompletion', # 0xa6 'NtQueryKey', # 0xa7 'NtQueryMultipleValueKey', # 0xa8 'NtQueryMutant', # 0xa9 'NtQueryObject', # 0xaa 'NtQueryOpenSubKeys', # 0xab 'NtQueryOpenSubKeysEx', # 0xac 'NtQueryPerformanceCounter', # 0xad 'NtQueryQuotaInformationFile', # 0xae 'NtQuerySection', # 0xaf 'NtQuerySecurityObject', # 0xb0 'NtQuerySemaphore', # 0xb1 'NtQuerySymbolicLinkObject', # 0xb2 'NtQuerySystemEnvironmentValue', # 0xb3 'NtQuerySystemEnvironmentValueEx', # 0xb4 'NtQuerySystemInformation', # 0xb5 'NtQuerySystemTime', # 0xb6 'NtQueryTimer', # 0xb7 'NtQueryTimerResolution', # 0xb8 'NtQueryValueKey', # 0xb9 'NtQueryVirtualMemory', # 0xba 'NtQueryVolumeInformationFile', # 0xbb 'NtQueueApcThread', # 0xbc 'NtRaiseException', # 0xbd 'NtRaiseHardError', # 0xbe 'NtReadFile', # 0xbf 'NtReadFileScatter', # 0xc0 'NtReadRequestData', # 0xc1 'NtReadVirtualMemory', # 0xc2 'NtRegisterThreadTerminatePort', # 0xc3 'NtReleaseMutant', # 0xc4 'NtReleaseSemaphore', # 0xc5 'NtRemoveIoCompletion', # 0xc6 'NtRemoveProcessDebug', # 0xc7 'NtRenameKey', # 0xc8 'NtReplaceKey', # 0xc9 
'NtReplyPort', # 0xca 'NtReplyWaitReceivePort', # 0xcb 'NtReplyWaitReceivePortEx', # 0xcc 'NtReplyWaitReplyPort', # 0xcd 'NtRequestDeviceWakeup', # 0xce 'NtRequestPort', # 0xcf 'NtRequestWaitReplyPort', # 0xd0 'NtRequestWakeupLatency', # 0xd1 'NtResetEvent', # 0xd2 'NtResetWriteWatch', # 0xd3 'NtRestoreKey', # 0xd4 'NtResumeProcess', # 0xd5 'NtResumeThread', # 0xd6 'NtSaveKey', # 0xd7 'NtSaveKeyEx', # 0xd8 'NtSaveMergedKeys', # 0xd9 'NtSecureConnectPort', # 0xda 'NtSetBootEntryOrder', # 0xdb 'NtSetBootOptions', # 0xdc 'NtSetContextThread', # 0xdd 'NtSetDebugFilterState', # 0xde 'NtSetDefaultHardErrorPort', # 0xdf 'NtSetDefaultLocale', # 0xe0 'NtSetDefaultUILanguage', # 0xe1 'NtSetDriverEntryOrder', # 0xe2 'NtSetEaFile', # 0xe3 'NtSetEvent', # 0xe4 'NtSetEventBoostPriority', # 0xe5 'NtSetHighEventPair', # 0xe6 'NtSetHighWaitLowEventPair', # 0xe7 'NtSetInformationDebugObject', # 0xe8 'NtSetInformationFile', # 0xe9 'NtSetInformationJobObject', # 0xea 'NtSetInformationKey', # 0xeb 'NtSetInformationObject', # 0xec 'NtSetInformationProcess', # 0xed 'NtSetInformationThread', # 0xee 'NtSetInformationToken', # 0xef 'NtSetIntervalProfile', # 0xf0 'NtSetIoCompletion', # 0xf1 'NtSetLdtEntries', # 0xf2 'NtSetLowEventPair', # 0xf3 'NtSetLowWaitHighEventPair', # 0xf4 'NtSetQuotaInformationFile', # 0xf5 'NtSetSecurityObject', # 0xf6 'NtSetSystemEnvironmentValue', # 0xf7 'NtSetSystemEnvironmentValueEx', # 0xf8 'NtSetSystemInformation', # 0xf9 'NtSetSystemPowerState', # 0xfa 'NtSetSystemTime', # 0xfb 'NtSetThreadExecutionState', # 0xfc 'NtSetTimer', # 0xfd 'NtSetTimerResolution', # 0xfe 'NtSetUuidSeed', # 0xff 'NtSetValueKey', # 0x100 'NtSetVolumeInformationFile', # 0x101 'NtShutdownSystem', # 0x102 'NtSignalAndWaitForSingleObject', # 0x103 'NtStartProfile', # 0x104 'NtStopProfile', # 0x105 'NtSuspendProcess', # 0x106 'NtSuspendThread', # 0x107 'NtSystemDebugControl', # 0x108 'NtTerminateJobObject', # 0x109 'NtTerminateProcess', # 0x10a 'NtTerminateThread', # 0x10b 'NtTestAlert', # 
0x10c 'NtTraceEvent', # 0x10d 'NtTranslateFilePath', # 0x10e 'NtUnloadDriver', # 0x10f 'NtUnloadKey', # 0x110 'NtUnloadKey2', # 0x111 'NtUnloadKeyEx', # 0x112 'NtUnlockFile', # 0x113 'NtUnlockVirtualMemory', # 0x114 'NtUnmapViewOfSection', # 0x115 'NtVdmControl', # 0x116 'NtWaitForDebugEvent', # 0x117 'NtWaitForMultipleObjects', # 0x118 'NtWaitForSingleObject', # 0x119 'NtWaitHighEventPair', # 0x11a 'NtWaitLowEventPair', # 0x11b 'NtWriteFile', # 0x11c 'NtWriteFileGather', # 0x11d 'NtWriteRequestData', # 0x11e 'NtWriteVirtualMemory', # 0x11f 'NtYieldExecution', # 0x120 'NtCreateKeyedEvent', # 0x121 'NtOpenKeyedEvent', # 0x122 'NtReleaseKeyedEvent', # 0x123 'NtWaitForKeyedEvent', # 0x124 'NtQueryPortInformationProcess', # 0x125 'NtGetCurrentProcessorNumber', # 0x126 ], [ 'NtGdiAbortDoc', # 0x0 'NtGdiAbortPath', # 0x1 'NtGdiAddFontResourceW', # 0x2 'NtGdiAddRemoteFontToDC', # 0x3 'NtGdiAddFontMemResourceEx', # 0x4 'NtGdiRemoveMergeFont', # 0x5 'NtGdiAddRemoteMMInstanceToDC', # 0x6 'NtGdiAlphaBlend', # 0x7 'NtGdiAngleArc', # 0x8 'NtGdiAnyLinkedFonts', # 0x9 'NtGdiFontIsLinked', # 0xa 'NtGdiArcInternal', # 0xb 'NtGdiBeginPath', # 0xc 'NtGdiBitBlt', # 0xd 'NtGdiCancelDC', # 0xe 'NtGdiCheckBitmapBits', # 0xf 'NtGdiCloseFigure', # 0x10 'NtGdiClearBitmapAttributes', # 0x11 'NtGdiClearBrushAttributes', # 0x12 'NtGdiColorCorrectPalette', # 0x13 'NtGdiCombineRgn', # 0x14 'NtGdiCombineTransform', # 0x15 'NtGdiComputeXformCoefficients', # 0x16 'NtGdiConsoleTextOut', # 0x17 'NtGdiConvertMetafileRect', # 0x18 'NtGdiCreateBitmap', # 0x19 'NtGdiCreateClientObj', # 0x1a 'NtGdiCreateColorSpace', # 0x1b 'NtGdiCreateColorTransform', # 0x1c 'NtGdiCreateCompatibleBitmap', # 0x1d 'NtGdiCreateCompatibleDC', # 0x1e 'NtGdiCreateDIBBrush', # 0x1f 'NtGdiCreateDIBitmapInternal', # 0x20 'NtGdiCreateDIBSection', # 0x21 'NtGdiCreateEllipticRgn', # 0x22 'NtGdiCreateHalftonePalette', # 0x23 'NtGdiCreateHatchBrushInternal', # 0x24 'NtGdiCreateMetafileDC', # 0x25 'NtGdiCreatePaletteInternal', # 0x26 
'NtGdiCreatePatternBrushInternal', # 0x27 'NtGdiCreatePen', # 0x28 'NtGdiCreateRectRgn', # 0x29 'NtGdiCreateRoundRectRgn', # 0x2a 'NtGdiCreateServerMetaFile', # 0x2b 'NtGdiCreateSolidBrush', # 0x2c 'NtGdiD3dContextCreate', # 0x2d 'NtGdiD3dContextDestroy', # 0x2e 'NtGdiD3dContextDestroyAll', # 0x2f 'NtGdiD3dValidateTextureStageState', # 0x30 'NtGdiD3dDrawPrimitives2', # 0x31 'NtGdiDdGetDriverState', # 0x32 'NtGdiDdAddAttachedSurface', # 0x33 'NtGdiDdAlphaBlt', # 0x34 'NtGdiDdAttachSurface', # 0x35 'NtGdiDdBeginMoCompFrame', # 0x36 'NtGdiDdBlt', # 0x37 'NtGdiDdCanCreateSurface', # 0x38 'NtGdiDdCanCreateD3DBuffer', # 0x39 'NtGdiDdColorControl', # 0x3a 'NtGdiDdCreateDirectDrawObject', # 0x3b 'NtGdiDdCreateSurface', # 0x3c 'NtGdiDdCreateD3DBuffer', # 0x3d 'NtGdiDdCreateMoComp', # 0x3e 'NtGdiDdCreateSurfaceObject', # 0x3f 'NtGdiDdDeleteDirectDrawObject', # 0x40 'NtGdiDdDeleteSurfaceObject', # 0x41 'NtGdiDdDestroyMoComp', # 0x42 'NtGdiDdDestroySurface', # 0x43 'NtGdiDdDestroyD3DBuffer', # 0x44 'NtGdiDdEndMoCompFrame', # 0x45 'NtGdiDdFlip', # 0x46 'NtGdiDdFlipToGDISurface', # 0x47 'NtGdiDdGetAvailDriverMemory', # 0x48 'NtGdiDdGetBltStatus', # 0x49 'NtGdiDdGetDC', # 0x4a 'NtGdiDdGetDriverInfo', # 0x4b 'NtGdiDdGetDxHandle', # 0x4c 'NtGdiDdGetFlipStatus', # 0x4d 'NtGdiDdGetInternalMoCompInfo', # 0x4e 'NtGdiDdGetMoCompBuffInfo', # 0x4f 'NtGdiDdGetMoCompGuids', # 0x50 'NtGdiDdGetMoCompFormats', # 0x51 'NtGdiDdGetScanLine', # 0x52 'NtGdiDdLock', # 0x53 'NtGdiDdLockD3D', # 0x54 'NtGdiDdQueryDirectDrawObject', # 0x55 'NtGdiDdQueryMoCompStatus', # 0x56 'NtGdiDdReenableDirectDrawObject', # 0x57 'NtGdiDdReleaseDC', # 0x58 'NtGdiDdRenderMoComp', # 0x59 'NtGdiDdResetVisrgn', # 0x5a 'NtGdiDdSetColorKey', # 0x5b 'NtGdiDdSetExclusiveMode', # 0x5c 'NtGdiDdSetGammaRamp', # 0x5d 'NtGdiDdCreateSurfaceEx', # 0x5e 'NtGdiDdSetOverlayPosition', # 0x5f 'NtGdiDdUnattachSurface', # 0x60 'NtGdiDdUnlock', # 0x61 'NtGdiDdUnlockD3D', # 0x62 'NtGdiDdUpdateOverlay', # 0x63 'NtGdiDdWaitForVerticalBlank', # 
0x64 'NtGdiDvpCanCreateVideoPort', # 0x65 'NtGdiDvpColorControl', # 0x66 'NtGdiDvpCreateVideoPort', # 0x67 'NtGdiDvpDestroyVideoPort', # 0x68 'NtGdiDvpFlipVideoPort', # 0x69 'NtGdiDvpGetVideoPortBandwidth', # 0x6a 'NtGdiDvpGetVideoPortField', # 0x6b 'NtGdiDvpGetVideoPortFlipStatus', # 0x6c 'NtGdiDvpGetVideoPortInputFormats', # 0x6d 'NtGdiDvpGetVideoPortLine', # 0x6e 'NtGdiDvpGetVideoPortOutputFormats', # 0x6f 'NtGdiDvpGetVideoPortConnectInfo', # 0x70 'NtGdiDvpGetVideoSignalStatus', # 0x71 'NtGdiDvpUpdateVideoPort', # 0x72 'NtGdiDvpWaitForVideoPortSync', # 0x73 'NtGdiDvpAcquireNotification', # 0x74 'NtGdiDvpReleaseNotification', # 0x75 'NtGdiDxgGenericThunk', # 0x76 'NtGdiDeleteClientObj', # 0x77 'NtGdiDeleteColorSpace', # 0x78 'NtGdiDeleteColorTransform', # 0x79 'NtGdiDeleteObjectApp', # 0x7a 'NtGdiDescribePixelFormat', # 0x7b 'NtGdiGetPerBandInfo', # 0x7c 'NtGdiDoBanding', # 0x7d 'NtGdiDoPalette', # 0x7e 'NtGdiDrawEscape', # 0x7f 'NtGdiEllipse', # 0x80 'NtGdiEnableEudc', # 0x81 'NtGdiEndDoc', # 0x82 'NtGdiEndPage', # 0x83 'NtGdiEndPath', # 0x84 'NtGdiEnumFontChunk', # 0x85 'NtGdiEnumFontClose', # 0x86 'NtGdiEnumFontOpen', # 0x87 'NtGdiEnumObjects', # 0x88 'NtGdiEqualRgn', # 0x89 'NtGdiEudcLoadUnloadLink', # 0x8a 'NtGdiExcludeClipRect', # 0x8b 'NtGdiExtCreatePen', # 0x8c 'NtGdiExtCreateRegion', # 0x8d 'NtGdiExtEscape', # 0x8e 'NtGdiExtFloodFill', # 0x8f 'NtGdiExtGetObjectW', # 0x90 'NtGdiExtSelectClipRgn', # 0x91 'NtGdiExtTextOutW', # 0x92 'NtGdiFillPath', # 0x93 'NtGdiFillRgn', # 0x94 'NtGdiFlattenPath', # 0x95 'NtGdiFlush', # 0x96 'NtGdiForceUFIMapping', # 0x97 'NtGdiFrameRgn', # 0x98 'NtGdiFullscreenControl', # 0x99 'NtGdiGetAndSetDCDword', # 0x9a 'NtGdiGetAppClipBox', # 0x9b 'NtGdiGetBitmapBits', # 0x9c 'NtGdiGetBitmapDimension', # 0x9d 'NtGdiGetBoundsRect', # 0x9e 'NtGdiGetCharABCWidthsW', # 0x9f 'NtGdiGetCharacterPlacementW', # 0xa0 'NtGdiGetCharSet', # 0xa1 'NtGdiGetCharWidthW', # 0xa2 'NtGdiGetCharWidthInfo', # 0xa3 'NtGdiGetColorAdjustment', # 0xa4 
'NtGdiGetColorSpaceforBitmap', # 0xa5 'NtGdiGetDCDword', # 0xa6 'NtGdiGetDCforBitmap', # 0xa7 'NtGdiGetDCObject', # 0xa8 'NtGdiGetDCPoint', # 0xa9 'NtGdiGetDeviceCaps', # 0xaa 'NtGdiGetDeviceGammaRamp', # 0xab 'NtGdiGetDeviceCapsAll', # 0xac 'NtGdiGetDIBitsInternal', # 0xad 'NtGdiGetETM', # 0xae 'NtGdiGetEudcTimeStampEx', # 0xaf 'NtGdiGetFontData', # 0xb0 'NtGdiGetFontResourceInfoInternalW', # 0xb1 'NtGdiGetGlyphIndicesW', # 0xb2 'NtGdiGetGlyphIndicesWInternal', # 0xb3 'NtGdiGetGlyphOutline', # 0xb4 'NtGdiGetKerningPairs', # 0xb5 'NtGdiGetLinkedUFIs', # 0xb6 'NtGdiGetMiterLimit', # 0xb7 'NtGdiGetMonitorID', # 0xb8 'NtGdiGetNearestColor', # 0xb9 'NtGdiGetNearestPaletteIndex', # 0xba 'NtGdiGetObjectBitmapHandle', # 0xbb 'NtGdiGetOutlineTextMetricsInternalW', # 0xbc 'NtGdiGetPath', # 0xbd 'NtGdiGetPixel', # 0xbe 'NtGdiGetRandomRgn', # 0xbf 'NtGdiGetRasterizerCaps', # 0xc0 'NtGdiGetRealizationInfo', # 0xc1 'NtGdiGetRegionData', # 0xc2 'NtGdiGetRgnBox', # 0xc3 'NtGdiGetServerMetaFileBits', # 0xc4 'NtGdiGetSpoolMessage', # 0xc5 'NtGdiGetStats', # 0xc6 'NtGdiGetStockObject', # 0xc7 'NtGdiGetStringBitmapW', # 0xc8 'NtGdiGetSystemPaletteUse', # 0xc9 'NtGdiGetTextCharsetInfo', # 0xca 'NtGdiGetTextExtent', # 0xcb 'NtGdiGetTextExtentExW', # 0xcc 'NtGdiGetTextFaceW', # 0xcd 'NtGdiGetTextMetricsW', # 0xce 'NtGdiGetTransform', # 0xcf 'NtGdiGetUFI', # 0xd0 'NtGdiGetEmbUFI', # 0xd1 'NtGdiGetUFIPathname', # 0xd2 'NtGdiGetEmbedFonts', # 0xd3 'NtGdiChangeGhostFont', # 0xd4 'NtGdiAddEmbFontToDC', # 0xd5 'NtGdiGetFontUnicodeRanges', # 0xd6 'NtGdiGetWidthTable', # 0xd7 'NtGdiGradientFill', # 0xd8 'NtGdiHfontCreate', # 0xd9 'NtGdiIcmBrushInfo', # 0xda 'NtGdiInit', # 0xdb 'NtGdiInitSpool', # 0xdc 'NtGdiIntersectClipRect', # 0xdd 'NtGdiInvertRgn', # 0xde 'NtGdiLineTo', # 0xdf 'NtGdiMakeFontDir', # 0xe0 'NtGdiMakeInfoDC', # 0xe1 'NtGdiMaskBlt', # 0xe2 'NtGdiModifyWorldTransform', # 0xe3 'NtGdiMonoBitmap', # 0xe4 'NtGdiMoveTo', # 0xe5 'NtGdiOffsetClipRgn', # 0xe6 'NtGdiOffsetRgn', # 0xe7 
'NtGdiOpenDCW', # 0xe8 'NtGdiPatBlt', # 0xe9 'NtGdiPolyPatBlt', # 0xea 'NtGdiPathToRegion', # 0xeb 'NtGdiPlgBlt', # 0xec 'NtGdiPolyDraw', # 0xed 'NtGdiPolyPolyDraw', # 0xee 'NtGdiPolyTextOutW', # 0xef 'NtGdiPtInRegion', # 0xf0 'NtGdiPtVisible', # 0xf1 'NtGdiQueryFonts', # 0xf2 'NtGdiQueryFontAssocInfo', # 0xf3 'NtGdiRectangle', # 0xf4 'NtGdiRectInRegion', # 0xf5 'NtGdiRectVisible', # 0xf6 'NtGdiRemoveFontResourceW', # 0xf7 'NtGdiRemoveFontMemResourceEx', # 0xf8 'NtGdiResetDC', # 0xf9 'NtGdiResizePalette', # 0xfa 'NtGdiRestoreDC', # 0xfb 'NtGdiRoundRect', # 0xfc 'NtGdiSaveDC', # 0xfd 'NtGdiScaleViewportExtEx', # 0xfe 'NtGdiScaleWindowExtEx', # 0xff 'NtGdiSelectBitmap', # 0x100 'NtGdiSelectBrush', # 0x101 'NtGdiSelectClipPath', # 0x102 'NtGdiSelectFont', # 0x103 'NtGdiSelectPen', # 0x104 'NtGdiSetBitmapAttributes', # 0x105 'NtGdiSetBitmapBits', # 0x106 'NtGdiSetBitmapDimension', # 0x107 'NtGdiSetBoundsRect', # 0x108 'NtGdiSetBrushAttributes', # 0x109 'NtGdiSetBrushOrg', # 0x10a 'NtGdiSetColorAdjustment', # 0x10b 'NtGdiSetColorSpace', # 0x10c 'NtGdiSetDeviceGammaRamp', # 0x10d 'NtGdiSetDIBitsToDeviceInternal', # 0x10e 'NtGdiSetFontEnumeration', # 0x10f 'NtGdiSetFontXform', # 0x110 'NtGdiSetIcmMode', # 0x111 'NtGdiSetLinkedUFIs', # 0x112 'NtGdiSetMagicColors', # 0x113 'NtGdiSetMetaRgn', # 0x114 'NtGdiSetMiterLimit', # 0x115 'NtGdiGetDeviceWidth', # 0x116 'NtGdiMirrorWindowOrg', # 0x117 'NtGdiSetLayout', # 0x118 'NtGdiSetPixel', # 0x119 'NtGdiSetPixelFormat', # 0x11a 'NtGdiSetRectRgn', # 0x11b 'NtGdiSetSystemPaletteUse', # 0x11c 'NtGdiSetTextJustification', # 0x11d 'NtGdiSetupPublicCFONT', # 0x11e 'NtGdiSetVirtualResolution', # 0x11f 'NtGdiSetSizeDevice', # 0x120 'NtGdiStartDoc', # 0x121 'NtGdiStartPage', # 0x122 'NtGdiStretchBlt', # 0x123 'NtGdiStretchDIBitsInternal', # 0x124 'NtGdiStrokeAndFillPath', # 0x125 'NtGdiStrokePath', # 0x126 'NtGdiSwapBuffers', # 0x127 'NtGdiTransformPoints', # 0x128 'NtGdiTransparentBlt', # 0x129 'NtGdiUnloadPrinterDriver', # 0x12a 
'NtGdiUnmapMemFont', # 0x12b 'NtGdiUnrealizeObject', # 0x12c 'NtGdiUpdateColors', # 0x12d 'NtGdiWidenPath', # 0x12e 'NtUserActivateKeyboardLayout', # 0x12f 'NtUserAlterWindowStyle', # 0x130 'NtUserAssociateInputContext', # 0x131 'NtUserAttachThreadInput', # 0x132 'NtUserBeginPaint', # 0x133 'NtUserBitBltSysBmp', # 0x134 'NtUserBlockInput', # 0x135 'NtUserBuildHimcList', # 0x136 'NtUserBuildHwndList', # 0x137 'NtUserBuildNameList', # 0x138 'NtUserBuildPropList', # 0x139 'NtUserCallHwnd', # 0x13a 'NtUserCallHwndLock', # 0x13b 'NtUserCallHwndOpt', # 0x13c 'NtUserCallHwndParam', # 0x13d 'NtUserCallHwndParamLock', # 0x13e 'NtUserCallMsgFilter', # 0x13f 'NtUserCallNextHookEx', # 0x140 'NtUserCallNoParam', # 0x141 'NtUserCallOneParam', # 0x142 'NtUserCallTwoParam', # 0x143 'NtUserChangeClipboardChain', # 0x144 'NtUserChangeDisplaySettings', # 0x145 'NtUserCheckImeHotKey', # 0x146 'NtUserCheckMenuItem', # 0x147 'NtUserChildWindowFromPointEx', # 0x148 'NtUserClipCursor', # 0x149 'NtUserCloseClipboard', # 0x14a 'NtUserCloseDesktop', # 0x14b 'NtUserCloseWindowStation', # 0x14c 'NtUserConsoleControl', # 0x14d 'NtUserConvertMemHandle', # 0x14e 'NtUserCopyAcceleratorTable', # 0x14f 'NtUserCountClipboardFormats', # 0x150 'NtUserCreateAcceleratorTable', # 0x151 'NtUserCreateCaret', # 0x152 'NtUserCreateDesktop', # 0x153 'NtUserCreateInputContext', # 0x154 'NtUserCreateLocalMemHandle', # 0x155 'NtUserCreateWindowEx', # 0x156 'NtUserCreateWindowStation', # 0x157 'NtUserDdeGetQualityOfService', # 0x158 'NtUserDdeInitialize', # 0x159 'NtUserDdeSetQualityOfService', # 0x15a 'NtUserDeferWindowPos', # 0x15b 'NtUserDefSetText', # 0x15c 'NtUserDeleteMenu', # 0x15d 'NtUserDestroyAcceleratorTable', # 0x15e 'NtUserDestroyCursor', # 0x15f 'NtUserDestroyInputContext', # 0x160 'NtUserDestroyMenu', # 0x161 'NtUserDestroyWindow', # 0x162 'NtUserDisableThreadIme', # 0x163 'NtUserDispatchMessage', # 0x164 'NtUserDragDetect', # 0x165 'NtUserDragObject', # 0x166 'NtUserDrawAnimatedRects', # 0x167 
'NtUserDrawCaption', # 0x168 'NtUserDrawCaptionTemp', # 0x169 'NtUserDrawIconEx', # 0x16a 'NtUserDrawMenuBarTemp', # 0x16b 'NtUserEmptyClipboard', # 0x16c 'NtUserEnableMenuItem', # 0x16d 'NtUserEnableScrollBar', # 0x16e 'NtUserEndDeferWindowPosEx', # 0x16f 'NtUserEndMenu', # 0x170 'NtUserEndPaint', # 0x171 'NtUserEnumDisplayDevices', # 0x172 'NtUserEnumDisplayMonitors', # 0x173 'NtUserEnumDisplaySettings', # 0x174 'NtUserEvent', # 0x175 'NtUserExcludeUpdateRgn', # 0x176 'NtUserFillWindow', # 0x177 'NtUserFindExistingCursorIcon', # 0x178 'NtUserFindWindowEx', # 0x179 'NtUserFlashWindowEx', # 0x17a 'NtUserGetAltTabInfo', # 0x17b 'NtUserGetAncestor', # 0x17c 'NtUserGetAppImeLevel', # 0x17d 'NtUserGetAsyncKeyState', # 0x17e 'NtUserGetAtomName', # 0x17f 'NtUserGetCaretBlinkTime', # 0x180 'NtUserGetCaretPos', # 0x181 'NtUserGetClassInfoEx', # 0x182 'NtUserGetClassName', # 0x183 'NtUserGetClipboardData', # 0x184 'NtUserGetClipboardFormatName', # 0x185 'NtUserGetClipboardOwner', # 0x186 'NtUserGetClipboardSequenceNumber', # 0x187 'NtUserGetClipboardViewer', # 0x188 'NtUserGetClipCursor', # 0x189 'NtUserGetComboBoxInfo', # 0x18a 'NtUserGetControlBrush', # 0x18b 'NtUserGetControlColor', # 0x18c 'NtUserGetCPD', # 0x18d 'NtUserGetCursorFrameInfo', # 0x18e 'NtUserGetCursorInfo', # 0x18f 'NtUserGetDC', # 0x190 'NtUserGetDCEx', # 0x191 'NtUserGetDoubleClickTime', # 0x192 'NtUserGetForegroundWindow', # 0x193 'NtUserGetGuiResources', # 0x194 'NtUserGetGUIThreadInfo', # 0x195 'NtUserGetIconInfo', # 0x196 'NtUserGetIconSize', # 0x197 'NtUserGetImeHotKey', # 0x198 'NtUserGetImeInfoEx', # 0x199 'NtUserGetInternalWindowPos', # 0x19a 'NtUserGetKeyboardLayoutList', # 0x19b 'NtUserGetKeyboardLayoutName', # 0x19c 'NtUserGetKeyboardState', # 0x19d 'NtUserGetKeyNameText', # 0x19e 'NtUserGetKeyState', # 0x19f 'NtUserGetListBoxInfo', # 0x1a0 'NtUserGetMenuBarInfo', # 0x1a1 'NtUserGetMenuIndex', # 0x1a2 'NtUserGetMenuItemRect', # 0x1a3 'NtUserGetMessage', # 0x1a4 'NtUserGetMouseMovePointsEx', # 
0x1a5 'NtUserGetObjectInformation', # 0x1a6 'NtUserGetOpenClipboardWindow', # 0x1a7 'NtUserGetPriorityClipboardFormat', # 0x1a8 'NtUserGetProcessWindowStation', # 0x1a9 'NtUserGetRawInputBuffer', # 0x1aa 'NtUserGetRawInputData', # 0x1ab 'NtUserGetRawInputDeviceInfo', # 0x1ac 'NtUserGetRawInputDeviceList', # 0x1ad 'NtUserGetRegisteredRawInputDevices', # 0x1ae 'NtUserGetScrollBarInfo', # 0x1af 'NtUserGetSystemMenu', # 0x1b0 'NtUserGetThreadDesktop', # 0x1b1 'NtUserGetThreadState', # 0x1b2 'NtUserGetTitleBarInfo', # 0x1b3 'NtUserGetUpdateRect', # 0x1b4 'NtUserGetUpdateRgn', # 0x1b5 'NtUserGetWindowDC', # 0x1b6 'NtUserGetWindowPlacement', # 0x1b7 'NtUserGetWOWClass', # 0x1b8 'NtUserHardErrorControl', # 0x1b9 'NtUserHideCaret', # 0x1ba 'NtUserHiliteMenuItem', # 0x1bb 'NtUserImpersonateDdeClientWindow', # 0x1bc 'NtUserInitialize', # 0x1bd 'NtUserInitializeClientPfnArrays', # 0x1be 'NtUserInitTask', # 0x1bf 'NtUserInternalGetWindowText', # 0x1c0 'NtUserInvalidateRect', # 0x1c1 'NtUserInvalidateRgn', # 0x1c2 'NtUserIsClipboardFormatAvailable', # 0x1c3 'NtUserKillTimer', # 0x1c4 'NtUserLoadKeyboardLayoutEx', # 0x1c5 'NtUserLockWindowStation', # 0x1c6 'NtUserLockWindowUpdate', # 0x1c7 'NtUserLockWorkStation', # 0x1c8 'NtUserMapVirtualKeyEx', # 0x1c9 'NtUserMenuItemFromPoint', # 0x1ca 'NtUserMessageCall', # 0x1cb 'NtUserMinMaximize', # 0x1cc 'NtUserMNDragLeave', # 0x1cd 'NtUserMNDragOver', # 0x1ce 'NtUserModifyUserStartupInfoFlags', # 0x1cf 'NtUserMoveWindow', # 0x1d0 'NtUserNotifyIMEStatus', # 0x1d1 'NtUserNotifyProcessCreate', # 0x1d2 'NtUserNotifyWinEvent', # 0x1d3 'NtUserOpenClipboard', # 0x1d4 'NtUserOpenDesktop', # 0x1d5 'NtUserOpenInputDesktop', # 0x1d6 'NtUserOpenWindowStation', # 0x1d7 'NtUserPaintDesktop', # 0x1d8 'NtUserPeekMessage', # 0x1d9 'NtUserPostMessage', # 0x1da 'NtUserPostThreadMessage', # 0x1db 'NtUserPrintWindow', # 0x1dc 'NtUserProcessConnect', # 0x1dd 'NtUserQueryInformationThread', # 0x1de 'NtUserQueryInputContext', # 0x1df 'NtUserQuerySendMessage', # 
0x1e0 'NtUserQueryWindow', # 0x1e1 'NtUserRealChildWindowFromPoint', # 0x1e2 'NtUserRealInternalGetMessage', # 0x1e3 'NtUserRealWaitMessageEx', # 0x1e4 'NtUserRedrawWindow', # 0x1e5 'NtUserRegisterClassExWOW', # 0x1e6 'NtUserRegisterUserApiHook', # 0x1e7 'NtUserRegisterHotKey', # 0x1e8 'NtUserRegisterRawInputDevices', # 0x1e9 'NtUserRegisterTasklist', # 0x1ea 'NtUserRegisterWindowMessage', # 0x1eb 'NtUserRemoveMenu', # 0x1ec 'NtUserRemoveProp', # 0x1ed 'NtUserResolveDesktop', # 0x1ee 'NtUserResolveDesktopForWOW', # 0x1ef 'NtUserSBGetParms', # 0x1f0 'NtUserScrollDC', # 0x1f1 'NtUserScrollWindowEx', # 0x1f2 'NtUserSelectPalette', # 0x1f3 'NtUserSendInput', # 0x1f4 'NtUserSetActiveWindow', # 0x1f5 'NtUserSetAppImeLevel', # 0x1f6 'NtUserSetCapture', # 0x1f7 'NtUserSetClassLong', # 0x1f8 'NtUserSetClassWord', # 0x1f9 'NtUserSetClipboardData', # 0x1fa 'NtUserSetClipboardViewer', # 0x1fb 'NtUserSetConsoleReserveKeys', # 0x1fc 'NtUserSetCursor', # 0x1fd 'NtUserSetCursorContents', # 0x1fe 'NtUserSetCursorIconData', # 0x1ff 'NtUserSetFocus', # 0x200 'NtUserSetImeHotKey', # 0x201 'NtUserSetImeInfoEx', # 0x202 'NtUserSetImeOwnerWindow', # 0x203 'NtUserSetInformationProcess', # 0x204 'NtUserSetInformationThread', # 0x205 'NtUserSetInternalWindowPos', # 0x206 'NtUserSetKeyboardState', # 0x207 'NtUserSetLogonNotifyWindow', # 0x208 'NtUserSetMenu', # 0x209 'NtUserSetMenuContextHelpId', # 0x20a 'NtUserSetMenuDefaultItem', # 0x20b 'NtUserSetMenuFlagRtoL', # 0x20c 'NtUserSetObjectInformation', # 0x20d 'NtUserSetParent', # 0x20e 'NtUserSetProcessWindowStation', # 0x20f 'NtUserSetProp', # 0x210 'NtUserSetScrollInfo', # 0x211 'NtUserSetShellWindowEx', # 0x212 'NtUserSetSysColors', # 0x213 'NtUserSetSystemCursor', # 0x214 'NtUserSetSystemMenu', # 0x215 'NtUserSetSystemTimer', # 0x216 'NtUserSetThreadDesktop', # 0x217 'NtUserSetThreadLayoutHandles', # 0x218 'NtUserSetThreadState', # 0x219 'NtUserSetTimer', # 0x21a 'NtUserSetWindowFNID', # 0x21b 'NtUserSetWindowLong', # 0x21c 
'NtUserSetWindowPlacement', # 0x21d 'NtUserSetWindowPos', # 0x21e 'NtUserSetWindowRgn', # 0x21f 'NtUserSetWindowsHookAW', # 0x220 'NtUserSetWindowsHookEx', # 0x221 'NtUserSetWindowStationUser', # 0x222 'NtUserSetWindowWord', # 0x223 'NtUserSetWinEventHook', # 0x224 'NtUserShowCaret', # 0x225 'NtUserShowScrollBar', # 0x226 'NtUserShowWindow', # 0x227 'NtUserShowWindowAsync', # 0x228 'NtUserSoundSentry', # 0x229 'NtUserSwitchDesktop', # 0x22a 'NtUserSystemParametersInfo', # 0x22b 'NtUserTestForInteractiveUser', # 0x22c 'NtUserThunkedMenuInfo', # 0x22d 'NtUserThunkedMenuItemInfo', # 0x22e 'NtUserToUnicodeEx', # 0x22f 'NtUserTrackMouseEvent', # 0x230 'NtUserTrackPopupMenuEx', # 0x231 'NtUserCalcMenuBar', # 0x232 'NtUserPaintMenuBar', # 0x233 'NtUserTranslateAccelerator', # 0x234 'NtUserTranslateMessage', # 0x235 'NtUserUnhookWindowsHookEx', # 0x236 'NtUserUnhookWinEvent', # 0x237 'NtUserUnloadKeyboardLayout', # 0x238 'NtUserUnlockWindowStation', # 0x239 'NtUserUnregisterClass', # 0x23a 'NtUserUnregisterUserApiHook', # 0x23b 'NtUserUnregisterHotKey', # 0x23c 'NtUserUpdateInputContext', # 0x23d 'NtUserUpdateInstance', # 0x23e 'NtUserUpdateLayeredWindow', # 0x23f 'NtUserGetLayeredWindowAttributes', # 0x240 'NtUserSetLayeredWindowAttributes', # 0x241 'NtUserUpdatePerUserSystemParameters', # 0x242 'NtUserUserHandleGrantAccess', # 0x243 'NtUserValidateHandleSecure', # 0x244 'NtUserValidateRect', # 0x245 'NtUserValidateTimerCallback', # 0x246 'NtUserVkKeyScanEx', # 0x247 'NtUserWaitForInputIdle', # 0x248 'NtUserWaitForMsgAndEvent', # 0x249 'NtUserWaitMessage', # 0x24a 'NtUserWin32PoolAllocationStats', # 0x24b 'NtUserWindowFromPoint', # 0x24c 'NtUserYieldTask', # 0x24d 'NtUserRemoteConnect', # 0x24e 'NtUserRemoteRedrawRectangle', # 0x24f 'NtUserRemoteRedrawScreen', # 0x250 'NtUserRemoteStopScreenUpdates', # 0x251 'NtUserCtxDisplayIOCtl', # 0x252 'NtGdiEngAssociateSurface', # 0x253 'NtGdiEngCreateBitmap', # 0x254 'NtGdiEngCreateDeviceSurface', # 0x255 
'NtGdiEngCreateDeviceBitmap', # 0x256 'NtGdiEngCreatePalette', # 0x257 'NtGdiEngComputeGlyphSet', # 0x258 'NtGdiEngCopyBits', # 0x259 'NtGdiEngDeletePalette', # 0x25a 'NtGdiEngDeleteSurface', # 0x25b 'NtGdiEngEraseSurface', # 0x25c 'NtGdiEngUnlockSurface', # 0x25d 'NtGdiEngLockSurface', # 0x25e 'NtGdiEngBitBlt', # 0x25f 'NtGdiEngStretchBlt', # 0x260 'NtGdiEngPlgBlt', # 0x261 'NtGdiEngMarkBandingSurface', # 0x262 'NtGdiEngStrokePath', # 0x263 'NtGdiEngFillPath', # 0x264 'NtGdiEngStrokeAndFillPath', # 0x265 'NtGdiEngPaint', # 0x266 'NtGdiEngLineTo', # 0x267 'NtGdiEngAlphaBlend', # 0x268 'NtGdiEngGradientFill', # 0x269 'NtGdiEngTransparentBlt', # 0x26a 'NtGdiEngTextOut', # 0x26b 'NtGdiEngStretchBltROP', # 0x26c 'NtGdiXLATEOBJ_cGetPalette', # 0x26d 'NtGdiXLATEOBJ_iXlate', # 0x26e 'NtGdiXLATEOBJ_hGetColorTransform', # 0x26f 'NtGdiCLIPOBJ_bEnum', # 0x270 'NtGdiCLIPOBJ_cEnumStart', # 0x271 'NtGdiCLIPOBJ_ppoGetPath', # 0x272 'NtGdiEngDeletePath', # 0x273 'NtGdiEngCreateClip', # 0x274 'NtGdiEngDeleteClip', # 0x275 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x276 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x277 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x278 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x279 'NtGdiXFORMOBJ_bApplyXform', # 0x27a 'NtGdiXFORMOBJ_iGetXform', # 0x27b 'NtGdiFONTOBJ_vGetInfo', # 0x27c 'NtGdiFONTOBJ_pxoGetXform', # 0x27d 'NtGdiFONTOBJ_cGetGlyphs', # 0x27e 'NtGdiFONTOBJ_pifi', # 0x27f 'NtGdiFONTOBJ_pfdg', # 0x280 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x281 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x282 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x283 'NtGdiSTROBJ_bEnum', # 0x284 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x285 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x286 'NtGdiSTROBJ_vEnumStart', # 0x287 'NtGdiSTROBJ_dwGetCodePage', # 0x288 'NtGdiPATHOBJ_vGetBounds', # 0x289 'NtGdiPATHOBJ_bEnum', # 0x28a 'NtGdiPATHOBJ_vEnumStart', # 0x28b 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x28c 'NtGdiPATHOBJ_bEnumClipLines', # 0x28d 'NtGdiGetDhpdev', # 0x28e 'NtGdiEngCheckAbort', # 0x28f 'NtGdiHT_Get8BPPFormatPalette', # 
0x290 'NtGdiHT_Get8BPPMaskPalette', # 0x291 'NtGdiUpdateTransform', # 0x292 'NtGdiSetPUMPDOBJ', # 0x293 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x294 'NtGdiUMPDEngFreeUserMem', # 0x295 'NtGdiDrawStream', # 0x296 ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win10_x86_9619274A_vtypes.py0000644000000000000000000263735013131215405031051 0ustar rootrootntkrpamp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x708, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'NtBuildNumber' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned 
char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'BootId' : [ 0x2c4, ['unsigned long']], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'VirtualizationFlags' : [ 0x2ed, ['unsigned char']], 'Reserved12' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit 
= 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgMultiSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgMultiUsersInSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCall' : [ 0x308, ['unsigned long']], 'SystemCallPad0' : [ 0x30c, ['unsigned long']], 'SystemCallPad' : [ 0x310, ['array', 2, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrementShift' : [ 0x368, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x369, ['unsigned char']], 'UnparkedProcessorCount' : [ 0x36a, ['unsigned short']], 'EnclaveFeatureMask' : [ 0x36c, ['array', 4, ['unsigned long']]], 'Reserved8' : [ 0x37c, ['unsigned 
long']], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_107d' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_107d']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1081' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1081']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_109c' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109e' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_109c']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 
'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_109e']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TEB' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 16, ['pointer', ['void']]]], 'SystemReserved1' : [ 0x10c, ['array', 36, ['pointer', ['void']]]], 'WorkingOnBehalfTicket' : [ 0x19c, ['array', 8, ['unsigned char']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'InstrumentationCallbackSp' : [ 0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x1b8, ['unsigned char']], 'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 
'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'PerflibData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 
'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 
0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['pointer', ['void']]], 'ReservedForWdf' : [ 0xfe4, ['pointer', ['void']]], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0xc, { 'Parent' : [ 0x0, ['pointer', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 
'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'CurEntry' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['wchar']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned 
short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_RB_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_RTL_BALANCED_NODE' : [ 0xc, { 'Children' : [ 0x0, ['array', 2, ['pointer', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x8, ['unsigned long']], } ], '_RTL_AVL_TREE' : [ 0x4, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x4a20, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'MxCsr' : [ 0x8, ['unsigned long']], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, 
['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x4900, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : [ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'ParentNode' : [ 0x338, ['pointer', ['_KNODE']]], 'PriorityState' : [ 0x33c, ['pointer', ['unsigned char']]], 'KernelReserved' : [ 0x340, ['array', 14, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'CpuVendor' : [ 0x3be, ['unsigned char']], 'PrcbPad0' : [ 0x3bf, ['array', 1, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'GroupIndex' : [ 0x3c4, ['unsigned char']], 'Group' : [ 0x3c5, ['unsigned char']], 'PrcbPad05' : [ 0x3c6, ['array', 2, ['unsigned char']]], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, 
['unsigned long']], 'ClockOwner' : [ 0x3d0, ['unsigned char']], 'PendingTickFlags' : [ 0x3d1, ['unsigned char']], 'PendingTick' : [ 0x3d1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x3d1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'PrcbPad10' : [ 0x3d2, ['array', 70, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'InterruptCount' : [ 0x4a0, ['unsigned long']], 'KernelTime' : [ 0x4a4, ['unsigned long']], 'UserTime' : [ 0x4a8, ['unsigned long']], 'DpcTime' : [ 0x4ac, ['unsigned long']], 'DpcTimeCount' : [ 0x4b0, ['unsigned long']], 'InterruptTime' : [ 0x4b4, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4b8, ['unsigned long']], 'PageColor' : [ 0x4bc, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c0, ['unsigned char']], 'NodeColor' : [ 0x4c1, ['unsigned char']], 'DeepSleep' : [ 0x4c2, ['unsigned char']], 'PrcbPad20' : [ 0x4c3, ['array', 5, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'SecondaryColorMask' : [ 0x4cc, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d0, ['unsigned long']], 'PrcbPad21' : [ 0x4d4, ['array', 3, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' : [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x520, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, 
['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, ['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : [ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x570, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, ['unsigned long']]], 'PPLookasideList' : [ 0x5a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1820, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2120, ['long']], 'ReverseStall' : [ 0x2124, ['long']], 'IpiFrame' : [ 0x2128, ['pointer', ['void']]], 'PrcbPad3' : [ 0x212c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x2160, ['array', 3, ['pointer', 
['void']]]], 'TargetSet' : [ 0x216c, ['unsigned long']], 'WorkerRoutine' : [ 0x2170, ['pointer', ['void']]], 'IpiFrozen' : [ 0x2174, ['unsigned long']], 'PrcbPad4' : [ 0x2178, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x21a0, ['unsigned long']], 'TargetCount' : [ 0x21a4, ['long']], 'LastNonHrTimerExpiration' : [ 0x21a8, ['unsigned long long']], 'PrcbPad50' : [ 0x21b0, ['array', 32, ['unsigned char']]], 'InterruptLastCount' : [ 0x21d0, ['unsigned long']], 'InterruptRate' : [ 0x21d4, ['unsigned long']], 'DeviceInterrupts' : [ 0x21d8, ['unsigned long']], 'IsrDpcStats' : [ 0x21dc, ['pointer', ['void']]], 'DpcData' : [ 0x21e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2210, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2214, ['long']], 'DpcRequestRate' : [ 0x2218, ['unsigned long']], 'MinimumDpcRate' : [ 0x221c, ['unsigned long']], 'DpcLastCount' : [ 0x2220, ['unsigned long']], 'PrcbLock' : [ 0x2224, ['unsigned long']], 'DpcGate' : [ 0x2228, ['_KGATE']], 'IdleState' : [ 0x2238, ['unsigned char']], 'QuantumEnd' : [ 0x2239, ['unsigned char']], 'DpcRoutineActive' : [ 0x223a, ['unsigned char']], 'IdleSchedule' : [ 0x223b, ['unsigned char']], 'DpcRequestSummary' : [ 0x223c, ['long']], 'DpcRequestSlot' : [ 0x223c, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x223c, ['short']], 'ThreadDpcState' : [ 0x223e, ['short']], 'DpcNormalProcessingActive' : [ 0x223c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x223c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x223c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x223c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x223c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x223c, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x223c, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x223c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x223c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x223c, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2240, ['unsigned long']], 'LastTick' : [ 0x2244, ['unsigned long']], 'PeriodicCount' : [ 0x2248, ['unsigned long']], 'PeriodicBias' : [ 0x224c, ['unsigned long']], 'ClockInterrupts' : [ 0x2250, ['unsigned long']], 'ReadyScanTick' : [ 0x2254, ['unsigned long']], 'GroupSchedulingOverQuota' : [ 0x2258, ['unsigned char']], 'ThreadDpcEnable' : [ 0x2259, ['unsigned char']], 'PrcbPad41' : [ 0x225a, ['array', 2, ['unsigned char']]], 'TimerTable' : [ 0x2260, ['_KTIMER_TABLE']], 'CallDpc' : [ 0x3aa0, ['_KDPC']], 'ClockKeepAlive' : [ 0x3ac0, ['long']], 'PrcbPad6' : [ 0x3ac4, ['array', 4, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x3ac8, ['long']], 'DpcWatchdogCount' : [ 0x3acc, ['long']], 'KeSpinLockOrdering' : [ 0x3ad0, ['long']], 'PrcbPad70' : [ 0x3ad4, ['array', 1, ['unsigned long']]], 'QueueIndex' : [ 0x3ad8, ['unsigned long']], 'DeferredReadyListHead' : [ 0x3adc, ['_SINGLE_LIST_ENTRY']], 'ReadySummary' : [ 0x3ae0, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x3ae4, ['long']], 'WaitLock' : [ 0x3ae8, ['unsigned long']], 'WaitListHead' : [ 0x3aec, ['_LIST_ENTRY']], 'ScbOffset' : [ 0x3af4, ['unsigned long']], 'StartCycles' : [ 0x3af8, ['unsigned long long']], 'TaggedCyclesStart' : [ 0x3b00, ['unsigned long long']], 'TaggedCycles' : [ 0x3b08, ['array', 2, ['unsigned long long']]], 'GenerationTarget' : [ 0x3b18, ['unsigned long long']], 'CycleTime' : [ 0x3b20, ['unsigned long long']], 'AffinitizedCycles' : [ 0x3b28, ['unsigned long long']], 
'HighCycleTime' : [ 0x3b30, ['unsigned long']], 'Cycles' : [ 0x3b38, ['array', 4, ['array', 2, ['unsigned long long']]]], 'PrcbPad71' : [ 0x3b78, ['array', 10, ['unsigned long']]], 'DispatcherReadyListHead' : [ 0x3ba0, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3ca0, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3ca4, ['long']], 'ScbQueue' : [ 0x3ca8, ['_RTL_RB_TREE']], 'ScbList' : [ 0x3cb0, ['_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x3cb8, ['long']], 'MmCopyOnWriteCount' : [ 0x3cbc, ['long']], 'MmTransitionCount' : [ 0x3cc0, ['long']], 'MmCacheTransitionCount' : [ 0x3cc4, ['long']], 'MmDemandZeroCount' : [ 0x3cc8, ['long']], 'MmPageReadCount' : [ 0x3ccc, ['long']], 'MmPageReadIoCount' : [ 0x3cd0, ['long']], 'MmCacheReadCount' : [ 0x3cd4, ['long']], 'MmCacheIoCount' : [ 0x3cd8, ['long']], 'MmDirtyPagesWriteCount' : [ 0x3cdc, ['long']], 'MmDirtyWriteIoCount' : [ 0x3ce0, ['long']], 'MmMappedPagesWriteCount' : [ 0x3ce4, ['long']], 'MmMappedWriteIoCount' : [ 0x3ce8, ['long']], 'CachedCommit' : [ 0x3cec, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3cf0, ['unsigned long']], 'HyperPte' : [ 0x3cf4, ['pointer', ['void']]], 'PrcbPad8' : [ 0x3cf8, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x3cfc, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x3d09, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x3d0a, ['unsigned char']], 'PrcbPad9' : [ 0x3d0b, ['array', 1, ['unsigned char']]], 'FeatureBits' : [ 0x3d10, ['unsigned long long']], 'UpdateSignature' : [ 0x3d18, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3d20, ['unsigned long long']], 'PrcbPad90' : [ 0x3d28, ['array', 2, ['unsigned long']]], 'PowerState' : [ 0x3d30, ['_PROCESSOR_POWER_STATE']], 'PrcbPad91' : [ 0x3eb0, ['array', 17, ['unsigned long']]], 'DpcWatchdogDpc' : [ 0x3ef4, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3f18, ['_KTIMER']], 'HypercallPageList' : [ 0x3f40, ['_SLIST_HEADER']], 'HypercallCachedPages' : [ 0x3f48, ['pointer', ['void']]], 'VirtualApicAssist' : [ 
0x3f4c, ['pointer', ['void']]], 'StatisticsPage' : [ 0x3f50, ['pointer', ['unsigned long long']]], 'Cache' : [ 0x3f54, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3f90, ['unsigned long']], 'PackageProcessorSet' : [ 0x3f94, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x3fa0, ['unsigned long']], 'SharedReadyQueue' : [ 0x3fa4, ['pointer', ['_KSHARED_READY_QUEUE']]], 'SharedQueueScanOwner' : [ 0x3fa8, ['unsigned long']], 'CoreProcessorSet' : [ 0x3fac, ['unsigned long']], 'ScanSiblingMask' : [ 0x3fb0, ['unsigned long']], 'LLCMask' : [ 0x3fb4, ['unsigned long']], 'CacheProcessorMask' : [ 0x3fb8, ['array', 5, ['unsigned long']]], 'ScanSiblingIndex' : [ 0x3fcc, ['unsigned long']], 'WheaInfo' : [ 0x3fd0, ['pointer', ['void']]], 'EtwSupport' : [ 0x3fd4, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x3fd8, ['_SLIST_HEADER']], 'PrcbPad92' : [ 0x3fe0, ['array', 3, ['unsigned long']]], 'PteBitCache' : [ 0x3fec, ['unsigned long']], 'PteBitOffset' : [ 0x3ff0, ['unsigned long']], 'PrcbPad93' : [ 0x3ff4, ['unsigned long']], 'ProcessorProfileControlArea' : [ 0x3ff8, ['pointer', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x3ffc, ['pointer', ['void']]], 'TimerExpirationDpc' : [ 0x4000, ['_KDPC']], 'SynchCounters' : [ 0x4020, ['_SYNCH_COUNTERS']], 'FsCounters' : [ 0x40d8, ['_FILESYSTEM_DISK_COUNTERS']], 'Context' : [ 0x40e8, ['pointer', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x40ec, ['unsigned long']], 'ExtendedState' : [ 0x40f0, ['pointer', ['_XSAVE_AREA']]], 'EntropyTimingState' : [ 0x40f4, ['_KENTROPY_TIMING_STATE']], 'IsrStack' : [ 0x421c, ['pointer', ['void']]], 'VectorToInterruptObject' : [ 0x4220, ['array', 208, ['pointer', ['_KINTERRUPT']]]], 'AbSelfIoBoostsList' : [ 0x4560, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x4564, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x4568, ['_KDPC']], 'IoIrpStackProfilerCurrent' : [ 0x4588, ['_IOP_IRP_STACK_PROFILER']], 'IoIrpStackProfilerPrevious' : [ 0x45dc, ['_IOP_IRP_STACK_PROFILER']], 
'TimerExpirationTrace' : [ 0x4630, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : [ 0x4730, ['unsigned long']], 'ExSaPageArray' : [ 0x4734, ['pointer', ['void']]], 'PrcbPad100' : [ 0x4738, ['array', 10, ['unsigned long']]], 'LocalSharedReadyQueue' : [ 0x4760, ['_KSHARED_READY_QUEUE']], 'PrcbPad95' : [ 0x4894, ['array', 12, ['unsigned char']]], 'Mailbox' : [ 0x48a0, ['pointer', ['_REQUEST_MAILBOX']]], 'PrcbPad' : [ 0x48a4, ['array', 60, ['unsigned char']]], 'RequestMailbox' : [ 0x48e0, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'Reserved' : [ 0x14, ['array', 3, ['pointer', ['void']]]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_PS_TRUSTLET_CREATE_ATTRIBUTES' : [ 0x18, { 'TrustletIdentity' : [ 0x0, ['unsigned long long']], 'Attributes' : [ 0x8, ['array', 1, ['_PS_TRUSTLET_ATTRIBUTE_DATA']]], } ], '_PS_TRUSTLET_ATTRIBUTE_DATA' : [ 0x10, { 'Header' : [ 0x0, 
['_PS_TRUSTLET_ATTRIBUTE_HEADER']], 'Data' : [ 0x8, ['array', 1, ['unsigned long long']]], } ], '_PS_TRUSTLET_ATTRIBUTE_HEADER' : [ 0x8, { 'AttributeType' : [ 0x0, ['_PS_TRUSTLET_ATTRIBUTE_TYPE']], 'InstanceNumber' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_TRUSTLET_MAILBOX_KEY' : [ 0x10, { 'SecretValue' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_TRUSTLET_COLLABORATION_ID' : [ 0x10, { 'Value' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_KPROCESS' : [ 0xa8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'DeepFreezeStartTime' : [ 0x38, ['unsigned long long']], 'Affinity' : [ 0x40, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x4c, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x54, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x58, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x64, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x64, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x64, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'DeepFreeze' : [ 0x64, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x64, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x64, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SpareFlags0' : [ 0x64, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x64, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned 
long')]], 'ReservedFlags' : [ 0x64, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x64, ['long']], 'BasePriority' : [ 0x68, ['unsigned char']], 'QuantumReset' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x6c, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x70, ['array', 1, ['unsigned short']]], 'IdealGlobalNode' : [ 0x72, ['unsigned short']], 'Spare1' : [ 0x74, ['unsigned short']], 'IopmOffset' : [ 0x76, ['unsigned short']], 'SchedulingGroup' : [ 0x78, ['pointer', ['_KSCHEDULING_GROUP']]], 'StackCount' : [ 0x7c, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x80, ['_LIST_ENTRY']], 'CycleTime' : [ 0x88, ['unsigned long long']], 'ContextSwitches' : [ 0x90, ['unsigned long long']], 'FreezeCount' : [ 0x98, ['unsigned long']], 'KernelTime' : [ 0x9c, ['unsigned long']], 'UserTime' : [ 0xa0, ['unsigned long']], 'VdmTrapcHandler' : [ 0xa4, ['pointer', ['void']]], } ], '_KTHREAD' : [ 0x348, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x10, ['pointer', ['void']]], 'QuantumTarget' : [ 0x18, ['unsigned long long']], 'InitialStack' : [ 0x20, ['pointer', ['void']]], 'StackLimit' : [ 0x24, ['pointer', ['void']]], 'StackBase' : [ 0x28, ['pointer', ['void']]], 'ThreadLock' : [ 0x2c, ['unsigned long']], 'CycleTime' : [ 0x30, ['unsigned long long']], 'HighCycleTime' : [ 0x38, ['unsigned long']], 'ServiceTable' : [ 0x3c, ['pointer', ['void']]], 'CurrentRunTime' : [ 0x40, ['unsigned long']], 'ExpectedRunTime' : [ 0x44, ['unsigned long']], 'KernelStack' : [ 0x48, ['pointer', ['void']]], 'StateSaveArea' : [ 0x4c, ['pointer', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x50, ['pointer', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x54, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x55, ['unsigned char']], 'Alerted' : [ 0x56, ['array', 2, ['unsigned char']]], 'AutoBoostActive' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'ReadyTransition' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitNext' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Alertable' : [ 0x58, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x58, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x58, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x58, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x58, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'TimerActive' : [ 0x58, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SystemThread' : [ 0x58, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x58, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CalloutActive' : [ 0x58, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x58, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ApcQueueable' : [ 0x58, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x58, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x58, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'TimerSuspended' : [ 0x58, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SuspendedWaitMode' : [ 0x58, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'SuspendSchedulerApcWait' : [ 
0x58, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x58, ['long']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ThreadFlagsSpare0' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x5c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x5c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x5c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x5c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x5c, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x5c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'KernelStackResident' : [ 0x5c, 
['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CommitFailTerminateRequest' : [ 0x5c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ProcessStackCountDecremented' : [ 0x5c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'RestrictedGuiThread' : [ 0x5c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ThreadFlagsSpare' : [ 0x5c, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x5c, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x5c, ['long']], 'Tag' : [ 0x60, ['unsigned char']], 'SystemHeteroCpuPolicy' : [ 0x61, ['unsigned char']], 'UserHeteroCpuPolicy' : [ 0x62, ['BitField', dict(start_bit = 0, end_bit = 7, native_type='unsigned char')]], 'ExplicitSystemHeteroCpuPolicy' : [ 0x62, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare0' : [ 0x63, ['unsigned char']], 'SystemCallNumber' : [ 0x64, ['unsigned long']], 'FirstArgument' : [ 0x68, ['pointer', ['void']]], 'TrapFrame' : [ 0x6c, ['pointer', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x70, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x70, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x87, ['unsigned char']], 'UserIdealProcessor' : [ 0x88, ['unsigned long']], 'ContextSwitches' : [ 0x8c, ['unsigned long']], 'State' : [ 0x90, ['unsigned char']], 'Spare12' : [ 0x91, ['unsigned char']], 'WaitIrql' : [ 0x92, ['unsigned char']], 'WaitMode' : [ 0x93, ['unsigned char']], 'WaitStatus' : [ 0x94, ['long']], 'WaitBlockList' : [ 0x98, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x9c, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x9c, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa4, ['pointer', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xa8, ['pointer', ['void']]], 'RelativeTimerBias' : [ 0xb0, ['unsigned long long']], 'Timer' : [ 0xb8, ['_KTIMER']], 'WaitBlock' : [ 0xe0, 
['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill8' : [ 0xe0, ['array', 20, ['unsigned char']]], 'ThreadCounters' : [ 0xf4, ['pointer', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0xe0, ['array', 44, ['unsigned char']]], 'XStateSave' : [ 0x10c, ['pointer', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0xe0, ['array', 68, ['unsigned char']]], 'Win32Thread' : [ 0x124, ['pointer', ['void']]], 'WaitBlockFill11' : [ 0xe0, ['array', 88, ['unsigned char']]], 'WaitTime' : [ 0x138, ['unsigned long']], 'KernelApcDisable' : [ 0x13c, ['short']], 'SpecialApcDisable' : [ 0x13e, ['short']], 'CombinedApcDisable' : [ 0x13c, ['unsigned long']], 'QueueListEntry' : [ 0x140, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x148, ['unsigned long']], 'NextProcessorNumber' : [ 0x148, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x148, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x14c, ['long']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'UserAffinity' : [ 0x154, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x154, ['array', 6, ['unsigned char']]], 'PreviousMode' : [ 0x15a, ['unsigned char']], 'BasePriority' : [ 0x15b, ['unsigned char']], 'PriorityDecrement' : [ 0x15c, ['unsigned char']], 'ForegroundBoost' : [ 0x15c, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x15c, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x15d, ['unsigned char']], 'AdjustReason' : [ 0x15e, ['unsigned char']], 'AdjustIncrement' : [ 0x15f, ['unsigned char']], 'AffinityVersion' : [ 0x160, ['unsigned long']], 'Affinity' : [ 0x164, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x164, ['array', 6, ['unsigned char']]], 'ApcStateIndex' : [ 0x16a, ['unsigned char']], 'WaitBlockCount' : [ 0x16b, ['unsigned char']], 'IdealProcessor' : [ 0x16c, ['unsigned long']], 'Spare15' : [ 0x170, ['array', 1, ['unsigned long']]], 
'SavedApcState' : [ 0x174, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x174, ['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x18b, ['unsigned char']], 'SuspendCount' : [ 0x18c, ['unsigned char']], 'Saturation' : [ 0x18d, ['unsigned char']], 'SListFaultCount' : [ 0x18e, ['unsigned short']], 'SchedulerApc' : [ 0x190, ['_KAPC']], 'SchedulerApcFill0' : [ 0x190, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x191, ['unsigned char']], 'SchedulerApcFill1' : [ 0x190, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x193, ['unsigned char']], 'SchedulerApcFill2' : [ 0x190, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x194, ['unsigned long']], 'SchedulerApcFill3' : [ 0x190, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b4, ['pointer', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x190, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1b8, ['pointer', ['void']]], 'SchedulerApcFill5' : [ 0x190, ['array', 47, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x1bf, ['unsigned char']], 'UserTime' : [ 0x1c0, ['unsigned long']], 'SuspendEvent' : [ 0x1c4, ['_KEVENT']], 'ThreadListEntry' : [ 0x1d4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1dc, ['_LIST_ENTRY']], 'AbEntrySummary' : [ 0x1e4, ['unsigned char']], 'AbWaitEntryCount' : [ 0x1e5, ['unsigned char']], 'Spare20' : [ 0x1e6, ['unsigned short']], 'LockEntries' : [ 0x1e8, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x308, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x30c, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x310, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x320, ['unsigned long']], 'AbCompletedIoBoostCount' : [ 0x324, ['long']], 'AbCompletedIoQoSBoostCount' : [ 0x328, ['long']], 'KeReferenceCount' : [ 0x32c, ['short']], 'AbOrphanedEntrySummary' : [ 0x32e, ['unsigned char']], 'AbOwnedEntryCount' : [ 0x32f, ['unsigned char']], 'ForegroundLossTime' : [ 0x330, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x334, ['_LIST_ENTRY']], 
'ForegroundDpcStackListEntry' : [ 0x334, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x338, ['unsigned long']], 'QueuedScb' : [ 0x33c, ['pointer', ['_KSCB']]], 'NpxState' : [ 0x340, ['unsigned long long']], } ], '_KSTACK_CONTROL' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long']], 'ActualLimit' : [ 0x4, ['unsigned long']], 'StackExpansion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousTrapFrame' : [ 0x8, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0xc, ['pointer', ['void']]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'CpuId' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', 
['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer', ['void']]], 'DeleteContext' : [ 0xc, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 
'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0x100, { 'IdleNonParkedCpuSet' : [ 0x0, ['unsigned long']], 'IdleSmtSet' : [ 0x4, ['unsigned long']], 'IdleCpuSet' : [ 0x8, ['unsigned long']], 'DeepIdleSet' : [ 0x40, ['unsigned long']], 'IdleConstrainedSet' : [ 0x44, ['unsigned long']], 'NonParkedSet' : [ 0x48, ['unsigned long']], 'ParkLock' : [ 0x4c, ['long']], 'Seed' : [ 0x50, ['unsigned long']], 'SiblingMask' : [ 0x80, ['unsigned long']], 'Affinity' : [ 0x84, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x84, ['array', 6, ['unsigned char']]], 'NodeNumber' : [ 0x8a, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x8c, ['unsigned short']], 'Stride' : [ 0x8e, ['unsigned char']], 'Spare0' : [ 0x8f, ['unsigned char']], 'SharedReadyQueueLeaders' : [ 0x90, ['unsigned long']], 'ProximityId' : [ 0x94, ['unsigned long']], 'Lowest' : [ 0x98, ['unsigned long']], 'Highest' : [ 0x9c, ['unsigned long']], 'MaximumProcessors' : [ 0xa0, ['unsigned char']], 'Flags' : [ 0xa1, ['_flags']], 'Spare10' : [ 0xa2, ['unsigned char']], 'HeteroSets' : [ 0xa4, ['array', 5, ['_KHETERO_PROCESSOR_SET']]], } ], '_ENODE' : [ 0x540, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueues' : [ 0x100, ['array', 8, ['pointer', ['_EX_WORK_QUEUE']]]], 'ExWorkQueue' : [ 0x120, ['_EX_WORK_QUEUE']], 'IoWorkQueue' : [ 0x2d8, ['_EX_WORK_QUEUE']], 'ExpThreadSetManagerEvent' : [ 0x490, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x4a0, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x4c8, ['_KEVENT']], 
'WaitBlocks' : [ 0x4d8, ['array', 3, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x520, ['pointer', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x524, ['unsigned long']], 'ExWorkerFullInit' : [ 0x528, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x528, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x528, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x80, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long']], 'QuotaProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'StrictFIFO' : [ 0x1c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x1c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x1c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x1c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'RaiseUMExceptionOnInvalidHandleClose' : [ 0x1c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x20, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x24, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x40, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x40, ['array', 20, ['unsigned char']]], 'DebugInfo' : [ 0x54, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x8, { 'AuditMask' : [ 0x0, ['unsigned long']], 'MaxRelativeAccessMask' : [ 0x4, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'VolatileLowValue' : [ 0x0, ['long']], 'LowValue' : [ 0x0, ['long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'HighValue' : [ 0x4, ['long']], 'NextFreeHandleEntry' : [ 0x4, 
['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x4, ['_EXHANDLE']], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'RefCountField' : [ 0x4, ['long']], 'GrantedAccessBits' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'ProtectFromClose' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'RefCnt' : [ 0x4, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '__unnamed_1337' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1337']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, 
['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc4, { 'PrivilegesUsed' : [ 0x0, ['pointer', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xc0, ['unsigned char']], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_ETHREAD' : [ 0x460, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x348, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x350, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x350, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x358, ['pointer', ['void']]], 'PostBlockList' : [ 0x35c, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x35c, ['pointer', ['void']]], 'StartAddress' : [ 0x360, ['pointer', ['void']]], 'TerminationPort' : [ 0x364, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x364, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x364, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x368, ['unsigned long']], 'ActiveTimerListHead' : [ 0x36c, ['_LIST_ENTRY']], 'Cid' : [ 0x374, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x37c, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x37c, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x390, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x394, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x39c, ['unsigned long']], 'DeviceToVerify' : [ 0x3a0, ['pointer', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x3a4, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x3a8, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x3ac, ['_LIST_ENTRY']], 
'RundownProtect' : [ 0x3b4, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x3b8, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x3bc, ['unsigned long']], 'MmLockOrdering' : [ 0x3c0, ['long']], 'CrossThreadFlags' : [ 0x3c4, ['unsigned long']], 'Terminated' : [ 0x3c4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x3c4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x3c4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x3c4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x3c4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x3c4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x3c4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x3c4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x3c4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x3c4, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x3c4, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x3c4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x3c4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x3c4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DisableDynamicCodeOptOut' : [ 0x3c4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ExplicitCaseSensitivity' : [ 0x3c4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 
'ReservedCrossThreadFlags' : [ 0x3c4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x3c8, ['unsigned long']], 'ActiveExWorker' : [ 0x3c8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x3c8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'StoreLockThread' : [ 0x3c8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'ClonedThread' : [ 0x3c8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x3c8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SelfTerminate' : [ 0x3c8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RespectIoPriority' : [ 0x3c8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ActivePageLists' : [ 0x3c8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedSameThreadPassiveFlags' : [ 0x3c8, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x3cc, ['unsigned long']], 'OwnsProcessAddressSpaceExclusive' : [ 0x3cc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x3cc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardFaultBehavior' : [ 0x3cc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x3cc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x3cc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x3cc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Prefetching' : [ 0x3cc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 
'OwnsVadExclusive' : [ 0x3cc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x3cd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x3cd, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x3d0, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x3d1, ['unsigned char']], 'ActiveFaultCount' : [ 0x3d2, ['unsigned char']], 'LockOrderState' : [ 0x3d3, ['unsigned char']], 'AlpcMessageId' : [ 0x3d4, ['unsigned long']], 'AlpcMessage' : [ 0x3d8, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x3d8, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x3dc, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x3e4, ['long']], 'CacheManagerCount' : [ 0x3e8, ['unsigned long']], 'IoBoostCount' : [ 0x3ec, ['unsigned long']], 'IoQoSBoostCount' : [ 0x3f0, ['unsigned long']], 'IoQoSThrottleCount' : [ 0x3f4, ['unsigned long']], 'BoostList' : [ 0x3f8, ['_LIST_ENTRY']], 'DeboostList' : [ 0x400, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x408, ['unsigned long']], 'IrpListLock' : [ 0x40c, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x410, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x414, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x418, ['pointer', ['_GUID']]], 'SeLearningModeListHead' : [ 0x41c, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x420, ['pointer', ['void']]], 'KernelStackReference' : [ 0x424, ['unsigned long']], 'AdjustedClientToken' : [ 0x428, ['pointer', ['void']]], 'WorkOnBehalfThread' : [ 0x42c, ['pointer', ['void']]], 'PropertySet' : [ 0x430, ['_PS_PROPERTY_SET']], 'PicoContext' : [ 0x43c, ['pointer', ['void']]], 'UserFsBase' : [ 0x440, ['unsigned long']], 'UserGsBase' : [ 0x444, ['unsigned long']], 'EnergyValues' : [ 0x448, ['pointer', ['_THREAD_ENERGY_VALUES']]], 'CmDbgInfo' : [ 0x44c, ['pointer', ['void']]], 'SelectedCpuSets' : [ 0x450, ['unsigned long']], 'SelectedCpuSetsIndirect' : [ 0x450, 
['pointer', ['unsigned long']]], 'Silo' : [ 0x454, ['pointer', ['_EJOB']]], 'ThreadName' : [ 0x458, ['pointer', ['_UNICODE_STRING']]], 'ReadyTime' : [ 0x45c, ['unsigned long']], } ], '_EPROCESS' : [ 0x388, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xa8, ['_EX_PUSH_LOCK']], 'RundownProtect' : [ 0xac, ['_EX_RUNDOWN_REF']], 'VdmObjects' : [ 0xb0, ['pointer', ['void']]], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'Flags2' : [ 0xc0, ['unsigned long']], 'JobNotReallyActive' : [ 0xc0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0xc0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0xc0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0xc0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0xc0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0xc0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0xc0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0xc0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0xc0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0xc0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0xc0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0xc0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0xc0, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0xc0, ['BitField', dict(start_bit = 15, 
end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0xc0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0xc0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0xc0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0xc0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0xc0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0xc0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0xc0, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0xc0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0xc0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0xc0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0xc0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0xc0, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0xc0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0xc0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0xc4, ['unsigned long']], 'CreateReported' : [ 0xc4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0xc4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0xc4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'ProcessDelete' : [ 0xc4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0xc4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0xc4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0xc4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0xc4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FailFastOnCommitFail' : [ 0xc4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0xc4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0xc4, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0xc4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0xc4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0xc4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0xc4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0xc4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0xc4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0xc4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0xc4, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0xc4, ['BitField', dict(start_bit = 22, 
end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0xc4, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0xc4, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0xc4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0xc4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0xc4, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0xc4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0xc4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CreateTime' : [ 0xc8, ['_LARGE_INTEGER']], 'ProcessQuotaUsage' : [ 0xd0, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xd8, ['array', 2, ['unsigned long']]], 'PeakVirtualSize' : [ 0xe0, ['unsigned long']], 'VirtualSize' : [ 0xe4, ['unsigned long']], 'SessionProcessLinks' : [ 0xe8, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0xf0, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xf0, ['unsigned long']], 'ExceptionPortState' : [ 0xf0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Token' : [ 0xf4, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xf8, ['unsigned long']], 'AddressCreationLock' : [ 0xfc, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0x100, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x104, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0x108, ['pointer', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x10c, ['pointer', ['_EJOB']]], 'CloneRoot' : [ 0x110, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x114, ['unsigned long']], 'NumberOfLockedPages' : [ 0x118, ['unsigned long']], 'Win32Process' : [ 0x11c, ['pointer', ['void']]], 'Job' : [ 0x120, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x124, ['pointer', ['void']]], 
'SectionBaseAddress' : [ 0x128, ['pointer', ['void']]], 'Cookie' : [ 0x12c, ['unsigned long']], 'WorkingSetWatch' : [ 0x130, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x134, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x138, ['pointer', ['void']]], 'LdtInformation' : [ 0x13c, ['pointer', ['void']]], 'OwnerProcessId' : [ 0x140, ['unsigned long']], 'Peb' : [ 0x144, ['pointer', ['_PEB']]], 'Session' : [ 0x148, ['pointer', ['_MM_SESSION_SPACE']]], 'AweInfo' : [ 0x14c, ['pointer', ['void']]], 'QuotaBlock' : [ 0x150, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x154, ['pointer', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x158, ['pointer', ['void']]], 'PaeTop' : [ 0x15c, ['pointer', ['void']]], 'DeviceMap' : [ 0x160, ['pointer', ['void']]], 'EtwDataSource' : [ 0x164, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x168, ['unsigned long long']], 'ImageFilePointer' : [ 0x170, ['pointer', ['_FILE_OBJECT']]], 'ImageFileName' : [ 0x174, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x183, ['unsigned char']], 'SecurityPort' : [ 0x184, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x188, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x18c, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x194, ['pointer', ['void']]], 'ThreadListHead' : [ 0x198, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x1a0, ['unsigned long']], 'ImagePathHash' : [ 0x1a4, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a8, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1ac, ['long']], 'PrefetchTrace' : [ 0x1b0, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x1b4, ['pointer', ['void']]], 'ReadOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1e0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e8, ['unsigned 
long']], 'CommitCharge' : [ 0x1ec, ['unsigned long']], 'CommitChargePeak' : [ 0x1f0, ['unsigned long']], 'Vm' : [ 0x1f4, ['_MMSUPPORT_FULL']], 'MmProcessLinks' : [ 0x27c, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x284, ['unsigned long']], 'ExitStatus' : [ 0x288, ['long']], 'VadRoot' : [ 0x28c, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x290, ['pointer', ['void']]], 'VadCount' : [ 0x294, ['unsigned long']], 'VadPhysicalPages' : [ 0x298, ['unsigned long']], 'VadPhysicalPagesLimit' : [ 0x29c, ['unsigned long']], 'AlpcContext' : [ 0x2a0, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x2b0, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x2b8, ['pointer', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x2bc, ['unsigned long']], 'SmallestTimerResolution' : [ 0x2c0, ['unsigned long']], 'ExitTime' : [ 0x2c8, ['_LARGE_INTEGER']], 'ActiveThreadsHighWatermark' : [ 0x2d0, ['unsigned long']], 'LargePrivateVadCount' : [ 0x2d4, ['unsigned long']], 'ThreadListLock' : [ 0x2d8, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x2dc, ['pointer', ['void']]], 'Spare0' : [ 0x2e0, ['unsigned long']], 'SignatureLevel' : [ 0x2e4, ['unsigned char']], 'SectionSignatureLevel' : [ 0x2e5, ['unsigned char']], 'Protection' : [ 0x2e6, ['_PS_PROTECTION']], 'HangCount' : [ 0x2e7, ['unsigned char']], 'Flags3' : [ 0x2e8, ['unsigned long']], 'Minimal' : [ 0x2e8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReplacingPageRoot' : [ 0x2e8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DisableNonSystemFonts' : [ 0x2e8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AuditNonSystemFontLoading' : [ 0x2e8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Crashed' : [ 0x2e8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'JobVadsAreTracked' : [ 0x2e8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'VadTrackingDisabled' 
: [ 0x2e8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AuxiliaryProcess' : [ 0x2e8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SubsystemProcess' : [ 0x2e8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x2e8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'InPrivate' : [ 0x2e8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProhibitRemoteImageMap' : [ 0x2e8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ProhibitLowILImageMap' : [ 0x2e8, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SignatureMitigationOptIn' : [ 0x2e8, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DisableDynamicCodeAllowOptOut' : [ 0x2e8, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'EnableFilteredWin32kAPIs' : [ 0x2e8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'AuditFilteredWin32kAPIs' : [ 0x2e8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PreferSystem32Images' : [ 0x2e8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'RelinquishedCommit' : [ 0x2e8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AutomaticallyOverrideChildProcessPolicy' : [ 0x2e8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'HighGraphicsPriority' : [ 0x2e8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CommitFailLogged' : [ 0x2e8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ReserveFailLogged' : [ 0x2e8, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DeviceAsid' : [ 0x2ec, ['long']], 'SvmData' : [ 0x2f0, ['pointer', ['void']]], 
'SvmProcessLock' : [ 0x2f4, ['_EX_PUSH_LOCK']], 'SvmLock' : [ 0x2f8, ['unsigned long']], 'SvmProcessDeviceListHead' : [ 0x2fc, ['_LIST_ENTRY']], 'LastFreezeInterruptTime' : [ 0x308, ['unsigned long long']], 'DiskCounters' : [ 0x310, ['pointer', ['_PROCESS_DISK_COUNTERS']]], 'PicoContext' : [ 0x314, ['pointer', ['void']]], 'KeepAliveCounter' : [ 0x318, ['unsigned long']], 'NoWakeKeepAliveCounter' : [ 0x31c, ['unsigned long']], 'HighPriorityFaultsAllowed' : [ 0x320, ['unsigned long']], 'InstrumentationCallback' : [ 0x324, ['pointer', ['void']]], 'EnergyValues' : [ 0x328, ['pointer', ['_PROCESS_ENERGY_VALUES']]], 'VmContext' : [ 0x32c, ['pointer', ['void']]], 'SequenceNumber' : [ 0x330, ['unsigned long long']], 'CreateInterruptTime' : [ 0x338, ['unsigned long long']], 'CreateUnbiasedInterruptTime' : [ 0x340, ['unsigned long long']], 'TotalUnbiasedFrozenTime' : [ 0x348, ['unsigned long long']], 'LastAppStateUpdateTime' : [ 0x350, ['unsigned long long']], 'LastAppStateUptime' : [ 0x358, ['BitField', dict(start_bit = 0, end_bit = 61, native_type='unsigned long long')]], 'LastAppState' : [ 0x358, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], 'SharedCommitCharge' : [ 0x360, ['unsigned long']], 'SharedCommitLock' : [ 0x364, ['_EX_PUSH_LOCK']], 'SharedCommitLinks' : [ 0x368, ['_LIST_ENTRY']], 'AllowedCpuSets' : [ 0x370, ['unsigned long']], 'DefaultCpuSets' : [ 0x374, ['unsigned long']], 'AllowedCpuSetsIndirect' : [ 0x370, ['pointer', ['unsigned long']]], 'DefaultCpuSetsIndirect' : [ 0x374, ['pointer', ['unsigned long']]], 'DiskIoAttribution' : [ 0x378, ['pointer', ['void']]], 'ReadyTime' : [ 0x37c, ['unsigned long']], 'DxgProcess' : [ 0x380, ['pointer', ['void']]], } ], '__unnamed_1394' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_139a' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, 
['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_139c' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_139a']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_13a5' : [ 0x2c, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x28, ['pointer', ['void']]], } ], '__unnamed_13a7' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_13a5']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_1394']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_139c']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_13a7']], } ], '__unnamed_13ae' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 
0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_13b2' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_13b6' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_13b8' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_13bc' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 
'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_13be' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_13c0' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 
'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileMaximumInformation'})]], } ], '__unnamed_13c2' : [ 0x10, { 'Length' : [ 0x0, 
['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 
'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13c4' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_13c6' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_13ca' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMetadataSizeInformation', 14: 'FileFsMaximumInformation'})]], } ], '__unnamed_13cc' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13cf' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_13d1' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 
'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13d3' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_13d5' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_13d9' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_13dd' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_13e1' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_13e5' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_13e9' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13ed' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_13f1' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_13f3' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_13f5' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_13f9' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 
'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_13fd' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1401' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_1405' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1409' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1411' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], } ], '__unnamed_1415' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1417' : [ 0x10, { 'ProviderId' : [ 0x0, 
['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1419' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_141b' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_13ae']], 'CreatePipe' : [ 0x0, ['__unnamed_13b2']], 'CreateMailslot' : [ 0x0, ['__unnamed_13b6']], 'Read' : [ 0x0, ['__unnamed_13b8']], 'Write' : [ 0x0, ['__unnamed_13b8']], 'QueryDirectory' : [ 0x0, ['__unnamed_13bc']], 'NotifyDirectory' : [ 0x0, ['__unnamed_13be']], 'QueryFile' : [ 0x0, ['__unnamed_13c0']], 'SetFile' : [ 0x0, ['__unnamed_13c2']], 'QueryEa' : [ 0x0, ['__unnamed_13c4']], 'SetEa' : [ 0x0, ['__unnamed_13c6']], 'QueryVolume' : [ 0x0, ['__unnamed_13ca']], 'SetVolume' : [ 0x0, ['__unnamed_13ca']], 'FileSystemControl' : [ 0x0, ['__unnamed_13cc']], 'LockControl' : [ 0x0, ['__unnamed_13cf']], 'DeviceIoControl' : [ 0x0, ['__unnamed_13d1']], 'QuerySecurity' : [ 0x0, ['__unnamed_13d3']], 'SetSecurity' : [ 0x0, ['__unnamed_13d5']], 'MountVolume' : [ 0x0, ['__unnamed_13d9']], 'VerifyVolume' : [ 0x0, ['__unnamed_13d9']], 'Scsi' : [ 0x0, ['__unnamed_13dd']], 'QueryQuota' : [ 0x0, ['__unnamed_13e1']], 'SetQuota' : [ 0x0, ['__unnamed_13c6']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_13e5']], 'QueryInterface' : [ 0x0, ['__unnamed_13e9']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_13ed']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_13f1']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_13f3']], 'SetLock' : [ 0x0, ['__unnamed_13f5']], 'QueryId' : [ 0x0, ['__unnamed_13f9']], 'QueryDeviceText' : [ 0x0, ['__unnamed_13fd']], 'UsageNotification' : [ 0x0, ['__unnamed_1401']], 'WaitWake' : [ 0x0, ['__unnamed_1405']], 'PowerSequence' : [ 0x0, ['__unnamed_1409']], 'Power' : [ 0x0, ['__unnamed_1411']], 'StartDevice' : [ 0x0, ['__unnamed_1415']], 'WMI' : [ 
0x0, ['__unnamed_1417']], 'Others' : [ 0x0, ['__unnamed_1419']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_141b']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1431' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_1431']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned 
short']], 'DpcListEntry' : [ 0x4, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x8, ['unsigned long']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x14, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], 'SiloContext' : [ 0x10, ['pointer', ['_EJOB']]], } ], '_EJOB' : [ 0x358, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x70, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x78, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0x80, ['unsigned long long']], 'TotalPageFaultCount' : [ 0x88, ['unsigned long']], 'TotalProcesses' : [ 0x8c, ['unsigned long']], 'ActiveProcesses' : [ 0x90, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x94, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x98, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xa0, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xa8, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xac, ['unsigned long']], 'LimitFlags' : [ 0xb0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xb4, ['unsigned long']], 'Affinity' : [ 0xb8, ['_KAFFINITY_EX']], 'AccessState' : [ 0xc4, ['pointer', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0xc8, ['pointer', ['void']]], 'UIRestrictionsClass' : [ 0xcc, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xd0, ['unsigned long']], 'CompletionPort' : [ 0xd4, ['pointer', ['void']]], 
'CompletionKey' : [ 0xd8, ['pointer', ['void']]], 'CompletionCount' : [ 0xe0, ['unsigned long long']], 'SessionId' : [ 0xe8, ['unsigned long']], 'SchedulingClass' : [ 0xec, ['unsigned long']], 'ReadOperationCount' : [ 0xf0, ['unsigned long long']], 'WriteOperationCount' : [ 0xf8, ['unsigned long long']], 'OtherOperationCount' : [ 0x100, ['unsigned long long']], 'ReadTransferCount' : [ 0x108, ['unsigned long long']], 'WriteTransferCount' : [ 0x110, ['unsigned long long']], 'OtherTransferCount' : [ 0x118, ['unsigned long long']], 'DiskIoInfo' : [ 0x120, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x148, ['unsigned long']], 'JobMemoryLimit' : [ 0x14c, ['unsigned long']], 'JobTotalMemoryLimit' : [ 0x150, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x154, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x158, ['unsigned long']], 'EffectiveAffinity' : [ 0x15c, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x168, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x170, ['unsigned long']], 'EffectiveMaximumWorkingSetSize' : [ 0x174, ['unsigned long']], 'EffectiveProcessMemoryLimit' : [ 0x178, ['unsigned long']], 'EffectiveProcessMemoryLimitJob' : [ 0x17c, ['pointer', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x180, ['pointer', ['_EJOB']]], 'EffectiveNetIoRateLimitJob' : [ 0x184, ['pointer', ['_EJOB']]], 'EffectiveHeapAttributionJob' : [ 0x188, ['pointer', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x18c, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x190, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x194, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x198, ['unsigned long']], 'EffectiveSwapCount' : [ 0x19c, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x1a0, ['unsigned long']], 'EffectivePriorityClass' : [ 0x1a4, ['unsigned char']], 'PriorityClass' : [ 0x1a5, ['unsigned char']], 'NestingDepth' : [ 0x1a6, ['unsigned char']], 'Reserved1' : [ 0x1a7, ['array', 1, ['unsigned char']]], 'CompletionFilter' : [ 
0x1a8, ['unsigned long']], 'WakeChannel' : [ 0x1b0, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x1b0, ['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x1e8, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x1f0, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x1f4, ['unsigned long']], 'NotificationLink' : [ 0x1f8, ['pointer', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x200, ['unsigned long long']], 'NotificationInfo' : [ 0x208, ['pointer', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x20c, ['pointer', ['void']]], 'NotificationPacket' : [ 0x210, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x214, ['pointer', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x218, ['pointer', ['void']]], 'ReadyTime' : [ 0x220, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x228, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x22c, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x234, ['_LIST_ENTRY']], 'ParentJob' : [ 0x23c, ['pointer', ['_EJOB']]], 'ParentSilo' : [ 0x240, ['pointer', ['_EJOB']]], 'RootJob' : [ 0x244, ['pointer', ['_EJOB']]], 'IteratorListHead' : [ 0x248, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x250, ['unsigned long']], 'Ancestors' : [ 0x254, ['pointer', ['pointer', ['_EJOB']]]], 'SessionObject' : [ 0x254, ['pointer', ['void']]], 'TimerListLock' : [ 0x258, ['unsigned long']], 'TimerListHead' : [ 0x25c, ['_LIST_ENTRY']], 'Accounting' : [ 0x268, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x2c0, ['unsigned long']], 'ActiveAuxiliaryProcessCount' : [ 0x2c4, ['unsigned long']], 'SequenceNumber' : [ 0x2c8, ['unsigned long']], 'JobId' : [ 0x2cc, ['unsigned long']], 'ContainerId' : [ 0x2d0, ['_GUID']], 'ServerSiloGlobals' : [ 0x2e0, ['pointer', ['_ESERVERSILO_GLOBALS']]], 'PropertySet' : [ 0x2e4, ['_PS_PROPERTY_SET']], 'Storage' : [ 0x2f0, ['pointer', ['_PSP_STORAGE']]], 'NetRateControl' : [ 0x2f4, ['pointer', ['_JOB_NET_RATE_CONTROL']]], 'JobFlags' : [ 0x2f8, ['unsigned long']], 'CloseDone' : [ 0x2f8, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x2f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x2f8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x2f8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x2f8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x2f8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x2f8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x2f8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x2f8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x2f8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x2f8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x2f8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x2f8, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x2f8, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x2f8, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x2f8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x2f8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x2f8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 
'TimersVirtualized' : [ 0x2f8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x2f8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x2f8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x2f8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x2f8, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x2f8, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x2f8, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'NetRateControlActive' : [ 0x2f8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'OwnNetRateControl' : [ 0x2f8, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IoRateControlActive' : [ 0x2f8, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'OwnIoRateControl' : [ 0x2f8, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'DisallowNewProcesses' : [ 0x2f8, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Silo' : [ 0x2f8, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare' : [ 0x2f8, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x2fc, ['unsigned long']], 'EnergyValues' : [ 0x300, ['pointer', ['_PROCESS_ENERGY_VALUES']]], 'SharedCommitCharge' : [ 0x304, ['unsigned long']], 'WakeRoot' : [ 0x308, ['pointer', ['_EJOB']]], 'DiskIoAttributionUserRefCount' : [ 0x30c, ['unsigned long']], 'DiskIoAttributionRefCount' : [ 0x310, ['unsigned long']], 'DiskIoAttributionContext' : [ 0x314, ['pointer', ['void']]], 'DiskIoAttributionOwnerJob' : [ 0x314, ['pointer', 
['_EJOB']]], 'GlobalIoControl' : [ 0x318, ['_PS_IO_CONTROL_ENTRY']], 'VolumeIoControlLock' : [ 0x334, ['long']], 'VolumeIoControlTree' : [ 0x338, ['_RTL_RB_TREE']], 'IoControlLock' : [ 0x340, ['_EX_PUSH_LOCK']], 'SiloHardReferenceCount' : [ 0x344, ['unsigned long']], 'RundownWorkItem' : [ 0x348, ['_WORK_QUEUE_ITEM']], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'Type' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['unsigned char']], 'Reserved2' : [ 0xe, ['unsigned short']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x68, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x5c, ['pointer', ['void']]], 'UserContext' : [ 
0x60, ['pointer', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, 
['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 
5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, 
['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], 'Oplock' : [ 0x3c, ['pointer', ['void']]], 'ReservedForRemote' : [ 0x3c, ['pointer', ['void']]], 'ReservedContext' : [ 0x40, ['pointer', ['void']]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_TlgProvider_t' : [ 0x30, { 'LevelPlus1' : [ 0x0, ['unsigned long']], 'ProviderMetadataPtr' : [ 0x4, ['pointer', ['unsigned short']]], 'KeywordAny' : [ 0x8, ['unsigned long long']], 'KeywordAll' : [ 0x10, ['unsigned long long']], 'RegHandle' : [ 0x18, ['unsigned long long']], 'EnableCallback' : [ 0x20, ['pointer', ['void']]], 'CallbackContext' : [ 0x24, ['pointer', ['void']]], 'AnnotationFunc' : [ 0x28, ['pointer', ['void']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_TlgProviderMetadata_t' : [ 0x13, { 'Type' : [ 0x0, ['unsigned char']], 'ProviderId' : [ 0x1, ['_GUID']], 'RemainingSize' : [ 0x11, ['unsigned short']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '__unnamed_161c' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'HighLow' : [ 0x0, ['_MMPTE_HIGHLOW']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 
'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_161c']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND' : [ 0xc, { 'LocalLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'State' : [ 0x4, ['_EX_PUSH_LOCK_AUTO_EXPAND_STATE']], 'Stats' : [ 0x8, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'ReservedLowFlags' : [ 0xe, ['unsigned char']], 'WaiterPriority' : [ 0xf, ['unsigned char']], 'SharedWaiters' : [ 0x10, ['_KWAIT_CHAIN']], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '_MMCLONE_DESCRIPTOR' : [ 0x30, { 'CloneNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Next' : [ 0x0, ['pointer', ['_MMCLONE_DESCRIPTOR']]], 'StartingCloneBlock' : [ 0xc, ['pointer', ['_MMCLONE_BLOCK']]], 'EndingCloneBlock' : [ 0x10, 
['pointer', ['_MMCLONE_BLOCK']]], 'NumberOfPtes' : [ 0x14, ['unsigned long']], 'NumberOfReferences' : [ 0x18, ['unsigned long']], 'CloneHeader' : [ 0x1c, ['pointer', ['_MMCLONE_HEADER']]], 'NonPagedPoolQuotaCharge' : [ 0x20, ['unsigned long']], 'NestingLevel' : [ 0x28, ['unsigned long long']], } ], '__unnamed_165f' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1664' : [ 0x2, { 'ReferenceCount' : [ 0x0, ['unsigned short']], } ], '__unnamed_1666' : [ 0x4, { 'EntireField' : [ 0x0, ['unsigned long']], } ], '__unnamed_1668' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY1']], 'e3' : [ 0x3, ['_MMPFNENTRY3']], 'e2' : [ 0x0, ['__unnamed_1664']], 'e4' : [ 0x0, ['__unnamed_1666']], } ], '__unnamed_166d' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireField' : [ 0x0, ['unsigned long']], } ], '_MMPFN' : [ 0x1c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'u1' : [ 0x0, ['__unnamed_165f']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x4, ['pointer', ['void']]], 'PteLong' : [ 0x4, ['unsigned long']], 'OriginalPte' : [ 0x8, ['_MMPTE']], 'u2' : [ 0x10, ['_MIPFNBLINK']], 'u3' : [ 0x14, ['__unnamed_1668']], 'u4' : [ 0x18, ['__unnamed_166d']], } ], '__unnamed_1675' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', 
['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_1675']], } ], '_MMWSL_SHARED' : [ 0x40, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'LastInitializedWsle' : [ 0xc, ['unsigned long']], 'WsleSize' : [ 0x10, ['unsigned long']], 'NonDirectCount' : [ 0x14, ['unsigned long']], 'LowestPagableAddress' : [ 0x18, ['pointer', ['void']]], 'NonDirectHash' : [ 0x1c, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x20, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x24, ['pointer', ['_MMWSLE_HASH']]], 'Wsle' : [ 0x30, ['pointer', ['_MMWSLE']]], } ], '__unnamed_1688' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_168c' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_1688']], 'u2' : [ 0x24, ['__unnamed_168c']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], } ], '__unnamed_1691' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_169b' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 
0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long')]], 'SystemImage' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'StrongCode' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 28, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_169d' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_169b']], } ], '__unnamed_16a1' : [ 0x4, { 'IoAttributionContext' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], 'SpareImage' : [ 0x0, ['unsigned long']], } ], '_CONTROL_AREA' : [ 0x50, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'ListHead' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_1691']], 'FilePointer' : [ 0x20, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x24, ['long']], 'ModifiedWriteCount' : [ 0x28, ['unsigned long']], 'WaitList' : [ 0x2c, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x30, ['__unnamed_169d']], 'FileObjectLock' : [ 0x3c, ['_EX_PUSH_LOCK']], 'LockedPages' : [ 0x40, ['unsigned long long']], 'u3' : [ 0x48, ['__unnamed_16a1']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x38, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 
'BasePte' : [ 0x8, ['pointer', ['_MMPTE']]], 'Flags' : [ 0xc, ['unsigned long']], 'VaType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaPagedProtoPool', 15: 'MiVaMaximumType', 16: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'PteFailures' : [ 0x18, ['unsigned long']], 'SpinLock' : [ 0x1c, ['unsigned long']], 'GlobalPushLock' : [ 0x1c, ['pointer', ['_EX_PUSH_LOCK']]], 'Vm' : [ 0x20, ['pointer', ['_MMSUPPORT_INSTANCE']]], 'TotalSystemPtes' : [ 0x24, ['unsigned long']], 'Hint' : [ 0x28, ['unsigned long']], 'LowestBitEverAllocated' : [ 0x2c, ['unsigned long']], 'CachedPtes' : [ 0x30, ['pointer', ['_MI_CACHED_PTES']]], 'TotalFreeSystemPtes' : [ 0x34, ['unsigned long']], } ], '__unnamed_16c2' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_16c5' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x28, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['long']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u' : [ 0x1c, ['__unnamed_16c2']], 'u1' : [ 0x20, ['__unnamed_16c5']], 'EventList' : [ 0x24, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 0x0, ['unsigned long']], } ], '_HHIVE' : [ 
0x6f0, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileWrite' : [ 0x14, ['pointer', ['void']]], 'FileRead' : [ 0x18, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x1c, ['pointer', ['void']]], 'BaseBlock' : [ 0x20, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x24, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x2c, ['unsigned long']], 'DirtyAlloc' : [ 0x30, ['unsigned long']], 'UnreconciledVector' : [ 0x34, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x3c, ['unsigned long']], 'BaseBlockAlloc' : [ 0x40, ['unsigned long']], 'Cluster' : [ 0x44, ['unsigned long']], 'Flat' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SystemCacheBacked' : [ 0x48, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x49, ['unsigned char']], 'HvBinHeadersUse' : [ 0x4c, ['unsigned long']], 'HvFreeCellsUse' : [ 0x50, ['unsigned long']], 'HvUsedCellsUse' : [ 0x54, ['unsigned long']], 'CmUsedCellsUse' : [ 0x58, ['unsigned long']], 'HiveFlags' : [ 0x5c, ['unsigned long']], 'CurrentLog' : [ 0x60, ['unsigned long']], 'CurrentLogSequence' : [ 0x64, ['unsigned long']], 'CurrentLogMinimumSequence' : [ 0x68, ['unsigned long']], 'CurrentLogOffset' : [ 0x6c, ['unsigned long']], 'MinimumLogSequence' : [ 0x70, ['unsigned long']], 'LogFileSizeCap' : [ 0x74, ['unsigned long']], 'LogDataPresent' : [ 0x78, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0x7a, ['unsigned char']], 'BaseBlockDirty' : [ 0x7b, ['unsigned char']], 'LastLogSwapTime' : [ 0x80, ['_LARGE_INTEGER']], 'FirstLogFile' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 3, 
native_type='unsigned short')]], 'SecondLogFile' : [ 0x88, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 'HeaderRecovered' : [ 0x88, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0x88, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0x88, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0x88, ['unsigned short']], 'LogEntriesRecovered' : [ 0x8a, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0x8c, ['unsigned long']], 'StorageTypeCount' : [ 0x90, ['unsigned long']], 'Version' : [ 0x94, ['unsigned long']], 'ViewMap' : [ 0x98, ['_HVIEW_MAP']], 'Storage' : [ 0x3b8, ['array', 2, ['_DUAL']]], } ], '_HV_GET_CELL_CONTEXT' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'BinContext' : [ 0x4, ['_HV_GET_BIN_CONTEXT']], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa8, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Discarded' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['_CM_PATH_HASH']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'KcbPushlock' : [ 0x18, 
['_EX_PUSH_LOCK']], 'Owner' : [ 0x1c, ['pointer', ['_KTHREAD']]], 'SharedCount' : [ 0x1c, ['long']], 'DelayedDeref' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DelayedClose' : [ 0x20, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Parking' : [ 0x20, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'LayerSemantics' : [ 0x21, ['unsigned char']], 'LayerHeight' : [ 0x22, ['short']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, ['unsigned long']], 'KcbUserFlags' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'LayerInfo' : [ 0x6c, ['pointer', ['_CM_KCB_LAYER_INFO']]], 'KCBUoWListHead' : [ 0x70, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x78, ['_LIST_ENTRY']], 'Stolen' : [ 0x78, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x80, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x84, ['_CM_INTENT_LOCK']], 
'KeyLock' : [ 0x8c, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x94, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x9c, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0xa0, ['pointer', ['_UNICODE_STRING']]], 'FullKCBNameStale' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0xa0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], 'tagSWITCH_CONTEXT' : [ 0x68, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'Trans' : [ 0x1c, ['_CM_TRANS_PTR']], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '__unnamed_1730' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry', 21: '_CmpMountPreloadedHives', 22: '_CmpLoadHiveThread'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1733' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x4, ['pointer', 
['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_1735' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1737' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', ['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_1739' : [ 0x10, { 'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_173d' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_1741' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_1743' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x120, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned long']], 'RecoverableIndex' : [ 0x8, ['unsigned long']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_1730']]], 'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_1730']]], 'RegistryIO' : [ 0xcc, ['__unnamed_1733']], 'CheckRegistry2' : [ 0xd8, ['__unnamed_1735']], 'CheckKey' : [ 0xdc, ['__unnamed_1737']], 'CheckValueList' : [ 0xec, ['__unnamed_1739']], 'CheckHive' : [ 0xfc, ['__unnamed_173d']], 'CheckHive1' : [ 0x108, ['__unnamed_173d']], 'CheckBin' : [ 0x114, ['__unnamed_1741']], 'RecoverData' : [ 0x11c, ['__unnamed_1743']], } ], '_CM_KCB_UOW' : [ 0x40, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 
'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ParentUoW' : [ 0x2c, ['pointer', ['_CM_KCB_UOW']]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], 'PrepareDataPointer' : [ 0x38, ['pointer', ['void']]], 'SecurityData' : [ 0x38, ['pointer', ['_CM_UOW_SET_SD_DATA']]], 'ModifyKeysData' : [ 0x38, ['pointer', ['_CM_UOW_KEY_STATE_MODIFICATION']]], 'SetValueData' : [ 0x38, ['pointer', ['_CM_UOW_SET_VALUE_LIST_DATA']]], 'ValueData' : [ 0x3c, ['pointer', ['_CM_UOW_SET_VALUE_KEY_DATA']]], 'DiscardReplaceContext' : [ 0x3c, ['pointer', ['_CMP_DISCARD_AND_REPLACE_KCB_CONTEXT']]], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Prepared' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Aborted' : [ 0x18, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Committed' : [ 0x18, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'Initializing' : [ 0x18, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Invalid' : [ 0x18, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UseReservation' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'TmCallbacksActive' : [ 0x18, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LightWeight' : [ 0x18, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Freed1' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Freed2' : [ 0x18, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x18, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'Freed' : [ 0x18, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Spare' : [ 0x18, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long')]], 'TransState' : [ 0x18, ['unsigned long']], 'Trans' : [ 0x1c, ['_CM_TRANS_PTR']], 'CmRm' : [ 0x20, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x24, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x28, ['pointer', ['void']]], 'KtmUow' : [ 0x2c, ['_GUID']], 'StartLsn' : [ 0x40, ['unsigned long long']], 'HiveCount' : [ 0x48, ['unsigned long']], 'HiveArray' : [ 0x4c, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', 
['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xc0, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long long']], 'ParkingStatus' : [ 0x80, ['unsigned long']], 'CurrentFrequency' : [ 0x84, ['unsigned long']], 'PercentMaxFrequency' : [ 0x88, ['unsigned long']], 'StateFlags' : [ 0x8c, ['unsigned long']], 'NominalThroughput' : [ 0x90, ['unsigned long']], 'ActiveThroughput' : [ 0x94, ['unsigned long']], 'ScaledThroughput' : [ 0x98, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0xa0, ['unsigned long long']], 'AverageIdleTime' : [ 0xa8, ['unsigned long long']], 'IdleBreakEvents' : [ 0xb0, ['unsigned long long']], 'PerformanceLimit' : [ 0xb8, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xbc, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 
'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : 
[ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0xc, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], } ], '_TEB32' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 
'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 16, ['unsigned long']]], 'SystemReserved1' : [ 0x10c, ['array', 36, ['unsigned long']]], 'WorkingOnBehalfTicket' : [ 0x19c, ['array', 8, ['unsigned char']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'InstrumentationCallbackSp' : [ 0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x1b8, ['unsigned char']], 'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, 
['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit 
= 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned 
long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], '_TEB64' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['unsigned long long']]], 'SystemReserved1' : [ 0x190, ['array', 37, ['unsigned long long']]], 'WorkingOnBehalfTicket' : [ 0x2b8, ['array', 8, ['unsigned char']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 
'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 
'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned 
short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_HV_X64_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState_Deprecated' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 
5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable_Deprecated' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ExtendedGvaRangesForFlushVirtualAddressListAvailable' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'FastHypercallOutputAvailable' : [ 0xc, ['BitField', dict(start_bit = 15, end_bit = 16, 
native_type='unsigned long')]], 'SvmFeaturesAvailable' : [ 0xc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SintPollingModeAvailable' : [ 0xc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HypercallMsrLockAvailable' : [ 0xc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'DirectSyntheticTimers' : [ 0xc, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeReg' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicRegs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerRegs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessIntrCtrlRegs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetReg' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsReg' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleReg' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyRegs' : [ 0x0, ['BitField', 
dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugRegs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'AccessReenlightenmentControls' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'AccessVpExitTracing' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 
'EnableExtendedGvaRangesForFlushVirtualAddressList' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 48, native_type='unsigned long long')]], 'AccessVsm' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 49, native_type='unsigned long long')]], 'AccessVpRegisters' : [ 0x0, ['BitField', dict(start_bit = 49, end_bit = 50, native_type='unsigned long long')]], 'UnusedBit' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 51, native_type='unsigned long long')]], 'FastHypercallOutput' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'EnableExtendedHypercalls' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'StartVirtualProcessor' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x134, { 'Lock' : [ 0x0, ['unsigned long']], 'ReadySummary' : [ 0x4, ['unsigned long']], 'ReadyListHead' : [ 0x8, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x108, ['array', 32, ['unsigned char']]], 
'Span' : [ 0x128, ['unsigned char']], 'LowProcIndex' : [ 0x129, ['unsigned char']], 'QueueIndex' : [ 0x12a, ['unsigned char']], 'ProcCount' : [ 0x12b, ['unsigned char']], 'ScanOwner' : [ 0x12c, ['unsigned char']], 'Spare' : [ 0x12d, ['array', 3, ['unsigned char']]], 'Affinity' : [ 0x130, ['unsigned long']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0xc, { 'Affinity' : [ 0x0, ['pointer', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x4, ['unsigned long']], 'CurrentIndex' : [ 0x8, ['unsigned short']], } ], '__unnamed_1880' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1882' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1886' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['wchar']]], } ], '_DEVICE_NODE' : [ 0x1d0, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'FxDevice' : [ 0x28, ['pointer', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x2c, ['long']], 'FxRemoveEvent' : [ 0x30, ['_KEVENT']], 'FxActivationCount' : [ 0x40, ['long']], 'FxSleepCount' : [ 0x44, ['long']], 'Plugin' : [ 0x48, 
['pointer', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x4c, ['unsigned long']], 'CurrentPowerState' : [ 0x50, ['_POWER_STATE']], 'Notify' : [ 0x54, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x90, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0xa0, ['_UNICODE_STRING']], 'PowerFlags' : [ 0xa8, ['unsigned long']], 'State' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0xb0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0xb4, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 
769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x104, ['unsigned long']], 'CompletionStatus' : [ 0x108, ['long']], 'Flags' : [ 0x10c, ['unsigned long']], 'UserFlags' : [ 0x110, ['unsigned long']], 'Problem' : [ 0x114, ['unsigned long']], 'ProblemStatus' : [ 0x118, ['long']], 'ResourceList' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x120, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x124, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x128, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x130, ['unsigned long']], 'ChildInterfaceType' : [ 0x134, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 
'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x138, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x13c, ['unsigned short']], 'RemovalPolicy' : [ 0x13e, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x13f, ['unsigned char']], 'TargetDeviceNotify' : [ 0x140, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x148, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x150, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x158, ['unsigned short']], 'QueryTranslatorMask' : [ 0x15a, ['unsigned short']], 'NoArbiterMask' : [ 0x15c, ['unsigned short']], 'QueryArbiterMask' : [ 0x15e, ['unsigned short']], 'OverUsed1' : [ 0x160, ['__unnamed_1880']], 'OverUsed2' : [ 0x164, ['__unnamed_1882']], 'BootResources' : [ 0x168, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x16c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x170, ['unsigned long']], 'DockInfo' : [ 0x174, ['__unnamed_1886']], 'DisableableDepends' : [ 0x184, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x188, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x190, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x198, ['unsigned long']], 'PreviousParent' : [ 0x19c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x1a0, ['long']], 'NumaNodeIndex' : [ 0x1a4, ['unsigned long']], 'ContainerID' : [ 0x1a8, ['_GUID']], 'OverrideFlags' : [ 0x1b8, ['unsigned char']], 'DeviceIdsHash' : [ 0x1bc, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x1c0, ['unsigned char']], 'PendingEjectRelations' : [ 0x1c4, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x1c8, ['unsigned long']], 'RebalanceContext' : [ 0x1cc, ['pointer', ['_PNP_REBALANCE_TRACE_CONTEXT']]], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x38, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned 
long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x2c, ['pointer', ['unsigned long']]], 'EnableKeyWords' : [ 0x30, ['pointer', ['unsigned long long']]], 'EnableLevel' : [ 0x34, ['pointer', ['unsigned char']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x38, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependencyNode' : [ 0x2c, ['pointer', ['void']]], 'InterruptContext' : [ 0x30, ['pointer', ['void']]], 'VerifierContext' : [ 0x34, ['pointer', ['void']]], } ], '_GROUP_AFFINITY' : [ 0xc, { 'Mask' : [ 0x0, ['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 
0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 
'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned 
long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 
'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 
0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1986' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, 
['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'WriteCustomBreakPoint' : [ 0x0, ['_DBGKD_WRITE_CUSTOM_BREAKPOINT']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1986']], } ], '__unnamed_198d' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, 
['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_198d']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PEP_ACPI_RESOURCE' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'IoMemory' : [ 0x0, ['_PEP_ACPI_IO_MEMORY_RESOURCE']], 'Interrupt' : [ 0x0, ['_PEP_ACPI_INTERRUPT_RESOURCE']], 'Gpio' : [ 0x0, ['_PEP_ACPI_GPIO_RESOURCE']], 'SpbI2c' : [ 0x0, ['_PEP_ACPI_SPB_I2C_RESOURCE']], 'SpbSpi' : [ 0x0, ['_PEP_ACPI_SPB_SPI_RESOURCE']], 'SpbUart' : [ 0x0, ['_PEP_ACPI_SPB_UART_RESOURCE']], 'ExtendedAddress' : [ 0x0, ['_PEP_ACPI_EXTENDED_ADDRESS']], } ], 
'_PEP_ACPI_IO_MEMORY_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Information' : [ 0x4, ['unsigned char']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], } ], '_PEP_ACPI_INTERRUPT_RESOURCE' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'InterruptType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Flags' : [ 0xc, ['_PEP_ACPI_RESOURCE_FLAGS']], 'Count' : [ 0x10, ['unsigned char']], 'Pins' : [ 0x14, ['pointer', ['unsigned long']]], } ], '_PEP_ACPI_GPIO_RESOURCE' : [ 0x30, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'InterruptType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 
'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'PinConfig' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PullDefault', 1: 'PullUp', 2: 'PullDown', 3: 'PullNone'})]], 'IoRestrictionType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'IoRestrictionNone', 1: 'IoRestrictionInputOnly', 2: 'IoRestrictionOutputOnly', 3: 'IoRestrictionNoneAndPreserve'})]], 'DriveStrength' : [ 0x18, ['unsigned short']], 'DebounceTimeout' : [ 0x1a, ['unsigned short']], 'PinTable' : [ 0x1c, ['pointer', ['unsigned short']]], 'PinCount' : [ 0x20, ['unsigned short']], 'ResourceSourceIndex' : [ 0x22, ['unsigned char']], 'ResourceSourceName' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'VendorData' : [ 0x28, ['pointer', ['unsigned char']]], 'VendorDataLength' : [ 0x2c, ['unsigned short']], } ], '_PEP_ACPI_SPB_I2C_RESOURCE' : [ 0x20, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x18, ['unsigned long']], 'SlaveAddress' : [ 0x1c, ['unsigned short']], } ], '_PEP_ACPI_SPB_UART_RESOURCE' : [ 0x24, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'BaudRate' : [ 0x18, ['unsigned long']], 'RxBufferSize' : [ 0x1c, ['unsigned short']], 'TxBufferSize' : [ 0x1e, ['unsigned short']], 'Parity' : [ 0x20, ['unsigned char']], 'LinesInUse' : [ 0x21, ['unsigned char']], } ], '_PEP_ACPI_SPB_SPI_RESOURCE' : [ 0x24, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x18, ['unsigned long']], 'DataBitLength' : [ 0x1c, ['unsigned char']], 'Phase' : [ 0x1d, ['unsigned char']], 'Polarity' : [ 0x1e, ['unsigned char']], 'DeviceSelection' : [ 0x20, ['unsigned short']], } ], '_PEP_ACPI_EXTENDED_ADDRESS' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 
'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'ResourceFlags' : [ 0x8, ['unsigned char']], 'GeneralFlags' : [ 0x9, ['unsigned char']], 'TypeSpecificFlags' : [ 0xa, ['unsigned char']], 'RevisionId' : [ 0xb, ['unsigned char']], 'Reserved' : [ 0xc, ['unsigned char']], 'Granularity' : [ 0x10, ['unsigned long long']], 'MinimumAddress' : [ 0x18, ['unsigned long long']], 'MaximumAddress' : [ 0x20, ['unsigned long long']], 'TranslationAddress' : [ 0x28, ['unsigned long long']], 'AddressLength' : [ 0x30, ['unsigned long long']], 'TypeAttribute' : [ 0x38, ['unsigned long long']], 'DescriptorName' : [ 0x40, ['pointer', ['_UNICODE_STRING']]], } ], '_PPM_PLATFORM_STATES' : [ 0x100, { 'StateCount' : [ 0x0, ['unsigned long']], 'InterfaceVersion' : [ 0x4, ['unsigned long']], 'ProcessorCount' : [ 0x8, ['unsigned long']], 'CoordinatedInterface' : [ 0xc, ['unsigned char']], 'IdleTest' : [ 0x10, ['pointer', ['void']]], 'IdlePreExecute' : [ 0x14, ['pointer', ['void']]], 'IdleComplete' : [ 0x18, ['pointer', ['void']]], 'QueryPlatformStateResidency' : [ 0x1c, ['pointer', ['void']]], 'Accounting' : [ 0x20, ['pointer', ['_PLATFORM_IDLE_ACCOUNTING']]], 'State' : [ 0x40, ['array', 1, ['_PPM_PLATFORM_STATE']]], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_PPM_PROFILE' : [ 0x1a8, { 'Name' : [ 0x0, ['pointer', ['wchar']]], 'Id' : [ 0x4, ['unsigned char']], 'Guid' : [ 0x8, ['_GUID']], 'Flags' : [ 0x18, ['unsigned long']], 'Priority' : [ 0x1c, ['unsigned char']], 'Settings' : [ 0x20, ['array', 2, ['_PPM_ENGINE_SETTINGS']]], 'StartTime' : [ 0x180, ['unsigned long long']], 'Count' : [ 0x188, ['unsigned long long']], 'MaxDuration' : [ 0x190, ['unsigned long long']], 'MinDuration' : [ 0x198, ['unsigned long long']], 'TotalDuration' : [ 0x1a0, ['unsigned long long']], } ], '_PPM_ENGINE_SETTINGS' : [ 0xb0, { 'ExplicitSetting' : [ 0x0, 
['array', 2, ['_PPM_POLICY_SETTINGS_MASK']]], 'ThrottlingPolicy' : [ 0x10, ['unsigned char']], 'PerfTimeCheck' : [ 0x14, ['unsigned long']], 'PerfHistoryCount' : [ 0x18, ['array', 2, ['unsigned char']]], 'PerfMinPolicy' : [ 0x1a, ['array', 2, ['unsigned char']]], 'PerfMaxPolicy' : [ 0x1c, ['array', 2, ['unsigned char']]], 'PerfDecreaseTime' : [ 0x1e, ['array', 2, ['unsigned char']]], 'PerfIncreaseTime' : [ 0x20, ['array', 2, ['unsigned char']]], 'PerfDecreasePolicy' : [ 0x22, ['array', 2, ['unsigned char']]], 'PerfIncreasePolicy' : [ 0x24, ['array', 2, ['unsigned char']]], 'PerfDecreaseThreshold' : [ 0x26, ['array', 2, ['unsigned char']]], 'PerfIncreaseThreshold' : [ 0x28, ['array', 2, ['unsigned char']]], 'PerfBoostPolicy' : [ 0x2c, ['unsigned long']], 'PerfBoostMode' : [ 0x30, ['unsigned long']], 'PerfReductionTolerance' : [ 0x34, ['unsigned long']], 'EnergyPerfPreference' : [ 0x38, ['unsigned long']], 'AutonomousActivityWindow' : [ 0x3c, ['unsigned long']], 'AutonomousPreference' : [ 0x40, ['unsigned char']], 'LatencyHintPerf' : [ 0x41, ['array', 2, ['unsigned char']]], 'LatencyHintUnpark' : [ 0x43, ['array', 2, ['unsigned char']]], 'DutyCycling' : [ 0x45, ['unsigned char']], 'ParkingPerfState' : [ 0x46, ['array', 2, ['unsigned char']]], 'DistributeUtility' : [ 0x48, ['unsigned char']], 'CoreParkingOverUtilizationThreshold' : [ 0x49, ['unsigned char']], 'CoreParkingConcurrencyThreshold' : [ 0x4a, ['unsigned char']], 'CoreParkingHeadroomThreshold' : [ 0x4b, ['unsigned char']], 'CoreParkingDistributionThreshold' : [ 0x4c, ['unsigned char']], 'CoreParkingDecreasePolicy' : [ 0x4d, ['unsigned char']], 'CoreParkingIncreasePolicy' : [ 0x4e, ['unsigned char']], 'CoreParkingDecreaseTime' : [ 0x50, ['unsigned long']], 'CoreParkingIncreaseTime' : [ 0x54, ['unsigned long']], 'CoreParkingMinCores' : [ 0x58, ['array', 2, ['unsigned char']]], 'CoreParkingMaxCores' : [ 0x5a, ['array', 2, ['unsigned char']]], 'AllowScaling' : [ 0x5c, ['unsigned char']], 'IdleDisabled' : [ 0x5d, 
['unsigned char']], 'IdleTimeCheck' : [ 0x60, ['unsigned long']], 'IdleDemotePercent' : [ 0x64, ['unsigned char']], 'IdlePromotePercent' : [ 0x65, ['unsigned char']], 'HeteroDecreaseTime' : [ 0x66, ['unsigned char']], 'HeteroIncreaseTime' : [ 0x67, ['unsigned char']], 'HeteroDecreaseThreshold' : [ 0x68, ['array', 32, ['unsigned char']]], 'HeteroIncreaseThreshold' : [ 0x88, ['array', 32, ['unsigned char']]], 'Class0FloorPerformance' : [ 0xa8, ['unsigned char']], 'Class1InitialPerformance' : [ 0xa9, ['unsigned char']], } ], '_ESERVERSILO_GLOBALS' : [ 0x288, { 'ObSiloState' : [ 0x0, ['_OBP_SILODRIVERSTATE']], 'SeSiloState' : [ 0x1a4, ['_SEP_SILOSTATE']], 'SeRmSiloState' : [ 0x1b8, ['_SEP_RM_LSA_CONNECTION_STATE']], 'EtwSiloState' : [ 0x1e8, ['pointer', ['_ETW_SILODRIVERSTATE']]], 'MiSessionLeaderProcess' : [ 0x1ec, ['pointer', ['_EPROCESS']]], 'ExpDefaultErrorPortProcess' : [ 0x1f0, ['pointer', ['_EPROCESS']]], 'ExpDefaultErrorPort' : [ 0x1f4, ['pointer', ['void']]], 'HardErrorState' : [ 0x1f8, ['unsigned long']], 'WnfSiloState' : [ 0x200, ['_WNF_SILODRIVERSTATE']], 'ApiSetSection' : [ 0x230, ['pointer', ['void']]], 'ApiSetSchema' : [ 0x234, ['pointer', ['void']]], 'OneCoreForwardersEnabled' : [ 0x238, ['unsigned char']], 'SiloRootDirectoryName' : [ 0x23c, ['_UNICODE_STRING']], 'Storage' : [ 0x244, ['pointer', ['_PSP_STORAGE']]], 'State' : [ 0x248, ['Enumeration', dict(target = 'long', choices = {0: 'SERVERSILO_INITING', 1: 'SERVERSILO_STARTED', 2: 'SERVERSILO_SHUTTING_DOWN', 3: 'SERVERSILO_TERMINATING', 4: 'SERVERSILO_TERMINATED'})]], 'ExitStatus' : [ 0x24c, ['long']], 'DeleteEvent' : [ 0x250, ['pointer', ['_KEVENT']]], 'UserSharedData' : [ 0x258, ['_SILO_USER_SHARED_DATA']], 'TerminateWorkItem' : [ 0x278, ['_WORK_QUEUE_ITEM']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', 
dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_PERF_FLAGS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'Progress' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 27, native_type='unsigned long')]], 'Synchronicity' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 29, native_type='unsigned long')]], 'RequestPepCompleted' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'RequestSucceeded' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NestedCallback' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, 
['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'IrpFirstPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IrpLastPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0x90, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x14, ['unsigned long']], 'LogHandleContext' : [ 0x18, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0x80, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x84, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0x88, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x178, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', ['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 
'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'V1' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0xa0, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xb4, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd8, ['_LARGE_INTEGER']], 'Event' : [ 0xe0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xf0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xf8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x160, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x164, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x168, ['unsigned long']], 'WritesInProgress' : [ 0x16c, ['unsigned long']], 'AsyncReadRequestCount' : [ 0x170, ['unsigned long']], } ], '__unnamed_1a86' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_1a86']], 'ArrayHead' : [ 0x10, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1aab' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], 'DiskIoAttribution' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1aad' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1aaf' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1ab1' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ab3' : [ 0x1c, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x4, ['pointer', 
['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x8, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x18, ['unsigned char']], } ], '__unnamed_1ab7' : [ 0x40, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], 'FileOffset' : [ 0x8, ['_LARGE_INTEGER']], 'FileObject' : [ 0x10, ['pointer', ['_FILE_OBJECT']]], 'Length' : [ 0x14, ['unsigned long']], 'PrefetchList' : [ 0x18, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'PrefetchPagePriority' : [ 0x1c, ['unsigned long']], 'Mdl' : [ 0x20, ['pointer', ['_MDL']]], 'IoStatusBlock' : [ 0x24, ['pointer', ['_IO_STATUS_BLOCK']]], 'CallbackContext' : [ 0x28, ['pointer', ['_CC_ASYNC_READ_CONTEXT']]], 'OriginatingProcess' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'IoIssuerThread' : [ 0x30, ['pointer', ['_ETHREAD']]], 'DiskIoAttribution' : [ 0x34, ['pointer', ['void']]], 'RequestorMode' : [ 0x38, ['unsigned char']], 'NestingLevel' : [ 0x3c, ['unsigned long']], } ], '__unnamed_1ab9' : [ 0x40, { 'Read' : [ 0x0, ['__unnamed_1aab']], 'Write' : [ 0x0, ['__unnamed_1aad']], 'Event' : [ 0x0, ['__unnamed_1aaf']], 'Notification' : [ 0x0, ['__unnamed_1ab1']], 'LowPriWrite' : [ 0x0, ['__unnamed_1ab3']], 'AsyncRead' : [ 0x0, ['__unnamed_1ab7']], } ], '_WORK_QUEUE_ENTRY' : [ 0x50, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_1ab9']], 'Function' : [ 0x48, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x18, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0x4, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x10, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x68, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x8, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0xc, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x18, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x40, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x44, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x48, 
['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x50, ['pointer', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x54, ['unsigned long']], 'LastLWTimeStamp' : [ 0x58, ['_LARGE_INTEGER']], 'Flags' : [ 0x60, ['unsigned long']], } ], '_MBCB' : [ 0x88, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x68, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x248, { 'Segment' : [ 
0x0, ['_HEAP_SEGMENT']], 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x58, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x5c, ['unsigned long']], 'Signature' : [ 0x60, ['unsigned long']], 'SegmentReserve' : [ 0x64, ['unsigned long']], 'SegmentCommit' : [ 0x68, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x6c, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x70, ['unsigned long']], 'TotalFreeSize' : [ 0x74, ['unsigned long']], 'MaximumAllocationSize' : [ 0x78, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x7c, ['unsigned short']], 'HeaderValidateLength' : [ 0x7e, ['unsigned short']], 'HeaderValidateCopy' : [ 0x80, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x84, ['unsigned short']], 'MaximumTagIndex' : [ 0x86, ['unsigned short']], 'TagEntries' : [ 0x88, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x8c, ['_LIST_ENTRY']], 'AlignRound' : [ 0x94, ['unsigned long']], 'AlignMask' : [ 0x98, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x9c, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa4, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xac, ['unsigned short']], 
'NonDedicatedListLength' : [ 0xb0, ['unsigned long']], 'BlocksIndex' : [ 0xb4, ['pointer', ['void']]], 'UCRIndex' : [ 0xb8, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xbc, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc0, ['_LIST_ENTRY']], 'LockVariable' : [ 0xc8, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xcc, ['pointer', ['void']]], 'StackTraceInitVar' : [ 0xd0, ['_RTL_RUN_ONCE']], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0xdb, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0xdc, ['pointer', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0xe0, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0xe2, ['array', 257, ['unsigned char']]], 'Counters' : [ 0x1e4, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x240, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1b28' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_1b28']], } ], '_HEAP_ENTRY' : [ 0x8, { 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 
0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'HeapEntry' : [ 0x0, ['_HEAP_ENTRY']], 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned 
char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1b7b' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1b7d' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b7b']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1b7f' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1b81' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1b7f']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1b7d']], 'u2' : [ 0x4, ['__unnamed_1b81']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x20, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1b9e' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1ba0' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1b9e']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1ba0']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Pad' : [ 0x10, ['unsigned long']], 'Lock' : [ 0x14, ['_EX_PUSH_LOCK']], } ], '__unnamed_1bb4' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1bb6' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bb4']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_1bb6']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_1bbf' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1bc1' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bbf']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_1bc1']], 'NumberOfViews' : [ 0x1c, 
['unsigned long']], 'ViewListHead' : [ 0x20, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x2c, ['pointer', ['_KALPC_VIEW']]], } ], '__unnamed_1bc7' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1bc9' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bc7']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, ['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', ['void']]], 'u1' : [ 0x24, ['__unnamed_1bc9']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x28, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x24, ['pointer', ['_KALPC_MESSAGE']]], } ], '__unnamed_1be6' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, 
['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1be8' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1be6']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x11c, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x5c, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x60, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x68, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0x70, 
['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0x74, ['_LIST_ENTRY']], 'DirectQueueLock' : [ 0x7c, ['_EX_PUSH_LOCK']], 'DirectQueue' : [ 0x80, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0x8c, ['_LIST_ENTRY']], 'Semaphore' : [ 0x94, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'PortAttributes' : [ 0x98, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0xc4, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xc8, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0xd4, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0xd8, ['pointer', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0xdc, ['pointer', ['void']]], 'CanceledQueue' : [ 0xe0, ['_LIST_ENTRY']], 'SequenceNo' : [ 0xe8, ['long']], 'ReferenceNo' : [ 0xec, ['long']], 'ReferenceNoWait' : [ 0xf0, ['pointer', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0xf4, ['__unnamed_1be8']], 'TargetQueuePort' : [ 0xf8, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xfc, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x100, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x104, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x108, ['unsigned long']], 'PendingQueueLength' : [ 0x10c, ['unsigned long']], 'DirectQueueLength' : [ 0x110, ['unsigned long']], 'CanceledQueueLength' : [ 0x114, ['unsigned long']], 'WaitQueueLength' : [ 0x118, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x58, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'CompletionListLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x10, ['pointer', ['_MDL']]], 'UserVa' : [ 0x14, ['pointer', ['void']]], 'UserLimit' : [ 0x18, ['pointer', ['void']]], 'DataUserVa' : [ 0x1c, ['pointer', ['void']]], 'SystemVa' : [ 0x20, ['pointer', ['void']]], 'TotalSize' : [ 0x24, ['unsigned long']], 'Header' : [ 0x28, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x2c, ['pointer', ['void']]], 
'ListSize' : [ 0x30, ['unsigned long']], 'Bitmap' : [ 0x34, ['pointer', ['void']]], 'BitmapSize' : [ 0x38, ['unsigned long']], 'Data' : [ 0x3c, ['pointer', ['void']]], 'DataSize' : [ 0x40, ['unsigned long']], 'BitmapLimit' : [ 0x44, ['unsigned long']], 'BitmapNextHint' : [ 0x48, ['unsigned long']], 'ConcurrencyCount' : [ 0x4c, ['unsigned long']], 'AttributeFlags' : [ 0x50, ['unsigned long']], 'AttributeSize' : [ 0x54, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x90, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'Key' : [ 0x84, ['unsigned long']], 'CallbackList' : [ 0x88, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x14, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x10, ['long']], } ], '__unnamed_1c0b' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 9, 
end_bit = 10, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1c0d' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c0b']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x98, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'u1' : [ 0x14, ['__unnamed_1c0d']], 'SequenceNo' : [ 0x18, ['long']], 'QuotaProcess' : [ 0x1c, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x1c, ['pointer', ['void']]], 'CancelSequencePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x24, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x28, ['long']], 'CancelListEntry' : [ 0x2c, ['_LIST_ENTRY']], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x38, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x60, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x64, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x68, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x6c, ['pointer', ['_ETHREAD']]], 'WakeReference' : [ 0x70, ['pointer', ['void']]], 'ExtensionBuffer' : [ 0x74, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0x78, ['unsigned 
long']], 'PortMessage' : [ 0x80, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x24, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'DirectEvent' : [ 0x14, ['_KALPC_DIRECT_EVENT']], 'Flags' : [ 0x18, ['unsigned long']], 'TotalLength' : [ 0x1c, ['unsigned short']], 'Type' : [ 0x1e, ['unsigned short']], 'DataInfoOffset' : [ 0x20, ['unsigned short']], 'SignalCompletion' : [ 0x22, ['unsigned char']], 'PostedToCompletionList' : [ 0x23, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x24, { 'ObjectType' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x28, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], 'DirectEvent' : [ 0x1c, ['_KALPC_DIRECT_EVENT']], 'WorkOnBehalfData' : [ 0x20, ['_KALPC_WORK_ON_BEHALF_DATA']], } ], '__unnamed_1c51' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1c53' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c51']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1c53']], } ], '_KALPC_DIRECT_EVENT' : [ 0x4, { 'Event' : [ 0x0, ['unsigned long']], 'Referenced' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 'IoStatusInformation' : [ 0x18, ['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x2c, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer', ['void']]], 'DiskIoAttributionHandle' : [ 0xc, ['unsigned long']], 'ActivityId' : [ 0x10, ['_GUID']], 'Timestamp' : [ 0x20, ['_LARGE_INTEGER']], 'ZeroingOffset' : [ 0x20, ['unsigned long']], 'FsTrackOffsetBlob' : [ 0x20, ['pointer', 
['_IO_IRP_EXT_TRACK_OFFSET_HEADER']]], 'FsTrackedOffset' : [ 0x24, ['long long']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x28, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 8, ['pointer', ['void']]]], 'FoIoPriorityHint' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x78, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 
0x4, ['pointer', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x4c, ['pointer', ['void']]], 'Override' : [ 0x50, ['unsigned char']], 'QueryOnly' : [ 0x51, ['unsigned char']], 'DeleteOnly' : [ 0x52, ['unsigned char']], 'FullAttributes' : [ 0x53, ['unsigned char']], 'LocalFileObject' : [ 0x54, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x58, ['unsigned long']], 'AccessMode' : [ 0x5c, ['unsigned char']], 'DriverCreateContext' : [ 0x60, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, 
['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1d1b' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x110, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1d1b']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer', ['wchar']]], 'LogFileName' : [ 0x3c, ['pointer', ['wchar']]], 'TimeZone' : [ 0x40, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf0, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0xf8, ['_LARGE_INTEGER']], 'StartTime' : [ 0x100, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x108, ['unsigned long']], 'BuffersLost' : [ 0x10c, ['unsigned long']], } ], '_RTL_HASH_TABLE' : [ 0xc, { 'EntryCount' : [ 0x0, ['unsigned long']], 'MaskBitCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'BucketCount' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Buckets' : [ 0x8, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_HASH_ENTRY' : [ 0x8, { 'BucketLink' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Key' : [ 0x4, ['unsigned long']], } ], '_RTL_HASH_TABLE_ITERATOR' : [ 0xc, { 'Hash' : [ 0x0, ['pointer', ['_RTL_HASH_TABLE']]], 'HashEntry' : [ 0x4, ['pointer', 
['_RTL_HASH_ENTRY']]], 'Bucket' : [ 0x8, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_CHASH_TABLE' : [ 0x10, { 'Table' : [ 0x0, ['pointer', ['_RTL_CHASH_ENTRY']]], 'EntrySizeShift' : [ 0x4, ['unsigned long']], 'EntryMax' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_RTL_CHASH_ENTRY' : [ 0x4, { 'Key' : [ 0x0, ['unsigned long']], } ], '_ETW_BUFFER_QUEUE' : [ 0x8, { 'QueueTail' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x4, ['_SINGLE_LIST_ENTRY']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStatePendingCompression', 5: 'EtwBufferStateCompressed', 6: 'EtwBufferStatePlaceholder', 7: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_WMI_LOGGER_CONTEXT' : [ 0x2f0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, 
['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 1, ['unsigned long']]], 'ErrorMarker' : [ 0x18, ['unsigned long']], 'SizeMask' : [ 0x1c, ['unsigned long']], 'GetCpuClock' : [ 0x20, ['pointer', ['void']]], 'LoggerThread' : [ 0x24, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x28, ['long']], 'FailureReason' : [ 0x2c, ['unsigned long']], 'BufferQueue' : [ 0x30, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x38, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x40, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x48, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x50, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x50, ['_EX_FAST_REF']], 'LoggerName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x64, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x6c, ['_UNICODE_STRING']], 'ClockType' : [ 0x74, ['unsigned long']], 'LastFlushedBuffer' : [ 0x78, ['unsigned long']], 'FlushTimer' : [ 0x7c, ['unsigned long']], 'FlushThreshold' : [ 0x80, ['unsigned long']], 'ByteOffset' : [ 0x88, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x90, ['unsigned long']], 'BuffersAvailable' : [ 0x94, ['long']], 'NumberOfBuffers' : [ 0x98, ['long']], 'MaximumBuffers' : [ 0x9c, ['unsigned long']], 'EventsLost' : [ 0xa0, ['unsigned long']], 'PeakBuffersCount' : [ 0xa4, ['long']], 'BuffersWritten' : [ 0xa8, ['unsigned long']], 'LogBuffersLost' : [ 0xac, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xb0, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xb4, ['unsigned long']], 'SequencePtr' : [ 0xb8, ['pointer', ['long']]], 'LocalSequence' : [ 0xbc, ['unsigned long']], 'InstanceGuid' : [ 0xc0, ['_GUID']], 'MaximumFileSize' : [ 0xd0, ['unsigned long']], 'FileCounter' : [ 0xd4, ['long']], 'PoolType' : [ 0xd8, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 
'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xe0, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0xf0, ['long']], 'ProviderInfoSize' : [ 0xf4, ['unsigned long']], 'Consumers' : [ 0xf8, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x100, ['unsigned long']], 'TransitionConsumer' : [ 0x104, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x108, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x10c, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x120, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x128, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x130, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x138, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x140, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x148, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x158, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x15c, ['_KEVENT']], 'FlushEvent' : [ 0x16c, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x180, ['_KTIMER']], 'LoggerDpc' : [ 0x1a8, ['_KDPC']], 'LoggerMutex' : [ 0x1c8, ['_KMUTANT']], 'LoggerLock' : [ 0x1e8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1ec, ['unsigned long']], 'BufferListPushLock' : [ 0x1ec, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1f0, ['_SECURITY_CLIENT_CONTEXT']], 'TokenAccessInformation' : [ 0x22c, ['pointer', ['_TOKEN_ACCESS_INFORMATION']]], 'SecurityDescriptor' : [ 0x230, ['_EX_FAST_REF']], 'StartTime' : [ 
0x238, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x240, ['pointer', ['void']]], 'BufferSequenceNumber' : [ 0x248, ['long long']], 'Flags' : [ 0x250, ['unsigned long']], 'Persistent' : [ 0x250, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x250, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x250, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x250, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x250, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x250, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x250, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x250, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x250, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x250, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x250, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x250, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x250, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'StackLookasideListAllocated' : [ 0x250, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SecurityTrace' : [ 0x250, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'SpareFlags1' : [ 0x250, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x250, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x250, 
['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x250, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x254, ['unsigned long']], 'DbgRequestNewFile' : [ 0x254, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x254, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x254, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x254, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x254, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x254, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x254, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x254, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDeferredFlush' : [ 0x254, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDeferredFlushTimer' : [ 0x254, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x254, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x254, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x254, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x258, ['_RTL_BITMAP']], 'StackCache' : [ 0x260, ['pointer', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x264, ['pointer', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x268, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x270, ['pointer', ['pointer', 
['_WMI_BUFFER_HEADER']]]], 'DisallowedGuids' : [ 0x274, ['_DISALLOWED_GUIDS']], 'SoftRestartContext' : [ 0x27c, ['pointer', ['_ETW_SOFT_RESTART_CONTEXT']]], 'SiloState' : [ 0x280, ['pointer', ['_ETW_SILODRIVERSTATE']]], 'CompressionWorkItem' : [ 0x284, ['_WORK_QUEUE_ITEM']], 'CompressionWorkItemState' : [ 0x294, ['long']], 'CompressionLock' : [ 0x298, ['_EX_PUSH_LOCK']], 'CompressionTarget' : [ 0x29c, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CompressionWorkspace' : [ 0x2a0, ['pointer', ['void']]], 'CompressionOn' : [ 0x2a4, ['long']], 'CompressionRatioGuess' : [ 0x2a8, ['unsigned long']], 'PartialBufferCompressionLevel' : [ 0x2ac, ['unsigned long']], 'CompressionResumptionMode' : [ 0x2b0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwCompressionModeRestart', 1: 'EtwCompressionModeNoDisable', 2: 'EtwCompressionModeNoRestart'})]], 'PlaceholderList' : [ 0x2b4, ['_SINGLE_LIST_ENTRY']], 'CompressionDpc' : [ 0x2b8, ['_KDPC']], 'LastBufferSwitchTime' : [ 0x2d8, ['_LARGE_INTEGER']], 'BufferWriteDuration' : [ 0x2e0, ['_LARGE_INTEGER']], 'BufferCompressDuration' : [ 0x2e8, ['_LARGE_INTEGER']], } ], '_ETW_PMC_SUPPORT' : [ 0x24, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, 
['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_SILODRIVERSTATE' : [ 0xa80, { 'EtwpSecurityProviderGuidEntry' : [ 0x0, ['_ETW_GUID_ENTRY']], 'EtwpLoggerRundown' : [ 0x168, ['array', 64, ['pointer', ['_EX_RUNDOWN_REF_CACHE_AWARE']]]], 'WmipLoggerContext' : [ 0x268, ['array', 64, ['pointer', ['_WMI_LOGGER_CONTEXT']]]], 'EtwpGuidHashTable' : [ 0x368, ['array', 64, ['_ETW_HASH_BUCKET']]], 'EtwpSecurityLoggers' : [ 0xa68, ['array', 8, ['unsigned short']]], 'EtwpSecurityProviderEnableMask' : [ 0xa78, ['unsigned char']], 'EtwpShutdownInProgress' : [ 0xa79, ['unsigned char']], 'EtwpSecurityProviderPID' : [ 0xa7c, ['unsigned long']], } ], '_EX_RUNDOWN_REF_CACHE_AWARE' : [ 0x10, { 'RunRefs' : [ 0x0, ['pointer', ['_EX_RUNDOWN_REF']]], 'PoolToFree' : [ 0x4, ['pointer', ['void']]], 'RunRefSize' : [ 0x8, ['unsigned long']], 'Number' : [ 0xc, ['unsigned long']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x2a0, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : 
[ 0x98, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x9c, ['pointer', ['void']]], 'DynamicPart' : [ 0xa0, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa4, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xb0, ['unsigned long']], 'TokenInUse' : [ 0xb4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb8, ['unsigned long']], 'MandatoryPolicy' : [ 0xbc, ['unsigned long']], 'LogonSession' : [ 0xc0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc4, ['_LUID']], 'SidHash' : [ 0xcc, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x154, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1dc, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x1e0, ['pointer', ['void']]], 'Capabilities' : [ 0x1e4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x1e8, ['unsigned long']], 'CapabilitiesHash' : [ 0x1ec, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x274, ['pointer', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x278, ['pointer', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x27c, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x280, ['pointer', ['void']]], 'TrustLinkedToken' : [ 0x284, ['pointer', ['_TOKEN']]], 'IntegrityLevelSidValue' : [ 0x288, ['pointer', ['void']]], 'TokenSidValues' : [ 0x28c, ['pointer', ['_SEP_SID_VALUES_BLOCK']]], 'IndexEntry' : [ 0x290, ['pointer', ['_SEP_LUID_TO_INDEX_MAP_ENTRY']]], 'DiagnosticInfo' : [ 0x294, ['pointer', ['_SEP_TOKEN_DIAG_TRACK_ENTRY']]], 'VariablePart' : [ 0x298, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x6c, { 'Next' : [ 0x0, ['pointer', 
['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x34, ['_SEP_LOWBOX_HANDLES_TABLE']], 'SharedDataLock' : [ 0x3c, ['_EX_PUSH_LOCK']], 'SharedClaimAttributes' : [ 0x40, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'SharedSidValues' : [ 0x44, ['pointer', ['_SEP_SID_VALUES_BLOCK']]], 'RevocationBlock' : [ 0x48, ['_OB_HANDLE_REVOCATION_BLOCK']], 'ServerSilo' : [ 0x58, ['pointer', ['_EJOB']]], 'SiblingAuthId' : [ 0x5c, ['_LUID']], 'TokenList' : [ 0x64, ['_LIST_ENTRY']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : [ 0xd, ['unsigned char']], 'DbgRefTrace' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0xd, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'NewObject' : [ 0xf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0xf, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0xf, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0xf, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0xf, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0xf, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned 
char')]], 'SingleHandleEntry' : [ 0xf, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0xf, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved1' : [ 0xe, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x8, { 'SecurityDescriptor' : [ 0x0, ['pointer', ['void']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_EXTENDED_INFO' : [ 0x8, { 'Footer' : [ 0x0, ['pointer', ['_OBJECT_FOOTER']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_FOOTER' : [ 0x18, { 'HandleRevocationInfo' : [ 0x0, ['_HANDLE_REVOCATION_INFO']], 'ExtendedUserInfo' : [ 0x10, ['_OB_EXTENDED_USER_INFO']], } ], '_OB_EXTENDED_USER_INFO' : [ 0x8, { 'Context1' : [ 0x0, ['pointer', ['void']]], 'Context2' : [ 0x4, ['pointer', ['void']]], } ], 
'_HANDLE_REVOCATION_INFO' : [ 0x10, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'RevocationBlock' : [ 0x8, ['pointer', ['_OB_HANDLE_REVOCATION_BLOCK']]], 'AllowHandleRevocation' : [ 0xc, ['unsigned char']], 'Padding1' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x18, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'EntryLink' : [ 0x8, ['pointer', ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0xc, ['unsigned long']], 'HashIndex' : [ 0x10, ['unsigned short']], 'DirectoryLocked' : [ 0x12, ['unsigned char']], 'LockedExclusive' : [ 0x13, ['unsigned char']], 'LockStateSignature' : [ 0x14, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xac, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x9c, ['pointer', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0xa0, ['unsigned long']], 'NamespaceEntry' : [ 0xa4, ['pointer', ['void']]], 'Flags' : [ 0xa8, ['unsigned long']], } ], '_OBP_SILODRIVERSTATE' : [ 0x1a4, { 'SystemDeviceMap' : [ 0x0, ['pointer', ['_DEVICE_MAP']]], 'SystemDosDeviceState' : [ 0x4, ['_OBP_SYSTEM_DOS_DEVICE_STATE']], 'DeviceMapLock' : [ 0x70, ['_EX_PUSH_LOCK']], 'PrivateNamespaceLookupTable' : [ 0x74, ['_OBJECT_NAMESPACE_LOOKUPTABLE']], } ], '_WHEAP_INFO_BLOCK' : [ 0xc, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x4, ['pointer', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x8, ['pointer', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x418, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x8, ['unsigned long']], 'PlatformErrorSourceId' : [ 0xc, ['unsigned long']], 'ErrorCount' : [ 0x10, ['long']], 'RecordCount' : [ 0x14, ['unsigned long']], 'RecordLength' : [ 0x18, ['unsigned long']], 'PoolTag' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['Enumeration', 
dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x24, ['pointer', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x28, ['pointer', ['void']]], 'SectionCount' : [ 0x2c, ['unsigned long']], 'SectionLength' : [ 0x30, ['unsigned long']], 'TickCountAtLastError' : [ 0x38, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x40, ['unsigned long']], 'TotalErrors' : [ 0x44, ['unsigned long']], 'Deferred' : [ 0x48, ['unsigned char']], 'Descriptor' : [ 0x49, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xe4, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x8, ['unsigned long']], 'ProcessorNumber' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x14, ['long']], 'ErrorSource' : [ 0x18, ['pointer', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x1c, ['_WHEA_ERROR_RECORD']], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ImageControlAreaOnRemovableMedia' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, 
native_type='unsigned long')]], 'SystemVaAllocated' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PreferredFsCompressionBoundary' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'UsingFileExtents' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'PageSize64K' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PEP_ACPI_SPB_RESOURCE' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'TypeSpecificFlags' : [ 0x8, ['unsigned short']], 'ResourceSourceIndex' : [ 0xa, ['unsigned char']], 'ResourceSourceName' : [ 0xc, ['pointer', ['_UNICODE_STRING']]], 'VendorData' : [ 0x10, ['pointer', ['unsigned char']]], 'VendorDataLength' : [ 0x14, ['unsigned short']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x40, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' 
: [ 0x8, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0xc, ['long']], 'HighWaterMark' : [ 0x10, ['unsigned long']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], '_KDPC_DATA' : [ 0x18, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], 'ActiveDpc' : [ 0x14, ['pointer', ['_KDPC']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_PLATFORM_IDLE_ACCOUNTING' : [ 0x400, { 'ResetCount' : [ 0x0, ['unsigned long']], 'StateCount' : [ 0x4, ['unsigned long']], 'DeepSleepCount' : [ 0x8, ['unsigned long']], 'TimeUnit' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['_PLATFORM_IDLE_STATE_ACCOUNTING']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '__unnamed_1edf' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x5000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1edf']], 'SessionId' : [ 0x8, ['unsigned long']], 
'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x18, ['unsigned long']], 'NonPagablePages' : [ 0x1c, ['unsigned long']], 'CommittedPages' : [ 0x20, ['unsigned long']], 'PagedPoolStart' : [ 0x24, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x28, ['pointer', ['void']]], 'SessionObject' : [ 0x2c, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x30, ['pointer', ['void']]], 'SessionPoolAllocationFailures' : [ 0x34, ['array', 4, ['unsigned long']]], 'ImageTree' : [ 0x44, ['_RTL_AVL_TREE']], 'LocaleId' : [ 0x48, ['unsigned long']], 'AttachCount' : [ 0x4c, ['unsigned long']], 'AttachGate' : [ 0x50, ['_KGATE']], 'WsListEntry' : [ 0x60, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 24, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xc80, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xc94, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xcc0, ['_MMSUPPORT_FULL']], 'DriverUnload' : [ 0xd48, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xd80, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1ec0, ['pointer', ['_MMPTE']]], 'PagedPoolBitBuffer' : [ 0x1ec4, ['array', 32, ['unsigned long']]], 'SpecialPool' : [ 0x1f48, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f90, ['_EX_PUSH_LOCK']], 'PoolBigEntriesInUse' : [ 0x1f94, ['long']], 'PagedPoolPdeCount' : [ 0x1f98, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f9c, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1fa0, ['unsigned long']], 'SystemPteInfo' : [ 0x1fa4, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1fdc, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1fe0, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1fe4, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fe8, ['unsigned long']], 'IoState' : [ 0x1fec, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 
'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1ff0, ['unsigned long']], 'IoNotificationEvent' : [ 0x1ff4, ['_KEVENT']], 'ServerSilo' : [ 0x2004, ['pointer', ['_EJOB']]], 'CreateTime' : [ 0x2008, ['unsigned long long']], 'PoolTags' : [ 0x3000, ['array', 8192, ['unsigned char']]], } ], '_OBJECT_NAMESPACE_LOOKUPTABLE' : [ 0x130, { 'HashBuckets' : [ 0x0, ['array', 37, ['_LIST_ENTRY']]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'NumberOfPrivateSpaces' : [ 0x12c, ['unsigned long']], } ], '_MI_CACHED_PTES' : [ 0x48, { 'Bins' : [ 0x0, ['array', 8, ['_MI_CACHED_PTE']]], 'CachedPteCount' : [ 0x40, ['long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x58, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeFlags2' : [ 0x3, ['unsigned char']], 'UseExtendedParameters' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 
'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'ParseProcedureEx' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], 'WaitObjectFlagMask' : [ 0x50, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x54, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x56, ['unsigned short']], } ], '_KLOCK_ENTRY' : [ 0x30, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'EntryFlags' : [ 0xc, ['unsigned long']], 'EntryOffset' : [ 0xc, ['unsigned char']], 'ThreadLocalFlags' : [ 0xd, ['unsigned char']], 'WaitingBit' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare0' : [ 0xd, ['BitField', dict(start_bit = 1, end_bit = 8, 
native_type='unsigned char')]], 'AcquiredByte' : [ 0xe, ['unsigned char']], 'AcquiredBit' : [ 0xe, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadFlags' : [ 0xf, ['unsigned char']], 'HeadNodeBit' : [ 0xf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IoPriorityBit' : [ 0xf, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IoQoSWaiter' : [ 0xf, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0xf, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'StaticState' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'AllFlags' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'LockState' : [ 0x10, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x10, ['pointer', ['void']]], 'CrossThreadReleasableAndBusyByte' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['array', 2, ['unsigned char']]], 'InTreeByte' : [ 0x13, ['unsigned char']], 'SessionState' : [ 0x14, ['pointer', ['void']]], 'SessionId' : [ 0x14, ['unsigned long']], 'OwnerTree' : [ 0x18, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x20, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x18, ['unsigned char']], 'EntryLock' : [ 0x28, ['unsigned long']], 'AllBoosts' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 17, native_type='unsigned long')]], 'CpuBoostsBitmap' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 15, native_type='unsigned short')]], 'IoBoost' : [ 0x2c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'IoQoSBoost' : [ 0x2e, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x2e, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned short')]], 'IoQoSWaiterCount' : [ 0x2e, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], } ], 
'_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'Arm64ControlSet' : [ 0x0, ['_ARM64_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ManySubsections' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Enclave' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, 
native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PageSize64K' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_COUNTERS' : [ 0x5c, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'PollIntervalCounter' : [ 0x38, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x3c, ['unsigned long']], 'HeapPollInterval' : [ 0x40, ['unsigned long']], 'AllocAndFreeOps' : [ 0x44, ['unsigned long']], 'AllocationIndicesActive' : [ 0x48, ['unsigned long']], 'InBlockDeccommits' : [ 0x4c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x50, ['unsigned long']], 'HighWatermarkSize' : [ 0x54, ['unsigned long']], 'LastPolledSize' : [ 0x58, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x18, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : 
[ 0x8, ['pointer', ['_ETHREAD']]], 'Irp' : [ 0xc, ['pointer', ['_IRP']]], 'Device' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Static' : [ 0x14, ['unsigned char']], } ], '__unnamed_1f48' : [ 0x10, { 'CallerCompletion' : [ 0x0, ['pointer', ['void']]], 'CallerContext' : [ 0x4, ['pointer', ['void']]], 'CallerDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0xc, ['unsigned char']], } ], '__unnamed_1f4b' : [ 0x8, { 'NotifyDevice' : [ 0x0, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x4, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'Pdo' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x18, ['unsigned long long']], 'WatchdogTimer' : [ 0x20, ['_KTIMER']], 'WatchdogDpc' : [ 0x48, ['_KDPC']], 'MinorFunction' : [ 0x68, ['unsigned char']], 'PowerStateType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0x70, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0x74, ['unsigned char']], 'FxDevice' : [ 0x78, ['pointer', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0x7c, ['unsigned char']], 'NotifyPEP' : [ 0x7d, ['unsigned char']], 'Device' : [ 0x80, ['__unnamed_1f48']], 'System' : [ 0x80, ['__unnamed_1f4b']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x4, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 
0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_PPM_IDLE_STATES' : [ 0x140, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'ForceIdle' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'UnaccountedTransition' : [ 0x5, ['unsigned char']], 'IdleDurationLimited' : [ 0x6, ['unsigned char']], 'IdleCheckLimited' : [ 0x7, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'ReasonFlags' : [ 0x24, ['unsigned short']], 'InitiateWakeStamp' : [ 0x28, ['unsigned long long']], 'PreviousStatus' : [ 0x30, ['long']], 'PreviousCancelReason' : [ 0x34, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x38, ['_KAFFINITY_EX']], 
'SecondaryProcessorMask' : [ 0x44, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x50, ['pointer', ['void']]], 'IdlePreExecute' : [ 0x54, ['pointer', ['void']]], 'IdleExecute' : [ 0x58, ['pointer', ['void']]], 'IdlePreselect' : [ 0x5c, ['pointer', ['void']]], 'IdleTest' : [ 0x60, ['pointer', ['void']]], 'IdleAvailabilityCheck' : [ 0x64, ['pointer', ['void']]], 'IdleComplete' : [ 0x68, ['pointer', ['void']]], 'IdleCancel' : [ 0x6c, ['pointer', ['void']]], 'IdleIsHalted' : [ 0x70, ['pointer', ['void']]], 'IdleInitiateWake' : [ 0x74, ['pointer', ['void']]], 'PrepareInfo' : [ 0x78, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'DeepIdleSnapshot' : [ 0xc8, ['_KAFFINITY_EX']], 'Tracing' : [ 0xd4, ['pointer', ['_PERFINFO_PPM_STATE_SELECTION']]], 'CoordinatedTracing' : [ 0xd8, ['pointer', ['_PERFINFO_PPM_STATE_SELECTION']]], 'ProcessorMenu' : [ 0xdc, ['_PPM_SELECTION_MENU']], 'CoordinatedMenu' : [ 0xe4, ['_PPM_SELECTION_MENU']], 'CoordinatedSelection' : [ 0xec, ['_PPM_COORDINATED_SELECTION']], 'State' : [ 0xfc, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_ETW_HASH_BUCKET' : [ 0x1c, { 'ListHead' : [ 0x0, ['array', 3, ['_LIST_ENTRY']]], 'BucketLock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_1f96' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 
0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], 'GenErrDescriptorV2' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR_V2']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1f96']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 
'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_SEP_TOKEN_DIAG_TRACK_ENTRY' : [ 0x9c, { 'ProcessCid' : [ 0x0, ['pointer', ['void']]], 'ThreadCid' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'CreateMethod' : [ 0x18, ['unsigned long']], 'CreateTrace' : [ 0x1c, ['array', 30, ['unsigned long']]], 'Count' : [ 0x94, ['long']], 'CaptureCount' : [ 0x98, ['long']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND_STATE' : [ 0x4, { 'Expanded' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Transitioning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Pageable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, 
['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_PPM_POLICY_SETTINGS_MASK' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'PerfDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PerfIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'PerfDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PerfIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PerfDecreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PerfIncreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'PerfMinPolicy' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'PerfMaxPolicy' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'PerfTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PerfBoostPolicy' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PerfBoostMode' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AllowThrottling' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PerfHistoryCount' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ParkingPerfState' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LatencyHintPerf' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'LatencyHintUnpark' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CoreParkingMinCores' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CoreParkingMaxCores' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'CoreParkingDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'CoreParkingIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 
'CoreParkingDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CoreParkingIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CoreParkingOverUtilizationThreshold' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'CoreParkingDistributeUtility' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CoreParkingConcurrencyThreshold' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CoreParkingHeadroomThreshold' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CoreParkingDistributionThreshold' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IdleAllowScaling' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'IdleDisable' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'IdleTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'IdleDemoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'IdlePromoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HeteroDecreaseTime' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HeteroIncreaseTime' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HeteroDecreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HeteroIncreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Class0FloorPerformance' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Class1InitialPerformance' : [ 0x4, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnergyPerfPreference' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AutonomousActivityWindow' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AutonomousMode' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DutyCycling' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_KSCHEDULING_GROUP' : [ 0x180, { 'Policy' : [ 0x0, ['_KSCHEDULING_GROUP_POLICY']], 'RelativeWeight' : [ 0x8, ['unsigned long']], 'ChildMinRate' : [ 0xc, ['unsigned long']], 'ChildMinWeight' : [ 0x10, ['unsigned long']], 'ChildTotalWeight' : [ 0x14, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x18, ['unsigned long long']], 'NotificationCycles' : [ 0x20, ['long long']], 'MaxQuotaLimitCycles' : [ 0x28, ['long long']], 'MaxQuotaCyclesRemaining' : [ 0x30, ['long long']], 'SchedulingGroupList' : [ 0x38, ['_LIST_ENTRY']], 'Sibling' : [ 0x38, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x40, ['pointer', ['_KDPC']]], 'ChildList' : [ 0x44, ['_LIST_ENTRY']], 'Parent' : [ 0x4c, ['pointer', ['_KSCHEDULING_GROUP']]], 'PerProcessor' : [ 0x80, ['array', 1, ['_KSCB']]], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x130, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x8, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0xc, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x10, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x98, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x120, ['pointer', 
['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x124, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x128, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x12c, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned 
long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_LOCK_HEADER' : [ 0x10, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x4, ['unsigned long']], 'Lock' : [ 0x8, ['unsigned long']], 'Valid' : [ 0xc, ['unsigned long']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' 
: [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_KHETERO_PROCESSOR_SET' : [ 0xc, { 'IdealMask' : [ 0x0, ['unsigned long']], 'PreferredMask' : [ 0x4, ['unsigned long']], 'AvailableMask' : [ 0x8, ['unsigned long']], } ], '_MMSESSION' : [ 0x14, { 'SystemSpaceViewLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'SystemSpaceViewLockPointer' : [ 0x4, ['pointer', ['_EX_PUSH_LOCK']]], 'ViewRoot' : [ 0x8, ['_RTL_AVL_TREE']], 'ViewCount' : [ 0xc, ['unsigned long']], 'BitmapFailures' : [ 0x10, ['unsigned long']], } ], '_CC_ASYNC_READ_CONTEXT' : [ 0x14, { 'CompletionRoutine' : [ 0x0, ['pointer', ['void']]], 'Context' : [ 0x4, ['pointer', ['void']]], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'RequestorMode' : [ 0xc, ['unsigned char']], 'NestingLevel' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_DIRTY_PAGE_STATISTICS' : [ 0xc, { 'DirtyPages' : [ 0x0, ['unsigned long']], 'DirtyPagesLastScan' : [ 0x4, ['unsigned long']], 'DirtyPagesScheduledLastScan' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x58, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'ReadyTime' : [ 0x10, ['unsigned long long']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'ContextSwitches' : [ 0x20, ['unsigned long long']], 'ReadOperationCount' : [ 0x28, ['long long']], 'WriteOperationCount' : [ 0x30, ['long long']], 'OtherOperationCount' : [ 0x38, ['long long']], 'ReadTransferCount' : [ 0x40, ['long long']], 'WriteTransferCount' : [ 0x48, ['long long']], 'OtherTransferCount' : [ 0x50, ['long long']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned 
long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x38, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], 'ServerSilo' : [ 0x34, ['pointer', ['_EJOB']]], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_TRIAGE_9F_PNP' : [ 0xc, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'CompletionQueue' : [ 0x4, ['pointer', ['_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE']]], 'DelayedWorkQueue' : [ 0x8, ['pointer', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_POP_CURRENT_BROADCAST' : [ 0x10, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 
'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'DeviceState' : [ 0xc, ['pointer', ['_POP_DEVICE_SYS_STATE']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LeakedPoolDeliberately' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR_V2' : [ 0x50, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'ReadAckAddressSpaceID' : [ 0x34, ['unsigned char']], 'ReadAckAddressBitWidth' : [ 0x35, ['unsigned char']], 'ReadAckAddressBitOffset' : [ 0x36, ['unsigned char']], 'ReadAckAddressAccessSize' : [ 0x37, 
['unsigned char']], 'ReadAckAddress' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAckPreserveMask' : [ 0x40, ['unsigned long long']], 'ReadAckWriteMask' : [ 0x48, ['unsigned long long']], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_MI_SPECIAL_POOL' : [ 0x48, { 'Lock' : [ 0x0, ['unsigned long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long']], 'SpecialPoolPdes' : [ 0x3c, ['_RTL_BITMAP']], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, ['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], '_DBGKD_WRITE_CUSTOM_BREAKPOINT' : [ 0x18, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointInstruction' : [ 0x8, ['unsigned long long']], 
'BreakPointHandle' : [ 0x10, ['unsigned long']], 'BreakPointInstructionSize' : [ 0x14, ['unsigned char']], 'BreakPointInstructionAlignment' : [ 0x15, ['unsigned char']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x2c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x8, ['unsigned char']], 'Spare' : [ 0x9, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0xc, ['unsigned long']], 'DebugId' : [ 0x10, ['_CVDD']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PS_PROPERTY_SET' : [ 0xc, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x8, ['unsigned long']], } ], '_TRIAGE_EX_WORK_QUEUE' : [ 0x19c, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, 
['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x30, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'ExpectedWakeReason' : [ 0x2d, ['unsigned char']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_THREAD_ENERGY_VALUES' : [ 0x40, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_WHEAP_WORK_QUEUE' : [ 0x44, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['long']], 'Dpc' : [ 0x10, ['_KDPC']], 'WorkItem' : [ 0x30, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x40, ['pointer', ['void']]], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, 
['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_RTL_RUN_ONCE' : [ 0x4, { 'Ptr' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], } ], '_CM_PATH_HASH' : [ 0x4, { 'Hash' : [ 0x0, ['unsigned long']], } ], '_EXHANDLE' : [ 0x4, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, 
['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_FAST_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['wchar']]], 'DriverName' : [ 0x28, ['pointer', ['wchar']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], '_DUAL' : [ 0x19c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x190, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x198, ['unsigned long']], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x24, { 'Next' : [ 0x0, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'Gate' : [ 0x8, ['_KGATE']], 'SecureInfo' : [ 0x8, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x8, ['_RTL_BITMAP']], 'InPageSupport' : [ 0x8, ['pointer', ['_MMINPAGE_SUPPORT']]], 'LargePage' : [ 0x8, ['_MI_LARGEPAGE_IMAGE_INFO']], 'CreatingThread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'PebTeb' : [ 0x8, ['_MI_SUB64K_FREE_RANGES']], } ], '__unnamed_2084' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '__unnamed_2086' : [ 0x4, { 'NumberOfChildViews' : [ 0x0, ['unsigned long']], } ], '__unnamed_2088' : [ 0x4, { 'AlignmentNoAccessPtes' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'DirtyPages' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SUBSECTION' : [ 0x28, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'GlobalPerSessionHead' : [ 0xc, ['_RTL_AVL_TREE']], 'CreationWaitList' : [ 0xc, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'SessionDriverProtos' : [ 0xc, ['pointer', ['_MI_PER_SESSION_PROTOS']]], 'u' : [ 0x10, ['__unnamed_2084']], 'StartingSector' : [ 0x14, ['unsigned long']], 'NumberOfFullSectors' : [ 0x18, ['unsigned long']], 'PtesInSubsection' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_2086']], 'UnusedPtes' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'DirtyPages' : [ 0x24, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u2' : [ 0x24, ['__unnamed_2088']], } ], '_REQUEST_MAILBOX' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x4, ['unsigned long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x18, ['pointer', ['long']]], 'NodeTargetCount' : [ 0x1c, ['long']], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x8, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_SEP_RM_LSA_CONNECTION_STATE' : [ 0x30, { 'LsaProcessHandle' : [ 0x0, ['pointer', ['void']]], 'LsaCommandPortHandle' : [ 0x4, ['pointer', ['void']]], 'SepRmThreadHandle' : [ 0x8, ['pointer', ['void']]], 'RmCommandPortHandle' : [ 0xc, ['pointer', ['void']]], 'RmCommandServerPortHandle' : [ 0x10, ['pointer', ['void']]], 'LsaCommandPortSectionHandle' : [ 0x14, ['pointer', ['void']]], 'LsaCommandPortSectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'LsaViewPortMemory' : [ 0x20, ['pointer', ['void']]], 'RmViewPortMemory' : [ 0x24, ['pointer', ['void']]], 'LsaCommandPortMemoryDelta' : [ 0x28, ['long']], 'LsaCommandPortActive' : [ 0x2c, ['unsigned char']], } ], '_CM_KCB_LAYER_INFO' : [ 0x18, { 'LayerListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Kcb' : [ 0x8, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'LowerLayer' : [ 0xc, 
['pointer', ['_CM_KCB_LAYER_INFO']]], 'UpperLayerListHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MM_PAGED_POOL_INFO' : [ 0x1c, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'PagedPoolAllocationMap' : [ 0x4, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 'MaximumSize' : [ 0x10, ['unsigned long']], 'PagedPoolHint' : [ 0x14, ['unsigned long']], 'AllocatedPagedPool' : [ 0x18, ['unsigned long']], } ], '_PPM_IDLE_STATE' : [ 0x44, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Name' : [ 0xc, ['_UNICODE_STRING']], 'Latency' : [ 0x14, ['unsigned long']], 'BreakEvenDuration' : [ 0x18, ['unsigned long']], 'Power' : [ 0x1c, ['unsigned long']], 'StateFlags' : [ 0x20, ['unsigned long']], 'VetoAccounting' : [ 0x24, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0x3c, ['unsigned char']], 'InterruptsEnabled' : [ 0x3d, ['unsigned 
char']], 'Interruptible' : [ 0x3e, ['unsigned char']], 'ContextRetained' : [ 0x3f, ['unsigned char']], 'CacheCoherent' : [ 0x40, ['unsigned char']], 'WakesSpuriously' : [ 0x41, ['unsigned char']], 'PlatformOnly' : [ 0x42, ['unsigned char']], 'NoCState' : [ 0x43, ['unsigned char']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '__unnamed_20b9' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_20bb' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_20b9']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0xb0, { 'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_20bb']], 'Signature' : [ 0x14, ['unsigned long']], 'PoolPageHeaders' : [ 0x18, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, 
['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, ['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], 'ExecutePoolTypes' : [ 0x90, ['unsigned long']], 'ExecutePageProtections' : [ 0x94, ['unsigned long']], 'ExecutePageMappings' : [ 0x98, ['unsigned long']], 'ExecuteWriteSections' : [ 0x9c, ['unsigned long']], 'SectionAlignmentFailures' : [ 0xa0, ['unsigned long']], 'UnsupportedRelocs' : [ 0xa4, ['unsigned long']], 'IATInExecutableSection' : [ 0xa8, ['unsigned long']], } ], '_SEP_LUID_TO_INDEX_MAP_ENTRY' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'Luid' : [ 0x10, ['unsigned long long']], 'IndexIntoGlobalSingletonTable' : [ 0x18, ['unsigned long long']], 'MarkedForDeletion' : [ 0x20, ['unsigned char']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'DynamicRelocations' : [ 0x0, ['pointer', ['void']]], 'SecurityContext' : [ 0x4, ['_IMAGE_SECURITY_CONTEXT']], 
'StrongImageReference' : [ 0x8, ['unsigned long']], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderZero', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderVsmMemory', 30: 'LoaderFirmwareCode', 31: 'LoaderFirmwareData', 32: 'LoaderFirmwareReserved', 33: 'LoaderEnclaveMemory', 34: 'LoaderFirmwareKsr', 35: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned 
char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_OBP_SYSTEM_DOS_DEVICE_STATE' : [ 0x6c, { 'GlobalDeviceMap' : [ 0x0, ['unsigned long']], 'LocalDeviceCount' : [ 0x4, ['array', 26, ['unsigned long']]], } ], '_WNF_SILODRIVERSTATE' : [ 0x30, { 'ScopeMap' : [ 0x0, ['pointer', ['_WNF_SCOPE_MAP']]], 'PermanentNameStoreRootKey' : [ 0x4, ['pointer', ['void']]], 'PersistentNameStoreRootKey' : [ 0x8, ['pointer', ['void']]], 'PermanentNameSequenceNumber' : [ 
0x10, ['long long']], 'PermanentNameSequenceNumberLock' : [ 0x18, ['_WNF_LOCK']], 'PermanentNameSequenceNumberPool' : [ 0x20, ['long long']], 'RuntimeNameSequenceNumber' : [ 0x28, ['long long']], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_DELAY_ACK_FO' : [ 0xc, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'Type' : [ 0x0, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Reserved1' : [ 0x3, ['unsigned char']], 'TimerType' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Timer2Type' : [ 0x0, ['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Timer2ReservedFlags' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Timer2Reserved1' : [ 0x2, ['unsigned char']], 'Timer2Reserved2' : [ 0x3, ['unsigned char']], 'QueueType' : [ 0x0, ['unsigned char']], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'QueueReservedControlFlags' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueSize' : [ 0x2, ['unsigned char']], 'QueueReserved' : [ 0x3, ['unsigned char']], 'ThreadType' : [ 0x0, ['unsigned char']], 'ThreadReserved' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Tagged' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'EnergyProfiling' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Instrumented' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ThreadReservedControlFlags' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 
'MutantType' : [ 0x0, ['unsigned char']], 'MutantSize' : [ 0x1, ['unsigned char']], 'DpcActive' : [ 0x2, ['unsigned char']], 'MutantReserved' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OB_HANDLE_REVOCATION_BLOCK' : [ 0x10, { 'RevocationInfos' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'Rundown' : [ 0xc, ['_EX_RUNDOWN_REF']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x28, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long']], 'DirtyPageThresholdTop' : [ 0x4, ['unsigned long']], 'DirtyPageThresholdBottom' : [ 0x8, ['unsigned long']], 'DirtyPageTarget' : [ 0xc, ['unsigned long']], 'AggregateAvailablePages' : [ 0x10, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x18, ['unsigned long long']], 'AvailableHistory' : [ 0x20, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x4c, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'Count' : [ 0x14, ['unsigned long']], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'StackTrace' : [ 0x24, ['array', 8, ['pointer', ['void']]]], 'Who' : [ 0x44, ['unsigned long']], 'Process' : [ 0x48, ['pointer', ['_EPROCESS']]], } ], '_CONTEXT' : 
[ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer', ['_MMPTE']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, 
['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS' : [ 0x1, { 'Trustlet' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Ntos' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'WriteHandle' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ReadHandle' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'AccessRights' : [ 0x0, ['unsigned char']], } ], '_KREQUEST_PACKET' : [ 0x10, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer', ['void']]]], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_2107' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2109' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2107']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_2109']], } ], '_PROCESS_ENERGY_VALUES' : [ 0x90, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'DiskEnergy' : [ 0x40, ['unsigned long long']], 'NetworkTailEnergy' : [ 0x48, ['unsigned long long']], 'MBBTailEnergy' : [ 0x50, ['unsigned long long']], 'NetworkTxRxBytes' : [ 0x58, ['unsigned long long']], 'MBBTxRxBytes' : [ 0x60, ['unsigned long long']], 'Foreground' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 
'DesktopVisible' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'WindowInformation' : [ 0x68, ['unsigned short']], 'CompositorRendered' : [ 0x6a, ['unsigned short']], 'DirtyGenerated' : [ 0x6c, ['unsigned short']], 'DirtyPropagated' : [ 0x6e, ['unsigned short']], 'DesktopVisibilityReportTimestamp' : [ 0x70, ['long long']], 'DesktopVisibleTime' : [ 0x78, ['unsigned long long']], 'ForegroundReportTimestamp' : [ 0x80, ['long long']], 'ForegroundTime' : [ 0x88, ['unsigned long long']], } ], '_MMCLONE_HEADER' : [ 0xc, { 'NumberOfPtes' : [ 0x0, ['unsigned long']], 'NumberOfProcessReferences' : [ 0x4, ['unsigned long']], 'ClonePtes' : [ 0x8, ['pointer', ['_MMCLONE_BLOCK']]], } ], '_MI_SYSTEM_INFORMATION' : [ 0x3d80, { 'Pools' : [ 0x0, ['_MI_POOL_STATE']], 'Sections' : [ 0x500, ['_MI_SECTION_STATE']], 'SystemImages' : [ 0x640, ['_MI_SYSTEM_IMAGE_STATE']], 'Sessions' : [ 0x6ac, ['_MI_SESSION_STATE']], 'Processes' : [ 0x16f0, ['_MI_PROCESS_STATE']], 'Hardware' : [ 0x1760, ['_MI_HARDWARE_STATE']], 'SystemVa' : [ 0x1840, ['_MI_SYSTEM_VA_STATE']], 'PageCombines' : [ 0x2d00, ['_MI_COMBINE_STATE']], 'PageLists' : [ 0x2d18, ['_MI_PAGELIST_STATE']], 'Partitions' : [ 0x2d20, ['_MI_PARTITION_STATE']], 'Shutdowns' : [ 0x2d58, ['_MI_SHUTDOWN_STATE']], 'Errors' : [ 0x2da0, ['_MI_ERROR_STATE']], 'AccessLog' : [ 0x2e80, ['_MI_ACCESS_LOG_STATE']], 'Debugger' : [ 0x2f00, ['_MI_DEBUGGER_STATE']], 'Standby' : [ 0x2fc0, ['_MI_STANDBY_STATE']], 'SystemPtes' : [ 0x3040, ['_MI_SYSTEM_PTE_STATE']], 'IoPages' : [ 0x31c0, ['_MI_IO_PAGE_STATE']], 'PagingIo' : [ 0x3200, ['_MI_PAGING_IO_STATE']], 'CommonPages' : [ 0x3238, ['_MI_COMMON_PAGE_STATE']], 'Trims' : [ 0x3280, ['_MI_SYSTEM_TRIM_STATE']], 'ResTrack' : [ 0x32c0, ['_MI_RESAVAIL_TRACKER']], 'Cookie' : [ 0x34c0, ['unsigned long']], 'ZeroingDisabled' : [ 0x34c4, ['long']], 'BootRegistryRuns' : [ 0x34c8, ['pointer', ['pointer', ['void']]]], 'FullyInitialized' : [ 0x34cc, ['unsigned char']], 'SafeBooted' : [ 
0x34cd, ['unsigned char']], 'PfnBitMap' : [ 0x34d0, ['_RTL_BITMAP']], 'TraceLogging' : [ 0x34d8, ['pointer', ['_TlgProvider_t']]], 'Vs' : [ 0x3500, ['_MI_VISIBLE_STATE']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x10, ['_KEVENT']], } ], '__unnamed_2136' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_2138' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_2136']], } ], '__unnamed_213a' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_2138']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_213a']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '__unnamed_2142' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, 
['__unnamed_2142']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x8, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], } ], '_MI_LARGEPAGE_IMAGE_INFO' : [ 0x8, { 'LargeImageBias' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'ActualImageViewSize' : [ 0x4, ['unsigned long']], } ], '__unnamed_214f' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x18, { 'NodeRangeSize' : [ 0x0, ['unsigned long']], 'NodeCount' : [ 0x4, ['unsigned long']], 'Tables' : [ 0x8, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0xc, ['unsigned long']], 'UseSessionId' : [ 0x10, ['unsigned char']], 'u1' : [ 0x14, ['__unnamed_214f']], } ], '_SILO_USER_SHARED_DATA' : [ 0x20, { 'ServiceSessionId' : [ 0x0, ['unsigned long']], 'ActiveConsoleId' : [ 0x4, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x8, ['long long']], 'NtProductType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'SuiteMask' : [ 0x14, ['unsigned long']], 'IsMultiSessionSku' : [ 0x18, ['unsigned char']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_MMSUPPORT_FULL' : [ 0x88, { 'Instance' : [ 0x0, 
['_MMSUPPORT_INSTANCE']], 'Shared' : [ 0x64, ['_MMSUPPORT_SHARED']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_MI_PROCESS_STATE' : [ 0x70, { 'ColorSeed' : [ 0x0, ['unsigned long']], 'CloneDereferenceEvent' : [ 0x4, ['_KEVENT']], 'CloneProtosSListHead' : [ 0x18, ['_SLIST_HEADER']], 'SystemDllBase' : [ 0x20, ['pointer', ['void']]], 'RotatingUniprocessorNumber' : [ 0x24, ['long']], 'CriticalSectionTimeout' : [ 0x28, ['_LARGE_INTEGER']], 'ProcessList' : [ 0x30, ['_LIST_ENTRY']], 'SharedUserDataPte' : [ 0x38, ['pointer', ['_MMPTE']]], 'FreePaeEntries' : [ 0x3c, ['unsigned long']], 'FirstFreePae' : [ 0x40, ['_PAE_ENTRY']], 'AllocatedPaePages' : [ 0x60, ['long']], 'PaeLock' : [ 0x64, ['unsigned long']], 'PaeEntrySList' : [ 0x68, ['_SLIST_HEADER']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 
'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long']], 'PipelinedReadAheadRequestSize' : [ 0x54, ['unsigned long']], 'ReadAheadGrowth' : [ 0x58, ['unsigned long']], 'PrivateLinks' : [ 0x5c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x64, ['pointer', ['void']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, 
['unsigned long']]], } ], '_ETW_GUID_ENTRY' : [ 0x168, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['pointer', ['_ETW_FILTER_HEADER']]], 'SiloState' : [ 0x15c, ['pointer', ['_ETW_SILODRIVERSTATE']]], 'Lock' : [ 0x160, ['_EX_PUSH_LOCK']], 'LockOwner' : [ 0x164, ['pointer', ['_ETHREAD']]], } ], '_ARBITER_INSTANCE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['wchar']]], 'OrderingName' : [ 0xc, ['pointer', ['wchar']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', 
['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '_MI_SYSTEM_IMAGE_STATE' : [ 0x6c, { 'FixupLock' : [ 0x0, ['long']], 'FixupList' : [ 0x4, ['_LIST_ENTRY']], 'LoadLock' : [ 0xc, ['_KMUTANT']], 'FirstLoadEver' : [ 0x2c, ['unsigned char']], 'LargePageAll' : [ 0x2d, ['unsigned char']], 'LastPage' : [ 0x30, ['unsigned long']], 'LargePageList' : [ 0x34, ['_LIST_ENTRY']], 'StrongCodeLoadFailureList' : [ 0x3c, ['_LIST_ENTRY']], 'BeingDeleted' : [ 0x44, ['pointer', ['_KLDR_DATA_TABLE_ENTRY']]], 'MappingRangesPushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'MappingRanges' : [ 0x4c, ['array', 2, ['pointer', ['_MI_DRIVER_VA']]]], 'PageCount' : [ 
0x54, ['unsigned long']], 'PageCounts' : [ 0x58, ['_MM_SYSTEM_PAGE_COUNTS']], 'CollidedLock' : [ 0x68, ['_EX_PUSH_LOCK']], } ], '_MMPFNENTRY1' : [ 0x1, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x44, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, 
['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x3c, ['unsigned char']], 'DeleteType' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x8, ['unsigned long']], 'SyncCallback' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ZeroMapRegisters' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'Reserved' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'HiberFileType' : [ 0x16, ['unsigned char']], 'AoAcConnectivitySupported' : [ 0x17, ['unsigned char']], 'spare3' : [ 0x18, ['array', 6, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 
'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_EX_WORK_QUEUE' : [ 0x1b8, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'Node' : [ 0x19c, ['pointer', ['_ENODE']]], 'WorkItemsProcessed' : [ 0x1a0, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x1a4, ['unsigned long']], 'ThreadCount' : [ 0x1a8, ['long']], 'MinThreads' : [ 0x1ac, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='long')]], 'TryFailed' : [ 0x1ac, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'MaxThreads' : [ 0x1b0, ['long']], 'QueueIndex' : [ 0x1b4, ['Enumeration', dict(target = 'long', choices = {0: 'ExPoolUntrusted', 1: 'IoPoolUntrusted', 2: 'ExPoolTrusted', 8: 'ExPoolMax'})]], } ], '_KWAIT_CHAIN' : [ 0x4, { 'Head' : [ 0x0, 
['_SINGLE_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_VF_DRIVER_IO_CALLBACKS' : [ 0x80, { 'DriverInit' : [ 0x0, ['pointer', ['void']]], 'DriverStartIo' : [ 0x4, ['pointer', ['void']]], 'DriverUnload' : [ 0x8, ['pointer', ['void']]], 'AddDevice' : [ 0xc, ['pointer', ['void']]], 'MajorFunction' : [ 0x10, ['array', 28, ['pointer', ['void']]]], } ], '_CM_UOW_SET_VALUE_KEY_DATA' : [ 0x10, { 'PreparedCell' : [ 0x0, ['unsigned long']], 'OldValueCell' : [ 0x4, ['unsigned long']], 'NameLength' : [ 0x8, ['unsigned short']], 'DataSize' : [ 0xc, ['unsigned long']], } ], '_MI_PARTITION_STATE' : [ 0x38, { 'PartitionLock' : [ 0x0, ['unsigned long']], 'PartitionIdLock' : [ 0x4, ['_EX_PUSH_LOCK']], 'InitialPartitionIdBits' : [ 0x8, ['unsigned long long']], 'PartitionList' : [ 0x10, ['_LIST_ENTRY']], 'PartitionIdBitmap' : [ 0x18, ['pointer', ['_RTL_BITMAP']]], 'InitialPartitionIdBitmap' : [ 0x1c, ['_RTL_BITMAP']], 'TempPartitionPointers' : [ 0x24, ['array', 1, ['pointer', ['_MI_PARTITION']]]], 'Partition' : [ 0x28, ['pointer', ['pointer', ['_MI_PARTITION']]]], 'TotalPagesInChildPartitions' : [ 0x2c, ['unsigned long']], 'CrossPartitionDenials' : [ 0x30, ['unsigned long']], } ], '_POP_THERMAL_ZONE' : [ 0x2d0, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 
'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], 'State' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], 'Removing' : [ 0x22, ['unsigned char']], 'Mode' : [ 0x23, ['unsigned char']], 'PendingMode' : [ 0x24, ['unsigned char']], 'ActivePoint' : [ 0x25, ['unsigned char']], 'PendingActivePoint' : [ 0x26, ['unsigned char']], 'Critical' : [ 0x27, ['unsigned char']], 'ThermalStandby' : [ 0x28, ['unsigned char']], 'OverThrottled' : [ 0x29, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x2c, ['long']], 'Throttle' : [ 0x30, ['long']], 'PendingThrottle' : [ 0x34, ['long']], 'ThrottleReasons' : [ 0x38, ['unsigned long']], 'LastTime' : [ 0x40, ['unsigned long long']], 'SampleRate' : [ 0x48, ['unsigned long']], 'LastTemp' : [ 0x4c, ['unsigned long']], 'PassiveTimer' : [ 0x50, ['_KTIMER']], 'PassiveDpc' : [ 0x78, ['_KDPC']], 'Info' : [ 0x98, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0xf0, ['_LARGE_INTEGER']], 'Policy' : [ 0xf8, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0x110, ['unsigned char']], 'LastActiveStartTime' : [ 0x118, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x120, ['unsigned long long']], 'WorkItem' : [ 0x128, ['_WORK_QUEUE_ITEM']], 'Lock' : [ 0x138, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x140, ['_KEVENT']], 'TemperatureUpdated' : [ 0x150, ['_KEVENT']], 'InstanceId' : [ 0x160, ['unsigned long']], 'TelemetryTracker' : [ 0x168, ['_POP_THERMAL_TELEMETRY_TRACKER']], 'Description' : [ 0x2c8, 
['_UNICODE_STRING']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_REQUEST' : [ 0xc, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_TRIAGE_DEVICE_NODE']]], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_MMPFNENTRY3' : [ 0x1, { 'Priority' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SystemChargedPage' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_SID_VALUES_BLOCK' : [ 0x10, { 'BlockLength' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'SidCount' : [ 0x8, ['unsigned long']], 'SidValuesStart' : [ 0xc, ['unsigned long']], } ], '_MM_PAGE_ACCESS_INFO' : 
[ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x4, { 'Function' : [ 0x0, ['pointer', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long']], } ], '__unnamed_224d' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_224f' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_224d']], 'Private' : [ 0x0, ['__unnamed_224f']], } ], '_CM_TRANS_PTR' : [ 0x4, { 'LightWeight' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'TransPtr' : [ 0x0, 
['pointer', ['void']]], } ], '_PS_TRUSTLET_ATTRIBUTE_TYPE' : [ 0x4, { 'Version' : [ 0x0, ['unsigned char']], 'DataCount' : [ 0x1, ['unsigned char']], 'SemanticType' : [ 0x2, ['unsigned char']], 'AccessRights' : [ 0x3, ['_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS']], 'AttributeType' : [ 0x0, ['unsigned long']], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['_CM_PATH_HASH']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 
'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PS_IO_CONTROL_ENTRY' : [ 0x1c, { 'VolumeTreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ReservedForParentValue' : [ 0x8, ['unsigned long']], 'VolumeKey' : [ 0xc, ['unsigned long']], 'Rundown' : [ 0x10, ['_EX_RUNDOWN_REF']], 'IoControl' : [ 0x14, ['pointer', ['void']]], 'VolumeIoAttribution' : [ 0x18, ['pointer', ['void']]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned 
long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_CM_UOW_SET_VALUE_LIST_DATA' : [ 0xc, { 'RefCount' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['_CHILD_LIST']], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'PagesAllocated' : [ 0x44, ['unsigned long']], 'BigPagesAllocated' : [ 0x48, ['unsigned long']], 'BytesAllocated' : [ 0x4c, ['unsigned long']], 'RunningDeallocs' : [ 0x80, ['long']], 'PagesDeallocated' : [ 0x84, ['unsigned long']], 'BigPagesDeallocated' : [ 0x88, ['unsigned long']], 'BytesDeallocated' : [ 0x8c, ['unsigned long']], 'PoolIndex' : [ 0xc0, ['unsigned long']], 'PoolTypeCopy' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = 
{0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'ThreadsProcessingDeferrals' : [ 0x104, ['long']], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, 
['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_22c1' : [ 0x4, { 'PercentLevel' : [ 0x0, ['unsigned long']], } ], '__unnamed_22c3' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_22c1']], 'Button' : [ 0xc, ['__unnamed_22c3']], } ], '_RTL_ATOM_TABLE' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned 
long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0xc, ['pointer', ['_HANDLE_TABLE']]], 'Flags' : [ 0x10, ['unsigned long']], 'NumberOfBuckets' : [ 0x14, ['unsigned long']], 'Buckets' : [ 0x18, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_KTIMER2' : [ 0x58, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'RbNodes' : [ 0x10, ['array', 2, ['_RTL_BALANCED_NODE']]], 'ListEntry' : [ 0x10, ['_LIST_ENTRY']], 'DueTime' : [ 0x28, ['array', 2, ['unsigned long long']]], 'Period' : [ 0x38, ['long long']], 'Callback' : [ 0x40, ['pointer', ['void']]], 'CallbackContext' : [ 0x44, ['pointer', ['void']]], 'DisableCallback' : [ 0x48, ['pointer', ['void']]], 'DisableContext' : [ 0x4c, ['pointer', ['void']]], 'AbsoluteSystemTime' : [ 0x50, ['unsigned char']], 'TypeFlags' : [ 0x51, ['unsigned char']], 'Unused' : [ 0x51, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IdleResilient' : [ 0x51, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HighResolution' : [ 0x51, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'NoWake' : [ 0x51, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Unused1' : [ 0x51, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'CollectionIndex' : [ 0x52, ['array', 2, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 
'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_MI_SESSION_STATE' : [ 0x1044, { 'SystemSession' : [ 0x0, ['_MMSESSION']], 'CodePageEdited' : [ 0x14, ['unsigned char']], 'DynamicPoolBitBuffer' : [ 0x18, ['pointer', ['unsigned long']]], 'VaReferenceCount' : [ 0x1c, ['array', 1024, ['long']]], 'DynamicPtesBitBuffer' : [ 0x101c, ['pointer', ['unsigned long']]], 'IdLock' : [ 0x1020, ['_EX_PUSH_LOCK']], 'DetachTimeStamp' : [ 0x1024, ['unsigned long']], 'LeaderProcess' : [ 0x1028, ['pointer', ['_EPROCESS']]], 'InitializeLock' : [ 0x102c, ['_EX_PUSH_LOCK']], 'WorkingSetList' : [ 0x1030, ['pointer', ['_MMWSL_FULL']]], 'WsHashStart' : [ 0x1034, ['pointer', ['_MMWSLE_HASH']]], 'WsHashEnd' : [ 0x1038, ['pointer', ['_MMWSLE_HASH']]], 'SessionBase' : [ 0x103c, ['pointer', ['void']]], 'SessionCore' : [ 0x1040, ['pointer', ['void']]], } ], '_XSTATE_CONFIGURATION' : [ 0x330, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'ControlFlags' : [ 0x14, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CompactionEnabled' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], 'EnabledSupervisorFeatures' : [ 0x218, ['unsigned long long']], 'AlignedFeatures' : [ 0x220, ['unsigned long long']], 'AllFeatureSize' : [ 0x228, ['unsigned long']], 'AllFeatures' : [ 0x22c, ['array', 64, ['unsigned long']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'AccessMask' : [ 0x18, ['unsigned long']], } ], '_MI_SECTION_STATE' : [ 0x140, { 'SectionObjectPointersLock' : [ 0x0, ['long']], 
'SectionExtendLock' : [ 0x4, ['_EX_PUSH_LOCK']], 'SectionExtendSetLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'SectionBasedRoot' : [ 0xc, ['_RTL_AVL_TREE']], 'SectionBasedLock' : [ 0x10, ['_EX_PUSH_LOCK']], 'UnusedSubsectionPagedPool' : [ 0x14, ['unsigned long']], 'UnusedSegmentForceFree' : [ 0x18, ['unsigned long']], 'DataSectionProtectionMask' : [ 0x1c, ['unsigned long']], 'HighSectionBase' : [ 0x20, ['pointer', ['void']]], 'PhysicalSubsection' : [ 0x24, ['_MSUBSECTION']], 'PhysicalControlArea' : [ 0x68, ['_CONTROL_AREA']], 'DanglingExtentsPages' : [ 0xb8, ['pointer', ['_MMPFN']]], 'DanglingExtentsLock' : [ 0xbc, ['long']], 'DanglingExtentsWorkItem' : [ 0xc0, ['_WORK_QUEUE_ITEM']], 'DanglingExtentsWorkerActive' : [ 0xd0, ['unsigned char']], 'PageFileSectionHead' : [ 0xd4, ['_RTL_AVL_TREE']], 'PageFileSectionListSpinLock' : [ 0xd8, ['long']], 'ImageBias' : [ 0xdc, ['unsigned long']], 'RelocateBitmapsLock' : [ 0xe0, ['_EX_PUSH_LOCK']], 'ImageBitMap' : [ 0xe4, ['_RTL_BITMAP']], 'ApiSetSection' : [ 0xec, ['pointer', ['void']]], 'ApiSetSchema' : [ 0xf0, ['pointer', ['void']]], 'ApiSetSchemaSize' : [ 0xf4, ['unsigned long']], 'LostDataFiles' : [ 0xf8, ['unsigned long']], 'LostDataPages' : [ 0xfc, ['unsigned long']], 'ImageFailureReason' : [ 0x100, ['unsigned long']], 'CfgBitMapSection32' : [ 0x104, ['pointer', ['_SECTION']]], 'CfgBitMapControlArea32' : [ 0x108, ['pointer', ['_CONTROL_AREA']]], 'ImageCfgFailure' : [ 0x10c, ['unsigned long']], 'ImageValidationFailed' : [ 0x110, ['long']], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned 
short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x1c, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'Reference' : [ 0x8, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x18, ['unsigned char']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_UOW_KEY_STATE_MODIFICATION' : [ 0x14, { 'RefCount' : [ 0x0, ['unsigned long']], 'SubKeyListCount' : [ 0x4, ['array', 2, ['unsigned long']]], 'NewSubKeyList' : [ 0xc, ['array', 2, ['unsigned long']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'WaitResponse' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 
0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_ETW_FILTER_HEADER' : [ 0x28, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x4, ['pointer', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x8, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0xc, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x10, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x14, ['pointer', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x18, ['pointer', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x1c, ['pointer', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x20, ['pointer', ['_EVENT_FILTER_HEADER']]], 'EventNameFilter' : [ 0x24, ['pointer', ['_ETW_FILTER_EVENT_NAME_DATA']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', 
dict(start_bit = 14, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x94, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ExecutePoolTypes' : [ 0x78, ['unsigned long']], 'ExecutePageProtections' : [ 0x7c, ['unsigned long']], 'ExecutePageMappings' : [ 0x80, ['unsigned long']], 'ExecuteWriteSections' : [ 0x84, ['unsigned long']], 'SectionAlignmentFailures' : [ 0x88, ['unsigned long']], 'UnsupportedRelocs' : [ 0x8c, ['unsigned long']], 
'IATInExecutableSection' : [ 0x90, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PEB' : [ 0x460, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'IsLongPathAwareProcess' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['_SLIST_HEADER']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['pointer', ['_SLIST_HEADER']]], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'SparePvoid0' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 
'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], 'pUnused' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : [ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned 
long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x250, ['unsigned long']], 'TppWorkerpList' : [ 0x254, ['_LIST_ENTRY']], 'WaitOnAddressHashTable' : [ 0x25c, ['array', 128, ['pointer', ['void']]]], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 
'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_233f' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_2344' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2346' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_233f']], 'Bits' : [ 0x0, ['__unnamed_2344']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_2346']], } ], '_MI_SUB64K_FREE_RANGES' : [ 0x1c, { 'BitMap' : [ 0x0, ['_RTL_BITMAP']], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'Vad' : [ 0x10, ['pointer', ['_MMVAD_SHORT']]], 'SubListIndex' : [ 0x14, ['unsigned short']], 'Hint' : [ 0x16, ['unsigned short']], 'SetBits' : [ 0x18, ['unsigned long']], } ], '_WHEA_REVISION' : [ 0x2, 
{ 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_SEP_SILOSTATE' : [ 0x10, { 'SystemLogonSession' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'AnonymousLogonSession' : [ 0x4, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'AnonymousLogonToken' : [ 0x8, ['pointer', ['void']]], 'AnonymousLogonTokenNoEveryone' : [ 0xc, ['pointer', ['void']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'HandleCount' : [ 0x14, ['unsigned long']], 'Handles' : [ 0x18, ['pointer', ['pointer', ['void']]]], } ], '__unnamed_2352' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_2355' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0xf8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'Event' : [ 0x10, ['_KEVENT']], 'CollidedEvent' : [ 0x20, ['_KEVENT']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ApcState' : [ 0x40, ['_KAPC_STATE']], 'Thread' : [ 0x58, ['pointer', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0x5c, ['pointer', ['_MMPFN']]], 'PteContents' : [ 0x60, ['_MMPTE']], 'WaitCount' : [ 0x68, ['long']], 'ByteCount' : [ 0x6c, ['unsigned long']], 'u3' : [ 0x70, ['__unnamed_2352']], 'u1' : [ 0x74, ['__unnamed_2355']], 'FilePointer' : [ 0x78, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x7c, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x7c, ['pointer', ['_SUBSECTION']]], 'Autoboost' : [ 0x80, ['pointer', ['void']]], 'FaultingAddress' : [ 0x84, ['pointer', ['void']]], 'PointerPte' : [ 0x88, ['pointer', ['_MMPTE']]], 'BasePte' : [ 0x8c, ['pointer', ['_MMPTE']]], 'Pfn' : [ 0x90, ['pointer', ['_MMPFN']]], 'PrefetchMdl' : [ 0x94, ['pointer', 
['_MDL']]], 'Mdl' : [ 0x98, ['_MDL']], 'Page' : [ 0xb4, ['array', 16, ['unsigned long']]], 'FlowThrough' : [ 0xb4, ['_MMINPAGE_SUPPORT_FLOW_THROUGH']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_CMP_DISCARD_AND_REPLACE_KCB_CONTEXT' : [ 0x10, { 'BaseKcb' : [ 0x0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'PrepareStatus' : [ 0x4, ['long']], 'ClonedKcbListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions', 24: 'ConfigureDeviceReset'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned long']], 'CompletionEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], 'ActivityId' : [ 0x20, ['_GUID']], } ], '_PPM_PLATFORM_STATE' : [ 0xc0, { 'Latency' : [ 0x0, ['unsigned long']], 'BreakEvenDuration' : [ 0x4, ['unsigned long']], 'VetoAccounting' : [ 0x8, ['_PPM_VETO_ACCOUNTING']], 'TransitionDebugger' : [ 0x20, ['unsigned char']], 
'Platform' : [ 0x21, ['unsigned char']], 'DependencyListCount' : [ 0x24, ['unsigned long']], 'Processors' : [ 0x28, ['_KAFFINITY_EX']], 'Name' : [ 0x34, ['_UNICODE_STRING']], 'DependencyLists' : [ 0x3c, ['pointer', ['_PPM_SELECTION_DEPENDENCY']]], 'Synchronization' : [ 0x40, ['_PPM_COORDINATED_SYNCHRONIZATION']], 'EnterTime' : [ 0x48, ['unsigned long long']], 'RefCount' : [ 0x80, ['long']], 'CacheAlign0' : [ 0x80, ['array', 64, ['unsigned char']]], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'LowboxNumber' : [ 0x14, ['unsigned long']], 'AtomTable' : [ 0x18, ['pointer', ['void']]], } ], '_PPM_SELECTION_MENU' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Entries' : [ 0x4, ['pointer', 
['_PPM_SELECTION_MENU_ENTRY']]], } ], '_MI_PARTITION' : [ 0x1a00, { 'Core' : [ 0x0, ['_MI_PARTITION_CORE']], 'Modwriter' : [ 0xc0, ['_MI_PARTITION_MODWRITES']], 'Store' : [ 0x290, ['_MI_PARTITION_STORES']], 'Segments' : [ 0x300, ['_MI_PARTITION_SEGMENTS']], 'PageLists' : [ 0x400, ['_MI_PARTITION_PAGE_LISTS']], 'Commit' : [ 0xb80, ['_MI_PARTITION_COMMIT']], 'Zeroing' : [ 0xc00, ['_MI_PARTITION_ZEROING']], 'PageCombine' : [ 0xc40, ['_MI_PAGE_COMBINING_SUPPORT']], 'WorkingSetControl' : [ 0xd18, ['pointer', ['void']]], 'WorkingSetExpansionHead' : [ 0xd1c, ['_MMWORKING_SET_EXPANSION_HEAD']], 'Vp' : [ 0xd40, ['_MI_VISIBLE_PARTITION']], } ], '_TraceLoggingMetadata_t' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned char']], 'Flags' : [ 0x7, ['unsigned char']], 'Magic' : [ 0x8, ['unsigned long long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 
0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' 
: [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_MMPTE_HIGHLOW' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_KINTERRUPT' : [ 0xb0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'EmulateActiveBoth' : [ 0x39, ['unsigned char']], 'ActiveCount' : [ 0x3a, ['unsigned short']], 'InternalState' : [ 0x3c, ['long']], 'Mode' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x48, ['unsigned long']], 'DispatchCount' : [ 0x4c, ['unsigned long']], 'PassiveEvent' : [ 0x50, ['pointer', ['_KEVENT']]], 'DisconnectData' : [ 0x54, ['pointer', ['void']]], 'ServiceThread' : [ 0x58, ['pointer', ['_KTHREAD']]], 'ConnectionData' : [ 0x5c, ['pointer', ['_INTERRUPT_CONNECTION_DATA']]], 
'IntTrackEntry' : [ 0x60, ['pointer', ['void']]], 'IsrDpcStats' : [ 0x68, ['_ISRDPCSTATS']], 'RedirectObject' : [ 0xa8, ['pointer', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_IO_WORKITEM' : [ 0x34, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', ['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'WorkOnBehalfThread' : [ 0x1c, ['pointer', ['_ETHREAD']]], 'Type' : [ 0x20, ['unsigned long']], 'ActivityId' : [ 0x24, ['_GUID']], } ], '_DISALLOWED_GUIDS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Guids' : [ 0x4, ['pointer', ['_GUID']]], } ], '_PS_WAKE_INFORMATION' : [ 0x38, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 5, ['unsigned long long']]], 'NoWakeCounter' : [ 0x30, ['unsigned long long']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 
'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_CMHIVE' : [ 0xf20, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x6f0, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x708, ['_LIST_ENTRY']], 'HiveList' : [ 0x710, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x718, ['_LIST_ENTRY']], 'FailedUnloadList' : [ 0x720, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x728, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x72c, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x734, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x738, ['unsigned long']], 'DeletedKcbTable' : [ 0x73c, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0x740, ['unsigned long']], 'Identity' : [ 0x744, ['unsigned long']], 'HiveLock' : [ 0x748, ['pointer', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x74c, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x750, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x754, ['_RTL_BITMAP']], 
'FlushDirtyVectorSize' : [ 0x75c, ['unsigned long']], 'FlushLogEntry' : [ 0x760, ['pointer', ['unsigned char']]], 'FlushLogEntrySize' : [ 0x764, ['unsigned long']], 'FlushHiveTruncated' : [ 0x768, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0x76c, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0x770, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0x778, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0x77c, ['pointer', ['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0x780, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0x784, ['pointer', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0x788, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0x78c, ['unsigned long']], 'LastShrinkHiveSize' : [ 0x790, ['unsigned long']], 'ActualFileSize' : [ 0x798, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0x7a0, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0x7b0, ['_UNICODE_STRING']], 'FileUserName' : [ 0x7b8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x7c0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x7c8, ['unsigned long']], 'SecurityCacheSize' : [ 0x7cc, ['unsigned long']], 'SecurityHitHint' : [ 0x7d0, ['long']], 'SecurityCache' : [ 0x7d4, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x7d8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x9d8, ['unsigned long']], 'UnloadEventArray' : [ 0x9dc, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x9e0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x9e4, ['unsigned char']], 'UnloadWorkItem' : [ 0x9e8, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x9ec, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xa00, ['unsigned char']], 'GrowOffset' : [ 0xa04, ['unsigned long']], 'KcbConvertListHead' : [ 0xa08, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xa10, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0xa14, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0xc9c, ['unsigned long']], 'TrustClassEntry' : [ 0xca0, ['_LIST_ENTRY']], 'DirtyTime' : [ 0xca8, ['unsigned long long']], 
'UnreconciledTime' : [ 0xcb0, ['unsigned long long']], 'CmRm' : [ 0xcb8, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xcbc, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xcc0, ['long']], 'CreatorOwner' : [ 0xcc4, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0xcc8, ['pointer', ['_KTHREAD']]], 'LastWriteTime' : [ 0xcd0, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0xcd8, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0xce4, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0xcf0, ['unsigned long']], 'FlushActive' : [ 0xcf0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0xcf0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0xcf0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0xcf0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0xcf4, ['unsigned long']], 'ReferenceCount' : [ 0xcf8, ['long']], 'UnloadHistoryIndex' : [ 0xcfc, ['long']], 'UnloadHistory' : [ 0xd00, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0xf00, ['unsigned long']], 'UnaccessedStart' : [ 0xf04, ['unsigned long']], 'UnaccessedEnd' : [ 0xf08, ['unsigned long']], 'LoadedKeyCount' : [ 0xf0c, ['unsigned long']], 'HandleClosePending' : [ 0xf10, ['unsigned long']], 'HandleClosePendingEvent' : [ 0xf14, ['_EX_PUSH_LOCK']], 'FinalFlushSucceeded' : [ 0xf18, ['unsigned char']], 'FailedUnload' : [ 0xf19, ['unsigned char']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'InProgressFlags' : [ 0x14, ['unsigned char']], 'KernelApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_PEP_ACPI_RESOURCE_FLAGS' : [ 0x4, { 'AsULong' : [ 0x0, ['unsigned long']], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Wake' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ResourceUsage' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SlaveMode' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'AddressingMode' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SharedMode' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_MI_PARTITION_PAGE_LISTS' : [ 0x780, { 'FreePagesByColor' : [ 0x0, ['array', 2, ['pointer', ['_MMPFNLIST']]]], 'FreePageSlist' : [ 0x8, ['array', 2, ['pointer', ['_SLIST_HEADER']]]], 'ZeroedPageListHead' : [ 0x40, ['_MMPFNLIST']], 'FreePageListHead' : [ 0x80, ['_MMPFNLIST']], 
'StandbyPageListHead' : [ 0xc0, ['_MMPFNLIST']], 'StandbyPageListByPriority' : [ 0x100, ['array', 8, ['_MMPFNLIST']]], 'ModifiedPageListNoReservation' : [ 0x1c0, ['_MMPFNLIST']], 'ModifiedPageListByReservation' : [ 0x200, ['array', 16, ['_MMPFNLIST']]], 'MappedPageListHead' : [ 0x340, ['array', 16, ['_MMPFNLIST']]], 'BadPageListHead' : [ 0x480, ['_MMPFNLIST']], 'EnclavePageListHead' : [ 0x4c0, ['_MMPFNLIST']], 'PageLocationList' : [ 0x4d4, ['array', 8, ['pointer', ['_MMPFNLIST']]]], 'StandbyRepurposedByPriority' : [ 0x4f4, ['array', 8, ['unsigned long']]], 'MappedPageListHeadEvent' : [ 0x514, ['array', 16, ['_KEVENT']]], 'DecayClusterTimerHeads' : [ 0x614, ['array', 4, ['_MI_DECAY_TIMER_LINK']]], 'DecayHand' : [ 0x624, ['unsigned long']], 'LastDecayHandUpdateTime' : [ 0x628, ['unsigned long long']], 'LastChanceLdwContext' : [ 0x630, ['_MI_LDW_WORK_CONTEXT']], 'AvailableEventsLock' : [ 0x680, ['unsigned long']], 'AvailablePageWaitStates' : [ 0x684, ['array', 3, ['_MI_AVAILABLE_PAGE_WAIT_STATES']]], 'LowMemoryThreshold' : [ 0x6c0, ['unsigned long']], 'HighMemoryThreshold' : [ 0x6c4, ['unsigned long']], 'TransitionPrivatePages' : [ 0x700, ['unsigned long']], 'StandbyListDiscard' : [ 0x704, ['unsigned long']], 'FreeListDiscard' : [ 0x708, ['unsigned char']], 'MirrorListLocks' : [ 0x70c, ['pointer', ['void']]], 'LargePfnBitMapsReady' : [ 0x710, ['unsigned char']], 'LargePfnBitMap' : [ 0x714, ['array', 1, ['_RTL_BITMAP']]], 'LargePfnBitMapLock' : [ 0x740, ['unsigned long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '__unnamed_23fd' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_23ff' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 
0x14, ['unsigned long']], } ], '__unnamed_2401' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_23fd']], 'Interrupt' : [ 0x0, ['__unnamed_23ff']], 'LocalInterrupt' : [ 0x0, ['__unnamed_23ff']], 'Sci' : [ 0x0, ['__unnamed_23ff']], 'Nmi' : [ 0x0, ['__unnamed_23ff']], 'Sea' : [ 0x0, ['__unnamed_23ff']], 'Sei' : [ 0x0, ['__unnamed_23ff']], 'Gsiv' : [ 0x0, ['__unnamed_23ff']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_2401']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'ThermalStandbyTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], 'MinimumThrottle' : [ 0x50, ['unsigned long']], 'OverThrottleThreshold' : [ 0x54, ['unsigned long']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x4, { 'LogHandleContext' : [ 0x0, ['pointer', ['_LOG_HANDLE_CONTEXT']]], } ], '_KPRIQUEUE' : [ 0x19c, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x110, ['array', 32, ['long']]], 'MaximumCount' : [ 0x190, ['unsigned long']], 'ThreadListHead' : [ 0x194, ['_LIST_ENTRY']], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 
'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_KSCB' : [ 0x100, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'MinQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'MaxQuotaCycleTarget' : [ 0x10, ['unsigned long long']], 'RankCycleTarget' : [ 0x18, ['unsigned long long']], 'LongTermCycles' : [ 0x20, ['unsigned long long']], 'LastReportedCycles' : [ 0x28, ['unsigned long long']], 'OverQuotaHistory' : [ 0x30, ['unsigned long long']], 'ReadyTime' : [ 0x38, ['unsigned long long']], 'InsertTime' : [ 0x40, ['unsigned long long']], 'PerProcessorList' : [ 0x48, ['_LIST_ENTRY']], 'QueueNode' : [ 0x50, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'MaxOverQuota' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'MinOverQuota' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SoftCap' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ShareRankOwner' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Depth' : [ 0x5d, ['unsigned char']], 'ReadySummary' : [ 0x5e, ['unsigned short']], 'Rank' : [ 0x60, ['unsigned long']], 'ShareRank' : [ 0x64, ['pointer', ['unsigned long']]], 'OwnerShareRank' : [ 0x68, ['unsigned long']], 'ReadyListHead' : [ 0x6c, ['array', 16, ['_LIST_ENTRY']]], 'ChildScbQueue' : [ 0xec, ['_RTL_RB_TREE']], 'Parent' : [ 0xf4, ['pointer', ['_KSCB']]], 'Root' : [ 0xf8, ['pointer', ['_KSCB']]], } ], '__unnamed_241e' : [ 0x2, { 'SignatureLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned 
short')]], 'SignatureType' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned short')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'EntireField' : [ 0x0, ['unsigned short']], } ], '_KLDR_DATA_TABLE_ENTRY' : [ 0x5c, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'ExceptionTable' : [ 0x8, ['pointer', ['void']]], 'ExceptionTableSize' : [ 0xc, ['unsigned long']], 'GpValue' : [ 0x10, ['pointer', ['void']]], 'NonPagedDebugInfo' : [ 0x14, ['pointer', ['_NON_PAGED_DEBUG_INFO']]], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'u1' : [ 0x3a, ['__unnamed_241e']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'CoverageSectionSize' : [ 0x44, ['unsigned long']], 'CoverageSection' : [ 0x48, ['pointer', ['void']]], 'LoadedImports' : [ 0x4c, ['pointer', ['void']]], 'Spare' : [ 0x50, ['pointer', ['void']]], 'SizeOfImageNotRounded' : [ 0x54, ['unsigned long']], 'TimeDateStamp' : [ 0x58, ['unsigned long']], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' 
: [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_MI_SYSTEM_TRIM_STATE' : [ 0x40, { 'ExpansionLock' : [ 0x0, ['unsigned long']], 'TrimInProgressCount' : [ 0x4, ['long']], 'PeriodicWorkingSetEvent' : [ 0x8, ['_KEVENT']], 'TrimAllPageFaultCount' : [ 0x18, ['array', 3, ['unsigned long']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, 
['unsigned long']], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x4, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_MM_SYSTEM_PAGE_COUNTS' : [ 0x10, { 'SystemCodePage' : [ 0x0, ['unsigned long']], 'SystemDriverPage' : [ 0x4, ['unsigned long']], 'TotalSystemCodePages' : [ 0x8, ['long']], 'TotalSystemDriverPages' : [ 0xc, ['long']], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', 
['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_THERMAL_POLICY' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ThermalStandby' : [ 0x7, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], 'OverThrottled' : [ 0x14, ['unsigned char']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MI_ACCESS_LOG_STATE' : [ 0x80, { 'CcAccessLog' : [ 0x0, ['pointer', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'Enabled' : [ 0x4, ['unsigned long']], 'DisableAccessLogging' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'MinLoggingPriority' : [ 0x18, ['unsigned long']], 'AccessLoggingLock' : [ 0x40, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x2800, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '__unnamed_2454' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2456' : [ 0x10, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_2454']], } ], '_VF_TARGET_DRIVER' : [ 0x20, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE_EX']], 'u1' : [ 0xc, ['__unnamed_2456']], 'VerifiedData' : [ 0x1c, ['pointer', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', 
['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x18, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x8, ['pointer', ['void']]], 'SessionViewVa' : [ 0x8, ['pointer', ['void']]], 'VadsProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Type' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'SubsectionType' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SectionOffset' : [ 0x10, ['unsigned long long']], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0xc, { 'ActiveThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'WaitList' : [ 0x4, ['pointer', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x8, ['unsigned long']], } ], '_MI_SYSTEM_PTE_STATE' : [ 0x180, { 'DeadPteTrackerSListHead' : [ 0x0, ['_SLIST_HEADER']], 'PteTrackerLock' : [ 0x8, ['unsigned long']], 'MdlTrackerLookaside' : [ 0x40, ['_NPAGED_LOOKASIDE_LIST']], 'PteTrackingBitmap' : [ 0x100, ['_RTL_BITMAP']], 'CachedPteHeads' : [ 0x108, ['pointer', ['_MI_CACHED_PTES']]], 'SystemViewPteInfo' : [ 0x10c, ['_MI_SYSTEM_PTE_TYPE']], 'KernelStackPages' : [ 0x144, ['unsigned char']], 'QueuedStacks' : [ 0x148, ['_SLIST_HEADER']], 'StackGrowthFailures' : [ 0x150, ['unsigned long']], 'TrackPtesAborted' : [ 0x154, ['unsigned char']], 'AdjustCounter' : [ 0x155, ['unsigned char']], 'ReservedMappingLock' : [ 0x158, ['long']], 'ReservedMappingTree' : [ 0x15c, ['_RTL_AVL_TREE']], 'ReservedMappingPageTablePfns' : [ 0x160, ['pointer', ['_MMPFN']]], 'QueuedStacksWorkItem' : [ 0x164, ['_MI_QUEUED_DEADSTACK_WORKITEM']], } ], '__unnamed_2468' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MI_PARTITION_FLAGS']], } ], '_MI_PARTITION_CORE' : [ 0xbc, { 'PartitionId' : [ 0x0, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_2468']], 
'Signature' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'ParentPartition' : [ 0x10, ['pointer', ['_MI_PARTITION']]], 'ListEntry' : [ 0x14, ['_LIST_ENTRY']], 'NodeInformation' : [ 0x1c, ['pointer', ['_MI_NODE_INFORMATION']]], 'PageRoot' : [ 0x20, ['_RTL_AVL_TREE']], 'MemoryNodeRuns' : [ 0x24, ['pointer', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'MemoryBlockReferences' : [ 0x28, ['unsigned long']], 'PfnUnmapWorkItem' : [ 0x2c, ['_WORK_QUEUE_ITEM']], 'PfnUnmapActive' : [ 0x3c, ['unsigned char']], 'PfnUnmapCount' : [ 0x40, ['unsigned long']], 'PfnUnmapWaitList' : [ 0x44, ['pointer', ['void']]], 'MemoryRuns' : [ 0x48, ['pointer', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'ExitEvent' : [ 0x4c, ['_KEVENT']], 'SystemThreadHandles' : [ 0x5c, ['array', 5, ['pointer', ['void']]]], 'PartitionObject' : [ 0x70, ['pointer', ['void']]], 'PartitionObjectHandle' : [ 0x74, ['pointer', ['void']]], 'DynamicMemoryPushLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'DynamicMemoryLock' : [ 0x7c, ['long']], 'TemporaryMemoryEvent' : [ 0x80, ['_KEVENT']], 'MemoryEvents' : [ 0x90, ['array', 11, ['pointer', ['_KEVENT']]]], } ], '__unnamed_2475' : [ 0x4, { 'InstancedWorkingSet' : [ 0x0, ['pointer', ['void']]], } ], '_MMSUPPORT_INSTANCE' : [ 0x64, { 'NextPageColor' : [ 0x0, ['unsigned short']], 'LastTrimStamp' : [ 0x2, ['unsigned short']], 'PageFaultCount' : [ 0x4, ['unsigned long']], 'TrimmedPageCount' : [ 0x8, ['unsigned long']], 'VmWorkingSetList' : [ 0xc, ['pointer', ['_MMWSL_INSTANCE']]], 'WorkingSetExpansionLinks' : [ 0x10, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x18, ['array', 7, ['unsigned long']]], 'ExitOutswapGate' : [ 0x34, ['pointer', ['_KGATE']]], 'MinimumWorkingSetSize' : [ 0x38, ['unsigned long']], 'WorkingSetLeafSize' : [ 0x3c, ['unsigned long']], 'WorkingSetLeafPrivateSize' : [ 0x40, ['unsigned long']], 'WorkingSetSize' : [ 0x44, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x48, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x4c, ['unsigned long']], 
'PeakWorkingSetSize' : [ 0x50, ['unsigned long']], 'HardFaultCount' : [ 0x54, ['unsigned long']], 'u1' : [ 0x58, ['__unnamed_2475']], 'Reserved0' : [ 0x5c, ['unsigned long']], 'Flags' : [ 0x60, ['_MMSUPPORT_FLAGS']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x8, ['unsigned char']], 'BlockState' : [ 0x9, ['unsigned char']], 'WaitKey' : [ 0xa, ['unsigned short']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'NotificationQueue' : [ 0xc, ['pointer', ['_KQUEUE']]], 'Object' : [ 0x10, ['pointer', ['void']]], 'SparePtr' : [ 0x14, ['pointer', ['void']]], } ], '_PPM_SELECTION_MENU_ENTRY' : [ 0x10, { 'StrictDependency' : [ 0x0, ['unsigned char']], 'InitiatingState' : [ 0x1, ['unsigned char']], 'DependentState' : [ 0x2, ['unsigned char']], 'StateIndex' : [ 0x4, ['unsigned long']], 'Dependencies' : [ 0x8, ['unsigned long']], 'DependencyList' : [ 0xc, ['pointer', ['_PPM_SELECTION_DEPENDENCY']]], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_HV_GET_BIN_CONTEXT' : [ 0x2, { 'OutstandingReference' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredRundown' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], } ], '_POP_FX_PLUGIN' : [ 0x70, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x8, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned 
long long']], 'WorkQueue' : [ 0x18, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x40, ['pointer', ['void']]], 'AcceptProcessorNotification' : [ 0x44, ['pointer', ['void']]], 'AcceptAcpiNotification' : [ 0x48, ['pointer', ['void']]], 'WorkOrderCount' : [ 0x4c, ['unsigned long']], 'WorkOrders' : [ 0x50, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_ETW_REG_ENTRY' : [ 0x3c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GroupRegList' : [ 0x8, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, 
['pointer', ['_ETW_GUID_ENTRY']]], 'GroupEntry' : [ 0x14, ['pointer', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x18, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x18, ['array', 4, ['pointer', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x18, ['pointer', ['void']]], 'SessionId' : [ 0x1c, ['unsigned long']], 'Process' : [ 0x28, ['pointer', ['_EPROCESS']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], 'Callback' : [ 0x2c, ['pointer', ['void']]], 'Index' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned short']], 'DbgKernelRegistration' : [ 0x32, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgUserRegistration' : [ 0x32, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgReplyRegistration' : [ 0x32, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgClassicRegistration' : [ 0x32, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgSessionSpaceRegistration' : [ 0x32, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgModernRegistration' : [ 0x32, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClosed' : [ 0x32, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgInserted' : [ 0x32, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DbgWow64' : [ 0x32, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'EnableMask' : [ 0x34, ['unsigned char']], 'GroupEnableMask' : [ 0x35, ['unsigned char']], 'UseDescriptorType' : [ 0x36, ['unsigned char']], 'Traits' : [ 0x38, ['pointer', ['_ETW_PROVIDER_TRAITS']]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned 
long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_MI_SYSTEM_VA_STATE' : [ 0x14c0, { 'SystemTablesLock' : [ 0x0, ['unsigned long']], 'SystemVaBias' : [ 0x4, ['unsigned long']], 'SystemAvailableVaLow' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], 'HyperSpaceEndPte' : [ 0x10, ['pointer', ['_MMPTE']]], 'SystemRangeStart' : [ 0x14, ['pointer', ['void']]], 'SystemCachePdeCount' : [ 0x18, ['array', 1024, ['unsigned char']]], 'SystemCacheReverseMaps' : [ 0x418, ['array', 1024, ['pointer', ['void']]]], 'HyperSpaceEnd' : [ 0x1418, ['pointer', ['void']]], 'WorkingSetListHashStart' : [ 0x141c, ['pointer', ['_MMWSLE_HASH']]], 'WorkingSetListHashEnd' : [ 0x1420, ['pointer', ['_MMWSLE_HASH']]], 'WorkingSetListIndirectHashStart' : [ 0x1424, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'FreeSystemCacheVa' : [ 0x1428, ['_KEVENT']], 'SystemVaLock' : [ 0x1438, ['unsigned long']], 'DeleteKvaLock' : [ 0x143c, ['long']], 'FreeSystemCache' : [ 0x1440, ['_MI_PTE_CHAIN_HEAD']], 'SystemCacheViewLock' : [ 0x1458, ['unsigned long']], 'SystemCacheInitLock' : [ 0x145c, ['_EX_PUSH_LOCK']], 'UnusableWsles' : [ 0x1460, ['array', 5, ['unsigned long']]], 'PossibleWsles' : [ 0x1474, ['array', 5, ['unsigned long']]], 'SystemWs' : [ 0x1488, ['array', 3, ['pointer', ['_MMSUPPORT_INSTANCE']]]], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 
'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MMSUPPORT_SHARED' : [ 0x24, { 'WorkingSetLock' : [ 0x0, ['long']], 'ReleasedCommitDebt' : [ 0x4, ['unsigned long']], 'ResetPagesRepurposedCount' : [ 0x8, ['unsigned long']], 'WsSwapSupport' : [ 0xc, ['pointer', ['void']]], 'CommitReleaseContext' : [ 0x10, ['pointer', ['void']]], 'AccessLog' : [ 0x14, ['pointer', ['void']]], 'ChargedWslePages' : [ 0x18, ['unsigned long']], 'ActualWslePages' : [ 0x1c, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x20, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, 
['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : 
[ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_PAE_ENTRY' : [ 0x20, { 'PteEntry' : [ 0x0, ['array', 4, ['_MMPTE']]], 'PaeEntry' : [ 0x0, ['_PAE_PAGEINFO']], 'NextPae' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '_MMCLONE_BLOCK' : [ 0x10, { 'ProtoPte' : [ 0x0, ['_MMPTE']], 'CloneCommitCount' : [ 0x8, ['unsigned long']], 'u1' : [ 0x8, ['_MI_CLONE_BLOCK_FLAGS']], 'CloneRefCount' : [ 0xc, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, 
{ 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Propagated' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PS_TRUSTLET_TKSESSION_ID' : [ 0x20, { 'SessionId' : [ 0x0, ['array', 4, ['unsigned long long']]], } ], '__unnamed_24fb' : [ 0x4, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], 'RemoteImageFileObject' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RemoteDataFileObject' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '_SECTION' : [ 0x28, { 'SectionNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u1' : [ 0x14, ['__unnamed_24fb']], 'SizeOfSection' : [ 0x18, ['unsigned long long']], 'u' : [ 0x20, ['__unnamed_1691']], 'InitialPageProtection' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'SessionId' : [ 0x24, ['BitField', dict(start_bit = 12, end_bit = 31, native_type='unsigned long')]], 'NoValidationNeeded' 
: [ 0x24, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'CompactionMask' : [ 0x8, ['unsigned long long']], 'Reserved2' : [ 0x10, ['array', 6, ['unsigned long long']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x88, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'ArgumentStatus' : [ 0xc, ['long']], 'CallerEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'VetoType' : [ 0x1c, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x20, ['pointer', ['_UNICODE_STRING']]], 'RefCount' : [ 0x24, ['unsigned long']], 'Lock' : [ 0x28, ['unsigned long']], 'Cancel' : [ 0x2c, ['unsigned char']], 'Parent' : [ 0x30, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'ActivityId' : [ 0x34, ['_GUID']], 'Data' : [ 0x44, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PO_DIAG_STACK_RECORD' : [ 0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_MI_LDW_WORK_CONTEXT' : [ 0x20, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'FileObject' : [ 0x10, ['pointer', ['_FILE_OBJECT']]], 'ErrorStatus' : [ 0x14, ['long']], 'Active' : [ 0x18, ['long']], 'FreeWhenDone' : [ 0x1c, ['unsigned char']], } ], '_MI_DEBUGGER_STATE' : [ 0x90, { 'TransientWrite' : [ 0x0, ['unsigned char']], 'CodePageEdited' : [ 0x1, ['unsigned char']], 'DebugPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'PoisonedTb' : [ 0x8, ['unsigned long']], 'InDebugger' : [ 0xc, ['long']], 'Pfns' : [ 0x10, 
['array', 32, ['pointer', ['void']]]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x8, { 'CrossThreadReleasable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 31, native_type='unsigned long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'LockState' : [ 0x0, ['pointer', ['void']]], 'SessionState' : [ 0x4, ['pointer', ['void']]], 'SessionId' : [ 0x4, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_ETIMER' : [ 0xb8, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x28, ['unsigned long']], 'TimerApc' : [ 0x2c, ['_KAPC']], 'TimerDpc' : [ 0x5c, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x7c, ['_LIST_ENTRY']], 'Period' : [ 0x84, ['unsigned long']], 'TimerFlags' : [ 0x88, ['unsigned char']], 'ApcAssociated' : [ 0x88, ['BitField', dict(start_bit = 
0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0x88, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0x88, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0x88, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0x89, ['unsigned char']], 'Spare2' : [ 0x8a, ['unsigned short']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x98, ['pointer', ['void']]], 'VirtualizedTimerLinks' : [ 0x9c, ['_LIST_ENTRY']], 'DueTime' : [ 0xa8, ['unsigned long long']], 'CoalescingWindow' : [ 0xb0, ['unsigned long']], } ], '_MI_SHUTDOWN_STATE' : [ 0x48, { 'CrashDumpInitialized' : [ 0x0, ['unsigned char']], 'ConnectedStandbyActive' : [ 0x1, ['unsigned char']], 'SystemShutdown' : [ 0x4, ['unsigned long']], 'ShutdownFlushInProgress' : [ 0x8, ['long']], 'ResumeItem' : [ 0xc, ['_MI_RESUME_WORKITEM']], 'MirrorHoldsPfn' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'MirroringActive' : [ 0x30, ['unsigned long']], 'MirrorBitMaps' : [ 0x34, ['array', 2, ['_RTL_BITMAP']]], 'CrashDumpPte' : [ 0x44, ['pointer', ['_MMPTE']]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_ARM64_DBGKD_CONTROL_SET' : [ 0x18, { 'Continue' : [ 0x0, ['unsigned long']], 'TraceFlag' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x10, ['unsigned long long']], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned 
long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoQoSPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_PROCESSOR_POWER_STATE' : [ 0x180, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x4, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleTimeExpiration' : [ 0x20, ['unsigned long long']], 'NonInterruptibleTransition' : [ 0x28, ['unsigned char']], 'PepWokenTransition' : [ 0x29, ['unsigned char']], 'EfficiencyClass' : [ 0x2a, ['unsigned char']], 'SchedulingClass' : [ 0x2b, ['unsigned char']], 'TargetIdleState' : [ 0x2c, ['unsigned long']], 'IdlePolicy' : [ 0x30, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x38, 
['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x40, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xc8, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower', 3: 'ProcHypervisorHvCounters'})]], 'LastSysTime' : [ 0xcc, ['unsigned long']], 'WmiDispatchPtr' : [ 0xd0, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xd4, ['long']], 'FFHThrottleStateInfo' : [ 0xd8, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0xf8, ['_KDPC']], 'PerfActionMask' : [ 0x118, ['long']], 'HvIdleCheck' : [ 0x120, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x130, ['pointer', ['_PROC_PERF_CHECK']]], 'Domain' : [ 0x134, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x138, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x13c, ['pointer', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x140, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x144, ['pointer', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x148, ['unsigned char']], 'HvTargetState' : [ 0x149, ['unsigned char']], 'Parked' : [ 0x14a, ['unsigned char']], 'LatestPerformancePercent' : [ 0x14c, ['unsigned long']], 'AveragePerformancePercent' : [ 0x150, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x154, ['unsigned long']], 'RelativePerformance' : [ 0x158, ['unsigned long']], 'Utility' : [ 0x15c, ['unsigned long']], 'AffinitizedUtility' : [ 0x160, ['unsigned long']], 'SnapTimeLast' : [ 0x168, ['unsigned long long']], 'EnergyConsumed' : [ 0x168, ['unsigned long long']], 'ActiveTime' : [ 0x170, ['unsigned long long']], 'TotalTime' : [ 0x178, ['unsigned long long']], } ], '_MI_PARTITION_SEGMENTS' : [ 0x100, { 'DeleteSubsectionCleanup' : [ 0x0, ['_KEVENT']], 'UnusedSegmentCleanup' : [ 0x10, ['_KEVENT']], 'SubsectionDeletePtes' : [ 0x20, ['unsigned long']], 'DereferenceSegmentHeader' : [ 0x24, ['_MMDEREFERENCE_SEGMENT_HEADER']], 'DeleteOnCloseList' : [ 0x40, ['_LIST_ENTRY']], 'DeleteOnCloseTimer' : [ 0x48, ['_KTIMER']], 
'DeleteOnCloseTimerActive' : [ 0x70, ['unsigned char']], 'DeleteOnCloseCount' : [ 0x74, ['unsigned long']], 'UnusedSegmentList' : [ 0x78, ['_LIST_ENTRY']], 'UnusedSubsectionList' : [ 0x80, ['_LIST_ENTRY']], 'DeleteSubsectionList' : [ 0x88, ['_LIST_ENTRY']], 'ControlAreaDeleteEvent' : [ 0x90, ['_KEVENT']], 'ControlAreaDeleteList' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'SegmentListLock' : [ 0xc0, ['long']], 'ControlAreaCount' : [ 0xc8, ['long long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_MI_RESAVAIL_TRACKER' : [ 0x200, { 'AllocateKernelStack' : [ 0x0, ['unsigned long']], 'AllocateGrowKernelStack' : [ 0x4, ['unsigned long']], 'FreeKernelStack' : [ 0x8, ['unsigned long']], 'FreeKernelStackError' : [ 0xc, ['unsigned long']], 'FreeGrowKernelStackError' : [ 0x10, ['unsigned long']], 'AllocateCreateProcess' : [ 0x14, ['unsigned long']], 'FreeCreateProcessError' : [ 0x18, ['unsigned long']], 'FreeDeleteProcess' : [ 0x1c, ['unsigned long']], 'FreeCleanProcess' : [ 0x20, ['unsigned long']], 'FreeCleanProcessError' : [ 0x24, ['unsigned long']], 'AllocateWsIncrease' : [ 0x28, ['unsigned long']], 'FreeWsIncreaseError' : [ 0x2c, ['unsigned long']], 'FreeWsIncreaseErrorMax' : [ 0x30, ['unsigned long']], 'FreeWsDecrease' : [ 0x34, ['unsigned long']], 'AllocateWorkingSetPage' : [ 0x38, ['unsigned long']], 'FreeWorkingSetPageError' : [ 0x3c, ['unsigned long']], 'FreeDeletePteRange' : [ 0x40, ['unsigned long']], 'AllocatePageTablesForProcessMetadata' : [ 0x44, ['unsigned long']], 'AllocatePageTablesForSystem' : [ 0x48, ['unsigned long']], 'FreePageTablesExcess' : [ 0x4c, ['unsigned long']], 'FreeSystemVaPageTables' : [ 0x50, ['unsigned long']], 'FreeSessionVaPageTables' : [ 0x54, ['unsigned long']], 'AllocateCreateSession' : [ 0x58, ['unsigned long']], 'FreeSessionWsDereference' : [ 0x5c, ['unsigned long']], 'FreeSessionDereference' : [ 0x60, ['unsigned long']], 
'AllocateLockedSessionImage' : [ 0x64, ['unsigned long']], 'FreeLockedSessionImage' : [ 0x68, ['unsigned long']], 'FreeSessionImageConversion' : [ 0x6c, ['unsigned long']], 'AllocateWsAdjustPageTable' : [ 0x70, ['unsigned long']], 'FreeWsAdjustPageTable' : [ 0x74, ['unsigned long']], 'FreeWsAdjustPageTableError' : [ 0x78, ['unsigned long']], 'AllocateNoLowMemory' : [ 0x7c, ['unsigned long']], 'AllocatePagedPoolLockedDown' : [ 0x80, ['unsigned long']], 'FreePagedPoolLockedDown' : [ 0x84, ['unsigned long']], 'AllocateSystemBitmaps' : [ 0x88, ['unsigned long']], 'FreeSystemBitmapsError' : [ 0x8c, ['unsigned long']], 'AllocateForMdl' : [ 0x90, ['unsigned long']], 'FreeFromMdl' : [ 0x94, ['unsigned long']], 'AllocateForMdlPartition' : [ 0x98, ['unsigned long']], 'FreeFromMdlPartition' : [ 0x9c, ['unsigned long']], 'FreeMdlExcess' : [ 0xa0, ['unsigned long']], 'AllocateExpansionNonPagedPool' : [ 0xa4, ['unsigned long']], 'FreeExpansionNonPagedPool' : [ 0xa8, ['unsigned long']], 'AllocateVad' : [ 0xac, ['unsigned long']], 'RemoveVad' : [ 0xb0, ['unsigned long']], 'FreeVad' : [ 0xb4, ['unsigned long']], 'AllocateContiguous' : [ 0xb8, ['unsigned long']], 'FreeContiguousPages' : [ 0xbc, ['unsigned long']], 'FreeContiguousError' : [ 0xc0, ['unsigned long']], 'FreeLargePageMemory' : [ 0xc4, ['unsigned long']], 'AllocateSystemWsles' : [ 0xc8, ['unsigned long']], 'FreeSystemWsles' : [ 0xcc, ['unsigned long']], 'AllocateSystemInitWs' : [ 0xd0, ['unsigned long']], 'AllocateSessionInitWs' : [ 0xd4, ['unsigned long']], 'FreeSessionInitWsError' : [ 0xd8, ['unsigned long']], 'AllocateSystemImage' : [ 0xdc, ['unsigned long']], 'AllocateSystemImageLoad' : [ 0xe0, ['unsigned long']], 'AllocateSessionSharedImage' : [ 0xe4, ['unsigned long']], 'FreeSystemImageInitCode' : [ 0xe8, ['unsigned long']], 'FreeSystemImageLargePageConversion' : [ 0xec, ['unsigned long']], 'FreeSystemImageError' : [ 0xf0, ['unsigned long']], 'FreeSystemImageLoadExcess' : [ 0xf4, ['unsigned long']], 
'FreeUnloadSystemImage' : [ 0xf8, ['unsigned long']], 'FreeReloadBootImageLarge' : [ 0xfc, ['unsigned long']], 'FreeIndependent' : [ 0x100, ['unsigned long']], 'AllocateHotRemove' : [ 0x104, ['unsigned long']], 'FreeHotAdd' : [ 0x108, ['unsigned long']], 'AllocateBoot' : [ 0x10c, ['unsigned long']], 'FreeLoaderBlock' : [ 0x110, ['unsigned long']], 'AllocateNonPagedSpecialPool' : [ 0x114, ['unsigned long']], 'FreeNonPagedSpecialPoolError' : [ 0x118, ['unsigned long']], 'FreeNonPagedSpecialPool' : [ 0x11c, ['unsigned long']], 'AllocateSharedSegmentPage' : [ 0x120, ['unsigned long']], 'FreeSharedSegmentPage' : [ 0x124, ['unsigned long']], 'AllocateZeroPage' : [ 0x128, ['unsigned long']], 'FreeZeroPage' : [ 0x12c, ['unsigned long']], 'AllocateForPo' : [ 0x130, ['unsigned long']], 'AllocateForPoForce' : [ 0x134, ['unsigned long']], 'FreeForPo' : [ 0x138, ['unsigned long']], 'AllocateThreadHardFaultBehavior' : [ 0x13c, ['unsigned long']], 'FreeThreadHardFaultBehavior' : [ 0x140, ['unsigned long']], 'ObtainFaultCharges' : [ 0x144, ['unsigned long']], 'FreeFaultCharges' : [ 0x148, ['unsigned long']], 'AllocateStoreCharges' : [ 0x14c, ['unsigned long']], 'FreeStoreCharges' : [ 0x150, ['unsigned long']], 'ObtainLockedPageCharge' : [ 0x180, ['unsigned long']], 'FreeLockedPageCharge' : [ 0x1c0, ['unsigned long']], 'AllocateStore' : [ 0x1c4, ['unsigned long']], 'FreeStore' : [ 0x1c8, ['unsigned long']], 'AllocateSystemImageProtos' : [ 0x1cc, ['unsigned long']], 'FreeSystemImageProtos' : [ 0x1d0, ['unsigned long']], 'AllocateModWriterCharge' : [ 0x1d4, ['unsigned long']], 'FreeModWriterCharge' : [ 0x1d8, ['unsigned long']], 'AllocateMappedWriterCharge' : [ 0x1dc, ['unsigned long']], 'FreeMappedWriterCharge' : [ 0x1e0, ['unsigned long']], 'AllocateRegistryCharges' : [ 0x1e4, ['unsigned long']], 'FreeRegistryCharges' : [ 0x1e8, ['unsigned long']], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 
0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_AVAILABLE_PAGE_WAIT_STATES' : [ 0x14, { 'Event' : [ 0x0, ['_KEVENT']], 'EventSets' : [ 0x10, ['unsigned long']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 
0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_POP_FX_DEVICE' : [ 0x188, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'IrpData' : [ 0xc, ['pointer', ['_POP_IRP_DATA']]], 'Status' : [ 0x10, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x14, ['long']], 'PowerNotReqCall' : [ 0x18, ['long']], 'DevNode' : [ 0x1c, ['pointer', ['_DEVICE_NODE']]], 'DpmContext' : [ 0x20, ['pointer', ['PEPHANDLE__']]], 'Plugin' : [ 0x24, ['pointer', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x28, ['pointer', ['PEPHANDLE__']]], 'AcpiPlugin' : [ 0x2c, ['pointer', ['_POP_FX_PLUGIN']]], 'AcpiPluginHandle' : [ 0x30, ['pointer', ['PEPHANDLE__']]], 'DeviceObject' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x38, ['pointer', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x3c, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0x58, ['pointer', ['void']]], 'AcpiLink' : [ 0x5c, ['_LIST_ENTRY']], 'DeviceId' : [ 0x64, ['_UNICODE_STRING']], 'RemoveLock' : [ 0x6c, ['_IO_REMOVE_LOCK']], 'AcpiRemoveLock' : [ 0x84, ['_IO_REMOVE_LOCK']], 
'WorkOrder' : [ 0x9c, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0xb8, ['unsigned long']], 'IdleTimer' : [ 0xc0, ['_KTIMER']], 'IdleDpc' : [ 0xe8, ['_KDPC']], 'IdleTimeout' : [ 0x108, ['unsigned long long']], 'IdleStamp' : [ 0x110, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0x118, ['array', 2, ['pointer', ['_DEVICE_OBJECT']]]], 'NextIrpPowerState' : [ 0x120, ['array', 2, ['_POWER_STATE']]], 'NextIrpCallerCompletion' : [ 0x128, ['array', 2, ['pointer', ['void']]]], 'NextIrpCallerContext' : [ 0x130, ['array', 2, ['pointer', ['void']]]], 'IrpCompleteEvent' : [ 0x138, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x148, ['pointer', ['void']]], 'Accounting' : [ 0x150, ['_POP_FX_ACCOUNTING']], 'Flags' : [ 0x178, ['unsigned long']], 'ComponentCount' : [ 0x17c, ['unsigned long']], 'Components' : [ 0x180, ['pointer', ['pointer', ['_POP_FX_COMPONENT']]]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_IOV_IRP_TRACE' : [ 0x40, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x8, ['short']], 'SpecialApcDisable' : [ 0xa, ['short']], 'CombinedApcDisable' : [ 0x8, ['unsigned long']], 'Irql' : [ 0xc, ['unsigned char']], 'StackTrace' : [ 0x10, ['array', 12, ['pointer', ['void']]]], } ], '_MI_CLONE_BLOCK_FLAGS' : [ 0x4, { 'ActualCloneCommit' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 27, native_type='unsigned long')]], 'CloneProtection' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GetExtents' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 
0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CoalescedIo' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'VmLockNotNeeded' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], 
'_MI_QUEUED_DEADSTACK_WORKITEM' : [ 0x14, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Active' : [ 0x10, ['long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Processors' : [ 0x4, ['unsigned long']], 'ActiveProcessors' : [ 0x8, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_AVL_TABLE' : [ 0x80, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x3c, ['pointer', ['void']]], 'Lock' : [ 0x40, ['long']], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Spare0' : [ 0x6c, ['unsigned long']], } ], '__unnamed_25a7' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_25a9' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_25a7']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x44, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', 
['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, ['_LIST_ENTRY']], 'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CoolingExtension' : [ 0x30, ['pointer', ['_POP_COOLING_EXTENSION']]], 'Volume' : [ 0x34, ['_LIST_ENTRY']], 'Specific' : [ 0x3c, ['__unnamed_25a9']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_CM_UOW_SET_SD_DATA' : [ 0x4, { 'SecurityCell' : [ 0x0, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x24, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'Context' : [ 0xc, ['pointer', ['void']]], 'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 
'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x14, ['unsigned long']], 'Status' : [ 0x18, ['long']], 'Information' : [ 0x1c, ['pointer', ['void']]], 'ReferenceCount' : [ 0x20, ['long']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_PPM_COORDINATED_SYNCHRONIZATION' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'EnterProcessor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'ExitProcessor' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 24, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 26, native_type='unsigned long')]], 'Entered' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'EntryPriority' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_KDPC_LIST' : [ 0x8, 
{ 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x4, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['_CM_COMPONENT_HASH']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_THERMAL_TELEMETRY_TRACKER' : [ 0x160, { 'AccountingDisabled' : [ 0x0, ['unsigned char']], 'LastPassiveUpdateTime' : [ 0x8, ['unsigned long long']], 'TotalPassiveTime' : [ 0x10, ['array', 21, ['unsigned long long']]], 'PassiveTimeSnap' : [ 0xb8, ['array', 21, ['unsigned long long']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_MI_VISIBLE_PARTITION' : [ 0xcc0, { 'LowestPhysicalPage' : [ 0x0, ['unsigned long']], 'HighestPhysicalPage' : [ 0x4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x8, ['unsigned long']], 'NumberOfPagingFiles' : [ 0xc, ['unsigned long']], 'PagingFile' : [ 0x10, ['array', 16, ['pointer', ['_MMPAGING_FILE']]]], 'AvailablePages' : [ 0x80, ['unsigned long']], 'ResidentAvailablePages' : [ 0xc0, ['unsigned long']], 'PartitionWs' : [ 0x100, ['array', 1, ['_MMSUPPORT_INSTANCE']]], 'PartitionWorkingSetLists' : [ 0x164, ['array', 1, 
['_MMWSL_INSTANCE']]], 'SystemCacheInitialized' : [ 0x238, ['unsigned char']], 'TotalCommittedPages' : [ 0x23c, ['unsigned long']], 'ModifiedPageListHead' : [ 0x240, ['_MMPFNLIST']], 'ModifiedNoWritePageListHead' : [ 0x280, ['_MMPFNLIST']], 'TotalCommitLimit' : [ 0x294, ['unsigned long']], 'TotalPagesForPagingFile' : [ 0x298, ['unsigned long']], 'VadPhysicalPages' : [ 0x29c, ['unsigned long']], 'ProcessLockedFilePages' : [ 0x2a0, ['unsigned long']], 'ChargeCommitmentFailures' : [ 0x2a4, ['array', 4, ['unsigned long']]], 'PageFileTraceIndex' : [ 0x2b4, ['long']], 'PageFileTraces' : [ 0x2b8, ['array', 32, ['_MI_PAGEFILE_TRACES']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_FREE_DISPLAY' : [ 0x10, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x50, { 'Context' : [ 0x0, ['pointer', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x38, ['unsigned long']], 'DependencyUsed' : [ 0x3c, ['unsigned long']], 'DependencyArray' : [ 0x40, ['pointer', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x44, ['unsigned long']], 'ProcessorIdleStateIndex' : 
[ 0x48, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x4c, ['unsigned long']], } ], '_PNP_REBALANCE_TRACE_CONTEXT' : [ 0x50, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'RebalancePhase' : [ 0x4, ['unsigned long']], 'Reason' : [ 0x8, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'RebalanceReasonUnknown', 1: 'RebalanceReasonRequirementsChanged', 2: 'RebalanceReasonNewDevice'})]]], 'Failure' : [ 0x10, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'RebalanceFailureNone', 1: 'RebalanceFailureDisabled', 2: 'RebalanceFailureNoMemory', 3: 'RebalanceFailureQueryStopUnexpectedVeto', 4: 'RebalanceFailureNoRequirements', 5: 'RebalanceFailureNoCandidates', 6: 'RebalanceFailureNoConfiguration'})]]], 'SubtreeRoot' : [ 0x18, ['pointer', ['_DEVICE_NODE']]], 'SubtreeIncludesRoot' : [ 0x1c, ['unsigned char']], 'TriggerRoot' : [ 0x20, ['pointer', ['_DEVICE_NODE']]], 'RebalanceDueToDynamicPartitioning' : [ 0x24, ['unsigned char']], 'BeginTime' : [ 0x28, ['unsigned long long']], 'VetoNode' : [ 0x30, ['array', 2, ['pointer', ['_DEVICE_NODE']]]], 'VetoQueryRebalanceReason' : [ 0x38, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceQueryRebalanceSucceeded', 1: 'DeviceQueryStopFailed', 2: 'DeviceFailedGetNewResourceRequirement', 3: 'DeviceInUnexpectedState', 4: 'DeviceNotSupportQueryRebalance'})]]], 'ConflictContext' : [ 0x40, ['_PNP_RESOURCE_CONFLICT_TRACE_CONTEXT']], } ], '_IOP_IRP_STACK_PROFILER' : [ 0x54, { 'Profile' : [ 0x0, ['array', 20, ['unsigned long']]], 'TotalIrps' : [ 0x50, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x14, { 'BlockOffset' : [ 0x0, ['unsigned long']], 'PermanentBinAddress' : [ 0x4, ['unsigned long']], 'TemporaryBinAddress' : [ 0x8, ['unsigned long']], 'TemporaryBinRundown' : [ 0xc, ['_EX_RUNDOWN_REF']], 'MemAlloc' : [ 0x10, ['unsigned long']], } ], '__unnamed_260c' : [ 0x18, { 'RequestedTime' : [ 0x0, ['unsigned long long']], 'ProgrammedTime' : [ 0x8, ['unsigned long long']], 'TimerInfo' : [ 0x10, 
['pointer', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0x108, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 
'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'WakeFirstUnattendedTime' : [ 0x50, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x60, ['array', 3, ['__unnamed_260c']]], 'WakeAlarmPaused' : [ 0xa8, ['unsigned char']], 'WakeAlarmLastTime' : [ 0xb0, ['unsigned long long']], 'FilteredCapabilities' : [ 0xb8, ['SYSTEM_POWER_CAPABILITIES']], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_WNF_LOCK' : [ 0x4, { 'PushLock' : [ 0x0, ['_EX_PUSH_LOCK']], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 
'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_MI_PARTITION_ZEROING' : [ 0x3c, { 'PageEvent' : [ 0x0, ['_KEVENT']], 'ThreadActive' : [ 0x10, ['unsigned char']], 'ZeroFreePageSlistMinimum' : [ 0x14, ['long']], 'RebalanceZeroFreeWorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], 'ThreadCount' : [ 0x28, ['long']], 'Gate' : [ 0x2c, ['_KGATE']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x10, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x1c, { 'ComponentActive' : [ 0x0, ['pointer', ['void']]], 'ComponentIdle' : [ 0x4, ['pointer', ['void']]], 'ComponentIdleState' : [ 0x8, ['pointer', ['void']]], 'DevicePowerRequired' : [ 0xc, ['pointer', ['void']]], 'DevicePowerNotRequired' : [ 0x10, ['pointer', ['void']]], 'PowerControl' : [ 0x14, ['pointer', ['void']]], 'ComponentCriticalTransition' : [ 0x18, ['pointer', ['void']]], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Reserved0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, 
end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'u1' : [ 0x0, ['unsigned short']], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceAge' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'NewMaximum' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CommitReleaseState' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'u2' : [ 0x3, ['unsigned char']], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_WAITING_IRP' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'CompletionRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'Information' : [ 0x18, ['unsigned long']], 'BreakAllRH' : [ 0x1c, ['unsigned char']], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 
'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, ['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PLATFORM_IDLE_STATE_ACCOUNTING' : [ 0x3e8, { 'CancelCount' : [ 0x0, ['unsigned long']], 'FailureCount' : [ 0x4, ['unsigned long']], 'SuccessCount' : [ 0x8, ['unsigned long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'TotalTime' : [ 0x20, ['unsigned long long']], 'InvalidBucketIndex' : [ 0x28, ['unsigned long']], 'SelectionStatistics' : [ 0x30, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa8, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_PROC_FEEDBACK' : [ 0x88, { 'Lock' : [ 0x0, 
['unsigned long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x20, ['unsigned long long']], 'UnscaledTime' : [ 0x28, ['unsigned long long']], 'UnaccountedTime' : [ 0x30, ['long long']], 'ScaledTime' : [ 0x38, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x48, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x50, ['unsigned long long']], 'UserTimeLast' : [ 0x58, ['unsigned long']], 'KernelTimeLast' : [ 0x5c, ['unsigned long']], 'IdleGenerationNumberLast' : [ 0x60, ['unsigned long long']], 'HvActiveTimeLast' : [ 0x68, ['unsigned long long']], 'StallCyclesLast' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long long']], 'KernelTimesIndex' : [ 0x80, ['unsigned char']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x28, { 'InstantaneousRead' : [ 0x0, ['pointer', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'Scaling' : [ 0x22, ['unsigned char']], 'Context' : [ 0x24, ['unsigned long']], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_MI_DRIVER_VA' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_DRIVER_VA']]], 'PointerPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BitMap' : [ 0x8, ['_RTL_BITMAP']], 'Hint' : [ 0x10, ['unsigned long']], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x58, { 'Links' : [ 0x0, 
['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', ['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', ['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned char']], 'ShutDownRequested' : [ 0x32, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x32, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x32, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x32, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x34, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x3c, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x40, ['unsigned long']], 'UserPagesAllocated' : [ 0x44, ['unsigned long']], 'UserPagesReused' : [ 0x48, ['unsigned long']], 'EventsLostCount' : [ 0x4c, ['pointer', ['unsigned long']]], 'BuffersLostCount' : [ 0x50, ['pointer', ['unsigned long']]], 'SiloState' : [ 0x54, ['pointer', ['_ETW_SILODRIVERSTATE']]], } ], '_PAE_PAGEINFO' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'PageFrameNumber' : [ 0x8, ['unsigned long']], 'EntriesInUse' : [ 0xc, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 
'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_POP_HIBER_CONTEXT' : [ 0x140, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x3, ['unsigned char']], 'InitializationFinished' : [ 0x4, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'HvCaptureReadyBarrier' : [ 0x14, ['long']], 'HvCaptureCompletedBarrier' : [ 0x18, ['long']], 'MapFrozen' : [ 0x1c, ['unsigned char']], 'DiscardMap' : [ 0x20, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x20, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x30, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x38, ['unsigned long']], 'ClonedPageCount' : [ 0x40, ['unsigned long long']], 'CurrentMap' : [ 0x48, ['pointer', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x4c, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x50, ['unsigned long']], 'LoaderMdl' : [ 0x54, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x58, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x60, ['unsigned long long']], 'IoPages' : [ 0x68, ['pointer', ['void']]], 'IoPagesCount' : [ 0x6c, ['unsigned long']], 'CurrentMcb' : [ 0x70, ['pointer', ['void']]], 'DumpStack' : [ 0x74, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x78, ['pointer', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0x7c, ['unsigned long']], 'Status' : [ 0x80, ['long']], 'GraphicsProc' : [ 0x84, ['unsigned long']], 'MemoryImage' : [ 0x88, ['pointer', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0x8c, ['pointer', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0x90, ['pointer', ['_MDL']]], 'SiLogOffset' : [ 0x94, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0x98, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0x9c, ['pointer', ['void']]], 'ResumeContext' : [ 0xa0, 
['pointer', ['void']]], 'ResumeContextPages' : [ 0xa4, ['unsigned long']], 'ProcessorCount' : [ 0xa8, ['unsigned long']], 'ProcessorContext' : [ 0xac, ['pointer', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0xb0, ['pointer', ['unsigned char']]], 'ProdConsSize' : [ 0xb4, ['unsigned long']], 'MaxDataPages' : [ 0xb8, ['unsigned long']], 'ExtraBuffer' : [ 0xbc, ['pointer', ['void']]], 'ExtraBufferSize' : [ 0xc0, ['unsigned long']], 'ExtraMapVa' : [ 0xc4, ['pointer', ['void']]], 'BitlockerKeyPFN' : [ 0xc8, ['unsigned long']], 'IoInfo' : [ 0xd0, ['_POP_IO_INFO']], 'IoChecksums' : [ 0x130, ['pointer', ['unsigned short']]], 'IoChecksumsSize' : [ 0x134, ['unsigned long']], 'HardwareConfigurationSignature' : [ 0x138, ['unsigned long']], } ], '__unnamed_2673' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MI_DECAY_TIMER_LINKAGE']], } ], '_MI_DECAY_TIMER_LINK' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_2673']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '__unnamed_267a' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', 
['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_267a']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', ['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '_MI_PARTITION_COMMIT' : [ 0x80, { 'PeakCommitment' : [ 0x0, ['unsigned long']], 'TotalCommitLimitMaximum' : [ 0x4, ['unsigned long']], 'Popups' : [ 0x8, ['array', 2, ['long']]], 'LowCommitThreshold' : [ 0x10, ['unsigned long']], 'HighCommitThreshold' : [ 0x14, ['unsigned long']], 'EventLock' : [ 0x18, ['unsigned long']], 'SystemCommitReserve' : [ 0x1c, ['unsigned long']], 'OverCommit' : [ 0x40, ['unsigned long']], } ], '_TRIAGE_DEVICE_NODE' : [ 0x2c, { 'Sibling' : [ 0x0, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'FxDevice' : [ 0x28, ['pointer', ['_TRIAGE_POP_FX_DEVICE']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 
'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 
0x24, { 'InitiatingThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ThreadId' : [ 0x8, ['pointer', ['void']]], 'ProcessId' : [ 0xc, ['pointer', ['void']]], 'Code' : [ 0x10, ['unsigned long']], 'Parameter1' : [ 0x14, ['unsigned long']], 'Parameter2' : [ 0x18, ['unsigned long']], 'Parameter3' : [ 0x1c, ['unsigned long']], 'Parameter4' : [ 0x20, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 'SecurityQos' : [ 0x1c, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x4, ['pointer', ['wchar']]], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40f0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned 
long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'StackLimitHits' : [ 0x4038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x403c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x4040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4044, ['unsigned long']], 'TotalReleases' : [ 0x4048, ['unsigned long']], 'RootNodesDeleted' : [ 0x404c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x4050, ['unsigned long']], 'Instigator' : [ 0x4054, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4058, ['unsigned long']], 'Participant' : [ 0x405c, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40dc, ['long']], 'StackType' : [ 0x40e0, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x40e4, ['unsigned long']], 'StackHighLimit' : [ 0x40e8, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', ['void']]], } ], 'PO_MEMORY_IMAGE' : [ 0x328, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long long']], 'HiberFlags' : [ 0x30, ['unsigned char']], 'spare' : [ 0x31, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x34, 
['unsigned long']], 'HiberVa' : [ 0x38, ['unsigned long']], 'NoFreePages' : [ 0x3c, ['unsigned long']], 'FreeMapCheck' : [ 0x40, ['unsigned long']], 'WakeCheck' : [ 0x44, ['unsigned long']], 'NumPagesForLoader' : [ 0x48, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x50, ['unsigned long']], 'FirstKernelRestorePage' : [ 0x54, ['unsigned long']], 'FirstChecksumRestorePage' : [ 0x58, ['unsigned long']], 'NoChecksumEntries' : [ 0x60, ['unsigned long long']], 'PerfInfo' : [ 0x68, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x250, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x254, ['array', 1, ['unsigned long']]], 'SiLogOffset' : [ 0x258, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x25c, ['unsigned long']], 'BootLoaderLogPages' : [ 0x260, ['array', 24, ['unsigned long']]], 'NotUsed' : [ 0x2c0, ['unsigned long']], 'ResumeContextCheck' : [ 0x2c4, ['unsigned long']], 'ResumeContextPages' : [ 0x2c8, ['unsigned long']], 'Hiberboot' : [ 0x2cc, ['unsigned char']], 'HvCr3' : [ 0x2d0, ['unsigned long long']], 'HvEntryPoint' : [ 0x2d8, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x2e0, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x2e8, ['unsigned long long']], 'BootFlags' : [ 0x2f0, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x2f8, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x300, ['unsigned long']], 'BitlockerKeyPfns' : [ 0x304, ['array', 4, ['unsigned long']]], 'HardwareSignature' : [ 0x314, ['unsigned long']], 'SMBiosTablePhysicalAddress' : [ 0x318, ['_LARGE_INTEGER']], 'SMBiosTableLength' : [ 0x320, ['unsigned long']], 'SMBiosMajorVersion' : [ 0x324, ['unsigned char']], 'SMBiosMinorVersion' : [ 0x325, ['unsigned char']], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : 
[ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 
9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_MI_PAGING_IO_STATE' : [ 0x38, { 'PageFileHead' : [ 0x0, ['_RTL_AVL_TREE']], 'PageFileHeadSpinLock' : [ 0x4, ['long']], 'PrefetchSeekThreshold' : [ 0x8, ['long']], 'InPageSupportSListHead' : [ 0x10, ['array', 2, ['_SLIST_HEADER']]], 'InPageSupportSListMinimum' : [ 0x20, ['array', 2, ['unsigned char']]], 'InPageSinglePages' : [ 0x24, ['unsigned long']], 'DelayPageFaults' : [ 0x28, ['long']], 'FileCompressionBoundary' : [ 0x2c, ['unsigned long']], 'MdlsAdjusted' : [ 0x30, ['unsigned char']], } ], '_MI_STANDBY_STATE' : [ 0x80, { 'TransitionSharedPages' : [ 0x0, ['unsigned long']], 'TransitionSharedPagesPeak' : [ 0x4, ['array', 3, ['unsigned long']]], 'FirstDecayPage' : [ 0x10, ['unsigned long']], 'PfnDecayFreeSList' : [ 0x18, ['_SLIST_HEADER']], 'PfnRepurposeLog' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'AllocatePfnRepurposeDpc' : [ 0x24, ['_KDPC']], } ], '_MI_DECAY_TIMER_LINKAGE' : [ 0x4, { 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NextDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], } ], 
'_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x128, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x104, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x124, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_TRIAGE_9F_POWER' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'IrpList' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'ThreadList' : [ 0x8, ['pointer', ['_LIST_ENTRY']]], 'DelayedWorkQueue' : [ 0xc, ['pointer', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_MMINPAGE_SUPPORT_FLOW_THROUGH' : [ 0x1c, { 'Page' : [ 0x0, ['array', 1, ['unsigned long']]], 
'InitialInPageSupport' : [ 0x4, ['pointer', ['_MMINPAGE_SUPPORT']]], 'PagingFile' : [ 0x8, ['pointer', ['_MMPAGING_FILE']]], 'PageFileOffset' : [ 0xc, ['unsigned long']], 'Node' : [ 0x10, ['_RTL_BALANCED_NODE']], } ], '_MI_COMBINE_STATE' : [ 0x18, { 'ActiveSpinLock' : [ 0x0, ['long']], 'CombiningThreadCount' : [ 0x4, ['unsigned long']], 'ActiveThreadTree' : [ 0x8, ['_RTL_AVL_TREE']], 'ZeroPageHashValue' : [ 0x10, ['unsigned long long']], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_PTE_TRACKER' : [ 0x44, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'GuardPte' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 7, ['pointer', ['void']]]], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_HIVE_WAIT_PACKET' : [ 0x18, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Next' : [ 0x14, ['pointer', 
['_HIVE_WAIT_PACKET']]], } ], '_VF_AVL_TREE_NODE_EX' : [ 0xc, { 'Base' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'SessionId' : [ 0x8, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_CM_INDEX' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'NameHint' : [ 0x4, ['array', 4, ['unsigned char']]], 'HashKey' : [ 0x4, ['_CM_COMPONENT_HASH']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_MMPAGING_FILE' : [ 0xa8, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'FreeReservationSpace' : [ 0x18, ['unsigned long']], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x20, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x28, ['_SLIST_HEADER']], 'PageFileName' : [ 0x30, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x38, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x3c, ['unsigned long']], 'LargestAllocationCluster' : [ 0x40, ['unsigned long']], 'RefreshAllocationCluster' : [ 0x44, ['unsigned long']], 'LastRefreshAllocationCluster' : [ 0x48, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x4c, ['unsigned long']], 'MaximumRunLengthInBitmaps' : [ 0x50, ['unsigned long']], 'BitmapsCacheLengthTree' : [ 0x54, ['_RTL_RB_TREE']], 'BitmapsCacheLocationTree' : [ 0x5c, ['_RTL_RB_TREE']], 'BitmapsCacheFreeList' : [ 0x64, ['_LIST_ENTRY']], 'BitmapsCacheEntries' : [ 0x6c, ['pointer', ['_MI_PAGEFILE_BITMAPS_CACHE_ENTRY']]], 'ToBeEvictedCount' : [ 0x70, ['unsigned long']], 
'HybridPriority' : [ 0x70, ['unsigned long']], 'PageFileNumber' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'NoReservations' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'VirtualStorePagefile' : [ 0x74, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SwapSupported' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'NodeInserted' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'StackNotified' : [ 0x74, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x74, ['BitField', dict(start_bit = 10, end_bit = 15, native_type='unsigned short')]], 'AdriftMdls' : [ 0x76, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0x76, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'IgnoreReservations' : [ 0x77, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare2' : [ 0x77, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0x78, ['unsigned long']], 'PageHashPagesPeak' : [ 0x7c, ['unsigned long']], 'PageHash' : [ 0x80, ['pointer', ['unsigned long']]], 'FileHandle' : [ 0x84, ['pointer', ['void']]], 'Lock' : [ 0x88, ['unsigned long']], 'LockOwner' : [ 0x8c, ['pointer', ['_ETHREAD']]], 'FlowThroughReadRoot' : [ 0x90, ['_RTL_AVL_TREE']], 'Partition' : [ 0x94, ['pointer', ['_MI_PARTITION']]], 'FileObjectNode' : [ 0x98, ['_RTL_BALANCED_NODE']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, 
['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_HVIEW_MAP' : [ 0x320, { 'MappedLength' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x4, ['_EX_PUSH_LOCK']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'Directory' : [ 0xc, ['pointer', ['_HVIEW_MAP_DIRECTORY']]], 'PagesCharged' : [ 0x10, ['unsigned long']], 'PinLog' : [ 0x18, ['_HVIEW_MAP_PIN_LOG']], } ], '_POP_FX_WORK_ORDER' : [ 0x1c, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x10, ['long']], 'Context' : [ 0x14, ['pointer', ['void']]], 'WatchdogTimerInfo' : [ 0x18, ['pointer', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x10, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_PAGELIST_STATE' : [ 0x8, { 'ActiveSpinLock' : [ 0x0, ['long']], 'ActiveThreadTree' : [ 0x4, ['_RTL_AVL_TREE']], } ], '_CRITICAL_PROCESS_EXCEPTION_DATA' : [ 0x28, { 'ReportId' : [ 0x0, ['_GUID']], 'ModuleName' : [ 0x10, ['_UNICODE_STRING']], 'ModuleTimestamp' : [ 0x18, ['unsigned long']], 'ModuleSize' : [ 0x1c, ['unsigned long']], 'Offset' : [ 0x20, ['unsigned 
long long']], } ], '__unnamed_2721' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2723' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2721']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2723']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_RELATION_LIST' : [ 0x8, { 'DeviceObjectList' : [ 0x0, ['pointer', ['_DEVICE_OBJECT_LIST']]], 'Sorted' : [ 0x4, ['unsigned char']], } ], '_IO_IRP_EXT_TRACK_OFFSET_HEADER' : [ 0x8, { 
'Validation' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'TrackedOffsetCallback' : [ 0x4, ['pointer', ['void']]], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x50, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ulTargetPlatform' : [ 0x8, ['unsigned long']], 'ullContextMinimum' : [ 0x10, ['unsigned long long']], 'guPlatform' : [ 0x18, ['_GUID']], 'guMinPlatform' : [ 0x28, ['_GUID']], 'ulContextSource' : [ 0x38, ['unsigned long']], 'ulElementCount' : [ 0x3c, ['unsigned long']], 'guElements' : [ 0x40, ['array', 1, ['_GUID']]], } ], '_SESSION_LOWBOX_MAP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x8, ['unsigned long']], 'LowboxMap' : [ 0xc, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_POP_IO_INFO' : [ 0x60, { 'DumpMdl' : [ 0x0, ['pointer', ['_MDL']]], 'IoStatus' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x8, ['unsigned long long']], 'IoBytesCompleted' : [ 0x10, ['unsigned long long']], 'IoBytesInProgress' : [ 0x18, ['unsigned long long']], 'RequestSize' : [ 0x20, ['unsigned long long']], 'IoLocation' : [ 0x28, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x30, ['unsigned long long']], 'Buffer' : [ 0x38, ['pointer', ['void']]], 'AsyncCapable' : [ 0x3c, ['unsigned char']], 'BytesToRead' : [ 0x40, ['unsigned long long']], 'Pages' : [ 0x48, ['unsigned long']], 'HighestChecksumIndex' : [ 0x50, ['unsigned long long']], 'PreviousChecksum' : [ 0x58, ['unsigned short']], } ], '_TOKEN_ACCESS_INFORMATION' : [ 0x38, { 'SidHash' : [ 0x0, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'RestrictedSidHash' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'Privileges' : [ 0x8, ['pointer', ['_TOKEN_PRIVILEGES']]], 'AuthenticationId' : [ 0xc, ['_LUID']], 'TokenType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 
'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'MandatoryPolicy' : [ 0x1c, ['_TOKEN_MANDATORY_POLICY']], 'Flags' : [ 0x20, ['unsigned long']], 'AppContainerNumber' : [ 0x24, ['unsigned long']], 'PackageSid' : [ 0x28, ['pointer', ['void']]], 'CapabilitiesHash' : [ 0x2c, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'TrustLevelSid' : [ 0x30, ['pointer', ['void']]], 'SecurityAttributes' : [ 0x34, ['pointer', ['void']]], } ], '_MMWSL_INSTANCE' : [ 0xd4, { 'NextSlot' : [ 0x0, ['unsigned long']], 'NextAgingSlot' : [ 0x4, ['unsigned long']], 'NextAccessClearingSlot' : [ 0x8, ['unsigned long']], 'LastAccessClearingRemainder' : [ 0xc, ['unsigned long']], 'LastAgingRemainder' : [ 0x10, ['unsigned long']], 'ActiveWsleCounts' : [ 0x14, ['array', 16, ['unsigned long']]], 'ActiveWsles' : [ 0x54, ['array', 16, ['_MI_ACTIVE_WSLE_LISTHEAD']]], } ], '_MIPFNBLINK' : [ 0x4, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PageBlinkDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'PageBlinkLockBit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ShareCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'PageShareCountDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'PageShareCountLockBit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'EntireField' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x0, ['long']], 'LockNotUsed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'DeleteBit' : [ 0x0, ['BitField', dict(start_bit = 30, 
end_bit = 31, native_type='unsigned long')]], 'LockBit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x1c, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' : [ 0xc, ['unsigned long']], 'ObjectInfo' : [ 0x10, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x18, ['unsigned long']], } ], '_PPM_COORDINATED_SELECTION' : [ 0x10, { 'MaximumStates' : [ 0x0, ['unsigned long']], 'SelectedStates' : [ 0x4, ['unsigned long']], 'DefaultSelection' : [ 0x8, ['unsigned long']], 'Selection' : [ 0xc, ['pointer', ['unsigned long']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '__unnamed_275f' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x50, { 'Status' : [ 0x0, ['long']], 'PartitionId' : [ 0x4, ['unsigned short']], 'Priority' : [ 0x6, ['unsigned char']], 'IrpPriority' : [ 0x7, ['unsigned char']], 'ReservationWrite' : [ 0x8, ['unsigned char']], 'CurrentTime' : [ 0x10, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x18, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x1c, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x24, ['unsigned long']], 'ModifiedPagefileNoReservationPages' : [ 0x28, ['unsigned long']], 'MdlHack' : [ 0x2c, ['__unnamed_275f']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, 
native_type='unsigned char')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'Pattern' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolType' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 20, native_type='unsigned long')]], 'SlushSize' : [ 0x8, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '__unnamed_276c' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_276c']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], 
'_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_PROC_PERF_HISTORY' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'UtilityTotal' : [ 0x8, ['unsigned long']], 'AffinitizedUtilityTotal' : [ 0xc, ['unsigned long']], 'FrequencyTotal' : [ 0x10, ['unsigned long']], 'TaggedPercentTotal' : [ 0x14, ['array', 2, ['unsigned long']]], 'HistoryList' : [ 0x1c, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '__unnamed_277d' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_2780' : [ 0x4, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x4c, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x28, ['__unnamed_277d']], 'Subsection' : [ 0x2c, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x30, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x38, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x40, ['pointer', ['_EPROCESS']]], 'u4' : [ 0x44, ['__unnamed_2780']], 'FileObject' : [ 0x48, ['pointer', ['_FILE_OBJECT']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1f, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1e, ['unsigned char']], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x408, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 
'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], 
'_KALPC_WORK_ON_BEHALF_DATA' : [ 0x8, { 'Ticket' : [ 0x0, ['_ALPC_WORK_ON_BEHALF_TICKET']], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xa8, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x34, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x34, ['unsigned long']], 'PackagedBinary' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x34, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x34, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x34, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x34, ['BitField', dict(start_bit = 5, end_bit = 
6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x34, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x34, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x34, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x34, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LoadConfigProcessed' : [ 0x34, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectDelayLoad' : [ 0x34, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x34, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x34, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x34, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x34, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x34, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x34, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x34, ['BitField', 
dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x34, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x34, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Lock' : [ 0x4c, ['pointer', ['void']]], 'DdagNode' : [ 0x50, ['pointer', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0x54, ['_LIST_ENTRY']], 'LoadContext' : [ 0x5c, ['pointer', ['_LDRP_LOAD_CONTEXT']]], 'ParentDllBase' : [ 0x60, ['pointer', ['void']]], 'SwitchBackContext' : [ 0x64, ['pointer', ['void']]], 'BaseAddressIndexNode' : [ 0x68, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0x74, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0x80, ['unsigned long']], 'LoadTime' : [ 0x88, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x90, ['unsigned long']], 'LoadReason' : [ 0x94, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x98, ['unsigned long']], 'ReferenceCount' : [ 0x9c, ['unsigned long']], 'DependentLoadFlags' : [ 0xa0, ['unsigned long']], } ], '_KTIMER2_COLLECTION' : [ 0x10, { 'Tree' : [ 0x0, ['_RTL_RB_TREE']], 'NextDueTime' : [ 0x8, ['unsigned long long']], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, ['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 'CancelTimeoutTicks' : [ 
0x12, ['unsigned short']], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PrivateDemandZero' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, 
['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_MI_PARTITION_MODWRITES' : [ 0x1d0, { 'AttemptForCantExtend' : [ 0x0, ['_MMPAGE_FILE_EXPANSION']], 'PageFileContract' : [ 0x38, ['_MMPAGE_FILE_EXPANSION']], 'NumberOfMappedMdls' : [ 0x70, ['unsigned long']], 'NumberOfMappedMdlsInUse' : [ 0x74, ['long']], 'NumberOfMappedMdlsInUsePeak' : [ 0x78, ['unsigned long']], 'MappedFileHeader' : [ 0x7c, ['_MMMOD_WRITER_LISTHEAD']], 'NeedMappedMdl' : [ 0x94, ['unsigned char']], 'NeedPageFileMdl' : [ 0x95, ['unsigned char']], 'TransitionInserted' : [ 0x96, ['unsigned char']], 'LastModifiedWriteError' : [ 0x98, ['long']], 'LastMappedWriteError' : [ 0x9c, ['long']], 'MappedFileWriteSucceeded' : [ 0xa0, ['unsigned long']], 'MappedWriteBurstCount' : [ 0xa4, ['unsigned long']], 'LowPriorityModWritesOutstanding' : [ 0xa8, ['unsigned long']], 'BoostModWriteIoPriorityEvent' : [ 0xac, ['_KEVENT']], 'ModifiedWriterThreadPriority' : [ 0xbc, ['long']], 'ModifiedPagesLowPriorityGoal' : [ 0xc0, ['unsigned long']], 'ModifiedPageWriterEvent' : [ 0xc4, ['_KEVENT']], 'ModifiedWriterExitedEvent' : [ 0xd4, ['_KEVENT']], 'WriteAllPagefilePages' : [ 0xe4, ['long']], 'WriteAllMappedPages' : [ 0xe8, ['long']], 'MappedPageWriterEvent' : [ 0xec, ['_KEVENT']], 'ModWriteData' : [ 0x100, ['_MI_MODWRITE_DATA']], 'RescanPageFilesEvent' : [ 0x130, ['_KEVENT']], 'PagingFileHeader' : [ 0x140, ['_MMMOD_WRITER_LISTHEAD']], 'ModifiedPageWriterThread' : [ 0x158, ['pointer', ['_ETHREAD']]], 'ModifiedPageWriterRundown' : [ 0x15c, ['_EX_RUNDOWN_REF']], 'PagefileScanWorkItem' : [ 0x160, ['_WORK_QUEUE_ITEM']], 'PagefileScanCount' : [ 0x170, ['unsigned long']], 'ClusterWritesDisabled' : [ 0x174, ['array', 2, ['long']]], 'NotifyStoreMemoryConditions' : [ 0x17c, ['_KEVENT']], 'DelayMappedWrite' : [ 0x18c, ['unsigned char']], 'PagefileReservationsEnabled' : [ 0x190, 
['unsigned long']], 'PageFileCreationLock' : [ 0x194, ['_EX_PUSH_LOCK']], 'TrimPagefileWorkItem' : [ 0x198, ['_WORK_QUEUE_ITEM']], 'LastTrimPagefileTime' : [ 0x1a8, ['unsigned long long']], 'WsSwapPagefileContractWorkItem' : [ 0x1b0, ['_WORK_QUEUE_ITEM']], 'WsSwapPageFileContractionInProgress' : [ 0x1c0, ['long']], 'WorkingSetSwapLock' : [ 0x1c4, ['_EX_PUSH_LOCK']], 'WorkingSetInswapLock' : [ 0x1c8, ['long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_OB_EXTENDED_PARSE_PARAMETERS' : [ 0xc, { 'Length' : [ 0x0, ['unsigned short']], 'RestrictedAccessMask' : [ 0x4, ['unsigned long']], 'Silo' : [ 0x8, ['pointer', ['_EJOB']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SubsectionMappedDirect' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', 
['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '_MMWORKING_SET_EXPANSION_HEAD' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], 
'_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_POP_FX_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['unsigned char']], 'DripsRequiredState' : [ 0x8, ['unsigned long']], 'Level' : [ 0xc, ['long']], 'ActiveStamp' : [ 0x10, ['long long']], 'CsActiveTime' : [ 0x18, ['unsigned long long']], 'CriticalActiveTime' : [ 0x20, ['long long']], } ], '_KSCHEDULING_GROUP_POLICY' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long']], 'Weight' : [ 0x0, ['unsigned short']], 
'MinRate' : [ 0x0, ['unsigned short']], 'MaxRate' : [ 0x2, ['unsigned short']], 'AllFlags' : [ 0x4, ['unsigned long']], 'Type' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare1' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_POP_POLICY_DEVICE' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x78, { 'SelectedCount' : [ 0x0, ['unsigned long long']], 'VetoCount' : [ 0x8, ['unsigned long long']], 'PreVetoCount' : [ 0x10, ['unsigned long long']], 'WrongProcessorCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, ['unsigned long long']], 'IdleDurationCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'PlatformOnlyCount' : [ 0x40, ['unsigned long long']], 'InterruptibleCount' : [ 0x48, ['unsigned 
long long']], 'LegacyOverrideCount' : [ 0x50, ['unsigned long long']], 'CstateCheckCount' : [ 0x58, ['unsigned long long']], 'NoCStateCount' : [ 0x60, ['unsigned long long']], 'CoordinatedDependencyCount' : [ 0x68, ['unsigned long long']], 'PreVetoAccounting' : [ 0x70, ['pointer', ['_PPM_VETO_ACCOUNTING']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '__unnamed_2800' : [ 0x4, { 'FlushCompleting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'FlushInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='long')]], 'Long' : [ 0x0, ['long']], } ], '_MI_PARTITION_STORES' : [ 0x58, { 'WriteAllStoreHintedPages' : [ 0x0, ['__unnamed_2800']], 'VirtualPageFileNumber' : [ 0x4, ['unsigned long']], 'Registered' : [ 0x8, ['unsigned long']], 'ReadClusterSizeMax' : [ 0xc, ['unsigned long']], 'EvictFlushRequestCount' : [ 0x10, ['unsigned long']], 'ModifiedWriteDisableCount' : [ 0x14, ['unsigned long']], 'WriteIssueFailures' : [ 0x18, ['unsigned long']], 'EvictionThread' : [ 0x1c, ['pointer', ['_ETHREAD']]], 'EvictEvent' : [ 0x20, ['_KEVENT']], 'EvictFlushCompleteEvent' : [ 0x30, ['_KEVENT']], 'WriteSupportSListHead' : [ 0x40, ['_SLIST_HEADER']], 'EvictFlushLock' : [ 0x48, ['long']], 'ModifiedWriteFailedBitmap' : [ 0x4c, ['pointer', ['_RTL_BITMAP']]], 'StoreProcess' : [ 0x50, ['pointer', ['_EPROCESS']]], } ], '_POP_FX_COMPONENT' : [ 0xc0, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x14, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x30, ['pointer', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x34, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x3c, ['long']], 'ActiveEvent' : [ 0x40, ['_KEVENT']], 
'IdleLock' : [ 0x50, ['unsigned long']], 'IdleConditionComplete' : [ 0x54, ['long']], 'IdleStateComplete' : [ 0x58, ['long']], 'IdleStamp' : [ 0x60, ['unsigned long long']], 'CurrentIdleState' : [ 0x68, ['unsigned long']], 'IdleStateCount' : [ 0x6c, ['unsigned long']], 'IdleStates' : [ 0x70, ['pointer', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0x74, ['unsigned long']], 'ProviderCount' : [ 0x78, ['unsigned long']], 'Providers' : [ 0x7c, ['pointer', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0x80, ['unsigned long']], 'DependentCount' : [ 0x84, ['unsigned long']], 'Dependents' : [ 0x88, ['pointer', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0x90, ['_POP_FX_ACCOUNTING']], 'Performance' : [ 0xb8, ['pointer', ['_POP_FX_PERF_INFO']]], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], } ], '_MMPAGE_FILE_EXPANSION' : [ 0x38, { 'Segment' : [ 0x0, ['pointer', 
['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'Partition' : [ 0xc, ['pointer', ['_MI_PARTITION']]], 'RequestedExpansionSize' : [ 0x10, ['unsigned long']], 'ActualExpansion' : [ 0x14, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'InProgress' : [ 0x28, ['long']], 'u' : [ 0x2c, ['_MMPAGE_FILE_EXPANSION_FLAGS']], 'ActiveEntry' : [ 0x30, ['pointer', ['pointer', ['void']]]], 'AttemptForCantExtend' : [ 0x34, ['unsigned char']], 'PageFileContract' : [ 0x35, ['unsigned char']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x4e, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'Unused' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', 
dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ForceCollision' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_HVIEW_MAP_PIN_LOG' : [ 0x308, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Entries' : [ 0x8, ['array', 16, ['_HVIEW_MAP_PIN_LOG_ENTRY']]], } ], '_IO_REMOVE_LOCK' : [ 0x18, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '__unnamed_282e' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_282e']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_MI_POOL_STATE' : [ 0x4e8, { 'MaximumNonPagedPoolThreshold' : [ 0x0, ['unsigned long']], 'NonPagedPoolSListMaximum' : [ 0x4, ['array', 3, ['unsigned long']]], 
'AllocatedNonPagedPool' : [ 0x10, ['unsigned long']], 'BadPoolHead' : [ 0x14, ['_SINGLE_LIST_ENTRY']], 'HighEventSets' : [ 0x18, ['unsigned long']], 'HighEventSetsValid' : [ 0x1c, ['unsigned char']], 'PoolFailures' : [ 0x20, ['array', 3, ['array', 3, ['unsigned long']]]], 'PoolFailureReasons' : [ 0x44, ['_MI_POOL_FAILURE_REASONS']], 'LowPagedPoolThreshold' : [ 0x70, ['unsigned long']], 'HighPagedPoolThreshold' : [ 0x74, ['unsigned long']], 'SpecialPoolPdesMax' : [ 0x78, ['long']], 'NonPagedPoolNodes' : [ 0x7c, ['array', 1024, ['unsigned char']]], 'PagedProtoPoolInfo' : [ 0x47c, ['_MM_PAGED_POOL_INFO']], 'PagedPoolSListMaximum' : [ 0x498, ['unsigned long']], 'PreemptiveTrims' : [ 0x49c, ['array', 4, ['unsigned long']]], 'SpecialPagesInUsePeak' : [ 0x4ac, ['unsigned long']], 'SpecialPoolRejected' : [ 0x4b0, ['array', 9, ['unsigned long']]], 'SpecialPagesNonPaged' : [ 0x4d4, ['unsigned long']], 'SpecialPoolPdes' : [ 0x4d8, ['long']], 'SessionSpecialPoolPdesMax' : [ 0x4dc, ['unsigned long']], 'TotalPagedPoolQuota' : [ 0x4e0, ['unsigned long']], 'TotalNonPagedPoolQuota' : [ 0x4e4, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x18, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x1a, ['unsigned short']], 'OperatingSystemVersion' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 
0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ComPlusPrefer32bit' : [ 0x23, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x1c, { 'SpinLock' : [ 0x0, ['unsigned long']], 'ConnectLock' : [ 0x4, ['_KEVENT']], 'LineMasked' : [ 0x14, ['unsigned char']], 'InterruptList' : [ 0x18, ['pointer', ['_KINTERRUPT']]], } ], '_PPM_SELECTION_DEPENDENCY' : [ 0xc, { 'Processor' : [ 0x0, ['unsigned long']], 'Menu' : [ 0x4, ['_PPM_SELECTION_MENU']], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, 
['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_MI_HARDWARE_STATE' : [ 0xc8, { 'NodeMask' : [ 0x0, ['unsigned long']], 'NodeGraph' : [ 0x4, ['pointer', ['unsigned short']]], 'SystemNodeInformation' : [ 0x8, ['pointer', ['_MI_SYSTEM_NODE_INFORMATION']]], 'NumaLastRangeIndex' : [ 0xc, ['unsigned long']], 'NumaMemoryRanges' : [ 0x10, ['pointer', ['_HAL_NODE_RANGE']]], 'NumaTableCaptured' : [ 0x14, ['unsigned char']], 'NodeShift' : [ 0x15, ['unsigned char']], 'ChannelMemoryRanges' : [ 0x18, ['pointer', ['_HAL_CHANNEL_MEMORY_RANGES']]], 'ChannelShift' : [ 0x1c, ['unsigned char']], 'SecondLevelCacheSize' : [ 0x20, ['unsigned long']], 'FirstLevelCacheSize' : [ 0x24, ['unsigned long']], 'PhysicalAddressBits' : [ 0x28, ['unsigned long']], 'AllMainMemoryMustBeCached' : [ 0x2c, ['unsigned char']], 'TotalPagesAllowed' : [ 0x30, ['unsigned long']], 'SecondaryColorMask' : [ 0x34, ['unsigned long']], 'SecondaryColors' : [ 0x38, ['unsigned long']], 'FlushTbForAttributeChange' : [ 0x3c, ['unsigned long']], 'FlushCacheForAttributeChange' : [ 0x40, ['unsigned long']], 'FlushCacheForPageAttributeChange' : [ 0x44, ['unsigned long']], 'CacheFlushPromoteThreshold' : [ 0x48, ['unsigned long']], 'FlushTbThreshold' : [ 0x4c, ['unsigned long']], 'OptimalZeroingAttribute' : [ 0x50, ['array', 4, ['array', -16, ['Enumeration', dict(target = 
'long', choices = {0: 'MiNonCached', 1: 'MiCached', 2: 'MiWriteCombined', 3: 'MiNotMapped'})]]]], 'AttributeChangeRequiresReZero' : [ 0x90, ['unsigned char']], 'ZeroCostCounts' : [ 0x98, ['array', 2, ['_MI_ZERO_COST_COUNTS']]], 'HighestPossiblePhysicalPage' : [ 0xb8, ['unsigned long']], 'EnclaveRegions' : [ 0xbc, ['_RTL_AVL_TREE']], 'VsmKernelPageCount' : [ 0xc0, ['unsigned long']], } ], '_PPM_VETO_ACCOUNTING' : [ 0x18, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x4, ['_LIST_ENTRY']], 'CsAccountingBlocks' : [ 0xc, ['unsigned char']], 'BlocksDrips' : [ 0xd, ['unsigned char']], 'PreallocatedVetoCount' : [ 0x10, ['unsigned long']], 'PreallocatedVetoList' : [ 0x14, ['pointer', ['_PPM_VETO_ENTRY']]], } ], '__unnamed_2859' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2859']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_SYSPTES_HEADER' : [ 0x8c, { 'ListHead' : [ 0x0, ['array', 16, ['_LIST_ENTRY']]], 'Count' : [ 0x80, ['unsigned long']], 'NumberOfEntries' : [ 0x84, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x88, ['unsigned long']], } ], '_MI_ERROR_STATE' : [ 0xa8, { 'BadMemoryEventEntry' : [ 0x0, ['_MI_BAD_MEMORY_EVENT_ENTRY']], 'ProbeRaises' : [ 0x28, ['_MI_PROBE_RAISE_TRACKER']], 'ForcedCommits' : [ 0x68, ['_MI_FORCED_COMMITS']], 'WsleFailures' : [ 0x70, ['array', 2, ['unsigned long']]], 'WsLinear' : [ 0x78, ['unsigned long']], 'PageHashErrors' : [ 0x7c, ['unsigned long']], 'CheckZeroCount' : [ 0x80, ['unsigned long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x84, ['long']], 'BadPagesDetected' : [ 0x88, ['long']], 'ScrubPasses' : [ 0x8c, ['long']], 'ScrubBadPagesFound' : [ 0x90, ['long']], 'UserViewFailures' : [ 0x94, ['unsigned long']], 'UserViewCollisionFailures' : [ 0x98, ['unsigned long']], 'ResavailFailures' : [ 0x9c, ['_MI_RESAVAIL_FAILURES']], 'PendingBadPages' : [ 0xa4, ['unsigned char']], 'InitFailure' : [ 0xa5, ['unsigned 
char']], 'StopBadMaps' : [ 0xa6, ['unsigned char']], } ], '_PROC_PERF_DOMAIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0x18, ['unsigned long']], 'EfficiencyClass' : [ 0x1c, ['unsigned char']], 'NominalPerformanceClass' : [ 0x1d, ['unsigned char']], 'HighestPerformanceClass' : [ 0x1e, ['unsigned char']], 'Spare' : [ 0x1f, ['unsigned char']], 'Processors' : [ 0x20, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0x24, ['pointer', ['void']]], 'TimeWindowHandler' : [ 0x28, ['pointer', ['void']]], 'BoostPolicyHandler' : [ 0x2c, ['pointer', ['void']]], 'BoostModeHandler' : [ 0x30, ['pointer', ['void']]], 'EnergyPerfPreferenceHandler' : [ 0x34, ['pointer', ['void']]], 'AutonomousActivityWindowHandler' : [ 0x38, ['pointer', ['void']]], 'AutonomousModeHandler' : [ 0x3c, ['pointer', ['void']]], 'ReinitializeHandler' : [ 0x40, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x44, ['pointer', ['void']]], 'PerfControlHandler' : [ 0x48, ['pointer', ['void']]], 'MaxFrequency' : [ 0x4c, ['unsigned long']], 'NominalFrequency' : [ 0x50, ['unsigned long']], 'MaxPercent' : [ 0x54, ['unsigned long']], 'MinPerfPercent' : [ 0x58, ['unsigned long']], 'MinThrottlePercent' : [ 0x5c, ['unsigned long']], 'MinimumRelativePerformance' : [ 0x60, ['unsigned long long']], 'NominalRelativePerformance' : [ 0x68, ['unsigned long long']], 'Coordination' : [ 0x70, ['unsigned char']], 'HardPlatformCap' : [ 0x71, ['unsigned char']], 'AffinitizeControl' : [ 0x72, ['unsigned char']], 'EfficientThrottle' : [ 0x73, ['unsigned char']], 'AutonomousMode' : [ 0x74, ['unsigned char']], 'SelectedPercent' : [ 0x78, ['unsigned long']], 'SelectedFrequency' : [ 0x7c, ['unsigned long']], 'DesiredPercent' : [ 0x80, ['unsigned long']], 'MaxPolicyPercent' : [ 0x84, ['unsigned long']], 'MinPolicyPercent' : [ 0x88, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x8c, ['unsigned long']], 
'ConstrainedMinPercent' : [ 0x90, ['unsigned long']], 'GuaranteedPercent' : [ 0x94, ['unsigned long']], 'TolerancePercent' : [ 0x98, ['unsigned long']], 'SelectedState' : [ 0xa0, ['unsigned long long']], 'PerfChangeTime' : [ 0xa8, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0xb0, ['unsigned long']], 'Force' : [ 0xb4, ['unsigned char']], 'ProvideGuidance' : [ 0xb5, ['unsigned char']], } ], '_MI_COMMON_PAGE_STATE' : [ 0x40, { 'PageOfOnesPfn' : [ 0x0, ['pointer', ['_MMPFN']]], 'PageOfOnes' : [ 0x4, ['unsigned long']], 'DummyPagePfn' : [ 0x8, ['pointer', ['_MMPFN']]], 'DummyPage' : [ 0xc, ['unsigned long']], 'PageOfZeroes' : [ 0x10, ['unsigned long']], 'ZeroMapping' : [ 0x14, ['pointer', ['void']]], 'OnesMapping' : [ 0x18, ['pointer', ['void']]], 'ZeroCrc' : [ 0x20, ['unsigned long long']], 'OnesCrc' : [ 0x28, ['unsigned long long']], 'BitmapGapFrames' : [ 0x30, ['array', 2, ['unsigned long']]], 'PfnGapFrames' : [ 0x38, ['array', 2, ['unsigned long']]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_HEAP_EXTENDED_ENTRY' : [ 0x8, { 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 
0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'IoTracker' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], 
'_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_POP_COOLING_EXTENSION' : [ 0x48, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'RequestListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['_POP_RW_LOCK']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'NotificationEntry' : [ 0x1c, ['pointer', ['void']]], 'Enabled' : [ 0x20, ['unsigned char']], 'ActiveEngaged' : [ 0x21, ['unsigned char']], 'ThrottleLimit' : [ 0x22, ['unsigned char']], 'UpdatingToCurrent' : [ 0x23, ['unsigned char']], 'RemovalFlushEvent' : [ 0x24, ['pointer', ['_KEVENT']]], 'PnpFlushEvent' : [ 0x28, ['pointer', ['_KEVENT']]], 'Interface' : [ 0x2c, ['_THERMAL_COOLING_INTERFACE']], } ], '__unnamed_2890' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_2890']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_POP_POWER_SETTING_VALUES' : [ 0x13c, { 'StructureSize' : [ 0x0, ['unsigned long']], 'PopPolicy' : [ 0x4, ['_SYSTEM_POWER_POLICY']], 'CurrentAcDcPowerState' : [ 0xec, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 
2: 'PoHot', 3: 'PoConditionMaximum'})]], 'AwayModeEnabled' : [ 0xf0, ['unsigned char']], 'AwayModeEngaged' : [ 0xf1, ['unsigned char']], 'AwayModePolicyAllowed' : [ 0xf2, ['unsigned char']], 'AwayModeIgnoreUserPresent' : [ 0xf4, ['long']], 'AwayModeIgnoreAction' : [ 0xf8, ['long']], 'DisableFastS4' : [ 0xfc, ['unsigned char']], 'DisableStandbyStates' : [ 0xfd, ['unsigned char']], 'UnattendSleepTimeout' : [ 0x100, ['unsigned long']], 'DiskIgnoreTime' : [ 0x104, ['unsigned long']], 'DeviceIdlePolicy' : [ 0x108, ['unsigned long']], 'VideoDimTimeout' : [ 0x10c, ['unsigned long']], 'VideoNormalBrightness' : [ 0x110, ['unsigned long']], 'VideoDimBrightness' : [ 0x114, ['unsigned long']], 'AlsOffset' : [ 0x118, ['unsigned long']], 'AlsEnabled' : [ 0x11c, ['unsigned long']], 'EsBrightness' : [ 0x120, ['unsigned long']], 'SwitchShutdownForced' : [ 0x124, ['unsigned char']], 'SystemCoolingPolicy' : [ 0x128, ['unsigned long']], 'MediaBufferingEngaged' : [ 0x12c, ['unsigned char']], 'OffloadedAudio' : [ 0x12d, ['unsigned char']], 'NonOffloadedAudio' : [ 0x12e, ['unsigned char']], 'FullscreenVideoPlayback' : [ 0x12f, ['unsigned char']], 'EsBatteryThreshold' : [ 0x130, ['unsigned long']], 'EsAggressive' : [ 0x134, ['unsigned char']], 'EsUserAwaySetting' : [ 0x135, ['unsigned char']], 'ConnectivityInStandby' : [ 0x138, ['unsigned long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x8, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'TaggedPercent' : [ 0x5, ['array', 2, ['unsigned char']]], } ], 
'_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_28a3' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_28a3']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_MI_ZERO_COST_COUNTS' : [ 0x10, { 'NativeSum' : [ 0x0, ['unsigned long long']], 'CachedSum' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x50, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x28, ['_KDPC']], 'WorkOrder' : [ 0x48, ['pointer', ['_POP_FX_WORK_ORDER']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '__unnamed_28b8' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_28b8']], } ], '__unnamed_28bc' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 
'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_28c0' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_28c2' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_28c4' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_28c6' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_28c8' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_28ca' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_28cc' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_28ce' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_28d0' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_28d2' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' 
: [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_28d4' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_28bc']], 'Memory' : [ 0x0, ['__unnamed_28bc']], 'Interrupt' : [ 0x0, ['__unnamed_28c0']], 'Dma' : [ 0x0, ['__unnamed_28c2']], 'DmaV3' : [ 0x0, ['__unnamed_28c4']], 'Generic' : [ 0x0, ['__unnamed_28bc']], 'DevicePrivate' : [ 0x0, ['__unnamed_28c6']], 'BusNumber' : [ 0x0, ['__unnamed_28c8']], 'ConfigData' : [ 0x0, ['__unnamed_28ca']], 'Memory40' : [ 0x0, ['__unnamed_28cc']], 'Memory48' : [ 0x0, ['__unnamed_28ce']], 'Memory64' : [ 0x0, ['__unnamed_28d0']], 'Connection' : [ 0x0, ['__unnamed_28d2']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_28d4']], } ], '_HEAP_UNPACKED_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x28, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 
0x1c, ['pointer', ['void']]], 'DvCallbacks' : [ 0x20, ['pointer', ['void']]], 'VerifierContext' : [ 0x24, ['pointer', ['void']]], } ], '_ETW_PROVIDER_TRAITS' : [ 0x14, { 'Node' : [ 0x0, ['_RTL_BALANCED_NODE']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'Traits' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_QUEUE_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x8, ['pointer', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0xc, ['pointer', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x10, ['pointer', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x14, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned short']], 'ReplyIndex' : [ 0x1a, ['unsigned short']], 'Flags' : [ 0x1c, ['unsigned long']], } ], '_MI_PARTITION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PageListsInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StoreReservedPagesCharged' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PureHoldingPartition' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0x58, { 'Count' : [ 0x0, ['unsigned long']], 'Vectors' : [ 0x8, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_NON_PAGED_DEBUG_INFO' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Machine' : [ 0x8, ['unsigned short']], 'Characteristics' : [ 0xa, ['unsigned short']], 'TimeDateStamp' : [ 0xc, ['unsigned long']], 'CheckSum' : [ 0x10, ['unsigned long']], 
'SizeOfImage' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Gate' : [ 0x8, ['_KGATE']], 'Event' : [ 0x8, ['_KEVENT']], } ], '__unnamed_28f8' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_28f8']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['_MODWRITER_FLAGS']], 'StoreWriteRefCount' : [ 0x18, ['unsigned long']], 'StoreWriteCompletionApc' : [ 0x1c, ['_KAPC']], 'ByteCount' : [ 0x4c, ['unsigned long']], 'ChargedPages' : [ 0x50, ['unsigned long']], 'PagingFile' : [ 0x54, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x58, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x5c, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x60, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x70, ['_LARGE_INTEGER']], 'Partition' : [ 0x78, ['pointer', ['_MI_PARTITION']]], 'PointerMdl' : [ 0x7c, ['pointer', ['_MDL']]], 'Mdl' : [ 0x80, ['_MDL']], 'Page' : [ 0x9c, ['array', 1, ['unsigned long']]], } ], '_NONOPAQUE_OPLOCK' : [ 0x50, { 'IrpExclusiveOplock' : [ 0x0, ['pointer', ['_IRP']]], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x8, ['pointer', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'WaiterPriority' : [ 0x10, ['unsigned char']], 'IrpOplocksR' : [ 0x14, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x1c, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x24, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x2c, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x34, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x3c, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x44, ['pointer', ['_GUID']]], 'OplockState' : [ 0x48, ['unsigned long']], 'FastMutex' : [ 0x4c, ['pointer', 
['_FAST_MUTEX']]], } ], '__unnamed_2901' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_2902' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2901']], 'Merged' : [ 0x10, ['__unnamed_2902']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '__unnamed_2906' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_2908' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_290a' : [ 0xc, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_290c' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_290a']], 'Translated' : [ 0x0, ['__unnamed_2908']], } ], '__unnamed_290e' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_2910' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_2912' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_2914' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_2916' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 
'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_2918' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_291a' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_291c' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_2906']], 'Port' : [ 0x0, ['__unnamed_2906']], 'Interrupt' : [ 0x0, ['__unnamed_2908']], 'MessageInterrupt' : [ 0x0, ['__unnamed_290c']], 'Memory' : [ 0x0, ['__unnamed_2906']], 'Dma' : [ 0x0, ['__unnamed_290e']], 'DmaV3' : [ 0x0, ['__unnamed_2910']], 'DevicePrivate' : [ 0x0, ['__unnamed_28c6']], 'BusNumber' : [ 0x0, ['__unnamed_2912']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_2914']], 'Memory40' : [ 0x0, ['__unnamed_2916']], 'Memory48' : [ 0x0, ['__unnamed_2918']], 'Memory64' : [ 0x0, ['__unnamed_291a']], 'Connection' : [ 0x0, ['__unnamed_28d2']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_291c']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_ETW_FILTER_EVENT_NAME_DATA' : [ 0x28, { 'FilterIn' : [ 0x0, ['unsigned char']], 'Level' : [ 0x1, ['unsigned char']], 'MatchAnyKeyword' : [ 0x8, ['unsigned long long']], 'MatchAllKeyword' : [ 0x10, ['unsigned long long']], 'NameTable' : [ 0x18, ['_RTL_HASH_TABLE']], } ], '_MI_VISIBLE_STATE' : [ 0x880, { 'SpecialPool' : [ 0x0, ['_MI_SPECIAL_POOL']], 'SessionWsList' : [ 0x48, ['_LIST_ENTRY']], 'SessionIdBitmap' : [ 0x50, ['pointer', ['_RTL_BITMAP']]], 'PagedPoolInfo' : [ 0x54, ['_MM_PAGED_POOL_INFO']], 
'MaximumNonPagedPoolInPages' : [ 0x70, ['unsigned long']], 'SizeOfPagedPoolInPages' : [ 0x74, ['unsigned long']], 'SystemPteInfo' : [ 0x78, ['_MI_SYSTEM_PTE_TYPE']], 'NonPagedPoolCommit' : [ 0xb0, ['unsigned long']], 'BootCommit' : [ 0xb4, ['unsigned long']], 'MdlPagesAllocated' : [ 0xb8, ['unsigned long']], 'SystemPageTableCommit' : [ 0xbc, ['unsigned long']], 'SpecialPagesInUse' : [ 0xc0, ['unsigned long']], 'WsOverheadPages' : [ 0xc4, ['unsigned long']], 'VadBitmapPages' : [ 0xc8, ['unsigned long']], 'ProcessCommit' : [ 0xcc, ['unsigned long']], 'SharedCommit' : [ 0xd0, ['unsigned long']], 'DriverCommit' : [ 0xd4, ['long']], 'SystemWs' : [ 0x100, ['array', 3, ['_MMSUPPORT_FULL']]], 'SystemCacheShared' : [ 0x2c0, ['_MMSUPPORT_SHARED']], 'MapCacheFailures' : [ 0x2e4, ['unsigned long']], 'PagefileHashPages' : [ 0x2e8, ['unsigned long']], 'PteHeader' : [ 0x2ec, ['_SYSPTES_HEADER']], 'SessionSpecialPool' : [ 0x378, ['pointer', ['_MI_SPECIAL_POOL']]], 'SystemVaTypeCount' : [ 0x37c, ['array', 15, ['unsigned long']]], 'SystemVaType' : [ 0x3b8, ['array', 1024, ['unsigned char']]], 'SystemVaTypeCountFailures' : [ 0x7b8, ['array', 15, ['unsigned long']]], 'SystemVaTypeCountLimit' : [ 0x7f4, ['array', 15, ['unsigned long']]], 'SystemVaTypeCountPeak' : [ 0x830, ['array', 15, ['unsigned long']]], 'SystemAvailableVa' : [ 0x86c, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_CM_COMPONENT_HASH' : [ 0x4, { 'Hash' : [ 0x0, ['unsigned 
long']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Xcr0' : [ 0x3c, ['unsigned long long']], 'ExceptionList' : [ 0x44, ['unsigned long']], 'Reserved' : [ 0x48, ['array', 3, ['unsigned long']]], } ], '_RH_OP_CONTEXT' : [ 0x24, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x8, ['pointer', ['_IRP']]], 'OplockRequestFileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x14, ['pointer', ['_ETHREAD']]], 'Flags' : [ 0x18, ['unsigned long']], 'AtomicLinks' : [ 0x1c, ['_LIST_ENTRY']], } ], '_MSUBSECTION' : [ 0x44, { 'Core' : [ 0x0, ['_SUBSECTION']], 'SubsectionNode' : [ 0x28, ['_RTL_BALANCED_NODE']], 'DereferenceList' : [ 0x34, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x3c, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x40, ['unsigned long']], } ], '_PROC_PERF_CHECK' : [ 0xc0, { 'LastActive' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'LastStall' : [ 0x10, ['unsigned long long']], 'Snap' : [ 0x18, ['_PROC_PERF_CHECK_SNAP']], 'TempSnap' : [ 0x68, ['_PROC_PERF_CHECK_SNAP']], 'TaggedThreadPercent' : [ 0xb8, ['array', 2, ['unsigned char']]], 'Class0FloorPerfSelection' : [ 0xba, ['unsigned char']], 'Class1MinimumPerfSelection' : [ 0xbb, ['unsigned char']], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'ModifiedStoreWrite' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], } ], '_MMWSL_FULL' : [ 0x120, { 'Instance' : [ 0x0, ['_MMWSL_INSTANCE']], 'Shared' : [ 0xe0, ['_MMWSL_SHARED']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x104, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'Order' : [ 0x1c, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0xec, ['_LIST_ENTRY']], 'Status' : [ 0xf4, ['long']], 'FailedDevice' : [ 0xf8, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0xfc, ['unsigned char']], 'Cancelled' : [ 0xfd, ['unsigned char']], 'IgnoreErrors' : [ 0xfe, ['unsigned char']], 'IgnoreNotImplemented' : [ 0xff, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x100, ['unsigned char']], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_XSTATE_FEATURE' : [ 
0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x60, { 'FileName' : [ 0x0, ['pointer', ['wchar']]], 'BaseName' : [ 0x4, ['pointer', ['wchar']]], 'RegRootName' : [ 0x8, ['pointer', ['wchar']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], 'FilePath' : [ 0x58, ['_UNICODE_STRING']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0xd0, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_PPM_VETO_ENTRY' : [ 0x38, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'VetoReason' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'HitCount' : [ 0x10, ['unsigned long long']], 'LastActivationTime' : [ 0x18, ['unsigned long long']], 'TotalActiveTime' : [ 0x20, ['unsigned long long']], 'CsActivationTime' : [ 0x28, ['unsigned long long']], 'CsActiveTime' : [ 0x30, ['unsigned long long']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_BAD_MEMORY_EVENT_ENTRY' : [ 0x28, { 'BugCheckCode' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['long']], 'Data' : [ 0x8, ['unsigned long']], 'PhysicalAddress' : [ 0x10, ['_LARGE_INTEGER']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], 
'_KWAIT_CHAIN_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Event' : [ 0x4, ['_KEVENT']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_TOKEN_PRIVILEGES' : [ 0x10, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Privileges' : [ 0x4, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned char']], 'LayerSemantics' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Spare1' : [ 0xd, ['BitField', dict(start_bit = 2, end_bit = 7, native_type='unsigned char')]], 'InheritClass' : [ 0xd, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0xe, ['unsigned short']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : 
[ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x14, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x4, ['_RTL_BITMAP']], 'HashTable' : [ 0xc, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x10, ['unsigned char']], } ], '_MMDEREFERENCE_SEGMENT_HEADER' : [ 0x1c, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'ListHead' : [ 0x14, ['_LIST_ENTRY']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_2978' : [ 0x4, { 'ChannelsHotCold' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_MI_NODE_INFORMATION' : [ 0xbc, { 'LargePageFreeCount' : [ 0x0, ['array', 2, ['array', 2, ['unsigned long']]]], 'LargePages' : [ 0x10, ['array', 2, ['array', 2, ['array', 2, ['array', 1, ['_LIST_ENTRY']]]]]], 
'LargePagesCount' : [ 0x50, ['array', 2, ['array', 2, ['array', 2, ['array', 1, ['unsigned long']]]]]], 'LargePageRebuildTimer' : [ 0x70, ['_MI_REBUILD_LARGE_PAGE_TIMER']], 'FreeCount' : [ 0x8c, ['array', 2, ['unsigned long']]], 'TotalPages' : [ 0x94, ['array', 1, ['unsigned long']]], 'TotalPagesEntireNode' : [ 0x98, ['unsigned long']], 'MmShiftedColor' : [ 0x9c, ['unsigned long']], 'Color' : [ 0xa0, ['unsigned long']], 'ChannelFreeCount' : [ 0xa4, ['array', 1, ['array', 2, ['unsigned long']]]], 'Flags' : [ 0xac, ['__unnamed_2978']], 'NodeLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'ChannelStatus' : [ 0xb4, ['unsigned char']], 'ChannelOrdering' : [ 0xb5, ['array', 1, ['unsigned char']]], 'LockedChannelOrdering' : [ 0xb6, ['array', 1, ['unsigned char']]], 'PowerAttribute' : [ 0xb7, ['array', 1, ['unsigned char']]], 'LargePageLock' : [ 0xb8, ['unsigned long']], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_TRIAGE_POP_FX_DEVICE' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'IrpData' : [ 0xc, ['pointer', ['_TRIAGE_POP_IRP_DATA']]], 'Status' : [ 0x10, ['long']], 'PowerReqCall' : [ 0x14, ['long']], 'PowerNotReqCall' : [ 0x18, ['long']], 'DeviceNode' : [ 0x1c, ['pointer', ['_TRIAGE_DEVICE_NODE']]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 
'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '_MI_SYSTEM_NODE_INFORMATION' : [ 0xb0, { 'PagedPoolSListHead' : 
[ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'NonPagedPoolSListHeadNx' : [ 0x20, ['array', 3, ['_SLIST_HEADER']]], 'CachedKernelStacks' : [ 0x38, ['array', 2, ['_CACHED_KSTACK_LIST']]], 'NonPagedPoolLowestPage' : [ 0x68, ['unsigned long']], 'NonPagedPoolHighestPage' : [ 0x6c, ['unsigned long']], 'AllocatedNonPagedPool' : [ 0x70, ['unsigned long']], 'PartialLargePoolRegions' : [ 0x74, ['unsigned long']], 'PagesInPartialLargePoolRegions' : [ 0x78, ['unsigned long']], 'CachedNonPagedPoolCount' : [ 0x7c, ['unsigned long']], 'NonPagedPoolSpinLock' : [ 0x80, ['unsigned long']], 'CachedNonPagedPool' : [ 0x84, ['pointer', ['_MMPFN']]], 'NonPagedPoolFirstVa' : [ 0x88, ['pointer', ['void']]], 'NonPagedPoolLastVa' : [ 0x8c, ['pointer', ['void']]], 'NonPagedBitMap' : [ 0x90, ['array', 3, ['_RTL_BITMAP']]], 'NonPagedHint' : [ 0xa8, ['array', 2, ['unsigned long']]], } ], '_MI_PAGE_COMBINING_SUPPORT' : [ 0xd8, { 'Partition' : [ 0x0, ['pointer', ['_MI_PARTITION']]], 'ArbitraryPfnMapList' : [ 0x4, ['_LIST_ENTRY']], 'FreeCombinePoolItem' : [ 0xc, ['_MI_COMBINE_WORKITEM']], 'CombiningThreadCount' : [ 0x20, ['unsigned long']], 'CombinePageFreeList' : [ 0x24, ['_LIST_ENTRY']], 'CombineFreeListLock' : [ 0x2c, ['unsigned long']], 'CombinePageListHeads' : [ 0x30, ['array', 16, ['_MI_COMBINE_PAGE_LISTHEAD']]], 'PageCombineStats' : [ 0xb0, ['_MI_PAGE_COMBINE_STATISTICS']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x38, { 'BadPageCount' : [ 0x0, ['unsigned long']], 'BadPagesDetected' : [ 0x4, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x8, ['long']], 'ScrubPasses' : [ 0xc, ['long']], 'ScrubBadPagesFound' : [ 0x10, ['long']], 'PageHashErrors' : [ 0x14, ['unsigned long']], 'FeatureBits' : [ 0x18, ['unsigned long long']], 'TimeZoneId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['_MI_FLAGS']], 'VsmConnection' : [ 0x28, ['pointer', ['void']]], 'ExceptionChainTerminator' : [ 0x2c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 
'ExceptionChainTerminatorRecord' : [ 0x30, ['_EXCEPTION_REGISTRATION_RECORD']], } ], '_MI_FORCED_COMMITS' : [ 0x8, { 'Regular' : [ 0x0, ['unsigned long']], 'Wrap' : [ 0x4, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x10, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0xc, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_MI_ACTIVE_WSLE_LISTHEAD' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_MI_REBUILD_LARGE_PAGE_TIMER' : [ 0x1c, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'SecondsLeft' : [ 0x10, ['unsigned char']], 'RebuildActive' : [ 0x11, ['unsigned char']], 'NextPassDelta' : [ 0x12, ['unsigned char']], 'LargeSubPagesActive' : [ 0x13, ['unsigned char']], 'SequenceNumber' : [ 0x14, ['unsigned long']], 'WaitList' : [ 0x18, ['pointer', ['_MI_LARGE_PAGE_REBUILD_WAIT_BLOCK']]], } ], '_MI_IO_PAGE_STATE' : [ 0x40, { 'IoPfnLock' : [ 0x0, ['unsigned long']], 'IoPfnRoot' : [ 0x4, ['array', 3, ['_RTL_AVL_TREE']]], 'UnusedCachedMaps' : [ 0x10, ['_LIST_ENTRY']], 'OldestCacheFlushTimeStamp' : [ 0x18, ['unsigned long']], 'IoCacheStats' : [ 0x1c, ['_MI_IO_CACHE_STATS']], 'InvariantIoSpace' : [ 0x3c, ['_RTL_AVL_TREE']], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_29b8' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x18, { 'SessionProtoNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeList' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'DriverAddress' : [ 0x0, ['pointer', 
['void']]], 'SessionId' : [ 0xc, ['unsigned long']], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'u2' : [ 0x14, ['__unnamed_29b8']], } ], '_TOKEN_MANDATORY_POLICY' : [ 0x4, { 'Policy' : [ 0x0, ['unsigned long']], } ], '_MI_MODWRITE_DATA' : [ 0x30, { 'PagesLoad' : [ 0x0, ['long']], 'PagesAverage' : [ 0x4, ['unsigned long']], 'AverageAvailablePages' : [ 0x8, ['unsigned long']], 'PagesWritten' : [ 0xc, ['unsigned long']], 'WritesIssued' : [ 0x10, ['unsigned long']], 'IgnoredReservationsCount' : [ 0x14, ['unsigned long']], 'FreedReservationsCount' : [ 0x18, ['unsigned long']], 'WriteBurstCount' : [ 0x1c, ['unsigned long']], 'IgnoreReservationsStartTime' : [ 0x20, ['unsigned long long']], 'ReservationClusterInfo' : [ 0x28, ['_MI_RESERVATION_CLUSTER_INFO']], 'IgnoreReservations' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'Spare1' : [ 0x2e, ['unsigned short']], } ], '_PROC_IDLE_POLICY' : [ 0x6, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], 'ForceLightIdle' : [ 0x5, ['unsigned char']], } ], '_MI_RESAVAIL_FAILURES' : [ 0x8, { 'Wrap' : [ 0x0, ['unsigned long']], 'NoCharge' : [ 0x4, ['unsigned long']], } ], '_ALPC_WORK_ON_BEHALF_TICKET' : [ 0x8, { 'ThreadId' : [ 0x0, ['unsigned long']], 'ThreadCreationTimeLow' : [ 0x4, ['unsigned long']], } ], '_PO_HIBER_PERF' : [ 0x1e8, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long 
long']], 'HiberChecksumTicks' : [ 0x30, ['unsigned long long']], 'HiberChecksumIoTicks' : [ 0x38, ['unsigned long long']], 'TotalHibernateTime' : [ 0x40, ['_LARGE_INTEGER']], 'HibernateCompleteTimestamp' : [ 0x48, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x50, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x54, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x58, ['unsigned long']], 'ResumeAppTicks' : [ 0x60, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x68, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x70, ['unsigned long long']], 'ResumeInitTicks' : [ 0x78, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x80, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x88, ['unsigned long long']], 'ResumeIoTicks' : [ 0x90, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x98, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0xa0, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0xa8, ['unsigned long long']], 'ResumeMapTicks' : [ 0xb0, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xb8, ['unsigned long long']], 'ResumeChecksumTicks' : [ 0xc0, ['unsigned long long']], 'ResumeChecksumIoTicks' : [ 0xc8, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xd0, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xd8, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xe0, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xe8, ['unsigned long long']], 'HalTscOffset' : [ 0xf0, ['unsigned long long']], 'HvlTscOffset' : [ 0xf8, ['unsigned long long']], 'SleeperThreadEnd' : [ 0x100, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0x108, ['unsigned long long']], 'IoBoundedness' : [ 0x110, ['unsigned long long']], 'KernelDecompressTicks' : [ 0x118, ['unsigned long long']], 'KernelIoTicks' : [ 0x120, ['unsigned long long']], 'KernelCopyTicks' : [ 0x128, ['unsigned long long']], 'ReadCheckCount' : [ 0x130, ['unsigned long long']], 'KernelInitTicks' : [ 0x138, ['unsigned long long']], 
'KernelResumeHiberFileTicks' : [ 0x140, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x148, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x150, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x158, ['unsigned long long']], 'KernelChecksumTicks' : [ 0x160, ['unsigned long long']], 'KernelChecksumIoTicks' : [ 0x168, ['unsigned long long']], 'AnimationStart' : [ 0x170, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x178, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x180, ['unsigned long']], 'SecurePagesProcessed' : [ 0x188, ['unsigned long long']], 'BootPagesProcessed' : [ 0x190, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x198, ['unsigned long long']], 'BootBytesWritten' : [ 0x1a0, ['unsigned long long']], 'KernelBytesWritten' : [ 0x1a8, ['unsigned long long']], 'BootPagesWritten' : [ 0x1b0, ['unsigned long long']], 'KernelPagesWritten' : [ 0x1b8, ['unsigned long long']], 'BytesWritten' : [ 0x1c0, ['unsigned long long']], 'PagesWritten' : [ 0x1c8, ['unsigned long']], 'FileRuns' : [ 0x1cc, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x1d0, ['unsigned long']], 'MaxHuffRatio' : [ 0x1d4, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x1d8, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1e0, ['unsigned long long']], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 
'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 
'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1e, { 'PerUserPolicy' : [ 0x0, ['array', 30, ['unsigned char']]], } ], '_MI_PROBE_RAISE_TRACKER' : [ 0x40, { 'UserRangeInKernel' : [ 0x0, ['unsigned long']], 'FaultFailed' : [ 0x4, ['unsigned long']], 'WriteFaultFailed' : [ 0x8, ['unsigned long']], 'LargePageFailed' : [ 0xc, ['unsigned long']], 'UserAccessToKernelPte' : [ 0x10, ['unsigned long']], 'BadPageLocation' : [ 0x14, ['unsigned long']], 'InsufficientCharge' : [ 0x18, ['unsigned long']], 'PageTableCharge' : [ 0x1c, ['unsigned long']], 'NoPhysicalMapping' : [ 0x20, ['unsigned long']], 'NoIoReference' : [ 0x24, ['unsigned long']], 'ProbeFailed' : [ 0x28, ['unsigned long']], 'PteIsZero' : [ 0x2c, ['unsigned long']], 'StrongCodeWrite' : [ 0x30, ['unsigned long']], 'ReducedCloneCommitChargeFailed' : [ 0x34, ['unsigned long']], 'CopyOnWriteAtDispatchNoPages' : [ 0x38, ['unsigned long']], 'EnclavePageFailed' : [ 0x3c, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '__unnamed_29de' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_29e0' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_29e3' : [ 0x8, { 'IntrInfo' : [ 0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_29e7' : [ 0x4, { 'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], 
} ], '_INTERRUPT_VECTOR_DATA' : [ 0x50, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x14, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x20, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x30, ['__unnamed_29de']], 'HvDeviceId' : [ 0x38, ['unsigned long long']], 'XapicMessage' : [ 0x40, ['__unnamed_29e0']], 'Hypertransport' : [ 0x40, ['__unnamed_29e3']], 'GenericMessage' : [ 0x40, ['__unnamed_29e0']], 'MessageRequest' : [ 0x40, ['__unnamed_29e7']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['_CM_COMPONENT_HASH']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_LDR_DDAG_NODE' : [ 0x2c, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x8, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0xc, ['unsigned long']], 'LoadWhileUnloadingCount' : [ 0x10, ['unsigned long']], 'LowestLink' : [ 0x14, ['unsigned long']], 'Dependencies' : [ 0x18, ['_LDRP_CSLIST']], 'IncomingDependencies' : [ 0x1c, ['_LDRP_CSLIST']], 'State' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 
'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x28, ['unsigned long']], } ], '_DUMP_STACK_CONTEXT' : [ 0x100, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xc0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xc8, ['pointer', ['void']]], 'PointersLength' : [ 0xcc, ['unsigned long']], 'ModulePrefix' : [ 0xd0, ['pointer', ['wchar']]], 'DriverList' : [ 0xd4, ['_LIST_ENTRY']], 'InitMsg' : [ 0xdc, ['_STRING']], 'ProgMsg' : [ 0xe4, ['_STRING']], 'DoneMsg' : [ 0xec, ['_STRING']], 'FileObject' : [ 0xf4, ['pointer', ['void']]], 'UsageType' : [ 0xf8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_HAL_NODE_RANGE' : [ 0x8, { 'PageFrameIndex' : [ 0x0, ['unsigned long']], 'Node' : [ 0x4, ['unsigned long']], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], 
'_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '_MI_PAGEFILE_BITMAPS_CACHE_ENTRY' : [ 0x20, { 'LengthTreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_LIST_ENTRY']], 'LocationTreeNode' : [ 0xc, ['_RTL_BALANCED_NODE']], 'StartingIndex' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], } ], '_MI_RESUME_WORKITEM' : [ 0x20, { 'ResumeCompleteEvent' : [ 0x0, ['_KEVENT']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '__unnamed_2a08' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_2a0a' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2a0c' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceId' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_2a0e' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_2a10' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_2a12' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_2a14' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_2a16' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2a18' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned 
long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_2a1a' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_2a08']], 'TargetDevice' : [ 0x0, ['__unnamed_2a0a']], 'InstallDevice' : [ 0x0, ['__unnamed_2a0a']], 'CustomNotification' : [ 0x0, ['__unnamed_2a0c']], 'ProfileNotification' : [ 0x0, ['__unnamed_2a0e']], 'PowerNotification' : [ 0x0, ['__unnamed_2a10']], 'VetoNotification' : [ 0x0, ['__unnamed_2a12']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_2a14']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_2a16']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_2a18']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_2a0a']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_2a0a']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x44, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_2a1a']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], '_HVIEW_MAP_DIRECTORY' : [ 0x200, { 'Tables' : [ 0x0, ['array', 128, ['pointer', ['_HVIEW_MAP_TABLE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], 'AllStacksInUse' : [ 0x14, ['unsigned long']], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_HAL_CHANNEL_MEMORY_RANGES' : [ 0xc, { 'PageFrameIndex' : [ 0x0, ['unsigned long']], 'MpnId' : [ 0x4, ['unsigned short']], 'Node' : [ 0x6, ['unsigned short']], 'Channel' : [ 0x8, ['unsigned short']], 'IsPowerManageable' : [ 0xa, ['unsigned char']], 'DeepPowerState' : [ 0xb, ['unsigned char']], } ], '_MI_LARGE_PAGE_REBUILD_WAIT_BLOCK' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_LARGE_PAGE_REBUILD_WAIT_BLOCK']]], 'Gate' : [ 0x4, ['_KGATE']], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x50, { 'Prcb' : [ 0x0, ['pointer', ['_KPRCB']]], 'PerfContext' : [ 0x4, ['unsigned long']], 'ProcCap' : [ 0x8, ['unsigned long']], 'ProcFloor' : [ 0xc, ['unsigned long']], 'PlatformCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'LimitReasons' : [ 0x18, ['unsigned long']], 
'PlatformCapStartTime' : [ 0x20, ['unsigned long long']], 'TargetPercent' : [ 0x28, ['unsigned long']], 'SelectedPercent' : [ 0x2c, ['unsigned long']], 'SelectedFrequency' : [ 0x30, ['unsigned long']], 'PreviousFrequency' : [ 0x34, ['unsigned long']], 'PreviousPercent' : [ 0x38, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x3c, ['unsigned long']], 'SelectedState' : [ 0x40, ['unsigned long long']], 'Force' : [ 0x48, ['unsigned char']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3e0, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa0, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x18, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x8, { 'DeviceHandle' : [ 0x0, ['pointer', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x4, ['pointer', ['void']]], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x288, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit 
= 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x2a4, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, ['unsigned long']], 
'PackageDependencyData' : [ 0x298, ['pointer', ['void']]], 'ProcessGroupId' : [ 0x29c, ['unsigned long']], 'LoaderThreads' : [ 0x2a0, ['unsigned long']], } ], '_MI_IO_CACHE_STATS' : [ 0x20, { 'UnusedBlocks' : [ 0x0, ['unsigned long']], 'ActiveCacheMatch' : [ 0x4, ['unsigned long']], 'ActiveCacheOverride' : [ 0x8, ['unsigned long']], 'UnmappedCacheFlush' : [ 0xc, ['unsigned long']], 'UnmappedCacheMatch' : [ 0x10, ['unsigned long']], 'UnmappedCacheConflict' : [ 0x14, ['unsigned long']], 'PermanentIoAttributeConflict' : [ 0x18, ['unsigned long']], 'PermanentIoNodeConflict' : [ 0x1c, ['unsigned long']], } ], '__unnamed_2a60' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2a62' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2a64' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2a60']], 'Gpt' : [ 0x0, ['__unnamed_2a62']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xc0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MarkMemoryOnly' : [ 0x45, ['unsigned char']], 'HiberResume' : [ 0x46, ['unsigned char']], 'Reserved1' : [ 0x47, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 
0x5c, ['__unnamed_2a64']], 'ReadRoutine' : [ 0x6c, ['pointer', ['void']]], 'GetDriveTelemetryRoutine' : [ 0x70, ['pointer', ['void']]], 'LogSectionTruncateSize' : [ 0x74, ['unsigned long']], 'Parameters' : [ 0x78, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xb8, ['pointer', ['void']]], 'DumpNotifyRoutine' : [ 0xbc, ['pointer', ['void']]], } ], '_THERMAL_COOLING_INTERFACE' : [ 0x1c, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'Flags' : [ 0x10, ['unsigned long']], 'ActiveCooling' : [ 0x14, ['pointer', ['void']]], 'PassiveCooling' : [ 0x18, ['pointer', ['void']]], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_POP_FX_PERF_INFO' : [ 0x60, { 'Component' : [ 0x0, ['pointer', ['_POP_FX_COMPONENT']]], 'CompletedEvent' : [ 0x4, ['_KEVENT']], 'ComponentPerfState' : [ 0x14, ['pointer', ['void']]], 'Flags' : [ 0x18, ['_POP_FX_PERF_FLAGS']], 'LastChange' : [ 0x1c, ['pointer', ['_PO_FX_PERF_STATE_CHANGE']]], 'LastChangeCount' : [ 0x20, ['unsigned long']], 'LastChangeStamp' : [ 0x28, ['unsigned long long']], 'LastChangeNominal' : [ 0x30, ['unsigned char']], 'PepRegistered' : [ 0x31, ['unsigned char']], 'QueryOnIdleStates' : [ 0x32, ['unsigned char']], 'RequestDriverContext' : [ 0x34, ['pointer', ['void']]], 'WorkOrder' : [ 0x38, ['_POP_FX_WORK_ORDER']], 'SetsCount' : [ 0x54, ['unsigned long']], 'Sets' : [ 0x58, ['pointer', ['_POP_FX_PERF_SET']]], } ], '_MMPAGE_FILE_EXPANSION_FLAGS' : [ 0x4, { 'PageFileNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned 
char')]], 'IgnoreCurrentCommit' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreaseMinimumSize' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare3' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x4, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 11, native_type='unsigned long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_TRIAGE_POP_IRP_DATA' : [ 0x10, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'Pdo' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_2a8e' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_2a90' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_2a92' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_2a94' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_2a8e']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_2a90']], 'Raw' : [ 0x0, ['__unnamed_2a92']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x28, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'Operation' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0x8, ['__unnamed_2a94']], 'Stack' : [ 0x10, ['array', 6, ['pointer', ['void']]]], } ], '_MI_COMBINE_PAGE_LISTHEAD' : [ 0x8, { 'Table' : [ 0x0, ['_RTL_AVL_TREE']], 'Lock' : [ 0x4, ['long']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x14, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer', 
['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x4, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0xc, ['_RTL_BITMAP']], 'EvictedBitmap' : [ 0xc, ['_RTL_BITMAP']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2aa2' : [ 0x4, { 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2aa4' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2aa2']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2aa7' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2aa9' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2aa7']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, 
['__unnamed_2aa4']], 'HighPart' : [ 0x4, ['__unnamed_2aa9']], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x70, { 'UncompressedData' : [ 0x0, ['pointer', ['unsigned char']]], 'MappingVa' : [ 0x4, ['pointer', ['void']]], 'XpressEncodeWorkspace' : [ 0x8, ['pointer', ['void']]], 'CompressedDataBuffer' : [ 0xc, ['pointer', ['unsigned char']]], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'CompressTicks' : [ 0x18, ['unsigned long long']], 'BytesCopied' : [ 0x20, ['unsigned long long']], 'PagesProcessed' : [ 0x28, ['unsigned long long']], 'DecompressTicks' : [ 0x30, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x38, ['unsigned long long']], 'SharedBufferTicks' : [ 0x40, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x48, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x68, ['unsigned long']], 'HuffCompressCount' : [ 0x6c, ['unsigned long']], } ], '_PROC_PERF_CHECK_SNAP' : [ 0x50, { 'Time' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned long long']], 'Stall' : [ 0x10, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x18, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledKernelActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], 'TaggedThreadCycles' : [ 0x40, ['array', 2, ['unsigned long long']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_HVIEW_MAP_PIN_LOG_ENTRY' : [ 0x30, { 'ViewOffset' : [ 0x0, ['unsigned long']], 'Pinned' : [ 0x4, 
['unsigned char']], 'PinMask' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer', ['_KTHREAD']]], 'Stack' : [ 0x14, ['array', 6, ['pointer', ['void']]]], } ], '_MI_COMBINE_WORKITEM' : [ 0x14, { 'NextEntry' : [ 0x0, ['pointer', ['void']]], 'WorkItem' : [ 0x4, ['_WORK_QUEUE_ITEM']], } ], '_PNP_RESOURCE_CONFLICT_TRACE_CONTEXT' : [ 0x10, { 'ResourceType' : [ 0x0, ['unsigned char']], 'AlternativeCount' : [ 0x4, ['unsigned long']], 'ResourceRequests' : [ 0x8, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ArbiterInstance' : [ 0xc, ['pointer', ['void']]], } ], '_MI_POOL_FAILURE_REASONS' : [ 0x2c, { 'NonPagedNoPtes' : [ 0x0, ['unsigned long']], 'PriorityTooLow' : [ 0x4, ['unsigned long']], 'NonPagedNoPagesAvailable' : [ 0x8, ['unsigned long']], 'PagedNoPtes' : [ 0xc, ['unsigned long']], 'SessionPagedNoPtes' : [ 0x10, ['unsigned long']], 'PagedNoPagesAvailable' : [ 0x14, ['unsigned long']], 'SessionPagedNoPagesAvailable' : [ 0x18, ['unsigned long']], 'PagedNoCommit' : [ 0x1c, ['unsigned long']], 'SessionPagedNoCommit' : [ 0x20, ['unsigned long']], 'NonPagedNoResidentAvailable' : [ 0x24, ['unsigned long']], 'NonPagedNoCommit' : [ 0x28, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_MI_PAGE_COMBINE_STATISTICS' : [ 0x28, { 'PagesScannedActive' : [ 0x0, ['unsigned long long']], 'PagesScannedStandby' : [ 0x8, ['unsigned long long']], 'PagesCombined' : [ 0x10, ['unsigned long long']], 'CombineScanCount' : [ 0x18, ['unsigned long']], 'CombinedBlocksInUse' : [ 0x1c, ['long']], 'SumCombinedBlocksReferenceCount' : [ 0x20, ['long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' 
: [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_HVIEW_MAP_TABLE' : [ 0x600, { 'Entries' : [ 0x0, ['array', 64, ['_HVIEW_MAP_ENTRY']]], } ], '_LDRP_CSLIST' : [ 0x4, { 'Tail' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MI_RESERVATION_CLUSTER_INFO' : [ 0x4, { 'ClusterSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'EntireInfo' : [ 0x0, ['long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_MI_FLAGS' : [ 0x4, { 'EntireFlags' : [ 0x0, ['long']], 'VerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'KernelVerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LargePageKernel' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StopOn4d' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'InitializationPhase' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'PageKernelStacks' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CheckZeroPages' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ProcessorPrewalks' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ProcessorPostwalks' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'CoverageBuild' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AccessBitReplacementDisabled' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned 
long')]], 'CheckExecute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ProtectedPagesEnabled' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'StrongCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HardCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ExecutePagePrivilegeRequired' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StrongPageIdentity' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'FullHvci' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'SecureRelocations' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'SlatKernelCodeProtected' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'BootDebuggerActive' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 
'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_POP_FX_PERF_SET' : [ 0x20, { 'PerfSet' : [ 0x0, ['pointer', ['_PO_FX_COMPONENT_PERF_SET']]], 'CurrentPerf' : [ 0x8, ['unsigned long long']], 'CurrentPerfStamp' : 
[ 0x10, ['unsigned long long']], 'CurrentPerfNominal' : [ 0x18, ['unsigned char']], } ], '_PO_FX_PERF_STATE_CHANGE' : [ 0x10, { 'Set' : [ 0x0, ['unsigned long']], 'StateIndex' : [ 0x8, ['unsigned long']], 'StateValue' : [ 0x8, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x4, ['unsigned long']], } ], '_HVIEW_MAP_ENTRY' : [ 0x18, { 'ViewStart' : [ 0x0, ['pointer', ['void']]], 'IsPinned' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Bcb' : [ 0x4, ['pointer', ['void']]], 'PinnedPages' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '__unnamed_2b01' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x4, ['pointer', ['_PO_FX_PERF_STATE']]], } ], '__unnamed_2b03' : [ 0x10, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], } ], '_PO_FX_COMPONENT_PERF_SET' : [ 0x28, { 'Name' : [ 0x0, ['_UNICODE_STRING']], 'Flags' : [ 0x8, ['unsigned long long']], 'Unit' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateUnitOther', 1: 'PoFxPerfStateUnitFrequency', 2: 'PoFxPerfStateUnitBandwidth', 3: 'PoFxPerfStateUnitMaximum'})]], 'Type' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateTypeDiscrete', 1: 'PoFxPerfStateTypeRange', 2: 
'PoFxPerfStateTypeMaximum'})]], 'Discrete' : [ 0x18, ['__unnamed_2b01']], 'Range' : [ 0x18, ['__unnamed_2b03']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '__unnamed_2b09' : [ 0x8, { 'MessageAddressLow' : [ 0x0, ['unsigned long']], 'MessageData' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], } ], '__unnamed_2b0b' : [ 0x8, { 'RemappedFormat' : [ 0x0, ['_ULARGE_INTEGER']], 'Msi' : [ 0x0, ['__unnamed_2b09']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_2b0b']], } ], '_PO_FX_PERF_STATE' : [ 0x10, { 'Value' : [ 0x0, ['unsigned long long']], 'Context' : [ 0x8, ['pointer', ['void']]], } ], '__unnamed_2b11' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_2b13' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_2b19' : [ 0xc, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], 'OutputInformation' : [ 0x8, ['pointer', ['_FS_FILTER_SECTION_SYNC_OUTPUT']]], } ], '__unnamed_2b1d' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_2b1f' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, 
['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_2b11']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2b13']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2b19']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2b1d']], 'Others' : [ 0x0, ['__unnamed_2b1f']], } ], '_FS_FILTER_SECTION_SYNC_OUTPUT' : [ 0x10, { 'StructureSize' : [ 0x0, ['unsigned long']], 'SizeReturned' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DesiredReadAlignment' : [ 0xc, ['unsigned long']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8_sp0_x86_syscalls.py0000644000000000000000000015072213131215405031026 0ustar rootrootsyscalls = [ [ 'NtWorkerFactoryWorkerReady', # 0x0 'NtYieldExecution', # 0x1 'NtWriteVirtualMemory', # 0x2 'NtWriteRequestData', # 0x3 'NtWriteFileGather', # 0x4 'NtWriteFile', # 0x5 'NtWaitLowEventPair', # 0x6 'NtWaitHighEventPair', # 0x7 'NtWaitForWorkViaWorkerFactory', # 0x8 'NtWaitForWnfNotifications', # 0x9 'NtWaitForSingleObject', # 0xa 'NtWaitForMultipleObjects32', # 0xb 'NtWaitForMultipleObjects', # 0xc 'NtWaitForKeyedEvent', # 0xd 'NtWaitForDebugEvent', # 0xe 'NtWaitForAlertByThreadId', # 0xf 'NtVdmControl', # 0x10 'NtUnsubscribeWnfStateChange', # 0x11 'NtUpdateWnfStateData', # 0x12 'NtUnmapViewOfSection', # 0x13 'NtUnmapViewOfSectionEx', # 0x14 'NtUnlockVirtualMemory', # 0x15 'NtUnlockFile', # 0x16 'NtUnloadKeyEx', # 0x17 'NtUnloadKey2', # 0x18 'NtUnloadKey', # 0x19 'NtUnloadDriver', # 0x1a 'NtUmsThreadYield', # 0x1b 'NtTranslateFilePath', # 0x1c 'NtTraceEvent', # 0x1d 'NtTraceControl', # 0x1e 'NtThawTransactions', # 0x1f 'NtThawRegistry', # 0x20 'NtTestAlert', # 0x21 'NtTerminateThread', # 0x22 'NtTerminateProcess', # 0x23 'NtTerminateJobObject', # 0x24 'NtSystemDebugControl', # 0x25 'NtSuspendThread', # 0x26 'NtSuspendProcess', # 0x27 'NtSubscribeWnfStateChange', # 0x28 'NtStopProfile', # 0x29 'NtStartProfile', # 0x2a 
'NtSinglePhaseReject', # 0x2b 'NtSignalAndWaitForSingleObject', # 0x2c 'NtShutdownWorkerFactory', # 0x2d 'NtShutdownSystem', # 0x2e 'NtSetVolumeInformationFile', # 0x2f 'NtSetValueKey', # 0x30 'NtSetUuidSeed', # 0x31 'NtSetTimerResolution', # 0x32 'NtSetTimerEx', # 0x33 'NtSetTimer', # 0x34 'NtSetThreadExecutionState', # 0x35 'NtSetSystemTime', # 0x36 'NtSetSystemPowerState', # 0x37 'NtSetSystemInformation', # 0x38 'NtSetSystemEnvironmentValueEx', # 0x39 'NtSetSystemEnvironmentValue', # 0x3a 'NtSetSecurityObject', # 0x3b 'NtSetQuotaInformationFile', # 0x3c 'NtSetLowWaitHighEventPair', # 0x3d 'NtSetLowEventPair', # 0x3e 'NtSetLdtEntries', # 0x3f 'NtSetIRTimer', # 0x40 'NtSetIoCompletionEx', # 0x41 'NtSetIoCompletion', # 0x42 'NtSetIntervalProfile', # 0x43 'NtSetInformationWorkerFactory', # 0x44 'NtSetInformationTransactionManager', # 0x45 'NtSetInformationTransaction', # 0x46 'NtSetInformationToken', # 0x47 'NtSetInformationThread', # 0x48 'NtSetInformationResourceManager', # 0x49 'NtSetInformationProcess', # 0x4a 'NtSetInformationObject', # 0x4b 'NtSetInformationKey', # 0x4c 'NtSetInformationJobObject', # 0x4d 'NtSetInformationFile', # 0x4e 'NtSetInformationEnlistment', # 0x4f 'NtSetInformationDebugObject', # 0x50 'NtSetHighWaitLowEventPair', # 0x51 'NtSetHighEventPair', # 0x52 'NtSetEventBoostPriority', # 0x53 'NtSetEvent', # 0x54 'NtSetEaFile', # 0x55 'NtSetDriverEntryOrder', # 0x56 'NtSetDefaultUILanguage', # 0x57 'NtSetDefaultLocale', # 0x58 'NtSetDefaultHardErrorPort', # 0x59 'NtSetDebugFilterState', # 0x5a 'NtSetContextThread', # 0x5b 'NtSetCachedSigningLevel', # 0x5c 'NtSetBootOptions', # 0x5d 'NtSetBootEntryOrder', # 0x5e 'NtSerializeBoot', # 0x5f 'NtSecureConnectPort', # 0x60 'NtSaveMergedKeys', # 0x61 'NtSaveKeyEx', # 0x62 'NtSaveKey', # 0x63 'NtRollforwardTransactionManager', # 0x64 'NtRollbackTransaction', # 0x65 'NtRollbackEnlistment', # 0x66 'NtRollbackComplete', # 0x67 'NtResumeThread', # 0x68 'NtResumeProcess', # 0x69 'NtRestoreKey', # 0x6a 
'NtResetWriteWatch', # 0x6b 'NtResetEvent', # 0x6c 'NtRequestWaitReplyPort', # 0x6d 'NtRequestPort', # 0x6e 'NtReplyWaitReplyPort', # 0x6f 'NtReplyWaitReceivePortEx', # 0x70 'NtReplyWaitReceivePort', # 0x71 'NtReplyPort', # 0x72 'NtReplacePartitionUnit', # 0x73 'NtReplaceKey', # 0x74 'NtRenameTransactionManager', # 0x75 'NtRenameKey', # 0x76 'NtRemoveProcessDebug', # 0x77 'NtRemoveIoCompletionEx', # 0x78 'NtRemoveIoCompletion', # 0x79 'NtReleaseWorkerFactoryWorker', # 0x7a 'NtReleaseSemaphore', # 0x7b 'NtReleaseMutant', # 0x7c 'NtReleaseKeyedEvent', # 0x7d 'NtRegisterThreadTerminatePort', # 0x7e 'NtRegisterProtocolAddressInformation', # 0x7f 'NtRecoverTransactionManager', # 0x80 'NtRecoverResourceManager', # 0x81 'NtRecoverEnlistment', # 0x82 'NtReadVirtualMemory', # 0x83 'NtReadRequestData', # 0x84 'NtReadOnlyEnlistment', # 0x85 'NtReadFileScatter', # 0x86 'NtReadFile', # 0x87 'NtRaiseHardError', # 0x88 'NtRaiseException', # 0x89 'NtQueueApcThreadEx', # 0x8a 'NtQueueApcThread', # 0x8b 'NtQueryWnfStateData', # 0x8c 'NtQueryWnfStateNameInformation', # 0x8d 'NtQueryVolumeInformationFile', # 0x8e 'NtQueryVirtualMemory', # 0x8f 'NtQueryValueKey', # 0x90 'NtQueryTimerResolution', # 0x91 'NtQueryTimer', # 0x92 'NtQuerySystemTime', # 0x93 'NtQuerySystemInformationEx', # 0x94 'NtQuerySystemInformation', # 0x95 'NtQuerySystemEnvironmentValueEx', # 0x96 'NtQuerySystemEnvironmentValue', # 0x97 'NtQuerySymbolicLinkObject', # 0x98 'NtQuerySemaphore', # 0x99 'NtQuerySecurityObject', # 0x9a 'NtQuerySecurityAttributesToken', # 0x9b 'NtQuerySection', # 0x9c 'NtQueryQuotaInformationFile', # 0x9d 'NtQueryPortInformationProcess', # 0x9e 'NtQueryPerformanceCounter', # 0x9f 'NtQueryOpenSubKeysEx', # 0xa0 'NtQueryOpenSubKeys', # 0xa1 'NtQueryObject', # 0xa2 'NtQueryMutant', # 0xa3 'NtQueryMultipleValueKey', # 0xa4 'NtQueryLicenseValue', # 0xa5 'NtQueryKey', # 0xa6 'NtQueryIoCompletion', # 0xa7 'NtQueryIntervalProfile', # 0xa8 'NtQueryInstallUILanguage', # 0xa9 
'NtQueryInformationWorkerFactory', # 0xaa 'NtQueryInformationTransactionManager', # 0xab 'NtQueryInformationTransaction', # 0xac 'NtQueryInformationToken', # 0xad 'NtQueryInformationThread', # 0xae 'NtQueryInformationResourceManager', # 0xaf 'NtQueryInformationProcess', # 0xb0 'NtQueryInformationPort', # 0xb1 'NtQueryInformationJobObject', # 0xb2 'NtQueryInformationFile', # 0xb3 'NtQueryInformationEnlistment', # 0xb4 'NtQueryInformationAtom', # 0xb5 'NtQueryFullAttributesFile', # 0xb6 'NtQueryEvent', # 0xb7 'NtQueryEaFile', # 0xb8 'NtQueryDriverEntryOrder', # 0xb9 'NtQueryDirectoryObject', # 0xba 'NtQueryDirectoryFile', # 0xbb 'NtQueryDefaultUILanguage', # 0xbc 'NtQueryDefaultLocale', # 0xbd 'NtQueryDebugFilterState', # 0xbe 'NtQueryBootOptions', # 0xbf 'NtQueryBootEntryOrder', # 0xc0 'NtQueryAttributesFile', # 0xc1 'NtPulseEvent', # 0xc2 'NtProtectVirtualMemory', # 0xc3 'NtPropagationFailed', # 0xc4 'NtPropagationComplete', # 0xc5 'NtPrivilegeObjectAuditAlarm', # 0xc6 'NtPrivilegedServiceAuditAlarm', # 0xc7 'NtPrivilegeCheck', # 0xc8 'NtSetInformationVirtualMemory', # 0xc9 'NtPrePrepareEnlistment', # 0xca 'NtPrePrepareComplete', # 0xcb 'NtPrepareEnlistment', # 0xcc 'NtPrepareComplete', # 0xcd 'NtPowerInformation', # 0xce 'NtPlugPlayControl', # 0xcf 'NtOpenTransactionManager', # 0xd0 'NtOpenTransaction', # 0xd1 'NtOpenTimer', # 0xd2 'NtOpenThreadTokenEx', # 0xd3 'NtOpenThreadToken', # 0xd4 'NtOpenThread', # 0xd5 'NtOpenSymbolicLinkObject', # 0xd6 'NtOpenSession', # 0xd7 'NtOpenSemaphore', # 0xd8 'NtOpenSection', # 0xd9 'NtOpenResourceManager', # 0xda 'NtOpenProcessTokenEx', # 0xdb 'NtOpenProcessToken', # 0xdc 'NtOpenProcess', # 0xdd 'NtOpenPrivateNamespace', # 0xde 'NtOpenObjectAuditAlarm', # 0xdf 'NtOpenMutant', # 0xe0 'NtOpenKeyTransactedEx', # 0xe1 'NtOpenKeyTransacted', # 0xe2 'NtOpenKeyEx', # 0xe3 'NtOpenKeyedEvent', # 0xe4 'NtOpenKey', # 0xe5 'NtOpenJobObject', # 0xe6 'NtOpenIoCompletion', # 0xe7 'NtOpenFile', # 0xe8 'NtOpenEventPair', # 0xe9 'NtOpenEvent', # 
0xea 'NtOpenEnlistment', # 0xeb 'NtOpenDirectoryObject', # 0xec 'NtNotifyChangeSession', # 0xed 'NtNotifyChangeMultipleKeys', # 0xee 'NtNotifyChangeKey', # 0xef 'NtNotifyChangeDirectoryFile', # 0xf0 'NtModifyDriverEntry', # 0xf1 'NtModifyBootEntry', # 0xf2 'NtMapViewOfSection', # 0xf3 'NtMapUserPhysicalPagesScatter', # 0xf4 'NtMapUserPhysicalPages', # 0xf5 'NtMapCMFModule', # 0xf6 'NtMakeTemporaryObject', # 0xf7 'NtMakePermanentObject', # 0xf8 'NtLockVirtualMemory', # 0xf9 'NtLockRegistryKey', # 0xfa 'NtLockProductActivationKeys', # 0xfb 'NtLockFile', # 0xfc 'NtLoadKeyEx', # 0xfd 'NtLoadKey2', # 0xfe 'NtLoadKey', # 0xff 'NtLoadDriver', # 0x100 'NtListenPort', # 0x101 'NtIsUILanguageComitted', # 0x102 'NtIsSystemResumeAutomatic', # 0x103 'NtIsProcessInJob', # 0x104 'NtInitiatePowerAction', # 0x105 'NtInitializeRegistry', # 0x106 'NtInitializeNlsFiles', # 0x107 'NtImpersonateThread', # 0x108 'NtImpersonateClientOfPort', # 0x109 'NtImpersonateAnonymousToken', # 0x10a 'NtGetWriteWatch', # 0x10b 'NtGetNotificationResourceManager', # 0x10c 'NtGetNlsSectionPtr', # 0x10d 'NtGetNextThread', # 0x10e 'NtGetNextProcess', # 0x10f 'NtGetMUIRegistryInfo', # 0x110 'NtGetDevicePowerState', # 0x111 'NtGetCurrentProcessorNumber', # 0x112 'NtGetContextThread', # 0x113 'NtGetCachedSigningLevel', # 0x114 'NtFsControlFile', # 0x115 'NtFreezeTransactions', # 0x116 'NtFreezeRegistry', # 0x117 'NtFreeVirtualMemory', # 0x118 'NtFreeUserPhysicalPages', # 0x119 'NtFlushWriteBuffer', # 0x11a 'NtFlushVirtualMemory', # 0x11b 'NtFlushProcessWriteBuffers', # 0x11c 'NtFlushKey', # 0x11d 'NtFlushInstructionCache', # 0x11e 'NtFlushInstallUILanguage', # 0x11f 'NtFlushBuffersFile', # 0x120 'NtFlushBuffersFileEx', # 0x121 'NtFindAtom', # 0x122 'NtFilterToken', # 0x123 'NtFilterTokenEx', # 0x124 'NtFilterBootOption', # 0x125 'NtExtendSection', # 0x126 'NtEnumerateValueKey', # 0x127 'NtEnumerateTransactionObject', # 0x128 'NtEnumerateSystemEnvironmentValuesEx', # 0x129 'NtEnumerateKey', # 0x12a 
'NtEnumerateDriverEntries', # 0x12b 'NtEnumerateBootEntries', # 0x12c 'NtEnableLastKnownGood', # 0x12d 'NtDuplicateToken', # 0x12e 'NtDuplicateObject', # 0x12f 'NtDrawText', # 0x130 'NtDisplayString', # 0x131 'NtDisableLastKnownGood', # 0x132 'NtDeviceIoControlFile', # 0x133 'NtDeleteWnfStateName', # 0x134 'NtDeleteWnfStateData', # 0x135 'NtDeleteValueKey', # 0x136 'NtDeletePrivateNamespace', # 0x137 'NtDeleteObjectAuditAlarm', # 0x138 'NtDeleteKey', # 0x139 'NtDeleteFile', # 0x13a 'NtDeleteDriverEntry', # 0x13b 'NtDeleteBootEntry', # 0x13c 'NtDeleteAtom', # 0x13d 'NtDelayExecution', # 0x13e 'NtDebugContinue', # 0x13f 'NtDebugActiveProcess', # 0x140 'NtCreateWorkerFactory', # 0x141 'NtCreateWnfStateName', # 0x142 'NtCreateWaitCompletionPacket', # 0x143 'NtCreateWaitablePort', # 0x144 'NtCreateUserProcess', # 0x145 'NtCreateTransactionManager', # 0x146 'NtCreateTransaction', # 0x147 'NtCreateToken', # 0x148 'NtCreateLowBoxToken', # 0x149 'NtCreateTokenEx', # 0x14a 'NtCreateTimer', # 0x14b 'NtCreateThreadEx', # 0x14c 'NtCreateThread', # 0x14d 'NtCreateSymbolicLinkObject', # 0x14e 'NtCreateSemaphore', # 0x14f 'NtCreateSection', # 0x150 'NtCreateResourceManager', # 0x151 'NtCreateProfileEx', # 0x152 'NtCreateProfile', # 0x153 'NtCreateProcessEx', # 0x154 'NtCreateProcess', # 0x155 'NtCreatePrivateNamespace', # 0x156 'NtCreatePort', # 0x157 'NtCreatePagingFile', # 0x158 'NtCreateNamedPipeFile', # 0x159 'NtCreateMutant', # 0x15a 'NtCreateMailslotFile', # 0x15b 'NtCreateKeyTransacted', # 0x15c 'NtCreateKeyedEvent', # 0x15d 'NtCreateKey', # 0x15e 'NtCreateJobSet', # 0x15f 'NtCreateJobObject', # 0x160 'NtCreateIRTimer', # 0x161 'NtCreateIoCompletion', # 0x162 'NtCreateFile', # 0x163 'NtCreateEventPair', # 0x164 'NtCreateEvent', # 0x165 'NtCreateEnlistment', # 0x166 'NtCreateDirectoryObjectEx', # 0x167 'NtCreateDirectoryObject', # 0x168 'NtCreateDebugObject', # 0x169 'NtContinue', # 0x16a 'NtConnectPort', # 0x16b 'NtCompressKey', # 0x16c 'NtCompleteConnectPort', # 0x16d 
'NtCompareTokens', # 0x16e 'NtCompactKeys', # 0x16f 'NtCommitTransaction', # 0x170 'NtCommitEnlistment', # 0x171 'NtCommitComplete', # 0x172 'NtCloseObjectAuditAlarm', # 0x173 'NtClose', # 0x174 'NtClearEvent', # 0x175 'NtCancelWaitCompletionPacket', # 0x176 'NtCancelTimer', # 0x177 'NtCancelSynchronousIoFile', # 0x178 'NtCancelIoFileEx', # 0x179 'NtCancelIoFile', # 0x17a 'NtCallbackReturn', # 0x17b 'NtAssociateWaitCompletionPacket', # 0x17c 'NtAssignProcessToJobObject', # 0x17d 'NtAreMappedFilesTheSame', # 0x17e 'NtApphelpCacheControl', # 0x17f 'NtAlpcSetInformation', # 0x180 'NtAlpcSendWaitReceivePort', # 0x181 'NtAlpcRevokeSecurityContext', # 0x182 'NtAlpcQueryInformationMessage', # 0x183 'NtAlpcQueryInformation', # 0x184 'NtAlpcOpenSenderThread', # 0x185 'NtAlpcOpenSenderProcess', # 0x186 'NtAlpcImpersonateClientOfPort', # 0x187 'NtAlpcDisconnectPort', # 0x188 'NtAlpcDeleteSecurityContext', # 0x189 'NtAlpcDeleteSectionView', # 0x18a 'NtAlpcDeleteResourceReserve', # 0x18b 'NtAlpcDeletePortSection', # 0x18c 'NtAlpcCreateSecurityContext', # 0x18d 'NtAlpcCreateSectionView', # 0x18e 'NtAlpcCreateResourceReserve', # 0x18f 'NtAlpcCreatePortSection', # 0x190 'NtAlpcCreatePort', # 0x191 'NtAlpcConnectPort', # 0x192 'NtAlpcConnectPortEx', # 0x193 'NtAlpcCancelMessage', # 0x194 'NtAlpcAcceptConnectPort', # 0x195 'NtAllocateVirtualMemory', # 0x196 'NtAllocateUuids', # 0x197 'NtAllocateUserPhysicalPages', # 0x198 'NtAllocateReserveObject', # 0x199 'NtAllocateLocallyUniqueId', # 0x19a 'NtAlertThreadByThreadId', # 0x19b 'NtAlertThread', # 0x19c 'NtAlertResumeThread', # 0x19d 'NtAdjustPrivilegesToken', # 0x19e 'NtAdjustGroupsToken', # 0x19f 'NtAdjustTokenClaimsAndDeviceGroups', # 0x1a0 'NtAddDriverEntry', # 0x1a1 'NtAddBootEntry', # 0x1a2 'NtAddAtom', # 0x1a3 'NtAddAtomEx', # 0x1a4 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x1a5 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x1a6 'NtAccessCheckByTypeResultList', # 0x1a7 'NtAccessCheckByTypeAndAuditAlarm', # 
0x1a8 'NtAccessCheckByType', # 0x1a9 'NtAccessCheckAndAuditAlarm', # 0x1aa 'NtAccessCheck', # 0x1ab 'NtAcceptConnectPort', # 0x1ac ], [ 'NtUserYieldTask', # 0x0 'NtGdiWidenPath', # 0x1 'NtGdiUpdateColors', # 0x2 'NtGdiUnrealizeObject', # 0x3 'NtGdiUnmapMemFont', # 0x4 'NtGdiUnloadPrinterDriver', # 0x5 'NtGdiTransparentBlt', # 0x6 'NtGdiTransformPoints', # 0x7 'NtGdiSwapBuffers', # 0x8 'NtGdiStrokePath', # 0x9 'NtGdiStrokeAndFillPath', # 0xa 'NtGdiStretchDIBitsInternal', # 0xb 'NtGdiStretchBlt', # 0xc 'NtGdiStartPage', # 0xd 'NtGdiStartDoc', # 0xe 'NtGdiSetSizeDevice', # 0xf 'NtGdiSetVirtualResolution', # 0x10 'NtGdiSetTextJustification', # 0x11 'NtGdiSetSystemPaletteUse', # 0x12 'NtGdiSetRectRgn', # 0x13 'NtGdiSetPixelFormat', # 0x14 'NtGdiSetPixel', # 0x15 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x16 'NtGdiSetLayout', # 0x17 'NtGdiMirrorWindowOrg', # 0x18 'NtGdiGetDeviceWidth', # 0x19 'NtGdiSetMiterLimit', # 0x1a 'NtGdiSetMetaRgn', # 0x1b 'NtGdiSetMagicColors', # 0x1c 'NtGdiSetLinkedUFIs', # 0x1d 'NtGdiSetIcmMode', # 0x1e 'NtGdiSetFontXform', # 0x1f 'NtGdiSetFontEnumeration', # 0x20 'NtGdiSetDIBitsToDeviceInternal', # 0x21 'NtGdiSetDeviceGammaRamp', # 0x22 'NtGdiSetColorSpace', # 0x23 'NtGdiSetColorAdjustment', # 0x24 'NtGdiSetBrushOrg', # 0x25 'NtGdiSetBrushAttributes', # 0x26 'NtGdiSetBoundsRect', # 0x27 'NtGdiSetBitmapDimension', # 0x28 'NtGdiSetBitmapBits', # 0x29 'NtGdiSetBitmapAttributes', # 0x2a 'NtGdiSelectPen', # 0x2b 'NtGdiSelectFont', # 0x2c 'NtGdiSelectClipPath', # 0x2d 'NtGdiSelectBrush', # 0x2e 'NtGdiSelectBitmap', # 0x2f 'NtGdiScaleWindowExtEx', # 0x30 'NtGdiScaleViewportExtEx', # 0x31 'NtGdiSaveDC', # 0x32 'NtGdiRoundRect', # 0x33 'NtGdiRestoreDC', # 0x34 'NtGdiResizePalette', # 0x35 'NtGdiResetDC', # 0x36 'NtGdiRemoveFontMemResourceEx', # 0x37 'NtGdiRemoveFontResourceW', # 0x38 'NtGdiRectVisible', # 0x39 'NtGdiRectInRegion', # 0x3a 'NtGdiRectangle', # 0x3b 'NtGdiQueryFontAssocInfo', # 0x3c 'NtGdiQueryFonts', # 0x3d 'NtGdiPtVisible', # 0x3e 
'NtGdiPtInRegion', # 0x3f 'NtGdiPolyTextOutW', # 0x40 'NtGdiPolyPolyDraw', # 0x41 'NtGdiPolyDraw', # 0x42 'NtGdiPlgBlt', # 0x43 'NtGdiPathToRegion', # 0x44 'NtGdiPolyPatBlt', # 0x45 'NtGdiPatBlt', # 0x46 'NtGdiOpenDCW', # 0x47 'NtGdiOffsetRgn', # 0x48 'NtGdiOffsetClipRgn', # 0x49 'NtGdiMoveTo', # 0x4a 'NtGdiMonoBitmap', # 0x4b 'NtGdiModifyWorldTransform', # 0x4c 'NtGdiMaskBlt', # 0x4d 'NtGdiMakeInfoDC', # 0x4e 'NtGdiMakeFontDir', # 0x4f 'NtGdiLineTo', # 0x50 'NtGdiInvertRgn', # 0x51 'NtGdiIntersectClipRect', # 0x52 'NtGdiInitSpool', # 0x53 'NtGdiInit', # 0x54 'NtGdiIcmBrushInfo', # 0x55 'NtGdiHfontCreate', # 0x56 'NtGdiGradientFill', # 0x57 'NtGdiGetWidthTable', # 0x58 'NtGdiGetFontUnicodeRanges', # 0x59 'NtGdiAddEmbFontToDC', # 0x5a 'NtGdiChangeGhostFont', # 0x5b 'NtGdiGetEmbedFonts', # 0x5c 'NtGdiGetUFIPathname', # 0x5d 'NtGdiGetEmbUFI', # 0x5e 'NtGdiGetUFI', # 0x5f 'NtGdiGetTransform', # 0x60 'NtGdiGetTextMetricsW', # 0x61 'NtGdiGetTextFaceW', # 0x62 'NtGdiGetTextExtentExW', # 0x63 'NtGdiGetTextExtent', # 0x64 'NtGdiGetTextCharsetInfo', # 0x65 'NtGdiGetSystemPaletteUse', # 0x66 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0x67 'NtGdiGetStringBitmapW', # 0x68 'NtGdiGetStockObject', # 0x69 'NtGdiGetStats', # 0x6a 'NtGdiGetSpoolMessage', # 0x6b 'NtGdiGetServerMetaFileBits', # 0x6c 'NtGdiGetRgnBox', # 0x6d 'NtGdiGetRegionData', # 0x6e 'NtGdiGetRealizationInfo', # 0x6f 'NtGdiGetRasterizerCaps', # 0x70 'NtGdiGetRandomRgn', # 0x71 'NtGdiGetPixel', # 0x72 'NtGdiGetPath', # 0x73 'NtGdiGetOutlineTextMetricsInternalW', # 0x74 'NtGdiGetOPMRandomNumber', # 0x75 'NtGdiGetObjectBitmapHandle', # 0x76 'NtGdiGetNearestPaletteIndex', # 0x77 'NtGdiGetNearestColor', # 0x78 'NtGdiGetMonitorID', # 0x79 'NtGdiGetMiterLimit', # 0x7a 'NtGdiGetLinkedUFIs', # 0x7b 'NtGdiGetKerningPairs', # 0x7c 'NtGdiGetOPMInformation', # 0x7d 'NtGdiGetGlyphOutline', # 0x7e 'NtGdiGetGlyphIndicesWInternal', # 0x7f 'NtGdiGetGlyphIndicesW', # 0x80 'NtGdiGetFontResourceInfoInternalW', # 0x81 
'NtGdiGetFontFileInfo', # 0x82 'NtGdiGetFontFileData', # 0x83 'NtGdiGetFontData', # 0x84 'NtGdiGetEudcTimeStampEx', # 0x85 'NtGdiGetETM', # 0x86 'NtGdiGetDIBitsInternal', # 0x87 'NtGdiGetDeviceCapsAll', # 0x88 'NtGdiGetDeviceGammaRamp', # 0x89 'NtGdiGetDeviceCaps', # 0x8a 'NtGdiGetDCPoint', # 0x8b 'NtGdiGetDCObject', # 0x8c 'NtGdiGetDCforBitmap', # 0x8d 'NtGdiGetDCDword', # 0x8e 'NtGdiGetCOPPCompatibleOPMInformation', # 0x8f 'NtGdiGetColorSpaceforBitmap', # 0x90 'NtGdiGetColorAdjustment', # 0x91 'NtGdiGetCharWidthInfo', # 0x92 'NtGdiGetCharWidthW', # 0x93 'NtGdiGetCharSet', # 0x94 'NtGdiGetCharacterPlacementW', # 0x95 'NtGdiGetCharABCWidthsW', # 0x96 'NtGdiGetCertificateSize', # 0x97 'NtGdiGetCertificate', # 0x98 'NtGdiGetBoundsRect', # 0x99 'NtGdiGetBitmapDimension', # 0x9a 'NtGdiGetBitmapBits', # 0x9b 'NtGdiGetAppClipBox', # 0x9c 'NtGdiGetAndSetDCDword', # 0x9d 'NtGdiFullscreenControl', # 0x9e 'NtGdiFrameRgn', # 0x9f 'NtGdiForceUFIMapping', # 0xa0 'NtGdiFlush', # 0xa1 'NtGdiFlattenPath', # 0xa2 'NtGdiFillRgn', # 0xa3 'NtGdiFillPath', # 0xa4 'NtGdiExtTextOutW', # 0xa5 'NtGdiExtSelectClipRgn', # 0xa6 'NtGdiExtGetObjectW', # 0xa7 'NtGdiExtFloodFill', # 0xa8 'NtGdiExtEscape', # 0xa9 'NtGdiExtCreateRegion', # 0xaa 'NtGdiExtCreatePen', # 0xab 'NtGdiExcludeClipRect', # 0xac 'NtGdiEudcLoadUnloadLink', # 0xad 'NtGdiEqualRgn', # 0xae 'NtGdiEnumObjects', # 0xaf 'NtGdiEnumFonts', # 0xb0 'NtGdiEndPath', # 0xb1 'NtGdiEndPage', # 0xb2 'NtGdiEndGdiRendering', # 0xb3 'NtGdiEndDoc', # 0xb4 'NtGdiEnableEudc', # 0xb5 'NtGdiEllipse', # 0xb6 'NtGdiDrawEscape', # 0xb7 'NtGdiDoPalette', # 0xb8 'NtGdiDoBanding', # 0xb9 'NtGdiGetPerBandInfo', # 0xba 'NtGdiDestroyOPMProtectedOutput', # 0xbb 'NtGdiDescribePixelFormat', # 0xbc 'NtGdiDeleteObjectApp', # 0xbd 'NtGdiDeleteColorTransform', # 0xbe 'NtGdiDeleteColorSpace', # 0xbf 'NtGdiDeleteClientObj', # 0xc0 'NtGdiDxgGenericThunk', # 0xc1 'NtGdiDvpReleaseNotification', # 0xc2 'NtGdiDvpAcquireNotification', # 0xc3 'NtGdiDvpWaitForVideoPortSync', 
# 0xc4 'NtGdiDvpUpdateVideoPort', # 0xc5 'NtGdiDvpGetVideoSignalStatus', # 0xc6 'NtGdiDvpGetVideoPortConnectInfo', # 0xc7 'NtGdiDvpGetVideoPortOutputFormats', # 0xc8 'NtGdiDvpGetVideoPortLine', # 0xc9 'NtGdiDvpGetVideoPortInputFormats', # 0xca 'NtGdiDvpGetVideoPortFlipStatus', # 0xcb 'NtGdiDvpGetVideoPortField', # 0xcc 'NtGdiDvpGetVideoPortBandwidth', # 0xcd 'NtGdiDvpFlipVideoPort', # 0xce 'NtGdiDvpDestroyVideoPort', # 0xcf 'NtGdiDvpCreateVideoPort', # 0xd0 'NtGdiDvpColorControl', # 0xd1 'NtGdiDvpCanCreateVideoPort', # 0xd2 'NtGdiDdWaitForVerticalBlank', # 0xd3 'NtGdiDdUpdateOverlay', # 0xd4 'NtGdiDdUnlockD3D', # 0xd5 'NtGdiDdUnlock', # 0xd6 'NtGdiDdUnattachSurface', # 0xd7 'NtGdiDdSetOverlayPosition', # 0xd8 'NtGdiDdCreateSurfaceEx', # 0xd9 'NtGdiDdSetGammaRamp', # 0xda 'NtGdiDdSetExclusiveMode', # 0xdb 'NtGdiDdSetColorKey', # 0xdc 'NtGdiDdResetVisrgn', # 0xdd 'NtGdiDdRenderMoComp', # 0xde 'NtGdiDdReleaseDC', # 0xdf 'NtGdiDdReenableDirectDrawObject', # 0xe0 'NtGdiDdQueryMoCompStatus', # 0xe1 'NtGdiDdQueryDirectDrawObject', # 0xe2 'NtGdiDdLockD3D', # 0xe3 'NtGdiDdLock', # 0xe4 'NtGdiDdGetScanLine', # 0xe5 'NtGdiDdGetMoCompFormats', # 0xe6 'NtGdiDdGetMoCompGuids', # 0xe7 'NtGdiDdGetMoCompBuffInfo', # 0xe8 'NtGdiDdGetInternalMoCompInfo', # 0xe9 'NtGdiDdGetFlipStatus', # 0xea 'NtGdiDdGetDxHandle', # 0xeb 'NtGdiDdGetDriverInfo', # 0xec 'NtGdiDdGetDC', # 0xed 'NtGdiDdGetBltStatus', # 0xee 'NtGdiDdGetAvailDriverMemory', # 0xef 'NtGdiDdFlipToGDISurface', # 0xf0 'NtGdiDdFlip', # 0xf1 'NtGdiDdEndMoCompFrame', # 0xf2 'NtGdiDdDestroyD3DBuffer', # 0xf3 'NtGdiDdDestroySurface', # 0xf4 'NtGdiDdDestroyMoComp', # 0xf5 'NtGdiDdDeleteSurfaceObject', # 0xf6 'NtGdiDdDeleteDirectDrawObject', # 0xf7 'NtGdiDdCreateSurfaceObject', # 0xf8 'NtGdiDdCreateMoComp', # 0xf9 'NtGdiDdCreateD3DBuffer', # 0xfa 'NtGdiDdCreateSurface', # 0xfb 'NtGdiDdCreateDirectDrawObject', # 0xfc 'NtGdiDdColorControl', # 0xfd 'NtGdiDdCanCreateD3DBuffer', # 0xfe 'NtGdiDdCanCreateSurface', # 0xff 'NtGdiDdBlt', # 0x100 
'NtGdiDdBeginMoCompFrame', # 0x101 'NtGdiDdAttachSurface', # 0x102 'NtGdiDdAlphaBlt', # 0x103 'NtGdiDdAddAttachedSurface', # 0x104 'NtGdiDdGetDriverState', # 0x105 'NtGdiD3dDrawPrimitives2', # 0x106 'NtGdiD3dValidateTextureStageState', # 0x107 'NtGdiD3dContextDestroyAll', # 0x108 'NtGdiD3dContextDestroy', # 0x109 'NtGdiD3dContextCreate', # 0x10a 'NtGdiCreateSolidBrush', # 0x10b 'NtGdiCreateServerMetaFile', # 0x10c 'NtGdiCreateRoundRectRgn', # 0x10d 'NtGdiCreateRectRgn', # 0x10e 'NtGdiCreatePen', # 0x10f 'NtGdiCreatePatternBrushInternal', # 0x110 'NtGdiCreatePaletteInternal', # 0x111 'NtGdiCreateOPMProtectedOutputs', # 0x112 'NtGdiCreateMetafileDC', # 0x113 'NtGdiCreateHatchBrushInternal', # 0x114 'NtGdiCreateHalftonePalette', # 0x115 'NtGdiCreateEllipticRgn', # 0x116 'NtGdiCreateSessionMappedDIBSection', # 0x117 'NtGdiCreateDIBSection', # 0x118 'NtGdiCreateDIBitmapInternal', # 0x119 'NtGdiCreateDIBBrush', # 0x11a 'NtGdiCreateCompatibleDC', # 0x11b 'NtGdiCreateCompatibleBitmap', # 0x11c 'NtGdiCreateColorTransform', # 0x11d 'NtGdiCreateColorSpace', # 0x11e 'NtGdiCreateClientObj', # 0x11f 'NtGdiCreateBitmapFromDxSurface2', # 0x120 'NtGdiCreateBitmapFromDxSurface', # 0x121 'NtGdiCreateBitmap', # 0x122 'NtGdiConvertMetafileRect', # 0x123 'NtGdiConfigureOPMProtectedOutput', # 0x124 'NtGdiComputeXformCoefficients', # 0x125 'NtGdiCombineTransform', # 0x126 'NtGdiCombineRgn', # 0x127 'NtGdiColorCorrectPalette', # 0x128 'NtGdiClearBrushAttributes', # 0x129 'NtGdiClearBitmapAttributes', # 0x12a 'NtGdiCloseFigure', # 0x12b 'NtGdiCheckBitmapBits', # 0x12c 'NtGdiCancelDC', # 0x12d 'NtGdiBitBlt', # 0x12e 'NtGdiBeginPath', # 0x12f 'NtGdiBeginGdiRendering', # 0x130 'NtGdiArcInternal', # 0x131 'NtGdiFontIsLinked', # 0x132 'NtGdiAnyLinkedFonts', # 0x133 'NtGdiAngleArc', # 0x134 'NtGdiAlphaBlend', # 0x135 'NtGdiAddRemoteMMInstanceToDC', # 0x136 'NtGdiRemoveMergeFont', # 0x137 'NtGdiAddFontMemResourceEx', # 0x138 'NtGdiAddRemoteFontToDC', # 0x139 'NtGdiAddFontResourceW', # 0x13a 
'NtGdiAbortPath', # 0x13b 'NtGdiAbortDoc', # 0x13c 'NtUserDefSetText', # 0x13d 'NtUserDeferWindowPosAndBand', # 0x13e 'NtUserDdeInitialize', # 0x13f 'NtUserCanBrokerForceForeground', # 0x140 'NtUserCreateWindowStation', # 0x141 'NtUserCreateWindowEx', # 0x142 'NtUserCreateLocalMemHandle', # 0x143 'NtUserCreateInputContext', # 0x144 'NtUserCreateDesktopEx', # 0x145 'NtUserCreateCaret', # 0x146 'NtUserCreateAcceleratorTable', # 0x147 'NtUserCountClipboardFormats', # 0x148 'NtUserCopyAcceleratorTable', # 0x149 'NtUserConvertMemHandle', # 0x14a 'NtUserConsoleControl', # 0x14b 'NtUserCloseWindowStation', # 0x14c 'NtUserCloseDesktop', # 0x14d 'NtUserCloseClipboard', # 0x14e 'NtUserClipCursor', # 0x14f 'NtUserChildWindowFromPointEx', # 0x150 'NtUserCheckMenuItem', # 0x151 'NtUserCheckWindowThreadDesktop', # 0x152 'NtUserDwmValidateWindow', # 0x153 'NtUserCheckAccessForIntegrityLevel', # 0x154 'NtUserDisplayConfigSetDeviceInfo', # 0x155 'NtUserDisplayConfigGetDeviceInfo', # 0x156 'NtUserQueryDisplayConfig', # 0x157 'NtUserSetDisplayConfig', # 0x158 'NtUserGetDisplayConfigBufferSizes', # 0x159 'NtUserChangeDisplaySettings', # 0x15a 'NtUserChangeClipboardChain', # 0x15b 'NtUserCallTwoParam', # 0x15c 'NtUserCallOneParam', # 0x15d 'NtUserCallNoParam', # 0x15e 'NtUserCallNextHookEx', # 0x15f 'NtUserCallMsgFilter', # 0x160 'NtUserCallHwndParamLock', # 0x161 'NtUserCallHwndParam', # 0x162 'NtUserCallHwndOpt', # 0x163 'NtUserCallHwndLock', # 0x164 'NtUserCallHwnd', # 0x165 'NtUserBuildPropList', # 0x166 'NtUserBuildNameList', # 0x167 'NtUserBuildHwndList', # 0x168 'NtUserBuildHimcList', # 0x169 'NtUserBlockInput', # 0x16a 'NtUserBitBltSysBmp', # 0x16b 'NtUserBeginPaint', # 0x16c 'NtUserAttachThreadInput', # 0x16d 'NtUserAssociateInputContext', # 0x16e 'NtUserAlterWindowStyle', # 0x16f 'NtUserAddClipboardFormatListener', # 0x170 'NtUserActivateKeyboardLayout', # 0x171 'NtUserDelegateCapturePointers', # 0x172 'NtUserDelegateInput', # 0x173 'NtUserDispatchMessage', # 0x174 
'NtUserDisableProcessWindowFiltering', # 0x175 'NtUserDisableThreadIme', # 0x176 'NtUserDestroyWindow', # 0x177 'NtUserDestroyMenu', # 0x178 'NtUserDestroyInputContext', # 0x179 'NtUserDestroyCursor', # 0x17a 'NtUserDestroyAcceleratorTable', # 0x17b 'NtUserDeleteMenu', # 0x17c 'NtUserDoSoundDisconnect', # 0x17d 'NtUserDoSoundConnect', # 0x17e 'NtUserGhostWindowFromHungWindow', # 0x17f 'NtUserGetWOWClass', # 0x180 'NtUserGetWindowPlacement', # 0x181 'NtUserGetWindowDisplayAffinity', # 0x182 'NtUserGetWindowDC', # 0x183 'NtUserGetWindowCompositionAttribute', # 0x184 'NtUserGetWindowCompositionInfo', # 0x185 'NtUserGetWindowBand', # 0x186 'NtUserGetUpdateRgn', # 0x187 'NtUserGetUpdateRect', # 0x188 'NtUserGetUpdatedClipboardFormats', # 0x189 'NtUserGetTopLevelWindow', # 0x18a 'NtUserGetTitleBarInfo', # 0x18b 'NtUserGetThreadState', # 0x18c 'NtUserGetThreadDesktop', # 0x18d 'NtUserGetSystemMenu', # 0x18e 'NtUserGetScrollBarInfo', # 0x18f 'NtUserGetRegisteredRawInputDevices', # 0x190 'NtUserGetRawInputDeviceList', # 0x191 'NtUserGetRawInputDeviceInfo', # 0x192 'NtUserGetRawInputData', # 0x193 'NtUserGetRawInputBuffer', # 0x194 'NtUserGetProcessWindowStation', # 0x195 'NtUserGetPriorityClipboardFormat', # 0x196 'NtUserGetOpenClipboardWindow', # 0x197 'NtUserGetObjectInformation', # 0x198 'NtUserGetMouseMovePointsEx', # 0x199 'NtUserGetMessage', # 0x19a 'NtUserGetMenuItemRect', # 0x19b 'NtUserGetMenuIndex', # 0x19c 'NtUserGetMenuBarInfo', # 0x19d 'NtUserGetListBoxInfo', # 0x19e 'NtUserGetKeyState', # 0x19f 'NtUserGetKeyNameText', # 0x1a0 'NtUserGetKeyboardState', # 0x1a1 'NtUserGetKeyboardLayoutName', # 0x1a2 'NtUserGetKeyboardLayoutList', # 0x1a3 'NtUserGetInternalWindowPos', # 0x1a4 'NtUserGetInputLocaleInfo', # 0x1a5 'NtUserGetImeInfoEx', # 0x1a6 'NtUserGetImeHotKey', # 0x1a7 'NtUserGetIconSize', # 0x1a8 'NtUserGetIconInfo', # 0x1a9 'NtUserGetGUIThreadInfo', # 0x1aa 'NtUserGetGuiResources', # 0x1ab 'NtUserGetGlobalIMEStatus', # 0x1ac 'NtUserGetForegroundWindow', # 
0x1ad 'NtUserGetDoubleClickTime', # 0x1ae 'NtUserGetDesktopID', # 0x1af 'NtUserGetDCEx', # 0x1b0 'NtUserGetDC', # 0x1b1 'NtUserGetCursorInfo', # 0x1b2 'NtUserGetCursorFrameInfo', # 0x1b3 'NtUserGetCurrentInputMessageSource', # 0x1b4 'NtUserGetCIMSSM', # 0x1b5 'NtUserGetCPD', # 0x1b6 'NtUserGetControlColor', # 0x1b7 'NtUserGetControlBrush', # 0x1b8 'NtUserGetComboBoxInfo', # 0x1b9 'NtUserGetClipCursor', # 0x1ba 'NtUserGetClipboardViewer', # 0x1bb 'NtUserGetClipboardSequenceNumber', # 0x1bc 'NtUserGetClipboardOwner', # 0x1bd 'NtUserGetClipboardFormatName', # 0x1be 'NtUserGetClipboardData', # 0x1bf 'NtUserGetClassName', # 0x1c0 'NtUserGetClassInfoEx', # 0x1c1 'NtUserGetCaretPos', # 0x1c2 'NtUserGetCaretBlinkTime', # 0x1c3 'NtUserGetAtomName', # 0x1c4 'NtUserGetAsyncKeyState', # 0x1c5 'NtUserGetAppImeLevel', # 0x1c6 'NtUserGetAncestor', # 0x1c7 'NtUserGetAltTabInfo', # 0x1c8 'NtUserFrostCrashedWindow', # 0x1c9 'NtUserFlashWindowEx', # 0x1ca 'NtUserFindWindowEx', # 0x1cb 'NtUserFindExistingCursorIcon', # 0x1cc 'NtUserFillWindow', # 0x1cd 'NtUserExcludeUpdateRgn', # 0x1ce 'NtUserEvent', # 0x1cf 'NtUserEnumDisplaySettings', # 0x1d0 'NtUserEnumDisplayMonitors', # 0x1d1 'NtUserEnumDisplayDevices', # 0x1d2 'NtUserEndPaint', # 0x1d3 'NtUserEndMenu', # 0x1d4 'NtUserEndDeferWindowPosEx', # 0x1d5 'NtUserEnableScrollBar', # 0x1d6 'NtUserEnableMenuItem', # 0x1d7 'NtUserEmptyClipboard', # 0x1d8 'NtUserDrawMenuBarTemp', # 0x1d9 'NtUserDrawIconEx', # 0x1da 'NtUserDrawCaptionTemp', # 0x1db 'NtUserDrawCaption', # 0x1dc 'NtUserDrawAnimatedRects', # 0x1dd 'NtUserDragObject', # 0x1de 'NtUserDragDetect', # 0x1df 'NtUserHandleDelegatedInput', # 0x1e0 'NtUserRealChildWindowFromPoint', # 0x1e1 'NtUserQueryWindow', # 0x1e2 'NtUserQuerySendMessage', # 0x1e3 'NtUserQueryInputContext', # 0x1e4 'NtUserQueryInformationThread', # 0x1e5 'NtUserQueryBSDRWindow', # 0x1e6 'NtUserProcessConnect', # 0x1e7 'NtUserPrintWindow', # 0x1e8 'NtUserPostThreadMessage', # 0x1e9 'NtUserPostMessage', # 0x1ea 
'NtUserPhysicalToLogicalPoint', # 0x1eb 'NtUserPeekMessage', # 0x1ec 'NtUserPaintMonitor', # 0x1ed 'NtUserPaintDesktop', # 0x1ee 'NtUserOpenWindowStation', # 0x1ef 'NtUserOpenThreadDesktop', # 0x1f0 'NtUserOpenInputDesktop', # 0x1f1 'NtUserOpenDesktop', # 0x1f2 'NtUserOpenClipboard', # 0x1f3 'NtUserNotifyWinEvent', # 0x1f4 'NtUserNotifyProcessCreate', # 0x1f5 'NtUserNotifyIMEStatus', # 0x1f6 'NtUserMoveWindow', # 0x1f7 'NtUserModifyUserStartupInfoFlags', # 0x1f8 'NtUserMNDragOver', # 0x1f9 'NtUserMNDragLeave', # 0x1fa 'NtUserMinMaximize', # 0x1fb 'NtUserMessageCall', # 0x1fc 'NtUserMenuItemFromPoint', # 0x1fd 'NtUserMapVirtualKeyEx', # 0x1fe 'NtUserLayoutCompleted', # 0x1ff 'NtUserLogicalToPhysicalPoint', # 0x200 'NtUserLockWorkStation', # 0x201 'NtUserLockWindowUpdate', # 0x202 'NtUserLockWindowStation', # 0x203 'NtUserLoadKeyboardLayoutEx', # 0x204 'NtUserKillTimer', # 0x205 'NtUserIsTopLevelWindow', # 0x206 'NtUserIsClipboardFormatAvailable', # 0x207 'NtUserInvalidateRgn', # 0x208 'NtUserInvalidateRect', # 0x209 'NtUserInternalGetWindowIcon', # 0x20a 'NtUserInternalGetWindowText', # 0x20b 'NtUserInitTask', # 0x20c 'NtUserInitializeClientPfnArrays', # 0x20d 'NtUserInitialize', # 0x20e 'NtUserImpersonateDdeClientWindow', # 0x20f 'NtUserHungWindowFromGhostWindow', # 0x210 'NtUserHiliteMenuItem', # 0x211 'NtUserHideCaret', # 0x212 'NtUserHardErrorControl', # 0x213 'NtUserRealInternalGetMessage', # 0x214 'NtUserRealWaitMessageEx', # 0x215 'NtUserTranslateMessage', # 0x216 'NtUserTranslateAccelerator', # 0x217 'NtUserPaintMenuBar', # 0x218 'NtUserCalcMenuBar', # 0x219 'NtUserCalculatePopupWindowPosition', # 0x21a 'NtUserTrackPopupMenuEx', # 0x21b 'NtUserTrackMouseEvent', # 0x21c 'NtUserToUnicodeEx', # 0x21d 'NtUserThunkedMenuItemInfo', # 0x21e 'NtUserThunkedMenuInfo', # 0x21f 'NtUserTestForInteractiveUser', # 0x220 'NtUserSendEventMessage', # 0x221 'NtUserSystemParametersInfo', # 0x222 'NtUserSwitchDesktop', # 0x223 'NtUserSoundSentry', # 0x224 
'NtUserShutdownReasonDestroy', # 0x225 'NtUserShutdownBlockReasonQuery', # 0x226 'NtUserShutdownBlockReasonCreate', # 0x227 'NtUserShowWindowAsync', # 0x228 'NtUserShowWindow', # 0x229 'NtUserShowScrollBar', # 0x22a 'NtUserShowCaret', # 0x22b 'NtUserSetWinEventHook', # 0x22c 'NtUserSetWindowWord', # 0x22d 'NtUserSetWindowStationUser', # 0x22e 'NtUserSetWindowsHookEx', # 0x22f 'NtUserSetWindowsHookAW', # 0x230 'NtUserSetWindowRgnEx', # 0x231 'NtUserGetWindowRgnEx', # 0x232 'NtUserSetWindowRgn', # 0x233 'NtUserSetWindowPos', # 0x234 'NtUserSetWindowPlacement', # 0x235 'NtUserSetWindowLong', # 0x236 'NtUserSetWindowFNID', # 0x237 'NtUserSetWindowDisplayAffinity', # 0x238 'NtUserSetWindowCompositionTransition', # 0x239 'NtUserUpdateDefaultDesktopThumbnail', # 0x23a 'NtUserSetWindowCompositionAttribute', # 0x23b 'NtUserSetWindowBand', # 0x23c 'NtUserSetProcessUIAccessZorder', # 0x23d 'NtUserSetProcessDPIAware', # 0x23e 'NtUserSetTimer', # 0x23f 'NtUserSetThreadState', # 0x240 'NtUserSetThreadLayoutHandles', # 0x241 'NtUserSetThreadDesktop', # 0x242 'NtUserSetThreadInputBlocked', # 0x243 'NtUserSetSystemTimer', # 0x244 'NtUserSetSystemMenu', # 0x245 'NtUserSetSystemCursor', # 0x246 'NtUserSetSysColors', # 0x247 'NtUserSetShellWindowEx', # 0x248 'NtUserSetImmersiveBackgroundWindow', # 0x249 'NtUserSetScrollInfo', # 0x24a 'NtUserSetProp', # 0x24b 'NtUserGetProp', # 0x24c 'NtUserSetProcessWindowStation', # 0x24d 'NtUserSetParent', # 0x24e 'NtUserSetObjectInformation', # 0x24f 'NtUserSetMenuFlagRtoL', # 0x250 'NtUserSetMenuDefaultItem', # 0x251 'NtUserSetMenuContextHelpId', # 0x252 'NtUserSetMenu', # 0x253 'NtUserSetKeyboardState', # 0x254 'NtUserSetInternalWindowPos', # 0x255 'NtUserSetInformationThread', # 0x256 'NtUserSetImeOwnerWindow', # 0x257 'NtUserSetImeInfoEx', # 0x258 'NtUserSetImeHotKey', # 0x259 'NtUserSetFocus', # 0x25a 'NtUserSetCursorIconData', # 0x25b 'NtUserSetCursorContents', # 0x25c 'NtUserSetCursor', # 0x25d 'NtUserSetClipboardViewer', # 0x25e 
'NtUserSetClipboardData', # 0x25f 'NtUserSetClassWord', # 0x260 'NtUserSetClassLong', # 0x261 'NtUserSetChildWindowNoActivate', # 0x262 'NtUserSetCapture', # 0x263 'NtUserSetAppImeLevel', # 0x264 'NtUserSetActiveWindow', # 0x265 'NtUserSendInput', # 0x266 'NtUserSelectPalette', # 0x267 'NtUserScrollWindowEx', # 0x268 'NtUserScrollDC', # 0x269 'NtUserSBGetParms', # 0x26a 'NtUserResolveDesktopForWOW', # 0x26b 'NtUserRemoveProp', # 0x26c 'NtUserRemoveMenu', # 0x26d 'NtUserRemoveClipboardFormatListener', # 0x26e 'NtUserRegisterWindowMessage', # 0x26f 'NtUserRegisterTasklist', # 0x270 'NtUserRegisterServicesProcess', # 0x271 'NtUserRegisterRawInputDevices', # 0x272 'NtUserRegisterHotKey', # 0x273 'NtUserRegisterUserApiHook', # 0x274 'NtUserRegisterErrorReportingDialog', # 0x275 'NtUserRegisterClassExWOW', # 0x276 'NtUserRegisterBSDRWindow', # 0x277 'NtUserRedrawWindow', # 0x278 'NtUserUndelegateInput', # 0x279 'NtUserGetWindowMinimizeRect', # 0x27a 'NtUserDwmStopRedirection', # 0x27b 'NtUserDwmStartRedirection', # 0x27c 'NtUserDwmGetRemoteSessionOcclusionEvent', # 0x27d 'NtUserDwmGetRemoteSessionOcclusionState', # 0x27e 'NtUserUpdateWindowTransform', # 0x27f 'NtUserCheckProcessSession', # 0x280 'NtUserUnregisterSessionPort', # 0x281 'NtUserRegisterSessionPort', # 0x282 'NtUserCtxDisplayIOCtl', # 0x283 'NtUserRemoteStopScreenUpdates', # 0x284 'NtUserRemoteRedrawScreen', # 0x285 'NtUserRemoteRedrawRectangle', # 0x286 'NtUserRemoteConnect', # 0x287 'NtUserWaitAvailableMessageEx', # 0x288 'NtUserWindowFromPoint', # 0x289 'NtUserWindowFromPhysicalPoint', # 0x28a 'NtUserWaitMessage', # 0x28b 'NtUserWaitForMsgAndEvent', # 0x28c 'NtUserWaitForInputIdle', # 0x28d 'NtUserVkKeyScanEx', # 0x28e 'NtUserValidateTimerCallback', # 0x28f 'NtUserValidateRect', # 0x290 'NtUserValidateHandleSecure', # 0x291 'NtUserUserHandleGrantAccess', # 0x292 'NtUserUpdatePerUserSystemParameters', # 0x293 'NtUserSetLayeredWindowAttributes', # 0x294 'NtUserGetLayeredWindowAttributes', # 0x295 
'NtUserUpdateLayeredWindow', # 0x296 'NtUserUpdateInstance', # 0x297 'NtUserUpdateInputContext', # 0x298 'NtUserUnregisterHotKey', # 0x299 'NtUserUnregisterUserApiHook', # 0x29a 'NtUserUnregisterClass', # 0x29b 'NtUserUnlockWindowStation', # 0x29c 'NtUserUnloadKeyboardLayout', # 0x29d 'NtUserUnhookWinEvent', # 0x29e 'NtUserUnhookWindowsHookEx', # 0x29f 'NtUserGetTouchInputInfo', # 0x2a0 'NtUserIsTouchWindow', # 0x2a1 'NtUserModifyWindowTouchCapability', # 0x2a2 'NtGdiEngStretchBltROP', # 0x2a3 'NtGdiEngTextOut', # 0x2a4 'NtGdiEngTransparentBlt', # 0x2a5 'NtGdiEngGradientFill', # 0x2a6 'NtGdiEngAlphaBlend', # 0x2a7 'NtGdiEngLineTo', # 0x2a8 'NtGdiEngPaint', # 0x2a9 'NtGdiEngStrokeAndFillPath', # 0x2aa 'NtGdiEngFillPath', # 0x2ab 'NtGdiEngStrokePath', # 0x2ac 'NtGdiEngMarkBandingSurface', # 0x2ad 'NtGdiEngPlgBlt', # 0x2ae 'NtGdiEngStretchBlt', # 0x2af 'NtGdiEngBitBlt', # 0x2b0 'NtGdiEngLockSurface', # 0x2b1 'NtGdiEngUnlockSurface', # 0x2b2 'NtGdiEngEraseSurface', # 0x2b3 'NtGdiEngDeleteSurface', # 0x2b4 'NtGdiEngDeletePalette', # 0x2b5 'NtGdiEngCopyBits', # 0x2b6 'NtGdiEngComputeGlyphSet', # 0x2b7 'NtGdiEngCreatePalette', # 0x2b8 'NtGdiEngCreateDeviceBitmap', # 0x2b9 'NtGdiEngCreateDeviceSurface', # 0x2ba 'NtGdiEngCreateBitmap', # 0x2bb 'NtGdiEngAssociateSurface', # 0x2bc 'NtUserSetWindowFeedbackSetting', # 0x2bd 'NtUserRegisterEdgy', # 0x2be 'NtUserGetWindowFeedbackSetting', # 0x2bf 'NtUserHidePointerContactVisualization', # 0x2c0 'NtUserGetTouchValidationStatus', # 0x2c1 'NtUserInitializeTouchInjection', # 0x2c2 'NtUserInjectTouchInput', # 0x2c3 'NtUserRegisterTouchHitTestingWindow', # 0x2c4 'NtUserSetDisplayMapping', # 0x2c5 'NtUserSetCalibrationData', # 0x2c6 'NtUserGetRawPointerDeviceData', # 0x2c7 'NtUserGetPointerDeviceCursors', # 0x2c8 'NtUserGetPointerDeviceRects', # 0x2c9 'NtUserRegisterPointerDeviceNotifications', # 0x2ca 'NtUserGetPointerDeviceProperties', # 0x2cb 'NtUserGetPointerDevice', # 0x2cc 'NtUserGetPointerDevices', # 0x2cd 'NtUserPromotePointer', 
# 0x2ce 'NtUserDiscardPointerFrameMessages', # 0x2cf 'NtUserRegisterPointerInputTarget', # 0x2d0 'NtUserGetPointerInfoList', # 0x2d1 'NtUserGetPointerCursorId', # 0x2d2 'NtUserGetPointerType', # 0x2d3 'NtUserGetGestureConfig', # 0x2d4 'NtUserSetGestureConfig', # 0x2d5 'NtUserGetGestureExtArgs', # 0x2d6 'NtUserGetGestureInfo', # 0x2d7 'NtUserInjectGesture', # 0x2d8 'NtUserChangeWindowMessageFilterEx', # 0x2d9 'NtGdiXLATEOBJ_hGetColorTransform', # 0x2da 'NtGdiXLATEOBJ_iXlate', # 0x2db 'NtGdiXLATEOBJ_cGetPalette', # 0x2dc 'NtGdiEngDeleteClip', # 0x2dd 'NtGdiEngCreateClip', # 0x2de 'NtGdiEngDeletePath', # 0x2df 'NtGdiCLIPOBJ_ppoGetPath', # 0x2e0 'NtGdiCLIPOBJ_cEnumStart', # 0x2e1 'NtGdiCLIPOBJ_bEnum', # 0x2e2 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x2e3 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x2e4 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x2e5 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x2e6 'NtGdiXFORMOBJ_iGetXform', # 0x2e7 'NtGdiXFORMOBJ_bApplyXform', # 0x2e8 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x2e9 'NtGdiFONTOBJ_pfdg', # 0x2ea 'NtGdiFONTOBJ_pifi', # 0x2eb 'NtGdiFONTOBJ_cGetGlyphs', # 0x2ec 'NtGdiFONTOBJ_pxoGetXform', # 0x2ed 'NtGdiFONTOBJ_vGetInfo', # 0x2ee 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x2ef 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x2f0 'NtGdiSTROBJ_dwGetCodePage', # 0x2f1 'NtGdiSTROBJ_vEnumStart', # 0x2f2 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x2f3 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x2f4 'NtGdiSTROBJ_bEnum', # 0x2f5 'NtGdiPATHOBJ_bEnumClipLines', # 0x2f6 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x2f7 'NtGdiPATHOBJ_vEnumStart', # 0x2f8 'NtGdiPATHOBJ_bEnum', # 0x2f9 'NtGdiPATHOBJ_vGetBounds', # 0x2fa 'NtGdiEngCheckAbort', # 0x2fb 'NtGdiGetDhpdev', # 0x2fc 'NtGdiHT_Get8BPPMaskPalette', # 0x2fd 'NtGdiHT_Get8BPPFormatPalette', # 0x2fe 'NtGdiUpdateTransform', # 0x2ff 'NtGdiUMPDEngFreeUserMem', # 0x300 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x301 'NtGdiSetPUMPDOBJ', # 0x302 'NtGdiSetUMPDSandboxState', # 0x303 'NtGdiDrawStream', # 0x304 'NtGdiHLSurfSetInformation', # 0x305 'NtGdiHLSurfGetInformation', 
# 0x306 'NtGdiDwmCreatedBitmapRemotingOutput', # 0x307 'NtGdiDdDDIGetScanLine', # 0x308 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x309 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x30a 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x30b 'NtGdiDdDDIGetContextSchedulingPriority', # 0x30c 'NtGdiDdDDISetContextSchedulingPriority', # 0x30d 'NtGdiDdDDIDestroyDCFromMemory', # 0x30e 'NtGdiDdDDICreateDCFromMemory', # 0x30f 'NtGdiDdDDIGetDeviceState', # 0x310 'NtGdiDdDDISetGammaRamp', # 0x311 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x312 'NtGdiDdDDIDestroyOverlay', # 0x313 'NtGdiDdDDIFlipOverlay', # 0x314 'NtGdiDdDDIUpdateOverlay', # 0x315 'NtGdiDdDDICreateOverlay', # 0x316 'NtGdiDdDDIGetPresentQueueEvent', # 0x317 'NtGdiDdDDIGetPresentHistory', # 0x318 'NtGdiDdDDISetVidPnSourceOwner1', # 0x319 'NtGdiDdDDISetVidPnSourceOwner', # 0x31a 'NtGdiDdDDIQueryStatistics', # 0x31b 'NtGdiDdDDIEscape', # 0x31c 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x31d 'NtGdiDdDDICloseAdapter', # 0x31e 'NtGdiDdDDIOpenAdapterFromLuid', # 0x31f 'NtGdiDdDDIEnumAdapters', # 0x320 'NtGdiDdDDIOpenAdapterFromHdc', # 0x321 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x322 'NtGdiDdDDIRender', # 0x323 'NtGdiDdDDIPresent', # 0x324 'NtGdiDdDDIGetMultisampleMethodList', # 0x325 'NtGdiDdDDISetDisplayMode', # 0x326 'NtGdiDdDDIGetDisplayModeList', # 0x327 'NtGdiDdDDIUnlock', # 0x328 'NtGdiDdDDILock', # 0x329 'NtGdiDdDDIQueryAdapterInfo', # 0x32a 'NtGdiDdDDIGetRuntimeData', # 0x32b 'NtGdiDdDDISignalSynchronizationObject', # 0x32c 'NtGdiDdDDIWaitForSynchronizationObject', # 0x32d 'NtGdiDdDDIDestroySynchronizationObject', # 0x32e 'NtGdiDdDDIOpenSynchronizationObject', # 0x32f 'NtGdiDdDDICreateSynchronizationObject', # 0x330 'NtGdiDdDDIDestroyContext', # 0x331 'NtGdiDdDDICreateContext', # 0x332 'NtGdiDdDDIDestroyDevice', # 0x333 'NtGdiDdDDICreateDevice', # 0x334 'NtGdiDdDDIQueryAllocationResidency', # 0x335 'NtGdiDdDDISetAllocationPriority', # 0x336 'NtGdiDdDDIDestroyAllocation', # 0x337 
'NtGdiDdDDIOpenResourceFromNtHandle', # 0x338 'NtGdiDdDDIOpenSyncObjectFromNtHandle', # 0x339 'NtGdiDdDDIOpenResource', # 0x33a 'NtGdiDdDDIOpenNtHandleFromName', # 0x33b 'NtGdiDdDDIShareObjects', # 0x33c 'NtGdiDdDDIQueryResourceInfoFromNtHandle', # 0x33d 'NtGdiDdDDIQueryResourceInfo', # 0x33e 'NtGdiDdDDICreateAllocation', # 0x33f 'NtGdiDdDDIOutputDuplReleaseFrame', # 0x340 'NtGdiDdDDIQueryRemoteVidPnSourceFromGdiDisplayName', # 0x341 'NtGdiDdDDIOutputDuplPresent', # 0x342 'NtGdiDdDDIReleaseKeyedMutex2', # 0x343 'NtGdiDdDDIAcquireKeyedMutex2', # 0x344 'NtGdiDdDDIOpenKeyedMutex2', # 0x345 'NtGdiDdDDICreateKeyedMutex2', # 0x346 'NtGdiDdDDIOutputDuplGetPointerShapeData', # 0x347 'NtGdiDdDDIOutputDuplGetMetaData', # 0x348 'NtGdiDdDDIOutputDuplGetFrameInfo', # 0x349 'NtGdiDdDDIDestroyOutputDupl', # 0x34a 'NtGdiDdDDICreateOutputDupl', # 0x34b 'NtGdiDdDDIReclaimAllocations', # 0x34c 'NtGdiDdDDIOfferAllocations', # 0x34d 'NtGdiDdDDICheckSharedResourceAccess', # 0x34e 'NtGdiDdDDICheckVidPnExclusiveOwnership', # 0x34f 'NtGdiDdDDIGetOverlayState', # 0x350 'NtGdiDdDDIConfigureSharedResource', # 0x351 'NtGdiDdDDIReleaseKeyedMutex', # 0x352 'NtGdiDdDDIAcquireKeyedMutex', # 0x353 'NtGdiDdDDIDestroyKeyedMutex', # 0x354 'NtGdiDdDDIOpenKeyedMutex', # 0x355 'NtGdiDdDDICreateKeyedMutex', # 0x356 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x357 'NtGdiDdDDISharedPrimaryLockNotification', # 0x358 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x359 'NtGdiDdDDICheckExclusiveOwnership', # 0x35a 'NtGdiDdDDICheckMonitorPowerState', # 0x35b 'NtGdiDdDDIWaitForIdle', # 0x35c 'NtGdiDdDDICheckOcclusion', # 0x35d 'NtGdiDdDDIInvalidateActiveVidPn', # 0x35e 'NtGdiDdDDIPollDisplayChildren', # 0x35f 'NtGdiDdDDISetQueuedLimit', # 0x360 'NtGdiDdDDIPinDirectFlipResources', # 0x361 'NtGdiDdDDIUnpinDirectFlipResources', # 0x362 'NtGdiDdDDIWaitForVerticalBlankEvent2', # 0x363 'NtGdiDdDDISetContextInProcessSchedulingPriority', # 0x364 'NtGdiDdDDIGetContextInProcessSchedulingPriority', # 0x365 
'NtGdiDdDDIGetSharedResourceAdapterLuid', # 0x366 'NtGdiDdDDISetStereoEnabled', # 0x367 'NtGdiMakeObjectUnXferable', # 0x368 'NtGdiMakeObjectXferable', # 0x369 'NtGdiDestroyPhysicalMonitor', # 0x36a 'NtGdiGetPhysicalMonitorDescription', # 0x36b 'NtGdiGetPhysicalMonitors', # 0x36c 'NtGdiGetNumberOfPhysicalMonitors', # 0x36d 'NtGdiDDCCIGetTimingReport', # 0x36e 'NtGdiDDCCIGetCapabilitiesString', # 0x36f 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x370 'NtGdiDDCCISaveCurrentSettings', # 0x371 'NtGdiDDCCISetVCPFeature', # 0x372 'NtGdiDDCCIGetVCPFeature', # 0x373 'NtGdiDdQueryVisRgnUniqueness', # 0x374 'NtGdiDdDestroyFullscreenSprite', # 0x375 'NtGdiDdNotifyFullscreenSpriteUpdate', # 0x376 'NtGdiDdCreateFullscreenSprite', # 0x377 'NtUserShowSystemCursor', # 0x378 'NtUserSetMirrorRendering', # 0x379 'NtUserMagGetContextInformation', # 0x37a 'NtUserMagSetContextInformation', # 0x37b 'NtUserMagControl', # 0x37c 'NtUserSlicerControl', # 0x37d 'NtUserHwndSetRedirectionInfo', # 0x37e 'NtUserHwndQueryRedirectionInfo', # 0x37f 'NtCreateCompositionSurfaceHandle', # 0x380 'NtValidateCompositionSurfaceHandle', # 0x381 'NtBindCompositionSurface', # 0x382 'NtUnBindCompositionSurface', # 0x383 'NtQueryCompositionSurfaceBinding', # 0x384 'NtNotifyPresentToCompositionSurface', # 0x385 'NtQueryCompositionSurfaceStatistics', # 0x386 'NtOpenCompositionSurfaceSectionInfo', # 0x387 'NtOpenCompositionSurfaceSwapChainHandleInfo', # 0x388 'NtQueryCompositionSurfaceRenderingRealization', # 0x389 'NtOpenCompositionSurfaceDirtyRegion', # 0x38a 'NtSetCompositionSurfaceOutOfFrameDirectFlipNotification', # 0x38b 'NtSetCompositionSurfaceStatistics', # 0x38c 'NtTokenManagerOpenEvent', # 0x38d 'NtTokenManagerThread', # 0x38e 'NtTokenManagerGetOutOfFrameDirectFlipSurfaceUpdates', # 0x38f 'NtDCompositionBeginFrame', # 0x390 'NtDCompositionConfirmFrame', # 0x391 'NtDCompositionRetireFrame', # 0x392 'NtDCompositionDiscardFrame', # 0x393 'NtDCompositionGetFrameSurfaceUpdates', # 0x394 
'NtDCompositionGetFrameLegacyTokens', # 0x395 'NtDCompositionDestroyConnectionContext', # 0x396 'NtDCompositionGetConnectionContextBatch', # 0x397 'NtDCompositionGetFrameStatistics', # 0x398 'NtDCompositionGetDeletedResources', # 0x399 'NtDCompositionSetResourceDeletedNotificationTag', # 0x39a 'NtDCompositionCreateConnectionContext', # 0x39b 'NtDCompositionDestroyChannel', # 0x39c 'NtDCompositionReleaseAllResources', # 0x39d 'NtDCompositionSubmitDWMBatch', # 0x39e 'NtDCompositionCommitChannel', # 0x39f 'NtDCompositionWaitForChannel', # 0x3a0 'NtDCompositionSetChannelCommitCompletionEvent', # 0x3a1 'NtDCompositionTelemetryTouchInteractionBegin', # 0x3a2 'NtDCompositionTelemetryTouchInteractionUpdate', # 0x3a3 'NtDCompositionTelemetryTouchInteractionEnd', # 0x3a4 'NtDCompositionCurrentBatchId', # 0x3a5 'NtDCompositionReleaseResource', # 0x3a6 'NtDCompositionRemoveCrossDeviceVisualChild', # 0x3a7 'NtDCompositionRemoveVisualChild', # 0x3a8 'NtDCompositionAddCrossDeviceVisualChild', # 0x3a9 'NtDCompositionAddVisualChild', # 0x3aa 'NtDCompositionReplaceVisualChildren', # 0x3ab 'NtDCompositionSetResourceAnimationProperty', # 0x3ac 'NtDCompositionSetResourceReferenceArrayProperty', # 0x3ad 'NtDCompositionSetResourceReferenceProperty', # 0x3ae 'NtDCompositionSetResourceBufferProperty', # 0x3af 'NtDCompositionSetResourceIntegerProperty', # 0x3b0 'NtDCompositionSetResourceFloatProperty', # 0x3b1 'NtDCompositionCreateResource', # 0x3b2 'NtDCompositionCreateDwmChannel', # 0x3b3 'NtDCompositionCreateChannel', # 0x3b4 'NtDCompositionSynchronize', # 0x3b5 'NtDCompositionDwmSyncFlush', # 0x3b6 'NtDCompositionValidateAndReferenceSystemVisualForHwndTarget', # 0x3b7 'NtDCompositionSignalGpuFence', # 0x3b8 'NtDCompositionGetChannels', # 0x3b9 'NtDCompositionConnectPipe', # 0x3ba 'NtUserDestroyDCompositionHwndTarget', # 0x3bb 'NtUserCreateDCompositionHwndTarget', # 0x3bc 'NtUserWaitForRedirectionStartComplete', # 0x3bd 'NtUserSignalRedirectionStartComplete', # 0x3be 
'NtUserSetActiveProcess', # 0x3bf 'NtUserGetDisplayAutoRotationPreferencesByProcessId', # 0x3c0 'NtUserGetDisplayAutoRotationPreferences', # 0x3c1 'NtUserSetDisplayAutoRotationPreferences', # 0x3c2 'NtUserSetAutoRotation', # 0x3c3 'NtUserGetAutoRotationState', # 0x3c4 'NtUserAutoRotateScreen', # 0x3c5 'NtUserSetSensorPresence', # 0x3c6 'NtUserAcquireIAMKey', # 0x3c7 'NtUserSetFallbackForeground', # 0x3c8 'NtUserSetBrokeredForeground', # 0x3c9 'NtUserDisableImmersiveOwner', # 0x3ca 'NtUserEnableIAMAccess', # 0x3cb 'NtUserGetProcessUIContextInformation', # 0x3cc 'NtUserSetProcessRestrictionExemption', # 0x3cd 'NtUserEnableMouseInPointer', # 0x3ce 'NtUserIsMouseInPointerEnabled', # 0x3cf 'NtUserPromoteMouseInPointer', # 0x3d0 'NtUserAutoPromoteMouseInPointer', # 0x3d1 'NtUserEnableMouseInputForCursorSuppression', # 0x3d2 'NtUserIsMouseInputEnabled', # 0x3d3 'NtUserInternalClipCursor', # 0x3d4 'NtUserCheckProcessForClipboardAccess', # 0x3d5 'NtUserGetClipboardAccessToken', # 0x3d6 'NtUserGetQueueEventStatus', # 0x3d7 ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win2003_sp1_x86_vtypes.py0000644000000000000000000110242113131215405030733 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_100d' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_100d']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 
'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '__unnamed_101e' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_101e']], 'QuadPart' : [ 0x0, ['long long']], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_KPRCB' : [ 0xec0, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'PrcbPad0' : [ 0x3bc, ['array', 92, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 33, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x520, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x524, ['unsigned long']], 'KernelTime' : [ 0x528, ['unsigned long']], 'UserTime' : [ 0x52c, ['unsigned long']], 'DpcTime' : [ 0x530, ['unsigned long']], 'DebugDpcTime' : [ 0x534, ['unsigned long']], 'InterruptTime' : [ 0x538, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x53c, ['unsigned long']], 'PageColor' : [ 0x540, ['unsigned long']], 'SkipTick' : [ 0x544, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x545, ['unsigned char']], 'NodeColor' : [ 0x546, ['unsigned char']], 'Spare1' : [ 0x547, ['unsigned char']], 'NodeShiftedColor' : [ 0x548, ['unsigned long']], 'ParentNode' : [ 0x54c, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x550, 
['unsigned long']], 'MultiThreadSetMaster' : [ 0x554, ['pointer', ['_KPRCB']]], 'SecondaryColorMask' : [ 0x558, ['unsigned long']], 'Sleeping' : [ 0x55c, ['long']], 'CcFastReadNoWait' : [ 0x560, ['unsigned long']], 'CcFastReadWait' : [ 0x564, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x568, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x56c, ['unsigned long']], 'CcCopyReadWait' : [ 0x570, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x578, ['unsigned long']], 'SpareCounter0' : [ 0x57c, ['unsigned long']], 'KeDcacheFlushCount' : [ 0x580, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x584, ['unsigned long']], 'KeFirstLevelTbFills' : [ 0x588, ['unsigned long']], 'KeFloatingEmulationCount' : [ 0x58c, ['unsigned long']], 'KeIcacheFlushCount' : [ 0x590, ['unsigned long']], 'KeSecondLevelTbFills' : [ 0x594, ['unsigned long']], 'KeSystemCalls' : [ 0x598, ['unsigned long']], 'IoReadOperationCount' : [ 0x59c, ['long']], 'IoWriteOperationCount' : [ 0x5a0, ['long']], 'IoOtherOperationCount' : [ 0x5a4, ['long']], 'IoReadTransferCount' : [ 0x5a8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x5b0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x5b8, ['_LARGE_INTEGER']], 'SpareCounter1' : [ 0x5c0, ['array', 8, ['unsigned long']]], 'PPLookasideList' : [ 0x5e0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x660, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PPPagedLookasideList' : [ 0x760, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PacketBarrier' : [ 0x860, ['unsigned long']], 'ReverseStall' : [ 0x864, ['unsigned long']], 'IpiFrame' : [ 0x868, ['pointer', ['void']]], 'PrcbPad2' : [ 0x86c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x8a0, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x8ac, ['unsigned long']], 'WorkerRoutine' : [ 0x8b0, ['pointer', ['void']]], 'IpiFrozen' : [ 0x8b4, ['unsigned long']], 'PrcbPad3' : [ 0x8b8, ['array', 40, ['unsigned char']]], 'RequestSummary' : 
[ 0x8e0, ['unsigned long']], 'SignalDone' : [ 0x8e4, ['pointer', ['_KPRCB']]], 'PrcbPad4' : [ 0x8e8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x920, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x948, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x94c, ['unsigned long']], 'DpcRequestRate' : [ 0x950, ['unsigned long']], 'MinimumDpcRate' : [ 0x954, ['unsigned long']], 'DpcInterruptRequested' : [ 0x958, ['unsigned char']], 'DpcThreadRequested' : [ 0x959, ['unsigned char']], 'DpcRoutineActive' : [ 0x95a, ['unsigned char']], 'DpcThreadActive' : [ 0x95b, ['unsigned char']], 'PrcbLock' : [ 0x95c, ['unsigned long']], 'DpcLastCount' : [ 0x960, ['unsigned long']], 'TimerHand' : [ 0x964, ['unsigned long']], 'TimerRequest' : [ 0x968, ['unsigned long']], 'DpcThread' : [ 0x96c, ['pointer', ['void']]], 'DpcEvent' : [ 0x970, ['_KEVENT']], 'ThreadDpcEnable' : [ 0x980, ['unsigned char']], 'QuantumEnd' : [ 0x981, ['unsigned char']], 'PrcbPad50' : [ 0x982, ['unsigned char']], 'IdleSchedule' : [ 0x983, ['unsigned char']], 'DpcSetEventRequest' : [ 0x984, ['long']], 'PrcbPad5' : [ 0x988, ['array', 18, ['unsigned char']]], 'TickOffset' : [ 0x99c, ['long']], 'CallDpc' : [ 0x9a0, ['_KDPC']], 'PrcbPad7' : [ 0x9c0, ['array', 8, ['unsigned long']]], 'WaitListHead' : [ 0x9e0, ['_LIST_ENTRY']], 'ReadySummary' : [ 0x9e8, ['unsigned long']], 'QueueIndex' : [ 0x9ec, ['unsigned long']], 'DispatcherReadyListHead' : [ 0x9f0, ['array', 32, ['_LIST_ENTRY']]], 'DeferredReadyListHead' : [ 0xaf0, ['_SINGLE_LIST_ENTRY']], 'PrcbPad72' : [ 0xaf4, ['array', 11, ['unsigned long']]], 'ChainedInterruptList' : [ 0xb20, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0xb24, ['long']], 'MmPageFaultCount' : [ 0xb28, ['long']], 'MmCopyOnWriteCount' : [ 0xb2c, ['long']], 'MmTransitionCount' : [ 0xb30, ['long']], 'MmCacheTransitionCount' : [ 0xb34, ['long']], 'MmDemandZeroCount' : [ 0xb38, ['long']], 'MmPageReadCount' : [ 0xb3c, ['long']], 'MmPageReadIoCount' : [ 0xb40, ['long']], 'MmCacheReadCount' : [ 
0xb44, ['long']], 'MmCacheIoCount' : [ 0xb48, ['long']], 'MmDirtyPagesWriteCount' : [ 0xb4c, ['long']], 'MmDirtyWriteIoCount' : [ 0xb50, ['long']], 'MmMappedPagesWriteCount' : [ 0xb54, ['long']], 'MmMappedWriteIoCount' : [ 0xb58, ['long']], 'SpareFields0' : [ 0xb5c, ['array', 1, ['unsigned long']]], 'VendorString' : [ 0xb60, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0xb6d, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0xb6e, ['unsigned char']], 'MHz' : [ 0xb70, ['unsigned long']], 'FeatureBits' : [ 0xb74, ['unsigned long']], 'UpdateSignature' : [ 0xb78, ['_LARGE_INTEGER']], 'IsrTime' : [ 0xb80, ['unsigned long long']], 'SpareField1' : [ 0xb88, ['unsigned long long']], 'NpxSaveArea' : [ 0xb90, ['_FX_SAVE_AREA']], 'PowerState' : [ 0xda0, ['_PROCESSOR_POWER_STATE']], } ], '_KPCR' : [ 0xfe0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'PerfGlobalGroupMask' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 
0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned char']], 'Expedite' : [ 0x3, ['unsigned char']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_KTHREAD' : [ 0x1b8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListHead' : [ 0x10, ['_LIST_ENTRY']], 'InitialStack' : [ 0x18, ['pointer', ['void']]], 'StackLimit' : [ 0x1c, ['pointer', ['void']]], 'KernelStack' : [ 0x20, ['pointer', ['void']]], 
'ThreadLock' : [ 0x24, ['unsigned long']], 'ApcState' : [ 0x28, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x28, ['array', 23, ['unsigned char']]], 'ApcQueueable' : [ 0x3f, ['unsigned char']], 'NextProcessor' : [ 0x40, ['unsigned char']], 'DeferredProcessor' : [ 0x41, ['unsigned char']], 'AdjustReason' : [ 0x42, ['unsigned char']], 'AdjustIncrement' : [ 0x43, ['unsigned char']], 'ApcQueueLock' : [ 0x44, ['unsigned long']], 'ContextSwitches' : [ 0x48, ['unsigned long']], 'State' : [ 0x4c, ['unsigned char']], 'NpxState' : [ 0x4d, ['unsigned char']], 'WaitIrql' : [ 0x4e, ['unsigned char']], 'WaitMode' : [ 0x4f, ['unsigned char']], 'WaitStatus' : [ 0x50, ['long']], 'WaitBlockList' : [ 0x54, ['pointer', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x54, ['pointer', ['_KGATE']]], 'Alertable' : [ 0x58, ['unsigned char']], 'WaitNext' : [ 0x59, ['unsigned char']], 'WaitReason' : [ 0x5a, ['unsigned char']], 'Priority' : [ 0x5b, ['unsigned char']], 'EnableStackSwap' : [ 0x5c, ['unsigned char']], 'SwapBusy' : [ 0x5d, ['unsigned char']], 'Alerted' : [ 0x5e, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x60, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x68, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x6c, ['unsigned long']], 'KernelApcDisable' : [ 0x70, ['short']], 'SpecialApcDisable' : [ 0x72, ['short']], 'CombinedApcDisable' : [ 0x70, ['unsigned long']], 'Teb' : [ 0x74, ['pointer', ['void']]], 'Timer' : [ 0x78, ['_KTIMER']], 'TimerFill' : [ 0x78, ['array', 40, ['unsigned char']]], 'AutoAlignment' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0xa0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'ReservedFlags' : [ 0xa0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='long')]], 'ThreadFlags' : [ 0xa0, ['long']], 'WaitBlock' : [ 0xa8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xa8, ['array', 23, ['unsigned char']]], 'SystemAffinityActive' : [ 0xbf, 
['unsigned char']], 'WaitBlockFill1' : [ 0xa8, ['array', 47, ['unsigned char']]], 'PreviousMode' : [ 0xd7, ['unsigned char']], 'WaitBlockFill2' : [ 0xa8, ['array', 71, ['unsigned char']]], 'ResourceIndex' : [ 0xef, ['unsigned char']], 'WaitBlockFill3' : [ 0xa8, ['array', 95, ['unsigned char']]], 'LargeStack' : [ 0x107, ['unsigned char']], 'QueueListEntry' : [ 0x108, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x110, ['pointer', ['_KTRAP_FRAME']]], 'CallbackStack' : [ 0x114, ['pointer', ['void']]], 'ServiceTable' : [ 0x118, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x11c, ['unsigned char']], 'IdealProcessor' : [ 0x11d, ['unsigned char']], 'Preempted' : [ 0x11e, ['unsigned char']], 'ProcessReadyQueue' : [ 0x11f, ['unsigned char']], 'KernelStackResident' : [ 0x120, ['unsigned char']], 'BasePriority' : [ 0x121, ['unsigned char']], 'PriorityDecrement' : [ 0x122, ['unsigned char']], 'Saturation' : [ 0x123, ['unsigned char']], 'UserAffinity' : [ 0x124, ['unsigned long']], 'Process' : [ 0x128, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x12c, ['unsigned long']], 'ApcStatePointer' : [ 0x130, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x138, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x138, ['array', 23, ['unsigned char']]], 'FreezeCount' : [ 0x14f, ['unsigned char']], 'SuspendCount' : [ 0x150, ['unsigned char']], 'UserIdealProcessor' : [ 0x151, ['unsigned char']], 'CalloutActive' : [ 0x152, ['unsigned char']], 'Iopl' : [ 0x153, ['unsigned char']], 'Win32Thread' : [ 0x154, ['pointer', ['void']]], 'StackBase' : [ 0x158, ['pointer', ['void']]], 'SuspendApc' : [ 0x15c, ['_KAPC']], 'SuspendApcFill0' : [ 0x15c, ['array', 1, ['unsigned char']]], 'Quantum' : [ 0x15d, ['unsigned char']], 'SuspendApcFill1' : [ 0x15c, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x15f, ['unsigned char']], 'SuspendApcFill2' : [ 0x15c, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x160, ['unsigned long']], 'SuspendApcFill3' : [ 0x15c, ['array', 36, ['unsigned char']]], 
'TlsArray' : [ 0x180, ['pointer', ['void']]], 'SuspendApcFill4' : [ 0x15c, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x184, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x15c, ['array', 47, ['unsigned char']]], 'PowerState' : [ 0x18b, ['unsigned char']], 'UserTime' : [ 0x18c, ['unsigned long']], 'SuspendSemaphore' : [ 0x190, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x190, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1a4, ['unsigned long']], 'ThreadListEntry' : [ 0x1a8, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1b0, ['pointer', ['void']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 
35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], 
'_ETHREAD' : [ 0x250, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1b8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x1c0, ['_LARGE_INTEGER']], 'LpcReplyChain' : [ 0x1c0, ['_LIST_ENTRY']], 'KeyedWaitChain' : [ 0x1c0, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1c8, ['long']], 'OfsChain' : [ 0x1c8, ['pointer', ['void']]], 'PostBlockList' : [ 0x1cc, ['_LIST_ENTRY']], 'TerminationPort' : [ 0x1d4, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1d4, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1d4, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x1d8, ['unsigned long']], 'ActiveTimerListHead' : [ 0x1dc, ['_LIST_ENTRY']], 'Cid' : [ 0x1e4, ['_CLIENT_ID']], 'LpcReplySemaphore' : [ 0x1ec, ['_KSEMAPHORE']], 'KeyedWaitSemaphore' : [ 0x1ec, ['_KSEMAPHORE']], 'LpcReplyMessage' : [ 0x200, ['pointer', ['void']]], 'LpcWaitingOnPort' : [ 0x200, ['pointer', ['void']]], 'ImpersonationInfo' : [ 0x204, ['pointer', ['_PS_IMPERSONATION_INFORMATION']]], 'IrpList' : [ 0x208, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x210, ['unsigned long']], 'DeviceToVerify' : [ 0x214, ['pointer', ['_DEVICE_OBJECT']]], 'ThreadsProcess' : [ 0x218, ['pointer', ['_EPROCESS']]], 'StartAddress' : [ 0x21c, ['pointer', ['void']]], 'Win32StartAddress' : [ 0x220, ['pointer', ['void']]], 'LpcReceivedMessageId' : [ 0x220, ['unsigned long']], 'ThreadListEntry' : [ 0x224, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x22c, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x230, ['_EX_PUSH_LOCK']], 'LpcReplyMessageId' : [ 0x234, ['unsigned long']], 'ReadClusterSize' : [ 0x238, ['unsigned long']], 'GrantedAccess' : [ 0x23c, ['unsigned long']], 'CrossThreadFlags' : [ 0x240, ['unsigned long']], 'Terminated' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeadThread' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 
0x240, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x240, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x240, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x240, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x240, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x240, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x244, ['unsigned long']], 'ActiveExWorker' : [ 0x244, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x244, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x244, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x244, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x248, ['unsigned long']], 'LpcReceivedMsgIdValid' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'LpcExitThreadCalled' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'AddressSpaceOwner' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 
'OwnsSessionWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x249, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ApcNeeded' : [ 0x249, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ForwardClusterOnly' : [ 0x24c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x24d, ['unsigned char']], 'ActiveFaultCount' : [ 0x24e, ['unsigned char']], } ], '_EPROCESS' : [ 0x278, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x80, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x88, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x90, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x94, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0x98, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xa0, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0xac, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xb8, ['unsigned long']], 'PeakVirtualSize' : [ 0xbc, ['unsigned long']], 'VirtualSize' : [ 0xc0, ['unsigned long']], 'SessionProcessLinks' : [ 0xc4, ['_LIST_ENTRY']], 'DebugPort' : [ 0xcc, ['pointer', ['void']]], 'ExceptionPort' : [ 0xd0, ['pointer', ['void']]], 'ObjectTable' : [ 0xd4, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xd8, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xdc, ['unsigned long']], 'AddressCreationLock' : [ 0xe0, ['_KGUARDED_MUTEX']], 'HyperSpaceLock' : [ 0x100, ['unsigned long']], 'ForkInProgress' : [ 0x104, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x108, ['unsigned long']], 'PhysicalVadRoot' : [ 0x10c, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x110, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x114, ['unsigned long']], 'NumberOfLockedPages' : [ 0x118, ['unsigned long']], 'Win32Process' : [ 0x11c, ['pointer', ['void']]], 'Job' : [ 0x120, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x124, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x128, ['pointer', 
['void']]], 'QuotaBlock' : [ 0x12c, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x130, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x134, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x138, ['pointer', ['void']]], 'LdtInformation' : [ 0x13c, ['pointer', ['void']]], 'VadFreeHint' : [ 0x140, ['pointer', ['void']]], 'VdmObjects' : [ 0x144, ['pointer', ['void']]], 'DeviceMap' : [ 0x148, ['pointer', ['void']]], 'Spare0' : [ 0x14c, ['array', 3, ['pointer', ['void']]]], 'PageDirectoryPte' : [ 0x158, ['_HARDWARE_PTE']], 'Filler' : [ 0x158, ['unsigned long long']], 'Session' : [ 0x160, ['pointer', ['void']]], 'ImageFileName' : [ 0x164, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x174, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x17c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x180, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x188, ['pointer', ['void']]], 'PaeTop' : [ 0x18c, ['pointer', ['void']]], 'ActiveThreads' : [ 0x190, ['unsigned long']], 'GrantedAccess' : [ 0x194, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x198, ['unsigned long']], 'LastThreadExitStatus' : [ 0x19c, ['long']], 'Peb' : [ 0x1a0, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x1a4, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x1a8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1d8, ['unsigned long']], 'CommitChargePeak' : [ 0x1dc, ['unsigned long']], 'AweInfo' : [ 0x1e0, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1e4, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1e8, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x230, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x238, ['unsigned long']], 'JobStatus' : [ 0x23c, ['unsigned long']], 'Flags' : [ 0x240, ['unsigned long']], 
'CreateReported' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x240, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x240, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x240, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x240, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x240, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x240, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x240, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x240, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x240, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SessionCreationUnderway' : [ 0x240, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x240, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x240, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x240, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x240, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x240, ['BitField', 
dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x240, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x240, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x240, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x240, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x240, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x240, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CreateFailed' : [ 0x240, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x240, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'Spare1' : [ 0x240, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare2' : [ 0x240, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x244, ['long']], 'NextPageColor' : [ 0x248, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x24a, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x24b, ['unsigned char']], 'SubSystemVersion' : [ 0x24a, ['unsigned short']], 'PriorityClass' : [ 0x24c, ['unsigned char']], 'VadRoot' : [ 0x250, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x270, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', 
['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x190, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x38, ['_LIST_ENTRY']], 'Name' : [ 0x40, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x48, ['pointer', ['void']]], 'Index' : [ 0x4c, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x50, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x54, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x58, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x5c, ['unsigned long']], 'TypeInfo' : [ 0x60, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0xac, ['unsigned long']], 'ObjectLocks' : [ 0xb0, ['array', 4, ['_ERESOURCE']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' 
: [ 0x4, ['unsigned long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1154' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1154']], } ], '__unnamed_1161' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'ReadStatus' : [ 0x0, ['long']], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1163' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_1166' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1168' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1166']], } ], '__unnamed_116d' : [ 0x4, { 'EntireFrame' : [ 0x0, ['unsigned long']], 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 28, 
end_bit = 31, native_type='unsigned long')]], 'MustBeCached' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1161']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'u2' : [ 0x8, ['__unnamed_1163']], 'u3' : [ 0xc, ['__unnamed_1168']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_116d']], } ], '__unnamed_1174' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_1177' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_117c' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1174']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1177']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_117c']], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_MMPTE_FLUSH_LIST' : [ 0x88, { 'Count' : [ 0x0, ['unsigned long']], 'FlushVa' : [ 0x4, ['array', 33, ['pointer', ['void']]]], } ], '__unnamed_118e' : [ 0x4, { 'LongFlags' : [ 0x0, 
['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'u' : [ 0x4, ['__unnamed_118e']], 'StartingSector' : [ 0x8, ['unsigned long']], 'NumberOfFullSectors' : [ 0xc, ['unsigned long']], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'UnusedPtes' : [ 0x14, ['unsigned long']], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'NextSubsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], } ], '_MMPAGING_FILE' : [ 0x3c, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'CurrentUsage' : [ 0x10, ['unsigned long']], 'PeakUsage' : [ 0x14, ['unsigned long']], 'HighestPage' : [ 0x18, ['unsigned long']], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x20, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x28, ['_UNICODE_STRING']], 'Bitmap' : [ 0x30, ['pointer', ['_RTL_BITMAP']]], 'PageFileNumber' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'ReferenceCount' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'BootPartition' : [ 0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Reserved' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'FileHandle' : [ 0x38, ['pointer', ['void']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 
0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned 
long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 
'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_120a' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_120a']], } ], '__unnamed_1211' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 
0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1211']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_SHARED_CACHE_MAP' : [ 0x130, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObject' : [ 0x44, ['pointer', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, 
['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'VacbPushLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], } ], '_FILE_OBJECT' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 
'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], } ], '__unnamed_123a' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_123a']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '__unnamed_124f' : [ 0x10, { 'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_1251' : [ 0x2, { 'FreeListsInUseTerminate' : [ 0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' : [ 0x588, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'ForceFlags' : [ 0x10, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x14, ['unsigned long']], 'SegmentReserve' : [ 0x18, ['unsigned long']], 'SegmentCommit' : [ 0x1c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x20, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x24, ['unsigned long']], 'TotalFreeSize' : [ 0x28, ['unsigned long']], 'MaximumAllocationSize' : [ 0x2c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x30, ['unsigned short']], 'HeaderValidateLength' : [ 0x32, ['unsigned short']], 'HeaderValidateCopy' : [ 0x34, ['pointer', ['void']]], 
'NextAvailableTagIndex' : [ 0x38, ['unsigned short']], 'MaximumTagIndex' : [ 0x3a, ['unsigned short']], 'TagEntries' : [ 0x3c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x40, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x44, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AlignRound' : [ 0x48, ['unsigned long']], 'AlignMask' : [ 0x4c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x50, ['_LIST_ENTRY']], 'Segments' : [ 0x58, ['array', 64, ['pointer', ['_HEAP_SEGMENT']]]], 'u' : [ 0x158, ['__unnamed_124f']], 'u2' : [ 0x168, ['__unnamed_1251']], 'AllocatorBackTraceIndex' : [ 0x16a, ['unsigned short']], 'NonDedicatedListLength' : [ 0x16c, ['unsigned long']], 'LargeBlocksIndex' : [ 0x170, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0x174, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x178, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0x578, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x57c, ['pointer', ['void']]], 'FrontEndHeap' : [ 0x580, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0x584, ['unsigned short']], 'FrontEndHeapType' : [ 0x586, ['unsigned char']], 'LastSegmentIndex' : [ 0x587, ['unsigned char']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], } ], '_HEAP_SEGMENT' : [ 0x3c, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Heap' : [ 0x10, ['pointer', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x14, ['unsigned long']], 'BaseAddress' : [ 0x18, ['pointer', ['void']]], 'NumberOfPages' : [ 0x1c, ['unsigned long']], 'FirstEntry' : [ 0x20, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 
0x28, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x2c, ['unsigned long']], 'UnCommittedRanges' : [ 0x30, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'LastEntryInSegment' : [ 0x38, ['pointer', ['_HEAP_ENTRY']]], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'Bucket' : [ 0x0, ['pointer', ['void']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'FreeThreshold' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_TOKEN' : [ 0xa8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, ['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : [ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x6c, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x70, ['pointer', ['void']]], 'Privileges' : [ 0x74, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x78, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0x7c, ['pointer', ['_ACL']]], 'TokenType' : [ 0x80, 
['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x84, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0x88, ['unsigned char']], 'TokenInUse' : [ 0x89, ['unsigned char']], 'ProxyData' : [ 0x8c, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0x90, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0x94, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0x98, ['_LUID']], 'VariablePart' : [ 0xa0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x18, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned long']], 'pDeviceMap' : [ 0x14, ['pointer', ['_DEVICE_MAP']]], } ], '_HEAP_UCR_SEGMENT' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x4, ['unsigned long']], 'CommittedSize' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerThreads' : [ 0x18, ['array', 2, ['_OWNER_ENTRY']]], 'ContentionCount' : [ 0x28, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x2c, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x2e, ['unsigned short']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 
0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x50, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], } ], '_HEAP_UNCOMMMTTED_RANGE' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], 
'_VI_DEADLOCK_GLOBALS' : [ 0x128, { 'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, ['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, ['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long']], 'ResourceDatabase' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x30, ['pointer', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x34, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x38, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x3c, ['unsigned long']], 'NodesSearched' : [ 0x40, ['unsigned long']], 'MaxNodesSearched' : [ 0x44, ['unsigned long']], 'SequenceNumber' : [ 0x48, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4c, ['unsigned long']], 'SearchedNodesLimit' : [ 0x50, ['unsigned long']], 'DepthLimitHits' : [ 0x54, ['unsigned long']], 'SearchLimitHits' : [ 0x58, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x5c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x60, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x64, ['unsigned long']], 'TotalReleases' : [ 0x68, ['unsigned long']], 'RootNodesDeleted' : [ 0x6c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x70, ['unsigned long']], 'PoolTrimCounter' : [ 0x74, ['unsigned long']], 'FreeResourceList' : [ 0x78, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x80, ['_LIST_ENTRY']], 'FreeNodeList' : [ 0x88, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0x90, ['unsigned long']], 'FreeThreadCount' : [ 0x94, ['unsigned long']], 'FreeNodeCount' : [ 0x98, ['unsigned long']], 'Instigator' : [ 0x9c, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0xa0, ['unsigned long']], 'Participant' : [ 0xa4, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x124, ['unsigned long']], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 
'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SEGMENT_OBJECT' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x20, ['pointer', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x24, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x28, ['pointer', 
['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_1337' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 0x38, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x18, ['unsigned long']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_1337']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'FlushInProgressCount' : [ 0x2e, ['unsigned short']], 'WritableUserReferences' : [ 0x30, ['unsigned long']], 'QuadwordPad' : [ 0x34, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x44, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleTableLock' : [ 0xc, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x1c, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x24, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x28, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x2c, ['long']], 'FirstFree' : [ 0x30, ['unsigned long']], 'LastFree' : [ 0x34, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x38, ['unsigned long']], 'HandleCount' : [ 0x3c, ['long']], 'Flags' : [ 0x40, ['unsigned long']], 'StrictFIFO' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 
'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'SpareByte' : [ 0x17, ['unsigned char']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned 
long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_MMSUPPORT' : [ 0x48, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimTime' : [ 0x8, ['_LARGE_INTEGER']], 'Flags' : [ 0x10, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x14, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x18, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x1c, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x20, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x24, ['unsigned long']], 'VmWorkingSetList' : [ 0x28, ['pointer', ['_MMWSL']]], 'Claim' : [ 0x2c, ['unsigned long']], 'NextEstimationSlot' : [ 0x30, ['unsigned long']], 'NextAgingSlot' : [ 0x34, ['unsigned long']], 'EstimatedAvailable' : [ 0x38, ['unsigned long']], 'WorkingSetSize' : [ 0x3c, ['unsigned long']], 'WorkingSetMutex' : [ 0x40, ['_EX_PUSH_LOCK']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'StartingSector4132' : [ 0x0, ['BitField', 
dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]], 'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['unsigned short']]], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_EPROCESS_QUOTA_BLOCK' : [ 0x40, { 'QuotaEntry' : [ 0x0, ['array', 3, ['_EPROCESS_QUOTA_ENTRY']]], 'QuotaList' : [ 0x30, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x38, ['unsigned long']], 'ProcessCount' : [ 0x3c, ['unsigned long']], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_EVENT_COUNTER' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'RefCount' : [ 0x4, ['unsigned long']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_EJOB' : [ 0x180, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, 
['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'UIRestrictionsClass' : [ 0xb0, ['unsigned long']], 'SecurityLimitFlags' : [ 0xb4, ['unsigned long']], 'Token' : [ 0xb8, ['pointer', ['void']]], 'Filter' : [ 0xbc, ['pointer', ['_PS_JOB_TOKEN_FILTER']]], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'IoInfo' : [ 0x108, ['_IO_COUNTERS']], 'ProcessMemoryLimit' : [ 0x138, ['unsigned long']], 'JobMemoryLimit' : [ 0x13c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x140, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x144, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x148, ['unsigned long']], 'MemoryLimitsLock' : [ 0x14c, ['_KGUARDED_MUTEX']], 'JobSetLinks' : [ 0x16c, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x174, ['unsigned long']], 'JobFlags' : [ 0x178, ['unsigned long']], } ], '_LARGE_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 
'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x18, ['unsigned long']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_1337']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'FlushInProgressCount' : [ 0x2e, ['unsigned short']], 'WritableUserReferences' : [ 0x30, ['unsigned long']], 'QuadwordPad' : [ 0x34, ['unsigned long']], 'StartingFrame' : [ 0x38, ['unsigned long']], 'UserGlobalList' : [ 0x3c, ['_LIST_ENTRY']], 'SessionId' : [ 0x44, ['unsigned long']], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x24, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x8, ['unsigned long']], 'CapturedGroupCount' : [ 0xc, ['unsigned long']], 'CapturedGroups' : [ 0x10, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x14, ['unsigned long']], 'CapturedPrivilegeCount' : [ 0x18, ['unsigned long']], 'CapturedPrivileges' : [ 0x1c, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x20, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x70, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, 
['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'Reserved' : [ 0x68, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 
'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 
'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x1c, { 'Name' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'CmHive' : [ 0x8, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0xc, ['unsigned long']], 'CmHiveFlags' : [ 0x10, ['unsigned long']], 'CmHive2' : [ 0x14, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x18, ['unsigned char']], 'ThreadStarted' : [ 0x19, ['unsigned char']], 'Allocate' : [ 0x1a, ['unsigned char']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned 
long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0xc, { 'Token' : [ 0x0, ['pointer', ['void']]], 'CopyOnOpen' : [ 0x4, ['unsigned char']], 'EffectiveOnly' : [ 0x5, ['unsigned char']], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_13db' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], } ], '__unnamed_13dd' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_13e1' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x120, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 
'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x20, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 
'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x70, ['unsigned long']], 'CompletionStatus' : [ 0x74, ['long']], 'PendingIrp' : [ 0x78, ['pointer', ['_IRP']]], 'Flags' : [ 0x7c, ['unsigned long']], 'UserFlags' : [ 0x80, ['unsigned long']], 'Problem' : [ 0x84, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x88, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x8c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x90, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x94, ['_UNICODE_STRING']], 'ServiceName' : [ 0x9c, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xa4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xa8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xb0, ['unsigned long']], 'ChildInterfaceType' : [ 0xb4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xb8, ['unsigned long']], 'ChildBusTypeIndex' : [ 0xbc, ['unsigned short']], 'RemovalPolicy' : [ 0xbe, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xbf, ['unsigned char']], 'TargetDeviceNotify' : [ 0xc0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xc8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0xd0, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0xd8, ['unsigned short']], 'QueryTranslatorMask' : [ 0xda, 
['unsigned short']], 'NoArbiterMask' : [ 0xdc, ['unsigned short']], 'QueryArbiterMask' : [ 0xde, ['unsigned short']], 'OverUsed1' : [ 0xe0, ['__unnamed_13db']], 'OverUsed2' : [ 0xe4, ['__unnamed_13dd']], 'BootResources' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0xec, ['unsigned long']], 'DockInfo' : [ 0xf0, ['__unnamed_13e1']], 'DisableableDepends' : [ 0x100, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x104, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x10c, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x114, ['unsigned long']], 'PreviousParent' : [ 0x118, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x11c, ['unsigned long']], } ], '__unnamed_13e6' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_13e6']], } ], '_MMCOLOR_TABLES' : [ 0xc, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_KPROCESS' : [ 0x78, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['array', 2, ['unsigned long']]], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Iopl' : [ 0x32, ['unsigned char']], 'Unused' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 
0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'AutoAlignment' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x60, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x60, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x60, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x60, ['long']], 'BasePriority' : [ 0x64, ['unsigned char']], 'QuantumReset' : [ 0x65, ['unsigned char']], 'State' : [ 0x66, ['unsigned char']], 'ThreadSeed' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'IdealNode' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], 'StackCount' : [ 0x6c, ['unsigned long']], 'ProcessListEntry' : [ 0x70, ['_LIST_ENTRY']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_1400' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1ec0, { 'GlobalVirtualAddress' : [ 0x0, ['pointer', ['_MM_SESSION_SPACE']]], 'ReferenceCount' : [ 0x4, ['long']], 'u' : [ 0x8, ['__unnamed_1400']], 'SessionId' : [ 0xc, ['unsigned long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 
'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'PagedPoolBasePde' : [ 0x34, ['pointer', ['_MMPTE']]], 'Color' : [ 0x38, ['unsigned long']], 'ResidentProcessCount' : [ 0x3c, ['long']], 'SessionPoolAllocationFailures' : [ 0x40, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x50, ['_LIST_ENTRY']], 'LocaleId' : [ 0x58, ['unsigned long']], 'AttachCount' : [ 0x5c, ['unsigned long']], 'AttachEvent' : [ 0x60, ['_KEVENT']], 'LastProcess' : [ 0x70, ['pointer', ['_EPROCESS']]], 'ProcessReferenceToSession' : [ 0x74, ['long']], 'WsListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 26, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd80, ['_MMSESSION']], 'PagedPoolMutex' : [ 0xdc0, ['_KGUARDED_MUTEX']], 'PagedPoolInfo' : [ 0xde0, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xe00, ['_MMSUPPORT']], 'Wsle' : [ 0xe48, ['pointer', ['_MMWSLE']]], 'Win32KDriverUnload' : [ 0xe4c, ['pointer', ['void']]], 'PagedPool' : [ 0xe50, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1e80, ['pointer', ['_MMPTE']]], 'ImageLoadingCount' : [ 0x1e84, ['long']], } ], '_PEB' : [ 0x230, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'SparePtr2' : [ 0x24, ['pointer', 
['void']]], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['pointer', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 
0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['pointer', ['void']]]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 
'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '__unnamed_142f' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x8, ['_LARGE_INTEGER']], 'u' : [ 0x10, ['__unnamed_142f']], 'Irp' : [ 0x18, ['pointer', ['_IRP']]], 'LastPageToWrite' : [ 0x1c, ['unsigned long']], 'PagingListHead' : [ 0x20, ['pointer', ['_MMMOD_WRITER_LISTHEAD']]], 'CurrentList' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x28, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x2c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x30, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x34, ['pointer', ['_ERESOURCE']]], 'IssueTime' : [ 0x38, ['_LARGE_INTEGER']], 'Mdl' : [ 0x40, ['_MDL']], 'Page' : [ 0x5c, ['array', 1, ['unsigned long']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], 
'_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x10, { 'Usage' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], 'Peak' : [ 0x8, ['unsigned long']], 'Return' : [ 0xc, ['unsigned long']], } ], '__unnamed_1445' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1445']], } ], '__unnamed_144b' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_144b']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x120, { 'IdleFunction' : [ 0x0, ['pointer', ['void']]], 'Idle0KernelTimeLimit' : [ 0x4, ['unsigned long']], 'Idle0LastTime' : [ 0x8, ['unsigned long']], 'IdleHandlers' : [ 0xc, ['pointer', ['void']]], 'IdleState' : [ 0x10, ['pointer', ['void']]], 'IdleHandlersCount' : [ 0x14, ['unsigned long']], 'LastCheck' : [ 0x18, 
['unsigned long long']], 'IdleTimes' : [ 0x20, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' : [ 0x40, ['unsigned long']], 'PromotionCheck' : [ 0x44, ['unsigned long']], 'IdleTime2' : [ 0x48, ['unsigned long']], 'CurrentThrottle' : [ 0x4c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x4d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x4e, ['unsigned char']], 'ThermalThrottleIndex' : [ 0x4f, ['unsigned char']], 'LastKernelUserTime' : [ 0x50, ['unsigned long']], 'PerfIdleTime' : [ 0x54, ['unsigned long']], 'DebugDelta' : [ 0x58, ['unsigned long long']], 'DebugCount' : [ 0x60, ['unsigned long']], 'LastSysTime' : [ 0x64, ['unsigned long']], 'TotalIdleStateTime' : [ 0x68, ['array', 3, ['unsigned long long']]], 'TotalIdleTransitions' : [ 0x80, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0x90, ['unsigned long long']], 'KneeThrottleIndex' : [ 0x98, ['unsigned char']], 'ThrottleLimitIndex' : [ 0x99, ['unsigned char']], 'PerfStatesCount' : [ 0x9a, ['unsigned char']], 'ProcessorMinThrottle' : [ 0x9b, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x9c, ['unsigned char']], 'LastBusyPercentage' : [ 0x9d, ['unsigned char']], 'LastC3Percentage' : [ 0x9e, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0x9f, ['unsigned char']], 'PromotionCount' : [ 0xa0, ['unsigned long']], 'DemotionCount' : [ 0xa4, ['unsigned long']], 'ErrorCount' : [ 0xa8, ['unsigned long']], 'RetryCount' : [ 0xac, ['unsigned long']], 'Flags' : [ 0xb0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xb8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xc0, ['unsigned long']], 'PerfTimer' : [ 0xc8, ['_KTIMER']], 'PerfDpc' : [ 0xf0, ['_KDPC']], 'PerfStates' : [ 0x110, ['pointer', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x114, ['pointer', ['void']]], 'LastC3KernelUserTime' : [ 0x118, ['unsigned long']], 'Spare1' : [ 0x11c, ['array', 1, ['unsigned long']]], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 
0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned short')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned short')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned short')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 'WriteTransferCount' : [ 0x20, ['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 
0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x4c, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x10, ['_LIST_ENTRY']], 'DeviceType' : [ 0x18, ['unsigned char']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x20, 
['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x28, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x30, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x44, ['_LIST_ENTRY']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Available0' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'GrowWsleHash' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredUnsafe' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Available' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, 
['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, 
['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POP_THERMAL_ZONE' : [ 0xd0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x7c, ['pointer', ['_IRP']]], 'Info' : [ 0x80, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 
'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 
0x1c, ['array', 80, ['unsigned char']]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 
'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CMHIVE' : [ 0x57c, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2d0, ['array', 3, ['pointer', ['void']]]], 'NotifyList' : [ 0x2dc, ['_LIST_ENTRY']], 'HiveList' : [ 0x2e4, ['_LIST_ENTRY']], 
'HiveLock' : [ 0x2ec, ['_EX_PUSH_LOCK']], 'ViewLock' : [ 0x2f0, ['pointer', ['_KGUARDED_MUTEX']]], 'WriterLock' : [ 0x2f4, ['_EX_PUSH_LOCK']], 'FlusherLock' : [ 0x2f8, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x2fc, ['_EX_PUSH_LOCK']], 'LRUViewListHead' : [ 0x300, ['_LIST_ENTRY']], 'PinViewListHead' : [ 0x308, ['_LIST_ENTRY']], 'FileObject' : [ 0x310, ['pointer', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x314, ['_UNICODE_STRING']], 'FileUserName' : [ 0x31c, ['_UNICODE_STRING']], 'MappedViews' : [ 0x324, ['unsigned short']], 'PinnedViews' : [ 0x326, ['unsigned short']], 'UseCount' : [ 0x328, ['unsigned long']], 'SecurityCount' : [ 0x32c, ['unsigned long']], 'SecurityCacheSize' : [ 0x330, ['unsigned long']], 'SecurityHitHint' : [ 0x334, ['long']], 'SecurityCache' : [ 0x338, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x33c, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0x53c, ['pointer', ['_KEVENT']]], 'RootKcb' : [ 0x540, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x544, ['unsigned char']], 'UnloadWorkItem' : [ 0x548, ['pointer', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0x54c, ['unsigned char']], 'GrowOffset' : [ 0x550, ['unsigned long']], 'KcbConvertListHead' : [ 0x554, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x55c, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x564, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x568, ['unsigned long']], 'TrustClassEntry' : [ 0x56c, ['_LIST_ENTRY']], 'FlushCount' : [ 0x574, ['unsigned long']], 'CreatorOwner' : [ 0x578, ['pointer', ['_KTHREAD']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 
'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_HHIVE' : [ 0x2d0, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'BaseBlockAlloc' : [ 0x38, ['unsigned long']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 'ReadOnly' : [ 0x41, ['unsigned char']], 'Log' : [ 0x42, ['unsigned char']], 'DirtyFlag' : [ 0x43, ['unsigned char']], 'HiveFlags' : [ 0x44, ['unsigned long']], 'LogSize' : [ 0x48, ['unsigned long']], 'RefreshCount' : [ 0x4c, ['unsigned long']], 'StorageTypeCount' : [ 0x50, ['unsigned long']], 'Version' : [ 0x54, ['unsigned long']], 'Storage' : [ 0x58, ['array', 2, ['_DUAL']]], } ], '_PAGEFAULT_HISTORY' : [ 0x18, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['pointer', ['void']]], 'WatchInfo' : [ 0x10, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['unsigned short']]], } ], 
'_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '__unnamed_151b' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_151b']], 
'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 0x24, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 'PinViewList' : [ 0x8, ['_LIST_ENTRY']], 'FileOffset' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], 'ViewAddress' : [ 0x18, ['pointer', ['unsigned long']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'UseCount' : [ 0x20, ['unsigned long']], } ], '_KDEVICE_QUEUE' : 
[ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_KUSER_SHARED_DATA' : [ 0x378, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, 
['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'Wow64SharedInformation' : [ 0x334, ['array', 16, ['unsigned long']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x4c, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x2c, ['pointer', ['void']]], 'OpenProcedure' : [ 0x30, ['pointer', ['void']]], 'CloseProcedure' : [ 0x34, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x38, ['pointer', ['void']]], 'ParseProcedure' : [ 0x3c, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x40, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x44, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x48, ['pointer', 
['void']]], } ], '__unnamed_1565' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_156b' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x34, { 'u1' : [ 0x0, ['__unnamed_1174']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1177']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_117c']], 'u3' : [ 0x28, ['__unnamed_1565']], 'u4' : [ 0x30, ['__unnamed_156b']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1030, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 
'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, ['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['void']]], 'PendingFreeDepth' : [ 0x24, ['long']], 'TotalBytes' : [ 0x28, ['unsigned long']], 'Spare0' : [ 0x2c, ['unsigned long']], 'ListHeads' : [ 0x30, ['array', 512, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned 
long')]], } ], '_PEB_LDR_DATA' : [ 0x28, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x20, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x4, ['pointer', ['_RTL_BITMAP']]], 'FirstPteForPagedPool' : [ 0x8, ['pointer', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 'NextPdeForPagedPoolExpansion' : [ 0x10, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x14, ['unsigned long']], 'PagedPoolCommit' : [ 0x18, ['unsigned long']], 'AllocatedPagedPool' : [ 0x1c, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, 
['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['unsigned short']]], } ], '_MMSESSION' : [ 0x40, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewStart' : [ 0x24, ['pointer', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x28, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x30, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x34, ['unsigned long']], 'BitmapFailures' : [ 0x38, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x3c, ['pointer', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long']], 'QuotaObject' : [ 0xc, ['pointer', ['void']]], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 
0x8, { 'FaultingPc' : [ 0x0, ['pointer', ['void']]], 'FaultingVa' : [ 0x4, ['pointer', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 31, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_DEADLOCK_NODE' : [ 0x68, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x24, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x48, ['array', 8, ['pointer', ['void']]]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, 
['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 
'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0xc8, { 'Next' : [ 0x0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'Slot' : [ 0x20, ['_PCI_SLOT_NUMBER']], 'PhysicalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x28, 
['pointer', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x2c, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x30, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x34, ['unsigned long']], 'VendorId' : [ 0x38, ['unsigned short']], 'DeviceId' : [ 0x3a, ['unsigned short']], 'SubsystemVendorId' : [ 0x3c, ['unsigned short']], 'SubsystemId' : [ 0x3e, ['unsigned short']], 'RevisionId' : [ 0x40, ['unsigned char']], 'ProgIf' : [ 0x41, ['unsigned char']], 'SubClass' : [ 0x42, ['unsigned char']], 'BaseClass' : [ 0x43, ['unsigned char']], 'AdditionalResourceCount' : [ 0x44, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x45, ['unsigned char']], 'InterruptPin' : [ 0x46, ['unsigned char']], 'RawInterruptLine' : [ 0x47, ['unsigned char']], 'CapabilitiesPtr' : [ 0x48, ['unsigned char']], 'SavedLatencyTimer' : [ 0x49, ['unsigned char']], 'SavedCacheLineSize' : [ 0x4a, ['unsigned char']], 'HeaderType' : [ 0x4b, ['unsigned char']], 'NotPresent' : [ 0x4c, ['unsigned char']], 'ReportedMissing' : [ 0x4d, ['unsigned char']], 'ExpectedWritebackFailure' : [ 0x4e, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x4f, ['unsigned char']], 'LegacyDriver' : [ 0x50, ['unsigned char']], 'UpdateHardware' : [ 0x51, ['unsigned char']], 'MovedDevice' : [ 0x52, ['unsigned char']], 'DisablePowerDown' : [ 0x53, ['unsigned char']], 'NeedsHotPlugConfiguration' : [ 0x54, ['unsigned char']], 'IDEInNativeMode' : [ 0x55, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x56, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : [ 0x57, ['unsigned char']], 'OnDebugPath' : [ 0x58, ['unsigned char']], 'IoSpaceNotRequired' : [ 0x59, ['unsigned char']], 'PowerState' : [ 0x5c, ['PCI_POWER_STATE']], 'Dependent' : [ 0x9c, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xa0, ['unsigned long long']], 'Resources' : [ 0xa8, ['pointer', ['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xac, ['pointer', ['_PCI_FDO_EXTENSION']]], 'NextBridge' : [ 0xb0, ['pointer', 
['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0xb4, ['pointer', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0xb8, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0xc0, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0xc2, ['unsigned char']], 'CommandEnables' : [ 0xc4, ['unsigned short']], 'InitialCommand' : [ 0xc6, ['unsigned short']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '__unnamed_15da' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_15dc' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_15da']], 'Merged' : [ 0x10, ['__unnamed_15dc']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, 
['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_DEVICE_MAP' : [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : [ 0x10, ['array', 32, ['unsigned char']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned 
long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_1600' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1607' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned 
long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1609' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1600']], 'Bits' : [ 0x0, ['__unnamed_1607']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1609']], } ], '__unnamed_1613' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0xc0, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'PhysicalDeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x28, ['pointer', ['_DEVICE_OBJECT']]], 'ChildListLock' : [ 0x2c, ['_KEVENT']], 'ChildPdoList' : [ 0x3c, ['pointer', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 0x40, 
['pointer', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x44, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x48, ['pointer', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 0x4c, ['pointer', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x50, ['unsigned char']], 'BusHandler' : [ 0x54, ['pointer', ['_BUS_HANDLER']]], 'BaseBus' : [ 0x58, ['unsigned char']], 'Fake' : [ 0x59, ['unsigned char']], 'ChildDelete' : [ 0x5a, ['unsigned char']], 'Scanned' : [ 0x5b, ['unsigned char']], 'ArbitersInitialized' : [ 0x5c, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0x5d, ['unsigned char']], 'Hibernated' : [ 0x5e, ['unsigned char']], 'PowerState' : [ 0x60, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0xa4, ['unsigned long']], 'PreservedConfig' : [ 0xa8, ['pointer', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0xac, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0xb4, ['__unnamed_1613']], 'BusHackFlags' : [ 0xbc, ['unsigned long']], } ], '__unnamed_1617' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1619' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_161b' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_161d' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_161f' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1621' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1623' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1617']], 'Port' : [ 0x0, ['__unnamed_1617']], 'Interrupt' : [ 0x0, ['__unnamed_1619']], 'Memory' : [ 0x0, ['__unnamed_1617']], 
'Dma' : [ 0x0, ['__unnamed_161b']], 'DevicePrivate' : [ 0x0, ['__unnamed_161d']], 'BusNumber' : [ 0x0, ['__unnamed_161f']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1621']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1623']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x60, { 'RefCount' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, 
['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x38, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x48, ['pointer', ['void']]], 'KcbLastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x58, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x5a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x5c, ['unsigned long']], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ReadConfig' : [ 0x10, ['pointer', ['void']]], 'WriteConfig' : [ 0x14, ['pointer', ['void']]], 'PinToLine' : [ 0x18, ['pointer', ['void']]], 'LineToPin' : [ 0x1c, ['pointer', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x10, ['unsigned long']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 
8, native_type='unsigned long')]], 'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'PolicyChange' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '__unnamed_165d' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1663' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1665' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1663']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_166d' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_166f' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_166d']], 'Apc' : [ 0x0, ['_KAPC']], 
'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_165d']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_1665']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_166f']], } ], '_PCI_LOCK' : [ 0x8, { 'Atom' : [ 0x0, ['unsigned long']], 'OldIrql' : [ 0x4, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '__unnamed_167b' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_167b']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_1681' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], 
'_POP_ACTION_TRIGGER' : [ 0xc, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_1681']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, ['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '__unnamed_1697' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_1697']], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 
'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_16a1' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_16a1']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x290, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, 
['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockQueuedSpinLock', 7: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['unsigned long']], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 
'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_PEB_FREE_BLOCK' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x28, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'WakeNeeded' : [ 0xc, ['unsigned char']], 'OrderLevel' : [ 0xd, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Node' : [ 0x14, ['pointer', ['void']]], 'DeviceName' : [ 0x18, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x1c, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x20, ['unsigned long']], 'ActiveChild' : [ 0x24, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '__unnamed_16c7' : [ 0x4, { 'Spare' : [ 0x0, ['array', 4, ['unsigned char']]], } ], '__unnamed_16c9' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_16c7']], 'type1' : [ 0x0, ['__unnamed_16c9']], 'type2' : [ 0x0, ['__unnamed_16c9']], } 
], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x1e4, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'ServiceContext' : [ 0x10, ['pointer', ['void']]], 'SpinLock' : [ 0x14, ['unsigned long']], 'TickCount' : [ 0x18, ['unsigned long']], 'ActualLock' : [ 0x1c, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x20, ['pointer', ['void']]], 'Vector' : [ 0x24, ['unsigned long']], 'Irql' : [ 0x28, ['unsigned char']], 'SynchronizeIrql' : [ 0x29, ['unsigned char']], 'FloatingSave' : [ 0x2a, ['unsigned char']], 'Connected' : [ 0x2b, ['unsigned char']], 'Number' : [ 0x2c, ['unsigned char']], 'ShareVector' : [ 0x2d, ['unsigned char']], 'Mode' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x34, ['unsigned long']], 'DispatchCount' : [ 0x38, ['unsigned long']], 'DispatchCode' : [ 0x3c, ['array', 106, ['unsigned long']]], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0xe0, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0xc, ['pointer', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x10, ['pointer', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x14, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x44, ['_ARBITER_INSTANCE']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 
'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x20, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x4, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x8, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0xc, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x14, ['pointer', ['void']]], 'OtherIrpDispatchStyle' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x1c, ['pointer', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 
128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_DIRECTORY' : [ 0xa0, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['unsigned long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 
0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x698, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x14, ['unsigned long']], 'NonDirectCount' : [ 0x18, ['unsigned long']], 'HashTable' : [ 0x1c, ['pointer', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x20, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x24, ['unsigned long']], 'HashTableStart' : [ 0x28, ['pointer', ['void']]], 'HighestPermittedHashAddress' : [ 0x2c, ['pointer', ['void']]], 'NumberOfImageWaiters' : [ 0x30, ['unsigned long']], 'VadBitMapHint' : [ 0x34, ['unsigned long']], 'UsedPageTableEntries' : [ 0x38, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x638, ['array', 24, ['unsigned long']]], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 'PCI_FUNCTION_RESOURCES' : [ 0x150, { 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_KMUTANT' : [ 
0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '__unnamed_1733' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_1737' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x40, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'Spare0' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x18, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x1c, ['unsigned long']], 'ExtendInfo' : [ 0x20, ['pointer', ['_MMEXTEND_INFO']]], 'SegmentFlags' : [ 0x24, ['_SEGMENT_FLAGS']], 'BasedAddress' : [ 0x28, ['pointer', ['void']]], 'u1' : [ 0x2c, ['__unnamed_1733']], 'u2' : [ 0x30, ['__unnamed_1737']], 'PrototypePte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x38, ['array', 1, ['_MMPTE']]], } ], '_PCI_COMMON_EXTENSION' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['void']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', 
['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'PoolPageHeaders' : [ 0x28, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x30, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x38, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x3c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PagedBytes' : [ 0x48, ['unsigned long']], 'NonPagedBytes' : [ 0x4c, ['unsigned long']], 'PeakPagedBytes' : [ 0x50, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x54, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 
'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x20, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x1c, ['pointer', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x2c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 
'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TEB' : [ 0xfbc, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, 
['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x1ac, ['array', 40, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 14, ['pointer', ['void']]]], 'SubProcessTag' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned 
long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SparePointer1' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'SoftPatchPtr2' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'SafeThunkCall' : [ 0xfb8, ['unsigned char']], 'BooleanSpare' : [ 0xfb9, ['array', 3, ['unsigned char']]], } ], 'PCI_SECONDARY_EXTENSION' : [ 0xc, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x8, ['pointer', ['void']]], } ], '__unnamed_1776' : [ 0x30, { 'type0' : [ 0x0, 
['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_1776']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'Spare1' : [ 0x23, ['unsigned char']], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'Reserved' : [ 0x2c, ['array', 1, ['unsigned long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, 
['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_KNODE' : [ 0x40, { 'DeadStackList' : [ 0x0, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x8, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x10, ['unsigned long']], 'Color' : [ 0x14, ['unsigned char']], 'Seed' : [ 0x15, ['unsigned char']], 'NodeNumber' : [ 0x16, ['unsigned char']], 'Flags' : [ 0x17, ['_flags']], 'MmShiftedColor' : [ 0x18, ['unsigned long']], 'FreeCount' : [ 0x1c, ['array', 2, ['unsigned long']]], 'PfnDeferredList' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 
'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x1c, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'MinSize' : [ 0x4, ['unsigned short']], 'MinVersion' : [ 0x6, ['unsigned short']], 'MaxVersion' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['long']], 'Signature' : [ 0x10, ['Enumeration', dict(target = 
'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x14, ['pointer', ['void']]], 'Initializer' : [ 0x18, ['pointer', ['void']]], } ], '_POP_POWER_ACTION' : [ 0x40, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x24, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x28, ['pointer', ['_POP_HIBER_CONTEXT']]], 'LastWakeState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x30, ['unsigned long long']], 'SleepTime' : [ 0x38, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1174']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1177']], } ], '__unnamed_17bd' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, 
['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_17bd']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x28, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x9c, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0xc, ['long']], 'Allocation' : [ 0x10, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x18, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x20, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x28, ['long']], 'Interface' : [ 0x2c, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x30, ['unsigned long']], 'AllocationStack' : [ 0x34, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x38, ['pointer', ['void']]], 'PackResource' : [ 0x3c, ['pointer', ['void']]], 'UnpackResource' : [ 0x40, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x44, ['pointer', ['void']]], 'TestAllocation' : [ 0x48, ['pointer', ['void']]], 'RetestAllocation' : [ 0x4c, ['pointer', ['void']]], 'CommitAllocation' : [ 0x50, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x54, ['pointer', ['void']]], 'BootAllocation' : [ 0x58, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x5c, ['pointer', ['void']]], 'QueryConflict' : [ 0x60, ['pointer', ['void']]], 'AddReserved' : [ 0x64, ['pointer', ['void']]], 'StartArbiter' : [ 0x68, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x6c, ['pointer', ['void']]], 'AllocateEntry' : [ 0x70, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x74, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x78, ['pointer', ['void']]], 'AddAllocation' : [ 0x7c, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x80, ['pointer', ['void']]], 'OverrideConflict' 
: [ 0x84, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x88, ['unsigned char']], 'Extension' : [ 0x8c, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x90, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x94, ['pointer', ['void']]], 'ConflictCallback' : [ 0x98, ['pointer', ['void']]], } ], '_BUS_HANDLER' : [ 0x6c, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x14, ['pointer', ['_BUS_HANDLER']]], 'BusData' : [ 0x18, ['pointer', ['void']]], 'DeviceControlExtensionSize' : [ 0x1c, ['unsigned long']], 'BusAddresses' : [ 0x20, ['pointer', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x24, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x34, ['pointer', ['void']]], 'SetBusData' : [ 0x38, ['pointer', ['void']]], 'AdjustResourceList' : [ 0x3c, ['pointer', ['void']]], 'AssignSlotResources' : [ 0x40, ['pointer', ['void']]], 'GetInterruptVector' : [ 0x44, ['pointer', ['void']]], 'TranslateBusAddress' : [ 0x48, ['pointer', ['void']]], 'Spare1' : [ 0x4c, ['pointer', ['void']]], 'Spare2' : [ 0x50, ['pointer', ['void']]], 'Spare3' : [ 0x54, ['pointer', 
['void']]], 'Spare4' : [ 0x58, ['pointer', ['void']]], 'Spare5' : [ 0x5c, ['pointer', ['void']]], 'Spare6' : [ 0x60, ['pointer', ['void']]], 'Spare7' : [ 0x64, ['pointer', ['void']]], 'Spare8' : [ 0x68, ['pointer', ['void']]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x8, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'DispatchFunction' : [ 0x4, ['pointer', ['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x620, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x18, ['unsigned long']], 'Thread' : [ 0x1c, ['pointer', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x20, ['unsigned char']], 'Order' : [ 0x24, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x26c, ['long']], 'FailedDevice' : [ 0x270, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x274, ['unsigned char']], 'Cancelled' : [ 0x275, ['unsigned char']], 'IgnoreErrors' : [ 0x276, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x277, ['unsigned char']], 'WaitAny' : [ 0x278, ['unsigned char']], 'WaitAll' : [ 0x279, ['unsigned char']], 'PresentIrpQueue' : [ 0x27c, ['_LIST_ENTRY']], 'Head' : [ 0x284, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x2b0, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 
0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MMWSLE_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['unsigned short']]], } ], '_CM_KEY_BODY' : [ 0x44, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'Callers' : [ 0x10, ['unsigned long']], 'CallerAddress' : [ 0x14, ['array', 10, ['pointer', ['void']]]], 'KeyBodyList' : [ 0x3c, ['_LIST_ENTRY']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x4, ['pointer', 
['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x40, { 'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWakeLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 
1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemStateMapping' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x2c, ['pointer', ['_IRP']]], 'SavedCancelRoutine' : [ 0x30, ['pointer', ['void']]], 'Paging' : [ 0x34, ['long']], 'Hibernate' : [ 0x38, ['long']], 'CrashDump' : [ 0x3c, ['long']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '__unnamed_185f' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1863' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1867' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_1869' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_186d' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 
'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_186f' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_1871' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 
'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], } ], '__unnamed_1873' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 
'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1875' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1877' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_187b' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_187d' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_187f' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1881' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], 
} ], '__unnamed_1883' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_1885' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1887' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_188b' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_188f' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1893' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_1895' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1899' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_189b' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_189d' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_189f' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_18a3' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_18a7' : [ 0x8, { 'DeviceTextType' : [ 0x0, 
['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_18ab' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_18ad' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_18b1' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_18b5' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_18b7' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_18b9' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_18bb' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 
} ], '__unnamed_18bd' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_185f']], 'CreatePipe' : [ 0x0, ['__unnamed_1863']], 'CreateMailslot' : [ 0x0, ['__unnamed_1867']], 'Read' : [ 0x0, ['__unnamed_1869']], 'Write' : [ 0x0, ['__unnamed_1869']], 'QueryDirectory' : [ 0x0, ['__unnamed_186d']], 'NotifyDirectory' : [ 0x0, ['__unnamed_186f']], 'QueryFile' : [ 0x0, ['__unnamed_1871']], 'SetFile' : [ 0x0, ['__unnamed_1873']], 'QueryEa' : [ 0x0, ['__unnamed_1875']], 'SetEa' : [ 0x0, ['__unnamed_1877']], 'QueryVolume' : [ 0x0, ['__unnamed_187b']], 'SetVolume' : [ 0x0, ['__unnamed_187b']], 'FileSystemControl' : [ 0x0, ['__unnamed_187d']], 'LockControl' : [ 0x0, ['__unnamed_187f']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1881']], 'QuerySecurity' : [ 0x0, ['__unnamed_1883']], 'SetSecurity' : [ 0x0, ['__unnamed_1885']], 'MountVolume' : [ 0x0, ['__unnamed_1887']], 'VerifyVolume' : [ 0x0, ['__unnamed_1887']], 'Scsi' : [ 0x0, ['__unnamed_188b']], 'QueryQuota' : [ 0x0, ['__unnamed_188f']], 'SetQuota' : [ 0x0, ['__unnamed_1877']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1893']], 'QueryInterface' : [ 0x0, ['__unnamed_1895']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1899']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_189b']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_189d']], 'SetLock' : [ 0x0, ['__unnamed_189f']], 'QueryId' : [ 0x0, ['__unnamed_18a3']], 'QueryDeviceText' : [ 0x0, ['__unnamed_18a7']], 'UsageNotification' : [ 0x0, ['__unnamed_18ab']], 'WaitWake' : [ 0x0, ['__unnamed_18ad']], 'PowerSequence' : [ 0x0, ['__unnamed_18b1']], 'Power' : [ 0x0, ['__unnamed_18b5']], 'StartDevice' : [ 0x0, ['__unnamed_18b7']], 'WMI' : [ 0x0, ['__unnamed_18b9']], 'Others' : [ 0x0, ['__unnamed_18bb']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_18bd']], 'DeviceObject' : [ 0x14, ['pointer', 
['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_18c4' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_18c6' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], } ], '__unnamed_18c8' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_18ca' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_18cc' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_18ce' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_18c4']], 'Memory' : [ 0x0, ['__unnamed_18c4']], 'Interrupt' : [ 0x0, ['__unnamed_18c6']], 'Dma' : [ 0x0, ['__unnamed_18c8']], 'Generic' : [ 0x0, ['__unnamed_18c4']], 'DevicePrivate' : [ 0x0, ['__unnamed_161d']], 'BusNumber' : [ 0x0, ['__unnamed_18ca']], 'ConfigData' : [ 0x0, ['__unnamed_18cc']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_18ce']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '__unnamed_18d7' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_18d9' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_18d7']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_18db' : [ 
0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_18dd' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_18db']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_18d9']], 'u2' : [ 0x4, ['__unnamed_18dd']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned 
long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0xe0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0xc, ['unsigned long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x14, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x1c, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x24, ['unsigned long']], 'NextCloneRange' : [ 0x28, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x2c, ['unsigned long']], 'LoaderMdl' : [ 0x30, ['pointer', ['_MDL']]], 'Clones' : [ 0x34, ['pointer', ['_MDL']]], 'NextClone' : [ 0x38, ['pointer', ['unsigned char']]], 'NoClones' : [ 0x3c, ['unsigned long']], 'Spares' : [ 0x40, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x48, ['unsigned long long']], 'IoPage' : [ 0x50, ['pointer', ['void']]], 'CurrentMcb' : [ 0x54, ['pointer', ['void']]], 'DumpStack' : [ 0x58, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x5c, ['pointer', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0x60, ['unsigned long']], 'HiberVa' : [ 0x64, ['unsigned long']], 'HiberPte' : [ 0x68, ['_LARGE_INTEGER']], 'Status' : [ 0x70, ['long']], 'MemoryImage' : [ 0x74, 
['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x78, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x7c, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x80, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x84, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x88, ['pointer', ['void']]], 'DmaIO' : [ 0x8c, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x90, ['pointer', ['void']]], 'PerfInfo' : [ 0x98, ['_PO_HIBER_PERF']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x8, { 'StartVpn' : [ 0x0, ['unsigned long']], 'EndVpn' : [ 0x4, ['unsigned long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x14, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x4, ['unsigned long']], 'Parameter2' : [ 0x8, ['unsigned long']], 'Parameter3' : [ 0xc, ['unsigned long']], 'Parameter4' : [ 0x10, ['unsigned long']], } ], '__unnamed_1918' : [ 0x4, { 
'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_191a' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_1918']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_191a']], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_SUPPORTED_RANGES' : [ 0xa0, { 'Version' : [ 0x0, 
['unsigned short']], 'Sorted' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x28, ['unsigned long']], 'Memory' : [ 0x30, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x50, ['unsigned long']], 'PrefetchMemory' : [ 0x58, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x78, ['unsigned long']], 'Dma' : [ 0x80, ['_SUPPORTED_RANGE']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_PM_SUPPORT' 
: [ 0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '__unnamed_194b' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_194d' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_1951' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_1953' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_1955' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1957' : [ 0x10, { 'TestAllocation' : [ 0x0, ['__unnamed_194b']], 'RetestAllocation' : [ 0x0, ['__unnamed_194b']], 'BootAllocation' : [ 0x0, ['__unnamed_194d']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_1951']], 'QueryConflict' : [ 0x0, 
['__unnamed_1953']], 'QueryArbitrate' : [ 0x0, ['__unnamed_194d']], 'AddReserved' : [ 0x0, ['__unnamed_1955']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_1957']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], 'PO_MEMORY_IMAGE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'ImageType' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, 
['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x3c, ['unsigned long']], 'HiberPte' : [ 0x40, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'TotalPages' : [ 0x54, ['unsigned long']], 'FirstTablePage' : [ 0x58, ['unsigned long']], 'LastFilePage' : [ 0x5c, ['unsigned long']], 'PerfInfo' : [ 0x60, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, 
['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' 
: [ 0x8, ['unsigned long']], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Spare' : [ 0x18, ['array', 2, ['unsigned long']]], } ], '__unnamed_197a' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_197c' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_197e' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1980' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1982' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1984' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1986' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1988' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_198a' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_198c' : 
[ 0x14, { 'DeviceClass' : [ 0x0, ['__unnamed_197a']], 'TargetDevice' : [ 0x0, ['__unnamed_197c']], 'InstallDevice' : [ 0x0, ['__unnamed_197e']], 'CustomNotification' : [ 0x0, ['__unnamed_1980']], 'ProfileNotification' : [ 0x0, ['__unnamed_1982']], 'PowerNotification' : [ 0x0, ['__unnamed_1984']], 'VetoNotification' : [ 0x0, ['__unnamed_1986']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1988']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_198a']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x38, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_198c']], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_19a3' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_19a5' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_19a7' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_19a3']], 'Gpt' : [ 0x0, ['__unnamed_19a5']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, 
['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_19a7']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, ['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 
'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x248, { 'DevNodeSequence' : [ 0x0, ['unsigned long']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 
'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x10, ['unsigned long']], 'ActiveCount' : [ 0x14, ['unsigned long']], 'WaitSleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x20, ['_LIST_ENTRY']], 'Pending' : [ 0x28, ['_LIST_ENTRY']], 'Complete' : [ 0x30, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x38, ['_LIST_ENTRY']], 'WaitS0' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_19d7' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], '_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' : [ 0xc, ['array', 4, ['__unnamed_19d7']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, 
['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 
'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_POP_DEVICE_POWER_IRP' : [ 0x2c, { 'Free' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x4, ['pointer', ['_IRP']]], 'Notify' : [ 0x8, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0xc, ['_LIST_ENTRY']], 'Complete' : [ 0x14, ['_LIST_ENTRY']], 'Abort' : [ 0x1c, ['_LIST_ENTRY']], 'Failed' : [ 0x24, ['_LIST_ENTRY']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 
'PrefetchBaseUpper32' : [ 0x18, ['unsigned long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, 
['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_SUPPORTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x4, ['unsigned long']], 'SystemBase' : [ 0x8, ['long long']], 'Base' : [ 0x10, ['long long']], 'Limit' : [ 0x18, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['unsigned long']], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 
'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 
'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x30, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x24, ['array', 3, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_1a65' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_1a67' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_1a6b' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1a6d' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1a65']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1a67']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1a6b']], 'Others' : [ 0x0, 
['__unnamed_1a6d']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/xp_sp2_x86_vtypes.py0000644000000000000000000105102613131215405030265 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '__unnamed_1016' : 
[ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1016']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_101b' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_101b']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Spare0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_KPRCB' : [ 0xc50, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 
'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'PrcbPad0' : [ 0x3bc, ['array', 92, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 16, ['_KSPIN_LOCK_QUEUE']]], 'PrcbPad1' : [ 0x498, ['array', 8, ['unsigned char']]], 'NpxThread' : [ 0x4a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x4a4, ['unsigned long']], 'KernelTime' : [ 0x4a8, ['unsigned long']], 'UserTime' : [ 0x4ac, ['unsigned long']], 'DpcTime' : [ 0x4b0, ['unsigned long']], 'DebugDpcTime' : [ 0x4b4, ['unsigned long']], 'InterruptTime' : [ 0x4b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4bc, ['unsigned long']], 'PageColor' : [ 0x4c0, ['unsigned long']], 'SkipTick' : [ 0x4c4, ['unsigned long']], 'MultiThreadSetBusy' : [ 0x4c8, ['unsigned char']], 'Spare2' : [ 0x4c9, ['array', 3, ['unsigned char']]], 'ParentNode' : [ 0x4cc, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x4d0, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x4d4, ['pointer', ['_KPRCB']]], 'ThreadStartCount' : [ 0x4d8, ['array', 2, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x4f8, ['unsigned long']], 'KeContextSwitches' : [ 0x4fc, ['unsigned long']], 'KeDcacheFlushCount' : [ 0x500, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x504, ['unsigned long']], 'KeFirstLevelTbFills' : [ 0x508, ['unsigned long']], 'KeFloatingEmulationCount' : [ 0x50c, ['unsigned long']], 'KeIcacheFlushCount' : [ 0x510, ['unsigned long']], 'KeSecondLevelTbFills' : [ 0x514, ['unsigned long']], 'KeSystemCalls' : [ 0x518, ['unsigned long']], 'SpareCounter0' : [ 0x51c, ['array', 1, ['unsigned long']]], 'PPLookasideList' : [ 0x520, ['array', 16, 
['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x5a0, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PPPagedLookasideList' : [ 0x6a0, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PacketBarrier' : [ 0x7a0, ['unsigned long']], 'ReverseStall' : [ 0x7a4, ['unsigned long']], 'IpiFrame' : [ 0x7a8, ['pointer', ['void']]], 'PrcbPad2' : [ 0x7ac, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x7e0, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x7ec, ['unsigned long']], 'WorkerRoutine' : [ 0x7f0, ['pointer', ['void']]], 'IpiFrozen' : [ 0x7f4, ['unsigned long']], 'PrcbPad3' : [ 0x7f8, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x820, ['unsigned long']], 'SignalDone' : [ 0x824, ['pointer', ['_KPRCB']]], 'PrcbPad4' : [ 0x828, ['array', 56, ['unsigned char']]], 'DpcListHead' : [ 0x860, ['_LIST_ENTRY']], 'DpcStack' : [ 0x868, ['pointer', ['void']]], 'DpcCount' : [ 0x86c, ['unsigned long']], 'DpcQueueDepth' : [ 0x870, ['unsigned long']], 'DpcRoutineActive' : [ 0x874, ['unsigned long']], 'DpcInterruptRequested' : [ 0x878, ['unsigned long']], 'DpcLastCount' : [ 0x87c, ['unsigned long']], 'DpcRequestRate' : [ 0x880, ['unsigned long']], 'MaximumDpcQueueDepth' : [ 0x884, ['unsigned long']], 'MinimumDpcRate' : [ 0x888, ['unsigned long']], 'QuantumEnd' : [ 0x88c, ['unsigned long']], 'PrcbPad5' : [ 0x890, ['array', 16, ['unsigned char']]], 'DpcLock' : [ 0x8a0, ['unsigned long']], 'PrcbPad6' : [ 0x8a4, ['array', 28, ['unsigned char']]], 'CallDpc' : [ 0x8c0, ['_KDPC']], 'ChainedInterruptList' : [ 0x8e0, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x8e4, ['long']], 'SpareFields0' : [ 0x8e8, ['array', 6, ['unsigned long']]], 'VendorString' : [ 0x900, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x90d, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x90e, ['unsigned char']], 'MHz' : [ 0x910, ['unsigned long']], 'FeatureBits' : [ 0x914, ['unsigned long']], 'UpdateSignature' : [ 0x918, ['_LARGE_INTEGER']], 'NpxSaveArea' : [ 0x920, 
['_FX_SAVE_AREA']], 'PowerState' : [ 0xb30, ['_PROCESSOR_POWER_STATE']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x100, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x100, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], 
} ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Exclusive' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x1c, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x14, ['unsigned long']], 'Exclusive' : [ 0x18, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_ETHREAD' : [ 0x258, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1c0, ['_LARGE_INTEGER']], 'NestedFaultCount' : [ 0x1c0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'ApcNeeded' : [ 0x1c0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitTime' : [ 0x1c8, ['_LARGE_INTEGER']], 'LpcReplyChain' : [ 0x1c8, ['_LIST_ENTRY']], 'KeyedWaitChain' : [ 0x1c8, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1d0, ['long']], 'OfsChain' : [ 0x1d0, ['pointer', ['void']]], 'PostBlockList' : [ 0x1d4, ['_LIST_ENTRY']], 'TerminationPort' : [ 0x1dc, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1dc, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1dc, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x1e0, ['unsigned long']], 'ActiveTimerListHead' : [ 0x1e4, ['_LIST_ENTRY']], 'Cid' : [ 0x1ec, ['_CLIENT_ID']], 'LpcReplySemaphore' : [ 0x1f4, ['_KSEMAPHORE']], 'KeyedWaitSemaphore' : [ 0x1f4, ['_KSEMAPHORE']], 'LpcReplyMessage' : [ 0x208, ['pointer', ['void']]], 'LpcWaitingOnPort' : [ 
0x208, ['pointer', ['void']]], 'ImpersonationInfo' : [ 0x20c, ['pointer', ['_PS_IMPERSONATION_INFORMATION']]], 'IrpList' : [ 0x210, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x218, ['unsigned long']], 'DeviceToVerify' : [ 0x21c, ['pointer', ['_DEVICE_OBJECT']]], 'ThreadsProcess' : [ 0x220, ['pointer', ['_EPROCESS']]], 'StartAddress' : [ 0x224, ['pointer', ['void']]], 'Win32StartAddress' : [ 0x228, ['pointer', ['void']]], 'LpcReceivedMessageId' : [ 0x228, ['unsigned long']], 'ThreadListEntry' : [ 0x22c, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x234, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x238, ['_EX_PUSH_LOCK']], 'LpcReplyMessageId' : [ 0x23c, ['unsigned long']], 'ReadClusterSize' : [ 0x240, ['unsigned long']], 'GrantedAccess' : [ 0x244, ['unsigned long']], 'CrossThreadFlags' : [ 0x248, ['unsigned long']], 'Terminated' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeadThread' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x248, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x248, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x24c, ['unsigned long']], 'ActiveExWorker' : [ 0x24c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x24c, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x24c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x250, ['unsigned long']], 'LpcReceivedMsgIdValid' : [ 0x250, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'LpcExitThreadCalled' : [ 0x250, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'AddressSpaceOwner' : [ 0x250, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ForwardClusterOnly' : [ 0x254, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x255, ['unsigned char']], } ], '_EPROCESS' : [ 0x260, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x6c, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x70, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x78, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x80, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x84, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0x88, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0x90, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0x9c, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xa8, ['unsigned long']], 'PeakVirtualSize' : [ 0xac, ['unsigned long']], 'VirtualSize' : [ 0xb0, ['unsigned long']], 'SessionProcessLinks' : [ 0xb4, ['_LIST_ENTRY']], 'DebugPort' : [ 0xbc, ['pointer', ['void']]], 'ExceptionPort' : [ 0xc0, ['pointer', ['void']]], 'ObjectTable' : [ 0xc4, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xc8, ['_EX_FAST_REF']], 'WorkingSetLock' : [ 0xcc, ['_FAST_MUTEX']], 'WorkingSetPage' : [ 0xec, ['unsigned long']], 'AddressCreationLock' : [ 0xf0, ['_FAST_MUTEX']], 'HyperSpaceLock' : [ 0x110, ['unsigned long']], 'ForkInProgress' : [ 0x114, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x118, ['unsigned long']], 'VadRoot' : [ 0x11c, ['pointer', ['void']]], 'VadHint' : [ 0x120, ['pointer', ['void']]], 'CloneRoot' : [ 0x124, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x128, ['unsigned long']], 
'NumberOfLockedPages' : [ 0x12c, ['unsigned long']], 'Win32Process' : [ 0x130, ['pointer', ['void']]], 'Job' : [ 0x134, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x138, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x13c, ['pointer', ['void']]], 'QuotaBlock' : [ 0x140, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x144, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x148, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x14c, ['pointer', ['void']]], 'LdtInformation' : [ 0x150, ['pointer', ['void']]], 'VadFreeHint' : [ 0x154, ['pointer', ['void']]], 'VdmObjects' : [ 0x158, ['pointer', ['void']]], 'DeviceMap' : [ 0x15c, ['pointer', ['void']]], 'PhysicalVadList' : [ 0x160, ['_LIST_ENTRY']], 'PageDirectoryPte' : [ 0x168, ['_HARDWARE_PTE']], 'Filler' : [ 0x168, ['unsigned long long']], 'Session' : [ 0x170, ['pointer', ['void']]], 'ImageFileName' : [ 0x174, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x184, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x18c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x190, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x198, ['pointer', ['void']]], 'PaeTop' : [ 0x19c, ['pointer', ['void']]], 'ActiveThreads' : [ 0x1a0, ['unsigned long']], 'GrantedAccess' : [ 0x1a4, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a8, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1ac, ['long']], 'Peb' : [ 0x1b0, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x1b4, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1e0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e8, ['unsigned long']], 'CommitChargePeak' : [ 0x1ec, ['unsigned long']], 'AweInfo' : [ 0x1f0, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1f4, 
['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1f8, ['_MMSUPPORT']], 'LastFaultCount' : [ 0x238, ['unsigned long']], 'ModifiedPageCount' : [ 0x23c, ['unsigned long']], 'NumberOfVads' : [ 0x240, ['unsigned long']], 'JobStatus' : [ 0x244, ['unsigned long']], 'Flags' : [ 0x248, ['unsigned long']], 'CreateReported' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x248, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x248, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'HasPhysicalVad' : [ 0x248, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x248, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x248, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x248, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SessionCreationUnderway' : [ 0x248, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x248, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x248, ['BitField', dict(start_bit = 16, end_bit = 17, 
native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x248, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x248, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x248, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x248, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x248, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Unused3' : [ 0x248, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Unused4' : [ 0x248, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x248, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'Unused' : [ 0x248, ['BitField', dict(start_bit = 25, end_bit = 30, native_type='unsigned long')]], 'Unused1' : [ 0x248, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Unused2' : [ 0x248, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x24c, ['long']], 'NextPageColor' : [ 0x250, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x252, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x253, ['unsigned char']], 'SubSystemVersion' : [ 0x252, ['unsigned short']], 'PriorityClass' : [ 0x254, ['unsigned char']], 'WorkingSetAcquiredUnsafe' : [ 0x255, ['unsigned char']], 'Cookie' : [ 0x258, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x190, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 
0x38, ['_LIST_ENTRY']], 'Name' : [ 0x40, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x48, ['pointer', ['void']]], 'Index' : [ 0x4c, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x50, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x54, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x58, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x5c, ['unsigned long']], 'TypeInfo' : [ 0x60, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0xac, ['unsigned long']], 'ObjectLocks' : [ 0xb0, ['array', 4, ['_ERESOURCE']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_KTHREAD' : [ 0x1c0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListHead' : [ 0x10, ['_LIST_ENTRY']], 'InitialStack' : [ 0x18, ['pointer', ['void']]], 'StackLimit' : [ 0x1c, ['pointer', ['void']]], 'Teb' : [ 0x20, ['pointer', ['void']]], 'TlsArray' : [ 0x24, ['pointer', ['void']]], 'KernelStack' : [ 0x28, ['pointer', ['void']]], 'DebugActive' : [ 0x2c, ['unsigned char']], 'State' : [ 0x2d, ['unsigned char']], 'Alerted' : [ 0x2e, ['array', 2, ['unsigned char']]], 'Iopl' : [ 0x30, ['unsigned char']], 'NpxState' : [ 0x31, ['unsigned char']], 'Saturation' : [ 0x32, ['unsigned char']], 'Priority' : [ 0x33, ['unsigned char']], 'ApcState' : [ 0x34, ['_KAPC_STATE']], 'ContextSwitches' : [ 0x4c, ['unsigned long']], 'IdleSwapBlock' : [ 0x50, ['unsigned char']], 'Spare0' : [ 0x51, ['array', 3, ['unsigned char']]], 'WaitStatus' : [ 0x54, ['long']], 'WaitIrql' : [ 0x58, ['unsigned char']], 'WaitMode' : [ 0x59, ['unsigned char']], 'WaitNext' : [ 0x5a, ['unsigned char']], 'WaitReason' : [ 0x5b, ['unsigned char']], 'WaitBlockList' : [ 0x5c, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x60, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'WaitTime' : [ 0x68, ['unsigned long']], 'BasePriority' : [ 0x6c, ['unsigned char']], 'DecrementCount' : [ 0x6d, ['unsigned char']], 'PriorityDecrement' : [ 0x6e, 
['unsigned char']], 'Quantum' : [ 0x6f, ['unsigned char']], 'WaitBlock' : [ 0x70, ['array', 4, ['_KWAIT_BLOCK']]], 'LegoData' : [ 0xd0, ['pointer', ['void']]], 'KernelApcDisable' : [ 0xd4, ['unsigned long']], 'UserAffinity' : [ 0xd8, ['unsigned long']], 'SystemAffinityActive' : [ 0xdc, ['unsigned char']], 'PowerState' : [ 0xdd, ['unsigned char']], 'NpxIrql' : [ 0xde, ['unsigned char']], 'InitialNode' : [ 0xdf, ['unsigned char']], 'ServiceTable' : [ 0xe0, ['pointer', ['void']]], 'Queue' : [ 0xe4, ['pointer', ['_KQUEUE']]], 'ApcQueueLock' : [ 0xe8, ['unsigned long']], 'Timer' : [ 0xf0, ['_KTIMER']], 'QueueListEntry' : [ 0x118, ['_LIST_ENTRY']], 'SoftAffinity' : [ 0x120, ['unsigned long']], 'Affinity' : [ 0x124, ['unsigned long']], 'Preempted' : [ 0x128, ['unsigned char']], 'ProcessReadyQueue' : [ 0x129, ['unsigned char']], 'KernelStackResident' : [ 0x12a, ['unsigned char']], 'NextProcessor' : [ 0x12b, ['unsigned char']], 'CallbackStack' : [ 0x12c, ['pointer', ['void']]], 'Win32Thread' : [ 0x130, ['pointer', ['void']]], 'TrapFrame' : [ 0x134, ['pointer', ['_KTRAP_FRAME']]], 'ApcStatePointer' : [ 0x138, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'PreviousMode' : [ 0x140, ['unsigned char']], 'EnableStackSwap' : [ 0x141, ['unsigned char']], 'LargeStack' : [ 0x142, ['unsigned char']], 'ResourceIndex' : [ 0x143, ['unsigned char']], 'KernelTime' : [ 0x144, ['unsigned long']], 'UserTime' : [ 0x148, ['unsigned long']], 'SavedApcState' : [ 0x14c, ['_KAPC_STATE']], 'Alertable' : [ 0x164, ['unsigned char']], 'ApcStateIndex' : [ 0x165, ['unsigned char']], 'ApcQueueable' : [ 0x166, ['unsigned char']], 'AutoAlignment' : [ 0x167, ['unsigned char']], 'StackBase' : [ 0x168, ['pointer', ['void']]], 'SuspendApc' : [ 0x16c, ['_KAPC']], 'SuspendSemaphore' : [ 0x19c, ['_KSEMAPHORE']], 'ThreadListEntry' : [ 0x1b0, ['_LIST_ENTRY']], 'FreezeCount' : [ 0x1b8, ['unsigned char']], 'SuspendCount' : [ 0x1b9, ['unsigned char']], 'IdealProcessor' : [ 0x1ba, ['unsigned char']], 'DisableBoost' : [ 
0x1bb, ['unsigned char']], } ], '__unnamed_10f2' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_10f2']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long 
long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], 
'_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1163' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : 
[ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1163']], } ], '__unnamed_116a' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_116a']], } ], '__unnamed_1173' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 
0x0, ['unsigned short']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_1173']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], } ], '_SHARED_CACHE_MAP' : [ 0x130, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObject' : [ 0x44, ['pointer', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', 
['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'VacbPushLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], } ], '__unnamed_119d' : [ 0x10, { 'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_119f' : [ 0x2, { 'FreeListsInUseTerminate' : [ 0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' : [ 0x588, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'ForceFlags' : [ 0x10, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x14, ['unsigned long']], 'SegmentReserve' : [ 0x18, ['unsigned long']], 'SegmentCommit' : [ 0x1c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x20, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x24, ['unsigned long']], 'TotalFreeSize' : [ 0x28, ['unsigned long']], 'MaximumAllocationSize' : [ 0x2c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x30, ['unsigned short']], 'HeaderValidateLength' : [ 0x32, ['unsigned short']], 'HeaderValidateCopy' : [ 0x34, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x38, ['unsigned short']], 'MaximumTagIndex' : [ 0x3a, ['unsigned short']], 'TagEntries' : [ 0x3c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x40, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x44, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 
'AlignRound' : [ 0x48, ['unsigned long']], 'AlignMask' : [ 0x4c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x50, ['_LIST_ENTRY']], 'Segments' : [ 0x58, ['array', 64, ['pointer', ['_HEAP_SEGMENT']]]], 'u' : [ 0x158, ['__unnamed_119d']], 'u2' : [ 0x168, ['__unnamed_119f']], 'AllocatorBackTraceIndex' : [ 0x16a, ['unsigned short']], 'NonDedicatedListLength' : [ 0x16c, ['unsigned long']], 'LargeBlocksIndex' : [ 0x170, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0x174, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x178, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0x578, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x57c, ['pointer', ['void']]], 'FrontEndHeap' : [ 0x580, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0x584, ['unsigned short']], 'FrontEndHeapType' : [ 0x586, ['unsigned char']], 'LastSegmentIndex' : [ 0x587, ['unsigned char']], } ], '_HEAP_SEGMENT' : [ 0x3c, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Heap' : [ 0x10, ['pointer', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x14, ['unsigned long']], 'BaseAddress' : [ 0x18, ['pointer', ['void']]], 'NumberOfPages' : [ 0x1c, ['unsigned long']], 'FirstEntry' : [ 0x20, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x28, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x2c, ['unsigned long']], 'UnCommittedRanges' : [ 0x30, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'LastEntryInSegment' : [ 0x38, ['pointer', ['_HEAP_ENTRY']]], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'Bucket' : [ 0x0, ['pointer', ['void']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'FreeThreshold' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned 
short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_HEAP_UCR_SEGMENT' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x4, ['unsigned long']], 'CommittedSize' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x50, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 
'EntryPointActivationContext' : [ 0x48, ['pointer', ['void']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], } ], '_HEAP_UNCOMMMTTED_RANGE' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x110, { 'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, ['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, ['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long']], 'ResourceDatabase' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x30, ['pointer', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x34, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x38, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x3c, ['unsigned long']], 'NodesSearched' : [ 0x40, ['unsigned long']], 'MaxNodesSearched' : [ 0x44, ['unsigned long']], 'SequenceNumber' : [ 0x48, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4c, ['unsigned long']], 'SearchedNodesLimit' : [ 0x50, ['unsigned long']], 'DepthLimitHits' : [ 0x54, ['unsigned long']], 'SearchLimitHits' : [ 0x58, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x5c, ['unsigned long']], 'FreeResourceList' : [ 0x60, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x68, ['_LIST_ENTRY']], 'FreeNodeList' : [ 0x70, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0x78, ['unsigned long']], 'FreeThreadCount' : [ 0x7c, ['unsigned long']], 'FreeNodeCount' : [ 0x80, ['unsigned long']], 'Instigator' : [ 0x84, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x88, ['unsigned long']], 'Participant' : [ 0x8c, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x10c, ['unsigned long']], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 
0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SEGMENT_OBJECT' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x20, ['pointer', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x24, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 
0x28, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_1224' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 0x30, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSubsections' : [ 0x18, ['unsigned short']], 'FlushInProgressCount' : [ 0x1a, ['unsigned short']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_1224']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'NumberOfSystemCacheViews' : [ 0x2e, ['unsigned short']], } ], '_HANDLE_TABLE' : [ 0x44, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleTableLock' : [ 0xc, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x1c, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x24, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x28, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x2c, ['long']], 'FirstFree' : [ 0x30, ['unsigned long']], 'LastFree' : [ 0x34, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x38, ['unsigned long']], 'HandleCount' : [ 0x3c, ['long']], 'Flags' : [ 0x40, ['unsigned long']], 'StrictFIFO' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', 
dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'ProcessBilled' : [ 0x4, ['pointer', ['_EPROCESS']]], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x40, { 'LastTrimTime' : [ 0x0, ['_LARGE_INTEGER']], 'Flags' : [ 0x8, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0xc, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x10, ['unsigned long']], 'WorkingSetSize' : [ 0x14, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x18, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x1c, ['unsigned long']], 'VmWorkingSetList' : [ 0x20, ['pointer', ['_MMWSL']]], 'WorkingSetExpansionLinks' : [ 0x24, ['_LIST_ENTRY']], 'Claim' : [ 0x2c, ['unsigned long']], 'NextEstimationSlot' : [ 0x30, ['unsigned long']], 'NextAgingSlot' : [ 0x34, ['unsigned long']], 'EstimatedAvailable' : [ 0x38, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x3c, ['unsigned long']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]], 'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['unsigned short']]], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_EPROCESS_QUOTA_BLOCK' : [ 0x40, { 'QuotaEntry' : [ 0x0, ['array', 3, ['_EPROCESS_QUOTA_ENTRY']]], 'QuotaList' : [ 0x30, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x38, ['unsigned long']], 'ProcessCount' : [ 0x3c, ['unsigned long']], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_EVENT_COUNTER' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'RefCount' : [ 0x4, ['unsigned long']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_EJOB' : [ 0x180, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 
'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'UIRestrictionsClass' : [ 0xb0, ['unsigned long']], 'SecurityLimitFlags' : [ 0xb4, ['unsigned long']], 'Token' : [ 0xb8, ['pointer', ['void']]], 'Filter' : [ 0xbc, ['pointer', ['_PS_JOB_TOKEN_FILTER']]], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'IoInfo' : [ 0x108, ['_IO_COUNTERS']], 'ProcessMemoryLimit' : [ 0x138, ['unsigned long']], 'JobMemoryLimit' : [ 0x13c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x140, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x144, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x148, ['unsigned long']], 'MemoryLimitsLock' : [ 0x14c, ['_FAST_MUTEX']], 'JobSetLinks' : [ 0x16c, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x174, ['unsigned long']], 'JobFlags' : [ 0x178, ['unsigned long']], } ], '_LARGE_CONTROL_AREA' : [ 0x40, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, 
['unsigned long']], 'NumberOfSubsections' : [ 0x18, ['unsigned short']], 'FlushInProgressCount' : [ 0x1a, ['unsigned short']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_1224']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'NumberOfSystemCacheViews' : [ 0x2e, ['unsigned short']], 'StartingFrame' : [ 0x30, ['unsigned long']], 'UserGlobalList' : [ 0x34, ['_LIST_ENTRY']], 'SessionId' : [ 0x3c, ['unsigned long']], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x24, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x8, ['unsigned long']], 'CapturedGroupCount' : [ 0xc, ['unsigned long']], 'CapturedGroups' : [ 0x10, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x14, ['unsigned long']], 'CapturedPrivilegeCount' : [ 0x18, ['unsigned long']], 'CapturedPrivileges' : [ 0x1c, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x20, ['unsigned long']], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x70, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 
'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'Reserved' : [ 0x68, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_FILE_OBJECT' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' 
: [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', 
dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'HadUserReference' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit 
= 27, end_bit = 28, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x18, { 'Name' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'CmHive' : [ 0x8, ['pointer', ['_CMHIVE']]], 'Flags' : [ 0xc, ['unsigned long']], 'CmHive2' : [ 0x10, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x14, ['unsigned char']], 'ThreadStarted' : [ 0x15, ['unsigned char']], 'Allocate' : [ 0x16, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0xc, { 'Token' : [ 0x0, ['pointer', ['void']]], 'CopyOnOpen' : [ 0x4, ['unsigned char']], 'EffectiveOnly' : [ 0x5, ['unsigned char']], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_12c3' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, 
['pointer', ['_DEVICE_RELATIONS']]], } ], '__unnamed_12c5' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_12c9' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x118, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted'})]], 'PreviousState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 
780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted'})]], 'StateHistory' : [ 0x20, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted'})]]], 'StateHistoryEntry' : [ 0x70, ['unsigned long']], 'CompletionStatus' : [ 0x74, ['long']], 'PendingIrp' : [ 0x78, ['pointer', ['_IRP']]], 'Flags' : [ 0x7c, ['unsigned long']], 'UserFlags' : [ 0x80, ['unsigned long']], 'Problem' : [ 0x84, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x88, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x8c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x90, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x94, ['_UNICODE_STRING']], 'ServiceName' : [ 0x9c, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xa4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xa8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 
'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xb0, ['unsigned long']], 'ChildInterfaceType' : [ 0xb4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xb8, ['unsigned long']], 'ChildBusTypeIndex' : [ 0xbc, ['unsigned short']], 'RemovalPolicy' : [ 0xbe, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xbf, ['unsigned char']], 'TargetDeviceNotify' : [ 0xc0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xc8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0xd0, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0xd8, ['unsigned short']], 'QueryTranslatorMask' : [ 0xda, ['unsigned short']], 'NoArbiterMask' : [ 0xdc, ['unsigned short']], 'QueryArbiterMask' : [ 0xde, ['unsigned short']], 'OverUsed1' : [ 0xe0, ['__unnamed_12c3']], 'OverUsed2' : [ 0xe4, ['__unnamed_12c5']], 'BootResources' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0xec, ['unsigned long']], 'DockInfo' : [ 0xf0, ['__unnamed_12c9']], 'DisableableDepends' : [ 0x100, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x104, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x10c, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x114, ['unsigned long']], } ], '__unnamed_12ce' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_12ce']], } ], '_KPCR' : [ 0xd70, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, 
['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'DebugActive' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_MMCOLOR_TABLES' : [ 0xc, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_12ed' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1278, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_12ed']], 'SessionId' : [ 0x8, ['unsigned long']], 'SessionPageDirectoryIndex' : [ 0xc, ['unsigned long']], 
'GlobalVirtualAddress' : [ 0x10, ['pointer', ['_MM_SESSION_SPACE']]], 'ProcessList' : [ 0x14, ['_LIST_ENTRY']], 'NonPagedPoolBytes' : [ 0x1c, ['unsigned long']], 'PagedPoolBytes' : [ 0x20, ['unsigned long']], 'NonPagedPoolAllocations' : [ 0x24, ['unsigned long']], 'PagedPoolAllocations' : [ 0x28, ['unsigned long']], 'NonPagablePages' : [ 0x2c, ['unsigned long']], 'CommittedPages' : [ 0x30, ['unsigned long']], 'LastProcessSwappedOutTime' : [ 0x38, ['_LARGE_INTEGER']], 'PageTables' : [ 0x40, ['pointer', ['_MMPTE']]], 'PagedPoolMutex' : [ 0x44, ['_FAST_MUTEX']], 'PagedPoolStart' : [ 0x64, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x68, ['pointer', ['void']]], 'PagedPoolBasePde' : [ 0x6c, ['pointer', ['_MMPTE']]], 'PagedPoolInfo' : [ 0x70, ['_MM_PAGED_POOL_INFO']], 'Color' : [ 0x94, ['unsigned long']], 'ProcessOutSwapCount' : [ 0x98, ['unsigned long']], 'ImageList' : [ 0x9c, ['_LIST_ENTRY']], 'GlobalPteEntry' : [ 0xa4, ['pointer', ['_MMPTE']]], 'CopyOnWriteCount' : [ 0xa8, ['unsigned long']], 'SessionPoolAllocationFailures' : [ 0xac, ['array', 4, ['unsigned long']]], 'AttachCount' : [ 0xbc, ['unsigned long']], 'AttachEvent' : [ 0xc0, ['_KEVENT']], 'LastProcess' : [ 0xd0, ['pointer', ['_EPROCESS']]], 'Vm' : [ 0xd8, ['_MMSUPPORT']], 'Wsle' : [ 0x118, ['pointer', ['_MMWSLE']]], 'WsLock' : [ 0x11c, ['_ERESOURCE']], 'WsListEntry' : [ 0x154, ['_LIST_ENTRY']], 'Session' : [ 0x15c, ['_MMSESSION']], 'Win32KDriverObject' : [ 0x198, ['_DRIVER_OBJECT']], 'WorkingSetLockOwner' : [ 0x240, ['pointer', ['_ETHREAD']]], 'PagedPool' : [ 0x244, ['_POOL_DESCRIPTOR']], 'ProcessReferenceToSession' : [ 0x126c, ['long']], 'LocaleId' : [ 0x1270, ['unsigned long']], } ], '_PEB' : [ 0x210, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'SpareBool' : [ 0x3, ['unsigned char']], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, 
['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'FastPebLockRoutine' : [ 0x20, ['pointer', ['void']]], 'FastPebUnlockRoutine' : [ 0x24, ['pointer', ['void']]], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['pointer', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['void']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : 
[ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['void']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['void']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['void']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['void']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerThreads' : [ 0x18, ['array', 2, ['_OWNER_ENTRY']]], 
'ContentionCount' : [ 0x28, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x2c, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x2e, ['unsigned short']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '__unnamed_1317' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1317']], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 
3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x10, { 'Usage' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], 'Peak' : [ 0x8, ['unsigned long']], 'Return' : [ 0xc, ['unsigned long']], } ], '__unnamed_1333' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1333']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x120, { 'IdleFunction' : [ 0x0, ['pointer', ['void']]], 'Idle0KernelTimeLimit' : [ 0x4, ['unsigned long']], 'Idle0LastTime' : [ 0x8, ['unsigned long']], 'IdleHandlers' : [ 0xc, ['pointer', ['void']]], 'IdleState' : [ 0x10, ['pointer', ['void']]], 'IdleHandlersCount' : [ 0x14, ['unsigned long']], 'LastCheck' : [ 0x18, ['unsigned long long']], 'IdleTimes' : [ 0x20, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' : [ 0x40, ['unsigned long']], 'PromotionCheck' : [ 0x44, ['unsigned long']], 
'IdleTime2' : [ 0x48, ['unsigned long']], 'CurrentThrottle' : [ 0x4c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x4d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x4e, ['unsigned char']], 'ThermalThrottleIndex' : [ 0x4f, ['unsigned char']], 'LastKernelUserTime' : [ 0x50, ['unsigned long']], 'PerfIdleTime' : [ 0x54, ['unsigned long']], 'DebugDelta' : [ 0x58, ['unsigned long long']], 'DebugCount' : [ 0x60, ['unsigned long']], 'LastSysTime' : [ 0x64, ['unsigned long']], 'TotalIdleStateTime' : [ 0x68, ['array', 3, ['unsigned long long']]], 'TotalIdleTransitions' : [ 0x80, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0x90, ['unsigned long long']], 'KneeThrottleIndex' : [ 0x98, ['unsigned char']], 'ThrottleLimitIndex' : [ 0x99, ['unsigned char']], 'PerfStatesCount' : [ 0x9a, ['unsigned char']], 'ProcessorMinThrottle' : [ 0x9b, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x9c, ['unsigned char']], 'LastBusyPercentage' : [ 0x9d, ['unsigned char']], 'LastC3Percentage' : [ 0x9e, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0x9f, ['unsigned char']], 'PromotionCount' : [ 0xa0, ['unsigned long']], 'DemotionCount' : [ 0xa4, ['unsigned long']], 'ErrorCount' : [ 0xa8, ['unsigned long']], 'RetryCount' : [ 0xac, ['unsigned long']], 'Flags' : [ 0xb0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xb8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xc0, ['unsigned long']], 'PerfTimer' : [ 0xc8, ['_KTIMER']], 'PerfDpc' : [ 0xf0, ['_KDPC']], 'PerfStates' : [ 0x110, ['pointer', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x114, ['pointer', ['void']]], 'LastC3KernelUserTime' : [ 0x118, ['unsigned long']], 'Spare1' : [ 0x11c, ['array', 1, ['unsigned long']]], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long 
long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 'WriteTransferCount' : [ 0x20, ['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 
0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x4c, { 'IdleCount' : [ 0x0, ['unsigned long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x10, ['_LIST_ENTRY']], 'DeviceType' : [ 0x18, ['unsigned char']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x20, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x28, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x30, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x44, ['_LIST_ENTRY']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'AddressSpaceBeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'AllowWorkingSetAdjustment' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'MemoryPriority' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 
'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 
'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POP_THERMAL_ZONE' : [ 0xd0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x7c, ['pointer', ['_IRP']]], 'Info' : [ 0x80, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, 
['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 
32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 
'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CMHIVE' : [ 0x49c, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x210, ['array', 3, ['pointer', ['void']]]], 'NotifyList' : [ 0x21c, ['_LIST_ENTRY']], 'HiveList' : [ 0x224, ['_LIST_ENTRY']], 'HiveLock' : [ 0x22c, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x230, ['pointer', ['_FAST_MUTEX']]], 'LRUViewListHead' : [ 0x234, ['_LIST_ENTRY']], 'PinViewListHead' : [ 0x23c, ['_LIST_ENTRY']], 'FileObject' : [ 0x244, ['pointer', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x248, ['_UNICODE_STRING']], 'FileUserName' : [ 0x250, ['_UNICODE_STRING']], 'MappedViews' : [ 0x258, ['unsigned short']], 'PinnedViews' : [ 0x25a, ['unsigned short']], 'UseCount' : [ 0x25c, ['unsigned long']], 'SecurityCount' : [ 0x260, ['unsigned long']], 'SecurityCacheSize' : [ 0x264, ['unsigned long']], 'SecurityHitHint' : [ 0x268, ['long']], 'SecurityCache' : [ 0x26c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x270, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0x470, ['pointer', 
['_KEVENT']]], 'RootKcb' : [ 0x474, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x478, ['unsigned char']], 'UnloadWorkItem' : [ 0x47c, ['pointer', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0x480, ['unsigned char']], 'GrowOffset' : [ 0x484, ['unsigned long']], 'KcbConvertListHead' : [ 0x488, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x490, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x498, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x50004, { 'CurrentStackIndex' : [ 0x0, ['unsigned long']], 'TraceDb' : [ 0x4, ['array', 4096, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x210, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'RealWrites' : [ 0x38, ['unsigned char']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 'ReadOnly' : [ 0x41, ['unsigned char']], 'Log' : [ 0x42, ['unsigned char']], 'HiveFlags' : [ 0x44, ['unsigned long']], 'LogSize' : [ 0x48, ['unsigned long']], 'RefreshCount' : [ 0x4c, ['unsigned long']], 'StorageTypeCount' : [ 0x50, ['unsigned long']], 'Version' : [ 0x54, ['unsigned long']], 'Storage' : [ 0x58, ['array', 2, ['_DUAL']]], } ], '_PAGEFAULT_HISTORY' : [ 0x18, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['pointer', ['void']]], 'WatchInfo' : [ 0x10, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 
0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['unsigned short']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Filler0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned long')]], 'HasWsLock' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '__unnamed_13f8' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], 
} ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_13f8']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' 
: [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 0x24, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 'PinViewList' : [ 0x8, ['_LIST_ENTRY']], 'FileOffset' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], 'ViewAddress' : [ 0x18, ['pointer', ['unsigned long']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'UseCount' : [ 0x20, ['unsigned long']], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_KUSER_SHARED_DATA' : [ 0x338, { 'TickCountLow' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'Reserved2' : [ 0x244, ['array', 8, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, 
['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x4c, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x2c, 
['pointer', ['void']]], 'OpenProcedure' : [ 0x30, ['pointer', ['void']]], 'CloseProcedure' : [ 0x34, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x38, ['pointer', ['void']]], 'ParseProcedure' : [ 0x3c, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x40, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x44, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x48, ['pointer', ['void']]], } ], '__unnamed_143e' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'u' : [ 0x4, ['__unnamed_143e']], 'StartingSector' : [ 0x8, ['unsigned long']], 'NumberOfFullSectors' : [ 0xc, ['unsigned long']], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'UnusedPtes' : [ 0x14, ['unsigned long']], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'NextSubsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '__unnamed_144c' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_144f' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_1452' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1458' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x34, { 'StartingVpn' : [ 0x0, ['unsigned long']], 'EndingVpn' : [ 0x4, ['unsigned long']], 'Parent' : [ 0x8, ['pointer', 
['_MMVAD']]], 'LeftChild' : [ 0xc, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer', ['_MMVAD']]], 'u' : [ 0x14, ['__unnamed_144c']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_144f']], 'u3' : [ 0x28, ['__unnamed_1452']], 'u4' : [ 0x30, ['__unnamed_1458']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'PhysicalMapping' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ImageMap' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'UserPhysicalPages' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'WriteWatch' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_POOL_DESCRIPTOR' : [ 0x1028, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 
'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, ['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['void']]], 'PendingFreeDepth' : [ 0x24, ['long']], 'ListHeads' : [ 0x28, ['array', 512, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x28, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 
0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x24, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x4, ['pointer', ['_RTL_BITMAP']]], 'PagedPoolLargeSessionAllocationMap' : [ 0x8, ['pointer', ['_RTL_BITMAP']]], 'FirstPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0x10, ['pointer', ['_MMPTE']]], 'NextPdeForPagedPoolExpansion' : [ 0x14, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x18, ['unsigned long']], 'PagedPoolCommit' : [ 0x1c, ['unsigned long']], 'AllocatedPagedPool' : [ 0x20, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 
0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['unsigned short']]], } ], '_MMSESSION' : [ 0x3c, { 'SystemSpaceViewLock' : [ 0x0, ['_FAST_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_FAST_MUTEX']]], 'SystemSpaceViewStart' : [ 0x24, ['pointer', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x28, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x30, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x34, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x38, ['pointer', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0xc, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long']], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 0x8, { 'FaultingPc' : [ 0x0, ['pointer', ['void']]], 'FaultingVa' : [ 0x4, ['pointer', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 
'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 31, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_DEADLOCK_NODE' : [ 0x68, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SequenceNumber' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x48, ['array', 8, ['pointer', ['void']]]], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, 
['array', 512, ['unsigned char']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0xc8, { 'Next' : [ 0x0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x4, 
['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'Slot' : [ 0x20, ['_PCI_SLOT_NUMBER']], 'PhysicalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x28, ['pointer', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x2c, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x30, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x34, ['unsigned long']], 'VendorId' : [ 0x38, ['unsigned short']], 'DeviceId' : [ 0x3a, ['unsigned short']], 'SubsystemVendorId' : [ 0x3c, ['unsigned short']], 'SubsystemId' : [ 0x3e, ['unsigned short']], 'RevisionId' : [ 0x40, ['unsigned char']], 'ProgIf' : [ 0x41, ['unsigned char']], 'SubClass' : [ 0x42, ['unsigned char']], 'BaseClass' : [ 0x43, ['unsigned char']], 'AdditionalResourceCount' : [ 0x44, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x45, ['unsigned char']], 'InterruptPin' : [ 0x46, ['unsigned char']], 'RawInterruptLine' : [ 0x47, ['unsigned char']], 'CapabilitiesPtr' : [ 0x48, ['unsigned char']], 'SavedLatencyTimer' : [ 0x49, ['unsigned char']], 'SavedCacheLineSize' : [ 0x4a, ['unsigned char']], 'HeaderType' : [ 0x4b, ['unsigned char']], 'NotPresent' : [ 0x4c, ['unsigned char']], 'ReportedMissing' : [ 0x4d, ['unsigned char']], 
'ExpectedWritebackFailure' : [ 0x4e, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x4f, ['unsigned char']], 'LegacyDriver' : [ 0x50, ['unsigned char']], 'UpdateHardware' : [ 0x51, ['unsigned char']], 'MovedDevice' : [ 0x52, ['unsigned char']], 'DisablePowerDown' : [ 0x53, ['unsigned char']], 'NeedsHotPlugConfiguration' : [ 0x54, ['unsigned char']], 'SwitchedIDEToNativeMode' : [ 0x55, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x56, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : [ 0x57, ['unsigned char']], 'OnDebugPath' : [ 0x58, ['unsigned char']], 'PowerState' : [ 0x5c, ['PCI_POWER_STATE']], 'Dependent' : [ 0x9c, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xa0, ['unsigned long long']], 'Resources' : [ 0xa8, ['pointer', ['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xac, ['pointer', ['_PCI_FDO_EXTENSION']]], 'NextBridge' : [ 0xb0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0xb4, ['pointer', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0xb8, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0xc0, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0xc2, ['unsigned char']], 'CommandEnables' : [ 0xc4, ['unsigned short']], 'InitialCommand' : [ 0xc6, ['unsigned short']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_QUAD' : [ 0x8, { 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_SECURITY_DESCRIPTOR' : [ 
0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '__unnamed_14ca' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_14cc' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_14ca']], 'Merged' : [ 0x10, ['__unnamed_14cc']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_KPROCESS' : [ 0x6c, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['array', 2, ['unsigned 
long']]], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Iopl' : [ 0x32, ['unsigned char']], 'Unused' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'StackCount' : [ 0x60, ['unsigned short']], 'BasePriority' : [ 0x62, ['unsigned char']], 'ThreadQuantum' : [ 0x63, ['unsigned char']], 'AutoAlignment' : [ 0x64, ['unsigned char']], 'State' : [ 0x65, ['unsigned char']], 'ThreadSeed' : [ 0x66, ['unsigned char']], 'DisableBoost' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'DisableQuantum' : [ 0x69, ['unsigned char']], 'IdealNode' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 
0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_14f5' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_14fc' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 
'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_14fe' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_14f5']], 'Bits' : [ 0x0, ['__unnamed_14fc']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_14fe']], } ], '__unnamed_1508' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0xc0, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 
'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'PhysicalDeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x28, ['pointer', ['_DEVICE_OBJECT']]], 'ChildListLock' : [ 0x2c, ['_KEVENT']], 'ChildPdoList' : [ 0x3c, ['pointer', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 0x40, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x44, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x48, ['pointer', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 0x4c, ['pointer', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x50, ['unsigned char']], 'BusHandler' : [ 0x54, ['pointer', ['_BUS_HANDLER']]], 'BaseBus' : [ 0x58, ['unsigned char']], 'Fake' : [ 0x59, ['unsigned char']], 'ChildDelete' : [ 0x5a, ['unsigned char']], 'Scanned' : [ 0x5b, ['unsigned char']], 'ArbitersInitialized' : [ 0x5c, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0x5d, ['unsigned char']], 'Hibernated' : [ 0x5e, ['unsigned char']], 'PowerState' : [ 0x60, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0xa4, ['unsigned long']], 'PreservedConfig' : [ 0xa8, ['pointer', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0xac, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0xb4, ['__unnamed_1508']], 'BusHackFlags' : [ 0xbc, ['unsigned long']], } ], '__unnamed_150c' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_150e' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1510' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 
'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1512' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1514' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1516' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1518' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_150c']], 'Port' : [ 0x0, ['__unnamed_150c']], 'Interrupt' : [ 0x0, ['__unnamed_150e']], 'Memory' : [ 0x0, ['__unnamed_150c']], 'Dma' : [ 0x0, ['__unnamed_1510']], 'DevicePrivate' : [ 0x0, ['__unnamed_1512']], 'BusNumber' : [ 0x0, ['__unnamed_1514']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1516']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1518']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x48, { 'RefCount' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', 
dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KcbLastWriteTime' : [ 0x38, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x40, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x42, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x44, ['unsigned long']], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['short']], 'Number' : [ 0x2, ['unsigned char']], 'Importance' : [ 0x3, ['unsigned char']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'Lock' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ReadConfig' : [ 0x10, ['pointer', ['void']]], 'WriteConfig' : [ 0x14, ['pointer', ['void']]], 'PinToLine' : [ 0x18, ['pointer', ['void']]], 'LineToPin' : [ 0x1c, ['pointer', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, 
['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x10, ['unsigned long']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '__unnamed_1550' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1557' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1559' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1557']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_155e' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1560' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_155e']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, 
['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_1550']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_1559']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_1560']], } ], '_PCI_LOCK' : [ 0x8, { 'Atom' : [ 0x0, ['unsigned long']], 'OldIrql' : [ 0x4, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '__unnamed_1569' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1569']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_156f' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0xc, { 'Type' : 
[ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_156f']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 
0x6c, ['pointer', ['void']]], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, ['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_15d6' : [ 0x4, { 'VirtualAddress' : [ 0x0, 
['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_15d6']], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x290, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 
'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockFastMutex', 3: 'VfDeadlockFastMutexUnsafe', 4: 'VfDeadlockSpinLock', 5: 'VfDeadlockQueuedSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_PEB_FREE_BLOCK' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x4, 
['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x28, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'WakeNeeded' : [ 0xc, ['unsigned char']], 'OrderLevel' : [ 0xd, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Node' : [ 0x14, ['pointer', ['void']]], 'DeviceName' : [ 0x18, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x1c, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x20, ['unsigned long']], 'ActiveChild' : [ 0x24, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '__unnamed_1603' : [ 0x4, { 'Spare' : [ 0x0, ['array', 4, ['unsigned char']]], } ], '__unnamed_1605' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_1603']], 'type1' : [ 0x0, ['__unnamed_1605']], 'type2' : [ 0x0, ['__unnamed_1605']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, 
['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x1e4, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'ServiceContext' : [ 0x10, ['pointer', ['void']]], 'SpinLock' : [ 0x14, ['unsigned long']], 'TickCount' : [ 0x18, ['unsigned long']], 'ActualLock' : [ 0x1c, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x20, ['pointer', ['void']]], 'Vector' : [ 0x24, ['unsigned long']], 'Irql' : [ 0x28, ['unsigned char']], 'SynchronizeIrql' : [ 0x29, ['unsigned char']], 'FloatingSave' : [ 0x2a, ['unsigned char']], 'Connected' : [ 0x2b, ['unsigned char']], 'Number' : [ 0x2c, ['unsigned char']], 'ShareVector' : [ 0x2d, ['unsigned char']], 'Mode' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x34, ['unsigned long']], 'DispatchCount' : [ 0x38, ['unsigned long']], 'DispatchCode' : [ 0x3c, ['array', 106, ['unsigned long']]], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0xe0, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0xc, ['pointer', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x10, ['pointer', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x14, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x44, ['_ARBITER_INSTANCE']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 
'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_MMPAGING_FILE' : [ 0x44, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'CurrentUsage' : [ 0x10, ['unsigned long']], 'PeakUsage' : [ 0x14, ['unsigned long']], 'Hint' : [ 0x18, ['unsigned long']], 'HighestPage' : [ 0x1c, ['unsigned long']], 'Entry' : [ 0x20, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'Bitmap' : [ 0x28, ['pointer', ['_RTL_BITMAP']]], 'File' : [ 0x2c, ['pointer', ['_FILE_OBJECT']]], 'PageFileName' : [ 0x30, ['_UNICODE_STRING']], 'PageFileNumber' : [ 0x38, ['unsigned long']], 'Extended' : [ 0x3c, ['unsigned char']], 'HintSetToZero' : [ 0x3d, ['unsigned char']], 'BootPartition' : [ 0x3e, ['unsigned char']], 'FileHandle' : [ 0x40, ['pointer', ['void']]], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x20, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x4, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x8, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0xc, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x14, ['pointer', ['void']]], 'OtherIrpDispatchStyle' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x1c, ['pointer', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', 
['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_DIRECTORY' : [ 0xa4, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' 
: [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'Reserved' : [ 0xa0, ['unsigned short']], 'SymbolicLinkUsageCount' : [ 0xa2, ['unsigned short']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x69c, { 
'Quota' : [ 0x0, ['unsigned long']], 'FirstFree' : [ 0x4, ['unsigned long']], 'FirstDynamic' : [ 0x8, ['unsigned long']], 'LastEntry' : [ 0xc, ['unsigned long']], 'NextSlot' : [ 0x10, ['unsigned long']], 'Wsle' : [ 0x14, ['pointer', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NonDirectCount' : [ 0x1c, ['unsigned long']], 'HashTable' : [ 0x20, ['pointer', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x24, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x28, ['unsigned long']], 'HashTableStart' : [ 0x2c, ['pointer', ['void']]], 'HighestPermittedHashAddress' : [ 0x30, ['pointer', ['void']]], 'NumberOfImageWaiters' : [ 0x34, ['unsigned long']], 'VadBitMapHint' : [ 0x38, ['unsigned long']], 'UsedPageTableEntries' : [ 0x3c, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x63c, ['array', 24, ['unsigned long']]], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 'PCI_FUNCTION_RESOURCES' : [ 0x150, { 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '__unnamed_167b' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_167f' : [ 
0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x40, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'WritableUserReferences' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x18, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x1c, ['unsigned long']], 'ExtendInfo' : [ 0x20, ['pointer', ['_MMEXTEND_INFO']]], 'SystemImageBase' : [ 0x24, ['pointer', ['void']]], 'BasedAddress' : [ 0x28, ['pointer', ['void']]], 'u1' : [ 0x2c, ['__unnamed_167b']], 'u2' : [ 0x30, ['__unnamed_167f']], 'PrototypePte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x38, ['array', 1, ['_MMPTE']]], } ], '_PCI_COMMON_EXTENSION' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['void']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', 
['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x20, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x1c, ['pointer', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 
'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 
'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x2c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } 
], '_TOKEN' : [ 0xa8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, ['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : [ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x6c, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x70, ['pointer', ['void']]], 'Privileges' : [ 0x74, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x78, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0x7c, ['pointer', ['_ACL']]], 'TokenType' : [ 0x80, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x84, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0x88, ['unsigned long']], 'TokenInUse' : [ 0x8c, ['unsigned char']], 'ProxyData' : [ 0x90, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0x94, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'OriginatingLogonSession' : [ 0x98, ['_LUID']], 'VariablePart' : [ 0xa0, ['unsigned long']], } ], '_TEB' : [ 0xfb8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 
'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStack' : [ 0x1a8, ['_ACTIVATION_CONTEXT_STACK']], 'SpareBytes1' : [ 0x1bc, ['array', 24, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : 
[ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorsAreDisabled' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 16, ['pointer', ['void']]]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'Spare3' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'Wx86Thread' : [ 0xf88, ['_Wx86ThreadState']], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'SafeThunkCall' : [ 0xfb4, ['unsigned char']], 'BooleanSpare' : [ 0xfb5, ['array', 3, ['unsigned char']]], } ], 'PCI_SECONDARY_EXTENSION' : [ 0xc, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x8, ['pointer', 
['void']]], } ], '__unnamed_16c6' : [ 0x30, { 'type0' : [ 0x0, ['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_16c6']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'Spare1' : [ 0x23, ['unsigned char']], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'Reserved' : [ 0x2c, ['array', 1, ['unsigned 
long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_KNODE' : [ 0x30, { 'ProcessorMask' : [ 0x0, ['unsigned long']], 'Color' : [ 0x4, ['unsigned long']], 'MmShiftedColor' : [ 0x8, ['unsigned long']], 'FreeCount' : [ 0xc, ['array', 2, ['unsigned long']]], 'DeadStackList' : [ 0x18, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x20, ['_SLIST_HEADER']], 'PfnDeferredList' : [ 0x28, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'Seed' : [ 0x2c, ['unsigned char']], 'Flags' : [ 0x2d, ['_flags']], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned long']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 
0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x1c, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'MinSize' : [ 0x4, ['unsigned short']], 'MinVersion' : [ 0x6, ['unsigned short']], 'MaxVersion' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['long']], 'Signature' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 
1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x14, ['pointer', ['void']]], 'Initializer' : [ 0x18, ['pointer', ['void']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MMVAD' : [ 0x28, { 'StartingVpn' : [ 0x0, ['unsigned long']], 'EndingVpn' : [ 0x4, ['unsigned long']], 'Parent' : [ 0x8, ['pointer', ['_MMVAD']]], 'LeftChild' : [ 0xc, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer', ['_MMVAD']]], 'u' : [ 0x14, ['__unnamed_144c']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_144f']], } ], '__unnamed_16fb' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x8, ['_LARGE_INTEGER']], 'u' : [ 0x10, ['__unnamed_16fb']], 'Irp' : [ 0x18, ['pointer', ['_IRP']]], 'LastPageToWrite' : [ 0x1c, ['unsigned long']], 'PagingListHead' : [ 0x20, ['pointer', ['_MMMOD_WRITER_LISTHEAD']]], 'CurrentList' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x28, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x2c, 
['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x30, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x34, ['pointer', ['_ERESOURCE']]], 'Mdl' : [ 0x38, ['_MDL']], 'Page' : [ 0x54, ['array', 1, ['unsigned long']]], } ], '_POP_POWER_ACTION' : [ 0x40, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x24, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x28, ['pointer', ['_POP_HIBER_CONTEXT']]], 'LastWakeState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x30, ['unsigned long long']], 'SleepTime' : [ 0x38, ['unsigned long long']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x18, { 'StartingVpn' : [ 0x0, ['unsigned long']], 'EndingVpn' : [ 0x4, ['unsigned long']], 'Parent' : [ 0x8, ['pointer', ['_MMVAD']]], 'LeftChild' : [ 0xc, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer', ['_MMVAD']]], 'u' : [ 0x14, ['__unnamed_144c']], } ], '__unnamed_1717' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1717']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 
0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_FAST_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x28, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 
'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x9c, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0xc, ['long']], 'Allocation' : [ 0x10, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x18, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x20, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x28, ['long']], 'Interface' : [ 0x2c, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x30, ['unsigned long']], 'AllocationStack' : [ 0x34, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x38, ['pointer', ['void']]], 'PackResource' : [ 0x3c, ['pointer', ['void']]], 'UnpackResource' : [ 0x40, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x44, ['pointer', ['void']]], 'TestAllocation' : [ 0x48, ['pointer', ['void']]], 'RetestAllocation' : [ 0x4c, ['pointer', ['void']]], 'CommitAllocation' : [ 0x50, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x54, ['pointer', ['void']]], 'BootAllocation' : [ 0x58, 
['pointer', ['void']]], 'QueryArbitrate' : [ 0x5c, ['pointer', ['void']]], 'QueryConflict' : [ 0x60, ['pointer', ['void']]], 'AddReserved' : [ 0x64, ['pointer', ['void']]], 'StartArbiter' : [ 0x68, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x6c, ['pointer', ['void']]], 'AllocateEntry' : [ 0x70, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x74, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x78, ['pointer', ['void']]], 'AddAllocation' : [ 0x7c, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x80, ['pointer', ['void']]], 'OverrideConflict' : [ 0x84, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x88, ['unsigned char']], 'Extension' : [ 0x8c, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x90, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x94, ['pointer', ['void']]], 'ConflictCallback' : [ 0x98, ['pointer', ['void']]], } ], '_BUS_HANDLER' : [ 0x6c, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x14, ['pointer', ['_BUS_HANDLER']]], 'BusData' : [ 0x18, ['pointer', ['void']]], 'DeviceControlExtensionSize' : [ 0x1c, ['unsigned 
long']], 'BusAddresses' : [ 0x20, ['pointer', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x24, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x34, ['pointer', ['void']]], 'SetBusData' : [ 0x38, ['pointer', ['void']]], 'AdjustResourceList' : [ 0x3c, ['pointer', ['void']]], 'AssignSlotResources' : [ 0x40, ['pointer', ['void']]], 'GetInterruptVector' : [ 0x44, ['pointer', ['void']]], 'TranslateBusAddress' : [ 0x48, ['pointer', ['void']]], 'Spare1' : [ 0x4c, ['pointer', ['void']]], 'Spare2' : [ 0x50, ['pointer', ['void']]], 'Spare3' : [ 0x54, ['pointer', ['void']]], 'Spare4' : [ 0x58, ['pointer', ['void']]], 'Spare5' : [ 0x5c, ['pointer', ['void']]], 'Spare6' : [ 0x60, ['pointer', ['void']]], 'Spare7' : [ 0x64, ['pointer', ['void']]], 'Spare8' : [ 0x68, ['pointer', ['void']]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x8, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'DispatchFunction' : [ 0x4, ['pointer', ['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x620, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x18, ['unsigned long']], 'Thread' : [ 0x1c, ['pointer', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x20, ['unsigned char']], 'Order' : [ 0x24, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x26c, ['long']], 'FailedDevice' : [ 0x270, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x274, ['unsigned char']], 'Cancelled' : [ 0x275, ['unsigned char']], 'IgnoreErrors' : [ 0x276, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x277, ['unsigned char']], 'WaitAny' : [ 0x278, ['unsigned char']], 'WaitAll' : [ 0x279, ['unsigned char']], 'PresentIrpQueue' : [ 
0x27c, ['_LIST_ENTRY']], 'Head' : [ 0x284, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x2b0, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x14, { 'Flags' : [ 0x0, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x4, ['unsigned long']], 'ActiveFrame' : [ 0x8, ['pointer', ['void']]], 'FrameListCache' : [ 0xc, ['_LIST_ENTRY']], } ], '__unnamed_179d' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'ReadStatus' : [ 0x0, ['long']], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_179f' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_17a2' : [ 0x4, { 'ShortFlags' : [ 0x0, ['unsigned short']], 'ReferenceCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_17a4' : [ 0x4, { 'e1' : [ 0x0, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_17a2']], } ], '__unnamed_17aa' : [ 0x4, { 'EntireFrame' : [ 0x0, ['unsigned long']], 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 26, native_type='unsigned long')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 
'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'LockCharged' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'KernelStack' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_179d']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'u2' : [ 0x8, ['__unnamed_179f']], 'u3' : [ 0xc, ['__unnamed_17a4']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'u4' : [ 0x14, ['__unnamed_17aa']], } ], '_MMWSLE_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['unsigned short']]], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 
'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x40, { 'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'DeviceWakeLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemStateMapping' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x2c, ['pointer', ['_IRP']]], 'SavedCancelRoutine' : [ 0x30, ['pointer', ['void']]], 'Paging' : [ 0x34, ['long']], 'Hibernate' : [ 0x38, ['long']], 'CrashDump' : [ 0x3c, ['long']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '__unnamed_17ce' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_17d2' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_17d6' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_17d8' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_17dd' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 
0x4, ['pointer', ['_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_17df' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_17e1' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 
'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], } ], '__unnamed_17e3' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 
28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_17e5' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_17e7' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_17eb' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_17ed' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_17ef' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_17f1' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, 
['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_17f3' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_17f5' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_17f7' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_17fb' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_17ff' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1803' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_1805' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1809' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_180b' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_180d' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_180f' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1813' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 
'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1817' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_181b' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_181d' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1821' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1825' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1827' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1829' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_182b' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', 
['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_182d' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_17ce']], 'CreatePipe' : [ 0x0, ['__unnamed_17d2']], 'CreateMailslot' : [ 0x0, ['__unnamed_17d6']], 'Read' : [ 0x0, ['__unnamed_17d8']], 'Write' : [ 0x0, ['__unnamed_17d8']], 'QueryDirectory' : [ 0x0, ['__unnamed_17dd']], 'NotifyDirectory' : [ 0x0, ['__unnamed_17df']], 'QueryFile' : [ 0x0, ['__unnamed_17e1']], 'SetFile' : [ 0x0, ['__unnamed_17e3']], 'QueryEa' : [ 0x0, ['__unnamed_17e5']], 'SetEa' : [ 0x0, ['__unnamed_17e7']], 'QueryVolume' : [ 0x0, ['__unnamed_17eb']], 'SetVolume' : [ 0x0, ['__unnamed_17eb']], 'FileSystemControl' : [ 0x0, ['__unnamed_17ed']], 'LockControl' : [ 0x0, ['__unnamed_17ef']], 'DeviceIoControl' : [ 0x0, ['__unnamed_17f1']], 'QuerySecurity' : [ 0x0, ['__unnamed_17f3']], 'SetSecurity' : [ 0x0, ['__unnamed_17f5']], 'MountVolume' : [ 0x0, ['__unnamed_17f7']], 'VerifyVolume' : [ 0x0, ['__unnamed_17f7']], 'Scsi' : [ 0x0, ['__unnamed_17fb']], 'QueryQuota' : [ 0x0, ['__unnamed_17ff']], 'SetQuota' : [ 0x0, ['__unnamed_17e7']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1803']], 'QueryInterface' : [ 0x0, ['__unnamed_1805']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1809']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_180b']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_180d']], 'SetLock' : [ 0x0, ['__unnamed_180f']], 'QueryId' : [ 0x0, ['__unnamed_1813']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1817']], 'UsageNotification' : [ 0x0, ['__unnamed_181b']], 'WaitWake' : [ 0x0, ['__unnamed_181d']], 'PowerSequence' : [ 0x0, ['__unnamed_1821']], 'Power' : [ 0x0, ['__unnamed_1825']], 'StartDevice' : [ 0x0, ['__unnamed_1827']], 'WMI' : [ 0x0, ['__unnamed_1829']], 'Others' : [ 0x0, ['__unnamed_182b']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned 
char']], 'Parameters' : [ 0x4, ['__unnamed_182d']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1834' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1836' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], } ], '__unnamed_1838' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_183a' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_183c' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_183e' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1834']], 'Memory' : [ 0x0, ['__unnamed_1834']], 'Interrupt' : [ 0x0, ['__unnamed_1836']], 'Dma' : [ 0x0, ['__unnamed_1838']], 'Generic' : [ 0x0, ['__unnamed_1834']], 'DevicePrivate' : [ 0x0, ['__unnamed_1512']], 'BusNumber' : [ 0x0, ['__unnamed_183a']], 'ConfigData' : [ 0x0, ['__unnamed_183c']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_183e']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'ListIndex' : [ 0x0, ['unsigned long']], 'Verifier' : [ 0x4, ['pointer', 
['_MI_VERIFIER_DRIVER_ENTRY']]], } ], '_CM_KEY_BODY' : [ 0x44, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'Callers' : [ 0x10, ['unsigned long']], 'CallerAddress' : [ 0x14, ['array', 10, ['pointer', ['void']]]], 'KeyBodyList' : [ 0x3c, ['_LIST_ENTRY']], } ], '__unnamed_184f' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1851' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_184f']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1853' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1855' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1853']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1851']], 'u2' : [ 0x4, ['__unnamed_1855']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, 
['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0xdc, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_RTL_BITMAP']]], 'FreeSummary' : [ 0xd0, ['unsigned long']], 'FreeBins' : [ 0xd4, ['_LIST_ENTRY']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0xe0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0xc, ['unsigned long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x14, ['_RTL_BITMAP']], 
'ClonedRanges' : [ 0x1c, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x24, ['unsigned long']], 'NextCloneRange' : [ 0x28, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x2c, ['unsigned long']], 'LoaderMdl' : [ 0x30, ['pointer', ['_MDL']]], 'Clones' : [ 0x34, ['pointer', ['_MDL']]], 'NextClone' : [ 0x38, ['pointer', ['unsigned char']]], 'NoClones' : [ 0x3c, ['unsigned long']], 'Spares' : [ 0x40, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x48, ['unsigned long long']], 'IoPage' : [ 0x50, ['pointer', ['void']]], 'CurrentMcb' : [ 0x54, ['pointer', ['void']]], 'DumpStack' : [ 0x58, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x5c, ['pointer', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0x60, ['unsigned long']], 'HiberVa' : [ 0x64, ['unsigned long']], 'HiberPte' : [ 0x68, ['_LARGE_INTEGER']], 'Status' : [ 0x70, ['long']], 'MemoryImage' : [ 0x74, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x78, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x7c, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x80, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x84, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x88, ['pointer', ['void']]], 'DmaIO' : [ 0x8c, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x90, ['pointer', ['void']]], 'PerfInfo' : [ 0x98, ['_PO_HIBER_PERF']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x8, { 'StartVpn' : [ 0x0, ['unsigned long']], 'EndVpn' : [ 0x4, ['unsigned long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, 
['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x14, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x4, ['unsigned long']], 'Parameter2' : [ 0x8, ['unsigned long']], 'Parameter3' : [ 0xc, ['unsigned long']], 'Parameter4' : [ 0x10, ['unsigned long']], } ], '__unnamed_1894' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1896' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_1894']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1896']], } ], '_Wx86ThreadState' : [ 
0xc, { 'CallBx86Eip' : [ 0x0, ['pointer', ['unsigned long']]], 'DeallocationCpu' : [ 0x4, ['pointer', ['void']]], 'UseKnownWx86Dll' : [ 0x8, ['unsigned char']], 'OleStubInvoked' : [ 0x9, ['unsigned char']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_SUPPORTED_RANGES' : [ 0xa0, { 'Version' : [ 0x0, ['unsigned short']], 'Sorted' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x28, ['unsigned long']], 'Memory' : [ 0x30, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x50, ['unsigned long']], 'PrefetchMemory' : [ 0x58, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x78, ['unsigned long']], 'Dma' : [ 0x80, ['_SUPPORTED_RANGE']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : 
[ 0x10, ['unsigned long']], } ], '_PM_SUPPORT' : [ 0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_18be' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_18c0' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_18c4' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_18c6' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_18c8' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_18ca' : [ 0x10, { 'TestAllocation' : [ 0x0, ['__unnamed_18be']], 'RetestAllocation' : [ 0x0, ['__unnamed_18be']], 'BootAllocation' : [ 0x0, ['__unnamed_18c0']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_18c4']], 'QueryConflict' : [ 0x0, ['__unnamed_18c6']], 'QueryArbitrate' : [ 0x0, ['__unnamed_18c0']], 'AddReserved' : [ 0x0, 
['__unnamed_18c8']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_18ca']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x4, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned long')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned long')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'LockCharged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned 
long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'Reserved' : [ 0x28, ['unsigned long']], 'VerifierPoolLock' : [ 0x2c, ['unsigned long']], 'PoolHash' : [ 0x30, ['pointer', ['_VI_POOL_ENTRY']]], 'PoolHashSize' : [ 0x34, ['unsigned long']], 'PoolHashFree' : [ 0x38, ['unsigned long']], 'PoolHashReserved' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], 'PO_MEMORY_IMAGE' : [ 0xa8, { 
'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'ImageType' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x3c, ['unsigned long']], 'HiberPte' : [ 0x40, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'TotalPages' : [ 0x54, ['unsigned long']], 'FirstTablePage' : [ 0x58, ['unsigned long']], 'LastFilePage' : [ 0x5c, ['unsigned long']], 'PerfInfo' : [ 0x60, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Spare' : [ 0x18, ['array', 2, ['unsigned long']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '__unnamed_18fe' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_1900' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1902' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1904' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1906' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1908' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_190a' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 
'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_190c' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_190e' : [ 0x14, { 'DeviceClass' : [ 0x0, ['__unnamed_18fe']], 'TargetDevice' : [ 0x0, ['__unnamed_1900']], 'InstallDevice' : [ 0x0, ['__unnamed_1902']], 'CustomNotification' : [ 0x0, ['__unnamed_1904']], 'ProfileNotification' : [ 0x0, ['__unnamed_1906']], 'PowerNotification' : [ 0x0, ['__unnamed_1908']], 'VetoNotification' : [ 0x0, ['__unnamed_190a']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_190c']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x38, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_190e']], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '__unnamed_1914' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '__unnamed_1916' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned 
long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['__unnamed_1914']], 'Link' : [ 0x0, ['__unnamed_1916']], } ], '__unnamed_1928' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_192a' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_192c' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_1928']], 'Gpt' : [ 0x0, ['__unnamed_192a']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_192c']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, ['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 
'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x248, { 'DevNodeSequence' : [ 0x0, ['unsigned long']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_MAP' : [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : [ 0x10, ['array', 32, ['unsigned char']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 
'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x10, ['unsigned long']], 'ActiveCount' : [ 0x14, ['unsigned long']], 'WaitSleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x20, ['_LIST_ENTRY']], 'Pending' : [ 0x28, ['_LIST_ENTRY']], 'Complete' : [ 0x30, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x38, ['_LIST_ENTRY']], 'WaitS0' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_1961' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], '_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' : [ 0xc, ['array', 4, ['__unnamed_1961']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, 
native_type='unsigned long')]], 'PolicyChange' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x8, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'FreeListNext' : [ 0x0, ['unsigned long']], } ], '_POP_DEVICE_POWER_IRP' : [ 0x2c, { 'Free' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x4, ['pointer', ['_IRP']]], 'Notify' : [ 0x8, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0xc, ['_LIST_ENTRY']], 'Complete' : [ 0x14, ['_LIST_ENTRY']], 'Abort' : [ 0x1c, ['_LIST_ENTRY']], 'Failed' : [ 0x24, ['_LIST_ENTRY']], } 
], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 'PrefetchBaseUpper32' : [ 0x18, ['unsigned long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', 
['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_SUPPORTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x4, ['unsigned long']], 'SystemBase' : [ 0x8, ['long long']], 'Base' : [ 0x10, ['long long']], 'Limit' : [ 0x18, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, 
['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['unsigned long']], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', 
['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x30, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x24, ['array', 3, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_19ab' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_19ad' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_19b1' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_19b3' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 
'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_19ab']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_19ad']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_19b1']], 'Others' : [ 0x0, ['__unnamed_19b3']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/vista.py0000644000000000000000000002660613131215405026066 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # Copyright (c) 2008 Brendan Dolan-Gavitt # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. 
# If not, see .
#

"""
@author:       The Volatility Foundation
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.net

This file provides support for Windows Vista.
"""

#pylint: disable-msg=C0111

import windows
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.obj as obj


def _magic_overlay(members):
    """Wrap a dict of member definitions in a VOLATILITY_MAGIC overlay."""
    return {'VOLATILITY_MAGIC': [None, members]}


def _hiber_overlay(proc_page, entry_count):
    """Build the overlay that carries the two hibernation-file constants."""
    return _magic_overlay({
        'HibrProcPage': [None, ['VolatilityMagic', dict(value = proc_page)]],
        'HibrEntryCount': [None, ['VolatilityMagic', dict(value = entry_count)]],
    })


class _ETHREAD(windows._ETHREAD):
    """ETHREAD object class installed by VistaObjectClasses.

    VistaObjectClasses matches every Windows profile with major >= 6, so
    this class is not limited to a single Windows release.
    """

    def owning_process(self):
        """Return the _EPROCESS reached through Tcb.Process."""
        process_pointer = self.Tcb.Process
        return process_pointer.dereference_as("_EPROCESS")


class _POOL_HEADER(windows._POOL_HEADER):
    """Pool header whose paged/non-paged state is derived from PoolType parity."""

    @property
    def NonPagedPool(self):
        # Non-paged: PoolType is even and strictly positive.
        pool_type = self.PoolType.v()
        return pool_type % 2 == 0 and pool_type > 0

    @property
    def PagedPool(self):
        # Paged: PoolType is odd.
        pool_type = self.PoolType.v()
        return pool_type % 2 == 1


class _TOKEN(windows._TOKEN):
    def privileges(self):
        """Yield the state of each of the 64 privilege bits of this token.

        For every bit index 0..63 the same bit is tested in
        Privileges.Present, Privileges.Enabled and
        Privileges.EnabledByDefault.

        @yields a tuple (value, present, enabled, default), where value
        is the bit index.
        """
        # Triage note: the three bitmaps are reported exactly as found in
        # the memory image and are not cross-checked against each other
        # here. Interpreting combinations (for instance a bit that is
        # enabled but not enabled by default, which usually means it was
        # switched on after the token was created) is left to the caller.
        for index in range(64):
            mask = 1 << index
            privs = self.Privileges
            is_present = (privs.Present & mask) != 0
            is_enabled = (privs.Enabled & mask) != 0
            is_default = (privs.EnabledByDefault & mask) != 0
            yield index, is_present, is_enabled, is_default


class VistaWin7KPCR(obj.ProfileModification):
    # Adds the KPCR magic value (VolatilityKPCR, configname "KPCR") to every
    # Windows profile whose major version is 6.
    before = ['WindowsOverlay']
    conditions = {
        'os' : lambda x: x == 'windows',
        'major': lambda x: x == 6,
    }

    def modification(self, profile):
        profile.merge_overlay(_magic_overlay({
            'KPCR' : [None, ['VolatilityKPCR', dict(configname = "KPCR")]],
        }))


class Vistax86DTB(obj.ProfileModification):
    # DTBSignature for Windows 6.0, 32-bit.
    # NOTE(review): presumably the byte pattern matched when searching for
    # the directory table base; confirm against the code that reads
    # VOLATILITY_MAGIC.DTBSignature.
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x: x == 'windows',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'memory_model': lambda x: x == '32bit',
    }

    def modification(self, profile):
        profile.merge_overlay(_magic_overlay({
            'DTBSignature' : [None, ['VolatilityMagic', dict(value = "\x03\x00\x20\x00")]],
        }))


class Vistax64DTB(obj.ProfileModification):
    # DTBSignature for Windows 6.0, 64-bit; differs from the 32-bit value in
    # the third byte only.
    before = ['WindowsOverlay', 'Windows64Overlay']
    conditions = {
        'os': lambda x: x == 'windows',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'memory_model': lambda x: x == '64bit',
    }

    def modification(self, profile):
        profile.merge_overlay(_magic_overlay({
            'DTBSignature' : [None, ['VolatilityMagic', dict(value = "\x03\x00\x30\x00")]],
        }))


class VistaObjectClasses(obj.ProfileModification):
    # Installs the object classes defined above. The condition is
    # major >= 6, so later Windows profiles receive them as well.
    before = ['WindowsOverlay', 'WindowsObjectClasses']
    conditions = {
        'os': lambda x: x == 'windows',
        'major': lambda x: x >= 6,
    }

    def modification(self, profile):
        replacements = {
            '_ETHREAD' : _ETHREAD,
            '_POOL_HEADER': _POOL_HEADER,
            '_TOKEN': _TOKEN,
        }
        profile.object_classes.update(replacements)


class VistaKDBG(windows.AbstractKDBGMod):
    # kdbgsize for Windows 6.0; the value is consumed by
    # windows.AbstractKDBGMod, which is defined elsewhere.
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x : x == 'windows',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
    }
    kdbgsize = 0x328


class VistaSP1KDBG(windows.AbstractKDBGMod):
    # kdbgsize for Windows 6.0 builds 6001 and above; declares an ordering
    # constraint against VistaKDBG through `before`.
    before = ['WindowsOverlay', 'VistaKDBG']
    conditions = {
        'os': lambda x: x == 'windows',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'build': lambda x: x >= 6001,
    }
    kdbgsize = 0x330


class VistaPolicyKey(obj.ProfileModification):
    # Sets the PolicyKey magic value to "PolEKList" on Windows major 6.
    # NOTE(review): presumably the policy key name looked up by the
    # credential-related plugins; confirm against the consumer.
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x : x == 'windows',
        'major': lambda x: x == 6,
    }

    def modification(self, profile):
        profile.merge_overlay(_magic_overlay({
            'PolicyKey': [0x0, ['VolatilityMagic', dict(value = "PolEKList")]],
        }))


# Hibernation-file constants: one modification per service pack and memory
# model, each selected by an exact build number.

class VistaSP0x86Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '32bit',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'build': lambda x: x == 6000,
    }

    def modification(self, profile):
        profile.merge_overlay(_hiber_overlay(0x4, 0xff))


class VistaSP1x86Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '32bit',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'build': lambda x: x == 6001,
    }

    def modification(self, profile):
        profile.merge_overlay(_hiber_overlay(0x1, 0xff))


class VistaSP2x86Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '32bit',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'build': lambda x: x == 6002,
    }

    def modification(self, profile):
        profile.merge_overlay(_hiber_overlay(0x1, 0x1fe))


class VistaSP0x64Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '64bit',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'build': lambda x: x == 6000,
    }

    def modification(self, profile):
        profile.merge_overlay(_hiber_overlay(0x4, 0x7f))


class VistaSP1x64Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '64bit',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'build': lambda x: x == 6001,
    }

    def modification(self, profile):
        profile.merge_overlay(_hiber_overlay(0x1, 0x7f))


class VistaSP2x64Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '64bit',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'build': lambda x: x == 6002,
    }

    def modification(self, profile):
        profile.merge_overlay(_hiber_overlay(0x1, 0xfe))


# Profiles. The _md_* attributes are the metadata that the `conditions`
# lambdas above are matched against (os, major, minor, build, memory_model).

class VistaSP0x86(obj.Profile):
    """ A Profile for Windows Vista SP0 x86 """
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 0
    _md_build = 6000
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp0_x86_vtypes'
    _md_product = ["NtProductWinNt"]


class VistaSP0x64(obj.Profile):
    """ A Profile for Windows Vista SP0 x64 """
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 0
    _md_build = 6000
    _md_memory_model = '64bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp0_x64_vtypes'
    _md_product = ["NtProductWinNt"]


class VistaSP1x86(obj.Profile):
    """ A Profile for Windows Vista SP1 x86 """
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 0
    _md_build = 6001
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp1_x86_vtypes'
    _md_product = ["NtProductWinNt"]


class VistaSP1x64(obj.Profile):
    """ A Profile for Windows Vista SP1 x64 """
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 0
    _md_build = 6001
    _md_memory_model = '64bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp1_x64_vtypes'
    _md_product = ["NtProductWinNt"]


class VistaSP2x86(obj.Profile):
    """ A Profile for Windows Vista SP2 x86 """
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 0
    _md_build = 6002
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp2_x86_vtypes'
    _md_product = ["NtProductWinNt"]


class VistaSP2x64(obj.Profile):
    """ A Profile for Windows Vista SP2 x64 """
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 0
    _md_build = 6002
    _md_memory_model = '64bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp2_x64_vtypes'
    _md_product = ["NtProductWinNt"]


# Windows 2008 profiles inherit everything from the matching Vista profile
# and override only the product list.

class Win2008SP1x64(VistaSP1x64):
    """ A Profile for Windows 2008 SP1 x64 """
    _md_product = ["NtProductLanManNt", "NtProductServer"]


class Win2008SP2x64(VistaSP2x64):
    """ A Profile for Windows 2008 SP2 x64 """
    _md_product = ["NtProductLanManNt", "NtProductServer"]


class Win2008SP1x86(VistaSP1x86):
    """ A Profile for Windows 2008 SP1 x86 """
    _md_product = ["NtProductLanManNt", "NtProductServer"]


class Win2008SP2x86(VistaSP2x86):
    """ A Profile for Windows 2008 SP2 x86 """
    _md_product = ["NtProductLanManNt", "NtProductServer"]


# volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/vista_sp0_x64_syscalls.py0000644000000000000000000012521013131215405031255 0ustar rootroot
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
# """ @author: MHL @license: GNU General Public License 2.0 @contact: michael.ligh@mnin.org This file provides support for Vista SP0 x64 """ syscalls = [ [ 'NtMapUserPhysicalPagesScatter', # 0x0 'NtWaitForSingleObject', # 0x1 'NtCallbackReturn', # 0x2 'NtReadFile', # 0x3 'NtDeviceIoControlFile', # 0x4 'NtWriteFile', # 0x5 'NtRemoveIoCompletion', # 0x6 'NtReleaseSemaphore', # 0x7 'NtReplyWaitReceivePort', # 0x8 'NtReplyPort', # 0x9 'NtSetInformationThread', # 0xa 'NtSetEvent', # 0xb 'NtClose', # 0xc 'NtQueryObject', # 0xd 'NtQueryInformationFile', # 0xe 'NtOpenKey', # 0xf 'NtEnumerateValueKey', # 0x10 'NtFindAtom', # 0x11 'NtQueryDefaultLocale', # 0x12 'NtQueryKey', # 0x13 'NtQueryValueKey', # 0x14 'NtAllocateVirtualMemory', # 0x15 'NtQueryInformationProcess', # 0x16 'NtWaitForMultipleObjects32', # 0x17 'NtWriteFileGather', # 0x18 'NtSetInformationProcess', # 0x19 'NtCreateKey', # 0x1a 'NtFreeVirtualMemory', # 0x1b 'NtImpersonateClientOfPort', # 0x1c 'NtReleaseMutant', # 0x1d 'NtQueryInformationToken', # 0x1e 'NtRequestWaitReplyPort', # 0x1f 'NtQueryVirtualMemory', # 0x20 'NtOpenThreadToken', # 0x21 'NtQueryInformationThread', # 0x22 'NtOpenProcess', # 0x23 'NtSetInformationFile', # 0x24 'NtMapViewOfSection', # 0x25 'NtAccessCheckAndAuditAlarm', # 0x26 'NtUnmapViewOfSection', # 0x27 'NtReplyWaitReceivePortEx', # 0x28 'NtTerminateProcess', # 0x29 'NtSetEventBoostPriority', # 0x2a 'NtReadFileScatter', # 0x2b 'NtOpenThreadTokenEx', # 0x2c 'NtOpenProcessTokenEx', # 0x2d 'NtQueryPerformanceCounter', # 0x2e 'NtEnumerateKey', # 0x2f 'NtOpenFile', # 0x30 'NtDelayExecution', # 0x31 'NtQueryDirectoryFile', # 0x32 'NtQuerySystemInformation', # 0x33 'NtOpenSection', # 0x34 'NtQueryTimer', # 0x35 'NtFsControlFile', # 0x36 'NtWriteVirtualMemory', # 0x37 'NtCloseObjectAuditAlarm', # 0x38 'NtDuplicateObject', # 0x39 'NtQueryAttributesFile', # 0x3a 'NtClearEvent', # 0x3b 'NtReadVirtualMemory', # 0x3c 'NtOpenEvent', # 0x3d 'NtAdjustPrivilegesToken', # 0x3e 'NtDuplicateToken', # 0x3f 
'NtContinue', # 0x40 'NtQueryDefaultUILanguage', # 0x41 'NtQueueApcThread', # 0x42 'NtYieldExecution', # 0x43 'NtAddAtom', # 0x44 'NtCreateEvent', # 0x45 'NtQueryVolumeInformationFile', # 0x46 'NtCreateSection', # 0x47 'NtFlushBuffersFile', # 0x48 'NtApphelpCacheControl', # 0x49 'NtCreateProcessEx', # 0x4a 'NtCreateThread', # 0x4b 'NtIsProcessInJob', # 0x4c 'NtProtectVirtualMemory', # 0x4d 'NtQuerySection', # 0x4e 'NtResumeThread', # 0x4f 'NtTerminateThread', # 0x50 'NtReadRequestData', # 0x51 'NtCreateFile', # 0x52 'NtQueryEvent', # 0x53 'NtWriteRequestData', # 0x54 'NtOpenDirectoryObject', # 0x55 'NtAccessCheckByTypeAndAuditAlarm', # 0x56 'NtQuerySystemTime', # 0x57 'NtWaitForMultipleObjects', # 0x58 'NtSetInformationObject', # 0x59 'NtCancelIoFile', # 0x5a 'NtTraceEvent', # 0x5b 'NtPowerInformation', # 0x5c 'NtSetValueKey', # 0x5d 'NtCancelTimer', # 0x5e 'NtSetTimer', # 0x5f 'NtAcceptConnectPort', # 0x60 'NtAccessCheck', # 0x61 'NtAccessCheckByType', # 0x62 'NtAccessCheckByTypeResultList', # 0x63 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x64 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x65 'NtAcquireCMFViewOwnership', # 0x66 'NtAddBootEntry', # 0x67 'NtAddDriverEntry', # 0x68 'NtAdjustGroupsToken', # 0x69 'NtAlertResumeThread', # 0x6a 'NtAlertThread', # 0x6b 'NtAllocateLocallyUniqueId', # 0x6c 'NtAllocateUserPhysicalPages', # 0x6d 'NtAllocateUuids', # 0x6e 'NtAlpcAcceptConnectPort', # 0x6f 'NtAlpcCancelMessage', # 0x70 'NtAlpcConnectPort', # 0x71 'NtAlpcCreatePort', # 0x72 'NtAlpcCreatePortSection', # 0x73 'NtAlpcCreateResourceReserve', # 0x74 'NtAlpcCreateSectionView', # 0x75 'NtAlpcCreateSecurityContext', # 0x76 'NtAlpcDeletePortSection', # 0x77 'NtAlpcDeleteResourceReserve', # 0x78 'NtAlpcDeleteSectionView', # 0x79 'NtAlpcDeleteSecurityContext', # 0x7a 'NtAlpcDisconnectPort', # 0x7b 'NtAlpcImpersonateClientOfPort', # 0x7c 'NtAlpcOpenSenderProcess', # 0x7d 'NtAlpcOpenSenderThread', # 0x7e 'NtAlpcQueryInformation', # 0x7f 
'NtAlpcQueryInformationMessage', # 0x80 'NtAlpcRevokeSecurityContext', # 0x81 'NtAlpcSendWaitReceivePort', # 0x82 'NtAlpcSetInformation', # 0x83 'NtAreMappedFilesTheSame', # 0x84 'NtAssignProcessToJobObject', # 0x85 'NtCancelDeviceWakeupRequest', # 0x86 'NtCancelIoFileEx', # 0x87 'NtCancelSynchronousIoFile', # 0x88 'NtClearAllSavepointsTransaction', # 0x89 'NtClearSavepointTransaction', # 0x8a 'NtCommitComplete', # 0x8b 'NtCommitEnlistment', # 0x8c 'NtCommitTransaction', # 0x8d 'NtCompactKeys', # 0x8e 'NtCompareTokens', # 0x8f 'NtCompleteConnectPort', # 0x90 'NtCompressKey', # 0x91 'NtConnectPort', # 0x92 'NtCreateDebugObject', # 0x93 'NtCreateDirectoryObject', # 0x94 'NtCreateEnlistment', # 0x95 'NtCreateEventPair', # 0x96 'NtCreateIoCompletion', # 0x97 'NtCreateJobObject', # 0x98 'NtCreateJobSet', # 0x99 'NtCreateKeyTransacted', # 0x9a 'NtCreateKeyedEvent', # 0x9b 'NtCreateMailslotFile', # 0x9c 'NtCreateMutant', # 0x9d 'NtCreateNamedPipeFile', # 0x9e 'NtCreatePagingFile', # 0x9f 'NtCreatePort', # 0xa0 'NtCreatePrivateNamespace', # 0xa1 'NtCreateProcess', # 0xa2 'NtCreateProfile', # 0xa3 'NtCreateResourceManager', # 0xa4 'NtCreateSemaphore', # 0xa5 'NtCreateSymbolicLinkObject', # 0xa6 'NtCreateThreadEx', # 0xa7 'NtCreateTimer', # 0xa8 'NtCreateToken', # 0xa9 'NtCreateTransaction', # 0xaa 'NtCreateTransactionManager', # 0xab 'NtCreateUserProcess', # 0xac 'NtCreateWaitablePort', # 0xad 'NtCreateWorkerFactory', # 0xae 'NtDebugActiveProcess', # 0xaf 'NtDebugContinue', # 0xb0 'NtDeleteAtom', # 0xb1 'NtDeleteBootEntry', # 0xb2 'NtDeleteDriverEntry', # 0xb3 'NtDeleteFile', # 0xb4 'NtDeleteKey', # 0xb5 'NtDeleteObjectAuditAlarm', # 0xb6 'NtDeletePrivateNamespace', # 0xb7 'NtDeleteValueKey', # 0xb8 'NtDisplayString', # 0xb9 'NtEnumerateBootEntries', # 0xba 'NtEnumerateDriverEntries', # 0xbb 'NtEnumerateSystemEnvironmentValuesEx', # 0xbc 'NtEnumerateTransactionObject', # 0xbd 'NtExtendSection', # 0xbe 'NtFilterToken', # 0xbf 'NtFlushInstallUILanguage', # 0xc0 
'NtFlushInstructionCache', # 0xc1 'NtFlushKey', # 0xc2 'NtFlushProcessWriteBuffers', # 0xc3 'NtFlushVirtualMemory', # 0xc4 'NtFlushWriteBuffer', # 0xc5 'NtFreeUserPhysicalPages', # 0xc6 'NtFreezeRegistry', # 0xc7 'NtFreezeTransactions', # 0xc8 'NtGetContextThread', # 0xc9 'NtGetCurrentProcessorNumber', # 0xca 'NtGetDevicePowerState', # 0xcb 'NtGetMUIRegistryInfo', # 0xcc 'NtGetNextProcess', # 0xcd 'NtGetNextThread', # 0xce 'NtGetNlsSectionPtr', # 0xcf 'NtGetNotificationResourceManager', # 0xd0 'NtGetPlugPlayEvent', # 0xd1 'NtGetWriteWatch', # 0xd2 'NtImpersonateAnonymousToken', # 0xd3 'NtImpersonateThread', # 0xd4 'NtInitializeNlsFiles', # 0xd5 'NtInitializeRegistry', # 0xd6 'NtInitiatePowerAction', # 0xd7 'NtIsSystemResumeAutomatic', # 0xd8 'NtIsUILanguageComitted', # 0xd9 'NtListTransactions', # 0xda 'NtListenPort', # 0xdb 'NtLoadDriver', # 0xdc 'NtLoadKey', # 0xdd 'NtLoadKey2', # 0xde 'NtLoadKeyEx', # 0xdf 'NtLockFile', # 0xe0 'NtLockProductActivationKeys', # 0xe1 'NtLockRegistryKey', # 0xe2 'NtLockVirtualMemory', # 0xe3 'NtMakePermanentObject', # 0xe4 'NtMakeTemporaryObject', # 0xe5 'NtMapCMFModule', # 0xe6 'NtMapUserPhysicalPages', # 0xe7 'NtMarshallTransaction', # 0xe8 'NtModifyBootEntry', # 0xe9 'NtModifyDriverEntry', # 0xea 'NtNotifyChangeDirectoryFile', # 0xeb 'NtNotifyChangeKey', # 0xec 'NtNotifyChangeMultipleKeys', # 0xed 'NtOpenEnlistment', # 0xee 'NtOpenEventPair', # 0xef 'NtOpenIoCompletion', # 0xf0 'NtOpenJobObject', # 0xf1 'NtOpenKeyTransacted', # 0xf2 'NtOpenKeyedEvent', # 0xf3 'NtOpenMutant', # 0xf4 'NtOpenObjectAuditAlarm', # 0xf5 'NtOpenPrivateNamespace', # 0xf6 'NtOpenProcessToken', # 0xf7 'NtOpenResourceManager', # 0xf8 'NtOpenSemaphore', # 0xf9 'NtOpenSession', # 0xfa 'NtOpenSymbolicLinkObject', # 0xfb 'NtOpenThread', # 0xfc 'NtOpenTimer', # 0xfd 'NtOpenTransaction', # 0xfe 'NtOpenTransactionManager', # 0xff 'NtPlugPlayControl', # 0x100 'NtPrePrepareComplete', # 0x101 'NtPrePrepareEnlistment', # 0x102 'NtPrepareComplete', # 0x103 
'NtPrepareEnlistment', # 0x104 'NtPrivilegeCheck', # 0x105 'NtPrivilegeObjectAuditAlarm', # 0x106 'NtPrivilegedServiceAuditAlarm', # 0x107 'NtPropagationComplete', # 0x108 'NtPropagationFailed', # 0x109 'NtPullTransaction', # 0x10a 'NtPulseEvent', # 0x10b 'NtQueryBootEntryOrder', # 0x10c 'NtQueryBootOptions', # 0x10d 'NtQueryDebugFilterState', # 0x10e 'NtQueryDirectoryObject', # 0x10f 'NtQueryDriverEntryOrder', # 0x110 'NtQueryEaFile', # 0x111 'NtQueryFullAttributesFile', # 0x112 'NtQueryInformationAtom', # 0x113 'NtQueryInformationEnlistment', # 0x114 'NtQueryInformationJobObject', # 0x115 'NtQueryInformationPort', # 0x116 'NtQueryInformationResourceManager', # 0x117 'NtQueryInformationTransaction', # 0x118 'NtQueryInformationTransactionManager', # 0x119 'NtQueryInformationWorkerFactory', # 0x11a 'NtQueryInstallUILanguage', # 0x11b 'NtQueryIntervalProfile', # 0x11c 'NtQueryIoCompletion', # 0x11d 'NtQueryLicenseValue', # 0x11e 'NtQueryMultipleValueKey', # 0x11f 'NtQueryMutant', # 0x120 'NtQueryOpenSubKeys', # 0x121 'NtQueryOpenSubKeysEx', # 0x122 'NtQueryPortInformationProcess', # 0x123 'NtQueryQuotaInformationFile', # 0x124 'NtQuerySecurityObject', # 0x125 'NtQuerySemaphore', # 0x126 'NtQuerySymbolicLinkObject', # 0x127 'NtQuerySystemEnvironmentValue', # 0x128 'NtQuerySystemEnvironmentValueEx', # 0x129 'NtQueryTimerResolution', # 0x12a 'NtRaiseException', # 0x12b 'NtRaiseHardError', # 0x12c 'NtReadOnlyEnlistment', # 0x12d 'NtRecoverEnlistment', # 0x12e 'NtRecoverResourceManager', # 0x12f 'NtRecoverTransactionManager', # 0x130 'NtRegisterProtocolAddressInformation', # 0x131 'NtRegisterThreadTerminatePort', # 0x132 'NtReleaseCMFViewOwnership', # 0x133 'NtReleaseKeyedEvent', # 0x134 'NtReleaseWorkerFactoryWorker', # 0x135 'NtRemoveIoCompletionEx', # 0x136 'NtRemoveProcessDebug', # 0x137 'NtRenameKey', # 0x138 'NtReplaceKey', # 0x139 'NtReplyWaitReplyPort', # 0x13a 'NtRequestDeviceWakeup', # 0x13b 'NtRequestPort', # 0x13c 'NtRequestWakeupLatency', # 0x13d 
'NtResetEvent', # 0x13e 'NtResetWriteWatch', # 0x13f 'NtRestoreKey', # 0x140 'NtResumeProcess', # 0x141 'NtRollbackComplete', # 0x142 'NtRollbackEnlistment', # 0x143 'NtRollbackSavepointTransaction', # 0x144 'NtRollbackTransaction', # 0x145 'NtRollforwardTransactionManager', # 0x146 'NtSaveKey', # 0x147 'NtSaveKeyEx', # 0x148 'NtSaveMergedKeys', # 0x149 'NtSavepointComplete', # 0x14a 'NtSavepointTransaction', # 0x14b 'NtSecureConnectPort', # 0x14c 'NtSetBootEntryOrder', # 0x14d 'NtSetBootOptions', # 0x14e 'NtSetContextThread', # 0x14f 'NtSetDebugFilterState', # 0x150 'NtSetDefaultHardErrorPort', # 0x151 'NtSetDefaultLocale', # 0x152 'NtSetDefaultUILanguage', # 0x153 'NtSetDriverEntryOrder', # 0x154 'NtSetEaFile', # 0x155 'NtSetHighEventPair', # 0x156 'NtSetHighWaitLowEventPair', # 0x157 'NtSetInformationDebugObject', # 0x158 'NtSetInformationEnlistment', # 0x159 'NtSetInformationJobObject', # 0x15a 'NtSetInformationKey', # 0x15b 'NtSetInformationResourceManager', # 0x15c 'NtSetInformationToken', # 0x15d 'NtSetInformationTransaction', # 0x15e 'NtSetInformationTransactionManager', # 0x15f 'NtSetInformationWorkerFactory', # 0x160 'NtSetIntervalProfile', # 0x161 'NtSetIoCompletion', # 0x162 'NtSetLdtEntries', # 0x163 'NtSetLowEventPair', # 0x164 'NtSetLowWaitHighEventPair', # 0x165 'NtSetQuotaInformationFile', # 0x166 'NtSetSecurityObject', # 0x167 'NtSetSystemEnvironmentValue', # 0x168 'NtSetSystemEnvironmentValueEx', # 0x169 'NtSetSystemInformation', # 0x16a 'NtSetSystemPowerState', # 0x16b 'NtSetSystemTime', # 0x16c 'NtSetThreadExecutionState', # 0x16d 'NtSetTimerResolution', # 0x16e 'NtSetUuidSeed', # 0x16f 'NtSetVolumeInformationFile', # 0x170 'NtShutdownSystem', # 0x171 'NtShutdownWorkerFactory', # 0x172 'NtSignalAndWaitForSingleObject', # 0x173 'NtSinglePhaseReject', # 0x174 'NtStartProfile', # 0x175 'NtStartTm', # 0x176 'NtStopProfile', # 0x177 'NtSuspendProcess', # 0x178 'NtSuspendThread', # 0x179 'NtSystemDebugControl', # 0x17a 'NtTerminateJobObject', # 0x17b 
'NtTestAlert', # 0x17c 'NtThawRegistry', # 0x17d 'NtThawTransactions', # 0x17e 'NtTraceControl', # 0x17f 'NtTranslateFilePath', # 0x180 'NtUnloadDriver', # 0x181 'NtUnloadKey', # 0x182 'NtUnloadKey2', # 0x183 'NtUnloadKeyEx', # 0x184 'NtUnlockFile', # 0x185 'NtUnlockVirtualMemory', # 0x186 'NtVdmControl', # 0x187 'NtWaitForDebugEvent', # 0x188 'NtWaitForKeyedEvent', # 0x189 'NtWaitForWorkViaWorkerFactory', # 0x18a 'NtWaitHighEventPair', # 0x18b 'NtWaitLowEventPair', # 0x18c 'NtWorkerFactoryWorkerReady', # 0x18d ], [ 'NtUserGetThreadState', # 0x0 'NtUserPeekMessage', # 0x1 'NtUserCallOneParam', # 0x2 'NtUserGetKeyState', # 0x3 'NtUserInvalidateRect', # 0x4 'NtUserCallNoParam', # 0x5 'NtUserGetMessage', # 0x6 'NtUserMessageCall', # 0x7 'NtGdiBitBlt', # 0x8 'NtGdiGetCharSet', # 0x9 'NtUserGetDC', # 0xa 'NtGdiSelectBitmap', # 0xb 'NtUserWaitMessage', # 0xc 'NtUserTranslateMessage', # 0xd 'NtUserGetProp', # 0xe 'NtUserPostMessage', # 0xf 'NtUserQueryWindow', # 0x10 'NtUserTranslateAccelerator', # 0x11 'NtGdiFlush', # 0x12 'NtUserRedrawWindow', # 0x13 'NtUserWindowFromPoint', # 0x14 'NtUserCallMsgFilter', # 0x15 'NtUserValidateTimerCallback', # 0x16 'NtUserBeginPaint', # 0x17 'NtUserSetTimer', # 0x18 'NtUserEndPaint', # 0x19 'NtUserSetCursor', # 0x1a 'NtUserKillTimer', # 0x1b 'NtUserBuildHwndList', # 0x1c 'NtUserSelectPalette', # 0x1d 'NtUserCallNextHookEx', # 0x1e 'NtUserHideCaret', # 0x1f 'NtGdiIntersectClipRect', # 0x20 'NtUserCallHwndLock', # 0x21 'NtUserGetProcessWindowStation', # 0x22 'NtGdiDeleteObjectApp', # 0x23 'NtUserSetWindowPos', # 0x24 'NtUserShowCaret', # 0x25 'NtUserEndDeferWindowPosEx', # 0x26 'NtUserCallHwndParamLock', # 0x27 'NtUserVkKeyScanEx', # 0x28 'NtGdiSetDIBitsToDeviceInternal', # 0x29 'NtUserCallTwoParam', # 0x2a 'NtGdiGetRandomRgn', # 0x2b 'NtUserCopyAcceleratorTable', # 0x2c 'NtUserNotifyWinEvent', # 0x2d 'NtGdiExtSelectClipRgn', # 0x2e 'NtUserIsClipboardFormatAvailable', # 0x2f 'NtUserSetScrollInfo', # 0x30 'NtGdiStretchBlt', # 0x31 
'NtUserCreateCaret', # 0x32 'NtGdiRectVisible', # 0x33 'NtGdiCombineRgn', # 0x34 'NtGdiGetDCObject', # 0x35 'NtUserDispatchMessage', # 0x36 'NtUserRegisterWindowMessage', # 0x37 'NtGdiExtTextOutW', # 0x38 'NtGdiSelectFont', # 0x39 'NtGdiRestoreDC', # 0x3a 'NtGdiSaveDC', # 0x3b 'NtUserGetForegroundWindow', # 0x3c 'NtUserShowScrollBar', # 0x3d 'NtUserFindExistingCursorIcon', # 0x3e 'NtGdiGetDCDword', # 0x3f 'NtGdiGetRegionData', # 0x40 'NtGdiLineTo', # 0x41 'NtUserSystemParametersInfo', # 0x42 'NtGdiGetAppClipBox', # 0x43 'NtUserGetAsyncKeyState', # 0x44 'NtUserGetCPD', # 0x45 'NtUserRemoveProp', # 0x46 'NtGdiDoPalette', # 0x47 'NtGdiPolyPolyDraw', # 0x48 'NtUserSetCapture', # 0x49 'NtUserEnumDisplayMonitors', # 0x4a 'NtGdiCreateCompatibleBitmap', # 0x4b 'NtUserSetProp', # 0x4c 'NtGdiGetTextCharsetInfo', # 0x4d 'NtUserSBGetParms', # 0x4e 'NtUserGetIconInfo', # 0x4f 'NtUserExcludeUpdateRgn', # 0x50 'NtUserSetFocus', # 0x51 'NtGdiExtGetObjectW', # 0x52 'NtUserDeferWindowPos', # 0x53 'NtUserGetUpdateRect', # 0x54 'NtGdiCreateCompatibleDC', # 0x55 'NtUserGetClipboardSequenceNumber', # 0x56 'NtGdiCreatePen', # 0x57 'NtUserShowWindow', # 0x58 'NtUserGetKeyboardLayoutList', # 0x59 'NtGdiPatBlt', # 0x5a 'NtUserMapVirtualKeyEx', # 0x5b 'NtUserSetWindowLong', # 0x5c 'NtGdiHfontCreate', # 0x5d 'NtUserMoveWindow', # 0x5e 'NtUserPostThreadMessage', # 0x5f 'NtUserDrawIconEx', # 0x60 'NtUserGetSystemMenu', # 0x61 'NtGdiDrawStream', # 0x62 'NtUserInternalGetWindowText', # 0x63 'NtUserGetWindowDC', # 0x64 'NtGdiD3dDrawPrimitives2', # 0x65 'NtGdiInvertRgn', # 0x66 'NtGdiGetRgnBox', # 0x67 'NtGdiGetAndSetDCDword', # 0x68 'NtGdiMaskBlt', # 0x69 'NtGdiGetWidthTable', # 0x6a 'NtUserScrollDC', # 0x6b 'NtUserGetObjectInformation', # 0x6c 'NtGdiCreateBitmap', # 0x6d 'NtGdiConsoleTextOut', # 0x6e 'NtUserFindWindowEx', # 0x6f 'NtGdiPolyPatBlt', # 0x70 'NtUserUnhookWindowsHookEx', # 0x71 'NtGdiGetNearestColor', # 0x72 'NtGdiTransformPoints', # 0x73 'NtGdiGetDCPoint', # 0x74 
'NtUserCheckImeHotKey', # 0x75 'NtGdiCreateDIBBrush', # 0x76 'NtGdiGetTextMetricsW', # 0x77 'NtUserCreateWindowEx', # 0x78 'NtUserSetParent', # 0x79 'NtUserGetKeyboardState', # 0x7a 'NtUserToUnicodeEx', # 0x7b 'NtUserGetControlBrush', # 0x7c 'NtUserGetClassName', # 0x7d 'NtGdiAlphaBlend', # 0x7e 'NtGdiDdBlt', # 0x7f 'NtGdiOffsetRgn', # 0x80 'NtUserDefSetText', # 0x81 'NtGdiGetTextFaceW', # 0x82 'NtGdiStretchDIBitsInternal', # 0x83 'NtUserSendInput', # 0x84 'NtUserGetThreadDesktop', # 0x85 'NtGdiCreateRectRgn', # 0x86 'NtGdiGetDIBitsInternal', # 0x87 'NtUserGetUpdateRgn', # 0x88 'NtGdiDeleteClientObj', # 0x89 'NtUserGetIconSize', # 0x8a 'NtUserFillWindow', # 0x8b 'NtGdiExtCreateRegion', # 0x8c 'NtGdiComputeXformCoefficients', # 0x8d 'NtUserSetWindowsHookEx', # 0x8e 'NtUserNotifyProcessCreate', # 0x8f 'NtGdiUnrealizeObject', # 0x90 'NtUserGetTitleBarInfo', # 0x91 'NtGdiRectangle', # 0x92 'NtUserSetThreadDesktop', # 0x93 'NtUserGetDCEx', # 0x94 'NtUserGetScrollBarInfo', # 0x95 'NtGdiGetTextExtent', # 0x96 'NtUserSetWindowFNID', # 0x97 'NtGdiSetLayout', # 0x98 'NtUserCalcMenuBar', # 0x99 'NtUserThunkedMenuItemInfo', # 0x9a 'NtGdiExcludeClipRect', # 0x9b 'NtGdiCreateDIBSection', # 0x9c 'NtGdiGetDCforBitmap', # 0x9d 'NtUserDestroyCursor', # 0x9e 'NtUserDestroyWindow', # 0x9f 'NtUserCallHwndParam', # 0xa0 'NtGdiCreateDIBitmapInternal', # 0xa1 'NtUserOpenWindowStation', # 0xa2 'NtGdiDdDeleteSurfaceObject', # 0xa3 'NtGdiEnumFontClose', # 0xa4 'NtGdiEnumFontOpen', # 0xa5 'NtGdiEnumFontChunk', # 0xa6 'NtGdiDdCanCreateSurface', # 0xa7 'NtGdiDdCreateSurface', # 0xa8 'NtUserSetCursorIconData', # 0xa9 'NtGdiDdDestroySurface', # 0xaa 'NtUserCloseDesktop', # 0xab 'NtUserOpenDesktop', # 0xac 'NtUserSetProcessWindowStation', # 0xad 'NtUserGetAtomName', # 0xae 'NtGdiDdResetVisrgn', # 0xaf 'NtGdiExtCreatePen', # 0xb0 'NtGdiCreatePaletteInternal', # 0xb1 'NtGdiSetBrushOrg', # 0xb2 'NtUserBuildNameList', # 0xb3 'NtGdiSetPixel', # 0xb4 'NtUserRegisterClassExWOW', # 0xb5 
'NtGdiCreatePatternBrushInternal', # 0xb6 'NtUserGetAncestor', # 0xb7 'NtGdiGetOutlineTextMetricsInternalW', # 0xb8 'NtGdiSetBitmapBits', # 0xb9 'NtUserCloseWindowStation', # 0xba 'NtUserGetDoubleClickTime', # 0xbb 'NtUserEnableScrollBar', # 0xbc 'NtGdiCreateSolidBrush', # 0xbd 'NtUserGetClassInfoEx', # 0xbe 'NtGdiCreateClientObj', # 0xbf 'NtUserUnregisterClass', # 0xc0 'NtUserDeleteMenu', # 0xc1 'NtGdiRectInRegion', # 0xc2 'NtUserScrollWindowEx', # 0xc3 'NtGdiGetPixel', # 0xc4 'NtUserSetClassLong', # 0xc5 'NtUserGetMenuBarInfo', # 0xc6 'NtGdiDdCreateSurfaceEx', # 0xc7 'NtGdiDdCreateSurfaceObject', # 0xc8 'NtGdiGetNearestPaletteIndex', # 0xc9 'NtGdiDdLockD3D', # 0xca 'NtGdiDdUnlockD3D', # 0xcb 'NtGdiGetCharWidthW', # 0xcc 'NtUserInvalidateRgn', # 0xcd 'NtUserGetClipboardOwner', # 0xce 'NtUserSetWindowRgn', # 0xcf 'NtUserBitBltSysBmp', # 0xd0 'NtGdiGetCharWidthInfo', # 0xd1 'NtUserValidateRect', # 0xd2 'NtUserCloseClipboard', # 0xd3 'NtUserOpenClipboard', # 0xd4 'NtGdiGetStockObject', # 0xd5 'NtUserSetClipboardData', # 0xd6 'NtUserEnableMenuItem', # 0xd7 'NtUserAlterWindowStyle', # 0xd8 'NtGdiFillRgn', # 0xd9 'NtUserGetWindowPlacement', # 0xda 'NtGdiModifyWorldTransform', # 0xdb 'NtGdiGetFontData', # 0xdc 'NtUserGetOpenClipboardWindow', # 0xdd 'NtUserSetThreadState', # 0xde 'NtGdiOpenDCW', # 0xdf 'NtUserTrackMouseEvent', # 0xe0 'NtGdiGetTransform', # 0xe1 'NtUserDestroyMenu', # 0xe2 'NtGdiGetBitmapBits', # 0xe3 'NtUserConsoleControl', # 0xe4 'NtUserSetActiveWindow', # 0xe5 'NtUserSetInformationThread', # 0xe6 'NtUserSetWindowPlacement', # 0xe7 'NtUserGetControlColor', # 0xe8 'NtGdiSetMetaRgn', # 0xe9 'NtGdiSetMiterLimit', # 0xea 'NtGdiSetVirtualResolution', # 0xeb 'NtGdiGetRasterizerCaps', # 0xec 'NtUserSetWindowWord', # 0xed 'NtUserGetClipboardFormatName', # 0xee 'NtUserRealInternalGetMessage', # 0xef 'NtUserCreateLocalMemHandle', # 0xf0 'NtUserAttachThreadInput', # 0xf1 'NtGdiCreateHalftonePalette', # 0xf2 'NtUserPaintMenuBar', # 0xf3 'NtUserSetKeyboardState', # 
0xf4 'NtGdiCombineTransform', # 0xf5 'NtUserCreateAcceleratorTable', # 0xf6 'NtUserGetCursorFrameInfo', # 0xf7 'NtUserGetAltTabInfo', # 0xf8 'NtUserGetCaretBlinkTime', # 0xf9 'NtGdiQueryFontAssocInfo', # 0xfa 'NtUserProcessConnect', # 0xfb 'NtUserEnumDisplayDevices', # 0xfc 'NtUserEmptyClipboard', # 0xfd 'NtUserGetClipboardData', # 0xfe 'NtUserRemoveMenu', # 0xff 'NtGdiSetBoundsRect', # 0x100 'NtUserSetInformationProcess', # 0x101 'NtGdiGetBitmapDimension', # 0x102 'NtUserConvertMemHandle', # 0x103 'NtUserDestroyAcceleratorTable', # 0x104 'NtUserGetGUIThreadInfo', # 0x105 'NtGdiCloseFigure', # 0x106 'NtUserSetWindowsHookAW', # 0x107 'NtUserSetMenuDefaultItem', # 0x108 'NtUserCheckMenuItem', # 0x109 'NtUserSetWinEventHook', # 0x10a 'NtUserUnhookWinEvent', # 0x10b 'NtGdiSetupPublicCFONT', # 0x10c 'NtUserLockWindowUpdate', # 0x10d 'NtUserSetSystemMenu', # 0x10e 'NtUserThunkedMenuInfo', # 0x10f 'NtGdiBeginPath', # 0x110 'NtGdiEndPath', # 0x111 'NtGdiFillPath', # 0x112 'NtUserCallHwnd', # 0x113 'NtUserDdeInitialize', # 0x114 'NtUserModifyUserStartupInfoFlags', # 0x115 'NtUserCountClipboardFormats', # 0x116 'NtGdiAddFontMemResourceEx', # 0x117 'NtGdiEqualRgn', # 0x118 'NtGdiGetSystemPaletteUse', # 0x119 'NtGdiRemoveFontMemResourceEx', # 0x11a 'NtUserEnumDisplaySettings', # 0x11b 'NtUserPaintDesktop', # 0x11c 'NtGdiExtEscape', # 0x11d 'NtGdiSetBitmapDimension', # 0x11e 'NtGdiSetFontEnumeration', # 0x11f 'NtUserChangeClipboardChain', # 0x120 'NtUserResolveDesktop', # 0x121 'NtUserSetClipboardViewer', # 0x122 'NtUserShowWindowAsync', # 0x123 'NtUserSetConsoleReserveKeys', # 0x124 'NtGdiCreateColorSpace', # 0x125 'NtGdiDeleteColorSpace', # 0x126 'NtUserActivateKeyboardLayout', # 0x127 'NtGdiAbortDoc', # 0x128 'NtGdiAbortPath', # 0x129 'NtGdiAddEmbFontToDC', # 0x12a 'NtGdiAddFontResourceW', # 0x12b 'NtGdiAddRemoteFontToDC', # 0x12c 'NtGdiAddRemoteMMInstanceToDC', # 0x12d 'NtGdiAngleArc', # 0x12e 'NtGdiAnyLinkedFonts', # 0x12f 'NtGdiArcInternal', # 0x130 
'NtGdiBRUSHOBJ_DeleteRbrush', # 0x131 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x132 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x133 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x134 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x135 'NtGdiCLIPOBJ_bEnum', # 0x136 'NtGdiCLIPOBJ_cEnumStart', # 0x137 'NtGdiCLIPOBJ_ppoGetPath', # 0x138 'NtGdiCancelDC', # 0x139 'NtGdiChangeGhostFont', # 0x13a 'NtGdiCheckBitmapBits', # 0x13b 'NtGdiClearBitmapAttributes', # 0x13c 'NtGdiClearBrushAttributes', # 0x13d 'NtGdiColorCorrectPalette', # 0x13e 'NtGdiConfigureOPMProtectedOutput', # 0x13f 'NtGdiConvertMetafileRect', # 0x140 'NtGdiCreateColorTransform', # 0x141 'NtGdiCreateEllipticRgn', # 0x142 'NtGdiCreateHatchBrushInternal', # 0x143 'NtGdiCreateMetafileDC', # 0x144 'NtGdiCreateOPMProtectedOutputs', # 0x145 'NtGdiCreateRoundRectRgn', # 0x146 'NtGdiCreateServerMetaFile', # 0x147 'NtGdiD3dContextCreate', # 0x148 'NtGdiD3dContextDestroy', # 0x149 'NtGdiD3dContextDestroyAll', # 0x14a 'NtGdiD3dValidateTextureStageState', # 0x14b 'NtGdiDDCCIGetCapabilitiesString', # 0x14c 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x14d 'NtGdiDDCCIGetTimingReport', # 0x14e 'NtGdiDDCCIGetVCPFeature', # 0x14f 'NtGdiDDCCISaveCurrentSettings', # 0x150 'NtGdiDDCCISetVCPFeature', # 0x151 'NtGdiDdAddAttachedSurface', # 0x152 'NtGdiDdAlphaBlt', # 0x153 'NtGdiDdAttachSurface', # 0x154 'NtGdiDdBeginMoCompFrame', # 0x155 'NtGdiDdCanCreateD3DBuffer', # 0x156 'NtGdiDdColorControl', # 0x157 'NtGdiDdCreateD3DBuffer', # 0x158 'NtGdiDdCreateDirectDrawObject', # 0x159 'NtGdiDdCreateMoComp', # 0x15a 'NtGdiDdDDICheckExclusiveOwnership', # 0x15b 'NtGdiDdDDICheckMonitorPowerState', # 0x15c 'NtGdiDdDDICheckOcclusion', # 0x15d 'NtGdiDdDDICloseAdapter', # 0x15e 'NtGdiDdDDICreateAllocation', # 0x15f 'NtGdiDdDDICreateContext', # 0x160 'NtGdiDdDDICreateDCFromMemory', # 0x161 'NtGdiDdDDICreateDevice', # 0x162 'NtGdiDdDDICreateOverlay', # 0x163 'NtGdiDdDDICreateSynchronizationObject', # 0x164 'NtGdiDdDDIDestroyAllocation', # 0x165 'NtGdiDdDDIDestroyContext', # 0x166 
'NtGdiDdDDIDestroyDCFromMemory', # 0x167 'NtGdiDdDDIDestroyDevice', # 0x168 'NtGdiDdDDIDestroyOverlay', # 0x169 'NtGdiDdDDIDestroySynchronizationObject', # 0x16a 'NtGdiDdDDIEscape', # 0x16b 'NtGdiDdDDIFlipOverlay', # 0x16c 'NtGdiDdDDIGetContextSchedulingPriority', # 0x16d 'NtGdiDdDDIGetDeviceState', # 0x16e 'NtGdiDdDDIGetDisplayModeList', # 0x16f 'NtGdiDdDDIGetMultisampleMethodList', # 0x170 'NtGdiDdDDIGetPresentHistory', # 0x171 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x172 'NtGdiDdDDIGetRuntimeData', # 0x173 'NtGdiDdDDIGetScanLine', # 0x174 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x175 'NtGdiDdDDIInvalidateActiveVidPn', # 0x176 'NtGdiDdDDILock', # 0x177 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x178 'NtGdiDdDDIOpenAdapterFromHdc', # 0x179 'NtGdiDdDDIOpenResource', # 0x17a 'NtGdiDdDDIPollDisplayChildren', # 0x17b 'NtGdiDdDDIPresent', # 0x17c 'NtGdiDdDDIQueryAdapterInfo', # 0x17d 'NtGdiDdDDIQueryAllocationResidency', # 0x17e 'NtGdiDdDDIQueryResourceInfo', # 0x17f 'NtGdiDdDDIQueryStatistics', # 0x180 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x181 'NtGdiDdDDIRender', # 0x182 'NtGdiDdDDISetAllocationPriority', # 0x183 'NtGdiDdDDISetContextSchedulingPriority', # 0x184 'NtGdiDdDDISetDisplayMode', # 0x185 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x186 'NtGdiDdDDISetGammaRamp', # 0x187 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x188 'NtGdiDdDDISetQueuedLimit', # 0x189 'NtGdiDdDDISetVidPnSourceOwner', # 0x18a 'NtGdiDdDDISharedPrimaryLockNotification', # 0x18b 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x18c 'NtGdiDdDDISignalSynchronizationObject', # 0x18d 'NtGdiDdDDIUnlock', # 0x18e 'NtGdiDdDDIUpdateOverlay', # 0x18f 'NtGdiDdDDIWaitForIdle', # 0x190 'NtGdiDdDDIWaitForSynchronizationObject', # 0x191 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x192 'NtGdiDdDeleteDirectDrawObject', # 0x193 'NtGdiDdDestroyD3DBuffer', # 0x194 'NtGdiDdDestroyMoComp', # 0x195 'NtGdiDdEndMoCompFrame', # 0x196 'NtGdiDdFlip', # 0x197 'NtGdiDdFlipToGDISurface', # 0x198 
'NtGdiDdGetAvailDriverMemory', # 0x199 'NtGdiDdGetBltStatus', # 0x19a 'NtGdiDdGetDC', # 0x19b 'NtGdiDdGetDriverInfo', # 0x19c 'NtGdiDdGetDriverState', # 0x19d 'NtGdiDdGetDxHandle', # 0x19e 'NtGdiDdGetFlipStatus', # 0x19f 'NtGdiDdGetInternalMoCompInfo', # 0x1a0 'NtGdiDdGetMoCompBuffInfo', # 0x1a1 'NtGdiDdGetMoCompFormats', # 0x1a2 'NtGdiDdGetMoCompGuids', # 0x1a3 'NtGdiDdGetScanLine', # 0x1a4 'NtGdiDdLock', # 0x1a5 'NtGdiDdQueryDirectDrawObject', # 0x1a6 'NtGdiDdQueryMoCompStatus', # 0x1a7 'NtGdiDdReenableDirectDrawObject', # 0x1a8 'NtGdiDdReleaseDC', # 0x1a9 'NtGdiDdRenderMoComp', # 0x1aa 'NtGdiDdSetColorKey', # 0x1ab 'NtGdiDdSetExclusiveMode', # 0x1ac 'NtGdiDdSetGammaRamp', # 0x1ad 'NtGdiDdSetOverlayPosition', # 0x1ae 'NtGdiDdUnattachSurface', # 0x1af 'NtGdiDdUnlock', # 0x1b0 'NtGdiDdUpdateOverlay', # 0x1b1 'NtGdiDdWaitForVerticalBlank', # 0x1b2 'NtGdiDeleteColorTransform', # 0x1b3 'NtGdiDescribePixelFormat', # 0x1b4 'NtGdiDestroyOPMProtectedOutput', # 0x1b5 'NtGdiDestroyPhysicalMonitor', # 0x1b6 'NtGdiDoBanding', # 0x1b7 'NtGdiDrawEscape', # 0x1b8 'NtGdiDvpAcquireNotification', # 0x1b9 'NtGdiDvpCanCreateVideoPort', # 0x1ba 'NtGdiDvpColorControl', # 0x1bb 'NtGdiDvpCreateVideoPort', # 0x1bc 'NtGdiDvpDestroyVideoPort', # 0x1bd 'NtGdiDvpFlipVideoPort', # 0x1be 'NtGdiDvpGetVideoPortBandwidth', # 0x1bf 'NtGdiDvpGetVideoPortConnectInfo', # 0x1c0 'NtGdiDvpGetVideoPortField', # 0x1c1 'NtGdiDvpGetVideoPortFlipStatus', # 0x1c2 'NtGdiDvpGetVideoPortInputFormats', # 0x1c3 'NtGdiDvpGetVideoPortLine', # 0x1c4 'NtGdiDvpGetVideoPortOutputFormats', # 0x1c5 'NtGdiDvpGetVideoSignalStatus', # 0x1c6 'NtGdiDvpReleaseNotification', # 0x1c7 'NtGdiDvpUpdateVideoPort', # 0x1c8 'NtGdiDvpWaitForVideoPortSync', # 0x1c9 'NtGdiDwmGetDirtyRgn', # 0x1ca 'NtGdiDwmGetSurfaceData', # 0x1cb 'NtGdiDxgGenericThunk', # 0x1cc 'NtGdiEllipse', # 0x1cd 'NtGdiEnableEudc', # 0x1ce 'NtGdiEndDoc', # 0x1cf 'NtGdiEndPage', # 0x1d0 'NtGdiEngAlphaBlend', # 0x1d1 'NtGdiEngAssociateSurface', # 0x1d2 'NtGdiEngBitBlt', 
# 0x1d3 'NtGdiEngCheckAbort', # 0x1d4 'NtGdiEngComputeGlyphSet', # 0x1d5 'NtGdiEngCopyBits', # 0x1d6 'NtGdiEngCreateBitmap', # 0x1d7 'NtGdiEngCreateClip', # 0x1d8 'NtGdiEngCreateDeviceBitmap', # 0x1d9 'NtGdiEngCreateDeviceSurface', # 0x1da 'NtGdiEngCreatePalette', # 0x1db 'NtGdiEngDeleteClip', # 0x1dc 'NtGdiEngDeletePalette', # 0x1dd 'NtGdiEngDeletePath', # 0x1de 'NtGdiEngDeleteSurface', # 0x1df 'NtGdiEngEraseSurface', # 0x1e0 'NtGdiEngFillPath', # 0x1e1 'NtGdiEngGradientFill', # 0x1e2 'NtGdiEngLineTo', # 0x1e3 'NtGdiEngLockSurface', # 0x1e4 'NtGdiEngMarkBandingSurface', # 0x1e5 'NtGdiEngPaint', # 0x1e6 'NtGdiEngPlgBlt', # 0x1e7 'NtGdiEngStretchBlt', # 0x1e8 'NtGdiEngStretchBltROP', # 0x1e9 'NtGdiEngStrokeAndFillPath', # 0x1ea 'NtGdiEngStrokePath', # 0x1eb 'NtGdiEngTextOut', # 0x1ec 'NtGdiEngTransparentBlt', # 0x1ed 'NtGdiEngUnlockSurface', # 0x1ee 'NtGdiEnumObjects', # 0x1ef 'NtGdiEudcLoadUnloadLink', # 0x1f0 'NtGdiExtFloodFill', # 0x1f1 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x1f2 'NtGdiFONTOBJ_cGetGlyphs', # 0x1f3 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x1f4 'NtGdiFONTOBJ_pfdg', # 0x1f5 'NtGdiFONTOBJ_pifi', # 0x1f6 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x1f7 'NtGdiFONTOBJ_pxoGetXform', # 0x1f8 'NtGdiFONTOBJ_vGetInfo', # 0x1f9 'NtGdiFlattenPath', # 0x1fa 'NtGdiFontIsLinked', # 0x1fb 'NtGdiForceUFIMapping', # 0x1fc 'NtGdiFrameRgn', # 0x1fd 'NtGdiFullscreenControl', # 0x1fe 'NtGdiGetBoundsRect', # 0x1ff 'NtGdiGetCOPPCompatibleOPMInformation', # 0x200 'NtGdiGetCertificate', # 0x201 'NtGdiGetCertificateSize', # 0x202 'NtGdiGetCharABCWidthsW', # 0x203 'NtGdiGetCharacterPlacementW', # 0x204 'NtGdiGetColorAdjustment', # 0x205 'NtGdiGetColorSpaceforBitmap', # 0x206 'NtGdiGetDeviceCaps', # 0x207 'NtGdiGetDeviceCapsAll', # 0x208 'NtGdiGetDeviceGammaRamp', # 0x209 'NtGdiGetDeviceWidth', # 0x20a 'NtGdiGetDhpdev', # 0x20b 'NtGdiGetETM', # 0x20c 'NtGdiGetEmbUFI', # 0x20d 'NtGdiGetEmbedFonts', # 0x20e 'NtGdiGetEudcTimeStampEx', # 0x20f 'NtGdiGetFontResourceInfoInternalW', # 0x210 
'NtGdiGetFontUnicodeRanges', # 0x211 'NtGdiGetGlyphIndicesW', # 0x212 'NtGdiGetGlyphIndicesWInternal', # 0x213 'NtGdiGetGlyphOutline', # 0x214 'NtGdiGetKerningPairs', # 0x215 'NtGdiGetLinkedUFIs', # 0x216 'NtGdiGetMiterLimit', # 0x217 'NtGdiGetMonitorID', # 0x218 'NtGdiGetNumberOfPhysicalMonitors', # 0x219 'NtGdiGetOPMInformation', # 0x21a 'NtGdiGetOPMRandomNumber', # 0x21b 'NtGdiGetObjectBitmapHandle', # 0x21c 'NtGdiGetPath', # 0x21d 'NtGdiGetPerBandInfo', # 0x21e 'NtGdiGetPhysicalMonitorDescription', # 0x21f 'NtGdiGetPhysicalMonitors', # 0x220 'NtGdiGetRealizationInfo', # 0x221 'NtGdiGetServerMetaFileBits', # 0x222 'NtGdiGetSpoolMessage', # 0x223 'NtGdiGetStats', # 0x224 'NtGdiGetStringBitmapW', # 0x225 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0x226 'NtGdiGetTextExtentExW', # 0x227 'NtGdiGetUFI', # 0x228 'NtGdiGetUFIPathname', # 0x229 'NtGdiGradientFill', # 0x22a 'NtGdiHT_Get8BPPFormatPalette', # 0x22b 'NtGdiHT_Get8BPPMaskPalette', # 0x22c 'NtGdiIcmBrushInfo', # 0x22d 'NtGdiInit', # 0x22e 'NtGdiInitSpool', # 0x22f 'NtGdiMakeFontDir', # 0x230 'NtGdiMakeInfoDC', # 0x231 'NtGdiMakeObjectUnXferable', # 0x232 'NtGdiMakeObjectXferable', # 0x233 'NtGdiMirrorWindowOrg', # 0x234 'NtGdiMonoBitmap', # 0x235 'NtGdiMoveTo', # 0x236 'NtGdiOffsetClipRgn', # 0x237 'NtGdiPATHOBJ_bEnum', # 0x238 'NtGdiPATHOBJ_bEnumClipLines', # 0x239 'NtGdiPATHOBJ_vEnumStart', # 0x23a 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x23b 'NtGdiPATHOBJ_vGetBounds', # 0x23c 'NtGdiPathToRegion', # 0x23d 'NtGdiPlgBlt', # 0x23e 'NtGdiPolyDraw', # 0x23f 'NtGdiPolyTextOutW', # 0x240 'NtGdiPtInRegion', # 0x241 'NtGdiPtVisible', # 0x242 'NtGdiQueryFonts', # 0x243 'NtGdiRemoveFontResourceW', # 0x244 'NtGdiRemoveMergeFont', # 0x245 'NtGdiResetDC', # 0x246 'NtGdiResizePalette', # 0x247 'NtGdiRoundRect', # 0x248 'NtGdiSTROBJ_bEnum', # 0x249 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x24a 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x24b 'NtGdiSTROBJ_dwGetCodePage', # 0x24c 'NtGdiSTROBJ_vEnumStart', # 0x24d 
'NtGdiScaleViewportExtEx', # 0x24e 'NtGdiScaleWindowExtEx', # 0x24f 'NtGdiSelectBrush', # 0x250 'NtGdiSelectClipPath', # 0x251 'NtGdiSelectPen', # 0x252 'NtGdiSetBitmapAttributes', # 0x253 'NtGdiSetBrushAttributes', # 0x254 'NtGdiSetColorAdjustment', # 0x255 'NtGdiSetColorSpace', # 0x256 'NtGdiSetDeviceGammaRamp', # 0x257 'NtGdiSetFontXform', # 0x258 'NtGdiSetIcmMode', # 0x259 'NtGdiSetLinkedUFIs', # 0x25a 'NtGdiSetMagicColors', # 0x25b 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x25c 'NtGdiSetPUMPDOBJ', # 0x25d 'NtGdiSetPixelFormat', # 0x25e 'NtGdiSetRectRgn', # 0x25f 'NtGdiSetSizeDevice', # 0x260 'NtGdiSetSystemPaletteUse', # 0x261 'NtGdiSetTextJustification', # 0x262 'NtGdiStartDoc', # 0x263 'NtGdiStartPage', # 0x264 'NtGdiStrokeAndFillPath', # 0x265 'NtGdiStrokePath', # 0x266 'NtGdiSwapBuffers', # 0x267 'NtGdiTransparentBlt', # 0x268 'NtGdiUMPDEngFreeUserMem', # 0x269 'NtGdiUnloadPrinterDriver', # 0x26a 'EngRestoreFloatingPointState', # 0x26b 'NtGdiUpdateColors', # 0x26c 'NtGdiUpdateTransform', # 0x26d 'NtGdiWidenPath', # 0x26e 'NtGdiXFORMOBJ_bApplyXform', # 0x26f 'NtGdiXFORMOBJ_iGetXform', # 0x270 'NtGdiXLATEOBJ_cGetPalette', # 0x271 'NtGdiXLATEOBJ_hGetColorTransform', # 0x272 'NtGdiXLATEOBJ_iXlate', # 0x273 'NtUserAddClipboardFormatListener', # 0x274 'NtUserAssociateInputContext', # 0x275 'NtUserBlockInput', # 0x276 'NtUserBuildHimcList', # 0x277 'NtUserBuildPropList', # 0x278 'NtUserCallHwndOpt', # 0x279 'NtUserChangeDisplaySettings', # 0x27a 'NtUserCheckAccessForIntegrityLevel', # 0x27b 'NtUserCheckDesktopByThreadId', # 0x27c 'NtUserCheckWindowThreadDesktop', # 0x27d 'NtUserChildWindowFromPointEx', # 0x27e 'NtUserClipCursor', # 0x27f 'NtUserCreateDesktopEx', # 0x280 'NtUserCreateInputContext', # 0x281 'NtUserCreateWindowStation', # 0x282 'NtUserCtxDisplayIOCtl', # 0x283 'NtUserDestroyInputContext', # 0x284 'NtUserDisableThreadIme', # 0x285 'NtUserDoSoundConnect', # 0x286 'NtUserDoSoundDisconnect', # 0x287 'NtUserDragDetect', # 0x288 'NtUserDragObject', # 
0x289 'NtUserDrawAnimatedRects', # 0x28a 'NtUserDrawCaption', # 0x28b 'NtUserDrawCaptionTemp', # 0x28c 'NtUserDrawMenuBarTemp', # 0x28d 'NtUserDwmGetDxRgn', # 0x28e 'NtUserDwmHintDxUpdate', # 0x28f 'NtUserDwmStartRedirection', # 0x290 'NtUserDwmStopRedirection', # 0x291 'NtUserEndMenu', # 0x292 'NtUserEvent', # 0x293 'NtUserFlashWindowEx', # 0x294 'NtUserFrostCrashedWindow', # 0x295 'NtUserGetAppImeLevel', # 0x296 'NtUserGetCaretPos', # 0x297 'NtUserGetClipCursor', # 0x298 'NtUserGetClipboardViewer', # 0x299 'NtUserGetComboBoxInfo', # 0x29a 'NtUserGetCursorInfo', # 0x29b 'NtUserGetGuiResources', # 0x29c 'NtUserGetImeHotKey', # 0x29d 'NtUserGetImeInfoEx', # 0x29e 'NtUserGetInternalWindowPos', # 0x29f 'NtUserGetKeyNameText', # 0x2a0 'NtUserGetKeyboardLayoutName', # 0x2a1 'NtUserGetLayeredWindowAttributes', # 0x2a2 'NtUserGetListBoxInfo', # 0x2a3 'NtUserGetMenuIndex', # 0x2a4 'NtUserGetMenuItemRect', # 0x2a5 'NtUserGetMouseMovePointsEx', # 0x2a6 'NtUserGetPriorityClipboardFormat', # 0x2a7 'NtUserGetRawInputBuffer', # 0x2a8 'NtUserGetRawInputData', # 0x2a9 'NtUserGetRawInputDeviceInfo', # 0x2aa 'NtUserGetRawInputDeviceList', # 0x2ab 'NtUserGetRegisteredRawInputDevices', # 0x2ac 'NtUserGetUpdatedClipboardFormats', # 0x2ad 'NtUserGetWOWClass', # 0x2ae 'NtUserGetWindowMinimizeRect', # 0x2af 'NtUserGetWindowRgnEx', # 0x2b0 'NtUserGhostWindowFromHungWindow', # 0x2b1 'NtUserHardErrorControl', # 0x2b2 'NtUserHiliteMenuItem', # 0x2b3 'NtUserHungWindowFromGhostWindow', # 0x2b4 'NtUserImpersonateDdeClientWindow', # 0x2b5 'NtUserInitTask', # 0x2b6 'NtUserInitialize', # 0x2b7 'NtUserInitializeClientPfnArrays', # 0x2b8 'NtUserInternalGetWindowIcon', # 0x2b9 'NtUserLoadKeyboardLayoutEx', # 0x2ba 'NtUserLockWindowStation', # 0x2bb 'NtUserLockWorkStation', # 0x2bc 'NtUserLogicalToPhysicalPoint', # 0x2bd 'NtUserMNDragLeave', # 0x2be 'NtUserMNDragOver', # 0x2bf 'NtUserMenuItemFromPoint', # 0x2c0 'NtUserMinMaximize', # 0x2c1 'NtUserNotifyIMEStatus', # 0x2c2 'NtUserOpenInputDesktop', # 
0x2c3 'NtUserOpenThreadDesktop', # 0x2c4 'NtUserPaintMonitor', # 0x2c5 'NtUserPhysicalToLogicalPoint', # 0x2c6 'NtUserPrintWindow', # 0x2c7 'NtUserQueryInformationThread', # 0x2c8 'NtUserQueryInputContext', # 0x2c9 'NtUserQuerySendMessage', # 0x2ca 'NtUserRealChildWindowFromPoint', # 0x2cb 'NtUserRealWaitMessageEx', # 0x2cc 'NtUserRegisterErrorReportingDialog', # 0x2cd 'NtUserRegisterHotKey', # 0x2ce 'NtUserRegisterRawInputDevices', # 0x2cf 'NtUserRegisterSessionPort', # 0x2d0 'NtUserRegisterTasklist', # 0x2d1 'NtUserRegisterUserApiHook', # 0x2d2 'NtUserRemoteConnect', # 0x2d3 'NtUserRemoteRedrawRectangle', # 0x2d4 'NtUserRemoteRedrawScreen', # 0x2d5 'NtUserRemoteStopScreenUpdates', # 0x2d6 'NtUserRemoveClipboardFormatListener', # 0x2d7 'NtUserResolveDesktopForWOW', # 0x2d8 'NtUserSetAppImeLevel', # 0x2d9 'NtUserSetClassWord', # 0x2da 'NtUserSetCursorContents', # 0x2db 'NtUserSetImeHotKey', # 0x2dc 'NtUserSetImeInfoEx', # 0x2dd 'NtUserSetImeOwnerWindow', # 0x2de 'NtUserSetInternalWindowPos', # 0x2df 'NtUserSetLayeredWindowAttributes', # 0x2e0 'NtUserSetMenu', # 0x2e1 'NtUserSetMenuContextHelpId', # 0x2e2 'NtUserSetMenuFlagRtoL', # 0x2e3 'NtUserSetMirrorRendering', # 0x2e4 'NtUserSetObjectInformation', # 0x2e5 'NtUserSetProcessDPIAware', # 0x2e6 'NtUserSetShellWindowEx', # 0x2e7 'NtUserSetSysColors', # 0x2e8 'NtUserSetSystemCursor', # 0x2e9 'NtUserSetSystemTimer', # 0x2ea 'NtUserSetThreadLayoutHandles', # 0x2eb 'NtUserSetWindowRgnEx', # 0x2ec 'NtUserSetWindowStationUser', # 0x2ed 'NtUserShowSystemCursor', # 0x2ee 'NtUserSoundSentry', # 0x2ef 'NtUserSwitchDesktop', # 0x2f0 'NtUserTestForInteractiveUser', # 0x2f1 'NtUserTrackPopupMenuEx', # 0x2f2 'NtUserUnloadKeyboardLayout', # 0x2f3 'NtUserUnlockWindowStation', # 0x2f4 'NtUserUnregisterHotKey', # 0x2f5 'NtUserUnregisterSessionPort', # 0x2f6 'NtUserUnregisterUserApiHook', # 0x2f7 'NtUserUpdateInputContext', # 0x2f8 'NtUserUpdateInstance', # 0x2f9 'NtUserUpdateLayeredWindow', # 0x2fa 
'NtUserUpdatePerUserSystemParameters', # 0x2fb 'NtUserUpdateWindowTransform', # 0x2fc 'NtUserUserHandleGrantAccess', # 0x2fd 'NtUserValidateHandleSecure', # 0x2fe 'NtUserWaitForInputIdle', # 0x2ff 'NtUserWaitForMsgAndEvent', # 0x300 'NtUserWin32PoolAllocationStats', # 0x301 'NtUserWindowFromPhysicalPoint', # 0x302 'NtUserYieldTask', # 0x303 'NtUserSetClassLongPtr', # 0x304 'NtUserSetWindowLongPtr', # 0x305 ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win2003_sp2_x86_vtypes.py0000644000000000000000000112471013131215405030741 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_100d' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_100d']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '__unnamed_101e' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_101e']], 'QuadPart' : [ 0x0, ['long long']], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_KPRCB' : [ 0xec0, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', 
['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'PrcbPad0' : [ 0x3bc, ['array', 92, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 33, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x520, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x524, ['unsigned long']], 'KernelTime' : [ 0x528, ['unsigned long']], 'UserTime' : [ 0x52c, ['unsigned long']], 'DpcTime' : [ 0x530, ['unsigned long']], 'DebugDpcTime' : [ 0x534, ['unsigned long']], 'InterruptTime' : [ 0x538, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x53c, ['unsigned long']], 'PageColor' : [ 0x540, ['unsigned long']], 'SkipTick' : [ 0x544, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x545, ['unsigned char']], 'NodeColor' : [ 0x546, ['unsigned char']], 'Spare1' : [ 0x547, ['unsigned char']], 'NodeShiftedColor' : [ 0x548, ['unsigned long']], 'ParentNode' : [ 0x54c, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x550, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x554, ['pointer', ['_KPRCB']]], 'SecondaryColorMask' : [ 0x558, ['unsigned long']], 'Sleeping' : [ 0x55c, ['long']], 'CcFastReadNoWait' : [ 0x560, ['unsigned long']], 'CcFastReadWait' : [ 0x564, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x568, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x56c, ['unsigned long']], 'CcCopyReadWait' : [ 0x570, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x578, ['unsigned long']], 'SpareCounter0' : [ 0x57c, ['unsigned long']], 'KeDcacheFlushCount' : [ 0x580, ['unsigned long']], 
'KeExceptionDispatchCount' : [ 0x584, ['unsigned long']], 'KeFirstLevelTbFills' : [ 0x588, ['unsigned long']], 'KeFloatingEmulationCount' : [ 0x58c, ['unsigned long']], 'KeIcacheFlushCount' : [ 0x590, ['unsigned long']], 'KeSecondLevelTbFills' : [ 0x594, ['unsigned long']], 'KeSystemCalls' : [ 0x598, ['unsigned long']], 'IoReadOperationCount' : [ 0x59c, ['long']], 'IoWriteOperationCount' : [ 0x5a0, ['long']], 'IoOtherOperationCount' : [ 0x5a4, ['long']], 'IoReadTransferCount' : [ 0x5a8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x5b0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x5b8, ['_LARGE_INTEGER']], 'SpareCounter1' : [ 0x5c0, ['array', 8, ['unsigned long']]], 'PPLookasideList' : [ 0x5e0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x660, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PPPagedLookasideList' : [ 0x760, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PacketBarrier' : [ 0x860, ['unsigned long']], 'ReverseStall' : [ 0x864, ['unsigned long']], 'IpiFrame' : [ 0x868, ['pointer', ['void']]], 'PrcbPad2' : [ 0x86c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x8a0, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x8ac, ['unsigned long']], 'WorkerRoutine' : [ 0x8b0, ['pointer', ['void']]], 'IpiFrozen' : [ 0x8b4, ['unsigned long']], 'PrcbPad3' : [ 0x8b8, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x8e0, ['unsigned long']], 'SignalDone' : [ 0x8e4, ['pointer', ['_KPRCB']]], 'PrcbPad4' : [ 0x8e8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x920, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x948, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x94c, ['unsigned long']], 'DpcRequestRate' : [ 0x950, ['unsigned long']], 'MinimumDpcRate' : [ 0x954, ['unsigned long']], 'DpcInterruptRequested' : [ 0x958, ['unsigned char']], 'DpcThreadRequested' : [ 0x959, ['unsigned char']], 'DpcRoutineActive' : [ 0x95a, ['unsigned char']], 'DpcThreadActive' : [ 0x95b, ['unsigned char']], 'PrcbLock' : [ 0x95c, ['unsigned 
long']], 'DpcLastCount' : [ 0x960, ['unsigned long']], 'TimerHand' : [ 0x964, ['unsigned long']], 'TimerRequest' : [ 0x968, ['unsigned long']], 'DpcThread' : [ 0x96c, ['pointer', ['void']]], 'DpcEvent' : [ 0x970, ['_KEVENT']], 'ThreadDpcEnable' : [ 0x980, ['unsigned char']], 'QuantumEnd' : [ 0x981, ['unsigned char']], 'PrcbPad50' : [ 0x982, ['unsigned char']], 'IdleSchedule' : [ 0x983, ['unsigned char']], 'DpcSetEventRequest' : [ 0x984, ['long']], 'PrcbPad5' : [ 0x988, ['array', 18, ['unsigned char']]], 'TickOffset' : [ 0x99c, ['long']], 'CallDpc' : [ 0x9a0, ['_KDPC']], 'PrcbPad7' : [ 0x9c0, ['array', 8, ['unsigned long']]], 'WaitListHead' : [ 0x9e0, ['_LIST_ENTRY']], 'ReadySummary' : [ 0x9e8, ['unsigned long']], 'QueueIndex' : [ 0x9ec, ['unsigned long']], 'DispatcherReadyListHead' : [ 0x9f0, ['array', 32, ['_LIST_ENTRY']]], 'DeferredReadyListHead' : [ 0xaf0, ['_SINGLE_LIST_ENTRY']], 'PrcbPad72' : [ 0xaf4, ['array', 11, ['unsigned long']]], 'ChainedInterruptList' : [ 0xb20, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0xb24, ['long']], 'MmPageFaultCount' : [ 0xb28, ['long']], 'MmCopyOnWriteCount' : [ 0xb2c, ['long']], 'MmTransitionCount' : [ 0xb30, ['long']], 'MmCacheTransitionCount' : [ 0xb34, ['long']], 'MmDemandZeroCount' : [ 0xb38, ['long']], 'MmPageReadCount' : [ 0xb3c, ['long']], 'MmPageReadIoCount' : [ 0xb40, ['long']], 'MmCacheReadCount' : [ 0xb44, ['long']], 'MmCacheIoCount' : [ 0xb48, ['long']], 'MmDirtyPagesWriteCount' : [ 0xb4c, ['long']], 'MmDirtyWriteIoCount' : [ 0xb50, ['long']], 'MmMappedPagesWriteCount' : [ 0xb54, ['long']], 'MmMappedWriteIoCount' : [ 0xb58, ['long']], 'SpareFields0' : [ 0xb5c, ['array', 1, ['unsigned long']]], 'VendorString' : [ 0xb60, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0xb6d, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0xb6e, ['unsigned char']], 'MHz' : [ 0xb70, ['unsigned long']], 'FeatureBits' : [ 0xb74, ['unsigned long']], 'UpdateSignature' : [ 0xb78, ['_LARGE_INTEGER']], 'IsrTime' : 
[ 0xb80, ['unsigned long long']], 'SpareField1' : [ 0xb88, ['unsigned long long']], 'NpxSaveArea' : [ 0xb90, ['_FX_SAVE_AREA']], 'PowerState' : [ 0xda0, ['_PROCESSOR_POWER_STATE']], } ], '_KPCR' : [ 0xfe0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'PerfGlobalGroupMask' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, 
['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned char']], 'Expedite' : [ 0x3, ['unsigned char']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_KTHREAD' : [ 0x1b8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListHead' : [ 0x10, ['_LIST_ENTRY']], 'InitialStack' : [ 0x18, ['pointer', ['void']]], 'StackLimit' : [ 0x1c, ['pointer', ['void']]], 'KernelStack' : [ 0x20, ['pointer', ['void']]], 'ThreadLock' : [ 0x24, ['unsigned long']], 'ApcState' : [ 0x28, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x28, ['array', 23, ['unsigned char']]], 'ApcQueueable' : [ 0x3f, ['unsigned char']], 'NextProcessor' : [ 0x40, ['unsigned char']], 'DeferredProcessor' : [ 0x41, ['unsigned char']], 'AdjustReason' : [ 0x42, ['unsigned char']], 'AdjustIncrement' : [ 0x43, ['unsigned char']], 'ApcQueueLock' : [ 0x44, ['unsigned long']], 'ContextSwitches' : [ 0x48, ['unsigned long']], 'State' : [ 0x4c, ['unsigned char']], 'NpxState' : [ 0x4d, ['unsigned char']], 'WaitIrql' : [ 0x4e, ['unsigned char']], 'WaitMode' : [ 0x4f, ['unsigned char']], 
'WaitStatus' : [ 0x50, ['long']], 'WaitBlockList' : [ 0x54, ['pointer', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x54, ['pointer', ['_KGATE']]], 'Alertable' : [ 0x58, ['unsigned char']], 'WaitNext' : [ 0x59, ['unsigned char']], 'WaitReason' : [ 0x5a, ['unsigned char']], 'Priority' : [ 0x5b, ['unsigned char']], 'EnableStackSwap' : [ 0x5c, ['unsigned char']], 'SwapBusy' : [ 0x5d, ['unsigned char']], 'Alerted' : [ 0x5e, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x60, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x68, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x6c, ['unsigned long']], 'KernelApcDisable' : [ 0x70, ['short']], 'SpecialApcDisable' : [ 0x72, ['short']], 'CombinedApcDisable' : [ 0x70, ['unsigned long']], 'Teb' : [ 0x74, ['pointer', ['void']]], 'Timer' : [ 0x78, ['_KTIMER']], 'TimerFill' : [ 0x78, ['array', 40, ['unsigned char']]], 'AutoAlignment' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xa0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'GuiThread' : [ 0xa0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ReservedFlags' : [ 0xa0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xa0, ['long']], 'WaitBlock' : [ 0xa8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xa8, ['array', 23, ['unsigned char']]], 'SystemAffinityActive' : [ 0xbf, ['unsigned char']], 'WaitBlockFill1' : [ 0xa8, ['array', 47, ['unsigned char']]], 'PreviousMode' : [ 0xd7, ['unsigned char']], 'WaitBlockFill2' : [ 0xa8, ['array', 71, ['unsigned char']]], 'ResourceIndex' : [ 0xef, ['unsigned char']], 'WaitBlockFill3' : [ 0xa8, ['array', 95, ['unsigned char']]], 'LargeStack' : [ 0x107, ['unsigned char']], 'QueueListEntry' : [ 0x108, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x110, ['pointer', ['_KTRAP_FRAME']]], 'CallbackStack' : [ 0x114, ['pointer', ['void']]], 'ServiceTable' 
: [ 0x118, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x11c, ['unsigned char']], 'IdealProcessor' : [ 0x11d, ['unsigned char']], 'Preempted' : [ 0x11e, ['unsigned char']], 'ProcessReadyQueue' : [ 0x11f, ['unsigned char']], 'KernelStackResident' : [ 0x120, ['unsigned char']], 'BasePriority' : [ 0x121, ['unsigned char']], 'PriorityDecrement' : [ 0x122, ['unsigned char']], 'Saturation' : [ 0x123, ['unsigned char']], 'UserAffinity' : [ 0x124, ['unsigned long']], 'Process' : [ 0x128, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x12c, ['unsigned long']], 'ApcStatePointer' : [ 0x130, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x138, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x138, ['array', 23, ['unsigned char']]], 'FreezeCount' : [ 0x14f, ['unsigned char']], 'SuspendCount' : [ 0x150, ['unsigned char']], 'UserIdealProcessor' : [ 0x151, ['unsigned char']], 'CalloutActive' : [ 0x152, ['unsigned char']], 'Iopl' : [ 0x153, ['unsigned char']], 'Win32Thread' : [ 0x154, ['pointer', ['void']]], 'StackBase' : [ 0x158, ['pointer', ['void']]], 'SuspendApc' : [ 0x15c, ['_KAPC']], 'SuspendApcFill0' : [ 0x15c, ['array', 1, ['unsigned char']]], 'Quantum' : [ 0x15d, ['unsigned char']], 'SuspendApcFill1' : [ 0x15c, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x15f, ['unsigned char']], 'SuspendApcFill2' : [ 0x15c, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x160, ['unsigned long']], 'SuspendApcFill3' : [ 0x15c, ['array', 36, ['unsigned char']]], 'TlsArray' : [ 0x180, ['pointer', ['void']]], 'SuspendApcFill4' : [ 0x15c, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x184, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x15c, ['array', 47, ['unsigned char']]], 'PowerState' : [ 0x18b, ['unsigned char']], 'UserTime' : [ 0x18c, ['unsigned long']], 'SuspendSemaphore' : [ 0x190, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x190, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1a4, ['unsigned long']], 'ThreadListEntry' : [ 0x1a8, 
['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1b0, ['pointer', ['void']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned 
long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_ETHREAD' : [ 0x250, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1b8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x1c0, ['_LARGE_INTEGER']], 'LpcReplyChain' : [ 0x1c0, ['_LIST_ENTRY']], 'KeyedWaitChain' : [ 0x1c0, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1c8, ['long']], 'OfsChain' : [ 0x1c8, ['pointer', ['void']]], 'PostBlockList' : [ 0x1cc, ['_LIST_ENTRY']], 'TerminationPort' : [ 0x1d4, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1d4, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 
0x1d4, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x1d8, ['unsigned long']], 'ActiveTimerListHead' : [ 0x1dc, ['_LIST_ENTRY']], 'Cid' : [ 0x1e4, ['_CLIENT_ID']], 'LpcReplySemaphore' : [ 0x1ec, ['_KSEMAPHORE']], 'KeyedWaitSemaphore' : [ 0x1ec, ['_KSEMAPHORE']], 'LpcReplyMessage' : [ 0x200, ['pointer', ['void']]], 'LpcWaitingOnPort' : [ 0x200, ['pointer', ['void']]], 'ImpersonationInfo' : [ 0x204, ['pointer', ['_PS_IMPERSONATION_INFORMATION']]], 'IrpList' : [ 0x208, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x210, ['unsigned long']], 'DeviceToVerify' : [ 0x214, ['pointer', ['_DEVICE_OBJECT']]], 'ThreadsProcess' : [ 0x218, ['pointer', ['_EPROCESS']]], 'StartAddress' : [ 0x21c, ['pointer', ['void']]], 'Win32StartAddress' : [ 0x220, ['pointer', ['void']]], 'LpcReceivedMessageId' : [ 0x220, ['unsigned long']], 'ThreadListEntry' : [ 0x224, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x22c, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x230, ['_EX_PUSH_LOCK']], 'LpcReplyMessageId' : [ 0x234, ['unsigned long']], 'ReadClusterSize' : [ 0x238, ['unsigned long']], 'GrantedAccess' : [ 0x23c, ['unsigned long']], 'CrossThreadFlags' : [ 0x240, ['unsigned long']], 'Terminated' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeadThread' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x240, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x240, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x240, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x240, ['BitField', dict(start_bit = 7, end_bit = 8, 
native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x240, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x244, ['unsigned long']], 'ActiveExWorker' : [ 0x244, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x244, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x244, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x244, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x248, ['unsigned long']], 'LpcReceivedMsgIdValid' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'LpcExitThreadCalled' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'AddressSpaceOwner' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x249, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ApcNeeded' : [ 0x249, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ForwardClusterOnly' : [ 0x24c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x24d, ['unsigned char']], 'ActiveFaultCount' : [ 0x24e, ['unsigned char']], } ], 
# _EPROCESS layout for this profile (the archive member header on the page names
# the file win2003_sp2_x86_vtypes.py). Volatility vtype convention:
#   'StructName' : [ total_size, { 'Member' : [ offset, [type, ...] ], ... } ]
# Several members sharing one offset are overlays (unions or bit-fields) of the
# same bytes, not separate storage.
'_EPROCESS' : [ 0x278, {
    # Embedded at offset 0, so an _EPROCESS address is also the address of its _KPROCESS.
    'Pcb' : [ 0x0, ['_KPROCESS']],
    'ProcessLock' : [ 0x78, ['_EX_PUSH_LOCK']],
    'CreateTime' : [ 0x80, ['_LARGE_INTEGER']],
    'ExitTime' : [ 0x88, ['_LARGE_INTEGER']],
    'RundownProtect' : [ 0x90, ['_EX_RUNDOWN_REF']],
    # Typed as a pointer, i.e. a pointer-sized slot; presumably holds the PID value
    # rather than an address to dereference -- confirm against the consuming plugin.
    'UniqueProcessId' : [ 0x94, ['pointer', ['void']]],
    # _LIST_ENTRY Flink/Blink are typed as pointers to _LIST_ENTRY, so a link lands on
    # the neighbour's list field at +0x98, not on the start of its _EPROCESS.
    # NOTE(review): walking this list only reaches entries that are still linked;
    # when validating a process listing, compare it with an enumeration that does
    # not depend on these links (e.g. pool scanning).
    'ActiveProcessLinks' : [ 0x98, ['_LIST_ENTRY']],
    'QuotaUsage' : [ 0xa0, ['array', 3, ['unsigned long']]],
    'QuotaPeak' : [ 0xac, ['array', 3, ['unsigned long']]],
    'CommitCharge' : [ 0xb8, ['unsigned long']],
    'PeakVirtualSize' : [ 0xbc, ['unsigned long']],
    'VirtualSize' : [ 0xc0, ['unsigned long']],
    'SessionProcessLinks' : [ 0xc4, ['_LIST_ENTRY']],
    'DebugPort' : [ 0xcc, ['pointer', ['void']]],
    'ExceptionPort' : [ 0xd0, ['pointer', ['void']]],
    'ObjectTable' : [ 0xd4, ['pointer', ['_HANDLE_TABLE']]],
    # _EX_FAST_REF (defined earlier in this dict) overlays a 3-bit RefCnt on the low
    # bits of Object; presumably those bits must be masked off before the value is
    # used as the token address -- confirm in the object class that reads it.
    'Token' : [ 0xd8, ['_EX_FAST_REF']],
    'WorkingSetPage' : [ 0xdc, ['unsigned long']],
    'AddressCreationLock' : [ 0xe0, ['_KGUARDED_MUTEX']],
    'HyperSpaceLock' : [ 0x100, ['unsigned long']],
    'ForkInProgress' : [ 0x104, ['pointer', ['_ETHREAD']]],
    'HardwareTrigger' : [ 0x108, ['unsigned long']],
    'PhysicalVadRoot' : [ 0x10c, ['pointer', ['_MM_AVL_TABLE']]],
    'CloneRoot' : [ 0x110, ['pointer', ['void']]],
    'NumberOfPrivatePages' : [ 0x114, ['unsigned long']],
    'NumberOfLockedPages' : [ 0x118, ['unsigned long']],
    'Win32Process' : [ 0x11c, ['pointer', ['void']]],
    'Job' : [ 0x120, ['pointer', ['_EJOB']]],
    'SectionObject' : [ 0x124, ['pointer', ['void']]],
    'SectionBaseAddress' : [ 0x128, ['pointer', ['void']]],
    'QuotaBlock' : [ 0x12c, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]],
    'WorkingSetWatch' : [ 0x130, ['pointer', ['_PAGEFAULT_HISTORY']]],
    'Win32WindowStation' : [ 0x134, ['pointer', ['void']]],
    # Same pointer-sized typing as UniqueProcessId; presumably the creator's PID.
    # NOTE(review): the field is a stored value, so treat it as a hint and check it
    # against the creator's own CreateTime/ExitTime before trusting a parent link.
    'InheritedFromUniqueProcessId' : [ 0x138, ['pointer', ['void']]],
    'LdtInformation' : [ 0x13c, ['pointer', ['void']]],
    'VadFreeHint' : [ 0x140, ['pointer', ['void']]],
    'VdmObjects' : [ 0x144, ['pointer', ['void']]],
    'DeviceMap' : [ 0x148, ['pointer', ['void']]],
    # Type list of Spare0 continues on the following line of the file.
    'Spare0' : [ 0x14c, ['array', 3, ['pointer',
['void']]]], 'PageDirectoryPte' : [ 0x158, ['_HARDWARE_PTE']], 'Filler' : [ 0x158, ['unsigned long long']], 'Session' : [ 0x160, ['pointer', ['void']]], 'ImageFileName' : [ 0x164, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x174, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x17c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x180, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x188, ['pointer', ['void']]], 'PaeTop' : [ 0x18c, ['pointer', ['void']]], 'ActiveThreads' : [ 0x190, ['unsigned long']], 'GrantedAccess' : [ 0x194, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x198, ['unsigned long']], 'LastThreadExitStatus' : [ 0x19c, ['long']], 'Peb' : [ 0x1a0, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x1a4, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x1a8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1d8, ['unsigned long']], 'CommitChargePeak' : [ 0x1dc, ['unsigned long']], 'AweInfo' : [ 0x1e0, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1e4, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1e8, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x230, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x238, ['unsigned long']], 'JobStatus' : [ 0x23c, ['unsigned long']], 'Flags' : [ 0x240, ['unsigned long']], 'CreateReported' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x240, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned long')]], 'VmDeleted' : [ 0x240, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x240, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x240, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x240, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x240, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x240, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x240, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x240, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SessionCreationUnderway' : [ 0x240, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x240, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x240, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x240, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x240, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x240, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x240, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x240, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x240, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x240, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 
    # Tail of the _EPROCESS member map: the remaining bit-fields overlaid on the
    # 'Flags' dword at 0x240. start_bit is inclusive and end_bit exclusive (the
    # fields tile bits 0..32 without gaps).
    'VdmAllowed' : [ 0x240, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]],
    'SmapAllowed' : [ 0x240, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]],
    'CreateFailed' : [ 0x240, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]],
    'DefaultIoPriority' : [ 0x240, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]],
    'Spare1' : [ 0x240, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]],
    'Spare2' : [ 0x240, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]],
    'ExitStatus' : [ 0x244, ['long']],
    'NextPageColor' : [ 0x248, ['unsigned short']],
    # SubSystemVersion (2 bytes at 0x24a) overlays the minor/major bytes at 0x24a/0x24b.
    'SubSystemMinorVersion' : [ 0x24a, ['unsigned char']],
    'SubSystemMajorVersion' : [ 0x24b, ['unsigned char']],
    'SubSystemVersion' : [ 0x24a, ['unsigned short']],
    'PriorityClass' : [ 0x24c, ['unsigned char']],
    # Embedded _MM_AVL_TABLE (not a pointer) in this profile.
    'VadRoot' : [ 0x250, ['_MM_AVL_TABLE']],
    'Cookie' : [ 0x270, ['unsigned long']],
} ],
# _OBJECT_HEADER: 0x20 bytes, with 'Body' at 0x18 marking where the object itself
# starts; presumably a header is located by subtracting 0x18 from an object
# address -- confirm in the code that instantiates it.
'_OBJECT_HEADER' : [ 0x20, {
    'PointerCount' : [ 0x0, ['long']],
    # HandleCount and NextToFree share offset 0x4 (overlay).
    'HandleCount' : [ 0x4, ['long']],
    'NextToFree' : [ 0x4, ['pointer', ['void']]],
    'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]],
    # One-byte values. NOTE(review): presumably byte distances back from this header
    # to the optional _OBJECT_HEADER_NAME_INFO / _HANDLE_INFO / _QUOTA_INFO
    # structures, with 0 meaning "absent" -- verify before relying on it.
    'NameInfoOffset' : [ 0xc, ['unsigned char']],
    'HandleInfoOffset' : [ 0xd, ['unsigned char']],
    'QuotaInfoOffset' : [ 0xe, ['unsigned char']],
    'Flags' : [ 0xf, ['unsigned char']],
    # ObjectCreateInfo and QuotaBlockCharged share offset 0x10 (overlay).
    'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]],
    'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]],
    'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]],
    'Body' : [ 0x18, ['_QUAD']],
} ],
# Optional header carrying quota charges and a pointer to an owning _EPROCESS.
'_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, {
    'PagedPoolCharge' : [ 0x0, ['unsigned long']],
    'NonPagedPoolCharge' : [ 0x4, ['unsigned long']],
    'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']],
    'ExclusiveProcess' : [ 0xc, ['pointer', ['_EPROCESS']]],
} ],
# Both members sit at offset 0: either a pointer to a handle-count database or a
# single inline entry (overlay). The type of SingleEntry continues on the
# following line of the file.
'_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, {
    'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]],
    'SingleEntry' : [ 0x0,
['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x190, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x38, ['_LIST_ENTRY']], 'Name' : [ 0x40, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x48, ['pointer', ['void']]], 'Index' : [ 0x4c, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x50, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x54, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x58, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x5c, ['unsigned long']], 'TypeInfo' : [ 0x60, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0xac, ['unsigned long']], 'ObjectLocks' : [ 0xb0, ['array', 4, ['_ERESOURCE']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1152' : [ 0x4, { 'Long' : [ 0x0, ['unsigned 
long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1152']], } ], '__unnamed_115f' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'ReadStatus' : [ 0x0, ['long']], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1161' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_1164' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1166' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1164']], } ], '__unnamed_116b' : [ 0x4, { 'EntireFrame' : [ 0x0, ['unsigned long']], 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 31, native_type='unsigned long')]], 'MustBeCached' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_115f']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'u2' : [ 0x8, ['__unnamed_1161']], 'u3' : [ 0xc, ['__unnamed_1166']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_116b']], } ], '__unnamed_1172' : [ 0x4, { 'Balance' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_1175' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_117a' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1172']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1175']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_117a']], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_MMPTE_FLUSH_LIST' : [ 0x88, { 'Count' : [ 0x0, ['unsigned long']], 'FlushVa' : [ 0x4, ['array', 33, ['pointer', ['void']]]], } ], '__unnamed_118c' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'u' : [ 0x4, ['__unnamed_118c']], 'StartingSector' : [ 0x8, ['unsigned long']], 'NumberOfFullSectors' : [ 0xc, ['unsigned long']], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'UnusedPtes' : [ 0x14, ['unsigned long']], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'NextSubsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], } ], 
'_MMPAGING_FILE' : [ 0x3c, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'CurrentUsage' : [ 0x10, ['unsigned long']], 'PeakUsage' : [ 0x14, ['unsigned long']], 'HighestPage' : [ 0x18, ['unsigned long']], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x20, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x28, ['_UNICODE_STRING']], 'Bitmap' : [ 0x30, ['pointer', ['_RTL_BITMAP']]], 'PageFileNumber' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'ReferenceCount' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'BootPartition' : [ 0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Reserved' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'FileHandle' : [ 0x38, ['pointer', ['void']]], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 
0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'SpareByte' : [ 0x17, ['unsigned char']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x10, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x8, ['_ULARGE_INTEGER']], } ], '__unnamed_11b9' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_11b9']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : 
[ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned 
long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1227' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, 
['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1227']], } ], '__unnamed_122e' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 
0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_122e']], } ], '_SHARED_CACHE_MAP' : [ 0x138, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObject' : [ 0x44, ['pointer', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, 
['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'VacbPushLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x130, ['pointer', ['void']]], } ], '_FILE_OBJECT' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], } ], '__unnamed_1253' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_1253']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '__unnamed_1268' : [ 0x10, { 
'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_126a' : [ 0x2, { 'FreeListsInUseTerminate' : [ 0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' : [ 0x588, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'ForceFlags' : [ 0x10, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x14, ['unsigned long']], 'SegmentReserve' : [ 0x18, ['unsigned long']], 'SegmentCommit' : [ 0x1c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x20, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x24, ['unsigned long']], 'TotalFreeSize' : [ 0x28, ['unsigned long']], 'MaximumAllocationSize' : [ 0x2c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x30, ['unsigned short']], 'HeaderValidateLength' : [ 0x32, ['unsigned short']], 'HeaderValidateCopy' : [ 0x34, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x38, ['unsigned short']], 'MaximumTagIndex' : [ 0x3a, ['unsigned short']], 'TagEntries' : [ 0x3c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x40, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x44, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AlignRound' : [ 0x48, ['unsigned long']], 'AlignMask' : [ 0x4c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x50, ['_LIST_ENTRY']], 'Segments' : [ 0x58, ['array', 64, ['pointer', ['_HEAP_SEGMENT']]]], 'u' : [ 0x158, ['__unnamed_1268']], 'u2' : [ 0x168, ['__unnamed_126a']], 'AllocatorBackTraceIndex' : [ 0x16a, ['unsigned short']], 'NonDedicatedListLength' : [ 0x16c, ['unsigned long']], 'LargeBlocksIndex' : [ 0x170, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0x174, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x178, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0x578, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x57c, ['pointer', ['void']]], 'FrontEndHeap' : [ 0x580, ['pointer', 
['void']]], 'FrontHeapLockCount' : [ 0x584, ['unsigned short']], 'FrontEndHeapType' : [ 0x586, ['unsigned char']], 'LastSegmentIndex' : [ 0x587, ['unsigned char']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], } ], '_HEAP_SEGMENT' : [ 0x3c, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Heap' : [ 0x10, ['pointer', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x14, ['unsigned long']], 'BaseAddress' : [ 0x18, ['pointer', ['void']]], 'NumberOfPages' : [ 0x1c, ['unsigned long']], 'FirstEntry' : [ 0x20, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x28, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x2c, ['unsigned long']], 'UnCommittedRanges' : [ 0x30, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'LastEntryInSegment' : [ 0x38, ['pointer', ['_HEAP_ENTRY']]], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'Bucket' : [ 0x0, ['pointer', ['void']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'FreeThreshold' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_TOKEN' : [ 0xa8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 
'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, ['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : [ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x6c, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x70, ['pointer', ['void']]], 'Privileges' : [ 0x74, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x78, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0x7c, ['pointer', ['_ACL']]], 'TokenType' : [ 0x80, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x84, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0x88, ['unsigned char']], 'TokenInUse' : [ 0x89, ['unsigned char']], 'ProxyData' : [ 0x8c, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0x90, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0x94, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0x98, ['_LUID']], 'VariablePart' : [ 0xa0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x18, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned long']], 'pDeviceMap' : [ 0x14, ['pointer', ['_DEVICE_MAP']]], } ], '_TEB' : [ 0xfbc, { 'NtTib' : [ 0x0, ['_NT_TIB']], 
'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x1ac, ['array', 40, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, 
['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 14, ['pointer', ['void']]]], 'SubProcessTag' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SparePointer1' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'SoftPatchPtr2' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'SafeThunkCall' : [ 0xfb8, ['unsigned char']], 'BooleanSpare' : [ 0xfb9, ['array', 3, ['unsigned char']]], } ], '_HEAP_UCR_SEGMENT' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x4, ['unsigned long']], 'CommittedSize' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 
0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerThreads' : [ 0x18, ['array', 2, ['_OWNER_ENTRY']]], 'ContentionCount' : [ 0x28, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x2c, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x2e, ['unsigned short']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x50, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 
0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], } ], '_HEAP_UNCOMMMTTED_RANGE' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x128, { 'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, ['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, ['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long']], 'ResourceDatabase' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x30, ['pointer', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x34, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x38, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x3c, ['unsigned long']], 'NodesSearched' : [ 0x40, ['unsigned long']], 'MaxNodesSearched' : [ 0x44, ['unsigned long']], 'SequenceNumber' : [ 0x48, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4c, ['unsigned long']], 'SearchedNodesLimit' : [ 0x50, ['unsigned long']], 'DepthLimitHits' : [ 0x54, ['unsigned long']], 'SearchLimitHits' : [ 0x58, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x5c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x60, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x64, ['unsigned long']], 'TotalReleases' : [ 0x68, ['unsigned long']], 'RootNodesDeleted' : [ 0x6c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x70, ['unsigned 
long']], 'PoolTrimCounter' : [ 0x74, ['unsigned long']], 'FreeResourceList' : [ 0x78, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x80, ['_LIST_ENTRY']], 'FreeNodeList' : [ 0x88, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0x90, ['unsigned long']], 'FreeThreadCount' : [ 0x94, ['unsigned long']], 'FreeNodeCount' : [ 0x98, ['unsigned long']], 'Instigator' : [ 0x9c, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0xa0, ['unsigned long']], 'Participant' : [ 0xa4, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x124, ['unsigned long']], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, 
['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WMI_LOGGER_CONTEXT' : [ 0x1d8, { 'BufferSpinLock' : [ 0x0, ['unsigned long']], 'StartTime' : [ 0x8, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x10, ['pointer', ['void']]], 'LoggerSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'LoggerThread' : [ 0x28, ['pointer', ['_ETHREAD']]], 'LoggerEvent' : [ 0x2c, ['_KEVENT']], 'FlushEvent' : [ 0x3c, ['_KEVENT']], 'LoggerStatus' : [ 0x4c, ['long']], 'LoggerId' : [ 0x50, ['unsigned long']], 'BuffersAvailable' : [ 0x54, ['long']], 'UsePerfClock' : [ 0x58, ['unsigned long']], 'WriteFailureLimit' : [ 0x5c, ['unsigned long']], 'BuffersDirty' : [ 0x60, ['long']], 'BuffersInUse' : [ 0x64, ['long']], 'SwitchingInProgress' : [ 0x68, ['unsigned long']], 'FreeList' : [ 0x70, ['_SLIST_HEADER']], 'FlushList' : [ 0x78, ['_SLIST_HEADER']], 'WaitList' : [ 0x80, ['_SLIST_HEADER']], 'GlobalList' : [ 0x88, ['_SLIST_HEADER']], 'ProcessorBuffers' : [ 0x90, ['pointer', ['pointer', ['_WMI_BUFFER_HEADER']]]], 'LoggerName' : [ 0x94, ['_UNICODE_STRING']], 'LogFileName' : [ 0x9c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0xa4, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xac, ['_UNICODE_STRING']], 'EndPageMarker' : [ 0xb4, ['pointer', ['unsigned char']]], 'CollectionOn' : [ 0xb8, ['long']], 'KernelTraceOn' : [ 0xbc, ['unsigned long']], 'PerfLogInTransition' : [ 0xc0, ['long']], 'RequestFlag' : [ 0xc4, ['unsigned long']], 'EnableFlags' : [ 0xc8, ['unsigned long']], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'LoggerMode' : [ 0xd0, ['unsigned long']], 'LoggerModeFlags' : [ 0xd0, ['_WMI_LOGGER_MODE']], 'Wow' : [ 0xd4, ['unsigned long']], 'LastFlushedBuffer' : [ 0xd8, ['unsigned long']], 'RefCount' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'FirstBufferOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'ByteOffset' : [ 0xf0, ['_LARGE_INTEGER']], 
'BufferAgeLimit' : [ 0xf8, ['_LARGE_INTEGER']], 'MaximumBuffers' : [ 0x100, ['unsigned long']], 'MinimumBuffers' : [ 0x104, ['unsigned long']], 'EventsLost' : [ 0x108, ['unsigned long']], 'BuffersWritten' : [ 0x10c, ['unsigned long']], 'LogBuffersLost' : [ 0x110, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x114, ['unsigned long']], 'BufferSize' : [ 0x118, ['unsigned long']], 'NumberOfBuffers' : [ 0x11c, ['long']], 'SequencePtr' : [ 0x120, ['pointer', ['long']]], 'InstanceGuid' : [ 0x124, ['_GUID']], 'LoggerHeader' : [ 0x134, ['pointer', ['void']]], 'GetCpuClock' : [ 0x138, ['pointer', ['void']]], 'ClientSecurityContext' : [ 0x13c, ['_SECURITY_CLIENT_CONTEXT']], 'LoggerExtension' : [ 0x178, ['pointer', ['void']]], 'ReleaseQueue' : [ 0x17c, ['long']], 'EnableFlagExtension' : [ 0x180, ['_TRACE_ENABLE_FLAG_EXTENSION']], 'LocalSequence' : [ 0x184, ['unsigned long']], 'MaximumIrql' : [ 0x188, ['unsigned long']], 'EnableFlagArray' : [ 0x18c, ['pointer', ['unsigned long']]], 'LoggerMutex' : [ 0x190, ['_KMUTANT']], 'MutexCount' : [ 0x1b0, ['long']], 'FileCounter' : [ 0x1b4, ['long']], 'BufferCallback' : [ 0x1b8, ['pointer', ['void']]], 'CallbackContext' : [ 0x1bc, ['pointer', ['void']]], 'PoolType' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceSystemTime' : [ 0x1c8, ['_LARGE_INTEGER']], 'ReferenceTimeStamp' : [ 0x1d0, ['_LARGE_INTEGER']], } ], '_SEGMENT_OBJECT' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 
'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x20, ['pointer', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x24, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x28, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_1388' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 0x38, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x18, ['unsigned long']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_1388']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'FlushInProgressCount' : [ 0x2e, ['unsigned short']], 'WritableUserReferences' : [ 0x30, ['unsigned long']], 'QuadwordPad' : [ 0x34, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x44, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleTableLock' : [ 0xc, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x1c, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x24, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x28, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x2c, ['long']], 'FirstFree' : [ 0x30, ['unsigned long']], 'LastFree' : [ 0x34, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x38, ['unsigned long']], 'HandleCount' : [ 0x3c, ['long']], 'Flags' : [ 0x40, ['unsigned long']], 'StrictFIFO' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit 
= 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, 
native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_MMSUPPORT' : [ 0x48, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimTime' : [ 0x8, ['_LARGE_INTEGER']], 'Flags' : [ 0x10, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x14, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x18, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x1c, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x20, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x24, ['unsigned long']], 'VmWorkingSetList' : [ 0x28, ['pointer', ['_MMWSL']]], 'Claim' : [ 0x2c, ['unsigned long']], 'NextEstimationSlot' : [ 0x30, ['unsigned long']], 'NextAgingSlot' : [ 0x34, ['unsigned long']], 'EstimatedAvailable' : [ 0x38, ['unsigned long']], 'WorkingSetSize' : [ 0x3c, ['unsigned long']], 'WorkingSetMutex' : [ 0x40, ['_EX_PUSH_LOCK']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]], 'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['unsigned short']]], } ], '_EPROCESS_QUOTA_BLOCK' : [ 0x40, { 'QuotaEntry' : [ 0x0, ['array', 3, ['_EPROCESS_QUOTA_ENTRY']]], 'QuotaList' : [ 0x30, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x38, ['unsigned long']], 'ProcessCount' : [ 0x3c, ['unsigned long']], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_EVENT_COUNTER' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'RefCount' : [ 0x4, ['unsigned long']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_EJOB' : [ 0x180, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : 
[ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'UIRestrictionsClass' : [ 0xb0, ['unsigned long']], 'SecurityLimitFlags' : [ 0xb4, ['unsigned long']], 'Token' : [ 0xb8, ['pointer', ['void']]], 'Filter' : [ 0xbc, ['pointer', ['_PS_JOB_TOKEN_FILTER']]], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'IoInfo' : [ 0x108, ['_IO_COUNTERS']], 'ProcessMemoryLimit' : [ 0x138, ['unsigned long']], 'JobMemoryLimit' : [ 0x13c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x140, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x144, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x148, ['unsigned 
long']], 'MemoryLimitsLock' : [ 0x14c, ['_KGUARDED_MUTEX']], 'JobSetLinks' : [ 0x16c, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x174, ['unsigned long']], 'JobFlags' : [ 0x178, ['unsigned long']], } ], '_LARGE_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x18, ['unsigned long']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_1388']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'FlushInProgressCount' : [ 0x2e, ['unsigned short']], 'WritableUserReferences' : [ 0x30, ['unsigned long']], 'QuadwordPad' : [ 0x34, ['unsigned long']], 'StartingFrame' : [ 0x38, ['unsigned long']], 'UserGlobalList' : [ 0x3c, ['_LIST_ENTRY']], 'SessionId' : [ 0x44, ['unsigned long']], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x24, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x8, ['unsigned long']], 'CapturedGroupCount' : [ 0xc, ['unsigned long']], 'CapturedGroups' : [ 0x10, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x14, ['unsigned long']], 'CapturedPrivilegeCount' : [ 0x18, ['unsigned long']], 'CapturedPrivileges' : [ 0x1c, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x20, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x70, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 
0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'Reserved' : [ 0x68, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, 
native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_TRACE_ENABLE_FLAG_EXTENSION' : [ 0x4, { 'Offset' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned char']], 'Flag' : [ 0x3, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x1c, { 'Name' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'CmHive' : [ 0x8, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0xc, ['unsigned long']], 'CmHiveFlags' : [ 0x10, ['unsigned long']], 
'CmHive2' : [ 0x14, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x18, ['unsigned char']], 'ThreadStarted' : [ 0x19, ['unsigned char']], 'Allocate' : [ 0x1a, ['unsigned char']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0xc, { 'Token' : [ 0x0, ['pointer', ['void']]], 'CopyOnOpen' : [ 0x4, ['unsigned char']], 'EffectiveOnly' : [ 0x5, ['unsigned char']], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_1430' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], } ], '__unnamed_1432' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1436' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x120, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', 
['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x20, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 
'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x70, ['unsigned long']], 'CompletionStatus' : [ 0x74, ['long']], 'PendingIrp' : [ 0x78, ['pointer', ['_IRP']]], 'Flags' : [ 0x7c, ['unsigned long']], 'UserFlags' : [ 0x80, ['unsigned long']], 'Problem' : [ 0x84, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x88, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x8c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x90, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x94, ['_UNICODE_STRING']], 'ServiceName' : [ 0x9c, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xa4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xa8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xb0, ['unsigned long']], 'ChildInterfaceType' : [ 0xb4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 
'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xb8, ['unsigned long']], 'ChildBusTypeIndex' : [ 0xbc, ['unsigned short']], 'RemovalPolicy' : [ 0xbe, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xbf, ['unsigned char']], 'TargetDeviceNotify' : [ 0xc0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xc8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0xd0, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0xd8, ['unsigned short']], 'QueryTranslatorMask' : [ 0xda, ['unsigned short']], 'NoArbiterMask' : [ 0xdc, ['unsigned short']], 'QueryArbiterMask' : [ 0xde, ['unsigned short']], 'OverUsed1' : [ 0xe0, ['__unnamed_1430']], 'OverUsed2' : [ 0xe4, ['__unnamed_1432']], 'BootResources' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0xec, ['unsigned long']], 'DockInfo' : [ 0xf0, ['__unnamed_1436']], 'DisableableDepends' : [ 0x100, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x104, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x10c, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x114, ['unsigned long']], 'PreviousParent' : [ 0x118, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x11c, ['unsigned long']], } ], '__unnamed_143b' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_143b']], } ], '_MMCOLOR_TABLES' : [ 0xc, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, 
['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_KPROCESS' : [ 0x78, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['array', 2, ['unsigned long']]], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Iopl' : [ 0x32, ['unsigned char']], 'Unused' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'AutoAlignment' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x60, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x60, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x60, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x60, ['long']], 'BasePriority' : [ 0x64, ['unsigned char']], 'QuantumReset' : [ 0x65, ['unsigned char']], 'State' : [ 0x66, ['unsigned char']], 'ThreadSeed' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'IdealNode' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], 'StackCount' : [ 0x6c, ['unsigned long']], 'ProcessListEntry' : [ 0x70, ['_LIST_ENTRY']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_1457' : [ 
0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1ec0, { 'GlobalVirtualAddress' : [ 0x0, ['pointer', ['_MM_SESSION_SPACE']]], 'ReferenceCount' : [ 0x4, ['long']], 'u' : [ 0x8, ['__unnamed_1457']], 'SessionId' : [ 0xc, ['unsigned long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'PagedPoolBasePde' : [ 0x34, ['pointer', ['_MMPTE']]], 'Color' : [ 0x38, ['unsigned long']], 'ResidentProcessCount' : [ 0x3c, ['long']], 'SessionPoolAllocationFailures' : [ 0x40, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x50, ['_LIST_ENTRY']], 'LocaleId' : [ 0x58, ['unsigned long']], 'AttachCount' : [ 0x5c, ['unsigned long']], 'AttachEvent' : [ 0x60, ['_KEVENT']], 'LastProcess' : [ 0x70, ['pointer', ['_EPROCESS']]], 'ProcessReferenceToSession' : [ 0x74, ['long']], 'WsListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 26, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd80, ['_MMSESSION']], 'PagedPoolMutex' : [ 0xdc0, ['_KGUARDED_MUTEX']], 'PagedPoolInfo' : [ 0xde0, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xe00, ['_MMSUPPORT']], 'Wsle' : [ 0xe48, ['pointer', ['_MMWSLE']]], 'Win32KDriverUnload' : [ 0xe4c, ['pointer', ['void']]], 'PagedPool' : [ 0xe50, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1e80, ['pointer', ['_MMPTE']]], 'ImageLoadingCount' : [ 0x1e84, ['long']], } ], '_PEB' : [ 0x230, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 
'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'SparePtr2' : [ 0x24, ['pointer', ['void']]], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['pointer', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, 
['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['pointer', ['void']]]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 
0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '__unnamed_1488' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x8, ['_LARGE_INTEGER']], 'u' : [ 0x10, ['__unnamed_1488']], 'Irp' : [ 
0x18, ['pointer', ['_IRP']]], 'LastPageToWrite' : [ 0x1c, ['unsigned long']], 'PagingListHead' : [ 0x20, ['pointer', ['_MMMOD_WRITER_LISTHEAD']]], 'CurrentList' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x28, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x2c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x30, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x34, ['pointer', ['_ERESOURCE']]], 'IssueTime' : [ 0x38, ['_LARGE_INTEGER']], 'Mdl' : [ 0x40, ['_MDL']], 'Page' : [ 0x5c, ['array', 1, ['unsigned long']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x10, { 'Usage' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], 'Peak' : [ 0x8, ['unsigned long']], 'Return' : [ 0xc, ['unsigned long']], } ], '__unnamed_149e' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_149e']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 
0x0, ['_WNODE_HEADER']], 'Reserved1' : [ 0x0, ['unsigned long long']], 'Reserved2' : [ 0x8, ['unsigned long long']], 'Reserved3' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['pointer', ['void']]], 'SlistEntry' : [ 0x1c, ['_SINGLE_LIST_ENTRY']], 'Entry' : [ 0x18, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x0, ['long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'UsePerfClock' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['_WMI_CLIENT_CONTEXT']], 'State' : [ 0x2c, ['_WMI_BUFFER_STATE']], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'InstanceGuid' : [ 0x38, ['_GUID']], 'LoggerContext' : [ 0x38, ['pointer', ['void']]], 'GlobalEntry' : [ 0x3c, ['_SINGLE_LIST_ENTRY']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x120, { 'IdleFunction' : [ 0x0, ['pointer', ['void']]], 'Idle0KernelTimeLimit' : [ 0x4, ['unsigned long']], 'Idle0LastTime' : [ 0x8, ['unsigned long']], 'IdleHandlers' : [ 0xc, ['pointer', ['void']]], 'IdleState' : [ 0x10, ['pointer', ['void']]], 'IdleHandlersCount' : [ 0x14, ['unsigned long']], 'LastCheck' : [ 0x18, ['unsigned long long']], 'IdleTimes' : [ 0x20, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' : [ 0x40, ['unsigned long']], 'PromotionCheck' : [ 0x44, ['unsigned long']], 'IdleTime2' : [ 0x48, ['unsigned long']], 'CurrentThrottle' : [ 0x4c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x4d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x4e, ['unsigned char']], 'ThermalThrottleIndex' : [ 0x4f, ['unsigned char']], 'LastKernelUserTime' : [ 0x50, ['unsigned long']], 'LastIdleThreadKernelTime' : [ 0x54, ['unsigned long']], 'PackageIdleStartTime' : [ 0x58, ['unsigned long']], 'PackageIdleTime' : [ 0x5c, ['unsigned 
long']], 'DebugCount' : [ 0x60, ['unsigned long']], 'LastSysTime' : [ 0x64, ['unsigned long']], 'TotalIdleStateTime' : [ 0x68, ['array', 3, ['unsigned long long']]], 'TotalIdleTransitions' : [ 0x80, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0x90, ['unsigned long long']], 'KneeThrottleIndex' : [ 0x98, ['unsigned char']], 'ThrottleLimitIndex' : [ 0x99, ['unsigned char']], 'PerfStatesCount' : [ 0x9a, ['unsigned char']], 'ProcessorMinThrottle' : [ 0x9b, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x9c, ['unsigned char']], 'EnableIdleAccounting' : [ 0x9d, ['unsigned char']], 'LastC3Percentage' : [ 0x9e, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0x9f, ['unsigned char']], 'PromotionCount' : [ 0xa0, ['unsigned long']], 'DemotionCount' : [ 0xa4, ['unsigned long']], 'ErrorCount' : [ 0xa8, ['unsigned long']], 'RetryCount' : [ 0xac, ['unsigned long']], 'Flags' : [ 0xb0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xb8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xc0, ['unsigned long']], 'PerfTimer' : [ 0xc8, ['_KTIMER']], 'PerfDpc' : [ 0xf0, ['_KDPC']], 'PerfStates' : [ 0x110, ['pointer', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x114, ['pointer', ['void']]], 'LastC3KernelUserTime' : [ 0x118, ['unsigned long']], 'LastPackageIdleTime' : [ 0x11c, ['unsigned long']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, 
native_type='unsigned short')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned short')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned short')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 'WriteTransferCount' : [ 0x20, ['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : 
[ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x4c, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x10, ['_LIST_ENTRY']], 'DeviceType' : [ 0x18, ['unsigned char']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x20, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x28, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x30, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x44, ['_LIST_ENTRY']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit 
= 3, end_bit = 4, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Available0' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'GrowWsleHash' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredUnsafe' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Available' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, 
['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_POP_THERMAL_ZONE' : [ 0xd0, { 
'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x7c, ['pointer', ['_IRP']]], 'Info' : [ 0x80, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned 
short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 
'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CMHIVE' : [ 0x57c, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2d0, ['array', 3, ['pointer', ['void']]]], 'NotifyList' : [ 0x2dc, ['_LIST_ENTRY']], 'HiveList' : [ 0x2e4, ['_LIST_ENTRY']], 'HiveLock' : [ 0x2ec, ['_EX_PUSH_LOCK']], 'ViewLock' : [ 0x2f0, ['pointer', ['_KGUARDED_MUTEX']]], 'WriterLock' : [ 0x2f4, ['_EX_PUSH_LOCK']], 'FlusherLock' : [ 0x2f8, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x2fc, ['_EX_PUSH_LOCK']], 'LRUViewListHead' : [ 0x300, ['_LIST_ENTRY']], 
'PinViewListHead' : [ 0x308, ['_LIST_ENTRY']], 'FileObject' : [ 0x310, ['pointer', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x314, ['_UNICODE_STRING']], 'FileUserName' : [ 0x31c, ['_UNICODE_STRING']], 'MappedViews' : [ 0x324, ['unsigned short']], 'PinnedViews' : [ 0x326, ['unsigned short']], 'UseCount' : [ 0x328, ['unsigned long']], 'SecurityCount' : [ 0x32c, ['unsigned long']], 'SecurityCacheSize' : [ 0x330, ['unsigned long']], 'SecurityHitHint' : [ 0x334, ['long']], 'SecurityCache' : [ 0x338, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x33c, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0x53c, ['pointer', ['_KEVENT']]], 'RootKcb' : [ 0x540, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x544, ['unsigned char']], 'UnloadWorkItem' : [ 0x548, ['pointer', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0x54c, ['unsigned char']], 'GrowOffset' : [ 0x550, ['unsigned long']], 'KcbConvertListHead' : [ 0x554, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x55c, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x564, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x568, ['unsigned long']], 'TrustClassEntry' : [ 0x56c, ['_LIST_ENTRY']], 'FlushCount' : [ 0x574, ['unsigned long']], 'CreatorOwner' : [ 0x578, ['pointer', ['_KTHREAD']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_HHIVE' : [ 0x2d0, { 'Signature' : [ 0x0, ['unsigned 
long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'BaseBlockAlloc' : [ 0x38, ['unsigned long']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 'ReadOnly' : [ 0x41, ['unsigned char']], 'Log' : [ 0x42, ['unsigned char']], 'DirtyFlag' : [ 0x43, ['unsigned char']], 'HiveFlags' : [ 0x44, ['unsigned long']], 'LogSize' : [ 0x48, ['unsigned long']], 'RefreshCount' : [ 0x4c, ['unsigned long']], 'StorageTypeCount' : [ 0x50, ['unsigned long']], 'Version' : [ 0x54, ['unsigned long']], 'Storage' : [ 0x58, ['array', 2, ['_DUAL']]], } ], '_PAGEFAULT_HISTORY' : [ 0x18, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['pointer', ['void']]], 'WatchInfo' : [ 0x10, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['unsigned short']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit 
= 2, end_bit = 32, native_type='unsigned long')]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_WMI_BUFFER_STATE' : [ 0x4, { 'Free' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'InUse' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Flush' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_MMFREE_POOL_ENTRY' : [ 0x14, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Size' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], 'Owner' : [ 0x10, ['pointer', ['_MMFREE_POOL_ENTRY']]], } ], '__unnamed_157f' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, 
['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_157f']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 
0x24, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 'PinViewList' : [ 0x8, ['_LIST_ENTRY']], 'FileOffset' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], 'ViewAddress' : [ 0x18, ['pointer', ['unsigned long']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'UseCount' : [ 0x20, ['unsigned long']], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_KUSER_SHARED_DATA' : [ 0x378, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 
'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'Wow64SharedInformation' : [ 0x334, ['array', 16, ['unsigned long']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x4c, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x2c, ['pointer', ['void']]], 'OpenProcedure' : [ 0x30, 
['pointer', ['void']]], 'CloseProcedure' : [ 0x34, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x38, ['pointer', ['void']]], 'ParseProcedure' : [ 0x3c, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x40, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x44, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x48, ['pointer', ['void']]], } ], '_WMI_LOGGER_MODE' : [ 0x4, { 'SequentialFile' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CircularFile' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'AppendFile' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'RealTime' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DelayOpenFile' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'BufferOnly' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PrivateLogger' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'AddHeader' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'UseExisting' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'UseGlobalSequence' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'UseLocalSequence' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_15cb' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_15d1' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x34, { 
'u1' : [ 0x0, ['__unnamed_1172']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1175']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_117a']], 'u3' : [ 0x28, ['__unnamed_15cb']], 'u4' : [ 0x30, ['__unnamed_15d1']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1030, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, 
['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['void']]], 'PendingFreeDepth' : [ 0x24, ['long']], 'TotalBytes' : [ 0x28, ['unsigned long']], 'Spare0' : [ 0x2c, ['unsigned long']], 'ListHeads' : [ 0x30, ['array', 512, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x28, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' 
: [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x20, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x4, ['pointer', ['_RTL_BITMAP']]], 'FirstPteForPagedPool' : [ 0x8, ['pointer', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 'NextPdeForPagedPoolExpansion' : [ 0x10, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x14, ['unsigned long']], 'PagedPoolCommit' : [ 0x18, ['unsigned long']], 'AllocatedPagedPool' : [ 0x1c, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, 
['array', 32, ['unsigned short']]], } ], '_MMSESSION' : [ 0x40, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewStart' : [ 0x24, ['pointer', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x28, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x30, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x34, ['unsigned long']], 'BitmapFailures' : [ 0x38, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x3c, ['pointer', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long']], 'QuotaObject' : [ 0xc, ['pointer', ['void']]], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 0x8, { 'FaultingPc' : [ 0x0, ['pointer', ['void']]], 'FaultingVa' : [ 0x4, ['pointer', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 31, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_DEADLOCK_NODE' : [ 0x68, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x24, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x48, ['array', 8, ['pointer', ['void']]]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, 
['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : 
[ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0xc8, { 'Next' : [ 0x0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'Slot' : [ 0x20, ['_PCI_SLOT_NUMBER']], 'PhysicalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x28, ['pointer', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x2c, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x30, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x34, ['unsigned long']], 'VendorId' : [ 0x38, ['unsigned short']], 'DeviceId' : [ 0x3a, ['unsigned short']], 
'SubsystemVendorId' : [ 0x3c, ['unsigned short']], 'SubsystemId' : [ 0x3e, ['unsigned short']], 'RevisionId' : [ 0x40, ['unsigned char']], 'ProgIf' : [ 0x41, ['unsigned char']], 'SubClass' : [ 0x42, ['unsigned char']], 'BaseClass' : [ 0x43, ['unsigned char']], 'AdditionalResourceCount' : [ 0x44, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x45, ['unsigned char']], 'InterruptPin' : [ 0x46, ['unsigned char']], 'RawInterruptLine' : [ 0x47, ['unsigned char']], 'CapabilitiesPtr' : [ 0x48, ['unsigned char']], 'SavedLatencyTimer' : [ 0x49, ['unsigned char']], 'SavedCacheLineSize' : [ 0x4a, ['unsigned char']], 'HeaderType' : [ 0x4b, ['unsigned char']], 'NotPresent' : [ 0x4c, ['unsigned char']], 'ReportedMissing' : [ 0x4d, ['unsigned char']], 'ExpectedWritebackFailure' : [ 0x4e, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x4f, ['unsigned char']], 'LegacyDriver' : [ 0x50, ['unsigned char']], 'UpdateHardware' : [ 0x51, ['unsigned char']], 'MovedDevice' : [ 0x52, ['unsigned char']], 'DisablePowerDown' : [ 0x53, ['unsigned char']], 'NeedsHotPlugConfiguration' : [ 0x54, ['unsigned char']], 'IDEInNativeMode' : [ 0x55, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x56, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : [ 0x57, ['unsigned char']], 'OnDebugPath' : [ 0x58, ['unsigned char']], 'IoSpaceNotRequired' : [ 0x59, ['unsigned char']], 'PowerState' : [ 0x5c, ['PCI_POWER_STATE']], 'Dependent' : [ 0x9c, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xa0, ['unsigned long long']], 'Resources' : [ 0xa8, ['pointer', ['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xac, ['pointer', ['_PCI_FDO_EXTENSION']]], 'NextBridge' : [ 0xb0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0xb4, ['pointer', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0xb8, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0xc0, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0xc2, ['unsigned char']], 'CommandEnables' : [ 0xc4, ['unsigned short']], 'InitialCommand' : [ 0xc6, ['unsigned short']], } 
], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '__unnamed_1640' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1642' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1640']], 'Merged' : [ 0x10, ['__unnamed_1642']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_DEVICE_MAP' : [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', 
['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : [ 0x10, ['array', 32, ['unsigned char']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 
'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_1666' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_166d' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_166f' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1666']], 'Bits' : [ 0x0, 
['__unnamed_166d']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_166f']], } ], '__unnamed_1679' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0xc0, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'PhysicalDeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x28, ['pointer', ['_DEVICE_OBJECT']]], 'ChildListLock' : [ 0x2c, ['_KEVENT']], 'ChildPdoList' : [ 0x3c, ['pointer', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 0x40, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x44, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x48, ['pointer', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 0x4c, ['pointer', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x50, ['unsigned 
char']], 'BusHandler' : [ 0x54, ['pointer', ['_BUS_HANDLER']]], 'BaseBus' : [ 0x58, ['unsigned char']], 'Fake' : [ 0x59, ['unsigned char']], 'ChildDelete' : [ 0x5a, ['unsigned char']], 'Scanned' : [ 0x5b, ['unsigned char']], 'ArbitersInitialized' : [ 0x5c, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0x5d, ['unsigned char']], 'Hibernated' : [ 0x5e, ['unsigned char']], 'PowerState' : [ 0x60, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0xa4, ['unsigned long']], 'PreservedConfig' : [ 0xa8, ['pointer', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0xac, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0xb4, ['__unnamed_1679']], 'BusHackFlags' : [ 0xbc, ['unsigned long']], } ], '__unnamed_167d' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_167f' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1681' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1683' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1685' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1687' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1689' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_167d']], 'Port' : [ 0x0, ['__unnamed_167d']], 'Interrupt' : [ 0x0, ['__unnamed_167f']], 'Memory' : [ 0x0, ['__unnamed_167d']], 'Dma' : [ 0x0, ['__unnamed_1681']], 'DevicePrivate' : [ 0x0, ['__unnamed_1683']], 'BusNumber' : [ 0x0, ['__unnamed_1685']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1687']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, 
['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1689']], } ], '_SYSPTES_HEADER' : [ 0xc, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x68, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x38, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x48, ['pointer', 
['void']]], 'KcbLastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x58, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x5a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x5c, ['unsigned long']], 'KcbUserFlags' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x60, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x60, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x60, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ReadConfig' : [ 0x10, ['pointer', ['void']]], 'WriteConfig' : [ 0x14, ['pointer', ['void']]], 'PinToLine' : [ 0x18, ['pointer', ['void']]], 'LineToPin' : [ 0x1c, ['pointer', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x10, ['unsigned long']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 
'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'PolicyChange' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '__unnamed_16c5' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_16cb' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_16cd' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_16cb']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_16d5' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_16d7' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_16d5']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', 
['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_16c5']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_16cd']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_16d7']], } ], '_PCI_LOCK' : [ 0x8, { 'Atom' : [ 0x0, ['unsigned long']], 'OldIrql' : [ 0x4, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '__unnamed_16e2' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_16e2']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_16e8' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0xc, { 'Type' : [ 0x0, 
['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_16e8']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, ['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '__unnamed_16fe' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_16fe']], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', 
['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '__unnamed_1706' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_1706']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x290, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', 
['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockQueuedSpinLock', 7: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['unsigned long']], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_PEB_FREE_BLOCK' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x28, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 
'WakeNeeded' : [ 0xc, ['unsigned char']], 'OrderLevel' : [ 0xd, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Node' : [ 0x14, ['pointer', ['void']]], 'DeviceName' : [ 0x18, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x1c, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x20, ['unsigned long']], 'ActiveChild' : [ 0x24, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '__unnamed_172b' : [ 0x4, { 'Spare' : [ 0x0, ['array', 4, ['unsigned char']]], } ], '__unnamed_172d' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_172b']], 'type1' : [ 0x0, ['__unnamed_172d']], 'type2' : [ 0x0, ['__unnamed_172d']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x1e4, { 'Type' : [ 0x0, 
['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'ServiceContext' : [ 0x10, ['pointer', ['void']]], 'SpinLock' : [ 0x14, ['unsigned long']], 'TickCount' : [ 0x18, ['unsigned long']], 'ActualLock' : [ 0x1c, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x20, ['pointer', ['void']]], 'Vector' : [ 0x24, ['unsigned long']], 'Irql' : [ 0x28, ['unsigned char']], 'SynchronizeIrql' : [ 0x29, ['unsigned char']], 'FloatingSave' : [ 0x2a, ['unsigned char']], 'Connected' : [ 0x2b, ['unsigned char']], 'Number' : [ 0x2c, ['unsigned char']], 'ShareVector' : [ 0x2d, ['unsigned char']], 'Mode' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x34, ['unsigned long']], 'DispatchCount' : [ 0x38, ['unsigned long']], 'DispatchCode' : [ 0x3c, ['array', 106, ['unsigned long']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0xe0, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0xc, ['pointer', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x10, ['pointer', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x14, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x44, ['_ARBITER_INSTANCE']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : 
[ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x20, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x4, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x8, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0xc, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x14, ['pointer', ['void']]], 'OtherIrpDispatchStyle' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x1c, ['pointer', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, 
['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_DIRECTORY' : [ 0xa0, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], } ], '_WMI_CLIENT_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 
0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['unsigned long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x698, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x14, ['unsigned long']], 'NonDirectCount' : [ 0x18, ['unsigned long']], 'HashTable' : [ 0x1c, ['pointer', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x20, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x24, ['unsigned long']], 'HashTableStart' : [ 0x28, ['pointer', ['void']]], 'HighestPermittedHashAddress' : [ 0x2c, ['pointer', ['void']]], 'NumberOfImageWaiters' : [ 0x30, ['unsigned long']], 'VadBitMapHint' : [ 0x34, ['unsigned long']], 'UsedPageTableEntries' : [ 0x38, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x638, ['array', 24, ['unsigned long']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 
'PCI_FUNCTION_RESOURCES' : [ 0x150, { 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '__unnamed_179f' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_17a3' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x40, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'Spare0' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x18, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x1c, ['unsigned long']], 'ExtendInfo' : [ 0x20, ['pointer', ['_MMEXTEND_INFO']]], 'SegmentFlags' : [ 0x24, ['_SEGMENT_FLAGS']], 'BasedAddress' : [ 0x28, ['pointer', ['void']]], 'u1' : [ 0x2c, ['__unnamed_179f']], 'u2' : [ 0x30, ['__unnamed_17a3']], 'PrototypePte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x38, ['array', 1, 
['_MMPTE']]], } ], '_PCI_COMMON_EXTENSION' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['void']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'PoolPageHeaders' : [ 0x28, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x30, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x38, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x3c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PagedBytes' : [ 0x48, ['unsigned long']], 'NonPagedBytes' : [ 0x4c, ['unsigned long']], 'PeakPagedBytes' : [ 0x50, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x54, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, 
['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x20, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x1c, ['pointer', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned 
char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x2c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'ControlArea' : [ 0x4, ['pointer', 
['_CONTROL_AREA']]], } ], 'PCI_SECONDARY_EXTENSION' : [ 0xc, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x8, ['pointer', ['void']]], } ], '__unnamed_17ce' : [ 0x30, { 'type0' : [ 0x0, ['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_17ce']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 
'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'Spare1' : [ 0x23, ['unsigned char']], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'Reserved' : [ 0x2c, ['array', 1, ['unsigned long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_KNODE' : [ 0x40, { 'DeadStackList' : [ 0x0, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x8, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x10, ['unsigned long']], 'Color' : [ 0x14, ['unsigned char']], 'Seed' : [ 0x15, ['unsigned char']], 'NodeNumber' : [ 0x16, ['unsigned char']], 'Flags' : [ 0x17, ['_flags']], 'MmShiftedColor' : [ 0x18, ['unsigned long']], 'FreeCount' : [ 0x1c, ['array', 2, ['unsigned long']]], 'PfnDeferredList' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 
'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned 
long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x1c, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'MinSize' : [ 0x4, ['unsigned short']], 'MinVersion' : [ 0x6, ['unsigned short']], 'MaxVersion' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['long']], 'Signature' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x14, ['pointer', ['void']]], 'Initializer' : [ 0x18, ['pointer', ['void']]], } ], '_POP_POWER_ACTION' : [ 0x40, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 
'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x24, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x28, ['pointer', ['_POP_HIBER_CONTEXT']]], 'LastWakeState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x30, ['unsigned long long']], 'SleepTime' : [ 0x38, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x18, { 'u1' : [ 0x0, 
['__unnamed_1172']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1175']], } ], '__unnamed_1816' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1816']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, 
['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_ARBITER_INSTANCE' : [ 0x9c, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0xc, ['long']], 'Allocation' : [ 0x10, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x18, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x20, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x28, ['long']], 'Interface' : [ 0x2c, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x30, ['unsigned long']], 'AllocationStack' : [ 0x34, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x38, ['pointer', ['void']]], 'PackResource' : [ 0x3c, ['pointer', ['void']]], 'UnpackResource' : [ 0x40, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x44, ['pointer', ['void']]], 'TestAllocation' : [ 0x48, ['pointer', ['void']]], 
'RetestAllocation' : [ 0x4c, ['pointer', ['void']]], 'CommitAllocation' : [ 0x50, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x54, ['pointer', ['void']]], 'BootAllocation' : [ 0x58, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x5c, ['pointer', ['void']]], 'QueryConflict' : [ 0x60, ['pointer', ['void']]], 'AddReserved' : [ 0x64, ['pointer', ['void']]], 'StartArbiter' : [ 0x68, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x6c, ['pointer', ['void']]], 'AllocateEntry' : [ 0x70, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x74, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x78, ['pointer', ['void']]], 'AddAllocation' : [ 0x7c, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x80, ['pointer', ['void']]], 'OverrideConflict' : [ 0x84, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x88, ['unsigned char']], 'Extension' : [ 0x8c, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x90, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x94, ['pointer', ['void']]], 'ConflictCallback' : [ 0x98, ['pointer', ['void']]], } ], '_BUS_HANDLER' : [ 0x6c, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, 
['pointer', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x14, ['pointer', ['_BUS_HANDLER']]], 'BusData' : [ 0x18, ['pointer', ['void']]], 'DeviceControlExtensionSize' : [ 0x1c, ['unsigned long']], 'BusAddresses' : [ 0x20, ['pointer', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x24, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x34, ['pointer', ['void']]], 'SetBusData' : [ 0x38, ['pointer', ['void']]], 'AdjustResourceList' : [ 0x3c, ['pointer', ['void']]], 'AssignSlotResources' : [ 0x40, ['pointer', ['void']]], 'GetInterruptVector' : [ 0x44, ['pointer', ['void']]], 'TranslateBusAddress' : [ 0x48, ['pointer', ['void']]], 'Spare1' : [ 0x4c, ['pointer', ['void']]], 'Spare2' : [ 0x50, ['pointer', ['void']]], 'Spare3' : [ 0x54, ['pointer', ['void']]], 'Spare4' : [ 0x58, ['pointer', ['void']]], 'Spare5' : [ 0x5c, ['pointer', ['void']]], 'Spare6' : [ 0x60, ['pointer', ['void']]], 'Spare7' : [ 0x64, ['pointer', ['void']]], 'Spare8' : [ 0x68, ['pointer', ['void']]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x8, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'DispatchFunction' : [ 0x4, ['pointer', ['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x620, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x18, ['unsigned long']], 'Thread' : [ 0x1c, ['pointer', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x20, ['unsigned char']], 'Order' : [ 0x24, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x26c, ['long']], 'FailedDevice' : [ 0x270, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x274, ['unsigned char']], 'Cancelled' : [ 0x275, ['unsigned char']], 'IgnoreErrors' : [ 
0x276, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x277, ['unsigned char']], 'WaitAny' : [ 0x278, ['unsigned char']], 'WaitAll' : [ 0x279, ['unsigned char']], 'PresentIrpQueue' : [ 0x27c, ['_LIST_ENTRY']], 'Head' : [ 0x284, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x2b0, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_MMWSLE_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['unsigned short']]], } ], '_CM_KEY_BODY' : [ 0x44, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'Callers' : [ 0x10, ['unsigned long']], 'CallerAddress' : [ 0x14, ['array', 10, ['pointer', ['void']]]], 'KeyBodyList' : [ 0x3c, ['_LIST_ENTRY']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', 
['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x40, { 'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 
'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWakeLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemStateMapping' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x2c, ['pointer', ['_IRP']]], 'SavedCancelRoutine' : [ 0x30, ['pointer', ['void']]], 'Paging' : [ 0x34, ['long']], 'Hibernate' : [ 0x38, ['long']], 'CrashDump' : [ 0x3c, ['long']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_18b6' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_18ba' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], 
'__unnamed_18be' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_18c0' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_18c4' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], 
'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_18c6' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_18c8' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], } ], '__unnamed_18ca' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 
'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_18cc' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_18ce' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_18d2' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 
'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_18d4' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_18d6' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_18d8' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_18da' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_18dc' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_18de' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_18e2' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_18e6' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_18ea' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_18ec' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_18f0' : [ 0x4, 
{ 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_18f2' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_18f4' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_18f6' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_18fa' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_18fe' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1902' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1904' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1908' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_190c' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 
'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_190e' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1910' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1912' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1914' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_18b6']], 'CreatePipe' : [ 0x0, ['__unnamed_18ba']], 'CreateMailslot' : [ 0x0, ['__unnamed_18be']], 'Read' : [ 0x0, ['__unnamed_18c0']], 'Write' : [ 0x0, ['__unnamed_18c0']], 'QueryDirectory' : [ 0x0, ['__unnamed_18c4']], 'NotifyDirectory' : [ 0x0, ['__unnamed_18c6']], 'QueryFile' : [ 0x0, ['__unnamed_18c8']], 'SetFile' : [ 0x0, ['__unnamed_18ca']], 'QueryEa' : [ 0x0, ['__unnamed_18cc']], 'SetEa' : [ 0x0, ['__unnamed_18ce']], 'QueryVolume' : [ 0x0, ['__unnamed_18d2']], 'SetVolume' : [ 0x0, ['__unnamed_18d2']], 'FileSystemControl' : [ 0x0, ['__unnamed_18d4']], 'LockControl' : [ 0x0, ['__unnamed_18d6']], 'DeviceIoControl' : [ 0x0, ['__unnamed_18d8']], 'QuerySecurity' : [ 0x0, ['__unnamed_18da']], 'SetSecurity' : [ 0x0, ['__unnamed_18dc']], 'MountVolume' : [ 0x0, ['__unnamed_18de']], 'VerifyVolume' : [ 0x0, ['__unnamed_18de']], 'Scsi' : [ 0x0, ['__unnamed_18e2']], 'QueryQuota' : [ 0x0, ['__unnamed_18e6']], 'SetQuota' : [ 0x0, ['__unnamed_18ce']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_18ea']], 'QueryInterface' : [ 0x0, ['__unnamed_18ec']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_18f0']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_18f2']], 
'ReadWriteConfig' : [ 0x0, ['__unnamed_18f4']], 'SetLock' : [ 0x0, ['__unnamed_18f6']], 'QueryId' : [ 0x0, ['__unnamed_18fa']], 'QueryDeviceText' : [ 0x0, ['__unnamed_18fe']], 'UsageNotification' : [ 0x0, ['__unnamed_1902']], 'WaitWake' : [ 0x0, ['__unnamed_1904']], 'PowerSequence' : [ 0x0, ['__unnamed_1908']], 'Power' : [ 0x0, ['__unnamed_190c']], 'StartDevice' : [ 0x0, ['__unnamed_190e']], 'WMI' : [ 0x0, ['__unnamed_1910']], 'Others' : [ 0x0, ['__unnamed_1912']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_1914']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_191b' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_191d' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], } ], '__unnamed_191f' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1921' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1923' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1925' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_191b']], 'Memory' : [ 0x0, ['__unnamed_191b']], 'Interrupt' : [ 0x0, ['__unnamed_191d']], 'Dma' : [ 0x0, ['__unnamed_191f']], 'Generic' : [ 0x0, ['__unnamed_191b']], 'DevicePrivate' : [ 0x0, 
['__unnamed_1683']], 'BusNumber' : [ 0x0, ['__unnamed_1921']], 'ConfigData' : [ 0x0, ['__unnamed_1923']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1925']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '__unnamed_192e' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1930' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_192e']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1932' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1934' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1932']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1930']], 'u2' : [ 0x4, ['__unnamed_1934']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned 
long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0xe0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0xc, ['unsigned long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x14, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x1c, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x24, ['unsigned long']], 
'NextCloneRange' : [ 0x28, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x2c, ['unsigned long']], 'LoaderMdl' : [ 0x30, ['pointer', ['_MDL']]], 'Clones' : [ 0x34, ['pointer', ['_MDL']]], 'NextClone' : [ 0x38, ['pointer', ['unsigned char']]], 'NoClones' : [ 0x3c, ['unsigned long']], 'Spares' : [ 0x40, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x48, ['unsigned long long']], 'IoPage' : [ 0x50, ['pointer', ['void']]], 'CurrentMcb' : [ 0x54, ['pointer', ['void']]], 'DumpStack' : [ 0x58, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x5c, ['pointer', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0x60, ['unsigned long']], 'HiberVa' : [ 0x64, ['unsigned long']], 'HiberPte' : [ 0x68, ['_LARGE_INTEGER']], 'Status' : [ 0x70, ['long']], 'MemoryImage' : [ 0x74, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x78, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x7c, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x80, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x84, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x88, ['pointer', ['void']]], 'DmaIO' : [ 0x8c, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x90, ['pointer', ['void']]], 'PerfInfo' : [ 0x98, ['_PO_HIBER_PERF']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x8, { 'StartVpn' : [ 0x0, ['unsigned long']], 'EndVpn' : [ 0x4, ['unsigned long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, 
['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x14, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x4, ['unsigned long']], 'Parameter2' : [ 0x8, ['unsigned long']], 'Parameter3' : [ 0xc, ['unsigned long']], 'Parameter4' : [ 0x10, ['unsigned long']], } ], '__unnamed_196a' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_196c' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_196a']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_196c']], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', 
['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_SUPPORTED_RANGES' : [ 0xa0, { 'Version' : [ 0x0, ['unsigned short']], 'Sorted' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x28, ['unsigned long']], 'Memory' : [ 0x30, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x50, ['unsigned long']], 'PrefetchMemory' : [ 0x58, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x78, ['unsigned long']], 'Dma' : [ 0x80, ['_SUPPORTED_RANGE']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 
'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_PM_SUPPORT' : [ 0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_199b' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_199d' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_19a1' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_19a3' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned 
long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_19a5' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_19a7' : [ 0x10, { 'TestAllocation' : [ 0x0, ['__unnamed_199b']], 'RetestAllocation' : [ 0x0, ['__unnamed_199b']], 'BootAllocation' : [ 0x0, ['__unnamed_199d']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_19a1']], 'QueryConflict' : [ 0x0, ['__unnamed_19a3']], 'QueryArbitrate' : [ 0x0, ['__unnamed_199d']], 'AddReserved' : [ 0x0, ['__unnamed_19a5']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_19a7']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], 'PO_MEMORY_IMAGE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, 
['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'ImageType' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x3c, ['unsigned long']], 'HiberPte' : [ 0x40, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'TotalPages' : [ 0x54, ['unsigned long']], 'FirstTablePage' : [ 0x58, ['unsigned long']], 'LastFilePage' : [ 0x5c, ['unsigned long']], 'PerfInfo' : [ 0x60, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, 
native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 
0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Spare' : [ 0x18, ['array', 2, ['unsigned long']]], } ], '__unnamed_19c7' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_19c9' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_19cb' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_19cd' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_19cf' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_19d1' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_19d3' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 
'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_19d5' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_19d7' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_19d9' : [ 0x14, { 'DeviceClass' : [ 0x0, ['__unnamed_19c7']], 'TargetDevice' : [ 0x0, ['__unnamed_19c9']], 'InstallDevice' : [ 0x0, ['__unnamed_19cb']], 'CustomNotification' : [ 0x0, ['__unnamed_19cd']], 'ProfileNotification' : [ 0x0, ['__unnamed_19cf']], 'PowerNotification' : [ 0x0, ['__unnamed_19d1']], 'VetoNotification' : [ 0x0, ['__unnamed_19d3']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_19d5']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_19d7']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x38, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_19d9']], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_19f0' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_19f2' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_19f4' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_19f0']], 'Gpt' : [ 0x0, ['__unnamed_19f2']], } ], 
'_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_19f4']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 
'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, ['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x248, { 'DevNodeSequence' : [ 0x0, ['unsigned long']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], 
'_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x10, ['unsigned long']], 'ActiveCount' : [ 0x14, ['unsigned long']], 'WaitSleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x20, ['_LIST_ENTRY']], 'Pending' : [ 0x28, ['_LIST_ENTRY']], 'Complete' : [ 0x30, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x38, ['_LIST_ENTRY']], 'WaitS0' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_1a24' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], '_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' : [ 0xc, ['array', 4, ['__unnamed_1a24']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 
0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, 
['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_POP_DEVICE_POWER_IRP' : [ 0x2c, { 'Free' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x4, ['pointer', ['_IRP']]], 'Notify' : [ 0x8, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0xc, ['_LIST_ENTRY']], 'Complete' : [ 0x14, ['_LIST_ENTRY']], 'Abort' : [ 0x1c, ['_LIST_ENTRY']], 'Failed' : [ 0x24, ['_LIST_ENTRY']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned 
char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 'PrefetchBaseUpper32' : [ 0x18, ['unsigned long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 
'Flags' : [ 0x8, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_SUPPORTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x4, ['unsigned long']], 'SystemBase' : [ 0x8, ['long long']], 'Base' : [ 0x10, ['long long']], 'Limit' : [ 0x18, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, 
native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 
0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x30, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x24, ['array', 3, ['unsigned long']]], } ], '__unnamed_1aad' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_1aaf' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_1ab3' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ab5' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1aad']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1aaf']], 
'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1ab3']], 'Others' : [ 0x0, ['__unnamed_1ab5']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/ssdt_vtypes.py0000644000000000000000000002015513131215405027320 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. 
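#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

import sys
import volatility.debug as debug
import volatility.obj as obj

# Each table below maps a structure name to [size, {member: [offset, type]}].
# The sizes are consistent with the members: 4 x 0x10, 2 x 0x10 and 2 x 0x20.
# NOTE(review): every field is read from the memory image under analysis, so
# ServiceLimit and the table pointers are untrusted input for whatever walks
# the SSDT -- presumably consumers bound-check them; verify in the callers.

# SSDT structures for all x86 profiles *except* Win 2003 Server
ssdt_vtypes = {
    '_SERVICE_DESCRIPTOR_TABLE': [0x40, {
        'Descriptors': [0x0, ['array', 4, ['_SERVICE_DESCRIPTOR_ENTRY']]],
    }],
    '_SERVICE_DESCRIPTOR_ENTRY': [0x10, {
        'KiServiceTable': [0x0, ['pointer', ['void']]],
        'CounterBaseTable': [0x4, ['pointer', ['unsigned long']]],
        'ServiceLimit': [0x8, ['unsigned long']],
        'ArgumentTable': [0xc, ['pointer', ['unsigned char']]],
    }],
}

# SSDT structures for Win 2003 Server x86
ssdt_vtypes_2003 = {
    '_SERVICE_DESCRIPTOR_TABLE': [0x20, {
        'Descriptors': [0x0, ['array', 2, ['_SERVICE_DESCRIPTOR_ENTRY']]],
    }],
}

# SSDT structures for x64
ssdt_vtypes_64 = {
    '_SERVICE_DESCRIPTOR_TABLE': [0x40, {
        'Descriptors': [0x0, ['array', 2, ['_SERVICE_DESCRIPTOR_ENTRY']]],
    }],
    '_SERVICE_DESCRIPTOR_ENTRY': [0x20, {
        'KiServiceTable': [0x0, ['pointer64', ['void']]],
        'CounterBaseTable': [0x8, ['pointer64', ['unsigned long']]],
        'ServiceLimit': [0x10, ['unsigned long long']],
        'ArgumentTable': [0x18, ['pointer64', ['unsigned char']]],
    }],
}


#### Filthy Hack for backwards compatibility

def syscalls_property(x):
    """Return the syscall tables of profile ``x`` for the legacy ``profile.syscalls``.

    Logs a deprecation message, then reads ``x.additional['syscalls']``.
    When no table has been registered it returns ``[[], []]``.
    """
    debug.debug("Deprecation warning: Please use profile.additional['syscalls'] over profile.syscalls")
    return x.additional.get('syscalls', [[], []])


class WinSyscallsAttribute(obj.ProfileModification):
    """Expose ``profile.syscalls`` as a read-only alias on Windows profiles."""
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        # Filthy hack for backwards compatibility: the property is installed
        # on the profile's class, so every instance of that class gains it.
        profile.__class__.syscalls = property(syscalls_property)

####


class AbstractSyscalls(obj.ProfileModification):
    """Base class that copies a syscall table module into the profile.

    Subclasses set ``syscall_module`` to the dotted name of a module that
    defines ``syscalls`` and narrow applicability through ``conditions``.
    """
    syscall_module = 'No default'

    def modification(self, profile):
        """Store ``<syscall_module>.syscalls`` in ``profile.additional['syscalls']``.

        Raises:
            AttributeError: if the module is not present in ``sys.modules``
                or does not define ``syscalls``.
        """
        module = sys.modules.get(self.syscall_module, None)
        if module is None:
            # The lookup only consults already-imported modules.  Without this
            # check the failure surfaces as "'NoneType' object has no
            # attribute 'syscalls'", which hides which table is missing.  The
            # exception type is kept so existing handlers still match.
            raise AttributeError(
                "Syscall table module {0!r} is not loaded; cannot set "
                "profile.additional['syscalls']".format(self.syscall_module))
        profile.additional['syscalls'] = module.syscalls


class WinXPSyscalls(AbstractSyscalls):
    """Syscall table for 32-bit Windows profiles with version 5.1."""
    syscall_module = 'volatility.plugins.overlays.windows.xp_sp2_x86_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 1}


class Win64SyscallVTypes(obj.ProfileModification):
    """Install the x64 SSDT structure definitions on 64-bit Windows profiles."""
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        profile.vtypes.update(ssdt_vtypes_64)


class Win2003SyscallVTypes(obj.ProfileModification):
    """Install the Win 2003 Server x86 SSDT definitions (version 5.2, 32-bit)."""
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2}

    def modification(self, profile):
        profile.vtypes.update(ssdt_vtypes_2003)


class Win2003SP0Syscalls(AbstractSyscalls):
    """Syscall table for 32-bit version 5.2 profiles whose build is 3789."""
    # Win2003SP12Syscalls applies to SP0 as well, so this must be applied second
    before = ['Win2003SP12Syscalls']
    syscall_module = 'volatility.plugins.overlays.windows.win2003_sp0_x86_syscalls'
    # NOTE(review): 3789 is presumably the build value the SP0 profile
    # metadata carries -- confirm against the profile definitions.
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2,
                  'build': lambda x: x == 3789}


class Win2003SP12Syscalls(AbstractSyscalls):
    """Syscall table for 32-bit Windows profiles with version 5.2."""
    syscall_module = 'volatility.plugins.overlays.windows.win2003_sp12_x86_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2}


class Win2003SP12x64Syscalls(AbstractSyscalls):
    """Syscall table for 64-bit Windows profiles with version 5.2."""
    syscall_module = 'volatility.plugins.overlays.windows.win2003_sp12_x64_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2}


class VistaSP0Syscalls(AbstractSyscalls): syscall_module = 'volatility.plugins.overlays.windows.vista_sp0_x86_syscalls'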
conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '32bit', 'major': lambda x : x == 6, 'minor': lambda x : x == 0, 'build': lambda x : x == 6000} class VistaSP0x64Syscalls(AbstractSyscalls): syscall_module = 'volatility.plugins.overlays.windows.vista_sp0_x64_syscalls' conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '64bit', 'major': lambda x : x == 6, 'minor': lambda x : x == 0, 'build': lambda x : x == 6000} class VistaSP12Syscalls(AbstractSyscalls): syscall_module = 'volatility.plugins.overlays.windows.vista_sp12_x86_syscalls' conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '32bit', 'major': lambda x : x == 6, 'minor': lambda x : x == 0, 'build': lambda x : x >= 6001} class VistaSP12x64Syscalls(AbstractSyscalls): syscall_module = 'volatility.plugins.overlays.windows.vista_sp12_x64_syscalls' conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '64bit', 'major': lambda x : x == 6, 'minor': lambda x : x == 0, 'build': lambda x : x >= 6001} class Win7SP01Syscalls(AbstractSyscalls): syscall_module = 'volatility.plugins.overlays.windows.win7_sp01_x86_syscalls' conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '32bit', 'major': lambda x : x == 6, 'minor': lambda x : x == 1} class Win7SP01x64Syscalls(AbstractSyscalls): syscall_module = 'volatility.plugins.overlays.windows.win7_sp01_x64_syscalls' conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '64bit', 'major': lambda x : x == 6, 'minor': lambda x : x == 1} class Win8SP0x64Syscalls(AbstractSyscalls): syscall_module = 'volatility.plugins.overlays.windows.win8_sp0_x64_syscalls' conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '64bit', 'major': lambda x : x == 6, 'minor': lambda x : x == 2} class Win8SP0x86Syscalls(AbstractSyscalls): syscall_module = 'volatility.plugins.overlays.windows.win8_sp0_x86_syscalls' conditions = {'os': lambda 
x: x == 'windows', 'memory_model': lambda x: x == '32bit', 'major': lambda x : x == 6, 'minor': lambda x : x == 2} class Win8SP1x86Syscalls(AbstractSyscalls): syscall_module = 'volatility.plugins.overlays.windows.win8_sp1_x86_syscalls' conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '32bit', 'major': lambda x : x == 6, 'minor': lambda x : x == 3} class Win8SP1x64Syscalls(AbstractSyscalls): syscall_module = 'volatility.plugins.overlays.windows.win8_sp1_x64_syscalls' conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '64bit', 'major': lambda x : x == 6, 'minor': lambda x : x == 3}././@LongLink0000644000000000000000000000014700000000000011605 Lustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8_sp1_x64_54B5A1C6_vtypes.pyvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8_sp1_x64_54B5A1C6_vtypes.0000644000000000000000000233121413131215405031220 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 
'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'Reserved2' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'Reserved12' : [ 0x2ed, ['array', 
3, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 
'QpcSystemTimeIncrement32' : [ 0x368, ['unsigned long']], 'QpcInterruptTimeIncrement32' : [ 0x36c, ['unsigned long']], 'QpcSystemTimeIncrementShift' : [ 0x370, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x371, ['unsigned char']], 'UnparkedProcessorCount' : [ 0x372, ['unsigned short']], 'Reserved8' : [ 0x374, ['array', 12, ['unsigned char']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_107f' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_107f']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1083' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1083']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_109b' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', 
dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109d' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_109b']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_109d']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TEB' : [ 0x1820, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x2d0, 
['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'Padding1' : [ 0x2ec, ['array', 4, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'PerflibData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 
'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 
0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], 'ReservedForWdf' : [ 0x1818, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, 
{ 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0x18, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, 
['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_BALANCED_NODE' : [ 0x18, { 'Children' : [ 0x0, ['array', 2, ['pointer64', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x10, ['unsigned long long']], } ], '_RTL_RB_TREE' : [ 0x10, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_RTL_AVL_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x5f00, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, 
['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x5d80, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'ClockOwner' : [ 0x21, ['unsigned char']], 'PendingTickFlags' : [ 0x22, ['unsigned char']], 'PendingTick' : [ 0x22, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x22, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'PrcbPad00' : [ 0x23, ['array', 1, ['unsigned char']]], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PriorityState' : [ 0x38, ['pointer64', ['unsigned char']]], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' 
: [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ParentNode' : [ 0x640, ['pointer64', ['_KNODE']]], 'GroupSetMember' : [ 0x648, ['unsigned long long']], 'Group' : [ 0x650, ['unsigned char']], 'GroupIndex' : [ 0x651, ['unsigned char']], 'PrcbPad05' : [ 0x652, ['array', 2, ['unsigned char']]], 'ApicMask' : [ 0x654, ['unsigned long']], 'CFlushSize' : [ 0x658, ['unsigned long']], 'AcpiReserved' : [ 0x660, ['pointer64', ['void']]], 'InitialApicId' : [ 0x668, ['unsigned long']], 'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x2080, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PrcbPad20' : [ 0x2c80, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2c88, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2c90, ['long']], 'MmCopyOnWriteCount' : [ 0x2c94, ['long']], 'MmTransitionCount' : [ 0x2c98, ['long']], 'MmDemandZeroCount' : [ 0x2c9c, ['long']], 'MmPageReadCount' : [ 0x2ca0, ['long']], 'MmPageReadIoCount' : [ 0x2ca4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x2ca8, ['long']], 'MmDirtyWriteIoCount' : [ 0x2cac, ['long']], 'MmMappedPagesWriteCount' : [ 0x2cb0, ['long']], 'MmMappedWriteIoCount' : [ 0x2cb4, ['long']], 'KeSystemCalls' : [ 0x2cb8, ['unsigned 
long']], 'KeContextSwitches' : [ 0x2cbc, ['unsigned long']], 'LdtSelector' : [ 0x2cc0, ['unsigned short']], 'PrcbPad40' : [ 0x2cc2, ['unsigned short']], 'CcFastReadNoWait' : [ 0x2cc4, ['unsigned long']], 'CcFastReadWait' : [ 0x2cc8, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x2ccc, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x2cd0, ['unsigned long']], 'CcCopyReadWait' : [ 0x2cd4, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x2cd8, ['unsigned long']], 'IoReadOperationCount' : [ 0x2cdc, ['long']], 'IoWriteOperationCount' : [ 0x2ce0, ['long']], 'IoOtherOperationCount' : [ 0x2ce4, ['long']], 'IoReadTransferCount' : [ 0x2ce8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x2cf0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x2cf8, ['_LARGE_INTEGER']], 'PacketBarrier' : [ 0x2d00, ['long']], 'TargetCount' : [ 0x2d04, ['long']], 'IpiFrozen' : [ 0x2d08, ['unsigned long']], 'IsrDpcStats' : [ 0x2d10, ['pointer64', ['void']]], 'DeviceInterrupts' : [ 0x2d18, ['unsigned long']], 'LookasideIrpFloat' : [ 0x2d1c, ['long']], 'InterruptLastCount' : [ 0x2d20, ['unsigned long']], 'InterruptRate' : [ 0x2d24, ['unsigned long']], 'PrcbPad41' : [ 0x2d28, ['array', 22, ['unsigned long']]], 'DpcData' : [ 0x2d80, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2dd0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2dd8, ['long']], 'DpcRequestRate' : [ 0x2ddc, ['unsigned long']], 'MinimumDpcRate' : [ 0x2de0, ['unsigned long']], 'DpcLastCount' : [ 0x2de4, ['unsigned long']], 'ThreadDpcEnable' : [ 0x2de8, ['unsigned char']], 'QuantumEnd' : [ 0x2de9, ['unsigned char']], 'DpcRoutineActive' : [ 0x2dea, ['unsigned char']], 'IdleSchedule' : [ 0x2deb, ['unsigned char']], 'DpcRequestSummary' : [ 0x2dec, ['long']], 'DpcRequestSlot' : [ 0x2dec, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x2dec, ['short']], 'ThreadDpcState' : [ 0x2dee, ['short']], 'DpcNormalProcessingActive' : [ 0x2dec, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 
'DpcNormalProcessingRequested' : [ 0x2dec, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x2dec, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x2dec, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x2dec, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x2dec, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x2dec, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x2dec, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x2dec, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x2dec, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2df0, ['unsigned long']], 'LastTick' : [ 0x2df4, ['unsigned long']], 'ClockInterrupts' : [ 0x2df8, ['unsigned long']], 'ReadyScanTick' : [ 0x2dfc, ['unsigned long']], 'TimerTable' : [ 0x2e00, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x5000, ['_KGATE']], 'PrcbPad52' : [ 0x5018, ['pointer64', ['void']]], 'CallDpc' : [ 0x5020, ['_KDPC']], 'ClockKeepAlive' : [ 0x5060, ['long']], 'PrcbPad60' : [ 0x5064, ['array', 2, ['unsigned char']]], 'NmiActive' : [ 0x5066, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x5068, ['long']], 'DpcWatchdogCount' : [ 0x506c, ['long']], 'KeSpinLockOrdering' : [ 0x5070, ['long']], 'PrcbPad70' : [ 0x5074, ['array', 1, ['unsigned long']]], 'CachedPtes' : [ 0x5078, ['pointer64', ['void']]], 'WaitListHead' : [ 0x5080, ['_LIST_ENTRY']], 'WaitLock' : [ 0x5090, ['unsigned long long']], 'ReadySummary' : [ 0x5098, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x509c, ['long']], 'QueueIndex' : [ 0x50a0, ['unsigned long']], 
'PrcbPad75' : [ 0x50a4, ['array', 3, ['unsigned long']]], 'TimerExpirationDpc' : [ 0x50b0, ['_KDPC']], 'ScbQueue' : [ 0x50f0, ['_RTL_RB_TREE']], 'DispatcherReadyListHead' : [ 0x5100, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x5300, ['unsigned long']], 'KernelTime' : [ 0x5304, ['unsigned long']], 'UserTime' : [ 0x5308, ['unsigned long']], 'DpcTime' : [ 0x530c, ['unsigned long']], 'InterruptTime' : [ 0x5310, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5314, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x5318, ['unsigned char']], 'GroupSchedulingOverQuota' : [ 0x5319, ['unsigned char']], 'DeepSleep' : [ 0x531a, ['unsigned char']], 'PrcbPad80' : [ 0x531b, ['array', 1, ['unsigned char']]], 'ScbOffset' : [ 0x531c, ['unsigned long']], 'DpcTimeCount' : [ 0x5320, ['unsigned long']], 'DpcTimeLimit' : [ 0x5324, ['unsigned long']], 'PeriodicCount' : [ 0x5328, ['unsigned long']], 'PeriodicBias' : [ 0x532c, ['unsigned long']], 'AvailableTime' : [ 0x5330, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x5334, ['unsigned long']], 'StartCycles' : [ 0x5338, ['unsigned long long']], 'GenerationTarget' : [ 0x5340, ['unsigned long long']], 'AffinitizedCycles' : [ 0x5348, ['unsigned long long']], 'PrcbPad81' : [ 0x5350, ['array', 2, ['unsigned long long']]], 'MmSpinLockOrdering' : [ 0x5360, ['long']], 'PageColor' : [ 0x5364, ['unsigned long']], 'NodeColor' : [ 0x5368, ['unsigned long']], 'NodeShiftedColor' : [ 0x536c, ['unsigned long']], 'SecondaryColorMask' : [ 0x5370, ['unsigned long']], 'PrcbPad83' : [ 0x5374, ['unsigned long']], 'CycleTime' : [ 0x5378, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x5380, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x5384, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x5388, ['unsigned long']], 'CcMapDataNoWait' : [ 0x538c, ['unsigned long']], 'CcMapDataWait' : [ 0x5390, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x5394, ['unsigned long']], 'CcPinReadNoWait' : [ 0x5398, ['unsigned long']], 'CcPinReadWait' : [ 
0x539c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x53a0, ['unsigned long']], 'CcMdlReadWait' : [ 0x53a4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x53a8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x53ac, ['unsigned long']], 'CcLazyWritePages' : [ 0x53b0, ['unsigned long']], 'CcDataFlushes' : [ 0x53b4, ['unsigned long']], 'CcDataPages' : [ 0x53b8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x53bc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x53c0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x53c4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x53c8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x53cc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x53d0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x53d4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x53d8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x53dc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x53e0, ['unsigned long']], 'CcReadAheadIos' : [ 0x53e4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x53e8, ['long']], 'MmCacheReadCount' : [ 0x53ec, ['long']], 'MmCacheIoCount' : [ 0x53f0, ['long']], 'PrcbPad91' : [ 0x53f4, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x5400, ['_PROCESSOR_POWER_STATE']], 'ScbList' : [ 0x55e0, ['_LIST_ENTRY']], 'PrcbPad92' : [ 0x55f0, ['array', 19, ['unsigned long']]], 'KeAlignmentFixupCount' : [ 0x563c, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x5640, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x5680, ['_KTIMER']], 'Cache' : [ 0x56c0, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x56fc, ['unsigned long']], 'CachedCommit' : [ 0x5700, ['unsigned long']], 'CachedResidentAvailable' : [ 0x5704, ['unsigned long']], 'HyperPte' : [ 0x5708, ['pointer64', ['void']]], 'WheaInfo' : [ 0x5710, ['pointer64', ['void']]], 'EtwSupport' : [ 0x5718, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x5720, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x5730, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x5740, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 
0x5748, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x5750, ['pointer64', ['unsigned long long']]], 'PackageProcessorSet' : [ 0x5758, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x5800, ['unsigned long long']], 'SharedReadyQueue' : [ 0x5808, ['pointer64', ['_KSHARED_READY_QUEUE']]], 'CoreProcessorSet' : [ 0x5810, ['unsigned long long']], 'ScanSiblingMask' : [ 0x5818, ['unsigned long long']], 'LLCMask' : [ 0x5820, ['unsigned long long']], 'CacheProcessorMask' : [ 0x5828, ['array', 5, ['unsigned long long']]], 'ScanSiblingIndex' : [ 0x5850, ['unsigned long']], 'SharedReadyQueueOffset' : [ 0x5854, ['unsigned long']], 'ProcessorProfileControlArea' : [ 0x5858, ['pointer64', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x5860, ['pointer64', ['void']]], 'PrcbPad94' : [ 0x5868, ['array', 3, ['unsigned long long']]], 'SynchCounters' : [ 0x5880, ['_SYNCH_COUNTERS']], 'PteBitCache' : [ 0x5938, ['unsigned long long']], 'PteBitOffset' : [ 0x5940, ['unsigned long']], 'FsCounters' : [ 0x5948, ['_FILESYSTEM_DISK_COUNTERS']], 'VendorString' : [ 0x5958, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x5965, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x5968, ['unsigned long long']], 'PrcbPad11' : [ 0x5970, ['unsigned long']], 'UpdateSignature' : [ 0x5978, ['_LARGE_INTEGER']], 'Context' : [ 0x5980, ['pointer64', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x5988, ['unsigned long']], 'ExtendedState' : [ 0x5990, ['pointer64', ['_XSAVE_AREA']]], 'IsrStack' : [ 0x5998, ['pointer64', ['void']]], 'EntropyTimingState' : [ 0x59a0, ['_KENTROPY_TIMING_STATE']], 'AbSelfIoBoostsList' : [ 0x5af0, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x5af8, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x5b00, ['_KDPC']], 'IoIrpStackProfilerCurrent' : [ 0x5b40, ['_IOP_IRP_STACK_PROFILER']], 'IoIrpStackProfilerPrevious' : [ 0x5b94, ['_IOP_IRP_STACK_PROFILER']], 'TimerExpirationTrace' : [ 0x5be8, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : 
[ 0x5ce8, ['unsigned long']], 'Mailbox' : [ 0x5d00, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x5d40, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KFLOATING_SAVE' : [ 0x4, { 'Dummy' : [ 0x0, ['unsigned long']], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_KTHREAD' : [ 0x5d0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x18, ['pointer64', ['void']]], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'StackBase' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'CycleTime' : [ 0x48, ['unsigned long long']], 'CurrentRunTime' : [ 0x50, ['unsigned long']], 'ExpectedRunTime' : [ 0x54, ['unsigned long']], 'KernelStack' : [ 0x58, ['pointer64', ['void']]], 'StateSaveArea' : [ 0x60, ['pointer64', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x68, ['pointer64', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x70, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x71, ['unsigned char']], 'Alerted' : [ 0x72, ['array', 2, ['unsigned char']]], 'SpareMiscFlag0' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x74, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x74, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x74, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x74, ['BitField', dict(start_bit 
= 6, end_bit = 7, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x74, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'TimerActive' : [ 0x74, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SystemThread' : [ 0x74, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x74, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'CalloutActive' : [ 0x74, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x74, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ApcQueueable' : [ 0x74, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x74, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x74, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ApcPendingReload' : [ 0x74, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'TimerSuspended' : [ 0x74, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'SuspendedWaitMode' : [ 0x74, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved' : [ 0x74, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x74, ['long']], 'AutoAlignment' : [ 0x78, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x78, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UserAffinitySet' : [ 0x78, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x78, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x78, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x78, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x78, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x78, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x78, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x78, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x78, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x78, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x78, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x78, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'KernelStackResident' : [ 0x78, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x78, ['BitField', dict(start_bit = 17, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags' : [ 0x78, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x78, ['long']], 'Spare0' : [ 0x7c, ['unsigned long']], 'SystemCallNumber' : [ 0x80, ['unsigned long']], 'Spare1' : [ 0x84, ['unsigned long']], 'FirstArgument' : [ 0x88, ['pointer64', 
['void']]], 'TrapFrame' : [ 0x90, ['pointer64', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x98, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x98, ['array', 43, ['unsigned char']]], 'Priority' : [ 0xc3, ['unsigned char']], 'UserIdealProcessor' : [ 0xc4, ['unsigned long']], 'WaitStatus' : [ 0xc8, ['long long']], 'WaitBlockList' : [ 0xd0, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xd8, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xe8, ['pointer64', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xf0, ['pointer64', ['void']]], 'RelativeTimerBias' : [ 0xf8, ['unsigned long long']], 'Timer' : [ 0x100, ['_KTIMER']], 'WaitBlock' : [ 0x140, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x140, ['array', 20, ['unsigned char']]], 'ContextSwitches' : [ 0x154, ['unsigned long']], 'WaitBlockFill5' : [ 0x140, ['array', 68, ['unsigned char']]], 'State' : [ 0x184, ['unsigned char']], 'NpxState' : [ 0x185, ['unsigned char']], 'WaitIrql' : [ 0x186, ['unsigned char']], 'WaitMode' : [ 0x187, ['unsigned char']], 'WaitBlockFill6' : [ 0x140, ['array', 116, ['unsigned char']]], 'WaitTime' : [ 0x1b4, ['unsigned long']], 'WaitBlockFill7' : [ 0x140, ['array', 164, ['unsigned char']]], 'KernelApcDisable' : [ 0x1e4, ['short']], 'SpecialApcDisable' : [ 0x1e6, ['short']], 'CombinedApcDisable' : [ 0x1e4, ['unsigned long']], 'WaitBlockFill8' : [ 0x140, ['array', 40, ['unsigned char']]], 'ThreadCounters' : [ 0x168, ['pointer64', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0x140, ['array', 88, ['unsigned char']]], 'XStateSave' : [ 0x198, ['pointer64', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0x140, ['array', 136, ['unsigned char']]], 'Win32Thread' : [ 0x1c8, ['pointer64', ['void']]], 'WaitBlockFill11' : [ 0x140, ['array', 176, ['unsigned char']]], 'Ucb' : [ 0x1f0, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'Uch' : [ 0x1f8, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'TebMappedLowVa' : [ 0x200, ['pointer64', ['void']]], 'QueueListEntry' : [ 0x208, ['_LIST_ENTRY']], 
'NextProcessor' : [ 0x218, ['unsigned long']], 'NextProcessorNumber' : [ 0x218, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x218, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x21c, ['long']], 'Process' : [ 0x220, ['pointer64', ['_KPROCESS']]], 'UserAffinity' : [ 0x228, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x228, ['array', 10, ['unsigned char']]], 'PreviousMode' : [ 0x232, ['unsigned char']], 'BasePriority' : [ 0x233, ['unsigned char']], 'PriorityDecrement' : [ 0x234, ['unsigned char']], 'ForegroundBoost' : [ 0x234, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x234, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x235, ['unsigned char']], 'AdjustReason' : [ 0x236, ['unsigned char']], 'AdjustIncrement' : [ 0x237, ['unsigned char']], 'Affinity' : [ 0x238, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x238, ['array', 10, ['unsigned char']]], 'ApcStateIndex' : [ 0x242, ['unsigned char']], 'WaitBlockCount' : [ 0x243, ['unsigned char']], 'IdealProcessor' : [ 0x244, ['unsigned long']], 'ApcStatePointer' : [ 0x248, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x258, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x258, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x283, ['unsigned char']], 'SuspendCount' : [ 0x284, ['unsigned char']], 'Saturation' : [ 0x285, ['unsigned char']], 'SListFaultCount' : [ 0x286, ['unsigned short']], 'SchedulerApc' : [ 0x288, ['_KAPC']], 'SchedulerApcFill0' : [ 0x288, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x289, ['unsigned char']], 'SchedulerApcFill1' : [ 0x288, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x28b, ['unsigned char']], 'SchedulerApcFill2' : [ 0x288, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x28c, ['unsigned long']], 'SchedulerApcFill3' : [ 0x288, ['array', 64, 
['unsigned char']]], 'WaitPrcb' : [ 0x2c8, ['pointer64', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x288, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2d0, ['pointer64', ['void']]], 'SchedulerApcFill5' : [ 0x288, ['array', 83, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x2db, ['unsigned char']], 'UserTime' : [ 0x2dc, ['unsigned long']], 'SuspendEvent' : [ 0x2e0, ['_KEVENT']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'LockEntriesFreeList' : [ 0x318, ['_SINGLE_LIST_ENTRY']], 'LockEntries' : [ 0x320, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x560, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x568, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x570, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x580, ['unsigned long']], 'AbCompletedIoBoostCount' : [ 0x584, ['long']], 'AbReferenceCount' : [ 0x588, ['short']], 'AbFreeEntryCount' : [ 0x58a, ['unsigned char']], 'AbWaitEntryCount' : [ 0x58b, ['unsigned char']], 'ForegroundLossTime' : [ 0x58c, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x590, ['_LIST_ENTRY']], 'ForegroundDpcStackListEntry' : [ 0x590, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x598, ['unsigned long long']], 'ReadOperationCount' : [ 0x5a0, ['long long']], 'WriteOperationCount' : [ 0x5a8, ['long long']], 'OtherOperationCount' : [ 0x5b0, ['long long']], 'ReadTransferCount' : [ 0x5b8, ['long long']], 'WriteTransferCount' : [ 0x5c0, ['long long']], 'OtherTransferCount' : [ 0x5c8, ['long long']], } ], '_KSTACK_CONTROL' : [ 0x30, { 'StackBase' : [ 0x0, ['unsigned long long']], 'ActualLimit' : [ 0x8, ['unsigned long long']], 'StackExpansion' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], 
'_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_1232' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'HeaderX64' : [ 0x0, ['__unnamed_1232']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer64', ['void']]], 'DeleteContext' : [ 0x10, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned 
long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', 
['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0xc0, { 'DeepIdleSet' : [ 0x0, ['unsigned long long']], 'SharedReadyQueueLeaders' : [ 0x8, ['unsigned long long']], 'ProximityId' : [ 0x40, ['unsigned long']], 'NodeNumber' : [ 0x44, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x46, ['unsigned short']], 'MaximumProcessors' : [ 0x48, ['unsigned char']], 'Flags' : [ 0x49, ['_flags']], 'Stride' : [ 0x4a, ['unsigned char']], 'LowIndex' : [ 0x4b, ['unsigned char']], 'Affinity' : [ 0x50, ['_GROUP_AFFINITY']], 'IdleCpuSet' : [ 0x60, ['unsigned long long']], 'IdleSmtSet' : [ 0x68, ['unsigned long long']], 'NonParkedSet' : [ 0x80, ['unsigned long long']], 'Seed' : [ 0x88, ['unsigned long']], 'Lowest' : [ 0x8c, ['unsigned long']], 'Highest' : [ 0x90, ['unsigned long']], 'ParkLock' : [ 0x94, ['long']], } ], '_ENODE' : [ 0x500, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueues' : [ 0xc0, ['array', 8, ['pointer64', ['_EX_WORK_QUEUE']]]], 'ExWorkQueue' : [ 0x100, ['_EX_WORK_QUEUE']], 'ExpThreadSetManagerEvent' : [ 0x3d0, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x3e8, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x428, ['_KEVENT']], 'WaitBlocks' : [ 0x440, ['array', 3, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x4d0, ['pointer64', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x4d8, ['unsigned long']], 'ExWorkerFullInit' : [ 0x4dc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x4dc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x4dc, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x80, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long long']], 'QuotaProcess' : [ 0x10, ['pointer64', 
['_EPROCESS']]], 'HandleTableList' : [ 0x18, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], 'StrictFIFO' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x2c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x2c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x38, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x40, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x40, ['array', 32, ['unsigned char']]], 'DebugInfo' : [ 0x60, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'VolatileLowValue' : [ 0x0, ['long long']], 'LowValue' : [ 0x0, ['long long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 17, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 20, native_type='unsigned long long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 64, native_type='unsigned long long')]], 'HighValue' : [ 0x8, ['long long']], 'NextFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x8, ['_EXHANDLE']], 'GrantedAccessBits' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Spare' : [ 0x8, ['BitField', dict(start_bit = 26, end_bit = 32, 
native_type='unsigned long')]], 'TypeInfo' : [ 0xc, ['unsigned long']], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1329' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_1329']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xe0, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xd8, ['unsigned char']], } ], '_ETHREAD' : [ 0x778, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : 
[ 0x5d0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x5d8, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x5d8, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x5e8, ['pointer64', ['void']]], 'PostBlockList' : [ 0x5f0, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x5f0, ['pointer64', ['void']]], 'StartAddress' : [ 0x5f8, ['pointer64', ['void']]], 'TerminationPort' : [ 0x600, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x600, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x600, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x608, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x610, ['_LIST_ENTRY']], 'Cid' : [ 0x620, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x630, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x630, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x650, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x658, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x668, ['unsigned long long']], 'DeviceToVerify' : [ 0x670, ['pointer64', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x678, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x680, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x688, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x698, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x6a0, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x6a8, ['unsigned long']], 'MmLockOrdering' : [ 0x6ac, ['long']], 'CmLockOrdering' : [ 0x6b0, ['long']], 'CrossThreadFlags' : [ 0x6b4, ['unsigned long']], 'Terminated' : [ 0x6b4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x6b4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x6b4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x6b4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x6b4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x6b4, ['BitField', dict(start_bit 
= 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x6b4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x6b4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x6b4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x6b4, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x6b4, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x6b4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x6b4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x6b4, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x6b8, ['unsigned long']], 'ActiveExWorker' : [ 0x6b8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x6b8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ClonedThread' : [ 0x6b8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x6b8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SelfTerminate' : [ 0x6b8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x6bc, ['unsigned long']], 'HardFaultBehavior' : [ 0x6bc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x6bc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x6bc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x6bc, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x6bc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x6bc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x6bc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x6bc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x6bd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x6bd, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x6bd, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x6bd, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x6bd, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x6bd, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x6bd, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x6bd, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x6be, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x6be, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x6be, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x6be, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x6be, ['BitField', dict(start_bit = 4, 
end_bit = 6, native_type='unsigned char')]], 'Spare2' : [ 0x6be, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x6bf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x6bf, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'Spare3' : [ 0x6bf, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x6c0, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x6c1, ['unsigned char']], 'ActiveFaultCount' : [ 0x6c2, ['unsigned char']], 'LockOrderState' : [ 0x6c3, ['unsigned char']], 'AlpcMessageId' : [ 0x6c8, ['unsigned long long']], 'AlpcMessage' : [ 0x6d0, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x6d0, ['unsigned long']], 'ExitStatus' : [ 0x6d8, ['long']], 'AlpcWaitListEntry' : [ 0x6e0, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x6f0, ['unsigned long']], 'IoBoostCount' : [ 0x6f4, ['unsigned long']], 'BoostList' : [ 0x6f8, ['_LIST_ENTRY']], 'DeboostList' : [ 0x708, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x718, ['unsigned long long']], 'IrpListLock' : [ 0x720, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x728, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x730, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x738, ['pointer64', ['_GUID']]], 'SeLearningModeListHead' : [ 0x740, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x748, ['pointer64', ['void']]], 'KernelStackReference' : [ 0x750, ['unsigned long']], 'AdjustedClientToken' : [ 0x758, ['pointer64', ['void']]], 'UserFsBase' : [ 0x760, ['unsigned long']], 'UserGsBase' : [ 0x768, ['unsigned long long']], 'PicoContext' : [ 0x770, ['pointer64', ['void']]], } ], '_EPROCESS' : [ 0x6f0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x2c8, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x2d0, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x2d8, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x2e0, ['pointer64', 
['void']]], 'ActiveProcessLinks' : [ 0x2e8, ['_LIST_ENTRY']], 'Flags2' : [ 0x2f8, ['unsigned long']], 'JobNotReallyActive' : [ 0x2f8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x2f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x2f8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x2f8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x2f8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x2f8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0x2f8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x2f8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x2f8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x2f8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0x2f8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0x2f8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x2f8, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x2f8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x2f8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x2f8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x2f8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 
'AffinityUpdateEnable' : [ 0x2f8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x2f8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x2f8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0x2f8, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0x2f8, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0x2f8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0x2f8, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0x2f8, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0x2f8, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0x2f8, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0x2f8, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x2fc, ['unsigned long']], 'CreateReported' : [ 0x2fc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x2fc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x2fc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x2fc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0x2fc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x2fc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x2fc, ['BitField', dict(start_bit 
= 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x2fc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x2fc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x2fc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x2fc, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x2fc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x2fc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x2fc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x2fc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x2fc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x2fc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x2fc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x2fc, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0x2fc, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x2fc, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x2fc, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x2fc, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x2fc, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0x2fc, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 
'ProcessInserted' : [ 0x2fc, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x2fc, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x2fc, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x2fc, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ProcessQuotaUsage' : [ 0x300, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x310, ['array', 2, ['unsigned long long']]], 'PeakVirtualSize' : [ 0x320, ['unsigned long long']], 'VirtualSize' : [ 0x328, ['unsigned long long']], 'SessionProcessLinks' : [ 0x330, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0x340, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x340, ['unsigned long long']], 'ExceptionPortState' : [ 0x340, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Token' : [ 0x348, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x350, ['unsigned long long']], 'AddressCreationLock' : [ 0x358, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0x360, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x368, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x370, ['pointer64', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x378, ['pointer64', ['_EJOB']]], 'CloneRoot' : [ 0x380, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x388, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x390, ['unsigned long long']], 'Win32Process' : [ 0x398, ['pointer64', ['void']]], 'Job' : [ 0x3a0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x3a8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x3b0, ['pointer64', ['void']]], 'Cookie' : [ 0x3b8, ['unsigned long']], 'WorkingSetWatch' : [ 0x3c0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x3c8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x3d0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x3d8, ['pointer64', 
['void']]], 'OwnerProcessId' : [ 0x3e0, ['unsigned long long']], 'Peb' : [ 0x3e8, ['pointer64', ['_PEB']]], 'Session' : [ 0x3f0, ['pointer64', ['void']]], 'AweInfo' : [ 0x3f8, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x400, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x408, ['pointer64', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x410, ['pointer64', ['void']]], 'Wow64Process' : [ 0x418, ['pointer64', ['void']]], 'DeviceMap' : [ 0x420, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x428, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x430, ['unsigned long long']], 'ImageFileName' : [ 0x438, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x447, ['unsigned char']], 'SecurityPort' : [ 0x448, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x450, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x458, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x468, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x470, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x480, ['unsigned long']], 'ImagePathHash' : [ 0x484, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x488, ['unsigned long']], 'LastThreadExitStatus' : [ 0x48c, ['long']], 'PrefetchTrace' : [ 0x490, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x498, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x4a0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x4a8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x4b0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x4b8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x4c0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x4c8, ['_LARGE_INTEGER']], 'CommitCharge' : [ 0x4d0, ['unsigned long long']], 'Vm' : [ 0x4d8, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x5c0, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x5d0, ['unsigned long']], 'ExitStatus' : [ 0x5d4, ['long']], 'VadRoot' : [ 0x5d8, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x5e0, ['pointer64', ['void']]], 'VadCount' : [ 0x5e8, ['unsigned long long']], 'VadPhysicalPages' : [ 0x5f0, ['unsigned long long']], 
'VadPhysicalPagesLimit' : [ 0x5f8, ['unsigned long long']], 'AlpcContext' : [ 0x600, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x620, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x630, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x638, ['unsigned long']], 'SmallestTimerResolution' : [ 0x63c, ['unsigned long']], 'ExitTime' : [ 0x640, ['_LARGE_INTEGER']], 'InvertedFunctionTable' : [ 0x648, ['pointer64', ['_INVERTED_FUNCTION_TABLE']]], 'InvertedFunctionTableLock' : [ 0x650, ['_EX_PUSH_LOCK']], 'ActiveThreadsHighWatermark' : [ 0x658, ['unsigned long']], 'LargePrivateVadCount' : [ 0x65c, ['unsigned long']], 'ThreadListLock' : [ 0x660, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x668, ['pointer64', ['void']]], 'Spare0' : [ 0x670, ['unsigned long long']], 'SignatureLevel' : [ 0x678, ['unsigned char']], 'SectionSignatureLevel' : [ 0x679, ['unsigned char']], 'Protection' : [ 0x67a, ['_PS_PROTECTION']], 'SpareByte20' : [ 0x67b, ['array', 1, ['unsigned char']]], 'Flags3' : [ 0x67c, ['unsigned long']], 'Minimal' : [ 0x67c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SvmReserved' : [ 0x680, ['long']], 'SvmReserved1' : [ 0x688, ['pointer64', ['void']]], 'SvmReserved2' : [ 0x690, ['unsigned long long']], 'LastFreezeInterruptTime' : [ 0x698, ['unsigned long long']], 'DiskCounters' : [ 0x6a0, ['pointer64', ['_PROCESS_DISK_COUNTERS']]], 'PicoContext' : [ 0x6a8, ['pointer64', ['void']]], 'KeepAliveCounter' : [ 0x6b0, ['unsigned long']], 'NoWakeKeepAliveCounter' : [ 0x6b4, ['unsigned long']], 'DeepFreezeStartTime' : [ 0x6b8, ['unsigned long long']], 'CommitChargeLimit' : [ 0x6c0, ['unsigned long long']], 'CommitChargePeak' : [ 0x6c8, ['unsigned long long']], 'HighPriorityFaultsAllowed' : [ 0x6d0, ['unsigned long']], 'SequenceNumber' : [ 0x6d8, ['unsigned long long']], 'CreateInterruptTime' : [ 0x6e0, ['unsigned long long']], 'CreateUnbiasedInterruptTime' : [ 0x6e8, ['unsigned long long']], } ], '_KPROCESS' : 
[ 0x2c8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long']], 'Spare0' : [ 0x44, ['unsigned long']], 'Affinity' : [ 0x48, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0xf0, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x108, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x1b0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x1b0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x1b0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'AffinitySet' : [ 0x1b0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='long')]], 'DeepFreeze' : [ 0x1b0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x1b0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x1b0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x1b0, ['BitField', dict(start_bit = 7, end_bit = 27, native_type='unsigned long')]], 'ReservedFlags' : [ 0x1b0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x1b0, ['long']], 'BasePriority' : [ 0x1b4, ['unsigned char']], 'QuantumReset' : [ 0x1b5, ['unsigned char']], 'Visited' : [ 0x1b6, ['unsigned char']], 'Flags' : [ 0x1b7, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x1b8, ['array', 20, ['unsigned long']]], 'IdealNode' : [ 0x208, ['array', 20, ['unsigned short']]], 'IdealGlobalNode' : [ 0x230, ['unsigned short']], 'Spare1' : [ 0x232, ['unsigned short']], 'StackCount' : [ 0x234, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x238, ['_LIST_ENTRY']], 'CycleTime' : [ 0x248, ['unsigned long long']], 'ContextSwitches' : [ 0x250, ['unsigned long long']], 
'SchedulingGroup' : [ 0x258, ['pointer64', ['_KSCHEDULING_GROUP']]], 'FreezeCount' : [ 0x260, ['unsigned long']], 'KernelTime' : [ 0x264, ['unsigned long']], 'UserTime' : [ 0x268, ['unsigned long']], 'LdtFreeSelectorHint' : [ 0x26c, ['unsigned short']], 'LdtTableLength' : [ 0x26e, ['unsigned short']], 'LdtSystemDescriptor' : [ 0x270, ['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x280, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x288, ['_FAST_MUTEX']], 'InstrumentationCallback' : [ 0x2c0, ['pointer64', ['void']]], } ], '__unnamed_1381' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1387' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1389' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1387']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_1394' : [ 0x58, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x50, ['pointer64', ['void']]], } ], '__unnamed_1396' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_1394']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'AllocationProcessorNumber' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, 
['__unnamed_1381']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_1389']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_1396']], } ], '__unnamed_139d' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_13a1' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_13a5' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_13a7' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13ab' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', 
choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 
'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13ad' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_13af' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 
'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], } ], '__unnamed_13b1' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 
'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13b3' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13b5' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_13b9' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 
'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMaximumInformation'})]], } ], '__unnamed_13bb' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13bd' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13bf' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13c1' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_13c3' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_13c7' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_13cb' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_13cf' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_13d3' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_13d7' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], 
} ], '__unnamed_13db' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_13df' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_13e1' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_13e3' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_13e7' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_13eb' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_13ef' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_13f3' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_13f7' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_13ff' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 
1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1403' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1405' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1407' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1409' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_139d']], 'CreatePipe' : [ 0x0, ['__unnamed_13a1']], 'CreateMailslot' : [ 0x0, ['__unnamed_13a5']], 'Read' : [ 0x0, ['__unnamed_13a7']], 'Write' : [ 0x0, ['__unnamed_13a7']], 'QueryDirectory' : [ 0x0, ['__unnamed_13ab']], 'NotifyDirectory' : [ 0x0, ['__unnamed_13ad']], 'QueryFile' : [ 0x0, ['__unnamed_13af']], 'SetFile' : [ 0x0, ['__unnamed_13b1']], 'QueryEa' : [ 0x0, ['__unnamed_13b3']], 'SetEa' : [ 0x0, ['__unnamed_13b5']], 'QueryVolume' : [ 0x0, ['__unnamed_13b9']], 'SetVolume' : [ 0x0, ['__unnamed_13b9']], 'FileSystemControl' : [ 0x0, ['__unnamed_13bb']], 'LockControl' : [ 0x0, ['__unnamed_13bd']], 'DeviceIoControl' : [ 0x0, ['__unnamed_13bf']], 'QuerySecurity' : [ 0x0, ['__unnamed_13c1']], 'SetSecurity' : [ 0x0, ['__unnamed_13c3']], 'MountVolume' : [ 0x0, ['__unnamed_13c7']], 'VerifyVolume' : [ 0x0, ['__unnamed_13c7']], 'Scsi' : [ 0x0, ['__unnamed_13cb']], 'QueryQuota' : [ 0x0, ['__unnamed_13cf']], 'SetQuota' : [ 0x0, ['__unnamed_13b5']], 
'QueryDeviceRelations' : [ 0x0, ['__unnamed_13d3']], 'QueryInterface' : [ 0x0, ['__unnamed_13d7']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_13db']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_13df']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_13e1']], 'SetLock' : [ 0x0, ['__unnamed_13e3']], 'QueryId' : [ 0x0, ['__unnamed_13e7']], 'QueryDeviceText' : [ 0x0, ['__unnamed_13eb']], 'UsageNotification' : [ 0x0, ['__unnamed_13ef']], 'WaitWake' : [ 0x0, ['__unnamed_13f3']], 'PowerSequence' : [ 0x0, ['__unnamed_13f7']], 'Power' : [ 0x0, ['__unnamed_13ff']], 'StartDevice' : [ 0x0, ['__unnamed_1403']], 'WMI' : [ 0x0, ['__unnamed_1405']], 'Others' : [ 0x0, ['__unnamed_1407']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_1409']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_141f' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_141f']], 
'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x10, ['unsigned long long']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'AllocationProcessorNumber' : [ 0xc, ['unsigned short']], 
'Reserved' : [ 0xe, ['unsigned short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'Type' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['unsigned char']], 'Reserved2' : [ 0xe, ['unsigned short']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x70, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer64', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x60, ['pointer64', ['void']]], 'UserContext' : [ 0x68, ['pointer64', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned 
char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 
0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, 
['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'Oplock' : [ 0x58, ['pointer64', ['void']]], 'ReservedForRemote' : [ 0x58, ['pointer64', ['void']]], 'ReservedContext' : [ 0x60, ['pointer64', ['void']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '__unnamed_15a5' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : 
[ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_15a5']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'ReservedLowFlags' : [ 0x1a, ['unsigned char']], 'WaiterPriority' : [ 0x1b, ['unsigned char']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 
0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '__unnamed_15e9' : [ 0x8, { 'Flink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeFlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 64, native_type='unsigned long long')]], 'WsIndex' : [ 0x0, ['unsigned long long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_15ee' : [ 0x8, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeBlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 56, native_type='unsigned long long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 60, native_type='unsigned long long')]], 'SpareBlink' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15f1' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], 'VolatileShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_15f3' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_15f1']], } ], '__unnamed_15fd' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'Channel' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 38, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'Unused3' : [ 
0x0, ['BitField', dict(start_bit = 40, end_bit = 53, native_type='unsigned long long')]], 'PfnExists' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned long long']], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_15e9']], 'u2' : [ 0x8, ['__unnamed_15ee']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['long']], 'PteLong' : [ 0x10, ['unsigned long long']], 'u3' : [ 0x18, ['__unnamed_15f3']], 'NodeBlinkLow' : [ 0x1c, ['unsigned short']], 'Unused' : [ 0x1e, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'VaType' : [ 0x1e, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'ViewCount' : [ 0x1f, ['unsigned char']], 'NodeFlinkLow' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'u4' : [ 0x28, ['__unnamed_15fd']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x68, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP_EX']], 'BasePte' : [ 0x10, ['pointer64', ['_MMPTE']]], 'Flags' : [ 0x18, ['unsigned long']], 'VaType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaMaximumType', 15: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'PteFailures' : [ 0x28, ['unsigned long']], 
'SpinLock' : [ 0x30, ['unsigned long long']], 'GlobalMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'Vm' : [ 0x38, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x40, ['unsigned long long']], 'Hint' : [ 0x48, ['unsigned long long']], 'CachedPtes' : [ 0x50, ['pointer64', ['_MI_CACHED_PTE']]], 'TotalFreeSystemPtes' : [ 0x58, ['unsigned long long']], 'CachedPteCount' : [ 0x60, ['long']], } ], '__unnamed_161f' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_161f']], } ], '_MMWSL' : [ 0x320, { 'FirstFree' : [ 0x0, ['unsigned long long']], 'FirstDynamic' : [ 0x8, ['unsigned long long']], 'LastEntry' : [ 0x10, ['unsigned long long']], 'NextSlot' : [ 0x18, ['unsigned long long']], 'LastInitializedWsle' : [ 0x20, ['unsigned long long']], 'NextAgingSlot' : [ 0x28, ['unsigned long long']], 'NextAccessClearingSlot' : [ 0x30, ['unsigned long long']], 'LastAccessClearingRemainder' : [ 0x38, ['unsigned long']], 'LastAgingRemainder' : [ 0x3c, ['unsigned long']], 'WsleSize' : [ 0x40, ['unsigned long']], 'NonDirectCount' : [ 0x48, ['unsigned long long']], 'LowestPagableAddress' : [ 0x50, ['pointer64', ['void']]], 'NonDirectHash' : [ 0x58, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x60, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x68, ['pointer64', ['_MMWSLE_HASH']]], 'ActiveWsleCounts' : [ 0x70, ['array', 16, ['unsigned long long']]], 'ActiveWsles' : [ 0xf0, ['array', 16, ['_MI_ACTIVE_WSLE_LISTHEAD']]], 'Wsle' : [ 0x1f0, ['pointer64', ['_MMWSLE']]], 'UserVaInfo' : [ 0x1f8, ['_MI_USER_VA_INFO']], } ], '_MMSUPPORT' : [ 0xe8, { 'ExitGate' : [ 0x0, ['pointer64', ['_KGATE']]], 'AccessLog' : [ 0x8, ['pointer64', ['void']]], 'WorkingSetMutex' : [ 0x10, ['_EX_PUSH_LOCK']], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, 
['array', 7, ['unsigned long long']]], 'MinimumWorkingSetSize' : [ 0x60, ['unsigned long long']], 'WorkingSetLeafSize' : [ 0x68, ['unsigned long long']], 'WorkingSetLeafPrivateSize' : [ 0x70, ['unsigned long long']], 'WorkingSetSize' : [ 0x78, ['unsigned long long']], 'WorkingSetPrivateSize' : [ 0x80, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0x88, ['unsigned long long']], 'ChargedWslePages' : [ 0x90, ['unsigned long long']], 'ActualWslePages' : [ 0x98, ['unsigned long long']], 'WorkingSetSizeOverhead' : [ 0xa0, ['unsigned long long']], 'PeakWorkingSetSize' : [ 0xa8, ['unsigned long long']], 'HardFaultCount' : [ 0xb0, ['unsigned long']], 'VmWorkingSetList' : [ 0xb8, ['pointer64', ['_MMWSL']]], 'NextPageColor' : [ 0xc0, ['unsigned short']], 'LastTrimStamp' : [ 0xc2, ['unsigned short']], 'PageFaultCount' : [ 0xc4, ['unsigned long']], 'TrimmedPageCount' : [ 0xc8, ['unsigned long long']], 'ForceTrimPages' : [ 0xd0, ['unsigned long long']], 'Flags' : [ 0xd8, ['_MMSUPPORT_FLAGS']], 'WsSwapSupport' : [ 0xe0, ['pointer64', ['void']]], } ], '__unnamed_1639' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1643' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 28, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, 
['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1645' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1643']], } ], '_CONTROL_AREA' : [ 0x78, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_1639']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'WaitList' : [ 0x50, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x58, ['__unnamed_1645']], 'LockedPages' : [ 0x68, ['unsigned long long']], 'FileObjectLock' : [ 0x70, ['_EX_PUSH_LOCK']], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_MMPAGING_FILE' : [ 0xe0, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'FreeReservationSpace' : [ 0x30, ['unsigned long long']], 'LargestReserveCluster' : [ 0x38, ['unsigned long long']], 'File' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x48, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x60, ['_SLIST_HEADER']], 'PageFileName' : [ 0x70, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x80, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x88, ['unsigned long']], 'ReservationBitmapHint' : [ 0x8c, ['unsigned long']], 'LargestNonReservedClusterSize' : [ 
0x90, ['unsigned long']], 'RefreshClusterSize' : [ 0x94, ['unsigned long']], 'LastRefreshClusterSize' : [ 0x98, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x9c, ['unsigned long']], 'ToBeEvictedCount' : [ 0xa0, ['unsigned long']], 'HybridPriority' : [ 0xa4, ['unsigned long']], 'PageFileNumber' : [ 0xa8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0xa8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0xa8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'NoReservations' : [ 0xa8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Spare0' : [ 0xa8, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0xaa, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0xaa, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0xab, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0xac, ['unsigned long']], 'PageHashPagesPeak' : [ 0xb0, ['unsigned long']], 'PageHash' : [ 0xb8, ['pointer64', ['unsigned long']]], 'FileHandle' : [ 0xc0, ['pointer64', ['void']]], 'Lock' : [ 0xc8, ['unsigned long long']], 'LockOwner' : [ 0xd0, ['pointer64', ['_ETHREAD']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x30, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x8, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0x18, ['_RTL_BITMAP']], 'EvictStoreBitmap' : [ 0x28, ['pointer64', ['_RTL_BITMAP']]], } ], 'tagSWITCH_CONTEXT' : [ 0x60, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '__unnamed_1686' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: 
'_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1689' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_168b' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_168f' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_1691' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_1695' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_1699' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_169b' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_1686']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_1686']]], 'RegistryIO' : [ 0xd0, ['__unnamed_1689']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_168b']], 'CheckKey' : [ 0xf0, ['__unnamed_168f']], 'CheckValueList' : [ 0x110, 
['__unnamed_1691']], 'CheckHive' : [ 0x128, ['__unnamed_1695']], 'CheckHive1' : [ 0x138, ['__unnamed_1695']], 'CheckBin' : [ 0x148, ['__unnamed_1699']], 'RecoverData' : [ 0x158, ['__unnamed_169b']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xb8, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'ParkingStatus' : [ 0x78, ['unsigned long']], 'CurrentFrequency' : [ 0x7c, ['unsigned long']], 'PercentMaxFrequency' : [ 0x80, ['unsigned long']], 'StateFlags' : [ 0x84, ['unsigned long']], 'NominalThroughput' : [ 0x88, ['unsigned long']], 'ActiveThroughput' : [ 0x8c, ['unsigned long']], 'ScaledThroughput' : [ 0x90, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0x98, ['unsigned long long']], 'AverageIdleTime' : [ 0xa0, ['unsigned long long']], 
'IdleBreakEvents' : [ 0xa8, ['unsigned long long']], 'PerformanceLimit' : [ 0xb0, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xb4, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 
'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 
0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0xc, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '__unnamed_1705' : [ 0x10, { 'ReservedEax' : [ 0x0, ['unsigned long']], 'ReservedEbx' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'InitialApicId' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ReservedEcx' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HypervisorPresent' : [ 0x8, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_CPUID_RESULT' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'VersionAndFeatures' : [ 0x0, ['__unnamed_1705']], 'HvVendorAndMaxFunction' : [ 0x0, ['_HV_VENDOR_AND_MAX_FUNCTION']], 'HvInterface' : [ 0x0, ['_HV_HYPERVISOR_INTERFACE_INFO']], 'MsHvVersion' : [ 0x0, ['_HV_HYPERVISOR_VERSION_INFO']], 'MsHvFeatures' : [ 0x0, ['_HV_HYPERVISOR_FEATURES']], 'MsHvEnlightenmentInformation' : [ 0x0, ['_HV_ENLIGHTENMENT_INFORMATION']], 'MsHvImplementationLimits' : [ 0x0, ['_HV_IMPLEMENTATION_LIMITS']], 'MsHvHardwareFeatures' : [ 0x0, ['_HV_HYPERVISOR_HARDWARE_FEATURES']], } ], '_HV_VENDOR_AND_MAX_FUNCTION' : [ 0x10, { 'MaxFunction' : [ 0x0, ['unsigned long']], 'VendorName' : [ 0x4, ['array', 12, ['unsigned char']]], } ], '_HV_HYPERVISOR_INTERFACE_INFO' : [ 0x10, { 'Interface' : [ 0x0, ['unsigned long']], 'ReservedEbx' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_HYPERVISOR_VERSION_INFO' : [ 0x10, { 'BuildNumber' : [ 0x0, 
['unsigned long']], 'MinorVersion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'MajorVersion' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ServicePack' : [ 0x8, ['unsigned long']], 'ServiceNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'ServiceBranch' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_HV_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, 
['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long')]], } ], '_HV_HYPERVISOR_HARDWARE_FEATURES' : [ 0x10, { 'ApicOverlayAssistInUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MsrBitmapsInUse' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ArchitecturalPerformanceCountersInUse' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SecondLevelAddressTranslationInUse' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DmaRemappingInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'InterruptRemappingInUse' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'MemoryPatrolScrubberPresent' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'ReservedEbx' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_ENLIGHTENMENT_INFORMATION' : [ 0x10, { 'UseHypercallForAddressSpaceSwitch' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UseHypercallForLocalFlush' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
long')]], 'UseHypercallForRemoteFlush' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UseApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UseMsrForReset' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UseRelaxedTiming' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UseDmaRemapping' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UseInterruptRemapping' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UseX2ApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeprecateAutoEoi' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'LongSpinWaitCount' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_IMPLEMENTATION_LIMITS' : [ 0x10, { 'MaxVirtualProcessorCount' : [ 0x0, ['unsigned long']], 'MaxLogicalProcessorCount' : [ 0x4, ['unsigned long']], 'MaxInterruptMappingCount' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeMsr' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicMsrs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerMsrs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetMsr' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsMsr' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleMsr' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyMsrs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugMsrs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, 
end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'EnableExpandedStackwalking' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', ['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x268, { 'Lock' : [ 0x0, ['unsigned long long']], 'ReadySummary' : [ 0x8, ['unsigned long']], 'ReadyListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x210, ['array', 64, ['unsigned char']]], 'Span' : [ 0x250, ['unsigned long']], 'LowProcIndex' : [ 0x254, ['unsigned long']], 'QueueIndex' : [ 0x258, ['unsigned long']], 'ProcCount' : [ 0x25c, ['unsigned long']], 'Affinity' : [ 0x260, ['unsigned long long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned 
long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'Spare1' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'OutputBuffer' : [ 0xd8, ['unsigned long long']], 'OutputLength' : [ 0xe0, ['unsigned long long']], 'Spare2' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 
'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'Fill4' : [ 0x18c, ['unsigned long']], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x48, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 
'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x30, ['pointer64', ['unsigned long']]], 'EnableKeyWords' : [ 0x38, ['pointer64', ['unsigned long long']]], 'EnableLevel' : [ 0x40, ['pointer64', ['unsigned char']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependencyNode' : [ 0x50, ['pointer64', ['void']]], 'VerifierContext' : [ 0x58, ['pointer64', ['void']]], } ], '__unnamed_1805' : [ 0x8, { 
'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1807' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_180b' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x2c8, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'FxDevice' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x58, ['long']], 'FxRemoveEvent' : [ 0x60, ['_KEVENT']], 'FxActivationCount' : [ 0x78, ['long']], 'FxSleepCount' : [ 0x7c, ['long']], 'Plugin' : [ 0x80, ['pointer64', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x88, ['unsigned long']], 'CurrentPowerState' : [ 0x8c, ['_POWER_STATE']], 'Notify' : [ 0x90, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xf8, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0x118, ['_UNICODE_STRING']], 'PowerFlags' : [ 0x128, ['unsigned long']], 'State' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 
'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x134, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 
'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x184, ['unsigned long']], 'CompletionStatus' : [ 0x188, ['long']], 'Flags' : [ 0x18c, ['unsigned long']], 'UserFlags' : [ 0x190, ['unsigned long']], 'Problem' : [ 0x194, ['unsigned long']], 'ProblemStatus' : [ 0x198, ['long']], 'ResourceList' : [ 0x1a0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x1b0, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x1b8, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x1c4, ['unsigned long']], 'ChildInterfaceType' : [ 0x1c8, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x1cc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x1d0, ['unsigned short']], 'RemovalPolicy' : [ 0x1d2, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x1d3, ['unsigned char']], 'TargetDeviceNotify' : [ 0x1d8, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x1e8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1f8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x208, ['unsigned short']], 'QueryTranslatorMask' : [ 0x20a, ['unsigned short']], 'NoArbiterMask' : [ 0x20c, ['unsigned short']], 'QueryArbiterMask' : [ 0x20e, ['unsigned short']], 
'OverUsed1' : [ 0x210, ['__unnamed_1805']], 'OverUsed2' : [ 0x218, ['__unnamed_1807']], 'BootResources' : [ 0x220, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x228, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x230, ['unsigned long']], 'DockInfo' : [ 0x238, ['__unnamed_180b']], 'DisableableDepends' : [ 0x258, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x260, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x270, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x280, ['unsigned long']], 'PreviousParent' : [ 0x288, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x290, ['unsigned long']], 'NumaNodeIndex' : [ 0x294, ['unsigned long']], 'ContainerID' : [ 0x298, ['_GUID']], 'OverrideFlags' : [ 0x2a8, ['unsigned char']], 'DeviceIdsHash' : [ 0x2ac, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x2b0, ['unsigned char']], 'PendingEjectRelations' : [ 0x2b8, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x2c0, ['unsigned long']], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KAFFINITY_EX' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 20, ['unsigned long long']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 
'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 
'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 
'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned 
long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, 
['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_18c2' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, 
['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_18c2']], } ], '__unnamed_18c9' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 
0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_18c9']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PROCESSOR_POWER_STATE' : [ 0x1e0, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x8, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x10, ['unsigned long long']], 'IdleTimeTotal' : [ 0x18, ['unsigned long long']], 'IdleTimeEntry' : [ 0x20, ['unsigned long long']], 'Reserved' : [ 0x28, ['unsigned long long']], 'IdlePolicy' : [ 0x30, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x38, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x40, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xb0, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'LastSysTime' : [ 0xb4, ['unsigned long']], 'WmiDispatchPtr' : [ 0xb8, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0xc0, ['long']], 'FFHThrottleStateInfo' : [ 0xc8, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0xe8, ['_KDPC']], 'PerfActionMask' : [ 0x128, ['long']], 'HvIdleCheck' : [ 0x130, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x140, 
['_PROC_PERF_SNAP']], 'Domain' : [ 0x180, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x188, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x190, ['pointer64', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x198, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x1a0, ['pointer64', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x1a8, ['unsigned char']], 'HvTargetState' : [ 0x1a9, ['unsigned char']], 'Parked' : [ 0x1aa, ['unsigned char']], 'OverUtilized' : [ 0x1ab, ['unsigned char']], 'LatestPerformancePercent' : [ 0x1ac, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x1b0, ['unsigned long']], 'ExpectedUtility' : [ 0x1b4, ['unsigned long']], 'Utility' : [ 0x1b8, ['array', 3, ['_PROC_PERF_UTILITY']]], } ], '_PROC_PERF_UTILITY' : [ 0xc, { 'Affinitized' : [ 0x0, ['unsigned long']], 'Performance' : [ 0x4, ['unsigned long']], 'Total' : [ 0x8, ['unsigned long']], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CompleteIdleStatePending' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], 
'_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0xd0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x20, ['unsigned long long']], 'LogHandleContext' : [ 0x28, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0xc0, ['unsigned long']], 'PagesQueuedToDisk' : [ 0xc4, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0xc8, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x208, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' 
: [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'V1' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0x100, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x118, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0x150, ['_LARGE_INTEGER']], 'Event' : [ 0x158, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x170, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x178, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1f0, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1f8, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x200, ['unsigned long']], 'WritesInProgress' : [ 0x204, ['unsigned long']], } ], '__unnamed_1971' : [ 0x10, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_1971']], 
'ArrayHead' : [ 0x20, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1992' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1994' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1996' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_1998' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_199a' : [ 0x30, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x8, ['pointer64', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x10, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x28, ['unsigned char']], } ], '__unnamed_199c' : [ 0x30, { 'Read' : [ 0x0, ['__unnamed_1992']], 'Write' : [ 0x0, ['__unnamed_1994']], 'Event' : [ 0x0, ['__unnamed_1996']], 'Notification' : [ 0x0, ['__unnamed_1998']], 'LowPriWrite' : [ 0x0, ['__unnamed_199a']], } ], '_WORK_QUEUE_ENTRY' : [ 0x48, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_199c']], 'Function' : [ 0x40, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x30, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x8, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x20, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x98, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x10, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x18, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x30, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x68, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x6c, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x70, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x78, ['pointer64', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x80, ['unsigned long long']], 'LastLWTimeStamp' : [ 0x88, ['_LARGE_INTEGER']], 'Flags' : [ 0x90, ['unsigned long']], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, 
['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x298, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 
'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x90, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x94, ['unsigned long']], 'Signature' : [ 0x98, ['unsigned long']], 'SegmentReserve' : [ 0xa0, ['unsigned long long']], 'SegmentCommit' : [ 0xa8, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb0, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xb8, ['unsigned long long']], 'TotalFreeSize' : [ 0xc0, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xc8, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd0, ['unsigned short']], 'HeaderValidateLength' : [ 0xd2, ['unsigned short']], 'HeaderValidateCopy' : [ 0xd8, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe0, ['unsigned short']], 'MaximumTagIndex' : [ 0xe2, ['unsigned short']], 'TagEntries' : [ 0xe8, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf0, ['_LIST_ENTRY']], 'AlignRound' : [ 0x100, ['unsigned long long']], 'AlignMask' : [ 0x108, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x110, ['_LIST_ENTRY']], 'SegmentList' : [ 0x120, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x130, ['unsigned short']], 'NonDedicatedListLength' : [ 0x134, ['unsigned long']], 'BlocksIndex' : [ 0x138, ['pointer64', ['void']]], 'UCRIndex' : [ 0x140, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x148, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x150, 
['_LIST_ENTRY']], 'LockVariable' : [ 0x160, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x168, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x170, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x178, ['unsigned short']], 'FrontEndHeapType' : [ 0x17a, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0x17b, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0x180, ['pointer64', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0x188, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0x18a, ['array', 129, ['unsigned char']]], 'Counters' : [ 0x210, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x288, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1a07' : [ 0x68, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_1a07']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 
0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, 
['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1a59' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1a5b' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a59']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1a5d' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1a5f' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1a5d']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1a5b']], 'u2' : [ 0x4, ['__unnamed_1a5f']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x30, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer64', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], } ], '__unnamed_1a7a' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1a7c' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1a7a']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x30, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_1a7c']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x18, ['long long']], 'Lock' : [ 0x20, ['_EX_PUSH_LOCK']], } ], '__unnamed_1a8e' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a90' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a8e']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_1a90']], 'NumberOfRegions' : [ 0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_1a99' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1a9b' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a99']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_1a9b']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, 
['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_1aa1' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1aa3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1aa1']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_1aa3']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x48, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x40, ['pointer64', ['_KALPC_MESSAGE']]], } ], '__unnamed_1ac1' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1ac3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1ac1']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1c0, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa0, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0xb0, 
['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0xb8, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0xc8, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0xd0, ['_LIST_ENTRY']], 'Semaphore' : [ 0xe0, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xe0, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0xe8, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x130, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x138, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0x148, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0x150, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0x158, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x160, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x168, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x178, ['long']], 'ReferenceNo' : [ 0x17c, ['long']], 'ReferenceNoWait' : [ 0x180, ['pointer64', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0x188, ['__unnamed_1ac3']], 'TargetQueuePort' : [ 0x190, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x198, ['pointer64', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x1a0, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x1a8, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x1ac, ['unsigned long']], 'PendingQueueLength' : [ 0x1b0, ['unsigned long']], 'CanceledQueueLength' : [ 0x1b4, ['unsigned long']], 'WaitQueueLength' : [ 0x1b8, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0xa0, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'CompletionListLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x20, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x28, ['pointer64', ['void']]], 'UserLimit' : [ 0x30, ['pointer64', ['void']]], 'DataUserVa' : [ 0x38, ['pointer64', ['void']]], 'SystemVa' : [ 0x40, ['pointer64', ['void']]], 'TotalSize' : [ 0x48, ['unsigned long long']], 'Header' : [ 0x50, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x58, ['pointer64', ['void']]], 'ListSize' : [ 0x60, ['unsigned long long']], 'Bitmap' : [ 0x68, ['pointer64', ['void']]], 
'BitmapSize' : [ 0x70, ['unsigned long long']], 'Data' : [ 0x78, ['pointer64', ['void']]], 'DataSize' : [ 0x80, ['unsigned long long']], 'BitmapLimit' : [ 0x88, ['unsigned long']], 'BitmapNextHint' : [ 0x8c, ['unsigned long']], 'ConcurrencyCount' : [ 0x90, ['unsigned long']], 'AttributeFlags' : [ 0x94, ['unsigned long']], 'AttributeSize' : [ 0x98, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_TYPE' : [ 0xd8, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'Key' : [ 0xc0, ['unsigned long']], 'CallbackList' : [ 0xc8, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x20, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x18, ['long']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1a5b']], 'u2' : [ 0x4, ['__unnamed_1a5f']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1aeb' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned 
long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1aed' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1aeb']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x100, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'u1' : [ 0x28, ['__unnamed_1aed']], 'SequenceNo' : [ 0x2c, ['long']], 'QuotaProcess' : [ 0x30, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x30, ['pointer64', ['void']]], 'CancelSequencePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x40, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x48, ['long']], 'CancelListEntry' : [ 0x50, ['_LIST_ENTRY']], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x68, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xa0, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xa8, ['pointer64', 
['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xb0, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xb8, ['pointer64', ['_ETHREAD']]], 'WakeReference' : [ 0xc0, ['pointer64', ['void']]], 'ExtensionBuffer' : [ 0xc8, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0xd0, ['unsigned long long']], 'PortMessage' : [ 0xd8, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'Flags' : [ 0x28, ['unsigned long']], 'TotalLength' : [ 0x2c, ['unsigned short']], 'Type' : [ 0x2e, ['unsigned short']], 'DataInfoOffset' : [ 0x30, ['unsigned short']], 'SignalCompletion' : [ 0x32, ['unsigned char']], 'PostedToCompletionList' : [ 0x33, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x30, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', 
['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1b2f' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1b31' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b2f']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1b31']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x28, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'TimeStamped' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer64', ['void']]], 'ActivityId' : [ 0x10, ['_GUID']], 'Timestamp' : [ 0x20, ['_LARGE_INTEGER']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, 
['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x48, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 
'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, ['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned char']], 'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'AccessMode' : [ 0x94, ['unsigned char']], 'DriverCreateContext' : [ 0x98, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1bf6' : [ 0x4, { 
'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x118, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1bf6']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer64', ['unsigned short']]], 'LogFileName' : [ 0x40, ['pointer64', ['unsigned short']]], 'TimeZone' : [ 0x48, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf8, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0x100, ['_LARGE_INTEGER']], 'StartTime' : [ 0x108, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x110, ['unsigned long']], 'BuffersLost' : [ 0x114, ['unsigned long']], } ], '_TlgProvider_t' : [ 0x40, { 'LevelPlus1' : [ 0x0, ['unsigned long']], 'ProviderMetadataPtr' : [ 0x8, ['pointer64', ['unsigned short']]], 'KeywordAny' : [ 0x10, ['unsigned long long']], 'KeywordAll' : [ 0x18, ['unsigned long long']], 'RegHandle' : [ 0x20, ['unsigned long long']], 'EnableCallback' : [ 0x28, ['pointer64', ['void']]], 'CallbackContext' : [ 0x30, ['pointer64', ['void']]], 'AnnotationFunc' : [ 0x38, ['pointer64', ['void']]], } ], '_TlgProviderMetadata_t' : [ 0x13, { 'Type' : [ 0x0, ['unsigned char']], 'ProviderId' : [ 0x1, ['_GUID']], 'RemainingSize' : [ 0x11, ['unsigned short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x390, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, 
['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 2, ['unsigned long']]], 'ErrorMarker' : [ 0x1c, ['unsigned long']], 'SizeMask' : [ 0x20, ['unsigned long']], 'GetCpuClock' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'FailureReason' : [ 0x3c, ['unsigned long']], 'BufferQueue' : [ 0x40, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x58, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x70, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x80, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x90, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x90, ['_EX_FAST_REF']], 'LoggerName' : [ 0x98, ['_UNICODE_STRING']], 'LogFileName' : [ 0xa8, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0xb8, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xc8, ['_UNICODE_STRING']], 'ClockType' : [ 0xd8, ['unsigned long']], 'LastFlushedBuffer' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'FlushThreshold' : [ 0xe4, ['unsigned long']], 'ByteOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xf0, ['unsigned long']], 'BuffersAvailable' : [ 0xf4, ['long']], 'NumberOfBuffers' : [ 0xf8, ['long']], 'MaximumBuffers' : [ 0xfc, ['unsigned long']], 'EventsLost' : [ 0x100, ['unsigned long']], 'PeakBuffersCount' : [ 0x104, ['long']], 'BuffersWritten' : [ 0x108, ['unsigned long']], 'LogBuffersLost' : [ 0x10c, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x110, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x114, ['unsigned long']], 'SequencePtr' : [ 0x118, ['pointer64', ['long']]], 'LocalSequence' : [ 0x120, ['unsigned long']], 'InstanceGuid' : [ 0x124, ['_GUID']], 'MaximumFileSize' : [ 0x134, ['unsigned long']], 'FileCounter' : [ 0x138, ['long']], 'PoolType' : [ 0x13c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 
'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x140, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0x150, ['long']], 'ProviderInfoSize' : [ 0x154, ['unsigned long']], 'Consumers' : [ 0x158, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x168, ['unsigned long']], 'TransitionConsumer' : [ 0x170, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x178, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x180, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x190, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x1a0, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1a8, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1b0, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1b8, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1c0, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1d0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1d8, ['_KEVENT']], 'FlushEvent' : [ 0x1f0, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x208, ['_KTIMER']], 'LoggerDpc' : [ 0x248, ['_KDPC']], 'LoggerMutex' : [ 0x288, ['_KMUTANT']], 'LoggerLock' : [ 0x2c0, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2c8, ['unsigned long long']], 'BufferListPushLock' : [ 0x2c8, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2d0, ['_SECURITY_CLIENT_CONTEXT']], 'TokenAccessInformation' : [ 0x318, ['pointer64', 
['_TOKEN_ACCESS_INFORMATION']]], 'SecurityDescriptor' : [ 0x320, ['_EX_FAST_REF']], 'StartTime' : [ 0x328, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x330, ['pointer64', ['void']]], 'BufferSequenceNumber' : [ 0x338, ['long long']], 'Flags' : [ 0x340, ['unsigned long']], 'Persistent' : [ 0x340, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x340, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x340, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x340, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x340, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x340, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x340, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x340, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x340, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x340, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x340, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x340, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x340, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SpareFlags1' : [ 0x340, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x340, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x340, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x340, ['BitField', dict(start_bit = 
25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x344, ['unsigned long']], 'DbgRequestNewFie' : [ 0x344, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x344, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x344, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x344, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x344, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x344, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x344, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x344, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDefferdFlush' : [ 0x344, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDefferdFlushTimer' : [ 0x344, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x344, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x344, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x344, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x348, ['_RTL_BITMAP']], 'StackCache' : [ 0x358, ['pointer64', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x360, ['pointer64', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x368, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x378, ['pointer64', ['pointer64', ['_WMI_BUFFER_HEADER']]]], 'DisallowedGuids' : [ 0x380, ['_DISALLOWED_GUIDS']], } ], '_ETW_PMC_SUPPORT' : [ 0x28, { 'Source' : [ 0x0, 
['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer64', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x478, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 
'RestrictedSids' : [ 0xa0, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa8, ['pointer64', ['void']]], 'DynamicPart' : [ 0xb0, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb8, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc8, ['unsigned long']], 'TokenInUse' : [ 0xcc, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xd0, ['unsigned long']], 'MandatoryPolicy' : [ 0xd4, ['unsigned long']], 'LogonSession' : [ 0xd8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe0, ['_LUID']], 'SidHash' : [ 0xe8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f8, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x308, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x310, ['pointer64', ['void']]], 'Capabilities' : [ 0x318, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x320, ['unsigned long']], 'CapabilitiesHash' : [ 0x328, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x438, ['pointer64', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x440, ['pointer64', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x448, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x450, ['pointer64', ['void']]], 'TrustLinkedToken' : [ 0x458, ['pointer64', ['_TOKEN']]], 'IntegrityLevelSidValue' : [ 0x460, ['pointer64', ['void']]], 'TokenSidValues' : [ 0x468, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], 'VariablePart' : [ 0x470, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x80, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, 
['_LUID']], 'ReferenceCount' : [ 0x18, ['long long']], 'Flags' : [ 0x20, ['unsigned long']], 'pDeviceMap' : [ 0x28, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x30, ['pointer64', ['void']]], 'AccountName' : [ 0x38, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x48, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x58, ['_SEP_LOWBOX_HANDLES_TABLE']], 'SharedDataLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'SharedClaimAttributes' : [ 0x70, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'SharedSidValues' : [ 0x78, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 'DbgRefTrace' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'NewObject' : [ 0x1b, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0x1b, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0x1b, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0x1b, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0x1b, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0x1b, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0x1b, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0x1b, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare' : [ 0x1c, ['unsigned long']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x10, { 'SecurityDescriptor' : [ 0x0, ['pointer64', ['void']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x28, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'EntryLink' : [ 0x10, 
['pointer64', ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0x18, ['unsigned long']], 'HashIndex' : [ 0x1c, ['unsigned short']], 'DirectoryLocked' : [ 0x1e, ['unsigned char']], 'LockedExclusive' : [ 0x1f, ['unsigned char']], 'LockStateSignature' : [ 0x20, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x130, ['pointer64', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_WHEAP_INFO_BLOCK' : [ 0x18, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x8, ['pointer64', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x10, ['pointer64', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x428, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x10, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x14, ['unsigned long']], 'ErrorCount' : [ 0x18, ['long']], 'RecordCount' : [ 0x1c, ['unsigned long']], 'RecordLength' : [ 0x20, ['unsigned long']], 'PoolTag' : [ 0x24, ['unsigned long']], 'Type' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x30, ['pointer64', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x38, ['pointer64', ['void']]], 'SectionCount' : [ 0x40, ['unsigned long']], 'SectionLength' : [ 0x44, ['unsigned long']], 'TickCountAtLastError' : [ 0x48, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x50, ['unsigned long']], 
'TotalErrors' : [ 0x54, ['unsigned long']], 'Deferred' : [ 0x58, ['unsigned char']], 'Descriptor' : [ 0x59, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xf0, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x10, ['unsigned long']], 'ProcessorNumber' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x1c, ['long']], 'ErrorSource' : [ 0x20, ['pointer64', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x28, ['_WHEA_ERROR_RECORD']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x30, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'ConnectLock' : [ 0x8, ['_KEVENT']], 'LineMasked' : [ 0x20, ['unsigned char']], 'InterruptList' : [ 0x28, ['pointer64', ['_KINTERRUPT']]], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0xb0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long long']], 'WorkQueue' : [ 0x20, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x60, ['pointer64', ['void']]], 
'AcceptProcessorNotification' : [ 0x68, ['pointer64', ['void']]], 'WorkOrderCount' : [ 0x70, ['unsigned long']], 'WorkOrders' : [ 0x78, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : 
[ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x150, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x108, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x148, ['unsigned long']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'Type' : [ 0x0, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Reserved1' : [ 0x3, ['unsigned char']], 'TimerType' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, 
['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Timer2Type' : [ 0x0, ['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Timer2ReservedFlags' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Timer2Reserved1' : [ 0x2, ['unsigned char']], 'Timer2Reserved2' : [ 0x3, ['unsigned char']], 'QueueType' : [ 0x0, ['unsigned char']], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'QueueReservedControlFlags' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueSize' : [ 0x2, ['unsigned char']], 'QueueReserved' : [ 0x3, ['unsigned char']], 'ThreadType' : [ 0x0, ['unsigned char']], 'ThreadReserved' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned 
char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ThreadReservedControlFlags' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Minimal' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved4' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MutantType' : [ 0x0, ['unsigned char']], 'MutantSize' : [ 0x1, ['unsigned char']], 'DpcActive' : [ 0x2, ['unsigned char']], 'MutantReserved' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned 
long']], 'WaitResponse' : [ 0xc, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], } ], '_TraceLoggingMetadata_t' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned char']], 'Flags' : [ 0x7, ['unsigned char']], 'Magic' : [ 0x8, ['unsigned long long']], } ], '_HEAP_COUNTERS' : [ 0x78, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'PollIntervalCounter' : [ 0x48, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x4c, ['unsigned long']], 'HeapPollInterval' : [ 0x50, ['unsigned long']], 'AllocAndFreeOps' : [ 0x54, ['unsigned long']], 'AllocationIndicesActive' : [ 0x58, ['unsigned long']], 'InBlockDeccommits' : [ 0x5c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x60, ['unsigned long long']], 'HighWatermarkSize' : [ 0x68, ['unsigned long long']], 'LastPolledSize' : [ 0x70, ['unsigned long long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, 
['unsigned long long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_MI_ACTIVE_WSLE_LISTHEAD' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x70, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x68, ['unsigned char']], 'DeleteType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 
'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], '_TOKEN_ACCESS_INFORMATION' : [ 0x50, { 'SidHash' : [ 0x0, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'RestrictedSidHash' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'Privileges' : [ 0x10, ['pointer64', ['_TOKEN_PRIVILEGES']]], 'AuthenticationId' : [ 0x18, ['_LUID']], 'TokenType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'MandatoryPolicy' : [ 0x28, ['_TOKEN_MANDATORY_POLICY']], 'Flags' : [ 0x2c, ['unsigned long']], 'AppContainerNumber' : [ 0x30, ['unsigned long']], 'PackageSid' : [ 0x38, ['pointer64', ['void']]], 'CapabilitiesHash' : [ 0x40, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'TrustLevelSid' : [ 0x48, ['pointer64', ['void']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_WORK_ORDER' : [ 0x38, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x20, ['long']], 'Context' : [ 0x28, ['pointer64', ['void']]], 'WatchdogTimerInfo' : [ 0x30, ['pointer64', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 
'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'Reserved' : [ 0x20, ['array', 3, ['pointer64', ['void']]]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, ['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['unsigned long long']], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x48, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ullContextMinimum' : [ 0x8, ['unsigned long long']], 'guPlatform' : [ 0x10, ['_GUID']], 'guMinPlatform' : [ 0x20, ['_GUID']], 'ulContextSource' : [ 0x30, ['unsigned long']], 'ulElementCount' : [ 0x34, ['unsigned long']], 'guElements' : [ 0x38, ['array', 1, ['_GUID']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x30, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x18, ['_KEVENT']], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 
0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x10, ['unsigned char']], 'BlockState' : [ 0x11, ['unsigned char']], 'WaitKey' : [ 0x12, ['unsigned short']], 'SpareLong' : [ 0x14, ['long']], 'Thread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NotificationQueue' : [ 0x18, ['pointer64', ['_KQUEUE']]], 'Object' : [ 0x20, ['pointer64', ['void']]], 'SparePtr' : [ 0x28, ['pointer64', ['void']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' 
: [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x50, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'CriticalTripPoint' : [ 0x18, ['unsigned long']], 'ActiveTripPointCount' : [ 0x1c, ['unsigned char']], 'ActiveTripPoint' : [ 0x20, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x48, ['unsigned long']], 'MinimumThrottle' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1dce' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1dd0' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1dce']], 'Private' : [ 0x0, ['__unnamed_1dd0']], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long long']], 'Processors' : [ 0x8, ['unsigned long']], 'ActiveProcessors' : [ 0xc, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 
'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x10, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x260, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x10, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x20, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x130, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x240, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x248, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x250, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x258, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned 
long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 28, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x4b0, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0xb0, 
['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb8, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xc0, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0xc8, ['unsigned long long']], 'TotalPageFaultCount' : [ 0xd0, ['unsigned long']], 'TotalProcesses' : [ 0xd4, ['unsigned long']], 'ActiveProcesses' : [ 0xd8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xdc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xe0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf8, ['unsigned long long']], 'LimitFlags' : [ 0x100, ['unsigned long']], 'ActiveProcessLimit' : [ 0x104, ['unsigned long']], 'Affinity' : [ 0x108, ['_KAFFINITY_EX']], 'AccessState' : [ 0x1b0, ['pointer64', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0x1b8, ['pointer64', ['void']]], 'UIRestrictionsClass' : [ 0x1c0, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x1c4, ['unsigned long']], 'CompletionPort' : [ 0x1c8, ['pointer64', ['void']]], 'CompletionKey' : [ 0x1d0, ['pointer64', ['void']]], 'CompletionCount' : [ 0x1d8, ['unsigned long long']], 'SessionId' : [ 0x1e0, ['unsigned long']], 'SchedulingClass' : [ 0x1e4, ['unsigned long']], 'ReadOperationCount' : [ 0x1e8, ['unsigned long long']], 'WriteOperationCount' : [ 0x1f0, ['unsigned long long']], 'OtherOperationCount' : [ 0x1f8, ['unsigned long long']], 'ReadTransferCount' : [ 0x200, ['unsigned long long']], 'WriteTransferCount' : [ 0x208, ['unsigned long long']], 'OtherTransferCount' : [ 0x210, ['unsigned long long']], 'DiskIoInfo' : [ 0x218, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x240, ['unsigned long long']], 'JobMemoryLimit' : [ 0x248, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x250, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x258, ['unsigned long long']], 'EffectiveAffinity' : [ 0x260, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x308, ['_LARGE_INTEGER']], 
'EffectiveMinimumWorkingSetSize' : [ 0x310, ['unsigned long long']], 'EffectiveMaximumWorkingSetSize' : [ 0x318, ['unsigned long long']], 'EffectiveProcessMemoryLimit' : [ 0x320, ['unsigned long long']], 'EffectiveProcessMemoryLimitJob' : [ 0x328, ['pointer64', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x330, ['pointer64', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x338, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x33c, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x340, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x344, ['unsigned long']], 'EffectiveSwapCount' : [ 0x348, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x34c, ['unsigned long']], 'EffectivePriorityClass' : [ 0x350, ['unsigned char']], 'PriorityClass' : [ 0x351, ['unsigned char']], 'Reserved1' : [ 0x352, ['array', 2, ['unsigned char']]], 'CompletionFilter' : [ 0x354, ['unsigned long']], 'WakeChannel' : [ 0x358, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x358, ['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x390, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x398, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x39c, ['unsigned long']], 'NotificationLink' : [ 0x3a0, ['pointer64', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x3a8, ['unsigned long long']], 'NotificationInfo' : [ 0x3b0, ['pointer64', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x3b8, ['pointer64', ['void']]], 'NotificationPacket' : [ 0x3c0, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x3c8, ['pointer64', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x3d0, ['pointer64', ['void']]], 'ReadyTime' : [ 0x3d8, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x3e0, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x3e8, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x3f8, ['_LIST_ENTRY']], 'ParentJob' : [ 0x408, ['pointer64', ['_EJOB']]], 'RootJob' : [ 0x410, ['pointer64', ['_EJOB']]], 'IteratorListHead' : [ 0x418, ['_LIST_ENTRY']], 'AncestorCount' : 
[ 0x428, ['unsigned long long']], 'Ancestors' : [ 0x430, ['pointer64', ['pointer64', ['_EJOB']]]], 'Accounting' : [ 0x438, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x488, ['unsigned long']], 'SequenceNumber' : [ 0x48c, ['unsigned long']], 'TimerListLock' : [ 0x490, ['unsigned long long']], 'TimerListHead' : [ 0x498, ['_LIST_ENTRY']], 'JobFlags' : [ 0x4a8, ['unsigned long']], 'CloseDone' : [ 0x4a8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x4a8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x4a8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x4a8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x4a8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x4a8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x4a8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x4a8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x4a8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x4a8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x4a8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x4a8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x4a8, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x4a8, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x4a8, ['BitField', dict(start_bit = 14, end_bit = 15, 
native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x4a8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x4a8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x4a8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x4a8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x4a8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x4a8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x4a8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x4a8, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x4a8, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x4a8, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareJobFlags' : [ 0x4a8, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x4ac, ['unsigned long']], } ], '_PPM_IDLE_STATES' : [ 0x318, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'ForceIdle' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'ReasonFlags' : [ 0x24, ['unsigned short']], 
'InitiateWakeStamp' : [ 0x28, ['unsigned long long']], 'PreviousStatus' : [ 0x30, ['long']], 'PreviousCancelReason' : [ 0x34, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x38, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0xe0, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x188, ['pointer64', ['void']]], 'IdleExecute' : [ 0x190, ['pointer64', ['void']]], 'IdlePreselect' : [ 0x198, ['pointer64', ['void']]], 'IdleTest' : [ 0x1a0, ['pointer64', ['void']]], 'IdleComplete' : [ 0x1a8, ['pointer64', ['void']]], 'IdleCancel' : [ 0x1b0, ['pointer64', ['void']]], 'IdleIsHalted' : [ 0x1b8, ['pointer64', ['void']]], 'IdleInitiateWake' : [ 0x1c0, ['pointer64', ['void']]], 'QueryPlatformStateResidency' : [ 0x1c8, ['pointer64', ['void']]], 'PrepareInfo' : [ 0x1d0, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'Tracing' : [ 0x238, ['pointer64', ['_PERFINFO_PPM_STATE_SELECTION']]], 'State' : [ 0x240, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x388, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, 
native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'SparePvoid0' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', 
['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, 
['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pUnused' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x98, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', 
['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned short']], 'Flags' : [ 0x5a, ['unsigned char']], 'ShutDownRequested' : [ 0x5a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x5a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x5a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x5a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Wow' : [ 0x5a, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'EventsLostCount' : [ 0x88, ['pointer64', ['unsigned long']]], 'BuffersLostCount' : [ 0x90, ['pointer64', ['unsigned long']]], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 
544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_TOKEN_MANDATORY_POLICY' : [ 0x4, { 'Policy' : [ 0x0, ['unsigned long']], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 
'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x50, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x38, ['pointer64', ['void']]], 'DvCallbacks' : [ 0x40, ['pointer64', ['void']]], 'VerifierContext' : [ 0x48, ['pointer64', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEAP_WORK_QUEUE' : [ 0x88, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x10, ['unsigned long long']], 'ItemCount' : [ 0x18, ['long']], 'Dpc' : [ 0x20, ['_KDPC']], 'WorkItem' : [ 0x60, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x80, ['pointer64', ['void']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x100, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 
'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'EmulateActiveBoth' : [ 0x65, ['unsigned char']], 'ActiveCount' : [ 0x66, ['unsigned short']], 'InternalState' : [ 0x68, ['long']], 'Mode' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x74, ['unsigned long']], 'DispatchCount' : [ 0x78, ['unsigned long']], 'PassiveEvent' : [ 0x80, ['pointer64', ['_KEVENT']]], 'TrapFrame' : [ 0x88, ['pointer64', ['_KTRAP_FRAME']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], 'DisconnectData' : [ 0xa0, ['pointer64', ['void']]], 'ServiceThread' : [ 0xa8, ['pointer64', ['_KTHREAD']]], 'IsrDpcStats' : [ 0xb0, ['_ISRDPCSTATS']], 'ConnectionData' : [ 0xf0, ['pointer64', ['_INTERRUPT_CONNECTION_DATA']]], 'Padding' : [ 0xf8, ['array', 8, ['unsigned char']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 
0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_HIVE_LIST_ENTRY' : [ 0x88, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' 
: [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '__unnamed_1ea0' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : 
[ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1ea0']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 
0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_EX_WORK_QUEUE' : [ 0x2d0, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'Node' : [ 0x2b0, ['pointer64', ['_ENODE']]], 'WorkItemsProcessed' : [ 0x2b8, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x2bc, ['unsigned long']], 'ThreadCount' : [ 0x2c0, ['long']], 'MinThreads' : [ 0x2c4, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='long')]], 'TryFailed' : [ 0x2c4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'MaxThreads' : [ 0x2c8, ['long']], 'QueueIndex' : [ 0x2cc, ['Enumeration', dict(target = 'long', choices = {0: 'ExPoolUntrusted', 1: 'ExPoolTrusted', 8: 
'ExPoolMax'})]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x86, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, 
['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 
'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_IO_WORKITEM' : [ 0x50, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'Type' : [ 0x38, ['unsigned long']], 'ActivityId' : [ 0x3c, ['_GUID']], } ], '_MMWSLE_HASH' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long long']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x8, { 'PushImm' : [ 0x0, ['unsigned char']], 'Vector' : [ 0x1, ['unsigned char']], 'PushRbp' : [ 0x2, ['unsigned char']], 'JmpOp' : [ 0x3, ['unsigned char']], 'JmpOffset' : [ 0x4, ['long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x88, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x40, ['_KDPC']], 'WorkOrder' : [ 0x80, ['pointer64', ['_POP_FX_WORK_ORDER']]], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' 
: [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_SESSION_LOWBOX_MAP' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'LowboxMap' : [ 0x18, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 
0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0xa8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'RefCount' : [ 0x40, ['unsigned long']], 'Lock' : [ 0x44, ['unsigned long']], 'Cancel' : [ 0x48, ['unsigned char']], 'Parent' : [ 0x50, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'Data' : [ 0x58, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PROC_IDLE_POLICY' : [ 0x5, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_PS_WAKE_INFORMATION' : [ 0x38, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 5, ['unsigned long 
long']]], 'NoWakeCounter' : [ 0x30, ['unsigned long long']], } ], '_RH_OP_CONTEXT' : [ 0x48, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x10, ['pointer64', ['_IRP']]], 'OplockRequestFileObject' : [ 0x18, ['pointer64', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x28, ['pointer64', ['_ETHREAD']]], 'Flags' : [ 0x30, ['unsigned long']], 'AtomicLinks' : [ 0x38, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_RTL_BITMAP_EX' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_XSTATE_CONFIGURATION' : [ 0x218, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', 
dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0x10, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x10, ['unsigned long']], 'NextHash' : [ 0x18, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x20, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x28, ['unsigned long']], 'KcbPushlock' : [ 0x30, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x38, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x38, ['long']], 'SlotHint' : [ 0x40, ['unsigned long']], 'ParentKcb' : [ 0x48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x50, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x60, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x70, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x70, ['unsigned long']], 'SubKeyCount' : [ 0x70, ['unsigned long']], 'KeyBodyListHead' : [ 0x78, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x78, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x88, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa8, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xb0, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xb2, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xb4, ['unsigned long']], 'KcbUserFlags' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb8, ['BitField', dict(start_bit 
= 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb8, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], } ], '_KLOCK_ENTRY' : [ 0x60, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ThreadUnsafe' : [ 0x18, ['pointer64', ['void']]], 'HeadNodeByte' : [ 0x18, ['unsigned char']], 'Reserved1' : [ 0x19, ['array', 6, ['unsigned char']]], 'AcquiredByte' : [ 0x1f, ['unsigned char']], 'LockState' : [ 0x20, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x20, ['pointer64', ['void']]], 'WaitingAndBusyByte' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x21, ['array', 6, ['unsigned char']]], 'InTreeByte' : [ 0x27, ['unsigned char']], 'SessionState' : [ 0x28, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], 'SessionPad' : [ 0x2c, ['unsigned long']], 'OwnerTree' : [ 0x30, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x40, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x30, ['unsigned char']], 'EntryLock' : [ 0x50, ['unsigned long long']], 'AllBoosts' : [ 0x58, ['unsigned short']], 'IoBoost' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'CpuBoostsBitmap' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x5a, ['unsigned short']], 'IoPriorityBit' : [ 0x5c, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'AbSpare' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'SparePad' : [ 0x5d, ['array', 3, ['unsigned char']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InStore' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 25, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1f44' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x100, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_1f44']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['_MODWRITER_FLAGS']], 'StoreWriteRefCount' : [ 0x2c, ['unsigned long']], 'StoreWriteCompletionApc' : [ 0x30, ['_KAPC']], 'ByteCount' : [ 0x88, ['unsigned long']], 'PagingFile' : [ 0x90, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0xa0, 
['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0xa8, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0xb0, ['_LARGE_INTEGER']], 'IssueTime' : [ 0xb8, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0xc0, ['pointer64', ['_MDL']]], 'Mdl' : [ 0xc8, ['_MDL']], 'Page' : [ 0xf8, ['array', 1, ['unsigned long long']]], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_TOKEN_PRIVILEGES' : [ 0x10, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Privileges' : [ 0x4, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 
0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x50, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'ContextSwitches' : [ 0x18, ['unsigned long long']], 'ReadOperationCount' : [ 0x20, ['long long']], 
'WriteOperationCount' : [ 0x28, ['long long']], 'OtherOperationCount' : [ 0x30, ['long long']], 'ReadTransferCount' : [ 0x38, ['long long']], 'WriteTransferCount' : [ 0x40, ['long long']], 'OtherTransferCount' : [ 0x48, ['long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Spare' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 
'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_CMHIVE' : [ 0x1360, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x5a8, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5d8, ['_LIST_ENTRY']], 'HiveList' : [ 0x5e8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x5f8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x608, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x610, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x620, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x628, ['unsigned long']], 'DeletedKcbTable' : [ 0x630, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0x638, ['unsigned long']], 'Identity' : [ 0x63c, ['unsigned long']], 'HiveLock' : [ 0x640, ['pointer64', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x648, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x650, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x658, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0x668, ['unsigned long']], 'FlushLogEntry' : [ 0x670, ['pointer64', ['unsigned char']]], 'FlushLogEntrySize' : [ 0x678, ['unsigned long']], 'FlushHiveTruncated' : [ 0x67c, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0x680, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0x688, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0x698, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0x6a0, ['pointer64', 
['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0x6a8, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0x6b0, ['pointer64', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0x6b8, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0x6c0, ['unsigned long']], 'LastShrinkHiveSize' : [ 0x6c4, ['unsigned long']], 'ActualFileSize' : [ 0x6c8, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0x6d0, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0x6e0, ['_UNICODE_STRING']], 'FileUserName' : [ 0x6f0, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x700, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x710, ['unsigned long']], 'SecurityCacheSize' : [ 0x714, ['unsigned long']], 'SecurityHitHint' : [ 0x718, ['long']], 'SecurityCache' : [ 0x720, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x728, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xb28, ['unsigned long']], 'UnloadEventArray' : [ 0xb30, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xb38, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xb40, ['unsigned char']], 'UnloadWorkItem' : [ 0xb48, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0xb50, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xb78, ['unsigned char']], 'GrowOffset' : [ 0xb7c, ['unsigned long']], 'KcbConvertListHead' : [ 0xb80, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xb90, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xba0, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0xba8, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0x10b0, ['unsigned long']], 'TrustClassEntry' : [ 0x10b8, ['_LIST_ENTRY']], 'DirtyTime' : [ 0x10c8, ['unsigned long long']], 'UnreconciledTime' : [ 0x10d0, ['unsigned long long']], 'CmRm' : [ 0x10d8, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x10e0, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x10e4, ['long']], 'CreatorOwner' : [ 0x10e8, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0x10f0, ['pointer64', ['_KTHREAD']]], 'LastWriteTime' : [ 0x10f8, ['_LARGE_INTEGER']], 'FlushQueue' : [ 
0x1100, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0x1118, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0x1130, ['unsigned long']], 'FlushActive' : [ 0x1130, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0x1130, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0x1130, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0x1130, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0x1134, ['unsigned long']], 'ReferenceCount' : [ 0x1138, ['long']], 'UnloadHistoryIndex' : [ 0x113c, ['long']], 'UnloadHistory' : [ 0x1140, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0x1340, ['unsigned long']], 'UnaccessedStart' : [ 0x1344, ['unsigned long']], 'UnaccessedEnd' : [ 0x1348, ['unsigned long']], 'LoadedKeyCount' : [ 0x134c, ['unsigned long']], 'HandleClosePending' : [ 0x1350, ['unsigned long']], 'HandleClosePendingEvent' : [ 0x1358, ['_EX_PUSH_LOCK']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x38, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long long']], 'DirtyPageThresholdTop' : [ 0x8, ['unsigned long long']], 'DirtyPageThresholdBottom' : [ 0x10, ['unsigned long long']], 'DirtyPageTarget' : [ 0x18, ['unsigned long']], 'AggregateAvailablePages' : [ 0x20, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x28, ['unsigned long long']], 'AvailableHistory' : [ 0x30, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 
'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ForceCredits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 
'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], 
'_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x3f8, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 
'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x28, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x8, ['_RTL_BITMAP']], 'HashTable' : [ 0x18, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x20, ['unsigned char']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_TEB64' : [ 0x1820, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long 
long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'Padding1' : [ 0x2ec, ['array', 4, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 
'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' 
: [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, 
native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xa0, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x90, ['unsigned long']], 'PreviousActivityCounter' : [ 0x94, ['unsigned long']], 'WorkerTrimRequests' : [ 0x98, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE' : [ 0x1810, { 'CurrentSize' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'Epoch' : [ 0x8, ['unsigned long']], 'Overflow' : [ 0xc, ['unsigned char']], 
'TableEntry' : [ 0x10, ['array', 256, ['_INVERTED_FUNCTION_TABLE_ENTRY']]], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0x18, { 'ActiveThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'WaitList' : [ 0x8, ['pointer64', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x10, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_UMS_CONTROL_BLOCK' : [ 0x90, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsWaitEvent' : [ 0x30, ['_KEVENT']], 'StagingArea' : [ 0x48, ['pointer64', ['void']]], 'UmsPrimaryDeliveredContext' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsFlags' : [ 0x50, ['unsigned long']], 'TebSelector' : [ 0x88, ['unsigned short']], } ], '_OWNER_ENTRY' : [ 0x10, { 
'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_ETIMER' : [ 0x138, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x40, ['unsigned long long']], 'TimerApc' : [ 0x48, ['_KAPC']], 'TimerDpc' : [ 0xa0, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'Period' : [ 0xf0, ['unsigned long']], 'TimerFlags' : [ 0xf4, ['unsigned char']], 'ApcAssociated' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0xf5, ['unsigned char']], 'Spare2' : [ 0xf6, ['unsigned short']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x110, ['pointer64', ['void']]], 'VirtualizedTimerLinks' : [ 0x118, ['_LIST_ENTRY']], 'DueTime' : [ 0x128, ['unsigned long long']], 'CoalescingWindow' : [ 0x130, ['unsigned long']], } ], '_PROC_PERF_SNAP' : [ 0x40, { 'Time' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'Active' : [ 0x10, ['unsigned long long']], 'LastActive' : [ 0x18, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 
0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x90, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'Count' : [ 0x28, ['unsigned long long']], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'StackTrace' : [ 0x40, ['array', 8, ['pointer64', ['void']]]], 'Who' : [ 0x80, ['unsigned long']], 'Process' : [ 0x88, ['pointer64', ['_EPROCESS']]], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_EXHANDLE' : [ 0x8, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x508, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_ARBITER_INSTANCE' : [ 0x150, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' 
: [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned 
long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '__unnamed_2059' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_205b' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_2059']], } ], '__unnamed_205d' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_205b']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_205d']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_HMAP_TABLE' : [ 0x3000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'HandleCount' : [ 0x28, ['unsigned long']], 'Handles' : [ 0x30, ['pointer64', ['pointer64', ['void']]]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x58, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'PlatformCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'LimitReasons' : [ 0x18, ['unsigned long']], 'PlatformCapStartTime' : [ 0x20, ['unsigned long long']], 'TargetPercent' : [ 0x28, ['unsigned long']], 'DesiredPercent' : [ 0x2c, ['unsigned long']], 'SelectedPercent' : [ 0x30, ['unsigned long']], 'SelectedFrequency' : [ 0x34, ['unsigned long']], 'PreviousFrequency' : [ 0x38, ['unsigned long']], 'PreviousPercent' : [ 0x3c, ['unsigned long']], 
'LatestFrequencyPercent' : [ 0x40, ['unsigned long']], 'SelectedState' : [ 0x48, ['unsigned long long']], 'Force' : [ 0x50, ['unsigned char']], } ], '__unnamed_2072' : [ 0x20, { 'CallerCompletion' : [ 0x0, ['pointer64', ['void']]], 'CallerContext' : [ 0x8, ['pointer64', ['void']]], 'CallerDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0x18, ['unsigned char']], } ], '__unnamed_2075' : [ 0x10, { 'NotifyDevice' : [ 0x0, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x8, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0xf8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x30, ['unsigned long long']], 'WatchdogTimer' : [ 0x38, ['_KTIMER']], 'WatchdogDpc' : [ 0x78, ['_KDPC']], 'MinorFunction' : [ 0xb8, ['unsigned char']], 'PowerStateType' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0xc0, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0xc4, ['unsigned char']], 'FxDevice' : [ 0xc8, ['pointer64', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0xd0, ['unsigned char']], 'NotifyPEP' : [ 0xd1, ['unsigned char']], 'Device' : [ 0xd8, ['__unnamed_2072']], 'System' : [ 0xd8, ['__unnamed_2075']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_MI_USER_VA_INFO' : [ 0x128, { 'NumberOfCommittedPageTables' : [ 0x0, ['unsigned long']], 'PhysicalMappingCount' : [ 0x4, ['unsigned long']], 'VadBitMapHint' : [ 0x8, ['unsigned long']], 'LastAllocationSizeHint' : [ 0xc, ['unsigned long']], 'LastAllocationSize' : [ 0x10, ['unsigned long']], 'LowestBottomUpVadBit' : [ 0x14, ['unsigned long']], 'VadBitMapSize' : [ 0x18, ['unsigned long']], 'VadBitMapCommitment' : [ 0x1c, ['unsigned long']], 'MaximumLastVadBit' : [ 0x20, ['unsigned long']], 'VadsBeingDeleted' : [ 0x24, ['long']], 'LastVadDeletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'VadBitBuffer' : [ 0x30, ['pointer64', ['unsigned long']]], 'LowestBottomUpAllocationAddress' : [ 0x38, ['pointer64', ['void']]], 'HighestTopDownAllocationAddress' : [ 0x40, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x48, ['pointer64', ['void']]], 'NumaAware' : [ 0x50, ['unsigned char']], 'PrivateFixupVadCount' : [ 0x58, ['unsigned long long']], 'CfgBitMap' : [ 0x60, ['array', 3, ['_MI_CFG_BITMAP_INFO']]], 'CommittedPageTableBufferForTopLevel' : [ 0xc0, ['array', 8, ['unsigned long']]], 'CommittedPageTableBitmaps' : [ 0xe0, ['array', 3, ['_RTL_BITMAP']]], 'PageTableBitmapPages' : [ 0x110, ['array', 3, ['unsigned long']]], 
'FreeUmsTebHint' : [ 0x120, ['pointer64', ['void']]], } ], '_PROC_FEEDBACK' : [ 0x70, { 'Lock' : [ 0x0, ['unsigned long long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer64', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x28, ['unsigned long long']], 'UnscaledTime' : [ 0x30, ['unsigned long long']], 'UnaccountedTime' : [ 0x38, ['long long']], 'ScaledTime' : [ 0x40, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x50, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x58, ['unsigned long long']], 'UserTimeLast' : [ 0x60, ['unsigned long']], 'KernelTimeLast' : [ 0x64, ['unsigned long']], 'KernelTimesIndex' : [ 0x68, ['unsigned char']], } ], '__unnamed_208a' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_208e' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_2090' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_2092' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_2094' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_2096' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 
'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_2098' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_209a' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_209c' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_209e' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_20a0' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_20a2' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_208a']], 'Memory' : [ 0x0, ['__unnamed_208a']], 'Interrupt' : [ 0x0, ['__unnamed_208e']], 'Dma' : [ 0x0, ['__unnamed_2090']], 'DmaV3' : [ 0x0, ['__unnamed_2092']], 'Generic' : [ 0x0, ['__unnamed_208a']], 'DevicePrivate' : [ 0x0, ['__unnamed_2094']], 'BusNumber' : [ 0x0, ['__unnamed_2096']], 'ConfigData' : [ 0x0, ['__unnamed_2098']], 'Memory40' : [ 0x0, ['__unnamed_209a']], 'Memory48' : [ 0x0, ['__unnamed_209c']], 'Memory64' : [ 0x0, ['__unnamed_209e']], 'Connection' : [ 0x0, ['__unnamed_20a0']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_20a2']], } ], 
'_POP_THERMAL_ZONE' : [ 0x1f0, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], 'State' : [ 0x40, ['unsigned char']], 'Flags' : [ 0x41, ['unsigned char']], 'Removing' : [ 0x42, ['unsigned char']], 'Mode' : [ 0x43, ['unsigned char']], 'PendingMode' : [ 0x44, ['unsigned char']], 'ActivePoint' : [ 0x45, ['unsigned char']], 'PendingActivePoint' : [ 0x46, ['unsigned char']], 'Critical' : [ 0x47, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x48, ['long']], 'Throttle' : [ 0x4c, ['long']], 'PendingThrottle' : [ 0x50, ['long']], 'ThrottleReasons' : [ 0x54, ['unsigned long']], 'LastTime' : [ 0x58, ['unsigned long long']], 'SampleRate' : [ 0x60, ['unsigned long']], 'LastTemp' : [ 0x64, ['unsigned long']], 'PassiveTimer' : [ 0x68, ['_KTIMER']], 'PassiveDpc' : [ 0xa8, ['_KDPC']], 'Info' : [ 0xe8, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0x138, ['_LARGE_INTEGER']], 'Policy' : [ 0x140, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0x154, ['unsigned char']], 'Metrics' : [ 0x158, ['_POP_THERMAL_ZONE_METRICS']], 'WorkItem' : [ 0x188, ['_WORK_QUEUE_ITEM']], 'Lock' : [ 0x1a8, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x1b8, ['_KEVENT']], 'TemperatureUpdated' : [ 0x1d0, ['_KEVENT']], 'InstanceId' : [ 0x1e8, ['unsigned long']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 
'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 28, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x5a8, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'Allocate' : [ 0x10, ['pointer64', ['void']]], 'Free' : [ 0x18, ['pointer64', ['void']]], 'FileWrite' : [ 0x20, ['pointer64', ['void']]], 'FileRead' : [ 0x28, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x30, ['pointer64', ['void']]], 'BaseBlock' : [ 0x38, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x40, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x50, ['unsigned long']], 'DirtyAlloc' : [ 0x54, ['unsigned long']], 'UnreconciledVector' : [ 0x58, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x68, ['unsigned long']], 'BaseBlockAlloc' : [ 0x6c, ['unsigned long']], 'Cluster' : [ 0x70, ['unsigned long']], 'Flat' : [ 0x74, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x74, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x74, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x75, ['unsigned char']], 'HvBinHeadersUse' : [ 0x78, ['unsigned long']], 'HvFreeCellsUse' : [ 0x7c, ['unsigned long']], 'HvUsedCellsUse' : [ 0x80, ['unsigned long']], 'CmUsedCellsUse' : [ 0x84, ['unsigned long']], 'HiveFlags' : [ 0x88, ['unsigned long']], 'CurrentLog' : [ 0x8c, ['unsigned long']], 'CurrentLogSequence' : [ 0x90, ['unsigned long']], 'CurrentLogMinimumSequence' : [ 0x94, ['unsigned long']], 'CurrentLogOffset' : [ 0x98, ['unsigned long']], 'MinimumLogSequence' : [ 0x9c, ['unsigned long']], 'LogFileSizeCap' : [ 0xa0, ['unsigned long']], 'LogDataPresent' : [ 0xa4, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0xa6, ['unsigned char']], 'BaseBlockDirty' : [ 0xa7, ['unsigned char']], 'FirstLogFile' : [ 0xa8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'SecondLogFile' : [ 0xa8, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 'HeaderRecovered' : [ 0xa8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0xa8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0xa8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0xa8, ['unsigned short']], 'LogEntriesRecovered' : [ 0xaa, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0xac, ['unsigned long']], 'StorageTypeCount' : [ 0xb0, ['unsigned long']], 'Version' : [ 0xb4, ['unsigned long']], 'Storage' : [ 0xb8, ['array', 2, ['_DUAL']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_CM_WORKITEM' : [ 
0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x30, { 'ActiveCount' : [ 0x0, ['unsigned long']], 'PassiveCount' : [ 0x4, ['unsigned long']], 'LastActiveStartTime' : [ 0x8, ['unsigned long long']], 'AverageActiveTime' : [ 0x10, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x18, ['unsigned long long']], 'AveragePassiveTime' : [ 0x20, ['unsigned long long']], 'StartTickSinceLastReset' : [ 0x28, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0xa8, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 
'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_DISALLOWED_GUIDS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Guids' : [ 0x8, ['pointer64', ['_GUID']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1e, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1d, ['unsigned char']], } ], '__unnamed_20f7' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 
} ], '__unnamed_20f9' : [ 0x20, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_20f7']], } ], '_VF_TARGET_DRIVER' : [ 0x38, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x10, ['__unnamed_20f9']], 'VerifiedData' : [ 0x30, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_2102' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_2104' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2106' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceId' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_2108' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_210a' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_210c' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_210e' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_2110' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2112' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_2114' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_2102']], 'TargetDevice' : [ 0x0, ['__unnamed_2104']], 'InstallDevice' : [ 0x0, ['__unnamed_2104']], 
'CustomNotification' : [ 0x0, ['__unnamed_2106']], 'ProfileNotification' : [ 0x0, ['__unnamed_2108']], 'PowerNotification' : [ 0x0, ['__unnamed_210a']], 'VetoNotification' : [ 0x0, ['__unnamed_210c']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_210e']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_2110']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_2112']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_2104']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_2104']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_2114']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 
0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x68, { 'Context' : [ 0x0, ['pointer64', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x48, ['unsigned long']], 'DependencyUsed' : [ 0x4c, ['unsigned long']], 'DependencyArray' : [ 0x50, ['pointer64', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x58, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x5c, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x60, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '__unnamed_2130' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_2130']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 
'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x78, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, 
end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], 'WaitObjectFlagMask' : [ 0x70, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x74, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x76, ['unsigned short']], } ], '__unnamed_2169' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : 
[ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['_RTL_AVL_TREE']], 'u' : [ 0x28, ['__unnamed_2169']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_DIRTY_PAGE_STATISTICS' : [ 0x18, { 'DirtyPages' : [ 0x0, ['unsigned long long']], 'DirtyPagesLastScan' : [ 0x8, ['unsigned long long']], 'DirtyPagesScheduledLastScan' : [ 0x10, ['unsigned long']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, 
['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'HighActiveFlink' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'HighActiveBlink' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 56, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x30, ['pointer64', ['long']]], 'NodeTargetCount' : [ 0x38, ['long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 
'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x250, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 
'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['unsigned long']], 
'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'SparePvoid0' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 
0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], 'pUnused' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, ['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 
'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_IOP_IRP_STACK_PROFILER' : [ 0x54, { 'Profile' : [ 0x0, ['array', 20, ['unsigned long']]], 'TotalIrps' : [ 0x50, ['unsigned long']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' 
: [ 0x58, ['long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_KPRIQUEUE' : [ 0x2b0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x218, ['array', 32, ['long']]], 'MaximumCount' : [ 0x298, ['unsigned long']], 'ThreadListHead' : [ 0x2a0, ['_LIST_ENTRY']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_WAITING_IRP' : [ 0x38, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'CompletionRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'Information' : [ 0x30, ['unsigned long']], 'BreakAllRH' : [ 0x34, ['unsigned char']], } ], '_POP_SYSTEM_IDLE' : [ 0x40, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned long']], 'IdleWorker' : [ 0x28, ['unsigned char']], 'Sampling' : [ 0x29, ['unsigned char']], 'LastTick' : [ 0x30, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x38, ['unsigned 
long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x20, { 'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0x18, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_KSCHEDULING_GROUP' : [ 0x1c0, { 'Value' : [ 0x0, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'HardCap' : [ 0x3, ['unsigned char']], 'RelativeWeight' : [ 0x4, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x8, ['unsigned long long']], 'NotificationCycles' : [ 0x10, ['long long']], 'SchedulingGroupList' : [ 0x18, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x28, ['pointer64', ['_KDPC']]], 'PerProcessor' : [ 0x40, ['array', 1, ['_KSCB']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x20, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } 
], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x30, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'Irp' : [ 0x18, ['pointer64', ['_IRP']]], 'Device' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'Static' : [ 0x28, ['unsigned char']], } ], '_POP_POLICY_DEVICE' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], } ], '__unnamed_21f1' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_21f3' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_21f5' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_21f7' : [ 0x10, { 'Raw' : [ 
0x0, ['__unnamed_21f5']], 'Translated' : [ 0x0, ['__unnamed_21f3']], } ], '__unnamed_21f9' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_21fb' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_21fd' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_21ff' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_2201' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_2203' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_2205' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_2207' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_21f1']], 'Port' : [ 0x0, ['__unnamed_21f1']], 'Interrupt' : [ 0x0, ['__unnamed_21f3']], 'MessageInterrupt' : [ 0x0, ['__unnamed_21f7']], 'Memory' : [ 0x0, ['__unnamed_21f1']], 'Dma' : [ 0x0, ['__unnamed_21f9']], 'DmaV3' : [ 0x0, ['__unnamed_21fb']], 'DevicePrivate' : [ 0x0, ['__unnamed_2094']], 'BusNumber' : [ 0x0, ['__unnamed_21fd']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_21ff']], 'Memory40' : [ 0x0, ['__unnamed_2201']], 'Memory48' : [ 0x0, ['__unnamed_2203']], 'Memory64' : [ 0x0, ['__unnamed_2205']], 'Connection' : [ 0x0, ['__unnamed_20a0']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_2207']], } ], '_OBJECT_HEADER_PADDING_INFO' 
: [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_220f' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_220f']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE_ENTRY' : [ 0x18, { 'FunctionTable' : [ 0x0, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'DynamicTable' : [ 0x0, ['pointer64', ['_DYNAMIC_FUNCTION_TABLE']]], 'ImageBase' : [ 0x8, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'SizeOfTable' : [ 0x14, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_221f' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_221f']], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_DEVICE' : [ 0x218, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x18, ['pointer64', ['_POP_IRP_DATA']]], 'Status' : [ 0x20, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x24, ['long']], 'PowerNotReqCall' : [ 0x28, ['long']], 'Plugin' : [ 0x30, ['pointer64', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x38, ['pointer64', 
['PEPHANDLE__']]], 'MiniPlugin' : [ 0x40, ['pointer64', ['_POP_FX_PLUGIN']]], 'MiniPluginHandle' : [ 0x48, ['pointer64', ['PEPHANDLE__']]], 'DevNode' : [ 0x50, ['pointer64', ['_DEVICE_NODE']]], 'DeviceObject' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x60, ['pointer64', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x68, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0xa0, ['pointer64', ['void']]], 'RemoveLock' : [ 0xa8, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0xc8, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0x100, ['unsigned long long']], 'IdleTimer' : [ 0x108, ['_KTIMER']], 'IdleDpc' : [ 0x148, ['_KDPC']], 'IdleTimeout' : [ 0x188, ['unsigned long long']], 'IdleStamp' : [ 0x190, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0x198, ['pointer64', ['_DEVICE_OBJECT']]], 'NextIrpPowerState' : [ 0x1a0, ['_POWER_STATE']], 'NextIrpCallerCompletion' : [ 0x1a8, ['pointer64', ['void']]], 'NextIrpCallerContext' : [ 0x1b0, ['pointer64', ['void']]], 'IrpCompleteEvent' : [ 0x1b8, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x1d0, ['pointer64', ['void']]], 'Accounting' : [ 0x1d8, ['_POP_FX_ACCOUNTING']], 'ComponentCount' : [ 0x208, ['unsigned long']], 'Components' : [ 0x210, ['array', 1, ['pointer64', ['_POP_FX_COMPONENT']]]], } ], '__unnamed_2238' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_223a' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_2238']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x58, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : 
[ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x40, ['_LIST_ENTRY']], 'Specific' : [ 0x50, ['__unnamed_223a']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x28, { 'BadPageCount' : [ 0x0, ['unsigned long long']], 'BadPagesDetected' : [ 0x8, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0xc, ['long']], 'ScrubPasses' : [ 0x10, ['long']], 'ScrubBadPagesFound' : [ 0x14, ['long']], 'FeatureBits' : [ 0x18, ['unsigned long long']], 'TimeZoneId' : [ 0x20, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 
'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : 
[ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'InProgressFlags' : [ 0x28, ['unsigned char']], 'KernelApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_DELAY_ACK_FO' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned 
short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 
'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, 
['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned 
long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x38, ['long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '__unnamed_229f' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_22a1' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_22a3' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_22a5' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_229f']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_22a1']], 'Raw' : [ 0x0, ['__unnamed_22a3']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x50, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'Operation' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0xc, ['__unnamed_22a5']], 'Stack' : [ 0x18, ['array', 7, ['pointer64', ['void']]]], } ], '__unnamed_22ac' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_22af' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x40, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer64', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0x18, ['unsigned long']], 'EndingVpn' : [ 0x1c, ['unsigned long']], 'StartingVpnHigh' : [ 0x20, ['unsigned char']], 'EndingVpnHigh' : [ 0x21, ['unsigned char']], 'CommitChargeHigh' : [ 0x22, ['unsigned char']], 'LargeImageBias' : [ 0x23, ['unsigned 
char']], 'ReferenceCount' : [ 0x24, ['long']], 'PushLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u' : [ 0x30, ['__unnamed_22ac']], 'u1' : [ 0x34, ['__unnamed_22af']], 'EventList' : [ 0x38, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x10, { 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 63, native_type='unsigned long long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'LockState' : [ 0x0, ['pointer64', ['void']]], 'SessionState' : [ 0x8, ['pointer64', ['void']]], 'SessionId' : [ 0x8, ['unsigned long']], 'SessionPad' : [ 0xc, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x10, ['unsigned long']], 'SyncCallback' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x14, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], 
'_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, 
['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, 
['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0x10, ['pointer64', ['_HANDLE_TABLE']]], 'Flags' : [ 0x18, ['unsigned long']], 'NumberOfBuckets' : [ 0x1c, ['unsigned long']], 'Buckets' : [ 0x20, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '__unnamed_22f4' : [ 0x10, { 'ProgrammedTime' : [ 0x0, ['unsigned long long']], 'TimerInfo' : [ 0x8, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0xe0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 
'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' 
: [ 0x60, ['array', 3, ['__unnamed_22f4']]], 'FilteredCapabilities' : [ 0x90, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x50, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned 
long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3d0, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0x90, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, 
native_type='unsigned long long')]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 
0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, 
['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'ModifiedStoreWrite' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x410, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 
'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], 'PackageDependencyData' : [ 0x400, ['pointer64', ['void']]], 'ProcessGroupId' : [ 0x408, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 
0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_LOCK_HEADER' : [ 0x20, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x8, ['unsigned long long']], 'Lock' : [ 0x10, ['unsigned long long']], 'Valid' : [ 0x18, ['unsigned long']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xe0, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], 'Xcr0' : [ 0xd8, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 
0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 
0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_PEB64' : [ 0x388, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit 
= 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'SparePvoid0' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 
'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned 
long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pUnused' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', 
['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_23ac' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x2000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_23ac']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long long']], 'NonPagablePages' : [ 0x28, ['unsigned long long']], 'CommittedPages' : [ 0x30, ['unsigned long long']], 'PagedPoolStart' : [ 0x38, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x40, ['pointer64', ['void']]], 'SessionObject' : [ 0x48, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x50, ['pointer64', ['void']]], 'SessionPoolAllocationFailures' : [ 0x58, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x68, ['_LIST_ENTRY']], 'LocaleId' : [ 0x78, ['unsigned long']], 'AttachCount' : [ 0x7c, ['unsigned long']], 'AttachGate' : [ 0x80, ['_KGATE']], 'WsListEntry' : [ 0x98, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xce8, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xcf0, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xd00, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e40, ['_MMPTE']], 'SessionVaLock' : [ 0x1e48, ['_FAST_MUTEX']], 'DynamicVaBitMap' : [ 0x1e80, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1e90, ['unsigned long']], 'SpecialPool' : [ 0x1e98, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1ee8, ['_FAST_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1f20, ['long']], 'PagedPoolPdeCount' : [ 0x1f24, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f28, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f2c, ['unsigned long']], 'SystemPteInfo' : [ 0x1f30, ['_MI_SYSTEM_PTE_TYPE']], 
'PoolTrackTableExpansion' : [ 0x1f98, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1fa0, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1fa8, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fb0, ['unsigned long long']], 'IoState' : [ 0x1fb8, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1fbc, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fc0, ['_KEVENT']], 'CreateTime' : [ 0x1fd8, ['unsigned long long']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '__unnamed_23bc' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_23bf' : [ 0x8, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x80, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x40, ['__unnamed_23bc']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u4' : [ 0x78, ['__unnamed_23bf']], } ], '_SEP_SID_VALUES_BLOCK' : [ 0x20, { 'BlockLength' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x8, ['long long']], 'SidCount' : 
[ 0x10, ['unsigned long']], 'SidValuesStart' : [ 0x18, ['unsigned long long']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_NONOPAQUE_OPLOCK' : [ 0xa0, { 'IrpExclusiveOplock' : [ 0x0, ['pointer64', ['_IRP']]], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'WaiterPriority' : [ 0x20, ['unsigned char']], 'IrpOplocksR' : [ 0x28, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x38, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x48, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x58, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x68, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x78, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x88, ['pointer64', ['_GUID']]], 'OplockState' : [ 0x90, ['unsigned long']], 'FastMutex' : [ 0x98, ['pointer64', ['_FAST_MUTEX']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, 
['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 
'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', 
dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_FAST_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP_EX']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'MaximumSize' : [ 0x50, ['unsigned long long']], 'PagedPoolHint' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, 
['unsigned long long']], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x28, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x10, ['pointer64', ['void']]], 'SessionViewVa' : [ 0x10, ['pointer64', ['void']]], 'VadsProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Type' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SubsectionType' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SectionOffset' : [ 0x20, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0x158, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0xc0, ['unsigned long']], 'Processors' : [ 0xc8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0xd0, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0xd8, ['pointer64', ['void']]], 'BoostModeHandler' : [ 0xe0, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0xe8, ['pointer64', ['void']]], 'PerfControlHandler' : [ 0xf0, ['pointer64', ['void']]], 'MaxFrequency' : [ 0xf8, ['unsigned long']], 'NominalFrequency' : [ 0xfc, ['unsigned long']], 'MaxPercent' : [ 0x100, ['unsigned long']], 'MinPerfPercent' : [ 0x104, ['unsigned 
long']], 'MinThrottlePercent' : [ 0x108, ['unsigned long']], 'Coordination' : [ 0x10c, ['unsigned char']], 'HardPlatformCap' : [ 0x10d, ['unsigned char']], 'AffinitizeControl' : [ 0x10e, ['unsigned char']], 'SelectedPercent' : [ 0x110, ['unsigned long']], 'SelectedFrequency' : [ 0x114, ['unsigned long']], 'DesiredPercent' : [ 0x118, ['unsigned long']], 'MaxPolicyPercent' : [ 0x11c, ['unsigned long']], 'MinPolicyPercent' : [ 0x120, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x124, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x128, ['unsigned long']], 'GuaranteedPercent' : [ 0x12c, ['unsigned long']], 'TolerancePercent' : [ 0x130, ['unsigned long']], 'SelectedState' : [ 0x138, ['unsigned long long']], 'Force' : [ 0x140, ['unsigned char']], 'PerfChangeTime' : [ 0x148, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0x150, ['unsigned long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_RELATION_LIST' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer64', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, 
['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ETW_BUFFER_QUEUE' : [ 0x18, { 'QueueHead' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueTail' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x10, ['_SINGLE_LIST_ENTRY']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long long']], 'SpecialPoolPdes' : [ 0x40, ['_RTL_BITMAP']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x8, { 'LogHandleContext' : [ 0x0, ['pointer64', ['_LOG_HANDLE_CONTEXT']]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_CURRENT_BROADCAST' : [ 0x18, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'DeviceState' : [ 0x10, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, 
['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '__unnamed_242f' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_2433' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_242f']], 'Bits' : [ 0x4, ['__unnamed_2433']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'DataLow' : [ 0x0, ['long long']], 'DataHigh' : [ 0x8, ['long long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_FAST_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_IOV_IRP_TRACE' : [ 0x80, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x10, 
['short']], 'SpecialApcDisable' : [ 0x12, ['short']], 'CombinedApcDisable' : [ 0x10, ['unsigned long']], 'Irql' : [ 0x14, ['unsigned char']], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_DYNAMIC_FUNCTION_TABLE' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FunctionTable' : [ 0x10, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'TimeStamp' : [ 0x18, ['_LARGE_INTEGER']], 'MinimumAddress' : [ 0x20, ['unsigned long long']], 'MaximumAddress' : [ 0x28, ['unsigned long long']], 'BaseAddress' : [ 0x30, ['unsigned long long']], 'Callback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'OutOfProcessCallbackDll' : [ 0x48, ['pointer64', ['unsigned short']]], 'Type' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'RF_SORTED', 1: 'RF_UNSORTED', 2: 'RF_CALLBACK', 3: 'RF_KERNEL_DYNAMIC'})]], 'EntryCount' : [ 0x54, ['unsigned long']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x8, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2450' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_2452' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 
'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_2450']], 'Button' : [ 0x10, ['__unnamed_2452']], } ], '_KDPC_DATA' : [ 0x28, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], 'ActiveDpc' : [ 0x20, ['pointer64', ['_KDPC']]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_KSCB' : [ 0x170, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'UnderQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'RankCycleTarget' : [ 0x10, ['unsigned long long']], 'LongTermCycles' : [ 0x18, ['unsigned long long']], 'LastReportedCycles' : [ 0x20, ['unsigned long long']], 'OverQuotaHistory' : [ 0x28, ['unsigned long long']], 'ReadyTime' : [ 0x30, ['unsigned long long']], 'InsertTime' : [ 0x38, ['unsigned long long']], 'PerProcessorList' : [ 0x40, ['_LIST_ENTRY']], 'QueueNode' : [ 0x50, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OverQuota' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardCap' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x68, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Spare1' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x69, ['unsigned char']], 'ReadySummary' : [ 0x6a, ['unsigned short']], 'Rank' : [ 0x6c, ['unsigned long']], 'ReadyListHead' : [ 0x70, ['array', 16, ['_LIST_ENTRY']]], } ], '__unnamed_2462' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2464' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2462']], 'Merged' : [ 0x10, ['__unnamed_2464']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_PROC_PERF_HISTORY' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'HistoryList' : [ 0x8, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_IMAGE_RUNTIME_FUNCTION_ENTRY' : [ 0xc, { 'BeginAddress' : [ 0x0, ['unsigned long']], 'EndAddress' : [ 0x4, ['unsigned long']], 'UnwindInfoAddress' : [ 0x8, ['unsigned long']], 'UnwindData' : [ 0x8, ['unsigned long']], } ], '__unnamed_2472' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 
'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_2472']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer64', ['_MMPTE']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, 
['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_2486' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_248a' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x48, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 
'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_2486']], 'u2' : [ 0x38, ['__unnamed_248a']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '__unnamed_2493' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2495' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_2493']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x100, { 'SuspectDriverEntry' : [ 0x0, ['pointer64', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_2495']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 
0x78, ['unsigned long long']], 'RaiseIrqls' : [ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PRIVATE_CACHE_MAP' : [ 0x78, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long long']], 'PipelinedReadAheadRequestSize' : [ 0x58, ['unsigned long']], 
'ReadAheadGrowth' : [ 0x5c, ['unsigned long']], 'PrivateLinks' : [ 0x60, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x70, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PTE_TRACKER' : [ 0x80, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x48, ['array', 7, ['pointer64', ['void']]]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 
'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x30, { 'InstantaneousRead' : [ 0x0, ['pointer64', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer64', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'DisableInterrupts' : [ 0x22, ['unsigned char']], 'Context' : [ 0x28, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_HMAP_ENTRY' : [ 0x18, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'MemAlloc' : [ 0x10, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x30, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'Reference' : [ 0x10, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x28, ['unsigned char']], 'Name' : [ 0x2a, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 
'FreeBins' : [ 0x260, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x270, ['unsigned long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x8, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions'})]], 'ReorderingBarrier' : [ 0x1c, ['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long long']], 'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'LowboxNumber' : [ 0x28, ['unsigned long']], 'AtomTable' : [ 0x30, ['pointer64', ['void']]], } ], '_MI_CFG_BITMAP_INFO' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'RegionSize' : [ 0x8, ['unsigned long long']], 'VadBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'BitmapVad' : [ 0x18, ['pointer64', ['_MMVAD']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', 
dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_FAST_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_FAST_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x70, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GroupRegList' : [ 0x10, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x20, ['pointer64', ['_ETW_GUID_ENTRY']]], 'GroupEntry' : [ 0x28, ['pointer64', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x30, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x30, ['array', 4, ['pointer64', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x30, ['pointer64', ['void']]], 'SessionId' : [ 0x38, ['unsigned long']], 'Process' : [ 0x50, ['pointer64', ['_EPROCESS']]], 'CallbackContext' : [ 0x50, ['pointer64', ['void']]], 'Callback' : [ 0x58, ['pointer64', ['void']]], 'Index' : [ 0x60, ['unsigned short']], 'Flags' : [ 0x62, ['unsigned char']], 'DbgKernelRegistration' : [ 0x62, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgUserRegistration' : [ 0x62, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DbgReplyRegistration' : [ 0x62, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'DbgClassicRegistration' : [ 0x62, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'DbgSessionSpaceRegistration' : [ 0x62, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DbgModernRegistration' : [ 0x62, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DbgClosed' : [ 
0x62, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DbgInserted' : [ 0x62, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'EnableMask' : [ 0x63, ['unsigned char']], 'GroupEnableMask' : [ 0x64, ['unsigned char']], 'UseDescriptorType' : [ 0x65, ['unsigned char']], 'Traits' : [ 0x68, ['pointer64', ['_ETW_PROVIDER_TRAITS']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 
'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_ETW_PROVIDER_TRAITS' : [ 0x20, { 'Node' : [ 0x0, ['_RTL_BALANCED_NODE']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Traits' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned long']], 'OriginalAffinity' : [ 0x8, ['_GROUP_AFFINITY']], 'SteeringListEntry' : [ 0x18, ['_LIST_ENTRY']], 'SteeringListRoot' : [ 0x28, ['pointer64', ['void']]], 'IsrTime' : [ 0x30, ['unsigned long long']], 'DpcTime' : [ 0x38, ['unsigned long long']], 'IsrLoad' : [ 0x40, ['unsigned long']], 'DpcLoad' : [ 0x44, ['unsigned long']], 'IsPrimaryInterrupt' : [ 0x48, ['unsigned char']], 'InterruptObjectArray' : [ 0x50, ['pointer64', ['pointer64', ['_KINTERRUPT']]]], 'InterruptObjectCount' : [ 0x58, ['unsigned long']], 'Vectors' : [ 0x60, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x118, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'InProgressLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, 
['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x68, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x68, ['unsigned long']], 'PackagedBinary' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x68, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x68, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReservedFlags2' : [ 0x68, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectDelayLoad' : [ 0x68, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x68, 
['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x68, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x68, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x68, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x68, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x68, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x68, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x68, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x68, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x68, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x68, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Lock' : [ 0x90, ['pointer64', ['void']]], 'DdagNode' : [ 0x98, ['pointer64', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0xa0, ['_LIST_ENTRY']], 'SnapContext' : [ 0xb0, ['pointer64', ['_LDRP_DLL_SNAP_CONTEXT']]], 'ParentDllBase' : [ 0xb8, ['pointer64', ['void']]], 'SwitchBackContext' : [ 0xc0, ['pointer64', ['void']]], 'BaseAddressIndexNode' : [ 0xc8, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0xe0, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0xf8, ['unsigned long long']], 'LoadTime' : [ 0x100, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x108, ['unsigned long']], 
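'LoadReason' : [ 0x10c, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x110, ['unsigned long']], } ],
  # _LDR_DDAG_NODE: loader dependency-graph node, 0x50 bytes in this profile.
  # Each member is listed as name -> [offset, [type ...]].
  '_LDR_DDAG_NODE' : [ 0x50, {
    'Modules' : [ 0x0, ['_LIST_ENTRY']],
    'ServiceTagList' : [ 0x10, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]],
    'LoadCount' : [ 0x18, ['unsigned long']],
    'ReferenceCount' : [ 0x1c, ['unsigned long']],
    'DependencyCount' : [ 0x20, ['unsigned long']],
    # Dependencies and RemovalLink share offset 0x28 (overlapping members).
    'Dependencies' : [ 0x28, ['_LDRP_CSLIST']],
    'RemovalLink' : [ 0x28, ['_SINGLE_LIST_ENTRY']],
    'IncomingDependencies' : [ 0x30, ['_LDRP_CSLIST']],
    # State is read as a signed 'long', so the negative states must be keyed by
    # negative integers, as every other enumeration in this table does with -1.
    # The generated table keyed four of them by one-character strings
    # ('\xfb', '\xfc', '\xfd', '\xfe'), i.e. the low byte of -5, -4, -3 and -2.
    # NOTE(review): presumably the Enumeration type looks the integer it read up
    # in `choices`; a string key would then never match and a module in a
    # merged/error/unloaded state would be reported without its state name.
    # Confirm against the Enumeration implementation.
    'State' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {
        0: 'LdrModulesPlaceHolder',
        1: 'LdrModulesMapping',
        2: 'LdrModulesMapped',
        3: 'LdrModulesWaitingForDependencies',
        4: 'LdrModulesSnapping',
        5: 'LdrModulesSnapped',
        6: 'LdrModulesCondensed',
        7: 'LdrModulesReadyToInit',
        8: 'LdrModulesInitializing',
        9: 'LdrModulesReadyToRun',
        -5: 'LdrModulesMerged',
        -4: 'LdrModulesInitError',
        -3: 'LdrModulesSnapError',
        -2: 'LdrModulesUnloaded',
        -1: 'LdrModulesUnloading'})]],
    'CondenseLink' : [ 0x40, ['_SINGLE_LIST_ENTRY']],
    'PreorderNumber' : [ 0x48, ['unsigned long']],
    'LowestLink' : [ 0x4c, ['unsigned long']],
} ],
'_POP_DEVICE_SYS_STATE' : [ 0x1d0, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, 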
['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'Order' : [ 0x30, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x1a8, ['_LIST_ENTRY']], 'Status' : [ 0x1b8, ['long']], 'FailedDevice' : [ 0x1c0, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1c8, ['unsigned char']], 'Cancelled' : [ 0x1c9, ['unsigned char']], 'IgnoreErrors' : [ 0x1ca, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1cb, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1cc, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LockedPages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'FloppyMedia' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ILOnly' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : 
[ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x10, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_TEB32' : [ 0xfe8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 
'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 
'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0xd8, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Latency' : [ 0xa8, ['unsigned long']], 'BreakEvenDuration' : [ 0xac, ['unsigned long']], 'Power' : [ 0xb0, ['unsigned long']], 'StateFlags' : [ 0xb4, ['unsigned long']], 'VetoAccounting' : [ 0xb8, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 
0xd0, ['unsigned char']], 'InterruptsEnabled' : [ 0xd1, ['unsigned char']], 'Interruptible' : [ 0xd2, ['unsigned char']], 'ContextRetained' : [ 0xd3, ['unsigned char']], 'CacheCoherent' : [ 0xd4, ['unsigned char']], 'WakesSpuriously' : [ 0xd5, ['unsigned char']], 'PlatformOnly' : [ 0xd6, ['unsigned char']], 'NoCState' : [ 0xd7, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x40, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x10, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x18, ['long']], 'HighWaterMark' : [ 0x1c, ['unsigned long']], 'Reserved' : [ 0x20, ['array', 8, ['unsigned long']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 
'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_2559' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x20, { 'NodeRangeSize' : [ 0x0, ['unsigned long long']], 'NodeCount' : [ 0x8, ['unsigned long long']], 'Tables' : [ 0x10, ['pointer64', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x18, ['unsigned long']], 'u1' : [ 0x1c, ['__unnamed_2559']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_POP_FX_ACCOUNTING' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned char']], 'DripsRequiredState' : [ 0xc, ['unsigned long']], 'Level' : [ 0x10, ['long']], 'ActiveStamp' : [ 0x18, ['long long']], 'CsActiveTime' : [ 0x20, ['unsigned long long']], 'CriticalActiveTime' : [ 0x28, ['long long']], } ], 
'_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : 
[ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_RELATION_LIST_ENTRY' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['_DEVICE_OBJECT_LIST_ENTRY']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x6, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], } ], '_POP_FX_COMPONENT' : [ 0xf8, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x18, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x58, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x60, ['long']], 'ActiveEvent' : [ 0x68, ['_KEVENT']], 'IdleLock' : [ 0x80, ['unsigned long long']], 'IdleConditionComplete' : [ 0x88, ['long']], 'IdleStateComplete' : [ 0x8c, ['long']], 'IdleStamp' : [ 0x90, ['unsigned long long']], 'CurrentIdleState' : [ 0x98, ['unsigned long']], 'IdleStateCount' : [ 0x9c, ['unsigned long']], 'IdleStates' : [ 0xa0, ['pointer64', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0xa8, ['unsigned long']], 'ProviderCount' : [ 0xac, ['unsigned long']], 'Providers' : [ 0xb0, ['pointer64', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0xb8, 
['unsigned long']], 'DependentCount' : [ 0xbc, ['unsigned long']], 'Dependents' : [ 0xc0, ['pointer64', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0xc8, ['_POP_FX_ACCOUNTING']], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x10, { 'DeviceHandle' : [ 0x0, ['pointer64', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x38, { 'ComponentActive' : [ 0x0, ['pointer64', ['void']]], 'ComponentIdle' : [ 0x8, ['pointer64', ['void']]], 'ComponentIdleState' : [ 0x10, ['pointer64', ['void']]], 'DevicePowerRequired' : [ 0x18, ['pointer64', ['void']]], 'DevicePowerNotRequired' : [ 0x20, ['pointer64', ['void']]], 'PowerControl' : [ 0x28, ['pointer64', ['void']]], 'ComponentCriticalTransition' : [ 0x30, ['pointer64', ['void']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x10, ['unsigned char']], 'Spare' : [ 0x11, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0x14, ['unsigned long']], 'DebugId' : [ 0x18, ['_CVDD']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8180, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, 
['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'StackLimitHits' : [ 0x8038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x803c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x8040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8044, ['unsigned long']], 'TotalReleases' : [ 0x8048, ['unsigned long']], 'RootNodesDeleted' : [ 0x804c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x8050, ['unsigned long']], 'Instigator' : [ 0x8058, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8060, ['unsigned long']], 'Participant' : [ 0x8068, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8168, ['long']], 'StackType' : [ 0x816c, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x8170, ['unsigned long long']], 'StackHighLimit' : [ 0x8178, ['unsigned long long']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 
'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned 
long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, 
end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x40, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'IRHints' : [ 0x30, ['unsigned long']], 'IRTruncatedHints' : [ 0x34, ['unsigned long']], 'ExpectedWakeReason' : [ 0x38, ['unsigned char']], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 'Inserted' : [ 0x1c, ['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_25c8' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_25ca' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_25c8']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_25ca']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 
'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_25dc' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_25dc']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, 
['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, 
['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_THERMAL_POLICY' : [ 0x14, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_RTL_UMS_CONTEXT' : [ 0x520, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 
'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'PrimaryUmsContext' : [ 0x500, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x508, ['unsigned long']], 'KernelYieldCount' : [ 0x50c, ['unsigned long']], 'MixedYieldCount' : [ 0x510, ['unsigned long']], 'YieldCount' : [ 0x514, ['unsigned long']], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, 
['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_ETW_GUID_ENTRY' : [ 0x178, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long long']], 'Guid' : [ 0x18, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, 
['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['pointer64', ['_ETW_FILTER_HEADER']]], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_2647' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2649' : [ 0x4, { 
'bits' : [ 0x0, ['__unnamed_2647']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_2649']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0xc0, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x70, 
['pointer64', ['void']]], 'Lock' : [ 0x80, ['long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1d, { 'PerUserPolicy' : [ 0x0, ['array', 29, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_265d' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_265f' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_2663' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_2667' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_2669' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_265d']], 'ReleaseForModifiedPageWriter' : [ 0x0, 
['__unnamed_265f']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2663']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2667']], 'Others' : [ 0x0, ['__unnamed_2669']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x8, { 'Function' : [ 0x0, ['pointer64', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long long']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x68, { 'PlatformOnlyCount' : [ 0x0, ['unsigned long long']], 'PreVetoCount' : [ 0x8, ['unsigned long long']], 'VetoCount' : [ 0x10, ['unsigned long long']], 'IdleDurationCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, ['unsigned long long']], 'InterruptibleCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'WrongProcessorCount' : [ 0x40, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x48, ['unsigned long long']], 'CstateCheckCount' : [ 0x50, ['unsigned long long']], 'NoCStateCount' : [ 0x58, ['unsigned long long']], 'SelectedCount' : [ 0x60, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x8, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_HIVE_WAIT_PACKET' : [ 0x28, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Next' : [ 0x20, ['pointer64', ['_HIVE_WAIT_PACKET']]], } ], '__unnamed_2678' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_267a' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, 
['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_267c' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_2678']], 'Interrupt' : [ 0x0, ['__unnamed_267a']], 'LocalInterrupt' : [ 0x0, ['__unnamed_267a']], 'Sci' : [ 0x0, ['__unnamed_267a']], 'Nmi' : [ 0x0, ['__unnamed_267a']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_267c']], } ], '_POP_HIBER_CONTEXT' : [ 0x1a0, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'VerifyKernelPhaseOnResume' : [ 0x3, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x4, ['unsigned char']], 'InitializationFinished' : [ 0x5, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'MapFrozen' : [ 0x14, ['unsigned char']], 'DiscardMap' : [ 0x18, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x18, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x38, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x48, ['unsigned long']], 'ClonedPageCount' : [ 0x50, ['unsigned long long']], 'CurrentMap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x60, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x68, ['unsigned long long']], 'LoaderMdl' : [ 0x70, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x78, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x80, ['unsigned long long']], 'IoPages' : [ 0x88, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x90, ['unsigned long']], 'CurrentMcb' : [ 0x98, ['pointer64', ['void']]], 'DumpStack' : [ 0xa0, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xa8, ['pointer64', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0xb0, 
['unsigned long']], 'Status' : [ 0xb4, ['long']], 'GraphicsProc' : [ 0xb8, ['unsigned long']], 'MemoryImage' : [ 0xc0, ['pointer64', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0xc8, ['pointer64', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0xd0, ['pointer64', ['_MDL']]], 'SiLogOffset' : [ 0xd8, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0xe0, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0xe8, ['pointer64', ['void']]], 'ResumeContext' : [ 0xf0, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0xf8, ['unsigned long']], 'ProcessorCount' : [ 0xfc, ['unsigned long']], 'ProcessorContext' : [ 0x100, ['pointer64', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0x108, ['pointer64', ['unsigned char']]], 'ProdConsSize' : [ 0x110, ['unsigned long']], 'MaxDataPages' : [ 0x114, ['unsigned long']], 'ExtraBuffer' : [ 0x118, ['pointer64', ['void']]], 'ExtraBufferSize' : [ 0x120, ['unsigned long long']], 'ExtraMapVa' : [ 0x128, ['pointer64', ['void']]], 'BitlockerKeyPFN' : [ 0x130, ['unsigned long long']], 'IoInfo' : [ 0x138, ['_POP_IO_INFO']], 'HardwareConfigurationSignature' : [ 0x198, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 
0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x178, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x108, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x110, ['pointer64', ['void']]], 'PointersLength' : [ 0x118, ['unsigned long']], 'ModulePrefix' : [ 0x120, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0x128, ['_LIST_ENTRY']], 'InitMsg' : [ 0x138, ['_STRING']], 'ProgMsg' : [ 0x148, ['_STRING']], 'DoneMsg' : [ 0x158, ['_STRING']], 'FileObject' : [ 0x168, ['pointer64', ['void']]], 'UsageType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_PPM_VETO_ACCOUNTING' : [ 0x18, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x48, { 'InitiatingThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ThreadId' : [ 0x10, ['pointer64', ['void']]], 'ProcessId' : [ 0x18, ['pointer64', ['void']]], 'Code' : [ 0x20, ['unsigned long']], 'Parameter1' : [ 0x28, ['unsigned long 
long']], 'Parameter2' : [ 0x30, ['unsigned long long']], 'Parameter3' : [ 0x38, ['unsigned long long']], 'Parameter4' : [ 0x40, ['unsigned long long']], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 31, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, 
['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], 'SecureInfo' : [ 0x10, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x10, ['_RTL_BITMAP_EX']], 'InPageSupport' : [ 0x10, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'PhysicalMemory' : [ 0x10, ['_MI_PHYSMEM_BLOCK']], 'LargePage' : [ 0x10, ['pointer64', ['_MI_LARGEPAGE_MEMORY_INFO']]], } ], '__unnamed_26b9' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_26b9']], } ], '__unnamed_26bd' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_26bd']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 
'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], 'PO_MEMORY_IMAGE' : [ 0x360, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long long']], 'HiberFlags' : [ 0x38, ['unsigned char']], 'spare' : [ 0x39, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x3c, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'NumPagesForLoader' : [ 0x58, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x60, ['unsigned long long']], 'FirstKernelRestorePage' : [ 0x68, ['unsigned long long']], 'PerfInfo' : [ 0x70, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x218, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x220, ['array', 1, ['unsigned long long']]], 'SiLogOffset' : [ 0x228, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x22c, ['unsigned long']], 'BootLoaderLogPages' : [ 0x230, ['array', 24, ['unsigned long long']]], 'NotUsed' : [ 0x2f0, ['unsigned long']], 'ResumeContextCheck' : [ 0x2f4, ['unsigned long']], 'ResumeContextPages' : [ 0x2f8, ['unsigned long']], 'Hiberboot' : [ 0x2fc, ['unsigned char']], 'HvCr3' : [ 0x300, ['unsigned long long']], 'HvEntryPoint' : [ 0x308, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x310, ['unsigned long 
long']], 'HvReservedTransitionAddressSize' : [ 0x318, ['unsigned long long']], 'BootFlags' : [ 0x320, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x328, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x330, ['unsigned long long']], 'BitlockerKeyPfns' : [ 0x338, ['array', 4, ['unsigned long long']]], 'HardwareSignature' : [ 0x358, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x18, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned short']], 'Flags' : [ 0x16, ['unsigned short']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x1a8, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'TotalHibernateTime' : [ 0x30, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x38, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x3c, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x40, ['unsigned long']], 'ResumeAppTicks' : [ 0x48, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x50, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x58, ['unsigned long long']], 'ResumeInitTicks' : [ 0x60, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x68, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x70, ['unsigned long long']], 'ResumeIoTicks' : [ 0x78, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x80, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0x88, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0x90, ['unsigned long long']], 'ResumeMapTicks' : [ 0x98, ['unsigned long 
long']], 'ResumeUnmapTicks' : [ 0xa0, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xa8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xb0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xb8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xc0, ['unsigned long long']], 'HalTscOffset' : [ 0xc8, ['unsigned long long']], 'HvlTscOffset' : [ 0xd0, ['unsigned long long']], 'SleeperThreadEnd' : [ 0xd8, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0xe0, ['unsigned long long']], 'IoBoundedness' : [ 0xe8, ['unsigned long long']], 'KernelDecompressTicks' : [ 0xf0, ['unsigned long long']], 'KernelIoTicks' : [ 0xf8, ['unsigned long long']], 'KernelCopyTicks' : [ 0x100, ['unsigned long long']], 'ReadCheckCount' : [ 0x108, ['unsigned long long']], 'KernelInitTicks' : [ 0x110, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x118, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x120, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x128, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x130, ['unsigned long long']], 'AnimationStart' : [ 0x138, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x140, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x148, ['unsigned long']], 'BootPagesProcessed' : [ 0x150, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x158, ['unsigned long long']], 'BootBytesWritten' : [ 0x160, ['unsigned long long']], 'KernelBytesWritten' : [ 0x168, ['unsigned long long']], 'BootPagesWritten' : [ 0x170, ['unsigned long long']], 'KernelPagesWritten' : [ 0x178, ['unsigned long long']], 'BytesWritten' : [ 0x180, ['unsigned long long']], 'PagesWritten' : [ 0x188, ['unsigned long']], 'FileRuns' : [ 0x18c, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x190, ['unsigned long']], 'MaxHuffRatio' : [ 0x194, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x198, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1a0, ['unsigned long long']], } ], '_POP_FX_PROVIDER' : [ 0x8, { 
'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '__unnamed_26dc' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_26dc']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_MI_PHYSMEM_BLOCK' : [ 0x8, { 'IoTracker' : [ 0x0, ['pointer64', ['_MMIO_TRACKER']]], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x80, { 'UncompressedData' : [ 0x0, ['pointer64', ['unsigned char']]], 'MappingVa' : [ 0x8, ['pointer64', ['void']]], 'XpressEncodeWorkspace' : [ 0x10, ['pointer64', ['void']]], 'CompressedDataBuffer' : [ 0x18, ['pointer64', ['unsigned char']]], 'CopyTicks' : [ 0x20, ['unsigned long long']], 'CompressTicks' : [ 0x28, ['unsigned long long']], 'BytesCopied' : [ 0x30, ['unsigned long long']], 'PagesProcessed' : [ 0x38, ['unsigned long long']], 'DecompressTicks' : [ 0x40, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x48, ['unsigned long long']], 'SharedBufferTicks' : [ 0x50, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x68, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x78, ['unsigned long']], 'HuffCompressCount' : [ 0x7c, ['unsigned long']], } ], '_DEVICE_OBJECT_LIST_ENTRY' : [ 0x10, { 'DeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 
'DeviceRelation', 1: 'Dependent', 2: 'DirectDescendant'})]], 'Flags' : [ 0xc, ['unsigned long']], } ], '_IO_REMOVE_LOCK' : [ 0x20, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_POP_IO_INFO' : [ 0x60, { 'DumpMdl' : [ 0x0, ['pointer64', ['_MDL']]], 'IoStatus' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x10, ['unsigned long long']], 'IoBytesCompleted' : [ 0x18, ['unsigned long long']], 'IoBytesInProgress' : [ 0x20, ['unsigned long long']], 'RequestSize' : [ 0x28, ['unsigned long long']], 'IoLocation' : [ 0x30, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x38, ['unsigned long long']], 'Buffer' : [ 0x40, ['pointer64', ['void']]], 'AsyncCapable' : [ 0x48, ['unsigned char']], 'BytesToRead' : [ 0x50, ['unsigned long long']], 'Pages' : [ 0x58, ['unsigned long']], } ], '_LDRP_CSLIST' : [ 0x8, { 'Tail' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_MMVIEW' : [ 0x38, { 'PteOffset' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['unsigned long long']], 'u1' : [ 0x10, ['_MMVIEW_CONTROL_AREA']], 'ViewLinks' : [ 0x18, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x28, ['pointer64', ['void']]], 'SessionId' : [ 0x30, ['unsigned long']], 'SessionIdForGlobalSubsections' : [ 0x34, ['unsigned long']], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_FILTER_HEADER' : [ 0x48, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x8, ['pointer64', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x10, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0x18, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x20, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x28, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x30, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x38, ['pointer64', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x40, ['pointer64', ['_EVENT_FILTER_HEADER']]], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_MMVIEW_CONTROL_AREA' : [ 0x8, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ExceptionForInPageErrors' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'UsedForControlArea' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LeakedPoolDeliberately' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_2712' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2714' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_2717' : [ 0x8, { 'IntrInfo' : [ 0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_271b' : [ 0x4, { 
'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x18, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x28, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x38, ['__unnamed_2712']], 'XapicMessage' : [ 0x38, ['__unnamed_2714']], 'Hypertransport' : [ 0x38, ['__unnamed_2717']], 'GenericMessage' : [ 0x38, ['__unnamed_2714']], 'MessageRequest' : [ 0x38, ['__unnamed_271b']], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_272e' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2730' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2732' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_272e']], 'Gpt' : [ 0x0, 
['__unnamed_2730']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x108, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MarkMemoryOnly' : [ 0x69, ['unsigned char']], 'HiberResume' : [ 0x6a, ['unsigned char']], 'Reserved1' : [ 0x6b, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_2732']], 'ReadRoutine' : [ 0xa0, ['pointer64', ['void']]], 'GetDriveTelemetryRoutine' : [ 0xa8, ['pointer64', ['void']]], 'LogSectionTruncateSize' : [ 0xb0, ['unsigned long']], 'Parameters' : [ 0xb4, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DumpNotifyRoutine' : [ 0x100, ['pointer64', ['void']]], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '_ETW_QUEUE_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x10, ['pointer64', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0x18, ['pointer64', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x20, ['pointer64', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x28, ['pointer64', ['void']]], 
'RegIndex' : [ 0x30, ['unsigned short']], 'ReplyIndex' : [ 0x32, ['unsigned short']], 'Flags' : [ 0x34, ['unsigned long']], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_KDPC_LIST' : [ 0x10, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x178, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x20, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 
3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer64', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '__unnamed_2766' : [ 0x4, 
{ 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2768' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2766']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_276b' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_276d' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_276b']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, ['__unnamed_2768']], 'HighPart' : [ 0x4, ['__unnamed_276d']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned 
long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_MI_LARGEPAGE_MEMORY_INFO' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ColoredPageInfoBase' : [ 0x10, ['pointer64', ['_COLORED_PAGE_INFO']]], 'PagesNeedZeroing' : [ 0x18, ['unsigned long']], 'ActualImageViewSize' : [ 0x20, ['unsigned long long']], } ], '__unnamed_277f' : [ 0x8, { 'MessageAddressLow' : [ 0x0, ['unsigned long']], 'MessageData' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], } ], '__unnamed_2781' : [ 0x8, { 'RemappedFormat' : [ 0x0, ['_ULARGE_INTEGER']], 'Msi' : [ 0x0, ['__unnamed_277f']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_2781']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], 
'_MMIO_TRACKER' : [ 0x70, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PageFrameIndex' : [ 0x10, ['unsigned long long']], 'NumberOfPages' : [ 0x18, ['unsigned long long']], 'BaseVa' : [ 0x20, ['pointer64', ['void']]], 'CacheFlushTimeStamp' : [ 0x20, ['unsigned long']], 'Mdl' : [ 0x28, ['pointer64', ['_MDL']]], 'MdlPages' : [ 0x30, ['unsigned long long']], 'StackTrace' : [ 0x38, ['array', 6, ['pointer64', ['void']]]], 'CacheInfo' : [ 0x68, ['array', 1, ['_IO_CACHE_INFO']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '__unnamed_278d' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_2790' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0x180, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x10, ['_LIST_ENTRY']], 'Event' : [ 0x20, ['_KEVENT']], 'CollidedEvent' : [ 0x38, ['_KEVENT']], 'IoStatus' : [ 0x50, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x60, ['_LARGE_INTEGER']], 'PteContents' : [ 0x68, ['_MMPTE']], 'Thread' : [ 0x70, ['pointer64', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0x78, ['pointer64', ['_MMPFN']]], 'WaitCount' : [ 0x80, ['long']], 'ByteCount' : [ 0x84, ['unsigned long']], 'u3' : [ 0x88, ['__unnamed_278d']], 'u1' : [ 0x8c, ['__unnamed_2790']], 'FilePointer' : [ 0x90, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x98, ['pointer64', ['_CONTROL_AREA']]], 'Autoboost' : [ 0xa0, ['pointer64', ['void']]], 'FaultingAddress' : [ 0xa8, ['pointer64', ['void']]], 'PointerPte' : [ 0xb0, ['pointer64', ['_MMPTE']]], 'BasePte' : [ 0xb8, ['pointer64', ['_MMPTE']]], 'Pfn' : [ 0xc0, ['pointer64', ['_MMPFN']]], 'PrefetchMdl' : [ 0xc8, ['pointer64', ['_MDL']]], 'Mdl' : [ 0xd0, ['_MDL']], 'Page' : [ 0x100, ['array', 16, ['unsigned long long']]], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, 
['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'BoostedPriority' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CoalescedIo' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 
'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_COLORED_PAGE_INFO' : [ 0x18, { 'BeingZeroed' : [ 0x0, ['long']], 'Processor' : [ 0x4, ['unsigned long']], 'PagesQueued' : [ 0x8, ['unsigned long long']], 'PfnAllocation' : [ 0x10, ['pointer64', ['_MMPFN']]], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0x18, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x8, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_IO_CACHE_INFO' : [ 0x1, { 'CacheAttribute' : [ 0x0, ['unsigned char']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x8, ['pointer64', ['unsigned short']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/vista_sp1_x86_vtypes.py0000644000000000000000000146330713131215405030774 0ustar rootrootntkrnlmp_types = { '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 
'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x4, 
['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_PPM_DIA_STATS' : [ 0xc, { 'PerfLevel' : [ 0x0, ['unsigned long']], 'IdleTime' : [ 0x4, ['unsigned long']], 'TimeInterval' : [ 0x8, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned 
long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_203f' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_2041' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_2045' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_2049' : [ 0x8, { 'NotificationType' : [ 
0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_204b' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_203f']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2041']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2045']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2049']], 'Others' : [ 0x0, ['__unnamed_204b']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x100, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, ['unsigned long']], 'MapFrozen' : [ 0xc, ['unsigned char']], 'MemoryMap' : [ 0x10, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x18, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x20, ['_LIST_ENTRY']], 'ClonedRangeCount' 
: [ 0x28, ['unsigned long']], 'NextCloneRange' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x30, ['unsigned long']], 'LoaderMdl' : [ 0x34, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x38, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x40, ['unsigned long long']], 'IoPages' : [ 0x48, ['pointer', ['void']]], 'IoPagesCount' : [ 0x4c, ['unsigned long']], 'CurrentMcb' : [ 0x50, ['pointer', ['void']]], 'DumpStack' : [ 0x54, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x58, ['pointer', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0x5c, ['unsigned long']], 'HiberPte' : [ 0x60, ['_LARGE_INTEGER']], 'Status' : [ 0x68, ['long']], 'MemoryImage' : [ 0x6c, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x70, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x74, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x78, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x7c, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x80, ['pointer', ['void']]], 'DmaIO' : [ 0x84, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x88, ['pointer', ['void']]], 'PerfInfo' : [ 0x90, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0xf0, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0xf4, ['pointer', ['_MDL']]], 'ResumeContext' : [ 0xf8, ['pointer', ['void']]], 'ResumeContextPages' : [ 0xfc, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 
0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x20, { 'ThreadHandle' : [ 0x0, ['pointer', ['void']]], 'ThreadId' : [ 0x4, ['pointer', ['void']]], 'ProcessId' : [ 0x8, ['pointer', ['void']]], 'Code' : [ 0xc, ['unsigned long']], 'Parameter1' : [ 0x10, ['unsigned long']], 'Parameter2' : [ 0x14, ['unsigned long']], 'Parameter3' : [ 0x18, ['unsigned long']], 'Parameter4' : [ 0x1c, ['unsigned long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'ImageMerge' : [ 0x4, ['pointer', ['void']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS' : [ 0x8, { 'ProcessorType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'InstructionSet' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Operation' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Flags' : [ 0x0, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Level' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'CPUVersion' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CPUBrandString' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'ProcessorId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'TargetAddress' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InstructionPointer' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_2072' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_2072']], } ], '__unnamed_2076' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2076']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', 
dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xf0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'HiberPte' : [ 0x38, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x40, ['unsigned long']], 'FreeMapCheck' : [ 0x44, ['unsigned long']], 'WakeCheck' : [ 0x48, ['unsigned long']], 'TotalPages' : [ 0x4c, ['unsigned long']], 'FirstTablePage' : [ 0x50, ['unsigned long']], 'LastFilePage' : [ 0x54, ['unsigned long']], 'PerfInfo' : [ 0x58, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xb8, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xbc, ['array', 1, ['unsigned long']]], 'NoBootLoaderLogPages' : [ 0xc0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xc4, ['array', 8, ['unsigned long']]], 'NotUsed' : [ 0xe4, ['unsigned long']], 'ResumeContextCheck' : [ 0xe8, ['unsigned long']], 'ResumeContextPages' : [ 0xec, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, ['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' 
: [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'Writable' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '__unnamed_2093' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_2095' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2097' 
: [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2099' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_209b' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_209d' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_209f' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20a1' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_20a3' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20a5' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 'Data' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '__unnamed_20a7' : [ 0x1c, { 'DeviceClass' : [ 0x0, ['__unnamed_2093']], 'TargetDevice' : [ 0x0, ['__unnamed_2095']], 'InstallDevice' : [ 0x0, ['__unnamed_2097']], 'CustomNotification' : [ 0x0, ['__unnamed_2099']], 'ProfileNotification' : [ 0x0, ['__unnamed_209b']], 'PowerNotification' : [ 0x0, ['__unnamed_209d']], 'VetoNotification' : [ 0x0, ['__unnamed_209f']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20a1']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_20a3']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_20a5']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x40, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = 
{0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_20a7']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x34, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0xc, ['pointer', ['unsigned char']]], 'PciDeviceId' : [ 0x10, ['unsigned short']], 'PciVendorId' : [ 0x12, ['unsigned short']], 'PciBusNumber' : [ 0x14, ['unsigned char']], 'PciBusSegment' : [ 0x16, ['unsigned short']], 'PciSlotNumber' : [ 0x18, ['unsigned char']], 'PciFunctionNumber' : [ 0x19, ['unsigned char']], 'PciFlags' : [ 0x1c, ['unsigned long']], 'SystemGUID' : [ 0x20, ['_GUID']], 'IsMMIODevice' : [ 0x30, ['unsigned char']], 'TerminalType' : [ 0x31, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_20be' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_20c0' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_20c2' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_20be']], 'Gpt' : [ 0x0, ['__unnamed_20c0']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' 
: [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_20c2']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x2c, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Hint' : [ 0x8, ['unsigned long']], 'BasePte' : [ 0xc, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x10, ['pointer', ['unsigned long']]], 'Vm' : [ 0x14, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x18, ['long']], 'TotalFreeSystemPtes' : [ 0x1c, ['long']], 'CachedPteCount' : [ 0x20, ['long']], 'PteFailures' : [ 0x24, ['unsigned long']], 'GlobalMutex' : [ 0x28, ['pointer', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x10, { 'DHCPServerACK' : [ 0x0, ['pointer', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x4, ['unsigned long']], 'BootServerReplyPacket' : [ 0x8, ['pointer', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0xc, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 
'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x148, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', 
['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], 
'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_1019' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1019']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_101e' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_101e']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_1037' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1039' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_1037']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x20, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_1039']], } ], '_TP_TASK_CALLBACKS' : [ 0x8, { 'ExecuteCallback' : [ 0x0, ['pointer', ['void']]], 'Unposted' : [ 0x4, ['pointer', ['void']]], } ], '_TP_TASK' : [ 0x4, { 'Callbacks' : [ 0x0, ['pointer', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x4, { 'Callback' : [ 0x0, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', 
['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_KPRCB' : [ 0x2008, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'CpuStepping' : [ 0x1a, ['unsigned char']], 'CpuModel' : [ 0x1b, ['unsigned char']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3bc, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3c0, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3c1, ['unsigned char']], 'PrcbPad0' : [ 0x3c2, ['array', 2, ['unsigned char']]], 'MHz' : [ 0x3c4, ['unsigned long']], 'PrcbPad1' : [ 0x3c8, ['array', 80, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 49, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x5a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x5a4, ['unsigned 
long']], 'KernelTime' : [ 0x5a8, ['unsigned long']], 'UserTime' : [ 0x5ac, ['unsigned long']], 'DpcTime' : [ 0x5b0, ['unsigned long']], 'DpcTimeCount' : [ 0x5b4, ['unsigned long']], 'InterruptTime' : [ 0x5b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5bc, ['unsigned long']], 'PageColor' : [ 0x5c0, ['unsigned long']], 'SkipTick' : [ 0x5c4, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x5c5, ['unsigned char']], 'NodeColor' : [ 0x5c6, ['unsigned char']], 'PollSlot' : [ 0x5c7, ['unsigned char']], 'NodeShiftedColor' : [ 0x5c8, ['unsigned long']], 'ParentNode' : [ 0x5cc, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x5d0, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x5d4, ['pointer', ['_KPRCB']]], 'SecondaryColorMask' : [ 0x5d8, ['unsigned long']], 'DpcTimeLimit' : [ 0x5dc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x5e0, ['unsigned long']], 'CcFastReadWait' : [ 0x5e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x5e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x5ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x5f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x5f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x5f8, ['long']], 'IoReadOperationCount' : [ 0x5fc, ['long']], 'IoWriteOperationCount' : [ 0x600, ['long']], 'IoOtherOperationCount' : [ 0x604, ['long']], 'IoReadTransferCount' : [ 0x608, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x610, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x618, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x620, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x624, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x628, ['unsigned long']], 'CcMapDataNoWait' : [ 0x62c, ['unsigned long']], 'CcMapDataWait' : [ 0x630, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x634, ['unsigned long']], 'CcPinReadNoWait' : [ 0x638, ['unsigned long']], 'CcPinReadWait' : [ 0x63c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x640, ['unsigned long']], 'CcMdlReadWait' : [ 0x644, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 
0x648, ['unsigned long']], 'CcLazyWriteIos' : [ 0x64c, ['unsigned long']], 'CcLazyWritePages' : [ 0x650, ['unsigned long']], 'CcDataFlushes' : [ 0x654, ['unsigned long']], 'CcDataPages' : [ 0x658, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x65c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x660, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x664, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x668, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x66c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x670, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x674, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x678, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x67c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x680, ['unsigned long']], 'CcReadAheadIos' : [ 0x684, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x688, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x68c, ['unsigned long']], 'KeSystemCalls' : [ 0x690, ['unsigned long']], 'PrcbPad2' : [ 0x694, ['array', 3, ['unsigned long']]], 'PPLookasideList' : [ 0x6a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x720, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1020, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x1920, ['unsigned long']], 'ReverseStall' : [ 0x1924, ['long']], 'IpiFrame' : [ 0x1928, ['pointer', ['void']]], 'PrcbPad3' : [ 0x192c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x1960, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x196c, ['unsigned long']], 'WorkerRoutine' : [ 0x1970, ['pointer', ['void']]], 'IpiFrozen' : [ 0x1974, ['unsigned long']], 'PrcbPad4' : [ 0x1978, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x19a0, ['unsigned long']], 'SignalDone' : [ 0x19a4, ['pointer', ['_KPRCB']]], 'PrcbPad5' : [ 0x19a8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x19e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1a08, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x1a0c, 
['long']], 'DpcRequestRate' : [ 0x1a10, ['unsigned long']], 'MinimumDpcRate' : [ 0x1a14, ['unsigned long']], 'DpcInterruptRequested' : [ 0x1a18, ['unsigned char']], 'DpcThreadRequested' : [ 0x1a19, ['unsigned char']], 'DpcRoutineActive' : [ 0x1a1a, ['unsigned char']], 'DpcThreadActive' : [ 0x1a1b, ['unsigned char']], 'PrcbLock' : [ 0x1a1c, ['unsigned long']], 'DpcLastCount' : [ 0x1a20, ['unsigned long']], 'TimerHand' : [ 0x1a24, ['unsigned long']], 'TimerRequest' : [ 0x1a28, ['unsigned long']], 'PrcbPad41' : [ 0x1a2c, ['pointer', ['void']]], 'DpcEvent' : [ 0x1a30, ['_KEVENT']], 'ThreadDpcEnable' : [ 0x1a40, ['unsigned char']], 'QuantumEnd' : [ 0x1a41, ['unsigned char']], 'PrcbPad50' : [ 0x1a42, ['unsigned char']], 'IdleSchedule' : [ 0x1a43, ['unsigned char']], 'DpcSetEventRequest' : [ 0x1a44, ['long']], 'Sleeping' : [ 0x1a48, ['long']], 'PeriodicCount' : [ 0x1a4c, ['unsigned long']], 'PeriodicBias' : [ 0x1a50, ['unsigned long']], 'PrcbPad51' : [ 0x1a54, ['array', 6, ['unsigned char']]], 'TickOffset' : [ 0x1a5c, ['long']], 'CallDpc' : [ 0x1a60, ['_KDPC']], 'ClockKeepAlive' : [ 0x1a80, ['long']], 'ClockCheckSlot' : [ 0x1a84, ['unsigned char']], 'ClockPollCycle' : [ 0x1a85, ['unsigned char']], 'PrcbPad6' : [ 0x1a86, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x1a88, ['long']], 'DpcWatchdogCount' : [ 0x1a8c, ['long']], 'ThreadWatchdogPeriod' : [ 0x1a90, ['long']], 'ThreadWatchdogCount' : [ 0x1a94, ['long']], 'PrcbPad70' : [ 0x1a98, ['array', 2, ['unsigned long']]], 'WaitListHead' : [ 0x1aa0, ['_LIST_ENTRY']], 'WaitLock' : [ 0x1aa8, ['unsigned long']], 'ReadySummary' : [ 0x1aac, ['unsigned long']], 'QueueIndex' : [ 0x1ab0, ['unsigned long']], 'DeferredReadyListHead' : [ 0x1ab4, ['_SINGLE_LIST_ENTRY']], 'StartCycles' : [ 0x1ab8, ['unsigned long long']], 'CycleTime' : [ 0x1ac0, ['unsigned long long']], 'PrcbPad71' : [ 0x1ac8, ['array', 3, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x1ae0, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' 
: [ 0x1be0, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x1be4, ['long']], 'MmPageFaultCount' : [ 0x1be8, ['long']], 'MmCopyOnWriteCount' : [ 0x1bec, ['long']], 'MmTransitionCount' : [ 0x1bf0, ['long']], 'MmCacheTransitionCount' : [ 0x1bf4, ['long']], 'MmDemandZeroCount' : [ 0x1bf8, ['long']], 'MmPageReadCount' : [ 0x1bfc, ['long']], 'MmPageReadIoCount' : [ 0x1c00, ['long']], 'MmCacheReadCount' : [ 0x1c04, ['long']], 'MmCacheIoCount' : [ 0x1c08, ['long']], 'MmDirtyPagesWriteCount' : [ 0x1c0c, ['long']], 'MmDirtyWriteIoCount' : [ 0x1c10, ['long']], 'MmMappedPagesWriteCount' : [ 0x1c14, ['long']], 'MmMappedWriteIoCount' : [ 0x1c18, ['long']], 'CachedCommit' : [ 0x1c1c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x1c20, ['unsigned long']], 'HyperPte' : [ 0x1c24, ['pointer', ['void']]], 'CpuVendor' : [ 0x1c28, ['unsigned char']], 'PrcbPad8' : [ 0x1c29, ['array', 3, ['unsigned char']]], 'VendorString' : [ 0x1c2c, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x1c39, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x1c3a, ['unsigned char']], 'PrcbPad9' : [ 0x1c3b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x1c40, ['unsigned long']], 'UpdateSignature' : [ 0x1c48, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x1c50, ['unsigned long long']], 'SpareField1' : [ 0x1c58, ['unsigned long long']], 'NpxSaveArea' : [ 0x1c60, ['_FX_SAVE_AREA']], 'PowerState' : [ 0x1e70, ['_PROCESSOR_POWER_STATE']], 'DpcWatchdogDpc' : [ 0x1f38, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x1f58, ['_KTIMER']], 'WheaInfo' : [ 0x1f80, ['pointer', ['void']]], 'EtwSupport' : [ 0x1f84, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x1f88, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x1f90, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x1f98, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x1f9c, ['pointer', ['void']]], 'StatisticsPage' : [ 0x1fa0, ['pointer', ['unsigned long long']]], 'RateControl' : [ 0x1fa4, ['pointer', ['void']]], 'Cache' : [ 0x1fa8, ['array', 5, 
['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x1fe4, ['unsigned long']], 'CacheProcessorMask' : [ 0x1fe8, ['array', 5, ['unsigned long']]], 'PackageProcessorSet' : [ 0x1ffc, ['unsigned long']], 'CoreProcessorSet' : [ 0x2000, ['unsigned long']], } ], '_KPCR' : [ 0x2128, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 
0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x1e0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'HighCycleTime' : [ 0x18, ['unsigned long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer', ['void']]], 'StackLimit' : [ 0x2c, ['pointer', ['void']]], 'KernelStack' : [ 0x30, ['pointer', ['void']]], 'ThreadLock' : [ 0x34, ['unsigned long']], 'ApcState' : [ 0x38, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x38, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x4f, ['unsigned char']], 'NextProcessor' : [ 0x50, ['unsigned short']], 'DeferredProcessor' : [ 0x52, ['unsigned short']], 'ApcQueueLock' : [ 0x54, ['unsigned long']], 'ContextSwitches' : [ 0x58, ['unsigned long']], 'State' : [ 0x5c, ['unsigned char']], 'NpxState' : [ 0x5d, ['unsigned char']], 'WaitIrql' : [ 0x5e, ['unsigned char']], 'WaitMode' : [ 0x5f, ['unsigned char']], 'WaitStatus' : [ 0x60, ['long']], 'WaitBlockList' : [ 0x64, ['pointer', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x64, ['pointer', ['_KGATE']]], 'KernelStackResident' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x68, ['BitField', dict(start_bit = 
3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x68, ['long']], 'WaitReason' : [ 0x6c, ['unsigned char']], 'SwapBusy' : [ 0x6d, ['unsigned char']], 'Alerted' : [ 0x6e, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x70, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x70, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x78, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x7c, ['unsigned long']], 'KernelApcDisable' : [ 0x80, ['short']], 'SpecialApcDisable' : [ 0x82, ['short']], 'CombinedApcDisable' : [ 0x80, ['unsigned long']], 'Teb' : [ 0x84, ['pointer', ['void']]], 'Timer' : [ 0x88, ['_KTIMER']], 'TimerFill' : [ 0x88, ['array', 40, ['unsigned char']]], 'AutoAlignment' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xb0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xb0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xb0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CycleChargePending' : [ 0xb0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xb0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xb0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xb0, ['BitField', dict(start_bit 
= 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xb0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb0, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xb0, ['long']], 'WaitBlock' : [ 0xb8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xb8, ['array', 23, ['unsigned char']]], 'IdealProcessor' : [ 0xcf, ['unsigned char']], 'WaitBlockFill1' : [ 0xb8, ['array', 47, ['unsigned char']]], 'PreviousMode' : [ 0xe7, ['unsigned char']], 'WaitBlockFill2' : [ 0xb8, ['array', 71, ['unsigned char']]], 'ResourceIndex' : [ 0xff, ['unsigned char']], 'WaitBlockFill3' : [ 0xb8, ['array', 95, ['unsigned char']]], 'LargeStack' : [ 0x117, ['unsigned char']], 'QueueListEntry' : [ 0x118, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x120, ['pointer', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x124, ['pointer', ['void']]], 'CallbackStack' : [ 0x128, ['pointer', ['void']]], 'CallbackDepth' : [ 0x128, ['unsigned long']], 'ServiceTable' : [ 0x12c, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x130, ['unsigned char']], 'BasePriority' : [ 0x131, ['unsigned char']], 'PriorityDecrement' : [ 0x132, ['unsigned char']], 'Preempted' : [ 0x133, ['unsigned char']], 'AdjustReason' : [ 0x134, ['unsigned char']], 'AdjustIncrement' : [ 0x135, ['unsigned char']], 'Spare01' : [ 0x136, ['unsigned char']], 'Saturation' : [ 0x137, ['unsigned char']], 'SystemCallNumber' : [ 0x138, ['unsigned long']], 'FreezeCount' : [ 0x13c, ['unsigned long']], 'UserAffinity' : [ 0x140, ['unsigned long']], 'Process' : [ 0x144, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x148, ['unsigned long']], 'ApcStatePointer' : [ 0x14c, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x154, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x154, ['array', 23, ['unsigned char']]], 'Spare02' : [ 0x16b, ['unsigned char']], 'SuspendCount' : [ 0x16c, ['unsigned char']], 'UserIdealProcessor' : [ 0x16d, ['unsigned char']], 
'Spare03' : [ 0x16e, ['unsigned char']], 'OtherPlatformFill' : [ 0x16f, ['unsigned char']], 'Win32Thread' : [ 0x170, ['pointer', ['void']]], 'StackBase' : [ 0x174, ['pointer', ['void']]], 'SuspendApc' : [ 0x178, ['_KAPC']], 'SuspendApcFill0' : [ 0x178, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x179, ['unsigned char']], 'SuspendApcFill1' : [ 0x178, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x17b, ['unsigned char']], 'SuspendApcFill2' : [ 0x178, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x17c, ['unsigned long']], 'SuspendApcFill3' : [ 0x178, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x19c, ['pointer', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x178, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1a0, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x178, ['array', 47, ['unsigned char']]], 'PowerState' : [ 0x1a7, ['unsigned char']], 'UserTime' : [ 0x1a8, ['unsigned long']], 'SuspendSemaphore' : [ 0x1ac, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x1ac, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1c0, ['unsigned long']], 'ThreadListEntry' : [ 0x1c4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1cc, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1d4, ['pointer', ['void']]], 'MdlForLockedTeb' : [ 0x1d8, ['pointer', ['void']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 
'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 
'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_ETHREAD' : [ 0x288, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1e0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x1e8, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x1e8, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1f0, ['long']], 'OfsChain' : [ 0x1f0, ['pointer', ['void']]], 'PostBlockList' : [ 0x1f4, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x1f4, ['pointer', ['void']]], 'StartAddress' : [ 0x1f8, ['pointer', ['void']]], 'TerminationPort' : [ 0x1fc, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1fc, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1fc, ['pointer', ['void']]], 'Win32StartParameter' : [ 0x1fc, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x200, ['unsigned long']], 'ActiveTimerListHead' : [ 0x204, ['_LIST_ENTRY']], 'Cid' : [ 0x20c, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 
'ClientSecurity' : [ 0x228, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x22c, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x234, ['unsigned long']], 'DeviceToVerify' : [ 0x238, ['pointer', ['_DEVICE_OBJECT']]], 'RateControlApc' : [ 0x23c, ['pointer', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x240, ['pointer', ['void']]], 'SparePtr0' : [ 0x244, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x248, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x250, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x254, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x258, ['unsigned long']], 'MmLockOrdering' : [ 0x25c, ['long']], 'CrossThreadFlags' : [ 0x260, ['unsigned long']], 'Terminated' : [ 0x260, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x260, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x260, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x260, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x260, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x260, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x260, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x260, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x260, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x260, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x260, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x260, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x260, ['BitField', 
dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x264, ['unsigned long']], 'ActiveExWorker' : [ 0x264, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x264, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x264, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x264, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x264, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x264, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x264, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x268, ['unsigned long']], 'Spare' : [ 0x268, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x268, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x268, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x269, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 
0x269, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x269, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x269, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x269, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x269, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x269, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x269, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x26a, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x26b, ['unsigned char']], 'CacheManagerActive' : [ 0x26c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x26d, ['unsigned char']], 'ActiveFaultCount' : [ 0x26e, ['unsigned char']], 'AlpcMessageId' : [ 0x270, ['unsigned long']], 'AlpcMessage' : [ 0x274, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x274, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x278, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x280, ['unsigned long']], } ], '_EPROCESS' : [ 0x270, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x88, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x90, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x98, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x9c, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xa0, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xa8, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0xb4, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xc0, ['unsigned long']], 'PeakVirtualSize' : [ 0xc4, ['unsigned long']], 'VirtualSize' : [ 0xc8, ['unsigned long']], 'SessionProcessLinks' : [ 0xcc, ['_LIST_ENTRY']], 'DebugPort' : [ 
0xd4, ['pointer', ['void']]], 'ExceptionPortData' : [ 0xd8, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xd8, ['unsigned long']], 'ExceptionPortState' : [ 0xd8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'ObjectTable' : [ 0xdc, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xe0, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xe4, ['unsigned long']], 'AddressCreationLock' : [ 0xe8, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0xec, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0xf0, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0xf4, ['unsigned long']], 'PhysicalVadRoot' : [ 0xf8, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0xfc, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x100, ['unsigned long']], 'NumberOfLockedPages' : [ 0x104, ['unsigned long']], 'Win32Process' : [ 0x108, ['pointer', ['void']]], 'Job' : [ 0x10c, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x110, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x114, ['pointer', ['void']]], 'QuotaBlock' : [ 0x118, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x11c, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x120, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x124, ['pointer', ['void']]], 'LdtInformation' : [ 0x128, ['pointer', ['void']]], 'Spare' : [ 0x12c, ['pointer', ['void']]], 'VdmObjects' : [ 0x130, ['pointer', ['void']]], 'DeviceMap' : [ 0x134, ['pointer', ['void']]], 'EtwDataSource' : [ 0x138, ['pointer', ['void']]], 'FreeTebHint' : [ 0x13c, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x140, ['_HARDWARE_PTE']], 'Filler' : [ 0x140, ['unsigned long long']], 'Session' : [ 0x148, ['pointer', ['void']]], 'ImageFileName' : [ 0x14c, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x15c, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x164, ['pointer', ['void']]], 'ThreadListHead' : [ 0x168, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x170, ['pointer', ['void']]], 'PaeTop' : [ 0x174, ['pointer', ['void']]], 
'ActiveThreads' : [ 0x178, ['unsigned long']], 'ImagePathHash' : [ 0x17c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x180, ['unsigned long']], 'LastThreadExitStatus' : [ 0x184, ['long']], 'Peb' : [ 0x188, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x18c, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x190, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x198, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1a0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1a8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1c0, ['unsigned long']], 'CommitChargePeak' : [ 0x1c4, ['unsigned long']], 'AweInfo' : [ 0x1c8, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1cc, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1d0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x218, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x220, ['unsigned long']], 'Flags2' : [ 0x224, ['unsigned long']], 'JobNotReallyActive' : [ 0x224, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x224, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x224, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x224, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x224, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x224, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x224, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x224, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x224, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 
'RefTraceEnabled' : [ 0x224, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x224, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x224, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x224, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x224, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x224, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x224, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x224, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x224, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x224, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Flags' : [ 0x228, ['unsigned long']], 'CreateReported' : [ 0x228, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x228, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x228, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x228, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x228, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x228, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x228, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x228, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 
'ForkFailed' : [ 0x228, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x228, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x228, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x228, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x228, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x228, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x228, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x228, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x228, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x228, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x228, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x228, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x228, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x228, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x228, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x228, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x228, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x228, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x228, 
['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x228, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SpareProcessFlags' : [ 0x228, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x22c, ['long']], 'Spare7' : [ 0x230, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x232, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x233, ['unsigned char']], 'SubSystemVersion' : [ 0x232, ['unsigned short']], 'PriorityClass' : [ 0x234, ['unsigned char']], 'VadRoot' : [ 0x238, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x258, ['unsigned long']], 'AlpcContext' : [ 0x25c, ['_ALPC_PROCESS_CONTEXT']], } ], '__unnamed_11d8' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_11d8']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '__unnamed_11e6' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_11eb' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, 
['pointer', ['void']]], } ], '__unnamed_11ed' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_11eb']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_11f8' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_11fa' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_11f8']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_11e6']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_11ed']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_11fa']], } ], '__unnamed_1200' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned 
long']], } ], '__unnamed_1204' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1208' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_120a' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_120e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 
'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1210' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_1212' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 
'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], } ], '__unnamed_1214' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 
'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1216' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1218' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_121c' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_121e' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1221' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1223' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned 
long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1225' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_1227' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_122b' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_122f' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1233' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1237' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_123e' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1242' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1246' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1248' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_124a' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_124e' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 
2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1252' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1256' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_125a' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_125e' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1266' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_126a' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_126c' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', 
['void']]], } ], '__unnamed_126e' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1270' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_1200']], 'CreatePipe' : [ 0x0, ['__unnamed_1204']], 'CreateMailslot' : [ 0x0, ['__unnamed_1208']], 'Read' : [ 0x0, ['__unnamed_120a']], 'Write' : [ 0x0, ['__unnamed_120a']], 'QueryDirectory' : [ 0x0, ['__unnamed_120e']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1210']], 'QueryFile' : [ 0x0, ['__unnamed_1212']], 'SetFile' : [ 0x0, ['__unnamed_1214']], 'QueryEa' : [ 0x0, ['__unnamed_1216']], 'SetEa' : [ 0x0, ['__unnamed_1218']], 'QueryVolume' : [ 0x0, ['__unnamed_121c']], 'SetVolume' : [ 0x0, ['__unnamed_121c']], 'FileSystemControl' : [ 0x0, ['__unnamed_121e']], 'LockControl' : [ 0x0, ['__unnamed_1221']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1223']], 'QuerySecurity' : [ 0x0, ['__unnamed_1225']], 'SetSecurity' : [ 0x0, ['__unnamed_1227']], 'MountVolume' : [ 0x0, ['__unnamed_122b']], 'VerifyVolume' : [ 0x0, ['__unnamed_122b']], 'Scsi' : [ 0x0, ['__unnamed_122f']], 'QueryQuota' : [ 0x0, ['__unnamed_1233']], 'SetQuota' : [ 0x0, ['__unnamed_1218']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1237']], 'QueryInterface' : [ 0x0, ['__unnamed_123e']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1242']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1246']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1248']], 'SetLock' : [ 0x0, ['__unnamed_124a']], 'QueryId' : [ 0x0, ['__unnamed_124e']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1252']], 'UsageNotification' : [ 0x0, ['__unnamed_1256']], 'WaitWake' : [ 0x0, ['__unnamed_125a']], 'PowerSequence' : [ 0x0, ['__unnamed_125e']], 'Power' : [ 0x0, ['__unnamed_1266']], 'StartDevice' : [ 0x0, ['__unnamed_126a']], 'WMI' : [ 0x0, ['__unnamed_126c']], 'Others' : [ 0x0, ['__unnamed_126e']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, 
['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_1270']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', 
['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', 
['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_PF_HARD_FAULT_INFO' : [ 0x30, { 'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']], 'HardFaultEvent' : [ 0x10, ['_PERFINFO_HARDPAGEFAULT_INFORMATION']], 'IoTimeInTicks' : [ 
0x28, ['_LARGE_INTEGER']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '__unnamed_1320' : [ 0xd0, { 'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']], 'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']], 'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']], 'PciExpressError' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR']], 'PciXBusError' : [ 0x0, ['_WHEA_PCIXBUS_ERROR']], 'PciXDeviceError' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR']], } ], '_WHEA_ERROR_PACKET' : [ 0x119, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['_WHEA_ERROR_PACKET_FLAGS']], 'Size' : [ 0x8, ['unsigned long']], 'RawDataLength' : [ 0xc, ['unsigned long']], 'Reserved1' : [ 0x10, ['unsigned long long']], 'Context' : [ 0x18, ['unsigned long long']], 'ErrorType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ErrorSourceId' : [ 0x28, ['unsigned long']], 'ErrorSourceType' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Reserved2' : [ 0x30, ['unsigned long']], 'Version' : [ 0x34, 
['unsigned long']], 'Cpu' : [ 0x38, ['unsigned long long']], 'u' : [ 0x40, ['__unnamed_1320']], 'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaRawDataFormatIPFSalRecord', 1: 'WheaRawDataFormatIA32MCA', 2: 'WheaRawDataFormatIntel64MCA', 3: 'WheaRawDataFormatAMD64MCA', 4: 'WheaRawDataFormatMemory', 5: 'WheaRawDataFormatPCIExpress', 6: 'WheaRawDataFormatNMIPort', 7: 'WheaRawDataFormatPCIXBus', 8: 'WheaRawDataFormatPCIXDevice', 9: 'WheaRawDataFormatGeneric', 10: 'WheaRawDataFormatMax'})]], 'RawDataOffset' : [ 0x114, ['unsigned long']], 'RawData' : [ 0x118, ['array', 1, ['unsigned char']]], } ], '_KPROCESS' : [ 0x80, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'Unused0' : [ 0x1c, ['unsigned long']], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Unused1' : [ 0x32, ['unsigned char']], 'Unused2' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'AutoAlignment' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x60, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x60, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x60, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x60, ['long']], 'BasePriority' : [ 0x64, ['unsigned char']], 'QuantumReset' : [ 0x65, ['unsigned char']], 'State' : [ 0x66, ['unsigned 
char']], 'ThreadSeed' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'IdealNode' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], 'StackCount' : [ 0x6c, ['unsigned long']], 'ProcessListEntry' : [ 0x70, ['_LIST_ENTRY']], 'CycleTime' : [ 0x78, ['unsigned long long']], } ], '__unnamed_13d6' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'VolatileLong' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_13d6']], } ], '__unnamed_13ea' : [ 0xc, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0x7c, { 'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x8, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x10, ['_LIST_ENTRY']], 'KernelStack' : [ 0x18, ['unsigned long']], 'Prcb' : [ 0x1c, ['unsigned long']], 'Process' : [ 0x20, ['unsigned long']], 'Thread' : [ 0x24, ['unsigned long']], 'RegistryLength' : [ 0x28, ['unsigned long']], 'RegistryBase' : [ 0x2c, ['pointer', ['void']]], 'ConfigurationRoot' : [ 0x30, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x34, ['pointer', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x38, ['pointer', ['unsigned char']]], 'NtBootPathName' : [ 0x3c, ['pointer', ['unsigned char']]], 'NtHalPathName' : [ 0x40, ['pointer', ['unsigned char']]], 'LoadOptions' : [ 0x44, ['pointer', ['unsigned char']]], 'NlsData' : [ 0x48, ['pointer', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x4c, ['pointer', 
['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0x50, ['pointer', ['void']]], 'SetupLoaderBlock' : [ 0x54, ['pointer', ['_SETUP_LOADER_BLOCK']]], 'Extension' : [ 0x58, ['pointer', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0x5c, ['__unnamed_13ea']], 'FirmwareInformation' : [ 0x68, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_MMPTE_FLUSH_LIST' : [ 0x8c, { 'Count' : [ 0x0, ['unsigned long']], 'MaximumCount' : [ 0x4, ['unsigned long']], 'FlushVa' : [ 0x8, ['array', 33, ['pointer', ['void']]]], } ], '_MI_COLOR_BASE' : [ 0x8, { 'ColorPointer' : [ 0x0, ['pointer', ['unsigned short']]], 'ColorMask' : [ 0x4, ['unsigned short']], 'ColorNode' : [ 0x6, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x48, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimStamp' : [ 0x8, ['unsigned short']], 'NextPageColor' : [ 0xa, ['unsigned short']], 'Flags' : [ 0xc, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x10, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x14, ['unsigned long']], 'ChargedWslePages' : [ 0x18, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x1c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x20, ['unsigned long']], 'VmWorkingSetList' : [ 0x24, ['pointer', ['_MMWSL']]], 'Claim' : [ 0x28, ['unsigned long']], 'ActualWslePages' : [ 0x2c, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x30, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x34, ['unsigned long']], 'WorkingSetSize' : [ 0x38, ['unsigned long']], 'ExitGate' : [ 0x3c, ['pointer', ['_KGATE']]], 'WorkingSetMutex' : [ 0x40, ['_EX_PUSH_LOCK']], 'AccessLog' : [ 0x44, ['pointer', ['void']]], } ], '__unnamed_1424' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1426' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 
'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_1429' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_142b' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ByteFlags' : [ 0x2, ['unsigned char']], 'InterlockedByteFlags' : [ 0x3, ['unsigned char']], } ], '__unnamed_142d' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1429']], 'e3' : [ 0x0, ['__unnamed_142b']], } ], '__unnamed_1432' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1424']], 'u2' : [ 0x4, ['__unnamed_1426']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'u3' : [ 0xc, ['__unnamed_142d']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_1432']], } ], '__unnamed_143c' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_143c']], } ], '_MMWSL' : [ 0x6b8, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', 
['_MMWSLE']]], 'LowestPagableAddress' : [ 0x14, ['pointer', ['void']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NextEstimationSlot' : [ 0x1c, ['unsigned long']], 'NextAgingSlot' : [ 0x20, ['unsigned long']], 'EstimatedAvailable' : [ 0x24, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x28, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x2c, ['unsigned long']], 'VadBitMapHint' : [ 0x30, ['unsigned long']], 'NonDirectCount' : [ 0x34, ['unsigned long']], 'LastVadBit' : [ 0x38, ['unsigned long']], 'MaximumLastVadBit' : [ 0x3c, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x40, ['unsigned long']], 'LastAllocationSize' : [ 0x44, ['unsigned long']], 'NonDirectHash' : [ 0x48, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x4c, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x50, ['pointer', ['_MMWSLE_HASH']]], 'HighestUserAddress' : [ 0x54, ['pointer', ['void']]], 'UsedPageTableEntries' : [ 0x58, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x658, ['array', 24, ['unsigned long']]], } ], '__unnamed_1454' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1456' : [ 0x4, { 'ModifiedWriteCount' : [ 0x0, ['unsigned short']], 'FlushInProgressCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_1458' : [ 0x4, { 'e2' : [ 0x0, ['__unnamed_1456']], } ], '__unnamed_1462' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 
'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1464' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_1462']], } ], '_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_1454']], 'u1' : [ 0x20, ['__unnamed_1458']], 'FilePointer' : [ 0x24, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x28, ['long']], 'StartingFrame' : [ 0x2c, ['unsigned long']], 'WaitingForDeletion' : [ 0x30, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x34, ['__unnamed_1464']], 'LockedPages' : [ 0x40, ['long long']], } ], '_MMPAGING_FILE' : [ 0x50, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'File' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x1c, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x24, ['_UNICODE_STRING']], 'Bitmap' : [ 0x2c, ['pointer', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x30, ['unsigned long']], 'LastAllocationSize' : [ 0x34, ['unsigned long']], 'PageFileNumber' : [ 0x38, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x38, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x38, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x3a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x3a, ['BitField', dict(start_bit = 1, end_bit = 16, 
native_type='unsigned short')]], 'FileHandle' : [ 0x3c, ['pointer', ['void']]], 'AvailableList' : [ 0x40, ['_SLIST_HEADER']], 'NeedProcessingList' : [ 0x48, ['_SLIST_HEADER']], } ], '_MMPAGING_FILE_FREE_ENTRY' : [ 0x8, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'FreeBit' : [ 0x4, ['unsigned long']], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '__unnamed_149d' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_14a0' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_14a3' : [ 0x4, { 'LongFlags3' : [ 0x0, ['unsigned long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x20, { 'u1' : [ 0x0, ['__unnamed_149d']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a0']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a3']], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '__unnamed_14ac' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_149d']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 
'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a0']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a3']], 'u2' : [ 0x20, ['__unnamed_14ac']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x24, ['pointer', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], } ], '__unnamed_14bc' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_14bc']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '__unnamed_14c1' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_14c1']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], '__unnamed_14c7' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], 'NextToFree' : [ 0x0, ['pointer', ['_MI_PER_SESSION_PROTOS']]], } ], '__unnamed_14c9' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x1c, { 'u1' : [ 0x0, ['__unnamed_14c7']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, 
['pointer', ['_MMADDRESS_NODE']]], 'SessionId' : [ 0xc, ['unsigned long']], 'StartingVpn' : [ 0xc, ['unsigned long']], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'EndingVpn' : [ 0x10, ['unsigned long']], 'SubsectionBase' : [ 0x14, ['pointer', ['_MMPTE']]], 'u2' : [ 0x18, ['__unnamed_14c9']], } ], '__unnamed_14d2' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_14d4' : [ 0x4, { 'KeepForever' : [ 0x0, ['unsigned long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_14d2']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['__unnamed_14d4']], 'PagingFile' : [ 0x18, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x20, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x24, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x28, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x30, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x38, ['pointer', ['_MDL']]], 'Mdl' : [ 0x3c, ['_MDL']], 'Page' : [ 0x58, ['array', 1, ['unsigned long']]], } ], '__unnamed_14dd' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x40, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x14, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x18, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x1c, ['unsigned long']], 'MdlHack' : [ 0x20, ['__unnamed_14dd']], } ], '_HHIVE' : [ 0x2e8, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, 
['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'BaseBlockAlloc' : [ 0x38, ['unsigned long']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 'ReadOnly' : [ 0x41, ['unsigned char']], 'DirtyFlag' : [ 0x42, ['unsigned char']], 'HvBinHeadersUse' : [ 0x44, ['unsigned long']], 'HvFreeCellsUse' : [ 0x48, ['unsigned long']], 'HvUsedCellsUse' : [ 0x4c, ['unsigned long']], 'CmUsedCellsUse' : [ 0x50, ['unsigned long']], 'HiveFlags' : [ 0x54, ['unsigned long']], 'CurrentLog' : [ 0x58, ['unsigned long']], 'LogSize' : [ 0x5c, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x64, ['unsigned long']], 'StorageTypeCount' : [ 0x68, ['unsigned long']], 'Version' : [ 0x6c, ['unsigned long']], 'Storage' : [ 0x70, ['array', 2, ['_DUAL']]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_CM_VIEW_OF_FILE' : [ 0x30, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'CmHive' : [ 0x18, ['pointer', ['_CMHIVE']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'ViewAddress' : [ 0x20, ['pointer', ['void']]], 'FileOffset' : [ 0x24, ['unsigned long']], 'Size' : [ 0x28, ['unsigned long']], 'UseCount' : [ 0x2c, ['unsigned long']], } ], '_TEB' : [ 0xff8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 
'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 
'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'EtwLocalData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'SpareBool0' : [ 0xf74, ['unsigned char']], 'SpareBool1' : [ 0xf75, ['unsigned char']], 'SpareBool2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'DbgSafeThunkCall' : [ 
0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'ProcessRundown' : [ 0xfdc, ['unsigned long']], 'LastSwitchTime' : [ 0xfe0, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']], 'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, 
['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'SpareByte' : [ 0x17, ['unsigned char']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x10, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x8, ['_ULARGE_INTEGER']], } ], '__unnamed_15af' : [ 0x8, { 'IdleTransitionTime' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15b1' : [ 0x8, { 'LastIdleCheck' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15b8' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_PROCESSOR_POWER_STATE' : [ 0xc8, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'LastTimeCheck' : [ 0x8, ['unsigned long long']], 'IdleTimeAccumulated' : [ 0x10, ['unsigned long long']], 'Native' : [ 0x18, ['__unnamed_15af']], 'Hv' : [ 0x18, ['__unnamed_15b1']], 'IdleAccounting' : [ 0x20, ['pointer', ['PPM_IDLE_ACCOUNTING']]], 'PerfStates' : [ 0x24, ['pointer', ['_PPM_PERF_STATES']]], 'LastKernelUserTime' : [ 0x28, ['unsigned long']], 'LastIdleThreadKTime' : [ 0x2c, ['unsigned long']], 
'LastGlobalTimeHv' : [ 0x30, ['unsigned long long']], 'LastProcessorTimeHv' : [ 0x38, ['unsigned long long']], 'ThermalConstraint' : [ 0x40, ['unsigned char']], 'LastBusyPercentage' : [ 0x41, ['unsigned char']], 'Flags' : [ 0x42, ['__unnamed_15b8']], 'PerfTimer' : [ 0x48, ['_KTIMER']], 'PerfDpc' : [ 0x70, ['_KDPC']], 'LastSysTime' : [ 0x90, ['unsigned long']], 'PStateMaster' : [ 0x94, ['pointer', ['_KPRCB']]], 'PStateSet' : [ 0x98, ['unsigned long']], 'CurrentPState' : [ 0x9c, ['unsigned long']], 'DesiredPState' : [ 0xa0, ['unsigned long']], 'PStateIdleStartTime' : [ 0xa4, ['unsigned long']], 'PStateIdleTime' : [ 0xa8, ['unsigned long']], 'LastPStateIdleTime' : [ 0xac, ['unsigned long']], 'PStateStartTime' : [ 0xb0, ['unsigned long']], 'DiaIndex' : [ 0xb4, ['unsigned long']], 'Reserved0' : [ 0xb8, ['unsigned long']], 'WmiDispatchPtr' : [ 0xbc, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xc0, ['long']], } ], '__unnamed_15bf' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_15bf']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], '_KERNEL_STACK_CONTROL' : [ 0x1c, { 'PreviousTrapFrame' : [ 0x0, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0x0, ['pointer', ['void']]], 'StackControlFlags' : [ 0x4, ['unsigned long']], 'PreviousLargeStack' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousSegmentsPresent' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExpandCalloutStack' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Previous' : [ 0x8, ['_KERNEL_STACK_SEGMENT']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'SpinLock' : [ 0x0, ['unsigned long']], 'DispatchedCount' : [ 0x4, ['unsigned long']], 'DispatchedList' : [ 0x8, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x10, 
['_KSEMAPHORE']], 'CompletedList' : [ 0x24, ['_LIST_ENTRY']], } ], '__unnamed_15e8' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_15e8']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '__unnamed_15fa' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_15fc' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1600' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], 
'_DEVICE_NODE' : [ 0x158, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x38, ['_PO_IRP_MANAGER']], 'State' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x50, ['array', -80, ['Enumeration', 
dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xa0, ['unsigned long']], 'CompletionStatus' : [ 0xa4, ['long']], 'PendingIrp' : [ 0xa8, ['pointer', ['_IRP']]], 'Flags' : [ 0xac, ['unsigned long']], 'UserFlags' : [ 0xb0, ['unsigned long']], 'Problem' : [ 0xb4, ['unsigned long']], 'PhysicalDeviceObject' : [ 0xb8, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0xbc, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xc0, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0xc4, ['_UNICODE_STRING']], 'ServiceName' : [ 0xcc, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xd4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xd8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xdc, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xe0, ['unsigned long']], 'ChildInterfaceType' : [ 0xe4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 
'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xe8, ['unsigned long']], 'ChildBusTypeIndex' : [ 0xec, ['unsigned short']], 'RemovalPolicy' : [ 0xee, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xef, ['unsigned char']], 'TargetDeviceNotify' : [ 0xf0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xf8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x100, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x108, ['unsigned short']], 'QueryTranslatorMask' : [ 0x10a, ['unsigned short']], 'NoArbiterMask' : [ 0x10c, ['unsigned short']], 'QueryArbiterMask' : [ 0x10e, ['unsigned short']], 'OverUsed1' : [ 0x110, ['__unnamed_15fa']], 'OverUsed2' : [ 0x114, ['__unnamed_15fc']], 'BootResources' : [ 0x118, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x120, ['unsigned long']], 'DockInfo' : [ 0x124, ['__unnamed_1600']], 'DisableableDepends' : [ 0x134, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x138, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x140, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x148, ['unsigned long']], 'PreviousParent' : [ 0x14c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x150, ['unsigned long']], 'NumaNodeIndex' : [ 0x154, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 
'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned 
long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long 
long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 
0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_16a5' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16a5']], } ], '__unnamed_16ac' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, 
['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16ac']], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x18, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x140, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x48, ['pointer', 
['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x130, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x134, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x138, ['unsigned long']], 'MappedWritesInProgress' : [ 0x13c, ['unsigned long']], } ], '__unnamed_16f4' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_16f4']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], 'ArrayHead' : [ 
0x18, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1702' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1704' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1706' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1708' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_170a' : [ 0x4, { 'Read' : [ 0x0, ['__unnamed_1702']], 'Write' : [ 0x0, ['__unnamed_1704']], 'Event' : [ 0x0, ['__unnamed_1706']], 'Notification' : [ 0x0, ['__unnamed_1708']], } ], '_WORK_QUEUE_ENTRY' : [ 0x18, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x8, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_170a']], 'Function' : [ 0x14, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x130, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, 
['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x58, ['unsigned long']], 'Interceptor' : [ 0x5c, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x60, ['unsigned long']], 'Signature' : [ 0x64, ['unsigned long']], 'SegmentReserve' : [ 0x68, ['unsigned long']], 'SegmentCommit' : [ 0x6c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x70, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x74, ['unsigned long']], 'TotalFreeSize' : [ 0x78, ['unsigned long']], 'MaximumAllocationSize' : [ 0x7c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x80, ['unsigned short']], 'HeaderValidateLength' : [ 0x82, ['unsigned short']], 'HeaderValidateCopy' : [ 0x84, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x88, ['unsigned short']], 'MaximumTagIndex' : [ 0x8a, ['unsigned short']], 'TagEntries' : [ 0x8c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x90, ['_LIST_ENTRY']], 'AlignRound' : [ 0x98, ['unsigned long']], 'AlignMask' : [ 0x9c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0xa0, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa8, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xb0, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb4, ['unsigned long']], 'BlocksIndex' : [ 0xb8, ['pointer', ['void']]], 'UCRIndex' : [ 0xbc, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xc0, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc4, ['_LIST_ENTRY']], 'LockVariable' : [ 0xcc, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xd0, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'Counters' : [ 0xdc, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 
0x124, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 
'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x68, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], 'ForwarderLinks' : [ 0x50, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0x58, ['_LIST_ENTRY']], 'StaticLinks' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'LocalInfo' : [ 0x0, ['pointer', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'Flags' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 
0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x280, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer', ['void']]], 'LoggerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x10, ['long']], 'LoggerId' : [ 0x14, ['unsigned long']], 'NBQHead' : [ 0x18, ['pointer', ['void']]], 'OverflowNBQHead' : [ 0x1c, ['pointer', ['void']]], 'QueueBlockFreeList' : [ 0x20, ['_SLIST_HEADER']], 'GlobalList' : [ 0x28, ['_SLIST_HEADER']], 'BatchedBufferList' : [ 0x30, ['pointer', ['_WMI_BUFFER_HEADER']]], 'LoggerName' : [ 0x34, ['_UNICODE_STRING']], 'LogFileName' : [ 0x3c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x44, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x4c, ['_UNICODE_STRING']], 'ClockType' : [ 0x54, ['unsigned long']], 'CollectionOn' : [ 0x58, ['long']], 'MaximumFileSize' : [ 0x5c, ['unsigned long']], 'LoggerMode' : [ 0x60, ['unsigned long']], 'LastFlushedBuffer' : [ 0x64, ['unsigned long']], 'FlushTimer' : [ 0x68, ['unsigned long']], 'FlushThreshold' : [ 0x6c, ['unsigned long']], 'ByteOffset' : [ 0x70, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0x78, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x80, ['unsigned long']], 'BuffersAvailable' : [ 0x84, ['long']], 'NumberOfBuffers' : [ 0x88, ['long']], 'MaximumBuffers' 
: [ 0x8c, ['unsigned long']], 'EventsLost' : [ 0x90, ['unsigned long']], 'BuffersWritten' : [ 0x94, ['unsigned long']], 'LogBuffersLost' : [ 0x98, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x9c, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xa0, ['unsigned long']], 'BufferSize' : [ 0xa4, ['unsigned long']], 'MaximumEventSize' : [ 0xa8, ['unsigned long']], 'SequencePtr' : [ 0xac, ['pointer', ['long']]], 'LocalSequence' : [ 0xb0, ['unsigned long']], 'InstanceGuid' : [ 0xb4, ['_GUID']], 'GetCpuClock' : [ 0xc4, ['pointer', ['void']]], 'FileCounter' : [ 0xc8, ['long']], 'BufferCallback' : [ 0xcc, ['pointer', ['void']]], 'PoolType' : [ 0xd0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xd8, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0xe8, ['unsigned char']], 'Consumers' : [ 0xec, ['_LIST_ENTRY']], 'NumConsumers' : [ 0xf4, ['unsigned long']], 'Connecting' : [ 0xf8, ['_LIST_ENTRY']], 'NewConsumer' : [ 0x100, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0x104, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x108, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x110, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x120, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x128, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x130, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x138, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x140, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x150, ['unsigned long']], 
'RealtimeDisconnectConsumerId' : [ 0x154, ['unsigned long']], 'NewRTEventsLost' : [ 0x158, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x15c, ['_KEVENT']], 'FlushEvent' : [ 0x16c, ['_KEVENT']], 'FlushDpc' : [ 0x17c, ['_KDPC']], 'LoggerMutex' : [ 0x19c, ['_KMUTANT']], 'LoggerLock' : [ 0x1bc, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1c0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x1fc, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x200, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x248, ['long long']], 'AcceptNewEvents' : [ 0x250, ['long']], 'Flags' : [ 0x254, ['unsigned long']], 'Persistent' : [ 0x254, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x254, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x254, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x254, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x254, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x254, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x254, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x258, ['unsigned long']], 'RequestNewFie' : [ 0x258, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x258, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x258, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x258, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x258, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 0x25c, ['unsigned short']], 'StackTraceFilter' : [ 0x25e, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'Padding2' : [ 0x38, ['pointer', ['void']]], 'GlobalEntry' : [ 0x3c, ['_SINGLE_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 
0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x158, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 
0x18, ['unsigned long long']], } ], '__unnamed_17f5' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_17f7' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_17f5']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_17f9' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_17fb' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_17f9']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_17f7']], 'u2' : [ 0x4, ['__unnamed_17fb']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_BLOB_TYPE' : [ 0x24, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], 'LookasideIndex' : [ 0x20, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1812' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned char')]], } ], '__unnamed_1814' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1812']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1814']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Pad' : [ 0x14, ['unsigned long']], } ], '__unnamed_181c' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_181e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_181c']], } ], '_KALPC_SECTION' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_181e']], 'SectionObject' : [ 0x4, ['pointer', ['void']]], 'Size' : [ 0x8, ['unsigned long']], 'HandleTable' : [ 0xc, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x10, ['pointer', ['void']]], 'OwnerProcess' : [ 0x14, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer', ['_ALPC_PORT']]], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_182b' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_182d' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_182b']], } ], '_KALPC_REGION' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_182d']], 'RegionListEntry' : [ 0x4, ['_LIST_ENTRY']], 'Section' : [ 0xc, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], 'ViewSize' : [ 0x18, ['unsigned long']], 'ReadOnlyView' : [ 0x1c, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x20, ['pointer', ['_KALPC_VIEW']]], 'NumberOfViews' : [ 0x24, ['unsigned long']], 'ViewListHead' : [ 0x28, ['_LIST_ENTRY']], } ], '__unnamed_1833' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1835' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1833']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1835']], 'Region' : [ 0xc, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x14, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x18, ['pointer', ['void']]], 'Size' : [ 0x1c, ['unsigned long']], 'SecureViewHandle' : [ 0x20, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x24, ['pointer', ['void']]], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x24, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_184d' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, 
['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_184f' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_184d']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0xf4, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'SequenceNo' : [ 0x10, ['unsigned long']], 'CompletionPort' : [ 0x14, ['pointer', ['void']]], 'CompletionKey' : [ 0x18, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x1c, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x20, ['pointer', ['void']]], 'StaticSecurity' : [ 0x24, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x60, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x68, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x70, ['_LIST_ENTRY']], 'WaitQueue' : [ 0x78, ['_LIST_ENTRY']], 'Semaphore' : [ 0x80, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x80, ['pointer', ['_KEVENT']]], 'Lock' : [ 0x84, ['_EX_PUSH_LOCK']], 'PortAttributes' : [ 0x88, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0xb4, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xb8, ['_LIST_ENTRY']], 'CompletionList' : [ 0xc0, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : 
[ 0xc4, ['pointer', ['_ALPC_MESSAGE_ZONE']]], 'CanceledQueue' : [ 0xc8, ['_LIST_ENTRY']], 'u1' : [ 0xd0, ['__unnamed_184f']], 'TargetQueuePort' : [ 0xd4, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xd8, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0xdc, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xe0, ['unsigned long']], 'PendingQueueLength' : [ 0xe4, ['unsigned long']], 'LargeMessageQueueLength' : [ 0xe8, ['unsigned long']], 'CanceledQueueLength' : [ 0xec, ['unsigned long']], 'WaitQueueLength' : [ 0xf0, ['unsigned long']], } ], '__unnamed_1866' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], } ], '__unnamed_1868' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1866']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x90, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x8, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0xc, ['unsigned long']], 'QuotaProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x10, ['pointer', ['void']]], 
'SequenceNo' : [ 0x14, ['long']], 'u1' : [ 0x18, ['__unnamed_1868']], 'CancelSequencePort' : [ 0x1c, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x24, ['long']], 'CancelListEntry' : [ 0x28, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x30, ['pointer', ['_ETHREAD']]], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x38, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x3c, ['pointer', ['_ALPC_PORT']]], 'UniqueTableEntry' : [ 0x40, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'MessageAttributes' : [ 0x44, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x60, ['pointer', ['void']]], 'DataSystemVa' : [ 0x64, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x68, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x6c, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x70, ['pointer', ['_ETHREAD']]], 'PortMessage' : [ 0x78, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_HANDLE_DATA' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_18a6' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_18a8' : [ 0x4, { 's1' : [ 0x0, 
['__unnamed_18a6']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_18a8']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'Flags' : [ 0xc, ['unsigned long']], 'TargetThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x1e8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 
'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x98, ['pointer', ['void']]], 'DynamicPart' : [ 0x9c, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa0, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa4, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xac, ['unsigned long']], 'TokenInUse' : [ 0xb0, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb4, ['unsigned long']], 'MandatoryPolicy' : [ 0xb8, ['unsigned long']], 'ProxyData' : [ 0xbc, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xc0, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xc4, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc8, ['_LUID']], 'SidHash' : [ 0xd0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x158, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x1e0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x34, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], } ], 
'_OBP_LOOKUP_CONTEXT' : [ 0x14, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], 'HashIndex' : [ 0xc, ['unsigned short']], 'DirectoryLocked' : [ 0xe, ['unsigned char']], 'LockStateSignature' : [ 0x10, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x140, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'Mutex' : [ 0x78, ['_ERESOURCE']], 'TypeLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'Key' : [ 0xb4, ['unsigned long']], 'ObjectLocks' : [ 0xb8, ['array', 32, ['_EX_PUSH_LOCK']]], 'CallbackList' : [ 0x138, ['_LIST_ENTRY']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_MMVAD_FLAGS3' : [ 0x4, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, 
native_type='unsigned long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned 
long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 
0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Abandoned' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x48, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, 
['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'CompactHeapCalls' : [ 0x38, ['unsigned long']], 'CompactedUCRs' : [ 0x3c, ['unsigned long']], 'InBlockDeccommits' : [ 0x40, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x44, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x18, { 'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']], 'VirtualAddress' : [ 0x8, ['pointer', ['void']]], 'FileObject' : [ 0xc, ['pointer', ['void']]], 'ThreadId' : [ 0x10, ['unsigned long']], 'ByteCount' : [ 0x14, ['unsigned long']], } ], '_I386_LOADER_BLOCK' : [ 0xc, { 'CommonDataArea' : [ 0x0, ['pointer', ['void']]], 'MachineType' : [ 0x4, ['unsigned long']], 'VirtualBias' : [ 0x8, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x8, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned 
long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_DEVPROPKEY' : [ 0x14, { 'fmtid' : [ 0x0, ['_GUID']], 'pid' : [ 0x10, ['unsigned long']], } ], '_WHEA_NMI_ERROR' : [ 0xc, { 'Data' : [ 0x0, ['array', 8, ['unsigned char']]], 'Flags' : [ 0x8, ['_WHEA_NMI_ERROR_FLAGS']], } ], '_HANDLE_TABLE' : [ 0x38, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x18, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x1c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'StrictFIFO' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x28, ['long']], 'LastFreeHandleEntry' : [ 0x2c, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x30, ['long']], 'NextHandleNeedingPool' : [ 0x34, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, 
end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_CANCEL_GLOBALS' : [ 0x6c, { 'CancelLock' : [ 0x0, ['unsigned long']], 'IssueLock' : [ 0x4, ['unsigned long']], 'Counters' : [ 0x8, ['array', 25, ['long']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit 
= 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CpuValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x50, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1995' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1997' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 
'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1995']], 'Private' : [ 0x0, ['__unnamed_1997']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, 
['_OBJECT_REF_STACK_INFO']]], } ], '_CMHIVE' : [ 0x5e0, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2e8, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x300, ['_LIST_ENTRY']], 'HiveList' : [ 0x308, ['_LIST_ENTRY']], 'HiveLock' : [ 0x310, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x314, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x318, ['pointer', ['_KTHREAD']]], 'ViewLockLast' : [ 0x31c, ['unsigned long']], 'ViewUnLockLast' : [ 0x320, ['unsigned long']], 'WriterLock' : [ 0x324, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x328, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x32c, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x330, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x338, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x340, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x348, ['unsigned short']], 'PinnedViewCount' : [ 0x34a, ['unsigned short']], 'UseCount' : [ 0x34c, ['unsigned long']], 'ViewsPerHive' : [ 0x350, ['unsigned long']], 'FileObject' : [ 0x354, ['pointer', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x358, ['unsigned long']], 'ActualFileSize' : [ 0x360, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x368, ['_UNICODE_STRING']], 'FileUserName' : [ 0x370, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x378, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x380, ['unsigned long']], 'SecurityCacheSize' : [ 0x384, ['unsigned long']], 'SecurityHitHint' : [ 0x388, ['long']], 'SecurityCache' : [ 0x38c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x390, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x590, ['unsigned long']], 'UnloadEventArray' : [ 0x594, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x598, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x59c, ['unsigned char']], 'UnloadWorkItem' : [ 0x5a0, ['pointer', ['_CM_WORKITEM']]], 'GrowOnlyMode' : [ 0x5a4, ['unsigned char']], 'GrowOffset' : [ 0x5a8, ['unsigned long']], 'KcbConvertListHead' : [ 0x5ac, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x5b4, ['_LIST_ENTRY']], 
'CellRemapArray' : [ 0x5bc, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x5c0, ['unsigned long']], 'TrustClassEntry' : [ 0x5c4, ['_LIST_ENTRY']], 'FlushCount' : [ 0x5cc, ['unsigned long']], 'CmRm' : [ 0x5d0, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x5d4, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x5d8, ['long']], 'CreatorOwner' : [ 0x5dc, ['pointer', ['_KTHREAD']]], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], 'ReferenceCount' : [ 0x8, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_19c6' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_19cc' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x3c, { 'u1' : [ 0x0, ['__unnamed_149d']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a0']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a3']], 'u2' : [ 0x20, ['__unnamed_14ac']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', 
['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'u3' : [ 0x30, ['__unnamed_19c6']], 'u4' : [ 0x38, ['__unnamed_19cc']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_EJOB' : [ 0x128, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'AccessState' : [ 0xb0, ['pointer', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0xb4, 
['unsigned long']], 'EndOfJobTimeAction' : [ 0xb8, ['unsigned long']], 'CompletionPort' : [ 0xbc, ['pointer', ['void']]], 'CompletionKey' : [ 0xc0, ['pointer', ['void']]], 'SessionId' : [ 0xc4, ['unsigned long']], 'SchedulingClass' : [ 0xc8, ['unsigned long']], 'ReadOperationCount' : [ 0xd0, ['unsigned long long']], 'WriteOperationCount' : [ 0xd8, ['unsigned long long']], 'OtherOperationCount' : [ 0xe0, ['unsigned long long']], 'ReadTransferCount' : [ 0xe8, ['unsigned long long']], 'WriteTransferCount' : [ 0xf0, ['unsigned long long']], 'OtherTransferCount' : [ 0xf8, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x100, ['unsigned long']], 'JobMemoryLimit' : [ 0x104, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x108, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x10c, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x110, ['unsigned long']], 'MemoryLimitsLock' : [ 0x114, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x118, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x120, ['unsigned long']], 'JobFlags' : [ 0x124, ['unsigned long']], } ], '__unnamed_19dc' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hypervisor' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0x3c, { 'Type' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['__unnamed_19dc']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['array', 1, ['_PPM_IDLE_STATE']]], } ], 
'_PEB' : [ 0x238, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 
'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'SparePebPtr0' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'HotpatchInformation' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned 
long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], } ], '__unnamed_19f4' : [ 0x10, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x14, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, ['__unnamed_19f4']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '__unnamed_19fb' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 
'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1a01' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1a03' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_19fb']], 'Bits' : [ 0x0, ['__unnamed_1a01']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1a03']], } ], '_POOL_DESCRIPTOR' : [ 0x1034, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['long']], 'RunningDeAllocs' : [ 
0xc, ['long']], 'TotalPages' : [ 0x10, ['long']], 'TotalBigPages' : [ 0x14, ['long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['pointer', ['void']]]], 'ThreadsProcessingDeferrals' : [ 0x24, ['long']], 'PendingFreeDepth' : [ 0x28, ['long']], 'TotalBytes' : [ 0x2c, ['unsigned long']], 'Spare0' : [ 0x30, ['unsigned long']], 'ListHeads' : [ 0x34, ['array', 512, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, 
native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x270, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned char']], 'ShareVector' : [ 0x35, ['unsigned char']], 'Mode' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x40, ['unsigned long']], 'DispatchCount' : [ 0x44, ['unsigned long']], 'Rsvd1' : [ 0x48, ['unsigned long long']], 'DispatchCode' : [ 0x50, ['array', 135, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned 
char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x20, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmHive2' : [ 0x18, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x1c, ['unsigned char']], 'ThreadStarted' : [ 0x1d, ['unsigned char']], 'Allocate' : [ 0x1e, ['unsigned char']], 'WinPERequired' : [ 0x1f, ['unsigned char']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned 
long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'Handles' : [ 0x4, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'StackTrace' : [ 0x4, ['array', 63, ['pointer', ['void']]]], } ], 
'_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x54, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'UserVa' : [ 0x10, ['pointer', ['void']]], 'UserLimit' : [ 0x14, ['pointer', ['void']]], 'DataUserVa' : [ 0x18, ['pointer', ['void']]], 'SystemVa' : [ 0x1c, ['pointer', ['void']]], 'TotalSize' : [ 0x20, ['unsigned long']], 'Header' : [ 0x24, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x28, ['pointer', ['void']]], 'ListSize' : [ 0x2c, ['unsigned long']], 'Bitmap' : [ 0x30, ['pointer', ['void']]], 'BitmapSize' : [ 0x34, ['unsigned long']], 'Data' : [ 0x38, ['pointer', ['void']]], 'DataSize' : [ 0x3c, ['unsigned long']], 'BitmapLimit' : [ 0x40, ['unsigned long']], 'BitmapNextHint' : [ 0x44, ['unsigned long']], 'ConcurrencyCount' : [ 0x48, ['unsigned long']], 'AttributeFlags' : [ 0x4c, ['unsigned long']], 'AttributeSize' : [ 0x50, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x58, { 'WorkQueue' : [ 0x0, ['_LIST_ENTRY']], 'ScanDpc' : [ 0x8, ['_KDPC']], 'ScanTimer' : [ 0x28, ['_KTIMER']], 'ScanActive' : [ 0x50, ['unsigned char']], 'OtherWork' : [ 0x51, ['unsigned char']], 'PendingTeardown' : [ 0x52, ['unsigned char']], } ], 
'_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, 
['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_PCIXDEVICE_ERROR' : [ 0x68, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, 
['_WHEA_PCIXDEVICE_ID']], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, ['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 4, ['WHEA_PCIXDEVICE_REGISTER_PAIR']]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '__unnamed_1a82' : [ 0x18, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x18, { 'Lock' : [ 0x0, ['__unnamed_1a82']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, 
['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned char']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0xc, { 'AnsiCodePageData' : [ 0x0, ['pointer', ['void']]], 'OemCodePageData' : [ 0x4, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x8, ['pointer', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x90, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 
'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x38, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x48, ['pointer', ['void']]], 'KcbLastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x58, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x5a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x5c, ['unsigned long']], 'KcbUserFlags' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x60, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x60, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x60, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x64, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0x6c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x70, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x78, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x80, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x88, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x8c, ['pointer', ['_UNICODE_STRING']]], } ], 
'_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, 
['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0x8, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 
'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned 
long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 
'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x24, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, 
['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 0, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 
'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x28, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'LastSubsectionHint' : [ 0x20, ['pointer', ['_MSUBSECTION']]], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_WHEA_PCIXBUS_ERROR' : [ 0x48, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXBUS_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['_WHEA_PCIXBUS_ID']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['_WHEA_PCIXBUS_COMMAND']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'CompleterId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], 
'_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x4, ['_KGATE']], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_WHEA_PCIXBUS_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'BusId' : [ 0x0, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'BusAddress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusData' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BusCommand' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterId' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1b68' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1b68']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x5ec, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 
'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], 'PdoDescriptionString' : [ 0xa8, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x348, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x5e8, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned 
char']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_WHEA_MEMORY_ERROR' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 
'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_KGUARDED_MUTEX' : [ 
0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bd4' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1bda' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 'IrqPolicyAllProcessorsInMachine', 4: 'IrqPolicySpecifiedProcessors', 5: 'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1bdc' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1bde' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1be0' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1be2' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1be4' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } 
], '__unnamed_1be6' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1be8' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1bea' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1bd4']], 'Memory' : [ 0x0, ['__unnamed_1bd4']], 'Interrupt' : [ 0x0, ['__unnamed_1bda']], 'Dma' : [ 0x0, ['__unnamed_1bdc']], 'Generic' : [ 0x0, ['__unnamed_1bd4']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bde']], 'BusNumber' : [ 0x0, ['__unnamed_1be0']], 'ConfigData' : [ 0x0, ['__unnamed_1be2']], 'Memory40' : [ 0x0, ['__unnamed_1be4']], 'Memory48' : [ 0x0, ['__unnamed_1be6']], 'Memory64' : [ 0x0, ['__unnamed_1be8']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1bea']], } ], '_POP_THERMAL_ZONE' : [ 0xd8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x80, ['pointer', ['_IRP']]], 'Info' : [ 0x84, ['_THERMAL_INFORMATION_EX']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 
1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_WHEA_PCIXBUS_COMMAND' : [ 0x8, { 'Command' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 56, native_type='unsigned long long')]], 'PCIXCommand' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, 
['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 8, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 
0x8, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '_MMPTE_TIMESTAMP' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, 
native_type='unsigned long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '__unnamed_1c2f' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1c2f']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], 
'_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x50, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 
0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], 
'_KERNEL_STACK_SEGMENT' : [ 0x14, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], 'ActualLimit' : [ 0x10, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_PCIXDEVICE_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfo' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumber' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'RegisterDataPairs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long 
long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], 'WHEA_PCIXDEVICE_REGISTER_PAIR' : [ 0x10, { 'Register' : [ 0x0, ['unsigned long long']], 'Data' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned 
short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 
'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', 
['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_PCIXBUS_ID' : [ 0x2, { 'BusNumber' : [ 0x0, ['unsigned char']], 'BusSegment' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x1c, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'ObjectType' : [ 0xc, ['pointer', ['_OBJECT_TYPE']]], 'TargetAccess' : [ 0x10, ['unsigned long']], 'ObjectInfo' : [ 0x14, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x18, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x10, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x4, ['pointer', 
['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x8, ['long']], 'MissedMappingsCount' : [ 0xc, ['unsigned long']], } ], '__unnamed_1cc2' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc4' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc6' : [ 0xc, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc8' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_1cc6']], 'Translated' : [ 0x0, ['__unnamed_1cc4']], } ], '__unnamed_1cca' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ccc' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cce' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd0' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd2' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd4' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd6' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1cc2']], 'Port' : [ 0x0, ['__unnamed_1cc2']], 'Interrupt' : [ 0x0, ['__unnamed_1cc4']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1cc8']], 'Memory' : [ 0x0, ['__unnamed_1cc2']], 'Dma' : [ 0x0, ['__unnamed_1cca']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bde']], 'BusNumber' : [ 0x0, ['__unnamed_1ccc']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1cce']], 'Memory40' : [ 0x0, ['__unnamed_1cd0']], 'Memory48' : [ 0x0, ['__unnamed_1cd2']], 'Memory64' : [ 
0x0, ['__unnamed_1cd4']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1cd6']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '__unnamed_1cdd' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1cdd']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 
'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 
'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 0x3a8, ['unsigned long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1cf1' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1cf1']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x34, { 'Parent' : [ 0x0, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x4, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x8, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0xc, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x30, ['pointer', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1cfb' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x18, { 'u' : [ 0x0, ['__unnamed_14c1']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['__unnamed_1cfb']], 'LeftChild' : [ 
0x10, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x14, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '__unnamed_1d01' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1d03' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1d01']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x60, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'TotalBusyCount' : [ 0x8, ['unsigned long']], 'ConservationIdleTime' : [ 0xc, ['unsigned long']], 'PerformanceIdleTime' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x18, ['_LIST_ENTRY']], 'DeviceType' : [ 0x20, ['unsigned char']], 'IdleState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x2c, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x34, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x3c, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x50, ['_LIST_ENTRY']], 'Specific' : [ 0x58, ['__unnamed_1d03']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long 
long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 
'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 
20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 
0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : [ 0x10, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x1c, { 'InterceptorFunction' : [ 0x0, ['pointer', ['void']]], 'InterceptorValue' : [ 0x4, ['unsigned short']], 'ExtendedOptions' : [ 0x8, ['unsigned long']], 'StackTraceDepth' : [ 0xc, ['unsigned long']], 'MinTotalBlockSize' : [ 0x10, ['unsigned long']], 'MaxTotalBlockSize' : [ 0x14, ['unsigned long']], 'HeapLeakEnumerationRoutine' : [ 0x18, ['pointer', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 
'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidBits' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR_VALIDBITS']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaPciExpressEndpoint', 1: 'WheaPciExpressLegacyEndpoint', 4: 'WheaPciExpressRootPort', 5: 'WheaPciExpressUpstreamSwitchPort', 6: 'WheaPciExpressDownstreamSwitchPort', 7: 'WheaPciExpressToPciXBridge', 8: 'WheaPciXToExpressBridge', 9: 'WheaPciExpressRootComplexIntegratedEndpoint', 10: 'WheaPciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['_WHEA_PCIEXPRESS_VERSION']], 'CommandStatus' : [ 0x10, ['_WHEA_PCIEXPRESS_COMMAND_STATUS']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_WHEA_PCIEXPRESS_DEVICE_ID']], 'DeviceSerialNumber' : [ 0x28, ['unsigned long long']], 'BridgeControlStatus' : [ 0x30, ['_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned 
long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'Reserved' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_1d78' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 
'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x78, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_1d78']], 'TargetProcessors' : [ 0x30, ['unsigned long']], 'PStateHandler' : [ 0x34, ['pointer', ['void']]], 'PStateContext' : [ 0x38, ['unsigned long']], 'TStateHandler' : [ 0x3c, ['pointer', ['void']]], 'TStateContext' : [ 0x40, ['unsigned long']], 'FeedbackHandler' : [ 0x44, ['pointer', ['void']]], 'DiaStats' : [ 0x48, ['pointer', ['_PPM_DIA_STATS']]], 'DiaStatsCount' : [ 0x4c, ['unsigned long']], 'State' : [ 0x50, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', 
['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 
'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_WHEA_NMI_ERROR_FLAGS' : [ 0x4, { 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 
'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xa0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 
'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x38, ['pointer', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x3c, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'FilteredCapabilities' : [ 0x50, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x24, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0xc, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x14, ['pointer', ['unsigned short']]], 'DriverName' : [ 
0x18, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x1c, ['unsigned long']], 'ActiveChild' : [ 0x20, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1dcb' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1dcd' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_1dcb']], 'Button' : [ 0xc, ['__unnamed_1dcd']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 
'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' 
: [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0x84, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x1c, ['pointer', ['void']]], 'EmInfFileSize' : [ 0x20, ['unsigned long']], 'TriageDumpBlock' : [ 0x24, ['pointer', ['void']]], 'LoaderPagesSpanned' : [ 0x28, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x2c, ['pointer', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x30, ['pointer', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x34, ['pointer', ['void']]], 'DrvDBSize' : [ 0x38, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x3c, ['pointer', ['_NETWORK_LOADER_BLOCK']]], 'HalpIRQLToTPR' : [ 0x40, ['pointer', ['unsigned char']]], 'HalpVectorToIRQL' : [ 0x44, ['pointer', ['unsigned char']]], 'FirmwareDescriptorListHead' : [ 0x48, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x50, ['pointer', ['void']]], 'AcpiTableSize' : [ 0x54, ['unsigned long']], 'BootViaWinload' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x5c, ['pointer', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x60, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x68, 
['pointer', ['void']]], 'BootIdentifier' : [ 0x6c, ['_GUID']], 'ResumePages' : [ 0x7c, ['unsigned long']], 'DumpHeader' : [ 0x80, ['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_WHEA_PCIEXPRESS_VERSION' : [ 0x4, { 'MinorVersion' : [ 0x0, ['unsigned char']], 'MajorVersion' : [ 0x1, ['unsigned char']], 'Reserved' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x294, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned 
long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'PoolPageHeaders' : [ 0x28, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x30, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x38, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x3c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PagedBytes' : [ 0x48, ['unsigned long']], 'NonPagedBytes' : [ 0x4c, ['unsigned long']], 'PeakPagedBytes' : [ 0x50, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x54, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x18, { 'Mdl' : [ 0x0, ['pointer', ['_MDL']]], 'UserVa' : [ 0x4, ['pointer', ['void']]], 'UserLimit' : [ 0x8, ['pointer', ['void']]], 'SystemVa' : [ 0xc, ['pointer', ['void']]], 'SystemLimit' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 
'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, 
end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x10, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0xc, ['pointer', ['void']]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_1e6b' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1ec0, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e6b']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, 
['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'SessionObject' : [ 0x34, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x38, ['pointer', ['void']]], 'ResidentProcessCount' : [ 0x3c, ['long']], 'ImageLoadingCount' : [ 0x40, ['long']], 'SessionPoolAllocationFailures' : [ 0x44, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x54, ['_LIST_ENTRY']], 'LocaleId' : [ 0x5c, ['unsigned long']], 'AttachCount' : [ 0x60, ['unsigned long']], 'AttachGate' : [ 0x64, ['_KGATE']], 'WsListEntry' : [ 0x74, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 25, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd00, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xd38, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xd70, ['_MMSUPPORT']], 'Wsle' : [ 0xdb8, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xdbc, ['pointer', ['void']]], 'PagedPool' : [ 0xdc0, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1df4, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1df8, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1e10, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1e30, ['long']], 'PagedPoolPdeCount' : [ 0x1e34, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1e38, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1e3c, ['unsigned long']], 'SystemPteInfo' : [ 0x1e40, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1e6c, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1e70, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1e74, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1e78, ['unsigned long']], 'SessionPoolPdes' : [ 0x1e7c, ['_RTL_BITMAP']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, 
['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, 
['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned 
char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']], 'TargetAddress' : [ 0xa0, ['unsigned long long']], 'RequesterId' : [ 0xa8, ['unsigned long long']], 'ResponderId' : [ 0xb0, ['unsigned long long']], 'InstructionPointer' : [ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, 
['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x18, { 'PteBase' : [ 0x0, ['pointer', ['_MMPTE']]], 'FreePteHead' : [ 0x4, ['_MMPTE']], 'FreePteTail' : [ 0x8, ['_MMPTE']], 'PagesInUse' : [ 0xc, ['long']], 'SpecialPoolPdes' : [ 0x10, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS' : [ 0x4, { 'BridgeSecondaryStatus' : [ 0x0, ['unsigned short']], 'BridgeControl' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned 
long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x10, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1ee4' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1ee6' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1ee4']], 'Merged' : [ 0x10, ['__unnamed_1ee6']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['void']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_1eed' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1eed']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' 
: [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_14c1']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_1cfb']], 'LeftChild' : [ 0x24, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x28, ['pointer', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x38, { 'GetTime' : [ 0x0, ['unsigned long']], 'SetTime' : [ 0x4, ['unsigned long']], 'GetWakeupTime' : [ 0x8, ['unsigned long']], 'SetWakeupTime' : [ 0xc, ['unsigned long']], 'SetVirtualAddressMap' : [ 0x10, ['unsigned long']], 'ConvertPointer' : [ 0x14, ['unsigned long']], 'GetVariable' : [ 0x18, ['unsigned long']], 'GetNextVariableName' : [ 0x1c, ['unsigned long']], 'SetVariable' : [ 0x20, ['unsigned long']], 'GetNextHighMonotonicCount' : [ 0x24, ['unsigned long']], 'ResetSystem' : [ 0x28, ['unsigned long']], 'UpdateCapsule' : [ 0x2c, ['unsigned long']], 'QueryCapsuleCapabilities' : [ 0x30, ['unsigned long']], 'QueryVariableInfo' : [ 0x34, ['unsigned long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, 
['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices 
= {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_WHEA_MEMORY_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, 
native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1f11' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], 
'__unnamed_1f15' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_1f11']], 'u2' : [ 0x24, ['__unnamed_1f15']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x2c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_PCIXDEVICE_ID' : [ 0x10, { 'VendorId' : [ 0x0, ['unsigned short']], 'DeviceId' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'BusNumber' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'SegmentNumber' : [ 0x8, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'Reserved1' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['unsigned long']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 
0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x54, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', 
['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x28, ['pointer', ['void']]], 'CallersCaller' : [ 0x2c, ['pointer', ['void']]], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '_DEVOBJ_EXTENSION' : [ 0x3c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependentList' : [ 0x2c, ['_LIST_ENTRY']], 'ProviderList' : [ 0x34, 
['_LIST_ENTRY']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_COMMAND_STATUS' : [ 0x4, { 'Command' : [ 0x0, ['unsigned short']], 'Status' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_MMSESSION' : [ 0x38, { 
'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR_VALIDBITS' : [ 0x8, { 'PortType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Version' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'CommandStatus' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'DeviceId' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'DeviceSerialNumber' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BridgeControlStatus' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'ExpressCapability' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AerInfo' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_ETW_REG_ENTRY' : [ 0x2c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'EnableMask' : [ 0x10, ['unsigned char']], 'ReplyQueue' : [ 0x14, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x14, ['array', 4, ['pointer', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x24, ['pointer', ['_EPROCESS']]], 'Callback' : [ 0x24, ['pointer', ['void']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 
0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 
0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0x80, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x20, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x28, ['unsigned long']], 'Color' : [ 0x2c, ['unsigned char']], 'Seed' : [ 0x2d, ['unsigned char']], 'NodeNumber' : [ 0x2e, ['unsigned char']], 'Flags' : [ 0x2f, ['_flags']], 'MmShiftedColor' : [ 0x30, ['unsigned long']], 'FreeCount' : [ 0x34, ['array', 2, ['unsigned long']]], 'PfnDeferredList' : [ 0x3c, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'CachedKernelStacks' : [ 0x40, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x188, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x1c, ['unsigned char']], 'Order' : [ 0x20, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x168, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x16c, 
['long']], 'Pending' : [ 0x170, ['_LIST_ENTRY']], 'Status' : [ 0x178, ['long']], 'FailedDevice' : [ 0x17c, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x180, ['unsigned char']], 'Cancelled' : [ 0x181, ['unsigned char']], 'IgnoreErrors' : [ 0x182, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x183, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x184, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, 
['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_PPM_IDLE_STATE' : [ 0x20, { 'IdleHandler' : [ 0x0, ['pointer', ['void']]], 'Context' : [ 0x4, ['pointer', ['void']]], 'Latency' : [ 0x8, ['unsigned long']], 'Power' : [ 0xc, ['unsigned long']], 'TimeCheck' : [ 0x10, ['unsigned long']], 'StateFlags' : [ 0x14, ['unsigned long']], 'PromotePercent' : [ 0x18, ['unsigned char']], 'DemotePercent' : [ 0x19, ['unsigned char']], 'PromotePercentBase' : [ 0x1a, ['unsigned char']], 'DemotePercentBase' : [ 0x1b, ['unsigned char']], 'StateType' : [ 0x1c, ['unsigned char']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned 
long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x78, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' 
: [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned 
long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x403c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40d8, ['long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x50, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'PrepareUIEvent' : [ 0x14, ['_KEVENT']], 'PowerOnEvent' : [ 0x24, ['_KEVENT']], 'DoneEvent' : [ 0x34, ['_KEVENT']], 'WorkerQueued' : [ 0x44, ['unsigned long']], 'WorkerAbort' : [ 0x48, ['unsigned long']], 'NoResumeUI' : [ 0x4c, ['unsigned long']], } ], '_KTM' : [ 0x228, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 
'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_CONFIGURATION_COMPONENT' : [ 0x24, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 
'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer', ['unsigned char']]], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 
0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, 
['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 
0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_1fd5' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : 
[ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1fd7' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_1fd5']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1fd7']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_1fe9' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 
'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_1fe9']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 
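'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/kdbg_vtypes.py0000644000000000000000000003533013131215405027253 0ustar rootroot
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

import volatility.obj as obj

class _KDDEBUGGER_DATA64(obj.CType):
    """A class for KDBG"""

    def is_valid(self):
        """Returns true if the kdbg_object appears valid"""

        # Check the OwnerTag is in fact the string KDBG
        # (0x4742444B is "KDBG" read as a little-endian unsigned long).
        # The tag is read from the memory image under analysis, so a match
        # is a sanity check on the candidate, not proof that it is genuine.
        return obj.CType.is_valid(self) and self.Header.OwnerTag == 0x4742444B

    @property
    def ServicePack(self):
        """Get the service pack number. This is something
        like 0x100 for SP1, 0x200 for SP2 etc.
        """
        # CmNtCSDVersion holds the address of the value, not the value itself,
        # so read an unsigned long at that address in the native address space.
        csdresult = obj.Object("unsigned long", offset = self.CmNtCSDVersion, vm = self.obj_native_vm)
        return (csdresult >> 8) & 0xffffffff

    def processes(self):
        """Enumerate processes

        Yields each _EPROCESS linked through ActiveProcessLinks, starting
        from PsActiveProcessHead. Raises AttributeError when the list head
        cannot be dereferenced.
        """

        # This is defined as a pointer to _LIST_ENTRY in the overlay
        list_head = self.PsActiveProcessHead.dereference()

        if not list_head:
            raise AttributeError("Could not list tasks, please verify your --profile with kdbgscan")

        for proc in list_head.list_of_type("_EPROCESS", "ActiveProcessLinks"):
            yield proc

    def modules(self):
        """Enumerate modules

        Yields each _LDR_DATA_TABLE_ENTRY linked through InLoadOrderLinks,
        starting from PsLoadedModuleList. Raises AttributeError when the
        list head cannot be dereferenced.
        """

        # This is defined as a pointer to _LIST_ENTRY in the overlay
        list_head = self.PsLoadedModuleList.dereference()

        if not list_head:
            raise AttributeError("Could not list modules, please verify your --profile with kdbgscan")

        for mod in list_head.dereference_as("_LIST_ENTRY").list_of_type(
                "_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks"):
            yield mod

    def dbgkd_version64(self):
        """Finds _DBGKD_GET_VERSION64 corresponding to this KDBG"""

        verinfo = self.dbgkd_find_version64(pages_to_scan = 1)
        if verinfo:
            return verinfo

        # _DBGKD_GET_VERSION64 does not immediately precede KDBG on newer Windows.
        # Try again with more pages to scan.
        return self.dbgkd_find_version64(pages_to_scan = 16)

    def dbgkd_find_version64(self, pages_to_scan):
        """Scan around the base of KDBG to find the _DBGKD_GET_VERSION64.
        We have a winner when kernel base addresses and process list head match.

        The window starts pages_to_scan // 2 pages below the page that holds
        this KDBG and is pages_to_scan pages long; every byte offset in it is
        tried. Returns the matching object, or a NoneObject when nothing in
        the window matches.
        """

        # Account for address masking differences in x86 and x64
        memory_model = self.obj_native_vm.profile.metadata.get('memory_model', '32bit')

        dbgkd_off = self.obj_offset & 0xFFFFFFFFFFFFF000
        # Floor division keeps the offset an integer whichever division
        # semantics are in effect (Python 2 int "/" already floors).
        dbgkd_off -= (pages_to_scan // 2) * 0x1000
        dbgkd_end = dbgkd_off + pages_to_scan * 0x1000

        # The _DBGKD_GET_VERSION64 structure is autogenerated, so
        # this value should be correct for each profile
        dbgkd_size = self.obj_native_vm.profile.get_obj_size("_DBGKD_GET_VERSION64")

        while dbgkd_off <= (dbgkd_end - dbgkd_size):

            dbgkd = obj.Object("_DBGKD_GET_VERSION64", offset = dbgkd_off, vm = self.obj_native_vm)

            if memory_model == "32bit":
                # Only the low 32 bits are compared on x86 profiles.
                KernBase = dbgkd.KernBase & 0xFFFFFFFF
                PsLoadedModuleList = dbgkd.PsLoadedModuleList & 0xFFFFFFFF
            else:
                KernBase = dbgkd.KernBase
                PsLoadedModuleList = dbgkd.PsLoadedModuleList

            if ((KernBase == self.KernBase) and (PsLoadedModuleList == self.PsLoadedModuleList)):
                return dbgkd

            dbgkd_off += 1

        return obj.NoneObject("Cannot find _DBGKD_GET_VERSION64")

    def kpcrs(self):
        """Generator for KPCRs referenced by this KDBG.

        These are returned in the order in which the
        processors were registered.
        """

        # The _KPRCB is embedded in the _KPCR under a different member name
        # depending on the memory model.
        if self.obj_native_vm.profile.metadata.get('memory_model', '32bit') == '32bit':
            prcb_member = "PrcbData"
        else:
            prcb_member = "Prcb"

        cpu_array = self.KiProcessorBlock.dereference()

        for p in cpu_array:

            # Terminate the loop if an item in the array is
            # invalid (ie paged) or if the pointer is NULL.
            # NOTE(review): "== None" rather than "is None" looks deliberate,
            # presumably so a NoneObject placeholder also matches - confirm
            # against obj.NoneObject before changing it.
            if p == None or p == 0:
                break

            kpcrb = p.dereference_as("_KPRCB")

            # Step back from the _KPRCB to the start of the _KPCR containing it.
            kpcr = obj.Object("_KPCR",
                              offset = kpcrb.obj_offset -
                              self.obj_native_vm.profile.get_obj_offset("_KPCR", prcb_member),
                              vm = self.obj_native_vm,
                              parent = self,
                              )

            if kpcr.is_valid():
                yield kpcr

class KDBGObjectClass(obj.ProfileModification):
    """Add the KDBG object class to all Windows profiles"""

    before = ["WindowsObjectClasses"]

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        """Register _KDDEBUGGER_DATA64 and overlay its pointer members.

        profile -- the profile being modified; its object_classes and
                   overlays are updated in place.
        """

        profile.object_classes.update({'_KDDEBUGGER_DATA64': _KDDEBUGGER_DATA64})

        # This value is stored in nt!_KeMaximumProcessors
        # Compare with '32bit' explicitly: the bare .get() result is a
        # non-empty string and therefore always true, which sized the
        # KiProcessorBlock array at 32 entries on every profile and left
        # _KDDEBUGGER_DATA64.kpcrs() unable to reach processors past the
        # 32nd on x64 images.
        if profile.metadata.get('memory_model', '32bit') == '32bit':
            max_processors = 32
        else:
            max_processors = 64

        profile.merge_overlay({
            '_KDDEBUGGER_DATA64': [ None, {
            'NtBuildLab': [ None, ['pointer', ['String', dict(length = 32)]]],
            'KiProcessorBlock': [ None, ['pointer', ['array', max_processors, ['pointer', ['_KPRCB']]]]],
            'PsActiveProcessHead': [ None, ['pointer', ['_LIST_ENTRY']]],
            'PsLoadedModuleList': [ None, ['pointer', ['_LIST_ENTRY']]],
            # The array length is read at access time from MmLastUnloadedDriver.
            'MmUnloadedDrivers' : [ None, ['pointer', ['pointer', ['array', lambda x : x.MmLastUnloadedDriver.dereference(), ['_UNLOADED_DRIVER']]]]],
            'MmLastUnloadedDriver' : [ None, ['pointer', ['unsigned int']]],
            }]})

class UnloadedDriverVTypes(obj.ProfileModification):
    """Add the unloaded driver structure definitions"""

    conditions = {'os': lambda x: x == "windows"}

    def modification(self, profile):
        """Install the _UNLOADED_DRIVER layout that matches the memory model.

        profile -- the profile being modified; its vtypes are updated in place.
        """

        if profile.metadata.get("memory_model", "32bit") == "32bit":
            vtypes = {'_UNLOADED_DRIVER' : [ 24, {
                'Name' : [ 0, ['_UNICODE_STRING']],
                'StartAddress' : [ 8, ['address']],
                'EndAddress' : [ 12, ['address']],
                'CurrentTime' : [ 16, ['WinTimeStamp', {}]],
                }]}
        else:
            vtypes = {'_UNLOADED_DRIVER' : [ 40, {
                'Name' : [ 0, ['_UNICODE_STRING']],
                'StartAddress' : [ 16, ['address']],
                'EndAddress' : [ 24, ['address']],
                'CurrentTime' : [ 32, ['WinTimeStamp', {}]],
                }]}

        profile.vtypes.update(vtypes)

kdbg_vtypes = { '_DBGKD_DEBUG_DATA_HEADER64' : [ 0x18, { 'List' : [ 0x0,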
['LIST_ENTRY64']], 'OwnerTag' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], } ], '_KDDEBUGGER_DATA64' : [ 0x340, { 'Header' : [ 0x0, ['_DBGKD_DEBUG_DATA_HEADER64']], 'KernBase' : [ 0x18, ['unsigned long long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long long']], 'SavedContext' : [ 0x28, ['unsigned long long']], 'ThCallbackStack' : [ 0x30, ['unsigned short']], 'NextCallback' : [ 0x32, ['unsigned short']], 'FramePointer' : [ 0x34, ['unsigned short']], 'KiCallUserMode' : [ 0x38, ['unsigned long long']], 'KeUserCallbackDispatcher' : [ 0x40, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x48, ['unsigned long long']], 'PsActiveProcessHead' : [ 0x50, ['unsigned long long']], 'PspCidTable' : [ 0x58, ['unsigned long long']], 'ExpSystemResourcesList' : [ 0x60, ['unsigned long long']], 'ExpPagedPoolDescriptor' : [ 0x68, ['unsigned long long']], 'ExpNumberOfPagedPools' : [ 0x70, ['unsigned long long']], 'KeTimeIncrement' : [ 0x78, ['unsigned long long']], 'KeBugCheckCallbackListHead' : [ 0x80, ['unsigned long long']], 'KiBugcheckData' : [ 0x88, ['unsigned long long']], 'IopErrorLogListHead' : [ 0x90, ['unsigned long long']], 'ObpRootDirectoryObject' : [ 0x98, ['unsigned long long']], 'ObpTypeObjectType' : [ 0xa0, ['unsigned long long']], 'MmSystemCacheStart' : [ 0xa8, ['unsigned long long']], 'MmSystemCacheEnd' : [ 0xb0, ['unsigned long long']], 'MmSystemCacheWs' : [ 0xb8, ['unsigned long long']], 'MmPfnDatabase' : [ 0xc0, ['unsigned long long']], 'MmSystemPtesStart' : [ 0xc8, ['unsigned long long']], 'MmSystemPtesEnd' : [ 0xd0, ['unsigned long long']], 'MmSubsectionBase' : [ 0xd8, ['unsigned long long']], 'MmNumberOfPagingFiles' : [ 0xe0, ['unsigned long long']], 'MmLowestPhysicalPage' : [ 0xe8, ['unsigned long long']], 'MmHighestPhysicalPage' : [ 0xf0, ['unsigned long long']], 'MmNumberOfPhysicalPages' : [ 0xf8, ['unsigned long long']], 'MmMaximumNonPagedPoolInBytes' : [ 0x100, ['unsigned long long']], 'MmNonPagedSystemStart' : [ 0x108, 
['unsigned long long']], 'MmNonPagedPoolStart' : [ 0x110, ['unsigned long long']], 'MmNonPagedPoolEnd' : [ 0x118, ['unsigned long long']], 'MmPagedPoolStart' : [ 0x120, ['unsigned long long']], 'MmPagedPoolEnd' : [ 0x128, ['unsigned long long']], 'MmPagedPoolInformation' : [ 0x130, ['unsigned long long']], 'MmPageSize' : [ 0x138, ['unsigned long long']], 'MmSizeOfPagedPoolInBytes' : [ 0x140, ['unsigned long long']], 'MmTotalCommitLimit' : [ 0x148, ['unsigned long long']], 'MmTotalCommittedPages' : [ 0x150, ['unsigned long long']], 'MmSharedCommit' : [ 0x158, ['unsigned long long']], 'MmDriverCommit' : [ 0x160, ['unsigned long long']], 'MmProcessCommit' : [ 0x168, ['unsigned long long']], 'MmPagedPoolCommit' : [ 0x170, ['unsigned long long']], 'MmExtendedCommit' : [ 0x178, ['unsigned long long']], 'MmZeroedPageListHead' : [ 0x180, ['unsigned long long']], 'MmFreePageListHead' : [ 0x188, ['unsigned long long']], 'MmStandbyPageListHead' : [ 0x190, ['unsigned long long']], 'MmModifiedPageListHead' : [ 0x198, ['unsigned long long']], 'MmModifiedNoWritePageListHead' : [ 0x1a0, ['unsigned long long']], 'MmAvailablePages' : [ 0x1a8, ['unsigned long long']], 'MmResidentAvailablePages' : [ 0x1b0, ['unsigned long long']], 'PoolTrackTable' : [ 0x1b8, ['unsigned long long']], 'NonPagedPoolDescriptor' : [ 0x1c0, ['unsigned long long']], 'MmHighestUserAddress' : [ 0x1c8, ['unsigned long long']], 'MmSystemRangeStart' : [ 0x1d0, ['unsigned long long']], 'MmUserProbeAddress' : [ 0x1d8, ['unsigned long long']], 'KdPrintCircularBuffer' : [ 0x1e0, ['unsigned long long']], 'KdPrintCircularBufferEnd' : [ 0x1e8, ['unsigned long long']], 'KdPrintWritePointer' : [ 0x1f0, ['unsigned long long']], 'KdPrintRolloverCount' : [ 0x1f8, ['unsigned long long']], 'MmLoadedUserImageList' : [ 0x200, ['unsigned long long']], 'NtBuildLab' : [ 0x208, ['unsigned long long']], 'KiNormalSystemCall' : [ 0x210, ['unsigned long long']], 'KiProcessorBlock' : [ 0x218, ['unsigned long long']], 'MmUnloadedDrivers' 
: [ 0x220, ['unsigned long long']], 'MmLastUnloadedDriver' : [ 0x228, ['unsigned long long']], 'MmTriageActionTaken' : [ 0x230, ['unsigned long long']], 'MmSpecialPoolTag' : [ 0x238, ['unsigned long long']], 'KernelVerifier' : [ 0x240, ['unsigned long long']], 'MmVerifierData' : [ 0x248, ['unsigned long long']], 'MmAllocatedNonPagedPool' : [ 0x250, ['unsigned long long']], 'MmPeakCommitment' : [ 0x258, ['unsigned long long']], 'MmTotalCommitLimitMaximum' : [ 0x260, ['unsigned long long']], 'CmNtCSDVersion' : [ 0x268, ['unsigned long long']], 'MmPhysicalMemoryBlock' : [ 0x270, ['unsigned long long']], 'MmSessionBase' : [ 0x278, ['unsigned long long']], 'MmSessionSize' : [ 0x280, ['unsigned long long']], 'MmSystemParentTablePage' : [ 0x288, ['unsigned long long']], 'MmVirtualTranslationBase' : [ 0x290, ['unsigned long long']], 'OffsetKThreadNextProcessor' : [ 0x298, ['unsigned short']], 'OffsetKThreadTeb' : [ 0x29a, ['unsigned short']], 'OffsetKThreadKernelStack' : [ 0x29c, ['unsigned short']], 'OffsetKThreadInitialStack' : [ 0x29e, ['unsigned short']], 'OffsetKThreadApcProcess' : [ 0x2a0, ['unsigned short']], 'OffsetKThreadState' : [ 0x2a2, ['unsigned short']], 'OffsetKThreadBStore' : [ 0x2a4, ['unsigned short']], 'OffsetKThreadBStoreLimit' : [ 0x2a6, ['unsigned short']], 'SizeEProcess' : [ 0x2a8, ['unsigned short']], 'OffsetEprocessPeb' : [ 0x2aa, ['unsigned short']], 'OffsetEprocessParentCID' : [ 0x2ac, ['unsigned short']], 'OffsetEprocessDirectoryTableBase' : [ 0x2ae, ['unsigned short']], 'SizePrcb' : [ 0x2b0, ['unsigned short']], 'OffsetPrcbDpcRoutine' : [ 0x2b2, ['unsigned short']], 'OffsetPrcbCurrentThread' : [ 0x2b4, ['unsigned short']], 'OffsetPrcbMhz' : [ 0x2b6, ['unsigned short']], 'OffsetPrcbCpuType' : [ 0x2b8, ['unsigned short']], 'OffsetPrcbVendorString' : [ 0x2ba, ['unsigned short']], 'OffsetPrcbProcStateContext' : [ 0x2bc, ['unsigned short']], 'OffsetPrcbNumber' : [ 0x2be, ['unsigned short']], 'SizeEThread' : [ 0x2c0, ['unsigned short']], 
'KdPrintCircularBufferPtr' : [ 0x2c8, ['unsigned long long']], 'KdPrintBufferSize' : [ 0x2d0, ['unsigned long long']], 'KeLoaderBlock' : [ 0x2d8, ['unsigned long long']], 'SizePcr' : [ 0x2e0, ['unsigned short']], 'OffsetPcrSelfPcr' : [ 0x2e2, ['unsigned short']], 'OffsetPcrCurrentPrcb' : [ 0x2e4, ['unsigned short']], 'OffsetPcrContainedPrcb' : [ 0x2e6, ['unsigned short']], 'OffsetPcrInitialBStore' : [ 0x2e8, ['unsigned short']], 'OffsetPcrBStoreLimit' : [ 0x2ea, ['unsigned short']], 'OffsetPcrInitialStack' : [ 0x2ec, ['unsigned short']], 'OffsetPcrStackLimit' : [ 0x2ee, ['unsigned short']], 'OffsetPrcbPcrPage' : [ 0x2f0, ['unsigned short']], 'OffsetPrcbProcStateSpecialReg' : [ 0x2f2, ['unsigned short']], 'GdtR0Code' : [ 0x2f4, ['unsigned short']], 'GdtR0Data' : [ 0x2f6, ['unsigned short']], 'GdtR0Pcr' : [ 0x2f8, ['unsigned short']], 'GdtR3Code' : [ 0x2fa, ['unsigned short']], 'GdtR3Data' : [ 0x2fc, ['unsigned short']], 'GdtR3Teb' : [ 0x2fe, ['unsigned short']], 'GdtLdt' : [ 0x300, ['unsigned short']], 'GdtTss' : [ 0x302, ['unsigned short']], 'Gdt64R3CmCode' : [ 0x304, ['unsigned short']], 'Gdt64R3CmTeb' : [ 0x306, ['unsigned short']], 'IopNumTriageDumpDataBlocks' : [ 0x308, ['unsigned long long']], 'IopTriageDumpDataBlocks' : [ 0x310, ['unsigned long long']], 'VfCrashDataBlock' : [ 0x318, ['unsigned long long']], 'MmBadPagesDetected' : [ 0x320, ['unsigned long long']], 'MmZeroedPageSingleBitErrorsDetected' : [ 0x328, ['unsigned long long']], 'EtwpDebuggerData' : [ 0x330, ['unsigned long long']], 'OffsetPrcbContext' : [ 0x338, ['unsigned short']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8_sp1_x86_syscalls.py0000755000000000000000000015615713131215405031042 0ustar rootrootsyscalls = [ [ 'NtWorkerFactoryWorkerReady', # 0x0 'NtAcceptConnectPort', # 0x1 'NtYieldExecution', # 0x2 'NtWriteVirtualMemory', # 0x3 'NtWriteRequestData', # 0x4 'NtWriteFileGather', # 0x5 'NtWriteFile', # 0x6 'NtWaitLowEventPair', # 0x7 
'NtWaitHighEventPair', # 0x8 'NtWaitForWorkViaWorkerFactory', # 0x9 'NtWaitForSingleObject', # 0xa 'NtWaitForMultipleObjects32', # 0xb 'NtWaitForMultipleObjects', # 0xc 'NtWaitForKeyedEvent', # 0xd 'NtWaitForDebugEvent', # 0xe 'NtWaitForAlertByThreadId', # 0xf 'NtVdmControl', # 0x10 'NtUnsubscribeWnfStateChange', # 0x11 'NtUpdateWnfStateData', # 0x12 'NtUnmapViewOfSection', # 0x13 'NtUnmapViewOfSectionEx', # 0x14 'NtUnlockVirtualMemory', # 0x15 'NtUnlockFile', # 0x16 'NtUnloadKeyEx', # 0x17 'NtUnloadKey2', # 0x18 'NtUnloadKey', # 0x19 'NtUnloadDriver', # 0x1a 'NtUmsThreadYield', # 0x1b 'NtTranslateFilePath', # 0x1c 'NtTraceEvent', # 0x1d 'NtTraceControl', # 0x1e 'NtThawTransactions', # 0x1f 'NtThawRegistry', # 0x20 'NtTestAlert', # 0x21 'NtTerminateThread', # 0x22 'NtTerminateProcess', # 0x23 'NtTerminateJobObject', # 0x24 'NtSystemDebugControl', # 0x25 'NtSuspendThread', # 0x26 'NtSuspendProcess', # 0x27 'NtSubscribeWnfStateChange', # 0x28 'NtStopProfile', # 0x29 'NtStartProfile', # 0x2a 'NtSinglePhaseReject', # 0x2b 'NtSignalAndWaitForSingleObject', # 0x2c 'NtShutdownWorkerFactory', # 0x2d 'NtShutdownSystem', # 0x2e 'NtSetWnfProcessNotificationEvent', # 0x2f 'NtSetVolumeInformationFile', # 0x30 'NtSetValueKey', # 0x31 'NtSetUuidSeed', # 0x32 'NtSetTimerResolution', # 0x33 'NtSetTimerEx', # 0x34 'NtSetTimer', # 0x35 'NtSetThreadExecutionState', # 0x36 'NtSetSystemTime', # 0x37 'NtSetSystemPowerState', # 0x38 'NtSetSystemInformation', # 0x39 'NtSetSystemEnvironmentValueEx', # 0x3a 'NtSetSystemEnvironmentValue', # 0x3b 'NtSetSecurityObject', # 0x3c 'NtSetQuotaInformationFile', # 0x3d 'NtSetLowWaitHighEventPair', # 0x3e 'NtSetLowEventPair', # 0x3f 'NtSetLdtEntries', # 0x40 'NtSetIRTimer', # 0x41 'NtSetTimer2', # 0x42 'NtCancelTimer2', # 0x43 'NtSetIoCompletionEx', # 0x44 'NtSetIoCompletion', # 0x45 'NtSetIntervalProfile', # 0x46 'NtSetInformationWorkerFactory', # 0x47 'NtSetInformationTransactionManager', # 0x48 'NtSetInformationTransaction', # 0x49 
'NtSetInformationToken', # 0x4a 'NtSetInformationThread', # 0x4b 'NtSetInformationResourceManager', # 0x4c 'NtSetInformationProcess', # 0x4d 'NtSetInformationObject', # 0x4e 'NtSetInformationKey', # 0x4f 'NtSetInformationJobObject', # 0x50 'NtSetInformationFile', # 0x51 'NtSetInformationEnlistment', # 0x52 'NtSetInformationDebugObject', # 0x53 'NtSetHighWaitLowEventPair', # 0x54 'NtSetHighEventPair', # 0x55 'NtSetEventBoostPriority', # 0x56 'NtSetEvent', # 0x57 'NtSetEaFile', # 0x58 'NtSetDriverEntryOrder', # 0x59 'NtSetDefaultUILanguage', # 0x5a 'NtSetDefaultLocale', # 0x5b 'NtSetDefaultHardErrorPort', # 0x5c 'NtSetDebugFilterState', # 0x5d 'NtSetContextThread', # 0x5e 'NtSetCachedSigningLevel', # 0x5f 'NtSetBootOptions', # 0x60 'NtSetBootEntryOrder', # 0x61 'NtSerializeBoot', # 0x62 'NtSecureConnectPort', # 0x63 'NtSaveMergedKeys', # 0x64 'NtSaveKeyEx', # 0x65 'NtSaveKey', # 0x66 'NtRollforwardTransactionManager', # 0x67 'NtRollbackTransaction', # 0x68 'NtRollbackEnlistment', # 0x69 'NtRollbackComplete', # 0x6a 'NtResumeThread', # 0x6b 'NtResumeProcess', # 0x6c 'NtRestoreKey', # 0x6d 'NtResetWriteWatch', # 0x6e 'NtResetEvent', # 0x6f 'NtRequestWaitReplyPort', # 0x70 'NtRequestPort', # 0x71 'NtReplyWaitReplyPort', # 0x72 'NtReplyWaitReceivePortEx', # 0x73 'NtReplyWaitReceivePort', # 0x74 'NtReplyPort', # 0x75 'NtReplacePartitionUnit', # 0x76 'NtReplaceKey', # 0x77 'NtRenameTransactionManager', # 0x78 'NtRenameKey', # 0x79 'NtRemoveProcessDebug', # 0x7a 'NtRemoveIoCompletionEx', # 0x7b 'NtRemoveIoCompletion', # 0x7c 'NtReleaseWorkerFactoryWorker', # 0x7d 'NtReleaseSemaphore', # 0x7e 'NtReleaseMutant', # 0x7f 'NtReleaseKeyedEvent', # 0x80 'NtRegisterThreadTerminatePort', # 0x81 'NtRegisterProtocolAddressInformation', # 0x82 'NtRecoverTransactionManager', # 0x83 'NtRecoverResourceManager', # 0x84 'NtRecoverEnlistment', # 0x85 'NtReadVirtualMemory', # 0x86 'NtReadRequestData', # 0x87 'NtReadOnlyEnlistment', # 0x88 'NtReadFileScatter', # 0x89 'NtReadFile', # 0x8a 
'NtRaiseHardError', # 0x8b 'NtRaiseException', # 0x8c 'NtQueueApcThreadEx', # 0x8d 'NtQueueApcThread', # 0x8e 'NtQueryWnfStateData', # 0x8f 'NtQueryWnfStateNameInformation', # 0x90 'NtQueryVolumeInformationFile', # 0x91 'NtQueryVirtualMemory', # 0x92 'NtQueryValueKey', # 0x93 'NtQueryTimerResolution', # 0x94 'NtQueryTimer', # 0x95 'NtQuerySystemTime', # 0x96 'NtQuerySystemInformationEx', # 0x97 'NtQuerySystemInformation', # 0x98 'NtQuerySystemEnvironmentValueEx', # 0x99 'NtQuerySystemEnvironmentValue', # 0x9a 'NtQuerySymbolicLinkObject', # 0x9b 'NtQuerySemaphore', # 0x9c 'NtQuerySecurityObject', # 0x9d 'NtQuerySecurityAttributesToken', # 0x9e 'NtQuerySection', # 0x9f 'NtQueryQuotaInformationFile', # 0xa0 'NtQueryPortInformationProcess', # 0xa1 'NtQueryPerformanceCounter', # 0xa2 'NtQueryOpenSubKeysEx', # 0xa3 'NtQueryOpenSubKeys', # 0xa4 'NtQueryObject', # 0xa5 'NtQueryMutant', # 0xa6 'NtQueryMultipleValueKey', # 0xa7 'NtQueryLicenseValue', # 0xa8 'NtQueryKey', # 0xa9 'NtQueryIoCompletion', # 0xaa 'NtQueryIntervalProfile', # 0xab 'NtQueryInstallUILanguage', # 0xac 'NtQueryInformationWorkerFactory', # 0xad 'NtQueryInformationTransactionManager', # 0xae 'NtQueryInformationTransaction', # 0xaf 'NtQueryInformationToken', # 0xb0 'NtQueryInformationThread', # 0xb1 'NtQueryInformationResourceManager', # 0xb2 'NtQueryInformationProcess', # 0xb3 'NtQueryInformationPort', # 0xb4 'NtQueryInformationJobObject', # 0xb5 'NtQueryInformationFile', # 0xb6 'NtQueryInformationEnlistment', # 0xb7 'NtQueryInformationAtom', # 0xb8 'NtQueryFullAttributesFile', # 0xb9 'NtQueryEvent', # 0xba 'NtQueryEaFile', # 0xbb 'NtQueryDriverEntryOrder', # 0xbc 'NtQueryDirectoryObject', # 0xbd 'NtQueryDirectoryFile', # 0xbe 'NtQueryDefaultUILanguage', # 0xbf 'NtQueryDefaultLocale', # 0xc0 'NtQueryDebugFilterState', # 0xc1 'NtQueryBootOptions', # 0xc2 'NtQueryBootEntryOrder', # 0xc3 'NtQueryAttributesFile', # 0xc4 'NtPulseEvent', # 0xc5 'NtProtectVirtualMemory', # 0xc6 'NtPropagationFailed', # 0xc7 
'NtPropagationComplete', # 0xc8 'NtPrivilegeObjectAuditAlarm', # 0xc9 'NtPrivilegedServiceAuditAlarm', # 0xca 'NtPrivilegeCheck', # 0xcb 'NtSetInformationVirtualMemory', # 0xcc 'NtPrePrepareEnlistment', # 0xcd 'NtPrePrepareComplete', # 0xce 'NtPrepareEnlistment', # 0xcf 'NtPrepareComplete', # 0xd0 'NtPowerInformation', # 0xd1 'NtPlugPlayControl', # 0xd2 'NtOpenTransactionManager', # 0xd3 'NtOpenTransaction', # 0xd4 'NtOpenTimer', # 0xd5 'NtOpenThreadTokenEx', # 0xd6 'NtOpenThreadToken', # 0xd7 'NtOpenThread', # 0xd8 'NtOpenSymbolicLinkObject', # 0xd9 'NtOpenSession', # 0xda 'NtOpenSemaphore', # 0xdb 'NtOpenSection', # 0xdc 'NtOpenResourceManager', # 0xdd 'NtOpenProcessTokenEx', # 0xde 'NtOpenProcessToken', # 0xdf 'NtOpenProcess', # 0xe0 'NtOpenPrivateNamespace', # 0xe1 'NtOpenObjectAuditAlarm', # 0xe2 'NtOpenMutant', # 0xe3 'NtOpenKeyTransactedEx', # 0xe4 'NtOpenKeyTransacted', # 0xe5 'NtOpenKeyEx', # 0xe6 'NtOpenKeyedEvent', # 0xe7 'NtOpenKey', # 0xe8 'NtOpenJobObject', # 0xe9 'NtOpenIoCompletion', # 0xea 'NtOpenFile', # 0xeb 'NtOpenEventPair', # 0xec 'NtOpenEvent', # 0xed 'NtOpenEnlistment', # 0xee 'NtOpenDirectoryObject', # 0xef 'NtNotifyChangeSession', # 0xf0 'NtNotifyChangeMultipleKeys', # 0xf1 'NtNotifyChangeKey', # 0xf2 'NtNotifyChangeDirectoryFile', # 0xf3 'NtModifyDriverEntry', # 0xf4 'NtModifyBootEntry', # 0xf5 'NtMapViewOfSection', # 0xf6 'NtMapUserPhysicalPagesScatter', # 0xf7 'NtMapUserPhysicalPages', # 0xf8 'NtMapCMFModule', # 0xf9 'NtMakeTemporaryObject', # 0xfa 'NtMakePermanentObject', # 0xfb 'NtLockVirtualMemory', # 0xfc 'NtLockRegistryKey', # 0xfd 'NtLockProductActivationKeys', # 0xfe 'NtLockFile', # 0xff 'NtLoadKeyEx', # 0x100 'NtLoadKey2', # 0x101 'NtLoadKey', # 0x102 'NtLoadDriver', # 0x103 'NtListenPort', # 0x104 'NtIsUILanguageComitted', # 0x105 'NtIsSystemResumeAutomatic', # 0x106 'NtIsProcessInJob', # 0x107 'NtInitiatePowerAction', # 0x108 'NtInitializeRegistry', # 0x109 'NtInitializeNlsFiles', # 0x10a 'NtImpersonateThread', # 0x10b 
'NtImpersonateClientOfPort', # 0x10c 'NtImpersonateAnonymousToken', # 0x10d 'NtGetWriteWatch', # 0x10e 'NtGetNotificationResourceManager', # 0x10f 'NtGetNlsSectionPtr', # 0x110 'NtGetNextThread', # 0x111 'NtGetNextProcess', # 0x112 'NtGetMUIRegistryInfo', # 0x113 'NtGetDevicePowerState', # 0x114 'NtGetCurrentProcessorNumber', # 0x115 'NtGetContextThread', # 0x116 'NtGetCompleteWnfStateSubscription', # 0x117 'NtGetCachedSigningLevel', # 0x118 'NtFsControlFile', # 0x119 'NtFreezeTransactions', # 0x11a 'NtFreezeRegistry', # 0x11b 'NtFreeVirtualMemory', # 0x11c 'NtFreeUserPhysicalPages', # 0x11d 'NtFlushWriteBuffer', # 0x11e 'NtFlushVirtualMemory', # 0x11f 'NtFlushProcessWriteBuffers', # 0x120 'NtFlushKey', # 0x121 'NtFlushInstructionCache', # 0x122 'NtFlushInstallUILanguage', # 0x123 'NtFlushBuffersFile', # 0x124 'NtFlushBuffersFileEx', # 0x125 'NtFindAtom', # 0x126 'NtFilterToken', # 0x127 'NtFilterTokenEx', # 0x128 'NtFilterBootOption', # 0x129 'NtExtendSection', # 0x12a 'NtEnumerateValueKey', # 0x12b 'NtEnumerateTransactionObject', # 0x12c 'NtEnumerateSystemEnvironmentValuesEx', # 0x12d 'NtEnumerateKey', # 0x12e 'NtEnumerateDriverEntries', # 0x12f 'NtEnumerateBootEntries', # 0x130 'NtEnableLastKnownGood', # 0x131 'NtDuplicateToken', # 0x132 'NtDuplicateObject', # 0x133 'NtDrawText', # 0x134 'NtDisplayString', # 0x135 'NtDisableLastKnownGood', # 0x136 'NtDeviceIoControlFile', # 0x137 'NtDeleteWnfStateName', # 0x138 'NtDeleteWnfStateData', # 0x139 'NtDeleteValueKey', # 0x13a 'NtDeletePrivateNamespace', # 0x13b 'NtDeleteObjectAuditAlarm', # 0x13c 'NtDeleteKey', # 0x13d 'NtDeleteFile', # 0x13e 'NtDeleteDriverEntry', # 0x13f 'NtDeleteBootEntry', # 0x140 'NtDeleteAtom', # 0x141 'NtDelayExecution', # 0x142 'NtDebugContinue', # 0x143 'NtDebugActiveProcess', # 0x144 'NtCreateWorkerFactory', # 0x145 'NtCreateWnfStateName', # 0x146 'NtCreateWaitCompletionPacket', # 0x147 'NtCreateWaitablePort', # 0x148 'NtCreateUserProcess', # 0x149 'NtCreateTransactionManager', # 0x14a 
'NtCreateTransaction', # 0x14b 'NtCreateToken', # 0x14c 'NtCreateLowBoxToken', # 0x14d 'NtCreateTokenEx', # 0x14e 'NtCreateTimer', # 0x14f 'NtCreateThreadEx', # 0x150 'NtCreateThread', # 0x151 'NtCreateSymbolicLinkObject', # 0x152 'NtCreateSemaphore', # 0x153 'NtCreateSection', # 0x154 'NtCreateResourceManager', # 0x155 'NtCreateProfileEx', # 0x156 'NtCreateProfile', # 0x157 'NtCreateProcessEx', # 0x158 'NtCreateProcess', # 0x159 'NtCreatePrivateNamespace', # 0x15a 'NtCreatePort', # 0x15b 'NtCreatePagingFile', # 0x15c 'NtCreateNamedPipeFile', # 0x15d 'NtCreateMutant', # 0x15e 'NtCreateMailslotFile', # 0x15f 'NtCreateKeyTransacted', # 0x160 'NtCreateKeyedEvent', # 0x161 'NtCreateKey', # 0x162 'NtCreateJobSet', # 0x163 'NtCreateJobObject', # 0x164 'NtCreateIRTimer', # 0x165 'NtCreateTimer2', # 0x166 'NtCreateIoCompletion', # 0x167 'NtCreateFile', # 0x168 'NtCreateEventPair', # 0x169 'NtCreateEvent', # 0x16a 'NtCreateEnlistment', # 0x16b 'NtCreateDirectoryObjectEx', # 0x16c 'NtCreateDirectoryObject', # 0x16d 'NtCreateDebugObject', # 0x16e 'NtContinue', # 0x16f 'NtConnectPort', # 0x170 'NtCompressKey', # 0x171 'NtCompleteConnectPort', # 0x172 'NtCompareTokens', # 0x173 'NtCompactKeys', # 0x174 'NtCommitTransaction', # 0x175 'NtCommitEnlistment', # 0x176 'NtCommitComplete', # 0x177 'NtCloseObjectAuditAlarm', # 0x178 'NtClose', # 0x179 'NtClearEvent', # 0x17a 'NtCancelWaitCompletionPacket', # 0x17b 'NtCancelTimer', # 0x17c 'NtCancelSynchronousIoFile', # 0x17d 'NtCancelIoFileEx', # 0x17e 'NtCancelIoFile', # 0x17f 'NtCallbackReturn', # 0x180 'NtAssociateWaitCompletionPacket', # 0x181 'NtAssignProcessToJobObject', # 0x182 'NtAreMappedFilesTheSame', # 0x183 'NtApphelpCacheControl', # 0x184 'NtAlpcSetInformation', # 0x185 'NtAlpcSendWaitReceivePort', # 0x186 'NtAlpcRevokeSecurityContext', # 0x187 'NtAlpcQueryInformationMessage', # 0x188 'NtAlpcQueryInformation', # 0x189 'NtAlpcOpenSenderThread', # 0x18a 'NtAlpcOpenSenderProcess', # 0x18b 'NtAlpcImpersonateClientOfPort', # 
0x18c 'NtAlpcDisconnectPort', # 0x18d 'NtAlpcDeleteSecurityContext', # 0x18e 'NtAlpcDeleteSectionView', # 0x18f 'NtAlpcDeleteResourceReserve', # 0x190 'NtAlpcDeletePortSection', # 0x191 'NtAlpcCreateSecurityContext', # 0x192 'NtAlpcCreateSectionView', # 0x193 'NtAlpcCreateResourceReserve', # 0x194 'NtAlpcCreatePortSection', # 0x195 'NtAlpcCreatePort', # 0x196 'NtAlpcConnectPort', # 0x197 'NtAlpcConnectPortEx', # 0x198 'NtAlpcCancelMessage', # 0x199 'NtAlpcAcceptConnectPort', # 0x19a 'NtAllocateVirtualMemory', # 0x19b 'NtAllocateUuids', # 0x19c 'NtAllocateUserPhysicalPages', # 0x19d 'NtAllocateReserveObject', # 0x19e 'NtAllocateLocallyUniqueId', # 0x19f 'NtAlertThreadByThreadId', # 0x1a0 'NtAlertThread', # 0x1a1 'NtAlertResumeThread', # 0x1a2 'NtAdjustPrivilegesToken', # 0x1a3 'NtAdjustGroupsToken', # 0x1a4 'NtAdjustTokenClaimsAndDeviceGroups', # 0x1a5 'NtAddDriverEntry', # 0x1a6 'NtAddBootEntry', # 0x1a7 'NtAddAtom', # 0x1a8 'NtAddAtomEx', # 0x1a9 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x1aa 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x1ab 'NtAccessCheckByTypeResultList', # 0x1ac 'NtAccessCheckByTypeAndAuditAlarm', # 0x1ad 'NtAccessCheckByType', # 0x1ae 'NtAccessCheckAndAuditAlarm', # 0x1af 'NtAccessCheck', # 0x1b0 ], [ 'NtUserYieldTask', # 0x0 'NtUserSetSensorPresence', # 0x1 'NtGdiWidenPath', # 0x2 'NtGdiUpdateColors', # 0x3 'NtGdiUnrealizeObject', # 0x4 'NtGdiUnmapMemFont', # 0x5 'NtGdiUnloadPrinterDriver', # 0x6 'NtGdiTransparentBlt', # 0x7 'NtGdiTransformPoints', # 0x8 'NtGdiSwapBuffers', # 0x9 'NtGdiStrokePath', # 0xa 'NtGdiStrokeAndFillPath', # 0xb 'NtGdiStretchDIBitsInternal', # 0xc 'NtGdiStretchBlt', # 0xd 'NtGdiStartPage', # 0xe 'NtGdiStartDoc', # 0xf 'NtGdiSetSizeDevice', # 0x10 'NtGdiSetVirtualResolution', # 0x11 'NtGdiSetTextJustification', # 0x12 'NtGdiSetSystemPaletteUse', # 0x13 'NtGdiSetRectRgn', # 0x14 'NtGdiSetPixelFormat', # 0x15 'NtGdiSetPixel', # 0x16 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x17 'NtGdiSetLayout', # 
0x18 'NtGdiMirrorWindowOrg', # 0x19 'NtGdiGetDeviceWidth', # 0x1a 'NtGdiSetMiterLimit', # 0x1b 'NtGdiSetMetaRgn', # 0x1c 'NtGdiSetMagicColors', # 0x1d 'NtGdiSetLinkedUFIs', # 0x1e 'NtGdiSetIcmMode', # 0x1f 'NtGdiSetFontXform', # 0x20 'NtGdiSetFontEnumeration', # 0x21 'NtGdiSetDIBitsToDeviceInternal', # 0x22 'NtGdiSetDeviceGammaRamp', # 0x23 'NtGdiSetColorSpace', # 0x24 'NtGdiSetColorAdjustment', # 0x25 'NtGdiSetBrushOrg', # 0x26 'NtGdiSetBrushAttributes', # 0x27 'NtGdiSetBoundsRect', # 0x28 'NtGdiSetBitmapDimension', # 0x29 'NtGdiSetBitmapBits', # 0x2a 'NtGdiSetBitmapAttributes', # 0x2b 'NtGdiSelectPen', # 0x2c 'NtGdiSelectFont', # 0x2d 'NtGdiSelectClipPath', # 0x2e 'NtGdiSelectBrush', # 0x2f 'NtGdiSelectBitmap', # 0x30 'NtGdiScaleWindowExtEx', # 0x31 'NtGdiScaleViewportExtEx', # 0x32 'NtGdiSaveDC', # 0x33 'NtGdiRoundRect', # 0x34 'NtGdiRestoreDC', # 0x35 'NtGdiResizePalette', # 0x36 'NtGdiResetDC', # 0x37 'NtGdiRemoveFontMemResourceEx', # 0x38 'NtGdiRemoveFontResourceW', # 0x39 'NtGdiRectVisible', # 0x3a 'NtGdiRectInRegion', # 0x3b 'NtGdiRectangle', # 0x3c 'NtGdiQueryFontAssocInfo', # 0x3d 'NtGdiQueryFonts', # 0x3e 'NtGdiPtVisible', # 0x3f 'NtGdiPtInRegion', # 0x40 'NtGdiPolyTextOutW', # 0x41 'NtGdiPolyPolyDraw', # 0x42 'NtGdiPolyDraw', # 0x43 'NtGdiPlgBlt', # 0x44 'NtGdiPathToRegion', # 0x45 'NtGdiPolyPatBlt', # 0x46 'NtGdiPatBlt', # 0x47 'NtGdiOpenDCW', # 0x48 'NtGdiOffsetRgn', # 0x49 'NtGdiOffsetClipRgn', # 0x4a 'NtGdiMoveTo', # 0x4b 'NtGdiMonoBitmap', # 0x4c 'NtGdiModifyWorldTransform', # 0x4d 'NtGdiMaskBlt', # 0x4e 'NtGdiMakeInfoDC', # 0x4f 'NtGdiMakeFontDir', # 0x50 'NtGdiLineTo', # 0x51 'NtGdiInvertRgn', # 0x52 'NtGdiIntersectClipRect', # 0x53 'NtGdiInitSpool', # 0x54 'NtGdiInit', # 0x55 'NtGdiIcmBrushInfo', # 0x56 'NtGdiHfontCreate', # 0x57 'NtGdiGradientFill', # 0x58 'NtGdiGetWidthTable', # 0x59 'NtGdiGetFontUnicodeRanges', # 0x5a 'NtGdiAddEmbFontToDC', # 0x5b 'NtGdiChangeGhostFont', # 0x5c 'NtGdiGetEmbedFonts', # 0x5d 'NtGdiGetUFIPathname', # 0x5e 
'NtGdiGetEmbUFI', # 0x5f 'NtGdiGetUFI', # 0x60 'NtGdiGetTransform', # 0x61 'NtGdiGetTextMetricsW', # 0x62 'NtGdiGetTextFaceW', # 0x63 'NtGdiGetTextExtentExW', # 0x64 'NtGdiGetTextExtent', # 0x65 'NtGdiGetTextCharsetInfo', # 0x66 'NtGdiGetSystemPaletteUse', # 0x67 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0x68 'NtGdiGetStringBitmapW', # 0x69 'NtGdiGetStockObject', # 0x6a 'NtGdiGetStats', # 0x6b 'NtGdiGetSpoolMessage', # 0x6c 'NtGdiGetServerMetaFileBits', # 0x6d 'NtGdiGetRgnBox', # 0x6e 'NtGdiGetRegionData', # 0x6f 'NtGdiGetRealizationInfo', # 0x70 'NtGdiGetRasterizerCaps', # 0x71 'NtGdiGetRandomRgn', # 0x72 'NtGdiGetPixel', # 0x73 'NtGdiGetPath', # 0x74 'NtGdiGetOutlineTextMetricsInternalW', # 0x75 'NtGdiGetOPMRandomNumber', # 0x76 'NtGdiGetObjectBitmapHandle', # 0x77 'NtGdiGetNearestPaletteIndex', # 0x78 'NtGdiGetNearestColor', # 0x79 'NtGdiGetMonitorID', # 0x7a 'NtGdiGetMiterLimit', # 0x7b 'NtGdiGetLinkedUFIs', # 0x7c 'NtGdiGetKerningPairs', # 0x7d 'NtGdiGetOPMInformation', # 0x7e 'NtGdiGetGlyphOutline', # 0x7f 'NtGdiGetGlyphIndicesWInternal', # 0x80 'NtGdiGetGlyphIndicesW', # 0x81 'NtGdiGetFontResourceInfoInternalW', # 0x82 'NtGdiGetFontFileInfo', # 0x83 'NtGdiGetFontFileData', # 0x84 'NtGdiGetFontData', # 0x85 'NtGdiGetEudcTimeStampEx', # 0x86 'NtGdiGetETM', # 0x87 'NtGdiGetDIBitsInternal', # 0x88 'NtGdiGetDeviceCapsAll', # 0x89 'NtGdiGetDeviceGammaRamp', # 0x8a 'NtGdiGetDeviceCaps', # 0x8b 'NtGdiGetDCPoint', # 0x8c 'NtGdiGetDCObject', # 0x8d 'NtGdiGetDCforBitmap', # 0x8e 'NtGdiGetDCDword', # 0x8f 'NtGdiGetCurrentDpiInfo', # 0x90 'NtGdiGetCOPPCompatibleOPMInformation', # 0x91 'NtGdiGetColorSpaceforBitmap', # 0x92 'NtGdiGetColorAdjustment', # 0x93 'NtGdiGetCharWidthInfo', # 0x94 'NtGdiGetCharWidthW', # 0x95 'NtGdiGetCharSet', # 0x96 'NtGdiGetCharacterPlacementW', # 0x97 'NtGdiGetCharABCWidthsW', # 0x98 'NtGdiGetCertificateSize', # 0x99 'NtGdiGetCertificate', # 0x9a 'NtGdiGetBoundsRect', # 0x9b 'NtGdiGetBitmapDimension', # 0x9c 'NtGdiGetBitmapBits', # 0x9d 
'NtGdiGetAppClipBox', # 0x9e 'NtGdiGetAndSetDCDword', # 0x9f 'NtGdiFullscreenControl', # 0xa0 'NtGdiFrameRgn', # 0xa1 'NtGdiForceUFIMapping', # 0xa2 'NtGdiFlush', # 0xa3 'NtGdiFlattenPath', # 0xa4 'NtGdiFillRgn', # 0xa5 'NtGdiFillPath', # 0xa6 'NtGdiExtTextOutW', # 0xa7 'NtGdiExtSelectClipRgn', # 0xa8 'NtGdiExtGetObjectW', # 0xa9 'NtGdiExtFloodFill', # 0xaa 'NtGdiExtEscape', # 0xab 'NtGdiExtCreateRegion', # 0xac 'NtGdiExtCreatePen', # 0xad 'NtGdiExcludeClipRect', # 0xae 'NtGdiEudcLoadUnloadLink', # 0xaf 'NtGdiEqualRgn', # 0xb0 'NtGdiEnumObjects', # 0xb1 'NtGdiEnumFonts', # 0xb2 'NtGdiEndPath', # 0xb3 'NtGdiEndPage', # 0xb4 'NtGdiEndGdiRendering', # 0xb5 'NtGdiEndDoc', # 0xb6 'NtGdiEnableEudc', # 0xb7 'NtGdiEllipse', # 0xb8 'NtGdiDrawEscape', # 0xb9 'NtGdiDoPalette', # 0xba 'NtGdiDoBanding', # 0xbb 'NtGdiGetPerBandInfo', # 0xbc 'NtGdiDestroyOPMProtectedOutput', # 0xbd 'NtGdiDescribePixelFormat', # 0xbe 'NtGdiDeleteObjectApp', # 0xbf 'NtGdiDeleteColorTransform', # 0xc0 'NtGdiDeleteColorSpace', # 0xc1 'NtGdiDeleteClientObj', # 0xc2 'NtGdiDxgGenericThunk', # 0xc3 'NtGdiDvpReleaseNotification', # 0xc4 'NtGdiDvpAcquireNotification', # 0xc5 'NtGdiDvpWaitForVideoPortSync', # 0xc6 'NtGdiDvpUpdateVideoPort', # 0xc7 'NtGdiDvpGetVideoSignalStatus', # 0xc8 'NtGdiDvpGetVideoPortConnectInfo', # 0xc9 'NtGdiDvpGetVideoPortOutputFormats', # 0xca 'NtGdiDvpGetVideoPortLine', # 0xcb 'NtGdiDvpGetVideoPortInputFormats', # 0xcc 'NtGdiDvpGetVideoPortFlipStatus', # 0xcd 'NtGdiDvpGetVideoPortField', # 0xce 'NtGdiDvpGetVideoPortBandwidth', # 0xcf 'NtGdiDvpFlipVideoPort', # 0xd0 'NtGdiDvpDestroyVideoPort', # 0xd1 'NtGdiDvpCreateVideoPort', # 0xd2 'NtGdiDvpColorControl', # 0xd3 'NtGdiDvpCanCreateVideoPort', # 0xd4 'NtGdiDdWaitForVerticalBlank', # 0xd5 'NtGdiDdUpdateOverlay', # 0xd6 'NtGdiDdUnlockD3D', # 0xd7 'NtGdiDdUnlock', # 0xd8 'NtGdiDdUnattachSurface', # 0xd9 'NtGdiDdSetOverlayPosition', # 0xda 'NtGdiDdCreateSurfaceEx', # 0xdb 'NtGdiDdSetGammaRamp', # 0xdc 'NtGdiDdSetExclusiveMode', # 0xdd 
'NtGdiDdSetColorKey', # 0xde 'NtGdiDdResetVisrgn', # 0xdf 'NtGdiDdRenderMoComp', # 0xe0 'NtGdiDdReleaseDC', # 0xe1 'NtGdiDdReenableDirectDrawObject', # 0xe2 'NtGdiDdQueryMoCompStatus', # 0xe3 'NtGdiDdQueryDirectDrawObject', # 0xe4 'NtGdiDdLockD3D', # 0xe5 'NtGdiDdLock', # 0xe6 'NtGdiDdGetScanLine', # 0xe7 'NtGdiDdGetMoCompFormats', # 0xe8 'NtGdiDdGetMoCompGuids', # 0xe9 'NtGdiDdGetMoCompBuffInfo', # 0xea 'NtGdiDdGetInternalMoCompInfo', # 0xeb 'NtGdiDdGetFlipStatus', # 0xec 'NtGdiDdGetDxHandle', # 0xed 'NtGdiDdGetDriverInfo', # 0xee 'NtGdiDdGetDC', # 0xef 'NtGdiDdGetBltStatus', # 0xf0 'NtGdiDdGetAvailDriverMemory', # 0xf1 'NtGdiDdFlipToGDISurface', # 0xf2 'NtGdiDdFlip', # 0xf3 'NtGdiDdEndMoCompFrame', # 0xf4 'NtGdiDdDestroyD3DBuffer', # 0xf5 'NtGdiDdDestroySurface', # 0xf6 'NtGdiDdDestroyMoComp', # 0xf7 'NtGdiDdDeleteSurfaceObject', # 0xf8 'NtGdiDdDeleteDirectDrawObject', # 0xf9 'NtGdiDdCreateSurfaceObject', # 0xfa 'NtGdiDdCreateMoComp', # 0xfb 'NtGdiDdCreateD3DBuffer', # 0xfc 'NtGdiDdCreateSurface', # 0xfd 'NtGdiDdCreateDirectDrawObject', # 0xfe 'NtGdiDdColorControl', # 0xff 'NtGdiDdCanCreateD3DBuffer', # 0x100 'NtGdiDdCanCreateSurface', # 0x101 'NtGdiDdBlt', # 0x102 'NtGdiDdBeginMoCompFrame', # 0x103 'NtGdiDdAttachSurface', # 0x104 'NtGdiDdAlphaBlt', # 0x105 'NtGdiDdAddAttachedSurface', # 0x106 'NtGdiDdGetDriverState', # 0x107 'NtGdiD3dDrawPrimitives2', # 0x108 'NtGdiD3dValidateTextureStageState', # 0x109 'NtGdiD3dContextDestroyAll', # 0x10a 'NtGdiD3dContextDestroy', # 0x10b 'NtGdiD3dContextCreate', # 0x10c 'NtGdiCreateSolidBrush', # 0x10d 'NtGdiCreateServerMetaFile', # 0x10e 'NtGdiCreateRoundRectRgn', # 0x10f 'NtGdiCreateRectRgn', # 0x110 'NtGdiCreatePen', # 0x111 'NtGdiCreatePatternBrushInternal', # 0x112 'NtGdiCreatePaletteInternal', # 0x113 'NtGdiCreateOPMProtectedOutputs', # 0x114 'NtGdiCreateMetafileDC', # 0x115 'NtGdiCreateHatchBrushInternal', # 0x116 'NtGdiCreateHalftonePalette', # 0x117 'NtGdiCreateEllipticRgn', # 0x118 
'NtGdiCreateSessionMappedDIBSection', # 0x119 'NtGdiCreateDIBSection', # 0x11a 'NtGdiCreateDIBitmapInternal', # 0x11b 'NtGdiCreateDIBBrush', # 0x11c 'NtGdiCreateCompatibleDC', # 0x11d 'NtGdiCreateCompatibleBitmap', # 0x11e 'NtGdiCreateColorTransform', # 0x11f 'NtGdiCreateColorSpace', # 0x120 'NtGdiCreateClientObj', # 0x121 'NtGdiCreateBitmapFromDxSurface2', # 0x122 'NtGdiCreateBitmapFromDxSurface', # 0x123 'NtGdiCreateBitmap', # 0x124 'NtGdiConvertMetafileRect', # 0x125 'NtGdiConfigureOPMProtectedOutput', # 0x126 'NtGdiComputeXformCoefficients', # 0x127 'NtGdiCombineTransform', # 0x128 'NtGdiCombineRgn', # 0x129 'NtGdiColorCorrectPalette', # 0x12a 'NtGdiClearBrushAttributes', # 0x12b 'NtGdiClearBitmapAttributes', # 0x12c 'NtGdiCloseFigure', # 0x12d 'NtGdiCheckBitmapBits', # 0x12e 'NtGdiCancelDC', # 0x12f 'NtGdiBitBlt', # 0x130 'NtGdiBeginPath', # 0x131 'NtGdiBeginGdiRendering', # 0x132 'NtGdiArcInternal', # 0x133 'NtGdiFontIsLinked', # 0x134 'NtGdiAnyLinkedFonts', # 0x135 'NtGdiAngleArc', # 0x136 'NtGdiAlphaBlend', # 0x137 'NtGdiAddRemoteMMInstanceToDC', # 0x138 'NtGdiRemoveMergeFont', # 0x139 'NtGdiAddFontMemResourceEx', # 0x13a 'NtGdiAddRemoteFontToDC', # 0x13b 'NtGdiAddFontResourceW', # 0x13c 'NtGdiAbortPath', # 0x13d 'NtGdiAbortDoc', # 0x13e 'NtUserDefSetText', # 0x13f 'NtUserDeferWindowPosAndBand', # 0x140 'NtUserDdeInitialize', # 0x141 'NtUserCanBrokerForceForeground', # 0x142 'NtUserCreateWindowStation', # 0x143 'NtUserCreateWindowEx', # 0x144 'NtUserCreateLocalMemHandle', # 0x145 'NtUserCreateInputContext', # 0x146 'NtUserCreateDesktopEx', # 0x147 'NtUserCreateCaret', # 0x148 'NtUserCreateAcceleratorTable', # 0x149 'NtUserCountClipboardFormats', # 0x14a 'NtUserCopyAcceleratorTable', # 0x14b 'NtUserConvertMemHandle', # 0x14c 'NtUserConsoleControl', # 0x14d 'NtUserCloseWindowStation', # 0x14e 'NtUserCloseDesktop', # 0x14f 'NtUserCloseClipboard', # 0x150 'NtUserClipCursor', # 0x151 'NtUserChildWindowFromPointEx', # 0x152 'NtUserCheckMenuItem', # 0x153 
'NtUserCheckWindowThreadDesktop', # 0x154 'NtUserDwmValidateWindow', # 0x155 'NtUserCheckAccessForIntegrityLevel', # 0x156 'NtUserDisplayConfigSetDeviceInfo', # 0x157 'NtUserDisplayConfigGetDeviceInfo', # 0x158 'NtUserQueryDisplayConfig', # 0x159 'NtUserSetDisplayConfig', # 0x15a 'NtUserGetDisplayConfigBufferSizes', # 0x15b 'NtUserChangeDisplaySettings', # 0x15c 'NtUserChangeClipboardChain', # 0x15d 'NtUserCallTwoParam', # 0x15e 'NtUserCallOneParam', # 0x15f 'NtUserCallNoParam', # 0x160 'NtUserCallNextHookEx', # 0x161 'NtUserCallMsgFilter', # 0x162 'NtUserCallHwndParamLock', # 0x163 'NtUserCallHwndParam', # 0x164 'NtUserCallHwndOpt', # 0x165 'NtUserCallHwndLock', # 0x166 'NtUserCallHwnd', # 0x167 'NtUserBuildPropList', # 0x168 'NtUserBuildNameList', # 0x169 'NtUserBuildHwndList', # 0x16a 'NtUserBuildHimcList', # 0x16b 'NtUserBlockInput', # 0x16c 'NtUserBitBltSysBmp', # 0x16d 'NtUserBeginPaint', # 0x16e 'NtUserAttachThreadInput', # 0x16f 'NtUserAssociateInputContext', # 0x170 'NtUserAlterWindowStyle', # 0x171 'NtUserAddClipboardFormatListener', # 0x172 'NtUserActivateKeyboardLayout', # 0x173 'NtUserDelegateCapturePointers', # 0x174 'NtUserDelegateInput', # 0x175 'NtUserDispatchMessage', # 0x176 'NtUserDisableProcessWindowFiltering', # 0x177 'NtUserDisableThreadIme', # 0x178 'NtUserDestroyWindow', # 0x179 'NtUserDestroyMenu', # 0x17a 'NtUserDestroyInputContext', # 0x17b 'NtUserDestroyCursor', # 0x17c 'NtUserDestroyAcceleratorTable', # 0x17d 'NtUserDeleteMenu', # 0x17e 'NtUserDoSoundDisconnect', # 0x17f 'NtUserDoSoundConnect', # 0x180 'NtUserGhostWindowFromHungWindow', # 0x181 'NtUserGetWOWClass', # 0x182 'NtUserGetWindowPlacement', # 0x183 'NtUserGetWindowDisplayAffinity', # 0x184 'NtUserGetWindowDC', # 0x185 'NtUserGetWindowCompositionAttribute', # 0x186 'NtUserGetWindowCompositionInfo', # 0x187 'NtUserGetWindowBand', # 0x188 'NtUserGetUpdateRgn', # 0x189 'NtUserGetUpdateRect', # 0x18a 'NtUserGetUpdatedClipboardFormats', # 0x18b 'NtUserGetTopLevelWindow', # 0x18c 
'NtUserGetTitleBarInfo', # 0x18d 'NtUserGetThreadState', # 0x18e 'NtUserGetThreadDesktop', # 0x18f 'NtUserGetSystemMenu', # 0x190 'NtUserGetScrollBarInfo', # 0x191 'NtUserGetRegisteredRawInputDevices', # 0x192 'NtUserGetRawInputDeviceList', # 0x193 'NtUserGetRawInputDeviceInfo', # 0x194 'NtUserGetRawInputData', # 0x195 'NtUserGetRawInputBuffer', # 0x196 'NtUserGetProcessWindowStation', # 0x197 'NtUserGetPriorityClipboardFormat', # 0x198 'NtUserGetOpenClipboardWindow', # 0x199 'NtUserGetObjectInformation', # 0x19a 'NtUserGetMouseMovePointsEx', # 0x19b 'NtUserGetMessage', # 0x19c 'NtUserGetMenuItemRect', # 0x19d 'NtUserGetMenuIndex', # 0x19e 'NtUserGetMenuBarInfo', # 0x19f 'NtUserGetListBoxInfo', # 0x1a0 'NtUserGetKeyState', # 0x1a1 'NtUserGetKeyNameText', # 0x1a2 'NtUserGetKeyboardState', # 0x1a3 'NtUserGetKeyboardLayoutName', # 0x1a4 'NtUserGetKeyboardLayoutList', # 0x1a5 'NtUserGetInternalWindowPos', # 0x1a6 'NtUserGetInputLocaleInfo', # 0x1a7 'NtUserGetImeInfoEx', # 0x1a8 'NtUserGetImeHotKey', # 0x1a9 'NtUserGetIconSize', # 0x1aa 'NtUserGetIconInfo', # 0x1ab 'NtUserGetGUIThreadInfo', # 0x1ac 'NtUserGetGuiResources', # 0x1ad 'NtUserGetForegroundWindow', # 0x1ae 'NtUserGetDoubleClickTime', # 0x1af 'NtUserGetDesktopID', # 0x1b0 'NtUserGetDCEx', # 0x1b1 'NtUserGetDC', # 0x1b2 'NtUserGetCursorInfo', # 0x1b3 'NtUserGetCursorFrameInfo', # 0x1b4 'NtUserGetCurrentInputMessageSource', # 0x1b5 'NtUserGetCIMSSM', # 0x1b6 'NtUserGetCPD', # 0x1b7 'NtUserGetControlColor', # 0x1b8 'NtUserGetControlBrush', # 0x1b9 'NtUserGetComboBoxInfo', # 0x1ba 'NtUserGetClipCursor', # 0x1bb 'NtUserGetClipboardViewer', # 0x1bc 'NtUserGetClipboardSequenceNumber', # 0x1bd 'NtUserGetClipboardOwner', # 0x1be 'NtUserGetClipboardFormatName', # 0x1bf 'NtUserGetClipboardData', # 0x1c0 'NtUserGetClassName', # 0x1c1 'NtUserGetClassInfoEx', # 0x1c2 'NtUserGetCaretPos', # 0x1c3 'NtUserGetCaretBlinkTime', # 0x1c4 'NtUserGetAtomName', # 0x1c5 'NtUserGetAsyncKeyState', # 0x1c6 'NtUserGetAppImeLevel', # 0x1c7 
'NtUserGetAncestor', # 0x1c8 'NtUserGetAltTabInfo', # 0x1c9 'NtUserFrostCrashedWindow', # 0x1ca 'NtUserFlashWindowEx', # 0x1cb 'NtUserFindWindowEx', # 0x1cc 'NtUserFindExistingCursorIcon', # 0x1cd 'NtUserFillWindow', # 0x1ce 'NtUserExcludeUpdateRgn', # 0x1cf 'NtUserEvent', # 0x1d0 'NtUserEnumDisplaySettings', # 0x1d1 'NtUserEnumDisplayMonitors', # 0x1d2 'NtUserEnumDisplayDevices', # 0x1d3 'NtUserEndPaint', # 0x1d4 'NtUserEndMenu', # 0x1d5 'NtUserEndDeferWindowPosEx', # 0x1d6 'NtUserEnableScrollBar', # 0x1d7 'NtUserEnableMenuItem', # 0x1d8 'NtUserEmptyClipboard', # 0x1d9 'NtUserDrawMenuBarTemp', # 0x1da 'NtUserDrawIconEx', # 0x1db 'NtUserDrawCaptionTemp', # 0x1dc 'NtUserDrawCaption', # 0x1dd 'NtUserDrawAnimatedRects', # 0x1de 'NtUserDragObject', # 0x1df 'NtUserDragDetect', # 0x1e0 'NtUserHandleDelegatedInput', # 0x1e1 'NtUserRealChildWindowFromPoint', # 0x1e2 'NtUserQueryWindow', # 0x1e3 'NtUserQuerySendMessage', # 0x1e4 'NtUserQueryInputContext', # 0x1e5 'NtUserQueryInformationThread', # 0x1e6 'NtUserQueryBSDRWindow', # 0x1e7 'NtUserPerMonitorDPIPhysicalToLogicalPoint', # 0x1e8 'NtUserProcessConnect', # 0x1e9 'NtUserPrintWindow', # 0x1ea 'NtUserPostThreadMessage', # 0x1eb 'NtUserPostMessage', # 0x1ec 'NtUserPhysicalToLogicalPoint', # 0x1ed 'NtUserPeekMessage', # 0x1ee 'NtUserPaintMonitor', # 0x1ef 'NtUserPaintDesktop', # 0x1f0 'NtUserOpenWindowStation', # 0x1f1 'NtUserOpenThreadDesktop', # 0x1f2 'NtUserOpenInputDesktop', # 0x1f3 'NtUserOpenDesktop', # 0x1f4 'NtUserOpenClipboard', # 0x1f5 'NtUserNotifyWinEvent', # 0x1f6 'NtUserNotifyProcessCreate', # 0x1f7 'NtUserNotifyIMEStatus', # 0x1f8 'NtUserMoveWindow', # 0x1f9 'NtUserModifyUserStartupInfoFlags', # 0x1fa 'NtUserMNDragOver', # 0x1fb 'NtUserMNDragLeave', # 0x1fc 'NtUserMinMaximize', # 0x1fd 'NtUserMessageCall', # 0x1fe 'NtUserMenuItemFromPoint', # 0x1ff 'NtUserMapVirtualKeyEx', # 0x200 'NtUserLayoutCompleted', # 0x201 'NtUserLogicalToPerMonitorDPIPhysicalPoint', # 0x202 'NtUserLogicalToPhysicalPoint', # 0x203 
'NtUserLockWorkStation', # 0x204 'NtUserLockWindowUpdate', # 0x205 'NtUserLockWindowStation', # 0x206 'NtUserLoadKeyboardLayoutEx', # 0x207 'NtUserKillTimer', # 0x208 'NtUserIsTopLevelWindow', # 0x209 'NtUserIsClipboardFormatAvailable', # 0x20a 'NtUserInvalidateRgn', # 0x20b 'NtUserInvalidateRect', # 0x20c 'NtUserInternalGetWindowIcon', # 0x20d 'NtUserInternalGetWindowText', # 0x20e 'NtUserInitTask', # 0x20f 'NtUserInitializeClientPfnArrays', # 0x210 'NtUserInitialize', # 0x211 'NtUserImpersonateDdeClientWindow', # 0x212 'NtUserHungWindowFromGhostWindow', # 0x213 'NtUserHiliteMenuItem', # 0x214 'NtUserHideCaret', # 0x215 'NtUserHardErrorControl', # 0x216 'NtUserRealInternalGetMessage', # 0x217 'NtUserRealWaitMessageEx', # 0x218 'NtUserTranslateMessage', # 0x219 'NtUserTranslateAccelerator', # 0x21a 'NtUserPaintMenuBar', # 0x21b 'NtUserCalcMenuBar', # 0x21c 'NtUserCalculatePopupWindowPosition', # 0x21d 'NtUserTrackPopupMenuEx', # 0x21e 'NtUserTrackMouseEvent', # 0x21f 'NtUserToUnicodeEx', # 0x220 'NtUserThunkedMenuItemInfo', # 0x221 'NtUserThunkedMenuInfo', # 0x222 'NtUserTestForInteractiveUser', # 0x223 'NtUserSendEventMessage', # 0x224 'NtUserSystemParametersInfo', # 0x225 'NtUserSwitchDesktop', # 0x226 'NtUserSoundSentry', # 0x227 'NtUserShutdownReasonDestroy', # 0x228 'NtUserShutdownBlockReasonQuery', # 0x229 'NtUserShutdownBlockReasonCreate', # 0x22a 'NtUserShowWindowAsync', # 0x22b 'NtUserShowWindow', # 0x22c 'NtUserShowScrollBar', # 0x22d 'NtUserShowCaret', # 0x22e 'NtUserSetWinEventHook', # 0x22f 'NtUserSetWindowWord', # 0x230 'NtUserSetWindowStationUser', # 0x231 'NtUserSetWindowsHookEx', # 0x232 'NtUserSetWindowsHookAW', # 0x233 'NtUserSetWindowRgnEx', # 0x234 'NtUserGetWindowRgnEx', # 0x235 'NtUserSetWindowRgn', # 0x236 'NtUserSetWindowPos', # 0x237 'NtUserSetWindowPlacement', # 0x238 'NtUserSetWindowLong', # 0x239 'NtUserSetWindowFNID', # 0x23a 'NtUserSetWindowDisplayAffinity', # 0x23b 'NtUserSetWindowCompositionTransition', # 0x23c 
'NtUserUpdateDefaultDesktopThumbnail', # 0x23d 'NtUserSetWindowCompositionAttribute', # 0x23e 'NtUserSetWindowBand', # 0x23f 'NtUserSetProcessUIAccessZorder', # 0x240 'NtUserSetProcessDpiAwareness', # 0x241 'NtUserSetTimer', # 0x242 'NtUserSetThreadState', # 0x243 'NtUserSetThreadLayoutHandles', # 0x244 'NtUserSetThreadDesktop', # 0x245 'NtUserSetThreadInputBlocked', # 0x246 'NtUserSetSystemTimer', # 0x247 'NtUserSetSystemMenu', # 0x248 'NtUserSetSystemCursor', # 0x249 'NtUserSetSysColors', # 0x24a 'NtUserSetShellWindowEx', # 0x24b 'NtUserSetImmersiveBackgroundWindow', # 0x24c 'NtUserSetScrollInfo', # 0x24d 'NtUserSetProp', # 0x24e 'NtUserGetProp', # 0x24f 'NtUserSetProcessWindowStation', # 0x250 'NtUserSetParent', # 0x251 'NtUserSetObjectInformation', # 0x252 'NtUserSetMenuFlagRtoL', # 0x253 'NtUserSetMenuDefaultItem', # 0x254 'NtUserSetMenuContextHelpId', # 0x255 'NtUserSetMenu', # 0x256 'NtUserSetKeyboardState', # 0x257 'NtUserSetInternalWindowPos', # 0x258 'NtUserSetInformationThread', # 0x259 'NtUserSetImeOwnerWindow', # 0x25a 'NtUserSetImeInfoEx', # 0x25b 'NtUserSetImeHotKey', # 0x25c 'NtUserSetFocus', # 0x25d 'NtUserSetCursorIconData', # 0x25e 'NtUserSetCursorContents', # 0x25f 'NtUserSetCursor', # 0x260 'NtUserSetClipboardViewer', # 0x261 'NtUserSetClipboardData', # 0x262 'NtUserSetClassWord', # 0x263 'NtUserSetClassLong', # 0x264 'NtUserSetChildWindowNoActivate', # 0x265 'NtUserSetCapture', # 0x266 'NtUserSetAppImeLevel', # 0x267 'NtUserSetActiveWindow', # 0x268 'NtUserSendInput', # 0x269 'NtUserSelectPalette', # 0x26a 'NtUserScrollWindowEx', # 0x26b 'NtUserScrollDC', # 0x26c 'NtUserSBGetParms', # 0x26d 'NtUserResolveDesktopForWOW', # 0x26e 'NtUserRemoveProp', # 0x26f 'NtUserRemoveMenu', # 0x270 'NtUserRemoveClipboardFormatListener', # 0x271 'NtUserRegisterWindowMessage', # 0x272 'NtUserRegisterTasklist', # 0x273 'NtUserRegisterServicesProcess', # 0x274 'NtUserRegisterRawInputDevices', # 0x275 'NtUserRegisterHotKey', # 0x276 'NtUserRegisterUserApiHook', # 
0x277 'NtUserRegisterErrorReportingDialog', # 0x278 'NtUserRegisterClassExWOW', # 0x279 'NtUserRegisterBSDRWindow', # 0x27a 'NtUserRedrawWindow', # 0x27b 'NtUserUndelegateInput', # 0x27c 'NtUserGetWindowMinimizeRect', # 0x27d 'NtUserDwmStopRedirection', # 0x27e 'NtUserDwmStartRedirection', # 0x27f 'NtUserDwmGetRemoteSessionOcclusionEvent', # 0x280 'NtUserDwmGetRemoteSessionOcclusionState', # 0x281 'NtUserUpdateWindowTransform', # 0x282 'NtUserCheckProcessSession', # 0x283 'NtUserUnregisterSessionPort', # 0x284 'NtUserRegisterSessionPort', # 0x285 'NtUserCtxDisplayIOCtl', # 0x286 'NtUserRemoteStopScreenUpdates', # 0x287 'NtUserRemoteRedrawScreen', # 0x288 'NtUserRemoteRedrawRectangle', # 0x289 'NtUserRemoteConnect', # 0x28a 'NtUserWaitAvailableMessageEx', # 0x28b 'NtUserWindowFromPoint', # 0x28c 'NtUserWindowFromPhysicalPoint', # 0x28d 'NtUserWaitMessage', # 0x28e 'NtUserWaitForMsgAndEvent', # 0x28f 'NtUserWaitForInputIdle', # 0x290 'NtUserVkKeyScanEx', # 0x291 'NtUserValidateTimerCallback', # 0x292 'NtUserValidateRect', # 0x293 'NtUserValidateHandleSecure', # 0x294 'NtUserUserHandleGrantAccess', # 0x295 'NtUserUpdatePerUserSystemParameters', # 0x296 'NtUserSetLayeredWindowAttributes', # 0x297 'NtUserGetLayeredWindowAttributes', # 0x298 'NtUserUpdateLayeredWindow', # 0x299 'NtUserUpdateInstance', # 0x29a 'NtUserUpdateInputContext', # 0x29b 'NtUserUnregisterHotKey', # 0x29c 'NtUserUnregisterUserApiHook', # 0x29d 'NtUserUnregisterClass', # 0x29e 'NtUserUnlockWindowStation', # 0x29f 'NtUserUnloadKeyboardLayout', # 0x2a0 'NtUserUnhookWinEvent', # 0x2a1 'NtUserUnhookWindowsHookEx', # 0x2a2 'NtUserGetTouchInputInfo', # 0x2a3 'NtUserIsTouchWindow', # 0x2a4 'NtUserModifyWindowTouchCapability', # 0x2a5 'NtGdiEngStretchBltROP', # 0x2a6 'NtGdiEngTextOut', # 0x2a7 'NtGdiEngTransparentBlt', # 0x2a8 'NtGdiEngGradientFill', # 0x2a9 'NtGdiEngAlphaBlend', # 0x2aa 'NtGdiEngLineTo', # 0x2ab 'NtGdiEngPaint', # 0x2ac 'NtGdiEngStrokeAndFillPath', # 0x2ad 'NtGdiEngFillPath', # 0x2ae 
'NtGdiEngStrokePath', # 0x2af 'NtGdiEngMarkBandingSurface', # 0x2b0 'NtGdiEngPlgBlt', # 0x2b1 'NtGdiEngStretchBlt', # 0x2b2 'NtGdiEngBitBlt', # 0x2b3 'NtGdiEngLockSurface', # 0x2b4 'NtGdiEngUnlockSurface', # 0x2b5 'NtGdiEngEraseSurface', # 0x2b6 'NtGdiEngDeleteSurface', # 0x2b7 'NtGdiEngDeletePalette', # 0x2b8 'NtGdiEngCopyBits', # 0x2b9 'NtGdiEngComputeGlyphSet', # 0x2ba 'NtGdiEngCreatePalette', # 0x2bb 'NtGdiEngCreateDeviceBitmap', # 0x2bc 'NtGdiEngCreateDeviceSurface', # 0x2bd 'NtGdiEngCreateBitmap', # 0x2be 'NtGdiEngAssociateSurface', # 0x2bf 'NtUserSetWindowFeedbackSetting', # 0x2c0 'NtUserRegisterEdgy', # 0x2c1 'NtUserGetWindowFeedbackSetting', # 0x2c2 'NtUserHidePointerContactVisualization', # 0x2c3 'NtUserGetTouchValidationStatus', # 0x2c4 'NtUserInitializeTouchInjection', # 0x2c5 'NtUserInjectTouchInput', # 0x2c6 'NtUserRegisterTouchHitTestingWindow', # 0x2c7 'NtUserSetDisplayMapping', # 0x2c8 'NtUserSetCalibrationData', # 0x2c9 'NtUserGetPhysicalDeviceRect', # 0x2ca 'NtUserRegisterTouchPadCapable', # 0x2cb 'NtUserGetRawPointerDeviceData', # 0x2cc 'NtUserGetPointerDeviceCursors', # 0x2cd 'NtUserGetPointerDeviceRects', # 0x2ce 'NtUserRegisterPointerDeviceNotifications', # 0x2cf 'NtUserGetPointerDeviceProperties', # 0x2d0 'NtUserGetPointerDevice', # 0x2d1 'NtUserGetPointerDevices', # 0x2d2 'NtUserEnableTouchPad', # 0x2d3 'NtUserGetPrecisionTouchPadConfiguration', # 0x2d4 'NtUserSetPrecisionTouchPadConfiguration', # 0x2d5 'NtUserPromotePointer', # 0x2d6 'NtUserDiscardPointerFrameMessages', # 0x2d7 'NtUserRegisterPointerInputTarget', # 0x2d8 'NtUserGetPointerInputTransform', # 0x2d9 'NtUserGetPointerInfoList', # 0x2da 'NtUserGetPointerCursorId', # 0x2db 'NtUserGetPointerType', # 0x2dc 'NtUserGetGestureConfig', # 0x2dd 'NtUserSetGestureConfig', # 0x2de 'NtUserGetGestureExtArgs', # 0x2df 'NtUserGetGestureInfo', # 0x2e0 'NtUserInjectGesture', # 0x2e1 'NtUserChangeWindowMessageFilterEx', # 0x2e2 'NtGdiXLATEOBJ_hGetColorTransform', # 0x2e3 'NtGdiXLATEOBJ_iXlate', # 
0x2e4 'NtGdiXLATEOBJ_cGetPalette', # 0x2e5 'NtGdiEngDeleteClip', # 0x2e6 'NtGdiEngCreateClip', # 0x2e7 'NtGdiEngDeletePath', # 0x2e8 'NtGdiCLIPOBJ_ppoGetPath', # 0x2e9 'NtGdiCLIPOBJ_cEnumStart', # 0x2ea 'NtGdiCLIPOBJ_bEnum', # 0x2eb 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x2ec 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x2ed 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x2ee 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x2ef 'NtGdiXFORMOBJ_iGetXform', # 0x2f0 'NtGdiXFORMOBJ_bApplyXform', # 0x2f1 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x2f2 'NtGdiFONTOBJ_pfdg', # 0x2f3 'NtGdiFONTOBJ_pifi', # 0x2f4 'NtGdiFONTOBJ_cGetGlyphs', # 0x2f5 'NtGdiFONTOBJ_pxoGetXform', # 0x2f6 'NtGdiFONTOBJ_vGetInfo', # 0x2f7 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x2f8 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x2f9 'NtGdiSTROBJ_dwGetCodePage', # 0x2fa 'NtGdiSTROBJ_vEnumStart', # 0x2fb 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x2fc 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x2fd 'NtGdiSTROBJ_bEnum', # 0x2fe 'NtGdiPATHOBJ_bEnumClipLines', # 0x2ff 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x300 'NtGdiPATHOBJ_vEnumStart', # 0x301 'NtGdiPATHOBJ_bEnum', # 0x302 'NtGdiPATHOBJ_vGetBounds', # 0x303 'NtGdiEngCheckAbort', # 0x304 'NtGdiGetDhpdev', # 0x305 'NtGdiHT_Get8BPPMaskPalette', # 0x306 'NtGdiHT_Get8BPPFormatPalette', # 0x307 'NtGdiUpdateTransform', # 0x308 'NtGdiUMPDEngFreeUserMem', # 0x309 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x30a 'NtGdiSetPUMPDOBJ', # 0x30b 'NtGdiSetUMPDSandboxState', # 0x30c 'NtGdiDrawStream', # 0x30d 'NtGdiHLSurfSetInformation', # 0x30e 'NtGdiHLSurfGetInformation', # 0x30f 'NtGdiDwmCreatedBitmapRemotingOutput', # 0x310 'NtGdiDdDDIGetScanLine', # 0x311 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x312 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x313 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x314 'NtGdiDdDDIGetContextSchedulingPriority', # 0x315 'NtGdiDdDDISetContextSchedulingPriority', # 0x316 'NtGdiDdDDIDestroyDCFromMemory', # 0x317 'NtGdiDdDDICreateDCFromMemory', # 0x318 'NtGdiDdDDIGetDeviceState', # 0x319 
'NtGdiDdDDISetGammaRamp', # 0x31a 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x31b 'NtGdiDdDDIDestroyOverlay', # 0x31c 'NtGdiDdDDIFlipOverlay', # 0x31d 'NtGdiDdDDIUpdateOverlay', # 0x31e 'NtGdiDdDDICreateOverlay', # 0x31f 'NtGdiDdDDIGetPresentQueueEvent', # 0x320 'NtGdiDdDDIGetPresentHistory', # 0x321 'NtGdiDdDDISetVidPnSourceOwner1', # 0x322 'NtGdiDdDDISetVidPnSourceOwner', # 0x323 'NtGdiDdDDIQueryStatistics', # 0x324 'NtGdiDdDDIEscape', # 0x325 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x326 'NtGdiDdDDICloseAdapter', # 0x327 'NtGdiDdDDIOpenAdapterFromLuid', # 0x328 'NtGdiDdDDIEnumAdapters', # 0x329 'NtGdiDdDDIOpenAdapterFromHdc', # 0x32a 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x32b 'NtGdiDdDDIRender', # 0x32c 'NtGdiDdDDIPresent', # 0x32d 'NtGdiDdDDIGetMultisampleMethodList', # 0x32e 'NtGdiDdDDISetDisplayMode', # 0x32f 'NtGdiDdDDIGetDisplayModeList', # 0x330 'NtGdiDdDDIUnlock', # 0x331 'NtGdiDdDDILock', # 0x332 'NtGdiDdDDIQueryAdapterInfo', # 0x333 'NtGdiDdDDIGetRuntimeData', # 0x334 'NtGdiDdDDISignalSynchronizationObject', # 0x335 'NtGdiDdDDIWaitForSynchronizationObject', # 0x336 'NtGdiDdDDIDestroySynchronizationObject', # 0x337 'NtGdiDdDDIOpenSynchronizationObject', # 0x338 'NtGdiDdDDICreateSynchronizationObject', # 0x339 'NtGdiDdDDIDestroyContext', # 0x33a 'NtGdiDdDDICreateContext', # 0x33b 'NtGdiDdDDIDestroyDevice', # 0x33c 'NtGdiDdDDICreateDevice', # 0x33d 'NtGdiDdDDIQueryAllocationResidency', # 0x33e 'NtGdiDdDDISetAllocationPriority', # 0x33f 'NtGdiDdDDIDestroyAllocation', # 0x340 'NtGdiDdDDIOpenResourceFromNtHandle', # 0x341 'NtGdiDdDDIOpenSyncObjectFromNtHandle', # 0x342 'NtGdiDdDDIOpenResource', # 0x343 'NtGdiDdDDIOpenNtHandleFromName', # 0x344 'NtGdiDdDDIShareObjects', # 0x345 'NtGdiDdDDIQueryResourceInfoFromNtHandle', # 0x346 'NtGdiDdDDIQueryResourceInfo', # 0x347 'NtGdiDdDDICreateAllocation', # 0x348 'NtGdiDdDDIOutputDuplReleaseFrame', # 0x349 'NtGdiDdDDIQueryRemoteVidPnSourceFromGdiDisplayName', # 0x34a 'NtGdiDdDDIOutputDuplPresent', # 0x34b 
'NtGdiDdDDIReleaseKeyedMutex2', # 0x34c 'NtGdiDdDDIAcquireKeyedMutex2', # 0x34d 'NtGdiDdDDIOpenKeyedMutex2', # 0x34e 'NtGdiDdDDICreateKeyedMutex2', # 0x34f 'NtGdiDdDDIOutputDuplGetPointerShapeData', # 0x350 'NtGdiDdDDIOutputDuplGetMetaData', # 0x351 'NtGdiDdDDIOutputDuplGetFrameInfo', # 0x352 'NtGdiDdDDIDestroyOutputDupl', # 0x353 'NtGdiDdDDICreateOutputDupl', # 0x354 'NtGdiDdDDIReclaimAllocations', # 0x355 'NtGdiDdDDIOfferAllocations', # 0x356 'NtGdiDdDDICheckSharedResourceAccess', # 0x357 'NtGdiDdDDICheckVidPnExclusiveOwnership', # 0x358 'NtGdiDdDDIGetOverlayState', # 0x359 'NtGdiDdDDIConfigureSharedResource', # 0x35a 'NtGdiDdDDIReleaseKeyedMutex', # 0x35b 'NtGdiDdDDIAcquireKeyedMutex', # 0x35c 'NtGdiDdDDIDestroyKeyedMutex', # 0x35d 'NtGdiDdDDIOpenKeyedMutex', # 0x35e 'NtGdiDdDDICreateKeyedMutex', # 0x35f 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x360 'NtGdiDdDDISharedPrimaryLockNotification', # 0x361 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x362 'NtGdiDdDDICheckExclusiveOwnership', # 0x363 'NtGdiDdDDICheckMonitorPowerState', # 0x364 'NtGdiDdDDIWaitForIdle', # 0x365 'NtGdiDdDDICheckOcclusion', # 0x366 'NtGdiDdDDIInvalidateActiveVidPn', # 0x367 'NtGdiDdDDIPollDisplayChildren', # 0x368 'NtGdiDdDDISetQueuedLimit', # 0x369 'NtGdiDdDDIPinDirectFlipResources', # 0x36a 'NtGdiDdDDIUnpinDirectFlipResources', # 0x36b 'NtGdiDdDDIWaitForVerticalBlankEvent2', # 0x36c 'NtGdiDdDDISetContextInProcessSchedulingPriority', # 0x36d 'NtGdiDdDDIGetContextInProcessSchedulingPriority', # 0x36e 'NtGdiDdDDIGetSharedResourceAdapterLuid', # 0x36f 'NtGdiDdDDISetStereoEnabled', # 0x370 'NtGdiDdDDIPresentMultiPlaneOverlay', # 0x371 'NtGdiDdDDICheckMultiPlaneOverlaySupport', # 0x372 'NtGdiDdDDIGetCachedHybridQueryValue', # 0x373 'NtGdiDdDDICacheHybridQueryValue', # 0x374 'NtGdiDdDDINetDispGetNextChunkInfo', # 0x375 'NtGdiDdDDINetDispQueryMiracastDisplayDeviceSupport', # 0x376 'NtGdiDdDDINetDispStartMiracastDisplayDevice', # 0x377 'NtGdiDdDDINetDispStopMiracastDisplayDevice', # 0x378 
'NtGdiDdDDINetDispQueryMiracastDisplayDeviceStatus', # 0x379 'NtGdiMakeObjectUnXferable', # 0x37a 'NtGdiMakeObjectXferable', # 0x37b 'NtGdiDestroyPhysicalMonitor', # 0x37c 'NtGdiGetPhysicalMonitorDescription', # 0x37d 'NtGdiGetPhysicalMonitors', # 0x37e 'NtGdiGetNumberOfPhysicalMonitors', # 0x37f 'NtGdiDDCCIGetTimingReport', # 0x380 'NtGdiDDCCIGetCapabilitiesString', # 0x381 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x382 'NtGdiDDCCISaveCurrentSettings', # 0x383 'NtGdiDDCCISetVCPFeature', # 0x384 'NtGdiDDCCIGetVCPFeature', # 0x385 'NtGdiDdQueryVisRgnUniqueness', # 0x386 'NtGdiDdDestroyFullscreenSprite', # 0x387 'NtGdiDdNotifyFullscreenSpriteUpdate', # 0x388 'NtGdiDdCreateFullscreenSprite', # 0x389 'NtUserShowSystemCursor', # 0x38a 'NtUserSetMirrorRendering', # 0x38b 'NtUserMagGetContextInformation', # 0x38c 'NtUserMagSetContextInformation', # 0x38d 'NtUserMagControl', # 0x38e 'NtUserSlicerControl', # 0x38f 'NtUserHwndSetRedirectionInfo', # 0x390 'NtUserHwndQueryRedirectionInfo', # 0x391 'NtCreateCompositionSurfaceHandle', # 0x392 'NtValidateCompositionSurfaceHandle', # 0x393 'NtBindCompositionSurface', # 0x394 'NtUnBindCompositionSurface', # 0x395 'NtQueryCompositionSurfaceBinding', # 0x396 'NtNotifyPresentToCompositionSurface', # 0x397 'NtQueryCompositionSurfaceStatistics', # 0x398 'NtOpenCompositionSurfaceSectionInfo', # 0x399 'NtOpenCompositionSurfaceSwapChainHandleInfo', # 0x39a 'NtQueryCompositionSurfaceRenderingRealization', # 0x39b 'NtOpenCompositionSurfaceDirtyRegion', # 0x39c 'NtSetCompositionSurfaceOutOfFrameDirectFlipNotification', # 0x39d 'NtSetCompositionSurfaceStatistics', # 0x39e 'NtSetCompositionSurfaceBufferCompositionMode', # 0x39f 'NtSetCompositionSurfaceIndependentFlipInfo', # 0x3a0 'NtCreateCompositionInputSink', # 0x3a1 'NtDuplicateCompositionInputSink', # 0x3a2 'NtQueryCompositionInputSink', # 0x3a3 'NtQueryCompositionInputSinkLuid', # 0x3a4 'NtUpdateInputSinkTransforms', # 0x3a5 'NtCompositionInputThread', # 0x3a6 
'NtTokenManagerOpenSection', # 0x3a7 'NtTokenManagerOpenEvent', # 0x3a8 'NtTokenManagerThread', # 0x3a9 'NtTokenManagerGetOutOfFrameDirectFlipSurfaceUpdates', # 0x3aa 'NtTokenManagerDeleteOutstandingDirectFlipTokens', # 0x3ab 'NtTokenManagerCreateCompositionTokenHandle', # 0x3ac 'NtDCompositionBeginFrame', # 0x3ad 'NtDCompositionConfirmFrame', # 0x3ae 'NtDCompositionRetireFrame', # 0x3af 'NtDCompositionDiscardFrame', # 0x3b0 'NtDCompositionGetFrameSurfaceUpdates', # 0x3b1 'NtDCompositionGetFrameLegacyTokens', # 0x3b2 'NtDCompositionDestroyConnection', # 0x3b3 'NtDCompositionGetConnectionBatch', # 0x3b4 'NtDCompositionGetFrameStatistics', # 0x3b5 'NtDCompositionGetDeletedResources', # 0x3b6 'NtDCompositionSetResourceDeletedNotificationTag', # 0x3b7 'NtDCompositionCreateConnection', # 0x3b8 'NtDCompositionDestroyChannel', # 0x3b9 'NtDCompositionReleaseAllResources', # 0x3ba 'NtDCompositionSubmitDWMBatch', # 0x3bb 'NtDCompositionCommitChannel', # 0x3bc 'NtDCompositionWaitForChannel', # 0x3bd 'NtDCompositionSetChannelCommitCompletionEvent', # 0x3be 'NtDCompositionTelemetryTouchInteractionBegin', # 0x3bf 'NtDCompositionTelemetryTouchInteractionUpdate', # 0x3c0 'NtDCompositionTelemetryTouchInteractionEnd', # 0x3c1 'NtDCompositionTelemetrySetApplicationId', # 0x3c2 'NtDCompositionTelemetryAnimationScenarioBegin', # 0x3c3 'NtDCompositionTelemetryAnimationScenarioReference', # 0x3c4 'NtDCompositionTelemetryAnimationScenarioUnreference', # 0x3c5 'NtDCompositionCurrentBatchId', # 0x3c6 'NtDCompositionReleaseResource', # 0x3c7 'NtDCompositionRemoveCrossDeviceVisualChild', # 0x3c8 'NtDCompositionRemoveVisualChild', # 0x3c9 'NtDCompositionAddCrossDeviceVisualChild', # 0x3ca 'NtDCompositionAddVisualChild', # 0x3cb 'NtDCompositionReplaceVisualChildren', # 0x3cc 'NtDCompositionSetResourceAnimationProperty', # 0x3cd 'NtDCompositionSetResourceReferenceArrayProperty', # 0x3ce 'NtDCompositionSetResourceReferenceProperty', # 0x3cf 'NtDCompositionSetResourceBufferProperty', # 0x3d0 
'NtDCompositionSetResourceIntegerProperty', # 0x3d1 'NtDCompositionSetResourceFloatProperty', # 0x3d2 'NtDCompositionSetResourceHandleProperty', # 0x3d3 'NtDCompositionCreateResource', # 0x3d4 'NtDCompositionOpenSharedResource', # 0x3d5 'NtDCompositionOpenSharedResourceHandle', # 0x3d6 'NtDCompositionCreateDwmChannel', # 0x3d7 'NtDCompositionCreateChannel', # 0x3d8 'NtDCompositionSynchronize', # 0x3d9 'NtDCompositionDwmSyncFlush', # 0x3da 'NtDCompositionReferenceSharedResourceOnDwmChannel', # 0x3db 'NtDCompositionSignalGpuFence', # 0x3dc 'NtDCompositionCreateAndBindSharedSection', # 0x3dd 'NtDCompositionSetDebugCounter', # 0x3de 'NtDCompositionGetChannels', # 0x3df 'NtDCompositionConnectPipe', # 0x3e0 'NtDCompositionRegisterThumbnailVisual', # 0x3e1 'NtDCompositionDuplicateHandleToProcess', # 0x3e2 'NtUserDestroyDCompositionHwndTarget', # 0x3e3 'NtUserCreateDCompositionHwndTarget', # 0x3e4 'NtUserWaitForRedirectionStartComplete', # 0x3e5 'NtUserSignalRedirectionStartComplete', # 0x3e6 'NtUserSetActiveProcess', # 0x3e7 'NtUserGetDisplayAutoRotationPreferencesByProcessId', # 0x3e8 'NtUserGetDisplayAutoRotationPreferences', # 0x3e9 'NtUserSetDisplayAutoRotationPreferences', # 0x3ea 'NtUserSetAutoRotation', # 0x3eb 'NtUserGetAutoRotationState', # 0x3ec 'NtUserAutoRotateScreen', # 0x3ed 'NtUserAcquireIAMKey', # 0x3ee 'NtUserSetActivationFilter', # 0x3ef 'NtUserSetFallbackForeground', # 0x3f0 'NtUserSetBrokeredForeground', # 0x3f1 'NtUserDisableImmersiveOwner', # 0x3f2 'NtUserClearForeground', # 0x3f3 'NtUserEnableIAMAccess', # 0x3f4 'NtUserGetProcessUIContextInformation', # 0x3f5 'NtUserSetProcessRestrictionExemption', # 0x3f6 'NtUserEnableMouseInPointer', # 0x3f7 'NtUserIsMouseInPointerEnabled', # 0x3f8 'NtUserPromoteMouseInPointer', # 0x3f9 'NtUserAutoPromoteMouseInPointer', # 0x3fa 'NtUserEnableMouseInputForCursorSuppression', # 0x3fb 'NtUserIsMouseInputEnabled', # 0x3fc 'NtUserInternalClipCursor', # 0x3fd 'NtUserCheckProcessForClipboardAccess', # 0x3fe 
'NtUserGetClipboardAccessToken', # 0x3ff 'NtUserGetQueueEventStatus', # 0x400 'NtUserCompositionInputSinkLuidFromPoint', # 0x401 'NtUserUpdateWindowInputSinkHints', # 0x402 'NtUserTransformPoint', # 0x403 'NtUserTransformRect', # 0x404 'NtUserGetHimetricScaleFactorFromPixelLocation', # 0x405 'NtUserGetProcessDpiAwareness', # 0x406 'NtUserGetDpiForMonitor', # 0x407 'NtUserReportInertia', # 0x408 'NtUserLinkDpiCursor', # 0x409 'NtUserGetCursorDims', # 0x40a 'NtUserGetOwnerTransformedMonitorRect', # 0x40b ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win10_x64_1AC738FB_vtypes.py0000644000000000000000000267156413131215405031122 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x708, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'NtBuildNumber' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : 
[ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'BootId' : [ 0x2c4, ['unsigned long']], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'Reserved12' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgMultiSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCall' : [ 0x308, ['unsigned long']], 'SystemCallPad0' : [ 0x30c, ['unsigned long']], 'SystemCallPad' : [ 0x310, ['array', 2, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrementShift' : [ 0x368, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x369, ['unsigned char']], 'UnparkedProcessorCount' : [ 
0x36a, ['unsigned short']], 'EnclaveFeatureMask' : [ 0x36c, ['array', 4, ['unsigned long']]], 'Reserved8' : [ 0x37c, ['unsigned long']], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1080' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1080']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1098' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109a' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_1098']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, 
['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_109a']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TEB' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['pointer64', ['void']]]], 'SystemReserved1' : [ 0x190, ['array', 38, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, 
['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'PerflibData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 
'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], 'ReservedForWdf' : [ 0x1818, ['pointer64', ['void']]], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', 
['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0x18, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'CurEntry' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '__unnamed_1108' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1108']], 'QuadPart' : [ 0x0, ['long long']], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', 
['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_RB_TREE' : [ 0x10, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_RTL_BALANCED_NODE' : [ 0x18, { 'Children' : [ 0x0, ['array', 2, ['pointer64', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x10, ['unsigned long long']], } ], '_RTL_AVL_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned 
char']]], } ], '_KPCR' : [ 0x6a80, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x6900, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'ClockOwner' : [ 0x21, ['unsigned char']], 'PendingTickFlags' : [ 0x22, ['unsigned char']], 'PendingTick' : [ 0x22, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'PendingBackupTick' : [ 0x22, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IdleState' : [ 0x23, ['unsigned char']], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PriorityState' : [ 0x38, ['pointer64', ['unsigned char']]], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ParentNode' : [ 0x640, ['pointer64', ['_KNODE']]], 'GroupSetMember' : [ 0x648, ['unsigned long long']], 'Group' : [ 0x650, ['unsigned char']], 'GroupIndex' : [ 0x651, ['unsigned char']], 'PrcbPad05' : [ 0x652, ['array', 2, ['unsigned char']]], 'InitialApicId' : [ 0x654, ['unsigned long']], 'ScbOffset' : [ 0x658, ['unsigned long']], 'ApicMask' : [ 0x65c, ['unsigned long']], 'AcpiReserved' : [ 0x660, ['pointer64', ['void']]], 'CFlushSize' : [ 0x668, ['unsigned long']], 'PrcbPad10' : [ 0x66c, ['unsigned long']], 'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x2080, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PrcbPad20' : [ 0x2c80, ['unsigned long long']], 'DeferredReadyListHead' : [ 
0x2c88, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2c90, ['long']], 'MmCopyOnWriteCount' : [ 0x2c94, ['long']], 'MmTransitionCount' : [ 0x2c98, ['long']], 'MmDemandZeroCount' : [ 0x2c9c, ['long']], 'MmPageReadCount' : [ 0x2ca0, ['long']], 'MmPageReadIoCount' : [ 0x2ca4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x2ca8, ['long']], 'MmDirtyWriteIoCount' : [ 0x2cac, ['long']], 'MmMappedPagesWriteCount' : [ 0x2cb0, ['long']], 'MmMappedWriteIoCount' : [ 0x2cb4, ['long']], 'KeSystemCalls' : [ 0x2cb8, ['unsigned long']], 'KeContextSwitches' : [ 0x2cbc, ['unsigned long']], 'LdtSelector' : [ 0x2cc0, ['unsigned short']], 'PrcbPad40' : [ 0x2cc2, ['unsigned short']], 'CcFastReadNoWait' : [ 0x2cc4, ['unsigned long']], 'CcFastReadWait' : [ 0x2cc8, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x2ccc, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x2cd0, ['unsigned long']], 'CcCopyReadWait' : [ 0x2cd4, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x2cd8, ['unsigned long']], 'IoReadOperationCount' : [ 0x2cdc, ['long']], 'IoWriteOperationCount' : [ 0x2ce0, ['long']], 'IoOtherOperationCount' : [ 0x2ce4, ['long']], 'IoReadTransferCount' : [ 0x2ce8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x2cf0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x2cf8, ['_LARGE_INTEGER']], 'PacketBarrier' : [ 0x2d00, ['long']], 'TargetCount' : [ 0x2d04, ['long']], 'IpiFrozen' : [ 0x2d08, ['unsigned long']], 'IsrDpcStats' : [ 0x2d10, ['pointer64', ['void']]], 'DeviceInterrupts' : [ 0x2d18, ['unsigned long']], 'LookasideIrpFloat' : [ 0x2d1c, ['long']], 'InterruptLastCount' : [ 0x2d20, ['unsigned long']], 'InterruptRate' : [ 0x2d24, ['unsigned long']], 'PrcbPad41' : [ 0x2d28, ['array', 22, ['unsigned long']]], 'DpcData' : [ 0x2d80, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2dd0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2dd8, ['long']], 'DpcRequestRate' : [ 0x2ddc, ['unsigned long']], 'MinimumDpcRate' : [ 0x2de0, ['unsigned long']], 'DpcLastCount' : [ 0x2de4, ['unsigned 
long']], 'ThreadDpcEnable' : [ 0x2de8, ['unsigned char']], 'QuantumEnd' : [ 0x2de9, ['unsigned char']], 'DpcRoutineActive' : [ 0x2dea, ['unsigned char']], 'IdleSchedule' : [ 0x2deb, ['unsigned char']], 'DpcRequestSummary' : [ 0x2dec, ['long']], 'DpcRequestSlot' : [ 0x2dec, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x2dec, ['short']], 'ThreadDpcState' : [ 0x2dee, ['short']], 'DpcNormalProcessingActive' : [ 0x2dec, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x2dec, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x2dec, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x2dec, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x2dec, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x2dec, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x2dec, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x2dec, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x2dec, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x2dec, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2df0, ['unsigned long']], 'LastTick' : [ 0x2df4, ['unsigned long']], 'ClockInterrupts' : [ 0x2df8, ['unsigned long']], 'ReadyScanTick' : [ 0x2dfc, ['unsigned long']], 'InterruptObject' : [ 0x2e00, ['array', 256, ['pointer64', ['void']]]], 'TimerTable' : [ 0x3600, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x5800, ['_KGATE']], 'PrcbPad52' : [ 0x5818, ['pointer64', ['void']]], 'CallDpc' : [ 0x5820, ['_KDPC']], 'ClockKeepAlive' : [ 0x5860, ['long']], 'PrcbPad60' : 
[ 0x5864, ['array', 2, ['unsigned char']]], 'NmiActive' : [ 0x5866, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x5868, ['long']], 'DpcWatchdogCount' : [ 0x586c, ['long']], 'KeSpinLockOrdering' : [ 0x5870, ['long']], 'PrcbPad70' : [ 0x5874, ['array', 1, ['unsigned long']]], 'CachedPtes' : [ 0x5878, ['pointer64', ['void']]], 'WaitListHead' : [ 0x5880, ['_LIST_ENTRY']], 'WaitLock' : [ 0x5890, ['unsigned long long']], 'ReadySummary' : [ 0x5898, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x589c, ['long']], 'QueueIndex' : [ 0x58a0, ['unsigned long']], 'PrcbPad75' : [ 0x58a4, ['array', 3, ['unsigned long']]], 'TimerExpirationDpc' : [ 0x58b0, ['_KDPC']], 'ScbQueue' : [ 0x58f0, ['_RTL_RB_TREE']], 'DispatcherReadyListHead' : [ 0x5900, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x5b00, ['unsigned long']], 'KernelTime' : [ 0x5b04, ['unsigned long']], 'UserTime' : [ 0x5b08, ['unsigned long']], 'DpcTime' : [ 0x5b0c, ['unsigned long']], 'InterruptTime' : [ 0x5b10, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5b14, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x5b18, ['unsigned char']], 'GroupSchedulingOverQuota' : [ 0x5b19, ['unsigned char']], 'DeepSleep' : [ 0x5b1a, ['unsigned char']], 'PrcbPad80' : [ 0x5b1b, ['array', 5, ['unsigned char']]], 'DpcTimeCount' : [ 0x5b20, ['unsigned long']], 'DpcTimeLimit' : [ 0x5b24, ['unsigned long']], 'PeriodicCount' : [ 0x5b28, ['unsigned long']], 'PeriodicBias' : [ 0x5b2c, ['unsigned long']], 'AvailableTime' : [ 0x5b30, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x5b34, ['unsigned long']], 'StartCycles' : [ 0x5b38, ['unsigned long long']], 'TaggedCyclesStart' : [ 0x5b40, ['unsigned long long']], 'TaggedCycles' : [ 0x5b48, ['array', 2, ['unsigned long long']]], 'GenerationTarget' : [ 0x5b58, ['unsigned long long']], 'AffinitizedCycles' : [ 0x5b60, ['unsigned long long']], 'PrcbPad81' : [ 0x5b68, ['array', 29, ['unsigned long']]], 'MmSpinLockOrdering' : [ 0x5bdc, ['long']], 'PageColor' : [ 0x5be0, ['unsigned 
long']], 'NodeColor' : [ 0x5be4, ['unsigned long']], 'NodeShiftedColor' : [ 0x5be8, ['unsigned long']], 'SecondaryColorMask' : [ 0x5bec, ['unsigned long']], 'PrcbPad83' : [ 0x5bf0, ['unsigned long']], 'CycleTime' : [ 0x5bf8, ['unsigned long long']], 'Cycles' : [ 0x5c00, ['array', 4, ['array', 2, ['unsigned long long']]]], 'PrcbPad84' : [ 0x5c40, ['array', 16, ['unsigned long']]], 'CcFastMdlReadNoWait' : [ 0x5c80, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x5c84, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x5c88, ['unsigned long']], 'CcMapDataNoWait' : [ 0x5c8c, ['unsigned long']], 'CcMapDataWait' : [ 0x5c90, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x5c94, ['unsigned long']], 'CcPinReadNoWait' : [ 0x5c98, ['unsigned long']], 'CcPinReadWait' : [ 0x5c9c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x5ca0, ['unsigned long']], 'CcMdlReadWait' : [ 0x5ca4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x5ca8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x5cac, ['unsigned long']], 'CcLazyWritePages' : [ 0x5cb0, ['unsigned long']], 'CcDataFlushes' : [ 0x5cb4, ['unsigned long']], 'CcDataPages' : [ 0x5cb8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x5cbc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x5cc0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x5cc4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x5cc8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x5ccc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x5cd0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x5cd4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x5cd8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x5cdc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x5ce0, ['unsigned long']], 'CcReadAheadIos' : [ 0x5ce4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x5ce8, ['long']], 'MmCacheReadCount' : [ 0x5cec, ['long']], 'MmCacheIoCount' : [ 0x5cf0, ['long']], 'PrcbPad91' : [ 0x5cf4, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x5d00, ['_PROCESSOR_POWER_STATE']], 'ScbList' : [ 0x5ed0, 
['_LIST_ENTRY']], 'PrcbPad92' : [ 0x5ee0, ['array', 7, ['unsigned long']]], 'KeAlignmentFixupCount' : [ 0x5efc, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x5f00, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x5f40, ['_KTIMER']], 'Cache' : [ 0x5f80, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x5fbc, ['unsigned long']], 'CachedCommit' : [ 0x5fc0, ['unsigned long']], 'CachedResidentAvailable' : [ 0x5fc4, ['unsigned long']], 'HyperPte' : [ 0x5fc8, ['pointer64', ['void']]], 'WheaInfo' : [ 0x5fd0, ['pointer64', ['void']]], 'EtwSupport' : [ 0x5fd8, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x5fe0, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x5ff0, ['_SLIST_HEADER']], 'HypercallCachedPages' : [ 0x6000, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x6008, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x6010, ['pointer64', ['unsigned long long']]], 'PackageProcessorSet' : [ 0x6018, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x60c0, ['unsigned long long']], 'SharedReadyQueue' : [ 0x60c8, ['pointer64', ['_KSHARED_READY_QUEUE']]], 'SharedQueueScanOwner' : [ 0x60d0, ['unsigned long']], 'ScanSiblingIndex' : [ 0x60d4, ['unsigned long']], 'CoreProcessorSet' : [ 0x60d8, ['unsigned long long']], 'ScanSiblingMask' : [ 0x60e0, ['unsigned long long']], 'LLCMask' : [ 0x60e8, ['unsigned long long']], 'CacheProcessorMask' : [ 0x60f0, ['array', 5, ['unsigned long long']]], 'ProcessorProfileControlArea' : [ 0x6118, ['pointer64', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x6120, ['pointer64', ['void']]], 'PrcbPad94' : [ 0x6128, ['array', 11, ['unsigned long long']]], 'SynchCounters' : [ 0x6180, ['_SYNCH_COUNTERS']], 'PteBitCache' : [ 0x6238, ['unsigned long long']], 'PteBitOffset' : [ 0x6240, ['unsigned long']], 'FsCounters' : [ 0x6248, ['_FILESYSTEM_DISK_COUNTERS']], 'VendorString' : [ 0x6258, ['array', 13, ['unsigned char']]], 'PrcbPad100' : [ 0x6265, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x6268, ['unsigned long long']], 
'PrcbPad110' : [ 0x6270, ['unsigned long']], 'UpdateSignature' : [ 0x6278, ['_LARGE_INTEGER']], 'Context' : [ 0x6280, ['pointer64', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x6288, ['unsigned long']], 'ExtendedState' : [ 0x6290, ['pointer64', ['_XSAVE_AREA']]], 'IsrStack' : [ 0x6298, ['pointer64', ['void']]], 'EntropyTimingState' : [ 0x62a0, ['_KENTROPY_TIMING_STATE']], 'AbSelfIoBoostsList' : [ 0x63f0, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x63f8, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x6400, ['_KDPC']], 'IoIrpStackProfilerCurrent' : [ 0x6440, ['_IOP_IRP_STACK_PROFILER']], 'IoIrpStackProfilerPrevious' : [ 0x6494, ['_IOP_IRP_STACK_PROFILER']], 'LocalSharedReadyQueue' : [ 0x6500, ['_KSHARED_READY_QUEUE']], 'TimerExpirationTrace' : [ 0x6760, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : [ 0x6860, ['unsigned long']], 'ExSaPageArray' : [ 0x6868, ['pointer64', ['void']]], 'Mailbox' : [ 0x6880, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x68c0, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KFLOATING_SAVE' : [ 0x4, { 'Dummy' : [ 0x0, ['unsigned long']], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_PS_TRUSTLET_CREATE_ATTRIBUTES' : [ 0x18, { 'TrustletIdentity' : [ 0x0, ['unsigned long long']], 'Attributes' : [ 0x8, ['array', 1, ['_PS_TRUSTLET_ATTRIBUTE_DATA']]], } ], '_PS_TRUSTLET_ATTRIBUTE_DATA' : [ 0x10, { 'Header' : [ 0x0, ['_PS_TRUSTLET_ATTRIBUTE_HEADER']], 'Data' : [ 0x8, ['array', 1, ['unsigned long long']]], } ], '_PS_TRUSTLET_ATTRIBUTE_HEADER' : [ 0x8, { 'AttributeType' : [ 0x0, ['_PS_TRUSTLET_ATTRIBUTE_TYPE']], 'InstanceNumber' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } 
], '_TRUSTLET_MAILBOX_KEY' : [ 0x10, { 'SecretValue' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_TRUSTLET_COLLABORATION_ID' : [ 0x10, { 'Value' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_KPROCESS' : [ 0x2d8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long']], 'Spare0' : [ 0x44, ['unsigned long']], 'DeepFreezeStartTime' : [ 0x48, ['unsigned long long']], 'Affinity' : [ 0x50, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0xf8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x108, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x110, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x1b8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x1b8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x1b8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'DeepFreeze' : [ 0x1b8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x1b8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x1b8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SpareFlags0' : [ 0x1b8, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x1b8, ['BitField', dict(start_bit = 8, end_bit = 28, native_type='unsigned long')]], 'ReservedFlags' : [ 0x1b8, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x1b8, ['long']], 'BasePriority' : [ 0x1bc, ['unsigned char']], 'QuantumReset' : [ 0x1bd, ['unsigned char']], 'Visited' : [ 0x1be, ['unsigned char']], 'Flags' : [ 0x1bf, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x1c0, ['array', 20, ['unsigned long']]], 'IdealNode' : [ 0x210, ['array', 20, ['unsigned 
short']]], 'IdealGlobalNode' : [ 0x238, ['unsigned short']], 'Spare1' : [ 0x23a, ['unsigned short']], 'StackCount' : [ 0x23c, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x240, ['_LIST_ENTRY']], 'CycleTime' : [ 0x250, ['unsigned long long']], 'ContextSwitches' : [ 0x258, ['unsigned long long']], 'SchedulingGroup' : [ 0x260, ['pointer64', ['_KSCHEDULING_GROUP']]], 'FreezeCount' : [ 0x268, ['unsigned long']], 'KernelTime' : [ 0x26c, ['unsigned long']], 'UserTime' : [ 0x270, ['unsigned long']], 'LdtFreeSelectorHint' : [ 0x274, ['unsigned short']], 'LdtTableLength' : [ 0x276, ['unsigned short']], 'LdtSystemDescriptor' : [ 0x278, ['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x288, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x290, ['_FAST_MUTEX']], 'InstrumentationCallback' : [ 0x2c8, ['pointer64', ['void']]], 'SecurePid' : [ 0x2d0, ['unsigned long long']], } ], '_KTHREAD' : [ 0x5d8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x18, ['pointer64', ['void']]], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'StackBase' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'CycleTime' : [ 0x48, ['unsigned long long']], 'CurrentRunTime' : [ 0x50, ['unsigned long']], 'ExpectedRunTime' : [ 0x54, ['unsigned long']], 'KernelStack' : [ 0x58, ['pointer64', ['void']]], 'StateSaveArea' : [ 0x60, ['pointer64', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x68, ['pointer64', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x70, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x71, ['unsigned char']], 'Alerted' : [ 0x72, ['array', 2, ['unsigned char']]], 'AutoBoostActive' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x74, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitNext' : [ 0x74, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x74, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Alertable' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x74, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'TimerActive' : [ 0x74, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SystemThread' : [ 0x74, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x74, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CalloutActive' : [ 0x74, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x74, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ApcQueueable' : [ 0x74, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x74, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x74, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'TimerSuspended' : [ 0x74, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SuspendedWaitMode' : [ 0x74, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'SuspendSchedulerApcWait' : [ 0x74, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x74, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 
0x74, ['long']], 'AutoAlignment' : [ 0x78, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x78, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ThreadFlagsSpare0' : [ 0x78, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x78, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x78, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x78, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x78, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x78, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x78, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x78, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x78, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x78, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x78, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x78, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'KernelStackResident' : [ 0x78, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CommitFailTerminateRequest' : [ 0x78, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 
'ProcessStackCountDecremented' : [ 0x78, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ThreadFlagsSpare' : [ 0x78, ['BitField', dict(start_bit = 19, end_bit = 24, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x78, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x78, ['long']], 'Tag' : [ 0x7c, ['unsigned char']], 'SystemHeteroCpuPolicy' : [ 0x7d, ['unsigned char']], 'UserHeteroCpuPolicy' : [ 0x7e, ['BitField', dict(start_bit = 0, end_bit = 7, native_type='unsigned char')]], 'ExplicitSystemHeteroCpuPolicy' : [ 0x7e, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare0' : [ 0x7f, ['unsigned char']], 'SystemCallNumber' : [ 0x80, ['unsigned long']], 'Spare10' : [ 0x84, ['unsigned long']], 'FirstArgument' : [ 0x88, ['pointer64', ['void']]], 'TrapFrame' : [ 0x90, ['pointer64', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x98, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x98, ['array', 43, ['unsigned char']]], 'Priority' : [ 0xc3, ['unsigned char']], 'UserIdealProcessor' : [ 0xc4, ['unsigned long']], 'WaitStatus' : [ 0xc8, ['long long']], 'WaitBlockList' : [ 0xd0, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xd8, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xe8, ['pointer64', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xf0, ['pointer64', ['void']]], 'RelativeTimerBias' : [ 0xf8, ['unsigned long long']], 'Timer' : [ 0x100, ['_KTIMER']], 'WaitBlock' : [ 0x140, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x140, ['array', 20, ['unsigned char']]], 'ContextSwitches' : [ 0x154, ['unsigned long']], 'WaitBlockFill5' : [ 0x140, ['array', 68, ['unsigned char']]], 'State' : [ 0x184, ['unsigned char']], 'Spare13' : [ 0x185, ['unsigned char']], 'WaitIrql' : [ 0x186, ['unsigned char']], 'WaitMode' : [ 0x187, ['unsigned char']], 'WaitBlockFill6' : [ 0x140, ['array', 116, ['unsigned char']]], 'WaitTime' : [ 0x1b4, 
['unsigned long']], 'WaitBlockFill7' : [ 0x140, ['array', 164, ['unsigned char']]], 'KernelApcDisable' : [ 0x1e4, ['short']], 'SpecialApcDisable' : [ 0x1e6, ['short']], 'CombinedApcDisable' : [ 0x1e4, ['unsigned long']], 'WaitBlockFill8' : [ 0x140, ['array', 40, ['unsigned char']]], 'ThreadCounters' : [ 0x168, ['pointer64', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0x140, ['array', 88, ['unsigned char']]], 'XStateSave' : [ 0x198, ['pointer64', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0x140, ['array', 136, ['unsigned char']]], 'Win32Thread' : [ 0x1c8, ['pointer64', ['void']]], 'WaitBlockFill11' : [ 0x140, ['array', 176, ['unsigned char']]], 'Ucb' : [ 0x1f0, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'Uch' : [ 0x1f8, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'TebMappedLowVa' : [ 0x200, ['pointer64', ['void']]], 'QueueListEntry' : [ 0x208, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x218, ['unsigned long']], 'NextProcessorNumber' : [ 0x218, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x218, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x21c, ['long']], 'Process' : [ 0x220, ['pointer64', ['_KPROCESS']]], 'UserAffinity' : [ 0x228, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x228, ['array', 10, ['unsigned char']]], 'PreviousMode' : [ 0x232, ['unsigned char']], 'BasePriority' : [ 0x233, ['unsigned char']], 'PriorityDecrement' : [ 0x234, ['unsigned char']], 'ForegroundBoost' : [ 0x234, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x234, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x235, ['unsigned char']], 'AdjustReason' : [ 0x236, ['unsigned char']], 'AdjustIncrement' : [ 0x237, ['unsigned char']], 'AffinityVersion' : [ 0x238, ['unsigned long long']], 'Affinity' : [ 0x240, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x240, ['array', 10, ['unsigned char']]], 
'ApcStateIndex' : [ 0x24a, ['unsigned char']], 'WaitBlockCount' : [ 0x24b, ['unsigned char']], 'IdealProcessor' : [ 0x24c, ['unsigned long']], 'NpxState' : [ 0x250, ['unsigned long long']], 'SavedApcState' : [ 0x258, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x258, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x283, ['unsigned char']], 'SuspendCount' : [ 0x284, ['unsigned char']], 'Saturation' : [ 0x285, ['unsigned char']], 'SListFaultCount' : [ 0x286, ['unsigned short']], 'SchedulerApc' : [ 0x288, ['_KAPC']], 'SchedulerApcFill0' : [ 0x288, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x289, ['unsigned char']], 'SchedulerApcFill1' : [ 0x288, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x28b, ['unsigned char']], 'SchedulerApcFill2' : [ 0x288, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x28c, ['unsigned long']], 'SchedulerApcFill3' : [ 0x288, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c8, ['pointer64', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x288, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2d0, ['pointer64', ['void']]], 'SchedulerApcFill5' : [ 0x288, ['array', 83, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x2db, ['unsigned char']], 'UserTime' : [ 0x2dc, ['unsigned long']], 'SuspendEvent' : [ 0x2e0, ['_KEVENT']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'AbEntrySummary' : [ 0x318, ['unsigned char']], 'AbWaitEntryCount' : [ 0x319, ['unsigned char']], 'Spare20' : [ 0x31a, ['unsigned short']], 'SecureThreadCookie' : [ 0x31c, ['unsigned long']], 'LockEntries' : [ 0x320, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x560, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x568, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x570, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x580, ['unsigned long']], 'AbCompletedIoBoostCount' : [ 0x584, ['long']], 'KeReferenceCount' : [ 0x588, ['short']], 'AbOrphanedEntrySummary' : [ 0x58a, 
['unsigned char']], 'AbOwnedEntryCount' : [ 0x58b, ['unsigned char']], 'ForegroundLossTime' : [ 0x58c, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x590, ['_LIST_ENTRY']], 'ForegroundDpcStackListEntry' : [ 0x590, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x598, ['unsigned long long']], 'ReadOperationCount' : [ 0x5a0, ['long long']], 'WriteOperationCount' : [ 0x5a8, ['long long']], 'OtherOperationCount' : [ 0x5b0, ['long long']], 'ReadTransferCount' : [ 0x5b8, ['long long']], 'WriteTransferCount' : [ 0x5c0, ['long long']], 'OtherTransferCount' : [ 0x5c8, ['long long']], 'QueuedScb' : [ 0x5d0, ['pointer64', ['_KSCB']]], } ], '_KSTACK_CONTROL' : [ 0x30, { 'StackBase' : [ 0x0, ['unsigned long long']], 'ActualLimit' : [ 0x8, ['unsigned long long']], 'StackExpansion' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_1269' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'HeaderX64' : [ 0x0, ['__unnamed_1269']], } ], 
'_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer64', ['void']]], 'DeleteContext' : [ 0x10, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, 
['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0x100, { 'IdleNonParkedCpuSet' : [ 0x0, ['unsigned long long']], 'IdleSmtSet' : [ 0x8, ['unsigned long long']], 'IdleCpuSet' : [ 0x10, ['unsigned long long']], 'DeepIdleSet' : [ 0x40, ['unsigned long long']], 'IdleConstrainedSet' : [ 0x48, ['unsigned long long']], 'NonParkedSet' : [ 0x50, ['unsigned long long']], 'ParkLock' : [ 0x58, ['long']], 'Seed' : [ 0x5c, ['unsigned long']], 'SiblingMask' : [ 0x80, ['unsigned long']], 'Affinity' : [ 0x88, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x88, ['array', 10, ['unsigned char']]], 'NodeNumber' : [ 0x92, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x94, ['unsigned short']], 
'Stride' : [ 0x96, ['unsigned char']], 'Spare0' : [ 0x97, ['unsigned char']], 'SharedReadyQueueLeaders' : [ 0x98, ['unsigned long long']], 'ProximityId' : [ 0xa0, ['unsigned long']], 'Lowest' : [ 0xa4, ['unsigned long']], 'Highest' : [ 0xa8, ['unsigned long']], 'MaximumProcessors' : [ 0xac, ['unsigned char']], 'Flags' : [ 0xad, ['_flags']], 'Spare10' : [ 0xae, ['unsigned char']], 'HeteroSets' : [ 0xb0, ['array', 5, ['_KHETERO_PROCESSOR_SET']]], } ], '_ENODE' : [ 0x540, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueues' : [ 0x100, ['array', 8, ['pointer64', ['_EX_WORK_QUEUE']]]], 'ExWorkQueue' : [ 0x140, ['_EX_WORK_QUEUE']], 'ExpThreadSetManagerEvent' : [ 0x410, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x428, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x468, ['_KEVENT']], 'WaitBlocks' : [ 0x480, ['array', 3, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x510, ['pointer64', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x518, ['unsigned long']], 'ExWorkerFullInit' : [ 0x51c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x51c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x51c, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x80, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long long']], 'QuotaProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'HandleTableList' : [ 0x18, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], 'StrictFIFO' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x2c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x2c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 
'RaiseUMExceptionOnInvalidHandleClose' : [ 0x2c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x38, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x40, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x40, ['array', 32, ['unsigned char']]], 'DebugInfo' : [ 0x60, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'VolatileLowValue' : [ 0x0, ['long long']], 'LowValue' : [ 0x0, ['long long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'HighValue' : [ 0x8, ['long long']], 'NextFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x8, ['_EXHANDLE']], 'RefCountField' : [ 0x0, ['long long']], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 17, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 20, native_type='unsigned long long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 64, native_type='unsigned long long')]], 'GrantedAccessBits' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Spare1' : [ 0x8, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], 'Spare2' : [ 0xc, ['unsigned long']], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '__unnamed_135c' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, 
['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_135c']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xe0, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xd8, ['unsigned char']], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EPROCESS' : [ 0x788, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x2d8, ['_EX_PUSH_LOCK']], 'RundownProtect' : [ 0x2e0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x2e8, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x2f0, ['_LIST_ENTRY']], 'Flags2' : [ 0x300, ['unsigned long']], 'JobNotReallyActive' : [ 0x300, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x300, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x300, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x300, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x300, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x300, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0x300, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x300, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x300, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x300, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0x300, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0x300, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x300, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x300, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x300, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x300, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x300, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x300, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x300, 
['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x300, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0x300, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0x300, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0x300, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0x300, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0x300, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0x300, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0x300, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0x300, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x304, ['unsigned long']], 'CreateReported' : [ 0x304, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x304, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x304, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x304, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0x304, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x304, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x304, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x304, ['BitField', dict(start_bit = 7, end_bit = 8, 
native_type='unsigned long')]], 'FailFastOnCommitFail' : [ 0x304, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x304, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x304, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x304, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x304, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x304, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x304, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x304, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x304, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x304, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x304, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0x304, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x304, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x304, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x304, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x304, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0x304, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x304, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 
'DefaultIoPriority' : [ 0x304, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x304, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x304, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CreateTime' : [ 0x308, ['_LARGE_INTEGER']], 'ProcessQuotaUsage' : [ 0x310, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x320, ['array', 2, ['unsigned long long']]], 'PeakVirtualSize' : [ 0x330, ['unsigned long long']], 'VirtualSize' : [ 0x338, ['unsigned long long']], 'SessionProcessLinks' : [ 0x340, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0x350, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x350, ['unsigned long long']], 'ExceptionPortState' : [ 0x350, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Token' : [ 0x358, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x360, ['unsigned long long']], 'AddressCreationLock' : [ 0x368, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0x370, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x378, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x380, ['pointer64', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x388, ['pointer64', ['_EJOB']]], 'CloneRoot' : [ 0x390, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x398, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x3a0, ['unsigned long long']], 'Win32Process' : [ 0x3a8, ['pointer64', ['void']]], 'Job' : [ 0x3b0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x3b8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x3c0, ['pointer64', ['void']]], 'Cookie' : [ 0x3c8, ['unsigned long']], 'WorkingSetWatch' : [ 0x3d0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x3d8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x3e0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x3e8, ['pointer64', ['void']]], 'OwnerProcessId' : [ 0x3f0, ['unsigned long long']], 'Peb' : [ 
0x3f8, ['pointer64', ['_PEB']]], 'Session' : [ 0x400, ['pointer64', ['void']]], 'AweInfo' : [ 0x408, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x410, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x418, ['pointer64', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x420, ['pointer64', ['void']]], 'WoW64Process' : [ 0x428, ['pointer64', ['_EWOW64PROCESS']]], 'DeviceMap' : [ 0x430, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x438, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x440, ['unsigned long long']], 'ImageFilePointer' : [ 0x448, ['pointer64', ['_FILE_OBJECT']]], 'ImageFileName' : [ 0x450, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x45f, ['unsigned char']], 'SecurityPort' : [ 0x460, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x468, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x470, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x480, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x488, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x498, ['unsigned long']], 'ImagePathHash' : [ 0x49c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x4a0, ['unsigned long']], 'LastThreadExitStatus' : [ 0x4a4, ['long']], 'PrefetchTrace' : [ 0x4a8, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x4b0, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x4b8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x4c0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x4c8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x4d0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x4d8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x4e0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x4e8, ['unsigned long long']], 'CommitCharge' : [ 0x4f0, ['unsigned long long']], 'CommitChargePeak' : [ 0x4f8, ['unsigned long long']], 'Vm' : [ 0x500, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x5f8, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x608, ['unsigned long']], 'ExitStatus' : [ 0x60c, ['long']], 'VadRoot' : [ 0x610, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x618, ['pointer64', 
['void']]], 'VadCount' : [ 0x620, ['unsigned long long']], 'VadPhysicalPages' : [ 0x628, ['unsigned long long']], 'VadPhysicalPagesLimit' : [ 0x630, ['unsigned long long']], 'AlpcContext' : [ 0x638, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x658, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x668, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x670, ['unsigned long']], 'SmallestTimerResolution' : [ 0x674, ['unsigned long']], 'ExitTime' : [ 0x678, ['_LARGE_INTEGER']], 'InvertedFunctionTable' : [ 0x680, ['pointer64', ['_INVERTED_FUNCTION_TABLE']]], 'InvertedFunctionTableLock' : [ 0x688, ['_EX_PUSH_LOCK']], 'ActiveThreadsHighWatermark' : [ 0x690, ['unsigned long']], 'LargePrivateVadCount' : [ 0x694, ['unsigned long']], 'ThreadListLock' : [ 0x698, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x6a0, ['pointer64', ['void']]], 'Spare0' : [ 0x6a8, ['unsigned long long']], 'SignatureLevel' : [ 0x6b0, ['unsigned char']], 'SectionSignatureLevel' : [ 0x6b1, ['unsigned char']], 'Protection' : [ 0x6b2, ['_PS_PROTECTION']], 'HangCount' : [ 0x6b3, ['unsigned char']], 'Flags3' : [ 0x6b4, ['unsigned long']], 'Minimal' : [ 0x6b4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReplacingPageRoot' : [ 0x6b4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DisableNonSystemFonts' : [ 0x6b4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AuditNonSystemFontLoading' : [ 0x6b4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Crashed' : [ 0x6b4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'JobVadsAreTracked' : [ 0x6b4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'VadTrackingDisabled' : [ 0x6b4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AuxiliaryProcess' : [ 0x6b4, ['BitField', dict(start_bit = 7, end_bit = 8, 
native_type='unsigned long')]], 'SubsystemProcess' : [ 0x6b4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x6b4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'InPrivate' : [ 0x6b4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProhibitRemoteImageMap' : [ 0x6b4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ProhibitLowILImageMap' : [ 0x6b4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SignatureMitigationOptIn' : [ 0x6b4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeviceAsid' : [ 0x6b8, ['long']], 'SvmData' : [ 0x6c0, ['pointer64', ['void']]], 'SvmProcessLock' : [ 0x6c8, ['_EX_PUSH_LOCK']], 'SvmLock' : [ 0x6d0, ['unsigned long long']], 'SvmProcessDeviceListHead' : [ 0x6d8, ['_LIST_ENTRY']], 'LastFreezeInterruptTime' : [ 0x6e8, ['unsigned long long']], 'DiskCounters' : [ 0x6f0, ['pointer64', ['_PROCESS_DISK_COUNTERS']]], 'PicoContext' : [ 0x6f8, ['pointer64', ['void']]], 'TrustletIdentity' : [ 0x700, ['unsigned long long']], 'KeepAliveCounter' : [ 0x708, ['unsigned long']], 'NoWakeKeepAliveCounter' : [ 0x70c, ['unsigned long']], 'HighPriorityFaultsAllowed' : [ 0x710, ['unsigned long']], 'EnergyValues' : [ 0x718, ['pointer64', ['_PROCESS_ENERGY_VALUES']]], 'VmContext' : [ 0x720, ['pointer64', ['void']]], 'SequenceNumber' : [ 0x728, ['unsigned long long']], 'CreateInterruptTime' : [ 0x730, ['unsigned long long']], 'CreateUnbiasedInterruptTime' : [ 0x738, ['unsigned long long']], 'TotalUnbiasedFrozenTime' : [ 0x740, ['unsigned long long']], 'LastAppStateUpdateTime' : [ 0x748, ['unsigned long long']], 'LastAppStateUptime' : [ 0x750, ['BitField', dict(start_bit = 0, end_bit = 61, native_type='unsigned long long')]], 'LastAppState' : [ 0x750, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], 
'SharedCommitCharge' : [ 0x758, ['unsigned long long']], 'SharedCommitLock' : [ 0x760, ['_EX_PUSH_LOCK']], 'SharedCommitLinks' : [ 0x768, ['_LIST_ENTRY']], 'AllowedCpuSets' : [ 0x778, ['unsigned long long']], 'DefaultCpuSets' : [ 0x780, ['unsigned long long']], 'AllowedCpuSetsIndirect' : [ 0x778, ['pointer64', ['unsigned long long']]], 'DefaultCpuSetsIndirect' : [ 0x780, ['pointer64', ['unsigned long long']]], } ], '_EWOW64PROCESS' : [ 0x10, { 'Peb' : [ 0x0, ['pointer64', ['void']]], 'Machine' : [ 0x8, ['unsigned short']], } ], '_ETHREAD' : [ 0x7c0, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x5d8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x5e0, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x5e0, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x5f0, ['pointer64', ['void']]], 'PostBlockList' : [ 0x5f8, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x5f8, ['pointer64', ['void']]], 'StartAddress' : [ 0x600, ['pointer64', ['void']]], 'TerminationPort' : [ 0x608, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x608, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x608, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x610, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x618, ['_LIST_ENTRY']], 'Cid' : [ 0x628, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x638, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x638, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x658, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x660, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x670, ['unsigned long long']], 'DeviceToVerify' : [ 0x678, ['pointer64', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x680, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x688, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x690, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x6a0, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x6a8, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x6b0, ['unsigned long']], 'MmLockOrdering' : [ 0x6b4, ['long']], 'CmLockOrdering' : [ 0x6b8, ['long']], 'CrossThreadFlags' : [ 0x6bc, ['unsigned long']], 
'Terminated' : [ 0x6bc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x6bc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x6bc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x6bc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x6bc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x6bc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x6bc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x6bc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x6bc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x6bc, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x6bc, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x6bc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x6bc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x6bc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x6bc, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x6c0, ['unsigned long']], 'ActiveExWorker' : [ 0x6c0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x6c0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'StoreLockThread' : [ 0x6c0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'ClonedThread' : [ 0x6c0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x6c0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SelfTerminate' : [ 0x6c0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'RespectIoPriority' : [ 0x6c0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ReservedSameThreadPassiveFlags' : [ 0x6c0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x6c4, ['unsigned long']], 'OwnsProcessAddressSpaceExclusive' : [ 0x6c4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x6c4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardFaultBehavior' : [ 0x6c4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x6c4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x6c4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x6c4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Prefetching' : [ 0x6c4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x6c4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x6c5, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x6c5, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x6c8, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x6c9, ['unsigned char']], 'ActiveFaultCount' : [ 0x6ca, ['unsigned char']], 'LockOrderState' : [ 0x6cb, ['unsigned char']], 'AlpcMessageId' : [ 0x6d0, ['unsigned 
long long']], 'AlpcMessage' : [ 0x6d8, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x6d8, ['unsigned long']], 'ExitStatus' : [ 0x6e0, ['long']], 'AlpcWaitListEntry' : [ 0x6e8, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x6f8, ['unsigned long']], 'IoBoostCount' : [ 0x6fc, ['unsigned long']], 'BoostList' : [ 0x700, ['_LIST_ENTRY']], 'DeboostList' : [ 0x710, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x720, ['unsigned long long']], 'IrpListLock' : [ 0x728, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x730, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x738, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x740, ['pointer64', ['_GUID']]], 'SeLearningModeListHead' : [ 0x748, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x750, ['pointer64', ['void']]], 'KernelStackReference' : [ 0x758, ['unsigned long']], 'AdjustedClientToken' : [ 0x760, ['pointer64', ['void']]], 'WorkingOnBehalfClient' : [ 0x768, ['pointer64', ['void']]], 'PropertySet' : [ 0x770, ['_PS_PROPERTY_SET']], 'PicoContext' : [ 0x788, ['pointer64', ['void']]], 'UserFsBase' : [ 0x790, ['unsigned long']], 'UserGsBase' : [ 0x798, ['unsigned long long']], 'EnergyValues' : [ 0x7a0, ['pointer64', ['_THREAD_ENERGY_VALUES']]], 'CmCellReferences' : [ 0x7a8, ['unsigned long']], 'SelectedCpuSets' : [ 0x7b0, ['unsigned long long']], 'SelectedCpuSetsIndirect' : [ 0x7b0, ['pointer64', ['unsigned long long']]], 'Silo' : [ 0x7b8, ['pointer64', ['_EJOB']]], } ], '__unnamed_13c5' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_13cb' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_13cd' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_13cb']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_13d6' : [ 0x58, { 'DeviceQueueEntry' : [ 0x0, 
['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x50, ['pointer64', ['void']]], } ], '__unnamed_13d8' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_13d6']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'AllocationProcessorNumber' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_13c5']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_13cd']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_13d8']], } ], '__unnamed_13df' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_13e3' : [ 0x20, 
{ 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_13e7' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_13e9' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13ed' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 
'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13ef' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_13f1' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 
'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], } ], '__unnamed_13f3' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 
'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, 
['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13f5' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13f7' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_13fb' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMetadataSizeInformation', 14: 'FileFsMaximumInformation'})]], } ], '__unnamed_13fd' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13ff' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1401' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1403' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1405' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1409' : [ 0x10, { 'Vpb' : [ 0x0, 
['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_140d' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1411' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1415' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_1419' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_141d' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1421' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1423' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_1425' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1429' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_142d' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1431' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 
'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_1435' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1439' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1441' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], } ], '__unnamed_1445' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1447' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1449' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_144b' : [ 0x20, { 
'Create' : [ 0x0, ['__unnamed_13df']], 'CreatePipe' : [ 0x0, ['__unnamed_13e3']], 'CreateMailslot' : [ 0x0, ['__unnamed_13e7']], 'Read' : [ 0x0, ['__unnamed_13e9']], 'Write' : [ 0x0, ['__unnamed_13e9']], 'QueryDirectory' : [ 0x0, ['__unnamed_13ed']], 'NotifyDirectory' : [ 0x0, ['__unnamed_13ef']], 'QueryFile' : [ 0x0, ['__unnamed_13f1']], 'SetFile' : [ 0x0, ['__unnamed_13f3']], 'QueryEa' : [ 0x0, ['__unnamed_13f5']], 'SetEa' : [ 0x0, ['__unnamed_13f7']], 'QueryVolume' : [ 0x0, ['__unnamed_13fb']], 'SetVolume' : [ 0x0, ['__unnamed_13fb']], 'FileSystemControl' : [ 0x0, ['__unnamed_13fd']], 'LockControl' : [ 0x0, ['__unnamed_13ff']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1401']], 'QuerySecurity' : [ 0x0, ['__unnamed_1403']], 'SetSecurity' : [ 0x0, ['__unnamed_1405']], 'MountVolume' : [ 0x0, ['__unnamed_1409']], 'VerifyVolume' : [ 0x0, ['__unnamed_1409']], 'Scsi' : [ 0x0, ['__unnamed_140d']], 'QueryQuota' : [ 0x0, ['__unnamed_1411']], 'SetQuota' : [ 0x0, ['__unnamed_13f7']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1415']], 'QueryInterface' : [ 0x0, ['__unnamed_1419']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_141d']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1421']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1423']], 'SetLock' : [ 0x0, ['__unnamed_1425']], 'QueryId' : [ 0x0, ['__unnamed_1429']], 'QueryDeviceText' : [ 0x0, ['__unnamed_142d']], 'UsageNotification' : [ 0x0, ['__unnamed_1431']], 'WaitWake' : [ 0x0, ['__unnamed_1435']], 'PowerSequence' : [ 0x0, ['__unnamed_1439']], 'Power' : [ 0x0, ['__unnamed_1441']], 'StartDevice' : [ 0x0, ['__unnamed_1445']], 'WMI' : [ 0x0, ['__unnamed_1447']], 'Others' : [ 0x0, ['__unnamed_1449']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_144b']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, 
['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1461' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_1461']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x10, ['unsigned long long']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', 
['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x28, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], 'SiloContext' : [ 0x20, ['pointer64', ['_EJOB']]], } ], '_EJOB' : [ 0x528, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb8, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xc0, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0xc8, ['unsigned long long']], 'TotalPageFaultCount' : [ 0xd0, ['unsigned long']], 'TotalProcesses' : [ 0xd4, ['unsigned long']], 'ActiveProcesses' : [ 0xd8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xdc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xe0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf8, ['unsigned long long']], 'LimitFlags' : [ 0x100, ['unsigned long']], 'ActiveProcessLimit' : [ 0x104, ['unsigned long']], 'Affinity' : [ 0x108, ['_KAFFINITY_EX']], 'AccessState' : [ 0x1b0, ['pointer64', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0x1b8, ['pointer64', ['void']]], 'UIRestrictionsClass' : [ 0x1c0, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x1c4, ['unsigned long']], 'CompletionPort' : [ 0x1c8, ['pointer64', ['void']]], 'CompletionKey' : [ 0x1d0, ['pointer64', ['void']]], 'CompletionCount' : [ 0x1d8, ['unsigned long long']], 'SessionId' : [ 0x1e0, ['unsigned long']], 'SchedulingClass' : [ 0x1e4, ['unsigned long']], 'ReadOperationCount' : [ 0x1e8, ['unsigned long long']], 'WriteOperationCount' : [ 0x1f0, ['unsigned long long']], 
'OtherOperationCount' : [ 0x1f8, ['unsigned long long']], 'ReadTransferCount' : [ 0x200, ['unsigned long long']], 'WriteTransferCount' : [ 0x208, ['unsigned long long']], 'OtherTransferCount' : [ 0x210, ['unsigned long long']], 'DiskIoInfo' : [ 0x218, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x240, ['unsigned long long']], 'JobMemoryLimit' : [ 0x248, ['unsigned long long']], 'JobTotalMemoryLimit' : [ 0x250, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x258, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x260, ['unsigned long long']], 'EffectiveAffinity' : [ 0x268, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x310, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x318, ['unsigned long long']], 'EffectiveMaximumWorkingSetSize' : [ 0x320, ['unsigned long long']], 'EffectiveProcessMemoryLimit' : [ 0x328, ['unsigned long long']], 'EffectiveProcessMemoryLimitJob' : [ 0x330, ['pointer64', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x338, ['pointer64', ['_EJOB']]], 'EffectiveDiskIoRateLimitJob' : [ 0x340, ['pointer64', ['_EJOB']]], 'EffectiveNetIoRateLimitJob' : [ 0x348, ['pointer64', ['_EJOB']]], 'EffectiveHeapAttributionJob' : [ 0x350, ['pointer64', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x358, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x35c, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x360, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x364, ['unsigned long']], 'EffectiveSwapCount' : [ 0x368, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x36c, ['unsigned long']], 'EffectivePriorityClass' : [ 0x370, ['unsigned char']], 'PriorityClass' : [ 0x371, ['unsigned char']], 'NestingDepth' : [ 0x372, ['unsigned char']], 'Reserved1' : [ 0x373, ['array', 1, ['unsigned char']]], 'CompletionFilter' : [ 0x374, ['unsigned long']], 'WakeChannel' : [ 0x378, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x378, ['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x3b0, ['_JOBOBJECT_WAKE_FILTER']], 
'LowEdgeLatchFilter' : [ 0x3b8, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x3bc, ['unsigned long']], 'NotificationLink' : [ 0x3c0, ['pointer64', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x3c8, ['unsigned long long']], 'NotificationInfo' : [ 0x3d0, ['pointer64', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x3d8, ['pointer64', ['void']]], 'NotificationPacket' : [ 0x3e0, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x3e8, ['pointer64', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x3f0, ['pointer64', ['void']]], 'ReadyTime' : [ 0x3f8, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x400, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x408, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x418, ['_LIST_ENTRY']], 'ParentJob' : [ 0x428, ['pointer64', ['_EJOB']]], 'RootJob' : [ 0x430, ['pointer64', ['_EJOB']]], 'IteratorListHead' : [ 0x438, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x448, ['unsigned long long']], 'Ancestors' : [ 0x450, ['pointer64', ['pointer64', ['_EJOB']]]], 'SessionObject' : [ 0x450, ['pointer64', ['void']]], 'Accounting' : [ 0x458, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x4a8, ['unsigned long']], 'ActiveAuxiliaryProcessCount' : [ 0x4ac, ['unsigned long']], 'SequenceNumber' : [ 0x4b0, ['unsigned long']], 'TimerListLock' : [ 0x4b8, ['unsigned long long']], 'TimerListHead' : [ 0x4c0, ['_LIST_ENTRY']], 'ContainerId' : [ 0x4d0, ['_GUID']], 'Container' : [ 0x4e0, ['pointer64', ['_SILO_CONTEXT']]], 'PropertySet' : [ 0x4e8, ['_PS_PROPERTY_SET']], 'NetRateControl' : [ 0x500, ['pointer64', ['_JOB_NET_RATE_CONTROL']]], 'IoRateControl' : [ 0x508, ['pointer64', ['_JOB_IO_RATE_CONTROL']]], 'JobFlags' : [ 0x510, ['unsigned long']], 'CloseDone' : [ 0x510, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x510, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x510, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x510, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x510, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x510, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x510, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x510, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x510, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x510, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x510, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x510, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x510, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x510, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x510, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x510, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x510, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x510, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x510, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x510, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 
0x510, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x510, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x510, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x510, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x510, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'NetRateControlActive' : [ 0x510, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'OwnNetRateControl' : [ 0x510, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IoRateControlActive' : [ 0x510, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'OwnIoRateControl' : [ 0x510, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'DisallowNewProcesses' : [ 0x510, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'SpareJobFlags' : [ 0x510, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x514, ['unsigned long']], 'EnergyValues' : [ 0x518, ['pointer64', ['_PROCESS_ENERGY_VALUES']]], 'SharedCommitCharge' : [ 0x520, ['unsigned long long']], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'AllocationProcessorNumber' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], 'Process' 
: [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'Type' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['unsigned char']], 'Reserved2' : [ 0xe, ['unsigned short']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x70, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer64', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x60, ['pointer64', ['void']]], 'UserContext' : [ 0x68, ['pointer64', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 
'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 
0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned 
char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'Oplock' : [ 0x58, ['pointer64', ['void']]], 'ReservedForRemote' : [ 0x58, ['pointer64', ['void']]], 'ReservedContext' : [ 0x60, ['pointer64', ['void']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_TlgProvider_t' : [ 0x40, { 'LevelPlus1' : [ 0x0, ['unsigned long']], 'ProviderMetadataPtr' : [ 0x8, ['pointer64', ['unsigned short']]], 'KeywordAny' : [ 0x10, ['unsigned long long']], 'KeywordAll' : [ 0x18, 
['unsigned long long']], 'RegHandle' : [ 0x20, ['unsigned long long']], 'EnableCallback' : [ 0x28, ['pointer64', ['void']]], 'CallbackContext' : [ 0x30, ['pointer64', ['void']]], 'AnnotationFunc' : [ 0x38, ['pointer64', ['void']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_TlgProviderMetadata_t' : [ 0x13, { 'Type' : [ 0x0, ['unsigned char']], 'ProviderId' : [ 0x1, ['_GUID']], 'RemainingSize' : [ 0x11, ['unsigned short']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '__unnamed_164b' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_164b']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND' : [ 0x10, { 'LocalLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'State' : [ 0x8, ['_EX_PUSH_LOCK_AUTO_EXPAND_STATE']], 'Stats' : [ 0xc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'ReservedLowFlags' : [ 0x1a, ['unsigned char']], 'WaiterPriority' : [ 0x1b, ['unsigned char']], 'SharedWaiters' : [ 0x20, ['_KWAIT_CHAIN']], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 
'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '__unnamed_1683' : [ 0x8, { 'Flink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeFlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 64, native_type='unsigned long long')]], 'WsIndex' : [ 0x0, ['unsigned long long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1687' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ShortFlags' : [ 0x2, ['unsigned short']], 'VolatileShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1689' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1687']], } ], '__unnamed_1695' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, 
native_type='unsigned long long')]], 'Channel' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 38, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'Partition' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 50, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 52, native_type='unsigned long long')]], 'FileOnly' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'PfnExists' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned long long']], } ], '_MMPFN' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'u1' : [ 0x0, ['__unnamed_1683']], 'PteAddress' : [ 0x8, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer64', ['void']]], 'PteLong' : [ 0x8, ['unsigned long long']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'u2' : [ 0x18, ['_MIPFNBLINK']], 'u3' : [ 0x20, ['__unnamed_1689']], 'NodeBlinkLow' : [ 0x24, ['unsigned short']], 'Unused' : [ 0x26, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'VaType' : [ 0x26, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'ViewCount' : [ 0x27, ['unsigned char']], 'NodeFlinkLow' : [ 0x27, ['unsigned char']], 'u4' : [ 0x28, ['__unnamed_1695']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x60, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP_EX']], 'BasePte' : [ 
0x10, ['pointer64', ['_MMPTE']]], 'Flags' : [ 0x18, ['unsigned long']], 'VaType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaMaximumType', 15: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x30, ['unsigned long long']], 'GlobalPushLock' : [ 0x30, ['pointer64', ['_EX_PUSH_LOCK']]], 'Vm' : [ 0x38, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x40, ['unsigned long long']], 'Hint' : [ 0x48, ['unsigned long long']], 'CachedPtes' : [ 0x50, ['pointer64', ['_MI_CACHED_PTES']]], 'TotalFreeSystemPtes' : [ 0x58, ['unsigned long long']], } ], '_MMCLONE_DESCRIPTOR' : [ 0x50, { 'CloneNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Next' : [ 0x0, ['pointer64', ['_MMCLONE_DESCRIPTOR']]], 'StartingCloneBlock' : [ 0x18, ['pointer64', ['_MMCLONE_BLOCK']]], 'EndingCloneBlock' : [ 0x20, ['pointer64', ['_MMCLONE_BLOCK']]], 'NumberOfPtes' : [ 0x28, ['unsigned long long']], 'NumberOfReferences' : [ 0x30, ['unsigned long long']], 'CloneHeader' : [ 0x38, ['pointer64', ['_MMCLONE_HEADER']]], 'NonPagedPoolQuotaCharge' : [ 0x40, ['unsigned long long']], 'NestingLevel' : [ 0x48, ['unsigned long long']], } ], '__unnamed_16c7' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_16c7']], } ], '_MMWSL' : [ 0x350, { 'FirstFree' : [ 0x0, ['unsigned long long']], 'FirstDynamic' : [ 0x8, ['unsigned long long']], 'LastEntry' : [ 0x10, ['unsigned long long']], 'NextSlot' : [ 0x18, ['unsigned long 
long']], 'LastInitializedWsle' : [ 0x20, ['unsigned long long']], 'NextAgingSlot' : [ 0x28, ['unsigned long long']], 'NextAccessClearingSlot' : [ 0x30, ['unsigned long long']], 'LastAccessClearingRemainder' : [ 0x38, ['unsigned long']], 'LastAgingRemainder' : [ 0x3c, ['unsigned long']], 'WsleSize' : [ 0x40, ['unsigned long']], 'NonDirectCount' : [ 0x48, ['unsigned long long']], 'LowestPagableAddress' : [ 0x50, ['pointer64', ['void']]], 'NonDirectHash' : [ 0x58, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x60, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x68, ['pointer64', ['_MMWSLE_HASH']]], 'ActiveWsleCounts' : [ 0x70, ['array', 16, ['unsigned long long']]], 'ActiveWsles' : [ 0xf0, ['array', 16, ['_MI_ACTIVE_WSLE_LISTHEAD']]], 'Wsle' : [ 0x1f0, ['pointer64', ['_MMWSLE']]], 'UserVaInfo' : [ 0x1f8, ['_MI_USER_VA_INFO']], } ], '_MMSUPPORT' : [ 0xf8, { 'WorkingSetLock' : [ 0x0, ['long']], 'ExitOutswapGate' : [ 0x8, ['pointer64', ['_KGATE']]], 'AccessLog' : [ 0x10, ['pointer64', ['void']]], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, ['array', 7, ['unsigned long long']]], 'MinimumWorkingSetSize' : [ 0x60, ['unsigned long long']], 'WorkingSetLeafSize' : [ 0x68, ['unsigned long long']], 'WorkingSetLeafPrivateSize' : [ 0x70, ['unsigned long long']], 'WorkingSetSize' : [ 0x78, ['unsigned long long']], 'WorkingSetPrivateSize' : [ 0x80, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0x88, ['unsigned long long']], 'ChargedWslePages' : [ 0x90, ['unsigned long long']], 'ActualWslePages' : [ 0x98, ['unsigned long long']], 'WorkingSetSizeOverhead' : [ 0xa0, ['unsigned long long']], 'PeakWorkingSetSize' : [ 0xa8, ['unsigned long long']], 'HardFaultCount' : [ 0xb0, ['unsigned long']], 'PartitionId' : [ 0xb4, ['unsigned short']], 'Pad0' : [ 0xb6, ['unsigned short']], 'VmWorkingSetList' : [ 0xb8, ['pointer64', ['_MMWSL']]], 'NextPageColor' : [ 0xc0, ['unsigned short']], 'LastTrimStamp' : [ 
0xc2, ['unsigned short']], 'PageFaultCount' : [ 0xc4, ['unsigned long']], 'TrimmedPageCount' : [ 0xc8, ['unsigned long long']], 'Reserved0' : [ 0xd0, ['unsigned long long']], 'Flags' : [ 0xd8, ['_MMSUPPORT_FLAGS']], 'ReleasedCommitDebt' : [ 0xe0, ['unsigned long long']], 'WsSwapSupport' : [ 0xe8, ['pointer64', ['void']]], 'CommitReAcquireFailSupport' : [ 0xf0, ['pointer64', ['void']]], } ], '__unnamed_16e3' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_16e7' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x48, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_16e3']], 'u2' : [ 0x38, ['__unnamed_16e7']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], } ], '__unnamed_16ec' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_16ef' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS2']], } ], '__unnamed_16f9' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long')]], 'SystemImage' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 
'StrongCode' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 28, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_16fb' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_16f9']], } ], '_CONTROL_AREA' : [ 0x78, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_16ec']], 'u1' : [ 0x3c, ['__unnamed_16ef']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'WaitList' : [ 0x50, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x58, ['__unnamed_16fb']], 'LockedPages' : [ 0x68, ['unsigned long long']], 'FileObjectLock' : [ 0x70, ['_EX_PUSH_LOCK']], } ], '__unnamed_1709' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_170c' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x40, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer64', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0x18, ['unsigned long']], 'EndingVpn' : [ 0x1c, ['unsigned long']], 'StartingVpnHigh' : [ 0x20, ['unsigned char']], 'EndingVpnHigh' : [ 0x21, ['unsigned char']], 'CommitChargeHigh' : [ 0x22, ['unsigned char']], 
'SpareNT64VadUChar' : [ 0x23, ['unsigned char']], 'ReferenceCount' : [ 0x24, ['long']], 'PushLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u' : [ 0x30, ['__unnamed_1709']], 'u1' : [ 0x34, ['__unnamed_170c']], 'EventList' : [ 0x38, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], } ], '_MI_PARTITION' : [ 0x2740, { 'Core' : [ 0x0, ['_MI_PARTITION_CORE']], 'Modwriter' : [ 0x158, ['_MI_PARTITION_MODWRITES']], 'Store' : [ 0x430, ['_MI_PARTITION_STORES']], 'Segments' : [ 0x4c0, ['_MI_PARTITION_SEGMENTS']], 'PageLists' : [ 0x640, ['_MI_PARTITION_PAGE_LISTS']], 'Commit' : [ 0x1380, ['_MI_PARTITION_COMMIT']], 'Zeroing' : [ 0x1400, ['_MI_PARTITION_ZEROING']], 'PageCombine' : [ 0x1468, ['_MI_PAGE_COMBINING_SUPPORT']], 'WorkingSetControl' : [ 0x15f0, ['pointer64', ['void']]], 'WorkingSetExpansionHead' : [ 0x15f8, ['_MMWORKING_SET_EXPANSION_HEAD']], 'Vp' : [ 0x1640, ['_MI_VISIBLE_PARTITION']], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_MMPAGING_FILE' : [ 0x120, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'FreeReservationSpace' : [ 0x30, ['unsigned long long']], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x40, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x50, ['_SLIST_HEADER']], 'PageFileName' : [ 0x60, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x70, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x78, ['unsigned long']], 'LargestAllocationCluster' : [ 0x7c, ['unsigned long']], 'RefreshAllocationCluster' : [ 0x80, ['unsigned long']], 
'LastRefreshAllocationCluster' : [ 0x84, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x88, ['unsigned long']], 'MaximumRunLengthInBitmaps' : [ 0x8c, ['unsigned long']], 'BitmapsCacheLengthTree' : [ 0x90, ['_RTL_RB_TREE']], 'BitmapsCacheLocationTree' : [ 0xa0, ['_RTL_RB_TREE']], 'BitmapsCacheFreeList' : [ 0xb0, ['_LIST_ENTRY']], 'BitmapsCacheEntries' : [ 0xc0, ['pointer64', ['_MI_PAGEFILE_BITMAPS_CACHE_ENTRY']]], 'ToBeEvictedCount' : [ 0xc8, ['unsigned long']], 'HybridPriority' : [ 0xc8, ['unsigned long']], 'PageFileNumber' : [ 0xcc, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0xcc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'NoReservations' : [ 0xcc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'VirtualStorePagefile' : [ 0xcc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SwapSupported' : [ 0xcc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'NodeInserted' : [ 0xcc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'StackNotified' : [ 0xcc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0xcc, ['BitField', dict(start_bit = 10, end_bit = 15, native_type='unsigned short')]], 'AdriftMdls' : [ 0xce, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0xce, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'IgnoreReservations' : [ 0xcf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare2' : [ 0xcf, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0xd0, ['unsigned long']], 'PageHashPagesPeak' : [ 0xd4, ['unsigned long']], 'PageHash' : [ 0xd8, ['pointer64', ['unsigned long']]], 'FileHandle' : [ 0xe0, ['pointer64', ['void']]], 'Lock' : [ 0xe8, 
['unsigned long long']], 'LockOwner' : [ 0xf0, ['pointer64', ['_ETHREAD']]], 'FlowThroughReadRoot' : [ 0xf8, ['_RTL_AVL_TREE']], 'Partition' : [ 0x100, ['pointer64', ['_MI_PARTITION']]], 'FileObjectNode' : [ 0x108, ['_RTL_BALANCED_NODE']], } ], 'tagSWITCH_CONTEXT' : [ 0x68, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '_CMP_SILO_CONTEXT' : [ 0x20, { 'LockEntryHead' : [ 0x0, ['_LIST_ENTRY']], 'LockListUnderCleanup' : [ 0x10, ['unsigned char']], 'ContextLock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_1756' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry', 21: '_CmpMountPreloadedHives', 22: '_CmpLoadHiveThread'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1759' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_175b' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_175f' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_1761' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_1765' : [ 0x10, { 'Space' : [ 0x0, ['unsigned 
long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_1769' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_176b' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_1756']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_1756']]], 'RegistryIO' : [ 0xd0, ['__unnamed_1759']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_175b']], 'CheckKey' : [ 0xf0, ['__unnamed_175f']], 'CheckValueList' : [ 0x110, ['__unnamed_1761']], 'CheckHive' : [ 0x128, ['__unnamed_1765']], 'CheckHive1' : [ 0x138, ['__unnamed_1765']], 'CheckBin' : [ 0x148, ['__unnamed_1769']], 'RecoverData' : [ 0x158, ['__unnamed_176b']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xc0, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 
'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long long']], 'ParkingStatus' : [ 0x80, ['unsigned long']], 'CurrentFrequency' : [ 0x84, ['unsigned long']], 'PercentMaxFrequency' : [ 0x88, ['unsigned long']], 'StateFlags' : [ 0x8c, ['unsigned long']], 'NominalThroughput' : [ 0x90, ['unsigned long']], 'ActiveThroughput' : [ 0x94, ['unsigned long']], 'ScaledThroughput' : [ 0x98, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0xa0, ['unsigned long long']], 'AverageIdleTime' : [ 0xa8, ['unsigned long long']], 'IdleBreakEvents' : [ 0xb0, ['unsigned long long']], 'PerformanceLimit' : [ 0xb8, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xbc, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 
'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned 
long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0xc, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], } ], '_TEB32' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 16, ['unsigned long']]], 'SystemReserved1' : [ 0x10c, ['array', 38, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, 
['unsigned long']], 'InstrumentationCallbackSp' : [ 0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x1b8, ['unsigned char']], 'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, 
['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], '_TEB64' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : 
[ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['unsigned long long']]], 'SystemReserved1' : [ 0x190, ['array', 38, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, 
['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, 
['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_HV_X64_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState_Deprecated' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable_Deprecated' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : 
[ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ExtendedGvaRangesForFlushVirtualAddressListAvailable' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'FastHypercallOutputAvailable' : [ 0xc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SvmFeaturesAvailable' : [ 0xc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SintPollingModeAvailable' : [ 0xc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HypercallMsrLockAvailable' : [ 0xc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeReg' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicRegs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerRegs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessIntrCtrlRegs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetReg' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsReg' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleReg' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyRegs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugRegs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, 
['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'AccessVpExitTracing' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'EnableExtendedGvaRangesForFlushVirtualAddressList' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 48, native_type='unsigned long long')]], 'AccessVsm' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 49, native_type='unsigned long long')]], 'AccessVpRegisters' : [ 0x0, ['BitField', dict(start_bit = 49, end_bit = 50, native_type='unsigned long long')]], 'UnusedBit' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 51, native_type='unsigned long long')]], 'FastHypercallOutput' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'EnableExtendedHypercalls' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'StartVirtualProcessor' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 64, native_type='unsigned long 
long')]], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', ['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x260, { 'Lock' : [ 0x0, ['unsigned long long']], 'ReadySummary' : [ 0x8, ['unsigned long']], 'ReadyListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x210, ['array', 64, ['unsigned char']]], 'Span' : [ 0x250, ['unsigned char']], 'LowProcIndex' : [ 0x251, ['unsigned char']], 'QueueIndex' : [ 0x252, ['unsigned char']], 'ProcCount' : [ 0x253, ['unsigned char']], 'ScanOwner' : [ 0x254, ['unsigned char']], 'Spare' : [ 0x255, ['array', 3, ['unsigned char']]], 'Affinity' : [ 0x258, ['unsigned long long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'Spare1' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'OutputBuffer' : [ 0xd8, ['unsigned long long']], 'OutputLength' : [ 0xe0, ['unsigned long long']], 'Spare2' : [ 0xe8, 
['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 
0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'Fill4' : [ 0x18c, ['unsigned long']], } ], '__unnamed_1866' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1868' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_186c' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x2c8, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, 
['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'FxDevice' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x58, ['long']], 'FxRemoveEvent' : [ 0x60, ['_KEVENT']], 'FxActivationCount' : [ 0x78, ['long']], 'FxSleepCount' : [ 0x7c, ['long']], 'Plugin' : [ 0x80, ['pointer64', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x88, ['unsigned long']], 'CurrentPowerState' : [ 0x8c, ['_POWER_STATE']], 'Notify' : [ 0x90, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xf8, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0x118, ['_UNICODE_STRING']], 'PowerFlags' : [ 0x128, ['unsigned long']], 'State' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 
'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x134, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x184, ['unsigned long']], 'CompletionStatus' : [ 0x188, ['long']], 'Flags' : [ 0x18c, ['unsigned long']], 'UserFlags' : [ 0x190, ['unsigned long']], 'Problem' : [ 0x194, ['unsigned long']], 'ProblemStatus' : [ 0x198, ['long']], 'ResourceList' : [ 0x1a0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x1b0, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x1b8, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 
'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x1c4, ['unsigned long']], 'ChildInterfaceType' : [ 0x1c8, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x1cc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x1d0, ['unsigned short']], 'RemovalPolicy' : [ 0x1d2, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x1d3, ['unsigned char']], 'TargetDeviceNotify' : [ 0x1d8, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x1e8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1f8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x208, ['unsigned short']], 'QueryTranslatorMask' : [ 0x20a, ['unsigned short']], 'NoArbiterMask' : [ 0x20c, ['unsigned short']], 'QueryArbiterMask' : [ 0x20e, ['unsigned short']], 'OverUsed1' : [ 0x210, ['__unnamed_1866']], 'OverUsed2' : [ 0x218, ['__unnamed_1868']], 'BootResources' : [ 0x220, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x228, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x230, ['unsigned long']], 'DockInfo' : [ 0x238, ['__unnamed_186c']], 'DisableableDepends' : [ 0x258, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x260, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x270, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x280, ['unsigned long']], 'PreviousParent' : [ 0x288, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x290, ['long']], 'NumaNodeIndex' : [ 0x294, ['unsigned long']], 'ContainerID' : [ 0x298, ['_GUID']], 'OverrideFlags' : [ 0x2a8, ['unsigned char']], 'DeviceIdsHash' : [ 0x2ac, ['unsigned long']], 'RequiresUnloadedDriver' : 
[ 0x2b0, ['unsigned char']], 'PendingEjectRelations' : [ 0x2b8, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x2c0, ['unsigned long']], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x48, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x30, ['pointer64', ['unsigned long']]], 'EnableKeyWords' : [ 0x38, ['pointer64', ['unsigned long long']]], 'EnableLevel' : [ 0x40, ['pointer64', ['unsigned char']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x68, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependencyNode' : [ 0x50, ['pointer64', ['void']]], 'InterruptContext' : [ 0x58, ['pointer64', ['void']]], 'VerifierContext' : [ 0x60, ['pointer64', ['void']]], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long 
long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KAFFINITY_EX' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 20, ['unsigned long long']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 
0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['unsigned 
long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, 
['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], 
'_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1969' 
: [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'WriteCustomBreakPoint' : [ 0x0, ['_DBGKD_WRITE_CUSTOM_BREAKPOINT']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1969']], } ], '__unnamed_1970' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, 
['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1970']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PEP_ACPI_RESOURCE' : 
[ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'IoMemory' : [ 0x0, ['_PEP_ACPI_IO_MEMORY_RESOURCE']], 'Interrupt' : [ 0x0, ['_PEP_ACPI_INTERRUPT_RESOURCE']], 'Gpio' : [ 0x0, ['_PEP_ACPI_GPIO_RESOURCE']], 'SpbI2c' : [ 0x0, ['_PEP_ACPI_SPB_I2C_RESOURCE']], 'SpbSpi' : [ 0x0, ['_PEP_ACPI_SPB_SPI_RESOURCE']], 'SpbUart' : [ 0x0, ['_PEP_ACPI_SPB_UART_RESOURCE']], 'ExtendedAddress' : [ 0x0, ['_PEP_ACPI_EXTENDED_ADDRESS']], } ], '_PEP_ACPI_IO_MEMORY_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Information' : [ 0x4, ['unsigned char']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], } ], '_PEP_ACPI_INTERRUPT_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'InterruptType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Flags' : [ 0xc, ['_PEP_ACPI_RESOURCE_FLAGS']], 'Count' : [ 0x10, ['unsigned char']], 'Pins' 
: [ 0x18, ['pointer64', ['unsigned long']]], } ], '_PEP_ACPI_GPIO_RESOURCE' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'InterruptType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'PinConfig' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PullDefault', 1: 'PullUp', 2: 'PullDown', 3: 'PullNone'})]], 'IoRestrictionType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'IoRestrictionNone', 1: 'IoRestrictionInputOnly', 2: 'IoRestrictionOutputOnly', 3: 'IoRestrictionNoneAndPreserve'})]], 'DriveStrength' : [ 0x18, ['unsigned short']], 'DebounceTimeout' : [ 0x1a, ['unsigned short']], 'PinTable' : [ 0x20, ['pointer64', ['unsigned short']]], 'PinCount' : [ 0x28, ['unsigned short']], 'ResourceSourceIndex' : [ 0x2a, ['unsigned char']], 'ResourceSourceName' : [ 0x30, ['pointer64', ['_UNICODE_STRING']]], 'VendorData' : [ 0x38, ['pointer64', ['unsigned char']]], 'VendorDataLength' : [ 0x40, ['unsigned short']], } ], '_PEP_ACPI_SPB_I2C_RESOURCE' : [ 0x30, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x28, ['unsigned long']], 'SlaveAddress' : [ 0x2c, ['unsigned short']], } ], '_PEP_ACPI_SPB_UART_RESOURCE' : [ 0x38, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'BaudRate' : [ 0x28, ['unsigned long']], 'RxBufferSize' : [ 0x2c, ['unsigned short']], 'TxBufferSize' : [ 0x2e, ['unsigned short']], 'Parity' : [ 0x30, ['unsigned char']], 
'LinesInUse' : [ 0x31, ['unsigned char']], } ], '_PEP_ACPI_SPB_SPI_RESOURCE' : [ 0x38, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x28, ['unsigned long']], 'DataBitLength' : [ 0x2c, ['unsigned char']], 'Phase' : [ 0x2d, ['unsigned char']], 'Polarity' : [ 0x2e, ['unsigned char']], 'DeviceSelection' : [ 0x30, ['unsigned short']], } ], '_PEP_ACPI_EXTENDED_ADDRESS' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'ResourceFlags' : [ 0x8, ['unsigned char']], 'GeneralFlags' : [ 0x9, ['unsigned char']], 'TypeSpecificFlags' : [ 0xa, ['unsigned char']], 'RevisionId' : [ 0xb, ['unsigned char']], 'Reserved' : [ 0xc, ['unsigned char']], 'Granularity' : [ 0x10, ['unsigned long long']], 'MinimumAddress' : [ 0x18, ['unsigned long long']], 'MaximumAddress' : [ 0x20, ['unsigned long long']], 'TranslationAddress' : [ 0x28, ['unsigned long long']], 'AddressLength' : [ 0x30, ['unsigned long long']], 'TypeAttribute' : [ 0x38, ['unsigned long long']], 'DescriptorName' : [ 0x40, ['pointer64', ['_UNICODE_STRING']]], } ], '_PPM_PLATFORM_STATES' : [ 0x1c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'InterfaceVersion' : [ 0x4, ['unsigned long']], 'ProcessorCount' : [ 0x8, ['unsigned long']], 'CoordinatedInterface' : [ 0xc, ['unsigned char']], 'IdleTest' : [ 0x10, ['pointer64', ['void']]], 'IdlePreExecute' : [ 0x18, ['pointer64', ['void']]], 'IdleComplete' : [ 0x20, ['pointer64', ['void']]], 'QueryPlatformStateResidency' : [ 0x28, ['pointer64', ['void']]], 'Accounting' : [ 0x30, ['pointer64', ['_PLATFORM_IDLE_ACCOUNTING']]], 'State' : [ 0x40, ['array', 1, ['_PPM_PLATFORM_STATE']]], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' 
: [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_PPM_PROFILE' : [ 0xb30, { 'Name' : [ 0x0, ['pointer64', ['unsigned short']]], 'Id' : [ 0x8, ['unsigned char']], 'Guid' : [ 0xc, ['_GUID']], 'Flags' : [ 0x1c, ['unsigned long']], 'Priority' : [ 0x20, ['unsigned char']], 'Settings' : [ 0x28, ['array', 2, ['_PPM_ENGINE_SETTINGS']]], 'StartTime' : [ 0xb08, ['unsigned long long']], 'Count' : [ 0xb10, ['unsigned long long']], 'MaxDuration' : [ 0xb18, ['unsigned long long']], 'MinDuration' : [ 0xb20, ['unsigned long long']], 'TotalDuration' : [ 0xb28, ['unsigned long long']], } ], '_PPM_ENGINE_SETTINGS' : [ 0x570, { 'ExplicitSetting' : [ 0x0, ['array', 2, ['_PPM_POLICY_SETTINGS_MASK']]], 'ThrottlingPolicy' : [ 0x10, ['unsigned char']], 'PerfTimeCheck' : [ 0x14, ['unsigned long']], 'PerfHistoryCount' : [ 0x18, ['array', 2, ['unsigned char']]], 'PerfMinPolicy' : [ 0x1a, ['array', 2, ['unsigned char']]], 'PerfMaxPolicy' : [ 0x1c, ['array', 2, ['unsigned char']]], 'PerfDecreaseTime' : [ 0x1e, ['array', 2, ['unsigned char']]], 'PerfIncreaseTime' : [ 0x20, ['array', 2, ['unsigned char']]], 'PerfDecreasePolicy' : [ 0x22, ['array', 2, ['unsigned char']]], 'PerfIncreasePolicy' : [ 0x24, ['array', 2, ['unsigned char']]], 'PerfDecreaseThreshold' : [ 0x26, ['array', 2, ['unsigned char']]], 'PerfIncreaseThreshold' : [ 0x28, ['array', 2, ['unsigned char']]], 'PerfBoostPolicy' : [ 0x2c, ['unsigned long']], 'PerfBoostMode' : [ 0x30, ['unsigned long']], 'PerfReductionTolerance' : [ 0x34, ['unsigned long']], 'EnergyPerfPreference' : [ 0x38, ['unsigned long']], 'AutonomousActivityWindow' : [ 0x3c, ['unsigned long']], 'AutonomousPreference' : [ 0x40, ['unsigned char']], 'LatencyHintPerf' : [ 0x41, ['array', 2, ['unsigned char']]], 'LatencyHintUnpark' : [ 0x43, ['array', 2, ['unsigned char']]], 'DutyCycling' : [ 0x45, ['unsigned char']], 'ParkingPerfState' : [ 0x46, ['array', 2, ['unsigned char']]], 
'DistributeUtility' : [ 0x48, ['unsigned char']], 'CoreParkingOverUtilizationThreshold' : [ 0x49, ['unsigned char']], 'CoreParkingConcurrencyThreshold' : [ 0x4a, ['unsigned char']], 'CoreParkingHeadroomThreshold' : [ 0x4b, ['unsigned char']], 'CoreParkingDistributionThreshold' : [ 0x4c, ['unsigned char']], 'CoreParkingDecreasePolicy' : [ 0x4d, ['unsigned char']], 'CoreParkingIncreasePolicy' : [ 0x4e, ['unsigned char']], 'CoreParkingDecreaseTime' : [ 0x50, ['unsigned long']], 'CoreParkingIncreaseTime' : [ 0x54, ['unsigned long']], 'CoreParkingMinCores' : [ 0x58, ['array', 2, ['unsigned char']]], 'CoreParkingMaxCores' : [ 0x5a, ['array', 2, ['unsigned char']]], 'AllowScaling' : [ 0x5c, ['unsigned char']], 'IdleDisabled' : [ 0x5d, ['unsigned char']], 'IdleTimeCheck' : [ 0x60, ['unsigned long']], 'IdleDemotePercent' : [ 0x64, ['unsigned char']], 'IdlePromotePercent' : [ 0x65, ['unsigned char']], 'HeteroDecreaseTime' : [ 0x66, ['unsigned char']], 'HeteroIncreaseTime' : [ 0x67, ['unsigned char']], 'HeteroDecreaseThreshold' : [ 0x68, ['array', 640, ['unsigned char']]], 'HeteroIncreaseThreshold' : [ 0x2e8, ['array', 640, ['unsigned char']]], 'Class0FloorPerformance' : [ 0x568, ['unsigned char']], 'Class1InitialPerformance' : [ 0x569, ['unsigned char']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], 
'_POP_FX_PERF_FLAGS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'Progress' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 27, native_type='unsigned long')]], 'Synchronicity' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 29, native_type='unsigned long')]], 'RequestPepCompleted' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'RequestSucceeded' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NestedCallback' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'IrpFirstPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IrpLastPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x8, 
['pointer64', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0xd0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x20, ['unsigned long long']], 'LogHandleContext' : [ 0x28, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0xc0, ['unsigned long']], 'PagesQueuedToDisk' : [ 0xc4, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0xc8, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x210, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'V1' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0x100, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 
'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x118, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0x150, ['_LARGE_INTEGER']], 'Event' : [ 0x158, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x170, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x178, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1f0, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1f8, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x200, ['unsigned long']], 'WritesInProgress' : [ 0x204, ['unsigned long']], 'AsyncReadRequestCount' : [ 0x208, ['unsigned long']], } ], '__unnamed_1a53' : [ 0x10, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_1a53']], 'ArrayHead' : [ 0x20, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1a77' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1a79' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1a7b' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_1a7d' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1a7f' : [ 0x30, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x8, ['pointer64', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x10, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x28, ['unsigned char']], } ], '__unnamed_1a83' : [ 0x58, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], 'FileOffset' : [ 0x8, ['_LARGE_INTEGER']], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Length' : [ 0x18, ['unsigned long']], 'PrefetchList' : [ 0x20, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'PrefetchPagePriority' : [ 0x28, ['unsigned long']], 
'Mdl' : [ 0x30, ['pointer64', ['_MDL']]], 'IoStatusBlock' : [ 0x38, ['pointer64', ['_IO_STATUS_BLOCK']]], 'CallbackContext' : [ 0x40, ['pointer64', ['_CC_ASYNC_READ_CONTEXT']]], 'OriginatingProcess' : [ 0x48, ['pointer64', ['_EPROCESS']]], 'RequestorMode' : [ 0x50, ['unsigned char']], 'NestingLevel' : [ 0x54, ['unsigned long']], } ], '__unnamed_1a85' : [ 0x58, { 'Read' : [ 0x0, ['__unnamed_1a77']], 'Write' : [ 0x0, ['__unnamed_1a79']], 'Event' : [ 0x0, ['__unnamed_1a7b']], 'Notification' : [ 0x0, ['__unnamed_1a7d']], 'LowPriWrite' : [ 0x0, ['__unnamed_1a7f']], 'AsyncRead' : [ 0x0, ['__unnamed_1a83']], } ], '_WORK_QUEUE_ENTRY' : [ 0x70, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_1a85']], 'Function' : [ 0x68, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x30, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x8, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x20, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x98, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x10, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x18, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x30, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x68, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x6c, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x70, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x78, ['pointer64', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x80, ['unsigned long long']], 'LastLWTimeStamp' : [ 0x88, ['_LARGE_INTEGER']], 'Flags' : [ 0x90, ['unsigned long']], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 
'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x298, { 'Segment' : [ 0x0, ['_HEAP_SEGMENT']], 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 
'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x90, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x94, ['unsigned long']], 'Signature' : [ 0x98, ['unsigned long']], 'SegmentReserve' : [ 0xa0, ['unsigned long long']], 'SegmentCommit' : [ 0xa8, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb0, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xb8, ['unsigned long long']], 'TotalFreeSize' : [ 0xc0, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xc8, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd0, ['unsigned short']], 'HeaderValidateLength' : [ 0xd2, ['unsigned short']], 'HeaderValidateCopy' : [ 0xd8, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe0, ['unsigned short']], 'MaximumTagIndex' : [ 0xe2, ['unsigned short']], 'TagEntries' : [ 0xe8, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf0, ['_LIST_ENTRY']], 'AlignRound' : [ 0x100, ['unsigned long long']], 'AlignMask' : [ 0x108, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x110, ['_LIST_ENTRY']], 'SegmentList' : [ 0x120, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x130, ['unsigned short']], 'NonDedicatedListLength' : [ 0x134, ['unsigned long']], 'BlocksIndex' : [ 0x138, ['pointer64', ['void']]], 'UCRIndex' : [ 0x140, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x148, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x150, ['_LIST_ENTRY']], 'LockVariable' : [ 0x160, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x168, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x170, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x178, 
['unsigned short']], 'FrontEndHeapType' : [ 0x17a, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0x17b, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0x180, ['pointer64', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0x188, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0x18a, ['array', 129, ['unsigned char']]], 'Counters' : [ 0x210, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x288, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1af3' : [ 0x68, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_1af3']], } ], '_HEAP_ENTRY' : [ 0x10, { 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned 
long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'HeapEntry' : [ 0x0, ['_HEAP_ENTRY']], 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, 
['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1b46' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1b48' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b46']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1b4a' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1b4c' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1b4a']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1b48']], 'u2' : [ 0x4, ['__unnamed_1b4c']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x30, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer64', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], } ], '__unnamed_1b67' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1b69' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1b67']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x30, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_1b69']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x18, ['long long']], 'Lock' : [ 0x20, ['_EX_PUSH_LOCK']], } ], '__unnamed_1b7b' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1b7d' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b7b']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_1b7d']], 'NumberOfRegions' : [ 0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_1b86' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1b88' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b86']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_1b88']], 'NumberOfViews' : [ 0x34, 
['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_1b8e' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1b90' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b8e']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_1b90']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x48, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x40, ['pointer64', ['_KALPC_MESSAGE']]], } ], '__unnamed_1bae' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 
'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1bb0' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bae']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1d8, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa0, 
['_LIST_ENTRY']], 'PendingQueueLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0xb8, ['_LIST_ENTRY']], 'DirectQueueLock' : [ 0xc8, ['_EX_PUSH_LOCK']], 'DirectQueue' : [ 0xd0, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0xe0, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0xe8, ['_LIST_ENTRY']], 'Semaphore' : [ 0xf8, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xf8, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0x100, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x148, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x150, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0x168, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0x170, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x178, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x180, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x190, ['long']], 'ReferenceNo' : [ 0x194, ['long']], 'ReferenceNoWait' : [ 0x198, ['pointer64', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0x1a0, ['__unnamed_1bb0']], 'TargetQueuePort' : [ 0x1a8, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x1b0, ['pointer64', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x1b8, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x1c0, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x1c4, ['unsigned long']], 'PendingQueueLength' : [ 0x1c8, ['unsigned long']], 'DirectQueueLength' : [ 0x1cc, ['unsigned long']], 'CanceledQueueLength' : [ 0x1d0, ['unsigned long']], 'WaitQueueLength' : [ 0x1d4, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0xa0, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'CompletionListLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x20, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x28, ['pointer64', ['void']]], 'UserLimit' : [ 0x30, ['pointer64', ['void']]], 'DataUserVa' : [ 0x38, ['pointer64', ['void']]], 'SystemVa' : [ 0x40, ['pointer64', ['void']]], 'TotalSize' : [ 0x48, ['unsigned long long']], 'Header' : [ 
0x50, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x58, ['pointer64', ['void']]], 'ListSize' : [ 0x60, ['unsigned long long']], 'Bitmap' : [ 0x68, ['pointer64', ['void']]], 'BitmapSize' : [ 0x70, ['unsigned long long']], 'Data' : [ 0x78, ['pointer64', ['void']]], 'DataSize' : [ 0x80, ['unsigned long long']], 'BitmapLimit' : [ 0x88, ['unsigned long']], 'BitmapNextHint' : [ 0x8c, ['unsigned long']], 'ConcurrencyCount' : [ 0x90, ['unsigned long']], 'AttributeFlags' : [ 0x94, ['unsigned long']], 'AttributeSize' : [ 0x98, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_TYPE' : [ 0xd8, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'Key' : [ 0xc0, ['unsigned long']], 'CallbackList' : [ 0xc8, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x20, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x18, ['long']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1b48']], 'u2' : [ 0x4, ['__unnamed_1b4c']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1bd6' : [ 0x4, { 
'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1bd8' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bd6']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x108, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'u1' : [ 0x28, ['__unnamed_1bd8']], 'SequenceNo' : [ 0x2c, ['long']], 'QuotaProcess' : [ 0x30, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x30, ['pointer64', ['void']]], 'CancelSequencePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x40, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x48, ['long']], 'CancelListEntry' : [ 0x50, ['_LIST_ENTRY']], 'Reserve' : [ 0x60, 
['pointer64', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x68, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xa8, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xb0, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xb8, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xc0, ['pointer64', ['_ETHREAD']]], 'WakeReference' : [ 0xc8, ['pointer64', ['void']]], 'ExtensionBuffer' : [ 0xd0, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0xd8, ['unsigned long long']], 'PortMessage' : [ 0xe0, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x40, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'DirectEvent' : [ 0x28, ['_KALPC_DIRECT_EVENT']], 'Flags' : [ 0x30, ['unsigned long']], 'TotalLength' : [ 0x34, ['unsigned short']], 'Type' : [ 0x36, ['unsigned short']], 'DataInfoOffset' : [ 0x38, ['unsigned short']], 'SignalCompletion' : [ 0x3a, ['unsigned char']], 'PostedToCompletionList' : [ 0x3b, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x30, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x40, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 
0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], 'DirectEvent' : [ 0x38, ['_KALPC_DIRECT_EVENT']], } ], '__unnamed_1c1c' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1c1e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c1c']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1c1e']], } ], '_KALPC_DIRECT_EVENT' : [ 0x8, { 'Event' : [ 0x0, ['unsigned long long']], 'Referenced' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x30, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer64', ['void']]], 'ActivityId' : [ 0x10, ['_GUID']], 'Timestamp' : [ 0x20, ['_LARGE_INTEGER']], 'ZeroingOffset' : [ 0x20, ['unsigned long']], 'FsTrackOffsetBlob' : [ 0x20, ['pointer64', ['_IO_IRP_EXT_TRACK_OFFSET_HEADER']]], 'FsTrackedOffset' : [ 0x28, ['long long']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 
0x50, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xc0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, ['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned char']], 'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'AccessMode' : [ 0x94, ['unsigned char']], 'DriverCreateContext' : [ 0x98, 
['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1ce5' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x118, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1ce5']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer64', ['unsigned short']]], 'LogFileName' : [ 0x40, ['pointer64', ['unsigned short']]], 'TimeZone' : [ 0x48, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf8, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0x100, ['_LARGE_INTEGER']], 'StartTime' : [ 0x108, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x110, ['unsigned long']], 'BuffersLost' : [ 0x114, ['unsigned long']], } ], '_WMI_LOGGER_CONTEXT' : [ 
0x390, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 2, ['unsigned long']]], 'ErrorMarker' : [ 0x1c, ['unsigned long']], 'SizeMask' : [ 0x20, ['unsigned long']], 'GetCpuClock' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'FailureReason' : [ 0x3c, ['unsigned long']], 'BufferQueue' : [ 0x40, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x58, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x70, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x80, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x90, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x90, ['_EX_FAST_REF']], 'LoggerName' : [ 0x98, ['_UNICODE_STRING']], 'LogFileName' : [ 0xa8, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0xb8, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xc8, ['_UNICODE_STRING']], 'ClockType' : [ 0xd8, ['unsigned long']], 'LastFlushedBuffer' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'FlushThreshold' : [ 0xe4, ['unsigned long']], 'ByteOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xf0, ['unsigned long']], 'BuffersAvailable' : [ 0xf4, ['long']], 'NumberOfBuffers' : [ 0xf8, ['long']], 'MaximumBuffers' : [ 0xfc, ['unsigned long']], 'EventsLost' : [ 0x100, ['unsigned long']], 'PeakBuffersCount' : [ 0x104, ['long']], 'BuffersWritten' : [ 0x108, ['unsigned long']], 'LogBuffersLost' : [ 0x10c, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x110, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x114, ['unsigned long']], 'SequencePtr' : [ 0x118, ['pointer64', ['long']]], 'LocalSequence' : [ 0x120, ['unsigned long']], 'InstanceGuid' : [ 0x124, ['_GUID']], 'MaximumFileSize' : [ 0x134, ['unsigned long']], 'FileCounter' : [ 0x138, ['long']], 'PoolType' : [ 0x13c, ['Enumeration', 
dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x140, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0x150, ['long']], 'ProviderInfoSize' : [ 0x154, ['unsigned long']], 'Consumers' : [ 0x158, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x168, ['unsigned long']], 'TransitionConsumer' : [ 0x170, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x178, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x180, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x190, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x1a0, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1a8, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1b0, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1b8, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1c0, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1d0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1d8, ['_KEVENT']], 'FlushEvent' : [ 0x1f0, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x208, ['_KTIMER']], 'LoggerDpc' : [ 0x248, ['_KDPC']], 'LoggerMutex' : [ 0x288, ['_KMUTANT']], 'LoggerLock' : [ 0x2c0, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2c8, ['unsigned long long']], 'BufferListPushLock' : [ 0x2c8, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2d0, ['_SECURITY_CLIENT_CONTEXT']], 
'TokenAccessInformation' : [ 0x318, ['pointer64', ['_TOKEN_ACCESS_INFORMATION']]], 'SecurityDescriptor' : [ 0x320, ['_EX_FAST_REF']], 'StartTime' : [ 0x328, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x330, ['pointer64', ['void']]], 'BufferSequenceNumber' : [ 0x338, ['long long']], 'Flags' : [ 0x340, ['unsigned long']], 'Persistent' : [ 0x340, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x340, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x340, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x340, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x340, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x340, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x340, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x340, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x340, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x340, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x340, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x340, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x340, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'StackLookasideListAllocated' : [ 0x340, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SecurityTrace' : [ 0x340, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'SpareFlags1' : [ 0x340, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned 
long')]], 'SystemLoggerIndex' : [ 0x340, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x340, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x340, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x344, ['unsigned long']], 'DbgRequestNewFile' : [ 0x344, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x344, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x344, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x344, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x344, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x344, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x344, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x344, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDeferredFlush' : [ 0x344, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDeferredFlushTimer' : [ 0x344, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x344, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x344, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x344, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x348, ['_RTL_BITMAP']], 'StackCache' : [ 0x358, ['pointer64', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x360, 
['pointer64', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x368, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x378, ['pointer64', ['pointer64', ['_WMI_BUFFER_HEADER']]]], 'DisallowedGuids' : [ 0x380, ['_DISALLOWED_GUIDS']], } ], '_ETW_PMC_SUPPORT' : [ 0x28, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer64', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_SILODRIVERSTATE' : [ 0x13a8, { 'EtwpSecurityProviderGuidEntry' : [ 0x0, ['_ETW_GUID_ENTRY']], 'EtwpLoggerRundown' : [ 0x190, ['array', 64, ['pointer64', ['_EX_RUNDOWN_REF_CACHE_AWARE']]]], 'WmipLoggerContext' : [ 0x390, ['array', 64, ['pointer64', ['_WMI_LOGGER_CONTEXT']]]], 'EtwpGuidHashTable' : [ 0x590, ['array', 64, ['_ETW_HASH_BUCKET']]], 'EtwpSecurityLoggers' : [ 0x1390, ['array', 8, ['unsigned short']]], 'EtwpSecurityProviderEnableMask' : [ 0x13a0, ['unsigned char']], 'EtwpShutdownInProgress' : [ 0x13a1, ['unsigned char']], 'EtwpSecurityProviderPID' : [ 0x13a4, ['unsigned long']], } ], '_EX_RUNDOWN_REF_CACHE_AWARE' : [ 0x18, { 'RunRefs' : [ 0x0, ['pointer64', ['_EX_RUNDOWN_REF']]], 'PoolToFree' : [ 0x8, 
['pointer64', ['void']]], 'RunRefSize' : [ 0x10, ['unsigned long']], 'Number' : [ 0x14, ['unsigned long']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x480, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0xa0, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa8, ['pointer64', ['void']]], 'DynamicPart' : [ 0xb0, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb8, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc8, ['unsigned long']], 'TokenInUse' : [ 0xcc, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xd0, ['unsigned long']], 'MandatoryPolicy' : [ 0xd4, ['unsigned long']], 'LogonSession' : [ 0xd8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe0, ['_LUID']], 'SidHash' : [ 0xe8, 
['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f8, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x308, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x310, ['pointer64', ['void']]], 'Capabilities' : [ 0x318, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x320, ['unsigned long']], 'CapabilitiesHash' : [ 0x328, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x438, ['pointer64', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x440, ['pointer64', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x448, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x450, ['pointer64', ['void']]], 'TrustLinkedToken' : [ 0x458, ['pointer64', ['_TOKEN']]], 'IntegrityLevelSidValue' : [ 0x460, ['pointer64', ['void']]], 'TokenSidValues' : [ 0x468, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], 'IndexEntry' : [ 0x470, ['pointer64', ['_SEP_LUID_TO_INDEX_MAP_ENTRY']]], 'VariablePart' : [ 0x478, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0xb0, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['long long']], 'Flags' : [ 0x20, ['unsigned long']], 'pDeviceMap' : [ 0x28, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x30, ['pointer64', ['void']]], 'AccountName' : [ 0x38, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x48, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x58, ['_SEP_LOWBOX_HANDLES_TABLE']], 'SharedDataLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'SharedClaimAttributes' : [ 0x70, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'SharedSidValues' : [ 0x78, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], 'RevocationBlock' : [ 0x80, ['_OB_HANDLE_REVOCATION_BLOCK']], 'ServerSilo' : [ 0xa0, ['pointer64', ['_EJOB']]], 'SiblingAuthId' : [ 0xa8, ['_LUID']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 
'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 'DbgRefTrace' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'NewObject' : [ 0x1b, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0x1b, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0x1b, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0x1b, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0x1b, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0x1b, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0x1b, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0x1b, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare' : [ 0x1c, ['unsigned long']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', 
['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x10, { 'SecurityDescriptor' : [ 0x0, ['pointer64', ['void']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_REVOCATION_INFO' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'RevocationBlock' : [ 0x10, ['pointer64', ['_OB_HANDLE_REVOCATION_BLOCK']]], 'Padding1' : [ 0x18, ['array', 4, ['unsigned char']]], 'Padding2' : [ 0x1c, ['array', 4, ['unsigned char']]], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x28, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'EntryLink' : [ 0x10, ['pointer64', ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0x18, ['unsigned long']], 'HashIndex' : [ 0x1c, ['unsigned short']], 'DirectoryLocked' : [ 0x1e, ['unsigned char']], 'LockedExclusive' : [ 0x1f, ['unsigned char']], 'LockStateSignature' : [ 0x20, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x158, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x138, ['pointer64', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0x140, ['unsigned long']], 'NamespaceEntry' : [ 0x148, ['pointer64', ['void']]], 'Flags' : [ 0x150, ['unsigned long']], } ], '_OBP_SILODRIVERSTATE' 
: [ 0x2e0, { 'SystemDeviceMap' : [ 0x0, ['pointer64', ['_DEVICE_MAP']]], 'SystemDosDeviceState' : [ 0x8, ['_OBP_SYSTEM_DOS_DEVICE_STATE']], 'DeviceMapLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'PrivateNamespaceLookupTable' : [ 0x80, ['_OBJECT_NAMESPACE_LOOKUPTABLE']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_WHEAP_INFO_BLOCK' : [ 0x18, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x8, ['pointer64', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x10, ['pointer64', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x428, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x10, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x14, ['unsigned long']], 'ErrorCount' : [ 0x18, ['long']], 'RecordCount' : [ 0x1c, ['unsigned long']], 'RecordLength' : [ 0x20, ['unsigned long']], 'PoolTag' : [ 0x24, ['unsigned long']], 'Type' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x30, ['pointer64', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x38, ['pointer64', ['void']]], 'SectionCount' : [ 0x40, ['unsigned long']], 'SectionLength' : [ 0x44, ['unsigned long']], 'TickCountAtLastError' : [ 0x48, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x50, ['unsigned long']], 'TotalErrors' : [ 0x54, ['unsigned long']], 'Deferred' : [ 0x58, ['unsigned 
char']], 'Descriptor' : [ 0x59, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xf0, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x10, ['unsigned long']], 'ProcessorNumber' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x1c, ['long']], 'ErrorSource' : [ 0x20, ['pointer64', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x28, ['_WHEA_ERROR_RECORD']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x30, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'ConnectLock' : [ 0x8, ['_KEVENT']], 'LineMasked' : [ 0x20, ['unsigned char']], 'InterruptList' : [ 0x28, ['pointer64', ['_KINTERRUPT']]], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'Arm64ControlSet' : [ 0x0, ['_ARM64_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long long']], 'WorkQueue' : [ 0x20, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x60, ['pointer64', ['void']]], 'AcceptProcessorNotification' : 
[ 0x68, ['pointer64', ['void']]], 'AcceptAcpiNotification' : [ 0x70, ['pointer64', ['void']]], 'WorkOrderCount' : [ 0x78, ['unsigned long']], 'WorkOrders' : [ 0x80, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long 
long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_MI_PARTITION_SEGMENTS' : [ 0x180, { 'DeleteSubsectionCleanup' : [ 0x0, ['_KEVENT']], 'UnusedSegmentCleanup' : [ 0x18, ['_KEVENT']], 'SubsectionDeletePtes' : [ 0x30, ['unsigned long long']], 'DereferenceSegmentHeader' : [ 0x38, ['_MMDEREFERENCE_SEGMENT_HEADER']], 'DeleteOnCloseList' : [ 0x68, ['_LIST_ENTRY']], 'DeleteOnCloseTimer' : [ 0x78, ['_KTIMER']], 'DeleteOnCloseTimerActive' : [ 0xb8, ['unsigned char']], 'DeleteOnCloseCount' : [ 0xbc, ['unsigned long']], 'UnusedSegmentList' : [ 0xc0, ['_LIST_ENTRY']], 'UnusedSubsectionList' : [ 0xd0, ['_LIST_ENTRY']], 'DeleteSubsectionList' : [ 0xe0, ['_LIST_ENTRY']], 'ControlAreaDeleteEvent' : [ 0xf0, ['_KEVENT']], 'ControlAreaDeleteList' : [ 0x108, ['_SINGLE_LIST_ENTRY']], 'SegmentListLock' : [ 0x140, ['long']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, 
native_type='unsigned long')]], } ], '_PS_TRUSTLET_ATTRIBUTE_TYPE' : [ 0x4, { 'Version' : [ 0x0, ['unsigned char']], 'DataCount' : [ 0x1, ['unsigned char']], 'SemanticType' : [ 0x2, ['unsigned char']], 'AccessRights' : [ 0x3, ['_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS']], 'AttributeType' : [ 0x0, ['unsigned long']], } ], '_KENTROPY_TIMING_STATE' : [ 0x150, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x108, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x148, ['unsigned long']], } ], '_HEAP_UNPACKED_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], } ], '_PEP_ACPI_SPB_RESOURCE' : [ 0x28, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'TypeSpecificFlags' : [ 0x8, ['unsigned short']], 'ResourceSourceIndex' : [ 0xa, ['unsigned char']], 'ResourceSourceName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'VendorData' : [ 0x18, ['pointer64', ['unsigned char']]], 'VendorDataLength' : [ 0x20, ['unsigned short']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'Type' : [ 0x0, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Reserved1' : [ 0x3, ['unsigned char']], 'TimerType' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, 
['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Timer2Type' : [ 0x0, ['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Timer2ReservedFlags' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Timer2Reserved1' : [ 0x2, ['unsigned char']], 'Timer2Reserved2' : [ 0x3, ['unsigned char']], 'QueueType' : [ 0x0, ['unsigned char']], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'QueueReservedControlFlags' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, 
native_type='unsigned char')]], 'QueueSize' : [ 0x2, ['unsigned char']], 'QueueReserved' : [ 0x3, ['unsigned char']], 'ThreadType' : [ 0x0, ['unsigned char']], 'ThreadReserved' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Tagged' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'EnergyProfiling' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ThreadReservedControlFlags' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Minimal' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved4' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MutantType' : [ 0x0, ['unsigned char']], 'MutantSize' : [ 0x1, ['unsigned char']], 'DpcActive' : [ 0x2, ['unsigned char']], 'MutantReserved' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_ETW_GUID_ENTRY' : [ 0x190, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long long']], 'Guid' : [ 
0x18, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['pointer64', ['_ETW_FILTER_HEADER']]], 'HostSilo' : [ 0x178, ['unsigned char']], 'Lock' : [ 0x180, ['_EX_PUSH_LOCK']], 'LockOwner' : [ 0x188, ['pointer64', ['_ETHREAD']]], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'WaitResponse' : [ 0xc, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], } ], '_HEAP_COUNTERS' : [ 0x78, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'PollIntervalCounter' : [ 0x48, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x4c, ['unsigned 
long']], 'HeapPollInterval' : [ 0x50, ['unsigned long']], 'AllocAndFreeOps' : [ 0x54, ['unsigned long']], 'AllocationIndicesActive' : [ 0x58, ['unsigned long']], 'InBlockDeccommits' : [ 0x5c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x60, ['unsigned long long']], 'HighWatermarkSize' : [ 0x68, ['unsigned long long']], 'LastPolledSize' : [ 0x70, ['unsigned long long']], } ], '_TraceLoggingMetadata_t' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned char']], 'Flags' : [ 0x7, ['unsigned char']], 'Magic' : [ 0x8, ['unsigned long long']], } ], '_MI_VISIBLE_PARTITION' : [ 0x1100, { 'LowestPhysicalPage' : [ 0x0, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x8, ['unsigned long long']], 'NumberOfPhysicalPages' : [ 0x10, ['unsigned long long']], 'NumberOfPagingFiles' : [ 0x18, ['unsigned long']], 'PagingFile' : [ 0x20, ['array', 16, ['pointer64', ['_MMPAGING_FILE']]]], 'AvailablePages' : [ 0xc0, ['unsigned long long']], 'ResidentAvailablePages' : [ 0x100, ['unsigned long long']], 'TotalCommittedPages' : [ 0x108, ['unsigned long long']], 'ModifiedPageListHead' : [ 0x140, ['_MMPFNLIST']], 'ModifiedNoWritePageListHead' : [ 0x180, ['_MMPFNLIST']], 'TotalCommitLimit' : [ 0x1a8, ['unsigned long long']], 'TotalPagesForPagingFile' : [ 0x1b0, ['unsigned long long']], 'VadPhysicalPages' : [ 0x1b8, ['unsigned long long']], 'ProcessLockedFilePages' : [ 0x1c0, ['unsigned long long']], 'ChargeCommitmentFailures' : [ 0x1c8, ['array', 4, ['unsigned long']]], 'PageTableBitmapPages' : [ 0x1d8, ['unsigned long long']], 'PageFileTraceIndex' : [ 0x1e0, ['long']], 'PageFileTraces' : [ 0x1e8, ['array', 32, ['_MI_PAGEFILE_TRACES']]], } ], '_OB_HANDLE_REVOCATION_BLOCK' : [ 0x20, { 'RevocationInfos' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Rundown' : [ 0x18, ['_EX_RUNDOWN_REF']], } ], '_SYSPTES_HEADER' : [ 0x118, { 'ListHead' : [ 0x0, ['array', 16, ['_LIST_ENTRY']]], 'Count' : [ 0x100, ['unsigned 
long long']], 'NumberOfEntries' : [ 0x108, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x110, ['unsigned long long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_MI_ACTIVE_WSLE_LISTHEAD' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x70, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x68, ['unsigned char']], 'DeleteType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], 
'_PPM_PLATFORM_STATE' : [ 0x180, { 'Latency' : [ 0x0, ['unsigned long']], 'BreakEvenDuration' : [ 0x4, ['unsigned long']], 'VetoAccounting' : [ 0x8, ['_PPM_VETO_ACCOUNTING']], 'TransitionDebugger' : [ 0x30, ['unsigned char']], 'Platform' : [ 0x31, ['unsigned char']], 'DependencyListCount' : [ 0x34, ['unsigned long']], 'Processors' : [ 0x38, ['_KAFFINITY_EX']], 'Name' : [ 0xe0, ['_UNICODE_STRING']], 'DependencyLists' : [ 0xf0, ['pointer64', ['_PPM_SELECTION_DEPENDENCY']]], 'Synchronization' : [ 0xf8, ['_PPM_COORDINATED_SYNCHRONIZATION']], 'EnterTime' : [ 0x100, ['unsigned long long']], 'RefCount' : [ 0x140, ['long']], 'CacheAlign0' : [ 0x140, ['array', 64, ['unsigned char']]], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_TOKEN_ACCESS_INFORMATION' : [ 0x58, { 'SidHash' : [ 0x0, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'RestrictedSidHash' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'Privileges' : [ 0x10, ['pointer64', ['_TOKEN_PRIVILEGES']]], 'AuthenticationId' : [ 0x18, ['_LUID']], 'TokenType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'MandatoryPolicy' : [ 0x28, ['_TOKEN_MANDATORY_POLICY']], 'Flags' : [ 0x2c, ['unsigned long']], 'AppContainerNumber' : [ 0x30, ['unsigned long']], 'PackageSid' : [ 0x38, ['pointer64', ['void']]], 'CapabilitiesHash' : [ 0x40, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'TrustLevelSid' : [ 0x48, ['pointer64', ['void']]], 'SecurityAttributes' : [ 0x50, ['pointer64', ['void']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 
'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_WORK_ORDER' : [ 0x38, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x20, ['long']], 'Context' : [ 0x28, ['pointer64', ['void']]], 'WatchdogTimerInfo' : [ 0x30, ['pointer64', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'FloppyMedia' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ForceCollision' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 
'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'Reserved' : [ 0x20, ['array', 3, ['pointer64', ['void']]]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, ['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['unsigned long long']], 'Key' : [ 0x8, ['unsigned long']], 'Pattern' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolType' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 20, native_type='unsigned long')]], 'SlushSize' : [ 0xc, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x50, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ulTargetPlatform' : [ 0x8, ['unsigned long']], 'ullContextMinimum' : [ 0x10, ['unsigned long long']], 'guPlatform' : [ 0x18, ['_GUID']], 'guMinPlatform' : [ 0x28, ['_GUID']], 'ulContextSource' : [ 0x38, ['unsigned long']], 'ulElementCount' : [ 0x3c, ['unsigned long']], 'guElements' : [ 0x40, ['array', 1, ['_GUID']]], } ], 
'_WHEAP_ERROR_SOURCE_TABLE' : [ 0x30, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x18, ['_KEVENT']], } ], '_ETW_HASH_BUCKET' : [ 0x38, { 'ListHead' : [ 0x0, ['array', 3, ['_LIST_ENTRY']]], 'BucketLock' : [ 0x30, ['_EX_PUSH_LOCK']], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x10, ['unsigned char']], 'BlockState' : [ 0x11, ['unsigned char']], 'WaitKey' : [ 0x12, ['unsigned short']], 'SpareLong' : [ 0x14, ['long']], 'Thread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NotificationQueue' : [ 0x18, ['pointer64', ['_KQUEUE']]], 'Object' : [ 0x20, ['pointer64', ['void']]], 'SparePtr' : [ 0x28, ['pointer64', ['void']]], } ], '_ARM64_DBGKD_CONTROL_SET' : [ 0x18, { 'Continue' : [ 0x0, ['unsigned long']], 'TraceFlag' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long 
long']], 'CurrentSymbolEnd' : [ 0x10, ['unsigned long long']], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 
'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'ThermalStandbyTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], 'MinimumThrottle' : [ 0x50, ['unsigned long']], 'OverThrottleThreshold' : [ 0x54, ['unsigned long']], } ], '__unnamed_1ed8' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1eda' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1ed8']], 'Private' : [ 0x0, ['__unnamed_1eda']], } ], '_KTIMER2' : [ 0x88, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'RbNodes' : [ 0x18, ['array', 2, ['_RTL_BALANCED_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'DueTime' : [ 0x48, ['array', 2, ['unsigned long long']]], 'Period' : [ 0x58, ['long long']], 'Callback' : [ 0x60, ['pointer64', ['void']]], 'CallbackContext' : [ 0x68, ['pointer64', ['void']]], 'DisableCallback' : [ 0x70, ['pointer64', ['void']]], 'DisableContext' : [ 0x78, ['pointer64', ['void']]], 'AbsoluteSystemTime' : [ 0x80, ['unsigned char']], 'TypeFlags' 
: [ 0x81, ['unsigned char']], 'Unused' : [ 0x81, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IdleResilient' : [ 0x81, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HighResolution' : [ 0x81, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'NoWake' : [ 0x81, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Unused1' : [ 0x81, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'CollectionIndex' : [ 0x82, ['array', 2, ['unsigned char']]], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SubsectionMappedDirect' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', 
['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'DynamicRelocations' : [ 0x0, ['pointer64', ['void']]], 'SecurityContext' : [ 0x8, ['_IMAGE_SECURITY_CONTEXT']], 'StrongImageReference' : [ 0x10, ['unsigned long long']], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x260, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x10, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x20, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x130, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x240, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x248, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x250, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x258, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, 
['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 28, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PPM_IDLE_STATES' : [ 0x418, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'ForceIdle' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'UnaccountedTransition' : [ 0x5, ['unsigned char']], 'IdleDurationLimited' : [ 
0x6, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'ReasonFlags' : [ 0x24, ['unsigned short']], 'InitiateWakeStamp' : [ 0x28, ['unsigned long long']], 'PreviousStatus' : [ 0x30, ['long']], 'PreviousCancelReason' : [ 0x34, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x38, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0xe0, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x188, ['pointer64', ['void']]], 'IdlePreExecute' : [ 0x190, ['pointer64', ['void']]], 'IdleExecute' : [ 0x198, ['pointer64', ['void']]], 'IdlePreselect' : [ 0x1a0, ['pointer64', ['void']]], 'IdleTest' : [ 0x1a8, ['pointer64', ['void']]], 'IdleAvailabilityCheck' : [ 0x1b0, ['pointer64', ['void']]], 'IdleComplete' : [ 0x1b8, ['pointer64', ['void']]], 'IdleCancel' : [ 0x1c0, ['pointer64', ['void']]], 'IdleIsHalted' : [ 0x1c8, ['pointer64', ['void']]], 'IdleInitiateWake' : [ 0x1d0, ['pointer64', ['void']]], 'PrepareInfo' : [ 0x1d8, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'DeepIdleSnapshot' : [ 0x230, ['_KAFFINITY_EX']], 'Tracing' : [ 0x2d8, ['pointer64', ['_PERFINFO_PPM_STATE_SELECTION']]], 'CoordinatedTracing' : [ 0x2e0, ['pointer64', ['_PERFINFO_PPM_STATE_SELECTION']]], 'ProcessorMenu' : [ 0x2e8, ['_PPM_SELECTION_MENU']], 'CoordinatedMenu' : [ 0x2f8, ['_PPM_SELECTION_MENU']], 'CoordinatedSelection' : [ 0x308, ['_PPM_COORDINATED_SELECTION']], 'State' : [ 0x320, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PPM_VETO_ACCOUNTING' : [ 0x28, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x8, ['_LIST_ENTRY']], 'CsAccountingBlocks' : [ 0x18, ['unsigned char']], 'BlocksDrips' : [ 0x19, ['unsigned char']], 'PreallocatedVetoCount' : [ 0x1c, ['unsigned long']], 'PreallocatedVetoList' : [ 0x20, ['pointer64', ['_PPM_VETO_ENTRY']]], } 
], '_PEB' : [ 0x7a0, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'SparePvoid0' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : 
[ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, 
['pointer64', ['void']]], 'pUnused' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x388, ['unsigned long long']], 'TppWorkerpList' : [ 0x390, ['_LIST_ENTRY']], 'WaitOnAddressHashTable' : [ 0x3a0, ['array', 128, ['pointer64', ['void']]]], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x98, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned short']], 'Flags' : [ 0x5a, ['unsigned char']], 'ShutDownRequested' : [ 0x5a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 
0x5a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x5a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x5a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Wow' : [ 0x5a, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'EventsLostCount' : [ 0x88, ['pointer64', ['unsigned long']]], 'BuffersLostCount' : [ 0x90, ['pointer64', ['unsigned long']]], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_TOKEN_MANDATORY_POLICY' : [ 
0x4, { 'Policy' : [ 0x0, ['unsigned long']], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x50, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x38, ['pointer64', ['void']]], 'DvCallbacks' : [ 0x40, ['pointer64', ['void']]], 'VerifierContext' : [ 0x48, ['pointer64', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, 
['_LUID_AND_ATTRIBUTES']]], } ], '_WHEAP_WORK_QUEUE' : [ 0x88, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x10, ['unsigned long long']], 'ItemCount' : [ 0x18, ['long']], 'Dpc' : [ 0x20, ['_KDPC']], 'WorkItem' : [ 0x60, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x80, ['pointer64', ['void']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x100, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'EmulateActiveBoth' : [ 0x65, ['unsigned char']], 'ActiveCount' : [ 0x66, ['unsigned short']], 'InternalState' : 
[ 0x68, ['long']], 'Mode' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x74, ['unsigned long']], 'DispatchCount' : [ 0x78, ['unsigned long']], 'PassiveEvent' : [ 0x80, ['pointer64', ['_KEVENT']]], 'TrapFrame' : [ 0x88, ['pointer64', ['_KTRAP_FRAME']]], 'DisconnectData' : [ 0x90, ['pointer64', ['void']]], 'ServiceThread' : [ 0x98, ['pointer64', ['_KTHREAD']]], 'ConnectionData' : [ 0xa0, ['pointer64', ['_INTERRUPT_CONNECTION_DATA']]], 'IntTrackEntry' : [ 0xa8, ['pointer64', ['void']]], 'IsrDpcStats' : [ 0xb0, ['_ISRDPCSTATS']], 'RedirectObject' : [ 0xf0, ['pointer64', ['void']]], 'Padding' : [ 0xf8, ['array', 8, ['unsigned char']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x98, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : 
[ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], 'FilePath' : [ 0x88, ['_UNICODE_STRING']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long 
long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '__unnamed_1fa4' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 
'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1fa4']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_EX_WORK_QUEUE' : [ 0x2d0, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'Node' : [ 0x2b0, ['pointer64', ['_ENODE']]], 'WorkItemsProcessed' : [ 0x2b8, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x2bc, ['unsigned long']], 'ThreadCount' : [ 0x2c0, ['long']], 'MinThreads' : [ 0x2c4, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='long')]], 'TryFailed' : [ 0x2c4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'MaxThreads' : [ 0x2c8, ['long']], 'QueueIndex' : [ 0x2cc, ['Enumeration', dict(target = 'long', choices = {0: 'ExPoolUntrusted', 1: 'ExPoolTrusted', 8: 'ExPoolMax'})]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } 
], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_MI_FLAGS' : [ 0x4, { 'EntireFlags' : [ 0x0, ['long']], 'VerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'KernelVerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LargePageKernel' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StopOn4d' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'InitializationPhase' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'PageKernelStacks' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CheckZeroPages' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ProcessorPrewalks' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ProcessorPostwalks' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'CoverageBuild' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AccessBitReplacementDisabled' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CheckExecute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ZeroNonCachedByConverting' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ZeroWriteCombinedByConverting' : [ 0x0, ['BitField', 
dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectedPagesEnabled' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'StrongCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'HardCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ExecutePagePrivilegeRequired' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'StrongPageIdentity' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'SecureRelocations' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_PS_PROPERTY_SET' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['unsigned long long']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x86, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, 
['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 
'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS' : [ 0x1, { 'Trustlet' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Ntos' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'WriteHandle' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ReadHandle' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'AccessRights' : [ 0x0, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_IO_WORKITEM' : [ 0x58, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, 
['pointer64', ['void']]], 'WorkingOnBehalfClient' : [ 0x38, ['pointer64', ['void']]], 'Type' : [ 0x40, ['unsigned long']], 'ActivityId' : [ 0x44, ['_GUID']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ManySubsections' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Enclave' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_MMWSLE_HASH' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long long']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x8, { 'PushImm' : [ 0x0, ['unsigned char']], 'Vector' : [ 0x1, ['unsigned char']], 'PushRbp' : [ 0x2, ['unsigned char']], 'JmpOp' : [ 0x3, ['unsigned char']], 'JmpOffset' : [ 0x4, ['long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x88, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x40, ['_KDPC']], 'WorkOrder' : [ 0x80, ['pointer64', ['_POP_FX_WORK_ORDER']]], } ], '_MI_VAD_EVENT_BLOCK' : [ 
0x40, { 'Next' : [ 0x0, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], 'SecureInfo' : [ 0x10, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x10, ['_RTL_BITMAP_EX']], 'InPageSupport' : [ 0x10, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'LargePage' : [ 0x10, ['pointer64', ['_MI_LARGEPAGE_MEMORY_INFO']]], 'CreatingThread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'PebTeb' : [ 0x10, ['_MI_SUB64K_FREE_RANGES']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_SEP_LUID_TO_INDEX_MAP_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'Luid' : [ 0x20, ['unsigned long long']], 'IndexIntoGlobalSingletonTable' : [ 0x28, ['unsigned long long']], 'MarkedForDeletion' : [ 0x30, ['unsigned char']], } ], '_KTIMER2_COLLECTION' : [ 0x18, { 'Tree' : [ 0x0, ['_RTL_RB_TREE']], 'NextDueTime' : [ 0x10, ['unsigned long long']], } ], '_MIPFNBLINK' : [ 0x8, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeBlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 
56, native_type='unsigned long long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 60, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 62, native_type='unsigned long long')]], 'PageBlinkDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'PageBlinkLockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'ShareCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 62, native_type='unsigned long long')]], 'PageShareCountDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'PageShareCountLockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned long long']], 'Lock' : [ 0x0, ['long long']], 'LockNotUsed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 62, native_type='unsigned long long')]], 'DeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'LockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], 
'_MMCLONE_HEADER' : [ 0x18, { 'NumberOfPtes' : [ 0x0, ['unsigned long long']], 'NumberOfProcessReferences' : [ 0x8, ['unsigned long long']], 'ClonePtes' : [ 0x10, ['pointer64', ['_MMCLONE_BLOCK']]], } ], '_SESSION_LOWBOX_MAP' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'LowboxMap' : [ 0x18, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0xb8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'ArgumentStatus' : [ 0x14, ['long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'RefCount' : [ 0x40, ['unsigned long']], 'Lock' : [ 0x44, ['unsigned long']], 'Cancel' : [ 0x48, ['unsigned char']], 'Parent' : [ 0x50, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'ActivityId' : [ 0x58, ['_GUID']], 
'Data' : [ 0x68, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_PS_WAKE_INFORMATION' : [ 0x38, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 5, ['unsigned long long']]], 'NoWakeCounter' : [ 0x30, ['unsigned long long']], } ], '_RH_OP_CONTEXT' : [ 0x48, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x10, ['pointer64', ['_IRP']]], 'OplockRequestFileObject' : [ 0x18, ['pointer64', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x28, ['pointer64', ['_ETHREAD']]], 'Flags' : [ 0x30, ['unsigned long']], 'AtomicLinks' : [ 0x38, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_KWAIT_CHAIN' : [ 0x8, { 'Head' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_RTL_BITMAP_EX' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_MI_PARTITION_PAGE_LISTS' : [ 0xd40, { 'FreePagesByColor' : [ 0x0, ['array', 2, ['pointer64', ['_MMPFNLIST']]]], 'FreePageSlist' : [ 0x10, ['array', 2, ['pointer64', ['_SLIST_HEADER']]]], 'ZeroedPageListHead' : [ 0x40, ['_MMPFNLIST']], 'FreePageListHead' : [ 0x80, ['_MMPFNLIST']], 'StandbyPageListHead' : [ 0xc0, ['_MMPFNLIST']], 
'StandbyPageListByPriority' : [ 0x100, ['array', 8, ['_MMPFNLIST']]], 'ModifiedPageListNoReservation' : [ 0x240, ['_MMPFNLIST']], 'ModifiedPageListByReservation' : [ 0x280, ['array', 16, ['_MMPFNLIST']]], 'MappedPageListHead' : [ 0x500, ['array', 16, ['_MMPFNLIST']]], 'BadPageListHead' : [ 0x780, ['_MMPFNLIST']], 'EnclavePageListHead' : [ 0x7c0, ['_MMPFNLIST']], 'PageLocationList' : [ 0x7e8, ['array', 8, ['pointer64', ['_MMPFNLIST']]]], 'StandbyRepurposedByPriority' : [ 0x828, ['array', 8, ['unsigned long']]], 'MappedPageListHeadEvent' : [ 0x848, ['array', 16, ['_KEVENT']]], 'DecayClusterTimerHeads' : [ 0x9c8, ['array', 4, ['_MI_DECAY_TIMER_LINK']]], 'DecayHand' : [ 0x9e8, ['unsigned long']], 'LastDecayHandUpdateTime' : [ 0x9f0, ['unsigned long long']], 'LastChanceLdwContext' : [ 0x9f8, ['_MI_LDW_WORK_CONTEXT']], 'AvailableEventsLock' : [ 0xa40, ['unsigned long long']], 'AvailablePageWaitStates' : [ 0xa48, ['array', 3, ['_MI_AVAILABLE_PAGE_WAIT_STATES']]], 'LowMemoryThreshold' : [ 0xaa8, ['unsigned long long']], 'HighMemoryThreshold' : [ 0xab0, ['unsigned long long']], 'TransitionPrivatePages' : [ 0xac0, ['unsigned long long']], 'StandbyListDiscard' : [ 0xac8, ['unsigned long']], 'FreeListDiscard' : [ 0xacc, ['unsigned char']], 'RebuildLargePagesInitialized' : [ 0xacd, ['unsigned char']], 'RebuildLargePagesItem' : [ 0xad0, ['_MI_REBUILD_LARGE_PAGES']], 'AddMemoryNotifyList' : [ 0xcf8, ['_LIST_ENTRY']], 'MirrorListLocks' : [ 0xd08, ['pointer64', ['void']]], } ], '_XSTATE_CONFIGURATION' : [ 0x330, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CompactionEnabled' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], 'EnabledSupervisorFeatures' : [ 0x218, ['unsigned long 
long']], 'AlignedFeatures' : [ 0x220, ['unsigned long long']], 'AllFeatureSize' : [ 0x228, ['unsigned long']], 'AllFeatures' : [ 0x22c, ['array', 64, ['unsigned long']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0x10, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x10, ['unsigned long']], 'NextHash' : [ 0x18, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x20, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x28, ['unsigned long']], 'KcbPushlock' : [ 0x30, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x38, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x38, ['long']], 'SlotHint' : [ 0x40, ['unsigned long']], 'ParentKcb' : [ 0x48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x50, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x60, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x70, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x70, 
['unsigned long']], 'SubKeyCount' : [ 0x70, ['unsigned long']], 'KeyBodyListHead' : [ 0x78, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x78, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x88, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa8, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xb0, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xb2, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xb4, ['unsigned long']], 'KcbUserFlags' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb8, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], } ], '_KLOCK_ENTRY' : [ 0x60, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'EntryFlags' : [ 0x18, ['unsigned long']], 'EntryOffset' : [ 0x18, ['unsigned char']], 'ThreadLocalFlags' : [ 0x19, ['unsigned char']], 'WaitingBit' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare0' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'AcquiredByte' : [ 0x1a, ['unsigned char']], 'AcquiredBit' : [ 0x1a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadFlags' : [ 0x1b, 
['unsigned char']], 'HeadNodeBit' : [ 0x1b, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IoPriorityBit' : [ 0x1b, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare1' : [ 0x1b, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'StaticState' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'AllFlags' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'SpareFlags' : [ 0x1c, ['unsigned long']], 'LockState' : [ 0x20, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x20, ['pointer64', ['void']]], 'CrossThreadReleasableAndBusyByte' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x21, ['array', 6, ['unsigned char']]], 'InTreeByte' : [ 0x27, ['unsigned char']], 'SessionState' : [ 0x28, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], 'SessionPad' : [ 0x2c, ['unsigned long']], 'OwnerTree' : [ 0x30, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x40, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x30, ['unsigned char']], 'EntryLock' : [ 0x50, ['unsigned long long']], 'AllBoosts' : [ 0x58, ['unsigned short']], 'IoBoost' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'CpuBoostsBitmap' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x5a, ['unsigned short']], 'SparePad' : [ 0x5c, ['unsigned short']], } ], '_OBP_SYSTEM_DOS_DEVICE_STATE' : [ 0x6c, { 'GlobalDeviceMap' : [ 0x0, ['unsigned long']], 'LocalDeviceCount' : [ 0x4, ['array', 26, ['unsigned long']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long 
long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 24, native_type='unsigned long long')]], 'LocalPartition' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2080' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x108, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_2080']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['_MODWRITER_FLAGS']], 'StoreWriteRefCount' : [ 0x2c, ['unsigned long']], 'StoreWriteCompletionApc' : [ 0x30, ['_KAPC']], 'ByteCount' : [ 0x88, ['unsigned long']], 'ChargedPages' : [ 0x8c, ['unsigned long']], 'PagingFile' : [ 0x90, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0xa0, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0xa8, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0xb0, ['_LARGE_INTEGER']], 'IssueTime' : [ 0xb8, ['_LARGE_INTEGER']], 'Partition' : [ 0xc0, ['pointer64', ['_MI_PARTITION']]], 'PointerMdl' : [ 0xc8, ['pointer64', ['_MDL']]], 'Mdl' : [ 0xd0, ['_MDL']], 'Page' : [ 0x100, ['array', 1, ['unsigned long long']]], } ], '_MI_PARTITION_COMMIT' : [ 0x80, { 'PeakCommitment' : [ 0x0, ['unsigned long long']], 'TotalCommitLimitMaximum' : [ 0x8, ['unsigned long 
long']], 'Popups' : [ 0x10, ['array', 2, ['long']]], 'LowCommitThreshold' : [ 0x18, ['unsigned long long']], 'HighCommitThreshold' : [ 0x20, ['unsigned long long']], 'EventLock' : [ 0x28, ['unsigned long long']], 'SystemCommitReserve' : [ 0x30, ['unsigned long long']], 'OverCommit' : [ 0x40, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_TOKEN_PRIVILEGES' : [ 0x10, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Privileges' : [ 0x4, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 
0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x50, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'ContextSwitches' : [ 0x18, ['unsigned long long']], 'ReadOperationCount' : [ 0x20, ['long long']], 'WriteOperationCount' : [ 0x28, ['long long']], 'OtherOperationCount' : [ 0x30, ['long long']], 'ReadTransferCount' : [ 0x38, ['long long']], 'WriteTransferCount' : [ 0x40, ['long long']], 'OtherTransferCount' : [ 0x48, ['long long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x1d0, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x8, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x10, ['unsigned long long']], 'IdleTimeTotal' : [ 0x18, ['unsigned long long']], 'IdleTimeEntry' : [ 0x20, ['unsigned long long']], 'IdleTimeExpiration' : [ 0x28, ['unsigned long long']], 'NonInterruptibleTransition' : [ 0x30, ['unsigned char']], 'PepWokenTransition' : [ 0x31, ['unsigned char']], 'Class' : [ 0x32, ['unsigned char']], 'TargetIdleState' : [ 0x34, ['unsigned long']], 'IdlePolicy' : [ 0x38, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x40, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x48, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xd8, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower', 3: 'ProcHypervisorHvCounters'})]], 'LastSysTime' : [ 0xdc, ['unsigned long']], 
'WmiDispatchPtr' : [ 0xe0, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0xe8, ['long']], 'FFHThrottleStateInfo' : [ 0xf0, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x110, ['_KDPC']], 'PerfActionMask' : [ 0x150, ['long']], 'HvIdleCheck' : [ 0x158, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x168, ['pointer64', ['_PROC_PERF_CHECK']]], 'Domain' : [ 0x170, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x178, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x180, ['pointer64', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x188, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x190, ['pointer64', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x198, ['unsigned char']], 'HvTargetState' : [ 0x199, ['unsigned char']], 'Parked' : [ 0x19a, ['unsigned char']], 'LatestPerformancePercent' : [ 0x19c, ['unsigned long']], 'AveragePerformancePercent' : [ 0x1a0, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x1a4, ['unsigned long']], 'RelativePerformance' : [ 0x1a8, ['unsigned long']], 'Utility' : [ 0x1ac, ['unsigned long']], 'AffinitizedUtility' : [ 0x1b0, ['unsigned long']], 'SnapTimeLast' : [ 0x1b8, ['unsigned long long']], 'EnergyConsumed' : [ 0x1b8, ['unsigned long long']], 'ActiveTime' : [ 0x1c0, ['unsigned long long']], 'TotalTime' : [ 0x1c8, ['unsigned long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SystemChargedPage' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_THREAD_ENERGY_VALUES' : [ 0x40, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_CC_ASYNC_READ_CONTEXT' : [ 0x20, { 'CompletionRoutine' : [ 0x0, ['pointer64', ['void']]], 'Context' : [ 0x8, ['pointer64', ['void']]], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'RequestorMode' : [ 0x18, ['unsigned char']], 'NestingLevel' : [ 0x1c, ['unsigned long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_CMHIVE' : [ 0x17a8, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0xa68, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0xa98, ['_LIST_ENTRY']], 'HiveList' : [ 0xaa8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0xab8, ['_LIST_ENTRY']], 'FailedUnloadList' : [ 0xac8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0xad8, 
['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0xae0, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0xaf0, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0xaf8, ['unsigned long']], 'DeletedKcbTable' : [ 0xb00, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0xb08, ['unsigned long']], 'Identity' : [ 0xb0c, ['unsigned long']], 'HiveLock' : [ 0xb10, ['pointer64', ['_FAST_MUTEX']]], 'WriterLock' : [ 0xb18, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0xb20, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0xb28, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0xb38, ['unsigned long']], 'FlushLogEntry' : [ 0xb40, ['pointer64', ['unsigned char']]], 'FlushLogEntrySize' : [ 0xb48, ['unsigned long']], 'FlushHiveTruncated' : [ 0xb4c, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0xb50, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0xb58, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0xb68, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0xb70, ['pointer64', ['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0xb78, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0xb80, ['pointer64', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0xb88, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0xb90, ['unsigned long']], 'LastShrinkHiveSize' : [ 0xb94, ['unsigned long']], 'ActualFileSize' : [ 0xb98, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0xba0, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0xbb0, ['_UNICODE_STRING']], 'FileUserName' : [ 0xbc0, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0xbd0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0xbe0, ['unsigned long']], 'SecurityCacheSize' : [ 0xbe4, ['unsigned long']], 'SecurityHitHint' : [ 0xbe8, ['long']], 'SecurityCache' : [ 0xbf0, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0xbf8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xff8, ['unsigned long']], 'UnloadEventArray' : [ 0x1000, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0x1008, 
['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x1010, ['unsigned char']], 'UnloadWorkItem' : [ 0x1018, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x1020, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x1048, ['unsigned char']], 'GrowOffset' : [ 0x104c, ['unsigned long']], 'KcbConvertListHead' : [ 0x1050, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x1060, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0x1068, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0x14f0, ['unsigned long']], 'TrustClassEntry' : [ 0x14f8, ['_LIST_ENTRY']], 'DirtyTime' : [ 0x1508, ['unsigned long long']], 'UnreconciledTime' : [ 0x1510, ['unsigned long long']], 'CmRm' : [ 0x1518, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x1520, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x1524, ['long']], 'CreatorOwner' : [ 0x1528, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0x1530, ['pointer64', ['_KTHREAD']]], 'LastWriteTime' : [ 0x1538, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0x1540, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0x1558, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0x1570, ['unsigned long']], 'FlushActive' : [ 0x1570, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0x1570, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0x1570, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0x1570, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0x1574, ['unsigned long']], 'ReferenceCount' : [ 0x1578, ['long']], 'UnloadHistoryIndex' : [ 0x157c, ['long']], 'UnloadHistory' : [ 0x1580, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0x1780, ['unsigned long']], 'UnaccessedStart' : [ 0x1784, ['unsigned long']], 'UnaccessedEnd' : [ 0x1788, ['unsigned long']], 'LoadedKeyCount' : [ 0x178c, ['unsigned long']], 'HandleClosePending' : [ 0x1790, 
['unsigned long']], 'HandleClosePendingEvent' : [ 0x1798, ['_EX_PUSH_LOCK']], 'FinalFlushSucceeded' : [ 0x17a0, ['unsigned char']], 'FailedUnload' : [ 0x17a1, ['unsigned char']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x38, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long long']], 'DirtyPageThresholdTop' : [ 0x8, ['unsigned long long']], 'DirtyPageThresholdBottom' : [ 0x10, ['unsigned long long']], 'DirtyPageTarget' : [ 0x18, ['unsigned long']], 'AggregateAvailablePages' : [ 0x20, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x28, ['unsigned long long']], 'AvailableHistory' : [ 0x30, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Reserved0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', 
dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceAge' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'NewMaximum' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CommitReleaseState' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_PPM_VETO_ENTRY' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'VetoReason' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'HitCount' : [ 0x18, ['unsigned long long']], 'LastActivationTime' : [ 0x20, ['unsigned long long']], 'TotalActiveTime' : [ 0x28, ['unsigned long long']], 'CsActivationTime' : [ 0x30, ['unsigned long long']], 'CsActiveTime' : [ 0x38, ['unsigned long long']], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned 
long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 
'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderZero', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderVsmMemory', 30: 'LoaderFirmwareCode', 31: 'LoaderFirmwareData', 32: 'LoaderFirmwareReserved', 33: 'LoaderEnclaveMemory', 34: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x408, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 
'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x28, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x8, ['_RTL_BITMAP']], 'HashTable' : [ 0x18, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x20, ['unsigned char']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xa8, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned 
long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ExecutePoolTypes' : [ 0x90, ['unsigned long']], 'ExecutePageProtections' : [ 0x94, ['unsigned long']], 'ExecutePageMappings' : [ 0x98, ['unsigned long']], 'ExecuteWriteSections' : [ 0x9c, ['unsigned long']], 'SectionAlignmentFailures' : [ 0xa0, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE' : [ 0x1810, { 'CurrentSize' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'Epoch' : [ 0x8, ['unsigned long']], 'Overflow' : [ 0xc, ['unsigned char']], 'TableEntry' : [ 0x10, ['array', 256, ['_INVERTED_FUNCTION_TABLE_ENTRY']]], } ], '_VF_DRIVER_IO_CALLBACKS' : [ 0x100, { 'DriverInit' : [ 0x0, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x8, ['pointer64', ['void']]], 'DriverUnload' : [ 0x10, ['pointer64', ['void']]], 'AddDevice' : [ 0x18, ['pointer64', ['void']]], 'MajorFunction' : [ 0x20, ['array', 28, ['pointer64', ['void']]]], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0x18, { 'ActiveThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'WaitList' : [ 0x8, ['pointer64', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x10, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x10, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], } ], '_GENERIC_MAPPING' : [ 0x10, { 
'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_UMS_CONTROL_BLOCK' : [ 0x90, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsWaitEvent' : [ 0x30, ['_KEVENT']], 'StagingArea' : [ 0x48, ['pointer64', ['void']]], 'UmsPrimaryDeliveredContext' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsFlags' : [ 0x50, ['unsigned long']], 'TebSelector' : [ 0x88, ['unsigned short']], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, 
['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_ETIMER' : [ 0x138, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x40, ['unsigned long long']], 'TimerApc' : [ 0x48, ['_KAPC']], 'TimerDpc' : [ 0xa0, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'Period' : [ 0xf0, ['unsigned long']], 'TimerFlags' : [ 0xf4, ['unsigned char']], 'ApcAssociated' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0xf5, ['unsigned char']], 'Spare2' : [ 0xf6, ['unsigned short']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x110, ['pointer64', ['void']]], 'VirtualizedTimerLinks' : [ 0x118, ['_LIST_ENTRY']], 'DueTime' : [ 0x128, ['unsigned long long']], 'CoalescingWindow' : [ 0x130, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x90, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'Count' : [ 0x28, ['unsigned long long']], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'StackTrace' : [ 0x40, ['array', 8, ['pointer64', ['void']]]], 'Who' : [ 0x80, ['unsigned long']], 'Process' : [ 0x88, ['pointer64', ['_EPROCESS']]], } ], '_MI_CACHED_PTES' : [ 0x48, { 'Bins' : [ 0x0, ['array', 8, ['_MI_CACHED_PTE']]], 'CachedPteCount' : [ 0x40, ['long']], } 
], '_EXHANDLE' : [ 0x8, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], } ], '__unnamed_2155' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_2155']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK_AUTO_EXPAND_STATE' : [ 0x4, { 'Expanded' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Transitioning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Pageable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x488, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_ARBITER_INSTANCE' : [ 0x150, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, 
['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MI_SYSTEM_INFORMATION' : [ 0x1bc0, { 'Pools' : [ 0x0, ['_MI_POOL_STATE']], 'Sections' : [ 
0x100, ['_MI_SECTION_STATE']], 'SystemImages' : [ 0x380, ['_MI_SYSTEM_IMAGE_STATE']], 'Sessions' : [ 0x440, ['_MI_SESSION_STATE']], 'Processes' : [ 0x4d0, ['_MI_PROCESS_STATE']], 'Hardware' : [ 0x530, ['_MI_HARDWARE_STATE']], 'SystemVa' : [ 0x600, ['_MI_SYSTEM_VA_STATE']], 'PageCombines' : [ 0x8c0, ['_MI_COMBINE_STATE']], 'Partitions' : [ 0xa60, ['_MI_PARTITION_STATE']], 'Shutdowns' : [ 0xac0, ['_MI_SHUTDOWN_STATE']], 'Errors' : [ 0xb40, ['_MI_ERROR_STATE']], 'AccessLog' : [ 0xc00, ['_MI_ACCESS_LOG_STATE']], 'Debugger' : [ 0xc80, ['_MI_DEBUGGER_STATE']], 'Standby' : [ 0xdc0, ['_MI_STANDBY_STATE']], 'SystemPtes' : [ 0xe80, ['_MI_SYSTEM_PTE_STATE']], 'IoPages' : [ 0x1000, ['_MI_IO_PAGE_STATE']], 'PagingIo' : [ 0x1060, ['_MI_PAGING_IO_STATE']], 'CommonPages' : [ 0x10b0, ['_MI_COMMON_PAGE_STATE']], 'Trims' : [ 0x1180, ['_MI_SYSTEM_TRIM_STATE']], 'ResTrack' : [ 0x11c0, ['_MI_RESAVAIL_TRACKER']], 'Cookie' : [ 0x1540, ['unsigned long long']], 'ZeroingDisabled' : [ 0x1548, ['long']], 'BootRegistryRuns' : [ 0x1550, ['pointer64', ['pointer64', ['void']]]], 'FullyInitialized' : [ 0x1558, ['unsigned char']], 'SafeBooted' : [ 0x1559, ['unsigned char']], 'LargePfnBitMap' : [ 0x1560, ['_RTL_BITMAP_EX']], 'TraceLogging' : [ 0x1570, ['pointer64', ['_TlgProvider_t']]], 'Vs' : [ 0x1580, ['_MI_VISIBLE_STATE']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_PPM_SELECTION_DEPENDENCY' : [ 0x18, { 'Processor' : [ 0x0, ['unsigned long']], 'Menu' : [ 0x8, ['_PPM_SELECTION_MENU']], } ], '__unnamed_21cf' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_21d1' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_21cf']], } ], '__unnamed_21d3' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_21d1']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_21d3']], } ], '_MI_VISIBLE_STATE' : [ 0x640, { 'SpecialPool' : [ 
0x0, ['_MI_SPECIAL_POOL']], 'SessionWsList' : [ 0x50, ['_LIST_ENTRY']], 'SessionIdBitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'PagedPoolInfo' : [ 0x68, ['_MM_PAGED_POOL_INFO']], 'MaximumNonPagedPoolInPages' : [ 0xa0, ['unsigned long long']], 'SizeOfPagedPoolInPages' : [ 0xa8, ['unsigned long long']], 'SystemPteInfo' : [ 0xb0, ['_MI_SYSTEM_PTE_TYPE']], 'NonPagedPoolCommit' : [ 0x110, ['unsigned long long']], 'BootCommit' : [ 0x118, ['unsigned long long']], 'MdlPagesAllocated' : [ 0x120, ['unsigned long long']], 'SystemPageTableCommit' : [ 0x128, ['unsigned long long']], 'SpecialPagesInUse' : [ 0x130, ['unsigned long long']], 'WsOverheadPages' : [ 0x138, ['unsigned long long']], 'VadBitmapPages' : [ 0x140, ['unsigned long long']], 'ProcessCommit' : [ 0x148, ['unsigned long long']], 'SharedCommit' : [ 0x150, ['unsigned long long']], 'DriverCommit' : [ 0x158, ['long']], 'SystemWs' : [ 0x180, ['array', 3, ['_MMSUPPORT']]], 'MapCacheFailures' : [ 0x468, ['unsigned long']], 'PagefileHashPages' : [ 0x470, ['unsigned long long']], 'PteHeader' : [ 0x478, ['_SYSPTES_HEADER']], 'SessionSpecialPool' : [ 0x590, ['pointer64', ['_MI_SPECIAL_POOL']]], 'SystemVaTypeCount' : [ 0x598, ['array', 14, ['unsigned long long']]], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_HMAP_TABLE' : [ 0x5000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, 
['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'HandleCount' : [ 0x28, ['unsigned long']], 'Handles' : [ 0x30, ['pointer64', ['pointer64', ['void']]]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x58, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'ProcCap' : [ 0x10, ['unsigned long']], 'ProcFloor' : [ 0x14, ['unsigned long']], 'PlatformCap' : [ 0x18, ['unsigned long']], 'ThermalCap' : [ 0x1c, ['unsigned long']], 'LimitReasons' : [ 0x20, ['unsigned long']], 'PlatformCapStartTime' : [ 0x28, ['unsigned long long']], 'TargetPercent' : [ 0x30, ['unsigned long']], 'SelectedPercent' : [ 0x34, ['unsigned long']], 'SelectedFrequency' : [ 0x38, ['unsigned long']], 'PreviousFrequency' : [ 0x3c, ['unsigned long']], 'PreviousPercent' : [ 0x40, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x44, ['unsigned long']], 'SelectedState' : [ 0x48, ['unsigned long long']], 'Force' : [ 0x50, ['unsigned char']], } ], '__unnamed_21ef' : [ 0x20, { 'CallerCompletion' : [ 0x0, ['pointer64', ['void']]], 'CallerContext' : [ 0x8, ['pointer64', ['void']]], 'CallerDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0x18, ['unsigned char']], } ], '__unnamed_21f2' : [ 0x10, { 'NotifyDevice' : [ 0x0, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x8, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0xf8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x30, ['unsigned long long']], 'WatchdogTimer' : [ 0x38, ['_KTIMER']], 'WatchdogDpc' : [ 0x78, ['_KDPC']], 'MinorFunction' : [ 0xb8, ['unsigned char']], 'PowerStateType' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 
'PowerState' : [ 0xc0, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0xc4, ['unsigned char']], 'FxDevice' : [ 0xc8, ['pointer64', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0xd0, ['unsigned char']], 'NotifyPEP' : [ 0xd1, ['unsigned char']], 'Device' : [ 0xd8, ['__unnamed_21ef']], 'System' : [ 0xd8, ['__unnamed_21f2']], } ], '_MI_ERROR_STATE' : [ 0xb8, { 'BadMemoryEventEntry' : [ 0x0, ['_MI_BAD_MEMORY_EVENT_ENTRY']], 'ProbeRaises' : [ 0x38, ['_MI_PROBE_RAISE_TRACKER']], 'ForcedCommits' : [ 0x78, ['_MI_FORCED_COMMITS']], 'WsleFailures' : [ 0x80, ['array', 2, ['unsigned long']]], 'WsLinear' : [ 0x88, ['unsigned long']], 'PageHashErrors' : [ 0x8c, ['unsigned long']], 'CheckZeroCount' : [ 0x90, ['unsigned long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x94, ['long']], 'BadPagesDetected' : [ 0x98, ['long']], 'ScrubPasses' : [ 0x9c, ['long']], 'ScrubBadPagesFound' : [ 0xa0, ['long']], 'UserViewFailures' : [ 0xa4, ['unsigned long']], 'UserViewCollisionFailures' : [ 0xa8, ['unsigned long']], 'ResavailFailures' : [ 0xac, ['_MI_RESAVAIL_FAILURES']], 'PendingBadPages' : [ 0xb4, ['unsigned char']], 'InitFailure' : [ 0xb5, ['unsigned char']], 'StopBadMaps' : [ 0xb6, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_MI_USER_VA_INFO' : [ 0x158, { 'NumberOfCommittedPageTables' : [ 0x0, ['unsigned long']], 'HighestTopDownAllocationAddress' : [ 0x8, ['pointer64', ['void']]], 'VadCell' : [ 0x10, ['array', 2, ['_MI_VAD_ALLOCATION_CELL']]], 'VadBitMapCommitment' : [ 0x60, ['unsigned long']], 'MaximumLastVadBit' : [ 0x64, ['unsigned long']], 'VadsBeingDeleted' : [ 0x68, ['long']], 'NumberOfDebugEnclaves' : [ 0x6c, ['long']], 'PhysicalMappingCount' : [ 0x70, ['unsigned long long']], 'LastVadDeletionEvent' : [ 0x78, ['pointer64', ['_KEVENT']]], 'SubVadRanges' : [ 0x80, ['array', 3, ['_LIST_ENTRY']]], 'NumaAware' : [ 0xb0, ['unsigned char']], 'CloneNestingLevel' : [ 0xb8, ['unsigned long long']], 'PrivateFixupVadCount' : [ 0xc0, ['unsigned long long']], 'CfgBitMap' : [ 0xc8, ['array', 2, ['_MI_CFG_BITMAP_INFO']]], 'CommittedPageTableBufferForTopLevel' : [ 0xf8, ['array', 8, ['unsigned long']]], 'CommittedPageTableBitmaps' : [ 0x118, ['array', 3, ['_RTL_BITMAP']]], 'PageTableBitmapPages' : [ 0x148, ['array', 3, ['unsigned long']]], } ], '_PROC_FEEDBACK' : [ 0x90, { 'Lock' : [ 0x0, ['unsigned long long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer64', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x28, ['unsigned long long']], 'UnscaledTime' : [ 0x30, ['unsigned long long']], 'UnaccountedTime' : [ 0x38, ['long long']], 'ScaledTime' : [ 0x40, ['array', 2, ['unsigned 
long long']]], 'UnaccountedKernelTime' : [ 0x50, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x58, ['unsigned long long']], 'UserTimeLast' : [ 0x60, ['unsigned long']], 'KernelTimeLast' : [ 0x64, ['unsigned long']], 'IdleGenerationNumberLast' : [ 0x68, ['unsigned long long']], 'HvActiveTimeLast' : [ 0x70, ['unsigned long long']], 'StallCyclesLast' : [ 0x78, ['unsigned long long']], 'StallTime' : [ 0x80, ['unsigned long long']], 'KernelTimesIndex' : [ 0x88, ['unsigned char']], } ], '_MI_PAGEFILE_BITMAPS_CACHE_ENTRY' : [ 0x38, { 'LengthTreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_LIST_ENTRY']], 'LocationTreeNode' : [ 0x18, ['_RTL_BALANCED_NODE']], 'StartingIndex' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], } ], '__unnamed_220f' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2213' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_2215' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_2217' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_2219' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_221b' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 
'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_221d' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_221f' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2221' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2223' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2225' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_2227' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_220f']], 'Memory' : [ 0x0, ['__unnamed_220f']], 'Interrupt' : [ 0x0, ['__unnamed_2213']], 'Dma' : [ 0x0, ['__unnamed_2215']], 'DmaV3' : [ 0x0, ['__unnamed_2217']], 'Generic' : [ 0x0, ['__unnamed_220f']], 'DevicePrivate' : [ 0x0, ['__unnamed_2219']], 'BusNumber' : [ 0x0, ['__unnamed_221b']], 'ConfigData' : [ 0x0, ['__unnamed_221d']], 'Memory40' : [ 0x0, ['__unnamed_221f']], 'Memory48' : [ 0x0, ['__unnamed_2221']], 'Memory64' : [ 0x0, ['__unnamed_2223']], 'Connection' : [ 0x0, ['__unnamed_2225']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_2227']], } ], 
'_POP_THERMAL_ZONE' : [ 0x348, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], 'State' : [ 0x40, ['unsigned char']], 'Flags' : [ 0x41, ['unsigned char']], 'Removing' : [ 0x42, ['unsigned char']], 'Mode' : [ 0x43, ['unsigned char']], 'PendingMode' : [ 0x44, ['unsigned char']], 'ActivePoint' : [ 0x45, ['unsigned char']], 'PendingActivePoint' : [ 0x46, ['unsigned char']], 'Critical' : [ 0x47, ['unsigned char']], 'ThermalStandby' : [ 0x48, ['unsigned char']], 'OverThrottled' : [ 0x49, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x4c, ['long']], 'Throttle' : [ 0x50, ['long']], 'PendingThrottle' : [ 0x54, ['long']], 'ThrottleReasons' : [ 0x58, ['unsigned long']], 'LastTime' : [ 0x60, ['unsigned long long']], 'SampleRate' : [ 0x68, ['unsigned long']], 'LastTemp' : [ 0x6c, ['unsigned long']], 'PassiveTimer' : [ 0x70, ['_KTIMER']], 'PassiveDpc' : [ 0xb0, ['_KDPC']], 'Info' : [ 0xf0, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0x148, ['_LARGE_INTEGER']], 'Policy' : [ 0x150, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0x168, ['unsigned char']], 'LastActiveStartTime' : [ 0x170, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x178, ['unsigned long long']], 'WorkItem' : [ 0x180, ['_WORK_QUEUE_ITEM']], 'Lock' : [ 0x1a0, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x1b0, 
['_KEVENT']], 'TemperatureUpdated' : [ 0x1c8, ['_KEVENT']], 'InstanceId' : [ 0x1e0, ['unsigned long']], 'TelemetryTracker' : [ 0x1e8, ['_POP_THERMAL_TELEMETRY_TRACKER']], 'Description' : [ 0x338, ['_UNICODE_STRING']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 28, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_MI_REBUILD_LARGE_PAGES' : [ 0x228, { 'Active' : [ 0x0, ['long']], 'Timer' : [ 0x4, ['array', 64, ['array', 4, ['_MI_REBUILD_LARGE_PAGE_COUNTDOWN']]]], 'WorkItem' : [ 0x208, ['_WORK_QUEUE_ITEM']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0xa68, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, 
['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileWrite' : [ 0x28, ['pointer64', ['void']]], 'FileRead' : [ 0x30, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x38, ['pointer64', ['void']]], 'BaseBlock' : [ 0x40, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x48, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x58, ['unsigned long']], 'DirtyAlloc' : [ 0x5c, ['unsigned long']], 'UnreconciledVector' : [ 0x60, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x70, ['unsigned long']], 'BaseBlockAlloc' : [ 0x74, ['unsigned long']], 'Cluster' : [ 0x78, ['unsigned long']], 'Flat' : [ 0x7c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x7c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SystemCacheBacked' : [ 0x7c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x7c, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x7d, ['unsigned char']], 'HvBinHeadersUse' : [ 0x80, ['unsigned long']], 'HvFreeCellsUse' : [ 0x84, ['unsigned long']], 'HvUsedCellsUse' : [ 0x88, ['unsigned long']], 'CmUsedCellsUse' : [ 0x8c, ['unsigned long']], 'HiveFlags' : [ 0x90, ['unsigned long']], 'CurrentLog' : [ 0x94, ['unsigned long']], 'CurrentLogSequence' : [ 0x98, ['unsigned long']], 'CurrentLogMinimumSequence' : [ 0x9c, ['unsigned long']], 'CurrentLogOffset' : [ 0xa0, ['unsigned long']], 'MinimumLogSequence' : [ 0xa4, ['unsigned long']], 'LogFileSizeCap' : [ 0xa8, ['unsigned long']], 'LogDataPresent' : [ 0xac, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0xae, ['unsigned char']], 'BaseBlockDirty' : [ 0xaf, ['unsigned char']], 'LastLogSwapTime' : [ 0xb0, ['_LARGE_INTEGER']], 'FirstLogFile' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'SecondLogFile' : [ 0xb8, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 'HeaderRecovered' : [ 
0xb8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0xb8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0xb8, ['unsigned short']], 'LogEntriesRecovered' : [ 0xba, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0xbc, ['unsigned long']], 'StorageTypeCount' : [ 0xc0, ['unsigned long']], 'Version' : [ 0xc4, ['unsigned long']], 'ViewMap' : [ 0xc8, ['_HVIEW_MAP']], 'Storage' : [ 0x578, ['array', 2, ['_DUAL']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_ETW_FILTER_HEADER' : [ 0x48, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x8, ['pointer64', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x10, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0x18, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x20, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x28, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x30, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x38, ['pointer64', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x40, ['pointer64', ['_EVENT_FILTER_HEADER']]], } ], '_CM_WORKITEM' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_CM_TRANS' : [ 0xa8, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', 
['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_POP_THERMAL_TELEMETRY_TRACKER' : [ 0x150, { 'AccountingDisabled' : [ 0x0, ['unsigned char']], 'LastPassiveUpdateTime' : [ 0x8, ['unsigned long long']], 'TotalPassiveTime' : [ 0x10, ['array', 20, ['unsigned long long']]], 'PassiveTimeSnap' : [ 0xb0, ['array', 20, ['unsigned long long']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, 
['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_HVIEW_MAP' : [ 0x4b0, { 'MappedLength' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Directory' : [ 0x18, ['pointer64', ['_HVIEW_MAP_DIRECTORY']]], 'PagesCharged' : [ 0x20, ['unsigned long']], 'PinLog' : [ 0x28, ['_HVIEW_MAP_PIN_LOG']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_DISALLOWED_GUIDS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Guids' : [ 0x8, ['pointer64', ['_GUID']]], } ], '_HVIEW_MAP_DIRECTORY' : [ 0x400, { 'Tables' : [ 0x0, ['array', 128, ['pointer64', ['_HVIEW_MAP_TABLE']]]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1f, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1e, ['unsigned char']], } ], '__unnamed_229f' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 
0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_22a1' : [ 0x20, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_229f']], } ], '_VF_TARGET_DRIVER' : [ 0x38, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x10, ['__unnamed_22a1']], 'VerifiedData' : [ 0x30, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_22aa' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_22ac' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_22ae' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceId' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_22b0' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_22b2' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_22b4' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_22b6' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_22b8' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_22ba' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_22bc' : [ 
0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_22aa']], 'TargetDevice' : [ 0x0, ['__unnamed_22ac']], 'InstallDevice' : [ 0x0, ['__unnamed_22ac']], 'CustomNotification' : [ 0x0, ['__unnamed_22ae']], 'ProfileNotification' : [ 0x0, ['__unnamed_22b0']], 'PowerNotification' : [ 0x0, ['__unnamed_22b2']], 'VetoNotification' : [ 0x0, ['__unnamed_22b4']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_22b6']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_22b8']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_22ba']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_22ac']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_22ac']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_22bc']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x58, { 'Context' : [ 0x0, ['pointer64', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x38, ['unsigned long']], 'DependencyUsed' : [ 0x3c, ['unsigned long']], 'DependencyArray' : [ 0x40, ['pointer64', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x48, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x4c, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x50, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 
'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '__unnamed_22d8' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_22d8']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, 
end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_MI_HARDWARE_STATE' : [ 0xa8, { 'NodeMask' : [ 0x0, ['unsigned long']], 'NodeGraph' : [ 0x8, ['pointer64', ['unsigned short']]], 'SystemNodeInformation' : [ 0x10, ['pointer64', ['_MI_SYSTEM_NODE_INFORMATION']]], 'NumaLastRangeIndex' : [ 0x18, ['unsigned long']], 'NumaMemoryRanges' : [ 0x20, ['pointer64', ['_HAL_NODE_RANGE']]], 'NumaTableCaptured' : [ 0x28, ['unsigned char']], 'NodeShift' : [ 0x29, ['unsigned char']], 'ChannelMemoryRanges' : [ 0x30, ['pointer64', ['_HAL_CHANNEL_MEMORY_RANGES']]], 'ChannelShift' : [ 0x38, ['unsigned char']], 'SecondLevelCacheSize' : [ 0x3c, ['unsigned long']], 'FirstLevelCacheSize' : [ 0x40, ['unsigned long']], 'PhysicalAddressBits' : [ 0x44, ['unsigned long']], 'AllMainMemoryMustBeCached' : [ 0x48, ['unsigned char']], 'TotalPagesAllowed' : [ 0x50, ['unsigned long long']], 'SecondaryColorMask' : [ 0x58, ['unsigned long']], 'SecondaryColors' : [ 0x5c, ['unsigned long']], 'FlushTbForAttributeChange' : [ 0x60, ['unsigned long']], 'FlushCacheForAttributeChange' : [ 0x64, ['unsigned long']], 'FlushCacheForPageAttributeChange' : [ 0x68, ['unsigned long']], 'CacheFlushPromoteThreshold' : [ 0x6c, ['unsigned long']], 'FlushTbThreshold' : [ 0x70, ['unsigned long long']], 'ZeroCostCounts' : [ 0x78, ['array', 2, ['_MI_ZERO_COST_COUNTS']]], 'PrimaryPfns' : [ 0x98, ['unsigned long long']], 
'HighestPossiblePhysicalPage' : [ 0xa0, ['unsigned long long']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x78, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, 
['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], 'WaitObjectFlagMask' : [ 0x70, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x74, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x76, ['unsigned short']], } ], '__unnamed_231c' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MI_DECAY_TIMER_LINKAGE']], } ], '_MI_DECAY_TIMER_LINK' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_231c']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, 
['unsigned long long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_HEAP_EXTENDED_ENTRY' : [ 0x10, { 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], } ], '_MI_SYSTEM_VA_STATE' : [ 0x2c0, { 'SystemTablesLock' : [ 0x0, ['unsigned long long']], 'AvailableSystemCacheVa' : [ 0x8, ['unsigned long long']], 'DynamicBitMapSystemPtes' : [ 0x10, ['_MI_DYNAMIC_BITMAP']], 'DynamicBitMapDriverImages' : [ 0x60, ['array', 2, ['_MI_DYNAMIC_BITMAP']]], 'DynamicBitMapPagedPool' : [ 0x100, ['_MI_DYNAMIC_BITMAP']], 'DynamicBitMapSpecialPool' : [ 0x150, ['_MI_DYNAMIC_BITMAP']], 'DynamicBitMapSystemCache' : [ 0x1a0, ['_MI_DYNAMIC_BITMAP']], 'WorkingSetListHashStart' : [ 0x1f0, ['pointer64', ['_MMWSLE_HASH']]], 'WorkingSetListHashEnd' : [ 0x1f8, ['pointer64', ['_MMWSLE_HASH']]], 'WorkingSetListIndirectHashStart' : [ 0x200, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'FreeSystemCacheVa' : [ 0x208, ['_KEVENT']], 'SystemVaLock' : [ 0x220, ['unsigned long long']], 'DeleteKvaLock' : [ 0x228, ['long']], 'FreeSystemCache' : [ 0x230, ['_MI_PTE_CHAIN_HEAD']], 'SystemCacheViewLock' : [ 0x248, ['unsigned long long']], 'UnusableWsles' : [ 0x250, ['array', 5, ['unsigned long long']]], 'PossibleWsles' : [ 0x278, ['array', 5, ['unsigned long long']]], } ], '_DIRTY_PAGE_STATISTICS' : [ 0x18, { 'DirtyPages' : [ 0x0, ['unsigned long long']], 'DirtyPagesLastScan' : [ 0x8, ['unsigned 
long long']], 'DirtyPagesScheduledLastScan' : [ 0x10, ['unsigned long']], } ], '_DBGKD_WRITE_CUSTOM_BREAKPOINT' : [ 0x18, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointInstruction' : [ 0x8, ['unsigned long long']], 'BreakPointHandle' : [ 0x10, ['unsigned long']], 'BreakPointInstructionSize' : [ 0x14, ['unsigned char']], 'BreakPointInstructionAlignment' : [ 0x15, ['unsigned char']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned 
short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_MI_DEBUGGER_STATE' : [ 0x118, { 'TransientWrite' : [ 0x0, ['unsigned char']], 'CodePageEdited' : [ 0x1, ['unsigned char']], 'DebugPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'PoisonedTb' : [ 0x10, ['unsigned long']], 'InDebugger' : [ 0x14, ['long']], 'Pfns' : [ 0x18, ['array', 32, ['pointer64', ['void']]]], } ], '_MI_PROCESS_STATE' : [ 0x60, { 'ColorSeed' : [ 0x0, ['unsigned long']], 'CloneDereferenceEvent' : [ 0x8, ['_KEVENT']], 'CloneProtosSListHead' : [ 0x20, ['_SLIST_HEADER']], 'SystemDllBase' : [ 0x30, ['pointer64', ['void']]], 'RotatingUniprocessorNumber' : [ 0x38, ['long']], 'CriticalSectionTimeout' : [ 0x40, ['_LARGE_INTEGER']], 'ProcessList' : [ 0x48, ['_LIST_ENTRY']], 'SharedUserDataPte' : [ 0x58, ['pointer64', ['_MMPTE']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'HighActiveFlink' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'HighActiveBlink' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 56, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned 
char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'HiberFileType' : [ 0x16, ['unsigned char']], 'AoAcConnectivitySupported' : [ 0x17, ['unsigned char']], 'spare3' : [ 0x18, ['array', 6, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_MI_REBUILD_LARGE_PAGE_COUNTDOWN' : [ 0x2, { 'SecondsLeft' : [ 0x0, ['unsigned char']], 'SecondsAssigned' : [ 0x1, ['unsigned char']], } ], 
'_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['unsigned long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x30, ['pointer64', ['long']]], 'NodeTargetCount' : [ 0x38, ['long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 
40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x460, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'SparePvoid0' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, 
['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], 'pUnused' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, ['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x250, ['unsigned long']], 'TppWorkerpList' : [ 0x254, ['LIST_ENTRY32']], 'WaitOnAddressHashTable' : [ 0x25c, ['array', 128, ['unsigned long']]], } ], '_IO_IRP_EXT_TRACK_OFFSET_HEADER' : [ 0x10, { 'Validation' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'TrackedOffsetCallback' : [ 0x8, ['pointer64', ['void']]], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_MI_SESSION_STATE' : [ 0x88, { 'SystemSession' : [ 0x0, ['_MMSESSION']], 'CodePageEdited' : [ 0x20, ['unsigned char']], 'DynamicVaBitBuffer' : [ 0x28, ['pointer64', ['unsigned long']]], 'DynamicVaBitBufferPages' : [ 0x30, ['unsigned long long']], 'DynamicPoolBitBuffer' : [ 0x38, ['pointer64', ['unsigned long']]], 'DynamicVaStart' : [ 0x40, ['pointer64', ['void']]], 'DynamicPtesBitBuffer' : [ 0x48, ['pointer64', ['unsigned long']]], 'IdLock' : [ 0x50, ['_EX_PUSH_LOCK']], 'DetachTimeStamp' : [ 0x58, ['unsigned long']], 'LeaderProcess' : [ 0x60, ['pointer64', ['_EPROCESS']]], 'InitializeLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'WorkingSetList' : [ 0x70, ['pointer64', ['_MMWSL']]], 'WsHashStart' : [ 0x78, ['pointer64', ['_MMWSLE_HASH']]], 'WsHashEnd' : [ 0x80, ['pointer64', ['_MMWSLE_HASH']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned 
char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_MMSESSION' : [ 0x20, { 'SystemSpaceViewLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'SystemSpaceViewLockPointer' : [ 0x8, ['pointer64', ['_EX_PUSH_LOCK']]], 'ViewRoot' : [ 0x10, ['_RTL_AVL_TREE']], 'ViewCount' : [ 0x18, ['unsigned long']], 'BitmapFailures' : [ 0x1c, ['unsigned long']], } ], '_IOP_IRP_STACK_PROFILER' : [ 0x54, { 'Profile' : [ 0x0, ['array', 20, ['unsigned long']]], 'TotalIrps' : [ 0x50, ['unsigned long']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_OBJECT_NAMESPACE_LOOKUPTABLE' : [ 0x260, { 'HashBuckets' : [ 0x0, ['array', 37, ['_LIST_ENTRY']]], 'Lock' : [ 0x250, ['_EX_PUSH_LOCK']], 'NumberOfPrivateSpaces' : [ 0x258, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_MI_DECAY_TIMER_LINKAGE' : [ 0x8, { 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'NextDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_EVENT_HEADER' 
: [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '__unnamed_23a3' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MI_PARTITION_FLAGS']], } ], '_MI_PARTITION_CORE' : [ 0x158, { 'PartitionId' : [ 0x0, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_23a3']], 'ReferenceCount' : [ 0x8, ['unsigned long long']], 'ParentPartition' : [ 0x10, ['pointer64', ['_MI_PARTITION']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeInformation' : [ 0x28, ['pointer64', ['_MI_NODE_INFORMATION']]], 'MdlPhysicalMemoryBlock' : [ 0x30, ['pointer64', ['_MDL']]], 'MemoryNodeRuns' : [ 0x38, ['pointer64', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'MemoryBlockReferences' : [ 0x40, ['unsigned long long']], 'PfnUnmapWorkItem' : [ 0x48, ['_WORK_QUEUE_ITEM']], 'PfnUnmapActive' : [ 
0x68, ['unsigned char']], 'PfnUnmapCount' : [ 0x70, ['unsigned long long']], 'PfnUnmapWaitList' : [ 0x78, ['pointer64', ['void']]], 'MemoryRuns' : [ 0x80, ['pointer64', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'ExitEvent' : [ 0x88, ['_KEVENT']], 'SystemThreadHandles' : [ 0xa0, ['array', 5, ['pointer64', ['void']]]], 'PartitionObject' : [ 0xc8, ['pointer64', ['void']]], 'PartitionObjectHandle' : [ 0xd0, ['pointer64', ['void']]], 'DynamicMemoryPushLock' : [ 0xd8, ['_EX_PUSH_LOCK']], 'DynamicMemoryLock' : [ 0xe0, ['long']], 'TemporaryMemoryEvent' : [ 0xe8, ['_KEVENT']], 'MemoryEvents' : [ 0x100, ['array', 11, ['pointer64', ['_KEVENT']]]], } ], '_MI_PARTITION_MODWRITES' : [ 0x2d0, { 'AttemptForCantExtend' : [ 0x0, ['_MMPAGE_FILE_EXPANSION']], 'PageFileContract' : [ 0x60, ['_MMPAGE_FILE_EXPANSION']], 'NumberOfMappedMdls' : [ 0xc0, ['unsigned long long']], 'NumberOfMappedMdlsInUse' : [ 0xc8, ['long']], 'NumberOfMappedMdlsInUsePeak' : [ 0xcc, ['unsigned long']], 'MappedFileHeader' : [ 0xd0, ['_MMMOD_WRITER_LISTHEAD']], 'NeedMappedMdl' : [ 0xf8, ['unsigned char']], 'NeedPageFileMdl' : [ 0xf9, ['unsigned char']], 'TransitionInserted' : [ 0xfa, ['unsigned char']], 'LastModifiedWriteError' : [ 0xfc, ['long']], 'LastMappedWriteError' : [ 0x100, ['long']], 'MappedFileWriteSucceeded' : [ 0x104, ['unsigned long']], 'MappedWriteBurstCount' : [ 0x108, ['unsigned long']], 'LowPriorityModWritesOutstanding' : [ 0x10c, ['unsigned long']], 'BoostModWriteIoPriorityEvent' : [ 0x110, ['_KEVENT']], 'ModifiedWriterThreadPriority' : [ 0x128, ['long']], 'ModifiedPagesLowPriorityGoal' : [ 0x130, ['unsigned long long']], 'ModifiedPageWriterEvent' : [ 0x138, ['_KEVENT']], 'ModifiedWriterExitedEvent' : [ 0x150, ['_KEVENT']], 'WriteAllPagefilePages' : [ 0x168, ['long']], 'WriteAllMappedPages' : [ 0x16c, ['long']], 'MappedPageWriterEvent' : [ 0x170, ['_KEVENT']], 'ModWriteData' : [ 0x188, ['_MI_MODWRITE_DATA']], 'RescanPageFilesEvent' : [ 0x1c8, ['_KEVENT']], 'PagingFileHeader' : [ 0x1e0, 
['_MMMOD_WRITER_LISTHEAD']], 'ModifiedPageWriterThread' : [ 0x208, ['pointer64', ['_ETHREAD']]], 'ModifiedPageWriterRundown' : [ 0x210, ['_EX_RUNDOWN_REF']], 'PagefileScanWorkItem' : [ 0x218, ['_WORK_QUEUE_ITEM']], 'PagefileScanCount' : [ 0x238, ['unsigned long']], 'ClusterWritesDisabled' : [ 0x23c, ['array', 2, ['long']]], 'NotifyStoreMemoryConditions' : [ 0x248, ['_KEVENT']], 'DelayMappedWrite' : [ 0x260, ['unsigned char']], 'PagefileReservationsEnabled' : [ 0x264, ['unsigned long']], 'PageFileCreationLock' : [ 0x268, ['_EX_PUSH_LOCK']], 'TrimPagefileWorkItem' : [ 0x270, ['_WORK_QUEUE_ITEM']], 'LastTrimPagefileTime' : [ 0x290, ['unsigned long long']], 'WsSwapPagefileContractWorkItem' : [ 0x298, ['_WORK_QUEUE_ITEM']], 'WsSwapPageFileContractionInProgress' : [ 0x2b8, ['long']], 'WorkingSetSwapLock' : [ 0x2c0, ['_EX_PUSH_LOCK']], 'WorkingSetInswapLock' : [ 0x2c8, ['long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_KPRIQUEUE' : [ 0x2b0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x218, ['array', 32, ['long']]], 'MaximumCount' : [ 0x298, ['unsigned long']], 'ThreadListHead' : [ 0x2a0, ['_LIST_ENTRY']], } ], '__unnamed_23c0' : [ 0x4, { 'ChannelsHotCold' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_MI_NODE_INFORMATION' : [ 0x538, { 'LargePageFreeCount' : [ 0x0, ['array', 2, ['unsigned long long']]], 'LargePages' : [ 0x10, ['array', 2, ['array', 2, ['array', 4, ['_LIST_ENTRY']]]]], 'LargePagesCount' : [ 0x110, ['array', 2, ['array', 2, ['array', 4, ['unsigned long long']]]]], 'StandbyPageList' : [ 0x190, ['array', 4, ['array', 8, ['_MMPFNLIST_SHORT']]]], 'FreeCount' : [ 0x490, ['array', 2, ['unsigned long long']]], 'TotalPages' : [ 0x4a0, ['array', 4, ['unsigned long 
long']]], 'TotalPagesEntireNode' : [ 0x4c0, ['unsigned long long']], 'MmShiftedColor' : [ 0x4c8, ['unsigned long']], 'Color' : [ 0x4cc, ['unsigned long']], 'ChannelFreeCount' : [ 0x4d0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'Flags' : [ 0x510, ['__unnamed_23c0']], 'NodeLock' : [ 0x518, ['_EX_PUSH_LOCK']], 'ChannelStatus' : [ 0x520, ['unsigned char']], 'ChannelOrdering' : [ 0x521, ['array', 4, ['unsigned char']]], 'LockedChannelOrdering' : [ 0x525, ['array', 4, ['unsigned char']]], 'PowerAttribute' : [ 0x529, ['array', 4, ['unsigned char']]], 'LargePageLock' : [ 0x530, ['unsigned long long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_WAITING_IRP' : [ 0x38, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'CompletionRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'Information' : [ 0x30, ['unsigned long']], 'BreakAllRH' : [ 0x34, ['unsigned char']], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_PPM_SELECTION_MENU' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Entries' : [ 0x8, ['pointer64', ['_PPM_SELECTION_MENU_ENTRY']]], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x20, { 'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0x18, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_KSCHEDULING_GROUP' : [ 0x240, { 'Policy' : [ 0x0, ['_KSCHEDULING_GROUP_POLICY']], 'RelativeWeight' : [ 0x8, ['unsigned long']], 'ChildMinRate' : [ 0xc, ['unsigned long']], 'ChildMinWeight' : [ 0x10, 
['unsigned long']], 'ChildTotalWeight' : [ 0x14, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x18, ['unsigned long long']], 'NotificationCycles' : [ 0x20, ['long long']], 'SchedulingGroupList' : [ 0x28, ['_LIST_ENTRY']], 'Sibling' : [ 0x28, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x38, ['pointer64', ['_KDPC']]], 'ChildList' : [ 0x40, ['_LIST_ENTRY']], 'Parent' : [ 0x50, ['pointer64', ['_KSCHEDULING_GROUP']]], 'PerProcessor' : [ 0x80, ['array', 1, ['_KSCB']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x20, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 15, native_type='unsigned long long')]], 'ExecutePrivilege' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 
7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_MMWORKING_SET_EXPANSION_HEAD' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x30, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'Irp' : [ 0x18, ['pointer64', ['_IRP']]], 'Device' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'Static' : [ 0x28, ['unsigned char']], } ], '_POP_POLICY_DEVICE' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], } ], '__unnamed_23f3' : [ 0x8, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], 'RemoteImageFileObject' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RemoteDataFileObject' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], } ], '_SECTION' : [ 0x40, { 'SectionNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u1' : [ 0x28, ['__unnamed_23f3']], 'SizeOfSection' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, 
['__unnamed_16ec']], 'InitialPageProtection' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'SessionId' : [ 0x3c, ['BitField', dict(start_bit = 12, end_bit = 31, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x3c, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MI_SECTION_STATE' : [ 0x280, { 'SectionObjectPointersLock' : [ 0x0, ['long']], 'SectionExtendLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'SectionExtendSetLock' : [ 0x10, ['_EX_PUSH_LOCK']], 'SectionBasedRoot' : [ 0x18, ['_RTL_AVL_TREE']], 'SectionBasedLock' : [ 0x20, ['_EX_PUSH_LOCK']], 'UnusedSubsectionPagedPool' : [ 0x28, ['unsigned long long']], 'UnusedSegmentForceFree' : [ 0x30, ['unsigned long']], 'DataSectionProtectionMask' : [ 0x34, ['unsigned long']], 'HighSectionBase' : [ 0x38, ['pointer64', ['void']]], 'PhysicalSubsection' : [ 0x40, ['_MSUBSECTION']], 'PhysicalControlArea' : [ 0xb0, ['_CONTROL_AREA']], 'DanglingExtentsPages' : [ 0x128, ['pointer64', ['_MMPFN']]], 'DanglingExtentsLock' : [ 0x130, ['long']], 'DanglingExtentsWorkItem' : [ 0x138, ['_WORK_QUEUE_ITEM']], 'DanglingExtentsWorkerActive' : [ 0x158, ['unsigned char']], 'PageFileSectionHead' : [ 0x160, ['_RTL_AVL_TREE']], 'PageFileSectionListSpinLock' : [ 0x168, ['long']], 'SharedSegmentCharges' : [ 0x170, ['_MI_CROSS_PARTITION_CHARGES']], 'SharedPageCombineCharges' : [ 0x198, ['_MI_CROSS_PARTITION_CHARGES']], 'ImageBias' : [ 0x1c0, ['unsigned long']], 'RelocateBitmapsLock' : [ 0x1c8, ['_EX_PUSH_LOCK']], 'ImageBitMap' : [ 0x1d0, ['_RTL_BITMAP']], 'ImageBias64Low' : [ 0x1e0, ['unsigned long']], 'ImageBias64High' : [ 0x1e4, ['unsigned long']], 'ImageBitMap64Low' : [ 0x1e8, ['_RTL_BITMAP']], 'ImageBitMap64High' : [ 0x1f8, ['_RTL_BITMAP']], 'ImageBitMapWow64Dll' : [ 0x208, ['_RTL_BITMAP']], 'ApiSetSection' : [ 0x218, ['pointer64', ['void']]], 'ApiSetSchema' : [ 0x220, ['pointer64', ['void']]], 'ApiSetSchemaSize' : [ 0x228, ['unsigned long long']], 'LostDataFiles' : 
[ 0x230, ['unsigned long']], 'LostDataPages' : [ 0x234, ['unsigned long']], 'ImageFailureReason' : [ 0x238, ['unsigned long']], 'CfgBitMapSection32' : [ 0x240, ['pointer64', ['_SECTION']]], 'CfgBitMapControlArea32' : [ 0x248, ['pointer64', ['_CONTROL_AREA']]], 'CfgBitMapSection64' : [ 0x250, ['pointer64', ['_SECTION']]], 'CfgBitMapControlArea64' : [ 0x258, ['pointer64', ['_CONTROL_AREA']]], 'ImageCfgFailure' : [ 0x260, ['unsigned long']], 'ImageValidationFailed' : [ 0x264, ['long']], } ], '_MI_PARTITION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PageListsInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StoreReservedPagesCharged' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], } ], '__unnamed_2400' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_2402' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2404' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2406' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_2404']], 'Translated' : [ 0x0, ['__unnamed_2402']], } ], '__unnamed_2408' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_240a' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned 
char']], } ], '__unnamed_240c' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_240e' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_2410' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_2412' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_2414' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_2416' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_2400']], 'Port' : [ 0x0, ['__unnamed_2400']], 'Interrupt' : [ 0x0, ['__unnamed_2402']], 'MessageInterrupt' : [ 0x0, ['__unnamed_2406']], 'Memory' : [ 0x0, ['__unnamed_2400']], 'Dma' : [ 0x0, ['__unnamed_2408']], 'DmaV3' : [ 0x0, ['__unnamed_240a']], 'DevicePrivate' : [ 0x0, ['__unnamed_2219']], 'BusNumber' : [ 0x0, ['__unnamed_240c']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_240e']], 'Memory40' : [ 0x0, ['__unnamed_2410']], 'Memory48' : [ 0x0, ['__unnamed_2412']], 'Memory64' : [ 0x0, ['__unnamed_2414']], 'Connection' : [ 0x0, ['__unnamed_2225']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_2416']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_241e' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_241e']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned 
long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE_ENTRY' : [ 0x18, { 'FunctionTable' : [ 0x0, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'DynamicTable' : [ 0x0, ['pointer64', ['_DYNAMIC_FUNCTION_TABLE']]], 'ImageBase' : [ 0x8, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'SizeOfTable' : [ 0x14, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'PagedPoolAllocationMap' : [ 0x8, ['_RTL_BITMAP_EX']], 'FirstPteForPagedPool' : [ 0x18, ['pointer64', ['_MMPTE']]], 'MaximumSize' : [ 0x20, ['unsigned long long']], 'PagedPoolHint' : [ 0x28, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x30, ['unsigned long long']], } ], '__unnamed_2430' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_2430']], } ], '_PPM_COORDINATED_SELECTION' : [ 0x18, { 'MaximumStates' : [ 0x0, ['unsigned long']], 'SelectedStates' : [ 0x4, ['unsigned long']], 'DefaultSelection' : [ 0x8, ['unsigned long']], 'Selection' : [ 0x10, ['pointer64', ['unsigned long']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_MI_PAGE_COMBINING_SUPPORT' : [ 0x188, { 'Partition' : [ 0x0, ['pointer64', ['_MI_PARTITION']]], 'ArbitraryPfnMapList' : [ 0x8, ['_LIST_ENTRY']], 'FreeCombinePoolItem' : [ 0x18, ['_MI_COMBINE_WORKITEM']], 'CombiningThreadCount' : [ 0x40, ['unsigned long']], 'CombinePageFreeList' : [ 0x48, ['_LIST_ENTRY']], 'CombineFreeListLock' : [ 0x58, ['unsigned long long']], 'CombinePageListHeads' : [ 0x60, 
['array', 16, ['_MI_COMBINE_PAGE_LISTHEAD']]], 'PageCombineStats' : [ 0x160, ['_MI_PAGE_COMBINE_STATISTICS']], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_DEVICE' : [ 0x278, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x18, ['pointer64', ['_POP_IRP_DATA']]], 'Status' : [ 0x20, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x24, ['long']], 'PowerNotReqCall' : [ 0x28, ['long']], 'DevNode' : [ 0x30, ['pointer64', ['_DEVICE_NODE']]], 'DpmContext' : [ 0x38, ['pointer64', ['PEPHANDLE__']]], 'Plugin' : [ 0x40, ['pointer64', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x48, ['pointer64', ['PEPHANDLE__']]], 'AcpiPlugin' : [ 0x50, ['pointer64', ['_POP_FX_PLUGIN']]], 'AcpiPluginHandle' : [ 0x58, ['pointer64', ['PEPHANDLE__']]], 'DeviceObject' : [ 0x60, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x68, ['pointer64', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x70, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0xa8, ['pointer64', ['void']]], 'AcpiLink' : [ 0xb0, ['_LIST_ENTRY']], 'DeviceId' : [ 0xc0, ['_UNICODE_STRING']], 'RemoveLock' : [ 0xd0, ['_IO_REMOVE_LOCK']], 'AcpiRemoveLock' : [ 0xf0, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0x110, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0x148, ['unsigned long long']], 'IdleTimer' : [ 0x150, ['_KTIMER']], 'IdleDpc' : [ 0x190, ['_KDPC']], 'IdleTimeout' : [ 0x1d0, ['unsigned long long']], 'IdleStamp' : [ 0x1d8, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0x1e0, ['array', 2, ['pointer64', ['_DEVICE_OBJECT']]]], 'NextIrpPowerState' : [ 0x1f0, ['array', 2, ['_POWER_STATE']]], 'NextIrpCallerCompletion' : [ 0x1f8, ['array', 2, ['pointer64', ['void']]]], 'NextIrpCallerContext' : [ 0x208, ['array', 2, ['pointer64', ['void']]]], 'IrpCompleteEvent' : [ 0x218, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x230, ['pointer64', ['void']]], 'Accounting' : [ 0x238, ['_POP_FX_ACCOUNTING']], 'Flags' : [ 
0x268, ['unsigned long']], 'ComponentCount' : [ 0x26c, ['unsigned long']], 'Components' : [ 0x270, ['pointer64', ['pointer64', ['_POP_FX_COMPONENT']]]], } ], '_PEP_ACPI_RESOURCE_FLAGS' : [ 0x4, { 'AsULong' : [ 0x0, ['unsigned long']], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Wake' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ResourceUsage' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SlaveMode' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'AddressingMode' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SharedMode' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2458' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_245a' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_2458']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x60, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 
'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CoolingExtension' : [ 0x40, ['pointer64', ['_POP_COOLING_EXTENSION']]], 'Volume' : [ 0x48, ['_LIST_ENTRY']], 'Specific' : [ 0x58, ['__unnamed_245a']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_MI_COMBINE_STATE' : [ 0x1a0, { 'ActiveSpinLock' : [ 0x0, ['long']], 'CombiningThreadCount' : [ 0x4, ['unsigned long']], 'ActiveThreadTree' : [ 0x8, ['_RTL_AVL_TREE']], 'ZeroPageHashValue' : [ 0x10, ['unsigned long long']], 'CrossPartition' : [ 0x18, ['_MI_PAGE_COMBINING_SUPPORT']], } ], '_MMDEREFERENCE_SEGMENT_HEADER' : [ 0x30, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'ListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x38, { 'BadPageCount' : [ 0x0, ['unsigned long long']], 'BadPagesDetected' : [ 0x8, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0xc, ['long']], 'ScrubPasses' : [ 0x10, ['long']], 'ScrubBadPagesFound' : [ 0x14, ['long']], 'PageHashErrors' : [ 0x18, ['unsigned long']], 'FeatureBits' : [ 0x20, ['unsigned long long']], 'TimeZoneId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['_MI_FLAGS']], 'VsmConnection' : [ 0x30, ['pointer64', ['void']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : 
[ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, 
['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_DELAY_ACK_FO' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 
'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_MI_CROSS_PARTITION_CHARGES' : [ 0x28, { 'CurrentCharges' : [ 0x0, ['unsigned long long']], 'ChargeFailures' : [ 0x8, ['unsigned long long']], 'ChargePeak' : [ 0x10, ['unsigned long long']], 'ChargeMinimum' : [ 0x18, ['unsigned long long']], 'ChargeMaximum' : [ 0x20, ['unsigned long long']], } ], '_MI_BAD_MEMORY_EVENT_ENTRY' : [ 0x38, { 'BugCheckCode' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['long']], 'Data' : [ 0x8, ['unsigned long']], 'PhysicalAddress' : [ 0x10, ['_LARGE_INTEGER']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 
'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_MI_SYSTEM_TRIM_STATE' : [ 0x40, { 'ExpansionLock' : [ 0x0, ['unsigned long long']], 'TrimInProgressCount' : [ 0x8, ['long']], 'PeriodicWorkingSetEvent' : [ 0x10, ['_KEVENT']], 'TrimAllPageFaultCount' : [ 0x28, ['array', 3, ['unsigned long']]], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_MI_ZERO_COST_COUNTS' : [ 0x10, { 'NativeSum' : [ 0x0, ['unsigned long long']], 'CachedSum' : [ 0x8, ['unsigned long long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 
'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MI_RESAVAIL_TRACKER' : [ 0x380, { 'AllocateKernelStack' : [ 0x0, ['unsigned long long']], 'AllocateGrowKernelStack' : [ 0x8, ['unsigned long long']], 'FreeKernelStack' : [ 0x10, ['unsigned long long']], 'FreeKernelStackError' : [ 0x18, ['unsigned long long']], 'FreeGrowKernelStackError' : [ 0x20, ['unsigned long long']], 'AllocateCreateProcess' : [ 0x28, ['unsigned long long']], 'FreeCreateProcessError' : [ 0x30, ['unsigned long long']], 'FreeDeleteProcess' : [ 0x38, ['unsigned long long']], 'FreeCleanProcess' : [ 0x40, ['unsigned long long']], 'FreeCleanProcessError' : [ 0x48, ['unsigned long long']], 'AllocateAddProcessWsMetaPage' : [ 0x50, ['unsigned long long']], 'AllocateWsIncrease' : [ 0x58, ['unsigned long long']], 'FreeWsIncreaseError' : [ 0x60, ['unsigned long long']], 'FreeWsIncreaseErrorMax' : [ 0x68, ['unsigned long long']], 'FreeWsDecrease' : [ 0x70, ['unsigned long long']], 'AllocateWorkingSetPage' : [ 0x78, ['unsigned long long']], 'FreeWorkingSetPageError' : [ 0x80, ['unsigned long long']], 'FreeDeletePteRange' : [ 0x88, ['unsigned long long']], 'AllocatePageTablesForProcessMetadata' : [ 0x90, ['unsigned long long']], 'FreePageTablesForProcessMetadataError2' : [ 0x98, ['unsigned long long']], 'AllocatePageTablesForSystem' : [ 0xa0, ['unsigned long long']], 'FreePageTablesExcess' : [ 0xa8, ['unsigned long long']], 'FreeSystemVaPageTables' : [ 0xb0, ['unsigned long long']], 'FreeSessionVaPageTables' : [ 0xb8, ['unsigned long long']], 'AllocateCreateSession' : [ 0xc0, ['unsigned long long']], 'FreeSessionWsDereference' : [ 0xc8, ['unsigned long long']], 'FreeSessionDereference' : [ 
0xd0, ['unsigned long long']], 'AllocateLockedSessionImage' : [ 0xd8, ['unsigned long long']], 'FreeLockedSessionImage' : [ 0xe0, ['unsigned long long']], 'FreeSessionImageConversion' : [ 0xe8, ['unsigned long long']], 'AllocateWsAdjustPageTable' : [ 0xf0, ['unsigned long long']], 'FreeWsAdjustPageTable' : [ 0xf8, ['unsigned long long']], 'FreeWsAdjustPageTableError' : [ 0x100, ['unsigned long long']], 'AllocateNoLowMemory' : [ 0x108, ['unsigned long long']], 'AllocatePagedPoolLockedDown' : [ 0x110, ['unsigned long long']], 'FreePagedPoolLockedDown' : [ 0x118, ['unsigned long long']], 'AllocateSystemBitmaps' : [ 0x120, ['unsigned long long']], 'FreeSystemBitmapsError' : [ 0x128, ['unsigned long long']], 'AllocateForMdl' : [ 0x130, ['unsigned long long']], 'FreeFromMdl' : [ 0x138, ['unsigned long long']], 'AllocateForMdlPartition' : [ 0x140, ['unsigned long long']], 'FreeFromMdlPartition' : [ 0x148, ['unsigned long long']], 'FreeMdlExcess' : [ 0x150, ['unsigned long long']], 'AllocateExpansionNonPagedPool' : [ 0x158, ['unsigned long long']], 'FreeExpansionNonPagedPool' : [ 0x160, ['unsigned long long']], 'AllocateVad' : [ 0x168, ['unsigned long long']], 'RemoveVad' : [ 0x170, ['unsigned long long']], 'FreeVad' : [ 0x178, ['unsigned long long']], 'AllocateContiguous' : [ 0x180, ['unsigned long long']], 'FreeContiguousPages' : [ 0x188, ['unsigned long long']], 'FreeContiguousError' : [ 0x190, ['unsigned long long']], 'FreeLargePageMemory' : [ 0x198, ['unsigned long long']], 'AllocateSystemWsles' : [ 0x1a0, ['unsigned long long']], 'FreeSystemWsles' : [ 0x1a8, ['unsigned long long']], 'AllocateSystemInitWs' : [ 0x1b0, ['unsigned long long']], 'AllocateSessionInitWs' : [ 0x1b8, ['unsigned long long']], 'FreeSessionInitWsError' : [ 0x1c0, ['unsigned long long']], 'AllocateSystemImage' : [ 0x1c8, ['unsigned long long']], 'AllocateSystemImageLoad' : [ 0x1d0, ['unsigned long long']], 'AllocateSessionSharedImage' : [ 0x1d8, ['unsigned long long']], 'FreeSystemImageInitCode' 
: [ 0x1e0, ['unsigned long long']], 'FreeSystemImageLargePageConversion' : [ 0x1e8, ['unsigned long long']], 'FreeSystemImageError' : [ 0x1f0, ['unsigned long long']], 'FreeSystemImageLoadExcess' : [ 0x1f8, ['unsigned long long']], 'FreeUnloadSystemImage' : [ 0x200, ['unsigned long long']], 'FreeReloadBootImageLarge' : [ 0x208, ['unsigned long long']], 'FreeIndependent' : [ 0x210, ['unsigned long long']], 'AllocateHotRemove' : [ 0x218, ['unsigned long long']], 'FreeHotAdd' : [ 0x220, ['unsigned long long']], 'AllocateBoot' : [ 0x228, ['unsigned long long']], 'FreeLoaderBlock' : [ 0x230, ['unsigned long long']], 'AllocateNonPagedSpecialPool' : [ 0x238, ['unsigned long long']], 'FreeNonPagedSpecialPoolError' : [ 0x240, ['unsigned long long']], 'FreeNonPagedSpecialPool' : [ 0x248, ['unsigned long long']], 'AllocateSharedSegmentPage' : [ 0x250, ['unsigned long long']], 'FreeSharedSegmentPage' : [ 0x258, ['unsigned long long']], 'AllocateZeroPage' : [ 0x260, ['unsigned long long']], 'FreeZeroPage' : [ 0x268, ['unsigned long long']], 'AllocateForPo' : [ 0x270, ['unsigned long long']], 'AllocateForPoForce' : [ 0x278, ['unsigned long long']], 'FreeForPo' : [ 0x280, ['unsigned long long']], 'AllocateThreadHardFaultBehavior' : [ 0x288, ['unsigned long long']], 'FreeThreadHardFaultBehavior' : [ 0x290, ['unsigned long long']], 'ObtainFaultCharges' : [ 0x298, ['unsigned long long']], 'FreeFaultCharges' : [ 0x2a0, ['unsigned long long']], 'AllocateStoreCharges' : [ 0x2a8, ['unsigned long long']], 'FreeStoreCharges' : [ 0x2b0, ['unsigned long long']], 'ObtainLockedPageCharge' : [ 0x2c0, ['unsigned long long']], 'FreeLockedPageCharge' : [ 0x300, ['unsigned long long']], 'AllocateStore' : [ 0x308, ['unsigned long long']], 'FreeStore' : [ 0x310, ['unsigned long long']], 'AllocateSystemImageProtos' : [ 0x318, ['unsigned long long']], 'FreeSystemImageProtos' : [ 0x320, ['unsigned long long']], 'AllocateModWriterCharge' : [ 0x328, ['unsigned long long']], 'FreeModWriterCharge' : [ 
0x330, ['unsigned long long']], 'AllocateMappedWriterCharge' : [ 0x338, ['unsigned long long']], 'FreeMappedWriterCharge' : [ 0x340, ['unsigned long long']], 'AllocateRegistryCharges' : [ 0x348, ['unsigned long long']], 'FreeRegistryCharges' : [ 0x350, ['unsigned long long']], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'CompactionMask' : [ 0x8, ['unsigned long long']], 'Reserved2' : [ 0x10, ['array', 6, ['unsigned long long']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 
'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x38, ['long']], } ], '_MI_COMBINE_PAGE_LISTHEAD' : [ 0x10, { 'Table' : [ 0x0, ['_RTL_AVL_TREE']], 'Lock' : [ 0x8, ['long']], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '__unnamed_24ce' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_24d0' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_24d2' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_24d4' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_24ce']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_24d0']], 'Raw' : [ 0x0, ['__unnamed_24d2']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'Operation' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0xc, ['__unnamed_24d4']], 'Stack' : [ 0x18, ['array', 6, 
['pointer64', ['void']]]], } ], '_MI_SYSTEM_NODE_INFORMATION' : [ 0x1a0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'NonPagedPoolSListHeadNx' : [ 0x40, ['array', 3, ['_SLIST_HEADER']]], 'CachedKernelStacks' : [ 0x70, ['array', 2, ['_CACHED_KSTACK_LIST']]], 'NonPagedBitMapMaximum' : [ 0xb0, ['unsigned long long']], 'DynamicBitMapNonPagedPool' : [ 0xb8, ['_MI_DYNAMIC_BITMAP']], 'NonPagedPoolLowestPage' : [ 0x108, ['unsigned long long']], 'NonPagedPoolHighestPage' : [ 0x110, ['unsigned long long']], 'AllocatedNonPagedPool' : [ 0x118, ['unsigned long long']], 'PartialLargePoolRegions' : [ 0x120, ['unsigned long long']], 'PagesInPartialLargePoolRegions' : [ 0x128, ['unsigned long long']], 'CachedNonPagedPoolCount' : [ 0x130, ['unsigned long long']], 'NonPagedPoolSpinLock' : [ 0x138, ['unsigned long long']], 'CachedNonPagedPool' : [ 0x140, ['pointer64', ['_MMPFN']]], 'NonPagedPoolFirstVa' : [ 0x148, ['pointer64', ['void']]], 'NonPagedPoolLastVa' : [ 0x150, ['pointer64', ['void']]], 'NonPagedBitMap' : [ 0x158, ['array', 3, ['_RTL_BITMAP_EX']]], 'NonPagedHint' : [ 0x188, ['array', 2, ['unsigned long long']]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x10, { 'CrossThreadReleasable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 63, native_type='unsigned long long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'LockState' : [ 0x0, ['pointer64', ['void']]], 'SessionState' : [ 0x8, ['pointer64', ['void']]], 'SessionId' : [ 0x8, ['unsigned long']], 'SessionPad' : [ 0xc, ['unsigned long']], } ], '__unnamed_24e4' : [ 0x4, { 'FlushCompleting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'FlushInProgress' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 32, native_type='long')]], 'Long' : [ 0x0, ['long']], } ], '_MI_PARTITION_STORES' : [ 0x80, { 'WriteAllStoreHintedPages' : [ 0x0, ['__unnamed_24e4']], 'VirtualPageFileNumber' : [ 0x4, ['unsigned long']], 'Registered' : [ 0x8, ['unsigned long']], 'ReadClusterSizeMax' : [ 0xc, ['unsigned long']], 'EvictFlushRequestCount' : [ 0x10, ['unsigned long']], 'ModifiedWriteDisableCount' : [ 0x14, ['unsigned long']], 'WriteIssueFailures' : [ 0x18, ['unsigned long']], 'EvictionThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'EvictEvent' : [ 0x28, ['_KEVENT']], 'EvictFlushCompleteEvent' : [ 0x40, ['_KEVENT']], 'WriteSupportSListHead' : [ 0x60, ['_SLIST_HEADER']], 'EvictFlushLock' : [ 0x70, ['long']], 'ModifiedWriteFailedBitmap' : [ 0x78, ['pointer64', ['_RTL_BITMAP']]], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x10, ['unsigned long']], 'SyncCallback' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x14, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 
0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, 
['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_MI_SUB64K_FREE_RANGES' : [ 0x30, { 'BitMap' : [ 0x0, ['_RTL_BITMAP_EX']], 'ListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Vad' : [ 0x20, ['pointer64', ['_MMVAD_SHORT']]], 'SubListIndex' : [ 0x28, ['unsigned short']], 'Hint' : [ 0x2a, ['unsigned short']], 'SetBits' : [ 0x2c, ['unsigned long']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 
'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0x10, ['pointer64', ['_HANDLE_TABLE']]], 'Flags' : [ 0x18, ['unsigned long']], 'NumberOfBuckets' : [ 0x1c, ['unsigned long']], 'Buckets' : [ 0x20, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '__unnamed_2522' : [ 0x18, { 'RequestedTime' : [ 0x0, ['unsigned long long']], 'ProgrammedTime' : [ 0x8, ['unsigned long long']], 'TimerInfo' : [ 0x10, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0x110, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 
'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 
0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'WakeFirstUnattendedTime' : [ 0x58, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x68, ['array', 3, ['__unnamed_2522']]], 'WakeAlarmPaused' : [ 0xb0, ['unsigned char']], 'WakeAlarmLastTime' : [ 0xb8, ['unsigned long long']], 'FilteredCapabilities' : [ 0xc0, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 
'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'InProgressFlags' : [ 0x28, ['unsigned char']], 'KernelApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x50, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', 
dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3e0, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa0, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 
'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 
'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 
0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'ModifiedStoreWrite' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer64', ['_MMPTE']]], } ], '_PPM_SELECTION_MENU_ENTRY' : [ 0x18, { 'StrictDependency' : [ 0x0, ['unsigned char']], 'InitiatingState' : [ 0x1, ['unsigned char']], 'DependentState' : [ 0x2, ['unsigned char']], 'StateIndex' : [ 0x4, ['unsigned long']], 'Dependencies' : [ 0x8, ['unsigned long']], 'DependencyList' : [ 0x10, ['pointer64', ['_PPM_SELECTION_DEPENDENCY']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x28, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x8, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0x18, ['_RTL_BITMAP']], 'EvictedBitmap' : [ 0x18, ['_RTL_BITMAP']], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_MI_COMBINE_WORKITEM' : [ 0x28, { 'NextEntry' : [ 0x0, ['pointer64', ['void']]], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x410, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 
'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], 'PackageDependencyData' : [ 0x400, ['pointer64', ['void']]], 'ProcessGroupId' : [ 0x408, ['unsigned long']], 'LoaderThreads' : [ 0x40c, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, 
native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_LOCK_HEADER' : [ 0x20, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x8, ['unsigned long long']], 'Lock' : [ 0x10, ['unsigned long long']], 'Valid' : [ 0x18, ['unsigned long']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_MMSECTION_FLAGS2' : [ 0x4, { 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'NumberOfChildViews' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_KSPECIAL_REGISTERS' : [ 0xe0, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, 
['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], 'Xcr0' : [ 0xd8, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_PEB64' : [ 0x7a0, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 
'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 
0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'SparePvoid0' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 
0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pUnused' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x388, ['unsigned long long']], 'TppWorkerpList' : [ 0x390, ['LIST_ENTRY64']], 'WaitOnAddressHashTable' : [ 0x3a0, ['array', 128, ['unsigned long long']]], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_MSUBSECTION' : [ 0x70, { 'Core' : [ 0x0, ['_SUBSECTION']], 'SubsectionNode' : [ 0x38, ['_RTL_BALANCED_NODE']], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x68, ['unsigned long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_25ee' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1f40, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_25ee']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long long']], 'NonPagablePages' : [ 0x28, ['unsigned long long']], 'CommittedPages' : [ 0x30, ['unsigned long long']], 'PagedPoolStart' : [ 0x38, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x40, ['pointer64', ['void']]], 'SessionObject' : [ 0x48, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x50, ['pointer64', ['void']]], 'SessionPoolAllocationFailures' : [ 0x58, ['array', 4, ['unsigned long']]], 'ImageTree' 
: [ 0x68, ['_RTL_AVL_TREE']], 'LocaleId' : [ 0x70, ['unsigned long']], 'AttachCount' : [ 0x74, ['unsigned long']], 'AttachGate' : [ 0x78, ['_KGATE']], 'WsListEntry' : [ 0x90, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb60, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xb98, ['_MMSUPPORT']], 'Wsle' : [ 0xc90, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc98, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xcc0, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e00, ['_MMPTE']], 'SessionVaLock' : [ 0x1e08, ['_EX_PUSH_LOCK']], 'DynamicVaBitMap' : [ 0x1e10, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1e20, ['unsigned long']], 'SpecialPool' : [ 0x1e28, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1e78, ['_EX_PUSH_LOCK']], 'PoolBigEntriesInUse' : [ 0x1e80, ['long']], 'PagedPoolPdeCount' : [ 0x1e84, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1e88, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1e8c, ['unsigned long']], 'SystemPteInfo' : [ 0x1e90, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1ef0, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1ef8, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1f00, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1f08, ['unsigned long long']], 'IoState' : [ 0x1f10, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1f14, ['unsigned long']], 'IoNotificationEvent' : [ 0x1f18, ['_KEVENT']], 'ServerSilo' : [ 0x1f30, ['pointer64', ['_EJOB']]], 'CreateTime' : [ 0x1f38, ['unsigned long long']], } ], '_MMPAGE_FILE_EXPANSION' : [ 0x60, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, 
['_LIST_ENTRY']], 'Partition' : [ 0x18, ['pointer64', ['_MI_PARTITION']]], 'RequestedExpansionSize' : [ 0x20, ['unsigned long long']], 'ActualExpansion' : [ 0x28, ['unsigned long long']], 'Event' : [ 0x30, ['_KEVENT']], 'InProgress' : [ 0x48, ['long']], 'u' : [ 0x4c, ['_MMPAGE_FILE_EXPANSION_FLAGS']], 'ActiveEntry' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'AttemptForCantExtend' : [ 0x58, ['unsigned char']], 'PageFileContract' : [ 0x59, ['unsigned char']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '__unnamed_25ff' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_2603' : [ 0x8, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x88, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x40, ['__unnamed_25ff']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u4' : [ 0x78, ['__unnamed_2603']], 'FileObject' : [ 0x80, ['pointer64', ['_FILE_OBJECT']]], } ], '_SEP_SID_VALUES_BLOCK' : [ 0x20, { 'BlockLength' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x8, ['long long']], 'SidCount' : [ 0x10, ['unsigned long']], 'SidValuesStart' : [ 0x18, ['unsigned long long']], } ], '_MI_PARTITION_STATE' : [ 0x60, { 'PartitionLock' : [ 0x0, ['unsigned long long']], 'PartitionIdLock' : [ 0x8, ['_EX_PUSH_LOCK']], 
'InitialPartitionIdBits' : [ 0x10, ['unsigned long long']], 'PartitionList' : [ 0x18, ['_LIST_ENTRY']], 'PartitionIdBitmap' : [ 0x28, ['pointer64', ['_RTL_BITMAP']]], 'InitialPartitionIdBitmap' : [ 0x30, ['_RTL_BITMAP']], 'TempPartitionPointers' : [ 0x40, ['array', 1, ['pointer64', ['_MI_PARTITION']]]], 'Partition' : [ 0x48, ['pointer64', ['pointer64', ['_MI_PARTITION']]]], 'TotalPagesInChildPartitions' : [ 0x50, ['unsigned long long']], 'CrossPartitionDenials' : [ 0x58, ['unsigned long']], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Gate' : [ 0x10, ['_KGATE']], 'Event' : [ 0x10, ['_KEVENT']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_NONOPAQUE_OPLOCK' : [ 0xa0, { 'IrpExclusiveOplock' : [ 0x0, ['pointer64', ['_IRP']]], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'WaiterPriority' : [ 0x20, ['unsigned char']], 'IrpOplocksR' : [ 0x28, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x38, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x48, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x58, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x68, ['_LIST_ENTRY']], 
'AtomicQueue' : [ 0x78, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x88, ['pointer64', ['_GUID']]], 'OplockState' : [ 0x90, ['unsigned long']], 'FastMutex' : [ 0x98, ['pointer64', ['_FAST_MUTEX']]], } ], '_MI_LARGEPAGE_MEMORY_INFO' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ColoredPageInfoBase' : [ 0x10, ['pointer64', ['_COLORED_PAGE_INFO']]], 'PagesNeedZeroing' : [ 0x18, ['unsigned long']], 'LargeImageBias' : [ 0x1c, ['unsigned char']], 'Spare' : [ 0x1d, ['array', 3, ['unsigned char']]], 'ActualImageViewSize' : [ 0x20, ['unsigned long long']], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PROCESS_ENERGY_VALUES' : [ 0x90, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'DiskEnergy' : [ 0x40, ['unsigned long long']], 'NetworkTailEnergy' : [ 0x48, ['unsigned long long']], 'MBBTailEnergy' : [ 0x50, ['unsigned long long']], 'NetworkTxRxBytes' : [ 0x58, ['unsigned long long']], 'MBBTxRxBytes' : [ 0x60, ['unsigned long long']], 'Foreground' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'WindowInformation' : [ 0x68, ['unsigned long']], 'PixelArea' : [ 0x6c, ['unsigned long']], 'PixelReportTimestamp' : [ 0x70, ['long long']], 'PixelTime' : [ 0x78, ['unsigned long long']], 'ForegroundReportTimestamp' : [ 0x80, ['long long']], 'ForegroundTime' : [ 0x88, ['unsigned long long']], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, 
['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_MI_COMMON_PAGE_STATE' : [ 0x98, { 'PageOfOnesPfn' : [ 0x0, ['pointer64', ['_MMPFN']]], 'PageOfOnes' : [ 0x8, ['unsigned long long']], 'DummyPagePfn' : [ 0x10, ['pointer64', ['_MMPFN']]], 'DummyPage' : [ 0x18, ['unsigned long long']], 'PageOfZeroes' : [ 0x20, ['unsigned long long']], 'ZeroMapping' : [ 0x28, ['pointer64', ['void']]], 'OnesMapping' : [ 0x30, ['pointer64', ['void']]], 'BitmapGapFrames' : [ 0x38, ['array', 4, ['unsigned long long']]], 'PfnGapFrames' : [ 0x58, ['array', 4, ['unsigned long long']]], 'PageTableOfZeroes' : [ 0x78, ['unsigned long long']], 'PdeOfZeroes' : [ 0x80, ['_MMPTE']], 'PageTableOfOnes' : [ 0x88, ['unsigned long long']], 'PdeOfOnes' : [ 0x90, ['_MMPTE']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 
'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_MMPFNLIST_SHORT' : [ 0x18, { 'Total' : [ 0x0, ['unsigned long long']], 'Flink' : [ 0x8, ['unsigned long long']], 'Blink' : [ 0x10, ['unsigned long long']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : 
[ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'SystemVaAllocated' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PreferredFsCompressionBoundary' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'UsingFileExtents' : [ 0x0, 
['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MI_VAD_ALLOCATION_CELL' : [ 0x28, { 'AllocationBitMap' : [ 0x0, ['_RTL_BITMAP']], 'BitMapHint' : [ 0x10, ['unsigned long']], 'LastAllocationSize' : [ 0x14, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x18, ['unsigned long']], 'LowestBottomUpVadBit' : [ 0x1c, ['unsigned long']], 'LowestBottomUpAllocationAddress' : [ 0x20, ['pointer64', ['void']]], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x28, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x10, ['pointer64', ['void']]], 'SessionViewVa' : [ 0x10, ['pointer64', ['void']]], 'VadsProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Type' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SubsectionType' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SectionOffset' : [ 0x20, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '__unnamed_2647' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x78, { 'Status' : [ 0x0, ['long']], 'PartitionId' : [ 0x4, ['unsigned short']], 'Priority' : [ 0x6, ['unsigned char']], 
'IrpPriority' : [ 0x7, ['unsigned char']], 'ReservationWrite' : [ 0x8, ['unsigned char']], 'CurrentTime' : [ 0x10, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x18, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x20, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x28, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x30, ['unsigned long long']], 'ModifiedPagefileNoReservationPages' : [ 0x38, ['unsigned long long']], 'MdlHack' : [ 0x40, ['__unnamed_2647']], } ], '_PROC_PERF_DOMAIN' : [ 0x190, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0xc0, ['unsigned long']], 'Class' : [ 0xc4, ['unsigned char']], 'Spare' : [ 0xc5, ['array', 3, ['unsigned char']]], 'Processors' : [ 0xc8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0xd0, ['pointer64', ['void']]], 'TimeWindowHandler' : [ 0xd8, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0xe0, ['pointer64', ['void']]], 'BoostModeHandler' : [ 0xe8, ['pointer64', ['void']]], 'EnergyPerfPreferenceHandler' : [ 0xf0, ['pointer64', ['void']]], 'AutonomousActivityWindowHandler' : [ 0xf8, ['pointer64', ['void']]], 'AutonomousModeHandler' : [ 0x100, ['pointer64', ['void']]], 'ReinitializeHandler' : [ 0x108, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0x110, ['pointer64', ['void']]], 'PerfControlHandler' : [ 0x118, ['pointer64', ['void']]], 'MaxFrequency' : [ 0x120, ['unsigned long']], 'NominalFrequency' : [ 0x124, ['unsigned long']], 'MaxPercent' : [ 0x128, ['unsigned long']], 'MinPerfPercent' : [ 0x12c, ['unsigned long']], 'MinThrottlePercent' : [ 0x130, ['unsigned long']], 'MinimumRelativePerformance' : [ 0x138, ['unsigned long long']], 'NominalRelativePerformance' : [ 0x140, ['unsigned long long']], 'Coordination' : [ 0x148, ['unsigned char']], 'HardPlatformCap' : [ 0x149, ['unsigned char']], 'AffinitizeControl' : [ 0x14a, ['unsigned char']], 'EfficientThrottle' : [ 0x14b, ['unsigned 
char']], 'AutonomousMode' : [ 0x14c, ['unsigned char']], 'SelectedPercent' : [ 0x150, ['unsigned long']], 'SelectedFrequency' : [ 0x154, ['unsigned long']], 'DesiredPercent' : [ 0x158, ['unsigned long']], 'MaxPolicyPercent' : [ 0x15c, ['unsigned long']], 'MinPolicyPercent' : [ 0x160, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x164, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x168, ['unsigned long']], 'GuaranteedPercent' : [ 0x16c, ['unsigned long']], 'TolerancePercent' : [ 0x170, ['unsigned long']], 'SelectedState' : [ 0x178, ['unsigned long long']], 'PerfChangeTime' : [ 0x180, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0x188, ['unsigned long']], 'Force' : [ 0x18c, ['unsigned char']], 'ProvideGuidance' : [ 0x18d, ['unsigned char']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HVIEW_MAP_TABLE' : [ 0x800, { 'Entries' : [ 0x0, ['array', 64, ['_HVIEW_MAP_ENTRY']]], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_TRIAGE_9F_PNP' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'CompletionQueue' : [ 0x8, ['pointer64', ['_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE']]], 'DelayedWorkQueue' : [ 0x10, ['pointer64', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_RELATION_LIST' : [ 0x10, { 'DeviceObjectList' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT_LIST']]], 'Sorted' : [ 
0x8, ['unsigned char']], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MI_STANDBY_STATE' : [ 0xc0, { 'TransitionSharedPages' : [ 0x0, ['unsigned long long']], 'TransitionSharedPagesPeak' : [ 0x8, ['array', 3, ['unsigned long long']]], 'FirstDecayPage' : [ 0x20, ['unsigned long long']], 'PfnDecayFreeSList' : [ 0x30, ['_SLIST_HEADER']], 'PfnRepurposeLog' : [ 0x40, ['pointer64', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'AllocatePfnRepurposeDpc' : [ 0x48, ['_KDPC']], } ], '_MI_ACCESS_LOG_STATE' : [ 0x80, { 'CcAccessLog' : [ 0x0, ['pointer64', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'Enabled' : [ 0x8, ['unsigned long']], 'DisableAccessLogging' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'MinLoggingPriority' : [ 0x30, ['unsigned long']], 'AccessLoggingLock' : [ 0x40, ['unsigned long long']], } ], '_ETW_BUFFER_QUEUE' : [ 0x18, { 'QueueHead' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueTail' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x10, ['_SINGLE_LIST_ENTRY']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long long']], 'SpecialPoolPdes' : [ 0x40, ['_RTL_BITMAP']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x8, { 'LogHandleContext' : [ 0x0, ['pointer64', ['_LOG_HANDLE_CONTEXT']]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, 
['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_CURRENT_BROADCAST' : [ 0x18, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'DeviceState' : [ 0x10, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '__unnamed_2691' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_2695' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], 
'_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_2691']], 'Bits' : [ 0x4, ['__unnamed_2695']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'DataLow' : [ 0x0, ['long long']], 'DataHigh' : [ 0x8, ['long long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_FAST_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_IOV_IRP_TRACE' : [ 0x80, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x10, ['short']], 'SpecialApcDisable' : [ 0x12, ['short']], 'CombinedApcDisable' : [ 0x10, ['unsigned long']], 'Irql' : [ 0x14, ['unsigned char']], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_DYNAMIC_FUNCTION_TABLE' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FunctionTable' : [ 0x10, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'TimeStamp' : [ 0x18, ['_LARGE_INTEGER']], 'MinimumAddress' : [ 0x20, ['unsigned long long']], 'MaximumAddress' : [ 0x28, ['unsigned long long']], 'BaseAddress' : [ 0x30, ['unsigned long long']], 'Callback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'OutOfProcessCallbackDll' : [ 0x48, ['pointer64', ['unsigned short']]], 'Type' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'RF_SORTED', 1: 'RF_UNSORTED', 2: 'RF_CALLBACK', 3: 'RF_KERNEL_DYNAMIC'})]], 'EntryCount' : [ 0x54, ['unsigned long']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x10, { 
'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x8, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_PROC_IDLE_POLICY' : [ 0x6, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], 'ForceLightIdle' : [ 0x5, ['unsigned char']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '__unnamed_26b7' : [ 0x4, { 'PercentLevel' : [ 0x0, ['unsigned long']], } ], '__unnamed_26b9' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_26b7']], 'Button' : [ 0x10, ['__unnamed_26b9']], } ], '_KDPC_DATA' : [ 0x28, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], 'ActiveDpc' : [ 0x20, ['pointer64', ['_KDPC']]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 
'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_KSCB' : [ 0x198, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'MinQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'MaxQuotaCycleTarget' : [ 0x10, ['unsigned long long']], 'RankCycleTarget' : [ 0x18, ['unsigned long long']], 'LongTermCycles' : [ 0x20, ['unsigned long long']], 'LastReportedCycles' : [ 0x28, ['unsigned long long']], 'OverQuotaHistory' : [ 0x30, ['unsigned long long']], 'ReadyTime' : [ 0x38, ['unsigned long long']], 'InsertTime' : [ 0x40, ['unsigned long long']], 'PerProcessorList' : [ 0x48, ['_LIST_ENTRY']], 'QueueNode' : [ 0x58, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x70, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'MaxOverQuota' : [ 0x70, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'MinOverQuota' : [ 0x70, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x70, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SoftCap' : [ 0x70, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Spare1' : [ 0x70, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Depth' : [ 0x71, ['unsigned char']], 'ReadySummary' : [ 0x72, ['unsigned short']], 'Rank' : [ 0x74, ['unsigned long']], 'ReadyListHead' : [ 0x78, ['array', 16, ['_LIST_ENTRY']]], 'ChildScbQueue' : [ 0x178, ['_RTL_RB_TREE']], 'Parent' : [ 0x188, ['pointer64', ['_KSCB']]], 'Root' : [ 0x190, ['pointer64', ['_KSCB']]], } ], 
'__unnamed_26c8' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_26c9' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_26c8']], 'Merged' : [ 0x10, ['__unnamed_26c9']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_PROC_PERF_HISTORY' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'UtilityTotal' : [ 0x8, ['unsigned long']], 'AffinitizedUtilityTotal' : [ 0xc, ['unsigned long']], 'FrequencyTotal' : [ 0x10, ['unsigned long']], 'TaggedPercentTotal' : [ 0x14, ['array', 2, ['unsigned long']]], 'HistoryList' : [ 0x1c, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_MI_PARTITION_ZEROING' : [ 0x68, { 'PageEvent' : [ 0x0, ['_KEVENT']], 'ThreadActive' : [ 0x18, ['unsigned char']], 'ZeroFreePageSlistMinimum' : [ 0x1c, ['long']], 'FirstReservedZeroingPte' : [ 0x20, ['pointer64', ['_MMPTE']]], 'RebalanceZeroFreeWorkItem' : [ 0x28, ['_WORK_QUEUE_ITEM']], 'ThreadCount' : [ 0x48, ['long']], 'Gate' : [ 0x50, ['_KGATE']], } ], '_IMAGE_RUNTIME_FUNCTION_ENTRY' : [ 0xc, { 'BeginAddress' : [ 0x0, ['unsigned long']], 'EndAddress' : [ 0x4, ['unsigned long']], 'UnwindInfoAddress' : [ 0x8, ['unsigned long']], 'UnwindData' : [ 0x8, ['unsigned long']], } ], '__unnamed_26d8' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_26d8']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long long']], 'Processors' : [ 0x8, ['unsigned long']], 'ActiveProcessors' : [ 0xc, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '__unnamed_26f0' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_26f2' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_26f0']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x110, { 'SuspectDriverEntry' : [ 0x0, ['pointer64', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_26f2']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' : [ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 
'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], 'ExecutePoolTypes' : [ 0xf8, ['unsigned long']], 'ExecutePageProtections' : [ 0xfc, ['unsigned long']], 'ExecutePageMappings' : [ 0x100, ['unsigned long']], 'ExecuteWriteSections' : [ 0x104, ['unsigned long']], 'SectionAlignmentFailures' : [ 0x108, ['unsigned long']], } ], '_TRIAGE_DEVICE_NODE' : [ 0x58, { 'Sibling' : [ 0x0, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'FxDevice' : [ 0x50, ['pointer64', ['_TRIAGE_POP_FX_DEVICE']]], } ], '_PRIVATE_CACHE_MAP' : [ 0x78, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long long']], 'PipelinedReadAheadRequestSize' : [ 0x58, ['unsigned long']], 'ReadAheadGrowth' : [ 0x5c, ['unsigned long']], 'PrivateLinks' : [ 0x60, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x70, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 
0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_MI_SYSTEM_IMAGE_STATE' : [ 0xc0, { 'FixupLock' : [ 0x0, ['long']], 'FixupList' : [ 0x8, ['_LIST_ENTRY']], 'LoadLock' : [ 0x18, ['_KMUTANT']], 
'FirstLoadEver' : [ 0x50, ['unsigned char']], 'LargePageAll' : [ 0x51, ['unsigned char']], 'LastPage' : [ 0x58, ['unsigned long long']], 'LargePageList' : [ 0x60, ['_LIST_ENTRY']], 'BeingDeleted' : [ 0x70, ['pointer64', ['_KLDR_DATA_TABLE_ENTRY']]], 'MappingRangesPushLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'MappingRanges' : [ 0x80, ['array', 2, ['pointer64', ['_MI_DRIVER_VA']]]], 'PageCount' : [ 0x90, ['unsigned long long']], 'PageCounts' : [ 0x98, ['_MM_SYSTEM_PAGE_COUNTS']], 'CollidedLock' : [ 0xa8, ['_EX_PUSH_LOCK']], 'ErrataPte' : [ 0xb0, ['pointer64', ['_MMPTE']]], 'ErrataPteMapped' : [ 0xb8, ['unsigned long']], } ], '_PTE_TRACKER' : [ 0x80, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'GuardPte' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x48, ['array', 7, ['pointer64', ['void']]]], } ], '_HV_GET_CELL_CONTEXT' : [ 0x4, { 'Cell' : [ 0x0, ['unsigned long']], 'IsInTempBin' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 
0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '__unnamed_2724' : [ 0x2, { 'SignatureLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'SignatureType' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned short')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'EntireField' : [ 0x0, ['unsigned short']], } ], '_KLDR_DATA_TABLE_ENTRY' : [ 0xa0, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'ExceptionTable' : [ 0x10, ['pointer64', ['void']]], 'ExceptionTableSize' : [ 0x18, ['unsigned long']], 'GpValue' : [ 0x20, ['pointer64', ['void']]], 'NonPagedDebugInfo' : [ 0x28, ['pointer64', ['_NON_PAGED_DEBUG_INFO']]], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'u1' : [ 0x6e, ['__unnamed_2724']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'CoverageSectionSize' : [ 0x7c, ['unsigned long']], 'CoverageSection' : [ 0x80, ['pointer64', ['void']]], 'LoadedImports' : [ 0x88, ['pointer64', ['void']]], 'Spare' : [ 0x90, ['pointer64', ['void']]], 'SizeOfImageNotRounded' : [ 0x98, ['unsigned long']], 'TimeDateStamp' : [ 0x9c, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 
'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x30, { 'InstantaneousRead' : [ 0x0, ['pointer64', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer64', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'Scaling' : [ 0x22, ['unsigned char']], 'Context' : [ 0x28, ['unsigned long long']], } ], '_PPM_COORDINATED_SYNCHRONIZATION' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'EnterProcessor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'ExitProcessor' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 24, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 26, native_type='unsigned long')]], 'Entered' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'EntryPriority' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_MI_PAGING_IO_STATE' : [ 0x50, { 'PageFileHead' : [ 0x0, ['_RTL_AVL_TREE']], 'PageFileHeadSpinLock' : [ 0x8, ['long']], 'PrefetchSeekThreshold' : [ 0xc, ['long']], 'InPageSupportSListHead' : [ 0x10, ['array', 2, ['_SLIST_HEADER']]], 'InPageSupportSListMinimum' : [ 0x30, ['array', 2, ['unsigned char']]], 'InPageSinglePages' : [ 0x34, ['unsigned long']], 'DelayPageFaults' : [ 0x38, ['long']], 
'FileCompressionBoundary' : [ 0x3c, ['unsigned long']], 'MdlsAdjusted' : [ 0x40, ['unsigned char']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_MI_FORCED_COMMITS' : [ 0x8, { 'Regular' : [ 0x0, ['unsigned long']], 'Wrap' : [ 0x4, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x28, { 'BlockOffset' : [ 0x0, ['unsigned long long']], 'PermanentBinAddress' : [ 0x8, ['unsigned long long']], 'TemporaryBinAddress' : [ 0x10, ['unsigned long long']], 'TemporaryBinRundown' : [ 0x18, ['_EX_RUNDOWN_REF']], 'MemAlloc' : [ 0x20, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x30, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'Reference' : [ 0x10, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x28, ['unsigned char']], 'Name' : [ 0x2a, ['array', 1, ['wchar']]], } ], '_PLATFORM_IDLE_ACCOUNTING' : [ 0x400, { 'ResetCount' : [ 0x0, ['unsigned long']], 'StateCount' : [ 0x4, ['unsigned long']], 'DeepSleepCount' : [ 0x8, ['unsigned long']], 'TimeUnit' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['_PLATFORM_IDLE_STATE_ACCOUNTING']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x260, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x270, ['unsigned long']], } ], 
'_MI_VAD_SEQUENTIAL_INFO' : [ 0x8, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2753' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_2756' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0x1b0, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x10, ['_LIST_ENTRY']], 'Event' : [ 0x20, ['_KEVENT']], 'CollidedEvent' : [ 0x38, ['_KEVENT']], 'IoStatus' : [ 0x50, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x60, ['_LARGE_INTEGER']], 'ApcState' : [ 0x68, ['_KAPC_STATE']], 'Thread' : [ 0x98, ['pointer64', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0xa0, ['pointer64', ['_MMPFN']]], 'PteContents' : [ 0xa8, ['_MMPTE']], 'WaitCount' : [ 0xb0, ['long']], 'ByteCount' : [ 0xb4, ['unsigned long']], 'u3' : [ 0xb8, ['__unnamed_2753']], 'u1' : [ 0xbc, ['__unnamed_2756']], 'FilePointer' : [ 0xc0, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0xc8, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0xc8, ['pointer64', ['_SUBSECTION']]], 'Autoboost' : [ 0xd0, ['pointer64', ['void']]], 'FaultingAddress' : [ 0xd8, ['pointer64', ['void']]], 'PointerPte' : [ 0xe0, ['pointer64', ['_MMPTE']]], 'BasePte' : [ 0xe8, ['pointer64', ['_MMPTE']]], 'Pfn' : [ 0xf0, ['pointer64', ['_MMPFN']]], 'PrefetchMdl' : [ 0xf8, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x100, ['_MDL']], 'Page' : [ 0x130, ['array', 16, ['unsigned long long']]], 'FlowThrough' : [ 0x130, ['_MMINPAGE_SUPPORT_FLOW_THROUGH']], } ], '_HAL_NODE_RANGE' : [ 0x10, { 'PageFrameIndex' : [ 0x0, ['unsigned long long']], 'Node' : [ 0x8, ['unsigned long']], } ], '_MMCLONE_BLOCK' : [ 0x20, { 'ProtoPte' : [ 0x0, ['_MMPTE']], 'PaddingFor16ByteAlignment' : [ 0x8, ['unsigned long long']], 'CloneCommitCount' : [ 0x10, ['unsigned long long']], 'u1' : 
[ 0x10, ['_MI_CLONE_BLOCK_FLAGS']], 'CloneRefCount' : [ 0x18, ['unsigned long long']], } ], '_PS_TRUSTLET_TKSESSION_ID' : [ 0x20, { 'SessionId' : [ 0x0, ['array', 4, ['unsigned long long']]], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions', 24: 'ConfigureDeviceReset'})]], 'ReorderingBarrier' : [ 0x1c, ['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long long']], 'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], 'ActivityId' : [ 0x38, ['_GUID']], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'LowboxNumber' : [ 0x28, ['unsigned long']], 'AtomTable' : [ 0x30, ['pointer64', ['void']]], } ], '_MI_LDW_WORK_CONTEXT' : [ 0x38, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'FileObject' : [ 0x20, ['pointer64', ['_FILE_OBJECT']]], 'ErrorStatus' : [ 0x28, ['long']], 'Active' : [ 0x2c, ['long']], 'FreeWhenDone' : [ 0x30, ['unsigned char']], } ], '_MI_CFG_BITMAP_INFO' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'RegionSize' : [ 0x8, ['unsigned long long']], 
'BitmapVad' : [ 0x10, ['pointer64', ['_MMVAD']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MI_SHUTDOWN_STATE' : [ 0x80, { 'CrashDumpInitialized' : [ 0x0, ['unsigned char']], 'ConnectedStandbyActive' : [ 0x1, ['unsigned char']], 'SystemShutdown' : [ 0x4, ['unsigned long']], 'ShutdownFlushInProgress' : [ 0x8, ['long']], 'ResumeItem' : [ 0x10, ['_MI_RESUME_WORKITEM']], 'MirrorHoldsPfn' : [ 0x48, ['pointer64', ['_ETHREAD']]], 'MirroringActive' : [ 0x50, ['unsigned long']], 'MirrorBitMaps' : [ 0x58, ['array', 2, ['_RTL_BITMAP_EX']]], 'CrashDumpPte' : [ 0x78, ['pointer64', ['_MMPTE']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'OperatingSystemVersion' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ComPlusPrefer32bit' : [ 0x33, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x70, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GroupRegList' : [ 0x10, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x20, ['pointer64', ['_ETW_GUID_ENTRY']]], 'GroupEntry' : [ 0x28, ['pointer64', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x30, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x30, ['array', 4, ['pointer64', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x30, ['pointer64', ['void']]], 'SessionId' : [ 0x38, ['unsigned long']], 'Process' : [ 0x50, ['pointer64', ['_EPROCESS']]], 'CallbackContext' : [ 0x50, ['pointer64', ['void']]], 'Callback' : [ 0x58, ['pointer64', ['void']]], 'Index' : [ 0x60, ['unsigned short']], 'Flags' : [ 0x62, ['unsigned char']], 'DbgKernelRegistration' : [ 0x62, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgUserRegistration' : [ 0x62, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DbgReplyRegistration' : [ 0x62, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'DbgClassicRegistration' : [ 0x62, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'DbgSessionSpaceRegistration' : [ 0x62, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DbgModernRegistration' : [ 0x62, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DbgClosed' : [ 0x62, ['BitField', dict(start_bit = 6, 
end_bit = 7, native_type='unsigned char')]], 'DbgInserted' : [ 0x62, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'EnableMask' : [ 0x63, ['unsigned char']], 'GroupEnableMask' : [ 0x64, ['unsigned char']], 'UseDescriptorType' : [ 0x65, ['unsigned char']], 'Traits' : [ 0x68, ['pointer64', ['_ETW_PROVIDER_TRAITS']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_HVIEW_MAP_PIN_LOG' : [ 0x488, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Entries' : [ 0x8, ['array', 16, ['_HVIEW_MAP_PIN_LOG_ENTRY']]], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 
'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_MI_PROBE_RAISE_TRACKER' : [ 0x40, { 'UserRangeInKernel' : [ 0x0, ['unsigned long']], 'FaultFailed' : [ 0x4, ['unsigned long']], 'WriteFaultFailed' : [ 0x8, ['unsigned long']], 'LargePageFailed' : [ 0xc, ['unsigned long']], 'UserAccessToKernelPte' : [ 0x10, ['unsigned long']], 'BadPageLocation' : [ 0x14, ['unsigned long']], 'InsufficientCharge' : [ 0x18, ['unsigned long']], 'PageTableCharge' : [ 0x1c, ['unsigned long']], 'NoPhysicalMapping' : [ 0x20, ['unsigned long']], 'NoIoReference' : [ 0x24, ['unsigned long']], 'ProbeFailed' : [ 0x28, ['unsigned long']], 'PteIsZero' : [ 0x2c, ['unsigned long']], 'StrongCodeWrite' : [ 0x30, ['unsigned long']], 'ReducedCloneCommitChargeFailed' : [ 0x34, ['unsigned long']], 'CopyOnWriteAtDispatchNoPages' : [ 0x38, ['unsigned long']], 'EnclavePageFailed' : [ 0x3c, ['unsigned long']], } ], '_ETW_PROVIDER_TRAITS' : [ 0x20, { 'Node' : [ 0x0, ['_RTL_BALANCED_NODE']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Traits' : [ 0x1c, ['array', 1, ['unsigned 
char']]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0x60, { 'Count' : [ 0x0, ['unsigned long']], 'Vectors' : [ 0x8, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_MI_CLONE_BLOCK_FLAGS' : [ 0x8, { 'ActualCloneCommit' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 59, native_type='unsigned long long')]], 'CloneProtection' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x118, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x68, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x68, ['unsigned long']], 'PackagedBinary' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 
'ReservedFlags1' : [ 0x68, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x68, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LoadConfigProcessed' : [ 0x68, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectDelayLoad' : [ 0x68, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x68, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x68, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x68, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x68, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x68, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x68, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x68, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x68, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x68, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x68, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x68, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x80, 
['unsigned long']], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Lock' : [ 0x90, ['pointer64', ['void']]], 'DdagNode' : [ 0x98, ['pointer64', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0xa0, ['_LIST_ENTRY']], 'LoadContext' : [ 0xb0, ['pointer64', ['_LDRP_LOAD_CONTEXT']]], 'ParentDllBase' : [ 0xb8, ['pointer64', ['void']]], 'SwitchBackContext' : [ 0xc0, ['pointer64', ['void']]], 'BaseAddressIndexNode' : [ 0xc8, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0xe0, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0xf8, ['unsigned long long']], 'LoadTime' : [ 0x100, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x108, ['unsigned long']], 'LoadReason' : [ 0x10c, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x110, ['unsigned long']], 'ReferenceCount' : [ 0x114, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], 'AllStacksInUse' : [ 0x1c, ['unsigned long']], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GetExtents' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 
4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CoalescedIo' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'VmLockNotNeeded' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_MI_DRIVER_VA' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_DRIVER_VA']]], 'PointerPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BitMap' : [ 0x10, ['_RTL_BITMAP']], 'Hint' : [ 0x20, ['unsigned long']], } ], '_LDR_DDAG_NODE' : [ 0x50, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 
'ServiceTagList' : [ 0x10, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0x18, ['unsigned long']], 'LoadWhileUnloadingCount' : [ 0x1c, ['unsigned long']], 'LowestLink' : [ 0x20, ['unsigned long']], 'Dependencies' : [ 0x28, ['_LDRP_CSLIST']], 'IncomingDependencies' : [ 0x30, ['_LDRP_CSLIST']], 'State' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x48, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1d0, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'Order' : [ 0x30, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x1a8, ['_LIST_ENTRY']], 'Status' : [ 0x1b8, ['long']], 'FailedDevice' : [ 0x1c0, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1c8, ['unsigned char']], 'Cancelled' : [ 0x1c9, ['unsigned char']], 'IgnoreErrors' : [ 0x1ca, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1cb, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1cc, ['unsigned char']], } ], '_KHETERO_PROCESSOR_SET' : [ 0x10, { 
'PreferredMask' : [ 0x0, ['unsigned long long']], 'AvailableMask' : [ 0x8, ['unsigned long long']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x10, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_KWAIT_CHAIN_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Event' : [ 0x8, ['_KEVENT']], } ], '__unnamed_27d1' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '__unnamed_27d3' : [ 0x4, { 'NumberOfChildViews' : [ 0x0, ['unsigned long']], } ], '__unnamed_27d5' : [ 0x4, { 'AlignmentNoAccessPtes' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'DirtyPages' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'GlobalPerSessionHead' : [ 0x18, ['_RTL_AVL_TREE']], 'CreationWaitList' : [ 0x18, ['pointer64', ['_MI_SUBSECTION_WAIT_BLOCK']]], 'SessionDriverProtos' : [ 0x18, ['pointer64', ['_MI_PER_SESSION_PROTOS']]], 'u' : [ 0x20, ['__unnamed_27d1']], 'StartingSector' : [ 0x24, 
['unsigned long']], 'NumberOfFullSectors' : [ 0x28, ['unsigned long']], 'PtesInSubsection' : [ 0x2c, ['unsigned long']], 'u1' : [ 0x30, ['__unnamed_27d3']], 'UnusedPtes' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'DirtyPages' : [ 0x34, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u2' : [ 0x34, ['__unnamed_27d5']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0xf8, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Name' : [ 0xa8, ['_UNICODE_STRING']], 'Latency' : [ 0xb8, ['unsigned long']], 'BreakEvenDuration' : [ 0xbc, ['unsigned long']], 'Power' : [ 0xc0, ['unsigned long']], 'StateFlags' : [ 0xc4, ['unsigned long']], 'VetoAccounting' : [ 0xc8, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0xf0, ['unsigned char']], 'InterruptsEnabled' : [ 0xf1, ['unsigned char']], 'Interruptible' : [ 0xf2, ['unsigned char']], 'ContextRetained' : [ 0xf3, ['unsigned char']], 'CacheCoherent' : [ 0xf4, ['unsigned char']], 'WakesSpuriously' : [ 0xf5, ['unsigned char']], 'PlatformOnly' : [ 0xf6, ['unsigned char']], 'NoCState' : [ 0xf7, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', 
dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_MI_SYSTEM_PTE_STATE' : [ 0x180, { 'DeadPteTrackerSListHead' : [ 0x0, ['_SLIST_HEADER']], 'PteTrackerLock' : [ 0x10, ['unsigned long long']], 'MdlTrackerLookaside' : [ 0x40, ['_NPAGED_LOOKASIDE_LIST']], 'PteTrackingBitmap' : [ 0xc0, ['_RTL_BITMAP_EX']], 'CachedPteHeads' : [ 0xd0, ['pointer64', ['_MI_CACHED_PTES']]], 'SystemViewPteInfo' : [ 0xd8, ['_MI_SYSTEM_PTE_TYPE']], 'KernelStackPages' : [ 0x138, ['unsigned char']], 'QueuedStacks' : [ 0x140, ['_SLIST_HEADER']], 'StackGrowthFailures' : [ 0x150, ['unsigned long']], 'TrackPtesAborted' : [ 0x154, ['unsigned char']], 'AdjustCounter' : [ 0x155, ['unsigned char']], 'QueuedStacksWorkItem' : [ 0x158, ['_MI_QUEUED_DEADSTACK_WORKITEM']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x40, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x10, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x18, ['long']], 'HighWaterMark' : [ 0x1c, ['unsigned long']], 'Reserved' : [ 0x20, ['array', 8, ['unsigned 
long']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 
0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_PPM_POLICY_SETTINGS_MASK' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'PerfDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PerfIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerfDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PerfIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PerfDecreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PerfIncreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'PerfMinPolicy' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'PerfMaxPolicy' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'PerfTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PerfBoostPolicy' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PerfBoostMode' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AllowThrottling' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PerfHistoryCount' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ParkingPerfState' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LatencyHintPerf' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'LatencyHintUnpark' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CoreParkingMinCores' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 
'CoreParkingMaxCores' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'CoreParkingDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'CoreParkingIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CoreParkingDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CoreParkingIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CoreParkingOverUtilizationThreshold' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'CoreParkingDistributeUtility' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CoreParkingConcurrencyThreshold' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CoreParkingHeadroomThreshold' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CoreParkingDistributionThreshold' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IdleAllowScaling' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'IdleDisable' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'IdleTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'IdleDemoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'IdlePromoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HeteroDecreaseTime' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HeteroIncreaseTime' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HeteroDecreaseThreshold' : [ 0x4, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HeteroIncreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Class0FloorPerformance' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Class1InitialPerformance' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnergyPerfPreference' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AutonomousActivityWindow' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AutonomousMode' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DutyCycling' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2805' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x20, { 'NodeRangeSize' : [ 0x0, ['unsigned long long']], 'NodeCount' : [ 0x8, ['unsigned long long']], 'Tables' : [ 0x10, ['pointer64', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x18, ['unsigned long']], 'u1' : [ 0x1c, ['__unnamed_2805']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_POP_FX_ACCOUNTING' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned char']], 'DripsRequiredState' : [ 0xc, ['unsigned long']], 'Level' : [ 0x10, ['long']], 'ActiveStamp' : [ 0x18, ['long long']], 'CsActiveTime' : [ 0x20, ['unsigned long long']], 'CriticalActiveTime' : [ 0x28, 
['long long']], } ], '_MI_RESUME_WORKITEM' : [ 0x38, { 'ResumeCompleteEvent' : [ 0x0, ['_KEVENT']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 
0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ISR_THUNK' : [ 0x8, { 'PushImm' : [ 0x0, ['unsigned char']], 'Vector' : [ 0x1, ['unsigned char']], 'PushRbp' : [ 0x2, ['unsigned char']], 'JmpOp' : [ 0x3, ['unsigned char']], 'JmpOffset' : [ 0x4, ['long']], } ], '_TRIAGE_EX_WORK_QUEUE' : [ 0x2b0, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x8, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'TaggedPercent' : [ 0x5, ['array', 2, ['unsigned char']]], } ], '_POP_FX_COMPONENT' : [ 0x100, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x18, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x58, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x60, ['long']], 'ActiveEvent' : [ 0x68, ['_KEVENT']], 'IdleLock' : [ 0x80, ['unsigned long long']], 'IdleConditionComplete' : [ 0x88, ['long']], 'IdleStateComplete' : [ 0x8c, ['long']], 'IdleStamp' : [ 0x90, ['unsigned long long']], 'CurrentIdleState' : [ 0x98, ['unsigned long']], 'IdleStateCount' : [ 
0x9c, ['unsigned long']], 'IdleStates' : [ 0xa0, ['pointer64', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0xa8, ['unsigned long']], 'ProviderCount' : [ 0xac, ['unsigned long']], 'Providers' : [ 0xb0, ['pointer64', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0xb8, ['unsigned long']], 'DependentCount' : [ 0xbc, ['unsigned long']], 'Dependents' : [ 0xc0, ['pointer64', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0xc8, ['_POP_FX_ACCOUNTING']], 'Performance' : [ 0xf8, ['pointer64', ['_POP_FX_PERF_INFO']]], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x10, { 'DeviceHandle' : [ 0x0, ['pointer64', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x38, { 'ComponentActive' : [ 0x0, ['pointer64', ['void']]], 'ComponentIdle' : [ 0x8, ['pointer64', ['void']]], 'ComponentIdleState' : [ 0x10, ['pointer64', ['void']]], 'DevicePowerRequired' : [ 0x18, ['pointer64', ['void']]], 'DevicePowerNotRequired' : [ 0x20, ['pointer64', ['void']]], 'PowerControl' : [ 0x28, ['pointer64', ['void']]], 'ComponentCriticalTransition' : [ 0x30, ['pointer64', ['void']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x10, ['unsigned char']], 'Spare' : [ 0x11, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0x14, ['unsigned long']], 'DebugId' : [ 0x18, ['_CVDD']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8180, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 
'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'StackLimitHits' : [ 0x8038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x803c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x8040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8044, ['unsigned long']], 'TotalReleases' : [ 0x8048, ['unsigned long']], 'RootNodesDeleted' : [ 0x804c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x8050, ['unsigned long']], 'Instigator' : [ 0x8058, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8060, ['unsigned long']], 'Participant' : [ 0x8068, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8168, ['long']], 'StackType' : [ 0x816c, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x8170, ['unsigned long long']], 'StackHighLimit' : [ 0x8178, ['unsigned long long']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, 
['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']], } ], '_MM_SYSTEM_PAGE_COUNTS' : [ 0x10, { 'SystemCodePage' : [ 0x0, ['unsigned long']], 'SystemDriverPage' : [ 0x4, ['unsigned long']], 'TotalSystemCodePages' : [ 0x8, ['long']], 'TotalSystemDriverPages' : [ 0xc, ['long']], } ], '_MI_MODWRITE_DATA' : [ 0x40, { 'PagesLoad' : [ 0x0, ['long long']], 'PagesAverage' : [ 0x8, ['unsigned long long']], 'AverageAvailablePages' : [ 0x10, ['unsigned long long']], 'PagesWritten' : [ 0x18, ['unsigned long long']], 'WritesIssued' : [ 0x20, ['unsigned long']], 'IgnoredReservationsCount' : [ 0x24, ['unsigned long']], 'FreedReservationsCount' : [ 0x28, ['unsigned long']], 'WriteBurstCount' : [ 0x2c, ['unsigned long']], 'IgnoreReservationsStartTime' : [ 0x30, ['unsigned long long']], 'ReservationClusterInfo' : [ 0x38, ['_MI_RESERVATION_CLUSTER_INFO']], 'IgnoreReservations' : [ 0x3c, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare' : [ 0x3c, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'Spare1' : [ 0x3e, ['unsigned short']], } ], '_PLATFORM_IDLE_STATE_ACCOUNTING' : [ 0x3e8, { 'CancelCount' : [ 0x0, ['unsigned long']], 'FailureCount' : [ 0x4, ['unsigned long']], 'SuccessCount' : [ 0x8, ['unsigned long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'TotalTime' : [ 0x20, ['unsigned long long']], 'InvalidBucketIndex' : [ 0x28, ['unsigned long']], 'SelectionStatistics' : [ 0x30, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa8, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, 
['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', 
dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x30, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'ExpectedWakeReason' : [ 0x2d, ['unsigned char']], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 'Inserted' : [ 0x1c, ['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, 
native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PrivateDemandZero' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_2880' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2882' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2880']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2882']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, 
['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_2897' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, 
['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_2897']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_HVIEW_MAP_ENTRY' : [ 0x20, { 'ViewStart' : [ 0x0, ['pointer64', ['void']]], 'IsPinned' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Bcb' : [ 0x8, ['pointer64', ['void']]], 'PinnedPages' : [ 0x10, 
['unsigned long long']], 'Size' : [ 0x18, ['unsigned long']], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_POP_COOLING_EXTENSION' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'RequestListHead' : [ 0x10, ['_LIST_ENTRY']], 'Lock' : [ 0x20, ['_POP_RW_LOCK']], 'DeviceObject' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'NotificationEntry' : [ 0x38, ['pointer64', ['void']]], 'Enabled' : [ 0x40, ['unsigned char']], 'ActiveEngaged' : [ 0x41, ['unsigned char']], 'ThrottleLimit' : [ 0x42, ['unsigned char']], 'UpdatingToCurrent' : [ 0x43, ['unsigned char']], 'RemovalFlushEvent' : [ 0x48, ['pointer64', ['_KEVENT']]], 'PnpFlushEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Interface' : [ 0x58, ['_THERMAL_COOLING_INTERFACE']], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_CM_INDEX' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'NameHint' : [ 0x4, ['array', 4, ['unsigned char']]], 'HashKey' : [ 0x4, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, 
['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_THERMAL_POLICY' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ThermalStandby' : [ 0x7, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], 'OverThrottled' : [ 0x14, ['unsigned char']], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_RTL_UMS_CONTEXT' : [ 0x520, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'PrimaryUmsContext' : [ 0x500, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x508, ['unsigned long']], 'KernelYieldCount' : [ 0x50c, ['unsigned long']], 'MixedYieldCount' : [ 0x510, ['unsigned long']], 'YieldCount' : [ 0x514, ['unsigned long']], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_MI_AVAILABLE_PAGE_WAIT_STATES' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'EventSets' : [ 0x18, ['unsigned long']], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, 
['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_COLORED_PAGE_INFO' : [ 0x18, { 'BeingZeroed' : [ 0x0, ['long']], 'Processor' : [ 0x4, ['unsigned long']], 'PagesQueued' : [ 0x8, ['unsigned long long']], 'PfnAllocation' : [ 0x10, ['pointer64', ['_MMPFN']]], } ], '_TRIAGE_9F_POWER' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'IrpList' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'ThreadList' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'DelayedWorkQueue' : [ 0x18, ['pointer64', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_MI_POOL_STATE' : [ 0xf8, { 'MaximumNonPagedPoolThreshold' : [ 0x0, ['unsigned long long']], 'NonPagedPoolSListMaximum' : [ 0x8, ['array', 3, ['unsigned long']]], 'AllocatedNonPagedPool' : [ 0x18, ['unsigned long long']], 'BadPoolHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'HighEventSets' : [ 0x28, ['unsigned long']], 'HighEventSetsValid' : [ 0x2c, ['unsigned char']], 'PoolFailures' : [ 0x30, ['array', 3, ['array', 3, ['unsigned long']]]], 'PoolFailureReasons' 
: [ 0x54, ['_MI_POOL_FAILURE_REASONS']], 'LowPagedPoolThreshold' : [ 0x80, ['unsigned long long']], 'HighPagedPoolThreshold' : [ 0x88, ['unsigned long long']], 'PagedPoolSListMaximum' : [ 0x90, ['unsigned long']], 'PreemptiveTrims' : [ 0x94, ['array', 4, ['unsigned long']]], 'SpecialPagesInUsePeak' : [ 0xa8, ['unsigned long long']], 'SpecialPoolRejected' : [ 0xb0, ['array', 9, ['unsigned long']]], 'SpecialPagesNonPaged' : [ 0xd8, ['unsigned long long']], 'SpecialPoolPdes' : [ 0xe0, ['long']], 'SessionSpecialPoolPdesMax' : [ 0xe4, ['unsigned long']], 'TotalPagedPoolQuota' : [ 0xe8, ['unsigned long long']], 'TotalNonPagedPoolQuota' : [ 0xf0, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_POP_POWER_SETTING_VALUES' : [ 0x13c, { 'StructureSize' : [ 0x0, ['unsigned long']], 'PopPolicy' : [ 0x4, ['_SYSTEM_POWER_POLICY']], 'CurrentAcDcPowerState' : [ 0xec, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'AwayModeEnabled' : [ 0xf0, ['unsigned char']], 'AwayModeEngaged' : [ 0xf1, ['unsigned char']], 'AwayModePolicyAllowed' : [ 0xf2, ['unsigned char']], 'AwayModeIgnoreUserPresent' : [ 0xf4, ['long']], 'AwayModeIgnoreAction' : [ 0xf8, ['long']], 'DisableFastS4' : [ 0xfc, ['unsigned char']], 'DisableStandbyStates' : [ 0xfd, ['unsigned char']], 'UnattendSleepTimeout' : [ 0x100, ['unsigned long']], 'DiskIgnoreTime' : [ 0x104, ['unsigned long']], 'DeviceIdlePolicy' : [ 0x108, ['unsigned long']], 'VideoDimTimeout' : [ 0x10c, ['unsigned long']], 'VideoNormalBrightness' : [ 0x110, ['unsigned long']], 'VideoDimBrightness' : [ 0x114, ['unsigned long']], 'AlsOffset' : [ 0x118, ['unsigned long']], 'AlsEnabled' : [ 0x11c, ['unsigned long']], 'EsBrightness' : [ 0x120, 
['unsigned long']], 'SwitchShutdownForced' : [ 0x124, ['unsigned char']], 'SystemCoolingPolicy' : [ 0x128, ['unsigned long']], 'MediaBufferingEngaged' : [ 0x12c, ['unsigned char']], 'OffloadedAudio' : [ 0x12d, ['unsigned char']], 'NonOffloadedAudio' : [ 0x12e, ['unsigned char']], 'FullscreenVideoPlayback' : [ 0x12f, ['unsigned char']], 'EsBatteryThreshold' : [ 0x130, ['unsigned long']], 'EsUserAwaySetting' : [ 0x134, ['unsigned char']], 'WiFiInStandby' : [ 0x138, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, 
['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_2911' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2913' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2911']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_2913']], } ], '_MI_RESAVAIL_FAILURES' : [ 0x8, { 'Wrap' : [ 0x0, ['unsigned long']], 'NoCharge' : [ 0x4, ['unsigned long']], } ], '_MI_IO_PAGE_STATE' : [ 0x58, { 'IoPfnLock' : [ 0x0, ['unsigned long long']], 'IoPfnRoot' : [ 0x8, ['array', 3, ['_RTL_AVL_TREE']]], 'UnusedCachedMaps' : [ 0x20, ['_LIST_ENTRY']], 'OldestCacheFlushTimeStamp' : [ 0x30, ['unsigned long']], 'IoCacheStats' : [ 0x38, ['_MI_IO_CACHE_STATS']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_VF_AVL_TABLE' : [ 0xc0, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x70, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1e, { 'PerUserPolicy' : [ 0x0, ['array', 30, ['unsigned char']]], } ], 
'_TRIAGE_POP_FX_DEVICE' : [ 0x38, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x18, ['pointer64', ['_TRIAGE_POP_IRP_DATA']]], 'Status' : [ 0x20, ['long']], 'PowerReqCall' : [ 0x24, ['long']], 'PowerNotReqCall' : [ 0x28, ['long']], 'DeviceNode' : [ 0x30, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], } ], '__unnamed_292f' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_2931' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_2937' : [ 0x10, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], 'OutputInformation' : [ 0x8, ['pointer64', ['_FS_FILTER_SECTION_SYNC_OUTPUT']]], } ], '__unnamed_293b' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_293d' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_292f']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2931']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2937']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_293b']], 'Others' : [ 0x0, ['__unnamed_293d']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x8, { 'Function' : [ 0x0, ['pointer64', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long long']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x78, { 'SelectedCount' : [ 0x0, ['unsigned long long']], 'VetoCount' : [ 0x8, ['unsigned long long']], 'PreVetoCount' : [ 0x10, 
['unsigned long long']], 'WrongProcessorCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, ['unsigned long long']], 'IdleDurationCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'PlatformOnlyCount' : [ 0x40, ['unsigned long long']], 'InterruptibleCount' : [ 0x48, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x50, ['unsigned long long']], 'CstateCheckCount' : [ 0x58, ['unsigned long long']], 'NoCStateCount' : [ 0x60, ['unsigned long long']], 'CoordinatedDependencyCount' : [ 0x68, ['unsigned long long']], 'PreVetoAccounting' : [ 0x70, ['pointer64', ['_PPM_VETO_ACCOUNTING']]], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x8, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_MI_PAGE_COMBINE_STATISTICS' : [ 0x28, { 'PagesScannedActive' : [ 0x0, ['unsigned long long']], 'PagesScannedStandby' : [ 0x8, ['unsigned long long']], 'PagesCombined' : [ 0x10, ['unsigned long long']], 'CombineScanCount' : [ 0x18, ['unsigned long']], 'CombinedBlocksInUse' : [ 0x1c, ['long']], 'SumCombinedBlocksReferenceCount' : [ 0x20, ['long']], } ], '_THERMAL_COOLING_INTERFACE' : [ 0x38, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'ActiveCooling' : [ 0x28, ['pointer64', ['void']]], 'PassiveCooling' 
: [ 0x30, ['pointer64', ['void']]], } ], '_HIVE_WAIT_PACKET' : [ 0x28, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Next' : [ 0x20, ['pointer64', ['_HIVE_WAIT_PACKET']]], } ], '_PROC_PERF_CHECK' : [ 0xc0, { 'LastActive' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'LastStall' : [ 0x10, ['unsigned long long']], 'Snap' : [ 0x18, ['_PROC_PERF_CHECK_SNAP']], 'TempSnap' : [ 0x68, ['_PROC_PERF_CHECK_SNAP']], 'TaggedThreadPercent' : [ 0xb8, ['array', 2, ['unsigned char']]], 'Class0FloorPerfSelection' : [ 0xba, ['unsigned char']], 'Class1MinimumPerfSelection' : [ 0xbb, ['unsigned char']], } ], '__unnamed_2956' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_2958' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_295a' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_2956']], 'Interrupt' : [ 0x0, ['__unnamed_2958']], 'LocalInterrupt' : [ 0x0, ['__unnamed_2958']], 'Sci' : [ 0x0, ['__unnamed_2958']], 'Nmi' : [ 0x0, ['__unnamed_2958']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_295a']], } ], '_POP_HIBER_CONTEXT' : [ 0x1d0, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'VerifyKernelPhaseOnResume' : [ 0x3, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x4, ['unsigned char']], 'InitializationFinished' : [ 0x5, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'HvCaptureReadyBarrier' : [ 0x14, 
['long']], 'HvCaptureCompletedBarrier' : [ 0x18, ['long']], 'MapFrozen' : [ 0x1c, ['unsigned char']], 'DiscardMap' : [ 0x20, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x20, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x30, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x40, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x50, ['unsigned long']], 'ClonedPageCount' : [ 0x58, ['unsigned long long']], 'CurrentMap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x68, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x70, ['unsigned long long']], 'LoaderMdl' : [ 0x78, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x80, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x88, ['unsigned long long']], 'IoPages' : [ 0x90, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x98, ['unsigned long']], 'CurrentMcb' : [ 0xa0, ['pointer64', ['void']]], 'DumpStack' : [ 0xa8, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xb0, ['pointer64', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0xb8, ['unsigned long']], 'Status' : [ 0xbc, ['long']], 'GraphicsProc' : [ 0xc0, ['unsigned long']], 'MemoryImage' : [ 0xc8, ['pointer64', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0xd0, ['pointer64', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0xd8, ['pointer64', ['_MDL']]], 'SiLogOffset' : [ 0xe0, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0xe8, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0xf0, ['pointer64', ['void']]], 'ResumeContext' : [ 0xf8, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x100, ['unsigned long']], 'SecurePages' : [ 0x104, ['unsigned long']], 'ProcessorCount' : [ 0x108, ['unsigned long']], 'ProcessorContext' : [ 0x110, ['pointer64', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0x118, ['pointer64', ['unsigned char']]], 'ProdConsSize' : [ 0x120, ['unsigned long']], 'MaxDataPages' : [ 0x124, ['unsigned long']], 'ExtraBuffer' : [ 0x128, ['pointer64', ['void']]], 'ExtraBufferSize' : [ 0x130, ['unsigned long long']], 'ExtraMapVa' : [ 0x138, 
['pointer64', ['void']]], 'BitlockerKeyPFN' : [ 0x140, ['unsigned long long']], 'IoInfo' : [ 0x148, ['_POP_IO_INFO']], 'IoChecksums' : [ 0x1b8, ['pointer64', ['unsigned short']]], 'IoChecksumsSize' : [ 0x1c0, ['unsigned long long']], 'HardwareConfigurationSignature' : [ 0x1c8, ['unsigned long']], 'IumEnabled' : [ 0x1cc, ['unsigned char']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_POP_FX_PERF_INFO' : [ 0xa0, { 'Component' : [ 0x0, ['pointer64', ['_POP_FX_COMPONENT']]], 'CompletedEvent' : [ 0x8, ['_KEVENT']], 'ComponentPerfState' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['_POP_FX_PERF_FLAGS']], 'LastChange' : [ 0x30, ['pointer64', ['_PO_FX_PERF_STATE_CHANGE']]], 'LastChangeCount' : [ 0x38, ['unsigned long']], 'LastChangeStamp' : [ 0x40, ['unsigned long long']], 'LastChangeNominal' : [ 0x48, ['unsigned char']], 'PepRegistered' : [ 0x49, ['unsigned char']], 'QueryOnIdleStates' : [ 0x4a, ['unsigned char']], 'RequestDriverContext' : [ 0x50, ['pointer64', 
['void']]], 'WorkOrder' : [ 0x58, ['_POP_FX_WORK_ORDER']], 'SetsCount' : [ 0x90, ['unsigned long']], 'Sets' : [ 0x98, ['pointer64', ['_POP_FX_PERF_SET']]], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_HAL_CHANNEL_MEMORY_RANGES' : [ 0x10, { 'PageFrameIndex' : [ 0x0, ['unsigned long long']], 'MpnId' : [ 0x8, ['unsigned short']], 'Node' : [ 0xa, ['unsigned short']], 'Channel' : [ 0xc, ['unsigned short']], 'IsPowerManageable' : [ 0xe, ['unsigned char']], 'DeepPowerState' : [ 0xf, ['unsigned char']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x178, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x108, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x110, ['pointer64', ['void']]], 'PointersLength' : [ 0x118, ['unsigned long']], 'ModulePrefix' : [ 0x120, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0x128, ['_LIST_ENTRY']], 'InitMsg' : [ 0x138, ['_STRING']], 'ProgMsg' : [ 0x148, ['_STRING']], 'DoneMsg' : [ 0x158, ['_STRING']], 'FileObject' : [ 0x168, ['pointer64', ['void']]], 'UsageType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0x18, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x8, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x48, { 
'InitiatingThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ThreadId' : [ 0x10, ['pointer64', ['void']]], 'ProcessId' : [ 0x18, ['pointer64', ['void']]], 'Code' : [ 0x20, ['unsigned long']], 'Parameter1' : [ 0x28, ['unsigned long long']], 'Parameter2' : [ 0x30, ['unsigned long long']], 'Parameter3' : [ 0x38, ['unsigned long long']], 'Parameter4' : [ 0x40, ['unsigned long long']], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_FS_FILTER_SECTION_SYNC_OUTPUT' : [ 0x10, { 'StructureSize' : [ 0x0, ['unsigned long']], 'SizeReturned' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DesiredReadAlignment' : [ 0xc, ['unsigned long']], } ], '_HVIEW_MAP_PIN_LOG_ENTRY' : [ 0x48, { 'ViewOffset' : [ 0x0, ['unsigned long']], 'Pinned' : [ 0x4, ['unsigned char']], 'PinMask' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Stack' : [ 0x18, ['array', 6, ['pointer64', ['void']]]], } ], '__unnamed_299a' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, 
['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_299a']], } ], '__unnamed_299e' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_299e']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_MI_SUBSECTION_WAIT_BLOCK' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_SUBSECTION_WAIT_BLOCK']]], 'Gate' : [ 0x8, ['_KGATE']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_KSCHEDULING_GROUP_POLICY' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long']], 'Weight' : [ 0x0, ['unsigned short']], 'MinRate' : [ 0x0, ['unsigned short']], 'MaxRate' : [ 0x2, ['unsigned short']], 'AllFlags' : [ 0x4, ['unsigned long']], 'Type' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare1' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], 
'PO_MEMORY_IMAGE' : [ 0x3b0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long long']], 'HiberFlags' : [ 0x38, ['unsigned char']], 'spare' : [ 0x39, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x3c, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'NumPagesForLoader' : [ 0x58, ['unsigned long long']], 'FirstSecureRestorePage' : [ 0x60, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x68, ['unsigned long long']], 'FirstKernelRestorePage' : [ 0x70, ['unsigned long long']], 'FirstChecksumRestorePage' : [ 0x78, ['unsigned long long']], 'NoChecksumEntries' : [ 0x80, ['unsigned long long']], 'PerfInfo' : [ 0x88, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x268, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x270, ['array', 1, ['unsigned long long']]], 'SiLogOffset' : [ 0x278, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x27c, ['unsigned long']], 'BootLoaderLogPages' : [ 0x280, ['array', 24, ['unsigned long long']]], 'NotUsed' : [ 0x340, ['unsigned long']], 'ResumeContextCheck' : [ 0x344, ['unsigned long']], 'ResumeContextPages' : [ 0x348, ['unsigned long']], 'Hiberboot' : [ 0x34c, ['unsigned char']], 'HvCr3' : [ 0x350, ['unsigned long long']], 'HvEntryPoint' : [ 0x358, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x360, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x368, ['unsigned long long']], 'BootFlags' : [ 0x370, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x378, ['unsigned long long']], 'HighestPhysicalPage' : 
[ 0x380, ['unsigned long long']], 'BitlockerKeyPfns' : [ 0x388, ['array', 4, ['unsigned long long']]], 'HardwareSignature' : [ 0x3a8, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x18, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned short']], 'Flags' : [ 0x16, ['unsigned short']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x1e0, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'HiberChecksumTicks' : [ 0x30, ['unsigned long long']], 'HiberChecksumIoTicks' : [ 0x38, ['unsigned long long']], 'TotalHibernateTime' : [ 0x40, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x48, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x4c, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x50, ['unsigned long']], 'ResumeAppTicks' : [ 0x58, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x60, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x68, ['unsigned long long']], 'ResumeInitTicks' : [ 0x70, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x78, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x80, ['unsigned long long']], 'ResumeIoTicks' : [ 0x88, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x90, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0x98, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0xa0, ['unsigned long long']], 'ResumeMapTicks' : [ 0xa8, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xb0, ['unsigned long long']], 'ResumeChecksumTicks' : [ 0xb8, 
['unsigned long long']], 'ResumeChecksumIoTicks' : [ 0xc0, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xc8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xd0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xd8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xe0, ['unsigned long long']], 'HalTscOffset' : [ 0xe8, ['unsigned long long']], 'HvlTscOffset' : [ 0xf0, ['unsigned long long']], 'SleeperThreadEnd' : [ 0xf8, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0x100, ['unsigned long long']], 'IoBoundedness' : [ 0x108, ['unsigned long long']], 'KernelDecompressTicks' : [ 0x110, ['unsigned long long']], 'KernelIoTicks' : [ 0x118, ['unsigned long long']], 'KernelCopyTicks' : [ 0x120, ['unsigned long long']], 'ReadCheckCount' : [ 0x128, ['unsigned long long']], 'KernelInitTicks' : [ 0x130, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x138, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x140, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x148, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x150, ['unsigned long long']], 'KernelChecksumTicks' : [ 0x158, ['unsigned long long']], 'KernelChecksumIoTicks' : [ 0x160, ['unsigned long long']], 'AnimationStart' : [ 0x168, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x170, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x178, ['unsigned long']], 'SecurePagesProcessed' : [ 0x180, ['unsigned long long']], 'BootPagesProcessed' : [ 0x188, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x190, ['unsigned long long']], 'BootBytesWritten' : [ 0x198, ['unsigned long long']], 'KernelBytesWritten' : [ 0x1a0, ['unsigned long long']], 'BootPagesWritten' : [ 0x1a8, ['unsigned long long']], 'KernelPagesWritten' : [ 0x1b0, ['unsigned long long']], 'BytesWritten' : [ 0x1b8, ['unsigned long long']], 'PagesWritten' : [ 0x1c0, ['unsigned long']], 'FileRuns' : [ 0x1c4, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x1c8, ['unsigned long']], 
'MaxHuffRatio' : [ 0x1cc, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x1d0, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1d8, ['unsigned long long']], } ], '_MI_QUEUED_DEADSTACK_WORKITEM' : [ 0x28, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Active' : [ 0x20, ['long']], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_MMINPAGE_SUPPORT_FLOW_THROUGH' : [ 0x38, { 'Page' : [ 0x0, ['array', 1, ['unsigned long long']]], 'InitialInPageSupport' : [ 0x8, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'PagingFile' : [ 0x10, ['pointer64', ['_MMPAGING_FILE']]], 'PageFileOffset' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['_RTL_BALANCED_NODE']], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x80, { 'UncompressedData' : [ 0x0, ['pointer64', ['unsigned char']]], 'MappingVa' : [ 0x8, ['pointer64', ['void']]], 'XpressEncodeWorkspace' : [ 0x10, ['pointer64', ['void']]], 'CompressedDataBuffer' : [ 0x18, ['pointer64', ['unsigned char']]], 'CopyTicks' : [ 0x20, ['unsigned long long']], 'CompressTicks' : [ 0x28, ['unsigned long long']], 'BytesCopied' : [ 0x30, ['unsigned long long']], 'PagesProcessed' : [ 0x38, ['unsigned long long']], 'DecompressTicks' : [ 0x40, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x48, ['unsigned long long']], 'SharedBufferTicks' : [ 0x50, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x68, ['array', 2, ['unsigned long long']]], 
'CompressCount' : [ 0x78, ['unsigned long']], 'HuffCompressCount' : [ 0x7c, ['unsigned long']], } ], '_IO_REMOVE_LOCK' : [ 0x20, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_MI_DYNAMIC_BITMAP' : [ 0x50, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP_EX']], 'MaximumSize' : [ 0x10, ['unsigned long long']], 'Hint' : [ 0x18, ['unsigned long long']], 'BaseVa' : [ 0x20, ['pointer64', ['void']]], 'SizeTopDown' : [ 0x28, ['unsigned long long']], 'HintTopDown' : [ 0x30, ['unsigned long long']], 'BaseVaTopDown' : [ 0x38, ['pointer64', ['void']]], 'SpinLock' : [ 0x40, ['unsigned long long']], 'Vm' : [ 0x48, ['pointer64', ['_MMSUPPORT']]], } ], '_POP_IO_INFO' : [ 0x70, { 'DumpMdl' : [ 0x0, ['pointer64', ['_MDL']]], 'IoStatus' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x10, ['unsigned long long']], 'IoBytesCompleted' : [ 0x18, ['unsigned long long']], 'IoBytesInProgress' : [ 0x20, ['unsigned long long']], 'RequestSize' : [ 0x28, ['unsigned long long']], 'IoLocation' : [ 0x30, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x38, ['unsigned long long']], 'Buffer' : [ 0x40, ['pointer64', ['void']]], 'AsyncCapable' : [ 0x48, ['unsigned char']], 'BytesToRead' : [ 0x50, ['unsigned long long']], 'Pages' : [ 0x58, ['unsigned long']], 'HighestChecksumIndex' : [ 0x60, ['unsigned long long']], 'PreviousChecksum' : [ 0x68, ['unsigned short']], } ], '_LDRP_CSLIST' : [ 0x8, { 'Tail' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_NON_PAGED_DEBUG_INFO' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Machine' : [ 0x8, ['unsigned short']], 'Characteristics' : [ 0xa, ['unsigned short']], 'TimeDateStamp' : [ 0xc, ['unsigned long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'SizeOfImage' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], } ], '_POP_FX_PERF_SET' : [ 0x20, { 'PerfSet' : [ 0x0, ['pointer64', 
['_PO_FX_COMPONENT_PERF_SET']]], 'CurrentPerf' : [ 0x8, ['unsigned long long']], 'CurrentPerfStamp' : [ 0x10, ['unsigned long long']], 'CurrentPerfNominal' : [ 0x18, ['unsigned char']], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LeakedPoolDeliberately' : 
[ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '__unnamed_29dd' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_29df' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_29e2' : [ 0x8, { 'IntrInfo' : [ 0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_29e6' : [ 0x4, { 'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x58, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target 
= 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x18, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x28, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x38, ['__unnamed_29dd']], 'HvDeviceId' : [ 0x40, ['unsigned long long']], 'XapicMessage' : [ 0x48, ['__unnamed_29df']], 'Hypertransport' : [ 0x48, ['__unnamed_29e2']], 'GenericMessage' : [ 0x48, ['__unnamed_29df']], 'MessageRequest' : [ 0x48, ['__unnamed_29e6']], } ], '_MMPAGE_FILE_EXPANSION_FLAGS' : [ 0x4, { 'PageFileNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'IgnoreCurrentCommit' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreaseMinimumSize' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare3' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '__unnamed_29f4' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['pointer64', ['_PO_FX_PERF_STATE']]], } ], '__unnamed_29f6' : [ 0x10, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], } ], '_PO_FX_COMPONENT_PERF_SET' : [ 0x30, { 'Name' : [ 0x0, ['_UNICODE_STRING']], 'Flags' : [ 0x10, ['unsigned long long']], 'Unit' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateUnitOther', 1: 'PoFxPerfStateUnitFrequency', 2: 'PoFxPerfStateUnitBandwidth', 3: 'PoFxPerfStateUnitMaximum'})]], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateTypeDiscrete', 1: 'PoFxPerfStateTypeRange', 2: 'PoFxPerfStateTypeMaximum'})]], 'Discrete' : [ 0x20, 
['__unnamed_29f4']], 'Range' : [ 0x20, ['__unnamed_29f6']], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2a07' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2a09' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2a0b' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2a07']], 'Gpt' : [ 0x0, ['__unnamed_2a09']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x108, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MarkMemoryOnly' : [ 0x69, ['unsigned char']], 'HiberResume' : [ 0x6a, ['unsigned char']], 'Reserved1' : [ 0x6b, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_2a0b']], 'ReadRoutine' : [ 0xa0, ['pointer64', ['void']]], 'GetDriveTelemetryRoutine' : [ 0xa8, ['pointer64', 
['void']]], 'LogSectionTruncateSize' : [ 0xb0, ['unsigned long']], 'Parameters' : [ 0xb4, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DumpNotifyRoutine' : [ 0x100, ['pointer64', ['void']]], } ], '_MI_IO_CACHE_STATS' : [ 0x20, { 'UnusedBlocks' : [ 0x0, ['unsigned long long']], 'ActiveCacheMatch' : [ 0x8, ['unsigned long']], 'ActiveCacheOverride' : [ 0xc, ['unsigned long']], 'UnmappedCacheFlush' : [ 0x10, ['unsigned long']], 'UnmappedCacheMatch' : [ 0x14, ['unsigned long']], 'UnmappedCacheConflict' : [ 0x18, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '_ETW_QUEUE_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x10, ['pointer64', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0x18, ['pointer64', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x20, ['pointer64', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x28, ['pointer64', ['void']]], 'RegIndex' : [ 0x30, ['unsigned short']], 'ReplyIndex' : [ 0x32, ['unsigned short']], 'Flags' : [ 0x34, ['unsigned long']], } ], '_MI_RESERVATION_CLUSTER_INFO' : [ 0x4, { 'ClusterSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'EntireInfo' : [ 0x0, ['long']], } ], '_TRIAGE_POP_IRP_DATA' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_KDPC_LIST' : [ 0x10, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned 
long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x178, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_MI_POOL_FAILURE_REASONS' : [ 0x2c, { 'NonPagedNoPtes' : [ 0x0, ['unsigned long']], 'PriorityTooLow' : [ 0x4, ['unsigned long']], 'NonPagedNoPagesAvailable' : [ 0x8, ['unsigned long']], 'PagedNoPtes' : [ 0xc, ['unsigned long']], 'SessionPagedNoPtes' : [ 0x10, ['unsigned long']], 'PagedNoPagesAvailable' : [ 0x14, ['unsigned long']], 'SessionPagedNoPagesAvailable' : [ 0x18, ['unsigned long']], 'PagedNoCommit' : [ 0x1c, ['unsigned long']], 'SessionPagedNoCommit' : [ 0x20, ['unsigned long']], 'NonPagedNoResidentAvailable' : [ 0x24, ['unsigned long']], 'NonPagedNoCommit' : [ 0x28, ['unsigned long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x20, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', 
dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer64', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '__unnamed_2a42' : [ 0x4, { 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned 
long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2a44' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2a42']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2a47' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2a49' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2a47']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, ['__unnamed_2a44']], 'HighPart' : [ 0x4, ['__unnamed_2a49']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, 
['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_PROC_PERF_CHECK_SNAP' : [ 0x50, { 'Time' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned long long']], 'Stall' : [ 0x10, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x18, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledKernelActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], 'TaggedThreadCycles' : [ 0x40, ['array', 2, ['unsigned long long']]], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_2a57' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x30, { 'SessionProtoNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeList' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'DriverAddress' : [ 0x0, ['pointer64', ['void']]], 'SessionId' : [ 0x18, ['unsigned long']], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SubsectionBase' : [ 0x20, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x28, ['__unnamed_2a57']], } ], '_PO_FX_PERF_STATE_CHANGE' : [ 0x10, { 'Set' : [ 0x0, ['unsigned long']], 'StateIndex' : [ 0x8, ['unsigned long']], 'StateValue' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2a5d' : [ 0x8, { 'MessageAddressLow' : [ 0x0, ['unsigned long']], 'MessageData' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], } ], '__unnamed_2a5f' : [ 0x8, { 'RemappedFormat' : [ 0x0, ['_ULARGE_INTEGER']], 'Msi' : [ 0x0, ['__unnamed_2a5d']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit 
= 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_2a5f']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_PO_FX_PERF_STATE' : [ 0x10, { 'Value' : [ 0x0, ['unsigned long long']], 'Context' : [ 0x8, ['pointer64', ['void']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win2003.py0000644000000000000000000001623513131215405026037 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. 
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see http://www.gnu.org/licenses/.
#

"""
@author:       Jamie Levy (Gleeda)
@license:      GNU General Public License 2.0
@contact:      jamie@memoryanalysis.net

This file provides support for Windows 2003.
"""

#pylint: disable-msg=C0111

import volatility.plugins.overlays.windows.windows as windows
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.obj as obj


# Hibernation-related VOLATILITY_MAGIC constants for 32-bit NT 5.2 images.
# NOTE(review): the meaning of HibrProcPage / HibrEntryCount is defined by
# whatever consumes them (presumably the hibernation-file address space);
# only the values are visible here. x86 uses 0xff entries, x64 uses 0x7f.
class Win2003x86Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '32bit',
        'major': lambda x: x == 5,
        'minor': lambda x: x == 2,
    }

    def modification(self, profile):
        """Merge the x86 hibernation constants into VOLATILITY_MAGIC."""
        hiber_magic = {
            'HibrProcPage': [None, ['VolatilityMagic', {'value': 0x2}]],
            'HibrEntryCount': [None, ['VolatilityMagic', {'value': 0xff}]],
        }
        profile.merge_overlay({'VOLATILITY_MAGIC': [None, hiber_magic]})


# 64-bit counterpart of Win2003x86Hiber; only HibrEntryCount differs (0x7f).
class Win2003x64Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '64bit',
        'major': lambda x: x == 5,
        'minor': lambda x: x == 2,
    }

    def modification(self, profile):
        """Merge the x64 hibernation constants into VOLATILITY_MAGIC."""
        hiber_magic = {
            'HibrProcPage': [None, ['VolatilityMagic', {'value': 0x2}]],
            'HibrEntryCount': [None, ['VolatilityMagic', {'value': 0x7f}]],
        }
        profile.merge_overlay({'VOLATILITY_MAGIC': [None, hiber_magic]})


# Sets the KDBG structure size for NT 5.x profiles with minor >= 2.
# No memory_model condition is given, so both 32-bit and 64-bit match.
class Win2003KDBG(windows.AbstractKDBGMod):
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x : x == 'windows',
        'major': lambda x: x == 5,
        'minor': lambda x: x >= 2,
    }
    kdbgsize = 0x318


# DTB signature override for 2003 SP0 x86 (matched via the synthetic build
# number 3789, see Win2003SP0x86).
class Win2003SP0x86DTB(obj.ProfileModification):
    # Make sure we apply after the normal Win2003 DTB
    before = ['WindowsOverlay', 'Win2003x86DTB']
    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '32bit',
        'major': lambda x: x == 5,
        'minor': lambda x: x == 2,
        'build': lambda x: x == 3789,
    }

    def modification(self, profile):
        """Replace the generic 2003 x86 DTBSignature with the SP0 value."""
        # NOTE(review): presumably the byte pattern the DTB scanner looks
        # for in the image -- confirm against the DTB-finding code.
        dtb_magic = {
            'DTBSignature': [None, ['VolatilityMagic', {'value': "\x03\x00\x1b\x00"}]],
        }
        profile.merge_overlay({'VOLATILITY_MAGIC': [None, dtb_magic]})


# Default DTB signature for every 32-bit NT 5.2 profile; Win2003SP0x86DTB
# lists this class in its `before` and overrides the value for SP0.
class Win2003x86DTB(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {
        'os': lambda x : x == 'windows',
        'memory_model': lambda x: x == '32bit',
        'major': lambda x: x == 5,
        'minor': lambda x: x == 2,
    }

    def modification(self, profile):
        """Install the x86 DTBSignature magic value."""
        dtb_magic = {
            'DTBSignature': [None, ['VolatilityMagic', {'value': "\x03\x00\x1e\x00"}]],
        }
        profile.merge_overlay({'VOLATILITY_MAGIC': [None, dtb_magic]})


# 64-bit NT 5.2: installs a KPCR magic entry in addition to the DTB signature.
class Win2003x64DTB(obj.ProfileModification):
    before = ['WindowsOverlay', 'Windows64Overlay']
    conditions = {
        'os': lambda x : x == 'windows',
        'memory_model': lambda x: x == '64bit',
        'major': lambda x: x == 5,
        'minor': lambda x: x == 2,
    }

    def modification(self, profile):
        """Install the x64 KPCR and DTBSignature magic values."""
        x64_magic = {
            'KPCR': [None, ['VolatilityKPCR', {'configname': "KPCR"}]],
            'DTBSignature': [None, ['VolatilityMagic', {'value': "\x03\x00\x2e\x00"}]],
        }
        profile.merge_overlay({'VOLATILITY_MAGIC': [None, x64_magic]})


# Types _ETHREAD.CreateTime as a WinTimeStamp on NT 5.2+ and NT 6+,
# except for the Win2003SP0x86 profile, which is excluded by class name.
class EThreadCreateTime(obj.ProfileModification):
    before = ['WindowsOverlay']

    def check(self, profile):
        """Return True when this modification applies to `profile`."""
        meta = profile.metadata
        if not (meta.get('os', None) == 'windows'):
            return False

        new_enough = ((meta.get('major', 0) == 5 and meta.get('minor', 0) >= 2) or
                      meta.get('major', 0) >= 6)
        if not new_enough:
            return False

        # SP0 x86 is deliberately left out; the reason is not stated here.
        return profile.__class__.__name__ != 'Win2003SP0x86'

    def modification(self, profile):
        """Overlay _ETHREAD.CreateTime with the WinTimeStamp type."""
        ethread_fields = {'CreateTime': [None, ['WinTimeStamp', {}]]}
        profile.merge_overlay({'_ETHREAD': [None, ethread_fields]})


class Win2003SP0x86(obj.Profile):
    """ A Profile for Windows 2003 SP0 x86 """
    _md_os = 'windows'
    _md_major = 5
    _md_minor = 2
    # FIXME: 2003's build numbers didn't differentiate between SP0 and SP1/2
    # despite there being a large change.  As such we fake a special build number
    # for 2003 SP0 to help us differentiate it
    #
    # Analyst caveat: because 3789 is synthetic, a build number read from an
    # image will not identify SP0; the profile has to be chosen by service pack.
    _md_build = 3789
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.win2003_sp0_x86_vtypes'
    _md_product = ["NtProductLanManNt", "NtProductServer"]


class Win2003SP1x86(obj.Profile):
    """ A Profile for Windows 2003 SP1 x86 """
    _md_os = 'windows'
    _md_major = 5
    _md_minor = 2
    _md_build = 3790
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.win2003_sp1_x86_vtypes'
    _md_product = ["NtProductLanManNt", "NtProductServer"]


class Win2003SP2x86(obj.Profile):
    """ A Profile for Windows 2003 SP2 x86 """
    _md_os = 'windows'
    _md_major = 5
    _md_minor = 2
    # This is a fake build number. See the comment in Win2003SP0x86
    _md_build = 3791
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.win2003_sp2_x86_vtypes'
    _md_product = ["NtProductLanManNt", "NtProductServer"]


class Win2003SP1x64(obj.Profile):
    """ A Profile for Windows 2003 SP1 x64 """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 5
    _md_minor = 2
    _md_build = 3790
    _md_vtype_module = 'volatility.plugins.overlays.windows.win2003_sp1_x64_vtypes'
    _md_product = ["NtProductLanManNt", "NtProductServer"]


class Win2003SP2x64(obj.Profile):
    """ A Profile for Windows 2003 SP2 x64 """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 5
    _md_minor = 2
    # This is a fake build number.
See the comment in Win2003SP0x86 _md_build = 3791 _md_vtype_module = 'volatility.plugins.overlays.windows.win2003_sp2_x64_vtypes' _md_product = ["NtProductLanManNt", "NtProductServer"] class WinXPSP1x64(Win2003SP1x64): """ A Profile for Windows XP SP1 x64 """ _md_product = ["NtProductWinNt"] class WinXPSP2x64(Win2003SP2x64): """ A Profile for Windows XP SP2 x64 """ _md_product = ["NtProductWinNt"] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win7_sp0_x86_vtypes.py0000644000000000000000000163117013131215405030524 0ustar rootrootntkrnlmp_types = { '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', 
['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '__unnamed_2008' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x80, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_2008']], 'TargetProcessors' : [ 0x30, ['_KAFFINITY_EX']], 'PStateHandler' : [ 0x3c, ['pointer', ['void']]], 'PStateContext' : [ 0x40, ['unsigned long']], 'TStateHandler' : [ 0x44, ['pointer', ['void']]], 'TStateContext' : [ 0x48, ['unsigned long']], 'FeedbackHandler' : [ 0x4c, ['pointer', ['void']]], 'GetFFHThrottleState' : [ 0x50, ['pointer', ['void']]], 'State' : [ 0x58, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_M128A' 
: [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xb0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 
'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 
'SleepTime' : [ 0x48, ['unsigned long long']], 'ProgrammedRTCTime' : [ 0x50, ['unsigned long long']], 'WakeOnRTC' : [ 0x58, ['unsigned char']], 'WakeTimerInfo' : [ 0x5c, ['pointer', ['_DIAGNOSTIC_BUFFER']]], 'FilteredCapabilities' : [ 0x60, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x28, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, 
{ 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x228, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTransitions' : [ 0x8, ['unsigned long']], 'FailedTransitions' : [ 0xc, ['unsigned long']], 'InvalidBucketIndex' : [ 0x10, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 16, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_204b' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_204d' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_204b']], 'Button' : [ 0xc, ['__unnamed_204d']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 
'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', 
['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0xe8, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'EmInfFileImage' : [ 0x14, ['pointer', ['void']]], 'EmInfFileSize' : [ 0x18, ['unsigned long']], 'TriageDumpBlock' : [ 0x1c, ['pointer', ['void']]], 'LoaderPagesSpanned' : [ 0x20, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x24, ['pointer', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x28, ['pointer', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x2c, ['pointer', ['void']]], 'DrvDBSize' : [ 0x30, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x34, ['pointer', ['_NETWORK_LOADER_BLOCK']]], 'HalpIRQLToTPR' : [ 0x38, ['pointer', ['unsigned char']]], 'HalpVectorToIRQL' : [ 0x3c, ['pointer', ['unsigned char']]], 'FirmwareDescriptorListHead' : [ 0x40, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x48, ['pointer', ['void']]], 'AcpiTableSize' : [ 0x4c, ['unsigned long']], 'LastBootSucceeded' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LastBootShutdown' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPortAccessSupported' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x54, ['pointer', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x58, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x60, ['pointer', ['void']]], 'BootIdentifier' : [ 0x64, ['_GUID']], 'ResumePages' 
: [ 0x74, ['unsigned long']], 'DumpHeader' : [ 0x78, ['pointer', ['void']]], 'BgContext' : [ 0x7c, ['pointer', ['void']]], 'NumaLocalityInfo' : [ 0x80, ['pointer', ['void']]], 'NumaGroupAssignment' : [ 0x84, ['pointer', ['void']]], 'AttachedHives' : [ 0x88, ['_LIST_ENTRY']], 'MemoryCachingRequirementsCount' : [ 0x90, ['unsigned long']], 'MemoryCachingRequirements' : [ 0x94, ['pointer', ['void']]], 'TpmBootEntropyResult' : [ 0x98, ['_TPM_BOOT_ENTROPY_LDR_RESULT']], 'ProcessorCounterFrequency' : [ 0xe0, ['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x298, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, 
['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x18, { 'Mdl' : [ 0x0, ['pointer', ['_MDL']]], 'UserVa' : [ 0x4, ['pointer', ['void']]], 'UserLimit' : [ 0x8, ['pointer', ['void']]], 'SystemVa' : [ 0xc, ['pointer', ['void']]], 'SystemLimit' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 
'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_PROC_HISTORY_ENTRY' : [ 0x4, { 'Utility' : [ 0x0, ['unsigned short']], 'Frequency' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 
'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x10, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 
'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0xc, ['pointer', ['void']]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_20df' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x2000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_20df']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'SessionObject' : [ 0x34, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x38, ['pointer', ['void']]], 'ResidentProcessCount' : [ 0x3c, ['long']], 'SessionPoolAllocationFailures' : [ 0x40, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x50, ['_LIST_ENTRY']], 'LocaleId' : [ 0x58, ['unsigned long']], 'AttachCount' : [ 0x5c, ['unsigned long']], 'AttachGate' : [ 0x60, ['_KGATE']], 'WsListEntry' : [ 0x70, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 25, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd00, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xd38, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xd70, ['_MMSUPPORT']], 
'Wsle' : [ 0xddc, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xde0, ['pointer', ['void']]], 'PagedPool' : [ 0xe00, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1f40, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1f44, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f68, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1f88, ['long']], 'PagedPoolPdeCount' : [ 0x1f8c, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f90, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f94, ['unsigned long']], 'SystemPteInfo' : [ 0x1f98, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1fc8, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1fcc, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1fd0, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fd4, ['unsigned long']], 'IoState' : [ 0x1fd8, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1fdc, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fe0, ['_KEVENT']], 'SessionPoolPdes' : [ 0x1ff0, ['_RTL_BITMAP']], 'CpuQuotaBlock' : [ 0x1ff8, ['pointer', ['_PS_CPU_QUOTA_BLOCK']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 
'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', 
['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, 
native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 
'PagedPoolCommit' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0x78, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'FeedbackHandler' : [ 0x18, ['pointer', ['void']]], 'GetFFHThrottleState' : [ 0x1c, ['pointer', ['void']]], 'BoostPolicyHandler' : [ 0x20, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x24, ['pointer', ['void']]], 'PerfHandler' : [ 0x28, ['pointer', ['void']]], 'Processors' : [ 0x2c, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'PerfChangeTime' : [ 0x30, ['unsigned long long']], 'ProcessorCount' : [ 0x38, ['unsigned long']], 'PreviousFrequencyMhz' : [ 0x3c, ['unsigned long']], 'CurrentFrequencyMhz' : [ 0x40, ['unsigned long']], 'PreviousFrequency' : [ 0x44, ['unsigned long']], 'CurrentFrequency' : [ 0x48, ['unsigned long']], 'CurrentPerfContext' : [ 0x4c, ['unsigned long']], 'DesiredFrequency' : [ 0x50, ['unsigned long']], 'MaxFrequency' : [ 0x54, ['unsigned long']], 'MinPerfPercent' : [ 0x58, ['unsigned long']], 'MinThrottlePercent' : [ 0x5c, ['unsigned long']], 'MaxPercent' : [ 0x60, ['unsigned long']], 'MinPercent' : [ 0x64, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x68, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x6c, ['unsigned long']], 'Coordination' : [ 0x70, ['unsigned char']], 'PerfChangeIntervalCount' : [ 0x74, ['long']], } ], '_X86_DBGKD_CONTROL_SET' 
: [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_TP_NBQ_GUARD' : [ 0x10, { 'GuardLinks' : [ 0x0, ['_LIST_ENTRY']], 'Guards' : [ 0x8, ['array', 2, ['pointer', ['void']]]], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x14, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x24, { 'PteBase' : [ 0x0, ['pointer', ['_MMPTE']]], 'Lock' : [ 0x4, ['unsigned long']], 'Paged' : [ 0x8, ['_MI_SPECIAL_POOL_PTE_LIST']], 'NonPaged' : [ 0x10, ['_MI_SPECIAL_POOL_PTE_LIST']], 'PagesInUse' : [ 0x18, ['long']], 'SpecialPoolPdes' : [ 0x1c, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 
0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned 
long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_216f' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_2171' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_216f']], 'Merged' : [ 0x10, ['__unnamed_2171']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_2179' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_2179']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_1ef2']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_1f80']], 'LeftChild' : [ 0x24, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x28, ['pointer', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x38, { 'GetTime' : [ 0x0, ['unsigned long']], 'SetTime' : [ 0x4, ['unsigned long']], 'GetWakeupTime' : [ 0x8, ['unsigned long']], 'SetWakeupTime' : [ 0xc, ['unsigned long']], 'SetVirtualAddressMap' : [ 0x10, ['unsigned long']], 'ConvertPointer' : [ 0x14, 
['unsigned long']], 'GetVariable' : [ 0x18, ['unsigned long']], 'GetNextVariableName' : [ 0x1c, ['unsigned long']], 'SetVariable' : [ 0x20, ['unsigned long']], 'GetNextHighMonotonicCount' : [ 0x24, ['unsigned long']], 'ResetSystem' : [ 0x28, ['unsigned long']], 'UpdateCapsule' : [ 0x2c, ['unsigned long']], 'QueryCapsuleCapabilities' : [ 0x30, ['unsigned long']], 'QueryVariableInfo' : [ 0x34, ['unsigned long']], } ], '_MI_SPECIAL_POOL_PTE_LIST' : [ 0x8, { 'FreePteHead' : [ 0x0, ['_MMPTE']], 'FreePteTail' : [ 0x4, ['_MMPTE']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_218f' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_2193' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_218f']], 'u2' : [ 0x24, ['__unnamed_2193']], 
'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x2c, ['array', 1, ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '__unnamed_219c' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_219e' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_219c']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x90, { 'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_219e']], 'Signature' : [ 0x14, ['unsigned long']], 'PoolPageHeaders' : [ 0x18, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, ['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned 
long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x54, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', 
dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_TPM_BOOT_ENTROPY_LDR_RESULT' : [ 0x48, { 'Policy' : [ 0x0, ['unsigned long long']], 'ResultCode' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'TpmBootEntropyStructureUninitialized', 1: 'TpmBootEntropyDisabledByPolicy', 2: 'TpmBootEntropyNoTpmFound', 3: 'TpmBootEntropyTpmError', 4: 'TpmBootEntropySuccess'})]], 'ResultStatus' : [ 0xc, ['long']], 'Time' : [ 0x10, ['unsigned long long']], 'EntropyLength' : [ 0x18, ['unsigned long']], 'EntropyData' : [ 0x1c, ['array', 40, ['unsigned char']]], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned 
long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x28, ['pointer', ['void']]], 'CallersCaller' : [ 0x2c, ['pointer', ['void']]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], 
'_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned long']], 'CompletionEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 
'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x2c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'EnableMask' : [ 0x10, ['unsigned char']], 'SessionId' : [ 0x14, ['unsigned long']], 'ReplyQueue' : [ 0x14, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x14, ['array', 4, ['pointer', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x24, ['pointer', ['_EPROCESS']]], 'Callback' : [ 0x24, ['pointer', ['void']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 
'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1a8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x1c, ['unsigned char']], 'Order' : [ 0x20, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x190, 
['_LIST_ENTRY']], 'Status' : [ 0x198, ['long']], 'FailedDevice' : [ 0x19c, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1a0, ['unsigned char']], 'Cancelled' : [ 0x1a1, ['unsigned char']], 'IgnoreErrors' : [ 0x1a2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1a3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1a4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'ContainsDebug' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 
'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x40, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'IdleCheck' : [ 0xc, ['pointer', ['void']]], 'IdleHandler' : [ 0x10, ['pointer', ['void']]], 'HvConfig' : [ 0x18, ['unsigned long long']], 'Context' : [ 0x20, ['pointer', ['void']]], 'Latency' : [ 0x24, ['unsigned long']], 'Power' : [ 0x28, ['unsigned long']], 'TimeCheck' : [ 0x2c, ['unsigned long']], 'StateFlags' : [ 0x30, ['unsigned long']], 'PromotePercent' : [ 0x34, ['unsigned char']], 'DemotePercent' : [ 0x35, ['unsigned char']], 'PromotePercentBase' : [ 0x36, ['unsigned char']], 'DemotePercentBase' : [ 0x37, ['unsigned char']], 'StateType' : [ 
0x38, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_2215' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x40, { 'Lock' : [ 0x0, ['long']], 'NodeToFree' : [ 0x4, ['pointer', ['void']]], 'NodeRangeSize' : [ 0x8, ['unsigned long']], 'NodeCount' : [ 0xc, ['unsigned long']], 'Tables' : [ 0x10, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_2215']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 
'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_RELATION_LIST_ENTRY' : [ 0xc, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, 
['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x403c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40d8, ['long']], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 
'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_CONFIGURATION_COMPONENT' : [ 0x24, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 
'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'Group' : [ 0x14, ['unsigned short']], 'GroupIndex' : [ 0x16, ['unsigned short']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer', ['unsigned char']]], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, 
['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned 
long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, 
['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, ['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x12, ['unsigned short']], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit 
= 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_2270' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2272' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2270']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2272']], } ], '_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA' : [ 0x8, { 'CapturedCpuShareWeight' : [ 0x0, ['unsigned long']], 'CapturedTotalWeight' : [ 0x4, ['unsigned long']], 'CombinedData' : [ 0x0, ['long long']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_2285' : [ 
0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_2285']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned 
long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x18, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x10, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long 
long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 
0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : 
[ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x3c, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_22db' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_22dd' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_22e1' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_22e5' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_22e7' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_22db']], 'ReleaseForModifiedPageWriter' : [ 0x0, 
['__unnamed_22dd']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_22e1']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_22e5']], 'Others' : [ 0x0, ['__unnamed_22e7']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0xa0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'Reset' : [ 0x3, ['unsigned char']], 'HiberFlags' : [ 0x4, ['unsigned char']], 'WroteHiberFile' : [ 0x5, ['unsigned char']], 'MapFrozen' : [ 0x6, ['unsigned char']], 'MemoryMap' : [ 0x8, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x10, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x18, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x20, ['unsigned long']], 'NextCloneRange' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x28, ['unsigned long']], 'LoaderMdl' : [ 0x2c, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x30, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x38, ['unsigned long long']], 'IoPages' : [ 0x40, ['pointer', ['void']]], 'IoPagesCount' : [ 0x44, ['unsigned long']], 'CurrentMcb' : [ 0x48, ['pointer', ['void']]], 'DumpStack' : [ 0x4c, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x50, ['pointer', ['_KPROCESSOR_STATE']]], 'PreferredIoWriteSize' : [ 0x54, ['unsigned long']], 'IoProgress' : [ 0x58, ['unsigned long']], 
'HiberVa' : [ 0x5c, ['unsigned long']], 'HiberPte' : [ 0x60, ['_LARGE_INTEGER']], 'Status' : [ 0x68, ['long']], 'MemoryImage' : [ 0x6c, ['pointer', ['PO_MEMORY_IMAGE']]], 'CompressionWorkspace' : [ 0x70, ['pointer', ['void']]], 'CompressedWriteBuffer' : [ 0x74, ['pointer', ['unsigned char']]], 'CompressedWriteBufferSize' : [ 0x78, ['unsigned long']], 'MaxCompressedOutputSize' : [ 0x7c, ['unsigned long']], 'PerformanceStats' : [ 0x80, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x84, ['pointer', ['void']]], 'DmaIO' : [ 0x88, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x8c, ['pointer', ['void']]], 'BootLoaderLogMdl' : [ 0x90, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0x94, ['pointer', ['_MDL']]], 'ResumeContext' : [ 0x98, ['pointer', ['void']]], 'ResumeContextPages' : [ 0x9c, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : 
[ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x20, { 'ThreadHandle' : [ 0x0, ['pointer', ['void']]], 'ThreadId' : [ 0x4, ['pointer', ['void']]], 'ProcessId' : [ 0x8, ['pointer', ['void']]], 'Code' : [ 0xc, ['unsigned long']], 'Parameter1' : [ 0x10, ['unsigned long']], 'Parameter2' : [ 0x14, ['unsigned long']], 'Parameter3' : [ 0x18, ['unsigned long']], 'Parameter4' : [ 0x1c, ['unsigned long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, ['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '__unnamed_230b' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_230b']], } ], '__unnamed_230f' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_230f']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 
'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xe0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'HiberPte' : [ 0x38, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x40, ['unsigned long']], 'FreeMapCheck' : [ 0x44, ['unsigned long']], 'WakeCheck' : [ 0x48, ['unsigned long']], 'FirstTablePage' : [ 0x4c, ['unsigned long']], 'PerfInfo' : [ 0x50, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xa8, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xac, ['array', 1, ['unsigned long']]], 'NoBootLoaderLogPages' : [ 0xb0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xb4, ['array', 8, ['unsigned long']]], 'NotUsed' : [ 0xd4, ['unsigned long']], 'ResumeContextCheck' : [ 0xd8, ['unsigned long']], 'ResumeContextPages' : [ 0xdc, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x58, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'ElapsedTicks' : [ 0x18, ['unsigned long long']], 'CompressTicks' : [ 0x20, ['unsigned long long']], 'ResumeAppTime' : [ 0x28, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x30, ['unsigned long long']], 'BytesCopied' : [ 0x38, ['unsigned long long']], 'PagesProcessed' : [ 0x40, ['unsigned long long']], 'PagesWritten' : [ 0x48, ['unsigned long']], 'DumpCount' : [ 0x4c, ['unsigned long']], 'FileRuns' : [ 0x50, ['unsigned long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' 
: [ 0x18, { 'Entry' : [ 0x0, ['unsigned long']], 'Writable' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], 'ViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x10, ['pointer', ['void']]], 'SessionId' : [ 0x14, ['unsigned long']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x34, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0xc, ['pointer', ['unsigned char']]], 'PciDeviceId' : [ 0x10, ['unsigned short']], 'PciVendorId' : [ 0x12, ['unsigned short']], 'PciBusNumber' : [ 0x14, ['unsigned char']], 'PciBusSegment' : [ 0x16, ['unsigned short']], 'PciSlotNumber' : [ 0x18, ['unsigned char']], 'PciFunctionNumber' : [ 0x19, ['unsigned char']], 'PciFlags' : [ 0x1c, ['unsigned long']], 'SystemGUID' : [ 0x20, ['_GUID']], 'IsMMIODevice' : [ 0x30, ['unsigned char']], 'TerminalType' : [ 0x31, ['unsigned char']], } ], 
'__unnamed_2337' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2339' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_233b' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2337']], 'Gpt' : [ 0x0, ['__unnamed_2339']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_233b']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x30, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x8, ['unsigned long']], 'Hint' : [ 0xc, ['unsigned long']], 'BasePte' : [ 0x10, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'Vm' : [ 0x18, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x1c, ['long']], 'TotalFreeSystemPtes' : [ 0x20, ['long']], 'CachedPteCount' : [ 0x24, ['long']], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x2c, ['unsigned long']], 'GlobalMutex' : [ 0x2c, ['pointer', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x10, { 'DHCPServerACK' : [ 0x0, ['pointer', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x4, ['unsigned long']], 
'BootServerReplyPacket' : [ 0x8, ['pointer', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0xc, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x170, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 9, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, 
['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned 
long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 
'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TscQpcData' : [ 0x2ed, ['unsigned char']], 'TscQpcEnabled' : [ 0x2ed, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TscQpcSpareFlag' : [ 0x2ed, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TscQpcShift' : [ 0x2ed, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'TscQpcPad' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, 
['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved5' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned short']], 'Reserved4' : [ 0x3c6, ['unsigned short']], 'AitSamplingValue' : [ 0x3c8, ['unsigned long']], 'AppCompatFlag' : [ 0x3cc, ['unsigned long']], 'SystemDllNativeRelocation' : [ 0x3d0, ['unsigned long long']], 'SystemDllWowRelocation' : [ 0x3d8, ['unsigned long']], 'XStatePad' : [ 0x3dc, ['array', 1, ['unsigned long']]], 'XState' : [ 0x3e0, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1041' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1041']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1045' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1045']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_105e' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1060' : [ 
0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_105e']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_1060']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_INVALID'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TP_TASK' : [ 0x20, { 'Callbacks' : [ 0x0, ['pointer', ['_TP_TASK_CALLBACKS']]], 'NumaNode' : [ 0x4, ['unsigned long']], 'IdealProcessor' : [ 0x8, ['unsigned char']], 'PostGuard' : [ 0xc, ['_TP_NBQ_GUARD']], 'NBQNode' : [ 0x1c, ['pointer', ['void']]], } ], '_TP_TASK_CALLBACKS' : [ 0x8, { 'ExecuteCallback' : [ 0x0, ['pointer', ['void']]], 'Unposted' : [ 0x4, ['pointer', ['void']]], } ], '_TP_DIRECT' : [ 0xc, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'NumaNode' : [ 0x4, ['unsigned long']], 'IdealProcessor' : [ 0x8, ['unsigned char']], } ], '_TEB' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 
'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'EtwLocalData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', 
['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 
'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned 
long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KPCR' : [ 0x3748, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', 
['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x3628, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : [ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 
'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x338, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'PrcbPad0' : [ 0x3be, ['array', 2, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'CpuVendor' : [ 0x3c4, ['unsigned char']], 'GroupIndex' : [ 0x3c5, ['unsigned char']], 'Group' : [ 0x3c6, ['unsigned short']], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, ['unsigned long']], 'PrcbPad1' : [ 0x3d0, ['array', 72, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x4a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x4a4, ['unsigned long']], 'KernelTime' : [ 0x4a8, ['unsigned long']], 'UserTime' : [ 0x4ac, ['unsigned long']], 'DpcTime' : [ 0x4b0, ['unsigned long']], 'DpcTimeCount' : [ 0x4b4, ['unsigned long']], 'InterruptTime' : [ 0x4b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4bc, ['unsigned long']], 'PageColor' : [ 0x4c0, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c4, ['unsigned char']], 'NodeColor' : [ 0x4c5, ['unsigned char']], 'PrcbPad20' : [ 0x4c6, ['array', 2, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'ParentNode' : [ 0x4cc, ['pointer', ['_KNODE']]], 'SecondaryColorMask' : [ 0x4d0, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d4, ['unsigned long']], 'PrcbPad21' : [ 0x4d8, ['array', 2, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' 
: [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x520, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, ['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, ['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : [ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x570, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, ['unsigned long']]], 'PPLookasideList' : [ 0x5a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 
0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x1820, ['unsigned long']], 'ReverseStall' : [ 0x1824, ['long']], 'IpiFrame' : [ 0x1828, ['pointer', ['void']]], 'PrcbPad3' : [ 0x182c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x1860, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x186c, ['unsigned long']], 'WorkerRoutine' : [ 0x1870, ['pointer', ['void']]], 'IpiFrozen' : [ 0x1874, ['unsigned long']], 'PrcbPad4' : [ 0x1878, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x18a0, ['unsigned long']], 'SignalDone' : [ 0x18a4, ['pointer', ['_KPRCB']]], 'PrcbPad50' : [ 0x18a8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x18e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1908, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x190c, ['long']], 'DpcRequestRate' : [ 0x1910, ['unsigned long']], 'MinimumDpcRate' : [ 0x1914, ['unsigned long']], 'DpcLastCount' : [ 0x1918, ['unsigned long']], 'PrcbLock' : [ 0x191c, ['unsigned long']], 'DpcGate' : [ 0x1920, ['_KGATE']], 'ThreadDpcEnable' : [ 0x1930, ['unsigned char']], 'QuantumEnd' : [ 0x1931, ['unsigned char']], 'DpcRoutineActive' : [ 0x1932, ['unsigned char']], 'IdleSchedule' : [ 0x1933, ['unsigned char']], 'DpcRequestSummary' : [ 0x1934, ['long']], 'DpcRequestSlot' : [ 0x1934, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x1934, ['short']], 'DpcThreadActive' : [ 0x1936, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ThreadDpcState' : [ 0x1936, ['short']], 'TimerHand' : [ 0x1938, ['unsigned long']], 'LastTick' : [ 0x193c, ['unsigned long']], 'MasterOffset' : [ 0x1940, ['long']], 'PrcbPad41' : [ 0x1944, ['array', 2, ['unsigned long']]], 'PeriodicCount' : [ 0x194c, ['unsigned long']], 'PeriodicBias' : [ 0x1950, ['unsigned long']], 'TickOffset' : [ 0x1958, ['unsigned long long']], 'TimerTable' : [ 0x1960, ['_KTIMER_TABLE']], 'CallDpc' : [ 0x31a0, ['_KDPC']], 'ClockKeepAlive' : [ 0x31c0, ['long']], 'ClockCheckSlot' : [ 0x31c4, 
['unsigned char']], 'ClockPollCycle' : [ 0x31c5, ['unsigned char']], 'PrcbPad6' : [ 0x31c6, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x31c8, ['long']], 'DpcWatchdogCount' : [ 0x31cc, ['long']], 'ThreadWatchdogPeriod' : [ 0x31d0, ['long']], 'ThreadWatchdogCount' : [ 0x31d4, ['long']], 'KeSpinLockOrdering' : [ 0x31d8, ['long']], 'PrcbPad70' : [ 0x31dc, ['array', 1, ['unsigned long']]], 'WaitListHead' : [ 0x31e0, ['_LIST_ENTRY']], 'WaitLock' : [ 0x31e8, ['unsigned long']], 'ReadySummary' : [ 0x31ec, ['unsigned long']], 'QueueIndex' : [ 0x31f0, ['unsigned long']], 'DeferredReadyListHead' : [ 0x31f4, ['_SINGLE_LIST_ENTRY']], 'StartCycles' : [ 0x31f8, ['unsigned long long']], 'CycleTime' : [ 0x3200, ['unsigned long long']], 'HighCycleTime' : [ 0x3208, ['unsigned long']], 'PrcbPad71' : [ 0x320c, ['unsigned long']], 'PrcbPad72' : [ 0x3210, ['array', 2, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x3220, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3320, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3324, ['long']], 'MmPageFaultCount' : [ 0x3328, ['long']], 'MmCopyOnWriteCount' : [ 0x332c, ['long']], 'MmTransitionCount' : [ 0x3330, ['long']], 'MmCacheTransitionCount' : [ 0x3334, ['long']], 'MmDemandZeroCount' : [ 0x3338, ['long']], 'MmPageReadCount' : [ 0x333c, ['long']], 'MmPageReadIoCount' : [ 0x3340, ['long']], 'MmCacheReadCount' : [ 0x3344, ['long']], 'MmCacheIoCount' : [ 0x3348, ['long']], 'MmDirtyPagesWriteCount' : [ 0x334c, ['long']], 'MmDirtyWriteIoCount' : [ 0x3350, ['long']], 'MmMappedPagesWriteCount' : [ 0x3354, ['long']], 'MmMappedWriteIoCount' : [ 0x3358, ['long']], 'CachedCommit' : [ 0x335c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3360, ['unsigned long']], 'HyperPte' : [ 0x3364, ['pointer', ['void']]], 'PrcbPad8' : [ 0x3368, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x336c, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x3379, ['unsigned char']], 
'LogicalProcessorsPerPhysicalProcessor' : [ 0x337a, ['unsigned char']], 'PrcbPad9' : [ 0x337b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x3380, ['unsigned long']], 'UpdateSignature' : [ 0x3388, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3390, ['unsigned long long']], 'RuntimeAccumulation' : [ 0x3398, ['unsigned long long']], 'PowerState' : [ 0x33a0, ['_PROCESSOR_POWER_STATE']], 'DpcWatchdogDpc' : [ 0x3468, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3488, ['_KTIMER']], 'WheaInfo' : [ 0x34b0, ['pointer', ['void']]], 'EtwSupport' : [ 0x34b4, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x34b8, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x34c0, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x34c8, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x34cc, ['pointer', ['void']]], 'StatisticsPage' : [ 0x34d0, ['pointer', ['unsigned long long']]], 'RateControl' : [ 0x34d4, ['pointer', ['void']]], 'Cache' : [ 0x34d8, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3514, ['unsigned long']], 'CacheProcessorMask' : [ 0x3518, ['array', 5, ['unsigned long']]], 'PackageProcessorSet' : [ 0x352c, ['_KAFFINITY_EX']], 'PrcbPad91' : [ 0x3538, ['array', 1, ['unsigned long']]], 'CoreProcessorSet' : [ 0x353c, ['unsigned long']], 'TimerExpirationDpc' : [ 0x3540, ['_KDPC']], 'SpinLockAcquireCount' : [ 0x3560, ['unsigned long']], 'SpinLockContentionCount' : [ 0x3564, ['unsigned long']], 'SpinLockSpinCount' : [ 0x3568, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0x356c, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x3570, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x3574, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x3578, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x357c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x3580, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x3584, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x3588, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 
0x358c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x3590, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x3594, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x3598, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x359c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x35a0, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x35a4, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x35a8, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x35ac, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x35b0, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x35b4, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x35b8, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x35bc, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x35c0, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x35c4, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x35c8, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x35cc, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x35d0, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x35d4, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x35d8, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x35dc, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x35e0, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x35e4, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x35e8, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x35ec, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x35f0, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x35f4, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x35f8, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x35fc, ['unsigned long']], 
'ExTryToAcqExclusiveAttempts' : [ 0x3600, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0x3604, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0x3608, ['unsigned long']], 'ExBoostSharedOwners' : [ 0x360c, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0x3610, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0x3614, ['unsigned long']], 'Context' : [ 0x3618, ['pointer', ['_CONTEXT']]], 'ContextFlags' : [ 0x361c, ['unsigned long']], 'ExtendedState' : [ 0x3620, ['pointer', ['_XSAVE_AREA']]], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x200, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'HighCycleTime' : [ 0x18, ['unsigned long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer', ['void']]], 'StackLimit' : [ 0x2c, ['pointer', ['void']]], 'KernelStack' : [ 0x30, ['pointer', ['void']]], 'ThreadLock' : [ 0x34, ['unsigned long']], 'WaitRegister' : [ 0x38, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x39, ['unsigned char']], 'Alerted' : [ 0x3a, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x3c, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x3c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x3c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x3c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x3c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x3c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x3c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x3c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x3c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x3c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x3c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'TimerActive' : [ 0x3c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Reserved' : [ 0x3c, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x3c, ['long']], 'ApcState' : [ 0x40, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x40, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x57, ['unsigned char']], 'NextProcessor' : [ 0x58, ['unsigned long']], 'DeferredProcessor' : [ 0x5c, ['unsigned long']], 'ApcQueueLock' : [ 0x60, ['unsigned long']], 'ContextSwitches' : [ 0x64, ['unsigned long']], 'State' : [ 0x68, ['unsigned char']], 'NpxState' : [ 0x69, ['unsigned char']], 'WaitIrql' : [ 0x6a, ['unsigned char']], 'WaitMode' : [ 0x6b, ['unsigned char']], 'WaitStatus' : [ 0x6c, ['long']], 'WaitBlockList' : [ 0x70, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x74, 
['_LIST_ENTRY']], 'SwapListEntry' : [ 0x74, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x7c, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x80, ['unsigned long']], 'KernelApcDisable' : [ 0x84, ['short']], 'SpecialApcDisable' : [ 0x86, ['short']], 'CombinedApcDisable' : [ 0x84, ['unsigned long']], 'Teb' : [ 0x88, ['pointer', ['void']]], 'Timer' : [ 0x90, ['_KTIMER']], 'AutoAlignment' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xb8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xb8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xb8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CalloutActive' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ApcQueueable' : [ 0xb8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xb8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'GuiThread' : [ 0xb8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb8, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xb8, ['long']], 'ServiceTable' : [ 0xbc, ['pointer', ['void']]], 'WaitBlock' : [ 0xc0, ['array', 4, ['_KWAIT_BLOCK']]], 'QueueListEntry' : [ 0x120, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x128, ['pointer', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x12c, ['pointer', ['void']]], 'CallbackStack' : [ 0x130, ['pointer', ['void']]], 'CallbackDepth' : [ 0x130, ['unsigned long']], 'ApcStateIndex' : [ 0x134, ['unsigned char']], 'BasePriority' : [ 0x135, ['unsigned char']], 'PriorityDecrement' : [ 0x136, ['unsigned char']], 'ForegroundBoost' : [ 0x136, 
['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x136, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x137, ['unsigned char']], 'AdjustReason' : [ 0x138, ['unsigned char']], 'AdjustIncrement' : [ 0x139, ['unsigned char']], 'PreviousMode' : [ 0x13a, ['unsigned char']], 'Saturation' : [ 0x13b, ['unsigned char']], 'SystemCallNumber' : [ 0x13c, ['unsigned long']], 'FreezeCount' : [ 0x140, ['unsigned long']], 'UserAffinity' : [ 0x144, ['_GROUP_AFFINITY']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x154, ['_GROUP_AFFINITY']], 'IdealProcessor' : [ 0x160, ['unsigned long']], 'UserIdealProcessor' : [ 0x164, ['unsigned long']], 'ApcStatePointer' : [ 0x168, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x170, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x170, ['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x187, ['unsigned char']], 'SuspendCount' : [ 0x188, ['unsigned char']], 'Spare1' : [ 0x189, ['unsigned char']], 'OtherPlatformFill' : [ 0x18a, ['unsigned char']], 'Win32Thread' : [ 0x18c, ['pointer', ['void']]], 'StackBase' : [ 0x190, ['pointer', ['void']]], 'SuspendApc' : [ 0x194, ['_KAPC']], 'SuspendApcFill0' : [ 0x194, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x195, ['unsigned char']], 'SuspendApcFill1' : [ 0x194, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x197, ['unsigned char']], 'SuspendApcFill2' : [ 0x194, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x198, ['unsigned long']], 'SuspendApcFill3' : [ 0x194, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b8, ['pointer', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x194, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1bc, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x194, ['array', 47, ['unsigned char']]], 'LargeStack' : [ 0x1c3, ['unsigned char']], 'UserTime' : [ 0x1c4, ['unsigned long']], 'SuspendSemaphore' : [ 0x1c8, ['_KSEMAPHORE']], 
'SuspendSemaphorefill' : [ 0x1c8, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1dc, ['unsigned long']], 'ThreadListEntry' : [ 0x1e0, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1e8, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1f0, ['pointer', ['void']]], 'ThreadCounters' : [ 0x1f4, ['pointer', ['_KTHREAD_COUNTERS']]], 'XStateSave' : [ 0x1f8, ['pointer', ['_XSTATE_SAVE']]], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, 
['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_ETHREAD' : [ 0x2b8, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x200, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x208, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x208, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x210, ['long']], 'PostBlockList' : [ 0x214, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x214, ['pointer', ['void']]], 'StartAddress' : [ 0x218, ['pointer', ['void']]], 'TerminationPort' : [ 0x21c, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x21c, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x21c, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x220, ['unsigned long']], 'ActiveTimerListHead' : [ 0x224, ['_LIST_ENTRY']], 'Cid' : [ 0x22c, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x234, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x234, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x248, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x24c, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x254, ['unsigned long']], 'DeviceToVerify' : [ 0x258, ['pointer', ['_DEVICE_OBJECT']]], 'CpuQuotaApc' : [ 0x25c, ['pointer', ['_PSP_CPU_QUOTA_APC']]], 'Win32StartAddress' : [ 0x260, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x264, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x268, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x270, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x274, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x278, 
['unsigned long']], 'MmLockOrdering' : [ 0x27c, ['long']], 'CrossThreadFlags' : [ 0x280, ['unsigned long']], 'Terminated' : [ 0x280, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x280, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x280, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x280, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x280, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x280, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x280, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x280, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x280, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x280, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x280, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x280, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x280, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NeedsWorkingSetAging' : [ 0x280, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x284, ['unsigned long']], 'ActiveExWorker' : [ 0x284, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x284, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x284, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned 
long')]], 'ClonedThread' : [ 0x284, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x284, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x284, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x284, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x288, ['unsigned long']], 'Spare' : [ 0x288, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x288, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x288, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x288, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x288, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x289, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x289, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x289, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x289, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x289, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 
'OwnsDynamicMemoryShared' : [ 0x289, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x289, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x289, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x28a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x28a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x28a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x28a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x28a, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x28a, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x28b, ['unsigned char']], 'CacheManagerActive' : [ 0x28c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x28d, ['unsigned char']], 'ActiveFaultCount' : [ 0x28e, ['unsigned char']], 'LockOrderState' : [ 0x28f, ['unsigned char']], 'AlpcMessageId' : [ 0x290, ['unsigned long']], 'AlpcMessage' : [ 0x294, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x294, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x298, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x2a0, ['unsigned long']], 'IoBoostCount' : [ 0x2a4, ['unsigned long']], 'IrpListLock' : [ 0x2a8, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x2ac, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x2b0, ['_SINGLE_LIST_ENTRY']], } ], '_EPROCESS' : [ 0x2c0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x98, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xa0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xa8, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xb0, 
['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0xc0, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xc8, ['array', 2, ['unsigned long']]], 'CommitCharge' : [ 0xd0, ['unsigned long']], 'QuotaBlock' : [ 0xd4, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0xd8, ['pointer', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0xdc, ['unsigned long']], 'VirtualSize' : [ 0xe0, ['unsigned long']], 'SessionProcessLinks' : [ 0xe4, ['_LIST_ENTRY']], 'DebugPort' : [ 0xec, ['pointer', ['void']]], 'ExceptionPortData' : [ 0xf0, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xf0, ['unsigned long']], 'ExceptionPortState' : [ 0xf0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'ObjectTable' : [ 0xf4, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xf8, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xfc, ['unsigned long']], 'AddressCreationLock' : [ 0x100, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x104, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0x108, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x10c, ['unsigned long']], 'PhysicalVadRoot' : [ 0x110, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x114, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x118, ['unsigned long']], 'NumberOfLockedPages' : [ 0x11c, ['unsigned long']], 'Win32Process' : [ 0x120, ['pointer', ['void']]], 'Job' : [ 0x124, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x128, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x12c, ['pointer', ['void']]], 'Cookie' : [ 0x130, ['unsigned long']], 'Spare8' : [ 0x134, ['unsigned long']], 'WorkingSetWatch' : [ 0x138, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x13c, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x140, ['pointer', ['void']]], 'LdtInformation' : [ 0x144, ['pointer', ['void']]], 'VdmObjects' : [ 0x148, ['pointer', ['void']]], 'ConsoleHostProcess' : [ 0x14c, 
['unsigned long']], 'DeviceMap' : [ 0x150, ['pointer', ['void']]], 'EtwDataSource' : [ 0x154, ['pointer', ['void']]], 'FreeTebHint' : [ 0x158, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x160, ['_HARDWARE_PTE']], 'Filler' : [ 0x160, ['unsigned long long']], 'Session' : [ 0x168, ['pointer', ['void']]], 'ImageFileName' : [ 0x16c, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x17b, ['unsigned char']], 'JobLinks' : [ 0x17c, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x184, ['pointer', ['void']]], 'ThreadListHead' : [ 0x188, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x190, ['pointer', ['void']]], 'PaeTop' : [ 0x194, ['pointer', ['void']]], 'ActiveThreads' : [ 0x198, ['unsigned long']], 'ImagePathHash' : [ 0x19c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a0, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1a4, ['long']], 'Peb' : [ 0x1a8, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x1ac, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e0, ['unsigned long']], 'CommitChargePeak' : [ 0x1e4, ['unsigned long']], 'AweInfo' : [ 0x1e8, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1ec, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1f0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x25c, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x264, ['pointer', ['void']]], 'ModifiedPageCount' : [ 0x268, ['unsigned long']], 'Flags2' : [ 0x26c, ['unsigned long']], 'JobNotReallyActive' : [ 0x26c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x26c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x26c, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'ExitProcessReported' : [ 0x26c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x26c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x26c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x26c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x26c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x26c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x26c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x26c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x26c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x26c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x26c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x26c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x26c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x26c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x26c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x26c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x26c, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Flags' : [ 0x270, ['unsigned long']], 'CreateReported' : [ 0x270, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x270, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x270, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x270, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x270, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x270, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x270, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x270, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x270, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x270, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x270, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x270, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x270, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x270, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x270, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x270, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x270, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x270, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x270, ['BitField', dict(start_bit = 19, end_bit = 20, 
native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x270, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x270, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x270, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x270, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x270, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x270, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x270, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x270, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x270, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x270, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x274, ['long']], 'VadRoot' : [ 0x278, ['_MM_AVL_TABLE']], 'AlpcContext' : [ 0x298, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x2a8, ['_LIST_ENTRY']], 'RequestedTimerResolution' : [ 0x2b0, ['unsigned long']], 'ActiveThreadsHighWatermark' : [ 0x2b4, ['unsigned long']], 'SmallestTimerResolution' : [ 0x2b8, ['unsigned long']], 'TimerResolutionStackRecord' : [ 0x2bc, ['pointer', ['_PO_DIAG_STACK_RECORD']]], } ], '_KPROCESS' : [ 0x98, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'Affinity' : [ 0x38, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x44, ['_LIST_ENTRY']], 
'SwapListEntry' : [ 0x4c, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x50, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ActiveGroupsMask' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedFlags' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x5c, ['long']], 'BasePriority' : [ 0x60, ['unsigned char']], 'QuantumReset' : [ 0x61, ['unsigned char']], 'Visited' : [ 0x62, ['unsigned char']], 'Unused3' : [ 0x63, ['unsigned char']], 'ThreadSeed' : [ 0x64, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x68, ['array', 1, ['unsigned short']]], 'IdealGlobalNode' : [ 0x6a, ['unsigned short']], 'Flags' : [ 0x6c, ['_KEXECUTE_OPTIONS']], 'Unused1' : [ 0x6d, ['unsigned char']], 'IopmOffset' : [ 0x6e, ['unsigned short']], 'Unused4' : [ 0x70, ['unsigned long']], 'StackCount' : [ 0x74, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x78, ['_LIST_ENTRY']], 'CycleTime' : [ 0x80, ['unsigned long long']], 'KernelTime' : [ 0x88, ['unsigned long']], 'UserTime' : [ 0x8c, ['unsigned long']], 'VdmTrapcHandler' : [ 0x90, ['pointer', ['void']]], } ], '__unnamed_1291' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 
'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1291']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc0, { 'PrivilegesUsed' : [ 0x0, ['pointer', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], } ], '__unnamed_12a0' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_12a5' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_12a7' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_12a5']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_12b2' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_12b4' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_12b2']], 'Apc' : 
[ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_12a0']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_12a7']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_12b4']], } ], '__unnamed_12bb' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_12bf' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_12c3' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_12c5' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 
'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_12c9' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 
'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_12cb' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_12cd' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 
'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], } ], '__unnamed_12cf' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 
'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12d1' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_12d3' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_12d7' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_12d9' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12dc' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_12de' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], 
} ], '__unnamed_12e0' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_12e2' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_12e6' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_12ea' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_12ee' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_12f2' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_12f8' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12fc' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1300' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1302' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_1304' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1308' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], 
'__unnamed_130c' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1310' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1314' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1318' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1320' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1324' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1326' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1328' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' 
: [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_132a' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_12bb']], 'CreatePipe' : [ 0x0, ['__unnamed_12bf']], 'CreateMailslot' : [ 0x0, ['__unnamed_12c3']], 'Read' : [ 0x0, ['__unnamed_12c5']], 'Write' : [ 0x0, ['__unnamed_12c5']], 'QueryDirectory' : [ 0x0, ['__unnamed_12c9']], 'NotifyDirectory' : [ 0x0, ['__unnamed_12cb']], 'QueryFile' : [ 0x0, ['__unnamed_12cd']], 'SetFile' : [ 0x0, ['__unnamed_12cf']], 'QueryEa' : [ 0x0, ['__unnamed_12d1']], 'SetEa' : [ 0x0, ['__unnamed_12d3']], 'QueryVolume' : [ 0x0, ['__unnamed_12d7']], 'SetVolume' : [ 0x0, ['__unnamed_12d7']], 'FileSystemControl' : [ 0x0, ['__unnamed_12d9']], 'LockControl' : [ 0x0, ['__unnamed_12dc']], 'DeviceIoControl' : [ 0x0, ['__unnamed_12de']], 'QuerySecurity' : [ 0x0, ['__unnamed_12e0']], 'SetSecurity' : [ 0x0, ['__unnamed_12e2']], 'MountVolume' : [ 0x0, ['__unnamed_12e6']], 'VerifyVolume' : [ 0x0, ['__unnamed_12e6']], 'Scsi' : [ 0x0, ['__unnamed_12ea']], 'QueryQuota' : [ 0x0, ['__unnamed_12ee']], 'SetQuota' : [ 0x0, ['__unnamed_12d3']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_12f2']], 'QueryInterface' : [ 0x0, ['__unnamed_12f8']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_12fc']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1300']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1302']], 'SetLock' : [ 0x0, ['__unnamed_1304']], 'QueryId' : [ 0x0, ['__unnamed_1308']], 'QueryDeviceText' : [ 0x0, ['__unnamed_130c']], 'UsageNotification' : [ 0x0, ['__unnamed_1310']], 'WaitWake' : [ 0x0, ['__unnamed_1314']], 'PowerSequence' : [ 0x0, ['__unnamed_1318']], 'Power' : [ 0x0, ['__unnamed_1320']], 'StartDevice' : [ 0x0, ['__unnamed_1324']], 'WMI' : [ 0x0, ['__unnamed_1326']], 'Others' : [ 0x0, ['__unnamed_1328']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' 
: [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_132a']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1340' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_1340']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', 
['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', 
['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', 
['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, 
['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x40, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : 
[ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '__unnamed_14ad' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'VolatileLong' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_14ad']], } ], '__unnamed_14be' : [ 0xc, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0x88, { 'OsMajorVersion' : [ 0x0, ['unsigned long']], 'OsMinorVersion' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'LoadOrderListHead' : [ 0x10, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x18, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x20, ['_LIST_ENTRY']], 'KernelStack' : [ 0x28, ['unsigned long']], 'Prcb' : [ 0x2c, ['unsigned long']], 'Process' : [ 0x30, ['unsigned long']], 'Thread' : [ 0x34, ['unsigned long']], 'RegistryLength' : [ 0x38, ['unsigned long']], 'RegistryBase' : [ 0x3c, ['pointer', ['void']]], 'ConfigurationRoot' : [ 0x40, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x44, ['pointer', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x48, ['pointer', ['unsigned char']]], 'NtBootPathName' : [ 0x4c, ['pointer', ['unsigned char']]], 'NtHalPathName' : [ 0x50, ['pointer', ['unsigned char']]], 'LoadOptions' : [ 0x54, ['pointer', ['unsigned char']]], 'NlsData' : [ 0x58, ['pointer', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x5c, ['pointer', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0x60, ['pointer', ['void']]], 'Extension' : [ 0x64, ['pointer', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0x68, 
['__unnamed_14be']], 'FirmwareInformation' : [ 0x74, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '__unnamed_14ef' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_14f1' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_14f4' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_14f6' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_14f4']], } ], '__unnamed_14fb' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, 
native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_14ef']], 'u2' : [ 0x4, ['__unnamed_14f1']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0x8, ['long']], 'PteLong' : [ 0x8, ['unsigned long']], 'u3' : [ 0xc, ['__unnamed_14f6']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_14fb']], } ], '_MI_COLOR_BASE' : [ 0x8, { 'ColorPointer' : [ 0x0, ['pointer', ['unsigned short']]], 'ColorMask' : [ 0x4, ['unsigned short']], 'ColorNode' : [ 0x6, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x6c, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x4, ['pointer', ['_KGATE']]], 'AccessLog' : [ 0x8, ['pointer', ['void']]], 'WorkingSetExpansionLinks' : [ 0xc, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x14, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x30, ['unsigned long']], 'WorkingSetSize' : [ 0x34, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x38, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x3c, ['unsigned long']], 'ChargedWslePages' : [ 0x40, ['unsigned long']], 'ActualWslePages' : [ 0x44, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x48, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x4c, ['unsigned long']], 'HardFaultCount' : [ 0x50, ['unsigned long']], 'VmWorkingSetList' : [ 0x54, ['pointer', ['_MMWSL']]], 'NextPageColor' : [ 0x58, ['unsigned short']], 'LastTrimStamp' : [ 0x5a, ['unsigned short']], 'PageFaultCount' : [ 0x5c, ['unsigned long']], 'RepurposeCount' : [ 0x60, ['unsigned long']], 'Spare' : [ 0x64, ['array', 1, ['unsigned long']]], 'Flags' : [ 0x68, ['_MMSUPPORT_FLAGS']], } ], '_MMWSL' : [ 0x6a8, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x14, ['pointer', ['void']]], 
'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NextAgingSlot' : [ 0x1c, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x20, ['unsigned long']], 'VadBitMapHint' : [ 0x24, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long']], 'LastVadBit' : [ 0x2c, ['unsigned long']], 'MaximumLastVadBit' : [ 0x30, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x34, ['unsigned long']], 'LastAllocationSize' : [ 0x38, ['unsigned long']], 'NonDirectHash' : [ 0x3c, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x40, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x44, ['pointer', ['_MMWSLE_HASH']]], 'UsedPageTableEntries' : [ 0x48, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x648, ['array', 24, ['unsigned long']]], } ], '__unnamed_152b' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_152b']], } ], '__unnamed_153a' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1544' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1546' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_1544']], } ], '_CONTROL_AREA' : [ 0x50, { 
'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_153a']], 'FlushInProgressCount' : [ 0x20, ['unsigned long']], 'FilePointer' : [ 0x24, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x28, ['long']], 'ModifiedWriteCount' : [ 0x2c, ['unsigned long']], 'StartingFrame' : [ 0x2c, ['unsigned long']], 'WaitingForDeletion' : [ 0x30, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x34, ['__unnamed_1546']], 'LockedPages' : [ 0x40, ['long long']], 'ViewList' : [ 0x48, ['_LIST_ENTRY']], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 0x0, ['unsigned long']], } ], '_MMPAGING_FILE' : [ 0x50, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'File' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x1c, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x24, ['_UNICODE_STRING']], 'Bitmap' : [ 0x2c, ['pointer', ['_RTL_BITMAP']]], 'EvictStoreBitmap' : [ 0x30, ['pointer', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x34, ['unsigned long']], 'LastAllocationSize' : [ 0x38, ['unsigned long']], 'ToBeEvictedCount' : [ 0x3c, ['unsigned long']], 'PageFileNumber' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x40, ['BitField', 
dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x42, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x42, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x44, ['pointer', ['void']]], 'Lock' : [ 0x48, ['unsigned long']], 'LockOwner' : [ 0x4c, ['pointer', ['_ETHREAD']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '__unnamed_1580' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_1583' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_1586' : [ 0x4, { 'LongFlags3' : [ 0x0, ['unsigned long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x20, { 'u1' : [ 0x0, ['__unnamed_1580']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1583']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1586']], } ], '__unnamed_158e' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, 
['__unnamed_158e']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '__unnamed_1593' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x3c, { 'u1' : [ 0x0, ['__unnamed_1580']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1583']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1586']], 'u2' : [ 0x20, ['__unnamed_1593']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x24, ['pointer', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x30, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x38, ['pointer', ['_EPROCESS']]], } ], '__unnamed_159e' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x40, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x14, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x18, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x1c, ['unsigned long']], 'MdlHack' : [ 0x20, ['__unnamed_159e']], } ], '__unnamed_15a4' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_15a6' : [ 0x4, { 'KeepForever' : [ 0x0, ['unsigned long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_15a4']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['__unnamed_15a6']], 'PagingFile' : [ 0x18, ['pointer', ['_MMPAGING_FILE']]], 'File' 
: [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x20, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x24, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x28, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x30, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x38, ['pointer', ['_MDL']]], 'Mdl' : [ 0x3c, ['_MDL']], 'Page' : [ 0x58, ['array', 1, ['unsigned long']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_HHIVE' : [ 0x2ec, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x24, ['pointer', ['void']]], 'BaseBlock' : [ 0x28, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x2c, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x34, ['unsigned long']], 'DirtyAlloc' : [ 0x38, ['unsigned long']], 'BaseBlockAlloc' : [ 0x3c, ['unsigned long']], 'Cluster' : [ 0x40, ['unsigned long']], 'Flat' : [ 0x44, ['unsigned char']], 'ReadOnly' : [ 0x45, ['unsigned char']], 'DirtyFlag' : [ 0x46, ['unsigned char']], 'HvBinHeadersUse' : [ 0x48, ['unsigned long']], 'HvFreeCellsUse' : [ 0x4c, ['unsigned long']], 'HvUsedCellsUse' : [ 0x50, ['unsigned long']], 'CmUsedCellsUse' : [ 0x54, ['unsigned long']], 'HiveFlags' : [ 0x58, ['unsigned long']], 'CurrentLog' : [ 0x5c, ['unsigned long']], 'LogSize' : [ 0x60, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x68, ['unsigned long']], 'StorageTypeCount' : [ 
0x6c, ['unsigned long']], 'Version' : [ 0x70, ['unsigned long']], 'Storage' : [ 0x74, ['array', 2, ['_DUAL']]], } ], '_CM_VIEW_OF_FILE' : [ 0x30, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'CmHive' : [ 0x18, ['pointer', ['_CMHIVE']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'ViewAddress' : [ 0x20, ['pointer', ['void']]], 'FileOffset' : [ 0x24, ['unsigned long']], 'Size' : [ 0x28, ['unsigned long']], 'UseCount' : [ 0x2c, ['unsigned long']], } ], '_CMHIVE' : [ 0x630, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2ec, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x304, ['_LIST_ENTRY']], 'HiveList' : [ 0x30c, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x314, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x31c, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x320, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x328, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x32c, ['unsigned long']], 'Identity' : [ 0x330, ['unsigned long']], 'HiveLock' : [ 0x334, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x338, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x33c, ['pointer', ['_KTHREAD']]], 'ViewLockLast' : [ 0x340, ['unsigned long']], 'ViewUnLockLast' : [ 0x344, ['unsigned long']], 'WriterLock' : [ 0x348, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x34c, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x350, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x358, ['pointer', ['CMP_OFFSET_ARRAY']]], 'FlushOffsetArrayCount' : [ 0x35c, ['unsigned long']], 'FlushHiveTruncated' : [ 0x360, ['unsigned long']], 'FlushLock2' : [ 0x364, ['pointer', ['_FAST_MUTEX']]], 'SecurityLock' : [ 0x368, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x36c, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x374, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x37c, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x384, ['unsigned short']], 'PinnedViewCount' : [ 0x386, ['unsigned short']], 'UseCount' : [ 0x388, ['unsigned 
long']], 'ViewsPerHive' : [ 0x38c, ['unsigned long']], 'FileObject' : [ 0x390, ['pointer', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x394, ['unsigned long']], 'ActualFileSize' : [ 0x398, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x3a0, ['_UNICODE_STRING']], 'FileUserName' : [ 0x3a8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x3b0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x3b8, ['unsigned long']], 'SecurityCacheSize' : [ 0x3bc, ['unsigned long']], 'SecurityHitHint' : [ 0x3c0, ['long']], 'SecurityCache' : [ 0x3c4, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x3c8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x5c8, ['unsigned long']], 'UnloadEventArray' : [ 0x5cc, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x5d0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x5d4, ['unsigned char']], 'UnloadWorkItem' : [ 0x5d8, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x5dc, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x5f0, ['unsigned char']], 'GrowOffset' : [ 0x5f4, ['unsigned long']], 'KcbConvertListHead' : [ 0x5f8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x600, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x608, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x60c, ['unsigned long']], 'TrustClassEntry' : [ 0x610, ['_LIST_ENTRY']], 'FlushCount' : [ 0x618, ['unsigned long']], 'CmRm' : [ 0x61c, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x620, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x624, ['long']], 'CreatorOwner' : [ 0x628, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0x62c, ['pointer', ['_KTHREAD']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : 
[ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0xc, ['_CM_KEY_HASH']], 'ConvKey' : [ 0xc, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x14, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], 'KcbPushlock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x20, ['pointer', ['_KTHREAD']]], 'SharedCount' : [ 0x20, ['long']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, ['unsigned long']], 'KcbUserFlags' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', 
dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x6c, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x74, ['_LIST_ENTRY']], 'Stolen' : [ 0x74, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x7c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x80, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x88, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x90, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x98, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x9c, ['pointer', ['_UNICODE_STRING']]], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '__unnamed_162b' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_HvpRecoverWholeHive', 10: '_HvpMapFileImageAndBuildMap', 11: '_CmpValidateHiveSecurityDescriptors', 12: '_HvpEnlistBinInMap', 13: '_CmCheckRegistry', 14: '_CmRegistryIO', 15: '_CmCheckRegistry2', 16: '_CmpCheckKey', 17: '_CmpCheckValueList', 18: '_HvCheckHive', 19: '_HvCheckBin'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_162e' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x4, ['pointer', ['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_1630' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1632' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', ['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_1634' : [ 0x10, { 
'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_1638' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_163c' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_163e' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x120, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned long']], 'RecoverableIndex' : [ 0x8, ['unsigned long']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_162b']]], 'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_162b']]], 'RegistryIO' : [ 0xcc, ['__unnamed_162e']], 'CheckRegistry2' : [ 0xd8, ['__unnamed_1630']], 'CheckKey' : [ 0xdc, ['__unnamed_1632']], 'CheckValueList' : [ 0xec, ['__unnamed_1634']], 'CheckHive' : [ 0xfc, ['__unnamed_1638']], 'CheckHive1' : [ 0x108, ['__unnamed_1638']], 'CheckBin' : [ 0x114, ['__unnamed_163c']], 'RecoverData' : [ 0x11c, ['__unnamed_163e']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0x80, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, 
['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'DpcCount' : [ 0x38, ['unsigned long']], 'DpcRate' : [ 0x3c, ['unsigned long']], 'C1Time' : [ 0x40, ['unsigned long long']], 'C2Time' : [ 0x48, ['unsigned long long']], 'C3Time' : [ 0x50, ['unsigned long long']], 'C1Transitions' : [ 0x58, ['unsigned long long']], 'C2Transitions' : [ 0x60, ['unsigned long long']], 'C3Transitions' : [ 0x68, ['unsigned long long']], 'ParkingStatus' : [ 0x70, ['unsigned long']], 'CurrentFrequency' : [ 0x74, ['unsigned long']], 'PercentMaxFrequency' : [ 0x78, ['unsigned long']], 'StateFlags' : [ 0x7c, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_TEB32' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 
'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, 
['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 
'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], } ], '_TEB64' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 
'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 
'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0xc, { 'Affinity' : [ 0x0, ['pointer', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x4, ['unsigned long']], 'CurrentIndex' : [ 0x8, ['unsigned short']], } ], '_GROUP_AFFINITY' : [ 0xc, { 'Mask' : [ 0x0, 
['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_FXSAVE_FORMAT' : [ 0x1e0, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 192, ['unsigned char']]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], '_KSTACK_AREA' : [ 0x210, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'NpxFrame' : [ 0x0, ['_FXSAVE_FORMAT']], 'StackControl' : [ 0x1e0, ['_KERNEL_STACK_CONTROL']], 'Cr0NpxState' : [ 0x1fc, ['unsigned long']], 'Padding' : [ 0x200, ['array', 4, ['unsigned long']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x1c, { 'PreviousTrapFrame' : [ 0x0, 
['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0x0, ['pointer', ['void']]], 'StackControlFlags' : [ 0x4, ['unsigned long']], 'PreviousLargeStack' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousSegmentsPresent' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExpandCalloutStack' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Previous' : [ 0x8, ['_KERNEL_STACK_SEGMENT']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'Reserved' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, 
['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x3c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependentList' : [ 0x2c, ['_LIST_ENTRY']], 'ProviderList' : [ 0x34, ['_LIST_ENTRY']], } ], '__unnamed_1740' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1742' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1746' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x188, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 
'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Level' : [ 0x28, ['unsigned long']], 'Notify' : [ 0x2c, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x68, ['_PO_IRP_MANAGER']], 'State' : [ 0x78, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x7c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x80, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 
770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xd0, ['unsigned long']], 'CompletionStatus' : [ 0xd4, ['long']], 'Flags' : [ 0xd8, ['unsigned long']], 'UserFlags' : [ 0xdc, ['unsigned long']], 'Problem' : [ 0xe0, ['unsigned long']], 'ResourceList' : [ 0xe4, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0xec, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xf0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xf4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xf8, ['unsigned long']], 'ChildInterfaceType' : [ 0xfc, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 
'ChildBusNumber' : [ 0x100, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x104, ['unsigned short']], 'RemovalPolicy' : [ 0x106, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x107, ['unsigned char']], 'TargetDeviceNotify' : [ 0x108, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x110, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x118, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x120, ['unsigned short']], 'QueryTranslatorMask' : [ 0x122, ['unsigned short']], 'NoArbiterMask' : [ 0x124, ['unsigned short']], 'QueryArbiterMask' : [ 0x126, ['unsigned short']], 'OverUsed1' : [ 0x128, ['__unnamed_1740']], 'OverUsed2' : [ 0x12c, ['__unnamed_1742']], 'BootResources' : [ 0x130, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x134, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x138, ['unsigned long']], 'DockInfo' : [ 0x13c, ['__unnamed_1746']], 'DisableableDepends' : [ 0x14c, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x150, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x158, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x160, ['unsigned long']], 'PreviousParent' : [ 0x164, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x168, ['unsigned long']], 'NumaNodeIndex' : [ 0x16c, ['unsigned long']], 'ContainerID' : [ 0x170, ['_GUID']], 'OverrideFlags' : [ 0x180, ['unsigned char']], 'RequiresUnloadedDriver' : [ 0x181, ['unsigned char']], 'PendingEjectRelations' : [ 0x184, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], } ], '_KNODE' : [ 0x80, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'Affinity' : [ 0x20, ['_GROUP_AFFINITY']], 'ProximityId' : [ 0x2c, ['unsigned long']], 'NodeNumber' : [ 0x30, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x32, ['unsigned short']], 'MaximumProcessors' : [ 0x34, ['unsigned char']], 'Color' : [ 0x35, ['unsigned char']], 'Flags' : [ 0x36, ['_flags']], 'NodePad0' : [ 0x37, ['unsigned char']], 'Seed' : [ 0x38, ['unsigned long']], 
'MmShiftedColor' : [ 0x3c, ['unsigned long']], 'FreeCount' : [ 0x40, ['array', 2, ['unsigned long']]], 'CachedKernelStacks' : [ 0x48, ['_CACHED_KSTACK_LIST']], 'ParkLock' : [ 0x60, ['long']], 'NodePad1' : [ 0x64, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], 
'_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], 
'_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 
0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_17ef' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 
'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_17ef']], } ], '__unnamed_17f6' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_17f6']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 
'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x20, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'Flags' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x1c, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x158, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', ['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, 
['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'LogHandle' : [ 0x98, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x9c, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa0, ['unsigned long']], 'LazyWritePassCount' : [ 0xa4, ['unsigned long']], 'UninitializeEvent' : [ 0xa8, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xac, ['_KGUARDED_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'Event' : [ 0xd8, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xf0, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x148, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x14c, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x150, ['unsigned long']], 'WritesInProgress' : [ 0x154, ['unsigned long']], } ], '__unnamed_1866' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_1866']], 'Links' : [ 0x10, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x18, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1884' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1886' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1888' : [ 0x4, { 
'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_188a' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_188c' : [ 0x4, { 'Read' : [ 0x0, ['__unnamed_1884']], 'Write' : [ 0x0, ['__unnamed_1886']], 'Event' : [ 0x0, ['__unnamed_1888']], 'Notification' : [ 0x0, ['__unnamed_188a']], } ], '_WORK_QUEUE_ENTRY' : [ 0x10, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_188c']], 'Function' : [ 0xc, ['unsigned char']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x138, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 
'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x58, ['unsigned long']], 'Interceptor' : [ 0x5c, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x60, ['unsigned long']], 'Signature' : [ 0x64, ['unsigned long']], 'SegmentReserve' : [ 0x68, ['unsigned long']], 'SegmentCommit' : [ 0x6c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x70, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x74, ['unsigned long']], 'TotalFreeSize' : [ 0x78, ['unsigned long']], 'MaximumAllocationSize' : [ 0x7c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x80, ['unsigned short']], 'HeaderValidateLength' : [ 0x82, ['unsigned short']], 'HeaderValidateCopy' : [ 0x84, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x88, ['unsigned short']], 'MaximumTagIndex' : [ 0x8a, ['unsigned short']], 'TagEntries' : [ 0x8c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x90, ['_LIST_ENTRY']], 'AlignRound' : [ 0x98, ['unsigned long']], 'AlignMask' : [ 0x9c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0xa0, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa8, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xb0, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb4, ['unsigned long']], 'BlocksIndex' : [ 0xb8, ['pointer', ['void']]], 'UCRIndex' : [ 0xbc, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xc0, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc4, ['_LIST_ENTRY']], 'LockVariable' : [ 0xcc, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xd0, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'Counters' : [ 0xdc, 
['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x130, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_18dd' : [ 0x18, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x18, { 'Lock' : [ 0x0, ['__unnamed_18dd']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 
'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_PEB' : [ 0x248, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, 
['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'HotpatchInformation' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 
0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 
0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], 'pContextData' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : [ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x78, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 
'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], 'ForwarderLinks' : [ 0x50, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0x58, ['_LIST_ENTRY']], 'StaticLinks' : [ 0x60, ['_LIST_ENTRY']], 'ContextInformation' : [ 0x68, ['pointer', ['void']]], 'OriginalBase' : [ 0x6c, ['unsigned long']], 'LoadTime' : [ 0x70, ['_LARGE_INTEGER']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'LocalInfo' : [ 0x0, ['pointer', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'Flags' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '__unnamed_195c' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_195e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_195c']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1960' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1962' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1960']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_195e']], 'u2' : [ 0x4, ['__unnamed_1962']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], 
'_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x24, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], 'LookasideIndex' : [ 0x20, ['unsigned long']], } ], '__unnamed_197e' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1980' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_197e']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1980']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Pad' : [ 0x14, ['unsigned long']], } ], '__unnamed_1992' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1994' : [ 0x4, { 's1' : [ 0x0, 
['__unnamed_1992']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_1994']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_199a' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_199c' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_199a']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_199c']], 'NumberOfViews' : [ 0x1c, ['unsigned long']], 'ViewListHead' : [ 0x20, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x2c, ['pointer', ['_KALPC_VIEW']]], } ], '__unnamed_19a2' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_19a4' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19a2']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, ['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', ['void']]], 'u1' : [ 
0x24, ['__unnamed_19a4']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x24, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_19c0' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, 
end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_19c2' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19c0']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0xfc, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x5c, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x64, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x6c, ['_LIST_ENTRY']], 'WaitQueue' : [ 0x74, ['_LIST_ENTRY']], 'Semaphore' : [ 0x7c, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'PortAttributes' : [ 0x80, ['_ALPC_PORT_ATTRIBUTES']], 'Lock' : [ 0xac, ['_EX_PUSH_LOCK']], 'ResourceListLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xb4, ['_LIST_ENTRY']], 'CompletionList' : [ 0xbc, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0xc0, ['pointer', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0xc4, ['pointer', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0xc8, ['pointer', ['void']]], 'CanceledQueue' : [ 0xcc, ['_LIST_ENTRY']], 'SequenceNo' : [ 0xd4, ['long']], 'u1' : [ 0xd8, ['__unnamed_19c2']], 'TargetQueuePort' : [ 0xdc, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xe0, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0xe4, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xe8, ['unsigned long']], 'PendingQueueLength' : [ 0xec, ['unsigned long']], 'LargeMessageQueueLength' : [ 0xf0, ['unsigned long']], 'CanceledQueueLength' : [ 0xf4, ['unsigned long']], 'WaitQueueLength' : [ 0xf8, 
['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x88, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'Key' : [ 0x7c, ['unsigned long']], 'CallbackList' : [ 0x80, ['_LIST_ENTRY']], } ], '__unnamed_19da' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_19dc' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19da']], 'State' : [ 0x0, ['unsigned long']], } 
], '_KALPC_MESSAGE' : [ 0x88, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x8, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0xc, ['unsigned long']], 'QuotaProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x10, ['pointer', ['void']]], 'SequenceNo' : [ 0x14, ['long']], 'u1' : [ 0x18, ['__unnamed_19dc']], 'CancelSequencePort' : [ 0x1c, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x24, ['long']], 'CancelListEntry' : [ 0x28, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x30, ['pointer', ['_ETHREAD']]], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x38, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x3c, ['pointer', ['_ALPC_PORT']]], 'MessageAttributes' : [ 0x40, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x5c, ['pointer', ['void']]], 'DataSystemVa' : [ 0x60, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x64, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x68, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x6c, ['pointer', ['_ETHREAD']]], 'PortMessage' : [ 0x70, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', 
['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1a19' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a1b' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a19']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1a1b']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 'IoStatusInformation' : [ 0x18, ['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'Flags' : [ 0x14, ['unsigned long']], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', 
['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x24, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 7, ['pointer', ['void']]]], 'FoIoPriorityHint' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 
'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x4c, ['pointer', ['void']]], 'Override' : [ 0x50, ['unsigned char']], 'QueryOnly' : [ 0x51, ['unsigned char']], 'DeleteOnly' : [ 0x52, ['unsigned char']], 'FullAttributes' : [ 0x53, ['unsigned char']], 'LocalFileObject' : [ 0x54, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x58, ['unsigned long']], 'DriverCreateContext' : [ 0x5c, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x238, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'CollectionOn' : [ 0xc, ['long']], 'LoggerMode' : [ 0x10, ['unsigned long']], 'AcceptNewEvents' : [ 0x14, ['long']], 
'GetCpuClock' : [ 0x18, ['pointer', ['void']]], 'StartTime' : [ 0x20, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x28, ['pointer', ['void']]], 'LoggerThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x30, ['long']], 'NBQHead' : [ 0x34, ['pointer', ['void']]], 'OverflowNBQHead' : [ 0x38, ['pointer', ['void']]], 'QueueBlockFreeList' : [ 0x40, ['_SLIST_HEADER']], 'GlobalList' : [ 0x48, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x50, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x50, ['_EX_FAST_REF']], 'LoggerName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x64, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x6c, ['_UNICODE_STRING']], 'ClockType' : [ 0x74, ['unsigned long']], 'MaximumFileSize' : [ 0x78, ['unsigned long']], 'LastFlushedBuffer' : [ 0x7c, ['unsigned long']], 'FlushTimer' : [ 0x80, ['unsigned long']], 'FlushThreshold' : [ 0x84, ['unsigned long']], 'ByteOffset' : [ 0x88, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x90, ['unsigned long']], 'BuffersAvailable' : [ 0x94, ['long']], 'NumberOfBuffers' : [ 0x98, ['long']], 'MaximumBuffers' : [ 0x9c, ['unsigned long']], 'EventsLost' : [ 0xa0, ['unsigned long']], 'BuffersWritten' : [ 0xa4, ['unsigned long']], 'LogBuffersLost' : [ 0xa8, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xac, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xb0, ['unsigned long']], 'SequencePtr' : [ 0xb4, ['pointer', ['long']]], 'LocalSequence' : [ 0xb8, ['unsigned long']], 'InstanceGuid' : [ 0xbc, ['_GUID']], 'FileCounter' : [ 0xcc, ['long']], 'BufferCallback' : [ 0xd0, ['pointer', ['void']]], 'PoolType' : [ 0xd4, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 
'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xd8, ['_ETW_REF_CLOCK']], 'Consumers' : [ 0xe8, ['_LIST_ENTRY']], 'NumConsumers' : [ 0xf0, ['unsigned long']], 'TransitionConsumer' : [ 0xf4, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0xf8, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0xfc, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x108, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x110, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x120, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x128, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x130, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x138, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x14c, ['_KEVENT']], 'FlushEvent' : [ 0x15c, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x170, ['_KTIMER']], 'FlushDpc' : [ 0x198, ['_KDPC']], 'LoggerMutex' : [ 0x1b8, ['_KMUTANT']], 'LoggerLock' : [ 0x1d8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1dc, ['unsigned long']], 'BufferListPushLock' : [ 0x1dc, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1e0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x21c, ['_EX_FAST_REF']], 'BufferSequenceNumber' : [ 0x220, ['long long']], 'Flags' : [ 0x228, ['unsigned long']], 'Persistent' : [ 0x228, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x228, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x228, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x228, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 
'Wow' : [ 0x228, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x228, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x228, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x228, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x228, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x228, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'RequestFlag' : [ 0x22c, ['unsigned long']], 'RequestNewFie' : [ 0x22c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x22c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x22c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x22c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x22c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RequestConnectConsumer' : [ 0x22c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HookIdMap' : [ 0x230, ['_RTL_BITMAP']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_BUFFER_HANDLE' : [ 0x8, { 'TraceBuffer' : [ 0x0, ['pointer', ['_WMI_BUFFER_HEADER']]], 'BufferFastRef' : [ 0x4, ['pointer', ['_EX_FAST_REF']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 
0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_NBQUEUE_BLOCK' : [ 0x18, { 'SListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Next' : [ 0x8, ['unsigned long long']], 'Data' : [ 0x10, ['unsigned long long']], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x178, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' 
: [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['array', 8, ['pointer', ['_EVENT_FILTER_HEADER']]]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x1e0, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x98, ['pointer', ['void']]], 'DynamicPart' : [ 0x9c, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa0, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa4, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 
'ImpersonationLevel' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xac, ['unsigned long']], 'TokenInUse' : [ 0xb0, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb4, ['unsigned long']], 'MandatoryPolicy' : [ 0xb8, ['unsigned long']], 'LogonSession' : [ 0xbc, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc0, ['_LUID']], 'SidHash' : [ 0xc8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x150, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1d8, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'VariablePart' : [ 0x1dc, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x34, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : [ 0xd, ['unsigned char']], 'InfoMask' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 
0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x14, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], 'HashIndex' : [ 0xc, ['unsigned short']], 'DirectoryLocked' : [ 0xe, ['unsigned char']], 'LockedExclusive' : [ 0xf, ['unsigned char']], 'LockStateSignature' : [ 0x10, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 
0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS3' : [ 0x4, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], 
'_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 
8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], 
'_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Coalescable' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KeepShifting' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CpuThrottled' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved2' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x54, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'CompactHeapCalls' : [ 0x38, ['unsigned long']], 'CompactedUCRs' : [ 0x3c, ['unsigned long']], 'AllocAndFreeOps' : [ 0x40, ['unsigned long']], 'InBlockDeccommits' : [ 0x44, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x48, ['unsigned long']], 'HighWatermarkSize' : [ 0x4c, ['unsigned long']], 'LastPolledSize' : [ 0x50, ['unsigned long']], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned 
long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, ['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], } ], '_I386_LOADER_BLOCK' : [ 0xc, { 'CommonDataArea' : [ 0x0, ['pointer', ['void']]], 'MachineType' : [ 0x4, ['unsigned long']], 'VirtualBias' : [ 0x8, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], 
'_ARC_DISK_INFORMATION' : [ 0x8, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_HANDLE_TABLE' : [ 0x3c, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x18, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x1c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'StrictFIFO' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x28, ['unsigned long']], 'LastFreeHandleEntry' : [ 0x2c, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x30, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x34, ['unsigned long']], 'HandleCountHighWatermark' : [ 0x38, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, 
native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned 
char']], 'BlockState' : [ 0x17, ['unsigned char']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['_KAFFINITY_EX']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x54, ['unsigned long']], } 
], '__unnamed_1c1b' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1c1d' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1c1b']], 'Private' : [ 0x0, ['__unnamed_1c1d']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : 
[ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], 'ReferenceCount' : [ 0x8, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_1c3f' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1c45' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x48, { 'u1' : [ 0x0, ['__unnamed_1580']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 
'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1583']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1586']], 'u2' : [ 0x20, ['__unnamed_1593']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x30, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x38, ['pointer', ['_EPROCESS']]], 'u3' : [ 0x3c, ['__unnamed_1c3f']], 'u4' : [ 0x44, ['__unnamed_1c45']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x138, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 
'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0x98, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'LimitFlags' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['_KAFFINITY_EX']], 'PriorityClass' : [ 0xb4, ['unsigned char']], 'AccessState' : [ 0xb8, ['pointer', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0xbc, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x108, ['unsigned long']], 'JobMemoryLimit' : [ 0x10c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x110, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x114, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x118, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x120, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x124, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x12c, ['unsigned long']], 'JobFlags' : [ 0x130, ['unsigned long']], } ], '__unnamed_1c56' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, 
native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0x68, { 'Count' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['__unnamed_1c56']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'OldState' : [ 0x10, ['unsigned long']], 'NewlyUnparked' : [ 0x14, ['unsigned char']], 'TargetProcessors' : [ 0x18, ['_KAFFINITY_EX']], 'State' : [ 0x28, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '__unnamed_1c5f' : [ 0x10, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x14, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, ['__unnamed_1c5f']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x50, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', ['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', ['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned long']], 'ShutDownRequested' : [ 0x34, ['unsigned char']], 'NewBuffersLost' : [ 0x35, ['unsigned char']], 'Disconnected' : [ 0x36, ['unsigned char']], 
'ReservedBufferSpaceBitMap' : [ 0x38, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x40, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x44, ['unsigned long']], 'UserPagesAllocated' : [ 0x48, ['unsigned long']], 'UserPagesReused' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1c68' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1c6e' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1c70' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1c68']], 'Bits' : [ 0x0, ['__unnamed_1c6e']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1c70']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 
'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_KGUARDED_MUTEX']], 'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['pointer', ['pointer', ['void']]]], 'PendingFreeDepth' : [ 0x104, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 
'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x278, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'Pad' : [ 0x39, ['array', 3, ['unsigned char']]], 'Mode' : [ 
0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x44, ['unsigned long']], 'DispatchCount' : [ 0x48, ['unsigned long']], 'Rsvd1' : [ 0x50, ['unsigned long long']], 'DispatchCode' : [ 0x58, ['array', 135, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, 
['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x58, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 
'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 
0x54, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'UserVa' : [ 0x10, ['pointer', ['void']]], 'UserLimit' : [ 0x14, ['pointer', ['void']]], 'DataUserVa' : [ 0x18, ['pointer', ['void']]], 'SystemVa' : [ 0x1c, ['pointer', ['void']]], 'TotalSize' : [ 0x20, ['unsigned long']], 'Header' : [ 0x24, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x28, ['pointer', ['void']]], 'ListSize' : [ 0x2c, ['unsigned long']], 'Bitmap' : [ 0x30, ['pointer', ['void']]], 'BitmapSize' : [ 0x34, ['unsigned long']], 'Data' : [ 0x38, ['pointer', ['void']]], 'DataSize' : [ 0x3c, ['unsigned long']], 'BitmapLimit' : [ 0x40, ['unsigned long']], 'BitmapNextHint' : [ 0x44, ['unsigned long']], 'ConcurrencyCount' : [ 0x48, ['unsigned long']], 'AttributeFlags' : [ 0x4c, ['unsigned long']], 'AttributeSize' : [ 0x50, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 
'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_IO_WORKITEM' : [ 0x20, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', ['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'Type' : [ 0x1c, ['unsigned long']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 
'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : 
[ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x64, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, 
['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0xc, { 'AnsiCodePageData' : [ 0x0, ['pointer', ['void']]], 'OemCodePageData' : [ 0x4, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x8, ['pointer', ['void']]], } ], '_ALIGNED_AFFINITY_SUMMARY' : [ 0x40, { 'CpuSet' : [ 0x0, ['_KAFFINITY_EX']], 'SMTSet' : [ 0xc, ['_KAFFINITY_EX']], } ], '_XSTATE_CONFIGURATION' : [ 0x210, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'OptimizedSave' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x10, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 
0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 
'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0xc8, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleAccounting' : [ 0x20, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'Hypervisor' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'PerfHistoryTotal' : [ 0x28, ['unsigned long']], 'ThermalConstraint' : [ 0x2c, ['unsigned char']], 'PerfHistoryCount' : [ 0x2d, ['unsigned char']], 'PerfHistorySlot' : [ 0x2e, ['unsigned char']], 'Reserved' : [ 0x2f, ['unsigned char']], 'LastSysTime' : [ 0x30, ['unsigned long']], 'WmiDispatchPtr' : [ 0x34, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0x38, ['long']], 'FFHThrottleStateInfo' : [ 0x40, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x60, ['_KDPC']], 'PerfActionMask' : [ 0x80, ['long']], 'IdleCheck' : [ 0x88, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x98, ['_PROC_IDLE_SNAP']], 'Domain' : [ 0xa8, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0xac, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Load' : [ 0xb0, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0xb4, ['pointer', ['_PROC_HISTORY_ENTRY']]], 'Utility' : [ 0xb8, ['unsigned long']], 'OverUtilizedHistory' : [ 0xbc, ['unsigned long']], 'AffinityCount' : [ 0xc0, ['unsigned long']], 'AffinityHistory' : [ 0xc4, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned 
short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : 
[ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : 
[ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit 
= 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 
'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x2c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'BucketLimits' : [ 0x18, ['array', 16, ['unsigned long long']]], 'State' : [ 0x98, ['array', 1, 
['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x84, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 
'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x78, ['unsigned long']], 'PreviousActivityCounter' : [ 0x7c, ['unsigned long']], 'WorkerTrimRequests' : [ 0x80, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x4, ['_KGATE']], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, 
['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1dc5' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1dc5']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x5ec, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, 
['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], 'PdoDescriptionString' : [ 0xa8, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x348, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x5e8, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '__unnamed_1e1e' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1e20' : [ 0x8, { 'Last' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_1e1e']], } ], '__unnamed_1e22' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1e1e']], } ], '__unnamed_1e24' : [ 0x8, { 'OldCell' : [ 0x0, ['__unnamed_1e20']], 'NewCell' : [ 0x0, ['__unnamed_1e22']], } ], '_HCELL' : [ 0xc, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e24']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x24, { 'Prcb' : [ 
0x0, ['pointer', ['_KPRCB']]], 'PerfContext' : [ 0x4, ['unsigned long']], 'PercentageCap' : [ 0x8, ['unsigned long']], 'ThermalCap' : [ 0xc, ['unsigned long']], 'TargetFrequency' : [ 0x10, ['unsigned long']], 'AcumulatedFullFrequency' : [ 0x14, ['unsigned long']], 'AcumulatedZeroFrequency' : [ 0x18, ['unsigned long']], 'FrequencyHistoryTotal' : [ 0x1c, ['unsigned long']], 'AverageFrequency' : [ 0x20, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 
0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], 'Pad0' : [ 0x14, ['unsigned long']], } ], '__unnamed_1e37' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 
'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e3b' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1e3d' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1e3f' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1e41' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1e43' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1e45' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e47' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e49' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e4b' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1e37']], 'Memory' : [ 0x0, ['__unnamed_1e37']], 'Interrupt' : [ 0x0, ['__unnamed_1e3b']], 'Dma' : [ 0x0, ['__unnamed_1e3d']], 'Generic' : [ 0x0, ['__unnamed_1e37']], 'DevicePrivate' : [ 0x0, 
['__unnamed_1e3f']], 'BusNumber' : [ 0x0, ['__unnamed_1e41']], 'ConfigData' : [ 0x0, ['__unnamed_1e43']], 'Memory40' : [ 0x0, ['__unnamed_1e45']], 'Memory48' : [ 0x0, ['__unnamed_1e47']], 'Memory64' : [ 0x0, ['__unnamed_1e49']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1e4b']], } ], '_POP_THERMAL_ZONE' : [ 0x150, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x80, ['pointer', ['_IRP']]], 'Info' : [ 0x84, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0xe0, ['_LARGE_INTEGER']], 'Metrics' : [ 0xe8, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, 
{ 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x68, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x38, ['unsigned long']], 'PassiveCount' : [ 0x3c, ['unsigned long']], 'LastActiveStartTick' : [ 0x40, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x48, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x50, ['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x58, ['_LARGE_INTEGER']], 'StartTickSinceLastReset' : [ 0x60, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 
0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 'SecurityQos' : [ 0x1c, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, 
['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '__unnamed_1e88' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1e8a' : [ 0xc, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1e88']], } ], '_VF_TARGET_DRIVER' : [ 0x18, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x8, ['__unnamed_1e8a']], 'VerifiedData' : [ 0x14, ['pointer', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_1e92' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1e94' : [ 
0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1e96' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1e98' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1e9a' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1e9c' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1e9e' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1ea0' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1ea2' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ea4' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_1ea6' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1e92']], 'TargetDevice' : [ 0x0, ['__unnamed_1e94']], 'InstallDevice' : [ 0x0, ['__unnamed_1e96']], 'CustomNotification' : [ 0x0, ['__unnamed_1e98']], 'ProfileNotification' : [ 0x0, ['__unnamed_1e9a']], 'PowerNotification' : [ 0x0, ['__unnamed_1e9c']], 'VetoNotification' : [ 0x0, ['__unnamed_1e9e']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1ea0']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1ea2']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1ea4']], 'PropertyChangeNotification' : [ 0x0, 
['__unnamed_1e96']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x44, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_1ea6']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 
'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 192, ['unsigned char']]], 'StackControl' : [ 0x1e0, ['array', 7, ['unsigned long']]], 'Cr0NpxState' : [ 0x1fc, ['unsigned long']], } ], '_MBCB' : [ 0x88, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x68, ['_BITMAP_RANGE']], } ], '_PS_CPU_QUOTA_BLOCK' : [ 0x880, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x8, ['unsigned long']], 'CpuShareWeight' : [ 0xc, ['unsigned long']], 'CapturedWeightData' : [ 0x10, ['_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA']], 'DuplicateInputMarker' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x18, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x18, ['long']], 'BlockCurrentGenerationLock' : [ 0x0, ['unsigned long']], 
'CyclesAccumulated' : [ 0x8, ['unsigned long long']], 'CycleCredit' : [ 0x40, ['unsigned long long']], 'BlockCurrentGeneration' : [ 0x48, ['unsigned long']], 'CpuCyclePercent' : [ 0x4c, ['unsigned long']], 'CyclesFinishedForCurrentGeneration' : [ 0x50, ['unsigned char']], 'Cpu' : [ 0x80, ['array', 32, ['_PS_PER_CPU_QUOTA_CACHE_AWARE']]], } ], '__unnamed_1ec1' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1ec1']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, 
native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x50, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 
'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], } ], '__unnamed_1ef2' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_1ef2']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_PS_PER_CPU_QUOTA_CACHE_AWARE' : [ 0x40, { 'SortedListEntry' : [ 0x0, ['_LIST_ENTRY']], 'IdleOnlyListHead' : [ 0x8, ['_LIST_ENTRY']], 'CycleBaseAllowance' : [ 0x10, ['unsigned long long']], 'CyclesRemaining' : [ 0x18, ['long long']], 'CurrentGeneration' : [ 0x20, ['unsigned long']], } ], 
'_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x14, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], 'ActualLimit' : [ 0x10, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 
'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 
'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 
'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_POP_SYSTEM_IDLE' : [ 0x38, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 
'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned char']], 'IdleWorker' : [ 0x25, ['unsigned char']], 'Sampling' : [ 0x26, ['unsigned char']], 'LastTick' : [ 0x28, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x30, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0xc, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x18, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' : [ 0xc, ['unsigned long']], 'ObjectInfo' : [ 0x10, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x14, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x10, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x4, ['pointer', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x8, ['long']], 'MissedMappingsCount' : [ 0xc, ['unsigned long']], } ], '__unnamed_1f53' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f55' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f57' : [ 0xc, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f59' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_1f57']], 'Translated' : [ 0x0, ['__unnamed_1f55']], } ], '__unnamed_1f5b' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f5d' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f5f' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f61' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f63' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f65' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f67' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1f53']], 'Port' : [ 0x0, 
['__unnamed_1f53']], 'Interrupt' : [ 0x0, ['__unnamed_1f55']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1f59']], 'Memory' : [ 0x0, ['__unnamed_1f53']], 'Dma' : [ 0x0, ['__unnamed_1f5b']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e3f']], 'BusNumber' : [ 0x0, ['__unnamed_1f5d']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1f5f']], 'Memory40' : [ 0x0, ['__unnamed_1f61']], 'Memory48' : [ 0x0, ['__unnamed_1f63']], 'Memory64' : [ 0x0, ['__unnamed_1f65']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1f67']], } ], '__unnamed_1f6c' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1f6c']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1f76' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1f76']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x34, { 'Parent' : [ 0x0, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x4, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x8, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0xc, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x30, 
['pointer', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1f80' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x18, { 'u' : [ 0x0, ['__unnamed_1ef2']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['__unnamed_1f80']], 'LeftChild' : [ 0x10, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x14, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', ['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f88' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f8a' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1f88']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x40, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, ['_LIST_ENTRY']], 'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x30, ['_LIST_ENTRY']], 'Specific' : [ 0x38, ['__unnamed_1f8a']], } ], 
'_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', 
dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, 
['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned 
long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x34, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x1c, { 'InterceptorFunction' : [ 0x0, ['pointer', ['void']]], 'InterceptorValue' : [ 0x4, ['unsigned short']], 'ExtendedOptions' : [ 0x8, ['unsigned long']], 'StackTraceDepth' : [ 0xc, ['unsigned long']], 'MinTotalBlockSize' : [ 0x10, ['unsigned long']], 'MaxTotalBlockSize' : [ 0x14, ['unsigned long']], 'HeapLeakEnumerationRoutine' : [ 0x18, ['pointer', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 
0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'Context' : [ 0xc, ['pointer', ['void']]], 'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 
'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x14, ['unsigned long']], 'Status' : [ 0x18, ['long']], 'Information' : [ 0x1c, ['pointer', ['void']]], 'WorkItem' : [ 0x20, ['_WORK_QUEUE_ITEM']], 'FailingDriver' : [ 0x30, ['pointer', ['_DRIVER_OBJECT']]], 'ReferenceCount' : [ 0x34, ['long']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', 
['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win7_sp0_x64_vtypes.py0000644000000000000000000172610713131215405030525 0ustar rootrootntkrnlmp_types = { '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } 
], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 
0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x30, { 'InterceptorFunction' : [ 0x0, ['pointer64', ['void']]], 'InterceptorValue' : [ 0x8, ['unsigned short']], 'ExtendedOptions' : [ 0xc, ['unsigned long']], 'StackTraceDepth' : [ 0x10, ['unsigned long']], 'MinTotalBlockSize' : [ 0x18, ['unsigned long long']], 'MaxTotalBlockSize' : [ 0x20, ['unsigned long long']], 'HeapLeakEnumerationRoutine' : [ 0x28, ['pointer64', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 
7, ['unsigned long long']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x68, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'WorkItem' : [ 0x38, ['_WORK_QUEUE_ITEM']], 'FailingDriver' : [ 0x58, ['pointer64', ['_DRIVER_OBJECT']]], 'ReferenceCount' : [ 0x60, ['long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned 
short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 
'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '__unnamed_205d' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0xb0, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : 
[ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_205d']], 'TargetProcessors' : [ 0x30, ['_KAFFINITY_EX']], 'PStateHandler' : [ 0x58, ['pointer64', ['void']]], 'PStateContext' : [ 0x60, ['unsigned long long']], 'TStateHandler' : [ 0x68, ['pointer64', ['void']]], 'TStateContext' : [ 0x70, ['unsigned long long']], 'FeedbackHandler' : [ 0x78, ['pointer64', ['void']]], 'GetFFHThrottleState' : [ 0x80, ['pointer64', ['void']]], 'State' : [ 0x88, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, 
['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xc0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'ProgrammedRTCTime' : [ 0x58, ['unsigned long long']], 'WakeOnRTC' : [ 0x60, ['unsigned char']], 'WakeTimerInfo' : [ 0x68, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], 'FilteredCapabilities' : [ 0x70, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, 
['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x50, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x228, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTransitions' : [ 0x8, ['unsigned long']], 'FailedTransitions' : [ 0xc, ['unsigned long']], 'InvalidBucketIndex' : [ 0x10, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 16, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_209f' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_20a1' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 
0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_209f']], 'Button' : [ 0x10, ['__unnamed_20a1']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 
0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], 
'_LOADER_PARAMETER_EXTENSION' : [ 0x148, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'EmInfFileImage' : [ 0x18, ['pointer64', ['void']]], 'EmInfFileSize' : [ 0x20, ['unsigned long']], 'TriageDumpBlock' : [ 0x28, ['pointer64', ['void']]], 'LoaderPagesSpanned' : [ 0x30, ['unsigned long long']], 'HeadlessLoaderBlock' : [ 0x38, ['pointer64', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x40, ['pointer64', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x48, ['pointer64', ['void']]], 'DrvDBSize' : [ 0x50, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x58, ['pointer64', ['_NETWORK_LOADER_BLOCK']]], 'FirmwareDescriptorListHead' : [ 0x60, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x70, ['pointer64', ['void']]], 'AcpiTableSize' : [ 0x78, ['unsigned long']], 'LastBootSucceeded' : [ 0x7c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LastBootShutdown' : [ 0x7c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPortAccessSupported' : [ 0x7c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x7c, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x80, ['pointer64', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x88, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x98, ['pointer64', ['void']]], 'BootIdentifier' : [ 0xa0, ['_GUID']], 'ResumePages' : [ 0xb0, ['unsigned long']], 'DumpHeader' : [ 0xb8, ['pointer64', ['void']]], 'BgContext' : [ 0xc0, ['pointer64', ['void']]], 'NumaLocalityInfo' : [ 0xc8, ['pointer64', ['void']]], 'NumaGroupAssignment' : [ 0xd0, ['pointer64', ['void']]], 'AttachedHives' : [ 0xd8, ['_LIST_ENTRY']], 'MemoryCachingRequirementsCount' : [ 0xe8, ['unsigned long']], 'MemoryCachingRequirements' : [ 0xf0, ['pointer64', ['void']]], 'TpmBootEntropyResult' : [ 0xf8, ['_TPM_BOOT_ENTROPY_LDR_RESULT']], 'ProcessorCounterFrequency' : [ 0x140, 
['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x400, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, 
['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, 
['pointer64', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x30, { 'Mdl' : [ 0x0, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x8, ['pointer64', ['void']]], 'UserLimit' : [ 0x10, ['pointer64', ['void']]], 'SystemVa' : [ 0x18, ['pointer64', ['void']]], 'SystemLimit' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_PROC_HISTORY_ENTRY' : [ 0x4, { 'Utility' : [ 0x0, ['unsigned short']], 'Frequency' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 
0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', 
dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x18, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer64', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0x10, ['pointer64', ['void']]], } ], '_PEB64' : 
[ 0x380, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 
'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned 
long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pContextData' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, 
['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_2146' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1f80, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2146']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x20, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x28, ['unsigned long long']], 'NonPagablePages' : [ 0x30, ['unsigned long long']], 'CommittedPages' : [ 0x38, ['unsigned long long']], 'PagedPoolStart' : [ 0x40, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x48, ['pointer64', ['void']]], 'SessionObject' : [ 0x50, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x58, ['pointer64', ['void']]], 'ResidentProcessCount' : [ 0x60, ['long']], 'SessionPoolAllocationFailures' : [ 0x64, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachGate' : [ 0x90, ['_KGATE']], 'WsListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xc88, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc90, ['pointer64', ['void']]], 'PagedPool' : [ 0xcc0, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e00, ['_MMPTE']], 'SessionVaLock' : [ 0x1e08, ['_KGUARDED_MUTEX']], 'DynamicVaBitMap' : [ 0x1e40, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1e50, ['unsigned long']], 
'SpecialPool' : [ 0x1e58, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1ea0, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1ed8, ['long']], 'PagedPoolPdeCount' : [ 0x1edc, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1ee0, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1ee4, ['unsigned long']], 'SystemPteInfo' : [ 0x1ee8, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f30, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1f38, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1f40, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1f48, ['unsigned long long']], 'IoState' : [ 0x1f50, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1f54, ['unsigned long']], 'IoNotificationEvent' : [ 0x1f58, ['_KEVENT']], 'CpuQuotaBlock' : [ 0x1f70, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 
0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 
'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, 
native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned long']], 'PagedPoolCommit' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, 
['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'FeedbackHandler' : [ 0x40, ['pointer64', ['void']]], 'GetFFHThrottleState' : [ 0x48, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0x50, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0x58, ['pointer64', ['void']]], 'PerfHandler' : [ 0x60, ['pointer64', ['void']]], 'Processors' : [ 0x68, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'PerfChangeTime' : [ 0x70, ['unsigned long long']], 'ProcessorCount' : [ 0x78, ['unsigned long']], 'PreviousFrequencyMhz' : [ 0x7c, ['unsigned long']], 'CurrentFrequencyMhz' : [ 0x80, ['unsigned long']], 'PreviousFrequency' : [ 0x84, ['unsigned long']], 'CurrentFrequency' : [ 0x88, ['unsigned long']], 'CurrentPerfContext' : [ 0x8c, ['unsigned long']], 'DesiredFrequency' : [ 0x90, ['unsigned long']], 'MaxFrequency' : [ 0x94, ['unsigned long']], 'MinPerfPercent' : [ 0x98, ['unsigned long']], 'MinThrottlePercent' : [ 0x9c, ['unsigned long']], 'MaxPercent' : [ 0xa0, ['unsigned long']], 'MinPercent' : [ 0xa4, 
['unsigned long']], 'ConstrainedMaxPercent' : [ 0xa8, ['unsigned long']], 'ConstrainedMinPercent' : [ 0xac, ['unsigned long']], 'Coordination' : [ 0xb0, ['unsigned char']], 'PerfChangeIntervalCount' : [ 0xb4, ['long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_TP_NBQ_GUARD' : [ 0x20, { 'GuardLinks' : [ 0x0, ['_LIST_ENTRY']], 'Guards' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer64', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x48, { 'PteBase' : [ 0x0, 
['pointer64', ['_MMPTE']]], 'Lock' : [ 0x8, ['unsigned long long']], 'Paged' : [ 0x10, ['_MI_SPECIAL_POOL_PTE_LIST']], 'NonPaged' : [ 0x20, ['_MI_SPECIAL_POOL_PTE_LIST']], 'PagesInUse' : [ 0x30, ['long long']], 'SpecialPoolPdes' : [ 0x38, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '__unnamed_21bf' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_21c3' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, 
native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_21bf']], 'Bits' : [ 0x4, ['__unnamed_21c3']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 
'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_21df' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_21e1' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_21df']], 'Merged' : [ 0x10, ['__unnamed_21e1']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_21e9' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', 
dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_21e9']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_1f32']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'u1' : [ 0x38, ['__unnamed_1fd4']], 'LeftChild' : [ 0x40, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x48, ['pointer64', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x70, { 'GetTime' : [ 0x0, ['unsigned long long']], 'SetTime' : [ 0x8, ['unsigned long long']], 'GetWakeupTime' : [ 0x10, ['unsigned long long']], 'SetWakeupTime' : [ 0x18, ['unsigned long long']], 'SetVirtualAddressMap' : [ 0x20, ['unsigned long long']], 'ConvertPointer' : [ 0x28, ['unsigned long long']], 'GetVariable' : [ 0x30, 
['unsigned long long']], 'GetNextVariableName' : [ 0x38, ['unsigned long long']], 'SetVariable' : [ 0x40, ['unsigned long long']], 'GetNextHighMonotonicCount' : [ 0x48, ['unsigned long long']], 'ResetSystem' : [ 0x50, ['unsigned long long']], 'UpdateCapsule' : [ 0x58, ['unsigned long long']], 'QueryCapsuleCapabilities' : [ 0x60, ['unsigned long long']], 'QueryVariableInfo' : [ 0x68, ['unsigned long long']], } ], '_MI_SPECIAL_POOL_PTE_LIST' : [ 0x10, { 'FreePteHead' : [ 0x0, ['_MMPTE']], 'FreePteTail' : [ 0x8, ['_MMPTE']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_21ff' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_2203' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x50, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_21ff']], 'u2' : [ 0x38, ['__unnamed_2203']], 
'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x48, ['array', 1, ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '__unnamed_220c' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_220e' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_220c']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x100, { 'SuspectDriverEntry' : [ 0x0, ['pointer64', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_220e']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' : [ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned 
long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x60, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, 
['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_TPM_BOOT_ENTROPY_LDR_RESULT' : [ 0x48, { 'Policy' : [ 0x0, ['unsigned long long']], 'ResultCode' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'TpmBootEntropyStructureUninitialized', 1: 'TpmBootEntropyDisabledByPolicy', 2: 'TpmBootEntropyNoTpmFound', 3: 'TpmBootEntropyTpmError', 4: 'TpmBootEntropySuccess'})]], 'ResultStatus' : [ 0xc, ['long']], 'Time' : [ 0x10, ['unsigned long long']], 'EntropyLength' : [ 0x18, ['unsigned long']], 'EntropyData' : [ 0x1c, ['array', 40, ['unsigned char']]], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 
'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x48, ['pointer64', ['void']]], 'CallersCaller' : [ 0x50, ['pointer64', ['void']]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 
0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1'})]], 'ReorderingBarrier' : [ 0x1c, ['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long long']], 'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 
'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'EnableMask' : [ 0x1c, ['unsigned char']], 'SessionId' : [ 0x20, ['unsigned long']], 'ReplyQueue' : [ 0x20, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x20, ['array', 4, ['pointer64', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x40, ['pointer64', ['_EPROCESS']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'CallbackContext' : [ 0x48, ['pointer64', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned 
short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x2f8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long 
long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x2d0, ['_LIST_ENTRY']], 'Status' : [ 0x2e0, ['long']], 'FailedDevice' : [ 0x2e8, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x2f0, ['unsigned char']], 'Cancelled' : [ 0x2f1, ['unsigned char']], 'IgnoreErrors' : [ 0x2f2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x2f3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x2f4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'ContainsDebug' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 
} ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_TEB32' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned 
long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 
'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 
7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x60, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'IdleCheck' : [ 0x28, ['pointer64', ['void']]], 'IdleHandler' : [ 0x30, ['pointer64', ['void']]], 'HvConfig' : [ 0x38, ['unsigned long long']], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Latency' : [ 0x48, ['unsigned long']], 'Power' : [ 0x4c, ['unsigned long']], 'TimeCheck' : [ 0x50, ['unsigned long']], 'StateFlags' : [ 0x54, ['unsigned long']], 'PromotePercent' : [ 0x58, ['unsigned char']], 'DemotePercent' : [ 0x59, 
['unsigned char']], 'PromotePercentBase' : [ 0x5a, ['unsigned char']], 'DemotePercentBase' : [ 0x5b, ['unsigned char']], 'StateType' : [ 0x5c, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_2293' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x40, { 'Lock' : [ 0x0, ['long']], 'NodeToFree' : [ 0x8, ['pointer64', ['void']]], 'NodeRangeSize' : [ 0x10, ['unsigned long long']], 'NodeCount' : [ 0x18, ['unsigned long long']], 'Tables' : [ 0x20, ['pointer64', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x28, ['unsigned long']], 'u1' : [ 0x2c, ['__unnamed_2293']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 
0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, 
['unsigned long long']], } ], '_RELATION_LIST_ENTRY' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8168, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x803c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']], 'TotalReleases' : [ 0x8044, ['unsigned long']], 'RootNodesDeleted' : [ 0x8048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x804c, ['unsigned long']], 'Instigator' : [ 0x8050, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8058, ['unsigned long']], 'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8160, ['long']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : 
[ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']], } ], '_CONFIGURATION_COMPONENT' : [ 0x28, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 
'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'Group' : [ 0x14, ['unsigned short']], 'GroupIndex' : [ 0x16, ['unsigned short']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer64', ['unsigned char']]], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 
5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 
'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, 
['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 'Inserted' : [ 0x1c, ['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_22e0' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_22e2' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_22e0']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_22e2']], } ], '_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA' : [ 0x8, { 'CapturedCpuShareWeight' : [ 0x0, ['unsigned long']], 'CapturedTotalWeight' : [ 0x4, ['unsigned long']], 'CombinedData' : [ 0x0, ['long long']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_22f5' : [ 0x4, { 'Active' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_22f5']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 
'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, 
['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], 
'_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, 
['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x70, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_234b' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_234d' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_2351' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_2355' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_2357' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', 
['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_234b']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_234d']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2351']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2355']], 'Others' : [ 0x0, ['__unnamed_2357']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x110, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'Reset' : [ 0x3, ['unsigned char']], 'HiberFlags' : [ 0x4, ['unsigned char']], 'WroteHiberFile' : [ 0x5, ['unsigned char']], 'MapFrozen' : [ 0x6, ['unsigned char']], 'MemoryMap' : [ 0x8, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x18, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x28, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x38, ['unsigned long']], 'NextCloneRange' : [ 0x40, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x48, ['unsigned long long']], 'LoaderMdl' : [ 0x50, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x58, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x60, ['unsigned long long']], 'IoPages' : [ 0x68, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x70, ['unsigned long']], 
'CurrentMcb' : [ 0x78, ['pointer64', ['void']]], 'DumpStack' : [ 0x80, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x88, ['pointer64', ['_KPROCESSOR_STATE']]], 'PreferredIoWriteSize' : [ 0x90, ['unsigned long']], 'IoProgress' : [ 0x94, ['unsigned long']], 'HiberVa' : [ 0x98, ['unsigned long long']], 'HiberPte' : [ 0xa0, ['_LARGE_INTEGER']], 'Status' : [ 0xa8, ['long']], 'MemoryImage' : [ 0xb0, ['pointer64', ['PO_MEMORY_IMAGE']]], 'CompressionWorkspace' : [ 0xb8, ['pointer64', ['void']]], 'CompressedWriteBuffer' : [ 0xc0, ['pointer64', ['unsigned char']]], 'CompressedWriteBufferSize' : [ 0xc8, ['unsigned long']], 'MaxCompressedOutputSize' : [ 0xcc, ['unsigned long']], 'PerformanceStats' : [ 0xd0, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xd8, ['pointer64', ['void']]], 'DmaIO' : [ 0xe0, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0xe8, ['pointer64', ['void']]], 'BootLoaderLogMdl' : [ 0xf0, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0xf8, ['pointer64', ['_MDL']]], 'ResumeContext' : [ 0x100, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x108, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, 
['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x40, { 'ThreadHandle' : [ 0x0, ['pointer64', ['void']]], 'ThreadId' : [ 0x8, ['pointer64', ['void']]], 'ProcessId' : [ 0x10, ['pointer64', ['void']]], 'Code' : [ 0x18, ['unsigned long']], 'Parameter1' : [ 0x20, ['unsigned long long']], 'Parameter2' : [ 0x28, ['unsigned long long']], 'Parameter3' : [ 0x30, ['unsigned long long']], 'Parameter4' : [ 0x38, ['unsigned long long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '__unnamed_237d' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, 
['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_237d']], } ], '__unnamed_2381' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2381']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0x128, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 
'WakeCheck' : [ 0x58, ['unsigned long']], 'FirstTablePage' : [ 0x60, ['unsigned long long']], 'PerfInfo' : [ 0x68, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xc0, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xc8, ['array', 1, ['unsigned long long']]], 'NoBootLoaderLogPages' : [ 0xd0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xd8, ['array', 8, ['unsigned long long']]], 'NotUsed' : [ 0x118, ['unsigned long']], 'ResumeContextCheck' : [ 0x11c, ['unsigned long']], 'ResumeContextPages' : [ 0x120, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x58, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'ElapsedTicks' : [ 0x18, ['unsigned long long']], 'CompressTicks' : [ 0x20, ['unsigned long long']], 'ResumeAppTime' : [ 0x28, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x30, ['unsigned long long']], 'BytesCopied' : [ 0x38, ['unsigned long long']], 'PagesProcessed' : [ 0x40, ['unsigned long long']], 'PagesWritten' : [ 0x48, ['unsigned long']], 'DumpCount' : [ 0x4c, ['unsigned long']], 'FileRuns' : [ 0x50, ['unsigned long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x30, { 'Entry' : [ 0x0, ['unsigned long long']], 'Writable' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], 'ViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x20, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x40, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0x10, ['pointer64', ['unsigned char']]], 'PciDeviceId' : [ 0x18, ['unsigned short']], 'PciVendorId' : [ 0x1a, ['unsigned short']], 'PciBusNumber' : [ 0x1c, ['unsigned char']], 'PciBusSegment' : [ 0x1e, ['unsigned short']], 'PciSlotNumber' : [ 0x20, ['unsigned char']], 'PciFunctionNumber' : [ 0x21, ['unsigned char']], 'PciFlags' : [ 0x24, ['unsigned long']], 'SystemGUID' : [ 0x28, ['_GUID']], 'IsMMIODevice' : [ 0x38, ['unsigned char']], 'TerminalType' : [ 0x39, ['unsigned char']], } ], '__unnamed_23ab' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_23ad' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_23af' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_23ab']], 'Gpt' : [ 0x0, ['__unnamed_23ad']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' 
: [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_23af']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x48, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x10, ['unsigned long']], 'Hint' : [ 0x14, ['unsigned long']], 'BasePte' : [ 0x18, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'Vm' : [ 0x28, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x30, ['long']], 'TotalFreeSystemPtes' : [ 0x34, ['long']], 'CachedPteCount' : [ 0x38, ['long']], 'PteFailures' : [ 0x3c, ['unsigned long']], 'SpinLock' : [ 0x40, ['unsigned long long']], 'GlobalMutex' : [ 0x40, ['pointer64', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x20, { 'DHCPServerACK' : [ 0x0, ['pointer64', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x8, ['unsigned long']], 'BootServerReplyPacket' : [ 0x10, ['pointer64', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0x18, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x298, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 9, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 
0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 
'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' 
: [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TscQpcData' : [ 0x2ed, ['unsigned char']], 'TscQpcEnabled' : [ 0x2ed, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TscQpcSpareFlag' : [ 0x2ed, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TscQpcShift' : [ 0x2ed, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'TscQpcPad' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned 
long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved5' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned short']], 'Reserved4' : [ 0x3c6, ['unsigned short']], 'AitSamplingValue' : [ 0x3c8, ['unsigned long']], 'AppCompatFlag' : [ 0x3cc, ['unsigned long']], 'SystemDllNativeRelocation' : [ 0x3d0, ['unsigned long long']], 'SystemDllWowRelocation' : [ 0x3d8, ['unsigned long']], 'XStatePad' : [ 0x3dc, ['array', 1, ['unsigned long']]], 'XState' : [ 0x3e0, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1043' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1043']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1047' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1047']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_105f' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1061' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_105f']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_1061']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_INVALID'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TP_TASK' : [ 0x38, { 'Callbacks' : [ 0x0, ['pointer64', ['_TP_TASK_CALLBACKS']]], 'NumaNode' : [ 0x8, ['unsigned long']], 'IdealProcessor' : [ 0xc, ['unsigned char']], 'PostGuard' : [ 0x10, ['_TP_NBQ_GUARD']], 'NBQNode' : [ 0x30, ['pointer64', ['void']]], } ], '_TP_TASK_CALLBACKS' : [ 0x10, { 'ExecuteCallback' : [ 0x0, ['pointer64', ['void']]], 'Unposted' : [ 0x8, ['pointer64', ['void']]], } ], '_TP_DIRECT' : [ 0x10, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'NumaNode' : [ 0x8, ['unsigned long']], 'IdealProcessor' : [ 0xc, ['unsigned char']], } ], '_TEB' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : 
[ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, 
['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'EtwLocalData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 
'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, 
['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 
'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KPCR' : [ 0x4e80, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x4d00, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, 
['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'PrcbPad00' : [ 0x21, ['array', 3, ['unsigned char']]], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PrcbPad01' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, ['unsigned long']], 'Group' : [ 0x658, ['unsigned short']], 'GroupSetMember' : [ 0x660, ['unsigned long long']], 'GroupIndex' : [ 0x668, ['unsigned char']], 'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2080, ['long']], 'DeferredReadyListHead' : [ 0x2088, 
['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2090, ['long']], 'MmCopyOnWriteCount' : [ 0x2094, ['long']], 'MmTransitionCount' : [ 0x2098, ['long']], 'MmDemandZeroCount' : [ 0x209c, ['long']], 'MmPageReadCount' : [ 0x20a0, ['long']], 'MmPageReadIoCount' : [ 0x20a4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x20a8, ['long']], 'MmDirtyWriteIoCount' : [ 0x20ac, ['long']], 'MmMappedPagesWriteCount' : [ 0x20b0, ['long']], 'MmMappedWriteIoCount' : [ 0x20b4, ['long']], 'KeSystemCalls' : [ 0x20b8, ['unsigned long']], 'KeContextSwitches' : [ 0x20bc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x20c0, ['unsigned long']], 'CcFastReadWait' : [ 0x20c4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x20c8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x20cc, ['unsigned long']], 'CcCopyReadWait' : [ 0x20d0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x20d4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x20d8, ['long']], 'IoReadOperationCount' : [ 0x20dc, ['long']], 'IoWriteOperationCount' : [ 0x20e0, ['long']], 'IoOtherOperationCount' : [ 0x20e4, ['long']], 'IoReadTransferCount' : [ 0x20e8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x20f0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x20f8, ['_LARGE_INTEGER']], 'TargetCount' : [ 0x2100, ['long']], 'IpiFrozen' : [ 0x2104, ['unsigned long']], 'DpcData' : [ 0x2180, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x21c0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x21c8, ['long']], 'DpcRequestRate' : [ 0x21cc, ['unsigned long']], 'MinimumDpcRate' : [ 0x21d0, ['unsigned long']], 'DpcLastCount' : [ 0x21d4, ['unsigned long']], 'ThreadDpcEnable' : [ 0x21d8, ['unsigned char']], 'QuantumEnd' : [ 0x21d9, ['unsigned char']], 'DpcRoutineActive' : [ 0x21da, ['unsigned char']], 'IdleSchedule' : [ 0x21db, ['unsigned char']], 'DpcRequestSummary' : [ 0x21dc, ['long']], 'DpcRequestSlot' : [ 0x21dc, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x21dc, ['short']], 'DpcThreadActive' : [ 0x21de, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned short')]], 'ThreadDpcState' : [ 0x21de, ['short']], 'TimerHand' : [ 0x21e0, ['unsigned long']], 'MasterOffset' : [ 0x21e4, ['long']], 'LastTick' : [ 0x21e8, ['unsigned long']], 'UnusedPad' : [ 0x21ec, ['unsigned long']], 'PrcbPad50' : [ 0x21f0, ['array', 2, ['unsigned long long']]], 'TimerTable' : [ 0x2200, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x4400, ['_KGATE']], 'PrcbPad52' : [ 0x4418, ['pointer64', ['void']]], 'CallDpc' : [ 0x4420, ['_KDPC']], 'ClockKeepAlive' : [ 0x4460, ['long']], 'ClockCheckSlot' : [ 0x4464, ['unsigned char']], 'ClockPollCycle' : [ 0x4465, ['unsigned char']], 'NmiActive' : [ 0x4466, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x4468, ['long']], 'DpcWatchdogCount' : [ 0x446c, ['long']], 'TickOffset' : [ 0x4470, ['unsigned long long']], 'KeSpinLockOrdering' : [ 0x4478, ['long']], 'PrcbPad70' : [ 0x447c, ['unsigned long']], 'WaitListHead' : [ 0x4480, ['_LIST_ENTRY']], 'WaitLock' : [ 0x4490, ['unsigned long long']], 'ReadySummary' : [ 0x4498, ['unsigned long']], 'QueueIndex' : [ 0x449c, ['unsigned long']], 'TimerExpirationDpc' : [ 0x44a0, ['_KDPC']], 'PrcbPad72' : [ 0x44e0, ['array', 4, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x4500, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x4700, ['unsigned long']], 'KernelTime' : [ 0x4704, ['unsigned long']], 'UserTime' : [ 0x4708, ['unsigned long']], 'DpcTime' : [ 0x470c, ['unsigned long']], 'InterruptTime' : [ 0x4710, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4714, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4718, ['unsigned char']], 'PrcbPad80' : [ 0x4719, ['array', 7, ['unsigned char']]], 'DpcTimeCount' : [ 0x4720, ['unsigned long']], 'DpcTimeLimit' : [ 0x4724, ['unsigned long']], 'PeriodicCount' : [ 0x4728, ['unsigned long']], 'PeriodicBias' : [ 0x472c, ['unsigned long']], 'AvailableTime' : [ 0x4730, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x4734, ['unsigned long']], 'ParentNode' : [ 0x4738, ['pointer64', ['_KNODE']]], 
'StartCycles' : [ 0x4740, ['unsigned long long']], 'PrcbPad82' : [ 0x4748, ['array', 3, ['unsigned long long']]], 'MmSpinLockOrdering' : [ 0x4760, ['long']], 'PageColor' : [ 0x4764, ['unsigned long']], 'NodeColor' : [ 0x4768, ['unsigned long']], 'NodeShiftedColor' : [ 0x476c, ['unsigned long']], 'SecondaryColorMask' : [ 0x4770, ['unsigned long']], 'PrcbPad83' : [ 0x4774, ['unsigned long']], 'CycleTime' : [ 0x4778, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x4780, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x4784, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x4788, ['unsigned long']], 'CcMapDataNoWait' : [ 0x478c, ['unsigned long']], 'CcMapDataWait' : [ 0x4790, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x4794, ['unsigned long']], 'CcPinReadNoWait' : [ 0x4798, ['unsigned long']], 'CcPinReadWait' : [ 0x479c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x47a0, ['unsigned long']], 'CcMdlReadWait' : [ 0x47a4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x47a8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x47ac, ['unsigned long']], 'CcLazyWritePages' : [ 0x47b0, ['unsigned long']], 'CcDataFlushes' : [ 0x47b4, ['unsigned long']], 'CcDataPages' : [ 0x47b8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x47bc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x47c0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x47c4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x47c8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x47cc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x47d0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x47d4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x47d8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x47dc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x47e0, ['unsigned long']], 'CcReadAheadIos' : [ 0x47e4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x47e8, ['long']], 'MmCacheReadCount' : [ 0x47ec, ['long']], 'MmCacheIoCount' : [ 0x47f0, ['long']], 'PrcbPad91' : [ 0x47f4, ['array', 1, ['unsigned long']]], 
'RuntimeAccumulation' : [ 0x47f8, ['unsigned long long']], 'PowerState' : [ 0x4800, ['_PROCESSOR_POWER_STATE']], 'PrcbPad92' : [ 0x4900, ['array', 16, ['unsigned char']]], 'KeAlignmentFixupCount' : [ 0x4910, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x4918, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x4958, ['_KTIMER']], 'Cache' : [ 0x4998, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x49d4, ['unsigned long']], 'CachedCommit' : [ 0x49d8, ['unsigned long']], 'CachedResidentAvailable' : [ 0x49dc, ['unsigned long']], 'HyperPte' : [ 0x49e0, ['pointer64', ['void']]], 'WheaInfo' : [ 0x49e8, ['pointer64', ['void']]], 'EtwSupport' : [ 0x49f0, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x4a00, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x4a10, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x4a20, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x4a28, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x4a30, ['pointer64', ['unsigned long long']]], 'RateControl' : [ 0x4a38, ['pointer64', ['void']]], 'CacheProcessorMask' : [ 0x4a40, ['array', 5, ['unsigned long long']]], 'PackageProcessorSet' : [ 0x4a68, ['_KAFFINITY_EX']], 'CoreProcessorSet' : [ 0x4a90, ['unsigned long long']], 'PebsIndexAddress' : [ 0x4a98, ['pointer64', ['void']]], 'PrcbPad93' : [ 0x4aa0, ['array', 12, ['unsigned long long']]], 'SpinLockAcquireCount' : [ 0x4b00, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4b04, ['unsigned long']], 'SpinLockSpinCount' : [ 0x4b08, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0x4b0c, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x4b10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x4b14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x4b18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x4b1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x4b20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x4b24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x4b28, ['unsigned long']], 
'ExecutiveResourceReleaseExclusiveCount' : [ 0x4b2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x4b30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x4b34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x4b38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x4b3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x4b40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x4b44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x4b48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4b4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x4b50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x4b54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x4b58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x4b5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x4b60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x4b64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x4b68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x4b6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x4b70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x4b74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x4b78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x4b7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x4b80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x4b84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x4b88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x4b8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x4b90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x4b94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x4b98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : 
[ 0x4b9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0x4ba0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0x4ba4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0x4ba8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0x4bac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0x4bb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0x4bb4, ['unsigned long']], 'VendorString' : [ 0x4bb8, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x4bc5, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x4bc8, ['unsigned long']], 'UpdateSignature' : [ 0x4bd0, ['_LARGE_INTEGER']], 'Context' : [ 0x4bd8, ['pointer64', ['_CONTEXT']]], 'ContextFlags' : [ 0x4be0, ['unsigned long']], 'ExtendedState' : [ 0x4be8, ['pointer64', ['_XSAVE_AREA']]], 'Mailbox' : [ 0x4c00, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x4c80, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_KTHREAD' : [ 0x360, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'WaitRegister' : [ 0x48, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x49, ['unsigned char']], 'Alerted' : [ 0x4a, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x4c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x4c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x4c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x4c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x4c, ['BitField', dict(start_bit = 4, 
end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x4c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x4c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x4c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x4c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x4c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x4c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x4c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'TimerActive' : [ 0x4c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Reserved' : [ 0x4c, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x4c, ['long']], 'ApcState' : [ 0x50, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x50, ['array', 43, ['unsigned char']]], 'Priority' : [ 0x7b, ['unsigned char']], 'NextProcessor' : [ 0x7c, ['unsigned long']], 'DeferredProcessor' : [ 0x80, ['unsigned long']], 'ApcQueueLock' : [ 0x88, ['unsigned long long']], 'WaitStatus' : [ 0x90, ['long long']], 'WaitBlockList' : [ 0x98, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xa0, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xb0, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb8, ['pointer64', ['void']]], 'Timer' : [ 0xc0, ['_KTIMER']], 'AutoAlignment' : [ 0x100, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x100, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0x100, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' 
: [ 0x100, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CalloutActive' : [ 0x100, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ApcQueueable' : [ 0x100, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x100, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'GuiThread' : [ 0x100, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x100, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0x100, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x100, ['long']], 'Spare0' : [ 0x104, ['unsigned long']], 'WaitBlock' : [ 0x108, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x108, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x134, ['unsigned long']], 'WaitBlockFill5' : [ 0x108, ['array', 92, ['unsigned char']]], 'State' : [ 0x164, ['unsigned char']], 'NpxState' : [ 0x165, ['unsigned char']], 'WaitIrql' : [ 0x166, ['unsigned char']], 'WaitMode' : [ 0x167, ['unsigned char']], 'WaitBlockFill6' : [ 0x108, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x194, ['unsigned long']], 'WaitBlockFill7' : [ 0x108, ['array', 168, ['unsigned char']]], 'TebMappedLowVa' : [ 0x1b0, ['pointer64', ['void']]], 'Ucb' : [ 0x1b8, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'WaitBlockFill8' : [ 0x108, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1c4, ['short']], 'SpecialApcDisable' : [ 0x1c6, ['short']], 'CombinedApcDisable' : [ 0x1c4, ['unsigned long']], 'QueueListEntry' : [ 0x1c8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1d8, ['pointer64', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x1e0, ['pointer64', ['void']]], 'CallbackStack' : [ 0x1e8, ['pointer64', ['void']]], 'CallbackDepth' : [ 0x1e8, ['unsigned long long']], 'ApcStateIndex' : [ 0x1f0, ['unsigned char']], 
'BasePriority' : [ 0x1f1, ['unsigned char']], 'PriorityDecrement' : [ 0x1f2, ['unsigned char']], 'ForegroundBoost' : [ 0x1f2, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x1f2, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x1f3, ['unsigned char']], 'AdjustReason' : [ 0x1f4, ['unsigned char']], 'AdjustIncrement' : [ 0x1f5, ['unsigned char']], 'PreviousMode' : [ 0x1f6, ['unsigned char']], 'Saturation' : [ 0x1f7, ['unsigned char']], 'SystemCallNumber' : [ 0x1f8, ['unsigned long']], 'FreezeCount' : [ 0x1fc, ['unsigned long']], 'UserAffinity' : [ 0x200, ['_GROUP_AFFINITY']], 'Process' : [ 0x210, ['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x218, ['_GROUP_AFFINITY']], 'IdealProcessor' : [ 0x228, ['unsigned long']], 'UserIdealProcessor' : [ 0x22c, ['unsigned long']], 'ApcStatePointer' : [ 0x230, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x240, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x240, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x26b, ['unsigned char']], 'SuspendCount' : [ 0x26c, ['unsigned char']], 'Spare1' : [ 0x26d, ['unsigned char']], 'CodePatchInProgress' : [ 0x26e, ['unsigned char']], 'Win32Thread' : [ 0x270, ['pointer64', ['void']]], 'StackBase' : [ 0x278, ['pointer64', ['void']]], 'SuspendApc' : [ 0x280, ['_KAPC']], 'SuspendApcFill0' : [ 0x280, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x281, ['unsigned char']], 'SuspendApcFill1' : [ 0x280, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x283, ['unsigned char']], 'SuspendApcFill2' : [ 0x280, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x284, ['unsigned long']], 'SuspendApcFill3' : [ 0x280, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c0, ['pointer64', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x280, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2c8, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x280, ['array', 83, ['unsigned char']]], 
'LargeStack' : [ 0x2d3, ['unsigned char']], 'UserTime' : [ 0x2d4, ['unsigned long']], 'SuspendSemaphore' : [ 0x2d8, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2d8, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2f4, ['unsigned long']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x318, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x320, ['long long']], 'WriteOperationCount' : [ 0x328, ['long long']], 'OtherOperationCount' : [ 0x330, ['long long']], 'ReadTransferCount' : [ 0x338, ['long long']], 'WriteTransferCount' : [ 0x340, ['long long']], 'OtherTransferCount' : [ 0x348, ['long long']], 'ThreadCounters' : [ 0x350, ['pointer64', ['_KTHREAD_COUNTERS']]], 'XStateSave' : [ 0x358, ['pointer64', ['_XSTATE_SAVE']]], } ], '_KSTACK_AREA' : [ 0x250, { 'StackControl' : [ 0x0, ['_KERNEL_STACK_CONTROL']], 'NpxFrame' : [ 0x50, ['_XSAVE_FORMAT']], } ], '_KERNEL_STACK_CONTROL' : [ 0x50, { 'Current' : [ 0x0, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x28, ['_KERNEL_STACK_SEGMENT']], } ], '_UMS_CONTROL_BLOCK' : [ 0x98, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'PrimaryFlags' : [ 0x88, ['unsigned long']], 'UmsContextHeaderReady' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsContextHeader' : [ 0x30, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'UmsWaitGate' : [ 0x38, ['_KGATE']], 
'StagingArea' : [ 0x50, ['pointer64', ['void']]], 'Flags' : [ 0x58, ['long']], 'UmsForceQueueTermination' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsPrimaryDeliveredContext' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TebSelector' : [ 0x90, ['unsigned short']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_11ca' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, native_type='unsigned long long')]], 'Region' : [ 0x8, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_11cf' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned 
long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_11d2' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_11ca']], 'Header16' : [ 0x0, ['__unnamed_11cf']], 'HeaderX64' : [ 0x0, ['__unnamed_11d2']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_IO_STATUS_BLOCK32' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 
'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_ETHREAD' : [ 0x498, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x360, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x368, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x368, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x378, ['long']], 'PostBlockList' : [ 0x380, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x380, ['pointer64', ['void']]], 'StartAddress' : [ 0x388, ['pointer64', ['void']]], 'TerminationPort' : [ 0x390, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x390, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x390, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x398, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x3a0, ['_LIST_ENTRY']], 'Cid' : [ 0x3b0, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x3c0, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x3c0, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3e0, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3e8, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3f8, ['unsigned long long']], 'DeviceToVerify' : [ 0x400, 
['pointer64', ['_DEVICE_OBJECT']]], 'CpuQuotaApc' : [ 0x408, ['pointer64', ['_PSP_CPU_QUOTA_APC']]], 'Win32StartAddress' : [ 0x410, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x418, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x420, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x430, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x438, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x440, ['unsigned long']], 'MmLockOrdering' : [ 0x444, ['long']], 'CrossThreadFlags' : [ 0x448, ['unsigned long']], 'Terminated' : [ 0x448, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x448, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x448, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x448, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x448, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x448, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x448, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x448, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x448, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x448, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x448, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x448, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x448, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NeedsWorkingSetAging' : [ 0x448, ['BitField', dict(start_bit = 17, end_bit = 18, 
native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x44c, ['unsigned long']], 'ActiveExWorker' : [ 0x44c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x44c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x44c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x44c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x44c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x44c, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x44c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x450, ['unsigned long']], 'Spare' : [ 0x450, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x450, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x450, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x450, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x450, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x451, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x451, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x451, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x451, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x451, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x451, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x451, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x451, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x452, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x452, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x452, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x452, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x452, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x452, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x453, ['unsigned char']], 'CacheManagerActive' : [ 0x454, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x455, ['unsigned char']], 'ActiveFaultCount' : [ 0x456, ['unsigned char']], 'LockOrderState' : [ 0x457, ['unsigned char']], 'AlpcMessageId' : [ 0x458, ['unsigned long long']], 'AlpcMessage' : [ 0x460, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x460, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x468, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x478, ['unsigned long']], 'IoBoostCount' : [ 0x47c, 
['unsigned long']], 'IrpListLock' : [ 0x480, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x488, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x490, ['_SINGLE_LIST_ENTRY']], } ], '_EPROCESS' : [ 0x4d0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x168, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x170, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x178, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x180, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x188, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0x198, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x1a8, ['array', 2, ['unsigned long long']]], 'CommitCharge' : [ 0x1b8, ['unsigned long long']], 'QuotaBlock' : [ 0x1c0, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0x1c8, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0x1d0, ['unsigned long long']], 'VirtualSize' : [ 0x1d8, ['unsigned long long']], 'SessionProcessLinks' : [ 0x1e0, ['_LIST_ENTRY']], 'DebugPort' : [ 0x1f0, ['pointer64', ['void']]], 'ExceptionPortData' : [ 0x1f8, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x1f8, ['unsigned long long']], 'ExceptionPortState' : [ 0x1f8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'ObjectTable' : [ 0x200, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x208, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x210, ['unsigned long long']], 'AddressCreationLock' : [ 0x218, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x220, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x228, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x230, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x238, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x240, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x248, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x250, ['unsigned long long']], 'Win32Process' : [ 0x258, ['pointer64', ['void']]], 'Job' : [ 0x260, ['pointer64', ['_EJOB']]], 
'SectionObject' : [ 0x268, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x270, ['pointer64', ['void']]], 'Cookie' : [ 0x278, ['unsigned long']], 'UmsScheduledThreads' : [ 0x27c, ['unsigned long']], 'WorkingSetWatch' : [ 0x280, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x288, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x290, ['pointer64', ['void']]], 'LdtInformation' : [ 0x298, ['pointer64', ['void']]], 'Spare' : [ 0x2a0, ['pointer64', ['void']]], 'ConsoleHostProcess' : [ 0x2a8, ['unsigned long long']], 'DeviceMap' : [ 0x2b0, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x2b8, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x2c0, ['pointer64', ['void']]], 'FreeUmsTebHint' : [ 0x2c8, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x2d0, ['_HARDWARE_PTE']], 'Filler' : [ 0x2d0, ['unsigned long long']], 'Session' : [ 0x2d8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x2e0, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x2ef, ['unsigned char']], 'JobLinks' : [ 0x2f0, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x300, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x308, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x318, ['pointer64', ['void']]], 'Wow64Process' : [ 0x320, ['pointer64', ['void']]], 'ActiveThreads' : [ 0x328, ['unsigned long']], 'ImagePathHash' : [ 0x32c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x330, ['unsigned long']], 'LastThreadExitStatus' : [ 0x334, ['long']], 'Peb' : [ 0x338, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x340, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x348, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x350, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x358, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x360, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x368, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x370, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x378, ['unsigned long long']], 'CommitChargePeak' : [ 0x380, ['unsigned long long']], 'AweInfo' : [ 0x388, 
['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x390, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x398, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x420, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x430, ['pointer64', ['void']]], 'ModifiedPageCount' : [ 0x438, ['unsigned long']], 'Flags2' : [ 0x43c, ['unsigned long']], 'JobNotReallyActive' : [ 0x43c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x43c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x43c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x43c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x43c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x43c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x43c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x43c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x43c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x43c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x43c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x43c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x43c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x43c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x43c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 
'StackRandomizationDisabled' : [ 0x43c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x43c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x43c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x43c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x43c, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Flags' : [ 0x440, ['unsigned long']], 'CreateReported' : [ 0x440, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x440, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x440, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x440, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x440, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x440, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x440, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x440, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x440, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x440, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x440, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x440, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x440, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 
'DeprioritizeViews' : [ 0x440, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x440, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x440, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x440, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x440, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x440, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x440, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x440, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x440, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x440, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x440, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x440, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x440, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x440, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x440, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x440, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x444, ['long']], 'VadRoot' : [ 0x448, ['_MM_AVL_TABLE']], 'AlpcContext' : [ 0x488, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x4a8, ['_LIST_ENTRY']], 'RequestedTimerResolution' : [ 0x4b8, ['unsigned long']], 
'ActiveThreadsHighWatermark' : [ 0x4bc, ['unsigned long']], 'SmallestTimerResolution' : [ 0x4c0, ['unsigned long']], 'TimerResolutionStackRecord' : [ 0x4c8, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], } ], '_KPROCESS' : [ 0x160, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long long']], 'Affinity' : [ 0x48, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x70, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x80, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x88, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0xb0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0xb0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ActiveGroupsMask' : [ 0xb0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0xb0, ['long']], 'BasePriority' : [ 0xb4, ['unsigned char']], 'QuantumReset' : [ 0xb5, ['unsigned char']], 'Visited' : [ 0xb6, ['unsigned char']], 'Unused3' : [ 0xb7, ['unsigned char']], 'ThreadSeed' : [ 0xb8, ['array', 4, ['unsigned long']]], 'IdealNode' : [ 0xc8, ['array', 4, ['unsigned short']]], 'IdealGlobalNode' : [ 0xd0, ['unsigned short']], 'Flags' : [ 0xd2, ['_KEXECUTE_OPTIONS']], 'Unused1' : [ 0xd3, ['unsigned char']], 'Unused2' : [ 0xd4, ['unsigned long']], 'Unused4' : [ 0xd8, ['unsigned long']], 'StackCount' : [ 0xdc, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'CycleTime' : [ 0xf0, ['unsigned long long']], 'KernelTime' : [ 0xf8, ['unsigned long']], 'UserTime' : [ 0xfc, ['unsigned long']], 'InstrumentationCallback' : [ 0x100, ['pointer64', ['void']]], 'LdtSystemDescriptor' : [ 0x108, 
['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x118, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x120, ['_KGUARDED_MUTEX']], 'LdtFreeSelectorHint' : [ 0x158, ['unsigned short']], 'LdtTableLength' : [ 0x15a, ['unsigned short']], } ], '__unnamed_12d7' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_12d7']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xd8, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], } ], '__unnamed_12e6' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_12eb' : [ 
0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_12ed' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_12eb']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_12f8' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_12fa' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_12f8']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_12e6']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_12ed']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_12fa']], } ], '__unnamed_1301' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', 
['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1305' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1309' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_130b' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_130f' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 
'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1311' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_1313' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 
'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], } ], '__unnamed_1315' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 
'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1317' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1319' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_131d' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 
'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_131f' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1321' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1323' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1325' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1327' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_132b' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_132f' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1333' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1337' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_133d' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 
'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1341' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1345' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1347' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_1349' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_134d' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_1351' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1355' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1359' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_135d' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1365' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' 
: [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1369' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_136b' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_136d' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_136f' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1301']], 'CreatePipe' : [ 0x0, ['__unnamed_1305']], 'CreateMailslot' : [ 0x0, ['__unnamed_1309']], 'Read' : [ 0x0, ['__unnamed_130b']], 'Write' : [ 0x0, ['__unnamed_130b']], 'QueryDirectory' : [ 0x0, ['__unnamed_130f']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1311']], 'QueryFile' : [ 0x0, ['__unnamed_1313']], 'SetFile' : [ 0x0, ['__unnamed_1315']], 'QueryEa' : [ 0x0, ['__unnamed_1317']], 'SetEa' : [ 0x0, ['__unnamed_1319']], 'QueryVolume' : [ 0x0, ['__unnamed_131d']], 'SetVolume' : [ 0x0, ['__unnamed_131d']], 'FileSystemControl' : [ 0x0, ['__unnamed_131f']], 'LockControl' : [ 0x0, ['__unnamed_1321']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1323']], 'QuerySecurity' : [ 0x0, ['__unnamed_1325']], 'SetSecurity' : [ 0x0, ['__unnamed_1327']], 'MountVolume' : [ 0x0, ['__unnamed_132b']], 'VerifyVolume' : [ 0x0, 
['__unnamed_132b']], 'Scsi' : [ 0x0, ['__unnamed_132f']], 'QueryQuota' : [ 0x0, ['__unnamed_1333']], 'SetQuota' : [ 0x0, ['__unnamed_1319']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1337']], 'QueryInterface' : [ 0x0, ['__unnamed_133d']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1341']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1345']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1347']], 'SetLock' : [ 0x0, ['__unnamed_1349']], 'QueryId' : [ 0x0, ['__unnamed_134d']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1351']], 'UsageNotification' : [ 0x0, ['__unnamed_1355']], 'WaitWake' : [ 0x0, ['__unnamed_1359']], 'PowerSequence' : [ 0x0, ['__unnamed_135d']], 'Power' : [ 0x0, ['__unnamed_1365']], 'StartDevice' : [ 0x0, ['__unnamed_1369']], 'WMI' : [ 0x0, ['__unnamed_136b']], 'Others' : [ 0x0, ['__unnamed_136d']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_136f']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1385' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', 
['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_1385']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 
'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', 
['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = 
{0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 
8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '__unnamed_14ed' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_14ed']], } ], '__unnamed_14fe' : [ 0x10, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0xf0, { 'OsMajorVersion' : [ 0x0, ['unsigned long']], 'OsMinorVersion' : [ 0x4, 
['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'LoadOrderListHead' : [ 0x10, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x20, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x30, ['_LIST_ENTRY']], 'KernelStack' : [ 0x40, ['unsigned long long']], 'Prcb' : [ 0x48, ['unsigned long long']], 'Process' : [ 0x50, ['unsigned long long']], 'Thread' : [ 0x58, ['unsigned long long']], 'RegistryLength' : [ 0x60, ['unsigned long']], 'RegistryBase' : [ 0x68, ['pointer64', ['void']]], 'ConfigurationRoot' : [ 0x70, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x78, ['pointer64', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x80, ['pointer64', ['unsigned char']]], 'NtBootPathName' : [ 0x88, ['pointer64', ['unsigned char']]], 'NtHalPathName' : [ 0x90, ['pointer64', ['unsigned char']]], 'LoadOptions' : [ 0x98, ['pointer64', ['unsigned char']]], 'NlsData' : [ 0xa0, ['pointer64', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0xa8, ['pointer64', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0xb0, ['pointer64', ['void']]], 'Extension' : [ 0xb8, ['pointer64', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0xc0, ['__unnamed_14fe']], 'FirmwareInformation' : [ 0xd0, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '__unnamed_152d' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', 
['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_152f' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1532' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1534' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1532']], } ], '__unnamed_153c' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 52, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_152d']], 'u2' : [ 0x8, ['__unnamed_152f']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['long']], 'PteLong' : [ 0x10, ['unsigned long long']], 'u3' : [ 0x18, ['__unnamed_1534']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned short']], 'VaType' : [ 0x1e, ['unsigned char']], 'ViewCount' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_153c']], } ], '_MI_COLOR_BASE' : [ 0x10, { 'ColorPointer' : [ 
0x0, ['pointer64', ['unsigned short']]], 'ColorMask' : [ 0x8, ['unsigned short']], 'ColorNode' : [ 0xa, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x88, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x8, ['pointer64', ['_KGATE']]], 'AccessLog' : [ 0x10, ['pointer64', ['void']]], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x4c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x50, ['unsigned long']], 'ChargedWslePages' : [ 0x54, ['unsigned long']], 'ActualWslePages' : [ 0x58, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x5c, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x60, ['unsigned long']], 'HardFaultCount' : [ 0x64, ['unsigned long']], 'VmWorkingSetList' : [ 0x68, ['pointer64', ['_MMWSL']]], 'NextPageColor' : [ 0x70, ['unsigned short']], 'LastTrimStamp' : [ 0x72, ['unsigned short']], 'PageFaultCount' : [ 0x74, ['unsigned long']], 'RepurposeCount' : [ 0x78, ['unsigned long']], 'Spare' : [ 0x7c, ['array', 2, ['unsigned long']]], 'Flags' : [ 0x84, ['_MMSUPPORT_FLAGS']], } ], '_MMWSL' : [ 0x488, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x18, ['pointer64', ['void']]], 'LastInitializedWsle' : [ 0x20, ['unsigned long']], 'NextAgingSlot' : [ 0x24, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x28, ['unsigned long']], 'VadBitMapHint' : [ 0x2c, ['unsigned long']], 'NonDirectCount' : [ 0x30, ['unsigned long']], 'LastVadBit' : [ 0x34, ['unsigned long']], 'MaximumLastVadBit' : [ 0x38, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x3c, ['unsigned long']], 'LastAllocationSize' : [ 0x40, ['unsigned long']], 'NonDirectHash' : [ 0x48, ['pointer64', 
['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x50, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x58, ['pointer64', ['_MMWSLE_HASH']]], 'MaximumUserPageTablePages' : [ 0x60, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x64, ['unsigned long']], 'CommittedPageTables' : [ 0x68, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x70, ['unsigned long']], 'CommittedPageDirectories' : [ 0x78, ['array', 128, ['unsigned long long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x478, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x480, ['array', 1, ['unsigned long long']]], } ], '__unnamed_156a' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_156a']], } ], '__unnamed_1579' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1583' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1585' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1583']], } ], '_CONTROL_AREA' : [ 0x80, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 
0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_1579']], 'FlushInProgressCount' : [ 0x3c, ['unsigned long']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'StartingFrame' : [ 0x4c, ['unsigned long']], 'WaitingForDeletion' : [ 0x50, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x58, ['__unnamed_1585']], 'LockedPages' : [ 0x68, ['long long']], 'ViewList' : [ 0x70, ['_LIST_ENTRY']], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_MMPAGING_FILE' : [ 0x90, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'File' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x38, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x48, ['_UNICODE_STRING']], 'Bitmap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'EvictStoreBitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x68, ['unsigned long']], 'LastAllocationSize' : [ 0x6c, ['unsigned long']], 'ToBeEvictedCount' : [ 0x70, ['unsigned long']], 'PageFileNumber' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned 
short')]], 'AdriftMdls' : [ 0x76, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x76, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['unsigned long long']], 'LockOwner' : [ 0x88, ['pointer64', ['_ETHREAD']]], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '__unnamed_15be' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_15c1' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_15c4' : [ 0x8, { 'LongFlags3' : [ 0x0, ['unsigned long long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x40, { 'u1' : [ 0x0, ['__unnamed_15be']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c1']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c4']], } ], '__unnamed_15cc' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_15cc']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', 
['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '__unnamed_15d1' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x78, { 'u1' : [ 0x0, ['__unnamed_15be']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c1']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c4']], 'u2' : [ 0x40, ['__unnamed_15d1']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_15dc' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x68, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x18, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x28, ['unsigned long long']], 'MdlHack' : [ 0x30, ['__unnamed_15dc']], } ], '__unnamed_15e2' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_15e4' : [ 0x8, { 'KeepForever' : [ 0x0, ['unsigned long long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_15e2']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['__unnamed_15e4']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', 
['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_HHIVE' : [ 0x598, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x48, ['pointer64', ['void']]], 'BaseBlock' : [ 0x50, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x58, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x68, ['unsigned long']], 'DirtyAlloc' : [ 0x6c, ['unsigned long']], 'BaseBlockAlloc' : [ 0x70, ['unsigned long']], 'Cluster' : [ 0x74, ['unsigned long']], 'Flat' : [ 0x78, ['unsigned char']], 'ReadOnly' : [ 0x79, ['unsigned char']], 'DirtyFlag' : [ 0x7a, ['unsigned char']], 'HvBinHeadersUse' : [ 0x7c, ['unsigned long']], 'HvFreeCellsUse' : [ 0x80, ['unsigned long']], 'HvUsedCellsUse' : [ 0x84, ['unsigned long']], 'CmUsedCellsUse' : [ 0x88, ['unsigned long']], 'HiveFlags' : [ 0x8c, ['unsigned long']], 'CurrentLog' : [ 0x90, ['unsigned long']], 'LogSize' : [ 0x94, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x9c, ['unsigned long']], 
'StorageTypeCount' : [ 0xa0, ['unsigned long']], 'Version' : [ 0xa4, ['unsigned long']], 'Storage' : [ 0xa8, ['array', 2, ['_DUAL']]], } ], '_CM_VIEW_OF_FILE' : [ 0x58, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x20, ['_LIST_ENTRY']], 'CmHive' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'Bcb' : [ 0x38, ['pointer64', ['void']]], 'ViewAddress' : [ 0x40, ['pointer64', ['void']]], 'FileOffset' : [ 0x48, ['unsigned long']], 'Size' : [ 0x4c, ['unsigned long']], 'UseCount' : [ 0x50, ['unsigned long']], } ], '_CMHIVE' : [ 0xbe0, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x598, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5c8, ['_LIST_ENTRY']], 'HiveList' : [ 0x5d8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x5e8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x5f8, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x600, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x610, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x618, ['unsigned long']], 'Identity' : [ 0x61c, ['unsigned long']], 'HiveLock' : [ 0x620, ['pointer64', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x628, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x630, ['pointer64', ['_KTHREAD']]], 'ViewLockLast' : [ 0x638, ['unsigned long']], 'ViewUnLockLast' : [ 0x63c, ['unsigned long']], 'WriterLock' : [ 0x640, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x648, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x650, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x660, ['pointer64', ['CMP_OFFSET_ARRAY']]], 'FlushOffsetArrayCount' : [ 0x668, ['unsigned long']], 'FlushHiveTruncated' : [ 0x66c, ['unsigned long']], 'FlushLock2' : [ 0x670, ['pointer64', ['_FAST_MUTEX']]], 'SecurityLock' : [ 0x678, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x680, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x690, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x6a0, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x6b0, ['unsigned short']], 'PinnedViewCount' : [ 0x6b2, 
['unsigned short']], 'UseCount' : [ 0x6b4, ['unsigned long']], 'ViewsPerHive' : [ 0x6b8, ['unsigned long']], 'FileObject' : [ 0x6c0, ['pointer64', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x6c8, ['unsigned long']], 'ActualFileSize' : [ 0x6d0, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x6d8, ['_UNICODE_STRING']], 'FileUserName' : [ 0x6e8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x6f8, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x708, ['unsigned long']], 'SecurityCacheSize' : [ 0x70c, ['unsigned long']], 'SecurityHitHint' : [ 0x710, ['long']], 'SecurityCache' : [ 0x718, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x720, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xb20, ['unsigned long']], 'UnloadEventArray' : [ 0xb28, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xb30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xb38, ['unsigned char']], 'UnloadWorkItem' : [ 0xb40, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0xb48, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xb70, ['unsigned char']], 'GrowOffset' : [ 0xb74, ['unsigned long']], 'KcbConvertListHead' : [ 0xb78, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xb88, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xb98, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xba0, ['unsigned long']], 'TrustClassEntry' : [ 0xba8, ['_LIST_ENTRY']], 'FlushCount' : [ 0xbb8, ['unsigned long']], 'CmRm' : [ 0xbc0, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xbc8, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xbcc, ['long']], 'CreatorOwner' : [ 0xbd0, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0xbd8, ['pointer64', ['_KTHREAD']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', 
dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0x10, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x10, ['unsigned long']], 'NextHash' : [ 0x18, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x20, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x28, ['unsigned long']], 'KcbPushlock' : [ 0x30, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x38, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x38, ['long']], 'SlotHint' : [ 0x40, ['unsigned long']], 'ParentKcb' : [ 0x48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x50, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x60, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x70, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x70, ['unsigned long']], 'SubKeyCount' : [ 0x70, ['unsigned long']], 'KeyBodyListHead' : [ 0x78, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x78, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x88, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa8, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xb0, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xb2, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xb4, ['unsigned long']], 'KcbUserFlags' : [ 0xb8, ['BitField', dict(start_bit = 0, 
end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb8, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '__unnamed_1668' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_HvpRecoverWholeHive', 10: '_HvpMapFileImageAndBuildMap', 11: '_CmpValidateHiveSecurityDescriptors', 12: '_HvpEnlistBinInMap', 13: '_CmCheckRegistry', 14: '_CmRegistryIO', 15: '_CmCheckRegistry2', 16: '_CmpCheckKey', 17: '_CmpCheckValueList', 18: '_HvCheckHive', 19: '_HvCheckBin'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_166b' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_166d' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_166f' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned 
long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_1671' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_1675' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_1679' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_167b' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_1668']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_1668']]], 'RegistryIO' : [ 0xd0, ['__unnamed_166b']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_166d']], 'CheckKey' : [ 0xf0, ['__unnamed_166f']], 'CheckValueList' : [ 0x110, ['__unnamed_1671']], 'CheckHive' : [ 0x128, ['__unnamed_1675']], 'CheckHive1' : [ 0x138, ['__unnamed_1675']], 'CheckBin' : [ 0x148, ['__unnamed_1679']], 'RecoverData' : [ 0x158, ['__unnamed_167b']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0x80, { 'IdleTime' : [ 0x0, ['unsigned long 
long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'DpcCount' : [ 0x38, ['unsigned long']], 'DpcRate' : [ 0x3c, ['unsigned long']], 'C1Time' : [ 0x40, ['unsigned long long']], 'C2Time' : [ 0x48, ['unsigned long long']], 'C3Time' : [ 0x50, ['unsigned long long']], 'C1Transitions' : [ 0x58, ['unsigned long long']], 'C2Transitions' : [ 0x60, ['unsigned long long']], 'C3Transitions' : [ 0x68, ['unsigned long long']], 'ParkingStatus' : [ 0x70, ['unsigned long']], 'CurrentFrequency' : [ 0x74, ['unsigned long']], 'PercentMaxFrequency' : [ 0x78, ['unsigned long']], 'StateFlags' : [ 0x7c, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0x28, { 'Count' : [ 0x0, ['unsigned 
short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 4, ['unsigned long long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0x18, { 'Affinity' : [ 0x0, ['pointer64', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x8, ['unsigned long long']], 'CurrentIndex' : [ 0x10, ['unsigned short']], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 
'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', ['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, 
['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependentList' : [ 0x50, ['_LIST_ENTRY']], 'ProviderList' : [ 0x60, ['_LIST_ENTRY']], } ], '__unnamed_1761' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, 
['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1763' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1767' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x268, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Level' : [ 0x50, ['unsigned long']], 'Notify' : [ 0x58, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xc0, ['_PO_IRP_MANAGER']], 'State' : [ 0xe0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0xe4, ['Enumeration', 
dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0xe8, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x138, ['unsigned long']], 'CompletionStatus' : [ 0x13c, ['long']], 'Flags' : [ 0x140, ['unsigned long']], 'UserFlags' : [ 0x144, ['unsigned long']], 'Problem' : [ 0x148, ['unsigned long']], 'ResourceList' : [ 0x150, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x158, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x160, ['pointer64', ['_DEVICE_OBJECT']]], 
'ResourceRequirements' : [ 0x168, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x174, ['unsigned long']], 'ChildInterfaceType' : [ 0x178, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x17c, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x180, ['unsigned short']], 'RemovalPolicy' : [ 0x182, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x183, ['unsigned char']], 'TargetDeviceNotify' : [ 0x188, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x198, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1a8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x1b8, ['unsigned short']], 'QueryTranslatorMask' : [ 0x1ba, ['unsigned short']], 'NoArbiterMask' : [ 0x1bc, ['unsigned short']], 'QueryArbiterMask' : [ 0x1be, ['unsigned short']], 'OverUsed1' : [ 0x1c0, ['__unnamed_1761']], 'OverUsed2' : [ 0x1c8, ['__unnamed_1763']], 'BootResources' : [ 0x1d0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x1d8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x1e0, ['unsigned long']], 'DockInfo' : [ 0x1e8, ['__unnamed_1767']], 'DisableableDepends' : [ 0x208, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x210, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x220, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 
0x230, ['unsigned long']], 'PreviousParent' : [ 0x238, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x240, ['unsigned long']], 'NumaNodeIndex' : [ 0x244, ['unsigned long']], 'ContainerID' : [ 0x248, ['_GUID']], 'OverrideFlags' : [ 0x258, ['unsigned char']], 'RequiresUnloadedDriver' : [ 0x259, ['unsigned char']], 'PendingEjectRelations' : [ 0x260, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], } ], '_KNODE' : [ 0xc0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'Affinity' : [ 0x40, ['_GROUP_AFFINITY']], 'ProximityId' : [ 0x50, ['unsigned long']], 'NodeNumber' : [ 0x54, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x56, ['unsigned short']], 'MaximumProcessors' : [ 0x58, ['unsigned char']], 'Color' : [ 0x59, ['unsigned char']], 'Flags' : [ 0x5a, ['_flags']], 'NodePad0' : [ 0x5b, ['unsigned char']], 'Seed' : [ 0x5c, ['unsigned long']], 'MmShiftedColor' : [ 0x60, ['unsigned long']], 'FreeCount' : [ 0x68, ['array', 2, ['unsigned long long']]], 'Right' : [ 0x78, ['unsigned long']], 'Left' : [ 0x7c, ['unsigned long']], 'CachedKernelStacks' : [ 0x80, ['_CACHED_KSTACK_LIST']], 'ParkLock' : [ 0xa0, ['long']], 'NodePad1' : [ 0xa4, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, 
['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned 
long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], 
'_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_180f' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 
'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_180f']], } ], '__unnamed_1816' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, 
['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1816']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_VOLUME_CACHE_MAP' : [ 0x38, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 
'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x20, ['unsigned long']], 'DirtyPages' : [ 0x28, ['unsigned long long']], 'PagesQueuedToDisk' : [ 0x30, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x1f0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x100, ['unsigned long']], 'LazyWritePassCount' : [ 0x104, ['unsigned long']], 'UninitializeEvent' : [ 0x108, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x110, ['_KGUARDED_MUTEX']], 'LastUnmapBehindOffset' : [ 0x148, ['_LARGE_INTEGER']], 'Event' : [ 0x150, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x168, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 
0x170, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1d8, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1e0, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x1e8, ['unsigned long']], 'WritesInProgress' : [ 0x1ec, ['unsigned long']], } ], '__unnamed_1888' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_1888']], 'Links' : [ 0x18, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x28, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '__unnamed_18a6' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_18a8' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_18aa' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_18ac' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_18ae' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_18a6']], 'Write' : [ 0x0, ['__unnamed_18a8']], 'Event' : [ 0x0, ['__unnamed_18aa']], 'Notification' : [ 0x0, ['__unnamed_18ac']], } ], '_WORK_QUEUE_ENTRY' : [ 0x20, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_18ae']], 'Function' : [ 0x18, ['unsigned char']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], 
'_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x208, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x90, ['unsigned long long']], 'Interceptor' : [ 0x98, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x9c, ['unsigned long']], 'Signature' : [ 0xa0, ['unsigned long']], 'SegmentReserve' : [ 0xa8, ['unsigned long long']], 'SegmentCommit' : [ 0xb0, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb8, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xc0, ['unsigned long long']], 
'TotalFreeSize' : [ 0xc8, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xd0, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd8, ['unsigned short']], 'HeaderValidateLength' : [ 0xda, ['unsigned short']], 'HeaderValidateCopy' : [ 0xe0, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe8, ['unsigned short']], 'MaximumTagIndex' : [ 0xea, ['unsigned short']], 'TagEntries' : [ 0xf0, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf8, ['_LIST_ENTRY']], 'AlignRound' : [ 0x108, ['unsigned long long']], 'AlignMask' : [ 0x110, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x118, ['_LIST_ENTRY']], 'SegmentList' : [ 0x128, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x138, ['unsigned short']], 'NonDedicatedListLength' : [ 0x13c, ['unsigned long']], 'BlocksIndex' : [ 0x140, ['pointer64', ['void']]], 'UCRIndex' : [ 0x148, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x150, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x158, ['_LIST_ENTRY']], 'LockVariable' : [ 0x168, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x170, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'Counters' : [ 0x188, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x1f8, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_18ff' : [ 0x28, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x28, { 'Lock' : [ 0x0, ['__unnamed_18ff']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, 
['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 
'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_PEB' : [ 0x380, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', 
['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 
'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 
'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pContextData' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xe0, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 
'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ForwarderLinks' : [ 0x98, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0xa8, ['_LIST_ENTRY']], 'StaticLinks' : [ 0xb8, ['_LIST_ENTRY']], 'ContextInformation' : [ 0xc8, ['pointer64', ['void']]], 'OriginalBase' : [ 0xd0, ['unsigned long long']], 'LoadTime' : [ 0xd8, ['_LARGE_INTEGER']], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'LocalInfo' : [ 0x0, ['pointer64', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '__unnamed_197d' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_197f' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_197d']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1981' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1983' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1981']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_197f']], 'u2' : [ 0x4, ['__unnamed_1983']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x38, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 
'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], 'LookasideIndex' : [ 0x30, ['unsigned long']], } ], '__unnamed_199c' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_199e' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_199c']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x20, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_199e']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x14, ['long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_19b1' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_19b3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19b1']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, 
['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_19b3']], 'NumberOfRegions' : [ 0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_19b9' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_19bb' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19b9']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_19bb']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_19c1' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_19c3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19c1']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_19c3']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x40, { 
'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_19df' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], 
'__unnamed_19e1' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19df']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1a0, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x88, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x98, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa8, ['_LIST_ENTRY']], 'WaitQueue' : [ 0xb8, ['_LIST_ENTRY']], 'Semaphore' : [ 0xc8, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xc8, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0xd0, ['_ALPC_PORT_ATTRIBUTES']], 'Lock' : [ 0x118, ['_EX_PUSH_LOCK']], 'ResourceListLock' : [ 0x120, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x128, ['_LIST_ENTRY']], 'CompletionList' : [ 0x138, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0x140, ['pointer64', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0x148, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x150, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x158, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x168, ['long']], 'u1' : [ 0x16c, ['__unnamed_19e1']], 'TargetQueuePort' : [ 0x170, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x178, ['pointer64', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x180, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x188, ['unsigned long']], 'PendingQueueLength' : [ 0x18c, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x190, ['unsigned long']], 'CanceledQueueLength' : [ 0x194, ['unsigned long']], 'WaitQueueLength' : [ 0x198, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0xd0, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, 
['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'Key' : [ 0xb8, ['unsigned long']], 'CallbackList' : [ 0xc0, ['_LIST_ENTRY']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_197f']], 'u2' : [ 0x4, ['__unnamed_1983']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_19fe' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned 
long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1a00' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19fe']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x100, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x10, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0x18, ['unsigned long long']], 'QuotaProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x20, ['pointer64', ['void']]], 'SequenceNo' : [ 0x28, ['long']], 'u1' : [ 0x2c, ['__unnamed_1a00']], 'CancelSequencePort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x40, ['long']], 'CancelListEntry' : [ 0x48, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x68, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x70, ['pointer64', ['_ALPC_PORT']]], 'MessageAttributes' : [ 0x78, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xb0, ['pointer64', ['void']]], 'DataSystemVa' : [ 0xb8, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xc0, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xc8, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xd0, ['pointer64', ['_ETHREAD']]], 'PortMessage' : [ 0xd8, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, 
['pointer64', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1a3f' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a41' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a3f']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1a41']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'Flags' : [ 0x28, ['unsigned long']], 'TotalLength' : [ 
0x2c, ['unsigned short']], 'Type' : [ 0x2e, ['unsigned short']], 'DataInfoOffset' : [ 0x30, ['unsigned short']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x48, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xb8, { 'Type' : [ 
0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, ['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned char']], 'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'DriverCreateContext' : [ 0x98, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, 
['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x330, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'CollectionOn' : [ 0xc, ['long']], 'LoggerMode' : [ 0x10, ['unsigned long']], 'AcceptNewEvents' : [ 0x14, ['long']], 'GetCpuClock' : [ 0x18, ['pointer64', ['void']]], 'StartTime' : [ 0x20, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'NBQHead' : [ 0x40, ['pointer64', ['void']]], 'OverflowNBQHead' : [ 0x48, ['pointer64', ['void']]], 'QueueBlockFreeList' : [ 0x50, ['_SLIST_HEADER']], 'GlobalList' : [ 0x60, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x70, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x70, ['_EX_FAST_REF']], 'LoggerName' : [ 0x78, ['_UNICODE_STRING']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x98, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xa8, ['_UNICODE_STRING']], 'ClockType' : [ 0xb8, ['unsigned long']], 'MaximumFileSize' : [ 0xbc, ['unsigned long']], 'LastFlushedBuffer' : [ 0xc0, ['unsigned long']], 'FlushTimer' : [ 0xc4, ['unsigned long']], 'FlushThreshold' : [ 0xc8, ['unsigned long']], 'ByteOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xd8, ['unsigned long']], 'BuffersAvailable' : [ 0xdc, ['long']], 'NumberOfBuffers' : [ 0xe0, ['long']], 'MaximumBuffers' : [ 0xe4, ['unsigned long']], 'EventsLost' : [ 0xe8, ['unsigned long']], 'BuffersWritten' : [ 0xec, ['unsigned long']], 'LogBuffersLost' : [ 0xf0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xf4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xf8, ['unsigned long']], 'SequencePtr' : [ 0x100, ['pointer64', ['long']]], 'LocalSequence' : [ 0x108, ['unsigned long']], 'InstanceGuid' : [ 0x10c, ['_GUID']], 'FileCounter' : [ 0x11c, ['long']], 'BufferCallback' : [ 0x120, 
['pointer64', ['void']]], 'PoolType' : [ 0x128, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x130, ['_ETW_REF_CLOCK']], 'Consumers' : [ 0x140, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x150, ['unsigned long']], 'TransitionConsumer' : [ 0x158, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x160, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x168, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x178, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x180, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x188, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x190, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x198, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1a0, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1a8, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1b8, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1c0, ['_KEVENT']], 'FlushEvent' : [ 0x1d8, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x1f0, ['_KTIMER']], 'FlushDpc' : [ 0x230, ['_KDPC']], 'LoggerMutex' : [ 0x270, ['_KMUTANT']], 'LoggerLock' : [ 0x2a8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2b0, ['unsigned long long']], 'BufferListPushLock' : [ 0x2b0, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2b8, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x300, ['_EX_FAST_REF']], 'BufferSequenceNumber' : [ 0x308, ['long long']], 'Flags' : [ 0x310, ['unsigned 
long']], 'Persistent' : [ 0x310, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x310, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x310, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x310, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x310, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x310, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x310, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x310, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x310, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x310, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'RequestFlag' : [ 0x314, ['unsigned long']], 'RequestNewFie' : [ 0x314, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x314, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x314, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x314, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x314, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RequestConnectConsumer' : [ 0x314, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HookIdMap' : [ 0x318, ['_RTL_BITMAP']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_BUFFER_HANDLE' : [ 0x10, { 'TraceBuffer' : [ 0x0, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'BufferFastRef' : [ 
0x8, ['pointer64', ['_EX_FAST_REF']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_NBQUEUE_BLOCK' : [ 0x20, { 'SListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'Next' : [ 0x10, ['unsigned long long']], 'Data' : [ 0x18, ['unsigned long long']], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned 
short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x1b0, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['array', 8, ['pointer64', ['_EVENT_FILTER_HEADER']]]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x310, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned 
long']], 'UserAndGroups' : [ 0x90, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa0, ['pointer64', ['void']]], 'DynamicPart' : [ 0xa8, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb0, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc0, ['unsigned long']], 'TokenInUse' : [ 0xc4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xc8, ['unsigned long']], 'MandatoryPolicy' : [ 0xcc, ['unsigned long']], 'LogonSession' : [ 0xd0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xd8, ['_LUID']], 'SidHash' : [ 0xe0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f0, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x300, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'VariablePart' : [ 0x308, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x50, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, 
['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], 'HashIndex' : [ 0x14, ['unsigned short']], 'DirectoryLocked' : [ 0x16, ['unsigned char']], 'LockedExclusive' : [ 0x17, ['unsigned char']], 'LockStateSignature' : [ 0x18, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 
'Flags' : [ 0x148, ['unsigned long']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS3' : [ 0x8, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'LargePageCreating' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'Spare3' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned 
long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 
0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', 
['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Coalescable' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KeepShifting' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 
'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CpuThrottled' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved2' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], 
'_HEAP_COUNTERS' : [ 0x70, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'CompactHeapCalls' : [ 0x48, ['unsigned long']], 'CompactedUCRs' : [ 0x4c, ['unsigned long']], 'AllocAndFreeOps' : [ 0x50, ['unsigned long']], 'InBlockDeccommits' : [ 0x54, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x58, ['unsigned long long']], 'HighWatermarkSize' : [ 0x60, ['unsigned long long']], 'LastPolledSize' : [ 0x68, ['unsigned long long']], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, 
['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], } ], '_I386_LOADER_BLOCK' : [ 0x10, { 'CommonDataArea' : [ 0x0, ['pointer64', ['void']]], 'MachineType' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x10, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, 
['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_HANDLE_TABLE' : [ 0x68, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x20, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x38, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x40, ['long']], 'Flags' : [ 0x44, ['unsigned long']], 'StrictFIFO' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x48, ['unsigned long']], 'LastFreeHandleEntry' : [ 0x50, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x58, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x5c, ['unsigned long']], 'HandleCountHighWatermark' : [ 0x60, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 
'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 
'BlockState' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x78, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['_KAFFINITY_EX']], 'SamplingPeriod' : [ 0x38, ['unsigned long']], 'CurrentTemperature' : [ 0x3c, ['unsigned long']], 'PassiveTripPoint' : [ 0x40, 
['unsigned long']], 'CriticalTripPoint' : [ 0x44, ['unsigned long']], 'ActiveTripPointCount' : [ 0x48, ['unsigned char']], 'ActiveTripPoint' : [ 0x4c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x74, ['unsigned long']], } ], '__unnamed_1c5a' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1c5c' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1c5a']], 'Private' : [ 0x0, ['__unnamed_1c5c']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 
'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x10, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_1c7d' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1c83' : [ 0x8, { 
'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x90, { 'u1' : [ 0x0, ['__unnamed_15be']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c1']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c4']], 'u2' : [ 0x40, ['__unnamed_15d1']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u3' : [ 0x78, ['__unnamed_1c7d']], 'u4' : [ 0x88, ['__unnamed_1c83']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x1c8, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, 
['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xe0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'LimitFlags' : [ 0xf0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xf4, ['unsigned long']], 'Affinity' : [ 0xf8, ['_KAFFINITY_EX']], 'PriorityClass' : [ 0x120, ['unsigned char']], 'AccessState' : [ 0x128, ['pointer64', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0x130, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x134, ['unsigned long']], 'CompletionPort' : [ 0x138, ['pointer64', ['void']]], 'CompletionKey' : [ 0x140, ['pointer64', ['void']]], 'SessionId' : [ 0x148, ['unsigned long']], 'SchedulingClass' : [ 0x14c, ['unsigned long']], 'ReadOperationCount' : [ 0x150, ['unsigned long long']], 'WriteOperationCount' : [ 0x158, ['unsigned long long']], 'OtherOperationCount' : [ 0x160, ['unsigned long long']], 'ReadTransferCount' : [ 0x168, ['unsigned long long']], 'WriteTransferCount' : [ 0x170, ['unsigned long long']], 'OtherTransferCount' : [ 0x178, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x180, ['unsigned long long']], 'JobMemoryLimit' : [ 0x188, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x190, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x198, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x1a0, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x1a8, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x1b0, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x1c0, ['unsigned long']], 'JobFlags' : [ 0x1c4, 
['unsigned long']], } ], '__unnamed_1c97' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0xa0, { 'Count' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['__unnamed_1c97']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'OldState' : [ 0x10, ['unsigned long']], 'NewlyUnparked' : [ 0x14, ['unsigned char']], 'TargetProcessors' : [ 0x18, ['_KAFFINITY_EX']], 'State' : [ 0x40, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '__unnamed_1ca0' : [ 0x18, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x20, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_1ca0']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x88, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', 
['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned long']], 'ShutDownRequested' : [ 0x5c, ['unsigned char']], 'NewBuffersLost' : [ 0x5d, ['unsigned char']], 'Disconnected' : [ 0x5e, ['unsigned char']], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'Wow' : [ 0x84, ['unsigned char']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_KGUARDED_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['pointer64', ['pointer64', ['void']]]], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, 
['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, 
native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'Pad' : [ 0x65, ['array', 3, ['unsigned char']]], 'Mode' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x70, ['unsigned long']], 'DispatchCount' : [ 0x74, ['unsigned long']], 'Rsvd1' : [ 0x78, ['unsigned long long']], 'TrapFrame' : [ 0x80, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x88, ['pointer64', ['void']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['unsigned long']], } ], '_SID' : [ 0xc, 
{ 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x88, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 
0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, 
['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 
'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x98, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x20, ['pointer64', ['void']]], 'UserLimit' : [ 0x28, ['pointer64', ['void']]], 'DataUserVa' : [ 0x30, ['pointer64', ['void']]], 'SystemVa' : [ 0x38, ['pointer64', ['void']]], 'TotalSize' : [ 0x40, ['unsigned long long']], 'Header' : [ 0x48, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x50, ['pointer64', ['void']]], 'ListSize' : [ 0x58, ['unsigned long long']], 'Bitmap' : [ 0x60, ['pointer64', ['void']]], 'BitmapSize' : [ 0x68, ['unsigned long long']], 'Data' : [ 0x70, ['pointer64', ['void']]], 'DataSize' : [ 0x78, ['unsigned long long']], 'BitmapLimit' : [ 0x80, ['unsigned long']], 'BitmapNextHint' : [ 0x84, ['unsigned long']], 'ConcurrencyCount' : [ 0x88, ['unsigned long']], 'AttributeFlags' : [ 0x8c, ['unsigned long']], 'AttributeSize' : [ 0x90, ['unsigned long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, 
['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 
'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_IO_WORKITEM' : [ 0x40, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'Type' : [ 0x38, ['unsigned long']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' 
: [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], 
'_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x90, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0x18, { 'AnsiCodePageData' : [ 0x0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0x8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0x10, ['pointer64', ['void']]], } ], '_ALIGNED_AFFINITY_SUMMARY' : [ 0x80, { 'CpuSet' : [ 0x0, ['_KAFFINITY_EX']], 'SMTSet' : [ 0x28, ['_KAFFINITY_EX']], } ], '_XSTATE_CONFIGURATION' : [ 0x210, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'OptimizedSave' : [ 0xc, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x10, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'InStore' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_RTL_UMS_CONTEXT' : [ 0x540, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HasQuantumReq' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HasAffinityReq' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HasPriorityReq' : [ 0x4f0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4f0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x4f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'QuantumValue' : [ 0x500, ['unsigned long long']], 'AffinityMask' : [ 0x508, ['_GROUP_AFFINITY']], 'Priority' : [ 0x518, ['long']], 'PrimaryUmsContext' : [ 0x520, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x528, ['unsigned long']], 'KernelYieldCount' : [ 0x52c, ['unsigned long']], 'MixedYieldCount' : [ 0x530, ['unsigned long']], 'YieldCount' : [ 0x534, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : 
[ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } 
], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x100, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleAccounting' : [ 0x20, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'Hypervisor' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'PerfHistoryTotal' : [ 0x2c, ['unsigned long']], 'ThermalConstraint' : [ 0x30, ['unsigned char']], 'PerfHistoryCount' : [ 0x31, ['unsigned char']], 'PerfHistorySlot' : [ 0x32, ['unsigned char']], 'Reserved' : [ 0x33, ['unsigned char']], 'LastSysTime' : [ 0x34, ['unsigned 
long']], 'WmiDispatchPtr' : [ 0x38, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0x40, ['long']], 'FFHThrottleStateInfo' : [ 0x48, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x68, ['_KDPC']], 'PerfActionMask' : [ 0xa8, ['long']], 'IdleCheck' : [ 0xb0, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0xc0, ['_PROC_IDLE_SNAP']], 'Domain' : [ 0xd0, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0xd8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Load' : [ 0xe0, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0xe8, ['pointer64', ['_PROC_HISTORY_ENTRY']]], 'Utility' : [ 0xf0, ['unsigned long']], 'OverUtilizedHistory' : [ 0xf4, ['unsigned long']], 'AffinityCount' : [ 0xf8, ['unsigned long']], 'AffinityHistory' : [ 0xfc, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 
0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], 
'_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 
'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 
'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x2c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'BucketLimits' : [ 0x18, ['array', 16, ['unsigned long long']]], 'State' : [ 0x98, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 
'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_TEB64' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, 
['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 
0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 
0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xa0, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, 
['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x90, ['unsigned long']], 'PreviousActivityCounter' : [ 0x94, ['unsigned long']], 'WorkerTrimRequests' : [ 0x98, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x8, ['_KGATE']], } ], '_ETIMER' : [ 0x110, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], 
'_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1e02' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_1e02']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x698, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 
'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x150, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3f0, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x690, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '__unnamed_1e5b' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1e5d' : [ 0x8, { 'Last' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_1e5b']], } ], '__unnamed_1e5f' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1e5b']], } ], '__unnamed_1e61' : [ 0x8, { 'OldCell' : [ 0x0, ['__unnamed_1e5d']], 'NewCell' : [ 0x0, ['__unnamed_1e5f']], } ], '_HCELL' : [ 0xc, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e61']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x30, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'PercentageCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'TargetFrequency' : [ 0x18, ['unsigned long']], 'AcumulatedFullFrequency' : [ 0x1c, ['unsigned long']], 'AcumulatedZeroFrequency' : [ 0x20, ['unsigned long']], 
'FrequencyHistoryTotal' : [ 0x24, ['unsigned long']], 'AverageFrequency' : [ 0x28, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 
0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], 'Pad0' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1e74' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e78' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, 
['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1e7a' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1e7c' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1e7e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1e80' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1e82' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e84' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e86' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e88' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1e74']], 'Memory' : [ 0x0, ['__unnamed_1e74']], 'Interrupt' : [ 0x0, ['__unnamed_1e78']], 'Dma' : [ 0x0, ['__unnamed_1e7a']], 'Generic' : [ 0x0, ['__unnamed_1e74']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e7c']], 'BusNumber' : [ 0x0, ['__unnamed_1e7e']], 'ConfigData' : [ 0x0, ['__unnamed_1e80']], 'Memory40' : [ 0x0, ['__unnamed_1e82']], 'Memory48' : [ 0x0, ['__unnamed_1e84']], 'Memory64' : [ 0x0, ['__unnamed_1e86']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned 
char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1e88']], } ], '_POP_THERMAL_ZONE' : [ 0x1e8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc8, ['pointer64', ['_IRP']]], 'Info' : [ 0xd0, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0x148, ['_LARGE_INTEGER']], 'Metrics' : [ 0x150, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, 
['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_CM_WORKITEM' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x98, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x68, ['unsigned long']], 'PassiveCount' : [ 0x6c, ['unsigned long']], 'LastActiveStartTick' : [ 0x70, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x78, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x80, ['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x88, ['_LARGE_INTEGER']], 'StartTickSinceLastReset' : [ 0x90, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0xa8, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 
'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '__unnamed_1ec3' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1ec5' : [ 0x18, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1ec3']], } ], '_VF_TARGET_DRIVER' : [ 0x30, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x10, ['__unnamed_1ec5']], 'VerifiedData' : [ 0x28, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_1ecd' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1ecf' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ed1' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ed3' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_1ed5' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1ed7' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ed9' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], 
'__unnamed_1edb' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1edd' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1edf' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_1ee1' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1ecd']], 'TargetDevice' : [ 0x0, ['__unnamed_1ecf']], 'InstallDevice' : [ 0x0, ['__unnamed_1ed1']], 'CustomNotification' : [ 0x0, ['__unnamed_1ed3']], 'ProfileNotification' : [ 0x0, ['__unnamed_1ed5']], 'PowerNotification' : [ 0x0, ['__unnamed_1ed7']], 'VetoNotification' : [ 0x0, ['__unnamed_1ed9']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1edb']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1edd']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1edf']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_1ed1']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_1ee1']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : 
[ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_PS_CPU_QUOTA_BLOCK' : [ 0x4080, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'CpuShareWeight' : [ 0x14, ['unsigned long']], 'CapturedWeightData' : [ 0x18, ['_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA']], 'DuplicateInputMarker' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x20, ['long']], 'BlockCurrentGenerationLock' : [ 0x0, ['unsigned long long']], 'CyclesAccumulated' : [ 0x8, ['unsigned long long']], 'CycleCredit' : [ 0x40, ['unsigned long long']], 'BlockCurrentGeneration' : [ 0x48, ['unsigned long']], 'CpuCyclePercent' : [ 0x4c, ['unsigned long']], 'CyclesFinishedForCurrentGeneration' : [ 0x50, ['unsigned char']], 'Cpu' : [ 0x80, ['array', 256, ['_PS_PER_CPU_QUOTA_CACHE_AWARE']]], } ], '__unnamed_1efd' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, 
['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1efd']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 
'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 
'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '__unnamed_1f32' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_1f32']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_PS_PER_CPU_QUOTA_CACHE_AWARE' : [ 0x40, { 'SortedListEntry' : [ 0x0, ['_LIST_ENTRY']], 'IdleOnlyListHead' : [ 0x10, ['_LIST_ENTRY']], 'CycleBaseAllowance' : [ 0x20, ['unsigned long long']], 'CyclesRemaining' : [ 0x28, ['long long']], 'CurrentGeneration' : [ 0x30, ['unsigned long']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' 
: [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, 
['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 
0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x248, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 
0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'HotpatchInformation' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 
'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, 
['unsigned long']], 'pContextData' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, ['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_KBUGCHECK_ACTIVE_STATE' : [ 0x4, { 'BugCheckState' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'RecursionCount' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'BugCheckOwner' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['long']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_SYSTEM_IDLE' : [ 0x38, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned char']], 'IdleWorker' : [ 0x25, ['unsigned char']], 'Sampling' : [ 0x26, ['unsigned char']], 'LastTick' : [ 0x28, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x30, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x18, { 'SharedExportThunks' 
: [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x20, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x18, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 
'VirtualEfiRuntimeServices' : [ 0x8, ['pointer64', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x10, ['long']], 'MissedMappingsCount' : [ 0x14, ['unsigned long']], } ], '__unnamed_1fa7' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fa9' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1fab' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1fad' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_1fab']], 'Translated' : [ 0x0, ['__unnamed_1fa9']], } ], '__unnamed_1faf' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb1' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb3' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb5' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb7' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb9' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fbb' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_1fa7']], 'Port' : [ 0x0, ['__unnamed_1fa7']], 'Interrupt' : [ 0x0, ['__unnamed_1fa9']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1fad']], 'Memory' : [ 0x0, ['__unnamed_1fa7']], 'Dma' : [ 0x0, ['__unnamed_1faf']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e7c']], 'BusNumber' : [ 0x0, ['__unnamed_1fb1']], 'DeviceSpecificData' : [ 0x0, 
['__unnamed_1fb3']], 'Memory40' : [ 0x0, ['__unnamed_1fb5']], 'Memory48' : [ 0x0, ['__unnamed_1fb7']], 'Memory64' : [ 0x0, ['__unnamed_1fb9']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1fbb']], } ], '__unnamed_1fc0' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1fc0']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_1fca' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_1fca']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x48, { 'Parent' : [ 0x0, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x8, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x10, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0x18, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1fd4' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', 
['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x28, { 'u' : [ 0x0, ['__unnamed_1f32']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_1fd4']], 'LeftChild' : [ 0x18, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x20, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1fdc' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1fde' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1fdc']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x58, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x40, ['_LIST_ENTRY']], 'Specific' : [ 0x50, ['__unnamed_1fde']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], 
'_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 
'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8_kdbg.py0000644000000000000000000002722613131215405026613 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. 
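#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import struct
import volatility.obj as obj
import volatility.addrspace as addrspace
import volatility.constants as constants
import volatility.utils as utils
import volatility.plugins.overlays.windows.win8 as win8
import volatility.plugins.overlays.windows.windows as windows_main
import volatility.plugins.patchguard as patchguard
import volatility.registry as registry

# distorm3 is optional at import time; every code path that disassembles
# must check has_distorm before touching the distorm3 name.
try:
    import distorm3
    has_distorm = True
except ImportError:
    has_distorm = False

class VolatilityKDBG(obj.VolatilityMagic):
    """A Scanner for KDBG data within an address space.

    This implementation is specific for Windows 8 / 2012
    64-bit versions because the KDBG block is encoded. We
    have to find it a special way and then perform the
    decoding routine before Volatility plugins can run.

    Everything read here (code bytes, key values, the block itself)
    comes from the memory image under analysis, so each step either
    validates what it read or returns an obj.NoneObject explaining
    why the candidate was rejected.
    """

    def v(self):
        """The --kdbg parameter for this Win8/2012 KDBG
        structure is the virtual address of the
        nt!KdCopyDataBlock function (see kdbgscan output).

        Returns the decoded KDBG object for the configured address, or
        the best scan suggestion when no address was supplied.
        """
        if self.value is None:
            return self.get_best_suggestion()
        else:
            return self.copy_data_block(self.value)

    def get_suggestions(self):
        """Yield the result for the user-supplied address first (if
        any), followed by every candidate found by scanning."""
        if self.value:
            yield self.copy_data_block(self.value)
        for x in self.generate_suggestions():
            yield x

    def decode_kdbg(self, vals):
        """Decode the KDBG block using the provided
        magic values and the algorithm reversed from
        the Windows kernel file.

        vals is the tuple (block_encoded, kdbg_block, wait_never,
        wait_always) collected by copy_data_block. Returns the decoded
        block as a byte string.
        """
        block_encoded, kdbg_block, wait_never, wait_always = vals
        # just take the maximum. if we decode a tiny bit of
        # extra data in some cases, its totally fine.
        kdbg_size = max(self.unique_sizes())

        entries = obj.Object("Array",
                             targetType = "unsigned long long",
                             count = kdbg_size // 8,
                             offset = kdbg_block, vm = self.obj_vm)

        # Neither value depends on the entry being decoded, so compute
        # them once instead of on every iteration.
        low_byte = (wait_never & 0xFFFFFFFF) & 0xFF
        swap_xor = block_encoded.obj_offset | 0xFFFF000000000000

        # Collect the 8-byte chunks and join once rather than growing a
        # string (the old local was also named after the buffer builtin).
        chunks = []
        for entry in entries:
            entry = patchguard.rol(entry ^ wait_never, low_byte)
            entry = patchguard.bswap(entry ^ swap_xor)
            chunks.append(struct.pack("Q", entry ^ wait_always))
        return "".join(chunks)

    def unique_sizes(self):
        """Determine the possible KDBG sizes to scan for,
        across all profiles Win8 x64 and above. We do this by reflecting
        back on the profile modifications to see which ones
        would trigger and then grabbing the KDBG size.

        Returns a set of sizes; it is empty when no registered
        modification matches.
        """
        items = registry.get_plugin_classes(windows_main.AbstractKDBGMod).items()

        sizes = set()
        for _name, cls in items:
            try:
                if (not cls.conditions["os"]("windows") or
                        not cls.conditions["major"](6)):
                    continue
                sizes.add(cls.kdbgsize)
            except Exception:
                # Best effort: a modification lacking these conditions or
                # a kdbgsize is skipped. Exception (not a bare except)
                # keeps KeyboardInterrupt/SystemExit propagating.
                continue
        return sizes

    def copy_data_block(self, full_addr):
        """This function emulates nt!KdCopyDataBlock on a live
        machine by finding the encoded KDBG structure and using
        the required entropy values to decode it.

        full_addr is the candidate virtual address of the function.
        Returns a _KDDEBUGGER_DATA64 object whose OwnerTag validated, or
        an obj.NoneObject describing why the candidate was rejected.
        """
        # v() and get_suggestions() reach this method directly when
        # --kdbg is supplied, bypassing the check in
        # generate_suggestions(); without this guard a missing distorm3
        # surfaces as a NameError instead of a reportable failure.
        if not has_distorm:
            return obj.NoneObject("The distorm3 Python library is required")

        sizes = self.unique_sizes()
        alignment = 8
        addr_space = self.obj_vm
        bits = distorm3.Decode64Bits

        # nt!KdCopyDataBlock is about 100 bytes, we don't want to read
        # too little and truncate the function, but too much will reach
        # into other function's space
        code = addr_space.read(full_addr, 300)

        # potentially we crossed a boundary into swapped or unallocated space
        # NOTE(review): == None is kept rather than "is None"; presumably
        # the read can also return an obj.NoneObject - confirm.
        if code == None:
            return obj.NoneObject("Crossed a code boundary")

        # Cheap pre-filter before disassembling: the code must embed a
        # known KDBG size divided by the alignment as a 32-bit value.
        found_size = False
        for size in sizes:
            val = struct.pack("I", size // alignment)
            if code.find(val) != -1:
                found_size = True
                break

        if not found_size:
            return obj.NoneObject("Cannot find KDBG size signature")

        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))
        if version < (6, 4):
            # we don't perform this check for Windows 10.x
            found_str = False
            for size in sizes:
                val = struct.pack("I", size)
                if code.find(val) != -1:
                    found_str = True
                    break
            if not found_str:
                return obj.NoneObject("Cannot find KDBG size signature")

        ops = list(distorm3.Decompose(full_addr, code, bits))

        # nt!KdDebuggerDataBlock
        kdbg_block = None
        # nt!KiWaitNever
        wait_never = None
        # nt!KiWaitAlways
        wait_always = None
        # nt!KdpDataBlockEncoded
        block_encoded = None

        # collect instructions up to the first RET
        before_ret = []
        # we need a bswap instruction to be valid
        found_bswap = False

        for op in ops:
            if op.mnemonic == "BSWAP":
                found_bswap = True
            elif op.mnemonic == "RET":
                break
            else:
                before_ret.append(op)

        if not found_bswap:
            return obj.NoneObject("No bswap instruction found")

        for op in before_ret:
            # cmp cs:KdpDataBlockEncoded, 0
            if (not block_encoded and op.mnemonic == "CMP"
                    and op.operands[0].type == "AbsoluteMemory"
                    and op.operands[1].type == "Immediate"
                    and op.operands[1].value == 0):
                # an x64 RIP turned absolute
                offset = op.address + op.size + op.operands[0].disp
                block_encoded = obj.Object("unsigned char",
                                           offset = offset,
                                           vm = addr_space)
            # lea rdx, KdDebuggerDataBlock
            elif (not kdbg_block and op.mnemonic == "LEA"
                    and op.operands[0].type == "Register"
                    and op.operands[0].size == 64
                    and op.operands[1].type == "AbsoluteMemory"
                    and op.operands[1].dispSize == 32):
                kdbg_block = op.address + op.size + op.operands[1].disp
            # mov r10, cs:KiWaitNever
            elif (not wait_never and op.mnemonic == "MOV"
                    and op.operands[0].type == "Register"
                    and op.operands[0].size == 64
                    and op.operands[1].type == "AbsoluteMemory"
                    and op.operands[1].dispSize == 32):
                offset = op.address + op.size + op.operands[1].disp
                wait_never = obj.Object("unsigned long long",
                                        offset = offset,
                                        vm = addr_space)
            # mov r11, cs:KiWaitAlways (Win 8 x64)
            # xor rdx, cs:KiWaitAlways (Win 8.1 x64)
            elif (not wait_always and op.mnemonic in ["MOV", "XOR"]
                    and op.operands[0].type == "Register"
                    and op.operands[0].size == 64
                    and op.operands[1].type == "AbsoluteMemory"
                    and op.operands[1].dispSize == 32):
                offset = op.address + op.size + op.operands[1].disp
                wait_always = obj.Object("unsigned long long",
                                         offset = offset,
                                         vm = addr_space)
                # KiWaitAlways is the last value needed; stop matching.
                break

        # check if we've found all the required offsets
        if (block_encoded != None
                and kdbg_block != None
                and wait_never != None
                and wait_always != None):

            # some acquisition tools decode the KDBG block but leave
            # nt!KdpDataBlockEncoded set, so we handle it here.
            tag_offset = addr_space.profile.get_obj_offset(
                "_DBGKD_DEBUG_DATA_HEADER64", "OwnerTag")
            signature = addr_space.read(kdbg_block + tag_offset, 4)
            needs_decoding = block_encoded == 1 and signature != "KDBG"

            if needs_decoding:
                vals = block_encoded, kdbg_block, wait_never, wait_always
                data = self.decode_kdbg(vals)
                # Overlay the decoded bytes at the block's own address so
                # the structure is parsed from them, not the raw image.
                buff = addrspace.BufferAddressSpace(
                            config = addr_space.get_config(),
                            base_offset = kdbg_block,
                            data = data)
                kdbg = obj.Object("_KDDEBUGGER_DATA64",
                                  offset = kdbg_block,
                                  vm = buff,
                                  native_vm = addr_space)
            else:
                kdbg = obj.Object("_KDDEBUGGER_DATA64",
                                  offset = kdbg_block,
                                  vm = addr_space)

            kdbg.newattr('KdCopyDataBlock', full_addr)
            kdbg.newattr('block_encoded', needs_decoding)
            kdbg.newattr('wait_never', wait_never)
            kdbg.newattr('wait_always', wait_always)

            # 0x4742444b is "KDBG" read as a little-endian 32-bit value.
            # This tag is the only validation of the decoded result.
            if kdbg.Header.OwnerTag == 0x4742444b:
                return kdbg

        return obj.NoneObject("Cannot find decoding entropy values")

    def generate_suggestions(self):
        """Generates a list of possible KDBG structure locations"""

        if not has_distorm:
            # The distorm3 Python library is required. A bare return ends
            # the generator exactly as the former raise StopIteration(...)
            # did, and stays valid where raising StopIteration inside a
            # generator is an error (PEP 479).
            return

        overlap = 20
        offset = 0
        current_offset = offset

        addr_space = self.obj_vm

        addresses = sorted(addr_space.get_available_addresses())

        for (range_start, range_size) in addresses:
            # Jump to the next available point to scan from
            current_offset = max(range_start, current_offset)
            range_end = range_start + range_size

            # Ranges whose scan position is below this address are skipped.
            if current_offset < 0xf80000000000:
                continue

            while (current_offset < range_end):
                # Figure out how much data to read
                length = min(constants.SCAN_BLOCKSIZE + overlap,
                             range_end - current_offset)

                data = addr_space.zread(current_offset, length)

                # "\x80\x3D" marks candidate function starts; presumably
                # the opcode bytes of "cmp cs:KdpDataBlockEncoded, 0".
                # Each hit is then checked in full by copy_data_block.
                for addr in utils.iterfind(data, "\x80\x3D"):
                    full_addr = addr + current_offset
                    result = self.copy_data_block(full_addr)
                    if result:
                        yield result

                current_offset += min(constants.SCAN_BLOCKSIZE, length)

class Win8x64VolatilityKDBG(obj.ProfileModification):
    """Apply the KDBG finder for x64"""

    before = ['WindowsOverlay', 'WindowsObjectClasses']
    # Applies to 64-bit Windows profiles with major 6 and minor >= 2.
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 2,
                  'memory_model': lambda x: x == "64bit"}

    def modification(self, profile):
        # Register the scanner under the VolatilityKDBG object class name.
        profile.object_classes.update({"VolatilityKDBG": VolatilityKDBG})

volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/vista_sp0_x86_syscalls.py0000644000000000000000000012474413131215405031274 0ustar rootroot
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2011 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .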
# syscalls = [ [ 'NtAcceptConnectPort', # 0x0 'NtAccessCheck', # 0x1 'NtAccessCheckAndAuditAlarm', # 0x2 'NtAccessCheckByType', # 0x3 'NtAccessCheckByTypeAndAuditAlarm', # 0x4 'NtAccessCheckByTypeResultList', # 0x5 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7 'NtAddAtom', # 0x8 'NtAddBootEntry', # 0x9 'NtAddDriverEntry', # 0xa 'NtAdjustGroupsToken', # 0xb 'NtAdjustPrivilegesToken', # 0xc 'NtAlertResumeThread', # 0xd 'NtAlertThread', # 0xe 'NtAllocateLocallyUniqueId', # 0xf 'NtAllocateUserPhysicalPages', # 0x10 'NtAllocateUuids', # 0x11 'NtAllocateVirtualMemory', # 0x12 'NtAlpcAcceptConnectPort', # 0x13 'NtAlpcCancelMessage', # 0x14 'NtAlpcConnectPort', # 0x15 'NtAlpcCreatePort', # 0x16 'NtAlpcCreatePortSection', # 0x17 'NtAlpcCreateResourceReserve', # 0x18 'NtAlpcCreateSectionView', # 0x19 'NtAlpcCreateSecurityContext', # 0x1a 'NtAlpcDeletePortSection', # 0x1b 'NtAlpcDeleteResourceReserve', # 0x1c 'NtAlpcDeleteSectionView', # 0x1d 'NtAlpcDeleteSecurityContext', # 0x1e 'NtAlpcDisconnectPort', # 0x1f 'NtAlpcImpersonateClientOfPort', # 0x20 'NtAlpcOpenSenderProcess', # 0x21 'NtAlpcOpenSenderThread', # 0x22 'NtAlpcQueryInformation', # 0x23 'NtAlpcQueryInformationMessage', # 0x24 'NtAlpcRevokeSecurityContext', # 0x25 'NtAlpcSendWaitReceivePort', # 0x26 'NtAlpcSetInformation', # 0x27 'NtApphelpCacheControl', # 0x28 'NtAreMappedFilesTheSame', # 0x29 'NtAssignProcessToJobObject', # 0x2a 'NtCallbackReturn', # 0x2b 'NtCancelDeviceWakeupRequest', # 0x2c 'NtCancelIoFile', # 0x2d 'NtCancelTimer', # 0x2e 'NtClearEvent', # 0x2f 'NtClose', # 0x30 'NtCloseObjectAuditAlarm', # 0x31 'NtCompactKeys', # 0x32 'NtCompareTokens', # 0x33 'NtCompleteConnectPort', # 0x34 'NtCompressKey', # 0x35 'NtConnectPort', # 0x36 'NtContinue', # 0x37 'NtCreateDebugObject', # 0x38 'NtCreateDirectoryObject', # 0x39 'NtCreateEvent', # 0x3a 'NtCreateEventPair', # 0x3b 'NtCreateFile', # 0x3c 'NtCreateIoCompletion', # 0x3d 'NtCreateJobObject', 
# 0x3e 'NtCreateJobSet', # 0x3f 'NtCreateKey', # 0x40 'NtCreateKeyTransacted', # 0x41 'NtCreateMailslotFile', # 0x42 'NtCreateMutant', # 0x43 'NtCreateNamedPipeFile', # 0x44 'NtCreatePrivateNamespace', # 0x45 'NtCreatePagingFile', # 0x46 'NtCreatePort', # 0x47 'NtCreateProcess', # 0x48 'NtCreateProcessEx', # 0x49 'NtCreateProfile', # 0x4a 'NtCreateSection', # 0x4b 'NtCreateSemaphore', # 0x4c 'NtCreateSymbolicLinkObject', # 0x4d 'NtCreateThread', # 0x4e 'NtCreateTimer', # 0x4f 'NtCreateToken', # 0x50 'NtCreateTransaction', # 0x51 'NtOpenTransaction', # 0x52 'NtQueryInformationTransaction', # 0x53 'NtQueryInformationTransactionManager', # 0x54 'NtPrePrepareEnlistment', # 0x55 'NtPrepareEnlistment', # 0x56 'NtCommitEnlistment', # 0x57 'NtReadOnlyEnlistment', # 0x58 'NtRollbackComplete', # 0x59 'NtRollbackEnlistment', # 0x5a 'NtCommitTransaction', # 0x5b 'NtRollbackTransaction', # 0x5c 'NtPrePrepareComplete', # 0x5d 'NtPrepareComplete', # 0x5e 'NtCommitComplete', # 0x5f 'NtSinglePhaseReject', # 0x60 'NtSetInformationTransaction', # 0x61 'NtSetInformationTransactionManager', # 0x62 'NtSetInformationResourceManager', # 0x63 'NtCreateTransactionManager', # 0x64 'NtOpenTransactionManager', # 0x65 'NtRollforwardTransactionManager', # 0x66 'NtRecoverEnlistment', # 0x67 'NtRecoverResourceManager', # 0x68 'NtRecoverTransactionManager', # 0x69 'NtCreateResourceManager', # 0x6a 'NtOpenResourceManager', # 0x6b 'NtGetNotificationResourceManager', # 0x6c 'NtQueryInformationResourceManager', # 0x6d 'NtCreateEnlistment', # 0x6e 'NtOpenEnlistment', # 0x6f 'NtSetInformationEnlistment', # 0x70 'NtQueryInformationEnlistment', # 0x71 'NtStartTm', # 0x72 'NtCreateWaitablePort', # 0x73 'NtDebugActiveProcess', # 0x74 'NtDebugContinue', # 0x75 'NtDelayExecution', # 0x76 'NtDeleteAtom', # 0x77 'NtDeleteBootEntry', # 0x78 'NtDeleteDriverEntry', # 0x79 'NtDeleteFile', # 0x7a 'NtDeleteKey', # 0x7b 'NtDeletePrivateNamespace', # 0x7c 'NtDeleteObjectAuditAlarm', # 0x7d 'NtDeleteValueKey', # 0x7e 
'NtDeviceIoControlFile', # 0x7f 'NtDisplayString', # 0x80 'NtDuplicateObject', # 0x81 'NtDuplicateToken', # 0x82 'NtEnumerateBootEntries', # 0x83 'NtEnumerateDriverEntries', # 0x84 'NtEnumerateKey', # 0x85 'NtEnumerateSystemEnvironmentValuesEx', # 0x86 'NtEnumerateTransactionObject', # 0x87 'NtEnumerateValueKey', # 0x88 'NtExtendSection', # 0x89 'NtFilterToken', # 0x8a 'NtFindAtom', # 0x8b 'NtFlushBuffersFile', # 0x8c 'NtFlushInstructionCache', # 0x8d 'NtFlushKey', # 0x8e 'NtFlushProcessWriteBuffers', # 0x8f 'NtFlushVirtualMemory', # 0x90 'NtFlushWriteBuffer', # 0x91 'NtFreeUserPhysicalPages', # 0x92 'NtFreeVirtualMemory', # 0x93 'NtFreezeRegistry', # 0x94 'NtFreezeTransactions', # 0x95 'NtFsControlFile', # 0x96 'NtGetContextThread', # 0x97 'NtGetDevicePowerState', # 0x98 'NtGetNlsSectionPtr', # 0x99 'NtGetPlugPlayEvent', # 0x9a 'NtGetWriteWatch', # 0x9b 'NtImpersonateAnonymousToken', # 0x9c 'NtImpersonateClientOfPort', # 0x9d 'NtImpersonateThread', # 0x9e 'NtInitializeNlsFiles', # 0x9f 'NtInitializeRegistry', # 0xa0 'NtInitiatePowerAction', # 0xa1 'NtIsProcessInJob', # 0xa2 'NtIsSystemResumeAutomatic', # 0xa3 'NtListenPort', # 0xa4 'NtLoadDriver', # 0xa5 'NtLoadKey', # 0xa6 'NtLoadKey2', # 0xa7 'NtLoadKeyEx', # 0xa8 'NtLockFile', # 0xa9 'NtLockProductActivationKeys', # 0xaa 'NtLockRegistryKey', # 0xab 'NtLockVirtualMemory', # 0xac 'NtMakePermanentObject', # 0xad 'NtMakeTemporaryObject', # 0xae 'NtMapUserPhysicalPages', # 0xaf 'NtMapUserPhysicalPagesScatter', # 0xb0 'NtMapViewOfSection', # 0xb1 'NtModifyBootEntry', # 0xb2 'NtModifyDriverEntry', # 0xb3 'NtNotifyChangeDirectoryFile', # 0xb4 'NtNotifyChangeKey', # 0xb5 'NtNotifyChangeMultipleKeys', # 0xb6 'NtOpenDirectoryObject', # 0xb7 'NtOpenEvent', # 0xb8 'NtOpenEventPair', # 0xb9 'NtOpenFile', # 0xba 'NtOpenIoCompletion', # 0xbb 'NtOpenJobObject', # 0xbc 'NtOpenKey', # 0xbd 'NtOpenKeyTransacted', # 0xbe 'NtOpenMutant', # 0xbf 'NtOpenPrivateNamespace', # 0xc0 'NtOpenObjectAuditAlarm', # 0xc1 'NtOpenProcess', # 0xc2 
'NtOpenProcessToken', # 0xc3 'NtOpenProcessTokenEx', # 0xc4 'NtOpenSection', # 0xc5 'NtOpenSemaphore', # 0xc6 'NtOpenSession', # 0xc7 'NtOpenSymbolicLinkObject', # 0xc8 'NtOpenThread', # 0xc9 'NtOpenThreadToken', # 0xca 'NtOpenThreadTokenEx', # 0xcb 'NtOpenTimer', # 0xcc 'NtPlugPlayControl', # 0xcd 'NtPowerInformation', # 0xce 'NtPrivilegeCheck', # 0xcf 'NtPrivilegeObjectAuditAlarm', # 0xd0 'NtPrivilegedServiceAuditAlarm', # 0xd1 'NtProtectVirtualMemory', # 0xd2 'NtPulseEvent', # 0xd3 'NtQueryAttributesFile', # 0xd4 'NtQueryBootEntryOrder', # 0xd5 'NtQueryBootOptions', # 0xd6 'NtQueryDebugFilterState', # 0xd7 'NtQueryDefaultLocale', # 0xd8 'NtQueryDefaultUILanguage', # 0xd9 'NtQueryDirectoryFile', # 0xda 'NtQueryDirectoryObject', # 0xdb 'NtQueryDriverEntryOrder', # 0xdc 'NtQueryEaFile', # 0xdd 'NtQueryEvent', # 0xde 'NtQueryFullAttributesFile', # 0xdf 'NtQueryInformationAtom', # 0xe0 'NtQueryInformationFile', # 0xe1 'NtQueryInformationJobObject', # 0xe2 'NtQueryInformationPort', # 0xe3 'NtQueryInformationProcess', # 0xe4 'NtQueryInformationThread', # 0xe5 'NtQueryInformationToken', # 0xe6 'NtQueryInstallUILanguage', # 0xe7 'NtQueryIntervalProfile', # 0xe8 'NtQueryIoCompletion', # 0xe9 'NtQueryKey', # 0xea 'NtQueryMultipleValueKey', # 0xeb 'NtQueryMutant', # 0xec 'NtQueryObject', # 0xed 'NtQueryOpenSubKeys', # 0xee 'NtQueryOpenSubKeysEx', # 0xef 'NtQueryPerformanceCounter', # 0xf0 'NtQueryQuotaInformationFile', # 0xf1 'NtQuerySection', # 0xf2 'NtQuerySecurityObject', # 0xf3 'NtQuerySemaphore', # 0xf4 'NtQuerySymbolicLinkObject', # 0xf5 'NtQuerySystemEnvironmentValue', # 0xf6 'NtQuerySystemEnvironmentValueEx', # 0xf7 'NtQuerySystemInformation', # 0xf8 'NtQuerySystemTime', # 0xf9 'NtQueryTimer', # 0xfa 'NtQueryTimerResolution', # 0xfb 'NtQueryValueKey', # 0xfc 'NtQueryVirtualMemory', # 0xfd 'NtQueryVolumeInformationFile', # 0xfe 'NtQueueApcThread', # 0xff 'NtRaiseException', # 0x100 'NtRaiseHardError', # 0x101 'NtReadFile', # 0x102 'NtReadFileScatter', # 0x103 
'NtReadRequestData', # 0x104 'NtReadVirtualMemory', # 0x105 'NtRegisterThreadTerminatePort', # 0x106 'NtReleaseMutant', # 0x107 'NtReleaseSemaphore', # 0x108 'NtRemoveIoCompletion', # 0x109 'NtRemoveProcessDebug', # 0x10a 'NtRenameKey', # 0x10b 'NtReplaceKey', # 0x10c 'NtReplyPort', # 0x10d 'NtReplyWaitReceivePort', # 0x10e 'NtReplyWaitReceivePortEx', # 0x10f 'NtReplyWaitReplyPort', # 0x110 'NtRequestDeviceWakeup', # 0x111 'NtRequestPort', # 0x112 'NtRequestWaitReplyPort', # 0x113 'NtRequestWakeupLatency', # 0x114 'NtResetEvent', # 0x115 'NtResetWriteWatch', # 0x116 'NtRestoreKey', # 0x117 'NtResumeProcess', # 0x118 'NtResumeThread', # 0x119 'NtSaveKey', # 0x11a 'NtSaveKeyEx', # 0x11b 'NtSaveMergedKeys', # 0x11c 'NtClearSavepointTransaction', # 0x11d 'NtClearAllSavepointsTransaction', # 0x11e 'NtRollbackSavepointTransaction', # 0x11f 'NtSavepointTransaction', # 0x120 'NtSavepointComplete', # 0x121 'NtSecureConnectPort', # 0x122 'NtSetBootEntryOrder', # 0x123 'NtSetBootOptions', # 0x124 'NtSetContextThread', # 0x125 'NtSetDebugFilterState', # 0x126 'NtSetDefaultHardErrorPort', # 0x127 'NtSetDefaultLocale', # 0x128 'NtSetDefaultUILanguage', # 0x129 'NtSetDriverEntryOrder', # 0x12a 'NtSetEaFile', # 0x12b 'NtSetEvent', # 0x12c 'NtSetEventBoostPriority', # 0x12d 'NtSetHighEventPair', # 0x12e 'NtSetHighWaitLowEventPair', # 0x12f 'NtSetInformationDebugObject', # 0x130 'NtSetInformationFile', # 0x131 'NtSetInformationJobObject', # 0x132 'NtSetInformationKey', # 0x133 'NtSetInformationObject', # 0x134 'NtSetInformationProcess', # 0x135 'NtSetInformationThread', # 0x136 'NtSetInformationToken', # 0x137 'NtSetIntervalProfile', # 0x138 'NtSetIoCompletion', # 0x139 'NtSetLdtEntries', # 0x13a 'NtSetLowEventPair', # 0x13b 'NtSetLowWaitHighEventPair', # 0x13c 'NtSetQuotaInformationFile', # 0x13d 'NtSetSecurityObject', # 0x13e 'NtSetSystemEnvironmentValue', # 0x13f 'NtSetSystemEnvironmentValueEx', # 0x140 'NtSetSystemInformation', # 0x141 'NtSetSystemPowerState', # 0x142 
'NtSetSystemTime', # 0x143 'NtSetThreadExecutionState', # 0x144 'NtSetTimer', # 0x145 'NtSetTimerResolution', # 0x146 'NtSetUuidSeed', # 0x147 'NtSetValueKey', # 0x148 'NtSetVolumeInformationFile', # 0x149 'NtShutdownSystem', # 0x14a 'NtSignalAndWaitForSingleObject', # 0x14b 'NtStartProfile', # 0x14c 'NtStopProfile', # 0x14d 'NtSuspendProcess', # 0x14e 'NtSuspendThread', # 0x14f 'NtSystemDebugControl', # 0x150 'NtTerminateJobObject', # 0x151 'NtTerminateProcess', # 0x152 'NtTerminateThread', # 0x153 'NtTestAlert', # 0x154 'NtThawRegistry', # 0x155 'NtThawTransactions', # 0x156 'NtTraceEvent', # 0x157 'NtTraceControl', # 0x158 'NtTranslateFilePath', # 0x159 'NtUnloadDriver', # 0x15a 'NtUnloadKey', # 0x15b 'NtUnloadKey2', # 0x15c 'NtUnloadKeyEx', # 0x15d 'NtUnlockFile', # 0x15e 'NtUnlockVirtualMemory', # 0x15f 'NtUnmapViewOfSection', # 0x160 'NtVdmControl', # 0x161 'NtWaitForDebugEvent', # 0x162 'NtWaitForMultipleObjects', # 0x163 'NtWaitForSingleObject', # 0x164 'NtWaitHighEventPair', # 0x165 'NtWaitLowEventPair', # 0x166 'NtWriteFile', # 0x167 'NtWriteFileGather', # 0x168 'NtWriteRequestData', # 0x169 'NtWriteVirtualMemory', # 0x16a 'NtYieldExecution', # 0x16b 'NtCreateKeyedEvent', # 0x16c 'NtOpenKeyedEvent', # 0x16d 'NtReleaseKeyedEvent', # 0x16e 'NtWaitForKeyedEvent', # 0x16f 'NtQueryPortInformationProcess', # 0x170 'NtGetCurrentProcessorNumber', # 0x171 'NtWaitForMultipleObjects32', # 0x172 'NtGetNextProcess', # 0x173 'NtGetNextThread', # 0x174 'NtCancelIoFileEx', # 0x175 'NtCancelSynchronousIoFile', # 0x176 'NtRemoveIoCompletionEx', # 0x177 'NtRegisterProtocolAddressInformation', # 0x178 'NtPullTransaction', # 0x179 'NtMarshallTransaction', # 0x17a 'NtPropagationComplete', # 0x17b 'NtPropagationFailed', # 0x17c 'NtCreateWorkerFactory', # 0x17d 'NtReleaseWorkerFactoryWorker', # 0x17e 'NtWaitForWorkViaWorkerFactory', # 0x17f 'NtSetInformationWorkerFactory', # 0x180 'NtQueryInformationWorkerFactory', # 0x181 'NtWorkerFactoryWorkerReady', # 0x182 
'NtShutdownWorkerFactory', # 0x183 'NtCreateThreadEx', # 0x184 'NtCreateUserProcess', # 0x185 'NtQueryLicenseValue', # 0x186 'NtMapCMFModule', # 0x187 'NtListTransactions', # 0x188 'NtIsUILanguageComitted', # 0x189 'NtFlushInstallUILanguage', # 0x18a 'NtGetMUIRegistryInfo', # 0x18b 'NtAcquireCMFViewOwnership', # 0x18c 'NtReleaseCMFViewOwnership', # 0x18d ], [ 'NtGdiAbortDoc', # 0x0 'NtGdiAbortPath', # 0x1 'NtGdiAddFontResourceW', # 0x2 'NtGdiAddRemoteFontToDC', # 0x3 'NtGdiAddFontMemResourceEx', # 0x4 'NtGdiRemoveMergeFont', # 0x5 'NtGdiAddRemoteMMInstanceToDC', # 0x6 'NtGdiAlphaBlend', # 0x7 'NtGdiAngleArc', # 0x8 'NtGdiAnyLinkedFonts', # 0x9 'NtGdiFontIsLinked', # 0xa 'NtGdiArcInternal', # 0xb 'NtGdiBeginPath', # 0xc 'NtGdiBitBlt', # 0xd 'NtGdiCancelDC', # 0xe 'NtGdiCheckBitmapBits', # 0xf 'NtGdiCloseFigure', # 0x10 'NtGdiClearBitmapAttributes', # 0x11 'NtGdiClearBrushAttributes', # 0x12 'NtGdiColorCorrectPalette', # 0x13 'NtGdiCombineRgn', # 0x14 'NtGdiCombineTransform', # 0x15 'NtGdiComputeXformCoefficients', # 0x16 'NtGdiConfigureOPMProtectedOutput', # 0x17 'NtGdiConsoleTextOut', # 0x18 'NtGdiConvertMetafileRect', # 0x19 'NtGdiCreateBitmap', # 0x1a 'NtGdiCreateClientObj', # 0x1b 'NtGdiCreateColorSpace', # 0x1c 'NtGdiCreateColorTransform', # 0x1d 'NtGdiCreateCompatibleBitmap', # 0x1e 'NtGdiCreateCompatibleDC', # 0x1f 'NtGdiCreateDIBBrush', # 0x20 'NtGdiCreateDIBitmapInternal', # 0x21 'NtGdiCreateDIBSection', # 0x22 'NtGdiCreateEllipticRgn', # 0x23 'NtGdiCreateHalftonePalette', # 0x24 'NtGdiCreateHatchBrushInternal', # 0x25 'NtGdiCreateMetafileDC', # 0x26 'NtGdiCreateOPMProtectedOutputs', # 0x27 'NtGdiCreatePaletteInternal', # 0x28 'NtGdiCreatePatternBrushInternal', # 0x29 'NtGdiCreatePen', # 0x2a 'NtGdiCreateRectRgn', # 0x2b 'NtGdiCreateRoundRectRgn', # 0x2c 'NtGdiCreateServerMetaFile', # 0x2d 'NtGdiCreateSolidBrush', # 0x2e 'NtGdiD3dContextCreate', # 0x2f 'NtGdiD3dContextDestroy', # 0x30 'NtGdiD3dContextDestroyAll', # 0x31 'NtGdiD3dValidateTextureStageState', 
# 0x32 'NtGdiD3dDrawPrimitives2', # 0x33 'NtGdiDdGetDriverState', # 0x34 'NtGdiDdAddAttachedSurface', # 0x35 'NtGdiDdAlphaBlt', # 0x36 'NtGdiDdAttachSurface', # 0x37 'NtGdiDdBeginMoCompFrame', # 0x38 'NtGdiDdBlt', # 0x39 'NtGdiDdCanCreateSurface', # 0x3a 'NtGdiDdCanCreateD3DBuffer', # 0x3b 'NtGdiDdColorControl', # 0x3c 'NtGdiDdCreateDirectDrawObject', # 0x3d 'NtGdiDdCreateSurface', # 0x3e 'NtGdiDdCreateD3DBuffer', # 0x3f 'NtGdiDdCreateMoComp', # 0x40 'NtGdiDdCreateSurfaceObject', # 0x41 'NtGdiDdDeleteDirectDrawObject', # 0x42 'NtGdiDdDeleteSurfaceObject', # 0x43 'NtGdiDdDestroyMoComp', # 0x44 'NtGdiDdDestroySurface', # 0x45 'NtGdiDdDestroyD3DBuffer', # 0x46 'NtGdiDdEndMoCompFrame', # 0x47 'NtGdiDdFlip', # 0x48 'NtGdiDdFlipToGDISurface', # 0x49 'NtGdiDdGetAvailDriverMemory', # 0x4a 'NtGdiDdGetBltStatus', # 0x4b 'NtGdiDdGetDC', # 0x4c 'NtGdiDdGetDriverInfo', # 0x4d 'NtGdiDdGetDxHandle', # 0x4e 'NtGdiDdGetFlipStatus', # 0x4f 'NtGdiDdGetInternalMoCompInfo', # 0x50 'NtGdiDdGetMoCompBuffInfo', # 0x51 'NtGdiDdGetMoCompGuids', # 0x52 'NtGdiDdGetMoCompFormats', # 0x53 'NtGdiDdGetScanLine', # 0x54 'NtGdiDdLock', # 0x55 'NtGdiDdLockD3D', # 0x56 'NtGdiDdQueryDirectDrawObject', # 0x57 'NtGdiDdQueryMoCompStatus', # 0x58 'NtGdiDdReenableDirectDrawObject', # 0x59 'NtGdiDdReleaseDC', # 0x5a 'NtGdiDdRenderMoComp', # 0x5b 'NtGdiDdResetVisrgn', # 0x5c 'NtGdiDdSetColorKey', # 0x5d 'NtGdiDdSetExclusiveMode', # 0x5e 'NtGdiDdSetGammaRamp', # 0x5f 'NtGdiDdCreateSurfaceEx', # 0x60 'NtGdiDdSetOverlayPosition', # 0x61 'NtGdiDdUnattachSurface', # 0x62 'NtGdiDdUnlock', # 0x63 'NtGdiDdUnlockD3D', # 0x64 'NtGdiDdUpdateOverlay', # 0x65 'NtGdiDdWaitForVerticalBlank', # 0x66 'NtGdiDvpCanCreateVideoPort', # 0x67 'NtGdiDvpColorControl', # 0x68 'NtGdiDvpCreateVideoPort', # 0x69 'NtGdiDvpDestroyVideoPort', # 0x6a 'NtGdiDvpFlipVideoPort', # 0x6b 'NtGdiDvpGetVideoPortBandwidth', # 0x6c 'NtGdiDvpGetVideoPortField', # 0x6d 'NtGdiDvpGetVideoPortFlipStatus', # 0x6e 'NtGdiDvpGetVideoPortInputFormats', # 0x6f 
'NtGdiDvpGetVideoPortLine', # 0x70 'NtGdiDvpGetVideoPortOutputFormats', # 0x71 'NtGdiDvpGetVideoPortConnectInfo', # 0x72 'NtGdiDvpGetVideoSignalStatus', # 0x73 'NtGdiDvpUpdateVideoPort', # 0x74 'NtGdiDvpWaitForVideoPortSync', # 0x75 'NtGdiDvpAcquireNotification', # 0x76 'NtGdiDvpReleaseNotification', # 0x77 'NtGdiDxgGenericThunk', # 0x78 'NtGdiDeleteClientObj', # 0x79 'NtGdiDeleteColorSpace', # 0x7a 'NtGdiDeleteColorTransform', # 0x7b 'NtGdiDeleteObjectApp', # 0x7c 'NtGdiDescribePixelFormat', # 0x7d 'NtGdiDestroyOPMProtectedOutput', # 0x7e 'NtGdiGetPerBandInfo', # 0x7f 'NtGdiDoBanding', # 0x80 'NtGdiDoPalette', # 0x81 'NtGdiDrawEscape', # 0x82 'NtGdiEllipse', # 0x83 'NtGdiEnableEudc', # 0x84 'NtGdiEndDoc', # 0x85 'NtGdiEndPage', # 0x86 'NtGdiEndPath', # 0x87 'NtGdiEnumFontChunk', # 0x88 'NtGdiEnumFontClose', # 0x89 'NtGdiEnumFontOpen', # 0x8a 'NtGdiEnumObjects', # 0x8b 'NtGdiEqualRgn', # 0x8c 'NtGdiEudcLoadUnloadLink', # 0x8d 'NtGdiExcludeClipRect', # 0x8e 'NtGdiExtCreatePen', # 0x8f 'NtGdiExtCreateRegion', # 0x90 'NtGdiExtEscape', # 0x91 'NtGdiExtFloodFill', # 0x92 'NtGdiExtGetObjectW', # 0x93 'NtGdiExtSelectClipRgn', # 0x94 'NtGdiExtTextOutW', # 0x95 'NtGdiFillPath', # 0x96 'NtGdiFillRgn', # 0x97 'NtGdiFlattenPath', # 0x98 'NtGdiFlush', # 0x99 'NtGdiForceUFIMapping', # 0x9a 'NtGdiFrameRgn', # 0x9b 'NtGdiFullscreenControl', # 0x9c 'NtGdiGetAndSetDCDword', # 0x9d 'NtGdiGetAppClipBox', # 0x9e 'NtGdiGetBitmapBits', # 0x9f 'NtGdiGetBitmapDimension', # 0xa0 'NtGdiGetBoundsRect', # 0xa1 'NtGdiGetCertificate', # 0xa2 'NtGdiGetCertificateSize', # 0xa3 'NtGdiGetCharABCWidthsW', # 0xa4 'NtGdiGetCharacterPlacementW', # 0xa5 'NtGdiGetCharSet', # 0xa6 'NtGdiGetCharWidthW', # 0xa7 'NtGdiGetCharWidthInfo', # 0xa8 'NtGdiGetColorAdjustment', # 0xa9 'NtGdiGetColorSpaceforBitmap', # 0xaa 'NtGdiGetCOPPCompatibleOPMInformation', # 0xab 'NtGdiGetDCDword', # 0xac 'NtGdiGetDCforBitmap', # 0xad 'NtGdiGetDCObject', # 0xae 'NtGdiGetDCPoint', # 0xaf 'NtGdiGetDeviceCaps', # 0xb0 
'NtGdiGetDeviceGammaRamp', # 0xb1 'NtGdiGetDeviceCapsAll', # 0xb2 'NtGdiGetDIBitsInternal', # 0xb3 'NtGdiGetETM', # 0xb4 'NtGdiGetEudcTimeStampEx', # 0xb5 'NtGdiGetFontData', # 0xb6 'NtGdiGetFontResourceInfoInternalW', # 0xb7 'NtGdiGetGlyphIndicesW', # 0xb8 'NtGdiGetGlyphIndicesWInternal', # 0xb9 'NtGdiGetGlyphOutline', # 0xba 'NtGdiGetOPMInformation', # 0xbb 'NtGdiGetKerningPairs', # 0xbc 'NtGdiGetLinkedUFIs', # 0xbd 'NtGdiGetMiterLimit', # 0xbe 'NtGdiGetMonitorID', # 0xbf 'NtGdiGetNearestColor', # 0xc0 'NtGdiGetNearestPaletteIndex', # 0xc1 'NtGdiGetObjectBitmapHandle', # 0xc2 'NtGdiGetOPMRandomNumber', # 0xc3 'NtGdiGetOutlineTextMetricsInternalW', # 0xc4 'NtGdiGetPath', # 0xc5 'NtGdiGetPixel', # 0xc6 'NtGdiGetRandomRgn', # 0xc7 'NtGdiGetRasterizerCaps', # 0xc8 'NtGdiGetRealizationInfo', # 0xc9 'NtGdiGetRegionData', # 0xca 'NtGdiGetRgnBox', # 0xcb 'NtGdiGetServerMetaFileBits', # 0xcc 'NtGdiGetSpoolMessage', # 0xcd 'NtGdiGetStats', # 0xce 'NtGdiGetStockObject', # 0xcf 'NtGdiGetStringBitmapW', # 0xd0 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0xd1 'NtGdiGetSystemPaletteUse', # 0xd2 'NtGdiGetTextCharsetInfo', # 0xd3 'NtGdiGetTextExtent', # 0xd4 'NtGdiGetTextExtentExW', # 0xd5 'NtGdiGetTextFaceW', # 0xd6 'NtGdiGetTextMetricsW', # 0xd7 'NtGdiGetTransform', # 0xd8 'NtGdiGetUFI', # 0xd9 'NtGdiGetEmbUFI', # 0xda 'NtGdiGetUFIPathname', # 0xdb 'NtGdiGetEmbedFonts', # 0xdc 'NtGdiChangeGhostFont', # 0xdd 'NtGdiAddEmbFontToDC', # 0xde 'NtGdiGetFontUnicodeRanges', # 0xdf 'NtGdiGetWidthTable', # 0xe0 'NtGdiGradientFill', # 0xe1 'NtGdiHfontCreate', # 0xe2 'NtGdiIcmBrushInfo', # 0xe3 'NtGdiInit', # 0xe4 'NtGdiInitSpool', # 0xe5 'NtGdiIntersectClipRect', # 0xe6 'NtGdiInvertRgn', # 0xe7 'NtGdiLineTo', # 0xe8 'NtGdiMakeFontDir', # 0xe9 'NtGdiMakeInfoDC', # 0xea 'NtGdiMaskBlt', # 0xeb 'NtGdiModifyWorldTransform', # 0xec 'NtGdiMonoBitmap', # 0xed 'NtGdiMoveTo', # 0xee 'NtGdiOffsetClipRgn', # 0xef 'NtGdiOffsetRgn', # 0xf0 'NtGdiOpenDCW', # 0xf1 'NtGdiPatBlt', # 0xf2 
'NtGdiPolyPatBlt', # 0xf3 'NtGdiPathToRegion', # 0xf4 'NtGdiPlgBlt', # 0xf5 'NtGdiPolyDraw', # 0xf6 'NtGdiPolyPolyDraw', # 0xf7 'NtGdiPolyTextOutW', # 0xf8 'NtGdiPtInRegion', # 0xf9 'NtGdiPtVisible', # 0xfa 'NtGdiQueryFonts', # 0xfb 'NtGdiQueryFontAssocInfo', # 0xfc 'NtGdiRectangle', # 0xfd 'NtGdiRectInRegion', # 0xfe 'NtGdiRectVisible', # 0xff 'NtGdiRemoveFontResourceW', # 0x100 'NtGdiRemoveFontMemResourceEx', # 0x101 'NtGdiResetDC', # 0x102 'NtGdiResizePalette', # 0x103 'NtGdiRestoreDC', # 0x104 'NtGdiRoundRect', # 0x105 'NtGdiSaveDC', # 0x106 'NtGdiScaleViewportExtEx', # 0x107 'NtGdiScaleWindowExtEx', # 0x108 'NtGdiSelectBitmap', # 0x109 'NtGdiSelectBrush', # 0x10a 'NtGdiSelectClipPath', # 0x10b 'NtGdiSelectFont', # 0x10c 'NtGdiSelectPen', # 0x10d 'NtGdiSetBitmapAttributes', # 0x10e 'NtGdiSetBitmapBits', # 0x10f 'NtGdiSetBitmapDimension', # 0x110 'NtGdiSetBoundsRect', # 0x111 'NtGdiSetBrushAttributes', # 0x112 'NtGdiSetBrushOrg', # 0x113 'NtGdiSetColorAdjustment', # 0x114 'NtGdiSetColorSpace', # 0x115 'NtGdiSetDeviceGammaRamp', # 0x116 'NtGdiSetDIBitsToDeviceInternal', # 0x117 'NtGdiSetFontEnumeration', # 0x118 'NtGdiSetFontXform', # 0x119 'NtGdiSetIcmMode', # 0x11a 'NtGdiSetLinkedUFIs', # 0x11b 'NtGdiSetMagicColors', # 0x11c 'NtGdiSetMetaRgn', # 0x11d 'NtGdiSetMiterLimit', # 0x11e 'NtGdiGetDeviceWidth', # 0x11f 'NtGdiMirrorWindowOrg', # 0x120 'NtGdiSetLayout', # 0x121 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x122 'NtGdiSetPixel', # 0x123 'NtGdiSetPixelFormat', # 0x124 'NtGdiSetRectRgn', # 0x125 'NtGdiSetSystemPaletteUse', # 0x126 'NtGdiSetTextJustification', # 0x127 'NtGdiSetupPublicCFONT', # 0x128 'NtGdiSetVirtualResolution', # 0x129 'NtGdiSetSizeDevice', # 0x12a 'NtGdiStartDoc', # 0x12b 'NtGdiStartPage', # 0x12c 'NtGdiStretchBlt', # 0x12d 'NtGdiStretchDIBitsInternal', # 0x12e 'NtGdiStrokeAndFillPath', # 0x12f 'NtGdiStrokePath', # 0x130 'NtGdiSwapBuffers', # 0x131 'NtGdiTransformPoints', # 0x132 'NtGdiTransparentBlt', # 0x133 'NtGdiUnloadPrinterDriver', # 
0x134 'NtGdiUnmapMemFont', # 0x135 'NtGdiUnrealizeObject', # 0x136 'NtGdiUpdateColors', # 0x137 'NtGdiWidenPath', # 0x138 'NtUserActivateKeyboardLayout', # 0x139 'NtUserAddClipboardFormatListener', # 0x13a 'NtUserAlterWindowStyle', # 0x13b 'NtUserAssociateInputContext', # 0x13c 'NtUserAttachThreadInput', # 0x13d 'NtUserBeginPaint', # 0x13e 'NtUserBitBltSysBmp', # 0x13f 'NtUserBlockInput', # 0x140 'NtUserBuildHimcList', # 0x141 'NtUserBuildHwndList', # 0x142 'NtUserBuildNameList', # 0x143 'NtUserBuildPropList', # 0x144 'NtUserCallHwnd', # 0x145 'NtUserCallHwndLock', # 0x146 'NtUserCallHwndOpt', # 0x147 'NtUserCallHwndParam', # 0x148 'NtUserCallHwndParamLock', # 0x149 'NtUserCallMsgFilter', # 0x14a 'NtUserCallNextHookEx', # 0x14b 'NtUserCallNoParam', # 0x14c 'NtUserCallOneParam', # 0x14d 'NtUserCallTwoParam', # 0x14e 'NtUserChangeClipboardChain', # 0x14f 'NtUserChangeDisplaySettings', # 0x150 'NtUserCheckAccessForIntegrityLevel', # 0x151 'NtUserCheckDesktopByThreadId', # 0x152 'NtUserCheckWindowThreadDesktop', # 0x153 'NtUserCheckImeHotKey', # 0x154 'NtUserCheckMenuItem', # 0x155 'NtUserChildWindowFromPointEx', # 0x156 'NtUserClipCursor', # 0x157 'NtUserCloseClipboard', # 0x158 'NtUserCloseDesktop', # 0x159 'NtUserCloseWindowStation', # 0x15a 'NtUserConsoleControl', # 0x15b 'NtUserConvertMemHandle', # 0x15c 'NtUserCopyAcceleratorTable', # 0x15d 'NtUserCountClipboardFormats', # 0x15e 'NtUserCreateAcceleratorTable', # 0x15f 'NtUserCreateCaret', # 0x160 'NtUserCreateDesktopEx', # 0x161 'NtUserCreateInputContext', # 0x162 'NtUserCreateLocalMemHandle', # 0x163 'NtUserCreateWindowEx', # 0x164 'NtUserCreateWindowStation', # 0x165 'NtUserDdeInitialize', # 0x166 'NtUserDeferWindowPos', # 0x167 'NtUserDefSetText', # 0x168 'NtUserDeleteMenu', # 0x169 'NtUserDestroyAcceleratorTable', # 0x16a 'NtUserDestroyCursor', # 0x16b 'NtUserDestroyInputContext', # 0x16c 'NtUserDestroyMenu', # 0x16d 'NtUserDestroyWindow', # 0x16e 'NtUserDisableThreadIme', # 0x16f 'NtUserDispatchMessage', # 
0x170 'NtUserDoSoundConnect', # 0x171 'NtUserDoSoundDisconnect', # 0x172 'NtUserDragDetect', # 0x173 'NtUserDragObject', # 0x174 'NtUserDrawAnimatedRects', # 0x175 'NtUserDrawCaption', # 0x176 'NtUserDrawCaptionTemp', # 0x177 'NtUserDrawIconEx', # 0x178 'NtUserDrawMenuBarTemp', # 0x179 'NtUserEmptyClipboard', # 0x17a 'NtUserEnableMenuItem', # 0x17b 'NtUserEnableScrollBar', # 0x17c 'NtUserEndDeferWindowPosEx', # 0x17d 'NtUserEndMenu', # 0x17e 'NtUserEndPaint', # 0x17f 'NtUserEnumDisplayDevices', # 0x180 'NtUserEnumDisplayMonitors', # 0x181 'NtUserEnumDisplaySettings', # 0x182 'NtUserEvent', # 0x183 'NtUserExcludeUpdateRgn', # 0x184 'NtUserFillWindow', # 0x185 'NtUserFindExistingCursorIcon', # 0x186 'NtUserFindWindowEx', # 0x187 'NtUserFlashWindowEx', # 0x188 'NtUserFrostCrashedWindow', # 0x189 'NtUserGetAltTabInfo', # 0x18a 'NtUserGetAncestor', # 0x18b 'NtUserGetAppImeLevel', # 0x18c 'NtUserGetAsyncKeyState', # 0x18d 'NtUserGetAtomName', # 0x18e 'NtUserGetCaretBlinkTime', # 0x18f 'NtUserGetCaretPos', # 0x190 'NtUserGetClassInfoEx', # 0x191 'NtUserGetClassName', # 0x192 'NtUserGetClipboardData', # 0x193 'NtUserGetClipboardFormatName', # 0x194 'NtUserGetClipboardOwner', # 0x195 'NtUserGetClipboardSequenceNumber', # 0x196 'NtUserGetClipboardViewer', # 0x197 'NtUserGetClipCursor', # 0x198 'NtUserGetComboBoxInfo', # 0x199 'NtUserGetControlBrush', # 0x19a 'NtUserGetControlColor', # 0x19b 'NtUserGetCPD', # 0x19c 'NtUserGetCursorFrameInfo', # 0x19d 'NtUserGetCursorInfo', # 0x19e 'NtUserGetDC', # 0x19f 'NtUserGetDCEx', # 0x1a0 'NtUserGetDoubleClickTime', # 0x1a1 'NtUserGetForegroundWindow', # 0x1a2 'NtUserGetGuiResources', # 0x1a3 'NtUserGetGUIThreadInfo', # 0x1a4 'NtUserGetIconInfo', # 0x1a5 'NtUserGetIconSize', # 0x1a6 'NtUserGetImeHotKey', # 0x1a7 'NtUserGetImeInfoEx', # 0x1a8 'NtUserGetInternalWindowPos', # 0x1a9 'NtUserGetKeyboardLayoutList', # 0x1aa 'NtUserGetKeyboardLayoutName', # 0x1ab 'NtUserGetKeyboardState', # 0x1ac 'NtUserGetKeyNameText', # 0x1ad 
'NtUserGetKeyState', # 0x1ae 'NtUserGetListBoxInfo', # 0x1af 'NtUserGetMenuBarInfo', # 0x1b0 'NtUserGetMenuIndex', # 0x1b1 'NtUserGetMenuItemRect', # 0x1b2 'NtUserGetMessage', # 0x1b3 'NtUserGetMouseMovePointsEx', # 0x1b4 'NtUserGetObjectInformation', # 0x1b5 'NtUserGetOpenClipboardWindow', # 0x1b6 'NtUserGetPriorityClipboardFormat', # 0x1b7 'NtUserGetProcessWindowStation', # 0x1b8 'NtUserGetRawInputBuffer', # 0x1b9 'NtUserGetRawInputData', # 0x1ba 'NtUserGetRawInputDeviceInfo', # 0x1bb 'NtUserGetRawInputDeviceList', # 0x1bc 'NtUserGetRegisteredRawInputDevices', # 0x1bd 'NtUserGetScrollBarInfo', # 0x1be 'NtUserGetSystemMenu', # 0x1bf 'NtUserGetThreadDesktop', # 0x1c0 'NtUserGetThreadState', # 0x1c1 'NtUserGetTitleBarInfo', # 0x1c2 'NtUserGetUpdatedClipboardFormats', # 0x1c3 'NtUserGetUpdateRect', # 0x1c4 'NtUserGetUpdateRgn', # 0x1c5 'NtUserGetWindowDC', # 0x1c6 'NtUserGetWindowPlacement', # 0x1c7 'NtUserGetWOWClass', # 0x1c8 'NtUserGhostWindowFromHungWindow', # 0x1c9 'NtUserHardErrorControl', # 0x1ca 'NtUserHideCaret', # 0x1cb 'NtUserHiliteMenuItem', # 0x1cc 'NtUserHungWindowFromGhostWindow', # 0x1cd 'NtUserImpersonateDdeClientWindow', # 0x1ce 'NtUserInitialize', # 0x1cf 'NtUserInitializeClientPfnArrays', # 0x1d0 'NtUserInitTask', # 0x1d1 'NtUserInternalGetWindowText', # 0x1d2 'NtUserInternalGetWindowIcon', # 0x1d3 'NtUserInvalidateRect', # 0x1d4 'NtUserInvalidateRgn', # 0x1d5 'NtUserIsClipboardFormatAvailable', # 0x1d6 'NtUserKillTimer', # 0x1d7 'NtUserLoadKeyboardLayoutEx', # 0x1d8 'NtUserLockWindowStation', # 0x1d9 'NtUserLockWindowUpdate', # 0x1da 'NtUserLockWorkStation', # 0x1db 'NtUserLogicalToPhysicalPoint', # 0x1dc 'NtUserMapVirtualKeyEx', # 0x1dd 'NtUserMenuItemFromPoint', # 0x1de 'NtUserMessageCall', # 0x1df 'NtUserMinMaximize', # 0x1e0 'NtUserMNDragLeave', # 0x1e1 'NtUserMNDragOver', # 0x1e2 'NtUserModifyUserStartupInfoFlags', # 0x1e3 'NtUserMoveWindow', # 0x1e4 'NtUserNotifyIMEStatus', # 0x1e5 'NtUserNotifyProcessCreate', # 0x1e6 
'NtUserNotifyWinEvent', # 0x1e7 'NtUserOpenClipboard', # 0x1e8 'NtUserOpenDesktop', # 0x1e9 'NtUserOpenInputDesktop', # 0x1ea 'NtUserOpenThreadDesktop', # 0x1eb 'NtUserOpenWindowStation', # 0x1ec 'NtUserPaintDesktop', # 0x1ed 'NtUserPaintMonitor', # 0x1ee 'NtUserPeekMessage', # 0x1ef 'NtUserPhysicalToLogicalPoint', # 0x1f0 'NtUserPostMessage', # 0x1f1 'NtUserPostThreadMessage', # 0x1f2 'NtUserPrintWindow', # 0x1f3 'NtUserProcessConnect', # 0x1f4 'NtUserQueryInformationThread', # 0x1f5 'NtUserQueryInputContext', # 0x1f6 'NtUserQuerySendMessage', # 0x1f7 'NtUserQueryWindow', # 0x1f8 'NtUserRealChildWindowFromPoint', # 0x1f9 'NtUserRealInternalGetMessage', # 0x1fa 'NtUserRealWaitMessageEx', # 0x1fb 'NtUserRedrawWindow', # 0x1fc 'NtUserRegisterClassExWOW', # 0x1fd 'NtUserRegisterErrorReportingDialog', # 0x1fe 'NtUserRegisterUserApiHook', # 0x1ff 'NtUserRegisterHotKey', # 0x200 'NtUserRegisterRawInputDevices', # 0x201 'NtUserRegisterTasklist', # 0x202 'NtUserRegisterWindowMessage', # 0x203 'NtUserRemoveClipboardFormatListener', # 0x204 'NtUserRemoveMenu', # 0x205 'NtUserRemoveProp', # 0x206 'NtUserResolveDesktop', # 0x207 'NtUserResolveDesktopForWOW', # 0x208 'NtUserSBGetParms', # 0x209 'NtUserScrollDC', # 0x20a 'NtUserScrollWindowEx', # 0x20b 'NtUserSelectPalette', # 0x20c 'NtUserSendInput', # 0x20d 'NtUserSetActiveWindow', # 0x20e 'NtUserSetAppImeLevel', # 0x20f 'NtUserSetCapture', # 0x210 'NtUserSetClassLong', # 0x211 'NtUserSetClassWord', # 0x212 'NtUserSetClipboardData', # 0x213 'NtUserSetClipboardViewer', # 0x214 'NtUserSetConsoleReserveKeys', # 0x215 'NtUserSetCursor', # 0x216 'NtUserSetCursorContents', # 0x217 'NtUserSetCursorIconData', # 0x218 'NtUserSetFocus', # 0x219 'NtUserSetImeHotKey', # 0x21a 'NtUserSetImeInfoEx', # 0x21b 'NtUserSetImeOwnerWindow', # 0x21c 'NtUserSetInformationProcess', # 0x21d 'NtUserSetInformationThread', # 0x21e 'NtUserSetInternalWindowPos', # 0x21f 'NtUserSetKeyboardState', # 0x220 'NtUserSetMenu', # 0x221 
'NtUserSetMenuContextHelpId', # 0x222 'NtUserSetMenuDefaultItem', # 0x223 'NtUserSetMenuFlagRtoL', # 0x224 'NtUserSetObjectInformation', # 0x225 'NtUserSetParent', # 0x226 'NtUserSetProcessWindowStation', # 0x227 'NtUserGetProp', # 0x228 'NtUserSetProp', # 0x229 'NtUserSetScrollInfo', # 0x22a 'NtUserSetShellWindowEx', # 0x22b 'NtUserSetSysColors', # 0x22c 'NtUserSetSystemCursor', # 0x22d 'NtUserSetSystemMenu', # 0x22e 'NtUserSetSystemTimer', # 0x22f 'NtUserSetThreadDesktop', # 0x230 'NtUserSetThreadLayoutHandles', # 0x231 'NtUserSetThreadState', # 0x232 'NtUserSetTimer', # 0x233 'NtUserSetProcessDPIAware', # 0x234 'NtUserSetWindowFNID', # 0x235 'NtUserSetWindowLong', # 0x236 'NtUserSetWindowPlacement', # 0x237 'NtUserSetWindowPos', # 0x238 'NtUserSetWindowRgn', # 0x239 'NtUserGetWindowRgnEx', # 0x23a 'NtUserSetWindowRgnEx', # 0x23b 'NtUserSetWindowsHookAW', # 0x23c 'NtUserSetWindowsHookEx', # 0x23d 'NtUserSetWindowStationUser', # 0x23e 'NtUserSetWindowWord', # 0x23f 'NtUserSetWinEventHook', # 0x240 'NtUserShowCaret', # 0x241 'NtUserShowScrollBar', # 0x242 'NtUserShowWindow', # 0x243 'NtUserShowWindowAsync', # 0x244 'NtUserSoundSentry', # 0x245 'NtUserSwitchDesktop', # 0x246 'NtUserSystemParametersInfo', # 0x247 'NtUserTestForInteractiveUser', # 0x248 'NtUserThunkedMenuInfo', # 0x249 'NtUserThunkedMenuItemInfo', # 0x24a 'NtUserToUnicodeEx', # 0x24b 'NtUserTrackMouseEvent', # 0x24c 'NtUserTrackPopupMenuEx', # 0x24d 'NtUserCalcMenuBar', # 0x24e 'NtUserPaintMenuBar', # 0x24f 'NtUserTranslateAccelerator', # 0x250 'NtUserTranslateMessage', # 0x251 'NtUserUnhookWindowsHookEx', # 0x252 'NtUserUnhookWinEvent', # 0x253 'NtUserUnloadKeyboardLayout', # 0x254 'NtUserUnlockWindowStation', # 0x255 'NtUserUnregisterClass', # 0x256 'NtUserUnregisterUserApiHook', # 0x257 'NtUserUnregisterHotKey', # 0x258 'NtUserUpdateInputContext', # 0x259 'NtUserUpdateInstance', # 0x25a 'NtUserUpdateLayeredWindow', # 0x25b 'NtUserGetLayeredWindowAttributes', # 0x25c 
'NtUserSetLayeredWindowAttributes', # 0x25d 'NtUserUpdatePerUserSystemParameters', # 0x25e 'NtUserUserHandleGrantAccess', # 0x25f 'NtUserValidateHandleSecure', # 0x260 'NtUserValidateRect', # 0x261 'NtUserValidateTimerCallback', # 0x262 'NtUserVkKeyScanEx', # 0x263 'NtUserWaitForInputIdle', # 0x264 'NtUserWaitForMsgAndEvent', # 0x265 'NtUserWaitMessage', # 0x266 'NtUserWin32PoolAllocationStats', # 0x267 'NtUserWindowFromPhysicalPoint', # 0x268 'NtUserWindowFromPoint', # 0x269 'NtUserYieldTask', # 0x26a 'NtUserRemoteConnect', # 0x26b 'NtUserRemoteRedrawRectangle', # 0x26c 'NtUserRemoteRedrawScreen', # 0x26d 'NtUserRemoteStopScreenUpdates', # 0x26e 'NtUserCtxDisplayIOCtl', # 0x26f 'NtUserRegisterSessionPort', # 0x270 'NtUserUnregisterSessionPort', # 0x271 'NtUserUpdateWindowTransform', # 0x272 'NtUserDwmStartRedirection', # 0x273 'NtUserDwmStopRedirection', # 0x274 'NtUserDwmHintDxUpdate', # 0x275 'NtUserDwmGetDxRgn', # 0x276 'NtUserGetWindowMinimizeRect', # 0x277 'NtGdiEngAssociateSurface', # 0x278 'NtGdiEngCreateBitmap', # 0x279 'NtGdiEngCreateDeviceSurface', # 0x27a 'NtGdiEngCreateDeviceBitmap', # 0x27b 'NtGdiEngCreatePalette', # 0x27c 'NtGdiEngComputeGlyphSet', # 0x27d 'NtGdiEngCopyBits', # 0x27e 'NtGdiEngDeletePalette', # 0x27f 'NtGdiEngDeleteSurface', # 0x280 'NtGdiEngEraseSurface', # 0x281 'NtGdiEngUnlockSurface', # 0x282 'NtGdiEngLockSurface', # 0x283 'NtGdiEngBitBlt', # 0x284 'NtGdiEngStretchBlt', # 0x285 'NtGdiEngPlgBlt', # 0x286 'NtGdiEngMarkBandingSurface', # 0x287 'NtGdiEngStrokePath', # 0x288 'NtGdiEngFillPath', # 0x289 'NtGdiEngStrokeAndFillPath', # 0x28a 'NtGdiEngPaint', # 0x28b 'NtGdiEngLineTo', # 0x28c 'NtGdiEngAlphaBlend', # 0x28d 'NtGdiEngGradientFill', # 0x28e 'NtGdiEngTransparentBlt', # 0x28f 'NtGdiEngTextOut', # 0x290 'NtGdiEngStretchBltROP', # 0x291 'NtGdiXLATEOBJ_cGetPalette', # 0x292 'NtGdiXLATEOBJ_iXlate', # 0x293 'NtGdiXLATEOBJ_hGetColorTransform', # 0x294 'NtGdiCLIPOBJ_bEnum', # 0x295 'NtGdiCLIPOBJ_cEnumStart', # 0x296 
'NtGdiCLIPOBJ_ppoGetPath', # 0x297 'NtGdiEngDeletePath', # 0x298 'NtGdiEngCreateClip', # 0x299 'NtGdiEngDeleteClip', # 0x29a 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x29b 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x29c 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x29d 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x29e 'NtGdiXFORMOBJ_bApplyXform', # 0x29f 'NtGdiXFORMOBJ_iGetXform', # 0x2a0 'NtGdiFONTOBJ_vGetInfo', # 0x2a1 'NtGdiFONTOBJ_pxoGetXform', # 0x2a2 'NtGdiFONTOBJ_cGetGlyphs', # 0x2a3 'NtGdiFONTOBJ_pifi', # 0x2a4 'NtGdiFONTOBJ_pfdg', # 0x2a5 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x2a6 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x2a7 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x2a8 'NtGdiSTROBJ_bEnum', # 0x2a9 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x2aa 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x2ab 'NtGdiSTROBJ_vEnumStart', # 0x2ac 'NtGdiSTROBJ_dwGetCodePage', # 0x2ad 'NtGdiPATHOBJ_vGetBounds', # 0x2ae 'NtGdiPATHOBJ_bEnum', # 0x2af 'NtGdiPATHOBJ_vEnumStart', # 0x2b0 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x2b1 'NtGdiPATHOBJ_bEnumClipLines', # 0x2b2 'NtGdiGetDhpdev', # 0x2b3 'NtGdiEngCheckAbort', # 0x2b4 'NtGdiHT_Get8BPPFormatPalette', # 0x2b5 'NtGdiHT_Get8BPPMaskPalette', # 0x2b6 'NtGdiUpdateTransform', # 0x2b7 'NtGdiSetPUMPDOBJ', # 0x2b8 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x2b9 'NtGdiUMPDEngFreeUserMem', # 0x2ba 'NtGdiDrawStream', # 0x2bb 'NtGdiDwmGetDirtyRgn', # 0x2bc 'NtGdiDwmGetSurfaceData', # 0x2bd 'NtGdiDdDDICreateAllocation', # 0x2be 'NtGdiDdDDIQueryResourceInfo', # 0x2bf 'NtGdiDdDDIOpenResource', # 0x2c0 'NtGdiDdDDIDestroyAllocation', # 0x2c1 'NtGdiDdDDISetAllocationPriority', # 0x2c2 'NtGdiDdDDIQueryAllocationResidency', # 0x2c3 'NtGdiDdDDICreateDevice', # 0x2c4 'NtGdiDdDDIDestroyDevice', # 0x2c5 'NtGdiDdDDICreateContext', # 0x2c6 'NtGdiDdDDIDestroyContext', # 0x2c7 'NtGdiDdDDICreateSynchronizationObject', # 0x2c8 'NtGdiDdDDIDestroySynchronizationObject', # 0x2c9 'NtGdiDdDDIWaitForSynchronizationObject', # 0x2ca 'NtGdiDdDDISignalSynchronizationObject', # 0x2cb 'NtGdiDdDDIGetRuntimeData', # 0x2cc 
'NtGdiDdDDIQueryAdapterInfo', # 0x2cd 'NtGdiDdDDILock', # 0x2ce 'NtGdiDdDDIUnlock', # 0x2cf 'NtGdiDdDDIGetDisplayModeList', # 0x2d0 'NtGdiDdDDISetDisplayMode', # 0x2d1 'NtGdiDdDDIGetMultisampleMethodList', # 0x2d2 'NtGdiDdDDIPresent', # 0x2d3 'NtGdiDdDDIRender', # 0x2d4 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x2d5 'NtGdiDdDDIOpenAdapterFromHdc', # 0x2d6 'NtGdiDdDDICloseAdapter', # 0x2d7 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x2d8 'NtGdiDdDDIEscape', # 0x2d9 'NtGdiDdDDIQueryStatistics', # 0x2da 'NtGdiDdDDISetVidPnSourceOwner', # 0x2db 'NtGdiDdDDIGetPresentHistory', # 0x2dc 'NtGdiDdDDICreateOverlay', # 0x2dd 'NtGdiDdDDIUpdateOverlay', # 0x2de 'NtGdiDdDDIFlipOverlay', # 0x2df 'NtGdiDdDDIDestroyOverlay', # 0x2e0 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x2e1 'NtGdiDdDDISetGammaRamp', # 0x2e2 'NtGdiDdDDIGetDeviceState', # 0x2e3 'NtGdiDdDDICreateDCFromMemory', # 0x2e4 'NtGdiDdDDIDestroyDCFromMemory', # 0x2e5 'NtGdiDdDDISetContextSchedulingPriority', # 0x2e6 'NtGdiDdDDIGetContextSchedulingPriority', # 0x2e7 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x2e8 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x2e9 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x2ea 'NtGdiDdDDIGetScanLine', # 0x2eb 'NtGdiDdDDISetQueuedLimit', # 0x2ec 'NtGdiDdDDIPollDisplayChildren', # 0x2ed 'NtGdiDdDDIInvalidateActiveVidPn', # 0x2ee 'NtGdiDdDDICheckOcclusion', # 0x2ef 'NtGdiDdDDIWaitForIdle', # 0x2f0 'NtGdiDdDDICheckMonitorPowerState', # 0x2f1 'NtGdiDdDDICheckExclusiveOwnership', # 0x2f2 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x2f3 'NtGdiDdDDISharedPrimaryLockNotification', # 0x2f4 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x2f5 'DxgStubEnableDirectDrawRedirection', # 0x2f6 'DxgStubDeleteDirectDrawObject', # 0x2f7 'NtGdiGetNumberOfPhysicalMonitors', # 0x2f8 'NtGdiGetPhysicalMonitors', # 0x2f9 'NtGdiGetPhysicalMonitorDescription', # 0x2fa 'NtGdiDestroyPhysicalMonitor', # 0x2fb 'NtGdiDDCCIGetVCPFeature', # 0x2fc 'NtGdiDDCCISetVCPFeature', # 0x2fd 
'NtGdiDDCCISaveCurrentSettings', # 0x2fe 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x2ff 'NtGdiDDCCIGetCapabilitiesString', # 0x300 'NtGdiDDCCIGetTimingReport', # 0x301 'NtUserSetMirrorRendering', # 0x302 'NtUserShowSystemCursor', # 0x303 ], ] ././@LongLink0000644000000000000000000000014700000000000011605 Lustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win7_sp1_x86_BBA98F40_vtypes.pyvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win7_sp1_x86_BBA98F40_vtypes.0000755000000000000000000164317113131215405031262 0ustar rootrootntkrnlmp_types = { '_CONFIGURATION_COMPONENT_DATA' : [ 0x34, { 'Parent' : [ 0x0, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x4, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x8, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0xc, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x30, ['pointer', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_2005' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x18, { 'u' : [ 0x0, ['__unnamed_1f77']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['__unnamed_2005']], 'LeftChild' : [ 0x10, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x14, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', ['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '__unnamed_200d' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_200f' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_200d']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x40, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 
'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, ['_LIST_ENTRY']], 'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x30, ['_LIST_ENTRY']], 'Specific' : [ 0x38, ['__unnamed_200f']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 
0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, 
['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned 
long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 
0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x34, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x1c, { 'InterceptorFunction' : [ 0x0, ['pointer', ['void']]], 'InterceptorValue' : [ 0x4, ['unsigned short']], 'ExtendedOptions' : [ 0x8, ['unsigned long']], 'StackTraceDepth' : [ 0xc, ['unsigned long']], 'MinTotalBlockSize' : [ 0x10, ['unsigned long']], 'MaxTotalBlockSize' : [ 0x14, ['unsigned long']], 'HeapLeakEnumerationRoutine' : [ 0x18, ['pointer', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } 
], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'Context' : [ 0xc, ['pointer', ['void']]], 'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x14, ['unsigned long']], 'Status' : [ 0x18, ['long']], 'Information' : [ 0x1c, ['pointer', ['void']]], 'WorkItem' : [ 0x20, ['_WORK_QUEUE_ITEM']], 'FailingDriver' : [ 0x30, ['pointer', ['_DRIVER_OBJECT']]], 'ReferenceCount' : [ 0x34, ['long']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, 
['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 
'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '__unnamed_208d' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x80, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 
0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_208d']], 'TargetProcessors' : [ 0x30, ['_KAFFINITY_EX']], 'PStateHandler' : [ 0x3c, ['pointer', ['void']]], 'PStateContext' : [ 0x40, ['unsigned long']], 'TStateHandler' : [ 0x44, ['pointer', ['void']]], 'TStateContext' : [ 0x48, ['unsigned long']], 'FeedbackHandler' : [ 0x4c, ['pointer', ['void']]], 'GetFFHThrottleState' : [ 0x50, ['pointer', ['void']]], 'State' : [ 0x58, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xb0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 
0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, 
['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'ProgrammedRTCTime' : [ 0x50, ['unsigned long long']], 'WakeOnRTC' : [ 0x58, ['unsigned char']], 'WakeTimerInfo' : [ 0x5c, ['pointer', ['_DIAGNOSTIC_BUFFER']]], 'FilteredCapabilities' : [ 0x60, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x28, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], 
'_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x228, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTransitions' : [ 0x8, ['unsigned long']], 'FailedTransitions' : [ 0xc, ['unsigned long']], 'InvalidBucketIndex' : [ 0x10, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 16, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_20d0' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_20d2' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 
'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_20d0']], 'Button' : [ 0xc, ['__unnamed_20d2']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', 
['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0xe8, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'EmInfFileImage' : [ 0x14, ['pointer', ['void']]], 'EmInfFileSize' : [ 0x18, ['unsigned long']], 'TriageDumpBlock' : [ 0x1c, ['pointer', ['void']]], 'LoaderPagesSpanned' : [ 0x20, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x24, ['pointer', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x28, ['pointer', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x2c, ['pointer', ['void']]], 'DrvDBSize' : [ 0x30, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x34, ['pointer', ['_NETWORK_LOADER_BLOCK']]], 'HalpIRQLToTPR' : [ 0x38, ['pointer', ['unsigned char']]], 'HalpVectorToIRQL' : [ 0x3c, ['pointer', ['unsigned char']]], 'FirmwareDescriptorListHead' : [ 0x40, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x48, ['pointer', ['void']]], 'AcpiTableSize' : [ 0x4c, ['unsigned long']], 'LastBootSucceeded' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LastBootShutdown' : [ 0x50, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPortAccessSupported' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x54, ['pointer', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x58, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x60, ['pointer', ['void']]], 'BootIdentifier' : [ 0x64, ['_GUID']], 'ResumePages' : [ 0x74, ['unsigned long']], 'DumpHeader' : [ 0x78, ['pointer', ['void']]], 'BgContext' : [ 0x7c, ['pointer', ['void']]], 'NumaLocalityInfo' : [ 0x80, ['pointer', ['void']]], 'NumaGroupAssignment' : [ 0x84, ['pointer', ['void']]], 'AttachedHives' : [ 0x88, ['_LIST_ENTRY']], 'MemoryCachingRequirementsCount' : [ 0x90, ['unsigned long']], 'MemoryCachingRequirements' : [ 0x94, ['pointer', ['void']]], 'TpmBootEntropyResult' : [ 0x98, ['_TPM_BOOT_ENTROPY_LDR_RESULT']], 'ProcessorCounterFrequency' : [ 0xe0, ['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x298, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 
0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned 
long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x18, { 'Mdl' : [ 0x0, ['pointer', ['_MDL']]], 'UserVa' : [ 0x4, ['pointer', ['void']]], 'UserLimit' : [ 0x8, ['pointer', ['void']]], 'SystemVa' : [ 0xc, ['pointer', ['void']]], 'SystemLimit' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_PROC_HISTORY_ENTRY' : [ 0x4, { 'Utility' : [ 0x0, ['unsigned short']], 'Frequency' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 
'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, 
native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x10, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0xc, ['pointer', ['void']]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_2164' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x2040, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2164']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'SessionObject' : [ 0x34, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x38, ['pointer', 
['void']]], 'ResidentProcessCount' : [ 0x3c, ['long']], 'SessionPoolAllocationFailures' : [ 0x40, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x50, ['_LIST_ENTRY']], 'LocaleId' : [ 0x58, ['unsigned long']], 'AttachCount' : [ 0x5c, ['unsigned long']], 'AttachGate' : [ 0x60, ['_KGATE']], 'WsListEntry' : [ 0x70, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 25, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd00, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xd38, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xd70, ['_MMSUPPORT']], 'Wsle' : [ 0xddc, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xde0, ['pointer', ['void']]], 'PagedPool' : [ 0xe00, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1f40, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1f44, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f68, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1f88, ['long']], 'PagedPoolPdeCount' : [ 0x1f8c, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f90, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f94, ['unsigned long']], 'SystemPteInfo' : [ 0x1f98, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1fc8, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1fcc, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1fd0, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fd4, ['unsigned long']], 'IoState' : [ 0x1fd8, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1fdc, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fe0, ['_KEVENT']], 'CreateTime' : [ 0x1ff0, ['unsigned long long']], 'SessionPoolPdes' : [ 0x1ff8, ['_RTL_BITMAP']], 'CpuQuotaBlock' : [ 0x2000, ['pointer', ['_PS_CPU_QUOTA_BLOCK']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, 
['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 
'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned 
long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], 
'_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0x78, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'FeedbackHandler' : [ 0x18, ['pointer', ['void']]], 'GetFFHThrottleState' : [ 0x1c, ['pointer', ['void']]], 'BoostPolicyHandler' : [ 0x20, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x24, ['pointer', ['void']]], 'PerfHandler' : [ 0x28, ['pointer', ['void']]], 'Processors' : [ 0x2c, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'PerfChangeTime' : [ 0x30, ['unsigned long long']], 'ProcessorCount' : [ 0x38, ['unsigned long']], 'PreviousFrequencyMhz' : [ 0x3c, ['unsigned long']], 'CurrentFrequencyMhz' : [ 0x40, ['unsigned long']], 'PreviousFrequency' : [ 0x44, ['unsigned long']], 
'CurrentFrequency' : [ 0x48, ['unsigned long']], 'CurrentPerfContext' : [ 0x4c, ['unsigned long']], 'DesiredFrequency' : [ 0x50, ['unsigned long']], 'MaxFrequency' : [ 0x54, ['unsigned long']], 'MinPerfPercent' : [ 0x58, ['unsigned long']], 'MinThrottlePercent' : [ 0x5c, ['unsigned long']], 'MaxPercent' : [ 0x60, ['unsigned long']], 'MinPercent' : [ 0x64, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x68, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x6c, ['unsigned long']], 'Coordination' : [ 0x70, ['unsigned char']], 'PerfChangeIntervalCount' : [ 0x74, ['long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x14, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', 
['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x24, { 'PteBase' : [ 0x0, ['pointer', ['_MMPTE']]], 'Lock' : [ 0x4, ['unsigned long']], 'Paged' : [ 0x8, ['_MI_SPECIAL_POOL_PTE_LIST']], 'NonPaged' : [ 0x10, ['_MI_SPECIAL_POOL_PTE_LIST']], 'PagesInUse' : [ 0x18, ['long']], 'SpecialPoolPdes' : [ 0x1c, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], 
'_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_21f1' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_21f3' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_21f1']], 'Merged' : [ 0x10, ['__unnamed_21f3']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 
'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_21fb' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_21fb']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x3c, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_1f77']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_2005']], 'LeftChild' : [ 0x24, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x28, ['pointer', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned 
long']], 'NumberOfPfnReferences' : [ 0x38, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x38, { 'GetTime' : [ 0x0, ['unsigned long']], 'SetTime' : [ 0x4, ['unsigned long']], 'GetWakeupTime' : [ 0x8, ['unsigned long']], 'SetWakeupTime' : [ 0xc, ['unsigned long']], 'SetVirtualAddressMap' : [ 0x10, ['unsigned long']], 'ConvertPointer' : [ 0x14, ['unsigned long']], 'GetVariable' : [ 0x18, ['unsigned long']], 'GetNextVariableName' : [ 0x1c, ['unsigned long']], 'SetVariable' : [ 0x20, ['unsigned long']], 'GetNextHighMonotonicCount' : [ 0x24, ['unsigned long']], 'ResetSystem' : [ 0x28, ['unsigned long']], 'UpdateCapsule' : [ 0x2c, ['unsigned long']], 'QueryCapsuleCapabilities' : [ 0x30, ['unsigned long']], 'QueryVariableInfo' : [ 0x34, ['unsigned long']], } ], '_MI_SPECIAL_POOL_PTE_LIST' : [ 0x8, { 'FreePteHead' : [ 0x0, ['_MMPTE']], 'FreePteTail' : [ 0x4, ['_MMPTE']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 
'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_2211' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_2215' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 
'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_2211']], 'u2' : [ 0x24, ['__unnamed_2215']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x2c, ['array', 1, ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '__unnamed_221e' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2220' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_221e']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x90, { 'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_2220']], 'Signature' : [ 0x14, ['unsigned long']], 'PoolPageHeaders' : [ 0x18, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, 
['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x54, ['pointer', ['void']]], } ], '_CM_KEY_NODE' 
: [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_TPM_BOOT_ENTROPY_LDR_RESULT' : [ 0x48, { 'Policy' : [ 0x0, ['unsigned long long']], 'ResultCode' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'TpmBootEntropyStructureUninitialized', 1: 'TpmBootEntropyDisabledByPolicy', 2: 'TpmBootEntropyNoTpmFound', 3: 'TpmBootEntropyTpmError', 4: 'TpmBootEntropySuccess'})]], 'ResultStatus' : [ 0xc, ['long']], 'Time' : [ 0x10, ['unsigned long long']], 'EntropyLength' : [ 0x18, ['unsigned long']], 'EntropyData' : [ 0x1c, ['array', 40, ['unsigned char']]], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', 
['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x28, ['pointer', ['void']]], 'CallersCaller' : [ 0x2c, ['pointer', ['void']]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 
'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned 
long']], 'CompletionEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x3c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GroupRegList' : [ 0x8, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer', ['_ETW_GUID_ENTRY']]], 'GroupEntry' : [ 0x14, ['pointer', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'EnableMask' : [ 0x1c, ['unsigned char']], 'GroupEnableMask' : [ 0x1d, ['unsigned char']], 'UseDescriptorType' : [ 0x1e, ['unsigned char']], 'SessionId' : [ 0x20, ['unsigned long']], 'ReplyQueue' : [ 0x20, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x20, ['array', 4, ['pointer', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x30, ['pointer', ['_EPROCESS']]], 'Callback' : [ 0x30, ['pointer', ['void']]], 'CallbackContext' : [ 0x34, ['pointer', ['void']]], 'Traits' : [ 0x38, ['pointer', ['_ETW_PROVIDER_TRAITS']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' 
: [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', 
-1: 'ArbiterResultUndefined'})]], } ], '_ETW_PROVIDER_TRAITS' : [ 0x14, { 'Node' : [ 0x0, ['_RTL_BALANCED_NODE']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'Traits' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1a8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x1c, ['unsigned char']], 'Order' : [ 0x20, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x190, ['_LIST_ENTRY']], 'Status' : [ 0x198, ['long']], 'FailedDevice' : [ 0x19c, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1a0, ['unsigned char']], 'Cancelled' : [ 0x1a1, ['unsigned char']], 'IgnoreErrors' : [ 0x1a2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1a3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1a4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : 
[ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'ContainsDebug' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, 
['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x40, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'IdleCheck' : [ 0xc, ['pointer', ['void']]], 'IdleHandler' : [ 0x10, ['pointer', ['void']]], 'HvConfig' : [ 0x18, ['unsigned long long']], 'Context' : [ 0x20, ['pointer', ['void']]], 'Latency' : [ 0x24, ['unsigned long']], 'Power' : [ 0x28, ['unsigned long']], 'TimeCheck' : [ 0x2c, ['unsigned long']], 'StateFlags' : [ 0x30, ['unsigned long']], 'PromotePercent' : [ 0x34, ['unsigned char']], 'DemotePercent' : [ 0x35, ['unsigned char']], 'PromotePercentBase' : [ 0x36, ['unsigned char']], 'DemotePercentBase' : [ 0x37, ['unsigned char']], 'StateType' : [ 0x38, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 
'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_229b' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x40, { 'Lock' : [ 0x0, ['long']], 'NodeToFree' : [ 0x4, ['pointer', ['void']]], 'NodeRangeSize' : [ 0x8, ['unsigned long']], 'NodeCount' : [ 0xc, ['unsigned long']], 'Tables' : [ 0x10, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_229b']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_RELATION_LIST_ENTRY' : [ 0xc, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned 
long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x403c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40d8, ['long']], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 
0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_CONFIGURATION_COMPONENT' : [ 0x24, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'Group' : [ 0x14, ['unsigned 
short']], 'GroupIndex' : [ 0x16, ['unsigned short']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer', ['unsigned char']]], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, 
['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', 
['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, ['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x12, ['unsigned short']], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_22f8' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_22fa' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_22f8']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_22fa']], } ], '_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA' : [ 0x8, { 'CapturedCpuShareWeight' : [ 0x0, ['unsigned long']], 'CapturedTotalWeight' : [ 0x4, ['unsigned long']], 'CombinedData' : [ 
0x0, ['long long']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_230d' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_230d']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 
'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x18, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 
0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 
64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, 
['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x3c, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_2365' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', 
['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_2367' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_236b' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_236f' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_2371' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_2365']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2367']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_236b']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_236f']], 'Others' : [ 0x0, ['__unnamed_2371']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0xa0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 
'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'Reset' : [ 0x3, ['unsigned char']], 'HiberFlags' : [ 0x4, ['unsigned char']], 'WroteHiberFile' : [ 0x5, ['unsigned char']], 'MapFrozen' : [ 0x6, ['unsigned char']], 'MemoryMap' : [ 0x8, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x10, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x18, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x20, ['unsigned long']], 'NextCloneRange' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x28, ['unsigned long']], 'LoaderMdl' : [ 0x2c, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x30, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x38, ['unsigned long long']], 'IoPages' : [ 0x40, ['pointer', ['void']]], 'IoPagesCount' : [ 0x44, ['unsigned long']], 'CurrentMcb' : [ 0x48, ['pointer', ['void']]], 'DumpStack' : [ 0x4c, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x50, ['pointer', ['_KPROCESSOR_STATE']]], 'PreferredIoWriteSize' : [ 0x54, ['unsigned long']], 'IoProgress' : [ 0x58, ['unsigned long']], 'HiberVa' : [ 0x5c, ['unsigned long']], 'HiberPte' : [ 0x60, ['_LARGE_INTEGER']], 'Status' : [ 0x68, ['long']], 'MemoryImage' : [ 0x6c, ['pointer', ['PO_MEMORY_IMAGE']]], 'CompressionWorkspace' : [ 0x70, ['pointer', ['void']]], 'CompressedWriteBuffer' : [ 0x74, ['pointer', ['unsigned char']]], 'CompressedWriteBufferSize' : [ 0x78, ['unsigned long']], 'MaxCompressedOutputSize' : [ 0x7c, ['unsigned long']], 'PerformanceStats' : [ 0x80, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x84, ['pointer', ['void']]], 'DmaIO' : [ 0x88, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x8c, ['pointer', ['void']]], 'BootLoaderLogMdl' : [ 0x90, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0x94, ['pointer', ['_MDL']]], 'ResumeContext' : [ 0x98, ['pointer', ['void']]], 'ResumeContextPages' : [ 0x9c, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, 
['_UNICODE_STRING']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x20, { 'ThreadHandle' : [ 0x0, ['pointer', ['void']]], 'ThreadId' : [ 0x4, ['pointer', ['void']]], 'ProcessId' : [ 0x8, ['pointer', ['void']]], 'Code' : [ 0xc, ['unsigned long']], 'Parameter1' : [ 0x10, ['unsigned long']], 'Parameter2' : [ 0x14, ['unsigned long']], 'Parameter3' : [ 0x18, ['unsigned long']], 'Parameter4' : [ 0x1c, ['unsigned long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, ['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], 
'_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '__unnamed_2395' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_2395']], } ], '__unnamed_2399' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2399']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xe0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'HiberPte' : [ 0x38, 
['_LARGE_INTEGER']], 'NoFreePages' : [ 0x40, ['unsigned long']], 'FreeMapCheck' : [ 0x44, ['unsigned long']], 'WakeCheck' : [ 0x48, ['unsigned long']], 'FirstTablePage' : [ 0x4c, ['unsigned long']], 'PerfInfo' : [ 0x50, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xa8, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xac, ['array', 1, ['unsigned long']]], 'NoBootLoaderLogPages' : [ 0xb0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xb4, ['array', 8, ['unsigned long']]], 'NotUsed' : [ 0xd4, ['unsigned long']], 'ResumeContextCheck' : [ 0xd8, ['unsigned long']], 'ResumeContextPages' : [ 0xdc, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x58, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'ElapsedTicks' : [ 0x18, ['unsigned long long']], 'CompressTicks' : [ 0x20, ['unsigned long long']], 'ResumeAppTime' : [ 0x28, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x30, ['unsigned long long']], 'BytesCopied' : [ 0x38, ['unsigned long long']], 'PagesProcessed' : [ 0x40, ['unsigned long long']], 'PagesWritten' : [ 0x48, ['unsigned long']], 'DumpCount' : [ 0x4c, ['unsigned long']], 'FileRuns' : [ 0x50, ['unsigned long']], } ], '_DEVICE_FLAGS' : [ 
0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x18, { 'Entry' : [ 0x0, ['unsigned long']], 'Writable' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], 'ViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x10, ['pointer', ['void']]], 'SessionId' : [ 0x14, ['unsigned long']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x34, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0xc, ['pointer', ['unsigned char']]], 'PciDeviceId' : [ 0x10, ['unsigned short']], 'PciVendorId' : [ 0x12, ['unsigned short']], 'PciBusNumber' : [ 0x14, ['unsigned char']], 'PciBusSegment' : [ 0x16, ['unsigned short']], 'PciSlotNumber' : [ 0x18, ['unsigned char']], 'PciFunctionNumber' : [ 0x19, ['unsigned char']], 'PciFlags' : [ 0x1c, ['unsigned long']], 'SystemGUID' : [ 0x20, ['_GUID']], 'IsMMIODevice' : [ 0x30, ['unsigned char']], 'TerminalType' : [ 0x31, ['unsigned char']], } ], '__unnamed_23c1' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_23c3' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_23c5' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_23c1']], 'Gpt' : [ 0x0, ['__unnamed_23c3']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, 
['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_23c5']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x30, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x8, ['unsigned long']], 'Hint' : [ 0xc, ['unsigned long']], 'BasePte' : [ 0x10, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'Vm' : [ 0x18, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x1c, ['long']], 'TotalFreeSystemPtes' : [ 0x20, ['long']], 'CachedPteCount' : [ 0x24, ['long']], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x2c, ['unsigned long']], 'GlobalMutex' : [ 0x2c, ['pointer', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x10, { 'DHCPServerACK' : [ 0x0, ['pointer', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x4, ['unsigned long']], 'BootServerReplyPacket' : [ 0x8, ['pointer', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0xc, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x170, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 9, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 
'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 
'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, 
['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TscQpcData' : [ 0x2ed, ['unsigned char']], 'TscQpcEnabled' : [ 0x2ed, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TscQpcSpareFlag' : [ 0x2ed, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TscQpcShift' : [ 0x2ed, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'TscQpcPad' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'DEPRECATED_Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved5' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned short']], 'Reserved4' : [ 0x3c6, ['unsigned short']], 'AitSamplingValue' : [ 0x3c8, ['unsigned long']], 'AppCompatFlag' : [ 0x3cc, ['unsigned long']], 'DEPRECATED_SystemDllNativeRelocation' : [ 0x3d0, ['unsigned long long']], 'DEPRECATED_SystemDllWowRelocation' 
: [ 0x3d8, ['unsigned long']], 'XStatePad' : [ 0x3dc, ['array', 1, ['unsigned long']]], 'XState' : [ 0x3e0, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1041' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1041']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1045' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1045']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_105e' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1060' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_105e']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_1060']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_INVALID'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TP_TASK' : [ 0x14, { 'Callbacks' : [ 0x0, ['pointer', ['_TP_TASK_CALLBACKS']]], 'NumaNode' : [ 0x4, ['unsigned long']], 
'IdealProcessor' : [ 0x8, ['unsigned char']], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], } ], '_TP_TASK_CALLBACKS' : [ 0x8, { 'ExecuteCallback' : [ 0x0, ['pointer', ['void']]], 'Unposted' : [ 0x4, ['pointer', ['void']]], } ], '_TP_DIRECT' : [ 0xc, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'NumaNode' : [ 0x4, ['unsigned long']], 'IdealProcessor' : [ 0x8, ['unsigned char']], } ], '_TEB' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, 
['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'EtwLocalData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, 
['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, 
native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } 
], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KPCR' : [ 0x3748, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, 
['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x3628, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : [ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x338, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'PrcbPad0' : [ 0x3be, ['array', 2, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'CpuVendor' : [ 0x3c4, ['unsigned char']], 'GroupIndex' : [ 0x3c5, ['unsigned char']], 'Group' : [ 0x3c6, ['unsigned short']], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, ['unsigned long']], 'PrcbPad1' : [ 0x3d0, ['array', 72, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x4a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x4a4, ['unsigned long']], 'KernelTime' : [ 0x4a8, ['unsigned long']], 'UserTime' : [ 0x4ac, ['unsigned long']], 'DpcTime' : [ 0x4b0, 
['unsigned long']], 'DpcTimeCount' : [ 0x4b4, ['unsigned long']], 'InterruptTime' : [ 0x4b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4bc, ['unsigned long']], 'PageColor' : [ 0x4c0, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c4, ['unsigned char']], 'NodeColor' : [ 0x4c5, ['unsigned char']], 'PrcbPad20' : [ 0x4c6, ['array', 2, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'ParentNode' : [ 0x4cc, ['pointer', ['_KNODE']]], 'SecondaryColorMask' : [ 0x4d0, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d4, ['unsigned long']], 'PrcbPad21' : [ 0x4d8, ['array', 2, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' : [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x520, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, ['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, ['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : [ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, 
['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x570, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, ['unsigned long']]], 'PPLookasideList' : [ 0x5a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x1820, ['unsigned long']], 'ReverseStall' : [ 0x1824, ['long']], 'IpiFrame' : [ 0x1828, ['pointer', ['void']]], 'PrcbPad3' : [ 0x182c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x1860, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x186c, ['unsigned long']], 'WorkerRoutine' : [ 0x1870, ['pointer', ['void']]], 'IpiFrozen' : [ 0x1874, ['unsigned long']], 'PrcbPad4' : [ 0x1878, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x18a0, ['unsigned long']], 'SignalDone' : [ 0x18a4, ['pointer', ['_KPRCB']]], 'PrcbPad50' : [ 0x18a8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x18e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1908, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x190c, ['long']], 'DpcRequestRate' : [ 0x1910, ['unsigned long']], 'MinimumDpcRate' : [ 0x1914, ['unsigned long']], 'DpcLastCount' : [ 0x1918, ['unsigned long']], 
'PrcbLock' : [ 0x191c, ['unsigned long']], 'DpcGate' : [ 0x1920, ['_KGATE']], 'ThreadDpcEnable' : [ 0x1930, ['unsigned char']], 'QuantumEnd' : [ 0x1931, ['unsigned char']], 'DpcRoutineActive' : [ 0x1932, ['unsigned char']], 'IdleSchedule' : [ 0x1933, ['unsigned char']], 'DpcRequestSummary' : [ 0x1934, ['long']], 'DpcRequestSlot' : [ 0x1934, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x1934, ['short']], 'DpcThreadActive' : [ 0x1936, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ThreadDpcState' : [ 0x1936, ['short']], 'TimerHand' : [ 0x1938, ['unsigned long']], 'LastTick' : [ 0x193c, ['unsigned long']], 'MasterOffset' : [ 0x1940, ['long']], 'PrcbPad41' : [ 0x1944, ['array', 2, ['unsigned long']]], 'PeriodicCount' : [ 0x194c, ['unsigned long']], 'PeriodicBias' : [ 0x1950, ['unsigned long']], 'TickOffset' : [ 0x1958, ['unsigned long long']], 'TimerTable' : [ 0x1960, ['_KTIMER_TABLE']], 'CallDpc' : [ 0x31a0, ['_KDPC']], 'ClockKeepAlive' : [ 0x31c0, ['long']], 'ClockCheckSlot' : [ 0x31c4, ['unsigned char']], 'ClockPollCycle' : [ 0x31c5, ['unsigned char']], 'PrcbPad6' : [ 0x31c6, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x31c8, ['long']], 'DpcWatchdogCount' : [ 0x31cc, ['long']], 'ThreadWatchdogPeriod' : [ 0x31d0, ['long']], 'ThreadWatchdogCount' : [ 0x31d4, ['long']], 'KeSpinLockOrdering' : [ 0x31d8, ['long']], 'PrcbPad70' : [ 0x31dc, ['array', 1, ['unsigned long']]], 'WaitListHead' : [ 0x31e0, ['_LIST_ENTRY']], 'WaitLock' : [ 0x31e8, ['unsigned long']], 'ReadySummary' : [ 0x31ec, ['unsigned long']], 'QueueIndex' : [ 0x31f0, ['unsigned long']], 'DeferredReadyListHead' : [ 0x31f4, ['_SINGLE_LIST_ENTRY']], 'StartCycles' : [ 0x31f8, ['unsigned long long']], 'CycleTime' : [ 0x3200, ['unsigned long long']], 'HighCycleTime' : [ 0x3208, ['unsigned long']], 'PrcbPad71' : [ 0x320c, ['unsigned long']], 'PrcbPad72' : [ 0x3210, ['array', 2, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x3220, ['array', 32, 
['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3320, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3324, ['long']], 'MmPageFaultCount' : [ 0x3328, ['long']], 'MmCopyOnWriteCount' : [ 0x332c, ['long']], 'MmTransitionCount' : [ 0x3330, ['long']], 'MmCacheTransitionCount' : [ 0x3334, ['long']], 'MmDemandZeroCount' : [ 0x3338, ['long']], 'MmPageReadCount' : [ 0x333c, ['long']], 'MmPageReadIoCount' : [ 0x3340, ['long']], 'MmCacheReadCount' : [ 0x3344, ['long']], 'MmCacheIoCount' : [ 0x3348, ['long']], 'MmDirtyPagesWriteCount' : [ 0x334c, ['long']], 'MmDirtyWriteIoCount' : [ 0x3350, ['long']], 'MmMappedPagesWriteCount' : [ 0x3354, ['long']], 'MmMappedWriteIoCount' : [ 0x3358, ['long']], 'CachedCommit' : [ 0x335c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3360, ['unsigned long']], 'HyperPte' : [ 0x3364, ['pointer', ['void']]], 'PrcbPad8' : [ 0x3368, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x336c, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x3379, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x337a, ['unsigned char']], 'PrcbPad9' : [ 0x337b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x3380, ['unsigned long']], 'UpdateSignature' : [ 0x3388, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3390, ['unsigned long long']], 'RuntimeAccumulation' : [ 0x3398, ['unsigned long long']], 'PowerState' : [ 0x33a0, ['_PROCESSOR_POWER_STATE']], 'DpcWatchdogDpc' : [ 0x3468, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3488, ['_KTIMER']], 'WheaInfo' : [ 0x34b0, ['pointer', ['void']]], 'EtwSupport' : [ 0x34b4, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x34b8, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x34c0, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x34c8, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x34cc, ['pointer', ['void']]], 'StatisticsPage' : [ 0x34d0, ['pointer', ['unsigned long long']]], 'RateControl' : [ 0x34d4, ['pointer', ['void']]], 'Cache' : [ 0x34d8, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 
0x3514, ['unsigned long']], 'CacheProcessorMask' : [ 0x3518, ['array', 5, ['unsigned long']]], 'PackageProcessorSet' : [ 0x352c, ['_KAFFINITY_EX']], 'PrcbPad91' : [ 0x3538, ['array', 1, ['unsigned long']]], 'CoreProcessorSet' : [ 0x353c, ['unsigned long']], 'TimerExpirationDpc' : [ 0x3540, ['_KDPC']], 'SpinLockAcquireCount' : [ 0x3560, ['unsigned long']], 'SpinLockContentionCount' : [ 0x3564, ['unsigned long']], 'SpinLockSpinCount' : [ 0x3568, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0x356c, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x3570, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x3574, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x3578, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x357c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x3580, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x3584, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x3588, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x358c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x3590, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x3594, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x3598, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x359c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x35a0, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x35a4, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x35a8, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x35ac, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x35b0, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x35b4, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x35b8, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x35bc, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x35c0, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x35c4, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 
0x35c8, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x35cc, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x35d0, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x35d4, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x35d8, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x35dc, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x35e0, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x35e4, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x35e8, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x35ec, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x35f0, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x35f4, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x35f8, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x35fc, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0x3600, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0x3604, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0x3608, ['unsigned long']], 'ExBoostSharedOwners' : [ 0x360c, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0x3610, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0x3614, ['unsigned long']], 'Context' : [ 0x3618, ['pointer', ['_CONTEXT']]], 'ContextFlags' : [ 0x361c, ['unsigned long']], 'ExtendedState' : [ 0x3620, ['pointer', ['_XSAVE_AREA']]], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 
'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x200, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'HighCycleTime' : [ 0x18, ['unsigned long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer', ['void']]], 'StackLimit' : [ 0x2c, ['pointer', ['void']]], 'KernelStack' : [ 0x30, ['pointer', ['void']]], 'ThreadLock' : [ 0x34, ['unsigned long']], 'WaitRegister' : [ 0x38, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x39, ['unsigned char']], 'Alerted' : [ 0x3a, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x3c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x3c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x3c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x3c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x3c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x3c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x3c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x3c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x3c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x3c, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x3c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'TimerActive' : [ 0x3c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SystemThread' : [ 0x3c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Reserved' : [ 0x3c, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x3c, ['long']], 'ApcState' : [ 0x40, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x40, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x57, ['unsigned char']], 'NextProcessor' : [ 0x58, ['unsigned long']], 'DeferredProcessor' : [ 0x5c, ['unsigned long']], 'ApcQueueLock' : [ 0x60, ['unsigned long']], 'ContextSwitches' : [ 0x64, ['unsigned long']], 'State' : [ 0x68, ['unsigned char']], 'NpxState' : [ 0x69, ['unsigned char']], 'WaitIrql' : [ 0x6a, ['unsigned char']], 'WaitMode' : [ 0x6b, ['unsigned char']], 'WaitStatus' : [ 0x6c, ['long']], 'WaitBlockList' : [ 0x70, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x74, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x74, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x7c, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x80, ['unsigned long']], 'KernelApcDisable' : [ 0x84, ['short']], 'SpecialApcDisable' : [ 0x86, ['short']], 'CombinedApcDisable' : [ 0x84, ['unsigned long']], 'Teb' : [ 0x88, ['pointer', ['void']]], 'Timer' : [ 0x90, ['_KTIMER']], 'AutoAlignment' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xb8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xb8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xb8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CalloutActive' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned 
long')]], 'ApcQueueable' : [ 0xb8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xb8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'GuiThread' : [ 0xb8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'VdmSafe' : [ 0xb8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'UmsDispatched' : [ 0xb8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb8, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xb8, ['long']], 'ServiceTable' : [ 0xbc, ['pointer', ['void']]], 'WaitBlock' : [ 0xc0, ['array', 4, ['_KWAIT_BLOCK']]], 'QueueListEntry' : [ 0x120, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x128, ['pointer', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x12c, ['pointer', ['void']]], 'CallbackStack' : [ 0x130, ['pointer', ['void']]], 'CallbackDepth' : [ 0x130, ['unsigned long']], 'ApcStateIndex' : [ 0x134, ['unsigned char']], 'BasePriority' : [ 0x135, ['unsigned char']], 'PriorityDecrement' : [ 0x136, ['unsigned char']], 'ForegroundBoost' : [ 0x136, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x136, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x137, ['unsigned char']], 'AdjustReason' : [ 0x138, ['unsigned char']], 'AdjustIncrement' : [ 0x139, ['unsigned char']], 'PreviousMode' : [ 0x13a, ['unsigned char']], 'Saturation' : [ 0x13b, ['unsigned char']], 'SystemCallNumber' : [ 0x13c, ['unsigned long']], 'FreezeCount' : [ 0x140, ['unsigned long']], 'UserAffinity' : [ 0x144, ['_GROUP_AFFINITY']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x154, ['_GROUP_AFFINITY']], 'IdealProcessor' : [ 0x160, ['unsigned long']], 
'UserIdealProcessor' : [ 0x164, ['unsigned long']], 'ApcStatePointer' : [ 0x168, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x170, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x170, ['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x187, ['unsigned char']], 'SuspendCount' : [ 0x188, ['unsigned char']], 'Spare1' : [ 0x189, ['unsigned char']], 'OtherPlatformFill' : [ 0x18a, ['unsigned char']], 'Win32Thread' : [ 0x18c, ['pointer', ['void']]], 'StackBase' : [ 0x190, ['pointer', ['void']]], 'SuspendApc' : [ 0x194, ['_KAPC']], 'SuspendApcFill0' : [ 0x194, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x195, ['unsigned char']], 'SuspendApcFill1' : [ 0x194, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x197, ['unsigned char']], 'SuspendApcFill2' : [ 0x194, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x198, ['unsigned long']], 'SuspendApcFill3' : [ 0x194, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b8, ['pointer', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x194, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1bc, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x194, ['array', 47, ['unsigned char']]], 'LargeStack' : [ 0x1c3, ['unsigned char']], 'UserTime' : [ 0x1c4, ['unsigned long']], 'SuspendSemaphore' : [ 0x1c8, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x1c8, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1dc, ['unsigned long']], 'ThreadListEntry' : [ 0x1e0, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1e8, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1f0, ['pointer', ['void']]], 'ThreadCounters' : [ 0x1f4, ['pointer', ['_KTHREAD_COUNTERS']]], 'XStateSave' : [ 0x1f8, ['pointer', ['_XSTATE_SAVE']]], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 
'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, 
['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_ETHREAD' : [ 0x2b8, { 'Tcb' : [ 0x0, 
['_KTHREAD']], 'CreateTime' : [ 0x200, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x208, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x208, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x210, ['long']], 'PostBlockList' : [ 0x214, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x214, ['pointer', ['void']]], 'StartAddress' : [ 0x218, ['pointer', ['void']]], 'TerminationPort' : [ 0x21c, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x21c, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x21c, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x220, ['unsigned long']], 'ActiveTimerListHead' : [ 0x224, ['_LIST_ENTRY']], 'Cid' : [ 0x22c, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x234, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x234, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x248, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x24c, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x254, ['unsigned long']], 'DeviceToVerify' : [ 0x258, ['pointer', ['_DEVICE_OBJECT']]], 'CpuQuotaApc' : [ 0x25c, ['pointer', ['_PSP_CPU_QUOTA_APC']]], 'Win32StartAddress' : [ 0x260, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x264, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x268, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x270, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x274, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x278, ['unsigned long']], 'MmLockOrdering' : [ 0x27c, ['long']], 'CrossThreadFlags' : [ 0x280, ['unsigned long']], 'Terminated' : [ 0x280, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x280, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x280, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x280, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x280, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x280, ['BitField', dict(start_bit = 5, 
end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x280, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x280, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x280, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x280, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x280, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x280, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x280, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NeedsWorkingSetAging' : [ 0x280, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x284, ['unsigned long']], 'ActiveExWorker' : [ 0x284, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x284, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x284, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x284, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x284, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x284, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x284, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x288, ['unsigned long']], 'Spare' : [ 0x288, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x288, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 
'EtwPageFaultCalloutActive' : [ 0x288, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x288, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x288, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x289, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x289, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x289, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x289, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x289, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x289, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x289, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x289, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x28a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x28a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x28a, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x28a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x28a, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x28a, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x28b, ['unsigned char']], 'CacheManagerActive' : [ 0x28c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x28d, ['unsigned char']], 'ActiveFaultCount' : [ 0x28e, ['unsigned char']], 'LockOrderState' : [ 0x28f, ['unsigned char']], 'AlpcMessageId' : [ 0x290, ['unsigned long']], 'AlpcMessage' : [ 0x294, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x294, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x298, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x2a0, ['unsigned long']], 'IoBoostCount' : [ 0x2a4, ['unsigned long']], 'IrpListLock' : [ 0x2a8, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x2ac, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x2b0, ['_SINGLE_LIST_ENTRY']], 'KernelStackReference' : [ 0x2b4, ['unsigned long']], } ], '_EPROCESS' : [ 0x2d8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x98, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xa0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xa8, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xb0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0xc0, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xc8, ['array', 2, ['unsigned long']]], 'CommitCharge' : [ 0xd0, ['unsigned long']], 'QuotaBlock' : [ 0xd4, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0xd8, ['pointer', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0xdc, ['unsigned long']], 'VirtualSize' : [ 0xe0, ['unsigned long']], 'SessionProcessLinks' : [ 0xe4, ['_LIST_ENTRY']], 'DebugPort' : [ 0xec, ['pointer', ['void']]], 'ExceptionPortData' : [ 0xf0, 
['pointer', ['void']]], 'ExceptionPortValue' : [ 0xf0, ['unsigned long']], 'ExceptionPortState' : [ 0xf0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'ObjectTable' : [ 0xf4, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xf8, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xfc, ['unsigned long']], 'AddressCreationLock' : [ 0x100, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x104, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0x108, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x10c, ['unsigned long']], 'PhysicalVadRoot' : [ 0x110, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x114, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x118, ['unsigned long']], 'NumberOfLockedPages' : [ 0x11c, ['unsigned long']], 'Win32Process' : [ 0x120, ['pointer', ['void']]], 'Job' : [ 0x124, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x128, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x12c, ['pointer', ['void']]], 'Cookie' : [ 0x130, ['unsigned long']], 'Spare8' : [ 0x134, ['unsigned long']], 'WorkingSetWatch' : [ 0x138, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x13c, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x140, ['pointer', ['void']]], 'LdtInformation' : [ 0x144, ['pointer', ['void']]], 'VdmObjects' : [ 0x148, ['pointer', ['void']]], 'ConsoleHostProcess' : [ 0x14c, ['unsigned long']], 'DeviceMap' : [ 0x150, ['pointer', ['void']]], 'EtwDataSource' : [ 0x154, ['pointer', ['void']]], 'FreeTebHint' : [ 0x158, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x160, ['_HARDWARE_PTE']], 'Filler' : [ 0x160, ['unsigned long long']], 'Session' : [ 0x168, ['pointer', ['void']]], 'ImageFileName' : [ 0x16c, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x17b, ['unsigned char']], 'JobLinks' : [ 0x17c, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x184, ['pointer', ['void']]], 'ThreadListHead' : [ 0x188, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x190, ['pointer', ['void']]], 'PaeTop' : [ 0x194, ['pointer', 
['void']]], 'ActiveThreads' : [ 0x198, ['unsigned long']], 'ImagePathHash' : [ 0x19c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a0, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1a4, ['long']], 'Peb' : [ 0x1a8, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x1ac, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e0, ['unsigned long']], 'CommitChargePeak' : [ 0x1e4, ['unsigned long']], 'AweInfo' : [ 0x1e8, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1ec, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1f0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x25c, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x264, ['pointer', ['void']]], 'ModifiedPageCount' : [ 0x268, ['unsigned long']], 'Flags2' : [ 0x26c, ['unsigned long']], 'JobNotReallyActive' : [ 0x26c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x26c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x26c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x26c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x26c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x26c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x26c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x26c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x26c, ['BitField', 
dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x26c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x26c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x26c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x26c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x26c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x26c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x26c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x26c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x26c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x26c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x26c, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Spare1' : [ 0x26c, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0x26c, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0x26c, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'LowVaAccessible' : [ 0x26c, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Flags' : [ 0x270, ['unsigned long']], 'CreateReported' : [ 0x270, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x270, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 
0x270, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x270, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x270, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x270, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x270, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x270, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x270, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x270, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x270, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x270, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x270, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x270, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x270, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x270, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x270, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x270, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x270, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x270, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x270, ['BitField', dict(start_bit = 21, end_bit = 22, 
native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x270, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x270, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x270, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x270, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x270, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x270, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x270, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x270, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x274, ['long']], 'VadRoot' : [ 0x278, ['_MM_AVL_TABLE']], 'AlpcContext' : [ 0x298, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x2a8, ['_LIST_ENTRY']], 'RequestedTimerResolution' : [ 0x2b0, ['unsigned long']], 'ActiveThreadsHighWatermark' : [ 0x2b4, ['unsigned long']], 'SmallestTimerResolution' : [ 0x2b8, ['unsigned long']], 'TimerResolutionStackRecord' : [ 0x2bc, ['pointer', ['_PO_DIAG_STACK_RECORD']]], 'SequenceNumber' : [ 0x2c0, ['unsigned long long']], 'CreateInterruptTime' : [ 0x2c8, ['unsigned long long']], 'CreateUnbiasedInterruptTime' : [ 0x2d0, ['unsigned long long']], } ], '_KPROCESS' : [ 0x98, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'Affinity' : [ 0x38, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x44, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x4c, 
['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x50, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ActiveGroupsMask' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedFlags' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x5c, ['long']], 'BasePriority' : [ 0x60, ['unsigned char']], 'QuantumReset' : [ 0x61, ['unsigned char']], 'Visited' : [ 0x62, ['unsigned char']], 'Unused3' : [ 0x63, ['unsigned char']], 'ThreadSeed' : [ 0x64, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x68, ['array', 1, ['unsigned short']]], 'IdealGlobalNode' : [ 0x6a, ['unsigned short']], 'Flags' : [ 0x6c, ['_KEXECUTE_OPTIONS']], 'Unused1' : [ 0x6d, ['unsigned char']], 'IopmOffset' : [ 0x6e, ['unsigned short']], 'Unused4' : [ 0x70, ['unsigned long']], 'StackCount' : [ 0x74, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x78, ['_LIST_ENTRY']], 'CycleTime' : [ 0x80, ['unsigned long long']], 'KernelTime' : [ 0x88, ['unsigned long']], 'UserTime' : [ 0x8c, ['unsigned long']], 'VdmTrapcHandler' : [ 0x90, ['pointer', ['void']]], } ], '__unnamed_1292' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 
0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1292']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc0, { 'PrivilegesUsed' : [ 0x0, ['pointer', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], } ], '__unnamed_12a1' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_12a6' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_12a8' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_12a6']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_12b3' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_12b5' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_12b3']], 'Apc' : [ 0x0, ['_KAPC']], 
'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_12a1']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_12a8']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_12b5']], } ], '__unnamed_12bc' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_12c0' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_12c4' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_12c6' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, 
['_LARGE_INTEGER']], } ], '__unnamed_12ca' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 
'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_12cc' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_12ce' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 
'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], } ], '__unnamed_12d0' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 
'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12d2' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_12d4' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_12d8' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsMaximumInformation'})]], } ], '__unnamed_12da' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12dd' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_12df' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], 
'__unnamed_12e1' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_12e3' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_12e7' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_12eb' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_12ef' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_12f3' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_12f9' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12fd' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1301' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1303' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_1305' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1309' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], 
'__unnamed_130d' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1311' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1315' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1319' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1321' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1325' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1327' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1329' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' 
: [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_132b' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_12bc']], 'CreatePipe' : [ 0x0, ['__unnamed_12c0']], 'CreateMailslot' : [ 0x0, ['__unnamed_12c4']], 'Read' : [ 0x0, ['__unnamed_12c6']], 'Write' : [ 0x0, ['__unnamed_12c6']], 'QueryDirectory' : [ 0x0, ['__unnamed_12ca']], 'NotifyDirectory' : [ 0x0, ['__unnamed_12cc']], 'QueryFile' : [ 0x0, ['__unnamed_12ce']], 'SetFile' : [ 0x0, ['__unnamed_12d0']], 'QueryEa' : [ 0x0, ['__unnamed_12d2']], 'SetEa' : [ 0x0, ['__unnamed_12d4']], 'QueryVolume' : [ 0x0, ['__unnamed_12d8']], 'SetVolume' : [ 0x0, ['__unnamed_12d8']], 'FileSystemControl' : [ 0x0, ['__unnamed_12da']], 'LockControl' : [ 0x0, ['__unnamed_12dd']], 'DeviceIoControl' : [ 0x0, ['__unnamed_12df']], 'QuerySecurity' : [ 0x0, ['__unnamed_12e1']], 'SetSecurity' : [ 0x0, ['__unnamed_12e3']], 'MountVolume' : [ 0x0, ['__unnamed_12e7']], 'VerifyVolume' : [ 0x0, ['__unnamed_12e7']], 'Scsi' : [ 0x0, ['__unnamed_12eb']], 'QueryQuota' : [ 0x0, ['__unnamed_12ef']], 'SetQuota' : [ 0x0, ['__unnamed_12d4']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_12f3']], 'QueryInterface' : [ 0x0, ['__unnamed_12f9']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_12fd']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1301']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1303']], 'SetLock' : [ 0x0, ['__unnamed_1305']], 'QueryId' : [ 0x0, ['__unnamed_1309']], 'QueryDeviceText' : [ 0x0, ['__unnamed_130d']], 'UsageNotification' : [ 0x0, ['__unnamed_1311']], 'WaitWake' : [ 0x0, ['__unnamed_1315']], 'PowerSequence' : [ 0x0, ['__unnamed_1319']], 'Power' : [ 0x0, ['__unnamed_1321']], 'StartDevice' : [ 0x0, ['__unnamed_1325']], 'WMI' : [ 0x0, ['__unnamed_1327']], 'Others' : [ 0x0, ['__unnamed_1329']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' 
: [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_132b']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1341' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_1341']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', 
['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'Type' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['unsigned char']], 'Reserved2' : [ 0xe, ['unsigned short']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, 
['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 
0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 
0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x40, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' 
: [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '__unnamed_14ae' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'VolatileLong' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_14ae']], } ], '__unnamed_14bf' : [ 0xc, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0x88, { 'OsMajorVersion' : [ 0x0, ['unsigned long']], 'OsMinorVersion' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'LoadOrderListHead' : [ 0x10, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x18, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x20, ['_LIST_ENTRY']], 'KernelStack' : [ 0x28, ['unsigned long']], 'Prcb' : [ 0x2c, ['unsigned long']], 'Process' : [ 0x30, ['unsigned long']], 'Thread' : [ 0x34, ['unsigned long']], 'RegistryLength' : [ 0x38, ['unsigned long']], 'RegistryBase' : [ 0x3c, ['pointer', ['void']]], 'ConfigurationRoot' : [ 0x40, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x44, ['pointer', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x48, ['pointer', ['unsigned char']]], 'NtBootPathName' : [ 0x4c, ['pointer', ['unsigned char']]], 'NtHalPathName' : [ 0x50, ['pointer', ['unsigned char']]], 'LoadOptions' : [ 0x54, ['pointer', ['unsigned char']]], 'NlsData' : [ 0x58, ['pointer', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x5c, ['pointer', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0x60, ['pointer', ['void']]], 
'Extension' : [ 0x64, ['pointer', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0x68, ['__unnamed_14bf']], 'FirmwareInformation' : [ 0x74, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '__unnamed_14f0' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_14f2' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_14f5' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_14f7' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_14f5']], } ], '__unnamed_14fc' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 
'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_14f0']], 'u2' : [ 0x4, ['__unnamed_14f2']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0x8, ['long']], 'PteLong' : [ 0x8, ['unsigned long']], 'u3' : [ 0xc, ['__unnamed_14f7']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_14fc']], } ], '_MI_COLOR_BASE' : [ 0x8, { 'ColorPointer' : [ 0x0, ['pointer', ['unsigned short']]], 'ColorMask' : [ 0x4, ['unsigned short']], 'ColorNode' : [ 0x6, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x6c, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x4, ['pointer', ['_KGATE']]], 'AccessLog' : [ 0x8, ['pointer', ['void']]], 'WorkingSetExpansionLinks' : [ 0xc, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x14, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x30, ['unsigned long']], 'WorkingSetSize' : [ 0x34, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x38, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x3c, ['unsigned long']], 'ChargedWslePages' : [ 0x40, ['unsigned long']], 'ActualWslePages' : [ 0x44, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x48, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x4c, ['unsigned long']], 'HardFaultCount' : [ 0x50, ['unsigned long']], 'VmWorkingSetList' : [ 0x54, ['pointer', ['_MMWSL']]], 'NextPageColor' : [ 0x58, ['unsigned short']], 'LastTrimStamp' : [ 0x5a, ['unsigned short']], 'PageFaultCount' : [ 0x5c, ['unsigned long']], 'RepurposeCount' : [ 0x60, ['unsigned long']], 'Spare' : [ 0x64, ['array', 1, ['unsigned long']]], 'Flags' : [ 0x68, ['_MMSUPPORT_FLAGS']], } ], '_MMWSL' : [ 0x6a8, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', 
['_MMWSLE']]], 'LowestPagableAddress' : [ 0x14, ['pointer', ['void']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NextAgingSlot' : [ 0x1c, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x20, ['unsigned long']], 'VadBitMapHint' : [ 0x24, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long']], 'LastVadBit' : [ 0x2c, ['unsigned long']], 'MaximumLastVadBit' : [ 0x30, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x34, ['unsigned long']], 'LastAllocationSize' : [ 0x38, ['unsigned long']], 'NonDirectHash' : [ 0x3c, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x40, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x44, ['pointer', ['_MMWSLE_HASH']]], 'UsedPageTableEntries' : [ 0x48, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x648, ['array', 24, ['unsigned long']]], } ], '__unnamed_152c' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_152c']], } ], '__unnamed_1538' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1542' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1544' : [ 
0xc, { 'e2' : [ 0x0, ['__unnamed_1542']], } ], '_CONTROL_AREA' : [ 0x50, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_1538']], 'FlushInProgressCount' : [ 0x20, ['unsigned long']], 'FilePointer' : [ 0x24, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x28, ['long']], 'ModifiedWriteCount' : [ 0x2c, ['unsigned long']], 'StartingFrame' : [ 0x2c, ['unsigned long']], 'WaitList' : [ 0x30, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x34, ['__unnamed_1544']], 'LockedPages' : [ 0x40, ['unsigned long long']], 'ViewList' : [ 0x48, ['_LIST_ENTRY']], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 0x0, ['unsigned long']], } ], '_MMPAGING_FILE' : [ 0x50, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'File' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x1c, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x24, ['_UNICODE_STRING']], 'Bitmap' : [ 0x2c, ['pointer', ['_RTL_BITMAP']]], 'EvictStoreBitmap' : [ 0x30, ['pointer', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x34, ['unsigned long']], 'LastAllocationSize' : [ 0x38, ['unsigned long']], 'ToBeEvictedCount' : [ 0x3c, ['unsigned long']], 'PageFileNumber' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned short')]], 'Spare0' : [ 0x40, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x42, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x42, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x44, ['pointer', ['void']]], 'Lock' : [ 0x48, ['unsigned long']], 'LockOwner' : [ 0x4c, ['pointer', ['_ETHREAD']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '__unnamed_1584' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_1587' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_158a' : [ 0x4, { 'LongFlags3' : [ 0x0, ['unsigned long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x20, { 'u1' : [ 0x0, ['__unnamed_1584']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1587']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_158a']], } ], '__unnamed_1592' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', 
['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_1592']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '__unnamed_1597' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x3c, { 'u1' : [ 0x0, ['__unnamed_1584']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1587']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_158a']], 'u2' : [ 0x20, ['__unnamed_1597']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x24, ['pointer', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x30, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x38, ['pointer', ['_EPROCESS']]], } ], '__unnamed_15a2' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x40, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x14, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x18, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x1c, ['unsigned long']], 'MdlHack' : [ 0x20, ['__unnamed_15a2']], } ], '__unnamed_15a8' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_15aa' : [ 0x4, { 'KeepForever' : [ 0x0, ['unsigned long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_15a8']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, 
['__unnamed_15aa']], 'PagingFile' : [ 0x18, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x20, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x24, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x28, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x30, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x38, ['pointer', ['_MDL']]], 'Mdl' : [ 0x3c, ['_MDL']], 'Page' : [ 0x58, ['array', 1, ['unsigned long']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_HHIVE' : [ 0x2ec, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x24, ['pointer', ['void']]], 'BaseBlock' : [ 0x28, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x2c, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x34, ['unsigned long']], 'DirtyAlloc' : [ 0x38, ['unsigned long']], 'BaseBlockAlloc' : [ 0x3c, ['unsigned long']], 'Cluster' : [ 0x40, ['unsigned long']], 'Flat' : [ 0x44, ['unsigned char']], 'ReadOnly' : [ 0x45, ['unsigned char']], 'DirtyFlag' : [ 0x46, ['unsigned char']], 'HvBinHeadersUse' : [ 0x48, ['unsigned long']], 'HvFreeCellsUse' : [ 0x4c, ['unsigned long']], 'HvUsedCellsUse' : [ 0x50, ['unsigned long']], 'CmUsedCellsUse' : [ 0x54, ['unsigned long']], 'HiveFlags' : [ 0x58, ['unsigned long']], 'CurrentLog' : [ 0x5c, ['unsigned long']], 'LogSize' : [ 0x60, ['array', 2, 
['unsigned long']]], 'RefreshCount' : [ 0x68, ['unsigned long']], 'StorageTypeCount' : [ 0x6c, ['unsigned long']], 'Version' : [ 0x70, ['unsigned long']], 'Storage' : [ 0x74, ['array', 2, ['_DUAL']]], } ], '_CM_VIEW_OF_FILE' : [ 0x30, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'CmHive' : [ 0x18, ['pointer', ['_CMHIVE']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'ViewAddress' : [ 0x20, ['pointer', ['void']]], 'FileOffset' : [ 0x24, ['unsigned long']], 'Size' : [ 0x28, ['unsigned long']], 'UseCount' : [ 0x2c, ['unsigned long']], } ], '_CMHIVE' : [ 0x638, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2ec, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x304, ['_LIST_ENTRY']], 'HiveList' : [ 0x30c, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x314, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x31c, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x320, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x328, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x32c, ['unsigned long']], 'Identity' : [ 0x330, ['unsigned long']], 'HiveLock' : [ 0x334, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x338, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x33c, ['pointer', ['_KTHREAD']]], 'ViewLockLast' : [ 0x340, ['unsigned long']], 'ViewUnLockLast' : [ 0x344, ['unsigned long']], 'WriterLock' : [ 0x348, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x34c, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x350, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x358, ['pointer', ['CMP_OFFSET_ARRAY']]], 'FlushOffsetArrayCount' : [ 0x35c, ['unsigned long']], 'FlushHiveTruncated' : [ 0x360, ['unsigned long']], 'FlushLock2' : [ 0x364, ['pointer', ['_FAST_MUTEX']]], 'SecurityLock' : [ 0x368, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x36c, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x374, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x37c, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x384, ['unsigned 
short']], 'PinnedViewCount' : [ 0x386, ['unsigned short']], 'UseCount' : [ 0x388, ['unsigned long']], 'ViewsPerHive' : [ 0x38c, ['unsigned long']], 'FileObject' : [ 0x390, ['pointer', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x394, ['unsigned long']], 'ActualFileSize' : [ 0x398, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x3a0, ['_UNICODE_STRING']], 'FileUserName' : [ 0x3a8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x3b0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x3b8, ['unsigned long']], 'SecurityCacheSize' : [ 0x3bc, ['unsigned long']], 'SecurityHitHint' : [ 0x3c0, ['long']], 'SecurityCache' : [ 0x3c4, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x3c8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x5c8, ['unsigned long']], 'UnloadEventArray' : [ 0x5cc, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x5d0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x5d4, ['unsigned char']], 'UnloadWorkItem' : [ 0x5d8, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x5dc, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x5f0, ['unsigned char']], 'GrowOffset' : [ 0x5f4, ['unsigned long']], 'KcbConvertListHead' : [ 0x5f8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x600, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x608, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x60c, ['unsigned long']], 'TrustClassEntry' : [ 0x610, ['_LIST_ENTRY']], 'FlushCount' : [ 0x618, ['unsigned long']], 'CmRm' : [ 0x61c, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x620, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x624, ['long']], 'CreatorOwner' : [ 0x628, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0x62c, ['pointer', ['_KTHREAD']]], 'LastWriteTime' : [ 0x630, ['_LARGE_INTEGER']], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, 
native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0xc, ['_CM_KEY_HASH']], 'ConvKey' : [ 0xc, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x14, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], 'KcbPushlock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x20, ['pointer', ['_KTHREAD']]], 'SharedCount' : [ 0x20, ['long']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, ['unsigned long']], 'KcbUserFlags' 
: [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x6c, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x74, ['_LIST_ENTRY']], 'Stolen' : [ 0x74, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x7c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x80, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x88, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x90, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x98, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x9c, ['pointer', ['_UNICODE_STRING']]], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '__unnamed_162f' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_HvpRecoverWholeHive', 10: '_HvpMapFileImageAndBuildMap', 11: '_CmpValidateHiveSecurityDescriptors', 12: '_HvpEnlistBinInMap', 13: '_CmCheckRegistry', 14: '_CmRegistryIO', 15: '_CmCheckRegistry2', 16: '_CmpCheckKey', 17: '_CmpCheckValueList', 18: '_HvCheckHive', 19: '_HvCheckBin'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1632' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x4, ['pointer', ['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_1634' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1636' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', 
['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_1638' : [ 0x10, { 'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_163c' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_1640' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_1642' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x120, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned long']], 'RecoverableIndex' : [ 0x8, ['unsigned long']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_162f']]], 'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_162f']]], 'RegistryIO' : [ 0xcc, ['__unnamed_1632']], 'CheckRegistry2' : [ 0xd8, ['__unnamed_1634']], 'CheckKey' : [ 0xdc, ['__unnamed_1636']], 'CheckValueList' : [ 0xec, ['__unnamed_1638']], 'CheckHive' : [ 0xfc, ['__unnamed_163c']], 'CheckHive1' : [ 0x108, ['__unnamed_163c']], 'CheckBin' : [ 0x114, ['__unnamed_1640']], 'RecoverData' : [ 0x11c, ['__unnamed_1642']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0x80, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, 
['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'DpcCount' : [ 0x38, ['unsigned long']], 'DpcRate' : [ 0x3c, ['unsigned long']], 'C1Time' : [ 0x40, ['unsigned long long']], 'C2Time' : [ 0x48, ['unsigned long long']], 'C3Time' : [ 0x50, ['unsigned long long']], 'C1Transitions' : [ 0x58, ['unsigned long long']], 'C2Transitions' : [ 0x60, ['unsigned long long']], 'C3Transitions' : [ 0x68, ['unsigned long long']], 'ParkingStatus' : [ 0x70, ['unsigned long']], 'CurrentFrequency' : [ 0x74, ['unsigned long']], 'PercentMaxFrequency' : [ 0x78, ['unsigned long']], 'StateFlags' : [ 0x7c, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_TEB32' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, 
['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : 
[ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 
'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], } ], '_TEB64' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned 
long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 
'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0xc, { 'Affinity' : [ 0x0, ['pointer', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x4, 
['unsigned long']], 'CurrentIndex' : [ 0x8, ['unsigned short']], } ], '_GROUP_AFFINITY' : [ 0xc, { 'Mask' : [ 0x0, ['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_FXSAVE_FORMAT' : [ 0x1e0, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 192, ['unsigned char']]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], '_KSTACK_AREA' : [ 0x210, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'NpxFrame' : [ 0x0, ['_FXSAVE_FORMAT']], 'StackControl' : [ 0x1e0, ['_KERNEL_STACK_CONTROL']], 'Cr0NpxState' : [ 0x1fc, ['unsigned long']], 'Padding' : [ 
0x200, ['array', 4, ['unsigned long']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x1c, { 'PreviousTrapFrame' : [ 0x0, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0x0, ['pointer', ['void']]], 'StackControlFlags' : [ 0x4, ['unsigned long']], 'PreviousLargeStack' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousSegmentsPresent' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExpandCalloutStack' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Previous' : [ 0x8, ['_KERNEL_STACK_SEGMENT']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'Reserved' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, 
['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x3c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependentList' : [ 0x2c, ['_LIST_ENTRY']], 'ProviderList' : [ 0x34, ['_LIST_ENTRY']], } ], '__unnamed_1744' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1746' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_174a' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x188, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : 
[ 0xc, ['pointer', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Level' : [ 0x28, ['unsigned long']], 'Notify' : [ 0x2c, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x68, ['_PO_IRP_MANAGER']], 'State' : [ 0x78, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x7c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x80, ['array', -80, 
['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xd0, ['unsigned long']], 'CompletionStatus' : [ 0xd4, ['long']], 'Flags' : [ 0xd8, ['unsigned long']], 'UserFlags' : [ 0xdc, ['unsigned long']], 'Problem' : [ 0xe0, ['unsigned long']], 'ResourceList' : [ 0xe4, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0xec, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xf0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xf4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xf8, ['unsigned long']], 'ChildInterfaceType' : [ 0xfc, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 
'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x100, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x104, ['unsigned short']], 'RemovalPolicy' : [ 0x106, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x107, ['unsigned char']], 'TargetDeviceNotify' : [ 0x108, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x110, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x118, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x120, ['unsigned short']], 'QueryTranslatorMask' : [ 0x122, ['unsigned short']], 'NoArbiterMask' : [ 0x124, ['unsigned short']], 'QueryArbiterMask' : [ 0x126, ['unsigned short']], 'OverUsed1' : [ 0x128, ['__unnamed_1744']], 'OverUsed2' : [ 0x12c, ['__unnamed_1746']], 'BootResources' : [ 0x130, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x134, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x138, ['unsigned long']], 'DockInfo' : [ 0x13c, ['__unnamed_174a']], 'DisableableDepends' : [ 0x14c, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x150, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x158, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x160, ['unsigned long']], 'PreviousParent' : [ 0x164, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x168, ['unsigned long']], 'NumaNodeIndex' : [ 0x16c, ['unsigned long']], 'ContainerID' : [ 0x170, ['_GUID']], 'OverrideFlags' : [ 0x180, ['unsigned char']], 'RequiresUnloadedDriver' : [ 0x181, ['unsigned char']], 'PendingEjectRelations' : [ 0x184, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], } ], '_KNODE' : [ 0x80, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'Affinity' : [ 0x20, ['_GROUP_AFFINITY']], 'ProximityId' : [ 0x2c, ['unsigned long']], 'NodeNumber' : [ 0x30, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x32, ['unsigned short']], 'MaximumProcessors' : [ 0x34, ['unsigned char']], 'Color' : [ 0x35, ['unsigned char']], 'Flags' : [ 0x36, 
['_flags']], 'NodePad0' : [ 0x37, ['unsigned char']], 'Seed' : [ 0x38, ['unsigned long']], 'MmShiftedColor' : [ 0x3c, ['unsigned long']], 'FreeCount' : [ 0x40, ['array', 2, ['unsigned long']]], 'CachedKernelStacks' : [ 0x48, ['_CACHED_KSTACK_LIST']], 'ParkLock' : [ 0x60, ['long']], 'NodePad1' : [ 0x64, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, 
['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned 
long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], 
'_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_17f3' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, 
['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_17f3']], } ], '__unnamed_17fa' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_17fa']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 
'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x20, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'Flags' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x1c, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x160, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', 
['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'LogHandle' : [ 0x98, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x9c, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa0, ['unsigned long']], 'LazyWritePassCount' : [ 0xa4, ['unsigned long']], 'UninitializeEvent' : [ 0xa8, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xac, ['_KGUARDED_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'Event' : [ 0xd8, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xf0, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x148, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x14c, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x150, ['unsigned long']], 'WritesInProgress' : [ 0x154, ['unsigned long']], 'PipelinedReadAheadSize' : [ 0x158, ['unsigned long']], } ], '__unnamed_186a' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_186a']], 'Links' : [ 0x10, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x18, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1888' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', 
['_FILE_OBJECT']]], } ], '__unnamed_188a' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_188c' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_188e' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1890' : [ 0x4, { 'Read' : [ 0x0, ['__unnamed_1888']], 'Write' : [ 0x0, ['__unnamed_188a']], 'Event' : [ 0x0, ['__unnamed_188c']], 'Notification' : [ 0x0, ['__unnamed_188e']], } ], '_WORK_QUEUE_ENTRY' : [ 0x10, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_1890']], 'Function' : [ 0xc, ['unsigned char']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x138, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', 
['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x58, ['unsigned long']], 'Interceptor' : [ 0x5c, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x60, ['unsigned long']], 'Signature' : [ 0x64, ['unsigned long']], 'SegmentReserve' : [ 0x68, ['unsigned long']], 'SegmentCommit' : [ 0x6c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x70, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x74, ['unsigned long']], 'TotalFreeSize' : [ 0x78, ['unsigned long']], 'MaximumAllocationSize' : [ 0x7c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x80, ['unsigned short']], 'HeaderValidateLength' : [ 0x82, ['unsigned short']], 'HeaderValidateCopy' : [ 0x84, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x88, ['unsigned short']], 'MaximumTagIndex' : [ 0x8a, ['unsigned short']], 'TagEntries' : [ 0x8c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x90, ['_LIST_ENTRY']], 'AlignRound' : [ 0x98, ['unsigned long']], 'AlignMask' : [ 0x9c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0xa0, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa8, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xb0, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb4, ['unsigned long']], 'BlocksIndex' : [ 0xb8, ['pointer', ['void']]], 'UCRIndex' : [ 0xbc, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xc0, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc4, ['_LIST_ENTRY']], 'LockVariable' : [ 0xcc, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xd0, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd4, ['pointer', 
['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'Counters' : [ 0xdc, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x130, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_18e1' : [ 0x18, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x18, { 'Lock' : [ 0x0, ['__unnamed_18e1']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 
'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_PEB' : [ 0x248, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, 
end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'HotpatchInformation' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 
'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', 
['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], 'pContextData' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : [ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x78, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 
'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], 'ForwarderLinks' : [ 0x50, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0x58, ['_LIST_ENTRY']], 'StaticLinks' : [ 0x60, ['_LIST_ENTRY']], 'ContextInformation' : [ 0x68, ['pointer', ['void']]], 'OriginalBase' : [ 0x6c, ['unsigned long']], 'LoadTime' : [ 0x70, ['_LARGE_INTEGER']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'LocalInfo' : [ 0x0, ['pointer', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'Flags' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1960' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1962' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1960']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1964' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1966' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1964']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1962']], 'u2' : [ 0x4, ['__unnamed_1966']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], 
'_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x24, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], 'LookasideIndex' : [ 0x20, ['unsigned long']], } ], '__unnamed_1982' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1984' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1982']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1984']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Pad' : [ 0x14, ['unsigned long']], } ], '__unnamed_1996' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 
0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1998' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1996']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_1998']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_199e' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_19a0' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_199e']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_19a0']], 'NumberOfViews' : [ 0x1c, ['unsigned long']], 'ViewListHead' : [ 0x20, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x2c, ['pointer', ['_KALPC_VIEW']]], } ], '__unnamed_19a6' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_19a8' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19a6']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, 
['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', ['void']]], 'u1' : [ 0x24, ['__unnamed_19a8']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x24, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_19c4' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', 
dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_19c6' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19c4']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0xfc, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x5c, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x64, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x6c, ['_LIST_ENTRY']], 'WaitQueue' : [ 0x74, ['_LIST_ENTRY']], 'Semaphore' : [ 0x7c, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'PortAttributes' : [ 0x80, ['_ALPC_PORT_ATTRIBUTES']], 'Lock' : [ 0xac, ['_EX_PUSH_LOCK']], 'ResourceListLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xb4, ['_LIST_ENTRY']], 'CompletionList' : [ 0xbc, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0xc0, ['pointer', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0xc4, ['pointer', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0xc8, ['pointer', ['void']]], 'CanceledQueue' : [ 0xcc, ['_LIST_ENTRY']], 'SequenceNo' : [ 0xd4, ['long']], 'u1' : [ 0xd8, ['__unnamed_19c6']], 'TargetQueuePort' : [ 0xdc, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xe0, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0xe4, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xe8, ['unsigned long']], 'PendingQueueLength' : [ 0xec, ['unsigned long']], 
'LargeMessageQueueLength' : [ 0xf0, ['unsigned long']], 'CanceledQueueLength' : [ 0xf4, ['unsigned long']], 'WaitQueueLength' : [ 0xf8, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x88, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'Key' : [ 0x7c, ['unsigned long']], 'CallbackList' : [ 0x80, ['_LIST_ENTRY']], } ], '__unnamed_19df' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, 
native_type='unsigned long')]], } ], '__unnamed_19e1' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19df']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x88, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x8, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0xc, ['unsigned long']], 'QuotaProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x10, ['pointer', ['void']]], 'SequenceNo' : [ 0x14, ['long']], 'u1' : [ 0x18, ['__unnamed_19e1']], 'CancelSequencePort' : [ 0x1c, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x24, ['long']], 'CancelListEntry' : [ 0x28, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x30, ['pointer', ['_ETHREAD']]], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x38, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x3c, ['pointer', ['_ALPC_PORT']]], 'MessageAttributes' : [ 0x40, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x5c, ['pointer', ['void']]], 'DataSystemVa' : [ 0x60, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x64, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x68, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x6c, ['pointer', ['_ETHREAD']]], 'PortMessage' : [ 0x70, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 
'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1a1e' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a20' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a1e']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1a20']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 'IoStatusInformation' : [ 0x18, ['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'Flags' : [ 0x14, ['unsigned long']], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, 
['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x24, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 7, ['pointer', ['void']]]], 'FoIoPriorityHint' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 
'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x4c, ['pointer', ['void']]], 'Override' : [ 0x50, ['unsigned char']], 'QueryOnly' : [ 0x51, ['unsigned char']], 'DeleteOnly' : [ 0x52, ['unsigned char']], 'FullAttributes' : [ 0x53, ['unsigned char']], 'LocalFileObject' : [ 0x54, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x58, ['unsigned long']], 'DriverCreateContext' : [ 0x5c, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_RTL_RB_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_RTL_BALANCED_NODE' : 
[ 0xc, { 'Children' : [ 0x0, ['array', 2, ['pointer', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x8, ['unsigned long']], } ], '_RTL_AVL_TREE' : [ 0x4, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_WMI_LOGGER_CONTEXT' : [ 0x248, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'CollectionOn' : [ 0xc, ['long']], 'LoggerMode' : [ 0x10, ['unsigned long']], 'AcceptNewEvents' : [ 0x14, ['long']], 'GetCpuClock' : [ 0x18, ['pointer', ['void']]], 'StartTime' : [ 0x20, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x28, ['pointer', ['void']]], 'LoggerThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x30, ['long']], 'NBQHead' : [ 0x34, ['pointer', ['void']]], 'OverflowNBQHead' : [ 0x38, ['pointer', ['void']]], 'QueueBlockFreeList' : [ 0x40, ['_SLIST_HEADER']], 'GlobalList' : [ 0x48, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x50, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x50, ['_EX_FAST_REF']], 'LoggerName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x64, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x6c, ['_UNICODE_STRING']], 'ClockType' : [ 0x74, ['unsigned long']], 'MaximumFileSize' : [ 0x78, ['unsigned long']], 'LastFlushedBuffer' : [ 0x7c, ['unsigned long']], 'FlushTimer' : [ 0x80, ['unsigned long']], 'FlushThreshold' : [ 0x84, ['unsigned long']], 'ByteOffset' : [ 0x88, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x90, ['unsigned long']], 'BuffersAvailable' : [ 0x94, ['long']], 'NumberOfBuffers' : [ 0x98, ['long']], 'MaximumBuffers' : [ 0x9c, ['unsigned long']], 'EventsLost' : [ 0xa0, ['unsigned 
long']], 'BuffersWritten' : [ 0xa4, ['unsigned long']], 'LogBuffersLost' : [ 0xa8, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xac, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xb0, ['unsigned long']], 'SequencePtr' : [ 0xb4, ['pointer', ['long']]], 'LocalSequence' : [ 0xb8, ['unsigned long']], 'InstanceGuid' : [ 0xbc, ['_GUID']], 'FileCounter' : [ 0xcc, ['long']], 'BufferCallback' : [ 0xd0, ['pointer', ['void']]], 'PoolType' : [ 0xd4, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xd8, ['_ETW_REF_CLOCK']], 'Consumers' : [ 0xe8, ['_LIST_ENTRY']], 'NumConsumers' : [ 0xf0, ['unsigned long']], 'TransitionConsumer' : [ 0xf4, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0xf8, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0xfc, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x108, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x110, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x120, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x128, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x130, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x138, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x14c, ['_KEVENT']], 'FlushEvent' : [ 0x15c, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x170, ['_KTIMER']], 'FlushDpc' : [ 0x198, ['_KDPC']], 
'LoggerMutex' : [ 0x1b8, ['_KMUTANT']], 'LoggerLock' : [ 0x1d8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1dc, ['unsigned long']], 'BufferListPushLock' : [ 0x1dc, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1e0, ['_SECURITY_CLIENT_CONTEXT']], 'TokenAccessInformation' : [ 0x21c, ['pointer', ['_TOKEN_ACCESS_INFORMATION']]], 'SecurityDescriptor' : [ 0x220, ['_EX_FAST_REF']], 'BufferSequenceNumber' : [ 0x228, ['long long']], 'Flags' : [ 0x230, ['unsigned long']], 'Persistent' : [ 0x230, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x230, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x230, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x230, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x230, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x230, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x230, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x230, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x230, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x230, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'RequestFlag' : [ 0x234, ['unsigned long']], 'RequestNewFie' : [ 0x234, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x234, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x234, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x234, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 
'RequestDisconnectConsumer' : [ 0x234, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RequestConnectConsumer' : [ 0x234, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HookIdMap' : [ 0x238, ['_RTL_BITMAP']], 'DisallowedGuids' : [ 0x240, ['_DISALLOWED_GUIDS']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_BUFFER_HANDLE' : [ 0x8, { 'TraceBuffer' : [ 0x0, ['pointer', ['_WMI_BUFFER_HEADER']]], 'BufferFastRef' : [ 0x4, ['pointer', ['_EX_FAST_REF']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_NBQUEUE_BLOCK' : [ 0x18, { 'SListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Next' : [ 0x8, ['unsigned long long']], 'Data' : [ 0x10, ['unsigned long long']], } ], '_TlgProvider_t' : [ 0x30, { 'LevelPlus1' : [ 0x0, ['unsigned long']], 'ProviderMetadataPtr' : [ 0x4, ['pointer', ['unsigned short']]], 'KeywordAny' : [ 0x8, ['unsigned long long']], 'KeywordAll' : [ 0x10, ['unsigned long long']], 'RegHandle' : [ 0x18, ['unsigned long long']], 'EnableCallback' : [ 0x20, ['pointer', ['void']]], 'CallbackContext' : [ 0x24, 
['pointer', ['void']]], 'AnnotationFunc' : [ 0x28, ['pointer', ['void']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_TlgProviderMetadata_t' : [ 0x13, { 'Type' : [ 0x0, ['unsigned char']], 'ProviderId' : [ 0x1, ['_GUID']], 'RemainingSize' : [ 0x11, ['unsigned short']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x178, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, 
['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['array', 8, ['pointer', ['_EVENT_FILTER_HEADER']]]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x1e0, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x98, ['pointer', ['void']]], 'DynamicPart' : [ 0x9c, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa0, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa4, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xa8, ['Enumeration', dict(target = 'long', 
choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xac, ['unsigned long']], 'TokenInUse' : [ 0xb0, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb4, ['unsigned long']], 'MandatoryPolicy' : [ 0xb8, ['unsigned long']], 'LogonSession' : [ 0xbc, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc0, ['_LUID']], 'SidHash' : [ 0xc8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x150, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1d8, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'VariablePart' : [ 0x1dc, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x34, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : [ 0xd, ['unsigned char']], 'InfoMask' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 
0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x14, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], 'HashIndex' : [ 0xc, ['unsigned short']], 'DirectoryLocked' : [ 0xe, ['unsigned char']], 'LockedExclusive' : [ 0xf, ['unsigned char']], 'LockStateSignature' : [ 0x10, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, 
['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS3' : [ 0x4, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, 
['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, 
['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, 
['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Coalescable' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KeepShifting' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CpuThrottled' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved2' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, 
['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'WaitResponse' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], } ], '_TraceLoggingMetadata_t' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned char']], 'Flags' : [ 0x7, ['unsigned char']], 'Magic' : [ 0x8, ['unsigned long long']], } ], '_HEAP_COUNTERS' : [ 0x54, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned 
long']], 'CompactHeapCalls' : [ 0x38, ['unsigned long']], 'CompactedUCRs' : [ 0x3c, ['unsigned long']], 'AllocAndFreeOps' : [ 0x40, ['unsigned long']], 'InBlockDeccommits' : [ 0x44, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x48, ['unsigned long']], 'HighWatermarkSize' : [ 0x4c, ['unsigned long']], 'LastPolledSize' : [ 0x50, ['unsigned long']], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, ['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 
'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], } ], '_I386_LOADER_BLOCK' : [ 0xc, { 'CommonDataArea' : [ 0x0, ['pointer', ['void']]], 'MachineType' : [ 0x4, ['unsigned long']], 'VirtualBias' : [ 0x8, ['unsigned long']], } ], '_TOKEN_ACCESS_INFORMATION' : [ 0x24, { 'SidHash' : [ 0x0, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'RestrictedSidHash' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'Privileges' : [ 0x8, ['pointer', ['_TOKEN_PRIVILEGES']]], 'AuthenticationId' : [ 0xc, ['_LUID']], 'TokenType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'MandatoryPolicy' : [ 0x1c, ['_TOKEN_MANDATORY_POLICY']], 'Flags' : [ 0x20, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x8, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_HANDLE_TABLE' : [ 0x3c, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 
'HandleContentionEvent' : [ 0x18, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x1c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'StrictFIFO' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x28, ['unsigned long']], 'LastFreeHandleEntry' : [ 0x2c, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x30, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x34, ['unsigned long']], 'HandleCountHighWatermark' : [ 0x38, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned 
long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'BlockState' : [ 0x17, ['unsigned char']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['_KAFFINITY_EX']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x54, ['unsigned long']], } ], '__unnamed_1c9d' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1c9f' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1c9d']], 'Private' : [ 0x0, ['__unnamed_1c9f']], } ], 
'_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], 
'ReferenceCount' : [ 0x8, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_1cc1' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1cc7' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x48, { 'u1' : [ 0x0, ['__unnamed_1584']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1587']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_158a']], 'u2' : [ 0x20, ['__unnamed_1597']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x30, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x38, ['pointer', ['_EPROCESS']]], 'u3' : [ 0x3c, ['__unnamed_1cc1']], 'u4' : [ 0x44, ['__unnamed_1cc7']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, 
native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x138, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0x98, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'LimitFlags' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['_KAFFINITY_EX']], 'PriorityClass' : [ 0xb4, ['unsigned char']], 'AccessState' : [ 0xb8, ['pointer', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0xbc, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 
0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x108, ['unsigned long']], 'JobMemoryLimit' : [ 0x10c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x110, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x114, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x118, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x120, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x124, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x12c, ['unsigned long']], 'JobFlags' : [ 0x130, ['unsigned long']], } ], '__unnamed_1cd8' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0x60, { 'Count' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['__unnamed_1cd8']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'OldState' : [ 0x10, ['unsigned long']], 'TargetProcessors' : [ 0x14, ['_KAFFINITY_EX']], 'State' : [ 0x20, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '__unnamed_1ce1' : [ 0x10, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x14, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, 
['__unnamed_1ce1']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x50, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', ['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', ['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned long']], 'ShutDownRequested' : [ 0x34, ['unsigned char']], 'NewBuffersLost' : [ 0x35, ['unsigned char']], 'Disconnected' : [ 0x36, ['unsigned char']], 'ReservedBufferSpaceBitMap' : [ 0x38, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x40, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x44, ['unsigned long']], 'UserPagesAllocated' : [ 0x48, ['unsigned long']], 'UserPagesReused' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1cea' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1cf0' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, 
native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1cf2' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1cea']], 'Bits' : [ 0x0, ['__unnamed_1cf0']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1cf2']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_KGUARDED_MUTEX']], 'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['pointer', ['pointer', ['void']]]], 'PendingFreeDepth' : [ 0x104, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_TOKEN_MANDATORY_POLICY' : [ 0x4, { 'Policy' : [ 0x0, ['unsigned long']], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, 
['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, 
['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x278, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'Pad' : [ 0x39, ['array', 3, ['unsigned char']]], 'Mode' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x44, ['unsigned long']], 'DispatchCount' : [ 0x48, ['unsigned long']], 'Rsvd1' : [ 0x50, ['unsigned long long']], 'DispatchCode' : [ 0x58, ['array', 135, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['unsigned 
long']], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x58, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, 
['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 
10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x54, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'UserVa' : [ 0x10, ['pointer', ['void']]], 'UserLimit' : [ 0x14, ['pointer', ['void']]], 'DataUserVa' : [ 0x18, ['pointer', ['void']]], 'SystemVa' : [ 0x1c, ['pointer', ['void']]], 'TotalSize' : [ 0x20, ['unsigned long']], 'Header' : [ 0x24, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x28, ['pointer', ['void']]], 'ListSize' : [ 0x2c, ['unsigned long']], 'Bitmap' : [ 0x30, ['pointer', ['void']]], 'BitmapSize' : [ 0x34, ['unsigned long']], 'Data' : [ 0x38, ['pointer', ['void']]], 'DataSize' : [ 0x3c, ['unsigned long']], 'BitmapLimit' : [ 0x40, ['unsigned long']], 'BitmapNextHint' : [ 0x44, ['unsigned long']], 'ConcurrencyCount' : [ 0x48, ['unsigned long']], 'AttributeFlags' : [ 0x4c, ['unsigned long']], 'AttributeSize' : [ 0x50, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', 
['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], 
'_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_IO_WORKITEM' : [ 0x20, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', ['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'Type' : [ 0x1c, ['unsigned long']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit 
= 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned 
short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x64, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0xc, { 'AnsiCodePageData' : [ 0x0, ['pointer', ['void']]], 'OemCodePageData' : [ 0x4, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x8, ['pointer', ['void']]], } ], '_ALIGNED_AFFINITY_SUMMARY' : [ 0x40, { 'CpuSet' : [ 0x0, ['_KAFFINITY_EX']], 'SMTSet' : [ 0xc, ['_KAFFINITY_EX']], } ], '_XSTATE_CONFIGURATION' : [ 0x210, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'OptimizedSave' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x10, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 
0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_TOKEN_PRIVILEGES' : [ 0x10, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Privileges' : [ 0x4, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, 
native_type='unsigned long')]], 'Unused' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 
'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0xc8, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleAccounting' : [ 0x20, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'Hypervisor' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'PerfHistoryTotal' : [ 0x28, ['unsigned long']], 'ThermalConstraint' : [ 0x2c, ['unsigned char']], 'PerfHistoryCount' : [ 
0x2d, ['unsigned char']], 'PerfHistorySlot' : [ 0x2e, ['unsigned char']], 'Reserved' : [ 0x2f, ['unsigned char']], 'LastSysTime' : [ 0x30, ['unsigned long']], 'WmiDispatchPtr' : [ 0x34, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0x38, ['long']], 'FFHThrottleStateInfo' : [ 0x40, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x60, ['_KDPC']], 'PerfActionMask' : [ 0x80, ['long']], 'IdleCheck' : [ 0x88, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x98, ['_PROC_IDLE_SNAP']], 'Domain' : [ 0xa8, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0xac, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Load' : [ 0xb0, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0xb4, ['pointer', ['_PROC_HISTORY_ENTRY']]], 'Utility' : [ 0xb8, ['unsigned long']], 'OverUtilizedHistory' : [ 0xbc, ['unsigned long']], 'AffinityCount' : [ 0xc0, ['unsigned long']], 'AffinityHistory' : [ 0xc4, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, 
['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 
'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 
'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 
'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x2c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'BucketLimits' : [ 0x18, ['array', 16, ['unsigned long long']]], 'State' : [ 0x98, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', 
['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x84, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x78, ['unsigned long']], 'PreviousActivityCounter' : [ 0x7c, ['unsigned long']], 'WorkerTrimRequests' : [ 0x80, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', 
['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1e46' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1e46']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x5ec, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', 
['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', 
['void']]], 'PdoDescriptionString' : [ 0xa8, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x348, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x5e8, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '__unnamed_1e9f' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ea1' : [ 0x8, { 'Last' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_1e9f']], } ], '__unnamed_1ea3' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1e9f']], } ], '__unnamed_1ea5' : [ 0x8, { 'OldCell' : [ 0x0, ['__unnamed_1ea1']], 'NewCell' : [ 0x0, ['__unnamed_1ea3']], } ], '_HCELL' : [ 0xc, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1ea5']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x24, { 'Prcb' : [ 0x0, ['pointer', ['_KPRCB']]], 'PerfContext' : [ 0x4, ['unsigned long']], 'PercentageCap' : [ 0x8, ['unsigned long']], 'ThermalCap' : [ 0xc, ['unsigned long']], 'TargetFrequency' : [ 0x10, ['unsigned long']], 'AcumulatedFullFrequency' : [ 0x14, ['unsigned long']], 'AcumulatedZeroFrequency' : [ 0x18, ['unsigned long']], 'FrequencyHistoryTotal' : [ 0x1c, ['unsigned long']], 'AverageFrequency' : [ 0x20, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, 
end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 
'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], 'Pad0' : [ 0x14, ['unsigned long']], } ], '__unnamed_1eba' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ebe' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1ec0' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ec2' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1ec4' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1ec6' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, 
['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ec8' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1eca' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ecc' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ece' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1eba']], 'Memory' : [ 0x0, ['__unnamed_1eba']], 'Interrupt' : [ 0x0, ['__unnamed_1ebe']], 'Dma' : [ 0x0, ['__unnamed_1ec0']], 'Generic' : [ 0x0, ['__unnamed_1eba']], 'DevicePrivate' : [ 0x0, ['__unnamed_1ec2']], 'BusNumber' : [ 0x0, ['__unnamed_1ec4']], 'ConfigData' : [ 0x0, ['__unnamed_1ec6']], 'Memory40' : [ 0x0, ['__unnamed_1ec8']], 'Memory48' : [ 0x0, ['__unnamed_1eca']], 'Memory64' : [ 0x0, ['__unnamed_1ecc']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1ece']], } ], '_POP_THERMAL_ZONE' : [ 0x150, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, 
['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x80, ['pointer', ['_IRP']]], 'Info' : [ 0x84, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0xe0, ['_LARGE_INTEGER']], 'Metrics' : [ 0xe8, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x68, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x38, ['unsigned long']], 'PassiveCount' : [ 0x3c, ['unsigned long']], 'LastActiveStartTick' : [ 0x40, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x48, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x50, ['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x58, 
['_LARGE_INTEGER']], 'StartTickSinceLastReset' : [ 0x60, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 
'SecurityQos' : [ 0x1c, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_DISALLOWED_GUIDS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Guids' : [ 0x4, ['pointer', ['_GUID']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, 
['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '__unnamed_1f0d' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1f0f' : [ 0xc, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1f0d']], } ], '_VF_TARGET_DRIVER' : [ 0x18, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x8, ['__unnamed_1f0f']], 'VerifiedData' : [ 0x14, ['pointer', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_1f17' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1f19' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f1b' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f1d' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1f1f' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1f21' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f23' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 
'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1f25' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1f27' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f29' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_1f2b' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1f17']], 'TargetDevice' : [ 0x0, ['__unnamed_1f19']], 'InstallDevice' : [ 0x0, ['__unnamed_1f1b']], 'CustomNotification' : [ 0x0, ['__unnamed_1f1d']], 'ProfileNotification' : [ 0x0, ['__unnamed_1f1f']], 'PowerNotification' : [ 0x0, ['__unnamed_1f21']], 'VetoNotification' : [ 0x0, ['__unnamed_1f23']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1f25']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1f27']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1f29']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_1f1b']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x44, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_1f2b']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], } ], 
'_MMPTE_TIMESTAMP' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 192, ['unsigned char']]], 'StackControl' : [ 0x1e0, ['array', 7, ['unsigned long']]], 'Cr0NpxState' : [ 
0x1fc, ['unsigned long']], } ], '_MBCB' : [ 0x88, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x68, ['_BITMAP_RANGE']], } ], '_PS_CPU_QUOTA_BLOCK' : [ 0x880, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x8, ['unsigned long']], 'CpuShareWeight' : [ 0xc, ['unsigned long']], 'CapturedWeightData' : [ 0x10, ['_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA']], 'DuplicateInputMarker' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x18, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x18, ['long']], 'BlockCurrentGenerationLock' : [ 0x0, ['unsigned long']], 'CyclesAccumulated' : [ 0x8, ['unsigned long long']], 'CycleCredit' : [ 0x40, ['unsigned long long']], 'BlockCurrentGeneration' : [ 0x48, ['unsigned long']], 'CpuCyclePercent' : [ 0x4c, ['unsigned long']], 'CyclesFinishedForCurrentGeneration' : [ 0x50, ['unsigned char']], 'Cpu' : [ 0x80, ['array', 32, ['_PS_PER_CPU_QUOTA_CACHE_AWARE']]], } ], '__unnamed_1f46' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, 
['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1f46']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x50, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', 
['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], } ], '__unnamed_1f77' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_1f77']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_PS_PER_CPU_QUOTA_CACHE_AWARE' : [ 0x40, { 'SortedListEntry' : [ 0x0, ['_LIST_ENTRY']], 'IdleOnlyListHead' : [ 0x8, ['_LIST_ENTRY']], 'CycleBaseAllowance' : [ 0x10, ['unsigned long long']], 'CyclesRemaining' : [ 0x18, ['long long']], 'CurrentGeneration' : [ 0x20, ['unsigned long']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x14, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], 'ActualLimit' : [ 0x10, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 
0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 
0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, 
['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_POP_SYSTEM_IDLE' : [ 0x38, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned char']], 'IdleWorker' : [ 0x25, ['unsigned char']], 'Sampling' : [ 0x26, ['unsigned char']], 'LastTick' : [ 0x28, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x30, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0xc, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_ETW_REF_CLOCK' : [ 
0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x18, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' : [ 0xc, ['unsigned long']], 'ObjectInfo' : [ 0x10, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x14, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x10, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x4, ['pointer', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x8, ['long']], 'MissedMappingsCount' : [ 0xc, ['unsigned long']], } ], '__unnamed_1fd8' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fda' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], 
'__unnamed_1fdc' : [ 0xc, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fde' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_1fdc']], 'Translated' : [ 0x0, ['__unnamed_1fda']], } ], '__unnamed_1fe0' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fe2' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fe4' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fe6' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fe8' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fea' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fec' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1fd8']], 'Port' : [ 0x0, ['__unnamed_1fd8']], 'Interrupt' : [ 0x0, ['__unnamed_1fda']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1fde']], 'Memory' : [ 0x0, ['__unnamed_1fd8']], 'Dma' : [ 0x0, ['__unnamed_1fe0']], 'DevicePrivate' : [ 0x0, ['__unnamed_1ec2']], 'BusNumber' : [ 0x0, ['__unnamed_1fe2']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1fe4']], 'Memory40' : [ 0x0, ['__unnamed_1fe6']], 'Memory48' : [ 0x0, ['__unnamed_1fe8']], 'Memory64' : [ 0x0, ['__unnamed_1fea']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1fec']], } ], '__unnamed_1ff1' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 
'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1ff1']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1ffb' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1ffb']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8_sp1_x64_vtypes.py0000644000000000000000000231350413131215405030521 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned 
long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'Reserved2' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'Reserved12' : [ 
0x2ed, ['array', 3, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 
'QpcSystemTimeIncrement32' : [ 0x368, ['unsigned long']], 'QpcInterruptTimeIncrement32' : [ 0x36c, ['unsigned long']], 'QpcSystemTimeIncrementShift' : [ 0x370, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x371, ['unsigned char']], 'Reserved8' : [ 0x372, ['array', 14, ['unsigned char']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_107f' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_107f']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1083' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1083']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_109b' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } 
], '__unnamed_109d' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_109b']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_109d']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TEB' : [ 0x1820, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned 
long']], 'Padding1' : [ 0x2ec, ['array', 4, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'PerflibData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, 
['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 
0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], 'ReservedForWdf' : [ 0x1818, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 
0x18, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned 
short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_BALANCED_NODE' : [ 0x18, { 'Children' : [ 0x0, ['array', 2, ['pointer64', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x10, ['unsigned long long']], } ], '_RTL_RB_TREE' : [ 0x10, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_RTL_AVL_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x5d40, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 
'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x5bc0, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'ClockOwner' : [ 0x21, ['unsigned char']], 'PendingTickFlags' : [ 0x22, ['unsigned char']], 'PendingTick' : [ 0x22, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x22, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'PrcbPad00' : [ 0x23, ['array', 1, ['unsigned char']]], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PriorityState' : [ 0x38, ['pointer64', ['unsigned char']]], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, 
['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ParentNode' : [ 0x640, ['pointer64', ['_KNODE']]], 'GroupSetMember' : [ 0x648, ['unsigned long long']], 'Group' : [ 0x650, ['unsigned char']], 'GroupIndex' : [ 0x651, ['unsigned char']], 'PrcbPad05' : [ 0x652, ['array', 2, ['unsigned char']]], 'ApicMask' : [ 0x654, ['unsigned long']], 'CFlushSize' : [ 0x658, ['unsigned long']], 'AcpiReserved' : [ 0x660, ['pointer64', ['void']]], 'InitialApicId' : [ 0x668, ['unsigned long']], 'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x2080, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PrcbPad20' : [ 0x2c80, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2c88, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2c90, ['long']], 'MmCopyOnWriteCount' : [ 0x2c94, ['long']], 'MmTransitionCount' : [ 0x2c98, ['long']], 'MmDemandZeroCount' : [ 0x2c9c, ['long']], 'MmPageReadCount' : [ 0x2ca0, ['long']], 'MmPageReadIoCount' : [ 0x2ca4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x2ca8, ['long']], 'MmDirtyWriteIoCount' : [ 0x2cac, ['long']], 'MmMappedPagesWriteCount' : [ 0x2cb0, ['long']], 'MmMappedWriteIoCount' : [ 0x2cb4, ['long']], 'KeSystemCalls' : [ 0x2cb8, ['unsigned long']], 'KeContextSwitches' : [ 0x2cbc, ['unsigned long']], 'LdtSelector' : [ 0x2cc0, ['unsigned 
short']], 'PrcbPad40' : [ 0x2cc2, ['unsigned short']], 'CcFastReadNoWait' : [ 0x2cc4, ['unsigned long']], 'CcFastReadWait' : [ 0x2cc8, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x2ccc, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x2cd0, ['unsigned long']], 'CcCopyReadWait' : [ 0x2cd4, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x2cd8, ['unsigned long']], 'IoReadOperationCount' : [ 0x2cdc, ['long']], 'IoWriteOperationCount' : [ 0x2ce0, ['long']], 'IoOtherOperationCount' : [ 0x2ce4, ['long']], 'IoReadTransferCount' : [ 0x2ce8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x2cf0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x2cf8, ['_LARGE_INTEGER']], 'PacketBarrier' : [ 0x2d00, ['long']], 'TargetCount' : [ 0x2d04, ['long']], 'IpiFrozen' : [ 0x2d08, ['unsigned long']], 'IsrDpcStats' : [ 0x2d10, ['pointer64', ['void']]], 'DeviceInterrupts' : [ 0x2d18, ['unsigned long']], 'LookasideIrpFloat' : [ 0x2d1c, ['long']], 'InterruptLastCount' : [ 0x2d20, ['unsigned long']], 'InterruptRate' : [ 0x2d24, ['unsigned long']], 'PrcbPad41' : [ 0x2d28, ['array', 22, ['unsigned long']]], 'DpcData' : [ 0x2d80, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2dd0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2dd8, ['long']], 'DpcRequestRate' : [ 0x2ddc, ['unsigned long']], 'MinimumDpcRate' : [ 0x2de0, ['unsigned long']], 'DpcLastCount' : [ 0x2de4, ['unsigned long']], 'ThreadDpcEnable' : [ 0x2de8, ['unsigned char']], 'QuantumEnd' : [ 0x2de9, ['unsigned char']], 'DpcRoutineActive' : [ 0x2dea, ['unsigned char']], 'IdleSchedule' : [ 0x2deb, ['unsigned char']], 'DpcRequestSummary' : [ 0x2dec, ['long']], 'DpcRequestSlot' : [ 0x2dec, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x2dec, ['short']], 'ThreadDpcState' : [ 0x2dee, ['short']], 'DpcNormalProcessingActive' : [ 0x2dec, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x2dec, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
long')]], 'DpcNormalThreadSignal' : [ 0x2dec, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x2dec, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x2dec, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x2dec, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x2dec, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x2dec, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x2dec, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x2dec, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2df0, ['unsigned long']], 'LastTick' : [ 0x2df4, ['unsigned long']], 'ClockInterrupts' : [ 0x2df8, ['unsigned long']], 'ReadyScanTick' : [ 0x2dfc, ['unsigned long']], 'TimerTable' : [ 0x2e00, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x5000, ['_KGATE']], 'PrcbPad52' : [ 0x5018, ['pointer64', ['void']]], 'CallDpc' : [ 0x5020, ['_KDPC']], 'ClockKeepAlive' : [ 0x5060, ['long']], 'PrcbPad60' : [ 0x5064, ['array', 2, ['unsigned char']]], 'NmiActive' : [ 0x5066, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x5068, ['long']], 'DpcWatchdogCount' : [ 0x506c, ['long']], 'KeSpinLockOrdering' : [ 0x5070, ['long']], 'PrcbPad70' : [ 0x5074, ['array', 1, ['unsigned long']]], 'CachedPtes' : [ 0x5078, ['pointer64', ['void']]], 'WaitListHead' : [ 0x5080, ['_LIST_ENTRY']], 'WaitLock' : [ 0x5090, ['unsigned long long']], 'ReadySummary' : [ 0x5098, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x509c, ['long']], 'QueueIndex' : [ 0x50a0, ['unsigned long']], 'PrcbPad75' : [ 0x50a4, ['array', 3, ['unsigned long']]], 'TimerExpirationDpc' : [ 0x50b0, ['_KDPC']], 'ScbQueue' : [ 
0x50f0, ['_RTL_RB_TREE']], 'DispatcherReadyListHead' : [ 0x5100, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x5300, ['unsigned long']], 'KernelTime' : [ 0x5304, ['unsigned long']], 'UserTime' : [ 0x5308, ['unsigned long']], 'DpcTime' : [ 0x530c, ['unsigned long']], 'InterruptTime' : [ 0x5310, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5314, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x5318, ['unsigned char']], 'GroupSchedulingOverQuota' : [ 0x5319, ['unsigned char']], 'DeepSleep' : [ 0x531a, ['unsigned char']], 'PrcbPad80' : [ 0x531b, ['array', 1, ['unsigned char']]], 'ScbOffset' : [ 0x531c, ['unsigned long']], 'DpcTimeCount' : [ 0x5320, ['unsigned long']], 'DpcTimeLimit' : [ 0x5324, ['unsigned long']], 'PeriodicCount' : [ 0x5328, ['unsigned long']], 'PeriodicBias' : [ 0x532c, ['unsigned long']], 'AvailableTime' : [ 0x5330, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x5334, ['unsigned long']], 'StartCycles' : [ 0x5338, ['unsigned long long']], 'GenerationTarget' : [ 0x5340, ['unsigned long long']], 'AffinitizedCycles' : [ 0x5348, ['unsigned long long']], 'PrcbPad81' : [ 0x5350, ['array', 2, ['unsigned long long']]], 'MmSpinLockOrdering' : [ 0x5360, ['long']], 'PageColor' : [ 0x5364, ['unsigned long']], 'NodeColor' : [ 0x5368, ['unsigned long']], 'NodeShiftedColor' : [ 0x536c, ['unsigned long']], 'SecondaryColorMask' : [ 0x5370, ['unsigned long']], 'PrcbPad83' : [ 0x5374, ['unsigned long']], 'CycleTime' : [ 0x5378, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x5380, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x5384, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x5388, ['unsigned long']], 'CcMapDataNoWait' : [ 0x538c, ['unsigned long']], 'CcMapDataWait' : [ 0x5390, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x5394, ['unsigned long']], 'CcPinReadNoWait' : [ 0x5398, ['unsigned long']], 'CcPinReadWait' : [ 0x539c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x53a0, ['unsigned long']], 'CcMdlReadWait' : [ 0x53a4, ['unsigned 
long']], 'CcLazyWriteHotSpots' : [ 0x53a8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x53ac, ['unsigned long']], 'CcLazyWritePages' : [ 0x53b0, ['unsigned long']], 'CcDataFlushes' : [ 0x53b4, ['unsigned long']], 'CcDataPages' : [ 0x53b8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x53bc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x53c0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x53c4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x53c8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x53cc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x53d0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x53d4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x53d8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x53dc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x53e0, ['unsigned long']], 'CcReadAheadIos' : [ 0x53e4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x53e8, ['long']], 'MmCacheReadCount' : [ 0x53ec, ['long']], 'MmCacheIoCount' : [ 0x53f0, ['long']], 'PrcbPad91' : [ 0x53f4, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x5400, ['_PROCESSOR_POWER_STATE']], 'ScbList' : [ 0x55e0, ['_LIST_ENTRY']], 'PrcbPad92' : [ 0x55f0, ['array', 19, ['unsigned long']]], 'KeAlignmentFixupCount' : [ 0x563c, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x5640, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x5680, ['_KTIMER']], 'Cache' : [ 0x56c0, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x56fc, ['unsigned long']], 'CachedCommit' : [ 0x5700, ['unsigned long']], 'CachedResidentAvailable' : [ 0x5704, ['unsigned long']], 'HyperPte' : [ 0x5708, ['pointer64', ['void']]], 'WheaInfo' : [ 0x5710, ['pointer64', ['void']]], 'EtwSupport' : [ 0x5718, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x5720, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x5730, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x5740, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x5748, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x5750, ['pointer64', ['unsigned long long']]], 
'PackageProcessorSet' : [ 0x5758, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x5800, ['unsigned long long']], 'SharedReadyQueue' : [ 0x5808, ['pointer64', ['_KSHARED_READY_QUEUE']]], 'CoreProcessorSet' : [ 0x5810, ['unsigned long long']], 'ScanSiblingMask' : [ 0x5818, ['unsigned long long']], 'LLCMask' : [ 0x5820, ['unsigned long long']], 'CacheProcessorMask' : [ 0x5828, ['array', 5, ['unsigned long long']]], 'ScanSiblingIndex' : [ 0x5850, ['unsigned long']], 'SharedReadyQueueOffset' : [ 0x5854, ['unsigned long']], 'ProcessorProfileControlArea' : [ 0x5858, ['pointer64', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x5860, ['pointer64', ['void']]], 'PrcbPad94' : [ 0x5868, ['array', 3, ['unsigned long long']]], 'SynchCounters' : [ 0x5880, ['_SYNCH_COUNTERS']], 'PteBitCache' : [ 0x5938, ['unsigned long long']], 'PteBitOffset' : [ 0x5940, ['unsigned long']], 'FsCounters' : [ 0x5948, ['_FILESYSTEM_DISK_COUNTERS']], 'VendorString' : [ 0x5958, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x5965, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x5968, ['unsigned long long']], 'PrcbPad11' : [ 0x5970, ['unsigned long']], 'UpdateSignature' : [ 0x5978, ['_LARGE_INTEGER']], 'Context' : [ 0x5980, ['pointer64', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x5988, ['unsigned long']], 'ExtendedState' : [ 0x5990, ['pointer64', ['_XSAVE_AREA']]], 'IsrStack' : [ 0x5998, ['pointer64', ['void']]], 'EntropyTimingState' : [ 0x59a0, ['_KENTROPY_TIMING_STATE']], 'AbSelfIoBoostsList' : [ 0x5af0, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x5af8, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x5b00, ['_KDPC']], 'Mailbox' : [ 0x5b40, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x5b80, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KFLOATING_SAVE' : [ 0x4, { 'Dummy' : [ 0x0, ['unsigned long']], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 
'Reserved' : [ 0x4, ['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_KTHREAD' : [ 0x5d0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x18, ['pointer64', ['void']]], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'StackBase' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'CycleTime' : [ 0x48, ['unsigned long long']], 'CurrentRunTime' : [ 0x50, ['unsigned long']], 'ExpectedRunTime' : [ 0x54, ['unsigned long']], 'KernelStack' : [ 0x58, ['pointer64', ['void']]], 'StateSaveArea' : [ 0x60, ['pointer64', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x68, ['pointer64', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x70, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x71, ['unsigned char']], 'Alerted' : [ 0x72, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x74, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x74, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x74, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x74, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x74, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned 
long')]], 'TimerActive' : [ 0x74, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SystemThread' : [ 0x74, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x74, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'CalloutActive' : [ 0x74, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x74, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ApcQueueable' : [ 0x74, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x74, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x74, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ApcPendingReload' : [ 0x74, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x74, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x74, ['long']], 'AutoAlignment' : [ 0x78, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x78, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UserAffinitySet' : [ 0x78, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x78, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x78, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x78, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x78, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x78, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x78, 
['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x78, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x78, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x78, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x78, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x78, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x78, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ReservedFlags' : [ 0x78, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x78, ['long']], 'Spare0' : [ 0x7c, ['unsigned long']], 'SystemCallNumber' : [ 0x80, ['unsigned long']], 'Spare1' : [ 0x84, ['unsigned long']], 'FirstArgument' : [ 0x88, ['pointer64', ['void']]], 'TrapFrame' : [ 0x90, ['pointer64', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x98, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x98, ['array', 43, ['unsigned char']]], 'Priority' : [ 0xc3, ['unsigned char']], 'UserIdealProcessor' : [ 0xc4, ['unsigned long']], 'WaitStatus' : [ 0xc8, ['long long']], 'WaitBlockList' : [ 0xd0, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xd8, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xe8, ['pointer64', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xf0, ['pointer64', ['void']]], 'RelativeTimerBias' : [ 0xf8, ['unsigned long long']], 'Timer' : [ 0x100, ['_KTIMER']], 'WaitBlock' : [ 0x140, ['array', 4, ['_KWAIT_BLOCK']]], 
'WaitBlockFill4' : [ 0x140, ['array', 20, ['unsigned char']]], 'ContextSwitches' : [ 0x154, ['unsigned long']], 'WaitBlockFill5' : [ 0x140, ['array', 68, ['unsigned char']]], 'State' : [ 0x184, ['unsigned char']], 'NpxState' : [ 0x185, ['unsigned char']], 'WaitIrql' : [ 0x186, ['unsigned char']], 'WaitMode' : [ 0x187, ['unsigned char']], 'WaitBlockFill6' : [ 0x140, ['array', 116, ['unsigned char']]], 'WaitTime' : [ 0x1b4, ['unsigned long']], 'WaitBlockFill7' : [ 0x140, ['array', 164, ['unsigned char']]], 'KernelApcDisable' : [ 0x1e4, ['short']], 'SpecialApcDisable' : [ 0x1e6, ['short']], 'CombinedApcDisable' : [ 0x1e4, ['unsigned long']], 'WaitBlockFill8' : [ 0x140, ['array', 40, ['unsigned char']]], 'ThreadCounters' : [ 0x168, ['pointer64', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0x140, ['array', 88, ['unsigned char']]], 'XStateSave' : [ 0x198, ['pointer64', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0x140, ['array', 136, ['unsigned char']]], 'Win32Thread' : [ 0x1c8, ['pointer64', ['void']]], 'WaitBlockFill11' : [ 0x140, ['array', 176, ['unsigned char']]], 'Ucb' : [ 0x1f0, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'Uch' : [ 0x1f8, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'TebMappedLowVa' : [ 0x200, ['pointer64', ['void']]], 'QueueListEntry' : [ 0x208, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x218, ['unsigned long']], 'NextProcessorNumber' : [ 0x218, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x218, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x21c, ['long']], 'Process' : [ 0x220, ['pointer64', ['_KPROCESS']]], 'UserAffinity' : [ 0x228, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x228, ['array', 10, ['unsigned char']]], 'PreviousMode' : [ 0x232, ['unsigned char']], 'BasePriority' : [ 0x233, ['unsigned char']], 'PriorityDecrement' : [ 0x234, ['unsigned char']], 'ForegroundBoost' : [ 0x234, ['BitField', dict(start_bit = 0, end_bit = 4, 
native_type='unsigned char')]], 'UnusualBoost' : [ 0x234, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x235, ['unsigned char']], 'AdjustReason' : [ 0x236, ['unsigned char']], 'AdjustIncrement' : [ 0x237, ['unsigned char']], 'Affinity' : [ 0x238, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x238, ['array', 10, ['unsigned char']]], 'ApcStateIndex' : [ 0x242, ['unsigned char']], 'WaitBlockCount' : [ 0x243, ['unsigned char']], 'IdealProcessor' : [ 0x244, ['unsigned long']], 'ApcStatePointer' : [ 0x248, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x258, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x258, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x283, ['unsigned char']], 'SuspendCount' : [ 0x284, ['unsigned char']], 'Saturation' : [ 0x285, ['unsigned char']], 'SListFaultCount' : [ 0x286, ['unsigned short']], 'SchedulerApc' : [ 0x288, ['_KAPC']], 'SchedulerApcFill0' : [ 0x288, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x289, ['unsigned char']], 'SchedulerApcFill1' : [ 0x288, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x28b, ['unsigned char']], 'SchedulerApcFill2' : [ 0x288, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x28c, ['unsigned long']], 'SchedulerApcFill3' : [ 0x288, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c8, ['pointer64', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x288, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2d0, ['pointer64', ['void']]], 'SchedulerApcFill5' : [ 0x288, ['array', 83, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x2db, ['unsigned char']], 'UserTime' : [ 0x2dc, ['unsigned long']], 'SuspendEvent' : [ 0x2e0, ['_KEVENT']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'LockEntriesFreeList' : [ 0x318, ['_SINGLE_LIST_ENTRY']], 'LockEntries' : [ 0x320, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x560, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x568, 
['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x570, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x580, ['unsigned long']], 'AbCompletedIoBoostCount' : [ 0x584, ['long']], 'AbReferenceCount' : [ 0x588, ['short']], 'AbFreeEntryCount' : [ 0x58a, ['unsigned char']], 'AbWaitEntryCount' : [ 0x58b, ['unsigned char']], 'ForegroundLossTime' : [ 0x58c, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x590, ['_LIST_ENTRY']], 'ForegroundDpcStackListEntry' : [ 0x590, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x598, ['unsigned long long']], 'ReadOperationCount' : [ 0x5a0, ['long long']], 'WriteOperationCount' : [ 0x5a8, ['long long']], 'OtherOperationCount' : [ 0x5b0, ['long long']], 'ReadTransferCount' : [ 0x5b8, ['long long']], 'WriteTransferCount' : [ 0x5c0, ['long long']], 'OtherTransferCount' : [ 0x5c8, ['long long']], } ], '_KSTACK_CONTROL' : [ 0x30, { 'StackBase' : [ 0x0, ['unsigned long long']], 'ActualLimit' : [ 0x8, ['unsigned long long']], 'StackExpansion' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_122d' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, 
native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'HeaderX64' : [ 0x0, ['__unnamed_122d']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer64', ['void']]], 'DeleteContext' : [ 0x10, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 
'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0xc0, { 'DeepIdleSet' : [ 0x0, ['unsigned long long']], 'SharedReadyQueueLeaders' : [ 0x8, ['unsigned long long']], 'ProximityId' : [ 0x40, ['unsigned long']], 'NodeNumber' : [ 0x44, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x46, ['unsigned short']], 'MaximumProcessors' : [ 0x48, ['unsigned char']], 'Flags' : [ 0x49, ['_flags']], 'Stride' : [ 0x4a, ['unsigned char']], 'LowIndex' : [ 0x4b, ['unsigned char']], 'Affinity' 
: [ 0x50, ['_GROUP_AFFINITY']], 'IdleCpuSet' : [ 0x60, ['unsigned long long']], 'IdleSmtSet' : [ 0x68, ['unsigned long long']], 'NonParkedSet' : [ 0x80, ['unsigned long long']], 'Seed' : [ 0x88, ['unsigned long']], 'Lowest' : [ 0x8c, ['unsigned long']], 'Highest' : [ 0x90, ['unsigned long']], 'ParkLock' : [ 0x94, ['long']], } ], '_ENODE' : [ 0x7c0, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueue' : [ 0xc0, ['array', 2, ['_EX_WORK_QUEUE']]], 'ExpThreadSetManagerEvent' : [ 0x640, ['_KEVENT']], 'ExpBalancerExitEvent' : [ 0x658, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x670, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x6b0, ['_KEVENT']], 'WaitBlocks' : [ 0x6c8, ['array', 4, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x788, ['pointer64', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x790, ['unsigned long']], 'ExWorkerFullInit' : [ 0x794, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x794, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x794, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x80, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long long']], 'QuotaProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'HandleTableList' : [ 0x18, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], 'StrictFIFO' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x2c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x2c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x38, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x40, ['array', 1, 
['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x40, ['array', 32, ['unsigned char']]], 'DebugInfo' : [ 0x60, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'VolatileLowValue' : [ 0x0, ['long long']], 'LowValue' : [ 0x0, ['long long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 17, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 20, native_type='unsigned long long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 64, native_type='unsigned long long')]], 'HighValue' : [ 0x8, ['long long']], 'NextFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x8, ['_EXHANDLE']], 'GrantedAccessBits' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Spare' : [ 0x8, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], 'TypeInfo' : [ 0xc, ['unsigned long']], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1322' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, 
['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_1322']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xe0, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xd8, ['unsigned char']], } ], '_ETHREAD' : [ 0x778, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x5d0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x5d8, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x5d8, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x5e8, ['pointer64', ['void']]], 'PostBlockList' : [ 0x5f0, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x5f0, ['pointer64', ['void']]], 'StartAddress' : [ 0x5f8, ['pointer64', ['void']]], 'TerminationPort' : [ 0x600, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x600, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x600, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x608, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x610, ['_LIST_ENTRY']], 'Cid' : [ 0x620, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x630, ['_KSEMAPHORE']], 
'AlpcWaitSemaphore' : [ 0x630, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x650, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x658, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x668, ['unsigned long long']], 'DeviceToVerify' : [ 0x670, ['pointer64', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x678, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x680, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x688, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x698, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x6a0, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x6a8, ['unsigned long']], 'MmLockOrdering' : [ 0x6ac, ['long']], 'CmLockOrdering' : [ 0x6b0, ['long']], 'CrossThreadFlags' : [ 0x6b4, ['unsigned long']], 'Terminated' : [ 0x6b4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x6b4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x6b4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x6b4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x6b4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x6b4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x6b4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x6b4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x6b4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x6b4, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x6b4, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x6b4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 
'UmsForceQueueTermination' : [ 0x6b4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x6b4, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x6b8, ['unsigned long']], 'ActiveExWorker' : [ 0x6b8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x6b8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ClonedThread' : [ 0x6b8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x6b8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SelfTerminate' : [ 0x6b8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x6bc, ['unsigned long']], 'HardFaultBehavior' : [ 0x6bc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x6bc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x6bc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x6bc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x6bc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x6bc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x6bc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x6bc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x6bd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x6bd, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x6bd, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x6bd, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x6bd, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x6bd, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x6bd, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x6bd, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x6be, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x6be, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x6be, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x6be, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x6be, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare2' : [ 0x6be, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x6bf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x6bf, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'Spare3' : [ 0x6bf, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x6c0, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x6c1, ['unsigned char']], 'ActiveFaultCount' : [ 0x6c2, ['unsigned char']], 'LockOrderState' : [ 0x6c3, ['unsigned char']], 'AlpcMessageId' : [ 
0x6c8, ['unsigned long long']], 'AlpcMessage' : [ 0x6d0, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x6d0, ['unsigned long']], 'ExitStatus' : [ 0x6d8, ['long']], 'AlpcWaitListEntry' : [ 0x6e0, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x6f0, ['unsigned long']], 'IoBoostCount' : [ 0x6f4, ['unsigned long']], 'BoostList' : [ 0x6f8, ['_LIST_ENTRY']], 'DeboostList' : [ 0x708, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x718, ['unsigned long long']], 'IrpListLock' : [ 0x720, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x728, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x730, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x738, ['pointer64', ['_GUID']]], 'SeLearningModeListHead' : [ 0x740, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x748, ['pointer64', ['void']]], 'KernelStackReference' : [ 0x750, ['unsigned long']], 'AdjustedClientToken' : [ 0x758, ['pointer64', ['void']]], 'UserFsBase' : [ 0x760, ['unsigned long']], 'UserGsBase' : [ 0x768, ['unsigned long long']], 'PicoContext' : [ 0x770, ['pointer64', ['void']]], } ], '_EPROCESS' : [ 0x6b8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x2c8, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x2d0, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x2d8, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x2e0, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x2e8, ['_LIST_ENTRY']], 'Flags2' : [ 0x2f8, ['unsigned long']], 'JobNotReallyActive' : [ 0x2f8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x2f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x2f8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x2f8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x2f8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x2f8, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0x2f8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x2f8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x2f8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x2f8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0x2f8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0x2f8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x2f8, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x2f8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x2f8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x2f8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x2f8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x2f8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x2f8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x2f8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0x2f8, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0x2f8, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0x2f8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 
0x2f8, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0x2f8, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0x2f8, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0x2f8, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0x2f8, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x2fc, ['unsigned long']], 'CreateReported' : [ 0x2fc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x2fc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x2fc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x2fc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0x2fc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x2fc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x2fc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x2fc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x2fc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x2fc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x2fc, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x2fc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x2fc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 
'DeprioritizeViews' : [ 0x2fc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x2fc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x2fc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x2fc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x2fc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x2fc, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0x2fc, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x2fc, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x2fc, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x2fc, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x2fc, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0x2fc, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x2fc, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x2fc, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x2fc, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x2fc, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ProcessQuotaUsage' : [ 0x300, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x310, ['array', 2, ['unsigned long long']]], 'PeakVirtualSize' : [ 0x320, ['unsigned long long']], 'VirtualSize' : [ 0x328, ['unsigned long long']], 
'SessionProcessLinks' : [ 0x330, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0x340, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x340, ['unsigned long long']], 'ExceptionPortState' : [ 0x340, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Token' : [ 0x348, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x350, ['unsigned long long']], 'AddressCreationLock' : [ 0x358, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0x360, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x368, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x370, ['pointer64', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x378, ['pointer64', ['_EJOB']]], 'CloneRoot' : [ 0x380, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x388, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x390, ['unsigned long long']], 'Win32Process' : [ 0x398, ['pointer64', ['void']]], 'Job' : [ 0x3a0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x3a8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x3b0, ['pointer64', ['void']]], 'Cookie' : [ 0x3b8, ['unsigned long']], 'WorkingSetWatch' : [ 0x3c0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x3c8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x3d0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x3d8, ['pointer64', ['void']]], 'OwnerProcessId' : [ 0x3e0, ['unsigned long long']], 'Peb' : [ 0x3e8, ['pointer64', ['_PEB']]], 'Session' : [ 0x3f0, ['pointer64', ['void']]], 'AweInfo' : [ 0x3f8, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x400, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x408, ['pointer64', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x410, ['pointer64', ['void']]], 'Wow64Process' : [ 0x418, ['pointer64', ['void']]], 'DeviceMap' : [ 0x420, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x428, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x430, ['unsigned long long']], 'ImageFileName' : [ 0x438, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x447, ['unsigned char']], 
'SecurityPort' : [ 0x448, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x450, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x458, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x468, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x470, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x480, ['unsigned long']], 'ImagePathHash' : [ 0x484, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x488, ['unsigned long']], 'LastThreadExitStatus' : [ 0x48c, ['long']], 'PrefetchTrace' : [ 0x490, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x498, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x4a0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x4a8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x4b0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x4b8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x4c0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x4c8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x4d0, ['unsigned long long']], 'CommitCharge' : [ 0x4d8, ['unsigned long long']], 'CommitChargePeak' : [ 0x4e0, ['unsigned long long']], 'Vm' : [ 0x4e8, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x5c0, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x5d0, ['unsigned long']], 'ExitStatus' : [ 0x5d4, ['long']], 'VadRoot' : [ 0x5d8, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x5e0, ['pointer64', ['void']]], 'VadCount' : [ 0x5e8, ['unsigned long long']], 'VadPhysicalPages' : [ 0x5f0, ['unsigned long long']], 'VadPhysicalPagesLimit' : [ 0x5f8, ['unsigned long long']], 'AlpcContext' : [ 0x600, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x620, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x630, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x638, ['unsigned long']], 'SmallestTimerResolution' : [ 0x63c, ['unsigned long']], 'ExitTime' : [ 0x640, ['_LARGE_INTEGER']], 'InvertedFunctionTable' : [ 0x648, ['pointer64', ['_INVERTED_FUNCTION_TABLE']]], 'InvertedFunctionTableLock' : [ 0x650, ['_EX_PUSH_LOCK']], 'ActiveThreadsHighWatermark' : [ 0x658, 
['unsigned long']], 'LargePrivateVadCount' : [ 0x65c, ['unsigned long']], 'ThreadListLock' : [ 0x660, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x668, ['pointer64', ['void']]], 'Spare0' : [ 0x670, ['unsigned long long']], 'SignatureLevel' : [ 0x678, ['unsigned char']], 'SectionSignatureLevel' : [ 0x679, ['unsigned char']], 'Protection' : [ 0x67a, ['_PS_PROTECTION']], 'SpareByte20' : [ 0x67b, ['array', 1, ['unsigned char']]], 'Flags3' : [ 0x67c, ['unsigned long']], 'Minimal' : [ 0x67c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SvmReserved' : [ 0x680, ['long']], 'SvmReserved1' : [ 0x688, ['pointer64', ['void']]], 'SvmReserved2' : [ 0x690, ['unsigned long long']], 'LastFreezeInterruptTime' : [ 0x698, ['unsigned long long']], 'DiskCounters' : [ 0x6a0, ['pointer64', ['_PROCESS_DISK_COUNTERS']]], 'PicoContext' : [ 0x6a8, ['pointer64', ['void']]], 'KeepAliveCounter' : [ 0x6b0, ['unsigned long']], 'NoWakeKeepAliveCounter' : [ 0x6b4, ['unsigned long']], } ], '_KPROCESS' : [ 0x2c8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long']], 'Spare0' : [ 0x44, ['unsigned long']], 'Affinity' : [ 0x48, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0xf0, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x108, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x1b0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x1b0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x1b0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'AffinitySet' : [ 0x1b0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='long')]], 'DeepFreeze' : [ 0x1b0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x1b0, 
['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x1b0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x1b0, ['BitField', dict(start_bit = 7, end_bit = 27, native_type='unsigned long')]], 'ReservedFlags' : [ 0x1b0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x1b0, ['long']], 'BasePriority' : [ 0x1b4, ['unsigned char']], 'QuantumReset' : [ 0x1b5, ['unsigned char']], 'Visited' : [ 0x1b6, ['unsigned char']], 'Flags' : [ 0x1b7, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x1b8, ['array', 20, ['unsigned long']]], 'IdealNode' : [ 0x208, ['array', 20, ['unsigned short']]], 'IdealGlobalNode' : [ 0x230, ['unsigned short']], 'Spare1' : [ 0x232, ['unsigned short']], 'StackCount' : [ 0x234, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x238, ['_LIST_ENTRY']], 'CycleTime' : [ 0x248, ['unsigned long long']], 'ContextSwitches' : [ 0x250, ['unsigned long long']], 'SchedulingGroup' : [ 0x258, ['pointer64', ['_KSCHEDULING_GROUP']]], 'FreezeCount' : [ 0x260, ['unsigned long']], 'KernelTime' : [ 0x264, ['unsigned long']], 'UserTime' : [ 0x268, ['unsigned long']], 'LdtFreeSelectorHint' : [ 0x26c, ['unsigned short']], 'LdtTableLength' : [ 0x26e, ['unsigned short']], 'LdtSystemDescriptor' : [ 0x270, ['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x280, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x288, ['_FAST_MUTEX']], 'InstrumentationCallback' : [ 0x2c0, ['pointer64', ['void']]], } ], '__unnamed_137c' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1382' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1384' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1382']], 'AllocationSize' : [ 0x0, 
['_LARGE_INTEGER']], } ], '__unnamed_138f' : [ 0x58, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x50, ['pointer64', ['void']]], } ], '__unnamed_1391' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_138f']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'AllocationProcessorNumber' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_137c']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_1384']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_1391']], } ], '__unnamed_1398' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned 
short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_139c' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_13a0' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_13a2' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13a6' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 
33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13a8' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_13aa' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 
'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileMaximumInformation'})]], } ], '__unnamed_13ac' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 
10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 
'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13ae' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13b0' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_13b4' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMaximumInformation'})]], } ], '__unnamed_13b6' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13b8' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13ba' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13bc' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_13be' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_13c2' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_13c6' : [ 
0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_13ca' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_13ce' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_13d2' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13d6' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_13da' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_13dc' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_13de' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_13e2' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_13e6' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_13ea' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = 
{0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_13ee' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_13f2' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_13fa' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_13fe' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1400' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1402' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1404' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1398']], 'CreatePipe' : [ 0x0, ['__unnamed_139c']], 'CreateMailslot' : [ 0x0, ['__unnamed_13a0']], 'Read' : [ 0x0, 
['__unnamed_13a2']], 'Write' : [ 0x0, ['__unnamed_13a2']], 'QueryDirectory' : [ 0x0, ['__unnamed_13a6']], 'NotifyDirectory' : [ 0x0, ['__unnamed_13a8']], 'QueryFile' : [ 0x0, ['__unnamed_13aa']], 'SetFile' : [ 0x0, ['__unnamed_13ac']], 'QueryEa' : [ 0x0, ['__unnamed_13ae']], 'SetEa' : [ 0x0, ['__unnamed_13b0']], 'QueryVolume' : [ 0x0, ['__unnamed_13b4']], 'SetVolume' : [ 0x0, ['__unnamed_13b4']], 'FileSystemControl' : [ 0x0, ['__unnamed_13b6']], 'LockControl' : [ 0x0, ['__unnamed_13b8']], 'DeviceIoControl' : [ 0x0, ['__unnamed_13ba']], 'QuerySecurity' : [ 0x0, ['__unnamed_13bc']], 'SetSecurity' : [ 0x0, ['__unnamed_13be']], 'MountVolume' : [ 0x0, ['__unnamed_13c2']], 'VerifyVolume' : [ 0x0, ['__unnamed_13c2']], 'Scsi' : [ 0x0, ['__unnamed_13c6']], 'QueryQuota' : [ 0x0, ['__unnamed_13ca']], 'SetQuota' : [ 0x0, ['__unnamed_13b0']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_13ce']], 'QueryInterface' : [ 0x0, ['__unnamed_13d2']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_13d6']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_13da']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_13dc']], 'SetLock' : [ 0x0, ['__unnamed_13de']], 'QueryId' : [ 0x0, ['__unnamed_13e2']], 'QueryDeviceText' : [ 0x0, ['__unnamed_13e6']], 'UsageNotification' : [ 0x0, ['__unnamed_13ea']], 'WaitWake' : [ 0x0, ['__unnamed_13ee']], 'PowerSequence' : [ 0x0, ['__unnamed_13f2']], 'Power' : [ 0x0, ['__unnamed_13fa']], 'StartDevice' : [ 0x0, ['__unnamed_13fe']], 'WMI' : [ 0x0, ['__unnamed_1400']], 'Others' : [ 0x0, ['__unnamed_1402']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_1404']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], 
'__unnamed_141a' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_141a']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x10, ['unsigned long long']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', 
['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'AllocationProcessorNumber' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x70, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer64', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x60, ['pointer64', ['void']]], 'UserContext' : [ 0x68, ['pointer64', ['void']]], } ], 
'_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, 
['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 
'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 
'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'Oplock' : [ 0x58, ['pointer64', ['void']]], 'ReservedForRemote' : [ 0x58, ['pointer64', ['void']]], 'ReservedContext' : [ 0x60, ['pointer64', ['void']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '__unnamed_159c' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_159c']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'ReservedLowFlags' : [ 0x1a, ['unsigned char']], 'WaiterPriority' : [ 0x1b, ['unsigned char']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long 
long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '__unnamed_15e0' : [ 0x8, { 'Flink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeFlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 64, native_type='unsigned long long')]], 'WsIndex' : [ 0x0, ['unsigned long long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_15e5' : [ 0x8, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeBlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 56, native_type='unsigned long long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 60, native_type='unsigned long long')]], 'SpareBlink' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15e8' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 
'ShortFlags' : [ 0x2, ['unsigned short']], 'VolatileShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_15ea' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_15e8']], } ], '__unnamed_15f4' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'Channel' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 38, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'Unused3' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 53, native_type='unsigned long long')]], 'PfnExists' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned long long']], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_15e0']], 'u2' : [ 0x8, ['__unnamed_15e5']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['long']], 'PteLong' : [ 0x10, ['unsigned long long']], 'u3' : [ 0x18, ['__unnamed_15ea']], 'NodeBlinkLow' : [ 0x1c, ['unsigned short']], 'Unused' : [ 0x1e, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'VaType' : [ 0x1e, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'ViewCount' : [ 0x1f, ['unsigned char']], 'NodeFlinkLow' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'u4' : [ 0x28, ['__unnamed_15f4']], } ], 
'_MI_SYSTEM_PTE_TYPE' : [ 0x68, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP_EX']], 'BasePte' : [ 0x10, ['pointer64', ['_MMPTE']]], 'Flags' : [ 0x18, ['unsigned long']], 'VaType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaMaximumType', 15: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x30, ['unsigned long long']], 'GlobalMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'Vm' : [ 0x38, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x40, ['unsigned long long']], 'Hint' : [ 0x48, ['unsigned long long']], 'CachedPtes' : [ 0x50, ['pointer64', ['_MI_CACHED_PTE']]], 'TotalFreeSystemPtes' : [ 0x58, ['unsigned long long']], 'CachedPteCount' : [ 0x60, ['long']], } ], '__unnamed_1616' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1616']], } ], '_MMWSL' : [ 0x260, { 'FirstFree' : [ 0x0, ['unsigned long long']], 'FirstDynamic' : [ 0x8, ['unsigned long long']], 'LastEntry' : [ 0x10, ['unsigned long long']], 'NextSlot' : [ 0x18, ['unsigned long long']], 'LastInitializedWsle' : [ 0x20, ['unsigned long long']], 'NextAgingSlot' : [ 0x28, ['unsigned long long']], 'NextAccessClearingSlot' : [ 0x30, ['unsigned long long']], 'LastAccessClearingRemainder' : [ 0x38, ['unsigned long']], 'LastAgingRemainder' : [ 0x3c, ['unsigned long']], 'WsleSize' : [ 0x40, ['unsigned long']], 'NonDirectCount' : [ 0x48, ['unsigned long long']], 'LowestPagableAddress' : [ 0x50, ['pointer64', 
['void']]], 'NonDirectHash' : [ 0x58, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x60, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x68, ['pointer64', ['_MMWSLE_HASH']]], 'ActiveWsleCounts' : [ 0x70, ['array', 8, ['unsigned long long']]], 'ActiveWsles' : [ 0xb0, ['array', 8, ['_MI_ACTIVE_WSLE_LISTHEAD']]], 'Wsle' : [ 0x130, ['pointer64', ['_MMWSLE']]], 'UserVaInfo' : [ 0x138, ['_MI_USER_VA_INFO']], } ], '_MMSUPPORT' : [ 0xd8, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x8, ['pointer64', ['_KGATE']]], 'AccessLog' : [ 0x10, ['pointer64', ['void']]], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, ['array', 7, ['unsigned long long']]], 'MinimumWorkingSetSize' : [ 0x60, ['unsigned long long']], 'WorkingSetSize' : [ 0x68, ['unsigned long long']], 'WorkingSetPrivateSize' : [ 0x70, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0x78, ['unsigned long long']], 'ChargedWslePages' : [ 0x80, ['unsigned long long']], 'ActualWslePages' : [ 0x88, ['unsigned long long']], 'WorkingSetSizeOverhead' : [ 0x90, ['unsigned long long']], 'PeakWorkingSetSize' : [ 0x98, ['unsigned long long']], 'HardFaultCount' : [ 0xa0, ['unsigned long']], 'VmWorkingSetList' : [ 0xa8, ['pointer64', ['_MMWSL']]], 'NextPageColor' : [ 0xb0, ['unsigned short']], 'LastTrimStamp' : [ 0xb2, ['unsigned short']], 'PageFaultCount' : [ 0xb4, ['unsigned long']], 'TrimmedPageCount' : [ 0xb8, ['unsigned long long']], 'ForceTrimPages' : [ 0xc0, ['unsigned long long']], 'Flags' : [ 0xc8, ['_MMSUPPORT_FLAGS']], 'WsSwapSupport' : [ 0xd0, ['pointer64', ['void']]], } ], '__unnamed_162f' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1639' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', 
dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 28, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_163b' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1639']], } ], '_CONTROL_AREA' : [ 0x78, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_162f']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'WaitList' : [ 0x50, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x58, ['__unnamed_163b']], 'LockedPages' : [ 0x68, ['unsigned long long']], 'FileObjectLock' : [ 0x70, ['_EX_PUSH_LOCK']], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_MMPAGING_FILE' : [ 0xe0, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 
'HighestPage' : [ 0x28, ['unsigned long long']], 'FreeReservationSpace' : [ 0x30, ['unsigned long long']], 'LargestReserveCluster' : [ 0x38, ['unsigned long long']], 'File' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x48, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x60, ['_SLIST_HEADER']], 'PageFileName' : [ 0x70, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x80, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x88, ['unsigned long']], 'ReservationBitmapHint' : [ 0x8c, ['unsigned long']], 'LargestNonReservedClusterSize' : [ 0x90, ['unsigned long']], 'RefreshClusterSize' : [ 0x94, ['unsigned long']], 'LastRefreshClusterSize' : [ 0x98, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x9c, ['unsigned long']], 'ToBeEvictedCount' : [ 0xa0, ['unsigned long']], 'HybridPriority' : [ 0xa4, ['unsigned long']], 'PageFileNumber' : [ 0xa8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0xa8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0xa8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'NoReservations' : [ 0xa8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Spare0' : [ 0xa8, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0xaa, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0xaa, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0xab, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0xac, ['unsigned long']], 'PageHashPagesPeak' : [ 0xb0, ['unsigned long']], 'PageHash' : [ 0xb8, ['pointer64', ['unsigned long']]], 'FileHandle' : [ 0xc0, ['pointer64', ['void']]], 'Lock' : [ 0xc8, ['unsigned long long']], 'LockOwner' : [ 0xd0, ['pointer64', ['_ETHREAD']]], 
} ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x30, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x8, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0x18, ['_RTL_BITMAP']], 'EvictStoreBitmap' : [ 0x28, ['pointer64', ['_RTL_BITMAP']]], } ], 'tagSWITCH_CONTEXT' : [ 0x60, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '__unnamed_167c' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_167f' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_1681' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1685' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_1687' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_168b' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_168f' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', 
['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_1691' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_167c']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_167c']]], 'RegistryIO' : [ 0xd0, ['__unnamed_167f']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_1681']], 'CheckKey' : [ 0xf0, ['__unnamed_1685']], 'CheckValueList' : [ 0x110, ['__unnamed_1687']], 'CheckHive' : [ 0x128, ['__unnamed_168b']], 'CheckHive1' : [ 0x138, ['__unnamed_168b']], 'CheckBin' : [ 0x148, ['__unnamed_168f']], 'RecoverData' : [ 0x158, ['__unnamed_1691']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xb8, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, 
['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'ParkingStatus' : [ 0x78, ['unsigned long']], 'CurrentFrequency' : [ 0x7c, ['unsigned long']], 'PercentMaxFrequency' : [ 0x80, ['unsigned long']], 'StateFlags' : [ 0x84, ['unsigned long']], 'NominalThroughput' : [ 0x88, ['unsigned long']], 'ActiveThroughput' : [ 0x8c, ['unsigned long']], 'ScaledThroughput' : [ 0x90, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0x98, ['unsigned long long']], 'AverageIdleTime' : [ 0xa0, ['unsigned long long']], 'IdleBreakEvents' : [ 0xa8, ['unsigned long long']], 'PerformanceLimit' : [ 0xb0, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xb4, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 
'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : 
[ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0xc, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '__unnamed_16fb' : [ 0x10, { 'ReservedEax' : [ 0x0, ['unsigned long']], 'ReservedEbx' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'InitialApicId' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ReservedEcx' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HypervisorPresent' : [ 0x8, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_CPUID_RESULT' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'VersionAndFeatures' : [ 0x0, ['__unnamed_16fb']], 'HvVendorAndMaxFunction' : [ 0x0, ['_HV_VENDOR_AND_MAX_FUNCTION']], 'HvInterface' : [ 0x0, ['_HV_HYPERVISOR_INTERFACE_INFO']], 'MsHvVersion' : [ 0x0, ['_HV_HYPERVISOR_VERSION_INFO']], 'MsHvFeatures' : [ 0x0, ['_HV_HYPERVISOR_FEATURES']], 'MsHvEnlightenmentInformation' : [ 0x0, ['_HV_ENLIGHTENMENT_INFORMATION']], 
'MsHvImplementationLimits' : [ 0x0, ['_HV_IMPLEMENTATION_LIMITS']], 'MsHvHardwareFeatures' : [ 0x0, ['_HV_HYPERVISOR_HARDWARE_FEATURES']], } ], '_HV_VENDOR_AND_MAX_FUNCTION' : [ 0x10, { 'MaxFunction' : [ 0x0, ['unsigned long']], 'VendorName' : [ 0x4, ['array', 12, ['unsigned char']]], } ], '_HV_HYPERVISOR_INTERFACE_INFO' : [ 0x10, { 'Interface' : [ 0x0, ['unsigned long']], 'ReservedEbx' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_HYPERVISOR_VERSION_INFO' : [ 0x10, { 'BuildNumber' : [ 0x0, ['unsigned long']], 'MinorVersion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'MajorVersion' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ServicePack' : [ 0x8, ['unsigned long']], 'ServiceNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'ServiceBranch' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_HV_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugMsrsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long')]], } ], '_HV_HYPERVISOR_HARDWARE_FEATURES' : [ 0x10, { 'ApicOverlayAssistInUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MsrBitmapsInUse' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ArchitecturalPerformanceCountersInUse' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SecondLevelAddressTranslationInUse' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DmaRemappingInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'InterruptRemappingInUse' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'MemoryPatrolScrubberPresent' : [ 0x0, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'ReservedEbx' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_ENLIGHTENMENT_INFORMATION' : [ 0x10, { 'UseHypercallForAddressSpaceSwitch' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UseHypercallForLocalFlush' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UseHypercallForRemoteFlush' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UseApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UseMsrForReset' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UseRelaxedTiming' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UseDmaRemapping' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UseInterruptRemapping' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UseX2ApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeprecateAutoEoi' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'LongSpinWaitCount' : [ 0x4, ['unsigned long']], 'ReservedEcx' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_IMPLEMENTATION_LIMITS' : [ 0x10, { 'MaxVirtualProcessorCount' : [ 0x0, ['unsigned long']], 'MaxLogicalProcessorCount' : [ 0x4, ['unsigned long']], 'MaxInterruptMappingCount' : [ 0x8, ['unsigned long']], 'ReservedEdx' : [ 0xc, ['unsigned long']], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 
0x0, ['unsigned long long']], 'AccessVpRunTimeMsr' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicMsrs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerMsrs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessApicMsrs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetMsr' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsMsr' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleMsr' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyMsrs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugMsrs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, 
['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'EnableExpandedStackwalking' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', ['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x268, { 'Lock' 
: [ 0x0, ['unsigned long long']], 'ReadySummary' : [ 0x8, ['unsigned long']], 'ReadyListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x210, ['array', 64, ['unsigned char']]], 'Span' : [ 0x250, ['unsigned long']], 'LowProcIndex' : [ 0x254, ['unsigned long']], 'QueueIndex' : [ 0x258, ['unsigned long']], 'ProcCount' : [ 0x25c, ['unsigned long']], 'Affinity' : [ 0x260, ['unsigned long long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'Spare1' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'OutputBuffer' : [ 0xd8, ['unsigned long long']], 'OutputLength' : [ 0xe0, ['unsigned long long']], 'Spare2' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, 
['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long 
long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'Fill4' : [ 0x18c, ['unsigned long']], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x48, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x30, ['pointer64', ['unsigned long']]], 'EnableKeyWords' : [ 0x38, ['pointer64', ['unsigned long long']]], 'EnableLevel' : [ 0x40, ['pointer64', ['unsigned char']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 
'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependencyNode' : [ 0x50, ['pointer64', ['void']]], 'VerifierContext' : [ 0x58, ['pointer64', ['void']]], } ], '__unnamed_17fc' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_17fe' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1802' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x2c8, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'FxDevice' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x58, ['long']], 'FxRemoveEvent' : [ 0x60, ['_KEVENT']], 'FxActivationCount' : [ 0x78, ['long']], 'FxSleepCount' : [ 0x7c, ['long']], 'Plugin' : [ 0x80, ['pointer64', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x88, ['unsigned long']], 'CurrentPowerState' : [ 0x8c, ['_POWER_STATE']], 'Notify' : [ 
0x90, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xf8, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0x118, ['_UNICODE_STRING']], 'PowerFlags' : [ 0x128, ['unsigned long']], 'State' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x134, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 
773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x184, ['unsigned long']], 'CompletionStatus' : [ 0x188, ['long']], 'Flags' : [ 0x18c, ['unsigned long']], 'UserFlags' : [ 0x190, ['unsigned long']], 'Problem' : [ 0x194, ['unsigned long']], 'ProblemStatus' : [ 0x198, ['long']], 'ResourceList' : [ 0x1a0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x1b0, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x1b8, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x1c4, ['unsigned long']], 'ChildInterfaceType' : [ 0x1c8, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 
0x1cc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x1d0, ['unsigned short']], 'RemovalPolicy' : [ 0x1d2, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x1d3, ['unsigned char']], 'TargetDeviceNotify' : [ 0x1d8, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x1e8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1f8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x208, ['unsigned short']], 'QueryTranslatorMask' : [ 0x20a, ['unsigned short']], 'NoArbiterMask' : [ 0x20c, ['unsigned short']], 'QueryArbiterMask' : [ 0x20e, ['unsigned short']], 'OverUsed1' : [ 0x210, ['__unnamed_17fc']], 'OverUsed2' : [ 0x218, ['__unnamed_17fe']], 'BootResources' : [ 0x220, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x228, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x230, ['unsigned long']], 'DockInfo' : [ 0x238, ['__unnamed_1802']], 'DisableableDepends' : [ 0x258, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x260, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x270, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x280, ['unsigned long']], 'PreviousParent' : [ 0x288, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x290, ['unsigned long']], 'NumaNodeIndex' : [ 0x294, ['unsigned long']], 'ContainerID' : [ 0x298, ['_GUID']], 'OverrideFlags' : [ 0x2a8, ['unsigned char']], 'DeviceIdsHash' : [ 0x2ac, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x2b0, ['unsigned char']], 'PendingEjectRelations' : [ 0x2b8, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x2c0, ['unsigned long']], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KAFFINITY_EX' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 20, ['unsigned long long']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 
0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, 
['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 
'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 
'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, 
['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_18b9' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, 
['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_18b9']], } ], '__unnamed_18c0' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, 
['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_18c0']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PROCESSOR_POWER_STATE' : [ 0x1e0, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x8, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x10, ['unsigned long long']], 'IdleTimeTotal' : [ 0x18, ['unsigned long long']], 'IdleTimeEntry' : [ 0x20, ['unsigned long long']], 'Reserved' : [ 0x28, ['unsigned long long']], 'IdlePolicy' : [ 0x30, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x38, 
['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x40, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xb0, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'LastSysTime' : [ 0xb4, ['unsigned long']], 'WmiDispatchPtr' : [ 0xb8, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0xc0, ['long']], 'FFHThrottleStateInfo' : [ 0xc8, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0xe8, ['_KDPC']], 'PerfActionMask' : [ 0x128, ['long']], 'HvIdleCheck' : [ 0x130, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x140, ['_PROC_PERF_SNAP']], 'Domain' : [ 0x180, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x188, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x190, ['pointer64', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x198, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x1a0, ['pointer64', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x1a8, ['unsigned char']], 'HvTargetState' : [ 0x1a9, ['unsigned char']], 'Parked' : [ 0x1aa, ['unsigned char']], 'OverUtilized' : [ 0x1ab, ['unsigned char']], 'LatestPerformancePercent' : [ 0x1ac, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x1b0, ['unsigned long']], 'ExpectedUtility' : [ 0x1b4, ['unsigned long']], 'Utility' : [ 0x1b8, ['array', 3, ['_PROC_PERF_UTILITY']]], } ], '_PROC_PERF_UTILITY' : [ 0xc, { 'Affinitized' : [ 0x0, ['unsigned long']], 'Performance' : [ 0x4, ['unsigned long']], 'Total' : [ 0x8, ['unsigned long']], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit 
= 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CompleteIdleStatePending' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0xd0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x20, ['unsigned long long']], 
'LogHandleContext' : [ 0x28, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0xc0, ['unsigned long']], 'PagesQueuedToDisk' : [ 0xc4, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0xc8, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x208, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'V1' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0x100, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x118, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0x150, ['_LARGE_INTEGER']], 'Event' : [ 0x158, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x170, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x178, 
['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1f0, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1f8, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x200, ['unsigned long']], 'WritesInProgress' : [ 0x204, ['unsigned long']], } ], '__unnamed_1968' : [ 0x10, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_1968']], 'ArrayHead' : [ 0x20, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1989' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_198b' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_198d' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_198f' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1991' : [ 0x30, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x8, ['pointer64', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x10, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x28, ['unsigned char']], } ], '__unnamed_1993' : [ 0x30, { 'Read' : [ 0x0, ['__unnamed_1989']], 'Write' : [ 0x0, ['__unnamed_198b']], 'Event' : [ 0x0, ['__unnamed_198d']], 'Notification' : [ 0x0, ['__unnamed_198f']], 'LowPriWrite' : [ 0x0, ['__unnamed_1991']], } ], '_WORK_QUEUE_ENTRY' : [ 0x48, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_1993']], 'Function' : [ 0x40, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x30, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x8, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x20, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x98, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], 'QueryLogHandleInfoRoutine' 
: [ 0x10, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x18, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x30, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x68, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x6c, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x70, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x78, ['pointer64', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x80, ['unsigned long long']], 'LastLWTimeStamp' : [ 0x88, ['_LARGE_INTEGER']], 'Flags' : [ 0x90, ['unsigned long']], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, 
['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x298, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x90, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x94, ['unsigned long']], 'Signature' : [ 0x98, ['unsigned long']], 'SegmentReserve' : [ 0xa0, ['unsigned long long']], 'SegmentCommit' : [ 0xa8, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb0, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xb8, ['unsigned long long']], 'TotalFreeSize' : [ 0xc0, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xc8, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd0, ['unsigned short']], 'HeaderValidateLength' : [ 0xd2, ['unsigned short']], 'HeaderValidateCopy' : [ 0xd8, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe0, ['unsigned short']], 'MaximumTagIndex' : [ 0xe2, ['unsigned short']], 
'TagEntries' : [ 0xe8, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf0, ['_LIST_ENTRY']], 'AlignRound' : [ 0x100, ['unsigned long long']], 'AlignMask' : [ 0x108, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x110, ['_LIST_ENTRY']], 'SegmentList' : [ 0x120, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x130, ['unsigned short']], 'NonDedicatedListLength' : [ 0x134, ['unsigned long']], 'BlocksIndex' : [ 0x138, ['pointer64', ['void']]], 'UCRIndex' : [ 0x140, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x148, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x150, ['_LIST_ENTRY']], 'LockVariable' : [ 0x160, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x168, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x170, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x178, ['unsigned short']], 'FrontEndHeapType' : [ 0x17a, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0x17b, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0x180, ['pointer64', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0x188, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0x18a, ['array', 129, ['unsigned char']]], 'Counters' : [ 0x210, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x288, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_19fe' : [ 0x68, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_19fe']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, 
['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 
'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1a50' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1a52' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a50']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1a54' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1a56' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1a54']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1a52']], 'u2' : [ 0x4, ['__unnamed_1a56']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x30, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 
'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer64', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], } ], '__unnamed_1a71' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1a73' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1a71']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x30, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_1a73']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x18, ['long long']], 'Lock' : [ 0x20, ['_EX_PUSH_LOCK']], } ], '__unnamed_1a85' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a87' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a85']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_1a87']], 'NumberOfRegions' : [ 0x34, ['unsigned 
long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_1a90' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1a92' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a90']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_1a92']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_1a98' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1a9a' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a98']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_1a9a']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x48, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : 
[ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x40, ['pointer64', ['_KALPC_MESSAGE']]], } ], '__unnamed_1ab8' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1aba' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1ab8']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1c0, { 'PortListEntry' : [ 0x0, 
['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa0, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0xb8, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0xc8, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0xd0, ['_LIST_ENTRY']], 'Semaphore' : [ 0xe0, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xe0, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0xe8, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x130, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x138, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0x148, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0x150, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0x158, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x160, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x168, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x178, ['long']], 'ReferenceNo' : [ 0x17c, ['long']], 'ReferenceNoWait' : [ 0x180, ['pointer64', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0x188, ['__unnamed_1aba']], 'TargetQueuePort' : [ 0x190, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x198, ['pointer64', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x1a0, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x1a8, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x1ac, ['unsigned long']], 'PendingQueueLength' : [ 0x1b0, ['unsigned long']], 'CanceledQueueLength' : [ 0x1b4, ['unsigned long']], 'WaitQueueLength' : [ 0x1b8, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0xa0, { 
'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'CompletionListLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x20, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x28, ['pointer64', ['void']]], 'UserLimit' : [ 0x30, ['pointer64', ['void']]], 'DataUserVa' : [ 0x38, ['pointer64', ['void']]], 'SystemVa' : [ 0x40, ['pointer64', ['void']]], 'TotalSize' : [ 0x48, ['unsigned long long']], 'Header' : [ 0x50, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x58, ['pointer64', ['void']]], 'ListSize' : [ 0x60, ['unsigned long long']], 'Bitmap' : [ 0x68, ['pointer64', ['void']]], 'BitmapSize' : [ 0x70, ['unsigned long long']], 'Data' : [ 0x78, ['pointer64', ['void']]], 'DataSize' : [ 0x80, ['unsigned long long']], 'BitmapLimit' : [ 0x88, ['unsigned long']], 'BitmapNextHint' : [ 0x8c, ['unsigned long']], 'ConcurrencyCount' : [ 0x90, ['unsigned long']], 'AttributeFlags' : [ 0x94, ['unsigned long']], 'AttributeSize' : [ 0x98, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_TYPE' : [ 0xd8, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'Key' : [ 0xc0, ['unsigned long']], 'CallbackList' : [ 0xc8, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x20, { 
'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x18, ['long']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1a52']], 'u2' : [ 0x4, ['__unnamed_1a56']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1ae2' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1ae4' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1ae2']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x100, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'WaitingThread' : [ 
0x20, ['pointer64', ['_ETHREAD']]], 'u1' : [ 0x28, ['__unnamed_1ae4']], 'SequenceNo' : [ 0x2c, ['long']], 'QuotaProcess' : [ 0x30, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x30, ['pointer64', ['void']]], 'CancelSequencePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x40, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x48, ['long']], 'CancelListEntry' : [ 0x50, ['_LIST_ENTRY']], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x68, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xa0, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xa8, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xb0, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xb8, ['pointer64', ['_ETHREAD']]], 'WakeReference' : [ 0xc0, ['pointer64', ['void']]], 'ExtensionBuffer' : [ 0xc8, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0xd0, ['unsigned long long']], 'PortMessage' : [ 0xd8, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'Flags' : [ 0x28, ['unsigned long']], 'TotalLength' : [ 0x2c, ['unsigned short']], 'Type' : [ 0x2e, ['unsigned short']], 'DataInfoOffset' : [ 0x30, ['unsigned short']], 'SignalCompletion' : [ 0x32, ['unsigned char']], 'PostedToCompletionList' : [ 0x33, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', 
['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x30, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1b26' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1b28' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b26']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1b28']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x28, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'TimeStamped' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer64', ['void']]], 'ActivityId' : [ 0x10, ['_GUID']], 'Timestamp' : [ 0x20, ['_LARGE_INTEGER']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x48, { 'FoExtFlags' : [ 
0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, ['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned char']], 'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'AccessMode' : [ 0x94, ['unsigned char']], 'DriverCreateContext' : [ 0x98, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' 
: [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1bed' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x118, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1bed']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer64', ['unsigned short']]], 'LogFileName' : [ 0x40, ['pointer64', ['unsigned short']]], 'TimeZone' : [ 0x48, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf8, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0x100, ['_LARGE_INTEGER']], 'StartTime' : [ 0x108, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x110, ['unsigned long']], 'BuffersLost' : [ 0x114, ['unsigned long']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x378, { 'LoggerId' : [ 0x0, ['unsigned long']], 
'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 2, ['unsigned long']]], 'ErrorMarker' : [ 0x1c, ['unsigned long']], 'SizeMask' : [ 0x20, ['unsigned long']], 'GetCpuClock' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'FailureReason' : [ 0x3c, ['unsigned long']], 'BufferQueue' : [ 0x40, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x58, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x70, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x80, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x90, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x90, ['_EX_FAST_REF']], 'LoggerName' : [ 0x98, ['_UNICODE_STRING']], 'LogFileName' : [ 0xa8, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0xb8, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xc8, ['_UNICODE_STRING']], 'ClockType' : [ 0xd8, ['unsigned long']], 'LastFlushedBuffer' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'FlushThreshold' : [ 0xe4, ['unsigned long']], 'ByteOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xf0, ['unsigned long']], 'BuffersAvailable' : [ 0xf4, ['long']], 'NumberOfBuffers' : [ 0xf8, ['long']], 'MaximumBuffers' : [ 0xfc, ['unsigned long']], 'EventsLost' : [ 0x100, ['unsigned long']], 'PeakBuffersCount' : [ 0x104, ['long']], 'BuffersWritten' : [ 0x108, ['unsigned long']], 'LogBuffersLost' : [ 0x10c, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x110, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x114, ['unsigned long']], 'SequencePtr' : [ 0x118, ['pointer64', ['long']]], 'LocalSequence' : [ 0x120, ['unsigned long']], 'InstanceGuid' : [ 0x124, ['_GUID']], 'MaximumFileSize' : [ 0x134, ['unsigned long']], 'FileCounter' : [ 0x138, ['long']], 'PoolType' : [ 0x13c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 
1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x140, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0x150, ['long']], 'ProviderInfoSize' : [ 0x154, ['unsigned long']], 'Consumers' : [ 0x158, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x168, ['unsigned long']], 'TransitionConsumer' : [ 0x170, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x178, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x180, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x190, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x1a0, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1a8, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1b0, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1b8, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1c0, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1d0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1d8, ['_KEVENT']], 'FlushEvent' : [ 0x1f0, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x208, ['_KTIMER']], 'LoggerDpc' : [ 0x248, ['_KDPC']], 'LoggerMutex' : [ 0x288, ['_KMUTANT']], 'LoggerLock' : [ 0x2c0, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2c8, ['unsigned long long']], 'BufferListPushLock' : [ 0x2c8, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2d0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x318, ['_EX_FAST_REF']], 
'StartTime' : [ 0x320, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x328, ['pointer64', ['void']]], 'BufferSequenceNumber' : [ 0x330, ['long long']], 'Flags' : [ 0x338, ['unsigned long']], 'Persistent' : [ 0x338, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x338, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x338, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x338, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x338, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x338, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x338, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x338, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x338, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x338, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x338, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x338, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x338, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SpareFlags1' : [ 0x338, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x338, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x338, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x338, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x33c, ['unsigned 
long']], 'DbgRequestNewFie' : [ 0x33c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x33c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x33c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x33c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x33c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x33c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x33c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x33c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDefferdFlush' : [ 0x33c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDefferdFlushTimer' : [ 0x33c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x33c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x33c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x33c, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x340, ['_RTL_BITMAP']], 'StackCache' : [ 0x350, ['pointer64', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x358, ['pointer64', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x360, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x370, ['pointer64', ['pointer64', ['_WMI_BUFFER_HEADER']]]], } ], '_ETW_PMC_SUPPORT' : [ 0x28, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 
'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer64', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x468, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0xa0, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa8, ['pointer64', ['void']]], 'DynamicPart' : [ 
0xb0, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb8, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc8, ['unsigned long']], 'TokenInUse' : [ 0xcc, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xd0, ['unsigned long']], 'MandatoryPolicy' : [ 0xd4, ['unsigned long']], 'LogonSession' : [ 0xd8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe0, ['_LUID']], 'SidHash' : [ 0xe8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f8, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x308, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x310, ['pointer64', ['void']]], 'Capabilities' : [ 0x318, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x320, ['unsigned long']], 'CapabilitiesHash' : [ 0x328, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x438, ['pointer64', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x440, ['pointer64', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x448, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x450, ['pointer64', ['void']]], 'TrustLinkedToken' : [ 0x458, ['pointer64', ['_TOKEN']]], 'VariablePart' : [ 0x460, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x68, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['long long']], 'Flags' : [ 0x20, ['unsigned long']], 'pDeviceMap' : [ 0x28, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x30, ['pointer64', ['void']]], 'AccountName' : [ 0x38, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x48, 
['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x58, ['_SEP_LOWBOX_HANDLES_TABLE']], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 'DbgRefTrace' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'NewObject' : [ 0x1b, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0x1b, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0x1b, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0x1b, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0x1b, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0x1b, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0x1b, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0x1b, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare' : [ 0x1c, ['unsigned long']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 
0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x10, { 'SecurityDescriptor' : [ 0x0, ['pointer64', ['void']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x28, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'EntryLink' : [ 0x10, ['pointer64', ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0x18, ['unsigned long']], 'HashIndex' : [ 0x1c, ['unsigned short']], 'DirectoryLocked' : [ 0x1e, ['unsigned char']], 'LockedExclusive' : [ 0x1f, ['unsigned char']], 'LockStateSignature' : [ 0x20, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', 
['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x130, ['pointer64', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_WHEAP_INFO_BLOCK' : [ 0x18, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x8, ['pointer64', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x10, ['pointer64', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x428, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x10, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x14, ['unsigned long']], 'ErrorCount' : [ 0x18, ['long']], 'RecordCount' : [ 0x1c, ['unsigned long']], 'RecordLength' : [ 0x20, ['unsigned long']], 'PoolTag' : [ 0x24, ['unsigned long']], 'Type' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x30, ['pointer64', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x38, ['pointer64', ['void']]], 'SectionCount' : [ 0x40, ['unsigned long']], 'SectionLength' : [ 0x44, ['unsigned long']], 'TickCountAtLastError' : [ 0x48, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x50, ['unsigned long']], 'TotalErrors' : [ 0x54, ['unsigned long']], 'Deferred' : [ 0x58, ['unsigned char']], 'Descriptor' : [ 0x59, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xf0, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x10, ['unsigned long']], 'ProcessorNumber' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x1c, ['long']], 'ErrorSource' : [ 0x20, ['pointer64', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 
0x28, ['_WHEA_ERROR_RECORD']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x30, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'ConnectLock' : [ 0x8, ['_KEVENT']], 'LineMasked' : [ 0x20, ['unsigned char']], 'InterruptList' : [ 0x28, ['pointer64', ['_KINTERRUPT']]], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0xb0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long long']], 'WorkQueue' : [ 0x20, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x60, ['pointer64', ['void']]], 'AcceptProcessorNotification' : [ 0x68, ['pointer64', ['void']]], 'WorkOrderCount' : [ 0x70, ['unsigned long']], 'WorkOrders' : [ 0x78, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned 
long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 
'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x150, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x108, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x148, ['unsigned long']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Signalling' : [ 0x1, ['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Reserved1' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved2' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Reserved3' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Minimal' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved4' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 
'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Reserved5' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'WaitResponse' : [ 0xc, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], } ], '_HEAP_COUNTERS' : [ 0x78, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'PollIntervalCounter' : [ 0x48, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x4c, ['unsigned long']], 'HeapPollInterval' : [ 0x50, ['unsigned long']], 'AllocAndFreeOps' : [ 0x54, ['unsigned long']], 'AllocationIndicesActive' : [ 0x58, ['unsigned long']], 'InBlockDeccommits' : [ 0x5c, ['unsigned long']], 
'InBlockDeccomitSize' : [ 0x60, ['unsigned long long']], 'HighWatermarkSize' : [ 0x68, ['unsigned long long']], 'LastPolledSize' : [ 0x70, ['unsigned long long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_MI_ACTIVE_WSLE_LISTHEAD' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x70, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned 
long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x68, ['unsigned char']], 'DeleteType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_WORK_ORDER' : [ 0x38, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x20, ['long']], 'Context' : [ 0x28, ['pointer64', ['void']]], 'WatchdogTimerInfo' : [ 0x30, ['pointer64', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' 
: [ 0x30, ['pointer64', ['void']]], 'Reserved' : [ 0x20, ['array', 3, ['pointer64', ['void']]]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['unsigned long long']], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x48, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ullContextMinimum' : [ 0x8, ['unsigned long long']], 'guPlatform' : [ 0x10, ['_GUID']], 'guMinPlatform' : [ 0x20, ['_GUID']], 'ulContextSource' : [ 0x30, ['unsigned long']], 'ulElementCount' : [ 0x34, ['unsigned long']], 'guElements' : [ 0x38, ['array', 1, ['_GUID']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x30, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x18, ['_KEVENT']], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 
0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x10, ['unsigned char']], 'BlockState' : [ 0x11, ['unsigned char']], 'WaitKey' : [ 0x12, ['unsigned short']], 'SpareLong' : [ 0x14, ['long']], 'Thread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NotificationQueue' : [ 0x18, ['pointer64', ['_KQUEUE']]], 'Object' : [ 0x20, ['pointer64', ['void']]], 'SparePtr' : [ 0x28, ['pointer64', ['void']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x50, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'CriticalTripPoint' : [ 0x18, ['unsigned long']], 'ActiveTripPointCount' : [ 0x1c, ['unsigned char']], 'ActiveTripPoint' : [ 0x20, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x48, ['unsigned long']], 'MinimumThrottle' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1d80' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1d82' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1d80']], 'Private' : [ 0x0, ['__unnamed_1d82']], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 
'Lock' : [ 0x0, ['unsigned long long']], 'Processors' : [ 0x8, ['unsigned long']], 'ActiveProcessors' : [ 0xc, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' 
: [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x10, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x260, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x10, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x20, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x130, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x240, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x248, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x250, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x258, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 
'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 28, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x4b0, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb8, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xc0, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0xc8, ['unsigned long long']], 'TotalPageFaultCount' : [ 0xd0, ['unsigned long']], 'TotalProcesses' : [ 0xd4, ['unsigned long']], 'ActiveProcesses' : [ 0xd8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xdc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xe0, 
['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf8, ['unsigned long long']], 'LimitFlags' : [ 0x100, ['unsigned long']], 'ActiveProcessLimit' : [ 0x104, ['unsigned long']], 'Affinity' : [ 0x108, ['_KAFFINITY_EX']], 'AccessState' : [ 0x1b0, ['pointer64', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0x1b8, ['pointer64', ['void']]], 'UIRestrictionsClass' : [ 0x1c0, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x1c4, ['unsigned long']], 'CompletionPort' : [ 0x1c8, ['pointer64', ['void']]], 'CompletionKey' : [ 0x1d0, ['pointer64', ['void']]], 'CompletionCount' : [ 0x1d8, ['unsigned long long']], 'SessionId' : [ 0x1e0, ['unsigned long']], 'SchedulingClass' : [ 0x1e4, ['unsigned long']], 'ReadOperationCount' : [ 0x1e8, ['unsigned long long']], 'WriteOperationCount' : [ 0x1f0, ['unsigned long long']], 'OtherOperationCount' : [ 0x1f8, ['unsigned long long']], 'ReadTransferCount' : [ 0x200, ['unsigned long long']], 'WriteTransferCount' : [ 0x208, ['unsigned long long']], 'OtherTransferCount' : [ 0x210, ['unsigned long long']], 'DiskIoInfo' : [ 0x218, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x240, ['unsigned long long']], 'JobMemoryLimit' : [ 0x248, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x250, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x258, ['unsigned long long']], 'EffectiveAffinity' : [ 0x260, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x308, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x310, ['unsigned long long']], 'EffectiveMaximumWorkingSetSize' : [ 0x318, ['unsigned long long']], 'EffectiveProcessMemoryLimit' : [ 0x320, ['unsigned long long']], 'EffectiveProcessMemoryLimitJob' : [ 0x328, ['pointer64', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x330, ['pointer64', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x338, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x33c, 
['unsigned long']], 'EffectiveFreezeCount' : [ 0x340, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x344, ['unsigned long']], 'EffectiveSwapCount' : [ 0x348, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x34c, ['unsigned long']], 'EffectivePriorityClass' : [ 0x350, ['unsigned char']], 'PriorityClass' : [ 0x351, ['unsigned char']], 'Reserved1' : [ 0x352, ['array', 2, ['unsigned char']]], 'CompletionFilter' : [ 0x354, ['unsigned long']], 'WakeChannel' : [ 0x358, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x358, ['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x390, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x398, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x39c, ['unsigned long']], 'NotificationLink' : [ 0x3a0, ['pointer64', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x3a8, ['unsigned long long']], 'NotificationInfo' : [ 0x3b0, ['pointer64', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x3b8, ['pointer64', ['void']]], 'NotificationPacket' : [ 0x3c0, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x3c8, ['pointer64', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x3d0, ['pointer64', ['void']]], 'ReadyTime' : [ 0x3d8, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x3e0, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x3e8, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x3f8, ['_LIST_ENTRY']], 'ParentJob' : [ 0x408, ['pointer64', ['_EJOB']]], 'RootJob' : [ 0x410, ['pointer64', ['_EJOB']]], 'IteratorListHead' : [ 0x418, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x428, ['unsigned long long']], 'Ancestors' : [ 0x430, ['pointer64', ['pointer64', ['_EJOB']]]], 'Accounting' : [ 0x438, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x488, ['unsigned long']], 'SequenceNumber' : [ 0x48c, ['unsigned long']], 'TimerListLock' : [ 0x490, ['unsigned long long']], 'TimerListHead' : [ 0x498, ['_LIST_ENTRY']], 'JobFlags' : [ 0x4a8, ['unsigned long']], 'CloseDone' : [ 0x4a8, ['BitField', dict(start_bit 
= 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x4a8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x4a8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x4a8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x4a8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x4a8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x4a8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x4a8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x4a8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x4a8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x4a8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x4a8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x4a8, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x4a8, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x4a8, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x4a8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x4a8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x4a8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x4a8, 
['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x4a8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x4a8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x4a8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x4a8, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x4a8, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x4a8, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareJobFlags' : [ 0x4a8, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x4ac, ['unsigned long']], } ], '_PPM_IDLE_STATES' : [ 0x318, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'ForceIdle' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'ReasonFlags' : [ 0x24, ['unsigned short']], 'InitiateWakeStamp' : [ 0x28, ['unsigned long long']], 'PreviousStatus' : [ 0x30, ['long']], 'PreviousCancelReason' : [ 0x34, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x38, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0xe0, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x188, ['pointer64', ['void']]], 'IdleExecute' : [ 0x190, ['pointer64', ['void']]], 'IdlePreselect' : [ 0x198, ['pointer64', ['void']]], 'IdleTest' : [ 0x1a0, 
['pointer64', ['void']]], 'IdleComplete' : [ 0x1a8, ['pointer64', ['void']]], 'IdleCancel' : [ 0x1b0, ['pointer64', ['void']]], 'IdleIsHalted' : [ 0x1b8, ['pointer64', ['void']]], 'IdleInitiateWake' : [ 0x1c0, ['pointer64', ['void']]], 'QueryPlatformStateResidency' : [ 0x1c8, ['pointer64', ['void']]], 'PrepareInfo' : [ 0x1d0, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'Tracing' : [ 0x238, ['pointer64', ['_PERFINFO_PPM_STATE_SELECTION']]], 'State' : [ 0x240, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x388, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, 
['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'SparePvoid0' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 
'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 
'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pUnused' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x98, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', 
['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned short']], 'Flags' : [ 0x5a, ['unsigned char']], 'ShutDownRequested' : [ 0x5a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x5a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x5a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x5a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Wow' : [ 0x5a, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'EventsLostCount' : [ 0x88, ['pointer64', ['unsigned long']]], 'BuffersLostCount' : [ 0x90, ['pointer64', ['unsigned long']]], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : 
[ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x50, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x38, ['pointer64', ['void']]], 
'DvCallbacks' : [ 0x40, ['pointer64', ['void']]], 'VerifierContext' : [ 0x48, ['pointer64', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEAP_WORK_QUEUE' : [ 0x88, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x10, ['unsigned long long']], 'ItemCount' : [ 0x18, ['long']], 'Dpc' : [ 0x20, ['_KDPC']], 'WorkItem' : [ 0x60, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x80, ['pointer64', ['void']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x100, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, 
['unsigned char']], 'EmulateActiveBoth' : [ 0x65, ['unsigned char']], 'ActiveCount' : [ 0x66, ['unsigned short']], 'InternalState' : [ 0x68, ['long']], 'Mode' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x74, ['unsigned long']], 'DispatchCount' : [ 0x78, ['unsigned long']], 'PassiveEvent' : [ 0x80, ['pointer64', ['_KEVENT']]], 'TrapFrame' : [ 0x88, ['pointer64', ['_KTRAP_FRAME']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], 'DisconnectData' : [ 0xa0, ['pointer64', ['void']]], 'ServiceThread' : [ 0xa8, ['pointer64', ['_KTHREAD']]], 'IsrDpcStats' : [ 0xb0, ['_ISRDPCSTATS']], 'ConnectionData' : [ 0xf0, ['pointer64', ['_INTERRUPT_CONNECTION_DATA']]], 'Padding' : [ 0xf8, ['array', 8, ['unsigned char']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_HIVE_LIST_ENTRY' : [ 0x88, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 
'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long 
long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '__unnamed_1e4e' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, 
['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1e4e']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 
8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_EX_WORK_QUEUE' : [ 0x2c0, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'WorkItemsProcessed' : [ 0x2b0, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x2b4, ['unsigned long']], 'ThreadCount' : [ 0x2b8, ['long']], 'TryFailed' : [ 0x2bc, ['unsigned char']], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, 
['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x86, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 
'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_IO_WORKITEM' : [ 0x50, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'Type' : [ 0x38, ['unsigned long']], 'ActivityId' : [ 0x3c, ['_GUID']], } ], '_MMWSLE_HASH' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long long']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x8, { 'PushImm' : [ 0x0, ['unsigned char']], 'Vector' : [ 0x1, ['unsigned char']], 'PushRbp' : [ 0x2, ['unsigned char']], 'JmpOp' : [ 0x3, ['unsigned char']], 'JmpOffset' : [ 0x4, ['long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x88, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x40, ['_KDPC']], 'WorkOrder' : [ 0x80, ['pointer64', ['_POP_FX_WORK_ORDER']]], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, 
['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_SESSION_LOWBOX_MAP' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'LowboxMap' : [ 0x18, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0xa8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 
'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'RefCount' : [ 0x40, ['unsigned long']], 'Lock' : [ 0x44, ['unsigned long']], 'Cancel' : [ 0x48, ['unsigned char']], 'Parent' : [ 0x50, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'Data' : [ 0x58, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PROC_IDLE_POLICY' : [ 0x5, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_PS_WAKE_INFORMATION' : [ 0x38, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 5, ['unsigned long long']]], 'NoWakeCounter' : [ 0x30, ['unsigned long long']], } ], '_RH_OP_CONTEXT' : [ 0x48, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x10, ['pointer64', ['_IRP']]], 'OplockRequestFileObject' : [ 0x18, ['pointer64', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x28, ['pointer64', ['_ETHREAD']]], 'Flags' : [ 0x30, ['unsigned long']], 'AtomicLinks' : [ 0x38, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 
'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_RTL_BITMAP_EX' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_XSTATE_CONFIGURATION' : [ 0x218, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0x10, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x10, ['unsigned long']], 'NextHash' : [ 0x18, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x20, 
['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x28, ['unsigned long']], 'KcbPushlock' : [ 0x30, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x38, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x38, ['long']], 'SlotHint' : [ 0x40, ['unsigned long']], 'ParentKcb' : [ 0x48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x50, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x60, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x70, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x70, ['unsigned long']], 'SubKeyCount' : [ 0x70, ['unsigned long']], 'KeyBodyListHead' : [ 0x78, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x78, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x88, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa8, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xb0, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xb2, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xb4, ['unsigned long']], 'KcbUserFlags' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb8, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], } ], '_KLOCK_ENTRY' : [ 0x60, { 'TreeNode' : [ 0x0, 
['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ThreadUnsafe' : [ 0x18, ['pointer64', ['void']]], 'HeadNodeByte' : [ 0x18, ['unsigned char']], 'Reserved1' : [ 0x19, ['array', 6, ['unsigned char']]], 'AcquiredByte' : [ 0x1f, ['unsigned char']], 'LockState' : [ 0x20, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x20, ['pointer64', ['void']]], 'WaitingAndBusyByte' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x21, ['array', 6, ['unsigned char']]], 'InTreeByte' : [ 0x27, ['unsigned char']], 'SessionState' : [ 0x28, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], 'SessionPad' : [ 0x2c, ['unsigned long']], 'OwnerTree' : [ 0x30, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x40, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x30, ['unsigned char']], 'EntryLock' : [ 0x50, ['unsigned long long']], 'AllBoosts' : [ 0x58, ['unsigned short']], 'IoBoost' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'CpuBoostsBitmap' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x5a, ['unsigned short']], 'IoPriorityBit' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'AbSpare' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'SparePad' : [ 0x5d, ['array', 3, ['unsigned char']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InStore' : [ 0x0, ['BitField', 
dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 25, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1eee' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_1eee']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['_MODWRITER_FLAGS']], 'ByteCount' : [ 0x2c, ['unsigned long']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 
'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 
'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x50, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'ContextSwitches' : [ 0x18, ['unsigned long long']], 'ReadOperationCount' : [ 0x20, ['long long']], 'WriteOperationCount' : [ 0x28, ['long long']], 'OtherOperationCount' : [ 0x30, ['long long']], 'ReadTransferCount' : [ 0x38, ['long long']], 'WriteTransferCount' : [ 0x40, ['long long']], 'OtherTransferCount' : [ 0x48, ['long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 
'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Spare' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_CMHIVE' : [ 0x1358, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x5a0, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5d0, ['_LIST_ENTRY']], 'HiveList' : [ 0x5e0, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x5f0, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x600, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x608, ['_LIST_ENTRY']], 'KcbCacheTable' : 
[ 0x618, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x620, ['unsigned long']], 'DeletedKcbTable' : [ 0x628, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0x630, ['unsigned long']], 'Identity' : [ 0x634, ['unsigned long']], 'HiveLock' : [ 0x638, ['pointer64', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x640, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x648, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x650, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0x660, ['unsigned long']], 'FlushLogEntry' : [ 0x668, ['pointer64', ['unsigned char']]], 'FlushLogEntrySize' : [ 0x670, ['unsigned long']], 'FlushHiveTruncated' : [ 0x674, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0x678, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0x680, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0x690, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0x698, ['pointer64', ['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0x6a0, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0x6a8, ['pointer64', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0x6b0, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0x6b8, ['unsigned long']], 'LastShrinkHiveSize' : [ 0x6bc, ['unsigned long']], 'ActualFileSize' : [ 0x6c0, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0x6c8, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0x6d8, ['_UNICODE_STRING']], 'FileUserName' : [ 0x6e8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x6f8, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x708, ['unsigned long']], 'SecurityCacheSize' : [ 0x70c, ['unsigned long']], 'SecurityHitHint' : [ 0x710, ['long']], 'SecurityCache' : [ 0x718, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x720, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xb20, ['unsigned long']], 'UnloadEventArray' : [ 0xb28, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xb30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xb38, ['unsigned char']], 
'UnloadWorkItem' : [ 0xb40, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0xb48, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xb70, ['unsigned char']], 'GrowOffset' : [ 0xb74, ['unsigned long']], 'KcbConvertListHead' : [ 0xb78, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xb88, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xb98, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0xba0, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0x10a8, ['unsigned long']], 'TrustClassEntry' : [ 0x10b0, ['_LIST_ENTRY']], 'DirtyTime' : [ 0x10c0, ['unsigned long long']], 'UnreconciledTime' : [ 0x10c8, ['unsigned long long']], 'CmRm' : [ 0x10d0, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x10d8, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x10dc, ['long']], 'CreatorOwner' : [ 0x10e0, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0x10e8, ['pointer64', ['_KTHREAD']]], 'LastWriteTime' : [ 0x10f0, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0x10f8, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0x1110, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0x1128, ['unsigned long']], 'FlushActive' : [ 0x1128, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0x1128, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0x1128, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0x1128, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0x112c, ['unsigned long']], 'ReferenceCount' : [ 0x1130, ['long']], 'UnloadHistoryIndex' : [ 0x1134, ['long']], 'UnloadHistory' : [ 0x1138, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0x1338, ['unsigned long']], 'UnaccessedStart' : [ 0x133c, ['unsigned long']], 'UnaccessedEnd' : [ 0x1340, ['unsigned long']], 'LoadedKeyCount' : [ 0x1344, ['unsigned long']], 'HandleClosePending' : [ 0x1348, ['unsigned long']], 'HandleClosePendingEvent' : 
[ 0x1350, ['_EX_PUSH_LOCK']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x38, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long long']], 'DirtyPageThresholdTop' : [ 0x8, ['unsigned long long']], 'DirtyPageThresholdBottom' : [ 0x10, ['unsigned long long']], 'DirtyPageTarget' : [ 0x18, ['unsigned long']], 'AggregateAvailablePages' : [ 0x20, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x28, ['unsigned long long']], 'AvailableHistory' : [ 0x30, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ForceCredits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned 
char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long 
long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : 
[ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x3f8, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x28, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x8, ['_RTL_BITMAP']], 'HashTable' : [ 0x18, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x20, ['unsigned char']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_TEB64' : [ 0x1820, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 
0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'Padding1' : [ 0x2ec, ['array', 4, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 
'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 
'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned 
short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xa0, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 
'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x90, ['unsigned long']], 'PreviousActivityCounter' : [ 0x94, ['unsigned long']], 'WorkerTrimRequests' : [ 0x98, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE' : [ 0x1810, { 'CurrentSize' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'Epoch' : [ 0x8, ['unsigned long']], 'Overflow' : [ 0xc, ['unsigned char']], 'TableEntry' : [ 0x10, ['array', 256, ['_INVERTED_FUNCTION_TABLE_ENTRY']]], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0x18, { 'ActiveThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'WaitList' : [ 0x8, ['pointer64', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x10, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_UMS_CONTROL_BLOCK' : [ 0x90, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : 
[ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsWaitEvent' : [ 0x30, ['_KEVENT']], 'StagingArea' : [ 0x48, ['pointer64', ['void']]], 'UmsPrimaryDeliveredContext' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsFlags' : [ 0x50, ['unsigned long']], 'TebSelector' : [ 0x88, ['unsigned short']], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_ETIMER' : [ 0x138, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x40, ['unsigned long long']], 'TimerApc' : [ 0x48, ['_KAPC']], 'TimerDpc' : [ 0xa0, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'Period' : [ 0xf0, ['unsigned long']], 'TimerFlags' : [ 0xf4, ['unsigned char']], 'ApcAssociated' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0xf4, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0xf5, ['unsigned char']], 'Spare2' : [ 0xf6, ['unsigned short']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x110, ['pointer64', ['void']]], 'VirtualizedTimerLinks' : [ 0x118, ['_LIST_ENTRY']], 'DueTime' : [ 0x128, ['unsigned long long']], 'CoalescingWindow' : [ 0x130, ['unsigned long']], } ], '_PROC_PERF_SNAP' : [ 0x40, { 'Time' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'Active' : [ 0x10, ['unsigned long long']], 'LastActive' : [ 0x18, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x90, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'Count' : [ 0x28, ['unsigned long long']], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'StackTrace' : [ 0x40, ['array', 8, ['pointer64', ['void']]]], 'Who' : [ 0x80, ['unsigned long']], 'Process' : [ 0x88, ['pointer64', ['_EPROCESS']]], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_EXHANDLE' : [ 0x8, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, 
native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x508, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_ARBITER_INSTANCE' : [ 0x150, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, 
['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '__unnamed_2001' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_2003' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_2001']], } ], '__unnamed_2005' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_2003']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2005']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_HMAP_TABLE' : [ 0x3000, { 'Table' : [ 0x0, ['array', 512, 
['_HMAP_ENTRY']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'HandleCount' : [ 0x28, ['unsigned long']], 'Handles' : [ 0x30, ['pointer64', ['pointer64', ['void']]]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x58, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'PlatformCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'LimitReasons' : [ 0x18, ['unsigned long']], 'PlatformCapStartTime' : [ 0x20, ['unsigned long long']], 'TargetPercent' : [ 0x28, ['unsigned long']], 'DesiredPercent' : [ 0x2c, ['unsigned long']], 'SelectedPercent' : [ 0x30, ['unsigned long']], 'SelectedFrequency' : [ 0x34, ['unsigned long']], 'PreviousFrequency' : [ 0x38, ['unsigned long']], 'PreviousPercent' : [ 0x3c, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x40, ['unsigned long']], 'SelectedState' : [ 0x48, ['unsigned long long']], 'Force' : [ 0x50, ['unsigned char']], } ], '__unnamed_2018' : [ 0x20, { 'CallerCompletion' : [ 0x0, ['pointer64', ['void']]], 'CallerContext' : [ 0x8, ['pointer64', ['void']]], 'CallerDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0x18, ['unsigned char']], } ], '__unnamed_201b' : [ 0x10, { 'NotifyDevice' : [ 0x0, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x8, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0xf8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x30, ['unsigned long long']], 'WatchdogTimer' : [ 0x38, ['_KTIMER']], 'WatchdogDpc' : [ 0x78, ['_KDPC']], 'MinorFunction' : [ 0xb8, ['unsigned char']], 'PowerStateType' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 
'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0xc0, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0xc4, ['unsigned char']], 'FxDevice' : [ 0xc8, ['pointer64', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0xd0, ['unsigned char']], 'NotifyPEP' : [ 0xd1, ['unsigned char']], 'Device' : [ 0xd8, ['__unnamed_2018']], 'System' : [ 0xd8, ['__unnamed_201b']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, 
native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_MI_USER_VA_INFO' : [ 0x128, { 'NumberOfCommittedPageTables' : [ 0x0, ['unsigned long']], 'PhysicalMappingCount' : [ 0x4, ['unsigned long']], 'VadBitMapHint' : [ 0x8, ['unsigned long']], 'LastAllocationSizeHint' : [ 0xc, ['unsigned long']], 'LastAllocationSize' : [ 0x10, ['unsigned long']], 
'LowestBottomUpVadBit' : [ 0x14, ['unsigned long']], 'VadBitMapSize' : [ 0x18, ['unsigned long']], 'VadBitMapCommitment' : [ 0x1c, ['unsigned long']], 'MaximumLastVadBit' : [ 0x20, ['unsigned long']], 'VadsBeingDeleted' : [ 0x24, ['long']], 'LastVadDeletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'VadBitBuffer' : [ 0x30, ['pointer64', ['unsigned long']]], 'LowestBottomUpAllocationAddress' : [ 0x38, ['pointer64', ['void']]], 'HighestTopDownAllocationAddress' : [ 0x40, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x48, ['pointer64', ['void']]], 'NumaAware' : [ 0x50, ['unsigned char']], 'PrivateFixupVadCount' : [ 0x58, ['unsigned long long']], 'CfgBitMap' : [ 0x60, ['array', 3, ['_MI_CFG_BITMAP_INFO']]], 'CommittedPageTableBufferForTopLevel' : [ 0xc0, ['array', 8, ['unsigned long']]], 'CommittedPageTableBitmaps' : [ 0xe0, ['array', 3, ['_RTL_BITMAP']]], 'PageTableBitmapPages' : [ 0x110, ['array', 3, ['unsigned long']]], 'FreeUmsTebHint' : [ 0x120, ['pointer64', ['void']]], } ], '_PROC_FEEDBACK' : [ 0x70, { 'Lock' : [ 0x0, ['unsigned long long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer64', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x28, ['unsigned long long']], 'UnscaledTime' : [ 0x30, ['unsigned long long']], 'UnaccountedTime' : [ 0x38, ['long long']], 'ScaledTime' : [ 0x40, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x50, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x58, ['unsigned long long']], 'UserTimeLast' : [ 0x60, ['unsigned long']], 'KernelTimeLast' : [ 0x64, ['unsigned long']], 'KernelTimesIndex' : [ 0x68, ['unsigned char']], } ], '__unnamed_2030' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2034' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 
'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_2036' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_2038' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_203a' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_203c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_203e' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_2040' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2042' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2044' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_2046' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 
'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_2048' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_2030']], 'Memory' : [ 0x0, ['__unnamed_2030']], 'Interrupt' : [ 0x0, ['__unnamed_2034']], 'Dma' : [ 0x0, ['__unnamed_2036']], 'DmaV3' : [ 0x0, ['__unnamed_2038']], 'Generic' : [ 0x0, ['__unnamed_2030']], 'DevicePrivate' : [ 0x0, ['__unnamed_203a']], 'BusNumber' : [ 0x0, ['__unnamed_203c']], 'ConfigData' : [ 0x0, ['__unnamed_203e']], 'Memory40' : [ 0x0, ['__unnamed_2040']], 'Memory48' : [ 0x0, ['__unnamed_2042']], 'Memory64' : [ 0x0, ['__unnamed_2044']], 'Connection' : [ 0x0, ['__unnamed_2046']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_2048']], } ], '_POP_THERMAL_ZONE' : [ 0x1f0, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], 'State' : [ 0x40, ['unsigned char']], 'Flags' : [ 0x41, ['unsigned char']], 'Removing' : [ 0x42, ['unsigned char']], 'Mode' : [ 0x43, ['unsigned char']], 'PendingMode' : [ 0x44, ['unsigned char']], 'ActivePoint' : [ 0x45, ['unsigned char']], 'PendingActivePoint' : [ 0x46, ['unsigned char']], 'Critical' : [ 0x47, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x48, ['long']], 'Throttle' : [ 
0x4c, ['long']], 'PendingThrottle' : [ 0x50, ['long']], 'ThrottleReasons' : [ 0x54, ['unsigned long']], 'LastTime' : [ 0x58, ['unsigned long long']], 'SampleRate' : [ 0x60, ['unsigned long']], 'LastTemp' : [ 0x64, ['unsigned long']], 'PassiveTimer' : [ 0x68, ['_KTIMER']], 'PassiveDpc' : [ 0xa8, ['_KDPC']], 'Info' : [ 0xe8, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0x138, ['_LARGE_INTEGER']], 'Policy' : [ 0x140, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0x154, ['unsigned char']], 'Metrics' : [ 0x158, ['_POP_THERMAL_ZONE_METRICS']], 'WorkItem' : [ 0x188, ['_WORK_QUEUE_ITEM']], 'Lock' : [ 0x1a8, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x1b8, ['_KEVENT']], 'TemperatureUpdated' : [ 0x1d0, ['_KEVENT']], 'InstanceId' : [ 0x1e8, ['unsigned long']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 28, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : 
[ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x5a0, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'Allocate' : [ 0x10, ['pointer64', ['void']]], 'Free' : [ 0x18, ['pointer64', ['void']]], 'FileWrite' : [ 0x20, ['pointer64', ['void']]], 'FileRead' : [ 0x28, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x30, ['pointer64', ['void']]], 'BaseBlock' : [ 0x38, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x40, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x50, ['unsigned long']], 'DirtyAlloc' : [ 0x54, ['unsigned long']], 'UnreconciledVector' : [ 0x58, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x68, ['unsigned long']], 'BaseBlockAlloc' : [ 0x6c, ['unsigned long']], 'Cluster' : [ 0x70, ['unsigned long']], 'Flat' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x74, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x74, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x75, ['unsigned char']], 'HvBinHeadersUse' : [ 0x78, ['unsigned long']], 'HvFreeCellsUse' : [ 0x7c, ['unsigned long']], 'HvUsedCellsUse' : [ 0x80, ['unsigned long']], 'CmUsedCellsUse' : [ 0x84, ['unsigned long']], 'HiveFlags' : [ 0x88, ['unsigned long']], 'CurrentLog' : [ 0x8c, ['unsigned long']], 'CurrentLogSequence' : [ 0x90, ['unsigned long']], 'CurrentLogOffset' : [ 0x94, ['unsigned long']], 'MinimumLogSequence' : [ 0x98, ['unsigned long']], 'LogDataPresent' : [ 0x9c, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0x9e, ['unsigned char']], 'BaseBlockDirty' : [ 0x9f, ['unsigned char']], 'FirstLogFile' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'SecondLogFile' : [ 0xa0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 
'HeaderRecovered' : [ 0xa0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0xa0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0xa0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0xa0, ['unsigned short']], 'LogEntriesRecovered' : [ 0xa2, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0xa4, ['unsigned long']], 'StorageTypeCount' : [ 0xa8, ['unsigned long']], 'Version' : [ 0xac, ['unsigned long']], 'Storage' : [ 0xb0, ['array', 2, ['_DUAL']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_CM_WORKITEM' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x30, { 'ActiveCount' : [ 0x0, ['unsigned long']], 'PassiveCount' : [ 0x4, ['unsigned long']], 'LastActiveStartTime' : [ 0x8, ['unsigned long long']], 'AverageActiveTime' : [ 0x10, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x18, ['unsigned long long']], 'AveragePassiveTime' : [ 0x20, ['unsigned long long']], 'StartTickSinceLastReset' : [ 0x28, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0xa8, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 7, ['pointer64', 
['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 
0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1e, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1d, ['unsigned char']], } ], '__unnamed_209b' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_209d' : [ 0x20, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_209b']], } ], '_VF_TARGET_DRIVER' : [ 0x38, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x10, ['__unnamed_209d']], 'VerifiedData' : [ 0x30, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_20a6' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_20a8' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20aa' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceId' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_20ac' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_20ae' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_20b0' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 
'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20b2' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_20b4' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20b6' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_20b8' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_20a6']], 'TargetDevice' : [ 0x0, ['__unnamed_20a8']], 'InstallDevice' : [ 0x0, ['__unnamed_20a8']], 'CustomNotification' : [ 0x0, ['__unnamed_20aa']], 'ProfileNotification' : [ 0x0, ['__unnamed_20ac']], 'PowerNotification' : [ 0x0, ['__unnamed_20ae']], 'VetoNotification' : [ 0x0, ['__unnamed_20b0']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20b2']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_20b4']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_20b6']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_20a8']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_20a8']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_20b8']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 
'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x68, { 'Context' : [ 0x0, ['pointer64', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x48, ['unsigned long']], 'DependencyUsed' : [ 0x4c, ['unsigned long']], 'DependencyArray' : [ 0x50, ['pointer64', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x58, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x5c, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x60, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned 
char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '__unnamed_20d4' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_20d4']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 
'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x78, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', 
['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], 'WaitObjectFlagMask' : [ 0x70, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x74, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x76, ['unsigned short']], } ], '__unnamed_210d' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['_RTL_AVL_TREE']], 'u' : [ 0x28, ['__unnamed_210d']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_DIRTY_PAGE_STATISTICS' : [ 0x18, { 'DirtyPages' : [ 0x0, ['unsigned long long']], 'DirtyPagesLastScan' : [ 0x8, ['unsigned long long']], 'DirtyPagesScheduledLastScan' : [ 0x10, ['unsigned long']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 
'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 
'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'HighActiveFlink' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'HighActiveBlink' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 56, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', 
['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x30, ['pointer64', ['long']]], 'NodeTargetCount' : [ 0x38, ['long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : 
[ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x250, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'SparePvoid0' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned 
short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], 'pUnused' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, ['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', 
dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, 
['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_KPRIQUEUE' : [ 0x2b0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x218, ['array', 32, ['long']]], 'MaximumCount' : [ 0x298, ['unsigned long']], 'ThreadListHead' : [ 0x2a0, ['_LIST_ENTRY']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_WAITING_IRP' : [ 0x38, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'CompletionRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'Information' : [ 0x30, ['unsigned long']], 'BreakAllRH' : [ 0x34, ['unsigned char']], } ], '_POP_SYSTEM_IDLE' : [ 0x40, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 
'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned long']], 'IdleWorker' : [ 0x28, ['unsigned char']], 'Sampling' : [ 0x29, ['unsigned char']], 'LastTick' : [ 0x30, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x38, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x20, { 'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0x18, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_KSCHEDULING_GROUP' : [ 0x1c0, { 'Value' : [ 0x0, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'HardCap' : [ 0x3, ['unsigned char']], 'RelativeWeight' : [ 0x4, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x8, ['unsigned long long']], 'NotificationCycles' : [ 0x10, ['long long']], 'SchedulingGroupList' : [ 0x18, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x28, ['pointer64', ['_KDPC']]], 'PerProcessor' : [ 0x40, ['array', 1, ['_KSCB']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x20, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x30, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'Irp' : [ 0x18, ['pointer64', ['_IRP']]], 'Device' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'Static' : [ 0x28, ['unsigned char']], } ], '_POP_POLICY_DEVICE' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], } ], 
'__unnamed_2195' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_2197' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2199' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_219b' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_2199']], 'Translated' : [ 0x0, ['__unnamed_2197']], } ], '__unnamed_219d' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_219f' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_21a1' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_21a3' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_21a5' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_21a7' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_21a9' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_21ab' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_2195']], 'Port' : [ 0x0, ['__unnamed_2195']], 'Interrupt' : [ 0x0, ['__unnamed_2197']], 'MessageInterrupt' : [ 0x0, ['__unnamed_219b']], 'Memory' : [ 0x0, ['__unnamed_2195']], 'Dma' : [ 0x0, ['__unnamed_219d']], 'DmaV3' : [ 0x0, ['__unnamed_219f']], 
'DevicePrivate' : [ 0x0, ['__unnamed_203a']], 'BusNumber' : [ 0x0, ['__unnamed_21a1']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_21a3']], 'Memory40' : [ 0x0, ['__unnamed_21a5']], 'Memory48' : [ 0x0, ['__unnamed_21a7']], 'Memory64' : [ 0x0, ['__unnamed_21a9']], 'Connection' : [ 0x0, ['__unnamed_2046']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_21ab']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_21b3' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_21b3']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE_ENTRY' : [ 0x18, { 'FunctionTable' : [ 0x0, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'DynamicTable' : [ 0x0, ['pointer64', ['_DYNAMIC_FUNCTION_TABLE']]], 'ImageBase' : [ 0x8, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'SizeOfTable' : [ 0x14, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_21c3' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_21c3']], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 
'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_DEVICE' : [ 0x218, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x18, ['pointer64', ['_POP_IRP_DATA']]], 'Status' : [ 0x20, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x24, ['long']], 'PowerNotReqCall' : [ 0x28, ['long']], 'Plugin' : [ 0x30, ['pointer64', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x38, ['pointer64', ['PEPHANDLE__']]], 'MiniPlugin' : [ 0x40, ['pointer64', ['_POP_FX_PLUGIN']]], 'MiniPluginHandle' : [ 0x48, ['pointer64', ['PEPHANDLE__']]], 'DevNode' : [ 0x50, ['pointer64', ['_DEVICE_NODE']]], 'DeviceObject' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x60, ['pointer64', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x68, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0xa0, ['pointer64', ['void']]], 'RemoveLock' : [ 0xa8, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0xc8, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0x100, ['unsigned long long']], 'IdleTimer' : [ 0x108, ['_KTIMER']], 'IdleDpc' : [ 0x148, ['_KDPC']], 'IdleTimeout' : [ 0x188, ['unsigned long long']], 'IdleStamp' : [ 0x190, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0x198, ['pointer64', ['_DEVICE_OBJECT']]], 'NextIrpPowerState' : [ 0x1a0, ['_POWER_STATE']], 'NextIrpCallerCompletion' : [ 0x1a8, ['pointer64', ['void']]], 'NextIrpCallerContext' : [ 0x1b0, ['pointer64', ['void']]], 'IrpCompleteEvent' : [ 0x1b8, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x1d0, ['pointer64', ['void']]], 'Accounting' : [ 0x1d8, ['_POP_FX_ACCOUNTING']], 'ComponentCount' : [ 0x208, ['unsigned long']], 'Components' : [ 0x210, ['array', 1, ['pointer64', ['_POP_FX_COMPONENT']]]], } ], '__unnamed_21dc' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_21de' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_21dc']], } ], 
'_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x58, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x40, ['_LIST_ENTRY']], 'Specific' : [ 0x50, ['__unnamed_21de']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x28, { 'BadPageCount' : [ 0x0, ['unsigned long long']], 'BadPagesDetected' : [ 0x8, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0xc, ['long']], 'ScrubPasses' : [ 0x10, ['long']], 'ScrubBadPagesFound' : [ 0x14, ['long']], 'FeatureBits' : [ 0x18, ['unsigned long long']], 'TimeZoneId' : [ 0x20, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 
1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 
'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'InProgressFlags' : [ 0x28, ['unsigned char']], 'KernelApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned 
char']], } ], '_DELAY_ACK_FO' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], 
'_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['long']], 'DriveMap' : [ 0x1c, 
['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 
774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x38, ['long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '__unnamed_2244' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_2246' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_2248' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_224a' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_2244']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_2246']], 'Raw' : [ 0x0, ['__unnamed_2248']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x50, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'Operation' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0xc, ['__unnamed_224a']], 'Stack' : [ 0x18, ['array', 7, ['pointer64', ['void']]]], } ], '__unnamed_2251' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned 
long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_2254' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x40, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer64', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0x18, ['unsigned long']], 'EndingVpn' : [ 0x1c, ['unsigned long']], 'StartingVpnHigh' : [ 0x20, ['unsigned char']], 'EndingVpnHigh' : [ 0x21, ['unsigned char']], 'CommitChargeHigh' : [ 0x22, ['unsigned char']], 'LargeImageBias' : [ 0x23, ['unsigned char']], 'ReferenceCount' : [ 0x24, ['long']], 'PushLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u' : [ 0x30, ['__unnamed_2251']], 'u1' : [ 0x34, ['__unnamed_2254']], 'EventList' : [ 0x38, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x10, { 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 63, native_type='unsigned long long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'LockState' : [ 0x0, ['pointer64', ['void']]], 'SessionState' : [ 0x8, ['pointer64', ['void']]], 'SessionId' : [ 0x8, ['unsigned long']], 'SessionPad' : [ 0xc, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x10, ['unsigned long']], 'SyncCallback' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x14, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', 
['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 
'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 
'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0x10, ['pointer64', ['_HANDLE_TABLE']]], 'Flags' : [ 0x18, ['unsigned long']], 'NumberOfBuckets' : [ 0x1c, ['unsigned long']], 'Buckets' : [ 0x20, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '__unnamed_2299' : [ 0x10, { 'ProgrammedTime' : [ 0x0, ['unsigned long long']], 'TimerInfo' : [ 0x8, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0xe0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 
'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 
'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x60, ['array', 3, ['__unnamed_2299']]], 'FilteredCapabilities' : [ 0x90, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 
'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x50, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3d0, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, 
['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0x90, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 
'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 
0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x410, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 
'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], 'PackageDependencyData' : [ 0x400, ['pointer64', ['void']]], 'ProcessGroupId' : [ 0x408, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], 
'_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_LOCK_HEADER' : [ 0x20, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x8, ['unsigned long long']], 'Lock' : [ 0x10, ['unsigned long long']], 'Valid' : [ 0x18, ['unsigned long']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xe0, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, 
['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], 'Xcr0' : [ 0xd8, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_PEB64' : [ 0x388, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long 
long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'SparePvoid0' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : 
[ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pUnused' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', 
['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_2351' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x2000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2351']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long long']], 'NonPagablePages' : [ 0x28, ['unsigned long long']], 'CommittedPages' : [ 0x30, ['unsigned long long']], 'PagedPoolStart' : [ 0x38, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x40, ['pointer64', ['void']]], 'SessionObject' : [ 0x48, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x50, ['pointer64', ['void']]], 'SessionPoolAllocationFailures' : [ 0x58, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x68, ['_LIST_ENTRY']], 'LocaleId' : [ 0x78, ['unsigned long']], 'AttachCount' : [ 0x7c, ['unsigned long']], 'AttachGate' : [ 0x80, ['_KGATE']], 'WsListEntry' : [ 0x98, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xcd8, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xce0, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xd00, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e40, ['_MMPTE']], 'SessionVaLock' : [ 0x1e48, ['_FAST_MUTEX']], 'DynamicVaBitMap' 
: [ 0x1e80, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1e90, ['unsigned long']], 'SpecialPool' : [ 0x1e98, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1ee8, ['_FAST_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1f20, ['long']], 'PagedPoolPdeCount' : [ 0x1f24, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f28, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f2c, ['unsigned long']], 'SystemPteInfo' : [ 0x1f30, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f98, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1fa0, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1fa8, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fb0, ['unsigned long long']], 'IoState' : [ 0x1fb8, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1fbc, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fc0, ['_KEVENT']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '__unnamed_2361' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_2364' : [ 0x8, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x80, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x40, ['__unnamed_2361']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 
'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u4' : [ 0x78, ['__unnamed_2364']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_NONOPAQUE_OPLOCK' : [ 0xa0, { 'IrpExclusiveOplock' : [ 0x0, ['pointer64', ['_IRP']]], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'WaiterPriority' : [ 0x20, ['unsigned char']], 'IrpOplocksR' : [ 0x28, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x38, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x48, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x58, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x68, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x78, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x88, ['pointer64', ['_GUID']]], 'OplockState' : [ 0x90, ['unsigned long']], 'FastMutex' : [ 0x98, ['pointer64', ['_FAST_MUTEX']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 
'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 
'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 
'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_FAST_MUTEX']], 
'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP_EX']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'MaximumSize' : [ 0x50, ['unsigned long long']], 'PagedPoolHint' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x28, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x10, ['pointer64', ['void']]], 'SessionViewVa' : [ 0x10, ['pointer64', ['void']]], 'VadsProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Type' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SubsectionType' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SectionOffset' : [ 0x20, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0x158, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0xc0, ['unsigned long']], 'Processors' : [ 0xc8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0xd0, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0xd8, ['pointer64', ['void']]], 'BoostModeHandler' : [ 0xe0, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0xe8, ['pointer64', 
['void']]], 'PerfControlHandler' : [ 0xf0, ['pointer64', ['void']]], 'MaxFrequency' : [ 0xf8, ['unsigned long']], 'NominalFrequency' : [ 0xfc, ['unsigned long']], 'MaxPercent' : [ 0x100, ['unsigned long']], 'MinPerfPercent' : [ 0x104, ['unsigned long']], 'MinThrottlePercent' : [ 0x108, ['unsigned long']], 'Coordination' : [ 0x10c, ['unsigned char']], 'HardPlatformCap' : [ 0x10d, ['unsigned char']], 'AffinitizeControl' : [ 0x10e, ['unsigned char']], 'SelectedPercent' : [ 0x110, ['unsigned long']], 'SelectedFrequency' : [ 0x114, ['unsigned long']], 'DesiredPercent' : [ 0x118, ['unsigned long']], 'MaxPolicyPercent' : [ 0x11c, ['unsigned long']], 'MinPolicyPercent' : [ 0x120, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x124, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x128, ['unsigned long']], 'GuaranteedPercent' : [ 0x12c, ['unsigned long']], 'TolerancePercent' : [ 0x130, ['unsigned long']], 'SelectedState' : [ 0x138, ['unsigned long long']], 'Force' : [ 0x140, ['unsigned char']], 'PerfChangeTime' : [ 0x148, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0x150, ['unsigned long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_RELATION_LIST' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, 
['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer64', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ETW_BUFFER_QUEUE' : [ 0x18, { 'QueueHead' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueTail' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x10, ['_SINGLE_LIST_ENTRY']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long long']], 'SpecialPoolPdes' : [ 0x40, ['_RTL_BITMAP']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x8, { 'LogHandleContext' : [ 0x0, ['pointer64', ['_LOG_HANDLE_CONTEXT']]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_CURRENT_BROADCAST' : [ 0x18, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 
'PowerActionWarmEject'})]], 'DeviceState' : [ 0x10, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '__unnamed_23d1' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_23d5' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_23d1']], 'Bits' : [ 0x4, ['__unnamed_23d5']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'DataLow' : [ 0x0, ['long long']], 'DataHigh' : [ 0x8, ['long long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' 
: [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_FAST_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_IOV_IRP_TRACE' : [ 0x80, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x10, ['short']], 'SpecialApcDisable' : [ 0x12, ['short']], 'CombinedApcDisable' : [ 0x10, ['unsigned long']], 'Irql' : [ 0x14, ['unsigned char']], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_DYNAMIC_FUNCTION_TABLE' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FunctionTable' : [ 0x10, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'TimeStamp' : [ 0x18, ['_LARGE_INTEGER']], 'MinimumAddress' : [ 0x20, ['unsigned long long']], 'MaximumAddress' : [ 0x28, ['unsigned long long']], 'BaseAddress' : [ 0x30, ['unsigned long long']], 'Callback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'OutOfProcessCallbackDll' : [ 0x48, ['pointer64', ['unsigned short']]], 'Type' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'RF_SORTED', 1: 'RF_UNSORTED', 2: 'RF_CALLBACK', 3: 'RF_KERNEL_DYNAMIC'})]], 'EntryCount' : [ 0x54, ['unsigned long']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x8, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '__unnamed_23f2' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_23f4' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, 
['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_23f2']], 'Button' : [ 0x10, ['__unnamed_23f4']], } ], '_KDPC_DATA' : [ 0x28, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], 'ActiveDpc' : [ 0x20, ['pointer64', ['_KDPC']]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_KSCB' : [ 0x170, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'UnderQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'RankCycleTarget' : [ 0x10, ['unsigned long long']], 'LongTermCycles' : [ 0x18, ['unsigned long long']], 'LastReportedCycles' : [ 0x20, ['unsigned long long']], 'OverQuotaHistory' : [ 0x28, ['unsigned long long']], 'ReadyTime' : [ 0x30, ['unsigned long long']], 'InsertTime' : [ 0x38, ['unsigned long long']], 'PerProcessorList' : [ 0x40, ['_LIST_ENTRY']], 'QueueNode' : [ 0x50, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OverQuota' : [ 0x68, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardCap' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Spare1' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x69, ['unsigned char']], 'ReadySummary' : [ 0x6a, ['unsigned short']], 'Rank' : [ 0x6c, ['unsigned long']], 'ReadyListHead' : [ 0x70, ['array', 16, ['_LIST_ENTRY']]], } ], '__unnamed_2404' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2406' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2404']], 'Merged' : [ 0x10, ['__unnamed_2406']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_PROC_PERF_HISTORY' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'HistoryList' : [ 0x8, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_IMAGE_RUNTIME_FUNCTION_ENTRY' : [ 0xc, { 'BeginAddress' : [ 0x0, ['unsigned long']], 'EndAddress' : [ 0x4, ['unsigned long']], 'UnwindInfoAddress' : [ 0x8, ['unsigned long']], 'UnwindData' : [ 0x8, ['unsigned long']], } ], '__unnamed_2414' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_2414']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer64', ['_MMPTE']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 
0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_2428' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_242c' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', 
['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x48, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_2428']], 'u2' : [ 0x38, ['__unnamed_242c']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '__unnamed_2435' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2437' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_2435']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x100, { 'SuspectDriverEntry' : [ 0x0, ['pointer64', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_2437']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 
'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' : [ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PRIVATE_CACHE_MAP' : [ 0x78, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 
'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long long']], 'PipelinedReadAheadRequestSize' : [ 0x58, ['unsigned long']], 'ReadAheadGrowth' : [ 0x5c, ['unsigned long']], 'PrivateLinks' : [ 0x60, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x70, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 
3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PTE_TRACKER' : [ 0x80, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x48, ['array', 7, ['pointer64', ['void']]]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned 
char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x30, { 'InstantaneousRead' : [ 0x0, ['pointer64', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer64', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'DisableInterrupts' : [ 0x22, ['unsigned char']], 'Context' : [ 0x28, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_HMAP_ENTRY' : [ 0x18, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'MemAlloc' : [ 0x10, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x30, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'Reference' : [ 0x10, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x28, ['unsigned char']], 'Name' : [ 0x2a, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, 
['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x260, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x270, ['unsigned long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x8, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions'})]], 'ReorderingBarrier' : [ 0x1c, ['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long long']], 'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'LowboxNumber' : [ 0x28, ['unsigned long']], 'AtomTable' : [ 0x30, ['pointer64', ['void']]], } ], '_MI_CFG_BITMAP_INFO' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 
'RegionSize' : [ 0x8, ['unsigned long long']], 'VadBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'BitmapVad' : [ 0x18, ['pointer64', ['_MMVAD']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_FAST_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_FAST_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x18, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x18, ['array', 4, ['pointer64', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x18, ['pointer64', ['void']]], 'SessionId' : [ 0x20, ['unsigned long']], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'CallbackContext' : [ 0x38, ['pointer64', ['void']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'Index' : [ 0x48, ['unsigned short']], 'Flags' : [ 0x4a, ['unsigned char']], 'DbgKernelRegistration' : [ 0x4a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgUserRegistration' : [ 0x4a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DbgReplyRegistration' : [ 0x4a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'DbgClassicRegistration' : [ 0x4a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'DbgSessionSpaceRegistration' : [ 0x4a, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 
'DbgModernRegistration' : [ 0x4a, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DbgClosed' : [ 0x4a, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DbgInserted' : [ 0x4a, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'EnableMask' : [ 0x4b, ['unsigned char']], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', 
dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned long']], 'OriginalAffinity' : [ 0x8, ['_GROUP_AFFINITY']], 'SteeringListEntry' : [ 0x18, ['_LIST_ENTRY']], 'SteeringListRoot' : [ 0x28, ['pointer64', ['void']]], 'IsrTime' : [ 0x30, ['unsigned long long']], 'DpcTime' : [ 0x38, ['unsigned long long']], 'IsrLoad' : [ 0x40, ['unsigned long']], 'DpcLoad' : [ 0x44, ['unsigned long']], 'IsPrimaryInterrupt' : [ 0x48, ['unsigned char']], 'InterruptObjectArray' : [ 0x50, ['pointer64', ['pointer64', ['_KINTERRUPT']]]], 'InterruptObjectCount' : [ 0x58, ['unsigned long']], 'Vectors' : [ 0x60, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x118, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'InProgressLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x68, ['array', 4, ['unsigned char']]], 'Flags' : [ 
0x68, ['unsigned long']], 'PackagedBinary' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x68, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x68, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReservedFlags2' : [ 0x68, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x68, ['BitField', dict(start_bit = 15, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x68, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x68, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x68, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x68, ['BitField', 
dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x68, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x68, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x68, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x68, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x68, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x68, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x68, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Spare' : [ 0x90, ['pointer64', ['void']]], 'DdagNode' : [ 0x98, ['pointer64', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0xa0, ['_LIST_ENTRY']], 'SnapContext' : [ 0xb0, ['pointer64', ['_LDRP_DLL_SNAP_CONTEXT']]], 'ParentDllBase' : [ 0xb8, ['pointer64', ['void']]], 'SwitchBackContext' : [ 0xc0, ['pointer64', ['void']]], 'BaseAddressIndexNode' : [ 0xc8, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0xe0, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0xf8, ['unsigned long long']], 'LoadTime' : [ 0x100, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x108, ['unsigned long']], 'LoadReason' : [ 0x10c, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 
'ImplicitPathOptions' : [ 0x110, ['unsigned long']], } ], '_LDR_DDAG_NODE' : [ 0x50, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x10, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'DependencyCount' : [ 0x20, ['unsigned long']], 'Dependencies' : [ 0x28, ['_LDRP_CSLIST']], 'RemovalLink' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'IncomingDependencies' : [ 0x30, ['_LDRP_CSLIST']], 'State' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x48, ['unsigned long']], 'LowestLink' : [ 0x4c, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1d0, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'Order' : [ 0x30, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x1a8, ['_LIST_ENTRY']], 'Status' : [ 0x1b8, ['long']], 'FailedDevice' : [ 0x1c0, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1c8, ['unsigned char']], 'Cancelled' : [ 0x1c9, 
['unsigned char']], 'IgnoreErrors' : [ 0x1ca, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1cb, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1cc, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LockedPages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'FloppyMedia' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ILOnly' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x10, { 'LogHandle' 
: [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_TEB32' : [ 0xfe8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned 
long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned 
long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit 
= 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0xd8, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Latency' : [ 0xa8, ['unsigned long']], 'BreakEvenDuration' : [ 0xac, ['unsigned long']], 'Power' : [ 0xb0, ['unsigned long']], 'StateFlags' : [ 0xb4, ['unsigned long']], 'VetoAccounting' : [ 0xb8, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0xd0, ['unsigned char']], 'InterruptsEnabled' : [ 0xd1, ['unsigned char']], 'Interruptible' : [ 0xd2, ['unsigned char']], 'ContextRetained' : [ 0xd3, ['unsigned char']], 'CacheCoherent' : [ 0xd4, ['unsigned char']], 'WakesSpuriously' : [ 0xd5, ['unsigned char']], 'PlatformOnly' : [ 0xd6, ['unsigned char']], 'NoCState' : [ 0xd7, ['unsigned char']], } ], 
'_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x40, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x10, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x18, ['long']], 'HighWaterMark' : [ 0x1c, ['unsigned long']], 'Reserved' : [ 0x20, ['array', 8, ['unsigned long']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_24f7' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x20, { 'NodeRangeSize' : [ 0x0, ['unsigned long long']], 'NodeCount' : [ 0x8, ['unsigned long long']], 'Tables' : [ 0x10, ['pointer64', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x18, ['unsigned long']], 'u1' : [ 0x1c, ['__unnamed_24f7']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_POP_FX_ACCOUNTING' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned char']], 'DripsRequiredState' : [ 0xc, ['unsigned long']], 'Level' : [ 0x10, ['long']], 'ActiveStamp' : [ 0x18, ['long long']], 'CsActiveTime' : [ 0x20, ['unsigned long long']], 'CriticalActiveTime' : [ 0x28, ['long long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_RELATION_LIST_ENTRY' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['_DEVICE_OBJECT_LIST_ENTRY']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x6, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], } ], '_POP_FX_COMPONENT' : [ 0xf8, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x18, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x58, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x60, ['long']], 'ActiveEvent' : [ 0x68, ['_KEVENT']], 'IdleLock' : [ 0x80, ['unsigned long long']], 'IdleConditionComplete' : [ 0x88, ['long']], 'IdleStateComplete' : [ 0x8c, ['long']], 'IdleStamp' : [ 0x90, ['unsigned long long']], 'CurrentIdleState' : [ 0x98, ['unsigned long']], 'IdleStateCount' : [ 0x9c, ['unsigned long']], 'IdleStates' : [ 0xa0, ['pointer64', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0xa8, ['unsigned long']], 'ProviderCount' : [ 0xac, ['unsigned long']], 'Providers' : [ 0xb0, ['pointer64', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0xb8, ['unsigned long']], 'DependentCount' : [ 0xbc, ['unsigned long']], 'Dependents' : [ 0xc0, ['pointer64', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0xc8, ['_POP_FX_ACCOUNTING']], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x10, { 'DeviceHandle' : [ 0x0, ['pointer64', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x8, ['pointer64', 
['void']]], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x38, { 'ComponentActive' : [ 0x0, ['pointer64', ['void']]], 'ComponentIdle' : [ 0x8, ['pointer64', ['void']]], 'ComponentIdleState' : [ 0x10, ['pointer64', ['void']]], 'DevicePowerRequired' : [ 0x18, ['pointer64', ['void']]], 'DevicePowerNotRequired' : [ 0x20, ['pointer64', ['void']]], 'PowerControl' : [ 0x28, ['pointer64', ['void']]], 'ComponentCriticalTransition' : [ 0x30, ['pointer64', ['void']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x10, ['unsigned char']], 'Spare' : [ 0x11, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0x14, ['unsigned long']], 'DebugId' : [ 0x18, ['_CVDD']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8180, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'StackLimitHits' : [ 0x8038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x803c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x8040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8044, ['unsigned long']], 'TotalReleases' : [ 0x8048, ['unsigned 
long']], 'RootNodesDeleted' : [ 0x804c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x8050, ['unsigned long']], 'Instigator' : [ 0x8058, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8060, ['unsigned long']], 'Participant' : [ 0x8068, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8168, ['long']], 'StackType' : [ 0x816c, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x8170, ['unsigned long long']], 'StackHighLimit' : [ 0x8178, ['unsigned long long']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, 
['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned 
long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', 
['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, 
native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x40, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'IRHints' : [ 0x30, ['unsigned long']], 'IRTruncatedHints' : [ 0x34, ['unsigned long']], 'ExpectedWakeReason' : [ 0x38, ['unsigned char']], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 'Inserted' : [ 0x1c, ['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', 
dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_2564' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2566' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2564']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2566']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 
0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_2578' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_2578']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, 
['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_THERMAL_POLICY' : [ 0x14, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, 
['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_RTL_UMS_CONTEXT' : [ 0x520, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'PrimaryUmsContext' : [ 0x500, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' 
: [ 0x508, ['unsigned long']], 'KernelYieldCount' : [ 0x50c, ['unsigned long']], 'MixedYieldCount' : [ 0x510, ['unsigned long']], 'YieldCount' : [ 0x514, ['unsigned long']], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, 
['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_ETW_GUID_ENTRY' : [ 0x178, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long long']], 'Guid' : [ 0x18, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['pointer64', ['_ETW_FILTER_HEADER']]], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, 
['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_25e1' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_25e3' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_25e1']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_25e3']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], 
'_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0xc0, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x70, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', 
dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1d, { 'PerUserPolicy' : [ 0x0, ['array', 29, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_25f7' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_25f9' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_25fd' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_2601' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_2603' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_25f7']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_25f9']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_25fd']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2601']], 'Others' : [ 0x0, ['__unnamed_2603']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x8, { 'Function' : [ 0x0, ['pointer64', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long long']], } ], 
'_PPM_SELECTION_STATISTICS' : [ 0x68, { 'PlatformOnlyCount' : [ 0x0, ['unsigned long long']], 'PreVetoCount' : [ 0x8, ['unsigned long long']], 'VetoCount' : [ 0x10, ['unsigned long long']], 'IdleDurationCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, ['unsigned long long']], 'InterruptibleCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'WrongProcessorCount' : [ 0x40, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x48, ['unsigned long long']], 'CstateCheckCount' : [ 0x50, ['unsigned long long']], 'NoCStateCount' : [ 0x58, ['unsigned long long']], 'SelectedCount' : [ 0x60, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x8, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_HIVE_WAIT_PACKET' : [ 0x28, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Next' : [ 0x20, ['pointer64', ['_HIVE_WAIT_PACKET']]], } ], '__unnamed_2612' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_2614' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_2616' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_2612']], 'Interrupt' : [ 0x0, ['__unnamed_2614']], 'LocalInterrupt' : [ 0x0, ['__unnamed_2614']], 
'Sci' : [ 0x0, ['__unnamed_2614']], 'Nmi' : [ 0x0, ['__unnamed_2614']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_2616']], } ], '_POP_HIBER_CONTEXT' : [ 0x1a0, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'VerifyKernelPhaseOnResume' : [ 0x3, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x4, ['unsigned char']], 'InitializationFinished' : [ 0x5, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'MapFrozen' : [ 0x14, ['unsigned char']], 'DiscardMap' : [ 0x18, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x18, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x38, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x48, ['unsigned long']], 'ClonedPageCount' : [ 0x50, ['unsigned long long']], 'CurrentMap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x60, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x68, ['unsigned long long']], 'LoaderMdl' : [ 0x70, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x78, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x80, ['unsigned long long']], 'IoPages' : [ 0x88, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x90, ['unsigned long']], 'CurrentMcb' : [ 0x98, ['pointer64', ['void']]], 'DumpStack' : [ 0xa0, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xa8, ['pointer64', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0xb0, ['unsigned long']], 'Status' : [ 0xb4, ['long']], 'GraphicsProc' : [ 0xb8, ['unsigned long']], 'MemoryImage' : [ 0xc0, ['pointer64', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0xc8, ['pointer64', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0xd0, ['pointer64', ['_MDL']]], 'SiLogOffset' : [ 0xd8, ['unsigned long']], 
'FirmwareRuntimeInformationMdl' : [ 0xe0, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0xe8, ['pointer64', ['void']]], 'ResumeContext' : [ 0xf0, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0xf8, ['unsigned long']], 'ProcessorCount' : [ 0xfc, ['unsigned long']], 'ProcessorContext' : [ 0x100, ['pointer64', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0x108, ['pointer64', ['unsigned char']]], 'ProdConsSize' : [ 0x110, ['unsigned long']], 'MaxDataPages' : [ 0x114, ['unsigned long']], 'ExtraBuffer' : [ 0x118, ['pointer64', ['void']]], 'ExtraBufferSize' : [ 0x120, ['unsigned long long']], 'ExtraMapVa' : [ 0x128, ['pointer64', ['void']]], 'BitlockerKeyPFN' : [ 0x130, ['unsigned long long']], 'IoInfo' : [ 0x138, ['_POP_IO_INFO']], 'HardwareConfigurationSignature' : [ 0x198, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned 
short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x178, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x108, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x110, ['pointer64', ['void']]], 'PointersLength' : [ 0x118, ['unsigned long']], 'ModulePrefix' : [ 0x120, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0x128, ['_LIST_ENTRY']], 'InitMsg' : [ 0x138, ['_STRING']], 'ProgMsg' : [ 0x148, ['_STRING']], 'DoneMsg' : [ 0x158, ['_STRING']], 'FileObject' : [ 0x168, ['pointer64', ['void']]], 'UsageType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_PPM_VETO_ACCOUNTING' : [ 0x18, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x48, { 'InitiatingThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ThreadId' : [ 0x10, ['pointer64', ['void']]], 'ProcessId' : [ 0x18, ['pointer64', ['void']]], 'Code' : [ 0x20, ['unsigned long']], 'Parameter1' : [ 0x28, ['unsigned long long']], 'Parameter2' : [ 0x30, ['unsigned long long']], 'Parameter3' : [ 0x38, ['unsigned long long']], 'Parameter4' : [ 0x40, ['unsigned long long']], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, 
['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 31, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], 'SecureInfo' : [ 0x10, 
['_MMADDRESS_LIST']], 'BitMap' : [ 0x10, ['_RTL_BITMAP_EX']], 'InPageSupport' : [ 0x10, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'PhysicalMemory' : [ 0x10, ['_MI_PHYSMEM_BLOCK']], 'LargePage' : [ 0x10, ['pointer64', ['_MI_LARGEPAGE_MEMORY_INFO']]], } ], '__unnamed_2653' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_2653']], } ], '__unnamed_2657' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2657']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 
0x18, ['array', 1, ['unsigned char']]], } ], 'PO_MEMORY_IMAGE' : [ 0x360, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long long']], 'HiberFlags' : [ 0x38, ['unsigned char']], 'spare' : [ 0x39, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x3c, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'NumPagesForLoader' : [ 0x58, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x60, ['unsigned long long']], 'FirstKernelRestorePage' : [ 0x68, ['unsigned long long']], 'PerfInfo' : [ 0x70, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x218, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x220, ['array', 1, ['unsigned long long']]], 'SiLogOffset' : [ 0x228, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x22c, ['unsigned long']], 'BootLoaderLogPages' : [ 0x230, ['array', 24, ['unsigned long long']]], 'NotUsed' : [ 0x2f0, ['unsigned long']], 'ResumeContextCheck' : [ 0x2f4, ['unsigned long']], 'ResumeContextPages' : [ 0x2f8, ['unsigned long']], 'Hiberboot' : [ 0x2fc, ['unsigned char']], 'HvCr3' : [ 0x300, ['unsigned long long']], 'HvEntryPoint' : [ 0x308, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x310, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x318, ['unsigned long long']], 'BootFlags' : [ 0x320, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x328, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x330, ['unsigned long long']], 'BitlockerKeyPfns' : [ 0x338, ['array', 4, ['unsigned long long']]], 'HardwareSignature' : [ 
0x358, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x18, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned short']], 'Flags' : [ 0x16, ['unsigned short']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x1a8, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'TotalHibernateTime' : [ 0x30, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x38, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x3c, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x40, ['unsigned long']], 'ResumeAppTicks' : [ 0x48, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x50, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x58, ['unsigned long long']], 'ResumeInitTicks' : [ 0x60, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x68, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x70, ['unsigned long long']], 'ResumeIoTicks' : [ 0x78, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x80, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0x88, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0x90, ['unsigned long long']], 'ResumeMapTicks' : [ 0x98, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xa0, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xa8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xb0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xb8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xc0, ['unsigned long long']], 'HalTscOffset' : [ 0xc8, 
['unsigned long long']], 'HvlTscOffset' : [ 0xd0, ['unsigned long long']], 'SleeperThreadEnd' : [ 0xd8, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0xe0, ['unsigned long long']], 'IoBoundedness' : [ 0xe8, ['unsigned long long']], 'KernelDecompressTicks' : [ 0xf0, ['unsigned long long']], 'KernelIoTicks' : [ 0xf8, ['unsigned long long']], 'KernelCopyTicks' : [ 0x100, ['unsigned long long']], 'ReadCheckCount' : [ 0x108, ['unsigned long long']], 'KernelInitTicks' : [ 0x110, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x118, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x120, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x128, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x130, ['unsigned long long']], 'AnimationStart' : [ 0x138, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x140, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x148, ['unsigned long']], 'BootPagesProcessed' : [ 0x150, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x158, ['unsigned long long']], 'BootBytesWritten' : [ 0x160, ['unsigned long long']], 'KernelBytesWritten' : [ 0x168, ['unsigned long long']], 'BootPagesWritten' : [ 0x170, ['unsigned long long']], 'KernelPagesWritten' : [ 0x178, ['unsigned long long']], 'BytesWritten' : [ 0x180, ['unsigned long long']], 'PagesWritten' : [ 0x188, ['unsigned long']], 'FileRuns' : [ 0x18c, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x190, ['unsigned long']], 'MaxHuffRatio' : [ 0x194, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x198, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1a0, ['unsigned long long']], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 
'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '__unnamed_2676' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_2676']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_MI_PHYSMEM_BLOCK' : [ 0x8, { 'IoTracker' : [ 0x0, ['pointer64', ['_MMIO_TRACKER']]], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x80, { 'UncompressedData' : [ 0x0, ['pointer64', ['unsigned char']]], 'MappingVa' : [ 0x8, ['pointer64', ['void']]], 'XpressEncodeWorkspace' : [ 0x10, ['pointer64', ['void']]], 'CompressedDataBuffer' : [ 0x18, ['pointer64', ['unsigned char']]], 'CopyTicks' : [ 0x20, ['unsigned long long']], 'CompressTicks' : [ 0x28, ['unsigned long long']], 'BytesCopied' : [ 0x30, ['unsigned long long']], 'PagesProcessed' : [ 0x38, ['unsigned long long']], 'DecompressTicks' : [ 0x40, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x48, ['unsigned long long']], 'SharedBufferTicks' : [ 0x50, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x68, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x78, ['unsigned long']], 'HuffCompressCount' : [ 0x7c, ['unsigned long']], } ], '_DEVICE_OBJECT_LIST_ENTRY' : [ 0x10, { 'DeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceRelation', 1: 'Dependent', 2: 'DirectDescendant'})]], 'Flags' : [ 0xc, ['unsigned long']], } ], '_IO_REMOVE_LOCK' : [ 0x20, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_POP_IO_INFO' : [ 0x60, { 'DumpMdl' : [ 0x0, ['pointer64', ['_MDL']]], 'IoStatus' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 
'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x10, ['unsigned long long']], 'IoBytesCompleted' : [ 0x18, ['unsigned long long']], 'IoBytesInProgress' : [ 0x20, ['unsigned long long']], 'RequestSize' : [ 0x28, ['unsigned long long']], 'IoLocation' : [ 0x30, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x38, ['unsigned long long']], 'Buffer' : [ 0x40, ['pointer64', ['void']]], 'AsyncCapable' : [ 0x48, ['unsigned char']], 'BytesToRead' : [ 0x50, ['unsigned long long']], 'Pages' : [ 0x58, ['unsigned long']], } ], '_LDRP_CSLIST' : [ 0x8, { 'Tail' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_MMVIEW' : [ 0x38, { 'PteOffset' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['unsigned long long']], 'u1' : [ 0x10, ['_MMVIEW_CONTROL_AREA']], 'ViewLinks' : [ 0x18, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x28, ['pointer64', ['void']]], 'SessionId' : [ 0x30, ['unsigned long']], 'SessionIdForGlobalSubsections' : [ 0x34, ['unsigned long']], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_FILTER_HEADER' : [ 0x48, { 
'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x8, ['pointer64', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x10, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0x18, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x20, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x28, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x30, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x38, ['pointer64', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x40, ['pointer64', ['_EVENT_FILTER_HEADER']]], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_MMVIEW_CONTROL_AREA' : [ 0x8, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ExceptionForInPageErrors' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'UsedForControlArea' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_26ad' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_26af' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_26b2' : [ 0x8, { 'IntrInfo' : [ 0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_26b6' : [ 0x4, { 'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : 
[ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x18, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x28, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x38, ['__unnamed_26ad']], 'XapicMessage' : [ 0x38, ['__unnamed_26af']], 'Hypertransport' : [ 0x38, ['__unnamed_26b2']], 'GenericMessage' : [ 0x38, ['__unnamed_26af']], 'MessageRequest' : [ 0x38, ['__unnamed_26b6']], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_26c9' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_26cb' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_26cd' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_26c9']], 'Gpt' : [ 0x0, ['__unnamed_26cb']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x108, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 
'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MarkMemoryOnly' : [ 0x69, ['unsigned char']], 'HiberResume' : [ 0x6a, ['unsigned char']], 'Reserved1' : [ 0x6b, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_26cd']], 'ReadRoutine' : [ 0xa0, ['pointer64', ['void']]], 'GetDriveTelemetryRoutine' : [ 0xa8, ['pointer64', ['void']]], 'LogSectionTruncateSize' : [ 0xb0, ['unsigned long']], 'Parameters' : [ 0xb4, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DumpNotifyRoutine' : [ 0x100, ['pointer64', ['void']]], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '_ETW_QUEUE_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x10, ['pointer64', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0x18, ['pointer64', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x20, ['pointer64', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x28, ['pointer64', ['void']]], 'RegIndex' : [ 0x30, ['unsigned short']], 'ReplyIndex' : [ 0x32, ['unsigned short']], 'Flags' : [ 0x34, ['unsigned long']], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_KDPC_LIST' : [ 0x10, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, 
['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x178, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x20, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', 
['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer64', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '__unnamed_2701' : [ 0x4, { 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2703' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2701']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2706' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2708' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2706']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, ['__unnamed_2703']], 'HighPart' : [ 0x4, ['__unnamed_2708']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned 
long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_MI_LARGEPAGE_MEMORY_INFO' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ColoredPageInfoBase' : [ 0x10, ['pointer64', ['_COLORED_PAGE_INFO']]], 'PagesNeedZeroing' : [ 0x18, ['unsigned long']], } ], '__unnamed_271a' : [ 0x8, { 'MessageAddressLow' : [ 0x0, ['unsigned long']], 'MessageData' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], } ], '__unnamed_271c' : [ 0x8, { 'RemappedFormat' : [ 0x0, ['_ULARGE_INTEGER']], 'Msi' : [ 0x0, ['__unnamed_271a']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_271c']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_MMIO_TRACKER' : [ 0x70, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PageFrameIndex' : [ 0x10, ['unsigned long long']], 'NumberOfPages' : [ 0x18, ['unsigned long long']], 'BaseVa' : [ 0x20, ['pointer64', ['void']]], 'CacheFlushTimeStamp' : [ 0x20, ['unsigned long']], 'Mdl' : [ 0x28, ['pointer64', ['_MDL']]], 'MdlPages' : [ 0x30, ['unsigned long long']], 'StackTrace' : [ 0x38, ['array', 6, ['pointer64', ['void']]]], 'CacheInfo' : [ 0x68, ['array', 1, ['_IO_CACHE_INFO']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' 
: [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2728' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_272b' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0x180, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x10, ['_LIST_ENTRY']], 'Event' : [ 0x20, ['_KEVENT']], 'CollidedEvent' : [ 0x38, ['_KEVENT']], 'IoStatus' : [ 0x50, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x60, ['_LARGE_INTEGER']], 'PteContents' : [ 0x68, ['_MMPTE']], 'Thread' : [ 0x70, ['pointer64', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0x78, ['pointer64', ['_MMPFN']]], 'WaitCount' : [ 0x80, ['long']], 'ByteCount' : [ 0x84, ['unsigned long']], 'u3' : [ 0x88, ['__unnamed_2728']], 'u1' : [ 0x8c, ['__unnamed_272b']], 'FilePointer' : [ 0x90, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x98, ['pointer64', ['_CONTROL_AREA']]], 'Autoboost' : [ 0xa0, ['pointer64', ['void']]], 'FaultingAddress' : [ 0xa8, ['pointer64', ['void']]], 'PointerPte' : [ 0xb0, ['pointer64', ['_MMPTE']]], 'BasePte' : [ 0xb8, ['pointer64', ['_MMPTE']]], 'Pfn' : [ 0xc0, ['pointer64', ['_MMPFN']]], 'PrefetchMdl' : [ 0xc8, ['pointer64', ['_MDL']]], 'Mdl' : [ 0xd0, ['_MDL']], 'Page' : [ 0x100, ['array', 16, ['unsigned long long']]], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_MMINPAGE_FLAGS' : [ 
0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'BoostedPriority' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare1' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_COLORED_PAGE_INFO' : [ 0x18, { 'BeingZeroed' : [ 0x0, ['long']], 'Processor' : [ 0x4, ['unsigned long']], 'PagesQueued' : [ 0x8, ['unsigned long long']], 'PfnAllocation' : [ 0x10, ['pointer64', ['_MMPFN']]], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0x18, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x8, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_IO_CACHE_INFO' : [ 0x1, { 'CacheAttribute' : [ 0x0, ['unsigned char']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x8, ['pointer64', ['unsigned short']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/vista_sp1_x64_vtypes.py0000644000000000000000000160255613131215405030771 0ustar rootrootntkrnlmp_types = { '_PNP_DEVICE_EVENT_ENTRY' : [ 0x90, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 
'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_CONFIGURATION_COMPONENT' : [ 0x28, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer64', ['unsigned char']]], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', 
['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long 
long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 
'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_202d' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_202f' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_202d']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_202f']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_2041' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, 
end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_2041']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], 
'_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x18, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x28, ['pointer64', ['void']]], 'DosDeviceDriveIndex' : [ 0x30, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, 
native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x50, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_PPM_DIA_STATS' : [ 0xc, { 'PerfLevel' : [ 0x0, ['unsigned long']], 'IdleTime' : [ 0x4, ['unsigned long']], 'TimeInterval' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x50, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 
'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], 'LimitModifiedPages' : [ 0x48, ['unsigned char']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit 
= 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_2098' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_209a' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_209e' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_20a2' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_20a4' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_2098']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_209a']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_209e']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_20a2']], 'Others' : [ 0x0, ['__unnamed_20a4']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, 
['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x178, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, ['unsigned long long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x18, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x38, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x48, ['unsigned long']], 'NextCloneRange' : [ 0x50, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x58, ['unsigned long long']], 'LoaderMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x68, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x70, ['unsigned long long']], 'IoPages' : [ 0x78, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x80, ['unsigned long']], 'CurrentMcb' : [ 0x88, ['pointer64', ['void']]], 'DumpStack' : [ 0x90, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x98, ['pointer64', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0xa0, ['unsigned long long']], 'HiberPte' : [ 0xa8, ['_LARGE_INTEGER']], 'Status' : [ 0xb0, ['long']], 'MemoryImage' : [ 0xb8, ['pointer64', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0xc0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0xc8, ['pointer64', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0xd0, ['pointer64', ['unsigned char']]], 'PerformanceStats' : [ 0xd8, ['pointer64', ['unsigned long']]], 
'CompressionBlock' : [ 0xe0, ['pointer64', ['void']]], 'DmaIO' : [ 0xe8, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0xf0, ['pointer64', ['void']]], 'PerfInfo' : [ 0xf8, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0x158, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0x160, ['pointer64', ['_MDL']]], 'ResumeContext' : [ 0x168, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x170, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x40, { 'ThreadHandle' : [ 0x0, ['pointer64', ['void']]], 'ThreadId' : [ 0x8, ['pointer64', ['void']]], 'ProcessId' : [ 0x10, ['pointer64', ['void']]], 'Code' : [ 0x18, ['unsigned long']], 'Parameter1' : [ 0x20, ['unsigned long long']], 
'Parameter2' : [ 0x28, ['unsigned long long']], 'Parameter3' : [ 0x30, ['unsigned long long']], 'Parameter4' : [ 0x38, ['unsigned long long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x10, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'ImageMerge' : [ 0x8, ['pointer64', ['void']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS' : [ 0x8, { 'ProcessorType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'InstructionSet' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Operation' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Flags' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Level' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'CPUVersion' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CPUBrandString' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'ProcessorId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'TargetAddress' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', 
dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InstructionPointer' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_20ce' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_20ce']], } ], '__unnamed_20d2' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_20d2']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0x140, { 'Signature' : [ 
0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'TotalPages' : [ 0x60, ['unsigned long long']], 'FirstTablePage' : [ 0x68, ['unsigned long long']], 'LastFilePage' : [ 0x70, ['unsigned long long']], 'PerfInfo' : [ 0x78, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xd8, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xe0, ['array', 1, ['unsigned long long']]], 'NoBootLoaderLogPages' : [ 0xe8, ['unsigned long']], 'BootLoaderLogPages' : [ 0xf0, ['array', 8, ['unsigned long long']]], 'NotUsed' : [ 0x130, ['unsigned long']], 'ResumeContextCheck' : [ 0x134, ['unsigned long']], 'ResumeContextPages' : [ 0x138, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, 
['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, ['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x10, { 'Entry' : [ 0x0, ['unsigned long long']], 'Writable' : [ 0x8, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned long long')]], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '__unnamed_20f1' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_20f3' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20f5' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20f7' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_20f9' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_20fb' : [ 
0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_20fd' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20ff' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_2101' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2103' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 'Data' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '__unnamed_2105' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_20f1']], 'TargetDevice' : [ 0x0, ['__unnamed_20f3']], 'InstallDevice' : [ 0x0, ['__unnamed_20f5']], 'CustomNotification' : [ 0x0, ['__unnamed_20f7']], 'ProfileNotification' : [ 0x0, ['__unnamed_20f9']], 'PowerNotification' : [ 0x0, ['__unnamed_20fb']], 'VetoNotification' : [ 0x0, ['__unnamed_20fd']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20ff']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_2101']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_2103']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 
'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_2105']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x40, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0x10, ['pointer64', ['unsigned char']]], 'PciDeviceId' : [ 0x18, ['unsigned short']], 'PciVendorId' : [ 0x1a, ['unsigned short']], 'PciBusNumber' : [ 0x1c, ['unsigned char']], 'PciBusSegment' : [ 0x1e, ['unsigned short']], 'PciSlotNumber' : [ 0x20, ['unsigned char']], 'PciFunctionNumber' : [ 0x21, ['unsigned char']], 'PciFlags' : [ 0x24, ['unsigned long']], 'SystemGUID' : [ 0x28, ['_GUID']], 'IsMMIODevice' : [ 0x38, ['unsigned char']], 'TerminalType' : [ 0x39, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0x10, ['_LIST_ENTRY']], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_211c' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_211e' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2120' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_211c']], 'Gpt' : [ 0x0, ['__unnamed_211e']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 
'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_2120']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x48, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Hint' : [ 0x10, ['unsigned long']], 'BasePte' : [ 0x18, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'Vm' : [ 0x28, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x30, ['long']], 'TotalFreeSystemPtes' : [ 0x34, ['long']], 'CachedPteCount' : [ 0x38, ['long']], 'PteFailures' : [ 0x3c, ['unsigned long']], 'GlobalMutex' : [ 0x40, ['pointer64', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x20, { 'DHCPServerACK' : [ 0x0, ['pointer64', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x8, ['unsigned long']], 'BootServerReplyPacket' : [ 0x10, ['pointer64', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0x18, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x250, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 8, 
['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x20, { 'PageNo' : [ 0x0, ['unsigned long long']], 'StartPage' : [ 0x8, ['unsigned long long']], 'EndPage' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x18, { 'Next' : [ 0x0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x8, ['unsigned long long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'EntryCount' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', 
dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '__unnamed_2150' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_2154' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', 
dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_2150']], 'Bits' : [ 0x4, ['__unnamed_2154']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' 
: [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_101f' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_101f']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1024' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1024']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_103d' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_103f' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_103d']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_103f']], } ], '_TP_TASK_CALLBACKS' : [ 0x10, { 'ExecuteCallback' : [ 0x0, ['pointer64', ['void']]], 'Unposted' : [ 0x8, ['pointer64', ['void']]], } ], '_TP_TASK' : [ 0x8, { 'Callbacks' : [ 0x0, ['pointer64', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x8, { 'Callback' : [ 0x0, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 
0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_KPRCB' : [ 0x3b20, { 'MxCsr' : [ 0x0, ['unsigned long']], 'Number' : [ 0x4, ['unsigned short']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'Group' : [ 0x21, ['unsigned char']], 'PrcbPad00' : [ 0x22, ['array', 6, ['unsigned char']]], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'SetMember' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned 
char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, ['unsigned long']], 'PrcbPad01' : [ 0x658, ['array', 3, ['unsigned long long']]], 'LockQueue' : [ 0x670, ['array', 49, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x980, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0xa80, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1680, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2280, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2288, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2290, ['long']], 'MmCopyOnWriteCount' : [ 0x2294, ['long']], 'MmTransitionCount' : [ 0x2298, ['long']], 'MmDemandZeroCount' : [ 0x229c, ['long']], 'MmPageReadCount' : [ 0x22a0, ['long']], 'MmPageReadIoCount' : [ 0x22a4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x22a8, ['long']], 'MmDirtyWriteIoCount' : [ 0x22ac, ['long']], 'MmMappedPagesWriteCount' : [ 0x22b0, ['long']], 'MmMappedWriteIoCount' : [ 0x22b4, ['long']], 'KeSystemCalls' : [ 0x22b8, ['unsigned long']], 'KeContextSwitches' : [ 0x22bc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x22c0, ['unsigned long']], 'CcFastReadWait' : [ 0x22c4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x22c8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x22cc, ['unsigned long']], 'CcCopyReadWait' : [ 0x22d0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x22d4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x22d8, ['long']], 'IoReadOperationCount' : [ 0x22dc, ['long']], 'IoWriteOperationCount' : [ 0x22e0, ['long']], 'IoOtherOperationCount' : [ 0x22e4, ['long']], 'IoReadTransferCount' : [ 0x22e8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x22f0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x22f8, ['_LARGE_INTEGER']], 'TargetSet' : [ 0x2300, ['unsigned long long']], 'IpiFrozen' : [ 0x2308, ['unsigned long']], 
'PrcbPad3' : [ 0x230c, ['array', 116, ['unsigned char']]], 'RequestMailbox' : [ 0x2380, ['array', 64, ['_REQUEST_MAILBOX']]], 'SenderSummary' : [ 0x3380, ['unsigned long long']], 'PrcbPad4' : [ 0x3388, ['array', 120, ['unsigned char']]], 'DpcData' : [ 0x3400, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x3440, ['pointer64', ['void']]], 'SparePtr0' : [ 0x3448, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x3450, ['long']], 'DpcRequestRate' : [ 0x3454, ['unsigned long']], 'MinimumDpcRate' : [ 0x3458, ['unsigned long']], 'DpcInterruptRequested' : [ 0x345c, ['unsigned char']], 'DpcThreadRequested' : [ 0x345d, ['unsigned char']], 'DpcRoutineActive' : [ 0x345e, ['unsigned char']], 'DpcThreadActive' : [ 0x345f, ['unsigned char']], 'TimerHand' : [ 0x3460, ['unsigned long long']], 'TimerRequest' : [ 0x3460, ['unsigned long long']], 'TickOffset' : [ 0x3468, ['long']], 'MasterOffset' : [ 0x346c, ['long']], 'DpcLastCount' : [ 0x3470, ['unsigned long']], 'ThreadDpcEnable' : [ 0x3474, ['unsigned char']], 'QuantumEnd' : [ 0x3475, ['unsigned char']], 'PrcbPad50' : [ 0x3476, ['unsigned char']], 'IdleSchedule' : [ 0x3477, ['unsigned char']], 'DpcSetEventRequest' : [ 0x3478, ['long']], 'KeExceptionDispatchCount' : [ 0x347c, ['unsigned long']], 'DpcEvent' : [ 0x3480, ['_KEVENT']], 'PrcbPad51' : [ 0x3498, ['pointer64', ['void']]], 'CallDpc' : [ 0x34a0, ['_KDPC']], 'ClockKeepAlive' : [ 0x34e0, ['long']], 'ClockCheckSlot' : [ 0x34e4, ['unsigned char']], 'ClockPollCycle' : [ 0x34e5, ['unsigned char']], 'PrcbPad6' : [ 0x34e6, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x34e8, ['long']], 'DpcWatchdogCount' : [ 0x34ec, ['long']], 'PrcbPad70' : [ 0x34f0, ['array', 2, ['unsigned long long']]], 'WaitListHead' : [ 0x3500, ['_LIST_ENTRY']], 'WaitLock' : [ 0x3510, ['unsigned long long']], 'ReadySummary' : [ 0x3518, ['unsigned long']], 'QueueIndex' : [ 0x351c, ['unsigned long']], 'PrcbPad71' : [ 0x3520, ['array', 12, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 
0x3580, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x3780, ['unsigned long']], 'KernelTime' : [ 0x3784, ['unsigned long']], 'UserTime' : [ 0x3788, ['unsigned long']], 'DpcTime' : [ 0x378c, ['unsigned long']], 'InterruptTime' : [ 0x3790, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x3794, ['unsigned long']], 'SkipTick' : [ 0x3798, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x3799, ['unsigned char']], 'PollSlot' : [ 0x379a, ['unsigned char']], 'PrcbPad80' : [ 0x379b, ['array', 5, ['unsigned char']]], 'DpcTimeCount' : [ 0x37a0, ['unsigned long']], 'DpcTimeLimit' : [ 0x37a4, ['unsigned long']], 'PeriodicCount' : [ 0x37a8, ['unsigned long']], 'PeriodicBias' : [ 0x37ac, ['unsigned long']], 'PrcbPad81' : [ 0x37b0, ['array', 2, ['unsigned long long']]], 'ParentNode' : [ 0x37c0, ['pointer64', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x37c8, ['unsigned long long']], 'MultiThreadSetMaster' : [ 0x37d0, ['pointer64', ['_KPRCB']]], 'StartCycles' : [ 0x37d8, ['unsigned long long']], 'MmSpinLockOrdering' : [ 0x37e0, ['long']], 'PageColor' : [ 0x37e4, ['unsigned long']], 'NodeColor' : [ 0x37e8, ['unsigned long']], 'NodeShiftedColor' : [ 0x37ec, ['unsigned long']], 'SecondaryColorMask' : [ 0x37f0, ['unsigned long']], 'Sleeping' : [ 0x37f4, ['long']], 'CycleTime' : [ 0x37f8, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x3800, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x3804, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x3808, ['unsigned long']], 'CcMapDataNoWait' : [ 0x380c, ['unsigned long']], 'CcMapDataWait' : [ 0x3810, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x3814, ['unsigned long']], 'CcPinReadNoWait' : [ 0x3818, ['unsigned long']], 'CcPinReadWait' : [ 0x381c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x3820, ['unsigned long']], 'CcMdlReadWait' : [ 0x3824, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x3828, ['unsigned long']], 'CcLazyWriteIos' : [ 0x382c, ['unsigned long']], 'CcLazyWritePages' : [ 0x3830, ['unsigned long']], 
'CcDataFlushes' : [ 0x3834, ['unsigned long']], 'CcDataPages' : [ 0x3838, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x383c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x3840, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x3844, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x3848, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x384c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x3850, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x3854, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x3858, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x385c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x3860, ['unsigned long']], 'CcReadAheadIos' : [ 0x3864, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x3868, ['long']], 'MmCacheReadCount' : [ 0x386c, ['long']], 'MmCacheIoCount' : [ 0x3870, ['long']], 'PrcbPad91' : [ 0x3874, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x3880, ['_PROCESSOR_POWER_STATE']], 'KeAlignmentFixupCount' : [ 0x3998, ['unsigned long']], 'VendorString' : [ 0x399c, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x39a9, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x39ac, ['unsigned long']], 'UpdateSignature' : [ 0x39b0, ['_LARGE_INTEGER']], 'DpcWatchdogDpc' : [ 0x39b8, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x39f8, ['_KTIMER']], 'Cache' : [ 0x3a38, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3a74, ['unsigned long']], 'CachedCommit' : [ 0x3a78, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3a7c, ['unsigned long']], 'HyperPte' : [ 0x3a80, ['pointer64', ['void']]], 'WheaInfo' : [ 0x3a88, ['pointer64', ['void']]], 'EtwSupport' : [ 0x3a90, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x3aa0, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x3ab0, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x3ac0, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x3ac8, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x3ad0, ['pointer64', ['unsigned long long']]], 'RateControl' : [ 0x3ad8, ['pointer64', ['void']]], 
'CacheProcessorMask' : [ 0x3ae0, ['array', 5, ['unsigned long long']]], 'PackageProcessorSet' : [ 0x3b08, ['unsigned long long']], 'CoreProcessorSet' : [ 0x3b10, ['unsigned long long']], } ], '_KTHREAD' : [ 0x330, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'ApcState' : [ 0x48, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x48, ['array', 43, ['unsigned char']]], 'Priority' : [ 0x73, ['unsigned char']], 'NextProcessor' : [ 0x74, ['unsigned short']], 'DeferredProcessor' : [ 0x76, ['unsigned short']], 'ApcQueueLock' : [ 0x78, ['unsigned long long']], 'WaitStatus' : [ 0x80, ['long long']], 'WaitBlockList' : [ 0x88, ['pointer64', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x88, ['pointer64', ['_KGATE']]], 'KernelStackResident' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x90, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x90, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x90, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x90, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x90, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x90, ['long']], 'WaitReason' : [ 0x94, 
['unsigned char']], 'SwapBusy' : [ 0x95, ['unsigned char']], 'Alerted' : [ 0x96, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x98, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x98, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa8, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb0, ['pointer64', ['void']]], 'Timer' : [ 0xb8, ['_KTIMER']], 'TimerFill' : [ 0xb8, ['array', 60, ['unsigned char']]], 'AutoAlignment' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CycleChargePending' : [ 0xf4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xf4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xf4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xf4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xf4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xf4, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xf4, ['long']], 'WaitBlock' : [ 0xf8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xf8, ['array', 43, ['unsigned char']]], 'IdealProcessor' : [ 0x123, ['unsigned char']], 'WaitBlockFill1' : [ 0xf8, ['array', 91, ['unsigned char']]], 'PreviousMode' : [ 0x153, ['unsigned char']], 'WaitBlockFill2' : [ 0xf8, ['array', 139, ['unsigned char']]], 'ResourceIndex' : [ 0x183, ['unsigned char']], 'WaitBlockFill3' : [ 0xf8, ['array', 187, ['unsigned char']]], 'LargeStack' : [ 0x1b3, ['unsigned char']], 'WaitBlockFill4' : [ 
0xf8, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x124, ['unsigned long']], 'WaitBlockFill5' : [ 0xf8, ['array', 92, ['unsigned char']]], 'State' : [ 0x154, ['unsigned char']], 'NpxState' : [ 0x155, ['unsigned char']], 'WaitIrql' : [ 0x156, ['unsigned char']], 'WaitMode' : [ 0x157, ['unsigned char']], 'WaitBlockFill6' : [ 0xf8, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x184, ['unsigned long']], 'WaitBlockFill7' : [ 0xf8, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1b4, ['short']], 'SpecialApcDisable' : [ 0x1b6, ['short']], 'CombinedApcDisable' : [ 0x1b4, ['unsigned long']], 'QueueListEntry' : [ 0x1b8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1c8, ['pointer64', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x1d0, ['pointer64', ['void']]], 'CallbackStack' : [ 0x1d8, ['pointer64', ['void']]], 'CallbackDepth' : [ 0x1d8, ['unsigned long long']], 'ApcStateIndex' : [ 0x1e0, ['unsigned char']], 'BasePriority' : [ 0x1e1, ['unsigned char']], 'PriorityDecrement' : [ 0x1e2, ['unsigned char']], 'Preempted' : [ 0x1e3, ['unsigned char']], 'AdjustReason' : [ 0x1e4, ['unsigned char']], 'AdjustIncrement' : [ 0x1e5, ['unsigned char']], 'Spare01' : [ 0x1e6, ['unsigned char']], 'Saturation' : [ 0x1e7, ['unsigned char']], 'SystemCallNumber' : [ 0x1e8, ['unsigned long']], 'FreezeCount' : [ 0x1ec, ['unsigned long']], 'UserAffinity' : [ 0x1f0, ['unsigned long long']], 'Process' : [ 0x1f8, ['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x200, ['unsigned long long']], 'ApcStatePointer' : [ 0x208, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x218, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x218, ['array', 43, ['unsigned char']]], 'Spare02' : [ 0x243, ['unsigned char']], 'SuspendCount' : [ 0x244, ['unsigned char']], 'UserIdealProcessor' : [ 0x245, ['unsigned char']], 'Spare03' : [ 0x246, ['unsigned char']], 'CodePatchInProgress' : [ 0x247, ['unsigned char']], 'Win32Thread' : [ 0x248, ['pointer64', ['void']]], 'StackBase' : [ 0x250, 
['pointer64', ['void']]], 'SuspendApc' : [ 0x258, ['_KAPC']], 'SuspendApcFill0' : [ 0x258, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x259, ['unsigned char']], 'SuspendApcFill1' : [ 0x258, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x25b, ['unsigned char']], 'SuspendApcFill2' : [ 0x258, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x25c, ['unsigned long']], 'SuspendApcFill3' : [ 0x258, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x298, ['pointer64', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x258, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2a0, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x258, ['array', 83, ['unsigned char']]], 'PowerState' : [ 0x2ab, ['unsigned char']], 'UserTime' : [ 0x2ac, ['unsigned long']], 'SuspendSemaphore' : [ 0x2b0, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2b0, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2cc, ['unsigned long']], 'ThreadListEntry' : [ 0x2d0, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x2e0, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x2f0, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x2f8, ['long long']], 'WriteOperationCount' : [ 0x300, ['long long']], 'OtherOperationCount' : [ 0x308, ['long long']], 'ReadTransferCount' : [ 0x310, ['long long']], 'WriteTransferCount' : [ 0x318, ['long long']], 'OtherTransferCount' : [ 0x320, ['long long']], 'MdlForLockedTeb' : [ 0x328, ['pointer64', ['void']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x250, { 'XmmSaveArea' : [ 0x0, ['_XMM_SAVE_AREA32']], 'Current' : [ 0x200, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x228, ['_KERNEL_STACK_SEGMENT']], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '__unnamed_1119' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', 
dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, native_type='unsigned long long')]], 'Region' : [ 0x8, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_111e' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_1119']], 'Header16' : [ 0x0, ['__unnamed_111e']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 
'Information' : [ 0x8, ['unsigned long long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' 
: [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_ETHREAD' : [ 0x450, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x330, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x338, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x338, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x348, ['long']], 'OfsChain' : [ 0x348, ['pointer64', ['void']]], 'PostBlockList' : [ 0x350, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x350, ['pointer64', ['void']]], 'StartAddress' : [ 0x358, ['pointer64', ['void']]], 'TerminationPort' : [ 0x360, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x360, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x360, ['pointer64', ['void']]], 'Win32StartParameter' : [ 0x360, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x368, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x370, ['_LIST_ENTRY']], 'Cid' : [ 0x380, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3b0, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3b8, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3c8, ['unsigned long long']], 'DeviceToVerify' : [ 0x3d0, ['pointer64', ['_DEVICE_OBJECT']]], 
'RateControlApc' : [ 0x3d8, ['pointer64', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x3e0, ['pointer64', ['void']]], 'SparePtr0' : [ 0x3e8, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x3f0, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x400, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x408, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x410, ['unsigned long']], 'MmLockOrdering' : [ 0x414, ['long']], 'CrossThreadFlags' : [ 0x418, ['unsigned long']], 'Terminated' : [ 0x418, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x418, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x418, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x418, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x418, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x418, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x418, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x418, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x418, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x418, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x418, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x418, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x418, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x41c, ['unsigned long']], 'ActiveExWorker' : [ 0x41c, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x41c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x41c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x41c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x41c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x41c, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x41c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x420, ['unsigned long']], 'Spare' : [ 0x420, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x420, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x420, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x421, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x421, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x421, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned 
char')]], 'SuppressSymbolLoad' : [ 0x421, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x421, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x421, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x421, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x421, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x422, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x423, ['unsigned char']], 'CacheManagerActive' : [ 0x424, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x425, ['unsigned char']], 'ActiveFaultCount' : [ 0x426, ['unsigned char']], 'AlpcMessageId' : [ 0x428, ['unsigned long long']], 'AlpcMessage' : [ 0x430, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x430, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x438, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x448, ['unsigned long']], } ], '_EPROCESS' : [ 0x3e8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xc0, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xc8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xd0, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xd8, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xe0, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0xe8, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xf8, ['array', 3, ['unsigned long long']]], 'QuotaPeak' : [ 0x110, ['array', 3, ['unsigned long long']]], 'CommitCharge' : [ 0x128, ['unsigned long long']], 'PeakVirtualSize' : [ 0x130, ['unsigned long long']], 'VirtualSize' : [ 0x138, ['unsigned long long']], 'SessionProcessLinks' : [ 0x140, ['_LIST_ENTRY']], 'DebugPort' : [ 0x150, ['pointer64', ['void']]], 'ExceptionPortData' : [ 0x158, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x158, ['unsigned long long']], 
'ExceptionPortState' : [ 0x158, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'ObjectTable' : [ 0x160, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x168, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x170, ['unsigned long long']], 'AddressCreationLock' : [ 0x178, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x180, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x188, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x190, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x198, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x1a0, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x1a8, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x1b0, ['unsigned long long']], 'Win32Process' : [ 0x1b8, ['pointer64', ['void']]], 'Job' : [ 0x1c0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x1c8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x1d0, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x1d8, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x1e0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x1e8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x1f0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x1f8, ['pointer64', ['void']]], 'Spare' : [ 0x200, ['pointer64', ['void']]], 'VdmObjects' : [ 0x208, ['pointer64', ['void']]], 'DeviceMap' : [ 0x210, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x218, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x220, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x228, ['_HARDWARE_PTE']], 'Filler' : [ 0x228, ['unsigned long long']], 'Session' : [ 0x230, ['pointer64', ['void']]], 'ImageFileName' : [ 0x238, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x248, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x258, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x260, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x270, ['pointer64', ['void']]], 'Wow64Process' : [ 0x278, ['pointer64', ['_WOW64_PROCESS']]], 'ActiveThreads' : [ 0x280, ['unsigned long']], 
'ImagePathHash' : [ 0x284, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x288, ['unsigned long']], 'LastThreadExitStatus' : [ 0x28c, ['long']], 'Peb' : [ 0x290, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x298, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x2a0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x2a8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x2b0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x2b8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x2c0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x2c8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x2d0, ['unsigned long long']], 'CommitChargePeak' : [ 0x2d8, ['unsigned long long']], 'AweInfo' : [ 0x2e0, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x2e8, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x2f0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x358, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x368, ['unsigned long']], 'Flags2' : [ 0x36c, ['unsigned long']], 'JobNotReallyActive' : [ 0x36c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x36c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x36c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x36c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x36c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x36c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x36c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x36c, 
['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x36c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x36c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x36c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x36c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x36c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x36c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x36c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x36c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x36c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Flags' : [ 0x370, ['unsigned long']], 'CreateReported' : [ 0x370, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x370, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x370, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x370, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x370, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x370, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x370, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x370, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x370, 
['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x370, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x370, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x370, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x370, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x370, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x370, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x370, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x370, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x370, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x370, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x370, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x370, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x370, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x370, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x370, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x370, ['BitField', dict(start_bit = 
27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x370, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SpareProcessFlags' : [ 0x370, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x374, ['long']], 'Spare7' : [ 0x378, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x37a, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x37b, ['unsigned char']], 'SubSystemVersion' : [ 0x37a, ['unsigned short']], 'PriorityClass' : [ 0x37c, ['unsigned char']], 'VadRoot' : [ 0x380, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x3c0, ['unsigned long']], 'AlpcContext' : [ 0x3c8, ['_ALPC_PROCESS_CONTEXT']], } ], '__unnamed_11ea' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_11ea']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '__unnamed_11f8' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_11fd' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } 
], '__unnamed_11ff' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_11fd']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_120a' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_120c' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_120a']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_11f8']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_11ff']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_120c']], } ], '__unnamed_1212' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, 
['unsigned long']], } ], '__unnamed_1216' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_121a' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_121c' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1220' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 
'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1222' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_1224' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 
'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], } ], '__unnamed_1226' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 
'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1228' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_122a' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_122e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_1230' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1232' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], 
'__unnamed_1234' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1236' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1238' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_123c' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_1240' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1244' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1248' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_124f' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1253' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1257' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1259' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_125b' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_125f' : [ 0x4, { 'IdType' : 
[ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1263' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1267' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_126b' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_126f' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1277' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_127b' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_127d' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 
'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_127f' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1281' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1212']], 'CreatePipe' : [ 0x0, ['__unnamed_1216']], 'CreateMailslot' : [ 0x0, ['__unnamed_121a']], 'Read' : [ 0x0, ['__unnamed_121c']], 'Write' : [ 0x0, ['__unnamed_121c']], 'QueryDirectory' : [ 0x0, ['__unnamed_1220']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1222']], 'QueryFile' : [ 0x0, ['__unnamed_1224']], 'SetFile' : [ 0x0, ['__unnamed_1226']], 'QueryEa' : [ 0x0, ['__unnamed_1228']], 'SetEa' : [ 0x0, ['__unnamed_122a']], 'QueryVolume' : [ 0x0, ['__unnamed_122e']], 'SetVolume' : [ 0x0, ['__unnamed_122e']], 'FileSystemControl' : [ 0x0, ['__unnamed_1230']], 'LockControl' : [ 0x0, ['__unnamed_1232']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1234']], 'QuerySecurity' : [ 0x0, ['__unnamed_1236']], 'SetSecurity' : [ 0x0, ['__unnamed_1238']], 'MountVolume' : [ 0x0, ['__unnamed_123c']], 'VerifyVolume' : [ 0x0, ['__unnamed_123c']], 'Scsi' : [ 0x0, ['__unnamed_1240']], 'QueryQuota' : [ 0x0, ['__unnamed_1244']], 'SetQuota' : [ 0x0, ['__unnamed_122a']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1248']], 'QueryInterface' : [ 0x0, ['__unnamed_124f']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1253']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1257']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1259']], 'SetLock' : [ 0x0, ['__unnamed_125b']], 'QueryId' : [ 0x0, ['__unnamed_125f']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1263']], 'UsageNotification' : [ 0x0, ['__unnamed_1267']], 'WaitWake' : [ 0x0, ['__unnamed_126b']], 'PowerSequence' : [ 0x0, ['__unnamed_126f']], 'Power' : [ 0x0, ['__unnamed_1277']], 'StartDevice' : [ 0x0, ['__unnamed_127b']], 'WMI' : [ 0x0, 
['__unnamed_127d']], 'Others' : [ 0x0, ['__unnamed_127f']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_1281']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Type' : [ 0x10, ['pointer64', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0x18, ['unsigned char']], 'HandleInfoOffset' : [ 0x19, ['unsigned char']], 'QuotaInfoOffset' : [ 0x1a, ['unsigned 
char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'QueryReferences' : [ 0x18, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, 
['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', 
['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_PF_HARD_FAULT_INFO' : [ 0x38, { 'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']], 'HardFaultEvent' : [ 0x10, ['_PERFINFO_HARDPAGEFAULT_INFORMATION']], 'IoTimeInTicks' : [ 0x30, ['_LARGE_INTEGER']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '__unnamed_132b' : [ 0xd0, { 'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']], 'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']], 'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']], 'PciExpressError' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR']], 'PciXBusError' : [ 0x0, ['_WHEA_PCIXBUS_ERROR']], 'PciXDeviceError' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR']], } ], '_WHEA_ERROR_PACKET' : [ 0x119, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['_WHEA_ERROR_PACKET_FLAGS']], 'Size' : [ 0x8, ['unsigned long']], 'RawDataLength' : [ 0xc, ['unsigned long']], 'Reserved1' : [ 0x10, ['unsigned long long']], 'Context' : [ 0x18, ['unsigned long long']], 'ErrorType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ErrorSourceId' : [ 0x28, ['unsigned long']], 'ErrorSourceType' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 
5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Reserved2' : [ 0x30, ['unsigned long']], 'Version' : [ 0x34, ['unsigned long']], 'Cpu' : [ 0x38, ['unsigned long long']], 'u' : [ 0x40, ['__unnamed_132b']], 'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaRawDataFormatIPFSalRecord', 1: 'WheaRawDataFormatIA32MCA', 2: 'WheaRawDataFormatIntel64MCA', 3: 'WheaRawDataFormatAMD64MCA', 4: 'WheaRawDataFormatMemory', 5: 'WheaRawDataFormatPCIExpress', 6: 'WheaRawDataFormatNMIPort', 7: 'WheaRawDataFormatPCIXBus', 8: 'WheaRawDataFormatPCIXDevice', 9: 'WheaRawDataFormatGeneric', 10: 'WheaRawDataFormatMax'})]], 'RawDataOffset' : [ 0x114, ['unsigned long']], 'RawData' : [ 0x118, ['array', 1, ['unsigned char']]], } ], '_KPROCESS' : [ 0xc0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'Unused0' : [ 0x30, ['unsigned long long']], 'IopmOffset' : [ 0x38, ['unsigned short']], 'ActiveProcessors' : [ 0x40, ['unsigned long long']], 'KernelTime' : [ 0x48, ['unsigned long']], 'UserTime' : [ 0x4c, ['unsigned long']], 'ReadyListHead' : [ 0x50, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'InstrumentationCallback' : [ 0x68, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x70, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x80, ['unsigned long long']], 'Affinity' : [ 0x88, ['unsigned long long']], 'AutoAlignment' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 
'ProcessFlags' : [ 0x90, ['long']], 'BasePriority' : [ 0x94, ['unsigned char']], 'QuantumReset' : [ 0x95, ['unsigned char']], 'State' : [ 0x96, ['unsigned char']], 'ThreadSeed' : [ 0x97, ['unsigned char']], 'PowerState' : [ 0x98, ['unsigned char']], 'IdealNode' : [ 0x99, ['unsigned char']], 'Visited' : [ 0x9a, ['unsigned char']], 'Flags' : [ 0x9b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x9b, ['unsigned char']], 'StackCount' : [ 0xa0, ['unsigned long long']], 'ProcessListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'CycleTime' : [ 0xb8, ['unsigned long long']], } ], '__unnamed_13eb' : [ 0x10, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0xe8, { 'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x10, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x20, ['_LIST_ENTRY']], 'KernelStack' : [ 0x30, ['unsigned long long']], 'Prcb' : [ 0x38, ['unsigned long long']], 'Process' : [ 0x40, ['unsigned long long']], 'Thread' : [ 0x48, ['unsigned long long']], 'RegistryLength' : [ 0x50, ['unsigned long']], 'RegistryBase' : [ 0x58, ['pointer64', ['void']]], 'ConfigurationRoot' : [ 0x60, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x68, ['pointer64', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x70, ['pointer64', ['unsigned char']]], 'NtBootPathName' : [ 0x78, ['pointer64', ['unsigned char']]], 'NtHalPathName' : [ 0x80, ['pointer64', ['unsigned char']]], 'LoadOptions' : [ 0x88, ['pointer64', ['unsigned char']]], 'NlsData' : [ 0x90, ['pointer64', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x98, ['pointer64', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0xa0, ['pointer64', ['void']]], 'SetupLoaderBlock' : [ 0xa8, ['pointer64', ['_SETUP_LOADER_BLOCK']]], 'Extension' : [ 0xb0, ['pointer64', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0xb8, ['__unnamed_13eb']], 'FirmwareInformation' : [ 0xc8, 
['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '__unnamed_1408' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'HardLarge' : [ 0x0, ['_MMPTE_HARDWARE_LARGEPAGE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1408']], } ], '__unnamed_1417' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1419' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_141d' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_141f' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ByteFlags' : [ 0x2, ['unsigned char']], 'InterlockedByteFlags' : [ 0x3, ['unsigned char']], } ], '__unnamed_1421' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_141d']], 'e3' : [ 0x0, ['__unnamed_141f']], } ], '__unnamed_1429' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 52, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long 
long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_1417']], 'u2' : [ 0x8, ['__unnamed_1419']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'u3' : [ 0x18, ['__unnamed_1421']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned short']], 'VaType' : [ 0x1e, ['unsigned char']], 'ViewCount' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_1429']], } ], '_MMPTE_FLUSH_LIST' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned long']], 'MaximumCount' : [ 0x4, ['unsigned long']], 'FlushVa' : [ 0x8, ['array', 20, ['pointer64', ['void']]]], } ], '_MI_COLOR_BASE' : [ 0x10, { 'ColorPointer' : [ 0x0, ['pointer64', ['unsigned short']]], 'ColorMask' : [ 0x8, ['unsigned short']], 'ColorNode' : [ 0xa, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x68, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimStamp' : [ 0x10, ['unsigned short']], 'NextPageColor' : [ 0x12, ['unsigned short']], 'Flags' : [ 0x14, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x18, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x1c, ['unsigned long']], 'ChargedWslePages' : [ 0x20, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x24, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x28, ['unsigned long']], 'VmWorkingSetList' : [ 0x30, ['pointer64', ['_MMWSL']]], 'Claim' : [ 0x38, ['unsigned long']], 'ActualWslePages' : [ 0x3c, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x40, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'ExitGate' : [ 0x50, ['pointer64', 
['_KGATE']]], 'WorkingSetMutex' : [ 0x58, ['_EX_PUSH_LOCK']], 'AccessLog' : [ 0x60, ['pointer64', ['void']]], } ], '__unnamed_144d' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_144d']], } ], '_MMWSL' : [ 0x498, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x18, ['pointer64', ['void']]], 'LastInitializedWsle' : [ 0x20, ['unsigned long']], 'NextEstimationSlot' : [ 0x24, ['unsigned long']], 'NextAgingSlot' : [ 0x28, ['unsigned long']], 'EstimatedAvailable' : [ 0x2c, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x30, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x34, ['unsigned long']], 'VadBitMapHint' : [ 0x38, ['unsigned long']], 'NonDirectCount' : [ 0x3c, ['unsigned long']], 'LastVadBit' : [ 0x40, ['unsigned long']], 'MaximumLastVadBit' : [ 0x44, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x48, ['unsigned long']], 'LastAllocationSize' : [ 0x4c, ['unsigned long']], 'NonDirectHash' : [ 0x50, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x58, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x60, ['pointer64', ['_MMWSLE_HASH']]], 'HighestUserAddress' : [ 0x68, ['pointer64', ['void']]], 'MaximumUserPageTablePages' : [ 0x70, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x74, ['unsigned long']], 'CommittedPageTables' : [ 0x78, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x80, ['unsigned long']], 'CommittedPageDirectories' : [ 0x88, ['array', 128, ['unsigned long long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x488, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x490, ['array', 1, 
['unsigned long long']]], } ], '__unnamed_1467' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1469' : [ 0x4, { 'ModifiedWriteCount' : [ 0x0, ['unsigned short']], 'FlushInProgressCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_146b' : [ 0x4, { 'e2' : [ 0x0, ['__unnamed_1469']], } ], '__unnamed_1475' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1477' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1475']], } ], '_CONTROL_AREA' : [ 0x70, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_1467']], 'u1' : [ 0x3c, ['__unnamed_146b']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'StartingFrame' : [ 0x4c, ['unsigned long']], 'WaitingForDeletion' : [ 0x50, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x58, ['__unnamed_1477']], 'LockedPages' : [ 0x68, ['long long']], } ], '_MMPAGING_FILE' : [ 0xa0, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long 
long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'File' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x38, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x48, ['_UNICODE_STRING']], 'Bitmap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x60, ['unsigned long']], 'LastAllocationSize' : [ 0x64, ['unsigned long']], 'PageFileNumber' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x6a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x6a, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x70, ['pointer64', ['void']]], 'AvailableList' : [ 0x80, ['_SLIST_HEADER']], 'NeedProcessingList' : [ 0x90, ['_SLIST_HEADER']], } ], '_MMPAGING_FILE_FREE_ENTRY' : [ 0x10, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'FreeBit' : [ 0x8, ['unsigned long']], } ], '__unnamed_14aa' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_14ad' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_14b0' : [ 0x8, { 'LongFlags3' : [ 0x0, ['unsigned long long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x40, { 'u1' : [ 0x0, ['__unnamed_14aa']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, 
['__unnamed_14ad']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b0']], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '__unnamed_14ba' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x60, { 'u1' : [ 0x0, ['__unnamed_14aa']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14ad']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b0']], 'u2' : [ 0x40, ['__unnamed_14ba']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], } ], '__unnamed_14ca' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_14ca']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '__unnamed_14cf' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' 
: [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14cf']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '__unnamed_14d5' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], 'NextToFree' : [ 0x0, ['pointer64', ['_MI_PER_SESSION_PROTOS']]], } ], '__unnamed_14d7' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x38, { 'u1' : [ 0x0, ['__unnamed_14d5']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'SessionId' : [ 0x18, ['unsigned long']], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'SubsectionBase' : [ 0x28, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x30, ['__unnamed_14d7']], } ], '__unnamed_14e0' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_14e2' : [ 0x8, { 'KeepForever' : [ 0x0, ['unsigned long long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_14e0']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['__unnamed_14e2']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, 
['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '__unnamed_14ea' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x68, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x18, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x28, ['unsigned long long']], 'MdlHack' : [ 0x30, ['__unnamed_14ea']], } ], '_HHIVE' : [ 0x590, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'BaseBlock' : [ 0x48, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x50, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x60, ['unsigned long']], 'DirtyAlloc' : [ 0x64, ['unsigned long']], 'BaseBlockAlloc' : [ 0x68, ['unsigned long']], 'Cluster' : [ 0x6c, ['unsigned long']], 'Flat' : [ 0x70, ['unsigned char']], 'ReadOnly' : [ 0x71, ['unsigned char']], 'DirtyFlag' : [ 0x72, ['unsigned char']], 'HvBinHeadersUse' : [ 0x74, ['unsigned long']], 'HvFreeCellsUse' : [ 0x78, ['unsigned long']], 'HvUsedCellsUse' : [ 0x7c, ['unsigned long']], 'CmUsedCellsUse' : [ 0x80, ['unsigned long']], 'HiveFlags' : [ 0x84, ['unsigned long']], 'CurrentLog' : [ 0x88, ['unsigned long']], 'LogSize' : [ 0x8c, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x94, ['unsigned long']], 'StorageTypeCount' : [ 0x98, ['unsigned long']], 'Version' : [ 0x9c, ['unsigned long']], 
'Storage' : [ 0xa0, ['array', 2, ['_DUAL']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_CM_VIEW_OF_FILE' : [ 0x58, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x20, ['_LIST_ENTRY']], 'CmHive' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'Bcb' : [ 0x38, ['pointer64', ['void']]], 'ViewAddress' : [ 0x40, ['pointer64', ['void']]], 'FileOffset' : [ 0x48, ['unsigned long']], 'Size' : [ 0x4c, ['unsigned long']], 'UseCount' : [ 0x50, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_TEB' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, 
['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, 
['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'EtwLocalData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'SpareBool0' : [ 0x1744, ['unsigned char']], 'SpareBool1' : [ 0x1745, ['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, 
native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 
0x30, ['pointer64', ['_KDPC']]], 'Period' : [ 0x38, ['long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'SpareByte' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '__unnamed_15bb' : [ 0x8, { 'IdleTransitionTime' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15bd' : [ 0x8, { 'LastIdleCheck' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15c4' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_PROCESSOR_POWER_STATE' : [ 0x118, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'LastTimeCheck' : [ 0x8, ['unsigned long long']], 'IdleTimeAccumulated' : [ 0x10, ['unsigned long long']], 'Native' : [ 0x18, ['__unnamed_15bb']], 'Hv' : [ 0x18, 
['__unnamed_15bd']], 'IdleAccounting' : [ 0x20, ['pointer64', ['PPM_IDLE_ACCOUNTING']]], 'PerfStates' : [ 0x28, ['pointer64', ['_PPM_PERF_STATES']]], 'LastKernelUserTime' : [ 0x30, ['unsigned long']], 'LastIdleThreadKTime' : [ 0x34, ['unsigned long']], 'LastGlobalTimeHv' : [ 0x38, ['unsigned long long']], 'LastProcessorTimeHv' : [ 0x40, ['unsigned long long']], 'ThermalConstraint' : [ 0x48, ['unsigned char']], 'LastBusyPercentage' : [ 0x49, ['unsigned char']], 'Flags' : [ 0x4a, ['__unnamed_15c4']], 'PerfTimer' : [ 0x50, ['_KTIMER']], 'PerfDpc' : [ 0x90, ['_KDPC']], 'LastSysTime' : [ 0xd0, ['unsigned long']], 'PStateMaster' : [ 0xd8, ['pointer64', ['_KPRCB']]], 'PStateSet' : [ 0xe0, ['unsigned long long']], 'CurrentPState' : [ 0xe8, ['unsigned long']], 'DesiredPState' : [ 0xec, ['unsigned long']], 'PStateIdleStartTime' : [ 0xf0, ['unsigned long']], 'PStateIdleTime' : [ 0xf4, ['unsigned long']], 'LastPStateIdleTime' : [ 0xf8, ['unsigned long']], 'PStateStartTime' : [ 0xfc, ['unsigned long']], 'DiaIndex' : [ 0x100, ['unsigned long']], 'Reserved0' : [ 0x104, ['unsigned long']], 'WmiDispatchPtr' : [ 0x108, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0x110, ['long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 
'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long 
long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'DispatchedList' : [ 0x10, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x20, ['_KSEMAPHORE']], 'CompletedList' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_15f5' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, 
['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_15f5']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '__unnamed_1607' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1609' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_160d' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x220, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'Level' : [ 0x20, ['unsigned long']], 'Notify' : [ 0x28, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x68, ['_PO_IRP_MANAGER']], 'State' : [ 0x88, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 
'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x8c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x90, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 
'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xe0, ['unsigned long']], 'CompletionStatus' : [ 0xe4, ['long']], 'PendingIrp' : [ 0xe8, ['pointer64', ['_IRP']]], 'Flags' : [ 0xf0, ['unsigned long']], 'UserFlags' : [ 0xf4, ['unsigned long']], 'Problem' : [ 0xf8, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x100, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x108, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x110, ['pointer64', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x118, ['_UNICODE_STRING']], 'ServiceName' : [ 0x128, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x140, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x14c, ['unsigned long']], 'ChildInterfaceType' : [ 0x150, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x154, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x158, ['unsigned short']], 'RemovalPolicy' : [ 0x15a, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x15b, ['unsigned char']], 
'TargetDeviceNotify' : [ 0x160, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x170, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x180, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x190, ['unsigned short']], 'QueryTranslatorMask' : [ 0x192, ['unsigned short']], 'NoArbiterMask' : [ 0x194, ['unsigned short']], 'QueryArbiterMask' : [ 0x196, ['unsigned short']], 'OverUsed1' : [ 0x198, ['__unnamed_1607']], 'OverUsed2' : [ 0x1a0, ['__unnamed_1609']], 'BootResources' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x1b0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x1b8, ['unsigned long']], 'DockInfo' : [ 0x1c0, ['__unnamed_160d']], 'DisableableDepends' : [ 0x1e0, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x1e8, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x1f8, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x208, ['unsigned long']], 'PreviousParent' : [ 0x210, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x218, ['unsigned long']], 'NumaNodeIndex' : [ 0x21c, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 
0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, 
['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], 
'_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_16ad' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, 
['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16ad']], } ], '__unnamed_16b4' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 
'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16b4']], } ], '_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x20, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x1d0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x68, ['pointer64', ['_VACB']]], 'NeedToZero' : [ 0x70, ['pointer64', ['void']]], 'ActivePage' : [ 0x78, ['unsigned long']], 'NeedToZeroPage' : [ 0x7c, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x80, ['unsigned long long']], 'VacbActiveCount' : [ 0x88, ['unsigned long']], 'DirtyPages' : [ 0x8c, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x90, ['_LIST_ENTRY']], 'Flags' : [ 0xa0, ['unsigned long']], 'Status' : [ 0xa4, ['long']], 'Mbcb' : [ 0xa8, ['pointer64', ['_MBCB']]], 'Section' : [ 0xb0, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xc0, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc8, ['unsigned long']], 'BeyondLastFlush' : [ 0xd0, ['long long']], 'Callbacks' : [ 0xd8, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xe0, ['pointer64', ['void']]], 'PrivateList' : [ 0xe8, ['_LIST_ENTRY']], 
'LogHandle' : [ 0xf8, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x100, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0x118, ['pointer64', ['_VACB']]], 'BcbSpinLock' : [ 0x120, ['unsigned long long']], 'Reserved' : [ 0x128, ['pointer64', ['void']]], 'Event' : [ 0x130, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x148, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x150, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1b8, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1c0, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x1c8, ['unsigned long']], 'MappedWritesInProgress' : [ 0x1cc, ['unsigned long']], } ], '__unnamed_16f6' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_16f6']], 'LruList' : [ 0x18, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x28, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1704' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1706' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1708' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_170a' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_170c' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_1704']], 'Write' : [ 0x0, ['__unnamed_1706']], 'Event' : [ 0x0, ['__unnamed_1708']], 'Notification' : [ 0x0, ['__unnamed_170a']], } ], '_WORK_QUEUE_ENTRY' : [ 0x30, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x10, ['_LIST_ENTRY']], 'Parameters' : [ 0x20, ['__unnamed_170c']], 'Function' : [ 0x28, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' 
: [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x1f8, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x90, ['unsigned long long']], 'Interceptor' : [ 0x98, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x9c, ['unsigned long']], 'Signature' : [ 0xa0, ['unsigned long']], 'SegmentReserve' : [ 0xa8, ['unsigned long long']], 'SegmentCommit' : [ 0xb0, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb8, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xc0, ['unsigned long long']], 'TotalFreeSize' : [ 0xc8, ['unsigned long long']], 
'MaximumAllocationSize' : [ 0xd0, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd8, ['unsigned short']], 'HeaderValidateLength' : [ 0xda, ['unsigned short']], 'HeaderValidateCopy' : [ 0xe0, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe8, ['unsigned short']], 'MaximumTagIndex' : [ 0xea, ['unsigned short']], 'TagEntries' : [ 0xf0, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf8, ['_LIST_ENTRY']], 'AlignRound' : [ 0x108, ['unsigned long long']], 'AlignMask' : [ 0x110, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x118, ['_LIST_ENTRY']], 'SegmentList' : [ 0x128, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x138, ['unsigned short']], 'NonDedicatedListLength' : [ 0x13c, ['unsigned long']], 'BlocksIndex' : [ 0x140, ['pointer64', ['void']]], 'UCRIndex' : [ 0x148, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x150, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x158, ['_LIST_ENTRY']], 'LockVariable' : [ 0x168, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x170, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'Counters' : [ 0x188, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x1e8, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' 
: [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, 
['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xc8, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ForwarderLinks' : [ 0x98, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0xa8, ['_LIST_ENTRY']], 'StaticLinks' : [ 0xb8, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'LocalInfo' : [ 0x0, ['pointer64', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 
'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x370, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer64', ['void']]], 'LoggerThread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x18, ['long']], 'LoggerId' : [ 0x1c, ['unsigned long']], 'NBQHead' : [ 0x20, ['pointer64', ['void']]], 'OverflowNBQHead' : [ 0x28, ['pointer64', ['void']]], 'QueueBlockFreeList' : [ 0x30, ['_SLIST_HEADER']], 'GlobalList' : [ 0x40, ['_SLIST_HEADER']], 'BatchedBufferList' : [ 0x50, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'LoggerName' : [ 0x58, ['_UNICODE_STRING']], 'LogFileName' : [ 0x68, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x78, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x88, ['_UNICODE_STRING']], 'ClockType' : [ 0x98, ['unsigned long']], 'CollectionOn' : [ 0x9c, ['long']], 'MaximumFileSize' : [ 0xa0, ['unsigned long']], 'LoggerMode' : [ 0xa4, ['unsigned long']], 'LastFlushedBuffer' : [ 0xa8, ['unsigned long']], 'FlushTimer' : [ 0xac, ['unsigned long']], 'FlushThreshold' : [ 0xb0, ['unsigned long']], 'ByteOffset' : [ 0xb8, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0xc0, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xc8, ['unsigned long']], 'BuffersAvailable' : [ 0xcc, ['long']], 'NumberOfBuffers' : [ 0xd0, ['long']], 'MaximumBuffers' : [ 0xd4, ['unsigned long']], 'EventsLost' : [ 0xd8, ['unsigned long']], 'BuffersWritten' : [ 0xdc, ['unsigned long']], 'LogBuffersLost' : [ 0xe0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xe4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xe8, ['unsigned long']], 'BufferSize' : [ 0xec, ['unsigned long']], 'MaximumEventSize' : [ 
0xf0, ['unsigned long']], 'SequencePtr' : [ 0xf8, ['pointer64', ['long']]], 'LocalSequence' : [ 0x100, ['unsigned long']], 'InstanceGuid' : [ 0x104, ['_GUID']], 'GetCpuClock' : [ 0x118, ['pointer64', ['void']]], 'FileCounter' : [ 0x120, ['long']], 'BufferCallback' : [ 0x128, ['pointer64', ['void']]], 'PoolType' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x138, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0x148, ['unsigned char']], 'Consumers' : [ 0x150, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x160, ['unsigned long']], 'Connecting' : [ 0x168, ['_LIST_ENTRY']], 'NewConsumer' : [ 0x178, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0x180, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x188, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x1a0, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x1a8, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1b0, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1b8, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1c0, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1c8, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x1d8, ['unsigned long']], 'RealtimeDisconnectConsumerId' : [ 0x1dc, ['unsigned long']], 'NewRTEventsLost' : [ 0x1e0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1e8, ['_KEVENT']], 'FlushEvent' : [ 0x200, ['_KEVENT']], 
'FlushDpc' : [ 0x218, ['_KDPC']], 'LoggerMutex' : [ 0x258, ['_KMUTANT']], 'LoggerLock' : [ 0x290, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x298, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x2e0, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x2e8, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x330, ['long long']], 'AcceptNewEvents' : [ 0x338, ['long']], 'Flags' : [ 0x33c, ['unsigned long']], 'Persistent' : [ 0x33c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x33c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x33c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x33c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x33c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x33c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x33c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x340, ['unsigned long']], 'RequestNewFie' : [ 0x340, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x340, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x340, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x340, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x340, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 0x344, ['unsigned short']], 'StackTraceFilter' : [ 0x346, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned 
long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'Padding2' : [ 0x38, ['pointer64', ['void']]], 'GlobalEntry' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' 
: [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x170, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_17fa' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_17fc' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_17fa']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_17fe' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, 
['short']], } ], '__unnamed_1800' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_17fe']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_17fc']], 'u2' : [ 0x4, ['__unnamed_1800']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_BLOB_TYPE' : [ 0x38, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], 'LookasideIndex' : [ 0x30, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1817' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1819' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1817']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x20, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_1819']], 'ResourceId' : [ 0x11, 
['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x14, ['long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_1824' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1826' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1824']], } ], '_KALPC_SECTION' : [ 0x50, { 'u1' : [ 0x0, ['__unnamed_1826']], 'SectionObject' : [ 0x8, ['pointer64', ['void']]], 'Size' : [ 0x10, ['unsigned long long']], 'HandleTable' : [ 0x18, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x20, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x28, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'NumberOfRegions' : [ 0x38, ['unsigned long']], 'RegionListHead' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_1833' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1835' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1833']], } ], '_KALPC_REGION' : [ 0x60, { 'u1' : [ 0x0, ['__unnamed_1835']], 'RegionListEntry' : [ 0x8, ['_LIST_ENTRY']], 'Section' : [ 0x18, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x20, ['unsigned long long']], 'Size' : [ 0x28, ['unsigned long long']], 'ViewSize' : [ 0x30, ['unsigned long long']], 'ReadOnlyView' : [ 0x38, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x40, ['pointer64', ['_KALPC_VIEW']]], 'NumberOfViews' : [ 0x48, ['unsigned long']], 'ViewListHead' : [ 0x50, ['_LIST_ENTRY']], } ], '__unnamed_183b' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_183d' : [ 0x4, { 's1' : [ 0x0, 
['__unnamed_183b']], } ], '_KALPC_VIEW' : [ 0x68, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_183d']], 'Region' : [ 0x18, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x28, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x30, ['pointer64', ['void']]], 'Size' : [ 0x38, ['unsigned long long']], 'SecureViewHandle' : [ 0x40, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x48, ['pointer64', ['void']]], 'NumberOfOwnerMessages' : [ 0x50, ['unsigned long']], 'ProcessViewListEntry' : [ 0x58, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x48, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_1855' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 
'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1857' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1855']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x198, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'SequenceNo' : [ 0x20, ['unsigned long']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x38, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x40, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x48, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'PendingQueue' : [ 0xa0, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xb0, ['_LIST_ENTRY']], 'WaitQueue' : [ 0xc0, ['_LIST_ENTRY']], 'Semaphore' : [ 0xd0, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xd0, ['pointer64', ['_KEVENT']]], 'Lock' : [ 0xd8, ['_EX_PUSH_LOCK']], 'PortAttributes' : [ 0xe0, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x128, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x130, ['_LIST_ENTRY']], 'CompletionList' : [ 0x140, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0x148, ['pointer64', ['_ALPC_MESSAGE_ZONE']]], 'CanceledQueue' : [ 0x150, ['_LIST_ENTRY']], 'u1' : [ 0x160, ['__unnamed_1857']], 'TargetQueuePort' : [ 0x168, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x170, ['pointer64', ['_ALPC_PORT']]], 
'Message' : [ 0x178, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x180, ['unsigned long']], 'PendingQueueLength' : [ 0x184, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x188, ['unsigned long']], 'CanceledQueueLength' : [ 0x18c, ['unsigned long']], 'WaitQueueLength' : [ 0x190, ['unsigned long']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_17fc']], 'u2' : [ 0x4, ['__unnamed_1800']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1873' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], } ], '__unnamed_1875' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1873']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x108, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x10, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0x18, ['unsigned long long']], 
'QuotaProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x20, ['pointer64', ['void']]], 'SequenceNo' : [ 0x28, ['long']], 'u1' : [ 0x2c, ['__unnamed_1875']], 'CancelSequencePort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x40, ['long']], 'CancelListEntry' : [ 0x48, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x68, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x70, ['pointer64', ['_ALPC_PORT']]], 'UniqueTableEntry' : [ 0x78, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'MessageAttributes' : [ 0x80, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xb8, ['pointer64', ['void']]], 'DataSystemVa' : [ 0xc0, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xc8, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xd0, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xd8, ['pointer64', ['_ETHREAD']]], 'PortMessage' : [ 0xe0, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_HANDLE_DATA' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer64', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_18b4' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 
'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_18b6' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_18b4']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_18b6']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'Flags' : [ 0x18, ['unsigned long']], 'TargetThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'TotalLength' : [ 0x30, ['unsigned short']], 'Type' : [ 0x32, ['unsigned short']], 'DataInfoOffset' : [ 0x34, ['unsigned short']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x318, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, 
['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa0, ['pointer64', ['void']]], 'DynamicPart' : [ 0xa8, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb0, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc0, ['unsigned long']], 'TokenInUse' : [ 0xc4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xc8, ['unsigned long']], 'MandatoryPolicy' : [ 0xcc, ['unsigned long']], 'ProxyData' : [ 0xd0, ['pointer64', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xd8, ['pointer64', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xe0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe8, ['_LUID']], 'SidHash' : [ 0xf0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x200, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x310, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x50, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 
'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], 'HashIndex' : [ 0x14, ['unsigned short']], 'DirectoryLocked' : [ 0x16, ['unsigned char']], 'LockStateSignature' : [ 0x18, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x238, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'Mutex' : [ 0xb0, ['_ERESOURCE']], 'TypeLock' : [ 0x118, ['_EX_PUSH_LOCK']], 'Key' : [ 0x120, ['unsigned long']], 'ObjectLocks' : [ 0x128, ['array', 32, ['_EX_PUSH_LOCK']]], 'CallbackList' : [ 0x228, ['_LIST_ENTRY']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long long')]], } ], '_MMVAD_FLAGS3' : [ 0x8, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'LargePageCreating' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'Spare3' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' 
: [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit 
= 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'Abandoned' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], 
'_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x60, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'CompactHeapCalls' : [ 0x48, ['unsigned long']], 'CompactedUCRs' : [ 0x4c, ['unsigned long']], 'InBlockDeccommits' : [ 0x50, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x58, ['unsigned long long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x20, { 'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']], 'VirtualAddress' : [ 0x8, ['pointer64', ['void']]], 'FileObject' : [ 0x10, ['pointer64', ['void']]], 'ThreadId' : [ 0x18, ['unsigned long']], 'ByteCount' : [ 0x1c, ['unsigned long']], } ], '_I386_LOADER_BLOCK' : [ 0x10, { 'CommonDataArea' : [ 0x0, ['pointer64', ['void']]], 'MachineType' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x10, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], 
'_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_DEVPROPKEY' : [ 0x14, { 'fmtid' : [ 0x0, ['_GUID']], 'pid' : [ 0x10, ['unsigned long']], } ], '_WHEA_NMI_ERROR' : [ 0xc, { 'Data' : [ 0x0, ['array', 8, ['unsigned char']]], 'Flags' : [ 0x8, ['_WHEA_NMI_ERROR_FLAGS']], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_HANDLE_TABLE' : [ 0x60, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleLock' : [ 0x18, 
['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x20, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x38, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x40, ['long']], 'Flags' : [ 0x44, ['unsigned long']], 'StrictFIFO' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x48, ['long']], 'LastFreeHandleEntry' : [ 0x50, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x58, ['long']], 'NextHandleNeedingPool' : [ 0x5c, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_CANCEL_GLOBALS' : [ 0x78, { 'CancelLock' : [ 0x0, ['unsigned long long']], 'IssueLock' : [ 0x8, ['unsigned long long']], 'Counters' : [ 0x10, ['array', 25, ['long']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 
'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['unsigned long']], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_XMM_SAVE_AREA32' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, 
native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CpuValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x54, ['unsigned long']], } ], '__unnamed_19bc' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, 
['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_19be' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_19bc']], 'Private' : [ 0x0, ['__unnamed_19be']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 
0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_CMHIVE' : [ 0xb48, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x590, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5c0, ['_LIST_ENTRY']], 'HiveList' : [ 0x5d0, ['_LIST_ENTRY']], 'HiveLock' : [ 0x5e0, ['pointer64', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x5e8, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x5f0, ['pointer64', ['_KTHREAD']]], 'ViewLockLast' : [ 0x5f8, ['unsigned long']], 'ViewUnLockLast' : [ 0x5fc, ['unsigned long']], 'WriterLock' : [ 0x600, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x608, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x610, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x618, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x628, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x638, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x648, ['unsigned short']], 'PinnedViewCount' : [ 0x64a, ['unsigned short']], 'UseCount' : [ 0x64c, ['unsigned long']], 'ViewsPerHive' : [ 0x650, ['unsigned long']], 'FileObject' : [ 0x658, ['pointer64', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x660, ['unsigned long']], 'ActualFileSize' : [ 0x668, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x670, ['_UNICODE_STRING']], 'FileUserName' : [ 0x680, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x690, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x6a0, ['unsigned long']], 'SecurityCacheSize' : [ 0x6a4, ['unsigned long']], 'SecurityHitHint' : [ 0x6a8, ['long']], 'SecurityCache' : [ 0x6b0, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x6b8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 
0xab8, ['unsigned long']], 'UnloadEventArray' : [ 0xac0, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xac8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xad0, ['unsigned char']], 'UnloadWorkItem' : [ 0xad8, ['pointer64', ['_CM_WORKITEM']]], 'GrowOnlyMode' : [ 0xae0, ['unsigned char']], 'GrowOffset' : [ 0xae4, ['unsigned long']], 'KcbConvertListHead' : [ 0xae8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xaf8, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xb08, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xb10, ['unsigned long']], 'TrustClassEntry' : [ 0xb18, ['_LIST_ENTRY']], 'FlushCount' : [ 0xb28, ['unsigned long']], 'CmRm' : [ 0xb30, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xb38, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xb3c, ['long']], 'CreatorOwner' : [ 0xb40, ['pointer64', ['_KTHREAD']]], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x10, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_19ed' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_19f3' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : 
[ 0x78, { 'u1' : [ 0x0, ['__unnamed_14aa']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14ad']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b0']], 'u2' : [ 0x40, ['__unnamed_14ba']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'u3' : [ 0x60, ['__unnamed_19ed']], 'u4' : [ 0x70, ['__unnamed_19f3']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_EJOB' : [ 0x1b0, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : 
[ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0xe0, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'ActiveProcessLimit' : [ 0xf8, ['unsigned long']], 'Affinity' : [ 0x100, ['unsigned long long']], 'PriorityClass' : [ 0x108, ['unsigned char']], 'AccessState' : [ 0x110, ['pointer64', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0x118, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x11c, ['unsigned long']], 'CompletionPort' : [ 0x120, ['pointer64', ['void']]], 'CompletionKey' : [ 0x128, ['pointer64', ['void']]], 'SessionId' : [ 0x130, ['unsigned long']], 'SchedulingClass' : [ 0x134, ['unsigned long']], 'ReadOperationCount' : [ 0x138, ['unsigned long long']], 'WriteOperationCount' : [ 0x140, ['unsigned long long']], 'OtherOperationCount' : [ 0x148, ['unsigned long long']], 'ReadTransferCount' : [ 0x150, ['unsigned long long']], 'WriteTransferCount' : [ 0x158, ['unsigned long long']], 'OtherTransferCount' : [ 0x160, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x168, ['unsigned long long']], 'JobMemoryLimit' : [ 0x170, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x178, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x180, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x188, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x190, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x198, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x1a8, ['unsigned long']], 'JobFlags' : [ 0x1ac, ['unsigned long']], } ], '__unnamed_1a06' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hypervisor' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 
'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0x48, { 'Type' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['__unnamed_1a06']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['unsigned long long']], 'State' : [ 0x20, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x368, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned 
long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'SparePebPtr0' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, 
['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], } ], '__unnamed_1a1f' : [ 0x18, { 'EfiInformation' : [ 0x0, 
['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x20, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_1a1f']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_POOL_DESCRIPTOR' : [ 0x1048, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['long']], 'RunningDeAllocs' : [ 0xc, ['long']], 'TotalPages' : [ 0x10, ['long']], 'TotalBigPages' : [ 0x14, ['long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x20, ['pointer64', ['void']]], 'PendingFrees' : [ 0x28, ['pointer64', ['pointer64', ['void']]]], 'ThreadsProcessingDeferrals' : [ 0x30, ['long']], 'PendingFreeDepth' : [ 0x34, ['long']], 'TotalBytes' : [ 0x38, ['unsigned long long']], 'Spare0' : [ 0x40, ['unsigned long long']], 'ListHeads' : [ 0x48, ['array', 256, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned 
short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', 
['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned char']], 'ShareVector' : [ 0x61, ['unsigned char']], 'Mode' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x6c, ['unsigned long']], 'DispatchCount' : [ 0x70, ['unsigned long']], 'Rsvd1' : [ 0x78, ['unsigned long long']], 'TrapFrame' : [ 0x80, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x88, ['pointer64', ['void']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : 
[ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x38, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmHive2' : [ 0x28, ['pointer64', ['_CMHIVE']]], 'ThreadFinished' : [ 0x30, ['unsigned char']], 'ThreadStarted' : [ 0x31, ['unsigned char']], 'Allocate' : [ 0x32, ['unsigned char']], 'WinPERequired' : [ 0x33, ['unsigned char']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, 
['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XMM_SAVE_AREA32']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x20, { 'Flags' : [ 0x0, ['unsigned long']], 'Handles' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x10, ['unsigned long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, 
['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'StackTrace' : [ 0x8, ['array', 63, ['pointer64', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x98, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x20, ['pointer64', ['void']]], 'UserLimit' : [ 0x28, ['pointer64', ['void']]], 
'DataUserVa' : [ 0x30, ['pointer64', ['void']]], 'SystemVa' : [ 0x38, ['pointer64', ['void']]], 'TotalSize' : [ 0x40, ['unsigned long long']], 'Header' : [ 0x48, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x50, ['pointer64', ['void']]], 'ListSize' : [ 0x58, ['unsigned long long']], 'Bitmap' : [ 0x60, ['pointer64', ['void']]], 'BitmapSize' : [ 0x68, ['unsigned long long']], 'Data' : [ 0x70, ['pointer64', ['void']]], 'DataSize' : [ 0x78, ['unsigned long long']], 'BitmapLimit' : [ 0x80, ['unsigned long']], 'BitmapNextHint' : [ 0x84, ['unsigned long']], 'ConcurrencyCount' : [ 0x88, ['unsigned long']], 'AttributeFlags' : [ 0x8c, ['unsigned long']], 'AttributeSize' : [ 0x90, ['unsigned long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x98, { 'WorkQueue' : [ 0x0, ['_LIST_ENTRY']], 'ScanDpc' : [ 0x10, ['_KDPC']], 'ScanTimer' : [ 0x50, ['_KTIMER']], 'ScanActive' : [ 0x90, ['unsigned char']], 'OtherWork' : [ 0x91, ['unsigned char']], 'PendingTeardown' : [ 0x92, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, 
['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 
'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PCIXDEVICE_ERROR' : [ 0x68, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, ['_WHEA_PCIXDEVICE_ID']], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, ['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 4, ['WHEA_PCIXDEVICE_REGISTER_PAIR']]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned 
char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '__unnamed_1aa7' : [ 0x28, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x28, { 'Lock' : [ 0x0, ['__unnamed_1aa7']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit 
= 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned char']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0x18, { 'AnsiCodePageData' : [ 0x0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0x8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0x10, ['pointer64', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x100, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 22, native_type='unsigned long')]], 
'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x30, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x38, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x40, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x50, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x50, ['unsigned long']], 'SubKeyCount' : [ 0x50, ['unsigned long']], 'KeyBodyListHead' : [ 0x58, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x58, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x68, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x88, ['pointer64', ['void']]], 'KcbLastWriteTime' : [ 0x90, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x98, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x9a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x9c, ['unsigned long']], 'KcbUserFlags' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xa0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xa0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xa0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xa8, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xb0, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0xc0, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xc8, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0xd8, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0xe8, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0xf0, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0xf8, ['pointer64', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 
'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, 
end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0x8, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 
0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, 
native_type='unsigned char')]], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned 
long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x38, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 0, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, 
['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'LastSubsectionHint' : [ 0x30, ['pointer64', ['_MSUBSECTION']]], } ], '_TEB64' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long 
long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'SpareBool0' : [ 0x1744, ['unsigned char']], 'SpareBool1' : [ 0x1745, 
['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0x17ee, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_WHEA_PCIXBUS_ERROR' : [ 0x48, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXBUS_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['_WHEA_PCIXBUS_ID']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['_WHEA_PCIXBUS_COMMAND']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'CompleterId' : [ 0x38, ['unsigned 
long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x18, ['unsigned long']], 'ObjectMask' : [ 0x1c, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'OwnerCount' : [ 0x8, ['long']], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x8, ['_KGATE']], } ], '_ETIMER' : [ 0x108, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : 
[ 0xf4, ['unsigned char']], 'WakeTimer' : [ 0xf5, ['unsigned char']], 'WakeTimerListEntry' : [ 0xf8, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_WHEA_PCIXBUS_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'BusId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'BusAddress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusData' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BusCommand' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterId' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1b88' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_1b88']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_ARBITER_INSTANCE' : [ 0x698, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 
'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x150, 
['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3f0, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x690, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_WHEA_MEMORY_ERROR' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 
'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', 
choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bf2' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1bf8' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 'IrqPolicyAllProcessorsInMachine', 4: 'IrqPolicySpecifiedProcessors', 5: 'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1bfa' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1bfc' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1bfe' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1c00' : [ 0xc, { 'Priority' : [ 0x0, 
['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1c02' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c04' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c06' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c08' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1bf2']], 'Memory' : [ 0x0, ['__unnamed_1bf2']], 'Interrupt' : [ 0x0, ['__unnamed_1bf8']], 'Dma' : [ 0x0, ['__unnamed_1bfa']], 'Generic' : [ 0x0, ['__unnamed_1bf2']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bfc']], 'BusNumber' : [ 0x0, ['__unnamed_1bfe']], 'ConfigData' : [ 0x0, ['__unnamed_1c00']], 'Memory40' : [ 0x0, ['__unnamed_1c02']], 'Memory48' : [ 0x0, ['__unnamed_1c04']], 'Memory64' : [ 0x0, ['__unnamed_1c06']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1c08']], } ], '_POP_THERMAL_ZONE' : [ 0x128, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, 
['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc8, ['pointer64', ['_IRP']]], 'Info' : [ 0xd0, ['_THERMAL_INFORMATION_EX']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], 
'_WHEA_PCIXBUS_COMMAND' : [ 0x8, { 'Command' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 56, native_type='unsigned long long')]], 'PCIXCommand' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_CM_TRANS' : [ 0xb0, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 8, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x48, { 'Attributes' 
: [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ParseContext' : [ 0x10, ['pointer64', ['void']]], 'ProbeMode' : [ 0x18, ['unsigned char']], 'PagedPoolCharge' : [ 0x1c, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x20, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x24, ['unsigned long']], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'SecurityQos' : [ 0x30, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x38, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_MBCB' : 
[ 0xb8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x58, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x88, ['_BITMAP_RANGE']], } ], '__unnamed_1c4b' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1c4b']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, 
['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 
'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, 
['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_PCIXDEVICE_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfo' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumber' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'RegisterDataPairs' : [ 0x0, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], 'WHEA_PCIXDEVICE_REGISTER_PAIR' : [ 0x10, { 'Register' : [ 0x0, ['unsigned long long']], 'Data' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, 
end_bit = 64, native_type='unsigned long long')]], } ], '_WOW64_PROCESS' : [ 0x8, { 'Wow64' : [ 0x0, ['pointer64', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 
'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x238, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned 
long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'SparePebPtr0' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'HotpatchInformation' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 
'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 
'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KBUGCHECK_ACTIVE_STATE' : [ 0x4, { 'BugCheckState' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'RecursionCount' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'BugCheckOwner' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['long']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_PCIXBUS_ID' : [ 0x2, { 'BusNumber' : [ 0x0, ['unsigned char']], 'BusSegment' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x30, { 'SourceProcess' 
: [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'ObjectType' : [ 0x18, ['pointer64', ['_OBJECT_TYPE']]], 'TargetAccess' : [ 0x20, ['unsigned long']], 'ObjectInfo' : [ 0x24, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x28, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x18, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x8, ['pointer64', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x10, ['long']], 'MissedMappingsCount' : [ 0x14, ['unsigned long']], } ], '__unnamed_1cec' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cee' : [ 0x10, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' 
: [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1cf0' : [ 0x10, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1cf2' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_1cf0']], 'Translated' : [ 0x0, ['__unnamed_1cee']], } ], '__unnamed_1cf4' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf6' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf8' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cfa' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cfc' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cfe' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1d00' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_1cec']], 'Port' : [ 0x0, ['__unnamed_1cec']], 'Interrupt' : [ 0x0, ['__unnamed_1cee']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1cf2']], 'Memory' : [ 0x0, ['__unnamed_1cec']], 'Dma' : [ 0x0, ['__unnamed_1cf4']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bfc']], 'BusNumber' : [ 0x0, ['__unnamed_1cf6']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1cf8']], 'Memory40' : [ 0x0, ['__unnamed_1cfa']], 'Memory48' : [ 0x0, ['__unnamed_1cfc']], 'Memory64' : [ 0x0, ['__unnamed_1cfe']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1d00']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 
'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '__unnamed_1d07' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1d07']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMPTE_HARDWARE_LARGEPAGE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PAT' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 21, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 48, native_type='unsigned long long')]], 'reserved2' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 
0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned 
long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1d24' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_1d24']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x48, { 'Parent' : [ 0x0, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x8, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x10, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0x18, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1d2e' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x28, { 'u' : [ 0x0, ['__unnamed_14cf']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_1d2e']], 'LeftChild' : [ 0x18, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x20, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '__unnamed_1d34' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1d36' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1d34']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x98, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'TotalBusyCount' : [ 0x8, ['unsigned long']], 'ConservationIdleTime' : [ 0xc, ['unsigned long']], 'PerformanceIdleTime' : [ 0x10, ['unsigned long']], 
'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'DeviceType' : [ 0x30, ['unsigned char']], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x40, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x50, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x60, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x80, ['_LIST_ENTRY']], 'Specific' : [ 0x90, ['__unnamed_1d36']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', 
dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = 
{0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, 
['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 
'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x38, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'DriveMap' : [ 0x14, ['unsigned long']], 'DriveType' : [ 0x18, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x30, { 'InterceptorFunction' : [ 0x0, ['pointer64', ['void']]], 'InterceptorValue' : [ 0x8, ['unsigned short']], 'ExtendedOptions' : [ 0xc, ['unsigned long']], 'StackTraceDepth' : [ 0x10, ['unsigned long']], 'MinTotalBlockSize' : [ 0x18, ['unsigned long long']], 'MaxTotalBlockSize' : [ 0x20, ['unsigned long long']], 'HeapLeakEnumerationRoutine' : [ 0x28, ['pointer64', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidBits' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR_VALIDBITS']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaPciExpressEndpoint', 1: 'WheaPciExpressLegacyEndpoint', 4: 'WheaPciExpressRootPort', 5: 'WheaPciExpressUpstreamSwitchPort', 6: 'WheaPciExpressDownstreamSwitchPort', 7: 'WheaPciExpressToPciXBridge', 8: 'WheaPciXToExpressBridge', 9: 'WheaPciExpressRootComplexIntegratedEndpoint', 10: 'WheaPciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['_WHEA_PCIEXPRESS_VERSION']], 'CommandStatus' : [ 0x10, ['_WHEA_PCIEXPRESS_COMMAND_STATUS']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_WHEA_PCIEXPRESS_DEVICE_ID']], 'DeviceSerialNumber' : [ 0x28, ['unsigned long long']], 'BridgeControlStatus' : [ 0x30, ['_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], 
'__unnamed_1da8' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x98, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_1da8']], 'TargetProcessors' : [ 0x30, ['unsigned long long']], 'PStateHandler' : [ 0x38, ['pointer64', ['void']]], 'PStateContext' : [ 0x40, ['unsigned long long']], 'TStateHandler' : [ 0x48, ['pointer64', ['void']]], 'TStateContext' : [ 0x50, ['unsigned long long']], 'FeedbackHandler' : [ 0x58, ['pointer64', ['void']]], 'DiaStats' : [ 0x60, ['pointer64', ['_PPM_DIA_STATS']]], 'DiaStatsCount' : [ 0x68, ['unsigned long']], 'State' : [ 0x70, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 
'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'RequestSummary' : [ 0x0, ['long long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'Virtual' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : 
[ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_WHEA_NMI_ERROR_FLAGS' : [ 0x4, { 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 
0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xb0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x40, ['pointer64', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x48, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x50, ['unsigned long long']], 'SleepTime' : [ 0x58, ['unsigned long long']], 'FilteredCapabilities' : [ 0x60, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, 
['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x18, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x28, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x30, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x38, ['unsigned long']], 'ActiveChild' : [ 0x3c, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1e04' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1e06' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 
'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_1e04']], 'Button' : [ 0x10, ['__unnamed_1e06']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 
'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0xc8, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x20, ['pointer64', ['void']]], 'EmInfFileSize' : [ 0x28, ['unsigned long']], 'TriageDumpBlock' : [ 0x30, ['pointer64', ['void']]], 'LoaderPagesSpanned' : [ 0x38, ['unsigned long long']], 'HeadlessLoaderBlock' : [ 0x40, ['pointer64', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x48, ['pointer64', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x50, ['pointer64', ['void']]], 'DrvDBSize' : [ 0x58, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x60, ['pointer64', ['_NETWORK_LOADER_BLOCK']]], 'FirmwareDescriptorListHead' : [ 0x68, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x78, 
['pointer64', ['void']]], 'AcpiTableSize' : [ 0x80, ['unsigned long']], 'BootViaWinload' : [ 0x84, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x84, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x88, ['pointer64', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x90, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0xa0, ['pointer64', ['void']]], 'BootIdentifier' : [ 0xa8, ['_GUID']], 'ResumePages' : [ 0xb8, ['unsigned long']], 'DumpHeader' : [ 0xc0, ['pointer64', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_WHEA_PCIEXPRESS_VERSION' : [ 0x4, { 'MinorVersion' : [ 0x0, ['unsigned char']], 'MajorVersion' : [ 0x1, ['unsigned char']], 'Reserved' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x3f8, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', 
['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], 'StartAddress' : [ 0x28, ['pointer64', ['void']]], 'EndAddress' : [ 0x30, ['pointer64', ['void']]], 'Flags' : [ 0x38, ['unsigned long']], 'Signature' : [ 0x40, ['unsigned long long']], 'PoolPageHeaders' : [ 0x50, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x60, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x70, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x74, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x78, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x7c, ['unsigned long']], 
'PagedBytes' : [ 0x80, ['unsigned long long']], 'NonPagedBytes' : [ 0x88, ['unsigned long long']], 'PeakPagedBytes' : [ 0x90, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x98, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x30, { 'Mdl' : [ 0x0, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x8, ['pointer64', ['void']]], 'UserLimit' : [ 0x10, ['pointer64', ['void']]], 'SystemVa' : [ 0x18, ['pointer64', ['void']]], 'SystemLimit' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, 
['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, 
['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, 
['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x18, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer64', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0x10, ['pointer64', ['void']]], } ], '_PEB64' : [ 0x368, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 
'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'SparePebPtr0' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 
'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', 
['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_1eac' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1e00, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1eac']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x20, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x28, ['unsigned long long']], 'NonPagablePages' : [ 0x30, ['unsigned long long']], 'CommittedPages' : [ 0x38, ['unsigned long long']], 'PagedPoolStart' : [ 0x40, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x48, ['pointer64', ['void']]], 'SessionObject' : [ 0x50, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x58, ['pointer64', ['void']]], 'ResidentProcessCount' : [ 0x60, ['long']], 'ImageLoadingCount' : [ 0x64, ['long']], 'SessionPoolAllocationFailures' : [ 0x68, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachGate' : [ 0x90, ['_KGATE']], 'WsListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xc68, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc70, ['pointer64', ['void']]], 'PagedPool' 
: [ 0xc78, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1cc0, ['_MMPTE']], 'SessionVaLock' : [ 0x1cc8, ['_KGUARDED_MUTEX']], 'DynamicVaBitMap' : [ 0x1d00, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1d10, ['unsigned long']], 'SpecialPool' : [ 0x1d18, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1d48, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1d80, ['long']], 'PagedPoolPdeCount' : [ 0x1d84, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1d88, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1d8c, ['unsigned long']], 'SystemPteInfo' : [ 0x1d90, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1dd8, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1de0, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1de8, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1df0, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 
'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', 
dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], 
'_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned long']], 'PagedPoolCommit' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']], 'TargetAddress' : [ 0xa0, ['unsigned long long']], 'RequesterId' : [ 0xa8, ['unsigned long long']], 'ResponderId' : [ 
0xb0, ['unsigned long long']], 'InstructionPointer' : [ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x30, { 'PteBase' : [ 0x0, ['pointer64', ['_MMPTE']]], 'FreePteHead' : [ 0x8, ['_MMPTE']], 'FreePteTail' : [ 0x10, ['_MMPTE']], 'PagesInUse' : [ 0x18, ['long long']], 'SpecialPoolPdes' : [ 0x20, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, 
['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS' : [ 0x4, { 'BridgeSecondaryStatus' : [ 0x0, ['unsigned short']], 'BridgeControl' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1f26' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1f28' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1f26']], 
'Merged' : [ 0x10, ['__unnamed_1f28']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['void']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_1f31' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1f31']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', 
['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14cf']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'u1' : [ 0x38, ['__unnamed_1d2e']], 'LeftChild' : [ 0x40, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x48, ['pointer64', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x70, { 'GetTime' : [ 0x0, ['unsigned long long']], 'SetTime' : [ 0x8, ['unsigned long long']], 'GetWakeupTime' : [ 0x10, ['unsigned long long']], 'SetWakeupTime' : [ 0x18, ['unsigned long long']], 'SetVirtualAddressMap' : [ 0x20, ['unsigned long long']], 'ConvertPointer' : [ 0x28, ['unsigned long long']], 'GetVariable' : [ 0x30, ['unsigned long long']], 'GetNextVariableName' : [ 0x38, ['unsigned long long']], 'SetVariable' : [ 0x40, ['unsigned long long']], 'GetNextHighMonotonicCount' : [ 0x48, ['unsigned long long']], 'ResetSystem' : [ 0x50, ['unsigned long long']], 'UpdateCapsule' : [ 0x58, ['unsigned long long']], 'QueryCapsuleCapabilities' : [ 0x60, ['unsigned long long']], 'QueryVariableInfo' : [ 0x68, ['unsigned long long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned 
char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 
'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_WHEA_MEMORY_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, 
end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer64', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1f51' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_1f55' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x50, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, 
['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_1f51']], 'u2' : [ 0x38, ['__unnamed_1f55']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x48, ['array', 1, ['_MMPTE']]], } ], '_WHEA_PCIXDEVICE_ID' : [ 0x10, { 'VendorId' : [ 0x0, ['unsigned short']], 'DeviceId' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'BusNumber' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'SegmentNumber' : [ 0x8, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'Reserved1' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['unsigned long']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x60, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, 
['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, 
['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x48, ['pointer64', ['void']]], 'CallersCaller' : [ 0x50, ['pointer64', ['void']]], } ], '_MMPFNLIST' : [ 0x20, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], } ], '_DEVOBJ_EXTENSION' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependentList' : [ 0x50, ['_LIST_ENTRY']], 'ProviderList' : [ 0x60, ['_LIST_ENTRY']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned 
char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_WHEA_PCIEXPRESS_COMMAND_STATUS' : [ 0x4, { 'Command' : [ 0x0, ['unsigned short']], 'Status' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' 
: [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR_VALIDBITS' : [ 0x8, { 'PortType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Version' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'CommandStatus' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'DeviceId' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'DeviceSerialNumber' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BridgeControlStatus' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'ExpressCapability' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AerInfo' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'EnableMask' : [ 0x1c, ['unsigned char']], 'ReplyQueue' : [ 0x20, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x20, ['array', 4, ['pointer64', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x40, ['pointer64', ['_EPROCESS']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'CallbackContext' : [ 0x48, ['pointer64', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 
0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 
1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0xc0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x40, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x50, ['unsigned long long']], 'Color' : [ 0x58, ['unsigned char']], 'Seed' : [ 0x59, ['unsigned char']], 'NodeNumber' : [ 0x5a, ['unsigned char']], 'Flags' : [ 0x5b, ['_flags']], 'MmShiftedColor' : [ 0x5c, ['unsigned long']], 'FreeCount' : [ 0x60, ['array', 2, ['unsigned long long']]], 'PfnDeferredList' : [ 0x70, ['pointer64', ['_SLIST_ENTRY']]], 'Right' : [ 0x78, ['unsigned long']], 'Left' : [ 0x7c, ['unsigned long']], 'CachedKernelStacks' : [ 0x80, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x2b8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x288, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x28c, ['long']], 'Pending' : [ 0x290, ['_LIST_ENTRY']], 'Status' : [ 0x2a0, ['long']], 'FailedDevice' : [ 0x2a8, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x2b0, ['unsigned 
char']], 'Cancelled' : [ 0x2b1, ['unsigned char']], 'IgnoreErrors' : [ 0x2b2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x2b3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x2b4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID32' : 
[ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_TEB32' : [ 0xff8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes1' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 
'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'SpareBool0' : [ 0xf74, ['unsigned char']], 'SpareBool1' : [ 0xf75, ['unsigned char']], 'SpareBool2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', 
dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'DbgSafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'ProcessRundown' : [ 0xfdc, ['unsigned long']], 'LastSwitchTime' : [ 0xfe0, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']], 'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x30, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 
'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], } ], '_PPM_IDLE_STATE' : [ 0x28, { 'IdleHandler' : [ 0x0, ['pointer64', ['void']]], 'Context' : [ 0x8, ['pointer64', ['void']]], 'Latency' : [ 0x10, ['unsigned long']], 'Power' : [ 0x14, ['unsigned long']], 'TimeCheck' : [ 0x18, ['unsigned long']], 'StateFlags' : [ 0x1c, ['unsigned long']], 'PromotePercent' : [ 0x20, ['unsigned char']], 'DemotePercent' : [ 0x21, ['unsigned char']], 'PromotePercentBase' : [ 0x22, ['unsigned char']], 'DemotePercentBase' : [ 0x23, ['unsigned char']], 'StateType' : [ 0x24, ['unsigned char']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, 
['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x90, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, 
['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8168, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 
'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x803c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']], 'TotalReleases' : [ 0x8044, ['unsigned long']], 'RootNodesDeleted' : [ 0x8048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x804c, ['unsigned long']], 'Instigator' : [ 0x8050, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8058, ['unsigned long']], 'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8160, ['long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x80, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'PrepareUIEvent' : [ 0x28, ['_KEVENT']], 'PowerOnEvent' : [ 0x40, ['_KEVENT']], 'DoneEvent' : [ 0x58, ['_KEVENT']], 'WorkerQueued' : [ 0x70, ['unsigned long']], 'WorkerAbort' : [ 0x74, ['unsigned long']], 'NoResumeUI' : [ 0x78, ['unsigned long']], } ], '_KPCR' : [ 0x3ca0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, 
['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KTM' : [ 0x3a0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, 
['_LIST_ENTRY']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win2003_sp0_x86_vtypes.py0000644000000000000000000106357513131215405030752 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_100a' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_100a']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '__unnamed_101b' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_101b']], 'QuadPart' : [ 0x0, ['long long']], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_KPRCB' : [ 0xdd0, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'ProcessorState' : [ 0x1c, 
['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'PrcbPad0' : [ 0x3bc, ['array', 92, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 16, ['_KSPIN_LOCK_QUEUE']]], 'PrcbPad1' : [ 0x498, ['array', 8, ['unsigned char']]], 'NpxThread' : [ 0x4a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x4a4, ['unsigned long']], 'KernelTime' : [ 0x4a8, ['unsigned long']], 'UserTime' : [ 0x4ac, ['unsigned long']], 'DpcTime' : [ 0x4b0, ['unsigned long']], 'DebugDpcTime' : [ 0x4b4, ['unsigned long']], 'InterruptTime' : [ 0x4b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4bc, ['unsigned long']], 'PageColor' : [ 0x4c0, ['unsigned long']], 'SkipTick' : [ 0x4c4, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x4c5, ['unsigned char']], 'Spare1' : [ 0x4c6, ['array', 6, ['unsigned char']]], 'ParentNode' : [ 0x4cc, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x4d0, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x4d4, ['pointer', ['_KPRCB']]], 'ThreadStartCount' : [ 0x4d8, ['array', 2, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x4f8, ['unsigned long']], 'SpareCounter0' : [ 0x4fc, ['unsigned long']], 'KeDcacheFlushCount' : [ 0x500, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x504, ['unsigned long']], 'KeFirstLevelTbFills' : [ 0x508, ['unsigned long']], 'KeFloatingEmulationCount' : [ 0x50c, ['unsigned long']], 'KeIcacheFlushCount' : [ 0x510, ['unsigned long']], 'KeSecondLevelTbFills' : [ 0x514, ['unsigned long']], 'KeSystemCalls' : [ 0x518, ['unsigned long']], 'SpareCounter1' : [ 0x51c, ['unsigned long']], 'PPLookasideList' : [ 0x520, ['array', 16, 
['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x5a0, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PPPagedLookasideList' : [ 0x6a0, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PacketBarrier' : [ 0x7a0, ['unsigned long']], 'ReverseStall' : [ 0x7a4, ['unsigned long']], 'IpiFrame' : [ 0x7a8, ['pointer', ['void']]], 'PrcbPad2' : [ 0x7ac, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x7e0, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x7ec, ['unsigned long']], 'WorkerRoutine' : [ 0x7f0, ['pointer', ['void']]], 'IpiFrozen' : [ 0x7f4, ['unsigned long']], 'PrcbPad3' : [ 0x7f8, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x820, ['unsigned long']], 'SignalDone' : [ 0x824, ['pointer', ['_KPRCB']]], 'PrcbPad4' : [ 0x828, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x860, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x888, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x88c, ['unsigned long']], 'DpcRequestRate' : [ 0x890, ['unsigned long']], 'MinimumDpcRate' : [ 0x894, ['unsigned long']], 'DpcInterruptRequested' : [ 0x898, ['unsigned char']], 'DpcThreadRequested' : [ 0x899, ['unsigned char']], 'DpcRoutineActive' : [ 0x89a, ['unsigned char']], 'DpcThreadActive' : [ 0x89b, ['unsigned char']], 'PrcbLock' : [ 0x89c, ['unsigned long']], 'DpcLastCount' : [ 0x8a0, ['unsigned long']], 'TimerHand' : [ 0x8a4, ['unsigned long']], 'TimerRequest' : [ 0x8a8, ['unsigned long']], 'DpcThread' : [ 0x8ac, ['pointer', ['void']]], 'DpcEvent' : [ 0x8b0, ['_KEVENT']], 'ThreadDpcEnable' : [ 0x8c0, ['unsigned char']], 'QuantumEnd' : [ 0x8c1, ['unsigned char']], 'PrcbPad50' : [ 0x8c2, ['unsigned char']], 'IdleSchedule' : [ 0x8c3, ['unsigned char']], 'DpcSetEventRequest' : [ 0x8c4, ['long']], 'PrcbPad5' : [ 0x8c8, ['array', 22, ['unsigned char']]], 'CallDpc' : [ 0x8e0, ['_KDPC']], 'PrcbPad7' : [ 0x900, ['array', 8, ['unsigned long']]], 'WaitListHead' : [ 0x920, ['_LIST_ENTRY']], 'ReadySummary' : [ 0x928, ['unsigned long']], 'SelectNextLast' : [ 0x92c, ['unsigned 
long']], 'DispatcherReadyListHead' : [ 0x930, ['array', 32, ['_LIST_ENTRY']]], 'DeferredReadyListHead' : [ 0xa30, ['_SINGLE_LIST_ENTRY']], 'PrcbPad72' : [ 0xa34, ['array', 11, ['unsigned long']]], 'ChainedInterruptList' : [ 0xa60, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0xa64, ['long']], 'SpareFields0' : [ 0xa68, ['array', 4, ['unsigned long']]], 'VendorString' : [ 0xa78, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0xa85, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0xa86, ['unsigned char']], 'MHz' : [ 0xa88, ['unsigned long']], 'FeatureBits' : [ 0xa8c, ['unsigned long']], 'UpdateSignature' : [ 0xa90, ['_LARGE_INTEGER']], 'IsrTime' : [ 0xa98, ['unsigned long long']], 'NpxSaveArea' : [ 0xaa0, ['_FX_SAVE_AREA']], 'PowerState' : [ 0xcb0, ['_PROCESSOR_POWER_STATE']], } ], '_KPCR' : [ 0xef0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'PerfGlobalGroupMask' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : 
[ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Spare0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_KTHREAD' : [ 0x1c8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListHead' : [ 0x10, ['_LIST_ENTRY']], 'InitialStack' : [ 0x18, ['pointer', ['void']]], 'StackLimit' : [ 0x1c, ['pointer', ['void']]], 'KernelStack' : [ 0x20, ['pointer', ['void']]], 'ThreadLock' : [ 0x24, ['unsigned long']], 'ContextSwitches' : [ 0x28, ['unsigned long']], 'State' : [ 0x2c, ['unsigned char']], 'NpxState' : [ 0x2d, ['unsigned char']], 'WaitIrql' : [ 0x2e, ['unsigned char']], 'WaitMode' : [ 0x2f, ['unsigned char']], 'Teb' : [ 0x30, ['pointer', ['void']]], 'ApcState' : [ 0x34, ['_KAPC_STATE']], 'ApcQueueLock' : [ 0x4c, ['unsigned long']], 'WaitStatus' : [ 0x50, ['long']], 'WaitBlockList' : [ 0x54, ['pointer', ['_KWAIT_BLOCK']]], 'Alertable' : [ 0x58, ['unsigned char']], 'WaitNext' : [ 0x59, ['unsigned char']], 'WaitReason' : [ 0x5a, 
['unsigned char']], 'Priority' : [ 0x5b, ['unsigned char']], 'EnableStackSwap' : [ 0x5c, ['unsigned char']], 'SwapBusy' : [ 0x5d, ['unsigned char']], 'Alerted' : [ 0x5e, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x60, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x68, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x6c, ['unsigned long']], 'KernelApcDisable' : [ 0x70, ['short']], 'SpecialApcDisable' : [ 0x72, ['short']], 'CombinedApcDisable' : [ 0x70, ['unsigned long']], 'Timer' : [ 0x78, ['_KTIMER']], 'WaitBlock' : [ 0xa0, ['array', 4, ['_KWAIT_BLOCK']]], 'QueueListEntry' : [ 0x100, ['_LIST_ENTRY']], 'ApcStateIndex' : [ 0x108, ['unsigned char']], 'ApcQueueable' : [ 0x109, ['unsigned char']], 'Preempted' : [ 0x10a, ['unsigned char']], 'ProcessReadyQueue' : [ 0x10b, ['unsigned char']], 'KernelStackResident' : [ 0x10c, ['unsigned char']], 'Saturation' : [ 0x10d, ['unsigned char']], 'IdealProcessor' : [ 0x10e, ['unsigned char']], 'NextProcessor' : [ 0x10f, ['unsigned char']], 'BasePriority' : [ 0x110, ['unsigned char']], 'Spare4' : [ 0x111, ['unsigned char']], 'PriorityDecrement' : [ 0x112, ['unsigned char']], 'Quantum' : [ 0x113, ['unsigned char']], 'SystemAffinityActive' : [ 0x114, ['unsigned char']], 'PreviousMode' : [ 0x115, ['unsigned char']], 'ResourceIndex' : [ 0x116, ['unsigned char']], 'DisableBoost' : [ 0x117, ['unsigned char']], 'UserAffinity' : [ 0x118, ['unsigned long']], 'Process' : [ 0x11c, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x120, ['unsigned long']], 'ServiceTable' : [ 0x124, ['pointer', ['void']]], 'ApcStatePointer' : [ 0x128, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x130, ['_KAPC_STATE']], 'CallbackStack' : [ 0x148, ['pointer', ['void']]], 'Win32Thread' : [ 0x14c, ['pointer', ['void']]], 'TrapFrame' : [ 0x150, ['pointer', ['_KTRAP_FRAME']]], 'KernelTime' : [ 0x154, ['unsigned long']], 'UserTime' : [ 0x158, ['unsigned long']], 'StackBase' : [ 0x15c, ['pointer', ['void']]], 
'SuspendApc' : [ 0x160, ['_KAPC']], 'SuspendSemaphore' : [ 0x190, ['_KSEMAPHORE']], 'TlsArray' : [ 0x1a4, ['pointer', ['void']]], 'LegoData' : [ 0x1a8, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x1ac, ['_LIST_ENTRY']], 'LargeStack' : [ 0x1b4, ['unsigned char']], 'PowerState' : [ 0x1b5, ['unsigned char']], 'NpxIrql' : [ 0x1b6, ['unsigned char']], 'Spare5' : [ 0x1b7, ['unsigned char']], 'AutoAlignment' : [ 0x1b8, ['unsigned char']], 'Iopl' : [ 0x1b9, ['unsigned char']], 'FreezeCount' : [ 0x1ba, ['unsigned char']], 'SuspendCount' : [ 0x1bb, ['unsigned char']], 'Spare0' : [ 0x1bc, ['array', 1, ['unsigned char']]], 'UserIdealProcessor' : [ 0x1bd, ['unsigned char']], 'DeferredProcessor' : [ 0x1be, ['unsigned char']], 'AdjustReason' : [ 0x1bf, ['unsigned char']], 'AdjustIncrement' : [ 0x1c0, ['unsigned char']], 'Spare2' : [ 0x1c1, ['array', 3, ['unsigned char']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x100, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x100, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 
'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Exclusive' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x24, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['unsigned long']], 'Exclusive' : [ 0x20, ['unsigned char']], } ], 
'_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_ETHREAD' : [ 0x260, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1c8, ['_LARGE_INTEGER']], 'NestedFaultCount' : [ 0x1c8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'ApcNeeded' : [ 0x1c8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitTime' : [ 0x1d0, ['_LARGE_INTEGER']], 'LpcReplyChain' : [ 0x1d0, ['_LIST_ENTRY']], 'KeyedWaitChain' : [ 0x1d0, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1d8, ['long']], 'OfsChain' : [ 0x1d8, ['pointer', ['void']]], 'PostBlockList' : [ 0x1dc, ['_LIST_ENTRY']], 'TerminationPort' : [ 0x1e4, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1e4, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1e4, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x1e8, ['unsigned long']], 'ActiveTimerListHead' : [ 0x1ec, ['_LIST_ENTRY']], 'Cid' : [ 0x1f4, ['_CLIENT_ID']], 'LpcReplySemaphore' : [ 0x1fc, ['_KSEMAPHORE']], 'KeyedWaitSemaphore' : [ 0x1fc, ['_KSEMAPHORE']], 'LpcReplyMessage' : [ 0x210, ['pointer', ['void']]], 'LpcWaitingOnPort' : [ 0x210, ['pointer', ['void']]], 'ImpersonationInfo' : [ 0x214, ['pointer', ['_PS_IMPERSONATION_INFORMATION']]], 'IrpList' : [ 0x218, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x220, ['unsigned long']], 'DeviceToVerify' : [ 0x224, ['pointer', ['_DEVICE_OBJECT']]], 'ThreadsProcess' : [ 0x228, ['pointer', ['_EPROCESS']]], 'StartAddress' : [ 0x22c, ['pointer', ['void']]], 'Win32StartAddress' : [ 0x230, ['pointer', ['void']]], 'LpcReceivedMessageId' : [ 0x230, ['unsigned long']], 'ThreadListEntry' : [ 0x234, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x23c, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x240, ['_EX_PUSH_LOCK']], 'LpcReplyMessageId' : [ 0x244, ['unsigned long']], 'ReadClusterSize' : [ 0x248, ['unsigned long']], 'GrantedAccess' : [ 0x24c, ['unsigned long']], 'CrossThreadFlags' : [ 0x250, ['unsigned long']], 'Terminated' : [ 0x250, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeadThread' : [ 0x250, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x250, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x250, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x250, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x250, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x250, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x250, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x250, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x254, ['unsigned long']], 'ActiveExWorker' : [ 0x254, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x254, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x254, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x254, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x258, ['unsigned long']], 'LpcReceivedMsgIdValid' : [ 0x258, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'LpcExitThreadCalled' : [ 0x258, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'AddressSpaceOwner' : [ 0x258, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ForwardClusterOnly' : [ 0x25c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x25d, ['unsigned char']], } ], '_EPROCESS' : [ 0x278, { 'Pcb' : [ 0x0, ['_KPROCESS']], 
'ProcessLock' : [ 0x6c, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x70, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x78, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x80, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x84, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0x88, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0x90, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0x9c, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xa8, ['unsigned long']], 'PeakVirtualSize' : [ 0xac, ['unsigned long']], 'VirtualSize' : [ 0xb0, ['unsigned long']], 'SessionProcessLinks' : [ 0xb4, ['_LIST_ENTRY']], 'DebugPort' : [ 0xbc, ['pointer', ['void']]], 'ExceptionPort' : [ 0xc0, ['pointer', ['void']]], 'ObjectTable' : [ 0xc4, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xc8, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xcc, ['unsigned long']], 'AddressCreationLock' : [ 0xd0, ['_KGUARDED_MUTEX']], 'HyperSpaceLock' : [ 0xf0, ['unsigned long']], 'ForkInProgress' : [ 0xf4, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0xf8, ['unsigned long']], 'PhysicalVadRoot' : [ 0xfc, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x100, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x104, ['unsigned long']], 'NumberOfLockedPages' : [ 0x108, ['unsigned long']], 'Win32Process' : [ 0x10c, ['pointer', ['void']]], 'Job' : [ 0x110, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x114, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x118, ['pointer', ['void']]], 'QuotaBlock' : [ 0x11c, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x120, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x124, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x128, ['pointer', ['void']]], 'LdtInformation' : [ 0x12c, ['pointer', ['void']]], 'VadFreeHint' : [ 0x130, ['pointer', ['void']]], 'VdmObjects' : [ 0x134, ['pointer', ['void']]], 'DeviceMap' : [ 0x138, ['pointer', ['void']]], 'Spare0' : [ 0x13c, ['array', 3, ['pointer', ['void']]]], 'PageDirectoryPte' : [ 0x148, ['_HARDWARE_PTE']], 
'Filler' : [ 0x148, ['unsigned long long']], 'Session' : [ 0x150, ['pointer', ['void']]], 'ImageFileName' : [ 0x154, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x164, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x16c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x170, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x178, ['pointer', ['void']]], 'PaeTop' : [ 0x17c, ['pointer', ['void']]], 'ActiveThreads' : [ 0x180, ['unsigned long']], 'GrantedAccess' : [ 0x184, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x188, ['unsigned long']], 'LastThreadExitStatus' : [ 0x18c, ['long']], 'Peb' : [ 0x190, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x194, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x198, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1a0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1a8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1c8, ['unsigned long']], 'CommitChargePeak' : [ 0x1cc, ['unsigned long']], 'AweInfo' : [ 0x1d0, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1d4, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1d8, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x238, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x240, ['unsigned long']], 'JobStatus' : [ 0x244, ['unsigned long']], 'Flags' : [ 0x248, ['unsigned long']], 'CreateReported' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x248, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x248, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x248, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x248, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x248, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x248, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SessionCreationUnderway' : [ 0x248, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x248, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x248, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x248, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x248, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x248, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x248, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x248, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x248, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x248, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x248, ['BitField', dict(start_bit = 24, end_bit = 25, 
native_type='unsigned long')]], 'Unused' : [ 0x248, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x24c, ['long']], 'NextPageColor' : [ 0x250, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x252, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x253, ['unsigned char']], 'SubSystemVersion' : [ 0x252, ['unsigned short']], 'PriorityClass' : [ 0x254, ['unsigned char']], 'VadRoot' : [ 0x258, ['_MM_AVL_TABLE']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x190, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x38, ['_LIST_ENTRY']], 'Name' : [ 0x40, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x48, ['pointer', ['void']]], 'Index' : [ 0x4c, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x50, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x54, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x58, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x5c, ['unsigned long']], 'TypeInfo' : [ 0x60, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0xac, ['unsigned long']], 'ObjectLocks' : [ 0xb0, ['array', 4, ['_ERESOURCE']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 
0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_KPROCESS' : [ 0x6c, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['array', 2, ['unsigned long']]], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Iopl' : [ 0x32, ['unsigned char']], 'Unused' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'StackCount' : [ 0x60, ['unsigned short']], 'BasePriority' : [ 0x62, ['unsigned char']], 'ThreadQuantum' : [ 0x63, ['unsigned char']], 'AutoAlignment' : [ 0x64, ['unsigned char']], 'State' : [ 0x65, ['unsigned char']], 'ThreadSeed' : [ 0x66, ['unsigned char']], 'DisableBoost' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'DisableQuantum' : [ 0x69, ['unsigned char']], 'IdealNode' : [ 0x6a, ['unsigned char']], 'Spare' : [ 0x6b, ['unsigned char']], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned short']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, 
['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_1128' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_1128']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], '__unnamed_1132' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'ReadStatus' : [ 0x0, ['long']], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1136' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_1139' : [ 0x4, { 'ShortFlags' : [ 0x0, ['unsigned short']], 'ReferenceCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_113b' : [ 0x4, { 'e1' : [ 0x0, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1139']], } ], '__unnamed_1144' : [ 0x4, { 'EntireFrame' : [ 0x0, ['unsigned long']], 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 26, native_type='unsigned long')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'LockCharged' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'KernelStack' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'MustBeCached' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1132']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'u2' : [ 0x8, ['__unnamed_1136']], 
'u3' : [ 0xc, ['__unnamed_113b']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_1144']], } ], '__unnamed_114e' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_114e']], } ], '_MMPAGING_FILE' : [ 0x3c, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'CurrentUsage' : [ 0x10, ['unsigned long']], 'PeakUsage' : [ 0x14, ['unsigned long']], 'HighestPage' : [ 0x18, ['unsigned long']], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x20, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x28, ['_UNICODE_STRING']], 'Bitmap' : [ 0x30, ['pointer', ['_RTL_BITMAP']]], 'PageFileNumber' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'ReferenceCount' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'BootPartition' : [ 0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Reserved' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'FileHandle' : [ 0x38, ['pointer', ['void']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 
'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned 
long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], 
'_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_11ca' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_11ca']], } ], '__unnamed_11d1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, 
['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_11d1']], } ], '__unnamed_11e0' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_11e0']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], } ], '_SHARED_CACHE_MAP' : [ 0x130, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, 
['pointer', ['pointer', ['_VACB']]]], 'FileObject' : [ 0x44, ['pointer', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'VacbPushLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '__unnamed_1202' : [ 0x10, { 'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_1204' : [ 0x2, { 'FreeListsInUseTerminate' : [ 0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' : [ 0x588, { 'Entry' : [ 0x0, 
['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'ForceFlags' : [ 0x10, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x14, ['unsigned long']], 'SegmentReserve' : [ 0x18, ['unsigned long']], 'SegmentCommit' : [ 0x1c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x20, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x24, ['unsigned long']], 'TotalFreeSize' : [ 0x28, ['unsigned long']], 'MaximumAllocationSize' : [ 0x2c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x30, ['unsigned short']], 'HeaderValidateLength' : [ 0x32, ['unsigned short']], 'HeaderValidateCopy' : [ 0x34, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x38, ['unsigned short']], 'MaximumTagIndex' : [ 0x3a, ['unsigned short']], 'TagEntries' : [ 0x3c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x40, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x44, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AlignRound' : [ 0x48, ['unsigned long']], 'AlignMask' : [ 0x4c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x50, ['_LIST_ENTRY']], 'Segments' : [ 0x58, ['array', 64, ['pointer', ['_HEAP_SEGMENT']]]], 'u' : [ 0x158, ['__unnamed_1202']], 'u2' : [ 0x168, ['__unnamed_1204']], 'AllocatorBackTraceIndex' : [ 0x16a, ['unsigned short']], 'NonDedicatedListLength' : [ 0x16c, ['unsigned long']], 'LargeBlocksIndex' : [ 0x170, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0x174, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x178, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0x578, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x57c, ['pointer', ['void']]], 'FrontEndHeap' : [ 0x580, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0x584, ['unsigned short']], 'FrontEndHeapType' : [ 0x586, ['unsigned char']], 'LastSegmentIndex' : [ 0x587, ['unsigned char']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, 
['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'Bucket' : [ 0x0, ['pointer', ['void']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'FreeThreshold' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_TOKEN' : [ 0xa8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, ['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : [ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x6c, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x70, ['pointer', ['void']]], 'Privileges' : [ 0x74, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x78, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0x7c, ['pointer', ['_ACL']]], 'TokenType' : [ 0x80, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x84, 
['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0x88, ['unsigned char']], 'TokenInUse' : [ 0x89, ['unsigned char']], 'ProxyData' : [ 0x8c, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0x90, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0x94, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0x98, ['_LUID']], 'VariablePart' : [ 0xa0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x18, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned long']], 'pDeviceMap' : [ 0x14, ['pointer', ['_DEVICE_MAP']]], } ], '_HEAP_UCR_SEGMENT' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x4, ['unsigned long']], 'CommittedSize' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerThreads' : [ 0x18, ['array', 2, ['_OWNER_ENTRY']]], 'ContentionCount' : [ 0x28, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x2c, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x2e, ['unsigned short']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 
'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x50, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], } ], '_HEAP_UNCOMMMTTED_RANGE' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x128, { 'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, ['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, 
['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long']], 'ResourceDatabase' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x30, ['pointer', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x34, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x38, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x3c, ['unsigned long']], 'NodesSearched' : [ 0x40, ['unsigned long']], 'MaxNodesSearched' : [ 0x44, ['unsigned long']], 'SequenceNumber' : [ 0x48, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4c, ['unsigned long']], 'SearchedNodesLimit' : [ 0x50, ['unsigned long']], 'DepthLimitHits' : [ 0x54, ['unsigned long']], 'SearchLimitHits' : [ 0x58, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x5c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x60, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x64, ['unsigned long']], 'TotalReleases' : [ 0x68, ['unsigned long']], 'RootNodesDeleted' : [ 0x6c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x70, ['unsigned long']], 'PoolTrimCounter' : [ 0x74, ['unsigned long']], 'FreeResourceList' : [ 0x78, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x80, ['_LIST_ENTRY']], 'FreeNodeList' : [ 0x88, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0x90, ['unsigned long']], 'FreeThreadCount' : [ 0x94, ['unsigned long']], 'FreeNodeCount' : [ 0x98, ['unsigned long']], 'Instigator' : [ 0x9c, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0xa0, ['unsigned long']], 'Participant' : [ 0xa4, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x124, ['unsigned long']], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned 
long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SEGMENT_OBJECT' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x20, ['pointer', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x24, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x28, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_12ea' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 0x30, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' 
: [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x18, ['unsigned long']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_12ea']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'FlushInProgressCount' : [ 0x2e, ['unsigned short']], } ], '_HANDLE_TABLE' : [ 0x44, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleTableLock' : [ 0xc, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x1c, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x24, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x28, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x2c, ['long']], 'FirstFree' : [ 0x30, ['unsigned long']], 'LastFree' : [ 0x34, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x38, ['unsigned long']], 'HandleCount' : [ 0x3c, ['long']], 'Flags' : [ 0x40, ['unsigned long']], 'StrictFIFO' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_MMSUPPORT' : [ 0x60, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimTime' : [ 0x8, ['_LARGE_INTEGER']], 'Flags' : [ 0x10, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x14, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x18, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x1c, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x20, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x24, ['unsigned long']], 'VmWorkingSetList' : [ 0x28, ['pointer', ['_MMWSL']]], 'Claim' : [ 0x2c, ['unsigned long']], 'NextEstimationSlot' : [ 0x30, ['unsigned long']], 'NextAgingSlot' : [ 0x34, ['unsigned long']], 'EstimatedAvailable' : [ 0x38, ['unsigned long']], 'WorkingSetSize' : [ 0x3c, ['unsigned long']], 'WorkingSetMutex' : [ 0x40, ['_KGUARDED_MUTEX']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]], 'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['unsigned short']]], } ], '_EPROCESS_QUOTA_BLOCK' : [ 0x40, { 'QuotaEntry' : [ 0x0, ['array', 3, ['_EPROCESS_QUOTA_ENTRY']]], 'QuotaList' : [ 0x30, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x38, ['unsigned long']], 'ProcessCount' : [ 0x3c, ['unsigned long']], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_EVENT_COUNTER' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'RefCount' : [ 0x4, ['unsigned long']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_EJOB' : [ 0x180, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, 
['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'UIRestrictionsClass' : [ 0xb0, ['unsigned long']], 'SecurityLimitFlags' : [ 0xb4, ['unsigned long']], 'Token' : [ 0xb8, ['pointer', ['void']]], 'Filter' : [ 0xbc, ['pointer', ['_PS_JOB_TOKEN_FILTER']]], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'IoInfo' : [ 0x108, ['_IO_COUNTERS']], 'ProcessMemoryLimit' : [ 0x138, ['unsigned long']], 'JobMemoryLimit' : [ 0x13c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x140, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x144, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x148, ['unsigned long']], 'MemoryLimitsLock' : [ 0x14c, ['_KGUARDED_MUTEX']], 'JobSetLinks' : [ 0x16c, 
['_LIST_ENTRY']], 'MemberLevel' : [ 0x174, ['unsigned long']], 'JobFlags' : [ 0x178, ['unsigned long']], } ], '_LARGE_CONTROL_AREA' : [ 0x40, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSubsections' : [ 0x18, ['unsigned short']], 'FlushInProgressCount' : [ 0x1a, ['unsigned short']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_12ea']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'NumberOfSystemCacheViews' : [ 0x2e, ['unsigned short']], 'StartingFrame' : [ 0x30, ['unsigned long']], 'UserGlobalList' : [ 0x34, ['_LIST_ENTRY']], 'SessionId' : [ 0x3c, ['unsigned long']], } ], '__unnamed_1326' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_132d' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', 
dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_132f' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1326']], 'Bits' : [ 0x0, ['__unnamed_132d']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_132f']], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x24, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x8, ['unsigned long']], 'CapturedGroupCount' : [ 0xc, ['unsigned long']], 'CapturedGroups' : [ 0x10, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x14, ['unsigned long']], 'CapturedPrivilegeCount' : [ 0x18, ['unsigned long']], 'CapturedPrivileges' : [ 0x1c, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x20, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x70, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 
0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'Reserved' : [ 0x68, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_FILE_OBJECT' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', 
['_IO_COMPLETION_CONTEXT']]], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], 
'_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', 
dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'HadUserReference' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x1c, { 'Name' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'CmHive' : [ 0x8, 
['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0xc, ['unsigned long']], 'CmHiveFlags' : [ 0x10, ['unsigned long']], 'CmHive2' : [ 0x14, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x18, ['unsigned char']], 'ThreadStarted' : [ 0x19, ['unsigned char']], 'Allocate' : [ 0x1a, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0xc, { 'Token' : [ 0x0, ['pointer', ['void']]], 'CopyOnOpen' : [ 0x4, ['unsigned char']], 'EffectiveOnly' : [ 0x5, ['unsigned char']], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_1393' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], } ], '__unnamed_1395' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1399' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x114, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 
'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x20, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 
'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x70, ['unsigned long']], 'CompletionStatus' : [ 0x74, ['long']], 'PendingIrp' : [ 0x78, ['pointer', ['_IRP']]], 'Flags' : [ 0x7c, ['unsigned long']], 'UserFlags' : [ 0x80, ['unsigned long']], 'Problem' : [ 0x84, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x88, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x8c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x90, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x94, ['_UNICODE_STRING']], 'ServiceName' : [ 0x9c, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xa4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xa8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xb0, ['unsigned long']], 'ChildInterfaceType' : [ 0xb4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xb8, ['unsigned long']], 'ChildBusTypeIndex' : [ 0xbc, ['unsigned short']], 'RemovalPolicy' : [ 0xbe, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xbf, ['unsigned char']], 'TargetDeviceNotify' : [ 0xc0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xc8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0xd0, 
['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0xd8, ['unsigned short']], 'QueryTranslatorMask' : [ 0xda, ['unsigned short']], 'NoArbiterMask' : [ 0xdc, ['unsigned short']], 'QueryArbiterMask' : [ 0xde, ['unsigned short']], 'OverUsed1' : [ 0xe0, ['__unnamed_1393']], 'OverUsed2' : [ 0xe4, ['__unnamed_1395']], 'BootResources' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0xec, ['unsigned long']], 'DockInfo' : [ 0xf0, ['__unnamed_1399']], 'DisableableDepends' : [ 0x100, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x104, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x10c, ['_LIST_ENTRY']], } ], '__unnamed_139e' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_139e']], } ], '_MMCOLOR_TABLES' : [ 0xc, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_13b3' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1f00, { 'GlobalVirtualAddress' : [ 0x0, ['pointer', ['_MM_SESSION_SPACE']]], 'ReferenceCount' : [ 0x4, ['unsigned long']], 'u' : [ 0x8, ['__unnamed_13b3']], 'SessionId' : [ 0xc, ['unsigned long']], 
'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'PagedPoolBasePde' : [ 0x34, ['pointer', ['_MMPTE']]], 'Color' : [ 0x38, ['unsigned long']], 'ProcessOutSwapCount' : [ 0x3c, ['unsigned long']], 'SessionPoolAllocationFailures' : [ 0x40, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x50, ['_LIST_ENTRY']], 'LocaleId' : [ 0x58, ['unsigned long']], 'AttachCount' : [ 0x5c, ['unsigned long']], 'AttachEvent' : [ 0x60, ['_KEVENT']], 'LastProcess' : [ 0x70, ['pointer', ['_EPROCESS']]], 'ProcessReferenceToSession' : [ 0x74, ['long']], 'WsListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 26, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd80, ['_MMSESSION']], 'PagedPoolMutex' : [ 0xdc0, ['_KGUARDED_MUTEX']], 'PagedPoolInfo' : [ 0xde0, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xe00, ['_MMSUPPORT']], 'Wsle' : [ 0xe60, ['pointer', ['_MMWSLE']]], 'Win32KDriverUnload' : [ 0xe64, ['pointer', ['void']]], 'PagedPool' : [ 0xe68, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1e98, ['pointer', ['_MMPTE']]], 'ImageLoadingCount' : [ 0x1e9c, ['long']], } ], '_PEB' : [ 0x230, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'SpareBool' : [ 0x3, ['unsigned char']], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'SparePtr1' : [ 0x20, ['pointer', 
['void']]], 'SparePtr2' : [ 0x24, ['pointer', ['void']]], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'ExecuteOptions' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'SpareBits' : [ 0x34, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'FreeList' : [ 0x38, ['pointer', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned 
long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['pointer', ['void']]]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 
'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '__unnamed_13e3' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x8, ['_LARGE_INTEGER']], 'u' : [ 0x10, ['__unnamed_13e3']], 'Irp' : [ 0x18, ['pointer', ['_IRP']]], 'LastPageToWrite' : [ 0x1c, ['unsigned long']], 'PagingListHead' : [ 0x20, ['pointer', ['_MMMOD_WRITER_LISTHEAD']]], 'CurrentList' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x28, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x2c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x30, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x34, ['pointer', ['_ERESOURCE']]], 'IssueTime' : [ 0x38, ['_LARGE_INTEGER']], 'Mdl' : [ 0x40, ['_MDL']], 
'Page' : [ 0x5c, ['array', 1, ['unsigned long']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x10, { 'Usage' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], 'Peak' : [ 0x8, ['unsigned long']], 'Return' : [ 0xc, ['unsigned long']], } ], '__unnamed_13f9' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_13f9']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x120, { 'IdleFunction' : [ 0x0, ['pointer', ['void']]], 'Idle0KernelTimeLimit' : [ 0x4, ['unsigned long']], 'Idle0LastTime' : [ 0x8, ['unsigned long']], 'IdleHandlers' : [ 0xc, ['pointer', ['void']]], 'IdleState' : [ 0x10, ['pointer', ['void']]], 'IdleHandlersCount' : [ 0x14, ['unsigned long']], 'LastCheck' : [ 0x18, ['unsigned long long']], 'IdleTimes' : [ 0x20, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' 
: [ 0x40, ['unsigned long']], 'PromotionCheck' : [ 0x44, ['unsigned long']], 'IdleTime2' : [ 0x48, ['unsigned long']], 'CurrentThrottle' : [ 0x4c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x4d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x4e, ['unsigned char']], 'ThermalThrottleIndex' : [ 0x4f, ['unsigned char']], 'PerfSystemTime' : [ 0x50, ['unsigned long']], 'PerfIdleTime' : [ 0x54, ['unsigned long']], 'DebugDelta' : [ 0x58, ['unsigned long long']], 'DebugCount' : [ 0x60, ['unsigned long']], 'LastSysTime' : [ 0x64, ['unsigned long']], 'TotalIdleStateTime' : [ 0x68, ['array', 3, ['unsigned long long']]], 'TotalIdleTransitions' : [ 0x80, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0x90, ['unsigned long long']], 'KneeThrottleIndex' : [ 0x98, ['unsigned char']], 'ThrottleLimitIndex' : [ 0x99, ['unsigned char']], 'PerfStatesCount' : [ 0x9a, ['unsigned char']], 'ProcessorMinThrottle' : [ 0x9b, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x9c, ['unsigned char']], 'LastBusyPercentage' : [ 0x9d, ['unsigned char']], 'LastC3Percentage' : [ 0x9e, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0x9f, ['unsigned char']], 'PromotionCount' : [ 0xa0, ['unsigned long']], 'DemotionCount' : [ 0xa4, ['unsigned long']], 'ErrorCount' : [ 0xa8, ['unsigned long']], 'RetryCount' : [ 0xac, ['unsigned long']], 'Flags' : [ 0xb0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xb8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xc0, ['unsigned long']], 'PerfTimer' : [ 0xc8, ['_KTIMER']], 'PerfDpc' : [ 0xf0, ['_KDPC']], 'PerfStates' : [ 0x110, ['pointer', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x114, ['pointer', ['void']]], 'Spare1' : [ 0x118, ['array', 2, ['unsigned long']]], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x4, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned 
long')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned long')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 'WriteTransferCount' : [ 0x20, ['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned 
long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x4c, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x10, ['_LIST_ENTRY']], 'DeviceType' : [ 0x18, ['unsigned char']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x20, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x28, ['_LIST_ENTRY']], 
'PowerChannelSummary' : [ 0x30, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x44, ['_LIST_ENTRY']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Available0' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'GrowWsleHash' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredUnsafe' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Available' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, 
['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 
0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POP_THERMAL_ZONE' : [ 0xd0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x7c, ['pointer', ['_IRP']]], 'Info' : [ 0x80, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], 
'_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 
'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CMHIVE' : [ 0x56c, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2d0, ['array', 3, ['pointer', ['void']]]], 'NotifyList' : [ 0x2dc, ['_LIST_ENTRY']], 'HiveList' : [ 0x2e4, ['_LIST_ENTRY']], 'HiveLock' : [ 0x2ec, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x2f0, ['pointer', ['_FAST_MUTEX']]], 'LRUViewListHead' : [ 0x2f4, 
['_LIST_ENTRY']], 'PinViewListHead' : [ 0x2fc, ['_LIST_ENTRY']], 'FileObject' : [ 0x304, ['pointer', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x308, ['_UNICODE_STRING']], 'FileUserName' : [ 0x310, ['_UNICODE_STRING']], 'MappedViews' : [ 0x318, ['unsigned short']], 'PinnedViews' : [ 0x31a, ['unsigned short']], 'UseCount' : [ 0x31c, ['unsigned long']], 'SecurityCount' : [ 0x320, ['unsigned long']], 'SecurityCacheSize' : [ 0x324, ['unsigned long']], 'SecurityHitHint' : [ 0x328, ['long']], 'SecurityCache' : [ 0x32c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x330, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0x530, ['pointer', ['_KEVENT']]], 'RootKcb' : [ 0x534, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x538, ['unsigned char']], 'UnloadWorkItem' : [ 0x53c, ['pointer', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0x540, ['unsigned char']], 'GrowOffset' : [ 0x544, ['unsigned long']], 'KcbConvertListHead' : [ 0x548, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x550, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x558, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x55c, ['unsigned long']], 'TrustClassEntry' : [ 0x560, ['_LIST_ENTRY']], 'FlushCount' : [ 0x568, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_HHIVE' : [ 0x2d0, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, 
['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'BaseBlockAlloc' : [ 0x38, ['unsigned long']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 'ReadOnly' : [ 0x41, ['unsigned char']], 'Log' : [ 0x42, ['unsigned char']], 'HiveFlags' : [ 0x44, ['unsigned long']], 'LogSize' : [ 0x48, ['unsigned long']], 'RefreshCount' : [ 0x4c, ['unsigned long']], 'StorageTypeCount' : [ 0x50, ['unsigned long']], 'Version' : [ 0x54, ['unsigned long']], 'Storage' : [ 0x58, ['array', 2, ['_DUAL']]], } ], '_PAGEFAULT_HISTORY' : [ 0x18, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['pointer', ['void']]], 'WatchInfo' : [ 0x10, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['unsigned short']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], 
'_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_14c7' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_14c7']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, 
['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 0x24, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 'PinViewList' : [ 0x8, ['_LIST_ENTRY']], 'FileOffset' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], 'ViewAddress' : [ 0x18, ['pointer', ['unsigned long']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'UseCount' : [ 0x20, ['unsigned long']], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_KUSER_SHARED_DATA' : [ 0x330, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : 
[ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'Fill0' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['array', 4, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x4c, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned 
long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x2c, ['pointer', ['void']]], 'OpenProcedure' : [ 0x30, ['pointer', ['void']]], 'CloseProcedure' : [ 0x34, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x38, ['pointer', ['void']]], 'ParseProcedure' : [ 0x3c, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x40, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x44, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x48, ['pointer', ['void']]], } ], '__unnamed_1515' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'u' : [ 0x4, ['__unnamed_1515']], 'StartingSector' : [ 0x8, ['unsigned long']], 'NumberOfFullSectors' : [ 0xc, ['unsigned long']], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'UnusedPtes' : [ 0x14, ['unsigned long']], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'NextSubsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], } ], '__unnamed_151e' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', 
['_MMVAD']]], } ], '__unnamed_1521' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_1524' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_1527' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_152d' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x34, { 'u1' : [ 0x0, ['__unnamed_151e']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1521']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_1524']], 'u3' : [ 0x28, ['__unnamed_1527']], 'u4' : [ 0x30, ['__unnamed_152d']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'PhysicalMapping' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ImageMap' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'UserPhysicalPages' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'WriteWatch' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, 
native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_POOL_DESCRIPTOR' : [ 0x1030, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, ['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['void']]], 'PendingFreeDepth' : [ 0x24, ['long']], 'TotalBytes' : [ 0x28, ['unsigned long']], 'Spare0' : [ 0x2c, ['unsigned long']], 'ListHeads' : [ 0x30, ['array', 512, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, 
end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x28, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x20, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x4, ['pointer', ['_RTL_BITMAP']]], 'FirstPteForPagedPool' : [ 0x8, ['pointer', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 
'NextPdeForPagedPoolExpansion' : [ 0x10, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x14, ['unsigned long']], 'PagedPoolCommit' : [ 0x18, ['unsigned long']], 'AllocatedPagedPool' : [ 0x1c, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['unsigned short']]], } ], '_MMSESSION' : [ 0x40, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewStart' : [ 0x24, ['pointer', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x28, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x30, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x34, ['unsigned long']], 'BitmapFailures' : [ 0x38, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x3c, ['pointer', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', 
['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long']], 'QuotaObject' : [ 0xc, ['pointer', ['void']]], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 0x8, { 'FaultingPc' : [ 0x0, ['pointer', ['void']]], 'FaultingVa' : [ 0x4, ['pointer', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 31, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_DEADLOCK_NODE' : [ 0x68, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x24, ['BitField', dict(start_bit = 2, 
end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x24, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x48, ['array', 8, ['pointer', ['void']]]], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 
'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0xd8, { 'Next' : [ 0x0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 
'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtMutex' : [ 0x10, ['_FAST_MUTEX']], 'Slot' : [ 0x30, ['_PCI_SLOT_NUMBER']], 'PhysicalDeviceObject' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x38, ['pointer', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x3c, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x40, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x44, ['unsigned long']], 'VendorId' : [ 0x48, ['unsigned short']], 'DeviceId' : [ 0x4a, ['unsigned short']], 'SubsystemVendorId' : [ 0x4c, ['unsigned short']], 'SubsystemId' : [ 0x4e, ['unsigned short']], 'RevisionId' : [ 0x50, ['unsigned char']], 'ProgIf' : [ 0x51, ['unsigned char']], 'SubClass' : [ 0x52, ['unsigned char']], 'BaseClass' : [ 0x53, ['unsigned char']], 'AdditionalResourceCount' : [ 0x54, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x55, ['unsigned char']], 'InterruptPin' : [ 0x56, ['unsigned char']], 'RawInterruptLine' : [ 0x57, ['unsigned char']], 'CapabilitiesPtr' : [ 0x58, ['unsigned char']], 'SavedLatencyTimer' : [ 0x59, ['unsigned char']], 'SavedCacheLineSize' : [ 0x5a, ['unsigned char']], 'HeaderType' : [ 0x5b, ['unsigned char']], 'NotPresent' : [ 0x5c, ['unsigned char']], 'ReportedMissing' : [ 0x5d, ['unsigned char']], 'ExpectedWritebackFailure' : [ 0x5e, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x5f, ['unsigned char']], 'LegacyDriver' : [ 0x60, ['unsigned char']], 'UpdateHardware' : [ 0x61, ['unsigned char']], 'MovedDevice' : [ 0x62, ['unsigned char']], 'DisablePowerDown' : [ 0x63, ['unsigned char']], 'NeedsHotPlugConfiguration' : [ 0x64, ['unsigned char']], 'IDEInNativeMode' : [ 0x65, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x66, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : [ 0x67, ['unsigned char']], 'OnDebugPath' : [ 0x68, ['unsigned char']], 'PowerState' : [ 0x6c, ['PCI_POWER_STATE']], 'Dependent' : [ 0xac, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xb0, ['unsigned long long']], 
'Resources' : [ 0xb8, ['pointer', ['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xbc, ['pointer', ['_PCI_FDO_EXTENSION']]], 'NextBridge' : [ 0xc0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0xc4, ['pointer', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0xc8, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0xd0, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0xd2, ['unsigned char']], 'CommandEnables' : [ 0xd4, ['unsigned short']], 'InitialCommand' : [ 0xd6, ['unsigned short']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_QUAD' : [ 0x8, { 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '__unnamed_15a1' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_15a3' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_15a1']], 'Merged' : [ 0x10, ['__unnamed_15a3']], 'Attributes' : [ 0x18, ['unsigned 
char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_DEVICE_MAP' : [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : [ 0x10, ['array', 32, ['unsigned char']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned 
long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_HEAP_SEGMENT' : [ 0x3c, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Heap' : [ 0x10, ['pointer', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x14, ['unsigned long']], 'BaseAddress' : [ 0x18, ['pointer', ['void']]], 'NumberOfPages' : [ 0x1c, ['unsigned long']], 'FirstEntry' : [ 0x20, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x28, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x2c, ['unsigned long']], 'UnCommittedRanges' : [ 0x30, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'LastEntryInSegment' : [ 0x38, ['pointer', ['_HEAP_ENTRY']]], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned 
long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_15d4' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0xe0, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtMutex' : [ 0x10, ['_FAST_MUTEX']], 'PhysicalDeviceObject' : [ 0x30, ['pointer', 
['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x38, ['pointer', ['_DEVICE_OBJECT']]], 'ChildListMutex' : [ 0x3c, ['_FAST_MUTEX']], 'ChildPdoList' : [ 0x5c, ['pointer', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 0x60, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x64, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x68, ['pointer', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 0x6c, ['pointer', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x70, ['unsigned char']], 'BusHandler' : [ 0x74, ['pointer', ['_BUS_HANDLER']]], 'BaseBus' : [ 0x78, ['unsigned char']], 'Fake' : [ 0x79, ['unsigned char']], 'Scanned' : [ 0x7a, ['unsigned char']], 'ArbitersInitialized' : [ 0x7b, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0x7c, ['unsigned char']], 'Hibernated' : [ 0x7d, ['unsigned char']], 'PowerState' : [ 0x80, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xc0, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0xc4, ['unsigned long']], 'IchHackConfig' : [ 0xc8, ['pointer', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0xcc, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0xd4, ['__unnamed_15d4']], 'BusHackFlags' : [ 0xdc, ['unsigned long']], } ], '__unnamed_15d8' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_15da' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_15dc' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_15de' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_15e0' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_15e2' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, 
['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_15e4' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_15d8']], 'Port' : [ 0x0, ['__unnamed_15d8']], 'Interrupt' : [ 0x0, ['__unnamed_15da']], 'Memory' : [ 0x0, ['__unnamed_15d8']], 'Dma' : [ 0x0, ['__unnamed_15dc']], 'DevicePrivate' : [ 0x0, ['__unnamed_15de']], 'BusNumber' : [ 0x0, ['__unnamed_15e0']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_15e2']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_15e4']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x48, { 'RefCount' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', 
['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KcbLastWriteTime' : [ 0x38, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x40, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x42, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x44, ['unsigned long']], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['short']], 'Number' : [ 0x2, ['unsigned char']], 'Importance' : [ 0x3, ['unsigned char']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ReadConfig' : [ 0x10, ['pointer', ['void']]], 'WriteConfig' : [ 0x14, ['pointer', ['void']]], 'PinToLine' : [ 0x18, ['pointer', ['void']]], 'LineToPin' : [ 0x1c, ['pointer', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x10, ['unsigned long']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, 
['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'PolicyChange' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '__unnamed_161e' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1624' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1626' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1624']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_162e' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, 
['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1630' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_162e']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_161e']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_1626']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_1630']], } ], '_PCI_LOCK' : [ 0x8, { 'Atom' : [ 0x0, ['unsigned long']], 'OldIrql' : [ 0x4, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '__unnamed_163b' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_163b']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 
'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_1641' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0xc, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_1641']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, 
['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '__unnamed_1658' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_1658']], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '__unnamed_1660' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_1660']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x290, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, 
['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockQueuedSpinLock', 7: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], 
'_PEB_FREE_BLOCK' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x28, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'WakeNeeded' : [ 0xc, ['unsigned char']], 'OrderLevel' : [ 0xd, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Node' : [ 0x14, ['pointer', ['void']]], 'DeviceName' : [ 0x18, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x1c, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x20, ['unsigned long']], 'ActiveChild' : [ 0x24, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '__unnamed_1684' : [ 0x4, { 'Spare' : [ 0x0, ['array', 4, ['unsigned char']]], } ], '__unnamed_1686' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_1684']], 'type1' : [ 0x0, ['__unnamed_1686']], 'type2' : [ 0x0, ['__unnamed_1686']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 
'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x1e4, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'ServiceContext' : [ 0x10, ['pointer', ['void']]], 'SpinLock' : [ 0x14, ['unsigned long']], 'TickCount' : [ 0x18, ['unsigned long']], 'ActualLock' : [ 0x1c, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x20, ['pointer', ['void']]], 'Vector' : [ 0x24, ['unsigned long']], 'Irql' : [ 0x28, ['unsigned char']], 'SynchronizeIrql' : [ 0x29, ['unsigned char']], 'FloatingSave' : [ 0x2a, ['unsigned char']], 'Connected' : [ 0x2b, ['unsigned char']], 'Number' : [ 0x2c, ['unsigned char']], 'ShareVector' : [ 0x2d, ['unsigned char']], 'Mode' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x34, ['unsigned long']], 'DispatchCount' : [ 0x38, ['unsigned long']], 'DispatchCode' : [ 0x3c, ['array', 106, ['unsigned long']]], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0xe0, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0xc, ['pointer', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x10, ['pointer', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x14, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x44, ['_ARBITER_INSTANCE']], } ], 
'_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x20, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x4, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x8, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0xc, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x14, ['pointer', ['void']]], 'OtherIrpDispatchStyle' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x1c, ['pointer', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, 
['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'SameProtectAsProto' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_DIRECTORY' : [ 0xa0, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_HEAP_LOOKASIDE' : [ 
0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['unsigned long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x698, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x14, ['unsigned long']], 'NonDirectCount' : [ 0x18, ['unsigned long']], 'HashTable' : [ 0x1c, ['pointer', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x20, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x24, ['unsigned long']], 'HashTableStart' : [ 0x28, ['pointer', ['void']]], 'HighestPermittedHashAddress' : [ 0x2c, ['pointer', ['void']]], 'NumberOfImageWaiters' : [ 0x30, ['unsigned long']], 'VadBitMapHint' : [ 0x34, ['unsigned long']], 'UsedPageTableEntries' : [ 0x38, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x638, ['array', 24, ['unsigned 
long']]], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 'PCI_FUNCTION_RESOURCES' : [ 0x150, { 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '__unnamed_16f4' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_16f8' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x40, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'WritableUserReferences' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x18, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x1c, ['unsigned long']], 'ExtendInfo' : [ 0x20, ['pointer', ['_MMEXTEND_INFO']]], 'SegmentFlags' : [ 0x24, ['_SEGMENT_FLAGS']], 'BasedAddress' : [ 0x28, ['pointer', ['void']]], 'u1' : [ 0x2c, ['__unnamed_16f4']], 'u2' : [ 0x30, ['__unnamed_16f8']], 'PrototypePte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x38, ['array', 1, ['_MMPTE']]], } ], 
'_PCI_COMMON_EXTENSION' : [ 0x30, { 'Next' : [ 0x0, ['pointer', ['void']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtMutex' : [ 0x10, ['_FAST_MUTEX']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'PoolPageHeaders' : [ 0x28, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x30, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x38, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x3c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PagedBytes' : [ 0x48, ['unsigned long']], 'NonPagedBytes' : [ 0x4c, ['unsigned long']], 'PeakPagedBytes' : [ 0x50, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x54, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned 
long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x20, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x1c, ['pointer', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 
'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x2c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], '_TEB' : [ 0xfb8, { 
'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStack' : [ 0x1a8, ['_ACTIVATION_CONTEXT_STACK']], 'SpareBytes1' : [ 0x1bc, ['array', 24, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, 
['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 16, ['pointer', ['void']]]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'Spare3' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'Wx86Thread' : [ 0xf88, ['_Wx86ThreadState']], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], } ], 'PCI_SECONDARY_EXTENSION' : [ 0xc, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 
'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x8, ['pointer', ['void']]], } ], '__unnamed_1737' : [ 0x30, { 'type0' : [ 0x0, ['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_1737']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 
'ImageContainsCode' : [ 0x22, ['unsigned char']], 'Spare1' : [ 0x23, ['unsigned char']], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'Reserved' : [ 0x28, ['array', 2, ['unsigned long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_KNODE' : [ 0x30, { 'ProcessorMask' : [ 0x0, ['unsigned long']], 'Color' : [ 0x4, ['unsigned long']], 'MmShiftedColor' : [ 0x8, ['unsigned long']], 'FreeCount' : [ 0xc, ['array', 2, ['unsigned long']]], 'DeadStackList' : [ 0x18, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x20, ['_SLIST_HEADER']], 'PfnDeferredList' : [ 0x28, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'Seed' : [ 0x2c, ['unsigned char']], 'NodeNumber' : [ 0x2d, ['unsigned char']], 'Flags' : [ 0x2e, ['_flags']], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 
'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x1c, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'MinSize' : [ 0x4, ['unsigned short']], 'MinVersion' : [ 0x6, ['unsigned short']], 'MaxVersion' : [ 0x8, ['unsigned 
short']], 'Flags' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['long']], 'Signature' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x14, ['pointer', ['void']]], 'Initializer' : [ 0x18, ['pointer', ['void']]], } ], '_MMVAD' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_151e']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1521']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_1524']], } ], '_POP_POWER_ACTION' : [ 0x40, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 
'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x24, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x28, ['pointer', ['_POP_HIBER_CONTEXT']]], 'LastWakeState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x30, ['unsigned long long']], 'SleepTime' : [ 0x38, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_151e']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1521']], } ], '__unnamed_1782' : [ 0x2c, { 
'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1782']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' 
: [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', 
dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x28, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x9c, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0xc, ['long']], 'Allocation' : [ 0x10, ['pointer', ['_RTL_RANGE_LIST']]], 
'PossibleAllocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x18, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x20, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x28, ['long']], 'Interface' : [ 0x2c, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x30, ['unsigned long']], 'AllocationStack' : [ 0x34, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x38, ['pointer', ['void']]], 'PackResource' : [ 0x3c, ['pointer', ['void']]], 'UnpackResource' : [ 0x40, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x44, ['pointer', ['void']]], 'TestAllocation' : [ 0x48, ['pointer', ['void']]], 'RetestAllocation' : [ 0x4c, ['pointer', ['void']]], 'CommitAllocation' : [ 0x50, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x54, ['pointer', ['void']]], 'BootAllocation' : [ 0x58, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x5c, ['pointer', ['void']]], 'QueryConflict' : [ 0x60, ['pointer', ['void']]], 'AddReserved' : [ 0x64, ['pointer', ['void']]], 'StartArbiter' : [ 0x68, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x6c, ['pointer', ['void']]], 'AllocateEntry' : [ 0x70, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x74, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x78, ['pointer', ['void']]], 'AddAllocation' : [ 0x7c, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x80, ['pointer', ['void']]], 'OverrideConflict' : [ 0x84, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x88, ['unsigned char']], 'Extension' : [ 0x8c, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x90, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x94, ['pointer', ['void']]], 'ConflictCallback' : [ 0x98, ['pointer', ['void']]], } ], '_BUS_HANDLER' : [ 0x6c, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 
'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x14, ['pointer', ['_BUS_HANDLER']]], 'BusData' : [ 0x18, ['pointer', ['void']]], 'DeviceControlExtensionSize' : [ 0x1c, ['unsigned long']], 'BusAddresses' : [ 0x20, ['pointer', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x24, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x34, ['pointer', ['void']]], 'SetBusData' : [ 0x38, ['pointer', ['void']]], 'AdjustResourceList' : [ 0x3c, ['pointer', ['void']]], 'AssignSlotResources' : [ 0x40, ['pointer', ['void']]], 'GetInterruptVector' : [ 0x44, ['pointer', ['void']]], 'TranslateBusAddress' : [ 0x48, ['pointer', ['void']]], 'Spare1' : [ 0x4c, ['pointer', ['void']]], 'Spare2' : [ 0x50, ['pointer', ['void']]], 'Spare3' : [ 0x54, ['pointer', ['void']]], 'Spare4' : [ 0x58, ['pointer', ['void']]], 'Spare5' : [ 0x5c, ['pointer', ['void']]], 'Spare6' : [ 0x60, ['pointer', ['void']]], 'Spare7' : [ 0x64, ['pointer', ['void']]], 'Spare8' : [ 0x68, ['pointer', ['void']]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x8, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'DispatchFunction' : [ 0x4, ['pointer', ['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x620, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', 
dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x18, ['unsigned long']], 'Thread' : [ 0x1c, ['pointer', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x20, ['unsigned char']], 'Order' : [ 0x24, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x26c, ['long']], 'FailedDevice' : [ 0x270, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x274, ['unsigned char']], 'Cancelled' : [ 0x275, ['unsigned char']], 'IgnoreErrors' : [ 0x276, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x277, ['unsigned char']], 'WaitAny' : [ 0x278, ['unsigned char']], 'WaitAll' : [ 0x279, ['unsigned char']], 'PresentIrpQueue' : [ 0x27c, ['_LIST_ENTRY']], 'Head' : [ 0x284, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x2b0, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x14, { 'Flags' : [ 0x0, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x4, ['unsigned long']], 'ActiveFrame' : [ 0x8, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0xc, ['_LIST_ENTRY']], } ], '_MMWSLE_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, 
['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['unsigned short']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' 
: [ 0x94, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x40, { 'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWakeLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemStateMapping' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x2c, ['pointer', ['_IRP']]], 'SavedCancelRoutine' : [ 0x30, ['pointer', ['void']]], 'Paging' : [ 0x34, ['long']], 'Hibernate' : [ 0x38, ['long']], 'CrashDump' : [ 0x3c, ['long']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '__unnamed_1824' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 
'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1828' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_182c' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_182e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1832' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 
'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1834' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_1836' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], } ], '__unnamed_1838' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 
'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_183a' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_183c' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1840' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', 
dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_1842' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1844' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1846' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1848' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_184a' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_184c' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1850' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1854' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1858' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_185a' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', 
['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_185e' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1860' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1862' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_1864' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1868' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_186c' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1870' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1872' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1876' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_187a' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', 
choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_187c' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_187e' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1880' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1882' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_1824']], 'CreatePipe' : [ 0x0, ['__unnamed_1828']], 'CreateMailslot' : [ 0x0, ['__unnamed_182c']], 'Read' : [ 0x0, ['__unnamed_182e']], 'Write' : [ 0x0, ['__unnamed_182e']], 'QueryDirectory' : [ 0x0, ['__unnamed_1832']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1834']], 'QueryFile' : [ 0x0, ['__unnamed_1836']], 'SetFile' : [ 0x0, ['__unnamed_1838']], 'QueryEa' : [ 0x0, ['__unnamed_183a']], 'SetEa' : [ 0x0, ['__unnamed_183c']], 'QueryVolume' : [ 0x0, ['__unnamed_1840']], 'SetVolume' : [ 0x0, ['__unnamed_1840']], 'FileSystemControl' : [ 0x0, ['__unnamed_1842']], 'LockControl' : [ 0x0, ['__unnamed_1844']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1846']], 'QuerySecurity' : [ 0x0, ['__unnamed_1848']], 'SetSecurity' : [ 0x0, ['__unnamed_184a']], 'MountVolume' : [ 0x0, ['__unnamed_184c']], 'VerifyVolume' : [ 0x0, ['__unnamed_184c']], 'Scsi' : [ 0x0, ['__unnamed_1850']], 'QueryQuota' : [ 0x0, ['__unnamed_1854']], 'SetQuota' : [ 0x0, 
['__unnamed_183c']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1858']], 'QueryInterface' : [ 0x0, ['__unnamed_185a']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_185e']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1860']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1862']], 'SetLock' : [ 0x0, ['__unnamed_1864']], 'QueryId' : [ 0x0, ['__unnamed_1868']], 'QueryDeviceText' : [ 0x0, ['__unnamed_186c']], 'UsageNotification' : [ 0x0, ['__unnamed_1870']], 'WaitWake' : [ 0x0, ['__unnamed_1872']], 'PowerSequence' : [ 0x0, ['__unnamed_1876']], 'Power' : [ 0x0, ['__unnamed_187a']], 'StartDevice' : [ 0x0, ['__unnamed_187c']], 'WMI' : [ 0x0, ['__unnamed_187e']], 'Others' : [ 0x0, ['__unnamed_1880']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_1882']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1889' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_188b' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], } ], '__unnamed_188d' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_188f' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1891' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1893' : [ 
0x18, { 'Port' : [ 0x0, ['__unnamed_1889']], 'Memory' : [ 0x0, ['__unnamed_1889']], 'Interrupt' : [ 0x0, ['__unnamed_188b']], 'Dma' : [ 0x0, ['__unnamed_188d']], 'Generic' : [ 0x0, ['__unnamed_1889']], 'DevicePrivate' : [ 0x0, ['__unnamed_15de']], 'BusNumber' : [ 0x0, ['__unnamed_188f']], 'ConfigData' : [ 0x0, ['__unnamed_1891']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1893']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_CM_KEY_BODY' : [ 0x44, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'Callers' : [ 0x10, ['unsigned long']], 'CallerAddress' : [ 0x14, ['array', 10, ['pointer', ['void']]]], 'KeyBodyList' : [ 0x3c, ['_LIST_ENTRY']], } ], '__unnamed_18a2' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_18a4' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_18a2']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_18a6' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_18a8' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_18a6']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_18a4']], 'u2' : [ 0x4, ['__unnamed_18a8']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, 
['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, 
['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0xe0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0xc, ['unsigned long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x14, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x1c, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x24, ['unsigned long']], 'NextCloneRange' : [ 0x28, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x2c, ['unsigned long']], 'LoaderMdl' : [ 0x30, ['pointer', ['_MDL']]], 'Clones' : [ 0x34, ['pointer', ['_MDL']]], 'NextClone' : [ 0x38, ['pointer', ['unsigned char']]], 'NoClones' : [ 0x3c, ['unsigned long']], 'Spares' : [ 0x40, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x48, ['unsigned long long']], 'IoPage' : [ 0x50, ['pointer', ['void']]], 'CurrentMcb' : [ 0x54, ['pointer', ['void']]], 'DumpStack' : [ 0x58, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x5c, ['pointer', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0x60, ['unsigned long']], 'HiberVa' : [ 0x64, ['unsigned long']], 'HiberPte' : [ 0x68, ['_LARGE_INTEGER']], 'Status' : [ 0x70, ['long']], 'MemoryImage' : [ 0x74, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x78, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x7c, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x80, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x84, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x88, ['pointer', ['void']]], 'DmaIO' : [ 0x8c, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x90, ['pointer', ['void']]], 'PerfInfo' : [ 0x98, ['_PO_HIBER_PERF']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', 
['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x8, { 'StartVpn' : [ 0x0, ['unsigned long']], 'EndVpn' : [ 0x4, ['unsigned long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x14, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x4, ['unsigned long']], 'Parameter2' : [ 0x8, ['unsigned long']], 'Parameter3' : [ 0xc, ['unsigned long']], 'Parameter4' : [ 0x10, ['unsigned long']], } ], '__unnamed_18e5' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 
0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_18e7' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_18e5']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_18e7']], } ], '_Wx86ThreadState' : [ 0xc, { 'CallBx86Eip' : [ 0x0, ['pointer', ['unsigned long']]], 'DeallocationCpu' : [ 0x4, ['pointer', ['void']]], 'UseKnownWx86Dll' : [ 0x8, ['unsigned char']], 'OleStubInvoked' : [ 0x9, ['unsigned char']], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_SUPPORTED_RANGES' : [ 0xa0, { 'Version' : 
[ 0x0, ['unsigned short']], 'Sorted' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x28, ['unsigned long']], 'Memory' : [ 0x30, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x50, ['unsigned long']], 'PrefetchMemory' : [ 0x58, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x78, ['unsigned long']], 'Dma' : [ 0x80, ['_SUPPORTED_RANGE']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], 
'_PM_SUPPORT' : [ 0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '__unnamed_191a' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_191c' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_1920' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_1922' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_1924' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1926' : [ 0x10, { 'TestAllocation' : [ 0x0, ['__unnamed_191a']], 'RetestAllocation' : [ 0x0, ['__unnamed_191a']], 'BootAllocation' : [ 0x0, ['__unnamed_191c']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_1920']], 'QueryConflict' : 
[ 0x0, ['__unnamed_1922']], 'QueryArbitrate' : [ 0x0, ['__unnamed_191c']], 'AddReserved' : [ 0x0, ['__unnamed_1924']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_1926']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], 'PO_MEMORY_IMAGE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'ImageType' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, 
['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x3c, ['unsigned long']], 'HiberPte' : [ 0x40, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'TotalPages' : [ 0x54, ['unsigned long']], 'FirstTablePage' : [ 0x58, ['unsigned long']], 'LastFilePage' : [ 0x5c, ['unsigned long']], 'PerfInfo' : [ 0x60, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, 
['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' 
: [ 0x8, ['unsigned long']], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Spare' : [ 0x18, ['array', 2, ['unsigned long']]], } ], '__unnamed_1949' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_194b' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_194d' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_194f' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1951' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1953' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1955' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1957' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1959' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_195b' : 
[ 0x14, { 'DeviceClass' : [ 0x0, ['__unnamed_1949']], 'TargetDevice' : [ 0x0, ['__unnamed_194b']], 'InstallDevice' : [ 0x0, ['__unnamed_194d']], 'CustomNotification' : [ 0x0, ['__unnamed_194f']], 'ProfileNotification' : [ 0x0, ['__unnamed_1951']], 'PowerNotification' : [ 0x0, ['__unnamed_1953']], 'VetoNotification' : [ 0x0, ['__unnamed_1955']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1957']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1959']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x38, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_195b']], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_1972' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_1974' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_1976' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_1972']], 'Gpt' : [ 0x0, ['__unnamed_1974']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, 
['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_1976']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, ['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 
'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x248, { 'DevNodeSequence' : [ 0x0, ['unsigned long']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 
'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x10, ['unsigned long']], 'ActiveCount' : [ 0x14, ['unsigned long']], 'WaitSleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x20, ['_LIST_ENTRY']], 'Pending' : [ 0x28, ['_LIST_ENTRY']], 'Complete' : [ 0x30, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x38, ['_LIST_ENTRY']], 'WaitS0' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_19a6' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], '_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' : [ 0xc, ['array', 4, ['__unnamed_19a6']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, 
['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 
'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x8, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], } ], '_POP_DEVICE_POWER_IRP' : [ 0x2c, { 'Free' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x4, ['pointer', ['_IRP']]], 'Notify' : [ 0x8, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0xc, ['_LIST_ENTRY']], 'Complete' : [ 0x14, ['_LIST_ENTRY']], 'Abort' : [ 0x1c, ['_LIST_ENTRY']], 'Failed' : [ 0x24, ['_LIST_ENTRY']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 'PrefetchBaseUpper32' : [ 0x18, ['unsigned 
long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', 
['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_SUPPORTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x4, ['unsigned long']], 'SystemBase' : [ 0x8, ['long long']], 'Base' : [ 0x10, ['long long']], 'Limit' : [ 0x18, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['unsigned long']], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 
0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 
0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x30, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x24, ['array', 3, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_1a34' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_1a36' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_1a3a' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1a3c' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1a34']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1a36']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1a3a']], 'Others' : [ 0x0, ['__unnamed_1a3c']], } ], 
'_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/vista_sp0_x64_vtypes.py0000644000000000000000000145571213131215405030770 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_101f' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_101f']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1024' : [ 0x8, { 'LowPart' : [ 
0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1024']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_103d' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_103f' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_103d']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_103f']], } ], '_TP_TASK_CALLBACKS' : [ 0x10, { 'ExecuteCallback' : [ 0x0, ['pointer64', ['void']]], 'Unposted' : [ 0x8, ['pointer64', ['void']]], } ], '_TP_TASK' : [ 0x8, { 'Callbacks' : [ 0x0, ['pointer64', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x8, { 'Callback' : [ 0x0, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, 
['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_KPRCB' : [ 0x3a20, { 'MxCsr' : [ 0x0, ['unsigned long']], 'Number' : [ 0x4, ['unsigned short']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'Group' : [ 0x21, ['unsigned char']], 'PrcbPad00' : [ 0x22, ['array', 6, ['unsigned char']]], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'SetMember' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, ['unsigned long']], 'PrcbPad01' : [ 0x658, ['array', 3, ['unsigned long long']]], 'LockQueue' : [ 0x670, ['array', 33, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x880, ['array', 16, 
['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x980, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1580, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2180, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2188, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2190, ['long']], 'MmCopyOnWriteCount' : [ 0x2194, ['long']], 'MmTransitionCount' : [ 0x2198, ['long']], 'MmDemandZeroCount' : [ 0x219c, ['long']], 'MmPageReadCount' : [ 0x21a0, ['long']], 'MmPageReadIoCount' : [ 0x21a4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x21a8, ['long']], 'MmDirtyWriteIoCount' : [ 0x21ac, ['long']], 'MmMappedPagesWriteCount' : [ 0x21b0, ['long']], 'MmMappedWriteIoCount' : [ 0x21b4, ['long']], 'KeSystemCalls' : [ 0x21b8, ['unsigned long']], 'KeContextSwitches' : [ 0x21bc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x21c0, ['unsigned long']], 'CcFastReadWait' : [ 0x21c4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x21c8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x21cc, ['unsigned long']], 'CcCopyReadWait' : [ 0x21d0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x21d4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x21d8, ['long']], 'IoReadOperationCount' : [ 0x21dc, ['long']], 'IoWriteOperationCount' : [ 0x21e0, ['long']], 'IoOtherOperationCount' : [ 0x21e4, ['long']], 'IoReadTransferCount' : [ 0x21e8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x21f0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x21f8, ['_LARGE_INTEGER']], 'TargetSet' : [ 0x2200, ['unsigned long long']], 'IpiFrozen' : [ 0x2208, ['unsigned long']], 'PrcbPad3' : [ 0x220c, ['array', 116, ['unsigned char']]], 'RequestMailbox' : [ 0x2280, ['array', 64, ['_REQUEST_MAILBOX']]], 'SenderSummary' : [ 0x3280, ['unsigned long long']], 'PrcbPad4' : [ 0x3288, ['array', 120, ['unsigned char']]], 'DpcData' : [ 0x3300, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x3340, ['pointer64', ['void']]], 'SavedRsp' : [ 0x3348, ['pointer64', ['void']]], 
'MaximumDpcQueueDepth' : [ 0x3350, ['long']], 'DpcRequestRate' : [ 0x3354, ['unsigned long']], 'MinimumDpcRate' : [ 0x3358, ['unsigned long']], 'DpcInterruptRequested' : [ 0x335c, ['unsigned char']], 'DpcThreadRequested' : [ 0x335d, ['unsigned char']], 'DpcRoutineActive' : [ 0x335e, ['unsigned char']], 'DpcThreadActive' : [ 0x335f, ['unsigned char']], 'TimerHand' : [ 0x3360, ['unsigned long long']], 'TimerRequest' : [ 0x3360, ['unsigned long long']], 'TickOffset' : [ 0x3368, ['long']], 'MasterOffset' : [ 0x336c, ['long']], 'DpcLastCount' : [ 0x3370, ['unsigned long']], 'ThreadDpcEnable' : [ 0x3374, ['unsigned char']], 'QuantumEnd' : [ 0x3375, ['unsigned char']], 'PrcbPad50' : [ 0x3376, ['unsigned char']], 'IdleSchedule' : [ 0x3377, ['unsigned char']], 'DpcSetEventRequest' : [ 0x3378, ['long']], 'KeExceptionDispatchCount' : [ 0x337c, ['unsigned long']], 'DpcEvent' : [ 0x3380, ['_KEVENT']], 'PrcbPad51' : [ 0x3398, ['pointer64', ['void']]], 'CallDpc' : [ 0x33a0, ['_KDPC']], 'ClockKeepAlive' : [ 0x33e0, ['long']], 'ClockCheckSlot' : [ 0x33e4, ['unsigned char']], 'ClockPollCycle' : [ 0x33e5, ['unsigned char']], 'PrcbPad6' : [ 0x33e6, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x33e8, ['long']], 'DpcWatchdogCount' : [ 0x33ec, ['long']], 'PrcbPad70' : [ 0x33f0, ['array', 2, ['unsigned long long']]], 'WaitListHead' : [ 0x3400, ['_LIST_ENTRY']], 'WaitLock' : [ 0x3410, ['unsigned long long']], 'ReadySummary' : [ 0x3418, ['unsigned long']], 'QueueIndex' : [ 0x341c, ['unsigned long']], 'PrcbPad71' : [ 0x3420, ['array', 12, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x3480, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x3680, ['unsigned long']], 'KernelTime' : [ 0x3684, ['unsigned long']], 'UserTime' : [ 0x3688, ['unsigned long']], 'DpcTime' : [ 0x368c, ['unsigned long']], 'InterruptTime' : [ 0x3690, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x3694, ['unsigned long']], 'SkipTick' : [ 0x3698, ['unsigned char']], 'DebuggerSavedIRQL' : [ 
0x3699, ['unsigned char']], 'PollSlot' : [ 0x369a, ['unsigned char']], 'PrcbPad80' : [ 0x369b, ['array', 5, ['unsigned char']]], 'DpcTimeCount' : [ 0x36a0, ['unsigned long']], 'DpcTimeLimit' : [ 0x36a4, ['unsigned long']], 'PeriodicCount' : [ 0x36a8, ['unsigned long']], 'PeriodicBias' : [ 0x36ac, ['unsigned long']], 'PrcbPad81' : [ 0x36b0, ['array', 2, ['unsigned long long']]], 'ParentNode' : [ 0x36c0, ['pointer64', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x36c8, ['unsigned long long']], 'MultiThreadSetMaster' : [ 0x36d0, ['pointer64', ['_KPRCB']]], 'StartCycles' : [ 0x36d8, ['unsigned long long']], 'MmSpinLockOrdering' : [ 0x36e0, ['long']], 'PageColor' : [ 0x36e4, ['unsigned long']], 'NodeColor' : [ 0x36e8, ['unsigned long']], 'NodeShiftedColor' : [ 0x36ec, ['unsigned long']], 'SecondaryColorMask' : [ 0x36f0, ['unsigned long']], 'Sleeping' : [ 0x36f4, ['long']], 'CycleTime' : [ 0x36f8, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x3700, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x3704, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x3708, ['unsigned long']], 'CcMapDataNoWait' : [ 0x370c, ['unsigned long']], 'CcMapDataWait' : [ 0x3710, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x3714, ['unsigned long']], 'CcPinReadNoWait' : [ 0x3718, ['unsigned long']], 'CcPinReadWait' : [ 0x371c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x3720, ['unsigned long']], 'CcMdlReadWait' : [ 0x3724, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x3728, ['unsigned long']], 'CcLazyWriteIos' : [ 0x372c, ['unsigned long']], 'CcLazyWritePages' : [ 0x3730, ['unsigned long']], 'CcDataFlushes' : [ 0x3734, ['unsigned long']], 'CcDataPages' : [ 0x3738, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x373c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x3740, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x3744, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x3748, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x374c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 
0x3750, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x3754, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x3758, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x375c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x3760, ['unsigned long']], 'CcReadAheadIos' : [ 0x3764, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x3768, ['long']], 'MmCacheReadCount' : [ 0x376c, ['long']], 'MmCacheIoCount' : [ 0x3770, ['long']], 'PrcbPad91' : [ 0x3774, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x3780, ['_PROCESSOR_POWER_STATE']], 'KeAlignmentFixupCount' : [ 0x38b8, ['unsigned long']], 'VendorString' : [ 0x38bc, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x38c9, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x38cc, ['unsigned long']], 'UpdateSignature' : [ 0x38d0, ['_LARGE_INTEGER']], 'DpcWatchdogDpc' : [ 0x38d8, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3918, ['_KTIMER']], 'Cache' : [ 0x3958, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3994, ['unsigned long']], 'CachedCommit' : [ 0x3998, ['unsigned long']], 'CachedResidentAvailable' : [ 0x399c, ['unsigned long']], 'HyperPte' : [ 0x39a0, ['pointer64', ['void']]], 'WheaInfo' : [ 0x39a8, ['pointer64', ['void']]], 'EtwSupport' : [ 0x39b0, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x39c0, ['_SLIST_HEADER']], 'HypercallPagePhysical' : [ 0x39d0, ['_LARGE_INTEGER']], 'HypercallPageVirtual' : [ 0x39d8, ['pointer64', ['void']]], 'RateControl' : [ 0x39e0, ['pointer64', ['void']]], 'CacheProcessorMask' : [ 0x39e8, ['array', 5, ['unsigned long long']]], 'PackageProcessorSet' : [ 0x3a10, ['unsigned long long']], 'CoreProcessorSet' : [ 0x3a18, ['unsigned long long']], } ], '_KTHREAD' : [ 0x330, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 
0x40, ['unsigned long long']], 'ApcState' : [ 0x48, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x48, ['array', 43, ['unsigned char']]], 'Priority' : [ 0x73, ['unsigned char']], 'NextProcessor' : [ 0x74, ['unsigned short']], 'DeferredProcessor' : [ 0x76, ['unsigned short']], 'ApcQueueLock' : [ 0x78, ['unsigned long long']], 'WaitStatus' : [ 0x80, ['long long']], 'WaitBlockList' : [ 0x88, ['pointer64', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x88, ['pointer64', ['_KGATE']]], 'KernelStackResident' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x90, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x90, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x90, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x90, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x90, ['long']], 'WaitReason' : [ 0x94, ['unsigned char']], 'SwapBusy' : [ 0x95, ['unsigned char']], 'Alerted' : [ 0x96, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x98, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x98, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa8, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb0, ['pointer64', ['void']]], 'Timer' : [ 0xb8, ['_KTIMER']], 'TimerFill' : [ 0xb8, ['array', 60, ['unsigned char']]], 'AutoAlignment' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xf4, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CycleChargePending' : [ 0xf4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xf4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xf4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xf4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xf4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xf4, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xf4, ['long']], 'WaitBlock' : [ 0xf8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xf8, ['array', 43, ['unsigned char']]], 'IdealProcessor' : [ 0x123, ['unsigned char']], 'WaitBlockFill1' : [ 0xf8, ['array', 91, ['unsigned char']]], 'PreviousMode' : [ 0x153, ['unsigned char']], 'WaitBlockFill2' : [ 0xf8, ['array', 139, ['unsigned char']]], 'ResourceIndex' : [ 0x183, ['unsigned char']], 'WaitBlockFill3' : [ 0xf8, ['array', 187, ['unsigned char']]], 'LargeStack' : [ 0x1b3, ['unsigned char']], 'WaitBlockFill4' : [ 0xf8, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x124, ['unsigned long']], 'WaitBlockFill5' : [ 0xf8, ['array', 92, ['unsigned char']]], 'State' : [ 0x154, ['unsigned char']], 'NpxState' : [ 0x155, ['unsigned char']], 'WaitIrql' : [ 0x156, ['unsigned char']], 'WaitMode' : [ 0x157, ['unsigned char']], 'WaitBlockFill6' : [ 0xf8, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x184, ['unsigned long']], 'WaitBlockFill7' : [ 0xf8, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1b4, ['short']], 'SpecialApcDisable' : [ 0x1b6, ['short']], 'CombinedApcDisable' : [ 0x1b4, ['unsigned long']], 
'QueueListEntry' : [ 0x1b8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1c8, ['pointer64', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x1d0, ['pointer64', ['void']]], 'CallbackStack' : [ 0x1d8, ['pointer64', ['void']]], 'CallbackDepth' : [ 0x1d8, ['unsigned long long']], 'ApcStateIndex' : [ 0x1e0, ['unsigned char']], 'BasePriority' : [ 0x1e1, ['unsigned char']], 'PriorityDecrement' : [ 0x1e2, ['unsigned char']], 'Preempted' : [ 0x1e3, ['unsigned char']], 'AdjustReason' : [ 0x1e4, ['unsigned char']], 'AdjustIncrement' : [ 0x1e5, ['unsigned char']], 'Spare01' : [ 0x1e6, ['unsigned char']], 'Saturation' : [ 0x1e7, ['unsigned char']], 'SystemCallNumber' : [ 0x1e8, ['unsigned long']], 'Spare02' : [ 0x1ec, ['unsigned long']], 'UserAffinity' : [ 0x1f0, ['unsigned long long']], 'Process' : [ 0x1f8, ['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x200, ['unsigned long long']], 'ApcStatePointer' : [ 0x208, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x218, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x218, ['array', 43, ['unsigned char']]], 'FreezeCount' : [ 0x243, ['unsigned char']], 'SuspendCount' : [ 0x244, ['unsigned char']], 'UserIdealProcessor' : [ 0x245, ['unsigned char']], 'Spare03' : [ 0x246, ['unsigned char']], 'CodePatchInProgress' : [ 0x247, ['unsigned char']], 'Win32Thread' : [ 0x248, ['pointer64', ['void']]], 'StackBase' : [ 0x250, ['pointer64', ['void']]], 'SuspendApc' : [ 0x258, ['_KAPC']], 'SuspendApcFill0' : [ 0x258, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x259, ['unsigned char']], 'SuspendApcFill1' : [ 0x258, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x25b, ['unsigned char']], 'SuspendApcFill2' : [ 0x258, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x25c, ['unsigned long']], 'SuspendApcFill3' : [ 0x258, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x298, ['pointer64', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x258, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2a0, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 
0x258, ['array', 83, ['unsigned char']]], 'PowerState' : [ 0x2ab, ['unsigned char']], 'UserTime' : [ 0x2ac, ['unsigned long']], 'SuspendSemaphore' : [ 0x2b0, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2b0, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2cc, ['unsigned long']], 'ThreadListEntry' : [ 0x2d0, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x2e0, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x2f0, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x2f8, ['long long']], 'WriteOperationCount' : [ 0x300, ['long long']], 'OtherOperationCount' : [ 0x308, ['long long']], 'ReadTransferCount' : [ 0x310, ['long long']], 'WriteTransferCount' : [ 0x318, ['long long']], 'OtherTransferCount' : [ 0x320, ['long long']], 'MdlForLockedTeb' : [ 0x328, ['pointer64', ['void']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x250, { 'XmmSaveArea' : [ 0x0, ['_XMM_SAVE_AREA32']], 'Current' : [ 0x200, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x228, ['_KERNEL_STACK_SEGMENT']], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '__unnamed_1115' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, native_type='unsigned long long')]], 'Region' : [ 0x8, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_111a' : [ 0x10, { 'Depth' : [ 
0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_1115']], 'Header16' : [ 0x0, ['__unnamed_111a']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 
0x0, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' 
: [ 0x40, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_ETHREAD' : [ 0x450, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x330, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x338, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x338, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x348, ['long']], 'OfsChain' : [ 0x348, ['pointer64', ['void']]], 'PostBlockList' : [ 0x350, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x350, ['pointer64', ['void']]], 'StartAddress' : [ 0x358, ['pointer64', ['void']]], 'TerminationPort' : [ 0x360, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x360, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x360, ['pointer64', ['void']]], 'Win32StartParameter' : [ 0x360, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x368, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x370, ['_LIST_ENTRY']], 'Cid' : [ 0x380, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3b0, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3b8, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3c8, ['unsigned long long']], 'DeviceToVerify' : [ 0x3d0, ['pointer64', ['_DEVICE_OBJECT']]], 'RateControlApc' : [ 0x3d8, ['pointer64', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x3e0, ['pointer64', ['void']]], 'SparePtr0' : [ 0x3e8, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x3f0, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x400, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x408, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x410, ['unsigned long']], 'MmLockOrdering' : [ 0x414, ['long']], 'CrossThreadFlags' : [ 0x418, ['unsigned long']], 'Terminated' : [ 0x418, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned 
long')]], 'ThreadInserted' : [ 0x418, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x418, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x418, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x418, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x418, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x418, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x418, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x418, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x418, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x418, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x418, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x418, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x41c, ['unsigned long']], 'ActiveExWorker' : [ 0x41c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x41c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x41c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x41c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x41c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x41c, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned 
long')]], 'SelfTerminate' : [ 0x41c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x420, ['unsigned long']], 'Spare' : [ 0x420, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x420, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x420, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x421, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x421, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x421, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x421, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x421, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x421, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x421, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x421, ['BitField', dict(start_bit = 7, end_bit = 8, 
native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x422, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'CacheManagerActive' : [ 0x424, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x425, ['unsigned char']], 'ActiveFaultCount' : [ 0x426, ['unsigned char']], 'AlpcMessageId' : [ 0x428, ['unsigned long long']], 'AlpcMessage' : [ 0x430, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x430, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x438, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x448, ['unsigned long']], } ], '_EPROCESS' : [ 0x3e8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xc0, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xc8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xd0, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xd8, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xe0, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0xe8, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xf8, ['array', 3, ['unsigned long long']]], 'QuotaPeak' : [ 0x110, ['array', 3, ['unsigned long long']]], 'CommitCharge' : [ 0x128, ['unsigned long long']], 'PeakVirtualSize' : [ 0x130, ['unsigned long long']], 'VirtualSize' : [ 0x138, ['unsigned long long']], 'SessionProcessLinks' : [ 0x140, ['_LIST_ENTRY']], 'DebugPort' : [ 0x150, ['pointer64', ['void']]], 'ExceptionPortData' : [ 0x158, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x158, ['unsigned long long']], 'ExceptionPortState' : [ 0x158, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'ObjectTable' : [ 0x160, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x168, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x170, ['unsigned long long']], 'AddressCreationLock' : [ 0x178, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x180, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x188, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x190, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x198, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x1a0, ['pointer64', 
['void']]], 'NumberOfPrivatePages' : [ 0x1a8, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x1b0, ['unsigned long long']], 'Win32Process' : [ 0x1b8, ['pointer64', ['void']]], 'Job' : [ 0x1c0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x1c8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x1d0, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x1d8, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x1e0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x1e8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x1f0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x1f8, ['pointer64', ['void']]], 'VadFreeHint' : [ 0x200, ['pointer64', ['void']]], 'VdmObjects' : [ 0x208, ['pointer64', ['void']]], 'DeviceMap' : [ 0x210, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x218, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x220, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x228, ['_HARDWARE_PTE']], 'Filler' : [ 0x228, ['unsigned long long']], 'Session' : [ 0x230, ['pointer64', ['void']]], 'ImageFileName' : [ 0x238, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x248, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x258, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x260, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x270, ['pointer64', ['void']]], 'Wow64Process' : [ 0x278, ['pointer64', ['_WOW64_PROCESS']]], 'ActiveThreads' : [ 0x280, ['unsigned long']], 'ImagePathHash' : [ 0x284, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x288, ['unsigned long']], 'LastThreadExitStatus' : [ 0x28c, ['long']], 'Peb' : [ 0x290, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x298, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x2a0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x2a8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x2b0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x2b8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x2c0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x2c8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 
0x2d0, ['unsigned long long']], 'CommitChargePeak' : [ 0x2d8, ['unsigned long long']], 'AweInfo' : [ 0x2e0, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x2e8, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x2f0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x358, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x368, ['unsigned long']], 'Flags2' : [ 0x36c, ['unsigned long']], 'JobNotReallyActive' : [ 0x36c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x36c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x36c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x36c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x36c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x36c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x36c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x36c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x36c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x36c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x36c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x36c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x36c, ['BitField', dict(start_bit = 16, end_bit 
= 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x36c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Flags' : [ 0x370, ['unsigned long']], 'CreateReported' : [ 0x370, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x370, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x370, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x370, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x370, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x370, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x370, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x370, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x370, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x370, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x370, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x370, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x370, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x370, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x370, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x370, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 17, end_bit = 18, 
native_type='unsigned long')]], 'HasAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x370, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x370, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x370, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x370, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x370, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x370, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x370, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x370, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x370, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'SparePsFlags1' : [ 0x370, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x374, ['long']], 'Spare7' : [ 0x378, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x37a, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x37b, ['unsigned char']], 'SubSystemVersion' : [ 0x37a, ['unsigned short']], 'PriorityClass' : [ 0x37c, ['unsigned char']], 'VadRoot' : [ 0x380, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x3c0, ['unsigned long']], 'AlpcContext' : [ 0x3c8, ['_ALPC_PROCESS_CONTEXT']], } ], '__unnamed_1202' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1207' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], 
'__unnamed_1209' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1207']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_1214' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1216' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_1214']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_1202']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_1209']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_1216']], } ], '__unnamed_121c' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, 
['unsigned long']], } ], '__unnamed_1220' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1224' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_1226' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_122a' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 
'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_122c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_122e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 
'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], } ], '__unnamed_1230' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 
'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1232' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1234' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1238' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_123a' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_123c' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_123e' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 
'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1240' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1242' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1246' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_124a' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_124e' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1252' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_1259' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_125d' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1261' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1263' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_1265' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1269' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 
'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_126d' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1271' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1275' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1279' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1281' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1285' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1287' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, 
['pointer64', ['void']]], } ], '__unnamed_1289' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_128b' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_121c']], 'CreatePipe' : [ 0x0, ['__unnamed_1220']], 'CreateMailslot' : [ 0x0, ['__unnamed_1224']], 'Read' : [ 0x0, ['__unnamed_1226']], 'Write' : [ 0x0, ['__unnamed_1226']], 'QueryDirectory' : [ 0x0, ['__unnamed_122a']], 'NotifyDirectory' : [ 0x0, ['__unnamed_122c']], 'QueryFile' : [ 0x0, ['__unnamed_122e']], 'SetFile' : [ 0x0, ['__unnamed_1230']], 'QueryEa' : [ 0x0, ['__unnamed_1232']], 'SetEa' : [ 0x0, ['__unnamed_1234']], 'QueryVolume' : [ 0x0, ['__unnamed_1238']], 'SetVolume' : [ 0x0, ['__unnamed_1238']], 'FileSystemControl' : [ 0x0, ['__unnamed_123a']], 'LockControl' : [ 0x0, ['__unnamed_123c']], 'DeviceIoControl' : [ 0x0, ['__unnamed_123e']], 'QuerySecurity' : [ 0x0, ['__unnamed_1240']], 'SetSecurity' : [ 0x0, ['__unnamed_1242']], 'MountVolume' : [ 0x0, ['__unnamed_1246']], 'VerifyVolume' : [ 0x0, ['__unnamed_1246']], 'Scsi' : [ 0x0, ['__unnamed_124a']], 'QueryQuota' : [ 0x0, ['__unnamed_124e']], 'SetQuota' : [ 0x0, ['__unnamed_1234']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1252']], 'QueryInterface' : [ 0x0, ['__unnamed_1259']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_125d']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1261']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1263']], 'SetLock' : [ 0x0, ['__unnamed_1265']], 'QueryId' : [ 0x0, ['__unnamed_1269']], 'QueryDeviceText' : [ 0x0, ['__unnamed_126d']], 'UsageNotification' : [ 0x0, ['__unnamed_1271']], 'WaitWake' : [ 0x0, ['__unnamed_1275']], 'PowerSequence' : [ 0x0, ['__unnamed_1279']], 'Power' : [ 0x0, ['__unnamed_1281']], 'StartDevice' : [ 0x0, ['__unnamed_1285']], 'WMI' : [ 0x0, ['__unnamed_1287']], 'Others' : [ 0x0, ['__unnamed_1289']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 
'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_128b']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Type' : [ 0x10, ['pointer64', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0x18, ['unsigned char']], 'HandleInfoOffset' : [ 0x19, ['unsigned char']], 'QuotaInfoOffset' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', 
['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'QueryReferences' : [ 0x18, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', 
['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', 
['unsigned long long']]], } ], '_PF_HARD_FAULT_INFO' : [ 0x38, { 'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']], 'HardFaultEvent' : [ 0x10, ['_PERFINFO_HARDPAGEFAULT_INFORMATION']], 'IoTimeInTicks' : [ 0x30, ['_LARGE_INTEGER']], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xd0, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x88, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['unsigned short']], 'ValidationBits' : [ 0xa, ['unsigned char']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '__unnamed_1339' : [ 0xd0, { 'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']], 'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']], 'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']], 'PciExpressError' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR']], 'PciXBusError' : [ 0x0, ['_WHEA_PCIX_BUS_ERROR']], 'PciXDeviceError' : [ 0x0, ['_WHEA_PCIX_DEVICE_ERROR']], } ], '_WHEA_ERROR_PACKET' : [ 0x119, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'RawDataLength' : [ 0x10, ['unsigned long long']], 'Context' : [ 0x18, ['unsigned long long']], 'ErrorType' : [ 0x20, ['Enumeration', dict(target 
= 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice'})]], 'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ErrorSourceId' : [ 0x28, ['unsigned long']], 'ErrorSourceType' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeOther', 6: 'WheaErrSrcTypeMax'})]], 'Reserved1' : [ 0x30, ['unsigned long']], 'Version' : [ 0x34, ['unsigned long']], 'Cpu' : [ 0x38, ['unsigned long long']], 'u' : [ 0x40, ['__unnamed_1339']], 'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrorStatusFormatIPFSalRecord', 1: 'WheaErrorStatusFormatIA32MCA', 2: 'WheaErrorStatusFormatEM64TMCA', 3: 'WheaErrorStatusFormatAMD64MCA', 4: 'WheaErrorStatusFormatPCIExpress', 5: 'WheaErrorStatusFormatNMIPort', 6: 'WheaErrorStatusFormatOther', 7: 'WheaErrorStatusFormatMax'})]], 'Reserved2' : [ 0x114, ['unsigned long']], 'RawData' : [ 0x118, ['array', 1, ['unsigned char']]], } ], '_KPROCESS' : [ 0xc0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'Unused0' : [ 0x30, ['unsigned long long']], 'IopmOffset' : [ 0x38, ['unsigned short']], 'ActiveProcessors' : [ 0x40, ['unsigned long long']], 'KernelTime' : [ 0x48, ['unsigned long']], 'UserTime' : [ 0x4c, ['unsigned long']], 'ReadyListHead' : [ 0x50, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'InstrumentationCallback' : [ 0x68, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x70, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x80, ['unsigned long long']], 'Affinity' : [ 0x88, ['unsigned long long']], 'AutoAlignment' : [ 0x90, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x90, ['long']], 'BasePriority' : [ 0x94, ['unsigned char']], 'QuantumReset' : [ 0x95, ['unsigned char']], 'State' : [ 0x96, ['unsigned char']], 'ThreadSeed' : [ 0x97, ['unsigned char']], 'PowerState' : [ 0x98, ['unsigned char']], 'IdealNode' : [ 0x99, ['unsigned char']], 'Visited' : [ 0x9a, ['unsigned char']], 'Flags' : [ 0x9b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x9b, ['unsigned char']], 'StackCount' : [ 0xa0, ['unsigned long long']], 'ProcessListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'CycleTime' : [ 0xb8, ['unsigned long long']], } ], '__unnamed_13f3' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'HardLarge' : [ 0x0, ['_MMPTE_HARDWARE_LARGEPAGE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_13f3']], } ], '_PTE_QUEUE_POINTER' : [ 0x8, { 'PointerPte' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 48, native_type='long long')]], 'TimeStamp' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], 'Data' : [ 0x0, ['long long']], } ], '__unnamed_140c' : [ 0x10, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0xe8, { 'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x10, ['_LIST_ENTRY']], 
'BootDriverListHead' : [ 0x20, ['_LIST_ENTRY']], 'KernelStack' : [ 0x30, ['unsigned long long']], 'Prcb' : [ 0x38, ['unsigned long long']], 'Process' : [ 0x40, ['unsigned long long']], 'Thread' : [ 0x48, ['unsigned long long']], 'RegistryLength' : [ 0x50, ['unsigned long']], 'RegistryBase' : [ 0x58, ['pointer64', ['void']]], 'ConfigurationRoot' : [ 0x60, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x68, ['pointer64', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x70, ['pointer64', ['unsigned char']]], 'NtBootPathName' : [ 0x78, ['pointer64', ['unsigned char']]], 'NtHalPathName' : [ 0x80, ['pointer64', ['unsigned char']]], 'LoadOptions' : [ 0x88, ['pointer64', ['unsigned char']]], 'NlsData' : [ 0x90, ['pointer64', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x98, ['pointer64', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0xa0, ['pointer64', ['void']]], 'SetupLoaderBlock' : [ 0xa8, ['pointer64', ['_SETUP_LOADER_BLOCK']]], 'Extension' : [ 0xb0, ['pointer64', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0xb8, ['__unnamed_140c']], 'FirmwareInformation' : [ 0xc8, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '__unnamed_1428' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_142a' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_142e' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1430' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ByteFlags' : [ 0x2, ['unsigned char']], 'InterlockedByteFlags' : [ 
0x3, ['unsigned char']], } ], '__unnamed_1432' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_142e']], 'e3' : [ 0x0, ['__unnamed_1430']], } ], '__unnamed_143a' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 52, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_1428']], 'u2' : [ 0x8, ['__unnamed_142a']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'u3' : [ 0x18, ['__unnamed_1432']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned short']], 'VaType' : [ 0x1e, ['unsigned char']], 'ViewCount' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_143a']], } ], '__unnamed_1446' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1446']], } ], '_MMWSL' : [ 0x488, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x18, ['pointer64', ['void']]], 'LastInitializedWsle' : [ 0x20, ['unsigned long']], 
'NextEstimationSlot' : [ 0x24, ['unsigned long']], 'NextAgingSlot' : [ 0x28, ['unsigned long']], 'EstimatedAvailable' : [ 0x2c, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x30, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x34, ['unsigned long']], 'VadBitMapHint' : [ 0x38, ['unsigned long']], 'NonDirectCount' : [ 0x3c, ['unsigned long']], 'NonDirectHash' : [ 0x40, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x48, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x50, ['pointer64', ['_MMWSLE_HASH']]], 'HighestUserAddress' : [ 0x58, ['pointer64', ['void']]], 'MaximumUserPageTablePages' : [ 0x60, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x64, ['unsigned long']], 'CommittedPageTables' : [ 0x68, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x70, ['unsigned long']], 'CommittedPageDirectories' : [ 0x78, ['array', 128, ['unsigned long long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x478, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x480, ['array', 1, ['unsigned long long']]], } ], '_MMSUPPORT' : [ 0x68, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimStamp' : [ 0x10, ['unsigned short']], 'NextPageColor' : [ 0x12, ['unsigned short']], 'Flags' : [ 0x14, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x18, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x1c, ['unsigned long']], 'Spare0' : [ 0x20, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x24, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x28, ['unsigned long']], 'VmWorkingSetList' : [ 0x30, ['pointer64', ['_MMWSL']]], 'Claim' : [ 0x38, ['unsigned long']], 'Spare' : [ 0x3c, ['array', 1, ['unsigned long']]], 'WorkingSetPrivateSize' : [ 0x40, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'ExitEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'WorkingSetMutex' : [ 0x58, ['_EX_PUSH_LOCK']], 'AccessLog' : [ 0x60, 
['pointer64', ['void']]], } ], '__unnamed_146a' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_146c' : [ 0x4, { 'ModifiedWriteCount' : [ 0x0, ['unsigned short']], 'FlushInProgressCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_146e' : [ 0x4, { 'e2' : [ 0x0, ['__unnamed_146c']], } ], '__unnamed_147a' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_147c' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_147a']], } ], '_CONTROL_AREA' : [ 0x60, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x1c, ['unsigned long']], 'NumberOfMappedViews' : [ 0x20, ['unsigned long']], 'NumberOfUserReferences' : [ 0x24, ['unsigned long']], 'u' : [ 0x28, ['__unnamed_146a']], 'u1' : [ 0x2c, ['__unnamed_146e']], 'FilePointer' : [ 0x30, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x38, ['long']], 'StartingFrame' : [ 0x3c, ['unsigned long']], 'WaitingForDeletion' : [ 0x40, ['pointer64', ['_MI_SECTION_CREATION_EVENT']]], 'u2' : [ 0x48, ['__unnamed_147c']], 'LockedPages' : [ 0x58, ['long long']], } ], '_MMPAGING_FILE' : [ 0xa0, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 
'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'File' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x38, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x48, ['_UNICODE_STRING']], 'Bitmap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x60, ['unsigned long']], 'LastAllocationSize' : [ 0x64, ['unsigned long']], 'PageFileNumber' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x6a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x6a, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x70, ['pointer64', ['void']]], 'AvailableList' : [ 0x80, ['_SLIST_HEADER']], 'NeedProcessingList' : [ 0x90, ['_SLIST_HEADER']], } ], '_MMPAGING_FILE_FREE_ENTRY' : [ 0x10, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'FreeBit' : [ 0x8, ['unsigned long']], } ], '__unnamed_14ae' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_14b1' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_14b4' : [ 0x8, { 'LongFlags3' : [ 0x0, ['unsigned long long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x40, { 'u1' : [ 0x0, ['__unnamed_14ae']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, 
['__unnamed_14b1']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b4']], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '__unnamed_14be' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x60, { 'u1' : [ 0x0, ['__unnamed_14ae']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14b1']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b4']], 'u2' : [ 0x40, ['__unnamed_14be']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], } ], '_MI_COLOR_BASE' : [ 0x10, { 'ColorPointer' : [ 0x0, ['pointer64', ['unsigned short']]], 'ColorMask' : [ 0x8, ['unsigned short']], 'ColorNode' : [ 0xa, ['unsigned short']], } ], '__unnamed_14d0' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_14d0']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long 
long']], } ], '__unnamed_14d5' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14d5']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '__unnamed_14db' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], 'NextToFree' : [ 0x0, ['pointer64', ['_MI_PER_SESSION_PROTOS']]], } ], '__unnamed_14dd' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x38, { 'u1' : [ 0x0, ['__unnamed_14db']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'SessionId' : [ 0x18, ['unsigned long']], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'SubsectionBase' : [ 0x28, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x30, ['__unnamed_14dd']], } ], '__unnamed_14e6' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_14e8' : [ 0x8, { 'LastPageToWrite' : [ 0x0, ['unsigned long long']], 'KeepForever' : [ 0x0, ['unsigned long long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_14e6']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['__unnamed_14e8']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 
'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '__unnamed_14f0' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x68, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x18, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x28, ['unsigned long long']], 'MdlHack' : [ 0x30, ['__unnamed_14f0']], } ], '_HHIVE' : [ 0x590, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'BaseBlock' : [ 0x48, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x50, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x60, ['unsigned long']], 'DirtyAlloc' : [ 0x64, ['unsigned long']], 'BaseBlockAlloc' : [ 0x68, ['unsigned long']], 'Cluster' : [ 0x6c, ['unsigned long']], 'Flat' : [ 0x70, ['unsigned char']], 'ReadOnly' : [ 0x71, ['unsigned char']], 'DirtyFlag' : [ 0x72, ['unsigned char']], 'HvBinHeadersUse' : [ 0x74, ['unsigned long']], 'HvFreeCellsUse' : [ 0x78, ['unsigned long']], 'HvUsedCellsUse' : [ 0x7c, ['unsigned long']], 'CmUsedCellsUse' : [ 0x80, ['unsigned long']], 'HiveFlags' : [ 0x84, ['unsigned long']], 
'CurrentLog' : [ 0x88, ['unsigned long']], 'LogSize' : [ 0x8c, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x94, ['unsigned long']], 'StorageTypeCount' : [ 0x98, ['unsigned long']], 'Version' : [ 0x9c, ['unsigned long']], 'Storage' : [ 0xa0, ['array', 2, ['_DUAL']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_CM_VIEW_OF_FILE' : [ 0x58, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x20, ['_LIST_ENTRY']], 'CmHive' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'Bcb' : [ 0x38, ['pointer64', ['void']]], 'ViewAddress' : [ 0x40, ['pointer64', ['void']]], 'FileOffset' : [ 0x48, ['unsigned long']], 'Size' : [ 0x4c, ['unsigned long']], 'UseCount' : [ 0x50, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_TEB' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, 
['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' 
: [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'EtwLocalData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'SpareBool0' : [ 0x1744, ['unsigned char']], 'SpareBool1' : [ 0x1745, ['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 
'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 
'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Period' : [ 0x38, ['long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'SpareByte' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '__unnamed_15c8' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_PROCESSOR_POWER_STATE' : [ 0x138, { 'IdleFunction' : [ 0x0, ['pointer64', ['void']]], 'IdleStates' : [ 0x8, ['pointer64', ['PPM_IDLE_STATES']]], 'LastTimeCheck' : [ 0x10, ['unsigned long long']], 'LastIdleTime' : [ 0x18, ['unsigned long long']], 'IdleTimes' : [ 0x20, ['PROCESSOR_IDLE_TIMES']], 'IdleAccounting' : [ 0x40, ['pointer64', ['PPM_IDLE_ACCOUNTING']]], 'PerfStates' : [ 0x48, ['pointer64', ['PPM_PERF_STATES']]], 
'LastKernelUserTime' : [ 0x50, ['unsigned long']], 'LastIdleThreadKTime' : [ 0x54, ['unsigned long']], 'LastGlobalTimeHv' : [ 0x58, ['unsigned long long']], 'LastProcessorTimeHv' : [ 0x60, ['unsigned long long']], 'ThermalConstraint' : [ 0x68, ['unsigned char']], 'LastBusyPercentage' : [ 0x69, ['unsigned char']], 'Flags' : [ 0x6a, ['__unnamed_15c8']], 'PerfTimer' : [ 0x70, ['_KTIMER']], 'PerfDpc' : [ 0xb0, ['_KDPC']], 'LastSysTime' : [ 0xf0, ['unsigned long']], 'PStateMaster' : [ 0xf8, ['pointer64', ['_KPRCB']]], 'PStateSet' : [ 0x100, ['unsigned long long']], 'CurrentPState' : [ 0x108, ['unsigned long']], 'Reserved0' : [ 0x10c, ['unsigned long']], 'DesiredPState' : [ 0x110, ['unsigned long']], 'Reserved1' : [ 0x114, ['unsigned long']], 'PStateIdleStartTime' : [ 0x118, ['unsigned long']], 'PStateIdleTime' : [ 0x11c, ['unsigned long']], 'LastPStateIdleTime' : [ 0x120, ['unsigned long']], 'PStateStartTime' : [ 0x124, ['unsigned long']], 'WmiDispatchPtr' : [ 0x128, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0x130, ['long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, 
['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' 
: [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'DispatchedList' : [ 0x10, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x20, ['_KSEMAPHORE']], 'CompletedList' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_15f9' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', 
['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_15f9']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '__unnamed_160b' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_160d' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1611' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x220, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'Level' : [ 0x20, ['unsigned long']], 'Notify' : [ 0x28, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x68, ['_PO_IRP_MANAGER']], 'State' : [ 0x88, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 
'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x8c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x90, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 
787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xe0, ['unsigned long']], 'CompletionStatus' : [ 0xe4, ['long']], 'PendingIrp' : [ 0xe8, ['pointer64', ['_IRP']]], 'Flags' : [ 0xf0, ['unsigned long']], 'UserFlags' : [ 0xf4, ['unsigned long']], 'Problem' : [ 0xf8, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x100, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x108, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x110, ['pointer64', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x118, ['_UNICODE_STRING']], 'ServiceName' : [ 0x128, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x140, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x14c, ['unsigned long']], 'ChildInterfaceType' : [ 0x150, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x154, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x158, ['unsigned short']], 'RemovalPolicy' : [ 0x15a, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x15b, ['unsigned char']], 'TargetDeviceNotify' : [ 0x160, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x170, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x180, ['_LIST_ENTRY']], 'NoTranslatorMask' 
: [ 0x190, ['unsigned short']], 'QueryTranslatorMask' : [ 0x192, ['unsigned short']], 'NoArbiterMask' : [ 0x194, ['unsigned short']], 'QueryArbiterMask' : [ 0x196, ['unsigned short']], 'OverUsed1' : [ 0x198, ['__unnamed_160b']], 'OverUsed2' : [ 0x1a0, ['__unnamed_160d']], 'BootResources' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x1b0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x1b8, ['unsigned long']], 'DockInfo' : [ 0x1c0, ['__unnamed_1611']], 'DisableableDepends' : [ 0x1e0, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x1e8, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x1f8, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x208, ['unsigned long']], 'PreviousParent' : [ 0x210, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x218, ['unsigned long']], 'NumaNodeIndex' : [ 0x21c, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 
'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 
0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], 
'_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_16b1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 
'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16b1']], } ], '__unnamed_16b8' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16b8']], } ], '_VOLUME_CACHE_MAP' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 
0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x20, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x1c8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x68, ['pointer64', ['_VACB']]], 'NeedToZero' : [ 0x70, ['pointer64', ['void']]], 'ActivePage' : [ 0x78, ['unsigned long']], 'NeedToZeroPage' : [ 0x7c, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x80, ['unsigned long long']], 'VacbActiveCount' : [ 0x88, ['unsigned long']], 'DirtyPages' : [ 0x8c, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x90, ['_LIST_ENTRY']], 'Flags' : [ 0xa0, ['unsigned long']], 'Status' : [ 0xa4, ['long']], 'Mbcb' : [ 0xa8, ['pointer64', ['_MBCB']]], 'Section' : [ 0xb0, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xc0, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc8, ['unsigned long']], 'BeyondLastFlush' : [ 0xd0, ['long long']], 'Callbacks' : [ 0xd8, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xe0, ['pointer64', ['void']]], 'PrivateList' : [ 0xe8, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf8, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x100, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0x118, ['pointer64', ['_VACB']]], 'BcbSpinLock' : [ 0x120, 
['unsigned long long']], 'Reserved' : [ 0x128, ['pointer64', ['void']]], 'Event' : [ 0x130, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x148, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x150, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1b0, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1b8, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x1c0, ['unsigned long']], 'MappedWritesInProgress' : [ 0x1c4, ['unsigned long']], } ], '__unnamed_16f3' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_16f3']], 'LruList' : [ 0x18, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x28, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1701' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1703' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1705' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_1707' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1709' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_1701']], 'Write' : [ 0x0, ['__unnamed_1703']], 'Event' : [ 0x0, ['__unnamed_1705']], 'Notification' : [ 0x0, ['__unnamed_1707']], } ], '_WORK_QUEUE_ENTRY' : [ 0x30, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x10, ['_LIST_ENTRY']], 'Parameters' : [ 0x20, ['__unnamed_1709']], 'Function' : [ 0x28, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 
'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x1f8, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x90, ['unsigned long long']], 'Interceptor' : [ 0x98, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x9c, ['unsigned long']], 'Signature' : [ 0xa0, ['unsigned long']], 'SegmentReserve' : [ 0xa8, ['unsigned long long']], 'SegmentCommit' : [ 0xb0, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb8, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xc0, ['unsigned long long']], 'TotalFreeSize' : [ 0xc8, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xd0, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd8, ['unsigned short']], 'HeaderValidateLength' : [ 0xda, ['unsigned short']], 'HeaderValidateCopy' : [ 0xe0, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe8, ['unsigned short']], 'MaximumTagIndex' : [ 0xea, ['unsigned short']], 'TagEntries' : [ 0xf0, 
['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf8, ['_LIST_ENTRY']], 'AlignRound' : [ 0x108, ['unsigned long long']], 'AlignMask' : [ 0x110, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x118, ['_LIST_ENTRY']], 'SegmentList' : [ 0x128, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x138, ['unsigned short']], 'NonDedicatedListLength' : [ 0x13c, ['unsigned long']], 'BlocksIndex' : [ 0x140, ['pointer64', ['void']]], 'UCRIndex' : [ 0x148, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x150, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x158, ['_LIST_ENTRY']], 'LockVariable' : [ 0x168, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x170, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'Counters' : [ 0x188, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x1e8, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], 
'_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xc8, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 
0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ForwarderLinks' : [ 0x98, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0xa8, ['_LIST_ENTRY']], 'StaticLinks' : [ 0xb8, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'LocalInfo' : [ 0x0, ['pointer64', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, 
['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x350, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer64', ['void']]], 'LoggerThread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x18, ['long']], 'LoggerId' : [ 0x1c, ['unsigned long']], 'NBQHead' : [ 0x20, ['pointer64', ['void']]], 'OverflowNBQHead' : [ 0x28, ['pointer64', ['void']]], 'QueueBlockFreeList' : [ 0x30, ['_SLIST_HEADER']], 'GlobalList' : [ 0x40, ['_SLIST_HEADER']], 'LoggerName' : [ 0x50, ['_UNICODE_STRING']], 'LogFileName' : [ 0x60, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x70, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x80, ['_UNICODE_STRING']], 'ClockType' : [ 0x90, ['unsigned long']], 'CollectionOn' : [ 0x94, ['long']], 'MaximumFileSize' : [ 0x98, ['unsigned long']], 'LoggerMode' : [ 0x9c, ['unsigned long']], 'LastFlushedBuffer' : [ 0xa0, ['unsigned long']], 'FlushTimer' : [ 0xa4, ['unsigned long']], 'ByteOffset' : [ 0xa8, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0xb0, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xb8, ['unsigned long']], 'BuffersAvailable' : [ 0xbc, ['long']], 'NumberOfBuffers' : [ 0xc0, ['long']], 'MaximumBuffers' : [ 0xc4, ['unsigned long']], 'EventsLost' : [ 0xc8, ['unsigned long']], 'BuffersWritten' : [ 0xcc, ['unsigned long']], 'LogBuffersLost' : [ 0xd0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xd4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xd8, ['unsigned long']], 'BufferSize' : [ 0xdc, ['unsigned long']], 'MaximumEventSize' : [ 0xe0, ['unsigned long']], 'SequencePtr' : [ 0xe8, ['pointer64', ['long']]], 'LocalSequence' : [ 0xf0, ['unsigned long']], 'InstanceGuid' : [ 0xf4, ['_GUID']], 'GetCpuClock' : [ 0x108, ['pointer64', ['void']]], 'FileCounter' : [ 0x110, ['long']], 'BufferCallback' : [ 0x118, ['pointer64', ['void']]], 'PoolType' : [ 0x120, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 
'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x128, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0x138, ['unsigned char']], 'Consumers' : [ 0x140, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x150, ['unsigned long']], 'Connecting' : [ 0x158, ['_LIST_ENTRY']], 'NewConsumer' : [ 0x168, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0x170, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x178, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x188, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x190, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1a0, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1a8, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1b0, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x1c0, ['unsigned long']], 'RealtimeDisconnectConsumerId' : [ 0x1c4, ['unsigned long']], 'NewRTEventsLost' : [ 0x1c8, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1d0, ['_KEVENT']], 'FlushEvent' : [ 0x1e8, ['_KEVENT']], 'FlushDpc' : [ 0x200, ['_KDPC']], 'LoggerMutex' : [ 0x240, ['_KMUTANT']], 'ClientSecurityContext' : [ 0x278, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c0, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x2c8, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x310, ['long long']], 'AcceptNewEvents' : [ 0x318, ['long']], 'Flags' : [ 0x31c, ['unsigned long']], 'Persistent' : [ 0x31c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x31c, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x31c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x31c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x31c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x31c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x31c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x320, ['unsigned long']], 'RequestNewFie' : [ 0x320, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x320, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x320, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x320, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x320, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 0x324, ['unsigned short']], 'StackTraceFilter' : [ 0x326, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Spare0' : [ 0x20, ['unsigned long']], 'Spare1' : [ 0x24, ['unsigned long']], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 
'EtwBufferStateMaximum'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'SlistEntry' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x38, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'GlobalEntry' : [ 0x40, ['_SINGLE_LIST_ENTRY']], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_GUID_ENTRY' : [ 0x170, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LegacyEnableContext' : [ 0x40, ['_TRACE_ENABLE_CONTEXT']], 'LegacyProviderEnabled' : [ 0x48, ['unsigned long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned 
char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x318, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa0, ['pointer64', ['void']]], 'DynamicPart' : [ 0xa8, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb0, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc0, ['unsigned long']], 'TokenInUse' : [ 0xc4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xc8, ['unsigned long']], 'MandatoryPolicy' : [ 0xcc, ['unsigned long']], 'ProxyData' : [ 0xd0, ['pointer64', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xd8, 
['pointer64', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xe0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe8, ['_LUID']], 'SidHash' : [ 0xf0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x200, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x310, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x50, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_MMVAD_FLAGS3' : [ 0x8, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned long long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'LargePageCreating' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'Spare3' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 
0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' 
: [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, 
native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'Abandoned' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x60, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : 
[ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'CompactHeapCalls' : [ 0x48, ['unsigned long']], 'CompactedUCRs' : [ 0x4c, ['unsigned long']], 'InBlockDeccommits' : [ 0x50, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x58, ['unsigned long long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x20, { 'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']], 'VirtualAddress' : [ 0x8, ['pointer64', ['void']]], 'FileObject' : [ 0x10, ['pointer64', ['void']]], 'ThreadId' : [ 0x18, ['unsigned long']], 'ByteCount' : [ 0x1c, ['unsigned long']], } ], '_I386_LOADER_BLOCK' : [ 0x10, { 'CommonDataArea' : [ 0x0, ['pointer64', ['void']]], 'MachineType' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x10, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_WHEA_NMI_ERROR' : [ 0x8, { 'Data' : [ 0x0, ['array', 8, ['unsigned char']]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned 
char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_HANDLE_TABLE' : [ 0x60, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x20, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x38, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x40, ['long']], 'Flags' : [ 0x44, ['unsigned long']], 'StrictFIFO' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x48, ['long']], 'LastFreeHandleEntry' : [ 0x50, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x58, ['long']], 'NextHandleNeedingPool' : [ 0x5c, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 
'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_CANCEL_GLOBALS' : [ 0x78, { 'CancelLock' : [ 0x0, ['unsigned long long']], 'IssueLock' : [ 0x8, ['unsigned long long']], 'Counters' : [ 0x10, ['array', 25, ['long']]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_CM_KEY_BODY' : [ 0x60, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['unsigned long']], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'KeyBodyLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'ContextListHead' : [ 0x50, ['_LIST_ENTRY']], } ], '_XMM_SAVE_AREA32' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' 
: [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x54, ['unsigned long']], } ], '__unnamed_18ac' 
: [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_18ae' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_18ac']], 'Private' : [ 0x0, ['__unnamed_18ae']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, 
['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_CMHIVE' : [ 0xb38, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x590, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5c0, ['_LIST_ENTRY']], 'HiveList' : [ 0x5d0, ['_LIST_ENTRY']], 'HiveLock' : [ 0x5e0, ['pointer64', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x5e8, ['pointer64', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x5f0, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x5f8, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x600, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x608, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x618, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x628, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x638, ['unsigned short']], 'PinnedViewCount' : [ 0x63a, ['unsigned short']], 'UseCount' : [ 0x63c, ['unsigned long']], 'ViewsPerHive' : [ 0x640, ['unsigned long']], 'FileObject' : [ 0x648, ['pointer64', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x650, ['unsigned long']], 'ActualFileSize' : [ 0x658, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x660, ['_UNICODE_STRING']], 'FileUserName' : [ 0x670, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x680, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x690, ['unsigned long']], 'SecurityCacheSize' : [ 0x694, ['unsigned long']], 'SecurityHitHint' : [ 0x698, ['long']], 'SecurityCache' : [ 0x6a0, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x6a8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xaa8, ['unsigned long']], 'UnloadEventArray' : [ 0xab0, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xab8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xac0, ['unsigned char']], 'UnloadWorkItem' : [ 0xac8, ['pointer64', 
['_CM_WORKITEM']]], 'GrowOnlyMode' : [ 0xad0, ['unsigned char']], 'GrowOffset' : [ 0xad4, ['unsigned long']], 'KcbConvertListHead' : [ 0xad8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xae8, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xaf8, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xb00, ['unsigned long']], 'TrustClassEntry' : [ 0xb08, ['_LIST_ENTRY']], 'FlushCount' : [ 0xb18, ['unsigned long']], 'CmRm' : [ 0xb20, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xb28, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xb2c, ['long']], 'CreatorOwner' : [ 0xb30, ['pointer64', ['_KTHREAD']]], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x10, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '__unnamed_18d6' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_18dc' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x78, { 'u1' : [ 0x0, ['__unnamed_14ae']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14b1']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b4']], 'u2' : [ 0x40, ['__unnamed_14be']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'u3' : [ 0x60, ['__unnamed_18d6']], 'u4' : [ 0x70, 
['__unnamed_18dc']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_EJOB' : [ 0x1b0, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0xe0, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'ActiveProcessLimit' : [ 0xf8, ['unsigned long']], 'Affinity' : [ 0x100, ['unsigned long long']], 'PriorityClass' : [ 0x108, ['unsigned char']], 'AccessState' : [ 0x110, ['pointer64', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0x118, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x11c, ['unsigned long']], 
'CompletionPort' : [ 0x120, ['pointer64', ['void']]], 'CompletionKey' : [ 0x128, ['pointer64', ['void']]], 'SessionId' : [ 0x130, ['unsigned long']], 'SchedulingClass' : [ 0x134, ['unsigned long']], 'ReadOperationCount' : [ 0x138, ['unsigned long long']], 'WriteOperationCount' : [ 0x140, ['unsigned long long']], 'OtherOperationCount' : [ 0x148, ['unsigned long long']], 'ReadTransferCount' : [ 0x150, ['unsigned long long']], 'WriteTransferCount' : [ 0x158, ['unsigned long long']], 'OtherTransferCount' : [ 0x160, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x168, ['unsigned long long']], 'JobMemoryLimit' : [ 0x170, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x178, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x180, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x188, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x190, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x198, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x1a8, ['unsigned long']], 'JobFlags' : [ 0x1ac, ['unsigned long']], } ], '__unnamed_18ee' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], 'PPM_IDLE_STATES' : [ 0x48, { 'Type' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['__unnamed_18ee']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['unsigned long long']], 'State' : [ 0x20, ['array', 1, ['PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x368, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' 
: [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['pointer64', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', 
['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, 
['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], } ], '__unnamed_1908' : [ 0x18, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x20, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_1908']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_POOL_DESCRIPTOR' : [ 0x1048, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 
'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['long']], 'RunningDeAllocs' : [ 0xc, ['long']], 'TotalPages' : [ 0x10, ['long']], 'TotalBigPages' : [ 0x14, ['long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x20, ['pointer64', ['void']]], 'PendingFrees' : [ 0x28, ['pointer64', ['pointer64', ['void']]]], 'ThreadsProcessingDeferrals' : [ 0x30, ['long']], 'PendingFreeDepth' : [ 0x34, ['long']], 'TotalBytes' : [ 0x38, ['unsigned long long']], 'Spare0' : [ 0x40, ['unsigned long long']], 'ListHeads' : [ 0x48, ['array', 256, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x88, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['unsigned short']], 'Reserved1' : [ 0x6, ['unsigned short']], 'Reserved2' : [ 0x8, ['unsigned short']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ValidationBits' : [ 0x10, ['unsigned long']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_LARGE_INTEGER']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['unsigned long']], 'PersistenceInfo' : [ 0x70, ['_WHEA_PERSISTENCE_INFO']], 'Reserved3' : [ 0x78, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', 
dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned char']], 'ShareVector' : [ 0x61, ['unsigned char']], 'Mode' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x6c, ['unsigned long']], 'DispatchCount' : [ 0x70, ['unsigned long']], 'Rsvd1' : [ 0x78, ['unsigned long long']], 'TrapFrame' : [ 0x80, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x88, ['pointer64', ['void']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, 
['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x38, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmHive2' : [ 0x28, ['pointer64', ['_CMHIVE']]], 'ThreadFinished' : [ 0x30, ['unsigned char']], 'ThreadStarted' : [ 0x31, ['unsigned char']], 'Allocate' : [ 0x32, ['unsigned char']], 'WinPERequired' : [ 0x33, ['unsigned char']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned 
short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XMM_SAVE_AREA32']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : 
[ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, 
['pointer64', ['_IRP']]], 'StackTrace' : [ 0x8, ['array', 63, ['pointer64', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WHEA_PCIX_BUS_ERROR' : [ 0x48, { 'ValidationBits' : [ 0x0, ['_WHEA_PCIX_BUS_VALIDATION_BITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['unsigned short']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['unsigned long long']], 'BusRequestorId' : [ 0x30, ['unsigned long long']], 'BusCompleterId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_PEB_FREE_BLOCK' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, 
['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '__unnamed_1981' : [ 0x28, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x28, { 'Lock' : [ 0x0, ['__unnamed_1981']], } ], 
'_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, 
['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned char']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x48, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0x18, { 'AnsiCodePageData' : [ 0x0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0x8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0x10, ['pointer64', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x100, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'ParentKcb' : [ 0x28, 
['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x30, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x38, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x40, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x50, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x50, ['unsigned long']], 'SubKeyCount' : [ 0x50, ['unsigned long']], 'KeyBodyListHead' : [ 0x58, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x58, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x68, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x88, ['pointer64', ['void']]], 'KcbLastWriteTime' : [ 0x90, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x98, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x9a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x9c, ['unsigned long']], 'KcbUserFlags' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xa0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xa0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xa0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xa8, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xb0, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0xc0, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xc8, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0xd8, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0xe8, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0xf0, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0xf8, ['pointer64', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', 
dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 
'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 
0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_1a07' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], 'PPM_PERF_STATES' : [ 0x80, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 
'MaxPerfState' : [ 0x8, ['unsigned long']], 'MinPerfState' : [ 0xc, ['unsigned long']], 'LowestPState' : [ 0x10, ['unsigned long']], 'IncreaseTime' : [ 0x14, ['unsigned long']], 'DecreaseTime' : [ 0x18, ['unsigned long']], 'BusyAdjThreshold' : [ 0x1c, ['unsigned char']], 'Reserved' : [ 0x1d, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x1e, ['unsigned char']], 'PolicyType' : [ 0x1f, ['unsigned char']], 'TimerInterval' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['__unnamed_1a07']], 'TargetProcessors' : [ 0x28, ['unsigned long long']], 'PStateHandler' : [ 0x30, ['pointer64', ['void']]], 'PStateContext' : [ 0x38, ['unsigned long long']], 'TStateHandler' : [ 0x40, ['pointer64', ['void']]], 'TStateContext' : [ 0x48, ['unsigned long long']], 'FeedbackHandler' : [ 0x50, ['pointer64', ['void']]], 'State' : [ 0x58, ['array', 1, ['PPM_PERF_STATE']]], } ], 'PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], 'PPM_IDLE_STATE' : [ 0x28, { 'IdleHandler' : [ 0x0, ['pointer64', ['void']]], 'Context' : [ 0x8, ['unsigned long long']], 'Latency' : [ 0x10, ['unsigned long']], 'Power' : [ 0x14, ['unsigned long']], 'TimeCheck' : [ 0x18, ['unsigned long']], 'StateFlags' : [ 0x1c, ['unsigned long']], 'PromotePercent' : [ 0x20, ['unsigned char']], 'DemotePercent' : [ 0x21, ['unsigned char']], 'PromotePercentBase' : [ 0x22, ['unsigned char']], 'DemotePercentBase' : [ 0x23, ['unsigned char']], 'StateType' : [ 0x24, ['unsigned char']], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 
0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, 
['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderMaximum'})]], 'BasePage' : [ 0x14, ['unsigned long']], 'PageCount' : [ 0x18, ['unsigned long']], } ], '_WHEA_PCIX_DEVICE_ERROR' : [ 0x68, { 'ValidationBits' : [ 0x0, ['_WHEA_PCIX_DEV_VALIDATION_BITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, ['array', 16, ['unsigned char']]], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, ['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 64, ['unsigned char']]], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 
'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x40, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'NonExtendedPtes' : [ 0xc, ['unsigned long']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'SegmentFlags' : [ 0x30, ['_SEGMENT_FLAGS']], 'LastSubsectionHint' : [ 0x38, ['pointer64', ['_MSUBSECTION']]], } ], '_TEB64' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 
'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'SpareBool0' : [ 0x1744, ['unsigned char']], 'SpareBool1' : [ 0x1745, ['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 
'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x18, ['unsigned long']], 'ObjectMask' : [ 0x1c, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'OwnerCount' : [ 0x8, ['long']], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_ETIMER' : [ 0x108, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, 
['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeTimer' : [ 0xf5, ['unsigned char']], 'WakeTimerListEntry' : [ 0xf8, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1a66' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_1a66']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_ARBITER_INSTANCE' : [ 0x690, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, 
['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'Extension' : [ 0x128, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x130, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x138, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x140, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x148, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3e8, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x688, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_WHEA_MEMORY_ERROR' : [ 0x50, { 'ValidationBits' : [ 0x0, ['unsigned long long']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequestorId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned 
long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 
17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1acc' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ad2' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 'IrqPolicyAllProcessorsInMachine', 4: 'IrqPolicySpecifiedProcessors', 5: 'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 
'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1ad4' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ad6' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1ad8' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1ada' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1adc' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ade' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ae0' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ae2' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1acc']], 'Memory' : [ 0x0, ['__unnamed_1acc']], 'Interrupt' : [ 0x0, ['__unnamed_1ad2']], 'Dma' : [ 0x0, ['__unnamed_1ad4']], 'Generic' : [ 0x0, ['__unnamed_1acc']], 'DevicePrivate' : [ 0x0, ['__unnamed_1ad6']], 'BusNumber' : [ 0x0, ['__unnamed_1ad8']], 'ConfigData' : [ 0x0, ['__unnamed_1ada']], 'Memory40' : [ 0x0, ['__unnamed_1adc']], 'Memory48' : [ 0x0, ['__unnamed_1ade']], 'Memory64' : [ 0x0, ['__unnamed_1ae0']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned 
char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1ae2']], } ], '_POP_THERMAL_ZONE' : [ 0x128, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc8, ['pointer64', ['_IRP']]], 'Info' : [ 0xd0, ['_THERMAL_INFORMATION_EX']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 
'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_CM_TRANS' : [ 0xb0, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 8, ['pointer64', ['_CMHIVE']]]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x48, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ParseContext' : [ 0x10, ['pointer64', ['void']]], 'ProbeMode' : [ 0x18, ['unsigned char']], 'PagedPoolCharge' : [ 0x1c, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x20, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x24, ['unsigned 
long']], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'SecurityQos' : [ 0x30, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x38, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1b, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1a, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_MBCB' : [ 0xb8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x58, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x88, ['_BITMAP_RANGE']], } ], '__unnamed_1b1e' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 
'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1b1e']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' 
: [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 
'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_WOW64_PROCESS' : [ 0x8, { 'Wow64' : [ 0x0, ['pointer64', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 
0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_MI_SECTION_CREATION_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_SECTION_CREATION_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_PEB32' : [ 0x238, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : 
[ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'HotpatchInformation' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 
'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '__unnamed_1b63' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1b65' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b63']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1b67' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1b69' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1b67']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1b65']], 'u2' : [ 0x4, ['__unnamed_1b69']], 'ClientId' : [ 
0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' 
: [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x18, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x8, ['pointer64', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x10, ['long']], 'MissedMappingsCount' : [ 0x14, ['unsigned long']], } ], '__unnamed_1b90' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b92' : [ 0x10, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, 
['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1b94' : [ 0x10, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1b96' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_1b94']], 'Translated' : [ 0x0, ['__unnamed_1b92']], } ], '__unnamed_1b98' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b9a' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b9c' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b9e' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ba0' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ba2' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ba4' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_1b90']], 'Port' : [ 0x0, ['__unnamed_1b90']], 'Interrupt' : [ 0x0, ['__unnamed_1b92']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1b96']], 'Memory' : [ 0x0, ['__unnamed_1b90']], 'Dma' : [ 0x0, ['__unnamed_1b98']], 'DevicePrivate' : [ 0x0, ['__unnamed_1ad6']], 'BusNumber' : [ 0x0, ['__unnamed_1b9a']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1b9c']], 'Memory40' : [ 0x0, ['__unnamed_1b9e']], 'Memory48' : [ 0x0, ['__unnamed_1ba0']], 'Memory64' : [ 0x0, ['__unnamed_1ba2']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1ba4']], } ], '__unnamed_1ba9' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 
'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1ba9']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMPTE_HARDWARE_LARGEPAGE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PAT' : [ 0x0, ['BitField', 
dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 21, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 40, native_type='unsigned long long')]], 'reserved2' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned 
long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1bc6' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, 
{ 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_1bc6']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x48, { 'Parent' : [ 0x0, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x8, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x10, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0x18, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bd0' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x28, { 'u' : [ 0x0, ['__unnamed_14d5']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_1bd0']], 'LeftChild' : [ 0x18, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x20, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x88, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x18, ['_LIST_ENTRY']], 'DeviceType' : [ 0x28, ['unsigned char']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x30, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x40, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x50, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x70, ['_LIST_ENTRY']], 'PreviousIdleCount' : [ 0x80, ['unsigned long']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned 
long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 
'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentSavepointing', 270: 'KEnlistmentAborting', 271: 'KEnlistmentReadOnly', 272: 'KEnlistmentOutcomeUnavailable', 273: 'KEnlistmentOffline', 274: 'KEnlistmentPrePrepared', 275: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, 
['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 
'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x38, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'DriveMap' : [ 0x14, ['unsigned long']], 'DriveType' : [ 0x18, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x30, { 'InterceptorFunction' : [ 0x0, ['pointer64', ['void']]], 'InterceptorValue' : [ 0x8, ['unsigned short']], 'ExtendedOptions' : [ 0xc, ['unsigned long']], 'StackTraceDepth' : [ 0x10, ['unsigned long']], 'MinTotalBlockSize' : [ 0x18, ['unsigned long long']], 'MaxTotalBlockSize' : [ 0x20, ['unsigned long long']], 'HeapLeakEnumerationRoutine' : [ 0x28, ['pointer64', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidationBits' : [ 0x0, ['unsigned long long']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PciExpressEndpoint', 1: 'PciExpressLegacyEndpoint', 4: 'PciExpressRootPort', 5: 'PciExpressUpstreamSwitchPort', 6: 
'PciExpressDownstreamSwitchPort', 7: 'PciExpressToPciXBridge', 8: 'PciXToExpressBridge', 9: 'PciExpressRootComplexIntegratedEndpoint', 10: 'PciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['unsigned long']], 'CommandStatus' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_PCIE_DEVICE_ID']], 'DeviceSN' : [ 0x28, ['unsigned long long']], 'BridgeCtrlSts' : [ 0x30, ['unsigned long']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_OBJECT_TYPE' : [ 0x220, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x68, ['_LIST_ENTRY']], 'Name' : [ 0x78, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x88, ['pointer64', ['void']]], 'Index' : [ 0x90, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x94, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x98, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x9c, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0xa0, ['unsigned long']], 'TypeInfo' : [ 0xa8, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0x118, ['unsigned long']], 'ObjectLocks' : [ 0x120, ['array', 32, ['_EX_PUSH_LOCK']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 
'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 
'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'RequestSummary' : [ 0x0, ['long long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'Virtual' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 
'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, 
['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xb0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 
0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x40, ['pointer64', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x48, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x50, ['unsigned long long']], 'SleepTime' : [ 0x58, ['unsigned long long']], 'SystemContext' : [ 0x60, ['_SYSTEM_POWER_STATE_CONTEXT']], 'FilteredCapabilities' : [ 0x64, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x40, { 'Link' : [ 0x0, 
['_LIST_ENTRY']], 'TargetDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x18, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x28, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x30, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x38, ['unsigned long']], 'ActiveChild' : [ 0x3c, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1cb0' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1cb2' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 
'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_1cb0']], 'Button' : [ 0x10, ['__unnamed_1cb2']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentSavepointing', 270: 'KEnlistmentAborting', 271: 'KEnlistmentReadOnly', 272: 'KEnlistmentOutcomeUnavailable', 273: 'KEnlistmentOffline', 274: 'KEnlistmentPrePrepared', 275: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 
'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0xb8, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x20, ['pointer64', ['void']]], 'EmInfFileSize' : [ 0x28, ['unsigned long']], 'TriageDumpBlock' : [ 0x30, ['pointer64', ['void']]], 'LoaderPagesSpanned' : [ 0x38, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x40, ['pointer64', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x48, ['pointer64', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x50, ['pointer64', ['void']]], 'DrvDBSize' : [ 0x58, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x60, ['pointer64', ['_NETWORK_LOADER_BLOCK']]], 'FirmwareDescriptorListHead' : [ 0x68, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x78, ['pointer64', ['void']]], 'AcpiTableSize' : [ 0x80, ['unsigned long']], 'BootViaWinload' : [ 0x84, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x84, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x88, ['pointer64', ['_LOADER_PERFORMANCE_DATA']]], 
'BootApplicationPersistentData' : [ 0x90, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0xa0, ['pointer64', ['void']]], 'BootIdentifier' : [ 0xa8, ['_GUID']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x3f8, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 
0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], 'StartAddress' : [ 0x28, ['pointer64', ['void']]], 'EndAddress' : [ 0x30, ['pointer64', ['void']]], 'Flags' : [ 0x38, ['unsigned long']], 'Signature' : [ 0x40, ['unsigned long long']], 'PoolPageHeaders' : [ 0x50, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x60, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x70, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x74, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x78, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x7c, ['unsigned long']], 'PagedBytes' : [ 0x80, ['unsigned long long']], 'NonPagedBytes' : [ 0x88, ['unsigned long long']], 'PeakPagedBytes' : [ 0x90, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x98, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 
0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : 
[ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 
'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x18, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer64', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0x10, ['pointer64', ['void']]], } ], '_PEB64' : [ 0x368, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 
0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned 
long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], } ], 
'_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_1d51' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1e00, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1d51']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x20, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x28, ['unsigned long long']], 'NonPagablePages' : [ 0x30, ['unsigned long long']], 'CommittedPages' : [ 0x38, ['unsigned long long']], 'PagedPoolStart' : [ 0x40, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x48, ['pointer64', ['void']]], 'SessionObject' : [ 0x50, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x58, ['pointer64', ['void']]], 'ResidentProcessCount' : [ 0x60, ['long']], 'ImageLoadingCount' : [ 0x64, ['long']], 'SessionPoolAllocationFailures' : [ 0x68, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachEvent' : [ 0x90, ['_KEVENT']], 'WsListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xc68, 
['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc70, ['pointer64', ['void']]], 'PagedPool' : [ 0xc78, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1cc0, ['_MMPTE']], 'SessionVaLock' : [ 0x1cc8, ['_KGUARDED_MUTEX']], 'DynamicVaBitMap' : [ 0x1d00, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1d10, ['unsigned long']], 'SpecialPool' : [ 0x1d18, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1d48, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1d80, ['long']], 'PagedPoolPdeCount' : [ 0x1d84, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1d88, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1d8c, ['unsigned long']], 'SessionPteFreeHead' : [ 0x1d90, ['_MMPTE']], 'SystemPteInfo' : [ 0x1d98, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1db8, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1dc0, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1dc8, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1dd0, ['unsigned long long']], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, 
native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', 
dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], 
'_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned long']], 'PagedPoolCommit' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['unsigned long long']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']], 'TargetAddress' : [ 0xa0, ['unsigned long long']], 'RequestorId' : [ 0xa8, ['unsigned long long']], 'ResponderId' : [ 0xb0, ['unsigned long 
long']], 'InstructionPointer' : [ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x30, { 'PteBase' : [ 0x0, ['pointer64', ['_MMPTE']]], 'FreePteHead' : [ 0x8, ['_MMPTE']], 'FreePteTail' : [ 0x10, ['_MMPTE']], 'PagesInUse' : [ 0x18, ['long long']], 'SpecialPoolPdes' : [ 0x20, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], 
'_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1dca' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1dcc' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 
0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1dca']], 'Merged' : [ 0x10, ['__unnamed_1dcc']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '__unnamed_1dd3' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1dd3']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14d5']], 'StartingSector' : [ 0x2c, ['unsigned 
long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'u1' : [ 0x38, ['__unnamed_1bd0']], 'LeftChild' : [ 0x40, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x48, ['pointer64', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x58, { 'GetTime' : [ 0x0, ['unsigned long long']], 'SetTime' : [ 0x8, ['unsigned long long']], 'GetWakeupTime' : [ 0x10, ['unsigned long long']], 'SetWakeupTime' : [ 0x18, ['unsigned long long']], 'SetVirtualAddressMap' : [ 0x20, ['unsigned long long']], 'ConvertPointer' : [ 0x28, ['unsigned long long']], 'GetVariable' : [ 0x30, ['unsigned long long']], 'GetNextVariableName' : [ 0x38, ['unsigned long long']], 'SetVariable' : [ 0x40, ['unsigned long long']], 'GetNextHighMonotonicCount' : [ 0x48, ['unsigned long long']], 'ResetSystem' : [ 0x50, ['unsigned long long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 
0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' 
: [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer64', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1de9' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_1ded' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x58, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'NonExtendedPtes' : [ 0xc, ['unsigned long']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'SegmentFlags' : [ 0x30, ['_SEGMENT_FLAGS']], 'u1' : [ 0x38, ['__unnamed_1de9']], 'u2' : [ 0x40, ['__unnamed_1ded']], 'PrototypePte' : [ 0x48, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x50, ['array', 1, ['_MMPTE']]], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x60, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, 
['_LIST_ENTRY']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_MMPFNLIST' : [ 0x20, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 
'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], } ], '_DEVOBJ_EXTENSION' : [ 0x50, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_WHEA_PCIX_BUS_VALIDATION_BITS' : [ 0x8, { 'ErrorStatusValid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ErrorTypeValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'BusIdValid' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 
'BusAddressValid' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusDataValid' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'CommandValid' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequestorIdValid' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterIdValid' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetIdValid' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', 
['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'EnableMask' : [ 0x1c, ['unsigned char']], 'ReplyQueue' : [ 0x20, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x20, ['array', 4, ['pointer64', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x40, ['pointer64', ['_EPROCESS']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'CallbackContext' : [ 0x48, ['pointer64', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 
'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0xc0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x40, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x50, ['unsigned long long']], 'Color' : [ 0x58, ['unsigned char']], 'Seed' : [ 0x59, ['unsigned char']], 'NodeNumber' : [ 0x5a, ['unsigned char']], 'Flags' : [ 0x5b, ['_flags']], 'MmShiftedColor' : [ 0x5c, ['unsigned long']], 'FreeCount' : [ 0x60, ['array', 2, ['unsigned long long']]], 'PfnDeferredList' : [ 0x70, ['pointer64', ['_SLIST_ENTRY']]], 'Right' : [ 0x78, ['unsigned long']], 'Left' : [ 0x7c, ['unsigned long']], 'CachedKernelStacks' : [ 0x80, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' 
: [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x2b8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x288, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x28c, ['long']], 'Pending' : [ 0x290, ['_LIST_ENTRY']], 'Status' : [ 0x2a0, ['long']], 'FailedDevice' : [ 0x2a8, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x2b0, ['unsigned char']], 'Cancelled' : [ 0x2b1, ['unsigned char']], 'IgnoreErrors' : [ 0x2b2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x2b3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x2b4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x8, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 
'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 63, native_type='unsigned long long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_TEB32' : [ 0xff8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, 
['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes1' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'SpareBool0' : [ 0xf74, ['unsigned char']], 'SpareBool1' : [ 0xf75, ['unsigned char']], 'SpareBool2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 
'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'DbgSafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, 
native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'ProcessRundown' : [ 0xfdc, ['unsigned long']], 'LastSwitchTime' : [ 0xfe0, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']], 'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x30, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 
0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x80, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long 
long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8168, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x803c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']], 'TotalReleases' : [ 0x8044, ['unsigned long']], 'RootNodesDeleted' : [ 0x8048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x804c, ['unsigned long']], 'Instigator' : [ 0x8050, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8058, ['unsigned long']], 'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x8160, ['unsigned long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x80, 
{ 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'PrepareUIEvent' : [ 0x28, ['_KEVENT']], 'PowerOnEvent' : [ 0x40, ['_KEVENT']], 'DoneEvent' : [ 0x58, ['_KEVENT']], 'WorkerQueued' : [ 0x70, ['unsigned long']], 'WorkerAbort' : [ 0x74, ['unsigned long']], 'NoResumeUI' : [ 0x78, ['unsigned long']], } ], '_KPCR' : [ 0x3ba0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KTM' : [ 0x380, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 
'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'TmRmHandle' : [ 0x298, ['pointer64', ['void']]], 'TmRm' : [ 0x2a0, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2a8, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c0, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e0, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2e8, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x308, ['_ERESOURCE']], 'LogFlags' : [ 0x370, ['unsigned long']], 'LogFullStatus' : [ 0x374, ['long']], 'RecoveryStatus' : [ 0x378, ['long']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x90, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 
'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '__unnamed_1e94' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_1e94']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_CONFIGURATION_COMPONENT' : [ 0x28, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 
'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer64', ['unsigned char']]], } ], '_KTRANSACTION' : [ 0x268, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionSavepointing', 12: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned 
long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'NextSavepoint' : [ 0x1fc, ['unsigned long']], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : 
[ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 
10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_1ecb' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_1ecb']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x18, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x28, ['pointer64', ['void']]], 'DosDeviceDriveIndex' : [ 0x30, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, 
native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 46, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 48, native_type='unsigned long long')]], 'Signature' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_PCIE_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 
'Buffer' : [ 0x8, ['unsigned long long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_WHEA_PCIX_DEV_VALIDATION_BITS' : [ 0x8, { 'ErrorStatusValid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfoValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumberValid' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumberValid' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'RegisterDataPairValid' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long long')]], } ], '_DEFERRED_WRITE' : [ 0x50, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], 'LimitModifiedPages' : [ 0x48, ['unsigned char']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 
'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1a, { 'PerUserPolicy' : [ 0x0, ['array', 26, ['unsigned char']]], } ], '__unnamed_1f1d' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_1f1f' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_1f23' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 
'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f27' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_1f29' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1f1d']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1f1f']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1f23']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_1f27']], 'Others' : [ 0x0, ['__unnamed_1f29']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0x158, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 
'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, ['unsigned long long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x18, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x38, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x48, ['unsigned long']], 'NextCloneRange' : [ 0x50, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x58, ['unsigned long long']], 'LoaderMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x68, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x70, ['unsigned long long']], 'IoPages' : [ 0x78, ['pointer64', ['void']]], 'CurrentMcb' : [ 0x80, ['pointer64', ['void']]], 'DumpStack' : [ 0x88, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x90, ['pointer64', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0x98, ['unsigned long long']], 'HiberPte' : [ 0xa0, ['_LARGE_INTEGER']], 'Status' : [ 0xa8, ['long']], 'MemoryImage' : [ 0xb0, ['pointer64', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0xb8, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0xc0, ['pointer64', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0xc8, ['pointer64', ['unsigned char']]], 'PerformanceStats' : [ 0xd0, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xd8, ['pointer64', ['void']]], 'DmaIO' : [ 0xe0, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0xe8, ['pointer64', ['void']]], 'PerfInfo' : [ 0xf0, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0x150, ['pointer64', ['_MDL']]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 
'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x28, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x8, ['unsigned long long']], 'Parameter2' : [ 0x10, ['unsigned long long']], 'Parameter3' : [ 0x18, ['unsigned long long']], 'Parameter4' : [ 0x20, ['unsigned long long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x4, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '__unnamed_1f51' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : 
[ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_1f51']], } ], '__unnamed_1f55' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_1f55']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0x128, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'TotalPages' : [ 
0x60, ['unsigned long long']], 'FirstTablePage' : [ 0x68, ['unsigned long long']], 'LastFilePage' : [ 0x70, ['unsigned long long']], 'PerfInfo' : [ 0x78, ['_PO_HIBER_PERF']], 'NoBootLoaderLogPages' : [ 0xd8, ['unsigned long']], 'BootLoaderLogPages' : [ 0xe0, ['array', 8, ['unsigned long long']]], 'TotalPhysicalMemoryCount' : [ 0x120, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, ['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 
0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x10, { 'Entry' : [ 0x0, ['unsigned long long']], 'Writable' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], 
'_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '__unnamed_1f74' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1f76' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f78' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f7a' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_1f7c' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1f7e' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f80' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1f82' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1f84' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f86' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 'Data' : [ 0x18, ['array', 1, 
['unsigned char']]], } ], '__unnamed_1f88' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1f74']], 'TargetDevice' : [ 0x0, ['__unnamed_1f76']], 'InstallDevice' : [ 0x0, ['__unnamed_1f78']], 'CustomNotification' : [ 0x0, ['__unnamed_1f7a']], 'ProfileNotification' : [ 0x0, ['__unnamed_1f7c']], 'PowerNotification' : [ 0x0, ['__unnamed_1f7e']], 'VetoNotification' : [ 0x0, ['__unnamed_1f80']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1f82']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1f84']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1f86']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_1f88']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x40, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0x10, ['pointer64', ['unsigned char']]], 'PciDeviceId' : [ 0x18, ['unsigned short']], 'PciVendorId' : [ 0x1a, ['unsigned short']], 'PciBusNumber' : [ 0x1c, ['unsigned char']], 'PciBusSegment' : [ 0x1e, ['unsigned short']], 'PciSlotNumber' : [ 0x20, ['unsigned char']], 'PciFunctionNumber' : [ 0x21, ['unsigned char']], 'PciFlags' : [ 0x24, ['unsigned long']], 'SystemGUID' : [ 0x28, ['_GUID']], 'IsMMIODevice' : [ 0x38, ['unsigned char']], 'TerminalType' : [ 
0x39, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0x10, ['_LIST_ENTRY']], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_1f9f' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_1fa1' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_1fa3' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_1f9f']], 'Gpt' : [ 0x0, ['__unnamed_1fa1']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_1fa3']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x20, { 'FirstFreePte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x8, ['pointer64', ['unsigned long']]], 'GlobalMutex' : [ 0x10, ['pointer64', ['_KGUARDED_MUTEX']]], 'TbFlushTimeStamp' : [ 0x18, ['unsigned long']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, 
['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x20, { 'DHCPServerACK' : [ 0x0, ['pointer64', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x8, ['unsigned long']], 'BootServerReplyPacket' : [ 0x10, ['pointer64', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0x18, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x250, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x20, { 'PageNo' : [ 0x0, ['unsigned long long']], 'StartPage' : [ 0x8, ['unsigned long long']], 'EndPage' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 
'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x18, { 'Next' : [ 0x0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x8, ['unsigned long long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'EntryCount' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', 
['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '__unnamed_1fda' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_1fde' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned 
short']], 'Bytes' : [ 0x4, ['__unnamed_1fda']], 'Bits' : [ 0x4, ['__unnamed_1fde']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/__init__.py0000644000000000000000000000000013131215405026453 0ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/vista_sp0_x86_vtypes.py0000644000000000000000000134265613131215405030776 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_1019' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1019']], 'QuadPart' : [ 0x0, 
['unsigned long long']], } ], '__unnamed_101e' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_101e']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_1037' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1039' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_1037']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x20, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_1039']], } ], '_TP_TASK_CALLBACKS' : [ 0x8, { 'ExecuteCallback' : [ 0x0, ['pointer', ['void']]], 'Unposted' : [ 0x4, ['pointer', ['void']]], } ], '_TP_TASK' : [ 0x4, { 'Callbacks' : [ 0x0, ['pointer', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x4, { 'Callback' : [ 0x0, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 
'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_KPRCB' : [ 0x1f98, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'CpuStepping' : [ 0x1a, ['unsigned char']], 'CpuModel' : [ 0x1b, ['unsigned char']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3bc, ['unsigned long']], 'PrcbPad0' : [ 0x3c0, ['array', 88, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 33, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x520, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x524, ['unsigned long']], 'KernelTime' : [ 0x528, ['unsigned long']], 'UserTime' : [ 0x52c, ['unsigned long']], 'DpcTime' : [ 0x530, ['unsigned long']], 'DpcTimeCount' : [ 0x534, ['unsigned long']], 'InterruptTime' : [ 0x538, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x53c, ['unsigned long']], 'PageColor' : [ 0x540, ['unsigned long']], 'SkipTick' : [ 0x544, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x545, ['unsigned char']], 'NodeColor' : [ 0x546, ['unsigned char']], 'PollSlot' : [ 0x547, ['unsigned char']], 'NodeShiftedColor' : [ 0x548, ['unsigned long']], 'ParentNode' : [ 0x54c, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x550, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x554, ['pointer', 
['_KPRCB']]], 'SecondaryColorMask' : [ 0x558, ['unsigned long']], 'DpcTimeLimit' : [ 0x55c, ['unsigned long']], 'CcFastReadNoWait' : [ 0x560, ['unsigned long']], 'CcFastReadWait' : [ 0x564, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x568, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x56c, ['unsigned long']], 'CcCopyReadWait' : [ 0x570, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x578, ['long']], 'IoReadOperationCount' : [ 0x57c, ['long']], 'IoWriteOperationCount' : [ 0x580, ['long']], 'IoOtherOperationCount' : [ 0x584, ['long']], 'IoReadTransferCount' : [ 0x588, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x590, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x598, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x5a0, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x5a4, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x5a8, ['unsigned long']], 'CcMapDataNoWait' : [ 0x5ac, ['unsigned long']], 'CcMapDataWait' : [ 0x5b0, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x5b4, ['unsigned long']], 'CcPinReadNoWait' : [ 0x5b8, ['unsigned long']], 'CcPinReadWait' : [ 0x5bc, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x5c0, ['unsigned long']], 'CcMdlReadWait' : [ 0x5c4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x5c8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x5cc, ['unsigned long']], 'CcLazyWritePages' : [ 0x5d0, ['unsigned long']], 'CcDataFlushes' : [ 0x5d4, ['unsigned long']], 'CcDataPages' : [ 0x5d8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x5dc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x5e0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x5e4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x5e8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x5ec, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x5f0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x5f4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x5f8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x5fc, ['unsigned long']], 
'CcMdlReadWaitMiss' : [ 0x600, ['unsigned long']], 'CcReadAheadIos' : [ 0x604, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x608, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x60c, ['unsigned long']], 'KeSystemCalls' : [ 0x610, ['unsigned long']], 'PrcbPad1' : [ 0x614, ['array', 3, ['unsigned long']]], 'PPLookasideList' : [ 0x620, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x6a0, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0xfa0, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x18a0, ['unsigned long']], 'ReverseStall' : [ 0x18a4, ['long']], 'IpiFrame' : [ 0x18a8, ['pointer', ['void']]], 'PrcbPad2' : [ 0x18ac, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x18e0, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x18ec, ['unsigned long']], 'WorkerRoutine' : [ 0x18f0, ['pointer', ['void']]], 'IpiFrozen' : [ 0x18f4, ['unsigned long']], 'PrcbPad3' : [ 0x18f8, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x1920, ['unsigned long']], 'SignalDone' : [ 0x1924, ['pointer', ['_KPRCB']]], 'PrcbPad4' : [ 0x1928, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x1960, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1988, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x198c, ['long']], 'DpcRequestRate' : [ 0x1990, ['unsigned long']], 'MinimumDpcRate' : [ 0x1994, ['unsigned long']], 'DpcInterruptRequested' : [ 0x1998, ['unsigned char']], 'DpcThreadRequested' : [ 0x1999, ['unsigned char']], 'DpcRoutineActive' : [ 0x199a, ['unsigned char']], 'DpcThreadActive' : [ 0x199b, ['unsigned char']], 'PrcbLock' : [ 0x199c, ['unsigned long']], 'DpcLastCount' : [ 0x19a0, ['unsigned long']], 'TimerHand' : [ 0x19a4, ['unsigned long']], 'TimerRequest' : [ 0x19a8, ['unsigned long']], 'PrcbPad41' : [ 0x19ac, ['pointer', ['void']]], 'DpcEvent' : [ 0x19b0, ['_KEVENT']], 'ThreadDpcEnable' : [ 0x19c0, ['unsigned char']], 'QuantumEnd' : [ 0x19c1, ['unsigned char']], 'PrcbPad50' : [ 0x19c2, 
['unsigned char']], 'IdleSchedule' : [ 0x19c3, ['unsigned char']], 'DpcSetEventRequest' : [ 0x19c4, ['long']], 'Sleeping' : [ 0x19c8, ['long']], 'PeriodicCount' : [ 0x19cc, ['unsigned long']], 'PeriodicBias' : [ 0x19d0, ['unsigned long']], 'PrcbPad5' : [ 0x19d4, ['array', 6, ['unsigned char']]], 'TickOffset' : [ 0x19dc, ['long']], 'CallDpc' : [ 0x19e0, ['_KDPC']], 'ClockKeepAlive' : [ 0x1a00, ['long']], 'ClockCheckSlot' : [ 0x1a04, ['unsigned char']], 'ClockPollCycle' : [ 0x1a05, ['unsigned char']], 'PrcbPad6' : [ 0x1a06, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x1a08, ['long']], 'DpcWatchdogCount' : [ 0x1a0c, ['long']], 'ThreadWatchdogPeriod' : [ 0x1a10, ['long']], 'ThreadWatchdogCount' : [ 0x1a14, ['long']], 'PrcbPad70' : [ 0x1a18, ['array', 2, ['unsigned long']]], 'WaitListHead' : [ 0x1a20, ['_LIST_ENTRY']], 'WaitLock' : [ 0x1a28, ['unsigned long']], 'ReadySummary' : [ 0x1a2c, ['unsigned long']], 'QueueIndex' : [ 0x1a30, ['unsigned long']], 'DeferredReadyListHead' : [ 0x1a34, ['_SINGLE_LIST_ENTRY']], 'StartCycles' : [ 0x1a38, ['unsigned long long']], 'CycleTime' : [ 0x1a40, ['unsigned long long']], 'PrcbPad71' : [ 0x1a48, ['array', 3, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x1a60, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x1b60, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x1b64, ['long']], 'MmPageFaultCount' : [ 0x1b68, ['long']], 'MmCopyOnWriteCount' : [ 0x1b6c, ['long']], 'MmTransitionCount' : [ 0x1b70, ['long']], 'MmCacheTransitionCount' : [ 0x1b74, ['long']], 'MmDemandZeroCount' : [ 0x1b78, ['long']], 'MmPageReadCount' : [ 0x1b7c, ['long']], 'MmPageReadIoCount' : [ 0x1b80, ['long']], 'MmCacheReadCount' : [ 0x1b84, ['long']], 'MmCacheIoCount' : [ 0x1b88, ['long']], 'MmDirtyPagesWriteCount' : [ 0x1b8c, ['long']], 'MmDirtyWriteIoCount' : [ 0x1b90, ['long']], 'MmMappedPagesWriteCount' : [ 0x1b94, ['long']], 'MmMappedWriteIoCount' : [ 0x1b98, ['long']], 'CachedCommit' : [ 0x1b9c, ['unsigned long']], 
'CachedResidentAvailable' : [ 0x1ba0, ['unsigned long']], 'HyperPte' : [ 0x1ba4, ['pointer', ['void']]], 'CpuVendor' : [ 0x1ba8, ['unsigned char']], 'PrcbPad9' : [ 0x1ba9, ['array', 3, ['unsigned char']]], 'VendorString' : [ 0x1bac, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x1bb9, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x1bba, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x1bbb, ['unsigned char']], 'MHz' : [ 0x1bbc, ['unsigned long']], 'FeatureBits' : [ 0x1bc0, ['unsigned long']], 'UpdateSignature' : [ 0x1bc8, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x1bd0, ['unsigned long long']], 'SpareField1' : [ 0x1bd8, ['unsigned long long']], 'NpxSaveArea' : [ 0x1be0, ['_FX_SAVE_AREA']], 'PowerState' : [ 0x1df0, ['_PROCESSOR_POWER_STATE']], 'DpcWatchdogDpc' : [ 0x1ed0, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x1ef0, ['_KTIMER']], 'WheaInfo' : [ 0x1f18, ['pointer', ['void']]], 'EtwSupport' : [ 0x1f1c, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x1f20, ['_SLIST_HEADER']], 'HypercallPagePhysical' : [ 0x1f28, ['_LARGE_INTEGER']], 'HypercallPageVirtual' : [ 0x1f30, ['pointer', ['void']]], 'RateControl' : [ 0x1f34, ['pointer', ['void']]], 'Cache' : [ 0x1f38, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x1f74, ['unsigned long']], 'CacheProcessorMask' : [ 0x1f78, ['array', 5, ['unsigned long']]], 'LogicalProcessorsPerCore' : [ 0x1f8c, ['unsigned char']], 'PrcbPad8' : [ 0x1f8d, ['array', 3, ['unsigned char']]], 'PackageProcessorSet' : [ 0x1f90, ['unsigned long']], 'CoreProcessorSet' : [ 0x1f94, ['unsigned long']], } ], '_KPCR' : [ 0x20b8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : 
[ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x1e0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 
'CycleTime' : [ 0x10, ['unsigned long long']], 'HighCycleTime' : [ 0x18, ['unsigned long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer', ['void']]], 'StackLimit' : [ 0x2c, ['pointer', ['void']]], 'KernelStack' : [ 0x30, ['pointer', ['void']]], 'ThreadLock' : [ 0x34, ['unsigned long']], 'ApcState' : [ 0x38, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x38, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x4f, ['unsigned char']], 'NextProcessor' : [ 0x50, ['unsigned short']], 'DeferredProcessor' : [ 0x52, ['unsigned short']], 'ApcQueueLock' : [ 0x54, ['unsigned long']], 'ContextSwitches' : [ 0x58, ['unsigned long']], 'State' : [ 0x5c, ['unsigned char']], 'NpxState' : [ 0x5d, ['unsigned char']], 'WaitIrql' : [ 0x5e, ['unsigned char']], 'WaitMode' : [ 0x5f, ['unsigned char']], 'WaitStatus' : [ 0x60, ['long']], 'WaitBlockList' : [ 0x64, ['pointer', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x64, ['pointer', ['_KGATE']]], 'KernelStackResident' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x68, ['long']], 'WaitReason' : [ 0x6c, ['unsigned char']], 'SwapBusy' : [ 0x6d, ['unsigned char']], 'Alerted' : [ 0x6e, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x70, 
['_LIST_ENTRY']], 'SwapListEntry' : [ 0x70, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x78, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x7c, ['unsigned long']], 'KernelApcDisable' : [ 0x80, ['short']], 'SpecialApcDisable' : [ 0x82, ['short']], 'CombinedApcDisable' : [ 0x80, ['unsigned long']], 'Teb' : [ 0x84, ['pointer', ['void']]], 'Timer' : [ 0x88, ['_KTIMER']], 'TimerFill' : [ 0x88, ['array', 40, ['unsigned char']]], 'AutoAlignment' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xb0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xb0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xb0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CycleChargePending' : [ 0xb0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xb0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xb0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xb0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xb0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb0, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xb0, ['long']], 'WaitBlock' : [ 0xb8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xb8, ['array', 23, ['unsigned char']]], 'IdealProcessor' : [ 0xcf, ['unsigned char']], 'WaitBlockFill1' : [ 0xb8, ['array', 47, ['unsigned char']]], 'PreviousMode' : [ 0xe7, ['unsigned char']], 'WaitBlockFill2' : [ 0xb8, ['array', 71, ['unsigned char']]], 'ResourceIndex' : [ 0xff, ['unsigned char']], 'WaitBlockFill3' : [ 0xb8, ['array', 95, ['unsigned char']]], 'LargeStack' : [ 0x117, ['unsigned 
char']], 'QueueListEntry' : [ 0x118, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x120, ['pointer', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x124, ['pointer', ['void']]], 'CallbackStack' : [ 0x128, ['pointer', ['void']]], 'CallbackDepth' : [ 0x128, ['unsigned long']], 'ServiceTable' : [ 0x12c, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x130, ['unsigned char']], 'BasePriority' : [ 0x131, ['unsigned char']], 'PriorityDecrement' : [ 0x132, ['unsigned char']], 'Preempted' : [ 0x133, ['unsigned char']], 'AdjustReason' : [ 0x134, ['unsigned char']], 'AdjustIncrement' : [ 0x135, ['unsigned char']], 'Spare01' : [ 0x136, ['unsigned char']], 'Saturation' : [ 0x137, ['unsigned char']], 'SystemCallNumber' : [ 0x138, ['unsigned long']], 'Spare02' : [ 0x13c, ['unsigned long']], 'UserAffinity' : [ 0x140, ['unsigned long']], 'Process' : [ 0x144, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x148, ['unsigned long']], 'ApcStatePointer' : [ 0x14c, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x154, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x154, ['array', 23, ['unsigned char']]], 'FreezeCount' : [ 0x16b, ['unsigned char']], 'SuspendCount' : [ 0x16c, ['unsigned char']], 'UserIdealProcessor' : [ 0x16d, ['unsigned char']], 'Spare03' : [ 0x16e, ['unsigned char']], 'Iopl' : [ 0x16f, ['unsigned char']], 'Win32Thread' : [ 0x170, ['pointer', ['void']]], 'StackBase' : [ 0x174, ['pointer', ['void']]], 'SuspendApc' : [ 0x178, ['_KAPC']], 'SuspendApcFill0' : [ 0x178, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x179, ['unsigned char']], 'SuspendApcFill1' : [ 0x178, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x17b, ['unsigned char']], 'SuspendApcFill2' : [ 0x178, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x17c, ['unsigned long']], 'SuspendApcFill3' : [ 0x178, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x19c, ['pointer', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x178, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1a0, ['pointer', ['void']]], 
'SuspendApcFill5' : [ 0x178, ['array', 47, ['unsigned char']]], 'PowerState' : [ 0x1a7, ['unsigned char']], 'UserTime' : [ 0x1a8, ['unsigned long']], 'SuspendSemaphore' : [ 0x1ac, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x1ac, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1c0, ['unsigned long']], 'ThreadListEntry' : [ 0x1c4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1cc, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1d4, ['pointer', ['void']]], 'MdlForLockedTeb' : [ 0x1d8, ['pointer', ['void']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, 
native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_ETHREAD' : [ 0x288, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1e0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x1e8, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x1e8, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1f0, ['long']], 'OfsChain' : [ 0x1f0, ['pointer', ['void']]], 'PostBlockList' : [ 0x1f4, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x1f4, ['pointer', ['void']]], 'StartAddress' : [ 0x1f8, ['pointer', ['void']]], 'TerminationPort' : [ 0x1fc, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1fc, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1fc, ['pointer', ['void']]], 'Win32StartParameter' : [ 0x1fc, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x200, ['unsigned long']], 'ActiveTimerListHead' : [ 0x204, ['_LIST_ENTRY']], 'Cid' : [ 0x20c, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x228, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x22c, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x234, ['unsigned long']], 'DeviceToVerify' : [ 0x238, ['pointer', ['_DEVICE_OBJECT']]], 'RateControlApc' : [ 0x23c, ['pointer', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x240, ['pointer', ['void']]], 'SparePtr0' : [ 0x244, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x248, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x250, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x254, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x258, ['unsigned long']], 'MmLockOrdering' : [ 0x25c, ['long']], 'CrossThreadFlags' : [ 0x260, ['unsigned long']], 'Terminated' : [ 0x260, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x260, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x260, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x260, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x260, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x260, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x260, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x260, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x260, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x260, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x260, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x260, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x260, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x264, ['unsigned long']], 'ActiveExWorker' : [ 0x264, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x264, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x264, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x264, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x264, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x264, 
['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x264, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x268, ['unsigned long']], 'Spare' : [ 0x268, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x268, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x268, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x269, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x269, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x269, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x269, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x269, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x269, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x269, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 
'OwnsChangeControlAreaShared' : [ 0x269, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x26a, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'CacheManagerActive' : [ 0x26c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x26d, ['unsigned char']], 'ActiveFaultCount' : [ 0x26e, ['unsigned char']], 'AlpcMessageId' : [ 0x270, ['unsigned long']], 'AlpcMessage' : [ 0x274, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x274, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x278, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x280, ['unsigned long']], } ], '_EPROCESS' : [ 0x270, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x88, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x90, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x98, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x9c, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xa0, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xa8, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0xb4, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xc0, ['unsigned long']], 'PeakVirtualSize' : [ 0xc4, ['unsigned long']], 'VirtualSize' : [ 0xc8, ['unsigned long']], 'SessionProcessLinks' : [ 0xcc, ['_LIST_ENTRY']], 'DebugPort' : [ 0xd4, ['pointer', ['void']]], 'ExceptionPortData' : [ 0xd8, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xd8, ['unsigned long']], 'ExceptionPortState' : [ 0xd8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'ObjectTable' : [ 0xdc, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xe0, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xe4, ['unsigned long']], 'AddressCreationLock' : [ 0xe8, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0xec, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0xf0, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0xf4, ['unsigned long']], 'PhysicalVadRoot' : [ 0xf8, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0xfc, ['pointer', 
['void']]], 'NumberOfPrivatePages' : [ 0x100, ['unsigned long']], 'NumberOfLockedPages' : [ 0x104, ['unsigned long']], 'Win32Process' : [ 0x108, ['pointer', ['void']]], 'Job' : [ 0x10c, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x110, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x114, ['pointer', ['void']]], 'QuotaBlock' : [ 0x118, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x11c, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x120, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x124, ['pointer', ['void']]], 'LdtInformation' : [ 0x128, ['pointer', ['void']]], 'VadFreeHint' : [ 0x12c, ['pointer', ['void']]], 'VdmObjects' : [ 0x130, ['pointer', ['void']]], 'DeviceMap' : [ 0x134, ['pointer', ['void']]], 'EtwDataSource' : [ 0x138, ['pointer', ['void']]], 'FreeTebHint' : [ 0x13c, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x140, ['_HARDWARE_PTE']], 'Filler' : [ 0x140, ['unsigned long long']], 'Session' : [ 0x148, ['pointer', ['void']]], 'ImageFileName' : [ 0x14c, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x15c, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x164, ['pointer', ['void']]], 'ThreadListHead' : [ 0x168, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x170, ['pointer', ['void']]], 'PaeTop' : [ 0x174, ['pointer', ['void']]], 'ActiveThreads' : [ 0x178, ['unsigned long']], 'ImagePathHash' : [ 0x17c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x180, ['unsigned long']], 'LastThreadExitStatus' : [ 0x184, ['long']], 'Peb' : [ 0x188, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x18c, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x190, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x198, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1a0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1a8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1c0, ['unsigned long']], 'CommitChargePeak' : [ 0x1c4, ['unsigned 
long']], 'AweInfo' : [ 0x1c8, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1cc, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1d0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x218, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x220, ['unsigned long']], 'Flags2' : [ 0x224, ['unsigned long']], 'JobNotReallyActive' : [ 0x224, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x224, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x224, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x224, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x224, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x224, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x224, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x224, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x224, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x224, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x224, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x224, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x224, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x224, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x224, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x224, 
['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Flags' : [ 0x228, ['unsigned long']], 'CreateReported' : [ 0x228, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x228, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x228, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x228, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x228, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x228, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x228, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x228, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x228, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x228, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x228, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x228, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x228, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x228, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x228, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x228, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x228, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x228, ['BitField', 
dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x228, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x228, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x228, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x228, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x228, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x228, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x228, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x228, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x228, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'SparePsFlags1' : [ 0x228, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x22c, ['long']], 'Spare7' : [ 0x230, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x232, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x233, ['unsigned char']], 'SubSystemVersion' : [ 0x232, ['unsigned short']], 'PriorityClass' : [ 0x234, ['unsigned char']], 'VadRoot' : [ 0x238, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x258, ['unsigned long']], 'AlpcContext' : [ 0x25c, ['_ALPC_PROCESS_CONTEXT']], } ], '__unnamed_11f4' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_11f9' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_11fb' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_11f9']], 
'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_1206' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1208' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_1206']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_11f4']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_11fb']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_1208']], } ], '__unnamed_120e' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1212' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 
'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1216' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_1218' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_121c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 
'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_121e' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_1220' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 
'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], } ], '__unnamed_1222' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 
'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1224' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1226' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_122a' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_122c' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_122f' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1231' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1233' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 
'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_1235' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1239' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_123d' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1241' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1245' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_124c' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1250' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1254' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1256' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_1258' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_125c' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1260' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 
'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1264' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1268' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_126c' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1274' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1278' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_127a' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_127c' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], 
'__unnamed_127e' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_120e']], 'CreatePipe' : [ 0x0, ['__unnamed_1212']], 'CreateMailslot' : [ 0x0, ['__unnamed_1216']], 'Read' : [ 0x0, ['__unnamed_1218']], 'Write' : [ 0x0, ['__unnamed_1218']], 'QueryDirectory' : [ 0x0, ['__unnamed_121c']], 'NotifyDirectory' : [ 0x0, ['__unnamed_121e']], 'QueryFile' : [ 0x0, ['__unnamed_1220']], 'SetFile' : [ 0x0, ['__unnamed_1222']], 'QueryEa' : [ 0x0, ['__unnamed_1224']], 'SetEa' : [ 0x0, ['__unnamed_1226']], 'QueryVolume' : [ 0x0, ['__unnamed_122a']], 'SetVolume' : [ 0x0, ['__unnamed_122a']], 'FileSystemControl' : [ 0x0, ['__unnamed_122c']], 'LockControl' : [ 0x0, ['__unnamed_122f']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1231']], 'QuerySecurity' : [ 0x0, ['__unnamed_1233']], 'SetSecurity' : [ 0x0, ['__unnamed_1235']], 'MountVolume' : [ 0x0, ['__unnamed_1239']], 'VerifyVolume' : [ 0x0, ['__unnamed_1239']], 'Scsi' : [ 0x0, ['__unnamed_123d']], 'QueryQuota' : [ 0x0, ['__unnamed_1241']], 'SetQuota' : [ 0x0, ['__unnamed_1226']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1245']], 'QueryInterface' : [ 0x0, ['__unnamed_124c']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1250']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1254']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1256']], 'SetLock' : [ 0x0, ['__unnamed_1258']], 'QueryId' : [ 0x0, ['__unnamed_125c']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1260']], 'UsageNotification' : [ 0x0, ['__unnamed_1264']], 'WaitWake' : [ 0x0, ['__unnamed_1268']], 'PowerSequence' : [ 0x0, ['__unnamed_126c']], 'Power' : [ 0x0, ['__unnamed_1274']], 'StartDevice' : [ 0x0, ['__unnamed_1278']], 'WMI' : [ 0x0, ['__unnamed_127a']], 'Others' : [ 0x0, ['__unnamed_127c']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_127e']], 'DeviceObject' : [ 0x14, ['pointer', 
['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, 
['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, 
['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_PF_HARD_FAULT_INFO' : [ 0x30, { 'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']], 'HardFaultEvent' : [ 0x10, ['_PERFINFO_HARDPAGEFAULT_INFORMATION']], 'IoTimeInTicks' : [ 0x28, ['_LARGE_INTEGER']], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' 
: [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xd0, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x88, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['unsigned short']], 'ValidationBits' : [ 0xa, ['unsigned char']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '__unnamed_1332' : [ 0xd0, { 'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']], 'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']], 'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']], 'PciExpressError' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR']], 'PciXBusError' : [ 0x0, ['_WHEA_PCIX_BUS_ERROR']], 'PciXDeviceError' : [ 0x0, ['_WHEA_PCIX_DEVICE_ERROR']], } ], '_WHEA_ERROR_PACKET' : [ 0x119, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'RawDataLength' : [ 0x10, ['unsigned long long']], 'Context' : [ 0x18, ['unsigned long long']], 'ErrorType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice'})]], 'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ErrorSourceId' : [ 0x28, ['unsigned long']], 'ErrorSourceType' : [ 0x2c, ['Enumeration', 
dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeOther', 6: 'WheaErrSrcTypeMax'})]], 'Reserved1' : [ 0x30, ['unsigned long']], 'Version' : [ 0x34, ['unsigned long']], 'Cpu' : [ 0x38, ['unsigned long long']], 'u' : [ 0x40, ['__unnamed_1332']], 'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrorStatusFormatIPFSalRecord', 1: 'WheaErrorStatusFormatIA32MCA', 2: 'WheaErrorStatusFormatEM64TMCA', 3: 'WheaErrorStatusFormatAMD64MCA', 4: 'WheaErrorStatusFormatPCIExpress', 5: 'WheaErrorStatusFormatNMIPort', 6: 'WheaErrorStatusFormatOther', 7: 'WheaErrorStatusFormatMax'})]], 'Reserved2' : [ 0x114, ['unsigned long']], 'RawData' : [ 0x118, ['array', 1, ['unsigned char']]], } ], '_KPROCESS' : [ 0x80, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'Unused0' : [ 0x1c, ['unsigned long']], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Iopl' : [ 0x32, ['unsigned char']], 'Unused' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'AutoAlignment' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x60, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x60, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x60, ['BitField', dict(start_bit = 3, 
end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x60, ['long']], 'BasePriority' : [ 0x64, ['unsigned char']], 'QuantumReset' : [ 0x65, ['unsigned char']], 'State' : [ 0x66, ['unsigned char']], 'ThreadSeed' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'IdealNode' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], 'StackCount' : [ 0x6c, ['unsigned long']], 'ProcessListEntry' : [ 0x70, ['_LIST_ENTRY']], 'CycleTime' : [ 0x78, ['unsigned long long']], } ], '__unnamed_13e7' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'VolatileLong' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_13e7']], } ], '_PTE_QUEUE_POINTER' : [ 0x8, { 'PointerPte' : [ 0x0, ['long']], 'TimeStamp' : [ 0x4, ['long']], 'Data' : [ 0x0, ['long long']], } ], '__unnamed_13ff' : [ 0xc, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0x7c, { 'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x8, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x10, ['_LIST_ENTRY']], 'KernelStack' : [ 0x18, ['unsigned long']], 'Prcb' : [ 0x1c, ['unsigned long']], 'Process' : [ 0x20, ['unsigned long']], 'Thread' : [ 0x24, ['unsigned long']], 'RegistryLength' : [ 0x28, ['unsigned long']], 'RegistryBase' : [ 0x2c, ['pointer', ['void']]], 'ConfigurationRoot' : [ 0x30, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x34, ['pointer', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x38, ['pointer', ['unsigned char']]], 'NtBootPathName' 
: [ 0x3c, ['pointer', ['unsigned char']]], 'NtHalPathName' : [ 0x40, ['pointer', ['unsigned char']]], 'LoadOptions' : [ 0x44, ['pointer', ['unsigned char']]], 'NlsData' : [ 0x48, ['pointer', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x4c, ['pointer', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0x50, ['pointer', ['void']]], 'SetupLoaderBlock' : [ 0x54, ['pointer', ['_SETUP_LOADER_BLOCK']]], 'Extension' : [ 0x58, ['pointer', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0x5c, ['__unnamed_13ff']], 'FirmwareInformation' : [ 0x68, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '__unnamed_1423' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_1423']], } ], '_MMWSL' : [ 0x6a8, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x14, ['pointer', ['void']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NextEstimationSlot' : [ 0x1c, ['unsigned long']], 'NextAgingSlot' : [ 0x20, ['unsigned long']], 'EstimatedAvailable' : [ 0x24, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x28, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x2c, ['unsigned long']], 'VadBitMapHint' : [ 0x30, ['unsigned long']], 'NonDirectCount' : [ 0x34, ['unsigned long']], 'NonDirectHash' : [ 0x38, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x3c, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x40, ['pointer', ['_MMWSLE_HASH']]], 'HighestUserAddress' : [ 0x44, ['pointer', ['void']]], 'UsedPageTableEntries' : [ 0x48, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x648, ['array', 24, ['unsigned long']]], } ], '_MMSUPPORT' : [ 0x48, { 'WorkingSetExpansionLinks' : [ 0x0, 
['_LIST_ENTRY']], 'LastTrimStamp' : [ 0x8, ['unsigned short']], 'NextPageColor' : [ 0xa, ['unsigned short']], 'Flags' : [ 0xc, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x10, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x14, ['unsigned long']], 'Spare0' : [ 0x18, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x1c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x20, ['unsigned long']], 'VmWorkingSetList' : [ 0x24, ['pointer', ['_MMWSL']]], 'Claim' : [ 0x28, ['unsigned long']], 'Spare' : [ 0x2c, ['array', 1, ['unsigned long']]], 'WorkingSetPrivateSize' : [ 0x30, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x34, ['unsigned long']], 'WorkingSetSize' : [ 0x38, ['unsigned long']], 'ExitEvent' : [ 0x3c, ['pointer', ['_KEVENT']]], 'WorkingSetMutex' : [ 0x40, ['_EX_PUSH_LOCK']], 'AccessLog' : [ 0x44, ['pointer', ['void']]], } ], '__unnamed_1445' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1447' : [ 0x4, { 'ModifiedWriteCount' : [ 0x0, ['unsigned short']], 'FlushInProgressCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_1449' : [ 0x4, { 'e2' : [ 0x0, ['__unnamed_1447']], } ], '__unnamed_1455' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1457' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_1455']], } ], '_CONTROL_AREA' : [ 
0x48, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_1445']], 'u1' : [ 0x20, ['__unnamed_1449']], 'FilePointer' : [ 0x24, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x28, ['long']], 'StartingFrame' : [ 0x2c, ['unsigned long']], 'WaitingForDeletion' : [ 0x30, ['pointer', ['_MI_SECTION_CREATION_EVENT']]], 'u2' : [ 0x34, ['__unnamed_1457']], 'LockedPages' : [ 0x40, ['long long']], } ], '__unnamed_1463' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1465' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_1468' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_146a' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ByteFlags' : [ 0x2, ['unsigned char']], 'InterlockedByteFlags' : [ 0x3, ['unsigned char']], } ], '__unnamed_146c' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1468']], 'e3' : [ 0x0, ['__unnamed_146a']], } ], '__unnamed_1471' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 
26, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1463']], 'u2' : [ 0x4, ['__unnamed_1465']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'u3' : [ 0xc, ['__unnamed_146c']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_1471']], } ], '_MMPAGING_FILE' : [ 0x50, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'File' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x1c, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x24, ['_UNICODE_STRING']], 'Bitmap' : [ 0x2c, ['pointer', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x30, ['unsigned long']], 'LastAllocationSize' : [ 0x34, ['unsigned long']], 'PageFileNumber' : [ 0x38, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x38, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x38, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x3a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x3a, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x3c, ['pointer', ['void']]], 'AvailableList' : [ 0x40, ['_SLIST_HEADER']], 'NeedProcessingList' : [ 0x48, ['_SLIST_HEADER']], } ], '_MMPAGING_FILE_FREE_ENTRY' : [ 0x8, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'FreeBit' : [ 0x4, ['unsigned long']], } ], 
'_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '__unnamed_14a3' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_14a6' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_14a9' : [ 0x4, { 'LongFlags3' : [ 0x0, ['unsigned long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x20, { 'u1' : [ 0x0, ['__unnamed_14a3']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a6']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a9']], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '__unnamed_14b3' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_14a3']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a6']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a9']], 'u2' : [ 0x20, ['__unnamed_14b3']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x24, ['pointer', ['_MSUBSECTION']]], 
'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], } ], '_MI_COLOR_BASE' : [ 0x8, { 'ColorPointer' : [ 0x0, ['pointer', ['unsigned short']]], 'ColorMask' : [ 0x4, ['unsigned short']], 'ColorNode' : [ 0x6, ['unsigned short']], } ], '__unnamed_14c5' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_14c5']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '__unnamed_14ca' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_14ca']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], '__unnamed_14d0' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], 'NextToFree' : [ 0x0, ['pointer', ['_MI_PER_SESSION_PROTOS']]], } ], '__unnamed_14d2' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x1c, { 'u1' : [ 0x0, ['__unnamed_14d0']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'SessionId' : [ 0xc, ['unsigned long']], 'StartingVpn' : [ 0xc, ['unsigned long']], 'Subsection' : 
[ 0xc, ['pointer', ['_SUBSECTION']]], 'EndingVpn' : [ 0x10, ['unsigned long']], 'SubsectionBase' : [ 0x14, ['pointer', ['_MMPTE']]], 'u2' : [ 0x18, ['__unnamed_14d2']], } ], '__unnamed_14db' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_14dd' : [ 0x4, { 'LastPageToWrite' : [ 0x0, ['unsigned long']], 'KeepForever' : [ 0x0, ['unsigned long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_14db']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['__unnamed_14dd']], 'PagingFile' : [ 0x18, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x20, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x24, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x28, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x30, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x38, ['pointer', ['_MDL']]], 'Mdl' : [ 0x3c, ['_MDL']], 'Page' : [ 0x58, ['array', 1, ['unsigned long']]], } ], '__unnamed_14e5' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x40, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x14, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x18, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x1c, ['unsigned long']], 'MdlHack' : [ 0x20, ['__unnamed_14e5']], } ], '_HHIVE' : [ 0x2e8, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 
0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'BaseBlockAlloc' : [ 0x38, ['unsigned long']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 'ReadOnly' : [ 0x41, ['unsigned char']], 'DirtyFlag' : [ 0x42, ['unsigned char']], 'HvBinHeadersUse' : [ 0x44, ['unsigned long']], 'HvFreeCellsUse' : [ 0x48, ['unsigned long']], 'HvUsedCellsUse' : [ 0x4c, ['unsigned long']], 'CmUsedCellsUse' : [ 0x50, ['unsigned long']], 'HiveFlags' : [ 0x54, ['unsigned long']], 'CurrentLog' : [ 0x58, ['unsigned long']], 'LogSize' : [ 0x5c, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x64, ['unsigned long']], 'StorageTypeCount' : [ 0x68, ['unsigned long']], 'Version' : [ 0x6c, ['unsigned long']], 'Storage' : [ 0x70, ['array', 2, ['_DUAL']]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_CM_VIEW_OF_FILE' : [ 0x30, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'CmHive' : [ 0x18, ['pointer', ['_CMHIVE']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'ViewAddress' : [ 0x20, ['pointer', ['void']]], 'FileOffset' : [ 0x24, ['unsigned long']], 'Size' : [ 0x28, ['unsigned long']], 'UseCount' : [ 0x2c, ['unsigned long']], } ], '_TEB' : [ 0xff8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned 
long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', 
['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'EtwLocalData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'SpareBool0' : [ 0xf74, ['unsigned char']], 'SpareBool1' : [ 0xf75, ['unsigned char']], 'SpareBool2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'DbgSafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 
0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'ProcessRundown' : [ 0xfdc, ['unsigned long']], 'LastSwitchTime' : [ 0xfe0, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']], 'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 
'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'SpareByte' : [ 0x17, ['unsigned char']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x10, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x8, ['_ULARGE_INTEGER']], } ], '__unnamed_15bd' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_PROCESSOR_POWER_STATE' : [ 0xe0, { 'IdleFunction' : [ 0x0, ['pointer', ['void']]], 'IdleStates' : [ 0x4, ['pointer', ['PPM_IDLE_STATES']]], 'LastTimeCheck' : [ 0x8, ['unsigned long long']], 'LastIdleTime' : [ 0x10, ['unsigned long long']], 'IdleTimes' : [ 0x18, ['PROCESSOR_IDLE_TIMES']], 'IdleAccounting' : [ 0x38, ['pointer', ['PPM_IDLE_ACCOUNTING']]], 'PerfStates' : [ 0x3c, ['pointer', ['PPM_PERF_STATES']]], 'LastKernelUserTime' : [ 0x40, ['unsigned long']], 'LastIdleThreadKTime' : [ 0x44, ['unsigned long']], 'LastGlobalTimeHv' : [ 0x48, ['unsigned long long']], 'LastProcessorTimeHv' : [ 0x50, ['unsigned long long']], 'ThermalConstraint' : [ 0x58, ['unsigned char']], 'LastBusyPercentage' : [ 0x59, ['unsigned char']], 'Flags' : [ 0x5a, ['__unnamed_15bd']], 'PerfTimer' : [ 0x60, ['_KTIMER']], 'PerfDpc' : [ 0x88, ['_KDPC']], 'LastSysTime' : [ 0xa8, ['unsigned long']], 'PStateMaster' : [ 0xac, ['pointer', ['_KPRCB']]], 'PStateSet' : [ 0xb0, ['unsigned long']], 'CurrentPState' : [ 0xb4, ['unsigned long']], 'Reserved0' : [ 0xb8, ['unsigned 
long']], 'DesiredPState' : [ 0xbc, ['unsigned long']], 'Reserved1' : [ 0xc0, ['unsigned long']], 'PStateIdleStartTime' : [ 0xc4, ['unsigned long']], 'PStateIdleTime' : [ 0xc8, ['unsigned long']], 'LastPStateIdleTime' : [ 0xcc, ['unsigned long']], 'PStateStartTime' : [ 0xd0, ['unsigned long']], 'WmiDispatchPtr' : [ 0xd4, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xd8, ['long']], } ], '__unnamed_15c4' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_15c4']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], '_KERNEL_STACK_CONTROL' : [ 0x1c, { 'PreviousTrapFrame' : [ 0x0, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0x0, ['pointer', ['void']]], 'StackControlFlags' : [ 0x4, ['unsigned long']], 'PreviousLargeStack' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousSegmentsPresent' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExpandCalloutStack' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Previous' : [ 0x8, ['_KERNEL_STACK_SEGMENT']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'SpinLock' : [ 0x0, ['unsigned long']], 'DispatchedCount' : [ 0x4, ['unsigned long']], 'DispatchedList' : [ 0x8, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x10, ['_KSEMAPHORE']], 'CompletedList' : [ 0x24, ['_LIST_ENTRY']], } ], '__unnamed_15ed' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 
0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_15ed']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '__unnamed_15ff' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1601' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1605' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x158, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x38, ['_PO_IRP_MANAGER']], 'State' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 
'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x50, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 
'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xa0, ['unsigned long']], 'CompletionStatus' : [ 0xa4, ['long']], 'PendingIrp' : [ 0xa8, ['pointer', ['_IRP']]], 'Flags' : [ 0xac, ['unsigned long']], 'UserFlags' : [ 0xb0, ['unsigned long']], 'Problem' : [ 0xb4, ['unsigned long']], 'PhysicalDeviceObject' : [ 0xb8, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0xbc, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xc0, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0xc4, ['_UNICODE_STRING']], 'ServiceName' : [ 0xcc, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xd4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xd8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xdc, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xe0, ['unsigned long']], 'ChildInterfaceType' : [ 0xe4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xe8, ['unsigned long']], 'ChildBusTypeIndex' : [ 0xec, ['unsigned short']], 'RemovalPolicy' : [ 0xee, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xef, ['unsigned char']], 'TargetDeviceNotify' : [ 0xf0, ['_LIST_ENTRY']], 
'DeviceArbiterList' : [ 0xf8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x100, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x108, ['unsigned short']], 'QueryTranslatorMask' : [ 0x10a, ['unsigned short']], 'NoArbiterMask' : [ 0x10c, ['unsigned short']], 'QueryArbiterMask' : [ 0x10e, ['unsigned short']], 'OverUsed1' : [ 0x110, ['__unnamed_15ff']], 'OverUsed2' : [ 0x114, ['__unnamed_1601']], 'BootResources' : [ 0x118, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x120, ['unsigned long']], 'DockInfo' : [ 0x124, ['__unnamed_1605']], 'DisableableDepends' : [ 0x134, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x138, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x140, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x148, ['unsigned long']], 'PreviousParent' : [ 0x14c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x150, ['unsigned long']], 'NumaNodeIndex' : [ 0x154, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, 
['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 
'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, 
['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_16aa' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, 
['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16aa']], } ], '__unnamed_16b1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 
'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16b1']], } ], '_VOLUME_CACHE_MAP' : [ 0x18, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x140, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', 
['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x130, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x134, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x138, ['unsigned long']], 'MappedWritesInProgress' : [ 0x13c, ['unsigned long']], } ], '__unnamed_16f2' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_16f2']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x18, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1700' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1702' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1704' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1706' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1708' : [ 0x4, { 'Read' : [ 0x0, ['__unnamed_1700']], 'Write' : [ 0x0, ['__unnamed_1702']], 'Event' : [ 0x0, ['__unnamed_1704']], 'Notification' : [ 0x0, ['__unnamed_1706']], } ], '_WORK_QUEUE_ENTRY' : [ 0x18, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x8, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, 
['__unnamed_1708']], 'Function' : [ 0x14, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x130, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x58, ['unsigned long']], 'Interceptor' : [ 0x5c, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x60, ['unsigned long']], 'Signature' : [ 0x64, ['unsigned long']], 'SegmentReserve' : [ 0x68, ['unsigned long']], 'SegmentCommit' : [ 0x6c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x70, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x74, ['unsigned long']], 
'TotalFreeSize' : [ 0x78, ['unsigned long']], 'MaximumAllocationSize' : [ 0x7c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x80, ['unsigned short']], 'HeaderValidateLength' : [ 0x82, ['unsigned short']], 'HeaderValidateCopy' : [ 0x84, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x88, ['unsigned short']], 'MaximumTagIndex' : [ 0x8a, ['unsigned short']], 'TagEntries' : [ 0x8c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x90, ['_LIST_ENTRY']], 'AlignRound' : [ 0x98, ['unsigned long']], 'AlignMask' : [ 0x9c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0xa0, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa8, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xb0, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb4, ['unsigned long']], 'BlocksIndex' : [ 0xb8, ['pointer', ['void']]], 'UCRIndex' : [ 0xbc, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xc0, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc4, ['_LIST_ENTRY']], 'LockVariable' : [ 0xcc, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xd0, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'Counters' : [ 0xdc, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x124, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned 
long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x68, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 
0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], 'ForwarderLinks' : [ 0x50, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0x58, ['_LIST_ENTRY']], 'StaticLinks' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'LocalInfo' : [ 0x0, ['pointer', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'Flags' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : 
[ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x270, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer', ['void']]], 'LoggerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x10, ['long']], 'LoggerId' : [ 0x14, ['unsigned long']], 'NBQHead' : [ 0x18, ['pointer', ['void']]], 'OverflowNBQHead' : [ 0x1c, ['pointer', ['void']]], 'QueueBlockFreeList' : [ 0x20, ['_SLIST_HEADER']], 'GlobalList' : [ 0x28, ['_SLIST_HEADER']], 'LoggerName' : [ 0x30, ['_UNICODE_STRING']], 'LogFileName' : [ 0x38, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x40, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x48, ['_UNICODE_STRING']], 'ClockType' : [ 0x50, ['unsigned long']], 'CollectionOn' : [ 0x54, ['long']], 'MaximumFileSize' : [ 0x58, ['unsigned long']], 'LoggerMode' : [ 0x5c, ['unsigned long']], 'LastFlushedBuffer' : [ 0x60, ['unsigned long']], 'FlushTimer' : [ 0x64, ['unsigned long']], 'ByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0x70, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x78, ['unsigned long']], 'BuffersAvailable' : [ 0x7c, ['long']], 'NumberOfBuffers' : [ 0x80, ['long']], 'MaximumBuffers' : [ 0x84, ['unsigned long']], 'EventsLost' : [ 0x88, ['unsigned long']], 'BuffersWritten' : [ 0x8c, ['unsigned long']], 'LogBuffersLost' : [ 0x90, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x94, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x98, ['unsigned long']], 'BufferSize' : [ 0x9c, ['unsigned long']], 'MaximumEventSize' : [ 0xa0, ['unsigned long']], 'SequencePtr' : [ 0xa4, ['pointer', ['long']]], 'LocalSequence' : [ 0xa8, ['unsigned long']], 'InstanceGuid' : [ 0xac, ['_GUID']], 'GetCpuClock' : [ 0xbc, ['pointer', ['void']]], 'FileCounter' : [ 0xc0, ['long']], 'BufferCallback' : [ 0xc4, ['pointer', ['void']]], 'PoolType' : [ 0xc8, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 
'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xd0, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0xe0, ['unsigned char']], 'Consumers' : [ 0xe4, ['_LIST_ENTRY']], 'NumConsumers' : [ 0xec, ['unsigned long']], 'Connecting' : [ 0xf0, ['_LIST_ENTRY']], 'NewConsumer' : [ 0xf8, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0xfc, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x100, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x108, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x110, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x120, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x128, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x130, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x140, ['unsigned long']], 'RealtimeDisconnectConsumerId' : [ 0x144, ['unsigned long']], 'NewRTEventsLost' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x14c, ['_KEVENT']], 'FlushEvent' : [ 0x15c, ['_KEVENT']], 'FlushDpc' : [ 0x16c, ['_KDPC']], 'LoggerMutex' : [ 0x18c, ['_KMUTANT']], 'ClientSecurityContext' : [ 0x1ac, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x1e8, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x1f0, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x238, ['long long']], 'AcceptNewEvents' : [ 0x240, ['long']], 'Flags' : [ 0x244, ['unsigned long']], 'Persistent' : [ 0x244, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x244, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'FsReady' : [ 0x244, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x244, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x244, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x244, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x244, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x248, ['unsigned long']], 'RequestNewFie' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 0x24c, ['unsigned short']], 'StackTraceFilter' : [ 0x24e, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Spare0' : [ 0x20, ['unsigned long']], 'Spare1' : [ 0x24, ['unsigned long']], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Flags' : [ 0x2c, 
['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'SlistEntry' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x38, ['pointer', ['_WMI_BUFFER_HEADER']]], 'GlobalEntry' : [ 0x3c, ['_SINGLE_LIST_ENTRY']], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_GUID_ENTRY' : [ 0x158, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LegacyEnableContext' : [ 0x28, ['_TRACE_ENABLE_CONTEXT']], 'LegacyProviderEnabled' : [ 0x30, ['unsigned long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 
'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x1e8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x98, ['pointer', ['void']]], 'DynamicPart' : [ 0x9c, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa0, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa4, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xac, ['unsigned long']], 'TokenInUse' : [ 0xb0, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb4, ['unsigned long']], 'MandatoryPolicy' : [ 0xb8, ['unsigned long']], 'ProxyData' : [ 0xbc, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xc0, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xc4, 
['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc8, ['_LUID']], 'SidHash' : [ 0xd0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x158, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x1e0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x34, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_MMVAD_FLAGS3' : [ 0x4, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : 
[ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, 
['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Abandoned' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 
'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x48, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'CompactHeapCalls' : [ 0x38, ['unsigned long']], 'CompactedUCRs' : [ 0x3c, ['unsigned long']], 'InBlockDeccommits' : [ 0x40, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x44, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 
'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x18, { 'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']], 'VirtualAddress' : [ 0x8, ['pointer', ['void']]], 'FileObject' : [ 0xc, ['pointer', ['void']]], 'ThreadId' : [ 0x10, ['unsigned long']], 'ByteCount' : [ 0x14, ['unsigned long']], } ], '_I386_LOADER_BLOCK' : [ 0xc, { 'CommonDataArea' : [ 0x0, ['pointer', ['void']]], 'MachineType' : [ 0x4, ['unsigned long']], 'VirtualBias' : [ 0x8, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x8, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_WHEA_NMI_ERROR' : [ 0x8, { 'Data' : [ 0x0, ['array', 8, ['unsigned char']]], } ], '_HANDLE_TABLE' : [ 0x38, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x18, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x1c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 
0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'StrictFIFO' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x28, ['long']], 'LastFreeHandleEntry' : [ 0x2c, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x30, ['long']], 'NextHandleNeedingPool' : [ 0x34, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_CANCEL_GLOBALS' : [ 0x6c, { 'CancelLock' : [ 0x0, ['unsigned long']], 'IssueLock' : [ 0x4, ['unsigned long']], 'Counters' : [ 0x8, ['array', 25, ['long']]], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' 
: [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_CM_KEY_BODY' : [ 0x30, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'KeyBodyLock' : [ 0x24, ['_EX_PUSH_LOCK']], 'ContextListHead' : [ 0x28, ['_LIST_ENTRY']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_THERMAL_INFORMATION_EX' : [ 0x50, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], } ], '__unnamed_188f' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned 
long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1891' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_188f']], 'Private' : [ 0x0, ['__unnamed_1891']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x20, { 
'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_CMHIVE' : [ 0x5d0, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2e8, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x300, ['_LIST_ENTRY']], 'HiveList' : [ 0x308, ['_LIST_ENTRY']], 'HiveLock' : [ 0x310, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x314, ['pointer', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x318, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x31c, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x320, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x324, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x32c, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x334, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x33c, ['unsigned short']], 'PinnedViewCount' : [ 0x33e, ['unsigned short']], 'UseCount' : [ 0x340, ['unsigned long']], 'ViewsPerHive' : [ 0x344, ['unsigned long']], 'FileObject' : [ 0x348, ['pointer', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x34c, ['unsigned long']], 'ActualFileSize' : [ 0x350, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x358, ['_UNICODE_STRING']], 'FileUserName' : [ 0x360, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x368, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x370, ['unsigned long']], 'SecurityCacheSize' : [ 0x374, ['unsigned long']], 'SecurityHitHint' : [ 0x378, ['long']], 'SecurityCache' : [ 0x37c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x380, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x580, ['unsigned long']], 'UnloadEventArray' : [ 0x584, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x588, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x58c, ['unsigned char']], 'UnloadWorkItem' : [ 0x590, ['pointer', ['_CM_WORKITEM']]], 'GrowOnlyMode' : [ 0x594, ['unsigned char']], 'GrowOffset' : [ 0x598, ['unsigned long']], 'KcbConvertListHead' : [ 0x59c, 
['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x5a4, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x5ac, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x5b0, ['unsigned long']], 'TrustClassEntry' : [ 0x5b4, ['_LIST_ENTRY']], 'FlushCount' : [ 0x5bc, ['unsigned long']], 'CmRm' : [ 0x5c0, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x5c4, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x5c8, ['long']], 'CreatorOwner' : [ 0x5cc, ['pointer', ['_KTHREAD']]], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], 'ReferenceCount' : [ 0x8, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '__unnamed_18b9' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_18bf' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x3c, { 'u1' : [ 0x0, ['__unnamed_14a3']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a6']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a9']], 'u2' : [ 0x20, ['__unnamed_14b3']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'u3' : [ 0x30, ['__unnamed_18b9']], 'u4' : [ 0x38, ['__unnamed_18bf']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_EJOB' : [ 0x128, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'AccessState' : [ 0xb0, ['pointer', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0xb4, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xb8, ['unsigned long']], 'CompletionPort' : [ 0xbc, ['pointer', ['void']]], 'CompletionKey' : [ 0xc0, ['pointer', ['void']]], 'SessionId' : [ 0xc4, ['unsigned long']], 'SchedulingClass' : [ 0xc8, ['unsigned long']], 'ReadOperationCount' : [ 0xd0, ['unsigned 
long long']], 'WriteOperationCount' : [ 0xd8, ['unsigned long long']], 'OtherOperationCount' : [ 0xe0, ['unsigned long long']], 'ReadTransferCount' : [ 0xe8, ['unsigned long long']], 'WriteTransferCount' : [ 0xf0, ['unsigned long long']], 'OtherTransferCount' : [ 0xf8, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x100, ['unsigned long']], 'JobMemoryLimit' : [ 0x104, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x108, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x10c, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x110, ['unsigned long']], 'MemoryLimitsLock' : [ 0x114, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x118, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x120, ['unsigned long']], 'JobFlags' : [ 0x124, ['unsigned long']], } ], '__unnamed_18ce' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], 'PPM_IDLE_STATES' : [ 0x3c, { 'Type' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['__unnamed_18ce']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['array', 1, ['PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x238, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['pointer', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'HotpatchInformation' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : 
[ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 
0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], } ], '__unnamed_18e8' : [ 0x10, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x14, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, ['__unnamed_18e8']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '__unnamed_18ef' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_18f5' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, 
end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_18f7' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_18ef']], 'Bits' : [ 0x0, ['__unnamed_18f5']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_18f7']], } ], '_POOL_DESCRIPTOR' : [ 0x1034, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['long']], 'RunningDeAllocs' : [ 0xc, ['long']], 'TotalPages' : [ 0x10, ['long']], 'TotalBigPages' : [ 0x14, ['long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['pointer', ['void']]]], 'ThreadsProcessingDeferrals' : [ 0x24, ['long']], 'PendingFreeDepth' : [ 0x28, ['long']], 'TotalBytes' : [ 0x2c, ['unsigned long']], 'Spare0' : [ 0x30, ['unsigned long']], 'ListHeads' : [ 0x34, ['array', 512, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x88, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['unsigned short']], 'Reserved1' : [ 0x6, ['unsigned short']], 'Reserved2' : [ 0x8, ['unsigned short']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 
'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ValidationBits' : [ 0x10, ['unsigned long']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_LARGE_INTEGER']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['unsigned long']], 'PersistenceInfo' : [ 0x70, ['_WHEA_PERSISTENCE_INFO']], 'Reserved3' : [ 0x78, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x270, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, 
['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned char']], 'ShareVector' : [ 0x35, ['unsigned char']], 'Mode' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x40, ['unsigned long']], 'DispatchCount' : [ 0x44, ['unsigned long']], 'Rsvd1' : [ 0x48, ['unsigned long long']], 'DispatchCode' : [ 0x50, ['array', 135, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x20, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned 
short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmHive2' : [ 0x18, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x1c, ['unsigned char']], 'ThreadStarted' : [ 0x1d, ['unsigned char']], 'Allocate' : [ 0x1e, ['unsigned char']], 'WinPERequired' : [ 0x1f, ['unsigned char']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'StackTrace' : [ 0x4, ['array', 63, ['pointer', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned 
char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WHEA_PCIX_BUS_ERROR' : [ 0x48, { 'ValidationBits' : [ 0x0, ['_WHEA_PCIX_BUS_VALIDATION_BITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['unsigned short']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['unsigned long long']], 'BusRequestorId' : [ 0x30, ['unsigned long long']], 'BusCompleterId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_PEB_FREE_BLOCK' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned 
long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, 
end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '__unnamed_1969' : [ 0x18, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x18, { 'Lock' : [ 0x0, ['__unnamed_1969']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 
8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned char']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x28, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0xc, { 'AnsiCodePageData' : [ 0x0, ['pointer', ['void']]], 'OemCodePageData' : [ 0x4, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x8, ['pointer', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x90, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', 
dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x38, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x48, ['pointer', ['void']]], 'KcbLastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x58, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x5a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x5c, ['unsigned long']], 'KcbUserFlags' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x60, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x60, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x60, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x64, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0x6c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x70, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x78, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x80, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x88, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x8c, ['pointer', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = 
{0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], 
'_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned 
long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_19f1' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], 'PPM_PERF_STATES' : [ 0x68, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'MaxPerfState' : [ 0x8, ['unsigned long']], 'MinPerfState' : [ 0xc, ['unsigned long']], 'LowestPState' : [ 0x10, ['unsigned long']], 'IncreaseTime' : [ 0x14, ['unsigned long']], 'DecreaseTime' : [ 0x18, ['unsigned long']], 'BusyAdjThreshold' : [ 0x1c, ['unsigned char']], 'Reserved' : [ 0x1d, ['unsigned char']], 'ThrottleStatesOnly' 
: [ 0x1e, ['unsigned char']], 'PolicyType' : [ 0x1f, ['unsigned char']], 'TimerInterval' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['__unnamed_19f1']], 'TargetProcessors' : [ 0x28, ['unsigned long']], 'PStateHandler' : [ 0x2c, ['pointer', ['void']]], 'PStateContext' : [ 0x30, ['unsigned long']], 'TStateHandler' : [ 0x34, ['pointer', ['void']]], 'TStateContext' : [ 0x38, ['unsigned long']], 'FeedbackHandler' : [ 0x3c, ['pointer', ['void']]], 'State' : [ 0x40, ['array', 1, ['PPM_PERF_STATE']]], } ], 'PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], 'PPM_IDLE_STATE' : [ 0x20, { 'IdleHandler' : [ 0x0, ['pointer', ['void']]], 'Context' : [ 0x4, ['unsigned long']], 'Latency' : [ 0x8, ['unsigned long']], 'Power' : [ 0xc, ['unsigned long']], 'TimeCheck' : [ 0x10, ['unsigned long']], 'StateFlags' : [ 0x14, ['unsigned long']], 'PromotePercent' : [ 0x18, ['unsigned char']], 'DemotePercent' : [ 0x19, ['unsigned char']], 'PromotePercentBase' : [ 0x1a, ['unsigned char']], 'DemotePercentBase' : [ 0x1b, ['unsigned char']], 'StateType' : [ 0x1c, ['unsigned char']], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long 
long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 
0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_WHEA_PCIX_DEVICE_ERROR' : [ 0x68, { 'ValidationBits' : [ 0x0, ['_WHEA_PCIX_DEV_VALIDATION_BITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, ['array', 16, ['unsigned char']]], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, ['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 64, ['unsigned char']]], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned 
long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x28, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'SegmentFlags' : [ 0x20, ['_SEGMENT_FLAGS']], 'LastSubsectionHint' : [ 0x24, ['pointer', ['_MSUBSECTION']]], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 
'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1a49' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1a49']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x5e8, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 
0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'Extension' : [ 0x94, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x98, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x9c, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa0, ['pointer', ['void']]], 'PdoDescriptionString' : [ 0xa4, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x344, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x5e4, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_WHEA_MEMORY_ERROR' : [ 0x50, { 'ValidationBits' : [ 0x0, ['unsigned long long']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 
'BitPosition' : [ 0x2e, ['unsigned short']], 'RequestorId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 
'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ab2' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ab8' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 'IrqPolicyAllProcessorsInMachine', 4: 
'IrqPolicySpecifiedProcessors', 5: 'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1aba' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1abc' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1abe' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1ac0' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ac2' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ac4' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ac6' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ac8' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1ab2']], 'Memory' : [ 0x0, ['__unnamed_1ab2']], 'Interrupt' : [ 0x0, ['__unnamed_1ab8']], 'Dma' : [ 0x0, ['__unnamed_1aba']], 'Generic' : [ 0x0, ['__unnamed_1ab2']], 'DevicePrivate' : [ 0x0, ['__unnamed_1abc']], 'BusNumber' : [ 0x0, ['__unnamed_1abe']], 'ConfigData' : [ 0x0, ['__unnamed_1ac0']], 'Memory40' : [ 0x0, ['__unnamed_1ac2']], 'Memory48' : [ 0x0, ['__unnamed_1ac4']], 'Memory64' : [ 0x0, ['__unnamed_1ac6']], } ], 
'_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1ac8']], } ], '_POP_THERMAL_ZONE' : [ 0xd8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x80, ['pointer', ['_IRP']]], 'Info' : [ 0x84, ['_THERMAL_INFORMATION_EX']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 
0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 8, ['pointer', ['_CMHIVE']]]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', 
['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1b, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1a, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 
'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '__unnamed_1b06' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1b06']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned 
long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x14, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], 'ActualLimit' : [ 0x10, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : 
[ 0x10, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, 
['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_MI_SECTION_CREATION_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_SECTION_CREATION_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '__unnamed_1b3c' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1b3e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b3c']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1b40' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1b42' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1b40']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1b3e']], 'u2' : [ 0x4, ['__unnamed_1b42']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], 
'_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x10, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x4, ['pointer', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x8, ['long']], 'MissedMappingsCount' : [ 0xc, ['unsigned long']], } ], '__unnamed_1b6d' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b6f' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b71' : [ 0xc, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], 
'__unnamed_1b73' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_1b71']], 'Translated' : [ 0x0, ['__unnamed_1b6f']], } ], '__unnamed_1b75' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b77' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b79' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b7b' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b7d' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b7f' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b81' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1b6d']], 'Port' : [ 0x0, ['__unnamed_1b6d']], 'Interrupt' : [ 0x0, ['__unnamed_1b6f']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1b73']], 'Memory' : [ 0x0, ['__unnamed_1b6d']], 'Dma' : [ 0x0, ['__unnamed_1b75']], 'DevicePrivate' : [ 0x0, ['__unnamed_1abc']], 'BusNumber' : [ 0x0, ['__unnamed_1b77']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1b79']], 'Memory40' : [ 0x0, ['__unnamed_1b7b']], 'Memory48' : [ 0x0, ['__unnamed_1b7d']], 'Memory64' : [ 0x0, ['__unnamed_1b7f']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1b81']], } ], '__unnamed_1b86' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1b86']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' 
: [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned 
long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 0x3a8, ['unsigned long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1b9a' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 
'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1b9a']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x34, { 'Parent' : [ 0x0, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x4, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x8, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0xc, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x30, ['pointer', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ba4' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x18, { 'u' : [ 0x0, ['__unnamed_14ca']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['__unnamed_1ba4']], 'LeftChild' : [ 0x10, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x14, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x50, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x10, ['_LIST_ENTRY']], 'DeviceType' : [ 0x18, ['unsigned char']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x20, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x28, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x30, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x44, ['_LIST_ENTRY']], 'PreviousIdleCount' : [ 0x4c, ['unsigned long']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, 
['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 
'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentSavepointing', 270: 'KEnlistmentAborting', 271: 'KEnlistmentReadOnly', 272: 'KEnlistmentOutcomeUnavailable', 273: 'KEnlistmentOffline', 274: 'KEnlistmentPrePrepared', 275: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned 
long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' 
: [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : [ 0x10, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x1c, { 'InterceptorFunction' : [ 0x0, ['pointer', ['void']]], 'InterceptorValue' : [ 0x4, ['unsigned short']], 'ExtendedOptions' : [ 0x8, ['unsigned long']], 'StackTraceDepth' : [ 0xc, ['unsigned long']], 'MinTotalBlockSize' : [ 0x10, ['unsigned long']], 'MaxTotalBlockSize' : [ 0x14, ['unsigned long']], 'HeapLeakEnumerationRoutine' : [ 0x18, ['pointer', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidationBits' : [ 0x0, ['unsigned long long']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PciExpressEndpoint', 1: 'PciExpressLegacyEndpoint', 4: 'PciExpressRootPort', 5: 'PciExpressUpstreamSwitchPort', 6: 'PciExpressDownstreamSwitchPort', 7: 'PciExpressToPciXBridge', 8: 'PciXToExpressBridge', 9: 'PciExpressRootComplexIntegratedEndpoint', 10: 
'PciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['unsigned long']], 'CommandStatus' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_PCIE_DEVICE_ID']], 'DeviceSN' : [ 0x28, ['unsigned long long']], 'BridgeCtrlSts' : [ 0x30, ['unsigned long']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'Reserved' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 
'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x130, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x38, ['_LIST_ENTRY']], 'Name' : [ 0x40, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x48, ['pointer', ['void']]], 'Index' : [ 0x4c, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x50, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x54, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x58, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x5c, ['unsigned long']], 'TypeInfo' : [ 0x60, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0xac, ['unsigned long']], 'ObjectLocks' : [ 0xb0, ['array', 32, ['_EX_PUSH_LOCK']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x4c, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, 
['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x2c, ['pointer', ['void']]], 'OpenProcedure' : [ 0x30, ['pointer', ['void']]], 'CloseProcedure' : [ 0x34, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x38, ['pointer', ['void']]], 'ParseProcedure' : [ 0x3c, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x40, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x44, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x48, ['pointer', ['void']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 
'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_KDPC' : 
[ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xa0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x38, 
['pointer', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x3c, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'SystemContext' : [ 0x50, ['_SYSTEM_POWER_STATE_CONTEXT']], 'FilteredCapabilities' : [ 0x54, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x24, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0xc, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x14, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x18, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x1c, ['unsigned long']], 'ActiveChild' : [ 0x20, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1c7e' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1c80' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_1c7e']], 'Button' : [ 0xc, ['__unnamed_1c80']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentSavepointing', 270: 'KEnlistmentAborting', 271: 'KEnlistmentReadOnly', 272: 'KEnlistmentOutcomeUnavailable', 273: 'KEnlistmentOffline', 274: 'KEnlistmentPrePrepared', 275: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : 
[ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0x7c, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x1c, ['pointer', ['void']]], 'EmInfFileSize' : [ 0x20, ['unsigned long']], 'TriageDumpBlock' 
: [ 0x24, ['pointer', ['void']]], 'LoaderPagesSpanned' : [ 0x28, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x2c, ['pointer', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x30, ['pointer', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x34, ['pointer', ['void']]], 'DrvDBSize' : [ 0x38, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x3c, ['pointer', ['_NETWORK_LOADER_BLOCK']]], 'HalpIRQLToTPR' : [ 0x40, ['pointer', ['unsigned char']]], 'HalpVectorToIRQL' : [ 0x44, ['pointer', ['unsigned char']]], 'FirmwareDescriptorListHead' : [ 0x48, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x50, ['pointer', ['void']]], 'AcpiTableSize' : [ 0x54, ['unsigned long']], 'BootViaWinload' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x5c, ['pointer', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x60, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x68, ['pointer', ['void']]], 'BootIdentifier' : [ 0x6c, ['_GUID']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', 
['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x294, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'PoolPageHeaders' : [ 0x28, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x30, ['_SLIST_HEADER']], 
'CurrentPagedPoolAllocations' : [ 0x38, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x3c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PagedBytes' : [ 0x48, ['unsigned long']], 'NonPagedBytes' : [ 0x4c, ['unsigned long']], 'PeakPagedBytes' : [ 0x50, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x54, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, 
['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 
0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x10, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0xc, ['pointer', ['void']]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_1d17' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1e80, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1d17']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'SessionObject' : [ 0x34, ['pointer', ['void']]], 
'SessionObjectHandle' : [ 0x38, ['pointer', ['void']]], 'ResidentProcessCount' : [ 0x3c, ['long']], 'ImageLoadingCount' : [ 0x40, ['long']], 'SessionPoolAllocationFailures' : [ 0x44, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x54, ['_LIST_ENTRY']], 'LocaleId' : [ 0x5c, ['unsigned long']], 'AttachCount' : [ 0x60, ['unsigned long']], 'AttachEvent' : [ 0x64, ['_KEVENT']], 'WsListEntry' : [ 0x74, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 25, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd00, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xd38, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xd70, ['_MMSUPPORT']], 'Wsle' : [ 0xdb8, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xdbc, ['pointer', ['void']]], 'PagedPool' : [ 0xdc0, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1df4, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1df8, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1e10, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1e30, ['long']], 'PagedPoolPdeCount' : [ 0x1e34, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1e38, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1e3c, ['unsigned long']], 'SessionPteFreeHead' : [ 0x1e40, ['_MMPTE']], 'SystemPteInfo' : [ 0x1e44, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1e54, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1e58, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1e5c, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1e60, ['unsigned long']], 'SessionPoolPdes' : [ 0x1e64, ['_RTL_BITMAP']], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 
'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, 
native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['unsigned long long']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']], 'TargetAddress' : [ 0xa0, ['unsigned long long']], 'RequestorId' : 
[ 0xa8, ['unsigned long long']], 'ResponderId' : [ 0xb0, ['unsigned long long']], 'InstructionPointer' : [ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x18, { 'PteBase' : [ 0x0, ['pointer', ['_MMPTE']]], 'FreePteHead' : [ 0x4, ['_MMPTE']], 'FreePteTail' : [ 0x8, ['_MMPTE']], 'PagesInUse' : [ 0xc, ['long']], 'SpecialPoolPdes' : [ 0x10, ['_RTL_BITMAP']], } 
], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned 
char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x10, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1d8f' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1d91' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1d8f']], 'Merged' : [ 0x10, ['__unnamed_1d91']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '__unnamed_1d96' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1d96']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 
'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_14ca']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_1ba4']], 'LeftChild' : [ 0x24, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x28, ['pointer', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x2c, { 'GetTime' : [ 0x0, ['unsigned long']], 'SetTime' : [ 0x4, ['unsigned long']], 'GetWakeupTime' : [ 0x8, ['unsigned long']], 'SetWakeupTime' : [ 0xc, ['unsigned long']], 'SetVirtualAddressMap' : [ 0x10, ['unsigned long']], 'ConvertPointer' : [ 0x14, ['unsigned long']], 'GetVariable' : [ 0x18, ['unsigned long']], 'GetNextVariableName' : [ 0x1c, ['unsigned long']], 'SetVariable' : [ 0x20, ['unsigned long']], 'GetNextHighMonotonicCount' : [ 0x24, ['unsigned long']], 'ResetSystem' : [ 0x28, ['unsigned long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, 
['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1dac' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_1db0' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'SegmentFlags' : [ 0x20, ['_SEGMENT_FLAGS']], 'u1' : [ 0x24, ['__unnamed_1dac']], 'u2' : [ 0x28, ['__unnamed_1db0']], 'PrototypePte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, 
['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_MMPFNLIST' : [ 
0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '_DEVOBJ_EXTENSION' : [ 0x2c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_WHEA_PCIX_BUS_VALIDATION_BITS' : [ 0x8, { 'ErrorStatusValid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ErrorTypeValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'BusIdValid' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned 
long long')]], 'BusAddressValid' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusDataValid' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'CommandValid' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequestorIdValid' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterIdValid' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetIdValid' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', 
['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x2c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'EnableMask' : [ 0x10, ['unsigned char']], 'ReplyQueue' : [ 0x14, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x14, ['array', 4, ['pointer', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x24, ['pointer', ['_EPROCESS']]], 'Callback' : [ 0x24, ['pointer', ['void']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, 
['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0x80, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x20, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x28, ['unsigned long']], 'Color' : [ 0x2c, ['unsigned char']], 'Seed' : [ 0x2d, ['unsigned char']], 'NodeNumber' : [ 0x2e, ['unsigned char']], 'Flags' : [ 0x2f, ['_flags']], 'MmShiftedColor' : [ 0x30, ['unsigned long']], 'FreeCount' : [ 0x34, ['array', 2, ['unsigned long']]], 'PfnDeferredList' : [ 0x3c, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'CachedKernelStacks' : [ 0x40, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, 
['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x188, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x1c, ['unsigned char']], 'Order' : [ 0x20, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x168, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x16c, ['long']], 'Pending' : [ 0x170, ['_LIST_ENTRY']], 'Status' : [ 0x178, ['long']], 'FailedDevice' : [ 0x17c, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x180, ['unsigned char']], 'Cancelled' : [ 0x181, ['unsigned char']], 'IgnoreErrors' : [ 0x182, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x183, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x184, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 
'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 32, native_type='unsigned long')]], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, 
['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x70, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 
0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x403c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 
'CacheReductionInProgress' : [ 0x40d8, ['unsigned long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x50, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'PrepareUIEvent' : [ 0x14, ['_KEVENT']], 'PowerOnEvent' : [ 0x24, ['_KEVENT']], 'DoneEvent' : [ 0x34, ['_KEVENT']], 'WorkerQueued' : [ 0x44, ['unsigned long']], 'WorkerAbort' : [ 0x48, ['unsigned long']], 'NoResumeUI' : [ 0x4c, ['unsigned long']], } ], '_KTM' : [ 0x210, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'TmRmHandle' : [ 0x188, ['pointer', ['void']]], 'TmRm' : [ 0x18c, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x190, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a0, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b0, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1b8, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1c8, ['_ERESOURCE']], 'LogFlags' : [ 0x200, ['unsigned long']], 'LogFullStatus' : [ 0x204, ['long']], 'RecoveryStatus' : [ 0x208, ['long']], 
} ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '__unnamed_1e42' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1e42']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_CONFIGURATION_COMPONENT' : [ 0x24, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 
'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer', ['unsigned char']]], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1a8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, 
['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionSavepointing', 12: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'NextSavepoint' : [ 
0x13c, ['unsigned long']], 'Tm' : [ 0x140, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x148, ['long long']], 'TransactionHistory' : [ 0x150, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x1a0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 
'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned 
long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_1e7a' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x68, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_1e7a']], 'StackTrace' : [ 0x28, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x48, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, 
['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, 
['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 46, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 48, native_type='unsigned long long')]], 'Signature' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x34, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_PCIE_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 
0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_WHEA_PCIX_DEV_VALIDATION_BITS' : [ 0x8, { 'ErrorStatusValid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfoValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumberValid' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumberValid' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'RegisterDataPairValid' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long long')]], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, 
['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 
0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1a, { 'PerUserPolicy' : [ 0x0, ['array', 26, ['unsigned char']]], } ], '__unnamed_1eca' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_1ecc' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_1ed0' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ed4' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_1ed6' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1eca']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1ecc']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1ed0']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_1ed4']], 'Others' : [ 0x0, ['__unnamed_1ed6']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 
'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0xf8, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, ['unsigned long']], 'MapFrozen' : [ 0xc, ['unsigned char']], 'MemoryMap' : [ 0x10, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x18, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x20, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x28, ['unsigned long']], 'NextCloneRange' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x30, ['unsigned long']], 'LoaderMdl' : [ 0x34, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x38, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x40, ['unsigned long long']], 'IoPages' : [ 0x48, ['pointer', ['void']]], 'CurrentMcb' : [ 0x4c, ['pointer', ['void']]], 'DumpStack' : [ 0x50, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x54, ['pointer', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0x58, ['unsigned long']], 'HiberPte' : [ 0x60, ['_LARGE_INTEGER']], 'Status' : [ 0x68, ['long']], 'MemoryImage' : [ 0x6c, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x70, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x74, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x78, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x7c, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x80, ['pointer', ['void']]], 'DmaIO' : [ 0x84, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x88, ['pointer', ['void']]], 'PerfInfo' : [ 0x90, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0xf0, ['pointer', ['_MDL']]], } ], 
'_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x14, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x4, ['unsigned long']], 'Parameter2' : [ 0x8, ['unsigned long']], 'Parameter3' : [ 0xc, ['unsigned long']], 'Parameter4' : [ 0x10, ['unsigned long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x4, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '__unnamed_1efb' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 
'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_1efb']], } ], '__unnamed_1eff' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_1eff']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xe0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'HiberPte' : [ 0x38, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x40, ['unsigned long']], 'FreeMapCheck' : [ 0x44, ['unsigned long']], 'WakeCheck' : [ 0x48, ['unsigned long']], 'TotalPages' : [ 0x4c, ['unsigned long']], 'FirstTablePage' : [ 0x50, ['unsigned long']], 'LastFilePage' : [ 0x54, ['unsigned long']], 'PerfInfo' : [ 0x58, 
['_PO_HIBER_PERF']], 'NoBootLoaderLogPages' : [ 0xb8, ['unsigned long']], 'BootLoaderLogPages' : [ 0xbc, ['array', 8, ['unsigned long']]], 'TotalPhysicalMemoryCount' : [ 0xdc, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, ['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'Writable' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', 
['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '__unnamed_1f1c' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1f1e' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f20' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f22' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1f24' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1f26' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f28' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1f2a' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1f2c' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f2e' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 'Data' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '__unnamed_1f30' : [ 0x1c, { 'DeviceClass' : [ 0x0, ['__unnamed_1f1c']], 'TargetDevice' : [ 0x0, ['__unnamed_1f1e']], 'InstallDevice' : [ 0x0, 
['__unnamed_1f20']], 'CustomNotification' : [ 0x0, ['__unnamed_1f22']], 'ProfileNotification' : [ 0x0, ['__unnamed_1f24']], 'PowerNotification' : [ 0x0, ['__unnamed_1f26']], 'VetoNotification' : [ 0x0, ['__unnamed_1f28']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1f2a']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1f2c']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1f2e']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x40, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_1f30']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x34, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0xc, ['pointer', ['unsigned char']]], 'PciDeviceId' : [ 0x10, ['unsigned short']], 'PciVendorId' : [ 0x12, ['unsigned short']], 'PciBusNumber' : [ 0x14, ['unsigned char']], 'PciBusSegment' : [ 0x16, ['unsigned short']], 'PciSlotNumber' : [ 0x18, ['unsigned char']], 'PciFunctionNumber' : [ 0x19, ['unsigned char']], 'PciFlags' : [ 0x1c, ['unsigned long']], 'SystemGUID' : [ 0x20, ['_GUID']], 'IsMMIODevice' : [ 0x30, ['unsigned char']], 'TerminalType' : [ 0x31, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, 
['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_1f47' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f49' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_1f4b' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_1f47']], 'Gpt' : [ 0x0, ['__unnamed_1f49']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_1f4b']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x10, { 'FirstFreePte' : [ 0x0, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x4, ['pointer', ['unsigned long']]], 'GlobalMutex' : [ 0x8, ['pointer', ['_KGUARDED_MUTEX']]], 'TbFlushTimeStamp' : [ 0xc, ['unsigned long']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x10, { 'DHCPServerACK' : [ 0x0, ['pointer', ['unsigned 
char']]], 'DHCPServerACKLength' : [ 0x4, ['unsigned long']], 'BootServerReplyPacket' : [ 0x8, ['pointer', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0xc, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x148, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } 
], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, 
['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win7.py0000644000000000000000000002304113131215405025612 0ustar rootroot
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: The Volatility Foundation
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net

This file provides support for Windows 7.
"""

#pylint: disable-msg=C0111

import windows
import volatility.obj as obj
import volatility.debug as debug #pylint: disable-msg=W0611

# Profile modification gated by `conditions` (os == 'windows', major >= 6,
# 32-bit memory model). Its modification() adds a 'pointer64' entry, whose
# first element is 8, to the profile's native types.
class Win7Pointer64(obj.ProfileModification):
    # Names of other modifications used for ordering; how the loader
    # interprets the list is not shown in this file.
    before = ['WindowsOverlay', 'WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x >= 6,
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        # NOTE(review): this copy of the file is damaged here. The text that
        # followed the opening quote (the rest of the 'pointer64' entry and
        # everything up to the tail of a later `conditions` dict) is missing,
        # so the statement below is incomplete as shown.
        profile.native_types.update({'pointer64': [8, '= 1}

    # NOTE(review): the class header and the `_OBJECT_HEADER` definition that
    # this method refers to are not visible in this copy. The method registers
    # `_OBJECT_HEADER` as the object class for the '_OBJECT_HEADER' type.
    def modification(self, profile):
        profile.object_classes.update({'_OBJECT_HEADER': _OBJECT_HEADER})

# Overlay for 32-bit Windows 6.1 images: sets the VOLATILITY_MAGIC values
# HibrProcPage (0x1) and HibrEntryCount (0x1ff).
# NOTE(review): the code that reads these two values is not in this file;
# presumably the hibernation-file support. Confirm before changing them.
class Win7x86Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x1)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0x1ff)]],
                        }]}
        profile.merge_overlay(overlay)

# 64-bit counterpart of Win7x86Hiber: same HibrProcPage (0x1), but
# HibrEntryCount is 0xff instead of 0x1ff.
class Win7x64Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x1)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0xff)]],
                        }]}
        profile.merge_overlay(overlay)

# Each profile below is metadata only: memory model, os, major/minor version,
# build number, the module that holds its structure definitions
# (_md_vtype_module) and the product types it applies to (_md_product).

class Win7SP0x86(obj.Profile):
    """ A Profile for Windows 7 SP0 x86 """
    _md_memory_model = '32bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 1
    _md_build = 7600
    _md_vtype_module = 'volatility.plugins.overlays.windows.win7_sp0_x86_vtypes'
    _md_product = ["NtProductWinNt"]

class Win7SP1x86(obj.Profile):
    """ A Profile for Windows 7 SP1 x86 """
    _md_memory_model = '32bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 1
    _md_build = 7601
    _md_vtype_module = 'volatility.plugins.overlays.windows.win7_sp1_x86_vtypes'
    _md_product = ["NtProductWinNt"]

# Carries the same os/major/minor/build metadata as Win7SP1x86 (build 7601)
# but a different vtypes module, so the build number alone does not tell the
# two apart.
# NOTE(review): analysing an image with the wrong profile of the pair would
# presumably apply the other revision's structure layouts; confirm the
# kernel revision of the image before choosing.
class Win7SP1x86_23418(obj.Profile):
    """ A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09) """
    _md_memory_model = '32bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 1
    _md_build = 7601
    _md_vtype_module = 'volatility.plugins.overlays.windows.win7_sp1_x86_BBA98F40_vtypes'
    _md_product = ["NtProductWinNt"]

class Win7SP0x64(obj.Profile):
    """ A Profile for Windows 7 SP0 x64 """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 1
    _md_build = 7600
    _md_vtype_module = 'volatility.plugins.overlays.windows.win7_sp0_x64_vtypes'
    _md_product = ["NtProductWinNt"]

class Win7SP1x64(obj.Profile):
    """ A Profile for Windows 7 SP1 x64 """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 1
    _md_build = 7601
    _md_vtype_module = 'volatility.plugins.overlays.windows.win7_sp1_x64_vtypes'
    _md_product = ["NtProductWinNt"]

# Same metadata as Win7SP1x64 (build 7601) with a different vtypes module;
# the caveat on Win7SP1x86_23418 about telling the pair apart applies here.
class Win7SP1x64_23418(obj.Profile):
    """ A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09) """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 1
    _md_build = 7601
    _md_vtype_module = 'volatility.plugins.overlays.windows.win7_sp1_x64_632B36E0_vtypes'
    _md_product = ["NtProductWinNt"]

# The Windows 2008 R2 profiles inherit everything from the matching Windows 7
# x64 profile and override only the product types.

class Win2008R2SP0x64(Win7SP0x64):
    """ A Profile for Windows 2008 R2 SP0 x64 """
    _md_product = ["NtProductLanManNt", "NtProductServer"]

class Win2008R2SP1x64(Win7SP1x64):
    """ A Profile for Windows 2008 R2 SP1 x64 """
    _md_product = ["NtProductLanManNt", "NtProductServer"]

class Win2008R2SP1x64_23418(Win7SP1x64_23418):
    """ A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09) """
    _md_product = ["NtProductLanManNt", "NtProductServer"]
volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win10_x86_vtypes.py0000644000000000000000000253563213131215405030023 0ustar rootrootntkrpamp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, 
['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x708, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'NtBuildNumber' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'BootId' : [ 0x2c4, ['unsigned long']], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, 
end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'Reserved12' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgMultiSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned 
long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrementShift' : [ 0x368, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x369, ['unsigned char']], 'UnparkedProcessorCount' : [ 0x36a, ['unsigned short']], 'Reserved8' : [ 0x36c, ['array', 20, ['unsigned char']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_107d' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } 
], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_107d']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1081' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1081']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_109c' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109e' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_109c']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_109e']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TEB' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 
'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 16, ['pointer', ['void']]]], 'SystemReserved1' : [ 0x10c, ['array', 38, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'InstrumentationCallbackSp' : [ 0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x1b8, ['unsigned char']], 'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, 
['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'PerflibData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', 
['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned 
short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['pointer', ['void']]], 'ReservedForWdf' : [ 0xfe4, ['pointer', ['void']]], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0xc, { 'Parent' : [ 0x0, ['pointer', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'CurEntry' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned 
short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_RB_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_RTL_BALANCED_NODE' : [ 0xc, { 'Children' : [ 0x0, ['array', 2, ['pointer', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x8, ['unsigned long']], } ], '_RTL_AVL_TREE' : [ 0x4, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, 
['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x4a20, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'MxCsr' : [ 0x8, ['unsigned long']], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x4900, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 'NestingLevel' 
: [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : [ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'ParentNode' : [ 0x338, ['pointer', ['_KNODE']]], 'PriorityState' : [ 0x33c, ['pointer', ['unsigned char']]], 'KernelReserved' : [ 0x340, ['array', 14, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'CpuVendor' : [ 0x3be, ['unsigned char']], 'PrcbPad0' : [ 0x3bf, ['array', 1, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'GroupIndex' : [ 0x3c4, ['unsigned char']], 'Group' : [ 0x3c5, ['unsigned char']], 'PrcbPad05' : [ 0x3c6, ['array', 2, ['unsigned char']]], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, ['unsigned long']], 'ClockOwner' : [ 0x3d0, ['unsigned char']], 'PendingTickFlags' : [ 0x3d1, ['unsigned char']], 'PendingTick' : [ 0x3d1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x3d1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'PrcbPad10' : [ 0x3d2, ['array', 70, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'InterruptCount' : [ 0x4a0, ['unsigned long']], 'KernelTime' : [ 0x4a4, ['unsigned long']], 'UserTime' : [ 0x4a8, ['unsigned long']], 'DpcTime' : [ 0x4ac, ['unsigned long']], 'DpcTimeCount' : [ 0x4b0, ['unsigned long']], 'InterruptTime' : [ 0x4b4, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4b8, ['unsigned long']], 'PageColor' : [ 0x4bc, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c0, ['unsigned char']], 'NodeColor' : [ 0x4c1, ['unsigned char']], 'DeepSleep' : [ 0x4c2, 
['unsigned char']], 'PrcbPad20' : [ 0x4c3, ['array', 5, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'SecondaryColorMask' : [ 0x4cc, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d0, ['unsigned long']], 'PrcbPad21' : [ 0x4d4, ['array', 3, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' : [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x520, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, ['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, ['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : [ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x570, ['unsigned 
long']], 'CcPinReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, ['unsigned long']]], 'PPLookasideList' : [ 0x5a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1820, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2120, ['long']], 'ReverseStall' : [ 0x2124, ['long']], 'IpiFrame' : [ 0x2128, ['pointer', ['void']]], 'PrcbPad3' : [ 0x212c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x2160, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x216c, ['unsigned long']], 'WorkerRoutine' : [ 0x2170, ['pointer', ['void']]], 'IpiFrozen' : [ 0x2174, ['unsigned long']], 'PrcbPad4' : [ 0x2178, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x21a0, ['unsigned long']], 'TargetCount' : [ 0x21a4, ['long']], 'PrcbPad50' : [ 0x21a8, ['array', 40, ['unsigned char']]], 'InterruptLastCount' : [ 0x21d0, ['unsigned long']], 'InterruptRate' : [ 0x21d4, ['unsigned long']], 'DeviceInterrupts' : [ 0x21d8, ['unsigned long']], 'IsrDpcStats' : [ 0x21dc, ['pointer', ['void']]], 'DpcData' : [ 0x21e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2210, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2214, ['long']], 'DpcRequestRate' : [ 0x2218, ['unsigned long']], 'MinimumDpcRate' : [ 0x221c, ['unsigned long']], 'DpcLastCount' : [ 0x2220, ['unsigned long']], 'PrcbLock' : [ 0x2224, ['unsigned long']], 'DpcGate' : [ 0x2228, 
['_KGATE']], 'IdleState' : [ 0x2238, ['unsigned char']], 'QuantumEnd' : [ 0x2239, ['unsigned char']], 'DpcRoutineActive' : [ 0x223a, ['unsigned char']], 'IdleSchedule' : [ 0x223b, ['unsigned char']], 'DpcRequestSummary' : [ 0x223c, ['long']], 'DpcRequestSlot' : [ 0x223c, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x223c, ['short']], 'ThreadDpcState' : [ 0x223e, ['short']], 'DpcNormalProcessingActive' : [ 0x223c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x223c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x223c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x223c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x223c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x223c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x223c, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x223c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x223c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x223c, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2240, ['unsigned long']], 'LastTick' : [ 0x2244, ['unsigned long']], 'PeriodicCount' : [ 0x2248, ['unsigned long']], 'PeriodicBias' : [ 0x224c, ['unsigned long']], 'ClockInterrupts' : [ 0x2250, ['unsigned long']], 'ReadyScanTick' : [ 0x2254, ['unsigned long']], 'GroupSchedulingOverQuota' : [ 0x2258, ['unsigned char']], 'ThreadDpcEnable' : [ 0x2259, ['unsigned char']], 'PrcbPad41' : [ 0x225a, ['array', 2, ['unsigned char']]], 'TimerTable' : [ 0x2260, 
['_KTIMER_TABLE']], 'CallDpc' : [ 0x3aa0, ['_KDPC']], 'ClockKeepAlive' : [ 0x3ac0, ['long']], 'PrcbPad6' : [ 0x3ac4, ['array', 4, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x3ac8, ['long']], 'DpcWatchdogCount' : [ 0x3acc, ['long']], 'KeSpinLockOrdering' : [ 0x3ad0, ['long']], 'PrcbPad70' : [ 0x3ad4, ['array', 1, ['unsigned long']]], 'QueueIndex' : [ 0x3ad8, ['unsigned long']], 'DeferredReadyListHead' : [ 0x3adc, ['_SINGLE_LIST_ENTRY']], 'ReadySummary' : [ 0x3ae0, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x3ae4, ['long']], 'WaitLock' : [ 0x3ae8, ['unsigned long']], 'WaitListHead' : [ 0x3aec, ['_LIST_ENTRY']], 'ScbOffset' : [ 0x3af4, ['unsigned long']], 'StartCycles' : [ 0x3af8, ['unsigned long long']], 'TaggedCyclesStart' : [ 0x3b00, ['unsigned long long']], 'TaggedCycles' : [ 0x3b08, ['array', 2, ['unsigned long long']]], 'GenerationTarget' : [ 0x3b18, ['unsigned long long']], 'CycleTime' : [ 0x3b20, ['unsigned long long']], 'AffinitizedCycles' : [ 0x3b28, ['unsigned long long']], 'HighCycleTime' : [ 0x3b30, ['unsigned long']], 'Cycles' : [ 0x3b38, ['array', 4, ['array', 2, ['unsigned long long']]]], 'PrcbPad71' : [ 0x3b78, ['array', 10, ['unsigned long']]], 'DispatcherReadyListHead' : [ 0x3ba0, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3ca0, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3ca4, ['long']], 'ScbQueue' : [ 0x3ca8, ['_RTL_RB_TREE']], 'ScbList' : [ 0x3cb0, ['_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x3cb8, ['long']], 'MmCopyOnWriteCount' : [ 0x3cbc, ['long']], 'MmTransitionCount' : [ 0x3cc0, ['long']], 'MmCacheTransitionCount' : [ 0x3cc4, ['long']], 'MmDemandZeroCount' : [ 0x3cc8, ['long']], 'MmPageReadCount' : [ 0x3ccc, ['long']], 'MmPageReadIoCount' : [ 0x3cd0, ['long']], 'MmCacheReadCount' : [ 0x3cd4, ['long']], 'MmCacheIoCount' : [ 0x3cd8, ['long']], 'MmDirtyPagesWriteCount' : [ 0x3cdc, ['long']], 'MmDirtyWriteIoCount' : [ 0x3ce0, ['long']], 'MmMappedPagesWriteCount' : [ 0x3ce4, ['long']], 'MmMappedWriteIoCount' : [ 
0x3ce8, ['long']], 'CachedCommit' : [ 0x3cec, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3cf0, ['unsigned long']], 'HyperPte' : [ 0x3cf4, ['pointer', ['void']]], 'PrcbPad8' : [ 0x3cf8, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x3cfc, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x3d09, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x3d0a, ['unsigned char']], 'PrcbPad9' : [ 0x3d0b, ['array', 1, ['unsigned char']]], 'FeatureBits' : [ 0x3d10, ['unsigned long long']], 'UpdateSignature' : [ 0x3d18, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3d20, ['unsigned long long']], 'PrcbPad90' : [ 0x3d28, ['array', 2, ['unsigned long']]], 'PowerState' : [ 0x3d30, ['_PROCESSOR_POWER_STATE']], 'PrcbPad91' : [ 0x3eb0, ['array', 17, ['unsigned long']]], 'DpcWatchdogDpc' : [ 0x3ef4, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3f18, ['_KTIMER']], 'HypercallPageList' : [ 0x3f40, ['_SLIST_HEADER']], 'HypercallCachedPages' : [ 0x3f48, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x3f4c, ['pointer', ['void']]], 'StatisticsPage' : [ 0x3f50, ['pointer', ['unsigned long long']]], 'Cache' : [ 0x3f54, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3f90, ['unsigned long']], 'PackageProcessorSet' : [ 0x3f94, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x3fa0, ['unsigned long']], 'SharedReadyQueue' : [ 0x3fa4, ['pointer', ['_KSHARED_READY_QUEUE']]], 'SharedQueueScanOwner' : [ 0x3fa8, ['unsigned long']], 'CoreProcessorSet' : [ 0x3fac, ['unsigned long']], 'ScanSiblingMask' : [ 0x3fb0, ['unsigned long']], 'LLCMask' : [ 0x3fb4, ['unsigned long']], 'CacheProcessorMask' : [ 0x3fb8, ['array', 5, ['unsigned long']]], 'ScanSiblingIndex' : [ 0x3fcc, ['unsigned long']], 'WheaInfo' : [ 0x3fd0, ['pointer', ['void']]], 'EtwSupport' : [ 0x3fd4, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x3fd8, ['_SLIST_HEADER']], 'PrcbPad92' : [ 0x3fe0, ['array', 3, ['unsigned long']]], 'PteBitCache' : [ 0x3fec, ['unsigned long']], 'PteBitOffset' : [ 0x3ff0, ['unsigned 
long']], 'PrcbPad93' : [ 0x3ff4, ['unsigned long']], 'ProcessorProfileControlArea' : [ 0x3ff8, ['pointer', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x3ffc, ['pointer', ['void']]], 'TimerExpirationDpc' : [ 0x4000, ['_KDPC']], 'SynchCounters' : [ 0x4020, ['_SYNCH_COUNTERS']], 'FsCounters' : [ 0x40d8, ['_FILESYSTEM_DISK_COUNTERS']], 'Context' : [ 0x40e8, ['pointer', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x40ec, ['unsigned long']], 'ExtendedState' : [ 0x40f0, ['pointer', ['_XSAVE_AREA']]], 'EntropyTimingState' : [ 0x40f4, ['_KENTROPY_TIMING_STATE']], 'IsrStack' : [ 0x421c, ['pointer', ['void']]], 'VectorToInterruptObject' : [ 0x4220, ['array', 208, ['pointer', ['_KINTERRUPT']]]], 'AbSelfIoBoostsList' : [ 0x4560, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x4564, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x4568, ['_KDPC']], 'IoIrpStackProfilerCurrent' : [ 0x4588, ['_IOP_IRP_STACK_PROFILER']], 'IoIrpStackProfilerPrevious' : [ 0x45dc, ['_IOP_IRP_STACK_PROFILER']], 'TimerExpirationTrace' : [ 0x4630, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : [ 0x4730, ['unsigned long']], 'ExSaPageArray' : [ 0x4734, ['pointer', ['void']]], 'PrcbPad100' : [ 0x4738, ['array', 10, ['unsigned long']]], 'LocalSharedReadyQueue' : [ 0x4760, ['_KSHARED_READY_QUEUE']], 'PrcbPad95' : [ 0x4894, ['array', 12, ['unsigned char']]], 'Mailbox' : [ 0x48a0, ['pointer', ['_REQUEST_MAILBOX']]], 'PrcbPad' : [ 0x48a4, ['array', 60, ['unsigned char']]], 'RequestMailbox' : [ 0x48e0, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 
0x1c, ['pointer', ['void']]], 'Reserved' : [ 0x14, ['array', 3, ['pointer', ['void']]]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_KPROCESS' : [ 0xa8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'DeepFreezeStartTime' : [ 0x38, ['unsigned long long']], 'Affinity' : [ 0x40, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x4c, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x54, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x58, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x64, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x64, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x64, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'DeepFreeze' : [ 0x64, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x64, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x64, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SpareFlags0' : [ 0x64, ['BitField', 
dict(start_bit = 6, end_bit = 8, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x64, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0x64, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x64, ['long']], 'BasePriority' : [ 0x68, ['unsigned char']], 'QuantumReset' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x6c, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x70, ['array', 1, ['unsigned short']]], 'IdealGlobalNode' : [ 0x72, ['unsigned short']], 'Spare1' : [ 0x74, ['unsigned short']], 'IopmOffset' : [ 0x76, ['unsigned short']], 'SchedulingGroup' : [ 0x78, ['pointer', ['_KSCHEDULING_GROUP']]], 'StackCount' : [ 0x7c, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x80, ['_LIST_ENTRY']], 'CycleTime' : [ 0x88, ['unsigned long long']], 'ContextSwitches' : [ 0x90, ['unsigned long long']], 'FreezeCount' : [ 0x98, ['unsigned long']], 'KernelTime' : [ 0x9c, ['unsigned long']], 'UserTime' : [ 0xa0, ['unsigned long']], 'VdmTrapcHandler' : [ 0xa4, ['pointer', ['void']]], } ], '_KTHREAD' : [ 0x348, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x10, ['pointer', ['void']]], 'QuantumTarget' : [ 0x18, ['unsigned long long']], 'InitialStack' : [ 0x20, ['pointer', ['void']]], 'StackLimit' : [ 0x24, ['pointer', ['void']]], 'StackBase' : [ 0x28, ['pointer', ['void']]], 'ThreadLock' : [ 0x2c, ['unsigned long']], 'CycleTime' : [ 0x30, ['unsigned long long']], 'HighCycleTime' : [ 0x38, ['unsigned long']], 'ServiceTable' : [ 0x3c, ['pointer', ['void']]], 'CurrentRunTime' : [ 0x40, ['unsigned long']], 'ExpectedRunTime' : [ 0x44, ['unsigned long']], 'KernelStack' : [ 0x48, ['pointer', ['void']]], 'StateSaveArea' : [ 0x4c, ['pointer', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x50, ['pointer', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x54, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 
0x55, ['unsigned char']], 'Alerted' : [ 0x56, ['array', 2, ['unsigned char']]], 'AutoBoostActive' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitNext' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Alertable' : [ 0x58, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x58, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x58, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x58, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x58, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'TimerActive' : [ 0x58, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SystemThread' : [ 0x58, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x58, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CalloutActive' : [ 0x58, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x58, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ApcQueueable' : [ 0x58, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x58, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x58, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'TimerSuspended' : [ 0x58, ['BitField', dict(start_bit = 17, end_bit = 18, 
native_type='unsigned long')]], 'SuspendedWaitMode' : [ 0x58, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'SuspendSchedulerApcWait' : [ 0x58, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x58, ['long']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ThreadFlagsSpare0' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x5c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x5c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x5c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x5c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x5c, ['BitField', dict(start_bit = 14, end_bit = 15, 
native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x5c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'KernelStackResident' : [ 0x5c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CommitFailTerminateRequest' : [ 0x5c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ProcessStackCountDecremented' : [ 0x5c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ThreadFlagsSpare' : [ 0x5c, ['BitField', dict(start_bit = 19, end_bit = 24, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x5c, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x5c, ['long']], 'Tag' : [ 0x60, ['unsigned char']], 'SystemHeteroCpuPolicy' : [ 0x61, ['unsigned char']], 'UserHeteroCpuPolicy' : [ 0x62, ['BitField', dict(start_bit = 0, end_bit = 7, native_type='unsigned char')]], 'ExplicitSystemHeteroCpuPolicy' : [ 0x62, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare0' : [ 0x63, ['unsigned char']], 'SystemCallNumber' : [ 0x64, ['unsigned long']], 'FirstArgument' : [ 0x68, ['pointer', ['void']]], 'TrapFrame' : [ 0x6c, ['pointer', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x70, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x70, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x87, ['unsigned char']], 'UserIdealProcessor' : [ 0x88, ['unsigned long']], 'ContextSwitches' : [ 0x8c, ['unsigned long']], 'State' : [ 0x90, ['unsigned char']], 'Spare12' : [ 0x91, ['unsigned char']], 'WaitIrql' : [ 0x92, ['unsigned char']], 'WaitMode' : [ 0x93, ['unsigned char']], 'WaitStatus' : [ 0x94, ['long']], 'WaitBlockList' : [ 0x98, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x9c, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x9c, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa4, ['pointer', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xa8, ['pointer', ['void']]], 'RelativeTimerBias' : [ 0xb0, ['unsigned 
long long']], 'Timer' : [ 0xb8, ['_KTIMER']], 'WaitBlock' : [ 0xe0, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill8' : [ 0xe0, ['array', 20, ['unsigned char']]], 'ThreadCounters' : [ 0xf4, ['pointer', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0xe0, ['array', 44, ['unsigned char']]], 'XStateSave' : [ 0x10c, ['pointer', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0xe0, ['array', 68, ['unsigned char']]], 'Win32Thread' : [ 0x124, ['pointer', ['void']]], 'WaitBlockFill11' : [ 0xe0, ['array', 88, ['unsigned char']]], 'WaitTime' : [ 0x138, ['unsigned long']], 'KernelApcDisable' : [ 0x13c, ['short']], 'SpecialApcDisable' : [ 0x13e, ['short']], 'CombinedApcDisable' : [ 0x13c, ['unsigned long']], 'QueueListEntry' : [ 0x140, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x148, ['unsigned long']], 'NextProcessorNumber' : [ 0x148, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x148, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x14c, ['long']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'UserAffinity' : [ 0x154, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x154, ['array', 6, ['unsigned char']]], 'PreviousMode' : [ 0x15a, ['unsigned char']], 'BasePriority' : [ 0x15b, ['unsigned char']], 'PriorityDecrement' : [ 0x15c, ['unsigned char']], 'ForegroundBoost' : [ 0x15c, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x15c, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x15d, ['unsigned char']], 'AdjustReason' : [ 0x15e, ['unsigned char']], 'AdjustIncrement' : [ 0x15f, ['unsigned char']], 'AffinityVersion' : [ 0x160, ['unsigned long']], 'Affinity' : [ 0x164, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x164, ['array', 6, ['unsigned char']]], 'ApcStateIndex' : [ 0x16a, ['unsigned char']], 'WaitBlockCount' : [ 0x16b, ['unsigned char']], 'IdealProcessor' : [ 0x16c, ['unsigned 
long']], 'Spare15' : [ 0x170, ['array', 1, ['unsigned long']]], 'SavedApcState' : [ 0x174, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x174, ['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x18b, ['unsigned char']], 'SuspendCount' : [ 0x18c, ['unsigned char']], 'Saturation' : [ 0x18d, ['unsigned char']], 'SListFaultCount' : [ 0x18e, ['unsigned short']], 'SchedulerApc' : [ 0x190, ['_KAPC']], 'SchedulerApcFill0' : [ 0x190, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x191, ['unsigned char']], 'SchedulerApcFill1' : [ 0x190, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x193, ['unsigned char']], 'SchedulerApcFill2' : [ 0x190, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x194, ['unsigned long']], 'SchedulerApcFill3' : [ 0x190, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b4, ['pointer', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x190, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1b8, ['pointer', ['void']]], 'SchedulerApcFill5' : [ 0x190, ['array', 47, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x1bf, ['unsigned char']], 'UserTime' : [ 0x1c0, ['unsigned long']], 'SuspendEvent' : [ 0x1c4, ['_KEVENT']], 'ThreadListEntry' : [ 0x1d4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1dc, ['_LIST_ENTRY']], 'AbEntrySummary' : [ 0x1e4, ['unsigned char']], 'AbWaitEntryCount' : [ 0x1e5, ['unsigned char']], 'Spare20' : [ 0x1e6, ['unsigned short']], 'LockEntries' : [ 0x1e8, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x308, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x30c, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x310, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x320, ['unsigned long']], 'AbCompletedIoBoostCount' : [ 0x324, ['long']], 'KeReferenceCount' : [ 0x328, ['short']], 'AbOrphanedEntrySummary' : [ 0x32a, ['unsigned char']], 'AbOwnedEntryCount' : [ 0x32b, ['unsigned char']], 'ForegroundLossTime' : [ 0x32c, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x330, ['_LIST_ENTRY']], 
'ForegroundDpcStackListEntry' : [ 0x330, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x334, ['unsigned long']], 'QueuedScb' : [ 0x338, ['pointer', ['_KSCB']]], 'NpxState' : [ 0x340, ['unsigned long long']], } ], '_KSTACK_CONTROL' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long']], 'ActualLimit' : [ 0x4, ['unsigned long']], 'StackExpansion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousTrapFrame' : [ 0x8, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0xc, ['pointer', ['void']]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'CpuId' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', 
['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer', ['void']]], 'DeleteContext' : [ 0xc, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 
'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0x100, { 'IdleNonParkedCpuSet' : [ 0x0, ['unsigned long']], 'IdleSmtSet' : [ 0x4, ['unsigned long']], 'IdleCpuSet' : [ 0x8, ['unsigned long']], 'DeepIdleSet' : [ 0x40, ['unsigned long']], 'IdleConstrainedSet' : [ 0x44, ['unsigned long']], 'NonParkedSet' : [ 0x48, ['unsigned long']], 'ParkLock' : [ 0x4c, ['long']], 'Seed' : [ 0x50, ['unsigned long']], 'SiblingMask' : [ 0x80, ['unsigned long']], 'Affinity' : [ 0x84, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x84, ['array', 6, ['unsigned char']]], 'NodeNumber' : [ 0x8a, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x8c, ['unsigned short']], 'Stride' : [ 0x8e, ['unsigned char']], 'Spare0' : [ 0x8f, ['unsigned char']], 'SharedReadyQueueLeaders' : [ 0x90, ['unsigned long']], 'ProximityId' : [ 0x94, ['unsigned long']], 'Lowest' : [ 0x98, ['unsigned long']], 'Highest' : [ 0x9c, ['unsigned long']], 'MaximumProcessors' : [ 0xa0, ['unsigned char']], 'Flags' : [ 0xa1, ['_flags']], 'Spare10' : [ 0xa2, ['unsigned char']], 'HeteroSets' : [ 0xa4, ['array', 5, ['_KHETERO_PROCESSOR_SET']]], } ], '_ENODE' : [ 0x380, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueues' : [ 0x100, ['array', 8, ['pointer', ['_EX_WORK_QUEUE']]]], 'ExWorkQueue' : [ 0x120, ['_EX_WORK_QUEUE']], 'ExpThreadSetManagerEvent' : [ 0x2d8, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x2e8, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x310, ['_KEVENT']], 'WaitBlocks' : [ 0x320, ['array', 3, 
['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x368, ['pointer', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x36c, ['unsigned long']], 'ExWorkerFullInit' : [ 0x370, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x370, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x370, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x5c, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long']], 'QuotaProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'StrictFIFO' : [ 0x1c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x1c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x1c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x1c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'RaiseUMExceptionOnInvalidHandleClose' : [ 0x1c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x20, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x24, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x28, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x28, ['array', 20, ['unsigned char']]], 'DebugInfo' : [ 0x3c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'VolatileLowValue' : [ 0x0, ['long']], 'LowValue' : [ 0x0, ['long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'HighValue' : [ 0x4, ['long']], 'NextFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x4, ['_EXHANDLE']], 
'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'RefCountField' : [ 0x4, ['long']], 'GrantedAccessBits' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'ProtectFromClose' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'RefCnt' : [ 0x4, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '__unnamed_131d' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_131d']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc4, { 'PrivilegesUsed' : [ 0x0, ['pointer', 
['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xc0, ['unsigned char']], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_ETHREAD' : [ 0x458, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x348, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x350, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x350, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x358, ['pointer', ['void']]], 'PostBlockList' : [ 0x35c, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x35c, ['pointer', ['void']]], 'StartAddress' : [ 0x360, ['pointer', ['void']]], 'TerminationPort' : [ 0x364, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x364, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x364, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x368, ['unsigned long']], 'ActiveTimerListHead' : [ 0x36c, ['_LIST_ENTRY']], 'Cid' : [ 0x374, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x37c, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x37c, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x390, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x394, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x39c, ['unsigned long']], 'DeviceToVerify' : [ 0x3a0, ['pointer', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x3a4, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x3a8, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x3ac, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x3b4, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x3b8, ['_EX_PUSH_LOCK']], 
'ReadClusterSize' : [ 0x3bc, ['unsigned long']], 'MmLockOrdering' : [ 0x3c0, ['long']], 'CmLockOrdering' : [ 0x3c4, ['long']], 'CrossThreadFlags' : [ 0x3c8, ['unsigned long']], 'Terminated' : [ 0x3c8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x3c8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x3c8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x3c8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x3c8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x3c8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x3c8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x3c8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x3c8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x3c8, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x3c8, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x3c8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x3c8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x3c8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x3c8, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x3cc, ['unsigned long']], 'ActiveExWorker' : [ 0x3cc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 
'MemoryMaker' : [ 0x3cc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ClonedThread' : [ 0x3cc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x3cc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SelfTerminate' : [ 0x3cc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RespectIoPriority' : [ 0x3cc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReservedSameThreadPassiveFlags' : [ 0x3cc, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x3d0, ['unsigned long']], 'OwnsProcessAddressSpaceExclusive' : [ 0x3d0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x3d0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardFaultBehavior' : [ 0x3d0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x3d0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x3d0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x3d0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Prefetching' : [ 0x3d0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x3d0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x3d1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x3d1, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x3d4, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x3d5, ['unsigned char']], 'ActiveFaultCount' : [ 0x3d6, ['unsigned char']], 
'LockOrderState' : [ 0x3d7, ['unsigned char']], 'AlpcMessageId' : [ 0x3d8, ['unsigned long']], 'AlpcMessage' : [ 0x3dc, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x3dc, ['unsigned long']], 'ExitStatus' : [ 0x3e0, ['long']], 'AlpcWaitListEntry' : [ 0x3e4, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x3ec, ['unsigned long']], 'IoBoostCount' : [ 0x3f0, ['unsigned long']], 'BoostList' : [ 0x3f4, ['_LIST_ENTRY']], 'DeboostList' : [ 0x3fc, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x404, ['unsigned long']], 'IrpListLock' : [ 0x408, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x40c, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x410, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x414, ['pointer', ['_GUID']]], 'SeLearningModeListHead' : [ 0x418, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x41c, ['pointer', ['void']]], 'KernelStackReference' : [ 0x420, ['unsigned long']], 'AdjustedClientToken' : [ 0x424, ['pointer', ['void']]], 'WorkingOnBehalfClient' : [ 0x428, ['pointer', ['void']]], 'PropertySet' : [ 0x42c, ['_PS_PROPERTY_SET']], 'PicoContext' : [ 0x438, ['pointer', ['void']]], 'UserFsBase' : [ 0x43c, ['unsigned long']], 'UserGsBase' : [ 0x440, ['unsigned long']], 'EnergyValues' : [ 0x444, ['pointer', ['_THREAD_ENERGY_VALUES']]], 'CmCellReferences' : [ 0x448, ['unsigned long']], 'SelectedCpuSets' : [ 0x44c, ['unsigned long']], 'SelectedCpuSetsIndirect' : [ 0x44c, ['pointer', ['unsigned long']]], 'Silo' : [ 0x450, ['pointer', ['_ESILO']]], } ], '_EPROCESS' : [ 0x380, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xa8, ['_EX_PUSH_LOCK']], 'RundownProtect' : [ 0xac, ['_EX_RUNDOWN_REF']], 'VdmObjects' : [ 0xb0, ['pointer', ['void']]], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'Flags2' : [ 0xc0, ['unsigned long']], 'JobNotReallyActive' : [ 0xc0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0xc0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'NewProcessReported' : [ 0xc0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0xc0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0xc0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0xc0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0xc0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0xc0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0xc0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0xc0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0xc0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0xc0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0xc0, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0xc0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0xc0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0xc0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0xc0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0xc0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0xc0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0xc0, ['BitField', dict(start_bit = 21, end_bit = 22, 
native_type='unsigned long')]], 'ProcessExecutionState' : [ 0xc0, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0xc0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0xc0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0xc0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0xc0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0xc0, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0xc0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0xc0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0xc4, ['unsigned long']], 'CreateReported' : [ 0xc4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0xc4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0xc4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0xc4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0xc4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0xc4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0xc4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0xc4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FailFastOnCommitFail' : [ 0xc4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0xc4, ['BitField', 
dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0xc4, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0xc4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0xc4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0xc4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0xc4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0xc4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0xc4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0xc4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0xc4, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0xc4, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0xc4, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0xc4, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0xc4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0xc4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0xc4, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0xc4, ['BitField', dict(start_bit = 30, end_bit = 31, 
native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0xc4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CreateTime' : [ 0xc8, ['_LARGE_INTEGER']], 'ProcessQuotaUsage' : [ 0xd0, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xd8, ['array', 2, ['unsigned long']]], 'PeakVirtualSize' : [ 0xe0, ['unsigned long']], 'VirtualSize' : [ 0xe4, ['unsigned long']], 'SessionProcessLinks' : [ 0xe8, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0xf0, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xf0, ['unsigned long']], 'ExceptionPortState' : [ 0xf0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Token' : [ 0xf4, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xf8, ['unsigned long']], 'AddressCreationLock' : [ 0xfc, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0x100, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x104, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0x108, ['pointer', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x10c, ['pointer', ['_EJOB']]], 'CloneRoot' : [ 0x110, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x114, ['unsigned long']], 'NumberOfLockedPages' : [ 0x118, ['unsigned long']], 'Win32Process' : [ 0x11c, ['pointer', ['void']]], 'Job' : [ 0x120, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x124, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x128, ['pointer', ['void']]], 'Cookie' : [ 0x12c, ['unsigned long']], 'WorkingSetWatch' : [ 0x130, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x134, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x138, ['pointer', ['void']]], 'LdtInformation' : [ 0x13c, ['pointer', ['void']]], 'OwnerProcessId' : [ 0x140, ['unsigned long']], 'Peb' : [ 0x144, ['pointer', ['_PEB']]], 'Session' : [ 0x148, ['pointer', ['void']]], 'AweInfo' : [ 0x14c, ['pointer', ['void']]], 'QuotaBlock' : [ 0x150, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x154, ['pointer', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x158, 
['pointer', ['void']]], 'PaeTop' : [ 0x15c, ['pointer', ['void']]], 'DeviceMap' : [ 0x160, ['pointer', ['void']]], 'EtwDataSource' : [ 0x164, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x168, ['unsigned long long']], 'ImageFileName' : [ 0x170, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x17f, ['unsigned char']], 'SecurityPort' : [ 0x180, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x184, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x188, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x190, ['pointer', ['void']]], 'ThreadListHead' : [ 0x194, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x19c, ['unsigned long']], 'ImagePathHash' : [ 0x1a0, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a4, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1a8, ['long']], 'PrefetchTrace' : [ 0x1ac, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x1b0, ['pointer', ['void']]], 'ReadOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1e0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e8, ['unsigned long']], 'CommitCharge' : [ 0x1ec, ['unsigned long']], 'CommitChargePeak' : [ 0x1f0, ['unsigned long']], 'Vm' : [ 0x1f4, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x274, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x27c, ['unsigned long']], 'ExitStatus' : [ 0x280, ['long']], 'VadRoot' : [ 0x284, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x288, ['pointer', ['void']]], 'VadCount' : [ 0x28c, ['unsigned long']], 'VadPhysicalPages' : [ 0x290, ['unsigned long']], 'VadPhysicalPagesLimit' : [ 0x294, ['unsigned long']], 'AlpcContext' : [ 0x298, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x2a8, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x2b0, ['pointer', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x2b4, ['unsigned 
long']], 'SmallestTimerResolution' : [ 0x2b8, ['unsigned long']], 'ExitTime' : [ 0x2c0, ['_LARGE_INTEGER']], 'ActiveThreadsHighWatermark' : [ 0x2c8, ['unsigned long']], 'LargePrivateVadCount' : [ 0x2cc, ['unsigned long']], 'ThreadListLock' : [ 0x2d0, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x2d4, ['pointer', ['void']]], 'Spare0' : [ 0x2d8, ['unsigned long']], 'SignatureLevel' : [ 0x2dc, ['unsigned char']], 'SectionSignatureLevel' : [ 0x2dd, ['unsigned char']], 'Protection' : [ 0x2de, ['_PS_PROTECTION']], 'HangCount' : [ 0x2df, ['unsigned char']], 'Flags3' : [ 0x2e0, ['unsigned long']], 'Minimal' : [ 0x2e0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReplacingPageRoot' : [ 0x2e0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DisableNonSystemFonts' : [ 0x2e0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AuditNonSystemFontLoading' : [ 0x2e0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Crashed' : [ 0x2e0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'JobVadsAreTracked' : [ 0x2e0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'VadTrackingDisabled' : [ 0x2e0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AuxiliaryProcess' : [ 0x2e0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SubsystemProcess' : [ 0x2e0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x2e0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'InPrivate' : [ 0x2e0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DeviceAsid' : [ 0x2e4, ['long']], 'SvmData' : [ 0x2e8, ['pointer', ['void']]], 'SvmProcessLock' : [ 0x2ec, ['_EX_PUSH_LOCK']], 'SvmLock' : [ 0x2f0, ['unsigned long']], 'SvmProcessDeviceListHead' : [ 0x2f4, ['_LIST_ENTRY']], 
'LastFreezeInterruptTime' : [ 0x300, ['unsigned long long']], 'DiskCounters' : [ 0x308, ['pointer', ['_PROCESS_DISK_COUNTERS']]], 'PicoContext' : [ 0x30c, ['pointer', ['void']]], 'KeepAliveCounter' : [ 0x310, ['unsigned long']], 'NoWakeKeepAliveCounter' : [ 0x314, ['unsigned long']], 'HighPriorityFaultsAllowed' : [ 0x318, ['unsigned long']], 'InstrumentationCallback' : [ 0x31c, ['pointer', ['void']]], 'EnergyValues' : [ 0x320, ['pointer', ['_PROCESS_ENERGY_VALUES']]], 'VmContext' : [ 0x324, ['pointer', ['void']]], 'Silo' : [ 0x328, ['pointer', ['_ESILO']]], 'SiloEntry' : [ 0x32c, ['_LIST_ENTRY']], 'SequenceNumber' : [ 0x338, ['unsigned long long']], 'CreateInterruptTime' : [ 0x340, ['unsigned long long']], 'CreateUnbiasedInterruptTime' : [ 0x348, ['unsigned long long']], 'TotalUnbiasedFrozenTime' : [ 0x350, ['unsigned long long']], 'LastAppStateUpdateTime' : [ 0x358, ['unsigned long long']], 'LastAppStateUptime' : [ 0x360, ['BitField', dict(start_bit = 0, end_bit = 61, native_type='unsigned long long')]], 'LastAppState' : [ 0x360, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], 'SharedCommitCharge' : [ 0x368, ['unsigned long']], 'SharedCommitLock' : [ 0x36c, ['_EX_PUSH_LOCK']], 'SharedCommitLinks' : [ 0x370, ['_LIST_ENTRY']], 'AllowedCpuSets' : [ 0x378, ['unsigned long']], 'DefaultCpuSets' : [ 0x37c, ['unsigned long']], 'AllowedCpuSetsIndirect' : [ 0x378, ['pointer', ['unsigned long']]], 'DefaultCpuSetsIndirect' : [ 0x37c, ['pointer', ['unsigned long']]], } ], '__unnamed_1376' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_137c' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_137e' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_137c']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], 
'__unnamed_1389' : [ 0x2c, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x28, ['pointer', ['void']]], } ], '__unnamed_138b' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_1389']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_1376']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_137e']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_138b']], } ], '__unnamed_1392' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1396' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 
'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_139a' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_139c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_13a0' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 
'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_13a2' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_13a4' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 
'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], } ], '__unnamed_13a6' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 
12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 
0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13a8' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_13aa' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_13ae' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMetadataSizeInformation', 14: 'FileFsMaximumInformation'})]], } ], '__unnamed_13b0' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13b3' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_13b5' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13b7' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_13b9' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_13bd' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_13c1' : [ 0x4, { 'Srb' 
: [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_13c5' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_13c9' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_13cd' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13d1' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_13d5' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_13d7' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_13d9' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_13dd' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_13e1' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_13e5' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 
'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_13e9' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_13ed' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_13f5' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], } ], '__unnamed_13f9' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_13fb' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13fd' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13ff' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_1392']], 'CreatePipe' : [ 0x0, ['__unnamed_1396']], 'CreateMailslot' : [ 0x0, ['__unnamed_139a']], 'Read' : [ 0x0, ['__unnamed_139c']], 'Write' : [ 0x0, 
['__unnamed_139c']], 'QueryDirectory' : [ 0x0, ['__unnamed_13a0']], 'NotifyDirectory' : [ 0x0, ['__unnamed_13a2']], 'QueryFile' : [ 0x0, ['__unnamed_13a4']], 'SetFile' : [ 0x0, ['__unnamed_13a6']], 'QueryEa' : [ 0x0, ['__unnamed_13a8']], 'SetEa' : [ 0x0, ['__unnamed_13aa']], 'QueryVolume' : [ 0x0, ['__unnamed_13ae']], 'SetVolume' : [ 0x0, ['__unnamed_13ae']], 'FileSystemControl' : [ 0x0, ['__unnamed_13b0']], 'LockControl' : [ 0x0, ['__unnamed_13b3']], 'DeviceIoControl' : [ 0x0, ['__unnamed_13b5']], 'QuerySecurity' : [ 0x0, ['__unnamed_13b7']], 'SetSecurity' : [ 0x0, ['__unnamed_13b9']], 'MountVolume' : [ 0x0, ['__unnamed_13bd']], 'VerifyVolume' : [ 0x0, ['__unnamed_13bd']], 'Scsi' : [ 0x0, ['__unnamed_13c1']], 'QueryQuota' : [ 0x0, ['__unnamed_13c5']], 'SetQuota' : [ 0x0, ['__unnamed_13aa']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_13c9']], 'QueryInterface' : [ 0x0, ['__unnamed_13cd']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_13d1']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_13d5']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_13d7']], 'SetLock' : [ 0x0, ['__unnamed_13d9']], 'QueryId' : [ 0x0, ['__unnamed_13dd']], 'QueryDeviceText' : [ 0x0, ['__unnamed_13e1']], 'UsageNotification' : [ 0x0, ['__unnamed_13e5']], 'WaitWake' : [ 0x0, ['__unnamed_13e9']], 'PowerSequence' : [ 0x0, ['__unnamed_13ed']], 'Power' : [ 0x0, ['__unnamed_13f5']], 'StartDevice' : [ 0x0, ['__unnamed_13f9']], 'WMI' : [ 0x0, ['__unnamed_13fb']], 'Others' : [ 0x0, ['__unnamed_13fd']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_13ff']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1415' : [ 0x28, { 'ListEntry' : [ 0x0, 
['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_1415']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x8, ['unsigned long']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', 
['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'Type' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['unsigned char']], 'Reserved2' : [ 0xe, ['unsigned short']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x68, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x5c, ['pointer', ['void']]], 'UserContext' : [ 0x60, ['pointer', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', 
['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', 
['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], 
'_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], 'Oplock' : [ 0x3c, ['pointer', ['void']]], 'ReservedForRemote' : [ 0x3c, ['pointer', ['void']]], 'ReservedContext' : [ 0x40, ['pointer', ['void']]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], 
'_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_TlgProvider_t' : [ 0x30, { 'LevelPlus1' : [ 0x0, ['unsigned long']], 'ProviderMetadataPtr' : [ 0x4, ['pointer', ['unsigned short']]], 'KeywordAny' : [ 0x8, ['unsigned long long']], 'KeywordAll' : [ 0x10, ['unsigned long long']], 'RegHandle' : [ 0x18, ['unsigned long long']], 'EnableCallback' : [ 0x20, ['pointer', ['void']]], 'CallbackContext' : [ 0x24, ['pointer', ['void']]], 'AnnotationFunc' : [ 0x28, ['pointer', ['void']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_TlgProviderMetadata_t' : [ 0x13, { 'Type' : [ 0x0, ['unsigned char']], 'ProviderId' : [ 0x1, ['_GUID']], 'RemainingSize' : [ 0x11, ['unsigned short']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '__unnamed_15e3' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'HighLow' : [ 0x0, ['_MMPTE_HIGHLOW']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_15e3']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND' : [ 0xc, { 'LocalLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'State' : [ 0x4, ['_EX_PUSH_LOCK_AUTO_EXPAND_STATE']], 'Stats' : [ 0x8, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, 
['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'ReservedLowFlags' : [ 0xe, ['unsigned char']], 'WaiterPriority' : [ 0xf, ['unsigned char']], 'SharedWaiters' : [ 0x10, ['_KWAIT_CHAIN']], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '__unnamed_161b' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_161f' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ShortFlags' : [ 0x2, ['unsigned short']], 'VolatileShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1621' : [ 0x4, { 'ReferenceCount' : [ 
0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_161f']], } ], '__unnamed_1626' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireField' : [ 0x0, ['unsigned long']], } ], '_MMPFN' : [ 0x1c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'u1' : [ 0x0, ['__unnamed_161b']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x4, ['pointer', ['void']]], 'PteLong' : [ 0x4, ['unsigned long']], 'OriginalPte' : [ 0x8, ['_MMPTE']], 'u2' : [ 0x10, ['_MIPFNBLINK']], 'u3' : [ 0x14, ['__unnamed_1621']], 'u4' : [ 0x18, ['__unnamed_1626']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x34, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'BasePte' : [ 0x8, ['pointer', ['_MMPTE']]], 'Flags' : [ 0xc, ['unsigned long']], 'VaType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaPagedProtoPool', 15: 'MiVaMaximumType', 16: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'PteFailures' : [ 0x18, ['unsigned long']], 'SpinLock' : [ 0x1c, ['unsigned long']], 'GlobalPushLock' : [ 0x1c, ['pointer', ['_EX_PUSH_LOCK']]], 'Vm' : [ 0x20, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x24, ['unsigned long']], 'Hint' : [ 0x28, ['unsigned long']], 'CachedPtes' : [ 0x2c, ['pointer', 
['_MI_CACHED_PTES']]], 'TotalFreeSystemPtes' : [ 0x30, ['unsigned long']], } ], '_MMCLONE_DESCRIPTOR' : [ 0x30, { 'CloneNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Next' : [ 0x0, ['pointer', ['_MMCLONE_DESCRIPTOR']]], 'StartingCloneBlock' : [ 0xc, ['pointer', ['_MMCLONE_BLOCK']]], 'EndingCloneBlock' : [ 0x10, ['pointer', ['_MMCLONE_BLOCK']]], 'NumberOfPtes' : [ 0x14, ['unsigned long']], 'NumberOfReferences' : [ 0x18, ['unsigned long']], 'CloneHeader' : [ 0x1c, ['pointer', ['_MMCLONE_HEADER']]], 'NonPagedPoolQuotaCharge' : [ 0x20, ['unsigned long']], 'NestingLevel' : [ 0x28, ['unsigned long long']], } ], '__unnamed_1654' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_1654']], } ], '_MMWSL' : [ 0xe20, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'LastInitializedWsle' : [ 0x10, ['unsigned long']], 'NextAgingSlot' : [ 0x14, ['unsigned long']], 'NextAccessClearingSlot' : [ 0x18, ['unsigned long']], 'LastAccessClearingRemainder' : [ 0x1c, ['unsigned long']], 'LastAgingRemainder' : [ 0x20, ['unsigned long']], 'WsleSize' : [ 0x24, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long']], 'LowestPagableAddress' : [ 0x2c, ['pointer', ['void']]], 'NonDirectHash' : [ 0x30, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x34, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x38, ['pointer', ['_MMWSLE_HASH']]], 'ActiveWsleCounts' : [ 0x3c, ['array', 16, ['unsigned long']]], 'ActiveWsles' : [ 0x7c, ['array', 16, ['_MI_ACTIVE_WSLE_LISTHEAD']]], 'Wsle' : [ 0xfc, ['pointer', ['_MMWSLE']]], 'UserVaInfo' : [ 0x100, ['_MI_USER_VA_INFO']], } ], '_MMSUPPORT' : [ 0x80, { 'WorkingSetLock' : [ 0x0, ['long']], 'ExitOutswapGate' : [ 0x4, ['pointer', ['_KGATE']]], 
'AccessLog' : [ 0x8, ['pointer', ['void']]], 'WorkingSetExpansionLinks' : [ 0xc, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x14, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x30, ['unsigned long']], 'WorkingSetLeafSize' : [ 0x34, ['unsigned long']], 'WorkingSetLeafPrivateSize' : [ 0x38, ['unsigned long']], 'WorkingSetSize' : [ 0x3c, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x40, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x44, ['unsigned long']], 'ChargedWslePages' : [ 0x48, ['unsigned long']], 'ActualWslePages' : [ 0x4c, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x50, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x54, ['unsigned long']], 'HardFaultCount' : [ 0x58, ['unsigned long']], 'VmWorkingSetList' : [ 0x5c, ['pointer', ['_MMWSL']]], 'NextPageColor' : [ 0x60, ['unsigned short']], 'LastTrimStamp' : [ 0x62, ['unsigned short']], 'PageFaultCount' : [ 0x64, ['unsigned long']], 'TrimmedPageCount' : [ 0x68, ['unsigned long']], 'ForceTrimPages' : [ 0x6c, ['unsigned long']], 'Flags' : [ 0x70, ['_MMSUPPORT_FLAGS']], 'ReleasedCommitDebt' : [ 0x74, ['unsigned long']], 'WsSwapSupport' : [ 0x78, ['pointer', ['void']]], 'CommitReAcquireFailSupport' : [ 0x7c, ['pointer', ['void']]], } ], '__unnamed_166f' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_1673' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_166f']], 'u2' : [ 
0x24, ['__unnamed_1673']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], } ], '__unnamed_1678' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1683' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long')]], 'SystemImage' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'StrongCode' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 28, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1685' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_1683']], } ], '_CONTROL_AREA' : [ 0x50, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'ListHead' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_1678']], 'FilePointer' : [ 0x20, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x24, ['long']], 'ModifiedWriteCount' : [ 0x28, ['unsigned long']], 'WaitList' : [ 0x2c, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x30, ['__unnamed_1685']], 'LockedPages' : [ 0x40, ['unsigned long long']], 
'FileObjectLock' : [ 0x48, ['_EX_PUSH_LOCK']], } ], '__unnamed_1696' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_1699' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x28, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['long']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u' : [ 0x1c, ['__unnamed_1696']], 'u1' : [ 0x20, ['__unnamed_1699']], 'EventList' : [ 0x24, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], } ], '_MI_PARTITION' : [ 0x1740, { 'Core' : [ 0x0, ['_MI_PARTITION_CORE']], 'Modwriter' : [ 0xe8, ['_MI_PARTITION_MODWRITES']], 'Store' : [ 0x298, ['_MI_PARTITION_STORES']], 'Segments' : [ 0x2e8, ['_MI_PARTITION_SEGMENTS']], 'PageLists' : [ 0x3c0, ['_MI_PARTITION_PAGE_LISTS']], 'Commit' : [ 0xa80, ['_MI_PARTITION_COMMIT']], 'Zeroing' : [ 0xaa0, ['_MI_PARTITION_ZEROING']], 'PageCombine' : [ 0xad0, ['_MI_PAGE_COMBINING_SUPPORT']], 'WorkingSetControl' : [ 0xba8, ['pointer', ['void']]], 'WorkingSetExpansionHead' : [ 0xbac, ['_MMWORKING_SET_EXPANSION_HEAD']], 'Vp' : [ 0xbc0, ['_MI_VISIBLE_PARTITION']], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 0x0, ['unsigned long']], } ], '_MMPAGING_FILE' : [ 0x90, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'FreeReservationSpace' : [ 0x18, ['unsigned long']], 'LargestReserveCluster' : [ 0x1c, ['unsigned long']], 'File' : [ 0x20, ['pointer', 
['_FILE_OBJECT']]], 'Entry' : [ 0x24, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x30, ['_SLIST_HEADER']], 'PageFileName' : [ 0x38, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x40, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x44, ['unsigned long']], 'ReservationBitmapHint' : [ 0x48, ['unsigned long']], 'LargestNonReservedClusterSize' : [ 0x4c, ['unsigned long']], 'RefreshClusterSize' : [ 0x50, ['unsigned long']], 'LastRefreshClusterSize' : [ 0x54, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x58, ['unsigned long']], 'ToBeEvictedCount' : [ 0x5c, ['unsigned long']], 'HybridPriority' : [ 0x5c, ['unsigned long']], 'PageFileNumber' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0x60, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'NoReservations' : [ 0x60, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'VirtualStorePagefile' : [ 0x60, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SwapSupported' : [ 0x60, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'NodeInserted' : [ 0x60, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'StackNotified' : [ 0x60, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x60, ['BitField', dict(start_bit = 10, end_bit = 15, native_type='unsigned short')]], 'AdriftMdls' : [ 0x62, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0x62, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x63, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0x64, ['unsigned long']], 'PageHashPagesPeak' : [ 0x68, ['unsigned long']], 'PageHash' : [ 0x6c, ['pointer', ['unsigned long']]], 'FileHandle' : [ 0x70, 
['pointer', ['void']]], 'Lock' : [ 0x74, ['unsigned long']], 'LockOwner' : [ 0x78, ['pointer', ['_ETHREAD']]], 'FlowThroughReadRoot' : [ 0x7c, ['_RTL_AVL_TREE']], 'Partition' : [ 0x80, ['pointer', ['_MI_PARTITION']]], 'FileObjectNode' : [ 0x84, ['_RTL_BALANCED_NODE']], } ], 'tagSWITCH_CONTEXT' : [ 0x68, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '__unnamed_16da' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry', 21: '_CmpMountPreloadedHives', 22: '_CmpLoadHiveThread'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_16dd' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x4, ['pointer', ['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_16df' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_16e3' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', ['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_16e5' : [ 0x10, { 'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_16e9' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_16ed' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 
'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_16ef' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x120, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned long']], 'RecoverableIndex' : [ 0x8, ['unsigned long']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_16da']]], 'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_16da']]], 'RegistryIO' : [ 0xcc, ['__unnamed_16dd']], 'CheckRegistry2' : [ 0xd8, ['__unnamed_16df']], 'CheckKey' : [ 0xdc, ['__unnamed_16e3']], 'CheckValueList' : [ 0xec, ['__unnamed_16e5']], 'CheckHive' : [ 0xfc, ['__unnamed_16e9']], 'CheckHive1' : [ 0x108, ['__unnamed_16e9']], 'CheckBin' : [ 0x114, ['__unnamed_16ed']], 'RecoverData' : [ 0x11c, ['__unnamed_16ef']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xc0, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 
'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long long']], 'ParkingStatus' : [ 0x80, ['unsigned long']], 'CurrentFrequency' : [ 0x84, ['unsigned long']], 'PercentMaxFrequency' : [ 0x88, ['unsigned long']], 'StateFlags' : [ 0x8c, ['unsigned long']], 'NominalThroughput' : [ 0x90, ['unsigned long']], 'ActiveThroughput' : [ 0x94, ['unsigned long']], 'ScaledThroughput' : [ 0x98, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0xa0, ['unsigned long long']], 'AverageIdleTime' : [ 0xa8, ['unsigned long long']], 'IdleBreakEvents' : [ 0xb0, ['unsigned long long']], 'PerformanceLimit' : [ 0xb8, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xbc, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 
'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : 
[ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0xc, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], } ], '_TEB32' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 16, ['unsigned long']]], 'SystemReserved1' : [ 0x10c, ['array', 38, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'InstrumentationCallbackSp' : [ 0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned 
long']], 'InstrumentationCallbackDisabled' : [ 0x1b8, ['unsigned char']], 'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned 
char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], '_TEB64' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' 
: [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['unsigned long long']]], 'SystemReserved1' : [ 0x190, ['array', 38, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : 
[ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 
'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, 
native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_HV_X64_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState_Deprecated' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable_Deprecated' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 
'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ExtendedGvaRangesForFlushVirtualAddressListAvailable' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'FastHypercallOutputAvailable' : [ 0xc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SvmFeaturesAvailable' : [ 0xc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SintPollingModeAvailable' : [ 0xc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeReg' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicRegs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerRegs' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessIntrCtrlRegs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetReg' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsReg' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleReg' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyRegs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugRegs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 
'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'AccessVpExitTracing' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'EnableExtendedGvaRangesForFlushVirtualAddressList' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 48, native_type='unsigned long long')]], 'AccessVsm' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 49, native_type='unsigned long long')]], 'AccessVpRegisters' : [ 0x0, ['BitField', dict(start_bit = 49, end_bit = 50, native_type='unsigned long long')]], 'UnusedBit' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 51, native_type='unsigned long long')]], 'FastHypercallOutput' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'EnableExtendedHypercalls' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'StartVirtualProcessor' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, 
['_ULARGE_INTEGER']], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x134, { 'Lock' : [ 0x0, ['unsigned long']], 'ReadySummary' : [ 0x4, ['unsigned long']], 'ReadyListHead' : [ 0x8, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x108, ['array', 32, ['unsigned char']]], 'Span' : [ 0x128, ['unsigned char']], 'LowProcIndex' : [ 0x129, ['unsigned char']], 'QueueIndex' : [ 0x12a, ['unsigned char']], 'ProcCount' : [ 0x12b, ['unsigned char']], 'ScanOwner' : [ 0x12c, ['unsigned char']], 'Spare' : [ 0x12d, ['array', 3, ['unsigned char']]], 'Affinity' : [ 0x130, ['unsigned long']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0xc, { 'Affinity' : [ 0x0, ['pointer', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x4, ['unsigned long']], 'CurrentIndex' : [ 0x8, ['unsigned short']], } ], '__unnamed_17fc' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_17fe' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1802' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 
'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x1cc, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'FxDevice' : [ 0x28, ['pointer', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x2c, ['long']], 'FxRemoveEvent' : [ 0x30, ['_KEVENT']], 'FxActivationCount' : [ 0x40, ['long']], 'FxSleepCount' : [ 0x44, ['long']], 'Plugin' : [ 0x48, ['pointer', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x4c, ['unsigned long']], 'CurrentPowerState' : [ 0x50, ['_POWER_STATE']], 'Notify' : [ 0x54, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x90, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0xa0, ['_UNICODE_STRING']], 'PowerFlags' : [ 0xa8, ['unsigned long']], 'State' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0xb0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 
'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0xb4, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x104, ['unsigned long']], 'CompletionStatus' : [ 0x108, ['long']], 'Flags' : [ 0x10c, ['unsigned long']], 'UserFlags' : [ 0x110, ['unsigned long']], 'Problem' : [ 0x114, ['unsigned long']], 'ProblemStatus' : [ 0x118, ['long']], 'ResourceList' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x120, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x124, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x128, ['pointer', 
['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x130, ['unsigned long']], 'ChildInterfaceType' : [ 0x134, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x138, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x13c, ['unsigned short']], 'RemovalPolicy' : [ 0x13e, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x13f, ['unsigned char']], 'TargetDeviceNotify' : [ 0x140, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x148, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x150, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x158, ['unsigned short']], 'QueryTranslatorMask' : [ 0x15a, ['unsigned short']], 'NoArbiterMask' : [ 0x15c, ['unsigned short']], 'QueryArbiterMask' : [ 0x15e, ['unsigned short']], 'OverUsed1' : [ 0x160, ['__unnamed_17fc']], 'OverUsed2' : [ 0x164, ['__unnamed_17fe']], 'BootResources' : [ 0x168, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x16c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x170, ['unsigned long']], 'DockInfo' : [ 0x174, ['__unnamed_1802']], 'DisableableDepends' : [ 0x184, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x188, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x190, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x198, ['unsigned long']], 
'PreviousParent' : [ 0x19c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x1a0, ['long']], 'NumaNodeIndex' : [ 0x1a4, ['unsigned long']], 'ContainerID' : [ 0x1a8, ['_GUID']], 'OverrideFlags' : [ 0x1b8, ['unsigned char']], 'DeviceIdsHash' : [ 0x1bc, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x1c0, ['unsigned char']], 'PendingEjectRelations' : [ 0x1c4, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x1c8, ['unsigned long']], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x38, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x2c, ['pointer', ['unsigned long']]], 'EnableKeyWords' : [ 0x30, ['pointer', ['unsigned long long']]], 'EnableLevel' : [ 0x34, ['pointer', ['unsigned char']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x38, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned 
long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependencyNode' : [ 0x2c, ['pointer', ['void']]], 'InterruptContext' : [ 0x30, ['pointer', ['void']]], 'VerifierContext' : [ 0x34, ['pointer', ['void']]], } ], '_GROUP_AFFINITY' : [ 0xc, { 'Mask' : [ 0x0, ['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, 
['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned 
char']]], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, 
['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 
0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned 
long']], } ], '__unnamed_18fc' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'WriteCustomBreakPoint' : [ 0x0, ['_DBGKD_WRITE_CUSTOM_BREAKPOINT']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_18fc']], } ], '__unnamed_1903' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 
'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1903']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } 
], '_PEP_ACPI_RESOURCE' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'IoMemory' : [ 0x0, ['_PEP_ACPI_IO_MEMORY_RESOURCE']], 'Interrupt' : [ 0x0, ['_PEP_ACPI_INTERRUPT_RESOURCE']], 'Gpio' : [ 0x0, ['_PEP_ACPI_GPIO_RESOURCE']], 'SpbI2c' : [ 0x0, ['_PEP_ACPI_SPB_I2C_RESOURCE']], 'SpbSpi' : [ 0x0, ['_PEP_ACPI_SPB_SPI_RESOURCE']], 'SpbUart' : [ 0x0, ['_PEP_ACPI_SPB_UART_RESOURCE']], 'ExtendedAddress' : [ 0x0, ['_PEP_ACPI_EXTENDED_ADDRESS']], } ], '_PEP_ACPI_IO_MEMORY_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Information' : [ 0x4, ['unsigned char']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], } ], '_PEP_ACPI_INTERRUPT_RESOURCE' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'InterruptType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Flags' : [ 0xc, ['_PEP_ACPI_RESOURCE_FLAGS']], 'Count' : [ 0x10, 
['unsigned char']], 'Pins' : [ 0x14, ['pointer', ['unsigned long']]], } ], '_PEP_ACPI_GPIO_RESOURCE' : [ 0x30, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'InterruptType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'PinConfig' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PullDefault', 1: 'PullUp', 2: 'PullDown', 3: 'PullNone'})]], 'IoRestrictionType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'IoRestrictionNone', 1: 'IoRestrictionInputOnly', 2: 'IoRestrictionOutputOnly', 3: 'IoRestrictionNoneAndPreserve'})]], 'DriveStrength' : [ 0x18, ['unsigned short']], 'DebounceTimeout' : [ 0x1a, ['unsigned short']], 'PinTable' : [ 0x1c, ['pointer', ['unsigned short']]], 'PinCount' : [ 0x20, ['unsigned short']], 'ResourceSourceIndex' : [ 0x22, ['unsigned char']], 'ResourceSourceName' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'VendorData' : [ 0x28, ['pointer', ['unsigned char']]], 'VendorDataLength' : [ 0x2c, ['unsigned short']], } ], '_PEP_ACPI_SPB_I2C_RESOURCE' : [ 0x20, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x18, ['unsigned long']], 'SlaveAddress' : [ 0x1c, ['unsigned short']], } ], '_PEP_ACPI_SPB_UART_RESOURCE' : [ 0x24, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'BaudRate' : [ 0x18, ['unsigned long']], 'RxBufferSize' : [ 0x1c, ['unsigned short']], 'TxBufferSize' : [ 0x1e, ['unsigned short']], 'Parity' : [ 0x20, 
['unsigned char']], 'LinesInUse' : [ 0x21, ['unsigned char']], } ], '_PEP_ACPI_SPB_SPI_RESOURCE' : [ 0x24, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x18, ['unsigned long']], 'DataBitLength' : [ 0x1c, ['unsigned char']], 'Phase' : [ 0x1d, ['unsigned char']], 'Polarity' : [ 0x1e, ['unsigned char']], 'DeviceSelection' : [ 0x20, ['unsigned short']], } ], '_PEP_ACPI_EXTENDED_ADDRESS' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'ResourceFlags' : [ 0x8, ['unsigned char']], 'GeneralFlags' : [ 0x9, ['unsigned char']], 'TypeSpecificFlags' : [ 0xa, ['unsigned char']], 'RevisionId' : [ 0xb, ['unsigned char']], 'Reserved' : [ 0xc, ['unsigned char']], 'Granularity' : [ 0x10, ['unsigned long long']], 'MinimumAddress' : [ 0x18, ['unsigned long long']], 'MaximumAddress' : [ 0x20, ['unsigned long long']], 'TranslationAddress' : [ 0x28, ['unsigned long long']], 'AddressLength' : [ 0x30, ['unsigned long long']], 'TypeAttribute' : [ 0x38, ['unsigned long long']], 'DescriptorName' : [ 0x40, ['pointer', ['_UNICODE_STRING']]], } ], '_PPM_PLATFORM_STATES' : [ 0x100, { 'StateCount' : [ 0x0, ['unsigned long']], 'InterfaceVersion' : [ 0x4, ['unsigned long']], 'ProcessorCount' : [ 0x8, ['unsigned long']], 'CoordinatedInterface' : [ 0xc, ['unsigned char']], 'IdleTest' : [ 0x10, ['pointer', ['void']]], 'IdlePreExecute' : [ 0x14, ['pointer', ['void']]], 'IdleComplete' : [ 0x18, ['pointer', ['void']]], 'QueryPlatformStateResidency' : [ 0x1c, ['pointer', ['void']]], 'Accounting' : [ 0x20, ['pointer', ['_PLATFORM_IDLE_ACCOUNTING']]], 'State' : [ 0x40, ['array', 1, ['_PPM_PLATFORM_STATE']]], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 
0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_PPM_PROFILE' : [ 0x1a8, { 'Name' : [ 0x0, ['pointer', ['unsigned short']]], 'Id' : [ 0x4, ['unsigned char']], 'Guid' : [ 0x8, ['_GUID']], 'Flags' : [ 0x18, ['unsigned long']], 'Priority' : [ 0x1c, ['unsigned char']], 'Settings' : [ 0x20, ['array', 2, ['_PPM_ENGINE_SETTINGS']]], 'StartTime' : [ 0x180, ['unsigned long long']], 'Count' : [ 0x188, ['unsigned long long']], 'MaxDuration' : [ 0x190, ['unsigned long long']], 'MinDuration' : [ 0x198, ['unsigned long long']], 'TotalDuration' : [ 0x1a0, ['unsigned long long']], } ], '_PPM_ENGINE_SETTINGS' : [ 0xb0, { 'ExplicitSetting' : [ 0x0, ['array', 2, ['_PPM_POLICY_SETTINGS_MASK']]], 'ThrottlingPolicy' : [ 0x10, ['unsigned char']], 'PerfTimeCheck' : [ 0x14, ['unsigned long']], 'PerfHistoryCount' : [ 0x18, ['array', 2, ['unsigned char']]], 'PerfMinPolicy' : [ 0x1a, ['array', 2, ['unsigned char']]], 'PerfMaxPolicy' : [ 0x1c, ['array', 2, ['unsigned char']]], 'PerfDecreaseTime' : [ 0x1e, ['array', 2, ['unsigned char']]], 'PerfIncreaseTime' : [ 0x20, ['array', 2, ['unsigned char']]], 'PerfDecreasePolicy' : [ 0x22, ['array', 2, ['unsigned char']]], 'PerfIncreasePolicy' : [ 0x24, ['array', 2, ['unsigned char']]], 'PerfDecreaseThreshold' : [ 0x26, ['array', 2, ['unsigned char']]], 'PerfIncreaseThreshold' : [ 0x28, ['array', 2, ['unsigned char']]], 'PerfBoostPolicy' : [ 0x2c, ['unsigned long']], 'PerfBoostMode' : [ 0x30, ['unsigned long']], 'PerfReductionTolerance' : [ 0x34, ['unsigned long']], 'EnergyPerfPreference' : [ 0x38, ['unsigned long']], 'AutonomousActivityWindow' : [ 0x3c, ['unsigned long']], 'AutonomousPreference' : [ 0x40, ['unsigned char']], 'LatencyHintPerf' : [ 0x41, ['array', 2, ['unsigned char']]], 'LatencyHintUnpark' : [ 0x43, ['array', 2, ['unsigned char']]], 'DutyCycling' : [ 0x45, ['unsigned char']], 'ParkingPerfState' : [ 0x46, ['array', 2, ['unsigned char']]], 'DistributeUtility' : [ 0x48, ['unsigned 
char']], 'CoreParkingOverUtilizationThreshold' : [ 0x49, ['unsigned char']], 'CoreParkingConcurrencyThreshold' : [ 0x4a, ['unsigned char']], 'CoreParkingHeadroomThreshold' : [ 0x4b, ['unsigned char']], 'CoreParkingDistributionThreshold' : [ 0x4c, ['unsigned char']], 'CoreParkingDecreasePolicy' : [ 0x4d, ['unsigned char']], 'CoreParkingIncreasePolicy' : [ 0x4e, ['unsigned char']], 'CoreParkingDecreaseTime' : [ 0x50, ['unsigned long']], 'CoreParkingIncreaseTime' : [ 0x54, ['unsigned long']], 'CoreParkingMinCores' : [ 0x58, ['array', 2, ['unsigned char']]], 'CoreParkingMaxCores' : [ 0x5a, ['array', 2, ['unsigned char']]], 'AllowScaling' : [ 0x5c, ['unsigned char']], 'IdleDisabled' : [ 0x5d, ['unsigned char']], 'IdleTimeCheck' : [ 0x60, ['unsigned long']], 'IdleDemotePercent' : [ 0x64, ['unsigned char']], 'IdlePromotePercent' : [ 0x65, ['unsigned char']], 'HeteroDecreaseTime' : [ 0x66, ['unsigned char']], 'HeteroIncreaseTime' : [ 0x67, ['unsigned char']], 'HeteroDecreaseThreshold' : [ 0x68, ['array', 32, ['unsigned char']]], 'HeteroIncreaseThreshold' : [ 0x88, ['array', 32, ['unsigned char']]], 'Class0FloorPerformance' : [ 0xa8, ['unsigned char']], 'Class1InitialPerformance' : [ 0xa9, ['unsigned char']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_PERF_FLAGS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 
'Progress' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 27, native_type='unsigned long')]], 'Synchronicity' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 29, native_type='unsigned long')]], 'RequestPepCompleted' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'RequestSucceeded' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NestedCallback' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'IrpFirstPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IrpLastPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0x90, { 
'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x14, ['unsigned long']], 'LogHandleContext' : [ 0x18, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0x80, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x84, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0x88, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x178, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', ['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'V1' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0xa0, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', 
['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xb4, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd8, ['_LARGE_INTEGER']], 'Event' : [ 0xe0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xf0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xf8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x160, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x164, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x168, ['unsigned long']], 'WritesInProgress' : [ 0x16c, ['unsigned long']], 'AsyncReadRequestCount' : [ 0x170, ['unsigned long']], } ], '__unnamed_19e9' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_19e9']], 'ArrayHead' : [ 0x10, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1a0e' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1a10' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1a12' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1a14' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1a16' : [ 0x1c, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x4, ['pointer', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x8, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x18, ['unsigned char']], } ], '__unnamed_1a1a' : [ 0x38, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], 'FileOffset' : [ 0x8, ['_LARGE_INTEGER']], 'FileObject' : [ 0x10, ['pointer', ['_FILE_OBJECT']]], 'Length' : [ 0x14, ['unsigned long']], 'PrefetchList' : [ 0x18, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'PrefetchPagePriority' : [ 0x1c, ['unsigned long']], 'Mdl' : [ 0x20, ['pointer', ['_MDL']]], 'IoStatusBlock' : [ 0x24, ['pointer', ['_IO_STATUS_BLOCK']]], 'CallbackContext' : [ 0x28, 
['pointer', ['_CC_ASYNC_READ_CONTEXT']]], 'OriginatingProcess' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'RequestorMode' : [ 0x30, ['unsigned char']], 'NestingLevel' : [ 0x34, ['unsigned long']], } ], '__unnamed_1a1c' : [ 0x38, { 'Read' : [ 0x0, ['__unnamed_1a0e']], 'Write' : [ 0x0, ['__unnamed_1a10']], 'Event' : [ 0x0, ['__unnamed_1a12']], 'Notification' : [ 0x0, ['__unnamed_1a14']], 'LowPriWrite' : [ 0x0, ['__unnamed_1a16']], 'AsyncRead' : [ 0x0, ['__unnamed_1a1a']], } ], '_WORK_QUEUE_ENTRY' : [ 0x48, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_1a1c']], 'Function' : [ 0x40, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x18, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0x4, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x10, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x68, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x8, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0xc, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x18, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x40, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x44, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x48, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x50, ['pointer', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x54, ['unsigned long']], 'LastLWTimeStamp' : [ 0x58, ['_LARGE_INTEGER']], 'Flags' : [ 0x60, ['unsigned long']], } ], '_MBCB' : [ 0x88, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x68, 
['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x248, { 'Segment' : [ 0x0, ['_HEAP_SEGMENT']], 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, 
['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x58, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x5c, ['unsigned long']], 'Signature' : [ 0x60, ['unsigned long']], 'SegmentReserve' : [ 0x64, ['unsigned long']], 'SegmentCommit' : [ 0x68, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x6c, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x70, ['unsigned long']], 'TotalFreeSize' : [ 0x74, ['unsigned long']], 'MaximumAllocationSize' : [ 0x78, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x7c, ['unsigned short']], 'HeaderValidateLength' : [ 0x7e, ['unsigned short']], 'HeaderValidateCopy' : [ 0x80, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x84, ['unsigned short']], 'MaximumTagIndex' : [ 0x86, ['unsigned short']], 'TagEntries' : [ 0x88, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x8c, ['_LIST_ENTRY']], 'AlignRound' : [ 0x94, ['unsigned long']], 'AlignMask' : [ 0x98, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x9c, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa4, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xac, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb0, ['unsigned long']], 'BlocksIndex' : [ 0xb4, ['pointer', ['void']]], 'UCRIndex' : [ 0xb8, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xbc, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc0, ['_LIST_ENTRY']], 'LockVariable' : [ 0xc8, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xcc, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd0, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd4, ['unsigned short']], 'FrontEndHeapType' : [ 0xd6, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0xd7, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0xd8, ['pointer', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0xdc, ['unsigned short']], 
'FrontEndHeapStatusBitmap' : [ 0xde, ['array', 257, ['unsigned char']]], 'Counters' : [ 0x1e0, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x23c, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1a8a' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_1a8a']], } ], '_HEAP_ENTRY' : [ 0x8, { 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 
'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'HeapEntry' : [ 0x0, ['_HEAP_ENTRY']], 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1add' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1adf' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1add']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ae1' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1ae3' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1ae1']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1adf']], 'u2' : [ 0x4, ['__unnamed_1ae3']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 
0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x20, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1b00' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1b02' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1b00']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1b02']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Pad' : [ 0x10, ['unsigned long']], 'Lock' : [ 0x14, ['_EX_PUSH_LOCK']], } ], '__unnamed_1b16' : [ 
0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1b18' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b16']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_1b18']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_1b21' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1b23' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b21']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_1b23']], 'NumberOfViews' : [ 0x1c, ['unsigned long']], 'ViewListHead' : [ 0x20, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x2c, ['pointer', ['_KALPC_VIEW']]], } ], '__unnamed_1b29' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1b2b' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b29']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 
'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, ['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', ['void']]], 'u1' : [ 0x24, ['__unnamed_1b2b']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x28, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x24, ['pointer', ['_KALPC_MESSAGE']]], } ], '__unnamed_1b48' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, 
native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1b4a' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b48']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x11c, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x5c, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x60, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x68, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0x70, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0x74, ['_LIST_ENTRY']], 'DirectQueueLock' : [ 0x7c, ['_EX_PUSH_LOCK']], 'DirectQueue' : [ 0x80, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0x8c, ['_LIST_ENTRY']], 'Semaphore' : [ 0x94, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'PortAttributes' : [ 0x98, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0xc4, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xc8, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0xd4, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0xd8, ['pointer', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0xdc, ['pointer', ['void']]], 'CanceledQueue' : [ 0xe0, ['_LIST_ENTRY']], 
'SequenceNo' : [ 0xe8, ['long']], 'ReferenceNo' : [ 0xec, ['long']], 'ReferenceNoWait' : [ 0xf0, ['pointer', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0xf4, ['__unnamed_1b4a']], 'TargetQueuePort' : [ 0xf8, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xfc, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x100, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x104, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x108, ['unsigned long']], 'PendingQueueLength' : [ 0x10c, ['unsigned long']], 'DirectQueueLength' : [ 0x110, ['unsigned long']], 'CanceledQueueLength' : [ 0x114, ['unsigned long']], 'WaitQueueLength' : [ 0x118, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x58, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'CompletionListLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x10, ['pointer', ['_MDL']]], 'UserVa' : [ 0x14, ['pointer', ['void']]], 'UserLimit' : [ 0x18, ['pointer', ['void']]], 'DataUserVa' : [ 0x1c, ['pointer', ['void']]], 'SystemVa' : [ 0x20, ['pointer', ['void']]], 'TotalSize' : [ 0x24, ['unsigned long']], 'Header' : [ 0x28, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x2c, ['pointer', ['void']]], 'ListSize' : [ 0x30, ['unsigned long']], 'Bitmap' : [ 0x34, ['pointer', ['void']]], 'BitmapSize' : [ 0x38, ['unsigned long']], 'Data' : [ 0x3c, ['pointer', ['void']]], 'DataSize' : [ 0x40, ['unsigned long']], 'BitmapLimit' : [ 0x44, ['unsigned long']], 'BitmapNextHint' : [ 0x48, ['unsigned long']], 'ConcurrencyCount' : [ 0x4c, ['unsigned long']], 'AttributeFlags' : [ 0x50, ['unsigned long']], 'AttributeSize' : [ 0x54, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', 
['void']]], } ], '_OBJECT_TYPE' : [ 0x90, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'Key' : [ 0x84, ['unsigned long']], 'CallbackList' : [ 0x88, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x14, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x10, ['long']], } ], '__unnamed_1b6d' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, 
native_type='unsigned long')]], } ], '__unnamed_1b6f' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b6d']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x90, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'u1' : [ 0x14, ['__unnamed_1b6f']], 'SequenceNo' : [ 0x18, ['long']], 'QuotaProcess' : [ 0x1c, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x1c, ['pointer', ['void']]], 'CancelSequencePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x24, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x28, ['long']], 'CancelListEntry' : [ 0x2c, ['_LIST_ENTRY']], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x38, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x58, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x5c, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x60, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x64, ['pointer', ['_ETHREAD']]], 'WakeReference' : [ 0x68, ['pointer', ['void']]], 'ExtensionBuffer' : [ 0x6c, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0x70, ['unsigned long']], 'PortMessage' : [ 0x78, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x24, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'DirectEvent' : [ 0x14, ['_KALPC_DIRECT_EVENT']], 'Flags' : [ 0x18, ['unsigned long']], 'TotalLength' : [ 0x1c, ['unsigned short']], 'Type' : [ 0x1e, ['unsigned short']], 'DataInfoOffset' : [ 0x20, ['unsigned short']], 'SignalCompletion' : [ 0x22, ['unsigned char']], 'PostedToCompletionList' : [ 0x23, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned 
long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x20, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x20, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], 'DirectEvent' : [ 0x1c, ['_KALPC_DIRECT_EVENT']], } ], '__unnamed_1bb2' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1bb4' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bb2']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1bb4']], } ], '_KALPC_DIRECT_EVENT' : [ 0x4, { 'Event' : [ 0x0, ['unsigned long']], 'Referenced' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 
0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 'IoStatusInformation' : [ 0x18, ['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x28, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer', ['void']]], 'ActivityId' : [ 0xc, ['_GUID']], 'Timestamp' : [ 0x1c, ['_LARGE_INTEGER']], 'ZeroingOffset' : [ 0x1c, ['unsigned long']], 'FsTrackOffsetBlob' : [ 0x1c, ['pointer', ['_IO_IRP_EXT_TRACK_OFFSET_HEADER']]], 'FsTrackedOffset' : [ 0x20, ['long long']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 
'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x24, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 7, ['pointer', ['void']]]], 'FoIoPriorityHint' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x48, 
['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x4c, ['pointer', ['void']]], 'Override' : [ 0x50, ['unsigned char']], 'QueryOnly' : [ 0x51, ['unsigned char']], 'DeleteOnly' : [ 0x52, ['unsigned char']], 'FullAttributes' : [ 0x53, ['unsigned char']], 'LocalFileObject' : [ 0x54, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x58, ['unsigned long']], 'AccessMode' : [ 0x5c, ['unsigned char']], 'DriverCreateContext' : [ 0x60, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1c7f' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x110, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1c7f']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 
'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer', ['unsigned short']]], 'LogFileName' : [ 0x3c, ['pointer', ['unsigned short']]], 'TimeZone' : [ 0x40, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf0, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0xf8, ['_LARGE_INTEGER']], 'StartTime' : [ 0x100, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x108, ['unsigned long']], 'BuffersLost' : [ 0x10c, ['unsigned long']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x288, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 1, ['unsigned long']]], 'ErrorMarker' : [ 0x18, ['unsigned long']], 'SizeMask' : [ 0x1c, ['unsigned long']], 'GetCpuClock' : [ 0x20, ['pointer', ['void']]], 'LoggerThread' : [ 0x24, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x28, ['long']], 'FailureReason' : [ 0x2c, ['unsigned long']], 'BufferQueue' : [ 0x30, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x3c, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x48, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x50, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x58, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x58, ['_EX_FAST_REF']], 'LoggerName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFileName' : [ 0x64, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x6c, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x74, ['_UNICODE_STRING']], 'ClockType' : [ 0x7c, ['unsigned long']], 'LastFlushedBuffer' : [ 0x80, ['unsigned long']], 'FlushTimer' : [ 0x84, ['unsigned long']], 'FlushThreshold' : [ 0x88, ['unsigned long']], 'ByteOffset' : [ 0x90, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x98, ['unsigned long']], 'BuffersAvailable' : [ 0x9c, ['long']], 'NumberOfBuffers' : [ 0xa0, ['long']], 'MaximumBuffers' : [ 0xa4, ['unsigned long']], 
'EventsLost' : [ 0xa8, ['unsigned long']], 'PeakBuffersCount' : [ 0xac, ['long']], 'BuffersWritten' : [ 0xb0, ['unsigned long']], 'LogBuffersLost' : [ 0xb4, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xb8, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xbc, ['unsigned long']], 'SequencePtr' : [ 0xc0, ['pointer', ['long']]], 'LocalSequence' : [ 0xc4, ['unsigned long']], 'InstanceGuid' : [ 0xc8, ['_GUID']], 'MaximumFileSize' : [ 0xd8, ['unsigned long']], 'FileCounter' : [ 0xdc, ['long']], 'PoolType' : [ 0xe0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xe8, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0xf8, ['long']], 'ProviderInfoSize' : [ 0xfc, ['unsigned long']], 'Consumers' : [ 0x100, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x108, ['unsigned long']], 'TransitionConsumer' : [ 0x10c, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x110, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x114, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x120, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x128, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x130, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x138, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x140, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x148, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x150, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x160, ['Enumeration', dict(target = 'long', choices = {0: 
'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x164, ['_KEVENT']], 'FlushEvent' : [ 0x174, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x188, ['_KTIMER']], 'LoggerDpc' : [ 0x1b0, ['_KDPC']], 'LoggerMutex' : [ 0x1d0, ['_KMUTANT']], 'LoggerLock' : [ 0x1f0, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1f4, ['unsigned long']], 'BufferListPushLock' : [ 0x1f4, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1f8, ['_SECURITY_CLIENT_CONTEXT']], 'TokenAccessInformation' : [ 0x234, ['pointer', ['_TOKEN_ACCESS_INFORMATION']]], 'SecurityDescriptor' : [ 0x238, ['_EX_FAST_REF']], 'StartTime' : [ 0x240, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x248, ['pointer', ['void']]], 'BufferSequenceNumber' : [ 0x250, ['long long']], 'Flags' : [ 0x258, ['unsigned long']], 'Persistent' : [ 0x258, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x258, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x258, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x258, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x258, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x258, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x258, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x258, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x258, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x258, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x258, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 
0x258, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x258, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'StackLookasideListAllocated' : [ 0x258, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SecurityTrace' : [ 0x258, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'SpareFlags1' : [ 0x258, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x258, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x258, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x258, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x25c, ['unsigned long']], 'DbgRequestNewFile' : [ 0x25c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x25c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x25c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x25c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x25c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x25c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x25c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x25c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDeferredFlush' : [ 0x25c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDeferredFlushTimer' : [ 0x25c, ['BitField', dict(start_bit = 9, 
end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x25c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x25c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x25c, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x260, ['_RTL_BITMAP']], 'StackCache' : [ 0x268, ['pointer', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x26c, ['pointer', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x270, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x278, ['pointer', ['pointer', ['_WMI_BUFFER_HEADER']]]], 'DisallowedGuids' : [ 0x27c, ['_DISALLOWED_GUIDS']], 'ServerSilo' : [ 0x284, ['pointer', ['_ESILO']]], } ], '_ETW_PMC_SUPPORT' : [ 0x24, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_SILODRIVERSTATE' : [ 0x190, { 'EtwpSecurityProviderPID' : [ 0x0, ['unsigned 
long']], 'EtwpSecurityProviderGuidEntry' : [ 0x8, ['_ETW_GUID_ENTRY']], 'AuditLoggerId' : [ 0x168, ['unsigned long']], 'EtwPsProvRegHandle' : [ 0x170, ['unsigned long long']], 'EtwpSecurityLoggers' : [ 0x178, ['array', 8, ['unsigned short']]], 'EtwpSecurityProviderEnableMask' : [ 0x188, ['unsigned char']], 'EtwpShutdownInProgress' : [ 0x189, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x298, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x9c, ['pointer', ['void']]], 'DynamicPart' : [ 0xa0, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa4, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xb0, ['unsigned long']], 'TokenInUse' : [ 0xb4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb8, ['unsigned long']], 'MandatoryPolicy' : [ 0xbc, ['unsigned 
long']], 'LogonSession' : [ 0xc0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc4, ['_LUID']], 'SidHash' : [ 0xcc, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x154, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1dc, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x1e0, ['pointer', ['void']]], 'Capabilities' : [ 0x1e4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x1e8, ['unsigned long']], 'CapabilitiesHash' : [ 0x1ec, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x274, ['pointer', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x278, ['pointer', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x27c, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x280, ['pointer', ['void']]], 'TrustLinkedToken' : [ 0x284, ['pointer', ['_TOKEN']]], 'IntegrityLevelSidValue' : [ 0x288, ['pointer', ['void']]], 'TokenSidValues' : [ 0x28c, ['pointer', ['_SEP_SID_VALUES_BLOCK']]], 'VariablePart' : [ 0x290, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x5c, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x34, ['_SEP_LOWBOX_HANDLES_TABLE']], 'SharedDataLock' : [ 0x3c, ['_EX_PUSH_LOCK']], 'SharedClaimAttributes' : [ 0x40, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'SharedSidValues' : [ 0x44, ['pointer', ['_SEP_SID_VALUES_BLOCK']]], 'RevocationBlock' : [ 0x48, ['_OB_HANDLE_REVOCATION_BLOCK']], 'ServerSilo' : [ 0x58, ['pointer', ['_ESILO']]], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 
0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : [ 0xd, ['unsigned char']], 'DbgRefTrace' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0xd, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'NewObject' : [ 0xf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0xf, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0xf, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0xf, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0xf, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0xf, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0xf, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0xf, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, 
['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x8, { 'SecurityDescriptor' : [ 0x0, ['pointer', ['void']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_REVOCATION_INFO' : [ 0x10, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'RevocationBlock' : [ 0x8, ['pointer', ['_OB_HANDLE_REVOCATION_BLOCK']]], 'Padding1' : [ 0xc, ['array', 4, ['unsigned char']]], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x18, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'EntryLink' : [ 0x8, ['pointer', ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0xc, ['unsigned long']], 'HashIndex' : [ 0x10, ['unsigned short']], 'DirectoryLocked' : [ 0x12, ['unsigned char']], 'LockedExclusive' : [ 0x13, ['unsigned char']], 'LockStateSignature' : [ 0x14, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xac, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x9c, ['pointer', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0xa0, ['unsigned long']], 'NamespaceEntry' : [ 0xa4, ['pointer', ['void']]], 'Flags' : [ 0xa8, ['unsigned long']], } ], '_OBP_SILODRIVERSTATE' : [ 0x74, { 'SystemDeviceMap' : [ 0x0, ['pointer', ['_DEVICE_MAP']]], 'SystemDosDeviceState' : [ 0x4, ['_OBP_SYSTEM_DOS_DEVICE_STATE']], 'DeviceMapLock' : [ 0x70, ['_EX_PUSH_LOCK']], } ], '_DEVICE_MAP' : [ 0x34, { 'DosDevicesDirectory' : [ 
0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], } ], '_WHEAP_INFO_BLOCK' : [ 0xc, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x4, ['pointer', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x8, ['pointer', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x418, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x8, ['unsigned long']], 'PlatformErrorSourceId' : [ 0xc, ['unsigned long']], 'ErrorCount' : [ 0x10, ['long']], 'RecordCount' : [ 0x14, ['unsigned long']], 'RecordLength' : [ 0x18, ['unsigned long']], 'PoolTag' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x24, ['pointer', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x28, ['pointer', ['void']]], 'SectionCount' : [ 0x2c, ['unsigned long']], 'SectionLength' : [ 0x30, ['unsigned long']], 'TickCountAtLastError' : [ 0x38, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x40, ['unsigned long']], 'TotalErrors' : [ 0x44, ['unsigned long']], 'Deferred' : [ 0x48, ['unsigned char']], 'Descriptor' : [ 0x49, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xe4, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x8, ['unsigned long']], 'ProcessorNumber' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x14, ['long']], 
'ErrorSource' : [ 0x18, ['pointer', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x1c, ['_WHEA_ERROR_RECORD']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x1c, { 'SpinLock' : [ 0x0, ['unsigned long']], 'ConnectLock' : [ 0x4, ['_KEVENT']], 'LineMasked' : [ 0x14, ['unsigned char']], 'InterruptList' : [ 0x18, ['pointer', ['_KINTERRUPT']]], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'Arm64ControlSet' : [ 0x0, ['_ARM64_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0x70, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x8, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned long long']], 'WorkQueue' : [ 0x18, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x40, ['pointer', ['void']]], 'AcceptProcessorNotification' : [ 0x44, ['pointer', ['void']]], 'AcceptAcpiNotification' : [ 0x48, ['pointer', ['void']]], 'WorkOrderCount' : [ 0x4c, ['unsigned long']], 'WorkOrders' : [ 0x50, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, 
['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, 
['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_MI_PARTITION_SEGMENTS' : [ 0xa8, { 'DeleteSubsectionCleanup' : [ 0x0, ['_KEVENT']], 'UnusedSegmentCleanup' : [ 0x10, ['_KEVENT']], 'SubsectionDeletePtes' : [ 0x20, ['unsigned long']], 'DereferenceSegmentHeader' : [ 0x24, ['_MMDEREFERENCE_SEGMENT_HEADER']], 'DeleteOnCloseList' : [ 0x40, ['_LIST_ENTRY']], 'DeleteOnCloseTimer' : [ 0x48, ['_KTIMER']], 'DeleteOnCloseTimerActive' : [ 0x70, ['unsigned char']], 'DeleteOnCloseCount' : [ 0x74, ['unsigned long']], 'UnusedSegmentList' : [ 0x78, ['_LIST_ENTRY']], 'UnusedSubsectionList' : [ 0x80, ['_LIST_ENTRY']], 'DeleteSubsectionList' : [ 0x88, ['_LIST_ENTRY']], 'ControlAreaDeleteEvent' : [ 0x90, ['_KEVENT']], 'ControlAreaDeleteList' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x128, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x104, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x124, ['unsigned long']], } ], '_HEAP_UNPACKED_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], } ], 
'_PEP_ACPI_SPB_RESOURCE' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'TypeSpecificFlags' : [ 0x8, ['unsigned short']], 'ResourceSourceIndex' : [ 0xa, ['unsigned char']], 'ResourceSourceName' : [ 0xc, ['pointer', ['_UNICODE_STRING']]], 'VendorData' : [ 0x10, ['pointer', ['unsigned char']]], 'VendorDataLength' : [ 0x14, ['unsigned short']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'Type' : [ 0x0, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Reserved1' : [ 0x3, ['unsigned char']], 'TimerType' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Timer2Type' : [ 0x0, ['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit 
= 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Timer2ReservedFlags' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Timer2Reserved1' : [ 0x2, ['unsigned char']], 'Timer2Reserved2' : [ 0x3, ['unsigned char']], 'QueueType' : [ 0x0, ['unsigned char']], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'QueueReservedControlFlags' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueSize' : [ 0x2, ['unsigned char']], 'QueueReserved' : [ 0x3, ['unsigned char']], 'ThreadType' : [ 0x0, ['unsigned char']], 'ThreadReserved' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Tagged' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'EnergyProfiling' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Instrumented' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned char')]], 'ThreadReservedControlFlags' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'MutantType' : [ 0x0, ['unsigned char']], 'MutantSize' : [ 0x1, ['unsigned char']], 'DpcActive' : [ 0x2, ['unsigned char']], 'MutantReserved' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_ETW_GUID_ENTRY' : [ 0x160, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['pointer', ['_ETW_FILTER_HEADER']]], 'ServerSilo' : [ 0x15c, ['pointer', ['_ESILO']]], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'WaitResponse' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], } ], '_HEAP_COUNTERS' : [ 0x5c, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 
0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'PollIntervalCounter' : [ 0x38, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x3c, ['unsigned long']], 'HeapPollInterval' : [ 0x40, ['unsigned long']], 'AllocAndFreeOps' : [ 0x44, ['unsigned long']], 'AllocationIndicesActive' : [ 0x48, ['unsigned long']], 'InBlockDeccommits' : [ 0x4c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x50, ['unsigned long']], 'HighWatermarkSize' : [ 0x54, ['unsigned long']], 'LastPolledSize' : [ 0x58, ['unsigned long']], } ], '_TraceLoggingMetadata_t' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned char']], 'Flags' : [ 0x7, ['unsigned char']], 'Magic' : [ 0x8, ['unsigned long long']], } ], '_MI_VISIBLE_PARTITION' : [ 0xb80, { 'LowestPhysicalPage' : [ 0x0, ['unsigned long']], 'HighestPhysicalPage' : [ 0x4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x8, ['unsigned long']], 'NumberOfPagingFiles' : [ 0xc, ['unsigned long']], 'PagingFile' : [ 0x10, ['array', 16, ['pointer', ['_MMPAGING_FILE']]]], 'AvailablePages' : [ 0x80, ['unsigned long']], 'ResidentAvailablePages' : [ 0xc0, ['unsigned long']], 'TotalCommittedPages' : [ 0xc4, ['unsigned long']], 'ModifiedPageListHead' : [ 0x100, ['_MMPFNLIST']], 'ModifiedNoWritePageListHead' : [ 0x140, ['_MMPFNLIST']], 'TotalCommitLimit' : [ 0x154, ['unsigned long']], 'TotalPagesForPagingFile' : [ 0x158, ['unsigned long']], 'VadPhysicalPages' : [ 0x15c, ['unsigned long']], 
'ProcessLockedFilePages' : [ 0x160, ['unsigned long']], 'ChargeCommitmentFailures' : [ 0x164, ['array', 4, ['unsigned long']]], 'PageFileTraceIndex' : [ 0x174, ['long']], 'PageFileTraces' : [ 0x178, ['array', 32, ['_MI_PAGEFILE_TRACES']]], } ], '_OB_HANDLE_REVOCATION_BLOCK' : [ 0x10, { 'RevocationInfos' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'Rundown' : [ 0xc, ['_EX_RUNDOWN_REF']], } ], '_SYSPTES_HEADER' : [ 0x8c, { 'ListHead' : [ 0x0, ['array', 16, ['_LIST_ENTRY']]], 'Count' : [ 0x80, ['unsigned long']], 'NumberOfEntries' : [ 0x84, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x88, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_MI_ACTIVE_WSLE_LISTHEAD' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x44, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, ['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 
'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x3c, ['unsigned char']], 'DeleteType' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], '_PPM_PLATFORM_STATE' : [ 0xc0, { 'Latency' : [ 0x0, ['unsigned long']], 'BreakEvenDuration' : [ 0x4, ['unsigned long']], 'VetoAccounting' : [ 0x8, ['_PPM_VETO_ACCOUNTING']], 'TransitionDebugger' : [ 0x1c, ['unsigned char']], 'Platform' : [ 0x1d, ['unsigned char']], 'DependencyListCount' : [ 0x20, ['unsigned long']], 'Processors' : [ 0x24, ['_KAFFINITY_EX']], 'Name' : [ 0x30, ['_UNICODE_STRING']], 'DependencyLists' : [ 0x38, ['pointer', ['_PPM_SELECTION_DEPENDENCY']]], 'Synchronization' : [ 0x3c, ['_PPM_COORDINATED_SYNCHRONIZATION']], 'EnterTime' : [ 0x40, ['unsigned long long']], 'RefCount' : [ 0x80, ['long']], 'CacheAlign0' : [ 0x80, ['array', 64, ['unsigned char']]], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_TOKEN_ACCESS_INFORMATION' : [ 0x38, { 'SidHash' : [ 0x0, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'RestrictedSidHash' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'Privileges' : [ 0x8, ['pointer', ['_TOKEN_PRIVILEGES']]], 'AuthenticationId' : [ 0xc, ['_LUID']], 'TokenType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'MandatoryPolicy' : [ 0x1c, 
['_TOKEN_MANDATORY_POLICY']], 'Flags' : [ 0x20, ['unsigned long']], 'AppContainerNumber' : [ 0x24, ['unsigned long']], 'PackageSid' : [ 0x28, ['pointer', ['void']]], 'CapabilitiesHash' : [ 0x2c, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'TrustLevelSid' : [ 0x30, ['pointer', ['void']]], 'SecurityAttributes' : [ 0x34, ['pointer', ['void']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_POP_FX_WORK_ORDER' : [ 0x1c, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x10, ['long']], 'Context' : [ 0x14, ['pointer', ['void']]], 'WatchdogTimerInfo' : [ 0x18, ['pointer', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'FloppyMedia' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned 
char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ForceCollision' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, ['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'Pattern' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolType' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 20, native_type='unsigned long')]], 'SlushSize' : [ 0x8, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x50, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ulTargetPlatform' : [ 0x8, ['unsigned long']], 'ullContextMinimum' : [ 0x10, ['unsigned long long']], 'guPlatform' : [ 0x18, ['_GUID']], 'guMinPlatform' : [ 0x28, ['_GUID']], 'ulContextSource' : [ 0x38, ['unsigned long']], 'ulElementCount' : [ 0x3c, ['unsigned long']], 'guElements' : [ 0x40, ['array', 1, ['_GUID']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x10, ['_KEVENT']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', 
['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x8, ['unsigned char']], 'BlockState' : [ 0x9, ['unsigned char']], 'WaitKey' : [ 0xa, ['unsigned short']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'NotificationQueue' : [ 0xc, ['pointer', ['_KQUEUE']]], 'Object' : [ 0x10, ['pointer', ['void']]], 'SparePtr' : [ 0x14, ['pointer', ['void']]], } ], '_ARM64_DBGKD_CONTROL_SET' : [ 0x18, { 'Continue' : [ 0x0, ['unsigned long']], 'TraceFlag' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x10, ['unsigned long long']], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, 
['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'ThermalStandbyTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 
0x4c, ['unsigned long']], 'MinimumThrottle' : [ 0x50, ['unsigned long']], 'OverThrottleThreshold' : [ 0x54, ['unsigned long']], } ], '__unnamed_1e51' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1e53' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1e51']], 'Private' : [ 0x0, ['__unnamed_1e53']], } ], '_KTIMER2' : [ 0x58, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'RbNodes' : [ 0x10, ['array', 2, ['_RTL_BALANCED_NODE']]], 'ListEntry' : [ 0x10, ['_LIST_ENTRY']], 'DueTime' : [ 0x28, ['unsigned long long']], 'MaximumDueTime' : [ 0x30, ['unsigned long long']], 'Period' : [ 0x38, ['long long']], 'Callback' : [ 0x40, ['pointer', ['void']]], 'CallbackContext' : [ 0x44, ['pointer', ['void']]], 'DisableCallback' : [ 0x48, ['pointer', ['void']]], 'DisableContext' : [ 0x4c, ['pointer', ['void']]], 'AbsoluteSystemTime' : [ 0x50, ['unsigned char']], 'TypeFlags' : [ 0x51, ['unsigned char']], 'Plain' : [ 0x51, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IdleResilient' : [ 0x51, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HighResolution' : [ 0x51, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'NoWake' : [ 0x51, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned char')]], 'NoWakeFinite' : [ 0x51, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Unused' : [ 0x51, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 
0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'DynamicRelocations' : [ 0x0, ['pointer', ['void']]], 'SecurityContext' : [ 0x4, ['_IMAGE_SECURITY_CONTEXT']], 'StrongImageReference' : [ 0x8, ['unsigned long']], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x130, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x8, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0xc, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x10, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x98, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x120, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x124, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x128, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x12c, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_MMPTE_HIGHLOW' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 
'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x2f8, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x70, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x78, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0x80, ['unsigned long long']], 'TotalPageFaultCount' : [ 0x88, ['unsigned long']], 'TotalProcesses' : [ 0x8c, ['unsigned long']], 'ActiveProcesses' : [ 0x90, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x94, ['unsigned long']], 
'PerProcessUserTimeLimit' : [ 0x98, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xa0, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xa8, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xac, ['unsigned long']], 'LimitFlags' : [ 0xb0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xb4, ['unsigned long']], 'Affinity' : [ 0xb8, ['_KAFFINITY_EX']], 'AccessState' : [ 0xc4, ['pointer', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0xc8, ['pointer', ['void']]], 'UIRestrictionsClass' : [ 0xcc, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xd0, ['unsigned long']], 'CompletionPort' : [ 0xd4, ['pointer', ['void']]], 'CompletionKey' : [ 0xd8, ['pointer', ['void']]], 'CompletionCount' : [ 0xe0, ['unsigned long long']], 'SessionId' : [ 0xe8, ['unsigned long']], 'SchedulingClass' : [ 0xec, ['unsigned long']], 'ReadOperationCount' : [ 0xf0, ['unsigned long long']], 'WriteOperationCount' : [ 0xf8, ['unsigned long long']], 'OtherOperationCount' : [ 0x100, ['unsigned long long']], 'ReadTransferCount' : [ 0x108, ['unsigned long long']], 'WriteTransferCount' : [ 0x110, ['unsigned long long']], 'OtherTransferCount' : [ 0x118, ['unsigned long long']], 'DiskIoInfo' : [ 0x120, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x148, ['unsigned long']], 'JobMemoryLimit' : [ 0x14c, ['unsigned long']], 'JobTotalMemoryLimit' : [ 0x150, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x154, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x158, ['unsigned long']], 'EffectiveAffinity' : [ 0x15c, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x168, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x170, ['unsigned long']], 'EffectiveMaximumWorkingSetSize' : [ 0x174, ['unsigned long']], 'EffectiveProcessMemoryLimit' : [ 0x178, ['unsigned long']], 'EffectiveProcessMemoryLimitJob' : [ 0x17c, ['pointer', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x180, ['pointer', ['_EJOB']]], 'EffectiveDiskIoRateLimitJob' : [ 0x184, ['pointer', ['_EJOB']]], 
'EffectiveNetIoRateLimitJob' : [ 0x188, ['pointer', ['_EJOB']]], 'EffectiveHeapAttributionJob' : [ 0x18c, ['pointer', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x190, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x194, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x198, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x19c, ['unsigned long']], 'EffectiveSwapCount' : [ 0x1a0, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x1a4, ['unsigned long']], 'EffectivePriorityClass' : [ 0x1a8, ['unsigned char']], 'PriorityClass' : [ 0x1a9, ['unsigned char']], 'NestingDepth' : [ 0x1aa, ['unsigned char']], 'Reserved1' : [ 0x1ab, ['array', 1, ['unsigned char']]], 'CompletionFilter' : [ 0x1ac, ['unsigned long']], 'WakeChannel' : [ 0x1b0, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x1b0, ['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x1e8, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x1f0, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x1f4, ['unsigned long']], 'NotificationLink' : [ 0x1f8, ['pointer', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x200, ['unsigned long long']], 'NotificationInfo' : [ 0x208, ['pointer', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x20c, ['pointer', ['void']]], 'NotificationPacket' : [ 0x210, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x214, ['pointer', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x218, ['pointer', ['void']]], 'ReadyTime' : [ 0x220, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x228, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x22c, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x234, ['_LIST_ENTRY']], 'ParentJob' : [ 0x23c, ['pointer', ['_EJOB']]], 'RootJob' : [ 0x240, ['pointer', ['_EJOB']]], 'IteratorListHead' : [ 0x244, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x24c, ['unsigned long']], 'Ancestors' : [ 0x250, ['pointer', ['pointer', ['_EJOB']]]], 'SessionObject' : [ 0x250, ['pointer', ['void']]], 'Accounting' : [ 0x258, ['_EPROCESS_VALUES']], 
'ShadowActiveProcessCount' : [ 0x2a8, ['unsigned long']], 'ActiveAuxiliaryProcessCount' : [ 0x2ac, ['unsigned long']], 'SequenceNumber' : [ 0x2b0, ['unsigned long']], 'TimerListLock' : [ 0x2b4, ['unsigned long']], 'TimerListHead' : [ 0x2b8, ['_LIST_ENTRY']], 'ContainerId' : [ 0x2c0, ['_GUID']], 'Container' : [ 0x2d0, ['pointer', ['_ESILO']]], 'PropertySet' : [ 0x2d4, ['_PS_PROPERTY_SET']], 'NetRateControl' : [ 0x2e0, ['pointer', ['_JOB_NET_RATE_CONTROL']]], 'IoRateControl' : [ 0x2e4, ['pointer', ['_JOB_IO_RATE_CONTROL']]], 'JobFlags' : [ 0x2e8, ['unsigned long']], 'CloseDone' : [ 0x2e8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x2e8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x2e8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x2e8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x2e8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x2e8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x2e8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x2e8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x2e8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x2e8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x2e8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x2e8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x2e8, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 
'WakeNotificationPending' : [ 0x2e8, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x2e8, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x2e8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x2e8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x2e8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x2e8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x2e8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x2e8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x2e8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x2e8, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x2e8, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x2e8, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'NetRateControlActive' : [ 0x2e8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'OwnNetRateControl' : [ 0x2e8, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IoRateControlActive' : [ 0x2e8, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'OwnIoRateControl' : [ 0x2e8, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'IsContainerRoot' : [ 0x2e8, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'SpareJobFlags' : [ 0x2e8, ['BitField', dict(start_bit = 30, 
end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x2ec, ['unsigned long']], 'EnergyValues' : [ 0x2f0, ['pointer', ['_PROCESS_ENERGY_VALUES']]], 'SharedCommitCharge' : [ 0x2f4, ['unsigned long']], } ], '_PPM_IDLE_STATES' : [ 0x140, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'ForceIdle' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'UnaccountedTransition' : [ 0x5, ['unsigned char']], 'IdleDurationLimited' : [ 0x6, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'ReasonFlags' : [ 0x24, ['unsigned short']], 'InitiateWakeStamp' : [ 0x28, ['unsigned long long']], 'PreviousStatus' : [ 0x30, ['long']], 'PreviousCancelReason' : [ 0x34, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x38, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0x44, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x50, ['pointer', ['void']]], 'IdlePreExecute' : [ 0x54, ['pointer', ['void']]], 'IdleExecute' : [ 0x58, ['pointer', ['void']]], 'IdlePreselect' : [ 0x5c, ['pointer', ['void']]], 'IdleTest' : [ 0x60, ['pointer', ['void']]], 'IdleAvailabilityCheck' : [ 0x64, ['pointer', ['void']]], 'IdleComplete' : [ 0x68, ['pointer', ['void']]], 'IdleCancel' : [ 0x6c, ['pointer', ['void']]], 'IdleIsHalted' : [ 0x70, ['pointer', ['void']]], 'IdleInitiateWake' : [ 0x74, ['pointer', ['void']]], 'PrepareInfo' : [ 0x78, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'DeepIdleSnapshot' : [ 0xc8, ['_KAFFINITY_EX']], 'Tracing' : [ 0xd4, ['pointer', ['_PERFINFO_PPM_STATE_SELECTION']]], 'CoordinatedTracing' : [ 0xd8, ['pointer', ['_PERFINFO_PPM_STATE_SELECTION']]], 
'ProcessorMenu' : [ 0xdc, ['_PPM_SELECTION_MENU']], 'CoordinatedMenu' : [ 0xe4, ['_PPM_SELECTION_MENU']], 'CoordinatedSelection' : [ 0xec, ['_PPM_COORDINATED_SELECTION']], 'State' : [ 0xfc, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PPM_VETO_ACCOUNTING' : [ 0x14, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x4, ['_LIST_ENTRY']], 'PreallocatedVetoCount' : [ 0xc, ['unsigned long']], 'PreallocatedVetoList' : [ 0x10, ['pointer', ['_PPM_VETO_ENTRY']]], } ], '_PEB' : [ 0x250, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 
'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'SparePvoid0' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 
0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, 
['pointer', ['void']]], 'pUnused' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : [ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x54, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', ['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', ['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned char']], 'ShutDownRequested' : [ 0x32, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x32, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x32, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x32, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x34, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x3c, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x40, ['unsigned long']], 'UserPagesAllocated' : [ 0x44, ['unsigned long']], 'UserPagesReused' : [ 0x48, ['unsigned long']], 'EventsLostCount' : [ 0x4c, ['pointer', ['unsigned long']]], 'BuffersLostCount' : [ 0x50, ['pointer', ['unsigned long']]], } ], '__unnamed_1ecb' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1ed0' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1ed2' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1ecb']], 'Bits' : [ 0x0, ['__unnamed_1ed0']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1ed2']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = 
{0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'PendingFreeDepth' : [ 0x104, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_TOKEN_MANDATORY_POLICY' : [ 0x4, { 'Policy' : [ 0x0, ['unsigned long']], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 
0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x28, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x1c, ['pointer', ['void']]], 'DvCallbacks' : [ 0x20, ['pointer', ['void']]], 'VerifierContext' : [ 0x24, ['pointer', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEAP_WORK_QUEUE' : [ 0x44, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['long']], 'Dpc' : [ 0x10, ['_KDPC']], 'WorkItem' : [ 0x30, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x40, ['pointer', ['void']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], 
'_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_KINTERRUPT' : [ 0xb0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'EmulateActiveBoth' : [ 0x39, ['unsigned char']], 'ActiveCount' : [ 0x3a, ['unsigned short']], 'InternalState' : [ 0x3c, ['long']], 'Mode' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x48, ['unsigned long']], 'DispatchCount' : [ 0x4c, ['unsigned long']], 'PassiveEvent' : [ 0x50, ['pointer', ['_KEVENT']]], 'DisconnectData' : [ 0x54, ['pointer', ['void']]], 'ServiceThread' : [ 0x58, ['pointer', ['_KTHREAD']]], 'ConnectionData' : [ 0x5c, ['pointer', ['_INTERRUPT_CONNECTION_DATA']]], 'IntTrackEntry' : [ 0x60, ['pointer', ['void']]], 'IsrDpcStats' : [ 0x68, ['_ISRDPCSTATS']], 'RedirectObject' : [ 0xa8, ['pointer', ['void']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 'SecurityAttributeCount' : [ 0x0, ['unsigned 
long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x60, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], 'FilePath' : [ 0x58, ['_UNICODE_STRING']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned 
long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '__unnamed_1f34' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 
'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1f34']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long 
long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_EX_WORK_QUEUE' : [ 0x1b8, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'Node' : [ 0x19c, ['pointer', ['_ENODE']]], 'WorkItemsProcessed' : [ 0x1a0, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x1a4, ['unsigned long']], 'ThreadCount' : [ 0x1a8, ['long']], 'MinThreads' : [ 0x1ac, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='long')]], 'TryFailed' : [ 0x1ac, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'MaxThreads' : [ 0x1b0, ['long']], 'QueueIndex' : [ 0x1b4, ['Enumeration', dict(target = 'long', choices = {0: 'ExPoolUntrusted', 1: 'ExPoolTrusted', 8: 'ExPoolMax'})]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned 
short']], } ], '_PS_PROPERTY_SET' : [ 0xc, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x8, ['unsigned long']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x4e, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 
'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_IO_WORKITEM' : [ 0x34, { 
'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', ['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'WorkingOnBehalfClient' : [ 0x1c, ['pointer', ['void']]], 'Type' : [ 0x20, ['unsigned long']], 'ActivityId' : [ 0x24, ['_GUID']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ManySubsections' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 31, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x50, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x28, ['_KDPC']], 'WorkOrder' : [ 0x48, ['pointer', ['_POP_FX_WORK_ORDER']]], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x18, { 'Next' : [ 0x0, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x4, 
['unsigned long']], 'Gate' : [ 0x8, ['_KGATE']], 'SecureInfo' : [ 0x8, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x8, ['_RTL_BITMAP']], 'InPageSupport' : [ 0x8, ['pointer', ['_MMINPAGE_SUPPORT']]], 'LargePage' : [ 0x8, ['pointer', ['_MI_LARGEPAGE_MEMORY_INFO']]], 'CreatingThread' : [ 0x8, ['pointer', ['_ETHREAD']]], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_KTIMER2_COLLECTION' : [ 0x10, { 'Tree' : [ 0x0, ['_RTL_RB_TREE']], 'NextDueTime' : [ 0x8, ['unsigned long long']], } ], '_MIPFNBLINK' : [ 0x4, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PageBlinkDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'PageBlinkLockBit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ShareCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'PageShareCountDeleteBit' : [ 0x0, 
['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'PageShareCountLockBit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'EntireField' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x0, ['long']], 'LockNotUsed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'DeleteBit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'LockBit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_MMCLONE_HEADER' : [ 0xc, { 'NumberOfPtes' : [ 0x0, ['unsigned long']], 'NumberOfProcessReferences' : [ 0x4, ['unsigned long']], 'ClonePtes' : [ 0x8, ['pointer', ['_MMCLONE_BLOCK']]], } ], '_SESSION_LOWBOX_MAP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x8, ['unsigned long']], 'LowboxMap' : [ 0xc, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, 
['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x84, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'RefCount' : [ 0x20, ['unsigned long']], 'Lock' : [ 0x24, ['unsigned long']], 'Cancel' : [ 0x28, ['unsigned char']], 'Parent' : [ 0x2c, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'ActivityId' : [ 0x30, ['_GUID']], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_PS_WAKE_INFORMATION' : [ 0x38, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 5, ['unsigned long long']]], 'NoWakeCounter' : [ 0x30, ['unsigned long long']], } ], '_RH_OP_CONTEXT' : [ 0x24, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x8, ['pointer', ['_IRP']]], 'OplockRequestFileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x14, ['pointer', 
['_ETHREAD']]], 'Flags' : [ 0x18, ['unsigned long']], 'AtomicLinks' : [ 0x1c, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_KWAIT_CHAIN' : [ 0x4, { 'Head' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_MI_PARTITION_PAGE_LISTS' : [ 0x6c0, { 'FreePagesByColor' : [ 0x0, ['array', 2, ['pointer', ['_MMPFNLIST']]]], 'FreePageSlist' : [ 0x8, ['array', 2, ['pointer', ['_SLIST_HEADER']]]], 'ZeroedPageListHead' : [ 0x40, ['_MMPFNLIST']], 'FreePageListHead' : [ 0x80, ['_MMPFNLIST']], 'StandbyPageListHead' : [ 0xc0, ['_MMPFNLIST']], 'StandbyPageListByPriority' : [ 0x100, ['array', 8, ['_MMPFNLIST']]], 'ModifiedPageListNoReservation' : [ 0x1c0, ['_MMPFNLIST']], 'ModifiedPageListByReservation' : [ 0x200, ['array', 16, ['_MMPFNLIST']]], 'MappedPageListHead' : [ 0x340, ['array', 16, ['_MMPFNLIST']]], 'BadPageListHead' : [ 0x480, ['_MMPFNLIST']], 'PageLocationList' : [ 0x494, ['array', 8, ['pointer', ['_MMPFNLIST']]]], 'StandbyRepurposedByPriority' : [ 0x4b4, ['array', 8, ['unsigned long']]], 'MappedPageListHeadEvent' : [ 0x4d4, ['array', 16, ['_KEVENT']]], 'DecayClusterTimerHeads' : [ 0x5d4, ['array', 4, ['_MI_DECAY_TIMER_LINK']]], 'DecayHand' : [ 0x5e4, ['unsigned long']], 'LastDecayHandUpdateTime' : [ 0x5e8, ['unsigned long long']], 'LastChanceLdwContext' : [ 0x5f0, ['_MI_LDW_WORK_CONTEXT']], 'AvailableEventsLock' : [ 0x640, ['unsigned long']], 'AvailablePageWaitStates' : [ 0x644, ['array', 2, 
['_MI_AVAILABLE_PAGE_WAIT_STATES']]], 'LowMemoryThreshold' : [ 0x66c, ['unsigned long']], 'HighMemoryThreshold' : [ 0x670, ['unsigned long']], 'TransitionPrivatePages' : [ 0x680, ['unsigned long']], 'RebuildLargePagesInitialized' : [ 0x684, ['unsigned char']], 'RebuildLargePagesItem' : [ 0x688, ['_MI_REBUILD_LARGE_PAGES']], } ], '_XSTATE_CONFIGURATION' : [ 0x330, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CompactionEnabled' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], 'EnabledSupervisorFeatures' : [ 0x218, ['unsigned long long']], 'AlignedFeatures' : [ 0x220, ['unsigned long long']], 'AllFeatureSize' : [ 0x228, ['unsigned long']], 'AllFeatures' : [ 0x22c, ['array', 64, ['unsigned long']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0xc, ['_CM_KEY_HASH']], 'ConvKey' : [ 0xc, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x14, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], 'KcbPushlock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x20, ['pointer', ['_KTHREAD']]], 'SharedCount' : [ 0x20, ['long']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, ['unsigned long']], 'KcbUserFlags' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x6c, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x74, ['_LIST_ENTRY']], 'Stolen' : [ 0x74, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x7c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x80, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x88, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x90, 
['_CHILD_LIST']], 'TransValueListOwner' : [ 0x98, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x9c, ['pointer', ['_UNICODE_STRING']]], } ], '_KLOCK_ENTRY' : [ 0x30, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'EntryFlags' : [ 0xc, ['unsigned long']], 'EntryOffset' : [ 0xc, ['unsigned char']], 'ThreadLocalFlags' : [ 0xd, ['unsigned char']], 'WaitingBit' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare0' : [ 0xd, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'AcquiredByte' : [ 0xe, ['unsigned char']], 'AcquiredBit' : [ 0xe, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadFlags' : [ 0xf, ['unsigned char']], 'HeadNodeBit' : [ 0xf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IoPriorityBit' : [ 0xf, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare1' : [ 0xf, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'StaticState' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'AllFlags' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'LockState' : [ 0x10, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x10, ['pointer', ['void']]], 'CrossThreadReleasableAndBusyByte' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['array', 2, ['unsigned char']]], 'InTreeByte' : [ 0x13, ['unsigned char']], 'SessionState' : [ 0x14, ['pointer', ['void']]], 'SessionId' : [ 0x14, ['unsigned long']], 'OwnerTree' : [ 0x18, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x20, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x18, ['unsigned char']], 'EntryLock' : [ 0x28, ['unsigned long']], 'AllBoosts' : [ 0x2c, ['unsigned short']], 'IoBoost' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'CpuBoostsBitmap' : [ 0x2c, ['BitField', 
dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x2e, ['unsigned short']], } ], '_OBP_SYSTEM_DOS_DEVICE_STATE' : [ 0x6c, { 'GlobalDeviceMap' : [ 0x0, ['unsigned long']], 'LocalDeviceCount' : [ 0x4, ['array', 26, ['unsigned long']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1ffd' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_1ffd']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['_MODWRITER_FLAGS']], 'StoreWriteRefCount' : [ 0x18, ['unsigned long']], 'StoreWriteCompletionApc' : [ 0x1c, ['_KAPC']], 'ByteCount' : [ 0x4c, ['unsigned long']], 'ChargedPages' : [ 0x50, ['unsigned long']], 'PagingFile' : [ 0x54, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x58, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x5c, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x60, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x68, ['_LARGE_INTEGER']], 
'IssueTime' : [ 0x70, ['_LARGE_INTEGER']], 'Partition' : [ 0x78, ['pointer', ['_MI_PARTITION']]], 'PointerMdl' : [ 0x7c, ['pointer', ['_MDL']]], 'Mdl' : [ 0x80, ['_MDL']], 'Page' : [ 0x9c, ['array', 1, ['unsigned long']]], } ], '_MI_PARTITION_COMMIT' : [ 0x20, { 'PeakCommitment' : [ 0x0, ['unsigned long']], 'TotalCommitLimitMaximum' : [ 0x4, ['unsigned long']], 'Popups' : [ 0x8, ['array', 2, ['long']]], 'LowCommitThreshold' : [ 0x10, ['unsigned long']], 'HighCommitThreshold' : [ 0x14, ['unsigned long']], 'EventLock' : [ 0x18, ['unsigned long']], 'SystemCommitReserve' : [ 0x1c, ['unsigned long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_TOKEN_PRIVILEGES' : [ 0x10, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Privileges' : [ 0x4, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 
'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 
0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x50, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'ContextSwitches' : [ 0x18, ['unsigned long long']], 'ReadOperationCount' : [ 0x20, ['long long']], 'WriteOperationCount' : [ 0x28, ['long long']], 'OtherOperationCount' : [ 0x30, ['long long']], 'ReadTransferCount' : [ 0x38, ['long long']], 'WriteTransferCount' : [ 0x40, ['long long']], 'OtherTransferCount' : [ 0x48, ['long long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x180, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x4, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleTimeExpiration' : [ 0x20, ['unsigned long long']], 'NonInterruptibleTransition' : [ 0x28, ['unsigned char']], 'PepWokenTransition' : [ 0x29, ['unsigned char']], 'Class' : [ 0x2a, ['unsigned char']], 'TargetIdleState' : [ 0x2c, ['unsigned long']], 'IdlePolicy' : [ 0x30, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x38, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' 
: [ 0x40, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xc8, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower', 3: 'ProcHypervisorHvCounters'})]], 'LastSysTime' : [ 0xcc, ['unsigned long']], 'WmiDispatchPtr' : [ 0xd0, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xd4, ['long']], 'FFHThrottleStateInfo' : [ 0xd8, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0xf8, ['_KDPC']], 'PerfActionMask' : [ 0x118, ['long']], 'HvIdleCheck' : [ 0x120, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x130, ['pointer', ['_PROC_PERF_CHECK']]], 'Domain' : [ 0x134, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x138, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x13c, ['pointer', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x140, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x144, ['pointer', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x148, ['unsigned char']], 'HvTargetState' : [ 0x149, ['unsigned char']], 'Parked' : [ 0x14a, ['unsigned char']], 'LatestPerformancePercent' : [ 0x14c, ['unsigned long']], 'AveragePerformancePercent' : [ 0x150, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x154, ['unsigned long']], 'RelativePerformance' : [ 0x158, ['unsigned long']], 'Utility' : [ 0x15c, ['unsigned long']], 'AffinitizedUtility' : [ 0x160, ['unsigned long']], 'SnapTimeLast' : [ 0x168, ['unsigned long long']], 'EnergyConsumed' : [ 0x168, ['unsigned long long']], 'ActiveTime' : [ 0x170, ['unsigned long long']], 'TotalTime' : [ 0x178, ['unsigned long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 
'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SystemChargedPage' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_THREAD_ENERGY_VALUES' : [ 0x40, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, 
['_PCW_MASK_INFORMATION']], } ], '_CC_ASYNC_READ_CONTEXT' : [ 0x14, { 'CompletionRoutine' : [ 0x0, ['pointer', ['void']]], 'Context' : [ 0x4, ['pointer', ['void']]], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'RequestorMode' : [ 0xc, ['unsigned char']], 'NestingLevel' : [ 0x10, ['unsigned long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_CMHIVE' : [ 0xf20, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x6f0, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x708, 
['_LIST_ENTRY']], 'HiveList' : [ 0x710, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x718, ['_LIST_ENTRY']], 'FailedUnloadList' : [ 0x720, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x728, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x72c, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x734, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x738, ['unsigned long']], 'DeletedKcbTable' : [ 0x73c, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0x740, ['unsigned long']], 'Identity' : [ 0x744, ['unsigned long']], 'HiveLock' : [ 0x748, ['pointer', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x74c, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x750, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x754, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0x75c, ['unsigned long']], 'FlushLogEntry' : [ 0x760, ['pointer', ['unsigned char']]], 'FlushLogEntrySize' : [ 0x764, ['unsigned long']], 'FlushHiveTruncated' : [ 0x768, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0x76c, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0x770, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0x778, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0x77c, ['pointer', ['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0x780, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0x784, ['pointer', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0x788, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0x78c, ['unsigned long']], 'LastShrinkHiveSize' : [ 0x790, ['unsigned long']], 'ActualFileSize' : [ 0x798, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0x7a0, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0x7b0, ['_UNICODE_STRING']], 'FileUserName' : [ 0x7b8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x7c0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x7c8, ['unsigned long']], 'SecurityCacheSize' : [ 0x7cc, ['unsigned long']], 'SecurityHitHint' : [ 0x7d0, ['long']], 'SecurityCache' : [ 0x7d4, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x7d8, ['array', 64, 
['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x9d8, ['unsigned long']], 'UnloadEventArray' : [ 0x9dc, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x9e0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x9e4, ['unsigned char']], 'UnloadWorkItem' : [ 0x9e8, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x9ec, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xa00, ['unsigned char']], 'GrowOffset' : [ 0xa04, ['unsigned long']], 'KcbConvertListHead' : [ 0xa08, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xa10, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0xa14, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0xc9c, ['unsigned long']], 'TrustClassEntry' : [ 0xca0, ['_LIST_ENTRY']], 'DirtyTime' : [ 0xca8, ['unsigned long long']], 'UnreconciledTime' : [ 0xcb0, ['unsigned long long']], 'CmRm' : [ 0xcb8, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xcbc, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xcc0, ['long']], 'CreatorOwner' : [ 0xcc4, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0xcc8, ['pointer', ['_KTHREAD']]], 'LastWriteTime' : [ 0xcd0, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0xcd8, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0xce4, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0xcf0, ['unsigned long']], 'FlushActive' : [ 0xcf0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0xcf0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0xcf0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0xcf0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0xcf4, ['unsigned long']], 'ReferenceCount' : [ 0xcf8, ['long']], 'UnloadHistoryIndex' : [ 0xcfc, ['long']], 'UnloadHistory' : [ 0xd00, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0xf00, ['unsigned long']], 'UnaccessedStart' : [ 0xf04, ['unsigned long']], 'UnaccessedEnd' : [ 
0xf08, ['unsigned long']], 'LoadedKeyCount' : [ 0xf0c, ['unsigned long']], 'HandleClosePending' : [ 0xf10, ['unsigned long']], 'HandleClosePendingEvent' : [ 0xf14, ['_EX_PUSH_LOCK']], 'FinalFlushSucceeded' : [ 0xf18, ['unsigned char']], 'FailedUnload' : [ 0xf19, ['unsigned char']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x28, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long']], 'DirtyPageThresholdTop' : [ 0x4, ['unsigned long']], 'DirtyPageThresholdBottom' : [ 0x8, ['unsigned long']], 'DirtyPageTarget' : [ 0xc, ['unsigned long']], 'AggregateAvailablePages' : [ 0x10, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x18, ['unsigned long long']], 'AvailableHistory' : [ 0x20, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ForceCredits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned 
char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceAge' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'NewMaximum' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CommitReleaseState' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_PPM_VETO_ENTRY' : [ 0x10, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'VetoReason' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 
'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = 
{0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderZero', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderVsmMemory', 30: 'LoaderFirmwareCode', 31: 'LoaderFirmwareData', 32: 'LoaderFirmwareReserved', 33: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x400, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, 
['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x14, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x4, ['_RTL_BITMAP']], 'HashTable' : [ 0xc, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x10, ['unsigned char']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x8c, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 
'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ExecutePoolTypes' : [ 0x78, ['unsigned long']], 'ExecutePageProtections' : [ 0x7c, ['unsigned long']], 'ExecutePageMappings' : [ 0x80, ['unsigned long']], 'ExecuteWriteSections' : [ 0x84, ['unsigned long']], 'SectionAlignmentFailures' : [ 0x88, ['unsigned long']], } ], '_VF_DRIVER_IO_CALLBACKS' : [ 0x80, { 'DriverInit' : [ 0x0, ['pointer', ['void']]], 'DriverStartIo' : [ 0x4, ['pointer', ['void']]], 'DriverUnload' : [ 0x8, ['pointer', ['void']]], 'AddDevice' : [ 0xc, ['pointer', ['void']]], 'MajorFunction' : [ 0x10, ['array', 28, ['pointer', ['void']]]], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0xc, { 'ActiveThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'WaitList' : [ 0x4, ['pointer', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x8, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x8, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' 
: [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_ETIMER' : [ 0xb8, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x28, ['unsigned long']], 'TimerApc' : [ 0x2c, ['_KAPC']], 'TimerDpc' : [ 0x5c, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x7c, ['_LIST_ENTRY']], 'Period' : [ 0x84, ['unsigned long']], 'TimerFlags' : [ 0x88, ['unsigned char']], 'ApcAssociated' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0x88, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0x88, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0x88, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0x89, ['unsigned char']], 'Spare2' : [ 0x8a, ['unsigned short']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x98, ['pointer', ['void']]], 'VirtualizedTimerLinks' : [ 0x9c, ['_LIST_ENTRY']], 'DueTime' : [ 0xa8, ['unsigned long long']], 'CoalescingWindow' : [ 0xb0, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x4c, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'Count' : [ 0x14, ['unsigned long']], 'Offset' : [ 0x18, 
['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'StackTrace' : [ 0x24, ['array', 8, ['pointer', ['void']]]], 'Who' : [ 0x44, ['unsigned long']], 'Process' : [ 0x48, ['pointer', ['_EPROCESS']]], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_MI_CACHED_PTES' : [ 0x48, { 'Bins' : [ 0x0, ['array', 8, ['_MI_CACHED_PTE']]], 'CachedPteCount' : [ 0x40, ['long']], } ], '_EXHANDLE' : [ 0x4, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], } ], '__unnamed_20e1' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_20e1']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_AUTO_EXPAND_STATE' : [ 0x4, { 'Expanded' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Transitioning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Pageable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x288, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_ARBITER_INSTANCE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', 
['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 
'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MI_SYSTEM_INFORMATION' : [ 0x3cc0, { 'Pools' : [ 0x0, ['_MI_POOL_STATE']], 'Sections' : [ 0x500, ['_MI_SECTION_STATE']], 'SystemImages' : [ 0x640, ['_MI_SYSTEM_IMAGE_STATE']], 'Sessions' : [ 0x6a4, ['_MI_SESSION_STATE']], 'Processes' : [ 0x16e0, ['_MI_PROCESS_STATE']], 'Hardware' : [ 0x1750, ['_MI_HARDWARE_STATE']], 'SystemVa' : [ 0x1800, ['_MI_SYSTEM_VA_STATE']], 'PageCombines' : [ 0x2cc0, ['_MI_COMBINE_STATE']], 'Partitions' : [ 0x2cd8, ['_MI_PARTITION_STATE']], 'Shutdowns' : [ 0x2d08, ['_MI_SHUTDOWN_STATE']], 'Errors' : [ 0x2d58, ['_MI_ERROR_STATE']], 'AccessLog' : [ 0x2e00, ['_MI_ACCESS_LOG_STATE']], 'Debugger' : [ 0x2e80, ['_MI_DEBUGGER_STATE']], 'Standby' : [ 0x2f40, ['_MI_STANDBY_STATE']], 'SystemPtes' : [ 0x2fc0, ['_MI_SYSTEM_PTE_STATE']], 'IoPages' : [ 0x3140, ['_MI_IO_PAGE_STATE']], 'PagingIo' : [ 0x3178, ['_MI_PAGING_IO_STATE']], 'CommonPages' : [ 0x31b0, ['_MI_COMMON_PAGE_STATE']], 'Trims' : [ 0x3200, ['_MI_SYSTEM_TRIM_STATE']], 'ResTrack' : [ 0x3240, ['_MI_RESAVAIL_TRACKER']], 'Cookie' : [ 0x3440, ['unsigned long']], 'ZeroingDisabled' : [ 0x3444, ['long']], 'BootRegistryRuns' : [ 0x3448, ['pointer', ['pointer', ['void']]]], 'FullyInitialized' : [ 0x344c, ['unsigned char']], 'SafeBooted' : [ 0x344d, ['unsigned char']], 'LargePfnBitMap' : [ 0x3450, ['_RTL_BITMAP']], 'PfnBitMap' : [ 0x3458, ['_RTL_BITMAP']], 'TraceLogging' : [ 0x3460, ['pointer', ['_TlgProvider_t']]], 'Vs' : [ 0x3480, ['_MI_VISIBLE_STATE']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_PPM_SELECTION_DEPENDENCY' : [ 0xc, { 'Processor' : [ 0x0, ['unsigned long']], 'Menu' : [ 
0x4, ['_PPM_SELECTION_MENU']], } ], '__unnamed_215b' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_215d' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_215b']], } ], '__unnamed_215f' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_215d']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_215f']], } ], '_MI_VISIBLE_STATE' : [ 0x840, { 'SpecialPool' : [ 0x0, ['_MI_SPECIAL_POOL']], 'SessionWsList' : [ 0x48, ['_LIST_ENTRY']], 'SessionIdBitmap' : [ 0x50, ['pointer', ['_RTL_BITMAP']]], 'PagedPoolInfo' : [ 0x54, ['_MM_PAGED_POOL_INFO']], 'MaximumNonPagedPoolInPages' : [ 0x70, ['unsigned long']], 'SizeOfPagedPoolInPages' : [ 0x74, ['unsigned long']], 'SystemPteInfo' : [ 0x78, ['_MI_SYSTEM_PTE_TYPE']], 'NonPagedPoolCommit' : [ 0xac, ['unsigned long']], 'BootCommit' : [ 0xb0, ['unsigned long']], 'MdlPagesAllocated' : [ 0xb4, ['unsigned long']], 'SystemPageTableCommit' : [ 0xb8, ['unsigned long']], 'SpecialPagesInUse' : [ 0xbc, ['unsigned long']], 'WsOverheadPages' : [ 0xc0, ['unsigned long']], 'VadBitmapPages' : [ 0xc4, ['unsigned long']], 'ProcessCommit' : [ 0xc8, ['unsigned long']], 'SharedCommit' : [ 0xcc, ['unsigned long']], 'DriverCommit' : [ 0xd0, ['long']], 'SystemWs' : [ 0x100, ['array', 3, ['_MMSUPPORT']]], 'MapCacheFailures' : [ 0x280, ['unsigned long']], 'LastUnloadedDriver' : [ 0x284, ['unsigned long']], 'UnloadedDrivers' : [ 0x288, ['pointer', ['_UNLOADED_DRIVERS']]], 'PagefileHashPages' : [ 0x28c, ['unsigned long']], 'PteHeader' : [ 0x290, ['_SYSPTES_HEADER']], 'SessionSpecialPool' : [ 0x31c, ['pointer', ['_MI_SPECIAL_POOL']]], 'SystemVaTypeCount' : [ 0x320, ['array', 15, ['unsigned long']]], 'SystemVaType' : [ 0x35c, ['array', 1024, ['unsigned char']]], 'SystemVaTypeCountFailures' : [ 0x75c, ['array', 15, ['unsigned long']]], 'SystemVaTypeCountLimit' : [ 0x798, ['array', 15, ['unsigned long']]], 'SystemVaTypeCountPeak' : [ 0x7d4, ['array', 15, ['unsigned long']]], 'SystemAvailableVa' : [ 
0x810, ['unsigned long']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_HMAP_TABLE' : [ 0x2800, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'HandleCount' : [ 0x14, ['unsigned long']], 'Handles' : [ 0x18, ['pointer', ['pointer', ['void']]]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x50, { 'Prcb' : [ 0x0, ['pointer', ['_KPRCB']]], 'PerfContext' : [ 0x4, ['unsigned long']], 'ProcCap' : [ 0x8, ['unsigned long']], 'ProcFloor' : [ 0xc, ['unsigned long']], 'PlatformCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'LimitReasons' : [ 0x18, ['unsigned long']], 'PlatformCapStartTime' : [ 0x20, ['unsigned long long']], 'TargetPercent' : [ 0x28, ['unsigned long']], 'SelectedPercent' : [ 0x2c, ['unsigned long']], 'SelectedFrequency' : [ 0x30, ['unsigned long']], 'PreviousFrequency' : [ 0x34, ['unsigned long']], 'PreviousPercent' : [ 0x38, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x3c, ['unsigned long']], 'SelectedState' : [ 0x40, ['unsigned long long']], 'Force' : [ 0x48, ['unsigned char']], } ], '__unnamed_217e' : [ 0x10, { 'CallerCompletion' : [ 0x0, ['pointer', ['void']]], 'CallerContext' : [ 0x4, ['pointer', ['void']]], 'CallerDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0xc, 
['unsigned char']], } ], '__unnamed_2181' : [ 0x8, { 'NotifyDevice' : [ 0x0, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x4, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'Pdo' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x18, ['unsigned long long']], 'WatchdogTimer' : [ 0x20, ['_KTIMER']], 'WatchdogDpc' : [ 0x48, ['_KDPC']], 'MinorFunction' : [ 0x68, ['unsigned char']], 'PowerStateType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0x70, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0x74, ['unsigned char']], 'FxDevice' : [ 0x78, ['pointer', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0x7c, ['unsigned char']], 'NotifyPEP' : [ 0x7d, ['unsigned char']], 'Device' : [ 0x80, ['__unnamed_217e']], 'System' : [ 0x80, ['__unnamed_2181']], } ], '_MI_ERROR_STATE' : [ 0x98, { 'BadMemoryEventEntry' : [ 0x0, ['_MI_BAD_MEMORY_EVENT_ENTRY']], 'ProbeRaises' : [ 0x28, ['_MI_PROBE_RAISE_TRACKER']], 'ForcedCommits' : [ 0x64, ['_MI_FORCED_COMMITS']], 'WsleFailures' : [ 0x6c, ['array', 2, ['unsigned long']]], 'WsLinear' : [ 0x74, ['unsigned long']], 'PageHashErrors' : [ 0x78, ['unsigned long']], 'CheckZeroCount' : [ 0x7c, ['unsigned long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x80, ['long']], 'BadPagesDetected' : [ 0x84, ['long']], 'ScrubPasses' : [ 0x88, ['long']], 'ScrubBadPagesFound' : [ 0x8c, ['long']], 'PendingBadPages' : [ 0x90, ['unsigned char']], 'InitFailure' : [ 0x91, ['unsigned char']], 'StopBadMaps' : [ 0x92, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 
'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', 
dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_MI_USER_VA_INFO' : [ 0xd20, { 'NumberOfCommittedPageTables' : [ 0x0, ['unsigned long']], 'VadBitMapHint' : [ 0x4, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x8, ['unsigned long']], 'LastAllocationSize' : [ 0xc, ['unsigned long']], 'LowestBottomUpVadBit' : [ 0x10, ['unsigned long']], 'VadBitMapSize' : [ 0x14, ['unsigned long']], 'VadBitMapCommitment' : [ 0x18, ['unsigned long']], 'MaximumLastVadBit' : [ 0x1c, ['unsigned long']], 'VadsBeingDeleted' : [ 0x20, ['long']], 'PhysicalMappingCount' : [ 0x24, ['unsigned long']], 'LastVadDeletionEvent' : [ 0x28, ['pointer', ['_KEVENT']]], 'VadBitBuffer' : [ 0x2c, ['pointer', ['unsigned long']]], 'LowestBottomUpAllocationAddress' : [ 0x30, ['pointer', ['void']]], 'HighestTopDownAllocationAddress' : [ 0x34, ['pointer', ['void']]], 'FreeTebHint' : [ 0x38, ['pointer', ['void']]], 'NumaAware' : [ 0x3c, ['unsigned char']], 
'CloneNestingLevel' : [ 0x40, ['unsigned long long']], 'PrivateFixupVadCount' : [ 0x48, ['unsigned long']], 'CfgBitMap' : [ 0x4c, ['array', 1, ['_MI_CFG_BITMAP_INFO']]], 'CommittedPageTableBufferForTopLevel' : [ 0x58, ['array', 48, ['unsigned long']]], 'CommittedPageTableBitmaps' : [ 0x118, ['array', 1, ['_RTL_BITMAP']]], 'UsedPageTableEntries' : [ 0x120, ['array', 1536, ['unsigned short']]], } ], '_PROC_FEEDBACK' : [ 0x88, { 'Lock' : [ 0x0, ['unsigned long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x20, ['unsigned long long']], 'UnscaledTime' : [ 0x28, ['unsigned long long']], 'UnaccountedTime' : [ 0x30, ['long long']], 'ScaledTime' : [ 0x38, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x48, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x50, ['unsigned long long']], 'UserTimeLast' : [ 0x58, ['unsigned long']], 'KernelTimeLast' : [ 0x5c, ['unsigned long']], 'IdleGenerationNumberLast' : [ 0x60, ['unsigned long long']], 'HvActiveTimeLast' : [ 0x68, ['unsigned long long']], 'StallCyclesLast' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long long']], 'KernelTimesIndex' : [ 0x80, ['unsigned char']], } ], '__unnamed_219b' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_219f' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_21a1' : [ 
0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_21a3' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_21a5' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_21a7' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_21a9' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_21ab' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_21ad' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_21af' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_21b1' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_21b3' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_219b']], 'Memory' : [ 0x0, ['__unnamed_219b']], 'Interrupt' : [ 0x0, ['__unnamed_219f']], 'Dma' : [ 0x0, ['__unnamed_21a1']], 'DmaV3' : [ 0x0, ['__unnamed_21a3']], 'Generic' : [ 0x0, ['__unnamed_219b']], 'DevicePrivate' : [ 0x0, ['__unnamed_21a5']], 'BusNumber' : [ 0x0, ['__unnamed_21a7']], 
'ConfigData' : [ 0x0, ['__unnamed_21a9']], 'Memory40' : [ 0x0, ['__unnamed_21ab']], 'Memory48' : [ 0x0, ['__unnamed_21ad']], 'Memory64' : [ 0x0, ['__unnamed_21af']], 'Connection' : [ 0x0, ['__unnamed_21b1']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_21b3']], } ], '_POP_THERMAL_ZONE' : [ 0x2b8, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], 'State' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], 'Removing' : [ 0x22, ['unsigned char']], 'Mode' : [ 0x23, ['unsigned char']], 'PendingMode' : [ 0x24, ['unsigned char']], 'ActivePoint' : [ 0x25, ['unsigned char']], 'PendingActivePoint' : [ 0x26, ['unsigned char']], 'Critical' : [ 0x27, ['unsigned char']], 'ThermalStandby' : [ 0x28, ['unsigned char']], 'OverThrottled' : [ 0x29, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x2c, ['long']], 'Throttle' : [ 0x30, ['long']], 'PendingThrottle' : [ 0x34, ['long']], 'ThrottleReasons' : [ 0x38, ['unsigned long']], 'LastTime' : [ 0x40, ['unsigned long long']], 'SampleRate' : [ 0x48, ['unsigned long']], 'LastTemp' : [ 0x4c, ['unsigned long']], 'PassiveTimer' : [ 0x50, ['_KTIMER']], 'PassiveDpc' 
: [ 0x78, ['_KDPC']], 'Info' : [ 0x98, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0xf0, ['_LARGE_INTEGER']], 'Policy' : [ 0xf8, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0x110, ['unsigned char']], 'LastActiveStartTime' : [ 0x118, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x120, ['unsigned long long']], 'WorkItem' : [ 0x128, ['_WORK_QUEUE_ITEM']], 'Lock' : [ 0x138, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x140, ['_KEVENT']], 'TemperatureUpdated' : [ 0x150, ['_KEVENT']], 'InstanceId' : [ 0x160, ['unsigned long']], 'TelemetryTracker' : [ 0x168, ['_POP_THERMAL_TELEMETRY_TRACKER']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_MI_REBUILD_LARGE_PAGES' : [ 0x34, { 'Active' : [ 0x0, ['long']], 'Timer' : [ 0x4, ['array', 16, ['array', 1, ['_MI_REBUILD_LARGE_PAGE_COUNTDOWN']]]], 'WorkItem' : [ 0x24, ['_WORK_QUEUE_ITEM']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x6f0, { 
'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileWrite' : [ 0x14, ['pointer', ['void']]], 'FileRead' : [ 0x18, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x1c, ['pointer', ['void']]], 'BaseBlock' : [ 0x20, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x24, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x2c, ['unsigned long']], 'DirtyAlloc' : [ 0x30, ['unsigned long']], 'UnreconciledVector' : [ 0x34, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x3c, ['unsigned long']], 'BaseBlockAlloc' : [ 0x40, ['unsigned long']], 'Cluster' : [ 0x44, ['unsigned long']], 'Flat' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SystemCacheBacked' : [ 0x48, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x49, ['unsigned char']], 'HvBinHeadersUse' : [ 0x4c, ['unsigned long']], 'HvFreeCellsUse' : [ 0x50, ['unsigned long']], 'HvUsedCellsUse' : [ 0x54, ['unsigned long']], 'CmUsedCellsUse' : [ 0x58, ['unsigned long']], 'HiveFlags' : [ 0x5c, ['unsigned long']], 'CurrentLog' : [ 0x60, ['unsigned long']], 'CurrentLogSequence' : [ 0x64, ['unsigned long']], 'CurrentLogMinimumSequence' : [ 0x68, ['unsigned long']], 'CurrentLogOffset' : [ 0x6c, ['unsigned long']], 'MinimumLogSequence' : [ 0x70, ['unsigned long']], 'LogFileSizeCap' : [ 0x74, ['unsigned long']], 'LogDataPresent' : [ 0x78, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0x7a, ['unsigned char']], 'BaseBlockDirty' : [ 0x7b, ['unsigned char']], 'LastLogSwapTime' : [ 0x80, ['_LARGE_INTEGER']], 'FirstLogFile' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 3, 
native_type='unsigned short')]], 'SecondLogFile' : [ 0x88, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 'HeaderRecovered' : [ 0x88, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0x88, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0x88, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0x88, ['unsigned short']], 'LogEntriesRecovered' : [ 0x8a, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0x8c, ['unsigned long']], 'StorageTypeCount' : [ 0x90, ['unsigned long']], 'Version' : [ 0x94, ['unsigned long']], 'ViewMap' : [ 0x98, ['_HVIEW_MAP']], 'Storage' : [ 0x3b8, ['array', 2, ['_DUAL']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_ETW_FILTER_HEADER' : [ 0x24, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x4, ['pointer', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x8, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0xc, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x10, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x14, ['pointer', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x18, ['pointer', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x1c, ['pointer', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x20, ['pointer', ['_EVENT_FILTER_HEADER']]], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, 
['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_POP_THERMAL_TELEMETRY_TRACKER' : [ 0x150, { 'AccountingDisabled' : [ 0x0, ['unsigned char']], 'LastPassiveUpdateTime' : [ 0x8, ['unsigned long long']], 'TotalPassiveTime' : [ 0x10, ['array', 20, ['unsigned long long']]], 
'PassiveTimeSnap' : [ 0xb0, ['array', 20, ['unsigned long long']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 'SecurityQos' : [ 0x1c, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_HVIEW_MAP' : [ 0x320, { 'MappedLength' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x4, ['_EX_PUSH_LOCK']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'Directory' : [ 0xc, ['pointer', ['_HVIEW_MAP_DIRECTORY']]], 'PagesCharged' : [ 0x10, ['unsigned long']], 'PinLog' : [ 0x18, ['_HVIEW_MAP_PIN_LOG']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_DISALLOWED_GUIDS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Guids' : [ 0x4, ['pointer', ['_GUID']]], } ], '_HVIEW_MAP_DIRECTORY' : [ 0x200, { 'Tables' : [ 0x0, ['array', 128, ['pointer', ['_HVIEW_MAP_TABLE']]]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], 
'_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Spare0' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1f, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1e, ['unsigned char']], } ], '__unnamed_2233' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2235' : [ 0x10, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_2233']], } ], '_VF_TARGET_DRIVER' : [ 0x1c, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x8, ['__unnamed_2235']], 'VerifiedData' : [ 0x18, ['pointer', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '__unnamed_2240' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_2242' : [ 0x2, { 
'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2244' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceId' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_2246' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_2248' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_224a' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_224c' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_224e' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2250' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_2252' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_2240']], 'TargetDevice' : [ 0x0, ['__unnamed_2242']], 'InstallDevice' : [ 0x0, ['__unnamed_2242']], 'CustomNotification' : [ 0x0, ['__unnamed_2244']], 'ProfileNotification' : [ 0x0, ['__unnamed_2246']], 'PowerNotification' : [ 0x0, ['__unnamed_2248']], 'VetoNotification' : [ 0x0, ['__unnamed_224a']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_224c']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_224e']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_2250']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_2242']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_2242']], } ], 
'_PLUGPLAY_EVENT_BLOCK' : [ 0x44, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_2252']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned 
long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x50, { 'Context' : [ 0x0, ['pointer', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x38, ['unsigned long']], 'DependencyUsed' : [ 0x3c, ['unsigned long']], 'DependencyArray' : [ 0x40, ['pointer', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x44, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x48, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x4c, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], } ], '__unnamed_226d' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 
'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_226d']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_MI_HARDWARE_STATE' : [ 0x78, { 'NodeMask' : [ 0x0, ['unsigned long']], 'NodeGraph' : [ 0x4, ['pointer', ['unsigned short']]], 'SystemNodeInformation' : [ 
0x8, ['pointer', ['_MI_SYSTEM_NODE_INFORMATION']]], 'NumaLastRangeIndex' : [ 0xc, ['unsigned long']], 'NumaMemoryRanges' : [ 0x10, ['pointer', ['_HAL_NODE_RANGE']]], 'NumaTableCaptured' : [ 0x14, ['unsigned char']], 'NodeShift' : [ 0x15, ['unsigned char']], 'ChannelMemoryRanges' : [ 0x18, ['pointer', ['_HAL_CHANNEL_MEMORY_RANGES']]], 'ChannelShift' : [ 0x1c, ['unsigned char']], 'SecondLevelCacheSize' : [ 0x20, ['unsigned long']], 'FirstLevelCacheSize' : [ 0x24, ['unsigned long']], 'PhysicalAddressBits' : [ 0x28, ['unsigned long']], 'WriteCombiningPtes' : [ 0x2c, ['unsigned char']], 'AllMainMemoryMustBeCached' : [ 0x2d, ['unsigned char']], 'TotalPagesAllowed' : [ 0x30, ['unsigned long']], 'SecondaryColorMask' : [ 0x34, ['unsigned long']], 'SecondaryColors' : [ 0x38, ['unsigned long']], 'FlushTbForAttributeChange' : [ 0x3c, ['unsigned long']], 'FlushCacheForAttributeChange' : [ 0x40, ['unsigned long']], 'FlushCacheForPageAttributeChange' : [ 0x44, ['unsigned long']], 'CacheFlushPromoteThreshold' : [ 0x48, ['unsigned long']], 'FlushTbThreshold' : [ 0x4c, ['unsigned long']], 'ZeroCostCounts' : [ 0x50, ['array', 2, ['_MI_ZERO_COST_COUNTS']]], 'HighestPossiblePhysicalPage' : [ 0x70, ['unsigned long']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x58, { 'Length' : [ 0x0, ['unsigned short']], 
'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, 
['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], 'WaitObjectFlagMask' : [ 0x50, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x54, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x56, ['unsigned short']], } ], '__unnamed_22b1' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '__unnamed_22b3' : [ 0x4, { 'NumberOfChildViews' : [ 0x0, ['unsigned long']], } ], '_SUBSECTION' : [ 0x28, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'FileExtents' : [ 0xc, ['pointer', ['_MI_FILE_EXTENTS']]], 'GlobalPerSessionHead' : [ 0xc, ['_RTL_AVL_TREE']], 'SessionDriverProtos' : [ 0xc, ['pointer', ['_MI_PER_SESSION_PROTOS']]], 'u' : [ 0x10, ['__unnamed_22b1']], 'StartingSector' : [ 0x14, ['unsigned long']], 'NumberOfFullSectors' : [ 0x18, ['unsigned long']], 'PtesInSubsection' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_22b3']], 'UnusedPtes' : [ 0x24, ['unsigned long']], 'AlignmentNoAccessPtes' : [ 0x24, ['unsigned long']], } ], '__unnamed_22b8' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MI_DECAY_TIMER_LINKAGE']], } ], '_MI_DECAY_TIMER_LINK' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_22b8']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_REQUEST' : [ 0xc, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_TRIAGE_DEVICE_NODE']]], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, 
['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_HEAP_EXTENDED_ENTRY' : [ 0x8, { 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], } ], '_MI_SYSTEM_VA_STATE' : [ 0x14c0, { 'SystemTablesLock' : [ 0x0, ['unsigned long']], 'SystemVaBias' : [ 0x4, ['unsigned long']], 'SystemAvailableVaLow' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], 'HyperSpaceEnd' : [ 0x10, ['pointer', ['void']]], 'HyperSpaceEndPte' : [ 0x14, ['pointer', ['_MMPTE']]], 'SystemRangeStart' : [ 0x18, ['pointer', ['void']]], 'SystemCachePdeCount' : [ 0x1c, ['array', 1024, ['unsigned char']]], 'SystemCacheReverseMaps' : [ 0x41c, ['array', 1024, ['pointer', ['void']]]], 'WorkingSetListHashStart' : [ 0x141c, ['pointer', ['_MMWSLE_HASH']]], 'WorkingSetListHashEnd' : [ 0x1420, ['pointer', ['_MMWSLE_HASH']]], 'WorkingSetListIndirectHashStart' : [ 0x1424, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'FreeSystemCacheVa' : [ 0x1428, ['_KEVENT']], 'SystemVaLock' : [ 0x1438, ['unsigned long']], 'DeleteKvaLock' : [ 0x143c, ['long']], 'FreeSystemCache' : [ 0x1440, ['_MI_PTE_CHAIN_HEAD']], 'SystemCacheViewLock' : [ 0x1458, ['unsigned long']], 'UnusableWsles' : [ 0x145c, ['array', 5, ['unsigned long']]], 'PossibleWsles' : [ 0x1470, ['array', 5, ['unsigned long']]], } ], '_DIRTY_PAGE_STATISTICS' : [ 0xc, { 'DirtyPages' : [ 0x0, ['unsigned long']], 'DirtyPagesLastScan' : [ 0x4, ['unsigned long']], 'DirtyPagesScheduledLastScan' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_CUSTOM_BREAKPOINT' : [ 
0x18, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointInstruction' : [ 0x8, ['unsigned long long']], 'BreakPointHandle' : [ 0x10, ['unsigned long']], 'BreakPointInstructionSize' : [ 0x14, ['unsigned char']], 'BreakPointInstructionAlignment' : [ 0x15, ['unsigned char']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x10, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 
'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_MI_DEBUGGER_STATE' : [ 0x90, { 'TransientWrite' : [ 0x0, ['unsigned char']], 'CodePageEdited' : [ 0x1, ['unsigned char']], 'DebugPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'PoisonedTb' : [ 0x8, ['unsigned long']], 'InDebugger' : [ 0xc, ['long']], 'Pfns' : [ 0x10, ['array', 32, ['pointer', ['void']]]], } ], '_MI_PROCESS_STATE' : [ 0x70, { 'ColorSeed' : [ 0x0, ['unsigned long']], 'CloneDereferenceEvent' : [ 0x4, ['_KEVENT']], 'CloneProtosSListHead' : [ 0x18, ['_SLIST_HEADER']], 'SystemDllBase' : [ 0x20, ['pointer', ['void']]], 'RotatingUniprocessorNumber' : [ 0x24, ['long']], 'CriticalSectionTimeout' : [ 0x28, ['_LARGE_INTEGER']], 'ProcessList' : [ 0x30, ['_LIST_ENTRY']], 'SharedUserDataPte' : [ 0x38, ['pointer', ['_MMPTE']]], 'FreePaeEntries' : [ 0x3c, ['unsigned long']], 'FirstFreePae' : [ 0x40, ['_PAE_ENTRY']], 'AllocatedPaePages' : [ 0x60, ['long']], 'PaeLock' : [ 0x64, ['unsigned long']], 'PaeEntrySList' : [ 0x68, ['_SLIST_HEADER']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned 
long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'HiberFileType' : [ 0x16, ['unsigned char']], 'AoAcConnectivitySupported' : [ 0x17, ['unsigned char']], 'spare3' : [ 0x18, ['array', 6, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, 
['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_MI_REBUILD_LARGE_PAGE_COUNTDOWN' : [ 0x2, { 'SecondsLeft' : [ 0x0, ['unsigned char']], 'SecondsAssigned' : [ 0x1, ['unsigned char']], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x4, ['unsigned long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x18, 
['pointer', ['long']]], 'NodeTargetCount' : [ 0x1c, ['long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, 
end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_IO_IRP_EXT_TRACK_OFFSET_HEADER' : [ 0x8, { 'Validation' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'TrackedOffsetCallback' : [ 0x4, ['pointer', ['void']]], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_MI_SESSION_STATE' : [ 0x1038, { 'SystemSession' : [ 0x0, ['_MMSESSION']], 'CodePageEdited' : [ 0x14, ['unsigned char']], 'VaReferenceCount' : [ 0x18, ['array', 1024, ['long']]], 'DynamicPtesBitBuffer' : [ 0x1018, ['pointer', ['unsigned long']]], 'IdLock' : [ 0x101c, ['_EX_PUSH_LOCK']], 'DetachTimeStamp' : [ 0x1020, ['unsigned long']], 'LeaderProcess' : [ 0x1024, ['pointer', ['_EPROCESS']]], 'InitializeLock' : [ 0x1028, ['_EX_PUSH_LOCK']], 'WorkingSetList' : [ 0x102c, ['pointer', ['_MMWSL']]], 'WsHashStart' : [ 0x1030, ['pointer', ['_MMWSLE_HASH']]], 'WsHashEnd' : [ 0x1034, ['pointer', ['_MMWSLE_HASH']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_MMSESSION' : [ 0x14, { 'SystemSpaceViewLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'SystemSpaceViewLockPointer' : [ 0x4, ['pointer', ['_EX_PUSH_LOCK']]], 'ViewRoot' : [ 0x8, ['_RTL_AVL_TREE']], 'ViewCount' : [ 0xc, ['unsigned long']], 'BitmapFailures' : [ 0x10, ['unsigned long']], } ], '_IOP_IRP_STACK_PROFILER' : [ 0x54, { 
'Profile' : [ 0x0, ['array', 20, ['unsigned long']]], 'TotalIrps' : [ 0x50, ['unsigned long']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_MI_DECAY_TIMER_LINKAGE' : [ 0x4, { 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NextDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, 
['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_233a' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MI_PARTITION_FLAGS']], } ], '_MI_PARTITION_CORE' : [ 0xe8, { 'PartitionId' : [ 0x0, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_233a']], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'ParentPartition' : [ 0xc, ['pointer', ['_MI_PARTITION']]], 'ListEntry' : [ 0x10, ['_LIST_ENTRY']], 'NodeInformation' : [ 0x18, ['pointer', ['_MI_NODE_INFORMATION']]], 'MdlPhysicalMemoryBlock' : [ 0x1c, ['pointer', ['_MDL']]], 'MemoryNodeRuns' : [ 0x20, ['pointer', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'Stats' : [ 0x24, ['_MI_PARTITION_STATISTICS']], 'MemoryRuns' : [ 0x74, ['pointer', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'ExitEvent' : [ 0x78, ['_KEVENT']], 'SystemThreadHandles' : [ 0x88, ['array', 5, ['pointer', ['void']]]], 'PartitionObject' : [ 0x9c, ['pointer', ['void']]], 'PartitionObjectHandle' : [ 0xa0, ['pointer', ['void']]], 'DynamicMemoryPushLock' : [ 0xa4, ['_EX_PUSH_LOCK']], 'DynamicMemoryLock' : [ 0xa8, ['long']], 'TemporaryMemoryEvent' : [ 0xac, ['_KEVENT']], 'MemoryEvents' : [ 0xbc, ['array', 11, ['pointer', ['_KEVENT']]]], } ], '_MI_PARTITION_MODWRITES' : [ 0x1b0, { 'AttemptForCantExtend' : [ 0x0, ['_MMPAGE_FILE_EXPANSION']], 'PageFileContract' : [ 0x38, ['_MMPAGE_FILE_EXPANSION']], 'NumberOfMappedMdls' : [ 0x70, ['unsigned long']], 'NumberOfMappedMdlsInUse' : [ 
0x74, ['long']], 'NumberOfMappedMdlsInUsePeak' : [ 0x78, ['unsigned long']], 'MappedFileHeader' : [ 0x7c, ['_MMMOD_WRITER_LISTHEAD']], 'NeedMappedMdl' : [ 0x94, ['unsigned char']], 'NeedPageFileMdl' : [ 0x95, ['unsigned char']], 'TransitionInserted' : [ 0x96, ['unsigned char']], 'LastModifiedWriteError' : [ 0x98, ['long']], 'LastMappedWriteError' : [ 0x9c, ['long']], 'MappedFileWriteSucceeded' : [ 0xa0, ['unsigned long']], 'MappedWriteBurstCount' : [ 0xa4, ['unsigned long']], 'LowPriorityModWritesOutstanding' : [ 0xa8, ['unsigned long']], 'BoostModWriteIoPriorityEvent' : [ 0xac, ['_KEVENT']], 'ModifiedWriterThreadPriority' : [ 0xbc, ['long']], 'ModifiedPagesLowPriorityGoal' : [ 0xc0, ['unsigned long']], 'ModifiedPageWriterEvent' : [ 0xc4, ['_KEVENT']], 'WriteAllPagefilePages' : [ 0xd4, ['long']], 'WriteAllMappedPages' : [ 0xd8, ['long']], 'MappedPageWriterEvent' : [ 0xdc, ['_KEVENT']], 'ModWriteData' : [ 0xf0, ['_MI_MODWRITE_DATA']], 'RescanPageFilesEvent' : [ 0x120, ['_KEVENT']], 'PagingFileHeader' : [ 0x130, ['_MMMOD_WRITER_LISTHEAD']], 'ModifiedPageWriterThread' : [ 0x148, ['pointer', ['_ETHREAD']]], 'ModifiedPageWriterRundown' : [ 0x14c, ['_EX_RUNDOWN_REF']], 'PagefileScanWorkItem' : [ 0x150, ['_WORK_QUEUE_ITEM']], 'PagefileScanCount' : [ 0x160, ['unsigned long']], 'ClusterWritesDisabled' : [ 0x164, ['array', 2, ['long']]], 'DelayMappedWrite' : [ 0x16c, ['unsigned char']], 'PagefileReservationsEnabled' : [ 0x170, ['unsigned long']], 'PageFileCreationLock' : [ 0x174, ['_EX_PUSH_LOCK']], 'TrimPagefileWorkItem' : [ 0x178, ['_WORK_QUEUE_ITEM']], 'LastTrimPagefileTime' : [ 0x188, ['unsigned long long']], 'WsSwapPagefileContractWorkItem' : [ 0x190, ['_WORK_QUEUE_ITEM']], 'WsSwapPageFileContractionInProgress' : [ 0x1a0, ['long']], 'WorkingSetSwapLock' : [ 0x1a4, ['_EX_PUSH_LOCK']], 'WorkingSetInswapLock' : [ 0x1a8, ['long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_KPRIQUEUE' : [ 0x19c, { 
'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x110, ['array', 32, ['long']]], 'MaximumCount' : [ 0x190, ['unsigned long']], 'ThreadListHead' : [ 0x194, ['_LIST_ENTRY']], } ], '__unnamed_2354' : [ 0x4, { 'ChannelsHotCold' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_MI_NODE_INFORMATION' : [ 0x68, { 'LargePageFreeCount' : [ 0x0, ['array', 2, ['unsigned long']]], 'LargePages' : [ 0x8, ['array', 2, ['array', 2, ['array', 1, ['_LIST_ENTRY']]]]], 'LargePagesCount' : [ 0x28, ['array', 2, ['array', 2, ['array', 1, ['unsigned long']]]]], 'FreeCount' : [ 0x38, ['array', 2, ['unsigned long']]], 'TotalPages' : [ 0x40, ['array', 1, ['unsigned long']]], 'TotalPagesEntireNode' : [ 0x44, ['unsigned long']], 'MmShiftedColor' : [ 0x48, ['unsigned long']], 'Color' : [ 0x4c, ['unsigned long']], 'ChannelFreeCount' : [ 0x50, ['array', 1, ['array', 2, ['unsigned long']]]], 'Flags' : [ 0x58, ['__unnamed_2354']], 'NodeLock' : [ 0x5c, ['_EX_PUSH_LOCK']], 'ChannelStatus' : [ 0x60, ['unsigned char']], 'ChannelOrdering' : [ 0x61, ['array', 1, ['unsigned char']]], 'LockedChannelOrdering' : [ 0x62, ['array', 1, ['unsigned char']]], 'PowerAttribute' : [ 0x63, ['array', 1, ['unsigned char']]], 'LargePageLock' : [ 0x64, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_WAITING_IRP' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'CompletionRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'Information' : [ 0x18, ['unsigned long']], 'BreakAllRH' : [ 0x1c, ['unsigned char']], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, 
['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_PPM_SELECTION_MENU' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Entries' : [ 0x4, ['pointer', ['_PPM_SELECTION_MENU_ENTRY']]], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x10, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0xc, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_KSCHEDULING_GROUP' : [ 0x140, { 'Policy' : [ 0x0, ['_KSCHEDULING_GROUP_POLICY']], 'RelativeWeight' : [ 0x8, ['unsigned long']], 'ChildMinRate' : [ 0xc, ['unsigned long']], 'ChildMinWeight' : [ 0x10, ['unsigned long']], 'ChildTotalWeight' : [ 0x14, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x18, ['unsigned long long']], 'NotificationCycles' : [ 0x20, ['long long']], 'SchedulingGroupList' : [ 0x28, ['_LIST_ENTRY']], 'Sibling' : [ 0x28, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x30, ['pointer', ['_KDPC']]], 'ChildList' : [ 0x34, ['_LIST_ENTRY']], 'Parent' : [ 0x3c, ['pointer', ['_KSCHEDULING_GROUP']]], 'PerProcessor' : [ 0x40, ['array', 1, ['_KSCB']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x18, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' : [ 0xc, ['unsigned long']], 'ObjectInfo' : [ 0x10, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x14, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, 
['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_MMWORKING_SET_EXPANSION_HEAD' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x18, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'Irp' : [ 0xc, ['pointer', ['_IRP']]], 'Device' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Static' : [ 0x14, ['unsigned char']], } ], '_POP_POLICY_DEVICE' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], } ], '_MI_SECTION_STATE' : [ 0x140, { 'SegmentListLock' : [ 0x0, 
['long']], 'SectionObjectPointersLock' : [ 0x40, ['long']], 'SectionExtendLock' : [ 0x44, ['_EX_PUSH_LOCK']], 'SectionExtendSetLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'SectionBasedRoot' : [ 0x4c, ['_RTL_AVL_TREE']], 'SectionBasedLock' : [ 0x50, ['_EX_PUSH_LOCK']], 'UnusedSubsectionPagedPool' : [ 0x54, ['unsigned long']], 'UnusedSegmentForceFree' : [ 0x58, ['unsigned long']], 'DataSectionProtectionMask' : [ 0x5c, ['unsigned long']], 'HighSectionBase' : [ 0x60, ['pointer', ['void']]], 'PhysicalSubsection' : [ 0x64, ['_MSUBSECTION']], 'PhysicalControlArea' : [ 0xa8, ['_CONTROL_AREA']], 'PageFileSectionHead' : [ 0xf8, ['_RTL_AVL_TREE']], 'PageFileSectionListSpinLock' : [ 0xfc, ['long']], 'ImageBias' : [ 0x100, ['unsigned long']], 'RelocateBitmapsLock' : [ 0x104, ['_EX_PUSH_LOCK']], 'ImageBitMap' : [ 0x108, ['_RTL_BITMAP']], 'ApiSetSection' : [ 0x110, ['pointer', ['void']]], 'ApiSetSchema' : [ 0x114, ['pointer', ['void']]], 'ApiSetSchemaSize' : [ 0x118, ['unsigned long']], 'LostDataFiles' : [ 0x11c, ['unsigned long']], 'LostDataPages' : [ 0x120, ['unsigned long']], 'ImageFailureReason' : [ 0x124, ['unsigned long']], 'CfgBitMapSection32' : [ 0x128, ['pointer', ['_SECTION']]], 'CfgBitMapControlArea32' : [ 0x12c, ['pointer', ['_CONTROL_AREA']]], 'ImageCfgFailure' : [ 0x130, ['unsigned long']], 'ImageValidationFailed' : [ 0x134, ['long']], } ], '_MI_PARTITION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_238b' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_238d' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_238f' : [ 0xc, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned 
short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_2391' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_238f']], 'Translated' : [ 0x0, ['__unnamed_238d']], } ], '__unnamed_2393' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_2395' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_2397' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_2399' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_239b' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_239d' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_239f' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_23a1' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_238b']], 'Port' : [ 0x0, ['__unnamed_238b']], 'Interrupt' : [ 0x0, ['__unnamed_238d']], 'MessageInterrupt' : [ 0x0, ['__unnamed_2391']], 'Memory' : [ 0x0, ['__unnamed_238b']], 'Dma' : [ 0x0, ['__unnamed_2393']], 'DmaV3' : [ 0x0, ['__unnamed_2395']], 'DevicePrivate' : [ 0x0, ['__unnamed_21a5']], 'BusNumber' : [ 0x0, ['__unnamed_2397']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_2399']], 'Memory40' : [ 0x0, ['__unnamed_239b']], 'Memory48' : [ 0x0, ['__unnamed_239d']], 'Memory64' : [ 0x0, ['__unnamed_239f']], 'Connection' : [ 0x0, ['__unnamed_21b1']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 
0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_23a1']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_23a9' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_23a9']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_UNLOADED_DRIVERS' : [ 0x18, { 'Name' : [ 0x0, ['_UNICODE_STRING']], 'StartAddress' : [ 0x8, ['pointer', ['void']]], 'EndAddress' : [ 0xc, ['pointer', ['void']]], 'CurrentTime' : [ 0x10, ['_LARGE_INTEGER']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '_MM_PAGED_POOL_INFO' : [ 0x1c, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'PagedPoolAllocationMap' : [ 0x4, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 'MaximumSize' : [ 0x10, ['unsigned long']], 'PagedPoolHint' : [ 0x14, ['unsigned long']], 'AllocatedPagedPool' : [ 0x18, ['unsigned long']], } ], '__unnamed_23b7' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_23b7']], } ], '_PPM_COORDINATED_SELECTION' : [ 0x10, { 'MaximumStates' : [ 0x0, ['unsigned long']], 'SelectedStates' : [ 0x4, ['unsigned long']], 'DefaultSelection' : [ 0x8, ['unsigned long']], 'Selection' : [ 0xc, ['pointer', ['unsigned long']]], } ], 
'_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_PAE_ENTRY' : [ 0x20, { 'PteEntry' : [ 0x0, ['array', 4, ['_MMPTE']]], 'PaeEntry' : [ 0x0, ['_PAE_PAGEINFO']], 'NextPae' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '_MI_PAGE_COMBINING_SUPPORT' : [ 0xd8, { 'Partition' : [ 0x0, ['pointer', ['_MI_PARTITION']]], 'ArbitraryPfnMapList' : [ 0x4, ['_LIST_ENTRY']], 'FreeCombinePoolItem' : [ 0xc, ['_MI_COMBINE_WORKITEM']], 'CombiningThreadCount' : [ 0x20, ['unsigned long']], 'CombinePageFreeList' : [ 0x24, ['_LIST_ENTRY']], 'CombineFreeListLock' : [ 0x2c, ['unsigned long']], 'CombinePageListHeads' : [ 0x30, ['array', 16, ['_MI_COMBINE_PAGE_LISTHEAD']]], 'PageCombineStats' : [ 0xb0, ['_MI_PAGE_COMBINE_STATISTICS']], } ], '_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', ['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '_POP_FX_DEVICE' : [ 0x188, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'IrpData' : [ 0xc, ['pointer', ['_POP_IRP_DATA']]], 'Status' : [ 0x10, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x14, ['long']], 'PowerNotReqCall' : [ 0x18, ['long']], 'DevNode' : [ 0x1c, ['pointer', ['_DEVICE_NODE']]], 'DpmContext' : [ 0x20, ['pointer', ['PEPHANDLE__']]], 'Plugin' : [ 0x24, ['pointer', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x28, ['pointer', ['PEPHANDLE__']]], 'AcpiPlugin' : [ 0x2c, ['pointer', ['_POP_FX_PLUGIN']]], 'AcpiPluginHandle' : [ 0x30, ['pointer', ['PEPHANDLE__']]], 'DeviceObject' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x38, ['pointer', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x3c, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0x58, ['pointer', ['void']]], 'AcpiLink' : [ 0x5c, ['_LIST_ENTRY']], 'DeviceId' : [ 0x64, ['_UNICODE_STRING']], 'RemoveLock' : [ 0x6c, ['_IO_REMOVE_LOCK']], 'AcpiRemoveLock' : [ 0x84, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0x9c, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0xb8, ['unsigned long']], 'IdleTimer' : [ 0xc0, 
['_KTIMER']], 'IdleDpc' : [ 0xe8, ['_KDPC']], 'IdleTimeout' : [ 0x108, ['unsigned long long']], 'IdleStamp' : [ 0x110, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0x118, ['array', 2, ['pointer', ['_DEVICE_OBJECT']]]], 'NextIrpPowerState' : [ 0x120, ['array', 2, ['_POWER_STATE']]], 'NextIrpCallerCompletion' : [ 0x128, ['array', 2, ['pointer', ['void']]]], 'NextIrpCallerContext' : [ 0x130, ['array', 2, ['pointer', ['void']]]], 'IrpCompleteEvent' : [ 0x138, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x148, ['pointer', ['void']]], 'Accounting' : [ 0x150, ['_POP_FX_ACCOUNTING']], 'Flags' : [ 0x178, ['unsigned long']], 'ComponentCount' : [ 0x17c, ['unsigned long']], 'Components' : [ 0x180, ['pointer', ['pointer', ['_POP_FX_COMPONENT']]]], } ], '_PEP_ACPI_RESOURCE_FLAGS' : [ 0x4, { 'AsULong' : [ 0x0, ['unsigned long']], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Wake' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ResourceUsage' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SlaveMode' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'AddressingMode' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SharedMode' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_23e3' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_23e5' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_23e3']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x44, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 
'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, ['_LIST_ENTRY']], 'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CoolingExtension' : [ 0x30, ['pointer', ['_POP_COOLING_EXTENSION']]], 'Volume' : [ 0x34, ['_LIST_ENTRY']], 'Specific' : [ 0x3c, ['__unnamed_23e5']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_MI_COMBINE_STATE' : [ 0x18, { 'ActiveSpinLock' : [ 0x0, ['long']], 'CombiningThreadCount' : [ 0x4, ['unsigned long']], 'ActiveThreadTree' : [ 0x8, ['_RTL_AVL_TREE']], 'ZeroPageHashValue' : [ 0x10, ['unsigned long long']], } ], '_MMDEREFERENCE_SEGMENT_HEADER' : [ 0x1c, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'ListHead' : [ 0x14, ['_LIST_ENTRY']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x30, { 'BadPageCount' : [ 0x0, ['unsigned long']], 'BadPagesDetected' : [ 0x4, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x8, ['long']], 'ScrubPasses' : [ 0xc, ['long']], 'ScrubBadPagesFound' : [ 0x10, ['long']], 'PageHashErrors' : [ 0x14, ['unsigned long']], 'FeatureBits' : [ 0x18, ['unsigned long long']], 'TimeZoneId' : [ 0x20, ['unsigned long']], 
'ExceptionChainTerminator' : [ 0x24, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'ExceptionChainTerminatorRecord' : [ 0x28, ['_EXCEPTION_REGISTRATION_RECORD']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 
'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DELAY_ACK_FO' : [ 0xc, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : 
[ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_MI_BAD_MEMORY_EVENT_ENTRY' : [ 0x28, { 'BugCheckCode' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['long']], 'Data' : [ 0x8, ['unsigned long']], 'PhysicalAddress' : [ 0x10, ['_LARGE_INTEGER']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 
0x148, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_MI_SYSTEM_TRIM_STATE' : [ 0x40, { 'ExpansionLock' : [ 0x0, ['unsigned long']], 'TrimInProgressCount' : [ 0x4, ['long']], 'PeriodicWorkingSetEvent' : [ 0x8, ['_KEVENT']], 'TrimAllPageFaultCount' : [ 0x18, ['array', 3, ['unsigned long']]], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], 
'_MI_ZERO_COST_COUNTS' : [ 0x10, { 'NativeSum' : [ 0x0, ['unsigned long long']], 'CachedSum' : [ 0x8, ['unsigned long long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_MI_PARTITION_STATISTICS' : [ 0x50, { 'DeleteYield' : [ 0x0, ['unsigned long']], 'DeleteBad' : [ 0x4, ['unsigned long']], 'DeleteTrulyBad' : [ 0x8, ['unsigned long']], 'DeleteLargePage' : [ 0xc, ['unsigned long']], 'DeleteLargePageRetry' : [ 0x10, ['unsigned long']], 'DeleteZeroFree' : [ 0x14, ['unsigned long']], 'DeleteTransition' : [ 0x18, ['unsigned long']], 'DeleteStandbyReferenced' : [ 0x1c, ['unsigned long']], 'DeleteStandbyRelinkFailed' : [ 0x20, ['unsigned long']], 'DeleteStandbySharedPagefile' : [ 0x24, ['unsigned long']], 'DeleteStandbySharedFile' : [ 0x28, ['unsigned long']], 'DeleteModifiedReferenced' : [ 0x2c, ['unsigned long']], 'DeleteModified' : [ 0x30, ['unsigned long']], 'DeleteModifiedNoWrite' : [ 0x34, ['unsigned long']], 'DeleteModifiedSharedPagefile' : [ 0x38, ['unsigned long']], 'DeleteModifiedSharedFile' : [ 0x3c, ['unsigned long']], 'DeleteActiveSharedPagefile1' : [ 0x40, ['unsigned long']], 'DeleteActiveSharedPagefile2' : [ 0x44, ['unsigned long']], 'DeleteActiveSharedFile' : [ 0x48, ['unsigned long']], 'DeleteWriteDelay' : [ 0x4c, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MI_RESAVAIL_TRACKER' : [ 0x200, { 'AllocateKernelStack' : [ 0x0, ['unsigned long']], 'AllocateGrowKernelStack' : [ 0x4, ['unsigned long']], 'FreeKernelStack' : [ 0x8, ['unsigned long']], 'FreeKernelStackError' : [ 0xc, ['unsigned long']], 
'FreeGrowKernelStackError' : [ 0x10, ['unsigned long']], 'AllocateCreateProcess' : [ 0x14, ['unsigned long']], 'FreeCreateProcessError' : [ 0x18, ['unsigned long']], 'FreeDeleteProcess' : [ 0x1c, ['unsigned long']], 'FreeCleanProcess' : [ 0x20, ['unsigned long']], 'FreeCleanProcessError' : [ 0x24, ['unsigned long']], 'AllocateAddProcessWsMetaPage' : [ 0x28, ['unsigned long']], 'AllocateWsIncrease' : [ 0x2c, ['unsigned long']], 'FreeWsIncreaseError' : [ 0x30, ['unsigned long']], 'FreeWsIncreaseErrorMax' : [ 0x34, ['unsigned long']], 'FreeWsDecrease' : [ 0x38, ['unsigned long']], 'AllocateWorkingSetPage' : [ 0x3c, ['unsigned long']], 'FreeWorkingSetPageError' : [ 0x40, ['unsigned long']], 'FreeDeletePteRange' : [ 0x44, ['unsigned long']], 'AllocatePageTablesForProcessMetadata' : [ 0x48, ['unsigned long']], 'FreePageTablesForProcessMetadataError2' : [ 0x4c, ['unsigned long']], 'AllocatePageTablesForSystem' : [ 0x50, ['unsigned long']], 'FreePageTablesExcess' : [ 0x54, ['unsigned long']], 'FreeSystemVaPageTables' : [ 0x58, ['unsigned long']], 'FreeSessionVaPageTables' : [ 0x5c, ['unsigned long']], 'AllocateCreateSession' : [ 0x60, ['unsigned long']], 'FreeSessionWsDereference' : [ 0x64, ['unsigned long']], 'FreeSessionDereference' : [ 0x68, ['unsigned long']], 'AllocateLockedSessionImage' : [ 0x6c, ['unsigned long']], 'FreeLockedSessionImage' : [ 0x70, ['unsigned long']], 'FreeSessionImageConversion' : [ 0x74, ['unsigned long']], 'AllocateWsAdjustPageTable' : [ 0x78, ['unsigned long']], 'FreeWsAdjustPageTable' : [ 0x7c, ['unsigned long']], 'FreeWsAdjustPageTableError' : [ 0x80, ['unsigned long']], 'AllocateNoLowMemory' : [ 0x84, ['unsigned long']], 'AllocatePagedPoolLockedDown' : [ 0x88, ['unsigned long']], 'FreePagedPoolLockedDown' : [ 0x8c, ['unsigned long']], 'AllocateSystemBitmaps' : [ 0x90, ['unsigned long']], 'FreeSystemBitmapsError' : [ 0x94, ['unsigned long']], 'AllocateForMdl' : [ 0x98, ['unsigned long']], 'FreeFromMdl' : [ 0x9c, ['unsigned long']], 
'AllocateForMdlPartition' : [ 0xa0, ['unsigned long']], 'FreeFromMdlPartition' : [ 0xa4, ['unsigned long']], 'FreeMdlExcess' : [ 0xa8, ['unsigned long']], 'AllocateExpansionNonPagedPool' : [ 0xac, ['unsigned long']], 'FreeExpansionNonPagedPool' : [ 0xb0, ['unsigned long']], 'AllocateVad' : [ 0xb4, ['unsigned long']], 'RemoveVad' : [ 0xb8, ['unsigned long']], 'FreeVad' : [ 0xbc, ['unsigned long']], 'AllocateContiguous' : [ 0xc0, ['unsigned long']], 'FreeContiguousPages' : [ 0xc4, ['unsigned long']], 'FreeContiguousError' : [ 0xc8, ['unsigned long']], 'FreeLargePageMemory' : [ 0xcc, ['unsigned long']], 'AllocateSystemWsles' : [ 0xd0, ['unsigned long']], 'FreeSystemWsles' : [ 0xd4, ['unsigned long']], 'AllocateSystemInitWs' : [ 0xd8, ['unsigned long']], 'AllocateSessionInitWs' : [ 0xdc, ['unsigned long']], 'FreeSessionInitWsError' : [ 0xe0, ['unsigned long']], 'AllocateSystemImage' : [ 0xe4, ['unsigned long']], 'AllocateSystemImageLoad' : [ 0xe8, ['unsigned long']], 'AllocateSessionSharedImage' : [ 0xec, ['unsigned long']], 'FreeSystemImageInitCode' : [ 0xf0, ['unsigned long']], 'FreeSystemImageLargePageConversion' : [ 0xf4, ['unsigned long']], 'FreeSystemImageError' : [ 0xf8, ['unsigned long']], 'FreeSystemImageLoadExcess' : [ 0xfc, ['unsigned long']], 'FreeUnloadSystemImage' : [ 0x100, ['unsigned long']], 'FreeReloadBootImageLarge' : [ 0x104, ['unsigned long']], 'FreeIndependent' : [ 0x108, ['unsigned long']], 'AllocateHotAdd' : [ 0x10c, ['unsigned long']], 'AllocateHotRemove' : [ 0x110, ['unsigned long']], 'FreeHotAdd' : [ 0x114, ['unsigned long']], 'FreeHotAddEcc' : [ 0x118, ['unsigned long']], 'FreeHotAddError' : [ 0x11c, ['unsigned long']], 'FreeHotAddUnmap' : [ 0x120, ['unsigned long']], 'AllocateBoot' : [ 0x124, ['unsigned long']], 'FreeLoaderBlock' : [ 0x128, ['unsigned long']], 'AllocateNonPagedSpecialPool' : [ 0x12c, ['unsigned long']], 'FreeNonPagedSpecialPoolError' : [ 0x130, ['unsigned long']], 'FreeNonPagedSpecialPool' : [ 0x134, ['unsigned long']], 
'AllocateSharedSegmentPage' : [ 0x138, ['unsigned long']], 'FreeSharedSegmentPage' : [ 0x13c, ['unsigned long']], 'AllocateZeroPage' : [ 0x140, ['unsigned long']], 'FreeZeroPage' : [ 0x144, ['unsigned long']], 'AllocateForPo' : [ 0x148, ['unsigned long']], 'AllocateForPoForce' : [ 0x14c, ['unsigned long']], 'FreeForPo' : [ 0x150, ['unsigned long']], 'AllocateThreadHardFaultBehavior' : [ 0x154, ['unsigned long']], 'FreeThreadHardFaultBehavior' : [ 0x158, ['unsigned long']], 'ObtainFaultCharges' : [ 0x15c, ['unsigned long']], 'FreeFaultCharges' : [ 0x160, ['unsigned long']], 'AllocateStoreCharges' : [ 0x164, ['unsigned long']], 'FreeStoreCharges' : [ 0x168, ['unsigned long']], 'ObtainLockedPageCharge' : [ 0x180, ['unsigned long']], 'FreeLockedPageCharge' : [ 0x1c0, ['unsigned long']], 'AllocateStore' : [ 0x1c4, ['unsigned long']], 'FreeStore' : [ 0x1c8, ['unsigned long']], 'AllocateSystemImageProtos' : [ 0x1cc, ['unsigned long']], 'FreeSystemImageProtos' : [ 0x1d0, ['unsigned long']], 'AllocateModWriterCharge' : [ 0x1d4, ['unsigned long']], 'FreeModWriterCharge' : [ 0x1d8, ['unsigned long']], 'AllocateMappedWriterCharge' : [ 0x1dc, ['unsigned long']], 'FreeMappedWriterCharge' : [ 0x1e0, ['unsigned long']], 'AllocateRegistryCharges' : [ 0x1e4, ['unsigned long']], 'FreeRegistryCharges' : [ 0x1e8, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'CompactionMask' : [ 0x8, ['unsigned long long']], 'Reserved2' : [ 0x10, ['array', 6, ['unsigned 
long long']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x24, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'Context' : [ 0xc, ['pointer', ['void']]], 'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x14, ['unsigned long']], 'Status' : [ 0x18, ['long']], 'Information' : [ 0x1c, ['pointer', ['void']]], 'ReferenceCount' : [ 0x20, ['long']], } ], '_MI_COMBINE_PAGE_LISTHEAD' : [ 0x8, { 'Table' : [ 0x0, ['_RTL_AVL_TREE']], 'Lock' : [ 0x4, ['long']], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '__unnamed_2459' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_245b' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], 
} ], '__unnamed_245d' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_245f' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_2459']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_245b']], 'Raw' : [ 0x0, ['__unnamed_245d']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x28, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'Operation' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0x8, ['__unnamed_245f']], 'Stack' : [ 0x10, ['array', 6, ['pointer', ['void']]]], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 
'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_MI_SYSTEM_NODE_INFORMATION' : [ 0xb0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'NonPagedPoolSListHeadNx' : [ 0x20, ['array', 3, ['_SLIST_HEADER']]], 'CachedKernelStacks' : [ 0x38, ['array', 2, ['_CACHED_KSTACK_LIST']]], 'NonPagedPoolLowestPage' : [ 0x68, ['unsigned long']], 'NonPagedPoolHighestPage' : [ 0x6c, ['unsigned long']], 'AllocatedNonPagedPool' : [ 0x70, ['unsigned long']], 'PartialLargePoolRegions' : [ 0x74, ['unsigned long']], 'PagesInPartialLargePoolRegions' : [ 0x78, ['unsigned long']], 'CachedNonPagedPoolCount' : [ 0x7c, ['unsigned long']], 'NonPagedPoolSpinLock' : [ 0x80, ['unsigned long']], 'CachedNonPagedPool' : [ 0x84, ['pointer', ['_MMPFN']]], 'NonPagedPoolFirstVa' : [ 0x88, ['pointer', ['void']]], 'NonPagedPoolLastVa' : [ 0x8c, ['pointer', ['void']]], 'NonPagedBitMap' : [ 0x90, ['array', 3, ['_RTL_BITMAP']]], 'NonPagedHint' : [ 0xa8, ['array', 2, ['unsigned long']]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x8, { 'CrossThreadReleasable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 31, native_type='unsigned long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'LockState' : [ 0x0, ['pointer', ['void']]], 'SessionState' : [ 0x4, ['pointer', ['void']]], 'SessionId' : [ 0x4, ['unsigned long']], } ], '__unnamed_2471' : [ 0x4, { 'FlushCompleting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'FlushInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 32, native_type='long')]], 'Long' : [ 0x0, ['long']], } ], '_MI_PARTITION_STORES' : [ 0x50, { 'WriteAllStoreHintedPages' : [ 0x0, ['__unnamed_2471']], 'VirtualPageFileNumber' : [ 0x4, ['unsigned long']], 'Registered' : [ 0x8, ['unsigned long']], 'ReadClusterSizeMax' : [ 0xc, ['unsigned long']], 'EvictFlushRequestCount' : [ 0x10, ['unsigned long']], 'ModifiedWriteDisableCount' : [ 0x14, ['unsigned long']], 'WriteIssueFailures' : [ 0x18, ['unsigned long']], 'EvictionThread' : [ 0x1c, ['pointer', ['_ETHREAD']]], 'EvictEvent' : [ 0x20, ['_KEVENT']], 'EvictFlushCompleteEvent' : [ 0x30, ['_KEVENT']], 'WriteSupportSListHead' : [ 0x40, ['_SLIST_HEADER']], 'EvictFlushLock' : [ 0x48, ['long']], 'ModifiedWriteFailedBitmap' : [ 0x4c, ['pointer', ['_RTL_BITMAP']]], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x8, ['unsigned long']], 'SyncCallback' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, 
['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, 
['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0xc, ['pointer', ['_HANDLE_TABLE']]], 'Flags' : [ 0x10, ['unsigned long']], 'NumberOfBuckets' : [ 0x14, ['unsigned long']], 'Buckets' : [ 0x18, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '__unnamed_24ad' : [ 0x18, { 'RequestedTime' : [ 0x0, ['unsigned long long']], 'ProgrammedTime' : [ 0x8, ['unsigned long long']], 'TimerInfo' : [ 0x10, ['pointer', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0x100, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 
'PowerActionDisplayOff'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 
'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x58, ['array', 3, ['__unnamed_24ad']]], 'WakeAlarmPaused' : [ 0xa0, ['unsigned char']], 'WakeAlarmLastTime' : [ 0xa8, ['unsigned long long']], 'FilteredCapabilities' : [ 0xb0, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 
0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'InProgressFlags' : [ 0x14, ['unsigned char']], 'KernelApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x28, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, 
['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3d8, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0x98, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 
'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, 
['unsigned long']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'ModifiedStoreWrite' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer', ['_MMPTE']]], } ], '_PPM_SELECTION_MENU_ENTRY' : [ 0x10, { 'StrictDependency' : [ 0x0, ['unsigned char']], 'InitiatingState' : [ 0x1, ['unsigned char']], 'DependentState' : [ 0x2, ['unsigned char']], 'StateIndex' : [ 0x4, ['unsigned long']], 'Dependencies' : [ 0x8, ['unsigned long']], 'DependencyList' : [ 0xc, ['pointer', ['_PPM_SELECTION_DEPENDENCY']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x14, { 'RefCount' : [ 0x0, ['unsigned long']], 
'Anchor' : [ 0x0, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x4, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0xc, ['_RTL_BITMAP']], 'EvictedBitmap' : [ 0xc, ['_RTL_BITMAP']], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_MI_COMBINE_WORKITEM' : [ 0x14, { 'NextEntry' : [ 0x0, ['pointer', ['void']]], 'WorkItem' : [ 0x4, ['_WORK_QUEUE_ITEM']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x2a4, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, 
['unsigned long']], 'PackageDependencyData' : [ 0x298, ['pointer', ['void']]], 'ProcessGroupId' : [ 0x29c, ['unsigned long']], 'LoaderThreads' : [ 0x2a0, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_LOCK_HEADER' : [ 0x10, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x4, ['unsigned long']], 'Lock' : [ 0x8, ['unsigned long']], 'Valid' : [ 0xc, ['unsigned long']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 
'Reserved' : [ 0x3, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned 
long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_MSUBSECTION' : [ 0x44, { 'Core' : [ 0x0, ['_SUBSECTION']], 'SubsectionNode' : [ 0x28, ['_RTL_BALANCED_NODE']], 'DereferenceList' : [ 0x34, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x3c, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x40, ['unsigned long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], 
'_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_256a' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x2000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_256a']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x18, ['unsigned long']], 'NonPagablePages' : [ 0x1c, ['unsigned long']], 'CommittedPages' : [ 0x20, ['unsigned long']], 'PagedPoolStart' : [ 0x24, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x28, ['pointer', ['void']]], 'SessionObject' : [ 0x2c, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x30, ['pointer', ['void']]], 'SessionPoolAllocationFailures' : [ 0x34, ['array', 4, ['unsigned long']]], 'ImageTree' : [ 0x44, ['_RTL_AVL_TREE']], 'LocaleId' : [ 0x48, ['unsigned long']], 'AttachCount' : [ 0x4c, ['unsigned long']], 'AttachGate' : [ 0x50, ['_KGATE']], 'WsListEntry' : [ 0x60, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 24, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xc80, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xc94, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xcb0, ['_MMSUPPORT']], 'Wsle' : [ 0xd30, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xd34, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xd40, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1e80, ['pointer', ['_MMPTE']]], 'PagedPoolBitBuffer' : [ 0x1e84, ['array', 32, ['unsigned long']]], 'SpecialPool' : [ 0x1f08, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f50, ['_EX_PUSH_LOCK']], 'PoolBigEntriesInUse' : [ 0x1f54, ['long']], 'PagedPoolPdeCount' : [ 0x1f58, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f5c, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f60, ['unsigned long']], 'SystemPteInfo' : [ 
0x1f64, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f98, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1f9c, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1fa0, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fa4, ['unsigned long']], 'IoState' : [ 0x1fa8, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1fac, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fb0, ['_KEVENT']], 'ServerSilo' : [ 0x1fc0, ['pointer', ['_ESILO']]], 'CreateTime' : [ 0x1fc8, ['unsigned long long']], } ], '_MMPAGE_FILE_EXPANSION' : [ 0x38, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'Partition' : [ 0xc, ['pointer', ['_MI_PARTITION']]], 'RequestedExpansionSize' : [ 0x10, ['unsigned long']], 'ActualExpansion' : [ 0x14, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'InProgress' : [ 0x28, ['long']], 'u' : [ 0x2c, ['_MMPAGE_FILE_EXPANSION_FLAGS']], 'ActiveEntry' : [ 0x30, ['pointer', ['pointer', ['void']]]], 'AttemptForCantExtend' : [ 0x34, ['unsigned char']], 'PageFileContract' : [ 0x35, ['unsigned char']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '__unnamed_257b' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_257e' : [ 0x4, { 
'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x4c, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x28, ['__unnamed_257b']], 'Subsection' : [ 0x2c, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x30, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x38, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x40, ['pointer', ['_EPROCESS']]], 'u4' : [ 0x44, ['__unnamed_257e']], 'FileObject' : [ 0x48, ['pointer', ['_FILE_OBJECT']]], } ], '_SEP_SID_VALUES_BLOCK' : [ 0x10, { 'BlockLength' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'SidCount' : [ 0x8, ['unsigned long']], 'SidValuesStart' : [ 0xc, ['unsigned long']], } ], '_MI_PARTITION_STATE' : [ 0x30, { 'PartitionLock' : [ 0x0, ['unsigned long']], 'PartitionIdLock' : [ 0x4, ['_EX_PUSH_LOCK']], 'InitialPartitionIdBits' : [ 0x8, ['unsigned long long']], 'PartitionList' : [ 0x10, ['_LIST_ENTRY']], 'PartitionIdBitmap' : [ 0x18, ['pointer', ['_RTL_BITMAP']]], 'InitialPartitionIdBitmap' : [ 0x1c, ['_RTL_BITMAP']], 'TempPartitionPointers' : [ 0x24, ['array', 1, ['pointer', ['_MI_PARTITION']]]], 'Partition' : [ 0x28, ['pointer', ['pointer', ['_MI_PARTITION']]]], 'TotalPagesInChildPartitions' : [ 0x2c, ['unsigned long']], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Gate' : [ 0x8, ['_KGATE']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 
'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_NONOPAQUE_OPLOCK' : [ 0x50, { 'IrpExclusiveOplock' : [ 0x0, ['pointer', ['_IRP']]], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x8, ['pointer', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'WaiterPriority' : [ 0x10, ['unsigned char']], 'IrpOplocksR' : [ 0x14, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x1c, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x24, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x2c, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x34, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x3c, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x44, ['pointer', ['_GUID']]], 'OplockState' : [ 0x48, ['unsigned long']], 'FastMutex' : [ 0x4c, ['pointer', ['_FAST_MUTEX']]], } ], '_MI_LARGEPAGE_MEMORY_INFO' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ColoredPageInfoBase' : [ 0x8, ['pointer', ['_COLORED_PAGE_INFO']]], 'PagesNeedZeroing' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PROCESS_ENERGY_VALUES' : [ 0x90, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'DiskEnergy' : [ 0x40, ['unsigned long long']], 'NetworkTailEnergy' : [ 0x48, ['unsigned long long']], 'MBBTailEnergy' : [ 0x50, ['unsigned long long']], 'NetworkTxRxBytes' : [ 0x58, ['unsigned long long']], 'MBBTxRxBytes' : [ 0x60, ['unsigned long long']], 'Foreground' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'WindowInformation' : [ 
0x68, ['unsigned long']], 'PixelArea' : [ 0x6c, ['unsigned long']], 'PixelReportTimestamp' : [ 0x70, ['long long']], 'PixelTime' : [ 0x78, ['unsigned long long']], 'ForegroundReportTimestamp' : [ 0x80, ['long long']], 'ForegroundTime' : [ 0x88, ['unsigned long long']], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_MI_COMMON_PAGE_STATE' : [ 0x2c, { 'PageOfOnesPfn' : [ 0x0, ['pointer', ['_MMPFN']]], 'PageOfOnes' : [ 0x4, ['unsigned long']], 'DummyPagePfn' : [ 0x8, ['pointer', ['_MMPFN']]], 'DummyPage' : [ 0xc, ['unsigned long']], 'PageOfZeroes' : [ 0x10, ['unsigned long']], 'ZeroMapping' : [ 0x14, ['pointer', ['void']]], 'OnesMapping' : [ 0x18, ['pointer', ['void']]], 'BitmapGapFrames' : [ 0x1c, ['array', 2, ['unsigned long']]], 'PfnGapFrames' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '__unnamed_25a9' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x18, { 'SessionProtoNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeList' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'DriverAddress' : [ 0x0, ['pointer', ['void']]], 'SessionId' : [ 0xc, ['unsigned long']], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'u2' : [ 0x14, ['__unnamed_25a9']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 
0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', 
dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'SystemVaAllocated' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PreferredFsCompressionBoundary' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'UsingFileExtents' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x18, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x8, ['pointer', ['void']]], 'SessionViewVa' : [ 0x8, ['pointer', ['void']]], 'VadsProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Type' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'SubsectionType' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SectionOffset' : [ 0x10, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 
'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '__unnamed_25c2' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x50, { 'Status' : [ 0x0, ['long']], 'PartitionId' : [ 0x4, ['unsigned short']], 'Priority' : [ 0x6, ['unsigned char']], 'IrpPriority' : [ 0x7, ['unsigned char']], 'ReservationWrite' : [ 0x8, ['unsigned char']], 'CurrentTime' : [ 0x10, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x18, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x1c, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x24, ['unsigned long']], 'ModifiedPagefileNoReservationPages' : [ 0x28, ['unsigned long']], 'MdlHack' : [ 0x2c, ['__unnamed_25c2']], } ], '_PROC_PERF_DOMAIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0x18, ['unsigned long']], 'Class' : [ 0x1c, ['unsigned char']], 'Spare' : [ 0x1d, ['array', 3, ['unsigned char']]], 'Processors' : [ 0x20, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0x24, ['pointer', ['void']]], 'TimeWindowHandler' : [ 0x28, ['pointer', ['void']]], 'BoostPolicyHandler' : [ 0x2c, ['pointer', ['void']]], 'BoostModeHandler' : [ 0x30, ['pointer', ['void']]], 'EnergyPerfPreferenceHandler' : [ 0x34, ['pointer', ['void']]], 'AutonomousActivityWindowHandler' : [ 0x38, ['pointer', ['void']]], 'AutonomousModeHandler' : [ 0x3c, ['pointer', ['void']]], 'ReinitializeHandler' : [ 0x40, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x44, ['pointer', ['void']]], 'PerfControlHandler' : [ 0x48, ['pointer', ['void']]], 'MaxFrequency' : [ 0x4c, ['unsigned long']], 'NominalFrequency' : [ 0x50, ['unsigned long']], 'MaxPercent' : [ 0x54, ['unsigned long']], 'MinPerfPercent' : [ 0x58, ['unsigned long']], 'MinThrottlePercent' : [ 0x5c, ['unsigned long']], 
'MinimumRelativePerformance' : [ 0x60, ['unsigned long long']], 'NominalRelativePerformance' : [ 0x68, ['unsigned long long']], 'Coordination' : [ 0x70, ['unsigned char']], 'HardPlatformCap' : [ 0x71, ['unsigned char']], 'AffinitizeControl' : [ 0x72, ['unsigned char']], 'EfficientThrottle' : [ 0x73, ['unsigned char']], 'AutonomousMode' : [ 0x74, ['unsigned char']], 'SelectedPercent' : [ 0x78, ['unsigned long']], 'SelectedFrequency' : [ 0x7c, ['unsigned long']], 'DesiredPercent' : [ 0x80, ['unsigned long']], 'MaxPolicyPercent' : [ 0x84, ['unsigned long']], 'MinPolicyPercent' : [ 0x88, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x8c, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x90, ['unsigned long']], 'GuaranteedPercent' : [ 0x94, ['unsigned long']], 'TolerancePercent' : [ 0x98, ['unsigned long']], 'SelectedState' : [ 0xa0, ['unsigned long long']], 'PerfChangeTime' : [ 0xa8, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0xb0, ['unsigned long']], 'Force' : [ 0xb4, ['unsigned char']], 'ProvideGuidance' : [ 0xb5, ['unsigned char']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HVIEW_MAP_TABLE' : [ 0x600, { 'Entries' : [ 0x0, ['array', 64, ['_HVIEW_MAP_ENTRY']]], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_TRIAGE_9F_PNP' : [ 0xc, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, 
['unsigned short']], 'CompletionQueue' : [ 0x4, ['pointer', ['_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE']]], 'DelayedWorkQueue' : [ 0x8, ['pointer', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_RELATION_LIST' : [ 0x8, { 'DeviceObjectList' : [ 0x0, ['pointer', ['_DEVICE_OBJECT_LIST']]], 'Sorted' : [ 0x4, ['unsigned char']], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_MI_STANDBY_STATE' : [ 0x80, { 'TransitionSharedPages' : [ 0x0, ['unsigned long']], 'TransitionSharedPagesPeak' : [ 0x4, ['array', 3, ['unsigned long']]], 'FirstDecayPage' : [ 0x10, ['unsigned long']], 'PfnDecayFreeSList' : [ 0x18, ['_SLIST_HEADER']], 'PfnRepurposeLog' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'AllocatePfnRepurposeDpc' : [ 0x24, ['_KDPC']], } ], '_MI_ACCESS_LOG_STATE' : [ 0x80, { 'CcAccessLog' : [ 0x0, ['pointer', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'Enabled' : [ 0x4, ['unsigned long']], 'DisableAccessLogging' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'MinLoggingPriority' : [ 0x18, ['unsigned long']], 'AccessLoggingLock' : [ 0x40, ['unsigned long']], } ], '_ETW_BUFFER_QUEUE' : [ 0xc, { 'QueueHead' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueTail' : [ 0x4, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x48, { 'Lock' : [ 0x0, ['unsigned long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long']], 'SpecialPoolPdes' : [ 0x3c, ['_RTL_BITMAP']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 
0x4, { 'LogHandleContext' : [ 0x0, ['pointer', ['_LOG_HANDLE_CONTEXT']]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_CURRENT_BROADCAST' : [ 0x10, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'DeviceState' : [ 0xc, ['pointer', ['_POP_DEVICE_SYS_STATE']]], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_FAST_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_IOV_IRP_TRACE' : [ 0x40, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x8, ['short']], 'SpecialApcDisable' : [ 0xa, ['short']], 'CombinedApcDisable' : [ 0x8, ['unsigned long']], 'Irql' : [ 0xc, ['unsigned char']], 'StackTrace' : [ 0x10, ['array', 12, ['pointer', ['void']]]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x4, ['pointer', 
['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_PROC_IDLE_POLICY' : [ 0x5, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2624' : [ 0x4, { 'PercentLevel' : [ 0x0, ['unsigned long']], } ], '__unnamed_2626' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_2624']], 'Button' : [ 0xc, ['__unnamed_2626']], } ], '_KDPC_DATA' : [ 0x18, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], 'ActiveDpc' : [ 0x14, ['pointer', ['_KDPC']]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned 
long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_KSCB' : [ 0xf8, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'MinQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'MaxQuotaCycleTarget' : [ 0x10, ['unsigned long long']], 'RankCycleTarget' : [ 0x18, ['unsigned long long']], 'LongTermCycles' : [ 0x20, ['unsigned long long']], 'LastReportedCycles' : [ 0x28, ['unsigned long long']], 'OverQuotaHistory' : [ 0x30, ['unsigned long long']], 'ReadyTime' : [ 0x38, ['unsigned long long']], 'InsertTime' : [ 0x40, ['unsigned long long']], 'PerProcessorList' : [ 0x48, ['_LIST_ENTRY']], 'QueueNode' : [ 0x50, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'MaxOverQuota' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'MinOverQuota' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SoftCap' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Spare1' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Depth' : [ 0x5d, ['unsigned char']], 'ReadySummary' : [ 0x5e, ['unsigned short']], 'Rank' : [ 0x60, ['unsigned long']], 'ReadyListHead' : [ 0x64, ['array', 16, ['_LIST_ENTRY']]], 'ChildScbQueue' : [ 0xe4, ['_RTL_RB_TREE']], 'Parent' : [ 0xec, ['pointer', ['_KSCB']]], 'Root' : [ 0xf0, ['pointer', ['_KSCB']]], } ], '__unnamed_2635' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_2636' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : 
[ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2635']], 'Merged' : [ 0x10, ['__unnamed_2636']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_PROC_PERF_HISTORY' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'UtilityTotal' : [ 0x8, ['unsigned long']], 'AffinitizedUtilityTotal' : [ 0xc, ['unsigned long']], 'FrequencyTotal' : [ 0x10, ['unsigned long']], 'TaggedPercentTotal' : [ 0x14, ['array', 2, ['unsigned long']]], 'HistoryList' : [ 0x1c, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_MI_PARTITION_ZEROING' : [ 0x2c, { 'PageEvent' : [ 0x0, ['_KEVENT']], 'ThreadActive' : [ 0x10, ['unsigned char']], 'ZeroFreePageSlistMinimum' : [ 0x14, ['long']], 'FirstReservedZeroingPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'RebalanceZeroFreeWorkItem' : [ 0x1c, ['_WORK_QUEUE_ITEM']], } ], '__unnamed_2643' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_2643']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 
'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Processors' : [ 0x4, ['unsigned long']], 'ActiveProcessors' : [ 0x8, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '__unnamed_265c' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_265e' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_265c']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0xa8, { 'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_265e']], 'Signature' : [ 0x14, 
['unsigned long']], 'PoolPageHeaders' : [ 0x18, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, ['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], 'ExecutePoolTypes' : [ 0x90, ['unsigned long']], 'ExecutePageProtections' : [ 0x94, ['unsigned long']], 'ExecutePageMappings' : [ 0x98, ['unsigned long']], 'ExecuteWriteSections' : [ 0x9c, ['unsigned long']], 'SectionAlignmentFailures' : [ 0xa0, ['unsigned long']], } ], '_TRIAGE_DEVICE_NODE' : [ 0x2c, { 'Sibling' : [ 0x0, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, 
['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'FxDevice' : [ 0x28, ['pointer', ['_TRIAGE_POP_FX_DEVICE']]], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long']], 'PipelinedReadAheadRequestSize' : [ 0x54, ['unsigned long']], 'ReadAheadGrowth' : [ 0x58, ['unsigned long']], 'PrivateLinks' : [ 0x5c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x64, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, 
native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_MI_SYSTEM_IMAGE_STATE' : [ 0x64, { 'FixupLock' : [ 0x0, ['long']], 'FixupList' : [ 0x4, ['_LIST_ENTRY']], 'LoadLock' : [ 0xc, ['_KMUTANT']], 'FirstLoadEver' : [ 0x2c, ['unsigned char']], 'LargePageAll' : [ 0x2d, ['unsigned char']], 'LastPage' : [ 0x30, ['unsigned long']], 'LargePageList' : [ 0x34, ['_LIST_ENTRY']], 'BeingDeleted' : [ 0x3c, ['pointer', ['_KLDR_DATA_TABLE_ENTRY']]], 'MappingRangesPushLock' : [ 0x40, ['_EX_PUSH_LOCK']], 'MappingRanges' : [ 0x44, ['array', 2, ['pointer', ['_MI_DRIVER_VA']]]], 'PageCount' : [ 0x4c, ['unsigned long']], 'PageCounts' : [ 0x50, ['_MM_SYSTEM_PAGE_COUNTS']], 'CollidedLock' : [ 0x60, ['_EX_PUSH_LOCK']], } ], '_PTE_TRACKER' : [ 0x44, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned 
long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'GuardPte' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 7, ['pointer', ['void']]]], } ], '_HV_GET_CELL_CONTEXT' : [ 0x4, { 'Cell' : [ 0x0, ['unsigned long']], 'IsInTempBin' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '__unnamed_268b' : [ 0x2, { 'SignatureLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'SignatureType' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned short')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'EntireField' : [ 0x0, ['unsigned short']], } ], 
'_KLDR_DATA_TABLE_ENTRY' : [ 0x5c, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'ExceptionTable' : [ 0x8, ['pointer', ['void']]], 'ExceptionTableSize' : [ 0xc, ['unsigned long']], 'GpValue' : [ 0x10, ['pointer', ['void']]], 'NonPagedDebugInfo' : [ 0x14, ['pointer', ['_NON_PAGED_DEBUG_INFO']]], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'u1' : [ 0x3a, ['__unnamed_268b']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'CoverageSectionSize' : [ 0x44, ['unsigned long']], 'CoverageSection' : [ 0x48, ['pointer', ['void']]], 'LoadedImports' : [ 0x4c, ['pointer', ['void']]], 'Spare' : [ 0x50, ['pointer', ['void']]], 'SizeOfImageNotRounded' : [ 0x54, ['unsigned long']], 'TimeDateStamp' : [ 0x58, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x28, { 'InstantaneousRead' : [ 0x0, ['pointer', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 
0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'Scaling' : [ 0x22, ['unsigned char']], 'Context' : [ 0x24, ['unsigned long']], } ], '_PPM_COORDINATED_SYNCHRONIZATION' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'EnterProcessor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 14, native_type='unsigned long')]], 'ExitProcessor' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 28, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'Entered' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MI_PAGING_IO_STATE' : [ 0x38, { 'PageFileHead' : [ 0x0, ['_RTL_AVL_TREE']], 'PageFileHeadSpinLock' : [ 0x4, ['long']], 'PrefetchSeekThreshold' : [ 0x8, ['long']], 'InPageSupportSListHead' : [ 0x10, ['array', 2, ['_SLIST_HEADER']]], 'InPageSupportSListMinimum' : [ 0x20, ['array', 2, ['unsigned char']]], 'InPageSinglePages' : [ 0x24, ['unsigned long']], 'DelayPageFaults' : [ 0x28, ['long']], 'FileCompressionBoundary' : [ 0x2c, ['unsigned long']], 'MdlsAdjusted' : [ 0x30, ['unsigned char']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_MI_FORCED_COMMITS' : [ 0x8, { 'Regular' : [ 0x0, ['unsigned long']], 'Wrap' : [ 0x4, ['unsigned long']], } ], '_MI_FILE_EXTENTS' : [ 0x4, { 'WaitList' : [ 0x0, ['pointer', ['_MI_FILE_EXTENTS_WAIT_BLOCK']]], } ], '_HMAP_ENTRY' : [ 0x14, { 'BlockOffset' : [ 0x0, ['unsigned long']], 'PermanentBinAddress' : [ 0x4, ['unsigned long']], 'TemporaryBinAddress' : [ 0x8, ['unsigned long']], 'TemporaryBinRundown' : [ 0xc, ['_EX_RUNDOWN_REF']], 'MemAlloc' : [ 0x10, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x1c, { 'HashLink' : [ 0x0, 
['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'Reference' : [ 0x8, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x18, ['unsigned char']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_PLATFORM_IDLE_ACCOUNTING' : [ 0x3f8, { 'ResetCount' : [ 0x0, ['unsigned long']], 'StateCount' : [ 0x4, ['unsigned long']], 'TimeUnit' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['_PLATFORM_IDLE_STATE_ACCOUNTING']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_DUAL' : [ 0x19c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x190, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x198, ['unsigned long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x4, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 11, native_type='unsigned long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_26be' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_26c1' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0xf8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'Event' : [ 0x10, ['_KEVENT']], 'CollidedEvent' : [ 0x20, ['_KEVENT']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ApcState' : [ 0x40, ['_KAPC_STATE']], 'Thread' : [ 0x58, ['pointer', 
['_ETHREAD']]], 'LockedProtoPfn' : [ 0x5c, ['pointer', ['_MMPFN']]], 'PteContents' : [ 0x60, ['_MMPTE']], 'WaitCount' : [ 0x68, ['long']], 'ByteCount' : [ 0x6c, ['unsigned long']], 'u3' : [ 0x70, ['__unnamed_26be']], 'u1' : [ 0x74, ['__unnamed_26c1']], 'FilePointer' : [ 0x78, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x7c, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x7c, ['pointer', ['_SUBSECTION']]], 'Autoboost' : [ 0x80, ['pointer', ['void']]], 'FaultingAddress' : [ 0x84, ['pointer', ['void']]], 'PointerPte' : [ 0x88, ['pointer', ['_MMPTE']]], 'BasePte' : [ 0x8c, ['pointer', ['_MMPTE']]], 'Pfn' : [ 0x90, ['pointer', ['_MMPFN']]], 'PrefetchMdl' : [ 0x94, ['pointer', ['_MDL']]], 'Mdl' : [ 0x98, ['_MDL']], 'Page' : [ 0xb4, ['array', 16, ['unsigned long']]], 'FlowThrough' : [ 0xb4, ['_MMINPAGE_SUPPORT_FLOW_THROUGH']], } ], '_HAL_NODE_RANGE' : [ 0x8, { 'PageFrameIndex' : [ 0x0, ['unsigned long']], 'Node' : [ 0x4, ['unsigned long']], } ], '_MMCLONE_BLOCK' : [ 0x10, { 'ProtoPte' : [ 0x0, ['_MMPTE']], 'CloneCommitCount' : [ 0x8, ['unsigned long']], 'u1' : [ 0x8, ['_MI_CLONE_BLOCK_FLAGS']], 'CloneRefCount' : [ 0xc, ['unsigned long']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 
'ConfigureDeviceExtensions', 24: 'ConfigureDeviceReset'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned long']], 'CompletionEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], 'ActivityId' : [ 0x20, ['_GUID']], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'LowboxNumber' : [ 0x14, ['unsigned long']], 'AtomTable' : [ 0x18, ['pointer', ['void']]], } ], '_MI_LDW_WORK_CONTEXT' : [ 0x20, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'FileObject' : [ 0x10, ['pointer', ['_FILE_OBJECT']]], 'ErrorStatus' : [ 0x14, ['long']], 'Active' : [ 0x18, ['long']], 'FreeWhenDone' : [ 0x1c, ['unsigned char']], } ], '_MI_CFG_BITMAP_INFO' : [ 0xc, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'RegionSize' : [ 0x4, ['unsigned long']], 'BitmapVad' : [ 0x8, ['pointer', ['_MMVAD']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MI_SHUTDOWN_STATE' : [ 0x4c, { 'StandbyListDiscard' : [ 0x0, ['unsigned long']], 'CrashDumpInitialized' : [ 0x4, ['unsigned char']], 'ConnectedStandbyActive' : [ 0x5, ['unsigned char']], 'SystemShutdown' : [ 0x8, ['unsigned long']], 'ShutdownFlushInProgress' : [ 0xc, ['long']], 'ResumeItem' : [ 0x10, ['_MI_RESUME_WORKITEM']], 'FreeListDiscard' : [ 0x30, ['unsigned char']], 'MirrorHoldsPfn' : [ 0x34, ['pointer', ['_ETHREAD']]], 'MirroringActive' : [ 0x38, ['unsigned long']], 'MirrorBitMap' : [ 0x3c, ['pointer', ['_RTL_BITMAP']]], 'MirrorBitMapInterlocked' : [ 0x40, ['pointer', ['_RTL_BITMAP']]], 'MirrorListLocks' : [ 0x44, ['pointer', ['void']]], 'CrashDumpPte' : [ 0x48, ['pointer', ['_MMPTE']]], } ], 
'_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x18, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x1a, ['unsigned short']], 'OperatingSystemVersion' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ComPlusPrefer32bit' : [ 0x23, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x3c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GroupRegList' : [ 0x8, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer', ['_ETW_GUID_ENTRY']]], 'GroupEntry' : [ 0x14, ['pointer', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x18, ['pointer', 
['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x18, ['array', 4, ['pointer', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x18, ['pointer', ['void']]], 'SessionId' : [ 0x1c, ['unsigned long']], 'Process' : [ 0x28, ['pointer', ['_EPROCESS']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], 'Callback' : [ 0x2c, ['pointer', ['void']]], 'Index' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned char']], 'DbgKernelRegistration' : [ 0x32, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgUserRegistration' : [ 0x32, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DbgReplyRegistration' : [ 0x32, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'DbgClassicRegistration' : [ 0x32, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'DbgSessionSpaceRegistration' : [ 0x32, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DbgModernRegistration' : [ 0x32, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DbgClosed' : [ 0x32, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DbgInserted' : [ 0x32, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'EnableMask' : [ 0x33, ['unsigned char']], 'GroupEnableMask' : [ 0x34, ['unsigned char']], 'UseDescriptorType' : [ 0x35, ['unsigned char']], 'Traits' : [ 0x38, ['pointer', ['_ETW_PROVIDER_TRAITS']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 
'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_HVIEW_MAP_PIN_LOG' : [ 0x308, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Entries' : [ 0x8, ['array', 16, ['_HVIEW_MAP_PIN_LOG_ENTRY']]], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 
'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_MI_PROBE_RAISE_TRACKER' : [ 0x3c, { 'UserRangeInKernel' : [ 0x0, ['unsigned long']], 'FaultFailed' : [ 0x4, ['unsigned long']], 'WriteFaultFailed' : [ 0x8, ['unsigned long']], 'LargePageFailed' : [ 0xc, ['unsigned long']], 'UserAccessToKernelPte' : [ 0x10, ['unsigned long']], 'BadPageLocation' : [ 0x14, ['unsigned long']], 'InsufficientCharge' : [ 0x18, ['unsigned long']], 'PageTableCharge' : [ 0x1c, ['unsigned long']], 'NoPhysicalMapping' : [ 0x20, ['unsigned long']], 'NoIoReference' : [ 0x24, ['unsigned long']], 'ProbeFailed' : [ 0x28, ['unsigned long']], 'PteIsZero' : [ 0x2c, ['unsigned long']], 'StrongCodeWrite' : [ 0x30, ['unsigned long']], 'ReducedCloneCommitChargeFailed' : [ 0x34, ['unsigned long']], 'CopyOnWriteAtDispatchNoPages' : [ 0x38, ['unsigned long']], } ], '_ETW_PROVIDER_TRAITS' : [ 0x14, { 'Node' : [ 0x0, ['_RTL_BALANCED_NODE']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'Traits' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0x50, { 'Count' : [ 0x0, ['unsigned long']], 'Vectors' : [ 0x8, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_MI_CLONE_BLOCK_FLAGS' : [ 0x4, { 'ActualCloneCommit' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 27, native_type='unsigned long')]], 'CloneProtection' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xa0, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x34, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x34, ['unsigned long']], 'PackagedBinary' : [ 
0x34, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x34, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x34, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x34, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x34, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x34, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x34, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x34, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x34, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LoadConfigProcessed' : [ 0x34, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectDelayLoad' : [ 0x34, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x34, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x34, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 21, 
native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x34, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x34, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x34, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x34, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x34, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x34, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x34, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Lock' : [ 0x4c, ['pointer', ['void']]], 'DdagNode' : [ 0x50, ['pointer', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0x54, ['_LIST_ENTRY']], 'LoadContext' : [ 0x5c, ['pointer', ['_LDRP_LOAD_CONTEXT']]], 'ParentDllBase' : [ 0x60, ['pointer', ['void']]], 'SwitchBackContext' : [ 0x64, ['pointer', ['void']]], 'BaseAddressIndexNode' : [ 0x68, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0x74, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0x80, ['unsigned long']], 'LoadTime' : [ 0x88, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x90, ['unsigned long']], 'LoadReason' : [ 0x94, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 
'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x98, ['unsigned long']], 'ReferenceCount' : [ 0x9c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], 'AllStacksInUse' : [ 0x14, ['unsigned long']], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CoalescedIo' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'VmLockNotNeeded' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_MI_DRIVER_VA' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_DRIVER_VA']]], 'PointerPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BitMap' : [ 0x8, ['_RTL_BITMAP']], 'Hint' : [ 0x10, ['unsigned long']], } ], '_LDR_DDAG_NODE' : [ 0x2c, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x8, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0xc, ['unsigned long']], 'LoadWhileUnloadingCount' : [ 0x10, ['unsigned long']], 'LowestLink' : [ 0x14, ['unsigned long']], 'Dependencies' : [ 0x18, ['_LDRP_CSLIST']], 'IncomingDependencies' : [ 0x1c, ['_LDRP_CSLIST']], 'State' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x28, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x104, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'Order' : [ 0x1c, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0xec, ['_LIST_ENTRY']], 'Status' : [ 0xf4, ['long']], 'FailedDevice' : [ 0xf8, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0xfc, ['unsigned char']], 'Cancelled' : [ 0xfd, ['unsigned char']], 'IgnoreErrors' : [ 0xfe, ['unsigned char']], 'IgnoreNotImplemented' : [ 0xff, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x100, ['unsigned char']], } ], '_KHETERO_PROCESSOR_SET' : [ 0x8, { 'PreferredMask' : [ 0x0, ['unsigned long']], 'AvailableMask' : [ 0x4, ['unsigned long']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x8, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, 
['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x40, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Name' : [ 0xc, ['_UNICODE_STRING']], 'Latency' : [ 0x14, ['unsigned long']], 'BreakEvenDuration' : [ 0x18, ['unsigned long']], 'Power' : [ 0x1c, ['unsigned long']], 'StateFlags' : [ 0x20, ['unsigned long']], 'VetoAccounting' : [ 0x24, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0x38, ['unsigned char']], 'InterruptsEnabled' : [ 0x39, ['unsigned char']], 'Interruptible' : [ 0x3a, ['unsigned char']], 'ContextRetained' : [ 0x3b, ['unsigned char']], 'CacheCoherent' : [ 0x3c, ['unsigned char']], 'WakesSpuriously' : [ 0x3d, ['unsigned char']], 'PlatformOnly' : [ 0x3e, ['unsigned char']], 'NoCState' : [ 0x3f, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : 
[ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_MI_SYSTEM_PTE_STATE' : [ 0x180, { 'DeadPteTrackerSListHead' : [ 0x0, ['_SLIST_HEADER']], 'PteTrackerLock' : [ 0x8, ['unsigned long']], 'MdlTrackerLookaside' : [ 0x40, ['_NPAGED_LOOKASIDE_LIST']], 'PteTrackingBitmap' : [ 0x100, ['_RTL_BITMAP']], 'CachedPteHeads' : [ 0x108, ['pointer', ['_MI_CACHED_PTES']]], 'SystemViewPteInfo' : [ 0x10c, ['_MI_SYSTEM_PTE_TYPE']], 'KernelStackPages' : [ 0x140, ['unsigned char']], 'QueuedStacks' : [ 0x148, ['_SLIST_HEADER']], 'StackGrowthFailures' : [ 0x150, ['unsigned long']], 'TrackPtesAborted' : [ 0x154, ['unsigned char']], 'AdjustCounter' : [ 0x155, ['unsigned char']], 'QueuedStacksWorkItem' : [ 0x158, ['_MI_QUEUED_DEADSTACK_WORKITEM']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x34, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x8, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0xc, ['long']], 'HighWaterMark' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['array', 8, ['unsigned long']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned 
long']], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_PPM_POLICY_SETTINGS_MASK' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'PerfDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PerfIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerfDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PerfIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PerfDecreaseThreshold' 
: [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PerfIncreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'PerfMinPolicy' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'PerfMaxPolicy' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'PerfTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PerfBoostPolicy' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PerfBoostMode' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AllowThrottling' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PerfHistoryCount' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ParkingPerfState' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LatencyHintPerf' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'LatencyHintUnpark' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CoreParkingMinCores' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CoreParkingMaxCores' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'CoreParkingDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'CoreParkingIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CoreParkingDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CoreParkingIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CoreParkingOverUtilizationThreshold' : [ 0x0, 
['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'CoreParkingDistributeUtility' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CoreParkingConcurrencyThreshold' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CoreParkingHeadroomThreshold' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CoreParkingDistributionThreshold' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IdleAllowScaling' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'IdleDisable' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'IdleTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'IdleDemoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'IdlePromoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HeteroDecreaseTime' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HeteroIncreaseTime' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HeteroDecreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HeteroIncreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Class0FloorPerformance' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Class1InitialPerformance' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnergyPerfPreference' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AutonomousActivityWindow' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 
'AutonomousMode' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DutyCycling' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_275e' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x14, { 'NodeRangeSize' : [ 0x0, ['unsigned long']], 'NodeCount' : [ 0x4, ['unsigned long']], 'Tables' : [ 0x8, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0xc, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_275e']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_POP_FX_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['unsigned char']], 'DripsRequiredState' : [ 0x8, ['unsigned long']], 'Level' : [ 0xc, ['long']], 'ActiveStamp' : [ 0x10, ['long long']], 'CsActiveTime' : [ 0x18, ['unsigned long long']], 'CriticalActiveTime' : [ 0x20, ['long long']], } ], '_MI_RESUME_WORKITEM' : [ 0x20, { 'ResumeCompleteEvent' : [ 0x0, ['_KEVENT']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_TRIAGE_EX_WORK_QUEUE' : [ 0x19c, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x8, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'TaggedPercent' : [ 0x5, ['array', 2, ['unsigned char']]], } ], '_POP_FX_COMPONENT' : [ 0xc0, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x14, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x30, ['pointer', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x34, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x3c, ['long']], 'ActiveEvent' : [ 0x40, ['_KEVENT']], 'IdleLock' : [ 0x50, ['unsigned long']], 'IdleConditionComplete' : [ 0x54, ['long']], 'IdleStateComplete' : [ 0x58, ['long']], 'IdleStamp' : [ 0x60, ['unsigned long long']], 'CurrentIdleState' : [ 0x68, ['unsigned long']], 'IdleStateCount' : [ 0x6c, ['unsigned long']], 'IdleStates' : [ 0x70, ['pointer', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0x74, ['unsigned long']], 'ProviderCount' : [ 0x78, ['unsigned long']], 'Providers' : [ 0x7c, ['pointer', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0x80, ['unsigned long']], 'DependentCount' : [ 0x84, ['unsigned long']], 'Dependents' : [ 0x88, ['pointer', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0x90, ['_POP_FX_ACCOUNTING']], 'Performance' : [ 0xb8, ['pointer', ['_POP_FX_PERF_INFO']]], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x8, { 'DeviceHandle' : [ 0x0, ['pointer', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x4, ['pointer', ['void']]], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x1c, { 'ComponentActive' : [ 0x0, ['pointer', ['void']]], 'ComponentIdle' : [ 0x4, ['pointer', ['void']]], 'ComponentIdleState' : [ 0x8, ['pointer', ['void']]], 
'DevicePowerRequired' : [ 0xc, ['pointer', ['void']]], 'DevicePowerNotRequired' : [ 0x10, ['pointer', ['void']]], 'PowerControl' : [ 0x14, ['pointer', ['void']]], 'ComponentCriticalTransition' : [ 0x18, ['pointer', ['void']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x2c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x8, ['unsigned char']], 'Spare' : [ 0x9, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0xc, ['unsigned long']], 'DebugId' : [ 0x10, ['_CVDD']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40f0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'StackLimitHits' : [ 0x4038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x403c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x4040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4044, ['unsigned long']], 'TotalReleases' : [ 0x4048, ['unsigned long']], 'RootNodesDeleted' : [ 0x404c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x4050, ['unsigned long']], 'Instigator' : [ 0x4054, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4058, ['unsigned long']], 'Participant' : [ 0x405c, 
['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40dc, ['long']], 'StackType' : [ 0x40e0, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x40e4, ['unsigned long']], 'StackHighLimit' : [ 0x40e8, ['unsigned long']], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 
'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_MM_SYSTEM_PAGE_COUNTS' : [ 0x10, { 'SystemCodePage' : [ 0x0, ['unsigned long']], 'SystemDriverPage' : [ 0x4, ['unsigned long']], 'TotalSystemCodePages' : [ 0x8, ['long']], 'TotalSystemDriverPages' : [ 0xc, ['long']], } ], '_MI_MODWRITE_DATA' : [ 0x30, { 'PagesLoad' : [ 0x0, ['long']], 'PagesAverage' : [ 0x4, ['unsigned long']], 'AverageAvailablePages' : [ 0x8, ['unsigned long']], 'PagesWritten' : [ 0xc, ['unsigned long']], 'WritesIssued' : [ 0x10, ['unsigned long']], 'IgnoredReservationsCount' : [ 0x14, ['unsigned long']], 'FreedReservationsCount' : [ 0x18, ['unsigned long']], 'WriteBurstCount' : [ 0x1c, ['unsigned long']], 'IgnoreReservationsStartTime' : [ 0x20, ['unsigned long long']], 'ReservationClusterInfo' : [ 0x28, ['_MI_RESERVATION_CLUSTER_INFO']], 'IgnoreReservations' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'Spare1' : [ 0x2e, ['unsigned short']], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_PLATFORM_IDLE_STATE_ACCOUNTING' : [ 0x3e0, { 'CancelCount' : [ 0x0, ['unsigned long']], 'FailureCount' : [ 0x4, ['unsigned long']], 'SuccessCount' : [ 0x8, ['unsigned long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'TotalTime' : [ 0x20, ['unsigned long long']], 
'InvalidBucketIndex' : [ 0x28, ['unsigned long']], 'SelectionStatistics' : [ 0x30, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa0, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, 
['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 
'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, 
end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x30, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'ExpectedWakeReason' : [ 0x2d, ['unsigned char']], } ], '_KREQUEST_PACKET' : [ 0x10, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer', ['void']]]], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, ['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x12, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PrivateDemandZero' : [ 
0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_27d9' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_27db' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_27d9']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_27db']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_PO_IRP_QUEUE' : 
[ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_27f0' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_27f0']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned 
long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_HVIEW_MAP_ENTRY' : [ 0x18, { 'ViewStart' : [ 0x0, ['pointer', ['void']]], 'IsPinned' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Bcb' : [ 0x4, ['pointer', ['void']]], 'PinnedPages' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_POP_COOLING_EXTENSION' : [ 0x48, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'RequestListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['_POP_RW_LOCK']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'NotificationEntry' : [ 0x1c, ['pointer', ['void']]], 'Enabled' : [ 0x20, ['unsigned char']], 'ActiveEngaged' : [ 0x21, ['unsigned 
char']], 'ThrottleLimit' : [ 0x22, ['unsigned char']], 'UpdatingToCurrent' : [ 0x23, ['unsigned char']], 'RemovalFlushEvent' : [ 0x24, ['pointer', ['_KEVENT']]], 'PnpFlushEvent' : [ 0x28, ['pointer', ['_KEVENT']]], 'Interface' : [ 0x2c, ['_THERMAL_COOLING_INTERFACE']], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_CM_INDEX' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'NameHint' : [ 0x4, ['array', 4, ['unsigned char']]], 'HashKey' : [ 0x4, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x18, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_THERMAL_POLICY' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ThermalStandby' : [ 0x7, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], 'OverThrottled' : [ 0x14, ['unsigned char']], } ], 
'_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_MI_AVAILABLE_PAGE_WAIT_STATES' : [ 0x14, { 'Event' : [ 0x0, ['_KEVENT']], 'EventSets' : [ 0x10, ['unsigned long']], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, 
native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_COLORED_PAGE_INFO' : [ 0x10, { 'BeingZeroed' : [ 0x0, ['long']], 'Processor' : [ 0x4, ['unsigned long']], 'PagesQueued' : [ 0x8, ['unsigned long']], 'PfnAllocation' : [ 0xc, ['pointer', ['_MMPFN']]], } ], '_TRIAGE_9F_POWER' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'IrpList' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'ThreadList' : [ 0x8, ['pointer', ['_LIST_ENTRY']]], 'DelayedWorkQueue' : [ 0xc, ['pointer', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_MI_POOL_STATE' : [ 0x4e0, { 'MaximumNonPagedPoolThreshold' : [ 0x0, ['unsigned long']], 'NonPagedPoolSListMaximum' : [ 0x4, ['array', 3, ['unsigned long']]], 'AllocatedNonPagedPool' : [ 0x10, ['unsigned long']], 'BadPoolHead' : [ 0x14, ['_SINGLE_LIST_ENTRY']], 'PoolFailures' : [ 0x18, ['array', 3, ['array', 3, ['unsigned long']]]], 'PoolFailureReasons' : [ 0x3c, ['array', 11, ['unsigned long']]], 'LowPagedPoolThreshold' : [ 0x68, ['unsigned long']], 'HighPagedPoolThreshold' : [ 0x6c, ['unsigned long']], 
'SpecialPoolPdesMax' : [ 0x70, ['long']], 'NonPagedPoolNodes' : [ 0x74, ['array', 1024, ['unsigned char']]], 'PagedProtoPoolInfo' : [ 0x474, ['_MM_PAGED_POOL_INFO']], 'PagedPoolSListMaximum' : [ 0x490, ['unsigned long']], 'PreemptiveTrims' : [ 0x494, ['array', 4, ['unsigned long']]], 'SpecialPagesInUsePeak' : [ 0x4a4, ['unsigned long']], 'SpecialPoolRejected' : [ 0x4a8, ['array', 9, ['unsigned long']]], 'SpecialPagesNonPaged' : [ 0x4cc, ['unsigned long']], 'SpecialPoolPdes' : [ 0x4d0, ['long']], 'SessionSpecialPoolPdesMax' : [ 0x4d4, ['unsigned long']], 'TotalPagedPoolQuota' : [ 0x4d8, ['unsigned long']], 'TotalNonPagedPoolQuota' : [ 0x4dc, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_POP_POWER_SETTING_VALUES' : [ 0x13c, { 'StructureSize' : [ 0x0, ['unsigned long']], 'PopPolicy' : [ 0x4, ['_SYSTEM_POWER_POLICY']], 'CurrentAcDcPowerState' : [ 0xec, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'AwayModeEnabled' : [ 0xf0, ['unsigned char']], 'AwayModeEngaged' : [ 0xf1, ['unsigned char']], 'AwayModePolicyAllowed' : [ 0xf2, ['unsigned char']], 'AwayModeIgnoreUserPresent' : [ 0xf4, ['long']], 'AwayModeIgnoreAction' : [ 0xf8, ['long']], 'DisableFastS4' : [ 0xfc, ['unsigned char']], 'DisableStandbyStates' : [ 0xfd, ['unsigned char']], 'UnattendSleepTimeout' : [ 0x100, ['unsigned long']], 'DiskIgnoreTime' : [ 0x104, ['unsigned long']], 'DeviceIdlePolicy' : [ 0x108, ['unsigned long']], 'VideoDimTimeout' : [ 0x10c, ['unsigned long']], 'VideoNormalBrightness' : [ 0x110, ['unsigned long']], 'VideoDimBrightness' : [ 0x114, ['unsigned long']], 'AlsOffset' : [ 0x118, ['unsigned long']], 'AlsEnabled' : [ 0x11c, ['unsigned long']], 'EsBrightness' : [ 0x120, ['unsigned 
long']], 'SwitchShutdownForced' : [ 0x124, ['unsigned char']], 'SystemCoolingPolicy' : [ 0x128, ['unsigned long']], 'MediaBufferingEngaged' : [ 0x12c, ['unsigned char']], 'OffloadedAudio' : [ 0x12d, ['unsigned char']], 'NonOffloadedAudio' : [ 0x12e, ['unsigned char']], 'FullscreenVideoPlayback' : [ 0x12f, ['unsigned char']], 'EsBatteryThreshold' : [ 0x130, ['unsigned long']], 'EsUserAwaySetting' : [ 0x134, ['unsigned char']], 'WiFiInStandby' : [ 0x138, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_285f' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2861' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_285f']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_2861']], } ], '_MI_IO_PAGE_STATE' : [ 0x34, { 'IoPfnLock' : [ 0x0, ['unsigned long']], 'IoPfnRoot' : [ 0x4, ['array', 3, ['_RTL_AVL_TREE']]], 'UnusedCachedMaps' : [ 0x10, ['_LIST_ENTRY']], 'OldestCacheFlushTimeStamp' : [ 0x18, ['unsigned long']], 'IoCacheStats' 
: [ 0x1c, ['_MI_IO_CACHE_STATS']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_VF_AVL_TABLE' : [ 0x80, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x3c, ['pointer', ['void']]], 'Lock' : [ 0x40, ['long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1e, { 'PerUserPolicy' : [ 0x0, ['array', 30, ['unsigned char']]], } ], '_TRIAGE_POP_FX_DEVICE' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'IrpData' : [ 0xc, ['pointer', ['_TRIAGE_POP_IRP_DATA']]], 'Status' : [ 0x10, ['long']], 'PowerReqCall' : [ 0x14, ['long']], 'PowerNotReqCall' : [ 0x18, ['long']], 'DeviceNode' : [ 0x1c, ['pointer', ['_TRIAGE_DEVICE_NODE']]], } ], '__unnamed_2879' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_287b' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_2881' : [ 0xc, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], 'OutputInformation' : [ 0x8, ['pointer', ['_FS_FILTER_SECTION_SYNC_OUTPUT']]], } ], '__unnamed_2885' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], 
'__unnamed_2887' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_2879']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_287b']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2881']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2885']], 'Others' : [ 0x0, ['__unnamed_2887']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x4, { 'Function' : [ 0x0, ['pointer', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x70, { 'SelectedCount' : [ 0x0, ['unsigned long long']], 'VetoCount' : [ 0x8, ['unsigned long long']], 'PreVetoCount' : [ 0x10, ['unsigned long long']], 'WrongProcessorCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, ['unsigned long long']], 'IdleDurationCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'PlatformOnlyCount' : [ 0x40, ['unsigned long long']], 'InterruptibleCount' : [ 0x48, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x50, ['unsigned long long']], 'CstateCheckCount' : [ 0x58, ['unsigned long long']], 'NoCStateCount' : [ 0x60, ['unsigned long long']], 'CoordinatedDependencyCount' : [ 0x68, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x4, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 
'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_MI_PAGE_COMBINE_STATISTICS' : [ 0x28, { 'PagesScannedActive' : [ 0x0, ['unsigned long long']], 'PagesScannedStandby' : [ 0x8, ['unsigned long long']], 'PagesCombined' : [ 0x10, ['unsigned long long']], 'CombineScanCount' : [ 0x18, ['unsigned long']], 'CombinedBlocksInUse' : [ 0x1c, ['long']], 'SumCombinedBlocksReferenceCount' : [ 0x20, ['long']], } ], '__unnamed_2895' : [ 0x4, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], 'RemoteImageFileObject' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RemoteDataFileObject' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '_SECTION' : [ 0x28, { 'SectionNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u1' : [ 0x14, ['__unnamed_2895']], 'SizeOfSection' : [ 0x18, ['unsigned long long']], 'u' : [ 0x20, ['__unnamed_1678']], 'InitialPageProtection' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'SessionId' : [ 0x24, ['BitField', dict(start_bit = 12, end_bit = 31, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x24, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_THERMAL_COOLING_INTERFACE' : [ 0x1c, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'Flags' : [ 0x10, ['unsigned long']], 'ActiveCooling' : [ 0x14, ['pointer', ['void']]], 'PassiveCooling' : [ 0x18, ['pointer', ['void']]], } ], '_HIVE_WAIT_PACKET' : [ 0x18, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Next' : [ 0x14, ['pointer', ['_HIVE_WAIT_PACKET']]], } ], '_PROC_PERF_CHECK' : [ 0xc0, 
{ 'LastActive' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'LastStall' : [ 0x10, ['unsigned long long']], 'Snap' : [ 0x18, ['_PROC_PERF_CHECK_SNAP']], 'TempSnap' : [ 0x68, ['_PROC_PERF_CHECK_SNAP']], 'TaggedThreadPercent' : [ 0xb8, ['array', 2, ['unsigned char']]], 'Class0FloorPerfSelection' : [ 0xba, ['unsigned char']], 'Class1MinimumPerfSelection' : [ 0xbb, ['unsigned char']], } ], '__unnamed_28a5' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_28a7' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_28a9' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_28a5']], 'Interrupt' : [ 0x0, ['__unnamed_28a7']], 'LocalInterrupt' : [ 0x0, ['__unnamed_28a7']], 'Sci' : [ 0x0, ['__unnamed_28a7']], 'Nmi' : [ 0x0, ['__unnamed_28a7']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_28a9']], } ], '_POP_HIBER_CONTEXT' : [ 0x140, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'VerifyKernelPhaseOnResume' : [ 0x3, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x4, ['unsigned char']], 'InitializationFinished' : [ 0x5, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'HvCaptureReadyBarrier' : [ 0x14, ['long']], 'HvCaptureCompletedBarrier' : [ 0x18, ['long']], 'MapFrozen' : [ 0x1c, ['unsigned char']], 'DiscardMap' : [ 0x20, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x20, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x28, ['_RTL_BITMAP']], 
'ClonedRanges' : [ 0x30, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x38, ['unsigned long']], 'ClonedPageCount' : [ 0x40, ['unsigned long long']], 'CurrentMap' : [ 0x48, ['pointer', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x4c, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x50, ['unsigned long']], 'LoaderMdl' : [ 0x54, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x58, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x60, ['unsigned long long']], 'IoPages' : [ 0x68, ['pointer', ['void']]], 'IoPagesCount' : [ 0x6c, ['unsigned long']], 'CurrentMcb' : [ 0x70, ['pointer', ['void']]], 'DumpStack' : [ 0x74, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x78, ['pointer', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0x7c, ['unsigned long']], 'Status' : [ 0x80, ['long']], 'GraphicsProc' : [ 0x84, ['unsigned long']], 'MemoryImage' : [ 0x88, ['pointer', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0x8c, ['pointer', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0x90, ['pointer', ['_MDL']]], 'SiLogOffset' : [ 0x94, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0x98, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0x9c, ['pointer', ['void']]], 'ResumeContext' : [ 0xa0, ['pointer', ['void']]], 'ResumeContextPages' : [ 0xa4, ['unsigned long']], 'ProcessorCount' : [ 0xa8, ['unsigned long']], 'ProcessorContext' : [ 0xac, ['pointer', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0xb0, ['pointer', ['unsigned char']]], 'ProdConsSize' : [ 0xb4, ['unsigned long']], 'MaxDataPages' : [ 0xb8, ['unsigned long']], 'ExtraBuffer' : [ 0xbc, ['pointer', ['void']]], 'ExtraBufferSize' : [ 0xc0, ['unsigned long']], 'ExtraMapVa' : [ 0xc4, ['pointer', ['void']]], 'BitlockerKeyPFN' : [ 0xc8, ['unsigned long']], 'IoInfo' : [ 0xd0, ['_POP_IO_INFO']], 'IoChecksums' : [ 0x130, ['pointer', ['unsigned short']]], 'IoChecksumsSize' : [ 0x134, ['unsigned long']], 'HardwareConfigurationSignature' : [ 0x138, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, 
['array', 16, ['pointer', ['void']]]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_POP_FX_PERF_INFO' : [ 0x60, { 'Component' : [ 0x0, ['pointer', ['_POP_FX_COMPONENT']]], 'CompletedEvent' : [ 0x4, ['_KEVENT']], 'ComponentPerfState' : [ 0x14, ['pointer', ['void']]], 'Flags' : [ 0x18, ['_POP_FX_PERF_FLAGS']], 'LastChange' : [ 0x1c, ['pointer', ['_PO_FX_PERF_STATE_CHANGE']]], 'LastChangeCount' : [ 0x20, ['unsigned long']], 'LastChangeStamp' : [ 0x28, ['unsigned long long']], 'LastChangeNominal' : [ 0x30, ['unsigned char']], 'PepRegistered' : [ 0x31, ['unsigned char']], 'QueryOnIdleStates' : [ 0x32, ['unsigned char']], 'RequestDriverContext' : [ 0x34, ['pointer', ['void']]], 'WorkOrder' : [ 0x38, ['_POP_FX_WORK_ORDER']], 'SetsCount' : [ 0x54, ['unsigned long']], 'Sets' : [ 0x58, ['pointer', ['_POP_FX_PERF_SET']]], } ], '_HAL_CHANNEL_MEMORY_RANGES' : [ 0xc, { 'PageFrameIndex' : [ 0x0, ['unsigned long']], 'MpnId' : [ 0x4, ['unsigned short']], 'Node' : [ 0x6, ['unsigned short']], 'Channel' : [ 0x8, ['unsigned short']], 'IsPowerManageable' : [ 0xa, ['unsigned char']], 
'DeepPowerState' : [ 0xb, ['unsigned char']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x100, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xc0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xc8, ['pointer', ['void']]], 'PointersLength' : [ 0xcc, ['unsigned long']], 'ModulePrefix' : [ 0xd0, ['pointer', ['unsigned short']]], 'DriverList' : [ 0xd4, ['_LIST_ENTRY']], 'InitMsg' : [ 0xdc, ['_STRING']], 'ProgMsg' : [ 0xe4, ['_STRING']], 'DoneMsg' : [ 0xec, ['_STRING']], 'FileObject' : [ 0xf4, ['pointer', ['void']]], 'UsageType' : [ 0xf8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_PAE_PAGEINFO' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'PageFrameNumber' : [ 0x8, ['unsigned long']], 'EntriesInUse' : [ 0xc, ['unsigned long']], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x4, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x24, { 'InitiatingThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ThreadId' : [ 0x8, ['pointer', ['void']]], 'ProcessId' : [ 0xc, ['pointer', ['void']]], 'Code' : [ 0x10, ['unsigned long']], 'Parameter1' : [ 0x14, ['unsigned long']], 'Parameter2' : [ 0x18, ['unsigned long']], 'Parameter3' : [ 0x1c, ['unsigned long']], 'Parameter4' : [ 0x20, ['unsigned long']], } ], '_NB10' : [ 0x14, 
{ 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, ['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_FS_FILTER_SECTION_SYNC_OUTPUT' : [ 0x10, { 'StructureSize' : [ 0x0, ['unsigned long']], 'SizeReturned' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DesiredReadAlignment' : [ 0xc, ['unsigned long']], } ], '_HVIEW_MAP_PIN_LOG_ENTRY' : [ 0x30, { 'ViewOffset' : [ 0x0, ['unsigned long']], 'Pinned' : [ 0x4, ['unsigned char']], 'PinMask' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer', ['_KTHREAD']]], 'Stack' : [ 0x14, ['array', 6, ['pointer', ['void']]]], } ], '__unnamed_28e9' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_28e9']], } ], '__unnamed_28ed' : [ 0x8, 
{ 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_28ed']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_MI_FILE_EXTENTS_WAIT_BLOCK' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_FILE_EXTENTS_WAIT_BLOCK']]], 'Gate' : [ 0x4, ['_KGATE']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_KSCHEDULING_GROUP_POLICY' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long']], 'Weight' : [ 0x0, ['unsigned short']], 'MinRate' : [ 0x0, ['unsigned short']], 'MaxRate' : [ 0x2, ['unsigned short']], 'AllFlags' : [ 0x4, ['unsigned long']], 'Type' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare1' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], 'PO_MEMORY_IMAGE' : [ 0x310, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long long']], 'HiberFlags' : [ 0x30, ['unsigned char']], 'spare' : [ 0x31, ['array', 3, ['unsigned char']]], 
'NoHiberPtes' : [ 0x34, ['unsigned long']], 'HiberVa' : [ 0x38, ['unsigned long']], 'NoFreePages' : [ 0x3c, ['unsigned long']], 'FreeMapCheck' : [ 0x40, ['unsigned long']], 'WakeCheck' : [ 0x44, ['unsigned long']], 'NumPagesForLoader' : [ 0x48, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x50, ['unsigned long']], 'FirstKernelRestorePage' : [ 0x54, ['unsigned long']], 'FirstChecksumRestorePage' : [ 0x58, ['unsigned long']], 'NoChecksumEntries' : [ 0x60, ['unsigned long long']], 'PerfInfo' : [ 0x68, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x248, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x24c, ['array', 1, ['unsigned long']]], 'SiLogOffset' : [ 0x250, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x254, ['unsigned long']], 'BootLoaderLogPages' : [ 0x258, ['array', 24, ['unsigned long']]], 'NotUsed' : [ 0x2b8, ['unsigned long']], 'ResumeContextCheck' : [ 0x2bc, ['unsigned long']], 'ResumeContextPages' : [ 0x2c0, ['unsigned long']], 'Hiberboot' : [ 0x2c4, ['unsigned char']], 'HvCr3' : [ 0x2c8, ['unsigned long long']], 'HvEntryPoint' : [ 0x2d0, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x2d8, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x2e0, ['unsigned long long']], 'BootFlags' : [ 0x2e8, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x2f0, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x2f8, ['unsigned long']], 'BitlockerKeyPfns' : [ 0x2fc, ['array', 4, ['unsigned long']]], 'HardwareSignature' : [ 0x30c, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x10, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : 
[ 0x1e0, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'HiberChecksumTicks' : [ 0x30, ['unsigned long long']], 'HiberChecksumIoTicks' : [ 0x38, ['unsigned long long']], 'TotalHibernateTime' : [ 0x40, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x48, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x4c, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x50, ['unsigned long']], 'ResumeAppTicks' : [ 0x58, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x60, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x68, ['unsigned long long']], 'ResumeInitTicks' : [ 0x70, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x78, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x80, ['unsigned long long']], 'ResumeIoTicks' : [ 0x88, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x90, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0x98, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0xa0, ['unsigned long long']], 'ResumeMapTicks' : [ 0xa8, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xb0, ['unsigned long long']], 'ResumeChecksumTicks' : [ 0xb8, ['unsigned long long']], 'ResumeChecksumIoTicks' : [ 0xc0, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xc8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xd0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xd8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xe0, ['unsigned long long']], 'HalTscOffset' : [ 0xe8, ['unsigned long long']], 'HvlTscOffset' : [ 0xf0, ['unsigned long long']], 'SleeperThreadEnd' : [ 0xf8, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0x100, ['unsigned long long']], 'IoBoundedness' : [ 0x108, ['unsigned long long']], 
'KernelDecompressTicks' : [ 0x110, ['unsigned long long']], 'KernelIoTicks' : [ 0x118, ['unsigned long long']], 'KernelCopyTicks' : [ 0x120, ['unsigned long long']], 'ReadCheckCount' : [ 0x128, ['unsigned long long']], 'KernelInitTicks' : [ 0x130, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x138, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x140, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x148, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x150, ['unsigned long long']], 'KernelChecksumTicks' : [ 0x158, ['unsigned long long']], 'KernelChecksumIoTicks' : [ 0x160, ['unsigned long long']], 'AnimationStart' : [ 0x168, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x170, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x178, ['unsigned long']], 'SecurePagesProcessed' : [ 0x180, ['unsigned long long']], 'BootPagesProcessed' : [ 0x188, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x190, ['unsigned long long']], 'BootBytesWritten' : [ 0x198, ['unsigned long long']], 'KernelBytesWritten' : [ 0x1a0, ['unsigned long long']], 'BootPagesWritten' : [ 0x1a8, ['unsigned long long']], 'KernelPagesWritten' : [ 0x1b0, ['unsigned long long']], 'BytesWritten' : [ 0x1b8, ['unsigned long long']], 'PagesWritten' : [ 0x1c0, ['unsigned long']], 'FileRuns' : [ 0x1c4, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x1c8, ['unsigned long']], 'MaxHuffRatio' : [ 0x1cc, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x1d0, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1d8, ['unsigned long long']], } ], '_MI_QUEUED_DEADSTACK_WORKITEM' : [ 0x14, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Active' : [ 0x10, ['long']], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 
'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_FREE_DISPLAY' : [ 0x10, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_MMINPAGE_SUPPORT_FLOW_THROUGH' : [ 0x1c, { 'Page' : [ 0x0, ['array', 1, ['unsigned long']]], 'InitialInPageSupport' : [ 0x4, ['pointer', ['_MMINPAGE_SUPPORT']]], 'PagingFile' : [ 0x8, ['pointer', ['_MMPAGING_FILE']]], 'PageFileOffset' : [ 0xc, ['unsigned long']], 'Node' : [ 0x10, ['_RTL_BALANCED_NODE']], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x70, { 'UncompressedData' : [ 0x0, ['pointer', ['unsigned char']]], 'MappingVa' : [ 0x4, ['pointer', ['void']]], 'XpressEncodeWorkspace' : [ 0x8, ['pointer', ['void']]], 'CompressedDataBuffer' : [ 0xc, ['pointer', ['unsigned char']]], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'CompressTicks' : [ 0x18, ['unsigned long long']], 'BytesCopied' : [ 0x20, ['unsigned long long']], 'PagesProcessed' : [ 0x28, ['unsigned long long']], 'DecompressTicks' : [ 0x30, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x38, ['unsigned long long']], 'SharedBufferTicks' : [ 0x40, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x48, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x68, ['unsigned long']], 'HuffCompressCount' : [ 0x6c, ['unsigned long']], } ], '_IO_REMOVE_LOCK' : [ 0x18, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_POP_IO_INFO' : [ 0x60, { 'DumpMdl' : [ 0x0, ['pointer', ['_MDL']]], 'IoStatus' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x8, ['unsigned long long']], 'IoBytesCompleted' : [ 0x10, ['unsigned long long']], 'IoBytesInProgress' : [ 0x18, ['unsigned long long']], 'RequestSize' : [ 0x20, ['unsigned long long']], 'IoLocation' : [ 0x28, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x30, 
['unsigned long long']], 'Buffer' : [ 0x38, ['pointer', ['void']]], 'AsyncCapable' : [ 0x3c, ['unsigned char']], 'BytesToRead' : [ 0x40, ['unsigned long long']], 'Pages' : [ 0x48, ['unsigned long']], 'HighestChecksumIndex' : [ 0x50, ['unsigned long long']], 'PreviousChecksum' : [ 0x58, ['unsigned short']], } ], '_LDRP_CSLIST' : [ 0x4, { 'Tail' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_NON_PAGED_DEBUG_INFO' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Machine' : [ 0x8, ['unsigned short']], 'Characteristics' : [ 0xa, ['unsigned short']], 'TimeDateStamp' : [ 0xc, ['unsigned long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'SizeOfImage' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], } ], '_POP_FX_PERF_SET' : [ 0x20, { 'PerfSet' : [ 0x0, ['pointer', ['_PO_FX_COMPONENT_PERF_SET']]], 'CurrentPerf' : [ 0x8, ['unsigned long long']], 'CurrentPerfStamp' : [ 0x10, ['unsigned long long']], 'CurrentPerfNominal' : [ 0x18, ['unsigned char']], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, 
end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LeakedPoolDeliberately' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '__unnamed_292a' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_292c' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_292f' : [ 0x8, { 'IntrInfo' : [ 
0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_2933' : [ 0x4, { 'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x14, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x20, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x30, ['__unnamed_292a']], 'XapicMessage' : [ 0x38, ['__unnamed_292c']], 'Hypertransport' : [ 0x38, ['__unnamed_292f']], 'GenericMessage' : [ 0x38, ['__unnamed_292c']], 'MessageRequest' : [ 0x38, ['__unnamed_2933']], } ], '_MMPAGE_FILE_EXPANSION_FLAGS' : [ 0x4, { 'PageFileNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'IgnoreCurrentCommit' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreaseMinimumSize' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare3' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : 
[ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '__unnamed_2941' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x4, ['pointer', ['_PO_FX_PERF_STATE']]], } ], '__unnamed_2943' : [ 0x10, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], } ], '_PO_FX_COMPONENT_PERF_SET' : [ 0x28, { 'Name' : [ 0x0, ['_UNICODE_STRING']], 'Flags' : [ 0x8, ['unsigned long long']], 'Unit' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateUnitOther', 1: 'PoFxPerfStateUnitFrequency', 2: 'PoFxPerfStateUnitBandwidth', 3: 'PoFxPerfStateUnitMaximum'})]], 'Type' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateTypeDiscrete', 1: 'PoFxPerfStateTypeRange', 2: 'PoFxPerfStateTypeMaximum'})]], 'Discrete' : [ 0x18, ['__unnamed_2941']], 'Range' : [ 0x18, ['__unnamed_2943']], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2954' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2956' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2958' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2954']], 'Gpt' : [ 0x0, ['__unnamed_2956']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xc0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 
'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MarkMemoryOnly' : [ 0x45, ['unsigned char']], 'HiberResume' : [ 0x46, ['unsigned char']], 'Reserved1' : [ 0x47, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_2958']], 'ReadRoutine' : [ 0x6c, ['pointer', ['void']]], 'GetDriveTelemetryRoutine' : [ 0x70, ['pointer', ['void']]], 'LogSectionTruncateSize' : [ 0x74, ['unsigned long']], 'Parameters' : [ 0x78, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xb8, ['pointer', ['void']]], 'DumpNotifyRoutine' : [ 0xbc, ['pointer', ['void']]], } ], '_MI_IO_CACHE_STATS' : [ 0x18, { 'UnusedBlocks' : [ 0x0, ['unsigned long']], 'ActiveCacheMatch' : [ 0x4, ['unsigned long']], 'ActiveCacheOverride' : [ 0x8, ['unsigned long']], 'UnmappedCacheFlush' : [ 0xc, ['unsigned long']], 'UnmappedCacheMatch' : [ 0x10, ['unsigned long']], 'UnmappedCacheConflict' : [ 0x14, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '_ETW_QUEUE_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x8, ['pointer', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0xc, ['pointer', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x10, ['pointer', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x14, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned short']], 'ReplyIndex' : [ 0x1a, ['unsigned short']], 'Flags' : [ 0x1c, ['unsigned long']], } ], '_MI_RESERVATION_CLUSTER_INFO' : [ 0x4, { 
'ClusterSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'EntireInfo' : [ 0x0, ['long']], } ], '_TRIAGE_POP_IRP_DATA' : [ 0x10, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'Pdo' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], } ], '_KDPC_LIST' : [ 0x8, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x4, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0xd0, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x18, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 
'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '__unnamed_298b' : [ 0x4, { 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 
1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_298d' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_298b']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2990' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2992' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2990']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, ['__unnamed_298d']], 'HighPart' : [ 0x4, ['__unnamed_2992']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, 
['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_PROC_PERF_CHECK_SNAP' : [ 0x50, { 'Time' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned long long']], 'Stall' : [ 0x10, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x18, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledKernelActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], 'TaggedThreadCycles' : [ 0x40, ['array', 2, ['unsigned long long']]], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_PO_FX_PERF_STATE_CHANGE' : [ 0x10, { 'Set' : [ 0x0, ['unsigned long']], 'StateIndex' : [ 0x8, ['unsigned long']], 'StateValue' : [ 0x8, ['unsigned long long']], } ], '__unnamed_29a2' : [ 0x8, { 'MessageAddressLow' : [ 0x0, ['unsigned long']], 'MessageData' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], } ], '__unnamed_29a4' : [ 0x8, { 'RemappedFormat' : [ 0x0, ['_ULARGE_INTEGER']], 'Msi' : [ 0x0, ['__unnamed_29a2']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_29a4']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, 
['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Xcr0' : [ 0x3c, ['unsigned long long']], 'ExceptionList' : [ 0x44, ['unsigned long']], 'Reserved' : [ 0x48, ['array', 3, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_PO_FX_PERF_STATE' : [ 0x10, { 'Value' : [ 0x0, ['unsigned long long']], 'Context' : [ 0x8, ['pointer', ['void']]], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, 
['unsigned long']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/vista_sp2_x86_vtypes.py0000644000000000000000000146274413131215405031001 0ustar rootrootntkrnlmp_types = { '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, 
['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_PPM_DIA_STATS' : [ 0xc, { 'PerfLevel' : [ 0x0, ['unsigned long']], 'IdleTime' : [ 0x4, ['unsigned long']], 'TimeInterval' : [ 0x8, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, 
['_ARM_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_203f' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, 
['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_2041' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_2045' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_2049' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_204b' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_203f']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2041']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2045']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2049']], 'Others' : [ 0x0, ['__unnamed_204b']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x100, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 
'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, ['unsigned long']], 'MapFrozen' : [ 0xc, ['unsigned char']], 'MemoryMap' : [ 0x10, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x18, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x20, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x28, ['unsigned long']], 'NextCloneRange' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x30, ['unsigned long']], 'LoaderMdl' : [ 0x34, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x38, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x40, ['unsigned long long']], 'IoPages' : [ 0x48, ['pointer', ['void']]], 'IoPagesCount' : [ 0x4c, ['unsigned long']], 'CurrentMcb' : [ 0x50, ['pointer', ['void']]], 'DumpStack' : [ 0x54, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x58, ['pointer', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0x5c, ['unsigned long']], 'HiberPte' : [ 0x60, ['_LARGE_INTEGER']], 'Status' : [ 0x68, ['long']], 'MemoryImage' : [ 0x6c, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x70, ['pointer', ['_PO_MEMORY_RANGE_TABLE']]], 'CompressionWorkspace' : [ 0x74, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x78, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x7c, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x80, ['pointer', ['void']]], 'DmaIO' : [ 0x84, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x88, ['pointer', ['void']]], 'PerfInfo' : [ 0x90, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0xf0, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0xf4, ['pointer', ['_MDL']]], 'ResumeContext' : [ 0xf8, ['pointer', ['void']]], 'ResumeContextPages' : [ 0xfc, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, 
['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x20, { 'ThreadHandle' : [ 0x0, ['pointer', ['void']]], 'ThreadId' : [ 0x4, ['pointer', ['void']]], 'ProcessId' : [ 0x8, ['pointer', ['void']]], 'Code' : [ 0xc, ['unsigned long']], 'Parameter1' : [ 0x10, ['unsigned long']], 'Parameter2' : [ 0x14, ['unsigned long']], 'Parameter3' : [ 0x18, ['unsigned long']], 'Parameter4' : [ 0x1c, ['unsigned long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'ImageMerge' : [ 0x4, ['pointer', ['void']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS' : [ 0x8, { 'ProcessorType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 
1, native_type='unsigned long long')]], 'InstructionSet' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Operation' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Flags' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Level' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'CPUVersion' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CPUBrandString' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'ProcessorId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'TargetAddress' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InstructionPointer' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_2072' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], 
'_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_2072']], } ], '__unnamed_2076' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2076']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xf0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'HiberPte' : [ 0x38, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x40, ['unsigned long']], 'FreeMapCheck' : [ 0x44, ['unsigned long']], 'WakeCheck' : [ 0x48, ['unsigned long']], 'TotalPages' : [ 0x4c, ['unsigned long']], 'FirstTablePage' : [ 0x50, ['unsigned long']], 'PerfInfo' : [ 0x58, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xb8, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xbc, ['array', 1, ['unsigned long']]], 'NoBootLoaderLogPages' : [ 0xc0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xc4, ['array', 8, ['unsigned long']]], 'NotUsed' : [ 0xe4, ['unsigned long']], 'ResumeContextCheck' : [ 0xe8, ['unsigned long']], 'ResumeContextPages' : [ 0xec, ['unsigned 
long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, ['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'Writable' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned 
long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '__unnamed_2093' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_2095' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2097' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2099' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_209b' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_209d' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_209f' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20a1' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_20a3' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20a5' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 'Data' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '__unnamed_20a7' : [ 0x1c, { 'DeviceClass' : [ 0x0, ['__unnamed_2093']], 'TargetDevice' : [ 0x0, ['__unnamed_2095']], 'InstallDevice' : [ 0x0, ['__unnamed_2097']], 'CustomNotification' : [ 0x0, ['__unnamed_2099']], 'ProfileNotification' : [ 0x0, ['__unnamed_209b']], 'PowerNotification' : [ 0x0, ['__unnamed_209d']], 'VetoNotification' : [ 0x0, 
['__unnamed_209f']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20a1']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_20a3']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_20a5']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x40, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_20a7']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x34, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0xc, ['pointer', ['unsigned char']]], 'PciDeviceId' : [ 0x10, ['unsigned short']], 'PciVendorId' : [ 0x12, ['unsigned short']], 'PciBusNumber' : [ 0x14, ['unsigned char']], 'PciBusSegment' : [ 0x16, ['unsigned short']], 'PciSlotNumber' : [ 0x18, ['unsigned char']], 'PciFunctionNumber' : [ 0x19, ['unsigned char']], 'PciFlags' : [ 0x1c, ['unsigned long']], 'SystemGUID' : [ 0x20, ['_GUID']], 'IsMMIODevice' : [ 0x30, ['unsigned char']], 'TerminalType' : [ 0x31, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '__unnamed_20ba' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_20bc' : [ 0x10, { 
'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_20be' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_20ba']], 'Gpt' : [ 0x0, ['__unnamed_20bc']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_20be']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x2c, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Hint' : [ 0x8, ['unsigned long']], 'BasePte' : [ 0xc, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x10, ['pointer', ['unsigned long']]], 'Vm' : [ 0x14, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x18, ['long']], 'TotalFreeSystemPtes' : [ 0x1c, ['long']], 'CachedPteCount' : [ 0x20, ['long']], 'PteFailures' : [ 0x24, ['unsigned long']], 'GlobalMutex' : [ 0x28, ['pointer', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x10, { 'DHCPServerACK' : [ 0x0, ['pointer', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x4, ['unsigned long']], 'BootServerReplyPacket' : [ 0x8, ['pointer', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0xc, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, 
['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x148, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 
0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_PO_MEMORY_RANGE_TABLE' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_TABLE']]], 'NextTable' : [ 0x4, ['unsigned long']], 'EntryCount' : [ 0x8, ['unsigned long']], 'Range' : [ 0xc, ['array', 1, ['_PO_MEMORY_RANGE']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '_PO_MEMORY_RANGE' : [ 0x8, { 'StartPage' : [ 
0x0, ['unsigned long']], 'EndPage' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_1019' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1019']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_101e' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_101e']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_1037' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1039' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_1037']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x20, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_1039']], } ], '_TP_TASK_CALLBACKS' : [ 0x8, { 'ExecuteCallback' : [ 0x0, ['pointer', ['void']]], 'Unposted' : [ 0x4, ['pointer', ['void']]], } ], '_TP_TASK' : [ 0x4, { 'Callbacks' : [ 0x0, ['pointer', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x4, { 'Callback' : [ 0x0, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, 
['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_KPRCB' : [ 0x2008, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'CpuStepping' : [ 0x1a, ['unsigned char']], 'CpuModel' : [ 0x1b, ['unsigned char']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3bc, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3c0, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3c1, ['unsigned char']], 'PrcbPad0' : [ 0x3c2, ['array', 2, ['unsigned char']]], 'MHz' : [ 0x3c4, ['unsigned long']], 'PrcbPad1' : [ 0x3c8, ['array', 80, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 49, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x5a0, 
['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x5a4, ['unsigned long']], 'KernelTime' : [ 0x5a8, ['unsigned long']], 'UserTime' : [ 0x5ac, ['unsigned long']], 'DpcTime' : [ 0x5b0, ['unsigned long']], 'DpcTimeCount' : [ 0x5b4, ['unsigned long']], 'InterruptTime' : [ 0x5b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5bc, ['unsigned long']], 'PageColor' : [ 0x5c0, ['unsigned long']], 'SkipTick' : [ 0x5c4, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x5c5, ['unsigned char']], 'NodeColor' : [ 0x5c6, ['unsigned char']], 'PollSlot' : [ 0x5c7, ['unsigned char']], 'NodeShiftedColor' : [ 0x5c8, ['unsigned long']], 'ParentNode' : [ 0x5cc, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x5d0, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x5d4, ['pointer', ['_KPRCB']]], 'SecondaryColorMask' : [ 0x5d8, ['unsigned long']], 'DpcTimeLimit' : [ 0x5dc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x5e0, ['unsigned long']], 'CcFastReadWait' : [ 0x5e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x5e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x5ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x5f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x5f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x5f8, ['long']], 'IoReadOperationCount' : [ 0x5fc, ['long']], 'IoWriteOperationCount' : [ 0x600, ['long']], 'IoOtherOperationCount' : [ 0x604, ['long']], 'IoReadTransferCount' : [ 0x608, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x610, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x618, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x620, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x624, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x628, ['unsigned long']], 'CcMapDataNoWait' : [ 0x62c, ['unsigned long']], 'CcMapDataWait' : [ 0x630, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x634, ['unsigned long']], 'CcPinReadNoWait' : [ 0x638, ['unsigned long']], 'CcPinReadWait' : [ 0x63c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x640, ['unsigned long']], 
'CcMdlReadWait' : [ 0x644, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x648, ['unsigned long']], 'CcLazyWriteIos' : [ 0x64c, ['unsigned long']], 'CcLazyWritePages' : [ 0x650, ['unsigned long']], 'CcDataFlushes' : [ 0x654, ['unsigned long']], 'CcDataPages' : [ 0x658, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x65c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x660, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x664, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x668, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x66c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x670, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x674, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x678, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x67c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x680, ['unsigned long']], 'CcReadAheadIos' : [ 0x684, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x688, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x68c, ['unsigned long']], 'KeSystemCalls' : [ 0x690, ['unsigned long']], 'PrcbPad2' : [ 0x694, ['array', 3, ['unsigned long']]], 'PPLookasideList' : [ 0x6a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x720, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1020, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x1920, ['unsigned long']], 'ReverseStall' : [ 0x1924, ['long']], 'IpiFrame' : [ 0x1928, ['pointer', ['void']]], 'PrcbPad3' : [ 0x192c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x1960, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x196c, ['unsigned long']], 'WorkerRoutine' : [ 0x1970, ['pointer', ['void']]], 'IpiFrozen' : [ 0x1974, ['unsigned long']], 'PrcbPad4' : [ 0x1978, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x19a0, ['unsigned long']], 'SignalDone' : [ 0x19a4, ['pointer', ['_KPRCB']]], 'PrcbPad5' : [ 0x19a8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x19e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 
0x1a08, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x1a0c, ['long']], 'DpcRequestRate' : [ 0x1a10, ['unsigned long']], 'MinimumDpcRate' : [ 0x1a14, ['unsigned long']], 'DpcInterruptRequested' : [ 0x1a18, ['unsigned char']], 'DpcThreadRequested' : [ 0x1a19, ['unsigned char']], 'DpcRoutineActive' : [ 0x1a1a, ['unsigned char']], 'DpcThreadActive' : [ 0x1a1b, ['unsigned char']], 'PrcbLock' : [ 0x1a1c, ['unsigned long']], 'DpcLastCount' : [ 0x1a20, ['unsigned long']], 'TimerHand' : [ 0x1a24, ['unsigned long']], 'TimerRequest' : [ 0x1a28, ['unsigned long']], 'PrcbPad41' : [ 0x1a2c, ['pointer', ['void']]], 'DpcEvent' : [ 0x1a30, ['_KEVENT']], 'ThreadDpcEnable' : [ 0x1a40, ['unsigned char']], 'QuantumEnd' : [ 0x1a41, ['unsigned char']], 'PrcbPad50' : [ 0x1a42, ['unsigned char']], 'IdleSchedule' : [ 0x1a43, ['unsigned char']], 'DpcSetEventRequest' : [ 0x1a44, ['long']], 'Sleeping' : [ 0x1a48, ['long']], 'PeriodicCount' : [ 0x1a4c, ['unsigned long']], 'PeriodicBias' : [ 0x1a50, ['unsigned long']], 'PrcbPad51' : [ 0x1a54, ['array', 6, ['unsigned char']]], 'TickOffset' : [ 0x1a5c, ['long']], 'CallDpc' : [ 0x1a60, ['_KDPC']], 'ClockKeepAlive' : [ 0x1a80, ['long']], 'ClockCheckSlot' : [ 0x1a84, ['unsigned char']], 'ClockPollCycle' : [ 0x1a85, ['unsigned char']], 'PrcbPad6' : [ 0x1a86, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x1a88, ['long']], 'DpcWatchdogCount' : [ 0x1a8c, ['long']], 'ThreadWatchdogPeriod' : [ 0x1a90, ['long']], 'ThreadWatchdogCount' : [ 0x1a94, ['long']], 'PrcbPad70' : [ 0x1a98, ['array', 2, ['unsigned long']]], 'WaitListHead' : [ 0x1aa0, ['_LIST_ENTRY']], 'WaitLock' : [ 0x1aa8, ['unsigned long']], 'ReadySummary' : [ 0x1aac, ['unsigned long']], 'QueueIndex' : [ 0x1ab0, ['unsigned long']], 'DeferredReadyListHead' : [ 0x1ab4, ['_SINGLE_LIST_ENTRY']], 'StartCycles' : [ 0x1ab8, ['unsigned long long']], 'CycleTime' : [ 0x1ac0, ['unsigned long long']], 'PrcbPad71' : [ 0x1ac8, ['array', 3, ['unsigned long long']]], 'DispatcherReadyListHead' : 
[ 0x1ae0, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x1be0, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x1be4, ['long']], 'MmPageFaultCount' : [ 0x1be8, ['long']], 'MmCopyOnWriteCount' : [ 0x1bec, ['long']], 'MmTransitionCount' : [ 0x1bf0, ['long']], 'MmCacheTransitionCount' : [ 0x1bf4, ['long']], 'MmDemandZeroCount' : [ 0x1bf8, ['long']], 'MmPageReadCount' : [ 0x1bfc, ['long']], 'MmPageReadIoCount' : [ 0x1c00, ['long']], 'MmCacheReadCount' : [ 0x1c04, ['long']], 'MmCacheIoCount' : [ 0x1c08, ['long']], 'MmDirtyPagesWriteCount' : [ 0x1c0c, ['long']], 'MmDirtyWriteIoCount' : [ 0x1c10, ['long']], 'MmMappedPagesWriteCount' : [ 0x1c14, ['long']], 'MmMappedWriteIoCount' : [ 0x1c18, ['long']], 'CachedCommit' : [ 0x1c1c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x1c20, ['unsigned long']], 'HyperPte' : [ 0x1c24, ['pointer', ['void']]], 'CpuVendor' : [ 0x1c28, ['unsigned char']], 'PrcbPad8' : [ 0x1c29, ['array', 3, ['unsigned char']]], 'VendorString' : [ 0x1c2c, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x1c39, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x1c3a, ['unsigned char']], 'PrcbPad9' : [ 0x1c3b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x1c40, ['unsigned long']], 'UpdateSignature' : [ 0x1c48, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x1c50, ['unsigned long long']], 'SpareField1' : [ 0x1c58, ['unsigned long long']], 'NpxSaveArea' : [ 0x1c60, ['_FX_SAVE_AREA']], 'PowerState' : [ 0x1e70, ['_PROCESSOR_POWER_STATE']], 'DpcWatchdogDpc' : [ 0x1f38, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x1f58, ['_KTIMER']], 'WheaInfo' : [ 0x1f80, ['pointer', ['void']]], 'EtwSupport' : [ 0x1f84, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x1f88, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x1f90, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x1f98, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x1f9c, ['pointer', ['void']]], 'StatisticsPage' : [ 0x1fa0, ['pointer', ['unsigned long long']]], 'RateControl' : [ 
0x1fa4, ['pointer', ['void']]], 'Cache' : [ 0x1fa8, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x1fe4, ['unsigned long']], 'CacheProcessorMask' : [ 0x1fe8, ['array', 5, ['unsigned long']]], 'PackageProcessorSet' : [ 0x1ffc, ['unsigned long']], 'CoreProcessorSet' : [ 0x2000, ['unsigned long']], } ], '_KPCR' : [ 0x2128, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, 
['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x1e0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'HighCycleTime' : [ 0x18, ['unsigned long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer', ['void']]], 'StackLimit' : [ 0x2c, ['pointer', ['void']]], 'KernelStack' : [ 0x30, ['pointer', ['void']]], 'ThreadLock' : [ 0x34, ['unsigned long']], 'ApcState' : [ 0x38, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x38, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x4f, ['unsigned char']], 'NextProcessor' : [ 0x50, ['unsigned short']], 'DeferredProcessor' : [ 0x52, ['unsigned short']], 'ApcQueueLock' : [ 0x54, ['unsigned long']], 'ContextSwitches' : [ 0x58, ['unsigned long']], 'State' : [ 0x5c, ['unsigned char']], 'NpxState' : [ 0x5d, ['unsigned char']], 'WaitIrql' : [ 0x5e, ['unsigned char']], 'WaitMode' : [ 0x5f, ['unsigned char']], 'WaitStatus' : [ 0x60, ['long']], 'WaitBlockList' : [ 0x64, ['pointer', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x64, ['pointer', ['_KGATE']]], 'KernelStackResident' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'WaitNext' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x68, ['long']], 'WaitReason' : [ 0x6c, ['unsigned char']], 'SwapBusy' : [ 0x6d, ['unsigned char']], 'Alerted' : [ 0x6e, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x70, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x70, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x78, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x7c, ['unsigned long']], 'KernelApcDisable' : [ 0x80, ['short']], 'SpecialApcDisable' : [ 0x82, ['short']], 'CombinedApcDisable' : [ 0x80, ['unsigned long']], 'Teb' : [ 0x84, ['pointer', ['void']]], 'Timer' : [ 0x88, ['_KTIMER']], 'TimerFill' : [ 0x88, ['array', 40, ['unsigned char']]], 'AutoAlignment' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xb0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xb0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xb0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CycleChargePending' : [ 0xb0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xb0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xb0, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned long')]], 'EnableStackSwap' : [ 0xb0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xb0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb0, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xb0, ['long']], 'WaitBlock' : [ 0xb8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xb8, ['array', 23, ['unsigned char']]], 'IdealProcessor' : [ 0xcf, ['unsigned char']], 'WaitBlockFill1' : [ 0xb8, ['array', 47, ['unsigned char']]], 'PreviousMode' : [ 0xe7, ['unsigned char']], 'WaitBlockFill2' : [ 0xb8, ['array', 71, ['unsigned char']]], 'ResourceIndex' : [ 0xff, ['unsigned char']], 'WaitBlockFill3' : [ 0xb8, ['array', 95, ['unsigned char']]], 'LargeStack' : [ 0x117, ['unsigned char']], 'QueueListEntry' : [ 0x118, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x120, ['pointer', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x124, ['pointer', ['void']]], 'CallbackStack' : [ 0x128, ['pointer', ['void']]], 'CallbackDepth' : [ 0x128, ['unsigned long']], 'ServiceTable' : [ 0x12c, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x130, ['unsigned char']], 'BasePriority' : [ 0x131, ['unsigned char']], 'PriorityDecrement' : [ 0x132, ['unsigned char']], 'Preempted' : [ 0x133, ['unsigned char']], 'AdjustReason' : [ 0x134, ['unsigned char']], 'AdjustIncrement' : [ 0x135, ['unsigned char']], 'Spare01' : [ 0x136, ['unsigned char']], 'Saturation' : [ 0x137, ['unsigned char']], 'SystemCallNumber' : [ 0x138, ['unsigned long']], 'FreezeCount' : [ 0x13c, ['unsigned long']], 'UserAffinity' : [ 0x140, ['unsigned long']], 'Process' : [ 0x144, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x148, ['unsigned long']], 'ApcStatePointer' : [ 0x14c, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x154, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x154, ['array', 23, ['unsigned char']]], 'Spare02' : [ 0x16b, ['unsigned char']], 
'SuspendCount' : [ 0x16c, ['unsigned char']], 'UserIdealProcessor' : [ 0x16d, ['unsigned char']], 'Spare03' : [ 0x16e, ['unsigned char']], 'OtherPlatformFill' : [ 0x16f, ['unsigned char']], 'Win32Thread' : [ 0x170, ['pointer', ['void']]], 'StackBase' : [ 0x174, ['pointer', ['void']]], 'SuspendApc' : [ 0x178, ['_KAPC']], 'SuspendApcFill0' : [ 0x178, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x179, ['unsigned char']], 'SuspendApcFill1' : [ 0x178, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x17b, ['unsigned char']], 'SuspendApcFill2' : [ 0x178, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x17c, ['unsigned long']], 'SuspendApcFill3' : [ 0x178, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x19c, ['pointer', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x178, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1a0, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x178, ['array', 47, ['unsigned char']]], 'PowerState' : [ 0x1a7, ['unsigned char']], 'UserTime' : [ 0x1a8, ['unsigned long']], 'SuspendSemaphore' : [ 0x1ac, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x1ac, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1c0, ['unsigned long']], 'ThreadListEntry' : [ 0x1c4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1cc, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1d4, ['pointer', ['void']]], 'MdlForLockedTeb' : [ 0x1d8, ['pointer', ['void']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, 
['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 
'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_ETHREAD' : [ 0x288, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1e0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x1e8, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x1e8, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1f0, ['long']], 'OfsChain' : [ 0x1f0, ['pointer', ['void']]], 'PostBlockList' : [ 0x1f4, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x1f4, ['pointer', ['void']]], 'StartAddress' : [ 0x1f8, ['pointer', ['void']]], 'TerminationPort' : [ 0x1fc, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1fc, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1fc, ['pointer', ['void']]], 'Win32StartParameter' : [ 0x1fc, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x200, ['unsigned long']], 'ActiveTimerListHead' : [ 0x204, ['_LIST_ENTRY']], 'Cid' : [ 0x20c, ['_CLIENT_ID']], 
'KeyedWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x228, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x22c, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x234, ['unsigned long']], 'DeviceToVerify' : [ 0x238, ['pointer', ['_DEVICE_OBJECT']]], 'RateControlApc' : [ 0x23c, ['pointer', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x240, ['pointer', ['void']]], 'SparePtr0' : [ 0x244, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x248, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x250, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x254, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x258, ['unsigned long']], 'MmLockOrdering' : [ 0x25c, ['long']], 'CrossThreadFlags' : [ 0x260, ['unsigned long']], 'Terminated' : [ 0x260, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x260, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x260, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x260, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x260, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x260, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x260, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x260, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x260, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x260, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x260, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x260, ['BitField', 
dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x260, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x264, ['unsigned long']], 'ActiveExWorker' : [ 0x264, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x264, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x264, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x264, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x264, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x264, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x264, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x268, ['unsigned long']], 'Spare' : [ 0x268, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x268, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x268, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x269, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x269, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x269, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x269, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x269, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x269, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x269, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x269, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x26a, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x26b, ['unsigned char']], 'CacheManagerActive' : [ 0x26c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x26d, ['unsigned char']], 'ActiveFaultCount' : [ 0x26e, ['unsigned char']], 'AlpcMessageId' : [ 0x270, ['unsigned long']], 'AlpcMessage' : [ 0x274, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x274, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x278, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x280, ['unsigned long']], } ], '_EPROCESS' : [ 0x270, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x88, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x90, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x98, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x9c, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xa0, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xa8, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0xb4, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xc0, ['unsigned long']], 'PeakVirtualSize' : [ 0xc4, ['unsigned 
long']], 'VirtualSize' : [ 0xc8, ['unsigned long']], 'SessionProcessLinks' : [ 0xcc, ['_LIST_ENTRY']], 'DebugPort' : [ 0xd4, ['pointer', ['void']]], 'ExceptionPortData' : [ 0xd8, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xd8, ['unsigned long']], 'ExceptionPortState' : [ 0xd8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'ObjectTable' : [ 0xdc, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xe0, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xe4, ['unsigned long']], 'AddressCreationLock' : [ 0xe8, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0xec, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0xf0, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0xf4, ['unsigned long']], 'PhysicalVadRoot' : [ 0xf8, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0xfc, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x100, ['unsigned long']], 'NumberOfLockedPages' : [ 0x104, ['unsigned long']], 'Win32Process' : [ 0x108, ['pointer', ['void']]], 'Job' : [ 0x10c, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x110, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x114, ['pointer', ['void']]], 'QuotaBlock' : [ 0x118, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x11c, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x120, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x124, ['pointer', ['void']]], 'LdtInformation' : [ 0x128, ['pointer', ['void']]], 'Spare' : [ 0x12c, ['pointer', ['void']]], 'VdmObjects' : [ 0x130, ['pointer', ['void']]], 'DeviceMap' : [ 0x134, ['pointer', ['void']]], 'EtwDataSource' : [ 0x138, ['pointer', ['void']]], 'FreeTebHint' : [ 0x13c, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x140, ['_HARDWARE_PTE']], 'Filler' : [ 0x140, ['unsigned long long']], 'Session' : [ 0x148, ['pointer', ['void']]], 'ImageFileName' : [ 0x14c, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x15c, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x164, ['pointer', ['void']]], 'ThreadListHead' : [ 0x168, 
['_LIST_ENTRY']], 'SecurityPort' : [ 0x170, ['pointer', ['void']]], 'PaeTop' : [ 0x174, ['pointer', ['void']]], 'ActiveThreads' : [ 0x178, ['unsigned long']], 'ImagePathHash' : [ 0x17c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x180, ['unsigned long']], 'LastThreadExitStatus' : [ 0x184, ['long']], 'Peb' : [ 0x188, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x18c, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x190, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x198, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1a0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1a8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1c0, ['unsigned long']], 'CommitChargePeak' : [ 0x1c4, ['unsigned long']], 'AweInfo' : [ 0x1c8, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1cc, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1d0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x218, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x220, ['unsigned long']], 'Flags2' : [ 0x224, ['unsigned long']], 'JobNotReallyActive' : [ 0x224, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x224, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x224, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x224, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x224, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x224, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x224, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x224, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 
'NeedsHandleRundown' : [ 0x224, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x224, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x224, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x224, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x224, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x224, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x224, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x224, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x224, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x224, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x224, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Flags' : [ 0x228, ['unsigned long']], 'CreateReported' : [ 0x228, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x228, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x228, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x228, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x228, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x228, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x228, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned 
long')]], 'Outswapped' : [ 0x228, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x228, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x228, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x228, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x228, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x228, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x228, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x228, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x228, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x228, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x228, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x228, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x228, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x228, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x228, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x228, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x228, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x228, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x228, 
['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x228, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x228, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SpareProcessFlags' : [ 0x228, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x22c, ['long']], 'Spare7' : [ 0x230, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x232, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x233, ['unsigned char']], 'SubSystemVersion' : [ 0x232, ['unsigned short']], 'PriorityClass' : [ 0x234, ['unsigned char']], 'VadRoot' : [ 0x238, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x258, ['unsigned long']], 'AlpcContext' : [ 0x25c, ['_ALPC_PROCESS_CONTEXT']], } ], '__unnamed_11d8' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_11d8']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '__unnamed_11e6' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_11eb' : [ 0x8, { 'UserApcRoutine' : [ 0x0, 
['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_11ed' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_11eb']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_11f8' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_11fa' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_11f8']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_11e6']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_11ed']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_11fa']], } ], '__unnamed_1200' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 
0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1204' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1208' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_120a' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_120e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 
'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1210' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_1212' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 
'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], } ], '__unnamed_1214' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 
36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1216' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1218' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_121c' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_121e' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1221' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } 
], '__unnamed_1223' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1225' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_1227' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_122b' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_122f' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1233' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1237' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_123e' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1242' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1246' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1248' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_124a' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_124e' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', 
dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1252' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1256' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_125a' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_125e' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1266' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_126a' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_126c' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', 
['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_126e' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1270' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_1200']], 'CreatePipe' : [ 0x0, ['__unnamed_1204']], 'CreateMailslot' : [ 0x0, ['__unnamed_1208']], 'Read' : [ 0x0, ['__unnamed_120a']], 'Write' : [ 0x0, ['__unnamed_120a']], 'QueryDirectory' : [ 0x0, ['__unnamed_120e']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1210']], 'QueryFile' : [ 0x0, ['__unnamed_1212']], 'SetFile' : [ 0x0, ['__unnamed_1214']], 'QueryEa' : [ 0x0, ['__unnamed_1216']], 'SetEa' : [ 0x0, ['__unnamed_1218']], 'QueryVolume' : [ 0x0, ['__unnamed_121c']], 'SetVolume' : [ 0x0, ['__unnamed_121c']], 'FileSystemControl' : [ 0x0, ['__unnamed_121e']], 'LockControl' : [ 0x0, ['__unnamed_1221']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1223']], 'QuerySecurity' : [ 0x0, ['__unnamed_1225']], 'SetSecurity' : [ 0x0, ['__unnamed_1227']], 'MountVolume' : [ 0x0, ['__unnamed_122b']], 'VerifyVolume' : [ 0x0, ['__unnamed_122b']], 'Scsi' : [ 0x0, ['__unnamed_122f']], 'QueryQuota' : [ 0x0, ['__unnamed_1233']], 'SetQuota' : [ 0x0, ['__unnamed_1218']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1237']], 'QueryInterface' : [ 0x0, ['__unnamed_123e']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1242']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1246']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1248']], 'SetLock' : [ 0x0, ['__unnamed_124a']], 'QueryId' : [ 0x0, ['__unnamed_124e']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1252']], 'UsageNotification' : [ 0x0, ['__unnamed_1256']], 'WaitWake' : [ 0x0, ['__unnamed_125a']], 'PowerSequence' : [ 0x0, ['__unnamed_125e']], 'Power' : [ 0x0, ['__unnamed_1266']], 'StartDevice' : [ 0x0, ['__unnamed_126a']], 'WMI' : [ 0x0, ['__unnamed_126c']], 'Others' : [ 0x0, 
['__unnamed_126e']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_1270']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, 
['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', 
['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_PF_HARD_FAULT_INFO' : [ 0x30, { 'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']], 
'HardFaultEvent' : [ 0x10, ['_PERFINFO_HARDPAGEFAULT_INFORMATION']], 'IoTimeInTicks' : [ 0x28, ['_LARGE_INTEGER']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '__unnamed_1320' : [ 0xd0, { 'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']], 'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']], 'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']], 'PciExpressError' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR']], 'PciXBusError' : [ 0x0, ['_WHEA_PCIXBUS_ERROR']], 'PciXDeviceError' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR']], } ], '_WHEA_ERROR_PACKET' : [ 0x119, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['_WHEA_ERROR_PACKET_FLAGS']], 'Size' : [ 0x8, ['unsigned long']], 'RawDataLength' : [ 0xc, ['unsigned long']], 'Reserved1' : [ 0x10, ['unsigned long long']], 'Context' : [ 0x18, ['unsigned long long']], 'ErrorType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ErrorSourceId' : [ 0x28, ['unsigned long']], 'ErrorSourceType' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 
'WheaErrSrcTypeMax'})]], 'Reserved2' : [ 0x30, ['unsigned long']], 'Version' : [ 0x34, ['unsigned long']], 'Cpu' : [ 0x38, ['unsigned long long']], 'u' : [ 0x40, ['__unnamed_1320']], 'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaRawDataFormatIPFSalRecord', 1: 'WheaRawDataFormatIA32MCA', 2: 'WheaRawDataFormatIntel64MCA', 3: 'WheaRawDataFormatAMD64MCA', 4: 'WheaRawDataFormatMemory', 5: 'WheaRawDataFormatPCIExpress', 6: 'WheaRawDataFormatNMIPort', 7: 'WheaRawDataFormatPCIXBus', 8: 'WheaRawDataFormatPCIXDevice', 9: 'WheaRawDataFormatGeneric', 10: 'WheaRawDataFormatMax'})]], 'RawDataOffset' : [ 0x114, ['unsigned long']], 'RawData' : [ 0x118, ['array', 1, ['unsigned char']]], } ], '_KPROCESS' : [ 0x80, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'Unused0' : [ 0x1c, ['unsigned long']], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Unused1' : [ 0x32, ['unsigned char']], 'Unused2' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'AutoAlignment' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x60, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x60, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x60, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x60, ['long']], 'BasePriority' : [ 0x64, 
['unsigned char']], 'QuantumReset' : [ 0x65, ['unsigned char']], 'State' : [ 0x66, ['unsigned char']], 'ThreadSeed' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'IdealNode' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], 'StackCount' : [ 0x6c, ['unsigned long']], 'ProcessListEntry' : [ 0x70, ['_LIST_ENTRY']], 'CycleTime' : [ 0x78, ['unsigned long long']], } ], '__unnamed_13d6' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'VolatileLong' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_13d6']], } ], '__unnamed_13ea' : [ 0xc, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0x7c, { 'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x8, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x10, ['_LIST_ENTRY']], 'KernelStack' : [ 0x18, ['unsigned long']], 'Prcb' : [ 0x1c, ['unsigned long']], 'Process' : [ 0x20, ['unsigned long']], 'Thread' : [ 0x24, ['unsigned long']], 'RegistryLength' : [ 0x28, ['unsigned long']], 'RegistryBase' : [ 0x2c, ['pointer', ['void']]], 'ConfigurationRoot' : [ 0x30, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x34, ['pointer', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x38, ['pointer', ['unsigned char']]], 'NtBootPathName' : [ 0x3c, ['pointer', ['unsigned char']]], 'NtHalPathName' : [ 0x40, ['pointer', ['unsigned char']]], 'LoadOptions' : [ 0x44, ['pointer', ['unsigned char']]], 'NlsData' : [ 0x48, 
['pointer', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x4c, ['pointer', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0x50, ['pointer', ['void']]], 'SetupLoaderBlock' : [ 0x54, ['pointer', ['_SETUP_LOADER_BLOCK']]], 'Extension' : [ 0x58, ['pointer', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0x5c, ['__unnamed_13ea']], 'FirmwareInformation' : [ 0x68, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_MMPTE_FLUSH_LIST' : [ 0x8c, { 'Count' : [ 0x0, ['unsigned long']], 'MaximumCount' : [ 0x4, ['unsigned long']], 'FlushVa' : [ 0x8, ['array', 33, ['pointer', ['void']]]], } ], '_MI_COLOR_BASE' : [ 0x8, { 'ColorPointer' : [ 0x0, ['pointer', ['unsigned short']]], 'ColorMask' : [ 0x4, ['unsigned short']], 'ColorNode' : [ 0x6, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x48, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimStamp' : [ 0x8, ['unsigned short']], 'NextPageColor' : [ 0xa, ['unsigned short']], 'Flags' : [ 0xc, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x10, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x14, ['unsigned long']], 'ChargedWslePages' : [ 0x18, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x1c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x20, ['unsigned long']], 'VmWorkingSetList' : [ 0x24, ['pointer', ['_MMWSL']]], 'Claim' : [ 0x28, ['unsigned long']], 'ActualWslePages' : [ 0x2c, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x30, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x34, ['unsigned long']], 'WorkingSetSize' : [ 0x38, ['unsigned long']], 'ExitGate' : [ 0x3c, ['pointer', ['_KGATE']]], 'WorkingSetMutex' : [ 0x40, ['_EX_PUSH_LOCK']], 'AccessLog' : [ 0x44, ['pointer', ['void']]], } ], '__unnamed_1424' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, 
['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1426' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_1429' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_142b' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ByteFlags' : [ 0x2, ['unsigned char']], 'InterlockedByteFlags' : [ 0x3, ['unsigned char']], } ], '__unnamed_142d' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1429']], 'e3' : [ 0x0, ['__unnamed_142b']], } ], '__unnamed_1432' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1424']], 'u2' : [ 0x4, ['__unnamed_1426']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'u3' : [ 0xc, ['__unnamed_142d']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_1432']], } ], '__unnamed_143c' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_143c']], } ], '_MMWSL' : [ 0x6b8, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, 
['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x14, ['pointer', ['void']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NextEstimationSlot' : [ 0x1c, ['unsigned long']], 'NextAgingSlot' : [ 0x20, ['unsigned long']], 'EstimatedAvailable' : [ 0x24, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x28, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x2c, ['unsigned long']], 'VadBitMapHint' : [ 0x30, ['unsigned long']], 'NonDirectCount' : [ 0x34, ['unsigned long']], 'LastVadBit' : [ 0x38, ['unsigned long']], 'MaximumLastVadBit' : [ 0x3c, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x40, ['unsigned long']], 'LastAllocationSize' : [ 0x44, ['unsigned long']], 'NonDirectHash' : [ 0x48, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x4c, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x50, ['pointer', ['_MMWSLE_HASH']]], 'HighestUserAddress' : [ 0x54, ['pointer', ['void']]], 'UsedPageTableEntries' : [ 0x58, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x658, ['array', 24, ['unsigned long']]], } ], '__unnamed_1454' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1456' : [ 0x4, { 'ModifiedWriteCount' : [ 0x0, ['unsigned short']], 'FlushInProgressCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_1458' : [ 0x4, { 'e2' : [ 0x0, ['__unnamed_1456']], } ], '__unnamed_1462' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 
0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1464' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_1462']], } ], '_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_1454']], 'u1' : [ 0x20, ['__unnamed_1458']], 'FilePointer' : [ 0x24, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x28, ['long']], 'StartingFrame' : [ 0x2c, ['unsigned long']], 'WaitingForDeletion' : [ 0x30, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x34, ['__unnamed_1464']], 'LockedPages' : [ 0x40, ['long long']], } ], '_MMPAGING_FILE' : [ 0x50, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'File' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x1c, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x24, ['_UNICODE_STRING']], 'Bitmap' : [ 0x2c, ['pointer', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x30, ['unsigned long']], 'LastAllocationSize' : [ 0x34, ['unsigned long']], 'PageFileNumber' : [ 0x38, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x38, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x38, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x3a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 
'Spare1' : [ 0x3a, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x3c, ['pointer', ['void']]], 'AvailableList' : [ 0x40, ['_SLIST_HEADER']], 'NeedProcessingList' : [ 0x48, ['_SLIST_HEADER']], } ], '_MMPAGING_FILE_FREE_ENTRY' : [ 0x8, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'FreeBit' : [ 0x4, ['unsigned long']], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '__unnamed_149d' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_14a0' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_14a3' : [ 0x4, { 'LongFlags3' : [ 0x0, ['unsigned long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x20, { 'u1' : [ 0x0, ['__unnamed_149d']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a0']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a3']], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '__unnamed_14ac' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_149d']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', 
['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a0']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a3']], 'u2' : [ 0x20, ['__unnamed_14ac']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x24, ['pointer', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], } ], '__unnamed_14be' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], 'NextToFree' : [ 0x0, ['pointer', ['_MI_PER_SESSION_PROTOS']]], } ], '__unnamed_14c0' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x1c, { 'u1' : [ 0x0, ['__unnamed_14be']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'SessionId' : [ 0xc, ['unsigned long']], 'StartingVpn' : [ 0xc, ['unsigned long']], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'EndingVpn' : [ 0x10, ['unsigned long']], 'SubsectionBase' : [ 0x14, ['pointer', ['_MMPTE']]], 'u2' : [ 0x18, ['__unnamed_14c0']], } ], '__unnamed_14c5' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_14c5']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], '__unnamed_14ce' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], 
'__unnamed_14d0' : [ 0x4, { 'KeepForever' : [ 0x0, ['unsigned long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_14ce']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['__unnamed_14d0']], 'PagingFile' : [ 0x18, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x20, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x24, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x28, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x30, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x38, ['pointer', ['_MDL']]], 'Mdl' : [ 0x3c, ['_MDL']], 'Page' : [ 0x58, ['array', 1, ['unsigned long']]], } ], '__unnamed_14d9' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x40, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x14, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x18, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x1c, ['unsigned long']], 'MdlHack' : [ 0x20, ['__unnamed_14d9']], } ], '_HHIVE' : [ 0x2e8, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'BaseBlockAlloc' : [ 0x38, ['unsigned long']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 
'ReadOnly' : [ 0x41, ['unsigned char']], 'DirtyFlag' : [ 0x42, ['unsigned char']], 'HvBinHeadersUse' : [ 0x44, ['unsigned long']], 'HvFreeCellsUse' : [ 0x48, ['unsigned long']], 'HvUsedCellsUse' : [ 0x4c, ['unsigned long']], 'CmUsedCellsUse' : [ 0x50, ['unsigned long']], 'HiveFlags' : [ 0x54, ['unsigned long']], 'CurrentLog' : [ 0x58, ['unsigned long']], 'LogSize' : [ 0x5c, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x64, ['unsigned long']], 'StorageTypeCount' : [ 0x68, ['unsigned long']], 'Version' : [ 0x6c, ['unsigned long']], 'Storage' : [ 0x70, ['array', 2, ['_DUAL']]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_CM_VIEW_OF_FILE' : [ 0x30, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'CmHive' : [ 0x18, ['pointer', ['_CMHIVE']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'ViewAddress' : [ 0x20, ['pointer', ['void']]], 'FileOffset' : [ 0x24, ['unsigned long']], 'Size' : [ 0x28, ['unsigned long']], 'UseCount' : [ 0x2c, ['unsigned long']], } ], '_TEB' : [ 0xff8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned 
long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'EtwLocalData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, 
['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'SpareBool0' : [ 0xf74, ['unsigned char']], 'SpareBool1' : [ 0xf75, ['unsigned char']], 'SpareBool2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'DbgSafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'ProcessRundown' : [ 0xfdc, ['unsigned long']], 'LastSwitchTime' : [ 0xfe0, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']], 'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned 
long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'SpareByte' : [ 0x17, ['unsigned char']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x10, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x8, ['_ULARGE_INTEGER']], } ], '__unnamed_15ab' : [ 0x8, { 'IdleTransitionTime' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15ad' : [ 0x8, { 'LastIdleCheck' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15b4' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_PROCESSOR_POWER_STATE' : [ 0xc8, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'LastTimeCheck' : [ 0x8, ['unsigned long long']], 'IdleTimeAccumulated' : [ 0x10, ['unsigned long long']], 'Native' : [ 0x18, ['__unnamed_15ab']], 'Hv' : [ 0x18, ['__unnamed_15ad']], 'IdleAccounting' : [ 0x20, ['pointer', ['PPM_IDLE_ACCOUNTING']]], 'PerfStates' : [ 0x24, ['pointer', ['_PPM_PERF_STATES']]], 'LastKernelUserTime' : [ 0x28, ['unsigned long']], 'LastIdleThreadKTime' : [ 0x2c, ['unsigned long']], 'LastGlobalTimeHv' : [ 0x30, ['unsigned long long']], 'LastProcessorTimeHv' : [ 0x38, ['unsigned long long']], 'ThermalConstraint' : [ 0x40, ['unsigned char']], 'LastBusyPercentage' : [ 0x41, ['unsigned char']], 'Flags' : [ 0x42, ['__unnamed_15b4']], 'PerfTimer' : [ 0x48, ['_KTIMER']], 'PerfDpc' : [ 0x70, ['_KDPC']], 'LastSysTime' : [ 0x90, ['unsigned long']], 'PStateMaster' : [ 0x94, ['pointer', 
['_KPRCB']]], 'PStateSet' : [ 0x98, ['unsigned long']], 'CurrentPState' : [ 0x9c, ['unsigned long']], 'DesiredPState' : [ 0xa0, ['unsigned long']], 'PStateIdleStartTime' : [ 0xa4, ['unsigned long']], 'PStateIdleTime' : [ 0xa8, ['unsigned long']], 'LastPStateIdleTime' : [ 0xac, ['unsigned long']], 'PStateStartTime' : [ 0xb0, ['unsigned long']], 'DiaIndex' : [ 0xb4, ['unsigned long']], 'Reserved0' : [ 0xb8, ['unsigned long']], 'WmiDispatchPtr' : [ 0xbc, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xc0, ['long']], } ], '__unnamed_15bb' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_15bb']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], '_KERNEL_STACK_CONTROL' : [ 0x1c, { 'PreviousTrapFrame' : [ 0x0, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0x0, ['pointer', ['void']]], 'StackControlFlags' : [ 0x4, ['unsigned long']], 'PreviousLargeStack' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousSegmentsPresent' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExpandCalloutStack' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Previous' : [ 0x8, ['_KERNEL_STACK_SEGMENT']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'SpinLock' : [ 0x0, ['unsigned long']], 'DispatchedCount' : [ 0x4, ['unsigned long']], 'DispatchedList' : [ 0x8, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x10, ['_KSEMAPHORE']], 'CompletedList' : [ 0x24, ['_LIST_ENTRY']], } ], '__unnamed_15e4' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', 
['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_15e4']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '__unnamed_15f6' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_15f8' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_15fc' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x158, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x38, ['_PO_IRP_MANAGER']], 'State' : [ 0x48, ['Enumeration', dict(target = 'long', 
choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x50, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 
'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xa0, ['unsigned long']], 'CompletionStatus' : [ 0xa4, ['long']], 'PendingIrp' : [ 0xa8, ['pointer', ['_IRP']]], 'Flags' : [ 0xac, ['unsigned long']], 'UserFlags' : [ 0xb0, ['unsigned long']], 'Problem' : [ 0xb4, ['unsigned long']], 'PhysicalDeviceObject' : [ 0xb8, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0xbc, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xc0, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0xc4, ['_UNICODE_STRING']], 'ServiceName' : [ 0xcc, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xd4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xd8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xdc, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xe0, ['unsigned long']], 'ChildInterfaceType' : [ 0xe4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xe8, ['unsigned long']], 'ChildBusTypeIndex' : [ 0xec, ['unsigned short']], 'RemovalPolicy' : [ 0xee, 
['unsigned char']], 'HardwareRemovalPolicy' : [ 0xef, ['unsigned char']], 'TargetDeviceNotify' : [ 0xf0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xf8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x100, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x108, ['unsigned short']], 'QueryTranslatorMask' : [ 0x10a, ['unsigned short']], 'NoArbiterMask' : [ 0x10c, ['unsigned short']], 'QueryArbiterMask' : [ 0x10e, ['unsigned short']], 'OverUsed1' : [ 0x110, ['__unnamed_15f6']], 'OverUsed2' : [ 0x114, ['__unnamed_15f8']], 'BootResources' : [ 0x118, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x120, ['unsigned long']], 'DockInfo' : [ 0x124, ['__unnamed_15fc']], 'DisableableDepends' : [ 0x134, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x138, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x140, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x148, ['unsigned long']], 'PreviousParent' : [ 0x14c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x150, ['unsigned long']], 'NumaNodeIndex' : [ 0x154, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', 
['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 
'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, 
['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_16a1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, 
['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16a1']], } ], '__unnamed_16a8' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, 
['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16a8']], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x18, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x140, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, 
['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x130, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x134, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x138, ['unsigned long']], 'MappedWritesInProgress' : [ 0x13c, ['unsigned long']], } ], '__unnamed_16f0' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_16f0']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x18, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_16fe' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1700' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1702' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1704' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1706' : [ 
0x4, { 'Read' : [ 0x0, ['__unnamed_16fe']], 'Write' : [ 0x0, ['__unnamed_1700']], 'Event' : [ 0x0, ['__unnamed_1702']], 'Notification' : [ 0x0, ['__unnamed_1704']], } ], '_WORK_QUEUE_ENTRY' : [ 0x18, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x8, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_1706']], 'Function' : [ 0x14, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x130, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x58, ['unsigned long']], 'Interceptor' : [ 0x5c, ['unsigned 
long']], 'VirtualMemoryThreshold' : [ 0x60, ['unsigned long']], 'Signature' : [ 0x64, ['unsigned long']], 'SegmentReserve' : [ 0x68, ['unsigned long']], 'SegmentCommit' : [ 0x6c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x70, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x74, ['unsigned long']], 'TotalFreeSize' : [ 0x78, ['unsigned long']], 'MaximumAllocationSize' : [ 0x7c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x80, ['unsigned short']], 'HeaderValidateLength' : [ 0x82, ['unsigned short']], 'HeaderValidateCopy' : [ 0x84, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x88, ['unsigned short']], 'MaximumTagIndex' : [ 0x8a, ['unsigned short']], 'TagEntries' : [ 0x8c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x90, ['_LIST_ENTRY']], 'AlignRound' : [ 0x98, ['unsigned long']], 'AlignMask' : [ 0x9c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0xa0, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa8, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xb0, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb4, ['unsigned long']], 'BlocksIndex' : [ 0xb8, ['pointer', ['void']]], 'UCRIndex' : [ 0xbc, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xc0, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc4, ['_LIST_ENTRY']], 'LockVariable' : [ 0xcc, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xd0, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'Counters' : [ 0xdc, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x124, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned 
char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : 
[ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x68, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], 'ForwarderLinks' : [ 0x50, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0x58, ['_LIST_ENTRY']], 'StaticLinks' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'LocalInfo' : [ 0x0, ['pointer', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'Flags' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 
0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x280, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer', ['void']]], 'LoggerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x10, ['long']], 'LoggerId' : [ 0x14, ['unsigned long']], 'NBQHead' : [ 0x18, ['pointer', ['void']]], 'OverflowNBQHead' : [ 0x1c, ['pointer', ['void']]], 'QueueBlockFreeList' : [ 0x20, ['_SLIST_HEADER']], 'GlobalList' : [ 0x28, ['_SLIST_HEADER']], 'BatchedBufferList' : [ 0x30, ['pointer', ['_WMI_BUFFER_HEADER']]], 'LoggerName' : [ 0x34, ['_UNICODE_STRING']], 'LogFileName' : [ 0x3c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x44, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x4c, ['_UNICODE_STRING']], 'ClockType' : [ 0x54, ['unsigned long']], 'CollectionOn' : [ 0x58, ['long']], 'MaximumFileSize' : [ 0x5c, ['unsigned long']], 'LoggerMode' : [ 0x60, ['unsigned long']], 'LastFlushedBuffer' : [ 0x64, ['unsigned long']], 'FlushTimer' : [ 0x68, ['unsigned long']], 'FlushThreshold' : [ 0x6c, ['unsigned long']], 'ByteOffset' : [ 0x70, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0x78, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x80, ['unsigned long']], 'BuffersAvailable' : [ 0x84, ['long']], 'NumberOfBuffers' : [ 0x88, ['long']], 'MaximumBuffers' : [ 0x8c, ['unsigned long']], 'EventsLost' : [ 0x90, ['unsigned long']], 'BuffersWritten' : [ 0x94, ['unsigned long']], 'LogBuffersLost' : [ 0x98, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x9c, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xa0, ['unsigned long']], 'BufferSize' : [ 0xa4, ['unsigned long']], 'MaximumEventSize' : [ 0xa8, ['unsigned long']], 'SequencePtr' : [ 0xac, ['pointer', 
['long']]], 'LocalSequence' : [ 0xb0, ['unsigned long']], 'InstanceGuid' : [ 0xb4, ['_GUID']], 'GetCpuClock' : [ 0xc4, ['pointer', ['void']]], 'FileCounter' : [ 0xc8, ['long']], 'BufferCallback' : [ 0xcc, ['pointer', ['void']]], 'PoolType' : [ 0xd0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xd8, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0xe8, ['unsigned char']], 'Consumers' : [ 0xec, ['_LIST_ENTRY']], 'NumConsumers' : [ 0xf4, ['unsigned long']], 'Connecting' : [ 0xf8, ['_LIST_ENTRY']], 'NewConsumer' : [ 0x100, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0x104, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x108, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x110, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x120, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x128, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x130, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x138, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x140, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x150, ['unsigned long']], 'RealtimeDisconnectConsumerId' : [ 0x154, ['unsigned long']], 'NewRTEventsLost' : [ 0x158, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x15c, ['_KEVENT']], 'FlushEvent' : [ 0x16c, ['_KEVENT']], 'FlushDpc' : [ 0x17c, ['_KDPC']], 'LoggerMutex' : [ 0x19c, ['_KMUTANT']], 
'LoggerLock' : [ 0x1bc, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1c0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x1fc, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x200, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x248, ['long long']], 'AcceptNewEvents' : [ 0x250, ['long']], 'Flags' : [ 0x254, ['unsigned long']], 'Persistent' : [ 0x254, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x254, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x254, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x254, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x254, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x254, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x254, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x258, ['unsigned long']], 'RequestNewFie' : [ 0x258, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x258, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x258, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x258, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x258, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 0x25c, ['unsigned short']], 'StackTraceFilter' : [ 0x25e, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 
0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'Padding2' : [ 0x38, ['pointer', ['void']]], 'GlobalEntry' : [ 0x3c, ['_SINGLE_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, 
{ 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x158, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_17f1' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_17f3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_17f1']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_17f5' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_17f7' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_17f5']], 'ZeroInit' 
: [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_17f3']], 'u2' : [ 0x4, ['__unnamed_17f7']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_BLOB_TYPE' : [ 0x24, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], 'LookasideIndex' : [ 0x20, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_180e' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1810' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_180e']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1810']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Lock' : 
[ 0x10, ['_EX_PUSH_LOCK']], 'Pad' : [ 0x14, ['unsigned long']], } ], '__unnamed_1818' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_181a' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1818']], } ], '_KALPC_SECTION' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_181a']], 'SectionObject' : [ 0x4, ['pointer', ['void']]], 'Size' : [ 0x8, ['unsigned long']], 'HandleTable' : [ 0xc, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x10, ['pointer', ['void']]], 'OwnerProcess' : [ 0x14, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer', ['_ALPC_PORT']]], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_1827' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1829' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1827']], } ], '_KALPC_REGION' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_1829']], 'RegionListEntry' : [ 0x4, ['_LIST_ENTRY']], 'Section' : [ 0xc, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], 'ViewSize' : [ 0x18, ['unsigned long']], 'ReadOnlyView' : [ 0x1c, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x20, ['pointer', ['_KALPC_VIEW']]], 'NumberOfViews' : [ 0x24, ['unsigned long']], 'ViewListHead' : [ 0x28, ['_LIST_ENTRY']], } ], '__unnamed_182f' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1831' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_182f']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'u1' : [ 0x8, 
['__unnamed_1831']], 'Region' : [ 0xc, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x14, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x18, ['pointer', ['void']]], 'Size' : [ 0x1c, ['unsigned long']], 'SecureViewHandle' : [ 0x20, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x24, ['pointer', ['void']]], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x24, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_1849' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', 
dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_184b' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1849']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0xf4, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'SequenceNo' : [ 0x10, ['unsigned long']], 'CompletionPort' : [ 0x14, ['pointer', ['void']]], 'CompletionKey' : [ 0x18, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x1c, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x20, ['pointer', ['void']]], 'StaticSecurity' : [ 0x24, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x60, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x68, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x70, ['_LIST_ENTRY']], 'WaitQueue' : [ 0x78, ['_LIST_ENTRY']], 'Semaphore' : [ 0x80, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x80, ['pointer', ['_KEVENT']]], 'Lock' : [ 0x84, ['_EX_PUSH_LOCK']], 'PortAttributes' : [ 0x88, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0xb4, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xb8, ['_LIST_ENTRY']], 'CompletionList' : [ 0xc0, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0xc4, ['pointer', ['_ALPC_MESSAGE_ZONE']]], 'CanceledQueue' : [ 0xc8, ['_LIST_ENTRY']], 'u1' : [ 0xd0, ['__unnamed_184b']], 'TargetQueuePort' : [ 0xd4, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xd8, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0xdc, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xe0, ['unsigned long']], 'PendingQueueLength' : [ 0xe4, ['unsigned long']], 'LargeMessageQueueLength' 
: [ 0xe8, ['unsigned long']], 'CanceledQueueLength' : [ 0xec, ['unsigned long']], 'WaitQueueLength' : [ 0xf0, ['unsigned long']], } ], '__unnamed_1862' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], } ], '__unnamed_1864' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1862']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x90, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x8, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0xc, ['unsigned long']], 'QuotaProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x10, ['pointer', ['void']]], 'SequenceNo' : [ 0x14, ['long']], 'u1' : [ 0x18, ['__unnamed_1864']], 'CancelSequencePort' : [ 0x1c, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x24, ['long']], 'CancelListEntry' : [ 0x28, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x30, ['pointer', ['_ETHREAD']]], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x38, ['pointer', 
['_ALPC_PORT']]], 'OwnerPort' : [ 0x3c, ['pointer', ['_ALPC_PORT']]], 'UniqueTableEntry' : [ 0x40, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'MessageAttributes' : [ 0x44, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x60, ['pointer', ['void']]], 'DataSystemVa' : [ 0x64, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x68, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x6c, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x70, ['pointer', ['_ETHREAD']]], 'PortMessage' : [ 0x78, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_HANDLE_DATA' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_18a2' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_18a4' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_18a2']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_18a4']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 
0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'Flags' : [ 0xc, ['unsigned long']], 'TargetThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x1e8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x94, 
['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x98, ['pointer', ['void']]], 'DynamicPart' : [ 0x9c, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa0, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa4, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xac, ['unsigned long']], 'TokenInUse' : [ 0xb0, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb4, ['unsigned long']], 'MandatoryPolicy' : [ 0xb8, ['unsigned long']], 'ProxyData' : [ 0xbc, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xc0, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xc4, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc8, ['_LUID']], 'SidHash' : [ 0xd0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x158, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x1e0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x34, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x14, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], 'HashIndex' : [ 0xc, ['unsigned short']], 'DirectoryLocked' : [ 0xe, ['unsigned char']], 'LockStateSignature' : [ 0x10, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 
'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x140, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'Mutex' : [ 0x78, ['_ERESOURCE']], 'TypeLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'Key' : [ 0xb4, ['unsigned long']], 'ObjectLocks' : [ 0xb8, ['array', 32, ['_EX_PUSH_LOCK']]], 'CallbackList' : [ 0x138, ['_LIST_ENTRY']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_MMVAD_FLAGS3' : [ 0x4, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', 
['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 
0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Abandoned' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Signalling' : [ 
0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x48, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'CompactHeapCalls' : [ 0x38, ['unsigned long']], 'CompactedUCRs' : [ 0x3c, ['unsigned long']], 'InBlockDeccommits' : [ 0x40, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x44, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 
'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x18, { 'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']], 'VirtualAddress' : [ 0x8, ['pointer', ['void']]], 'FileObject' : [ 0xc, ['pointer', ['void']]], 'ThreadId' : [ 0x10, ['unsigned long']], 'ByteCount' : [ 0x14, ['unsigned long']], } ], '_I386_LOADER_BLOCK' : [ 0xc, { 'CommonDataArea' : [ 0x0, ['pointer', ['void']]], 'MachineType' : [ 0x4, ['unsigned long']], 'VirtualBias' : [ 0x8, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x8, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_DEVPROPKEY' : [ 0x14, { 'fmtid' : [ 0x0, ['_GUID']], 'pid' : [ 0x10, ['unsigned long']], } ], '_WHEA_NMI_ERROR' : [ 0xc, { 'Data' : [ 0x0, ['array', 8, ['unsigned char']]], 'Flags' : [ 0x8, 
['_WHEA_NMI_ERROR_FLAGS']], } ], '_HANDLE_TABLE' : [ 0x38, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x18, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x1c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'StrictFIFO' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x28, ['long']], 'LastFreeHandleEntry' : [ 0x2c, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x30, ['long']], 'NextHandleNeedingPool' : [ 0x34, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_CANCEL_GLOBALS' : [ 0x6c, { 'CancelLock' : [ 0x0, 
['unsigned long']], 'IssueLock' : [ 0x4, ['unsigned long']], 'Counters' : [ 0x8, ['array', 25, ['long']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CpuValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 
0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x50, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1991' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1993' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1991']], 'Private' : [ 0x0, ['__unnamed_1993']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], 
'_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_CMHIVE' : [ 0x5e0, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2e8, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x300, ['_LIST_ENTRY']], 'HiveList' : [ 0x308, ['_LIST_ENTRY']], 'HiveLock' : [ 0x310, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x314, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x318, ['pointer', ['_KTHREAD']]], 'ViewLockLast' : [ 0x31c, 
['unsigned long']], 'ViewUnLockLast' : [ 0x320, ['unsigned long']], 'WriterLock' : [ 0x324, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x328, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x32c, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x330, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x338, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x340, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x348, ['unsigned short']], 'PinnedViewCount' : [ 0x34a, ['unsigned short']], 'UseCount' : [ 0x34c, ['unsigned long']], 'ViewsPerHive' : [ 0x350, ['unsigned long']], 'FileObject' : [ 0x354, ['pointer', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x358, ['unsigned long']], 'ActualFileSize' : [ 0x360, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x368, ['_UNICODE_STRING']], 'FileUserName' : [ 0x370, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x378, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x380, ['unsigned long']], 'SecurityCacheSize' : [ 0x384, ['unsigned long']], 'SecurityHitHint' : [ 0x388, ['long']], 'SecurityCache' : [ 0x38c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x390, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x590, ['unsigned long']], 'UnloadEventArray' : [ 0x594, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x598, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x59c, ['unsigned char']], 'UnloadWorkItem' : [ 0x5a0, ['pointer', ['_CM_WORKITEM']]], 'GrowOnlyMode' : [ 0x5a4, ['unsigned char']], 'GrowOffset' : [ 0x5a8, ['unsigned long']], 'KcbConvertListHead' : [ 0x5ac, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x5b4, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x5bc, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x5c0, ['unsigned long']], 'TrustClassEntry' : [ 0x5c4, ['_LIST_ENTRY']], 'FlushCount' : [ 0x5cc, ['unsigned long']], 'CmRm' : [ 0x5d0, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x5d4, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x5d8, ['long']], 'CreatorOwner' : [ 0x5dc, ['pointer', ['_KTHREAD']]], } ], 
# Layout convention visible in these entries:
#   'StructName' : [ total_size, { 'Member' : [ offset, [type, ...] ] } ]
# Several members listed at the same offset are overlapping views of the same bytes.
# BitField ranges are contiguous (e.g. 0-1, 1-12, 12-32), so end_bit is exclusive.
'_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], 'ReferenceCount' : [ 0x8, ['long']], } ],
'_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ],
# _SECURITY_QUALITY_OF_SERVICE: ImpersonationLevel names only the values 0-3
# (SecurityAnonymous .. SecurityDelegation); any other value has no entry in this table.
'_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ],
'__unnamed_19c2' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ],
'__unnamed_19c8' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ],
# _MMVAD_LONG: u3 / u4 use __unnamed_19c2 / __unnamed_19c8, whose members all sit at offset 0x0;
# which view applies is not stated by this layout.
'_MMVAD_LONG' : [ 0x3c, { 'u1' : [ 0x0, ['__unnamed_149d']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a0']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a3']], 'u2' : [ 0x20, ['__unnamed_14ac']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'u3' : [ 0x30, ['__unnamed_19c2']], 'u4' : [ 0x38, ['__unnamed_19c8']], } ],
'_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ],
# _NT_TIB: FiberData and Version both map offset 0x10.
'_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ],
'_EJOB' : [ 0x128, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'AccessState' : [ 0xb0, ['pointer', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0xb4, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xb8, ['unsigned long']], 'CompletionPort' : [ 0xbc, ['pointer', ['void']]], 'CompletionKey' : [ 0xc0, ['pointer', ['void']]], 'SessionId' : [ 0xc4, ['unsigned long']], 'SchedulingClass' : [ 0xc8, ['unsigned long']], 'ReadOperationCount' : [ 0xd0, ['unsigned long long']], 'WriteOperationCount' : [ 0xd8, ['unsigned long long']], 'OtherOperationCount' : [ 0xe0, ['unsigned long long']], 'ReadTransferCount' : [ 0xe8, ['unsigned long long']], 'WriteTransferCount' : [ 0xf0, ['unsigned long long']], 'OtherTransferCount' : [ 0xf8, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x100, ['unsigned long']], 'JobMemoryLimit' : [ 0x104, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x108, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x10c, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x110, ['unsigned long']], 'MemoryLimitsLock' : [ 0x114, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x118, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x120, ['unsigned long']], 'JobFlags' : [ 0x124, ['unsigned long']], } ],
'__unnamed_19d8' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hypervisor' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ],
'_PPM_IDLE_STATES' : [ 0x3c, { 'Type' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['__unnamed_19d8']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['array', 1, ['_PPM_IDLE_STATE']]], } ],
# _PEB (0x238 bytes): BeingDebugged is the byte at 0x2. ImageUsesLargePages .. SpareBits are bit
# views of the 'BitField' byte at 0x3; ProcessInJob .. ReservedBits0 are bit views of
# CrossProcessFlags at 0x28; KernelCallbackTable and UserSharedInfoPtr both map 0x2c.
# NOTE(review): on Windows the PEB lives in memory the process itself can write, so values read
# through this layout (BeingDebugged, Ldr, ProcessParameters, ...) are best cross-checked against
# kernel-side structures rather than trusted on their own - confirm for the analysis at hand.
'_PEB' : [ 0x238, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'SparePebPtr0' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'HotpatchInformation' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], } ],
'__unnamed_19f0' : [ 0x10, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ],
'_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x14, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, ['__unnamed_19f0']], } ],
'_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ],
# __unnamed_19f7 / __unnamed_19fd / __unnamed_19ff: the upper 4 bytes of _KGDTENTRY, offered
# either as four byte members (Bytes) or as bit fields of one 32-bit word (Bits: Type, Dpl, Pres, ...).
'__unnamed_19f7' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ],
'__unnamed_19fd' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ],
'__unnamed_19ff' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_19f7']], 'Bits' : [ 0x0, ['__unnamed_19fd']], } ],
'_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_19ff']], } ],
# _POOL_DESCRIPTOR: ListHeads is 512 _LIST_ENTRY heads starting at 0x34 and ending at the
# declared size 0x1034.
'_POOL_DESCRIPTOR' : [ 0x1034, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['long']], 'RunningDeAllocs' : [ 0xc, ['long']], 'TotalPages' : [ 0x10, ['long']], 'TotalBigPages' : [ 0x14, ['long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['pointer', ['void']]]], 'ThreadsProcessingDeferrals' : [ 0x24, ['long']], 'PendingFreeDepth' : [ 0x28, ['long']], 'TotalBytes' : [ 0x2c, ['unsigned long']], 'Spare0' : [ 0x30, ['unsigned long']], 'ListHeads' : [ 0x34, ['array', 512, ['_LIST_ENTRY']]], } ],
'_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ],
# _WHEA_ERROR_RECORD_HEADER: SignatureEnd is an 'unsigned long' at 0x6, i.e. not 4-byte aligned;
# the offsets are used as listed here, not recomputed from member sizes.
'_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ],
'_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ],
'_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ],
# _KINTERRUPT: ServiceRoutine, MessageServiceRoutine and DispatchAddress are pointer-to-void
# members; DispatchCode is 135 dwords of inline data from 0x50.
# NOTE(review): these are presumably the members an interrupt-hook check compares against known
# module ranges - confirm against the plugin that consumes this type.
'_KINTERRUPT' : [ 0x270, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned char']], 'ShareVector' : [ 0x35, ['unsigned char']], 'Mode' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x40, ['unsigned long']], 'DispatchCount' : [ 0x44, ['unsigned long']], 'Rsvd1' : [ 0x48, ['unsigned long long']], 'DispatchCode' : [ 0x50, ['array', 135, ['unsigned long']]], } ],
# _HANDLE_TABLE_ENTRY: Object, ObAttributes, InfoTable and Value all map offset 0x0;
# GrantedAccess, GrantedAccessIndex and NextFreeTableEntry all map 0x4.
# NOTE(review): presumably the low bits of Object carry attribute flags (hence ObAttributes) and
# have to be masked off before the pointer is followed - confirm against the handle-walking code.
'_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ],
# _SID: SubAuthority is declared with a single element, while SubAuthorityCount is a separate
# byte at 0x1. NOTE(review): presumably the real element count comes from SubAuthorityCount;
# a reader should cap it (Windows allows at most 15 sub-authorities) instead of trusting the
# value found in the image - confirm against the SID-parsing code.
'_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ],
# _IMAGE_FILE_HEADER: NumberOfSections and SizeOfOptionalHeader are 16-bit values read from the
# image. NOTE(review): bound them before they are used as loop counts or offsets.
'_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ],
'_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ],
'_HIVE_LIST_ENTRY' : [ 0x20, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmHive2' : [ 0x18, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x1c, ['unsigned char']], 'ThreadStarted' : [ 0x1d, ['unsigned char']], 'Allocate' : [ 0x1e, ['unsigned char']], 'WinPERequired' : [ 0x1f, ['unsigned char']], } ],
'_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ],
'_ALPC_HANDLE_TABLE' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'Handles' : [ 0x4, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ],
# _MMPTE_HARDWARE: one 32-bit word; Valid is bit 0, PageFrameNumber is bits 12-31.
'_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ],
'_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ],
'_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'StackTrace' : [ 0x4, ['array', 63, ['pointer', ['void']]]], } ],
'_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ],
'_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ],
'_ALPC_COMPLETION_LIST' : [ 0x54, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'UserVa' : [ 0x10, ['pointer', ['void']]], 'UserLimit' : [ 0x14, ['pointer', ['void']]], 'DataUserVa' : [ 0x18, ['pointer', ['void']]], 'SystemVa' : [ 0x1c, ['pointer', ['void']]], 'TotalSize' : [ 0x20, ['unsigned long']], 'Header' : [ 0x24, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x28, ['pointer', ['void']]], 'ListSize' : [ 0x2c, ['unsigned long']], 'Bitmap' : [ 0x30, ['pointer', ['void']]], 'BitmapSize' : [ 0x34, ['unsigned long']], 'Data' : [ 0x38, ['pointer', ['void']]], 'DataSize' : [ 0x3c, ['unsigned long']], 'BitmapLimit' : [ 0x40, ['unsigned long']], 'BitmapNextHint' : [ 0x44, ['unsigned long']], 'ConcurrencyCount' : [ 0x48, ['unsigned long']], 'AttributeFlags' : [ 0x4c, ['unsigned long']], 'AttributeSize' : [ 0x50, ['unsigned long']], } ],
'_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ],
# _ACL: fixed 8-byte header only; AclSize and AceCount are 16-bit values read from the image.
# NOTE(review): a reader walking the entries that follow should bound both - confirm.
'_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ],
'_LAZY_WRITER' : [ 0x58, { 'WorkQueue' : [ 0x0, ['_LIST_ENTRY']], 'ScanDpc' : [ 0x8, ['_KDPC']], 'ScanTimer' : [ 0x28, ['_KTIMER']], 'ScanActive' : [ 0x50, ['unsigned char']], 'OtherWork' : [ 0x51, ['unsigned char']], 'PendingTeardown' : [ 0x52, ['unsigned char']], } ],
'_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ],
# _DRIVER_OBJECT: MajorFunction is 28 pointers starting at 0x38 and ending at the declared size
# 0xa8. NOTE(review): DriverInit / DriverStartIo / DriverUnload and MajorFunction are presumably
# the members a dispatch-table integrity check reads and compares with the range described by
# DriverStart / DriverSize - confirm against the plugin that consumes this type.
'_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ],
'_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ],
'_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ],
'_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ],
# _MMVAD_FLAGS: one 32-bit word; CommitCharge is bits 0-18, VadType bits 20-22,
# Protection bits 24-28, PrivateMemory bit 31.
'_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ],
# NOTE(review): RegisterDataPairs refers to 'WHEA_PCIXDEVICE_REGISTER_PAIR' without the leading
# underscore the neighbouring type names carry - confirm it matches an entry defined elsewhere.
'_WHEA_PCIXDEVICE_ERROR' : [ 0x68, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, ['_WHEA_PCIXDEVICE_ID']], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, ['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 4, ['WHEA_PCIXDEVICE_REGISTER_PAIR']]], } ],
'_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ],
'__unnamed_1a7e' : [ 0x18, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ],
'_HEAP_LOCK' : [ 0x18, { 'Lock' : [ 0x0, ['__unnamed_1a7e']], } ],
'_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned 
char']], 'Processor' : [ 0x6, ['unsigned char']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0xc, { 'AnsiCodePageData' : [ 0x0, ['pointer', ['void']]], 'OemCodePageData' : [ 0x4, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x8, ['pointer', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x90, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned 
long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x38, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x48, ['pointer', ['void']]], 'KcbLastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x58, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x5a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x5c, ['unsigned long']], 'KcbUserFlags' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x60, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x60, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x60, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x64, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0x6c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x70, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x78, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x80, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x88, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x8c, ['pointer', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned 
long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 
'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0x8, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, 
['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 
'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned 
long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x24, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 0, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 
'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x28, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 
'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'LastSubsectionHint' : [ 0x20, ['pointer', ['_MSUBSECTION']]], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_WHEA_PCIXBUS_ERROR' : [ 0x48, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXBUS_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['_WHEA_PCIXBUS_ID']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['_WHEA_PCIXBUS_COMMAND']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'CompleterId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' 
: [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x4, ['_KGATE']], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_WHEA_PCIXBUS_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'BusId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'BusAddress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusData' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BusCommand' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterId' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1b64' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1b64']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x5ec, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 
'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], 'PdoDescriptionString' : [ 0xa8, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x348, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x5e8, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_WHEA_MEMORY_ERROR' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 
0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, 
['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bd0' : [ 0x18, { 'Length' : [ 0x0, ['unsigned 
long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1bd6' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 'IrqPolicyAllProcessorsInMachine', 4: 'IrqPolicySpecifiedProcessors', 5: 'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1bd8' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1bda' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1bdc' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1bde' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1be0' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1be2' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1be4' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], 
# Entry layout used throughout this table:
#   'TypeName' : [ size_in_bytes, { 'Member' : [ offset, [ type, args... ] ], ... } ]
# Pointers are 4 bytes wide in these definitions (e.g. _MDL.Next at 0x0 is
# followed by Size at 0x4), so the entries describe a 32-bit layout.
# Every value decoded through these layouts comes from the memory image under
# analysis; treat pointers, counts and lengths as untrusted until validated.

# Anonymous 0x18-byte type. All eleven members sit at offset 0x0, so they are
# alternative views of the same bytes (union layout). It is embedded as the
# 'u' member of _IO_RESOURCE_DESCRIPTOR below.
# NOTE(review): nothing here records which view is valid; presumably
# _IO_RESOURCE_DESCRIPTOR.Type selects it. Confirm before interpreting a view.
'__unnamed_1be6' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1bd0']], 'Memory' : [ 0x0, ['__unnamed_1bd0']], 'Interrupt' : [ 0x0, ['__unnamed_1bd6']], 'Dma' : [ 0x0, ['__unnamed_1bd8']], 'Generic' : [ 0x0, ['__unnamed_1bd0']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bda']], 'BusNumber' : [ 0x0, ['__unnamed_1bdc']], 'ConfigData' : [ 0x0, ['__unnamed_1bde']], 'Memory40' : [ 0x0, ['__unnamed_1be0']], 'Memory48' : [ 0x0, ['__unnamed_1be2']], 'Memory64' : [ 0x0, ['__unnamed_1be4']], } ],
# 0x20 bytes: eight bytes of byte/short header fields, then the 0x18-byte
# union 'u' at 0x8 (0x8 + 0x18 equals the declared size).
'_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1be6']], } ],
# 0xd8 bytes. Embeds a _KTIMER at 0x28, a _KDPC at 0x50 and a
# _POP_ACTION_TRIGGER at 0x70; 'Irp' at 0x80 is a pointer to an _IRP.
'_POP_THERMAL_ZONE' : [ 0xd8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x80, ['pointer', ['_IRP']]], 'Info' : [ 0x84, ['_THERMAL_INFORMATION_EX']], } ],
# One 32-bit word at offset 0x0 split into bitfields. The ranges are
# contiguous and half-open (start_bit inclusive, end_bit exclusive) and
# together cover bits 0..32 with no gap or overlap.
'_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ],
# 0xc bytes: two pointers followed by a 32-bit 'Signature' value.
'_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ],
# 0x80 bytes. 'TraceDb' is declared as a one-element array at 0x30, which
# leaves 0x50 bytes for that single _HANDLE_TRACE_DB_ENTRY.
# NOTE(review): a one-element trailing array usually stands for a
# variable-length table; presumably TableSize bounds it. Confirm, and clamp any
# count read from the image before walking past the first element.
'_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ],
# 0x1c bytes. 'Next' links to another _MDL and 'Process' points to an
# _EPROCESS; 'MappedSystemVa' and 'StartVa' are untyped pointers, and
# 'ByteCount'/'ByteOffset' are 32-bit values.
# NOTE(review): these pointers and lengths are read straight from the image;
# check them against the address space before dereferencing or sizing a read.
'_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ],
# One 64-bit word at offset 0x0: bits 0..56 'Command', bit 56 'PCIXCommand',
# bits 57..64 'Reserved'. 'AsULONGLONG' overlays the same eight bytes as a
# plain integer.
'_WHEA_PCIXBUS_COMMAND' : [ 0x8, { 'Command' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 56, native_type='unsigned long long')]], 'PCIXCommand' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ],
# 0x68 bytes. Three _LIST_ENTRY links come first. 'HiveArray' is a fixed array
# of eight _CMHIVE pointers at 0x48 (0x48 + 8 * 4 equals the declared size).
# NOTE(review): HiveCount presumably gives the number of used HiveArray slots;
# never iterate more than the eight declared entries, whatever the image says.
'_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 8, ['pointer', ['_CMHIVE']]]], } ],
'_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', 
['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '_MMPTE_TIMESTAMP' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 
'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '__unnamed_1c2b' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1c2b']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, 
end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x50, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 
'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_KERNEL_STACK_SEGMENT' : [ 0x14, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], 'ActualLimit' : [ 0x10, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 
'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_PCIXDEVICE_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfo' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumber' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'RegisterDataPairs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], 'WHEA_PCIXDEVICE_REGISTER_PAIR' : [ 0x10, { 'Register' : [ 0x0, ['unsigned long long']], 'Data' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 
0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, 
['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 
0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_PCIXBUS_ID' : [ 0x2, { 'BusNumber' : [ 0x0, ['unsigned char']], 'BusSegment' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, 
['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x1c, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'ObjectType' : [ 0xc, ['pointer', ['_OBJECT_TYPE']]], 'TargetAccess' : [ 0x10, ['unsigned long']], 'ObjectInfo' : [ 0x14, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x18, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x10, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x4, ['pointer', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x8, ['long']], 'MissedMappingsCount' : [ 0xc, ['unsigned long']], } ], '__unnamed_1cbe' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc0' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], 
'__unnamed_1cc2' : [ 0xc, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc4' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_1cc2']], 'Translated' : [ 0x0, ['__unnamed_1cc0']], } ], '__unnamed_1cc6' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc8' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cca' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ccc' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cce' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd0' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd2' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1cbe']], 'Port' : [ 0x0, ['__unnamed_1cbe']], 'Interrupt' : [ 0x0, ['__unnamed_1cc0']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1cc4']], 'Memory' : [ 0x0, ['__unnamed_1cbe']], 'Dma' : [ 0x0, ['__unnamed_1cc6']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bda']], 'BusNumber' : [ 0x0, ['__unnamed_1cc8']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1cca']], 'Memory40' : [ 0x0, ['__unnamed_1ccc']], 'Memory48' : [ 0x0, ['__unnamed_1cce']], 'Memory64' : [ 0x0, ['__unnamed_1cd0']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1cd2']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } 
], '__unnamed_1cd9' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1cd9']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 
'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned 
long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 0x3a8, ['unsigned long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1ced' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1ced']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x34, { 'Parent' : [ 0x0, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x4, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x8, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0xc, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x30, ['pointer', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1cf7' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x18, { 'u' : [ 0x0, ['__unnamed_14c5']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['__unnamed_1cf7']], 'LeftChild' : [ 0x10, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x14, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '__unnamed_1cfd' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1cff' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1cfd']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x60, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 
'TotalBusyCount' : [ 0x8, ['unsigned long']], 'ConservationIdleTime' : [ 0xc, ['unsigned long']], 'PerformanceIdleTime' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x18, ['_LIST_ENTRY']], 'DeviceType' : [ 0x20, ['unsigned char']], 'IdleState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x2c, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x34, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x3c, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x50, ['_LIST_ENTRY']], 'Specific' : [ 0x58, ['__unnamed_1cff']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 
'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' 
: [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 
'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], 
'_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x34, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x1c, { 'InterceptorFunction' : [ 0x0, ['pointer', ['void']]], 'InterceptorValue' : [ 0x4, ['unsigned short']], 'ExtendedOptions' : [ 0x8, ['unsigned long']], 'StackTraceDepth' : [ 0xc, ['unsigned long']], 'MinTotalBlockSize' : [ 0x10, ['unsigned long']], 'MaxTotalBlockSize' : [ 0x14, ['unsigned long']], 'HeapLeakEnumerationRoutine' : [ 0x18, ['pointer', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : 
[ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidBits' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR_VALIDBITS']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaPciExpressEndpoint', 1: 'WheaPciExpressLegacyEndpoint', 4: 'WheaPciExpressRootPort', 5: 'WheaPciExpressUpstreamSwitchPort', 6: 'WheaPciExpressDownstreamSwitchPort', 7: 'WheaPciExpressToPciXBridge', 8: 'WheaPciXToExpressBridge', 9: 'WheaPciExpressRootComplexIntegratedEndpoint', 10: 'WheaPciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['_WHEA_PCIEXPRESS_VERSION']], 'CommandStatus' : [ 0x10, ['_WHEA_PCIEXPRESS_COMMAND_STATUS']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_WHEA_PCIEXPRESS_DEVICE_ID']], 'DeviceSerialNumber' : [ 0x28, ['unsigned long long']], 'BridgeControlStatus' : [ 0x30, ['_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, 
['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'Reserved' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_1d74' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', 
dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x78, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_1d74']], 'TargetProcessors' : [ 0x30, ['unsigned long']], 'PStateHandler' : [ 0x34, ['pointer', ['void']]], 'PStateContext' : [ 0x38, ['unsigned long']], 'TStateHandler' : [ 0x3c, ['pointer', ['void']]], 'TStateContext' : [ 0x40, ['unsigned long']], 'FeedbackHandler' : [ 0x44, ['pointer', ['void']]], 'DiaStats' : [ 0x48, ['pointer', ['_PPM_DIA_STATS']]], 'DiaStatsCount' : [ 0x4c, ['unsigned long']], 'State' : [ 0x50, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', 
['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 
36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_WHEA_NMI_ERROR_FLAGS' : [ 0x4, { 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xa0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, 
['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 
'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x38, ['pointer', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x3c, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'FilteredCapabilities' : [ 0x50, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x24, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0xc, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x14, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x18, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x1c, ['unsigned long']], 'ActiveChild' : [ 0x20, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : 
[ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1dc7' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1dc9' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_1dc7']], 'Button' : [ 0xc, ['__unnamed_1dc9']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 
'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], 
'_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0x84, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x1c, ['pointer', ['void']]], 'EmInfFileSize' : [ 0x20, ['unsigned long']], 'TriageDumpBlock' : [ 0x24, ['pointer', ['void']]], 'LoaderPagesSpanned' : [ 0x28, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x2c, ['pointer', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x30, ['pointer', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x34, ['pointer', ['void']]], 'DrvDBSize' : [ 0x38, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x3c, ['pointer', ['_NETWORK_LOADER_BLOCK']]], 'HalpIRQLToTPR' : [ 0x40, ['pointer', ['unsigned char']]], 'HalpVectorToIRQL' : [ 0x44, ['pointer', ['unsigned char']]], 'FirmwareDescriptorListHead' : [ 0x48, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x50, ['pointer', ['void']]], 'AcpiTableSize' : [ 0x54, ['unsigned long']], 'BootViaWinload' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x5c, ['pointer', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x60, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x68, ['pointer', ['void']]], 'BootIdentifier' : [ 0x6c, ['_GUID']], 'ResumePages' : [ 0x7c, ['unsigned long']], 'DumpHeader' : [ 0x80, ['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', 
['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_WHEA_PCIEXPRESS_VERSION' : [ 0x4, { 'MinorVersion' : [ 0x0, ['unsigned char']], 'MajorVersion' : [ 0x1, ['unsigned char']], 'Reserved' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '__unnamed_1e33' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_1e33']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x294, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 
0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'PoolPageHeaders' : [ 0x28, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x30, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x38, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x3c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PagedBytes' : [ 0x48, ['unsigned long']], 'NonPagedBytes' : [ 0x4c, ['unsigned long']], 'PeakPagedBytes' : [ 0x50, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x54, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x18, { 'Mdl' : [ 0x0, ['pointer', ['_MDL']]], 'UserVa' : [ 0x4, ['pointer', ['void']]], 'UserLimit' : [ 0x8, ['pointer', ['void']]], 'SystemVa' : [ 0xc, ['pointer', ['void']]], 'SystemLimit' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 
'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, 
['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x10, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0xc, ['pointer', ['void']]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_1e6b' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1ec0, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e6b']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 
'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'SessionObject' : [ 0x34, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x38, ['pointer', ['void']]], 'ResidentProcessCount' : [ 0x3c, ['long']], 'ImageLoadingCount' : [ 0x40, ['long']], 'SessionPoolAllocationFailures' : [ 0x44, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x54, ['_LIST_ENTRY']], 'LocaleId' : [ 0x5c, ['unsigned long']], 'AttachCount' : [ 0x60, ['unsigned long']], 'AttachGate' : [ 0x64, ['_KGATE']], 'WsListEntry' : [ 0x74, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 25, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd00, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xd38, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xd70, ['_MMSUPPORT']], 'Wsle' : [ 0xdb8, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xdbc, ['pointer', ['void']]], 'PagedPool' : [ 0xdc0, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1df4, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1df8, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1e10, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1e30, ['long']], 'PagedPoolPdeCount' : [ 0x1e34, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1e38, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1e3c, ['unsigned long']], 'SystemPteInfo' : [ 0x1e40, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1e6c, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1e70, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1e74, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1e78, ['unsigned long']], 'SessionPoolPdes' : [ 0x1e7c, ['_RTL_BITMAP']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', 
['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned 
long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 
0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']], 'TargetAddress' : [ 0xa0, ['unsigned long long']], 'RequesterId' : [ 0xa8, ['unsigned long long']], 'ResponderId' : [ 0xb0, ['unsigned long long']], 'InstructionPointer' : [ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 
'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x18, { 'PteBase' : [ 0x0, ['pointer', ['_MMPTE']]], 'FreePteHead' : [ 0x4, ['_MMPTE']], 'FreePteTail' : [ 0x8, ['_MMPTE']], 'PagesInUse' : [ 0xc, ['long']], 'SpecialPoolPdes' : [ 0x10, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS' : [ 0x4, { 'BridgeSecondaryStatus' : [ 0x0, ['unsigned short']], 'BridgeControl' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 
'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x10, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1ee4' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1ee6' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1ee4']], 'Merged' : [ 0x10, ['__unnamed_1ee6']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['void']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_1eed' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1eed']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], 
'_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_14c5']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_1cf7']], 'LeftChild' : [ 0x24, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x28, ['pointer', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x38, { 'GetTime' : [ 0x0, ['unsigned long']], 'SetTime' : [ 0x4, ['unsigned long']], 'GetWakeupTime' : [ 0x8, ['unsigned long']], 'SetWakeupTime' : [ 0xc, ['unsigned long']], 'SetVirtualAddressMap' : [ 0x10, ['unsigned long']], 'ConvertPointer' : [ 0x14, ['unsigned long']], 'GetVariable' : [ 0x18, ['unsigned long']], 'GetNextVariableName' : [ 0x1c, ['unsigned long']], 'SetVariable' : [ 0x20, ['unsigned long']], 'GetNextHighMonotonicCount' : [ 0x24, ['unsigned long']], 'ResetSystem' : [ 0x28, ['unsigned long']], 'UpdateCapsule' : [ 0x2c, ['unsigned long']], 'QueryCapsuleCapabilities' : [ 0x30, ['unsigned long']], 'QueryVariableInfo' : [ 0x34, 
['unsigned long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 
'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_WHEA_MEMORY_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, 
['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } 
], '__unnamed_1f11' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_1f15' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_1f11']], 'u2' : [ 0x24, ['__unnamed_1f15']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x2c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_PCIXDEVICE_ID' : [ 0x10, { 'VendorId' : [ 0x0, ['unsigned short']], 'DeviceId' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'BusNumber' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'SegmentNumber' : [ 0x8, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'Reserved1' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['unsigned long']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, 
['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x54, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', 
['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x28, ['pointer', ['void']]], 'CallersCaller' : [ 0x2c, ['pointer', ['void']]], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '_DEVOBJ_EXTENSION' : [ 0x3c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 
0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependentList' : [ 0x2c, ['_LIST_ENTRY']], 'ProviderList' : [ 0x34, ['_LIST_ENTRY']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_COMMAND_STATUS' : [ 0x4, { 'Command' : [ 0x0, ['unsigned short']], 'Status' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned 
long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR_VALIDBITS' : [ 0x8, { 'PortType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Version' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'CommandStatus' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'DeviceId' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'DeviceSerialNumber' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BridgeControlStatus' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'ExpressCapability' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AerInfo' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_ETW_REG_ENTRY' : [ 0x2c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'EnableMask' : [ 0x10, ['unsigned char']], 'ReplyQueue' : [ 0x14, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x14, ['array', 4, ['pointer', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x24, ['pointer', 
['_EPROCESS']]], 'Callback' : [ 0x24, ['pointer', ['void']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 
'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0x80, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x20, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x28, ['unsigned long']], 'Color' : [ 0x2c, ['unsigned char']], 'Seed' : [ 0x2d, ['unsigned char']], 'NodeNumber' : [ 0x2e, ['unsigned char']], 'Flags' : [ 0x2f, ['_flags']], 'MmShiftedColor' : [ 0x30, ['unsigned long']], 'FreeCount' : [ 0x34, ['array', 2, ['unsigned long']]], 'PfnDeferredList' : [ 0x3c, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'CachedKernelStacks' : [ 0x40, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x188, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x1c, ['unsigned 
char']], 'Order' : [ 0x20, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x168, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x16c, ['long']], 'Pending' : [ 0x170, ['_LIST_ENTRY']], 'Status' : [ 0x178, ['long']], 'FailedDevice' : [ 0x17c, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x180, ['unsigned char']], 'Cancelled' : [ 0x181, ['unsigned char']], 'IgnoreErrors' : [ 0x182, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x183, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x184, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned 
long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_PPM_IDLE_STATE' : [ 0x20, { 'IdleHandler' : [ 0x0, ['pointer', ['void']]], 'Context' : [ 0x4, ['pointer', ['void']]], 'Latency' : [ 0x8, ['unsigned long']], 'Power' : [ 0xc, ['unsigned long']], 'TimeCheck' : [ 0x10, ['unsigned long']], 'StateFlags' : [ 0x14, ['unsigned long']], 'PromotePercent' : [ 0x18, ['unsigned char']], 'DemotePercent' : [ 0x19, ['unsigned char']], 'PromotePercentBase' : [ 0x1a, ['unsigned char']], 'DemotePercentBase' : [ 0x1b, ['unsigned char']], 'StateType' : [ 0x1c, ['unsigned char']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, 
end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x78, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : 
[ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 
'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x403c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40d8, ['long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x50, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'PrepareUIEvent' : [ 0x14, ['_KEVENT']], 'PowerOnEvent' : [ 0x24, ['_KEVENT']], 'DoneEvent' : [ 0x34, ['_KEVENT']], 'WorkerQueued' : [ 0x44, ['unsigned long']], 'WorkerAbort' : [ 0x48, ['unsigned long']], 'NoResumeUI' : [ 0x4c, ['unsigned long']], } ], '_KTM' : [ 0x228, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' 
: [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_CONFIGURATION_COMPONENT' : [ 0x24, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 
'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer', ['unsigned char']]], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 
0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long 
long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' 
: [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_1fd5' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 
'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1fd7' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_1fd5']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1fd7']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_1fe9' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 
'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_1fe9']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, 
['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win10.py0000644000000000000000000005266013131215405025675 0ustar rootroot# Volatility # Copyright (c) 2008-2015 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: The Volatility Foundation @license: GNU General Public License 2.0 @contact: awalters@4tphi.net This file provides support for Windows 10. 
"""

import volatility.plugins.overlays.windows.windows as windows
import volatility.obj as obj
import volatility.win32.tasks as tasks
import volatility.debug as debug
import volatility.plugins.overlays.windows.win8 as win8

# distorm3 is optional at import time; ObHeaderCookieStore.findcookie() checks
# has_distorm and gives up (returns False) when the disassembler is missing.
try:
    import distorm3
    has_distorm = True
except ImportError:
    has_distorm = False

class _HMAP_ENTRY(obj.CType):
    """Registry hive map entry with a derived BlockAddress property."""

    @property
    def BlockAddress(self):
        # Keep bits 4..47 of PermanentBinAddress and clear the low four bits.
        # NOTE(review): presumably the low bits carry flags rather than
        # address bits -- confirm against the _HMAP_ENTRY layout.
        return self.PermanentBinAddress & 0xFFFFFFFFFFF0

class Win10Registry(obj.ProfileModification):
    """The Windows 10 registry HMAP"""

    # Applies only to profiles whose metadata is windows / major 6 / minor 4.
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 4}

    def modification(self, profile):
        # Bind the vtype name to the Python class above.
        profile.object_classes.update({"_HMAP_ENTRY": _HMAP_ENTRY})

class Win10x64DTB(obj.ProfileModification):
    """The Windows 10 64-bit DTB signature"""

    # NOTE(review): 'before' looks like an ordering constraint relative to the
    # named modifications; its exact meaning is defined by the framework.
    before = ['WindowsOverlay', 'Windows64Overlay', 'Win8x64DTB']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 4,
                  'memory_model': lambda x: x == '64bit',
                  }

    def modification(self, profile):
        # Override the DTBSignature magic value with a fixed 4-byte pattern.
        profile.merge_overlay({
            'VOLATILITY_MAGIC': [ None, {
            'DTBSignature' : [ None, ['VolatilityMagic', dict(value = "\x03\x00\xb6\x00")]],
            }]})

class Win10x86DTB(obj.ProfileModification):
    """The Windows 10 32-bit DTB signature"""

    before = ['WindowsOverlay', 'Win8x86DTB']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 4,
                  'memory_model': lambda x: x == '32bit',
                  }

    def modification(self, profile):
        # The signature depends on the build number in the profile metadata;
        # a profile without a "build" key is treated as build 0 and therefore
        # gets the older signature.
        build = profile.metadata.get("build", 0)

        if build >= 15063:
            signature = "\x03\x00\x2C\x00"
        else:
            signature = "\x03\x00\x2A\x00"

        profile.merge_overlay({
            'VOLATILITY_MAGIC': [ None, {
            'DTBSignature' : [ None, ['VolatilityMagic', dict(value = signature)]],
            }]})

class Win10KDBG(windows.AbstractKDBGMod):
    """The Windows 10 KDBG signatures"""

    before = ['Win8KDBG']
    # Only selected for builds 14393 and later.
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 4,
                  'build': lambda x: x >= 14393}

    kdbgsize = 0x368

class ObHeaderCookieStore(object):
    """A class for finding and storing the nt!ObHeaderCookie value"""

    # Shared instance handed out by instance(); created on first use.
    _instance = None

    def __init__(self):
        # None until findcookie() succeeds.
        self._cookie = None

    def cookie(self):
        """Return the stored cookie, or None if it has not been found."""
        return self._cookie

    def findcookie(self, kernel_space):
        """Find and read the nt!ObHeaderCookie value.

        On success, return True and save the cookie value in self._cookie.
        On Failure, return False.

        This method must be called before performing any tasks that require
        object header validation including handles, psxview (due to pspcid)
        and the object scanning plugins (psscan, etc).

        NOTE: this cannot be implemented as a volatility "magic" class,
        because it must be persistent across various classes and sources.
        We don't want to recalculate the cookie value multiple times.

        Also returns True, without storing anything, when the profile is
        older than 6.4; self._cookie then stays None.
        """

        meta = kernel_space.profile.metadata
        vers = (meta.get("major", 0), meta.get("minor", 0))

        # this algorithm only applies to Windows 10 or greater
        if vers < (6, 4):
            return True

        # prevent subsequent attempts from recalculating the existing value
        # (a stored cookie of 0 is falsy, so it would be searched for again)
        if self._cookie:
            return True

        if not has_distorm:
            debug.warning("distorm3 module is not installed")
            return False

        kdbg = tasks.get_kdbg(kernel_space)

        if not kdbg:
            debug.warning("Cannot find KDBG")
            return False

        nt_mod = None

        # Take the first entry of the module list.
        # NOTE(review): assumes the first module is the NT kernel image --
        # confirm against kdbg.modules() ordering.
        for mod in kdbg.modules():
            nt_mod = mod
            break

        # NOTE(review): "== None" rather than "is None" here and below;
        # presumably so the framework's none-like results also match --
        # confirm before changing it.
        if nt_mod == None:
            debug.warning("Cannot find NT module")
            return False

        addr = nt_mod.getprocaddress("ObGetObjectType")
        if addr == None:
            debug.warning("Cannot find nt!ObGetObjectType")
            return False

        # produce an absolute address by adding the DLL base to the RVA
        addr += nt_mod.DllBase
        if not nt_mod.obj_vm.is_valid_address(addr):
            debug.warning("nt!ObGetObjectType at {0} is invalid".format(addr))
            return False

        # in theory...but so far we haven't tested 32-bits
        model = meta.get("memory_model")
        if model == "32bit":
            mode = distorm3.Decode32Bits
        else:
            mode = distorm3.Decode64Bits

        # Only the first 100 bytes of the function are read and decoded.
        data = nt_mod.obj_vm.read(addr, 100)
        ops = distorm3.Decompose(addr, data, mode, distorm3.DF_STOP_ON_RET)
        # addr is reused from here on for the cookie's address.
        addr = None

        # search backwards from the RET and find the MOVZX
        #
        # NOTE(review): the match is structural only (7-byte instruction, two
        # operands, register destination, 8-bit memory source); the mnemonic
        # is not checked and the value read is not cross-checked. If another
        # instruction matches, every TypeIndex decoded with the result is
        # wrong without any error being raised.

        if model == "32bit":
            # movzx ecx, byte ptr ds:_ObHeaderCookie
            for op in reversed(ops):
                if (op.size == 7 and
                            'FLAG_DST_WR' in op.flags and
                            len(op.operands) == 2 and
                            op.operands[0].type == 'Register' and
                            op.operands[1].type == 'AbsoluteMemoryAddress' and
                            op.operands[1].size == 8):
                    # absolute operand: the displacement is the address
                    addr = op.operands[1].disp & 0xFFFFFFFF
                    break
        else:
            # movzx ecx, byte ptr cs:ObHeaderCookie
            for op in reversed(ops):
                if (op.size == 7 and
                            'FLAG_RIP_RELATIVE' in op.flags and
                            len(op.operands) == 2 and
                            op.operands[0].type == 'Register' and
                            op.operands[1].type == 'AbsoluteMemory' and
                            op.operands[1].size == 8):
                    # RIP-relative operand: address of the next instruction
                    # plus the displacement
                    addr = op.address + op.size + op.operands[1].disp
                    break

        if not addr:
            debug.warning("Cannot find nt!ObHeaderCookie")
            return False

        if not nt_mod.obj_vm.is_valid_address(addr):
            debug.warning("nt!ObHeaderCookie at {0} is not valid".format(addr))
            return False

        # Read as "unsigned int" although the instruction comments above
        # describe a byte load; _OBJECT_HEADER_10.TypeIndex masks its result
        # to 8 bits, so only the low byte influences the decoded index.
        cookie = obj.Object("unsigned int", offset = addr, vm = nt_mod.obj_vm)
        self._cookie = int(cookie)

        return True

    @staticmethod
    def instance():
        """Return the shared ObHeaderCookieStore, creating it on first use."""
        if not ObHeaderCookieStore._instance:
            ObHeaderCookieStore._instance = ObHeaderCookieStore()

        return ObHeaderCookieStore._instance

class VolatilityCookie(obj.VolatilityMagic):
    """The Windows 10 Cookie Finder"""

    def v(self):
        # An explicitly set value wins; otherwise fall back to the search.
        if self.value is None:
            return self.get_best_suggestion()
        else:
            return self.value

    def get_suggestions(self):
        # Truthiness test: a set value of 0 is skipped here, unlike in v().
        if self.value:
            yield self.value
        for x in self.generate_suggestions():
            yield x

    def generate_suggestions(self):
        store = ObHeaderCookieStore.instance()
        # The return value of findcookie() is not checked, so a failed search
        # yields None as the suggestion.
        store.findcookie(self.obj_vm)
        yield store.cookie()

class Win10Cookie(obj.ProfileModification):
    """The Windows 10 Cookie Finder"""

    before = ['WindowsOverlay']

    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 4,
                  }

    def modification(self, profile):
        # Expose the cookie as the ObHeaderCookie magic value.
        # NOTE(review): configname = "COOKIE" presumably lets the value be
        # supplied through configuration instead of searched -- confirm.
        profile.merge_overlay({
            'VOLATILITY_MAGIC': [ None, {
            'ObHeaderCookie' : [ 0x0, ['VolatilityCookie', dict(configname = "COOKIE")]],
            }]})
        profile.object_classes.update({'VolatilityCookie': VolatilityCookie})

class _OBJECT_HEADER_10(win8._OBJECT_HEADER):
    """Object header whose TypeIndex is decoded with nt!ObHeaderCookie.

    Win10ObjectHeader uses this class for builds below 10240.
    """

    @property
    def TypeIndex(self):
        """Wrap the TypeIndex member with a property that decodes it
        with the nt!ObHeaderCookie value."""

        cook = obj.VolMagic(self.obj_vm).ObHeaderCookie.v()
        addr = self.obj_offset
        indx = int(self.m("TypeIndex"))

        # decoded index = second byte of the header address XOR cookie XOR
        # stored index, truncated to 8 bits.
        # NOTE(review): if the cookie lookup resolved to None (for example
        # after a failed findcookie()), the XOR raises TypeError instead of
        # giving a clear "cookie not found" error.
        return ((addr >> 8) ^ cook ^ indx) & 0xFF

    def is_valid(self):
        """Determine if a given object header is valid"""

        if not obj.CType.is_valid(self):
            return False

        # Reject headers with an InfoMask above 0x88 ...
        if self.InfoMask > 0x88:
            return False

        # ... or a PointerCount outside 0 .. 0x1000000.
        if self.PointerCount > 0x1000000 or self.PointerCount < 0:
            return False

        return True

    # Type index -> object type name.
    # NOTE(review): presumably looked up with the decoded TypeIndex by the
    # inherited header code; the consumer is not in this file.
    type_map = {
        2: 'Type',
        3: 'Directory',
        4: 'SymbolicLink',
        5: 'Token',
        6: 'Job',
        7: 'Process',
        8: 'Thread',
        9: 'UserApcReserve',
        10: 'IoCompletionReserve',
        11: 'Silo',
        12: 'DebugObject',
        13: 'Event',
        14: 'Mutant',
        15: 'Callback',
        16: 'Semaphore',
        17: 'Timer',
        18: 'IRTimer',
        19: 'Profile',
        20: 'KeyedEvent',
        21: 'WindowStation',
        22: 'Desktop',
        23: 'Composition',
        24: 'RawInputManager',
        25: 'TpWorkerFactory',
        26: 'Adapter',
        27: 'Controller',
        28: 'Device',
        29: 'Driver',
        30: 'IoCompletion',
        31: 'WaitCompletionPacket',
        32: 'File',
        33: 'TmTm',
        34: 'TmTx',
        35: 'TmRm',
        36: 'TmEn',
        37: 'Section',
        38: 'Session',
        39: 'Partition',
        40: 'Key',
        41: 'ALPC Port',
        42: 'PowerRequest',
        43: 'WmiGuid',
        44: 'EtwRegistration',
        45: 'EtwConsumer',
        46: 'DmaAdapter',
        47: 'DmaDomain',
        48: 'PcwObject',
        49: 'FilterConnectionPort',
        50: 'FilterCommunicationPort',
        51: 'NetworkNamespace',
        52: 'DxgkSharedResource',
        53: 'DxgkSharedSyncObject',
        54: 'DxgkSharedSwapChainObject',
        }

class _OBJECT_HEADER_10_1AC738FB(_OBJECT_HEADER_10):
    """Header variant Win10ObjectHeader selects for builds 10240 to 14392."""

    # Same names as the base map minus 'Silo', so entries from 11 on shift.
    type_map = {
        2: 'Type',
        3: 'Directory',
        4: 'SymbolicLink',
        5: 'Token',
        6: 'Job',
        7: 'Process',
        8: 'Thread',
        9: 'UserApcReserve',
        10: 'IoCompletionReserve',
        11: 'DebugObject',
        12: 'Event',
        13: 'Mutant',
        14: 'Callback',
        15: 'Semaphore',
        16: 'Timer',
        17: 'IRTimer',
        18: 'Profile',
        19: 'KeyedEvent',
        20: 'WindowStation',
        21: 'Desktop',
        22: 'Composition',
        23: 'RawInputManager',
        24: 'TpWorkerFactory',
        25: 'Adapter',
        26: 'Controller',
        27: 'Device',
        28: 'Driver',
        29: 'IoCompletion',
        30: 'WaitCompletionPacket',
        31: 'File',
        32: 'TmTm',
        33: 'TmTx',
        34: 'TmRm',
        35: 'TmEn',
        36: 'Section',
        37: 'Session',
        38: 'Partition',
        39: 'Key',
        40: 'ALPC Port',
        41: 'PowerRequest',
        42: 'WmiGuid',
        43: 'EtwRegistration',
        44: 'EtwConsumer',
        45: 'DmaAdapter',
        46: 'DmaDomain',
        47: 'PcwObject',
        48: 'FilterConnectionPort',
        49: 'FilterCommunicationPort',
        50: 'NetworkNamespace',
        51: 'DxgkSharedResource',
        52: 'DxgkSharedSyncObject',
        53: 'DxgkSharedSwapChainObject',
        }

class _OBJECT_HEADER_10_DD08DD42(_OBJECT_HEADER_10):
    """Header variant Win10ObjectHeader selects for builds 14393 to 15062."""

    type_map = {
        2: 'Type',
        3: 'Directory',
        4: 'SymbolicLink',
        5: 'Token',
        6: 'Job',
        7: 'Process',
        8: 'Thread',
        9: 'UserApcReserve',
        10: 'IoCompletionReserve',
        11: 'PsSiloContextPaged',
        12: 'PsSiloContextNonPaged',
        13: 'DebugObject',
        14: 'Event',
        15: 'Mutant',
        16: 'Callback',
        17: 'Semaphore',
        18: 'Timer',
        19: 'IRTimer',
        20: 'Profile',
        21: 'KeyedEvent',
        22: 'WindowStation',
        23: 'Desktop',
        24: 'Composition',
        25: 'RawInputManager',
        26: 'CoreMessaging',
        27: 'TpWorkerFactory',
        28: 'Adapter',
        29: 'Controller',
        30: 'Device',
        31: 'Driver',
        32: 'IoCompletion',
        33: 'WaitCompletionPacket',
        34: 'File',
        35: 'TmTm',
        36: 'TmTx',
        37: 'TmRm',
        38: 'TmEn',
        39: 'Section',
        40: 'Session',
        41: 'Partition',
        42: 'Key',
        43: 'RegistryTransaction',
        44: 'ALPC',
        45: 'PowerRequest',
        46: 'WmiGuid',
        47: 'EtwRegistration',
        48: 'EtwConsumer',
        49: 'DmaAdapter',
        50: 'DmaDomain',
        51: 'PcwObject',
        52: 'FilterConnectionPort',
        53: 'FilterCommunicationPort',
        54: 'NdisCmState',
        55: 'DxgkSharedResource',
        56: 'DxgkSharedSyncObject',
        57: 'DxgkSharedSwapChainObject',
        58: 'VRegConfigurationContext',
        59: 'VirtualKey',
        }

class _OBJECT_HEADER_10_15063(_OBJECT_HEADER_10):
    """Header variant Win10ObjectHeader selects for builds 15063 and later."""

    type_map = {
        2: 'Type',
        3: 'Directory',
        4: 'SymbolicLink',
        5: 'Token',
        6: 'Job',
        7: 'Process',
        8: 'Thread',
        9: 'UserApcReserve',
        10: 'IoCompletionReserve',
        11: 'ActivityReference',
        12: 'PsSiloContextPaged',
        13: 'PsSiloContextNonPaged',
        14: 'DebugObject',
        15: 'Event',
        16: 'Mutant',
        17: 'Callback',
        18: 'Semaphore',
        19: 'Timer',
        20: 'IRTimer',
        21: 'Profile',
        22: 'KeyedEvent',
        23: 'WindowStation',
        24: 'Desktop',
        25: 'Composition',
        26: 'RawInputManager',
        27: 'CoreMessaging',
        28: 'TpWorkerFactory',
        29: 'Adapter',
        30: 'Controller',
        31: 'Device',
        32: 'Driver',
        33: 'IoCompletion',
        34: 'WaitCompletionPacket',
        35: 'File',
        36: 'TmTm',
        37: 'TmTx',
        38: 'TmRm',
        39: 'TmEn',
        40: 'Section',
        41: 'Session',
        42: 'Partition',
        43: 'Key',
        44: 'RegistryTransaction',
        45: 'ALPC Port',
        46: 'PowerRequest',
        47: 'WmiGuid',
        48: 'EtwRegistration',
        49: 'EtwSessionDemuxEntry',
        50: 'EtwConsumer',
        51: 'DmaAdapter',
        52: 'DmaDomain',
        53: 'PcwObject',
        54: 'FilterConnectionPort',
        55: 'FilterCommunicationPort',
        56: 'NdisCmState',
        57: 'DxgkSharedResource',
        58: 'DxgkSharedSyncObject',
        59: 'DxgkSharedSwapChainObject',
        60: 'DxgkCurrentDxgProcessObject',
        61: 'VRegConfigurationContext'
        }

class _HANDLE_TABLE_10_DD08DD42(win8._HANDLE_TABLE_81R264):
    """Handle table used on 64-bit profiles from build 14393 onward."""

    def decode_pointer(self, value):
        """Turn an encoded handle-table entry value into an address."""

        # clear the low three bits
        value = value & 0xFFFFFFFFFFFFFFF8
        # DECODE_MAGIC is not defined in this class; it comes from elsewhere
        # (presumably the win8 base class -- confirm).
        value = value >> self.DECODE_MAGIC
        # sign-extend from bit 47 so the upper 16 bits are set when it is
        if (value & (1 << 47)):
            value = value | 0xFFFF000000000000

        return value

class Win10ObjectHeader(obj.ProfileModification):
    """Select the _OBJECT_HEADER (and handle table) classes by build."""

    before = ["Win8ObjectClasses"]
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 4}

    def modification(self, profile):

        metadata = profile.metadata
        # A profile without a "build" key counts as build 0 and falls through
        # to the base _OBJECT_HEADER_10 mapping.
        build = metadata.get("build", 0)

        if build >= 15063:
            header = _OBJECT_HEADER_10_15063

            ## update the handle table here as well
            if metadata.get("memory_model") == "64bit":
                profile.object_classes.update({
                    "_HANDLE_TABLE": _HANDLE_TABLE_10_DD08DD42})

        elif build >= 14393:
            header = _OBJECT_HEADER_10_DD08DD42

            ## update the handle table here as well
            if metadata.get("memory_model") == "64bit":
                profile.object_classes.update({
                    "_HANDLE_TABLE": _HANDLE_TABLE_10_DD08DD42})

        elif build >= 10240:
            header = _OBJECT_HEADER_10_1AC738FB
        else:
            header = _OBJECT_HEADER_10

        profile.object_classes.update({"_OBJECT_HEADER": header})

class Win10PoolHeader(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': 
lambda x: x == 'windows', 'major': lambda x: x == 6, 'minor': lambda x: x == 4, 'build': lambda x: x == 10240} def modification(self, profile): meta = profile.metadata memory_model = meta.get("memory_model", "32bit") if memory_model == "32bit": pool_types = {'_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], }]} else: pool_types = {'_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], }]} profile.vtypes.update(pool_types) class Win10x64(obj.Profile): """ A Profile for Windows 10 x64 """ _md_memory_model = '64bit' _md_os = 'windows' _md_major = 6 _md_minor = 4 _md_build = 9841 _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x64_vtypes' _md_product = ["NtProductWinNt"] class Win10x64_10586(obj.Profile): """ A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23) """ _md_memory_model = '64bit' _md_os = 
'windows' _md_major = 6 _md_minor = 4 _md_build = 10240 _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x64_1AC738FB_vtypes' _md_product = ["NtProductWinNt"] class Win10x64_14393(obj.Profile): """ A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16) """ _md_memory_model = '64bit' _md_os = 'windows' _md_major = 6 _md_minor = 4 _md_build = 14393 _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x64_DD08DD42_vtypes' _md_product = ["NtProductWinNt"] class Win10x86(obj.Profile): """ A Profile for Windows 10 x86 """ _md_memory_model = '32bit' _md_os = 'windows' _md_major = 6 _md_minor = 4 _md_build = 9841 _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x86_vtypes' _md_product = ["NtProductWinNt"] class Win10x86_10586(obj.Profile): """ A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28) """ _md_memory_model = '32bit' _md_os = 'windows' _md_major = 6 _md_minor = 4 _md_build = 10240 _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x86_44B89EEA_vtypes' _md_product = ["NtProductWinNt"] class Win10x86_14393(obj.Profile): """ A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16) """ _md_memory_model = '32bit' _md_os = 'windows' _md_major = 6 _md_minor = 4 _md_build = 14393 _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x86_9619274A_vtypes' _md_product = ["NtProductWinNt"] class Win2016x64_14393(Win10x64_14393): """ A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16) """ _md_memory_model = '64bit' _md_os = 'windows' _md_major = 6 _md_minor = 4 _md_build = 14393 _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x64_DD08DD42_vtypes' _md_product = ["NtProductLanManNt", "NtProductServer"] class Win10x86_15063(obj.Profile): """ A Profile for Windows 10 x86 (10.0.15063.0 / 2017-04-04) """ _md_memory_model = '32bit' _md_os = 'windows' _md_major = 6 _md_minor = 4 _md_build = 15063 _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x86_15063_vtypes' _md_product = 
["NtProductWinNt"] class Win10x64_15063(obj.Profile): """ A Profile for Windows 10 x64 (10.0.15063.0 / 2017-04-04) """ _md_memory_model = '64bit' _md_os = 'windows' _md_major = 6 _md_minor = 4 _md_build = 15063 _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x64_15063_vtypes' _md_product = ["NtProductWinNt"] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win10_x64_15063_vtypes.py0000644000000000000000000303154113131215405030544 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_PS_MITIGATION_OPTIONS_MAP' : [ 0x10, { 'Map' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_KUSER_SHARED_DATA' : [ 0x708, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'NtBuildNumber' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 
'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'BootId' : [ 0x2c4, ['unsigned long']], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'VirtualizationFlags' : [ 0x2ed, ['unsigned char']], 'Reserved12' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgMultiSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgMultiUsersInSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCall' : [ 0x308, ['unsigned long']], 'SystemCallPad0' : [ 0x30c, ['unsigned long']], 'SystemCallPad' : [ 0x310, ['array', 2, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrementShift' : [ 0x368, ['unsigned char']], 
'QpcInterruptTimeIncrementShift' : [ 0x369, ['unsigned char']], 'UnparkedProcessorCount' : [ 0x36a, ['unsigned short']], 'EnclaveFeatureMask' : [ 0x36c, ['array', 4, ['unsigned long']]], 'Reserved8' : [ 0x37c, ['unsigned long']], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1087' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1087']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_109f' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_10a1' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_109f']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', 
['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_10a1']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TEB' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['pointer64', ['void']]]], 'SystemReserved1' : [ 0x190, ['array', 32, ['pointer64', ['void']]]], '_ActivationStack' : [ 0x290, ['_ACTIVATION_CONTEXT_STACK']], 'WorkingOnBehalfTicket' : [ 0x2b8, ['array', 8, ['unsigned char']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 
0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'PerflibData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 
'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 
0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SkipLoaderInit' : [ 0x17ee, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 
'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], 'ReservedForWdf' : [ 0x1818, ['pointer64', ['void']]], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0x18, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'CurEntry' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['wchar']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '__unnamed_1112' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 
0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1112']], 'QuadPart' : [ 0x0, ['long long']], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_BALANCED_NODE' : [ 0x18, { 'Children' : [ 0x0, ['array', 2, ['pointer64', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x10, ['unsigned long long']], } ], '_RTL_RB_TREE' : [ 0x10, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Encoded' : [ 0x8, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Min' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_RTL_AVL_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x6bc0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x6a40, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned 
char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'ClockOwner' : [ 0x21, ['unsigned char']], 'PendingTickFlags' : [ 0x22, ['unsigned char']], 'PendingTick' : [ 0x22, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x22, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IdleState' : [ 0x23, ['unsigned char']], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PriorityState' : [ 0x38, ['pointer64', ['unsigned char']]], 'CpuType' : [ 0x40, ['unsigned char']], 'CpuID' : [ 0x41, ['unsigned char']], 'CpuStep' : [ 0x42, ['unsigned short']], 'CpuStepping' : [ 0x42, ['unsigned char']], 'CpuModel' : [ 0x43, ['unsigned char']], 'MHz' : [ 0x44, ['unsigned long']], 'HalReserved' : [ 0x48, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x88, ['unsigned short']], 'MajorVersion' : [ 0x8a, ['unsigned short']], 'BuildType' : [ 0x8c, ['unsigned char']], 'CpuVendor' : [ 0x8d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x8e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x8f, ['unsigned char']], 'PrcbPad04' : [ 0x90, ['array', 6, ['unsigned long long']]], 'ParentNode' : [ 0xc0, ['pointer64', ['_KNODE']]], 'GroupSetMember' : [ 0xc8, ['unsigned long long']], 'Group' : [ 0xd0, ['unsigned char']], 'GroupIndex' : [ 0xd1, ['unsigned char']], 'PrcbPad05' : [ 0xd2, ['array', 2, ['unsigned char']]], 'InitialApicId' : [ 0xd4, ['unsigned long']], 'ScbOffset' : [ 0xd8, ['unsigned long']], 'ApicMask' : [ 0xdc, ['unsigned long']], 'AcpiReserved' : [ 0xe0, ['pointer64', ['void']]], 'CFlushSize' : [ 0xe8, ['unsigned long']], 'PrcbPad10' : [ 0xec, ['unsigned long']], 'PrcbPad11' : [ 0xf0, ['array', 2, ['unsigned long long']]], 'ProcessorState' : [ 0x100, 
['_KPROCESSOR_STATE']], 'PrcbPad12' : [ 0x6c0, ['array', 6, ['unsigned long long']]], 'LockQueue' : [ 0x6f0, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x800, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x900, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0x1500, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x2100, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PrcbPad20' : [ 0x2d00, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2d08, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2d10, ['long']], 'MmCopyOnWriteCount' : [ 0x2d14, ['long']], 'MmTransitionCount' : [ 0x2d18, ['long']], 'MmDemandZeroCount' : [ 0x2d1c, ['long']], 'MmPageReadCount' : [ 0x2d20, ['long']], 'MmPageReadIoCount' : [ 0x2d24, ['long']], 'MmDirtyPagesWriteCount' : [ 0x2d28, ['long']], 'MmDirtyWriteIoCount' : [ 0x2d2c, ['long']], 'MmMappedPagesWriteCount' : [ 0x2d30, ['long']], 'MmMappedWriteIoCount' : [ 0x2d34, ['long']], 'KeSystemCalls' : [ 0x2d38, ['unsigned long']], 'KeContextSwitches' : [ 0x2d3c, ['unsigned long']], 'PrcbPad40' : [ 0x2d40, ['unsigned long']], 'CcFastReadNoWait' : [ 0x2d44, ['unsigned long']], 'CcFastReadWait' : [ 0x2d48, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x2d4c, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x2d50, ['unsigned long']], 'CcCopyReadWait' : [ 0x2d54, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x2d58, ['unsigned long']], 'IoReadOperationCount' : [ 0x2d5c, ['long']], 'IoWriteOperationCount' : [ 0x2d60, ['long']], 'IoOtherOperationCount' : [ 0x2d64, ['long']], 'IoReadTransferCount' : [ 0x2d68, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x2d70, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x2d78, ['_LARGE_INTEGER']], 'PacketBarrier' : [ 0x2d80, ['long']], 'TargetCount' : [ 0x2d84, ['long']], 'IpiFrozen' : [ 0x2d88, ['unsigned long']], 'IsrDpcStats' : [ 0x2d90, ['pointer64', ['void']]], 'DeviceInterrupts' : [ 0x2d98, ['unsigned long']], 
'LookasideIrpFloat' : [ 0x2d9c, ['long']], 'InterruptLastCount' : [ 0x2da0, ['unsigned long']], 'InterruptRate' : [ 0x2da4, ['unsigned long']], 'LastNonHrTimerExpiration' : [ 0x2da8, ['unsigned long long']], 'PrcbPad41' : [ 0x2db0, ['array', 20, ['unsigned long']]], 'DpcData' : [ 0x2e00, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2e50, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2e58, ['long']], 'DpcRequestRate' : [ 0x2e5c, ['unsigned long']], 'MinimumDpcRate' : [ 0x2e60, ['unsigned long']], 'DpcLastCount' : [ 0x2e64, ['unsigned long']], 'ThreadDpcEnable' : [ 0x2e68, ['unsigned char']], 'QuantumEnd' : [ 0x2e69, ['unsigned char']], 'DpcRoutineActive' : [ 0x2e6a, ['unsigned char']], 'IdleSchedule' : [ 0x2e6b, ['unsigned char']], 'DpcRequestSummary' : [ 0x2e6c, ['long']], 'DpcRequestSlot' : [ 0x2e6c, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x2e6c, ['short']], 'ThreadDpcState' : [ 0x2e6e, ['short']], 'DpcNormalProcessingActive' : [ 0x2e6c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x2e6c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x2e6c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x2e6c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x2e6c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x2e6c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x2e6c, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x2e6c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x2e6c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x2e6c, 
['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2e70, ['unsigned long']], 'LastTick' : [ 0x2e74, ['unsigned long']], 'ClockInterrupts' : [ 0x2e78, ['unsigned long']], 'ReadyScanTick' : [ 0x2e7c, ['unsigned long']], 'InterruptObject' : [ 0x2e80, ['array', 256, ['pointer64', ['void']]]], 'TimerTable' : [ 0x3680, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x5880, ['_KGATE']], 'PrcbPad52' : [ 0x5898, ['pointer64', ['void']]], 'CallDpc' : [ 0x58a0, ['_KDPC']], 'ClockKeepAlive' : [ 0x58e0, ['long']], 'PrcbPad60' : [ 0x58e4, ['array', 2, ['unsigned char']]], 'NmiActive' : [ 0x58e6, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x58e8, ['long']], 'DpcWatchdogCount' : [ 0x58ec, ['long']], 'KeSpinLockOrdering' : [ 0x58f0, ['long']], 'DpcWatchdogProfileCumulativeDpcThreshold' : [ 0x58f4, ['unsigned long']], 'CachedPtes' : [ 0x58f8, ['pointer64', ['void']]], 'WaitListHead' : [ 0x5900, ['_LIST_ENTRY']], 'WaitLock' : [ 0x5910, ['unsigned long long']], 'ReadySummary' : [ 0x5918, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x591c, ['long']], 'QueueIndex' : [ 0x5920, ['unsigned long']], 'PrcbPad75' : [ 0x5924, ['array', 3, ['unsigned long']]], 'TimerExpirationDpc' : [ 0x5930, ['_KDPC']], 'ScbQueue' : [ 0x5970, ['_RTL_RB_TREE']], 'DispatcherReadyListHead' : [ 0x5980, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x5b80, ['unsigned long']], 'KernelTime' : [ 0x5b84, ['unsigned long']], 'UserTime' : [ 0x5b88, ['unsigned long']], 'DpcTime' : [ 0x5b8c, ['unsigned long']], 'InterruptTime' : [ 0x5b90, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5b94, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x5b98, ['unsigned char']], 'GroupSchedulingOverQuota' : [ 0x5b99, ['unsigned char']], 'DeepSleep' : [ 0x5b9a, ['unsigned char']], 'PrcbPad80' : [ 0x5b9b, ['array', 5, ['unsigned char']]], 'DpcTimeCount' : [ 0x5ba0, ['unsigned long']], 'DpcTimeLimit' : [ 0x5ba4, ['unsigned long']], 'PeriodicCount' : [ 0x5ba8, ['unsigned long']], 
'PeriodicBias' : [ 0x5bac, ['unsigned long']], 'AvailableTime' : [ 0x5bb0, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x5bb4, ['unsigned long']], 'ReadyThreadCount' : [ 0x5bb8, ['unsigned long']], 'StartCycles' : [ 0x5bc0, ['unsigned long long']], 'TaggedCyclesStart' : [ 0x5bc8, ['unsigned long long']], 'TaggedCycles' : [ 0x5bd0, ['array', 2, ['unsigned long long']]], 'GenerationTarget' : [ 0x5be0, ['unsigned long long']], 'AffinitizedCycles' : [ 0x5be8, ['unsigned long long']], 'ImportantCycles' : [ 0x5bf0, ['unsigned long long']], 'UnimportantCycles' : [ 0x5bf8, ['unsigned long long']], 'ReadyQueueExpectedRunTime' : [ 0x5c00, ['unsigned long long']], 'PrcbPad81' : [ 0x5c08, ['array', 21, ['unsigned long']]], 'DpcWatchdogProfileSingleDpcThreshold' : [ 0x5c5c, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x5c60, ['long']], 'PageColor' : [ 0x5c64, ['unsigned long']], 'NodeColor' : [ 0x5c68, ['unsigned long']], 'NodeShiftedColor' : [ 0x5c6c, ['unsigned long']], 'SecondaryColorMask' : [ 0x5c70, ['unsigned long']], 'PrcbPad83' : [ 0x5c74, ['unsigned long']], 'CycleTime' : [ 0x5c78, ['unsigned long long']], 'Cycles' : [ 0x5c80, ['array', 4, ['array', 2, ['unsigned long long']]]], 'PrcbPad84' : [ 0x5cc0, ['array', 16, ['unsigned long']]], 'CcFastMdlReadNoWait' : [ 0x5d00, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x5d04, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x5d08, ['unsigned long']], 'CcMapDataNoWait' : [ 0x5d0c, ['unsigned long']], 'CcMapDataWait' : [ 0x5d10, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x5d14, ['unsigned long']], 'CcPinReadNoWait' : [ 0x5d18, ['unsigned long']], 'CcPinReadWait' : [ 0x5d1c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x5d20, ['unsigned long']], 'CcMdlReadWait' : [ 0x5d24, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x5d28, ['unsigned long']], 'CcLazyWriteIos' : [ 0x5d2c, ['unsigned long']], 'CcLazyWritePages' : [ 0x5d30, ['unsigned long']], 'CcDataFlushes' : [ 0x5d34, ['unsigned long']], 'CcDataPages' : [ 
0x5d38, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x5d3c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x5d40, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x5d44, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x5d48, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x5d4c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x5d50, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x5d54, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x5d58, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x5d5c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x5d60, ['unsigned long']], 'CcReadAheadIos' : [ 0x5d64, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x5d68, ['long']], 'MmCacheReadCount' : [ 0x5d6c, ['long']], 'MmCacheIoCount' : [ 0x5d70, ['long']], 'PrcbPad91' : [ 0x5d74, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x5d80, ['_PROCESSOR_POWER_STATE']], 'ScbList' : [ 0x5f58, ['_LIST_ENTRY']], 'ForceIdleDpc' : [ 0x5f68, ['_KDPC']], 'PrcbPad92' : [ 0x5fa8, ['array', 18, ['unsigned long']]], 'KeAlignmentFixupCount' : [ 0x5ff0, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x5ff8, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x6038, ['_KTIMER']], 'Cache' : [ 0x6078, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x60b4, ['unsigned long']], 'CachedCommit' : [ 0x60b8, ['unsigned long']], 'CachedResidentAvailable' : [ 0x60bc, ['unsigned long']], 'HyperPte' : [ 0x60c0, ['pointer64', ['void']]], 'WheaInfo' : [ 0x60c8, ['pointer64', ['void']]], 'EtwSupport' : [ 0x60d0, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x60e0, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x60f0, ['_SLIST_HEADER']], 'HypercallCachedPages' : [ 0x6100, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x6108, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x6110, ['pointer64', ['unsigned long long']]], 'PackageProcessorSet' : [ 0x6118, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x61c0, ['unsigned long long']], 'SharedReadyQueue' : [ 0x61c8, ['pointer64', ['_KSHARED_READY_QUEUE']]], 
'SharedQueueScanOwner' : [ 0x61d0, ['unsigned long']], 'ScanSiblingIndex' : [ 0x61d4, ['unsigned long']], 'CoreProcessorSet' : [ 0x61d8, ['unsigned long long']], 'ScanSiblingMask' : [ 0x61e0, ['unsigned long long']], 'LLCMask' : [ 0x61e8, ['unsigned long long']], 'CacheProcessorMask' : [ 0x61f0, ['array', 5, ['unsigned long long']]], 'ProcessorProfileControlArea' : [ 0x6218, ['pointer64', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x6220, ['pointer64', ['void']]], 'DpcWatchdogProfile' : [ 0x6228, ['pointer64', ['pointer64', ['void']]]], 'DpcWatchdogProfileCurrentEmptyCapture' : [ 0x6230, ['pointer64', ['pointer64', ['void']]]], 'PrcbPad94' : [ 0x6238, ['array', 9, ['unsigned long long']]], 'SynchCounters' : [ 0x6280, ['_SYNCH_COUNTERS']], 'PteBitCache' : [ 0x6338, ['unsigned long long']], 'PteBitOffset' : [ 0x6340, ['unsigned long']], 'FsCounters' : [ 0x6348, ['_FILESYSTEM_DISK_COUNTERS']], 'VendorString' : [ 0x6358, ['array', 13, ['unsigned char']]], 'PrcbPad100' : [ 0x6365, ['array', 2, ['unsigned char']]], 'PendingVirtualLittle' : [ 0x6367, ['unsigned char']], 'FeatureBits' : [ 0x6368, ['unsigned long long']], 'PrcbPad110' : [ 0x6370, ['unsigned long']], 'UpdateSignature' : [ 0x6378, ['_LARGE_INTEGER']], 'Context' : [ 0x6380, ['pointer64', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x6388, ['unsigned long']], 'ExtendedState' : [ 0x6390, ['pointer64', ['_XSAVE_AREA']]], 'IsrStack' : [ 0x6398, ['pointer64', ['void']]], 'EntropyTimingState' : [ 0x63a0, ['_KENTROPY_TIMING_STATE']], 'AbSelfIoBoostsList' : [ 0x64f0, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x64f8, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x6500, ['_KDPC']], 'IoIrpStackProfilerCurrent' : [ 0x6540, ['_IOP_IRP_STACK_PROFILER']], 'IoIrpStackProfilerPrevious' : [ 0x6594, ['_IOP_IRP_STACK_PROFILER']], 'LocalSharedReadyQueue' : [ 0x6600, ['_KSHARED_READY_QUEUE']], 'TimerExpirationTrace' : [ 0x6870, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : [ 
0x6970, ['unsigned long']], 'ExSaPageArray' : [ 0x6978, ['pointer64', ['void']]], 'SecureFault' : [ 0x6980, ['_KSECURE_FAULT_INFORMATION']], 'Mailbox' : [ 0x69c0, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x6a00, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KFLOATING_SAVE' : [ 0x4, { 'Dummy' : [ 0x0, ['unsigned long']], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_PS_TRUSTLET_CREATE_ATTRIBUTES' : [ 0x18, { 'TrustletIdentity' : [ 0x0, ['unsigned long long']], 'Attributes' : [ 0x8, ['array', 1, ['_PS_TRUSTLET_ATTRIBUTE_DATA']]], } ], '_PS_TRUSTLET_ATTRIBUTE_DATA' : [ 0x10, { 'Header' : [ 0x0, ['_PS_TRUSTLET_ATTRIBUTE_HEADER']], 'Data' : [ 0x8, ['array', 1, ['unsigned long long']]], } ], '_PS_TRUSTLET_ATTRIBUTE_HEADER' : [ 0x8, { 'AttributeType' : [ 0x0, ['_PS_TRUSTLET_ATTRIBUTE_TYPE']], 'InstanceNumber' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_TRUSTLET_MAILBOX_KEY' : [ 0x10, { 'SecretValue' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_TRUSTLET_COLLABORATION_ID' : [ 0x10, { 'Value' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_KPROCESS' : [ 0x2d8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long']], 'ProcessTimerDelay' : [ 0x44, ['unsigned long']], 'DeepFreezeStartTime' : [ 0x48, ['unsigned long long']], 'Affinity' : [ 0x50, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0xf8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x108, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x110, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 
0x1b8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x1b8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x1b8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'DeepFreeze' : [ 0x1b8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x1b8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x1b8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'PpmPolicy' : [ 0x1b8, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x1b8, ['BitField', dict(start_bit = 8, end_bit = 28, native_type='unsigned long')]], 'ReservedFlags' : [ 0x1b8, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x1b8, ['long']], 'BasePriority' : [ 0x1bc, ['unsigned char']], 'QuantumReset' : [ 0x1bd, ['unsigned char']], 'Visited' : [ 0x1be, ['unsigned char']], 'Flags' : [ 0x1bf, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x1c0, ['array', 20, ['unsigned long']]], 'IdealNode' : [ 0x210, ['array', 20, ['unsigned short']]], 'IdealGlobalNode' : [ 0x238, ['unsigned short']], 'Spare1' : [ 0x23a, ['unsigned short']], 'StackCount' : [ 0x23c, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x240, ['_LIST_ENTRY']], 'CycleTime' : [ 0x250, ['unsigned long long']], 'ContextSwitches' : [ 0x258, ['unsigned long long']], 'SchedulingGroup' : [ 0x260, ['pointer64', ['_KSCHEDULING_GROUP']]], 'FreezeCount' : [ 0x268, ['unsigned long']], 'KernelTime' : [ 0x26c, ['unsigned long']], 'UserTime' : [ 0x270, ['unsigned long']], 'ReadyTime' : [ 0x274, ['unsigned long']], 'Spare2' : [ 0x278, ['array', 80, ['unsigned char']]], 'InstrumentationCallback' : [ 0x2c8, ['pointer64', ['void']]], 'SecurePid' : [ 0x2d0, ['unsigned long long']], } ], '_KTHREAD' : [ 0x5e8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 
'SListFaultAddress' : [ 0x18, ['pointer64', ['void']]], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'StackBase' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'CycleTime' : [ 0x48, ['unsigned long long']], 'CurrentRunTime' : [ 0x50, ['unsigned long']], 'ExpectedRunTime' : [ 0x54, ['unsigned long']], 'KernelStack' : [ 0x58, ['pointer64', ['void']]], 'StateSaveArea' : [ 0x60, ['pointer64', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x68, ['pointer64', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x70, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x71, ['unsigned char']], 'Alerted' : [ 0x72, ['array', 2, ['unsigned char']]], 'AutoBoostActive' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x74, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitNext' : [ 0x74, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x74, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Alertable' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x74, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'TimerActive' : [ 0x74, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SystemThread' : [ 0x74, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x74, ['BitField', 
dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CalloutActive' : [ 0x74, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x74, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ApcQueueable' : [ 0x74, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x74, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x74, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'TimerSuspended' : [ 0x74, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SuspendedWaitMode' : [ 0x74, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'SuspendSchedulerApcWait' : [ 0x74, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x74, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x74, ['long']], 'AutoAlignment' : [ 0x78, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x78, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BamEppImportant' : [ 0x78, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x78, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x78, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x78, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x78, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x78, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x78, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long')]], 'DeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x78, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x78, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x78, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x78, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x78, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'KernelStackResident' : [ 0x78, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'TerminateRequestReason' : [ 0x78, ['BitField', dict(start_bit = 17, end_bit = 19, native_type='unsigned long')]], 'ProcessStackCountDecremented' : [ 0x78, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'RestrictedGuiThread' : [ 0x78, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ThreadFlagsSpare' : [ 0x78, ['BitField', dict(start_bit = 21, end_bit = 24, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x78, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x78, ['long']], 'Tag' : [ 0x7c, ['unsigned char']], 'SystemHeteroCpuPolicy' : [ 0x7d, ['unsigned char']], 'UserHeteroCpuPolicy' : [ 0x7e, ['BitField', dict(start_bit = 0, end_bit = 7, native_type='unsigned char')]], 'ExplicitSystemHeteroCpuPolicy' : [ 0x7e, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare0' : [ 0x7f, ['unsigned char']], 'SystemCallNumber' : [ 0x80, ['unsigned long']], 'ReadyTime' : [ 0x84, ['unsigned long']], 
'FirstArgument' : [ 0x88, ['pointer64', ['void']]], 'TrapFrame' : [ 0x90, ['pointer64', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x98, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x98, ['array', 43, ['unsigned char']]], 'Priority' : [ 0xc3, ['unsigned char']], 'UserIdealProcessor' : [ 0xc4, ['unsigned long']], 'WaitStatus' : [ 0xc8, ['long long']], 'WaitBlockList' : [ 0xd0, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xd8, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xe8, ['pointer64', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xf0, ['pointer64', ['void']]], 'RelativeTimerBias' : [ 0xf8, ['unsigned long long']], 'Timer' : [ 0x100, ['_KTIMER']], 'WaitBlock' : [ 0x140, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x140, ['array', 20, ['unsigned char']]], 'ContextSwitches' : [ 0x154, ['unsigned long']], 'WaitBlockFill5' : [ 0x140, ['array', 68, ['unsigned char']]], 'State' : [ 0x184, ['unsigned char']], 'Spare13' : [ 0x185, ['unsigned char']], 'WaitIrql' : [ 0x186, ['unsigned char']], 'WaitMode' : [ 0x187, ['unsigned char']], 'WaitBlockFill6' : [ 0x140, ['array', 116, ['unsigned char']]], 'WaitTime' : [ 0x1b4, ['unsigned long']], 'WaitBlockFill7' : [ 0x140, ['array', 164, ['unsigned char']]], 'KernelApcDisable' : [ 0x1e4, ['short']], 'SpecialApcDisable' : [ 0x1e6, ['short']], 'CombinedApcDisable' : [ 0x1e4, ['unsigned long']], 'WaitBlockFill8' : [ 0x140, ['array', 40, ['unsigned char']]], 'ThreadCounters' : [ 0x168, ['pointer64', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0x140, ['array', 88, ['unsigned char']]], 'XStateSave' : [ 0x198, ['pointer64', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0x140, ['array', 136, ['unsigned char']]], 'Win32Thread' : [ 0x1c8, ['pointer64', ['void']]], 'WaitBlockFill11' : [ 0x140, ['array', 176, ['unsigned char']]], 'Ucb' : [ 0x1f0, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'Uch' : [ 0x1f8, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'Spare21' : [ 0x200, ['pointer64', ['void']]], 'QueueListEntry' : [ 
0x208, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x218, ['unsigned long']], 'NextProcessorNumber' : [ 0x218, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x218, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x21c, ['long']], 'Process' : [ 0x220, ['pointer64', ['_KPROCESS']]], 'UserAffinity' : [ 0x228, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x228, ['array', 10, ['unsigned char']]], 'PreviousMode' : [ 0x232, ['unsigned char']], 'BasePriority' : [ 0x233, ['unsigned char']], 'PriorityDecrement' : [ 0x234, ['unsigned char']], 'ForegroundBoost' : [ 0x234, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x234, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x235, ['unsigned char']], 'AdjustReason' : [ 0x236, ['unsigned char']], 'AdjustIncrement' : [ 0x237, ['unsigned char']], 'AffinityVersion' : [ 0x238, ['unsigned long long']], 'Affinity' : [ 0x240, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x240, ['array', 10, ['unsigned char']]], 'ApcStateIndex' : [ 0x24a, ['unsigned char']], 'WaitBlockCount' : [ 0x24b, ['unsigned char']], 'IdealProcessor' : [ 0x24c, ['unsigned long']], 'NpxState' : [ 0x250, ['unsigned long long']], 'SavedApcState' : [ 0x258, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x258, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x283, ['unsigned char']], 'SuspendCount' : [ 0x284, ['unsigned char']], 'Saturation' : [ 0x285, ['unsigned char']], 'SListFaultCount' : [ 0x286, ['unsigned short']], 'SchedulerApc' : [ 0x288, ['_KAPC']], 'SchedulerApcFill0' : [ 0x288, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x289, ['unsigned char']], 'SchedulerApcFill1' : [ 0x288, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x28b, ['unsigned char']], 'SchedulerApcFill2' : [ 0x288, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x28c, ['unsigned 
long']], 'SchedulerApcFill3' : [ 0x288, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c8, ['pointer64', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x288, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2d0, ['pointer64', ['void']]], 'SchedulerApcFill5' : [ 0x288, ['array', 83, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x2db, ['unsigned char']], 'UserTime' : [ 0x2dc, ['unsigned long']], 'SuspendEvent' : [ 0x2e0, ['_KEVENT']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'AbEntrySummary' : [ 0x318, ['unsigned char']], 'AbWaitEntryCount' : [ 0x319, ['unsigned char']], 'AbAllocationRegionCount' : [ 0x31a, ['unsigned char']], 'Spare20' : [ 0x31b, ['unsigned char']], 'SecureThreadCookie' : [ 0x31c, ['unsigned long']], 'LockEntries' : [ 0x320, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x560, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x568, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x570, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x580, ['unsigned long']], 'AbCompletedIoBoostCount' : [ 0x584, ['long']], 'AbCompletedIoQoSBoostCount' : [ 0x588, ['long']], 'KeReferenceCount' : [ 0x58c, ['short']], 'AbOrphanedEntrySummary' : [ 0x58e, ['unsigned char']], 'AbOwnedEntryCount' : [ 0x58f, ['unsigned char']], 'ForegroundLossTime' : [ 0x590, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x598, ['_LIST_ENTRY']], 'ForegroundDpcStackListEntry' : [ 0x598, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x5a0, ['unsigned long long']], 'ReadOperationCount' : [ 0x5a8, ['long long']], 'WriteOperationCount' : [ 0x5b0, ['long long']], 'OtherOperationCount' : [ 0x5b8, ['long long']], 'ReadTransferCount' : [ 0x5c0, ['long long']], 'WriteTransferCount' : [ 0x5c8, ['long long']], 'OtherTransferCount' : [ 0x5d0, ['long long']], 'QueuedScb' : [ 0x5d8, ['pointer64', ['_KSCB']]], 'ThreadTimerDelay' : [ 0x5e0, ['unsigned long']], 'Spare22' : [ 0x5e4, ['long']], } ], 
'_KSTACK_CONTROL' : [ 0x30, { 'StackBase' : [ 0x0, ['unsigned long long']], 'ActualLimit' : [ 0x8, ['unsigned long long']], 'StackExpansion' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_1287' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'HeaderX64' : [ 0x0, ['__unnamed_1287']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 
'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'DeleteCallback' : [ 0x8, ['pointer64', ['void']]], 'DeleteContext' : [ 0x10, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 
'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0x140, { 'IdleNonParkedCpuSet' : [ 0x0, ['unsigned long long']], 'IdleSmtSet' : [ 0x8, ['unsigned long long']], 'IdleCpuSet' : [ 0x10, ['unsigned long long']], 'DeepIdleSet' : [ 0x40, ['unsigned long long']], 'IdleConstrainedSet' : [ 0x48, ['unsigned long long']], 'NonParkedSet' : [ 0x50, ['unsigned long long']], 'ParkLock' : [ 0x58, ['long']], 'Seed' : [ 0x5c, ['unsigned long']], 'SiblingMask' : [ 0x80, ['unsigned long']], 'Affinity' : [ 0x88, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x88, ['array', 10, ['unsigned char']]], 'NodeNumber' : [ 0x92, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x94, ['unsigned short']], 'Stride' : [ 0x96, ['unsigned char']], 'Spare0' : [ 0x97, ['unsigned char']], 'SharedReadyQueueLeaders' : [ 0x98, ['unsigned long long']], 'ProximityId' : [ 0xa0, ['unsigned long']], 'Lowest' : [ 0xa4, ['unsigned long']], 'Highest' : [ 0xa8, ['unsigned long']], 'MaximumProcessors' : [ 0xac, ['unsigned char']], 'Flags' : [ 0xad, ['_flags']], 'Spare10' : [ 0xae, ['unsigned char']], 'HeteroSets' : [ 0xb0, ['array', 5, ['_KHETERO_PROCESSOR_SET']]], } ], '_ENODE' : [ 0x840, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueues' : [ 0x140, ['array', 8, ['pointer64', ['_EX_WORK_QUEUE']]]], 'ExWorkQueue' : [ 0x180, ['_EX_WORK_QUEUE']], 'IoWorkQueue' : [ 0x450, 
['_EX_WORK_QUEUE']], 'ExpThreadSetManagerEvent' : [ 0x720, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x738, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x778, ['_KEVENT']], 'WaitBlocks' : [ 0x790, ['array', 3, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x820, ['pointer64', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x828, ['unsigned long']], 'ExWorkerFullInit' : [ 0x82c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x82c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x82c, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x80, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long long']], 'QuotaProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'HandleTableList' : [ 0x18, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], 'StrictFIFO' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x2c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x2c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'RaiseUMExceptionOnInvalidHandleClose' : [ 0x2c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x38, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x40, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x40, ['array', 32, ['unsigned char']]], 'DebugInfo' : [ 0x60, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x8, { 'AuditMask' : [ 0x0, ['unsigned long']], 'MaxRelativeAccessMask' : [ 0x4, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'VolatileLowValue' : 
[ 0x0, ['long long']], 'LowValue' : [ 0x0, ['long long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'HighValue' : [ 0x8, ['long long']], 'NextFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x8, ['_EXHANDLE']], 'RefCountField' : [ 0x0, ['long long']], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 17, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 20, native_type='unsigned long long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 64, native_type='unsigned long long')]], 'GrantedAccessBits' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Spare1' : [ 0x8, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], 'Spare2' : [ 0xc, ['unsigned long']], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1379' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 
'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_1379']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xe0, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xd8, ['unsigned char']], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EPROCESS' : [ 0x818, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x2d8, ['_EX_PUSH_LOCK']], 'UniqueProcessId' : [ 0x2e0, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x2e8, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x2f8, ['_EX_RUNDOWN_REF']], 'Flags2' : [ 0x300, ['unsigned long']], 'JobNotReallyActive' : [ 0x300, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x300, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x300, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x300, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x300, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x300, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0x300, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x300, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x300, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x300, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0x300, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0x300, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x300, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x300, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x300, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x300, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x300, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x300, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x300, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x300, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0x300, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0x300, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0x300, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 
0x300, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0x300, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0x300, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0x300, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0x300, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x304, ['unsigned long']], 'CreateReported' : [ 0x304, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x304, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x304, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x304, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0x304, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x304, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x304, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x304, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FailFastOnCommitFail' : [ 0x304, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x304, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x304, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x304, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x304, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned 
long')]], 'DeprioritizeViews' : [ 0x304, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x304, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x304, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x304, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x304, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x304, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0x304, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x304, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x304, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x304, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x304, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0x304, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x304, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x304, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x304, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x304, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CreateTime' : [ 0x308, ['_LARGE_INTEGER']], 'ProcessQuotaUsage' : [ 0x310, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x320, ['array', 2, ['unsigned long long']]], 'PeakVirtualSize' : [ 0x330, ['unsigned long long']], 
'VirtualSize' : [ 0x338, ['unsigned long long']], 'SessionProcessLinks' : [ 0x340, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0x350, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x350, ['unsigned long long']], 'ExceptionPortState' : [ 0x350, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Token' : [ 0x358, ['_EX_FAST_REF']], 'MmReserved' : [ 0x360, ['unsigned long long']], 'AddressCreationLock' : [ 0x368, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0x370, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x378, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x380, ['pointer64', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x388, ['pointer64', ['_EJOB']]], 'CloneRoot' : [ 0x390, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x398, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x3a0, ['unsigned long long']], 'Win32Process' : [ 0x3a8, ['pointer64', ['void']]], 'Job' : [ 0x3b0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x3b8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x3c0, ['pointer64', ['void']]], 'Cookie' : [ 0x3c8, ['unsigned long']], 'WorkingSetWatch' : [ 0x3d0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x3d8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x3e0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x3e8, ['pointer64', ['void']]], 'OwnerProcessId' : [ 0x3f0, ['unsigned long long']], 'Peb' : [ 0x3f8, ['pointer64', ['_PEB']]], 'Session' : [ 0x400, ['pointer64', ['_MM_SESSION_SPACE']]], 'AweInfo' : [ 0x408, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x410, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x418, ['pointer64', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x420, ['pointer64', ['void']]], 'WoW64Process' : [ 0x428, ['pointer64', ['_EWOW64PROCESS']]], 'DeviceMap' : [ 0x430, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x438, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x440, ['unsigned long long']], 'ImageFilePointer' : [ 0x448, ['pointer64', 
['_FILE_OBJECT']]], 'ImageFileName' : [ 0x450, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x45f, ['unsigned char']], 'SecurityPort' : [ 0x460, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x468, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x470, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x480, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x488, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x498, ['unsigned long']], 'ImagePathHash' : [ 0x49c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x4a0, ['unsigned long']], 'LastThreadExitStatus' : [ 0x4a4, ['long']], 'PrefetchTrace' : [ 0x4a8, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x4b0, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x4b8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x4c0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x4c8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x4d0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x4d8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x4e0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x4e8, ['unsigned long long']], 'CommitCharge' : [ 0x4f0, ['unsigned long long']], 'CommitChargePeak' : [ 0x4f8, ['unsigned long long']], 'Vm' : [ 0x500, ['_MMSUPPORT_FULL']], 'MmProcessLinks' : [ 0x610, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x620, ['unsigned long']], 'ExitStatus' : [ 0x624, ['long']], 'VadRoot' : [ 0x628, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x630, ['pointer64', ['void']]], 'VadCount' : [ 0x638, ['unsigned long long']], 'VadPhysicalPages' : [ 0x640, ['unsigned long long']], 'VadPhysicalPagesLimit' : [ 0x648, ['unsigned long long']], 'AlpcContext' : [ 0x650, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x670, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x680, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x688, ['unsigned long']], 'SmallestTimerResolution' : [ 0x68c, ['unsigned long']], 'ExitTime' : [ 0x690, ['_LARGE_INTEGER']], 'InvertedFunctionTable' : [ 0x698, ['pointer64', 
['_INVERTED_FUNCTION_TABLE']]], 'InvertedFunctionTableLock' : [ 0x6a0, ['_EX_PUSH_LOCK']], 'ActiveThreadsHighWatermark' : [ 0x6a8, ['unsigned long']], 'LargePrivateVadCount' : [ 0x6ac, ['unsigned long']], 'ThreadListLock' : [ 0x6b0, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x6b8, ['pointer64', ['void']]], 'ServerSilo' : [ 0x6c0, ['pointer64', ['_EJOB']]], 'SignatureLevel' : [ 0x6c8, ['unsigned char']], 'SectionSignatureLevel' : [ 0x6c9, ['unsigned char']], 'Protection' : [ 0x6ca, ['_PS_PROTECTION']], 'HangCount' : [ 0x6cb, ['unsigned char']], 'Flags3' : [ 0x6cc, ['unsigned long']], 'Minimal' : [ 0x6cc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReplacingPageRoot' : [ 0x6cc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DisableNonSystemFonts' : [ 0x6cc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AuditNonSystemFontLoading' : [ 0x6cc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Crashed' : [ 0x6cc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'JobVadsAreTracked' : [ 0x6cc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'VadTrackingDisabled' : [ 0x6cc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AuxiliaryProcess' : [ 0x6cc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SubsystemProcess' : [ 0x6cc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x6cc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'InPrivate' : [ 0x6cc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProhibitRemoteImageMap' : [ 0x6cc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ProhibitLowILImageMap' : [ 0x6cc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 
'SignatureMitigationOptIn' : [ 0x6cc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DisableDynamicCodeAllowOptOut' : [ 0x6cc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'EnableFilteredWin32kAPIs' : [ 0x6cc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'AuditFilteredWin32kAPIs' : [ 0x6cc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PreferSystem32Images' : [ 0x6cc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'RelinquishedCommit' : [ 0x6cc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AutomaticallyOverrideChildProcessPolicy' : [ 0x6cc, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'HighGraphicsPriority' : [ 0x6cc, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CommitFailLogged' : [ 0x6cc, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ReserveFailLogged' : [ 0x6cc, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DisableDynamicCodeAllowRemoteDowngrade' : [ 0x6cc, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'LoaderIntegrityContinuityEnabled' : [ 0x6cc, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'LoaderIntegrityContinuityAudit' : [ 0x6cc, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ControlFlowGuardExportSuppressionEnabled' : [ 0x6cc, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'FatalAccessTerminationRequested' : [ 0x6cc, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'DisableSystemAllowedCpuSet' : [ 0x6cc, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ControlFlowGuardStrict' : [ 0x6cc, ['BitField', dict(start_bit = 
29, end_bit = 30, native_type='unsigned long')]], 'DeviceAsid' : [ 0x6d0, ['long']], 'SvmData' : [ 0x6d8, ['pointer64', ['void']]], 'SvmProcessLock' : [ 0x6e0, ['_EX_PUSH_LOCK']], 'SvmLock' : [ 0x6e8, ['unsigned long long']], 'SvmProcessDeviceListHead' : [ 0x6f0, ['_LIST_ENTRY']], 'LastFreezeInterruptTime' : [ 0x700, ['unsigned long long']], 'DiskCounters' : [ 0x708, ['pointer64', ['_PROCESS_DISK_COUNTERS']]], 'PicoContext' : [ 0x710, ['pointer64', ['void']]], 'TrustletIdentity' : [ 0x718, ['unsigned long long']], 'HighPriorityFaultsAllowed' : [ 0x720, ['unsigned long']], 'EnergyContext' : [ 0x728, ['pointer64', ['_PO_PROCESS_ENERGY_CONTEXT']]], 'VmContext' : [ 0x730, ['pointer64', ['void']]], 'SequenceNumber' : [ 0x738, ['unsigned long long']], 'CreateInterruptTime' : [ 0x740, ['unsigned long long']], 'CreateUnbiasedInterruptTime' : [ 0x748, ['unsigned long long']], 'TotalUnbiasedFrozenTime' : [ 0x750, ['unsigned long long']], 'LastAppStateUpdateTime' : [ 0x758, ['unsigned long long']], 'LastAppStateUptime' : [ 0x760, ['BitField', dict(start_bit = 0, end_bit = 61, native_type='unsigned long long')]], 'LastAppState' : [ 0x760, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], 'SharedCommitCharge' : [ 0x768, ['unsigned long long']], 'SharedCommitLock' : [ 0x770, ['_EX_PUSH_LOCK']], 'SharedCommitLinks' : [ 0x778, ['_LIST_ENTRY']], 'AllowedCpuSets' : [ 0x788, ['unsigned long long']], 'DefaultCpuSets' : [ 0x790, ['unsigned long long']], 'AllowedCpuSetsIndirect' : [ 0x788, ['pointer64', ['unsigned long long']]], 'DefaultCpuSetsIndirect' : [ 0x790, ['pointer64', ['unsigned long long']]], 'DiskIoAttribution' : [ 0x798, ['pointer64', ['void']]], 'DxgProcess' : [ 0x7a0, ['pointer64', ['void']]], 'Win32KFilterSet' : [ 0x7a8, ['unsigned long']], 'ProcessTimerDelay' : [ 0x7b0, ['_PS_INTERLOCKED_TIMER_DELAY_VALUES']], 'KTimerSets' : [ 0x7b8, ['unsigned long']], 'KTimer2Sets' : [ 0x7bc, ['unsigned long']], 'ThreadTimerSets' : [ 0x7c0, 
['unsigned long']], 'VirtualTimerListLock' : [ 0x7c8, ['unsigned long long']], 'VirtualTimerListHead' : [ 0x7d0, ['_LIST_ENTRY']], 'WakeChannel' : [ 0x7e0, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x7e0, ['_PS_PROCESS_WAKE_INFORMATION']], 'Flags4' : [ 0x810, ['unsigned long']], 'PicoCreated' : [ 0x810, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RestrictSetThreadContext' : [ 0x810, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '_EWOW64PROCESS' : [ 0x10, { 'Peb' : [ 0x0, ['pointer64', ['void']]], 'Machine' : [ 0x8, ['unsigned short']], } ], '_ETHREAD' : [ 0x810, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x5e8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x5f0, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x5f0, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x600, ['pointer64', ['void']]], 'PostBlockList' : [ 0x608, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x608, ['pointer64', ['void']]], 'StartAddress' : [ 0x610, ['pointer64', ['void']]], 'TerminationPort' : [ 0x618, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x618, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x618, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x620, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x628, ['_LIST_ENTRY']], 'Cid' : [ 0x638, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x648, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x648, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x668, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x670, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x680, ['unsigned long long']], 'DeviceToVerify' : [ 0x688, ['pointer64', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x690, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x698, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x6a0, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x6b0, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x6b8, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x6c0, ['unsigned long']], 'MmLockOrdering' : [ 0x6c4, ['long']], 
'CrossThreadFlags' : [ 0x6c8, ['unsigned long']], 'Terminated' : [ 0x6c8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x6c8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x6c8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x6c8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x6c8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x6c8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x6c8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x6c8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x6c8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x6c8, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x6c8, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x6c8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x6c8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x6c8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DisableDynamicCodeOptOut' : [ 0x6c8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ExplicitCaseSensitivity' : [ 0x6c8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PicoNotifyExit' : [ 0x6c8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'DbgWerUserReportActive' : [ 0x6c8, ['BitField', dict(start_bit = 21, 
end_bit = 22, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x6c8, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x6cc, ['unsigned long']], 'ActiveExWorker' : [ 0x6cc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x6cc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'StoreLockThread' : [ 0x6cc, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'ClonedThread' : [ 0x6cc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x6cc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SelfTerminate' : [ 0x6cc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RespectIoPriority' : [ 0x6cc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ActivePageLists' : [ 0x6cc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedSameThreadPassiveFlags' : [ 0x6cc, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x6d0, ['unsigned long']], 'OwnsProcessAddressSpaceExclusive' : [ 0x6d0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x6d0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardFaultBehavior' : [ 0x6d0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x6d0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x6d0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x6d0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Prefetching' : [ 0x6d0, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x6d0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x6d1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x6d1, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x6d4, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x6d5, ['unsigned char']], 'ActiveFaultCount' : [ 0x6d6, ['unsigned char']], 'LockOrderState' : [ 0x6d7, ['unsigned char']], 'AlpcMessageId' : [ 0x6d8, ['unsigned long long']], 'AlpcMessage' : [ 0x6e0, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x6e0, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x6e8, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x6f8, ['long']], 'CacheManagerCount' : [ 0x6fc, ['unsigned long']], 'IoBoostCount' : [ 0x700, ['unsigned long']], 'IoQoSBoostCount' : [ 0x704, ['unsigned long']], 'IoQoSThrottleCount' : [ 0x708, ['unsigned long']], 'BoostList' : [ 0x710, ['_LIST_ENTRY']], 'DeboostList' : [ 0x720, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x730, ['unsigned long long']], 'IrpListLock' : [ 0x738, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x740, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x748, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x750, ['pointer64', ['_GUID']]], 'SeLearningModeListHead' : [ 0x758, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x760, ['pointer64', ['void']]], 'KernelStackReference' : [ 0x768, ['unsigned long']], 'AdjustedClientToken' : [ 0x770, ['pointer64', ['void']]], 'WorkOnBehalfThread' : [ 0x778, ['pointer64', ['void']]], 'PropertySet' : [ 0x780, ['_PS_PROPERTY_SET']], 'PicoContext' : [ 0x798, ['pointer64', ['void']]], 'UserFsBase' : [ 0x7a0, ['unsigned long long']], 'UserGsBase' : [ 0x7a8, ['unsigned long long']], 'EnergyValues' : [ 0x7b0, ['pointer64', ['_THREAD_ENERGY_VALUES']]], 'CmDbgInfo' : [ 0x7b8, ['pointer64', ['void']]], 'SelectedCpuSets' : [ 
0x7c0, ['unsigned long long']], 'SelectedCpuSetsIndirect' : [ 0x7c0, ['pointer64', ['unsigned long long']]], 'Silo' : [ 0x7c8, ['pointer64', ['_EJOB']]], 'ThreadName' : [ 0x7d0, ['pointer64', ['_UNICODE_STRING']]], 'SetContextState' : [ 0x7d8, ['pointer64', ['_CONTEXT']]], 'LastExpectedRunTime' : [ 0x7e0, ['unsigned long']], 'OwnerEntryListHead' : [ 0x7e8, ['_LIST_ENTRY']], 'DisownedOwnerEntryListLock' : [ 0x7f8, ['unsigned long long']], 'DisownedOwnerEntryListHead' : [ 0x800, ['_LIST_ENTRY']], } ], '__unnamed_13ed' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_13f3' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_13f5' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_13f3']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_13fe' : [ 0x58, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x50, ['pointer64', ['void']]], } ], '__unnamed_1400' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_13fe']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'AllocationProcessorNumber' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_13ed']], 
'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_13f5']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_1400']], } ], '__unnamed_1407' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_140b' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_140f' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_1411' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1415' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 
'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 
61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileDesiredStorageClassInformation', 68: 'FileStatInformation', 69: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1417' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_1419' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 
'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileDesiredStorageClassInformation', 68: 'FileStatInformation', 69: 'FileMaximumInformation'})]], } ], '__unnamed_141b' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 
'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileDesiredStorageClassInformation', 68: 'FileStatInformation', 69: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_141d' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], 
'__unnamed_141f' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1423' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMetadataSizeInformation', 14: 'FileFsMaximumInformation'})]], } ], '__unnamed_1425' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1427' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1429' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_142b' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_142d' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1431' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_1435' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1439' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' 
: [ 0x18, ['unsigned long']], } ], '__unnamed_143d' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_1441' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1445' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1449' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_144b' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_144d' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1451' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_1455' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1459' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_145d' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', 
dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1461' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1469' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], } ], '__unnamed_146d' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_146f' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1471' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1473' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1407']], 'CreatePipe' : [ 0x0, ['__unnamed_140b']], 'CreateMailslot' : [ 0x0, ['__unnamed_140f']], 'Read' : [ 0x0, ['__unnamed_1411']], 'Write' : [ 0x0, ['__unnamed_1411']], 'QueryDirectory' : [ 0x0, ['__unnamed_1415']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1417']], 'QueryFile' : [ 0x0, ['__unnamed_1419']], 'SetFile' : [ 0x0, ['__unnamed_141b']], 
'QueryEa' : [ 0x0, ['__unnamed_141d']], 'SetEa' : [ 0x0, ['__unnamed_141f']], 'QueryVolume' : [ 0x0, ['__unnamed_1423']], 'SetVolume' : [ 0x0, ['__unnamed_1423']], 'FileSystemControl' : [ 0x0, ['__unnamed_1425']], 'LockControl' : [ 0x0, ['__unnamed_1427']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1429']], 'QuerySecurity' : [ 0x0, ['__unnamed_142b']], 'SetSecurity' : [ 0x0, ['__unnamed_142d']], 'MountVolume' : [ 0x0, ['__unnamed_1431']], 'VerifyVolume' : [ 0x0, ['__unnamed_1431']], 'Scsi' : [ 0x0, ['__unnamed_1435']], 'QueryQuota' : [ 0x0, ['__unnamed_1439']], 'SetQuota' : [ 0x0, ['__unnamed_141f']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_143d']], 'QueryInterface' : [ 0x0, ['__unnamed_1441']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1445']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1449']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_144b']], 'SetLock' : [ 0x0, ['__unnamed_144d']], 'QueryId' : [ 0x0, ['__unnamed_1451']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1455']], 'UsageNotification' : [ 0x0, ['__unnamed_1459']], 'WaitWake' : [ 0x0, ['__unnamed_145d']], 'PowerSequence' : [ 0x0, ['__unnamed_1461']], 'Power' : [ 0x0, ['__unnamed_1469']], 'StartDevice' : [ 0x0, ['__unnamed_146d']], 'WMI' : [ 0x0, ['__unnamed_146f']], 'Others' : [ 0x0, ['__unnamed_1471']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_1473']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1489' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, 
['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_1489']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x10, ['unsigned long long']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x28, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], 'SiloContext' : [ 0x20, ['pointer64', ['_EJOB']]], } ], '_EJOB' : [ 0x610, { 'Event' : [ 0x0, 
['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb8, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xc0, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0xc8, ['unsigned long long']], 'TotalPageFaultCount' : [ 0xd0, ['unsigned long']], 'TotalProcesses' : [ 0xd4, ['unsigned long']], 'ActiveProcesses' : [ 0xd8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xdc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xe0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf8, ['unsigned long long']], 'LimitFlags' : [ 0x100, ['unsigned long']], 'ActiveProcessLimit' : [ 0x104, ['unsigned long']], 'Affinity' : [ 0x108, ['_KAFFINITY_EX']], 'AccessState' : [ 0x1b0, ['pointer64', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0x1b8, ['pointer64', ['void']]], 'UIRestrictionsClass' : [ 0x1c0, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x1c4, ['unsigned long']], 'CompletionPort' : [ 0x1c8, ['pointer64', ['void']]], 'CompletionKey' : [ 0x1d0, ['pointer64', ['void']]], 'CompletionCount' : [ 0x1d8, ['unsigned long long']], 'SessionId' : [ 0x1e0, ['unsigned long']], 'SchedulingClass' : [ 0x1e4, ['unsigned long']], 'ReadOperationCount' : [ 0x1e8, ['unsigned long long']], 'WriteOperationCount' : [ 0x1f0, ['unsigned long long']], 'OtherOperationCount' : [ 0x1f8, ['unsigned long long']], 'ReadTransferCount' : [ 0x200, ['unsigned long long']], 'WriteTransferCount' : [ 0x208, ['unsigned long long']], 'OtherTransferCount' : [ 0x210, ['unsigned long long']], 'DiskIoInfo' : [ 0x218, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x240, ['unsigned long long']], 'JobMemoryLimit' : [ 0x248, 
['unsigned long long']], 'JobTotalMemoryLimit' : [ 0x250, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x258, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x260, ['unsigned long long']], 'EffectiveAffinity' : [ 0x268, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x310, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x318, ['unsigned long long']], 'EffectiveMaximumWorkingSetSize' : [ 0x320, ['unsigned long long']], 'EffectiveProcessMemoryLimit' : [ 0x328, ['unsigned long long']], 'EffectiveProcessMemoryLimitJob' : [ 0x330, ['pointer64', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x338, ['pointer64', ['_EJOB']]], 'EffectiveNetIoRateLimitJob' : [ 0x340, ['pointer64', ['_EJOB']]], 'EffectiveHeapAttributionJob' : [ 0x348, ['pointer64', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x350, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x354, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x358, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x35c, ['unsigned long']], 'EffectiveSwapCount' : [ 0x360, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x364, ['unsigned long']], 'EffectivePriorityClass' : [ 0x368, ['unsigned char']], 'PriorityClass' : [ 0x369, ['unsigned char']], 'NestingDepth' : [ 0x36a, ['unsigned char']], 'Reserved1' : [ 0x36b, ['array', 1, ['unsigned char']]], 'CompletionFilter' : [ 0x36c, ['unsigned long']], 'WakeChannel' : [ 0x370, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x370, ['_PS_JOB_WAKE_INFORMATION']], 'WakeFilter' : [ 0x3b8, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x3c0, ['unsigned long']], 'NotificationLink' : [ 0x3c8, ['pointer64', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x3d0, ['unsigned long long']], 'NotificationInfo' : [ 0x3d8, ['pointer64', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x3e0, ['pointer64', ['void']]], 'NotificationPacket' : [ 0x3e8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x3f0, ['pointer64', 
['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x3f8, ['pointer64', ['void']]], 'ReadyTime' : [ 0x400, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x408, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x410, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x420, ['_LIST_ENTRY']], 'ParentJob' : [ 0x430, ['pointer64', ['_EJOB']]], 'RootJob' : [ 0x438, ['pointer64', ['_EJOB']]], 'IteratorListHead' : [ 0x440, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x450, ['unsigned long long']], 'Ancestors' : [ 0x458, ['pointer64', ['pointer64', ['_EJOB']]]], 'SessionObject' : [ 0x458, ['pointer64', ['void']]], 'Accounting' : [ 0x460, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x4b8, ['unsigned long']], 'ActiveAuxiliaryProcessCount' : [ 0x4bc, ['unsigned long']], 'SequenceNumber' : [ 0x4c0, ['unsigned long']], 'JobId' : [ 0x4c4, ['unsigned long']], 'ContainerId' : [ 0x4c8, ['_GUID']], 'ContainerTelemetryId' : [ 0x4d8, ['_GUID']], 'ServerSiloGlobals' : [ 0x4e8, ['pointer64', ['_ESERVERSILO_GLOBALS']]], 'PropertySet' : [ 0x4f0, ['_PS_PROPERTY_SET']], 'Storage' : [ 0x508, ['pointer64', ['_PSP_STORAGE']]], 'NetRateControl' : [ 0x510, ['pointer64', ['_JOB_NET_RATE_CONTROL']]], 'JobFlags' : [ 0x518, ['unsigned long']], 'CloseDone' : [ 0x518, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x518, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x518, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x518, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x518, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x518, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x518, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 
0x518, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x518, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x518, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x518, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x518, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x518, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x518, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x518, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x518, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x518, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x518, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x518, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x518, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x518, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x518, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x518, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x518, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x518, ['BitField', dict(start_bit = 24, end_bit = 25, 
native_type='unsigned long')]], 'NetRateControlActive' : [ 0x518, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'OwnNetRateControl' : [ 0x518, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IoRateControlActive' : [ 0x518, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'OwnIoRateControl' : [ 0x518, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'DisallowNewProcesses' : [ 0x518, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Silo' : [ 0x518, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ContainerTelemetryIdSet' : [ 0x518, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'JobFlags2' : [ 0x51c, ['unsigned long']], 'ParentLocked' : [ 0x51c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'EnableUsermodeSiloThreadImpersonation' : [ 0x51c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DisallowUsermodeSiloThreadImpersonation' : [ 0x51c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EnergyValues' : [ 0x520, ['pointer64', ['_PROCESS_EXTENDED_ENERGY_VALUES']]], 'SharedCommitCharge' : [ 0x528, ['unsigned long long']], 'DiskIoAttributionUserRefCount' : [ 0x530, ['unsigned long']], 'DiskIoAttributionRefCount' : [ 0x534, ['unsigned long']], 'DiskIoAttributionContext' : [ 0x538, ['pointer64', ['void']]], 'DiskIoAttributionOwnerJob' : [ 0x538, ['pointer64', ['_EJOB']]], 'IoRateControlHeader' : [ 0x540, ['_JOB_RATE_CONTROL_HEADER']], 'GlobalIoControl' : [ 0x568, ['_PS_IO_CONTROL_ENTRY']], 'IoControlStateLock' : [ 0x5a0, ['long']], 'VolumeIoControlTree' : [ 0x5a8, ['_RTL_RB_TREE']], 'IoRateOverQuotaHistory' : [ 0x5b8, ['unsigned long long']], 'IoRateCurrentGeneration' : [ 0x5c0, ['unsigned long']], 'IoRateLastQueryGeneration' : [ 0x5c4, ['unsigned long']], 
'IoRateGenerationLength' : [ 0x5c8, ['unsigned long']], 'IoRateOverQuotaNotifySequenceId' : [ 0x5cc, ['unsigned long']], 'IoControlLock' : [ 0x5d0, ['_EX_PUSH_LOCK']], 'SiloHardReferenceCount' : [ 0x5d8, ['unsigned long long']], 'RundownWorkItem' : [ 0x5e0, ['_WORK_QUEUE_ITEM']], 'MemoryPartitionObject' : [ 0x600, ['pointer64', ['void']]], 'EnergyTrackingState' : [ 0x608, ['_JOBOBJECT_ENERGY_TRACKING_STATE']], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'AllocationProcessorNumber' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'Type' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['unsigned char']], 'Reserved2' : [ 0xe, ['unsigned short']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x70, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, 
['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer64', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x60, ['pointer64', ['void']]], 'UserContext' : [ 0x68, ['pointer64', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 
'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_PROCESS_EXTENDED_ENERGY_VALUES' : [ 0x158, { 'Base' : [ 0x0, ['_PROCESS_ENERGY_VALUES']], 'Extension' : [ 0x110, ['_PROCESS_ENERGY_VALUES_EXTENSION']], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 
'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, 
['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'Oplock' : [ 0x58, ['pointer64', ['void']]], 'ReservedForRemote' : [ 0x58, ['pointer64', ['void']]], 'ReservedContext' : [ 0x60, ['pointer64', ['void']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_TlgProvider_t' : [ 0x40, { 'LevelPlus1' : [ 0x0, ['unsigned long']], 'ProviderMetadataPtr' : [ 0x8, ['pointer64', ['unsigned short']]], 'KeywordAny' : [ 0x10, ['unsigned long long']], 'KeywordAll' : [ 0x18, ['unsigned long long']], 'RegHandle' : [ 0x20, ['unsigned long long']], 'EnableCallback' : [ 0x28, ['pointer64', ['void']]], 'CallbackContext' : [ 0x30, ['pointer64', ['void']]], 'AnnotationFunc' : [ 0x38, ['pointer64', ['void']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_TlgProviderMetadata_t' : [ 0x13, { 'Type' : [ 0x0, ['unsigned char']], 'ProviderId' : [ 0x1, ['_GUID']], 'RemainingSize' : [ 0x11, ['unsigned short']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, 
['array', 1, ['unsigned long']]], } ], '__unnamed_1679' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1679']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND' : [ 0x10, { 'LocalLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'State' : [ 0x8, ['_EX_PUSH_LOCK_AUTO_EXPAND_STATE']], 'Stats' : [ 0xc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'ReservedLowFlags' : [ 0x1a, ['unsigned char']], 'WaiterPriority' : [ 0x1b, ['unsigned char']], 'SharedWaiters' : [ 0x20, ['pointer64', ['void']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['void']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 
'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '_MMCLONE_DESCRIPTOR' : [ 0x50, { 'CloneNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Next' : [ 0x0, ['pointer64', ['_MMCLONE_DESCRIPTOR']]], 'StartingCloneBlock' : [ 0x18, ['pointer64', ['_MMCLONE_BLOCK']]], 'EndingCloneBlock' : [ 0x20, ['pointer64', ['_MMCLONE_BLOCK']]], 'NumberOfPtes' : [ 0x28, ['unsigned long long']], 'NumberOfReferences' : [ 0x30, ['unsigned long long']], 'CloneHeader' : [ 0x38, ['pointer64', ['_MMCLONE_HEADER']]], 'NonPagedPoolQuotaCharge' : [ 0x40, ['unsigned long long']], 'NestingLevel' : [ 0x48, ['unsigned long long']], } ], '__unnamed_16ba' : [ 0x4, { 'MustNotBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], } ], '__unnamed_16bc' : [ 0x8, { 'Flink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeFlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 64, native_type='unsigned long long')]], 'PageTableWsle' : [ 0x0, ['__unnamed_16ba']], 'WsIndex' : [ 0x0, ['unsigned long long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_16c1' : [ 0x2, { 'ReferenceCount' : [ 0x0, ['unsigned short']], } ], '__unnamed_16c3' : [ 0x4, { 'EntireField' : [ 0x0, ['unsigned long']], } ], '__unnamed_16c5' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY1']], 'e3' : [ 0x3, ['_MMPFNENTRY3']], 'e2' : [ 0x0, 
['__unnamed_16c1']], 'e4' : [ 0x0, ['__unnamed_16c3']], } ], '__unnamed_16d1' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'Channel' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 38, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'Partition' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 50, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 52, native_type='unsigned long long')]], 'FileOnly' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'PfnExists' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned long long']], } ], '_MMPFN' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'u1' : [ 0x0, ['__unnamed_16bc']], 'PteAddress' : [ 0x8, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer64', ['void']]], 'PteLong' : [ 0x8, ['unsigned long long']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'u2' : [ 0x18, ['_MIPFNBLINK']], 'u3' : [ 0x20, ['__unnamed_16c5']], 'NodeBlinkLow' : [ 0x24, ['unsigned short']], 'Unused' : [ 0x26, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Unused2' : [ 0x26, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'ViewCount' : [ 0x27, ['unsigned char']], 'NodeFlinkLow' : [ 
0x27, ['unsigned char']], 'u4' : [ 0x28, ['__unnamed_16d1']], } ], '__unnamed_16dc' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcessId' : [ 0x0, ['unsigned long']], } ], '__unnamed_16e0' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x48, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_16dc']], 'u2' : [ 0x38, ['__unnamed_16e0']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], } ], '__unnamed_16e5' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_16e8' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS2']], } ], '__unnamed_16f1' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'LargePage' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SystemImage' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'StrongCode' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 20, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 23, native_type='unsigned long')]], 'ImageActive' : [ 0x4, 
['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_16f3' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_16f1']], } ], '__unnamed_16f5' : [ 0x8, { 'IoAttributionContext' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], 'ImageCrossPartitionCharge' : [ 0x0, ['unsigned long long']], 'CommittedPageCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], } ], '_CONTROL_AREA' : [ 0x80, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_16e5']], 'u1' : [ 0x3c, ['__unnamed_16e8']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'WaitList' : [ 0x50, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x58, ['__unnamed_16f3']], 'FileObjectLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'LockedPages' : [ 0x70, ['unsigned long long']], 'u3' : [ 0x78, ['__unnamed_16f5']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x68, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP_EX']], 'BasePte' : [ 0x10, ['pointer64', ['_MMPTE']]], 'Flags' : [ 0x18, ['unsigned long']], 'VaType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 
'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaMaximumType', 15: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x30, ['unsigned long long']], 'GlobalPushLock' : [ 0x30, ['pointer64', ['_EX_PUSH_LOCK']]], 'Vm' : [ 0x38, ['pointer64', ['_MMSUPPORT_INSTANCE']]], 'TotalSystemPtes' : [ 0x40, ['unsigned long long']], 'Hint' : [ 0x48, ['unsigned long long']], 'LowestBitEverAllocated' : [ 0x50, ['unsigned long long']], 'CachedPtes' : [ 0x58, ['pointer64', ['_MI_CACHED_PTES']]], 'TotalFreeSystemPtes' : [ 0x60, ['unsigned long long']], } ], '__unnamed_170f' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_1712' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x40, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer64', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0x18, ['unsigned long']], 'EndingVpn' : [ 0x1c, ['unsigned long']], 'StartingVpnHigh' : [ 0x20, ['unsigned char']], 'EndingVpnHigh' : [ 0x21, ['unsigned char']], 'CommitChargeHigh' : [ 0x22, ['unsigned char']], 'SpareNT64VadUChar' : [ 0x23, ['unsigned char']], 'ReferenceCount' : [ 0x24, ['long']], 'PushLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u' : [ 0x30, ['__unnamed_170f']], 'u1' : [ 0x34, ['__unnamed_1712']], 'EventList' : [ 0x38, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_HHIVE' : [ 0xa68, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, 
['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileWrite' : [ 0x28, ['pointer64', ['void']]], 'FileRead' : [ 0x30, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x38, ['pointer64', ['void']]], 'BaseBlock' : [ 0x40, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x48, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x58, ['unsigned long']], 'DirtyAlloc' : [ 0x5c, ['unsigned long']], 'UnreconciledVector' : [ 0x60, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x70, ['unsigned long']], 'BaseBlockAlloc' : [ 0x74, ['unsigned long']], 'Cluster' : [ 0x78, ['unsigned long']], 'Flat' : [ 0x7c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x7c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SystemCacheBacked' : [ 0x7c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x7c, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x7d, ['unsigned char']], 'HvBinHeadersUse' : [ 0x80, ['unsigned long']], 'HvFreeCellsUse' : [ 0x84, ['unsigned long']], 'HvUsedCellsUse' : [ 0x88, ['unsigned long']], 'CmUsedCellsUse' : [ 0x8c, ['unsigned long']], 'HiveFlags' : [ 0x90, ['unsigned long']], 'CurrentLog' : [ 0x94, ['unsigned long']], 'CurrentLogSequence' : [ 0x98, ['unsigned long']], 'CurrentLogMinimumSequence' : [ 0x9c, ['unsigned long']], 'CurrentLogOffset' : [ 0xa0, ['unsigned long']], 'MinimumLogSequence' : [ 0xa4, ['unsigned long']], 'LogFileSizeCap' : [ 0xa8, ['unsigned long']], 'LogDataPresent' : [ 0xac, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0xae, ['unsigned char']], 'BaseBlockDirty' : [ 0xaf, ['unsigned char']], 'LastLogSwapTime' : [ 0xb0, ['_LARGE_INTEGER']], 'FirstLogFile' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'SecondLogFile' : [ 0xb8, ['BitField', dict(start_bit = 3, end_bit = 6, 
native_type='unsigned short')]], 'HeaderRecovered' : [ 0xb8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0xb8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0xb8, ['unsigned short']], 'LogEntriesRecovered' : [ 0xba, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0xbc, ['unsigned long']], 'StorageTypeCount' : [ 0xc0, ['unsigned long']], 'Version' : [ 0xc4, ['unsigned long']], 'ViewMap' : [ 0xc8, ['_HVIEW_MAP']], 'Storage' : [ 0x578, ['array', 2, ['_DUAL']]], } ], '_HV_GET_CELL_CONTEXT' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'BinContext' : [ 0x4, ['_HV_GET_BIN_CONTEXT']], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Discarded' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['_CM_PATH_HASH']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'KcbPushlock' : [ 0x28, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x30, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x30, ['long']], 
'DelayedDeref' : [ 0x38, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DelayedClose' : [ 0x38, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Parking' : [ 0x38, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'LayerSemantics' : [ 0x39, ['unsigned char']], 'LayerHeight' : [ 0x3a, ['short']], 'SlotHint' : [ 0x3c, ['unsigned long']], 'ParentKcb' : [ 0x40, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x48, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x50, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x58, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x68, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x68, ['unsigned long']], 'SubKeyCount' : [ 0x68, ['unsigned long']], 'KeyBodyListHead' : [ 0x70, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x70, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x80, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa0, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xa8, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xaa, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xac, ['unsigned long']], 'KcbUserFlags' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'Spare3' : [ 0xb4, ['unsigned long']], 'LayerInfo' : [ 0xb8, ['pointer64', ['_CM_KCB_LAYER_INFO']]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, 
['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], 'FullKCBNameStale' : [ 0x120, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x120, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], } ], 'tagSWITCH_CONTEXT' : [ 0x358, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'Trans' : [ 0x38, ['_CM_TRANS_PTR']], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '__unnamed_1780' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry', 21: '_CmpMountPreloadedHives', 22: '_CmpLoadHiveThread', 23: '_CmpCheckLeaf'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1783' : [ 0x18, 
{ 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_1785' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1787' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_1789' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_178d' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_1791' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_1793' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned short']], 'RecoverableIndex' : [ 0xa, ['unsigned short']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_1780']]], 'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_1780']]], 'RegistryIO' : [ 0xd0, ['__unnamed_1783']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_1785']], 'CheckKey' : [ 0xf0, ['__unnamed_1787']], 'CheckValueList' : [ 0x110, ['__unnamed_1789']], 'CheckHive' : [ 0x128, ['__unnamed_178d']], 'CheckHive1' : [ 0x138, ['__unnamed_178d']], 'CheckBin' : [ 0x148, ['__unnamed_1791']], 'RecoverData' : [ 0x158, ['__unnamed_1793']], } ], '_CM_KCB_UOW' : [ 0x78, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 
'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ParentUoW' : [ 0x50, ['pointer64', ['_CM_KCB_UOW']]], 'ChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x58, ['unsigned long']], 'OldValueCell' : [ 0x58, ['unsigned long']], 'NewValueCell' : [ 0x5c, ['unsigned long']], 'UserFlags' : [ 0x58, ['unsigned long']], 'LastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'TxCachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'TxSecurityCell' : [ 0x60, ['unsigned long']], 'OldChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x60, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x60, ['unsigned long']], 'PrepareDataPointer' : [ 0x68, ['pointer64', ['void']]], 'SecurityData' : [ 0x68, ['pointer64', ['_CM_UOW_SET_SD_DATA']]], 'ModifyKeysData' : [ 0x68, ['pointer64', ['_CM_UOW_KEY_STATE_MODIFICATION']]], 'SetValueData' : [ 0x68, ['pointer64', ['_CM_UOW_SET_VALUE_LIST_DATA']]], 'ValueData' : [ 0x70, ['pointer64', ['_CM_UOW_SET_VALUE_KEY_DATA']]], 'DiscardReplaceContext' : [ 0x70, ['pointer64', ['_CMP_DISCARD_AND_REPLACE_KCB_CONTEXT']]], } ], '_CM_TRANS' : [ 0xb0, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Prepared' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'Aborted' : [ 0x30, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Committed' : [ 0x30, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Initializing' : [ 0x30, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Invalid' : [ 0x30, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UseReservation' : [ 0x30, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'TmCallbacksActive' : [ 0x30, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LightWeight' : [ 0x30, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Freed1' : [ 0x30, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Freed2' : [ 0x30, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x30, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'Freed' : [ 0x30, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Spare' : [ 0x30, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long')]], 'TransState' : [ 0x30, ['unsigned long']], 'Trans' : [ 0x38, ['_CM_TRANS_PTR']], 'CmRm' : [ 0x40, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x48, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x50, ['pointer64', ['void']]], 'KtmUow' : [ 0x58, ['_GUID']], 'StartLsn' : [ 0x68, ['unsigned long long']], 'HiveCount' : [ 0x70, ['unsigned long']], 'HiveArray' : [ 0x78, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', 
['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xc0, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long long']], 'ParkingStatus' : [ 0x80, ['unsigned long']], 'CurrentFrequency' : [ 0x84, ['unsigned long']], 'PercentMaxFrequency' : [ 0x88, ['unsigned long']], 'StateFlags' : [ 0x8c, ['unsigned long']], 'NominalThroughput' : [ 0x90, ['unsigned long']], 'ActiveThroughput' : [ 0x94, ['unsigned long']], 'ScaledThroughput' : [ 0x98, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0xa0, ['unsigned long long']], 'AverageIdleTime' : [ 0xa8, ['unsigned long long']], 'IdleBreakEvents' : [ 0xb0, ['unsigned long long']], 'PerformanceLimit' : [ 0xb8, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xbc, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 
'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 
'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0x10, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], 'TemperatureHighPrecision' : [ 0xc, ['unsigned long']], } ], '_TEB32' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, 
['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 16, ['unsigned long']]], 'SystemReserved1' : [ 0x10c, ['array', 30, ['unsigned long']]], '_ActivationStack' : [ 0x184, ['_ACTIVATION_CONTEXT_STACK32']], 'WorkingOnBehalfTicket' : [ 0x19c, ['array', 8, ['unsigned char']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'InstrumentationCallbackSp' : [ 0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x1b8, ['unsigned char']], 'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned 
long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' 
: [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 
'SkipLoaderInit' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], '_TEB64' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['unsigned long long']]], 'SystemReserved1' : [ 0x190, ['array', 32, ['unsigned long long']]], '_ActivationStack' : [ 0x290, ['_ACTIVATION_CONTEXT_STACK64']], 'WorkingOnBehalfTicket' : [ 0x2b8, ['array', 8, ['unsigned char']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 
'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 
'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : 
[ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SkipLoaderInit' : [ 0x17ee, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long 
long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_HV_X64_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState_Deprecated' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable_Deprecated' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 
'GuestCrashRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ExtendedGvaRangesForFlushVirtualAddressListAvailable' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'FastHypercallOutputAvailable' : [ 0xc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SvmFeaturesAvailable' : [ 0xc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SintPollingModeAvailable' : [ 0xc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HypercallMsrLockAvailable' : [ 0xc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'DirectSyntheticTimers' : [ 0xc, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'RegisterPatAvailable' : [ 0xc, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'RegisterBndcfgsAvailable' : [ 0xc, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'WatchdogTimerAvailable' : [ 0xc, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 23, end_bit = 32, native_type='unsigned long')]], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeReg' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicRegs' : [ 0x0, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerRegs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessIntrCtrlRegs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetReg' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsReg' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleReg' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyRegs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugRegs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'AccessReenlightenmentControls' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long 
long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'AccessVpExitTracing' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'EnableExtendedGvaRangesForFlushVirtualAddressList' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 48, native_type='unsigned long long')]], 'AccessVsm' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 49, native_type='unsigned long long')]], 'AccessVpRegisters' : [ 0x0, ['BitField', dict(start_bit = 49, end_bit = 50, native_type='unsigned long long')]], 'UnusedBit' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 51, native_type='unsigned long long')]], 'FastHypercallOutput' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'EnableExtendedHypercalls' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'StartVirtualProcessor' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, 
['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', ['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x270, { 'Lock' : [ 0x0, ['unsigned long long']], 'ReadySummary' : [ 0x8, ['unsigned long']], 'ReadyListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x210, ['array', 64, ['unsigned char']]], 'Span' : [ 0x250, ['unsigned char']], 'LowProcIndex' : [ 0x251, ['unsigned char']], 'QueueIndex' : [ 0x252, ['unsigned char']], 'ProcCount' : [ 0x253, ['unsigned char']], 'ScanOwner' : [ 0x254, ['unsigned char']], 'Spare' : [ 0x255, ['array', 3, ['unsigned char']]], 'Affinity' : [ 0x258, ['unsigned long long']], 'ReadyThreadCount' : [ 0x260, ['unsigned long']], 'ReadyQueueExpectedRunTime' : [ 0x268, ['unsigned long long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'Spare1' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'OutputBuffer' : [ 0xd8, ['unsigned long long']], 'OutputLength' : [ 0xe0, ['unsigned 
long long']], 'Spare2' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned 
long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'Fill4' : [ 0x18c, ['unsigned long']], } ], '__unnamed_18c5' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_18c7' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_18cb' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['wchar']]], } ], '_DEVICE_NODE' : [ 0x2d0, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', 
['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'FxDevice' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x58, ['long']], 'FxRemoveEvent' : [ 0x60, ['_KEVENT']], 'FxActivationCount' : [ 0x78, ['long']], 'FxSleepCount' : [ 0x7c, ['long']], 'Plugin' : [ 0x80, ['pointer64', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x88, ['unsigned long']], 'CurrentPowerState' : [ 0x8c, ['_POWER_STATE']], 'Notify' : [ 0x90, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xf8, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0x118, ['_UNICODE_STRING']], 'PowerFlags' : [ 0x128, ['unsigned long']], 'State' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 
'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x134, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x184, ['unsigned long']], 'CompletionStatus' : [ 0x188, ['long']], 'Flags' : [ 0x18c, ['unsigned long']], 'UserFlags' : [ 0x190, ['unsigned long']], 'Problem' : [ 0x194, ['unsigned long']], 'ProblemStatus' : [ 0x198, ['long']], 'ResourceList' : [ 0x1a0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x1b0, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x1b8, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 
'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x1c4, ['unsigned long']], 'ChildInterfaceType' : [ 0x1c8, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x1cc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x1d0, ['unsigned short']], 'RemovalPolicy' : [ 0x1d2, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x1d3, ['unsigned char']], 'TargetDeviceNotify' : [ 0x1d8, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x1e8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1f8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x208, ['unsigned short']], 'QueryTranslatorMask' : [ 0x20a, ['unsigned short']], 'NoArbiterMask' : [ 0x20c, ['unsigned short']], 'QueryArbiterMask' : [ 0x20e, ['unsigned short']], 'OverUsed1' : [ 0x210, ['__unnamed_18c5']], 'OverUsed2' : [ 0x218, ['__unnamed_18c7']], 'BootResources' : [ 0x220, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x228, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x230, ['unsigned long']], 'DockInfo' : [ 0x238, ['__unnamed_18cb']], 'DisableableDepends' : [ 0x258, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x260, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x270, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x280, ['unsigned long']], 'PreviousParent' : [ 0x288, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x290, ['long']], 'NumaNodeIndex' : [ 0x294, ['unsigned long']], 'ContainerID' : [ 0x298, ['_GUID']], 'OverrideFlags' : [ 0x2a8, ['unsigned char']], 'DeviceIdsHash' : [ 0x2ac, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x2b0, ['unsigned char']], 'PendingEjectRelations' : [ 0x2b8, 
['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x2c0, ['unsigned long']], 'RebalanceContext' : [ 0x2c8, ['pointer64', ['_PNP_REBALANCE_TRACE_CONTEXT']]], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x48, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x30, ['pointer64', ['unsigned long']]], 'EnableKeyWords' : [ 0x38, ['pointer64', ['unsigned long long']]], 'EnableLevel' : [ 0x40, ['pointer64', ['unsigned char']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x68, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependencyNode' : [ 0x50, ['pointer64', ['void']]], 'InterruptContext' : [ 0x58, ['pointer64', ['void']]], 'VerifierContext' : [ 0x60, ['pointer64', ['void']]], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, 
['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KAFFINITY_EX' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 20, ['unsigned long long']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 
'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : 
[ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' 
: [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], 
'_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_19c4' 
: [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'WriteCustomBreakPoint' : [ 0x0, ['_DBGKD_WRITE_CUSTOM_BREAKPOINT']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_19c4']], } ], '__unnamed_19cb' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, 
['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_19cb']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PEP_ACPI_RESOURCE' : 
[ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'IoMemory' : [ 0x0, ['_PEP_ACPI_IO_MEMORY_RESOURCE']], 'Interrupt' : [ 0x0, ['_PEP_ACPI_INTERRUPT_RESOURCE']], 'Gpio' : [ 0x0, ['_PEP_ACPI_GPIO_RESOURCE']], 'SpbI2c' : [ 0x0, ['_PEP_ACPI_SPB_I2C_RESOURCE']], 'SpbSpi' : [ 0x0, ['_PEP_ACPI_SPB_SPI_RESOURCE']], 'SpbUart' : [ 0x0, ['_PEP_ACPI_SPB_UART_RESOURCE']], 'ExtendedAddress' : [ 0x0, ['_PEP_ACPI_EXTENDED_ADDRESS']], } ], '_PEP_ACPI_IO_MEMORY_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Information' : [ 0x4, ['unsigned char']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], } ], '_PEP_ACPI_INTERRUPT_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'InterruptType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Flags' : [ 0xc, ['_PEP_ACPI_RESOURCE_FLAGS']], 'Count' : [ 0x10, ['unsigned char']], 'Pins' 
: [ 0x18, ['pointer64', ['unsigned long']]], } ], '_PEP_ACPI_GPIO_RESOURCE' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'InterruptType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'PinConfig' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PullDefault', 1: 'PullUp', 2: 'PullDown', 3: 'PullNone'})]], 'IoRestrictionType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'IoRestrictionNone', 1: 'IoRestrictionInputOnly', 2: 'IoRestrictionOutputOnly', 3: 'IoRestrictionNoneAndPreserve'})]], 'DriveStrength' : [ 0x18, ['unsigned short']], 'DebounceTimeout' : [ 0x1a, ['unsigned short']], 'PinTable' : [ 0x20, ['pointer64', ['unsigned short']]], 'PinCount' : [ 0x28, ['unsigned short']], 'ResourceSourceIndex' : [ 0x2a, ['unsigned char']], 'ResourceSourceName' : [ 0x30, ['pointer64', ['_UNICODE_STRING']]], 'VendorData' : [ 0x38, ['pointer64', ['unsigned char']]], 'VendorDataLength' : [ 0x40, ['unsigned short']], } ], '_PEP_ACPI_SPB_I2C_RESOURCE' : [ 0x30, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x28, ['unsigned long']], 'SlaveAddress' : [ 0x2c, ['unsigned short']], } ], '_PEP_ACPI_SPB_UART_RESOURCE' : [ 0x38, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'BaudRate' : [ 0x28, ['unsigned long']], 'RxBufferSize' : [ 0x2c, ['unsigned short']], 'TxBufferSize' : [ 0x2e, ['unsigned short']], 'Parity' : [ 0x30, ['unsigned char']], 
'LinesInUse' : [ 0x31, ['unsigned char']], } ], '_PEP_ACPI_SPB_SPI_RESOURCE' : [ 0x38, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x28, ['unsigned long']], 'DataBitLength' : [ 0x2c, ['unsigned char']], 'Phase' : [ 0x2d, ['unsigned char']], 'Polarity' : [ 0x2e, ['unsigned char']], 'DeviceSelection' : [ 0x30, ['unsigned short']], } ], '_PEP_ACPI_EXTENDED_ADDRESS' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'ResourceFlags' : [ 0x8, ['unsigned char']], 'GeneralFlags' : [ 0x9, ['unsigned char']], 'TypeSpecificFlags' : [ 0xa, ['unsigned char']], 'RevisionId' : [ 0xb, ['unsigned char']], 'Reserved' : [ 0xc, ['unsigned char']], 'Granularity' : [ 0x10, ['unsigned long long']], 'MinimumAddress' : [ 0x18, ['unsigned long long']], 'MaximumAddress' : [ 0x20, ['unsigned long long']], 'TranslationAddress' : [ 0x28, ['unsigned long long']], 'AddressLength' : [ 0x30, ['unsigned long long']], 'TypeAttribute' : [ 0x38, ['unsigned long long']], 'DescriptorName' : [ 0x40, ['pointer64', ['_UNICODE_STRING']]], } ], '_PPM_PLATFORM_STATES' : [ 0x1c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'InterfaceVersion' : [ 0x4, ['unsigned long']], 'ProcessorCount' : [ 0x8, ['unsigned long']], 'CoordinatedInterface' : [ 0xc, ['unsigned char']], 'IdleTest' : [ 0x10, ['pointer64', ['void']]], 'IdlePreExecute' : [ 0x18, ['pointer64', ['void']]], 'IdleComplete' : [ 0x20, ['pointer64', ['void']]], 'QueryPlatformStateResidency' : [ 0x28, ['pointer64', ['void']]], 'Accounting' : [ 0x30, ['pointer64', ['_PLATFORM_IDLE_ACCOUNTING']]], 'State' : [ 0x40, ['array', 1, ['_PPM_PLATFORM_STATE']]], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' 
: [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_PPM_PROFILE' : [ 0xb40, { 'Name' : [ 0x0, ['pointer64', ['wchar']]], 'Id' : [ 0x8, ['unsigned char']], 'Guid' : [ 0xc, ['_GUID']], 'Flags' : [ 0x1c, ['unsigned long']], 'Priority' : [ 0x20, ['unsigned char']], 'Settings' : [ 0x28, ['array', 2, ['_PPM_ENGINE_SETTINGS']]], 'StartTime' : [ 0xb18, ['unsigned long long']], 'Count' : [ 0xb20, ['unsigned long long']], 'MaxDuration' : [ 0xb28, ['unsigned long long']], 'MinDuration' : [ 0xb30, ['unsigned long long']], 'TotalDuration' : [ 0xb38, ['unsigned long long']], } ], '_PPM_ENGINE_SETTINGS' : [ 0x578, { 'ExplicitSetting' : [ 0x0, ['array', 2, ['_PPM_POLICY_SETTINGS_MASK']]], 'ThrottlingPolicy' : [ 0x10, ['unsigned char']], 'PerfTimeCheck' : [ 0x14, ['unsigned long']], 'PerfHistoryCount' : [ 0x18, ['array', 2, ['unsigned char']]], 'PerfMinPolicy' : [ 0x1a, ['array', 2, ['unsigned char']]], 'PerfMaxPolicy' : [ 0x1c, ['array', 2, ['unsigned char']]], 'PerfDecreaseTime' : [ 0x1e, ['array', 2, ['unsigned char']]], 'PerfIncreaseTime' : [ 0x20, ['array', 2, ['unsigned char']]], 'PerfDecreasePolicy' : [ 0x22, ['array', 2, ['unsigned char']]], 'PerfIncreasePolicy' : [ 0x24, ['array', 2, ['unsigned char']]], 'PerfDecreaseThreshold' : [ 0x26, ['array', 2, ['unsigned char']]], 'PerfIncreaseThreshold' : [ 0x28, ['array', 2, ['unsigned char']]], 'PerfFrequencyCap' : [ 0x2c, ['array', 2, ['unsigned long']]], 'PerfBoostPolicy' : [ 0x34, ['unsigned long']], 'PerfBoostMode' : [ 0x38, ['unsigned long']], 'PerfReductionTolerance' : [ 0x3c, ['unsigned long']], 'EnergyPerfPreference' : [ 0x40, ['unsigned long']], 'AutonomousActivityWindow' : [ 0x44, ['unsigned long']], 'AutonomousPreference' : [ 0x48, ['unsigned char']], 'LatencyHintPerf' : [ 0x49, ['array', 2, ['unsigned char']]], 'LatencyHintUnpark' : [ 0x4b, ['array', 2, ['unsigned char']]], 'DutyCycling' : [ 0x4d, ['unsigned char']], 
'ParkingPerfState' : [ 0x4e, ['array', 2, ['unsigned char']]], 'DistributeUtility' : [ 0x50, ['unsigned char']], 'CoreParkingOverUtilizationThreshold' : [ 0x51, ['unsigned char']], 'CoreParkingConcurrencyThreshold' : [ 0x52, ['unsigned char']], 'CoreParkingHeadroomThreshold' : [ 0x53, ['unsigned char']], 'CoreParkingDistributionThreshold' : [ 0x54, ['unsigned char']], 'CoreParkingDecreasePolicy' : [ 0x55, ['unsigned char']], 'CoreParkingIncreasePolicy' : [ 0x56, ['unsigned char']], 'CoreParkingDecreaseTime' : [ 0x58, ['unsigned long']], 'CoreParkingIncreaseTime' : [ 0x5c, ['unsigned long']], 'CoreParkingMinCores' : [ 0x60, ['array', 2, ['unsigned char']]], 'CoreParkingMaxCores' : [ 0x62, ['array', 2, ['unsigned char']]], 'AllowScaling' : [ 0x64, ['unsigned char']], 'IdleDisabled' : [ 0x65, ['unsigned char']], 'IdleTimeCheck' : [ 0x68, ['unsigned long']], 'IdleDemotePercent' : [ 0x6c, ['unsigned char']], 'IdlePromotePercent' : [ 0x6d, ['unsigned char']], 'HeteroDecreaseTime' : [ 0x6e, ['unsigned char']], 'HeteroIncreaseTime' : [ 0x6f, ['unsigned char']], 'HeteroDecreaseThreshold' : [ 0x70, ['array', 640, ['unsigned char']]], 'HeteroIncreaseThreshold' : [ 0x2f0, ['array', 640, ['unsigned char']]], 'Class0FloorPerformance' : [ 0x570, ['unsigned char']], 'Class1InitialPerformance' : [ 0x571, ['unsigned char']], } ], '_ESERVERSILO_GLOBALS' : [ 0x460, { 'ObSiloState' : [ 0x0, ['_OBP_SILODRIVERSTATE']], 'SeSiloState' : [ 0x2e0, ['_SEP_SILOSTATE']], 'SeRmSiloState' : [ 0x310, ['_SEP_RM_LSA_CONNECTION_STATE']], 'EtwSiloState' : [ 0x360, ['pointer64', ['_ETW_SILODRIVERSTATE']]], 'MiSessionLeaderProcess' : [ 0x368, ['pointer64', ['_EPROCESS']]], 'ExpDefaultErrorPortProcess' : [ 0x370, ['pointer64', ['_EPROCESS']]], 'ExpDefaultErrorPort' : [ 0x378, ['pointer64', ['void']]], 'HardErrorState' : [ 0x380, ['unsigned long']], 'WnfSiloState' : [ 0x388, ['_WNF_SILODRIVERSTATE']], 'PsProtectedCurrentDirectory' : [ 0x3c0, ['_UNICODE_STRING']], 'PsProtectedEnvironment' : [ 0x3d0, 
['_UNICODE_STRING']], 'ApiSetSection' : [ 0x3e0, ['pointer64', ['void']]], 'ApiSetSchema' : [ 0x3e8, ['pointer64', ['void']]], 'OneCoreForwardersEnabled' : [ 0x3f0, ['unsigned char']], 'NtSystemRoot' : [ 0x3f8, ['_UNICODE_STRING']], 'SiloRootDirectoryName' : [ 0x408, ['_UNICODE_STRING']], 'Storage' : [ 0x418, ['pointer64', ['_PSP_STORAGE']]], 'State' : [ 0x420, ['Enumeration', dict(target = 'long', choices = {0: 'SERVERSILO_INITING', 1: 'SERVERSILO_STARTED', 2: 'SERVERSILO_SHUTTING_DOWN', 3: 'SERVERSILO_TERMINATING', 4: 'SERVERSILO_TERMINATED'})]], 'ExitStatus' : [ 0x424, ['long']], 'DeleteEvent' : [ 0x428, ['pointer64', ['_KEVENT']]], 'UserSharedData' : [ 0x430, ['pointer64', ['_SILO_USER_SHARED_DATA']]], 'UserSharedSection' : [ 0x438, ['pointer64', ['void']]], 'TerminateWorkItem' : [ 0x440, ['_WORK_QUEUE_ITEM']], } ], '_SILO_USER_SHARED_DATA' : [ 0x248, { 'ServiceSessionId' : [ 0x0, ['unsigned long']], 'ActiveConsoleId' : [ 0x4, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x8, ['long long']], 'NtProductType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'SuiteMask' : [ 0x14, ['unsigned long']], 'SharedUserSessionId' : [ 0x18, ['unsigned long']], 'IsMultiSessionSku' : [ 0x1c, ['unsigned char']], 'NtSystemRoot' : [ 0x1e, ['array', 260, ['wchar']]], 'UserModeGlobalLogger' : [ 0x226, ['array', 16, ['unsigned short']]], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit 
= 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_PERF_FLAGS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'Progress' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 27, native_type='unsigned long')]], 'Synchronicity' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 29, native_type='unsigned long')]], 'RequestPepCompleted' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'RequestSucceeded' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NestedCallback' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'IrpFirstPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IrpLastPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', 
dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0xd0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x20, ['unsigned long long']], 'LogHandleContext' : [ 0x28, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0xc0, ['unsigned long']], 'PagesQueuedToDisk' : [ 0xc4, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0xc8, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x218, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'V1' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 
0xf0, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0x100, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x118, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0x150, ['_LARGE_INTEGER']], 'Event' : [ 0x158, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x170, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x178, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1f0, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1f8, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x200, ['unsigned long']], 'WritesInProgress' : [ 0x204, ['unsigned long']], 'AsyncReadRequestCount' : [ 0x208, ['unsigned long']], 'Partition' : [ 0x210, ['pointer64', ['_CC_PARTITION']]], } ], '__unnamed_1acd' : [ 0x10, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_1acd']], 'ArrayHead' : [ 0x20, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '_CC_PARTITION' : [ 0x3c0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'MasterLock' : [ 0x40, ['unsigned long long']], 'WorkQueueLock' : [ 0x80, ['unsigned long long']], 'PartitionID' : [ 0x88, ['unsigned short']], 'PartitionLinks' : [ 0x90, ['_LIST_ENTRY']], 'CleanSharedCacheMapList' : [ 0xa0, ['_LIST_ENTRY']], 'CleanSharedCacheMapWithLogHandleList' : [ 0xb0, ['_LIST_ENTRY']], 'DirtySharedCacheMapList' : [ 0xc0, ['_SHARED_CACHE_MAP_LIST_CURSOR']], 'LazyWriterCursor' : [ 0xd8, ['_SHARED_CACHE_MAP_LIST_CURSOR']], 'DirtySharedCacheMapWithLogHandleList' : [ 0xf0, ['_LIST_ENTRY']], 'ChangeSharedCacheMapFileLock' : [ 0x100, ['_EX_PUSH_LOCK']], 'ConsecutiveWorklessLazyScanCount' : [ 0x108, ['unsigned long']], 
'ForcedDisableLazywriteScan' : [ 0x10c, ['unsigned char']], 'NumberWorkerThreads' : [ 0x110, ['unsigned long']], 'NumberActiveWorkerThreads' : [ 0x114, ['unsigned long']], 'IdleWorkerThreadList' : [ 0x118, ['_LIST_ENTRY']], 'FastTeardownWorkQueue' : [ 0x128, ['_LIST_ENTRY']], 'ExpressWorkQueue' : [ 0x138, ['_LIST_ENTRY']], 'RegularWorkQueue' : [ 0x148, ['_LIST_ENTRY']], 'PostTickWorkQueue' : [ 0x158, ['_LIST_ENTRY']], 'IdleExtraWriteBehindThreadList' : [ 0x168, ['_LIST_ENTRY']], 'ActiveExtraWriteBehindThreads' : [ 0x178, ['unsigned long']], 'MaxExtraWriteBehindThreads' : [ 0x17c, ['unsigned long']], 'QueueThrottle' : [ 0x180, ['unsigned char']], 'PostTickWorkItemCount' : [ 0x184, ['unsigned long']], 'ThreadsActiveBeforeThrottle' : [ 0x188, ['unsigned long']], 'ExtraWBThreadsActiveBeforeThrottle' : [ 0x18c, ['unsigned long']], 'ExecutingWriteBehindWorkItems' : [ 0x190, ['unsigned long']], 'ExecutingHighPriorityWorkItem' : [ 0x194, ['unsigned long']], 'LowMemoryEvent' : [ 0x198, ['_KEVENT']], 'PowerEvent' : [ 0x1b0, ['_KEVENT']], 'PeriodicEvent' : [ 0x1c8, ['_KEVENT']], 'WaitingForTeardownEvent' : [ 0x1e0, ['_KEVENT']], 'CoalescingFlushEvent' : [ 0x1f8, ['_KEVENT']], 'PagesYetToWrite' : [ 0x210, ['unsigned long']], 'LazyWriter' : [ 0x218, ['_LAZY_WRITER']], 'DirtyPageStatistics' : [ 0x2a0, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x2b8, ['_DIRTY_PAGE_THRESHOLDS']], 'ThroughputStats' : [ 0x2f0, ['pointer64', ['_WRITE_BEHIND_THROUGHPUT']]], 'ThroughputTrend' : [ 0x2f8, ['long']], 'AverageAvailablePages' : [ 0x300, ['unsigned long long']], 'AverageDirtyPages' : [ 0x308, ['unsigned long long']], 'PagesSkippedDueToHotSpot' : [ 0x310, ['unsigned long long']], 'PrevRegularQueueItemRunTime' : [ 0x318, ['_LARGE_INTEGER']], 'PrevExtraWBThreadCheckTime' : [ 0x320, ['_LARGE_INTEGER']], 'AddExtraWriteBehindThreads' : [ 0x328, ['unsigned char']], 'RemoveExtraThreadPending' : [ 0x329, ['unsigned char']], 'DeferredWrites' : [ 0x330, ['_LIST_ENTRY']], 
'DeferredWriteSpinLock' : [ 0x340, ['unsigned long long']], 'IdleAsyncReadWorkerThreadList' : [ 0x348, ['pointer64', ['_LIST_ENTRY']]], 'NumberActiveAsyncReadWorkerThreads' : [ 0x350, ['pointer64', ['unsigned long']]], 'NumberActiveCompleteAsyncReadWorkItems' : [ 0x358, ['pointer64', ['unsigned long']]], 'AsyncReadWorkQueue' : [ 0x360, ['pointer64', ['_LIST_ENTRY']]], 'AsyncReadCompletionWorkQueue' : [ 0x368, ['pointer64', ['_LIST_ENTRY']]], 'NewAsyncReadRequestEvent' : [ 0x370, ['pointer64', ['_KEVENT']]], 'ReaderThreadsStats' : [ 0x378, ['pointer64', ['_ASYNC_READ_THREAD_STATS']]], 'AsyncReadWorkQueueLock' : [ 0x380, ['_EX_PUSH_LOCK']], } ], '__unnamed_1af1' : [ 0x10, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], 'DiskIoAttribution' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1af3' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1af5' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_1af7' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1af9' : [ 0x30, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x8, ['pointer64', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x10, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x28, ['unsigned char']], } ], '__unnamed_1afd' : [ 0x68, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], 'FileOffset' : [ 0x8, ['_LARGE_INTEGER']], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Length' : [ 0x18, ['unsigned long']], 'PrefetchList' : [ 0x20, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'PrefetchPagePriority' : [ 0x28, ['unsigned long']], 'Mdl' : [ 0x30, ['pointer64', ['_MDL']]], 'IoStatusBlock' : [ 0x38, ['pointer64', ['_IO_STATUS_BLOCK']]], 'CallbackContext' : [ 0x40, ['pointer64', ['_CC_ASYNC_READ_CONTEXT']]], 'OriginatingProcess' : [ 0x48, ['pointer64', ['_EPROCESS']]], 'IoIssuerThread' : [ 0x50, ['pointer64', ['_ETHREAD']]], 'DiskIoAttribution' : [ 0x58, ['pointer64', ['void']]], 
'RequestorMode' : [ 0x60, ['unsigned char']], 'NestingLevel' : [ 0x64, ['unsigned long']], } ], '__unnamed_1aff' : [ 0x68, { 'Read' : [ 0x0, ['__unnamed_1af1']], 'Write' : [ 0x0, ['__unnamed_1af3']], 'Event' : [ 0x0, ['__unnamed_1af5']], 'Notification' : [ 0x0, ['__unnamed_1af7']], 'LowPriWrite' : [ 0x0, ['__unnamed_1af9']], 'AsyncRead' : [ 0x0, ['__unnamed_1afd']], } ], '_WORK_QUEUE_ENTRY' : [ 0x88, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_1aff']], 'Function' : [ 0x78, ['unsigned char']], 'Partition' : [ 0x80, ['pointer64', ['_CC_PARTITION']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x30, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x8, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x20, ['_LIST_ENTRY']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x98, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x10, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x18, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x30, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x68, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x6c, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x70, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x78, ['pointer64', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x80, ['unsigned long long']], 'LastLWTimeStamp' : [ 0x88, ['_LARGE_INTEGER']], 'Flags' : [ 0x90, ['unsigned 
long']], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x86, ['unsigned char']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_SUBALLOCATOR_CALLBACKS' : [ 0x28, { 'Allocate' : [ 0x0, ['unsigned long long']], 'Free' : [ 0x8, ['unsigned long long']], 'Commit' : [ 0x10, ['unsigned long long']], 'Decommit' : [ 0x18, ['unsigned long long']], 'ExtendContext' : [ 0x20, ['unsigned long long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 
0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x2a0, { 'Segment' : [ 0x0, ['_HEAP_SEGMENT']], 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x90, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x94, ['unsigned long']], 'Signature' : [ 0x98, ['unsigned long']], 'SegmentReserve' : [ 0xa0, ['unsigned long long']], 'SegmentCommit' : [ 0xa8, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb0, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xb8, ['unsigned long long']], 'TotalFreeSize' : [ 0xc0, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xc8, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd0, ['unsigned short']], 'HeaderValidateLength' : [ 0xd2, ['unsigned short']], 'HeaderValidateCopy' : [ 0xd8, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe0, ['unsigned short']], 
'MaximumTagIndex' : [ 0xe2, ['unsigned short']], 'TagEntries' : [ 0xe8, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf0, ['_LIST_ENTRY']], 'AlignRound' : [ 0x100, ['unsigned long long']], 'AlignMask' : [ 0x108, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x110, ['_LIST_ENTRY']], 'SegmentList' : [ 0x120, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x130, ['unsigned short']], 'NonDedicatedListLength' : [ 0x134, ['unsigned long']], 'BlocksIndex' : [ 0x138, ['pointer64', ['void']]], 'UCRIndex' : [ 0x140, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x148, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x150, ['_LIST_ENTRY']], 'LockVariable' : [ 0x160, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x168, ['pointer64', ['void']]], 'StackTraceInitVar' : [ 0x170, ['_RTL_RUN_ONCE']], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0x183, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0x188, ['pointer64', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0x190, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0x192, ['array', 129, ['unsigned char']]], 'Counters' : [ 0x218, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x290, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1b99' : [ 0x68, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_1b99']], } ], '_HEAP_ENTRY' : [ 0x10, { 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 
0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'HeapEntry' : [ 0x0, ['_HEAP_ENTRY']], 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, 
['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1bec' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1bee' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bec']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bf0' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1bf2' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1bf0']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1bee']], 'u2' : [ 0x4, ['__unnamed_1bf2']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', 
['void']]], } ], '_BLOB_TYPE' : [ 0x30, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer64', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], } ], '__unnamed_1c0d' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1c0f' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1c0d']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x30, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_1c0f']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x18, ['long long']], 'Lock' : [ 0x20, ['_EX_PUSH_LOCK']], } ], '__unnamed_1c21' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1c23' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c21']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned 
long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_1c23']], 'NumberOfRegions' : [ 0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_1c2c' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1c2e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c2c']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_1c2e']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_1c34' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1c36' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c34']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_1c36']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned 
long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x48, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x40, ['pointer64', ['_KALPC_MESSAGE']]], } ], '__unnamed_1c54' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit 
= 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1c56' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c54']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1d8, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa0, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0xb8, ['_LIST_ENTRY']], 'DirectQueueLock' : [ 0xc8, ['_EX_PUSH_LOCK']], 'DirectQueue' : [ 0xd0, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0xe0, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0xe8, ['_LIST_ENTRY']], 'Semaphore' : [ 0xf8, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xf8, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0x100, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x148, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x150, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0x168, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0x170, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x178, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x180, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x190, ['long']], 'ReferenceNo' : [ 0x194, ['long']], 'ReferenceNoWait' : [ 0x198, ['pointer64', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0x1a0, ['__unnamed_1c56']], 'TargetQueuePort' : [ 0x1a8, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 
0x1b0, ['pointer64', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x1b8, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x1c0, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x1c4, ['unsigned long']], 'PendingQueueLength' : [ 0x1c8, ['unsigned long']], 'DirectQueueLength' : [ 0x1cc, ['unsigned long']], 'CanceledQueueLength' : [ 0x1d0, ['unsigned long']], 'WaitQueueLength' : [ 0x1d4, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0xa0, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'CompletionListLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x20, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x28, ['pointer64', ['void']]], 'UserLimit' : [ 0x30, ['pointer64', ['void']]], 'DataUserVa' : [ 0x38, ['pointer64', ['void']]], 'SystemVa' : [ 0x40, ['pointer64', ['void']]], 'TotalSize' : [ 0x48, ['unsigned long long']], 'Header' : [ 0x50, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x58, ['pointer64', ['void']]], 'ListSize' : [ 0x60, ['unsigned long long']], 'Bitmap' : [ 0x68, ['pointer64', ['void']]], 'BitmapSize' : [ 0x70, ['unsigned long long']], 'Data' : [ 0x78, ['pointer64', ['void']]], 'DataSize' : [ 0x80, ['unsigned long long']], 'BitmapLimit' : [ 0x88, ['unsigned long']], 'BitmapNextHint' : [ 0x8c, ['unsigned long']], 'ConcurrencyCount' : [ 0x90, ['unsigned long']], 'AttributeFlags' : [ 0x94, ['unsigned long']], 'AttributeSize' : [ 0x98, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_TYPE' : [ 0xd8, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 
'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'Key' : [ 0xc0, ['unsigned long']], 'CallbackList' : [ 0xc8, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x20, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x18, ['long']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1bee']], 'u2' : [ 0x4, ['__unnamed_1bf2']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1c7c' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 
16, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1c7e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1c7c']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x118, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'u1' : [ 0x28, ['__unnamed_1c7e']], 'SequenceNo' : [ 0x2c, ['long']], 'QuotaProcess' : [ 0x30, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x30, ['pointer64', ['void']]], 'CancelSequencePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x40, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x48, ['long']], 'CancelListEntry' : [ 0x50, ['_LIST_ENTRY']], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x68, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xb0, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xb8, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xc0, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xc8, ['pointer64', ['_ETHREAD']]], 'WakeReference' : [ 0xd0, ['pointer64', ['void']]], 'WakeReference2' : [ 0xd8, ['pointer64', ['void']]], 'ExtensionBuffer' : [ 0xe0, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0xe8, ['unsigned long long']], 'PortMessage' : [ 0xf0, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x40, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'DirectEvent' : [ 0x28, ['_KALPC_DIRECT_EVENT']], 'Flags' : [ 0x30, ['unsigned long']], 'TotalLength' : [ 0x34, ['unsigned short']], 'Type' : [ 0x36, ['unsigned short']], 
'DataInfoOffset' : [ 0x38, ['unsigned short']], 'SignalCompletion' : [ 0x3a, ['unsigned char']], 'PostedToCompletionList' : [ 0x3b, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x30, { 'ObjectType' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x48, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], 'DirectEvent' : [ 0x38, ['_KALPC_DIRECT_EVENT']], 'WorkOnBehalfData' : [ 0x40, ['_KALPC_WORK_ON_BEHALF_DATA']], } ], '__unnamed_1cc3' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1cc5' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1cc3']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1cc5']], } ], 
'_KALPC_DIRECT_EVENT' : [ 0x8, { 'Event' : [ 0x0, ['unsigned long long']], 'Referenced' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x38, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer64', ['void']]], 'DiskIoAttributionHandle' : [ 0x10, ['unsigned long long']], 'ActivityId' : [ 0x18, ['_GUID']], 'Timestamp' : [ 0x28, ['_LARGE_INTEGER']], 'ZeroingOffset' : [ 0x28, ['unsigned long']], 'FsTrackOffsetBlob' : [ 0x28, ['pointer64', ['_IO_IRP_EXT_TRACK_OFFSET_HEADER']]], 'FsTrackedOffset' : [ 0x30, ['long long']], 'AdapterCryptoParameters' : [ 0x28, ['_IO_ADAPTER_CRYPTO_PARAMETERS']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, 
['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x50, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', 
['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'FileInformation' : [ 0x70, ['pointer64', ['void']]], 'CreateFileType' : [ 0x78, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x80, ['pointer64', ['void']]], 'Override' : [ 0x88, ['unsigned char']], 'QueryOnly' : [ 0x89, ['unsigned char']], 'DeleteOnly' : [ 0x8a, ['unsigned char']], 'FullAttributes' : [ 0x8b, ['unsigned char']], 'LocalFileObject' : [ 0x90, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x98, ['unsigned long']], 'AccessMode' : [ 0x9c, ['unsigned char']], 'DriverCreateContext' : [ 0xa0, ['_IO_DRIVER_CREATE_CONTEXT']], 'FileInformationClass' : [ 0xc8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 
'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileDesiredStorageClassInformation', 68: 'FileStatInformation', 69: 'FileMaximumInformation'})]], 'FileInformationLength' : [ 0xcc, ['unsigned long']], 'FilterQuery' : [ 0xd0, ['unsigned char']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, 
['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1d8c' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x118, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1d8c']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer64', ['wchar']]], 'LogFileName' : [ 0x40, ['pointer64', ['wchar']]], 'TimeZone' : [ 0x48, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf8, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0x100, ['_LARGE_INTEGER']], 'StartTime' : [ 0x108, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x110, ['unsigned long']], 'BuffersLost' : [ 0x114, ['unsigned long']], } ], '_RTL_HASH_TABLE' : [ 0x10, { 'EntryCount' : [ 0x0, ['unsigned long']], 'MaskBitCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'BucketCount' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'Buckets' : [ 0x8, ['pointer64', 
['_SINGLE_LIST_ENTRY']]], } ], '_RTL_HASH_ENTRY' : [ 0x10, { 'BucketLink' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Key' : [ 0x8, ['unsigned long long']], } ], '_RTL_HASH_TABLE_ITERATOR' : [ 0x18, { 'Hash' : [ 0x0, ['pointer64', ['_RTL_HASH_TABLE']]], 'HashEntry' : [ 0x8, ['pointer64', ['_RTL_HASH_ENTRY']]], 'Bucket' : [ 0x10, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_CHASH_TABLE' : [ 0x18, { 'Table' : [ 0x0, ['pointer64', ['_RTL_CHASH_ENTRY']]], 'EntrySizeShift' : [ 0x8, ['unsigned long']], 'EntryMax' : [ 0xc, ['unsigned long']], 'EntryCount' : [ 0x10, ['unsigned long']], } ], '_RTL_CHASH_ENTRY' : [ 0x8, { 'Key' : [ 0x0, ['unsigned long long']], } ], '_ETW_BUFFER_QUEUE' : [ 0x10, { 'QueueTail' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStatePendingCompression', 5: 'EtwBufferStateCompressed', 6: 'EtwBufferStatePlaceholder', 7: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, 
['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_WMI_LOGGER_CONTEXT' : [ 0x468, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 2, ['unsigned long']]], 'ErrorMarker' : [ 0x1c, ['unsigned long']], 'SizeMask' : [ 0x20, ['unsigned long']], 'GetCpuClock' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'FailureReason' : [ 0x3c, ['unsigned long']], 'BufferQueue' : [ 0x40, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x50, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x60, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x70, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x80, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x80, ['_EX_FAST_REF']], 'LoggerName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileName' : [ 0x98, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0xa8, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xb8, ['_UNICODE_STRING']], 'ClockType' : [ 0xc8, ['unsigned long']], 'LastFlushedBuffer' : [ 0xcc, ['unsigned long']], 'FlushTimer' : [ 0xd0, ['unsigned long']], 'FlushThreshold' : [ 0xd4, ['unsigned long']], 'ByteOffset' : [ 0xd8, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xe0, ['unsigned long']], 'BuffersAvailable' : [ 0xe4, ['long']], 'NumberOfBuffers' : [ 0xe8, ['long']], 'MaximumBuffers' : [ 0xec, ['unsigned long']], 'EventsLost' : [ 0xf0, ['unsigned long']], 'PeakBuffersCount' : [ 0xf4, ['long']], 'BuffersWritten' : [ 0xf8, ['unsigned long']], 'LogBuffersLost' : [ 0xfc, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x100, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x104, ['unsigned long']], 'SequencePtr' : [ 0x108, ['pointer64', ['long']]], 'LocalSequence' : [ 0x110, 
['unsigned long']], 'InstanceGuid' : [ 0x114, ['_GUID']], 'MaximumFileSize' : [ 0x124, ['unsigned long']], 'FileCounter' : [ 0x128, ['long']], 'PoolType' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x130, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0x140, ['long']], 'ProviderInfoSize' : [ 0x144, ['unsigned long']], 'Consumers' : [ 0x148, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x158, ['unsigned long']], 'TransitionConsumer' : [ 0x160, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x168, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x170, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x180, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x188, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x190, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x198, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1a0, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1a8, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1b0, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1c8, ['_KEVENT']], 'FlushEvent' : [ 0x1e0, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x1f8, ['_KTIMER']], 'LoggerDpc' : [ 0x238, ['_KDPC']], 'LoggerMutex' : [ 0x278, ['_KMUTANT']], 'LoggerLock' : [ 0x2b0, 
['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2b8, ['unsigned long long']], 'BufferListPushLock' : [ 0x2b8, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2c0, ['_SECURITY_CLIENT_CONTEXT']], 'TokenAccessInformation' : [ 0x308, ['pointer64', ['_TOKEN_ACCESS_INFORMATION']]], 'SecurityDescriptor' : [ 0x310, ['_EX_FAST_REF']], 'StartTime' : [ 0x318, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x320, ['pointer64', ['void']]], 'BufferSequenceNumber' : [ 0x328, ['long long']], 'Flags' : [ 0x330, ['unsigned long']], 'Persistent' : [ 0x330, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x330, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x330, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x330, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x330, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x330, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x330, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x330, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x330, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x330, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x330, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x330, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x330, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'StackLookasideListAllocated' : [ 0x330, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 
'SecurityTrace' : [ 0x330, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'SpareFlags1' : [ 0x330, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x330, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x330, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x330, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x334, ['unsigned long']], 'DbgRequestNewFile' : [ 0x334, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x334, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x334, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x334, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x334, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x334, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x334, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x334, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDeferredFlush' : [ 0x334, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDeferredFlushTimer' : [ 0x334, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x334, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x334, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x334, 
['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x338, ['_RTL_BITMAP']], 'StackCache' : [ 0x348, ['pointer64', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x350, ['pointer64', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x358, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x368, ['pointer64', ['pointer64', ['_WMI_BUFFER_HEADER']]]], 'DisallowedGuids' : [ 0x370, ['_DISALLOWED_GUIDS']], 'RelativeTimerDueTime' : [ 0x380, ['long long']], 'PeriodicCaptureStateGuids' : [ 0x388, ['_PERIODIC_CAPTURE_STATE_GUIDS']], 'PeriodicCaptureStateTimer' : [ 0x398, ['pointer64', ['_EX_TIMER']]], 'PeriodicCaptureStateTimerState' : [ 0x3a0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwpPeriodicTimerUnset', 1: 'EtwpPeriodicTimerSet'})]], 'SoftRestartContext' : [ 0x3a8, ['pointer64', ['_ETW_SOFT_RESTART_CONTEXT']]], 'SiloState' : [ 0x3b0, ['pointer64', ['_ETW_SILODRIVERSTATE']]], 'CompressionWorkItem' : [ 0x3b8, ['_WORK_QUEUE_ITEM']], 'CompressionWorkItemState' : [ 0x3d8, ['long']], 'CompressionLock' : [ 0x3e0, ['_EX_PUSH_LOCK']], 'CompressionTarget' : [ 0x3e8, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CompressionWorkspace' : [ 0x3f0, ['pointer64', ['void']]], 'CompressionOn' : [ 0x3f8, ['long']], 'CompressionRatioGuess' : [ 0x3fc, ['unsigned long']], 'PartialBufferCompressionLevel' : [ 0x400, ['unsigned long']], 'CompressionResumptionMode' : [ 0x404, ['Enumeration', dict(target = 'long', choices = {0: 'EtwCompressionModeRestart', 1: 'EtwCompressionModeNoDisable', 2: 'EtwCompressionModeNoRestart'})]], 'PlaceholderList' : [ 0x408, ['_SINGLE_LIST_ENTRY']], 'CompressionDpc' : [ 0x410, ['_KDPC']], 'LastBufferSwitchTime' : [ 0x450, ['_LARGE_INTEGER']], 'BufferWriteDuration' : [ 0x458, ['_LARGE_INTEGER']], 'BufferCompressDuration' : [ 0x460, ['_LARGE_INTEGER']], } ], '_ETW_PMC_SUPPORT' : [ 0x38, { 'Source' : [ 0x0, ['array', -32, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 
'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x20, ['unsigned long']], 'HookId' : [ 0x24, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x2c, ['unsigned long']], 'ProcessorCtrs' : [ 0x30, ['array', 1, ['pointer64', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_SILODRIVERSTATE' : [ 0x13f8, { 'SiloGlobals' : [ 0x0, ['pointer64', ['_ESERVERSILO_GLOBALS']]], 'EtwpSecurityProviderGuidEntry' : [ 0x8, ['_ETW_GUID_ENTRY']], 'EtwpLoggerRundown' : [ 0x198, ['array', 64, ['pointer64', ['_EX_RUNDOWN_REF_CACHE_AWARE']]]], 'WmipLoggerContext' : [ 0x398, ['array', 64, ['pointer64', ['_WMI_LOGGER_CONTEXT']]]], 'EtwpGuidHashTable' : [ 0x598, ['array', 64, ['_ETW_HASH_BUCKET']]], 'EtwpSecurityLoggers' : [ 0x1398, ['array', 8, ['unsigned short']]], 'EtwpSecurityProviderEnableMask' : [ 0x13a8, ['unsigned char']], 'EtwpShutdownInProgress' : [ 0x13ac, ['long']], 'EtwpSecurityProviderPID' : [ 0x13b0, ['unsigned long']], 'PrivHandleDemuxTable' : [ 0x13b8, ['_ETW_PRIV_HANDLE_DEMUX_TABLE']], 'EtwpCounters' : [ 0x13d8, ['_ETW_COUNTERS']], 'LogfileBytesWritten' : [ 0x13e8, ['_LARGE_INTEGER']], 'ProcessorBlocks' : [ 0x13f0, ['pointer64', ['_ETW_SILO_TRACING_BLOCK']]], } ], '_EX_RUNDOWN_REF_CACHE_AWARE' : [ 0x18, { 'RunRefs' : [ 0x0, ['pointer64', ['_EX_RUNDOWN_REF']]], 'PoolToFree' : [ 0x8, ['pointer64', ['void']]], 'RunRefSize' : [ 0x10, ['unsigned long']], 'Number' : [ 0x14, ['unsigned 
long']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_SEP_SILOSTATE' : [ 0x30, { 'SystemLogonSession' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'AnonymousLogonSession' : [ 0x8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'AnonymousLogonToken' : [ 0x10, ['pointer64', ['void']]], 'AnonymousLogonTokenNoEveryone' : [ 0x18, ['pointer64', ['void']]], 'UncSystemPaths' : [ 0x20, ['pointer64', ['_UNICODE_STRING']]], 'NgenPaths' : [ 0x28, ['pointer64', ['_CI_NGEN_PATHS']]], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x498, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0xa0, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa8, ['pointer64', ['void']]], 'DynamicPart' : [ 0xb0, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb8, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 
'SecurityDelegation'})]], 'TokenFlags' : [ 0xc8, ['unsigned long']], 'TokenInUse' : [ 0xcc, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xd0, ['unsigned long']], 'MandatoryPolicy' : [ 0xd4, ['unsigned long']], 'LogonSession' : [ 0xd8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe0, ['_LUID']], 'SidHash' : [ 0xe8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f8, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x308, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x310, ['pointer64', ['void']]], 'Capabilities' : [ 0x318, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x320, ['unsigned long']], 'CapabilitiesHash' : [ 0x328, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x438, ['pointer64', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x440, ['pointer64', ['_SEP_CACHED_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x448, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x450, ['pointer64', ['void']]], 'TrustLinkedToken' : [ 0x458, ['pointer64', ['_TOKEN']]], 'IntegrityLevelSidValue' : [ 0x460, ['pointer64', ['void']]], 'TokenSidValues' : [ 0x468, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], 'IndexEntry' : [ 0x470, ['pointer64', ['_SEP_LUID_TO_INDEX_MAP_ENTRY']]], 'DiagnosticInfo' : [ 0x478, ['pointer64', ['_SEP_TOKEN_DIAG_TRACK_ENTRY']]], 'BnoIsolationHandlesEntry' : [ 0x480, ['pointer64', ['_SEP_CACHED_HANDLES_ENTRY']]], 'SessionObject' : [ 0x488, ['pointer64', ['void']]], 'VariablePart' : [ 0x490, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0xc0, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['long long']], 'Flags' : [ 0x20, ['unsigned long']], 'pDeviceMap' : [ 0x28, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x30, ['pointer64', ['void']]], 'AccountName' : [ 0x38, 
['_UNICODE_STRING']], 'AuthorityName' : [ 0x48, ['_UNICODE_STRING']], 'CachedHandlesTable' : [ 0x58, ['_SEP_CACHED_HANDLES_TABLE']], 'SharedDataLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'SharedClaimAttributes' : [ 0x70, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'SharedSidValues' : [ 0x78, ['pointer64', ['_SEP_SID_VALUES_BLOCK']]], 'RevocationBlock' : [ 0x80, ['_OB_HANDLE_REVOCATION_BLOCK']], 'ServerSilo' : [ 0xa0, ['pointer64', ['_EJOB']]], 'SiblingAuthId' : [ 0xa8, ['_LUID']], 'TokenList' : [ 0xb0, ['_LIST_ENTRY']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 'DbgRefTrace' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'NewObject' : [ 0x1b, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0x1b, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0x1b, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0x1b, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0x1b, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0x1b, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0x1b, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0x1b, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Reserved' : [ 0x1c, ['unsigned long']], 
'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved2' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], 'Reserved' : [ 0x1c, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved1' : [ 0x1a, ['unsigned short']], 'Reserved2' : [ 0x1c, ['unsigned long']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x10, { 'SecurityDescriptor' : [ 0x0, ['pointer64', ['void']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_EXTENDED_INFO' : [ 0x10, { 'Footer' : [ 0x0, ['pointer64', ['_OBJECT_FOOTER']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_FOOTER' : [ 0x30, { 'HandleRevocationInfo' : [ 0x0, ['_HANDLE_REVOCATION_INFO']], 'ExtendedUserInfo' : [ 0x20, ['_OB_EXTENDED_USER_INFO']], } ], '_OB_EXTENDED_USER_INFO' : [ 0x10, { 'Context1' : [ 0x0, ['pointer64', ['void']]], 'Context2' : [ 0x8, ['pointer64', ['void']]], } ], 
'_HANDLE_REVOCATION_INFO' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'RevocationBlock' : [ 0x10, ['pointer64', ['_OB_HANDLE_REVOCATION_BLOCK']]], 'AllowHandleRevocation' : [ 0x18, ['unsigned char']], 'Padding1' : [ 0x19, ['array', 3, ['unsigned char']]], 'Padding2' : [ 0x1c, ['array', 4, ['unsigned char']]], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x28, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'EntryLink' : [ 0x10, ['pointer64', ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0x18, ['unsigned long']], 'HashIndex' : [ 0x1c, ['unsigned short']], 'DirectoryLocked' : [ 0x1e, ['unsigned char']], 'LockedExclusive' : [ 0x1f, ['unsigned char']], 'LockStateSignature' : [ 0x20, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x158, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x138, ['pointer64', ['_OBJECT_DIRECTORY']]], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'SessionObject' : [ 0x148, ['pointer64', ['void']]], 'Flags' : [ 0x150, ['unsigned long']], 'SessionId' : [ 0x154, ['unsigned long']], } ], '_OBP_SILODRIVERSTATE' : [ 0x2e0, { 'SystemDeviceMap' : [ 0x0, ['pointer64', ['_DEVICE_MAP']]], 'SystemDosDeviceState' : [ 0x8, ['_OBP_SYSTEM_DOS_DEVICE_STATE']], 'DeviceMapLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'PrivateNamespaceLookupTable' : [ 0x80, ['_OBJECT_NAMESPACE_LOOKUPTABLE']], } ], '_WHEAP_INFO_BLOCK' : [ 0x18, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x8, ['pointer64', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x10, ['pointer64', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x428, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x10, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x14, ['unsigned long']], 'ErrorCount' : [ 0x18, ['long']], 'RecordCount' : [ 0x1c, 
['unsigned long']], 'RecordLength' : [ 0x20, ['unsigned long']], 'PoolTag' : [ 0x24, ['unsigned long']], 'Type' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x30, ['pointer64', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x38, ['pointer64', ['void']]], 'SectionCount' : [ 0x40, ['unsigned long']], 'SectionLength' : [ 0x44, ['unsigned long']], 'TickCountAtLastError' : [ 0x48, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x50, ['unsigned long']], 'TotalErrors' : [ 0x54, ['unsigned long']], 'Deferred' : [ 0x58, ['unsigned char']], 'Descriptor' : [ 0x59, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xf0, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x10, ['unsigned long']], 'ProcessorNumber' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x1c, ['long']], 'ErrorSource' : [ 0x20, ['pointer64', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x28, ['_WHEA_ERROR_RECORD']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 
'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 
'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ImageControlAreaOnRemovableMedia' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'SystemVaAllocated' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PreferredFsCompressionBoundary' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned 
long')]], 'UsingFileExtents' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'PageSize64K' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PEP_ACPI_SPB_RESOURCE' : [ 0x28, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'TypeSpecificFlags' : [ 0x8, ['unsigned short']], 'ResourceSourceIndex' : [ 0xa, ['unsigned char']], 'ResourceSourceName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'VendorData' : [ 0x18, ['pointer64', ['unsigned char']]], 'VendorDataLength' : [ 0x20, ['unsigned short']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x40, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x10, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x18, ['long']], 'HighWaterMark' : [ 0x1c, ['unsigned long']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 
0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_KDPC_DATA' : [ 0x28, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], 'ActiveDpc' : [ 0x20, ['pointer64', ['_KDPC']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_PLATFORM_IDLE_ACCOUNTING' : [ 0x408, { 'ResetCount' : [ 0x0, ['unsigned long']], 'StateCount' : [ 0x4, ['unsigned long']], 'DeepSleepCount' : [ 0x8, ['unsigned long']], 'TimeUnit' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['_PLATFORM_IDLE_STATE_ACCOUNTING']]], } ], '_ACTIVATION_CONTEXT_STACK32' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['unsigned long']], 'FrameListCache' : [ 0x4, ['LIST_ENTRY32']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '__unnamed_1f67' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x4000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1f67']], 'SessionId' : 
[ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long long']], 'NonPagablePages' : [ 0x28, ['unsigned long long']], 'CommittedPages' : [ 0x30, ['unsigned long long']], 'PagedPoolStart' : [ 0x38, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x40, ['pointer64', ['void']]], 'SessionObject' : [ 0x48, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x50, ['pointer64', ['void']]], 'SessionPoolAllocationFailures' : [ 0x58, ['array', 4, ['unsigned long']]], 'ImageTree' : [ 0x68, ['_RTL_AVL_TREE']], 'LocaleId' : [ 0x70, ['unsigned long']], 'AttachCount' : [ 0x74, ['unsigned long']], 'AttachGate' : [ 0x78, ['_KGATE']], 'WsListEntry' : [ 0x90, ['_LIST_ENTRY']], 'PagedPoolInfo' : [ 0xa0, ['_MM_PAGED_POOL_INFO']], 'Lookaside' : [ 0x100, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb80, ['_MMSESSION']], 'Vm' : [ 0xbc0, ['_MMSUPPORT_FULL']], 'WorkingSetList' : [ 0xd00, ['_MMWSL_INSTANCE']], 'AggregateSessionWs' : [ 0xd40, ['_MMSUPPORT_AGGREGATION']], 'PagedPool' : [ 0xd80, ['_POOL_DESCRIPTOR']], 'DriverUnload' : [ 0x1ec0, ['_MI_SESSION_DRIVER_UNLOAD']], 'PageDirectory' : [ 0x1ec8, ['_MMPTE']], 'SessionVaLock' : [ 0x1ed0, ['_EX_PUSH_LOCK']], 'DynamicVaBitMap' : [ 0x1ed8, ['_RTL_BITMAP_EX']], 'DynamicVaHint' : [ 0x1ee8, ['unsigned long long']], 'SpecialPool' : [ 0x1ef0, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f30, ['_EX_PUSH_LOCK']], 'PoolBigEntriesInUse' : [ 0x1f38, ['long']], 'PagedPoolPdeCount' : [ 0x1f3c, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f40, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f44, ['unsigned long']], 'SystemPteInfo' : [ 0x1f48, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1fb0, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1fb8, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1fc0, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fc8, ['unsigned long long']], 'IoState' 
: [ 0x1fd0, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1fd4, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fd8, ['_KEVENT']], 'ServerSilo' : [ 0x1ff0, ['pointer64', ['_EJOB']]], 'CreateTime' : [ 0x1ff8, ['unsigned long long']], 'PoolTags' : [ 0x2000, ['array', 8192, ['unsigned char']]], } ], '_OBJECT_NAMESPACE_LOOKUPTABLE' : [ 0x260, { 'HashBuckets' : [ 0x0, ['array', 37, ['_LIST_ENTRY']]], 'Lock' : [ 0x250, ['_EX_PUSH_LOCK']], 'NumberOfPrivateSpaces' : [ 0x258, ['unsigned long']], } ], '_MI_CACHED_PTES' : [ 0x48, { 'Bins' : [ 0x0, ['array', 8, ['_MI_CACHED_PTE']]], 'CachedPteCount' : [ 0x40, ['long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x78, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned short']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UseExtendedParameters' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'Reserved' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'ParseProcedureEx' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], 'WaitObjectFlagMask' : [ 0x70, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x74, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x76, ['unsigned short']], } ], '_KLOCK_ENTRY' : [ 0x60, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'EntryFlags' : [ 0x18, ['unsigned long']], 'EntryOffset' : [ 0x18, ['unsigned char']], 'ThreadLocalFlags' : [ 0x19, 
['unsigned char']], 'WaitingBit' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare0' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'AcquiredByte' : [ 0x1a, ['unsigned char']], 'AcquiredBit' : [ 0x1a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadFlags' : [ 0x1b, ['unsigned char']], 'HeadNodeBit' : [ 0x1b, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IoPriorityBit' : [ 0x1b, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IoQoSWaiter' : [ 0x1b, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0x1b, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'StaticState' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'AllFlags' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'SpareFlags' : [ 0x1c, ['unsigned long']], 'LockState' : [ 0x20, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x20, ['pointer64', ['void']]], 'CrossThreadReleasableAndBusyByte' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x21, ['array', 6, ['unsigned char']]], 'InTreeByte' : [ 0x27, ['unsigned char']], 'SessionState' : [ 0x28, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], 'SessionPad' : [ 0x2c, ['unsigned long']], 'OwnerTree' : [ 0x30, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x40, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x30, ['unsigned char']], 'EntryLock' : [ 0x50, ['unsigned long long']], 'BoostBitmap' : [ 0x58, ['_KLOCK_ENTRY_BOOST_BITMAP']], 'SparePad' : [ 0x5c, ['unsigned long']], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : 
[ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'Arm64ControlSet' : [ 0x0, ['_ARM64_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ManySubsections' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Enclave' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PageSize64K' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'RfgControlStack' 
: [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_COUNTERS' : [ 0x78, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'PollIntervalCounter' : [ 0x48, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x4c, ['unsigned long']], 'HeapPollInterval' : [ 0x50, ['unsigned long']], 'AllocAndFreeOps' : [ 0x54, ['unsigned long']], 'AllocationIndicesActive' : [ 0x58, ['unsigned long']], 'InBlockDeccommits' : [ 0x5c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x60, ['unsigned long long']], 'HighWatermarkSize' : [ 0x68, ['unsigned long long']], 'LastPolledSize' : [ 0x70, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x30, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'Irp' : [ 0x18, ['pointer64', ['_IRP']]], 'Device' : [ 0x20, 
['pointer64', ['_DEVICE_OBJECT']]], 'Static' : [ 0x28, ['unsigned char']], } ], '__unnamed_1fcc' : [ 0x20, { 'CallerCompletion' : [ 0x0, ['pointer64', ['void']]], 'CallerContext' : [ 0x8, ['pointer64', ['void']]], 'CallerDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0x18, ['unsigned char']], } ], '__unnamed_1fcf' : [ 0x10, { 'NotifyDevice' : [ 0x0, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x8, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0xf8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x30, ['unsigned long long']], 'WatchdogTimer' : [ 0x38, ['_KTIMER']], 'WatchdogDpc' : [ 0x78, ['_KDPC']], 'MinorFunction' : [ 0xb8, ['unsigned char']], 'PowerStateType' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0xc0, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0xc4, ['unsigned char']], 'FxDevice' : [ 0xc8, ['pointer64', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0xd0, ['unsigned char']], 'NotifyPEP' : [ 0xd1, ['unsigned char']], 'Device' : [ 0xd8, ['__unnamed_1fcc']], 'System' : [ 0xd8, ['__unnamed_1fcf']], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned 
long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_KLOCK_ENTRY_BOOST_BITMAP' : [ 0x4, { 'AllFields' : [ 0x0, ['unsigned long']], 'AllBoosts' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 17, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], 'CpuBoostsBitmap' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 15, native_type='unsigned short')]], 'IoBoost' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'IoQoSBoost' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned short')]], 'IoQoSWaiterCount' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_PPM_IDLE_STATES' : [ 0x428, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'IdleOverride' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'UnaccountedTransition' : [ 0x5, ['unsigned char']], 'IdleDurationLimited' : [ 0x6, ['unsigned char']], 'IdleCheckLimited' : [ 0x7, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 
0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'LevelId' : [ 0x28, ['unsigned long long']], 'ReasonFlags' : [ 0x30, ['unsigned short']], 'InitiateWakeStamp' : [ 0x38, ['unsigned long long']], 'PreviousStatus' : [ 0x40, ['long']], 'PreviousCancelReason' : [ 0x44, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x48, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0xf0, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x198, ['pointer64', ['void']]], 'IdlePreExecute' : [ 0x1a0, ['pointer64', ['void']]], 'IdleExecute' : [ 0x1a8, ['pointer64', ['void']]], 'IdlePreselect' : [ 0x1b0, ['pointer64', ['void']]], 'IdleTest' : [ 0x1b8, ['pointer64', ['void']]], 'IdleAvailabilityCheck' : [ 0x1c0, ['pointer64', ['void']]], 'IdleComplete' : [ 0x1c8, ['pointer64', ['void']]], 'IdleCancel' : [ 0x1d0, ['pointer64', ['void']]], 'IdleIsHalted' : [ 0x1d8, ['pointer64', ['void']]], 'IdleInitiateWake' : [ 0x1e0, ['pointer64', ['void']]], 'PrepareInfo' : [ 0x1e8, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'DeepIdleSnapshot' : [ 0x240, ['_KAFFINITY_EX']], 'Tracing' : [ 0x2e8, ['pointer64', ['_PERFINFO_PPM_STATE_SELECTION']]], 'CoordinatedTracing' : [ 0x2f0, ['pointer64', ['_PERFINFO_PPM_STATE_SELECTION']]], 'ProcessorMenu' : [ 0x2f8, ['_PPM_SELECTION_MENU']], 'CoordinatedMenu' : [ 0x308, ['_PPM_SELECTION_MENU']], 'CoordinatedSelection' : [ 0x318, ['_PPM_COORDINATED_SELECTION']], 'State' : [ 0x330, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_ETW_HASH_BUCKET' : [ 0x38, { 'ListHead' : [ 0x0, ['array', 3, ['_LIST_ENTRY']]], 'BucketLock' : [ 0x30, ['_EX_PUSH_LOCK']], } ], '__unnamed_201e' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], 'GenErrDescriptorV2' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR_V2']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeGenericV2', 13: 'WheaErrSrcTypeSCIGenericV2', 14: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned 
long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_201e']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_SEP_TOKEN_DIAG_TRACK_ENTRY' : [ 0x120, { 'ProcessCid' : [ 0x0, ['pointer64', ['void']]], 'ThreadCid' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'CreateMethod' : [ 0x20, ['unsigned long']], 'CreateTrace' : [ 0x28, ['array', 30, ['unsigned long long']]], 'Count' : [ 0x118, ['long']], 'CaptureCount' : [ 0x11c, ['long']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND_STATE' : [ 0x4, { 'Expanded' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Transitioning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Pageable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 
} ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_PPM_POLICY_SETTINGS_MASK' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'PerfDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 
0, end_bit = 1, native_type='unsigned long')]], 'PerfIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerfDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PerfIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PerfDecreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PerfIncreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'PerfMinPolicy' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'PerfMaxPolicy' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'PerfTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PerfBoostPolicy' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PerfBoostMode' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AllowThrottling' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PerfHistoryCount' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ParkingPerfState' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LatencyHintPerf' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'LatencyHintUnpark' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CoreParkingMinCores' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CoreParkingMaxCores' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'CoreParkingDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 
'CoreParkingIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CoreParkingDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CoreParkingIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CoreParkingOverUtilizationThreshold' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'CoreParkingDistributeUtility' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CoreParkingConcurrencyThreshold' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CoreParkingHeadroomThreshold' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CoreParkingDistributionThreshold' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IdleAllowScaling' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'IdleDisable' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'IdleTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'IdleDemoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'IdlePromoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HeteroDecreaseTime' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HeteroIncreaseTime' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HeteroDecreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HeteroIncreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Class0FloorPerformance' : [ 0x4, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Class1InitialPerformance' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnergyPerfPreference' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AutonomousActivityWindow' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AutonomousMode' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DutyCycling' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'FrequencyCap' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_KSCHEDULING_GROUP' : [ 0x240, { 'Policy' : [ 0x0, ['_KSCHEDULING_GROUP_POLICY']], 'RelativeWeight' : [ 0x8, ['unsigned long']], 'ChildMinRate' : [ 0xc, ['unsigned long']], 'ChildMinWeight' : [ 0x10, ['unsigned long']], 'ChildTotalWeight' : [ 0x14, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x18, ['unsigned long long']], 'NotificationCycles' : [ 0x20, ['long long']], 'MaxQuotaLimitCycles' : [ 0x28, ['long long']], 'MaxQuotaCyclesRemaining' : [ 0x30, ['long long']], 'SchedulingGroupList' : [ 0x38, ['_LIST_ENTRY']], 'Sibling' : [ 0x38, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x48, ['pointer64', ['_KDPC']]], 'ChildList' : [ 0x50, ['_LIST_ENTRY']], 'Parent' : [ 0x60, ['pointer64', ['_KSCHEDULING_GROUP']]], 'PerProcessor' : [ 0x80, ['array', 1, ['_KSCB']]], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x260, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x10, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 
0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x20, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x130, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x240, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x248, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x250, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x258, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, 
end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'SecureDevice' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 
'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_JOBOBJECT_ENERGY_TRACKING_STATE' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'UpdateMask' : [ 0x0, ['unsigned long']], 'DesiredState' : [ 0x4, ['unsigned long']], } ], '_LOCK_HEADER' : [ 0x20, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x8, ['unsigned long long']], 'Lock' : [ 0x10, ['unsigned long long']], 'Valid' : [ 0x18, ['unsigned long']], } ], '_SEP_CACHED_HANDLES_ENTRY' : [ 0x48, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'EntryDescriptor' : [ 0x20, ['_SEP_CACHED_HANDLES_ENTRY_DESCRIPTOR']], 'HandleCount' : [ 0x38, ['unsigned long']], 'Handles' : [ 0x40, ['pointer64', ['pointer64', ['void']]]], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_KHETERO_PROCESSOR_SET' : [ 0x18, { 'IdealMask' : [ 0x0, ['unsigned long long']], 'PreferredMask' : [ 0x8, ['unsigned long long']], 'AvailableMask' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x20, { 'SystemSpaceViewLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'SystemSpaceViewLockPointer' : [ 0x8, ['pointer64', ['_EX_PUSH_LOCK']]], 'ViewRoot' : [ 0x10, ['_RTL_AVL_TREE']], 'ViewCount' : [ 0x18, ['unsigned long']], 'BitmapFailures' : [ 0x1c, ['unsigned long']], } ], '_CC_ASYNC_READ_CONTEXT' : [ 0x20, { 'CompletionRoutine' : [ 0x0, ['pointer64', ['void']]], 'Context' : [ 0x8, ['pointer64', ['void']]], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'RequestorMode' : [ 0x18, ['unsigned char']], 'NestingLevel' : [ 0x1c, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_DIRTY_PAGE_STATISTICS' : [ 0x18, { 'DirtyPages' : [ 0x0, ['unsigned long long']], 'DirtyPagesLastScan' : [ 0x8, ['unsigned long long']], 'DirtyPagesScheduledLastScan' : [ 0x10, ['unsigned 
long']], } ], '_EPROCESS_VALUES' : [ 0x58, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'ReadyTime' : [ 0x10, ['unsigned long long']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'ContextSwitches' : [ 0x20, ['unsigned long long']], 'ReadOperationCount' : [ 0x28, ['long long']], 'WriteOperationCount' : [ 0x30, ['long long']], 'OtherOperationCount' : [ 0x38, ['long long']], 'ReadTransferCount' : [ 0x40, ['long long']], 'WriteTransferCount' : [ 0x48, ['long long']], 'OtherTransferCount' : [ 0x50, ['long long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x48, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], 'ServerSilo' : [ 0x40, ['pointer64', ['_EJOB']]], } ], '_RTL_BITMAP_EX' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 15, native_type='unsigned long long')]], 'ExecutePrivilege' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_TRIAGE_9F_PNP' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'CompletionQueue' : [ 0x8, ['pointer64', ['_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE']]], 'DelayedWorkQueue' : [ 0x10, ['pointer64', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_POP_CURRENT_BROADCAST' : [ 0x18, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'DeviceState' : [ 0x10, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long 
long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'ReservedForHardware' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'ReservedForSoftware' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 56, native_type='unsigned long long')]], 'WsleAge' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 60, native_type='unsigned long long')]], 'WsleProtection' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LeakedPoolDeliberately' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_JOB_RATE_CONTROL_HEADER' : [ 0x28, { 'RateControlQuotaReference' : [ 0x0, ['pointer64', ['void']]], 'OverQuotaHistory' : [ 0x8, ['_RTL_BITMAP']], 'BitMapBuffer' : [ 0x18, ['pointer64', ['unsigned char']]], 'BitMapBufferSize' : [ 0x20, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR_V2' : [ 0x50, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'ReadAckAddressSpaceID' : [ 0x34, ['unsigned char']], 'ReadAckAddressBitWidth' : [ 0x35, ['unsigned char']], 'ReadAckAddressBitOffset' : [ 0x36, ['unsigned char']], 'ReadAckAddressAccessSize' : [ 0x37, ['unsigned char']], 'ReadAckAddress' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAckPreserveMask' : [ 0x40, ['unsigned long long']], 'ReadAckWriteMask' : [ 0x48, ['unsigned long long']], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 
'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_MI_SPECIAL_POOL' : [ 0x40, { 'Lock' : [ 0x0, ['unsigned long long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long long']], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_DBGKD_WRITE_CUSTOM_BREAKPOINT' : [ 0x18, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointInstruction' : [ 0x8, ['unsigned long long']], 'BreakPointHandle' : [ 0x10, ['unsigned long']], 'BreakPointInstructionSize' : [ 0x14, ['unsigned char']], 'BreakPointInstructionAlignment' : [ 0x15, ['unsigned char']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, 
['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x10, ['unsigned char']], 'Spare' : [ 0x11, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0x14, ['unsigned long']], 'DebugId' : [ 0x18, ['_CVDD']], } ], '_PS_PROPERTY_SET' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['unsigned long long']], } ], '_TRIAGE_EX_WORK_QUEUE' : [ 0x2b0, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x30, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'ExpectedWakeReason' : [ 0x2d, ['unsigned char']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 
0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_THREAD_ENERGY_VALUES' : [ 0xc8, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'AttributedCycles' : [ 0x40, ['array', 4, ['array', 2, ['unsigned long long']]]], 'WorkOnBehalfCycles' : [ 0x80, ['array', 4, ['array', 2, ['unsigned long long']]]], 'CpuTimeline' : [ 0xc0, ['_TIMELINE_BITMAP']], } ], '_WHEAP_WORK_QUEUE' : [ 0x88, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x10, ['unsigned long long']], 'ItemCount' : [ 0x18, ['long']], 'Dpc' : [ 0x20, ['_KDPC']], 'WorkItem' : [ 0x60, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x80, ['pointer64', ['void']]], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_RTL_RUN_ONCE' : [ 0x8, { 'Ptr' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], } ], '_CM_PATH_HASH' : [ 0x4, { 'Hash' : [ 0x0, ['unsigned long']], } ], '_EXHANDLE' : [ 0x8, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 
0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_FAST_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['wchar']]], 'DriverName' : [ 0x50, ['pointer64', ['wchar']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 
0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x260, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x270, ['unsigned long']], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x48, { 'Next' : [ 0x0, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], 'Gate' : [ 0x8, ['_KGATE']], 'SecureInfo' : [ 0x8, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x8, ['_RTL_BITMAP_EX']], 'InPageSupport' : [ 0x8, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'LargePage' : [ 0x8, ['_MI_LARGEPAGE_IMAGE_INFO']], 'CreatingThread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'PebTebRfg' : [ 0x8, ['_MI_SUB64K_FREE_RANGES']], 'RfgProtectedStack' : [ 0x8, ['_MI_RFG_PROTECTED_STACK']], 'WaitReason' : [ 0x40, ['unsigned long']], } ], '__unnamed_210f' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '__unnamed_2112' : [ 0x4, { 'e1' : [ 0x0, ['_MI_SUBSECTION_ENTRY1']], 'EntireField' : [ 0x0, ['unsigned long']], } ], '__unnamed_2114' : [ 0x4, { 'AlignmentNoAccessPtes' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'DirtyPages' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'GlobalPerSessionHead' : [ 0x18, ['_RTL_AVL_TREE']], 'CreationWaitList' : [ 0x18, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'SessionDriverProtos' : [ 0x18, ['pointer64', ['_MI_PER_SESSION_PROTOS']]], 'u' : [ 0x20, ['__unnamed_210f']], 'StartingSector' : [ 0x24, ['unsigned long']], 'NumberOfFullSectors' : [ 0x28, ['unsigned long']], 'PtesInSubsection' : [ 0x2c, ['unsigned long']], 'u1' : [ 0x30, ['__unnamed_2112']], 'UnusedPtes' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'ExtentQueryNeeded' : [ 0x34, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 
'DirtyPages' : [ 0x34, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u2' : [ 0x34, ['__unnamed_2114']], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['unsigned long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x30, ['pointer64', ['long']]], 'NodeTargetCount' : [ 0x38, ['long']], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_FAST_ERESOURCE' : [ 0x68, { 'Reserved1' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'Reserved2' : [ 0x18, ['unsigned long']], 'Reserved3' : [ 0x20, ['array', 4, 
['pointer64', ['void']]]], 'Reserved4' : [ 0x40, ['array', 4, ['unsigned long']]], 'Reserved5' : [ 0x50, ['pointer64', ['void']]], 'Reserved6' : [ 0x58, ['array', 2, ['pointer64', ['void']]]], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x10, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_SEP_RM_LSA_CONNECTION_STATE' : [ 0x50, { 'LsaProcessHandle' : [ 0x0, ['pointer64', ['void']]], 'LsaCommandPortHandle' : [ 0x8, ['pointer64', ['void']]], 'SepRmThreadHandle' : [ 0x10, ['pointer64', ['void']]], 'RmCommandPortHandle' : [ 0x18, ['pointer64', ['void']]], 'RmCommandServerPortHandle' : [ 0x20, ['pointer64', ['void']]], 'LsaCommandPortSectionHandle' : [ 0x28, ['pointer64', 
['void']]], 'LsaCommandPortSectionSize' : [ 0x30, ['_LARGE_INTEGER']], 'LsaViewPortMemory' : [ 0x38, ['pointer64', ['void']]], 'RmViewPortMemory' : [ 0x40, ['pointer64', ['void']]], 'LsaCommandPortMemoryDelta' : [ 0x48, ['long']], 'LsaCommandPortActive' : [ 0x4c, ['unsigned char']], } ], '_CM_KCB_LAYER_INFO' : [ 0x30, { 'LayerListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Kcb' : [ 0x10, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'LowerLayer' : [ 0x18, ['pointer64', ['_CM_KCB_LAYER_INFO']]], 'UpperLayerListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'PagedPoolAllocationMap' : [ 0x8, ['_RTL_BITMAP_EX']], 'FirstPteForPagedPool' : [ 0x18, ['pointer64', ['_MMPTE']]], 'MaximumSize' : [ 0x20, ['unsigned long long']], 'PagedPoolHint' : [ 0x28, ['unsigned long 
long']], 'AllocatedPagedPool' : [ 0x30, ['unsigned long long']], } ], '_PPM_IDLE_STATE' : [ 0xf8, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Name' : [ 0xa8, ['_UNICODE_STRING']], 'Latency' : [ 0xb8, ['unsigned long']], 'BreakEvenDuration' : [ 0xbc, ['unsigned long']], 'Power' : [ 0xc0, ['unsigned long']], 'StateFlags' : [ 0xc4, ['unsigned long']], 'VetoAccounting' : [ 0xc8, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0xf0, ['unsigned char']], 'InterruptsEnabled' : [ 0xf1, ['unsigned char']], 'Interruptible' : [ 0xf2, ['unsigned char']], 'ContextRetained' : [ 0xf3, ['unsigned char']], 'CacheCoherent' : [ 0xf4, ['unsigned char']], 'WakesSpuriously' : [ 0xf5, ['unsigned char']], 'PlatformOnly' : [ 0xf6, ['unsigned char']], 'NoCState' : [ 0xf7, ['unsigned char']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '__unnamed_214b' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_214d' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_214b']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x120, { 
'SuspectDriverEntry' : [ 0x0, ['pointer64', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_214d']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' : [ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], 'ExecutePoolTypes' : [ 0xf8, ['unsigned long']], 'ExecutePageProtections' : [ 0xfc, ['unsigned long']], 'ExecutePageMappings' : [ 0x100, ['unsigned long']], 'ExecuteWriteSections' : [ 0x104, ['unsigned long']], 'SectionAlignmentFailures' : [ 0x108, ['unsigned long']], 
'UnsupportedRelocs' : [ 0x10c, ['unsigned long']], 'IATInExecutableSection' : [ 0x110, ['unsigned long']], } ], '_SEP_LUID_TO_INDEX_MAP_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'Luid' : [ 0x20, ['unsigned long long']], 'IndexIntoGlobalSingletonTable' : [ 0x28, ['unsigned long long']], 'MarkedForDeletion' : [ 0x30, ['unsigned char']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'DynamicRelocations' : [ 0x0, ['pointer64', ['void']]], 'SecurityContext' : [ 0x8, ['_IMAGE_SECURITY_CONTEXT']], 'StrongImageReference' : [ 0x10, ['unsigned long long']], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderZero', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderVsmMemory', 30: 'LoaderFirmwareCode', 31: 'LoaderFirmwareData', 32: 'LoaderFirmwareReserved', 33: 'LoaderEnclaveMemory', 34: 'LoaderFirmwareKsr', 35: 'LoaderEnclaveKsr', 36: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, 
['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, 
['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_OBP_SYSTEM_DOS_DEVICE_STATE' : [ 0x6c, { 'GlobalDeviceMap' : [ 0x0, ['unsigned long']], 'LocalDeviceCount' : [ 0x4, ['array', 26, ['unsigned long']]], } ], '_WNF_SILODRIVERSTATE' : [ 0x38, { 'ScopeMap' : [ 0x0, ['pointer64', ['_WNF_SCOPE_MAP']]], 'PermanentNameStoreRootKey' : [ 0x8, ['pointer64', ['void']]], 'PersistentNameStoreRootKey' : [ 0x10, ['pointer64', ['void']]], 'PermanentNameSequenceNumber' : [ 0x18, ['long long']], 'PermanentNameSequenceNumberLock' : [ 0x20, ['_WNF_LOCK']], 'PermanentNameSequenceNumberPool' : [ 0x28, ['long long']], 'RuntimeNameSequenceNumber' : [ 0x30, ['long long']], } ], '_DELAY_ACK_FO' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'Type' : [ 0x0, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Reserved1' : [ 0x3, ['unsigned char']], 'TimerType' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Timer2Type' : [ 0x0, 
['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Timer2ReservedFlags' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Timer2ComponentId' : [ 0x2, ['unsigned char']], 'Timer2RelativeId' : [ 0x3, ['unsigned char']], 'QueueType' : [ 0x0, ['unsigned char']], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'QueueReservedControlFlags' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueSize' : [ 0x2, ['unsigned char']], 'QueueReserved' : [ 0x3, ['unsigned char']], 'ThreadType' : [ 0x0, ['unsigned char']], 'ThreadReserved' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Tagged' : [ 0x2, ['BitField', dict(start_bit = 4, 
end_bit = 5, native_type='unsigned char')]], 'EnergyProfiling' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ThreadReservedControlFlags' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Minimal' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved4' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MutantType' : [ 0x0, ['unsigned char']], 'MutantSize' : [ 0x1, ['unsigned char']], 'DpcActive' : [ 0x2, ['unsigned char']], 'MutantReserved' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OB_HANDLE_REVOCATION_BLOCK' : [ 0x20, { 'RevocationInfos' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Rundown' : [ 0x18, 
['_EX_RUNDOWN_REF']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x38, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long long']], 'DirtyPageThresholdTop' : [ 0x8, ['unsigned long long']], 'DirtyPageThresholdBottom' : [ 0x10, ['unsigned long long']], 'DirtyPageTarget' : [ 0x18, ['unsigned long']], 'AggregateAvailablePages' : [ 0x20, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x28, ['unsigned long long']], 'AvailableHistory' : [ 0x30, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x90, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'Count' : [ 0x28, ['unsigned long long']], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'StackTrace' : [ 0x40, ['array', 8, ['pointer64', ['void']]]], 'Who' : [ 0x80, ['unsigned long']], 'Process' : [ 0x88, ['pointer64', ['_EPROCESS']]], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 
'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 
'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_MMSECTION_FLAGS2' : [ 0x4, { 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'NoCrossPartitionAccess' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SubsectionCrossPartitionReferenceOverflow' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer64', ['_MMPTE']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS' : [ 0x1, { 'Trustlet' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Ntos' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'WriteHandle' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ReadHandle' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'AccessRights' : [ 0x0, ['unsigned char']], } ], '_KSECURE_FAULT_INFORMATION' : [ 0x10, { 'FaultCode' : [ 0x0, ['unsigned long long']], 'FaultVa' : [ 0x8, ['unsigned long long']], } ], '_KREQUEST_PACKET' : [ 0x20, { 
'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_PS_PROCESS_WAKE_INFORMATION' : [ 0x30, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 7, ['unsigned long']]], 'WakeFilter' : [ 0x24, ['_JOBOBJECT_WAKE_FILTER']], 'NoWakeCounter' : [ 0x2c, ['unsigned long']], } ], '__unnamed_21a3' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_21a5' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_21a3']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_21a5']], } ], '_PROCESS_ENERGY_VALUES' : [ 0x110, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'DiskEnergy' : [ 0x40, ['unsigned long long']], 'NetworkTailEnergy' : [ 0x48, ['unsigned long long']], 'MBBTailEnergy' : [ 0x50, ['unsigned long long']], 'NetworkTxRxBytes' : [ 0x58, ['unsigned long long']], 'MBBTxRxBytes' : [ 0x60, ['unsigned long long']], 'Durations' : [ 0x68, ['array', 3, ['_ENERGY_STATE_DURATION']]], 'ForegroundDuration' : [ 0x68, ['_ENERGY_STATE_DURATION']], 'DesktopVisibleDuration' : [ 0x70, ['_ENERGY_STATE_DURATION']], 'PSMForegroundDuration' : [ 0x78, ['_ENERGY_STATE_DURATION']], 'CompositionRendered' : [ 0x80, ['unsigned long']], 'CompositionDirtyGenerated' : [ 0x84, ['unsigned long']], 'CompositionDirtyPropagated' : [ 0x88, ['unsigned long']], 'Reserved1' : [ 0x8c, ['unsigned long']], 'AttributedCycles' : [ 0x90, ['array', 4, ['array', 2, ['unsigned long long']]]], 'WorkOnBehalfCycles' : [ 0xd0, ['array', 4, ['array', 2, ['unsigned long long']]]], } ], '_MMCLONE_HEADER' : [ 0x18, { 'NumberOfPtes' : [ 0x0, ['unsigned long long']], 
'NumberOfProcessReferences' : [ 0x8, ['unsigned long long']], 'ClonePtes' : [ 0x10, ['pointer64', ['_MMCLONE_BLOCK']]], } ], '_MI_SYSTEM_INFORMATION' : [ 0x1b40, { 'Pools' : [ 0x0, ['_MI_POOL_STATE']], 'Sections' : [ 0x100, ['_MI_SECTION_STATE']], 'SystemImages' : [ 0x340, ['_MI_SYSTEM_IMAGE_STATE']], 'Sessions' : [ 0x3f8, ['_MI_SESSION_STATE']], 'Processes' : [ 0x480, ['_MI_PROCESS_STATE']], 'Hardware' : [ 0x4b0, ['_MI_HARDWARE_STATE']], 'SystemVa' : [ 0x5c0, ['_MI_SYSTEM_VA_STATE']], 'PageCombines' : [ 0x940, ['_MI_COMBINE_STATE']], 'PageLists' : [ 0xae0, ['_MI_PAGELIST_STATE']], 'Partitions' : [ 0xaf0, ['_MI_PARTITION_STATE']], 'Shutdowns' : [ 0xb50, ['_MI_SHUTDOWN_STATE']], 'Errors' : [ 0xbc8, ['_MI_ERROR_STATE']], 'AccessLog' : [ 0xc80, ['_MI_ACCESS_LOG_STATE']], 'Debugger' : [ 0xd00, ['_MI_DEBUGGER_STATE']], 'Standby' : [ 0xe20, ['_MI_STANDBY_STATE']], 'SystemPtes' : [ 0xec0, ['_MI_SYSTEM_PTE_STATE']], 'IoPages' : [ 0x1040, ['_MI_IO_PAGE_STATE']], 'PagingIo' : [ 0x10b0, ['_MI_PAGING_IO_STATE']], 'CommonPages' : [ 0x1100, ['_MI_COMMON_PAGE_STATE']], 'Trims' : [ 0x11c0, ['_MI_SYSTEM_TRIM_STATE']], 'Cookie' : [ 0x1200, ['unsigned long long']], 'BootRegistryRuns' : [ 0x1208, ['pointer64', ['pointer64', ['void']]]], 'ZeroingDisabled' : [ 0x1210, ['long']], 'FullyInitialized' : [ 0x1214, ['unsigned char']], 'SafeBooted' : [ 0x1215, ['unsigned char']], 'TraceLogging' : [ 0x1218, ['pointer64', ['_TlgProvider_t']]], 'Vs' : [ 0x1240, ['_MI_VISIBLE_STATE']], } ], '_ETW_SILO_TRACING_BLOCK' : [ 0x400, { 'ProcessorBuffers' : [ 0x0, ['array', 64, ['_EX_FAST_REF']]], 'EventsLoggedCount' : [ 0x200, ['array', 64, ['unsigned long long']]], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, 
['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x30, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x18, ['_KEVENT']], } ], '__unnamed_21d3' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_21d5' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_21d3']], } ], '__unnamed_21d7' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_21d5']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_21d7']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '__unnamed_21df' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_21df']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x10, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], } ], '_MI_LARGEPAGE_IMAGE_INFO' : [ 0x10, { 'LargeImageBias' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'ActualImageViewSize' : [ 0x8, ['unsigned long long']], } ], '__unnamed_21ec' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x28, { 'NodeRangeSize' : [ 0x0, ['unsigned long long']], 'NodeCount' : [ 0x8, ['unsigned long long']], 'Tables' : [ 0x10, ['pointer64', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x18, ['unsigned long']], 'UseSessionId' : [ 0x1c, ['unsigned 
char']], 'u1' : [ 0x20, ['__unnamed_21ec']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_MMSUPPORT_FULL' : [ 0x110, { 'Instance' : [ 0x0, ['_MMSUPPORT_INSTANCE']], 'Shared' : [ 0xc8, ['_MMSUPPORT_SHARED']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_MI_PROCESS_STATE' : [ 0x30, { 'SystemDllBase' : [ 0x0, ['pointer64', ['void']]], 'ColorSeed' : [ 0x8, ['unsigned long']], 'RotatingUniprocessorNumber' : [ 0xc, ['long']], 'CriticalSectionTimeout' : [ 0x10, ['_LARGE_INTEGER']], 'ProcessList' : [ 0x18, ['_LIST_ENTRY']], 'SharedUserDataPte' : [ 0x28, ['pointer64', ['_MMPTE']]], } ], '_MMSUPPORT_AGGREGATION' : [ 0x20, { 'PageFaultCount' : [ 0x0, ['unsigned long']], 'WorkingSetSize' : [ 0x8, ['unsigned long long']], 'WorkingSetLeafSize' : [ 0x10, ['unsigned long long']], 'PeakWorkingSetSize' : [ 0x18, ['unsigned long long']], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], 
'_PRIVATE_CACHE_MAP' : [ 0x78, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long long']], 'PipelinedReadAheadRequestSize' : [ 0x58, ['unsigned long']], 'ReadAheadGrowth' : [ 0x5c, ['unsigned long']], 'PrivateLinks' : [ 0x60, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x70, ['pointer64', ['void']]], } ], '_ETW_GUID_ENTRY' : [ 0x190, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long long']], 'Guid' : [ 0x18, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['pointer64', ['_ETW_FILTER_HEADER']]], 'SiloState' : [ 0x178, ['pointer64', ['_ETW_SILODRIVERSTATE']]], 'Lock' : [ 0x180, ['_EX_PUSH_LOCK']], 'LockOwner' : [ 0x188, ['pointer64', ['_ETHREAD']]], } ], '_ARBITER_INSTANCE' : [ 0x150, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['wchar']]], 'OrderingName' : [ 0x18, ['pointer64', ['wchar']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', 
['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', 
['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '_MI_SYSTEM_IMAGE_STATE' : [ 0xb8, { 'FixupList' : [ 0x0, ['_LIST_ENTRY']], 'LoadLock' : [ 0x10, ['_KMUTANT']], 'FixupLock' : [ 0x48, ['long']], 'FirstLoadEver' : [ 0x4c, ['unsigned char']], 'LargePageAll' : [ 0x4d, ['unsigned char']], 'LastPage' : [ 0x50, ['unsigned long long']], 'LargePageList' : [ 0x58, ['_LIST_ENTRY']], 'StrongCodeLoadFailureList' : [ 0x68, ['_LIST_ENTRY']], 'BeingDeleted' : [ 0x78, ['pointer64', ['_KLDR_DATA_TABLE_ENTRY']]], 'MappingRangesPushLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'MappingRanges' : [ 0x88, ['array', 2, ['pointer64', ['_MI_DRIVER_VA']]]], 'PageCount' : [ 0x98, ['unsigned long long']], 'PageCounts' : [ 0xa0, ['_MM_SYSTEM_PAGE_COUNTS']], 'CollidedLock' : [ 0xb0, ['_EX_PUSH_LOCK']], } ], '_MMPFNENTRY1' : [ 0x1, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_MI_FLAGS' : [ 0x4, { 'EntireFlags' : [ 0x0, ['long']], 'VerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned long')]], 'KernelVerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LargePageKernel' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StopOn4d' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'InitializationPhase' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'PageKernelStacks' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CheckZeroPages' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ProcessorPrewalks' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ProcessorPostwalks' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'CoverageBuild' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AccessBitReplacementDisabled' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CheckExecute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ProtectedPagesEnabled' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SecureRelocations' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'StrongPageIdentity' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'StrongCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'HardCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ExecutePagePrivilegeRequired' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'SecureKernelCfgEnabled' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, 
native_type='unsigned long')]], 'FullHvci' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SlatKernelCodeProtected' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'BootDebuggerActive' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x70, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' 
: [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x68, ['unsigned char']], 'DeleteType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x10, ['unsigned long']], 'SyncCallback' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ZeroMapRegisters' : [ 0x14, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x14, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, 
['pointer64', ['_KDPC']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'HiberFileType' : [ 0x16, ['unsigned char']], 'AoAcConnectivitySupported' : [ 0x17, ['unsigned char']], 'spare3' : [ 0x18, ['array', 6, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, 
['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_EX_WORK_QUEUE' : [ 0x2d0, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'Node' : [ 0x2b0, ['pointer64', ['_ENODE']]], 'WorkItemsProcessed' : [ 0x2b8, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x2bc, ['unsigned long']], 'ThreadCount' : [ 0x2c0, ['long']], 'MinThreads' : [ 0x2c4, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='long')]], 'TryFailed' : [ 0x2c4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'MaxThreads' : [ 0x2c8, ['long']], 'QueueIndex' : [ 0x2cc, ['Enumeration', dict(target = 'long', choices = {0: 'ExPoolUntrusted', 1: 'IoPoolUntrusted', 2: 'ExPoolTrusted', 8: 'ExPoolMax'})]], } ], '_KWAIT_CHAIN' : [ 0x8, { 'Head' : [ 0x0, ['pointer64', ['void']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 
0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_VF_DRIVER_IO_CALLBACKS' : [ 0x100, { 'DriverInit' : [ 0x0, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x8, ['pointer64', ['void']]], 'DriverUnload' : [ 0x10, ['pointer64', ['void']]], 'AddDevice' : [ 0x18, ['pointer64', ['void']]], 'MajorFunction' : [ 0x20, ['array', 28, ['pointer64', ['void']]]], } ], '_CM_UOW_SET_VALUE_KEY_DATA' : [ 0x10, { 'PreparedCell' : [ 0x0, ['unsigned long']], 'OldValueCell' : [ 0x4, ['unsigned long']], 'NameLength' : [ 0x8, ['unsigned short']], 'DataSize' : [ 0xc, ['unsigned long']], } ], '_MI_PARTITION_STATE' : [ 0x60, { 'PartitionLock' : [ 0x0, ['unsigned long long']], 'PartitionIdLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'InitialPartitionIdBits' : [ 0x10, ['unsigned long long']], 'PartitionList' : [ 0x18, ['_LIST_ENTRY']], 'PartitionIdBitmap' : [ 0x28, ['pointer64', ['_RTL_BITMAP']]], 'InitialPartitionIdBitmap' : [ 0x30, ['_RTL_BITMAP']], 'TempPartitionPointers' : [ 0x40, ['array', 1, ['pointer64', ['_MI_PARTITION']]]], 'Partition' : [ 0x48, ['pointer64', ['pointer64', ['_MI_PARTITION']]]], 'TotalPagesInChildPartitions' : [ 0x50, ['unsigned long long']], 'CrossPartitionDenials' : [ 0x58, ['unsigned long']], 'MultiplePartitionsExist' : [ 0x5c, ['unsigned char']], } ], '_POP_THERMAL_ZONE' : [ 0x368, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 
14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], 'State' : [ 0x40, ['unsigned char']], 'Flags' : [ 0x41, ['unsigned char']], 'Removing' : [ 0x42, ['unsigned char']], 'Mode' : [ 0x43, ['unsigned char']], 'PendingMode' : [ 0x44, ['unsigned char']], 'ActivePoint' : [ 0x45, ['unsigned char']], 'PendingActivePoint' : [ 0x46, ['unsigned char']], 'Critical' : [ 0x47, ['unsigned char']], 'ThermalStandby' : [ 0x48, ['unsigned char']], 'OverThrottled' : [ 0x49, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x4c, ['long']], 'Throttle' : [ 0x50, ['long']], 'PendingThrottle' : [ 0x54, ['long']], 'ThrottleReasons' : [ 0x58, ['unsigned long']], 'LastPassiveTime' : [ 0x60, ['unsigned long long']], 'SampleRate' : [ 0x68, ['unsigned long']], 'LastTemp' : [ 0x6c, ['unsigned long']], 'Info' : [ 0x70, ['_THERMAL_INFORMATION_EX']], 'Policy' : [ 0xcc, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0xe4, ['unsigned char']], 'PollingRate' : [ 0xe8, ['unsigned long']], 'LastTemperatureTime' : [ 0xf0, ['unsigned long long']], 'LastActiveStartTime' : [ 0xf8, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x100, ['unsigned long long']], 'WorkItem' : [ 0x108, ['_WORK_QUEUE_ITEM']], 'ZoneUpdateTimer' : [ 0x128, ['_KTIMER2']], 'Lock' : [ 0x1b0, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x1c0, ['_KEVENT']], 'TemperatureUpdated' : [ 0x1d8, ['_KEVENT']], 'InstanceId' : [ 0x1f0, ['unsigned long']], 'TelemetryTracker' : [ 0x1f8, ['_POP_THERMAL_TELEMETRY_TRACKER']], 'Description' : [ 0x358, ['_UNICODE_STRING']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, 
['pointer64', ['_TRIAGE_DEVICE_NODE']]], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_MMPFNENTRY3' : [ 0x1, { 'Priority' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SystemChargedPage' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_SID_VALUES_BLOCK' : [ 0x20, { 'BlockLength' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x8, ['long long']], 'SidCount' : [ 0x10, ['unsigned long']], 'SidValuesStart' : [ 0x18, ['unsigned long long']], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned 
long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x8, { 'Function' : [ 0x0, ['pointer64', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long long']], } ], '__unnamed_22ea' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_22ec' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_22ea']], 'Private' : [ 0x0, ['__unnamed_22ec']], } ], '_CM_TRANS_PTR' : [ 0x8, { 'LightWeight' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'TransPtr' : [ 0x0, ['pointer64', ['void']]], } ], '_PS_TRUSTLET_ATTRIBUTE_TYPE' : [ 0x4, { 'Version' : [ 0x0, ['unsigned char']], 'DataCount' : [ 0x1, ['unsigned char']], 'SemanticType' : [ 0x2, ['unsigned char']], 'AccessRights' : [ 0x3, ['_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS']], 'AttributeType' : [ 0x0, ['unsigned long']], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['_CM_PATH_HASH']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, 
['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned 
short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PS_IO_CONTROL_ENTRY' : [ 0x38, { 'VolumeTreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ReservedForParentValue' : [ 0x10, ['unsigned long long']], 'VolumeKey' : [ 0x18, ['unsigned long long']], 'Rundown' : [ 0x20, ['_EX_RUNDOWN_REF']], 'IoControl' : [ 0x28, ['pointer64', ['void']]], 'VolumeIoAttribution' : [ 0x30, ['pointer64', ['void']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_CM_UOW_SET_VALUE_LIST_DATA' : [ 0xc, { 'RefCount' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['_CHILD_LIST']], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 
0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'PagesAllocated' : [ 0x48, ['unsigned long long']], 'BigPagesAllocated' : [ 0x50, ['unsigned long long']], 'BytesAllocated' : [ 0x58, ['unsigned long long']], 'RunningDeallocs' : [ 0x80, ['long']], 'PagesDeallocated' : [ 0x88, ['unsigned long long']], 'BigPagesDeallocated' : [ 0x90, ['unsigned long long']], 'BytesDeallocated' : [ 0x98, ['unsigned long long']], 'PoolIndex' : [ 0xc0, ['unsigned long']], 'PoolTypeCopy' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 
'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'ThreadsProcessingDeferrals' : [ 0x108, ['long']], 'PendingFreeDepth' : [ 0x10c, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SUBSECTION_ENTRY1' : [ 0x4, { 'CrossPartitionReferences' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'SubsectionMappedLarge' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2363' : [ 0x4, { 'PercentLevel' : [ 0x0, ['unsigned long']], } ], '__unnamed_2365' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 
'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_2363']], 'Button' : [ 0x10, ['__unnamed_2365']], } ], '_RTL_ATOM_TABLE' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0x10, ['pointer64', ['_HANDLE_TABLE']]], 'Flags' : [ 0x18, ['unsigned long']], 'NumberOfBuckets' : [ 0x1c, ['unsigned long']], 'Buckets' : [ 0x20, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_KTIMER2' : [ 0x88, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'RbNodes' : [ 0x18, ['array', 2, ['_RTL_BALANCED_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'DueTime' : [ 0x48, ['array', 2, ['unsigned long long']]], 'Period' : [ 0x58, ['long long']], 'Callback' : [ 0x60, ['pointer64', ['void']]], 'CallbackContext' : [ 0x68, ['pointer64', ['void']]], 'DisableCallback' : [ 0x70, ['pointer64', ['void']]], 'DisableContext' : [ 0x78, ['pointer64', ['void']]], 'AbsoluteSystemTime' : [ 0x80, ['unsigned char']], 'TypeFlags' : [ 0x81, ['unsigned char']], 'Unused' : [ 0x81, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'IdleResilient' : [ 0x81, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HighResolution' : [ 0x81, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'NoWake' : [ 0x81, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Unused1' : [ 0x81, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'CollectionIndex' : [ 0x82, ['array', 2, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_MI_SESSION_STATE' : [ 0x88, { 'SystemSession' : [ 0x0, ['_MMSESSION']], 'DetachTimeStamp' : [ 0x20, ['unsigned long']], 'CodePageEdited' : [ 0x24, ['unsigned char']], 'DynamicPoolBitBuffer' : [ 0x28, ['pointer64', ['unsigned long']]], 'DynamicVaBitBuffer' : [ 0x30, ['pointer64', ['unsigned long long']]], 'DynamicVaBitBufferPages' : [ 0x38, ['unsigned long long']], 'DynamicVaStart' : [ 0x40, ['pointer64', ['void']]], 'ImageVaStart' : [ 0x48, ['pointer64', ['void']]], 'DynamicPtesBitBuffer' : [ 0x50, ['pointer64', ['unsigned long']]], 'IdLock' : [ 0x58, ['_EX_PUSH_LOCK']], 'LeaderProcess' : [ 0x60, ['pointer64', ['_EPROCESS']]], 'InitializeLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'WorkingSetList' : [ 0x70, ['pointer64', ['_MMWSL_INSTANCE']]], 'SessionBase' : [ 0x78, ['pointer64', ['void']]], 'SessionCore' : [ 0x80, ['pointer64', ['void']]], } ], '_XSTATE_CONFIGURATION' : [ 0x330, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'ControlFlags' : [ 0x14, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CompactionEnabled' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Features' : [ 0x18, 
['array', 64, ['_XSTATE_FEATURE']]], 'EnabledSupervisorFeatures' : [ 0x218, ['unsigned long long']], 'AlignedFeatures' : [ 0x220, ['unsigned long long']], 'AllFeatureSize' : [ 0x228, ['unsigned long']], 'AllFeatures' : [ 0x22c, ['array', 64, ['unsigned long']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'Callback' : [ 0x8, ['pointer64', ['void']]], 'CallbackContext' : [ 0x10, ['pointer64', ['void']]], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'AccessMask' : [ 0x20, ['unsigned long']], } ], '_MI_SECTION_STATE' : [ 0x240, { 'SectionObjectPointersLock' : [ 0x0, ['long']], 'SectionBasedRoot' : [ 0x8, ['_RTL_AVL_TREE']], 'SectionBasedLock' : [ 0x10, ['_EX_PUSH_LOCK']], 'UnusedSubsectionPagedPool' : [ 0x18, ['unsigned long long']], 'UnusedSegmentForceFree' : [ 0x20, ['unsigned long']], 'DataSectionProtectionMask' : [ 0x24, ['unsigned long']], 'HighSectionBase' : [ 0x28, ['pointer64', ['void']]], 'PhysicalSubsection' : [ 0x30, ['_MSUBSECTION']], 'PhysicalControlArea' : [ 0xa0, ['_CONTROL_AREA']], 'DanglingExtentsPages' : [ 0x120, ['pointer64', ['_MMPFN']]], 'DanglingExtentsLock' : [ 0x128, ['long']], 'DanglingExtentsWorkItem' : [ 0x130, ['_WORK_QUEUE_ITEM']], 'DanglingExtentsWorkerActive' : [ 0x150, ['unsigned char']], 'PageFileSectionHead' : [ 0x158, ['_RTL_AVL_TREE']], 'PageFileSectionListSpinLock' : [ 0x160, ['long']], 'ImageBias' : [ 0x164, ['unsigned long']], 'RelocateBitmapsLock' : [ 0x168, ['_EX_PUSH_LOCK']], 'ImageBitMap' : [ 0x170, ['_RTL_BITMAP']], 'ImageBias64Low' : [ 0x180, ['unsigned long']], 'ImageBias64High' : [ 0x184, ['unsigned long']], 'ImageBitMap64Low' : [ 0x188, ['_RTL_BITMAP']], 'ImageBitMap64High' : [ 0x198, ['_RTL_BITMAP']], 'ImageBitMapWow64Dll' : [ 0x1a8, ['_RTL_BITMAP']], 'ApiSetSection' : [ 0x1b8, ['pointer64', ['void']]], 'ApiSetSchema' : [ 0x1c0, ['pointer64', ['void']]], 'ApiSetSchemaSize' : [ 0x1c8, 
['unsigned long long']], 'LostDataFiles' : [ 0x1d0, ['unsigned long']], 'LostDataPages' : [ 0x1d4, ['unsigned long']], 'ImageFailureReason' : [ 0x1d8, ['unsigned long']], 'CfgBitMapSection32' : [ 0x1e0, ['pointer64', ['_SECTION']]], 'CfgBitMapControlArea32' : [ 0x1e8, ['pointer64', ['_CONTROL_AREA']]], 'CfgBitMapSection64' : [ 0x1f0, ['pointer64', ['_SECTION']]], 'CfgBitMapControlArea64' : [ 0x1f8, ['pointer64', ['_CONTROL_AREA']]], 'KernelCfgBitMap' : [ 0x200, ['_RTL_BITMAP_EX']], 'KernelCfgBitMapLock' : [ 0x210, ['_EX_PUSH_LOCK']], 'ImageCfgFailure' : [ 0x218, ['unsigned long']], 'ImageChecksumBreakpoint' : [ 0x21c, ['unsigned long']], 'ImageSizeBreakpoint' : [ 0x220, ['unsigned long']], 'ImageValidationFailed' : [ 0x224, ['long']], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x30, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'Reference' : [ 0x10, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x28, ['unsigned char']], 'Name' : [ 0x2a, ['array', 1, ['wchar']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 
'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_UOW_KEY_STATE_MODIFICATION' : [ 0x14, { 'RefCount' : [ 0x0, ['unsigned long']], 'SubKeyListCount' : [ 0x4, ['array', 2, ['unsigned long']]], 'NewSubKeyList' : [ 0xc, ['array', 2, ['unsigned long']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'WaitResponse' : [ 0xc, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_ETW_FILTER_HEADER' : [ 0x50, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x8, ['pointer64', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x10, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0x18, 
['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x20, ['pointer64', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x28, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x30, ['pointer64', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x38, ['pointer64', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x40, ['pointer64', ['_EVENT_FILTER_HEADER']]], 'EventNameFilter' : [ 0x48, ['pointer64', ['_ETW_FILTER_EVENT_NAME_DATA']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 24, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xb0, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 
'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ExecutePoolTypes' : [ 0x90, ['unsigned long']], 'ExecutePageProtections' : [ 0x94, ['unsigned long']], 'ExecutePageMappings' : [ 0x98, ['unsigned long']], 'ExecuteWriteSections' : [ 0x9c, ['unsigned long']], 'SectionAlignmentFailures' : [ 0xa0, ['unsigned long']], 'UnsupportedRelocs' : [ 0xa4, ['unsigned long']], 'IATInExecutableSection' : [ 0xa8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PEB' : [ 0x7a0, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'IsLongPathAwareProcess' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['_SLIST_HEADER']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessPreviouslyThrottled' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ProcessCurrentlyThrottled' : [ 
0x50, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'SharedData' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 
'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pUnused' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned 
long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x388, ['unsigned long long']], 'TppWorkerpList' : [ 0x390, ['_LIST_ENTRY']], 'WaitOnAddressHashTable' : [ 0x3a0, ['array', 128, ['pointer64', ['void']]]], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '__unnamed_23e0' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_23e5' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, 
['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_23e0']], 'Bits' : [ 0x4, ['__unnamed_23e5']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'DataLow' : [ 0x0, ['long long']], 'DataHigh' : [ 0x8, ['long long']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned 
char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_MI_SUB64K_FREE_RANGES' : [ 0x38, { 'BitMap' : [ 0x0, ['_RTL_BITMAP_EX']], 'ListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Vad' : [ 0x20, ['pointer64', ['_MMVAD_SHORT']]], 'SetBits' : [ 0x28, ['unsigned long']], 'FullSetBits' : [ 0x2c, ['unsigned long']], 'SubListIndex' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Hint' : [ 0x30, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '__unnamed_23fb' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_23fe' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0x1b0, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x10, ['_LIST_ENTRY']], 'Event' : [ 0x20, ['_KEVENT']], 'CollidedEvent' : [ 0x38, ['_KEVENT']], 'IoStatus' : [ 0x50, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x60, ['_LARGE_INTEGER']], 'ApcState' : [ 0x68, ['_KAPC_STATE']], 'Thread' : [ 0x98, ['pointer64', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0xa0, ['pointer64', ['_MMPFN']]], 'PteContents' : [ 0xa8, ['_MMPTE']], 'WaitCount' : [ 0xb0, ['long']], 'ByteCount' : [ 0xb4, ['unsigned long']], 'u3' : [ 0xb8, ['__unnamed_23fb']], 'u1' : [ 0xbc, ['__unnamed_23fe']], 'FilePointer' : [ 0xc0, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0xc8, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0xc8, ['pointer64', ['_SUBSECTION']]], 'Autoboost' : [ 0xd0, ['pointer64', ['void']]], 'FaultingAddress' : [ 0xd8, ['pointer64', ['void']]], 'PointerPte' : [ 0xe0, ['pointer64', ['_MMPTE']]], 'BasePte' : [ 0xe8, ['pointer64', 
['_MMPTE']]], 'Pfn' : [ 0xf0, ['pointer64', ['_MMPFN']]], 'PrefetchMdl' : [ 0xf8, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x100, ['_MDL']], 'Page' : [ 0x130, ['array', 16, ['unsigned long long']]], 'FlowThrough' : [ 0x130, ['_MMINPAGE_SUPPORT_FLOW_THROUGH']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_CMP_DISCARD_AND_REPLACE_KCB_CONTEXT' : [ 0x20, { 'BaseKcb' : [ 0x0, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'PrepareStatus' : [ 0x8, ['long']], 'ClonedKcbListHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions', 24: 'ConfigureDeviceReset'})]], 'ReorderingBarrier' : [ 0x1c, ['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long long']], 'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], 'ActivityId' : [ 0x38, ['_GUID']], 'RefCount' : [ 0x48, ['long']], 'Dequeued' : [ 0x4c, ['unsigned char']], 'CancelLock' : [ 0x50, 
['_EX_PUSH_LOCK']], 'CancelRequested' : [ 0x58, ['unsigned char']], } ], '_PPM_PLATFORM_STATE' : [ 0x180, { 'LevelId' : [ 0x0, ['unsigned long long']], 'Latency' : [ 0x8, ['unsigned long']], 'BreakEvenDuration' : [ 0xc, ['unsigned long']], 'VetoAccounting' : [ 0x10, ['_PPM_VETO_ACCOUNTING']], 'TransitionDebugger' : [ 0x38, ['unsigned char']], 'Platform' : [ 0x39, ['unsigned char']], 'DependencyListCount' : [ 0x3c, ['unsigned long']], 'Processors' : [ 0x40, ['_KAFFINITY_EX']], 'Name' : [ 0xe8, ['_UNICODE_STRING']], 'DependencyLists' : [ 0xf8, ['pointer64', ['_PPM_SELECTION_DEPENDENCY']]], 'Synchronization' : [ 0x100, ['_PPM_COORDINATED_SYNCHRONIZATION']], 'EnterTime' : [ 0x108, ['unsigned long long']], 'RefCount' : [ 0x140, ['long']], 'CacheAlign0' : [ 0x140, ['array', 64, ['unsigned char']]], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 
'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'Reserved' : [ 0x20, ['array', 3, ['pointer64', ['void']]]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_ETW_COUNTERS' : [ 0x10, { 'GuidCount' : [ 0x0, ['long']], 'PoolUsage' : [ 0x4, ['array', 2, ['long']]], 'SessionCount' : [ 0xc, ['long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['long long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'LowboxNumber' : [ 0x28, ['unsigned long']], 'AtomTable' : [ 0x30, ['pointer64', ['void']]], } ], '_PPM_SELECTION_MENU' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Entries' : [ 0x8, ['pointer64', ['_PPM_SELECTION_MENU_ENTRY']]], } ], '_MI_PARTITION' : [ 0x27c0, { 'Core' : [ 0x0, ['_MI_PARTITION_CORE']], 'Modwriter' : [ 0x1c8, ['_MI_PARTITION_MODWRITES']], 'Store' : [ 0x4a0, ['_MI_PARTITION_STORES']], 'Segments' : [ 0x540, ['_MI_PARTITION_SEGMENTS']], 'PageLists' : [ 0x780, ['_MI_PARTITION_PAGE_LISTS']], 'Commit' : [ 0x1340, ['_MI_PARTITION_COMMIT']], 'Zeroing' : [ 0x13c0, ['_MI_PARTITION_ZEROING']], 'PageCombine' : [ 0x1420, ['_MI_PAGE_COMBINING_SUPPORT']], 'WorkingSetControl' : [ 0x15a8, ['pointer64', ['void']]], 'WorkingSetExpansionHead' : [ 0x15b0, ['_MMWORKING_SET_EXPANSION_HEAD']], 'Vp' : [ 0x15c0, ['_MI_VISIBLE_PARTITION']], } ], 
'_TraceLoggingMetadata_t' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned char']], 'Flags' : [ 0x7, ['unsigned char']], 'Magic' : [ 0x8, ['unsigned long long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 
'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_IO_WORKITEM' : [ 0x58, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'WorkOnBehalfThread' : [ 0x38, ['pointer64', ['_ETHREAD']]], 'Type' : [ 0x40, ['unsigned long']], 'ActivityId' : [ 0x44, ['_GUID']], } ], '_DISALLOWED_GUIDS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Guids' : [ 0x8, ['pointer64', ['_GUID']]], } ], '_MMWSL_INSTANCE' : [ 0x28, { 'NextPteToTrim' : [ 0x0, ['pointer64', ['_MMPTE']]], 'NextPteToAge' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextPteToAccessClear' : [ 0x10, ['pointer64', ['_MMPTE']]], 'LastAccessClearingRemainder' : [ 0x18, ['unsigned long']], 'LastAgingRemainder' : [ 0x1c, ['unsigned long']], 'LockedEntries' : [ 0x20, ['unsigned long long']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', 
['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_CMHIVE' : [ 0x17a8, { 'Hive' : [ 0x0, ['_HHIVE']], 
'FileHandles' : [ 0xa68, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0xa98, ['_LIST_ENTRY']], 'HiveList' : [ 0xaa8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0xab8, ['_LIST_ENTRY']], 'FailedUnloadList' : [ 0xac8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0xad8, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0xae0, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0xaf0, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0xaf8, ['unsigned long']], 'DeletedKcbTable' : [ 0xb00, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0xb08, ['unsigned long']], 'Identity' : [ 0xb0c, ['unsigned long']], 'HiveLock' : [ 0xb10, ['pointer64', ['_FAST_MUTEX']]], 'WriterLock' : [ 0xb18, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0xb20, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0xb28, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0xb38, ['unsigned long']], 'FlushLogEntry' : [ 0xb40, ['pointer64', ['unsigned char']]], 'FlushLogEntrySize' : [ 0xb48, ['unsigned long']], 'FlushHiveTruncated' : [ 0xb4c, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0xb50, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0xb58, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0xb68, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0xb70, ['pointer64', ['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0xb78, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0xb80, ['pointer64', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0xb88, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0xb90, ['unsigned long']], 'LastShrinkHiveSize' : [ 0xb94, ['unsigned long']], 'ActualFileSize' : [ 0xb98, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0xba0, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0xbb0, ['_UNICODE_STRING']], 'FileUserName' : [ 0xbc0, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0xbd0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0xbe0, ['unsigned long']], 'SecurityCacheSize' : [ 0xbe4, ['unsigned long']], 'SecurityHitHint' : [ 0xbe8, ['long']], 'SecurityCache' 
: [ 0xbf0, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0xbf8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xff8, ['unsigned long']], 'UnloadEventArray' : [ 0x1000, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0x1008, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x1010, ['unsigned char']], 'UnloadWorkItem' : [ 0x1018, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x1020, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x1048, ['unsigned char']], 'GrowOffset' : [ 0x104c, ['unsigned long']], 'KcbConvertListHead' : [ 0x1050, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x1060, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0x1068, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0x14f0, ['unsigned long']], 'TrustClassEntry' : [ 0x14f8, ['_LIST_ENTRY']], 'DirtyTime' : [ 0x1508, ['unsigned long long']], 'UnreconciledTime' : [ 0x1510, ['unsigned long long']], 'CmRm' : [ 0x1518, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x1520, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x1524, ['long']], 'CreatorOwner' : [ 0x1528, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0x1530, ['pointer64', ['_KTHREAD']]], 'LastWriteTime' : [ 0x1538, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0x1540, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0x1558, ['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0x1570, ['unsigned long']], 'FlushActive' : [ 0x1570, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0x1570, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0x1570, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0x1570, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0x1574, ['unsigned long']], 'ReferenceCount' : [ 0x1578, ['long']], 'UnloadHistoryIndex' : [ 0x157c, ['long']], 'UnloadHistory' : [ 0x1580, 
['array', 128, ['unsigned long']]], 'BootStart' : [ 0x1780, ['unsigned long']], 'UnaccessedStart' : [ 0x1784, ['unsigned long']], 'UnaccessedEnd' : [ 0x1788, ['unsigned long']], 'LoadedKeyCount' : [ 0x178c, ['unsigned long']], 'HandleClosePending' : [ 0x1790, ['unsigned long']], 'HandleClosePendingEvent' : [ 0x1798, ['_EX_PUSH_LOCK']], 'FinalFlushSucceeded' : [ 0x17a0, ['unsigned char']], 'FailedUnload' : [ 0x17a1, ['unsigned char']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_KPROCESSOR_STATE' : [ 0x5c0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xf0, ['_CONTEXT']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'InProgressFlags' : [ 0x28, ['unsigned char']], 'KernelApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_PEP_ACPI_RESOURCE_FLAGS' : [ 0x4, { 'AsULong' : [ 0x0, ['unsigned long']], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Wake' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ResourceUsage' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SlaveMode' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'AddressingMode' : [ 0x0, ['BitField', dict(start_bit = 4, 
end_bit = 5, native_type='unsigned long')]], 'SharedMode' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_IO_ADAPTER_CRYPTO_PARAMETERS' : [ 0x10, { 'Tweak' : [ 0x0, ['unsigned long long']], 'KeyDescriptor' : [ 0x8, ['pointer64', ['_IO_ADAPTER_CRYPTO_KEY_DESCRIPTOR']]], } ], '_MI_PARTITION_PAGE_LISTS' : [ 0xbc0, { 'FreePagesByColor' : [ 0x0, ['array', 2, ['pointer64', ['_MMPFNLIST']]]], 'ZeroedPageListHead' : [ 0x40, ['_MMPFNLIST']], 'FreePageListHead' : [ 0x80, ['_MMPFNLIST']], 'StandbyPageListHead' : [ 0xc0, ['_MMPFNLIST']], 'StandbyPageListByPriority' : [ 0x100, ['array', 8, ['_MMPFNLIST']]], 'ModifiedPageListNoReservation' : [ 0x240, ['_MMPFNLIST']], 'ModifiedPageListByReservation' : [ 0x280, ['array', 16, ['_MMPFNLIST']]], 'MappedPageListHead' : [ 0x500, ['array', 16, ['_MMPFNLIST']]], 'BadPageListHead' : [ 0x780, ['_MMPFNLIST']], 'EnclavePageListHead' : [ 0x7c0, ['_MMPFNLIST']], 'FreePageSlist' : [ 0x7e8, ['array', 2, ['pointer64', ['_SLIST_HEADER']]]], 'PageLocationList' : [ 0x7f8, ['array', 8, ['pointer64', ['_MMPFNLIST']]]], 'StandbyRepurposedByPriority' : [ 0x838, ['array', 8, ['unsigned long']]], 'TransitionSharedPages' : [ 0x880, ['unsigned long long']], 'TransitionSharedPagesPeak' : [ 0x888, ['array', 3, ['unsigned long long']]], 'MappedPageListHeadEvent' : [ 0x8a0, ['array', 16, ['_KEVENT']]], 'DecayClusterTimerHeads' : [ 0xa20, ['array', 4, ['_MI_DECAY_TIMER_LINK']]], 'DecayHand' : [ 0xa40, ['unsigned long']], 'StandbyListDiscard' : [ 0xa44, ['unsigned char']], 'FreeListDiscard' : [ 0xa45, ['unsigned 
char']], 'LargePfnBitMapsReady' : [ 0xa46, ['unsigned char']], 'LastDecayHandUpdateTime' : [ 0xa48, ['unsigned long long']], 'LastChanceLdwContext' : [ 0xa50, ['_MI_LDW_WORK_CONTEXT']], 'AvailableEventsLock' : [ 0xac0, ['unsigned long long']], 'AvailablePageWaitStates' : [ 0xac8, ['array', 3, ['_MI_AVAILABLE_PAGE_WAIT_STATES']]], 'MirrorListLocks' : [ 0xb28, ['pointer64', ['void']]], 'TransitionPrivatePages' : [ 0xb40, ['unsigned long long']], 'LargePfnBitMap' : [ 0xb48, ['array', 2, ['_RTL_BITMAP_EX']]], 'LowMemoryThreshold' : [ 0xb68, ['unsigned long long']], 'HighMemoryThreshold' : [ 0xb70, ['unsigned long long']], 'LargePfnBitMapLock' : [ 0xb80, ['unsigned long long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '__unnamed_24b4' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_24b6' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_24b8' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_24b4']], 'Interrupt' : [ 0x0, ['__unnamed_24b6']], 'LocalInterrupt' : [ 0x0, ['__unnamed_24b6']], 'Sci' : [ 0x0, ['__unnamed_24b6']], 'Nmi' : [ 0x0, ['__unnamed_24b6']], 'Sea' : [ 0x0, ['__unnamed_24b6']], 'Sei' : [ 0x0, ['__unnamed_24b6']], 'Gsiv' : [ 0x0, ['__unnamed_24b6']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_24b8']], } ], '_THERMAL_INFORMATION_EX' : [ 0x5c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 
'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'ThermalStandbyTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], 'MinimumThrottle' : [ 0x50, ['unsigned long']], 'OverThrottleThreshold' : [ 0x54, ['unsigned long']], 'PollingPeriod' : [ 0x58, ['unsigned long']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x8, { 'LogHandleContext' : [ 0x0, ['pointer64', ['_LOG_HANDLE_CONTEXT']]], } ], '_KPRIQUEUE' : [ 0x2b0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x218, ['array', 32, ['long']]], 'MaximumCount' : [ 0x298, ['unsigned long']], 'ThreadListHead' : [ 0x2a0, ['_LIST_ENTRY']], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_KSCB' : [ 0x1a8, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'MinQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'MaxQuotaCycleTarget' : [ 0x10, ['unsigned long long']], 'RankCycleTarget' : [ 0x18, ['unsigned long long']], 'LongTermCycles' : [ 0x20, ['unsigned long long']], 'LastReportedCycles' : [ 0x28, ['unsigned long long']], 'OverQuotaHistory' : [ 0x30, ['unsigned long long']], 'ReadyTime' : [ 0x38, ['unsigned long long']], 'InsertTime' : [ 0x40, ['unsigned long long']], 'PerProcessorList' : [ 0x48, ['_LIST_ENTRY']], 'QueueNode' : [ 0x58, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 
0x70, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'MaxOverQuota' : [ 0x70, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'MinOverQuota' : [ 0x70, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x70, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SoftCap' : [ 0x70, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ShareRankOwner' : [ 0x70, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x70, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Depth' : [ 0x71, ['unsigned char']], 'ReadySummary' : [ 0x72, ['unsigned short']], 'Rank' : [ 0x74, ['unsigned long']], 'ShareRank' : [ 0x78, ['pointer64', ['unsigned long']]], 'OwnerShareRank' : [ 0x80, ['unsigned long']], 'ReadyListHead' : [ 0x88, ['array', 16, ['_LIST_ENTRY']]], 'ChildScbQueue' : [ 0x188, ['_RTL_RB_TREE']], 'Parent' : [ 0x198, ['pointer64', ['_KSCB']]], 'Root' : [ 0x1a0, ['pointer64', ['_KSCB']]], } ], '__unnamed_24d6' : [ 0x2, { 'SignatureLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'SignatureType' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned short')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'EntireField' : [ 0x0, ['unsigned short']], } ], '_KLDR_DATA_TABLE_ENTRY' : [ 0xa0, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'ExceptionTable' : [ 0x10, ['pointer64', ['void']]], 'ExceptionTableSize' : [ 0x18, ['unsigned long']], 'GpValue' : [ 0x20, ['pointer64', ['void']]], 'NonPagedDebugInfo' : [ 0x28, ['pointer64', ['_NON_PAGED_DEBUG_INFO']]], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 
'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'u1' : [ 0x6e, ['__unnamed_24d6']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'CoverageSectionSize' : [ 0x7c, ['unsigned long']], 'CoverageSection' : [ 0x80, ['pointer64', ['void']]], 'LoadedImports' : [ 0x88, ['pointer64', ['void']]], 'Spare' : [ 0x90, ['pointer64', ['void']]], 'SizeOfImageNotRounded' : [ 0x98, ['unsigned long']], 'TimeDateStamp' : [ 0x9c, ['unsigned long']], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_MI_SYSTEM_TRIM_STATE' : [ 0x40, { 'ExpansionLock' : [ 0x0, ['unsigned long long']], 'TrimInProgressCount' : [ 0x8, ['long']], 'PeriodicWorkingSetEvent' : [ 0x10, ['_KEVENT']], 'TrimAllPageFaultCount' : [ 0x28, ['array', 3, ['unsigned long']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0x18, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x8, ['array', 1, 
['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_MM_SYSTEM_PAGE_COUNTS' : [ 0x10, { 'SystemCodePage' : [ 0x0, ['unsigned long']], 'SystemDriverPage' : [ 0x4, ['unsigned long']], 'TotalSystemCodePages' : [ 0x8, ['long']], 'TotalSystemDriverPages' : [ 0xc, ['long']], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, 
['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_THERMAL_POLICY' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ThermalStandby' : [ 0x7, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], 'OverThrottled' : [ 0x14, ['unsigned char']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MI_ACCESS_LOG_STATE' : [ 0x80, { 'CcAccessLog' : [ 0x0, ['pointer64', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'DisableAccessLogging' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'Enabled' : [ 0x28, ['unsigned long']], 'MinLoggingPriority' : [ 0x2c, ['unsigned long']], 'AccessLoggingLock' : [ 0x40, ['unsigned long long']], } ], '_HMAP_TABLE' : [ 0x5000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '__unnamed_2508' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_250a' : [ 0x20, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_2508']], } ], '_VF_TARGET_DRIVER' : [ 0x40, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE_EX']], 'u1' : [ 0x18, ['__unnamed_250a']], 'VerifiedData' : [ 0x38, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', 
['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_ENERGY_STATE_DURATION' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'LastChangeTime' : [ 0x0, ['unsigned long']], 'Duration' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'IsInState' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x30, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x10, ['pointer64', ['void']]], 'SessionViewVa' : [ 0x10, ['pointer64', ['void']]], 'VadsProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Type' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SubsectionType' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SystemCacheAttributes' : [ 0x20, ['_MI_SYSTEM_CACHE_VIEW_ATTRIBUTES']], 'SectionOffset' : [ 0x20, ['unsigned long long']], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0x18, { 'ActiveThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'WaitList' : [ 0x8, ['pointer64', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x10, ['unsigned long']], } ], '_MI_SYSTEM_PTE_STATE' : [ 0x180, { 'MdlTrackerLookaside' : [ 0x0, ['_NPAGED_LOOKASIDE_LIST']], 'DeadPteTrackerSListHead' : [ 0x80, ['_SLIST_HEADER']], 'PteTrackerLock' : [ 0x90, ['unsigned long long']], 'PteTrackingBitmap' : [ 0x98, ['_RTL_BITMAP_EX']], 'CachedPteHeads' : [ 0xa8, ['pointer64', ['_MI_CACHED_PTES']]], 'SystemViewPteInfo' : [ 0xb0, ['_MI_SYSTEM_PTE_TYPE']], 'StackGrowthFailures' : [ 0x118, ['unsigned long']], 'KernelStackPages' : [ 0x11c, ['unsigned char']], 'TrackPtesAborted' : [ 0x11d, ['unsigned char']], 'AdjustCounter' : [ 0x11e, ['unsigned char']], 'ReservedMappingLock' : [ 0x120, ['long']], 'ReservedMappingTree' : [ 0x128, ['_RTL_AVL_TREE']], 'ReservedMappingPageTablePfns' : [ 0x130, 
['pointer64', ['_MMPFN']]], 'OutswappedKernelStackRoot' : [ 0x138, ['_RTL_AVL_TREE']], 'OutswappedKernelStackLock' : [ 0x140, ['long']], } ], '__unnamed_251e' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MI_PARTITION_FLAGS']], } ], '_MI_PARTITION_CORE' : [ 0x1c8, { 'PartitionId' : [ 0x0, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_251e']], 'Signature' : [ 0x8, ['unsigned long']], 'MemoryConfigurationChanged' : [ 0xc, ['unsigned char']], 'ReferenceCount' : [ 0x10, ['unsigned long long']], 'ParentPartition' : [ 0x18, ['pointer64', ['_MI_PARTITION']]], 'ListEntry' : [ 0x20, ['_LIST_ENTRY']], 'NodeInformation' : [ 0x30, ['pointer64', ['_MI_NODE_INFORMATION']]], 'PageRoot' : [ 0x38, ['_RTL_AVL_TREE']], 'MemoryNodeRuns' : [ 0x40, ['pointer64', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'MemoryBlockReferences' : [ 0x48, ['unsigned long long']], 'PfnUnmapWorkItem' : [ 0x50, ['_WORK_QUEUE_ITEM']], 'PfnUnmapCount' : [ 0x70, ['unsigned long long']], 'PfnUnmapWaitList' : [ 0x78, ['pointer64', ['void']]], 'MemoryRuns' : [ 0x80, ['pointer64', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'ExitEvent' : [ 0x88, ['_KEVENT']], 'SystemThreadHandles' : [ 0xa0, ['array', 5, ['pointer64', ['void']]]], 'PartitionObject' : [ 0xc8, ['pointer64', ['void']]], 'PartitionObjectHandle' : [ 0xd0, ['pointer64', ['void']]], 'PartitionSystemThreadsLock' : [ 0xd8, ['_EX_PUSH_LOCK']], 'DynamicMemoryPushLock' : [ 0xe0, ['_EX_PUSH_LOCK']], 'DynamicMemoryLock' : [ 0xe8, ['long']], 'PfnUnmapActive' : [ 0xec, ['unsigned char']], 'TemporaryMemoryEvent' : [ 0xf0, ['_KEVENT']], 'RootDirectory' : [ 0x108, ['pointer64', ['void']]], 'KernelObjectsDirectory' : [ 0x110, ['pointer64', ['void']]], 'MemoryEvents' : [ 0x118, ['array', 11, ['pointer64', ['_KEVENT']]]], 'MemoryEventHandles' : [ 0x170, ['array', 11, ['pointer64', ['void']]]], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, 
['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '__unnamed_252a' : [ 0x8, { 'InstancedWorkingSet' : [ 0x0, ['pointer64', ['void']]], } ], '_MMSUPPORT_INSTANCE' : [ 0xc8, { 'NextPageColor' : [ 0x0, ['unsigned short']], 'LastTrimStamp' : [ 0x2, ['unsigned short']], 'PageFaultCount' : [ 0x4, ['unsigned long']], 'TrimmedPageCount' : [ 0x8, ['unsigned long long']], 'VmWorkingSetList' : [ 0x10, ['pointer64', ['_MMWSL_INSTANCE']]], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, ['array', 8, ['unsigned long long']]], 'ExitOutswapGate' : [ 0x68, ['pointer64', ['_KGATE']]], 'MinimumWorkingSetSize' : [ 0x70, ['unsigned long long']], 'WorkingSetLeafSize' : [ 0x78, ['unsigned long long']], 'WorkingSetLeafPrivateSize' : [ 0x80, ['unsigned long long']], 'WorkingSetSize' : [ 0x88, ['unsigned long long']], 'WorkingSetPrivateSize' : [ 0x90, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0x98, ['unsigned long long']], 'PeakWorkingSetSize' : [ 0xa0, ['unsigned long long']], 'HardFaultCount' : [ 0xa8, ['unsigned long']], 'PartitionId' : [ 0xac, ['unsigned short']], 'Pad0' : [ 0xae, ['unsigned short']], 'u1' : [ 0xb0, ['__unnamed_252a']], 'Reserved0' : [ 0xb8, ['unsigned long long']], 'Flags' : [ 0xc0, ['_MMSUPPORT_FLAGS']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x10, ['unsigned char']], 'BlockState' : [ 0x11, ['unsigned char']], 'WaitKey' : [ 0x12, ['unsigned short']], 'SpareLong' : [ 0x14, ['long']], 'Thread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NotificationQueue' : [ 0x18, ['pointer64', ['_KQUEUE']]], 'Object' : [ 0x20, ['pointer64', ['void']]], 'SparePtr' : [ 0x28, ['pointer64', ['void']]], } ], '_PPM_SELECTION_MENU_ENTRY' : [ 0x18, { 'StrictDependency' : [ 0x0, ['unsigned char']], 'InitiatingState' : [ 0x1, ['unsigned 
char']], 'DependentState' : [ 0x2, ['unsigned char']], 'StateIndex' : [ 0x4, ['unsigned long']], 'Dependencies' : [ 0x8, ['unsigned long']], 'DependencyList' : [ 0x10, ['pointer64', ['_PPM_SELECTION_DEPENDENCY']]], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_HV_GET_BIN_CONTEXT' : [ 0x2, { 'OutstandingReference' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredRundown' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], } ], '_INVERTED_FUNCTION_TABLE' : [ 0x1810, { 'CurrentSize' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'Epoch' : [ 0x8, ['unsigned long']], 'Overflow' : [ 0xc, ['unsigned char']], 'TableEntry' : [ 0x10, ['array', 256, ['_INVERTED_FUNCTION_TABLE_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long long']], 'WorkQueue' : [ 0x20, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x60, ['pointer64', ['void']]], 'AcceptProcessorNotification' : [ 0x68, ['pointer64', ['void']]], 'AcceptAcpiNotification' : [ 0x70, ['pointer64', ['void']]], 'WorkOrderCount' : [ 0x78, ['unsigned long']], 'WorkOrders' : [ 0x80, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit 
= 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_ETW_REG_ENTRY' : [ 0x70, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GroupRegList' : [ 0x10, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x20, ['pointer64', ['_ETW_GUID_ENTRY']]], 'GroupEntry' : [ 0x28, ['pointer64', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x30, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x30, ['array', 4, ['pointer64', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x30, ['pointer64', ['void']]], 'SessionId' : [ 0x38, ['unsigned long']], 'Process' : [ 0x50, ['pointer64', ['_EPROCESS']]], 'CallbackContext' : [ 0x50, ['pointer64', ['void']]], 'Callback' : [ 0x58, ['pointer64', ['void']]], 'Index' : [ 0x60, ['unsigned short']], 'Flags' : [ 0x62, 
['unsigned short']], 'DbgKernelRegistration' : [ 0x62, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgUserRegistration' : [ 0x62, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgReplyRegistration' : [ 0x62, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgClassicRegistration' : [ 0x62, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgSessionSpaceRegistration' : [ 0x62, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgModernRegistration' : [ 0x62, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClosed' : [ 0x62, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgInserted' : [ 0x62, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DbgWow64' : [ 0x62, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'EnableMask' : [ 0x64, ['unsigned char']], 'GroupEnableMask' : [ 0x65, ['unsigned char']], 'UseDescriptorType' : [ 0x66, ['unsigned char']], 'Traits' : [ 0x68, ['pointer64', ['_ETW_PROVIDER_TRAITS']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_PS_INTERLOCKED_TIMER_DELAY_VALUES' : [ 0x8, { 'DelayMs' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long long')]], 'CoalescingWindowMs' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 60, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 61, native_type='unsigned long long')]], 'NewTimerWheel' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 62, native_type='unsigned long long')]], 'Retry' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'Locked' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, 
native_type='unsigned long long')]], 'All' : [ 0x0, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_MI_SYSTEM_VA_STATE' : [ 0x380, { 'SystemTablesLock' : [ 0x0, ['unsigned long long']], 'AvailableSystemCacheVa' : [ 0x8, ['unsigned long long']], 'DynamicBitMapSystemPtes' : [ 0x10, ['_MI_DYNAMIC_BITMAP']], 'DynamicBitMapDriverImages' : [ 0x58, ['array', 2, ['_MI_DYNAMIC_BITMAP']]], 'DynamicBitMapPagedPool' : [ 0xe8, ['_MI_DYNAMIC_BITMAP']], 'DynamicBitMapSpecialPool' : [ 0x130, ['array', 2, ['_MI_DYNAMIC_BITMAP']]], 'DynamicBitMapSystemCache' : [ 0x1c0, ['_MI_DYNAMIC_BITMAP']], 'HalPrivateVaStart' : [ 0x208, ['pointer64', ['void']]], 'HalPrivateVaSize' : [ 0x210, ['unsigned long long']], 'SystemVaAssignment' : [ 0x218, ['array', 8, ['unsigned long']]], 'SystemVaAssignmentHint' : [ 0x238, ['unsigned long']], 'DeleteKvaLock' : [ 0x23c, ['long']], 'WsleArrays' : [ 0x240, ['array', 5, ['pointer64', ['_MI_WSLE']]]], 'PagableHyperSpace' : [ 0x268, ['pointer64', ['_MI_HYPER_SPACE']]], 'HyperSpaceEnd' : [ 0x270, ['pointer64', ['void']]], 'FreeSystemCacheVa' : [ 0x278, ['_KEVENT']], 'SystemVaLock' : [ 0x290, ['unsigned long long']], 'SystemCacheViewLock' : [ 0x298, ['unsigned long long']], 'SystemWorkingSetList' : [ 0x2a0, ['array', 5, ['_MMWSL_INSTANCE']]], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, 
['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MMSUPPORT_SHARED' : [ 0x48, { 'WorkingSetLock' : [ 0x0, ['long']], 'GoodCitizenWaiting' : [ 0x4, ['long']], 'ReleasedCommitDebt' : [ 0x8, ['unsigned long long']], 'ResetPagesRepurposedCount' : [ 0x10, ['unsigned long long']], 'WsSwapSupport' : [ 0x18, ['pointer64', ['void']]], 'CommitReleaseContext' : [ 0x20, ['pointer64', ['void']]], 'AccessLog' : [ 0x28, ['pointer64', ['void']]], 'ChargedWslePages' : [ 0x30, ['unsigned long long']], 'ActualWslePages' : [ 0x38, ['unsigned long long']], 'Reserved0' : [ 0x40, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, 
['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_ASYNC_READ_THREAD_STATS' : [ 0x194, { 'CurrentLoad' : [ 0x0, ['array', 101, ['unsigned long']]], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_MMCLONE_BLOCK' : [ 0x20, { 
'ProtoPte' : [ 0x0, ['_MMPTE']], 'PaddingFor16ByteAlignment' : [ 0x8, ['unsigned long long']], 'CloneCommitCount' : [ 0x10, ['unsigned long long']], 'u1' : [ 0x10, ['_MI_CLONE_BLOCK_FLAGS']], 'CloneRefCount' : [ 0x18, ['unsigned long long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Propagated' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PS_TRUSTLET_TKSESSION_ID' : [ 0x20, { 'SessionId' : [ 0x0, ['array', 4, ['unsigned long long']]], } ], '__unnamed_25c1' : [ 0x8, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], 'RemoteImageFileObject' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RemoteDataFileObject' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], } ], '_SECTION' : [ 0x40, { 'SectionNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u1' : [ 0x28, ['__unnamed_25c1']], 
'SizeOfSection' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_16e5']], 'InitialPageProtection' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'SessionId' : [ 0x3c, ['BitField', dict(start_bit = 12, end_bit = 31, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x3c, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_FAST_OWNER_ENTRY' : [ 0x48, { 'Reserved' : [ 0x0, ['array', 9, ['pointer64', ['void']]]], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'CompactionMask' : [ 0x8, ['unsigned long long']], 'Reserved2' : [ 0x10, ['array', 6, ['unsigned long long']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0xb8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'ArgumentStatus' : [ 0x14, ['long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'RefCount' : [ 0x40, ['unsigned long']], 'Lock' : [ 0x44, ['unsigned long']], 'Cancel' : [ 0x48, ['unsigned char']], 'Parent' : [ 0x50, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'ActivityId' : [ 0x58, ['_GUID']], 'Data' : [ 0x68, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_PROCESS_ENERGY_VALUES_EXTENSION' : [ 0x48, { 'Timelines' : [ 0x0, 
['array', 9, ['_TIMELINE_BITMAP']]], 'CpuTimeline' : [ 0x0, ['_TIMELINE_BITMAP']], 'DiskTimeline' : [ 0x8, ['_TIMELINE_BITMAP']], 'NetworkTimeline' : [ 0x10, ['_TIMELINE_BITMAP']], 'MBBTimeline' : [ 0x18, ['_TIMELINE_BITMAP']], 'ForegroundTimeline' : [ 0x20, ['_TIMELINE_BITMAP']], 'DesktopVisibleTimeline' : [ 0x28, ['_TIMELINE_BITMAP']], 'CompositionRenderedTimeline' : [ 0x30, ['_TIMELINE_BITMAP']], 'CompositionDirtyGeneratedTimeline' : [ 0x38, ['_TIMELINE_BITMAP']], 'CompositionDirtyPropagatedTimeline' : [ 0x40, ['_TIMELINE_BITMAP']], } ], '_MI_LDW_WORK_CONTEXT' : [ 0x38, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'FileObject' : [ 0x20, ['pointer64', ['_FILE_OBJECT']]], 'ErrorStatus' : [ 0x28, ['long']], 'Active' : [ 0x2c, ['long']], 'FreeWhenDone' : [ 0x30, ['unsigned char']], } ], '_MI_DEBUGGER_STATE' : [ 0x118, { 'TransientWrite' : [ 0x0, ['unsigned char']], 'CodePageEdited' : [ 0x1, ['unsigned char']], 'DebugPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'PoisonedTb' : [ 0x10, ['unsigned long']], 'InDebugger' : [ 0x14, ['long']], 'Pfns' : [ 0x18, ['array', 32, ['pointer64', ['void']]]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x10, { 'CrossThreadReleasable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 63, native_type='unsigned long long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'LockState' : [ 0x0, ['pointer64', ['void']]], 'SessionState' : [ 0x8, ['pointer64', ['void']]], 'SessionId' : [ 0x8, ['unsigned long']], 'SessionPad' : [ 0xc, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 
'Flags' : [ 0x21, ['unsigned char']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_ETIMER' : [ 0x138, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x40, ['unsigned long long']], 'TimerApc' : [ 0x48, ['_KAPC']], 'TimerDpc' : [ 0xa0, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'Period' : [ 0xf0, ['unsigned long']], 'TimerFlags' : [ 0xf4, ['unsigned char']], 'ApcAssociated' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0xf5, ['unsigned char']], 'Spare2' : [ 0xf6, ['unsigned short']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x110, ['pointer64', ['void']]], 'VirtualizedTimerLinks' : [ 0x118, ['_LIST_ENTRY']], 'DueTime' : [ 0x128, ['unsigned long long']], 'CoalescingWindow' : [ 0x130, ['unsigned long']], } ], '_MI_SHUTDOWN_STATE' : [ 0x78, { 'CrashDumpInitialized' : [ 0x0, ['unsigned char']], 
'ConnectedStandbyActive' : [ 0x1, ['unsigned char']], 'ZeroPageFileAtShutdown' : [ 0x2, ['unsigned char']], 'SystemShutdown' : [ 0x4, ['unsigned long']], 'ShutdownFlushInProgress' : [ 0x8, ['long']], 'MirroringActive' : [ 0xc, ['unsigned long']], 'ResumeItem' : [ 0x10, ['_MI_RESUME_WORKITEM']], 'MirrorHoldsPfn' : [ 0x48, ['pointer64', ['_ETHREAD']]], 'MirrorBitMaps' : [ 0x50, ['array', 2, ['_RTL_BITMAP_EX']]], 'CrashDumpPte' : [ 0x70, ['pointer64', ['_MMPTE']]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_ETW_PRIV_HANDLE_DEMUX_TABLE' : [ 0x20, { 'Tree' : [ 0x0, ['_RTL_RB_TREE']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'SequenceNumber' : [ 0x18, ['unsigned short']], } ], '_ARM64_DBGKD_CONTROL_SET' : [ 0x18, { 'Continue' : [ 0x0, ['unsigned long']], 'TraceFlag' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x10, ['unsigned long long']], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoQoSPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', 
['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PERIODIC_CAPTURE_STATE_GUIDS' : [ 0x10, { 'ProviderCount' : [ 0x0, ['unsigned short']], 'Providers' : [ 0x8, ['pointer64', ['_GUID']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_ACTIVATION_CONTEXT_STACK64' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['unsigned long long']], 'FrameListCache' : [ 0x8, ['LIST_ENTRY64']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x1d8, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x8, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x10, ['unsigned long long']], 'IdleTimeTotal' : [ 0x18, ['unsigned long long']], 'IdleTimeEntry' : [ 0x20, ['unsigned long long']], 'IdleTimeExpiration' : [ 0x28, ['unsigned long long']], 'NonInterruptibleTransition' : [ 0x30, ['unsigned char']], 'PepWokenTransition' : [ 0x31, ['unsigned char']], 'EfficiencyClass' : [ 0x32, ['unsigned char']], 'SchedulingClass' : [ 0x33, ['unsigned char']], 'TargetIdleState' : [ 0x34, ['unsigned long']], 'IdlePolicy' : [ 0x38, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x40, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x48, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xd8, ['Enumeration', dict(target = 'long', choices = {0: 
'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower', 3: 'ProcHypervisorHvCounters'})]], 'LastSysTime' : [ 0xdc, ['unsigned long']], 'WmiDispatchPtr' : [ 0xe0, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0xe8, ['long']], 'FFHThrottleStateInfo' : [ 0xf0, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x110, ['_KDPC']], 'PerfActionMask' : [ 0x150, ['long']], 'HvIdleCheck' : [ 0x158, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x168, ['pointer64', ['_PROC_PERF_CHECK']]], 'Domain' : [ 0x170, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x178, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x180, ['pointer64', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'ClassConcurrency' : [ 0x188, ['pointer64', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x190, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x198, ['pointer64', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x1a0, ['unsigned char']], 'HvTargetState' : [ 0x1a1, ['unsigned char']], 'Parked' : [ 0x1a2, ['unsigned char']], 'LatestPerformancePercent' : [ 0x1a4, ['unsigned long']], 'AveragePerformancePercent' : [ 0x1a8, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x1ac, ['unsigned long']], 'RelativePerformance' : [ 0x1b0, ['unsigned long']], 'Utility' : [ 0x1b4, ['unsigned long']], 'AffinitizedUtility' : [ 0x1b8, ['unsigned long']], 'SnapTimeLast' : [ 0x1c0, ['unsigned long long']], 'EnergyConsumed' : [ 0x1c0, ['unsigned long long']], 'ActiveTime' : [ 0x1c8, ['unsigned long long']], 'TotalTime' : [ 0x1d0, ['unsigned long long']], } ], '_MI_PARTITION_SEGMENTS' : [ 0x240, { 'SegmentListLock' : [ 0x0, ['long']], 'DeleteOnCloseCount' : [ 0x4, ['unsigned long']], 'FsControlAreaCount' : [ 0x8, ['long long']], 'PfControlAreaCount' : [ 0x10, ['long long']], 'DeleteSubsectionCleanup' : [ 0x18, ['_KEVENT']], 'UnusedSegmentCleanup' : [ 0x30, ['_KEVENT']], 'SubsectionDeletePtes' : [ 0x48, ['unsigned long long']], 'DereferenceSegmentHeader' : [ 0x50, 
['_MMDEREFERENCE_SEGMENT_HEADER']], 'DeleteOnCloseList' : [ 0x80, ['_LIST_ENTRY']], 'DeleteOnCloseTimer' : [ 0x90, ['_KTIMER']], 'DeleteOnCloseTimerActive' : [ 0xd0, ['unsigned char']], 'UnusedSegmentList' : [ 0xd8, ['_LIST_ENTRY']], 'UnusedSubsectionList' : [ 0xe8, ['_LIST_ENTRY']], 'DeleteSubsectionList' : [ 0xf8, ['_LIST_ENTRY']], 'ControlAreaDeleteEvent' : [ 0x108, ['_KEVENT']], 'ControlAreaDeleteList' : [ 0x120, ['_SINGLE_LIST_ENTRY']], 'FreeSystemCache' : [ 0x128, ['_MI_PTE_CHAIN_HEAD']], 'CloneDereferenceEvent' : [ 0x140, ['_KEVENT']], 'CloneProtosSListHead' : [ 0x160, ['_SLIST_HEADER']], 'SystemCacheInitLock' : [ 0x170, ['_EX_PUSH_LOCK']], 'SharedCharges' : [ 0x178, ['array', 4, ['_MI_CROSS_PARTITION_CHARGES']]], 'SharedChargesDrainEvent' : [ 0x1f8, ['pointer64', ['_KEVENT']]], 'PagefileControlAreasDrainEvent' : [ 0x200, ['pointer64', ['_KEVENT']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long 
long')]], } ], '_MI_AVAILABLE_PAGE_WAIT_STATES' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'EventSets' : [ 0x18, ['unsigned long']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, 
['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_POP_FX_DEVICE' : [ 0x2a0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x18, ['pointer64', ['_POP_IRP_DATA']]], 'Status' : [ 0x20, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x24, ['long']], 'PowerNotReqCall' : [ 0x28, ['long']], 'DevNode' : [ 0x30, ['pointer64', ['_DEVICE_NODE']]], 'DpmContext' : [ 0x38, ['pointer64', ['PEPHANDLE__']]], 'Plugin' : [ 0x40, ['pointer64', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x48, ['pointer64', ['PEPHANDLE__']]], 'AcpiPlugin' : [ 0x50, ['pointer64', ['_POP_FX_PLUGIN']]], 'AcpiPluginHandle' : [ 0x58, ['pointer64', ['PEPHANDLE__']]], 'DeviceObject' : [ 0x60, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x68, ['pointer64', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x70, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0xb0, ['pointer64', ['void']]], 'AcpiLink' : [ 0xb8, ['_LIST_ENTRY']], 'DeviceId' : [ 0xc8, ['_UNICODE_STRING']], 'RemoveLock' : [ 0xd8, ['_IO_REMOVE_LOCK']], 'AcpiRemoveLock' : [ 0xf8, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0x118, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0x150, ['unsigned long long']], 'IdleTimer' : [ 0x158, ['_KTIMER']], 'IdleDpc' : [ 0x198, ['_KDPC']], 'IdleTimeout' : [ 0x1d8, ['unsigned long long']], 'IdleStamp' : [ 0x1e0, ['unsigned long long']], 'NextIrpDeviceObject' : [ 0x1e8, ['array', 2, ['pointer64', ['_DEVICE_OBJECT']]]], 'NextIrpPowerState' : [ 0x1f8, ['array', 2, ['_POWER_STATE']]], 'NextIrpCallerCompletion' : [ 0x200, ['array', 2, ['pointer64', ['void']]]], 'NextIrpCallerContext' : [ 0x210, ['array', 2, ['pointer64', ['void']]]], 'IrpCompleteEvent' : [ 0x220, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x238, ['pointer64', ['void']]], 'Accounting' : [ 0x240, ['_POP_FX_ACCOUNTING']], 'Flags' : [ 0x270, ['unsigned long']], 'ComponentCount' : [ 0x274, ['unsigned long']], 'Components' : [ 0x278, ['pointer64', ['pointer64', ['_POP_FX_COMPONENT']]]], 'LogEntries' : [ 0x280, ['unsigned 
long']], 'Log' : [ 0x288, ['pointer64', ['_POP_FX_LOG_ENTRY']]], 'LogIndex' : [ 0x290, ['long']], 'DripsWatchdogDriverObject' : [ 0x298, ['pointer64', ['_DRIVER_OBJECT']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_IOV_IRP_TRACE' : [ 0x80, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x10, ['short']], 'SpecialApcDisable' : [ 0x12, ['short']], 'CombinedApcDisable' : [ 0x10, ['unsigned long']], 'Irql' : [ 0x14, ['unsigned char']], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '_MI_CLONE_BLOCK_FLAGS' : [ 0x8, { 'ActualCloneCommit' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 59, native_type='unsigned long long')]], 'CloneProtection' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], } ], '_PS_JOB_WAKE_INFORMATION' : [ 0x48, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 7, ['unsigned long long']]], 'NoWakeCounter' : [ 0x40, ['unsigned long long']], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GetExtents' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CoalescedIo' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'VmLockNotNeeded' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_IO_ADAPTER_CRYPTO_KEY_DESCRIPTOR' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'CryptoIndex' : [ 0x8, ['unsigned long']], 'AlgorithmId' : [ 0xc, ['unsigned long']], 'DataUnitSize' : [ 0x10, ['unsigned long']], 'KeySize' : [ 0x14, ['unsigned long']], 'KeyHash' : [ 0x18, ['array', 32, ['unsigned char']]], 'KeyVirtualAddress' : [ 0x38, ['pointer64', ['void']]], 'KeyPhysicalAddress' : [ 0x40, 
['_LARGE_INTEGER']], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long long']], 'Processors' : [ 0x8, ['unsigned long']], 'ActiveProcessors' : [ 0xc, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_SEP_CACHED_HANDLES_ENTRY_DESCRIPTOR' : [ 0x18, { 'DescriptorType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SepCachedHandlesEntryLowbox', 1: 'SepCachedHandlesEntryBnoIsolation'})]], 'PackageSid' : [ 0x8, ['pointer64', ['void']]], 'IsolationPrefix' : [ 0x8, ['_UNICODE_STRING']], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_AVL_TABLE' : [ 0xc0, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x70, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['long']], } ], '__unnamed_2679' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_267b' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_2679']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x60, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 
'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CoolingExtension' : [ 0x40, ['pointer64', ['_POP_COOLING_EXTENSION']]], 'Volume' : [ 0x48, ['_LIST_ENTRY']], 'Specific' : [ 0x58, ['__unnamed_267b']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_CM_UOW_SET_SD_DATA' : [ 0x4, { 'SecurityCell' : [ 0x0, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x38, ['long']], } ], '_WRITE_BEHIND_THROUGHPUT' : [ 0x8, { 'PagesYetToWrite' : [ 0x0, ['unsigned long']], 'Throughput' : 
[ 0x4, ['unsigned long']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_PPM_COORDINATED_SYNCHRONIZATION' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'EnterProcessor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'ExitProcessor' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 24, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 26, native_type='unsigned long')]], 'Entered' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'EntryPriority' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_KDPC_LIST' : [ 0x10, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 
'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['_CM_COMPONENT_HASH']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_THERMAL_TELEMETRY_TRACKER' : [ 0x160, { 'AccountingDisabled' : [ 0x0, ['unsigned char']], 'LastPassiveUpdateTime' : [ 0x8, ['unsigned long long']], 'TotalPassiveTime' : [ 0x10, ['array', 21, ['unsigned long long']]], 'PassiveTimeSnap' : [ 0xb8, ['array', 21, ['unsigned long long']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_POP_FX_LOG_ENTRY' : [ 0x18, { 'Timestamp' : [ 0x0, ['unsigned long long']], 'Operation' : [ 0x8, ['unsigned char']], 'Component' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'Process' : [ 0xc, ['unsigned short']], 'Thread' : [ 0xe, ['unsigned short']], 'Information' : [ 0x10, ['unsigned long long']], } ], '_MI_VISIBLE_PARTITION' : [ 0x1200, { 'LowestPhysicalPage' : [ 0x0, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x8, ['unsigned long long']], 'NumberOfPhysicalPages' : [ 0x10, ['unsigned long long']], 'NumberOfPagingFiles' : [ 0x18, ['unsigned long']], 
'SystemCacheInitialized' : [ 0x1c, ['unsigned char']], 'PagingFile' : [ 0x20, ['array', 16, ['pointer64', ['_MMPAGING_FILE']]]], 'AvailablePages' : [ 0xc0, ['unsigned long long']], 'ResidentAvailablePages' : [ 0x100, ['unsigned long long']], 'PartitionWs' : [ 0x140, ['array', 1, ['_MMSUPPORT_INSTANCE']]], 'PartitionWorkingSetLists' : [ 0x208, ['array', 1, ['_MMWSL_INSTANCE']]], 'TotalCommittedPages' : [ 0x230, ['unsigned long long']], 'ModifiedPageListHead' : [ 0x240, ['_MMPFNLIST']], 'ModifiedNoWritePageListHead' : [ 0x280, ['_MMPFNLIST']], 'TotalCommitLimit' : [ 0x2a8, ['unsigned long long']], 'TotalPagesForPagingFile' : [ 0x2b0, ['unsigned long long']], 'VadPhysicalPages' : [ 0x2b8, ['unsigned long long']], 'ProcessLockedFilePages' : [ 0x2c0, ['unsigned long long']], 'SharedCommit' : [ 0x2c8, ['unsigned long long']], 'ChargeCommitmentFailures' : [ 0x2d0, ['array', 4, ['unsigned long']]], 'PageFileTraceIndex' : [ 0x2e0, ['long']], 'PageFileTraces' : [ 0x2e8, ['array', 32, ['_MI_PAGEFILE_TRACES']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], 
'_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x58, { 'Context' : [ 0x0, ['pointer64', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x38, ['unsigned long']], 'DependencyUsed' : [ 0x3c, ['unsigned long']], 'DependencyArray' : [ 0x40, ['pointer64', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x48, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x4c, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x50, ['unsigned long']], } ], '_PNP_REBALANCE_TRACE_CONTEXT' : [ 0x70, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'RebalancePhase' : [ 0x4, ['unsigned long']], 'Reason' : [ 0x8, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'RebalanceReasonUnknown', 1: 'RebalanceReasonRequirementsChanged', 2: 'RebalanceReasonNewDevice'})]]], 'Failure' : [ 0x10, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'RebalanceFailureNone', 1: 'RebalanceFailureDisabled', 2: 'RebalanceFailureNoMemory', 3: 'RebalanceFailureQueryStopUnexpectedVeto', 4: 'RebalanceFailureNoRequirements', 5: 'RebalanceFailureNoCandidates', 6: 'RebalanceFailureNoConfiguration'})]]], 'SubtreeRoot' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'SubtreeIncludesRoot' : [ 0x20, ['unsigned char']], 'TriggerRoot' : [ 0x28, ['pointer64', ['_DEVICE_NODE']]], 'RebalanceDueToDynamicPartitioning' : [ 0x30, ['unsigned char']], 'BeginTime' : [ 0x38, ['unsigned long long']], 'VetoNode' : [ 0x40, ['array', 2, ['pointer64', ['_DEVICE_NODE']]]], 'VetoQueryRebalanceReason' : [ 0x50, ['array', -8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceQueryRebalanceSucceeded', 1: 'DeviceQueryStopFailed', 2: 'DeviceFailedGetNewResourceRequirement', 3: 'DeviceInUnexpectedState', 4: 'DeviceNotSupportQueryRebalance'})]]], 'ConflictContext' : [ 0x58, ['_PNP_RESOURCE_CONFLICT_TRACE_CONTEXT']], } ], '_IOP_IRP_STACK_PROFILER' : [ 0x54, { 'Profile' : [ 0x0, ['array', 20, ['unsigned long']]], 'TotalIrps' : [ 0x50, ['unsigned long']], } ], '_HMAP_ENTRY' : 
[ 0x28, { 'BlockOffset' : [ 0x0, ['unsigned long long']], 'PermanentBinAddress' : [ 0x8, ['unsigned long long']], 'TemporaryBinAddress' : [ 0x10, ['unsigned long long']], 'TemporaryBinRundown' : [ 0x18, ['_EX_RUNDOWN_REF']], 'MemAlloc' : [ 0x20, ['unsigned long']], } ], '__unnamed_26e5' : [ 0x18, { 'RequestedTime' : [ 0x0, ['unsigned long long']], 'ProgrammedTime' : [ 0x8, ['unsigned long long']], 'TimerInfo' : [ 0x10, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0x110, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 
'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'WakeFirstUnattendedTime' : [ 0x58, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x68, ['array', 3, ['__unnamed_26e5']]], 'WakeAlarmPaused' : [ 0xb0, ['unsigned char']], 'WakeAlarmLastTime' : [ 0xb8, ['unsigned long long']], 'FilteredCapabilities' : [ 0xc0, ['SYSTEM_POWER_CAPABILITIES']], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, 
['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_WNF_LOCK' : [ 0x8, { 'PushLock' : [ 0x0, ['_EX_PUSH_LOCK']], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '_ISR_THUNK' : [ 0x8, { 'PushImm' : [ 0x0, ['unsigned char']], 'Vector' : [ 0x1, ['unsigned char']], 'PushRbp' : [ 0x2, ['unsigned char']], 'JmpOp' : [ 0x3, ['unsigned char']], 'JmpOffset' : [ 0x4, ['long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KINTERRUPT' : [ 0x100, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'EmulateActiveBoth' : [ 0x65, ['unsigned char']], 'ActiveCount' : [ 0x66, ['unsigned short']], 'InternalState' : [ 0x68, ['long']], 'Mode' : [ 0x6c, 
['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x74, ['unsigned long']], 'DispatchCount' : [ 0x78, ['unsigned long']], 'PassiveEvent' : [ 0x80, ['pointer64', ['_KEVENT']]], 'TrapFrame' : [ 0x88, ['pointer64', ['_KTRAP_FRAME']]], 'DisconnectData' : [ 0x90, ['pointer64', ['void']]], 'ServiceThread' : [ 0x98, ['pointer64', ['_KTHREAD']]], 'ConnectionData' : [ 0xa0, ['pointer64', ['_INTERRUPT_CONNECTION_DATA']]], 'IntTrackEntry' : [ 0xa8, ['pointer64', ['void']]], 'IsrDpcStats' : [ 0xb0, ['_ISRDPCSTATS']], 'RedirectObject' : [ 0xf0, ['pointer64', ['void']]], 'Padding' : [ 0xf8, ['array', 8, ['unsigned char']]], } ], '_MI_PARTITION_ZEROING' : [ 0x60, { 'PageEvent' : [ 0x0, ['_KEVENT']], 'ThreadActive' : [ 0x18, ['unsigned char']], 'ZeroFreePageSlistMinimum' : [ 0x1c, ['long']], 'RebalanceZeroFreeWorkItem' : [ 0x20, ['_WORK_QUEUE_ITEM']], 'ThreadCount' : [ 0x40, ['long']], 'Gate' : [ 0x48, ['_KGATE']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x40, { 'ComponentActive' : [ 0x0, ['pointer64', ['void']]], 'ComponentIdle' : [ 0x8, ['pointer64', ['void']]], 'ComponentIdleState' : [ 0x10, ['pointer64', ['void']]], 'DevicePowerRequired' : [ 0x18, ['pointer64', ['void']]], 'DevicePowerNotRequired' : [ 0x20, ['pointer64', ['void']]], 'PowerControl' : [ 0x28, ['pointer64', ['void']]], 'ComponentCriticalTransition' : [ 0x30, ['pointer64', ['void']]], 'DripsWatchdogCallback' : [ 0x38, ['pointer64', ['void']]], } ], '_FAST_ERESOURCE_INTERNAL' : [ 0x68, { 
'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'ReservedPointer' : [ 0x10, ['pointer64', ['void']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['_KWAIT_CHAIN']], 'ExclusiveWaiters' : [ 0x28, ['_KWAIT_CHAIN']], 'OwnerEntryListHead' : [ 0x30, ['_LIST_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'ReservedWin64OnlyPointer' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Reserved0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'u1' : [ 0x0, ['unsigned short']], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ForceAge' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ForceTrim' : [ 
0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'UnlockInProgress' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'NewMaximum' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CommitReleaseState' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'u2' : [ 0x3, ['unsigned char']], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_MI_SYSTEM_CACHE_VIEW_ATTRIBUTES' : [ 0x10, { 'NumberOfPtes' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long long')]], 'SectionOffset' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 48, native_type='unsigned long long')]], } ], '_WAITING_IRP' : [ 0x38, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'CompletionRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'Information' : [ 0x30, ['unsigned long']], 'BreakAllRH' : [ 0x34, ['unsigned char']], } ], '_MI_DYNAMIC_BITMAP' : [ 0x48, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP_EX']], 'MaximumSize' : [ 0x10, ['unsigned long long']], 'Hint' : [ 0x18, ['unsigned long long']], 'BaseVa' : [ 0x20, ['pointer64', ['void']]], 'SizeTopDown' : [ 0x28, ['unsigned long long']], 'HintTopDown' : [ 0x30, ['unsigned long long']], 'BaseVaTopDown' : [ 0x38, ['pointer64', ['void']]], 'SpinLock' : [ 0x40, ['unsigned long long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x8, { 'PushImm' : [ 0x0, ['unsigned char']], 'Vector' : [ 0x1, ['unsigned char']], 'PushRbp' : [ 0x2, ['unsigned char']], 'JmpOp' : [ 0x3, ['unsigned char']], 'JmpOffset' : [ 
0x4, ['long']], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, ['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 28, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 64, native_type='unsigned long long')]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PLATFORM_IDLE_STATE_ACCOUNTING' : [ 
0x3f0, { 'CancelCount' : [ 0x0, ['unsigned long']], 'FailureCount' : [ 0x4, ['unsigned long']], 'SuccessCount' : [ 0x8, ['unsigned long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'TotalTime' : [ 0x20, ['unsigned long long']], 'InvalidBucketIndex' : [ 0x28, ['unsigned long']], 'SelectionStatistics' : [ 0x30, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xb0, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_PROC_FEEDBACK' : [ 0x90, { 'Lock' : [ 0x0, ['unsigned long long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer64', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x28, ['unsigned long long']], 'UnscaledTime' : [ 0x30, ['unsigned long long']], 'UnaccountedTime' : [ 0x38, ['long long']], 'ScaledTime' : [ 0x40, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x50, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x58, ['unsigned long long']], 'UserTimeLast' : [ 0x60, ['unsigned long']], 'KernelTimeLast' : [ 0x64, ['unsigned long']], 'IdleGenerationNumberLast' : [ 0x68, ['unsigned long long']], 'HvActiveTimeLast' : [ 0x70, ['unsigned long long']], 'StallCyclesLast' : [ 0x78, ['unsigned long long']], 'StallTime' : [ 0x80, ['unsigned long long']], 'KernelTimesIndex' : [ 0x88, ['unsigned char']], } ], '_TIMELINE_BITMAP' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x0, ['unsigned long']], 'Bitmap' : [ 0x4, ['unsigned long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x30, { 'InstantaneousRead' : [ 0x0, ['pointer64', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer64', ['void']]], 'LastActualCount' : 
[ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'Scaling' : [ 0x22, ['unsigned char']], 'Context' : [ 0x28, ['unsigned long long']], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_MI_DRIVER_VA' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_DRIVER_VA']]], 'PointerPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BitMap' : [ 0x10, ['_RTL_BITMAP']], 'Hint' : [ 0x20, ['unsigned long']], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_PEB64' : [ 0x7a0, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'IsLongPathAwareProcess' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Padding0' : [ 0x4, ['array', 4, ['unsigned char']]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 
0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessPreviouslyThrottled' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ProcessCurrentlyThrottled' : [ 0x50, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'Padding1' : [ 0x54, ['array', 4, ['unsigned char']]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'Padding2' : [ 0x74, ['array', 4, ['unsigned char']]], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'SharedData' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long 
long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'Padding3' : [ 0x10c, ['array', 4, ['unsigned char']]], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'Padding4' : [ 0x134, ['array', 4, ['unsigned char']]], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'Padding5' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, 
['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pUnused' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Padding6' : [ 0x37c, ['array', 4, ['unsigned char']]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x388, ['unsigned long long']], 'TppWorkerpList' : [ 0x390, ['LIST_ENTRY64']], 'WaitOnAddressHashTable' : [ 0x3a0, ['array', 128, ['unsigned long long']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 
'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned short']], 'Flags' : [ 0x5a, ['unsigned char']], 'ShutDownRequested' : [ 0x5a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x5a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x5a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x5a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Wow' : [ 0x5a, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'EventsLostCount' : [ 0x88, ['pointer64', ['unsigned long']]], 'BuffersLostCount' : [ 0x90, ['pointer64', ['unsigned long']]], 'SiloState' : [ 0x98, ['pointer64', ['_ETW_SILODRIVERSTATE']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_POP_HIBER_CONTEXT' : [ 0x1d0, { 'Reset' : [ 0x0, 
['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x3, ['unsigned char']], 'InitializationFinished' : [ 0x4, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'HvCaptureReadyBarrier' : [ 0x14, ['long']], 'HvCaptureCompletedBarrier' : [ 0x18, ['long']], 'MapFrozen' : [ 0x1c, ['unsigned char']], 'DiscardMap' : [ 0x20, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x20, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x30, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x40, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x50, ['unsigned long']], 'ClonedPageCount' : [ 0x58, ['unsigned long long']], 'CurrentMap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x68, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x70, ['unsigned long long']], 'LoaderMdl' : [ 0x78, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x80, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x88, ['unsigned long long']], 'IoPages' : [ 0x90, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x98, ['unsigned long']], 'CurrentMcb' : [ 0xa0, ['pointer64', ['void']]], 'DumpStack' : [ 0xa8, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xb0, ['pointer64', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0xb8, ['unsigned long']], 'Status' : [ 0xbc, ['long']], 'GraphicsProc' : [ 0xc0, ['unsigned long']], 'MemoryImage' : [ 0xc8, ['pointer64', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0xd0, ['pointer64', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0xd8, ['pointer64', ['_MDL']]], 'SiLogOffset' : [ 0xe0, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0xe8, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0xf0, ['pointer64', ['void']]], 'ResumeContext' : [ 0xf8, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x100, ['unsigned long']], 'SecurePages' : [ 0x104, ['unsigned long']], 'ProcessorCount' : [ 0x108, 
['unsigned long']], 'ProcessorContext' : [ 0x110, ['pointer64', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0x118, ['pointer64', ['unsigned char']]], 'ProdConsSize' : [ 0x120, ['unsigned long']], 'MaxDataPages' : [ 0x124, ['unsigned long']], 'ExtraBuffer' : [ 0x128, ['pointer64', ['void']]], 'ExtraBufferSize' : [ 0x130, ['unsigned long long']], 'ExtraMapVa' : [ 0x138, ['pointer64', ['void']]], 'BitlockerKeyPFN' : [ 0x140, ['unsigned long long']], 'IoInfo' : [ 0x148, ['_POP_IO_INFO']], 'IoChecksums' : [ 0x1b8, ['pointer64', ['unsigned short']]], 'IoChecksumsSize' : [ 0x1c0, ['unsigned long long']], 'HardwareConfigurationSignature' : [ 0x1c8, ['unsigned long']], 'IumEnabled' : [ 0x1cc, ['unsigned char']], } ], '_SEP_CACHED_HANDLES_TABLE' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x8, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '__unnamed_2778' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MI_DECAY_TIMER_LINKAGE']], } ], '_MI_DECAY_TIMER_LINK' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2778']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '__unnamed_277f' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, 
['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_277f']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '_MI_PARTITION_COMMIT' : [ 0x80, { 'PeakCommitment' : [ 0x0, ['unsigned long long']], 'TotalCommitLimitMaximum' : [ 0x8, ['unsigned long long']], 'Popups' : [ 0x10, ['array', 2, ['long']]], 'LowCommitThreshold' : [ 0x18, ['unsigned long long']], 'HighCommitThreshold' : [ 0x20, ['unsigned long long']], 'EventLock' : [ 0x28, ['unsigned long long']], 'SystemCommitReserve' : [ 0x30, ['unsigned long long']], 'OverCommit' : [ 0x40, ['unsigned long long']], } ], '_TRIAGE_DEVICE_NODE' : [ 0x58, { 'Sibling' : [ 0x0, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'FxDevice' : [ 0x50, ['pointer64', ['_TRIAGE_POP_FX_DEVICE']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 
'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : 
[ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x48, { 'InitiatingThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ThreadId' : [ 0x10, ['pointer64', ['void']]], 'ProcessId' : [ 0x18, ['pointer64', ['void']]], 'Code' : [ 0x20, ['unsigned long']], 'Parameter1' : [ 0x28, ['unsigned long long']], 'Parameter2' : [ 0x30, ['unsigned long long']], 'Parameter3' : [ 0x38, ['unsigned long long']], 'Parameter4' : [ 0x40, ['unsigned long long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x8, ['pointer64', ['wchar']]], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8180, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 
'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'StackLimitHits' : [ 0x8038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x803c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x8040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8044, ['unsigned long']], 'TotalReleases' : [ 0x8048, ['unsigned long']], 'RootNodesDeleted' : [ 0x804c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x8050, ['unsigned long']], 'Instigator' : [ 0x8058, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8060, ['unsigned long']], 'Participant' : [ 0x8068, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8168, ['long']], 'StackType' : [ 0x816c, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'DebuggerStackLimits', 8: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x8170, ['unsigned long long']], 'StackHighLimit' : [ 0x8178, ['unsigned long long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'PO_MEMORY_IMAGE' : [ 0x3d8, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned 
long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long long']], 'HiberFlags' : [ 0x38, ['unsigned char']], 'spare' : [ 0x39, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x3c, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'NumPagesForLoader' : [ 0x58, ['unsigned long long']], 'FirstSecureRestorePage' : [ 0x60, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x68, ['unsigned long long']], 'FirstKernelRestorePage' : [ 0x70, ['unsigned long long']], 'FirstChecksumRestorePage' : [ 0x78, ['unsigned long long']], 'NoChecksumEntries' : [ 0x80, ['unsigned long long']], 'PerfInfo' : [ 0x88, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x280, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x288, ['array', 1, ['unsigned long long']]], 'SiLogOffset' : [ 0x290, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x294, ['unsigned long']], 'BootLoaderLogPages' : [ 0x298, ['array', 24, ['unsigned long long']]], 'NotUsed' : [ 0x358, ['unsigned long']], 'ResumeContextCheck' : [ 0x35c, ['unsigned long']], 'ResumeContextPages' : [ 0x360, ['unsigned long']], 'Hiberboot' : [ 0x364, ['unsigned char']], 'HvCr3' : [ 0x368, ['unsigned long long']], 'HvEntryPoint' : [ 0x370, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x378, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x380, ['unsigned long long']], 'BootFlags' : [ 0x388, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x390, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x398, ['unsigned long long']], 'BitlockerKeyPfns' : [ 0x3a0, ['array', 4, ['unsigned long long']]], 'HardwareSignature' : [ 0x3c0, ['unsigned long']], 'SMBiosTablePhysicalAddress' : 
[ 0x3c8, ['_LARGE_INTEGER']], 'SMBiosTableLength' : [ 0x3d0, ['unsigned long']], 'SMBiosMajorVersion' : [ 0x3d4, ['unsigned char']], 'SMBiosMinorVersion' : [ 0x3d5, ['unsigned char']], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 
0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_MI_PAGING_IO_STATE' : [ 0x50, { 'PageFileHead' : [ 0x0, ['_RTL_AVL_TREE']], 'PageFileHeadSpinLock' : [ 0x8, ['long']], 'PrefetchSeekThreshold' : [ 0xc, ['long']], 'InPageSupportSListHead' : [ 0x10, ['array', 2, ['_SLIST_HEADER']]], 'InPageSupportSListMinimum' : [ 0x30, ['array', 2, ['unsigned char']]], 'InPageSinglePages' : [ 0x34, ['unsigned long']], 'DelayPageFaults' : [ 0x38, ['long']], 'FileCompressionBoundary' : [ 0x3c, ['unsigned long']], 'MdlsAdjusted' : [ 0x40, ['unsigned char']], } ], '_MI_STANDBY_STATE' : [ 0x70, { 'FirstDecayPage' : [ 0x0, ['unsigned long long']], 'PfnDecayFreeSList' : [ 0x10, ['_SLIST_HEADER']], 'PfnRepurposeLog' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'AllocatePfnRepurposeDpc' : [ 0x28, ['_KDPC']], } ], '_MI_DECAY_TIMER_LINKAGE' : [ 0x8, { 'Spare0' : [ 
0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'NextDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x150, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x108, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x148, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned 
char']], } ], '_TRIAGE_9F_POWER' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'IrpList' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'ThreadList' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'DelayedWorkQueue' : [ 0x18, ['pointer64', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_MMINPAGE_SUPPORT_FLOW_THROUGH' : [ 0x38, { 'Page' : [ 0x0, ['array', 1, ['unsigned long long']]], 'InitialInPageSupport' : [ 0x8, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'PagingFile' : [ 0x10, ['pointer64', ['_MMPAGING_FILE']]], 'PageFileOffset' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['_RTL_BALANCED_NODE']], } ], '_MI_COMBINE_STATE' : [ 0x1a0, { 'ActiveSpinLock' : [ 0x0, ['long']], 'CombiningThreadCount' : [ 0x4, ['unsigned long']], 'ActiveThreadTree' : [ 0x8, ['_RTL_AVL_TREE']], 'ZeroPageHashValue' : [ 0x10, ['unsigned long long']], 'CrossPartition' : [ 0x18, ['_MI_PAGE_COMBINING_SUPPORT']], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_PTE_TRACKER' : [ 0x80, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'GuardPte' : [ 0x40, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x48, ['array', 7, ['pointer64', ['void']]]], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_HIVE_WAIT_PACKET' : [ 0x28, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Next' : [ 0x20, ['pointer64', ['_HIVE_WAIT_PACKET']]], } ], '_VF_AVL_TREE_NODE_EX' : [ 0x18, { 'Base' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'SessionId' : [ 0x10, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_CM_INDEX' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'NameHint' : [ 0x4, ['_CM_FAST_LEAF_HINT']], 'HashKey' : [ 0x4, ['_CM_COMPONENT_HASH']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_MMPAGING_FILE' : [ 0x120, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'FreeReservationSpace' : [ 0x30, ['unsigned long long']], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x40, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x50, ['_SLIST_HEADER']], 'PageFileName' : [ 0x60, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x70, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x78, ['unsigned long']], 'LargestAllocationCluster' : [ 
0x7c, ['unsigned long']], 'RefreshAllocationCluster' : [ 0x80, ['unsigned long']], 'LastRefreshAllocationCluster' : [ 0x84, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x88, ['unsigned long']], 'MaximumRunLengthInBitmaps' : [ 0x8c, ['unsigned long']], 'BitmapsCacheLengthTree' : [ 0x90, ['_RTL_RB_TREE']], 'BitmapsCacheLocationTree' : [ 0xa0, ['_RTL_RB_TREE']], 'BitmapsCacheFreeList' : [ 0xb0, ['_LIST_ENTRY']], 'BitmapsCacheEntries' : [ 0xc0, ['pointer64', ['_MI_PAGEFILE_BITMAPS_CACHE_ENTRY']]], 'ToBeEvictedCount' : [ 0xc8, ['unsigned long']], 'HybridPriority' : [ 0xc8, ['unsigned long']], 'PageFileNumber' : [ 0xcc, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0xcc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'NoReservations' : [ 0xcc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'VirtualStorePagefile' : [ 0xcc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SwapSupported' : [ 0xcc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'NodeInserted' : [ 0xcc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'StackNotified' : [ 0xcc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'BackedBySCM' : [ 0xcc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'Spare0' : [ 0xcc, ['BitField', dict(start_bit = 11, end_bit = 15, native_type='unsigned short')]], 'AdriftMdls' : [ 0xce, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0xce, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'IgnoreReservations' : [ 0xcf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare2' : [ 0xcf, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0xd0, ['unsigned 
long']], 'PageHashPagesPeak' : [ 0xd4, ['unsigned long']], 'PageHash' : [ 0xd8, ['pointer64', ['unsigned long']]], 'FileHandle' : [ 0xe0, ['pointer64', ['void']]], 'Lock' : [ 0xe8, ['unsigned long long']], 'LockOwner' : [ 0xf0, ['pointer64', ['_ETHREAD']]], 'FlowThroughReadRoot' : [ 0xf8, ['_RTL_AVL_TREE']], 'Partition' : [ 0x100, ['pointer64', ['_MI_PARTITION']]], 'FileObjectNode' : [ 0x108, ['_RTL_BALANCED_NODE']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_HVIEW_MAP' : [ 0x4b0, { 'MappedLength' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Directory' : [ 0x18, ['pointer64', ['_HVIEW_MAP_DIRECTORY']]], 'PagesCharged' : [ 0x20, ['unsigned long']], 'PinLog' : [ 0x28, ['_HVIEW_MAP_PIN_LOG']], } ], '_POP_FX_WORK_ORDER' : [ 0x38, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x20, ['long']], 'Context' : [ 0x28, ['pointer64', ['void']]], 'WatchdogTimerInfo' : [ 0x30, ['pointer64', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x18, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned short']], 'Flags' : [ 0x16, ['unsigned short']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 
0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_PAGELIST_STATE' : [ 0x10, { 'ActiveSpinLock' : [ 0x0, ['long']], 'ActiveThreadTree' : [ 0x8, ['_RTL_AVL_TREE']], } ], '_CRITICAL_PROCESS_EXCEPTION_DATA' : [ 0x30, { 'ReportId' : [ 0x0, ['_GUID']], 'ModuleName' : [ 0x10, ['_UNICODE_STRING']], 'ModuleTimestamp' : [ 0x20, ['unsigned long']], 'ModuleSize' : [ 0x24, ['unsigned long']], 'Offset' : [ 0x28, ['unsigned long long']], } ], '__unnamed_2825' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2827' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2825']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2827']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, 
['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_RELATION_LIST' : [ 0x10, { 'DeviceObjectList' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT_LIST']]], 'Sorted' : [ 0x8, ['unsigned char']], } ], '_IO_IRP_EXT_TRACK_OFFSET_HEADER' : [ 0x10, { 'Validation' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'TrackedOffsetCallback' : [ 0x8, ['pointer64', ['void']]], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x340, { 'ullOsMaxVersionTested' : [ 0x0, ['unsigned long long']], 'ulTargetPlatform' : [ 0x8, ['unsigned long']], 'ullContextMinimum' : [ 0x10, ['unsigned long long']], 'guPlatform' : [ 0x18, ['_GUID']], 'guMinPlatform' : [ 0x28, ['_GUID']], 'ulContextSource' : [ 0x38, ['unsigned long']], 'ulElementCount' : [ 0x3c, ['unsigned long']], 'guElements' : [ 0x40, ['array', 48, ['_GUID']]], } ], '_SESSION_LOWBOX_MAP' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'LowboxMap' : [ 0x18, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_POP_IO_INFO' : [ 0x70, { 'DumpMdl' : [ 0x0, ['pointer64', ['_MDL']]], 'IoStatus' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x10, ['unsigned long long']], 'IoBytesCompleted' : [ 0x18, ['unsigned long long']], 'IoBytesInProgress' : [ 0x20, ['unsigned long long']], 'RequestSize' : [ 0x28, ['unsigned long long']], 'IoLocation' : [ 0x30, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x38, ['unsigned long long']], 'Buffer' : [ 0x40, ['pointer64', ['void']]], 'AsyncCapable' : [ 0x48, ['unsigned char']], 'BytesToRead' : [ 0x50, ['unsigned long long']], 'Pages' : [ 0x58, ['unsigned long']], 
'HighestChecksumIndex' : [ 0x60, ['unsigned long long']], 'PreviousChecksum' : [ 0x68, ['unsigned short']], } ], '_TOKEN_ACCESS_INFORMATION' : [ 0x58, { 'SidHash' : [ 0x0, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'RestrictedSidHash' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'Privileges' : [ 0x10, ['pointer64', ['_TOKEN_PRIVILEGES']]], 'AuthenticationId' : [ 0x18, ['_LUID']], 'TokenType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'MandatoryPolicy' : [ 0x28, ['_TOKEN_MANDATORY_POLICY']], 'Flags' : [ 0x2c, ['unsigned long']], 'AppContainerNumber' : [ 0x30, ['unsigned long']], 'PackageSid' : [ 0x38, ['pointer64', ['void']]], 'CapabilitiesHash' : [ 0x40, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'TrustLevelSid' : [ 0x48, ['pointer64', ['void']]], 'SecurityAttributes' : [ 0x50, ['pointer64', ['void']]], } ], '_MIPFNBLINK' : [ 0x8, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeBlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 56, native_type='unsigned long long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 60, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 62, native_type='unsigned long long')]], 'PageBlinkDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'PageBlinkLockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'ShareCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 62, native_type='unsigned long long')]], 'PageShareCountDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 
'PageShareCountLockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned long long']], 'Lock' : [ 0x0, ['long long']], 'LockNotUsed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 62, native_type='unsigned long long')]], 'DeleteBit' : [ 0x0, ['BitField', dict(start_bit = 62, end_bit = 63, native_type='unsigned long long')]], 'LockBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x24, ['unsigned long']], } ], '_PPM_COORDINATED_SELECTION' : [ 0x18, { 'MaximumStates' : [ 0x0, ['unsigned long']], 'SelectedStates' : [ 0x4, ['unsigned long']], 'DefaultSelection' : [ 0x8, ['unsigned long']], 'Selection' : [ 0x10, ['pointer64', ['unsigned long']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 
'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '__unnamed_2865' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x78, { 'Status' : [ 0x0, ['long']], 'PartitionId' : [ 0x4, ['unsigned short']], 'Priority' : [ 0x6, ['unsigned char']], 'IrpPriority' : [ 0x7, ['unsigned char']], 'ReservationWrite' : [ 0x8, ['unsigned char']], 'CurrentTime' : [ 0x10, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x18, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x20, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x28, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x30, ['unsigned long long']], 'ModifiedPagefileNoReservationPages' : [ 0x38, ['unsigned long long']], 'MdlHack' : [ 0x40, ['__unnamed_2865']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, 
end_bit = 8, native_type='unsigned char')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['unsigned long long']], 'Key' : [ 0x8, ['unsigned long']], 'Pattern' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolType' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 20, native_type='unsigned long')]], 'SlushSize' : [ 0xc, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '__unnamed_2872' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_2872']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, 
['unsigned long']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_PROC_PERF_HISTORY' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'UtilityTotal' : [ 0x8, ['unsigned long']], 'AffinitizedUtilityTotal' : [ 0xc, ['unsigned long']], 'FrequencyTotal' : [ 0x10, ['unsigned long']], 'TaggedPercentTotal' : [ 0x14, ['array', 2, ['unsigned long']]], 'HistoryList' : [ 0x1c, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '__unnamed_2883' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_2886' : [ 0x8, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x88, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x40, ['__unnamed_2883']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u4' : [ 0x78, ['__unnamed_2886']], 'FileObject' : [ 0x80, ['pointer64', ['_FILE_OBJECT']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1f, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1e, ['unsigned char']], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x410, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 
'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_UMS_CONTROL_BLOCK' : [ 0x88, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsWaitEvent' : [ 0x30, ['_KEVENT']], 'StagingArea' : [ 0x48, ['pointer64', ['void']]], 'UmsPrimaryDeliveredContext' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsFlags' : [ 0x50, ['unsigned long']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, 
['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '_KALPC_WORK_ON_BEHALF_DATA' : [ 0x8, { 'Ticket' : [ 0x0, ['_ALPC_WORK_ON_BEHALF_TICKET']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, 
['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x120, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x68, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x68, ['unsigned long']], 'PackagedBinary' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x68, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x68, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LoadConfigProcessed' : [ 0x68, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x68, ['BitField', 
dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectDelayLoad' : [ 0x68, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x68, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x68, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x68, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x68, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x68, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x68, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x68, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x68, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x68, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x68, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x68, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Lock' : [ 0x90, ['pointer64', ['void']]], 'DdagNode' : [ 0x98, ['pointer64', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0xa0, ['_LIST_ENTRY']], 'LoadContext' : [ 0xb0, ['pointer64', ['_LDRP_LOAD_CONTEXT']]], 'ParentDllBase' : [ 0xb8, ['pointer64', ['void']]], 
'SwitchBackContext' : [ 0xc0, ['pointer64', ['void']]], 'BaseAddressIndexNode' : [ 0xc8, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0xe0, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0xf8, ['unsigned long long']], 'LoadTime' : [ 0x100, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x108, ['unsigned long']], 'LoadReason' : [ 0x10c, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x110, ['unsigned long']], 'ReferenceCount' : [ 0x114, ['unsigned long']], 'DependentLoadFlags' : [ 0x118, ['unsigned long']], 'SigningLevel' : [ 0x11c, ['unsigned char']], } ], '_KTIMER2_COLLECTION' : [ 0x18, { 'Tree' : [ 0x0, ['_RTL_RB_TREE']], 'NextDueTime' : [ 0x10, ['unsigned long long']], } ], '__unnamed_28b3' : [ 0x1, { 'Age' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_28b5' : [ 0x1, { 'EntireWsle' : [ 0x0, ['unsigned char']], } ], '__unnamed_28b7' : [ 0x1, { 'e1' : [ 0x0, ['__unnamed_28b3']], 'e2' : [ 0x0, ['__unnamed_28b5']], } ], '_MI_WSLE' : [ 0x1, { 'u1' : [ 0x0, ['__unnamed_28b7']], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 'Inserted' : [ 0x1c, ['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned 
long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PrivateDemandZero' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 
0x0, ['array', 1, ['wchar']]], } ], '_MI_PARTITION_MODWRITES' : [ 0x2d0, { 'AttemptForCantExtend' : [ 0x0, ['_MMPAGE_FILE_EXPANSION']], 'PageFileContract' : [ 0x60, ['_MMPAGE_FILE_EXPANSION']], 'NumberOfMappedMdls' : [ 0xc0, ['unsigned long long']], 'NumberOfMappedMdlsInUse' : [ 0xc8, ['long']], 'NumberOfMappedMdlsInUsePeak' : [ 0xcc, ['unsigned long']], 'MappedFileHeader' : [ 0xd0, ['_MMMOD_WRITER_LISTHEAD']], 'NeedMappedMdl' : [ 0xf8, ['unsigned char']], 'NeedPageFileMdl' : [ 0xf9, ['unsigned char']], 'TransitionInserted' : [ 0xfa, ['unsigned char']], 'LastModifiedWriteError' : [ 0xfc, ['long']], 'LastMappedWriteError' : [ 0x100, ['long']], 'MappedFileWriteSucceeded' : [ 0x104, ['unsigned long']], 'MappedWriteBurstCount' : [ 0x108, ['unsigned long']], 'LowPriorityModWritesOutstanding' : [ 0x10c, ['unsigned long']], 'BoostModWriteIoPriorityEvent' : [ 0x110, ['_KEVENT']], 'ModifiedWriterThreadPriority' : [ 0x128, ['long']], 'ModifiedPagesLowPriorityGoal' : [ 0x130, ['unsigned long long']], 'ModifiedPageWriterEvent' : [ 0x138, ['_KEVENT']], 'ModifiedWriterExitedEvent' : [ 0x150, ['_KEVENT']], 'WriteAllPagefilePages' : [ 0x168, ['long']], 'WriteAllMappedPages' : [ 0x16c, ['long']], 'MappedPageWriterEvent' : [ 0x170, ['_KEVENT']], 'ModWriteData' : [ 0x188, ['_MI_MODWRITE_DATA']], 'RescanPageFilesEvent' : [ 0x1c8, ['_KEVENT']], 'PagingFileHeader' : [ 0x1e0, ['_MMMOD_WRITER_LISTHEAD']], 'ModifiedPageWriterThread' : [ 0x208, ['pointer64', ['_ETHREAD']]], 'ModifiedPageWriterRundown' : [ 0x210, ['_EX_RUNDOWN_REF']], 'PagefileScanWorkItem' : [ 0x218, ['_WORK_QUEUE_ITEM']], 'PagefileScanCount' : [ 0x238, ['unsigned long']], 'ClusterWritesDisabled' : [ 0x23c, ['array', 2, ['long']]], 'NotifyStoreMemoryConditions' : [ 0x248, ['_KEVENT']], 'DelayMappedWrite' : [ 0x260, ['unsigned char']], 'PagefileReservationsEnabled' : [ 0x264, ['unsigned long']], 'PageFileCreationLock' : [ 0x268, ['_EX_PUSH_LOCK']], 'TrimPagefileWorkItem' : [ 0x270, ['_WORK_QUEUE_ITEM']], 
'LastTrimPagefileTime' : [ 0x290, ['unsigned long long']], 'WsSwapPagefileContractWorkItem' : [ 0x298, ['_WORK_QUEUE_ITEM']], 'WsSwapPageFileContractionInProgress' : [ 0x2b8, ['long']], 'WorkingSetSwapLock' : [ 0x2c0, ['_EX_PUSH_LOCK']], 'WorkingSetInswapLock' : [ 0x2c8, ['long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_OB_EXTENDED_PARSE_PARAMETERS' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'RestrictedAccessMask' : [ 0x4, ['unsigned long']], 'Silo' : [ 0x8, ['pointer64', ['_EJOB']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 
0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '_MMWORKING_SET_EXPANSION_HEAD' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned 
char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_POP_FX_ACCOUNTING' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned char']], 'DripsRequiredState' : [ 0xc, ['unsigned long']], 'Level' : [ 0x10, ['long']], 'ActiveStamp' : [ 0x18, ['long long']], 'CsActiveTime' : [ 0x20, ['unsigned long long']], 'CriticalActiveTime' : [ 0x28, ['long long']], } ], '_KSCHEDULING_GROUP_POLICY' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long']], 'Weight' : [ 0x0, ['unsigned short']], 'MinRate' : [ 0x0, ['unsigned short']], 'MaxRate' : [ 0x2, ['unsigned short']], 'AllFlags' : [ 0x4, ['unsigned long']], 'Type' : [ 0x4, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RankBias' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Spare1' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_POP_POLICY_DEVICE' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyImmediateDozeS4AdaptiveBudget', 14: 'PolicyImmediateDozeS4AdaptiveReserveNoWake', 15: 'PolicyDeviceMax'})]], 'Notification' : [ 0x18, ['pointer64', ['void']]], 'Name' : [ 0x20, ['_UNICODE_STRING']], 'Device' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x38, ['pointer64', ['_IRP']]], } ], '_INVERTED_FUNCTION_TABLE_ENTRY' : [ 0x18, { 'FunctionTable' : [ 0x0, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'DynamicTable' : [ 0x0, ['pointer64', ['_DYNAMIC_FUNCTION_TABLE']]], 'ImageBase' : [ 0x8, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'SizeOfTable' : [ 0x14, ['unsigned long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x80, { 'SelectedCount' : [ 0x0, ['unsigned long long']], 'VetoCount' : [ 0x8, ['unsigned long long']], 'PreVetoCount' : [ 0x10, ['unsigned long long']], 'WrongProcessorCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 
0x20, ['unsigned long long']], 'IdleDurationCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'PlatformOnlyCount' : [ 0x40, ['unsigned long long']], 'InterruptibleCount' : [ 0x48, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x50, ['unsigned long long']], 'CstateCheckCount' : [ 0x58, ['unsigned long long']], 'NoCStateCount' : [ 0x60, ['unsigned long long']], 'CoordinatedDependencyCount' : [ 0x68, ['unsigned long long']], 'NotClockOwnerCount' : [ 0x70, ['unsigned long long']], 'PreVetoAccounting' : [ 0x78, ['pointer64', ['_PPM_VETO_ACCOUNTING']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '__unnamed_291a' : [ 0x4, { 'FlushCompleting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'FlushInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='long')]], 'Long' : [ 0x0, ['long']], } ], '_MI_PARTITION_STORES' : [ 0x80, { 'WriteAllStoreHintedPages' : [ 0x0, ['__unnamed_291a']], 'VirtualPageFileNumber' : [ 0x4, ['unsigned long']], 'Registered' : [ 0x8, ['unsigned long']], 'ReadClusterSizeMax' : [ 0xc, ['unsigned long']], 'EvictFlushRequestCount' : [ 0x10, ['unsigned long']], 'ModifiedWriteDisableCount' : [ 0x14, ['unsigned long']], 'WriteIssueFailures' : [ 0x18, ['unsigned long']], 'EvictFlushLock' : [ 0x1c, ['long']], 'EvictionThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'EvictEvent' : [ 0x28, ['_KEVENT']], 'WriteSupportSListHead' : [ 0x40, ['_SLIST_HEADER']], 'EvictFlushCompleteEvent' : [ 0x50, ['_KEVENT']], 'ModifiedWriteFailedBitmap' : [ 0x68, ['pointer64', ['_RTL_BITMAP']]], 'StoreProcess' 
: [ 0x70, ['pointer64', ['_EPROCESS']]], } ], '_MI_RFG_PROTECTED_STACK' : [ 0x18, { 'ControlStackBase' : [ 0x0, ['pointer64', ['void']]], 'ControlStackVad' : [ 0x8, ['pointer64', ['_MMVAD_SHORT']]], 'OwnerThread' : [ 0x10, ['pointer64', ['void']]], } ], '_POP_FX_COMPONENT' : [ 0x100, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x18, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x50, ['pointer64', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x58, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x60, ['long']], 'ActiveEvent' : [ 0x68, ['_KEVENT']], 'IdleLock' : [ 0x80, ['unsigned long long']], 'IdleConditionComplete' : [ 0x88, ['long']], 'IdleStateComplete' : [ 0x8c, ['long']], 'IdleStamp' : [ 0x90, ['unsigned long long']], 'CurrentIdleState' : [ 0x98, ['unsigned long']], 'IdleStateCount' : [ 0x9c, ['unsigned long']], 'IdleStates' : [ 0xa0, ['pointer64', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0xa8, ['unsigned long']], 'ProviderCount' : [ 0xac, ['unsigned long']], 'Providers' : [ 0xb0, ['pointer64', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0xb8, ['unsigned long']], 'DependentCount' : [ 0xbc, ['unsigned long']], 'Dependents' : [ 0xc0, ['pointer64', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0xc8, ['_POP_FX_ACCOUNTING']], 'Performance' : [ 0xf8, ['pointer64', ['_POP_FX_PERF_INFO']]], } ], '_DYNAMIC_FUNCTION_TABLE' : [ 0x70, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FunctionTable' : [ 0x10, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'TimeStamp' : [ 0x18, ['_LARGE_INTEGER']], 'MinimumAddress' : [ 0x20, ['unsigned long long']], 'MaximumAddress' : [ 0x28, ['unsigned long long']], 'BaseAddress' : [ 0x30, ['unsigned long long']], 'Callback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'OutOfProcessCallbackDll' : [ 0x48, ['pointer64', ['wchar']]], 'Type' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'RF_SORTED', 1: 'RF_UNSORTED', 2: 'RF_CALLBACK', 3: 'RF_KERNEL_DYNAMIC'})]], 
'EntryCount' : [ 0x54, ['unsigned long']], 'TreeNode' : [ 0x58, ['_RTL_BALANCED_NODE']], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MMPAGE_FILE_EXPANSION' : [ 0x60, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'Partition' : [ 0x18, ['pointer64', ['_MI_PARTITION']]], 'RequestedExpansionSize' : [ 0x20, ['unsigned long long']], 'ActualExpansion' : [ 0x28, ['unsigned long long']], 'Event' : [ 0x30, ['_KEVENT']], 'InProgress' : [ 0x48, ['long']], 'u' : [ 0x4c, ['_MMPAGE_FILE_EXPANSION_FLAGS']], 'ActiveEntry' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'AttemptForCantExtend' : [ 0x58, ['unsigned char']], 'PageFileContract' : [ 0x59, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 
0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'Unused' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ForceCollision' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_HVIEW_MAP_PIN_LOG' : [ 0x488, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Entries' : [ 0x8, ['array', 16, ['_HVIEW_MAP_PIN_LOG_ENTRY']]], } ], '_IO_REMOVE_LOCK' : [ 0x20, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], 
'__unnamed_294b' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_294b']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_FAST_OWNER_ENTRY_INTERNAL' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AbLockHandle' : [ 0x10, ['unsigned char']], 'Disowned' : [ 0x11, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DynamicallyAllocated' : [ 0x11, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CallerExclusive' : [ 0x11, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsSublistHead' : [ 0x12, ['unsigned char']], 'IsWaiting' : [ 0x13, ['unsigned char']], 'LockAddress' : [ 0x18, ['pointer64', ['void']]], 'ThreadAddress' : [ 0x20, ['pointer64', ['void']]], 'SublistHead' : [ 0x28, ['_LIST_ENTRY']], 'LockListEntry' : [ 0x38, ['_LIST_ENTRY']], } ], '_MI_POOL_STATE' : [ 0xe8, { 'MaximumNonPagedPoolThreshold' : [ 0x0, ['unsigned long long']], 'NonPagedPoolSListMaximum' : [ 0x8, ['array', 3, ['unsigned long']]], 'AllocatedNonPagedPool' : [ 0x18, ['unsigned long long']], 'BadPoolHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'HighEventSets' : [ 0x28, ['unsigned long']], 'HighEventSetsValid' : [ 0x2c, ['unsigned char']], 'PoolFailures' : [ 0x30, ['array', 3, ['array', 3, ['unsigned long']]]], 'PoolFailureReasons' : [ 0x54, ['_MI_POOL_FAILURE_REASONS']], 'LowPagedPoolThreshold' : [ 0x80, ['unsigned long long']], 'HighPagedPoolThreshold' : [ 0x88, ['unsigned long long']], 
'PagedPoolSListMaximum' : [ 0x90, ['unsigned long']], 'PreemptiveTrims' : [ 0x94, ['array', 4, ['unsigned long']]], 'SpecialPagesInUsePeak' : [ 0xa8, ['unsigned long long']], 'SpecialPoolRejected' : [ 0xb0, ['array', 6, ['unsigned long']]], 'SpecialPagesNonPaged' : [ 0xc8, ['unsigned long long']], 'SpecialPoolPdes' : [ 0xd0, ['long']], 'SessionSpecialPoolPdesMax' : [ 0xd4, ['unsigned long']], 'TotalPagedPoolQuota' : [ 0xd8, ['unsigned long long']], 'TotalNonPagedPoolQuota' : [ 0xe0, ['unsigned long long']], } ], '_IMAGE_RUNTIME_FUNCTION_ENTRY' : [ 0xc, { 'BeginAddress' : [ 0x0, ['unsigned long']], 'EndAddress' : [ 0x4, ['unsigned long']], 'UnwindInfoAddress' : [ 0x8, ['unsigned long']], 'UnwindData' : [ 0x8, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'OperatingSystemVersion' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, 
end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ComPlusPrefer32bit' : [ 0x33, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x30, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'ConnectLock' : [ 0x8, ['_KEVENT']], 'LineMasked' : [ 0x20, ['unsigned char']], 'InterruptList' : [ 0x28, ['pointer64', ['_KINTERRUPT']]], } ], '_PPM_SELECTION_DEPENDENCY' : [ 0x18, { 'Processor' : [ 0x0, ['unsigned long']], 'Menu' : [ 0x8, ['_PPM_SELECTION_MENU']], } ], '_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_CM_WORKITEM' : [ 0x28, { 'ListEntry' : [ 
0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_MI_HARDWARE_STATE' : [ 0xf0, { 'NodeMask' : [ 0x0, ['unsigned long']], 'NumaLastRangeIndex' : [ 0x4, ['unsigned long']], 'NumaTableCaptured' : [ 0x8, ['unsigned char']], 'NodeShift' : [ 0x9, ['unsigned char']], 'ChannelShift' : [ 0xa, ['unsigned char']], 'NodeGraph' : [ 0x10, ['pointer64', ['unsigned short']]], 'SystemNodeInformation' : [ 0x18, ['pointer64', ['_MI_SYSTEM_NODE_INFORMATION']]], 'NumaMemoryRanges' : [ 0x20, ['pointer64', ['_HAL_NODE_RANGE']]], 'ChannelMemoryRanges' : [ 0x28, ['pointer64', ['_HAL_CHANNEL_MEMORY_RANGES']]], 'SecondLevelCacheSize' : [ 0x30, ['unsigned long']], 'FirstLevelCacheSize' : [ 0x34, ['unsigned long']], 'PhysicalAddressBits' : [ 0x38, ['unsigned long']], 'TotalPagesAllowed' : [ 0x40, ['unsigned long long']], 'SecondaryColorMask' : [ 0x48, ['unsigned long']], 'SecondaryColors' : [ 0x4c, ['unsigned long']], 'FlushTbForAttributeChange' : [ 0x50, ['unsigned long']], 'FlushCacheForAttributeChange' : [ 0x54, ['unsigned long']], 'FlushCacheForPageAttributeChange' : [ 0x58, ['unsigned long']], 'CacheFlushPromoteThreshold' : [ 0x5c, ['unsigned long']], 'FlushTbThreshold' : [ 0x60, ['unsigned long long']], 'OptimalZeroingAttribute' : [ 0x68, ['array', 4, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'MiNonCached', 1: 'MiCached', 2: 'MiWriteCombined', 3: 'MiNotMapped'})]]]], 'AttributeChangeRequiresReZero' : [ 0xa8, ['unsigned char']], 'ZeroCostCounts' : [ 0xb0, ['array', 2, ['_MI_ZERO_COST_COUNTS']]], 'PrimaryPfns' : [ 0xd0, ['unsigned long long']], 'HighestPossiblePhysicalPage' : [ 0xd8, ['unsigned long long']], 'EnclaveRegions' : [ 0xe0, ['_RTL_AVL_TREE']], 
'VsmKernelPageCount' : [ 0xe8, ['unsigned long long']], } ], '_PPM_VETO_ACCOUNTING' : [ 0x28, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x8, ['_LIST_ENTRY']], 'CsAccountingBlocks' : [ 0x18, ['unsigned char']], 'BlocksDrips' : [ 0x19, ['unsigned char']], 'PreallocatedVetoCount' : [ 0x1c, ['unsigned long']], 'PreallocatedVetoList' : [ 0x20, ['pointer64', ['_PPM_VETO_ENTRY']]], } ], '__unnamed_297c' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_297c']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_SYSPTES_HEADER' : [ 0x118, { 'ListHead' : [ 0x0, ['array', 16, ['_LIST_ENTRY']]], 'Count' : [ 0x100, ['unsigned long long']], 'NumberOfEntries' : [ 0x108, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x110, ['unsigned long long']], } ], '_MI_ERROR_STATE' : [ 0xb8, { 'BadMemoryEventEntry' : [ 0x0, ['_MI_BAD_MEMORY_EVENT_ENTRY']], 'PageOfInterest' : [ 0x38, ['unsigned long long']], 'ProbeRaises' : [ 0x40, ['_MI_PROBE_RAISE_TRACKER']], 'ForcedCommits' : [ 0x80, ['_MI_FORCED_COMMITS']], 'WsleFailures' : [ 0x88, ['array', 1, ['unsigned long']]], 'PageHashErrors' : [ 0x8c, ['unsigned long']], 'CheckZeroCount' : [ 0x90, ['unsigned long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x94, ['long']], 'BadPagesDetected' : [ 0x98, ['long']], 'ScrubPasses' : [ 0x9c, ['long']], 'ScrubBadPagesFound' : [ 0xa0, ['long']], 'UserViewFailures' : [ 0xa4, ['unsigned long']], 'UserViewCollisionFailures' : [ 0xa8, ['unsigned long']], 'ResavailFailures' : [ 0xac, ['_MI_RESAVAIL_FAILURES']], 'PendingBadPages' : [ 0xb4, ['unsigned char']], 'InitFailure' : [ 0xb5, ['unsigned char']], 'StopBadMaps' : [ 0xb6, ['unsigned char']], } ], '_PROC_PERF_DOMAIN' : [ 0x1e0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'DomainContext' : [ 0xc0, ['unsigned long long']], 'ProcessorCount' : [ 0xc8, ['unsigned 
long']], 'EfficiencyClass' : [ 0xcc, ['unsigned char']], 'NominalPerformanceClass' : [ 0xcd, ['unsigned char']], 'HighestPerformanceClass' : [ 0xce, ['unsigned char']], 'Spare' : [ 0xcf, ['unsigned char']], 'Processors' : [ 0xd0, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0xd8, ['pointer64', ['void']]], 'TimeWindowHandler' : [ 0xe0, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0xe8, ['pointer64', ['void']]], 'BoostModeHandler' : [ 0xf0, ['pointer64', ['void']]], 'EnergyPerfPreferenceHandler' : [ 0xf8, ['pointer64', ['void']]], 'AutonomousActivityWindowHandler' : [ 0x100, ['pointer64', ['void']]], 'AutonomousModeHandler' : [ 0x108, ['pointer64', ['void']]], 'ReinitializeHandler' : [ 0x110, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0x118, ['pointer64', ['void']]], 'PerfControlHandler' : [ 0x120, ['pointer64', ['void']]], 'DomainPerfControlHandler' : [ 0x128, ['pointer64', ['void']]], 'MaxFrequency' : [ 0x130, ['unsigned long']], 'NominalFrequency' : [ 0x134, ['unsigned long']], 'MaxPercent' : [ 0x138, ['unsigned long']], 'MinPerfPercent' : [ 0x13c, ['unsigned long']], 'MinThrottlePercent' : [ 0x140, ['unsigned long']], 'MinimumRelativePerformance' : [ 0x148, ['unsigned long long']], 'NominalRelativePerformance' : [ 0x150, ['unsigned long long']], 'NominalRelativePerformancePercent' : [ 0x158, ['unsigned char']], 'Coordination' : [ 0x159, ['unsigned char']], 'HardPlatformCap' : [ 0x15a, ['unsigned char']], 'AffinitizeControl' : [ 0x15b, ['unsigned char']], 'EfficientThrottle' : [ 0x15c, ['unsigned char']], 'AllowVirtualHeterogeneity' : [ 0x15d, ['unsigned char']], 'InitiateAllProcessors' : [ 0x15e, ['unsigned char']], 'AutonomousMode' : [ 0x15f, ['unsigned char']], 'DesiredPercent' : [ 0x160, ['unsigned long']], 'MaxPolicyPercent' : [ 0x164, ['unsigned long']], 'MaxEquivalentFrequencyPercent' : [ 0x168, ['unsigned long']], 'MinPolicyPercent' : [ 0x16c, ['unsigned long']], 'GuaranteedPercent' : [ 0x170, ['unsigned long']], 
'SelectionGeneration' : [ 0x174, ['unsigned long']], 'BackgroundSelectionGeneration' : [ 0x178, ['unsigned long']], 'Selection' : [ 0x180, ['_PERF_CONTROL_STATE_SELECTION']], 'BackgroundSelection' : [ 0x1a8, ['_PERF_CONTROL_STATE_SELECTION']], 'PerfChangeTime' : [ 0x1d0, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0x1d8, ['unsigned long']], 'Force' : [ 0x1dc, ['unsigned char']], 'ProvideGuidance' : [ 0x1dd, ['unsigned char']], } ], '_MI_COMMON_PAGE_STATE' : [ 0xa8, { 'PageOfOnesPfn' : [ 0x0, ['pointer64', ['_MMPFN']]], 'PageOfOnes' : [ 0x8, ['unsigned long long']], 'DummyPagePfn' : [ 0x10, ['pointer64', ['_MMPFN']]], 'DummyPage' : [ 0x18, ['unsigned long long']], 'PageOfZeroes' : [ 0x20, ['unsigned long long']], 'ZeroMapping' : [ 0x28, ['pointer64', ['void']]], 'OnesMapping' : [ 0x30, ['pointer64', ['void']]], 'ZeroCrc' : [ 0x38, ['unsigned long long']], 'OnesCrc' : [ 0x40, ['unsigned long long']], 'BitmapGapFrames' : [ 0x48, ['array', 4, ['unsigned long long']]], 'PfnGapFrames' : [ 0x68, ['array', 4, ['unsigned long long']]], 'PageTableOfZeroes' : [ 0x88, ['unsigned long long']], 'PdeOfZeroes' : [ 0x90, ['_MMPTE']], 'PageTableOfOnes' : [ 0x98, ['unsigned long long']], 'PdeOfOnes' : [ 0xa0, ['_MMPTE']], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_HEAP_EXTENDED_ENTRY' : [ 0x10, { 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned 
long']], 'SiloSessionId' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'IoTracker' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : 
[ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_POP_COOLING_EXTENSION' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'RequestListHead' : [ 0x10, ['_LIST_ENTRY']], 'Lock' : [ 0x20, ['_POP_RW_LOCK']], 'DeviceObject' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'NotificationEntry' : [ 0x38, ['pointer64', ['void']]], 'Enabled' : [ 0x40, ['unsigned char']], 'ActiveEngaged' : [ 0x41, ['unsigned char']], 'ThrottleLimit' : [ 0x42, ['unsigned char']], 'UpdatingToCurrent' : [ 0x43, ['unsigned char']], 'RemovalFlushEvent' : [ 0x48, ['pointer64', ['_KEVENT']]], 'PnpFlushEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Interface' : [ 0x58, ['_THERMAL_COOLING_INTERFACE']], } ], '__unnamed_29b1' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_29b1']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned 
long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_POP_POWER_SETTING_VALUES' : [ 0x140, { 'StructureSize' : [ 0x0, ['unsigned long']], 'PopPolicy' : [ 0x4, ['_SYSTEM_POWER_POLICY']], 'CurrentAcDcPowerState' : [ 0xec, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'AwayModeEnabled' : [ 0xf0, ['unsigned char']], 'AwayModeEngaged' : [ 0xf1, ['unsigned char']], 'AwayModePolicyAllowed' : [ 0xf2, ['unsigned char']], 'AwayModeIgnoreUserPresent' : [ 0xf4, ['long']], 'AwayModeIgnoreAction' : [ 0xf8, ['long']], 'DisableFastS4' : [ 0xfc, ['unsigned char']], 'DisableStandbyStates' : [ 0xfd, ['unsigned char']], 'UnattendSleepTimeout' : [ 0x100, ['unsigned long']], 'DiskIgnoreTime' : [ 0x104, ['unsigned long']], 'DeviceIdlePolicy' : [ 0x108, ['unsigned long']], 'VideoDimTimeout' : [ 0x10c, ['unsigned long']], 'VideoNormalBrightness' : [ 0x110, ['unsigned long']], 'VideoDimBrightness' : [ 0x114, ['unsigned long']], 'AlsOffset' : [ 0x118, ['unsigned long']], 'AlsEnabled' : [ 0x11c, ['unsigned long']], 'EsBrightness' : [ 0x120, ['unsigned long']], 'SwitchShutdownForced' : [ 0x124, ['unsigned char']], 'SystemCoolingPolicy' : [ 0x128, ['unsigned long']], 'MediaBufferingEngaged' : [ 0x12c, ['unsigned char']], 'AudioActivity' : [ 0x12d, ['unsigned char']], 'FullscreenVideoPlayback' : [ 0x12e, ['unsigned char']], 'EsBatteryThreshold' : [ 0x130, ['unsigned long']], 'EsAggressive' : [ 0x134, ['unsigned char']], 'EsUserAwaySetting' : [ 0x135, ['unsigned char']], 'ConnectivityInStandby' : [ 0x138, ['unsigned long']], 'DisconnectedStandbyMode' : [ 0x13c, ['unsigned long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x8, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'TaggedPercent' : [ 0x5, ['array', 2, ['unsigned char']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '__unnamed_29c4' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_29c4']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_MI_ZERO_COST_COUNTS' : [ 0x10, { 'NativeSum' : [ 0x0, ['unsigned long long']], 'CachedSum' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x88, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x40, ['_KDPC']], 'WorkOrder' : [ 0x80, ['pointer64', ['_POP_FX_WORK_ORDER']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '__unnamed_29d9' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' 
: [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_29d9']], } ], '__unnamed_29dd' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_29e1' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_29e3' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_29e5' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_29e7' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_29e9' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_29eb' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_29ed' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_29ef' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned 
long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_29f1' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_29f3' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_29f5' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_29dd']], 'Memory' : [ 0x0, ['__unnamed_29dd']], 'Interrupt' : [ 0x0, ['__unnamed_29e1']], 'Dma' : [ 0x0, ['__unnamed_29e3']], 'DmaV3' : [ 0x0, ['__unnamed_29e5']], 'Generic' : [ 0x0, ['__unnamed_29dd']], 'DevicePrivate' : [ 0x0, ['__unnamed_29e7']], 'BusNumber' : [ 0x0, ['__unnamed_29e9']], 'ConfigData' : [ 0x0, ['__unnamed_29eb']], 'Memory40' : [ 0x0, ['__unnamed_29ed']], 'Memory48' : [ 0x0, ['__unnamed_29ef']], 'Memory64' : [ 0x0, ['__unnamed_29f1']], 'Connection' : [ 0x0, ['__unnamed_29f3']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_29f5']], } ], '_HEAP_UNPACKED_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'SubSegmentCode' : [ 0x8, ['unsigned long']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 
'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x50, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x38, ['pointer64', ['void']]], 'DvCallbacks' : [ 0x40, ['pointer64', ['void']]], 'VerifierContext' : [ 0x48, ['pointer64', ['void']]], } ], '_ETW_PROVIDER_TRAITS' : [ 0x20, { 'Node' : [ 0x0, ['_RTL_BALANCED_NODE']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Traits' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '_ETW_QUEUE_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x10, ['pointer64', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0x18, ['pointer64', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x20, ['pointer64', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x28, ['pointer64', ['void']]], 'RegIndex' : [ 0x30, ['unsigned short']], 'ReplyIndex' : [ 0x32, ['unsigned short']], 'Flags' : [ 0x34, ['unsigned long']], } ], '_MI_PARTITION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PageListsInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StoreReservedPagesCharged' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PureHoldingPartition' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 
'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0x60, { 'Count' : [ 0x0, ['unsigned long']], 'Vectors' : [ 0x8, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_NON_PAGED_DEBUG_INFO' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Machine' : [ 0x8, ['unsigned short']], 'Characteristics' : [ 0xa, ['unsigned short']], 'TimeDateStamp' : [ 0xc, ['unsigned long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'SizeOfImage' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Gate' : [ 0x10, ['_KGATE']], 'Event' : [ 0x10, ['_KEVENT']], } ], '__unnamed_2a19' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x108, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_2a19']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['_MODWRITER_FLAGS']], 'StoreWriteRefCount' : [ 0x2c, ['unsigned long']], 'StoreWriteCompletionApc' : [ 0x30, ['_KAPC']], 'ByteCount' : [ 0x88, ['unsigned long']], 'ChargedPages' : [ 0x8c, ['unsigned long']], 'PagingFile' : [ 0x90, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0xa0, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0xa8, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0xb0, ['_LARGE_INTEGER']], 'IssueTime' : [ 0xb8, ['_LARGE_INTEGER']], 'Partition' : [ 0xc0, ['pointer64', ['_MI_PARTITION']]], 'PointerMdl' : [ 0xc8, ['pointer64', ['_MDL']]], 'Mdl' : [ 0xd0, ['_MDL']], 'Page' : [ 0x100, ['array', 1, ['unsigned long long']]], } ], '_NONOPAQUE_OPLOCK' : [ 0xa0, { 'IrpExclusiveOplock' : [ 0x0, ['pointer64', ['_IRP']]], 'FileObject' : [ 0x8, 
['pointer64', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'WaiterPriority' : [ 0x20, ['unsigned char']], 'IrpOplocksR' : [ 0x28, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x38, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x48, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x58, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x68, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x78, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x88, ['pointer64', ['_GUID']]], 'OplockState' : [ 0x90, ['unsigned long']], 'FastMutex' : [ 0x98, ['pointer64', ['_FAST_MUTEX']]], } ], '__unnamed_2a22' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2a23' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2a22']], 'Merged' : [ 0x10, ['__unnamed_2a23']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '__unnamed_2a27' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_2a29' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2a2b' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2a2d' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_2a2b']], 'Translated' : [ 0x0, ['__unnamed_2a29']], } ], '__unnamed_2a2f' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_2a31' : [ 
0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_2a33' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_2a35' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_2a37' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_2a39' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_2a3b' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_2a3d' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_2a27']], 'Port' : [ 0x0, ['__unnamed_2a27']], 'Interrupt' : [ 0x0, ['__unnamed_2a29']], 'MessageInterrupt' : [ 0x0, ['__unnamed_2a2d']], 'Memory' : [ 0x0, ['__unnamed_2a27']], 'Dma' : [ 0x0, ['__unnamed_2a2f']], 'DmaV3' : [ 0x0, ['__unnamed_2a31']], 'DevicePrivate' : [ 0x0, ['__unnamed_29e7']], 'BusNumber' : [ 0x0, ['__unnamed_2a33']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_2a35']], 'Memory40' : [ 0x0, ['__unnamed_2a37']], 'Memory48' : [ 0x0, ['__unnamed_2a39']], 'Memory64' : [ 0x0, ['__unnamed_2a3b']], 'Connection' : [ 0x0, ['__unnamed_29f3']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_2a3d']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', 
['void']]]], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_ETW_FILTER_EVENT_NAME_DATA' : [ 0x28, { 'FilterIn' : [ 0x0, ['unsigned char']], 'Level' : [ 0x1, ['unsigned char']], 'MatchAnyKeyword' : [ 0x8, ['unsigned long long']], 'MatchAllKeyword' : [ 0x10, ['unsigned long long']], 'NameTable' : [ 0x18, ['_RTL_HASH_TABLE']], } ], '_MI_VISIBLE_STATE' : [ 0x900, { 'SpecialPool' : [ 0x0, ['_MI_SPECIAL_POOL']], 'SessionWsList' : [ 0x40, ['_LIST_ENTRY']], 'SessionIdBitmap' : [ 0x50, ['pointer64', ['_RTL_BITMAP']]], 'PagedPoolInfo' : [ 0x58, ['_MM_PAGED_POOL_INFO']], 'MaximumNonPagedPoolInPages' : [ 0x90, ['unsigned long long']], 'SizeOfPagedPoolInPages' : [ 0x98, ['unsigned long long']], 'SystemPteInfo' : [ 0xa0, ['_MI_SYSTEM_PTE_TYPE']], 'NonPagedPoolCommit' : [ 0x108, ['unsigned long long']], 'SmallNonPagedPtesCommit' : [ 0x110, ['unsigned long long']], 'BootCommit' : [ 0x118, ['unsigned long long']], 'MdlPagesAllocated' : [ 0x120, ['unsigned long long']], 'SystemPageTableCommit' : [ 0x128, ['unsigned long long']], 'SpecialPagesInUse' : [ 0x130, ['unsigned long long']], 'ProcessCommit' : [ 0x138, ['unsigned long long']], 'DriverCommit' : [ 0x140, ['long']], 'PfnDatabaseCommit' : [ 0x148, ['unsigned long long']], 'SystemWs' : [ 0x180, ['array', 3, ['_MMSUPPORT_FULL']]], 'SystemCacheShared' : [ 0x4c0, ['_MMSUPPORT_SHARED']], 'AggregateSystemWs' : [ 0x540, ['array', 1, ['_MMSUPPORT_AGGREGATION']]], 'MapCacheFailures' : [ 0x560, ['unsigned long']], 'PagefileHashPages' : [ 0x568, ['unsigned long long']], 'PteHeader' : [ 0x570, ['_SYSPTES_HEADER']], 'SessionSpecialPool' : [ 0x688, ['pointer64', ['_MI_SPECIAL_POOL']]], 'SystemVaTypeCount' : [ 0x690, ['array', 14, ['unsigned long long']]], 'SystemVaType' : [ 0x700, ['array', 256, ['unsigned char']]], 'SystemVaRegions' : [ 0x800, ['array', 13, ['_MI_SYSTEM_VA_ASSIGNMENT']]], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned 
short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_CM_COMPONENT_HASH' : [ 0x4, { 'Hash' : [ 0x0, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0xf0, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], 'Xcr0' : [ 0xd8, ['unsigned long long']], 'MsrFsBase' : [ 0xe0, ['unsigned long long']], 'SpecialPadding0' : [ 0xe8, ['unsigned long long']], } ], '_RH_OP_CONTEXT' : [ 
0x48, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x10, ['pointer64', ['_IRP']]], 'OplockRequestFileObject' : [ 0x18, ['pointer64', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x28, ['pointer64', ['_ETHREAD']]], 'Flags' : [ 0x30, ['unsigned long']], 'AtomicLinks' : [ 0x38, ['_LIST_ENTRY']], } ], '_MSUBSECTION' : [ 0x70, { 'Core' : [ 0x0, ['_SUBSECTION']], 'SubsectionNode' : [ 0x38, ['_RTL_BALANCED_NODE']], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x68, ['unsigned long']], 'LargeViews' : [ 0x6c, ['unsigned long']], } ], '_PROC_PERF_CHECK' : [ 0x118, { 'LastActive' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'LastStall' : [ 0x10, ['unsigned long long']], 'LastPerfCheckSnap' : [ 0x18, ['_PROC_PERF_CHECK_SNAP']], 'CurrentSnap' : [ 0x68, ['_PROC_PERF_CHECK_SNAP']], 'LastDeliveredSnap' : [ 0xb8, ['_PROC_PERF_CHECK_SNAP']], 'LastDeliveredPerformance' : [ 0x108, ['unsigned long']], 'LastDeliveredFrequency' : [ 0x10c, ['unsigned long']], 'TaggedThreadPercent' : [ 0x110, ['array', 2, ['unsigned char']]], 'Class0FloorPerfSelection' : [ 0x112, ['unsigned char']], 'Class1MinimumPerfSelection' : [ 0x113, ['unsigned char']], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'ModifiedStoreWrite' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_PEB32' : [ 0x460, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 
'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'IsLongPathAwareProcess' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned 
long')]], 'ProcessPreviouslyThrottled' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ProcessCurrentlyThrottled' : [ 0x28, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'SharedData' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, 
['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], 'pUnused' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, ['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 
'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x250, ['unsigned long']], 'TppWorkerpList' : [ 0x254, ['LIST_ENTRY32']], 'WaitOnAddressHashTable' : [ 0x25c, ['array', 128, ['unsigned long']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1d0, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'Order' : [ 0x30, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x1a8, ['_LIST_ENTRY']], 'Status' : [ 0x1b8, ['long']], 'FailedDevice' : [ 0x1c0, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1c8, ['unsigned char']], 'Cancelled' : [ 0x1c9, ['unsigned char']], 'IgnoreErrors' : [ 0x1ca, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1cb, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1cc, ['unsigned char']], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x98, { 'FileName' 
: [ 0x0, ['pointer64', ['wchar']]], 'BaseName' : [ 0x8, ['pointer64', ['wchar']]], 'RegRootName' : [ 0x10, ['pointer64', ['wchar']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], 'FilePath' : [ 0x88, ['_UNICODE_STRING']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x178, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_PPM_VETO_ENTRY' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'VetoReason' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'HitCount' : [ 0x18, ['unsigned long long']], 'LastActivationTime' : [ 0x20, ['unsigned long long']], 'TotalActiveTime' : [ 0x28, ['unsigned long long']], 'CsActivationTime' : [ 0x30, ['unsigned long long']], 'CsActiveTime' : [ 0x38, ['unsigned long long']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_BAD_MEMORY_EVENT_ENTRY' : [ 0x38, { 'BugCheckCode' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['long']], 'Data' : [ 0x8, ['unsigned long']], 'PhysicalAddress' : [ 0x10, ['_LARGE_INTEGER']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], '_KWAIT_CHAIN_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x10, ['_KEVENT']], } ], 
'_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_TOKEN_PRIVILEGES' : [ 0x10, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Privileges' : [ 0x4, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned char']], 'LayerSemantics' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Spare1' : [ 0xd, ['BitField', dict(start_bit = 2, end_bit = 7, native_type='unsigned char')]], 'InheritClass' : [ 0xd, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0xe, ['unsigned short']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, 
['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x28, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x8, ['_RTL_BITMAP']], 'HashTable' : [ 0x18, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x20, ['unsigned char']], } ], '_MMDEREFERENCE_SEGMENT_HEADER' : [ 0x30, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'ListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '__unnamed_2aa7' : [ 0x4, { 'ChannelsHotCold' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_MI_NODE_INFORMATION' : [ 0x888, { 'LargePageFreeCount' : [ 0x0, 
['array', 3, ['array', 2, ['unsigned long long']]]], 'LargePages' : [ 0x30, ['array', 3, ['array', 2, ['array', 2, ['array', 4, ['_LIST_ENTRY']]]]]], 'LargePagesCount' : [ 0x330, ['array', 3, ['array', 2, ['array', 2, ['array', 4, ['unsigned long long']]]]]], 'LargePageRebuildTimer' : [ 0x4b0, ['_MI_REBUILD_LARGE_PAGE_TIMER']], 'StandbyPageList' : [ 0x4d8, ['array', 4, ['array', 8, ['_MMPFNLIST_SHORT']]]], 'FreeCount' : [ 0x7d8, ['array', 2, ['unsigned long long']]], 'TotalPages' : [ 0x7e8, ['array', 4, ['unsigned long long']]], 'TotalPagesEntireNode' : [ 0x808, ['unsigned long long']], 'MmShiftedColor' : [ 0x810, ['unsigned long']], 'Color' : [ 0x814, ['unsigned long']], 'ChannelFreeCount' : [ 0x818, ['array', 4, ['array', 2, ['unsigned long long']]]], 'Flags' : [ 0x858, ['__unnamed_2aa7']], 'NodeLock' : [ 0x860, ['_EX_PUSH_LOCK']], 'ZeroThreadHugeMapLock' : [ 0x868, ['unsigned long long']], 'ChannelStatus' : [ 0x870, ['unsigned char']], 'ChannelOrdering' : [ 0x871, ['array', 4, ['unsigned char']]], 'LockedChannelOrdering' : [ 0x875, ['array', 4, ['unsigned char']]], 'PowerAttribute' : [ 0x879, ['array', 4, ['unsigned char']]], 'LargePageLock' : [ 0x880, ['unsigned long long']], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_MI_HYPER_SPACE' : [ 0x10804000, { 'VadBitmap' : [ 0x0, ['array', 268435456, ['unsigned char']]], 'PageDirectoryCommitmentBitmap' : [ 0x10000000, ['array', 16384, ['unsigned char']]], 'PageTableCommitmentBitmap' : [ 0x10004000, ['array', 8388608, ['unsigned char']]], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_TRIAGE_POP_FX_DEVICE' : [ 0x38, { 
'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x18, ['pointer64', ['_TRIAGE_POP_IRP_DATA']]], 'Status' : [ 0x20, ['long']], 'PowerReqCall' : [ 0x24, ['long']], 'PowerNotReqCall' : [ 0x28, ['long']], 'DeviceNode' : [ 0x30, ['pointer64', ['_TRIAGE_DEVICE_NODE']]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 
0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '_MI_SYSTEM_NODE_INFORMATION' : [ 0x190, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'NonPagedPoolSListHeadNx' : [ 0x40, ['array', 3, ['_SLIST_HEADER']]], 'CachedKernelStacks' : [ 0x70, ['array', 2, ['_CACHED_KSTACK_LIST']]], 'NonPagedBitMapMaximum' : [ 0xb0, ['unsigned long long']], 'DynamicBitMapNonPagedPool' : [ 0xb8, ['_MI_DYNAMIC_BITMAP']], 'NonPagedPoolLowestPage' : [ 0x100, ['unsigned long long']], 'NonPagedPoolHighestPage' : [ 0x108, ['unsigned long long']], 'AllocatedNonPagedPool' : [ 0x110, ['unsigned long long']], 'PartialLargePoolRegions' : [ 0x118, ['unsigned long long']], 'PagesInPartialLargePoolRegions' : [ 0x120, ['unsigned long long']], 'CachedNonPagedPoolCount' : [ 0x128, ['unsigned long long']], 'NonPagedPoolSpinLock' : [ 0x130, ['unsigned long long']], 'CachedNonPagedPool' : [ 0x138, ['pointer64', ['_MMPFN']]], 'NonPagedPoolFirstVa' : [ 0x140, ['pointer64', ['void']]], 'NonPagedPoolLastVa' : [ 0x148, ['pointer64', ['void']]], 'NonPagedBitMap' : [ 0x150, ['array', 3, ['_RTL_BITMAP_EX']]], 'NonPagedHint' : [ 0x180, ['array', 2, ['unsigned long long']]], } ], '_MI_PAGE_COMBINING_SUPPORT' : [ 0x188, { 'Partition' : [ 0x0, ['pointer64', ['_MI_PARTITION']]], 'ArbitraryPfnMapList' : [ 0x8, ['_LIST_ENTRY']], 'FreeCombinePoolItem' : [ 0x18, ['_MI_COMBINE_WORKITEM']], 'CombiningThreadCount' : [ 0x40, ['unsigned long']], 
'CombinePageFreeList' : [ 0x48, ['_LIST_ENTRY']], 'CombineFreeListLock' : [ 0x58, ['unsigned long long']], 'CombinePageListHeads' : [ 0x60, ['array', 16, ['_MI_COMBINE_PAGE_LISTHEAD']]], 'PageCombineStats' : [ 0x160, ['_MI_PAGE_COMBINE_STATISTICS']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x38, { 'BadPageCount' : [ 0x0, ['unsigned long long']], 'BadPagesDetected' : [ 0x8, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0xc, ['long']], 'ScrubPasses' : [ 0x10, ['long']], 'ScrubBadPagesFound' : [ 0x14, ['long']], 'PageHashErrors' : [ 0x18, ['unsigned long']], 'FeatureBits' : [ 0x20, ['unsigned long long']], 'TimeZoneId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['_MI_FLAGS']], 'VsmConnection' : [ 0x30, ['pointer64', ['void']]], } ], '_MI_FORCED_COMMITS' : [ 0x8, { 'Regular' : [ 0x0, ['unsigned long']], 'Wrap' : [ 0x4, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x20, { 'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0x18, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_PERF_CONTROL_STATE_SELECTION' : [ 0x28, { 'SelectedState' : [ 0x0, ['unsigned long long']], 'SelectedPercent' : [ 0x8, ['unsigned long']], 'SelectedFrequency' : [ 0xc, ['unsigned long']], 'MinPercent' : [ 0x10, ['unsigned long']], 'MaxPercent' : [ 0x14, ['unsigned long']], 'TolerancePercent' : [ 0x18, ['unsigned long']], 'EppPercent' : [ 0x1c, ['unsigned long']], 'AutonomousActivityWindow' : [ 0x20, ['unsigned long']], 'Autonomous' : [ 0x24, ['unsigned char']], 'InheritFromDomain' : [ 0x25, ['unsigned char']], } ], '_MI_REBUILD_LARGE_PAGE_TIMER' : [ 0x28, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'SecondsLeft' : [ 0x20, ['unsigned char']], 'RebuildActive' : [ 0x21, ['unsigned char']], 'NextPassDelta' : [ 0x22, ['unsigned 
char']], 'LargeSubPagesActive' : [ 0x23, ['unsigned char']], } ], '_MI_IO_PAGE_STATE' : [ 0x68, { 'IoPfnLock' : [ 0x0, ['unsigned long long']], 'IoPfnRoot' : [ 0x8, ['array', 3, ['_RTL_AVL_TREE']]], 'UnusedCachedMaps' : [ 0x20, ['_LIST_ENTRY']], 'OldestCacheFlushTimeStamp' : [ 0x30, ['unsigned long']], 'IoCacheStats' : [ 0x38, ['_MI_IO_CACHE_STATS']], 'InvariantIoSpace' : [ 0x60, ['_RTL_AVL_TREE']], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_MI_CROSS_PARTITION_CHARGES' : [ 0x20, { 'CurrentCharges' : [ 0x0, ['unsigned long long']], 'ChargeFailures' : [ 0x8, ['unsigned long long']], 'ChargePeak' : [ 0x10, ['unsigned long long']], 'ChargeMinimum' : [ 0x18, ['unsigned long long']], } ], '__unnamed_2aec' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x30, { 'SessionProtoNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeList' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'DriverAddress' : [ 0x0, ['pointer64', ['void']]], 'SessionId' : [ 0x18, ['unsigned long']], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SubsectionBase' : [ 0x20, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x28, ['__unnamed_2aec']], } ], '_TOKEN_MANDATORY_POLICY' : [ 0x4, { 'Policy' : [ 0x0, ['unsigned long']], } ], '_MI_MODWRITE_DATA' : [ 0x40, { 'PagesLoad' : [ 0x0, ['long long']], 'PagesAverage' : [ 0x8, ['unsigned long long']], 'AverageAvailablePages' : [ 0x10, ['unsigned long long']], 'PagesWritten' : [ 0x18, ['unsigned long long']], 'WritesIssued' : [ 0x20, ['unsigned long']], 'IgnoredReservationsCount' : [ 0x24, ['unsigned long']], 'FreedReservationsCount' : [ 0x28, ['unsigned long']], 'WriteBurstCount' : [ 0x2c, ['unsigned long']], 'IgnoreReservationsStartTime' : [ 0x30, ['unsigned long long']], 
'ReservationClusterInfo' : [ 0x38, ['_MI_RESERVATION_CLUSTER_INFO']], 'IgnoreReservations' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare' : [ 0x3c, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'Spare1' : [ 0x3e, ['unsigned short']], } ], '_PROC_IDLE_POLICY' : [ 0x6, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], 'ForceLightIdle' : [ 0x5, ['unsigned char']], } ], '_MI_RESAVAIL_FAILURES' : [ 0x8, { 'Wrap' : [ 0x0, ['unsigned long']], 'NoCharge' : [ 0x4, ['unsigned long']], } ], '_ALPC_WORK_ON_BEHALF_TICKET' : [ 0x8, { 'ThreadId' : [ 0x0, ['unsigned long']], 'ThreadCreationTimeLow' : [ 0x4, ['unsigned long']], } ], '_PO_HIBER_PERF' : [ 0x1f8, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'HiberChecksumTicks' : [ 0x30, ['unsigned long long']], 'HiberChecksumIoTicks' : [ 0x38, ['unsigned long long']], 'TotalHibernateTime' : [ 0x40, ['_LARGE_INTEGER']], 'HibernateCompleteTimestamp' : [ 0x48, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x50, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x54, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x58, ['unsigned long']], 'ResumeAppTicks' : [ 0x60, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x68, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x70, ['unsigned long long']], 'ResumeInitTicks' : [ 0x78, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x80, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x88, ['unsigned long long']], 'ResumeIoTicks' : [ 0x90, 
['unsigned long long']], 'ResumeDecompressTicks' : [ 0x98, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0xa0, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0xa8, ['unsigned long long']], 'ResumeMapTicks' : [ 0xb0, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xb8, ['unsigned long long']], 'ResumeChecksumTicks' : [ 0xc0, ['unsigned long long']], 'ResumeChecksumIoTicks' : [ 0xc8, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xd0, ['unsigned long long']], 'CyclesPerMs' : [ 0xd8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xe0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xe8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xf0, ['unsigned long long']], 'HalTscOffset' : [ 0xf8, ['unsigned long long']], 'HvlTscOffset' : [ 0x100, ['unsigned long long']], 'SleeperThreadEnd' : [ 0x108, ['unsigned long long']], 'PostCmosUpdateTimestamp' : [ 0x110, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0x118, ['unsigned long long']], 'IoBoundedness' : [ 0x120, ['unsigned long long']], 'KernelDecompressTicks' : [ 0x128, ['unsigned long long']], 'KernelIoTicks' : [ 0x130, ['unsigned long long']], 'KernelCopyTicks' : [ 0x138, ['unsigned long long']], 'ReadCheckCount' : [ 0x140, ['unsigned long long']], 'KernelInitTicks' : [ 0x148, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x150, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x158, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x160, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x168, ['unsigned long long']], 'KernelChecksumTicks' : [ 0x170, ['unsigned long long']], 'KernelChecksumIoTicks' : [ 0x178, ['unsigned long long']], 'AnimationStart' : [ 0x180, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x188, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x190, ['unsigned long']], 'SecurePagesProcessed' : [ 0x198, ['unsigned long long']], 'BootPagesProcessed' : [ 0x1a0, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x1a8, 
['unsigned long long']], 'BootBytesWritten' : [ 0x1b0, ['unsigned long long']], 'KernelBytesWritten' : [ 0x1b8, ['unsigned long long']], 'BootPagesWritten' : [ 0x1c0, ['unsigned long long']], 'KernelPagesWritten' : [ 0x1c8, ['unsigned long long']], 'BytesWritten' : [ 0x1d0, ['unsigned long long']], 'PagesWritten' : [ 0x1d8, ['unsigned long']], 'FileRuns' : [ 0x1dc, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x1e0, ['unsigned long']], 'MaxHuffRatio' : [ 0x1e4, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x1e8, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1f0, ['unsigned long long']], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', 
['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1e, { 'PerUserPolicy' : [ 0x0, ['array', 30, ['unsigned char']]], } ], '_MI_PROBE_RAISE_TRACKER' : [ 0x40, { 'UserRangeInKernel' : [ 0x0, ['unsigned long']], 'FaultFailed' : [ 0x4, ['unsigned long']], 'WriteFaultFailed' : [ 0x8, ['unsigned long']], 'LargePageFailed' : [ 0xc, ['unsigned long']], 'UserAccessToKernelPte' : [ 0x10, ['unsigned long']], 'BadPageLocation' : [ 0x14, ['unsigned long']], 'InsufficientCharge' : [ 0x18, ['unsigned long']], 'PageTableCharge' : [ 0x1c, ['unsigned long']], 
'NoPhysicalMapping' : [ 0x20, ['unsigned long']], 'NoIoReference' : [ 0x24, ['unsigned long']], 'ProbeFailed' : [ 0x28, ['unsigned long']], 'PteIsZero' : [ 0x2c, ['unsigned long']], 'StrongCodeWrite' : [ 0x30, ['unsigned long']], 'ReducedCloneCommitChargeFailed' : [ 0x34, ['unsigned long']], 'CopyOnWriteAtDispatchNoPages' : [ 0x38, ['unsigned long']], 'EnclavePageFailed' : [ 0x3c, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '__unnamed_2b12' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2b14' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_2b17' : [ 0x8, { 'IntrInfo' : [ 0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_2b1b' : [ 0x4, { 'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x58, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 
'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x18, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x28, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x38, ['__unnamed_2b12']], 'HvDeviceId' : [ 0x40, ['unsigned long long']], 'XapicMessage' : [ 0x48, ['__unnamed_2b14']], 'Hypertransport' : [ 0x48, ['__unnamed_2b17']], 'GenericMessage' : [ 0x48, ['__unnamed_2b14']], 'MessageRequest' : [ 0x48, ['__unnamed_2b1b']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['_CM_COMPONENT_HASH']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_LDR_DDAG_NODE' : [ 0x50, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x10, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0x18, ['unsigned long']], 'LoadWhileUnloadingCount' : [ 0x1c, ['unsigned long']], 'LowestLink' : [ 0x20, ['unsigned long']], 'Dependencies' : [ 0x28, ['_LDRP_CSLIST']], 'IncomingDependencies' : [ 0x30, ['_LDRP_CSLIST']], 'State' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x48, ['unsigned long']], } ], '_DUMP_STACK_CONTEXT' : [ 0x178, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x108, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x110, ['pointer64', ['void']]], 'StorageInfo' : [ 0x110, ['pointer64', ['void']]], 'UseStorageInfo' : [ 0x118, ['unsigned char']], 'PointersLength' : [ 0x11c, ['unsigned long']], 'ModulePrefix' : [ 0x120, ['pointer64', 
['wchar']]], 'DriverList' : [ 0x128, ['_LIST_ENTRY']], 'InitMsg' : [ 0x138, ['_STRING']], 'ProgMsg' : [ 0x148, ['_STRING']], 'DoneMsg' : [ 0x158, ['_STRING']], 'FileObject' : [ 0x168, ['pointer64', ['void']]], 'UsageType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_HAL_NODE_RANGE' : [ 0x10, { 'PageFrameIndex' : [ 0x0, ['unsigned long long']], 'Node' : [ 0x8, ['unsigned long']], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '_MI_PAGEFILE_BITMAPS_CACHE_ENTRY' : [ 0x38, { 'LengthTreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_LIST_ENTRY']], 'LocationTreeNode' : [ 0x18, ['_RTL_BALANCED_NODE']], 'StartingIndex' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], } ], '_RTL_UMS_CONTEXT' : [ 0x520, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'PrimaryUmsContext' : [ 0x500, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x508, ['unsigned long']], 'KernelYieldCount' : [ 0x50c, ['unsigned long']], 'MixedYieldCount' : [ 0x510, ['unsigned long']], 'YieldCount' : [ 0x514, ['unsigned long']], } ], '_MI_RESUME_WORKITEM' : [ 0x38, { 'ResumeCompleteEvent' : [ 0x0, ['_KEVENT']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2b43' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_2b45' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2b47' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceId' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_2b49' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_2b4b' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned 
long']], } ], '__unnamed_2b4d' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_2b4f' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_2b51' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2b53' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_2b55' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_2b43']], 'TargetDevice' : [ 0x0, ['__unnamed_2b45']], 'InstallDevice' : [ 0x0, ['__unnamed_2b45']], 'CustomNotification' : [ 0x0, ['__unnamed_2b47']], 'ProfileNotification' : [ 0x0, ['__unnamed_2b49']], 'PowerNotification' : [ 0x0, ['__unnamed_2b4b']], 'VetoNotification' : [ 0x0, ['__unnamed_2b4d']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_2b4f']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_2b51']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_2b53']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_2b45']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_2b45']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 
'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_2b55']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], '_HVIEW_MAP_DIRECTORY' : [ 0x400, { 'Tables' : [ 0x0, ['array', 128, ['pointer64', ['_HVIEW_MAP_TABLE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], 'AllStacksInUse' : [ 0x1c, ['unsigned long']], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_HAL_CHANNEL_MEMORY_RANGES' : [ 0x10, { 'PageFrameIndex' : [ 0x0, ['unsigned long long']], 'MpnId' : [ 0x8, ['unsigned short']], 'Node' : [ 0xa, ['unsigned short']], 'Channel' : [ 0xc, 
['unsigned short']], 'IsPowerManageable' : [ 0xe, ['unsigned char']], 'DeepPowerState' : [ 0xf, ['unsigned char']], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x90, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'PlatformCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'LimitReasons' : [ 0x18, ['unsigned long']], 'PlatformCapStartTime' : [ 0x20, ['unsigned long long']], 'VirtualLittle' : [ 0x28, ['unsigned char']], 'ResolvedVirtualLittle' : [ 0x29, ['unsigned char']], 'LastVirtualTranstionTsc' : [ 0x30, ['unsigned long long']], 'VirtualTranstionHysteresis' : [ 0x38, ['unsigned long long']], 'ProcCap' : [ 0x40, ['unsigned long']], 'ProcFloor' : [ 0x44, ['unsigned long']], 'TargetPercent' : [ 0x48, ['unsigned long']], 'Selection' : [ 0x50, ['_PERF_CONTROL_STATE_SELECTION']], 'DomainSelectionGeneration' : [ 0x78, ['unsigned long']], 'PreviousFrequency' : [ 0x7c, ['unsigned long']], 'PreviousPercent' : [ 0x80, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x84, ['unsigned long']], 'Force' : [ 0x88, ['unsigned char']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3e8, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa8, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x20, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x10, { 'DeviceHandle' : [ 0x0, ['pointer64', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x8, ['pointer64', ['void']]], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x488, { 'Next' : [ 0x0, ['unsigned 
long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x410, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, 
['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], 'PackageDependencyData' : [ 0x400, ['pointer64', ['void']]], 'ProcessGroupId' : [ 0x408, ['unsigned long']], 'LoaderThreads' : [ 0x40c, ['unsigned long']], } ], '_MI_IO_CACHE_STATS' : [ 0x28, { 'UnusedBlocks' : [ 0x0, ['unsigned long long']], 'ActiveCacheMatch' : [ 0x8, ['unsigned long']], 'ActiveCacheOverride' : [ 0xc, ['unsigned long']], 'UnmappedCacheFlush' : [ 0x10, ['unsigned long']], 'UnmappedCacheMatch' : [ 0x14, ['unsigned long']], 'UnmappedCacheConflict' : [ 0x18, ['unsigned long']], 'PermanentIoAttributeConflict' : [ 0x1c, ['unsigned long']], 'PermanentIoNodeConflict' : [ 0x20, ['unsigned long']], } ], '__unnamed_2b99' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2b9b' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2b9d' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2b99']], 'Gpt' : [ 0x0, ['__unnamed_2b9b']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x108, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, 
['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MarkMemoryOnly' : [ 0x69, ['unsigned char']], 'HiberResume' : [ 0x6a, ['unsigned char']], 'Reserved1' : [ 0x6b, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_2b9d']], 'ReadRoutine' : [ 0xa0, ['pointer64', ['void']]], 'GetDriveTelemetryRoutine' : [ 0xa8, ['pointer64', ['void']]], 'LogSectionTruncateSize' : [ 0xb0, ['unsigned long']], 'Parameters' : [ 0xb4, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DumpNotifyRoutine' : [ 0x100, ['pointer64', ['void']]], } ], '_CM_FAST_LEAF_HINT' : [ 0x4, { 'Characters' : [ 0x0, ['array', 4, ['unsigned char']]], 'FullHint' : [ 0x0, ['unsigned long']], } ], '_THERMAL_COOLING_INTERFACE' : [ 0x38, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'ActiveCooling' : [ 0x28, ['pointer64', ['void']]], 'PassiveCooling' : [ 0x30, ['pointer64', ['void']]], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], 
'_POP_FX_PERF_INFO' : [ 0xa0, { 'Component' : [ 0x0, ['pointer64', ['_POP_FX_COMPONENT']]], 'CompletedEvent' : [ 0x8, ['_KEVENT']], 'ComponentPerfState' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['_POP_FX_PERF_FLAGS']], 'LastChange' : [ 0x30, ['pointer64', ['_PO_FX_PERF_STATE_CHANGE']]], 'LastChangeCount' : [ 0x38, ['unsigned long']], 'LastChangeStamp' : [ 0x40, ['unsigned long long']], 'LastChangeNominal' : [ 0x48, ['unsigned char']], 'PepRegistered' : [ 0x49, ['unsigned char']], 'QueryOnIdleStates' : [ 0x4a, ['unsigned char']], 'RequestDriverContext' : [ 0x50, ['pointer64', ['void']]], 'WorkOrder' : [ 0x58, ['_POP_FX_WORK_ORDER']], 'SetsCount' : [ 0x90, ['unsigned long']], 'Sets' : [ 0x98, ['pointer64', ['_POP_FX_PERF_SET']]], } ], '_MMPAGE_FILE_EXPANSION_FLAGS' : [ 0x4, { 'PageFileNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'IgnoreCurrentCommit' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreaseMinimumSize' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare3' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '_MMPFNLIST_SHORT' : [ 0x18, { 'Total' : [ 0x0, ['unsigned long long']], 'Flink' : [ 0x8, ['unsigned long long']], 'Blink' : [ 0x10, ['unsigned long long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x8, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_TRIAGE_POP_IRP_DATA' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], } ], 
'__unnamed_2bce' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_2bd0' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_2bd2' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_2bd4' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_2bce']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_2bd0']], 'Raw' : [ 0x0, ['__unnamed_2bd2']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'Operation' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0xc, ['__unnamed_2bd4']], 'Stack' : [ 0x18, ['array', 6, ['pointer64', ['void']]]], } ], '_MI_COMBINE_PAGE_LISTHEAD' : [ 0x10, { 'Table' : [ 0x0, ['_RTL_AVL_TREE']], 'Lock' : [ 0x8, ['long']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x28, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x8, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0x18, ['_RTL_BITMAP']], 'EvictedBitmap' : [ 0x18, ['_RTL_BITMAP']], } ], '_MI_SYSTEM_VA_ASSIGNMENT' : [ 0x10, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2be4' : [ 0x4, { 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, 
['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2be6' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2be4']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2be9' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2beb' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_2be9']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, ['__unnamed_2be6']], 'HighPart' : [ 0x4, ['__unnamed_2beb']], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x80, { 'UncompressedData' : [ 0x0, ['pointer64', ['unsigned char']]], 'MappingVa' : [ 0x8, ['pointer64', ['void']]], 'XpressEncodeWorkspace' : [ 0x10, ['pointer64', ['void']]], 'CompressedDataBuffer' : [ 0x18, ['pointer64', ['unsigned char']]], 'CopyTicks' : [ 0x20, ['unsigned long long']], 'CompressTicks' : [ 0x28, ['unsigned long long']], 'BytesCopied' : [ 0x30, ['unsigned long long']], 'PagesProcessed' : [ 0x38, ['unsigned long long']], 'DecompressTicks' : [ 0x40, 
['unsigned long long']], 'ResumeCopyTicks' : [ 0x48, ['unsigned long long']], 'SharedBufferTicks' : [ 0x50, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x68, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x78, ['unsigned long']], 'HuffCompressCount' : [ 0x7c, ['unsigned long']], } ], '_PROC_PERF_CHECK_SNAP' : [ 0x50, { 'Time' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned long long']], 'Stall' : [ 0x10, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x18, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledKernelActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], 'TaggedThreadCycles' : [ 0x40, ['array', 2, ['unsigned long long']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_HVIEW_MAP_PIN_LOG_ENTRY' : [ 0x48, { 'ViewOffset' : [ 0x0, ['unsigned long']], 'Pinned' : [ 0x4, ['unsigned char']], 'PinMask' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Stack' : [ 0x18, ['array', 6, ['pointer64', ['void']]]], } ], '_MI_COMBINE_WORKITEM' : [ 0x28, { 'NextEntry' : [ 0x0, ['pointer64', ['void']]], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], } ], '_PNP_RESOURCE_CONFLICT_TRACE_CONTEXT' : [ 0x18, { 'ResourceType' : [ 0x0, ['unsigned char']], 'AlternativeCount' : [ 0x4, ['unsigned long']], 'ResourceRequests' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ArbiterInstance' : [ 0x10, ['pointer64', 
['void']]], } ], '_MI_POOL_FAILURE_REASONS' : [ 0x2c, { 'NonPagedNoPtes' : [ 0x0, ['unsigned long']], 'PriorityTooLow' : [ 0x4, ['unsigned long']], 'NonPagedNoPagesAvailable' : [ 0x8, ['unsigned long']], 'PagedNoPtes' : [ 0xc, ['unsigned long']], 'SessionPagedNoPtes' : [ 0x10, ['unsigned long']], 'PagedNoPagesAvailable' : [ 0x14, ['unsigned long']], 'SessionPagedNoPagesAvailable' : [ 0x18, ['unsigned long']], 'PagedNoCommit' : [ 0x1c, ['unsigned long']], 'SessionPagedNoCommit' : [ 0x20, ['unsigned long']], 'NonPagedNoResidentAvailable' : [ 0x24, ['unsigned long']], 'NonPagedNoCommit' : [ 0x28, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_MI_PAGE_COMBINE_STATISTICS' : [ 0x28, { 'PagesScannedActive' : [ 0x0, ['unsigned long long']], 'PagesScannedStandby' : [ 0x8, ['unsigned long long']], 'PagesCombined' : [ 0x10, ['unsigned long long']], 'CombineScanCount' : [ 0x18, ['unsigned long']], 'CombinedBlocksInUse' : [ 0x1c, ['long']], 'SumCombinedBlocksReferenceCount' : [ 0x20, ['long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_HVIEW_MAP_TABLE' : [ 0x800, { 'Entries' : [ 0x0, ['array', 64, ['_HVIEW_MAP_ENTRY']]], } ], '_LDRP_CSLIST' : [ 0x8, { 'Tail' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_MI_RESERVATION_CLUSTER_INFO' : [ 0x4, { 'ClusterSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, 
native_type='unsigned long')]], 'EntireInfo' : [ 0x0, ['long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeFilteredPrivateLogger', 12: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer64', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_FS_FILTER_CALLBACKS' : [ 0x78, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : 
[ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], 'PreQueryOpen' : [ 0x68, ['pointer64', ['void']]], 'PostQueryOpen' : [ 0x70, ['pointer64', ['void']]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_POP_FX_PERF_SET' : [ 0x20, { 'PerfSet' : [ 0x0, ['pointer64', ['_PO_FX_COMPONENT_PERF_SET']]], 'CurrentPerf' : [ 0x8, ['unsigned long long']], 'CurrentPerfStamp' : [ 0x10, ['unsigned long long']], 'CurrentPerfNominal' : [ 0x18, ['unsigned char']], } ], '_PO_FX_PERF_STATE_CHANGE' : [ 0x10, { 'Set' : [ 0x0, ['unsigned long']], 'StateIndex' : [ 0x8, ['unsigned long']], 'StateValue' : [ 0x8, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x8, ['unsigned long']], } ], '_HVIEW_MAP_ENTRY' : [ 0x20, { 'ViewStart' : [ 0x0, ['pointer64', ['void']]], 'IsPinned' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Bcb' : [ 0x8, ['pointer64', ['void']]], 'PinnedPages' : [ 0x10, ['unsigned long long']], 'Size' : [ 0x18, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 
'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '__unnamed_2c3e' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, ['pointer64', ['_PO_FX_PERF_STATE']]], } ], '__unnamed_2c40' : [ 0x10, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], } ], '_PO_FX_COMPONENT_PERF_SET' : [ 0x30, { 'Name' : [ 0x0, ['_UNICODE_STRING']], 'Flags' : [ 0x10, ['unsigned long long']], 'Unit' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateUnitOther', 1: 'PoFxPerfStateUnitFrequency', 2: 'PoFxPerfStateUnitBandwidth', 3: 'PoFxPerfStateUnitMaximum'})]], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateTypeDiscrete', 1: 'PoFxPerfStateTypeRange', 2: 'PoFxPerfStateTypeMaximum'})]], 'Discrete' : [ 0x20, ['__unnamed_2c3e']], 'Range' : [ 0x20, ['__unnamed_2c40']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '__unnamed_2c46' : [ 0xc, { 'MessageAddressHigh' : [ 0x0, ['unsigned long']], 'MessageAddressLow' : [ 0x4, ['unsigned long']], 'MessageData' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['unsigned short']], } ], '__unnamed_2c48' : [ 0xc, { 'Msi' : [ 0x0, ['__unnamed_2c46']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 
0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, ['__unnamed_2c48']], } ], '_PO_FX_PERF_STATE' : [ 0x10, { 'Value' : [ 0x0, ['unsigned long long']], 'Context' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2c4e' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_2c50' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_2c56' : [ 0x10, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], 'OutputInformation' : [ 0x8, ['pointer64', ['_FS_FILTER_SECTION_SYNC_OUTPUT']]], } ], '__unnamed_2c5a' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_2c5c' : [ 0x20, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'FileInformation' : [ 0x8, ['pointer64', ['void']]], 'Length' : [ 0x10, ['pointer64', ['unsigned long']]], 'FileInformationClass' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 
'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileDispositionInformationEx', 65: 'FileRenameInformationEx', 66: 'FileRenameInformationExBypassAccessCheck', 67: 'FileDesiredStorageClassInformation', 68: 'FileStatInformation', 69: 'FileMaximumInformation'})]], } ], '__unnamed_2c5e' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_2c4e']], 
'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2c50']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2c56']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2c5a']], 'QueryOpen' : [ 0x0, ['__unnamed_2c5c']], 'Others' : [ 0x0, ['__unnamed_2c5e']], } ], '_FS_FILTER_SECTION_SYNC_OUTPUT' : [ 0x10, { 'StructureSize' : [ 0x0, ['unsigned long']], 'SizeReturned' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DesiredReadAlignment' : [ 0xc, ['unsigned long']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/xp_sp3_x86_vtypes.py0000644000000000000000000107211613131215405030271 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '__unnamed_1016' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1016']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_101b' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_101b']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Spare0' : [ 0x4, ['unsigned long']], 'Thread' : 
[ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_KPRCB' : [ 0xc50, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'PrcbPad0' : [ 0x3bc, ['array', 92, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 16, ['_KSPIN_LOCK_QUEUE']]], 'PrcbPad1' : [ 0x498, ['array', 8, ['unsigned char']]], 'NpxThread' : [ 0x4a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x4a4, ['unsigned long']], 'KernelTime' : [ 0x4a8, ['unsigned long']], 'UserTime' : [ 0x4ac, ['unsigned long']], 'DpcTime' : [ 0x4b0, ['unsigned long']], 'DebugDpcTime' : [ 0x4b4, ['unsigned long']], 'InterruptTime' : [ 0x4b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4bc, ['unsigned long']], 'PageColor' : [ 0x4c0, ['unsigned long']], 'SkipTick' : [ 0x4c4, ['unsigned long']], 'MultiThreadSetBusy' : [ 0x4c8, 
['unsigned char']], 'Spare2' : [ 0x4c9, ['array', 3, ['unsigned char']]], 'ParentNode' : [ 0x4cc, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x4d0, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x4d4, ['pointer', ['_KPRCB']]], 'ThreadStartCount' : [ 0x4d8, ['array', 2, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x4f8, ['unsigned long']], 'KeContextSwitches' : [ 0x4fc, ['unsigned long']], 'KeDcacheFlushCount' : [ 0x500, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x504, ['unsigned long']], 'KeFirstLevelTbFills' : [ 0x508, ['unsigned long']], 'KeFloatingEmulationCount' : [ 0x50c, ['unsigned long']], 'KeIcacheFlushCount' : [ 0x510, ['unsigned long']], 'KeSecondLevelTbFills' : [ 0x514, ['unsigned long']], 'KeSystemCalls' : [ 0x518, ['unsigned long']], 'SpareCounter0' : [ 0x51c, ['array', 1, ['unsigned long']]], 'PPLookasideList' : [ 0x520, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x5a0, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PPPagedLookasideList' : [ 0x6a0, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PacketBarrier' : [ 0x7a0, ['unsigned long']], 'ReverseStall' : [ 0x7a4, ['unsigned long']], 'IpiFrame' : [ 0x7a8, ['pointer', ['void']]], 'PrcbPad2' : [ 0x7ac, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x7e0, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x7ec, ['unsigned long']], 'WorkerRoutine' : [ 0x7f0, ['pointer', ['void']]], 'IpiFrozen' : [ 0x7f4, ['unsigned long']], 'PrcbPad3' : [ 0x7f8, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x820, ['unsigned long']], 'SignalDone' : [ 0x824, ['pointer', ['_KPRCB']]], 'PrcbPad4' : [ 0x828, ['array', 56, ['unsigned char']]], 'DpcListHead' : [ 
0x860, ['_LIST_ENTRY']], 'DpcStack' : [ 0x868, ['pointer', ['void']]], 'DpcCount' : [ 0x86c, ['unsigned long']], 'DpcQueueDepth' : [ 0x870, ['unsigned long']], 'DpcRoutineActive' : [ 0x874, ['unsigned long']], 'DpcInterruptRequested' : [ 0x878, ['unsigned long']], 'DpcLastCount' : [ 0x87c, ['unsigned long']], 'DpcRequestRate' : [ 0x880, ['unsigned long']], 'MaximumDpcQueueDepth' : [ 0x884, ['unsigned long']], 'MinimumDpcRate' : [ 0x888, ['unsigned long']], 'QuantumEnd' : [ 0x88c, ['unsigned long']], 'PrcbPad5' : [ 0x890, ['array', 16, ['unsigned char']]], 'DpcLock' : [ 0x8a0, ['unsigned long']], 'PrcbPad6' : [ 0x8a4, ['array', 28, ['unsigned char']]], 'CallDpc' : [ 0x8c0, ['_KDPC']], 'ChainedInterruptList' : [ 0x8e0, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x8e4, ['long']], 'SpareFields0' : [ 0x8e8, ['array', 6, ['unsigned long']]], 'VendorString' : [ 0x900, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x90d, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x90e, ['unsigned char']], 'MHz' : [ 0x910, ['unsigned long']], 'FeatureBits' : [ 0x914, ['unsigned long']], 'UpdateSignature' : [ 0x918, ['_LARGE_INTEGER']], 'NpxSaveArea' : [ 0x920, ['_FX_SAVE_AREA']], 'PowerState' : [ 0xb30, ['_PROCESSOR_POWER_STATE']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x100, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x100, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 
'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Exclusive' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x1c, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x14, ['unsigned long']], 'Exclusive' : [ 
0x18, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_ETHREAD' : [ 0x258, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1c0, ['_LARGE_INTEGER']], 'NestedFaultCount' : [ 0x1c0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'ApcNeeded' : [ 0x1c0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitTime' : [ 0x1c8, ['_LARGE_INTEGER']], 'LpcReplyChain' : [ 0x1c8, ['_LIST_ENTRY']], 'KeyedWaitChain' : [ 0x1c8, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1d0, ['long']], 'OfsChain' : [ 0x1d0, ['pointer', ['void']]], 'PostBlockList' : [ 0x1d4, ['_LIST_ENTRY']], 'TerminationPort' : [ 0x1dc, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1dc, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1dc, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x1e0, ['unsigned long']], 'ActiveTimerListHead' : [ 0x1e4, ['_LIST_ENTRY']], 'Cid' : [ 0x1ec, ['_CLIENT_ID']], 'LpcReplySemaphore' : [ 0x1f4, ['_KSEMAPHORE']], 'KeyedWaitSemaphore' : [ 0x1f4, ['_KSEMAPHORE']], 'LpcReplyMessage' : [ 0x208, ['pointer', ['void']]], 'LpcWaitingOnPort' : [ 0x208, ['pointer', ['void']]], 'ImpersonationInfo' : [ 0x20c, ['pointer', ['_PS_IMPERSONATION_INFORMATION']]], 'IrpList' : [ 0x210, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x218, ['unsigned long']], 'DeviceToVerify' : [ 0x21c, ['pointer', ['_DEVICE_OBJECT']]], 'ThreadsProcess' : [ 0x220, ['pointer', ['_EPROCESS']]], 'StartAddress' : [ 0x224, ['pointer', ['void']]], 'Win32StartAddress' : [ 0x228, ['pointer', ['void']]], 'LpcReceivedMessageId' : [ 0x228, ['unsigned long']], 'ThreadListEntry' : [ 0x22c, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x234, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x238, ['_EX_PUSH_LOCK']], 'LpcReplyMessageId' : [ 0x23c, ['unsigned long']], 'ReadClusterSize' : [ 0x240, ['unsigned long']], 'GrantedAccess' : [ 0x244, ['unsigned long']], 'CrossThreadFlags' : [ 0x248, ['unsigned 
long']], 'Terminated' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeadThread' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x248, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x248, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x24c, ['unsigned long']], 'ActiveExWorker' : [ 0x24c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x24c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x24c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x250, ['unsigned long']], 'LpcReceivedMsgIdValid' : [ 0x250, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'LpcExitThreadCalled' : [ 0x250, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'AddressSpaceOwner' : [ 0x250, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ForwardClusterOnly' : [ 0x254, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x255, ['unsigned char']], } ], '_EPROCESS' : [ 0x260, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x6c, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x70, 
['_LARGE_INTEGER']], 'ExitTime' : [ 0x78, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x80, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x84, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0x88, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0x90, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0x9c, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xa8, ['unsigned long']], 'PeakVirtualSize' : [ 0xac, ['unsigned long']], 'VirtualSize' : [ 0xb0, ['unsigned long']], 'SessionProcessLinks' : [ 0xb4, ['_LIST_ENTRY']], 'DebugPort' : [ 0xbc, ['pointer', ['void']]], 'ExceptionPort' : [ 0xc0, ['pointer', ['void']]], 'ObjectTable' : [ 0xc4, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xc8, ['_EX_FAST_REF']], 'WorkingSetLock' : [ 0xcc, ['_FAST_MUTEX']], 'WorkingSetPage' : [ 0xec, ['unsigned long']], 'AddressCreationLock' : [ 0xf0, ['_FAST_MUTEX']], 'HyperSpaceLock' : [ 0x110, ['unsigned long']], 'ForkInProgress' : [ 0x114, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x118, ['unsigned long']], 'VadRoot' : [ 0x11c, ['pointer', ['void']]], 'VadHint' : [ 0x120, ['pointer', ['void']]], 'CloneRoot' : [ 0x124, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x128, ['unsigned long']], 'NumberOfLockedPages' : [ 0x12c, ['unsigned long']], 'Win32Process' : [ 0x130, ['pointer', ['void']]], 'Job' : [ 0x134, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x138, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x13c, ['pointer', ['void']]], 'QuotaBlock' : [ 0x140, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x144, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x148, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x14c, ['pointer', ['void']]], 'LdtInformation' : [ 0x150, ['pointer', ['void']]], 'VadFreeHint' : [ 0x154, ['pointer', ['void']]], 'VdmObjects' : [ 0x158, ['pointer', ['void']]], 'DeviceMap' : [ 0x15c, ['pointer', ['void']]], 'PhysicalVadList' : [ 0x160, ['_LIST_ENTRY']], 'PageDirectoryPte' : [ 0x168, ['_HARDWARE_PTE']], 'Filler' : 
[ 0x168, ['unsigned long long']], 'Session' : [ 0x170, ['pointer', ['void']]], 'ImageFileName' : [ 0x174, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x184, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x18c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x190, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x198, ['pointer', ['void']]], 'PaeTop' : [ 0x19c, ['pointer', ['void']]], 'ActiveThreads' : [ 0x1a0, ['unsigned long']], 'GrantedAccess' : [ 0x1a4, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a8, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1ac, ['long']], 'Peb' : [ 0x1b0, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x1b4, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1e0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e8, ['unsigned long']], 'CommitChargePeak' : [ 0x1ec, ['unsigned long']], 'AweInfo' : [ 0x1f0, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1f4, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1f8, ['_MMSUPPORT']], 'LastFaultCount' : [ 0x238, ['unsigned long']], 'ModifiedPageCount' : [ 0x23c, ['unsigned long']], 'NumberOfVads' : [ 0x240, ['unsigned long']], 'JobStatus' : [ 0x244, ['unsigned long']], 'Flags' : [ 0x248, ['unsigned long']], 'CreateReported' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 
'VmDeleted' : [ 0x248, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x248, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'HasPhysicalVad' : [ 0x248, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x248, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x248, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x248, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SessionCreationUnderway' : [ 0x248, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x248, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x248, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x248, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x248, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x248, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x248, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x248, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Unused3' : [ 0x248, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Unused4' : [ 0x248, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x248, ['BitField', dict(start_bit = 24, 
end_bit = 25, native_type='unsigned long')]], 'Unused' : [ 0x248, ['BitField', dict(start_bit = 25, end_bit = 30, native_type='unsigned long')]], 'Unused1' : [ 0x248, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Unused2' : [ 0x248, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x24c, ['long']], 'NextPageColor' : [ 0x250, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x252, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x253, ['unsigned char']], 'SubSystemVersion' : [ 0x252, ['unsigned short']], 'PriorityClass' : [ 0x254, ['unsigned char']], 'WorkingSetAcquiredUnsafe' : [ 0x255, ['unsigned char']], 'Cookie' : [ 0x258, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x190, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x38, ['_LIST_ENTRY']], 'Name' : [ 0x40, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x48, ['pointer', ['void']]], 'Index' : [ 0x4c, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x50, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x54, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x58, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x5c, ['unsigned long']], 'TypeInfo' : [ 0x60, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0xac, ['unsigned long']], 'ObjectLocks' : [ 0xb0, ['array', 4, ['_ERESOURCE']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_KTHREAD' : [ 0x1c0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListHead' : [ 0x10, ['_LIST_ENTRY']], 'InitialStack' : [ 0x18, ['pointer', ['void']]], 'StackLimit' : [ 0x1c, 
['pointer', ['void']]], 'Teb' : [ 0x20, ['pointer', ['void']]], 'TlsArray' : [ 0x24, ['pointer', ['void']]], 'KernelStack' : [ 0x28, ['pointer', ['void']]], 'DebugActive' : [ 0x2c, ['unsigned char']], 'State' : [ 0x2d, ['unsigned char']], 'Alerted' : [ 0x2e, ['array', 2, ['unsigned char']]], 'Iopl' : [ 0x30, ['unsigned char']], 'NpxState' : [ 0x31, ['unsigned char']], 'Saturation' : [ 0x32, ['unsigned char']], 'Priority' : [ 0x33, ['unsigned char']], 'ApcState' : [ 0x34, ['_KAPC_STATE']], 'ContextSwitches' : [ 0x4c, ['unsigned long']], 'IdleSwapBlock' : [ 0x50, ['unsigned char']], 'Spare0' : [ 0x51, ['array', 3, ['unsigned char']]], 'WaitStatus' : [ 0x54, ['long']], 'WaitIrql' : [ 0x58, ['unsigned char']], 'WaitMode' : [ 0x59, ['unsigned char']], 'WaitNext' : [ 0x5a, ['unsigned char']], 'WaitReason' : [ 0x5b, ['unsigned char']], 'WaitBlockList' : [ 0x5c, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x60, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'WaitTime' : [ 0x68, ['unsigned long']], 'BasePriority' : [ 0x6c, ['unsigned char']], 'DecrementCount' : [ 0x6d, ['unsigned char']], 'PriorityDecrement' : [ 0x6e, ['unsigned char']], 'Quantum' : [ 0x6f, ['unsigned char']], 'WaitBlock' : [ 0x70, ['array', 4, ['_KWAIT_BLOCK']]], 'LegoData' : [ 0xd0, ['pointer', ['void']]], 'KernelApcDisable' : [ 0xd4, ['unsigned long']], 'UserAffinity' : [ 0xd8, ['unsigned long']], 'SystemAffinityActive' : [ 0xdc, ['unsigned char']], 'PowerState' : [ 0xdd, ['unsigned char']], 'NpxIrql' : [ 0xde, ['unsigned char']], 'InitialNode' : [ 0xdf, ['unsigned char']], 'ServiceTable' : [ 0xe0, ['pointer', ['void']]], 'Queue' : [ 0xe4, ['pointer', ['_KQUEUE']]], 'ApcQueueLock' : [ 0xe8, ['unsigned long']], 'Timer' : [ 0xf0, ['_KTIMER']], 'QueueListEntry' : [ 0x118, ['_LIST_ENTRY']], 'SoftAffinity' : [ 0x120, ['unsigned long']], 'Affinity' : [ 0x124, ['unsigned long']], 'Preempted' : [ 0x128, ['unsigned char']], 'ProcessReadyQueue' : [ 0x129, ['unsigned char']], 
'KernelStackResident' : [ 0x12a, ['unsigned char']], 'NextProcessor' : [ 0x12b, ['unsigned char']], 'CallbackStack' : [ 0x12c, ['pointer', ['void']]], 'Win32Thread' : [ 0x130, ['pointer', ['void']]], 'TrapFrame' : [ 0x134, ['pointer', ['_KTRAP_FRAME']]], 'ApcStatePointer' : [ 0x138, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'PreviousMode' : [ 0x140, ['unsigned char']], 'EnableStackSwap' : [ 0x141, ['unsigned char']], 'LargeStack' : [ 0x142, ['unsigned char']], 'ResourceIndex' : [ 0x143, ['unsigned char']], 'KernelTime' : [ 0x144, ['unsigned long']], 'UserTime' : [ 0x148, ['unsigned long']], 'SavedApcState' : [ 0x14c, ['_KAPC_STATE']], 'Alertable' : [ 0x164, ['unsigned char']], 'ApcStateIndex' : [ 0x165, ['unsigned char']], 'ApcQueueable' : [ 0x166, ['unsigned char']], 'AutoAlignment' : [ 0x167, ['unsigned char']], 'StackBase' : [ 0x168, ['pointer', ['void']]], 'SuspendApc' : [ 0x16c, ['_KAPC']], 'SuspendSemaphore' : [ 0x19c, ['_KSEMAPHORE']], 'ThreadListEntry' : [ 0x1b0, ['_LIST_ENTRY']], 'FreezeCount' : [ 0x1b8, ['unsigned char']], 'SuspendCount' : [ 0x1b9, ['unsigned char']], 'IdealProcessor' : [ 0x1ba, ['unsigned char']], 'DisableBoost' : [ 0x1bb, ['unsigned char']], } ], '__unnamed_10f2' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_10f2']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], '__unnamed_10fe' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_10fe']], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 
'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 
'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' 
: [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_116f' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 
0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_116f']], } ], '__unnamed_1176' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1176']], } ], '__unnamed_117f' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_117f']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], } ], '_SHARED_CACHE_MAP' : [ 0x130, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 
'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObject' : [ 0x44, ['pointer', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'VacbPushLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, 
['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], } ], '__unnamed_11a9' : [ 0x10, { 'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_11ab' : [ 0x2, { 'FreeListsInUseTerminate' : [ 0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' : [ 0x588, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'ForceFlags' : [ 0x10, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x14, ['unsigned long']], 'SegmentReserve' : [ 0x18, ['unsigned long']], 'SegmentCommit' : [ 0x1c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x20, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x24, ['unsigned long']], 'TotalFreeSize' : [ 0x28, ['unsigned long']], 'MaximumAllocationSize' : [ 0x2c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x30, ['unsigned short']], 'HeaderValidateLength' : [ 0x32, ['unsigned short']], 'HeaderValidateCopy' : [ 0x34, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x38, ['unsigned short']], 'MaximumTagIndex' : [ 0x3a, ['unsigned short']], 'TagEntries' : [ 0x3c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x40, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x44, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AlignRound' : [ 0x48, ['unsigned long']], 'AlignMask' : [ 0x4c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x50, ['_LIST_ENTRY']], 'Segments' : [ 0x58, ['array', 64, ['pointer', ['_HEAP_SEGMENT']]]], 'u' : [ 0x158, ['__unnamed_11a9']], 'u2' : [ 0x168, ['__unnamed_11ab']], 'AllocatorBackTraceIndex' : [ 0x16a, ['unsigned short']], 'NonDedicatedListLength' : [ 0x16c, ['unsigned long']], 'LargeBlocksIndex' : [ 0x170, ['pointer', ['void']]], 
'PseudoTagEntries' : [ 0x174, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x178, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0x578, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x57c, ['pointer', ['void']]], 'FrontEndHeap' : [ 0x580, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0x584, ['unsigned short']], 'FrontEndHeapType' : [ 0x586, ['unsigned char']], 'LastSegmentIndex' : [ 0x587, ['unsigned char']], } ], '_HEAP_SEGMENT' : [ 0x3c, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Heap' : [ 0x10, ['pointer', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x14, ['unsigned long']], 'BaseAddress' : [ 0x18, ['pointer', ['void']]], 'NumberOfPages' : [ 0x1c, ['unsigned long']], 'FirstEntry' : [ 0x20, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x28, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x2c, ['unsigned long']], 'UnCommittedRanges' : [ 0x30, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'LastEntryInSegment' : [ 0x38, ['pointer', ['_HEAP_ENTRY']]], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'Bucket' : [ 0x0, ['pointer', ['void']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'FreeThreshold' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_HEAP_UCR_SEGMENT' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x4, ['unsigned long']], 'CommittedSize' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, 
['unsigned long']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x50, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['void']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], } ], '_HEAP_UNCOMMMTTED_RANGE' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x110, { 'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, 
['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, ['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long']], 'ResourceDatabase' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x30, ['pointer', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x34, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x38, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x3c, ['unsigned long']], 'NodesSearched' : [ 0x40, ['unsigned long']], 'MaxNodesSearched' : [ 0x44, ['unsigned long']], 'SequenceNumber' : [ 0x48, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4c, ['unsigned long']], 'SearchedNodesLimit' : [ 0x50, ['unsigned long']], 'DepthLimitHits' : [ 0x54, ['unsigned long']], 'SearchLimitHits' : [ 0x58, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x5c, ['unsigned long']], 'FreeResourceList' : [ 0x60, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x68, ['_LIST_ENTRY']], 'FreeNodeList' : [ 0x70, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0x78, ['unsigned long']], 'FreeThreadCount' : [ 0x7c, ['unsigned long']], 'FreeNodeCount' : [ 0x80, ['unsigned long']], 'Instigator' : [ 0x84, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x88, ['unsigned long']], 'Participant' : [ 0x8c, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x10c, ['unsigned long']], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long 
long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WMI_LOGGER_CONTEXT' : [ 0x1c8, { 'BufferSpinLock' : [ 0x0, ['unsigned long']], 'StartTime' : [ 0x8, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x10, ['pointer', ['void']]], 'LoggerSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'LoggerThread' : [ 0x28, ['pointer', ['_ETHREAD']]], 'LoggerEvent' : [ 0x2c, ['_KEVENT']], 'FlushEvent' : [ 0x3c, ['_KEVENT']], 'LoggerStatus' : [ 0x4c, ['long']], 'LoggerId' : [ 0x50, ['unsigned long']], 'BuffersAvailable' : [ 0x54, ['long']], 'UsePerfClock' : [ 0x58, ['unsigned long']], 'WriteFailureLimit' : [ 0x5c, ['unsigned long']], 'BuffersDirty' : [ 0x60, ['unsigned long']], 'BuffersInUse' : [ 0x64, ['unsigned long']], 'SwitchingInProgress' : [ 0x68, ['unsigned long']], 'FreeList' : [ 0x70, ['_SLIST_HEADER']], 'FlushList' : [ 0x78, ['_SLIST_HEADER']], 'GlobalList' : [ 0x80, ['_SLIST_HEADER']], 'ProcessorBuffers' : [ 0x88, ['pointer', ['_SLIST_HEADER']]], 'LoggerName' : [ 0x8c, ['_UNICODE_STRING']], 'LogFileName' : [ 0x94, ['_UNICODE_STRING']], 'LogFilePattern' 
: [ 0x9c, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xa4, ['_UNICODE_STRING']], 'EndPageMarker' : [ 0xac, ['pointer', ['unsigned char']]], 'CollectionOn' : [ 0xb0, ['long']], 'KernelTraceOn' : [ 0xb4, ['unsigned long']], 'PerfLogInTransition' : [ 0xb8, ['long']], 'RequestFlag' : [ 0xbc, ['unsigned long']], 'EnableFlags' : [ 0xc0, ['unsigned long']], 'MaximumFileSize' : [ 0xc4, ['unsigned long']], 'LoggerMode' : [ 0xc8, ['unsigned long']], 'LoggerModeFlags' : [ 0xc8, ['_WMI_LOGGER_MODE']], 'LastFlushedBuffer' : [ 0xcc, ['unsigned long']], 'RefCount' : [ 0xd0, ['unsigned long']], 'FlushTimer' : [ 0xd4, ['unsigned long']], 'FirstBufferOffset' : [ 0xd8, ['_LARGE_INTEGER']], 'ByteOffset' : [ 0xe0, ['_LARGE_INTEGER']], 'BufferAgeLimit' : [ 0xe8, ['_LARGE_INTEGER']], 'MaximumBuffers' : [ 0xf0, ['unsigned long']], 'MinimumBuffers' : [ 0xf4, ['unsigned long']], 'EventsLost' : [ 0xf8, ['unsigned long']], 'BuffersWritten' : [ 0xfc, ['unsigned long']], 'LogBuffersLost' : [ 0x100, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x104, ['unsigned long']], 'BufferSize' : [ 0x108, ['unsigned long']], 'NumberOfBuffers' : [ 0x10c, ['long']], 'SequencePtr' : [ 0x110, ['pointer', ['long']]], 'InstanceGuid' : [ 0x114, ['_GUID']], 'LoggerHeader' : [ 0x124, ['pointer', ['void']]], 'GetCpuClock' : [ 0x128, ['pointer', ['void']]], 'ClientSecurityContext' : [ 0x12c, ['_SECURITY_CLIENT_CONTEXT']], 'LoggerExtension' : [ 0x168, ['pointer', ['void']]], 'ReleaseQueue' : [ 0x16c, ['long']], 'EnableFlagExtension' : [ 0x170, ['_TRACE_ENABLE_FLAG_EXTENSION']], 'LocalSequence' : [ 0x174, ['unsigned long']], 'MaximumIrql' : [ 0x178, ['unsigned long']], 'EnableFlagArray' : [ 0x17c, ['pointer', ['unsigned long']]], 'LoggerMutex' : [ 0x180, ['_KMUTANT']], 'MutexCount' : [ 0x1a0, ['long']], 'FileCounter' : [ 0x1a4, ['unsigned long']], 'BufferCallback' : [ 0x1a8, ['pointer', ['void']]], 'CallbackContext' : [ 0x1ac, ['pointer', ['void']]], 'PoolType' : [ 0x1b0, ['Enumeration', dict(target = 'long', choices = 
{0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceSystemTime' : [ 0x1b8, ['_LARGE_INTEGER']], 'ReferenceTimeStamp' : [ 0x1c0, ['_LARGE_INTEGER']], } ], '_SEGMENT_OBJECT' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x20, ['pointer', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x24, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x28, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_123f' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 0x30, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSubsections' : [ 0x18, ['unsigned short']], 'FlushInProgressCount' : [ 0x1a, ['unsigned short']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_123f']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'NumberOfSystemCacheViews' : [ 0x2e, ['unsigned short']], } ], '_HANDLE_TABLE' : [ 0x44, { 
'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleTableLock' : [ 0xc, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x1c, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x24, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x28, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x2c, ['long']], 'FirstFree' : [ 0x30, ['unsigned long']], 'LastFree' : [ 0x34, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x38, ['unsigned long']], 'HandleCount' : [ 0x3c, ['long']], 'Flags' : [ 0x40, ['unsigned long']], 'StrictFIFO' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'ProcessBilled' : [ 0x4, ['pointer', ['_EPROCESS']]], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned short']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_MMSUPPORT' : [ 0x40, { 'LastTrimTime' : [ 0x0, ['_LARGE_INTEGER']], 'Flags' : [ 0x8, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0xc, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x10, ['unsigned long']], 'WorkingSetSize' : [ 0x14, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x18, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x1c, ['unsigned long']], 'VmWorkingSetList' : [ 0x20, ['pointer', ['_MMWSL']]], 'WorkingSetExpansionLinks' : [ 0x24, ['_LIST_ENTRY']], 'Claim' : [ 0x2c, ['unsigned long']], 'NextEstimationSlot' : [ 0x30, ['unsigned long']], 'NextAgingSlot' : [ 0x34, ['unsigned long']], 'EstimatedAvailable' : [ 0x38, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x3c, ['unsigned long']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]], 'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['unsigned short']]], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_EPROCESS_QUOTA_BLOCK' : [ 0x40, { 'QuotaEntry' : [ 0x0, ['array', 3, ['_EPROCESS_QUOTA_ENTRY']]], 'QuotaList' : [ 0x30, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x38, ['unsigned long']], 'ProcessCount' : [ 0x3c, ['unsigned long']], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_EVENT_COUNTER' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'RefCount' : [ 0x4, ['unsigned long']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_EJOB' : [ 0x180, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 
0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'UIRestrictionsClass' : [ 0xb0, ['unsigned long']], 'SecurityLimitFlags' : [ 0xb4, ['unsigned long']], 'Token' : [ 0xb8, ['pointer', ['void']]], 'Filter' : [ 0xbc, ['pointer', ['_PS_JOB_TOKEN_FILTER']]], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'IoInfo' : [ 0x108, ['_IO_COUNTERS']], 'ProcessMemoryLimit' : [ 0x138, ['unsigned long']], 'JobMemoryLimit' : [ 0x13c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x140, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x144, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x148, ['unsigned long']], 'MemoryLimitsLock' : [ 0x14c, ['_FAST_MUTEX']], 'JobSetLinks' : [ 0x16c, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x174, ['unsigned long']], 'JobFlags' : [ 0x178, ['unsigned long']], } ], '_LARGE_CONTROL_AREA' : [ 0x40, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 
'NumberOfSubsections' : [ 0x18, ['unsigned short']], 'FlushInProgressCount' : [ 0x1a, ['unsigned short']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_123f']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'NumberOfSystemCacheViews' : [ 0x2e, ['unsigned short']], 'StartingFrame' : [ 0x30, ['unsigned long']], 'UserGlobalList' : [ 0x34, ['_LIST_ENTRY']], 'SessionId' : [ 0x3c, ['unsigned long']], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x24, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x8, ['unsigned long']], 'CapturedGroupCount' : [ 0xc, ['unsigned long']], 'CapturedGroups' : [ 0x10, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x14, ['unsigned long']], 'CapturedPrivilegeCount' : [ 0x18, ['unsigned long']], 'CapturedPrivileges' : [ 0x1c, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x20, ['unsigned long']], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x70, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, 
['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'Reserved' : [ 0x68, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_FILE_OBJECT' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' 
: [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], 
'_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', 
dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'HadUserReference' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', 
['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_TRACE_ENABLE_FLAG_EXTENSION' : [ 0x4, { 'Offset' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned char']], 'Flag' : [ 0x3, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x18, { 'Name' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'CmHive' : [ 0x8, ['pointer', ['_CMHIVE']]], 'Flags' : [ 0xc, ['unsigned long']], 'CmHive2' : [ 0x10, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x14, ['unsigned char']], 'ThreadStarted' : [ 0x15, ['unsigned char']], 'Allocate' : [ 0x16, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0xc, { 'Token' : [ 0x0, ['pointer', ['void']]], 'CopyOnOpen' : [ 0x4, ['unsigned char']], 'EffectiveOnly' : [ 0x5, ['unsigned char']], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_12ed' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], } ], '__unnamed_12ef' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_12f3' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 
'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x118, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted'})]], 'PreviousState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted'})]], 'StateHistory' 
: [ 0x20, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted'})]]], 'StateHistoryEntry' : [ 0x70, ['unsigned long']], 'CompletionStatus' : [ 0x74, ['long']], 'PendingIrp' : [ 0x78, ['pointer', ['_IRP']]], 'Flags' : [ 0x7c, ['unsigned long']], 'UserFlags' : [ 0x80, ['unsigned long']], 'Problem' : [ 0x84, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x88, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x8c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x90, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x94, ['_UNICODE_STRING']], 'ServiceName' : [ 0x9c, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xa4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xa8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xb0, ['unsigned long']], 'ChildInterfaceType' : [ 0xb4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 
'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xb8, ['unsigned long']], 'ChildBusTypeIndex' : [ 0xbc, ['unsigned short']], 'RemovalPolicy' : [ 0xbe, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xbf, ['unsigned char']], 'TargetDeviceNotify' : [ 0xc0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xc8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0xd0, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0xd8, ['unsigned short']], 'QueryTranslatorMask' : [ 0xda, ['unsigned short']], 'NoArbiterMask' : [ 0xdc, ['unsigned short']], 'QueryArbiterMask' : [ 0xde, ['unsigned short']], 'OverUsed1' : [ 0xe0, ['__unnamed_12ed']], 'OverUsed2' : [ 0xe4, ['__unnamed_12ef']], 'BootResources' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0xec, ['unsigned long']], 'DockInfo' : [ 0xf0, ['__unnamed_12f3']], 'DisableableDepends' : [ 0x100, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x104, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x10c, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x114, ['unsigned long']], } ], '__unnamed_12f8' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_12f8']], } ], '_KPCR' : [ 0xd70, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 
'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'DebugActive' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_MMCOLOR_TABLES' : [ 0xc, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_1317' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'ReadStatus' : [ 0x0, ['long']], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1319' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_131c' : [ 0x4, { 'ShortFlags' : [ 0x0, ['unsigned short']], 'ReferenceCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_131e' : [ 0x4, { 'e1' : [ 0x0, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_131c']], } ], '__unnamed_1325' : [ 0x4, { 'EntireFrame' : [ 0x0, ['unsigned long']], 'PteFrame' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 26, native_type='unsigned long')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'LockCharged' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'KernelStack' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1317']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'u2' : [ 0x8, ['__unnamed_1319']], 'u3' : [ 0xc, ['__unnamed_131e']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'u4' : [ 0x14, ['__unnamed_1325']], } ], '__unnamed_132b' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1278, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_132b']], 'SessionId' : [ 0x8, ['unsigned long']], 'SessionPageDirectoryIndex' : [ 0xc, ['unsigned long']], 'GlobalVirtualAddress' : [ 0x10, ['pointer', ['_MM_SESSION_SPACE']]], 'ProcessList' : [ 0x14, ['_LIST_ENTRY']], 'NonPagedPoolBytes' : [ 0x1c, ['unsigned long']], 'PagedPoolBytes' : [ 0x20, ['unsigned long']], 'NonPagedPoolAllocations' : [ 0x24, ['unsigned long']], 'PagedPoolAllocations' : [ 0x28, ['unsigned long']], 'NonPagablePages' : [ 0x2c, ['unsigned long']], 'CommittedPages' : [ 0x30, ['unsigned long']], 'LastProcessSwappedOutTime' : [ 0x38, ['_LARGE_INTEGER']], 'PageTables' : [ 0x40, ['pointer', ['_MMPTE']]], 'PagedPoolMutex' : [ 0x44, ['_FAST_MUTEX']], 'PagedPoolStart' : [ 0x64, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x68, ['pointer', ['void']]], 'PagedPoolBasePde' : [ 0x6c, ['pointer', 
['_MMPTE']]], 'PagedPoolInfo' : [ 0x70, ['_MM_PAGED_POOL_INFO']], 'Color' : [ 0x94, ['unsigned long']], 'ProcessOutSwapCount' : [ 0x98, ['unsigned long']], 'ImageList' : [ 0x9c, ['_LIST_ENTRY']], 'GlobalPteEntry' : [ 0xa4, ['pointer', ['_MMPTE']]], 'CopyOnWriteCount' : [ 0xa8, ['unsigned long']], 'SessionPoolAllocationFailures' : [ 0xac, ['array', 4, ['unsigned long']]], 'AttachCount' : [ 0xbc, ['unsigned long']], 'AttachEvent' : [ 0xc0, ['_KEVENT']], 'LastProcess' : [ 0xd0, ['pointer', ['_EPROCESS']]], 'Vm' : [ 0xd8, ['_MMSUPPORT']], 'Wsle' : [ 0x118, ['pointer', ['_MMWSLE']]], 'WsLock' : [ 0x11c, ['_ERESOURCE']], 'WsListEntry' : [ 0x154, ['_LIST_ENTRY']], 'Session' : [ 0x15c, ['_MMSESSION']], 'Win32KDriverObject' : [ 0x198, ['_DRIVER_OBJECT']], 'WorkingSetLockOwner' : [ 0x240, ['pointer', ['_ETHREAD']]], 'PagedPool' : [ 0x244, ['_POOL_DESCRIPTOR']], 'ProcessReferenceToSession' : [ 0x126c, ['long']], 'LocaleId' : [ 0x1270, ['unsigned long']], } ], '_PEB' : [ 0x210, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'SpareBool' : [ 0x3, ['unsigned char']], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'FastPebLockRoutine' : [ 0x20, ['pointer', ['void']]], 'FastPebUnlockRoutine' : [ 0x24, ['pointer', ['void']]], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['pointer', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned 
long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['void']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, 
['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['void']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['void']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['void']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['void']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerThreads' : [ 0x18, ['array', 2, ['_OWNER_ENTRY']]], 'ContentionCount' : [ 0x28, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x2c, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x2e, ['unsigned short']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : 
[ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x10, { 'Usage' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], 'Peak' : [ 0x8, ['unsigned long']], 'Return' : [ 0xc, 
['unsigned long']], } ], '__unnamed_1362' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1362']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'Reserved1' : [ 0x0, ['unsigned long long']], 'Reserved2' : [ 0x8, ['unsigned long long']], 'Reserved3' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['pointer', ['void']]], 'SlistEntry' : [ 0x1c, ['_SINGLE_LIST_ENTRY']], 'Entry' : [ 0x18, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x0, ['long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'UsePerfClock' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['_WMI_CLIENT_CONTEXT']], 'State' : [ 0x2c, ['_WMI_BUFFER_STATE']], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'EventsLost' : [ 0x34, ['unsigned long']], 'InstanceGuid' : [ 0x38, ['_GUID']], 'LoggerContext' : [ 0x38, ['pointer', ['void']]], 'GlobalEntry' : [ 0x3c, ['_SINGLE_LIST_ENTRY']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x120, { 'IdleFunction' : [ 0x0, ['pointer', ['void']]], 'Idle0KernelTimeLimit' : [ 0x4, ['unsigned long']], 'Idle0LastTime' : [ 0x8, ['unsigned long']], 'IdleHandlers' : [ 0xc, ['pointer', ['void']]], 'IdleState' : [ 0x10, ['pointer', ['void']]], 'IdleHandlersCount' : [ 0x14, ['unsigned long']], 'LastCheck' : [ 0x18, ['unsigned long long']], 'IdleTimes' : [ 0x20, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' : [ 0x40, ['unsigned long']], 'PromotionCheck' : [ 0x44, ['unsigned long']], 'IdleTime2' : [ 0x48, ['unsigned long']], 'CurrentThrottle' : [ 0x4c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x4d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x4e, ['unsigned 
char']], 'ThermalThrottleIndex' : [ 0x4f, ['unsigned char']], 'LastKernelUserTime' : [ 0x50, ['unsigned long']], 'LastIdleThreadKernelTime' : [ 0x54, ['unsigned long']], 'PackageIdleStartTime' : [ 0x58, ['unsigned long']], 'PackageIdleTime' : [ 0x5c, ['unsigned long']], 'DebugCount' : [ 0x60, ['unsigned long']], 'LastSysTime' : [ 0x64, ['unsigned long']], 'TotalIdleStateTime' : [ 0x68, ['array', 3, ['unsigned long long']]], 'TotalIdleTransitions' : [ 0x80, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0x90, ['unsigned long long']], 'KneeThrottleIndex' : [ 0x98, ['unsigned char']], 'ThrottleLimitIndex' : [ 0x99, ['unsigned char']], 'PerfStatesCount' : [ 0x9a, ['unsigned char']], 'ProcessorMinThrottle' : [ 0x9b, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x9c, ['unsigned char']], 'EnableIdleAccounting' : [ 0x9d, ['unsigned char']], 'LastC3Percentage' : [ 0x9e, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0x9f, ['unsigned char']], 'PromotionCount' : [ 0xa0, ['unsigned long']], 'DemotionCount' : [ 0xa4, ['unsigned long']], 'ErrorCount' : [ 0xa8, ['unsigned long']], 'RetryCount' : [ 0xac, ['unsigned long']], 'Flags' : [ 0xb0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xb8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xc0, ['unsigned long']], 'PerfTimer' : [ 0xc8, ['_KTIMER']], 'PerfDpc' : [ 0xf0, ['_KDPC']], 'PerfStates' : [ 0x110, ['pointer', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x114, ['pointer', ['void']]], 'LastC3KernelUserTime' : [ 0x118, ['unsigned long']], 'LastPackageIdleTime' : [ 0x11c, ['unsigned long']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x4, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WriteInProgress' : [ 0x0, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned long')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned long')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'LockCharged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 'WriteTransferCount' : [ 0x20, ['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned 
long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x4c, { 'IdleCount' : [ 0x0, ['unsigned long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x10, ['_LIST_ENTRY']], 'DeviceType' : [ 0x18, ['unsigned char']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x20, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x28, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x30, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x44, ['_LIST_ENTRY']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'AddressSpaceBeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'AllowWorkingSetAdjustment' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'MemoryPriority' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POP_THERMAL_ZONE' : [ 0xd0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 
0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x7c, ['pointer', ['_IRP']]], 'Info' : [ 0x80, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, 
['_HEAP_ENTRY']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 
'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, 
native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CMHIVE' : [ 0x49c, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x210, ['array', 3, ['pointer', ['void']]]], 'NotifyList' : [ 0x21c, ['_LIST_ENTRY']], 'HiveList' : [ 0x224, ['_LIST_ENTRY']], 'HiveLock' : [ 0x22c, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x230, ['pointer', ['_FAST_MUTEX']]], 'LRUViewListHead' : [ 0x234, ['_LIST_ENTRY']], 'PinViewListHead' : [ 0x23c, ['_LIST_ENTRY']], 'FileObject' : [ 0x244, ['pointer', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x248, ['_UNICODE_STRING']], 'FileUserName' : [ 0x250, ['_UNICODE_STRING']], 'MappedViews' : [ 0x258, ['unsigned short']], 'PinnedViews' : [ 0x25a, ['unsigned short']], 'UseCount' : [ 0x25c, ['unsigned long']], 'SecurityCount' : [ 0x260, ['unsigned long']], 'SecurityCacheSize' : [ 0x264, ['unsigned long']], 'SecurityHitHint' : [ 0x268, ['long']], 'SecurityCache' : [ 0x26c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x270, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0x470, ['pointer', ['_KEVENT']]], 'RootKcb' : [ 0x474, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x478, ['unsigned char']], 'UnloadWorkItem' : [ 0x47c, ['pointer', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0x480, ['unsigned char']], 'GrowOffset' : [ 0x484, ['unsigned long']], 'KcbConvertListHead' : [ 0x488, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x490, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x498, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x50004, { 'CurrentStackIndex' : [ 0x0, ['unsigned long']], 'TraceDb' : [ 0x4, ['array', 4096, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x210, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 
'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'RealWrites' : [ 0x38, ['unsigned char']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 'ReadOnly' : [ 0x41, ['unsigned char']], 'Log' : [ 0x42, ['unsigned char']], 'HiveFlags' : [ 0x44, ['unsigned long']], 'LogSize' : [ 0x48, ['unsigned long']], 'RefreshCount' : [ 0x4c, ['unsigned long']], 'StorageTypeCount' : [ 0x50, ['unsigned long']], 'Version' : [ 0x54, ['unsigned long']], 'Storage' : [ 0x58, ['array', 2, ['_DUAL']]], } ], '_PAGEFAULT_HISTORY' : [ 0x18, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['pointer', ['void']]], 'WatchInfo' : [ 0x10, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['unsigned short']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Filler0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned long')]], 'HasWsLock' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned 
long')]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_WMI_BUFFER_STATE' : [ 0x4, { 'Free' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'InUse' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Flush' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_MMFREE_POOL_ENTRY' : [ 0x14, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Size' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], 'Owner' : [ 0x10, ['pointer', ['_MMFREE_POOL_ENTRY']]], } ], '__unnamed_143b' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', 
['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_143b']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 0x24, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 
'PinViewList' : [ 0x8, ['_LIST_ENTRY']], 'FileOffset' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], 'ViewAddress' : [ 0x18, ['pointer', ['unsigned long']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'UseCount' : [ 0x20, ['unsigned long']], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_KUSER_SHARED_DATA' : [ 0x338, { 'TickCountLow' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'Reserved2' : [ 0x244, ['array', 8, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 
0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x4c, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x2c, ['pointer', ['void']]], 'OpenProcedure' : [ 0x30, ['pointer', ['void']]], 'CloseProcedure' : [ 0x34, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x38, ['pointer', ['void']]], 'ParseProcedure' : [ 0x3c, ['pointer', ['void']]], 
'SecurityProcedure' : [ 0x40, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x44, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x48, ['pointer', ['void']]], } ], '__unnamed_1481' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'u' : [ 0x4, ['__unnamed_1481']], 'StartingSector' : [ 0x8, ['unsigned long']], 'NumberOfFullSectors' : [ 0xc, ['unsigned long']], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'UnusedPtes' : [ 0x14, ['unsigned long']], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'NextSubsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], } ], '_WMI_LOGGER_MODE' : [ 0x4, { 'SequentialFile' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CircularFile' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'AppendFile' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'RealTime' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DelayOpenFile' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'BufferOnly' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PrivateLogger' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'AddHeader' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'UseExisting' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'UseGlobalSequence' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'UseLocalSequence' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Unused2' : [ 
0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '__unnamed_1492' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_1495' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_1498' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_149e' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x34, { 'StartingVpn' : [ 0x0, ['unsigned long']], 'EndingVpn' : [ 0x4, ['unsigned long']], 'Parent' : [ 0x8, ['pointer', ['_MMVAD']]], 'LeftChild' : [ 0xc, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer', ['_MMVAD']]], 'u' : [ 0x14, ['__unnamed_1492']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_1495']], 'u3' : [ 0x28, ['__unnamed_1498']], 'u4' : [ 0x30, ['__unnamed_149e']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'PhysicalMapping' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ImageMap' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'UserPhysicalPages' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, 
native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'WriteWatch' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_POOL_DESCRIPTOR' : [ 0x1028, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, ['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['void']]], 'PendingFreeDepth' : [ 0x24, ['long']], 'ListHeads' : [ 0x28, ['array', 512, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x28, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned 
long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x24, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x4, ['pointer', ['_RTL_BITMAP']]], 'PagedPoolLargeSessionAllocationMap' : [ 0x8, ['pointer', ['_RTL_BITMAP']]], 'FirstPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0x10, ['pointer', ['_MMPTE']]], 'NextPdeForPagedPoolExpansion' : [ 0x14, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x18, ['unsigned long']], 'PagedPoolCommit' : [ 0x1c, ['unsigned long']], 'AllocatedPagedPool' : [ 0x20, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['unsigned short']]], } ], '_MMSESSION' : [ 0x3c, { 'SystemSpaceViewLock' : [ 0x0, ['_FAST_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_FAST_MUTEX']]], 'SystemSpaceViewStart' : [ 0x24, ['pointer', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x28, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x30, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x34, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x38, ['pointer', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned 
long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0xc, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long']], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 0x8, { 'FaultingPc' : [ 0x0, ['pointer', ['void']]], 'FaultingVa' : [ 0x4, ['pointer', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 31, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_DEADLOCK_NODE' : [ 0x68, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SequenceNumber' : [ 0x24, ['BitField', 
dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x48, ['array', 8, ['pointer', ['void']]]], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, 
['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0xc8, { 'Next' : [ 0x0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'Slot' : [ 0x20, ['_PCI_SLOT_NUMBER']], 
'PhysicalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x28, ['pointer', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x2c, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x30, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x34, ['unsigned long']], 'VendorId' : [ 0x38, ['unsigned short']], 'DeviceId' : [ 0x3a, ['unsigned short']], 'SubsystemVendorId' : [ 0x3c, ['unsigned short']], 'SubsystemId' : [ 0x3e, ['unsigned short']], 'RevisionId' : [ 0x40, ['unsigned char']], 'ProgIf' : [ 0x41, ['unsigned char']], 'SubClass' : [ 0x42, ['unsigned char']], 'BaseClass' : [ 0x43, ['unsigned char']], 'AdditionalResourceCount' : [ 0x44, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x45, ['unsigned char']], 'InterruptPin' : [ 0x46, ['unsigned char']], 'RawInterruptLine' : [ 0x47, ['unsigned char']], 'CapabilitiesPtr' : [ 0x48, ['unsigned char']], 'SavedLatencyTimer' : [ 0x49, ['unsigned char']], 'SavedCacheLineSize' : [ 0x4a, ['unsigned char']], 'HeaderType' : [ 0x4b, ['unsigned char']], 'NotPresent' : [ 0x4c, ['unsigned char']], 'ReportedMissing' : [ 0x4d, ['unsigned char']], 'ExpectedWritebackFailure' : [ 0x4e, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x4f, ['unsigned char']], 'LegacyDriver' : [ 0x50, ['unsigned char']], 'UpdateHardware' : [ 0x51, ['unsigned char']], 'MovedDevice' : [ 0x52, ['unsigned char']], 'DisablePowerDown' : [ 0x53, ['unsigned char']], 'NeedsHotPlugConfiguration' : [ 0x54, ['unsigned char']], 'SwitchedIDEToNativeMode' : [ 0x55, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x56, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : [ 0x57, ['unsigned char']], 'OnDebugPath' : [ 0x58, ['unsigned char']], 'PowerState' : [ 0x5c, ['PCI_POWER_STATE']], 'Dependent' : [ 0x9c, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xa0, ['unsigned long long']], 'Resources' : [ 0xa8, ['pointer', ['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xac, ['pointer', ['_PCI_FDO_EXTENSION']]], 
'NextBridge' : [ 0xb0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0xb4, ['pointer', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0xb8, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0xc0, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0xc2, ['unsigned char']], 'CommandEnables' : [ 0xc4, ['unsigned short']], 'InitialCommand' : [ 0xc6, ['unsigned short']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_QUAD' : [ 0x8, { 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '__unnamed_150f' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1511' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_150f']], 'Merged' : [ 0x10, ['__unnamed_1511']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, 
['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_KPROCESS' : [ 0x6c, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['array', 2, ['unsigned long']]], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Iopl' : [ 0x32, ['unsigned char']], 'Unused' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'StackCount' : [ 0x60, ['unsigned short']], 'BasePriority' : [ 0x62, ['unsigned char']], 'ThreadQuantum' : [ 0x63, ['unsigned char']], 'AutoAlignment' : [ 0x64, ['unsigned char']], 'State' : [ 0x65, ['unsigned 
char']], 'ThreadSeed' : [ 0x66, ['unsigned char']], 'DisableBoost' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'DisableQuantum' : [ 0x69, ['unsigned char']], 'IdealNode' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' 
: [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_153a' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1541' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, 
end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1543' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_153a']], 'Bits' : [ 0x0, ['__unnamed_1541']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1543']], } ], '__unnamed_154d' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0xc0, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'PhysicalDeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x28, ['pointer', ['_DEVICE_OBJECT']]], 'ChildListLock' : [ 0x2c, ['_KEVENT']], 'ChildPdoList' : [ 0x3c, ['pointer', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 0x40, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x44, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x48, ['pointer', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 
0x4c, ['pointer', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x50, ['unsigned char']], 'BusHandler' : [ 0x54, ['pointer', ['_BUS_HANDLER']]], 'BaseBus' : [ 0x58, ['unsigned char']], 'Fake' : [ 0x59, ['unsigned char']], 'ChildDelete' : [ 0x5a, ['unsigned char']], 'Scanned' : [ 0x5b, ['unsigned char']], 'ArbitersInitialized' : [ 0x5c, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0x5d, ['unsigned char']], 'Hibernated' : [ 0x5e, ['unsigned char']], 'PowerState' : [ 0x60, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0xa4, ['unsigned long']], 'PreservedConfig' : [ 0xa8, ['pointer', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0xac, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0xb4, ['__unnamed_154d']], 'BusHackFlags' : [ 0xbc, ['unsigned long']], } ], '__unnamed_1551' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1553' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1555' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1557' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1559' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_155b' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_155d' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1551']], 'Port' : [ 0x0, ['__unnamed_1551']], 'Interrupt' : [ 0x0, ['__unnamed_1553']], 'Memory' : [ 0x0, ['__unnamed_1551']], 'Dma' : [ 0x0, ['__unnamed_1555']], 'DevicePrivate' : [ 0x0, ['__unnamed_1557']], 'BusNumber' : [ 0x0, ['__unnamed_1559']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_155b']], } ], 
'_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_155d']], } ], '_SYSPTES_HEADER' : [ 0xc, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x50, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 
'KcbLastWriteTime' : [ 0x38, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x40, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x42, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x44, ['unsigned long']], 'KcbUserFlags' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x48, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x48, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x48, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['short']], 'Number' : [ 0x2, ['unsigned char']], 'Importance' : [ 0x3, ['unsigned char']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'Lock' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ReadConfig' : [ 0x10, ['pointer', ['void']]], 'WriteConfig' : [ 0x14, ['pointer', ['void']]], 'PinToLine' : [ 0x18, ['pointer', ['void']]], 'LineToPin' : [ 0x1c, ['pointer', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x10, ['unsigned long']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, 
['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '__unnamed_159b' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_15a2' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_15a4' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_15a2']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_15a9' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_15ab' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_15a9']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_159b']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 
'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_15a4']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_15ab']], } ], '_PCI_LOCK' : [ 0x8, { 'Atom' : [ 0x0, ['unsigned long']], 'OldIrql' : [ 0x4, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '__unnamed_15b4' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_15b4']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_15ba' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0xc, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, 
['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_15ba']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' 
: [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, ['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '__unnamed_161d' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_161d']], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x290, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 
0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 
'VfDeadlockFastMutex', 3: 'VfDeadlockFastMutexUnsafe', 4: 'VfDeadlockSpinLock', 5: 'VfDeadlockQueuedSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_PEB_FREE_BLOCK' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x28, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'WakeNeeded' : [ 0xc, ['unsigned char']], 'OrderLevel' : [ 0xd, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Node' : [ 0x14, ['pointer', ['void']]], 'DeviceName' : [ 0x18, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x1c, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x20, ['unsigned long']], 'ActiveChild' : [ 0x24, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '__unnamed_1649' : [ 0x4, { 'Spare' : [ 0x0, ['array', 
4, ['unsigned char']]], } ], '__unnamed_164b' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_1649']], 'type1' : [ 0x0, ['__unnamed_164b']], 'type2' : [ 0x0, ['__unnamed_164b']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x1e4, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'ServiceContext' : [ 0x10, ['pointer', ['void']]], 'SpinLock' : [ 0x14, ['unsigned long']], 'TickCount' : [ 0x18, ['unsigned long']], 'ActualLock' : [ 0x1c, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x20, ['pointer', ['void']]], 'Vector' : [ 0x24, ['unsigned long']], 'Irql' : [ 0x28, ['unsigned char']], 'SynchronizeIrql' : [ 0x29, ['unsigned char']], 'FloatingSave' : [ 0x2a, ['unsigned char']], 'Connected' : [ 0x2b, ['unsigned char']], 'Number' : [ 0x2c, ['unsigned char']], 'ShareVector' : [ 0x2d, 
['unsigned char']], 'Mode' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x34, ['unsigned long']], 'DispatchCount' : [ 0x38, ['unsigned long']], 'DispatchCode' : [ 0x3c, ['array', 106, ['unsigned long']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0xe0, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0xc, ['pointer', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x10, ['pointer', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x14, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x44, ['_ARBITER_INSTANCE']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_MMPAGING_FILE' : [ 0x44, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'CurrentUsage' : [ 0x10, ['unsigned long']], 'PeakUsage' : [ 0x14, ['unsigned long']], 'Hint' : [ 0x18, ['unsigned long']], 'HighestPage' : [ 0x1c, ['unsigned long']], 'Entry' : [ 0x20, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'Bitmap' : [ 0x28, ['pointer', ['_RTL_BITMAP']]], 'File' : [ 0x2c, ['pointer', 
['_FILE_OBJECT']]], 'PageFileName' : [ 0x30, ['_UNICODE_STRING']], 'PageFileNumber' : [ 0x38, ['unsigned long']], 'Extended' : [ 0x3c, ['unsigned char']], 'HintSetToZero' : [ 0x3d, ['unsigned char']], 'BootPartition' : [ 0x3e, ['unsigned char']], 'FileHandle' : [ 0x40, ['pointer', ['void']]], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x20, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x4, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x8, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0xc, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x14, ['pointer', ['void']]], 'OtherIrpDispatchStyle' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x1c, ['pointer', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, 
['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_DIRECTORY' : [ 0xa4, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'Reserved' : [ 0xa0, ['unsigned short']], 'SymbolicLinkUsageCount' : [ 0xa2, ['unsigned short']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 
'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_WMI_CLIENT_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x69c, { 'Quota' : [ 0x0, ['unsigned long']], 'FirstFree' : [ 0x4, ['unsigned long']], 'FirstDynamic' : [ 0x8, ['unsigned long']], 'LastEntry' : [ 0xc, ['unsigned long']], 'NextSlot' : [ 0x10, ['unsigned long']], 'Wsle' : [ 0x14, ['pointer', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NonDirectCount' : [ 0x1c, ['unsigned long']], 'HashTable' : [ 0x20, ['pointer', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x24, ['unsigned long']], 
'NumberOfCommittedPageTables' : [ 0x28, ['unsigned long']], 'HashTableStart' : [ 0x2c, ['pointer', ['void']]], 'HighestPermittedHashAddress' : [ 0x30, ['pointer', ['void']]], 'NumberOfImageWaiters' : [ 0x34, ['unsigned long']], 'VadBitMapHint' : [ 0x38, ['unsigned long']], 'UsedPageTableEntries' : [ 0x3c, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x63c, ['array', 24, ['unsigned long']]], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 'PCI_FUNCTION_RESOURCES' : [ 0x150, { 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '__unnamed_16c4' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_16c8' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x40, { 'ControlArea' : [ 0x0, ['pointer', 
['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'WritableUserReferences' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x18, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x1c, ['unsigned long']], 'ExtendInfo' : [ 0x20, ['pointer', ['_MMEXTEND_INFO']]], 'SystemImageBase' : [ 0x24, ['pointer', ['void']]], 'BasedAddress' : [ 0x28, ['pointer', ['void']]], 'u1' : [ 0x2c, ['__unnamed_16c4']], 'u2' : [ 0x30, ['__unnamed_16c8']], 'PrototypePte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x38, ['array', 1, ['_MMPTE']]], } ], '_PCI_COMMON_EXTENSION' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['void']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, 
['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x20, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x1c, ['pointer', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 
'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x2c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 
'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TOKEN' : [ 0xa8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 
'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, ['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : [ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x6c, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x70, ['pointer', ['void']]], 'Privileges' : [ 0x74, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x78, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0x7c, ['pointer', ['_ACL']]], 'TokenType' : [ 0x80, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x84, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0x88, ['unsigned long']], 'TokenInUse' : [ 0x8c, ['unsigned char']], 'ProxyData' : [ 0x90, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0x94, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'OriginatingLogonSession' : [ 0x98, ['_LUID']], 'VariablePart' : [ 0xa0, ['unsigned long']], } ], '_TEB' : [ 0xfb8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, 
['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStack' : [ 0x1a8, ['_ACTIVATION_CONTEXT_STACK']], 'SpareBytes1' : [ 0x1bc, ['array', 24, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorsAreDisabled' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 16, ['pointer', ['void']]]], 'WinSockData' : [ 0xf6c, 
['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'Spare3' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'Wx86Thread' : [ 0xf88, ['_Wx86ThreadState']], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'SafeThunkCall' : [ 0xfb4, ['unsigned char']], 'BooleanSpare' : [ 0xfb5, ['array', 3, ['unsigned char']]], } ], 'PCI_SECONDARY_EXTENSION' : [ 0xc, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x8, ['pointer', ['void']]], } ], '__unnamed_170f' : [ 0x30, { 'type0' : [ 0x0, ['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 
0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_170f']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'Spare1' : [ 0x23, ['unsigned char']], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'Reserved' : [ 0x2c, ['array', 1, ['unsigned long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, 
['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_KNODE' : [ 0x30, { 'ProcessorMask' : [ 0x0, ['unsigned long']], 'Color' : [ 0x4, ['unsigned long']], 'MmShiftedColor' : [ 0x8, ['unsigned long']], 'FreeCount' : [ 0xc, ['array', 2, ['unsigned long']]], 'DeadStackList' : [ 0x18, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x20, ['_SLIST_HEADER']], 'PfnDeferredList' : [ 0x28, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'Seed' : [ 0x2c, ['unsigned char']], 'Flags' : [ 0x2d, ['_flags']], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned long']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 
'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x1c, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'MinSize' : [ 0x4, ['unsigned short']], 'MinVersion' : [ 0x6, ['unsigned short']], 'MaxVersion' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['long']], 'Signature' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 
'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x14, ['pointer', ['void']]], 'Initializer' : [ 0x18, ['pointer', ['void']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MMVAD' : [ 0x28, { 'StartingVpn' : [ 0x0, ['unsigned long']], 'EndingVpn' : [ 0x4, ['unsigned long']], 'Parent' : [ 0x8, ['pointer', ['_MMVAD']]], 'LeftChild' : [ 0xc, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer', ['_MMVAD']]], 'u' : [ 0x14, ['__unnamed_1492']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_1495']], } ], '__unnamed_1743' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x8, ['_LARGE_INTEGER']], 'u' : [ 0x10, ['__unnamed_1743']], 'Irp' : [ 0x18, ['pointer', ['_IRP']]], 'LastPageToWrite' : [ 0x1c, ['unsigned long']], 'PagingListHead' : [ 0x20, ['pointer', ['_MMMOD_WRITER_LISTHEAD']]], 'CurrentList' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x28, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x2c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x30, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x34, ['pointer', ['_ERESOURCE']]], 'Mdl' : [ 0x38, ['_MDL']], 'Page' : [ 0x54, ['array', 1, 
['unsigned long']]], } ], '_POP_POWER_ACTION' : [ 0x40, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x24, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x28, ['pointer', ['_POP_HIBER_CONTEXT']]], 'LastWakeState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x30, ['unsigned long long']], 'SleepTime' : [ 0x38, 
['unsigned long long']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x18, { 'StartingVpn' : [ 0x0, ['unsigned long']], 'EndingVpn' : [ 0x4, ['unsigned long']], 'Parent' : [ 0x8, ['pointer', ['_MMVAD']]], 'LeftChild' : [ 0xc, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer', ['_MMVAD']]], 'u' : [ 0x14, ['__unnamed_1492']], } ], '__unnamed_175f' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_175f']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, 
['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_FAST_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, 
['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x28, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 
'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_ARBITER_INSTANCE' : [ 0x9c, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0xc, ['long']], 'Allocation' : [ 0x10, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x18, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x20, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x28, ['long']], 'Interface' : [ 0x2c, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x30, ['unsigned long']], 'AllocationStack' : [ 0x34, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x38, ['pointer', ['void']]], 'PackResource' : [ 0x3c, ['pointer', ['void']]], 'UnpackResource' : [ 0x40, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x44, ['pointer', ['void']]], 'TestAllocation' : [ 0x48, ['pointer', ['void']]], 'RetestAllocation' : [ 0x4c, ['pointer', ['void']]], 'CommitAllocation' : [ 0x50, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x54, ['pointer', ['void']]], 'BootAllocation' : [ 0x58, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x5c, ['pointer', ['void']]], 'QueryConflict' : [ 0x60, ['pointer', ['void']]], 'AddReserved' : [ 0x64, ['pointer', ['void']]], 'StartArbiter' : [ 0x68, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x6c, ['pointer', ['void']]], 'AllocateEntry' : [ 0x70, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x74, ['pointer', ['void']]], 
'FindSuitableRange' : [ 0x78, ['pointer', ['void']]], 'AddAllocation' : [ 0x7c, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x80, ['pointer', ['void']]], 'OverrideConflict' : [ 0x84, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x88, ['unsigned char']], 'Extension' : [ 0x8c, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x90, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x94, ['pointer', ['void']]], 'ConflictCallback' : [ 0x98, ['pointer', ['void']]], } ], '_BUS_HANDLER' : [ 0x6c, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x14, ['pointer', ['_BUS_HANDLER']]], 'BusData' : [ 0x18, ['pointer', ['void']]], 'DeviceControlExtensionSize' : [ 0x1c, ['unsigned long']], 'BusAddresses' : [ 0x20, ['pointer', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x24, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x34, ['pointer', ['void']]], 'SetBusData' : [ 0x38, ['pointer', ['void']]], 'AdjustResourceList' : [ 0x3c, ['pointer', ['void']]], 'AssignSlotResources' : [ 0x40, ['pointer', ['void']]], 'GetInterruptVector' : [ 0x44, ['pointer', ['void']]], 
'TranslateBusAddress' : [ 0x48, ['pointer', ['void']]], 'Spare1' : [ 0x4c, ['pointer', ['void']]], 'Spare2' : [ 0x50, ['pointer', ['void']]], 'Spare3' : [ 0x54, ['pointer', ['void']]], 'Spare4' : [ 0x58, ['pointer', ['void']]], 'Spare5' : [ 0x5c, ['pointer', ['void']]], 'Spare6' : [ 0x60, ['pointer', ['void']]], 'Spare7' : [ 0x64, ['pointer', ['void']]], 'Spare8' : [ 0x68, ['pointer', ['void']]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x8, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'DispatchFunction' : [ 0x4, ['pointer', ['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x620, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x18, ['unsigned long']], 'Thread' : [ 0x1c, ['pointer', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x20, ['unsigned char']], 'Order' : [ 0x24, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x26c, ['long']], 'FailedDevice' : [ 0x270, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x274, ['unsigned char']], 'Cancelled' : [ 0x275, ['unsigned char']], 'IgnoreErrors' : [ 0x276, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x277, ['unsigned char']], 'WaitAny' : [ 0x278, ['unsigned char']], 'WaitAll' : [ 0x279, ['unsigned char']], 'PresentIrpQueue' : [ 0x27c, ['_LIST_ENTRY']], 'Head' : [ 0x284, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x2b0, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, 
['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x14, { 'Flags' : [ 0x0, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x4, ['unsigned long']], 'ActiveFrame' : [ 0x8, ['pointer', ['void']]], 'FrameListCache' : [ 0xc, ['_LIST_ENTRY']], } ], '_MMWSLE_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['unsigned short']]], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 
0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x40, { 'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWakeLevel' : [ 0xc, 
['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemStateMapping' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x2c, ['pointer', ['_IRP']]], 'SavedCancelRoutine' : [ 0x30, ['pointer', ['void']]], 'Paging' : [ 0x34, ['long']], 'Hibernate' : [ 0x38, ['long']], 'CrashDump' : [ 0x3c, ['long']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_1803' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1807' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_180b' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_180d' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 
0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1812' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1814' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_1816' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 
'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], } ], '__unnamed_1818' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 
'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_181a' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_181c' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1820' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_1822' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1824' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 
0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1826' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1828' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_182a' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_182c' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1830' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1834' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1838' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_183a' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_183e' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1840' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1842' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_1844' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1848' : [ 0x4, { 'IdType' : [ 
0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_184c' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1850' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1852' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1856' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_185a' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_185c' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_185e' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 
'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1860' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1862' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_1803']], 'CreatePipe' : [ 0x0, ['__unnamed_1807']], 'CreateMailslot' : [ 0x0, ['__unnamed_180b']], 'Read' : [ 0x0, ['__unnamed_180d']], 'Write' : [ 0x0, ['__unnamed_180d']], 'QueryDirectory' : [ 0x0, ['__unnamed_1812']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1814']], 'QueryFile' : [ 0x0, ['__unnamed_1816']], 'SetFile' : [ 0x0, ['__unnamed_1818']], 'QueryEa' : [ 0x0, ['__unnamed_181a']], 'SetEa' : [ 0x0, ['__unnamed_181c']], 'QueryVolume' : [ 0x0, ['__unnamed_1820']], 'SetVolume' : [ 0x0, ['__unnamed_1820']], 'FileSystemControl' : [ 0x0, ['__unnamed_1822']], 'LockControl' : [ 0x0, ['__unnamed_1824']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1826']], 'QuerySecurity' : [ 0x0, ['__unnamed_1828']], 'SetSecurity' : [ 0x0, ['__unnamed_182a']], 'MountVolume' : [ 0x0, ['__unnamed_182c']], 'VerifyVolume' : [ 0x0, ['__unnamed_182c']], 'Scsi' : [ 0x0, ['__unnamed_1830']], 'QueryQuota' : [ 0x0, ['__unnamed_1834']], 'SetQuota' : [ 0x0, ['__unnamed_181c']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1838']], 'QueryInterface' : [ 0x0, ['__unnamed_183a']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_183e']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1840']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1842']], 'SetLock' : [ 0x0, ['__unnamed_1844']], 'QueryId' : [ 0x0, ['__unnamed_1848']], 'QueryDeviceText' : [ 0x0, ['__unnamed_184c']], 'UsageNotification' : [ 0x0, ['__unnamed_1850']], 'WaitWake' : [ 0x0, ['__unnamed_1852']], 'PowerSequence' : [ 0x0, ['__unnamed_1856']], 'Power' : [ 0x0, ['__unnamed_185a']], 'StartDevice' : [ 0x0, ['__unnamed_185c']], 'WMI' : [ 0x0, ['__unnamed_185e']], 'Others' : [ 0x0, ['__unnamed_1860']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 
'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_1862']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1869' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_186b' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], } ], '__unnamed_186d' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_186f' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1871' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1873' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1869']], 'Memory' : [ 0x0, ['__unnamed_1869']], 'Interrupt' : [ 0x0, ['__unnamed_186b']], 'Dma' : [ 0x0, ['__unnamed_186d']], 'Generic' : [ 0x0, ['__unnamed_1869']], 'DevicePrivate' : [ 0x0, ['__unnamed_1557']], 'BusNumber' : [ 0x0, ['__unnamed_186f']], 'ConfigData' : [ 0x0, ['__unnamed_1871']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1873']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, 
['unsigned long']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'ListIndex' : [ 0x0, ['unsigned long']], 'Verifier' : [ 0x4, ['pointer', ['_MI_VERIFIER_DRIVER_ENTRY']]], } ], '_CM_KEY_BODY' : [ 0x44, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'Callers' : [ 0x10, ['unsigned long']], 'CallerAddress' : [ 0x14, ['array', 10, ['pointer', ['void']]]], 'KeyBodyList' : [ 0x3c, ['_LIST_ENTRY']], } ], '__unnamed_1884' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1886' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1884']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1888' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_188a' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1888']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1886']], 'u2' : [ 0x4, ['__unnamed_188a']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 
'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0xdc, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_RTL_BITMAP']]], 'FreeSummary' : [ 0xd0, ['unsigned long']], 'FreeBins' : [ 0xd4, ['_LIST_ENTRY']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0xe0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, 
['pointer', ['void']]], 'Lock' : [ 0xc, ['unsigned long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x14, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x1c, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x24, ['unsigned long']], 'NextCloneRange' : [ 0x28, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x2c, ['unsigned long']], 'LoaderMdl' : [ 0x30, ['pointer', ['_MDL']]], 'Clones' : [ 0x34, ['pointer', ['_MDL']]], 'NextClone' : [ 0x38, ['pointer', ['unsigned char']]], 'NoClones' : [ 0x3c, ['unsigned long']], 'Spares' : [ 0x40, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x48, ['unsigned long long']], 'IoPage' : [ 0x50, ['pointer', ['void']]], 'CurrentMcb' : [ 0x54, ['pointer', ['void']]], 'DumpStack' : [ 0x58, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x5c, ['pointer', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0x60, ['unsigned long']], 'HiberVa' : [ 0x64, ['unsigned long']], 'HiberPte' : [ 0x68, ['_LARGE_INTEGER']], 'Status' : [ 0x70, ['long']], 'MemoryImage' : [ 0x74, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x78, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x7c, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x80, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x84, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x88, ['pointer', ['void']]], 'DmaIO' : [ 0x8c, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x90, ['pointer', ['void']]], 'PerfInfo' : [ 0x98, ['_PO_HIBER_PERF']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x8, { 'StartVpn' : [ 0x0, ['unsigned long']], 'EndVpn' : [ 0x4, ['unsigned long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 
0x0, ['_UNICODE_STRING']], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x14, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x4, ['unsigned long']], 'Parameter2' : [ 0x8, ['unsigned long']], 'Parameter3' : [ 0xc, ['unsigned long']], 'Parameter4' : [ 0x10, ['unsigned long']], } ], '__unnamed_18c9' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_18cb' : [ 0x4, { 'bits' : [ 0x0, 
['__unnamed_18c9']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_18cb']], } ], '_Wx86ThreadState' : [ 0xc, { 'CallBx86Eip' : [ 0x0, ['pointer', ['unsigned long']]], 'DeallocationCpu' : [ 0x4, ['pointer', ['void']]], 'UseKnownWx86Dll' : [ 0x8, ['unsigned char']], 'OleStubInvoked' : [ 0x9, ['unsigned char']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_SUPPORTED_RANGES' : [ 
0xa0, { 'Version' : [ 0x0, ['unsigned short']], 'Sorted' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x28, ['unsigned long']], 'Memory' : [ 0x30, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x50, ['unsigned long']], 'PrefetchMemory' : [ 0x58, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x78, ['unsigned long']], 'Dma' : [ 0x80, ['_SUPPORTED_RANGE']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_PM_SUPPORT' : [ 0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_18f1' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_18f3' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_18f7' : [ 0x4, { 
'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_18f9' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_18fb' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_18fd' : [ 0x10, { 'TestAllocation' : [ 0x0, ['__unnamed_18f1']], 'RetestAllocation' : [ 0x0, ['__unnamed_18f1']], 'BootAllocation' : [ 0x0, ['__unnamed_18f3']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_18f7']], 'QueryConflict' : [ 0x0, ['__unnamed_18f9']], 'QueryArbitrate' : [ 0x0, ['__unnamed_18f3']], 'AddReserved' : [ 0x0, ['__unnamed_18fb']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_18fd']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'Reserved' : [ 0x28, ['unsigned long']], 'VerifierPoolLock' : [ 0x2c, ['unsigned long']], 'PoolHash' : [ 0x30, ['pointer', ['_VI_POOL_ENTRY']]], 
'PoolHashSize' : [ 0x34, ['unsigned long']], 'PoolHashFree' : [ 0x38, ['unsigned long']], 'PoolHashReserved' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], 'PO_MEMORY_IMAGE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'ImageType' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, 
['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x3c, ['unsigned long']], 'HiberPte' : [ 0x40, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'TotalPages' : [ 0x54, ['unsigned long']], 'FirstTablePage' : [ 0x58, ['unsigned long']], 'LastFilePage' : [ 0x5c, ['unsigned long']], 'PerfInfo' : [ 0x60, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, 
['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_RTL_RANGE_LIST' 
: [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Spare' : [ 0x18, ['array', 2, ['unsigned long']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '__unnamed_192c' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_192e' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1930' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1932' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1934' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1936' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1938' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_193a' : [ 0x10, { 
'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_193c' : [ 0x14, { 'DeviceClass' : [ 0x0, ['__unnamed_192c']], 'TargetDevice' : [ 0x0, ['__unnamed_192e']], 'InstallDevice' : [ 0x0, ['__unnamed_1930']], 'CustomNotification' : [ 0x0, ['__unnamed_1932']], 'ProfileNotification' : [ 0x0, ['__unnamed_1934']], 'PowerNotification' : [ 0x0, ['__unnamed_1936']], 'VetoNotification' : [ 0x0, ['__unnamed_1938']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_193a']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x38, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_193c']], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '__unnamed_1942' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '__unnamed_1944' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['__unnamed_1942']], 'Link' : [ 0x0, ['__unnamed_1944']], } ], '__unnamed_1956' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_1958' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_195a' : [ 0x10, 
{ 'Mbr' : [ 0x0, ['__unnamed_1956']], 'Gpt' : [ 0x0, ['__unnamed_1958']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_195a']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, 
native_type='unsigned char')]], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, ['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x248, { 'DevNodeSequence' : [ 0x0, ['unsigned long']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], 
'_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_MAP' : [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : [ 0x10, ['array', 32, ['unsigned char']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 
'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x10, ['unsigned long']], 'ActiveCount' : [ 0x14, ['unsigned long']], 'WaitSleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x20, ['_LIST_ENTRY']], 'Pending' : [ 0x28, ['_LIST_ENTRY']], 'Complete' : [ 0x30, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x38, ['_LIST_ENTRY']], 'WaitS0' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_198f' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], '_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' : [ 0xc, ['array', 4, ['__unnamed_198f']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'PolicyChange' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 
0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x8, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'FreeListNext' : [ 0x0, ['unsigned long']], } ], '_POP_DEVICE_POWER_IRP' : [ 0x2c, { 'Free' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x4, ['pointer', ['_IRP']]], 'Notify' : [ 0x8, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0xc, ['_LIST_ENTRY']], 'Complete' : [ 0x14, ['_LIST_ENTRY']], 'Abort' : [ 0x1c, ['_LIST_ENTRY']], 'Failed' : [ 0x24, ['_LIST_ENTRY']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned 
char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 'PrefetchBaseUpper32' : [ 0x18, ['unsigned long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, 
['unsigned long']]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_SUPPORTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x4, ['unsigned long']], 'SystemBase' : [ 0x8, ['long long']], 'Base' : [ 0x10, ['long long']], 'Limit' : [ 0x18, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 
'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', 
['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x30, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x24, ['array', 3, ['unsigned long']]], } ], '__unnamed_19d2' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_19d4' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_19d8' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_19da' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_19d2']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_19d4']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_19d8']], 'Others' : [ 0x0, ['__unnamed_19da']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, 
['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win10_x86_44B89EEA_vtypes.py0000644000000000000000000255555513131215405031136 0ustar rootrootntkrpamp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x708, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'NtBuildNumber' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : 
[ 0x268, ['unsigned char']], 'Reserved0' : [ 0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'BootId' : [ 0x2c4, ['unsigned long']], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'Reserved12' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgMultiSessionSku' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCall' : [ 0x308, ['unsigned long']], 'SystemCallPad0' : [ 0x30c, ['unsigned long']], 'SystemCallPad' : [ 0x310, ['array', 2, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateLock' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrementShift' : [ 0x368, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x369, ['unsigned char']], 'UnparkedProcessorCount' : [ 
0x36a, ['unsigned short']], 'EnclaveFeatureMask' : [ 0x36c, ['array', 4, ['unsigned long']]], 'Reserved8' : [ 0x37c, ['unsigned long']], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'QpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'QpcData' : [ 0x3c6, ['unsigned short']], 'QpcBypassEnabled' : [ 0x3c6, ['unsigned char']], 'QpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_107d' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_107d']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1081' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1081']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_109c' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109e' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_109c']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, 
['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_109e']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TEB' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 16, ['pointer', ['void']]]], 'SystemReserved1' : [ 0x10c, ['array', 38, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'InstrumentationCallbackSp' : [ 0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x1b8, ['unsigned char']], 
'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'PerflibData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned 
char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 
6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['pointer', ['void']]], 'ReservedForWdf' : [ 0xfe4, ['pointer', ['void']]], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0xc, { 'Parent' : [ 0x0, ['pointer', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 
'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'CurEntry' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, 
['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_RB_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_RTL_BALANCED_NODE' : [ 0xc, { 'Children' : [ 0x0, ['array', 2, ['pointer', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x4, ['pointer', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x8, ['unsigned long']], } ], '_RTL_AVL_TREE' : [ 0x4, { 'Root' : [ 0x0, ['pointer', ['_RTL_BALANCED_NODE']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KPCR' : [ 0x4a20, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'MxCsr' : [ 0x8, ['unsigned long']], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 
'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x4900, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : [ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'ParentNode' : [ 0x338, ['pointer', ['_KNODE']]], 'PriorityState' : [ 0x33c, ['pointer', ['unsigned char']]], 'KernelReserved' : [ 0x340, ['array', 14, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'CpuVendor' : [ 0x3be, ['unsigned char']], 'PrcbPad0' : [ 0x3bf, ['array', 1, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'GroupIndex' : [ 0x3c4, ['unsigned char']], 'Group' : [ 0x3c5, ['unsigned char']], 'PrcbPad05' : [ 0x3c6, ['array', 2, ['unsigned 
char']]], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, ['unsigned long']], 'ClockOwner' : [ 0x3d0, ['unsigned char']], 'PendingTickFlags' : [ 0x3d1, ['unsigned char']], 'PendingTick' : [ 0x3d1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'PendingBackupTick' : [ 0x3d1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'PrcbPad10' : [ 0x3d2, ['array', 70, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'InterruptCount' : [ 0x4a0, ['unsigned long']], 'KernelTime' : [ 0x4a4, ['unsigned long']], 'UserTime' : [ 0x4a8, ['unsigned long']], 'DpcTime' : [ 0x4ac, ['unsigned long']], 'DpcTimeCount' : [ 0x4b0, ['unsigned long']], 'InterruptTime' : [ 0x4b4, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4b8, ['unsigned long']], 'PageColor' : [ 0x4bc, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c0, ['unsigned char']], 'NodeColor' : [ 0x4c1, ['unsigned char']], 'DeepSleep' : [ 0x4c2, ['unsigned char']], 'PrcbPad20' : [ 0x4c3, ['array', 5, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'SecondaryColorMask' : [ 0x4cc, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d0, ['unsigned long']], 'PrcbPad21' : [ 0x4d4, ['array', 3, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' : [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x520, ['unsigned long']], 
'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, ['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, ['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : [ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x570, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, ['unsigned long']]], 'PPLookasideList' : [ 0x5a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1820, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2120, ['long']], 'ReverseStall' : [ 0x2124, ['long']], 'IpiFrame' : [ 0x2128, ['pointer', ['void']]], 'PrcbPad3' : [ 0x212c, 
['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x2160, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x216c, ['unsigned long']], 'WorkerRoutine' : [ 0x2170, ['pointer', ['void']]], 'IpiFrozen' : [ 0x2174, ['unsigned long']], 'PrcbPad4' : [ 0x2178, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x21a0, ['unsigned long']], 'TargetCount' : [ 0x21a4, ['long']], 'PrcbPad50' : [ 0x21a8, ['array', 40, ['unsigned char']]], 'InterruptLastCount' : [ 0x21d0, ['unsigned long']], 'InterruptRate' : [ 0x21d4, ['unsigned long']], 'DeviceInterrupts' : [ 0x21d8, ['unsigned long']], 'IsrDpcStats' : [ 0x21dc, ['pointer', ['void']]], 'DpcData' : [ 0x21e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2210, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2214, ['long']], 'DpcRequestRate' : [ 0x2218, ['unsigned long']], 'MinimumDpcRate' : [ 0x221c, ['unsigned long']], 'DpcLastCount' : [ 0x2220, ['unsigned long']], 'PrcbLock' : [ 0x2224, ['unsigned long']], 'DpcGate' : [ 0x2228, ['_KGATE']], 'IdleState' : [ 0x2238, ['unsigned char']], 'QuantumEnd' : [ 0x2239, ['unsigned char']], 'DpcRoutineActive' : [ 0x223a, ['unsigned char']], 'IdleSchedule' : [ 0x223b, ['unsigned char']], 'DpcRequestSummary' : [ 0x223c, ['long']], 'DpcRequestSlot' : [ 0x223c, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x223c, ['short']], 'ThreadDpcState' : [ 0x223e, ['short']], 'DpcNormalProcessingActive' : [ 0x223c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x223c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x223c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x223c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x223c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 
0x223c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x223c, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x223c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x223c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x223c, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2240, ['unsigned long']], 'LastTick' : [ 0x2244, ['unsigned long']], 'PeriodicCount' : [ 0x2248, ['unsigned long']], 'PeriodicBias' : [ 0x224c, ['unsigned long']], 'ClockInterrupts' : [ 0x2250, ['unsigned long']], 'ReadyScanTick' : [ 0x2254, ['unsigned long']], 'GroupSchedulingOverQuota' : [ 0x2258, ['unsigned char']], 'ThreadDpcEnable' : [ 0x2259, ['unsigned char']], 'PrcbPad41' : [ 0x225a, ['array', 2, ['unsigned char']]], 'TimerTable' : [ 0x2260, ['_KTIMER_TABLE']], 'CallDpc' : [ 0x3aa0, ['_KDPC']], 'ClockKeepAlive' : [ 0x3ac0, ['long']], 'PrcbPad6' : [ 0x3ac4, ['array', 4, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x3ac8, ['long']], 'DpcWatchdogCount' : [ 0x3acc, ['long']], 'KeSpinLockOrdering' : [ 0x3ad0, ['long']], 'PrcbPad70' : [ 0x3ad4, ['array', 1, ['unsigned long']]], 'QueueIndex' : [ 0x3ad8, ['unsigned long']], 'DeferredReadyListHead' : [ 0x3adc, ['_SINGLE_LIST_ENTRY']], 'ReadySummary' : [ 0x3ae0, ['unsigned long']], 'AffinitizedSelectionMask' : [ 0x3ae4, ['long']], 'WaitLock' : [ 0x3ae8, ['unsigned long']], 'WaitListHead' : [ 0x3aec, ['_LIST_ENTRY']], 'ScbOffset' : [ 0x3af4, ['unsigned long']], 'StartCycles' : [ 0x3af8, ['unsigned long long']], 'TaggedCyclesStart' : [ 0x3b00, ['unsigned long long']], 'TaggedCycles' : [ 0x3b08, ['array', 2, ['unsigned long long']]], 'GenerationTarget' : [ 0x3b18, ['unsigned long long']], 'CycleTime' : [ 0x3b20, ['unsigned long long']], 'AffinitizedCycles' : [ 0x3b28, ['unsigned 
long long']], 'HighCycleTime' : [ 0x3b30, ['unsigned long']], 'Cycles' : [ 0x3b38, ['array', 4, ['array', 2, ['unsigned long long']]]], 'PrcbPad71' : [ 0x3b78, ['array', 10, ['unsigned long']]], 'DispatcherReadyListHead' : [ 0x3ba0, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3ca0, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3ca4, ['long']], 'ScbQueue' : [ 0x3ca8, ['_RTL_RB_TREE']], 'ScbList' : [ 0x3cb0, ['_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x3cb8, ['long']], 'MmCopyOnWriteCount' : [ 0x3cbc, ['long']], 'MmTransitionCount' : [ 0x3cc0, ['long']], 'MmCacheTransitionCount' : [ 0x3cc4, ['long']], 'MmDemandZeroCount' : [ 0x3cc8, ['long']], 'MmPageReadCount' : [ 0x3ccc, ['long']], 'MmPageReadIoCount' : [ 0x3cd0, ['long']], 'MmCacheReadCount' : [ 0x3cd4, ['long']], 'MmCacheIoCount' : [ 0x3cd8, ['long']], 'MmDirtyPagesWriteCount' : [ 0x3cdc, ['long']], 'MmDirtyWriteIoCount' : [ 0x3ce0, ['long']], 'MmMappedPagesWriteCount' : [ 0x3ce4, ['long']], 'MmMappedWriteIoCount' : [ 0x3ce8, ['long']], 'CachedCommit' : [ 0x3cec, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3cf0, ['unsigned long']], 'HyperPte' : [ 0x3cf4, ['pointer', ['void']]], 'PrcbPad8' : [ 0x3cf8, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x3cfc, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x3d09, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x3d0a, ['unsigned char']], 'PrcbPad9' : [ 0x3d0b, ['array', 1, ['unsigned char']]], 'FeatureBits' : [ 0x3d10, ['unsigned long long']], 'UpdateSignature' : [ 0x3d18, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3d20, ['unsigned long long']], 'PrcbPad90' : [ 0x3d28, ['array', 2, ['unsigned long']]], 'PowerState' : [ 0x3d30, ['_PROCESSOR_POWER_STATE']], 'PrcbPad91' : [ 0x3eb0, ['array', 17, ['unsigned long']]], 'DpcWatchdogDpc' : [ 0x3ef4, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3f18, ['_KTIMER']], 'HypercallPageList' : [ 0x3f40, ['_SLIST_HEADER']], 'HypercallCachedPages' : [ 0x3f48, ['pointer', ['void']]], 
'VirtualApicAssist' : [ 0x3f4c, ['pointer', ['void']]], 'StatisticsPage' : [ 0x3f50, ['pointer', ['unsigned long long']]], 'Cache' : [ 0x3f54, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3f90, ['unsigned long']], 'PackageProcessorSet' : [ 0x3f94, ['_KAFFINITY_EX']], 'SharedReadyQueueMask' : [ 0x3fa0, ['unsigned long']], 'SharedReadyQueue' : [ 0x3fa4, ['pointer', ['_KSHARED_READY_QUEUE']]], 'SharedQueueScanOwner' : [ 0x3fa8, ['unsigned long']], 'CoreProcessorSet' : [ 0x3fac, ['unsigned long']], 'ScanSiblingMask' : [ 0x3fb0, ['unsigned long']], 'LLCMask' : [ 0x3fb4, ['unsigned long']], 'CacheProcessorMask' : [ 0x3fb8, ['array', 5, ['unsigned long']]], 'ScanSiblingIndex' : [ 0x3fcc, ['unsigned long']], 'WheaInfo' : [ 0x3fd0, ['pointer', ['void']]], 'EtwSupport' : [ 0x3fd4, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x3fd8, ['_SLIST_HEADER']], 'PrcbPad92' : [ 0x3fe0, ['array', 3, ['unsigned long']]], 'PteBitCache' : [ 0x3fec, ['unsigned long']], 'PteBitOffset' : [ 0x3ff0, ['unsigned long']], 'PrcbPad93' : [ 0x3ff4, ['unsigned long']], 'ProcessorProfileControlArea' : [ 0x3ff8, ['pointer', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x3ffc, ['pointer', ['void']]], 'TimerExpirationDpc' : [ 0x4000, ['_KDPC']], 'SynchCounters' : [ 0x4020, ['_SYNCH_COUNTERS']], 'FsCounters' : [ 0x40d8, ['_FILESYSTEM_DISK_COUNTERS']], 'Context' : [ 0x40e8, ['pointer', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x40ec, ['unsigned long']], 'ExtendedState' : [ 0x40f0, ['pointer', ['_XSAVE_AREA']]], 'EntropyTimingState' : [ 0x40f4, ['_KENTROPY_TIMING_STATE']], 'IsrStack' : [ 0x421c, ['pointer', ['void']]], 'VectorToInterruptObject' : [ 0x4220, ['array', 208, ['pointer', ['_KINTERRUPT']]]], 'AbSelfIoBoostsList' : [ 0x4560, ['_SINGLE_LIST_ENTRY']], 'AbPropagateBoostsList' : [ 0x4564, ['_SINGLE_LIST_ENTRY']], 'AbDpc' : [ 0x4568, ['_KDPC']], 'IoIrpStackProfilerCurrent' : [ 0x4588, ['_IOP_IRP_STACK_PROFILER']], 'IoIrpStackProfilerPrevious' : [ 0x45dc, 
['_IOP_IRP_STACK_PROFILER']], 'TimerExpirationTrace' : [ 0x4630, ['array', 16, ['_KTIMER_EXPIRATION_TRACE']]], 'TimerExpirationTraceCount' : [ 0x4730, ['unsigned long']], 'ExSaPageArray' : [ 0x4734, ['pointer', ['void']]], 'PrcbPad100' : [ 0x4738, ['array', 10, ['unsigned long']]], 'LocalSharedReadyQueue' : [ 0x4760, ['_KSHARED_READY_QUEUE']], 'PrcbPad95' : [ 0x4894, ['array', 12, ['unsigned char']]], 'Mailbox' : [ 0x48a0, ['pointer', ['_REQUEST_MAILBOX']]], 'PrcbPad' : [ 0x48a4, ['array', 60, ['unsigned char']]], 'RequestMailbox' : [ 0x48e0, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'Reserved' : [ 0x14, ['array', 3, ['pointer', ['void']]]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_CPU_INFO' : [ 0x10, { 'AsUINT32' : [ 0x0, ['array', 4, ['unsigned long']]], 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_EXT_SET_PARAMETERS_V0' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'NoWakeTolerance' : [ 0x8, ['long long']], } ], '_PS_TRUSTLET_CREATE_ATTRIBUTES' : [ 0x18, { 'TrustletIdentity' : [ 0x0, ['unsigned long long']], 'Attributes' : [ 0x8, ['array', 1, ['_PS_TRUSTLET_ATTRIBUTE_DATA']]], } ], '_PS_TRUSTLET_ATTRIBUTE_DATA' : [ 0x10, { 
'Header' : [ 0x0, ['_PS_TRUSTLET_ATTRIBUTE_HEADER']], 'Data' : [ 0x8, ['array', 1, ['unsigned long long']]], } ], '_PS_TRUSTLET_ATTRIBUTE_HEADER' : [ 0x8, { 'AttributeType' : [ 0x0, ['_PS_TRUSTLET_ATTRIBUTE_TYPE']], 'InstanceNumber' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_TRUSTLET_MAILBOX_KEY' : [ 0x10, { 'SecretValue' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_TRUSTLET_COLLABORATION_ID' : [ 0x10, { 'Value' : [ 0x0, ['array', 2, ['unsigned long long']]], } ], '_KPROCESS' : [ 0xa8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'DeepFreezeStartTime' : [ 0x38, ['unsigned long long']], 'Affinity' : [ 0x40, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x4c, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x54, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x58, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x64, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x64, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x64, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'DeepFreeze' : [ 0x64, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x64, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CheckStackExtents' : [ 0x64, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SpareFlags0' : [ 0x64, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x64, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long')]], 'ReservedFlags' : [ 0x64, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x64, ['long']], 'BasePriority' : [ 0x68, ['unsigned char']], 'QuantumReset' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x6c, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x70, ['array', 1, ['unsigned short']]], 'IdealGlobalNode' : [ 0x72, ['unsigned short']], 'Spare1' : [ 0x74, ['unsigned short']], 'IopmOffset' : [ 0x76, ['unsigned short']], 'SchedulingGroup' : [ 0x78, ['pointer', ['_KSCHEDULING_GROUP']]], 'StackCount' : [ 0x7c, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x80, ['_LIST_ENTRY']], 'CycleTime' : [ 0x88, ['unsigned long long']], 'ContextSwitches' : [ 0x90, ['unsigned long long']], 'FreezeCount' : [ 0x98, ['unsigned long']], 'KernelTime' : [ 0x9c, ['unsigned long']], 'UserTime' : [ 0xa0, ['unsigned long']], 'VdmTrapcHandler' : [ 0xa4, ['pointer', ['void']]], } ], '_KTHREAD' : [ 0x348, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x10, ['pointer', ['void']]], 'QuantumTarget' : [ 0x18, ['unsigned long long']], 'InitialStack' : [ 0x20, ['pointer', ['void']]], 'StackLimit' : [ 0x24, ['pointer', ['void']]], 'StackBase' : [ 0x28, ['pointer', ['void']]], 'ThreadLock' : [ 0x2c, ['unsigned long']], 'CycleTime' : [ 0x30, ['unsigned long long']], 'HighCycleTime' : [ 0x38, ['unsigned long']], 'ServiceTable' : [ 0x3c, ['pointer', ['void']]], 'CurrentRunTime' : [ 0x40, ['unsigned long']], 'ExpectedRunTime' : [ 0x44, ['unsigned long']], 'KernelStack' : [ 0x48, ['pointer', ['void']]], 'StateSaveArea' : [ 0x4c, ['pointer', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x50, ['pointer', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x54, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x55, ['unsigned char']], 'Alerted' : [ 0x56, ['array', 2, ['unsigned char']]], 'AutoBoostActive' : [ 0x58, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitNext' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Alertable' : [ 0x58, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x58, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x58, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x58, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x58, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'TimerActive' : [ 0x58, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SystemThread' : [ 0x58, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x58, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CalloutActive' : [ 0x58, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x58, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ApcQueueable' : [ 0x58, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x58, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x58, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'TimerSuspended' : [ 0x58, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SuspendedWaitMode' : [ 0x58, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 
'SuspendSchedulerApcWait' : [ 0x58, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x58, ['long']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ThreadFlagsSpare0' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x5c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlySchedulingGroup' : [ 0x5c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x5c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x5c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SharedReadyQueueAffinity' : [ 0x5c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x5c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'TerminationApcRequest' : [ 0x5c, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'AutoBoostEntriesExhausted' : [ 0x5c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 
'KernelStackResident' : [ 0x5c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CommitFailTerminateRequest' : [ 0x5c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ProcessStackCountDecremented' : [ 0x5c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ThreadFlagsSpare' : [ 0x5c, ['BitField', dict(start_bit = 19, end_bit = 24, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x5c, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x5c, ['long']], 'Tag' : [ 0x60, ['unsigned char']], 'SystemHeteroCpuPolicy' : [ 0x61, ['unsigned char']], 'UserHeteroCpuPolicy' : [ 0x62, ['BitField', dict(start_bit = 0, end_bit = 7, native_type='unsigned char')]], 'ExplicitSystemHeteroCpuPolicy' : [ 0x62, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare0' : [ 0x63, ['unsigned char']], 'SystemCallNumber' : [ 0x64, ['unsigned long']], 'FirstArgument' : [ 0x68, ['pointer', ['void']]], 'TrapFrame' : [ 0x6c, ['pointer', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x70, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x70, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x87, ['unsigned char']], 'UserIdealProcessor' : [ 0x88, ['unsigned long']], 'ContextSwitches' : [ 0x8c, ['unsigned long']], 'State' : [ 0x90, ['unsigned char']], 'Spare12' : [ 0x91, ['unsigned char']], 'WaitIrql' : [ 0x92, ['unsigned char']], 'WaitMode' : [ 0x93, ['unsigned char']], 'WaitStatus' : [ 0x94, ['long']], 'WaitBlockList' : [ 0x98, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x9c, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x9c, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa4, ['pointer', ['_DISPATCHER_HEADER']]], 'Teb' : [ 0xa8, ['pointer', ['void']]], 'RelativeTimerBias' : [ 0xb0, ['unsigned long long']], 'Timer' : [ 0xb8, ['_KTIMER']], 'WaitBlock' : [ 0xe0, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill8' : [ 0xe0, ['array', 20, 
['unsigned char']]], 'ThreadCounters' : [ 0xf4, ['pointer', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0xe0, ['array', 44, ['unsigned char']]], 'XStateSave' : [ 0x10c, ['pointer', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0xe0, ['array', 68, ['unsigned char']]], 'Win32Thread' : [ 0x124, ['pointer', ['void']]], 'WaitBlockFill11' : [ 0xe0, ['array', 88, ['unsigned char']]], 'WaitTime' : [ 0x138, ['unsigned long']], 'KernelApcDisable' : [ 0x13c, ['short']], 'SpecialApcDisable' : [ 0x13e, ['short']], 'CombinedApcDisable' : [ 0x13c, ['unsigned long']], 'QueueListEntry' : [ 0x140, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x148, ['unsigned long']], 'NextProcessorNumber' : [ 0x148, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'SharedReadyQueue' : [ 0x148, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'QueuePriority' : [ 0x14c, ['long']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'UserAffinity' : [ 0x154, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x154, ['array', 6, ['unsigned char']]], 'PreviousMode' : [ 0x15a, ['unsigned char']], 'BasePriority' : [ 0x15b, ['unsigned char']], 'PriorityDecrement' : [ 0x15c, ['unsigned char']], 'ForegroundBoost' : [ 0x15c, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x15c, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x15d, ['unsigned char']], 'AdjustReason' : [ 0x15e, ['unsigned char']], 'AdjustIncrement' : [ 0x15f, ['unsigned char']], 'AffinityVersion' : [ 0x160, ['unsigned long']], 'Affinity' : [ 0x164, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x164, ['array', 6, ['unsigned char']]], 'ApcStateIndex' : [ 0x16a, ['unsigned char']], 'WaitBlockCount' : [ 0x16b, ['unsigned char']], 'IdealProcessor' : [ 0x16c, ['unsigned long']], 'Spare15' : [ 0x170, ['array', 1, ['unsigned long']]], 'SavedApcState' : [ 0x174, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x174, 
['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x18b, ['unsigned char']], 'SuspendCount' : [ 0x18c, ['unsigned char']], 'Saturation' : [ 0x18d, ['unsigned char']], 'SListFaultCount' : [ 0x18e, ['unsigned short']], 'SchedulerApc' : [ 0x190, ['_KAPC']], 'SchedulerApcFill0' : [ 0x190, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x191, ['unsigned char']], 'SchedulerApcFill1' : [ 0x190, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x193, ['unsigned char']], 'SchedulerApcFill2' : [ 0x190, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x194, ['unsigned long']], 'SchedulerApcFill3' : [ 0x190, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b4, ['pointer', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x190, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1b8, ['pointer', ['void']]], 'SchedulerApcFill5' : [ 0x190, ['array', 47, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x1bf, ['unsigned char']], 'UserTime' : [ 0x1c0, ['unsigned long']], 'SuspendEvent' : [ 0x1c4, ['_KEVENT']], 'ThreadListEntry' : [ 0x1d4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1dc, ['_LIST_ENTRY']], 'AbEntrySummary' : [ 0x1e4, ['unsigned char']], 'AbWaitEntryCount' : [ 0x1e5, ['unsigned char']], 'Spare20' : [ 0x1e6, ['unsigned short']], 'LockEntries' : [ 0x1e8, ['array', 6, ['_KLOCK_ENTRY']]], 'PropagateBoostsEntry' : [ 0x308, ['_SINGLE_LIST_ENTRY']], 'IoSelfBoostsEntry' : [ 0x30c, ['_SINGLE_LIST_ENTRY']], 'PriorityFloorCounts' : [ 0x310, ['array', 16, ['unsigned char']]], 'PriorityFloorSummary' : [ 0x320, ['unsigned long']], 'AbCompletedIoBoostCount' : [ 0x324, ['long']], 'KeReferenceCount' : [ 0x328, ['short']], 'AbOrphanedEntrySummary' : [ 0x32a, ['unsigned char']], 'AbOwnedEntryCount' : [ 0x32b, ['unsigned char']], 'ForegroundLossTime' : [ 0x32c, ['unsigned long']], 'GlobalForegroundListEntry' : [ 0x330, ['_LIST_ENTRY']], 'ForegroundDpcStackListEntry' : [ 0x330, ['_SINGLE_LIST_ENTRY']], 'InGlobalForegroundList' : [ 0x334, ['unsigned long']], 'QueuedScb' : [ 0x338, 
['pointer', ['_KSCB']]], 'NpxState' : [ 0x340, ['unsigned long long']], } ], '_KSTACK_CONTROL' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long']], 'ActualLimit' : [ 0x4, ['unsigned long']], 'StackExpansion' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousTrapFrame' : [ 0x8, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0xc, ['pointer', ['void']]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'CpuId' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_EXT_DELETE_PARAMETERS' : [ 0x10, { 'Version' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 
'DeleteCallback' : [ 0x8, ['pointer', ['void']]], 'DeleteContext' : [ 0xc, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 
'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0x100, { 'IdleNonParkedCpuSet' : [ 0x0, ['unsigned long']], 'IdleSmtSet' : [ 0x4, ['unsigned long']], 'IdleCpuSet' : [ 0x8, ['unsigned long']], 'DeepIdleSet' : [ 0x40, ['unsigned long']], 'IdleConstrainedSet' : [ 0x44, ['unsigned long']], 'NonParkedSet' : [ 0x48, ['unsigned long']], 'ParkLock' : [ 0x4c, ['long']], 'Seed' : [ 0x50, ['unsigned long']], 'SiblingMask' : [ 0x80, ['unsigned long']], 'Affinity' : [ 0x84, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x84, ['array', 6, ['unsigned char']]], 'NodeNumber' : [ 0x8a, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x8c, ['unsigned short']], 'Stride' : [ 0x8e, ['unsigned char']], 'Spare0' : [ 0x8f, ['unsigned char']], 'SharedReadyQueueLeaders' : [ 0x90, ['unsigned long']], 'ProximityId' : [ 0x94, ['unsigned long']], 'Lowest' : [ 0x98, ['unsigned long']], 'Highest' : [ 0x9c, ['unsigned long']], 'MaximumProcessors' : [ 0xa0, ['unsigned char']], 'Flags' : [ 0xa1, ['_flags']], 'Spare10' : [ 0xa2, ['unsigned char']], 'HeteroSets' : [ 0xa4, ['array', 5, ['_KHETERO_PROCESSOR_SET']]], } ], '_ENODE' : [ 0x380, { 'Ncb' : [ 0x0, ['_KNODE']], 'ExWorkQueues' : [ 0x100, ['array', 8, ['pointer', ['_EX_WORK_QUEUE']]]], 'ExWorkQueue' : [ 0x120, ['_EX_WORK_QUEUE']], 'ExpThreadSetManagerEvent' : [ 0x2d8, ['_KEVENT']], 'ExpDeadlockTimer' : [ 0x2e8, ['_KTIMER']], 'ExpThreadReaperEvent' : [ 0x310, ['_KEVENT']], 'WaitBlocks' : [ 0x320, ['array', 3, ['_KWAIT_BLOCK']]], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x368, ['pointer', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x36c, ['unsigned long']], 'ExWorkerFullInit' : [ 
0x370, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x370, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x370, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x5c, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long']], 'QuotaProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'StrictFIFO' : [ 0x1c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x1c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x1c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x1c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'RaiseUMExceptionOnInvalidHandleClose' : [ 0x1c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x20, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x24, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x28, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x28, ['array', 20, ['unsigned char']]], 'DebugInfo' : [ 0x3c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'VolatileLowValue' : [ 0x0, ['long']], 'LowValue' : [ 0x0, ['long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'HighValue' : [ 0x4, ['long']], 'NextFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x4, ['_EXHANDLE']], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, 
native_type='unsigned long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'RefCountField' : [ 0x4, ['long']], 'GrantedAccessBits' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'ProtectFromClose' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'NoRightsUpgrade' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'RefCnt' : [ 0x4, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '__unnamed_1336' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1336']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc4, { 'PrivilegesUsed' : [ 0x0, ['pointer', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 
'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xc0, ['unsigned char']], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_ETHREAD' : [ 0x458, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x348, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x350, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x350, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x358, ['pointer', ['void']]], 'PostBlockList' : [ 0x35c, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x35c, ['pointer', ['void']]], 'StartAddress' : [ 0x360, ['pointer', ['void']]], 'TerminationPort' : [ 0x364, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x364, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x364, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x368, ['unsigned long']], 'ActiveTimerListHead' : [ 0x36c, ['_LIST_ENTRY']], 'Cid' : [ 0x374, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x37c, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x37c, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x390, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x394, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x39c, ['unsigned long']], 'DeviceToVerify' : [ 0x3a0, ['pointer', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x3a4, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x3a8, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x3ac, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x3b4, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x3b8, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x3bc, ['unsigned long']], 'MmLockOrdering' : [ 0x3c0, ['long']], 'CmLockOrdering' : [ 0x3c4, ['long']], 'CrossThreadFlags' : [ 0x3c8, ['unsigned 
long']], 'Terminated' : [ 0x3c8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x3c8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x3c8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x3c8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x3c8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x3c8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x3c8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x3c8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x3c8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x3c8, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x3c8, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x3c8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x3c8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x3c8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x3c8, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x3cc, ['unsigned long']], 'ActiveExWorker' : [ 0x3cc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x3cc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'StoreLockThread' : [ 0x3cc, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'ClonedThread' : [ 0x3cc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x3cc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SelfTerminate' : [ 0x3cc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'RespectIoPriority' : [ 0x3cc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'ReservedSameThreadPassiveFlags' : [ 0x3cc, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x3d0, ['unsigned long']], 'OwnsProcessAddressSpaceExclusive' : [ 0x3d0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x3d0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardFaultBehavior' : [ 0x3d0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x3d0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x3d0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x3d0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Prefetching' : [ 0x3d0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x3d0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SystemPagePriorityActive' : [ 0x3d1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SystemPagePriority' : [ 0x3d1, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'CacheManagerActive' : [ 0x3d4, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x3d5, ['unsigned char']], 'ActiveFaultCount' : [ 0x3d6, ['unsigned char']], 'LockOrderState' : [ 0x3d7, ['unsigned char']], 'AlpcMessageId' : [ 0x3d8, ['unsigned 
long']], 'AlpcMessage' : [ 0x3dc, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x3dc, ['unsigned long']], 'ExitStatus' : [ 0x3e0, ['long']], 'AlpcWaitListEntry' : [ 0x3e4, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x3ec, ['unsigned long']], 'IoBoostCount' : [ 0x3f0, ['unsigned long']], 'BoostList' : [ 0x3f4, ['_LIST_ENTRY']], 'DeboostList' : [ 0x3fc, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x404, ['unsigned long']], 'IrpListLock' : [ 0x408, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x40c, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x410, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x414, ['pointer', ['_GUID']]], 'SeLearningModeListHead' : [ 0x418, ['_SINGLE_LIST_ENTRY']], 'VerifierContext' : [ 0x41c, ['pointer', ['void']]], 'KernelStackReference' : [ 0x420, ['unsigned long']], 'AdjustedClientToken' : [ 0x424, ['pointer', ['void']]], 'WorkingOnBehalfClient' : [ 0x428, ['pointer', ['void']]], 'PropertySet' : [ 0x42c, ['_PS_PROPERTY_SET']], 'PicoContext' : [ 0x438, ['pointer', ['void']]], 'UserFsBase' : [ 0x43c, ['unsigned long']], 'UserGsBase' : [ 0x440, ['unsigned long']], 'EnergyValues' : [ 0x444, ['pointer', ['_THREAD_ENERGY_VALUES']]], 'CmCellReferences' : [ 0x448, ['unsigned long']], 'SelectedCpuSets' : [ 0x44c, ['unsigned long']], 'SelectedCpuSetsIndirect' : [ 0x44c, ['pointer', ['unsigned long']]], 'Silo' : [ 0x450, ['pointer', ['_EJOB']]], } ], '_EPROCESS' : [ 0x370, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xa8, ['_EX_PUSH_LOCK']], 'RundownProtect' : [ 0xac, ['_EX_RUNDOWN_REF']], 'VdmObjects' : [ 0xb0, ['pointer', ['void']]], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'Flags2' : [ 0xc0, ['unsigned long']], 'JobNotReallyActive' : [ 0xc0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0xc0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0xc0, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0xc0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0xc0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0xc0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ForceWakeCharge' : [ 0xc0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0xc0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0xc0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0xc0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DisableDynamicCode' : [ 0xc0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0xc0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0xc0, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0xc0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0xc0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0xc0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0xc0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0xc0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0xc0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0xc0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0xc0, ['BitField', dict(start_bit 
= 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0xc0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0xc0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0xc0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0xc0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0xc0, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0xc0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0xc0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0xc4, ['unsigned long']], 'CreateReported' : [ 0xc4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0xc4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0xc4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0xc4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ControlFlowGuardEnabled' : [ 0xc4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0xc4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0xc4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0xc4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FailFastOnCommitFail' : [ 0xc4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0xc4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0xc4, 
['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0xc4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0xc4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0xc4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0xc4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0xc4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0xc4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0xc4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0xc4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0xc4, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0xc4, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0xc4, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0xc4, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ProcessRundown' : [ 0xc4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0xc4, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0xc4, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0xc4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0xc4, ['BitField', dict(start_bit = 31, end_bit = 32, 
native_type='unsigned long')]], 'CreateTime' : [ 0xc8, ['_LARGE_INTEGER']], 'ProcessQuotaUsage' : [ 0xd0, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xd8, ['array', 2, ['unsigned long']]], 'PeakVirtualSize' : [ 0xe0, ['unsigned long']], 'VirtualSize' : [ 0xe4, ['unsigned long']], 'SessionProcessLinks' : [ 0xe8, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0xf0, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xf0, ['unsigned long']], 'ExceptionPortState' : [ 0xf0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Token' : [ 0xf4, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xf8, ['unsigned long']], 'AddressCreationLock' : [ 0xfc, ['_EX_PUSH_LOCK']], 'PageTableCommitmentLock' : [ 0x100, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x104, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0x108, ['pointer', ['_ETHREAD']]], 'CommitChargeJob' : [ 0x10c, ['pointer', ['_EJOB']]], 'CloneRoot' : [ 0x110, ['_RTL_AVL_TREE']], 'NumberOfPrivatePages' : [ 0x114, ['unsigned long']], 'NumberOfLockedPages' : [ 0x118, ['unsigned long']], 'Win32Process' : [ 0x11c, ['pointer', ['void']]], 'Job' : [ 0x120, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x124, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x128, ['pointer', ['void']]], 'Cookie' : [ 0x12c, ['unsigned long']], 'WorkingSetWatch' : [ 0x130, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x134, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x138, ['pointer', ['void']]], 'LdtInformation' : [ 0x13c, ['pointer', ['void']]], 'OwnerProcessId' : [ 0x140, ['unsigned long']], 'Peb' : [ 0x144, ['pointer', ['_PEB']]], 'Session' : [ 0x148, ['pointer', ['void']]], 'AweInfo' : [ 0x14c, ['pointer', ['void']]], 'QuotaBlock' : [ 0x150, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x154, ['pointer', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x158, ['pointer', ['void']]], 'PaeTop' : [ 0x15c, ['pointer', ['void']]], 'DeviceMap' : [ 0x160, ['pointer', ['void']]], 
'EtwDataSource' : [ 0x164, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x168, ['unsigned long long']], 'ImageFilePointer' : [ 0x170, ['pointer', ['_FILE_OBJECT']]], 'ImageFileName' : [ 0x174, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x183, ['unsigned char']], 'SecurityPort' : [ 0x184, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x188, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x18c, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x194, ['pointer', ['void']]], 'ThreadListHead' : [ 0x198, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x1a0, ['unsigned long']], 'ImagePathHash' : [ 0x1a4, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a8, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1ac, ['long']], 'PrefetchTrace' : [ 0x1b0, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x1b4, ['pointer', ['void']]], 'ReadOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1e0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e8, ['unsigned long']], 'CommitCharge' : [ 0x1ec, ['unsigned long']], 'CommitChargePeak' : [ 0x1f0, ['unsigned long']], 'Vm' : [ 0x1f4, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x274, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x27c, ['unsigned long']], 'ExitStatus' : [ 0x280, ['long']], 'VadRoot' : [ 0x284, ['_RTL_AVL_TREE']], 'VadHint' : [ 0x288, ['pointer', ['void']]], 'VadCount' : [ 0x28c, ['unsigned long']], 'VadPhysicalPages' : [ 0x290, ['unsigned long']], 'VadPhysicalPagesLimit' : [ 0x294, ['unsigned long']], 'AlpcContext' : [ 0x298, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x2a8, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x2b0, ['pointer', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x2b4, ['unsigned long']], 'SmallestTimerResolution' : [ 0x2b8, ['unsigned 
long']], 'ExitTime' : [ 0x2c0, ['_LARGE_INTEGER']], 'ActiveThreadsHighWatermark' : [ 0x2c8, ['unsigned long']], 'LargePrivateVadCount' : [ 0x2cc, ['unsigned long']], 'ThreadListLock' : [ 0x2d0, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x2d4, ['pointer', ['void']]], 'Spare0' : [ 0x2d8, ['unsigned long']], 'SignatureLevel' : [ 0x2dc, ['unsigned char']], 'SectionSignatureLevel' : [ 0x2dd, ['unsigned char']], 'Protection' : [ 0x2de, ['_PS_PROTECTION']], 'HangCount' : [ 0x2df, ['unsigned char']], 'Flags3' : [ 0x2e0, ['unsigned long']], 'Minimal' : [ 0x2e0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReplacingPageRoot' : [ 0x2e0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DisableNonSystemFonts' : [ 0x2e0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AuditNonSystemFontLoading' : [ 0x2e0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Crashed' : [ 0x2e0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'JobVadsAreTracked' : [ 0x2e0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'VadTrackingDisabled' : [ 0x2e0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AuxiliaryProcess' : [ 0x2e0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SubsystemProcess' : [ 0x2e0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IndirectCpuSets' : [ 0x2e0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'InPrivate' : [ 0x2e0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProhibitRemoteImageMap' : [ 0x2e0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ProhibitLowILImageMap' : [ 0x2e0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SignatureMitigationOptIn' : [ 0x2e0, ['BitField', 
dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeviceAsid' : [ 0x2e4, ['long']], 'SvmData' : [ 0x2e8, ['pointer', ['void']]], 'SvmProcessLock' : [ 0x2ec, ['_EX_PUSH_LOCK']], 'SvmLock' : [ 0x2f0, ['unsigned long']], 'SvmProcessDeviceListHead' : [ 0x2f4, ['_LIST_ENTRY']], 'LastFreezeInterruptTime' : [ 0x300, ['unsigned long long']], 'DiskCounters' : [ 0x308, ['pointer', ['_PROCESS_DISK_COUNTERS']]], 'PicoContext' : [ 0x30c, ['pointer', ['void']]], 'KeepAliveCounter' : [ 0x310, ['unsigned long']], 'NoWakeKeepAliveCounter' : [ 0x314, ['unsigned long']], 'HighPriorityFaultsAllowed' : [ 0x318, ['unsigned long']], 'InstrumentationCallback' : [ 0x31c, ['pointer', ['void']]], 'EnergyValues' : [ 0x320, ['pointer', ['_PROCESS_ENERGY_VALUES']]], 'VmContext' : [ 0x324, ['pointer', ['void']]], 'SequenceNumber' : [ 0x328, ['unsigned long long']], 'CreateInterruptTime' : [ 0x330, ['unsigned long long']], 'CreateUnbiasedInterruptTime' : [ 0x338, ['unsigned long long']], 'TotalUnbiasedFrozenTime' : [ 0x340, ['unsigned long long']], 'LastAppStateUpdateTime' : [ 0x348, ['unsigned long long']], 'LastAppStateUptime' : [ 0x350, ['BitField', dict(start_bit = 0, end_bit = 61, native_type='unsigned long long')]], 'LastAppState' : [ 0x350, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], 'SharedCommitCharge' : [ 0x358, ['unsigned long']], 'SharedCommitLock' : [ 0x35c, ['_EX_PUSH_LOCK']], 'SharedCommitLinks' : [ 0x360, ['_LIST_ENTRY']], 'AllowedCpuSets' : [ 0x368, ['unsigned long']], 'DefaultCpuSets' : [ 0x36c, ['unsigned long']], 'AllowedCpuSetsIndirect' : [ 0x368, ['pointer', ['unsigned long']]], 'DefaultCpuSetsIndirect' : [ 0x36c, ['pointer', ['unsigned long']]], } ], '__unnamed_1390' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1396' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, 
['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1398' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1396']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_13a1' : [ 0x2c, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x28, ['pointer', ['void']]], } ], '__unnamed_13a3' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_13a1']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_1390']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_1398']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_13a3']], } ], '__unnamed_13aa' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 
0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_13ae' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_13b2' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_13b4' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_13b8' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 
'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_13ba' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_13bc' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 
'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 'FileMaximumInformation'})]], } ], '__unnamed_13be' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 
'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileUnusedInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileReplaceCompletionInformation', 62: 'FileHardLinkFullIdInformation', 63: 'FileIdExtdBothDirectoryInformation', 64: 
'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13c0' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_13c2' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_13c6' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMetadataSizeInformation', 14: 'FileFsMaximumInformation'})]], } ], '__unnamed_13c8' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13cb' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_13cd' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13cf' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_13d1' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, 
['pointer', ['void']]], } ], '__unnamed_13d5' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_13d9' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_13dd' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_13e1' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_13e5' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_13e9' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_13ed' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_13ef' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_13f1' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_13f5' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_13f9' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_13fd' : [ 0x8, { 
'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_1401' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1405' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_140d' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], } ], '__unnamed_1411' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1413' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1415' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1417' : [ 0x10, { 
'Create' : [ 0x0, ['__unnamed_13aa']], 'CreatePipe' : [ 0x0, ['__unnamed_13ae']], 'CreateMailslot' : [ 0x0, ['__unnamed_13b2']], 'Read' : [ 0x0, ['__unnamed_13b4']], 'Write' : [ 0x0, ['__unnamed_13b4']], 'QueryDirectory' : [ 0x0, ['__unnamed_13b8']], 'NotifyDirectory' : [ 0x0, ['__unnamed_13ba']], 'QueryFile' : [ 0x0, ['__unnamed_13bc']], 'SetFile' : [ 0x0, ['__unnamed_13be']], 'QueryEa' : [ 0x0, ['__unnamed_13c0']], 'SetEa' : [ 0x0, ['__unnamed_13c2']], 'QueryVolume' : [ 0x0, ['__unnamed_13c6']], 'SetVolume' : [ 0x0, ['__unnamed_13c6']], 'FileSystemControl' : [ 0x0, ['__unnamed_13c8']], 'LockControl' : [ 0x0, ['__unnamed_13cb']], 'DeviceIoControl' : [ 0x0, ['__unnamed_13cd']], 'QuerySecurity' : [ 0x0, ['__unnamed_13cf']], 'SetSecurity' : [ 0x0, ['__unnamed_13d1']], 'MountVolume' : [ 0x0, ['__unnamed_13d5']], 'VerifyVolume' : [ 0x0, ['__unnamed_13d5']], 'Scsi' : [ 0x0, ['__unnamed_13d9']], 'QueryQuota' : [ 0x0, ['__unnamed_13dd']], 'SetQuota' : [ 0x0, ['__unnamed_13c2']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_13e1']], 'QueryInterface' : [ 0x0, ['__unnamed_13e5']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_13e9']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_13ed']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_13ef']], 'SetLock' : [ 0x0, ['__unnamed_13f1']], 'QueryId' : [ 0x0, ['__unnamed_13f5']], 'QueryDeviceText' : [ 0x0, ['__unnamed_13f9']], 'UsageNotification' : [ 0x0, ['__unnamed_13fd']], 'WaitWake' : [ 0x0, ['__unnamed_1401']], 'PowerSequence' : [ 0x0, ['__unnamed_1405']], 'Power' : [ 0x0, ['__unnamed_140d']], 'StartDevice' : [ 0x0, ['__unnamed_1411']], 'WMI' : [ 0x0, ['__unnamed_1413']], 'Others' : [ 0x0, ['__unnamed_1415']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_1417']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, 
['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_142d' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_142d']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'TargetInfoAsUlong' : [ 0x0, ['unsigned long']], 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_SINGLE_LIST_ENTRY']], 'ProcessorHistory' : [ 0x8, ['unsigned long']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 
0x14, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], 'SiloContext' : [ 0x10, ['pointer', ['_EJOB']]], } ], '_EJOB' : [ 0x2f8, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x70, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x78, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0x80, ['unsigned long long']], 'TotalPageFaultCount' : [ 0x88, ['unsigned long']], 'TotalProcesses' : [ 0x8c, ['unsigned long']], 'ActiveProcesses' : [ 0x90, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x94, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x98, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xa0, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xa8, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xac, ['unsigned long']], 'LimitFlags' : [ 0xb0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xb4, ['unsigned long']], 'Affinity' : [ 0xb8, ['_KAFFINITY_EX']], 'AccessState' : [ 0xc4, ['pointer', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0xc8, ['pointer', ['void']]], 'UIRestrictionsClass' : [ 0xcc, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xd0, ['unsigned long']], 'CompletionPort' : [ 0xd4, ['pointer', ['void']]], 'CompletionKey' : [ 0xd8, ['pointer', ['void']]], 'CompletionCount' : [ 0xe0, ['unsigned long long']], 'SessionId' : [ 0xe8, ['unsigned long']], 'SchedulingClass' : [ 0xec, ['unsigned long']], 'ReadOperationCount' : [ 0xf0, ['unsigned long long']], 'WriteOperationCount' : [ 0xf8, ['unsigned long long']], 'OtherOperationCount' : [ 0x100, ['unsigned long long']], 'ReadTransferCount' : [ 0x108, ['unsigned 
long long']], 'WriteTransferCount' : [ 0x110, ['unsigned long long']], 'OtherTransferCount' : [ 0x118, ['unsigned long long']], 'DiskIoInfo' : [ 0x120, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x148, ['unsigned long']], 'JobMemoryLimit' : [ 0x14c, ['unsigned long']], 'JobTotalMemoryLimit' : [ 0x150, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x154, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x158, ['unsigned long']], 'EffectiveAffinity' : [ 0x15c, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x168, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x170, ['unsigned long']], 'EffectiveMaximumWorkingSetSize' : [ 0x174, ['unsigned long']], 'EffectiveProcessMemoryLimit' : [ 0x178, ['unsigned long']], 'EffectiveProcessMemoryLimitJob' : [ 0x17c, ['pointer', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x180, ['pointer', ['_EJOB']]], 'EffectiveDiskIoRateLimitJob' : [ 0x184, ['pointer', ['_EJOB']]], 'EffectiveNetIoRateLimitJob' : [ 0x188, ['pointer', ['_EJOB']]], 'EffectiveHeapAttributionJob' : [ 0x18c, ['pointer', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x190, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x194, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x198, ['unsigned long']], 'EffectiveBackgroundCount' : [ 0x19c, ['unsigned long']], 'EffectiveSwapCount' : [ 0x1a0, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x1a4, ['unsigned long']], 'EffectivePriorityClass' : [ 0x1a8, ['unsigned char']], 'PriorityClass' : [ 0x1a9, ['unsigned char']], 'NestingDepth' : [ 0x1aa, ['unsigned char']], 'Reserved1' : [ 0x1ab, ['array', 1, ['unsigned char']]], 'CompletionFilter' : [ 0x1ac, ['unsigned long']], 'WakeChannel' : [ 0x1b0, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x1b0, ['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x1e8, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x1f0, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x1f4, ['unsigned long']], 'NotificationLink' : [ 0x1f8, ['pointer', ['_EJOB']]], 
'CurrentJobMemoryUsed' : [ 0x200, ['unsigned long long']], 'NotificationInfo' : [ 0x208, ['pointer', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x20c, ['pointer', ['void']]], 'NotificationPacket' : [ 0x210, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x214, ['pointer', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x218, ['pointer', ['void']]], 'ReadyTime' : [ 0x220, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x228, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x22c, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x234, ['_LIST_ENTRY']], 'ParentJob' : [ 0x23c, ['pointer', ['_EJOB']]], 'RootJob' : [ 0x240, ['pointer', ['_EJOB']]], 'IteratorListHead' : [ 0x244, ['_LIST_ENTRY']], 'AncestorCount' : [ 0x24c, ['unsigned long']], 'Ancestors' : [ 0x250, ['pointer', ['pointer', ['_EJOB']]]], 'SessionObject' : [ 0x250, ['pointer', ['void']]], 'Accounting' : [ 0x258, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x2a8, ['unsigned long']], 'ActiveAuxiliaryProcessCount' : [ 0x2ac, ['unsigned long']], 'SequenceNumber' : [ 0x2b0, ['unsigned long']], 'TimerListLock' : [ 0x2b4, ['unsigned long']], 'TimerListHead' : [ 0x2b8, ['_LIST_ENTRY']], 'ContainerId' : [ 0x2c0, ['_GUID']], 'Container' : [ 0x2d0, ['pointer', ['_SILO_CONTEXT']]], 'PropertySet' : [ 0x2d4, ['_PS_PROPERTY_SET']], 'NetRateControl' : [ 0x2e0, ['pointer', ['_JOB_NET_RATE_CONTROL']]], 'IoRateControl' : [ 0x2e4, ['pointer', ['_JOB_IO_RATE_CONTROL']]], 'JobFlags' : [ 0x2e8, ['unsigned long']], 'CloseDone' : [ 0x2e8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x2e8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x2e8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NotificationInProgress' : [ 0x2e8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x2e8, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x2e8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x2e8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x2e8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x2e8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x2e8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x2e8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x2e8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x2e8, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x2e8, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x2e8, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x2e8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x2e8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x2e8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x2e8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x2e8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x2e8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x2e8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 
'NoSystemCharge' : [ 0x2e8, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DropNoWakeCharges' : [ 0x2e8, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'NoWakeChargePolicyDecided' : [ 0x2e8, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'NetRateControlActive' : [ 0x2e8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'OwnNetRateControl' : [ 0x2e8, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IoRateControlActive' : [ 0x2e8, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'OwnIoRateControl' : [ 0x2e8, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'DisallowNewProcesses' : [ 0x2e8, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'SpareJobFlags' : [ 0x2e8, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x2ec, ['unsigned long']], 'EnergyValues' : [ 0x2f0, ['pointer', ['_PROCESS_ENERGY_VALUES']]], 'SharedCommitCharge' : [ 0x2f4, ['unsigned long']], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 
'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'Type' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['unsigned char']], 'Reserved2' : [ 0xe, ['unsigned short']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x68, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x5c, ['pointer', ['void']]], 'UserContext' : [ 0x60, ['pointer', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, 
['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 
'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, 
['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], 'Oplock' : [ 0x3c, ['pointer', ['void']]], 'ReservedForRemote' : [ 0x3c, ['pointer', ['void']]], 'ReservedContext' : [ 0x40, ['pointer', ['void']]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_TlgProvider_t' : [ 0x30, { 'LevelPlus1' : [ 0x0, ['unsigned long']], 'ProviderMetadataPtr' : [ 0x4, ['pointer', ['unsigned short']]], 'KeywordAny' : [ 0x8, ['unsigned long long']], 'KeywordAll' : [ 0x10, ['unsigned long long']], 'RegHandle' : [ 0x18, ['unsigned long long']], 'EnableCallback' : [ 0x20, ['pointer', ['void']]], 'CallbackContext' : [ 0x24, ['pointer', ['void']]], 'AnnotationFunc' : [ 0x28, ['pointer', ['void']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], 
'_TlgProviderMetadata_t' : [ 0x13, { 'Type' : [ 0x0, ['unsigned char']], 'ProviderId' : [ 0x1, ['_GUID']], 'RemainingSize' : [ 0x11, ['unsigned short']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '__unnamed_1618' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'HighLow' : [ 0x0, ['_MMPTE_HIGHLOW']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1618']], } ], '_EX_PUSH_LOCK_AUTO_EXPAND' : [ 0xc, { 'LocalLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'State' : [ 0x4, ['_EX_PUSH_LOCK_AUTO_EXPAND_STATE']], 'Stats' : [ 0x8, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'ReservedLowFlags' : [ 0xe, ['unsigned char']], 'WaiterPriority' : [ 0xf, ['unsigned char']], 'SharedWaiters' : [ 0x10, ['_KWAIT_CHAIN']], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned 
long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '__unnamed_1650' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1654' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ShortFlags' : [ 0x2, ['unsigned short']], 'VolatileShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1656' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1654']], } ], '__unnamed_165b' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireField' : [ 0x0, ['unsigned long']], } ], '_MMPFN' : [ 0x1c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'u1' : [ 0x0, ['__unnamed_1650']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x4, ['pointer', ['void']]], 'PteLong' : 
[ 0x4, ['unsigned long']], 'OriginalPte' : [ 0x8, ['_MMPTE']], 'u2' : [ 0x10, ['_MIPFNBLINK']], 'u3' : [ 0x14, ['__unnamed_1656']], 'u4' : [ 0x18, ['__unnamed_165b']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x34, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'BasePte' : [ 0x8, ['pointer', ['_MMPTE']]], 'Flags' : [ 0xc, ['unsigned long']], 'VaType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'MiVaUnused', 1: 'MiVaSessionSpace', 2: 'MiVaProcessSpace', 3: 'MiVaBootLoaded', 4: 'MiVaPfnDatabase', 5: 'MiVaNonPagedPool', 6: 'MiVaPagedPool', 7: 'MiVaSpecialPoolPaged', 8: 'MiVaSystemCache', 9: 'MiVaSystemPtes', 10: 'MiVaHal', 11: 'MiVaSessionGlobalSpace', 12: 'MiVaDriverImages', 13: 'MiVaSpecialPoolNonPaged', 14: 'MiVaPagedProtoPool', 15: 'MiVaMaximumType', 16: 'MiVaSystemPtesLarge'})]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'PteFailures' : [ 0x18, ['unsigned long']], 'SpinLock' : [ 0x1c, ['unsigned long']], 'GlobalPushLock' : [ 0x1c, ['pointer', ['_EX_PUSH_LOCK']]], 'Vm' : [ 0x20, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x24, ['unsigned long']], 'Hint' : [ 0x28, ['unsigned long']], 'CachedPtes' : [ 0x2c, ['pointer', ['_MI_CACHED_PTES']]], 'TotalFreeSystemPtes' : [ 0x30, ['unsigned long']], } ], '_MMCLONE_DESCRIPTOR' : [ 0x30, { 'CloneNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Next' : [ 0x0, ['pointer', ['_MMCLONE_DESCRIPTOR']]], 'StartingCloneBlock' : [ 0xc, ['pointer', ['_MMCLONE_BLOCK']]], 'EndingCloneBlock' : [ 0x10, ['pointer', ['_MMCLONE_BLOCK']]], 'NumberOfPtes' : [ 0x14, ['unsigned long']], 'NumberOfReferences' : [ 0x18, ['unsigned long']], 'CloneHeader' : [ 0x1c, ['pointer', ['_MMCLONE_HEADER']]], 'NonPagedPoolQuotaCharge' : [ 0x20, ['unsigned long']], 'NestingLevel' : [ 0x28, ['unsigned long long']], } ], '__unnamed_168b' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, 
['__unnamed_168b']], } ], '_MMWSL' : [ 0xe48, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'LastInitializedWsle' : [ 0x10, ['unsigned long']], 'NextAgingSlot' : [ 0x14, ['unsigned long']], 'NextAccessClearingSlot' : [ 0x18, ['unsigned long']], 'LastAccessClearingRemainder' : [ 0x1c, ['unsigned long']], 'LastAgingRemainder' : [ 0x20, ['unsigned long']], 'WsleSize' : [ 0x24, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long']], 'LowestPagableAddress' : [ 0x2c, ['pointer', ['void']]], 'NonDirectHash' : [ 0x30, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x34, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x38, ['pointer', ['_MMWSLE_HASH']]], 'ActiveWsleCounts' : [ 0x3c, ['array', 16, ['unsigned long']]], 'ActiveWsles' : [ 0x7c, ['array', 16, ['_MI_ACTIVE_WSLE_LISTHEAD']]], 'Wsle' : [ 0xfc, ['pointer', ['_MMWSLE']]], 'UserVaInfo' : [ 0x100, ['_MI_USER_VA_INFO']], } ], '_MMSUPPORT' : [ 0x80, { 'WorkingSetLock' : [ 0x0, ['long']], 'ExitOutswapGate' : [ 0x4, ['pointer', ['_KGATE']]], 'AccessLog' : [ 0x8, ['pointer', ['void']]], 'WorkingSetExpansionLinks' : [ 0xc, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x14, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x30, ['unsigned long']], 'WorkingSetLeafSize' : [ 0x34, ['unsigned long']], 'WorkingSetLeafPrivateSize' : [ 0x38, ['unsigned long']], 'WorkingSetSize' : [ 0x3c, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x40, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x44, ['unsigned long']], 'ChargedWslePages' : [ 0x48, ['unsigned long']], 'ActualWslePages' : [ 0x4c, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x50, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x54, ['unsigned long']], 'HardFaultCount' : [ 0x58, ['unsigned long']], 'VmWorkingSetList' : [ 0x5c, ['pointer', ['_MMWSL']]], 'NextPageColor' : [ 0x60, ['unsigned short']], 
'LastTrimStamp' : [ 0x62, ['unsigned short']], 'PageFaultCount' : [ 0x64, ['unsigned long']], 'TrimmedPageCount' : [ 0x68, ['unsigned long']], 'Reserved0' : [ 0x6c, ['unsigned long']], 'Flags' : [ 0x70, ['_MMSUPPORT_FLAGS']], 'ReleasedCommitDebt' : [ 0x74, ['unsigned long']], 'WsSwapSupport' : [ 0x78, ['pointer', ['void']]], 'CommitReAcquireFailSupport' : [ 0x7c, ['pointer', ['void']]], } ], '__unnamed_16a6' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_16aa' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_16a6']], 'u2' : [ 0x24, ['__unnamed_16aa']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], } ], '__unnamed_16af' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_16b9' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long')]], 'SystemImage' : [ 0x4, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'StrongCode' : [ 0x4, ['BitField', dict(start_bit = 26, end_bit = 28, native_type='unsigned long')]], 'CantMove' : [ 0x4, ['BitField', 
dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'FlushInProgressCount' : [ 0x8, ['unsigned long']], 'NumberOfSubsections' : [ 0x8, ['unsigned long']], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_16bb' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_16b9']], } ], '_CONTROL_AREA' : [ 0x50, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'ListHead' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_16af']], 'FilePointer' : [ 0x20, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x24, ['long']], 'ModifiedWriteCount' : [ 0x28, ['unsigned long']], 'WaitList' : [ 0x2c, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x30, ['__unnamed_16bb']], 'LockedPages' : [ 0x40, ['unsigned long long']], 'FileObjectLock' : [ 0x48, ['_EX_PUSH_LOCK']], } ], '__unnamed_16d0' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_16d3' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x28, { 'VadNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'NextVad' : [ 0x0, ['pointer', ['_MMVAD_SHORT']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['long']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u' : [ 0x1c, ['__unnamed_16d0']], 'u1' : [ 0x20, ['__unnamed_16d3']], 'EventList' : [ 0x24, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], } ], '_MI_PARTITION' : [ 0x18c0, { 'Core' : [ 0x0, ['_MI_PARTITION_CORE']], 'Modwriter' : [ 0xb8, ['_MI_PARTITION_MODWRITES']], 
'Store' : [ 0x288, ['_MI_PARTITION_STORES']], 'Segments' : [ 0x300, ['_MI_PARTITION_SEGMENTS']], 'PageLists' : [ 0x400, ['_MI_PARTITION_PAGE_LISTS']], 'Commit' : [ 0xb80, ['_MI_PARTITION_COMMIT']], 'Zeroing' : [ 0xc00, ['_MI_PARTITION_ZEROING']], 'PageCombine' : [ 0xc40, ['_MI_PAGE_COMBINING_SUPPORT']], 'WorkingSetControl' : [ 0xd18, ['pointer', ['void']]], 'WorkingSetExpansionHead' : [ 0xd1c, ['_MMWORKING_SET_EXPANSION_HEAD']], 'Vp' : [ 0xd40, ['_MI_VISIBLE_PARTITION']], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 0x0, ['unsigned long']], } ], '_MMPAGING_FILE' : [ 0xa8, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'FreeReservationSpace' : [ 0x18, ['unsigned long']], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x20, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PfnsToFree' : [ 0x28, ['_SLIST_HEADER']], 'PageFileName' : [ 0x30, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x38, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x3c, ['unsigned long']], 'LargestAllocationCluster' : [ 0x40, ['unsigned long']], 'RefreshAllocationCluster' : [ 0x44, ['unsigned long']], 'LastRefreshAllocationCluster' : [ 0x48, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x4c, ['unsigned long']], 'MaximumRunLengthInBitmaps' : [ 0x50, ['unsigned long']], 'BitmapsCacheLengthTree' : [ 0x54, ['_RTL_RB_TREE']], 'BitmapsCacheLocationTree' : [ 0x5c, ['_RTL_RB_TREE']], 'BitmapsCacheFreeList' : [ 0x64, ['_LIST_ENTRY']], 'BitmapsCacheEntries' : [ 0x6c, ['pointer', ['_MI_PAGEFILE_BITMAPS_CACHE_ENTRY']]], 'ToBeEvictedCount' : [ 0x70, ['unsigned 
long']], 'HybridPriority' : [ 0x70, ['unsigned long']], 'PageFileNumber' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'NoReservations' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'VirtualStorePagefile' : [ 0x74, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SwapSupported' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'NodeInserted' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'StackNotified' : [ 0x74, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x74, ['BitField', dict(start_bit = 10, end_bit = 15, native_type='unsigned short')]], 'AdriftMdls' : [ 0x76, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0x76, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'IgnoreReservations' : [ 0x77, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare2' : [ 0x77, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PageHashPages' : [ 0x78, ['unsigned long']], 'PageHashPagesPeak' : [ 0x7c, ['unsigned long']], 'PageHash' : [ 0x80, ['pointer', ['unsigned long']]], 'FileHandle' : [ 0x84, ['pointer', ['void']]], 'Lock' : [ 0x88, ['unsigned long']], 'LockOwner' : [ 0x8c, ['pointer', ['_ETHREAD']]], 'FlowThroughReadRoot' : [ 0x90, ['_RTL_AVL_TREE']], 'Partition' : [ 0x94, ['pointer', ['_MI_PARTITION']]], 'FileObjectNode' : [ 0x98, ['_RTL_BALANCED_NODE']], } ], 'tagSWITCH_CONTEXT' : [ 0x68, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '_CMP_SILO_CONTEXT' : [ 0x10, { 'LockEntryHead' : [ 0x0, ['_LIST_ENTRY']], 'LockListUnderCleanup' : [ 0x8, 
['unsigned char']], 'ContextLock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '__unnamed_171e' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapForLoaderHive', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpMapHiveImage', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin', 18: '_HvpGetLogEntryDirtyVector', 19: '_HvpReadLogEntryHeader', 20: '_HvpReadLogEntry', 21: '_CmpMountPreloadedHives', 22: '_CmpLoadHiveThread'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1721' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x4, ['pointer', ['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_1723' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1727' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', ['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_1729' : [ 0x10, { 'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_172d' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_1731' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_1733' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x120, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned long']], 'RecoverableIndex' : [ 0x8, ['unsigned long']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_171e']]], 
'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_171e']]], 'RegistryIO' : [ 0xcc, ['__unnamed_1721']], 'CheckRegistry2' : [ 0xd8, ['__unnamed_1723']], 'CheckKey' : [ 0xdc, ['__unnamed_1727']], 'CheckValueList' : [ 0xec, ['__unnamed_1729']], 'CheckHive' : [ 0xfc, ['__unnamed_172d']], 'CheckHive1' : [ 0x108, ['__unnamed_172d']], 'CheckBin' : [ 0x114, ['__unnamed_1731']], 'RecoverData' : [ 0x11c, ['__unnamed_1733']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xc0, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long long']], 'ParkingStatus' : [ 0x80, ['unsigned long']], 'CurrentFrequency' : [ 0x84, ['unsigned long']], 'PercentMaxFrequency' : [ 0x88, ['unsigned long']], 'StateFlags' : [ 0x8c, ['unsigned long']], 
'NominalThroughput' : [ 0x90, ['unsigned long']], 'ActiveThroughput' : [ 0x94, ['unsigned long']], 'ScaledThroughput' : [ 0x98, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0xa0, ['unsigned long long']], 'AverageIdleTime' : [ 0xa8, ['unsigned long long']], 'IdleBreakEvents' : [ 0xb0, ['unsigned long long']], 'PerformanceLimit' : [ 0xb8, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xbc, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, 
['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 
'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_THERMAL_ZONE_COUNTERS' : [ 0xc, { 'Temperature' : [ 0x0, ['unsigned long']], 'ThrottleLimit' : [ 0x4, ['unsigned long']], 'ThrottleReasons' : [ 0x8, ['unsigned long']], } ], '_TEB32' : [ 0x1000, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0xcc, ['array', 16, ['unsigned long']]], 'SystemReserved1' : [ 0x10c, ['array', 38, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'InstrumentationCallbackSp' : [ 0x1ac, ['unsigned long']], 'InstrumentationCallbackPreviousPc' : [ 0x1b0, ['unsigned long']], 'InstrumentationCallbackPreviousSp' : [ 0x1b4, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x1b8, ['unsigned char']], 'SpareBytes' : [ 0x1b9, ['array', 23, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 
'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 
'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 
0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0xfca, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 14, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'WowTebOffset' : [ 0xfdc, ['long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], 'ReservedForCrt' : [ 0xfe8, ['unsigned long long']], 'EffectiveContainerId' : [ 0xff0, ['_GUID']], } ], '_TEB64' : [ 0x1838, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'ReservedForDebuggerInstrumentation' : [ 0x110, ['array', 16, ['unsigned long long']]], 'SystemReserved1' : [ 
0x190, ['array', 38, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'Padding0' : [ 0x2c4, ['array', 4, ['unsigned char']]], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'InstrumentationCallbackSp' : [ 0x2d0, ['unsigned long long']], 'InstrumentationCallbackPreviousPc' : [ 0x2d8, ['unsigned long long']], 'InstrumentationCallbackPreviousSp' : [ 0x2e0, ['unsigned long long']], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'InstrumentationCallbackDisabled' : [ 0x2ec, ['unsigned char']], 'Padding1' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'Padding2' : [ 0x1254, ['array', 4, ['unsigned char']]], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'Padding3' : [ 0x1472, ['array', 6, ['unsigned char']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 
'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Padding4' : [ 0x16b4, ['array', 4, ['unsigned char']]], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'Padding5' : [ 0x174c, ['array', 4, ['unsigned char']]], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'Padding6' : [ 0x1764, ['array', 4, ['unsigned char']]], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'Padding7' : [ 0x17b4, ['array', 4, ['unsigned char']]], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 
0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'LoadOwner' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'LoaderWorker' : [ 0x17ee, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 14, 
end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'WowTebOffset' : [ 0x180c, ['long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], 'ReservedForCrt' : [ 0x1820, ['unsigned long long']], 'EffectiveContainerId' : [ 0x1828, ['_GUID']], } ], '_HV_X64_HYPERVISOR_FEATURES' : [ 0x10, { 'PartitionPrivileges' : [ 0x0, ['_HV_PARTITION_PRIVILEGE_MASK']], 'MaxSupportedCState' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'HpetNeededForC3PowerState_Deprecated' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'MwaitAvailable_Deprecated' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'GuestDebuggingAvailable' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerformanceMonitorsAvailable' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'CpuDynamicPartitioningAvailable' : [ 0xc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'XmmRegistersForFastHypercallAvailable' : [ 0xc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'GuestIdleAvailable' : [ 0xc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HypervisorSleepStateSupportAvailable' : [ 0xc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NumaDistanceQueryAvailable' : [ 0xc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'FrequencyRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long')]], 'SyntheticMachineCheckAvailable' : [ 0xc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'GuestCrashRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DebugRegsAvailable' : [ 0xc, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Npiep1Available' : [ 0xc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DisableHypervisorAvailable' : [ 0xc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ExtendedGvaRangesForFlushVirtualAddressListAvailable' : [ 0xc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'FastHypercallOutputAvailable' : [ 0xc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SvmFeaturesAvailable' : [ 0xc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SintPollingModeAvailable' : [ 0xc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HypercallMsrLockAvailable' : [ 0xc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], } ], '_HV_PARTITION_PRIVILEGE_MASK' : [ 0x8, { 'AsUINT64' : [ 0x0, ['unsigned long long']], 'AccessVpRunTimeReg' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'AccessPartitionReferenceCounter' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'AccessSynicRegs' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'AccessSyntheticTimerRegs' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'AccessIntrCtrlRegs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 
'AccessHypercallMsrs' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'AccessVpIndex' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AccessResetReg' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'AccessStatsReg' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'AccessPartitionReferenceTsc' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'AccessGuestIdleReg' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'AccessFrequencyRegs' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'AccessDebugRegs' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long long')]], 'CreatePartitions' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'AccessPartitionId' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 34, native_type='unsigned long long')]], 'AccessMemoryPool' : [ 0x0, ['BitField', dict(start_bit = 34, end_bit = 35, native_type='unsigned long long')]], 'AdjustMessageBuffers' : [ 0x0, ['BitField', dict(start_bit = 35, end_bit = 36, native_type='unsigned long long')]], 'PostMessages' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], 'SignalEvents' : [ 0x0, ['BitField', dict(start_bit = 37, end_bit = 38, native_type='unsigned long long')]], 'CreatePort' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 39, native_type='unsigned long long')]], 'ConnectPort' : [ 0x0, ['BitField', dict(start_bit = 39, end_bit = 40, native_type='unsigned long long')]], 'AccessStats' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 41, native_type='unsigned long 
long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 41, end_bit = 43, native_type='unsigned long long')]], 'Debugging' : [ 0x0, ['BitField', dict(start_bit = 43, end_bit = 44, native_type='unsigned long long')]], 'CpuManagement' : [ 0x0, ['BitField', dict(start_bit = 44, end_bit = 45, native_type='unsigned long long')]], 'ConfigureProfiler' : [ 0x0, ['BitField', dict(start_bit = 45, end_bit = 46, native_type='unsigned long long')]], 'AccessVpExitTracing' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 47, native_type='unsigned long long')]], 'EnableExtendedGvaRangesForFlushVirtualAddressList' : [ 0x0, ['BitField', dict(start_bit = 47, end_bit = 48, native_type='unsigned long long')]], 'AccessVsm' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 49, native_type='unsigned long long')]], 'AccessVpRegisters' : [ 0x0, ['BitField', dict(start_bit = 49, end_bit = 50, native_type='unsigned long long')]], 'UnusedBit' : [ 0x0, ['BitField', dict(start_bit = 50, end_bit = 51, native_type='unsigned long long')]], 'FastHypercallOutput' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'EnableExtendedHypercalls' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 53, native_type='unsigned long long')]], 'StartVirtualProcessor' : [ 0x0, ['BitField', dict(start_bit = 53, end_bit = 54, native_type='unsigned long long')]], 'Reserved3' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 64, native_type='unsigned long long')]], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, 
['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KSHARED_READY_QUEUE' : [ 0x134, { 'Lock' : [ 0x0, ['unsigned long']], 'ReadySummary' : [ 0x4, ['unsigned long']], 'ReadyListHead' : [ 0x8, ['array', 32, ['_LIST_ENTRY']]], 'RunningSummary' : [ 0x108, ['array', 32, ['unsigned char']]], 'Span' : [ 0x128, ['unsigned char']], 'LowProcIndex' : [ 0x129, ['unsigned char']], 'QueueIndex' : [ 0x12a, ['unsigned char']], 'ProcCount' : [ 0x12b, ['unsigned char']], 'ScanOwner' : [ 0x12c, ['unsigned char']], 'Spare' : [ 0x12d, ['array', 3, ['unsigned char']]], 'Affinity' : [ 0x130, ['unsigned long']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0xc, { 'Affinity' : [ 0x0, ['pointer', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x4, ['unsigned long']], 'CurrentIndex' : [ 0x8, ['unsigned short']], } ], '__unnamed_1841' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1843' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1847' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x1cc, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 
0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'FxDevice' : [ 0x28, ['pointer', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0x2c, ['long']], 'FxRemoveEvent' : [ 0x30, ['_KEVENT']], 'FxActivationCount' : [ 0x40, ['long']], 'FxSleepCount' : [ 0x44, ['long']], 'Plugin' : [ 0x48, ['pointer', ['_POP_FX_PLUGIN']]], 'Level' : [ 0x4c, ['unsigned long']], 'CurrentPowerState' : [ 0x50, ['_POWER_STATE']], 'Notify' : [ 0x54, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x90, ['_PO_IRP_MANAGER']], 'UniqueId' : [ 0xa0, ['_UNICODE_STRING']], 'PowerFlags' : [ 0xa8, ['unsigned long']], 'State' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0xb0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 
'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0xb4, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x104, ['unsigned long']], 'CompletionStatus' : [ 0x108, ['long']], 'Flags' : [ 0x10c, ['unsigned long']], 'UserFlags' : [ 0x110, ['unsigned long']], 'Problem' : [ 0x114, ['unsigned long']], 'ProblemStatus' : [ 0x118, ['long']], 'ResourceList' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x120, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x124, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x128, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 
'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x130, ['unsigned long']], 'ChildInterfaceType' : [ 0x134, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x138, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x13c, ['unsigned short']], 'RemovalPolicy' : [ 0x13e, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x13f, ['unsigned char']], 'TargetDeviceNotify' : [ 0x140, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x148, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x150, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x158, ['unsigned short']], 'QueryTranslatorMask' : [ 0x15a, ['unsigned short']], 'NoArbiterMask' : [ 0x15c, ['unsigned short']], 'QueryArbiterMask' : [ 0x15e, ['unsigned short']], 'OverUsed1' : [ 0x160, ['__unnamed_1841']], 'OverUsed2' : [ 0x164, ['__unnamed_1843']], 'BootResources' : [ 0x168, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x16c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x170, ['unsigned long']], 'DockInfo' : [ 0x174, ['__unnamed_1847']], 'DisableableDepends' : [ 0x184, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x188, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x190, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x198, ['unsigned long']], 'PreviousParent' : [ 0x19c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x1a0, ['long']], 'NumaNodeIndex' : [ 0x1a4, ['unsigned long']], 'ContainerID' : [ 0x1a8, ['_GUID']], 'OverrideFlags' : [ 0x1b8, ['unsigned 
char']], 'DeviceIdsHash' : [ 0x1bc, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x1c0, ['unsigned char']], 'PendingEjectRelations' : [ 0x1c4, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x1c8, ['unsigned long']], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x38, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x2c, ['pointer', ['unsigned long']]], 'EnableKeyWords' : [ 0x30, ['pointer', ['unsigned long long']]], 'EnableLevel' : [ 0x34, ['pointer', ['unsigned char']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x38, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependencyNode' : [ 0x2c, ['pointer', ['void']]], 'InterruptContext' : [ 0x30, ['pointer', ['void']]], 'VerifierContext' : [ 0x34, ['pointer', ['void']]], } ], '_GROUP_AFFINITY' 
: [ 0xc, { 'Mask' : [ 0x0, ['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, 
['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_X86_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned char']], 'EntropyQueueDpc' : [ 0x49, ['unsigned char']], 'Reserved' : [ 0x4a, ['array', 2, ['unsigned char']]], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned 
long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_X86_KTRAP_FRAME_BLUE' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, ['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['unsigned long']], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], 
'_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], 
'_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1941' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 
'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'WriteCustomBreakPoint' : [ 0x0, ['_DBGKD_WRITE_CUSTOM_BREAKPOINT']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1941']], } ], '__unnamed_1948' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 
'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1948']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PEP_ACPI_RESOURCE' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 
'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'IoMemory' : [ 0x0, ['_PEP_ACPI_IO_MEMORY_RESOURCE']], 'Interrupt' : [ 0x0, ['_PEP_ACPI_INTERRUPT_RESOURCE']], 'Gpio' : [ 0x0, ['_PEP_ACPI_GPIO_RESOURCE']], 'SpbI2c' : [ 0x0, ['_PEP_ACPI_SPB_I2C_RESOURCE']], 'SpbSpi' : [ 0x0, ['_PEP_ACPI_SPB_SPI_RESOURCE']], 'SpbUart' : [ 0x0, ['_PEP_ACPI_SPB_UART_RESOURCE']], 'ExtendedAddress' : [ 0x0, ['_PEP_ACPI_EXTENDED_ADDRESS']], } ], '_PEP_ACPI_IO_MEMORY_RESOURCE' : [ 0x20, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Information' : [ 0x4, ['unsigned char']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], } ], '_PEP_ACPI_INTERRUPT_RESOURCE' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'InterruptType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Flags' : [ 0xc, ['_PEP_ACPI_RESOURCE_FLAGS']], 'Count' : [ 0x10, ['unsigned char']], 'Pins' : [ 0x14, ['pointer', ['unsigned long']]], } ], '_PEP_ACPI_GPIO_RESOURCE' : [ 0x30, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 
'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'InterruptType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'InterruptPolarity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'PinConfig' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PullDefault', 1: 'PullUp', 2: 'PullDown', 3: 'PullNone'})]], 'IoRestrictionType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'IoRestrictionNone', 1: 'IoRestrictionInputOnly', 2: 'IoRestrictionOutputOnly', 3: 'IoRestrictionNoneAndPreserve'})]], 'DriveStrength' : [ 0x18, ['unsigned short']], 'DebounceTimeout' : [ 0x1a, ['unsigned short']], 'PinTable' : [ 0x1c, ['pointer', ['unsigned short']]], 'PinCount' : [ 0x20, ['unsigned short']], 'ResourceSourceIndex' : [ 0x22, ['unsigned char']], 'ResourceSourceName' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'VendorData' : [ 0x28, ['pointer', ['unsigned char']]], 'VendorDataLength' : [ 0x2c, ['unsigned short']], } ], '_PEP_ACPI_SPB_I2C_RESOURCE' : [ 0x20, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x18, ['unsigned long']], 'SlaveAddress' : [ 0x1c, ['unsigned short']], } ], '_PEP_ACPI_SPB_UART_RESOURCE' : [ 0x24, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'BaudRate' : [ 0x18, ['unsigned long']], 'RxBufferSize' : [ 0x1c, ['unsigned short']], 'TxBufferSize' : [ 0x1e, ['unsigned short']], 'Parity' : [ 0x20, ['unsigned char']], 'LinesInUse' : [ 0x21, ['unsigned char']], } ], '_PEP_ACPI_SPB_SPI_RESOURCE' : [ 0x24, { 'SpbCommon' : [ 0x0, ['_PEP_ACPI_SPB_RESOURCE']], 'ConnectionSpeed' : [ 0x18, ['unsigned long']], 
'DataBitLength' : [ 0x1c, ['unsigned char']], 'Phase' : [ 0x1d, ['unsigned char']], 'Polarity' : [ 0x1e, ['unsigned char']], 'DeviceSelection' : [ 0x20, ['unsigned short']], } ], '_PEP_ACPI_EXTENDED_ADDRESS' : [ 0x48, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'ResourceFlags' : [ 0x8, ['unsigned char']], 'GeneralFlags' : [ 0x9, ['unsigned char']], 'TypeSpecificFlags' : [ 0xa, ['unsigned char']], 'RevisionId' : [ 0xb, ['unsigned char']], 'Reserved' : [ 0xc, ['unsigned char']], 'Granularity' : [ 0x10, ['unsigned long long']], 'MinimumAddress' : [ 0x18, ['unsigned long long']], 'MaximumAddress' : [ 0x20, ['unsigned long long']], 'TranslationAddress' : [ 0x28, ['unsigned long long']], 'AddressLength' : [ 0x30, ['unsigned long long']], 'TypeAttribute' : [ 0x38, ['unsigned long long']], 'DescriptorName' : [ 0x40, ['pointer', ['_UNICODE_STRING']]], } ], '_PPM_PLATFORM_STATES' : [ 0x100, { 'StateCount' : [ 0x0, ['unsigned long']], 'InterfaceVersion' : [ 0x4, ['unsigned long']], 'ProcessorCount' : [ 0x8, ['unsigned long']], 'CoordinatedInterface' : [ 0xc, ['unsigned char']], 'IdleTest' : [ 0x10, ['pointer', ['void']]], 'IdlePreExecute' : [ 0x14, ['pointer', ['void']]], 'IdleComplete' : [ 0x18, ['pointer', ['void']]], 'QueryPlatformStateResidency' : [ 0x1c, ['pointer', ['void']]], 'Accounting' : [ 0x20, ['pointer', ['_PLATFORM_IDLE_ACCOUNTING']]], 'State' : [ 0x40, ['array', 1, ['_PPM_PLATFORM_STATE']]], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_PPM_PROFILE' : [ 0x1a8, { 'Name' : [ 0x0, ['pointer', ['unsigned short']]], 'Id' : [ 0x4, ['unsigned 
char']], 'Guid' : [ 0x8, ['_GUID']], 'Flags' : [ 0x18, ['unsigned long']], 'Priority' : [ 0x1c, ['unsigned char']], 'Settings' : [ 0x20, ['array', 2, ['_PPM_ENGINE_SETTINGS']]], 'StartTime' : [ 0x180, ['unsigned long long']], 'Count' : [ 0x188, ['unsigned long long']], 'MaxDuration' : [ 0x190, ['unsigned long long']], 'MinDuration' : [ 0x198, ['unsigned long long']], 'TotalDuration' : [ 0x1a0, ['unsigned long long']], } ], '_PPM_ENGINE_SETTINGS' : [ 0xb0, { 'ExplicitSetting' : [ 0x0, ['array', 2, ['_PPM_POLICY_SETTINGS_MASK']]], 'ThrottlingPolicy' : [ 0x10, ['unsigned char']], 'PerfTimeCheck' : [ 0x14, ['unsigned long']], 'PerfHistoryCount' : [ 0x18, ['array', 2, ['unsigned char']]], 'PerfMinPolicy' : [ 0x1a, ['array', 2, ['unsigned char']]], 'PerfMaxPolicy' : [ 0x1c, ['array', 2, ['unsigned char']]], 'PerfDecreaseTime' : [ 0x1e, ['array', 2, ['unsigned char']]], 'PerfIncreaseTime' : [ 0x20, ['array', 2, ['unsigned char']]], 'PerfDecreasePolicy' : [ 0x22, ['array', 2, ['unsigned char']]], 'PerfIncreasePolicy' : [ 0x24, ['array', 2, ['unsigned char']]], 'PerfDecreaseThreshold' : [ 0x26, ['array', 2, ['unsigned char']]], 'PerfIncreaseThreshold' : [ 0x28, ['array', 2, ['unsigned char']]], 'PerfBoostPolicy' : [ 0x2c, ['unsigned long']], 'PerfBoostMode' : [ 0x30, ['unsigned long']], 'PerfReductionTolerance' : [ 0x34, ['unsigned long']], 'EnergyPerfPreference' : [ 0x38, ['unsigned long']], 'AutonomousActivityWindow' : [ 0x3c, ['unsigned long']], 'AutonomousPreference' : [ 0x40, ['unsigned char']], 'LatencyHintPerf' : [ 0x41, ['array', 2, ['unsigned char']]], 'LatencyHintUnpark' : [ 0x43, ['array', 2, ['unsigned char']]], 'DutyCycling' : [ 0x45, ['unsigned char']], 'ParkingPerfState' : [ 0x46, ['array', 2, ['unsigned char']]], 'DistributeUtility' : [ 0x48, ['unsigned char']], 'CoreParkingOverUtilizationThreshold' : [ 0x49, ['unsigned char']], 'CoreParkingConcurrencyThreshold' : [ 0x4a, ['unsigned char']], 'CoreParkingHeadroomThreshold' : [ 0x4b, ['unsigned char']], 
'CoreParkingDistributionThreshold' : [ 0x4c, ['unsigned char']], 'CoreParkingDecreasePolicy' : [ 0x4d, ['unsigned char']], 'CoreParkingIncreasePolicy' : [ 0x4e, ['unsigned char']], 'CoreParkingDecreaseTime' : [ 0x50, ['unsigned long']], 'CoreParkingIncreaseTime' : [ 0x54, ['unsigned long']], 'CoreParkingMinCores' : [ 0x58, ['array', 2, ['unsigned char']]], 'CoreParkingMaxCores' : [ 0x5a, ['array', 2, ['unsigned char']]], 'AllowScaling' : [ 0x5c, ['unsigned char']], 'IdleDisabled' : [ 0x5d, ['unsigned char']], 'IdleTimeCheck' : [ 0x60, ['unsigned long']], 'IdleDemotePercent' : [ 0x64, ['unsigned char']], 'IdlePromotePercent' : [ 0x65, ['unsigned char']], 'HeteroDecreaseTime' : [ 0x66, ['unsigned char']], 'HeteroIncreaseTime' : [ 0x67, ['unsigned char']], 'HeteroDecreaseThreshold' : [ 0x68, ['array', 32, ['unsigned char']]], 'HeteroIncreaseThreshold' : [ 0x88, ['array', 32, ['unsigned char']]], 'Class0FloorPerformance' : [ 0xa8, ['unsigned char']], 'Class1InitialPerformance' : [ 0xa9, ['unsigned char']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_PERF_FLAGS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'Progress' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 27, native_type='unsigned long')]], 
'Synchronicity' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 29, native_type='unsigned long')]], 'RequestPepCompleted' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'RequestSucceeded' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NestedCallback' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'IrpFirstPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'IrpLastPendingIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '_POP_RW_LOCK' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0x90, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, 
['_LIST_ENTRY']], 'DirtyPages' : [ 0x14, ['unsigned long']], 'LogHandleContext' : [ 0x18, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0x80, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x84, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0x88, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x178, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', ['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'V1' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0x98, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0xa0, ['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xb4, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd8, ['_LARGE_INTEGER']], 'Event' : [ 0xe0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xf0, ['_LARGE_INTEGER']], 
'PrivateCacheMap' : [ 0xf8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x160, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x164, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x168, ['unsigned long']], 'WritesInProgress' : [ 0x16c, ['unsigned long']], 'AsyncReadRequestCount' : [ 0x170, ['unsigned long']], } ], '__unnamed_1a2d' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_1a2d']], 'ArrayHead' : [ 0x10, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1a52' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1a54' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1a56' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1a58' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1a5a' : [ 0x1c, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], 'IoStatus' : [ 0x4, ['pointer', ['_IO_STATUS_BLOCK']]], 'CallerWaitEvent' : [ 0x8, ['_KEVENT']], 'IsLowPriWriteBehind' : [ 0x18, ['unsigned char']], } ], '__unnamed_1a5e' : [ 0x38, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], 'FileOffset' : [ 0x8, ['_LARGE_INTEGER']], 'FileObject' : [ 0x10, ['pointer', ['_FILE_OBJECT']]], 'Length' : [ 0x14, ['unsigned long']], 'PrefetchList' : [ 0x18, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'PrefetchPagePriority' : [ 0x1c, ['unsigned long']], 'Mdl' : [ 0x20, ['pointer', ['_MDL']]], 'IoStatusBlock' : [ 0x24, ['pointer', ['_IO_STATUS_BLOCK']]], 'CallbackContext' : [ 0x28, ['pointer', ['_CC_ASYNC_READ_CONTEXT']]], 'OriginatingProcess' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'RequestorMode' : [ 0x30, ['unsigned char']], 'NestingLevel' : [ 0x34, ['unsigned long']], } ], '__unnamed_1a60' 
: [ 0x38, { 'Read' : [ 0x0, ['__unnamed_1a52']], 'Write' : [ 0x0, ['__unnamed_1a54']], 'Event' : [ 0x0, ['__unnamed_1a56']], 'Notification' : [ 0x0, ['__unnamed_1a58']], 'LowPriWrite' : [ 0x0, ['__unnamed_1a5a']], 'AsyncRead' : [ 0x0, ['__unnamed_1a5e']], } ], '_WORK_QUEUE_ENTRY' : [ 0x48, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_1a60']], 'Function' : [ 0x40, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x18, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0x4, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x10, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x68, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x8, ['pointer', ['void']]], 'DirtyPageStatistics' : [ 0xc, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x18, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x40, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x44, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x48, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x50, ['pointer', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x54, ['unsigned long']], 'LastLWTimeStamp' : [ 0x58, ['_LARGE_INTEGER']], 'Flags' : [ 0x60, ['unsigned long']], } ], '_MBCB' : [ 0x88, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x68, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 
'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x248, { 'Segment' : [ 0x0, ['_HEAP_SEGMENT']], 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, 
['_HEAP_ENTRY']], 'Interceptor' : [ 0x58, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x5c, ['unsigned long']], 'Signature' : [ 0x60, ['unsigned long']], 'SegmentReserve' : [ 0x64, ['unsigned long']], 'SegmentCommit' : [ 0x68, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x6c, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x70, ['unsigned long']], 'TotalFreeSize' : [ 0x74, ['unsigned long']], 'MaximumAllocationSize' : [ 0x78, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x7c, ['unsigned short']], 'HeaderValidateLength' : [ 0x7e, ['unsigned short']], 'HeaderValidateCopy' : [ 0x80, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x84, ['unsigned short']], 'MaximumTagIndex' : [ 0x86, ['unsigned short']], 'TagEntries' : [ 0x88, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x8c, ['_LIST_ENTRY']], 'AlignRound' : [ 0x94, ['unsigned long']], 'AlignMask' : [ 0x98, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x9c, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa4, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xac, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb0, ['unsigned long']], 'BlocksIndex' : [ 0xb4, ['pointer', ['void']]], 'UCRIndex' : [ 0xb8, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xbc, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc0, ['_LIST_ENTRY']], 'LockVariable' : [ 0xc8, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xcc, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd0, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd4, ['unsigned short']], 'FrontEndHeapType' : [ 0xd6, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0xd7, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0xd8, ['pointer', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0xdc, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0xde, ['array', 257, ['unsigned char']]], 'Counters' : [ 0x1e0, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x23c, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1ace' : [ 0x38, { 'CriticalSection' : [ 
0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_1ace']], } ], '_HEAP_ENTRY' : [ 0x8, { 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 
0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'HeapEntry' : [ 0x0, ['_HEAP_ENTRY']], 'UnpackedEntry' : [ 0x0, ['_HEAP_UNPACKED_ENTRY']], 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'ExtendedEntry' : [ 0x0, ['_HEAP_EXTENDED_ENTRY']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'Code234' : [ 0x4, ['unsigned long']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1b21' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1b23' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b21']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1b25' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1b27' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1b25']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1b23']], 'u2' : [ 0x4, ['__unnamed_1b27']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, 
['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x20, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1b44' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1b46' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1b44']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1b46']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Pad' : [ 0x10, ['unsigned long']], 'Lock' : [ 0x14, ['_EX_PUSH_LOCK']], } ], '__unnamed_1b5a' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1b5c' : 
[ 0x4, { 's1' : [ 0x0, ['__unnamed_1b5a']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_1b5c']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_1b65' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1b67' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b65']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_1b67']], 'NumberOfViews' : [ 0x1c, ['unsigned long']], 'ViewListHead' : [ 0x20, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x2c, ['pointer', ['_KALPC_VIEW']]], } ], '__unnamed_1b6d' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1b6f' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b6d']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, ['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', 
['void']]], 'u1' : [ 0x24, ['__unnamed_1b6f']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x28, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], 'CloseMessage' : [ 0x24, ['pointer', ['_KALPC_MESSAGE']]], } ], '__unnamed_1b8c' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, 
native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1b8e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b8c']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x11c, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x5c, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x60, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x68, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0x70, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0x74, ['_LIST_ENTRY']], 'DirectQueueLock' : [ 0x7c, ['_EX_PUSH_LOCK']], 'DirectQueue' : [ 0x80, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0x8c, ['_LIST_ENTRY']], 'Semaphore' : [ 0x94, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'PortAttributes' : [ 0x98, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0xc4, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xc8, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0xd4, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'CallbackObject' : [ 0xd8, ['pointer', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0xdc, ['pointer', ['void']]], 'CanceledQueue' : [ 0xe0, ['_LIST_ENTRY']], 'SequenceNo' : [ 0xe8, ['long']], 'ReferenceNo' : [ 0xec, ['long']], 'ReferenceNoWait' : [ 0xf0, ['pointer', ['_PALPC_PORT_REFERENCE_WAIT_BLOCK']]], 'u1' : [ 0xf4, ['__unnamed_1b8e']], 'TargetQueuePort' : [ 
0xf8, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xfc, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x100, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x104, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x108, ['unsigned long']], 'PendingQueueLength' : [ 0x10c, ['unsigned long']], 'DirectQueueLength' : [ 0x110, ['unsigned long']], 'CanceledQueueLength' : [ 0x114, ['unsigned long']], 'WaitQueueLength' : [ 0x118, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x58, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'CompletionListLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x10, ['pointer', ['_MDL']]], 'UserVa' : [ 0x14, ['pointer', ['void']]], 'UserLimit' : [ 0x18, ['pointer', ['void']]], 'DataUserVa' : [ 0x1c, ['pointer', ['void']]], 'SystemVa' : [ 0x20, ['pointer', ['void']]], 'TotalSize' : [ 0x24, ['unsigned long']], 'Header' : [ 0x28, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x2c, ['pointer', ['void']]], 'ListSize' : [ 0x30, ['unsigned long']], 'Bitmap' : [ 0x34, ['pointer', ['void']]], 'BitmapSize' : [ 0x38, ['unsigned long']], 'Data' : [ 0x3c, ['pointer', ['void']]], 'DataSize' : [ 0x40, ['unsigned long']], 'BitmapLimit' : [ 0x44, ['unsigned long']], 'BitmapNextHint' : [ 0x48, ['unsigned long']], 'ConcurrencyCount' : [ 0x4c, ['unsigned long']], 'AttributeFlags' : [ 0x50, ['unsigned long']], 'AttributeSize' : [ 0x54, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x90, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 
'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'Key' : [ 0x84, ['unsigned long']], 'CallbackList' : [ 0x88, ['_LIST_ENTRY']], } ], '_PALPC_PORT_REFERENCE_WAIT_BLOCK' : [ 0x14, { 'DesiredReferenceNoEvent' : [ 0x0, ['_KEVENT']], 'DesiredReferenceNo' : [ 0x10, ['long']], } ], '__unnamed_1bb1' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1bb3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bb1']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x90, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 
'PortQueue' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'u1' : [ 0x14, ['__unnamed_1bb3']], 'SequenceNo' : [ 0x18, ['long']], 'QuotaProcess' : [ 0x1c, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x1c, ['pointer', ['void']]], 'CancelSequencePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x24, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x28, ['long']], 'CancelListEntry' : [ 0x2c, ['_LIST_ENTRY']], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x38, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x58, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x5c, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x60, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x64, ['pointer', ['_ETHREAD']]], 'WakeReference' : [ 0x68, ['pointer', ['void']]], 'ExtensionBuffer' : [ 0x6c, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0x70, ['unsigned long']], 'PortMessage' : [ 0x78, ['_PORT_MESSAGE']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x24, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'DirectEvent' : [ 0x14, ['_KALPC_DIRECT_EVENT']], 'Flags' : [ 0x18, ['unsigned long']], 'TotalLength' : [ 0x1c, ['unsigned short']], 'Type' : [ 0x1e, ['unsigned short']], 'DataInfoOffset' : [ 0x20, ['unsigned short']], 'SignalCompletion' : [ 0x22, ['unsigned char']], 'PostedToCompletionList' : [ 0x23, ['unsigned char']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, 
['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x20, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['_OB_DUPLICATE_OBJECT_STATE']], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x20, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], 'DirectEvent' : [ 0x1c, ['_KALPC_DIRECT_EVENT']], } ], '__unnamed_1bf6' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1bf8' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1bf6']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1bf8']], } ], '_KALPC_DIRECT_EVENT' : [ 0x4, { 'Event' : [ 0x0, ['unsigned long']], 'Referenced' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 
'IoStatusInformation' : [ 0x18, ['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x28, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'GenericExtension' : [ 0x4, ['array', 4, ['unsigned char']]], 'VerifierContext' : [ 0x8, ['pointer', ['void']]], 'ActivityId' : [ 0xc, ['_GUID']], 'Timestamp' : [ 0x1c, ['_LARGE_INTEGER']], 'ZeroingOffset' : [ 0x1c, ['unsigned long']], 'FsTrackOffsetBlob' : [ 0x1c, ['pointer', ['_IO_IRP_EXT_TRACK_OFFSET_HEADER']]], 'FsTrackedOffset' : [ 0x20, ['long long']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : 
[ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x28, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 8, ['pointer', ['void']]]], 'FoIoPriorityHint' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x78, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x4c, ['pointer', ['void']]], 
'Override' : [ 0x50, ['unsigned char']], 'QueryOnly' : [ 0x51, ['unsigned char']], 'DeleteOnly' : [ 0x52, ['unsigned char']], 'FullAttributes' : [ 0x53, ['unsigned char']], 'LocalFileObject' : [ 0x54, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x58, ['unsigned long']], 'AccessMode' : [ 0x5c, ['unsigned char']], 'DriverCreateContext' : [ 0x60, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1cc1' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x110, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1cc1']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer', ['unsigned short']]], 
'LogFileName' : [ 0x3c, ['pointer', ['unsigned short']]], 'TimeZone' : [ 0x40, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf0, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0xf8, ['_LARGE_INTEGER']], 'StartTime' : [ 0x100, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x108, ['unsigned long']], 'BuffersLost' : [ 0x10c, ['unsigned long']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x288, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 1, ['unsigned long']]], 'ErrorMarker' : [ 0x18, ['unsigned long']], 'SizeMask' : [ 0x1c, ['unsigned long']], 'GetCpuClock' : [ 0x20, ['pointer', ['void']]], 'LoggerThread' : [ 0x24, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x28, ['long']], 'FailureReason' : [ 0x2c, ['unsigned long']], 'BufferQueue' : [ 0x30, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x3c, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x48, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x50, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x58, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x58, ['_EX_FAST_REF']], 'LoggerName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFileName' : [ 0x64, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x6c, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x74, ['_UNICODE_STRING']], 'ClockType' : [ 0x7c, ['unsigned long']], 'LastFlushedBuffer' : [ 0x80, ['unsigned long']], 'FlushTimer' : [ 0x84, ['unsigned long']], 'FlushThreshold' : [ 0x88, ['unsigned long']], 'ByteOffset' : [ 0x90, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x98, ['unsigned long']], 'BuffersAvailable' : [ 0x9c, ['long']], 'NumberOfBuffers' : [ 0xa0, ['long']], 'MaximumBuffers' : [ 0xa4, ['unsigned long']], 'EventsLost' : [ 0xa8, ['unsigned long']], 'PeakBuffersCount' : [ 0xac, ['long']], 'BuffersWritten' : [ 0xb0, ['unsigned long']], 'LogBuffersLost' : [ 0xb4, ['unsigned long']], 
'RealTimeBuffersDelivered' : [ 0xb8, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xbc, ['unsigned long']], 'SequencePtr' : [ 0xc0, ['pointer', ['long']]], 'LocalSequence' : [ 0xc4, ['unsigned long']], 'InstanceGuid' : [ 0xc8, ['_GUID']], 'MaximumFileSize' : [ 0xd8, ['unsigned long']], 'FileCounter' : [ 0xdc, ['long']], 'PoolType' : [ 0xe0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xe8, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0xf8, ['long']], 'ProviderInfoSize' : [ 0xfc, ['unsigned long']], 'Consumers' : [ 0x100, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x108, ['unsigned long']], 'TransitionConsumer' : [ 0x10c, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x110, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x114, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x120, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x128, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x130, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x138, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x140, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x148, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x150, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x160, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x164, ['_KEVENT']], 'FlushEvent' : [ 0x174, 
['_KEVENT']], 'FlushTimeOutTimer' : [ 0x188, ['_KTIMER']], 'LoggerDpc' : [ 0x1b0, ['_KDPC']], 'LoggerMutex' : [ 0x1d0, ['_KMUTANT']], 'LoggerLock' : [ 0x1f0, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1f4, ['unsigned long']], 'BufferListPushLock' : [ 0x1f4, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1f8, ['_SECURITY_CLIENT_CONTEXT']], 'TokenAccessInformation' : [ 0x234, ['pointer', ['_TOKEN_ACCESS_INFORMATION']]], 'SecurityDescriptor' : [ 0x238, ['_EX_FAST_REF']], 'StartTime' : [ 0x240, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x248, ['pointer', ['void']]], 'BufferSequenceNumber' : [ 0x250, ['long long']], 'Flags' : [ 0x258, ['unsigned long']], 'Persistent' : [ 0x258, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x258, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x258, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x258, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x258, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x258, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x258, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x258, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x258, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x258, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x258, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x258, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x258, ['BitField', dict(start_bit = 12, end_bit = 13, 
native_type='unsigned long')]], 'StackLookasideListAllocated' : [ 0x258, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SecurityTrace' : [ 0x258, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'SpareFlags1' : [ 0x258, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x258, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x258, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x258, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x25c, ['unsigned long']], 'DbgRequestNewFile' : [ 0x25c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x25c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x25c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x25c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x25c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x25c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x25c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x25c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDeferredFlush' : [ 0x25c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDeferredFlushTimer' : [ 0x25c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x25c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 
'DbgRequestUpdateDebugger' : [ 0x25c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x25c, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x260, ['_RTL_BITMAP']], 'StackCache' : [ 0x268, ['pointer', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x26c, ['pointer', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x270, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x278, ['pointer', ['pointer', ['_WMI_BUFFER_HEADER']]]], 'DisallowedGuids' : [ 0x27c, ['_DISALLOWED_GUIDS']], } ], '_ETW_PMC_SUPPORT' : [ 0x24, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_SILODRIVERSTATE' : [ 0xa80, { 'EtwpSecurityProviderGuidEntry' : [ 0x0, ['_ETW_GUID_ENTRY']], 'EtwpLoggerRundown' : [ 0x168, ['array', 64, ['pointer', ['_EX_RUNDOWN_REF_CACHE_AWARE']]]], 'WmipLoggerContext' : [ 0x268, ['array', 64, ['pointer', ['_WMI_LOGGER_CONTEXT']]]], 'EtwpGuidHashTable' : [ 0x368, ['array', 64, ['_ETW_HASH_BUCKET']]], 'EtwpSecurityLoggers' : [ 0xa68, 
['array', 8, ['unsigned short']]], 'EtwpSecurityProviderEnableMask' : [ 0xa78, ['unsigned char']], 'EtwpShutdownInProgress' : [ 0xa79, ['unsigned char']], 'EtwpSecurityProviderPID' : [ 0xa7c, ['unsigned long']], } ], '_EX_RUNDOWN_REF_CACHE_AWARE' : [ 0x10, { 'RunRefs' : [ 0x0, ['pointer', ['_EX_RUNDOWN_REF']]], 'PoolToFree' : [ 0x4, ['pointer', ['void']]], 'RunRefSize' : [ 0x8, ['unsigned long']], 'Number' : [ 0xc, ['unsigned long']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x298, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x9c, ['pointer', ['void']]], 'DynamicPart' : [ 0xa0, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa4, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 
0xb0, ['unsigned long']], 'TokenInUse' : [ 0xb4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb8, ['unsigned long']], 'MandatoryPolicy' : [ 0xbc, ['unsigned long']], 'LogonSession' : [ 0xc0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc4, ['_LUID']], 'SidHash' : [ 0xcc, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x154, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1dc, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x1e0, ['pointer', ['void']]], 'Capabilities' : [ 0x1e4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x1e8, ['unsigned long']], 'CapabilitiesHash' : [ 0x1ec, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x274, ['pointer', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x278, ['pointer', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x27c, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'TrustLevelSid' : [ 0x280, ['pointer', ['void']]], 'TrustLinkedToken' : [ 0x284, ['pointer', ['_TOKEN']]], 'IntegrityLevelSidValue' : [ 0x288, ['pointer', ['void']]], 'TokenSidValues' : [ 0x28c, ['pointer', ['_SEP_SID_VALUES_BLOCK']]], 'IndexEntry' : [ 0x290, ['pointer', ['_SEP_LUID_TO_INDEX_MAP_ENTRY']]], 'VariablePart' : [ 0x294, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x64, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x34, ['_SEP_LOWBOX_HANDLES_TABLE']], 'SharedDataLock' : [ 0x3c, ['_EX_PUSH_LOCK']], 'SharedClaimAttributes' : [ 0x40, ['pointer', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'SharedSidValues' : [ 0x44, 
['pointer', ['_SEP_SID_VALUES_BLOCK']]], 'RevocationBlock' : [ 0x48, ['_OB_HANDLE_REVOCATION_BLOCK']], 'ServerSilo' : [ 0x58, ['pointer', ['_EJOB']]], 'SiblingAuthId' : [ 0x5c, ['_LUID']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : [ 0xd, ['unsigned char']], 'DbgRefTrace' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0xd, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'NewObject' : [ 0xf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'KernelObject' : [ 0xf, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelOnlyAccess' : [ 0xf, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ExclusiveObject' : [ 0xf, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PermanentObject' : [ 0xf, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DefaultSecurityQuota' : [ 0xf, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SingleHandleEntry' : [ 0xf, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DeletedInline' : [ 0xf, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 
'SecurityDescriptorQuotaBlock' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x8, { 'SecurityDescriptor' : [ 0x0, ['pointer', ['void']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_REVOCATION_INFO' : [ 0x10, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'RevocationBlock' : [ 0x8, ['pointer', ['_OB_HANDLE_REVOCATION_BLOCK']]], 'Padding1' : [ 0xc, ['array', 4, ['unsigned char']]], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x18, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'EntryLink' : [ 0x8, ['pointer', ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0xc, ['unsigned long']], 'HashIndex' : [ 0x10, ['unsigned short']], 'DirectoryLocked' : [ 0x12, ['unsigned char']], 'LockedExclusive' : [ 0x13, ['unsigned char']], 'LockStateSignature' : [ 0x14, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xac, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x9c, ['pointer', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0xa0, ['unsigned long']], 'NamespaceEntry' : [ 0xa4, ['pointer', ['void']]], 'Flags' : [ 0xa8, 
['unsigned long']], } ], '_OBP_SILODRIVERSTATE' : [ 0x1a4, { 'SystemDeviceMap' : [ 0x0, ['pointer', ['_DEVICE_MAP']]], 'SystemDosDeviceState' : [ 0x4, ['_OBP_SYSTEM_DOS_DEVICE_STATE']], 'DeviceMapLock' : [ 0x70, ['_EX_PUSH_LOCK']], 'PrivateNamespaceLookupTable' : [ 0x74, ['_OBJECT_NAMESPACE_LOOKUPTABLE']], } ], '_DEVICE_MAP' : [ 0x34, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], } ], '_WHEAP_INFO_BLOCK' : [ 0xc, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x4, ['pointer', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x8, ['pointer', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x418, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x8, ['unsigned long']], 'PlatformErrorSourceId' : [ 0xc, ['unsigned long']], 'ErrorCount' : [ 0x10, ['long']], 'RecordCount' : [ 0x14, ['unsigned long']], 'RecordLength' : [ 0x18, ['unsigned long']], 'PoolTag' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x24, ['pointer', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x28, ['pointer', ['void']]], 'SectionCount' : [ 0x2c, ['unsigned long']], 'SectionLength' : [ 0x30, ['unsigned long']], 'TickCountAtLastError' : [ 0x38, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x40, ['unsigned long']], 'TotalErrors' : [ 0x44, ['unsigned long']], 
'Deferred' : [ 0x48, ['unsigned char']], 'Descriptor' : [ 0x49, ['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xe4, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x8, ['unsigned long']], 'ProcessorNumber' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x14, ['long']], 'ErrorSource' : [ 0x18, ['pointer', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x1c, ['_WHEA_ERROR_RECORD']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x1c, { 'SpinLock' : [ 0x0, ['unsigned long']], 'ConnectLock' : [ 0x4, ['_KEVENT']], 'LineMasked' : [ 0x14, ['unsigned char']], 'InterruptList' : [ 0x18, ['pointer', ['_KINTERRUPT']]], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'Arm64ControlSet' : [ 0x0, ['_ARM64_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0x70, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x8, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned long long']], 'WorkQueue' : [ 0x18, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x40, ['pointer', ['void']]], 'AcceptProcessorNotification' : [ 
0x44, ['pointer', ['void']]], 'AcceptAcpiNotification' : [ 0x48, ['pointer', ['void']]], 'WorkOrderCount' : [ 0x4c, ['unsigned long']], 'WorkOrders' : [ 0x50, ['array', 1, ['_POP_FX_WORK_ORDER']]], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 
'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_MI_PARTITION_SEGMENTS' : [ 0x100, { 'DeleteSubsectionCleanup' : [ 0x0, ['_KEVENT']], 'UnusedSegmentCleanup' : [ 0x10, ['_KEVENT']], 'SubsectionDeletePtes' : [ 0x20, ['unsigned long']], 'DereferenceSegmentHeader' : [ 0x24, ['_MMDEREFERENCE_SEGMENT_HEADER']], 'DeleteOnCloseList' : [ 0x40, ['_LIST_ENTRY']], 'DeleteOnCloseTimer' : [ 0x48, ['_KTIMER']], 'DeleteOnCloseTimerActive' : [ 0x70, ['unsigned char']], 'DeleteOnCloseCount' : [ 0x74, ['unsigned long']], 'UnusedSegmentList' : [ 0x78, ['_LIST_ENTRY']], 'UnusedSubsectionList' : [ 0x80, ['_LIST_ENTRY']], 'DeleteSubsectionList' : [ 0x88, ['_LIST_ENTRY']], 'ControlAreaDeleteEvent' : [ 0x90, ['_KEVENT']], 'ControlAreaDeleteList' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'SegmentListLock' : [ 0xc0, ['long']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_PS_TRUSTLET_ATTRIBUTE_TYPE' : [ 0x4, { 'Version' : [ 0x0, ['unsigned char']], 'DataCount' : [ 0x1, ['unsigned char']], 'SemanticType' : [ 0x2, ['unsigned char']], 'AccessRights' : [ 0x3, 
['_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS']], 'AttributeType' : [ 0x0, ['unsigned long']], } ], '_KENTROPY_TIMING_STATE' : [ 0x128, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x104, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x124, ['unsigned long']], } ], '_HEAP_UNPACKED_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['unsigned long']], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], } ], '_PEP_ACPI_SPB_RESOURCE' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PepAcpiMemory', 1: 'PepAcpiIoPort', 2: 'PepAcpiInterrupt', 3: 'PepAcpiGpioIo', 4: 'PepAcpiGpioInt', 5: 'PepAcpiSpbI2c', 6: 'PepAcpiSpbSpi', 7: 'PepAcpiSpbUart', 8: 'PepAcpiExtendedMemory', 9: 'PepAcpiExtendedIo'})]], 'Flags' : [ 0x4, ['_PEP_ACPI_RESOURCE_FLAGS']], 'TypeSpecificFlags' : [ 0x8, ['unsigned short']], 'ResourceSourceIndex' : [ 0xa, ['unsigned char']], 'ResourceSourceName' : [ 0xc, ['pointer', ['_UNICODE_STRING']]], 'VendorData' : [ 0x10, ['pointer', ['unsigned char']]], 'VendorDataLength' : [ 0x14, ['unsigned short']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'Type' : [ 0x0, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Reserved1' : [ 0x3, ['unsigned char']], 'TimerType' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, 
['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Timer2Type' : [ 0x0, ['unsigned char']], 'Timer2Flags' : [ 0x1, ['unsigned char']], 'Timer2Inserted' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Timer2Expiring' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Timer2CancelPending' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Timer2SetPending' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Timer2Running' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Timer2Disabled' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Timer2ReservedFlags' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Timer2Reserved1' : [ 0x2, ['unsigned char']], 'Timer2Reserved2' : [ 0x3, ['unsigned char']], 'QueueType' : [ 0x0, ['unsigned char']], 'QueueControlFlags' : [ 0x1, ['unsigned char']], 'Abandoned' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DisableIncrement' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'QueueReservedControlFlags' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'QueueSize' : [ 0x2, ['unsigned char']], 'QueueReserved' : [ 0x3, ['unsigned char']], 'ThreadType' : [ 0x0, ['unsigned char']], 'ThreadReserved' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned 
char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Tagged' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'EnergyProfiling' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Instrumented' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ThreadReservedControlFlags' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'MutantType' : [ 0x0, ['unsigned char']], 'MutantSize' : [ 0x1, ['unsigned char']], 'DpcActive' : [ 0x2, ['unsigned char']], 'MutantReserved' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_ETW_GUID_ENTRY' : [ 0x168, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['pointer', ['_ETW_FILTER_HEADER']]], 'HostSilo' : [ 0x15c, ['unsigned char']], 'Lock' : [ 0x160, ['_EX_PUSH_LOCK']], 'LockOwner' : [ 0x164, ['pointer', ['_ETHREAD']]], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 
'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'WaitResponse' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], } ], '_HEAP_COUNTERS' : [ 0x5c, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'PollIntervalCounter' : [ 0x38, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x3c, ['unsigned long']], 'HeapPollInterval' : [ 0x40, ['unsigned long']], 'AllocAndFreeOps' : [ 0x44, ['unsigned long']], 'AllocationIndicesActive' : [ 0x48, ['unsigned long']], 'InBlockDeccommits' : [ 0x4c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x50, ['unsigned long']], 'HighWatermarkSize' : [ 0x54, ['unsigned long']], 'LastPolledSize' : [ 0x58, ['unsigned long']], } ], '_TraceLoggingMetadata_t' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned char']], 'Flags' : [ 0x7, ['unsigned char']], 'Magic' : [ 0x8, 
['unsigned long long']], } ], '_MI_VISIBLE_PARTITION' : [ 0xb80, { 'LowestPhysicalPage' : [ 0x0, ['unsigned long']], 'HighestPhysicalPage' : [ 0x4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x8, ['unsigned long']], 'NumberOfPagingFiles' : [ 0xc, ['unsigned long']], 'PagingFile' : [ 0x10, ['array', 16, ['pointer', ['_MMPAGING_FILE']]]], 'AvailablePages' : [ 0x80, ['unsigned long']], 'ResidentAvailablePages' : [ 0xc0, ['unsigned long']], 'TotalCommittedPages' : [ 0xc4, ['unsigned long']], 'ModifiedPageListHead' : [ 0x100, ['_MMPFNLIST']], 'ModifiedNoWritePageListHead' : [ 0x140, ['_MMPFNLIST']], 'TotalCommitLimit' : [ 0x154, ['unsigned long']], 'TotalPagesForPagingFile' : [ 0x158, ['unsigned long']], 'VadPhysicalPages' : [ 0x15c, ['unsigned long']], 'ProcessLockedFilePages' : [ 0x160, ['unsigned long']], 'ChargeCommitmentFailures' : [ 0x164, ['array', 4, ['unsigned long']]], 'PageFileTraceIndex' : [ 0x174, ['long']], 'PageFileTraces' : [ 0x178, ['array', 32, ['_MI_PAGEFILE_TRACES']]], } ], '_OB_HANDLE_REVOCATION_BLOCK' : [ 0x10, { 'RevocationInfos' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'Rundown' : [ 0xc, ['_EX_RUNDOWN_REF']], } ], '_SYSPTES_HEADER' : [ 0x8c, { 'ListHead' : [ 0x0, ['array', 16, ['_LIST_ENTRY']]], 'Count' : [ 0x80, ['unsigned long']], 'NumberOfEntries' : [ 0x84, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x88, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_MI_ACTIVE_WSLE_LISTHEAD' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x44, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 
'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, ['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], 'DequeuePending' : [ 0x3c, ['unsigned char']], 'DeleteType' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'QueryRemoveDevice', 1: 'CancelRemoveDevice', 2: 'RemoveDevice', 3: 'SurpriseRemoveDevice', 4: 'EjectDevice', 5: 'RemoveFailedDevice', 6: 'RemoveUnstartedFailedDevice', 7: 'MaxDeviceDeleteType'})]], } ], '_PPM_PLATFORM_STATE' : [ 0xc0, { 'Latency' : [ 0x0, ['unsigned long']], 'BreakEvenDuration' : [ 0x4, ['unsigned long']], 'VetoAccounting' : [ 0x8, ['_PPM_VETO_ACCOUNTING']], 'TransitionDebugger' : [ 0x20, ['unsigned char']], 'Platform' : [ 0x21, ['unsigned char']], 'DependencyListCount' : [ 0x24, ['unsigned long']], 'Processors' : [ 0x28, ['_KAFFINITY_EX']], 'Name' : [ 0x34, ['_UNICODE_STRING']], 'DependencyLists' : [ 0x3c, ['pointer', ['_PPM_SELECTION_DEPENDENCY']]], 'Synchronization' : [ 0x40, ['_PPM_COORDINATED_SYNCHRONIZATION']], 'EnterTime' : [ 0x48, ['unsigned long long']], 'RefCount' : [ 0x80, ['long']], 'CacheAlign0' : [ 0x80, ['array', 64, ['unsigned char']]], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : 
[ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_TOKEN_ACCESS_INFORMATION' : [ 0x38, { 'SidHash' : [ 0x0, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'RestrictedSidHash' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'Privileges' : [ 0x8, ['pointer', ['_TOKEN_PRIVILEGES']]], 'AuthenticationId' : [ 0xc, ['_LUID']], 'TokenType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'MandatoryPolicy' : [ 0x1c, ['_TOKEN_MANDATORY_POLICY']], 'Flags' : [ 0x20, ['unsigned long']], 'AppContainerNumber' : [ 0x24, ['unsigned long']], 'PackageSid' : [ 0x28, ['pointer', ['void']]], 'CapabilitiesHash' : [ 0x2c, ['pointer', ['_SID_AND_ATTRIBUTES_HASH']]], 'TrustLevelSid' : [ 0x30, ['pointer', ['void']]], 'SecurityAttributes' : [ 0x34, ['pointer', ['void']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_POP_FX_WORK_ORDER' : [ 0x1c, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x10, ['long']], 'Context' : [ 0x14, ['pointer', ['void']]], 'WatchdogTimerInfo' : [ 0x18, ['pointer', ['_POP_FX_WORK_ORDER_WATCHDOG_INFO']]], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', 
dict(start_bit = 10, end_bit = 12, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'Short0' : [ 0x0, ['unsigned short']], 'FloppyMedia' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'UChar1' : [ 0x2, ['unsigned char']], 'ForceCollision' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ImageSigningType' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'UChar2' : [ 0x3, ['unsigned char']], } ], '_KTIMER_EXPIRATION_TRACE' : [ 0x10, { 'InterruptTime' : [ 0x0, ['unsigned long long']], 'PerformanceCounter' : [ 0x8, ['_LARGE_INTEGER']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'Pattern' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolType' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 20, native_type='unsigned long')]], 'SlushSize' : [ 0x8, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x50, { 'ullOsMaxVersionTested' : 
[ 0x0, ['unsigned long long']], 'ulTargetPlatform' : [ 0x8, ['unsigned long']], 'ullContextMinimum' : [ 0x10, ['unsigned long long']], 'guPlatform' : [ 0x18, ['_GUID']], 'guMinPlatform' : [ 0x28, ['_GUID']], 'ulContextSource' : [ 0x38, ['unsigned long']], 'ulElementCount' : [ 0x3c, ['unsigned long']], 'guElements' : [ 0x40, ['array', 1, ['_GUID']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x10, ['_KEVENT']], } ], '_ETW_HASH_BUCKET' : [ 0x1c, { 'ListHead' : [ 0x0, ['array', 3, ['_LIST_ENTRY']]], 'BucketLock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x8, ['unsigned char']], 'BlockState' : [ 0x9, ['unsigned char']], 'WaitKey' : [ 0xa, ['unsigned short']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'NotificationQueue' : [ 0xc, 
['pointer', ['_KQUEUE']]], 'Object' : [ 0x10, ['pointer', ['void']]], 'SparePtr' : [ 0x14, ['pointer', ['void']]], } ], '_ARM64_DBGKD_CONTROL_SET' : [ 0x18, { 'Continue' : [ 0x0, ['unsigned long']], 'TraceFlag' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x10, ['unsigned long long']], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 
'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'ThermalStandbyTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], 'MinimumThrottle' : [ 0x50, ['unsigned long']], 'OverThrottleThreshold' : [ 0x54, ['unsigned long']], } ], '__unnamed_1ea3' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1ea5' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1ea3']], 'Private' : [ 0x0, ['__unnamed_1ea5']], } ], '_KTIMER2' : [ 0x58, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'RbNodes' : [ 0x10, ['array', 2, ['_RTL_BALANCED_NODE']]], 'ListEntry' : [ 
0x10, ['_LIST_ENTRY']], 'DueTime' : [ 0x28, ['array', 2, ['unsigned long long']]], 'Period' : [ 0x38, ['long long']], 'Callback' : [ 0x40, ['pointer', ['void']]], 'CallbackContext' : [ 0x44, ['pointer', ['void']]], 'DisableCallback' : [ 0x48, ['pointer', ['void']]], 'DisableContext' : [ 0x4c, ['pointer', ['void']]], 'AbsoluteSystemTime' : [ 0x50, ['unsigned char']], 'TypeFlags' : [ 0x51, ['unsigned char']], 'Unused' : [ 0x51, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IdleResilient' : [ 0x51, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HighResolution' : [ 0x51, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'NoWake' : [ 0x51, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Unused1' : [ 0x51, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'CollectionIndex' : [ 0x52, ['array', 2, ['unsigned char']]], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SubsectionMappedDirect' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'OnDereferenceList' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 
4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'DynamicRelocations' : [ 0x0, ['pointer', ['void']]], 'SecurityContext' : [ 0x4, ['_IMAGE_SECURITY_CONTEXT']], 'StrongImageReference' : [ 0x8, ['unsigned long']], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x130, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x8, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0xc, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x10, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x98, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x120, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x124, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x128, ['pointer', 
['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x12c, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_MMPTE_HIGHLOW' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 
'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PPM_IDLE_STATES' : [ 0x140, { 'InterfaceVersion' : [ 0x0, ['unsigned char']], 'ForceIdle' : [ 0x1, ['unsigned char']], 'EstimateIdleDuration' : [ 0x2, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x3, ['unsigned char']], 'NonInterruptibleTransition' : [ 0x4, ['unsigned char']], 'UnaccountedTransition' : [ 0x5, ['unsigned char']], 'IdleDurationLimited' : [ 0x6, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x8, ['unsigned long']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'ProcessorIdleCount' : [ 0x1c, ['unsigned long']], 'Type' : [ 0x20, ['unsigned long']], 'ReasonFlags' : [ 0x24, ['unsigned short']], 'InitiateWakeStamp' : [ 0x28, ['unsigned long long']], 'PreviousStatus' : [ 0x30, ['long']], 'PreviousCancelReason' : [ 0x34, ['unsigned long']], 'PrimaryProcessorMask' : [ 0x38, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0x44, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x50, ['pointer', ['void']]], 'IdlePreExecute' : [ 0x54, ['pointer', ['void']]], 'IdleExecute' : [ 0x58, ['pointer', ['void']]], 'IdlePreselect' : [ 0x5c, ['pointer', ['void']]], 'IdleTest' : [ 0x60, ['pointer', ['void']]], 'IdleAvailabilityCheck' : [ 0x64, ['pointer', ['void']]], 'IdleComplete' : [ 0x68, ['pointer', ['void']]], 'IdleCancel' : [ 0x6c, ['pointer', ['void']]], 'IdleIsHalted' : [ 0x70, ['pointer', ['void']]], 'IdleInitiateWake' : [ 0x74, ['pointer', ['void']]], 'PrepareInfo' : [ 0x78, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'DeepIdleSnapshot' : [ 0xc8, ['_KAFFINITY_EX']], 'Tracing' : [ 0xd4, ['pointer', ['_PERFINFO_PPM_STATE_SELECTION']]], 'CoordinatedTracing' : [ 0xd8, ['pointer', ['_PERFINFO_PPM_STATE_SELECTION']]], 'ProcessorMenu' : [ 0xdc, ['_PPM_SELECTION_MENU']], 'CoordinatedMenu' : [ 0xe4, ['_PPM_SELECTION_MENU']], 'CoordinatedSelection' : [ 0xec, ['_PPM_COORDINATED_SELECTION']], 'State' : [ 0xfc, 
['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PPM_VETO_ACCOUNTING' : [ 0x18, { 'VetoPresent' : [ 0x0, ['long']], 'VetoListHead' : [ 0x4, ['_LIST_ENTRY']], 'CsAccountingBlocks' : [ 0xc, ['unsigned char']], 'BlocksDrips' : [ 0xd, ['unsigned char']], 'PreallocatedVetoCount' : [ 0x10, ['unsigned long']], 'PreallocatedVetoList' : [ 0x14, ['pointer', ['_PPM_VETO_ENTRY']]], } ], '_PEB' : [ 0x460, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsProtectedProcessLight' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 
'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'SparePvoid0' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', 
['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], 'pUnused' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : 
[ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], 'TppWorkerpListLock' : [ 0x250, ['unsigned long']], 'TppWorkerpList' : [ 0x254, ['_LIST_ENTRY']], 'WaitOnAddressHashTable' : [ 0x25c, ['array', 128, ['pointer', ['void']]]], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x54, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', ['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', ['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned char']], 'ShutDownRequested' : [ 0x32, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x32, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x32, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 
'Notified' : [ 0x32, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x34, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x3c, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x40, ['unsigned long']], 'UserPagesAllocated' : [ 0x44, ['unsigned long']], 'UserPagesReused' : [ 0x48, ['unsigned long']], 'EventsLostCount' : [ 0x4c, ['pointer', ['unsigned long']]], 'BuffersLostCount' : [ 0x50, ['pointer', ['unsigned long']]], } ], '__unnamed_1f0b' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1f10' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1f12' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1f0b']], 'Bits' : [ 0x0, ['__unnamed_1f10']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1f12']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 
'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'PendingFreeDepth' : [ 0x104, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_TOKEN_MANDATORY_POLICY' : [ 0x4, { 'Policy' : [ 0x0, ['unsigned long']], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 
0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x28, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x1c, ['pointer', ['void']]], 'DvCallbacks' : [ 0x20, ['pointer', ['void']]], 'VerifierContext' : [ 0x24, ['pointer', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEAP_WORK_QUEUE' : [ 0x44, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['long']], 'Dpc' : [ 0x10, ['_KDPC']], 'WorkItem' : [ 0x30, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x40, ['pointer', ['void']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 
0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_KINTERRUPT' : [ 0xb0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'EmulateActiveBoth' : [ 0x39, ['unsigned char']], 'ActiveCount' : [ 0x3a, ['unsigned short']], 'InternalState' : [ 0x3c, ['long']], 'Mode' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'ServiceCount' : [ 0x48, ['unsigned long']], 'DispatchCount' : [ 0x4c, ['unsigned long']], 'PassiveEvent' : [ 0x50, ['pointer', ['_KEVENT']]], 'DisconnectData' : [ 0x54, ['pointer', ['void']]], 'ServiceThread' : [ 0x58, ['pointer', ['_KTHREAD']]], 'ConnectionData' : [ 0x5c, ['pointer', ['_INTERRUPT_CONNECTION_DATA']]], 'IntTrackEntry' : [ 0x60, ['pointer', ['void']]], 'IsrDpcStats' : [ 0x68, ['_ISRDPCSTATS']], 'RedirectObject' : [ 0xa8, ['pointer', ['void']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 
'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x60, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], 'FilePath' : [ 0x58, ['_UNICODE_STRING']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, 
['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '__unnamed_1f74' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 
'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1f74']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', 
dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_EX_WORK_QUEUE' : [ 0x1b8, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], 'Node' : [ 0x19c, ['pointer', ['_ENODE']]], 'WorkItemsProcessed' : [ 0x1a0, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x1a4, ['unsigned long']], 'ThreadCount' : [ 0x1a8, ['long']], 'MinThreads' : [ 0x1ac, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='long')]], 'TryFailed' : [ 0x1ac, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'MaxThreads' : [ 0x1b0, ['long']], 'QueueIndex' : [ 0x1b4, ['Enumeration', dict(target = 'long', choices = {0: 'ExPoolUntrusted', 1: 'ExPoolTrusted', 8: 'ExPoolMax'})]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 
'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_PS_PROPERTY_SET' : [ 0xc, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Lock' : [ 0x8, ['unsigned long']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x4e, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 
0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], '_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS' : [ 0x1, { 'Trustlet' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Ntos' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'WriteHandle' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ReadHandle' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 
4, end_bit = 8, native_type='unsigned char')]], 'AccessRights' : [ 0x0, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_IO_WORKITEM' : [ 0x34, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', ['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'WorkingOnBehalfClient' : [ 0x1c, ['pointer', ['void']]], 'Type' : [ 0x20, ['unsigned long']], 'ActivityId' : [ 0x24, ['_GUID']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ManySubsections' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Enclave' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned 
long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_POP_FX_WORK_ORDER_WATCHDOG_INFO' : [ 0x50, { 'Timer' : [ 0x0, ['_KTIMER']], 'Dpc' : [ 0x28, ['_KDPC']], 'WorkOrder' : [ 0x48, ['pointer', ['_POP_FX_WORK_ORDER']]], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x24, { 'Next' : [ 0x0, ['pointer', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x4, ['unsigned long']], 'Gate' : [ 0x8, ['_KGATE']], 'SecureInfo' : [ 0x8, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x8, ['_RTL_BITMAP']], 'InPageSupport' : [ 0x8, ['pointer', ['_MMINPAGE_SUPPORT']]], 'LargePage' : [ 0x8, ['pointer', ['_MI_LARGEPAGE_MEMORY_INFO']]], 'CreatingThread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'PebTeb' : [ 0x8, ['_MI_SUB64K_FREE_RANGES']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_SEP_LUID_TO_INDEX_MAP_ENTRY' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 
'ReferenceCount' : [ 0xc, ['long']], 'Luid' : [ 0x10, ['unsigned long long']], 'IndexIntoGlobalSingletonTable' : [ 0x18, ['unsigned long long']], 'MarkedForDeletion' : [ 0x20, ['unsigned char']], } ], '_KTIMER2_COLLECTION' : [ 0x10, { 'Tree' : [ 0x0, ['_RTL_RB_TREE']], 'NextDueTime' : [ 0x8, ['unsigned long long']], } ], '_MIPFNBLINK' : [ 0x4, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PageBlinkDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'PageBlinkLockBit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ShareCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'PageShareCountDeleteBit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'PageShareCountLockBit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'EntireField' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x0, ['long']], 'LockNotUsed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'DeleteBit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'LockBit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, 
native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_MMCLONE_HEADER' : [ 0xc, { 'NumberOfPtes' : [ 0x0, ['unsigned long']], 'NumberOfProcessReferences' : [ 0x4, ['unsigned long']], 'ClonePtes' : [ 0x8, ['pointer', ['_MMCLONE_BLOCK']]], } ], '_SESSION_LOWBOX_MAP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x8, ['unsigned long']], 'LowboxMap' : [ 0xc, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x88, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'ArgumentStatus' : [ 0xc, ['long']], 'CallerEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'VetoType' : [ 0x1c, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 
'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x20, ['pointer', ['_UNICODE_STRING']]], 'RefCount' : [ 0x24, ['unsigned long']], 'Lock' : [ 0x28, ['unsigned long']], 'Cancel' : [ 0x2c, ['unsigned char']], 'Parent' : [ 0x30, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'ActivityId' : [ 0x34, ['_GUID']], 'Data' : [ 0x44, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_PS_WAKE_INFORMATION' : [ 0x38, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 5, ['unsigned long long']]], 'NoWakeCounter' : [ 0x30, ['unsigned long long']], } ], '_RH_OP_CONTEXT' : [ 0x24, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OplockRequestIrp' : [ 0x8, ['pointer', ['_IRP']]], 'OplockRequestFileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'OplockRequestProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OplockOwnerThread' : [ 0x14, ['pointer', ['_ETHREAD']]], 'Flags' : [ 0x18, ['unsigned long']], 'AtomicLinks' : [ 0x1c, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_KWAIT_CHAIN' : [ 0x4, { 'Head' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '_ISRDPCSTATS' : [ 0x40, { 'IsrTime' : [ 0x0, ['unsigned long long']], 'IsrTimeStart' : [ 0x8, ['unsigned long long']], 'IsrCount' : [ 0x10, ['unsigned long long']], 'DpcTime' : [ 0x18, ['unsigned long long']], 'DpcTimeStart' : [ 0x20, ['unsigned long long']], 'DpcCount' : [ 0x28, ['unsigned long long']], 'IsrActive' : [ 0x30, ['unsigned char']], 'Reserved' : [ 0x31, ['array', 15, ['unsigned char']]], } ], '_MI_PARTITION_PAGE_LISTS' : [ 0x780, { 'FreePagesByColor' : [ 0x0, ['array', 2, ['pointer', ['_MMPFNLIST']]]], 'FreePageSlist' : [ 0x8, ['array', 2, ['pointer', ['_SLIST_HEADER']]]], 
'ZeroedPageListHead' : [ 0x40, ['_MMPFNLIST']], 'FreePageListHead' : [ 0x80, ['_MMPFNLIST']], 'StandbyPageListHead' : [ 0xc0, ['_MMPFNLIST']], 'StandbyPageListByPriority' : [ 0x100, ['array', 8, ['_MMPFNLIST']]], 'ModifiedPageListNoReservation' : [ 0x1c0, ['_MMPFNLIST']], 'ModifiedPageListByReservation' : [ 0x200, ['array', 16, ['_MMPFNLIST']]], 'MappedPageListHead' : [ 0x340, ['array', 16, ['_MMPFNLIST']]], 'BadPageListHead' : [ 0x480, ['_MMPFNLIST']], 'EnclavePageListHead' : [ 0x4c0, ['_MMPFNLIST']], 'PageLocationList' : [ 0x4d4, ['array', 8, ['pointer', ['_MMPFNLIST']]]], 'StandbyRepurposedByPriority' : [ 0x4f4, ['array', 8, ['unsigned long']]], 'MappedPageListHeadEvent' : [ 0x514, ['array', 16, ['_KEVENT']]], 'DecayClusterTimerHeads' : [ 0x614, ['array', 4, ['_MI_DECAY_TIMER_LINK']]], 'DecayHand' : [ 0x624, ['unsigned long']], 'LastDecayHandUpdateTime' : [ 0x628, ['unsigned long long']], 'LastChanceLdwContext' : [ 0x630, ['_MI_LDW_WORK_CONTEXT']], 'AvailableEventsLock' : [ 0x680, ['unsigned long']], 'AvailablePageWaitStates' : [ 0x684, ['array', 3, ['_MI_AVAILABLE_PAGE_WAIT_STATES']]], 'LowMemoryThreshold' : [ 0x6c0, ['unsigned long']], 'HighMemoryThreshold' : [ 0x6c4, ['unsigned long']], 'TransitionPrivatePages' : [ 0x700, ['unsigned long']], 'StandbyListDiscard' : [ 0x704, ['unsigned long']], 'FreeListDiscard' : [ 0x708, ['unsigned char']], 'RebuildLargePagesInitialized' : [ 0x709, ['unsigned char']], 'RebuildLargePagesItem' : [ 0x70c, ['_MI_REBUILD_LARGE_PAGES']], 'AddMemoryNotifyList' : [ 0x740, ['_LIST_ENTRY']], 'MirrorListLocks' : [ 0x748, ['pointer', ['void']]], } ], '_XSTATE_CONFIGURATION' : [ 0x330, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CompactionEnabled' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], 'EnabledSupervisorFeatures' : [ 0x218, ['unsigned long long']], 'AlignedFeatures' : [ 0x220, ['unsigned long long']], 'AllFeatureSize' : [ 0x228, ['unsigned long']], 'AllFeatures' : [ 0x22c, ['array', 64, ['unsigned long']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0xc, ['_CM_KEY_HASH']], 'ConvKey' : [ 0xc, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x14, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], 'KcbPushlock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x20, ['pointer', ['_KTHREAD']]], 'SharedCount' : [ 0x20, ['long']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, 
['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, ['unsigned long']], 'KcbUserFlags' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x6c, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x74, ['_LIST_ENTRY']], 'Stolen' : [ 0x74, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x7c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x80, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x88, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x90, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x98, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x9c, ['pointer', ['_UNICODE_STRING']]], } ], '_KLOCK_ENTRY' : [ 0x30, { 'TreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'EntryFlags' : [ 0xc, ['unsigned long']], 'EntryOffset' : [ 0xc, ['unsigned char']], 'ThreadLocalFlags' : [ 0xd, ['unsigned char']], 'WaitingBit' : [ 0xd, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare0' : [ 0xd, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'AcquiredByte' : [ 0xe, ['unsigned char']], 'AcquiredBit' : [ 0xe, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 
'CrossThreadFlags' : [ 0xf, ['unsigned char']], 'HeadNodeBit' : [ 0xf, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IoPriorityBit' : [ 0xf, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare1' : [ 0xf, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'StaticState' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'AllFlags' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'LockState' : [ 0x10, ['_KLOCK_ENTRY_LOCK_STATE']], 'LockUnsafe' : [ 0x10, ['pointer', ['void']]], 'CrossThreadReleasableAndBusyByte' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['array', 2, ['unsigned char']]], 'InTreeByte' : [ 0x13, ['unsigned char']], 'SessionState' : [ 0x14, ['pointer', ['void']]], 'SessionId' : [ 0x14, ['unsigned long']], 'OwnerTree' : [ 0x18, ['_RTL_RB_TREE']], 'WaiterTree' : [ 0x20, ['_RTL_RB_TREE']], 'CpuPriorityKey' : [ 0x18, ['unsigned char']], 'EntryLock' : [ 0x28, ['unsigned long']], 'AllBoosts' : [ 0x2c, ['unsigned short']], 'IoBoost' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'CpuBoostsBitmap' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'IoNormalPriorityWaiterCount' : [ 0x2e, ['unsigned short']], } ], '_OBP_SYSTEM_DOS_DEVICE_STATE' : [ 0x6c, { 'GlobalDeviceMap' : [ 0x0, ['unsigned long']], 'LocalDeviceCount' : [ 0x4, ['array', 26, ['unsigned long']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 
'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2041' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_2041']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['_MODWRITER_FLAGS']], 'StoreWriteRefCount' : [ 0x18, ['unsigned long']], 'StoreWriteCompletionApc' : [ 0x1c, ['_KAPC']], 'ByteCount' : [ 0x4c, ['unsigned long']], 'ChargedPages' : [ 0x50, ['unsigned long']], 'PagingFile' : [ 0x54, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x58, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x5c, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x60, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x70, ['_LARGE_INTEGER']], 'Partition' : [ 0x78, ['pointer', ['_MI_PARTITION']]], 'PointerMdl' : [ 0x7c, ['pointer', ['_MDL']]], 'Mdl' : [ 0x80, ['_MDL']], 'Page' : [ 0x9c, ['array', 1, ['unsigned long']]], } ], '_MI_PARTITION_COMMIT' : [ 0x80, { 'PeakCommitment' : [ 0x0, ['unsigned long']], 'TotalCommitLimitMaximum' : [ 0x4, ['unsigned long']], 'Popups' : [ 0x8, ['array', 2, ['long']]], 'LowCommitThreshold' : [ 0x10, ['unsigned long']], 'HighCommitThreshold' : [ 0x14, ['unsigned long']], 'EventLock' : [ 0x18, ['unsigned long']], 'SystemCommitReserve' : [ 0x1c, ['unsigned long']], 'OverCommit' : [ 0x40, ['unsigned long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 
0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_TOKEN_PRIVILEGES' : [ 0x10, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Privileges' : [ 0x4, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, 
end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned 
long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x50, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'ContextSwitches' : [ 0x18, ['unsigned long long']], 'ReadOperationCount' : [ 0x20, ['long long']], 'WriteOperationCount' : [ 0x28, ['long long']], 'OtherOperationCount' : [ 0x30, ['long long']], 'ReadTransferCount' : [ 0x38, ['long long']], 'WriteTransferCount' : [ 0x40, ['long long']], 'OtherTransferCount' : [ 0x48, ['long long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x180, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x4, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleTimeExpiration' : [ 0x20, ['unsigned long long']], 'NonInterruptibleTransition' : [ 0x28, ['unsigned char']], 'PepWokenTransition' : [ 0x29, ['unsigned char']], 'Class' : [ 0x2a, ['unsigned char']], 'TargetIdleState' : [ 0x2c, ['unsigned long']], 'IdlePolicy' : [ 0x30, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x38, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x40, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xc8, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower', 3: 'ProcHypervisorHvCounters'})]], 'LastSysTime' : [ 0xcc, ['unsigned long']], 'WmiDispatchPtr' : [ 0xd0, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xd4, ['long']], 'FFHThrottleStateInfo' : [ 0xd8, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0xf8, ['_KDPC']], 'PerfActionMask' : [ 0x118, ['long']], 'HvIdleCheck' : [ 0x120, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x130, ['pointer', ['_PROC_PERF_CHECK']]], 'Domain' : [ 0x134, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x138, 
['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x13c, ['pointer', ['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x140, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x144, ['pointer', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x148, ['unsigned char']], 'HvTargetState' : [ 0x149, ['unsigned char']], 'Parked' : [ 0x14a, ['unsigned char']], 'LatestPerformancePercent' : [ 0x14c, ['unsigned long']], 'AveragePerformancePercent' : [ 0x150, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x154, ['unsigned long']], 'RelativePerformance' : [ 0x158, ['unsigned long']], 'Utility' : [ 0x15c, ['unsigned long']], 'AffinitizedUtility' : [ 0x160, ['unsigned long']], 'SnapTimeLast' : [ 0x168, ['unsigned long long']], 'EnergyConsumed' : [ 0x168, ['unsigned long long']], 'ActiveTime' : [ 0x170, ['unsigned long long']], 'TotalTime' : [ 0x178, ['unsigned long long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SystemChargedPage' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_THREAD_ENERGY_VALUES' : [ 0x40, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_CC_ASYNC_READ_CONTEXT' : [ 0x14, { 'CompletionRoutine' : [ 0x0, ['pointer', ['void']]], 'Context' : [ 0x4, ['pointer', ['void']]], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'RequestorMode' : [ 0xc, ['unsigned char']], 'NestingLevel' : [ 0x10, ['unsigned long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned 
short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_CMHIVE' : [ 0xf20, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x6f0, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x708, ['_LIST_ENTRY']], 'HiveList' : [ 0x710, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x718, ['_LIST_ENTRY']], 'FailedUnloadList' : [ 0x720, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x728, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x72c, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x734, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x738, ['unsigned long']], 'DeletedKcbTable' : [ 0x73c, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0x740, ['unsigned long']], 'Identity' : [ 0x744, ['unsigned long']], 'HiveLock' : [ 0x748, ['pointer', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x74c, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x750, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x754, ['_RTL_BITMAP']], 'FlushDirtyVectorSize' : [ 0x75c, ['unsigned long']], 'FlushLogEntry' : [ 0x760, ['pointer', ['unsigned char']]], 'FlushLogEntrySize' : [ 0x764, ['unsigned long']], 'FlushHiveTruncated' : [ 0x768, ['unsigned long']], 'FlushBaseBlockDirty' : [ 0x76c, ['unsigned char']], 'CapturedUnreconciledVector' : [ 0x770, ['_RTL_BITMAP']], 'CapturedUnreconciledVectorSize' : [ 0x778, ['unsigned long']], 'UnreconciledOffsetArray' : [ 0x77c, ['pointer', 
['CMP_OFFSET_ARRAY']]], 'UnreconciledOffsetArrayCount' : [ 0x780, ['unsigned long']], 'UnreconciledBaseBlock' : [ 0x784, ['pointer', ['_HBASE_BLOCK']]], 'SecurityLock' : [ 0x788, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0x78c, ['unsigned long']], 'LastShrinkHiveSize' : [ 0x790, ['unsigned long']], 'ActualFileSize' : [ 0x798, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0x7a0, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0x7b0, ['_UNICODE_STRING']], 'FileUserName' : [ 0x7b8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x7c0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x7c8, ['unsigned long']], 'SecurityCacheSize' : [ 0x7cc, ['unsigned long']], 'SecurityHitHint' : [ 0x7d0, ['long']], 'SecurityCache' : [ 0x7d4, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x7d8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x9d8, ['unsigned long']], 'UnloadEventArray' : [ 0x9dc, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x9e0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x9e4, ['unsigned char']], 'UnloadWorkItem' : [ 0x9e8, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x9ec, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xa00, ['unsigned char']], 'GrowOffset' : [ 0xa04, ['unsigned long']], 'KcbConvertListHead' : [ 0xa08, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xa10, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'DirtyVectorLog' : [ 0xa14, ['_CM_DIRTY_VECTOR_LOG']], 'Flags' : [ 0xc9c, ['unsigned long']], 'TrustClassEntry' : [ 0xca0, ['_LIST_ENTRY']], 'DirtyTime' : [ 0xca8, ['unsigned long long']], 'UnreconciledTime' : [ 0xcb0, ['unsigned long long']], 'CmRm' : [ 0xcb8, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xcbc, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xcc0, ['long']], 'CreatorOwner' : [ 0xcc4, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0xcc8, ['pointer', ['_KTHREAD']]], 'LastWriteTime' : [ 0xcd0, ['_LARGE_INTEGER']], 'FlushQueue' : [ 0xcd8, ['_HIVE_WRITE_WAIT_QUEUE']], 'ReconcileQueue' : [ 0xce4, 
['_HIVE_WRITE_WAIT_QUEUE']], 'FlushFlags' : [ 0xcf0, ['unsigned long']], 'FlushActive' : [ 0xcf0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReconcileActive' : [ 0xcf0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PrimaryFilePurged' : [ 0xcf0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DiskFileBad' : [ 0xcf0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PrimaryFileSizeBeforeLastFlush' : [ 0xcf4, ['unsigned long']], 'ReferenceCount' : [ 0xcf8, ['long']], 'UnloadHistoryIndex' : [ 0xcfc, ['long']], 'UnloadHistory' : [ 0xd00, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0xf00, ['unsigned long']], 'UnaccessedStart' : [ 0xf04, ['unsigned long']], 'UnaccessedEnd' : [ 0xf08, ['unsigned long']], 'LoadedKeyCount' : [ 0xf0c, ['unsigned long']], 'HandleClosePending' : [ 0xf10, ['unsigned long']], 'HandleClosePendingEvent' : [ 0xf14, ['_EX_PUSH_LOCK']], 'FinalFlushSucceeded' : [ 0xf18, ['unsigned char']], 'FailedUnload' : [ 0xf19, ['unsigned char']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x28, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long']], 'DirtyPageThresholdTop' : [ 0x4, ['unsigned long']], 'DirtyPageThresholdBottom' : [ 0x8, ['unsigned long']], 'DirtyPageTarget' : [ 0xc, ['unsigned long']], 'AggregateAvailablePages' : [ 0x10, ['unsigned long long']], 'AggregateDirtyPages' : [ 0x18, ['unsigned long long']], 'AvailableHistory' : [ 0x20, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 
'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Reserved0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['unsigned char']], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SvmEnabled' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceAge' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'NewMaximum' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 
'CommitReleaseState' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_PPM_VETO_ENTRY' : [ 0x38, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'VetoReason' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'HitCount' : [ 0x10, ['unsigned long long']], 'LastActivationTime' : [ 0x18, ['unsigned long long']], 'TotalActiveTime' : [ 0x20, ['unsigned long long']], 'CsActivationTime' : [ 0x28, ['unsigned long long']], 'CsActiveTime' : [ 0x30, ['unsigned long long']], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 
'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderZero', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderVsmMemory', 30: 'LoaderFirmwareCode', 31: 'LoaderFirmwareData', 32: 'LoaderFirmwareReserved', 33: 'LoaderEnclaveMemory', 34: 'LoaderMaximum'})]], 
'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x408, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x14, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x4, ['_RTL_BITMAP']], 'HashTable' : [ 0xc, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x10, ['unsigned char']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 
0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x8c, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ExecutePoolTypes' : [ 0x78, ['unsigned long']], 'ExecutePageProtections' : [ 0x7c, ['unsigned long']], 'ExecutePageMappings' : [ 0x80, ['unsigned long']], 'ExecuteWriteSections' : [ 0x84, ['unsigned 
long']], 'SectionAlignmentFailures' : [ 0x88, ['unsigned long']], } ], '_VF_DRIVER_IO_CALLBACKS' : [ 0x80, { 'DriverInit' : [ 0x0, ['pointer', ['void']]], 'DriverStartIo' : [ 0x4, ['pointer', ['void']]], 'DriverUnload' : [ 0x8, ['pointer', ['void']]], 'AddDevice' : [ 0xc, ['pointer', ['void']]], 'MajorFunction' : [ 0x10, ['array', 28, ['pointer', ['void']]]], } ], '_HIVE_WRITE_WAIT_QUEUE' : [ 0xc, { 'ActiveThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'WaitList' : [ 0x4, ['pointer', ['_HIVE_WAIT_PACKET']]], 'OwnerBoosted' : [ 0x8, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x8, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_ETIMER' : [ 0xb8, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x28, ['unsigned long']], 'TimerApc' : [ 0x2c, ['_KAPC']], 'TimerDpc' : [ 0x5c, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x7c, ['_LIST_ENTRY']], 'Period' : [ 0x84, ['unsigned long']], 'TimerFlags' : [ 0x88, ['unsigned char']], 'ApcAssociated' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned 
char')]], 'FlushDpcs' : [ 0x88, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Paused' : [ 0x88, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0x88, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0x89, ['unsigned char']], 'Spare2' : [ 0x8a, ['unsigned short']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x98, ['pointer', ['void']]], 'VirtualizedTimerLinks' : [ 0x9c, ['_LIST_ENTRY']], 'DueTime' : [ 0xa8, ['unsigned long long']], 'CoalescingWindow' : [ 0xb0, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOCK_TRACKER' : [ 0x4c, { 'LockTrackerNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'Count' : [ 0x14, ['unsigned long']], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'StackTrace' : [ 0x24, ['array', 8, ['pointer', ['void']]]], 'Who' : [ 0x44, ['unsigned long']], 'Process' : [ 0x48, ['pointer', ['_EPROCESS']]], } ], '_MI_CACHED_PTES' : [ 0x48, { 'Bins' : [ 0x0, ['array', 8, ['_MI_CACHED_PTE']]], 'CachedPteCount' : [ 0x40, ['long']], } ], '_EXHANDLE' : [ 0x4, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], } ], '__unnamed_2119' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'FlagsLong' : [ 0x0, ['unsigned long']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 
0x0, ['__unnamed_2119']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_AUTO_EXPAND_STATE' : [ 0x4, { 'Expanded' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Transitioning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Pageable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_CM_DIRTY_VECTOR_LOG' : [ 0x288, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Log' : [ 0x8, ['array', 16, ['_CM_DIRTY_VECTOR_LOG_ENTRY']]], } ], '_ARBITER_INSTANCE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 
'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MI_SYSTEM_INFORMATION' : [ 0x3cc0, { 'Pools' : [ 0x0, ['_MI_POOL_STATE']], 'Sections' : [ 0x500, ['_MI_SECTION_STATE']], 'SystemImages' : [ 0x640, ['_MI_SYSTEM_IMAGE_STATE']], 'Sessions' : [ 0x6ac, ['_MI_SESSION_STATE']], 'Processes' : [ 0x16e8, ['_MI_PROCESS_STATE']], 'Hardware' : [ 0x1758, ['_MI_HARDWARE_STATE']], 'SystemVa' : [ 0x1800, ['_MI_SYSTEM_VA_STATE']], 'PageCombines' : [ 0x2cc0, ['_MI_COMBINE_STATE']], 'Partitions' : [ 0x2cd8, ['_MI_PARTITION_STATE']], 'Shutdowns' : [ 0x2d10, ['_MI_SHUTDOWN_STATE']], 'Errors' : [ 0x2d58, ['_MI_ERROR_STATE']], 'AccessLog' : [ 0x2e00, ['_MI_ACCESS_LOG_STATE']], 'Debugger' : [ 0x2e80, ['_MI_DEBUGGER_STATE']], 'Standby' : [ 0x2f40, 
['_MI_STANDBY_STATE']], 'SystemPtes' : [ 0x2fc0, ['_MI_SYSTEM_PTE_STATE']], 'IoPages' : [ 0x3140, ['_MI_IO_PAGE_STATE']], 'PagingIo' : [ 0x3178, ['_MI_PAGING_IO_STATE']], 'CommonPages' : [ 0x31b0, ['_MI_COMMON_PAGE_STATE']], 'Trims' : [ 0x3200, ['_MI_SYSTEM_TRIM_STATE']], 'ResTrack' : [ 0x3240, ['_MI_RESAVAIL_TRACKER']], 'Cookie' : [ 0x3440, ['unsigned long']], 'ZeroingDisabled' : [ 0x3444, ['long']], 'BootRegistryRuns' : [ 0x3448, ['pointer', ['pointer', ['void']]]], 'FullyInitialized' : [ 0x344c, ['unsigned char']], 'SafeBooted' : [ 0x344d, ['unsigned char']], 'LargePfnBitMap' : [ 0x3450, ['_RTL_BITMAP']], 'PfnBitMap' : [ 0x3458, ['_RTL_BITMAP']], 'TraceLogging' : [ 0x3460, ['pointer', ['_TlgProvider_t']]], 'Vs' : [ 0x3480, ['_MI_VISIBLE_STATE']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_PPM_SELECTION_DEPENDENCY' : [ 0xc, { 'Processor' : [ 0x0, ['unsigned long']], 'Menu' : [ 0x4, ['_PPM_SELECTION_MENU']], } ], '__unnamed_2193' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_2195' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_2193']], } ], '__unnamed_2197' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_2195']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2197']], } ], '_MI_VISIBLE_STATE' : [ 0x840, { 'SpecialPool' : [ 0x0, ['_MI_SPECIAL_POOL']], 'SessionWsList' : [ 0x48, ['_LIST_ENTRY']], 'SessionIdBitmap' : [ 0x50, ['pointer', ['_RTL_BITMAP']]], 'PagedPoolInfo' : [ 0x54, ['_MM_PAGED_POOL_INFO']], 'MaximumNonPagedPoolInPages' : [ 0x70, ['unsigned long']], 'SizeOfPagedPoolInPages' : [ 0x74, ['unsigned long']], 'SystemPteInfo' : [ 0x78, ['_MI_SYSTEM_PTE_TYPE']], 'NonPagedPoolCommit' : [ 0xac, ['unsigned long']], 'BootCommit' : [ 0xb0, ['unsigned long']], 'MdlPagesAllocated' : [ 0xb4, ['unsigned long']], 'SystemPageTableCommit' : [ 0xb8, ['unsigned long']], 
'SpecialPagesInUse' : [ 0xbc, ['unsigned long']], 'WsOverheadPages' : [ 0xc0, ['unsigned long']], 'VadBitmapPages' : [ 0xc4, ['unsigned long']], 'ProcessCommit' : [ 0xc8, ['unsigned long']], 'SharedCommit' : [ 0xcc, ['unsigned long']], 'DriverCommit' : [ 0xd0, ['long']], 'SystemWs' : [ 0x100, ['array', 3, ['_MMSUPPORT']]], 'MapCacheFailures' : [ 0x280, ['unsigned long']], 'PagefileHashPages' : [ 0x284, ['unsigned long']], 'PteHeader' : [ 0x288, ['_SYSPTES_HEADER']], 'SessionSpecialPool' : [ 0x314, ['pointer', ['_MI_SPECIAL_POOL']]], 'SystemVaTypeCount' : [ 0x318, ['array', 15, ['unsigned long']]], 'SystemVaType' : [ 0x354, ['array', 1024, ['unsigned char']]], 'SystemVaTypeCountFailures' : [ 0x754, ['array', 15, ['unsigned long']]], 'SystemVaTypeCountLimit' : [ 0x790, ['array', 15, ['unsigned long']]], 'SystemVaTypeCountPeak' : [ 0x7cc, ['array', 15, ['unsigned long']]], 'SystemAvailableVa' : [ 0x808, ['unsigned long']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_HMAP_TABLE' : [ 0x2800, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'HandleCount' : [ 0x14, ['unsigned long']], 'Handles' : [ 0x18, ['pointer', ['pointer', ['void']]]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x50, { 'Prcb' : [ 0x0, ['pointer', ['_KPRCB']]], 
'PerfContext' : [ 0x4, ['unsigned long']], 'ProcCap' : [ 0x8, ['unsigned long']], 'ProcFloor' : [ 0xc, ['unsigned long']], 'PlatformCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'LimitReasons' : [ 0x18, ['unsigned long']], 'PlatformCapStartTime' : [ 0x20, ['unsigned long long']], 'TargetPercent' : [ 0x28, ['unsigned long']], 'SelectedPercent' : [ 0x2c, ['unsigned long']], 'SelectedFrequency' : [ 0x30, ['unsigned long']], 'PreviousFrequency' : [ 0x34, ['unsigned long']], 'PreviousPercent' : [ 0x38, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x3c, ['unsigned long']], 'SelectedState' : [ 0x40, ['unsigned long long']], 'Force' : [ 0x48, ['unsigned char']], } ], '__unnamed_21b4' : [ 0x10, { 'CallerCompletion' : [ 0x0, ['pointer', ['void']]], 'CallerContext' : [ 0x4, ['pointer', ['void']]], 'CallerDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0xc, ['unsigned char']], } ], '__unnamed_21b7' : [ 0x8, { 'NotifyDevice' : [ 0x0, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x4, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0x90, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'Pdo' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x18, ['unsigned long long']], 'WatchdogTimer' : [ 0x20, ['_KTIMER']], 'WatchdogDpc' : [ 0x48, ['_KDPC']], 'MinorFunction' : [ 0x68, ['unsigned char']], 'PowerStateType' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0x70, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0x74, ['unsigned char']], 'FxDevice' : [ 0x78, ['pointer', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0x7c, ['unsigned char']], 'NotifyPEP' : [ 0x7d, ['unsigned char']], 'Device' : [ 0x80, ['__unnamed_21b4']], 'System' : [ 0x80, ['__unnamed_21b7']], } ], '_MI_ERROR_STATE' : [ 0xa8, 
{ 'BadMemoryEventEntry' : [ 0x0, ['_MI_BAD_MEMORY_EVENT_ENTRY']], 'ProbeRaises' : [ 0x28, ['_MI_PROBE_RAISE_TRACKER']], 'ForcedCommits' : [ 0x68, ['_MI_FORCED_COMMITS']], 'WsleFailures' : [ 0x70, ['array', 2, ['unsigned long']]], 'WsLinear' : [ 0x78, ['unsigned long']], 'PageHashErrors' : [ 0x7c, ['unsigned long']], 'CheckZeroCount' : [ 0x80, ['unsigned long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x84, ['long']], 'BadPagesDetected' : [ 0x88, ['long']], 'ScrubPasses' : [ 0x8c, ['long']], 'ScrubBadPagesFound' : [ 0x90, ['long']], 'UserViewFailures' : [ 0x94, ['unsigned long']], 'UserViewCollisionFailures' : [ 0x98, ['unsigned long']], 'ResavailFailures' : [ 0x9c, ['_MI_RESAVAIL_FAILURES']], 'PendingBadPages' : [ 0xa4, ['unsigned char']], 'InitFailure' : [ 0xa5, ['unsigned char']], 'StopBadMaps' : [ 0xa6, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 
'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'WakeFromInterrupt' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 
'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_MI_USER_VA_INFO' : [ 0xd48, { 'NumberOfCommittedPageTables' : [ 0x0, ['unsigned long']], 'HighestTopDownAllocationAddress' : [ 0x4, ['pointer', ['void']]], 'VadCell' : [ 0x8, ['array', 2, ['_MI_VAD_ALLOCATION_CELL']]], 'VadBitMapCommitment' : [ 0x40, ['unsigned long']], 'MaximumLastVadBit' : [ 0x44, ['unsigned long']], 'VadsBeingDeleted' : [ 0x48, ['long']], 'NumberOfDebugEnclaves' : [ 0x4c, ['long']], 'PhysicalMappingCount' : [ 0x50, ['unsigned long']], 'LastVadDeletionEvent' : [ 0x54, ['pointer', ['_KEVENT']]], 'SubVadRanges' : [ 0x58, ['array', 1, ['_LIST_ENTRY']]], 'NumaAware' : [ 0x60, ['unsigned char']], 'CloneNestingLevel' : [ 0x68, ['unsigned long long']], 'PrivateFixupVadCount' : [ 0x70, ['unsigned long']], 'CfgBitMap' : [ 0x74, ['array', 1, ['_MI_CFG_BITMAP_INFO']]], 'CommittedPageTableBufferForTopLevel' : [ 0x80, ['array', 48, ['unsigned long']]], 'CommittedPageTableBitmaps' : [ 0x140, ['array', 1, ['_RTL_BITMAP']]], 'UsedPageTableEntries' : [ 0x148, ['array', 1536, ['unsigned short']]], } ], '_PROC_FEEDBACK' : [ 0x88, { 'Lock' : [ 0x0, ['unsigned long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x20, ['unsigned long long']], 'UnscaledTime' : [ 0x28, ['unsigned long long']], 'UnaccountedTime' : [ 0x30, ['long long']], 'ScaledTime' : [ 0x38, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x48, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x50, ['unsigned long long']], 'UserTimeLast' : [ 0x58, ['unsigned long']], 'KernelTimeLast' : [ 0x5c, ['unsigned long']], 'IdleGenerationNumberLast' : [ 0x60, ['unsigned long long']], 'HvActiveTimeLast' : [ 0x68, ['unsigned long long']], 
'StallCyclesLast' : [ 0x70, ['unsigned long long']], 'StallTime' : [ 0x78, ['unsigned long long']], 'KernelTimesIndex' : [ 0x80, ['unsigned char']], } ], '_MI_PAGEFILE_BITMAPS_CACHE_ENTRY' : [ 0x20, { 'LengthTreeNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeListEntry' : [ 0x0, ['_LIST_ENTRY']], 'LocationTreeNode' : [ 0xc, ['_RTL_BALANCED_NODE']], 'StartingIndex' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], } ], '__unnamed_21d7' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_21db' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_21dd' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_21df' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' : [ 0xc, ['unsigned long']], } ], '__unnamed_21e1' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_21e3' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_21e5' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_21e7' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, 
['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_21e9' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_21eb' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_21ed' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_21ef' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_21d7']], 'Memory' : [ 0x0, ['__unnamed_21d7']], 'Interrupt' : [ 0x0, ['__unnamed_21db']], 'Dma' : [ 0x0, ['__unnamed_21dd']], 'DmaV3' : [ 0x0, ['__unnamed_21df']], 'Generic' : [ 0x0, ['__unnamed_21d7']], 'DevicePrivate' : [ 0x0, ['__unnamed_21e1']], 'BusNumber' : [ 0x0, ['__unnamed_21e3']], 'ConfigData' : [ 0x0, ['__unnamed_21e5']], 'Memory40' : [ 0x0, ['__unnamed_21e7']], 'Memory48' : [ 0x0, ['__unnamed_21e9']], 'Memory64' : [ 0x0, ['__unnamed_21eb']], 'Connection' : [ 0x0, ['__unnamed_21ed']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_21ef']], } ], '_POP_THERMAL_ZONE' : [ 0x2c0, { 'PolicyDevice' : [ 0x0, ['_POP_POLICY_DEVICE']], 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 
'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], 'State' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], 'Removing' : [ 0x22, ['unsigned char']], 'Mode' : [ 0x23, ['unsigned char']], 'PendingMode' : [ 0x24, ['unsigned char']], 'ActivePoint' : [ 0x25, ['unsigned char']], 'PendingActivePoint' : [ 0x26, ['unsigned char']], 'Critical' : [ 0x27, ['unsigned char']], 'ThermalStandby' : [ 0x28, ['unsigned char']], 'OverThrottled' : [ 0x29, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x2c, ['long']], 'Throttle' : [ 0x30, ['long']], 'PendingThrottle' : [ 0x34, ['long']], 'ThrottleReasons' : [ 0x38, ['unsigned long']], 'LastTime' : [ 0x40, ['unsigned long long']], 'SampleRate' : [ 0x48, ['unsigned long']], 'LastTemp' : [ 0x4c, ['unsigned long']], 'PassiveTimer' : [ 0x50, ['_KTIMER']], 'PassiveDpc' : [ 0x78, ['_KDPC']], 'Info' : [ 0x98, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0xf0, ['_LARGE_INTEGER']], 'Policy' : [ 0xf8, ['_THERMAL_POLICY']], 'PolicyDriver' : [ 0x110, ['unsigned char']], 'LastActiveStartTime' : [ 0x118, ['unsigned long long']], 'LastPassiveStartTime' : [ 0x120, ['unsigned long long']], 'WorkItem' : [ 0x128, ['_WORK_QUEUE_ITEM']], 'Lock' : [ 0x138, ['_POP_RW_LOCK']], 'ZoneStopped' : [ 0x140, ['_KEVENT']], 'TemperatureUpdated' : [ 0x150, ['_KEVENT']], 'InstanceId' : [ 0x160, ['unsigned long']], 'TelemetryTracker' : [ 0x168, ['_POP_THERMAL_TELEMETRY_TRACKER']], 'Description' : [ 0x2b8, ['_UNICODE_STRING']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 
'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_MI_REBUILD_LARGE_PAGES' : [ 0x34, { 'Active' : [ 0x0, ['long']], 'Timer' : [ 0x4, ['array', 16, ['array', 1, ['_MI_REBUILD_LARGE_PAGE_COUNTDOWN']]]], 'WorkItem' : [ 0x24, ['_WORK_QUEUE_ITEM']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x6f0, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileWrite' : [ 0x14, ['pointer', ['void']]], 'FileRead' : [ 0x18, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x1c, ['pointer', ['void']]], 'BaseBlock' : [ 0x20, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x24, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x2c, ['unsigned long']], 'DirtyAlloc' : [ 0x30, ['unsigned long']], 'UnreconciledVector' : [ 0x34, ['_RTL_BITMAP']], 'UnreconciledCount' : [ 0x3c, ['unsigned long']], 'BaseBlockAlloc' : [ 0x40, ['unsigned long']], 'Cluster' : [ 0x44, ['unsigned long']], 
'Flat' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ReadOnly' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SystemCacheBacked' : [ 0x48, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DirtyFlag' : [ 0x49, ['unsigned char']], 'HvBinHeadersUse' : [ 0x4c, ['unsigned long']], 'HvFreeCellsUse' : [ 0x50, ['unsigned long']], 'HvUsedCellsUse' : [ 0x54, ['unsigned long']], 'CmUsedCellsUse' : [ 0x58, ['unsigned long']], 'HiveFlags' : [ 0x5c, ['unsigned long']], 'CurrentLog' : [ 0x60, ['unsigned long']], 'CurrentLogSequence' : [ 0x64, ['unsigned long']], 'CurrentLogMinimumSequence' : [ 0x68, ['unsigned long']], 'CurrentLogOffset' : [ 0x6c, ['unsigned long']], 'MinimumLogSequence' : [ 0x70, ['unsigned long']], 'LogFileSizeCap' : [ 0x74, ['unsigned long']], 'LogDataPresent' : [ 0x78, ['array', 2, ['unsigned char']]], 'PrimaryFileValid' : [ 0x7a, ['unsigned char']], 'BaseBlockDirty' : [ 0x7b, ['unsigned char']], 'LastLogSwapTime' : [ 0x80, ['_LARGE_INTEGER']], 'FirstLogFile' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'SecondLogFile' : [ 0x88, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned short')]], 'HeaderRecovered' : [ 0x88, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'LegacyRecoveryIndicated' : [ 0x88, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RecoveryInformationReserved' : [ 0x88, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'RecoveryInformation' : [ 0x88, ['unsigned short']], 'LogEntriesRecovered' : [ 0x8a, ['array', 2, ['unsigned char']]], 'RefreshCount' : [ 0x8c, ['unsigned long']], 'StorageTypeCount' : [ 0x90, ['unsigned long']], 'Version' : [ 0x94, ['unsigned long']], 'ViewMap' : [ 
0x98, ['_HVIEW_MAP']], 'Storage' : [ 0x3b8, ['array', 2, ['_DUAL']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_ETW_FILTER_HEADER' : [ 0x24, { 'FilterFlags' : [ 0x0, ['long']], 'PidFilter' : [ 0x4, ['pointer', ['_ETW_FILTER_PID']]], 'ExeFilter' : [ 0x8, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgIdFilter' : [ 0xc, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'PkgAppIdFilter' : [ 0x10, ['pointer', ['_ETW_FILTER_STRING_TOKEN']]], 'StackWalkFilter' : [ 0x14, ['pointer', ['_ETW_PERFECT_HASH_FUNCTION']]], 'EventIdFilter' : [ 0x18, ['pointer', ['_ETW_PERFECT_HASH_FUNCTION']]], 'PayloadFilter' : [ 0x1c, ['pointer', ['_ETW_PAYLOAD_FILTER']]], 'ProviderSideFilter' : [ 0x20, ['pointer', ['_EVENT_FILTER_HEADER']]], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_ETW_PAYLOAD_FILTER' : [ 0x58, { 'RefCount' : [ 0x0, ['long']], 'PayloadFilter' : [ 0x8, ['_AGGREGATED_PAYLOAD_FILTER']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_POP_THERMAL_TELEMETRY_TRACKER' : [ 0x150, { 'AccountingDisabled' : [ 0x0, ['unsigned char']], 'LastPassiveUpdateTime' : [ 0x8, ['unsigned long long']], 'TotalPassiveTime' : [ 0x10, ['array', 20, ['unsigned long long']]], 'PassiveTimeSnap' : [ 0xb0, ['array', 20, ['unsigned long long']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 'SecurityQos' : [ 0x1c, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_HVIEW_MAP' : [ 0x320, { 'MappedLength' : [ 0x0, ['unsigned long']], 'Lock' : [ 0x4, ['_EX_PUSH_LOCK']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 
'Directory' : [ 0xc, ['pointer', ['_HVIEW_MAP_DIRECTORY']]], 'PagesCharged' : [ 0x10, ['unsigned long']], 'PinLog' : [ 0x18, ['_HVIEW_MAP_PIN_LOG']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_DISALLOWED_GUIDS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Guids' : [ 0x4, ['pointer', ['_GUID']]], } ], '_HVIEW_MAP_DIRECTORY' : [ 0x200, { 'Tables' : [ 0x0, ['array', 128, ['pointer', ['_HVIEW_MAP_TABLE']]]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned 
long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Spare0' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1f, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1e, ['unsigned char']], } ], '__unnamed_226c' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_226e' : [ 0x10, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_226c']], } ], '_VF_TARGET_DRIVER' : [ 0x1c, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x8, ['__unnamed_226e']], 'VerifiedData' : [ 0x18, ['pointer', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '__unnamed_2279' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_227b' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_227d' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceId' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_227f' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_2281' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_2283' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 
0x4, ['array', 1, ['wchar']]], } ], '__unnamed_2285' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_2287' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2289' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_228b' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_2279']], 'TargetDevice' : [ 0x0, ['__unnamed_227b']], 'InstallDevice' : [ 0x0, ['__unnamed_227b']], 'CustomNotification' : [ 0x0, ['__unnamed_227d']], 'ProfileNotification' : [ 0x0, ['__unnamed_227f']], 'PowerNotification' : [ 0x0, ['__unnamed_2281']], 'VetoNotification' : [ 0x0, ['__unnamed_2283']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_2285']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_2287']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_2289']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_227b']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_227b']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x44, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_228b']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, 
['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x50, { 'Context' : [ 0x0, ['pointer', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x38, ['unsigned long']], 'DependencyUsed' : [ 0x3c, ['unsigned long']], 'DependencyArray' : [ 0x40, ['pointer', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x44, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x48, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x4c, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned 
char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], } ], '__unnamed_22a7' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_22a7']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, 
['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_MI_HARDWARE_STATE' : [ 0x78, { 'NodeMask' : [ 0x0, ['unsigned long']], 'NodeGraph' : [ 0x4, ['pointer', ['unsigned short']]], 'SystemNodeInformation' : [ 0x8, ['pointer', ['_MI_SYSTEM_NODE_INFORMATION']]], 'NumaLastRangeIndex' : [ 0xc, ['unsigned long']], 'NumaMemoryRanges' : [ 0x10, ['pointer', ['_HAL_NODE_RANGE']]], 'NumaTableCaptured' : [ 0x14, ['unsigned char']], 'NodeShift' : [ 0x15, ['unsigned char']], 'ChannelMemoryRanges' : [ 0x18, ['pointer', ['_HAL_CHANNEL_MEMORY_RANGES']]], 'ChannelShift' : [ 0x1c, ['unsigned char']], 'SecondLevelCacheSize' : [ 0x20, ['unsigned long']], 'FirstLevelCacheSize' : [ 0x24, ['unsigned long']], 'PhysicalAddressBits' : [ 0x28, ['unsigned long']], 'AllMainMemoryMustBeCached' : [ 0x2c, ['unsigned char']], 'TotalPagesAllowed' : [ 0x30, ['unsigned long']], 'SecondaryColorMask' : [ 0x34, ['unsigned long']], 'SecondaryColors' : [ 0x38, ['unsigned long']], 'FlushTbForAttributeChange' : [ 0x3c, ['unsigned long']], 'FlushCacheForAttributeChange' : [ 0x40, ['unsigned long']], 'FlushCacheForPageAttributeChange' : [ 
0x44, ['unsigned long']], 'CacheFlushPromoteThreshold' : [ 0x48, ['unsigned long']], 'FlushTbThreshold' : [ 0x4c, ['unsigned long']], 'ZeroCostCounts' : [ 0x50, ['array', 2, ['_MI_ZERO_COST_COUNTS']]], 'HighestPossiblePhysicalPage' : [ 0x70, ['unsigned long']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x58, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : 
[ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], 'WaitObjectFlagMask' : [ 0x50, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x54, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x56, ['unsigned short']], } ], '__unnamed_22e8' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MI_DECAY_TIMER_LINKAGE']], } ], '_MI_DECAY_TIMER_LINK' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_22e8']], } ], '_TRIAGE_PNP_DEVICE_COMPLETION_REQUEST' : [ 0xc, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_TRIAGE_DEVICE_NODE']]], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, 
['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_HEAP_EXTENDED_ENTRY' : [ 0x8, { 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], } ], '_MI_SYSTEM_VA_STATE' : [ 0x14c0, { 'SystemTablesLock' : [ 0x0, ['unsigned long']], 'SystemVaBias' : [ 0x4, ['unsigned long']], 'SystemAvailableVaLow' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], 'HyperSpaceEnd' : [ 0x10, ['pointer', ['void']]], 'HyperSpaceEndPte' : [ 0x14, ['pointer', ['_MMPTE']]], 'SystemRangeStart' : [ 0x18, ['pointer', ['void']]], 'SystemCachePdeCount' : [ 0x1c, ['array', 1024, ['unsigned char']]], 'SystemCacheReverseMaps' : [ 0x41c, ['array', 1024, ['pointer', ['void']]]], 'WorkingSetListHashStart' : [ 0x141c, ['pointer', ['_MMWSLE_HASH']]], 'WorkingSetListHashEnd' : [ 0x1420, ['pointer', ['_MMWSLE_HASH']]], 'WorkingSetListIndirectHashStart' : [ 0x1424, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'FreeSystemCacheVa' : [ 0x1428, ['_KEVENT']], 'SystemVaLock' : [ 0x1438, ['unsigned long']], 'DeleteKvaLock' : [ 0x143c, ['long']], 'FreeSystemCache' : [ 0x1440, ['_MI_PTE_CHAIN_HEAD']], 'SystemCacheViewLock' : [ 0x1458, ['unsigned long']], 'UnusableWsles' : [ 0x145c, ['array', 5, ['unsigned long']]], 'PossibleWsles' : [ 0x1470, ['array', 5, ['unsigned long']]], } ], '_DIRTY_PAGE_STATISTICS' : [ 0xc, { 'DirtyPages' : [ 0x0, ['unsigned long']], 'DirtyPagesLastScan' : [ 0x4, 
['unsigned long']], 'DirtyPagesScheduledLastScan' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_CUSTOM_BREAKPOINT' : [ 0x18, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointInstruction' : [ 0x8, ['unsigned long long']], 'BreakPointHandle' : [ 0x10, ['unsigned long']], 'BreakPointInstructionSize' : [ 0x14, ['unsigned char']], 'BreakPointInstructionAlignment' : [ 0x15, ['unsigned char']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x10, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : 
[ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_MI_DEBUGGER_STATE' : [ 0x90, { 'TransientWrite' : [ 0x0, ['unsigned char']], 'CodePageEdited' : [ 0x1, ['unsigned char']], 'DebugPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'PoisonedTb' : [ 0x8, ['unsigned long']], 'InDebugger' : [ 0xc, ['long']], 'Pfns' : [ 0x10, ['array', 32, ['pointer', ['void']]]], } ], '_MI_PROCESS_STATE' : [ 0x70, { 'ColorSeed' : [ 0x0, ['unsigned long']], 'CloneDereferenceEvent' : [ 0x4, ['_KEVENT']], 'CloneProtosSListHead' : [ 0x18, ['_SLIST_HEADER']], 'SystemDllBase' : [ 0x20, ['pointer', ['void']]], 'RotatingUniprocessorNumber' : [ 0x24, ['long']], 'CriticalSectionTimeout' : [ 0x28, ['_LARGE_INTEGER']], 'ProcessList' : [ 0x30, ['_LIST_ENTRY']], 'SharedUserDataPte' : [ 0x38, ['pointer', ['_MMPTE']]], 'FreePaeEntries' : [ 0x3c, ['unsigned long']], 'FirstFreePae' : [ 0x40, ['_PAE_ENTRY']], 'AllocatedPaePages' : [ 0x60, ['long']], 'PaeLock' : [ 0x64, ['unsigned long']], 'PaeEntrySList' : [ 0x68, ['_SLIST_HEADER']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : 
[ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'HiberFileType' : [ 0x16, ['unsigned char']], 'AoAcConnectivitySupported' : [ 0x17, ['unsigned char']], 'spare3' : [ 0x18, ['array', 6, 
['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_MI_REBUILD_LARGE_PAGE_COUNTDOWN' : [ 0x2, { 'SecondsLeft' : [ 0x0, ['unsigned char']], 'SecondsAssigned' : [ 0x1, ['unsigned char']], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 
0x4, ['unsigned long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x18, ['pointer', ['long']]], 'NodeTargetCount' : [ 0x1c, ['long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, 
end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_IO_IRP_EXT_TRACK_OFFSET_HEADER' : [ 0x8, { 'Validation' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'TrackedOffsetCallback' : [ 0x4, ['pointer', ['void']]], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_MI_SESSION_STATE' : [ 0x1038, { 'SystemSession' : [ 0x0, ['_MMSESSION']], 'CodePageEdited' : [ 0x14, ['unsigned char']], 'VaReferenceCount' : [ 0x18, ['array', 1024, ['long']]], 'DynamicPtesBitBuffer' : [ 0x1018, ['pointer', ['unsigned long']]], 'IdLock' : [ 0x101c, ['_EX_PUSH_LOCK']], 'DetachTimeStamp' : [ 0x1020, ['unsigned long']], 'LeaderProcess' : [ 0x1024, ['pointer', ['_EPROCESS']]], 'InitializeLock' : [ 0x1028, ['_EX_PUSH_LOCK']], 'WorkingSetList' : [ 0x102c, ['pointer', ['_MMWSL']]], 'WsHashStart' : [ 0x1030, ['pointer', ['_MMWSLE_HASH']]], 'WsHashEnd' : [ 0x1034, ['pointer', ['_MMWSLE_HASH']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_MMSESSION' : [ 0x14, { 'SystemSpaceViewLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'SystemSpaceViewLockPointer' : [ 0x4, ['pointer', ['_EX_PUSH_LOCK']]], 'ViewRoot' : [ 0x8, ['_RTL_AVL_TREE']], 'ViewCount' : [ 0xc, ['unsigned 
long']], 'BitmapFailures' : [ 0x10, ['unsigned long']], } ], '_IOP_IRP_STACK_PROFILER' : [ 0x54, { 'Profile' : [ 0x0, ['array', 20, ['unsigned long']]], 'TotalIrps' : [ 0x50, ['unsigned long']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_OBJECT_NAMESPACE_LOOKUPTABLE' : [ 0x130, { 'HashBuckets' : [ 0x0, ['array', 37, ['_LIST_ENTRY']]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'NumberOfPrivateSpaces' : [ 0x12c, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_MI_DECAY_TIMER_LINKAGE' : [ 0x4, { 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NextDecayPfn' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 
'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 0x40, ['_GUID']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_236d' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MI_PARTITION_FLAGS']], } ], '_MI_PARTITION_CORE' : [ 0xb8, { 'PartitionId' : [ 0x0, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_236d']], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'ParentPartition' : [ 0xc, ['pointer', ['_MI_PARTITION']]], 'ListEntry' : [ 0x10, ['_LIST_ENTRY']], 'NodeInformation' : [ 0x18, ['pointer', ['_MI_NODE_INFORMATION']]], 'MdlPhysicalMemoryBlock' : [ 0x1c, ['pointer', ['_MDL']]], 'MemoryNodeRuns' : [ 0x20, ['pointer', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'MemoryBlockReferences' : [ 0x24, ['unsigned long']], 'PfnUnmapWorkItem' : [ 0x28, ['_WORK_QUEUE_ITEM']], 'PfnUnmapActive' : [ 0x38, ['unsigned char']], 'PfnUnmapCount' : [ 0x3c, ['unsigned long']], 'PfnUnmapWaitList' : [ 0x40, ['pointer', ['void']]], 'MemoryRuns' : [ 0x44, ['pointer', ['_PHYSICAL_MEMORY_DESCRIPTOR']]], 'ExitEvent' : [ 0x48, ['_KEVENT']], 'SystemThreadHandles' : [ 0x58, ['array', 5, ['pointer', ['void']]]], 'PartitionObject' : [ 0x6c, ['pointer', 
['void']]], 'PartitionObjectHandle' : [ 0x70, ['pointer', ['void']]], 'DynamicMemoryPushLock' : [ 0x74, ['_EX_PUSH_LOCK']], 'DynamicMemoryLock' : [ 0x78, ['long']], 'TemporaryMemoryEvent' : [ 0x7c, ['_KEVENT']], 'MemoryEvents' : [ 0x8c, ['array', 11, ['pointer', ['_KEVENT']]]], } ], '_MI_PARTITION_MODWRITES' : [ 0x1d0, { 'AttemptForCantExtend' : [ 0x0, ['_MMPAGE_FILE_EXPANSION']], 'PageFileContract' : [ 0x38, ['_MMPAGE_FILE_EXPANSION']], 'NumberOfMappedMdls' : [ 0x70, ['unsigned long']], 'NumberOfMappedMdlsInUse' : [ 0x74, ['long']], 'NumberOfMappedMdlsInUsePeak' : [ 0x78, ['unsigned long']], 'MappedFileHeader' : [ 0x7c, ['_MMMOD_WRITER_LISTHEAD']], 'NeedMappedMdl' : [ 0x94, ['unsigned char']], 'NeedPageFileMdl' : [ 0x95, ['unsigned char']], 'TransitionInserted' : [ 0x96, ['unsigned char']], 'LastModifiedWriteError' : [ 0x98, ['long']], 'LastMappedWriteError' : [ 0x9c, ['long']], 'MappedFileWriteSucceeded' : [ 0xa0, ['unsigned long']], 'MappedWriteBurstCount' : [ 0xa4, ['unsigned long']], 'LowPriorityModWritesOutstanding' : [ 0xa8, ['unsigned long']], 'BoostModWriteIoPriorityEvent' : [ 0xac, ['_KEVENT']], 'ModifiedWriterThreadPriority' : [ 0xbc, ['long']], 'ModifiedPagesLowPriorityGoal' : [ 0xc0, ['unsigned long']], 'ModifiedPageWriterEvent' : [ 0xc4, ['_KEVENT']], 'ModifiedWriterExitedEvent' : [ 0xd4, ['_KEVENT']], 'WriteAllPagefilePages' : [ 0xe4, ['long']], 'WriteAllMappedPages' : [ 0xe8, ['long']], 'MappedPageWriterEvent' : [ 0xec, ['_KEVENT']], 'ModWriteData' : [ 0x100, ['_MI_MODWRITE_DATA']], 'RescanPageFilesEvent' : [ 0x130, ['_KEVENT']], 'PagingFileHeader' : [ 0x140, ['_MMMOD_WRITER_LISTHEAD']], 'ModifiedPageWriterThread' : [ 0x158, ['pointer', ['_ETHREAD']]], 'ModifiedPageWriterRundown' : [ 0x15c, ['_EX_RUNDOWN_REF']], 'PagefileScanWorkItem' : [ 0x160, ['_WORK_QUEUE_ITEM']], 'PagefileScanCount' : [ 0x170, ['unsigned long']], 'ClusterWritesDisabled' : [ 0x174, ['array', 2, ['long']]], 'NotifyStoreMemoryConditions' : [ 0x17c, ['_KEVENT']], 'DelayMappedWrite' 
: [ 0x18c, ['unsigned char']], 'PagefileReservationsEnabled' : [ 0x190, ['unsigned long']], 'PageFileCreationLock' : [ 0x194, ['_EX_PUSH_LOCK']], 'TrimPagefileWorkItem' : [ 0x198, ['_WORK_QUEUE_ITEM']], 'LastTrimPagefileTime' : [ 0x1a8, ['unsigned long long']], 'WsSwapPagefileContractWorkItem' : [ 0x1b0, ['_WORK_QUEUE_ITEM']], 'WsSwapPageFileContractionInProgress' : [ 0x1c0, ['long']], 'WorkingSetSwapLock' : [ 0x1c4, ['_EX_PUSH_LOCK']], 'WorkingSetInswapLock' : [ 0x1c8, ['long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_KPRIQUEUE' : [ 0x19c, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['array', 32, ['_LIST_ENTRY']]], 'CurrentCount' : [ 0x110, ['array', 32, ['long']]], 'MaximumCount' : [ 0x190, ['unsigned long']], 'ThreadListHead' : [ 0x194, ['_LIST_ENTRY']], } ], '__unnamed_2385' : [ 0x4, { 'ChannelsHotCold' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_MI_NODE_INFORMATION' : [ 0x68, { 'LargePageFreeCount' : [ 0x0, ['array', 2, ['unsigned long']]], 'LargePages' : [ 0x8, ['array', 2, ['array', 2, ['array', 1, ['_LIST_ENTRY']]]]], 'LargePagesCount' : [ 0x28, ['array', 2, ['array', 2, ['array', 1, ['unsigned long']]]]], 'FreeCount' : [ 0x38, ['array', 2, ['unsigned long']]], 'TotalPages' : [ 0x40, ['array', 1, ['unsigned long']]], 'TotalPagesEntireNode' : [ 0x44, ['unsigned long']], 'MmShiftedColor' : [ 0x48, ['unsigned long']], 'Color' : [ 0x4c, ['unsigned long']], 'ChannelFreeCount' : [ 0x50, ['array', 1, ['array', 2, ['unsigned long']]]], 'Flags' : [ 0x58, ['__unnamed_2385']], 'NodeLock' : [ 0x5c, ['_EX_PUSH_LOCK']], 'ChannelStatus' : [ 0x60, ['unsigned char']], 'ChannelOrdering' : [ 0x61, ['array', 1, ['unsigned char']]], 'LockedChannelOrdering' : [ 0x62, ['array', 1, ['unsigned char']]], 'PowerAttribute' : [ 0x63, 
['array', 1, ['unsigned char']]], 'LargePageLock' : [ 0x64, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_WAITING_IRP' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'CompletionRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'Information' : [ 0x18, ['unsigned long']], 'BreakAllRH' : [ 0x1c, ['unsigned char']], } ], '_ETW_FILTER_PID' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Pids' : [ 0x4, ['array', 8, ['unsigned long']]], } ], '_PPM_SELECTION_MENU' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Entries' : [ 0x4, ['pointer', ['_PPM_SELECTION_MENU_ENTRY']]], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x10, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0xc, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_KSCHEDULING_GROUP' : [ 0x140, { 'Policy' : [ 0x0, ['_KSCHEDULING_GROUP_POLICY']], 'RelativeWeight' : [ 0x8, ['unsigned long']], 'ChildMinRate' : [ 0xc, ['unsigned long']], 'ChildMinWeight' : [ 0x10, ['unsigned long']], 'ChildTotalWeight' : [ 0x14, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x18, ['unsigned long long']], 'NotificationCycles' : [ 0x20, ['long long']], 'SchedulingGroupList' : [ 0x28, ['_LIST_ENTRY']], 'Sibling' : [ 0x28, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x30, ['pointer', ['_KDPC']]], 'ChildList' : [ 0x34, ['_LIST_ENTRY']], 'Parent' : [ 0x3c, ['pointer', ['_KSCHEDULING_GROUP']]], 'PerProcessor' : [ 0x40, ['array', 1, ['_KSCB']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, 
['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x18, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' : [ 0xc, ['unsigned long']], 'ObjectInfo' : [ 0x10, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x14, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_MMWORKING_SET_EXPANSION_HEAD' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x18, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'Irp' : [ 0xc, ['pointer', ['_IRP']]], 'Device' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Static' : [ 0x14, ['unsigned char']], } ], '_POP_POLICY_DEVICE' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'DeviceType' : [ 0x8, 
['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyDeviceMax'})]], 'Notification' : [ 0xc, ['pointer', ['void']]], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'Device' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'Irp' : [ 0x1c, ['pointer', ['_IRP']]], } ], '__unnamed_23b6' : [ 0x4, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], 'RemoteImageFileObject' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RemoteDataFileObject' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '_SECTION' : [ 0x28, { 'SectionNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u1' : [ 0x14, ['__unnamed_23b6']], 'SizeOfSection' : [ 0x18, ['unsigned long long']], 'u' : [ 0x20, ['__unnamed_16af']], 'InitialPageProtection' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'SessionId' : [ 0x24, ['BitField', dict(start_bit = 12, end_bit = 31, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x24, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MI_SECTION_STATE' : [ 0x140, { 'SectionObjectPointersLock' : [ 0x0, ['long']], 'SectionExtendLock' : [ 0x4, ['_EX_PUSH_LOCK']], 'SectionExtendSetLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'SectionBasedRoot' : [ 0xc, ['_RTL_AVL_TREE']], 'SectionBasedLock' : [ 0x10, ['_EX_PUSH_LOCK']], 'UnusedSubsectionPagedPool' : [ 0x14, ['unsigned long']], 'UnusedSegmentForceFree' : [ 0x18, 
['unsigned long']], 'DataSectionProtectionMask' : [ 0x1c, ['unsigned long']], 'HighSectionBase' : [ 0x20, ['pointer', ['void']]], 'PhysicalSubsection' : [ 0x24, ['_MSUBSECTION']], 'PhysicalControlArea' : [ 0x68, ['_CONTROL_AREA']], 'DanglingExtentsPages' : [ 0xb8, ['pointer', ['_MMPFN']]], 'DanglingExtentsLock' : [ 0xbc, ['long']], 'DanglingExtentsWorkItem' : [ 0xc0, ['_WORK_QUEUE_ITEM']], 'DanglingExtentsWorkerActive' : [ 0xd0, ['unsigned char']], 'PageFileSectionHead' : [ 0xd4, ['_RTL_AVL_TREE']], 'PageFileSectionListSpinLock' : [ 0xd8, ['long']], 'ImageBias' : [ 0xdc, ['unsigned long']], 'RelocateBitmapsLock' : [ 0xe0, ['_EX_PUSH_LOCK']], 'ImageBitMap' : [ 0xe4, ['_RTL_BITMAP']], 'ApiSetSection' : [ 0xec, ['pointer', ['void']]], 'ApiSetSchema' : [ 0xf0, ['pointer', ['void']]], 'ApiSetSchemaSize' : [ 0xf4, ['unsigned long']], 'LostDataFiles' : [ 0xf8, ['unsigned long']], 'LostDataPages' : [ 0xfc, ['unsigned long']], 'ImageFailureReason' : [ 0x100, ['unsigned long']], 'CfgBitMapSection32' : [ 0x104, ['pointer', ['_SECTION']]], 'CfgBitMapControlArea32' : [ 0x108, ['pointer', ['_CONTROL_AREA']]], 'ImageCfgFailure' : [ 0x10c, ['unsigned long']], 'ImageValidationFailed' : [ 0x110, ['long']], } ], '_MI_PARTITION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PageListsInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StoreReservedPagesCharged' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], } ], '__unnamed_23c2' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_23c4' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_23c6' : 
[ 0xc, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_23c8' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_23c6']], 'Translated' : [ 0x0, ['__unnamed_23c4']], } ], '__unnamed_23ca' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_23cc' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_23ce' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_23d0' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_23d2' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_23d4' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_23d6' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_23d8' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_23c2']], 'Port' : [ 0x0, ['__unnamed_23c2']], 'Interrupt' : [ 0x0, ['__unnamed_23c4']], 'MessageInterrupt' : [ 0x0, ['__unnamed_23c8']], 'Memory' : [ 0x0, ['__unnamed_23c2']], 'Dma' : [ 0x0, ['__unnamed_23ca']], 'DmaV3' : [ 0x0, ['__unnamed_23cc']], 'DevicePrivate' : [ 0x0, ['__unnamed_21e1']], 'BusNumber' : [ 0x0, ['__unnamed_23ce']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_23d0']], 'Memory40' : [ 0x0, ['__unnamed_23d2']], 'Memory48' : [ 0x0, ['__unnamed_23d4']], 'Memory64' : [ 0x0, ['__unnamed_23d6']], 'Connection' : [ 0x0, ['__unnamed_21ed']], } ], 
'_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_23d8']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_23e0' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_23e0']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '_MM_PAGED_POOL_INFO' : [ 0x1c, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'PagedPoolAllocationMap' : [ 0x4, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 'MaximumSize' : [ 0x10, ['unsigned long']], 'PagedPoolHint' : [ 0x14, ['unsigned long']], 'AllocatedPagedPool' : [ 0x18, ['unsigned long']], } ], '__unnamed_23ec' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_23ec']], } ], '_PPM_COORDINATED_SELECTION' : [ 0x10, { 'MaximumStates' : [ 0x0, ['unsigned long']], 'SelectedStates' : [ 0x4, ['unsigned long']], 'DefaultSelection' : [ 0x8, ['unsigned long']], 'Selection' : [ 0xc, ['pointer', ['unsigned long']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_PAE_ENTRY' : [ 0x20, { 'PteEntry' 
: [ 0x0, ['array', 4, ['_MMPTE']]], 'PaeEntry' : [ 0x0, ['_PAE_PAGEINFO']], 'NextPae' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '_MI_PAGE_COMBINING_SUPPORT' : [ 0xd8, { 'Partition' : [ 0x0, ['pointer', ['_MI_PARTITION']]], 'ArbitraryPfnMapList' : [ 0x4, ['_LIST_ENTRY']], 'FreeCombinePoolItem' : [ 0xc, ['_MI_COMBINE_WORKITEM']], 'CombiningThreadCount' : [ 0x20, ['unsigned long']], 'CombinePageFreeList' : [ 0x24, ['_LIST_ENTRY']], 'CombineFreeListLock' : [ 0x2c, ['unsigned long']], 'CombinePageListHeads' : [ 0x30, ['array', 16, ['_MI_COMBINE_PAGE_LISTHEAD']]], 'PageCombineStats' : [ 0xb0, ['_MI_PAGE_COMBINE_STATISTICS']], } ], '_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', ['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '_POP_FX_DEVICE' : [ 0x188, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'IrpData' : [ 0xc, ['pointer', ['_POP_IRP_DATA']]], 'Status' : [ 0x10, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0x14, ['long']], 'PowerNotReqCall' : [ 0x18, ['long']], 'DevNode' : [ 0x1c, ['pointer', ['_DEVICE_NODE']]], 'DpmContext' : [ 0x20, ['pointer', ['PEPHANDLE__']]], 'Plugin' : [ 0x24, ['pointer', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x28, ['pointer', ['PEPHANDLE__']]], 'AcpiPlugin' : [ 0x2c, ['pointer', ['_POP_FX_PLUGIN']]], 'AcpiPluginHandle' : [ 0x30, ['pointer', ['PEPHANDLE__']]], 'DeviceObject' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x38, ['pointer', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x3c, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0x58, ['pointer', ['void']]], 'AcpiLink' : [ 0x5c, ['_LIST_ENTRY']], 'DeviceId' : [ 0x64, ['_UNICODE_STRING']], 'RemoveLock' : [ 0x6c, ['_IO_REMOVE_LOCK']], 'AcpiRemoveLock' : [ 0x84, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0x9c, ['_POP_FX_WORK_ORDER']], 'IdleLock' : [ 0xb8, ['unsigned long']], 'IdleTimer' : [ 0xc0, ['_KTIMER']], 'IdleDpc' : [ 0xe8, ['_KDPC']], 'IdleTimeout' : [ 0x108, ['unsigned long long']], 'IdleStamp' : [ 0x110, ['unsigned long 
long']], 'NextIrpDeviceObject' : [ 0x118, ['array', 2, ['pointer', ['_DEVICE_OBJECT']]]], 'NextIrpPowerState' : [ 0x120, ['array', 2, ['_POWER_STATE']]], 'NextIrpCallerCompletion' : [ 0x128, ['array', 2, ['pointer', ['void']]]], 'NextIrpCallerContext' : [ 0x130, ['array', 2, ['pointer', ['void']]]], 'IrpCompleteEvent' : [ 0x138, ['_KEVENT']], 'PowerOnDumpDeviceCallback' : [ 0x148, ['pointer', ['void']]], 'Accounting' : [ 0x150, ['_POP_FX_ACCOUNTING']], 'Flags' : [ 0x178, ['unsigned long']], 'ComponentCount' : [ 0x17c, ['unsigned long']], 'Components' : [ 0x180, ['pointer', ['pointer', ['_POP_FX_COMPONENT']]]], } ], '_PEP_ACPI_RESOURCE_FLAGS' : [ 0x4, { 'AsULong' : [ 0x0, ['unsigned long']], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Wake' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ResourceUsage' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SlaveMode' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'AddressingMode' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SharedMode' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2418' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_241a' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_2418']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x44, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, 
['_LIST_ENTRY']], 'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CoolingExtension' : [ 0x30, ['pointer', ['_POP_COOLING_EXTENSION']]], 'Volume' : [ 0x34, ['_LIST_ENTRY']], 'Specific' : [ 0x3c, ['__unnamed_241a']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_MI_COMBINE_STATE' : [ 0x18, { 'ActiveSpinLock' : [ 0x0, ['long']], 'CombiningThreadCount' : [ 0x4, ['unsigned long']], 'ActiveThreadTree' : [ 0x8, ['_RTL_AVL_TREE']], 'ZeroPageHashValue' : [ 0x10, ['unsigned long long']], } ], '_MMDEREFERENCE_SEGMENT_HEADER' : [ 0x1c, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'ListHead' : [ 0x14, ['_LIST_ENTRY']], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x38, { 'BadPageCount' : [ 0x0, ['unsigned long']], 'BadPagesDetected' : [ 0x4, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0x8, ['long']], 'ScrubPasses' : [ 0xc, ['long']], 'ScrubBadPagesFound' : [ 0x10, ['long']], 'PageHashErrors' : [ 0x14, ['unsigned long']], 'FeatureBits' : [ 0x18, ['unsigned long long']], 'TimeZoneId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['_MI_FLAGS']], 'VsmConnection' : [ 0x28, ['pointer', ['void']]], 'ExceptionChainTerminator' : [ 0x2c, ['pointer', 
['_EXCEPTION_REGISTRATION_RECORD']]], 'ExceptionChainTerminatorRecord' : [ 0x30, ['_EXCEPTION_REGISTRATION_RECORD']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 
'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DELAY_ACK_FO' : [ 0xc, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'OriginalFileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 
0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_MI_BAD_MEMORY_EVENT_ENTRY' : [ 0x28, { 'BugCheckCode' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['long']], 'Data' : [ 0x8, ['unsigned long']], 'PhysicalAddress' : [ 0x10, ['_LARGE_INTEGER']], 'WorkItem' : [ 0x18, ['_WORK_QUEUE_ITEM']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], 
'_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_MI_SYSTEM_TRIM_STATE' : [ 0x40, { 'ExpansionLock' : [ 0x0, ['unsigned long']], 'TrimInProgressCount' : [ 0x4, ['long']], 'PeriodicWorkingSetEvent' : [ 0x8, ['_KEVENT']], 'TrimAllPageFaultCount' : [ 0x18, ['array', 3, ['unsigned long']]], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_MI_ZERO_COST_COUNTS' : [ 0x10, { 'NativeSum' : [ 0x0, 
['unsigned long long']], 'CachedSum' : [ 0x8, ['unsigned long long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MI_RESAVAIL_TRACKER' : [ 0x200, { 'AllocateKernelStack' : [ 0x0, ['unsigned long']], 'AllocateGrowKernelStack' : [ 0x4, ['unsigned long']], 'FreeKernelStack' : [ 0x8, ['unsigned long']], 'FreeKernelStackError' : [ 0xc, ['unsigned long']], 'FreeGrowKernelStackError' : [ 0x10, ['unsigned long']], 'AllocateCreateProcess' : [ 0x14, ['unsigned long']], 'FreeCreateProcessError' : [ 0x18, ['unsigned long']], 'FreeDeleteProcess' : [ 0x1c, ['unsigned long']], 'FreeCleanProcess' : [ 0x20, ['unsigned long']], 'FreeCleanProcessError' : [ 0x24, ['unsigned long']], 'AllocateAddProcessWsMetaPage' : [ 0x28, ['unsigned long']], 'AllocateWsIncrease' : [ 0x2c, ['unsigned long']], 'FreeWsIncreaseError' : [ 0x30, ['unsigned long']], 'FreeWsIncreaseErrorMax' : [ 0x34, ['unsigned long']], 'FreeWsDecrease' : [ 0x38, ['unsigned long']], 'AllocateWorkingSetPage' : [ 0x3c, ['unsigned long']], 'FreeWorkingSetPageError' : [ 0x40, ['unsigned long']], 'FreeDeletePteRange' : [ 0x44, ['unsigned long']], 'AllocatePageTablesForProcessMetadata' : [ 0x48, ['unsigned long']], 'FreePageTablesForProcessMetadataError2' : [ 0x4c, ['unsigned long']], 'AllocatePageTablesForSystem' : [ 0x50, ['unsigned long']], 'FreePageTablesExcess' : [ 0x54, ['unsigned long']], 'FreeSystemVaPageTables' : [ 0x58, ['unsigned long']], 'FreeSessionVaPageTables' : [ 0x5c, ['unsigned long']], 'AllocateCreateSession' : [ 0x60, ['unsigned long']], 
'FreeSessionWsDereference' : [ 0x64, ['unsigned long']], 'FreeSessionDereference' : [ 0x68, ['unsigned long']], 'AllocateLockedSessionImage' : [ 0x6c, ['unsigned long']], 'FreeLockedSessionImage' : [ 0x70, ['unsigned long']], 'FreeSessionImageConversion' : [ 0x74, ['unsigned long']], 'AllocateWsAdjustPageTable' : [ 0x78, ['unsigned long']], 'FreeWsAdjustPageTable' : [ 0x7c, ['unsigned long']], 'FreeWsAdjustPageTableError' : [ 0x80, ['unsigned long']], 'AllocateNoLowMemory' : [ 0x84, ['unsigned long']], 'AllocatePagedPoolLockedDown' : [ 0x88, ['unsigned long']], 'FreePagedPoolLockedDown' : [ 0x8c, ['unsigned long']], 'AllocateSystemBitmaps' : [ 0x90, ['unsigned long']], 'FreeSystemBitmapsError' : [ 0x94, ['unsigned long']], 'AllocateForMdl' : [ 0x98, ['unsigned long']], 'FreeFromMdl' : [ 0x9c, ['unsigned long']], 'AllocateForMdlPartition' : [ 0xa0, ['unsigned long']], 'FreeFromMdlPartition' : [ 0xa4, ['unsigned long']], 'FreeMdlExcess' : [ 0xa8, ['unsigned long']], 'AllocateExpansionNonPagedPool' : [ 0xac, ['unsigned long']], 'FreeExpansionNonPagedPool' : [ 0xb0, ['unsigned long']], 'AllocateVad' : [ 0xb4, ['unsigned long']], 'RemoveVad' : [ 0xb8, ['unsigned long']], 'FreeVad' : [ 0xbc, ['unsigned long']], 'AllocateContiguous' : [ 0xc0, ['unsigned long']], 'FreeContiguousPages' : [ 0xc4, ['unsigned long']], 'FreeContiguousError' : [ 0xc8, ['unsigned long']], 'FreeLargePageMemory' : [ 0xcc, ['unsigned long']], 'AllocateSystemWsles' : [ 0xd0, ['unsigned long']], 'FreeSystemWsles' : [ 0xd4, ['unsigned long']], 'AllocateSystemInitWs' : [ 0xd8, ['unsigned long']], 'AllocateSessionInitWs' : [ 0xdc, ['unsigned long']], 'FreeSessionInitWsError' : [ 0xe0, ['unsigned long']], 'AllocateSystemImage' : [ 0xe4, ['unsigned long']], 'AllocateSystemImageLoad' : [ 0xe8, ['unsigned long']], 'AllocateSessionSharedImage' : [ 0xec, ['unsigned long']], 'FreeSystemImageInitCode' : [ 0xf0, ['unsigned long']], 'FreeSystemImageLargePageConversion' : [ 0xf4, ['unsigned long']], 
'FreeSystemImageError' : [ 0xf8, ['unsigned long']], 'FreeSystemImageLoadExcess' : [ 0xfc, ['unsigned long']], 'FreeUnloadSystemImage' : [ 0x100, ['unsigned long']], 'FreeReloadBootImageLarge' : [ 0x104, ['unsigned long']], 'FreeIndependent' : [ 0x108, ['unsigned long']], 'AllocateHotRemove' : [ 0x10c, ['unsigned long']], 'FreeHotAdd' : [ 0x110, ['unsigned long']], 'AllocateBoot' : [ 0x114, ['unsigned long']], 'FreeLoaderBlock' : [ 0x118, ['unsigned long']], 'AllocateNonPagedSpecialPool' : [ 0x11c, ['unsigned long']], 'FreeNonPagedSpecialPoolError' : [ 0x120, ['unsigned long']], 'FreeNonPagedSpecialPool' : [ 0x124, ['unsigned long']], 'AllocateSharedSegmentPage' : [ 0x128, ['unsigned long']], 'FreeSharedSegmentPage' : [ 0x12c, ['unsigned long']], 'AllocateZeroPage' : [ 0x130, ['unsigned long']], 'FreeZeroPage' : [ 0x134, ['unsigned long']], 'AllocateForPo' : [ 0x138, ['unsigned long']], 'AllocateForPoForce' : [ 0x13c, ['unsigned long']], 'FreeForPo' : [ 0x140, ['unsigned long']], 'AllocateThreadHardFaultBehavior' : [ 0x144, ['unsigned long']], 'FreeThreadHardFaultBehavior' : [ 0x148, ['unsigned long']], 'ObtainFaultCharges' : [ 0x14c, ['unsigned long']], 'FreeFaultCharges' : [ 0x150, ['unsigned long']], 'AllocateStoreCharges' : [ 0x154, ['unsigned long']], 'FreeStoreCharges' : [ 0x158, ['unsigned long']], 'ObtainLockedPageCharge' : [ 0x180, ['unsigned long']], 'FreeLockedPageCharge' : [ 0x1c0, ['unsigned long']], 'AllocateStore' : [ 0x1c4, ['unsigned long']], 'FreeStore' : [ 0x1c8, ['unsigned long']], 'AllocateSystemImageProtos' : [ 0x1cc, ['unsigned long']], 'FreeSystemImageProtos' : [ 0x1d0, ['unsigned long']], 'AllocateModWriterCharge' : [ 0x1d4, ['unsigned long']], 'FreeModWriterCharge' : [ 0x1d8, ['unsigned long']], 'AllocateMappedWriterCharge' : [ 0x1dc, ['unsigned long']], 'FreeMappedWriterCharge' : [ 0x1e0, ['unsigned long']], 'AllocateRegistryCharges' : [ 0x1e4, ['unsigned long']], 'FreeRegistryCharges' : [ 0x1e8, ['unsigned long']], } ], 
'_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'CompactionMask' : [ 0x8, ['unsigned long long']], 'Reserved2' : [ 0x10, ['array', 6, ['unsigned long long']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x24, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'Context' : [ 0xc, ['pointer', ['void']]], 'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x14, 
['unsigned long']], 'Status' : [ 0x18, ['long']], 'Information' : [ 0x1c, ['pointer', ['void']]], 'ReferenceCount' : [ 0x20, ['long']], } ], '_MI_COMBINE_PAGE_LISTHEAD' : [ 0x8, { 'Table' : [ 0x0, ['_RTL_AVL_TREE']], 'Lock' : [ 0x4, ['long']], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '__unnamed_248d' : [ 0x8, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_248f' : [ 0x8, { 'RangeCount' : [ 0x0, ['unsigned long']], 'SetBitCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_2491' : [ 0x8, { 'Context1' : [ 0x0, ['unsigned long']], 'Context2' : [ 0x4, ['unsigned long']], } ], '__unnamed_2493' : [ 0x8, { 'DirtyVectorModifiedContext' : [ 0x0, ['__unnamed_248d']], 'DirtyDataCaptureContext' : [ 0x0, ['__unnamed_248f']], 'Raw' : [ 0x0, ['__unnamed_2491']], } ], '_CM_DIRTY_VECTOR_LOG_ENTRY' : [ 0x28, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'Operation' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DirtyVectorModified', 1: 'DirtyDataCaptureStart', 2: 'DirtyDataCaptureEnd'})]], 'Data' : [ 0x8, ['__unnamed_2493']], 'Stack' : [ 0x10, ['array', 6, ['pointer', ['void']]]], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'TempSegCs' : [ 0xc, ['unsigned short']], 'Logging' : [ 0xe, ['unsigned char']], 'FrameType' : [ 0xf, ['unsigned char']], 'TempEsp' : [ 0x10, ['unsigned long']], 'Dr0' : [ 0x14, ['unsigned long']], 'Dr1' : [ 0x18, ['unsigned long']], 'Dr2' : [ 0x1c, ['unsigned long']], 'Dr3' : [ 0x20, ['unsigned long']], 'Dr6' : [ 0x24, ['unsigned long']], 'Dr7' : [ 0x28, ['unsigned long']], 'SegGs' : [ 0x2c, ['unsigned long']], 'SegEs' : [ 0x30, ['unsigned long']], 'SegDs' : [ 0x34, ['unsigned long']], 'Edx' : [ 0x38, ['unsigned long']], 'Ecx' : [ 0x3c, 
['unsigned long']], 'Eax' : [ 0x40, ['unsigned long']], 'PreviousPreviousMode' : [ 0x44, ['unsigned char']], 'EntropyQueueDpc' : [ 0x45, ['unsigned char']], 'Reserved' : [ 0x46, ['array', 2, ['unsigned char']]], 'MxCsr' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_MI_SYSTEM_NODE_INFORMATION' : [ 0xb0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'NonPagedPoolSListHeadNx' : [ 0x20, ['array', 3, ['_SLIST_HEADER']]], 'CachedKernelStacks' : [ 0x38, ['array', 2, ['_CACHED_KSTACK_LIST']]], 'NonPagedPoolLowestPage' : [ 0x68, ['unsigned long']], 'NonPagedPoolHighestPage' : [ 0x6c, ['unsigned long']], 'AllocatedNonPagedPool' : [ 0x70, ['unsigned long']], 'PartialLargePoolRegions' : [ 0x74, ['unsigned long']], 'PagesInPartialLargePoolRegions' : [ 0x78, ['unsigned long']], 'CachedNonPagedPoolCount' : [ 0x7c, ['unsigned long']], 'NonPagedPoolSpinLock' : [ 0x80, ['unsigned long']], 'CachedNonPagedPool' : [ 0x84, ['pointer', ['_MMPFN']]], 'NonPagedPoolFirstVa' : [ 0x88, ['pointer', ['void']]], 'NonPagedPoolLastVa' : [ 0x8c, ['pointer', ['void']]], 'NonPagedBitMap' : [ 0x90, ['array', 3, ['_RTL_BITMAP']]], 'NonPagedHint' : [ 0xa8, ['array', 2, ['unsigned long']]], } ], '_KLOCK_ENTRY_LOCK_STATE' : [ 0x8, { 'CrossThreadReleasable' : [ 0x0, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned long')]], 'Busy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 31, native_type='unsigned long')]], 'InTree' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'LockState' : [ 0x0, ['pointer', ['void']]], 'SessionState' : [ 0x4, ['pointer', ['void']]], 'SessionId' : [ 0x4, ['unsigned long']], } ], '__unnamed_24a5' : [ 0x4, { 'FlushCompleting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'FlushInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='long')]], 'Long' : [ 0x0, ['long']], } ], '_MI_PARTITION_STORES' : [ 0x50, { 'WriteAllStoreHintedPages' : [ 0x0, ['__unnamed_24a5']], 'VirtualPageFileNumber' : [ 0x4, ['unsigned long']], 'Registered' : [ 0x8, ['unsigned long']], 'ReadClusterSizeMax' : [ 0xc, ['unsigned long']], 'EvictFlushRequestCount' : [ 0x10, ['unsigned long']], 'ModifiedWriteDisableCount' : [ 0x14, ['unsigned long']], 'WriteIssueFailures' : [ 0x18, ['unsigned long']], 'EvictionThread' : [ 0x1c, ['pointer', ['_ETHREAD']]], 'EvictEvent' : [ 0x20, ['_KEVENT']], 'EvictFlushCompleteEvent' : [ 0x30, ['_KEVENT']], 'WriteSupportSListHead' : [ 0x40, ['_SLIST_HEADER']], 'EvictFlushLock' : [ 0x48, ['long']], 'ModifiedWriteFailedBitmap' : [ 0x4c, ['pointer', ['_RTL_BITMAP']]], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x8, ['unsigned long']], 'SyncCallback' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'DmaContext' : [ 0xc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0xc, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, 
['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, 
['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '_MI_FLAGS' : [ 0x4, { 'EntireFlags' : [ 0x0, ['long']], 'VerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'KernelVerifierEnabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LargePageKernel' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'StopOn4d' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'InitializationPhase' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'PageKernelStacks' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'CheckZeroPages' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ProcessorPrewalks' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ProcessorPostwalks' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'CoverageBuild' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AccessBitReplacementDisabled' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CheckExecute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ZeroNonCachedByConverting' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ZeroWriteCombinedByConverting' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectedPagesEnabled' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'StrongCodeGuarantees' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'HardCodeGuarantees' : [ 0x0, ['BitField', 
dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'ExecutePagePrivilegeRequired' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'StrongPageIdentity' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'SecureRelocations' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], } ], '_MI_SUB64K_FREE_RANGES' : [ 0x1c, { 'BitMap' : [ 0x0, ['_RTL_BITMAP']], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'Vad' : [ 0x10, ['pointer', ['_MMVAD_SHORT']]], 'SubListIndex' : [ 0x14, ['unsigned short']], 'Hint' : [ 0x16, ['unsigned short']], 'SetBits' : [ 0x18, ['unsigned long']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 
'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0xc, ['pointer', ['_HANDLE_TABLE']]], 'Flags' : [ 0x10, ['unsigned long']], 'NumberOfBuckets' : [ 0x14, ['unsigned long']], 'Buckets' : [ 0x18, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '__unnamed_24e2' : [ 0x18, { 'RequestedTime' : [ 0x0, ['unsigned long long']], 'ProgrammedTime' : [ 0x8, ['unsigned long long']], 'TimerInfo' : [ 0x10, ['pointer', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0x108, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'WakeFirstUnattendedTime' : [ 0x50, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x60, ['array', 3, ['__unnamed_24e2']]], 'WakeAlarmPaused' : [ 0xa8, ['unsigned char']], 'WakeAlarmLastTime' : [ 0xb0, ['unsigned long long']], 'FilteredCapabilities' : [ 0xb8, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 
0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x8, { 'ProcessorIndex' : [ 0x0, ['unsigned long']], 'ExpectedState' : [ 0x4, ['unsigned char']], 'AllowDeeperStates' : [ 0x5, ['unsigned char']], 'LooseDependency' : [ 0x6, ['unsigned char']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'InProgressFlags' : [ 0x14, ['unsigned char']], 'KernelApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpecialApcInProgress' : [ 0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x28, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 
'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x3e0, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'SelectionStatistics' : [ 0x28, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa0, 
['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, 
['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_PERFINFO_PPM_STATE_SELECTION' : [ 0xc, { 'SelectedState' : [ 0x0, ['unsigned long']], 'VetoedStates' : [ 0x4, ['unsigned long']], 'VetoReason' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', 
['_ACL']]], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'ModifiedStoreWrite' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer', ['_MMPTE']]], } ], '_PPM_SELECTION_MENU_ENTRY' : [ 0x10, { 'StrictDependency' : [ 0x0, ['unsigned char']], 'InitiatingState' : [ 0x1, ['unsigned char']], 'DependentState' : [ 0x2, ['unsigned char']], 'StateIndex' : [ 0x4, ['unsigned long']], 'Dependencies' : [ 0x8, ['unsigned long']], 'DependencyList' : [ 0xc, ['pointer', ['_PPM_SELECTION_DEPENDENCY']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x14, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x4, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0xc, ['_RTL_BITMAP']], 'EvictedBitmap' : [ 0xc, ['_RTL_BITMAP']], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_MI_COMBINE_WORKITEM' : [ 0x14, { 'NextEntry' : [ 0x0, ['pointer', ['void']]], 'WorkItem' : [ 0x4, ['_WORK_QUEUE_ITEM']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x2a4, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, 
['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, ['unsigned long']], 'PackageDependencyData' : [ 0x298, ['pointer', ['void']]], 'ProcessGroupId' : [ 0x29c, ['unsigned long']], 'LoaderThreads' : [ 0x2a0, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, 
['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_LOCK_HEADER' : [ 0x10, { 'LockTree' : [ 0x0, ['_RTL_AVL_TREE']], 'Count' : [ 0x4, ['unsigned long']], 'Lock' : [ 0x8, ['unsigned long']], 'Valid' : [ 0xc, ['unsigned long']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_PS_PROTECTION' : [ 0x1, { 'Level' : [ 0x0, ['unsigned char']], 'Type' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Audit' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Signer' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_MSUBSECTION' : [ 0x44, { 'Core' : [ 0x0, ['_SUBSECTION']], 'SubsectionNode' : [ 0x28, ['_RTL_BALANCED_NODE']], 'DereferenceList' : [ 0x34, ['_LIST_ENTRY']], 
'NumberOfMappedViews' : [ 0x3c, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x40, ['unsigned long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_259c' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x2000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_259c']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x18, ['unsigned long']], 'NonPagablePages' : [ 0x1c, ['unsigned long']], 'CommittedPages' : [ 0x20, ['unsigned long']], 'PagedPoolStart' : [ 0x24, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x28, ['pointer', ['void']]], 'SessionObject' : [ 0x2c, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x30, ['pointer', ['void']]], 'SessionPoolAllocationFailures' : [ 0x34, ['array', 4, ['unsigned long']]], 'ImageTree' : [ 0x44, ['_RTL_AVL_TREE']], 'LocaleId' : [ 0x48, ['unsigned long']], 'AttachCount' : [ 0x4c, ['unsigned long']], 'AttachGate' : [ 0x50, ['_KGATE']], 'WsListEntry' : [ 0x60, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 24, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xc80, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xc94, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xcb0, ['_MMSUPPORT']], 'Wsle' : [ 0xd30, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xd34, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xd40, ['_POOL_DESCRIPTOR']], 
'PageTables' : [ 0x1e80, ['pointer', ['_MMPTE']]], 'PagedPoolBitBuffer' : [ 0x1e84, ['array', 32, ['unsigned long']]], 'SpecialPool' : [ 0x1f08, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f50, ['_EX_PUSH_LOCK']], 'PoolBigEntriesInUse' : [ 0x1f54, ['long']], 'PagedPoolPdeCount' : [ 0x1f58, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f5c, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f60, ['unsigned long']], 'SystemPteInfo' : [ 0x1f64, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f98, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1f9c, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1fa0, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fa4, ['unsigned long']], 'IoState' : [ 0x1fa8, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1fac, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fb0, ['_KEVENT']], 'ServerSilo' : [ 0x1fc0, ['pointer', ['_EJOB']]], 'CreateTime' : [ 0x1fc8, ['unsigned long long']], } ], '_MMPAGE_FILE_EXPANSION' : [ 0x38, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'Partition' : [ 0xc, ['pointer', ['_MI_PARTITION']]], 'RequestedExpansionSize' : [ 0x10, ['unsigned long']], 'ActualExpansion' : [ 0x14, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'InProgress' : [ 0x28, ['long']], 'u' : [ 0x2c, ['_MMPAGE_FILE_EXPANSION_FLAGS']], 'ActiveEntry' : [ 0x30, ['pointer', ['pointer', ['void']]]], 'AttemptForCantExtend' : [ 0x34, ['unsigned char']], 'PageFileContract' : [ 0x35, ['unsigned char']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : 
[ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '__unnamed_25ad' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_25b1' : [ 0x4, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x4c, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x28, ['__unnamed_25ad']], 'Subsection' : [ 0x2c, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x30, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x38, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x40, ['pointer', ['_EPROCESS']]], 'u4' : [ 0x44, ['__unnamed_25b1']], 'FileObject' : [ 0x48, ['pointer', ['_FILE_OBJECT']]], } ], '_SEP_SID_VALUES_BLOCK' : [ 0x10, { 'BlockLength' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'SidCount' : [ 0x8, ['unsigned long']], 'SidValuesStart' : [ 0xc, ['unsigned long']], } ], '_MI_PARTITION_STATE' : [ 0x38, { 'PartitionLock' : [ 0x0, ['unsigned long']], 'PartitionIdLock' : [ 0x4, ['_EX_PUSH_LOCK']], 'InitialPartitionIdBits' : [ 0x8, ['unsigned long long']], 'PartitionList' : [ 0x10, ['_LIST_ENTRY']], 'PartitionIdBitmap' : [ 0x18, ['pointer', ['_RTL_BITMAP']]], 'InitialPartitionIdBitmap' : [ 0x1c, ['_RTL_BITMAP']], 'TempPartitionPointers' : [ 0x24, ['array', 1, ['pointer', ['_MI_PARTITION']]]], 'Partition' : [ 0x28, ['pointer', ['pointer', ['_MI_PARTITION']]]], 'TotalPagesInChildPartitions' : [ 0x2c, ['unsigned long']], 'CrossPartitionDenials' : [ 0x30, ['unsigned long']], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Gate' : [ 0x8, ['_KGATE']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, 
['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_NONOPAQUE_OPLOCK' : [ 0x50, { 'IrpExclusiveOplock' : [ 0x0, ['pointer', ['_IRP']]], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x8, ['pointer', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'WaiterPriority' : [ 0x10, ['unsigned char']], 'IrpOplocksR' : [ 0x14, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x1c, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x24, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x2c, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x34, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x3c, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x44, ['pointer', ['_GUID']]], 'OplockState' : [ 0x48, ['unsigned long']], 'FastMutex' : [ 0x4c, ['pointer', ['_FAST_MUTEX']]], } ], '_MI_LARGEPAGE_MEMORY_INFO' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ColoredPageInfoBase' : [ 0x8, ['pointer', ['_COLORED_PAGE_INFO']]], 'PagesNeedZeroing' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PROCESS_ENERGY_VALUES' 
: [ 0x90, { 'Cycles' : [ 0x0, ['array', 4, ['array', 2, ['unsigned long long']]]], 'DiskEnergy' : [ 0x40, ['unsigned long long']], 'NetworkTailEnergy' : [ 0x48, ['unsigned long long']], 'MBBTailEnergy' : [ 0x50, ['unsigned long long']], 'NetworkTxRxBytes' : [ 0x58, ['unsigned long long']], 'MBBTxRxBytes' : [ 0x60, ['unsigned long long']], 'Foreground' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'WindowInformation' : [ 0x68, ['unsigned long']], 'PixelArea' : [ 0x6c, ['unsigned long']], 'PixelReportTimestamp' : [ 0x70, ['long long']], 'PixelTime' : [ 0x78, ['unsigned long long']], 'ForegroundReportTimestamp' : [ 0x80, ['long long']], 'ForegroundTime' : [ 0x88, ['unsigned long long']], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_MI_COMMON_PAGE_STATE' : [ 0x2c, { 'PageOfOnesPfn' : [ 0x0, ['pointer', ['_MMPFN']]], 'PageOfOnes' : [ 0x4, ['unsigned long']], 'DummyPagePfn' : [ 0x8, ['pointer', ['_MMPFN']]], 'DummyPage' : [ 0xc, ['unsigned long']], 'PageOfZeroes' : [ 0x10, ['unsigned long']], 'ZeroMapping' : [ 0x14, ['pointer', ['void']]], 'OnesMapping' : [ 0x18, ['pointer', ['void']]], 
'BitmapGapFrames' : [ 0x1c, ['array', 2, ['unsigned long']]], 'PfnGapFrames' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, 
['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, 
native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'SystemVaAllocated' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PreferredFsCompressionBoundary' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'UsingFileExtents' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MI_VAD_ALLOCATION_CELL' : [ 0x1c, { 'AllocationBitMap' : [ 0x0, ['_RTL_BITMAP']], 'BitMapHint' : [ 0x8, ['unsigned long']], 'LastAllocationSize' : [ 0xc, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x10, ['unsigned long']], 'LowestBottomUpVadBit' : [ 0x14, ['unsigned long']], 'LowestBottomUpAllocationAddress' : [ 0x18, ['pointer', ['void']]], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x18, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x8, ['pointer', ['void']]], 'SessionViewVa' : [ 0x8, ['pointer', ['void']]], 'VadsProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Type' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 
'SubsectionType' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SectionOffset' : [ 0x10, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '__unnamed_25f2' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x50, { 'Status' : [ 0x0, ['long']], 'PartitionId' : [ 0x4, ['unsigned short']], 'Priority' : [ 0x6, ['unsigned char']], 'IrpPriority' : [ 0x7, ['unsigned char']], 'ReservationWrite' : [ 0x8, ['unsigned char']], 'CurrentTime' : [ 0x10, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x18, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x1c, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x24, ['unsigned long']], 'ModifiedPagefileNoReservationPages' : [ 0x28, ['unsigned long']], 'MdlHack' : [ 0x2c, ['__unnamed_25f2']], } ], '_PROC_PERF_DOMAIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0x18, ['unsigned long']], 'Class' : [ 0x1c, ['unsigned char']], 'Spare' : [ 0x1d, ['array', 3, ['unsigned char']]], 'Processors' : [ 0x20, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0x24, ['pointer', ['void']]], 'TimeWindowHandler' : [ 0x28, ['pointer', ['void']]], 'BoostPolicyHandler' : [ 0x2c, ['pointer', ['void']]], 'BoostModeHandler' : [ 0x30, ['pointer', ['void']]], 'EnergyPerfPreferenceHandler' : [ 0x34, ['pointer', ['void']]], 'AutonomousActivityWindowHandler' : [ 0x38, ['pointer', ['void']]], 'AutonomousModeHandler' : [ 0x3c, ['pointer', ['void']]], 'ReinitializeHandler' : [ 0x40, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x44, ['pointer', 
['void']]], 'PerfControlHandler' : [ 0x48, ['pointer', ['void']]], 'MaxFrequency' : [ 0x4c, ['unsigned long']], 'NominalFrequency' : [ 0x50, ['unsigned long']], 'MaxPercent' : [ 0x54, ['unsigned long']], 'MinPerfPercent' : [ 0x58, ['unsigned long']], 'MinThrottlePercent' : [ 0x5c, ['unsigned long']], 'MinimumRelativePerformance' : [ 0x60, ['unsigned long long']], 'NominalRelativePerformance' : [ 0x68, ['unsigned long long']], 'Coordination' : [ 0x70, ['unsigned char']], 'HardPlatformCap' : [ 0x71, ['unsigned char']], 'AffinitizeControl' : [ 0x72, ['unsigned char']], 'EfficientThrottle' : [ 0x73, ['unsigned char']], 'AutonomousMode' : [ 0x74, ['unsigned char']], 'SelectedPercent' : [ 0x78, ['unsigned long']], 'SelectedFrequency' : [ 0x7c, ['unsigned long']], 'DesiredPercent' : [ 0x80, ['unsigned long']], 'MaxPolicyPercent' : [ 0x84, ['unsigned long']], 'MinPolicyPercent' : [ 0x88, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x8c, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x90, ['unsigned long']], 'GuaranteedPercent' : [ 0x94, ['unsigned long']], 'TolerancePercent' : [ 0x98, ['unsigned long']], 'SelectedState' : [ 0xa0, ['unsigned long long']], 'PerfChangeTime' : [ 0xa8, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0xb0, ['unsigned long']], 'Force' : [ 0xb4, ['unsigned char']], 'ProvideGuidance' : [ 0xb5, ['unsigned char']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HVIEW_MAP_TABLE' : [ 0x600, { 'Entries' : [ 0x0, ['array', 64, ['_HVIEW_MAP_ENTRY']]], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, 
['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_TRIAGE_9F_PNP' : [ 0xc, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'CompletionQueue' : [ 0x4, ['pointer', ['_TRIAGE_PNP_DEVICE_COMPLETION_QUEUE']]], 'DelayedWorkQueue' : [ 0x8, ['pointer', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_RELATION_LIST' : [ 0x8, { 'DeviceObjectList' : [ 0x0, ['pointer', ['_DEVICE_OBJECT_LIST']]], 'Sorted' : [ 0x4, ['unsigned char']], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_MI_STANDBY_STATE' : [ 0x80, { 'TransitionSharedPages' : [ 0x0, ['unsigned long']], 'TransitionSharedPagesPeak' : [ 0x4, ['array', 3, ['unsigned long']]], 'FirstDecayPage' : [ 0x10, ['unsigned long']], 'PfnDecayFreeSList' : [ 0x18, ['_SLIST_HEADER']], 'PfnRepurposeLog' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'AllocatePfnRepurposeDpc' : [ 0x24, ['_KDPC']], } ], '_MI_ACCESS_LOG_STATE' : [ 0x80, { 'CcAccessLog' : [ 0x0, ['pointer', ['_MM_PAGE_ACCESS_INFO_HEADER']]], 'Enabled' : [ 0x4, ['unsigned long']], 'DisableAccessLogging' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'MinLoggingPriority' : [ 0x18, ['unsigned long']], 'AccessLoggingLock' : [ 0x40, ['unsigned long']], } ], '_ETW_BUFFER_QUEUE' : [ 0xc, { 'QueueHead' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueTail' : [ 0x4, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x8, ['_SINGLE_LIST_ENTRY']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', 
['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x48, { 'Lock' : [ 0x0, ['unsigned long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long']], 'SpecialPoolPdes' : [ 0x3c, ['_RTL_BITMAP']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x4, { 'LogHandleContext' : [ 0x0, ['pointer', ['_LOG_HANDLE_CONTEXT']]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_CURRENT_BROADCAST' : [ 0x10, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'DeviceState' : [ 0xc, ['pointer', ['_POP_DEVICE_SYS_STATE']]], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_FAST_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_IOV_IRP_TRACE' : [ 0x40, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x8, ['short']], 'SpecialApcDisable' : [ 0xa, ['short']], 'CombinedApcDisable' : [ 0x8, ['unsigned long']], 'Irql' : [ 0xc, ['unsigned char']], 'StackTrace' : [ 0x10, ['array', 12, ['pointer', ['void']]]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 
0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x8, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x4, ['pointer', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_PROC_IDLE_POLICY' : [ 0x6, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], 'ForceLightIdle' : [ 0x5, ['unsigned char']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2657' : [ 0x4, { 'PercentLevel' : [ 0x0, ['unsigned long']], } ], '__unnamed_2659' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceFan', 10: 'PolicyCsBatterySaver', 11: 'PolicyImmediateDozeS4Predicted', 12: 'PolicyImmediateDozeS4PredictedNoWake', 13: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_2657']], 'Button' : [ 0xc, ['__unnamed_2659']], } ], '_KDPC_DATA' : [ 0x18, { 'DpcList' : [ 0x0, ['_KDPC_LIST']], 'DpcLock' : [ 0x8, ['unsigned 
long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], 'ActiveDpc' : [ 0x14, ['pointer', ['_KDPC']]], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_KSCB' : [ 0xf8, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'MinQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'MaxQuotaCycleTarget' : [ 0x10, ['unsigned long long']], 'RankCycleTarget' : [ 0x18, ['unsigned long long']], 'LongTermCycles' : [ 0x20, ['unsigned long long']], 'LastReportedCycles' : [ 0x28, ['unsigned long long']], 'OverQuotaHistory' : [ 0x30, ['unsigned long long']], 'ReadyTime' : [ 0x38, ['unsigned long long']], 'InsertTime' : [ 0x40, ['unsigned long long']], 'PerProcessorList' : [ 0x48, ['_LIST_ENTRY']], 'QueueNode' : [ 0x50, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'MaxOverQuota' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'MinOverQuota' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SoftCap' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Spare1' : [ 0x5c, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Depth' : [ 0x5d, ['unsigned char']], 'ReadySummary' : [ 0x5e, ['unsigned short']], 'Rank' : [ 0x60, 
['unsigned long']], 'ReadyListHead' : [ 0x64, ['array', 16, ['_LIST_ENTRY']]], 'ChildScbQueue' : [ 0xe4, ['_RTL_RB_TREE']], 'Parent' : [ 0xec, ['pointer', ['_KSCB']]], 'Root' : [ 0xf0, ['pointer', ['_KSCB']]], } ], '__unnamed_2668' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_2669' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2668']], 'Merged' : [ 0x10, ['__unnamed_2669']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_PROC_PERF_HISTORY' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'UtilityTotal' : [ 0x8, ['unsigned long']], 'AffinitizedUtilityTotal' : [ 0xc, ['unsigned long']], 'FrequencyTotal' : [ 0x10, ['unsigned long']], 'TaggedPercentTotal' : [ 0x14, ['array', 2, ['unsigned long']]], 'HistoryList' : [ 0x1c, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_MI_PARTITION_ZEROING' : [ 0x40, { 'PageEvent' : [ 0x0, ['_KEVENT']], 'ThreadActive' : [ 0x10, ['unsigned char']], 'ZeroFreePageSlistMinimum' : [ 0x14, ['long']], 'FirstReservedZeroingPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'RebalanceZeroFreeWorkItem' : [ 0x1c, ['_WORK_QUEUE_ITEM']], 'ThreadCount' : [ 0x2c, ['long']], 'Gate' : [ 0x30, ['_KGATE']], } ], '__unnamed_2676' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit 
= 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_2676']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Processors' : [ 0x4, ['unsigned long']], 'ActiveProcessors' : [ 0x8, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '__unnamed_268e' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2690' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_268e']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0xa8, { 'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_2690']], 'Signature' : [ 0x14, ['unsigned long']], 'PoolPageHeaders' : [ 0x18, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, ['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], 'ExecutePoolTypes' : [ 0x90, ['unsigned long']], 
'ExecutePageProtections' : [ 0x94, ['unsigned long']], 'ExecutePageMappings' : [ 0x98, ['unsigned long']], 'ExecuteWriteSections' : [ 0x9c, ['unsigned long']], 'SectionAlignmentFailures' : [ 0xa0, ['unsigned long']], } ], '_TRIAGE_DEVICE_NODE' : [ 0x2c, { 'Sibling' : [ 0x0, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_TRIAGE_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'FxDevice' : [ 0x28, ['pointer', ['_TRIAGE_POP_FX_DEVICE']]], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long']], 'PipelinedReadAheadRequestSize' : [ 0x54, ['unsigned long']], 'ReadAheadGrowth' : [ 0x58, ['unsigned long']], 'PrivateLinks' : [ 0x5c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x64, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 
'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_MI_SYSTEM_IMAGE_STATE' : [ 0x6c, { 'FixupLock' : [ 0x0, ['long']], 'FixupList' : [ 0x4, ['_LIST_ENTRY']], 'LoadLock' : [ 0xc, ['_KMUTANT']], 'FirstLoadEver' : [ 0x2c, ['unsigned char']], 'LargePageAll' : [ 0x2d, ['unsigned char']], 'LastPage' : [ 0x30, ['unsigned long']], 
'LargePageList' : [ 0x34, ['_LIST_ENTRY']], 'BeingDeleted' : [ 0x3c, ['pointer', ['_KLDR_DATA_TABLE_ENTRY']]], 'MappingRangesPushLock' : [ 0x40, ['_EX_PUSH_LOCK']], 'MappingRanges' : [ 0x44, ['array', 2, ['pointer', ['_MI_DRIVER_VA']]]], 'PageCount' : [ 0x4c, ['unsigned long']], 'PageCounts' : [ 0x50, ['_MM_SYSTEM_PAGE_COUNTS']], 'CollidedLock' : [ 0x60, ['_EX_PUSH_LOCK']], 'ErrataPte' : [ 0x64, ['pointer', ['_MMPTE']]], 'ErrataPteMapped' : [ 0x68, ['unsigned long']], } ], '_PTE_TRACKER' : [ 0x44, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'GuardPte' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 7, ['pointer', ['void']]]], } ], '_HV_GET_CELL_CONTEXT' : [ 0x4, { 'Cell' : [ 0x0, ['unsigned long']], 'IsInTempBin' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long 
long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '__unnamed_26c2' : [ 0x2, { 'SignatureLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'SignatureType' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned short')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'EntireField' : [ 0x0, ['unsigned short']], } ], '_KLDR_DATA_TABLE_ENTRY' : [ 0x5c, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'ExceptionTable' : [ 0x8, ['pointer', ['void']]], 'ExceptionTableSize' : [ 0xc, ['unsigned long']], 'GpValue' : [ 0x10, ['pointer', ['void']]], 'NonPagedDebugInfo' : [ 0x14, ['pointer', ['_NON_PAGED_DEBUG_INFO']]], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'u1' : [ 0x3a, ['__unnamed_26c2']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'CoverageSectionSize' : [ 0x44, ['unsigned long']], 'CoverageSection' : [ 0x48, ['pointer', ['void']]], 'LoadedImports' : [ 0x4c, ['pointer', ['void']]], 'Spare' : [ 0x50, ['pointer', ['void']]], 'SizeOfImageNotRounded' : [ 0x54, ['unsigned long']], 'TimeDateStamp' : [ 0x58, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 
0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x28, { 'InstantaneousRead' : [ 0x0, ['pointer', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'Scaling' : [ 0x22, ['unsigned char']], 'Context' : [ 0x24, ['unsigned long']], } ], '_PPM_COORDINATED_SYNCHRONIZATION' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'EnterProcessor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long')]], 'ExitProcessor' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 24, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 26, native_type='unsigned long')]], 'Entered' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'EntryPriority' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_MI_PAGING_IO_STATE' : [ 0x38, { 'PageFileHead' : [ 0x0, ['_RTL_AVL_TREE']], 'PageFileHeadSpinLock' : [ 0x4, ['long']], 'PrefetchSeekThreshold' : [ 0x8, ['long']], 'InPageSupportSListHead' : [ 0x10, ['array', 2, ['_SLIST_HEADER']]], 'InPageSupportSListMinimum' : [ 0x20, ['array', 2, ['unsigned char']]], 'InPageSinglePages' : [ 0x24, ['unsigned long']], 'DelayPageFaults' : [ 0x28, ['long']], 'FileCompressionBoundary' : [ 0x2c, ['unsigned long']], 'MdlsAdjusted' : [ 0x30, ['unsigned char']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCIES' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x8, 
['array', 1, ['_PROCESSOR_PLATFORM_STATE_RESIDENCY']]], } ], '_MI_FORCED_COMMITS' : [ 0x8, { 'Regular' : [ 0x0, ['unsigned long']], 'Wrap' : [ 0x4, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x14, { 'BlockOffset' : [ 0x0, ['unsigned long']], 'PermanentBinAddress' : [ 0x4, ['unsigned long']], 'TemporaryBinAddress' : [ 0x8, ['unsigned long']], 'TemporaryBinRundown' : [ 0xc, ['_EX_RUNDOWN_REF']], 'MemAlloc' : [ 0x10, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x1c, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'Reference' : [ 0x8, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x18, ['unsigned char']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_PLATFORM_IDLE_ACCOUNTING' : [ 0x400, { 'ResetCount' : [ 0x0, ['unsigned long']], 'StateCount' : [ 0x4, ['unsigned long']], 'DeepSleepCount' : [ 0x8, ['unsigned long']], 'TimeUnit' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['_PLATFORM_IDLE_STATE_ACCOUNTING']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_DUAL' : [ 0x19c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x190, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x198, ['unsigned long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x4, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 11, native_type='unsigned long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_26f1' : [ 
0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_26f4' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0xf8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'Event' : [ 0x10, ['_KEVENT']], 'CollidedEvent' : [ 0x20, ['_KEVENT']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ApcState' : [ 0x40, ['_KAPC_STATE']], 'Thread' : [ 0x58, ['pointer', ['_ETHREAD']]], 'LockedProtoPfn' : [ 0x5c, ['pointer', ['_MMPFN']]], 'PteContents' : [ 0x60, ['_MMPTE']], 'WaitCount' : [ 0x68, ['long']], 'ByteCount' : [ 0x6c, ['unsigned long']], 'u3' : [ 0x70, ['__unnamed_26f1']], 'u1' : [ 0x74, ['__unnamed_26f4']], 'FilePointer' : [ 0x78, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x7c, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x7c, ['pointer', ['_SUBSECTION']]], 'Autoboost' : [ 0x80, ['pointer', ['void']]], 'FaultingAddress' : [ 0x84, ['pointer', ['void']]], 'PointerPte' : [ 0x88, ['pointer', ['_MMPTE']]], 'BasePte' : [ 0x8c, ['pointer', ['_MMPTE']]], 'Pfn' : [ 0x90, ['pointer', ['_MMPFN']]], 'PrefetchMdl' : [ 0x94, ['pointer', ['_MDL']]], 'Mdl' : [ 0x98, ['_MDL']], 'Page' : [ 0xb4, ['array', 16, ['unsigned long']]], 'FlowThrough' : [ 0xb4, ['_MMINPAGE_SUPPORT_FLOW_THROUGH']], } ], '_HAL_NODE_RANGE' : [ 0x8, { 'PageFrameIndex' : [ 0x0, ['unsigned long']], 'Node' : [ 0x4, ['unsigned long']], } ], '_MMCLONE_BLOCK' : [ 0x10, { 'ProtoPte' : [ 0x0, ['_MMPTE']], 'CloneCommitCount' : [ 0x8, ['unsigned long']], 'u1' : [ 0x8, ['_MI_CLONE_BLOCK_FLAGS']], 'CloneRefCount' : [ 0xc, ['unsigned long']], } ], '_PS_TRUSTLET_TKSESSION_ID' : [ 0x20, { 'SessionId' : [ 0x0, ['array', 4, ['unsigned long long']]], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', 
dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass', 23: 'ConfigureDeviceExtensions', 24: 'ConfigureDeviceReset'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned long']], 'CompletionEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], 'ActivityId' : [ 0x20, ['_GUID']], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x1c, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0xc, ['long']], 'PackageSid' : [ 0x10, ['pointer', ['void']]], 'LowboxNumber' : [ 0x14, ['unsigned long']], 'AtomTable' : [ 0x18, ['pointer', ['void']]], } ], '_MI_LDW_WORK_CONTEXT' : [ 0x20, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'FileObject' : [ 0x10, ['pointer', ['_FILE_OBJECT']]], 'ErrorStatus' : [ 0x14, ['long']], 'Active' : [ 0x18, ['long']], 'FreeWhenDone' : [ 0x1c, ['unsigned char']], } ], '_MI_CFG_BITMAP_INFO' : [ 0xc, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'RegionSize' : [ 0x4, ['unsigned long']], 'BitmapVad' : [ 0x8, ['pointer', ['_MMVAD']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MI_SHUTDOWN_STATE' : [ 0x48, { 'CrashDumpInitialized' : [ 0x0, ['unsigned 
char']], 'ConnectedStandbyActive' : [ 0x1, ['unsigned char']], 'SystemShutdown' : [ 0x4, ['unsigned long']], 'ShutdownFlushInProgress' : [ 0x8, ['long']], 'ResumeItem' : [ 0xc, ['_MI_RESUME_WORKITEM']], 'MirrorHoldsPfn' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'MirroringActive' : [ 0x30, ['unsigned long']], 'MirrorBitMaps' : [ 0x34, ['array', 2, ['_RTL_BITMAP']]], 'CrashDumpPte' : [ 0x44, ['pointer', ['_MMPTE']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x18, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x1a, ['unsigned short']], 'OperatingSystemVersion' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ComPlusPrefer32bit' : [ 0x23, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 6, end_bit = 8, 
native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x3c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GroupRegList' : [ 0x8, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer', ['_ETW_GUID_ENTRY']]], 'GroupEntry' : [ 0x14, ['pointer', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x18, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x18, ['array', 4, ['pointer', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x18, ['pointer', ['void']]], 'SessionId' : [ 0x1c, ['unsigned long']], 'Process' : [ 0x28, ['pointer', ['_EPROCESS']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], 'Callback' : [ 0x2c, ['pointer', ['void']]], 'Index' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned char']], 'DbgKernelRegistration' : [ 0x32, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgUserRegistration' : [ 0x32, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DbgReplyRegistration' : [ 0x32, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'DbgClassicRegistration' : [ 0x32, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'DbgSessionSpaceRegistration' : [ 0x32, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DbgModernRegistration' : [ 0x32, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DbgClosed' : [ 0x32, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DbgInserted' : [ 0x32, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'EnableMask' : [ 0x33, ['unsigned char']], 'GroupEnableMask' : [ 0x34, ['unsigned char']], 'UseDescriptorType' : [ 0x35, ['unsigned char']], 'Traits' : [ 0x38, ['pointer', ['_ETW_PROVIDER_TRAITS']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', 
['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_HVIEW_MAP_PIN_LOG' : [ 0x308, { 'Next' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'Entries' : [ 0x8, ['array', 16, ['_HVIEW_MAP_PIN_LOG_ENTRY']]], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 
'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_MI_PROBE_RAISE_TRACKER' : [ 0x40, { 'UserRangeInKernel' : [ 0x0, ['unsigned long']], 'FaultFailed' : [ 0x4, ['unsigned long']], 'WriteFaultFailed' : [ 0x8, ['unsigned long']], 'LargePageFailed' : [ 0xc, ['unsigned long']], 'UserAccessToKernelPte' : [ 0x10, ['unsigned long']], 'BadPageLocation' : [ 0x14, ['unsigned long']], 'InsufficientCharge' : [ 0x18, ['unsigned long']], 'PageTableCharge' : [ 0x1c, ['unsigned long']], 'NoPhysicalMapping' : [ 0x20, ['unsigned long']], 'NoIoReference' : [ 0x24, ['unsigned long']], 'ProbeFailed' : [ 0x28, ['unsigned long']], 'PteIsZero' : [ 0x2c, ['unsigned long']], 'StrongCodeWrite' : [ 0x30, ['unsigned long']], 'ReducedCloneCommitChargeFailed' : [ 0x34, ['unsigned long']], 'CopyOnWriteAtDispatchNoPages' : [ 0x38, ['unsigned long']], 'EnclavePageFailed' : [ 0x3c, ['unsigned long']], } ], '_ETW_PROVIDER_TRAITS' : [ 0x14, { 'Node' : [ 0x0, ['_RTL_BALANCED_NODE']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'Traits' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_INTERRUPT_CONNECTION_DATA' : [ 0x58, { 'Count' : [ 0x0, ['unsigned long']], 'Vectors' : [ 0x8, ['array', 1, ['_INTERRUPT_VECTOR_DATA']]], } ], '_MI_CLONE_BLOCK_FLAGS' : [ 0x4, { 'ActualCloneCommit' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 27, native_type='unsigned long')]], 'CloneProtection' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 32, native_type='unsigned long')]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xa0, { 'InLoadOrderLinks' : [ 0x0, 
['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x34, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x34, ['unsigned long']], 'PackagedBinary' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x34, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x34, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x34, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x34, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x34, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x34, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'InExceptionTable' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x34, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x34, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LoadConfigProcessed' : [ 0x34, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x34, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ProtectDelayLoad' : [ 0x34, ['BitField', dict(start_bit = 15, 
end_bit = 16, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x34, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x34, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x34, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x34, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x34, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x34, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x34, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x34, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x34, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Lock' : [ 0x4c, ['pointer', ['void']]], 'DdagNode' : [ 0x50, ['pointer', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0x54, ['_LIST_ENTRY']], 'LoadContext' : [ 0x5c, ['pointer', ['_LDRP_LOAD_CONTEXT']]], 'ParentDllBase' : [ 0x60, ['pointer', ['void']]], 'SwitchBackContext' : [ 0x64, ['pointer', ['void']]], 'BaseAddressIndexNode' : [ 0x68, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0x74, 
['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0x80, ['unsigned long']], 'LoadTime' : [ 0x88, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x90, ['unsigned long']], 'LoadReason' : [ 0x94, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], 'ImplicitPathOptions' : [ 0x98, ['unsigned long']], 'ReferenceCount' : [ 0x9c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], 'AllStacksInUse' : [ 0x14, ['unsigned long']], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GetExtents' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit 
= 3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFilePageHashActive' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CoalescedIo' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'VmLockNotNeeded' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_MI_DRIVER_VA' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_DRIVER_VA']]], 'PointerPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BitMap' : [ 0x8, ['_RTL_BITMAP']], 'Hint' : [ 0x10, ['unsigned long']], } ], '_LDR_DDAG_NODE' : [ 0x2c, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x8, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0xc, ['unsigned long']], 'LoadWhileUnloadingCount' : [ 0x10, ['unsigned long']], 'LowestLink' : [ 0x14, ['unsigned long']], 'Dependencies' : [ 0x18, ['_LDRP_CSLIST']], 'IncomingDependencies' : [ 0x1c, ['_LDRP_CSLIST']], 'State' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 
'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'PreorderNumber' : [ 0x28, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x104, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'Order' : [ 0x1c, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0xec, ['_LIST_ENTRY']], 'Status' : [ 0xf4, ['long']], 'FailedDevice' : [ 0xf8, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0xfc, ['unsigned char']], 'Cancelled' : [ 0xfd, ['unsigned char']], 'IgnoreErrors' : [ 0xfe, ['unsigned char']], 'IgnoreNotImplemented' : [ 0xff, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x100, ['unsigned char']], } ], '_KHETERO_PROCESSOR_SET' : [ 0x8, { 'PreferredMask' : [ 0x0, ['unsigned long']], 'AvailableMask' : [ 0x4, ['unsigned long']], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x8, { 'LogHandle' : [ 0x0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x4, ['pointer', ['void']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 
'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_KWAIT_CHAIN_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Event' : [ 0x4, ['_KEVENT']], } ], '__unnamed_276f' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '__unnamed_2771' : [ 0x4, { 'NumberOfChildViews' : [ 0x0, ['unsigned long']], } ], '__unnamed_2773' : [ 0x4, { 'AlignmentNoAccessPtes' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'DirtyPages' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SUBSECTION' : [ 0x28, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'GlobalPerSessionHead' : [ 0xc, ['_RTL_AVL_TREE']], 'CreationWaitList' : [ 0xc, ['pointer', ['_MI_SUBSECTION_WAIT_BLOCK']]], 'SessionDriverProtos' : [ 0xc, ['pointer', ['_MI_PER_SESSION_PROTOS']]], 'u' : [ 0x10, ['__unnamed_276f']], 'StartingSector' : [ 0x14, ['unsigned long']], 'NumberOfFullSectors' : [ 0x18, ['unsigned long']], 'PtesInSubsection' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_2771']], 'UnusedPtes' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'DirtyPages' : [ 0x24, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u2' : [ 0x24, ['__unnamed_2773']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : 
[ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x44, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Name' : [ 0xc, ['_UNICODE_STRING']], 'Latency' : [ 0x14, ['unsigned long']], 'BreakEvenDuration' : [ 0x18, ['unsigned long']], 'Power' : [ 0x1c, ['unsigned long']], 'StateFlags' : [ 0x20, ['unsigned long']], 'VetoAccounting' : [ 0x24, ['_PPM_VETO_ACCOUNTING']], 'StateType' : [ 0x3c, ['unsigned char']], 'InterruptsEnabled' : [ 0x3d, ['unsigned char']], 'Interruptible' : [ 0x3e, ['unsigned char']], 'ContextRetained' : [ 0x3f, ['unsigned char']], 'CacheCoherent' : [ 0x40, ['unsigned char']], 'WakesSpuriously' : [ 0x41, ['unsigned char']], 'PlatformOnly' : [ 0x42, ['unsigned char']], 'NoCState' : [ 0x43, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 
'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_MI_SYSTEM_PTE_STATE' : [ 0x180, { 'DeadPteTrackerSListHead' : [ 0x0, ['_SLIST_HEADER']], 'PteTrackerLock' : [ 0x8, ['unsigned long']], 'MdlTrackerLookaside' : [ 0x40, ['_NPAGED_LOOKASIDE_LIST']], 'PteTrackingBitmap' : [ 0x100, ['_RTL_BITMAP']], 'CachedPteHeads' : [ 0x108, ['pointer', ['_MI_CACHED_PTES']]], 'SystemViewPteInfo' : [ 0x10c, ['_MI_SYSTEM_PTE_TYPE']], 'KernelStackPages' : [ 0x140, ['unsigned char']], 'QueuedStacks' : [ 0x148, ['_SLIST_HEADER']], 'StackGrowthFailures' : [ 0x150, ['unsigned long']], 'TrackPtesAborted' : [ 0x154, ['unsigned char']], 'AdjustCounter' : [ 0x155, ['unsigned char']], 'QueuedStacksWorkItem' : [ 0x158, ['_MI_QUEUED_DEADSTACK_WORKITEM']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x34, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x4, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x8, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0xc, ['long']], 'HighWaterMark' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['array', 8, ['unsigned long']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], 
'_AGGREGATED_PAYLOAD_FILTER' : [ 0x50, { 'MagicValue' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned short')]], 'DescriptorVersion' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'Size' : [ 0x2, ['unsigned short']], 'PredicateCount' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'HashedEventIdBitmap' : [ 0x8, ['unsigned long long']], 'ProviderGuid' : [ 0x10, ['_GUID']], 'EachEventTableOffset' : [ 0x20, ['unsigned short']], 'EachEventTableLength' : [ 0x22, ['unsigned short']], 'PayloadDecoderTableOffset' : [ 0x24, ['unsigned short']], 'PayloadDecoderTableLength' : [ 0x26, ['unsigned short']], 'EventFilterTableOffset' : [ 0x28, ['unsigned short']], 'EventFilterTableLength' : [ 0x2a, ['unsigned short']], 'UNICODEStringTableOffset' : [ 0x2c, ['unsigned short']], 'UNICODEStringTableLength' : [ 0x2e, ['unsigned short']], 'ANSIStringTableOffset' : [ 0x30, ['unsigned short']], 'ANSIStringTableLength' : [ 0x32, ['unsigned short']], 'PredicateTable' : [ 0x38, ['array', 1, ['_EVENT_PAYLOAD_PREDICATE']]], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'HasRenderingCommand' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_PPM_POLICY_SETTINGS_MASK' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long long']], 'PerfDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PerfIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PerfDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PerfIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PerfDecreaseThreshold' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PerfIncreaseThreshold' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'PerfMinPolicy' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'PerfMaxPolicy' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'PerfTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PerfBoostPolicy' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PerfBoostMode' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'AllowThrottling' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PerfHistoryCount' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ParkingPerfState' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LatencyHintPerf' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'LatencyHintUnpark' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CoreParkingMinCores' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CoreParkingMaxCores' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'CoreParkingDecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'CoreParkingIncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CoreParkingDecreaseTime' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CoreParkingIncreaseTime' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CoreParkingOverUtilizationThreshold' : [ 0x0, ['BitField', 
dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'CoreParkingDistributeUtility' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CoreParkingConcurrencyThreshold' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CoreParkingHeadroomThreshold' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CoreParkingDistributionThreshold' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'IdleAllowScaling' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'IdleDisable' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'IdleTimeCheck' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'IdleDemoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'IdlePromoteThreshold' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'HeteroDecreaseTime' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HeteroIncreaseTime' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HeteroDecreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HeteroIncreaseThreshold' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Class0FloorPerformance' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Class1InitialPerformance' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnergyPerfPreference' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'AutonomousActivityWindow' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 
'AutonomousMode' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DutyCycling' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_27a3' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x14, { 'NodeRangeSize' : [ 0x0, ['unsigned long']], 'NodeCount' : [ 0x4, ['unsigned long']], 'Tables' : [ 0x8, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0xc, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_27a3']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_POP_FX_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long']], 'Active' : [ 0x4, ['unsigned char']], 'DripsRequiredState' : [ 0x8, ['unsigned long']], 'Level' : [ 0xc, ['long']], 'ActiveStamp' : [ 0x10, ['long long']], 'CsActiveTime' : [ 0x18, ['unsigned long long']], 'CriticalActiveTime' : [ 0x20, ['long long']], } ], '_MI_RESUME_WORKITEM' : [ 0x20, { 'ResumeCompleteEvent' : [ 0x0, ['_KEVENT']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_TRIAGE_EX_WORK_QUEUE' : [ 0x19c, { 'WorkPriQueue' : [ 0x0, ['_KPRIQUEUE']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x8, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'TaggedPercent' : [ 0x5, ['array', 2, ['unsigned char']]], } ], '_POP_FX_COMPONENT' : [ 0xc0, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x14, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x30, ['pointer', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x34, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x3c, ['long']], 'ActiveEvent' : [ 0x40, ['_KEVENT']], 'IdleLock' : [ 0x50, ['unsigned long']], 'IdleConditionComplete' : [ 0x54, ['long']], 'IdleStateComplete' : [ 0x58, ['long']], 'IdleStamp' : [ 0x60, ['unsigned long long']], 'CurrentIdleState' : [ 0x68, ['unsigned long']], 'IdleStateCount' : [ 0x6c, ['unsigned long']], 'IdleStates' : [ 0x70, ['pointer', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0x74, ['unsigned long']], 'ProviderCount' : [ 0x78, ['unsigned long']], 'Providers' : [ 0x7c, ['pointer', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0x80, ['unsigned long']], 'DependentCount' : [ 0x84, ['unsigned long']], 'Dependents' : [ 0x88, ['pointer', ['_POP_FX_DEPENDENT']]], 'Accounting' : [ 0x90, ['_POP_FX_ACCOUNTING']], 'Performance' : [ 0xb8, ['pointer', ['_POP_FX_PERF_INFO']]], } ], '_PEP_CRASHDUMP_INFORMATION' : [ 0x8, { 'DeviceHandle' : [ 0x0, ['pointer', ['PEPHANDLE__']]], 'DeviceContext' : [ 0x4, ['pointer', ['void']]], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x1c, { 'ComponentActive' : [ 0x0, ['pointer', ['void']]], 'ComponentIdle' : [ 0x4, ['pointer', ['void']]], 'ComponentIdleState' : [ 0x8, ['pointer', ['void']]], 
'DevicePowerRequired' : [ 0xc, ['pointer', ['void']]], 'DevicePowerNotRequired' : [ 0x10, ['pointer', ['void']]], 'PowerControl' : [ 0x14, ['pointer', ['void']]], 'ComponentCriticalTransition' : [ 0x18, ['pointer', ['void']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x2c, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x8, ['unsigned char']], 'Spare' : [ 0x9, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0xc, ['unsigned long']], 'DebugId' : [ 0x10, ['_CVDD']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40f0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'StackLimitHits' : [ 0x4038, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x403c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x4040, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4044, ['unsigned long']], 'TotalReleases' : [ 0x4048, ['unsigned long']], 'RootNodesDeleted' : [ 0x404c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x4050, ['unsigned long']], 'Instigator' : [ 0x4054, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4058, ['unsigned long']], 'Participant' : [ 0x405c, 
['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40dc, ['long']], 'StackType' : [ 0x40e0, ['Enumeration', dict(target = 'long', choices = {0: 'BugcheckStackLimits', 1: 'DPCStackLimits', 2: 'ExpandedStackLimits', 3: 'NormalStackLimits', 4: 'Win32kStackLimits', 5: 'SwapBusyStackLimits', 6: 'IsrStackLimits', 7: 'MaximumStackLimits'})]], 'StackLowLimit' : [ 0x40e4, ['unsigned long']], 'StackHighLimit' : [ 0x40e8, ['unsigned long']], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 
'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_MM_SYSTEM_PAGE_COUNTS' : [ 0x10, { 'SystemCodePage' : [ 0x0, ['unsigned long']], 'SystemDriverPage' : [ 0x4, ['unsigned long']], 'TotalSystemCodePages' : [ 0x8, ['long']], 'TotalSystemDriverPages' : [ 0xc, ['long']], } ], '_MI_MODWRITE_DATA' : [ 0x30, { 'PagesLoad' : [ 0x0, ['long']], 'PagesAverage' : [ 0x4, ['unsigned long']], 'AverageAvailablePages' : [ 0x8, ['unsigned long']], 'PagesWritten' : [ 0xc, ['unsigned long']], 'WritesIssued' : [ 0x10, ['unsigned long']], 'IgnoredReservationsCount' : [ 0x14, ['unsigned long']], 'FreedReservationsCount' : [ 0x18, ['unsigned long']], 'WriteBurstCount' : [ 0x1c, ['unsigned long']], 'IgnoreReservationsStartTime' : [ 0x20, ['unsigned long long']], 'ReservationClusterInfo' : [ 0x28, ['_MI_RESERVATION_CLUSTER_INFO']], 'IgnoreReservations' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'Spare1' : [ 0x2e, ['unsigned short']], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_PLATFORM_IDLE_STATE_ACCOUNTING' : [ 0x3e8, { 'CancelCount' : [ 0x0, ['unsigned long']], 'FailureCount' : [ 0x4, ['unsigned long']], 'SuccessCount' : [ 0x8, ['unsigned long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'TotalTime' : [ 0x20, ['unsigned long long']], 
'InvalidBucketIndex' : [ 0x28, ['unsigned long']], 'SelectionStatistics' : [ 0x30, ['_PPM_SELECTION_STATISTICS']], 'IdleTimeBuckets' : [ 0xa8, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, 
['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 
'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, 
end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 38, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 64, native_type='unsigned long long')]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x30, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long long']], 'OverrideState' : [ 0x20, ['unsigned long']], 'TimeCheck' : [ 0x24, ['unsigned long']], 'PromotePercent' : [ 0x28, ['unsigned char']], 'DemotePercent' : [ 0x29, ['unsigned char']], 'Parked' : [ 0x2a, ['unsigned char']], 'Interruptible' : [ 0x2b, ['unsigned char']], 'PlatformIdle' : [ 0x2c, ['unsigned char']], 'ExpectedWakeReason' : [ 0x2d, ['unsigned char']], } ], '_KREQUEST_PACKET' : [ 0x10, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer', ['void']]]], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, ['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x12, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'PrivateDemandZero' : [ 
0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_281d' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_281f' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_281d']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_281f']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_PO_IRP_QUEUE' : 
[ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoDelete' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequiresPteReversal' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ExclusiveSecure' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_2834' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_2834']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned 
long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_HVIEW_MAP_ENTRY' : [ 0x18, { 'ViewStart' : [ 0x0, ['pointer', ['void']]], 'IsPinned' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Bcb' : [ 0x4, ['pointer', ['void']]], 'PinnedPages' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_POP_COOLING_EXTENSION' : [ 0x48, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'RequestListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x10, ['_POP_RW_LOCK']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'NotificationEntry' : [ 0x1c, ['pointer', ['void']]], 'Enabled' : [ 0x20, ['unsigned char']], 'ActiveEngaged' : [ 0x21, ['unsigned 
char']], 'ThrottleLimit' : [ 0x22, ['unsigned char']], 'UpdatingToCurrent' : [ 0x23, ['unsigned char']], 'RemovalFlushEvent' : [ 0x24, ['pointer', ['_KEVENT']]], 'PnpFlushEvent' : [ 0x28, ['pointer', ['_KEVENT']]], 'Interface' : [ 0x2c, ['_THERMAL_COOLING_INTERFACE']], } ], '_EVENT_PAYLOAD_PREDICATE' : [ 0x18, { 'FieldIndex' : [ 0x0, ['unsigned short']], 'CompareOp' : [ 0x2, ['unsigned short']], 'Value' : [ 0x8, ['array', 2, ['unsigned long long']]], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_CM_INDEX' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'NameHint' : [ 0x4, ['array', 4, ['unsigned char']]], 'HashKey' : [ 0x4, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x18, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_THERMAL_POLICY' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'WaitForUpdate' : [ 0x4, ['unsigned char']], 'Hibernate' : [ 0x5, ['unsigned char']], 'Critical' : [ 0x6, ['unsigned char']], 'ThermalStandby' : [ 0x7, ['unsigned char']], 'ActivationReasons' : [ 0x8, ['unsigned long']], 'PassiveLimit' : [ 0xc, ['unsigned long']], 'ActiveLevel' : [ 0x10, ['unsigned long']], 'OverThrottled' : [ 0x14, ['unsigned char']], } ], 
'_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_MI_AVAILABLE_PAGE_WAIT_STATES' : [ 0x14, { 'Event' : [ 0x0, ['_KEVENT']], 'EventSets' : [ 0x10, ['unsigned long']], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, 
native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_COLORED_PAGE_INFO' : [ 0x10, { 'BeingZeroed' : [ 0x0, ['long']], 'Processor' : [ 0x4, ['unsigned long']], 'PagesQueued' : [ 0x8, ['unsigned long']], 'PfnAllocation' : [ 0xc, ['pointer', ['_MMPFN']]], } ], '_TRIAGE_9F_POWER' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'IrpList' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'ThreadList' : [ 0x8, ['pointer', ['_LIST_ENTRY']]], 'DelayedWorkQueue' : [ 0xc, ['pointer', ['_TRIAGE_EX_WORK_QUEUE']]], } ], '_MI_POOL_STATE' : [ 0x4e8, { 'MaximumNonPagedPoolThreshold' : [ 0x0, ['unsigned long']], 'NonPagedPoolSListMaximum' : [ 0x4, ['array', 3, ['unsigned long']]], 'AllocatedNonPagedPool' : [ 0x10, ['unsigned long']], 'BadPoolHead' : [ 0x14, ['_SINGLE_LIST_ENTRY']], 'HighEventSets' : [ 0x18, ['unsigned long']], 'HighEventSetsValid' : [ 0x1c, ['unsigned char']], 'PoolFailures' : [ 0x20, ['array', 3, ['array', 3, ['unsigned long']]]], 'PoolFailureReasons' : [ 0x44, ['_MI_POOL_FAILURE_REASONS']], 'LowPagedPoolThreshold' : [ 
0x70, ['unsigned long']], 'HighPagedPoolThreshold' : [ 0x74, ['unsigned long']], 'SpecialPoolPdesMax' : [ 0x78, ['long']], 'NonPagedPoolNodes' : [ 0x7c, ['array', 1024, ['unsigned char']]], 'PagedProtoPoolInfo' : [ 0x47c, ['_MM_PAGED_POOL_INFO']], 'PagedPoolSListMaximum' : [ 0x498, ['unsigned long']], 'PreemptiveTrims' : [ 0x49c, ['array', 4, ['unsigned long']]], 'SpecialPagesInUsePeak' : [ 0x4ac, ['unsigned long']], 'SpecialPoolRejected' : [ 0x4b0, ['array', 9, ['unsigned long']]], 'SpecialPagesNonPaged' : [ 0x4d4, ['unsigned long']], 'SpecialPoolPdes' : [ 0x4d8, ['long']], 'SessionSpecialPoolPdesMax' : [ 0x4dc, ['unsigned long']], 'TotalPagedPoolQuota' : [ 0x4e0, ['unsigned long']], 'TotalNonPagedPoolQuota' : [ 0x4e4, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_POP_POWER_SETTING_VALUES' : [ 0x13c, { 'StructureSize' : [ 0x0, ['unsigned long']], 'PopPolicy' : [ 0x4, ['_SYSTEM_POWER_POLICY']], 'CurrentAcDcPowerState' : [ 0xec, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'AwayModeEnabled' : [ 0xf0, ['unsigned char']], 'AwayModeEngaged' : [ 0xf1, ['unsigned char']], 'AwayModePolicyAllowed' : [ 0xf2, ['unsigned char']], 'AwayModeIgnoreUserPresent' : [ 0xf4, ['long']], 'AwayModeIgnoreAction' : [ 0xf8, ['long']], 'DisableFastS4' : [ 0xfc, ['unsigned char']], 'DisableStandbyStates' : [ 0xfd, ['unsigned char']], 'UnattendSleepTimeout' : [ 0x100, ['unsigned long']], 'DiskIgnoreTime' : [ 0x104, ['unsigned long']], 'DeviceIdlePolicy' : [ 0x108, ['unsigned long']], 'VideoDimTimeout' : [ 0x10c, ['unsigned long']], 'VideoNormalBrightness' : [ 0x110, ['unsigned long']], 'VideoDimBrightness' : [ 0x114, ['unsigned long']], 'AlsOffset' : [ 0x118, ['unsigned long']], 
'AlsEnabled' : [ 0x11c, ['unsigned long']], 'EsBrightness' : [ 0x120, ['unsigned long']], 'SwitchShutdownForced' : [ 0x124, ['unsigned char']], 'SystemCoolingPolicy' : [ 0x128, ['unsigned long']], 'MediaBufferingEngaged' : [ 0x12c, ['unsigned char']], 'OffloadedAudio' : [ 0x12d, ['unsigned char']], 'NonOffloadedAudio' : [ 0x12e, ['unsigned char']], 'FullscreenVideoPlayback' : [ 0x12f, ['unsigned char']], 'EsBatteryThreshold' : [ 0x130, ['unsigned long']], 'EsUserAwaySetting' : [ 0x134, ['unsigned char']], 'WiFiInStandby' : [ 0x138, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_28a5' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_28a7' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_28a5']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_28a7']], } ], '_MI_RESAVAIL_FAILURES' : [ 0x8, { 'Wrap' : [ 0x0, ['unsigned long']], 'NoCharge' : [ 0x4, ['unsigned long']], } ], '_MI_IO_PAGE_STATE' : [ 0x34, { 'IoPfnLock' : [ 
0x0, ['unsigned long']], 'IoPfnRoot' : [ 0x4, ['array', 3, ['_RTL_AVL_TREE']]], 'UnusedCachedMaps' : [ 0x10, ['_LIST_ENTRY']], 'OldestCacheFlushTimeStamp' : [ 0x18, ['unsigned long']], 'IoCacheStats' : [ 0x1c, ['_MI_IO_CACHE_STATS']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_VF_AVL_TABLE' : [ 0x80, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x3c, ['pointer', ['void']]], 'Lock' : [ 0x40, ['long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1e, { 'PerUserPolicy' : [ 0x0, ['array', 30, ['unsigned char']]], } ], '_TRIAGE_POP_FX_DEVICE' : [ 0x20, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'IrpData' : [ 0xc, ['pointer', ['_TRIAGE_POP_IRP_DATA']]], 'Status' : [ 0x10, ['long']], 'PowerReqCall' : [ 0x14, ['long']], 'PowerNotReqCall' : [ 0x18, ['long']], 'DeviceNode' : [ 0x1c, ['pointer', ['_TRIAGE_DEVICE_NODE']]], } ], '__unnamed_28c3' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_28c5' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_28cb' : [ 0xc, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], 'OutputInformation' : [ 0x8, ['pointer', ['_FS_FILTER_SECTION_SYNC_OUTPUT']]], } ], 
'__unnamed_28cf' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_28d1' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_28c3']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_28c5']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_28cb']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_28cf']], 'Others' : [ 0x0, ['__unnamed_28d1']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x4, { 'Function' : [ 0x0, ['pointer', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long']], } ], '_PPM_SELECTION_STATISTICS' : [ 0x78, { 'SelectedCount' : [ 0x0, ['unsigned long long']], 'VetoCount' : [ 0x8, ['unsigned long long']], 'PreVetoCount' : [ 0x10, ['unsigned long long']], 'WrongProcessorCount' : [ 0x18, ['unsigned long long']], 'LatencyCount' : [ 0x20, ['unsigned long long']], 'IdleDurationCount' : [ 0x28, ['unsigned long long']], 'DeviceDependencyCount' : [ 0x30, ['unsigned long long']], 'ProcessorDependencyCount' : [ 0x38, ['unsigned long long']], 'PlatformOnlyCount' : [ 0x40, ['unsigned long long']], 'InterruptibleCount' : [ 0x48, ['unsigned long long']], 'LegacyOverrideCount' : [ 0x50, ['unsigned long long']], 'CstateCheckCount' : [ 0x58, ['unsigned long long']], 'NoCStateCount' : [ 0x60, ['unsigned long long']], 'CoordinatedDependencyCount' : [ 0x68, ['unsigned long long']], 'PreVetoAccounting' : [ 0x70, ['pointer', ['_PPM_VETO_ACCOUNTING']]], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x4, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 
'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_MI_PAGE_COMBINE_STATISTICS' : [ 0x28, { 'PagesScannedActive' : [ 0x0, ['unsigned long long']], 'PagesScannedStandby' : [ 0x8, ['unsigned long long']], 'PagesCombined' : [ 0x10, ['unsigned long long']], 'CombineScanCount' : [ 0x18, ['unsigned long']], 'CombinedBlocksInUse' : [ 0x1c, ['long']], 'SumCombinedBlocksReferenceCount' : [ 0x20, ['long']], } ], '_THERMAL_COOLING_INTERFACE' : [ 0x1c, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'Flags' : [ 0x10, ['unsigned long']], 'ActiveCooling' : [ 0x14, ['pointer', ['void']]], 'PassiveCooling' : [ 0x18, ['pointer', ['void']]], } ], '_HIVE_WAIT_PACKET' : [ 0x18, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Next' : [ 0x14, ['pointer', ['_HIVE_WAIT_PACKET']]], } ], '_PROC_PERF_CHECK' : [ 0xc0, { 'LastActive' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'LastStall' : [ 0x10, ['unsigned long long']], 'Snap' : [ 0x18, ['_PROC_PERF_CHECK_SNAP']], 'TempSnap' : [ 0x68, ['_PROC_PERF_CHECK_SNAP']], 'TaggedThreadPercent' : [ 0xb8, ['array', 2, ['unsigned char']]], 'Class0FloorPerfSelection' : [ 0xba, ['unsigned char']], 'Class1MinimumPerfSelection' : [ 0xbb, ['unsigned char']], } ], '__unnamed_28ea' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_28ec' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 
'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_28ee' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_28ea']], 'Interrupt' : [ 0x0, ['__unnamed_28ec']], 'LocalInterrupt' : [ 0x0, ['__unnamed_28ec']], 'Sci' : [ 0x0, ['__unnamed_28ec']], 'Nmi' : [ 0x0, ['__unnamed_28ec']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_28ee']], } ], '_POP_HIBER_CONTEXT' : [ 0x140, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'VerifyKernelPhaseOnResume' : [ 0x3, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x4, ['unsigned char']], 'InitializationFinished' : [ 0x5, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'HvCaptureReadyBarrier' : [ 0x14, ['long']], 'HvCaptureCompletedBarrier' : [ 0x18, ['long']], 'MapFrozen' : [ 0x1c, ['unsigned char']], 'DiscardMap' : [ 0x20, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x20, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x30, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x38, ['unsigned long']], 'ClonedPageCount' : [ 0x40, ['unsigned long long']], 'CurrentMap' : [ 0x48, ['pointer', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x4c, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x50, ['unsigned long']], 'LoaderMdl' : [ 0x54, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x58, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x60, ['unsigned long long']], 'IoPages' : [ 0x68, ['pointer', ['void']]], 'IoPagesCount' : [ 0x6c, ['unsigned long']], 'CurrentMcb' : [ 0x70, ['pointer', ['void']]], 'DumpStack' : [ 0x74, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x78, 
['pointer', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0x7c, ['unsigned long']], 'Status' : [ 0x80, ['long']], 'GraphicsProc' : [ 0x84, ['unsigned long']], 'MemoryImage' : [ 0x88, ['pointer', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0x8c, ['pointer', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0x90, ['pointer', ['_MDL']]], 'SiLogOffset' : [ 0x94, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0x98, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0x9c, ['pointer', ['void']]], 'ResumeContext' : [ 0xa0, ['pointer', ['void']]], 'ResumeContextPages' : [ 0xa4, ['unsigned long']], 'ProcessorCount' : [ 0xa8, ['unsigned long']], 'ProcessorContext' : [ 0xac, ['pointer', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0xb0, ['pointer', ['unsigned char']]], 'ProdConsSize' : [ 0xb4, ['unsigned long']], 'MaxDataPages' : [ 0xb8, ['unsigned long']], 'ExtraBuffer' : [ 0xbc, ['pointer', ['void']]], 'ExtraBufferSize' : [ 0xc0, ['unsigned long']], 'ExtraMapVa' : [ 0xc4, ['pointer', ['void']]], 'BitlockerKeyPFN' : [ 0xc8, ['unsigned long']], 'IoInfo' : [ 0xd0, ['_POP_IO_INFO']], 'IoChecksums' : [ 0x130, ['pointer', ['unsigned short']]], 'IoChecksumsSize' : [ 0x134, ['unsigned long']], 'HardwareConfigurationSignature' : [ 0x138, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 
'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_POP_FX_PERF_INFO' : [ 0x60, { 'Component' : [ 0x0, ['pointer', ['_POP_FX_COMPONENT']]], 'CompletedEvent' : [ 0x4, ['_KEVENT']], 'ComponentPerfState' : [ 0x14, ['pointer', ['void']]], 'Flags' : [ 0x18, ['_POP_FX_PERF_FLAGS']], 'LastChange' : [ 0x1c, ['pointer', ['_PO_FX_PERF_STATE_CHANGE']]], 'LastChangeCount' : [ 0x20, ['unsigned long']], 'LastChangeStamp' : [ 0x28, ['unsigned long long']], 'LastChangeNominal' : [ 0x30, ['unsigned char']], 'PepRegistered' : [ 0x31, ['unsigned char']], 'QueryOnIdleStates' : [ 0x32, ['unsigned char']], 'RequestDriverContext' : [ 0x34, ['pointer', ['void']]], 'WorkOrder' : [ 0x38, ['_POP_FX_WORK_ORDER']], 'SetsCount' : [ 0x54, ['unsigned long']], 'Sets' : [ 0x58, ['pointer', ['_POP_FX_PERF_SET']]], } ], '_HAL_CHANNEL_MEMORY_RANGES' : [ 0xc, { 'PageFrameIndex' : [ 0x0, ['unsigned long']], 'MpnId' : [ 0x4, ['unsigned short']], 'Node' : [ 0x6, ['unsigned short']], 'Channel' : [ 0x8, ['unsigned short']], 'IsPowerManageable' : [ 0xa, ['unsigned char']], 'DeepPowerState' : [ 0xb, ['unsigned char']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x100, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xc0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xc8, ['pointer', ['void']]], 'PointersLength' : [ 0xcc, ['unsigned long']], 'ModulePrefix' : [ 0xd0, ['pointer', ['unsigned short']]], 'DriverList' : [ 0xd4, ['_LIST_ENTRY']], 'InitMsg' : [ 0xdc, ['_STRING']], 'ProgMsg' : [ 0xe4, ['_STRING']], 'DoneMsg' : [ 0xec, ['_STRING']], 'FileObject' 
: [ 0xf4, ['pointer', ['void']]], 'UsageType' : [ 0xf8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_PAE_PAGEINFO' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'PageFrameNumber' : [ 0x8, ['unsigned long']], 'EntriesInUse' : [ 0xc, ['unsigned long']], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_ETW_FILTER_STRING_TOKEN' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Tokens' : [ 0x4, ['array', 1, ['_ETW_FILTER_STRING_TOKEN_ELEMENT']]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x24, { 'InitiatingThread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ThreadId' : [ 0x8, ['pointer', ['void']]], 'ProcessId' : [ 0xc, ['pointer', ['void']]], 'Code' : [ 0x10, ['unsigned long']], 'Parameter1' : [ 0x14, ['unsigned long']], 'Parameter2' : [ 0x18, ['unsigned long']], 'Parameter3' : [ 0x1c, ['unsigned long']], 'Parameter4' : [ 0x20, ['unsigned long']], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, ['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : 
[ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_FS_FILTER_SECTION_SYNC_OUTPUT' : [ 0x10, { 'StructureSize' : [ 0x0, ['unsigned long']], 'SizeReturned' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DesiredReadAlignment' : [ 0xc, ['unsigned long']], } ], '_HVIEW_MAP_PIN_LOG_ENTRY' : [ 0x30, { 'ViewOffset' : [ 0x0, ['unsigned long']], 'Pinned' : [ 0x4, ['unsigned char']], 'PinMask' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer', ['_KTHREAD']]], 'Stack' : [ 0x14, ['array', 6, ['pointer', ['void']]]], } ], '__unnamed_292e' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_292e']], } ], '__unnamed_2932' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2932']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_MI_SUBSECTION_WAIT_BLOCK' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_SUBSECTION_WAIT_BLOCK']]], 'Gate' : [ 0x4, ['_KGATE']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 
'PowerActionWarmEject', 8: 'PowerActionDisplayOff'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_KSCHEDULING_GROUP_POLICY' : [ 0x8, { 'Value' : [ 0x0, ['unsigned long']], 'Weight' : [ 0x0, ['unsigned short']], 'MinRate' : [ 0x0, ['unsigned short']], 'MaxRate' : [ 0x2, ['unsigned short']], 'AllFlags' : [ 0x4, ['unsigned long']], 'Type' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare1' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], 'PO_MEMORY_IMAGE' : [ 0x310, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long long']], 'HiberFlags' : [ 0x30, ['unsigned char']], 'spare' : [ 0x31, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x34, ['unsigned long']], 'HiberVa' : [ 0x38, ['unsigned long']], 'NoFreePages' : [ 0x3c, ['unsigned long']], 'FreeMapCheck' : [ 0x40, ['unsigned long']], 'WakeCheck' : [ 0x44, ['unsigned long']], 'NumPagesForLoader' : [ 0x48, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x50, ['unsigned long']], 'FirstKernelRestorePage' : [ 0x54, ['unsigned long']], 'FirstChecksumRestorePage' : [ 0x58, ['unsigned long']], 'NoChecksumEntries' : [ 0x60, ['unsigned long long']], 'PerfInfo' : [ 0x68, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x248, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 
0x24c, ['array', 1, ['unsigned long']]], 'SiLogOffset' : [ 0x250, ['unsigned long']], 'NoBootLoaderLogPages' : [ 0x254, ['unsigned long']], 'BootLoaderLogPages' : [ 0x258, ['array', 24, ['unsigned long']]], 'NotUsed' : [ 0x2b8, ['unsigned long']], 'ResumeContextCheck' : [ 0x2bc, ['unsigned long']], 'ResumeContextPages' : [ 0x2c0, ['unsigned long']], 'Hiberboot' : [ 0x2c4, ['unsigned char']], 'HvCr3' : [ 0x2c8, ['unsigned long long']], 'HvEntryPoint' : [ 0x2d0, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x2d8, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x2e0, ['unsigned long long']], 'BootFlags' : [ 0x2e8, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x2f0, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x2f8, ['unsigned long']], 'BitlockerKeyPfns' : [ 0x2fc, ['array', 4, ['unsigned long']]], 'HardwareSignature' : [ 0x30c, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x10, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x1e0, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'HiberChecksumTicks' : [ 0x30, ['unsigned long long']], 'HiberChecksumIoTicks' : [ 0x38, ['unsigned long long']], 'TotalHibernateTime' : [ 0x40, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x48, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x4c, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x50, 
['unsigned long']], 'ResumeAppTicks' : [ 0x58, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x60, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x68, ['unsigned long long']], 'ResumeInitTicks' : [ 0x70, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x78, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x80, ['unsigned long long']], 'ResumeIoTicks' : [ 0x88, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x90, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0x98, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0xa0, ['unsigned long long']], 'ResumeMapTicks' : [ 0xa8, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xb0, ['unsigned long long']], 'ResumeChecksumTicks' : [ 0xb8, ['unsigned long long']], 'ResumeChecksumIoTicks' : [ 0xc0, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xc8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xd0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xd8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xe0, ['unsigned long long']], 'HalTscOffset' : [ 0xe8, ['unsigned long long']], 'HvlTscOffset' : [ 0xf0, ['unsigned long long']], 'SleeperThreadEnd' : [ 0xf8, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0x100, ['unsigned long long']], 'IoBoundedness' : [ 0x108, ['unsigned long long']], 'KernelDecompressTicks' : [ 0x110, ['unsigned long long']], 'KernelIoTicks' : [ 0x118, ['unsigned long long']], 'KernelCopyTicks' : [ 0x120, ['unsigned long long']], 'ReadCheckCount' : [ 0x128, ['unsigned long long']], 'KernelInitTicks' : [ 0x130, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x138, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x140, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x148, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x150, ['unsigned long long']], 'KernelChecksumTicks' : [ 0x158, ['unsigned long long']], 'KernelChecksumIoTicks' : [ 0x160, ['unsigned long long']], 
'AnimationStart' : [ 0x168, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x170, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x178, ['unsigned long']], 'SecurePagesProcessed' : [ 0x180, ['unsigned long long']], 'BootPagesProcessed' : [ 0x188, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x190, ['unsigned long long']], 'BootBytesWritten' : [ 0x198, ['unsigned long long']], 'KernelBytesWritten' : [ 0x1a0, ['unsigned long long']], 'BootPagesWritten' : [ 0x1a8, ['unsigned long long']], 'KernelPagesWritten' : [ 0x1b0, ['unsigned long long']], 'BytesWritten' : [ 0x1b8, ['unsigned long long']], 'PagesWritten' : [ 0x1c0, ['unsigned long']], 'FileRuns' : [ 0x1c4, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x1c8, ['unsigned long']], 'MaxHuffRatio' : [ 0x1cc, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x1d0, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1d8, ['unsigned long long']], } ], '_MI_QUEUED_DEADSTACK_WORKITEM' : [ 0x14, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Active' : [ 0x10, ['long']], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_FREE_DISPLAY' : [ 0x10, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_MMINPAGE_SUPPORT_FLOW_THROUGH' : [ 0x1c, { 'Page' : [ 0x0, ['array', 1, ['unsigned long']]], 'InitialInPageSupport' : [ 0x4, ['pointer', ['_MMINPAGE_SUPPORT']]], 'PagingFile' : [ 0x8, ['pointer', ['_MMPAGING_FILE']]], 'PageFileOffset' : [ 0xc, ['unsigned long']], 'Node' : [ 0x10, ['_RTL_BALANCED_NODE']], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x70, { 'UncompressedData' : [ 0x0, 
['pointer', ['unsigned char']]], 'MappingVa' : [ 0x4, ['pointer', ['void']]], 'XpressEncodeWorkspace' : [ 0x8, ['pointer', ['void']]], 'CompressedDataBuffer' : [ 0xc, ['pointer', ['unsigned char']]], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'CompressTicks' : [ 0x18, ['unsigned long long']], 'BytesCopied' : [ 0x20, ['unsigned long long']], 'PagesProcessed' : [ 0x28, ['unsigned long long']], 'DecompressTicks' : [ 0x30, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x38, ['unsigned long long']], 'SharedBufferTicks' : [ 0x40, ['unsigned long long']], 'DecompressTicksByMethod' : [ 0x48, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x68, ['unsigned long']], 'HuffCompressCount' : [ 0x6c, ['unsigned long']], } ], '_IO_REMOVE_LOCK' : [ 0x18, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_POP_IO_INFO' : [ 0x60, { 'DumpMdl' : [ 0x0, ['pointer', ['_MDL']]], 'IoStatus' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x8, ['unsigned long long']], 'IoBytesCompleted' : [ 0x10, ['unsigned long long']], 'IoBytesInProgress' : [ 0x18, ['unsigned long long']], 'RequestSize' : [ 0x20, ['unsigned long long']], 'IoLocation' : [ 0x28, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x30, ['unsigned long long']], 'Buffer' : [ 0x38, ['pointer', ['void']]], 'AsyncCapable' : [ 0x3c, ['unsigned char']], 'BytesToRead' : [ 0x40, ['unsigned long long']], 'Pages' : [ 0x48, ['unsigned long']], 'HighestChecksumIndex' : [ 0x50, ['unsigned long long']], 'PreviousChecksum' : [ 0x58, ['unsigned short']], } ], '_LDRP_CSLIST' : [ 0x4, { 'Tail' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_NON_PAGED_DEBUG_INFO' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Machine' : [ 0x8, ['unsigned short']], 'Characteristics' : [ 0xa, ['unsigned short']], 
'TimeDateStamp' : [ 0xc, ['unsigned long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'SizeOfImage' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], } ], '_POP_FX_PERF_SET' : [ 0x20, { 'PerfSet' : [ 0x0, ['pointer', ['_PO_FX_COMPONENT_PERF_SET']]], 'CurrentPerf' : [ 0x8, ['unsigned long long']], 'CurrentPerfStamp' : [ 0x10, ['unsigned long long']], 'CurrentPerfNominal' : [ 0x18, ['unsigned char']], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned 
long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LeakedPoolDeliberately' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '__unnamed_296f' : [ 0x8, { 'Gsiv' : [ 0x0, ['unsigned long']], 'WakeInterrupt' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2971' : [ 0x10, { 'Address' : [ 0x0, ['_LARGE_INTEGER']], 'DataPayload' : [ 0x8, ['unsigned long']], } ], '__unnamed_2974' : [ 0x8, { 'IntrInfo' : [ 0x0, ['_INTERRUPT_HT_INTR_INFO']], } ], '__unnamed_2978' : [ 0x4, { 'DestinationMode' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'ApicDestinationModePhysical', 2: 'ApicDestinationModeLogicalFlat', 3: 'ApicDestinationModeLogicalClustered', 4: 'ApicDestinationModeUnknown'})]], } ], '_INTERRUPT_VECTOR_DATA' : [ 0x50, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptTypeControllerInput', 1: 'InterruptTypeXapicMessage', 2: 'InterruptTypeHypertransport', 3: 'InterruptTypeMessageRequest'})]], 'Vector' : [ 0x4, ['unsigned long']], 'Irql' : [ 0x8, ['unsigned char']], 'Polarity' : [ 0xc, 
['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBothTriggerLow', 4: 'InterruptActiveBothTriggerHigh'})]], 'Mode' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'TargetProcessors' : [ 0x14, ['_GROUP_AFFINITY']], 'IntRemapInfo' : [ 0x20, ['_INTERRUPT_REMAPPING_INFO']], 'ControllerInput' : [ 0x30, ['__unnamed_296f']], 'HvDeviceId' : [ 0x38, ['unsigned long long']], 'XapicMessage' : [ 0x40, ['__unnamed_2971']], 'Hypertransport' : [ 0x40, ['__unnamed_2974']], 'GenericMessage' : [ 0x40, ['__unnamed_2971']], 'MessageRequest' : [ 0x40, ['__unnamed_2978']], } ], '_MMPAGE_FILE_EXPANSION_FLAGS' : [ 0x4, { 'PageFileNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'IgnoreCurrentCommit' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreaseMinimumSize' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Spare3' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '__unnamed_2986' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'States' : [ 0x4, ['pointer', ['_PO_FX_PERF_STATE']]], } ], '__unnamed_2988' : [ 0x10, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], } ], '_PO_FX_COMPONENT_PERF_SET' : [ 0x28, { 'Name' : [ 0x0, ['_UNICODE_STRING']], 'Flags' : [ 0x8, ['unsigned long long']], 'Unit' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateUnitOther', 1: 'PoFxPerfStateUnitFrequency', 2: 
'PoFxPerfStateUnitBandwidth', 3: 'PoFxPerfStateUnitMaximum'})]], 'Type' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PoFxPerfStateTypeDiscrete', 1: 'PoFxPerfStateTypeRange', 2: 'PoFxPerfStateTypeMaximum'})]], 'Discrete' : [ 0x18, ['__unnamed_2986']], 'Range' : [ 0x18, ['__unnamed_2988']], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_2999' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_299b' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_299d' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2999']], 'Gpt' : [ 0x0, ['__unnamed_299b']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xc0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MarkMemoryOnly' : [ 0x45, ['unsigned char']], 'HiberResume' : [ 0x46, ['unsigned char']], 'Reserved1' : [ 0x47, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, 
['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_299d']], 'ReadRoutine' : [ 0x6c, ['pointer', ['void']]], 'GetDriveTelemetryRoutine' : [ 0x70, ['pointer', ['void']]], 'LogSectionTruncateSize' : [ 0x74, ['unsigned long']], 'Parameters' : [ 0x78, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xb8, ['pointer', ['void']]], 'DumpNotifyRoutine' : [ 0xbc, ['pointer', ['void']]], } ], '_MI_IO_CACHE_STATS' : [ 0x18, { 'UnusedBlocks' : [ 0x0, ['unsigned long']], 'ActiveCacheMatch' : [ 0x4, ['unsigned long']], 'ActiveCacheOverride' : [ 0x8, ['unsigned long']], 'UnmappedCacheFlush' : [ 0xc, ['unsigned long']], 'UnmappedCacheMatch' : [ 0x10, ['unsigned long']], 'UnmappedCacheConflict' : [ 0x14, ['unsigned long']], } ], '_PROCESSOR_PLATFORM_STATE_RESIDENCY' : [ 0x10, { 'Residency' : [ 0x0, ['unsigned long long']], 'TransitionCount' : [ 0x8, ['unsigned long long']], } ], '_ETW_QUEUE_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x8, ['pointer', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0xc, ['pointer', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x10, ['pointer', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x14, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned short']], 'ReplyIndex' : [ 0x1a, ['unsigned short']], 'Flags' : [ 0x1c, ['unsigned long']], } ], '_MI_RESERVATION_CLUSTER_INFO' : [ 0x4, { 'ClusterSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'EntireInfo' : [ 0x0, ['long']], } ], '_TRIAGE_POP_IRP_DATA' : [ 0x10, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'Pdo' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], } ], '_KDPC_LIST' : [ 0x8, { 'ListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'LastEntry' : [ 0x4, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 
0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0xd0, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_MI_POOL_FAILURE_REASONS' : [ 0x2c, { 'NonPagedNoPtes' : [ 0x0, ['unsigned long']], 'PriorityTooLow' : [ 0x4, ['unsigned long']], 'NonPagedNoPagesAvailable' : [ 0x8, ['unsigned long']], 'PagedNoPtes' : [ 0xc, ['unsigned long']], 'SessionPagedNoPtes' : [ 0x10, ['unsigned long']], 'PagedNoPagesAvailable' : [ 0x14, ['unsigned long']], 'SessionPagedNoPagesAvailable' : [ 0x18, ['unsigned long']], 'PagedNoCommit' : [ 0x1c, ['unsigned long']], 'SessionPagedNoCommit' : [ 0x20, ['unsigned long']], 'NonPagedNoResidentAvailable' : [ 0x24, ['unsigned long']], 'NonPagedNoCommit' : [ 0x28, ['unsigned long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x18, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeInProcSession', 11: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '__unnamed_29d2' : [ 0x4, { 'Mask' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Polarity' : [ 
0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MessageType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], 'RequestEOI' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DestinationMode' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'MessageType3' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Destination' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Vector' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'ExtendedAddress' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_29d4' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_29d2']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_29d7' : [ 0x4, { 'ExtendedDestination' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 30, native_type='unsigned long')]], 'PassPW' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'WaitingForEOI' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_29d9' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_29d7']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_INTERRUPT_HT_INTR_INFO' : [ 0x8, { 'LowPart' : [ 0x0, ['__unnamed_29d4']], 'HighPart' : [ 0x4, ['__unnamed_29d9']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long 
long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_PROC_PERF_CHECK_SNAP' : [ 0x50, { 'Time' : [ 0x0, ['unsigned long long']], 'Active' : [ 0x8, ['unsigned long long']], 'Stall' : [ 0x10, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x18, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledKernelActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], 'TaggedThreadCycles' : [ 0x40, ['array', 2, ['unsigned long long']]], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_29e7' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x18, { 'SessionProtoNode' : [ 0x0, ['_RTL_BALANCED_NODE']], 'FreeList' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'DriverAddress' : [ 0x0, ['pointer', ['void']]], 'SessionId' : [ 0xc, ['unsigned long']], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'u2' : [ 0x14, ['__unnamed_29e7']], } ], '_PO_FX_PERF_STATE_CHANGE' : [ 0x10, { 'Set' : [ 0x0, ['unsigned long']], 'StateIndex' : [ 0x8, ['unsigned long']], 'StateValue' : [ 0x8, ['unsigned long long']], } ], '__unnamed_29ed' : [ 0x8, { 'MessageAddressLow' : [ 0x0, ['unsigned long']], 'MessageData' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], } ], '__unnamed_29ef' : [ 0x8, { 'RemappedFormat' : [ 0x0, ['_ULARGE_INTEGER']], 'Msi' : [ 0x0, ['__unnamed_29ed']], } ], '_INTERRUPT_REMAPPING_INFO' : [ 0x10, { 'IrtIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 
'FlagHalInternal' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'FlagTranslated' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_29ef']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Xcr0' : [ 0x3c, ['unsigned long long']], 'ExceptionList' : [ 0x44, ['unsigned long']], 'Reserved' : [ 0x48, ['array', 3, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ETW_FILTER_STRING_TOKEN_ELEMENT' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'String' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', 
['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_PO_FX_PERF_STATE' : [ 0x10, { 'Value' : [ 0x0, ['unsigned long long']], 'Context' : [ 0x8, ['pointer', ['void']]], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/hibernate_vtypes.py0000644000000000000000000001677213131215405030316 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

import volatility.obj as obj

# Structure layouts for the memory-range tables of a Windows hibernation
# image, one dictionary per OS build family.
#
# Every entry has the shape
#     'StructName' : [ <number>, { 'Member' : [ <number>, [<type spec>] ] } ]
# NOTE(review): by the vtype convention these overlay files appear to follow,
# the outer number is the structure size and the inner number the member
# offset -- confirm against volatility.obj.
#
# In every layout below, RangeTable is an array whose element count is the
# callable `lambda x: x.MemArrayLink.EntryCount`, i.e. the count is taken from
# a field of the structure being parsed rather than from a constant.
# NOTE(review): nothing in this file bounds EntryCount. If the image is
# truncated, corrupted or deliberately malformed the count can be arbitrary;
# verify that the code walking RangeTable caps it (for example against the
# table's page size) before iterating.

# Base layout; which profiles receive it is not visible in this file.
hibernate_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, {
        'NextTable' : [ 0x4, ['unsigned long']],
        'EntryCount' : [ 0xc, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, {
        'StartPage' : [ 0x4, ['unsigned long']],
        'EndPage' : [ 0x8, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x10, ['array',
                               lambda x: x.MemArrayLink.EntryCount,
                               ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
    '_IMAGE_XPRESS_HEADER' : [ 0x20 , {
        'u09' : [ 0x9, ['unsigned char']],
        'u0A' : [ 0xA, ['unsigned char']],
        'u0B' : [ 0xB, ['unsigned char']],
    } ]
}

# 32-bit Vista, builds up to 6001. Only the link and the array are redefined
# here; '_PO_MEMORY_RANGE_ARRAY_RANGE' is left to whatever the profile
# already holds.
hibernate_vistasp01_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, {
        'NextTable' : [ 0x4, ['unsigned long']],
        'EntryCount' : [ 0xc, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x10, ['array',
                               lambda x: x.MemArrayLink.EntryCount,
                               ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberVistaSP01x86(obj.ProfileModification):
    """Overlay hibernate_vistasp01_vtypes on 32-bit Windows 6.0, build <= 6001."""

    # NOTE(review): presumably an ordering constraint relative to the
    # 'WindowsVTypes' modification; its exact meaning is defined by
    # obj.ProfileModification, which is not shown here.
    before = ['WindowsVTypes']

    # Each predicate receives one profile metadata value; how the results are
    # combined is decided by the base class.
    conditions = {
        'os': lambda x: x == 'windows',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'build': lambda x: x <= 6001,
        'memory_model': lambda x: x == '32bit',
    }

    def modification(self, profile):
        """Merge the Vista SP0/SP1 x86 layouts into profile.vtypes, replacing same-named entries."""
        profile.vtypes.update(hibernate_vistasp01_vtypes)

# 32-bit Vista, build 6002.
hibernate_vistasp2_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, {
        'NextTable' : [ 0x4, ['unsigned long']],
        'EntryCount' : [ 0x8, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x8, {
        'StartPage' : [ 0x0, ['unsigned long']],
        'EndPage' : [ 0x4, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0xc, ['array',
                              lambda x: x.MemArrayLink.EntryCount,
                              ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberVistaSP2x86(obj.ProfileModification):
    """Overlay hibernate_vistasp2_vtypes on 32-bit Windows 6.0, build == 6002."""

    before = ['WindowsVTypes']

    conditions = {
        'os': lambda x: x == 'windows',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'build': lambda x: x == 6002,
        'memory_model': lambda x: x == '32bit',
    }

    def modification(self, profile):
        """Merge the Vista SP2 x86 layouts into profile.vtypes, replacing same-named entries."""
        profile.vtypes.update(hibernate_vistasp2_vtypes)

# 32-bit Windows 6.1, builds up to 7601.
hibernate_win7_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, {
        'NextTable' : [ 0x0, ['unsigned long']],
        'EntryCount' : [ 0x4, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x8, {
        'StartPage' : [ 0x0, ['unsigned long']],
        'EndPage' : [ 0x4, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x8, ['array',
                              lambda x: x.MemArrayLink.EntryCount,
                              ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberWin7SP01x86(obj.ProfileModification):
    """Overlay hibernate_win7_vtypes on 32-bit Windows 6.1, build <= 7601."""

    before = ['WindowsVTypes']

    conditions = {
        'os': lambda x: x == 'windows',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 1,
        'build': lambda x: x <= 7601,
        'memory_model': lambda x: x == '32bit',
    }

    def modification(self, profile):
        """Merge the Windows 7 x86 layouts into profile.vtypes, replacing same-named entries."""
        profile.vtypes.update(hibernate_win7_vtypes)

# 64-bit Windows 6.1, builds up to 7601.
hibernate_win7_x64_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, {
        'NextTable' : [ 0x0, ['unsigned long long']],
        'EntryCount' : [ 0x8, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, {
        'StartPage' : [ 0x0, ['unsigned long long']],
        'EndPage' : [ 0x8, ['unsigned long long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x10, ['array',
                               lambda x: x.MemArrayLink.EntryCount,
                               ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberWin7SP01x64(obj.ProfileModification):
    """Overlay hibernate_win7_x64_vtypes on 64-bit Windows 6.1, build <= 7601."""

    before = ['WindowsVTypes']

    conditions = {
        'os': lambda x: x == 'windows',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 1,
        'build': lambda x: x <= 7601,
        'memory_model': lambda x: x == '64bit',
    }

    def modification(self, profile):
        """Merge the Windows 7 x64 layouts into profile.vtypes, replacing same-named entries."""
        profile.vtypes.update(hibernate_win7_x64_vtypes)

# Shared by two modifications below: 64-bit Windows 5.2 and 64-bit
# Windows 6.0 up to build 6001.
hibernate_x64_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x20, {
        'NextTable' : [ 0x8, ['unsigned long long']],
        'EntryCount' : [ 0x14, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x20, {
        'StartPage' : [ 0x8, ['unsigned long long']],
        'EndPage' : [ 0x10, ['unsigned long long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x40, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x20, ['array',
                               lambda x: x.MemArrayLink.EntryCount,
                               ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberWin2003x64(obj.ProfileModification):
    """Overlay hibernate_x64_vtypes on 64-bit Windows 5.2, build <= 3791."""

    before = ['WindowsVTypes']

    conditions = {
        'os': lambda x: x == 'windows',
        'major': lambda x: x == 5,
        'minor': lambda x: x == 2,
        'build': lambda x: x <= 3791,
        'memory_model': lambda x: x == '64bit',
    }

    def modification(self, profile):
        """Merge the generic x64 layouts into profile.vtypes, replacing same-named entries."""
        profile.vtypes.update(hibernate_x64_vtypes)

class HiberVistaSP01x64(obj.ProfileModification):
    """Overlay hibernate_x64_vtypes on 64-bit Windows 6.0, build <= 6001."""

    before = ['WindowsVTypes']

    conditions = {
        'os': lambda x: x == 'windows',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'build': lambda x: x <= 6001,
        'memory_model': lambda x: x == '64bit',
    }

    def modification(self, profile):
        """Merge the generic x64 layouts into profile.vtypes, replacing same-named entries."""
        profile.vtypes.update(hibernate_x64_vtypes)

# 64-bit Vista, build 6002.
hibernate_vistaSP2_x64_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x18, {
        'NextTable' : [ 0x8, ['unsigned long long']],
        'EntryCount' : [ 0x10, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, {
        'StartPage' : [ 0x0, ['unsigned long long']],
        'EndPage' : [ 0x8, ['unsigned long long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x28, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x18, ['array',
                               lambda x: x.MemArrayLink.EntryCount,
                               ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberVistaSP2x64(obj.ProfileModification):
    """Overlay hibernate_vistaSP2_x64_vtypes on 64-bit Windows 6.0, build == 6002."""

    before = ['WindowsVTypes']

    conditions = {
        'os': lambda x: x == 'windows',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
        'build': lambda x: x == 6002,
        'memory_model': lambda x: x == '64bit',
    }

    def modification(self, profile):
        """Merge the Vista SP2 x64 layouts into profile.vtypes, replacing same-named entries."""
        profile.vtypes.update(hibernate_vistaSP2_x64_vtypes)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/vista_sp12_x86_syscalls.py0000644000000000000000000012424213131215405031350 0ustar 
rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # syscalls = [ [ 'NtAcceptConnectPort', # 0x0 'NtAccessCheck', # 0x1 'NtAccessCheckAndAuditAlarm', # 0x2 'NtAccessCheckByType', # 0x3 'NtAccessCheckByTypeAndAuditAlarm', # 0x4 'NtAccessCheckByTypeResultList', # 0x5 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7 'NtAddAtom', # 0x8 'NtAddBootEntry', # 0x9 'NtAddDriverEntry', # 0xa 'NtAdjustGroupsToken', # 0xb 'NtAdjustPrivilegesToken', # 0xc 'NtAlertResumeThread', # 0xd 'NtAlertThread', # 0xe 'NtAllocateLocallyUniqueId', # 0xf 'NtAllocateUserPhysicalPages', # 0x10 'NtAllocateUuids', # 0x11 'NtAllocateVirtualMemory', # 0x12 'NtAlpcAcceptConnectPort', # 0x13 'NtAlpcCancelMessage', # 0x14 'NtAlpcConnectPort', # 0x15 'NtAlpcCreatePort', # 0x16 'NtAlpcCreatePortSection', # 0x17 'NtAlpcCreateResourceReserve', # 0x18 'NtAlpcCreateSectionView', # 0x19 'NtAlpcCreateSecurityContext', # 0x1a 'NtAlpcDeletePortSection', # 0x1b 'NtAlpcDeleteResourceReserve', # 0x1c 'NtAlpcDeleteSectionView', # 0x1d 'NtAlpcDeleteSecurityContext', # 0x1e 'NtAlpcDisconnectPort', # 0x1f 'NtAlpcImpersonateClientOfPort', # 0x20 'NtAlpcOpenSenderProcess', # 0x21 'NtAlpcOpenSenderThread', # 0x22 'NtAlpcQueryInformation', # 0x23 'NtAlpcQueryInformationMessage', # 0x24 'NtAlpcRevokeSecurityContext', # 
0x25 'NtAlpcSendWaitReceivePort', # 0x26 'NtAlpcSetInformation', # 0x27 'NtApphelpCacheControl', # 0x28 'NtAreMappedFilesTheSame', # 0x29 'NtAssignProcessToJobObject', # 0x2a 'NtCallbackReturn', # 0x2b 'NtCancelDeviceWakeupRequest', # 0x2c 'NtCancelIoFile', # 0x2d 'NtCancelTimer', # 0x2e 'NtClearEvent', # 0x2f 'NtClose', # 0x30 'NtCloseObjectAuditAlarm', # 0x31 'NtCompactKeys', # 0x32 'NtCompareTokens', # 0x33 'NtCompleteConnectPort', # 0x34 'NtCompressKey', # 0x35 'NtConnectPort', # 0x36 'NtContinue', # 0x37 'NtCreateDebugObject', # 0x38 'NtCreateDirectoryObject', # 0x39 'NtCreateEvent', # 0x3a 'NtCreateEventPair', # 0x3b 'NtCreateFile', # 0x3c 'NtCreateIoCompletion', # 0x3d 'NtCreateJobObject', # 0x3e 'NtCreateJobSet', # 0x3f 'NtCreateKey', # 0x40 'NtCreateKeyTransacted', # 0x41 'NtCreateMailslotFile', # 0x42 'NtCreateMutant', # 0x43 'NtCreateNamedPipeFile', # 0x44 'NtCreatePrivateNamespace', # 0x45 'NtCreatePagingFile', # 0x46 'NtCreatePort', # 0x47 'NtCreateProcess', # 0x48 'NtCreateProcessEx', # 0x49 'NtCreateProfile', # 0x4a 'NtCreateSection', # 0x4b 'NtCreateSemaphore', # 0x4c 'NtCreateSymbolicLinkObject', # 0x4d 'NtCreateThread', # 0x4e 'NtCreateTimer', # 0x4f 'NtCreateToken', # 0x50 'NtCreateTransaction', # 0x51 'NtOpenTransaction', # 0x52 'NtQueryInformationTransaction', # 0x53 'NtQueryInformationTransactionManager', # 0x54 'NtPrePrepareEnlistment', # 0x55 'NtPrepareEnlistment', # 0x56 'NtCommitEnlistment', # 0x57 'NtReadOnlyEnlistment', # 0x58 'NtRollbackComplete', # 0x59 'NtRollbackEnlistment', # 0x5a 'NtCommitTransaction', # 0x5b 'NtRollbackTransaction', # 0x5c 'NtPrePrepareComplete', # 0x5d 'NtPrepareComplete', # 0x5e 'NtCommitComplete', # 0x5f 'NtSinglePhaseReject', # 0x60 'NtSetInformationTransaction', # 0x61 'NtSetInformationTransactionManager', # 0x62 'NtSetInformationResourceManager', # 0x63 'NtCreateTransactionManager', # 0x64 'NtOpenTransactionManager', # 0x65 'NtRenameTransactionManager', # 0x66 'NtRollforwardTransactionManager', # 0x67 
'NtRecoverEnlistment', # 0x68 'NtRecoverResourceManager', # 0x69 'NtRecoverTransactionManager', # 0x6a 'NtCreateResourceManager', # 0x6b 'NtOpenResourceManager', # 0x6c 'NtGetNotificationResourceManager', # 0x6d 'NtQueryInformationResourceManager', # 0x6e 'NtCreateEnlistment', # 0x6f 'NtOpenEnlistment', # 0x70 'NtSetInformationEnlistment', # 0x71 'NtQueryInformationEnlistment', # 0x72 'NtCreateWaitablePort', # 0x73 'NtDebugActiveProcess', # 0x74 'NtDebugContinue', # 0x75 'NtDelayExecution', # 0x76 'NtDeleteAtom', # 0x77 'NtDeleteBootEntry', # 0x78 'NtDeleteDriverEntry', # 0x79 'NtDeleteFile', # 0x7a 'NtDeleteKey', # 0x7b 'NtDeletePrivateNamespace', # 0x7c 'NtDeleteObjectAuditAlarm', # 0x7d 'NtDeleteValueKey', # 0x7e 'NtDeviceIoControlFile', # 0x7f 'NtDisplayString', # 0x80 'NtDuplicateObject', # 0x81 'NtDuplicateToken', # 0x82 'NtEnumerateBootEntries', # 0x83 'NtEnumerateDriverEntries', # 0x84 'NtEnumerateKey', # 0x85 'NtEnumerateSystemEnvironmentValuesEx', # 0x86 'NtEnumerateTransactionObject', # 0x87 'NtEnumerateValueKey', # 0x88 'NtExtendSection', # 0x89 'NtFilterToken', # 0x8a 'NtFindAtom', # 0x8b 'NtFlushBuffersFile', # 0x8c 'NtFlushInstructionCache', # 0x8d 'NtFlushKey', # 0x8e 'NtFlushProcessWriteBuffers', # 0x8f 'NtFlushVirtualMemory', # 0x90 'NtFlushWriteBuffer', # 0x91 'NtFreeUserPhysicalPages', # 0x92 'NtFreeVirtualMemory', # 0x93 'NtFreezeRegistry', # 0x94 'NtFreezeTransactions', # 0x95 'NtFsControlFile', # 0x96 'NtGetContextThread', # 0x97 'NtGetDevicePowerState', # 0x98 'NtGetNlsSectionPtr', # 0x99 'NtGetPlugPlayEvent', # 0x9a 'NtGetWriteWatch', # 0x9b 'NtImpersonateAnonymousToken', # 0x9c 'NtImpersonateClientOfPort', # 0x9d 'NtImpersonateThread', # 0x9e 'NtInitializeNlsFiles', # 0x9f 'NtInitializeRegistry', # 0xa0 'NtInitiatePowerAction', # 0xa1 'NtIsProcessInJob', # 0xa2 'NtIsSystemResumeAutomatic', # 0xa3 'NtListenPort', # 0xa4 'NtLoadDriver', # 0xa5 'NtLoadKey', # 0xa6 'NtLoadKey2', # 0xa7 'NtLoadKeyEx', # 0xa8 'NtLockFile', # 0xa9 
'NtLockProductActivationKeys', # 0xaa 'NtLockRegistryKey', # 0xab 'NtLockVirtualMemory', # 0xac 'NtMakePermanentObject', # 0xad 'NtMakeTemporaryObject', # 0xae 'NtMapUserPhysicalPages', # 0xaf 'NtMapUserPhysicalPagesScatter', # 0xb0 'NtMapViewOfSection', # 0xb1 'NtModifyBootEntry', # 0xb2 'NtModifyDriverEntry', # 0xb3 'NtNotifyChangeDirectoryFile', # 0xb4 'NtNotifyChangeKey', # 0xb5 'NtNotifyChangeMultipleKeys', # 0xb6 'NtOpenDirectoryObject', # 0xb7 'NtOpenEvent', # 0xb8 'NtOpenEventPair', # 0xb9 'NtOpenFile', # 0xba 'NtOpenIoCompletion', # 0xbb 'NtOpenJobObject', # 0xbc 'NtOpenKey', # 0xbd 'NtOpenKeyTransacted', # 0xbe 'NtOpenMutant', # 0xbf 'NtOpenPrivateNamespace', # 0xc0 'NtOpenObjectAuditAlarm', # 0xc1 'NtOpenProcess', # 0xc2 'NtOpenProcessToken', # 0xc3 'NtOpenProcessTokenEx', # 0xc4 'NtOpenSection', # 0xc5 'NtOpenSemaphore', # 0xc6 'NtOpenSession', # 0xc7 'NtOpenSymbolicLinkObject', # 0xc8 'NtOpenThread', # 0xc9 'NtOpenThreadToken', # 0xca 'NtOpenThreadTokenEx', # 0xcb 'NtOpenTimer', # 0xcc 'NtPlugPlayControl', # 0xcd 'NtPowerInformation', # 0xce 'NtPrivilegeCheck', # 0xcf 'NtPrivilegeObjectAuditAlarm', # 0xd0 'NtPrivilegedServiceAuditAlarm', # 0xd1 'NtProtectVirtualMemory', # 0xd2 'NtPulseEvent', # 0xd3 'NtQueryAttributesFile', # 0xd4 'NtQueryBootEntryOrder', # 0xd5 'NtQueryBootOptions', # 0xd6 'NtQueryDebugFilterState', # 0xd7 'NtQueryDefaultLocale', # 0xd8 'NtQueryDefaultUILanguage', # 0xd9 'NtQueryDirectoryFile', # 0xda 'NtQueryDirectoryObject', # 0xdb 'NtQueryDriverEntryOrder', # 0xdc 'NtQueryEaFile', # 0xdd 'NtQueryEvent', # 0xde 'NtQueryFullAttributesFile', # 0xdf 'NtQueryInformationAtom', # 0xe0 'NtQueryInformationFile', # 0xe1 'NtQueryInformationJobObject', # 0xe2 'NtQueryInformationPort', # 0xe3 'NtQueryInformationProcess', # 0xe4 'NtQueryInformationThread', # 0xe5 'NtQueryInformationToken', # 0xe6 'NtQueryInstallUILanguage', # 0xe7 'NtQueryIntervalProfile', # 0xe8 'NtQueryIoCompletion', # 0xe9 'NtQueryKey', # 0xea 'NtQueryMultipleValueKey', # 
0xeb 'NtQueryMutant', # 0xec 'NtQueryObject', # 0xed 'NtQueryOpenSubKeys', # 0xee 'NtQueryOpenSubKeysEx', # 0xef 'NtQueryPerformanceCounter', # 0xf0 'NtQueryQuotaInformationFile', # 0xf1 'NtQuerySection', # 0xf2 'NtQuerySecurityObject', # 0xf3 'NtQuerySemaphore', # 0xf4 'NtQuerySymbolicLinkObject', # 0xf5 'NtQuerySystemEnvironmentValue', # 0xf6 'NtQuerySystemEnvironmentValueEx', # 0xf7 'NtQuerySystemInformation', # 0xf8 'NtQuerySystemTime', # 0xf9 'NtQueryTimer', # 0xfa 'NtQueryTimerResolution', # 0xfb 'NtQueryValueKey', # 0xfc 'NtQueryVirtualMemory', # 0xfd 'NtQueryVolumeInformationFile', # 0xfe 'NtQueueApcThread', # 0xff 'NtRaiseException', # 0x100 'NtRaiseHardError', # 0x101 'NtReadFile', # 0x102 'NtReadFileScatter', # 0x103 'NtReadRequestData', # 0x104 'NtReadVirtualMemory', # 0x105 'NtRegisterThreadTerminatePort', # 0x106 'NtReleaseMutant', # 0x107 'NtReleaseSemaphore', # 0x108 'NtRemoveIoCompletion', # 0x109 'NtRemoveProcessDebug', # 0x10a 'NtRenameKey', # 0x10b 'NtReplaceKey', # 0x10c 'NtReplacePartitionUnit', # 0x10d 'NtReplyPort', # 0x10e 'NtReplyWaitReceivePort', # 0x10f 'NtReplyWaitReceivePortEx', # 0x110 'NtReplyWaitReplyPort', # 0x111 'NtRequestDeviceWakeup', # 0x112 'NtRequestPort', # 0x113 'NtRequestWaitReplyPort', # 0x114 'NtRequestWakeupLatency', # 0x115 'NtResetEvent', # 0x116 'NtResetWriteWatch', # 0x117 'NtRestoreKey', # 0x118 'NtResumeProcess', # 0x119 'NtResumeThread', # 0x11a 'NtSaveKey', # 0x11b 'NtSaveKeyEx', # 0x11c 'NtSaveMergedKeys', # 0x11d 'NtSecureConnectPort', # 0x11e 'NtSetBootEntryOrder', # 0x11f 'NtSetBootOptions', # 0x120 'NtSetContextThread', # 0x121 'NtSetDebugFilterState', # 0x122 'NtSetDefaultHardErrorPort', # 0x123 'NtSetDefaultLocale', # 0x124 'NtSetDefaultUILanguage', # 0x125 'NtSetDriverEntryOrder', # 0x126 'NtSetEaFile', # 0x127 'NtSetEvent', # 0x128 'NtSetEventBoostPriority', # 0x129 'NtSetHighEventPair', # 0x12a 'NtSetHighWaitLowEventPair', # 0x12b 'NtSetInformationDebugObject', # 0x12c 'NtSetInformationFile', # 0x12d 
'NtSetInformationJobObject', # 0x12e 'NtSetInformationKey', # 0x12f 'NtSetInformationObject', # 0x130 'NtSetInformationProcess', # 0x131 'NtSetInformationThread', # 0x132 'NtSetInformationToken', # 0x133 'NtSetIntervalProfile', # 0x134 'NtSetIoCompletion', # 0x135 'NtSetLdtEntries', # 0x136 'NtSetLowEventPair', # 0x137 'NtSetLowWaitHighEventPair', # 0x138 'NtSetQuotaInformationFile', # 0x139 'NtSetSecurityObject', # 0x13a 'NtSetSystemEnvironmentValue', # 0x13b 'NtSetSystemEnvironmentValueEx', # 0x13c 'NtSetSystemInformation', # 0x13d 'NtSetSystemPowerState', # 0x13e 'NtSetSystemTime', # 0x13f 'NtSetThreadExecutionState', # 0x140 'NtSetTimer', # 0x141 'NtSetTimerResolution', # 0x142 'NtSetUuidSeed', # 0x143 'NtSetValueKey', # 0x144 'NtSetVolumeInformationFile', # 0x145 'NtShutdownSystem', # 0x146 'NtSignalAndWaitForSingleObject', # 0x147 'NtStartProfile', # 0x148 'NtStopProfile', # 0x149 'NtSuspendProcess', # 0x14a 'NtSuspendThread', # 0x14b 'NtSystemDebugControl', # 0x14c 'NtTerminateJobObject', # 0x14d 'NtTerminateProcess', # 0x14e 'NtTerminateThread', # 0x14f 'NtTestAlert', # 0x150 'NtThawRegistry', # 0x151 'NtThawTransactions', # 0x152 'NtTraceEvent', # 0x153 'NtTraceControl', # 0x154 'NtTranslateFilePath', # 0x155 'NtUnloadDriver', # 0x156 'NtUnloadKey', # 0x157 'NtUnloadKey2', # 0x158 'NtUnloadKeyEx', # 0x159 'NtUnlockFile', # 0x15a 'NtUnlockVirtualMemory', # 0x15b 'NtUnmapViewOfSection', # 0x15c 'NtVdmControl', # 0x15d 'NtWaitForDebugEvent', # 0x15e 'NtWaitForMultipleObjects', # 0x15f 'NtWaitForSingleObject', # 0x160 'NtWaitHighEventPair', # 0x161 'NtWaitLowEventPair', # 0x162 'NtWriteFile', # 0x163 'NtWriteFileGather', # 0x164 'NtWriteRequestData', # 0x165 'NtWriteVirtualMemory', # 0x166 'NtYieldExecution', # 0x167 'NtCreateKeyedEvent', # 0x168 'NtOpenKeyedEvent', # 0x169 'NtReleaseKeyedEvent', # 0x16a 'NtWaitForKeyedEvent', # 0x16b 'NtQueryPortInformationProcess', # 0x16c 'NtGetCurrentProcessorNumber', # 0x16d 'NtWaitForMultipleObjects32', # 0x16e 
'NtGetNextProcess', # 0x16f 'NtGetNextThread', # 0x170 'NtCancelIoFileEx', # 0x171 'NtCancelSynchronousIoFile', # 0x172 'NtRemoveIoCompletionEx', # 0x173 'NtRegisterProtocolAddressInformation', # 0x174 'NtPropagationComplete', # 0x175 'NtPropagationFailed', # 0x176 'NtCreateWorkerFactory', # 0x177 'NtReleaseWorkerFactoryWorker', # 0x178 'NtWaitForWorkViaWorkerFactory', # 0x179 'NtSetInformationWorkerFactory', # 0x17a 'NtQueryInformationWorkerFactory', # 0x17b 'NtWorkerFactoryWorkerReady', # 0x17c 'NtShutdownWorkerFactory', # 0x17d 'NtCreateThreadEx', # 0x17e 'NtCreateUserProcess', # 0x17f 'NtQueryLicenseValue', # 0x180 'NtMapCMFModule', # 0x181 'NtIsUILanguageComitted', # 0x182 'NtFlushInstallUILanguage', # 0x183 'NtGetMUIRegistryInfo', # 0x184 'NtAcquireCMFViewOwnership', # 0x185 'NtReleaseCMFViewOwnership', # 0x186 ], [ 'NtGdiAbortDoc', # 0x0 'NtGdiAbortPath', # 0x1 'NtGdiAddFontResourceW', # 0x2 'NtGdiAddRemoteFontToDC', # 0x3 'NtGdiAddFontMemResourceEx', # 0x4 'NtGdiRemoveMergeFont', # 0x5 'NtGdiAddRemoteMMInstanceToDC', # 0x6 'NtGdiAlphaBlend', # 0x7 'NtGdiAngleArc', # 0x8 'NtGdiAnyLinkedFonts', # 0x9 'NtGdiFontIsLinked', # 0xa 'NtGdiArcInternal', # 0xb 'NtGdiBeginPath', # 0xc 'NtGdiBitBlt', # 0xd 'NtGdiCancelDC', # 0xe 'NtGdiCheckBitmapBits', # 0xf 'NtGdiCloseFigure', # 0x10 'NtGdiClearBitmapAttributes', # 0x11 'NtGdiClearBrushAttributes', # 0x12 'NtGdiColorCorrectPalette', # 0x13 'NtGdiCombineRgn', # 0x14 'NtGdiCombineTransform', # 0x15 'NtGdiComputeXformCoefficients', # 0x16 'NtGdiConfigureOPMProtectedOutput', # 0x17 'NtGdiConsoleTextOut', # 0x18 'NtGdiConvertMetafileRect', # 0x19 'NtGdiCreateBitmap', # 0x1a 'NtGdiCreateClientObj', # 0x1b 'NtGdiCreateColorSpace', # 0x1c 'NtGdiCreateColorTransform', # 0x1d 'NtGdiCreateCompatibleBitmap', # 0x1e 'NtGdiCreateCompatibleDC', # 0x1f 'NtGdiCreateDIBBrush', # 0x20 'NtGdiCreateDIBitmapInternal', # 0x21 'NtGdiCreateDIBSection', # 0x22 'NtGdiCreateEllipticRgn', # 0x23 'NtGdiCreateHalftonePalette', # 0x24 
'NtGdiCreateHatchBrushInternal', # 0x25 'NtGdiCreateMetafileDC', # 0x26 'NtGdiCreateOPMProtectedOutputs', # 0x27 'NtGdiCreatePaletteInternal', # 0x28 'NtGdiCreatePatternBrushInternal', # 0x29 'NtGdiCreatePen', # 0x2a 'NtGdiCreateRectRgn', # 0x2b 'NtGdiCreateRoundRectRgn', # 0x2c 'NtGdiCreateServerMetaFile', # 0x2d 'NtGdiCreateSolidBrush', # 0x2e 'NtGdiD3dContextCreate', # 0x2f 'NtGdiD3dContextDestroy', # 0x30 'NtGdiD3dContextDestroyAll', # 0x31 'NtGdiD3dValidateTextureStageState', # 0x32 'NtGdiD3dDrawPrimitives2', # 0x33 'NtGdiDdGetDriverState', # 0x34 'NtGdiDdAddAttachedSurface', # 0x35 'NtGdiDdAlphaBlt', # 0x36 'NtGdiDdAttachSurface', # 0x37 'NtGdiDdBeginMoCompFrame', # 0x38 'NtGdiDdBlt', # 0x39 'NtGdiDdCanCreateSurface', # 0x3a 'NtGdiDdCanCreateD3DBuffer', # 0x3b 'NtGdiDdColorControl', # 0x3c 'NtGdiDdCreateDirectDrawObject', # 0x3d 'NtGdiDdCreateSurface', # 0x3e 'NtGdiDdCreateD3DBuffer', # 0x3f 'NtGdiDdCreateMoComp', # 0x40 'NtGdiDdCreateSurfaceObject', # 0x41 'NtGdiDdDeleteDirectDrawObject', # 0x42 'NtGdiDdDeleteSurfaceObject', # 0x43 'NtGdiDdDestroyMoComp', # 0x44 'NtGdiDdDestroySurface', # 0x45 'NtGdiDdDestroyD3DBuffer', # 0x46 'NtGdiDdEndMoCompFrame', # 0x47 'NtGdiDdFlip', # 0x48 'NtGdiDdFlipToGDISurface', # 0x49 'NtGdiDdGetAvailDriverMemory', # 0x4a 'NtGdiDdGetBltStatus', # 0x4b 'NtGdiDdGetDC', # 0x4c 'NtGdiDdGetDriverInfo', # 0x4d 'NtGdiDdGetDxHandle', # 0x4e 'NtGdiDdGetFlipStatus', # 0x4f 'NtGdiDdGetInternalMoCompInfo', # 0x50 'NtGdiDdGetMoCompBuffInfo', # 0x51 'NtGdiDdGetMoCompGuids', # 0x52 'NtGdiDdGetMoCompFormats', # 0x53 'NtGdiDdGetScanLine', # 0x54 'NtGdiDdLock', # 0x55 'NtGdiDdLockD3D', # 0x56 'NtGdiDdQueryDirectDrawObject', # 0x57 'NtGdiDdQueryMoCompStatus', # 0x58 'NtGdiDdReenableDirectDrawObject', # 0x59 'NtGdiDdReleaseDC', # 0x5a 'NtGdiDdRenderMoComp', # 0x5b 'NtGdiDdResetVisrgn', # 0x5c 'NtGdiDdSetColorKey', # 0x5d 'NtGdiDdSetExclusiveMode', # 0x5e 'NtGdiDdSetGammaRamp', # 0x5f 'NtGdiDdCreateSurfaceEx', # 0x60 'NtGdiDdSetOverlayPosition', # 
0x61 'NtGdiDdUnattachSurface', # 0x62 'NtGdiDdUnlock', # 0x63 'NtGdiDdUnlockD3D', # 0x64 'NtGdiDdUpdateOverlay', # 0x65 'NtGdiDdWaitForVerticalBlank', # 0x66 'NtGdiDvpCanCreateVideoPort', # 0x67 'NtGdiDvpColorControl', # 0x68 'NtGdiDvpCreateVideoPort', # 0x69 'NtGdiDvpDestroyVideoPort', # 0x6a 'NtGdiDvpFlipVideoPort', # 0x6b 'NtGdiDvpGetVideoPortBandwidth', # 0x6c 'NtGdiDvpGetVideoPortField', # 0x6d 'NtGdiDvpGetVideoPortFlipStatus', # 0x6e 'NtGdiDvpGetVideoPortInputFormats', # 0x6f 'NtGdiDvpGetVideoPortLine', # 0x70 'NtGdiDvpGetVideoPortOutputFormats', # 0x71 'NtGdiDvpGetVideoPortConnectInfo', # 0x72 'NtGdiDvpGetVideoSignalStatus', # 0x73 'NtGdiDvpUpdateVideoPort', # 0x74 'NtGdiDvpWaitForVideoPortSync', # 0x75 'NtGdiDvpAcquireNotification', # 0x76 'NtGdiDvpReleaseNotification', # 0x77 'NtGdiDxgGenericThunk', # 0x78 'NtGdiDeleteClientObj', # 0x79 'NtGdiDeleteColorSpace', # 0x7a 'NtGdiDeleteColorTransform', # 0x7b 'NtGdiDeleteObjectApp', # 0x7c 'NtGdiDescribePixelFormat', # 0x7d 'NtGdiDestroyOPMProtectedOutput', # 0x7e 'NtGdiGetPerBandInfo', # 0x7f 'NtGdiDoBanding', # 0x80 'NtGdiDoPalette', # 0x81 'NtGdiDrawEscape', # 0x82 'NtGdiEllipse', # 0x83 'NtGdiEnableEudc', # 0x84 'NtGdiEndDoc', # 0x85 'NtGdiEndPage', # 0x86 'NtGdiEndPath', # 0x87 'NtGdiEnumFontChunk', # 0x88 'NtGdiEnumFontClose', # 0x89 'NtGdiEnumFontOpen', # 0x8a 'NtGdiEnumObjects', # 0x8b 'NtGdiEqualRgn', # 0x8c 'NtGdiEudcLoadUnloadLink', # 0x8d 'NtGdiExcludeClipRect', # 0x8e 'NtGdiExtCreatePen', # 0x8f 'NtGdiExtCreateRegion', # 0x90 'NtGdiExtEscape', # 0x91 'NtGdiExtFloodFill', # 0x92 'NtGdiExtGetObjectW', # 0x93 'NtGdiExtSelectClipRgn', # 0x94 'NtGdiExtTextOutW', # 0x95 'NtGdiFillPath', # 0x96 'NtGdiFillRgn', # 0x97 'NtGdiFlattenPath', # 0x98 'NtGdiFlush', # 0x99 'NtGdiForceUFIMapping', # 0x9a 'NtGdiFrameRgn', # 0x9b 'NtGdiFullscreenControl', # 0x9c 'NtGdiGetAndSetDCDword', # 0x9d 'NtGdiGetAppClipBox', # 0x9e 'NtGdiGetBitmapBits', # 0x9f 'NtGdiGetBitmapDimension', # 0xa0 'NtGdiGetBoundsRect', # 0xa1 
'NtGdiGetCertificate', # 0xa2 'NtGdiGetCertificateSize', # 0xa3 'NtGdiGetCharABCWidthsW', # 0xa4 'NtGdiGetCharacterPlacementW', # 0xa5 'NtGdiGetCharSet', # 0xa6 'NtGdiGetCharWidthW', # 0xa7 'NtGdiGetCharWidthInfo', # 0xa8 'NtGdiGetColorAdjustment', # 0xa9 'NtGdiGetColorSpaceforBitmap', # 0xaa 'NtGdiGetCOPPCompatibleOPMInformation', # 0xab 'NtGdiGetDCDword', # 0xac 'NtGdiGetDCforBitmap', # 0xad 'NtGdiGetDCObject', # 0xae 'NtGdiGetDCPoint', # 0xaf 'NtGdiGetDeviceCaps', # 0xb0 'NtGdiGetDeviceGammaRamp', # 0xb1 'NtGdiGetDeviceCapsAll', # 0xb2 'NtGdiGetDIBitsInternal', # 0xb3 'NtGdiGetETM', # 0xb4 'NtGdiGetEudcTimeStampEx', # 0xb5 'NtGdiGetFontData', # 0xb6 'NtGdiGetFontResourceInfoInternalW', # 0xb7 'NtGdiGetGlyphIndicesW', # 0xb8 'NtGdiGetGlyphIndicesWInternal', # 0xb9 'NtGdiGetGlyphOutline', # 0xba 'NtGdiGetOPMInformation', # 0xbb 'NtGdiGetKerningPairs', # 0xbc 'NtGdiGetLinkedUFIs', # 0xbd 'NtGdiGetMiterLimit', # 0xbe 'NtGdiGetMonitorID', # 0xbf 'NtGdiGetNearestColor', # 0xc0 'NtGdiGetNearestPaletteIndex', # 0xc1 'NtGdiGetObjectBitmapHandle', # 0xc2 'NtGdiGetOPMRandomNumber', # 0xc3 'NtGdiGetOutlineTextMetricsInternalW', # 0xc4 'NtGdiGetPath', # 0xc5 'NtGdiGetPixel', # 0xc6 'NtGdiGetRandomRgn', # 0xc7 'NtGdiGetRasterizerCaps', # 0xc8 'NtGdiGetRealizationInfo', # 0xc9 'NtGdiGetRegionData', # 0xca 'NtGdiGetRgnBox', # 0xcb 'NtGdiGetServerMetaFileBits', # 0xcc 'NtGdiGetSpoolMessage', # 0xcd 'NtGdiGetStats', # 0xce 'NtGdiGetStockObject', # 0xcf 'NtGdiGetStringBitmapW', # 0xd0 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0xd1 'NtGdiGetSystemPaletteUse', # 0xd2 'NtGdiGetTextCharsetInfo', # 0xd3 'NtGdiGetTextExtent', # 0xd4 'NtGdiGetTextExtentExW', # 0xd5 'NtGdiGetTextFaceW', # 0xd6 'NtGdiGetTextMetricsW', # 0xd7 'NtGdiGetTransform', # 0xd8 'NtGdiGetUFI', # 0xd9 'NtGdiGetEmbUFI', # 0xda 'NtGdiGetUFIPathname', # 0xdb 'NtGdiGetEmbedFonts', # 0xdc 'NtGdiChangeGhostFont', # 0xdd 'NtGdiAddEmbFontToDC', # 0xde 'NtGdiGetFontUnicodeRanges', # 0xdf 'NtGdiGetWidthTable', # 0xe0 
'NtGdiGradientFill', # 0xe1 'NtGdiHfontCreate', # 0xe2 'NtGdiIcmBrushInfo', # 0xe3 'NtGdiInit', # 0xe4 'NtGdiInitSpool', # 0xe5 'NtGdiIntersectClipRect', # 0xe6 'NtGdiInvertRgn', # 0xe7 'NtGdiLineTo', # 0xe8 'NtGdiMakeFontDir', # 0xe9 'NtGdiMakeInfoDC', # 0xea 'NtGdiMaskBlt', # 0xeb 'NtGdiModifyWorldTransform', # 0xec 'NtGdiMonoBitmap', # 0xed 'NtGdiMoveTo', # 0xee 'NtGdiOffsetClipRgn', # 0xef 'NtGdiOffsetRgn', # 0xf0 'NtGdiOpenDCW', # 0xf1 'NtGdiPatBlt', # 0xf2 'NtGdiPolyPatBlt', # 0xf3 'NtGdiPathToRegion', # 0xf4 'NtGdiPlgBlt', # 0xf5 'NtGdiPolyDraw', # 0xf6 'NtGdiPolyPolyDraw', # 0xf7 'NtGdiPolyTextOutW', # 0xf8 'NtGdiPtInRegion', # 0xf9 'NtGdiPtVisible', # 0xfa 'NtGdiQueryFonts', # 0xfb 'NtGdiQueryFontAssocInfo', # 0xfc 'NtGdiRectangle', # 0xfd 'NtGdiRectInRegion', # 0xfe 'NtGdiRectVisible', # 0xff 'NtGdiRemoveFontResourceW', # 0x100 'NtGdiRemoveFontMemResourceEx', # 0x101 'NtGdiResetDC', # 0x102 'NtGdiResizePalette', # 0x103 'NtGdiRestoreDC', # 0x104 'NtGdiRoundRect', # 0x105 'NtGdiSaveDC', # 0x106 'NtGdiScaleViewportExtEx', # 0x107 'NtGdiScaleWindowExtEx', # 0x108 'NtGdiSelectBitmap', # 0x109 'NtGdiSelectBrush', # 0x10a 'NtGdiSelectClipPath', # 0x10b 'NtGdiSelectFont', # 0x10c 'NtGdiSelectPen', # 0x10d 'NtGdiSetBitmapAttributes', # 0x10e 'NtGdiSetBitmapBits', # 0x10f 'NtGdiSetBitmapDimension', # 0x110 'NtGdiSetBoundsRect', # 0x111 'NtGdiSetBrushAttributes', # 0x112 'NtGdiSetBrushOrg', # 0x113 'NtGdiSetColorAdjustment', # 0x114 'NtGdiSetColorSpace', # 0x115 'NtGdiSetDeviceGammaRamp', # 0x116 'NtGdiSetDIBitsToDeviceInternal', # 0x117 'NtGdiSetFontEnumeration', # 0x118 'NtGdiSetFontXform', # 0x119 'NtGdiSetIcmMode', # 0x11a 'NtGdiSetLinkedUFIs', # 0x11b 'NtGdiSetMagicColors', # 0x11c 'NtGdiSetMetaRgn', # 0x11d 'NtGdiSetMiterLimit', # 0x11e 'NtGdiGetDeviceWidth', # 0x11f 'NtGdiMirrorWindowOrg', # 0x120 'NtGdiSetLayout', # 0x121 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x122 'NtGdiSetPixel', # 0x123 'NtGdiSetPixelFormat', # 0x124 'NtGdiSetRectRgn', # 0x125 
'NtGdiSetSystemPaletteUse', # 0x126 'NtGdiSetTextJustification', # 0x127 'NtGdiSetupPublicCFONT', # 0x128 'NtGdiSetVirtualResolution', # 0x129 'NtGdiSetSizeDevice', # 0x12a 'NtGdiStartDoc', # 0x12b 'NtGdiStartPage', # 0x12c 'NtGdiStretchBlt', # 0x12d 'NtGdiStretchDIBitsInternal', # 0x12e 'NtGdiStrokeAndFillPath', # 0x12f 'NtGdiStrokePath', # 0x130 'NtGdiSwapBuffers', # 0x131 'NtGdiTransformPoints', # 0x132 'NtGdiTransparentBlt', # 0x133 'NtGdiUnloadPrinterDriver', # 0x134 'NtGdiUnmapMemFont', # 0x135 'NtGdiUnrealizeObject', # 0x136 'NtGdiUpdateColors', # 0x137 'NtGdiWidenPath', # 0x138 'NtUserActivateKeyboardLayout', # 0x139 'NtUserAddClipboardFormatListener', # 0x13a 'NtUserAlterWindowStyle', # 0x13b 'NtUserAssociateInputContext', # 0x13c 'NtUserAttachThreadInput', # 0x13d 'NtUserBeginPaint', # 0x13e 'NtUserBitBltSysBmp', # 0x13f 'NtUserBlockInput', # 0x140 'NtUserBuildHimcList', # 0x141 'NtUserBuildHwndList', # 0x142 'NtUserBuildNameList', # 0x143 'NtUserBuildPropList', # 0x144 'NtUserCallHwnd', # 0x145 'NtUserCallHwndLock', # 0x146 'NtUserCallHwndOpt', # 0x147 'NtUserCallHwndParam', # 0x148 'NtUserCallHwndParamLock', # 0x149 'NtUserCallMsgFilter', # 0x14a 'NtUserCallNextHookEx', # 0x14b 'NtUserCallNoParam', # 0x14c 'NtUserCallOneParam', # 0x14d 'NtUserCallTwoParam', # 0x14e 'NtUserChangeClipboardChain', # 0x14f 'NtUserChangeDisplaySettings', # 0x150 'NtUserCheckAccessForIntegrityLevel', # 0x151 'NtUserCheckDesktopByThreadId', # 0x152 'NtUserCheckWindowThreadDesktop', # 0x153 'NtUserCheckImeHotKey', # 0x154 'NtUserCheckMenuItem', # 0x155 'NtUserChildWindowFromPointEx', # 0x156 'NtUserClipCursor', # 0x157 'NtUserCloseClipboard', # 0x158 'NtUserCloseDesktop', # 0x159 'NtUserCloseWindowStation', # 0x15a 'NtUserConsoleControl', # 0x15b 'NtUserConvertMemHandle', # 0x15c 'NtUserCopyAcceleratorTable', # 0x15d 'NtUserCountClipboardFormats', # 0x15e 'NtUserCreateAcceleratorTable', # 0x15f 'NtUserCreateCaret', # 0x160 'NtUserCreateDesktopEx', # 0x161 
'NtUserCreateInputContext', # 0x162 'NtUserCreateLocalMemHandle', # 0x163 'NtUserCreateWindowEx', # 0x164 'NtUserCreateWindowStation', # 0x165 'NtUserDdeInitialize', # 0x166 'NtUserDeferWindowPos', # 0x167 'NtUserDefSetText', # 0x168 'NtUserDeleteMenu', # 0x169 'NtUserDestroyAcceleratorTable', # 0x16a 'NtUserDestroyCursor', # 0x16b 'NtUserDestroyInputContext', # 0x16c 'NtUserDestroyMenu', # 0x16d 'NtUserDestroyWindow', # 0x16e 'NtUserDisableThreadIme', # 0x16f 'NtUserDispatchMessage', # 0x170 'NtUserDoSoundConnect', # 0x171 'NtUserDoSoundDisconnect', # 0x172 'NtUserDragDetect', # 0x173 'NtUserDragObject', # 0x174 'NtUserDrawAnimatedRects', # 0x175 'NtUserDrawCaption', # 0x176 'NtUserDrawCaptionTemp', # 0x177 'NtUserDrawIconEx', # 0x178 'NtUserDrawMenuBarTemp', # 0x179 'NtUserEmptyClipboard', # 0x17a 'NtUserEnableMenuItem', # 0x17b 'NtUserEnableScrollBar', # 0x17c 'NtUserEndDeferWindowPosEx', # 0x17d 'NtUserEndMenu', # 0x17e 'NtUserEndPaint', # 0x17f 'NtUserEnumDisplayDevices', # 0x180 'NtUserEnumDisplayMonitors', # 0x181 'NtUserEnumDisplaySettings', # 0x182 'NtUserEvent', # 0x183 'NtUserExcludeUpdateRgn', # 0x184 'NtUserFillWindow', # 0x185 'NtUserFindExistingCursorIcon', # 0x186 'NtUserFindWindowEx', # 0x187 'NtUserFlashWindowEx', # 0x188 'NtUserFrostCrashedWindow', # 0x189 'NtUserGetAltTabInfo', # 0x18a 'NtUserGetAncestor', # 0x18b 'NtUserGetAppImeLevel', # 0x18c 'NtUserGetAsyncKeyState', # 0x18d 'NtUserGetAtomName', # 0x18e 'NtUserGetCaretBlinkTime', # 0x18f 'NtUserGetCaretPos', # 0x190 'NtUserGetClassInfoEx', # 0x191 'NtUserGetClassName', # 0x192 'NtUserGetClipboardData', # 0x193 'NtUserGetClipboardFormatName', # 0x194 'NtUserGetClipboardOwner', # 0x195 'NtUserGetClipboardSequenceNumber', # 0x196 'NtUserGetClipboardViewer', # 0x197 'NtUserGetClipCursor', # 0x198 'NtUserGetComboBoxInfo', # 0x199 'NtUserGetControlBrush', # 0x19a 'NtUserGetControlColor', # 0x19b 'NtUserGetCPD', # 0x19c 'NtUserGetCursorFrameInfo', # 0x19d 'NtUserGetCursorInfo', # 0x19e 
'NtUserGetDC', # 0x19f 'NtUserGetDCEx', # 0x1a0 'NtUserGetDoubleClickTime', # 0x1a1 'NtUserGetForegroundWindow', # 0x1a2 'NtUserGetGuiResources', # 0x1a3 'NtUserGetGUIThreadInfo', # 0x1a4 'NtUserGetIconInfo', # 0x1a5 'NtUserGetIconSize', # 0x1a6 'NtUserGetImeHotKey', # 0x1a7 'NtUserGetImeInfoEx', # 0x1a8 'NtUserGetInternalWindowPos', # 0x1a9 'NtUserGetKeyboardLayoutList', # 0x1aa 'NtUserGetKeyboardLayoutName', # 0x1ab 'NtUserGetKeyboardState', # 0x1ac 'NtUserGetKeyNameText', # 0x1ad 'NtUserGetKeyState', # 0x1ae 'NtUserGetListBoxInfo', # 0x1af 'NtUserGetMenuBarInfo', # 0x1b0 'NtUserGetMenuIndex', # 0x1b1 'NtUserGetMenuItemRect', # 0x1b2 'NtUserGetMessage', # 0x1b3 'NtUserGetMouseMovePointsEx', # 0x1b4 'NtUserGetObjectInformation', # 0x1b5 'NtUserGetOpenClipboardWindow', # 0x1b6 'NtUserGetPriorityClipboardFormat', # 0x1b7 'NtUserGetProcessWindowStation', # 0x1b8 'NtUserGetRawInputBuffer', # 0x1b9 'NtUserGetRawInputData', # 0x1ba 'NtUserGetRawInputDeviceInfo', # 0x1bb 'NtUserGetRawInputDeviceList', # 0x1bc 'NtUserGetRegisteredRawInputDevices', # 0x1bd 'NtUserGetScrollBarInfo', # 0x1be 'NtUserGetSystemMenu', # 0x1bf 'NtUserGetThreadDesktop', # 0x1c0 'NtUserGetThreadState', # 0x1c1 'NtUserGetTitleBarInfo', # 0x1c2 'NtUserGetUpdatedClipboardFormats', # 0x1c3 'NtUserGetUpdateRect', # 0x1c4 'NtUserGetUpdateRgn', # 0x1c5 'NtUserGetWindowDC', # 0x1c6 'NtUserGetWindowPlacement', # 0x1c7 'NtUserGetWOWClass', # 0x1c8 'NtUserGhostWindowFromHungWindow', # 0x1c9 'NtUserHardErrorControl', # 0x1ca 'NtUserHideCaret', # 0x1cb 'NtUserHiliteMenuItem', # 0x1cc 'NtUserHungWindowFromGhostWindow', # 0x1cd 'NtUserImpersonateDdeClientWindow', # 0x1ce 'NtUserInitialize', # 0x1cf 'NtUserInitializeClientPfnArrays', # 0x1d0 'NtUserInitTask', # 0x1d1 'NtUserInternalGetWindowText', # 0x1d2 'NtUserInternalGetWindowIcon', # 0x1d3 'NtUserInvalidateRect', # 0x1d4 'NtUserInvalidateRgn', # 0x1d5 'NtUserIsClipboardFormatAvailable', # 0x1d6 'NtUserKillTimer', # 0x1d7 'NtUserLoadKeyboardLayoutEx', # 0x1d8 
'NtUserLockWindowStation', # 0x1d9 'NtUserLockWindowUpdate', # 0x1da 'NtUserLockWorkStation', # 0x1db 'NtUserLogicalToPhysicalPoint', # 0x1dc 'NtUserMapVirtualKeyEx', # 0x1dd 'NtUserMenuItemFromPoint', # 0x1de 'NtUserMessageCall', # 0x1df 'NtUserMinMaximize', # 0x1e0 'NtUserMNDragLeave', # 0x1e1 'NtUserMNDragOver', # 0x1e2 'NtUserModifyUserStartupInfoFlags', # 0x1e3 'NtUserMoveWindow', # 0x1e4 'NtUserNotifyIMEStatus', # 0x1e5 'NtUserNotifyProcessCreate', # 0x1e6 'NtUserNotifyWinEvent', # 0x1e7 'NtUserOpenClipboard', # 0x1e8 'NtUserOpenDesktop', # 0x1e9 'NtUserOpenInputDesktop', # 0x1ea 'NtUserOpenThreadDesktop', # 0x1eb 'NtUserOpenWindowStation', # 0x1ec 'NtUserPaintDesktop', # 0x1ed 'NtUserPaintMonitor', # 0x1ee 'NtUserPeekMessage', # 0x1ef 'NtUserPhysicalToLogicalPoint', # 0x1f0 'NtUserPostMessage', # 0x1f1 'NtUserPostThreadMessage', # 0x1f2 'NtUserPrintWindow', # 0x1f3 'NtUserProcessConnect', # 0x1f4 'NtUserQueryInformationThread', # 0x1f5 'NtUserQueryInputContext', # 0x1f6 'NtUserQuerySendMessage', # 0x1f7 'NtUserQueryWindow', # 0x1f8 'NtUserRealChildWindowFromPoint', # 0x1f9 'NtUserRealInternalGetMessage', # 0x1fa 'NtUserRealWaitMessageEx', # 0x1fb 'NtUserRedrawWindow', # 0x1fc 'NtUserRegisterClassExWOW', # 0x1fd 'NtUserRegisterErrorReportingDialog', # 0x1fe 'NtUserRegisterUserApiHook', # 0x1ff 'NtUserRegisterHotKey', # 0x200 'NtUserRegisterRawInputDevices', # 0x201 'NtUserRegisterTasklist', # 0x202 'NtUserRegisterWindowMessage', # 0x203 'NtUserRemoveClipboardFormatListener', # 0x204 'NtUserRemoveMenu', # 0x205 'NtUserRemoveProp', # 0x206 'NtUserResolveDesktop', # 0x207 'NtUserResolveDesktopForWOW', # 0x208 'NtUserSBGetParms', # 0x209 'NtUserScrollDC', # 0x20a 'NtUserScrollWindowEx', # 0x20b 'NtUserSelectPalette', # 0x20c 'NtUserSendInput', # 0x20d 'NtUserSetActiveWindow', # 0x20e 'NtUserSetAppImeLevel', # 0x20f 'NtUserSetCapture', # 0x210 'NtUserSetClassLong', # 0x211 'NtUserSetClassWord', # 0x212 'NtUserSetClipboardData', # 0x213 'NtUserSetClipboardViewer', 
# 0x214 'NtUserSetConsoleReserveKeys', # 0x215 'NtUserSetCursor', # 0x216 'NtUserSetCursorContents', # 0x217 'NtUserSetCursorIconData', # 0x218 'NtUserSetFocus', # 0x219 'NtUserSetImeHotKey', # 0x21a 'NtUserSetImeInfoEx', # 0x21b 'NtUserSetImeOwnerWindow', # 0x21c 'NtUserSetInformationProcess', # 0x21d 'NtUserSetInformationThread', # 0x21e 'NtUserSetInternalWindowPos', # 0x21f 'NtUserSetKeyboardState', # 0x220 'NtUserSetMenu', # 0x221 'NtUserSetMenuContextHelpId', # 0x222 'NtUserSetMenuDefaultItem', # 0x223 'NtUserSetMenuFlagRtoL', # 0x224 'NtUserSetObjectInformation', # 0x225 'NtUserSetParent', # 0x226 'NtUserSetProcessWindowStation', # 0x227 'NtUserGetProp', # 0x228 'NtUserSetProp', # 0x229 'NtUserSetScrollInfo', # 0x22a 'NtUserSetShellWindowEx', # 0x22b 'NtUserSetSysColors', # 0x22c 'NtUserSetSystemCursor', # 0x22d 'NtUserSetSystemMenu', # 0x22e 'NtUserSetSystemTimer', # 0x22f 'NtUserSetThreadDesktop', # 0x230 'NtUserSetThreadLayoutHandles', # 0x231 'NtUserSetThreadState', # 0x232 'NtUserSetTimer', # 0x233 'NtUserSetProcessDPIAware', # 0x234 'NtUserSetWindowFNID', # 0x235 'NtUserSetWindowLong', # 0x236 'NtUserSetWindowPlacement', # 0x237 'NtUserSetWindowPos', # 0x238 'NtUserSetWindowRgn', # 0x239 'NtUserGetWindowRgnEx', # 0x23a 'NtUserSetWindowRgnEx', # 0x23b 'NtUserSetWindowsHookAW', # 0x23c 'NtUserSetWindowsHookEx', # 0x23d 'NtUserSetWindowStationUser', # 0x23e 'NtUserSetWindowWord', # 0x23f 'NtUserSetWinEventHook', # 0x240 'NtUserShowCaret', # 0x241 'NtUserShowScrollBar', # 0x242 'NtUserShowWindow', # 0x243 'NtUserShowWindowAsync', # 0x244 'NtUserSoundSentry', # 0x245 'NtUserSwitchDesktop', # 0x246 'NtUserSystemParametersInfo', # 0x247 'NtUserTestForInteractiveUser', # 0x248 'NtUserThunkedMenuInfo', # 0x249 'NtUserThunkedMenuItemInfo', # 0x24a 'NtUserToUnicodeEx', # 0x24b 'NtUserTrackMouseEvent', # 0x24c 'NtUserTrackPopupMenuEx', # 0x24d 'NtUserCalcMenuBar', # 0x24e 'NtUserPaintMenuBar', # 0x24f 'NtUserTranslateAccelerator', # 0x250 'NtUserTranslateMessage', 
# 0x251 'NtUserUnhookWindowsHookEx', # 0x252 'NtUserUnhookWinEvent', # 0x253 'NtUserUnloadKeyboardLayout', # 0x254 'NtUserUnlockWindowStation', # 0x255 'NtUserUnregisterClass', # 0x256 'NtUserUnregisterUserApiHook', # 0x257 'NtUserUnregisterHotKey', # 0x258 'NtUserUpdateInputContext', # 0x259 'NtUserUpdateInstance', # 0x25a 'NtUserUpdateLayeredWindow', # 0x25b 'NtUserGetLayeredWindowAttributes', # 0x25c 'NtUserSetLayeredWindowAttributes', # 0x25d 'NtUserUpdatePerUserSystemParameters', # 0x25e 'NtUserUserHandleGrantAccess', # 0x25f 'NtUserValidateHandleSecure', # 0x260 'NtUserValidateRect', # 0x261 'NtUserValidateTimerCallback', # 0x262 'NtUserVkKeyScanEx', # 0x263 'NtUserWaitForInputIdle', # 0x264 'NtUserWaitForMsgAndEvent', # 0x265 'NtUserWaitMessage', # 0x266 'NtUserWin32PoolAllocationStats', # 0x267 'NtUserWindowFromPhysicalPoint', # 0x268 'NtUserWindowFromPoint', # 0x269 'NtUserYieldTask', # 0x26a 'NtUserRemoteConnect', # 0x26b 'NtUserRemoteRedrawRectangle', # 0x26c 'NtUserRemoteRedrawScreen', # 0x26d 'NtUserRemoteStopScreenUpdates', # 0x26e 'NtUserCtxDisplayIOCtl', # 0x26f 'NtUserRegisterSessionPort', # 0x270 'NtUserUnregisterSessionPort', # 0x271 'NtUserUpdateWindowTransform', # 0x272 'NtUserDwmStartRedirection', # 0x273 'NtUserDwmStopRedirection', # 0x274 'NtUserDwmHintDxUpdate', # 0x275 'NtUserDwmGetDxRgn', # 0x276 'NtUserGetWindowMinimizeRect', # 0x277 'NtGdiEngAssociateSurface', # 0x278 'NtGdiEngCreateBitmap', # 0x279 'NtGdiEngCreateDeviceSurface', # 0x27a 'NtGdiEngCreateDeviceBitmap', # 0x27b 'NtGdiEngCreatePalette', # 0x27c 'NtGdiEngComputeGlyphSet', # 0x27d 'NtGdiEngCopyBits', # 0x27e 'NtGdiEngDeletePalette', # 0x27f 'NtGdiEngDeleteSurface', # 0x280 'NtGdiEngEraseSurface', # 0x281 'NtGdiEngUnlockSurface', # 0x282 'NtGdiEngLockSurface', # 0x283 'NtGdiEngBitBlt', # 0x284 'NtGdiEngStretchBlt', # 0x285 'NtGdiEngPlgBlt', # 0x286 'NtGdiEngMarkBandingSurface', # 0x287 'NtGdiEngStrokePath', # 0x288 'NtGdiEngFillPath', # 0x289 'NtGdiEngStrokeAndFillPath', # 
0x28a 'NtGdiEngPaint', # 0x28b 'NtGdiEngLineTo', # 0x28c 'NtGdiEngAlphaBlend', # 0x28d 'NtGdiEngGradientFill', # 0x28e 'NtGdiEngTransparentBlt', # 0x28f 'NtGdiEngTextOut', # 0x290 'NtGdiEngStretchBltROP', # 0x291 'NtGdiXLATEOBJ_cGetPalette', # 0x292 'NtGdiXLATEOBJ_iXlate', # 0x293 'NtGdiXLATEOBJ_hGetColorTransform', # 0x294 'NtGdiCLIPOBJ_bEnum', # 0x295 'NtGdiCLIPOBJ_cEnumStart', # 0x296 'NtGdiCLIPOBJ_ppoGetPath', # 0x297 'NtGdiEngDeletePath', # 0x298 'NtGdiEngCreateClip', # 0x299 'NtGdiEngDeleteClip', # 0x29a 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x29b 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x29c 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x29d 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x29e 'NtGdiXFORMOBJ_bApplyXform', # 0x29f 'NtGdiXFORMOBJ_iGetXform', # 0x2a0 'NtGdiFONTOBJ_vGetInfo', # 0x2a1 'NtGdiFONTOBJ_pxoGetXform', # 0x2a2 'NtGdiFONTOBJ_cGetGlyphs', # 0x2a3 'NtGdiFONTOBJ_pifi', # 0x2a4 'NtGdiFONTOBJ_pfdg', # 0x2a5 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x2a6 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x2a7 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x2a8 'NtGdiSTROBJ_bEnum', # 0x2a9 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x2aa 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x2ab 'NtGdiSTROBJ_vEnumStart', # 0x2ac 'NtGdiSTROBJ_dwGetCodePage', # 0x2ad 'NtGdiPATHOBJ_vGetBounds', # 0x2ae 'NtGdiPATHOBJ_bEnum', # 0x2af 'NtGdiPATHOBJ_vEnumStart', # 0x2b0 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x2b1 'NtGdiPATHOBJ_bEnumClipLines', # 0x2b2 'NtGdiGetDhpdev', # 0x2b3 'NtGdiEngCheckAbort', # 0x2b4 'NtGdiHT_Get8BPPFormatPalette', # 0x2b5 'NtGdiHT_Get8BPPMaskPalette', # 0x2b6 'NtGdiUpdateTransform', # 0x2b7 'NtGdiSetPUMPDOBJ', # 0x2b8 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x2b9 'NtGdiUMPDEngFreeUserMem', # 0x2ba 'NtGdiDrawStream', # 0x2bb 'NtGdiDwmGetDirtyRgn', # 0x2bc 'NtGdiDwmGetSurfaceData', # 0x2bd 'NtGdiDdDDICreateAllocation', # 0x2be 'NtGdiDdDDIQueryResourceInfo', # 0x2bf 'NtGdiDdDDIOpenResource', # 0x2c0 'NtGdiDdDDIDestroyAllocation', # 0x2c1 'NtGdiDdDDISetAllocationPriority', # 0x2c2 'NtGdiDdDDIQueryAllocationResidency', # 
0x2c3 'NtGdiDdDDICreateDevice', # 0x2c4 'NtGdiDdDDIDestroyDevice', # 0x2c5 'NtGdiDdDDICreateContext', # 0x2c6 'NtGdiDdDDIDestroyContext', # 0x2c7 'NtGdiDdDDICreateSynchronizationObject', # 0x2c8 'NtGdiDdDDIDestroySynchronizationObject', # 0x2c9 'NtGdiDdDDIWaitForSynchronizationObject', # 0x2ca 'NtGdiDdDDISignalSynchronizationObject', # 0x2cb 'NtGdiDdDDIGetRuntimeData', # 0x2cc 'NtGdiDdDDIQueryAdapterInfo', # 0x2cd 'NtGdiDdDDILock', # 0x2ce 'NtGdiDdDDIUnlock', # 0x2cf 'NtGdiDdDDIGetDisplayModeList', # 0x2d0 'NtGdiDdDDISetDisplayMode', # 0x2d1 'NtGdiDdDDIGetMultisampleMethodList', # 0x2d2 'NtGdiDdDDIPresent', # 0x2d3 'NtGdiDdDDIRender', # 0x2d4 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x2d5 'NtGdiDdDDIOpenAdapterFromHdc', # 0x2d6 'NtGdiDdDDICloseAdapter', # 0x2d7 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x2d8 'NtGdiDdDDIEscape', # 0x2d9 'NtGdiDdDDIQueryStatistics', # 0x2da 'NtGdiDdDDISetVidPnSourceOwner', # 0x2db 'NtGdiDdDDIGetPresentHistory', # 0x2dc 'NtGdiDdDDICreateOverlay', # 0x2dd 'NtGdiDdDDIUpdateOverlay', # 0x2de 'NtGdiDdDDIFlipOverlay', # 0x2df 'NtGdiDdDDIDestroyOverlay', # 0x2e0 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x2e1 'NtGdiDdDDISetGammaRamp', # 0x2e2 'NtGdiDdDDIGetDeviceState', # 0x2e3 'NtGdiDdDDICreateDCFromMemory', # 0x2e4 'NtGdiDdDDIDestroyDCFromMemory', # 0x2e5 'NtGdiDdDDISetContextSchedulingPriority', # 0x2e6 'NtGdiDdDDIGetContextSchedulingPriority', # 0x2e7 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x2e8 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x2e9 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x2ea 'NtGdiDdDDIGetScanLine', # 0x2eb 'NtGdiDdDDISetQueuedLimit', # 0x2ec 'NtGdiDdDDIPollDisplayChildren', # 0x2ed 'NtGdiDdDDIInvalidateActiveVidPn', # 0x2ee 'NtGdiDdDDICheckOcclusion', # 0x2ef 'NtGdiDdDDIWaitForIdle', # 0x2f0 'NtGdiDdDDICheckMonitorPowerState', # 0x2f1 'NtGdiDdDDICheckExclusiveOwnership', # 0x2f2 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x2f3 'NtGdiDdDDISharedPrimaryLockNotification', # 0x2f4 
'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x2f5 'DxgStubEnableDirectDrawRedirection', # 0x2f6 'DxgStubDeleteDirectDrawObject', # 0x2f7 'NtGdiGetNumberOfPhysicalMonitors', # 0x2f8 'NtGdiGetPhysicalMonitors', # 0x2f9 'NtGdiGetPhysicalMonitorDescription', # 0x2fa 'NtGdiDestroyPhysicalMonitor', # 0x2fb 'NtGdiDDCCIGetVCPFeature', # 0x2fc 'NtGdiDDCCISetVCPFeature', # 0x2fd 'NtGdiDDCCISaveCurrentSettings', # 0x2fe 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x2ff 'NtGdiDDCCIGetCapabilitiesString', # 0x300 'NtGdiDDCCIGetTimingReport', # 0x301 'NtUserSetMirrorRendering', # 0x302 'NtUserShowSystemCursor', # 0x303 ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/pe_vtypes.py0000644000000000000000000011701113131215405026745 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# import struct import volatility.exceptions as exceptions import volatility.obj as obj import volatility.debug as debug import volatility.addrspace as addrspace pe_vtypes = { '_IMAGE_EXPORT_DIRECTORY': [ 0x28, { 'Base': [ 0x10, ['unsigned int']], 'NumberOfFunctions': [ 0x14, ['unsigned int']], 'NumberOfNames': [ 0x18, ['unsigned int']], 'AddressOfFunctions': [ 0x1C, ['unsigned int']], 'AddressOfNames': [ 0x20, ['unsigned int']], 'AddressOfNameOrdinals': [ 0x24, ['unsigned int']], }], '_IMAGE_IMPORT_DESCRIPTOR': [ 0x14, { # 0 for terminating null import descriptor 'OriginalFirstThunk': [ 0x0, ['unsigned int']], 'TimeDateStamp': [ 0x4, ['unsigned int']], 'ForwarderChain': [ 0x8, ['unsigned int']], 'Name': [ 0xC, ['unsigned int']], # If bound this has actual addresses 'FirstThunk': [ 0x10, ['unsigned int']], }], '_IMAGE_THUNK_DATA' : [ 0x4, { # Fake member for testing if the highest bit is set 'OrdinalBit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32)]], 'Function' : [ 0x0, ['pointer', ['void']]], 'Ordinal' : [ 0x0, ['unsigned long']], 'AddressOfData' : [ 0x0, ['unsigned int']], 'ForwarderString' : [ 0x0, ['unsigned int']], }], '_IMAGE_IMPORT_BY_NAME' : [ None, { 'Hint' : [ 0x0, ['unsigned short']], 'Name' : [ 0x2, ['String', dict(length = 128)]], }], '_IMAGE_RESOURCE_DIRECTORY' : [ 0x12, { 'Characteristics' : [ 0x0, ['unsigned long']], 'Timestamp' : [ 0x4, ['unsigned long']], 'MajorVersion': [ 0x8, ['unsigned short']], 'Minorversion': [ 0xa, ['unsigned short']], 'NamedEntriesCount': [ 0xc, ['unsigned short']], 'IdEntriesCount': [0xe, ['unsigned short']], 'Entries': [0x10, ['array', lambda x: x.NamedEntriesCount + x.IdEntriesCount, ['_IMAGE_RESOURCE_DIRECTORY_ENTRY']]], } ], '_IMAGE_RESOURCE_DIRECTORY_ENTRY': [0x8, { 'Name' : [ 0x0, ['unsigned long']], 'DataOffset' : [ 0x4, ['unsigned long']], } ], '_IMAGE_RESOURCE_DATA_ENTRY' : [0x10, { 'DataOffset' : [0x0, ['unsigned long']], 'Size' : [0x4, ['unsigned long']], 'CodePage' : [0x8, ['unsigned long']], 
'Reserved' : [0xc, ['unsigned long']], } ], '_IMAGE_RESOURCE_DIR_STRING_U' : [0x4, { 'Length': [0x0, ['unsigned short']], 'Value' : [0x2, ['array', lambda x: x.Length, ['unsigned short']]], } ], '_VS_VERSION_INFO' : [0x26, { 'Length': [0x0, ['unsigned short']], 'ValueLength': [0x2, ['unsigned short']], 'Type': [0x4, ['unsigned short']], 'Key': [0x6, ['array', len("VS_VERSION_INFO "), ['unsigned short']]], 'FileInfo': [lambda x: (((x.Key.obj_offset + x.Key.size() + 3) / 4) * 4), ['_VS_FIXEDFILEINFO']], } ], 'VerStruct' : [0x26, { 'Length': [0x0, ['unsigned short']], 'ValueLength': [0x2, ['unsigned short']], 'Type': [0x4, ['unsigned short']], 'Key': [0x6, ['array', 260, ['unsigned short']]], } ], '_VS_FIXEDFILEINFO': [0x34, { 'Signature': [0x0, ['unsigned long']], 'StructVer': [0x4, ['unsigned long']], 'FileVerMS': [0x8, ['unsigned long']], 'FileVerLS': [0xC, ['unsigned long']], 'ProdVerMS': [0x10, ['unsigned long']], 'ProdVerLS': [0x14, ['unsigned long']], 'FileFlagsMask': [0x18, ['unsigned long']], 'FileFlags': [0x1C, ['unsigned long']], 'FileOS': [0x20, ['Enumeration', {'choices': { 0x0: 'Unknown', 0x10000: 'DOS', 0x20000: 'OS/2 16-bit', 0x30000: 'OS/2 32-bit', 0x40000: 'Windows NT', 0x1: 'Windows 16-bit', 0x2: 'Presentation Manager 16-bit', 0x3: 'Presentation Manager 32-bit', 0x4: 'Windows 32-bit', 0x10001: 'Windows 16-bit running on DOS', 0x10004: 'Windows 32-bit running on DOS', 0x20002: 'Presentation Manager running on OS/2 (16-bit)', 0x30003: 'Presentation Manager running on OS/2 (32-bit)', 0x40004: 'Windows NT', }} ]], 'FileType': [0x24, ['Enumeration', {'choices': { 0x0: 'Unknown', 0x1: 'Application', 0x2: 'Dynamic Link Library', 0x3: 'Driver', 0x4: 'Font', 0x5: 'Virtual Device', 0x7: 'Static Library', }} ]], 'FileSubType': [0x28, ['unsigned long']], 'FileDate': [0x2C, ['WinTimeStamp']], } ], '_IMAGE_OPTIONAL_HEADER32' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned 
char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], } pe_vtypes_64 = { '_IMAGE_THUNK_DATA' : [ 0x8, { # Fake member for testing if the highest bit is set 'OrdinalBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64)]], 'Function' : [ 0x0, ['pointer64', ['void']]], 'Ordinal' : [ 0x0, ['unsigned long long']], 'AddressOfData' : [ 0x0, ['unsigned long long']], 'ForwarderString' : [ 0x0, ['unsigned long long']], }], } resource_types = { 'RT_CURSOR' : 1, 'RT_BITMAP' : 2, 'RT_ICON' : 3, 'RT_MENU' : 4, 'RT_DIALOG' : 5, 'RT_STRING' : 6, 'RT_FONTDIR' : 7, 'RT_FONT' : 8, 'RT_ACCELERATOR' : 9, 'RT_RCDATA' : 10, 'RT_MESSAGETABLE' : 
11, 'RT_GROUP_CURSOR' : 12, 'RT_GROUP_ICON' : 14, 'RT_VERSION' : 16, 'RT_DLGINCLUDE' : 17, 'RT_PLUGPLAY' : 19, 'RT_VXD' : 20, 'RT_ANICURSOR' : 21, 'RT_ANIICON' : 22, 'RT_HTML' : 23, } IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b class _IMAGE_EXPORT_DIRECTORY(obj.CType): """Class for PE export directory""" def valid(self, nt_header): """ Check the sanity of export table fields. The RVAs cannot be larger than the module size. The function and name counts cannot be larger than 32K. """ try: return (self.AddressOfFunctions < nt_header.OptionalHeader.SizeOfImage and self.AddressOfNameOrdinals < nt_header.OptionalHeader.SizeOfImage and self.AddressOfNames < nt_header.OptionalHeader.SizeOfImage and self.NumberOfFunctions < 0x7FFF and self.NumberOfNames < 0x7FFF) except obj.InvalidOffsetError: return False def _name(self, name_rva): """ Return a String object for the function name. Names are truncated at 128 characters although its possible they may be longer. Thus, infrequently a function name will be missing some data. However, that's better than hard-coding a larger value which frequently causes us to cross page boundaries and return a NoneObject anyway. """ return obj.Object("String", offset = self.obj_parent.DllBase + name_rva, vm = self.obj_native_vm, length = 128) def _exported_functions(self): """ Generator for exported functions. @return: tuple (Ordinal, FunctionRVA, Name) Ordinal is an integer and should never be None. If the function is forwarded, FunctionRVA is None. Otherwise, FunctionRVA is an RVA to the function's code (relative to module base). Name is a String containing the exported function's name. If the Name is paged, it will be None. If the function is forwarded, Name is the forwarded function name including the DLL (ntdll.EtwLogTraceEvent). """ mod_base = self.obj_parent.DllBase exp_dir = self.obj_parent.export_dir() # PE files with a large number of functions will have arrays # that spans multiple pages. 
Thus the first entries may be valid, # last entries may be valid, but middle entries may be invalid # (paged). In the various checks below, we test for None (paged) # and zero (non-paged but invalid RVA). # Array of RVAs to function code address_of_functions = obj.Object('Array', offset = mod_base + self.AddressOfFunctions, targetType = 'unsigned int', count = self.NumberOfFunctions, vm = self.obj_native_vm) # Array of RVAs to function names address_of_names = obj.Object('Array', offset = mod_base + self.AddressOfNames, targetType = 'unsigned int', count = self.NumberOfNames, vm = self.obj_native_vm) # Array of RVAs to function ordinals address_of_name_ordinals = obj.Object('Array', offset = mod_base + self.AddressOfNameOrdinals, targetType = 'unsigned short', count = self.NumberOfNames, vm = self.obj_native_vm) # When functions are exported by Name, it will increase # NumberOfNames by 1 and NumberOfFunctions by 1. When # functions are exported by Ordinal, only the NumberOfFunctions # will increase. First we enum functions exported by Name # and track their corresponding Ordinals, so that when we enum # functions exported by Ordinal only, we don't duplicate. seen_ordinals = [] # Handle functions exported by name *and* ordinal for i in range(self.NumberOfNames): name_rva = address_of_names[i] ordinal = address_of_name_ordinals[i] if name_rva in (0, None): continue # Check the sanity of ordinal values before using it as an index if ordinal == None or ordinal >= self.NumberOfFunctions: continue func_rva = address_of_functions[ordinal] if func_rva in (0, None): continue # Handle forwarded exports. If the function's RVA is inside the exports # section (as given by the VirtualAddress and Size fields in the # DataDirectory), the symbol is forwarded. Return the name of the # forwarded function and None as the function address. 
if (func_rva >= exp_dir.VirtualAddress and func_rva < exp_dir.VirtualAddress + exp_dir.Size): n = self._name(func_rva) f = obj.NoneObject("Ordinal function {0} in module {1} forwards to {2}".format( ordinal, str(self.obj_parent.BaseDllName or ''), n)) else: n = self._name(name_rva) f = func_rva # Add the ordinal base and save it ordinal += self.Base seen_ordinals.append(ordinal) yield ordinal, f, n # Handle functions exported by ordinal only for i in range(self.NumberOfFunctions): ordinal = self.Base + i # Skip functions already enumberated above if ordinal not in seen_ordinals: func_rva = address_of_functions[i] if func_rva in (0, None): continue seen_ordinals.append(ordinal) # There is no name RVA yield ordinal, func_rva, obj.NoneObject("Name RVA not accessible") class _IMAGE_IMPORT_DESCRIPTOR(obj.CType): """Handles IID entries for imported functions""" def valid(self, nt_header): """Check the validity of some fields""" try: return (self.OriginalFirstThunk != 0 and self.OriginalFirstThunk < nt_header.OptionalHeader.SizeOfImage and self.FirstThunk != 0 and self.FirstThunk < nt_header.OptionalHeader.SizeOfImage and self.Name < nt_header.OptionalHeader.SizeOfImage) except obj.InvalidOffsetError: return False def _name(self, name_rva): """Return a String object for the name at the given RVA""" return obj.Object("String", offset = self.obj_parent.DllBase + name_rva, vm = self.obj_native_vm, length = 128) def dll_name(self): """Returns the name of the DLL for this IID""" return self._name(self.Name) def _imported_functions(self): """ Generator for imported functions. @return: tuple (Ordinal, FunctionVA, Name) If the function is imported by ordinal, then Ordinal is the ordinal value and Name is None. If the function is imported by name, then Ordinal is the hint and Name is the imported function name (or None if its paged). FunctionVA is the virtual address of the imported function, as applied to the IAT by the Windows loader. 
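class _LDR_DATA_TABLE_ENTRY(obj.CType):
    """
    Class for PE file / modules

    If these classes are instantiated by _EPROCESS.list_*_modules()
    then its guaranteed to be in the process address space.

    FIXME: If these classes are found by modscan, ensure we can
    dereference properly with obj_native_vm.

    Every offset used below is DllBase plus an RVA read from the module's
    own headers in the memory image, so those fields are untrusted input.
    Directory lookups go through _directory(), which rejects entries that
    are empty or that extend past SizeOfImage.
    """

    def load_time(self):
        """Return LoadTime as a string, or "" when this object has no such member"""
        if hasattr(self, "LoadTime"):
            return str(self.LoadTime)
        else:
            return ""

    def _nt_header(self):
        """Return the _IMAGE_NT_HEADERS object, or a NoneObject if the
        DOS/NT signature or sanity checks fail"""

        try:
            dos_header = obj.Object("_IMAGE_DOS_HEADER", offset = self.DllBase,
                                    vm = self.obj_native_vm)

            return dos_header.get_nt_header()
        except ValueError:
            return obj.NoneObject("Failed initial sanity checks")
        except exceptions.SanityCheckException:
            return obj.NoneObject("Failed initial sanity checks. Try -u or --unsafe")

    def _directory(self, dir_index):
        """Return the requested IMAGE_DATA_DIRECTORY

        @param dir_index: index into OptionalHeader.DataDirectory
        @raise ValueError: if the headers cannot be parsed, the entry is
        unreadable or empty, or it extends past SizeOfImage
        """
        nt_header = self._nt_header()
        # "== None" is deliberate: it is the comparison this code uses to
        # detect unreadable objects, so it is not replaced with "is None".
        if nt_header == None:
            raise ValueError('No directory index {0}'.format(dir_index))

        data_dir = nt_header.OptionalHeader.DataDirectory[dir_index]
        if data_dir == None:
            raise ValueError('No directory index {0}'.format(dir_index))

        # Make sure the directory exists
        if data_dir.VirtualAddress == 0 or data_dir.Size == 0:
            raise ValueError('No directory index {0}'.format(dir_index))

        # Make sure the directory VA and Size are sane
        # NOTE(review): SizeOfImage is read from the same header, so this
        # checks internal consistency only.
        if data_dir.VirtualAddress + data_dir.Size > nt_header.OptionalHeader.SizeOfImage:
            raise ValueError('Invalid directory for index {0}'.format(dir_index))

        return data_dir

    def export_dir(self):
        """Return the IMAGE_DATA_DIRECTORY for exports"""
        return self._directory(0) # DIRECTORY_ENTRY_EXPORT

    def import_dir(self):
        """Return the IMAGE_DATA_DIRECTORY for imports"""
        return self._directory(1) # DIRECTORY_ENTRY_IMPORT

    def debug_dir(self):
        """Return the IMAGE_DATA_DIRECTORY for debug info"""
        return self._directory(6) # IMAGE_DEBUG_DIRECTORY

    def security_dir(self):
        """Return the IMAGE_DATA_DIRECTORY for the security directory"""
        return self._directory(4) # IMAGE_DIRECTORY_ENTRY_SECURITY

    def get_debug_directory(self):
        """Return the debug directory object for this PE, or a NoneObject
        carrying the reason when the data directory is rejected"""

        try:
            data_dir = self.debug_dir()
        except ValueError as why:
            return obj.NoneObject(str(why))

        return obj.Object("_IMAGE_DEBUG_DIRECTORY",
                          offset = self.DllBase + data_dir.VirtualAddress,
                          vm = self.obj_native_vm)

    def getprocaddress(self, func):
        """Return the RVA of func, or None if no export has that name"""
        for _, f, n in self.exports():
            if str(n or '') == func:
                return f
        return None

    def imports(self):
        """
        Generator for the PE's imported functions.

        The _DIRECTORY_ENTRY_IMPORT.VirtualAddress points to an array
        of _IMAGE_IMPORT_DESCRIPTOR structures. The end is reached when
        the IID structure is all zeros.

        Yields (dll_name, ordinal_or_hint, function_va, name) tuples.
        """

        try:
            data_dir = self.import_dir()
        except ValueError:
            # End the generator with a plain return. Raising StopIteration
            # from inside a generator body is turned into RuntimeError by
            # interpreters that implement PEP 479.
            return

        i = 0

        desc_size = self.obj_vm.profile.get_obj_size('_IMAGE_IMPORT_DESCRIPTOR')

        # The descriptor array has no length field. The walk ends only on an
        # unreadable or all-zero descriptor or on one that fails valid(), so
        # its length is decided by the contents of the image being analysed.
        while 1:
            desc = obj.Object('_IMAGE_IMPORT_DESCRIPTOR',
                      vm = self.obj_native_vm,
                      offset = self.DllBase + data_dir.VirtualAddress + (i * desc_size),
                      parent = self)

            # Stop if the IID is paged or all zeros
            if desc == None or desc.is_list_end():
                break

            # Stop if the IID contains invalid fields
            if not desc.valid(self._nt_header()):
                break

            dll_name = desc.dll_name()

            for o, f, n in desc._imported_functions():
                yield dll_name, o, f, n

            i += 1

    def exports(self):
        """Generator for the PE's exported functions

        Yields (ordinal, function RVA, name object) tuples; yields nothing
        when the export directory is missing or fails validation.
        """

        try:
            data_dir = self.export_dir()
        except ValueError:
            # Plain return for the same PEP 479 reason as in imports().
            return

        expdir = obj.Object('_IMAGE_EXPORT_DIRECTORY',
                            offset = self.DllBase + data_dir.VirtualAddress,
                            vm = self.obj_native_vm,
                            parent = self)

        if expdir.valid(self._nt_header()):
            # Ordinal, Function RVA, and Name Object
            for o, f, n in expdir._exported_functions():
                yield o, f, n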
def get_code(self, data_start, data_size, offset):
    """Read data_size bytes starting at data_start and pair them with offset.

    The read is split on 0x1000-byte boundaries: a leading piece up to the
    next boundary, zero or more whole 0x1000-byte pieces, then the remainder.

    NOTE(review): data_size is taken as given. Callers in this class pass
    SizeOfImage and SizeOfRawData straight from the image's headers, so a
    forged header decides how much memory the returned string occupies.
    Presumably zread() pads unreadable ranges rather than failing; confirm
    against the address-space implementation.

    @return: tuple (offset, data)
    """
    page = 0x1000
    lead = page - data_start % page

    # Deal with reads that are smaller than a block
    if data_size < lead:
        return (offset, "" + self.obj_vm.zread(data_start, data_size))

    # "/" is integer division here (Python 2 semantics), as in the rest of
    # this file.
    whole_pages = ((data_size + (data_start % page)) / page) - 1
    tail = (data_size + data_start) % page

    # First piece: up to the next 0x1000 boundary
    pieces = "" + self.obj_vm.zread(data_start, lead)
    cursor = data_start + lead

    # The middle part of the read
    for _unused in range(0, whole_pages):
        pieces = pieces + self.obj_vm.zread(cursor, page)
        cursor = cursor + page

    # The last part of the read
    if tail > 0:
        pieces = pieces + self.obj_vm.zread(cursor, tail)

    return (offset, pieces)
def _get_image_mem(self, unsafe, fix):
    """Generator of (offset, data) pieces for rebuilding this PE as laid
    out in memory.

    The first piece is SizeOfImage bytes read from the image base. The
    following pieces are rewritten section headers whose PointerToRawData,
    SizeOfRawData and VirtualSize are replaced so that they describe the
    in-memory layout.

    @param unsafe: passed to get_sections(); when true the per-section
    sanity checks are skipped
    @param fix: when true, the ImageBase field in the first piece is
    rewritten via _fix_header_image_base()
    """
    nt_header = self.get_nt_header()

    sa = nt_header.OptionalHeader.SectionAlignment
    shs = self.obj_vm.profile.get_obj_size('_IMAGE_SECTION_HEADER')

    # NOTE(review): SizeOfImage is used as the read length without an upper
    # bound, so a forged header value controls how much data is assembled.
    offset, data = self.get_code(self.obj_offset, nt_header.OptionalHeader.SizeOfImage, 0)
    if fix:
        data = self._fix_header_image_base(data, nt_header)
    yield offset, data

    # First pass: each section's size is the distance to the next section's
    # VirtualAddress; the last one is its VirtualSize rounded up to
    # SectionAlignment.
    # NOTE(review): if the headers are not in ascending VirtualAddress order
    # the difference is negative, and replace_header_field() packs it with
    # the field's own format string. Also round() computes addr % align, so
    # a SectionAlignment of 0 would divide by zero. Both values come from
    # the image; confirm how callers handle the resulting exceptions.
    prevsect = None
    sect_sizes = []
    for sect in nt_header.get_sections(unsafe):
        if prevsect is not None:
            sect_sizes.append(sect.VirtualAddress - prevsect.VirtualAddress)
        prevsect = sect
    if prevsect is not None:
        sect_sizes.append(self.round(prevsect.Misc.VirtualSize, sa, up = True))

    # Second pass: walk the sections again and index sect_sizes by position,
    # which relies on both walks returning the same sections.
    counter = 0
    # Offset of the first section header, relative to the image base
    start_addr = nt_header.FileHeader.SizeOfOptionalHeader + (nt_header.OptionalHeader.obj_offset - self.obj_offset)
    for sect in nt_header.get_sections(unsafe):
        sectheader = self.obj_vm.read(sect.obj_offset, shs)
        # Stop at the first section header that cannot be read
        if not sectheader:
            break
        # Change the PointerToRawData
        sectheader = self.replace_header_field(sect, sectheader, sect.PointerToRawData, sect.VirtualAddress)
        sectheader = self.replace_header_field(sect, sectheader, sect.SizeOfRawData, sect_sizes[counter])
        sectheader = self.replace_header_field(sect, sectheader, sect.Misc.VirtualSize, sect_sizes[counter])

        yield (start_addr + (counter * shs), sectheader)
        counter += 1
def sanity_check_section(self):
    """Reject a section header whose RVA or sizes exceed the image size.

    VirtualAddress, Misc.VirtualSize and SizeOfRawData are each compared,
    in that order, with the parent header's SizeOfImage. A value equal to
    SizeOfImage is accepted.

    NOTE(review): each field is checked on its own; the sum of
    VirtualAddress and a size is not compared with SizeOfImage, and
    SizeOfImage comes from the same untrusted header.

    @raise exceptions.SanityCheckException: on the first field that
    exceeds SizeOfImage
    """
    # Note: all addresses here are RVAs
    limit = self.obj_parent.OptionalHeader.SizeOfImage

    # Fields are read lazily so that a later field is only touched when the
    # earlier ones passed.
    checks = (
        (lambda: self.VirtualAddress,
         'VirtualAddress {0:08x} is past the end of image.'),
        (lambda: self.Misc.VirtualSize,
         'VirtualSize {0:08x} is larger than image size.'),
        (lambda: self.SizeOfRawData,
         'SizeOfRawData {0:08x} is larger than image size.'),
    )
    for read_field, template in checks:
        if read_field() > limit:
            raise exceptions.SanityCheckException(template.format(read_field()))
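def get_children(self):
    """Return an iterator over the children of a Version Info record.

    The children start after the FileInfo member, at its offset plus
    ValueLength, padded to a 32-bit boundary.

    @return: the generator from _recurse_children(), or an empty iterator
    when FileInfo is not available
    """
    if not self.FileInfo:
        # This is a plain function, not a generator, so "no children" is
        # reported with an empty iterator. Raising StopIteration here only
        # worked when the caller was itself a generator, and is turned into
        # RuntimeError by interpreters that implement PEP 479.
        return iter(())
    # NOTE(review): ValueLength is read from the resource data and is not
    # compared with the record's Length before being used as an offset.
    offset = self.offset_pad(self.FileInfo.obj_offset + self.ValueLength)
    return self._recurse_children(offset)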
def get_version(self, value):
    """Format one 32-bit version field as "high.low".

    The upper and lower 16-bit words of value are rendered in decimal and
    joined with a dot. file_version() and product_version() call this once
    for the MS field and once for the LS field to build the four-part
    version.
    """
    return '.'.join(str((value >> shift) & 0xFFFF) for shift in (16, 0))
def v(self):
    """Value function for _IMAGE_RESOURCE_DIR_STRING_U

    Reads Length bytes from the Value member, decodes them as UTF-16
    (ignoring errors) and re-encodes as ASCII with backslash escapes. A
    Length above 1024 is treated as 0, which caps the read for names taken
    from an untrusted resource section. Any failure yields ''.

    NOTE(review): Length is passed to read() as a byte count. If the field
    counts UTF-16 code units instead, only half of the name is read.
    Confirm against the vtype definition.
    """
    try:
        reported = self.Length.v()
        # Oversized lengths are not trusted: read nothing instead.
        length = 0 if reported > 1024 else reported
        raw = self.obj_vm.read(self.Value.obj_offset, length)
        return raw.decode("utf16", "ignore").encode("ascii", 'backslashreplace')
    except Exception:
        # Broad on purpose: an unreadable or malformed name renders as an
        # empty string and never aborts the resource walk.
        return ''
_IMAGE_EXPORT_DIRECTORY, '_IMAGE_IMPORT_DESCRIPTOR': _IMAGE_IMPORT_DESCRIPTOR, '_LDR_DATA_TABLE_ENTRY': _LDR_DATA_TABLE_ENTRY, '_IMAGE_DOS_HEADER': _IMAGE_DOS_HEADER, '_IMAGE_NT_HEADERS': _IMAGE_NT_HEADERS, '_IMAGE_SECTION_HEADER': _IMAGE_SECTION_HEADER, '_IMAGE_RESOURCE_DIRECTORY': _IMAGE_RESOURCE_DIRECTORY, '_IMAGE_RESOURCE_DIR_STRING_U': _IMAGE_RESOURCE_DIR_STRING_U, '_VS_FIXEDFILEINFO': _VS_FIXEDFILEINFO, '_VS_VERSION_INFO': _VS_VERSION_INFO, 'VerStruct': VerStruct, }) volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8_sp0_x64_vtypes.py0000644000000000000000000215713213131215405030523 0ustar rootrootntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'AitSamplingValue' : [ 0x248, ['unsigned long']], 'AppCompatFlag' : [ 0x24c, ['unsigned long']], 'RNGSeedVersion' : [ 0x250, ['unsigned long long']], 'GlobalValidationRunlevel' : [ 0x258, ['unsigned long']], 'TimeZoneBiasStamp' : [ 0x25c, ['long']], 'Reserved2' : [ 0x260, ['unsigned long']], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'Reserved0' : [ 
0x269, ['array', 1, ['unsigned char']]], 'NativeProcessorArchitecture' : [ 0x26a, ['unsigned short']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'MitigationPolicies' : [ 0x2d5, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'SEHValidationPolicy' : [ 0x2d5, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned char')]], 'CurDirDevicesSkippedForDlls' : [ 0x2d5, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Reserved' : [ 0x2d5, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Reserved6' : [ 0x2d6, ['array', 2, ['unsigned char']]], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'Reserved12' : [ 0x2ed, ['array', 3, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, 
end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgLkgEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgConsoleBrokerEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgSecureBootEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'QpcFrequency' : [ 0x300, ['long long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'TimeUpdateSequence' : [ 0x340, ['unsigned long long']], 'BaselineSystemTimeQpc' : [ 0x348, ['unsigned long long']], 'BaselineInterruptTimeQpc' : [ 0x350, ['unsigned long long']], 'QpcSystemTimeIncrement' : [ 0x358, ['unsigned long long']], 'QpcInterruptTimeIncrement' : [ 0x360, ['unsigned long long']], 'QpcSystemTimeIncrement32' : [ 0x368, ['unsigned long']], 'QpcInterruptTimeIncrement32' : [ 0x36c, ['unsigned long']], 'QpcSystemTimeIncrementShift' : [ 0x370, ['unsigned char']], 'QpcInterruptTimeIncrementShift' : [ 0x371, ['unsigned char']], 'Reserved8' : [ 0x372, ['array', 14, ['unsigned char']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 
'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved4' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned char']], 'Reserved9' : [ 0x3c5, ['unsigned char']], 'TscQpcData' : [ 0x3c6, ['unsigned short']], 'TscQpcEnabled' : [ 0x3c6, ['unsigned char']], 'TscQpcShift' : [ 0x3c7, ['unsigned char']], 'TimeZoneBiasEffectiveStart' : [ 0x3c8, ['_LARGE_INTEGER']], 'TimeZoneBiasEffectiveEnd' : [ 0x3d0, ['_LARGE_INTEGER']], 'XState' : [ 0x3d8, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_107f' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_107f']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1083' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1083']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_109b' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_109d' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_109b']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 
'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_109d']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_COUNT'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TEB' : [ 0x1820, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 
233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'PerflibData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, 
['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 
'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], 'ReservedForWdf' : [ 0x1818, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_SPLAY_LINKS' : [ 0x18, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_SPLAY_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_SPLAY_LINKS']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 
'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_RTL_BALANCED_NODE' : [ 0x18, { 'Children' : [ 0x0, ['array', 2, ['pointer64', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x8, ['pointer64', 
['_RTL_BALANCED_NODE']]], 'Red' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x10, ['unsigned long long']], } ], '_RTL_RB_TREE' : [ 0x10, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_RTL_AVL_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_KPCR' : [ 0x5d00, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x5b80, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 
0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'ClockOwner' : [ 0x21, ['unsigned char']], 'PendingTick' : [ 0x22, ['unsigned char']], 'PrcbPad00' : [ 0x23, ['array', 1, ['unsigned char']]], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PrcbPad01' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, ['unsigned long']], 'Group' : [ 0x658, ['unsigned short']], 'GroupSetMember' : [ 0x660, ['unsigned long long']], 'GroupIndex' : [ 0x668, ['unsigned char']], 'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNxPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPNPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x2080, ['array', 
32, ['_GENERAL_LOOKASIDE_POOL']]], 'PrcbPad20' : [ 0x2c80, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2c88, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2c90, ['long']], 'MmCopyOnWriteCount' : [ 0x2c94, ['long']], 'MmTransitionCount' : [ 0x2c98, ['long']], 'MmDemandZeroCount' : [ 0x2c9c, ['long']], 'MmPageReadCount' : [ 0x2ca0, ['long']], 'MmPageReadIoCount' : [ 0x2ca4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x2ca8, ['long']], 'MmDirtyWriteIoCount' : [ 0x2cac, ['long']], 'MmMappedPagesWriteCount' : [ 0x2cb0, ['long']], 'MmMappedWriteIoCount' : [ 0x2cb4, ['long']], 'KeSystemCalls' : [ 0x2cb8, ['unsigned long']], 'KeContextSwitches' : [ 0x2cbc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x2cc0, ['unsigned long']], 'CcFastReadWait' : [ 0x2cc4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x2cc8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x2ccc, ['unsigned long']], 'CcCopyReadWait' : [ 0x2cd0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x2cd4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x2cd8, ['long']], 'IoReadOperationCount' : [ 0x2cdc, ['long']], 'IoWriteOperationCount' : [ 0x2ce0, ['long']], 'IoOtherOperationCount' : [ 0x2ce4, ['long']], 'IoReadTransferCount' : [ 0x2ce8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x2cf0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x2cf8, ['_LARGE_INTEGER']], 'PacketBarrier' : [ 0x2d00, ['long']], 'TargetCount' : [ 0x2d04, ['long']], 'IpiFrozen' : [ 0x2d08, ['unsigned long']], 'PrcbPad40' : [ 0x2d0c, ['array', 29, ['unsigned long']]], 'DpcData' : [ 0x2d80, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x2dc0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x2dc8, ['long']], 'DpcRequestRate' : [ 0x2dcc, ['unsigned long']], 'MinimumDpcRate' : [ 0x2dd0, ['unsigned long']], 'DpcLastCount' : [ 0x2dd4, ['unsigned long']], 'ThreadDpcEnable' : [ 0x2dd8, ['unsigned char']], 'QuantumEnd' : [ 0x2dd9, ['unsigned char']], 'DpcRoutineActive' : [ 0x2dda, ['unsigned char']], 'IdleSchedule' : [ 0x2ddb, 
['unsigned char']], 'DpcRequestSummary' : [ 0x2ddc, ['long']], 'DpcRequestSlot' : [ 0x2ddc, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x2ddc, ['short']], 'ThreadDpcState' : [ 0x2dde, ['short']], 'DpcNormalProcessingActive' : [ 0x2ddc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DpcNormalProcessingRequested' : [ 0x2ddc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DpcNormalThreadSignal' : [ 0x2ddc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DpcNormalTimerExpiration' : [ 0x2ddc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DpcNormalDpcPresent' : [ 0x2ddc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DpcNormalLocalInterrupt' : [ 0x2ddc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DpcNormalSpare' : [ 0x2ddc, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'DpcThreadActive' : [ 0x2ddc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DpcThreadRequested' : [ 0x2ddc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DpcThreadSpare' : [ 0x2ddc, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'LastTimerHand' : [ 0x2de0, ['unsigned long']], 'LastTick' : [ 0x2de4, ['unsigned long']], 'ClockInterrupts' : [ 0x2de8, ['unsigned long']], 'ReadyScanTick' : [ 0x2dec, ['unsigned long']], 'BalanceState' : [ 0x2df0, ['unsigned char']], 'PrcbPad50' : [ 0x2df1, ['array', 7, ['unsigned char']]], 'InterruptLastCount' : [ 0x2df8, ['unsigned long']], 'InterruptRate' : [ 0x2dfc, ['unsigned long']], 'TimerTable' : [ 0x2e00, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x5000, ['_KGATE']], 'PrcbPad52' : [ 0x5018, ['pointer64', ['void']]], 'CallDpc' : [ 0x5020, ['_KDPC']], 'ClockKeepAlive' : [ 0x5060, ['long']], 'PrcbPad60' : [ 0x5064, ['array', 2, ['unsigned char']]], 
'NmiActive' : [ 0x5066, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x5068, ['long']], 'DpcWatchdogCount' : [ 0x506c, ['long']], 'KeSpinLockOrdering' : [ 0x5070, ['long']], 'PrcbPad70' : [ 0x5074, ['array', 1, ['unsigned long']]], 'CachedPtes' : [ 0x5078, ['pointer64', ['void']]], 'WaitListHead' : [ 0x5080, ['_LIST_ENTRY']], 'WaitLock' : [ 0x5090, ['unsigned long long']], 'ReadySummary' : [ 0x5098, ['unsigned long']], 'QueueIndex' : [ 0x509c, ['unsigned long']], 'ReadyQueueWeight' : [ 0x50a0, ['unsigned long']], 'PrcbPad75' : [ 0x50a4, ['unsigned long']], 'TimerExpirationDpc' : [ 0x50a8, ['_KDPC']], 'BuddyPrcb' : [ 0x50e8, ['pointer64', ['_KPRCB']]], 'ScbQueue' : [ 0x50f0, ['_RTL_RB_TREE']], 'DispatcherReadyListHead' : [ 0x5100, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x5300, ['unsigned long']], 'KernelTime' : [ 0x5304, ['unsigned long']], 'UserTime' : [ 0x5308, ['unsigned long']], 'DpcTime' : [ 0x530c, ['unsigned long']], 'InterruptTime' : [ 0x5310, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5314, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x5318, ['unsigned char']], 'GroupSchedulingOverQuota' : [ 0x5319, ['unsigned char']], 'DeepSleep' : [ 0x531a, ['unsigned char']], 'PrcbPad80' : [ 0x531b, ['array', 1, ['unsigned char']]], 'ScbOffset' : [ 0x531c, ['unsigned long']], 'DpcTimeCount' : [ 0x5320, ['unsigned long']], 'DpcTimeLimit' : [ 0x5324, ['unsigned long']], 'PeriodicCount' : [ 0x5328, ['unsigned long']], 'PeriodicBias' : [ 0x532c, ['unsigned long']], 'AvailableTime' : [ 0x5330, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x5334, ['unsigned long']], 'ParentNode' : [ 0x5338, ['pointer64', ['_KNODE']]], 'StartCycles' : [ 0x5340, ['unsigned long long']], 'GenerationTarget' : [ 0x5348, ['unsigned long long']], 'AffinitizedCycles' : [ 0x5350, ['unsigned long long']], 'PrcbPad81' : [ 0x5358, ['unsigned long long']], 'MmSpinLockOrdering' : [ 0x5360, ['long']], 'PageColor' : [ 0x5364, ['unsigned long']], 'NodeColor' : [ 0x5368, ['unsigned 
long']], 'NodeShiftedColor' : [ 0x536c, ['unsigned long']], 'SecondaryColorMask' : [ 0x5370, ['unsigned long']], 'PrcbPad83' : [ 0x5374, ['unsigned long']], 'CycleTime' : [ 0x5378, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x5380, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x5384, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x5388, ['unsigned long']], 'CcMapDataNoWait' : [ 0x538c, ['unsigned long']], 'CcMapDataWait' : [ 0x5390, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x5394, ['unsigned long']], 'CcPinReadNoWait' : [ 0x5398, ['unsigned long']], 'CcPinReadWait' : [ 0x539c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x53a0, ['unsigned long']], 'CcMdlReadWait' : [ 0x53a4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x53a8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x53ac, ['unsigned long']], 'CcLazyWritePages' : [ 0x53b0, ['unsigned long']], 'CcDataFlushes' : [ 0x53b4, ['unsigned long']], 'CcDataPages' : [ 0x53b8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x53bc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x53c0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x53c4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x53c8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x53cc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x53d0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x53d4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x53d8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x53dc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x53e0, ['unsigned long']], 'CcReadAheadIos' : [ 0x53e4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x53e8, ['long']], 'MmCacheReadCount' : [ 0x53ec, ['long']], 'MmCacheIoCount' : [ 0x53f0, ['long']], 'PrcbPad91' : [ 0x53f4, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x5400, ['_PROCESSOR_POWER_STATE']], 'ScbList' : [ 0x55c8, ['_LIST_ENTRY']], 'PrcbPad92' : [ 0x55d8, ['array', 22, ['unsigned long']]], 'KeAlignmentFixupCount' : [ 0x5630, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x5638, ['_KDPC']], 
'DpcWatchdogTimer' : [ 0x5678, ['_KTIMER']], 'Cache' : [ 0x56b8, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x56f4, ['unsigned long']], 'CachedCommit' : [ 0x56f8, ['unsigned long']], 'CachedResidentAvailable' : [ 0x56fc, ['unsigned long']], 'HyperPte' : [ 0x5700, ['pointer64', ['void']]], 'WheaInfo' : [ 0x5708, ['pointer64', ['void']]], 'EtwSupport' : [ 0x5710, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x5720, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x5730, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x5740, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x5748, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x5750, ['pointer64', ['unsigned long long']]], 'PackageProcessorSet' : [ 0x5758, ['_KAFFINITY_EX']], 'CacheProcessorMask' : [ 0x5800, ['array', 5, ['unsigned long long']]], 'ScanSiblingMask' : [ 0x5828, ['unsigned long long']], 'ScanSiblingIndex' : [ 0x5830, ['unsigned long']], 'LLCLevel' : [ 0x5834, ['unsigned long']], 'CoreProcessorSet' : [ 0x5838, ['unsigned long long']], 'ProcessorProfileControlArea' : [ 0x5840, ['pointer64', ['_PROCESSOR_PROFILE_CONTROL_AREA']]], 'ProfileEventIndexAddress' : [ 0x5848, ['pointer64', ['void']]], 'PrcbPad94' : [ 0x5850, ['array', 6, ['unsigned long long']]], 'SynchCounters' : [ 0x5880, ['_SYNCH_COUNTERS']], 'FsCounters' : [ 0x5938, ['_FILESYSTEM_DISK_COUNTERS']], 'VendorString' : [ 0x5948, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x5955, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x5958, ['unsigned long']], 'UpdateSignature' : [ 0x5960, ['_LARGE_INTEGER']], 'Context' : [ 0x5968, ['pointer64', ['_CONTEXT']]], 'ContextFlagsInit' : [ 0x5970, ['unsigned long']], 'ExtendedState' : [ 0x5978, ['pointer64', ['_XSAVE_AREA']]], 'EntropyTimingState' : [ 0x5980, ['_KENTROPY_TIMING_STATE']], 'Mailbox' : [ 0x5b00, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x5b40, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_KFLOATING_SAVE' : [ 0x4, { 'Dummy' : [ 0x0, ['unsigned long']], } 
], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_KTHREAD' : [ 0x348, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'SListFaultAddress' : [ 0x18, ['pointer64', ['void']]], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'StackBase' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'CycleTime' : [ 0x48, ['unsigned long long']], 'CurrentRunTime' : [ 0x50, ['unsigned long']], 'ExpectedRunTime' : [ 0x54, ['unsigned long']], 'KernelStack' : [ 0x58, ['pointer64', ['void']]], 'StateSaveArea' : [ 0x60, ['pointer64', ['_XSAVE_FORMAT']]], 'SchedulingGroup' : [ 0x68, ['pointer64', ['_KSCHEDULING_GROUP']]], 'WaitRegister' : [ 0x70, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x71, ['unsigned char']], 'Alerted' : [ 0x72, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x74, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x74, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x74, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'CodePatchInProgress' : [ 0x74, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x74, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x74, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x74, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 
'UmsDirectedSwitchEnable' : [ 0x74, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'TimerActive' : [ 0x74, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'SystemThread' : [ 0x74, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ProcessDetachActive' : [ 0x74, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'CalloutActive' : [ 0x74, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ScbReadyQueue' : [ 0x74, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ApcQueueable' : [ 0x74, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReservedStackInUse' : [ 0x74, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x74, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x74, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x74, ['long']], 'AutoAlignment' : [ 0x78, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x78, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UserAffinitySet' : [ 0x78, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'AlertedByThreadId' : [ 0x78, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'QuantumDonation' : [ 0x78, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x78, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GuiThread' : [ 0x78, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DisableQuantum' : [ 0x78, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ChargeOnlyGroup' : [ 0x78, ['BitField', 
dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QueueDeferPreemption' : [ 0x78, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x78, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ExplicitIdealProcessor' : [ 0x78, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'FreezeCount' : [ 0x78, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EtwStackTraceApcInserted' : [ 0x78, ['BitField', dict(start_bit = 14, end_bit = 22, native_type='unsigned long')]], 'ReservedFlags' : [ 0x78, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x78, ['long']], 'Spare0' : [ 0x7c, ['unsigned long']], 'SystemCallNumber' : [ 0x80, ['unsigned long']], 'Spare1' : [ 0x84, ['unsigned long']], 'FirstArgument' : [ 0x88, ['pointer64', ['void']]], 'TrapFrame' : [ 0x90, ['pointer64', ['_KTRAP_FRAME']]], 'ApcState' : [ 0x98, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x98, ['array', 43, ['unsigned char']]], 'Priority' : [ 0xc3, ['unsigned char']], 'UserIdealProcessor' : [ 0xc4, ['unsigned long']], 'WaitStatus' : [ 0xc8, ['long long']], 'WaitBlockList' : [ 0xd0, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xd8, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xe8, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xf0, ['pointer64', ['void']]], 'RelativeTimerBias' : [ 0xf8, ['unsigned long long']], 'Timer' : [ 0x100, ['_KTIMER']], 'WaitBlock' : [ 0x140, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x140, ['array', 20, ['unsigned char']]], 'ContextSwitches' : [ 0x154, ['unsigned long']], 'WaitBlockFill5' : [ 0x140, ['array', 68, ['unsigned char']]], 'State' : [ 0x184, ['unsigned char']], 'NpxState' : [ 0x185, ['unsigned char']], 'WaitIrql' : [ 
0x186, ['unsigned char']], 'WaitMode' : [ 0x187, ['unsigned char']], 'WaitBlockFill6' : [ 0x140, ['array', 116, ['unsigned char']]], 'WaitTime' : [ 0x1b4, ['unsigned long']], 'WaitBlockFill7' : [ 0x140, ['array', 164, ['unsigned char']]], 'KernelApcDisable' : [ 0x1e4, ['short']], 'SpecialApcDisable' : [ 0x1e6, ['short']], 'CombinedApcDisable' : [ 0x1e4, ['unsigned long']], 'WaitBlockFill8' : [ 0x140, ['array', 40, ['unsigned char']]], 'ThreadCounters' : [ 0x168, ['pointer64', ['_KTHREAD_COUNTERS']]], 'WaitBlockFill9' : [ 0x140, ['array', 88, ['unsigned char']]], 'XStateSave' : [ 0x198, ['pointer64', ['_XSTATE_SAVE']]], 'WaitBlockFill10' : [ 0x140, ['array', 136, ['unsigned char']]], 'Win32Thread' : [ 0x1c8, ['pointer64', ['void']]], 'WaitBlockFill11' : [ 0x140, ['array', 176, ['unsigned char']]], 'Ucb' : [ 0x1f0, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'Uch' : [ 0x1f8, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'TebMappedLowVa' : [ 0x200, ['pointer64', ['void']]], 'QueueListEntry' : [ 0x208, ['_LIST_ENTRY']], 'NextProcessor' : [ 0x218, ['unsigned long']], 'DeferredProcessor' : [ 0x21c, ['unsigned long']], 'Process' : [ 0x220, ['pointer64', ['_KPROCESS']]], 'UserAffinity' : [ 0x228, ['_GROUP_AFFINITY']], 'UserAffinityFill' : [ 0x228, ['array', 10, ['unsigned char']]], 'PreviousMode' : [ 0x232, ['unsigned char']], 'BasePriority' : [ 0x233, ['unsigned char']], 'PriorityDecrement' : [ 0x234, ['unsigned char']], 'ForegroundBoost' : [ 0x234, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x234, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x235, ['unsigned char']], 'AdjustReason' : [ 0x236, ['unsigned char']], 'AdjustIncrement' : [ 0x237, ['unsigned char']], 'Affinity' : [ 0x238, ['_GROUP_AFFINITY']], 'AffinityFill' : [ 0x238, ['array', 10, ['unsigned char']]], 'ApcStateIndex' : [ 0x242, ['unsigned char']], 'WaitBlockCount' : [ 0x243, ['unsigned char']], 'IdealProcessor' : [ 
0x244, ['unsigned long']], 'ApcStatePointer' : [ 0x248, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x258, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x258, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x283, ['unsigned char']], 'SuspendCount' : [ 0x284, ['unsigned char']], 'Saturation' : [ 0x285, ['unsigned char']], 'SListFaultCount' : [ 0x286, ['unsigned short']], 'SchedulerApc' : [ 0x288, ['_KAPC']], 'SchedulerApcFill0' : [ 0x288, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x289, ['unsigned char']], 'SchedulerApcFill1' : [ 0x288, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x28b, ['unsigned char']], 'SchedulerApcFill2' : [ 0x288, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x28c, ['unsigned long']], 'SchedulerApcFill3' : [ 0x288, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c8, ['pointer64', ['_KPRCB']]], 'SchedulerApcFill4' : [ 0x288, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2d0, ['pointer64', ['void']]], 'SchedulerApcFill5' : [ 0x288, ['array', 83, ['unsigned char']]], 'CallbackNestingLevel' : [ 0x2db, ['unsigned char']], 'UserTime' : [ 0x2dc, ['unsigned long']], 'SuspendEvent' : [ 0x2e0, ['_KEVENT']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'ReadOperationCount' : [ 0x318, ['long long']], 'WriteOperationCount' : [ 0x320, ['long long']], 'OtherOperationCount' : [ 0x328, ['long long']], 'ReadTransferCount' : [ 0x330, ['long long']], 'WriteTransferCount' : [ 0x338, ['long long']], 'OtherTransferCount' : [ 0x340, ['long long']], } ], '_KSTACK_CONTROL' : [ 0x30, { 'StackBase' : [ 0x0, ['unsigned long long']], 'ActualLimit' : [ 0x8, ['unsigned long long']], 'StackExpansion' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Previous' : [ 0x10, ['_KERNEL_STACK_SEGMENT']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', 
['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_121f' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, native_type='unsigned long long')]], 'Region' : [ 0x8, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1224' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_121f']], 'HeaderX64' : [ 0x0, ['__unnamed_1224']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], 
'_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' 
: [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_KNODE' : [ 0xc0, { 'DeepIdleSet' : [ 0x0, ['unsigned long long']], 'ProximityId' : [ 0x40, ['unsigned long']], 'NodeNumber' : [ 0x44, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x46, ['unsigned short']], 'MaximumProcessors' : [ 0x48, ['unsigned char']], 'Flags' : [ 0x49, ['_flags']], 'Stride' : [ 0x4a, ['unsigned char']], 'NodePad0' : [ 0x4b, ['unsigned char']], 'Affinity' : [ 0x50, ['_GROUP_AFFINITY']], 'IdleCpuSet' : [ 0x60, ['unsigned long long']], 'IdleSmtSet' : [ 0x68, ['unsigned long long']], 'Seed' : [ 0x80, ['unsigned long']], 'Lowest' : [ 0x84, ['unsigned long']], 'Highest' : [ 0x88, ['unsigned long']], 'ParkLock' : [ 0x8c, ['long']], 'NonParkedSet' : [ 0x90, ['unsigned long long']], } ], '_ENODE' : [ 0x340, { 'Ncb' : [ 0x0, ['_KNODE']], 
'ExWorkerQueues' : [ 0xc0, ['array', 7, ['_EX_WORK_QUEUE']]], 'ExpThreadSetManagerEvent' : [ 0x2f0, ['_KEVENT']], 'ExpWorkerThreadBalanceManagerPtr' : [ 0x308, ['pointer64', ['_ETHREAD']]], 'ExpWorkerSeed' : [ 0x310, ['unsigned long']], 'ExWorkerFullInit' : [ 0x314, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerStructInit' : [ 0x314, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExWorkerFlags' : [ 0x314, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x80, { 'NextHandleNeedingPool' : [ 0x0, ['unsigned long']], 'ExtraInfoPages' : [ 0x4, ['long']], 'TableCode' : [ 0x8, ['unsigned long long']], 'QuotaProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'HandleTableList' : [ 0x18, ['_LIST_ENTRY']], 'UniqueProcessId' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], 'StrictFIFO' : [ 0x2c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'EnableHandleExceptions' : [ 0x2c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Rundown' : [ 0x2c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Duplicated' : [ 0x2c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'HandleTableLock' : [ 0x38, ['_EX_PUSH_LOCK']], 'FreeLists' : [ 0x40, ['array', 1, ['_HANDLE_TABLE_FREE_LIST']]], 'ActualEntry' : [ 0x40, ['array', 32, ['unsigned char']]], 'DebugInfo' : [ 0x60, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'VolatileLowValue' : [ 0x0, ['long long']], 'LowValue' : [ 0x0, ['long long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Unlocked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit 
= 20, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long long')]], 'ObjectPointerBits' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], 'HighValue' : [ 0x8, ['long long']], 'NextFreeHandleEntry' : [ 0x8, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'LeafHandleValue' : [ 0x8, ['_EXHANDLE']], 'GrantedAccessBits' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'Spare' : [ 0x8, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'TypeInfo' : [ 0xc, ['unsigned long']], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1321' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_1321']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xe0, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 
'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], 'GenerateStagingEvents' : [ 0xd8, ['unsigned char']], } ], '_ETHREAD' : [ 0x4d0, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x348, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x350, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x350, ['_LIST_ENTRY']], 'ChargeOnlySession' : [ 0x360, ['pointer64', ['void']]], 'PostBlockList' : [ 0x368, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x368, ['pointer64', ['void']]], 'StartAddress' : [ 0x370, ['pointer64', ['void']]], 'TerminationPort' : [ 0x378, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x378, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x378, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x380, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x388, ['_LIST_ENTRY']], 'Cid' : [ 0x398, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x3a8, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x3a8, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3c8, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3d0, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3e0, ['unsigned long long']], 'DeviceToVerify' : [ 0x3e8, ['pointer64', ['_DEVICE_OBJECT']]], 'Win32StartAddress' : [ 0x3f0, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x3f8, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x400, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x410, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x418, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x420, ['unsigned long']], 'MmLockOrdering' : [ 0x424, ['long']], 'CmLockOrdering' : [ 0x428, ['long']], 'CrossThreadFlags' : [ 0x42c, ['unsigned 
long']], 'Terminated' : [ 0x42c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x42c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x42c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x42c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x42c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x42c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x42c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x42c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x42c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x42c, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x42c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'RundownFail' : [ 0x42c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UmsForceQueueTermination' : [ 0x42c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReservedCrossThreadFlags' : [ 0x42c, ['BitField', dict(start_bit = 17, end_bit = 32, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x430, ['unsigned long']], 'ActiveExWorker' : [ 0x430, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MemoryMaker' : [ 0x430, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ClonedThread' : [ 0x430, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x430, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned long')]], 'SelfTerminate' : [ 0x430, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x434, ['unsigned long']], 'Spare' : [ 0x434, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x434, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwCalloutActive' : [ 0x434, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x434, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x434, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x434, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x434, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x434, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x435, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x435, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x435, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x435, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x435, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsVadExclusive' : [ 0x435, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x435, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x435, ['BitField', dict(start_bit = 7, 
end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x436, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x436, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x436, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x436, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x436, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare2' : [ 0x436, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x437, ['unsigned char']], 'CacheManagerActive' : [ 0x438, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x439, ['unsigned char']], 'ActiveFaultCount' : [ 0x43a, ['unsigned char']], 'LockOrderState' : [ 0x43b, ['unsigned char']], 'AlpcMessageId' : [ 0x440, ['unsigned long long']], 'AlpcMessage' : [ 0x448, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x448, ['unsigned long']], 'ExitStatus' : [ 0x450, ['long']], 'AlpcWaitListEntry' : [ 0x458, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x468, ['unsigned long']], 'IoBoostCount' : [ 0x46c, ['unsigned long']], 'BoostList' : [ 0x470, ['_LIST_ENTRY']], 'DeboostList' : [ 0x480, ['_LIST_ENTRY']], 'BoostListLock' : [ 0x490, ['unsigned long long']], 'IrpListLock' : [ 0x498, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x4a0, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x4a8, ['_SINGLE_LIST_ENTRY']], 'ActivityId' : [ 0x4b0, ['pointer64', ['_GUID']]], 'WnfContext' : [ 0x4b8, ['pointer64', ['void']]], 'SeLearningModeListHead' : [ 0x4c0, ['_SINGLE_LIST_ENTRY']], 'KernelStackReference' : [ 0x4c8, ['unsigned long']], } ], '_EPROCESS' : [ 0x660, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x2c8, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x2d0, 
['_LARGE_INTEGER']], 'RundownProtect' : [ 0x2d8, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x2e0, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x2e8, ['_LIST_ENTRY']], 'Flags2' : [ 0x2f8, ['unsigned long']], 'JobNotReallyActive' : [ 0x2f8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x2f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x2f8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x2f8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x2f8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x2f8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoWakeCharge' : [ 0x2f8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x2f8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x2f8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x2f8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x2f8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'EmptyJobEvaluated' : [ 0x2f8, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x2f8, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x2f8, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x2f8, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x2f8, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' 
: [ 0x2f8, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x2f8, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x2f8, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x2f8, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ProcessExecutionState' : [ 0x2f8, ['BitField', dict(start_bit = 22, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0x2f8, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'HighEntropyASLREnabled' : [ 0x2f8, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ExtensionPointDisable' : [ 0x2f8, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ForceRelocateImages' : [ 0x2f8, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'ProcessStateChangeRequest' : [ 0x2f8, ['BitField', dict(start_bit = 28, end_bit = 30, native_type='unsigned long')]], 'ProcessStateChangeInProgress' : [ 0x2f8, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'DisallowWin32kSystemCalls' : [ 0x2f8, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x2fc, ['unsigned long']], 'CreateReported' : [ 0x2fc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x2fc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x2fc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x2fc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x2fc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x2fc, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned long')]], 'OutswapEnabled' : [ 0x2fc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x2fc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x2fc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x2fc, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x2fc, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x2fc, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x2fc, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x2fc, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x2fc, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x2fc, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x2fc, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x2fc, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x2fc, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'Background' : [ 0x2fc, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x2fc, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x2fc, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x2fc, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x2fc, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' 
: [ 0x2fc, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x2fc, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x2fc, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x2fc, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x2fc, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ProcessQuotaUsage' : [ 0x300, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x310, ['array', 2, ['unsigned long long']]], 'PeakVirtualSize' : [ 0x320, ['unsigned long long']], 'VirtualSize' : [ 0x328, ['unsigned long long']], 'SessionProcessLinks' : [ 0x330, ['_LIST_ENTRY']], 'ExceptionPortData' : [ 0x340, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x340, ['unsigned long long']], 'ExceptionPortState' : [ 0x340, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Token' : [ 0x348, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x350, ['unsigned long long']], 'AddressCreationLock' : [ 0x358, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x360, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x368, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x370, ['unsigned long long']], 'CommitChargeJob' : [ 0x378, ['pointer64', ['_EJOB']]], 'CloneRoot' : [ 0x380, ['pointer64', ['_MM_AVL_TABLE']]], 'NumberOfPrivatePages' : [ 0x388, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x390, ['unsigned long long']], 'Win32Process' : [ 0x398, ['pointer64', ['void']]], 'Job' : [ 0x3a0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x3a8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x3b0, ['pointer64', ['void']]], 'Cookie' : [ 0x3b8, ['unsigned long']], 'WorkingSetWatch' : [ 0x3c0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x3c8, ['pointer64', ['void']]], 
'InheritedFromUniqueProcessId' : [ 0x3d0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x3d8, ['pointer64', ['void']]], 'CreatorProcess' : [ 0x3e0, ['pointer64', ['_EPROCESS']]], 'ConsoleHostProcess' : [ 0x3e0, ['unsigned long long']], 'Peb' : [ 0x3e8, ['pointer64', ['_PEB']]], 'Session' : [ 0x3f0, ['pointer64', ['void']]], 'AweInfo' : [ 0x3f8, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x400, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'ObjectTable' : [ 0x408, ['pointer64', ['_HANDLE_TABLE']]], 'DebugPort' : [ 0x410, ['pointer64', ['void']]], 'Wow64Process' : [ 0x418, ['pointer64', ['void']]], 'DeviceMap' : [ 0x420, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x428, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x430, ['unsigned long long']], 'ImageFileName' : [ 0x438, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x447, ['unsigned char']], 'SecurityPort' : [ 0x448, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x450, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'JobLinks' : [ 0x458, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x468, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x470, ['_LIST_ENTRY']], 'ActiveThreads' : [ 0x480, ['unsigned long']], 'ImagePathHash' : [ 0x484, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x488, ['unsigned long']], 'LastThreadExitStatus' : [ 0x48c, ['long']], 'PrefetchTrace' : [ 0x490, ['_EX_FAST_REF']], 'LockedPagesList' : [ 0x498, ['pointer64', ['_MM_AVL_TABLE']]], 'ReadOperationCount' : [ 0x4a0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x4a8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x4b0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x4b8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x4c0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x4c8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x4d0, ['unsigned long long']], 'CommitCharge' : [ 0x4d8, ['unsigned long long']], 'CommitChargePeak' : [ 0x4e0, ['unsigned long long']], 'Vm' : [ 0x4e8, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x578, 
['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x588, ['unsigned long']], 'ExitStatus' : [ 0x58c, ['long']], 'VadRoot' : [ 0x590, ['_MM_AVL_TABLE']], 'VadPhysicalPages' : [ 0x5c0, ['unsigned long long']], 'VadPhysicalPagesLimit' : [ 0x5c8, ['unsigned long long']], 'AlpcContext' : [ 0x5d0, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x5f0, ['_LIST_ENTRY']], 'TimerResolutionStackRecord' : [ 0x600, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], 'RequestedTimerResolution' : [ 0x608, ['unsigned long']], 'SmallestTimerResolution' : [ 0x60c, ['unsigned long']], 'ExitTime' : [ 0x610, ['_LARGE_INTEGER']], 'InvertedFunctionTable' : [ 0x618, ['pointer64', ['_INVERTED_FUNCTION_TABLE']]], 'InvertedFunctionTableLock' : [ 0x620, ['_EX_PUSH_LOCK']], 'ActiveThreadsHighWatermark' : [ 0x628, ['unsigned long']], 'LargePrivateVadCount' : [ 0x62c, ['unsigned long']], 'ThreadListLock' : [ 0x630, ['_EX_PUSH_LOCK']], 'WnfContext' : [ 0x638, ['pointer64', ['void']]], 'SectionMappingSize' : [ 0x640, ['unsigned long long']], 'SignatureLevel' : [ 0x648, ['unsigned char']], 'SectionSignatureLevel' : [ 0x649, ['unsigned char']], 'SpareByte20' : [ 0x64a, ['array', 2, ['unsigned char']]], 'KeepAliveCounter' : [ 0x64c, ['unsigned long']], 'DiskCounters' : [ 0x650, ['pointer64', ['_PROCESS_DISK_COUNTERS']]], 'LastFreezeInterruptTime' : [ 0x658, ['unsigned long long']], } ], '_KPROCESS' : [ 0x2c8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long']], 'Spare0' : [ 0x44, ['unsigned long']], 'Affinity' : [ 0x48, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0xf0, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x108, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x1b0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x1b0, ['BitField', dict(start_bit = 
1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x1b0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'AffinitySet' : [ 0x1b0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='long')]], 'DeepFreeze' : [ 0x1b0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'TimerVirtualization' : [ 0x1b0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ActiveGroupsMask' : [ 0x1b0, ['BitField', dict(start_bit = 6, end_bit = 26, native_type='unsigned long')]], 'ReservedFlags' : [ 0x1b0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x1b0, ['long']], 'BasePriority' : [ 0x1b4, ['unsigned char']], 'QuantumReset' : [ 0x1b5, ['unsigned char']], 'Visited' : [ 0x1b6, ['unsigned char']], 'Flags' : [ 0x1b7, ['_KEXECUTE_OPTIONS']], 'ThreadSeed' : [ 0x1b8, ['array', 20, ['unsigned long']]], 'IdealNode' : [ 0x208, ['array', 20, ['unsigned short']]], 'IdealGlobalNode' : [ 0x230, ['unsigned short']], 'Spare1' : [ 0x232, ['unsigned short']], 'StackCount' : [ 0x234, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x238, ['_LIST_ENTRY']], 'CycleTime' : [ 0x248, ['unsigned long long']], 'ContextSwitches' : [ 0x250, ['unsigned long long']], 'SchedulingGroup' : [ 0x258, ['pointer64', ['_KSCHEDULING_GROUP']]], 'FreezeCount' : [ 0x260, ['unsigned long']], 'KernelTime' : [ 0x264, ['unsigned long']], 'UserTime' : [ 0x268, ['unsigned long']], 'LdtFreeSelectorHint' : [ 0x26c, ['unsigned short']], 'LdtTableLength' : [ 0x26e, ['unsigned short']], 'LdtSystemDescriptor' : [ 0x270, ['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x280, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x288, ['_FAST_MUTEX']], 'InstrumentationCallback' : [ 0x2c0, ['pointer64', ['void']]], } ], '__unnamed_137d' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1383' : [ 0x10, { 'UserApcRoutine' : [ 
0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1385' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1383']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_1390' : [ 0x58, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], 'IrpExtension' : [ 0x50, ['pointer64', ['void']]], } ], '__unnamed_1392' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_1390']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'AllocationProcessorNumber' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_137d']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_1385']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 
0x78, ['__unnamed_1392']], } ], '__unnamed_1399' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_139d' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_13a1' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_13a3' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13a7' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 
'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13a9' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_13ab' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 
'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileMaximumInformation'})]], } ], '__unnamed_13ad' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 
'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileRenameInformationBypassAccessCheck', 57: 'FileLinkInformationBypassAccessCheck', 58: 'FileVolumeNameInformation', 59: 'FileIdInformation', 60: 'FileIdExtdDirectoryInformation', 61: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, 
['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13af' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_13b1' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_13b5' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsDataCopyInformation', 13: 'FileFsMaximumInformation'})]], } ], '__unnamed_13b7' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13b9' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_13bb' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13bd' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_13bf' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_13c3' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, 
['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_13c7' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_13cb' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_13cf' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_13d3' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_13d7' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_13db' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_13dd' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_13df' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_13e3' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_13e7' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_13eb' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 
'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '__unnamed_13ef' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_13f3' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_13fb' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_13ff' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1401' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1403' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1405' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1399']], 'CreatePipe' : [ 0x0, ['__unnamed_139d']], 
'CreateMailslot' : [ 0x0, ['__unnamed_13a1']], 'Read' : [ 0x0, ['__unnamed_13a3']], 'Write' : [ 0x0, ['__unnamed_13a3']], 'QueryDirectory' : [ 0x0, ['__unnamed_13a7']], 'NotifyDirectory' : [ 0x0, ['__unnamed_13a9']], 'QueryFile' : [ 0x0, ['__unnamed_13ab']], 'SetFile' : [ 0x0, ['__unnamed_13ad']], 'QueryEa' : [ 0x0, ['__unnamed_13af']], 'SetEa' : [ 0x0, ['__unnamed_13b1']], 'QueryVolume' : [ 0x0, ['__unnamed_13b5']], 'SetVolume' : [ 0x0, ['__unnamed_13b5']], 'FileSystemControl' : [ 0x0, ['__unnamed_13b7']], 'LockControl' : [ 0x0, ['__unnamed_13b9']], 'DeviceIoControl' : [ 0x0, ['__unnamed_13bb']], 'QuerySecurity' : [ 0x0, ['__unnamed_13bd']], 'SetSecurity' : [ 0x0, ['__unnamed_13bf']], 'MountVolume' : [ 0x0, ['__unnamed_13c3']], 'VerifyVolume' : [ 0x0, ['__unnamed_13c3']], 'Scsi' : [ 0x0, ['__unnamed_13c7']], 'QueryQuota' : [ 0x0, ['__unnamed_13cb']], 'SetQuota' : [ 0x0, ['__unnamed_13b1']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_13cf']], 'QueryInterface' : [ 0x0, ['__unnamed_13d3']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_13d7']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_13db']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_13dd']], 'SetLock' : [ 0x0, ['__unnamed_13df']], 'QueryId' : [ 0x0, ['__unnamed_13e3']], 'QueryDeviceText' : [ 0x0, ['__unnamed_13e7']], 'UsageNotification' : [ 0x0, ['__unnamed_13eb']], 'WaitWake' : [ 0x0, ['__unnamed_13ef']], 'PowerSequence' : [ 0x0, ['__unnamed_13f3']], 'Power' : [ 0x0, ['__unnamed_13fb']], 'StartDevice' : [ 0x0, ['__unnamed_13ff']], 'WMI' : [ 0x0, ['__unnamed_1401']], 'Others' : [ 0x0, ['__unnamed_1403']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_1405']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', 
['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_141b' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_141b']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, 
['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'AllocationProcessorNumber' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_EVENT_RECORD' : [ 0x70, { 'EventHeader' : [ 0x0, ['_EVENT_HEADER']], 'BufferContext' : [ 0x50, ['_ETW_BUFFER_CONTEXT']], 'ExtendedDataCount' : [ 0x54, ['unsigned short']], 'UserDataLength' : [ 0x56, ['unsigned short']], 'ExtendedData' : [ 0x58, ['pointer64', ['_EVENT_HEADER_EXTENDED_DATA_ITEM']]], 'UserData' : [ 0x60, ['pointer64', ['void']]], 'UserContext' : [ 0x68, ['pointer64', ['void']]], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, 
['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, 
['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 
'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x60, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, 
['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], 'Oplock' : [ 0x58, ['pointer64', ['void']]], 'ReservedForRemote' : [ 0x58, ['pointer64', ['void']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '__unnamed_15a0' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_15a0']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'ReservedLowFlags' : [ 0x1a, ['unsigned char']], 'WaiterPriority' : [ 0x1b, ['unsigned char']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 
'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_MI_CACHED_PTE' : [ 0x8, { 'GlobalTimeStamp' : [ 0x0, ['unsigned long']], 'PteIndex' : [ 0x4, ['unsigned long']], 'Long' : [ 0x0, ['long long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '__unnamed_15dc' : [ 0x8, { 'Flink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeFlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 64, native_type='unsigned long long')]], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_15e1' : [ 0x8, { 'Blink' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'NodeBlinkHigh' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 56, native_type='unsigned long long')]], 'TbFlushStamp' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 60, native_type='unsigned long long')]], 'SpareBlink' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15e4' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : 
[ 0x2, ['unsigned short']], 'VolatileShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_15e6' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_15e4']], } ], '__unnamed_15ee' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'Channel' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 38, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 38, end_bit = 54, native_type='unsigned long long')]], 'PfnExists' : [ 0x0, ['BitField', dict(start_bit = 54, end_bit = 55, native_type='unsigned long long')]], 'PageIdentity' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], 'EntireField' : [ 0x0, ['unsigned long long']], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_15dc']], 'u2' : [ 0x8, ['__unnamed_15e1']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['long']], 'PteLong' : [ 0x10, ['unsigned long long']], 'u3' : [ 0x18, ['__unnamed_15e6']], 'NodeBlinkLow' : [ 0x1c, ['unsigned short']], 'Unused' : [ 0x1e, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'VaType' : [ 0x1e, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'ViewCount' : [ 0x1f, ['unsigned char']], 'NodeFlinkLow' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'u4' : [ 0x28, ['__unnamed_15ee']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x50, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x10, ['unsigned long']], 'Hint' : [ 0x14, ['unsigned long']], 'BasePte' : [ 0x18, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x20, ['pointer64', 
['unsigned long']]], 'Vm' : [ 0x28, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x30, ['long']], 'TotalFreeSystemPtes' : [ 0x34, ['long']], 'CachedPteCount' : [ 0x38, ['long']], 'PteFailures' : [ 0x3c, ['unsigned long']], 'SpinLock' : [ 0x40, ['unsigned long long']], 'GlobalMutex' : [ 0x40, ['pointer64', ['_FAST_MUTEX']]], 'CachedPtes' : [ 0x48, ['pointer64', ['_MI_CACHED_PTE']]], } ], '__unnamed_160d' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_160d']], } ], '_MMWSL' : [ 0x530, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'LastInitializedWsle' : [ 0x10, ['unsigned long']], 'NextAgingSlot' : [ 0x14, ['unsigned long']], 'NextAccessClearingSlot' : [ 0x18, ['unsigned long']], 'LastAccessClearingRemainder' : [ 0x1c, ['unsigned long']], 'LastAgingRemainder' : [ 0x20, ['unsigned long']], 'WsleSize' : [ 0x24, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long']], 'LowestPagableAddress' : [ 0x30, ['pointer64', ['void']]], 'NonDirectHash' : [ 0x38, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x40, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x48, ['pointer64', ['_MMWSLE_HASH']]], 'ActiveWsleCounts' : [ 0x50, ['array', 8, ['unsigned long']]], 'ActiveWsles' : [ 0x70, ['array', 8, ['_MI_ACTIVE_WSLE']]], 'Wsle' : [ 0xb0, ['pointer64', ['_MMWSLE']]], 'UserVaInfo' : [ 0xb8, ['_MI_USER_VA_INFO']], } ], '_MMSUPPORT' : [ 0x90, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x8, ['pointer64', ['_KGATE']]], 'AccessLog' : [ 0x10, ['pointer64', ['void']]], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x44, 
['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x4c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x50, ['unsigned long']], 'ChargedWslePages' : [ 0x54, ['unsigned long']], 'ActualWslePages' : [ 0x58, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x5c, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x60, ['unsigned long']], 'HardFaultCount' : [ 0x64, ['unsigned long']], 'VmWorkingSetList' : [ 0x68, ['pointer64', ['_MMWSL']]], 'NextPageColor' : [ 0x70, ['unsigned short']], 'LastTrimStamp' : [ 0x72, ['unsigned short']], 'PageFaultCount' : [ 0x74, ['unsigned long']], 'TrimmedPageCount' : [ 0x78, ['unsigned long']], 'Spare' : [ 0x7c, ['unsigned long']], 'ForceTrimPages' : [ 0x80, ['unsigned long']], 'Flags' : [ 0x84, ['_MMSUPPORT_FLAGS']], 'WsSwapSupport' : [ 0x88, ['pointer64', ['void']]], } ], '__unnamed_162a' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1633' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 29, native_type='unsigned long')]], 'BitMap' : [ 0x4, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1635' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1633']], } ], '_CONTROL_AREA' : [ 0x70, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'ListHead' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned 
long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_162a']], 'FlushInProgressCount' : [ 0x3c, ['unsigned long']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'WaitList' : [ 0x50, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x58, ['__unnamed_1635']], 'LockedPages' : [ 0x68, ['unsigned long long']], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_MMPAGING_FILE' : [ 0xa8, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'FreeReservationSpace' : [ 0x30, ['unsigned long long']], 'LargestReserveCluster' : [ 0x38, ['unsigned long long']], 'File' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x48, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x58, ['_UNICODE_STRING']], 'Bitmaps' : [ 0x68, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmapHint' : [ 0x70, ['unsigned long']], 'ReservationBitmapHint' : [ 0x74, ['unsigned long']], 'LargestNonReservedClusterSize' : [ 0x78, ['unsigned long']], 'RefreshClusterSize' : [ 0x7c, ['unsigned long']], 'LastRefreshClusterSize' : [ 0x80, ['unsigned long']], 'ReservedClusterSizeAggregate' : [ 0x84, ['unsigned long']], 'ToBeEvictedCount' : [ 0x88, ['unsigned long']], 'PageFileNumber' : [ 0x8c, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x8c, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'WsSwapPagefile' : [ 0x8c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'NoReservations' : [ 0x8c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Spare0' : [ 0x8c, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x8e, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare1' : [ 0x8e, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x8f, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'FileHandle' : [ 0x90, ['pointer64', ['void']]], 'Lock' : [ 0x98, ['unsigned long long']], 'LockOwner' : [ 0xa0, ['pointer64', ['_ETHREAD']]], } ], '_MI_PAGING_FILE_SPACE_BITMAPS' : [ 0x30, { 'RefCount' : [ 0x0, ['unsigned long']], 'Anchor' : [ 0x0, ['pointer64', ['_MI_PAGING_FILE_SPACE_BITMAPS']]], 'AllocationBitmap' : [ 0x8, ['_RTL_BITMAP']], 'ReservationBitmap' : [ 0x18, ['_RTL_BITMAP']], 'EvictStoreBitmap' : [ 0x28, ['pointer64', ['_RTL_BITMAP']]], } ], 'tagSWITCH_CONTEXT' : [ 0x58, { 'Attribute' : [ 0x0, ['tagSWITCH_CONTEXT_ATTRIBUTE']], 'Data' : [ 0x18, ['tagSWITCH_CONTEXT_DATA']], } ], '__unnamed_1676' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_CmpValidateHiveSecurityDescriptors', 10: '_HvpEnlistBinInMap', 11: '_CmCheckRegistry', 12: '_CmRegistryIO', 13: '_CmCheckRegistry2', 14: '_CmpCheckKey', 15: '_CmpCheckValueList', 16: '_HvCheckHive', 17: '_HvCheckBin'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_1679' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, 
['long']], } ], '__unnamed_167b' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_167f' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_1681' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_1685' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_1689' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_168b' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_1676']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_1676']]], 'RegistryIO' : [ 0xd0, ['__unnamed_1679']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_167b']], 'CheckKey' : [ 0xf0, ['__unnamed_167f']], 'CheckValueList' : [ 0x110, ['__unnamed_1681']], 'CheckHive' : [ 0x128, ['__unnamed_1685']], 'CheckHive1' : [ 0x138, ['__unnamed_1685']], 'CheckBin' : [ 0x148, ['__unnamed_1689']], 'RecoverData' : [ 0x158, ['__unnamed_168b']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, 
['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0xb8, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'ClockInterrupts' : [ 0x38, ['unsigned long']], 'DpcCount' : [ 0x3c, ['unsigned long']], 'DpcRate' : [ 0x40, ['unsigned long']], 'C1Time' : [ 0x48, ['unsigned long long']], 'C2Time' : [ 0x50, ['unsigned long long']], 'C3Time' : [ 0x58, ['unsigned long long']], 'C1Transitions' : [ 0x60, ['unsigned long long']], 'C2Transitions' : [ 0x68, ['unsigned long long']], 'C3Transitions' : [ 0x70, ['unsigned long long']], 'ParkingStatus' : [ 0x78, ['unsigned long']], 'CurrentFrequency' : [ 0x7c, ['unsigned long']], 'PercentMaxFrequency' : [ 0x80, ['unsigned long']], 'StateFlags' : [ 0x84, ['unsigned long']], 'NominalThroughput' : [ 0x88, ['unsigned long']], 'ActiveThroughput' : [ 0x8c, ['unsigned long']], 'ScaledThroughput' : [ 0x90, ['unsigned long long']], 'ScaledKernelThroughput' : [ 0x98, ['unsigned long long']], 'AverageIdleTime' : [ 0xa0, ['unsigned long long']], 'IdleBreakEvents' : [ 0xa8, ['unsigned long long']], 'PerformanceLimit' : [ 0xb0, ['unsigned long']], 'PerformanceLimitFlags' : [ 0xb4, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_SYNCH_COUNTERS' : [ 0xb8, { 'SpinLockAcquireCount' : [ 0x0, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4, ['unsigned long']], 'SpinLockSpinCount' : [ 0x8, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0xc, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x18, 
['unsigned long']], 'ExReInitializeResourceCount' : [ 0x1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x8c, ['unsigned long']], 
'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0xa0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0xa4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0xa8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0xac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0xb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0xb4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_FILESYSTEM_DISK_COUNTERS' : [ 0x10, { 'FsBytesRead' : [ 0x0, ['unsigned long long']], 'FsBytesWritten' : [ 0x8, ['unsigned long long']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', 
['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'Spare1' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'OutputBuffer' : [ 0xd8, ['unsigned long long']], 'OutputLength' : [ 0xe0, ['unsigned long long']], 'Spare2' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long 
long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' 
: [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_MCGEN_TRACE_CONTEXT' : [ 0x48, { 'RegistrationHandle' : [ 0x0, ['unsigned long long']], 'Logger' : [ 0x8, ['unsigned long long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], 'Flags' : [ 0x20, ['unsigned long']], 'IsEnabled' : [ 0x24, ['unsigned long']], 'Level' : [ 0x28, ['unsigned char']], 'Reserve' : [ 0x29, ['unsigned char']], 'EnableBitsCount' : [ 0x2a, ['unsigned short']], 'EnableBitMask' : [ 0x30, ['pointer64', ['unsigned long']]], 'EnableKeyWords' : [ 0x38, ['pointer64', ['unsigned long long']]], 'EnableLevel' : [ 0x40, ['pointer64', ['unsigned char']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, 
['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependentList' : [ 0x50, ['_LIST_ENTRY']], 'ProviderList' : [ 0x60, ['_LIST_ENTRY']], } ], '__unnamed_1785' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1787' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_178b' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x2c8, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Level' : [ 0x50, ['unsigned long']], 'CurrentPowerState' : [ 0x54, ['_POWER_STATE']], 'Notify' : [ 0x58, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xc0, ['_PO_IRP_MANAGER']], 'FxDevice' : [ 0xe0, ['pointer64', ['_POP_FX_DEVICE']]], 'FxDeviceLock' : [ 0xe8, ['long']], 'FxRemoveEvent' : [ 0xf0, ['_KEVENT']], 'FxActivationCount' : [ 0x108, ['long']], 'FxSleepCount' : [ 0x10c, ['long']], 'Plugin' : [ 0x110, ['pointer64', ['_POP_FX_PLUGIN']]], 'UniqueId' : [ 0x118, ['_UNICODE_STRING']], 'PowerFlags' : [ 0x128, ['unsigned 
long']], 'State' : [ 0x12c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x134, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 
'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x184, ['unsigned long']], 'CompletionStatus' : [ 0x188, ['long']], 'Flags' : [ 0x18c, ['unsigned long']], 'UserFlags' : [ 0x190, ['unsigned long']], 'Problem' : [ 0x194, ['unsigned long']], 'ProblemStatus' : [ 0x198, ['long']], 'ResourceList' : [ 0x1a0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x1b0, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x1b8, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x1c4, ['unsigned long']], 'ChildInterfaceType' : [ 0x1c8, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x1cc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x1d0, ['unsigned short']], 'RemovalPolicy' : [ 0x1d2, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x1d3, 
['unsigned char']], 'TargetDeviceNotify' : [ 0x1d8, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x1e8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1f8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x208, ['unsigned short']], 'QueryTranslatorMask' : [ 0x20a, ['unsigned short']], 'NoArbiterMask' : [ 0x20c, ['unsigned short']], 'QueryArbiterMask' : [ 0x20e, ['unsigned short']], 'OverUsed1' : [ 0x210, ['__unnamed_1785']], 'OverUsed2' : [ 0x218, ['__unnamed_1787']], 'BootResources' : [ 0x220, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x228, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x230, ['unsigned long']], 'DockInfo' : [ 0x238, ['__unnamed_178b']], 'DisableableDepends' : [ 0x258, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x260, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x270, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x280, ['unsigned long']], 'PreviousParent' : [ 0x288, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x290, ['unsigned long']], 'NumaNodeIndex' : [ 0x294, ['unsigned long']], 'ContainerID' : [ 0x298, ['_GUID']], 'OverrideFlags' : [ 0x2a8, ['unsigned char']], 'DeviceIdsHash' : [ 0x2ac, ['unsigned long']], 'RequiresUnloadedDriver' : [ 0x2b0, ['unsigned char']], 'PendingEjectRelations' : [ 0x2b8, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], 'StateFlags' : [ 0x2c0, ['unsigned long']], } ], '_KAFFINITY_EX' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 20, ['unsigned long long']]], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', 
dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 
'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 
0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 
'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1835' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1835']], } ], '__unnamed_183c' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, 
['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], 'SetContextEx' : [ 0x0, ['_DBGKD_CONTEXT_EX']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_183c']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 
0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_POP_FX_COMPONENT_FLAGS' : [ 0x8, { 'Value' : [ 0x0, ['long']], 'Value2' : [ 0x4, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'Idling' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Active' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'CriticalIdleOverride' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ResidentOverride' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_POP_FX_DEVICE_STATUS' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'SystemTransition' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PepD0Notify' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IdleTimerOn' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'IgnoreIdleTimeout' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'IrpInUse' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'IrpPending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DPNRDeviceNotified' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DPNRReceivedFromPep' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } 
], '_POP_RW_LOCK' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], } ], '_VOLUME_CACHE_MAP' : [ 0xb8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'DirtyPages' : [ 0x20, ['unsigned long long']], 'LogHandleContext' : [ 0x28, ['_LOG_HANDLE_CONTEXT']], 'Flags' : [ 0xa8, ['unsigned long']], 'PagesQueuedToDisk' : [ 0xac, ['unsigned long']], 'LoggedPagesQueuedToDisk' : [ 0xb0, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x208, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'V1' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V1']], 'V2' : [ 0xf0, ['_LOGGED_STREAM_CALLBACK_V2']], 'LargestLSN' : [ 0x100, 
['_LARGE_INTEGER']], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x118, ['_FAST_MUTEX']], 'LastUnmapBehindOffset' : [ 0x150, ['_LARGE_INTEGER']], 'Event' : [ 0x158, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x170, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x178, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1f0, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1f8, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x200, ['unsigned long']], 'WritesInProgress' : [ 0x204, ['unsigned long']], } ], '__unnamed_18c0' : [ 0x10, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], 'Links' : [ 0x0, ['_LIST_ENTRY']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_18c0']], 'ArrayHead' : [ 0x20, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_18e1' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_18e3' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_18e5' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_18e7' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_18e9' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_18e1']], 'Write' : [ 0x0, ['__unnamed_18e3']], 'Event' : [ 0x0, ['__unnamed_18e5']], 'Notification' : [ 0x0, ['__unnamed_18e7']], } ], '_WORK_QUEUE_ENTRY' : [ 0x20, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_18e9']], 'Function' : [ 0x18, ['unsigned char']], } ], '_CC_EXTERNAL_CACHE_INFO' : [ 0x30, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x8, ['_DIRTY_PAGE_STATISTICS']], 'Links' : [ 0x20, ['_LIST_ENTRY']], } ], '_LOG_HANDLE_CONTEXT' : [ 0x80, { 
'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], 'QueryLogHandleInfoRoutine' : [ 0x10, ['pointer64', ['void']]], 'DirtyPageStatistics' : [ 0x18, ['_DIRTY_PAGE_STATISTICS']], 'DirtyPageThresholds' : [ 0x30, ['_DIRTY_PAGE_THRESHOLDS']], 'AdditionalPagesToWrite' : [ 0x50, ['unsigned long']], 'CcLWScanDPThreshold' : [ 0x54, ['unsigned long']], 'LargestLsnForCurrentLWScan' : [ 0x58, ['_LARGE_INTEGER']], 'RelatedFileObject' : [ 0x60, ['pointer64', ['_FILE_OBJECT']]], 'LargestLsnFileObjectKey' : [ 0x68, ['unsigned long long']], 'LastLWTimeStamp' : [ 0x70, ['_LARGE_INTEGER']], 'Flags' : [ 0x78, ['unsigned long']], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', 
['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x298, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'Interceptor' : [ 0x90, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x94, ['unsigned long']], 'Signature' : [ 0x98, ['unsigned long']], 'SegmentReserve' : [ 0xa0, ['unsigned long long']], 'SegmentCommit' : [ 0xa8, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb0, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xb8, ['unsigned long long']], 'TotalFreeSize' : [ 0xc0, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xc8, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd0, ['unsigned short']], 'HeaderValidateLength' : [ 0xd2, ['unsigned short']], 'HeaderValidateCopy' : [ 0xd8, 
['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe0, ['unsigned short']], 'MaximumTagIndex' : [ 0xe2, ['unsigned short']], 'TagEntries' : [ 0xe8, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf0, ['_LIST_ENTRY']], 'AlignRound' : [ 0x100, ['unsigned long long']], 'AlignMask' : [ 0x108, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x110, ['_LIST_ENTRY']], 'SegmentList' : [ 0x120, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x130, ['unsigned short']], 'NonDedicatedListLength' : [ 0x134, ['unsigned long']], 'BlocksIndex' : [ 0x138, ['pointer64', ['void']]], 'UCRIndex' : [ 0x140, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x148, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x150, ['_LIST_ENTRY']], 'LockVariable' : [ 0x160, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x168, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x170, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x178, ['unsigned short']], 'FrontEndHeapType' : [ 0x17a, ['unsigned char']], 'RequestedFrontEndHeapType' : [ 0x17b, ['unsigned char']], 'FrontEndHeapUsageData' : [ 0x180, ['pointer64', ['unsigned short']]], 'FrontEndHeapMaximumIndex' : [ 0x188, ['unsigned short']], 'FrontEndHeapStatusBitmap' : [ 0x18a, ['array', 129, ['unsigned char']]], 'Counters' : [ 0x210, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x288, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1956' : [ 0x68, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_1956']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long 
long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 
0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'Code234' : [ 0xc, ['unsigned long']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_19ab' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_19ad' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19ab']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_19af' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_19b1' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_19af']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_19ad']], 'u2' : [ 0x4, ['__unnamed_19b1']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x30, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 
'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'LookasideIndex' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Counters' : [ 0x10, ['pointer64', ['_BLOB_COUNTERS']]], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], } ], '__unnamed_19cc' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_19ce' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_19cc']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x20, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_19ce']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x14, ['long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_19dd' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_19df' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19dd']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_19df']], 'NumberOfRegions' : [ 
0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_19e8' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_19ea' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19e8']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_19ea']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_19f0' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_19f2' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19f0']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_19f2']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x40, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 
'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_1a0e' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_1a10' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a0e']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1b8, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, 
['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'IncomingQueueLock' : [ 0x88, ['_EX_PUSH_LOCK']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa0, ['_LIST_ENTRY']], 'PendingQueueLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'PendingQueue' : [ 0xb8, ['_LIST_ENTRY']], 'WaitQueueLock' : [ 0xc8, ['_EX_PUSH_LOCK']], 'WaitQueue' : [ 0xd0, ['_LIST_ENTRY']], 'Semaphore' : [ 0xe0, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xe0, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0xe8, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x130, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x138, ['_LIST_ENTRY']], 'PortObjectLock' : [ 0x148, ['_EX_PUSH_LOCK']], 'CompletionList' : [ 0x150, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0x158, ['pointer64', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0x160, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x168, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x170, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x180, ['long']], 'u1' : [ 0x184, ['__unnamed_1a10']], 'TargetQueuePort' : [ 0x188, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x190, ['pointer64', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x198, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x1a0, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x1a4, ['unsigned long']], 'PendingQueueLength' : [ 0x1a8, ['unsigned long']], 'CanceledQueueLength' : [ 0x1ac, ['unsigned long']], 'WaitQueueLength' : [ 0x1b0, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0xa0, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 
'CompletionListLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'Mdl' : [ 0x20, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x28, ['pointer64', ['void']]], 'UserLimit' : [ 0x30, ['pointer64', ['void']]], 'DataUserVa' : [ 0x38, ['pointer64', ['void']]], 'SystemVa' : [ 0x40, ['pointer64', ['void']]], 'TotalSize' : [ 0x48, ['unsigned long long']], 'Header' : [ 0x50, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x58, ['pointer64', ['void']]], 'ListSize' : [ 0x60, ['unsigned long long']], 'Bitmap' : [ 0x68, ['pointer64', ['void']]], 'BitmapSize' : [ 0x70, ['unsigned long long']], 'Data' : [ 0x78, ['pointer64', ['void']]], 'DataSize' : [ 0x80, ['unsigned long long']], 'BitmapLimit' : [ 0x88, ['unsigned long']], 'BitmapNextHint' : [ 0x8c, ['unsigned long']], 'ConcurrencyCount' : [ 0x90, ['unsigned long']], 'AttributeFlags' : [ 0x94, ['unsigned long']], 'AttributeSize' : [ 0x98, ['unsigned long']], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_TYPE' : [ 0xd8, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'Key' : [ 0xc0, ['unsigned long']], 'CallbackList' : [ 0xc8, ['_LIST_ENTRY']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_19ad']], 'u2' : [ 0x4, ['__unnamed_19b1']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 
'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1a32' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1a34' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a32']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x108, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'PortQueue' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'WaitingThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'u1' : [ 0x28, ['__unnamed_1a34']], 'SequenceNo' : [ 0x2c, ['long']], 'QuotaProcess' : [ 0x30, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x30, ['pointer64', ['void']]], 'CancelSequencePort' : [ 
0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x40, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x48, ['long']], 'CancelListEntry' : [ 0x50, ['_LIST_ENTRY']], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'MessageAttributes' : [ 0x68, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xa0, ['pointer64', ['void']]], 'DataSystemVa' : [ 0xa8, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xb0, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xb8, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xc0, ['pointer64', ['_ETHREAD']]], 'WakeReference' : [ 0xc8, ['pointer64', ['void']]], 'ExtensionBuffer' : [ 0xd0, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0xd8, ['unsigned long long']], 'PortMessage' : [ 0xe0, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer64', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1a6b' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned 
long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a6d' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a6b']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1a6d']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'Flags' : [ 0x28, ['unsigned long']], 'TotalLength' : [ 0x2c, ['unsigned short']], 'Type' : [ 0x2e, ['unsigned short']], 'DataInfoOffset' : [ 0x30, ['unsigned short']], 'SignalCompletion' : [ 0x32, ['unsigned char']], 'PostedToCompletionList' : [ 0x33, ['unsigned char']], } ], '_IOP_IRP_EXTENSION' : [ 0x20, { 'ExtensionFlags' : [ 0x0, ['unsigned short']], 'Allocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PropagateId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'TimeStamped' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned 
short')]], 'SpareBits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'TypesAllocated' : [ 0x2, ['unsigned short']], 'ActivityId' : [ 0x4, ['_GUID']], 'Timestamp' : [ 0x18, ['_LARGE_INTEGER']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x48, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 
'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'ReferencedDeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, ['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned char']], 'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'AccessMode' : [ 0x94, ['unsigned char']], 'DriverCreateContext' : [ 0x98, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 
'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '__unnamed_1b34' : [ 0x4, { 'MajorVersion' : [ 0x0, ['unsigned char']], 'MinorVersion' : [ 0x1, ['unsigned char']], 'SubVersion' : [ 0x2, ['unsigned char']], 'SubMinorVersion' : [ 0x3, ['unsigned char']], } ], '_TRACE_LOGFILE_HEADER' : [ 0x118, { 'BufferSize' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'VersionDetail' : [ 0x4, ['__unnamed_1b34']], 'ProviderVersion' : [ 0x8, ['unsigned long']], 'NumberOfProcessors' : [ 0xc, ['unsigned long']], 'EndTime' : [ 0x10, ['_LARGE_INTEGER']], 'TimerResolution' : [ 0x18, ['unsigned long']], 'MaximumFileSize' : [ 0x1c, ['unsigned long']], 'LogFileMode' : [ 0x20, ['unsigned long']], 'BuffersWritten' : [ 0x24, ['unsigned long']], 'LogInstanceGuid' : [ 0x28, ['_GUID']], 'StartBuffers' : [ 0x28, ['unsigned long']], 'PointerSize' : [ 0x2c, ['unsigned long']], 'EventsLost' : [ 0x30, ['unsigned long']], 'CpuSpeedInMHz' : [ 0x34, ['unsigned long']], 'LoggerName' : [ 0x38, ['pointer64', ['unsigned short']]], 'LogFileName' : [ 0x40, ['pointer64', ['unsigned short']]], 'TimeZone' : [ 0x48, ['_RTL_TIME_ZONE_INFORMATION']], 'BootTime' : [ 0xf8, ['_LARGE_INTEGER']], 'PerfFreq' : [ 0x100, ['_LARGE_INTEGER']], 'StartTime' : [ 0x108, ['_LARGE_INTEGER']], 'ReservedFlags' : [ 0x110, ['unsigned long']], 'BuffersLost' : [ 0x114, ['unsigned long']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x378, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'LoggerMode' : [ 0xc, ['unsigned long']], 'AcceptNewEvents' : [ 0x10, ['long']], 'EventMarker' : [ 0x14, ['array', 2, ['unsigned long']]], 'ErrorMarker' : [ 0x1c, ['unsigned long']], 'SizeMask' : [ 
0x20, ['unsigned long']], 'GetCpuClock' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'FailureReason' : [ 0x3c, ['unsigned long']], 'BufferQueue' : [ 0x40, ['_ETW_BUFFER_QUEUE']], 'OverflowQueue' : [ 0x58, ['_ETW_BUFFER_QUEUE']], 'GlobalList' : [ 0x70, ['_LIST_ENTRY']], 'ProviderBinaryList' : [ 0x80, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x90, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x90, ['_EX_FAST_REF']], 'LoggerName' : [ 0x98, ['_UNICODE_STRING']], 'LogFileName' : [ 0xa8, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0xb8, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xc8, ['_UNICODE_STRING']], 'ClockType' : [ 0xd8, ['unsigned long']], 'LastFlushedBuffer' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'FlushThreshold' : [ 0xe4, ['unsigned long']], 'ByteOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xf0, ['unsigned long']], 'BuffersAvailable' : [ 0xf4, ['long']], 'NumberOfBuffers' : [ 0xf8, ['long']], 'MaximumBuffers' : [ 0xfc, ['unsigned long']], 'EventsLost' : [ 0x100, ['unsigned long']], 'BuffersWritten' : [ 0x104, ['unsigned long']], 'LogBuffersLost' : [ 0x108, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x10c, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x110, ['unsigned long']], 'SequencePtr' : [ 0x118, ['pointer64', ['long']]], 'LocalSequence' : [ 0x120, ['unsigned long']], 'InstanceGuid' : [ 0x124, ['_GUID']], 'MaximumFileSize' : [ 0x134, ['unsigned long']], 'FileCounter' : [ 0x138, ['long']], 'PoolType' : [ 0x13c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 
'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x140, ['_ETW_REF_CLOCK']], 'CollectionOn' : [ 0x150, ['long']], 'ProviderInfoSize' : [ 0x154, ['unsigned long']], 'Consumers' : [ 0x158, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x168, ['unsigned long']], 'TransitionConsumer' : [ 0x170, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x178, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x180, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x190, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x1a0, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1a8, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1b0, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1b8, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1c0, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1d0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1d8, ['_KEVENT']], 'FlushEvent' : [ 0x1f0, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x208, ['_KTIMER']], 'LoggerDpc' : [ 0x248, ['_KDPC']], 'LoggerMutex' : [ 0x288, ['_KMUTANT']], 'LoggerLock' : [ 0x2c0, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2c8, ['unsigned long long']], 'BufferListPushLock' : [ 0x2c8, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2d0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x318, ['_EX_FAST_REF']], 'StartTime' : [ 0x320, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x328, ['pointer64', ['void']]], 'BufferSequenceNumber' : [ 0x330, ['long long']], 'Flags' : [ 0x338, ['unsigned long']], 'Persistent' : [ 0x338, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x338, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x338, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x338, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x338, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x338, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x338, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x338, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x338, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x338, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PebsTracing' : [ 0x338, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PmcCounters' : [ 0x338, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageAlignBuffers' : [ 0x338, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SpareFlags1' : [ 0x338, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'SystemLoggerIndex' : [ 0x338, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'StackCaching' : [ 0x338, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SpareFlags2' : [ 0x338, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long')]], 'RequestFlag' : [ 0x33c, ['unsigned long']], 'DbgRequestNewFie' : [ 0x33c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgRequestUpdateFile' : [ 0x33c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgRequestFlush' : [ 0x33c, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'DbgRequestDisableRealtime' : [ 0x33c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgRequestDisconnectConsumer' : [ 0x33c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgRequestConnectConsumer' : [ 0x33c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgRequestNotifyConsumer' : [ 0x33c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DbgRequestUpdateHeader' : [ 0x33c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'DbgRequestDefferdFlush' : [ 0x33c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DbgRequestDefferdFlushTimer' : [ 0x33c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DbgRequestFlushTimer' : [ 0x33c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DbgRequestUpdateDebugger' : [ 0x33c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DbgSpareRequestFlags' : [ 0x33c, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], 'HookIdMap' : [ 0x340, ['_RTL_BITMAP']], 'StackCache' : [ 0x350, ['pointer64', ['_ETW_STACK_CACHE']]], 'PmcData' : [ 0x358, ['pointer64', ['_ETW_PMC_SUPPORT']]], 'WinRtProviderBinaryList' : [ 0x360, ['_LIST_ENTRY']], 'ScratchArray' : [ 0x370, ['pointer64', ['pointer64', ['_WMI_BUFFER_HEADER']]]], } ], '_ETW_PMC_SUPPORT' : [ 0x28, { 'Source' : [ 0x0, ['array', -16, ['Enumeration', dict(target = 'long', choices = {0: 'ProfileTime', 1: 'ProfileAlignmentFixup', 2: 'ProfileTotalIssues', 3: 'ProfilePipelineDry', 4: 'ProfileLoadInstructions', 5: 'ProfilePipelineFrozen', 6: 'ProfileBranchInstructions', 7: 'ProfileTotalNonissues', 8: 'ProfileDcacheMisses', 9: 'ProfileIcacheMisses', 10: 'ProfileCacheMisses', 11: 'ProfileBranchMispredictions', 12: 'ProfileStoreInstructions', 13: 'ProfileFpInstructions', 
14: 'ProfileIntegerInstructions', 15: 'Profile2Issue', 16: 'Profile3Issue', 17: 'Profile4Issue', 18: 'ProfileSpecialInstructions', 19: 'ProfileTotalCycles', 20: 'ProfileIcacheIssues', 21: 'ProfileDcacheAccesses', 22: 'ProfileMemoryBarrierCycles', 23: 'ProfileLoadLinkedIssues', 24: 'ProfileMaximum'})]]], 'HookIdCount' : [ 0x10, ['unsigned long']], 'HookId' : [ 0x14, ['array', 4, ['unsigned short']]], 'CountersCount' : [ 0x1c, ['unsigned long']], 'ProcessorCtrs' : [ 0x20, ['array', 1, ['pointer64', ['_HAL_PMC_COUNTERS']]]], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x458, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x78, ['unsigned long']], 'UserAndGroupCount' : [ 0x7c, ['unsigned long']], 'RestrictedSidCount' : [ 0x80, ['unsigned long']], 'VariableLength' : [ 0x84, ['unsigned long']], 'DynamicCharged' : [ 0x88, ['unsigned long']], 'DynamicAvailable' : [ 0x8c, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x90, ['unsigned long']], 'UserAndGroups' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0xa0, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa8, ['pointer64', ['void']]], 'DynamicPart' : [ 0xb0, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb8, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xc4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 
'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc8, ['unsigned long']], 'TokenInUse' : [ 0xcc, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xd0, ['unsigned long']], 'MandatoryPolicy' : [ 0xd4, ['unsigned long']], 'LogonSession' : [ 0xd8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe0, ['_LUID']], 'SidHash' : [ 0xe8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f8, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x308, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'Package' : [ 0x310, ['pointer64', ['void']]], 'Capabilities' : [ 0x318, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapabilityCount' : [ 0x320, ['unsigned long']], 'CapabilitiesHash' : [ 0x328, ['_SID_AND_ATTRIBUTES_HASH']], 'LowboxNumberEntry' : [ 0x438, ['pointer64', ['_SEP_LOWBOX_NUMBER_ENTRY']]], 'LowboxHandlesEntry' : [ 0x440, ['pointer64', ['_SEP_LOWBOX_HANDLES_ENTRY']]], 'pClaimAttributes' : [ 0x448, ['pointer64', ['_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION']]], 'VariablePart' : [ 0x450, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x60, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], 'LowBoxHandlesTable' : [ 0x50, ['_SEP_LOWBOX_HANDLES_TABLE']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 'DbgRefTrace' : [ 0x19, ['BitField', dict(start_bit = 0, end_bit 
= 1, native_type='unsigned char')]], 'DbgTracePermanent' : [ 0x19, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'Spare' : [ 0x1c, ['unsigned long']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBJECT_HEADER_AUDIT_INFO' : [ 0x10, { 'SecurityDescriptor' : [ 0x0, ['pointer64', ['void']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x28, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'EntryLink' : [ 0x10, ['pointer64', ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'HashValue' : [ 0x18, ['unsigned long']], 'HashIndex' : [ 0x1c, ['unsigned 
short']], 'DirectoryLocked' : [ 0x1e, ['unsigned char']], 'LockedExclusive' : [ 0x1f, ['unsigned char']], 'LockStateSignature' : [ 0x20, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'ShadowDirectory' : [ 0x130, ['pointer64', ['_OBJECT_DIRECTORY']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_WHEAP_INFO_BLOCK' : [ 0x18, { 'ErrorSourceCount' : [ 0x0, ['unsigned long']], 'ErrorSourceTable' : [ 0x8, ['pointer64', ['_WHEAP_ERROR_SOURCE_TABLE']]], 'WorkQueue' : [ 0x10, ['pointer64', ['_WHEAP_WORK_QUEUE']]], } ], '_WHEAP_ERROR_SOURCE' : [ 0x428, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FailedAllocations' : [ 0x10, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x14, ['unsigned long']], 'ErrorCount' : [ 0x18, ['long']], 'RecordCount' : [ 0x1c, ['unsigned long']], 'RecordLength' : [ 0x20, ['unsigned long']], 'PoolTag' : [ 0x24, ['unsigned long']], 'Type' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Records' : [ 0x30, ['pointer64', ['_WHEAP_ERROR_RECORD_WRAPPER']]], 'Context' : [ 0x38, ['pointer64', ['void']]], 'SectionCount' : [ 0x40, ['unsigned long']], 'SectionLength' : [ 0x44, ['unsigned long']], 'TickCountAtLastError' : [ 0x48, ['_LARGE_INTEGER']], 'AccumulatedErrors' : [ 0x50, ['unsigned long']], 'TotalErrors' : [ 0x54, ['unsigned long']], 'Deferred' : [ 0x58, ['unsigned char']], 'Descriptor' : [ 0x59, 
['_WHEA_ERROR_SOURCE_DESCRIPTOR']], } ], '_WHEAP_ERROR_RECORD_WRAPPER' : [ 0xf0, { 'WorkEntry' : [ 0x0, ['_LIST_ENTRY']], 'Length' : [ 0x10, ['unsigned long']], 'ProcessorNumber' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['_WHEAP_ERROR_RECORD_WRAPPER_FLAGS']], 'InUse' : [ 0x1c, ['long']], 'ErrorSource' : [ 0x20, ['pointer64', ['_WHEAP_ERROR_SOURCE']]], 'ErrorRecord' : [ 0x28, ['_WHEA_ERROR_RECORD']], } ], '_KSECONDARY_IDT_ENTRY' : [ 0x30, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'ConnectLock' : [ 0x8, ['_KEVENT']], 'LineMasked' : [ 0x20, ['unsigned char']], 'InterruptList' : [ 0x28, ['pointer64', ['_KINTERRUPT']]], } ], '_WNF_STATE_NAME' : [ 0x8, { 'Data' : [ 0x0, ['array', 2, ['unsigned long']]], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'ArmCeControlSet' : [ 0x0, ['_ARMCE_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_POP_FX_PLUGIN' : [ 0x98, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Version' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long long']], 'WorkOrder' : [ 0x20, ['_POP_FX_WORK_ORDER']], 'WorkQueue' : [ 0x48, ['_KQUEUE']], 'AcceptDeviceNotification' : [ 0x88, ['pointer64', ['void']]], 'AcceptProcessorNotification' : [ 0x90, ['pointer64', ['void']]], } ], 
'_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, 
native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_KENTROPY_TIMING_STATE' : [ 0x150, { 'EntropyCount' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['array', 64, ['unsigned long']]], 'Dpc' : [ 0x108, ['_KDPC']], 'LastDeliveredBuffer' : [ 0x148, ['unsigned long']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Wake' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned char']], 
'Signalling' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupScheduling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'AffinitySet' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved2' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'LockNV' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, 
['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'WaitResponse' : [ 0xc, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], } ], '_HEAP_COUNTERS' : [ 0x78, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'PollIntervalCounter' : [ 0x48, ['unsigned long']], 'DecommitsSinceLastCheck' : [ 0x4c, ['unsigned long']], 'HeapPollInterval' : [ 0x50, ['unsigned long']], 'AllocAndFreeOps' : [ 0x54, ['unsigned long']], 'AllocationIndicesActive' : [ 0x58, ['unsigned long']], 'InBlockDeccommits' : [ 0x5c, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x60, ['unsigned long long']], 'HighWatermarkSize' : [ 0x68, ['unsigned long long']], 'LastPolledSize' : [ 0x70, ['unsigned long long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', 
['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_POP_FX_WORK_ORDER' : [ 0x28, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkCount' : [ 0x20, ['long']], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 
0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'Reserved' : [ 0x20, ['array', 3, ['pointer64', ['void']]]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['unsigned long long']], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], 'tagSWITCH_CONTEXT_DATA' : [ 0x40, { 'guPlatform' : [ 0x0, ['_GUID']], 'guMinPlatform' : [ 0x10, ['_GUID']], 'ulElementCount' : [ 0x20, ['unsigned long']], 'ulContextMinimum' : [ 0x24, ['unsigned short']], 'ullOsMaxVersionTested' : [ 0x28, ['unsigned long long']], 'guElements' : [ 0x30, ['array', 1, ['_GUID']]], } ], '_WHEAP_ERROR_SOURCE_TABLE' : [ 0x30, { 'Signature' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['long']], 'Items' : [ 0x8, ['_LIST_ENTRY']], 'InsertLock' : [ 0x18, ['_KEVENT']], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', 
['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WaitType' : [ 0x10, ['unsigned char']], 'BlockState' : [ 0x11, ['unsigned char']], 'WaitKey' : [ 0x12, ['unsigned short']], 'SpareLong' : [ 0x14, ['long']], 'Thread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NotificationQueue' : [ 0x18, ['pointer64', ['_KQUEUE']]], 'Object' : [ 0x20, ['pointer64', ['void']]], 'SparePtr' : [ 0x28, ['pointer64', ['void']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'DemandFillProto' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'HiberVerifyConverted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Combined' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 
0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'SamplingPeriod' : [ 0xc, ['unsigned long']], 'CurrentTemperature' : [ 0x10, ['unsigned long']], 'PassiveTripPoint' : [ 0x14, ['unsigned long']], 'CriticalTripPoint' : [ 0x18, ['unsigned long']], 'ActiveTripPointCount' : [ 0x1c, ['unsigned char']], 'ActiveTripPoint' : [ 0x20, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x48, ['unsigned long']], } ], '__unnamed_1cb1' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1cb3' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', 
dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1cb1']], 'Private' : [ 0x0, ['__unnamed_1cb3']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, 
['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x10, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], } ], '_AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION' : [ 0x260, { 'DeviceGroupsCount' : [ 0x0, ['unsigned long']], 'pDeviceGroups' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedDeviceGroupsCount' : [ 0x10, ['unsigned long']], 'pRestrictedDeviceGroups' : [ 0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'DeviceGroupsHash' : [ 0x20, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedDeviceGroupsHash' : [ 0x130, ['_SID_AND_ATTRIBUTES_HASH']], 'pUserSecurityAttributes' : [ 0x240, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pDeviceSecurityAttributes' : [ 0x248, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedUserSecurityAttributes' : [ 0x250, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'pRestrictedDeviceSecurityAttributes' : [ 0x258, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, 
['unsigned char']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_LEARNING_MODE_DATA' : [ 0x8, { 'Settings' : [ 0x0, ['unsigned long']], 'Enabled' : [ 0x4, ['unsigned char']], 'PermissiveModeEnabled' : [ 0x5, ['unsigned char']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x4a8, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'TotalCycleTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb8, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xc0, ['_LARGE_INTEGER']], 'TotalContextSwitches' : [ 0xc8, ['unsigned long long']], 'TotalPageFaultCount' : [ 0xd0, ['unsigned long']], 'TotalProcesses' : [ 0xd4, ['unsigned long']], 'ActiveProcesses' : [ 0xd8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xdc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xe0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xe8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xf0, 
['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf8, ['unsigned long long']], 'LimitFlags' : [ 0x100, ['unsigned long']], 'ActiveProcessLimit' : [ 0x104, ['unsigned long']], 'Affinity' : [ 0x108, ['_KAFFINITY_EX']], 'AccessState' : [ 0x1b0, ['pointer64', ['_JOB_ACCESS_STATE']]], 'AccessStateQuotaReference' : [ 0x1b8, ['pointer64', ['void']]], 'UIRestrictionsClass' : [ 0x1c0, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x1c4, ['unsigned long']], 'CompletionPort' : [ 0x1c8, ['pointer64', ['void']]], 'CompletionKey' : [ 0x1d0, ['pointer64', ['void']]], 'CompletionCount' : [ 0x1d8, ['unsigned long long']], 'SessionId' : [ 0x1e0, ['unsigned long']], 'SchedulingClass' : [ 0x1e4, ['unsigned long']], 'ReadOperationCount' : [ 0x1e8, ['unsigned long long']], 'WriteOperationCount' : [ 0x1f0, ['unsigned long long']], 'OtherOperationCount' : [ 0x1f8, ['unsigned long long']], 'ReadTransferCount' : [ 0x200, ['unsigned long long']], 'WriteTransferCount' : [ 0x208, ['unsigned long long']], 'OtherTransferCount' : [ 0x210, ['unsigned long long']], 'DiskIoInfo' : [ 0x218, ['_PROCESS_DISK_COUNTERS']], 'ProcessMemoryLimit' : [ 0x240, ['unsigned long long']], 'JobMemoryLimit' : [ 0x248, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x250, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x258, ['unsigned long long']], 'EffectiveAffinity' : [ 0x260, ['_KAFFINITY_EX']], 'EffectivePerProcessUserTimeLimit' : [ 0x308, ['_LARGE_INTEGER']], 'EffectiveMinimumWorkingSetSize' : [ 0x310, ['unsigned long long']], 'EffectiveMaximumWorkingSetSize' : [ 0x318, ['unsigned long long']], 'EffectiveProcessMemoryLimit' : [ 0x320, ['unsigned long long']], 'EffectiveProcessMemoryLimitJob' : [ 0x328, ['pointer64', ['_EJOB']]], 'EffectivePerProcessUserTimeLimitJob' : [ 0x330, ['pointer64', ['_EJOB']]], 'EffectiveLimitFlags' : [ 0x338, ['unsigned long']], 'EffectiveSchedulingClass' : [ 0x33c, ['unsigned long']], 'EffectiveFreezeCount' : [ 0x340, ['unsigned long']], 'EffectiveBackgroundCount' : [ 
0x344, ['unsigned long']], 'EffectiveSwapCount' : [ 0x348, ['unsigned long']], 'EffectiveNotificationLimitCount' : [ 0x34c, ['unsigned long']], 'EffectivePriorityClass' : [ 0x350, ['unsigned char']], 'PriorityClass' : [ 0x351, ['unsigned char']], 'Reserved1' : [ 0x352, ['array', 2, ['unsigned char']]], 'CompletionFilter' : [ 0x354, ['unsigned long']], 'WakeChannel' : [ 0x358, ['_WNF_STATE_NAME']], 'WakeInfo' : [ 0x358, ['_PS_WAKE_INFORMATION']], 'WakeFilter' : [ 0x3a0, ['_JOBOBJECT_WAKE_FILTER']], 'LowEdgeLatchFilter' : [ 0x3a8, ['unsigned long']], 'OwnedHighEdgeFilters' : [ 0x3ac, ['unsigned long']], 'NotificationLink' : [ 0x3b0, ['pointer64', ['_EJOB']]], 'CurrentJobMemoryUsed' : [ 0x3b8, ['unsigned long long']], 'NotificationInfo' : [ 0x3c0, ['pointer64', ['_JOB_NOTIFICATION_INFORMATION']]], 'NotificationInfoQuotaReference' : [ 0x3c8, ['pointer64', ['void']]], 'NotificationPacket' : [ 0x3d0, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'CpuRateControl' : [ 0x3d8, ['pointer64', ['_JOB_CPU_RATE_CONTROL']]], 'EffectiveSchedulingGroup' : [ 0x3e0, ['pointer64', ['void']]], 'MemoryLimitsLock' : [ 0x3e8, ['_EX_PUSH_LOCK']], 'SiblingJobLinks' : [ 0x3f0, ['_LIST_ENTRY']], 'ChildJobListHead' : [ 0x400, ['_LIST_ENTRY']], 'ParentJob' : [ 0x410, ['pointer64', ['_EJOB']]], 'RootJob' : [ 0x418, ['pointer64', ['_EJOB']]], 'IteratorListHead' : [ 0x420, ['_LIST_ENTRY']], 'Accounting' : [ 0x430, ['_EPROCESS_VALUES']], 'ShadowActiveProcessCount' : [ 0x480, ['unsigned long']], 'SequenceNumber' : [ 0x484, ['unsigned long']], 'TimerListLock' : [ 0x488, ['unsigned long long']], 'TimerListHead' : [ 0x490, ['_LIST_ENTRY']], 'JobFlags' : [ 0x4a0, ['unsigned long']], 'CloseDone' : [ 0x4a0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MultiGroup' : [ 0x4a0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OutstandingNotification' : [ 0x4a0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'NotificationInProgress' : [ 0x4a0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UILimits' : [ 0x4a0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CpuRateControlActive' : [ 0x4a0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OwnCpuRateControl' : [ 0x4a0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Terminating' : [ 0x4a0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'WorkingSetLock' : [ 0x4a0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'JobFrozen' : [ 0x4a0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Background' : [ 0x4a0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeNotificationAllocated' : [ 0x4a0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeNotificationEnabled' : [ 0x4a0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeNotificationPending' : [ 0x4a0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'LimitNotificationRequired' : [ 0x4a0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ZeroCountNotificationRequired' : [ 0x4a0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'CycleTimeNotificationRequired' : [ 0x4a0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'CycleTimeNotificationPending' : [ 0x4a0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'TimersVirtualized' : [ 0x4a0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'JobSwapped' : [ 0x4a0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ViolationDetected' : [ 0x4a0, ['BitField', dict(start_bit = 20, end_bit = 21, 
native_type='unsigned long')]], 'EmptyJobNotified' : [ 0x4a0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoSystemCharge' : [ 0x4a0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'SpareJobFlags' : [ 0x4a0, ['BitField', dict(start_bit = 23, end_bit = 32, native_type='unsigned long')]], 'EffectiveHighEdgeFilters' : [ 0x4a4, ['unsigned long']], } ], '_PPM_IDLE_STATES' : [ 0x2d8, { 'ForceIdle' : [ 0x0, ['unsigned char']], 'EstimateIdleDuration' : [ 0x1, ['unsigned char']], 'ExitLatencyTraceEnabled' : [ 0x2, ['unsigned char']], 'ExitLatencyCountdown' : [ 0x4, ['unsigned long']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'ActualPlatformState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'OverrideIndex' : [ 0x18, ['unsigned long']], 'PlatformIdleCount' : [ 0x1c, ['unsigned long']], 'ProcessorIdleCount' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['unsigned long']], 'ReasonFlags' : [ 0x28, ['unsigned long']], 'InitiateWakeStamp' : [ 0x30, ['long long']], 'PreviousStatus' : [ 0x38, ['long']], 'PrimaryProcessorMask' : [ 0x40, ['_KAFFINITY_EX']], 'SecondaryProcessorMask' : [ 0xe8, ['_KAFFINITY_EX']], 'IdlePrepare' : [ 0x190, ['pointer64', ['void']]], 'IdleExecute' : [ 0x198, ['pointer64', ['void']]], 'IdleComplete' : [ 0x1a0, ['pointer64', ['void']]], 'IdleCancel' : [ 0x1a8, ['pointer64', ['void']]], 'IdleIsHalted' : [ 0x1b0, ['pointer64', ['void']]], 'IdleInitiateWake' : [ 0x1b8, ['pointer64', ['void']]], 'PrepareInfo' : [ 0x1c0, ['_PROCESSOR_IDLE_PREPARE_INFO']], 'State' : [ 0x218, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x388, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned 
char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', 
['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 
0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pUnused' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, 
['unsigned long long']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x88, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned short']], 'Flags' : [ 0x5a, ['unsigned char']], 'ShutDownRequested' : [ 0x5a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'NewBuffersLost' : [ 0x5a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Disconnected' : [ 0x5a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Notified' : [ 0x5a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Wow' : [ 0x5a, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 
'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_FAST_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['_SINGLE_LIST_ENTRY']], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_BLOB_COUNTERS' : [ 0x8, { 'CreatedObjects' : [ 0x0, ['unsigned long']], 'DeletedObjects' : [ 0x4, ['unsigned long']], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, 
['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x48, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], 'KseCallbacks' : [ 0x38, ['pointer64', ['void']]], 'DvCallbacks' : [ 0x40, ['pointer64', ['void']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_WHEAP_WORK_QUEUE' : [ 0x88, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ListLock' : [ 0x10, ['unsigned long long']], 'ItemCount' : [ 0x18, ['long']], 'Dpc' : [ 0x20, ['_KDPC']], 'WorkItem' : [ 0x60, ['_WORK_QUEUE_ITEM']], 'WorkRoutine' : [ 0x80, ['pointer64', ['void']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xb0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 
'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'ActiveCount' : [ 0x66, ['unsigned short']], 'InternalState' : [ 0x68, ['long']], 'Mode' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptRisingEdge', 2: 'InterruptFallingEdge', 3: 'InterruptActiveBoth'})]], 'ServiceCount' : [ 0x74, ['unsigned long']], 'DispatchCount' : [ 0x78, ['unsigned long']], 'PassiveEvent' : [ 0x80, ['pointer64', ['_KEVENT']]], 'TrapFrame' : [ 0x88, ['pointer64', ['_KTRAP_FRAME']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], 'DisconnectData' : [ 0xa0, ['pointer64', ['void']]], 'ServiceThread' : [ 0xa8, ['pointer64', ['_KTHREAD']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned 
short']], } ], '_HIVE_LIST_ENTRY' : [ 0x88, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : 
[ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '__unnamed_1d69' : [ 0x3a4, { 'XpfMceDescriptor' : [ 0x0, ['_WHEA_XPF_MCE_DESCRIPTOR']], 'XpfCmcDescriptor' : [ 0x0, ['_WHEA_XPF_CMC_DESCRIPTOR']], 'XpfNmiDescriptor' : [ 0x0, ['_WHEA_XPF_NMI_DESCRIPTOR']], 'IpfMcaDescriptor' : [ 0x0, ['_WHEA_IPF_MCA_DESCRIPTOR']], 
'IpfCmcDescriptor' : [ 0x0, ['_WHEA_IPF_CMC_DESCRIPTOR']], 'IpfCpeDescriptor' : [ 0x0, ['_WHEA_IPF_CPE_DESCRIPTOR']], 'AerRootportDescriptor' : [ 0x0, ['_WHEA_AER_ROOTPORT_DESCRIPTOR']], 'AerEndpointDescriptor' : [ 0x0, ['_WHEA_AER_ENDPOINT_DESCRIPTOR']], 'AerBridgeDescriptor' : [ 0x0, ['_WHEA_AER_BRIDGE_DESCRIPTOR']], 'GenErrDescriptor' : [ 0x0, ['_WHEA_GENERIC_ERROR_DESCRIPTOR']], } ], '_WHEA_ERROR_SOURCE_DESCRIPTOR' : [ 0x3cc, { 'Length' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'State' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {1: 'WheaErrSrcStateStopped', 2: 'WheaErrSrcStateStarted'})]], 'MaxRawDataLength' : [ 0x10, ['unsigned long']], 'NumRecordsToPreallocate' : [ 0x14, ['unsigned long']], 'MaxSectionsPerRecord' : [ 0x18, ['unsigned long']], 'ErrorSourceId' : [ 0x1c, ['unsigned long']], 'PlatformErrorSourceId' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['unsigned long']], 'Info' : [ 0x28, ['__unnamed_1d69']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_EX_WORK_QUEUE' : [ 0x50, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'WorkItemsProcessed' : [ 0x40, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x44, ['unsigned long']], 'ThreadCount' : [ 0x48, ['long']], 'TryFailed' : [ 0x4c, ['unsigned char']], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_IOP_IRP_EXTENSION_STATUS' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ActivityId' : [ 0x4, ['unsigned long']], 'IoTracking' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', 
['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], 'PendingCoalescingFlushScan' : [ 0x86, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DEVICE_DESCRIPTION' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Master' : [ 0x4, ['unsigned char']], 'ScatterGather' : [ 0x5, ['unsigned char']], 'DemandMode' : [ 0x6, ['unsigned char']], 'AutoInitialize' : [ 0x7, ['unsigned char']], 'Dma32BitAddresses' : [ 0x8, ['unsigned char']], 'IgnoreCount' : [ 0x9, ['unsigned char']], 'Reserved1' : [ 0xa, ['unsigned char']], 'Dma64BitAddresses' : [ 0xb, ['unsigned char']], 'BusNumber' : [ 0xc, ['unsigned long']], 'DmaChannel' : [ 0x10, ['unsigned long']], 'InterfaceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'DmaWidth' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'Width8Bits', 1: 'Width16Bits', 2: 'Width32Bits', 3: 'Width64Bits', 4: 'WidthNoWrap', 5: 'MaximumDmaWidth'})]], 'DmaSpeed' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'Compatible', 1: 'TypeA', 2: 'TypeB', 3: 'TypeC', 4: 'TypeF', 5: 'MaximumDmaSpeed'})]], 'MaximumLength' : [ 0x20, ['unsigned long']], 'DmaPort' : [ 0x24, ['unsigned long']], 'DmaAddressWidth' : [ 0x28, ['unsigned long']], 'DmaControllerInstance' : [ 0x2c, ['unsigned long']], 'DmaRequestLine' : [ 0x30, ['unsigned long']], 'DeviceAddress' : [ 0x38, ['_LARGE_INTEGER']], } ], 
'_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_PROCESS_DISK_COUNTERS' : [ 0x28, { 'BytesRead' : [ 0x0, ['unsigned long long']], 'BytesWritten' : [ 0x8, ['unsigned long long']], 'ReadOperationCount' : [ 0x10, ['unsigned long long']], 'WriteOperationCount' : [ 0x18, ['unsigned long long']], 'FlushOperationCount' : [ 0x20, ['unsigned long long']], } ], '_IO_WORKITEM' : [ 0x50, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'Type' : [ 0x38, ['unsigned long']], 'ActivityId' : [ 0x3c, ['_GUID']], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_JOBOBJECT_WAKE_FILTER' : [ 0x8, { 'HighEdgeFilter' : [ 0x0, ['unsigned long']], 'LowEdgeFilter' : [ 0x4, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_MI_ACTIVE_WSLE' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 
0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_SESSION_LOWBOX_MAP' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'LowboxMap' : [ 0x18, ['_SEP_LOWBOX_NUMBER_MAPPING']], } ], '_PROCESSOR_PROFILE_CONTROL_AREA' : [ 0x60, { 'PebsDsSaveArea' : [ 0x0, ['_PEBS_DS_SAVE_AREA']], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0xa8, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', 
['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'RefCount' : [ 0x40, ['unsigned long']], 'Lock' : [ 0x44, ['unsigned long']], 'Cancel' : [ 0x48, ['unsigned char']], 'Parent' : [ 0x50, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'Data' : [ 0x58, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_PS_WAKE_INFORMATION' : [ 0x48, { 'NotificationChannel' : [ 0x0, ['unsigned long long']], 'WakeCounters' : [ 0x8, ['array', 8, ['unsigned long long']]], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_XSTATE_CONFIGURATION' : [ 0x218, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'EnabledVolatileFeatures' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'OptimizedSave' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x18, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, 
['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0x10, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x10, ['unsigned long']], 'NextHash' : [ 0x18, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x20, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x28, ['unsigned long']], 'KcbPushlock' : [ 0x30, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x38, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x38, ['long']], 'SlotHint' : [ 0x40, ['unsigned long']], 'ParentKcb' : [ 0x48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x50, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x60, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x70, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x70, ['unsigned long']], 'SubKeyCount' : [ 0x70, ['unsigned long']], 'KeyBodyListHead' : [ 0x78, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x78, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x88, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa8, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xb0, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xb2, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xb4, ['unsigned long']], 'KcbUserFlags' : [ 0xb8, ['BitField', 
dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb8, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InStore' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'PageFileReserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'PageFileAllocated' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 25, native_type='unsigned long long')]], 'DbgCrc' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long 
long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1dfc' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_1dfc']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['_MODWRITER_FLAGS']], 'ByteCount' : [ 0x2c, ['unsigned long']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 
0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'ClockType' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'Frequency' : [ 0x20, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], 
'_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_EPROCESS_VALUES' : [ 0x50, { 'KernelTime' : [ 0x0, ['unsigned long long']], 'UserTime' : [ 0x8, ['unsigned long long']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'ContextSwitches' : [ 0x18, ['unsigned long long']], 'ReadOperationCount' : [ 0x20, ['long long']], 'WriteOperationCount' : [ 0x28, ['long long']], 'OtherOperationCount' : [ 0x30, ['long long']], 'ReadTransferCount' : [ 0x38, ['long long']], 'WriteTransferCount' : [ 0x40, ['long long']], 'OtherTransferCount' : [ 0x48, ['long long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x1c8, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleAccounting' : [ 0x8, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'PlatformIdleAccounting' : [ 0x10, ['pointer64', ['_PLATFORM_IDLE_ACCOUNTING']]], 'IdleTimeLast' : [ 0x18, ['unsigned long long']], 'IdleTimeTotal' : [ 0x20, ['unsigned long long']], 'IdleTimeEntry' : [ 0x28, ['unsigned long long']], 'Reserved' : [ 0x30, ['unsigned long long']], 'IdlePolicy' : [ 0x38, ['_PROC_IDLE_POLICY']], 'Synchronization' : [ 0x40, ['_PPM_IDLE_SYNCHRONIZATION_STATE']], 'PerfFeedback' : [ 0x48, ['_PROC_FEEDBACK']], 'Hypervisor' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'LastSysTime' : [ 0xbc, ['unsigned long']], 'WmiDispatchPtr' : [ 0xc0, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0xc8, ['long']], 'FFHThrottleStateInfo' : [ 0xd0, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0xf0, ['_KDPC']], 'PerfActionMask' : [ 0x130, ['long']], 'HvIdleCheck' : [ 0x138, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x148, ['_PROC_PERF_SNAP']], 'Domain' : [ 0x188, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0x190, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Concurrency' : [ 0x198, ['pointer64', 
['_PPM_CONCURRENCY_ACCOUNTING']]], 'Load' : [ 0x1a0, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0x1a8, ['pointer64', ['_PROC_PERF_HISTORY']]], 'GuaranteedPerformancePercent' : [ 0x1b0, ['unsigned char']], 'HvTargetState' : [ 0x1b1, ['unsigned char']], 'Parked' : [ 0x1b2, ['unsigned char']], 'OverUtilized' : [ 0x1b3, ['unsigned char']], 'LatestPerformancePercent' : [ 0x1b4, ['unsigned long']], 'AveragePerformancePercent' : [ 0x1b8, ['unsigned long']], 'LatestAffinitizedPercent' : [ 0x1bc, ['unsigned long']], 'Utility' : [ 0x1c0, ['unsigned long']], 'AffinitizedUtility' : [ 0x1c4, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'OnProtectedStandby' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Spare' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, 
end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_CMHIVE' : [ 0xdd8, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x580, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5b0, ['_LIST_ENTRY']], 'HiveList' : [ 0x5c0, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x5d0, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x5e0, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x5e8, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x5f8, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x600, ['unsigned long']], 'DeletedKcbTable' : [ 0x608, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'DeletedKcbTableSize' : [ 0x610, ['unsigned long']], 'Identity' : [ 0x614, ['unsigned long']], 'HiveLock' : [ 0x618, ['pointer64', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x620, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x628, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x630, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x640, ['pointer64', ['CMP_OFFSET_ARRAY']]], 
'FlushOffsetArrayCount' : [ 0x648, ['unsigned long']], 'FlushBaseBlock' : [ 0x650, ['pointer64', ['_HBASE_BLOCK']]], 'FlushHiveTruncated' : [ 0x658, ['unsigned long']], 'SecurityLock' : [ 0x660, ['_EX_PUSH_LOCK']], 'UseCount' : [ 0x668, ['unsigned long']], 'LastShrinkHiveSize' : [ 0x66c, ['unsigned long']], 'ActualFileSize' : [ 0x670, ['_LARGE_INTEGER']], 'LogFileSizes' : [ 0x678, ['array', 2, ['_LARGE_INTEGER']]], 'FileFullPath' : [ 0x688, ['_UNICODE_STRING']], 'FileUserName' : [ 0x698, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x6a8, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x6b8, ['unsigned long']], 'SecurityCacheSize' : [ 0x6bc, ['unsigned long']], 'SecurityHitHint' : [ 0x6c0, ['long']], 'SecurityCache' : [ 0x6c8, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x6d0, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xad0, ['unsigned long']], 'UnloadEventArray' : [ 0xad8, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xae0, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xae8, ['unsigned char']], 'UnloadWorkItem' : [ 0xaf0, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0xaf8, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xb20, ['unsigned char']], 'GrowOffset' : [ 0xb24, ['unsigned long']], 'KcbConvertListHead' : [ 0xb28, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xb38, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xb48, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xb50, ['unsigned long']], 'TrustClassEntry' : [ 0xb58, ['_LIST_ENTRY']], 'DirtyTime' : [ 0xb68, ['unsigned long long']], 'CmRm' : [ 0xb70, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xb78, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xb7c, ['long']], 'CreatorOwner' : [ 0xb80, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0xb88, ['pointer64', ['_KTHREAD']]], 'ActiveFlushThread' : [ 0xb90, ['pointer64', ['_ETHREAD']]], 'FlushBoostLock' : [ 0xb98, ['_EX_PUSH_LOCK']], 'LastWriteTime' : [ 0xba0, ['_LARGE_INTEGER']], 
'ReferenceCount' : [ 0xba8, ['long']], 'FlushFlags' : [ 0xbac, ['unsigned long']], 'FlushActive' : [ 0xbac, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DiskFileBad' : [ 0xbac, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FlushBoosted' : [ 0xbac, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PrimaryWritePending' : [ 0xbac, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PriorPurgeComplete' : [ 0xbac, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'FlushWaitList' : [ 0xbb0, ['pointer64', ['_HIVE_WAIT_PACKET']]], 'UnloadHistoryIndex' : [ 0xbb8, ['long']], 'UnloadHistory' : [ 0xbbc, ['array', 128, ['unsigned long']]], 'BootStart' : [ 0xdbc, ['unsigned long']], 'UnaccessedStart' : [ 0xdc0, ['unsigned long']], 'UnaccessedEnd' : [ 0xdc4, ['unsigned long']], 'LoadedKeyCount' : [ 0xdc8, ['unsigned long']], 'HandleClosePending' : [ 0xdcc, ['unsigned long']], 'HandleClosePendingEvent' : [ 0xdd0, ['_EX_PUSH_LOCK']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DIRTY_PAGE_THRESHOLDS' : [ 0x20, { 'DirtyPageThreshold' : [ 0x0, ['unsigned long long']], 'DirtyPageThresholdTop' : [ 0x8, ['unsigned long long']], 'DirtyPageThresholdBottom' : [ 0x10, ['unsigned long long']], 'DirtyPageTarget' : [ 0x18, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 
'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ForceCredits' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 6, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 
'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 
2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x390, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'AbortCount' : [ 0xc, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'PriorIdleTime' : [ 0x18, ['unsigned long long']], 'TimeUnit' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'State' : [ 0x28, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' 
: [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_SEP_LOWBOX_NUMBER_MAPPING' : [ 0x28, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Bitmap' : [ 0x8, ['_RTL_BITMAP']], 'HashTable' : [ 0x18, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], 'Active' : [ 0x20, ['unsigned char']], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_TEB64' : [ 0x1820, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' 
: [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'PerflibData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long 
long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'ReservedForCodeCoverage' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0x17b2, ['unsigned short']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], 'ReservedForWdf' : [ 0x1818, ['unsigned long long']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xa0, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 
'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x90, ['unsigned long']], 'PreviousActivityCounter' : [ 0x94, ['unsigned long']], 'WorkerTrimRequests' : [ 0x98, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE' : [ 0x1810, { 'CurrentSize' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'Epoch' : [ 0x8, ['unsigned long']], 'Overflow' : [ 0xc, ['unsigned char']], 'TableEntry' : [ 0x10, ['array', 256, ['_INVERTED_FUNCTION_TABLE_ENTRY']]], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_UMS_CONTROL_BLOCK' : [ 0x90, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 
'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsWaitEvent' : [ 0x30, ['_KEVENT']], 'StagingArea' : [ 0x48, ['pointer64', ['void']]], 'UmsPrimaryDeliveredContext' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsFlags' : [ 0x50, ['unsigned long']], 'TebSelector' : [ 0x88, ['unsigned short']], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_ETIMER' : [ 0x138, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'Lock' : [ 0x40, ['unsigned long long']], 'TimerApc' : [ 0x48, ['_KAPC']], 'TimerDpc' : [ 0xa0, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'Period' : [ 0xf0, ['unsigned long']], 'TimerFlags' : [ 0xf4, ['unsigned char']], 'ApcAssociated' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FlushDpcs' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
char')]], 'Paused' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Spare1' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'DueTimeType' : [ 0xf5, ['unsigned char']], 'Spare2' : [ 0xf6, ['unsigned short']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], 'VirtualizedTimerCookie' : [ 0x110, ['pointer64', ['void']]], 'VirtualizedTimerLinks' : [ 0x118, ['_LIST_ENTRY']], 'DueTime' : [ 0x128, ['unsigned long long']], 'CoalescingWindow' : [ 0x130, ['unsigned long']], } ], '_PROC_PERF_SNAP' : [ 0x40, { 'Time' : [ 0x0, ['unsigned long long']], 'LastTime' : [ 0x8, ['unsigned long long']], 'Active' : [ 0x10, ['unsigned long long']], 'LastActive' : [ 0x18, ['unsigned long long']], 'FrequencyScaledActive' : [ 0x20, ['unsigned long long']], 'PerformanceScaledActive' : [ 0x28, ['unsigned long long']], 'CyclesActive' : [ 0x30, ['unsigned long long']], 'CyclesAffinitized' : [ 0x38, ['unsigned long long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_EXHANDLE' : [ 0x8, { 'TagBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'Index' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'GenericHandleOverlay' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DBGKD_CONTEXT_EX' : [ 0xc, { 'Offset' : [ 0x0, ['unsigned long']], 'ByteCount' : [ 0x4, ['unsigned long']], 'BytesCopied' : [ 0x8, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x698, { 'Signature' : [ 0x0, 
['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 
'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x150, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3f0, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x690, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '__unnamed_1f24' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1f26' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1f24']], } ], '__unnamed_1f28' : [ 0x4, { 'NewCell' : [ 0x0, ['__unnamed_1f26']], } ], '_HCELL' : [ 0x8, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1f28']], } ], '_WHEA_GENERIC_ERROR_DESCRIPTOR' : [ 0x34, { 'Type' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned char']], 'Enabled' : [ 0x3, ['unsigned char']], 'ErrStatusBlockLength' : [ 0x4, ['unsigned long']], 'RelatedErrorSourceId' : [ 0x8, ['unsigned long']], 'ErrStatusAddressSpaceID' : [ 0xc, ['unsigned char']], 'ErrStatusAddressBitWidth' : [ 0xd, ['unsigned char']], 'ErrStatusAddressBitOffset' : [ 0xe, ['unsigned char']], 'ErrStatusAddressAccessSize' : [ 0xf, ['unsigned char']], 'ErrStatusAddress' : [ 0x10, ['_LARGE_INTEGER']], 'Notify' : [ 0x18, ['_WHEA_NOTIFICATION_DESCRIPTOR']], } ], '_HMAP_TABLE' : [ 0x3000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_SEP_LOWBOX_HANDLES_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'HandleCount' : [ 0x28, ['unsigned long']], 'Handles' : [ 0x30, ['pointer64', ['pointer64', ['void']]]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x58, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 
'PlatformCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'LimitReasons' : [ 0x18, ['unsigned long']], 'PlatformCapStartTime' : [ 0x20, ['unsigned long long']], 'TargetPercent' : [ 0x28, ['unsigned long']], 'DesiredPercent' : [ 0x2c, ['unsigned long']], 'SelectedPercent' : [ 0x30, ['unsigned long']], 'SelectedFrequency' : [ 0x34, ['unsigned long']], 'PreviousFrequency' : [ 0x38, ['unsigned long']], 'PreviousPercent' : [ 0x3c, ['unsigned long']], 'LatestFrequencyPercent' : [ 0x40, ['unsigned long']], 'SelectedState' : [ 0x48, ['unsigned long long']], 'Force' : [ 0x50, ['unsigned char']], } ], '__unnamed_1f3b' : [ 0x20, { 'CallerCompletion' : [ 0x0, ['pointer64', ['void']]], 'CallerContext' : [ 0x8, ['pointer64', ['void']]], 'CallerDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SystemWake' : [ 0x18, ['unsigned char']], } ], '__unnamed_1f3e' : [ 0x10, { 'NotifyDevice' : [ 0x0, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'FxDeviceActivated' : [ 0x8, ['unsigned char']], } ], '_POP_IRP_DATA' : [ 0xf8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'Pdo' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentDevice' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'WatchdogStart' : [ 0x30, ['unsigned long long']], 'WatchdogTimer' : [ 0x38, ['_KTIMER']], 'WatchdogDpc' : [ 0x78, ['_KDPC']], 'MinorFunction' : [ 0xb8, ['unsigned char']], 'PowerStateType' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'PowerState' : [ 0xc0, ['_POWER_STATE']], 'WatchdogEnabled' : [ 0xc4, ['unsigned char']], 'FxDevice' : [ 0xc8, ['pointer64', ['_POP_FX_DEVICE']]], 'SystemTransition' : [ 0xd0, ['unsigned char']], 'NotifyPEP' : [ 0xd1, ['unsigned char']], 'Device' : [ 0xd8, ['__unnamed_1f3b']], 'System' : [ 0xd8, ['__unnamed_1f3e']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 
'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 
'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_MI_USER_VA_INFO' : [ 0x478, { 'NumberOfCommittedPageTables' : [ 0x0, ['unsigned long']], 'PhysicalMappingCount' : [ 0x4, ['unsigned long']], 'VadBitMapHint' : [ 0x8, ['unsigned long']], 'LastAllocationSizeHint' : [ 0xc, ['unsigned long']], 'LastAllocationSize' : [ 0x10, ['unsigned long']], 'LowestBottomUpVadBit' : [ 0x14, ['unsigned long']], 'VadBitMapSize' : [ 0x18, ['unsigned long']], 'MaximumLastVadBit' : [ 0x1c, ['unsigned long']], 'VadsBeingDeleted' : [ 0x20, ['long']], 'LastVadDeletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'VadBitBuffer' : [ 0x30, ['pointer64', ['unsigned long']]], 'LowestBottomUpAllocationAddress' : [ 0x38, ['pointer64', ['void']]], 'HighestTopDownAllocationAddress' : [ 0x40, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x48, ['pointer64', ['void']]], 'PrivateFixupVadCount' : [ 0x50, ['unsigned long long']], 
'FreeUmsTebHint' : [ 0x58, ['pointer64', ['void']]], 'CommittedPageTables' : [ 0x60, ['pointer64', ['unsigned long']]], 'PageTableBitmapPages' : [ 0x68, ['unsigned long']], 'CommittedPageDirectories' : [ 0x70, ['array', 128, ['unsigned long long']]], 'CommittedPageDirectoryParents' : [ 0x470, ['array', 1, ['unsigned long long']]], } ], '_PROC_FEEDBACK' : [ 0x70, { 'Lock' : [ 0x0, ['unsigned long long']], 'CyclesLast' : [ 0x8, ['unsigned long long']], 'CyclesActive' : [ 0x10, ['unsigned long long']], 'Counters' : [ 0x18, ['array', 2, ['pointer64', ['_PROC_FEEDBACK_COUNTER']]]], 'LastUpdateTime' : [ 0x28, ['unsigned long long']], 'UnscaledTime' : [ 0x30, ['unsigned long long']], 'UnaccountedTime' : [ 0x38, ['long long']], 'ScaledTime' : [ 0x40, ['array', 2, ['unsigned long long']]], 'UnaccountedKernelTime' : [ 0x50, ['unsigned long long']], 'PerformanceScaledKernelTime' : [ 0x58, ['unsigned long long']], 'UserTimeLast' : [ 0x60, ['unsigned long']], 'KernelTimeLast' : [ 0x64, ['unsigned long']], 'KernelTimesIndex' : [ 0x68, ['unsigned char']], } ], '__unnamed_1f50' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1f54' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1f56' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f58' : [ 0x10, { 'RequestLine' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'Channel' : [ 0x8, ['unsigned long']], 'TransferWidth' 
: [ 0xc, ['unsigned long']], } ], '__unnamed_1f5a' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1f5c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1f5e' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f60' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1f62' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1f64' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1f66' : [ 0xc, { 'Class' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'Reserved1' : [ 0x2, ['unsigned char']], 'Reserved2' : [ 0x3, ['unsigned char']], 'IdLowPart' : [ 0x4, ['unsigned long']], 'IdHighPart' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f68' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1f50']], 'Memory' : [ 0x0, ['__unnamed_1f50']], 'Interrupt' : [ 0x0, ['__unnamed_1f54']], 'Dma' : [ 0x0, ['__unnamed_1f56']], 'DmaV3' : [ 0x0, ['__unnamed_1f58']], 'Generic' : [ 0x0, ['__unnamed_1f50']], 'DevicePrivate' : [ 0x0, ['__unnamed_1f5a']], 'BusNumber' : [ 0x0, ['__unnamed_1f5c']], 'ConfigData' : [ 0x0, ['__unnamed_1f5e']], 'Memory40' : [ 0x0, ['__unnamed_1f60']], 'Memory48' : [ 0x0, ['__unnamed_1f62']], 'Memory64' : [ 0x0, ['__unnamed_1f64']], 'Connection' : [ 0x0, ['__unnamed_1f66']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, 
['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1f68']], } ], '_POP_THERMAL_ZONE' : [ 0x1d0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'HighPrecisionThrottle' : [ 0x18, ['long']], 'Throttle' : [ 0x1c, ['long']], 'PendingThrottle' : [ 0x20, ['long']], 'ThrottleStartTime' : [ 0x28, ['unsigned long long']], 'LastTime' : [ 0x30, ['unsigned long long']], 'SampleRate' : [ 0x38, ['unsigned long']], 'LastTemp' : [ 0x3c, ['unsigned long']], 'PassiveTimer' : [ 0x40, ['_KTIMER']], 'PassiveDpc' : [ 0x80, ['_KDPC']], 'OverThrottled' : [ 0xc0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xd8, ['pointer64', ['_IRP']]], 'Info' : [ 0xe0, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0x130, ['_LARGE_INTEGER']], 'Metrics' : [ 0x138, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', 
dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x580, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'Allocate' : [ 0x10, ['pointer64', ['void']]], 'Free' : [ 0x18, ['pointer64', ['void']]], 'FileWrite' : [ 0x20, ['pointer64', ['void']]], 'FileRead' : [ 0x28, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x30, ['pointer64', ['void']]], 'BaseBlock' : [ 0x38, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x40, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x50, ['unsigned long']], 'DirtyAlloc' : [ 0x54, ['unsigned long']], 'BaseBlockAlloc' : [ 0x58, ['unsigned long']], 'Cluster' : [ 0x5c, ['unsigned long']], 'Flat' : [ 0x60, ['unsigned char']], 'ReadOnly' : [ 0x61, ['unsigned char']], 'DirtyFlag' : [ 0x62, ['unsigned char']], 'HvBinHeadersUse' : [ 0x64, ['unsigned long']], 'HvFreeCellsUse' : [ 0x68, ['unsigned long']], 'HvUsedCellsUse' : [ 0x6c, ['unsigned long']], 'CmUsedCellsUse' : [ 0x70, ['unsigned long']], 'HiveFlags' : [ 0x74, ['unsigned long']], 'CurrentLog' : [ 0x78, ['unsigned long']], 'LogSize' : [ 0x7c, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x84, ['unsigned long']], 'StorageTypeCount' : [ 0x88, ['unsigned long']], 'Version' : [ 0x8c, ['unsigned long']], 'Storage' : [ 0x90, ['array', 2, ['_DUAL']]], } ], '_WHEA_XPF_NMI_DESCRIPTOR' : [ 0x3, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], } ], '_CM_WORKITEM' : [ 0x28, { 
'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x98, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x68, ['unsigned long']], 'PassiveCount' : [ 0x6c, ['unsigned long']], 'LastActiveStartTick' : [ 0x70, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x78, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x80, ['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x88, ['_LARGE_INTEGER']], 'StartTickSinceLastReset' : [ 0x90, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0xa8, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], 
'_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_RTL_TIME_ZONE_INFORMATION' : [ 0xac, { 'Bias' : [ 0x0, ['long']], 'StandardName' : [ 0x4, ['array', 32, ['wchar']]], 'StandardStart' : [ 0x44, ['_TIME_FIELDS']], 'StandardBias' : [ 0x54, ['long']], 'DaylightName' : [ 0x58, ['array', 32, ['wchar']]], 'DaylightStart' : [ 0x98, ['_TIME_FIELDS']], 'DaylightBias' : [ 0xa8, ['long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1e, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1d, ['unsigned char']], } ], '__unnamed_1fb7' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1fb9' : [ 0x20, { 'AllSharedExportThunks' : [ 0x0, 
['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1fb7']], } ], '_VF_TARGET_DRIVER' : [ 0x38, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x10, ['__unnamed_1fb9']], 'VerifiedData' : [ 0x30, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '_MM_AVL_TABLE' : [ 0x30, { 'BalancedRoot' : [ 0x0, ['_MM_AVL_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'TableType' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x20, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x28, ['pointer64', ['void']]], } ], '__unnamed_1fc7' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1fc9' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1fcb' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceId' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_1fcd' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1fcf' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1fd1' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1fd3' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1fd5' : [ 0x2, { 'ParentId' : [ 0x0, 
['array', 1, ['wchar']]], } ], '__unnamed_1fd7' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_1fd9' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1fc7']], 'TargetDevice' : [ 0x0, ['__unnamed_1fc9']], 'InstallDevice' : [ 0x0, ['__unnamed_1fc9']], 'CustomNotification' : [ 0x0, ['__unnamed_1fcb']], 'ProfileNotification' : [ 0x0, ['__unnamed_1fcd']], 'PowerNotification' : [ 0x0, ['__unnamed_1fcf']], 'VetoNotification' : [ 0x0, ['__unnamed_1fd1']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1fd3']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1fd5']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1fd7']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_1fc9']], 'DeviceInstanceNotification' : [ 0x0, ['__unnamed_1fc9']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'DeviceInstanceStartedEvent', 12: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_1fd9']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long 
long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_PROCESSOR_IDLE_PREPARE_INFO' : [ 0x58, { 'Context' : [ 0x0, ['pointer64', ['void']]], 'Constraints' : [ 0x8, ['_PROCESSOR_IDLE_CONSTRAINTS']], 'DependencyCount' : [ 0x38, ['unsigned long']], 'DependencyUsed' : [ 0x3c, ['unsigned long']], 'DependencyArray' : [ 0x40, ['pointer64', ['_PROCESSOR_IDLE_DEPENDENCY']]], 'PlatformIdleStateIndex' : [ 0x48, ['unsigned long']], 'ProcessorIdleStateIndex' : [ 0x4c, ['unsigned long']], 'IdleSelectFailureMask' : [ 0x50, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned 
long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '__unnamed_1ff5' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1ff5']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 
0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_PEBS_DS_SAVE_AREA' : [ 0x60, { 'BtsBufferBase' : [ 0x0, ['unsigned long long']], 'BtsIndex' : [ 0x8, ['unsigned long long']], 'BtsAbsoluteMaximum' : [ 0x10, ['unsigned long long']], 'BtsInterruptThreshold' : [ 0x18, ['unsigned long long']], 'PebsBufferBase' : [ 0x20, ['unsigned long long']], 'PebsIndex' : [ 0x28, ['unsigned long long']], 'PebsAbsoluteMaximum' : [ 0x30, ['unsigned long long']], 'PebsInterruptThreshold' : [ 0x38, ['unsigned long long']], 'PebsCounterReset0' : [ 0x40, ['unsigned long long']], 'PebsCounterReset1' : [ 0x48, ['unsigned long long']], 'PebsCounterReset2' : [ 0x50, ['unsigned long long']], 'PebsCounterReset3' : [ 0x58, ['unsigned long long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x78, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', 
['void']]], 'WaitObjectFlagMask' : [ 0x70, ['unsigned long']], 'WaitObjectFlagOffset' : [ 0x74, ['unsigned short']], 'WaitObjectPointerOffset' : [ 0x76, ['unsigned short']], } ], '__unnamed_202b' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_202b']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], 'tagSWITCH_CONTEXT_ATTRIBUTE' : [ 0x18, { 'ulContextUpdateCounter' : [ 0x0, ['unsigned long long']], 'fAllowContextUpdate' : [ 0x8, ['long']], 'fEnableTrace' : [ 0xc, ['long']], 'EtwHandle' : [ 0x10, ['unsigned long long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_DIRTY_PAGE_STATISTICS' : [ 0x18, { 'DirtyPages' : [ 0x0, ['unsigned long long']], 'DirtyPagesLastScan' : [ 0x8, ['unsigned long long']], 'DirtyPagesScheduledLastScan' : [ 0x10, ['unsigned long']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x20, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long 
long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], 'ExecuteOptionsNV' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_XPF_MCE_DESCRIPTOR' : [ 0x398, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['_XPF_MCE_FLAGS']], 'MCG_Capability' : [ 0x8, ['unsigned long long']], 'MCG_GlobalControl' : [ 0x10, ['unsigned long long']], 'Banks' : [ 0x18, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', 
['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], 'NodeTargetCountAddr' : [ 0x30, ['pointer64', ['long']]], 'NodeTargetCount' : [ 0x38, ['long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, 
['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_WHEA_XPF_CMC_DESCRIPTOR' : [ 0x3a4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'NumberOfBanks' : [ 0x3, ['unsigned char']], 'Reserved' : [ 0x4, ['unsigned long']], 'Notify' : [ 0x8, ['_WHEA_NOTIFICATION_DESCRIPTOR']], 'Banks' : [ 0x24, ['array', 32, ['_WHEA_XPF_MC_BANK_DESCRIPTOR']]], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x250, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, 
['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'HotpatchInformation' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, 
['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], 'pUnused' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, ['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x248, ['unsigned long long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, 
['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '__unnamed_207b' : [ 0x8, { 'ProviderPdo' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ProviderReservation' : [ 0x0, ['pointer64', ['_PNP_RESERVED_PROVIDER_INFO']]], } ], '_PNP_PROVIDER_INFO' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ProviderType' : [ 0x10, ['unsigned char']], 'Satisfied' : [ 0x11, ['unsigned char']], 'Flags' : [ 0x12, ['unsigned short']], 'u' : [ 0x18, ['__unnamed_207b']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_EVENT_HEADER' : [ 0x50, { 'Size' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned short']], 'Flags' : [ 0x4, ['unsigned short']], 'EventProperty' : [ 0x6, ['unsigned short']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'ProviderId' : [ 0x18, ['_GUID']], 'EventDescriptor' : [ 0x28, ['_EVENT_DESCRIPTOR']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ProcessorTime' : [ 0x38, ['unsigned long long']], 'ActivityId' : [ 
0x40, ['_GUID']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_SYSTEM_IDLE' : [ 0x40, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned long']], 'IdleWorker' : [ 0x28, ['unsigned char']], 'Sampling' : [ 0x29, ['unsigned char']], 'LastTick' : [ 0x30, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x38, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x20, { 'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', 
['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'XdvSharedExportThunks' : [ 0x18, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_KSCHEDULING_GROUP' : [ 0x1c0, { 'Value' : [ 0x0, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'HardCap' : [ 0x3, ['unsigned char']], 'RelativeWeight' : [ 0x4, ['unsigned long']], 'QueryHistoryTimeStamp' : [ 0x8, ['unsigned long long']], 'NotificationCycles' : [ 0x10, ['long long']], 'SchedulingGroupList' : [ 0x18, ['_LIST_ENTRY']], 'NotificationDpc' : [ 0x28, ['pointer64', ['_KDPC']]], 'PerProcessor' : [ 0x40, ['array', 1, ['_KSCB']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x20, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_POP_IRP_WORKER_ENTRY' : [ 0x30, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'Irp' : [ 0x18, ['pointer64', ['_IRP']]], 'Device' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'Static' : [ 0x28, ['unsigned char']], } ], '__unnamed_20ad' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_20af' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_20b1' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_20b3' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_20b1']], 'Translated' : [ 0x0, ['__unnamed_20af']], } ], '__unnamed_20b5' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_20b7' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'RequestLine' : [ 0x4, ['unsigned long']], 'TransferWidth' : [ 0x8, ['unsigned char']], 'Reserved1' : [ 0x9, ['unsigned char']], 'Reserved2' : [ 0xa, ['unsigned char']], 'Reserved3' : [ 0xb, ['unsigned char']], } ], '__unnamed_20b9' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_20bb' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_20bd' : [ 0xc, { 'Start' : [ 
0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_20bf' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_20c1' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_20c3' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_20ad']], 'Port' : [ 0x0, ['__unnamed_20ad']], 'Interrupt' : [ 0x0, ['__unnamed_20af']], 'MessageInterrupt' : [ 0x0, ['__unnamed_20b3']], 'Memory' : [ 0x0, ['__unnamed_20ad']], 'Dma' : [ 0x0, ['__unnamed_20b5']], 'DmaV3' : [ 0x0, ['__unnamed_20b7']], 'DevicePrivate' : [ 0x0, ['__unnamed_1f5a']], 'BusNumber' : [ 0x0, ['__unnamed_20b9']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_20bb']], 'Memory40' : [ 0x0, ['__unnamed_20bd']], 'Memory48' : [ 0x0, ['__unnamed_20bf']], 'Memory64' : [ 0x0, ['__unnamed_20c1']], 'Connection' : [ 0x0, ['__unnamed_1f66']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_20c3']], } ], '_OBJECT_HEADER_PADDING_INFO' : [ 0x4, { 'PaddingAmount' : [ 0x0, ['unsigned long']], } ], '__unnamed_20cb' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_20cb']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_INVERTED_FUNCTION_TABLE_ENTRY' : [ 0x18, { 'FunctionTable' : [ 0x0, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'DynamicTable' 
: [ 0x0, ['pointer64', ['_DYNAMIC_FUNCTION_TABLE']]], 'ImageBase' : [ 0x8, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'SizeOfTable' : [ 0x14, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_20db' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_20db']], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '_POP_FX_DEVICE' : [ 0x1d0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Plugin' : [ 0x10, ['pointer64', ['_POP_FX_PLUGIN']]], 'PluginHandle' : [ 0x18, ['pointer64', ['PEPHANDLE__']]], 'MiniPlugin' : [ 0x20, ['pointer64', ['_POP_FX_PLUGIN']]], 'MiniPluginHandle' : [ 0x28, ['pointer64', ['PEPHANDLE__']]], 'DevNode' : [ 0x30, ['pointer64', ['_DEVICE_NODE']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'TargetDevice' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'Callbacks' : [ 0x48, ['_POP_FX_DRIVER_CALLBACKS']], 'DriverContext' : [ 0x80, ['pointer64', ['void']]], 'RemoveLock' : [ 0x88, ['_IO_REMOVE_LOCK']], 'WorkOrder' : [ 0xa8, ['_POP_FX_WORK_ORDER']], 'Status' : [ 0xd0, ['_POP_FX_DEVICE_STATUS']], 'PowerReqCall' : [ 0xd4, ['long']], 'PowerNotReqCall' : [ 0xd8, ['long']], 'IdleLock' : [ 0xe0, ['unsigned long long']], 'IdleTimer' : [ 0xe8, ['_KTIMER']], 'IdleDpc' : [ 0x128, ['_KDPC']], 'IdleTimeout' : [ 0x168, ['unsigned long long']], 'IdleStamp' : [ 0x170, ['unsigned long long']], 'Irp' : [ 0x178, ['pointer64', ['_IRP']]], 'IrpData' : [ 0x180, ['pointer64', ['_POP_IRP_DATA']]], 'NextIrpDeviceObject' : [ 0x188, ['pointer64', ['_DEVICE_OBJECT']]], 'NextIrpPowerState' : [ 0x190, ['_POWER_STATE']], 
'NextIrpCallerCompletion' : [ 0x198, ['pointer64', ['void']]], 'NextIrpCallerContext' : [ 0x1a0, ['pointer64', ['void']]], 'IrpCompleteEvent' : [ 0x1a8, ['_KEVENT']], 'ComponentCount' : [ 0x1c0, ['unsigned long']], 'Components' : [ 0x1c8, ['array', 1, ['pointer64', ['_POP_FX_COMPONENT']]]], } ], '__unnamed_20ee' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_20f0' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_20ee']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x58, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x40, ['_LIST_ENTRY']], 'Specific' : [ 0x50, ['__unnamed_20f0']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_TRIAGE_DUMP_DATA' : [ 0x20, { 'BadPageCount' : [ 0x0, ['unsigned long long']], 'BadPagesDetected' : [ 0x8, ['long']], 'ZeroedPageSingleBitErrorsDetected' : [ 0xc, ['long']], 'ScrubPasses' : [ 0x10, ['long']], 
'ScrubBadPagesFound' : [ 0x14, ['long']], 'FeatureBits' : [ 0x18, ['unsigned long']], 'TimeZoneId' : [ 0x1c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 
'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 
'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x180, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x40, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x48, ['unsigned long']], 'LastCallbackId' : [ 0x4c, ['unsigned long']], 'PostCount' : [ 0x80, ['unsigned long']], 'ReturnCount' : [ 0xc0, ['unsigned long']], 'LogSequenceNumber' : [ 0x100, ['unsigned long']], 'UserLock' : [ 0x140, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x148, ['unsigned long long']], } ], 
'_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_WHEA_AER_ENDPOINT_DESCRIPTOR' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ENDPOINT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'SpareUlong' : [ 0x4, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'DriveMap' : [ 
0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_ARMCE_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x40, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 
'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x38, ['long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '__unnamed_2152' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_2155' : [ 0x4, { 'LongFlags1' : [ 0x0, ['unsigned long']], 'VadFlags1' : [ 0x0, ['_MMVAD_FLAGS1']], } ], '_MMVAD_SHORT' : [ 0x40, { 'VadNode' : [ 0x0, ['_MM_AVL_NODE']], 'StartingVpn' : [ 0x18, ['unsigned long']], 'EndingVpn' : [ 0x1c, ['unsigned long']], 'PushLock' : [ 0x20, ['_EX_PUSH_LOCK']], 'u' : [ 0x28, ['__unnamed_2152']], 'u1' : [ 0x2c, ['__unnamed_2155']], 'EventList' : [ 0x30, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], 'ReferenceCount' : [ 0x38, ['long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DmaWaitEntry' : [ 0x0, ['_LIST_ENTRY']], 'NumberOfChannels' : [ 0x10, ['unsigned long']], 'SyncCallback' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DmaContext' : [ 
0x14, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x14, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned 
long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'LastReorganizeTime' : [ 0xa8, ['unsigned long long']], 'Reserved1' : [ 0xb0, ['array', 83, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPoolBase', 1: 'PagedPool', 2: 'NonPagedPoolBaseMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolBaseCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolBaseCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 516: 'NonPagedPoolNxCacheAligned', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 512: 'NonPagedPoolNx', 544: 'NonPagedPoolSessionNx', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 
0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned long']], 'ReferenceCount' : [ 0x4, ['long']], 'PushLock' : [ 0x8, ['_EX_PUSH_LOCK']], 'ExHandleTable' : [ 0x10, ['pointer64', ['_HANDLE_TABLE']]], 'Flags' : [ 0x18, ['unsigned long']], 'NumberOfBuckets' : [ 0x1c, ['unsigned long']], 'Buckets' : [ 0x20, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '__unnamed_2194' : [ 0x10, { 'ProgrammedTime' : [ 0x0, ['unsigned long long']], 'TimerInfo' : [ 0x8, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], } ], '_POP_POWER_ACTION' : [ 0xe0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned 
char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'WakeAlarmSignaled' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'PoAc', 1: 'PoDc', 2: 'PoHot', 3: 'PoConditionMaximum'})]], 'WakeAlarm' : [ 0x60, ['array', 3, ['__unnamed_2194']]], 'FilteredCapabilities' : [ 0x90, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_WHEA_IPF_CMC_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_PROCESSOR_IDLE_DEPENDENCY' : [ 0x6, { 'Processor' : [ 0x0, ['_PROCESSOR_NUMBER']], 'ExpectedState' : [ 0x4, ['unsigned char']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], 
'_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x50, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_WHEA_AER_ROOTPORT_DESCRIPTOR' : [ 0x24, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_ROOTPORT_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'RootErrorCommand' : [ 0x20, ['unsigned long']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x368, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'CancelCount' : [ 0x8, ['unsigned long']], 'FailureCount' : [ 0xc, ['unsigned long']], 'SuccessCount' : [ 0x10, ['unsigned long']], 'InvalidBucketIndex' : [ 0x14, 
['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_21ba' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_21bc' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceWakeAlarm', 9: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_21ba']], 'Button' : [ 0x10, ['__unnamed_21bc']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 
'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, 
['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_MODWRITER_FLAGS' : [ 0x4, { 'KeepForever' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPriority' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long')]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x410, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 
0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], 'PackageDependencyData' : [ 0x400, ['pointer64', ['void']]], 'ProcessGroupId' : [ 0x408, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' 
: [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x30, { 'Mdl' : [ 0x0, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x8, ['pointer64', ['void']]], 'UserLimit' : [ 0x10, ['pointer64', ['void']]], 'SystemVa' : [ 0x18, ['pointer64', ['void']]], 'SystemLimit' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_WHEA_IPF_MCA_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xe0, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, 
['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], 'Xcr0' : [ 0xd8, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 
3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_PEB64' : [ 0x388, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : 
[ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'IsPackagedProcess' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IsAppContainer' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, 
native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 
'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pUnused' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LibLoaderTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'CsrServerReadOnlySharedMemoryBase' : [ 0x380, ['unsigned long long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 
'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_224c' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1f80, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_224c']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long long']], 'NonPagablePages' : [ 0x28, ['unsigned long long']], 'CommittedPages' : [ 0x30, ['unsigned long long']], 'PagedPoolStart' : [ 0x38, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x40, ['pointer64', ['void']]], 'SessionObject' : [ 0x48, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x50, ['pointer64', ['void']]], 'SessionPoolAllocationFailures' : [ 0x58, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x68, ['_LIST_ENTRY']], 'LocaleId' : [ 0x78, ['unsigned long']], 'AttachCount' : [ 0x7c, ['unsigned long']], 'AttachGate' : [ 0x80, ['_KGATE']], 'WsListEntry' : [ 0x98, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xbf8, ['_MMSUPPORT']], 'Wsle' : [ 0xc88, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc90, ['_MI_SESSION_DRIVER_UNLOAD']], 'PagedPool' : [ 0xcc0, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e00, ['_MMPTE']], 'SessionVaLock' : [ 
0x1e08, ['_FAST_MUTEX']], 'DynamicVaBitMap' : [ 0x1e40, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1e50, ['unsigned long']], 'SpecialPool' : [ 0x1e58, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1ea8, ['_FAST_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1ee0, ['long']], 'PagedPoolPdeCount' : [ 0x1ee4, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1ee8, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1eec, ['unsigned long']], 'SystemPteInfo' : [ 0x1ef0, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f40, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1f48, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1f50, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1f58, ['unsigned long long']], 'IoState' : [ 0x1f60, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1f64, ['unsigned long']], 'IoNotificationEvent' : [ 0x1f68, ['_KEVENT']], } ], '_WHEA_XPF_MC_BANK_DESCRIPTOR' : [ 0x1c, { 'BankNumber' : [ 0x0, ['unsigned char']], 'ClearOnInitialization' : [ 0x1, ['unsigned char']], 'StatusDataFormat' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['_XPF_MC_BANK_FLAGS']], 'ControlMsr' : [ 0x4, ['unsigned long']], 'StatusMsr' : [ 0x8, ['unsigned long']], 'AddressMsr' : [ 0xc, ['unsigned long']], 'MiscMsr' : [ 0x10, ['unsigned long']], 'ControlData' : [ 0x14, ['unsigned long long']], } ], '__unnamed_225c' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_2261' : [ 0x8, { 'SequentialVa' : [ 0x0, ['_MI_VAD_SEQUENTIAL_INFO']], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD' : [ 0x80, { 'Core' : [ 0x0, ['_MMVAD_SHORT']], 'u2' : [ 0x40, ['__unnamed_225c']], 
'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u4' : [ 0x78, ['__unnamed_2261']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_NONOPAQUE_OPLOCK' : [ 0xa0, { 'IrpExclusiveOplock' : [ 0x0, ['pointer64', ['_IRP']]], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'ExclusiveOplockOwner' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'ExclusiveOplockOwnerThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'WaiterPriority' : [ 0x20, ['unsigned char']], 'IrpOplocksR' : [ 0x28, ['_LIST_ENTRY']], 'IrpOplocksRH' : [ 0x38, ['_LIST_ENTRY']], 'RHBreakQueue' : [ 0x48, ['_LIST_ENTRY']], 'WaitingIrps' : [ 0x58, ['_LIST_ENTRY']], 'DelayAckFileObjectQueue' : [ 0x68, ['_LIST_ENTRY']], 'AtomicQueue' : [ 0x78, ['_LIST_ENTRY']], 'DeleterParentKey' : [ 0x88, ['pointer64', ['_GUID']]], 'OplockState' : [ 0x90, ['unsigned long']], 'FastMutex' : [ 0x98, ['pointer64', ['_FAST_MUTEX']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', 
['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 
'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, 
native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'PrefetchCreated' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 26, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned 
char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x60, { 'Mutex' : [ 0x0, ['_FAST_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned long']], 'AllocatedPagedPool' : [ 0x58, ['unsigned long long']], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_MI_REVERSE_VIEW_MAP' : [ 0x28, { 'ViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'SystemCacheVa' : [ 0x10, ['pointer64', ['void']]], 'SessionViewVa' : [ 0x10, ['pointer64', ['void']]], 'VadsProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Type' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'SectionOffset' : [ 0x20, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0x158, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'ProcessorCount' : [ 0xc0, ['unsigned long']], 'Processors' : [ 0xc8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'GetFFHThrottleState' : [ 0xd0, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0xd8, ['pointer64', ['void']]], 'BoostModeHandler' : [ 0xe0, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0xe8, ['pointer64', ['void']]], 'PerfControlHandler' : [ 
0xf0, ['pointer64', ['void']]], 'MaxFrequency' : [ 0xf8, ['unsigned long']], 'NominalFrequency' : [ 0xfc, ['unsigned long']], 'MaxPercent' : [ 0x100, ['unsigned long']], 'MinPerfPercent' : [ 0x104, ['unsigned long']], 'MinThrottlePercent' : [ 0x108, ['unsigned long']], 'Coordination' : [ 0x10c, ['unsigned char']], 'HardPlatformCap' : [ 0x10d, ['unsigned char']], 'AffinitizeControl' : [ 0x10e, ['unsigned char']], 'SelectedPercent' : [ 0x110, ['unsigned long']], 'SelectedFrequency' : [ 0x114, ['unsigned long']], 'DesiredPercent' : [ 0x118, ['unsigned long']], 'MaxPolicyPercent' : [ 0x11c, ['unsigned long']], 'MinPolicyPercent' : [ 0x120, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x124, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x128, ['unsigned long']], 'GuaranteedPercent' : [ 0x12c, ['unsigned long']], 'TolerancePercent' : [ 0x130, ['unsigned long']], 'SelectedState' : [ 0x138, ['unsigned long long']], 'Force' : [ 0x140, ['unsigned char']], 'PerfChangeTime' : [ 0x148, ['unsigned long long']], 'PerfChangeIntervalCount' : [ 0x150, ['unsigned long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_WHEA_IPF_CPE_DESCRIPTOR' : [ 0x4, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', 
['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer64', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_22c9' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MM_AVL_NODE']]], } ], '_MM_AVL_NODE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_22c9']], 'LeftChild' : [ 0x8, ['pointer64', ['_MM_AVL_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MM_AVL_NODE']]], } ], '_ETW_BUFFER_QUEUE' : [ 0x18, { 'QueueHead' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueTail' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'QueueEntry' : [ 0x10, ['_SINGLE_LIST_ENTRY']], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Paged' : [ 0x8, ['_MI_PTE_CHAIN_HEAD']], 'NonPaged' : [ 0x20, ['_MI_PTE_CHAIN_HEAD']], 'PagesInUse' : [ 0x38, ['unsigned long long']], 'SpecialPoolPdes' : [ 0x40, ['_RTL_BITMAP']], } ], '_LOGGED_STREAM_CALLBACK_V2' : [ 0x8, { 'LogHandleContext' : [ 0x0, ['pointer64', ['_LOG_HANDLE_CONTEXT']]], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', 
['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_POP_CURRENT_BROADCAST' : [ 0x18, { 'InProgress' : [ 0x0, ['unsigned char']], 'SystemContext' : [ 0x4, ['_SYSTEM_POWER_STATE_CONTEXT']], 'PowerAction' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'DeviceState' : [ 0x10, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], 'PEPHANDLE__' : [ 0x4, { 'unused' : [ 0x0, ['long']], } ], '__unnamed_22e3' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_22e7' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, 
['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_22e3']], 'Bits' : [ 0x4, ['__unnamed_22e7']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'DataLow' : [ 0x0, ['long long']], 'DataHigh' : [ 0x8, ['long long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_FAST_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_IOV_IRP_TRACE' : [ 0x80, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'KernelApcDisable' : [ 0x10, ['short']], 'SpecialApcDisable' : [ 0x12, ['short']], 'CombinedApcDisable' : [ 0x10, ['unsigned long']], 'Irql' : [ 0x14, ['unsigned char']], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_DYNAMIC_FUNCTION_TABLE' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'FunctionTable' : [ 0x10, ['pointer64', ['_IMAGE_RUNTIME_FUNCTION_ENTRY']]], 'TimeStamp' : [ 0x18, ['_LARGE_INTEGER']], 'MinimumAddress' : [ 0x20, ['unsigned long long']], 'MaximumAddress' : [ 0x28, ['unsigned long long']], 'BaseAddress' : [ 0x30, ['unsigned long long']], 'Callback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'OutOfProcessCallbackDll' : [ 0x48, ['pointer64', ['unsigned short']]], 'Type' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'RF_SORTED', 1: 'RF_UNSORTED', 2: 'RF_CALLBACK', 3: 'RF_KERNEL_DYNAMIC'})]], 
'EntryCount' : [ 0x54, ['unsigned long']], } ], '_SEP_LOWBOX_HANDLES_TABLE' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'HashTable' : [ 0x8, ['pointer64', ['_RTL_DYNAMIC_HASH_TABLE']]], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_PROC_IDLE_POLICY' : [ 0x5, { 'PromotePercent' : [ 0x0, ['unsigned char']], 'DemotePercent' : [ 0x1, ['unsigned char']], 'PromotePercentBase' : [ 0x2, ['unsigned char']], 'DemotePercentBase' : [ 0x3, ['unsigned char']], 'AllowScaling' : [ 0x4, ['unsigned char']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_KSCB' : [ 0x160, { 'GenerationCycles' : [ 0x0, ['unsigned long long']], 'UnderQuotaCycleTarget' : [ 0x8, ['unsigned long long']], 'RankCycleTarget' : [ 0x10, ['unsigned long long']], 'LongTermCycles' : [ 0x18, ['unsigned long long']], 'LastReportedCycles' : [ 0x20, ['unsigned long long']], 'OverQuotaHistory' : [ 0x28, ['unsigned long long']], 'PerProcessorList' : 
[ 0x30, ['_LIST_ENTRY']], 'QueueNode' : [ 0x40, ['_RTL_BALANCED_NODE']], 'Inserted' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OverQuota' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'HardCap' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'RankBias' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Spare1' : [ 0x58, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Spare2' : [ 0x59, ['unsigned char']], 'ReadySummary' : [ 0x5a, ['unsigned short']], 'Rank' : [ 0x5c, ['unsigned long']], 'ReadyListHead' : [ 0x60, ['array', 16, ['_LIST_ENTRY']]], } ], '__unnamed_230f' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2311' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_230f']], 'Merged' : [ 0x10, ['__unnamed_2311']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '_PROC_PERF_HISTORY' : [ 0x1c, { 'Count' : [ 0x0, ['unsigned long']], 'Slot' : [ 0x4, ['unsigned long']], 'UtilityTotal' : [ 0x8, ['unsigned long']], 'AffinitizedUtilityTotal' : [ 0xc, ['unsigned long']], 'FrequencyTotal' : [ 0x10, ['unsigned long']], 'HistoryList' : [ 0x14, ['array', 1, ['_PROC_PERF_HISTORY_ENTRY']]], } ], '_IMAGE_RUNTIME_FUNCTION_ENTRY' : [ 0xc, { 'BeginAddress' : [ 0x0, ['unsigned long']], 
'EndAddress' : [ 0x4, ['unsigned long']], 'UnwindInfoAddress' : [ 0x8, ['unsigned long']], 'UnwindData' : [ 0x8, ['unsigned long']], } ], '__unnamed_231f' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_231f']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x70, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_202b']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'SubsectionNode' : [ 0x38, ['_MM_AVL_NODE']], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x68, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, 
['_STRING']], } ], '_MI_PTE_CHAIN_HEAD' : [ 0x18, { 'Flink' : [ 0x0, ['_MMPTE']], 'Blink' : [ 0x8, ['_MMPTE']], 'PteBase' : [ 0x10, ['pointer64', ['_MMPTE']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'Hiberboot' : [ 0x12, ['unsigned char']], 'WakeAlarmPresent' : [ 0x13, ['unsigned char']], 'AoAc' : [ 0x14, ['unsigned char']], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_PPM_IDLE_SYNCHRONIZATION_STATE' : [ 0x4, { 'AsLong' : [ 0x0, ['long']], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='long')]], 'State' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_CONCURRENCY_ACCOUNTING' : [ 0x28, { 'Lock' : [ 0x0, ['unsigned long long']], 'Processors' : [ 0x8, ['unsigned long']], 'ActiveProcessors' : [ 0xc, ['unsigned long']], 'LastUpdateTime' : [ 0x10, ['unsigned long long']], 'TotalTime' : [ 0x18, ['unsigned long long']], 'AccumulatedTime' : [ 0x20, ['array', 1, ['unsigned long long']]], } ], '__unnamed_233a' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_233e' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x48, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 
'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_233a']], 'u2' : [ 0x38, ['__unnamed_233e']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '__unnamed_2347' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_2349' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_2347']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x100, { 'SuspectDriverEntry' : [ 0x0, ['pointer64', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_2349']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' : [ 
0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], } ], '_MMVAD_FLAGS1' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 31, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PRIVATE_CACHE_MAP' : [ 0x78, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'PrevReadAheadBeyondLastByte' : [ 0x48, ['unsigned long long']], 'ReadAheadSpinLock' : [ 0x50, ['unsigned long long']], 'PipelinedReadAheadRequestSize' : [ 0x58, ['unsigned long']], 'ReadAheadGrowth' : [ 0x5c, ['unsigned long']], 
'PrivateLinks' : [ 0x60, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x70, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'AccessBits' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_AER_ROOTPORT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'RootErrorCommandRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, 
['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_PTE_TRACKER' : [ 0x80, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x48, ['array', 7, ['pointer64', ['void']]]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 
0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_PROC_FEEDBACK_COUNTER' : [ 0x30, { 'InstantaneousRead' : [ 0x0, ['pointer64', ['void']]], 'DifferentialRead' : [ 0x0, ['pointer64', ['void']]], 'LastActualCount' : [ 0x8, ['unsigned long long']], 'LastReferenceCount' : [ 0x10, ['unsigned long long']], 'CachedValue' : [ 0x18, ['unsigned long']], 'Affinitized' : [ 0x20, ['unsigned char']], 'Differential' : [ 0x21, ['unsigned char']], 'DisableInterrupts' : [ 0x22, ['unsigned char']], 'Context' : [ 0x28, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x18, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'MemAlloc' : [ 0x10, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x30, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'Reference' : [ 0x10, ['_RTL_ATOM_TABLE_REFERENCE']], 'NameLength' : [ 0x28, ['unsigned char']], 'Name' : [ 0x2a, ['array', 1, ['wchar']]], } ], '_PLATFORM_IDLE_ACCOUNTING' : [ 0x388, { 'ResetCount' : [ 0x0, ['unsigned long']], 'StateCount' : [ 0x4, ['unsigned long']], 'TimeUnit' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PpmIdleBucketTimeInQpc', 1: 'PpmIdleBucketTimeIn100ns', 2: 'PpmIdleBucketTimeMaximum'})]], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['_PLATFORM_IDLE_STATE_ACCOUNTING']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, 
['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeBins' : [ 0x260, ['_LIST_ENTRY']], 'FreeSummary' : [ 0x270, ['unsigned long']], } ], '_MI_VAD_SEQUENTIAL_INFO' : [ 0x8, { 'Length' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 12, native_type='unsigned long long')]], 'Vpn' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1', 19: 'NotifyTransportRelationsChange', 20: 'NotifyEjectionRelationsChange', 21: 'ConfigureDevice', 22: 'ConfigureDeviceClass'})]], 'ReorderingBarrier' : [ 0x1c, ['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long long']], 'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], } ], '_SEP_LOWBOX_NUMBER_ENTRY' : [ 0x38, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'PackageSid' : [ 0x20, ['pointer64', ['void']]], 'LowboxNumber' : [ 0x28, ['unsigned long']], 'AtomTable' : [ 0x30, ['pointer64', ['void']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 
'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_FAST_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_FAST_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'ReplyQueue' : [ 0x18, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x18, ['array', 4, ['pointer64', ['_ETW_QUEUE_ENTRY']]]], 'Caller' : [ 0x18, ['pointer64', ['void']]], 'SessionId' : [ 0x20, ['unsigned long']], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'CallbackContext' : [ 0x38, ['pointer64', ['void']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'Index' : [ 0x48, ['unsigned short']], 'Flags' : [ 0x4a, ['unsigned char']], 'DbgKernelRegistration' : [ 0x4a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'DbgUserRegistration' : [ 0x4a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DbgReplyRegistration' : [ 0x4a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'DbgClassicRegistration' : [ 0x4a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'DbgSessionSpaceRegistration' : [ 0x4a, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DbgModernRegistration' : [ 0x4a, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DbgClosed' : [ 0x4a, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'DbgInserted' : [ 0x4a, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 
'EnableMask' : [ 0x4b, ['unsigned char']], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'ACPIBus', 18: 
'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x110, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'InProgressLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'FlagGroup' : [ 0x68, ['array', 4, ['unsigned char']]], 'Flags' : [ 0x68, ['unsigned long']], 'PackagedBinary' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MarkedForRemoval' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ImageDll' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'LoadNotificationsSent' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TelemetryEntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ProcessStaticImport' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'InLegacyLists' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'InIndexes' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ShimDll' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned 
long')]], 'InExceptionTable' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags1' : [ 0x68, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'LoadInProgress' : [ 0x68, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReservedFlags2' : [ 0x68, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'EntryProcessed' : [ 0x68, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'ReservedFlags3' : [ 0x68, ['BitField', dict(start_bit = 15, end_bit = 18, native_type='unsigned long')]], 'DontCallForThreads' : [ 0x68, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'ProcessAttachCalled' : [ 0x68, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ProcessAttachFailed' : [ 0x68, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'CorDeferredValidate' : [ 0x68, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CorImage' : [ 0x68, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'DontRelocate' : [ 0x68, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'CorILOnly' : [ 0x68, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ReservedFlags5' : [ 0x68, ['BitField', dict(start_bit = 25, end_bit = 28, native_type='unsigned long')]], 'Redirected' : [ 0x68, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ReservedFlags6' : [ 0x68, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'CompatDatabaseProcessed' : [ 0x68, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ObsoleteLoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'TimeDateStamp' : [ 0x80, 
['unsigned long']], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'DdagNode' : [ 0x98, ['pointer64', ['_LDR_DDAG_NODE']]], 'NodeModuleLink' : [ 0xa0, ['_LIST_ENTRY']], 'SnapContext' : [ 0xb0, ['pointer64', ['_LDRP_DLL_SNAP_CONTEXT']]], 'ParentDllBase' : [ 0xb8, ['pointer64', ['void']]], 'SwitchBackContext' : [ 0xc0, ['pointer64', ['void']]], 'BaseAddressIndexNode' : [ 0xc8, ['_RTL_BALANCED_NODE']], 'MappingInfoIndexNode' : [ 0xe0, ['_RTL_BALANCED_NODE']], 'OriginalBase' : [ 0xf8, ['unsigned long long']], 'LoadTime' : [ 0x100, ['_LARGE_INTEGER']], 'BaseNameHashValue' : [ 0x108, ['unsigned long']], 'LoadReason' : [ 0x10c, ['Enumeration', dict(target = 'long', choices = {0: 'LoadReasonStaticDependency', 1: 'LoadReasonStaticForwarderDependency', 2: 'LoadReasonDynamicForwarderDependency', 3: 'LoadReasonDelayloadDependency', 4: 'LoadReasonDynamicLoad', 5: 'LoadReasonAsImageLoad', 6: 'LoadReasonAsDataLoad', -1: 'LoadReasonUnknown'})]], } ], '_LDR_DDAG_NODE' : [ 0x50, { 'Modules' : [ 0x0, ['_LIST_ENTRY']], 'ServiceTagList' : [ 0x10, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'LoadCount' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'DependencyCount' : [ 0x20, ['unsigned long']], 'Dependencies' : [ 0x28, ['_LDRP_CSLIST']], 'RemovalLink' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'IncomingDependencies' : [ 0x30, ['_LDRP_CSLIST']], 'State' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LdrModulesPlaceHolder', 1: 'LdrModulesMapping', 2: 'LdrModulesMapped', 3: 'LdrModulesWaitingForDependencies', 4: 'LdrModulesSnapping', 5: 'LdrModulesSnapped', 6: 'LdrModulesCondensed', 7: 'LdrModulesReadyToInit', 8: 'LdrModulesInitializing', 9: 'LdrModulesReadyToRun', '\xfb': 'LdrModulesMerged', '\xfd': 'LdrModulesSnapError', '\xfc': 'LdrModulesInitError', -1: 'LdrModulesUnloading', '\xfe': 'LdrModulesUnloaded'})]], 'CondenseLink' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 
'PreorderNumber' : [ 0x48, ['unsigned long']], 'LowestLink' : [ 0x4c, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1d0, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'Order' : [ 0x30, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x1a8, ['_LIST_ENTRY']], 'Status' : [ 0x1b8, ['long']], 'FailedDevice' : [ 0x1c0, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1c8, ['unsigned char']], 'Cancelled' : [ 0x1c9, ['unsigned char']], 'IgnoreErrors' : [ 0x1ca, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1cb, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1cc, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned short')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned short')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned short')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'FloppyMedia' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'DefaultProtectionMask' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Binary32' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ContainsDebug' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ILOnly' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Spare' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'ImageSigningLevel' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_LOGGED_STREAM_CALLBACK_V1' : [ 0x10, { 'LogHandle' : [ 0x0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x8, ['pointer64', ['void']]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_TEB32' : [ 0xfe8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 
'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned 
long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'PerflibData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'ReservedForCodeCoverage' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned short']], 'LowFragHeapDataSlot' : [ 0xfaa, ['unsigned short']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SessionAware' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], 'ReservedForWdf' : [ 0xfe4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, 
['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0xc0, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'Latency' : [ 0xa8, ['unsigned long']], 'Power' : [ 0xac, ['unsigned long']], 'StateFlags' : [ 0xb0, ['unsigned long']], 'StateType' : [ 0xb4, ['unsigned char']], 'InterruptsEnabled' : [ 0xb5, ['unsigned char']], 'Interruptible' : [ 0xb6, ['unsigned char']], 'ContextRetained' : [ 0xb7, ['unsigned char']], 'CacheCoherent' : [ 0xb8, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_FREE_LIST' : [ 0x40, { 'FreeListLock' : [ 0x0, ['_EX_PUSH_LOCK']], 'FirstFreeHandleEntry' : [ 0x8, ['pointer64', 
['_HANDLE_TABLE_ENTRY']]], 'LastFreeHandleEntry' : [ 0x10, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x18, ['long']], 'HighWaterMark' : [ 0x1c, ['unsigned long']], 'Reserved' : [ 0x20, ['array', 8, ['unsigned long']]], } ], '_WHEAP_ERROR_RECORD_WRAPPER_FLAGS' : [ 0x4, { 'Preallocated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'FromPersistentStore' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_2400' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x20, { 'NodeRangeSize' : [ 0x0, ['unsigned long long']], 'NodeCount' : [ 0x8, ['unsigned long long']], 'Tables' : [ 0x10, ['pointer64', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x18, ['unsigned long']], 'u1' : [ 0x1c, ['__unnamed_2400']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_AER_ENDPOINT_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_RELATION_LIST_ENTRY' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_PROC_PERF_HISTORY_ENTRY' : [ 0x6, { 'Utility' : [ 0x0, ['unsigned short']], 'AffinitizedUtility' : [ 0x2, ['unsigned short']], 'Frequency' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], } ], '_POP_FX_COMPONENT' : [ 0xb8, { 'Id' : [ 0x0, ['_GUID']], 'Index' : [ 0x10, ['unsigned long']], 'WorkOrder' : [ 0x18, ['_POP_FX_WORK_ORDER']], 'Device' : [ 0x40, ['pointer64', ['_POP_FX_DEVICE']]], 'Flags' : [ 0x48, ['_POP_FX_COMPONENT_FLAGS']], 'Resident' : [ 0x50, ['long']], 'ActiveEvent' : [ 0x58, ['_KEVENT']], 'IdleLock' : [ 0x70, ['unsigned long long']], 'IdleConditionComplete' : [ 0x78, ['long']], 'IdleStateComplete' : [ 0x7c, ['long']], 'IdleStamp' : [ 0x80, ['unsigned long long']], 'CurrentIdleState' : [ 0x88, ['unsigned long']], 'IdleStateCount' : [ 0x8c, ['unsigned long']], 'IdleStates' : [ 0x90, ['pointer64', ['_POP_FX_IDLE_STATE']]], 'DeepestWakeableIdleState' : [ 0x98, ['unsigned long']], 'ProviderCount' : [ 0x9c, ['unsigned long']], 'Providers' : [ 0xa0, ['pointer64', ['_POP_FX_PROVIDER']]], 'IdleProviderCount' : [ 0xa8, ['unsigned long']], 'DependentCount' : [ 0xac, ['unsigned long']], 'Dependents' : [ 0xb0, ['pointer64', ['_POP_FX_DEPENDENT']]], } ], '_POP_FX_DRIVER_CALLBACKS' : [ 0x38, { 'ComponentActive' : [ 0x0, ['pointer64', ['void']]], 'ComponentIdle' : [ 0x8, ['pointer64', ['void']]], 'ComponentIdleState' : [ 0x10, ['pointer64', ['void']]], 'DevicePowerRequired' : [ 0x18, ['pointer64', ['void']]], 
'DevicePowerNotRequired' : [ 0x20, ['pointer64', ['void']]], 'PowerControl' : [ 0x28, ['pointer64', ['void']]], 'ComponentCriticalTransition' : [ 0x30, ['pointer64', ['void']]], } ], '_PROVIDER_BINARY_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'ConsumersNotified' : [ 0x10, ['unsigned char']], 'Spare' : [ 0x11, ['array', 3, ['unsigned char']]], 'DebugIdSize' : [ 0x14, ['unsigned long']], 'DebugId' : [ 0x18, ['_CVDD']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8168, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x803c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']], 'TotalReleases' : [ 0x8044, ['unsigned long']], 'RootNodesDeleted' : [ 0x8048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x804c, ['unsigned long']], 'Instigator' : [ 0x8050, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8058, ['unsigned long']], 'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 
0x8160, ['long']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']], } ], '_PLATFORM_IDLE_STATE_ACCOUNTING' : [ 0x370, { 'CancelCount' : [ 0x0, ['unsigned long']], 'FailureCount' : [ 0x4, ['unsigned long']], 'SuccessCount' : [ 0x8, ['unsigned long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 
'MinTime' : [ 0x18, ['unsigned long long']], 'TotalTime' : [ 0x20, ['unsigned long long']], 'InvalidBucketIndex' : [ 0x28, ['unsigned long']], 'IdleTimeBuckets' : [ 0x30, ['array', 26, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, 
['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'PipelineReadAheads' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', 
dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 
0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_PROCESSOR_IDLE_CONSTRAINTS' : [ 0x30, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTime' : [ 0x8, ['unsigned long long']], 'ExpectedIdleDuration' : [ 0x10, ['unsigned long long']], 'MaxIdleDuration' : [ 0x18, ['unsigned long']], 'OverrideState' : [ 0x1c, ['unsigned long']], 'TimeCheck' : [ 0x20, ['unsigned long']], 'PromotePercent' : [ 0x24, ['unsigned char']], 'DemotePercent' : [ 0x25, ['unsigned char']], 'Parked' : [ 0x26, ['unsigned char']], 'Interruptible' : [ 0x27, ['unsigned char']], 'PlatformIdle' : [ 0x28, ['unsigned char']], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 'Inserted' : [ 0x1c, ['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'Large' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'TrimBehind' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'NoValidationNeeded' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_2463' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2465' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2463']], 'Value' : [ 0x0, ['long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2465']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_2477' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_2477']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, 
['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_EVENT_HEADER_EXTENDED_DATA_ITEM' : [ 0x10, { 'Reserved1' : [ 0x0, ['unsigned short']], 'ExtType' : [ 0x2, ['unsigned short']], 'Linkage' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Reserved2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'DataSize' : [ 0x6, ['unsigned short']], 'DataPtr' : [ 0x8, ['unsigned long long']], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_RTL_UMS_CONTEXT' : [ 0x520, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 
'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'PrimaryUmsContext' : [ 0x500, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x508, ['unsigned long']], 'KernelYieldCount' : [ 0x50c, ['unsigned long']], 'MixedYieldCount' : [ 0x510, ['unsigned long']], 'YieldCount' : [ 0x514, ['unsigned long']], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 
8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned 
short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_ETW_GUID_ENTRY' : [ 0x178, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['pointer64', ['pointer64', ['_EVENT_FILTER_HEADER']]]], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 
'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_24dd' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_24df' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_24dd']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_24df']], } ], '_PNP_RESERVED_PROVIDER_INFO' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DependentList' : [ 0x10, ['_LIST_ENTRY']], 'ReservationId' : [ 0x20, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x30, ['long']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, 
['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'BaseBelow4gb' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0xc0, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], 'NodeToFree' : [ 0x70, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['long']], } ], '_XPF_MC_BANK_FLAGS' : [ 0x1, { 'ClearOnInitializationRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ControlDataRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1d, { 'PerUserPolicy' : [ 0x0, ['array', 29, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, 
end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_24f5' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_24f7' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_24fb' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_24ff' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_2501' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_24f5']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_24f7']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_24fb']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_24ff']], 'Others' : [ 0x0, ['__unnamed_2501']], } ], '_MI_SESSION_DRIVER_UNLOAD' : [ 0x8, { 'Function' : [ 0x0, ['pointer64', ['void']]], 'FunctionValue' : [ 0x0, ['unsigned long long']], } ], '_LDR_SERVICE_TAG_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_LDR_SERVICE_TAG_RECORD']]], 'ServiceTag' : [ 0x8, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], 
'_HIVE_WAIT_PACKET' : [ 0x30, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Next' : [ 0x20, ['pointer64', ['_HIVE_WAIT_PACKET']]], 'PrimaryFileWritten' : [ 0x28, ['unsigned char']], } ], '__unnamed_250e' : [ 0x4, { 'PollInterval' : [ 0x0, ['unsigned long']], } ], '__unnamed_2510' : [ 0x18, { 'PollInterval' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'SwitchToPollingThreshold' : [ 0x8, ['unsigned long']], 'SwitchToPollingWindow' : [ 0xc, ['unsigned long']], 'ErrorThreshold' : [ 0x10, ['unsigned long']], 'ErrorThresholdWindow' : [ 0x14, ['unsigned long']], } ], '__unnamed_2512' : [ 0x18, { 'Polled' : [ 0x0, ['__unnamed_250e']], 'Interrupt' : [ 0x0, ['__unnamed_2510']], 'LocalInterrupt' : [ 0x0, ['__unnamed_2510']], 'Sci' : [ 0x0, ['__unnamed_2510']], 'Nmi' : [ 0x0, ['__unnamed_2510']], } ], '_WHEA_NOTIFICATION_DESCRIPTOR' : [ 0x1c, { 'Type' : [ 0x0, ['unsigned char']], 'Length' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['_WHEA_NOTIFICATION_FLAGS']], 'u' : [ 0x4, ['__unnamed_2512']], } ], '_POP_HIBER_CONTEXT' : [ 0x1a0, { 'Reset' : [ 0x0, ['unsigned char']], 'HiberFlags' : [ 0x1, ['unsigned char']], 'WroteHiberFile' : [ 0x2, ['unsigned char']], 'VerifyKernelPhaseOnResume' : [ 0x3, ['unsigned char']], 'KernelPhaseVerificationActive' : [ 0x4, ['unsigned char']], 'InitializationFinished' : [ 0x5, ['unsigned char']], 'NextTableLockHeld' : [ 0x8, ['long']], 'BootPhaseFinishedBarrier' : [ 0xc, ['long']], 'KernelResumeFinishedBarrier' : [ 0x10, ['long']], 'MapFrozen' : [ 0x14, ['unsigned char']], 'DiscardMap' : [ 0x18, ['_RTL_BITMAP']], 'KernelPhaseMap' : [ 0x18, ['_RTL_BITMAP']], 'BootPhaseMap' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x38, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x48, ['unsigned long']], 'ClonedPageCount' : [ 0x50, ['unsigned long long']], 'CurrentMap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'NextCloneRange' : [ 0x60, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x68, ['unsigned long 
long']], 'LoaderMdl' : [ 0x70, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x78, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x80, ['unsigned long long']], 'IoPages' : [ 0x88, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x90, ['unsigned long']], 'CurrentMcb' : [ 0x98, ['pointer64', ['void']]], 'DumpStack' : [ 0xa0, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xa8, ['pointer64', ['_KPROCESSOR_STATE']]], 'IoProgress' : [ 0xb0, ['unsigned long']], 'Status' : [ 0xb4, ['long']], 'GraphicsProc' : [ 0xb8, ['unsigned long']], 'MemoryImage' : [ 0xc0, ['pointer64', ['PO_MEMORY_IMAGE']]], 'PerformanceStats' : [ 0xc8, ['pointer64', ['unsigned long']]], 'BootLoaderLogMdl' : [ 0xd0, ['pointer64', ['_MDL']]], 'SiLogOffset' : [ 0xd8, ['unsigned long']], 'FirmwareRuntimeInformationMdl' : [ 0xe0, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationVa' : [ 0xe8, ['pointer64', ['void']]], 'ResumeContext' : [ 0xf0, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0xf8, ['unsigned long']], 'ProcessorCount' : [ 0xfc, ['unsigned long']], 'ProcessorContext' : [ 0x100, ['pointer64', ['_POP_PER_PROCESSOR_CONTEXT']]], 'ProdConsBuffer' : [ 0x108, ['pointer64', ['unsigned char']]], 'ProdConsSize' : [ 0x110, ['unsigned long']], 'MaxDataPages' : [ 0x114, ['unsigned long']], 'ExtraBuffer' : [ 0x118, ['pointer64', ['void']]], 'ExtraBufferSize' : [ 0x120, ['unsigned long long']], 'ExtraMapVa' : [ 0x128, ['pointer64', ['void']]], 'BitlockerKeyPFN' : [ 0x130, ['unsigned long long']], 'IoInfo' : [ 0x138, ['_POP_IO_INFO']], 'HardwareConfigurationSignature' : [ 0x198, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_CVDD' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'NB10' : [ 0x0, ['_NB10']], 'RsDs' : [ 0x0, ['_RSDS']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_WHEA_AER_BRIDGE_DESCRIPTOR' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned short']], 'Enabled' : [ 0x2, 
['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'BusNumber' : [ 0x4, ['unsigned long']], 'Slot' : [ 0x8, ['_WHEA_PCI_SLOT_NUMBER']], 'DeviceControl' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['_AER_BRIDGE_DESCRIPTOR_FLAGS']], 'UncorrectableErrorMask' : [ 0x10, ['unsigned long']], 'UncorrectableErrorSeverity' : [ 0x14, ['unsigned long']], 'CorrectableErrorMask' : [ 0x18, ['unsigned long']], 'AdvancedCapsAndControl' : [ 0x1c, ['unsigned long']], 'SecondaryUncorrectableErrorMask' : [ 0x20, ['unsigned long']], 'SecondaryUncorrectableErrorSev' : [ 0x24, ['unsigned long']], 'SecondaryCapsAndControl' : [ 0x28, ['unsigned long']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x178, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x108, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x110, ['pointer64', ['void']]], 'PointersLength' : [ 0x118, ['unsigned long']], 'ModulePrefix' : [ 0x120, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0x128, ['_LIST_ENTRY']], 'InitMsg' : [ 0x138, ['_STRING']], 'ProgMsg' : [ 0x148, ['_STRING']], 'DoneMsg' : [ 0x158, ['_STRING']], 'FileObject' : [ 0x168, ['pointer64', ['void']]], 'UsageType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile', 4: 'DeviceUsageTypeBoot', 5: 'DeviceUsageTypePostDisplay'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], 
'_POP_SHUTDOWN_BUG_CHECK' : [ 0x48, { 'InitiatingThread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'InitiatingProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ThreadId' : [ 0x10, ['pointer64', ['void']]], 'ProcessId' : [ 0x18, ['pointer64', ['void']]], 'Code' : [ 0x20, ['unsigned long']], 'Parameter1' : [ 0x28, ['unsigned long long']], 'Parameter2' : [ 0x30, ['unsigned long long']], 'Parameter3' : [ 0x38, ['unsigned long long']], 'Parameter4' : [ 0x40, ['unsigned long long']], } ], '_NB10' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'Offset' : [ 0x4, ['unsigned long']], 'TimeStamp' : [ 0x8, ['unsigned long']], 'Age' : [ 0xc, ['unsigned long']], 'PdbName' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 'VadType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 14, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'PrivateFixup' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 31, 
native_type='unsigned long')]], 'DeleteInProgress' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_MI_VAD_EVENT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_VAD_EVENT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], 'SecureInfo' : [ 0x10, ['_MMADDRESS_LIST']], 'BitMap' : [ 0x10, ['_RTL_BITMAP_EX']], 'InPageSupport' : [ 0x10, ['pointer64', ['_MMINPAGE_SUPPORT']]], 'PhysicalMemory' : [ 0x10, ['_MI_PHYSMEM_BLOCK']], 'LargePage' : [ 0x10, ['pointer64', ['_MI_LARGEPAGE_MEMORY_INFO']]], } ], '__unnamed_254e' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_254e']], } ], '__unnamed_2552' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2552']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_RTL_BITMAP_EX' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 
0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_RSDS' : [ 0x1c, { 'Signature' : [ 0x0, ['unsigned long']], 'Guid' : [ 0x4, ['_GUID']], 'Age' : [ 0x14, ['unsigned long']], 'PdbName' : [ 0x18, ['array', 1, ['unsigned char']]], } ], 'PO_MEMORY_IMAGE' : [ 0x360, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'NumPagesForLoader' : [ 0x58, ['unsigned long long']], 'FirstBootRestorePage' : [ 0x60, ['unsigned long long']], 'FirstKernelRestorePage' : [ 0x68, ['unsigned long long']], 'PerfInfo' : [ 0x70, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0x218, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0x220, ['array', 1, ['unsigned long long']]], 'SiLogOffset' : [ 0x228, ['unsigned long']], 'NoBootLoaderLogPages' : [ 
0x22c, ['unsigned long']], 'BootLoaderLogPages' : [ 0x230, ['array', 24, ['unsigned long long']]], 'NotUsed' : [ 0x2f0, ['unsigned long']], 'ResumeContextCheck' : [ 0x2f4, ['unsigned long']], 'ResumeContextPages' : [ 0x2f8, ['unsigned long']], 'Hiberboot' : [ 0x2fc, ['unsigned char']], 'HvCr3' : [ 0x300, ['unsigned long long']], 'HvEntryPoint' : [ 0x308, ['unsigned long long']], 'HvReservedTransitionAddress' : [ 0x310, ['unsigned long long']], 'HvReservedTransitionAddressSize' : [ 0x318, ['unsigned long long']], 'BootFlags' : [ 0x320, ['unsigned long long']], 'HalEntryPointPhysical' : [ 0x328, ['unsigned long long']], 'HighestPhysicalPage' : [ 0x330, ['unsigned long long']], 'BitlockerKeyPfns' : [ 0x338, ['array', 4, ['unsigned long long']]], 'HardwareSignature' : [ 0x358, ['unsigned long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_RTL_ATOM_TABLE_REFERENCE' : [ 0x18, { 'LowBoxList' : [ 0x0, ['_LIST_ENTRY']], 'LowBoxID' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned short']], 'Flags' : [ 0x16, ['unsigned short']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x1a8, { 'HiberIoTicks' : [ 0x0, ['unsigned long long']], 'HiberIoCpuTicks' : [ 0x8, ['unsigned long long']], 'HiberInitTicks' : [ 0x10, ['unsigned long long']], 'HiberHiberFileTicks' : [ 0x18, ['unsigned long long']], 'HiberCompressTicks' : [ 0x20, ['unsigned long long']], 'HiberSharedBufferTicks' : [ 0x28, ['unsigned long long']], 'TotalHibernateTime' : [ 0x30, ['_LARGE_INTEGER']], 'POSTTime' : [ 0x38, ['unsigned long']], 'ResumeBootMgrTime' : [ 0x3c, ['unsigned long']], 'BootmgrUserInputTime' : [ 0x40, ['unsigned long']], 'ResumeAppTicks' : [ 0x48, ['unsigned long long']], 'ResumeAppStartTimestamp' : [ 0x50, ['unsigned long long']], 'ResumeLibraryInitTicks' : [ 0x58, ['unsigned long long']], 
'ResumeInitTicks' : [ 0x60, ['unsigned long long']], 'ResumeRestoreImageStartTimestamp' : [ 0x68, ['unsigned long long']], 'ResumeHiberFileTicks' : [ 0x70, ['unsigned long long']], 'ResumeIoTicks' : [ 0x78, ['unsigned long long']], 'ResumeDecompressTicks' : [ 0x80, ['unsigned long long']], 'ResumeAllocateTicks' : [ 0x88, ['unsigned long long']], 'ResumeUserInOutTicks' : [ 0x90, ['unsigned long long']], 'ResumeMapTicks' : [ 0x98, ['unsigned long long']], 'ResumeUnmapTicks' : [ 0xa0, ['unsigned long long']], 'ResumeKernelSwitchTimestamp' : [ 0xa8, ['unsigned long long']], 'WriteLogDataTimestamp' : [ 0xb0, ['unsigned long long']], 'KernelReturnFromHandler' : [ 0xb8, ['unsigned long long']], 'TimeStampCounterAtSwitchTime' : [ 0xc0, ['unsigned long long']], 'HalTscOffset' : [ 0xc8, ['unsigned long long']], 'HvlTscOffset' : [ 0xd0, ['unsigned long long']], 'SleeperThreadEnd' : [ 0xd8, ['unsigned long long']], 'KernelReturnSystemPowerStateTimestamp' : [ 0xe0, ['unsigned long long']], 'IoBoundedness' : [ 0xe8, ['unsigned long long']], 'KernelDecompressTicks' : [ 0xf0, ['unsigned long long']], 'KernelIoTicks' : [ 0xf8, ['unsigned long long']], 'KernelCopyTicks' : [ 0x100, ['unsigned long long']], 'ReadCheckCount' : [ 0x108, ['unsigned long long']], 'KernelInitTicks' : [ 0x110, ['unsigned long long']], 'KernelResumeHiberFileTicks' : [ 0x118, ['unsigned long long']], 'KernelIoCpuTicks' : [ 0x120, ['unsigned long long']], 'KernelSharedBufferTicks' : [ 0x128, ['unsigned long long']], 'KernelAnimationTicks' : [ 0x130, ['unsigned long long']], 'AnimationStart' : [ 0x138, ['_LARGE_INTEGER']], 'AnimationStop' : [ 0x140, ['_LARGE_INTEGER']], 'DeviceResumeTime' : [ 0x148, ['unsigned long']], 'BootPagesProcessed' : [ 0x150, ['unsigned long long']], 'KernelPagesProcessed' : [ 0x158, ['unsigned long long']], 'BootBytesWritten' : [ 0x160, ['unsigned long long']], 'KernelBytesWritten' : [ 0x168, ['unsigned long long']], 'BootPagesWritten' : [ 0x170, ['unsigned long long']], 
'KernelPagesWritten' : [ 0x178, ['unsigned long long']], 'BytesWritten' : [ 0x180, ['unsigned long long']], 'PagesWritten' : [ 0x188, ['unsigned long']], 'FileRuns' : [ 0x18c, ['unsigned long']], 'NoMultiStageResumeReason' : [ 0x190, ['unsigned long']], 'MaxHuffRatio' : [ 0x194, ['unsigned long']], 'AdjustedTotalResumeTime' : [ 0x198, ['unsigned long long']], 'ResumeCompleteTimestamp' : [ 0x1a0, ['unsigned long long']], } ], '_POP_FX_PROVIDER' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'Activating' : [ 0x4, ['unsigned char']], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Hint' : [ 0x4, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '__unnamed_2573' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_2573']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_MI_PHYSMEM_BLOCK' : [ 0x8, { 'IoTracker' : [ 0x0, ['pointer64', ['_MMIO_TRACKER']]], } ], '_POP_PER_PROCESSOR_CONTEXT' : [ 0x80, { 'UncompressedData' : [ 0x0, ['pointer64', ['unsigned char']]], 'MappingVa' : [ 0x8, ['pointer64', ['void']]], 'XpressEncodeWorkspace' : [ 0x10, ['pointer64', ['void']]], 'CompressedDataBuffer' : [ 0x18, ['pointer64', ['unsigned char']]], 'CopyTicks' : [ 0x20, ['unsigned long long']], 'CompressTicks' : [ 0x28, ['unsigned long long']], 'BytesCopied' : [ 0x30, ['unsigned long long']], 'PagesProcessed' : [ 0x38, ['unsigned long long']], 'DecompressTicks' : [ 0x40, ['unsigned long long']], 'ResumeCopyTicks' : [ 0x48, ['unsigned long long']], 'SharedBufferTicks' : [ 0x50, ['unsigned long long']], 
'DecompressTicksByMethod' : [ 0x58, ['array', 2, ['unsigned long long']]], 'DecompressSizeByMethod' : [ 0x68, ['array', 2, ['unsigned long long']]], 'CompressCount' : [ 0x78, ['unsigned long']], 'HuffCompressCount' : [ 0x7c, ['unsigned long']], } ], '_IO_REMOVE_LOCK' : [ 0x20, { 'Common' : [ 0x0, ['_IO_REMOVE_LOCK_COMMON_BLOCK']], } ], '_POP_IO_INFO' : [ 0x60, { 'DumpMdl' : [ 0x0, ['pointer64', ['_MDL']]], 'IoStatus' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IoReady', 1: 'IoPending', 2: 'IoDone'})]], 'IoStartCount' : [ 0x10, ['unsigned long long']], 'IoBytesCompleted' : [ 0x18, ['unsigned long long']], 'IoBytesInProgress' : [ 0x20, ['unsigned long long']], 'RequestSize' : [ 0x28, ['unsigned long long']], 'IoLocation' : [ 0x30, ['_LARGE_INTEGER']], 'FileOffset' : [ 0x38, ['unsigned long long']], 'Buffer' : [ 0x40, ['pointer64', ['void']]], 'AsyncCapable' : [ 0x48, ['unsigned char']], 'BytesToRead' : [ 0x50, ['unsigned long long']], 'Pages' : [ 0x58, ['unsigned long']], } ], '_LDRP_CSLIST' : [ 0x8, { 'Tail' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_MMVIEW' : [ 0x38, { 'PteOffset' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['unsigned long long']], 'u1' : [ 0x10, ['_MMVIEW_CONTROL_AREA']], 'ViewLinks' : [ 0x18, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x28, ['pointer64', ['void']]], 'SessionId' : [ 0x30, ['unsigned long']], 'SessionIdForGlobalSubsections' : [ 0x34, ['unsigned long']], } ], '_AER_BRIDGE_DESCRIPTOR_FLAGS' : [ 0x2, { 'UncorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'UncorrectableErrorSeverityRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'CorrectableErrorMaskRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'AdvancedCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SecondaryUncorrectableErrorMaskRW' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'SecondaryUncorrectableErrorSevRW' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'SecondaryCapsAndControlRW' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_MMVIEW_CONTROL_AREA' : [ 0x8, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ExceptionForInPageErrors' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'UsedForControlArea' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned 
short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_POP_FX_DEPENDENT' : [ 0x8, { 'Index' : [ 0x0, ['unsigned long']], 'ProviderIndex' : [ 0x4, ['unsigned long']], } ], '_XPF_MCE_FLAGS' : [ 0x4, { 'MCG_CapabilityRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MCG_GlobalControlRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '__unnamed_25a3' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_25a5' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_25a7' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_25a3']], 'Gpt' : [ 0x0, ['__unnamed_25a5']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x108, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 
'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MarkMemoryOnly' : [ 0x69, ['unsigned char']], 'HiberResume' : [ 0x6a, ['unsigned char']], 'Reserved1' : [ 0x6b, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_25a7']], 'ReadRoutine' : [ 0xa0, ['pointer64', ['void']]], 'GetDriveTelemetryRoutine' : [ 0xa8, ['pointer64', ['void']]], 'LogSectionTruncateSize' : [ 0xb0, ['unsigned long']], 'Parameters' : [ 0xb4, ['array', 16, ['unsigned long']]], 'GetTransferSizesRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DumpNotifyRoutine' : [ 0x100, ['pointer64', ['void']]], } ], '_ETW_QUEUE_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DataBlock' : [ 0x10, ['pointer64', ['_ETWP_NOTIFICATION_HEADER']]], 'RegEntry' : [ 0x18, ['pointer64', ['_ETW_REG_ENTRY']]], 'ReplyObject' : [ 0x20, ['pointer64', ['_ETW_REG_ENTRY']]], 'WakeReference' : [ 0x28, ['pointer64', ['void']]], 'RegIndex' : [ 0x30, ['unsigned short']], 'ReplyIndex' : [ 0x32, ['unsigned short']], 'Flags' : [ 0x34, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x178, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 
'OrderLevel' : [ 0x10, ['array', 5, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_IO_REMOVE_LOCK_COMMON_BLOCK' : [ 0x20, { 'Removed' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'IoCount' : [ 0x4, ['long']], 'RemoveEvent' : [ 0x8, ['_KEVENT']], } ], '_POP_FX_IDLE_STATE' : [ 0x18, { 'TransitionLatency' : [ 0x0, ['unsigned long long']], 'ResidencyRequirement' : [ 0x8, ['unsigned long long']], 'NominalPower' : [ 0x10, ['unsigned long']], } ], '_WHEA_NOTIFICATION_FLAGS' : [ 0x2, { 'PollIntervalRW' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'SwitchToPollingThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'SwitchToPollingWindowRW' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'ErrorThresholdRW' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'ErrorThresholdWindowRW' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], 
'_ETWP_NOTIFICATION_HEADER' : [ 0x48, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'EtwNotificationTypeNoReply', 2: 'EtwNotificationTypeLegacyEnable', 3: 'EtwNotificationTypeEnable', 4: 'EtwNotificationTypePrivateLogger', 5: 'EtwNotificationTypePerflib', 6: 'EtwNotificationTypeAudio', 7: 'EtwNotificationTypeSession', 8: 'EtwNotificationTypeReserved', 9: 'EtwNotificationTypeCredentialUI', 10: 'EtwNotificationTypeMax'})]], 'NotificationSize' : [ 0x4, ['unsigned long']], 'RefCount' : [ 0x8, ['long']], 'ReplyRequested' : [ 0xc, ['unsigned char']], 'ReplyIndex' : [ 0x10, ['unsigned long']], 'Timeout' : [ 0x10, ['unsigned long']], 'ReplyCount' : [ 0x14, ['unsigned long']], 'NotifyeeCount' : [ 0x14, ['unsigned long']], 'ReplyHandle' : [ 0x18, ['unsigned long long']], 'ReplyObject' : [ 0x18, ['pointer64', ['void']]], 'RegIndex' : [ 0x18, ['unsigned long']], 'TargetPID' : [ 0x20, ['unsigned long']], 'SourcePID' : [ 0x24, ['unsigned long']], 'DestinationGuid' : [ 0x28, ['_GUID']], 'SourceGuid' : [ 0x38, ['_GUID']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', 
['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_MI_LARGEPAGE_MEMORY_INFO' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'ColoredPageInfoBase' : [ 0x10, ['pointer64', ['_COLORED_PAGE_INFO']]], 'PagesNeedZeroing' : [ 0x18, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_MMIO_TRACKER' : [ 0x70, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PageFrameIndex' : [ 0x10, ['unsigned long long']], 'NumberOfPages' : [ 0x18, ['unsigned long long']], 'BaseVa' : [ 0x20, ['pointer64', ['void']]], 'CacheFlushTimeStamp' : [ 0x20, ['unsigned long']], 'Mdl' : [ 0x28, ['pointer64', ['_MDL']]], 'MdlPages' : [ 0x30, ['unsigned long long']], 'StackTrace' : [ 0x38, ['array', 6, ['pointer64', ['void']]]], 'CacheInfo' : [ 0x68, ['array', 1, ['_IO_CACHE_INFO']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '__unnamed_25eb' : [ 0x4, { 'ImagePteOffset' : [ 0x0, ['unsigned long']], 'TossPage' : [ 0x0, ['unsigned long']], } ], '__unnamed_25ee' : [ 0x4, { 'e1' : [ 0x0, ['_MMINPAGE_FLAGS']], 'LongFlags' : [ 0x0, ['unsigned long']], } ], '_MMINPAGE_SUPPORT' : [ 0x178, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'ListHead' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['_KEVENT']], 'CollidedEvent' : [ 0x40, ['_KEVENT']], 'IoStatus' : [ 0x58, ['_IO_STATUS_BLOCK']], 'ReadOffset' : [ 0x68, ['_LARGE_INTEGER']], 'PteContents' : [ 0x70, ['_MMPTE']], 'LockedProtoPfn' : [ 0x78, ['pointer64', ['_MMPFN']]], 'WaitCount' : [ 0x80, ['long']], 'ByteCount' : [ 0x84, ['unsigned long']], 'u3' : [ 0x88, ['__unnamed_25eb']], 'u1' : [ 0x8c, ['__unnamed_25ee']], 'FilePointer' : [ 0x90, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x98, ['pointer64', ['_CONTROL_AREA']]], 
'FaultingAddress' : [ 0xa0, ['pointer64', ['void']]], 'PointerPte' : [ 0xa8, ['pointer64', ['_MMPTE']]], 'BasePte' : [ 0xb0, ['pointer64', ['_MMPTE']]], 'Pfn' : [ 0xb8, ['pointer64', ['_MMPFN']]], 'PrefetchMdl' : [ 0xc0, ['pointer64', ['_MDL']]], 'Mdl' : [ 0xc8, ['_MDL']], 'Page' : [ 0xf8, ['array', 16, ['unsigned long long']]], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_MMINPAGE_FLAGS' : [ 0x4, { 'InjectRetry' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CrossThreadPadding' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'PrefetchSystemVmType' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'VaPrefetchReadBlock' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'CollidedFlowThrough' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceCollisions' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'InPageExpanded' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'IssuedAtLowPriority' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'FaultFromStore' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PagePriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 
3, native_type='unsigned char')]], 'PerformRelocations' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ClusteredPagePriority' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned char')]], 'MakeClusterValid' : [ 0x2, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ZeroLastPage' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UserFault' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'BoostedPriority' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'StandbyProtectionNeeded' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PteChanged' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PageFileFault' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 12, native_type='unsigned long')]], } ], '_COLORED_PAGE_INFO' : [ 0x18, { 'BeingZeroed' : [ 0x0, ['long']], 'Processor' : [ 0x4, ['unsigned long']], 'PagesQueued' : [ 0x8, ['unsigned long long']], 'PfnAllocation' : [ 0x10, ['pointer64', ['_MMPFN']]], } ], '_IO_CACHE_INFO' : [ 0x1, { 'CacheAttribute' 
: [ 0x0, ['unsigned char']], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win7_sp01_x64_syscalls.py0000644000000000000000000013206013131215405031075 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see <http://www.gnu.org/licenses/>. # """ @author: MHL @license: GNU General Public License 2.0 @contact: michael.ligh@mnin.org This file provides support for Windows 7 SP0 and SP1 x64. 
""" syscalls = [ [ 'NtMapUserPhysicalPagesScatter', # 0x0 'NtWaitForSingleObject', # 0x1 'NtCallbackReturn', # 0x2 'NtReadFile', # 0x3 'NtDeviceIoControlFile', # 0x4 'NtWriteFile', # 0x5 'NtRemoveIoCompletion', # 0x6 'NtReleaseSemaphore', # 0x7 'NtReplyWaitReceivePort', # 0x8 'NtReplyPort', # 0x9 'NtSetInformationThread', # 0xa 'NtSetEvent', # 0xb 'NtClose', # 0xc 'NtQueryObject', # 0xd 'NtQueryInformationFile', # 0xe 'NtOpenKey', # 0xf 'NtEnumerateValueKey', # 0x10 'NtFindAtom', # 0x11 'NtQueryDefaultLocale', # 0x12 'NtQueryKey', # 0x13 'NtQueryValueKey', # 0x14 'NtAllocateVirtualMemory', # 0x15 'NtQueryInformationProcess', # 0x16 'NtWaitForMultipleObjects32', # 0x17 'NtWriteFileGather', # 0x18 'NtSetInformationProcess', # 0x19 'NtCreateKey', # 0x1a 'NtFreeVirtualMemory', # 0x1b 'NtImpersonateClientOfPort', # 0x1c 'NtReleaseMutant', # 0x1d 'NtQueryInformationToken', # 0x1e 'NtRequestWaitReplyPort', # 0x1f 'NtQueryVirtualMemory', # 0x20 'NtOpenThreadToken', # 0x21 'NtQueryInformationThread', # 0x22 'NtOpenProcess', # 0x23 'NtSetInformationFile', # 0x24 'NtMapViewOfSection', # 0x25 'NtAccessCheckAndAuditAlarm', # 0x26 'NtUnmapViewOfSection', # 0x27 'NtReplyWaitReceivePortEx', # 0x28 'NtTerminateProcess', # 0x29 'NtSetEventBoostPriority', # 0x2a 'NtReadFileScatter', # 0x2b 'NtOpenThreadTokenEx', # 0x2c 'NtOpenProcessTokenEx', # 0x2d 'NtQueryPerformanceCounter', # 0x2e 'NtEnumerateKey', # 0x2f 'NtOpenFile', # 0x30 'NtDelayExecution', # 0x31 'NtQueryDirectoryFile', # 0x32 'NtQuerySystemInformation', # 0x33 'NtOpenSection', # 0x34 'NtQueryTimer', # 0x35 'NtFsControlFile', # 0x36 'NtWriteVirtualMemory', # 0x37 'NtCloseObjectAuditAlarm', # 0x38 'NtDuplicateObject', # 0x39 'NtQueryAttributesFile', # 0x3a 'NtClearEvent', # 0x3b 'NtReadVirtualMemory', # 0x3c 'NtOpenEvent', # 0x3d 'NtAdjustPrivilegesToken', # 0x3e 'NtDuplicateToken', # 0x3f 'NtContinue', # 0x40 'NtQueryDefaultUILanguage', # 0x41 'NtQueueApcThread', # 0x42 'NtYieldExecution', # 0x43 'NtAddAtom', # 0x44 
'NtCreateEvent', # 0x45 'NtQueryVolumeInformationFile', # 0x46 'NtCreateSection', # 0x47 'NtFlushBuffersFile', # 0x48 'NtApphelpCacheControl', # 0x49 'NtCreateProcessEx', # 0x4a 'NtCreateThread', # 0x4b 'NtIsProcessInJob', # 0x4c 'NtProtectVirtualMemory', # 0x4d 'NtQuerySection', # 0x4e 'NtResumeThread', # 0x4f 'NtTerminateThread', # 0x50 'NtReadRequestData', # 0x51 'NtCreateFile', # 0x52 'NtQueryEvent', # 0x53 'NtWriteRequestData', # 0x54 'NtOpenDirectoryObject', # 0x55 'NtAccessCheckByTypeAndAuditAlarm', # 0x56 'NtQuerySystemTime', # 0x57 'NtWaitForMultipleObjects', # 0x58 'NtSetInformationObject', # 0x59 'NtCancelIoFile', # 0x5a 'NtTraceEvent', # 0x5b 'NtPowerInformation', # 0x5c 'NtSetValueKey', # 0x5d 'NtCancelTimer', # 0x5e 'NtSetTimer', # 0x5f 'NtAcceptConnectPort', # 0x60 'NtAccessCheck', # 0x61 'NtAccessCheckByType', # 0x62 'NtAccessCheckByTypeResultList', # 0x63 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x64 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x65 'NtAddBootEntry', # 0x66 'NtAddDriverEntry', # 0x67 'NtAdjustGroupsToken', # 0x68 'NtAlertResumeThread', # 0x69 'NtAlertThread', # 0x6a 'NtAllocateLocallyUniqueId', # 0x6b 'NtAllocateReserveObject', # 0x6c 'NtAllocateUserPhysicalPages', # 0x6d 'NtAllocateUuids', # 0x6e 'NtAlpcAcceptConnectPort', # 0x6f 'NtAlpcCancelMessage', # 0x70 'NtAlpcConnectPort', # 0x71 'NtAlpcCreatePort', # 0x72 'NtAlpcCreatePortSection', # 0x73 'NtAlpcCreateResourceReserve', # 0x74 'NtAlpcCreateSectionView', # 0x75 'NtAlpcCreateSecurityContext', # 0x76 'NtAlpcDeletePortSection', # 0x77 'NtAlpcDeleteResourceReserve', # 0x78 'NtAlpcDeleteSectionView', # 0x79 'NtAlpcDeleteSecurityContext', # 0x7a 'NtAlpcDisconnectPort', # 0x7b 'NtAlpcImpersonateClientOfPort', # 0x7c 'NtAlpcOpenSenderProcess', # 0x7d 'NtAlpcOpenSenderThread', # 0x7e 'NtAlpcQueryInformation', # 0x7f 'NtAlpcQueryInformationMessage', # 0x80 'NtAlpcRevokeSecurityContext', # 0x81 'NtAlpcSendWaitReceivePort', # 0x82 'NtAlpcSetInformation', # 0x83 
'NtAreMappedFilesTheSame', # 0x84 'NtAssignProcessToJobObject', # 0x85 'NtCancelIoFileEx', # 0x86 'NtCancelSynchronousIoFile', # 0x87 'NtCommitComplete', # 0x88 'NtCommitEnlistment', # 0x89 'NtCommitTransaction', # 0x8a 'NtCompactKeys', # 0x8b 'NtCompareTokens', # 0x8c 'NtCompleteConnectPort', # 0x8d 'NtCompressKey', # 0x8e 'NtConnectPort', # 0x8f 'NtCreateDebugObject', # 0x90 'NtCreateDirectoryObject', # 0x91 'NtCreateEnlistment', # 0x92 'NtCreateEventPair', # 0x93 'NtCreateIoCompletion', # 0x94 'NtCreateJobObject', # 0x95 'NtCreateJobSet', # 0x96 'NtCreateKeyTransacted', # 0x97 'NtCreateKeyedEvent', # 0x98 'NtCreateMailslotFile', # 0x99 'NtCreateMutant', # 0x9a 'NtCreateNamedPipeFile', # 0x9b 'NtCreatePagingFile', # 0x9c 'NtCreatePort', # 0x9d 'NtCreatePrivateNamespace', # 0x9e 'NtCreateProcess', # 0x9f 'NtCreateProfile', # 0xa0 'NtCreateProfileEx', # 0xa1 'NtCreateResourceManager', # 0xa2 'NtCreateSemaphore', # 0xa3 'NtCreateSymbolicLinkObject', # 0xa4 'NtCreateThreadEx', # 0xa5 'NtCreateTimer', # 0xa6 'NtCreateToken', # 0xa7 'NtCreateTransaction', # 0xa8 'NtCreateTransactionManager', # 0xa9 'NtCreateUserProcess', # 0xaa 'NtCreateWaitablePort', # 0xab 'NtCreateWorkerFactory', # 0xac 'NtDebugActiveProcess', # 0xad 'NtDebugContinue', # 0xae 'NtDeleteAtom', # 0xaf 'NtDeleteBootEntry', # 0xb0 'NtDeleteDriverEntry', # 0xb1 'NtDeleteFile', # 0xb2 'NtDeleteKey', # 0xb3 'NtDeleteObjectAuditAlarm', # 0xb4 'NtDeletePrivateNamespace', # 0xb5 'NtDeleteValueKey', # 0xb6 'NtDisableLastKnownGood', # 0xb7 'NtDisplayString', # 0xb8 'NtDrawText', # 0xb9 'NtEnableLastKnownGood', # 0xba 'NtEnumerateBootEntries', # 0xbb 'NtEnumerateDriverEntries', # 0xbc 'NtEnumerateSystemEnvironmentValuesEx', # 0xbd 'NtEnumerateTransactionObject', # 0xbe 'NtExtendSection', # 0xbf 'NtFilterToken', # 0xc0 'NtFlushInstallUILanguage', # 0xc1 'NtFlushInstructionCache', # 0xc2 'NtFlushKey', # 0xc3 'NtFlushProcessWriteBuffers', # 0xc4 'NtFlushVirtualMemory', # 0xc5 'NtFlushWriteBuffer', # 0xc6 
'NtFreeUserPhysicalPages', # 0xc7 'NtFreezeRegistry', # 0xc8 'NtFreezeTransactions', # 0xc9 'NtGetContextThread', # 0xca 'NtGetCurrentProcessorNumber', # 0xcb 'NtGetDevicePowerState', # 0xcc 'NtGetMUIRegistryInfo', # 0xcd 'NtGetNextProcess', # 0xce 'NtGetNextThread', # 0xcf 'NtGetNlsSectionPtr', # 0xd0 'NtGetNotificationResourceManager', # 0xd1 'NtGetPlugPlayEvent', # 0xd2 'NtGetWriteWatch', # 0xd3 'NtImpersonateAnonymousToken', # 0xd4 'NtImpersonateThread', # 0xd5 'NtInitializeNlsFiles', # 0xd6 'NtInitializeRegistry', # 0xd7 'NtInitiatePowerAction', # 0xd8 'NtIsSystemResumeAutomatic', # 0xd9 'NtIsUILanguageComitted', # 0xda 'NtListenPort', # 0xdb 'NtLoadDriver', # 0xdc 'NtLoadKey', # 0xdd 'NtLoadKey2', # 0xde 'NtLoadKeyEx', # 0xdf 'NtLockFile', # 0xe0 'NtLockProductActivationKeys', # 0xe1 'NtLockRegistryKey', # 0xe2 'NtLockVirtualMemory', # 0xe3 'NtMakePermanentObject', # 0xe4 'NtMakeTemporaryObject', # 0xe5 'NtMapCMFModule', # 0xe6 'NtMapUserPhysicalPages', # 0xe7 'NtModifyBootEntry', # 0xe8 'NtModifyDriverEntry', # 0xe9 'NtNotifyChangeDirectoryFile', # 0xea 'NtNotifyChangeKey', # 0xeb 'NtNotifyChangeMultipleKeys', # 0xec 'NtNotifyChangeSession', # 0xed 'NtOpenEnlistment', # 0xee 'NtOpenEventPair', # 0xef 'NtOpenIoCompletion', # 0xf0 'NtOpenJobObject', # 0xf1 'NtOpenKeyEx', # 0xf2 'NtOpenKeyTransacted', # 0xf3 'NtOpenKeyTransactedEx', # 0xf4 'NtOpenKeyedEvent', # 0xf5 'NtOpenMutant', # 0xf6 'NtOpenObjectAuditAlarm', # 0xf7 'NtOpenPrivateNamespace', # 0xf8 'NtOpenProcessToken', # 0xf9 'NtOpenResourceManager', # 0xfa 'NtOpenSemaphore', # 0xfb 'NtOpenSession', # 0xfc 'NtOpenSymbolicLinkObject', # 0xfd 'NtOpenThread', # 0xfe 'NtOpenTimer', # 0xff 'NtOpenTransaction', # 0x100 'NtOpenTransactionManager', # 0x101 'NtPlugPlayControl', # 0x102 'NtPrePrepareComplete', # 0x103 'NtPrePrepareEnlistment', # 0x104 'NtPrepareComplete', # 0x105 'NtPrepareEnlistment', # 0x106 'NtPrivilegeCheck', # 0x107 'NtPrivilegeObjectAuditAlarm', # 0x108 'NtPrivilegedServiceAuditAlarm', # 
0x109 'NtPropagationComplete', # 0x10a 'NtPropagationFailed', # 0x10b 'NtPulseEvent', # 0x10c 'NtQueryBootEntryOrder', # 0x10d 'NtQueryBootOptions', # 0x10e 'NtQueryDebugFilterState', # 0x10f 'NtQueryDirectoryObject', # 0x110 'NtQueryDriverEntryOrder', # 0x111 'NtQueryEaFile', # 0x112 'NtQueryFullAttributesFile', # 0x113 'NtQueryInformationAtom', # 0x114 'NtQueryInformationEnlistment', # 0x115 'NtQueryInformationJobObject', # 0x116 'NtQueryInformationPort', # 0x117 'NtQueryInformationResourceManager', # 0x118 'NtQueryInformationTransaction', # 0x119 'NtQueryInformationTransactionManager', # 0x11a 'NtQueryInformationWorkerFactory', # 0x11b 'NtQueryInstallUILanguage', # 0x11c 'NtQueryIntervalProfile', # 0x11d 'NtQueryIoCompletion', # 0x11e 'NtQueryLicenseValue', # 0x11f 'NtQueryMultipleValueKey', # 0x120 'NtQueryMutant', # 0x121 'NtQueryOpenSubKeys', # 0x122 'NtQueryOpenSubKeysEx', # 0x123 'NtQueryPortInformationProcess', # 0x124 'NtQueryQuotaInformationFile', # 0x125 'NtQuerySecurityAttributesToken', # 0x126 'NtQuerySecurityObject', # 0x127 'NtQuerySemaphore', # 0x128 'NtQuerySymbolicLinkObject', # 0x129 'NtQuerySystemEnvironmentValue', # 0x12a 'NtQuerySystemEnvironmentValueEx', # 0x12b 'NtQuerySystemInformationEx', # 0x12c 'NtQueryTimerResolution', # 0x12d 'NtQueueApcThreadEx', # 0x12e 'NtRaiseException', # 0x12f 'NtRaiseHardError', # 0x130 'NtReadOnlyEnlistment', # 0x131 'NtRecoverEnlistment', # 0x132 'NtRecoverResourceManager', # 0x133 'NtRecoverTransactionManager', # 0x134 'NtRegisterProtocolAddressInformation', # 0x135 'NtRegisterThreadTerminatePort', # 0x136 'NtReleaseKeyedEvent', # 0x137 'NtReleaseWorkerFactoryWorker', # 0x138 'NtRemoveIoCompletionEx', # 0x139 'NtRemoveProcessDebug', # 0x13a 'NtRenameKey', # 0x13b 'NtRenameTransactionManager', # 0x13c 'NtReplaceKey', # 0x13d 'NtReplacePartitionUnit', # 0x13e 'NtReplyWaitReplyPort', # 0x13f 'NtRequestPort', # 0x140 'NtResetEvent', # 0x141 'NtResetWriteWatch', # 0x142 'NtRestoreKey', # 0x143 'NtResumeProcess', 
# 0x144 'NtRollbackComplete', # 0x145 'NtRollbackEnlistment', # 0x146 'NtRollbackTransaction', # 0x147 'NtRollforwardTransactionManager', # 0x148 'NtSaveKey', # 0x149 'NtSaveKeyEx', # 0x14a 'NtSaveMergedKeys', # 0x14b 'NtSecureConnectPort', # 0x14c 'NtSerializeBoot', # 0x14d 'NtSetBootEntryOrder', # 0x14e 'NtSetBootOptions', # 0x14f 'NtSetContextThread', # 0x150 'NtSetDebugFilterState', # 0x151 'NtSetDefaultHardErrorPort', # 0x152 'NtSetDefaultLocale', # 0x153 'NtSetDefaultUILanguage', # 0x154 'NtSetDriverEntryOrder', # 0x155 'NtSetEaFile', # 0x156 'NtSetHighEventPair', # 0x157 'NtSetHighWaitLowEventPair', # 0x158 'NtSetInformationDebugObject', # 0x159 'NtSetInformationEnlistment', # 0x15a 'NtSetInformationJobObject', # 0x15b 'NtSetInformationKey', # 0x15c 'NtSetInformationResourceManager', # 0x15d 'NtSetInformationToken', # 0x15e 'NtSetInformationTransaction', # 0x15f 'NtSetInformationTransactionManager', # 0x160 'NtSetInformationWorkerFactory', # 0x161 'NtSetIntervalProfile', # 0x162 'NtSetIoCompletion', # 0x163 'NtSetIoCompletionEx', # 0x164 'NtSetLdtEntries', # 0x165 'NtSetLowEventPair', # 0x166 'NtSetLowWaitHighEventPair', # 0x167 'NtSetQuotaInformationFile', # 0x168 'NtSetSecurityObject', # 0x169 'NtSetSystemEnvironmentValue', # 0x16a 'NtSetSystemEnvironmentValueEx', # 0x16b 'NtSetSystemInformation', # 0x16c 'NtSetSystemPowerState', # 0x16d 'NtSetSystemTime', # 0x16e 'NtSetThreadExecutionState', # 0x16f 'NtSetTimerEx', # 0x170 'NtSetTimerResolution', # 0x171 'NtSetUuidSeed', # 0x172 'NtSetVolumeInformationFile', # 0x173 'NtShutdownSystem', # 0x174 'NtShutdownWorkerFactory', # 0x175 'NtSignalAndWaitForSingleObject', # 0x176 'NtSinglePhaseReject', # 0x177 'NtStartProfile', # 0x178 'NtStopProfile', # 0x179 'NtSuspendProcess', # 0x17a 'NtSuspendThread', # 0x17b 'NtSystemDebugControl', # 0x17c 'NtTerminateJobObject', # 0x17d 'NtTestAlert', # 0x17e 'NtThawRegistry', # 0x17f 'NtThawTransactions', # 0x180 'NtTraceControl', # 0x181 'NtTranslateFilePath', # 0x182 
'NtUmsThreadYield', # 0x183 'NtUnloadDriver', # 0x184 'NtUnloadKey', # 0x185 'NtUnloadKey2', # 0x186 'NtUnloadKeyEx', # 0x187 'NtUnlockFile', # 0x188 'NtUnlockVirtualMemory', # 0x189 'NtVdmControl', # 0x18a 'NtWaitForDebugEvent', # 0x18b 'NtWaitForKeyedEvent', # 0x18c 'NtWaitForWorkViaWorkerFactory', # 0x18d 'NtWaitHighEventPair', # 0x18e 'NtWaitLowEventPair', # 0x18f 'NtWorkerFactoryWorkerReady', # 0x190 ], [ 'NtUserGetThreadState', # 0x0 'NtUserPeekMessage', # 0x1 'NtUserCallOneParam', # 0x2 'NtUserGetKeyState', # 0x3 'NtUserInvalidateRect', # 0x4 'NtUserCallNoParam', # 0x5 'NtUserGetMessage', # 0x6 'NtUserMessageCall', # 0x7 'NtGdiBitBlt', # 0x8 'NtGdiGetCharSet', # 0x9 'NtUserGetDC', # 0xa 'NtGdiSelectBitmap', # 0xb 'NtUserWaitMessage', # 0xc 'NtUserTranslateMessage', # 0xd 'NtUserGetProp', # 0xe 'NtUserPostMessage', # 0xf 'NtUserQueryWindow', # 0x10 'NtUserTranslateAccelerator', # 0x11 'NtGdiFlush', # 0x12 'NtUserRedrawWindow', # 0x13 'NtUserWindowFromPoint', # 0x14 'NtUserCallMsgFilter', # 0x15 'NtUserValidateTimerCallback', # 0x16 'NtUserBeginPaint', # 0x17 'NtUserSetTimer', # 0x18 'NtUserEndPaint', # 0x19 'NtUserSetCursor', # 0x1a 'NtUserKillTimer', # 0x1b 'NtUserBuildHwndList', # 0x1c 'NtUserSelectPalette', # 0x1d 'NtUserCallNextHookEx', # 0x1e 'NtUserHideCaret', # 0x1f 'NtGdiIntersectClipRect', # 0x20 'NtUserCallHwndLock', # 0x21 'NtUserGetProcessWindowStation', # 0x22 'NtGdiDeleteObjectApp', # 0x23 'NtUserSetWindowPos', # 0x24 'NtUserShowCaret', # 0x25 'NtUserEndDeferWindowPosEx', # 0x26 'NtUserCallHwndParamLock', # 0x27 'NtUserVkKeyScanEx', # 0x28 'NtGdiSetDIBitsToDeviceInternal', # 0x29 'NtUserCallTwoParam', # 0x2a 'NtGdiGetRandomRgn', # 0x2b 'NtUserCopyAcceleratorTable', # 0x2c 'NtUserNotifyWinEvent', # 0x2d 'NtGdiExtSelectClipRgn', # 0x2e 'NtUserIsClipboardFormatAvailable', # 0x2f 'NtUserSetScrollInfo', # 0x30 'NtGdiStretchBlt', # 0x31 'NtUserCreateCaret', # 0x32 'NtGdiRectVisible', # 0x33 'NtGdiCombineRgn', # 0x34 'NtGdiGetDCObject', # 0x35 
'NtUserDispatchMessage', # 0x36 'NtUserRegisterWindowMessage', # 0x37 'NtGdiExtTextOutW', # 0x38 'NtGdiSelectFont', # 0x39 'NtGdiRestoreDC', # 0x3a 'NtGdiSaveDC', # 0x3b 'NtUserGetForegroundWindow', # 0x3c 'NtUserShowScrollBar', # 0x3d 'NtUserFindExistingCursorIcon', # 0x3e 'NtGdiGetDCDword', # 0x3f 'NtGdiGetRegionData', # 0x40 'NtGdiLineTo', # 0x41 'NtUserSystemParametersInfo', # 0x42 'NtGdiGetAppClipBox', # 0x43 'NtUserGetAsyncKeyState', # 0x44 'NtUserGetCPD', # 0x45 'NtUserRemoveProp', # 0x46 'NtGdiDoPalette', # 0x47 'NtGdiPolyPolyDraw', # 0x48 'NtUserSetCapture', # 0x49 'NtUserEnumDisplayMonitors', # 0x4a 'NtGdiCreateCompatibleBitmap', # 0x4b 'NtUserSetProp', # 0x4c 'NtGdiGetTextCharsetInfo', # 0x4d 'NtUserSBGetParms', # 0x4e 'NtUserGetIconInfo', # 0x4f 'NtUserExcludeUpdateRgn', # 0x50 'NtUserSetFocus', # 0x51 'NtGdiExtGetObjectW', # 0x52 'NtUserDeferWindowPos', # 0x53 'NtUserGetUpdateRect', # 0x54 'NtGdiCreateCompatibleDC', # 0x55 'NtUserGetClipboardSequenceNumber', # 0x56 'NtGdiCreatePen', # 0x57 'NtUserShowWindow', # 0x58 'NtUserGetKeyboardLayoutList', # 0x59 'NtGdiPatBlt', # 0x5a 'NtUserMapVirtualKeyEx', # 0x5b 'NtUserSetWindowLong', # 0x5c 'NtGdiHfontCreate', # 0x5d 'NtUserMoveWindow', # 0x5e 'NtUserPostThreadMessage', # 0x5f 'NtUserDrawIconEx', # 0x60 'NtUserGetSystemMenu', # 0x61 'NtGdiDrawStream', # 0x62 'NtUserInternalGetWindowText', # 0x63 'NtUserGetWindowDC', # 0x64 'NtGdiD3dDrawPrimitives2', # 0x65 'NtGdiInvertRgn', # 0x66 'NtGdiGetRgnBox', # 0x67 'NtGdiGetAndSetDCDword', # 0x68 'NtGdiMaskBlt', # 0x69 'NtGdiGetWidthTable', # 0x6a 'NtUserScrollDC', # 0x6b 'NtUserGetObjectInformation', # 0x6c 'NtGdiCreateBitmap', # 0x6d 'NtUserFindWindowEx', # 0x6e 'NtGdiPolyPatBlt', # 0x6f 'NtUserUnhookWindowsHookEx', # 0x70 'NtGdiGetNearestColor', # 0x71 'NtGdiTransformPoints', # 0x72 'NtGdiGetDCPoint', # 0x73 'NtGdiCreateDIBBrush', # 0x74 'NtGdiGetTextMetricsW', # 0x75 'NtUserCreateWindowEx', # 0x76 'NtUserSetParent', # 0x77 'NtUserGetKeyboardState', # 0x78 
'NtUserToUnicodeEx', # 0x79 'NtUserGetControlBrush', # 0x7a 'NtUserGetClassName', # 0x7b 'NtGdiAlphaBlend', # 0x7c 'NtGdiDdBlt', # 0x7d 'NtGdiOffsetRgn', # 0x7e 'NtUserDefSetText', # 0x7f 'NtGdiGetTextFaceW', # 0x80 'NtGdiStretchDIBitsInternal', # 0x81 'NtUserSendInput', # 0x82 'NtUserGetThreadDesktop', # 0x83 'NtGdiCreateRectRgn', # 0x84 'NtGdiGetDIBitsInternal', # 0x85 'NtUserGetUpdateRgn', # 0x86 'NtGdiDeleteClientObj', # 0x87 'NtUserGetIconSize', # 0x88 'NtUserFillWindow', # 0x89 'NtGdiExtCreateRegion', # 0x8a 'NtGdiComputeXformCoefficients', # 0x8b 'NtUserSetWindowsHookEx', # 0x8c 'NtUserNotifyProcessCreate', # 0x8d 'NtGdiUnrealizeObject', # 0x8e 'NtUserGetTitleBarInfo', # 0x8f 'NtGdiRectangle', # 0x90 'NtUserSetThreadDesktop', # 0x91 'NtUserGetDCEx', # 0x92 'NtUserGetScrollBarInfo', # 0x93 'NtGdiGetTextExtent', # 0x94 'NtUserSetWindowFNID', # 0x95 'NtGdiSetLayout', # 0x96 'NtUserCalcMenuBar', # 0x97 'NtUserThunkedMenuItemInfo', # 0x98 'NtGdiExcludeClipRect', # 0x99 'NtGdiCreateDIBSection', # 0x9a 'NtGdiGetDCforBitmap', # 0x9b 'NtUserDestroyCursor', # 0x9c 'NtUserDestroyWindow', # 0x9d 'NtUserCallHwndParam', # 0x9e 'NtGdiCreateDIBitmapInternal', # 0x9f 'NtUserOpenWindowStation', # 0xa0 'NtGdiDdDeleteSurfaceObject', # 0xa1 'NtGdiDdCanCreateSurface', # 0xa2 'NtGdiDdCreateSurface', # 0xa3 'NtUserSetCursorIconData', # 0xa4 'NtGdiDdDestroySurface', # 0xa5 'NtUserCloseDesktop', # 0xa6 'NtUserOpenDesktop', # 0xa7 'NtUserSetProcessWindowStation', # 0xa8 'NtUserGetAtomName', # 0xa9 'NtGdiDdResetVisrgn', # 0xaa 'NtGdiExtCreatePen', # 0xab 'NtGdiCreatePaletteInternal', # 0xac 'NtGdiSetBrushOrg', # 0xad 'NtUserBuildNameList', # 0xae 'NtGdiSetPixel', # 0xaf 'NtUserRegisterClassExWOW', # 0xb0 'NtGdiCreatePatternBrushInternal', # 0xb1 'NtUserGetAncestor', # 0xb2 'NtGdiGetOutlineTextMetricsInternalW', # 0xb3 'NtGdiSetBitmapBits', # 0xb4 'NtUserCloseWindowStation', # 0xb5 'NtUserGetDoubleClickTime', # 0xb6 'NtUserEnableScrollBar', # 0xb7 'NtGdiCreateSolidBrush', # 0xb8 
'NtUserGetClassInfoEx', # 0xb9 'NtGdiCreateClientObj', # 0xba 'NtUserUnregisterClass', # 0xbb 'NtUserDeleteMenu', # 0xbc 'NtGdiRectInRegion', # 0xbd 'NtUserScrollWindowEx', # 0xbe 'NtGdiGetPixel', # 0xbf 'NtUserSetClassLong', # 0xc0 'NtUserGetMenuBarInfo', # 0xc1 'NtGdiDdCreateSurfaceEx', # 0xc2 'NtGdiDdCreateSurfaceObject', # 0xc3 'NtGdiGetNearestPaletteIndex', # 0xc4 'NtGdiDdLockD3D', # 0xc5 'NtGdiDdUnlockD3D', # 0xc6 'NtGdiGetCharWidthW', # 0xc7 'NtUserInvalidateRgn', # 0xc8 'NtUserGetClipboardOwner', # 0xc9 'NtUserSetWindowRgn', # 0xca 'NtUserBitBltSysBmp', # 0xcb 'NtGdiGetCharWidthInfo', # 0xcc 'NtUserValidateRect', # 0xcd 'NtUserCloseClipboard', # 0xce 'NtUserOpenClipboard', # 0xcf 'NtGdiGetStockObject', # 0xd0 'NtUserSetClipboardData', # 0xd1 'NtUserEnableMenuItem', # 0xd2 'NtUserAlterWindowStyle', # 0xd3 'NtGdiFillRgn', # 0xd4 'NtUserGetWindowPlacement', # 0xd5 'NtGdiModifyWorldTransform', # 0xd6 'NtGdiGetFontData', # 0xd7 'NtUserGetOpenClipboardWindow', # 0xd8 'NtUserSetThreadState', # 0xd9 'NtGdiOpenDCW', # 0xda 'NtUserTrackMouseEvent', # 0xdb 'NtGdiGetTransform', # 0xdc 'NtUserDestroyMenu', # 0xdd 'NtGdiGetBitmapBits', # 0xde 'NtUserConsoleControl', # 0xdf 'NtUserSetActiveWindow', # 0xe0 'NtUserSetInformationThread', # 0xe1 'NtUserSetWindowPlacement', # 0xe2 'NtUserGetControlColor', # 0xe3 'NtGdiSetMetaRgn', # 0xe4 'NtGdiSetMiterLimit', # 0xe5 'NtGdiSetVirtualResolution', # 0xe6 'NtGdiGetRasterizerCaps', # 0xe7 'NtUserSetWindowWord', # 0xe8 'NtUserGetClipboardFormatName', # 0xe9 'NtUserRealInternalGetMessage', # 0xea 'NtUserCreateLocalMemHandle', # 0xeb 'NtUserAttachThreadInput', # 0xec 'NtGdiCreateHalftonePalette', # 0xed 'NtUserPaintMenuBar', # 0xee 'NtUserSetKeyboardState', # 0xef 'NtGdiCombineTransform', # 0xf0 'NtUserCreateAcceleratorTable', # 0xf1 'NtUserGetCursorFrameInfo', # 0xf2 'NtUserGetAltTabInfo', # 0xf3 'NtUserGetCaretBlinkTime', # 0xf4 'NtGdiQueryFontAssocInfo', # 0xf5 'NtUserProcessConnect', # 0xf6 'NtUserEnumDisplayDevices', # 0xf7 
'NtUserEmptyClipboard', # 0xf8 'NtUserGetClipboardData', # 0xf9 'NtUserRemoveMenu', # 0xfa 'NtGdiSetBoundsRect', # 0xfb 'NtGdiGetBitmapDimension', # 0xfc 'NtUserConvertMemHandle', # 0xfd 'NtUserDestroyAcceleratorTable', # 0xfe 'NtUserGetGUIThreadInfo', # 0xff 'NtGdiCloseFigure', # 0x100 'NtUserSetWindowsHookAW', # 0x101 'NtUserSetMenuDefaultItem', # 0x102 'NtUserCheckMenuItem', # 0x103 'NtUserSetWinEventHook', # 0x104 'NtUserUnhookWinEvent', # 0x105 'NtUserLockWindowUpdate', # 0x106 'NtUserSetSystemMenu', # 0x107 'NtUserThunkedMenuInfo', # 0x108 'NtGdiBeginPath', # 0x109 'NtGdiEndPath', # 0x10a 'NtGdiFillPath', # 0x10b 'NtUserCallHwnd', # 0x10c 'NtUserDdeInitialize', # 0x10d 'NtUserModifyUserStartupInfoFlags', # 0x10e 'NtUserCountClipboardFormats', # 0x10f 'NtGdiAddFontMemResourceEx', # 0x110 'NtGdiEqualRgn', # 0x111 'NtGdiGetSystemPaletteUse', # 0x112 'NtGdiRemoveFontMemResourceEx', # 0x113 'NtUserEnumDisplaySettings', # 0x114 'NtUserPaintDesktop', # 0x115 'NtGdiExtEscape', # 0x116 'NtGdiSetBitmapDimension', # 0x117 'NtGdiSetFontEnumeration', # 0x118 'NtUserChangeClipboardChain', # 0x119 'NtUserSetClipboardViewer', # 0x11a 'NtUserShowWindowAsync', # 0x11b 'NtGdiCreateColorSpace', # 0x11c 'NtGdiDeleteColorSpace', # 0x11d 'NtUserActivateKeyboardLayout', # 0x11e 'NtGdiAbortDoc', # 0x11f 'NtGdiAbortPath', # 0x120 'NtGdiAddEmbFontToDC', # 0x121 'NtGdiAddFontResourceW', # 0x122 'NtGdiAddRemoteFontToDC', # 0x123 'NtGdiAddRemoteMMInstanceToDC', # 0x124 'NtGdiAngleArc', # 0x125 'NtGdiAnyLinkedFonts', # 0x126 'NtGdiArcInternal', # 0x127 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x128 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x129 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x12a 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x12b 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x12c 'NtGdiBeginGdiRendering', # 0x12d 'NtGdiCLIPOBJ_bEnum', # 0x12e 'NtGdiCLIPOBJ_cEnumStart', # 0x12f 'NtGdiCLIPOBJ_ppoGetPath', # 0x130 'NtGdiCancelDC', # 0x131 'NtGdiChangeGhostFont', # 0x132 'NtGdiCheckBitmapBits', # 0x133 
'NtGdiClearBitmapAttributes', # 0x134 'NtGdiClearBrushAttributes', # 0x135 'NtGdiColorCorrectPalette', # 0x136 'NtGdiConfigureOPMProtectedOutput', # 0x137 'NtGdiConvertMetafileRect', # 0x138 'NtGdiCreateBitmapFromDxSurface', # 0x139 'NtGdiCreateColorTransform', # 0x13a 'NtGdiCreateEllipticRgn', # 0x13b 'NtGdiCreateHatchBrushInternal', # 0x13c 'NtGdiCreateMetafileDC', # 0x13d 'NtGdiCreateOPMProtectedOutputs', # 0x13e 'NtGdiCreateRoundRectRgn', # 0x13f 'NtGdiCreateServerMetaFile', # 0x140 'NtGdiD3dContextCreate', # 0x141 'NtGdiD3dContextDestroy', # 0x142 'NtGdiD3dContextDestroyAll', # 0x143 'NtGdiD3dValidateTextureStageState', # 0x144 'NtGdiDDCCIGetCapabilitiesString', # 0x145 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x146 'NtGdiDDCCIGetTimingReport', # 0x147 'NtGdiDDCCIGetVCPFeature', # 0x148 'NtGdiDDCCISaveCurrentSettings', # 0x149 'NtGdiDDCCISetVCPFeature', # 0x14a 'NtGdiDdAddAttachedSurface', # 0x14b 'NtGdiDdAlphaBlt', # 0x14c 'NtGdiDdAttachSurface', # 0x14d 'NtGdiDdBeginMoCompFrame', # 0x14e 'NtGdiDdCanCreateD3DBuffer', # 0x14f 'NtGdiDdColorControl', # 0x150 'NtGdiDdCreateD3DBuffer', # 0x151 'NtGdiDdCreateDirectDrawObject', # 0x152 'NtGdiDdCreateFullscreenSprite', # 0x153 'NtGdiDdCreateMoComp', # 0x154 'NtGdiDdDDIAcquireKeyedMutex', # 0x155 'NtGdiDdDDICheckExclusiveOwnership', # 0x156 'NtGdiDdDDICheckMonitorPowerState', # 0x157 'NtGdiDdDDICheckOcclusion', # 0x158 'NtGdiDdDDICheckSharedResourceAccess', # 0x159 'NtGdiDdDDICheckVidPnExclusiveOwnership', # 0x15a 'NtGdiDdDDICloseAdapter', # 0x15b 'NtGdiDdDDIConfigureSharedResource', # 0x15c 'NtGdiDdDDICreateAllocation', # 0x15d 'NtGdiDdDDICreateContext', # 0x15e 'NtGdiDdDDICreateDCFromMemory', # 0x15f 'NtGdiDdDDICreateDevice', # 0x160 'NtGdiDdDDICreateKeyedMutex', # 0x161 'NtGdiDdDDICreateOverlay', # 0x162 'NtGdiDdDDICreateSynchronizationObject', # 0x163 'NtGdiDdDDIDestroyAllocation', # 0x164 'NtGdiDdDDIDestroyContext', # 0x165 'NtGdiDdDDIDestroyDCFromMemory', # 0x166 'NtGdiDdDDIDestroyDevice', # 0x167 
'NtGdiDdDDIDestroyKeyedMutex', # 0x168 'NtGdiDdDDIDestroyOverlay', # 0x169 'NtGdiDdDDIDestroySynchronizationObject', # 0x16a 'NtGdiDdDDIEscape', # 0x16b 'NtGdiDdDDIFlipOverlay', # 0x16c 'NtGdiDdDDIGetContextSchedulingPriority', # 0x16d 'NtGdiDdDDIGetDeviceState', # 0x16e 'NtGdiDdDDIGetDisplayModeList', # 0x16f 'NtGdiDdDDIGetMultisampleMethodList', # 0x170 'NtGdiDdDDIGetOverlayState', # 0x171 'NtGdiDdDDIGetPresentHistory', # 0x172 'NtGdiDdDDIGetPresentQueueEvent', # 0x173 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x174 'NtGdiDdDDIGetRuntimeData', # 0x175 'NtGdiDdDDIGetScanLine', # 0x176 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x177 'NtGdiDdDDIInvalidateActiveVidPn', # 0x178 'NtGdiDdDDILock', # 0x179 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x17a 'NtGdiDdDDIOpenAdapterFromHdc', # 0x17b 'NtGdiDdDDIOpenKeyedMutex', # 0x17c 'NtGdiDdDDIOpenResource', # 0x17d 'NtGdiDdDDIOpenSynchronizationObject', # 0x17e 'NtGdiDdDDIPollDisplayChildren', # 0x17f 'NtGdiDdDDIPresent', # 0x180 'NtGdiDdDDIQueryAdapterInfo', # 0x181 'NtGdiDdDDIQueryAllocationResidency', # 0x182 'NtGdiDdDDIQueryResourceInfo', # 0x183 'NtGdiDdDDIQueryStatistics', # 0x184 'NtGdiDdDDIReleaseKeyedMutex', # 0x185 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x186 'NtGdiDdDDIRender', # 0x187 'NtGdiDdDDISetAllocationPriority', # 0x188 'NtGdiDdDDISetContextSchedulingPriority', # 0x189 'NtGdiDdDDISetDisplayMode', # 0x18a 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x18b 'NtGdiDdDDISetGammaRamp', # 0x18c 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x18d 'NtGdiDdDDISetQueuedLimit', # 0x18e 'NtGdiDdDDISetVidPnSourceOwner', # 0x18f 'NtGdiDdDDISharedPrimaryLockNotification', # 0x190 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x191 'NtGdiDdDDISignalSynchronizationObject', # 0x192 'NtGdiDdDDIUnlock', # 0x193 'NtGdiDdDDIUpdateOverlay', # 0x194 'NtGdiDdDDIWaitForIdle', # 0x195 'NtGdiDdDDIWaitForSynchronizationObject', # 0x196 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x197 'NtGdiDdDeleteDirectDrawObject', # 0x198 
'NtGdiDdDestroyD3DBuffer', # 0x199 'NtGdiDdDestroyFullscreenSprite', # 0x19a 'NtGdiDdDestroyMoComp', # 0x19b 'NtGdiDdEndMoCompFrame', # 0x19c 'NtGdiDdFlip', # 0x19d 'NtGdiDdFlipToGDISurface', # 0x19e 'NtGdiDdGetAvailDriverMemory', # 0x19f 'NtGdiDdGetBltStatus', # 0x1a0 'NtGdiDdGetDC', # 0x1a1 'NtGdiDdGetDriverInfo', # 0x1a2 'NtGdiDdGetDriverState', # 0x1a3 'NtGdiDdGetDxHandle', # 0x1a4 'NtGdiDdGetFlipStatus', # 0x1a5 'NtGdiDdGetInternalMoCompInfo', # 0x1a6 'NtGdiDdGetMoCompBuffInfo', # 0x1a7 'NtGdiDdGetMoCompFormats', # 0x1a8 'NtGdiDdGetMoCompGuids', # 0x1a9 'NtGdiDdGetScanLine', # 0x1aa 'NtGdiDdLock', # 0x1ab 'NtGdiDdNotifyFullscreenSpriteUpdate', # 0x1ac 'NtGdiDdQueryDirectDrawObject', # 0x1ad 'NtGdiDdQueryMoCompStatus', # 0x1ae 'NtGdiDdQueryVisRgnUniqueness', # 0x1af 'NtGdiDdReenableDirectDrawObject', # 0x1b0 'NtGdiDdReleaseDC', # 0x1b1 'NtGdiDdRenderMoComp', # 0x1b2 'NtGdiDdSetColorKey', # 0x1b3 'NtGdiDdSetExclusiveMode', # 0x1b4 'NtGdiDdSetGammaRamp', # 0x1b5 'NtGdiDdSetOverlayPosition', # 0x1b6 'NtGdiDdUnattachSurface', # 0x1b7 'NtGdiDdUnlock', # 0x1b8 'NtGdiDdUpdateOverlay', # 0x1b9 'NtGdiDdWaitForVerticalBlank', # 0x1ba 'NtGdiDeleteColorTransform', # 0x1bb 'NtGdiDescribePixelFormat', # 0x1bc 'NtGdiDestroyOPMProtectedOutput', # 0x1bd 'NtGdiDestroyPhysicalMonitor', # 0x1be 'NtGdiDoBanding', # 0x1bf 'NtGdiDrawEscape', # 0x1c0 'NtGdiDvpAcquireNotification', # 0x1c1 'NtGdiDvpCanCreateVideoPort', # 0x1c2 'NtGdiDvpColorControl', # 0x1c3 'NtGdiDvpCreateVideoPort', # 0x1c4 'NtGdiDvpDestroyVideoPort', # 0x1c5 'NtGdiDvpFlipVideoPort', # 0x1c6 'NtGdiDvpGetVideoPortBandwidth', # 0x1c7 'NtGdiDvpGetVideoPortConnectInfo', # 0x1c8 'NtGdiDvpGetVideoPortField', # 0x1c9 'NtGdiDvpGetVideoPortFlipStatus', # 0x1ca 'NtGdiDvpGetVideoPortInputFormats', # 0x1cb 'NtGdiDvpGetVideoPortLine', # 0x1cc 'NtGdiDvpGetVideoPortOutputFormats', # 0x1cd 'NtGdiDvpGetVideoSignalStatus', # 0x1ce 'NtGdiDvpReleaseNotification', # 0x1cf 'NtGdiDvpUpdateVideoPort', # 0x1d0 'NtGdiDvpWaitForVideoPortSync', 
# 0x1d1 'NtGdiDxgGenericThunk', # 0x1d2 'NtGdiEllipse', # 0x1d3 'NtGdiEnableEudc', # 0x1d4 'NtGdiEndDoc', # 0x1d5 'NtGdiEndGdiRendering', # 0x1d6 'NtGdiEndPage', # 0x1d7 'NtGdiEngAlphaBlend', # 0x1d8 'NtGdiEngAssociateSurface', # 0x1d9 'NtGdiEngBitBlt', # 0x1da 'NtGdiEngCheckAbort', # 0x1db 'NtGdiEngComputeGlyphSet', # 0x1dc 'NtGdiEngCopyBits', # 0x1dd 'NtGdiEngCreateBitmap', # 0x1de 'NtGdiEngCreateClip', # 0x1df 'NtGdiEngCreateDeviceBitmap', # 0x1e0 'NtGdiEngCreateDeviceSurface', # 0x1e1 'NtGdiEngCreatePalette', # 0x1e2 'NtGdiEngDeleteClip', # 0x1e3 'NtGdiEngDeletePalette', # 0x1e4 'NtGdiEngDeletePath', # 0x1e5 'NtGdiEngDeleteSurface', # 0x1e6 'NtGdiEngEraseSurface', # 0x1e7 'NtGdiEngFillPath', # 0x1e8 'NtGdiEngGradientFill', # 0x1e9 'NtGdiEngLineTo', # 0x1ea 'NtGdiEngLockSurface', # 0x1eb 'NtGdiEngMarkBandingSurface', # 0x1ec 'NtGdiEngPaint', # 0x1ed 'NtGdiEngPlgBlt', # 0x1ee 'NtGdiEngStretchBlt', # 0x1ef 'NtGdiEngStretchBltROP', # 0x1f0 'NtGdiEngStrokeAndFillPath', # 0x1f1 'NtGdiEngStrokePath', # 0x1f2 'NtGdiEngTextOut', # 0x1f3 'NtGdiEngTransparentBlt', # 0x1f4 'NtGdiEngUnlockSurface', # 0x1f5 'NtGdiEnumFonts', # 0x1f6 'NtGdiEnumObjects', # 0x1f7 'NtGdiEudcLoadUnloadLink', # 0x1f8 'NtGdiExtFloodFill', # 0x1f9 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x1fa 'NtGdiFONTOBJ_cGetGlyphs', # 0x1fb 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x1fc 'NtGdiFONTOBJ_pfdg', # 0x1fd 'NtGdiFONTOBJ_pifi', # 0x1fe 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x1ff 'NtGdiFONTOBJ_pxoGetXform', # 0x200 'NtGdiFONTOBJ_vGetInfo', # 0x201 'NtGdiFlattenPath', # 0x202 'NtGdiFontIsLinked', # 0x203 'NtGdiForceUFIMapping', # 0x204 'NtGdiFrameRgn', # 0x205 'NtGdiFullscreenControl', # 0x206 'NtGdiGetBoundsRect', # 0x207 'NtGdiGetCOPPCompatibleOPMInformation', # 0x208 'NtGdiGetCertificate', # 0x209 'NtGdiGetCertificateSize', # 0x20a 'NtGdiGetCharABCWidthsW', # 0x20b 'NtGdiGetCharacterPlacementW', # 0x20c 'NtGdiGetColorAdjustment', # 0x20d 'NtGdiGetColorSpaceforBitmap', # 0x20e 'NtGdiGetDeviceCaps', # 0x20f 
'NtGdiGetDeviceCapsAll', # 0x210 'NtGdiGetDeviceGammaRamp', # 0x211 'NtGdiGetDeviceWidth', # 0x212 'NtGdiGetDhpdev', # 0x213 'NtGdiGetETM', # 0x214 'NtGdiGetEmbUFI', # 0x215 'NtGdiGetEmbedFonts', # 0x216 'NtGdiGetEudcTimeStampEx', # 0x217 'NtGdiGetFontFileData', # 0x218 'NtGdiGetFontFileInfo', # 0x219 'NtGdiGetFontResourceInfoInternalW', # 0x21a 'NtGdiGetFontUnicodeRanges', # 0x21b 'NtGdiGetGlyphIndicesW', # 0x21c 'NtGdiGetGlyphIndicesWInternal', # 0x21d 'NtGdiGetGlyphOutline', # 0x21e 'NtGdiGetKerningPairs', # 0x21f 'NtGdiGetLinkedUFIs', # 0x220 'NtGdiGetMiterLimit', # 0x221 'NtGdiGetMonitorID', # 0x222 'NtGdiGetNumberOfPhysicalMonitors', # 0x223 'NtGdiGetOPMInformation', # 0x224 'NtGdiGetOPMRandomNumber', # 0x225 'NtGdiGetObjectBitmapHandle', # 0x226 'NtGdiGetPath', # 0x227 'NtGdiGetPerBandInfo', # 0x228 'NtGdiGetPhysicalMonitorDescription', # 0x229 'NtGdiGetPhysicalMonitors', # 0x22a 'NtGdiGetRealizationInfo', # 0x22b 'NtGdiGetServerMetaFileBits', # 0x22c 'NtGdiGetSpoolMessage', # 0x22d 'NtGdiGetStats', # 0x22e 'NtGdiGetStringBitmapW', # 0x22f 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0x230 'NtGdiGetTextExtentExW', # 0x231 'NtGdiGetUFI', # 0x232 'NtGdiGetUFIPathname', # 0x233 'NtGdiGradientFill', # 0x234 'NtGdiHLSurfGetInformation', # 0x235 'NtGdiHLSurfSetInformation', # 0x236 'NtGdiHT_Get8BPPFormatPalette', # 0x237 'NtGdiHT_Get8BPPMaskPalette', # 0x238 'NtGdiIcmBrushInfo', # 0x239 'NtGdiInit', # 0x23a 'NtGdiInitSpool', # 0x23b 'NtGdiMakeFontDir', # 0x23c 'NtGdiMakeInfoDC', # 0x23d 'NtGdiMakeObjectUnXferable', # 0x23e 'NtGdiMakeObjectXferable', # 0x23f 'NtGdiMirrorWindowOrg', # 0x240 'NtGdiMonoBitmap', # 0x241 'NtGdiMoveTo', # 0x242 'NtGdiOffsetClipRgn', # 0x243 'NtGdiPATHOBJ_bEnum', # 0x244 'NtGdiPATHOBJ_bEnumClipLines', # 0x245 'NtGdiPATHOBJ_vEnumStart', # 0x246 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x247 'NtGdiPATHOBJ_vGetBounds', # 0x248 'NtGdiPathToRegion', # 0x249 'NtGdiPlgBlt', # 0x24a 'NtGdiPolyDraw', # 0x24b 'NtGdiPolyTextOutW', # 0x24c 
'NtGdiPtInRegion', # 0x24d 'NtGdiPtVisible', # 0x24e 'NtGdiQueryFonts', # 0x24f 'NtGdiRemoveFontResourceW', # 0x250 'NtGdiRemoveMergeFont', # 0x251 'NtGdiResetDC', # 0x252 'NtGdiResizePalette', # 0x253 'NtGdiRoundRect', # 0x254 'NtGdiSTROBJ_bEnum', # 0x255 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x256 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x257 'NtGdiSTROBJ_dwGetCodePage', # 0x258 'NtGdiSTROBJ_vEnumStart', # 0x259 'NtGdiScaleViewportExtEx', # 0x25a 'NtGdiScaleWindowExtEx', # 0x25b 'NtGdiSelectBrush', # 0x25c 'NtGdiSelectClipPath', # 0x25d 'NtGdiSelectPen', # 0x25e 'NtGdiSetBitmapAttributes', # 0x25f 'NtGdiSetBrushAttributes', # 0x260 'NtGdiSetColorAdjustment', # 0x261 'NtGdiSetColorSpace', # 0x262 'NtGdiSetDeviceGammaRamp', # 0x263 'NtGdiSetFontXform', # 0x264 'NtGdiSetIcmMode', # 0x265 'NtGdiSetLinkedUFIs', # 0x266 'NtGdiSetMagicColors', # 0x267 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x268 'NtGdiSetPUMPDOBJ', # 0x269 'NtGdiSetPixelFormat', # 0x26a 'NtGdiSetRectRgn', # 0x26b 'NtGdiSetSizeDevice', # 0x26c 'NtGdiSetSystemPaletteUse', # 0x26d 'NtGdiSetTextJustification', # 0x26e 'NtGdiSfmGetNotificationTokens', # 0x26f 'NtGdiStartDoc', # 0x270 'NtGdiStartPage', # 0x271 'NtGdiStrokeAndFillPath', # 0x272 'NtGdiStrokePath', # 0x273 'NtGdiSwapBuffers', # 0x274 'NtGdiTransparentBlt', # 0x275 'NtGdiUMPDEngFreeUserMem', # 0x276 'NtGdiUnloadPrinterDriver', # 0x277 'NtGdiUnmapMemFont', # 0x278 'NtGdiUpdateColors', # 0x279 'NtGdiUpdateTransform', # 0x27a 'NtGdiWidenPath', # 0x27b 'NtGdiXFORMOBJ_bApplyXform', # 0x27c 'NtGdiXFORMOBJ_iGetXform', # 0x27d 'NtGdiXLATEOBJ_cGetPalette', # 0x27e 'NtGdiXLATEOBJ_hGetColorTransform', # 0x27f 'NtGdiXLATEOBJ_iXlate', # 0x280 'NtUserAddClipboardFormatListener', # 0x281 'NtUserAssociateInputContext', # 0x282 'NtUserBlockInput', # 0x283 'NtUserBuildHimcList', # 0x284 'NtUserBuildPropList', # 0x285 'NtUserCalculatePopupWindowPosition', # 0x286 'NtUserCallHwndOpt', # 0x287 'NtUserChangeDisplaySettings', # 0x288 'NtUserChangeWindowMessageFilterEx', 
# 0x289 'NtUserCheckAccessForIntegrityLevel', # 0x28a 'NtUserCheckDesktopByThreadId', # 0x28b 'NtUserCheckWindowThreadDesktop', # 0x28c 'NtUserChildWindowFromPointEx', # 0x28d 'NtUserClipCursor', # 0x28e 'NtUserCreateDesktopEx', # 0x28f 'NtUserCreateInputContext', # 0x290 'NtUserCreateWindowStation', # 0x291 'NtUserCtxDisplayIOCtl', # 0x292 'NtUserDestroyInputContext', # 0x293 'NtUserDisableThreadIme', # 0x294 'NtUserDisplayConfigGetDeviceInfo', # 0x295 'NtUserDisplayConfigSetDeviceInfo', # 0x296 'NtUserDoSoundConnect', # 0x297 'NtUserDoSoundDisconnect', # 0x298 'NtUserDragDetect', # 0x299 'NtUserDragObject', # 0x29a 'NtUserDrawAnimatedRects', # 0x29b 'NtUserDrawCaption', # 0x29c 'NtUserDrawCaptionTemp', # 0x29d 'NtUserDrawMenuBarTemp', # 0x29e 'NtUserDwmStartRedirection', # 0x29f 'NtUserDwmStopRedirection', # 0x2a0 'NtUserEndMenu', # 0x2a1 'NtUserEndTouchOperation', # 0x2a2 'NtUserEvent', # 0x2a3 'NtUserFlashWindowEx', # 0x2a4 'NtUserFrostCrashedWindow', # 0x2a5 'NtUserGetAppImeLevel', # 0x2a6 'NtUserGetCaretPos', # 0x2a7 'NtUserGetClipCursor', # 0x2a8 'NtUserGetClipboardViewer', # 0x2a9 'NtUserGetComboBoxInfo', # 0x2aa 'NtUserGetCursorInfo', # 0x2ab 'NtUserGetDisplayConfigBufferSizes', # 0x2ac 'NtUserGetGestureConfig', # 0x2ad 'NtUserGetGestureExtArgs', # 0x2ae 'NtUserGetGestureInfo', # 0x2af 'NtUserGetGuiResources', # 0x2b0 'NtUserGetImeHotKey', # 0x2b1 'NtUserGetImeInfoEx', # 0x2b2 'NtUserGetInputLocaleInfo', # 0x2b3 'NtUserGetInternalWindowPos', # 0x2b4 'NtUserGetKeyNameText', # 0x2b5 'NtUserGetKeyboardLayoutName', # 0x2b6 'NtUserGetLayeredWindowAttributes', # 0x2b7 'NtUserGetListBoxInfo', # 0x2b8 'NtUserGetMenuIndex', # 0x2b9 'NtUserGetMenuItemRect', # 0x2ba 'NtUserGetMouseMovePointsEx', # 0x2bb 'NtUserGetPriorityClipboardFormat', # 0x2bc 'NtUserGetRawInputBuffer', # 0x2bd 'NtUserGetRawInputData', # 0x2be 'NtUserGetRawInputDeviceInfo', # 0x2bf 'NtUserGetRawInputDeviceList', # 0x2c0 'NtUserGetRegisteredRawInputDevices', # 0x2c1 'NtUserGetTopLevelWindow', # 
0x2c2 'NtUserGetTouchInputInfo', # 0x2c3 'NtUserGetUpdatedClipboardFormats', # 0x2c4 'NtUserGetWOWClass', # 0x2c5 'NtUserGetWindowCompositionAttribute', # 0x2c6 'NtUserGetWindowCompositionInfo', # 0x2c7 'NtUserGetWindowDisplayAffinity', # 0x2c8 'NtUserGetWindowMinimizeRect', # 0x2c9 'NtUserGetWindowRgnEx', # 0x2ca 'NtUserGhostWindowFromHungWindow', # 0x2cb 'NtUserHardErrorControl', # 0x2cc 'NtUserHiliteMenuItem', # 0x2cd 'NtUserHungWindowFromGhostWindow', # 0x2ce 'NtUserHwndQueryRedirectionInfo', # 0x2cf 'NtUserHwndSetRedirectionInfo', # 0x2d0 'NtUserImpersonateDdeClientWindow', # 0x2d1 'NtUserInitTask', # 0x2d2 'NtUserInitialize', # 0x2d3 'NtUserInitializeClientPfnArrays', # 0x2d4 'NtUserInjectGesture', # 0x2d5 'NtUserInternalGetWindowIcon', # 0x2d6 'NtUserIsTopLevelWindow', # 0x2d7 'NtUserIsTouchWindow', # 0x2d8 'NtUserLoadKeyboardLayoutEx', # 0x2d9 'NtUserLockWindowStation', # 0x2da 'NtUserLockWorkStation', # 0x2db 'NtUserLogicalToPhysicalPoint', # 0x2dc 'NtUserMNDragLeave', # 0x2dd 'NtUserMNDragOver', # 0x2de 'NtUserMagControl', # 0x2df 'NtUserMagGetContextInformation', # 0x2e0 'NtUserMagSetContextInformation', # 0x2e1 'NtUserManageGestureHandlerWindow', # 0x2e2 'NtUserMenuItemFromPoint', # 0x2e3 'NtUserMinMaximize', # 0x2e4 'NtUserModifyWindowTouchCapability', # 0x2e5 'NtUserNotifyIMEStatus', # 0x2e6 'NtUserOpenInputDesktop', # 0x2e7 'NtUserOpenThreadDesktop', # 0x2e8 'NtUserPaintMonitor', # 0x2e9 'NtUserPhysicalToLogicalPoint', # 0x2ea 'NtUserPrintWindow', # 0x2eb 'NtUserQueryDisplayConfig', # 0x2ec 'NtUserQueryInformationThread', # 0x2ed 'NtUserQueryInputContext', # 0x2ee 'NtUserQuerySendMessage', # 0x2ef 'NtUserRealChildWindowFromPoint', # 0x2f0 'NtUserRealWaitMessageEx', # 0x2f1 'NtUserRegisterErrorReportingDialog', # 0x2f2 'NtUserRegisterHotKey', # 0x2f3 'NtUserRegisterRawInputDevices', # 0x2f4 'NtUserRegisterServicesProcess', # 0x2f5 'NtUserRegisterSessionPort', # 0x2f6 'NtUserRegisterTasklist', # 0x2f7 'NtUserRegisterUserApiHook', # 0x2f8 
'NtUserRemoteConnect', # 0x2f9 'NtUserRemoteRedrawRectangle', # 0x2fa 'NtUserRemoteRedrawScreen', # 0x2fb 'NtUserRemoteStopScreenUpdates', # 0x2fc 'NtUserRemoveClipboardFormatListener', # 0x2fd 'NtUserResolveDesktopForWOW', # 0x2fe 'NtUserSendTouchInput', # 0x2ff 'NtUserSetAppImeLevel', # 0x300 'NtUserSetChildWindowNoActivate', # 0x301 'NtUserSetClassWord', # 0x302 'NtUserSetCursorContents', # 0x303 'NtUserSetDisplayConfig', # 0x304 'NtUserSetGestureConfig', # 0x305 'NtUserSetImeHotKey', # 0x306 'NtUserSetImeInfoEx', # 0x307 'NtUserSetImeOwnerWindow', # 0x308 'NtUserSetInternalWindowPos', # 0x309 'NtUserSetLayeredWindowAttributes', # 0x30a 'NtUserSetMenu', # 0x30b 'NtUserSetMenuContextHelpId', # 0x30c 'NtUserSetMenuFlagRtoL', # 0x30d 'NtUserSetMirrorRendering', # 0x30e 'NtUserSetObjectInformation', # 0x30f 'NtUserSetProcessDPIAware', # 0x310 'NtUserSetShellWindowEx', # 0x311 'NtUserSetSysColors', # 0x312 'NtUserSetSystemCursor', # 0x313 'NtUserSetSystemTimer', # 0x314 'NtUserSetThreadLayoutHandles', # 0x315 'NtUserSetWindowCompositionAttribute', # 0x316 'NtUserSetWindowDisplayAffinity', # 0x317 'NtUserSetWindowRgnEx', # 0x318 'NtUserSetWindowStationUser', # 0x319 'NtUserSfmDestroyLogicalSurfaceBinding', # 0x31a 'NtUserSfmDxBindSwapChain', # 0x31b 'NtUserSfmDxGetSwapChainStats', # 0x31c 'NtUserSfmDxOpenSwapChain', # 0x31d 'NtUserSfmDxQuerySwapChainBindingStatus', # 0x31e 'NtUserSfmDxReleaseSwapChain', # 0x31f 'NtUserSfmDxReportPendingBindingsToDwm', # 0x320 'NtUserSfmDxSetSwapChainBindingStatus', # 0x321 'NtUserSfmDxSetSwapChainStats', # 0x322 'NtUserSfmGetLogicalSurfaceBinding', # 0x323 'NtUserShowSystemCursor', # 0x324 'NtUserSoundSentry', # 0x325 'NtUserSwitchDesktop', # 0x326 'NtUserTestForInteractiveUser', # 0x327 'NtUserTrackPopupMenuEx', # 0x328 'NtUserUnloadKeyboardLayout', # 0x329 'NtUserUnlockWindowStation', # 0x32a 'NtUserUnregisterHotKey', # 0x32b 'NtUserUnregisterSessionPort', # 0x32c 'NtUserUnregisterUserApiHook', # 0x32d 'NtUserUpdateInputContext', # 
0x32e 'NtUserUpdateInstance', # 0x32f 'NtUserUpdateLayeredWindow', # 0x330 'NtUserUpdatePerUserSystemParameters', # 0x331 'NtUserUpdateWindowTransform', # 0x332 'NtUserUserHandleGrantAccess', # 0x333 'NtUserValidateHandleSecure', # 0x334 'NtUserWaitForInputIdle', # 0x335 'NtUserWaitForMsgAndEvent', # 0x336 'NtUserWindowFromPhysicalPoint', # 0x337 'NtUserYieldTask', # 0x338 'NtUserSetClassLongPtr', # 0x339 'NtUserSetWindowLongPtr', # 0x33a ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/tcpip_vtypes.py0000644000000000000000000004762313131215405027473 0ustar rootroot# Volatility # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import volatility.obj as obj # Structures used by connections, connscan, sockets, sockscan. # Used by x86 XP (all service packs) and x86 2003 SP0. 
tcpip_vtypes = { '_ADDRESS_OBJECT' : [ 0x68, { 'Next' : [ 0x0, ['pointer', ['_ADDRESS_OBJECT']]], 'LocalIpAddress' : [ 0x2c, ['IpAddress']], 'LocalPort' : [ 0x30, ['unsigned be short']], 'Protocol' : [ 0x32, ['unsigned short']], 'Pid' : [ 0x148, ['unsigned long']], 'CreateTime' : [ 0x158, ['WinTimeStamp', dict(is_utc = True)]], }], '_TCPT_OBJECT' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_TCPT_OBJECT']]], 'RemoteIpAddress' : [ 0xc, ['IpAddress']], 'LocalIpAddress' : [ 0x10, ['IpAddress']], 'RemotePort' : [ 0x14, ['unsigned be short']], 'LocalPort' : [ 0x16, ['unsigned be short']], 'Pid' : [ 0x18, ['unsigned long']], }], } # Structures used by connections, connscan, sockets, sockscan. # Used by x64 XP and x64 2003 (all service packs). tcpip_vtypes_2003_x64 = { '_ADDRESS_OBJECT' : [ None, { 'Next' : [ 0x0, ['pointer', ['_ADDRESS_OBJECT']]], 'LocalIpAddress' : [ 0x58, ['IpAddress']], 'LocalPort' : [ 0x5c, ['unsigned be short']], 'Protocol' : [ 0x5e, ['unsigned short']], 'Pid' : [ 0x238, ['unsigned long']], 'CreateTime' : [ 0x248, ['WinTimeStamp', dict(is_utc = True)]], }], '_TCPT_OBJECT' : [ None, { 'Next' : [ 0x0, ['pointer', ['_TCPT_OBJECT']]], 'RemoteIpAddress' : [ 0x14, ['IpAddress']], 'LocalIpAddress' : [ 0x18, ['IpAddress']], 'RemotePort' : [ 0x1c, ['unsigned be short']], 'LocalPort' : [ 0x1e, ['unsigned be short']], 'Pid' : [ 0x20, ['unsigned long']], }], } # Structures used by sockets and sockscan. # Used by x86 2003 SP1 and SP2 only. 
# Only '_ADDRESS_OBJECT' is redefined for these service packs; the member
# offsets differ from tcpip_vtypes while the declared size stays 0x68.
# NOTE(review): as in tcpip_vtypes, 'Pid' (0x14C) and 'CreateTime' (0x158)
# lie beyond the declared 0x68 size -- confirm this is intended.
tcpip_vtypes_2003_sp1_sp2 = {
    '_ADDRESS_OBJECT' : [ 0x68, {
        'Next' : [ 0x0, ['pointer', ['_ADDRESS_OBJECT']]],
        'LocalIpAddress' : [ 0x30, ['IpAddress']],
        'LocalPort' : [ 0x34, ['unsigned be short']],
        'Protocol' : [ 0x36, ['unsigned short']],
        'Pid' : [ 0x14C, ['unsigned long']],
        'CreateTime' : [ 0x158, ['WinTimeStamp', dict(is_utc = True)]],
    }],
}

# Maps the numeric 'State' member of _TCP_ENDPOINT to a readable name.
# Values 10 and 11 have no entry, so a State of 10 or 11 gets no name from
# this table (how the Enumeration type renders an unmapped value is not
# shown in this file).
TCP_STATE_ENUM = {
    0: 'CLOSED',
    1: 'LISTENING',
    2: 'SYN_SENT',
    3: 'SYN_RCVD',
    4: 'ESTABLISHED',
    5: 'FIN_WAIT1',
    6: 'FIN_WAIT2',
    7: 'CLOSE_WAIT',
    8: 'CLOSING',
    9: 'LAST_ACK',
    12: 'TIME_WAIT',
    13: 'DELETE_TCB'
}

# Structures used by netscan for x86 Vista and 2008 (all service packs).
# The short trailing comments on some structs (TcpL, TcpE, UdpA) are
# presumably the pool tags netscan looks for -- confirm against the plugin.
tcpip_vtypes_vista = {
    # addr4 and addr6 overlay the same offset; which view applies is
    # presumably decided by _INETAF.AddressFamily -- verify against netscan.
    '_IN_ADDR' : [ None, {
        'addr4' : [ 0x0, ['IpAddress']],
        'addr6' : [ 0x0, ['Ipv6Address']],
    }],
    # pData is a pointer to a pointer to the address.
    '_LOCAL_ADDRESS' : [ None, {
        'pData' : [ 0xC, ['pointer', ['pointer', ['_IN_ADDR']]]],
    }],
    '_TCP_LISTENER': [ None, { # TcpL
        'Owner' : [ 0x18, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0x20, ['WinTimeStamp', dict(is_utc = True)]],
        'LocalAddr' : [ 0x34, ['pointer', ['_LOCAL_ADDRESS']]],
        'InetAF' : [ 0x38, ['pointer', ['_INETAF']]],
        'Port' : [ 0x3E, ['unsigned be short']],
    }],
    '_TCP_ENDPOINT': [ None, { # TcpE
        'InetAF' : [ 0xC, ['pointer', ['_INETAF']]],
        'AddrInfo' : [ 0x10, ['pointer', ['_ADDRINFO']]],
        'ListEntry': [ 0x14, ['_LIST_ENTRY']],
        'State' : [ 0x28, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
        'LocalPort' : [ 0x2C, ['unsigned be short']],
        'RemotePort' : [ 0x2E, ['unsigned be short']],
        'Owner' : [ 0x160, ['pointer', ['_EPROCESS']]],
        # Declared at offset 0 with value = 0: presumably a placeholder, so
        # no creation time is read from memory for this struct -- confirm
        # against WinTimeStamp before using it in a timeline.
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_TCP_SYN_ENDPOINT': [ None, {
        'ListEntry': [ 8, ['_LIST_ENTRY']],
        'InetAF' : [ 0x18, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x3c, ['unsigned be short']],
        'RemotePort' : [ 0x3e, ['unsigned be short']],
        'LocalAddr' : [ 0x1c, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x28, ['pointer', ['_IN_ADDR']]],
        # Owner is a _SYN_OWNER here, not an _EPROCESS; the process is one
        # more dereference away (_SYN_OWNER.Process).
        'Owner' : [ 0x20, ['pointer', ['_SYN_OWNER']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_SYN_OWNER': [ None, {
        'Process': [ 0x18, ['pointer', ['_EPROCESS']]],
    }],
    # No 'Owner' member is defined for time-wait endpoints.
    '_TCP_TIMEWAIT_ENDPOINT': [ None, {
        'ListEntry': [ 0x14, ['_LIST_ENTRY']],
        'InetAF' : [ 0xc, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x1c, ['unsigned be short']],
        'RemotePort' : [ 0x1e, ['unsigned be short']],
        'LocalAddr' : [ 0x20, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x24, ['pointer', ['_IN_ADDR']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_INETAF' : [ None, {
        'AddressFamily' : [ 0xC, ['unsigned short']],
    }],
    '_ADDRINFO' : [ None, {
        'Local' : [ 0x0, ['pointer', ['_LOCAL_ADDRESS']]],
        'Remote' : [ 0x8, ['pointer', ['_IN_ADDR']]],
    }],
    '_UDP_ENDPOINT': [ None, { # UdpA
        'Owner' : [ 0x18, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0x30, ['WinTimeStamp', dict(is_utc = True)]],
        'LocalAddr' : [ 0x38, ['pointer', ['_LOCAL_ADDRESS']]],
        'InetAF' : [ 0x14, ['pointer', ['_INETAF']]],
        'Port' : [ 0x48, ['unsigned be short']],
    }],
}

# Structures for netscan on x86 Windows 7 (all service packs).
# Redefines the three TCP endpoint structs only; every other struct comes
# from whatever was loaded earlier (Win7Tcpip below declares
# before = ['Vista2008Tcpip']).
tcpip_vtypes_7 = {
    '_TCP_ENDPOINT': [ None, { # TcpE
        'InetAF' : [ 0xC, ['pointer', ['_INETAF']]],
        'AddrInfo' : [ 0x10, ['pointer', ['_ADDRINFO']]],
        'ListEntry': [ 0x14, ['_LIST_ENTRY']],
        'State' : [ 0x34, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
        'LocalPort' : [ 0x38, ['unsigned be short']],
        'RemotePort' : [ 0x3A, ['unsigned be short']],
        'Owner' : [ 0x174, ['pointer', ['_EPROCESS']]],
        # Offset 0 with value = 0: presumably a placeholder rather than a
        # timestamp read from memory -- confirm against WinTimeStamp.
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_TCP_SYN_ENDPOINT': [ None, {
        'ListEntry': [ 8, ['_LIST_ENTRY']],
        'InetAF' : [ 0x24, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x48, ['unsigned be short']],
        'RemotePort' : [ 0x4a, ['unsigned be short']],
        'LocalAddr' : [ 0x28, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x34, ['pointer', ['_IN_ADDR']]],
        'Owner' : [ 0x2c, ['pointer', ['_SYN_OWNER']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_TCP_TIMEWAIT_ENDPOINT': [ None, {
        'ListEntry': [ 0, ['_LIST_ENTRY']],
        'InetAF' : [ 0x18, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x28, ['unsigned be short']],
        'RemotePort' : [ 0x2a, ['unsigned be short']],
        'LocalAddr' : [ 0x2c, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x30, ['pointer', ['_IN_ADDR']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
}

# Structures for netscan on x64 Vista SP0 and 2008 SP0
# The x64 classes further down adjust individual members of these structs
# for later service packs and releases.
tcpip_vtypes_vista_64 = {
    # addr4 and addr6 overlay the same offset.
    '_IN_ADDR' : [ None, {
        'addr4' : [ 0x0, ['IpAddress']],
        'addr6' : [ 0x0, ['Ipv6Address']],
    }],
    '_TCP_LISTENER': [ None, { # TcpL
        'Owner' : [ 0x28, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0x20, ['WinTimeStamp', dict(is_utc = True)]],
        'LocalAddr' : [ 0x58, ['pointer', ['_LOCAL_ADDRESS']]],
        'InetAF' : [ 0x60, ['pointer', ['_INETAF']]],
        'Port' : [ 0x6a, ['unsigned be short']],
    }],
    '_INETAF' : [ None, {
        'AddressFamily' : [ 0x14, ['unsigned short']],
    }],
    '_LOCAL_ADDRESS' : [ None, {
        'pData' : [ 0x10, ['pointer', ['pointer', ['_IN_ADDR']]]],
    }],
    '_ADDRINFO' : [ None, {
        'Local' : [ 0x0, ['pointer', ['_LOCAL_ADDRESS']]],
        'Remote' : [ 0x10, ['pointer', ['_IN_ADDR']]],
    }],
    '_TCP_ENDPOINT': [ None, { # TcpE
        'InetAF' : [ 0x18, ['pointer', ['_INETAF']]],
        'AddrInfo' : [ 0x20, ['pointer', ['_ADDRINFO']]],
        'ListEntry': [ 0x28, ['_LIST_ENTRY']],
        'State' : [ 0x50, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
        'LocalPort' : [ 0x54, ['unsigned be short']],
        'RemotePort' : [ 0x56, ['unsigned be short']],
        'Owner' : [ 0x208, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_TCP_SYN_ENDPOINT': [ None, {
        'ListEntry': [ 0x10, ['_LIST_ENTRY']],
        'InetAF' : [ 0x30, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x64, ['unsigned be short']],
        'RemotePort' : [ 0x66, ['unsigned be short']],
        'LocalAddr' : [ 0x38, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x50, ['pointer', ['_IN_ADDR']]],
        'Owner' : [ 0x40, ['pointer', ['_SYN_OWNER']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_SYN_OWNER': [ None, {
        'Process': [ 0x28, ['pointer', ['_EPROCESS']]],
    }],
    '_TCP_TIMEWAIT_ENDPOINT': [ None, {
        'ListEntry': [ 0, ['_LIST_ENTRY']],
        'InetAF' : [ 0x18, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x30, ['unsigned be short']],
        'RemotePort' : [ 0x32, ['unsigned be short']],
        'LocalAddr' : [ 0x38, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x40, ['pointer', ['_IN_ADDR']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_UDP_ENDPOINT': [ None, { # UdpA
        'Owner' : [ 0x28, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0x58, ['WinTimeStamp', dict(is_utc = True)]],
        'LocalAddr' : [ 0x60, ['pointer', ['_LOCAL_ADDRESS']]],
        'InetAF' : [ 0x20, ['pointer', ['_INETAF']]],
        'Port' : [ 0x80, ['unsigned be short']],
    }],
}

# Structures for netscan on x64 Windows 10
# Differences visible against tcpip_vtypes_vista_64: _TCP_ENDPOINT carries a
# real CreateTime offset (0x268) and no ListEntry, and UDP endpoints use
# '_LOCAL_ADDRESS_WIN10_UDP', whose pData is a single pointer to _IN_ADDR.
tcpip_vtypes_win_10_x64 = {
    '_IN_ADDR' : [ None, {
        'addr4' : [ 0x0, ['IpAddress']],
        'addr6' : [ 0x0, ['Ipv6Address']],
    }],
    '_INETAF' : [ None, {
        'AddressFamily' : [ 0x18, ['unsigned short']],
    }],
    '_LOCAL_ADDRESS_WIN10_UDP' : [ None, {
        'pData' : [ 0x0, ['pointer', ['_IN_ADDR']]],
    }],
    '_LOCAL_ADDRESS' : [ None, {
        'pData' : [ 0x10, ['pointer', ['pointer', ['_IN_ADDR']]]],
    }],
    '_ADDRINFO' : [ None, {
        'Local' : [ 0x0, ['pointer', ['_LOCAL_ADDRESS']]],
        'Remote' : [ 0x10, ['pointer', ['_IN_ADDR']]],
    }],
    '_TCP_LISTENER': [ None, { # TcpL
        'Owner' : [ 0x30, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0x40, ['WinTimeStamp', dict(is_utc = True)]],
        'LocalAddr' : [ 0x60, ['pointer', ['_LOCAL_ADDRESS']]],
        'InetAF' : [ 0x28, ['pointer', ['_INETAF']]],
        'Port' : [ 0x72, ['unsigned be short']],
    }],
    '_TCP_ENDPOINT': [ None, { # TcpE
        'InetAF' : [ 0x10, ['pointer', ['_INETAF']]],
        'AddrInfo' : [ 0x18, ['pointer', ['_ADDRINFO']]],
        'State' : [ 0x6C, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
        'LocalPort' : [ 0x70, ['unsigned be short']],
        'RemotePort' : [ 0x72, ['unsigned be short']],
        'Owner' : [ 0x258, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0x268, ['WinTimeStamp', dict(is_utc = True)]],
    }],
    '_UDP_ENDPOINT': [ None, { # UdpA
        'Owner' : [ 0x28, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0x58, ['WinTimeStamp', dict(is_utc = True)]],
        'LocalAddr' : [ 0x80, ['pointer', ['_LOCAL_ADDRESS_WIN10_UDP']]],
        'InetAF' : [ 0x20, ['pointer', ['_INETAF']]],
        'Port' : [ 0x78, ['unsigned be short']],
    }],
}

# The classes below choose which of the tables above a profile receives,
# keyed on the profile's os / memory_model / major / minor / build metadata.
# The offsets are release-specific: if that metadata does not describe the
# image being analysed, members such as Owner, LocalPort and RemotePort are
# read from the wrong location and connections can be attributed to the
# wrong process.
# NOTE(review): 'before' is presumably an ordering constraint handled by
# obj.ProfileModification -- confirm the direction there.

class _ADDRESS_OBJECT(obj.CType):
    """Object class for _ADDRESS_OBJECT with a stricter validity check."""

    def is_valid(self):
        """Return true only if the base CType check passes and CreateTime
        holds a value greater than zero."""
        return obj.CType.is_valid(self) and self.CreateTime.v() > 0

class WinXP2003AddressObject(obj.ProfileModification):
    """Registers the _ADDRESS_OBJECT class for Windows profiles with major
    version 5."""
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x : x == 5}

    def modification(self, profile):
        profile.object_classes.update({'_ADDRESS_OBJECT': _ADDRESS_OBJECT})

class WinXP2003Tcpipx64(obj.ProfileModification):
    """Loads tcpip_vtypes_2003_x64 for 64-bit Windows 5.2 profiles."""
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 5,
                  'minor': lambda x : x == 2}

    def modification(self, profile):
        profile.vtypes.update(tcpip_vtypes_2003_x64)

class Win2003SP12Tcpip(obj.ProfileModification):
    """Loads tcpip_vtypes_2003_sp1_sp2 for 32-bit Windows 5.2 profiles whose
    build is not 3789."""
    before = ['WindowsVTypes']
    # Build 3789 is excluded; per the comment on tcpip_vtypes that would be
    # the 2003 SP0 case -- TODO confirm against the profile metadata.
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 5,
                  'minor': lambda x : x == 2,
                  'build': lambda x : x != 3789}

    def modification(self, profile):
        profile.vtypes.update(tcpip_vtypes_2003_sp1_sp2)

class Vista2008Tcpip(obj.ProfileModification):
    """Loads tcpip_vtypes_vista for every 32-bit Windows 6.x profile; later
    32-bit classes adjust it."""
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x >= 0}

    def modification(self, profile):
        profile.vtypes.update(tcpip_vtypes_vista)

class Win7Tcpip(obj.ProfileModification):
    """Loads tcpip_vtypes_7 for 32-bit Windows 6.1 profiles."""
    before = ['Vista2008Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 1}

    def modification(self, profile):
        # update() works per struct name, so the three endpoint structs in
        # tcpip_vtypes_7 replace the earlier definitions as a whole
        # (assuming profile.vtypes behaves like a plain dict).
        profile.vtypes.update(tcpip_vtypes_7)

class Win7Vista2008x64Tcpip(obj.ProfileModification):
    """Loads tcpip_vtypes_vista_64 for every 64-bit Windows 6.x profile;
    later 64-bit classes adjust it."""
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x >= 0}

    def modification(self, profile):
        profile.vtypes.update(tcpip_vtypes_vista_64)

class VistaSP12x64Tcpip(obj.ProfileModification):
    """Moves _TCP_ENDPOINT.Owner to 0x210 for 64-bit Windows 6.0 profiles
    with build >= 6001."""
    before = ['Win7Vista2008x64Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 0,
                  'build': lambda x : x >= 6001}

    def modification(self, profile):
        # Only the listed member is given here; presumably merge_overlay
        # leaves the other _TCP_ENDPOINT members as already defined.
        profile.merge_overlay({
            '_TCP_ENDPOINT': [ None, {
                'Owner' : [ 0x210, ['pointer', ['_EPROCESS']]],
            }],
        })

class Win7x64Tcpip(obj.ProfileModification):
    """Overlays the 64-bit Windows 6.1 offsets for the three TCP endpoint
    structs."""
    before = ['Win7Vista2008x64Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 1}

    def modification(self, profile):
        profile.merge_overlay({
            '_TCP_ENDPOINT': [ None, {
                'State' : [ 0x68, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
                'LocalPort' : [ 0x6c, ['unsigned be short']],
                'RemotePort' : [ 0x6e, ['unsigned be short']],
                'Owner' : [ 0x238, ['pointer', ['_EPROCESS']]],
            }],
            '_TCP_SYN_ENDPOINT': [ None, {
                'InetAF' : [ 0x48, ['pointer', ['_INETAF']]],
                'LocalPort' : [ 0x7c, ['unsigned be short']],
                'RemotePort' : [ 0x7e, ['unsigned be short']],
                'LocalAddr' : [ 0x50, ['pointer', ['_LOCAL_ADDRESS']]],
                'RemoteAddress' : [ 0x68, ['pointer', ['_IN_ADDR']]],
                'Owner' : [ 0x58, ['pointer', ['_SYN_OWNER']]],
            }],
            '_TCP_TIMEWAIT_ENDPOINT': [ None, {
                'InetAF' : [ 0x30, ['pointer', ['_INETAF']]],
                'LocalPort' : [ 0x48, ['unsigned be short']],
                'RemotePort' : [ 0x4a, ['unsigned be short']],
                'LocalAddr' : [ 0x50, ['pointer', ['_LOCAL_ADDRESS']]],
                'RemoteAddress' : [ 0x58, ['pointer', ['_IN_ADDR']]],
            }],
        })

class Win8Tcpip(obj.ProfileModification):
    """Overlays _TCP_ENDPOINT and _ADDRINFO offsets for 32-bit Windows 6.x
    profiles with minor >= 2."""
    before = ['Vista2008Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x >= 2}

    def modification(self, profile):
        profile.merge_overlay({
            '_TCP_ENDPOINT': [ None, {
                'InetAF' : [ 0x8, ['pointer', ['_INETAF']]],
                'AddrInfo' : [ 0xC, ['pointer', ['_ADDRINFO']]],
                'State' : [ 0x38, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
                'LocalPort' : [ 0x3C, ['unsigned be short']],
                'RemotePort' : [ 0x3E, ['unsigned be short']],
                'Owner' : [ 0x174, ['pointer', ['_EPROCESS']]],
            }],
            '_ADDRINFO' : [ None, {
                'Remote' : [ 0xC, ['pointer', ['_IN_ADDR']]],
            }],
        })

class Win81Tcpip(obj.ProfileModification):
    """Moves _TCP_ENDPOINT.Owner to 0x1a8 for 32-bit Windows 6.3 profiles."""
    before = ['Win8Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 3}

    def modification(self, profile):
        profile.merge_overlay({
            '_TCP_ENDPOINT': [ None, {
                'Owner' : [ 0x1a8, ['pointer', ['_EPROCESS']]],
            }],
        })

class Win10Tcpip(obj.ProfileModification):
    """Overlays _ADDRINFO and _TCP_ENDPOINT offsets for 32-bit profiles with
    major 6 and minor >= 4, then adjusts Owner for builds >= 14393."""
    before = ['Win8Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x >= 4}

    def modification(self, profile):
        profile.merge_overlay({
            '_ADDRINFO' : [ None, {
                'Local' : [ 0x0, ['pointer', ['_LOCAL_ADDRESS']]],
                'Remote' : [ 0xC, ['pointer', ['_IN_ADDR']]],
            }],
            '_TCP_ENDPOINT': [ None, {
                'InetAF' : [ 0x8, ['pointer', ['_INETAF']]],
                'AddrInfo' : [ 0xC, ['pointer', ['_ADDRINFO']]],
                'State' : [ 0x38, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
                'LocalPort' : [ 0x3C, ['unsigned be short']],
                'RemotePort' : [ 0x3E, ['unsigned be short']],
                'Owner' : [ 0x1b0, ['pointer', ['_EPROCESS']]],
            }],
        })

        # NOTE(review): metadata.get("build") yields None when the key is
        # absent. Under Python 2 the comparison then evaluates to False and
        # the 0x1b0 offset is kept; under Python 3 it would raise TypeError.
        if profile.metadata.get("build") >= 14393:
            profile.merge_overlay({
                '_TCP_ENDPOINT': [ None, {
                    'Owner' : [ 0x1b4, ['pointer', ['_EPROCESS']]],
                }],
            })

class Win8x64Tcpip(obj.ProfileModification):
    """Overlays _INETAF and _TCP_ENDPOINT offsets for 64-bit Windows 6.x
    profiles with minor >= 2."""
    before = ['Win7Vista2008x64Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x >= 2}

    def modification(self, profile):
        profile.merge_overlay({
            '_INETAF' : [ None, {
                'AddressFamily' : [ 0x18, ['unsigned short']],
            }],
            '_TCP_ENDPOINT': [ None, {
                'InetAF' : [ 0x10, ['pointer', ['_INETAF']]],
                'AddrInfo' : [ 0x18, ['pointer', ['_ADDRINFO']]],
                'State' : [ 0x6C, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
                'LocalPort' : [ 0x70, ['unsigned be short']],
                'RemotePort' : [ 0x72, ['unsigned be short']],
                'Owner' : [ 0x250, ['pointer', ['_EPROCESS']]],
            }],
        })

class Win81x64Tcpip(obj.ProfileModification):
    """Moves _TCP_ENDPOINT.Owner to 0x258 for 64-bit Windows 6.3 profiles."""
    before = ['Win8x64Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 3}

    def modification(self, profile):
        profile.merge_overlay({
            '_TCP_ENDPOINT': [ None, {
                'Owner' : [ 0x258, ['pointer', ['_EPROCESS']]],
            }],
        })

class Win10x64Tcpip(obj.ProfileModification):
    """Selects the Windows 10 x64 structures for 64-bit profiles with
    major 6 and minor == 4."""
    before = ['Win81x64Tcpip']
    # NOTE(review): the 32-bit Win10Tcpip class matches minor >= 4, while
    # this class matches minor == 4 only -- confirm the difference is
    # intended.
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 4}

    def modification(self, profile):
profile.vtypes.update(tcpip_vtypes_win_10_x64) volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win7_sp01_x86_syscalls.py0000644000000000000000000013161213131215405031103 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # Copyright (c) 2011 Michael Hale Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # syscalls = [ [ 'NtAcceptConnectPort', # 0x0 'NtAccessCheck', # 0x1 'NtAccessCheckAndAuditAlarm', # 0x2 'NtAccessCheckByType', # 0x3 'NtAccessCheckByTypeAndAuditAlarm', # 0x4 'NtAccessCheckByTypeResultList', # 0x5 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7 'NtAddAtom', # 0x8 'NtAddBootEntry', # 0x9 'NtAddDriverEntry', # 0xa 'NtAdjustGroupsToken', # 0xb 'NtAdjustPrivilegesToken', # 0xc 'NtAlertResumeThread', # 0xd 'NtAlertThread', # 0xe 'NtAllocateLocallyUniqueId', # 0xf 'NtAllocateReserveObject', # 0x10 'NtAllocateUserPhysicalPages', # 0x11 'NtAllocateUuids', # 0x12 'NtAllocateVirtualMemory', # 0x13 'NtAlpcAcceptConnectPort', # 0x14 'NtAlpcCancelMessage', # 0x15 'NtAlpcConnectPort', # 0x16 'NtAlpcCreatePort', # 0x17 'NtAlpcCreatePortSection', # 0x18 'NtAlpcCreateResourceReserve', # 0x19 'NtAlpcCreateSectionView', # 0x1a 'NtAlpcCreateSecurityContext', # 0x1b 'NtAlpcDeletePortSection', # 0x1c 'NtAlpcDeleteResourceReserve', # 0x1d 'NtAlpcDeleteSectionView', # 0x1e 
'NtAlpcDeleteSecurityContext', # 0x1f 'NtAlpcDisconnectPort', # 0x20 'NtAlpcImpersonateClientOfPort', # 0x21 'NtAlpcOpenSenderProcess', # 0x22 'NtAlpcOpenSenderThread', # 0x23 'NtAlpcQueryInformation', # 0x24 'NtAlpcQueryInformationMessage', # 0x25 'NtAlpcRevokeSecurityContext', # 0x26 'NtAlpcSendWaitReceivePort', # 0x27 'NtAlpcSetInformation', # 0x28 'NtApphelpCacheControl', # 0x29 'NtAreMappedFilesTheSame', # 0x2a 'NtAssignProcessToJobObject', # 0x2b 'NtCallbackReturn', # 0x2c 'NtCancelIoFile', # 0x2d 'NtCancelIoFileEx', # 0x2e 'NtCancelSynchronousIoFile', # 0x2f 'NtCancelTimer', # 0x30 'NtClearEvent', # 0x31 'NtClose', # 0x32 'NtCloseObjectAuditAlarm', # 0x33 'NtCommitComplete', # 0x34 'NtCommitEnlistment', # 0x35 'NtCommitTransaction', # 0x36 'NtCompactKeys', # 0x37 'NtCompareTokens', # 0x38 'NtCompleteConnectPort', # 0x39 'NtCompressKey', # 0x3a 'NtConnectPort', # 0x3b 'NtContinue', # 0x3c 'NtCreateDebugObject', # 0x3d 'NtCreateDirectoryObject', # 0x3e 'NtCreateEnlistment', # 0x3f 'NtCreateEvent', # 0x40 'NtCreateEventPair', # 0x41 'NtCreateFile', # 0x42 'NtCreateIoCompletion', # 0x43 'NtCreateJobObject', # 0x44 'NtCreateJobSet', # 0x45 'NtCreateKey', # 0x46 'NtCreateKeyedEvent', # 0x47 'NtCreateKeyTransacted', # 0x48 'NtCreateMailslotFile', # 0x49 'NtCreateMutant', # 0x4a 'NtCreateNamedPipeFile', # 0x4b 'NtCreatePagingFile', # 0x4c 'NtCreatePort', # 0x4d 'NtCreatePrivateNamespace', # 0x4e 'NtCreateProcess', # 0x4f 'NtCreateProcessEx', # 0x50 'NtCreateProfile', # 0x51 'NtCreateProfileEx', # 0x52 'NtCreateResourceManager', # 0x53 'NtCreateSection', # 0x54 'NtCreateSemaphore', # 0x55 'NtCreateSymbolicLinkObject', # 0x56 'NtCreateThread', # 0x57 'NtCreateThreadEx', # 0x58 'NtCreateTimer', # 0x59 'NtCreateToken', # 0x5a 'NtCreateTransaction', # 0x5b 'NtCreateTransactionManager', # 0x5c 'NtCreateUserProcess', # 0x5d 'NtCreateWaitablePort', # 0x5e 'NtCreateWorkerFactory', # 0x5f 'NtDebugActiveProcess', # 0x60 'NtDebugContinue', # 0x61 'NtDelayExecution', # 0x62 
'NtDeleteAtom', # 0x63 'NtDeleteBootEntry', # 0x64 'NtDeleteDriverEntry', # 0x65 'NtDeleteFile', # 0x66 'NtDeleteKey', # 0x67 'NtDeleteObjectAuditAlarm', # 0x68 'NtDeletePrivateNamespace', # 0x69 'NtDeleteValueKey', # 0x6a 'NtDeviceIoControlFile', # 0x6b 'NtDisableLastKnownGood', # 0x6c 'NtDisplayString', # 0x6d 'NtDrawText', # 0x6e 'NtDuplicateObject', # 0x6f 'NtDuplicateToken', # 0x70 'NtEnableLastKnownGood', # 0x71 'NtEnumerateBootEntries', # 0x72 'NtEnumerateDriverEntries', # 0x73 'NtEnumerateKey', # 0x74 'NtEnumerateSystemEnvironmentValuesEx', # 0x75 'NtEnumerateTransactionObject', # 0x76 'NtEnumerateValueKey', # 0x77 'NtExtendSection', # 0x78 'NtFilterToken', # 0x79 'NtFindAtom', # 0x7a 'NtFlushBuffersFile', # 0x7b 'NtFlushInstallUILanguage', # 0x7c 'NtFlushInstructionCache', # 0x7d 'NtFlushKey', # 0x7e 'NtFlushProcessWriteBuffers', # 0x7f 'NtFlushVirtualMemory', # 0x80 'NtFlushWriteBuffer', # 0x81 'NtFreeUserPhysicalPages', # 0x82 'NtFreeVirtualMemory', # 0x83 'NtFreezeRegistry', # 0x84 'NtFreezeTransactions', # 0x85 'NtFsControlFile', # 0x86 'NtGetContextThread', # 0x87 'NtGetCurrentProcessorNumber', # 0x88 'NtGetDevicePowerState', # 0x89 'NtGetMUIRegistryInfo', # 0x8a 'NtGetNextProcess', # 0x8b 'NtGetNextThread', # 0x8c 'NtGetNlsSectionPtr', # 0x8d 'NtGetNotificationResourceManager', # 0x8e 'NtGetPlugPlayEvent', # 0x8f 'NtGetWriteWatch', # 0x90 'NtImpersonateAnonymousToken', # 0x91 'NtImpersonateClientOfPort', # 0x92 'NtImpersonateThread', # 0x93 'NtInitializeNlsFiles', # 0x94 'NtInitializeRegistry', # 0x95 'NtInitiatePowerAction', # 0x96 'NtIsProcessInJob', # 0x97 'NtIsSystemResumeAutomatic', # 0x98 'NtIsUILanguageComitted', # 0x99 'NtListenPort', # 0x9a 'NtLoadDriver', # 0x9b 'NtLoadKey', # 0x9c 'NtLoadKey2', # 0x9d 'NtLoadKeyEx', # 0x9e 'NtLockFile', # 0x9f 'NtLockProductActivationKeys', # 0xa0 'NtLockRegistryKey', # 0xa1 'NtLockVirtualMemory', # 0xa2 'NtMakePermanentObject', # 0xa3 'NtMakeTemporaryObject', # 0xa4 'NtMapCMFModule', # 0xa5 
'NtMapUserPhysicalPages', # 0xa6 'NtMapUserPhysicalPagesScatter', # 0xa7 'NtMapViewOfSection', # 0xa8 'NtModifyBootEntry', # 0xa9 'NtModifyDriverEntry', # 0xaa 'NtNotifyChangeDirectoryFile', # 0xab 'NtNotifyChangeKey', # 0xac 'NtNotifyChangeMultipleKeys', # 0xad 'NtNotifyChangeSession', # 0xae 'NtOpenDirectoryObject', # 0xaf 'NtOpenEnlistment', # 0xb0 'NtOpenEvent', # 0xb1 'NtOpenEventPair', # 0xb2 'NtOpenFile', # 0xb3 'NtOpenIoCompletion', # 0xb4 'NtOpenJobObject', # 0xb5 'NtOpenKey', # 0xb6 'NtOpenKeyEx', # 0xb7 'NtOpenKeyedEvent', # 0xb8 'NtOpenKeyTransacted', # 0xb9 'NtOpenKeyTransactedEx', # 0xba 'NtOpenMutant', # 0xbb 'NtOpenObjectAuditAlarm', # 0xbc 'NtOpenPrivateNamespace', # 0xbd 'NtOpenProcess', # 0xbe 'NtOpenProcessToken', # 0xbf 'NtOpenProcessTokenEx', # 0xc0 'NtOpenResourceManager', # 0xc1 'NtOpenSection', # 0xc2 'NtOpenSemaphore', # 0xc3 'NtOpenSession', # 0xc4 'NtOpenSymbolicLinkObject', # 0xc5 'NtOpenThread', # 0xc6 'NtOpenThreadToken', # 0xc7 'NtOpenThreadTokenEx', # 0xc8 'NtOpenTimer', # 0xc9 'NtOpenTransaction', # 0xca 'NtOpenTransactionManager', # 0xcb 'NtPlugPlayControl', # 0xcc 'NtPowerInformation', # 0xcd 'NtPrepareComplete', # 0xce 'NtPrepareEnlistment', # 0xcf 'NtPrePrepareComplete', # 0xd0 'NtPrePrepareEnlistment', # 0xd1 'NtPrivilegeCheck', # 0xd2 'NtPrivilegedServiceAuditAlarm', # 0xd3 'NtPrivilegeObjectAuditAlarm', # 0xd4 'NtPropagationComplete', # 0xd5 'NtPropagationFailed', # 0xd6 'NtProtectVirtualMemory', # 0xd7 'NtPulseEvent', # 0xd8 'NtQueryAttributesFile', # 0xd9 'NtQueryBootEntryOrder', # 0xda 'NtQueryBootOptions', # 0xdb 'NtQueryDebugFilterState', # 0xdc 'NtQueryDefaultLocale', # 0xdd 'NtQueryDefaultUILanguage', # 0xde 'NtQueryDirectoryFile', # 0xdf 'NtQueryDirectoryObject', # 0xe0 'NtQueryDriverEntryOrder', # 0xe1 'NtQueryEaFile', # 0xe2 'NtQueryEvent', # 0xe3 'NtQueryFullAttributesFile', # 0xe4 'NtQueryInformationAtom', # 0xe5 'NtQueryInformationEnlistment', # 0xe6 'NtQueryInformationFile', # 0xe7 
'NtQueryInformationJobObject', # 0xe8 'NtQueryInformationPort', # 0xe9 'NtQueryInformationProcess', # 0xea 'NtQueryInformationResourceManager', # 0xeb 'NtQueryInformationThread', # 0xec 'NtQueryInformationToken', # 0xed 'NtQueryInformationTransaction', # 0xee 'NtQueryInformationTransactionManager', # 0xef 'NtQueryInformationWorkerFactory', # 0xf0 'NtQueryInstallUILanguage', # 0xf1 'NtQueryIntervalProfile', # 0xf2 'NtQueryIoCompletion', # 0xf3 'NtQueryKey', # 0xf4 'NtQueryLicenseValue', # 0xf5 'NtQueryMultipleValueKey', # 0xf6 'NtQueryMutant', # 0xf7 'NtQueryObject', # 0xf8 'NtQueryOpenSubKeys', # 0xf9 'NtQueryOpenSubKeysEx', # 0xfa 'NtQueryPerformanceCounter', # 0xfb 'NtQueryPortInformationProcess', # 0xfc 'NtQueryQuotaInformationFile', # 0xfd 'NtQuerySection', # 0xfe 'NtQuerySecurityAttributesToken', # 0xff 'NtQuerySecurityObject', # 0x100 'NtQuerySemaphore', # 0x101 'NtQuerySymbolicLinkObject', # 0x102 'NtQuerySystemEnvironmentValue', # 0x103 'NtQuerySystemEnvironmentValueEx', # 0x104 'NtQuerySystemInformation', # 0x105 'NtQuerySystemInformationEx', # 0x106 'NtQuerySystemTime', # 0x107 'NtQueryTimer', # 0x108 'NtQueryTimerResolution', # 0x109 'NtQueryValueKey', # 0x10a 'NtQueryVirtualMemory', # 0x10b 'NtQueryVolumeInformationFile', # 0x10c 'NtQueueApcThread', # 0x10d 'NtQueueApcThreadEx', # 0x10e 'NtRaiseException', # 0x10f 'NtRaiseHardError', # 0x110 'NtReadFile', # 0x111 'NtReadFileScatter', # 0x112 'NtReadOnlyEnlistment', # 0x113 'NtReadRequestData', # 0x114 'NtReadVirtualMemory', # 0x115 'NtRecoverEnlistment', # 0x116 'NtRecoverResourceManager', # 0x117 'NtRecoverTransactionManager', # 0x118 'NtRegisterProtocolAddressInformation', # 0x119 'NtRegisterThreadTerminatePort', # 0x11a 'NtReleaseKeyedEvent', # 0x11b 'NtReleaseMutant', # 0x11c 'NtReleaseSemaphore', # 0x11d 'NtReleaseWorkerFactoryWorker', # 0x11e 'NtRemoveIoCompletion', # 0x11f 'NtRemoveIoCompletionEx', # 0x120 'NtRemoveProcessDebug', # 0x121 'NtRenameKey', # 0x122 'NtRenameTransactionManager', # 
0x123 'NtReplaceKey', # 0x124 'NtReplacePartitionUnit', # 0x125 'NtReplyPort', # 0x126 'NtReplyWaitReceivePort', # 0x127 'NtReplyWaitReceivePortEx', # 0x128 'NtReplyWaitReplyPort', # 0x129 'NtRequestPort', # 0x12a 'NtRequestWaitReplyPort', # 0x12b 'NtResetEvent', # 0x12c 'NtResetWriteWatch', # 0x12d 'NtRestoreKey', # 0x12e 'NtResumeProcess', # 0x12f 'NtResumeThread', # 0x130 'NtRollbackComplete', # 0x131 'NtRollbackEnlistment', # 0x132 'NtRollbackTransaction', # 0x133 'NtRollforwardTransactionManager', # 0x134 'NtSaveKey', # 0x135 'NtSaveKeyEx', # 0x136 'NtSaveMergedKeys', # 0x137 'NtSecureConnectPort', # 0x138 'NtSerializeBoot', # 0x139 'NtSetBootEntryOrder', # 0x13a 'NtSetBootOptions', # 0x13b 'NtSetContextThread', # 0x13c 'NtSetDebugFilterState', # 0x13d 'NtSetDefaultHardErrorPort', # 0x13e 'NtSetDefaultLocale', # 0x13f 'NtSetDefaultUILanguage', # 0x140 'NtSetDriverEntryOrder', # 0x141 'NtSetEaFile', # 0x142 'NtSetEvent', # 0x143 'NtSetEventBoostPriority', # 0x144 'NtSetHighEventPair', # 0x145 'NtSetHighWaitLowEventPair', # 0x146 'NtSetInformationDebugObject', # 0x147 'NtSetInformationEnlistment', # 0x148 'NtSetInformationFile', # 0x149 'NtSetInformationJobObject', # 0x14a 'NtSetInformationKey', # 0x14b 'NtSetInformationObject', # 0x14c 'NtSetInformationProcess', # 0x14d 'NtSetInformationResourceManager', # 0x14e 'NtSetInformationThread', # 0x14f 'NtSetInformationToken', # 0x150 'NtSetInformationTransaction', # 0x151 'NtSetInformationTransactionManager', # 0x152 'NtSetInformationWorkerFactory', # 0x153 'NtSetIntervalProfile', # 0x154 'NtSetIoCompletion', # 0x155 'NtSetIoCompletionEx', # 0x156 'NtSetLdtEntries', # 0x157 'NtSetLowEventPair', # 0x158 'NtSetLowWaitHighEventPair', # 0x159 'NtSetQuotaInformationFile', # 0x15a 'NtSetSecurityObject', # 0x15b 'NtSetSystemEnvironmentValue', # 0x15c 'NtSetSystemEnvironmentValueEx', # 0x15d 'NtSetSystemInformation', # 0x15e 'NtSetSystemPowerState', # 0x15f 'NtSetSystemTime', # 0x160 'NtSetThreadExecutionState', # 0x161 
'NtSetTimer', # 0x162 'NtSetTimerEx', # 0x163 'NtSetTimerResolution', # 0x164 'NtSetUuidSeed', # 0x165 'NtSetValueKey', # 0x166 'NtSetVolumeInformationFile', # 0x167 'NtShutdownSystem', # 0x168 'NtShutdownWorkerFactory', # 0x169 'NtSignalAndWaitForSingleObject', # 0x16a 'NtSinglePhaseReject', # 0x16b 'NtStartProfile', # 0x16c 'NtStopProfile', # 0x16d 'NtSuspendProcess', # 0x16e 'NtSuspendThread', # 0x16f 'NtSystemDebugControl', # 0x170 'NtTerminateJobObject', # 0x171 'NtTerminateProcess', # 0x172 'NtTerminateThread', # 0x173 'NtTestAlert', # 0x174 'NtThawRegistry', # 0x175 'NtThawTransactions', # 0x176 'NtTraceControl', # 0x177 'NtTraceEvent', # 0x178 'NtTranslateFilePath', # 0x179 'NtUmsThreadYield', # 0x17a 'NtUnloadDriver', # 0x17b 'NtUnloadKey', # 0x17c 'NtUnloadKey2', # 0x17d 'NtUnloadKeyEx', # 0x17e 'NtUnlockFile', # 0x17f 'NtUnlockVirtualMemory', # 0x180 'NtUnmapViewOfSection', # 0x181 'NtVdmControl', # 0x182 'NtWaitForDebugEvent', # 0x183 'NtWaitForKeyedEvent', # 0x184 'NtWaitForMultipleObjects', # 0x185 'NtWaitForMultipleObjects32', # 0x186 'NtWaitForSingleObject', # 0x187 'NtWaitForWorkViaWorkerFactory', # 0x188 'NtWaitHighEventPair', # 0x189 'NtWaitLowEventPair', # 0x18a 'NtWorkerFactoryWorkerReady', # 0x18b 'NtWriteFile', # 0x18c 'NtWriteFileGather', # 0x18d 'NtWriteRequestData', # 0x18e 'NtWriteVirtualMemory', # 0x18f 'NtYieldExecution', # 0x190 ], [ 'NtGdiAbortDoc', # 0x0 'NtGdiAbortPath', # 0x1 'NtGdiAddFontResourceW', # 0x2 'NtGdiAddRemoteFontToDC', # 0x3 'NtGdiAddFontMemResourceEx', # 0x4 'NtGdiRemoveMergeFont', # 0x5 'NtGdiAddRemoteMMInstanceToDC', # 0x6 'NtGdiAlphaBlend', # 0x7 'NtGdiAngleArc', # 0x8 'NtGdiAnyLinkedFonts', # 0x9 'NtGdiFontIsLinked', # 0xa 'NtGdiArcInternal', # 0xb 'NtGdiBeginGdiRendering', # 0xc 'NtGdiBeginPath', # 0xd 'NtGdiBitBlt', # 0xe 'NtGdiCancelDC', # 0xf 'NtGdiCheckBitmapBits', # 0x10 'NtGdiCloseFigure', # 0x11 'NtGdiClearBitmapAttributes', # 0x12 'NtGdiClearBrushAttributes', # 0x13 'NtGdiColorCorrectPalette', # 0x14 
'NtGdiCombineRgn', # 0x15 'NtGdiCombineTransform', # 0x16 'NtGdiComputeXformCoefficients', # 0x17 'NtGdiConfigureOPMProtectedOutput', # 0x18 'NtGdiConvertMetafileRect', # 0x19 'NtGdiCreateBitmap', # 0x1a 'NtGdiCreateBitmapFromDxSurface', # 0x1b 'NtGdiCreateClientObj', # 0x1c 'NtGdiCreateColorSpace', # 0x1d 'NtGdiCreateColorTransform', # 0x1e 'NtGdiCreateCompatibleBitmap', # 0x1f 'NtGdiCreateCompatibleDC', # 0x20 'NtGdiCreateDIBBrush', # 0x21 'NtGdiCreateDIBitmapInternal', # 0x22 'NtGdiCreateDIBSection', # 0x23 'NtGdiCreateEllipticRgn', # 0x24 'NtGdiCreateHalftonePalette', # 0x25 'NtGdiCreateHatchBrushInternal', # 0x26 'NtGdiCreateMetafileDC', # 0x27 'NtGdiCreateOPMProtectedOutputs', # 0x28 'NtGdiCreatePaletteInternal', # 0x29 'NtGdiCreatePatternBrushInternal', # 0x2a 'NtGdiCreatePen', # 0x2b 'NtGdiCreateRectRgn', # 0x2c 'NtGdiCreateRoundRectRgn', # 0x2d 'NtGdiCreateServerMetaFile', # 0x2e 'NtGdiCreateSolidBrush', # 0x2f 'NtGdiD3dContextCreate', # 0x30 'NtGdiD3dContextDestroy', # 0x31 'NtGdiD3dContextDestroyAll', # 0x32 'NtGdiD3dValidateTextureStageState', # 0x33 'NtGdiD3dDrawPrimitives2', # 0x34 'NtGdiDdGetDriverState', # 0x35 'NtGdiDdAddAttachedSurface', # 0x36 'NtGdiDdAlphaBlt', # 0x37 'NtGdiDdAttachSurface', # 0x38 'NtGdiDdBeginMoCompFrame', # 0x39 'NtGdiDdBlt', # 0x3a 'NtGdiDdCanCreateSurface', # 0x3b 'NtGdiDdCanCreateD3DBuffer', # 0x3c 'NtGdiDdColorControl', # 0x3d 'NtGdiDdCreateDirectDrawObject', # 0x3e 'NtGdiDdCreateSurface', # 0x3f 'NtGdiDdCreateD3DBuffer', # 0x40 'NtGdiDdCreateMoComp', # 0x41 'NtGdiDdCreateSurfaceObject', # 0x42 'NtGdiDdDeleteDirectDrawObject', # 0x43 'NtGdiDdDeleteSurfaceObject', # 0x44 'NtGdiDdDestroyMoComp', # 0x45 'NtGdiDdDestroySurface', # 0x46 'NtGdiDdDestroyD3DBuffer', # 0x47 'NtGdiDdEndMoCompFrame', # 0x48 'NtGdiDdFlip', # 0x49 'NtGdiDdFlipToGDISurface', # 0x4a 'NtGdiDdGetAvailDriverMemory', # 0x4b 'NtGdiDdGetBltStatus', # 0x4c 'NtGdiDdGetDC', # 0x4d 'NtGdiDdGetDriverInfo', # 0x4e 'NtGdiDdGetDxHandle', # 0x4f 
'NtGdiDdGetFlipStatus', # 0x50 'NtGdiDdGetInternalMoCompInfo', # 0x51 'NtGdiDdGetMoCompBuffInfo', # 0x52 'NtGdiDdGetMoCompGuids', # 0x53 'NtGdiDdGetMoCompFormats', # 0x54 'NtGdiDdGetScanLine', # 0x55 'NtGdiDdLock', # 0x56 'NtGdiDdLockD3D', # 0x57 'NtGdiDdQueryDirectDrawObject', # 0x58 'NtGdiDdQueryMoCompStatus', # 0x59 'NtGdiDdReenableDirectDrawObject', # 0x5a 'NtGdiDdReleaseDC', # 0x5b 'NtGdiDdRenderMoComp', # 0x5c 'NtGdiDdResetVisrgn', # 0x5d 'NtGdiDdSetColorKey', # 0x5e 'NtGdiDdSetExclusiveMode', # 0x5f 'NtGdiDdSetGammaRamp', # 0x60 'NtGdiDdCreateSurfaceEx', # 0x61 'NtGdiDdSetOverlayPosition', # 0x62 'NtGdiDdUnattachSurface', # 0x63 'NtGdiDdUnlock', # 0x64 'NtGdiDdUnlockD3D', # 0x65 'NtGdiDdUpdateOverlay', # 0x66 'NtGdiDdWaitForVerticalBlank', # 0x67 'NtGdiDvpCanCreateVideoPort', # 0x68 'NtGdiDvpColorControl', # 0x69 'NtGdiDvpCreateVideoPort', # 0x6a 'NtGdiDvpDestroyVideoPort', # 0x6b 'NtGdiDvpFlipVideoPort', # 0x6c 'NtGdiDvpGetVideoPortBandwidth', # 0x6d 'NtGdiDvpGetVideoPortField', # 0x6e 'NtGdiDvpGetVideoPortFlipStatus', # 0x6f 'NtGdiDvpGetVideoPortInputFormats', # 0x70 'NtGdiDvpGetVideoPortLine', # 0x71 'NtGdiDvpGetVideoPortOutputFormats', # 0x72 'NtGdiDvpGetVideoPortConnectInfo', # 0x73 'NtGdiDvpGetVideoSignalStatus', # 0x74 'NtGdiDvpUpdateVideoPort', # 0x75 'NtGdiDvpWaitForVideoPortSync', # 0x76 'NtGdiDvpAcquireNotification', # 0x77 'NtGdiDvpReleaseNotification', # 0x78 'NtGdiDxgGenericThunk', # 0x79 'NtGdiDeleteClientObj', # 0x7a 'NtGdiDeleteColorSpace', # 0x7b 'NtGdiDeleteColorTransform', # 0x7c 'NtGdiDeleteObjectApp', # 0x7d 'NtGdiDescribePixelFormat', # 0x7e 'NtGdiDestroyOPMProtectedOutput', # 0x7f 'NtGdiGetPerBandInfo', # 0x80 'NtGdiDoBanding', # 0x81 'NtGdiDoPalette', # 0x82 'NtGdiDrawEscape', # 0x83 'NtGdiEllipse', # 0x84 'NtGdiEnableEudc', # 0x85 'NtGdiEndDoc', # 0x86 'NtGdiEndGdiRendering', # 0x87 'NtGdiEndPage', # 0x88 'NtGdiEndPath', # 0x89 'NtGdiEnumFonts', # 0x8a 'NtGdiEnumObjects', # 0x8b 'NtGdiEqualRgn', # 0x8c 'NtGdiEudcLoadUnloadLink', # 
0x8d 'NtGdiExcludeClipRect', # 0x8e 'NtGdiExtCreatePen', # 0x8f 'NtGdiExtCreateRegion', # 0x90 'NtGdiExtEscape', # 0x91 'NtGdiExtFloodFill', # 0x92 'NtGdiExtGetObjectW', # 0x93 'NtGdiExtSelectClipRgn', # 0x94 'NtGdiExtTextOutW', # 0x95 'NtGdiFillPath', # 0x96 'NtGdiFillRgn', # 0x97 'NtGdiFlattenPath', # 0x98 'NtGdiFlush', # 0x99 'NtGdiForceUFIMapping', # 0x9a 'NtGdiFrameRgn', # 0x9b 'NtGdiFullscreenControl', # 0x9c 'NtGdiGetAndSetDCDword', # 0x9d 'NtGdiGetAppClipBox', # 0x9e 'NtGdiGetBitmapBits', # 0x9f 'NtGdiGetBitmapDimension', # 0xa0 'NtGdiGetBoundsRect', # 0xa1 'NtGdiGetCertificate', # 0xa2 'NtGdiGetCertificateSize', # 0xa3 'NtGdiGetCharABCWidthsW', # 0xa4 'NtGdiGetCharacterPlacementW', # 0xa5 'NtGdiGetCharSet', # 0xa6 'NtGdiGetCharWidthW', # 0xa7 'NtGdiGetCharWidthInfo', # 0xa8 'NtGdiGetColorAdjustment', # 0xa9 'NtGdiGetColorSpaceforBitmap', # 0xaa 'NtGdiGetCOPPCompatibleOPMInformation', # 0xab 'NtGdiGetDCDword', # 0xac 'NtGdiGetDCforBitmap', # 0xad 'NtGdiGetDCObject', # 0xae 'NtGdiGetDCPoint', # 0xaf 'NtGdiGetDeviceCaps', # 0xb0 'NtGdiGetDeviceGammaRamp', # 0xb1 'NtGdiGetDeviceCapsAll', # 0xb2 'NtGdiGetDIBitsInternal', # 0xb3 'NtGdiGetETM', # 0xb4 'NtGdiGetEudcTimeStampEx', # 0xb5 'NtGdiGetFontData', # 0xb6 'NtGdiGetFontFileData', # 0xb7 'NtGdiGetFontFileInfo', # 0xb8 'NtGdiGetFontResourceInfoInternalW', # 0xb9 'NtGdiGetGlyphIndicesW', # 0xba 'NtGdiGetGlyphIndicesWInternal', # 0xbb 'NtGdiGetGlyphOutline', # 0xbc 'NtGdiGetOPMInformation', # 0xbd 'NtGdiGetKerningPairs', # 0xbe 'NtGdiGetLinkedUFIs', # 0xbf 'NtGdiGetMiterLimit', # 0xc0 'NtGdiGetMonitorID', # 0xc1 'NtGdiGetNearestColor', # 0xc2 'NtGdiGetNearestPaletteIndex', # 0xc3 'NtGdiGetObjectBitmapHandle', # 0xc4 'NtGdiGetOPMRandomNumber', # 0xc5 'NtGdiGetOutlineTextMetricsInternalW', # 0xc6 'NtGdiGetPath', # 0xc7 'NtGdiGetPixel', # 0xc8 'NtGdiGetRandomRgn', # 0xc9 'NtGdiGetRasterizerCaps', # 0xca 'NtGdiGetRealizationInfo', # 0xcb 'NtGdiGetRegionData', # 0xcc 'NtGdiGetRgnBox', # 0xcd 
'NtGdiGetServerMetaFileBits', # 0xce 'NtGdiGetSpoolMessage', # 0xcf 'NtGdiGetStats', # 0xd0 'NtGdiGetStockObject', # 0xd1 'NtGdiGetStringBitmapW', # 0xd2 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0xd3 'NtGdiGetSystemPaletteUse', # 0xd4 'NtGdiGetTextCharsetInfo', # 0xd5 'NtGdiGetTextExtent', # 0xd6 'NtGdiGetTextExtentExW', # 0xd7 'NtGdiGetTextFaceW', # 0xd8 'NtGdiGetTextMetricsW', # 0xd9 'NtGdiGetTransform', # 0xda 'NtGdiGetUFI', # 0xdb 'NtGdiGetEmbUFI', # 0xdc 'NtGdiGetUFIPathname', # 0xdd 'NtGdiGetEmbedFonts', # 0xde 'NtGdiChangeGhostFont', # 0xdf 'NtGdiAddEmbFontToDC', # 0xe0 'NtGdiGetFontUnicodeRanges', # 0xe1 'NtGdiGetWidthTable', # 0xe2 'NtGdiGradientFill', # 0xe3 'NtGdiHfontCreate', # 0xe4 'NtGdiIcmBrushInfo', # 0xe5 'NtGdiInit', # 0xe6 'NtGdiInitSpool', # 0xe7 'NtGdiIntersectClipRect', # 0xe8 'NtGdiInvertRgn', # 0xe9 'NtGdiLineTo', # 0xea 'NtGdiMakeFontDir', # 0xeb 'NtGdiMakeInfoDC', # 0xec 'NtGdiMaskBlt', # 0xed 'NtGdiModifyWorldTransform', # 0xee 'NtGdiMonoBitmap', # 0xef 'NtGdiMoveTo', # 0xf0 'NtGdiOffsetClipRgn', # 0xf1 'NtGdiOffsetRgn', # 0xf2 'NtGdiOpenDCW', # 0xf3 'NtGdiPatBlt', # 0xf4 'NtGdiPolyPatBlt', # 0xf5 'NtGdiPathToRegion', # 0xf6 'NtGdiPlgBlt', # 0xf7 'NtGdiPolyDraw', # 0xf8 'NtGdiPolyPolyDraw', # 0xf9 'NtGdiPolyTextOutW', # 0xfa 'NtGdiPtInRegion', # 0xfb 'NtGdiPtVisible', # 0xfc 'NtGdiQueryFonts', # 0xfd 'NtGdiQueryFontAssocInfo', # 0xfe 'NtGdiRectangle', # 0xff 'NtGdiRectInRegion', # 0x100 'NtGdiRectVisible', # 0x101 'NtGdiRemoveFontResourceW', # 0x102 'NtGdiRemoveFontMemResourceEx', # 0x103 'NtGdiResetDC', # 0x104 'NtGdiResizePalette', # 0x105 'NtGdiRestoreDC', # 0x106 'NtGdiRoundRect', # 0x107 'NtGdiSaveDC', # 0x108 'NtGdiScaleViewportExtEx', # 0x109 'NtGdiScaleWindowExtEx', # 0x10a 'NtGdiSelectBitmap', # 0x10b 'NtGdiSelectBrush', # 0x10c 'NtGdiSelectClipPath', # 0x10d 'NtGdiSelectFont', # 0x10e 'NtGdiSelectPen', # 0x10f 'NtGdiSetBitmapAttributes', # 0x110 'NtGdiSetBitmapBits', # 0x111 'NtGdiSetBitmapDimension', # 0x112 
'NtGdiSetBoundsRect', # 0x113 'NtGdiSetBrushAttributes', # 0x114 'NtGdiSetBrushOrg', # 0x115 'NtGdiSetColorAdjustment', # 0x116 'NtGdiSetColorSpace', # 0x117 'NtGdiSetDeviceGammaRamp', # 0x118 'NtGdiSetDIBitsToDeviceInternal', # 0x119 'NtGdiSetFontEnumeration', # 0x11a 'NtGdiSetFontXform', # 0x11b 'NtGdiSetIcmMode', # 0x11c 'NtGdiSetLinkedUFIs', # 0x11d 'NtGdiSetMagicColors', # 0x11e 'NtGdiSetMetaRgn', # 0x11f 'NtGdiSetMiterLimit', # 0x120 'NtGdiGetDeviceWidth', # 0x121 'NtGdiMirrorWindowOrg', # 0x122 'NtGdiSetLayout', # 0x123 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x124 'NtGdiSetPixel', # 0x125 'NtGdiSetPixelFormat', # 0x126 'NtGdiSetRectRgn', # 0x127 'NtGdiSetSystemPaletteUse', # 0x128 'NtGdiSetTextJustification', # 0x129 'NtGdiSetVirtualResolution', # 0x12a 'NtGdiSetSizeDevice', # 0x12b 'NtGdiStartDoc', # 0x12c 'NtGdiStartPage', # 0x12d 'NtGdiStretchBlt', # 0x12e 'NtGdiStretchDIBitsInternal', # 0x12f 'NtGdiStrokeAndFillPath', # 0x130 'NtGdiStrokePath', # 0x131 'NtGdiSwapBuffers', # 0x132 'NtGdiTransformPoints', # 0x133 'NtGdiTransparentBlt', # 0x134 'NtGdiUnloadPrinterDriver', # 0x135 'NtGdiUnmapMemFont', # 0x136 'NtGdiUnrealizeObject', # 0x137 'NtGdiUpdateColors', # 0x138 'NtGdiWidenPath', # 0x139 'NtUserActivateKeyboardLayout', # 0x13a 'NtUserAddClipboardFormatListener', # 0x13b 'NtUserAlterWindowStyle', # 0x13c 'NtUserAssociateInputContext', # 0x13d 'NtUserAttachThreadInput', # 0x13e 'NtUserBeginPaint', # 0x13f 'NtUserBitBltSysBmp', # 0x140 'NtUserBlockInput', # 0x141 'NtUserBuildHimcList', # 0x142 'NtUserBuildHwndList', # 0x143 'NtUserBuildNameList', # 0x144 'NtUserBuildPropList', # 0x145 'NtUserCallHwnd', # 0x146 'NtUserCallHwndLock', # 0x147 'NtUserCallHwndOpt', # 0x148 'NtUserCallHwndParam', # 0x149 'NtUserCallHwndParamLock', # 0x14a 'NtUserCallMsgFilter', # 0x14b 'NtUserCallNextHookEx', # 0x14c 'NtUserCallNoParam', # 0x14d 'NtUserCallOneParam', # 0x14e 'NtUserCallTwoParam', # 0x14f 'NtUserChangeClipboardChain', # 0x150 
'NtUserChangeDisplaySettings', # 0x151 'NtUserGetDisplayConfigBufferSizes', # 0x152 'NtUserSetDisplayConfig', # 0x153 'NtUserQueryDisplayConfig', # 0x154 'NtUserDisplayConfigGetDeviceInfo', # 0x155 'NtUserDisplayConfigSetDeviceInfo', # 0x156 'NtUserCheckAccessForIntegrityLevel', # 0x157 'NtUserCheckDesktopByThreadId', # 0x158 'NtUserCheckWindowThreadDesktop', # 0x159 'NtUserCheckMenuItem', # 0x15a 'NtUserChildWindowFromPointEx', # 0x15b 'NtUserClipCursor', # 0x15c 'NtUserCloseClipboard', # 0x15d 'NtUserCloseDesktop', # 0x15e 'NtUserCloseWindowStation', # 0x15f 'NtUserConsoleControl', # 0x160 'NtUserConvertMemHandle', # 0x161 'NtUserCopyAcceleratorTable', # 0x162 'NtUserCountClipboardFormats', # 0x163 'NtUserCreateAcceleratorTable', # 0x164 'NtUserCreateCaret', # 0x165 'NtUserCreateDesktopEx', # 0x166 'NtUserCreateInputContext', # 0x167 'NtUserCreateLocalMemHandle', # 0x168 'NtUserCreateWindowEx', # 0x169 'NtUserCreateWindowStation', # 0x16a 'NtUserDdeInitialize', # 0x16b 'NtUserDeferWindowPos', # 0x16c 'NtUserDefSetText', # 0x16d 'NtUserDeleteMenu', # 0x16e 'NtUserDestroyAcceleratorTable', # 0x16f 'NtUserDestroyCursor', # 0x170 'NtUserDestroyInputContext', # 0x171 'NtUserDestroyMenu', # 0x172 'NtUserDestroyWindow', # 0x173 'NtUserDisableThreadIme', # 0x174 'NtUserDispatchMessage', # 0x175 'NtUserDoSoundConnect', # 0x176 'NtUserDoSoundDisconnect', # 0x177 'NtUserDragDetect', # 0x178 'NtUserDragObject', # 0x179 'NtUserDrawAnimatedRects', # 0x17a 'NtUserDrawCaption', # 0x17b 'NtUserDrawCaptionTemp', # 0x17c 'NtUserDrawIconEx', # 0x17d 'NtUserDrawMenuBarTemp', # 0x17e 'NtUserEmptyClipboard', # 0x17f 'NtUserEnableMenuItem', # 0x180 'NtUserEnableScrollBar', # 0x181 'NtUserEndDeferWindowPosEx', # 0x182 'NtUserEndMenu', # 0x183 'NtUserEndPaint', # 0x184 'NtUserEnumDisplayDevices', # 0x185 'NtUserEnumDisplayMonitors', # 0x186 'NtUserEnumDisplaySettings', # 0x187 'NtUserEvent', # 0x188 'NtUserExcludeUpdateRgn', # 0x189 'NtUserFillWindow', # 0x18a 
'NtUserFindExistingCursorIcon', # 0x18b 'NtUserFindWindowEx', # 0x18c 'NtUserFlashWindowEx', # 0x18d 'NtUserFrostCrashedWindow', # 0x18e 'NtUserGetAltTabInfo', # 0x18f 'NtUserGetAncestor', # 0x190 'NtUserGetAppImeLevel', # 0x191 'NtUserGetAsyncKeyState', # 0x192 'NtUserGetAtomName', # 0x193 'NtUserGetCaretBlinkTime', # 0x194 'NtUserGetCaretPos', # 0x195 'NtUserGetClassInfoEx', # 0x196 'NtUserGetClassName', # 0x197 'NtUserGetClipboardData', # 0x198 'NtUserGetClipboardFormatName', # 0x199 'NtUserGetClipboardOwner', # 0x19a 'NtUserGetClipboardSequenceNumber', # 0x19b 'NtUserGetClipboardViewer', # 0x19c 'NtUserGetClipCursor', # 0x19d 'NtUserGetComboBoxInfo', # 0x19e 'NtUserGetControlBrush', # 0x19f 'NtUserGetControlColor', # 0x1a0 'NtUserGetCPD', # 0x1a1 'NtUserGetCursorFrameInfo', # 0x1a2 'NtUserGetCursorInfo', # 0x1a3 'NtUserGetDC', # 0x1a4 'NtUserGetDCEx', # 0x1a5 'NtUserGetDoubleClickTime', # 0x1a6 'NtUserGetForegroundWindow', # 0x1a7 'NtUserGetGuiResources', # 0x1a8 'NtUserGetGUIThreadInfo', # 0x1a9 'NtUserGetIconInfo', # 0x1aa 'NtUserGetIconSize', # 0x1ab 'NtUserGetImeHotKey', # 0x1ac 'NtUserGetImeInfoEx', # 0x1ad 'NtUserGetInputLocaleInfo', # 0x1ae 'NtUserGetInternalWindowPos', # 0x1af 'NtUserGetKeyboardLayoutList', # 0x1b0 'NtUserGetKeyboardLayoutName', # 0x1b1 'NtUserGetKeyboardState', # 0x1b2 'NtUserGetKeyNameText', # 0x1b3 'NtUserGetKeyState', # 0x1b4 'NtUserGetListBoxInfo', # 0x1b5 'NtUserGetMenuBarInfo', # 0x1b6 'NtUserGetMenuIndex', # 0x1b7 'NtUserGetMenuItemRect', # 0x1b8 'NtUserGetMessage', # 0x1b9 'NtUserGetMouseMovePointsEx', # 0x1ba 'NtUserGetObjectInformation', # 0x1bb 'NtUserGetOpenClipboardWindow', # 0x1bc 'NtUserGetPriorityClipboardFormat', # 0x1bd 'NtUserGetProcessWindowStation', # 0x1be 'NtUserGetRawInputBuffer', # 0x1bf 'NtUserGetRawInputData', # 0x1c0 'NtUserGetRawInputDeviceInfo', # 0x1c1 'NtUserGetRawInputDeviceList', # 0x1c2 'NtUserGetRegisteredRawInputDevices', # 0x1c3 'NtUserGetScrollBarInfo', # 0x1c4 'NtUserGetSystemMenu', # 0x1c5 
'NtUserGetThreadDesktop', # 0x1c6 'NtUserGetThreadState', # 0x1c7 'NtUserGetTitleBarInfo', # 0x1c8 'NtUserGetTopLevelWindow', # 0x1c9 'NtUserGetUpdatedClipboardFormats', # 0x1ca 'NtUserGetUpdateRect', # 0x1cb 'NtUserGetUpdateRgn', # 0x1cc 'NtUserGetWindowCompositionInfo', # 0x1cd 'NtUserGetWindowCompositionAttribute', # 0x1ce 'NtUserGetWindowDC', # 0x1cf 'NtUserGetWindowDisplayAffinity', # 0x1d0 'NtUserGetWindowPlacement', # 0x1d1 'NtUserGetWOWClass', # 0x1d2 'NtUserGhostWindowFromHungWindow', # 0x1d3 'NtUserHardErrorControl', # 0x1d4 'NtUserHideCaret', # 0x1d5 'NtUserHiliteMenuItem', # 0x1d6 'NtUserHungWindowFromGhostWindow', # 0x1d7 'NtUserImpersonateDdeClientWindow', # 0x1d8 'NtUserInitialize', # 0x1d9 'NtUserInitializeClientPfnArrays', # 0x1da 'NtUserInitTask', # 0x1db 'NtUserInternalGetWindowText', # 0x1dc 'NtUserInternalGetWindowIcon', # 0x1dd 'NtUserInvalidateRect', # 0x1de 'NtUserInvalidateRgn', # 0x1df 'NtUserIsClipboardFormatAvailable', # 0x1e0 'NtUserIsTopLevelWindow', # 0x1e1 'NtUserKillTimer', # 0x1e2 'NtUserLoadKeyboardLayoutEx', # 0x1e3 'NtUserLockWindowStation', # 0x1e4 'NtUserLockWindowUpdate', # 0x1e5 'NtUserLockWorkStation', # 0x1e6 'NtUserLogicalToPhysicalPoint', # 0x1e7 'NtUserMapVirtualKeyEx', # 0x1e8 'NtUserMenuItemFromPoint', # 0x1e9 'NtUserMessageCall', # 0x1ea 'NtUserMinMaximize', # 0x1eb 'NtUserMNDragLeave', # 0x1ec 'NtUserMNDragOver', # 0x1ed 'NtUserModifyUserStartupInfoFlags', # 0x1ee 'NtUserMoveWindow', # 0x1ef 'NtUserNotifyIMEStatus', # 0x1f0 'NtUserNotifyProcessCreate', # 0x1f1 'NtUserNotifyWinEvent', # 0x1f2 'NtUserOpenClipboard', # 0x1f3 'NtUserOpenDesktop', # 0x1f4 'NtUserOpenInputDesktop', # 0x1f5 'NtUserOpenThreadDesktop', # 0x1f6 'NtUserOpenWindowStation', # 0x1f7 'NtUserPaintDesktop', # 0x1f8 'NtUserPaintMonitor', # 0x1f9 'NtUserPeekMessage', # 0x1fa 'NtUserPhysicalToLogicalPoint', # 0x1fb 'NtUserPostMessage', # 0x1fc 'NtUserPostThreadMessage', # 0x1fd 'NtUserPrintWindow', # 0x1fe 'NtUserProcessConnect', # 0x1ff 
'NtUserQueryInformationThread', # 0x200 'NtUserQueryInputContext', # 0x201 'NtUserQuerySendMessage', # 0x202 'NtUserQueryWindow', # 0x203 'NtUserRealChildWindowFromPoint', # 0x204 'NtUserRealInternalGetMessage', # 0x205 'NtUserRealWaitMessageEx', # 0x206 'NtUserRedrawWindow', # 0x207 'NtUserRegisterClassExWOW', # 0x208 'NtUserRegisterErrorReportingDialog', # 0x209 'NtUserRegisterUserApiHook', # 0x20a 'NtUserRegisterHotKey', # 0x20b 'NtUserRegisterRawInputDevices', # 0x20c 'NtUserRegisterServicesProcess', # 0x20d 'NtUserRegisterTasklist', # 0x20e 'NtUserRegisterWindowMessage', # 0x20f 'NtUserRemoveClipboardFormatListener', # 0x210 'NtUserRemoveMenu', # 0x211 'NtUserRemoveProp', # 0x212 'NtUserResolveDesktopForWOW', # 0x213 'NtUserSBGetParms', # 0x214 'NtUserScrollDC', # 0x215 'NtUserScrollWindowEx', # 0x216 'NtUserSelectPalette', # 0x217 'NtUserSendInput', # 0x218 'NtUserSetActiveWindow', # 0x219 'NtUserSetAppImeLevel', # 0x21a 'NtUserSetCapture', # 0x21b 'NtUserSetChildWindowNoActivate', # 0x21c 'NtUserSetClassLong', # 0x21d 'NtUserSetClassWord', # 0x21e 'NtUserSetClipboardData', # 0x21f 'NtUserSetClipboardViewer', # 0x220 'NtUserSetCursor', # 0x221 'NtUserSetCursorContents', # 0x222 'NtUserSetCursorIconData', # 0x223 'NtUserSetFocus', # 0x224 'NtUserSetImeHotKey', # 0x225 'NtUserSetImeInfoEx', # 0x226 'NtUserSetImeOwnerWindow', # 0x227 'NtUserSetInformationThread', # 0x228 'NtUserSetInternalWindowPos', # 0x229 'NtUserSetKeyboardState', # 0x22a 'NtUserSetMenu', # 0x22b 'NtUserSetMenuContextHelpId', # 0x22c 'NtUserSetMenuDefaultItem', # 0x22d 'NtUserSetMenuFlagRtoL', # 0x22e 'NtUserSetObjectInformation', # 0x22f 'NtUserSetParent', # 0x230 'NtUserSetProcessWindowStation', # 0x231 'NtUserGetProp', # 0x232 'NtUserSetProp', # 0x233 'NtUserSetScrollInfo', # 0x234 'NtUserSetShellWindowEx', # 0x235 'NtUserSetSysColors', # 0x236 'NtUserSetSystemCursor', # 0x237 'NtUserSetSystemMenu', # 0x238 'NtUserSetSystemTimer', # 0x239 'NtUserSetThreadDesktop', # 0x23a 
'NtUserSetThreadLayoutHandles', # 0x23b 'NtUserSetThreadState', # 0x23c 'NtUserSetTimer', # 0x23d 'NtUserSetProcessDPIAware', # 0x23e 'NtUserSetWindowCompositionAttribute', # 0x23f 'NtUserSetWindowDisplayAffinity', # 0x240 'NtUserSetWindowFNID', # 0x241 'NtUserSetWindowLong', # 0x242 'NtUserSetWindowPlacement', # 0x243 'NtUserSetWindowPos', # 0x244 'NtUserSetWindowRgn', # 0x245 'NtUserGetWindowRgnEx', # 0x246 'NtUserSetWindowRgnEx', # 0x247 'NtUserSetWindowsHookAW', # 0x248 'NtUserSetWindowsHookEx', # 0x249 'NtUserSetWindowStationUser', # 0x24a 'NtUserSetWindowWord', # 0x24b 'NtUserSetWinEventHook', # 0x24c 'NtUserShowCaret', # 0x24d 'NtUserShowScrollBar', # 0x24e 'NtUserShowWindow', # 0x24f 'NtUserShowWindowAsync', # 0x250 'NtUserSoundSentry', # 0x251 'NtUserSwitchDesktop', # 0x252 'NtUserSystemParametersInfo', # 0x253 'NtUserTestForInteractiveUser', # 0x254 'NtUserThunkedMenuInfo', # 0x255 'NtUserThunkedMenuItemInfo', # 0x256 'NtUserToUnicodeEx', # 0x257 'NtUserTrackMouseEvent', # 0x258 'NtUserTrackPopupMenuEx', # 0x259 'NtUserCalculatePopupWindowPosition', # 0x25a 'NtUserCalcMenuBar', # 0x25b 'NtUserPaintMenuBar', # 0x25c 'NtUserTranslateAccelerator', # 0x25d 'NtUserTranslateMessage', # 0x25e 'NtUserUnhookWindowsHookEx', # 0x25f 'NtUserUnhookWinEvent', # 0x260 'NtUserUnloadKeyboardLayout', # 0x261 'NtUserUnlockWindowStation', # 0x262 'NtUserUnregisterClass', # 0x263 'NtUserUnregisterUserApiHook', # 0x264 'NtUserUnregisterHotKey', # 0x265 'NtUserUpdateInputContext', # 0x266 'NtUserUpdateInstance', # 0x267 'NtUserUpdateLayeredWindow', # 0x268 'NtUserGetLayeredWindowAttributes', # 0x269 'NtUserSetLayeredWindowAttributes', # 0x26a 'NtUserUpdatePerUserSystemParameters', # 0x26b 'NtUserUserHandleGrantAccess', # 0x26c 'NtUserValidateHandleSecure', # 0x26d 'NtUserValidateRect', # 0x26e 'NtUserValidateTimerCallback', # 0x26f 'NtUserVkKeyScanEx', # 0x270 'NtUserWaitForInputIdle', # 0x271 'NtUserWaitForMsgAndEvent', # 0x272 'NtUserWaitMessage', # 0x273 
'NtUserWindowFromPhysicalPoint', # 0x274 'NtUserWindowFromPoint', # 0x275 'NtUserYieldTask', # 0x276 'NtUserRemoteConnect', # 0x277 'NtUserRemoteRedrawRectangle', # 0x278 'NtUserRemoteRedrawScreen', # 0x279 'NtUserRemoteStopScreenUpdates', # 0x27a 'NtUserCtxDisplayIOCtl', # 0x27b 'NtUserRegisterSessionPort', # 0x27c 'NtUserUnregisterSessionPort', # 0x27d 'NtUserUpdateWindowTransform', # 0x27e 'NtUserDwmStartRedirection', # 0x27f 'NtUserDwmStopRedirection', # 0x280 'NtUserGetWindowMinimizeRect', # 0x281 'NtUserSfmDxBindSwapChain', # 0x282 'NtUserSfmDxOpenSwapChain', # 0x283 'NtUserSfmDxReleaseSwapChain', # 0x284 'NtUserSfmDxSetSwapChainBindingStatus', # 0x285 'NtUserSfmDxQuerySwapChainBindingStatus', # 0x286 'NtUserSfmDxReportPendingBindingsToDwm', # 0x287 'NtUserSfmDxGetSwapChainStats', # 0x288 'NtUserSfmDxSetSwapChainStats', # 0x289 'NtUserSfmGetLogicalSurfaceBinding', # 0x28a 'NtUserSfmDestroyLogicalSurfaceBinding', # 0x28b 'NtUserModifyWindowTouchCapability', # 0x28c 'NtUserIsTouchWindow', # 0x28d 'NtUserSendTouchInput', # 0x28e 'NtUserEndTouchOperation', # 0x28f 'NtUserGetTouchInputInfo', # 0x290 'NtUserChangeWindowMessageFilterEx', # 0x291 'NtUserInjectGesture', # 0x292 'NtUserGetGestureInfo', # 0x293 'NtUserGetGestureExtArgs', # 0x294 'NtUserManageGestureHandlerWindow', # 0x295 'NtUserSetGestureConfig', # 0x296 'NtUserGetGestureConfig', # 0x297 'NtGdiEngAssociateSurface', # 0x298 'NtGdiEngCreateBitmap', # 0x299 'NtGdiEngCreateDeviceSurface', # 0x29a 'NtGdiEngCreateDeviceBitmap', # 0x29b 'NtGdiEngCreatePalette', # 0x29c 'NtGdiEngComputeGlyphSet', # 0x29d 'NtGdiEngCopyBits', # 0x29e 'NtGdiEngDeletePalette', # 0x29f 'NtGdiEngDeleteSurface', # 0x2a0 'NtGdiEngEraseSurface', # 0x2a1 'NtGdiEngUnlockSurface', # 0x2a2 'NtGdiEngLockSurface', # 0x2a3 'NtGdiEngBitBlt', # 0x2a4 'NtGdiEngStretchBlt', # 0x2a5 'NtGdiEngPlgBlt', # 0x2a6 'NtGdiEngMarkBandingSurface', # 0x2a7 'NtGdiEngStrokePath', # 0x2a8 'NtGdiEngFillPath', # 0x2a9 'NtGdiEngStrokeAndFillPath', # 0x2aa 
'NtGdiEngPaint', # 0x2ab 'NtGdiEngLineTo', # 0x2ac 'NtGdiEngAlphaBlend', # 0x2ad 'NtGdiEngGradientFill', # 0x2ae 'NtGdiEngTransparentBlt', # 0x2af 'NtGdiEngTextOut', # 0x2b0 'NtGdiEngStretchBltROP', # 0x2b1 'NtGdiXLATEOBJ_cGetPalette', # 0x2b2 'NtGdiXLATEOBJ_iXlate', # 0x2b3 'NtGdiXLATEOBJ_hGetColorTransform', # 0x2b4 'NtGdiCLIPOBJ_bEnum', # 0x2b5 'NtGdiCLIPOBJ_cEnumStart', # 0x2b6 'NtGdiCLIPOBJ_ppoGetPath', # 0x2b7 'NtGdiEngDeletePath', # 0x2b8 'NtGdiEngCreateClip', # 0x2b9 'NtGdiEngDeleteClip', # 0x2ba 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x2bb 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x2bc 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x2bd 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x2be 'NtGdiXFORMOBJ_bApplyXform', # 0x2bf 'NtGdiXFORMOBJ_iGetXform', # 0x2c0 'NtGdiFONTOBJ_vGetInfo', # 0x2c1 'NtGdiFONTOBJ_pxoGetXform', # 0x2c2 'NtGdiFONTOBJ_cGetGlyphs', # 0x2c3 'NtGdiFONTOBJ_pifi', # 0x2c4 'NtGdiFONTOBJ_pfdg', # 0x2c5 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x2c6 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x2c7 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x2c8 'NtGdiSTROBJ_bEnum', # 0x2c9 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x2ca 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x2cb 'NtGdiSTROBJ_vEnumStart', # 0x2cc 'NtGdiSTROBJ_dwGetCodePage', # 0x2cd 'NtGdiPATHOBJ_vGetBounds', # 0x2ce 'NtGdiPATHOBJ_bEnum', # 0x2cf 'NtGdiPATHOBJ_vEnumStart', # 0x2d0 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x2d1 'NtGdiPATHOBJ_bEnumClipLines', # 0x2d2 'NtGdiGetDhpdev', # 0x2d3 'NtGdiEngCheckAbort', # 0x2d4 'NtGdiHT_Get8BPPFormatPalette', # 0x2d5 'NtGdiHT_Get8BPPMaskPalette', # 0x2d6 'NtGdiUpdateTransform', # 0x2d7 'NtGdiSetPUMPDOBJ', # 0x2d8 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x2d9 'NtGdiUMPDEngFreeUserMem', # 0x2da 'NtGdiDrawStream', # 0x2db 'NtGdiSfmGetNotificationTokens', # 0x2dc 'NtGdiHLSurfGetInformation', # 0x2dd 'NtGdiHLSurfSetInformation', # 0x2de 'NtGdiDdDDICreateAllocation', # 0x2df 'NtGdiDdDDIQueryResourceInfo', # 0x2e0 'NtGdiDdDDIOpenResource', # 0x2e1 'NtGdiDdDDIDestroyAllocation', # 0x2e2 'NtGdiDdDDISetAllocationPriority', # 
0x2e3 'NtGdiDdDDIQueryAllocationResidency', # 0x2e4 'NtGdiDdDDICreateDevice', # 0x2e5 'NtGdiDdDDIDestroyDevice', # 0x2e6 'NtGdiDdDDICreateContext', # 0x2e7 'NtGdiDdDDIDestroyContext', # 0x2e8 'NtGdiDdDDICreateSynchronizationObject', # 0x2e9 'NtGdiDdDDIOpenSynchronizationObject', # 0x2ea 'NtGdiDdDDIDestroySynchronizationObject', # 0x2eb 'NtGdiDdDDIWaitForSynchronizationObject', # 0x2ec 'NtGdiDdDDISignalSynchronizationObject', # 0x2ed 'NtGdiDdDDIGetRuntimeData', # 0x2ee 'NtGdiDdDDIQueryAdapterInfo', # 0x2ef 'NtGdiDdDDILock', # 0x2f0 'NtGdiDdDDIUnlock', # 0x2f1 'NtGdiDdDDIGetDisplayModeList', # 0x2f2 'NtGdiDdDDISetDisplayMode', # 0x2f3 'NtGdiDdDDIGetMultisampleMethodList', # 0x2f4 'NtGdiDdDDIPresent', # 0x2f5 'NtGdiDdDDIRender', # 0x2f6 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x2f7 'NtGdiDdDDIOpenAdapterFromHdc', # 0x2f8 'NtGdiDdDDICloseAdapter', # 0x2f9 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x2fa 'NtGdiDdDDIEscape', # 0x2fb 'NtGdiDdDDIQueryStatistics', # 0x2fc 'NtGdiDdDDISetVidPnSourceOwner', # 0x2fd 'NtGdiDdDDIGetPresentHistory', # 0x2fe 'NtGdiDdDDIGetPresentQueueEvent', # 0x2ff 'NtGdiDdDDICreateOverlay', # 0x300 'NtGdiDdDDIUpdateOverlay', # 0x301 'NtGdiDdDDIFlipOverlay', # 0x302 'NtGdiDdDDIDestroyOverlay', # 0x303 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x304 'NtGdiDdDDISetGammaRamp', # 0x305 'NtGdiDdDDIGetDeviceState', # 0x306 'NtGdiDdDDICreateDCFromMemory', # 0x307 'NtGdiDdDDIDestroyDCFromMemory', # 0x308 'NtGdiDdDDISetContextSchedulingPriority', # 0x309 'NtGdiDdDDIGetContextSchedulingPriority', # 0x30a 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x30b 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x30c 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x30d 'NtGdiDdDDIGetScanLine', # 0x30e 'NtGdiDdDDISetQueuedLimit', # 0x30f 'NtGdiDdDDIPollDisplayChildren', # 0x310 'NtGdiDdDDIInvalidateActiveVidPn', # 0x311 'NtGdiDdDDICheckOcclusion', # 0x312 'NtGdiDdDDIWaitForIdle', # 0x313 'NtGdiDdDDICheckMonitorPowerState', # 0x314 'NtGdiDdDDICheckExclusiveOwnership', 
# 0x315 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x316 'NtGdiDdDDISharedPrimaryLockNotification', # 0x317 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x318 'NtGdiDdDDICreateKeyedMutex', # 0x319 'NtGdiDdDDIOpenKeyedMutex', # 0x31a 'NtGdiDdDDIDestroyKeyedMutex', # 0x31b 'NtGdiDdDDIAcquireKeyedMutex', # 0x31c 'NtGdiDdDDIReleaseKeyedMutex', # 0x31d 'NtGdiDdDDIConfigureSharedResource', # 0x31e 'NtGdiDdDDIGetOverlayState', # 0x31f 'NtGdiDdDDICheckVidPnExclusiveOwnership', # 0x320 'NtGdiDdDDICheckSharedResourceAccess', # 0x321 'DxgStubEnableDirectDrawRedirection', # 0x322 'DxgStubDeleteDirectDrawObject', # 0x323 'NtGdiGetNumberOfPhysicalMonitors', # 0x324 'NtGdiGetPhysicalMonitors', # 0x325 'NtGdiGetPhysicalMonitorDescription', # 0x326 'NtGdiDestroyPhysicalMonitor', # 0x327 'NtGdiDDCCIGetVCPFeature', # 0x328 'NtGdiDDCCISetVCPFeature', # 0x329 'NtGdiDDCCISaveCurrentSettings', # 0x32a 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x32b 'NtGdiDDCCIGetCapabilitiesString', # 0x32c 'NtGdiDDCCIGetTimingReport', # 0x32d 'NtGdiDdCreateFullscreenSprite', # 0x32e 'NtGdiDdNotifyFullscreenSpriteUpdate', # 0x32f 'NtGdiDdDestroyFullscreenSprite', # 0x330 'NtGdiDdQueryVisRgnUniqueness', # 0x331 'NtUserSetMirrorRendering', # 0x332 'NtUserShowSystemCursor', # 0x333 'NtUserMagControl', # 0x334 'NtUserMagSetContextInformation', # 0x335 'NtUserMagGetContextInformation', # 0x336 'NtUserHwndQueryRedirectionInfo', # 0x337 'NtUserHwndSetRedirectionInfo', # 0x338 ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win8_sp0_x64_syscalls.py0000755000000000000000000015102313131215405031020 0ustar rootrootsyscalls = [ [ 'NtWorkerFactoryWorkerReady', # 0x0 'NtMapUserPhysicalPagesScatter', # 0x1 'NtWaitForSingleObject', # 0x2 'NtCallbackReturn', # 0x3 'NtReadFile', # 0x4 'NtDeviceIoControlFile', # 0x5 'NtWriteFile', # 0x6 'NtRemoveIoCompletion', # 0x7 'NtReleaseSemaphore', # 0x8 'NtReplyWaitReceivePort', # 0x9 'NtReplyPort', # 0xa 'NtSetInformationThread', # 0xb 'NtSetEvent', 
# 0xc 'NtClose', # 0xd 'NtQueryObject', # 0xe 'NtQueryInformationFile', # 0xf 'NtOpenKey', # 0x10 'NtEnumerateValueKey', # 0x11 'NtFindAtom', # 0x12 'NtQueryDefaultLocale', # 0x13 'NtQueryKey', # 0x14 'NtQueryValueKey', # 0x15 'NtAllocateVirtualMemory', # 0x16 'NtQueryInformationProcess', # 0x17 'NtWaitForMultipleObjects32', # 0x18 'NtWriteFileGather', # 0x19 'NtSetInformationProcess', # 0x1a 'NtCreateKey', # 0x1b 'NtFreeVirtualMemory', # 0x1c 'NtImpersonateClientOfPort', # 0x1d 'NtReleaseMutant', # 0x1e 'NtQueryInformationToken', # 0x1f 'NtRequestWaitReplyPort', # 0x20 'NtQueryVirtualMemory', # 0x21 'NtOpenThreadToken', # 0x22 'NtQueryInformationThread', # 0x23 'NtOpenProcess', # 0x24 'NtSetInformationFile', # 0x25 'NtMapViewOfSection', # 0x26 'NtAccessCheckAndAuditAlarm', # 0x27 'NtUnmapViewOfSection', # 0x28 'NtReplyWaitReceivePortEx', # 0x29 'NtTerminateProcess', # 0x2a 'NtSetEventBoostPriority', # 0x2b 'NtReadFileScatter', # 0x2c 'NtOpenThreadTokenEx', # 0x2d 'NtOpenProcessTokenEx', # 0x2e 'NtQueryPerformanceCounter', # 0x2f 'NtEnumerateKey', # 0x30 'NtOpenFile', # 0x31 'NtDelayExecution', # 0x32 'NtQueryDirectoryFile', # 0x33 'NtQuerySystemInformation', # 0x34 'NtOpenSection', # 0x35 'NtQueryTimer', # 0x36 'NtFsControlFile', # 0x37 'NtWriteVirtualMemory', # 0x38 'NtCloseObjectAuditAlarm', # 0x39 'NtDuplicateObject', # 0x3a 'NtQueryAttributesFile', # 0x3b 'NtClearEvent', # 0x3c 'NtReadVirtualMemory', # 0x3d 'NtOpenEvent', # 0x3e 'NtAdjustPrivilegesToken', # 0x3f 'NtDuplicateToken', # 0x40 'NtContinue', # 0x41 'NtQueryDefaultUILanguage', # 0x42 'NtQueueApcThread', # 0x43 'NtYieldExecution', # 0x44 'NtAddAtom', # 0x45 'NtCreateEvent', # 0x46 'NtQueryVolumeInformationFile', # 0x47 'NtCreateSection', # 0x48 'NtFlushBuffersFile', # 0x49 'NtApphelpCacheControl', # 0x4a 'NtCreateProcessEx', # 0x4b 'NtCreateThread', # 0x4c 'NtIsProcessInJob', # 0x4d 'NtProtectVirtualMemory', # 0x4e 'NtQuerySection', # 0x4f 'NtResumeThread', # 0x50 'NtTerminateThread', # 0x51 
'NtReadRequestData', # 0x52 'NtCreateFile', # 0x53 'NtQueryEvent', # 0x54 'NtWriteRequestData', # 0x55 'NtOpenDirectoryObject', # 0x56 'NtAccessCheckByTypeAndAuditAlarm', # 0x57 'UNKNOWN', # 0x58 'NtWaitForMultipleObjects', # 0x59 'NtSetInformationObject', # 0x5a 'NtCancelIoFile', # 0x5b 'NtTraceEvent', # 0x5c 'NtPowerInformation', # 0x5d 'NtSetValueKey', # 0x5e 'NtCancelTimer', # 0x5f 'NtSetTimer', # 0x60 'NtAcceptConnectPort', # 0x61 'NtAccessCheck', # 0x62 'NtAccessCheckByType', # 0x63 'NtAccessCheckByTypeResultList', # 0x64 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x65 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x66 'NtAddAtomEx', # 0x67 'NtAddBootEntry', # 0x68 'NtAddDriverEntry', # 0x69 'NtAdjustGroupsToken', # 0x6a 'NtAdjustTokenClaimsAndDeviceGroups', # 0x6b 'NtAlertResumeThread', # 0x6c 'NtAlertThread', # 0x6d 'NtAlertThreadByThreadId', # 0x6e 'NtAllocateLocallyUniqueId', # 0x6f 'NtAllocateReserveObject', # 0x70 'NtAllocateUserPhysicalPages', # 0x71 'NtAllocateUuids', # 0x72 'NtAlpcAcceptConnectPort', # 0x73 'NtAlpcCancelMessage', # 0x74 'NtAlpcConnectPort', # 0x75 'NtAlpcConnectPortEx', # 0x76 'NtAlpcCreatePort', # 0x77 'NtAlpcCreatePortSection', # 0x78 'NtAlpcCreateResourceReserve', # 0x79 'NtAlpcCreateSectionView', # 0x7a 'NtAlpcCreateSecurityContext', # 0x7b 'NtAlpcDeletePortSection', # 0x7c 'NtAlpcDeleteResourceReserve', # 0x7d 'NtAlpcDeleteSectionView', # 0x7e 'NtAlpcDeleteSecurityContext', # 0x7f 'NtAlpcDisconnectPort', # 0x80 'NtAlpcImpersonateClientOfPort', # 0x81 'NtAlpcOpenSenderProcess', # 0x82 'NtAlpcOpenSenderThread', # 0x83 'NtAlpcQueryInformation', # 0x84 'NtAlpcQueryInformationMessage', # 0x85 'NtAlpcRevokeSecurityContext', # 0x86 'NtAlpcSendWaitReceivePort', # 0x87 'NtAlpcSetInformation', # 0x88 'NtAreMappedFilesTheSame', # 0x89 'NtAssignProcessToJobObject', # 0x8a 'NtAssociateWaitCompletionPacket', # 0x8b 'NtCancelIoFileEx', # 0x8c 'NtCancelSynchronousIoFile', # 0x8d 'NtCancelWaitCompletionPacket', # 0x8e 
'NtCommitComplete', # 0x8f 'NtCommitEnlistment', # 0x90 'NtCommitTransaction', # 0x91 'NtCompactKeys', # 0x92 'NtCompareTokens', # 0x93 'NtCompleteConnectPort', # 0x94 'NtCompressKey', # 0x95 'NtConnectPort', # 0x96 'NtCreateDebugObject', # 0x97 'NtCreateDirectoryObject', # 0x98 'NtCreateDirectoryObjectEx', # 0x99 'NtCreateEnlistment', # 0x9a 'NtCreateEventPair', # 0x9b 'NtCreateIRTimer', # 0x9c 'NtCreateIoCompletion', # 0x9d 'NtCreateJobObject', # 0x9e 'NtCreateJobSet', # 0x9f 'NtCreateKeyTransacted', # 0xa0 'NtCreateKeyedEvent', # 0xa1 'NtCreateLowBoxToken', # 0xa2 'NtCreateMailslotFile', # 0xa3 'NtCreateMutant', # 0xa4 'NtCreateNamedPipeFile', # 0xa5 'NtCreatePagingFile', # 0xa6 'NtCreatePort', # 0xa7 'NtCreatePrivateNamespace', # 0xa8 'NtCreateProcess', # 0xa9 'NtCreateProfile', # 0xaa 'NtCreateProfileEx', # 0xab 'NtCreateResourceManager', # 0xac 'NtCreateSemaphore', # 0xad 'NtCreateSymbolicLinkObject', # 0xae 'NtCreateThreadEx', # 0xaf 'NtCreateTimer', # 0xb0 'NtCreateToken', # 0xb1 'NtCreateTokenEx', # 0xb2 'NtCreateTransaction', # 0xb3 'NtCreateTransactionManager', # 0xb4 'NtCreateUserProcess', # 0xb5 'NtCreateWaitCompletionPacket', # 0xb6 'NtCreateWaitablePort', # 0xb7 'NtCreateWnfStateName', # 0xb8 'NtCreateWorkerFactory', # 0xb9 'NtDebugActiveProcess', # 0xba 'NtDebugContinue', # 0xbb 'NtDeleteAtom', # 0xbc 'NtDeleteBootEntry', # 0xbd 'NtDeleteDriverEntry', # 0xbe 'NtDeleteFile', # 0xbf 'NtDeleteKey', # 0xc0 'NtDeleteObjectAuditAlarm', # 0xc1 'NtDeletePrivateNamespace', # 0xc2 'NtDeleteValueKey', # 0xc3 'NtDeleteWnfStateData', # 0xc4 'NtDeleteWnfStateName', # 0xc5 'NtDisableLastKnownGood', # 0xc6 'NtDisplayString', # 0xc7 'NtDrawText', # 0xc8 'NtEnableLastKnownGood', # 0xc9 'NtEnumerateBootEntries', # 0xca 'NtEnumerateDriverEntries', # 0xcb 'NtEnumerateSystemEnvironmentValuesEx', # 0xcc 'NtEnumerateTransactionObject', # 0xcd 'NtExtendSection', # 0xce 'NtFilterBootOption', # 0xcf 'NtFilterToken', # 0xd0 'NtFilterTokenEx', # 0xd1 'NtFlushBuffersFileEx', # 
0xd2 'NtFlushInstallUILanguage', # 0xd3 'NtFlushInstructionCache', # 0xd4 'NtFlushKey', # 0xd5 'NtFlushProcessWriteBuffers', # 0xd6 'NtFlushVirtualMemory', # 0xd7 'NtFlushWriteBuffer', # 0xd8 'NtFreeUserPhysicalPages', # 0xd9 'NtFreezeRegistry', # 0xda 'NtFreezeTransactions', # 0xdb 'NtGetCachedSigningLevel', # 0xdc 'NtGetContextThread', # 0xdd 'NtGetCurrentProcessorNumber', # 0xde 'NtGetDevicePowerState', # 0xdf 'NtGetMUIRegistryInfo', # 0xe0 'NtGetNextProcess', # 0xe1 'NtGetNextThread', # 0xe2 'NtGetNlsSectionPtr', # 0xe3 'NtGetNotificationResourceManager', # 0xe4 'NtGetWriteWatch', # 0xe5 'NtImpersonateAnonymousToken', # 0xe6 'NtImpersonateThread', # 0xe7 'NtInitializeNlsFiles', # 0xe8 'NtInitializeRegistry', # 0xe9 'NtInitiatePowerAction', # 0xea 'NtIsSystemResumeAutomatic', # 0xeb 'NtIsUILanguageComitted', # 0xec 'NtListenPort', # 0xed 'NtLoadDriver', # 0xee 'NtLoadKey', # 0xef 'NtLoadKey2', # 0xf0 'NtLoadKeyEx', # 0xf1 'NtLockFile', # 0xf2 'NtLockProductActivationKeys', # 0xf3 'NtLockRegistryKey', # 0xf4 'NtLockVirtualMemory', # 0xf5 'NtMakePermanentObject', # 0xf6 'NtMakeTemporaryObject', # 0xf7 'NtMapCMFModule', # 0xf8 'NtMapUserPhysicalPages', # 0xf9 'NtModifyBootEntry', # 0xfa 'NtModifyDriverEntry', # 0xfb 'NtNotifyChangeDirectoryFile', # 0xfc 'NtNotifyChangeKey', # 0xfd 'NtNotifyChangeMultipleKeys', # 0xfe 'NtNotifyChangeSession', # 0xff 'NtOpenEnlistment', # 0x100 'NtOpenEventPair', # 0x101 'NtOpenIoCompletion', # 0x102 'NtOpenJobObject', # 0x103 'NtOpenKeyEx', # 0x104 'NtOpenKeyTransacted', # 0x105 'NtOpenKeyTransactedEx', # 0x106 'NtOpenKeyedEvent', # 0x107 'NtOpenMutant', # 0x108 'NtOpenObjectAuditAlarm', # 0x109 'NtOpenPrivateNamespace', # 0x10a 'NtOpenProcessToken', # 0x10b 'NtOpenResourceManager', # 0x10c 'NtOpenSemaphore', # 0x10d 'NtOpenSession', # 0x10e 'NtOpenSymbolicLinkObject', # 0x10f 'NtOpenThread', # 0x110 'NtOpenTimer', # 0x111 'NtOpenTransaction', # 0x112 'NtOpenTransactionManager', # 0x113 'NtPlugPlayControl', # 0x114 
'NtPrePrepareComplete', # 0x115 'NtPrePrepareEnlistment', # 0x116 'NtPrepareComplete', # 0x117 'NtPrepareEnlistment', # 0x118 'NtPrivilegeCheck', # 0x119 'NtPrivilegeObjectAuditAlarm', # 0x11a 'NtPrivilegedServiceAuditAlarm', # 0x11b 'NtPropagationComplete', # 0x11c 'NtPropagationFailed', # 0x11d 'NtPulseEvent', # 0x11e 'NtQueryBootEntryOrder', # 0x11f 'NtQueryBootOptions', # 0x120 'NtQueryDebugFilterState', # 0x121 'NtQueryDirectoryObject', # 0x122 'NtQueryDriverEntryOrder', # 0x123 'NtQueryEaFile', # 0x124 'NtQueryFullAttributesFile', # 0x125 'NtQueryInformationAtom', # 0x126 'NtQueryInformationEnlistment', # 0x127 'NtQueryInformationJobObject', # 0x128 'NtQueryInformationPort', # 0x129 'NtQueryInformationResourceManager', # 0x12a 'NtQueryInformationTransaction', # 0x12b 'NtQueryInformationTransactionManager', # 0x12c 'NtQueryInformationWorkerFactory', # 0x12d 'NtQueryInstallUILanguage', # 0x12e 'NtQueryIntervalProfile', # 0x12f 'NtQueryIoCompletion', # 0x130 'NtQueryLicenseValue', # 0x131 'NtQueryMultipleValueKey', # 0x132 'NtQueryMutant', # 0x133 'NtQueryOpenSubKeys', # 0x134 'NtQueryOpenSubKeysEx', # 0x135 'NtQueryPortInformationProcess', # 0x136 'NtQueryQuotaInformationFile', # 0x137 'NtQuerySecurityAttributesToken', # 0x138 'NtQuerySecurityObject', # 0x139 'NtQuerySemaphore', # 0x13a 'NtQuerySymbolicLinkObject', # 0x13b 'NtQuerySystemEnvironmentValue', # 0x13c 'NtQuerySystemEnvironmentValueEx', # 0x13d 'NtQuerySystemInformationEx', # 0x13e 'NtQueryTimerResolution', # 0x13f 'NtQueryWnfStateData', # 0x140 'NtQueryWnfStateNameInformation', # 0x141 'NtQueueApcThreadEx', # 0x142 'NtRaiseException', # 0x143 'NtRaiseHardError', # 0x144 'NtReadOnlyEnlistment', # 0x145 'NtRecoverEnlistment', # 0x146 'NtRecoverResourceManager', # 0x147 'NtRecoverTransactionManager', # 0x148 'NtRegisterProtocolAddressInformation', # 0x149 'NtRegisterThreadTerminatePort', # 0x14a 'NtReleaseKeyedEvent', # 0x14b 'NtReleaseWorkerFactoryWorker', # 0x14c 'NtRemoveIoCompletionEx', # 0x14d 
'NtRemoveProcessDebug', # 0x14e 'NtRenameKey', # 0x14f 'NtRenameTransactionManager', # 0x150 'NtReplaceKey', # 0x151 'NtReplacePartitionUnit', # 0x152 'NtReplyWaitReplyPort', # 0x153 'NtRequestPort', # 0x154 'NtResetEvent', # 0x155 'NtResetWriteWatch', # 0x156 'NtRestoreKey', # 0x157 'NtResumeProcess', # 0x158 'NtRollbackComplete', # 0x159 'NtRollbackEnlistment', # 0x15a 'NtRollbackTransaction', # 0x15b 'NtRollforwardTransactionManager', # 0x15c 'NtSaveKey', # 0x15d 'NtSaveKeyEx', # 0x15e 'NtSaveMergedKeys', # 0x15f 'NtSecureConnectPort', # 0x160 'NtSerializeBoot', # 0x161 'NtSetBootEntryOrder', # 0x162 'NtSetBootOptions', # 0x163 'NtSetCachedSigningLevel', # 0x164 'NtSetContextThread', # 0x165 'NtSetDebugFilterState', # 0x166 'NtSetDefaultHardErrorPort', # 0x167 'NtSetDefaultLocale', # 0x168 'NtSetDefaultUILanguage', # 0x169 'NtSetDriverEntryOrder', # 0x16a 'NtSetEaFile', # 0x16b 'NtSetHighEventPair', # 0x16c 'NtSetHighWaitLowEventPair', # 0x16d 'NtSetIRTimer', # 0x16e 'NtSetInformationDebugObject', # 0x16f 'NtSetInformationEnlistment', # 0x170 'NtSetInformationJobObject', # 0x171 'NtSetInformationKey', # 0x172 'NtSetInformationResourceManager', # 0x173 'NtSetInformationToken', # 0x174 'NtSetInformationTransaction', # 0x175 'NtSetInformationTransactionManager', # 0x176 'NtSetInformationVirtualMemory', # 0x177 'NtSetInformationWorkerFactory', # 0x178 'NtSetIntervalProfile', # 0x179 'NtSetIoCompletion', # 0x17a 'NtSetIoCompletionEx', # 0x17b 'NtSetLdtEntries', # 0x17c 'NtSetLowEventPair', # 0x17d 'NtSetLowWaitHighEventPair', # 0x17e 'NtSetQuotaInformationFile', # 0x17f 'NtSetSecurityObject', # 0x180 'NtSetSystemEnvironmentValue', # 0x181 'NtSetSystemEnvironmentValueEx', # 0x182 'NtSetSystemInformation', # 0x183 'NtSetSystemPowerState', # 0x184 'NtSetSystemTime', # 0x185 'NtSetThreadExecutionState', # 0x186 'NtSetTimerEx', # 0x187 'NtSetTimerResolution', # 0x188 'NtSetUuidSeed', # 0x189 'NtSetVolumeInformationFile', # 0x18a 'NtShutdownSystem', # 0x18b 
'NtShutdownWorkerFactory', # 0x18c 'NtSignalAndWaitForSingleObject', # 0x18d 'NtSinglePhaseReject', # 0x18e 'NtStartProfile', # 0x18f 'NtStopProfile', # 0x190 'NtSubscribeWnfStateChange', # 0x191 'NtSuspendProcess', # 0x192 'NtSuspendThread', # 0x193 'NtSystemDebugControl', # 0x194 'NtTerminateJobObject', # 0x195 'NtTestAlert', # 0x196 'NtThawRegistry', # 0x197 'NtThawTransactions', # 0x198 'NtTraceControl', # 0x199 'NtTranslateFilePath', # 0x19a 'NtUmsThreadYield', # 0x19b 'NtUnloadDriver', # 0x19c 'NtUnloadKey', # 0x19d 'NtUnloadKey2', # 0x19e 'NtUnloadKeyEx', # 0x19f 'NtUnlockFile', # 0x1a0 'NtUnlockVirtualMemory', # 0x1a1 'NtUnmapViewOfSectionEx', # 0x1a2 'NtUnsubscribeWnfStateChange', # 0x1a3 'NtUpdateWnfStateData', # 0x1a4 'NtVdmControl', # 0x1a5 'NtWaitForAlertByThreadId', # 0x1a6 'NtWaitForDebugEvent', # 0x1a7 'NtWaitForKeyedEvent', # 0x1a8 'NtWaitForWnfNotifications', # 0x1a9 'NtWaitForWorkViaWorkerFactory', # 0x1aa 'NtWaitHighEventPair', # 0x1ab 'NtWaitLowEventPair', # 0x1ac ], [ 'NtUserYieldTask', # 0x0 'NtUserGetThreadState', # 0x1 'NtUserPeekMessage', # 0x2 'NtUserCallOneParam', # 0x3 'NtUserGetKeyState', # 0x4 'NtUserInvalidateRect', # 0x5 'NtUserCallNoParam', # 0x6 'NtUserGetMessage', # 0x7 'NtUserMessageCall', # 0x8 'NtGdiBitBlt', # 0x9 'NtGdiGetCharSet', # 0xa 'NtUserGetDC', # 0xb 'NtGdiSelectBitmap', # 0xc 'NtUserWaitMessage', # 0xd 'NtUserTranslateMessage', # 0xe 'NtUserGetProp', # 0xf 'NtUserPostMessage', # 0x10 'NtUserQueryWindow', # 0x11 'NtUserTranslateAccelerator', # 0x12 'NtGdiFlush', # 0x13 'NtUserRedrawWindow', # 0x14 'NtUserWindowFromPoint', # 0x15 'NtUserCallMsgFilter', # 0x16 'NtUserValidateTimerCallback', # 0x17 'NtUserBeginPaint', # 0x18 'NtUserSetTimer', # 0x19 'NtUserEndPaint', # 0x1a 'NtUserSetCursor', # 0x1b 'NtUserKillTimer', # 0x1c 'NtUserBuildHwndList', # 0x1d 'NtUserSelectPalette', # 0x1e 'NtUserCallNextHookEx', # 0x1f 'NtUserHideCaret', # 0x20 'NtGdiIntersectClipRect', # 0x21 'NtUserCallHwndLock', # 0x22 
'NtUserGetProcessWindowStation', # 0x23 'NtGdiDeleteObjectApp', # 0x24 'NtUserSetWindowPos', # 0x25 'NtUserShowCaret', # 0x26 'NtUserEndDeferWindowPosEx', # 0x27 'NtUserCallHwndParamLock', # 0x28 'NtUserVkKeyScanEx', # 0x29 'NtGdiSetDIBitsToDeviceInternal', # 0x2a 'NtUserCallTwoParam', # 0x2b 'NtGdiGetRandomRgn', # 0x2c 'NtUserCopyAcceleratorTable', # 0x2d 'NtUserNotifyWinEvent', # 0x2e 'NtGdiExtSelectClipRgn', # 0x2f 'NtUserIsClipboardFormatAvailable', # 0x30 'NtUserSetScrollInfo', # 0x31 'NtGdiStretchBlt', # 0x32 'NtUserCreateCaret', # 0x33 'NtGdiRectVisible', # 0x34 'NtGdiCombineRgn', # 0x35 'NtGdiGetDCObject', # 0x36 'NtUserDispatchMessage', # 0x37 'NtUserRegisterWindowMessage', # 0x38 'NtGdiExtTextOutW', # 0x39 'NtGdiSelectFont', # 0x3a 'NtGdiRestoreDC', # 0x3b 'NtGdiSaveDC', # 0x3c 'NtUserGetForegroundWindow', # 0x3d 'NtUserShowScrollBar', # 0x3e 'NtUserFindExistingCursorIcon', # 0x3f 'NtGdiGetDCDword', # 0x40 'NtGdiGetRegionData', # 0x41 'NtGdiLineTo', # 0x42 'NtUserSystemParametersInfo', # 0x43 'NtGdiGetAppClipBox', # 0x44 'NtUserGetAsyncKeyState', # 0x45 'NtUserGetCPD', # 0x46 'NtUserRemoveProp', # 0x47 'NtGdiDoPalette', # 0x48 'NtGdiPolyPolyDraw', # 0x49 'NtUserSetCapture', # 0x4a 'NtUserEnumDisplayMonitors', # 0x4b 'NtGdiCreateCompatibleBitmap', # 0x4c 'NtUserSetProp', # 0x4d 'NtGdiGetTextCharsetInfo', # 0x4e 'NtUserSBGetParms', # 0x4f 'NtUserGetIconInfo', # 0x50 'NtUserExcludeUpdateRgn', # 0x51 'NtUserSetFocus', # 0x52 'NtGdiExtGetObjectW', # 0x53 'NtUserGetUpdateRect', # 0x54 'NtGdiCreateCompatibleDC', # 0x55 'NtUserGetClipboardSequenceNumber', # 0x56 'NtGdiCreatePen', # 0x57 'NtUserShowWindow', # 0x58 'NtUserGetKeyboardLayoutList', # 0x59 'NtGdiPatBlt', # 0x5a 'NtUserMapVirtualKeyEx', # 0x5b 'NtUserSetWindowLong', # 0x5c 'NtGdiHfontCreate', # 0x5d 'NtUserMoveWindow', # 0x5e 'NtUserPostThreadMessage', # 0x5f 'NtUserDrawIconEx', # 0x60 'NtUserGetSystemMenu', # 0x61 'NtGdiDrawStream', # 0x62 'NtUserInternalGetWindowText', # 0x63 'NtUserGetWindowDC', # 
0x64 'NtGdiD3dDrawPrimitives2', # 0x65 'NtGdiInvertRgn', # 0x66 'NtGdiGetRgnBox', # 0x67 'NtGdiGetAndSetDCDword', # 0x68 'NtGdiMaskBlt', # 0x69 'NtGdiGetWidthTable', # 0x6a 'NtUserScrollDC', # 0x6b 'NtUserGetObjectInformation', # 0x6c 'NtGdiCreateBitmap', # 0x6d 'NtUserFindWindowEx', # 0x6e 'NtGdiPolyPatBlt', # 0x6f 'NtUserUnhookWindowsHookEx', # 0x70 'NtGdiGetNearestColor', # 0x71 'NtGdiTransformPoints', # 0x72 'NtGdiGetDCPoint', # 0x73 'NtGdiCreateDIBBrush', # 0x74 'NtGdiGetTextMetricsW', # 0x75 'NtUserCreateWindowEx', # 0x76 'NtUserSetParent', # 0x77 'NtUserGetKeyboardState', # 0x78 'NtUserToUnicodeEx', # 0x79 'NtUserGetControlBrush', # 0x7a 'NtUserGetClassName', # 0x7b 'NtGdiAlphaBlend', # 0x7c 'NtGdiDdBlt', # 0x7d 'NtGdiOffsetRgn', # 0x7e 'NtUserDefSetText', # 0x7f 'NtGdiGetTextFaceW', # 0x80 'NtGdiStretchDIBitsInternal', # 0x81 'NtUserSendInput', # 0x82 'NtUserGetThreadDesktop', # 0x83 'NtGdiCreateRectRgn', # 0x84 'NtGdiGetDIBitsInternal', # 0x85 'NtUserGetUpdateRgn', # 0x86 'NtGdiDeleteClientObj', # 0x87 'NtUserGetIconSize', # 0x88 'NtUserFillWindow', # 0x89 'NtGdiExtCreateRegion', # 0x8a 'NtGdiComputeXformCoefficients', # 0x8b 'NtUserSetWindowsHookEx', # 0x8c 'NtUserNotifyProcessCreate', # 0x8d 'NtGdiUnrealizeObject', # 0x8e 'NtUserGetTitleBarInfo', # 0x8f 'NtGdiRectangle', # 0x90 'NtUserSetThreadDesktop', # 0x91 'NtUserGetDCEx', # 0x92 'NtUserGetScrollBarInfo', # 0x93 'NtGdiGetTextExtent', # 0x94 'NtUserSetWindowFNID', # 0x95 'NtGdiSetLayout', # 0x96 'NtUserCalcMenuBar', # 0x97 'NtUserThunkedMenuItemInfo', # 0x98 'NtGdiExcludeClipRect', # 0x99 'NtGdiCreateDIBSection', # 0x9a 'NtGdiGetDCforBitmap', # 0x9b 'NtUserDestroyCursor', # 0x9c 'NtUserDestroyWindow', # 0x9d 'NtUserCallHwndParam', # 0x9e 'NtGdiCreateDIBitmapInternal', # 0x9f 'NtUserOpenWindowStation', # 0xa0 'NtGdiDdDeleteSurfaceObject', # 0xa1 'NtGdiDdCanCreateSurface', # 0xa2 'NtGdiDdCreateSurface', # 0xa3 'NtUserSetCursorIconData', # 0xa4 'NtGdiDdDestroySurface', # 0xa5 'NtUserCloseDesktop', # 0xa6 
'NtUserOpenDesktop', # 0xa7 'NtUserSetProcessWindowStation', # 0xa8 'NtUserGetAtomName', # 0xa9 'NtGdiDdResetVisrgn', # 0xaa 'NtGdiExtCreatePen', # 0xab 'NtGdiCreatePaletteInternal', # 0xac 'NtGdiSetBrushOrg', # 0xad 'NtUserBuildNameList', # 0xae 'NtGdiSetPixel', # 0xaf 'NtUserRegisterClassExWOW', # 0xb0 'NtGdiCreatePatternBrushInternal', # 0xb1 'NtUserGetAncestor', # 0xb2 'NtGdiGetOutlineTextMetricsInternalW', # 0xb3 'NtGdiSetBitmapBits', # 0xb4 'NtUserCloseWindowStation', # 0xb5 'NtUserGetDoubleClickTime', # 0xb6 'NtUserEnableScrollBar', # 0xb7 'NtGdiCreateSolidBrush', # 0xb8 'NtUserGetClassInfoEx', # 0xb9 'NtGdiCreateClientObj', # 0xba 'NtUserUnregisterClass', # 0xbb 'NtUserDeleteMenu', # 0xbc 'NtGdiRectInRegion', # 0xbd 'NtUserScrollWindowEx', # 0xbe 'NtGdiGetPixel', # 0xbf 'NtUserSetClassLong', # 0xc0 'NtUserGetMenuBarInfo', # 0xc1 'NtGdiDdCreateSurfaceEx', # 0xc2 'NtGdiDdCreateSurfaceObject', # 0xc3 'NtGdiGetNearestPaletteIndex', # 0xc4 'NtGdiDdLockD3D', # 0xc5 'NtGdiDdUnlockD3D', # 0xc6 'NtGdiGetCharWidthW', # 0xc7 'NtUserInvalidateRgn', # 0xc8 'NtUserGetClipboardOwner', # 0xc9 'NtUserSetWindowRgn', # 0xca 'NtUserBitBltSysBmp', # 0xcb 'NtGdiGetCharWidthInfo', # 0xcc 'NtUserValidateRect', # 0xcd 'NtUserCloseClipboard', # 0xce 'NtUserOpenClipboard', # 0xcf 'NtGdiGetStockObject', # 0xd0 'NtUserSetClipboardData', # 0xd1 'NtUserEnableMenuItem', # 0xd2 'NtUserAlterWindowStyle', # 0xd3 'NtGdiFillRgn', # 0xd4 'NtUserGetWindowPlacement', # 0xd5 'NtGdiModifyWorldTransform', # 0xd6 'NtGdiGetFontData', # 0xd7 'NtUserGetOpenClipboardWindow', # 0xd8 'NtUserSetThreadState', # 0xd9 'NtGdiOpenDCW', # 0xda 'NtUserTrackMouseEvent', # 0xdb 'NtGdiGetTransform', # 0xdc 'NtUserDestroyMenu', # 0xdd 'NtGdiGetBitmapBits', # 0xde 'NtUserConsoleControl', # 0xdf 'NtUserSetActiveWindow', # 0xe0 'NtUserSetInformationThread', # 0xe1 'NtUserSetWindowPlacement', # 0xe2 'NtUserGetControlColor', # 0xe3 'NtGdiSetMetaRgn', # 0xe4 'NtGdiSetMiterLimit', # 0xe5 'NtGdiSetVirtualResolution', # 0xe6 
'NtGdiGetRasterizerCaps', # 0xe7 'NtUserSetWindowWord', # 0xe8 'NtUserGetClipboardFormatName', # 0xe9 'NtUserRealInternalGetMessage', # 0xea 'NtUserCreateLocalMemHandle', # 0xeb 'NtUserAttachThreadInput', # 0xec 'NtGdiCreateHalftonePalette', # 0xed 'NtUserPaintMenuBar', # 0xee 'NtUserSetKeyboardState', # 0xef 'NtGdiCombineTransform', # 0xf0 'NtUserCreateAcceleratorTable', # 0xf1 'NtUserGetCursorFrameInfo', # 0xf2 'NtUserGetAltTabInfo', # 0xf3 'NtUserGetCaretBlinkTime', # 0xf4 'NtGdiQueryFontAssocInfo', # 0xf5 'NtUserProcessConnect', # 0xf6 'NtUserEnumDisplayDevices', # 0xf7 'NtUserEmptyClipboard', # 0xf8 'NtUserGetClipboardData', # 0xf9 'NtUserRemoveMenu', # 0xfa 'NtGdiSetBoundsRect', # 0xfb 'NtGdiGetBitmapDimension', # 0xfc 'NtUserConvertMemHandle', # 0xfd 'NtUserDestroyAcceleratorTable', # 0xfe 'NtUserGetGUIThreadInfo', # 0xff 'NtGdiCloseFigure', # 0x100 'NtUserSetWindowsHookAW', # 0x101 'NtUserSetMenuDefaultItem', # 0x102 'NtUserCheckMenuItem', # 0x103 'NtUserSetWinEventHook', # 0x104 'NtUserUnhookWinEvent', # 0x105 'NtUserLockWindowUpdate', # 0x106 'NtUserSetSystemMenu', # 0x107 'NtUserThunkedMenuInfo', # 0x108 'NtGdiBeginPath', # 0x109 'NtGdiEndPath', # 0x10a 'NtGdiFillPath', # 0x10b 'NtUserCallHwnd', # 0x10c 'NtUserDdeInitialize', # 0x10d 'NtUserModifyUserStartupInfoFlags', # 0x10e 'NtUserCountClipboardFormats', # 0x10f 'NtGdiAddFontMemResourceEx', # 0x110 'NtGdiEqualRgn', # 0x111 'NtGdiGetSystemPaletteUse', # 0x112 'NtGdiRemoveFontMemResourceEx', # 0x113 'NtUserEnumDisplaySettings', # 0x114 'NtUserPaintDesktop', # 0x115 'NtGdiExtEscape', # 0x116 'NtGdiSetBitmapDimension', # 0x117 'NtGdiSetFontEnumeration', # 0x118 'NtUserChangeClipboardChain', # 0x119 'NtUserSetClipboardViewer', # 0x11a 'NtUserShowWindowAsync', # 0x11b 'NtGdiCreateColorSpace', # 0x11c 'NtGdiDeleteColorSpace', # 0x11d 'NtUserActivateKeyboardLayout', # 0x11e 'NtBindCompositionSurface', # 0x11f 'NtCreateCompositionSurfaceHandle', # 0x120 'NtDCompositionAddCrossDeviceVisualChild', # 0x121 
'NtDCompositionAddVisualChild', # 0x122 'NtDCompositionBeginFrame', # 0x123 'NtDCompositionCommitChannel', # 0x124 'NtDCompositionConfirmFrame', # 0x125 'NtDCompositionConnectPipe', # 0x126 'NtDCompositionCreateChannel', # 0x127 'NtDCompositionCreateConnectionContext', # 0x128 'NtDCompositionCreateDwmChannel', # 0x129 'NtDCompositionCreateResource', # 0x12a 'NtDCompositionCurrentBatchId', # 0x12b 'NtDCompositionDestroyChannel', # 0x12c 'NtDCompositionDestroyConnectionContext', # 0x12d 'NtDCompositionDiscardFrame', # 0x12e 'NtDCompositionDwmSyncFlush', # 0x12f 'NtDCompositionGetChannels', # 0x130 'NtDCompositionGetConnectionContextBatch', # 0x131 'NtDCompositionGetDeletedResources', # 0x132 'NtDCompositionGetFrameLegacyTokens', # 0x133 'NtDCompositionGetFrameStatistics', # 0x134 'NtDCompositionGetFrameSurfaceUpdates', # 0x135 'NtDCompositionReleaseAllResources', # 0x136 'NtDCompositionReleaseResource', # 0x137 'NtDCompositionRemoveCrossDeviceVisualChild', # 0x138 'NtDCompositionRemoveVisualChild', # 0x139 'NtDCompositionReplaceVisualChildren', # 0x13a 'NtDCompositionRetireFrame', # 0x13b 'NtDCompositionSetChannelCommitCompletionEvent', # 0x13c 'NtDCompositionSetResourceAnimationProperty', # 0x13d 'NtDCompositionSetResourceBufferProperty', # 0x13e 'NtDCompositionSetResourceDeletedNotificationTag', # 0x13f 'NtDCompositionSetResourceFloatProperty', # 0x140 'NtDCompositionSetResourceIntegerProperty', # 0x141 'NtDCompositionSetResourceReferenceArrayProperty', # 0x142 'NtDCompositionSetResourceReferenceProperty', # 0x143 'NtDCompositionSignalGpuFence', # 0x144 'NtDCompositionSubmitDWMBatch', # 0x145 'NtDCompositionSynchronize', # 0x146 'NtDCompositionTelemetryTouchInteractionBegin', # 0x147 'NtDCompositionTelemetryTouchInteractionEnd', # 0x148 'NtDCompositionTelemetryTouchInteractionUpdate', # 0x149 'NtDCompositionValidateAndReferenceSystemVisualForHwndTarget', # 0x14a 'NtDCompositionWaitForChannel', # 0x14b 'NtGdiAbortDoc', # 0x14c 'NtGdiAbortPath', # 0x14d 
'NtGdiAddEmbFontToDC', # 0x14e 'NtGdiAddFontResourceW', # 0x14f 'NtGdiAddRemoteFontToDC', # 0x150 'NtGdiAddRemoteMMInstanceToDC', # 0x151 'NtGdiAngleArc', # 0x152 'NtGdiAnyLinkedFonts', # 0x153 'NtGdiArcInternal', # 0x154 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x155 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x156 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x157 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x158 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x159 'NtGdiBeginGdiRendering', # 0x15a 'NtGdiCLIPOBJ_bEnum', # 0x15b 'NtGdiCLIPOBJ_cEnumStart', # 0x15c 'NtGdiCLIPOBJ_ppoGetPath', # 0x15d 'NtGdiCancelDC', # 0x15e 'NtGdiChangeGhostFont', # 0x15f 'NtGdiCheckBitmapBits', # 0x160 'NtGdiClearBitmapAttributes', # 0x161 'NtGdiClearBrushAttributes', # 0x162 'NtGdiColorCorrectPalette', # 0x163 'NtGdiConfigureOPMProtectedOutput', # 0x164 'NtGdiConvertMetafileRect', # 0x165 'NtGdiCreateBitmapFromDxSurface', # 0x166 'NtGdiCreateBitmapFromDxSurface2', # 0x167 'NtGdiCreateColorTransform', # 0x168 'NtGdiCreateEllipticRgn', # 0x169 'NtGdiCreateHatchBrushInternal', # 0x16a 'NtGdiCreateMetafileDC', # 0x16b 'NtGdiCreateOPMProtectedOutputs', # 0x16c 'NtGdiCreateRoundRectRgn', # 0x16d 'NtGdiCreateServerMetaFile', # 0x16e 'NtGdiCreateSessionMappedDIBSection', # 0x16f 'NtGdiD3dContextCreate', # 0x170 'NtGdiD3dContextDestroy', # 0x171 'NtGdiD3dContextDestroyAll', # 0x172 'NtGdiD3dValidateTextureStageState', # 0x173 'NtGdiDDCCIGetCapabilitiesString', # 0x174 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x175 'NtGdiDDCCIGetTimingReport', # 0x176 'NtGdiDDCCIGetVCPFeature', # 0x177 'NtGdiDDCCISaveCurrentSettings', # 0x178 'NtGdiDDCCISetVCPFeature', # 0x179 'NtGdiDdAddAttachedSurface', # 0x17a 'NtGdiDdAlphaBlt', # 0x17b 'NtGdiDdAttachSurface', # 0x17c 'NtGdiDdBeginMoCompFrame', # 0x17d 'NtGdiDdCanCreateD3DBuffer', # 0x17e 'NtGdiDdColorControl', # 0x17f 'NtGdiDdCreateD3DBuffer', # 0x180 'NtGdiDdCreateDirectDrawObject', # 0x181 'NtGdiDdCreateFullscreenSprite', # 0x182 'NtGdiDdCreateMoComp', # 0x183 'NtGdiDdDDIAcquireKeyedMutex', # 0x184 
'NtGdiDdDDIAcquireKeyedMutex2', # 0x185 'NtGdiDdDDICheckExclusiveOwnership', # 0x186 'NtGdiDdDDICheckMonitorPowerState', # 0x187 'NtGdiDdDDICheckOcclusion', # 0x188 'NtGdiDdDDICheckSharedResourceAccess', # 0x189 'NtGdiDdDDICheckVidPnExclusiveOwnership', # 0x18a 'NtGdiDdDDICloseAdapter', # 0x18b 'NtGdiDdDDIConfigureSharedResource', # 0x18c 'NtGdiDdDDICreateAllocation', # 0x18d 'NtGdiDdDDICreateContext', # 0x18e 'NtGdiDdDDICreateDCFromMemory', # 0x18f 'NtGdiDdDDICreateDevice', # 0x190 'NtGdiDdDDICreateKeyedMutex', # 0x191 'NtGdiDdDDICreateKeyedMutex2', # 0x192 'NtGdiDdDDICreateOutputDupl', # 0x193 'NtGdiDdDDICreateOverlay', # 0x194 'NtGdiDdDDICreateSynchronizationObject', # 0x195 'NtGdiDdDDIDestroyAllocation', # 0x196 'NtGdiDdDDIDestroyContext', # 0x197 'NtGdiDdDDIDestroyDCFromMemory', # 0x198 'NtGdiDdDDIDestroyDevice', # 0x199 'NtGdiDdDDIDestroyKeyedMutex', # 0x19a 'NtGdiDdDDIDestroyOutputDupl', # 0x19b 'NtGdiDdDDIDestroyOverlay', # 0x19c 'NtGdiDdDDIDestroySynchronizationObject', # 0x19d 'NtGdiDdDDIEnumAdapters', # 0x19e 'NtGdiDdDDIEscape', # 0x19f 'NtGdiDdDDIFlipOverlay', # 0x1a0 'NtGdiDdDDIGetContextInProcessSchedulingPriority', # 0x1a1 'NtGdiDdDDIGetContextSchedulingPriority', # 0x1a2 'NtGdiDdDDIGetDeviceState', # 0x1a3 'NtGdiDdDDIGetDisplayModeList', # 0x1a4 'NtGdiDdDDIGetMultisampleMethodList', # 0x1a5 'NtGdiDdDDIGetOverlayState', # 0x1a6 'NtGdiDdDDIGetPresentHistory', # 0x1a7 'NtGdiDdDDIGetPresentQueueEvent', # 0x1a8 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x1a9 'NtGdiDdDDIGetRuntimeData', # 0x1aa 'NtGdiDdDDIGetScanLine', # 0x1ab 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x1ac 'NtGdiDdDDIGetSharedResourceAdapterLuid', # 0x1ad 'NtGdiDdDDIInvalidateActiveVidPn', # 0x1ae 'NtGdiDdDDILock', # 0x1af 'NtGdiDdDDIOfferAllocations', # 0x1b0 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x1b1 'NtGdiDdDDIOpenAdapterFromHdc', # 0x1b2 'NtGdiDdDDIOpenAdapterFromLuid', # 0x1b3 'NtGdiDdDDIOpenKeyedMutex', # 0x1b4 'NtGdiDdDDIOpenKeyedMutex2', # 0x1b5 
'NtGdiDdDDIOpenNtHandleFromName', # 0x1b6 'NtGdiDdDDIOpenResource', # 0x1b7 'NtGdiDdDDIOpenResourceFromNtHandle', # 0x1b8 'NtGdiDdDDIOpenSyncObjectFromNtHandle', # 0x1b9 'NtGdiDdDDIOpenSynchronizationObject', # 0x1ba 'NtGdiDdDDIOutputDuplGetFrameInfo', # 0x1bb 'NtGdiDdDDIOutputDuplGetMetaData', # 0x1bc 'NtGdiDdDDIOutputDuplGetPointerShapeData', # 0x1bd 'NtGdiDdDDIOutputDuplPresent', # 0x1be 'NtGdiDdDDIOutputDuplReleaseFrame', # 0x1bf 'NtGdiDdDDIPinDirectFlipResources', # 0x1c0 'NtGdiDdDDIPollDisplayChildren', # 0x1c1 'NtGdiDdDDIPresent', # 0x1c2 'NtGdiDdDDIQueryAdapterInfo', # 0x1c3 'NtGdiDdDDIQueryAllocationResidency', # 0x1c4 'NtGdiDdDDIQueryRemoteVidPnSourceFromGdiDisplayName', # 0x1c5 'NtGdiDdDDIQueryResourceInfo', # 0x1c6 'NtGdiDdDDIQueryResourceInfoFromNtHandle', # 0x1c7 'NtGdiDdDDIQueryStatistics', # 0x1c8 'NtGdiDdDDIReclaimAllocations', # 0x1c9 'NtGdiDdDDIReleaseKeyedMutex', # 0x1ca 'NtGdiDdDDIReleaseKeyedMutex2', # 0x1cb 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x1cc 'NtGdiDdDDIRender', # 0x1cd 'NtGdiDdDDISetAllocationPriority', # 0x1ce 'NtGdiDdDDISetContextInProcessSchedulingPriority', # 0x1cf 'NtGdiDdDDISetContextSchedulingPriority', # 0x1d0 'NtGdiDdDDISetDisplayMode', # 0x1d1 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x1d2 'NtGdiDdDDISetGammaRamp', # 0x1d3 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x1d4 'NtGdiDdDDISetQueuedLimit', # 0x1d5 'NtGdiDdDDISetStereoEnabled', # 0x1d6 'NtGdiDdDDISetVidPnSourceOwner', # 0x1d7 'NtGdiDdDDISetVidPnSourceOwner1', # 0x1d8 'NtGdiDdDDIShareObjects', # 0x1d9 'NtGdiDdDDISharedPrimaryLockNotification', # 0x1da 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x1db 'NtGdiDdDDISignalSynchronizationObject', # 0x1dc 'NtGdiDdDDIUnlock', # 0x1dd 'NtGdiDdDDIUnpinDirectFlipResources', # 0x1de 'NtGdiDdDDIUpdateOverlay', # 0x1df 'NtGdiDdDDIWaitForIdle', # 0x1e0 'NtGdiDdDDIWaitForSynchronizationObject', # 0x1e1 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x1e2 'NtGdiDdDDIWaitForVerticalBlankEvent2', # 0x1e3 
'NtGdiDdDeleteDirectDrawObject', # 0x1e4 'NtGdiDdDestroyD3DBuffer', # 0x1e5 'NtGdiDdDestroyFullscreenSprite', # 0x1e6 'NtGdiDdDestroyMoComp', # 0x1e7 'NtGdiDdEndMoCompFrame', # 0x1e8 'NtGdiDdFlip', # 0x1e9 'NtGdiDdFlipToGDISurface', # 0x1ea 'NtGdiDdGetAvailDriverMemory', # 0x1eb 'NtGdiDdGetBltStatus', # 0x1ec 'NtGdiDdGetDC', # 0x1ed 'NtGdiDdGetDriverInfo', # 0x1ee 'NtGdiDdGetDriverState', # 0x1ef 'NtGdiDdGetDxHandle', # 0x1f0 'NtGdiDdGetFlipStatus', # 0x1f1 'NtGdiDdGetInternalMoCompInfo', # 0x1f2 'NtGdiDdGetMoCompBuffInfo', # 0x1f3 'NtGdiDdGetMoCompFormats', # 0x1f4 'NtGdiDdGetMoCompGuids', # 0x1f5 'NtGdiDdGetScanLine', # 0x1f6 'NtGdiDdLock', # 0x1f7 'NtGdiDdNotifyFullscreenSpriteUpdate', # 0x1f8 'NtGdiDdQueryDirectDrawObject', # 0x1f9 'NtGdiDdQueryMoCompStatus', # 0x1fa 'NtGdiDdQueryVisRgnUniqueness', # 0x1fb 'NtGdiDdReenableDirectDrawObject', # 0x1fc 'NtGdiDdReleaseDC', # 0x1fd 'NtGdiDdRenderMoComp', # 0x1fe 'NtGdiDdSetColorKey', # 0x1ff 'NtGdiDdSetExclusiveMode', # 0x200 'NtGdiDdSetGammaRamp', # 0x201 'NtGdiDdSetOverlayPosition', # 0x202 'NtGdiDdUnattachSurface', # 0x203 'NtGdiDdUnlock', # 0x204 'NtGdiDdUpdateOverlay', # 0x205 'NtGdiDdWaitForVerticalBlank', # 0x206 'NtGdiDeleteColorTransform', # 0x207 'NtGdiDescribePixelFormat', # 0x208 'NtGdiDestroyOPMProtectedOutput', # 0x209 'NtGdiDestroyPhysicalMonitor', # 0x20a 'NtGdiDoBanding', # 0x20b 'NtGdiDrawEscape', # 0x20c 'NtGdiDvpAcquireNotification', # 0x20d 'NtGdiDvpCanCreateVideoPort', # 0x20e 'NtGdiDvpColorControl', # 0x20f 'NtGdiDvpCreateVideoPort', # 0x210 'NtGdiDvpDestroyVideoPort', # 0x211 'NtGdiDvpFlipVideoPort', # 0x212 'NtGdiDvpGetVideoPortBandwidth', # 0x213 'NtGdiDvpGetVideoPortConnectInfo', # 0x214 'NtGdiDvpGetVideoPortField', # 0x215 'NtGdiDvpGetVideoPortFlipStatus', # 0x216 'NtGdiDvpGetVideoPortInputFormats', # 0x217 'NtGdiDvpGetVideoPortLine', # 0x218 'NtGdiDvpGetVideoPortOutputFormats', # 0x219 'NtGdiDvpGetVideoSignalStatus', # 0x21a 'NtGdiDvpReleaseNotification', # 0x21b 
'NtGdiDvpUpdateVideoPort', # 0x21c 'NtGdiDvpWaitForVideoPortSync', # 0x21d 'NtGdiDwmCreatedBitmapRemotingOutput', # 0x21e 'NtGdiDxgGenericThunk', # 0x21f 'NtGdiEllipse', # 0x220 'NtGdiEnableEudc', # 0x221 'NtGdiEndDoc', # 0x222 'NtGdiEndGdiRendering', # 0x223 'NtGdiEndPage', # 0x224 'NtGdiEngAlphaBlend', # 0x225 'NtGdiEngAssociateSurface', # 0x226 'NtGdiEngBitBlt', # 0x227 'NtGdiEngCheckAbort', # 0x228 'NtGdiEngComputeGlyphSet', # 0x229 'NtGdiEngCopyBits', # 0x22a 'NtGdiEngCreateBitmap', # 0x22b 'NtGdiEngCreateClip', # 0x22c 'NtGdiEngCreateDeviceBitmap', # 0x22d 'NtGdiEngCreateDeviceSurface', # 0x22e 'NtGdiEngCreatePalette', # 0x22f 'NtGdiEngDeleteClip', # 0x230 'NtGdiEngDeletePalette', # 0x231 'NtGdiEngDeletePath', # 0x232 'NtGdiEngDeleteSurface', # 0x233 'NtGdiEngEraseSurface', # 0x234 'NtGdiEngFillPath', # 0x235 'NtGdiEngGradientFill', # 0x236 'NtGdiEngLineTo', # 0x237 'NtGdiEngLockSurface', # 0x238 'NtGdiEngMarkBandingSurface', # 0x239 'NtGdiEngPaint', # 0x23a 'NtGdiEngPlgBlt', # 0x23b 'NtGdiEngStretchBlt', # 0x23c 'NtGdiEngStretchBltROP', # 0x23d 'NtGdiEngStrokeAndFillPath', # 0x23e 'NtGdiEngStrokePath', # 0x23f 'NtGdiEngTextOut', # 0x240 'NtGdiEngTransparentBlt', # 0x241 'NtGdiEngUnlockSurface', # 0x242 'NtGdiEnumFonts', # 0x243 'NtGdiEnumObjects', # 0x244 'NtGdiEudcLoadUnloadLink', # 0x245 'NtGdiExtFloodFill', # 0x246 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x247 'NtGdiFONTOBJ_cGetGlyphs', # 0x248 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x249 'NtGdiFONTOBJ_pfdg', # 0x24a 'NtGdiFONTOBJ_pifi', # 0x24b 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x24c 'NtGdiFONTOBJ_pxoGetXform', # 0x24d 'NtGdiFONTOBJ_vGetInfo', # 0x24e 'NtGdiFlattenPath', # 0x24f 'NtGdiFontIsLinked', # 0x250 'NtGdiForceUFIMapping', # 0x251 'NtGdiFrameRgn', # 0x252 'NtGdiFullscreenControl', # 0x253 'NtGdiGetBoundsRect', # 0x254 'NtGdiGetCOPPCompatibleOPMInformation', # 0x255 'NtGdiGetCertificate', # 0x256 'NtGdiGetCertificateSize', # 0x257 'NtGdiGetCharABCWidthsW', # 0x258 'NtGdiGetCharacterPlacementW', # 
0x259 'NtGdiGetColorAdjustment', # 0x25a 'NtGdiGetColorSpaceforBitmap', # 0x25b 'NtGdiGetDeviceCaps', # 0x25c 'NtGdiGetDeviceCapsAll', # 0x25d 'NtGdiGetDeviceGammaRamp', # 0x25e 'NtGdiGetDeviceWidth', # 0x25f 'NtGdiGetDhpdev', # 0x260 'NtGdiGetETM', # 0x261 'NtGdiGetEmbUFI', # 0x262 'NtGdiGetEmbedFonts', # 0x263 'NtGdiGetEudcTimeStampEx', # 0x264 'NtGdiGetFontFileData', # 0x265 'NtGdiGetFontFileInfo', # 0x266 'NtGdiGetFontResourceInfoInternalW', # 0x267 'NtGdiGetFontUnicodeRanges', # 0x268 'NtGdiGetGlyphIndicesW', # 0x269 'NtGdiGetGlyphIndicesWInternal', # 0x26a 'NtGdiGetGlyphOutline', # 0x26b 'NtGdiGetKerningPairs', # 0x26c 'NtGdiGetLinkedUFIs', # 0x26d 'NtGdiGetMiterLimit', # 0x26e 'NtGdiGetMonitorID', # 0x26f 'NtGdiGetNumberOfPhysicalMonitors', # 0x270 'NtGdiGetOPMInformation', # 0x271 'NtGdiGetOPMRandomNumber', # 0x272 'NtGdiGetObjectBitmapHandle', # 0x273 'NtGdiGetPath', # 0x274 'NtGdiGetPerBandInfo', # 0x275 'NtGdiGetPhysicalMonitorDescription', # 0x276 'NtGdiGetPhysicalMonitors', # 0x277 'NtGdiGetRealizationInfo', # 0x278 'NtGdiGetServerMetaFileBits', # 0x279 'NtGdiGetSpoolMessage', # 0x27a 'NtGdiGetStats', # 0x27b 'NtGdiGetStringBitmapW', # 0x27c 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0x27d 'NtGdiGetTextExtentExW', # 0x27e 'NtGdiGetUFI', # 0x27f 'NtGdiGetUFIPathname', # 0x280 'NtGdiGradientFill', # 0x281 'NtGdiHLSurfGetInformation', # 0x282 'NtGdiHLSurfSetInformation', # 0x283 'NtGdiHT_Get8BPPFormatPalette', # 0x284 'NtGdiHT_Get8BPPMaskPalette', # 0x285 'NtGdiIcmBrushInfo', # 0x286 'NtGdiInit', # 0x287 'NtGdiInitSpool', # 0x288 'NtGdiMakeFontDir', # 0x289 'NtGdiMakeInfoDC', # 0x28a 'NtGdiMakeObjectUnXferable', # 0x28b 'NtGdiMakeObjectXferable', # 0x28c 'NtGdiMirrorWindowOrg', # 0x28d 'NtGdiMonoBitmap', # 0x28e 'NtGdiMoveTo', # 0x28f 'NtGdiOffsetClipRgn', # 0x290 'NtGdiPATHOBJ_bEnum', # 0x291 'NtGdiPATHOBJ_bEnumClipLines', # 0x292 'NtGdiPATHOBJ_vEnumStart', # 0x293 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x294 'NtGdiPATHOBJ_vGetBounds', # 0x295 
'NtGdiPathToRegion', # 0x296 'NtGdiPlgBlt', # 0x297 'NtGdiPolyDraw', # 0x298 'NtGdiPolyTextOutW', # 0x299 'NtGdiPtInRegion', # 0x29a 'NtGdiPtVisible', # 0x29b 'NtGdiQueryFonts', # 0x29c 'NtGdiRemoveFontResourceW', # 0x29d 'NtGdiRemoveMergeFont', # 0x29e 'NtGdiResetDC', # 0x29f 'NtGdiResizePalette', # 0x2a0 'NtGdiRoundRect', # 0x2a1 'NtGdiSTROBJ_bEnum', # 0x2a2 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x2a3 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x2a4 'NtGdiSTROBJ_dwGetCodePage', # 0x2a5 'NtGdiSTROBJ_vEnumStart', # 0x2a6 'NtGdiScaleViewportExtEx', # 0x2a7 'NtGdiScaleWindowExtEx', # 0x2a8 'NtGdiSelectBrush', # 0x2a9 'NtGdiSelectClipPath', # 0x2aa 'NtGdiSelectPen', # 0x2ab 'NtGdiSetBitmapAttributes', # 0x2ac 'NtGdiSetBrushAttributes', # 0x2ad 'NtGdiSetColorAdjustment', # 0x2ae 'NtGdiSetColorSpace', # 0x2af 'NtGdiSetDeviceGammaRamp', # 0x2b0 'NtGdiSetFontXform', # 0x2b1 'NtGdiSetIcmMode', # 0x2b2 'NtGdiSetLinkedUFIs', # 0x2b3 'NtGdiSetMagicColors', # 0x2b4 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x2b5 'NtGdiSetPUMPDOBJ', # 0x2b6 'NtGdiSetPixelFormat', # 0x2b7 'NtGdiSetRectRgn', # 0x2b8 'NtGdiSetSizeDevice', # 0x2b9 'NtGdiSetSystemPaletteUse', # 0x2ba 'NtGdiSetTextJustification', # 0x2bb 'NtGdiSetUMPDSandboxState', # 0x2bc 'NtGdiStartDoc', # 0x2bd 'NtGdiStartPage', # 0x2be 'NtGdiStrokeAndFillPath', # 0x2bf 'NtGdiStrokePath', # 0x2c0 'NtGdiSwapBuffers', # 0x2c1 'NtGdiTransparentBlt', # 0x2c2 'NtGdiUMPDEngFreeUserMem', # 0x2c3 'NtGdiUnloadPrinterDriver', # 0x2c4 'NtGdiUnmapMemFont', # 0x2c5 'NtGdiUpdateColors', # 0x2c6 'NtGdiUpdateTransform', # 0x2c7 'NtGdiWidenPath', # 0x2c8 'NtGdiXFORMOBJ_bApplyXform', # 0x2c9 'NtGdiXFORMOBJ_iGetXform', # 0x2ca 'NtGdiXLATEOBJ_cGetPalette', # 0x2cb 'NtGdiXLATEOBJ_hGetColorTransform', # 0x2cc 'NtGdiXLATEOBJ_iXlate', # 0x2cd 'NtNotifyPresentToCompositionSurface', # 0x2ce 'NtOpenCompositionSurfaceDirtyRegion', # 0x2cf 'NtOpenCompositionSurfaceSectionInfo', # 0x2d0 'NtOpenCompositionSurfaceSwapChainHandleInfo', # 0x2d1 
'NtQueryCompositionSurfaceBinding', # 0x2d2 'NtQueryCompositionSurfaceRenderingRealization', # 0x2d3 'NtQueryCompositionSurfaceStatistics', # 0x2d4 'NtSetCompositionSurfaceOutOfFrameDirectFlipNotification', # 0x2d5 'NtSetCompositionSurfaceStatistics', # 0x2d6 'NtTokenManagerGetOutOfFrameDirectFlipSurfaceUpdates', # 0x2d7 'NtTokenManagerOpenEvent', # 0x2d8 'NtTokenManagerThread', # 0x2d9 'NtUnBindCompositionSurface', # 0x2da 'NtUserAcquireIAMKey', # 0x2db 'NtUserAddClipboardFormatListener', # 0x2dc 'NtUserAssociateInputContext', # 0x2dd 'NtUserAutoPromoteMouseInPointer', # 0x2de 'NtUserAutoRotateScreen', # 0x2df 'NtUserBlockInput', # 0x2e0 'NtUserBuildHimcList', # 0x2e1 'NtUserBuildPropList', # 0x2e2 'NtUserCalculatePopupWindowPosition', # 0x2e3 'NtUserCallHwndOpt', # 0x2e4 'NtUserCanBrokerForceForeground', # 0x2e5 'NtUserChangeDisplaySettings', # 0x2e6 'NtUserChangeWindowMessageFilterEx', # 0x2e7 'NtUserCheckAccessForIntegrityLevel', # 0x2e8 'NtUserCheckProcessForClipboardAccess', # 0x2e9 'NtUserCheckProcessSession', # 0x2ea 'NtUserCheckWindowThreadDesktop', # 0x2eb 'NtUserChildWindowFromPointEx', # 0x2ec 'NtUserClipCursor', # 0x2ed 'NtUserCreateDCompositionHwndTarget', # 0x2ee 'NtUserCreateDesktopEx', # 0x2ef 'NtUserCreateInputContext', # 0x2f0 'NtUserCreateWindowStation', # 0x2f1 'NtUserCtxDisplayIOCtl', # 0x2f2 'NtUserDeferWindowPosAndBand', # 0x2f3 'NtUserDelegateCapturePointers', # 0x2f4 'NtUserDelegateInput', # 0x2f5 'NtUserDestroyDCompositionHwndTarget', # 0x2f6 'NtUserDestroyInputContext', # 0x2f7 'NtUserDisableImmersiveOwner', # 0x2f8 'NtUserDisableProcessWindowFiltering', # 0x2f9 'NtUserDisableThreadIme', # 0x2fa 'NtUserDiscardPointerFrameMessages', # 0x2fb 'NtUserDisplayConfigGetDeviceInfo', # 0x2fc 'NtUserDisplayConfigSetDeviceInfo', # 0x2fd 'NtUserDoSoundConnect', # 0x2fe 'NtUserDoSoundDisconnect', # 0x2ff 'NtUserDragDetect', # 0x300 'NtUserDragObject', # 0x301 'NtUserDrawAnimatedRects', # 0x302 'NtUserDrawCaption', # 0x303 'NtUserDrawCaptionTemp', # 
0x304 'NtUserDrawMenuBarTemp', # 0x305 'NtUserDwmGetRemoteSessionOcclusionEvent', # 0x306 'NtUserDwmGetRemoteSessionOcclusionState', # 0x307 'NtUserDwmStartRedirection', # 0x308 'NtUserDwmStopRedirection', # 0x309 'NtUserDwmValidateWindow', # 0x30a 'NtUserEnableIAMAccess', # 0x30b 'NtUserEnableMouseInPointer', # 0x30c 'NtUserEnableMouseInputForCursorSuppression', # 0x30d 'NtUserEndMenu', # 0x30e 'NtUserEvent', # 0x30f 'NtUserFlashWindowEx', # 0x310 'NtUserFrostCrashedWindow', # 0x311 'NtUserGetAppImeLevel', # 0x312 'NtUserGetAutoRotationState', # 0x313 'NtUserGetCIMSSM', # 0x314 'NtUserGetCaretPos', # 0x315 'NtUserGetClipCursor', # 0x316 'NtUserGetClipboardAccessToken', # 0x317 'NtUserGetClipboardViewer', # 0x318 'NtUserGetComboBoxInfo', # 0x319 'NtUserGetCurrentInputMessageSource', # 0x31a 'NtUserGetCursorInfo', # 0x31b 'NtUserGetDesktopID', # 0x31c 'NtUserGetDisplayAutoRotationPreferences', # 0x31d 'NtUserGetDisplayAutoRotationPreferencesByProcessId', # 0x31e 'NtUserGetDisplayConfigBufferSizes', # 0x31f 'NtUserGetGestureConfig', # 0x320 'NtUserGetGestureExtArgs', # 0x321 'NtUserGetGestureInfo', # 0x322 'NtUserGetGlobalIMEStatus', # 0x323 'NtUserGetGuiResources', # 0x324 'NtUserGetImeHotKey', # 0x325 'NtUserGetImeInfoEx', # 0x326 'NtUserGetInputLocaleInfo', # 0x327 'NtUserGetInternalWindowPos', # 0x328 'NtUserGetKeyNameText', # 0x329 'NtUserGetKeyboardLayoutName', # 0x32a 'NtUserGetLayeredWindowAttributes', # 0x32b 'NtUserGetListBoxInfo', # 0x32c 'NtUserGetMenuIndex', # 0x32d 'NtUserGetMenuItemRect', # 0x32e 'NtUserGetMouseMovePointsEx', # 0x32f 'NtUserGetPointerCursorId', # 0x330 'NtUserGetPointerDevice', # 0x331 'NtUserGetPointerDeviceCursors', # 0x332 'NtUserGetPointerDeviceProperties', # 0x333 'NtUserGetPointerDeviceRects', # 0x334 'NtUserGetPointerDevices', # 0x335 'NtUserGetPointerInfoList', # 0x336 'NtUserGetPointerType', # 0x337 'NtUserGetPriorityClipboardFormat', # 0x338 'NtUserGetProcessUIContextInformation', # 0x339 'NtUserGetQueueEventStatus', # 0x33a 
'NtUserGetRawInputBuffer', # 0x33b 'NtUserGetRawInputData', # 0x33c 'NtUserGetRawInputDeviceInfo', # 0x33d 'NtUserGetRawInputDeviceList', # 0x33e 'NtUserGetRawPointerDeviceData', # 0x33f 'NtUserGetRegisteredRawInputDevices', # 0x340 'NtUserGetTopLevelWindow', # 0x341 'NtUserGetTouchInputInfo', # 0x342 'NtUserGetTouchValidationStatus', # 0x343 'NtUserGetUpdatedClipboardFormats', # 0x344 'NtUserGetWOWClass', # 0x345 'NtUserGetWindowBand', # 0x346 'NtUserGetWindowCompositionAttribute', # 0x347 'NtUserGetWindowCompositionInfo', # 0x348 'NtUserGetWindowDisplayAffinity', # 0x349 'NtUserGetWindowFeedbackSetting', # 0x34a 'NtUserGetWindowMinimizeRect', # 0x34b 'NtUserGetWindowRgnEx', # 0x34c 'NtUserGhostWindowFromHungWindow', # 0x34d 'NtUserHandleDelegatedInput', # 0x34e 'NtUserHardErrorControl', # 0x34f 'NtUserHidePointerContactVisualization', # 0x350 'NtUserHiliteMenuItem', # 0x351 'NtUserHungWindowFromGhostWindow', # 0x352 'NtUserHwndQueryRedirectionInfo', # 0x353 'NtUserHwndSetRedirectionInfo', # 0x354 'NtUserImpersonateDdeClientWindow', # 0x355 'NtUserInitTask', # 0x356 'NtUserInitialize', # 0x357 'NtUserInitializeClientPfnArrays', # 0x358 'NtUserInitializeTouchInjection', # 0x359 'NtUserInjectGesture', # 0x35a 'NtUserInjectTouchInput', # 0x35b 'NtUserInternalClipCursor', # 0x35c 'NtUserInternalGetWindowIcon', # 0x35d 'NtUserIsMouseInPointerEnabled', # 0x35e 'NtUserIsMouseInputEnabled', # 0x35f 'NtUserIsTopLevelWindow', # 0x360 'NtUserIsTouchWindow', # 0x361 'NtUserLayoutCompleted', # 0x362 'NtUserLoadKeyboardLayoutEx', # 0x363 'NtUserLockWindowStation', # 0x364 'NtUserLockWorkStation', # 0x365 'NtUserLogicalToPhysicalPoint', # 0x366 'NtUserMNDragLeave', # 0x367 'NtUserMNDragOver', # 0x368 'NtUserMagControl', # 0x369 'NtUserMagGetContextInformation', # 0x36a 'NtUserMagSetContextInformation', # 0x36b 'NtUserMenuItemFromPoint', # 0x36c 'NtUserMinMaximize', # 0x36d 'NtUserModifyWindowTouchCapability', # 0x36e 'NtUserNotifyIMEStatus', # 0x36f 'NtUserOpenInputDesktop', # 
0x370 'NtUserOpenThreadDesktop', # 0x371 'NtUserPaintMonitor', # 0x372 'NtUserPhysicalToLogicalPoint', # 0x373 'NtUserPrintWindow', # 0x374 'NtUserPromoteMouseInPointer', # 0x375 'NtUserPromotePointer', # 0x376 'NtUserQueryBSDRWindow', # 0x377 'NtUserQueryDisplayConfig', # 0x378 'NtUserQueryInformationThread', # 0x379 'NtUserQueryInputContext', # 0x37a 'NtUserQuerySendMessage', # 0x37b 'NtUserRealChildWindowFromPoint', # 0x37c 'NtUserRealWaitMessageEx', # 0x37d 'NtUserRegisterBSDRWindow', # 0x37e 'NtUserRegisterEdgy', # 0x37f 'NtUserRegisterErrorReportingDialog', # 0x380 'NtUserRegisterHotKey', # 0x381 'NtUserRegisterPointerDeviceNotifications', # 0x382 'NtUserRegisterPointerInputTarget', # 0x383 'NtUserRegisterRawInputDevices', # 0x384 'NtUserRegisterServicesProcess', # 0x385 'NtUserRegisterSessionPort', # 0x386 'NtUserRegisterTasklist', # 0x387 'NtUserRegisterTouchHitTestingWindow', # 0x388 'NtUserRegisterUserApiHook', # 0x389 'NtUserRemoteConnect', # 0x38a 'NtUserRemoteRedrawRectangle', # 0x38b 'NtUserRemoteRedrawScreen', # 0x38c 'NtUserRemoteStopScreenUpdates', # 0x38d 'NtUserRemoveClipboardFormatListener', # 0x38e 'NtUserResolveDesktopForWOW', # 0x38f 'NtUserSendEventMessage', # 0x390 'NtUserSetActiveProcess', # 0x391 'NtUserSetAppImeLevel', # 0x392 'NtUserSetAutoRotation', # 0x393 'NtUserSetBrokeredForeground', # 0x394 'NtUserSetCalibrationData', # 0x395 'NtUserSetChildWindowNoActivate', # 0x396 'NtUserSetClassWord', # 0x397 'NtUserSetCursorContents', # 0x398 'NtUserSetDisplayAutoRotationPreferences', # 0x399 'NtUserSetDisplayConfig', # 0x39a 'NtUserSetDisplayMapping', # 0x39b 'NtUserSetFallbackForeground', # 0x39c 'NtUserSetGestureConfig', # 0x39d 'NtUserSetImeHotKey', # 0x39e 'NtUserSetImeInfoEx', # 0x39f 'NtUserSetImeOwnerWindow', # 0x3a0 'NtUserSetImmersiveBackgroundWindow', # 0x3a1 'NtUserSetInternalWindowPos', # 0x3a2 'NtUserSetLayeredWindowAttributes', # 0x3a3 'NtUserSetMenu', # 0x3a4 'NtUserSetMenuContextHelpId', # 0x3a5 'NtUserSetMenuFlagRtoL', # 
0x3a6 'NtUserSetMirrorRendering', # 0x3a7 'NtUserSetObjectInformation', # 0x3a8 'NtUserSetProcessDPIAware', # 0x3a9 'NtUserSetProcessRestrictionExemption', # 0x3aa 'NtUserSetProcessUIAccessZorder', # 0x3ab 'NtUserSetSensorPresence', # 0x3ac 'NtUserSetShellWindowEx', # 0x3ad 'NtUserSetSysColors', # 0x3ae 'NtUserSetSystemCursor', # 0x3af 'NtUserSetSystemTimer', # 0x3b0 'NtUserSetThreadInputBlocked', # 0x3b1 'NtUserSetThreadLayoutHandles', # 0x3b2 'NtUserSetWindowBand', # 0x3b3 'NtUserSetWindowCompositionAttribute', # 0x3b4 'NtUserSetWindowCompositionTransition', # 0x3b5 'NtUserSetWindowDisplayAffinity', # 0x3b6 'NtUserSetWindowFeedbackSetting', # 0x3b7 'NtUserSetWindowRgnEx', # 0x3b8 'NtUserSetWindowStationUser', # 0x3b9 'NtUserShowSystemCursor', # 0x3ba 'NtUserShutdownBlockReasonCreate', # 0x3bb 'NtUserShutdownBlockReasonQuery', # 0x3bc 'NtUserShutdownReasonDestroy', # 0x3bd 'NtUserSignalRedirectionStartComplete', # 0x3be 'NtUserSlicerControl', # 0x3bf 'NtUserSoundSentry', # 0x3c0 'NtUserSwitchDesktop', # 0x3c1 'NtUserTestForInteractiveUser', # 0x3c2 'NtUserTrackPopupMenuEx', # 0x3c3 'NtUserUndelegateInput', # 0x3c4 'NtUserUnloadKeyboardLayout', # 0x3c5 'NtUserUnlockWindowStation', # 0x3c6 'NtUserUnregisterHotKey', # 0x3c7 'NtUserUnregisterSessionPort', # 0x3c8 'NtUserUnregisterUserApiHook', # 0x3c9 'NtUserUpdateDefaultDesktopThumbnail', # 0x3ca 'NtUserUpdateInputContext', # 0x3cb 'NtUserUpdateInstance', # 0x3cc 'NtUserUpdateLayeredWindow', # 0x3cd 'NtUserUpdatePerUserSystemParameters', # 0x3ce 'NtUserUpdateWindowTransform', # 0x3cf 'NtUserUserHandleGrantAccess', # 0x3d0 'NtUserValidateHandleSecure', # 0x3d1 'NtUserWaitAvailableMessageEx', # 0x3d2 'NtUserWaitForInputIdle', # 0x3d3 'NtUserWaitForMsgAndEvent', # 0x3d4 'NtUserWaitForRedirectionStartComplete', # 0x3d5 'NtUserWindowFromPhysicalPoint', # 0x3d6 'NtValidateCompositionSurfaceHandle', # 0x3d7 'NtUserSetClassLongPtr', # 0x3d8 'NtUserSetWindowLongPtr', # 0x3d9 ], ] 
volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/crash_vtypes.py0000644000000000000000000001035713131215405027446 0ustar rootroot
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

# Structure layouts for Windows crash dump headers.
#
# Each entry maps a structure name to
#     [size, {field name: [byte offset, [type, ...]]}]
# In both entries the first element equals the end of the last field
# (0xfc8 + 56 == 0x1000, 0x1050 + 4016 == 0x2000), i.e. it is the structure
# size in bytes. '_DMP_HEADER' lays its address-like fields out 4 bytes apart
# as 'unsigned long'; '_DMP_HEADER64' lays them out 8 bytes apart as
# 'unsigned long long'.
#
# NOTE(review): every value these layouts describe is read from the dump file
# under analysis, so it is untrusted input. The code that consumes this table
# is not in this file; it should check Signature/ValidDump before trusting any
# other field, and bound any size or count taken from the header before using
# it as an offset or length - confirm against the crash dump address space.
crash_vtypes = {
## These types are for crash dumps
  '_DMP_HEADER' : [ 0x1000, {
    # Two 4-byte tags at the very start of the header. The expected tag
    # values are not defined in this table - verify against the consumer.
    'Signature' : [ 0x0, ['array', 4, ['unsigned char']]],
    'ValidDump' : [ 0x4, ['array', 4, ['unsigned char']]],
    'MajorVersion' : [ 0x8, ['unsigned long']],
    'MinorVersion' : [ 0xc, ['unsigned long']],
    'DirectoryTableBase' : [ 0x10, ['unsigned long']],
    'PfnDataBase' : [ 0x14, ['unsigned long']],
    'PsLoadedModuleList' : [ 0x18, ['unsigned long']],
    'PsActiveProcessHead' : [ 0x1c, ['unsigned long']],
    'MachineImageType' : [ 0x20, ['unsigned long']],
    'NumberProcessors' : [ 0x24, ['unsigned long']],
    'BugCheckCode' : [ 0x28, ['unsigned long']],
    'BugCheckCodeParameter' : [ 0x2c, ['array', 4, ['unsigned long']]],
    'VersionUser' : [ 0x3c, ['array', 32, ['unsigned char']]],
    'PaeEnabled' : [ 0x5c, ['unsigned char']],
    'KdSecondaryVersion' : [ 0x5d, ['unsigned char']],
    'VersionUser2' : [ 0x5e, ['array', 2, ['unsigned char']]],
    'KdDebuggerDataBlock' : [ 0x60, ['unsigned long']],
    # _PHYSICAL_MEMORY_DESCRIPTOR is defined elsewhere. The next field starts
    # at 0x320, leaving 0x2bc bytes here.
    # NOTE(review): if the descriptor carries a file-supplied run count, the
    # consumer should reject counts that would not fit in that space - confirm.
    'PhysicalMemoryBlockBuffer' : [ 0x64, ['_PHYSICAL_MEMORY_DESCRIPTOR']],
    # Kept as 1200 raw bytes rather than a typed structure; ends at 0x7d0,
    # where Exception begins.
    'ContextRecord' : [ 0x320, ['array', 1200, ['unsigned char']]],
    'Exception' : [ 0x7d0, ['_EXCEPTION_RECORD32']],
    # Comment ends at 0x8a0; offsets 0x8a0-0xf87 are not described here.
    'Comment' : [ 0x820, ['array', 128, ['unsigned char']]],
    'DumpType' : [ 0xf88, ['unsigned long']],
    'MiniDumpFields' : [ 0xf8c, ['unsigned long']],
    'SecondaryDataState' : [ 0xf90, ['unsigned long']],
    'ProductType' : [ 0xf94, ['unsigned long']],
    'SuiteMask' : [ 0xf98, ['unsigned long']],
    'WriterStatus' : [ 0xf9c, ['unsigned long']],
    'RequiredDumpSpace' : [ 0xfa0, ['unsigned long long']],
    'SystemUpTime' : [ 0xfb8, ['unsigned long long']],
    'SystemTime' : [ 0xfc0, ['unsigned long long']],
    'reserved3' : [ 0xfc8, ['array', 56, ['unsigned char']]],
} ],
  '_DMP_HEADER64' : [ 0x2000, {
    # Same two leading 4-byte tags as '_DMP_HEADER'.
    'Signature' : [ 0x0, ['array', 4, ['unsigned char']]],
    'ValidDump' : [ 0x4, ['array', 4, ['unsigned char']]],
    'MajorVersion' : [ 0x8, ['unsigned long']],
    'MinorVersion' : [ 0xc, ['unsigned long']],
    'DirectoryTableBase' : [ 0x10, ['unsigned long long']],
    'PfnDataBase' : [ 0x18, ['unsigned long long']],
    'PsLoadedModuleList' : [ 0x20, ['unsigned long long']],
    'PsActiveProcessHead' : [ 0x28, ['unsigned long long']],
    'MachineImageType' : [ 0x30, ['unsigned long']],
    'NumberProcessors' : [ 0x34, ['unsigned long']],
    # BugCheckCode is 4 bytes at 0x38; the parameters start at 0x40.
    'BugCheckCode' : [ 0x38, ['unsigned long']],
    # Parameters end at 0x60; offsets 0x60-0x7f are not described here.
    'BugCheckCodeParameter' : [ 0x40, ['array', 4, ['unsigned long long']]],
    'KdDebuggerDataBlock' : [0x80, ['unsigned long long']],
    # _PHYSICAL_MEMORY_DESCRIPTOR is defined elsewhere. The next field starts
    # at 0x348, leaving 0x2c0 bytes here.
    # NOTE(review): same bounding concern as the 32-bit header - confirm that
    # the consumer limits any file-supplied run count to this space.
    'PhysicalMemoryBlockBuffer' : [ 0x88, ['_PHYSICAL_MEMORY_DESCRIPTOR']],
    # Kept as 3000 raw bytes; ends at 0xf00, where Exception begins.
    'ContextRecord' : [ 0x348, ['array', 3000, ['unsigned char']]],
    'Exception' : [ 0xf00, ['_EXCEPTION_RECORD64']],
    'DumpType' : [ 0xf98, ['unsigned long']],
    'RequiredDumpSpace' : [ 0xfa0, ['unsigned long long']],
    'SystemTime' : [ 0xfa8, ['unsigned long long']],
    'Comment' : [ 0xfb0, ['array', 128, ['unsigned char']]],
    'SystemUpTime' : [ 0x1030, ['unsigned long long']],
    'MiniDumpFields' : [ 0x1038, ['unsigned long']],
    'SecondaryDataState' : [ 0x103c, ['unsigned long']],
    'ProductType' : [ 0x1040, ['unsigned long']],
    'SuiteMask' : [ 0x1044, ['unsigned long']],
    'WriterStatus' : [ 0x1048, ['unsigned long']],
    'Unused1' : [ 0x104c, ['unsigned char']],
    'KdSecondaryVersion' : [ 0x104d, ['unsigned char']],
    'Unused' : [ 0x104e, ['array', 2, ['unsigned char']]],
    '_reserved0' : [ 0x1050, ['array', 4016, ['unsigned char']]],
} ],
}
././@LongLink0000644000000000000000000000014700000000000011605 Lustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win7_sp1_x64_632B36E0_vtypes.pyvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win7_sp1_x64_632B36E0_vtypes.0000755000000000000000000174025213131215405031207 0ustar rootrootntkrnlmp_types = { '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_KBUGCHECK_ACTIVE_STATE' : [ 0x4, { 'BugCheckState' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'RecursionCount' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'BugCheckOwner' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['long']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']],
'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_SYSTEM_IDLE' : [ 0x38, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned char']], 'IdleWorker' : [ 0x25, ['unsigned char']], 'Sampling' : [ 0x26, ['unsigned char']], 'LastTick' : [ 0x28, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x30, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x18, { 'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x20, 
['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x18, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x8, ['pointer64', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x10, ['long']], 'MissedMappingsCount' : [ 0x14, ['unsigned long']], } ], '__unnamed_202c' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_202e' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2030' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], 
'__unnamed_2032' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_2030']], 'Translated' : [ 0x0, ['__unnamed_202e']], } ], '__unnamed_2034' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_2036' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_2038' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_203a' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_203c' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_203e' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_2040' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_202c']], 'Port' : [ 0x0, ['__unnamed_202c']], 'Interrupt' : [ 0x0, ['__unnamed_202e']], 'MessageInterrupt' : [ 0x0, ['__unnamed_2032']], 'Memory' : [ 0x0, ['__unnamed_202c']], 'Dma' : [ 0x0, ['__unnamed_2034']], 'DevicePrivate' : [ 0x0, ['__unnamed_1eff']], 'BusNumber' : [ 0x0, ['__unnamed_2036']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_2038']], 'Memory40' : [ 0x0, ['__unnamed_203a']], 'Memory48' : [ 0x0, ['__unnamed_203c']], 'Memory64' : [ 0x0, ['__unnamed_203e']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_2040']], } ], '__unnamed_2045' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_2045']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 
'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_204f' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_204f']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x48, { 'Parent' : [ 0x0, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x8, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x10, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0x18, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_2059' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x28, { 'u' : [ 0x0, ['__unnamed_1fb7']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_2059']], 'LeftChild' : [ 0x18, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x20, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '__unnamed_2061' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_2063' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_2061']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 
0x58, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x40, ['_LIST_ENTRY']], 'Specific' : [ 0x50, ['__unnamed_2063']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 
'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : 
[ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 
'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 
0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x30, { 'InterceptorFunction' : [ 0x0, ['pointer64', ['void']]], 'InterceptorValue' : [ 0x8, ['unsigned short']], 'ExtendedOptions' : [ 0xc, ['unsigned long']], 'StackTraceDepth' : [ 0x10, ['unsigned long']], 'MinTotalBlockSize' : [ 0x18, ['unsigned long long']], 'MaxTotalBlockSize' : [ 0x20, ['unsigned long long']], 'HeapLeakEnumerationRoutine' : [ 0x28, ['pointer64', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x68, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'WorkItem' : [ 0x38, ['_WORK_QUEUE_ITEM']], 'FailingDriver' : [ 0x58, ['pointer64', ['_DRIVER_OBJECT']]], 'ReferenceCount' : [ 0x60, ['long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, 
['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RefCount' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, 
['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '__unnamed_20e2' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Reserved' 
: [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0xb0, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_20e2']], 'TargetProcessors' : [ 0x30, ['_KAFFINITY_EX']], 'PStateHandler' : [ 0x58, ['pointer64', ['void']]], 'PStateContext' : [ 0x60, ['unsigned long long']], 'TStateHandler' : [ 0x68, ['pointer64', ['void']]], 'TStateContext' : [ 0x70, ['unsigned long long']], 'FeedbackHandler' : [ 0x78, ['pointer64', ['void']]], 'GetFFHThrottleState' : [ 0x80, ['pointer64', ['void']]], 'State' : [ 0x88, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_KTIMER' : 
[ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xc0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 
4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'ProgrammedRTCTime' : [ 0x58, ['unsigned long long']], 'WakeOnRTC' : [ 0x60, ['unsigned char']], 'WakeTimerInfo' : [ 0x68, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], 'FilteredCapabilities' : [ 0x70, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 
'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x50, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x228, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTransitions' : [ 0x8, ['unsigned long']], 'FailedTransitions' : [ 0xc, ['unsigned long']], 'InvalidBucketIndex' : [ 0x10, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 16, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 
'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2124' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_2126' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_2124']], 'Button' : [ 0x10, ['__unnamed_2126']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, 
['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 
'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0x148, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'EmInfFileImage' : [ 0x18, ['pointer64', ['void']]], 'EmInfFileSize' : [ 0x20, ['unsigned long']], 'TriageDumpBlock' : [ 0x28, ['pointer64', ['void']]], 'LoaderPagesSpanned' : [ 0x30, ['unsigned long long']], 'HeadlessLoaderBlock' : [ 0x38, ['pointer64', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x40, ['pointer64', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x48, ['pointer64', ['void']]], 'DrvDBSize' : [ 0x50, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x58, ['pointer64', ['_NETWORK_LOADER_BLOCK']]], 'FirmwareDescriptorListHead' : [ 0x60, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x70, ['pointer64', ['void']]], 'AcpiTableSize' : [ 0x78, ['unsigned long']], 'LastBootSucceeded' : [ 0x7c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LastBootShutdown' : [ 0x7c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPortAccessSupported' : [ 0x7c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x7c, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x80, ['pointer64', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x88, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x98, ['pointer64', ['void']]], 'BootIdentifier' : [ 0xa0, ['_GUID']], 'ResumePages' : [ 0xb0, ['unsigned long']], 'DumpHeader' : [ 0xb8, ['pointer64', ['void']]], 'BgContext' : [ 0xc0, ['pointer64', 
['void']]], 'NumaLocalityInfo' : [ 0xc8, ['pointer64', ['void']]], 'NumaGroupAssignment' : [ 0xd0, ['pointer64', ['void']]], 'AttachedHives' : [ 0xd8, ['_LIST_ENTRY']], 'MemoryCachingRequirementsCount' : [ 0xe8, ['unsigned long']], 'MemoryCachingRequirements' : [ 0xf0, ['pointer64', ['void']]], 'TpmBootEntropyResult' : [ 0xf8, ['_TPM_BOOT_ENTROPY_LDR_RESULT']], 'ProcessorCounterFrequency' : [ 0x140, ['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 
'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x400, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x30, { 'Mdl' : [ 0x0, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x8, ['pointer64', ['void']]], 'UserLimit' : [ 0x10, ['pointer64', ['void']]], 'SystemVa' : [ 0x18, ['pointer64', ['void']]], 'SystemLimit' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_PROC_HISTORY_ENTRY' : [ 0x4, { 'Utility' : [ 0x0, ['unsigned short']], 'Frequency' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, 
['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 
'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 
'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x18, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer64', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0x10, ['pointer64', ['void']]], } ], '_PEB64' : [ 0x380, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, 
['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pContextData' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 
2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_21ca' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1f80, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_21ca']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x20, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x28, ['unsigned long long']], 'NonPagablePages' : [ 0x30, ['unsigned long long']], 'CommittedPages' : [ 0x38, ['unsigned long long']], 'PagedPoolStart' : [ 0x40, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x48, ['pointer64', ['void']]], 'SessionObject' : [ 0x50, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x58, ['pointer64', ['void']]], 'ResidentProcessCount' : [ 0x60, ['long']], 'SessionPoolAllocationFailures' : [ 0x64, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachGate' : [ 0x90, ['_KGATE']], 'WsListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 
'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xc88, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc90, ['pointer64', ['void']]], 'PagedPool' : [ 0xcc0, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e00, ['_MMPTE']], 'SessionVaLock' : [ 0x1e08, ['_KGUARDED_MUTEX']], 'DynamicVaBitMap' : [ 0x1e40, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1e50, ['unsigned long']], 'SpecialPool' : [ 0x1e58, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1ea0, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1ed8, ['long']], 'PagedPoolPdeCount' : [ 0x1edc, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1ee0, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1ee4, ['unsigned long']], 'SystemPteInfo' : [ 0x1ee8, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f30, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1f38, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1f40, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1f48, ['unsigned long long']], 'IoState' : [ 0x1f50, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1f54, ['unsigned long']], 'IoNotificationEvent' : [ 0x1f58, ['_KEVENT']], 'CreateTime' : [ 0x1f70, ['unsigned long long']], 'CpuQuotaBlock' : [ 0x1f78, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 
0x8, ['pointer64', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, 
end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, 
['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'AttemptingDelete' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, 
['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned long']], 'PagedPoolCommit' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'FeedbackHandler' : [ 0x40, ['pointer64', ['void']]], 'GetFFHThrottleState' : [ 0x48, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0x50, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0x58, ['pointer64', ['void']]], 'PerfHandler' : [ 0x60, ['pointer64', ['void']]], 'Processors' : [ 0x68, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'PerfChangeTime' : [ 0x70, ['unsigned long long']], 'ProcessorCount' : [ 0x78, ['unsigned long']], 'PreviousFrequencyMhz' : [ 0x7c, ['unsigned long']], 
'CurrentFrequencyMhz' : [ 0x80, ['unsigned long']], 'PreviousFrequency' : [ 0x84, ['unsigned long']], 'CurrentFrequency' : [ 0x88, ['unsigned long']], 'CurrentPerfContext' : [ 0x8c, ['unsigned long']], 'DesiredFrequency' : [ 0x90, ['unsigned long']], 'MaxFrequency' : [ 0x94, ['unsigned long']], 'MinPerfPercent' : [ 0x98, ['unsigned long']], 'MinThrottlePercent' : [ 0x9c, ['unsigned long']], 'MaxPercent' : [ 0xa0, ['unsigned long']], 'MinPercent' : [ 0xa4, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0xa8, ['unsigned long']], 'ConstrainedMinPercent' : [ 0xac, ['unsigned long']], 'Coordination' : [ 0xb0, ['unsigned char']], 'PerfChangeIntervalCount' : [ 0xb4, ['long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer64', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', 
['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x48, { 'PteBase' : [ 0x0, ['pointer64', ['_MMPTE']]], 'Lock' : [ 0x8, ['unsigned long long']], 'Paged' : [ 0x10, ['_MI_SPECIAL_POOL_PTE_LIST']], 'NonPaged' : [ 0x20, ['_MI_SPECIAL_POOL_PTE_LIST']], 'PagesInUse' : [ 0x30, ['long long']], 'SpecialPoolPdes' : [ 0x38, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '__unnamed_2240' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_2244' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, 
native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_2240']], 'Bits' : [ 0x4, ['__unnamed_2244']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 
'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_2260' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_2262' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2260']], 'Merged' : [ 0x10, ['__unnamed_2262']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], 
'__unnamed_226a' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_226a']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x70, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_1fb7']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'u1' : [ 0x38, ['__unnamed_2059']], 'LeftChild' : [ 0x40, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x48, ['pointer64', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x68, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 
'_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x70, { 'GetTime' : [ 0x0, ['unsigned long long']], 'SetTime' : [ 0x8, ['unsigned long long']], 'GetWakeupTime' : [ 0x10, ['unsigned long long']], 'SetWakeupTime' : [ 0x18, ['unsigned long long']], 'SetVirtualAddressMap' : [ 0x20, ['unsigned long long']], 'ConvertPointer' : [ 0x28, ['unsigned long long']], 'GetVariable' : [ 0x30, ['unsigned long long']], 'GetNextVariableName' : [ 0x38, ['unsigned long long']], 'SetVariable' : [ 0x40, ['unsigned long long']], 'GetNextHighMonotonicCount' : [ 0x48, ['unsigned long long']], 'ResetSystem' : [ 0x50, ['unsigned long long']], 'UpdateCapsule' : [ 0x58, ['unsigned long long']], 'QueryCapsuleCapabilities' : [ 0x60, ['unsigned long long']], 'QueryVariableInfo' : [ 0x68, ['unsigned long long']], } ], '_MI_SPECIAL_POOL_PTE_LIST' : [ 0x10, { 'FreePteHead' : [ 0x0, ['_MMPTE']], 'FreePteTail' : [ 0x8, ['_MMPTE']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned 
char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_2280' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_2284' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x50, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : 
[ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_2280']], 'u2' : [ 0x38, ['__unnamed_2284']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x48, ['array', 1, ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '__unnamed_228d' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_228f' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_228d']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x100, { 'SuspectDriverEntry' : [ 0x0, ['pointer64', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_228f']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long 
long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' : [ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x60, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned 
short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_TPM_BOOT_ENTROPY_LDR_RESULT' : [ 0x48, { 'Policy' : [ 0x0, ['unsigned long long']], 'ResultCode' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'TpmBootEntropyStructureUninitialized', 1: 'TpmBootEntropyDisabledByPolicy', 2: 'TpmBootEntropyNoTpmFound', 3: 'TpmBootEntropyTpmError', 4: 'TpmBootEntropySuccess'})]], 'ResultStatus' : [ 0xc, ['long']], 'Time' : [ 0x10, ['unsigned long long']], 'EntropyLength' : [ 0x18, ['unsigned long']], 'EntropyData' : [ 0x1c, ['array', 40, ['unsigned char']]], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', 
['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x48, ['pointer64', ['void']]], 'CallersCaller' : [ 0x50, ['pointer64', ['void']]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned 
char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 
'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1'})]], 'ReorderingBarrier' : [ 0x1c, ['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long long']], 'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x70, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GroupRegList' : [ 0x10, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x20, ['pointer64', ['_ETW_GUID_ENTRY']]], 'GroupEntry' : [ 0x28, ['pointer64', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0x30, ['unsigned short']], 'Flags' : [ 0x32, ['unsigned short']], 'EnableMask' : [ 0x34, ['unsigned char']], 'GroupEnableMask' : [ 0x35, ['unsigned char']], 'UseDescriptorType' : [ 0x36, ['unsigned char']], 'SessionId' : [ 0x38, ['unsigned long']], 'ReplyQueue' : [ 0x38, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x38, ['array', 4, ['pointer64', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x58, ['pointer64', ['_EPROCESS']]], 'Callback' : [ 0x58, ['pointer64', ['void']]], 'CallbackContext' : [ 0x60, ['pointer64', ['void']]], 'Traits' : [ 0x68, ['pointer64', ['_ETW_PROVIDER_TRAITS']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 
0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 
0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_ETW_PROVIDER_TRAITS' : [ 0x20, { 'Node' : [ 0x0, ['_RTL_BALANCED_NODE']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Traits' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x2f8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x2d0, ['_LIST_ENTRY']], 'Status' : [ 0x2e0, ['long']], 'FailedDevice' : [ 0x2e8, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x2f0, ['unsigned char']], 'Cancelled' : [ 0x2f1, ['unsigned char']], 'IgnoreErrors' : [ 0x2f2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x2f3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x2f4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned 
long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'ContainsDebug' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], 
'_TEB32' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned 
long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, 
['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 
0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x60, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'IdleCheck' : [ 0x28, ['pointer64', ['void']]], 'IdleHandler' : [ 0x30, ['pointer64', ['void']]], 'HvConfig' : [ 0x38, ['unsigned long long']], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Latency' : [ 0x48, ['unsigned long']], 'Power' : [ 0x4c, ['unsigned long']], 'TimeCheck' : [ 0x50, ['unsigned long']], 'StateFlags' : [ 0x54, ['unsigned long']], 'PromotePercent' : [ 0x58, ['unsigned char']], 'DemotePercent' : [ 0x59, ['unsigned char']], 'PromotePercentBase' : [ 0x5a, ['unsigned char']], 'DemotePercentBase' : [ 0x5b, ['unsigned char']], 'StateType' : [ 0x5c, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, 
['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_2318' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x40, { 'Lock' : [ 0x0, ['long']], 'NodeToFree' : [ 0x8, ['pointer64', ['void']]], 'NodeRangeSize' : [ 0x10, ['unsigned long long']], 'NodeCount' : [ 0x18, ['unsigned long long']], 'Tables' : [ 0x20, ['pointer64', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x28, ['unsigned long']], 'u1' : [ 0x2c, ['__unnamed_2318']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, 
['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_RELATION_LIST_ENTRY' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8168, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, 
['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x803c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']], 'TotalReleases' : [ 0x8044, ['unsigned long']], 'RootNodesDeleted' : [ 0x8048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x804c, ['unsigned long']], 'Instigator' : [ 0x8050, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8058, ['unsigned long']], 'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8160, ['long']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', 
['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']], } ], '_CONFIGURATION_COMPONENT' : [ 0x28, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, 
['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'Group' : [ 0x14, ['unsigned short']], 'GroupIndex' : [ 0x16, ['unsigned short']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer64', ['unsigned char']]], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, 
['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target 
= 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, 
['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 'Inserted' : [ 0x1c, ['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_2367' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2369' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2367']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2369']], } ], '_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA' : [ 0x8, { 'CapturedCpuShareWeight' : [ 0x0, ['unsigned long']], 'CapturedTotalWeight' : [ 0x4, ['unsigned long']], 'CombinedData' : [ 0x0, ['long long']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 
'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_237c' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_237c']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' 
: [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 
0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], 
'_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, 
['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x70, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], } ], 
'_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_23d4' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_23d6' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_23da' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_23de' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_23e0' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_23d4']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_23d6']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_23da']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_23de']], 'Others' : [ 0x0, ['__unnamed_23e0']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 
'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x110, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'Reset' : [ 0x3, ['unsigned char']], 'HiberFlags' : [ 0x4, ['unsigned char']], 'WroteHiberFile' : [ 0x5, ['unsigned char']], 'MapFrozen' : [ 0x6, ['unsigned char']], 'MemoryMap' : [ 0x8, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x18, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x28, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x38, ['unsigned long']], 'NextCloneRange' : [ 0x40, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x48, ['unsigned long long']], 'LoaderMdl' : [ 0x50, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x58, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x60, ['unsigned long long']], 'IoPages' : [ 0x68, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x70, ['unsigned long']], 'CurrentMcb' : [ 0x78, ['pointer64', ['void']]], 'DumpStack' : [ 0x80, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x88, ['pointer64', ['_KPROCESSOR_STATE']]], 'PreferredIoWriteSize' : [ 0x90, ['unsigned long']], 'IoProgress' : [ 0x94, ['unsigned long']], 'HiberVa' : [ 0x98, ['unsigned long long']], 'HiberPte' : [ 0xa0, ['_LARGE_INTEGER']], 'Status' : [ 0xa8, ['long']], 'MemoryImage' : [ 0xb0, ['pointer64', ['PO_MEMORY_IMAGE']]], 'CompressionWorkspace' : [ 0xb8, ['pointer64', ['void']]], 'CompressedWriteBuffer' : [ 0xc0, ['pointer64', ['unsigned char']]], 'CompressedWriteBufferSize' : [ 0xc8, ['unsigned long']], 'MaxCompressedOutputSize' : [ 0xcc, ['unsigned long']], 'PerformanceStats' : [ 0xd0, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xd8, ['pointer64', ['void']]], 'DmaIO' : [ 0xe0, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0xe8, ['pointer64', ['void']]], 'BootLoaderLogMdl' : [ 0xf0, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0xf8, ['pointer64', ['_MDL']]], 'ResumeContext' : [ 0x100, 
['pointer64', ['void']]], 'ResumeContextPages' : [ 0x108, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x40, { 'ThreadHandle' : [ 0x0, ['pointer64', ['void']]], 'ThreadId' : [ 0x8, ['pointer64', ['void']]], 'ProcessId' : [ 0x10, ['pointer64', ['void']]], 'Code' : [ 0x18, ['unsigned long']], 'Parameter1' : [ 0x20, ['unsigned long long']], 'Parameter2' : [ 0x28, ['unsigned long long']], 'Parameter3' : [ 0x30, ['unsigned long long']], 'Parameter4' : [ 0x38, ['unsigned long long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 
'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '__unnamed_2406' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_2406']], } ], '__unnamed_240a' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_240a']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 
'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0x128, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'FirstTablePage' : [ 0x60, ['unsigned long long']], 'PerfInfo' : [ 0x68, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xc0, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xc8, ['array', 1, ['unsigned long long']]], 'NoBootLoaderLogPages' : [ 0xd0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xd8, ['array', 8, ['unsigned long long']]], 'NotUsed' : [ 0x118, ['unsigned long']], 'ResumeContextCheck' : [ 0x11c, ['unsigned long']], 'ResumeContextPages' : [ 0x120, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 
'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x58, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'ElapsedTicks' : [ 0x18, ['unsigned long long']], 'CompressTicks' : [ 0x20, ['unsigned long long']], 'ResumeAppTime' : [ 0x28, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x30, ['unsigned long long']], 'BytesCopied' : [ 0x38, ['unsigned long long']], 'PagesProcessed' : [ 0x40, ['unsigned long long']], 'PagesWritten' : [ 0x48, ['unsigned long']], 'DumpCount' : [ 0x4c, ['unsigned long']], 'FileRuns' : [ 0x50, ['unsigned long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x30, { 'Entry' : [ 0x0, ['unsigned long long']], 'Writable' : [ 0x8, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned long long')]], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], 'ViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x20, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x40, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0x10, ['pointer64', ['unsigned char']]], 'PciDeviceId' : [ 0x18, ['unsigned short']], 'PciVendorId' : [ 0x1a, ['unsigned short']], 'PciBusNumber' : [ 0x1c, ['unsigned char']], 'PciBusSegment' : [ 0x1e, ['unsigned short']], 'PciSlotNumber' : [ 0x20, ['unsigned char']], 'PciFunctionNumber' : [ 0x21, ['unsigned char']], 'PciFlags' : [ 0x24, ['unsigned long']], 'SystemGUID' : [ 0x28, ['_GUID']], 'IsMMIODevice' : [ 0x38, ['unsigned char']], 'TerminalType' : [ 0x39, ['unsigned char']], } ], '__unnamed_2434' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, 
['unsigned long']], } ], '__unnamed_2436' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2438' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2434']], 'Gpt' : [ 0x0, ['__unnamed_2436']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_2438']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x48, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x10, ['unsigned long']], 'Hint' : [ 0x14, ['unsigned long']], 'BasePte' : [ 0x18, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'Vm' : [ 0x28, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x30, ['long']], 'TotalFreeSystemPtes' : [ 0x34, ['long']], 'CachedPteCount' : [ 0x38, ['long']], 'PteFailures' : [ 0x3c, ['unsigned long']], 'SpinLock' : [ 0x40, ['unsigned long long']], 'GlobalMutex' : [ 0x40, ['pointer64', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x20, { 'DHCPServerACK' : [ 0x0, ['pointer64', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x8, ['unsigned long']], 'BootServerReplyPacket' : [ 0x10, ['pointer64', 
['unsigned char']]], 'BootServerReplyPacketLength' : [ 0x18, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x298, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 9, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 
'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 
'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TscQpcData' : [ 0x2ed, ['unsigned char']], 'TscQpcEnabled' : [ 0x2ed, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TscQpcSpareFlag' : [ 0x2ed, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TscQpcShift' : [ 0x2ed, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'TscQpcPad' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 
'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'DEPRECATED_Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved5' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned short']], 'Reserved4' : [ 0x3c6, ['unsigned 
short']], 'AitSamplingValue' : [ 0x3c8, ['unsigned long']], 'AppCompatFlag' : [ 0x3cc, ['unsigned long']], 'DEPRECATED_SystemDllNativeRelocation' : [ 0x3d0, ['unsigned long long']], 'DEPRECATED_SystemDllWowRelocation' : [ 0x3d8, ['unsigned long']], 'XStatePad' : [ 0x3dc, ['array', 1, ['unsigned long']]], 'XState' : [ 0x3e0, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1043' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1043']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1047' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1047']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_105f' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1061' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_105f']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_1061']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 
'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_INVALID'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TP_TASK' : [ 0x20, { 'Callbacks' : [ 0x0, ['pointer64', ['_TP_TASK_CALLBACKS']]], 'NumaNode' : [ 0x8, ['unsigned long']], 'IdealProcessor' : [ 0xc, ['unsigned char']], 'ListEntry' : [ 0x10, ['_LIST_ENTRY']], } ], '_TP_TASK_CALLBACKS' : [ 0x10, { 'ExecuteCallback' : [ 0x0, ['pointer64', ['void']]], 'Unposted' : [ 0x8, ['pointer64', ['void']]], } ], '_TP_DIRECT' : [ 0x10, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'NumaNode' : [ 0x8, ['unsigned long']], 'IdealProcessor' : [ 0xc, ['unsigned char']], } ], '_TEB' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 
'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'EtwLocalData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, 
['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 
'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : 
[ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KPCR' : [ 0x4e80, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, 
['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x4d00, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'PrcbPad00' : [ 0x21, ['array', 3, ['unsigned char']]], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PrcbPad01' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 
0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, ['unsigned long']], 'Group' : [ 0x658, ['unsigned short']], 'GroupSetMember' : [ 0x660, ['unsigned long long']], 'GroupIndex' : [ 0x668, ['unsigned char']], 'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2080, ['long']], 'DeferredReadyListHead' : [ 0x2088, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2090, ['long']], 'MmCopyOnWriteCount' : [ 0x2094, ['long']], 'MmTransitionCount' : [ 0x2098, ['long']], 'MmDemandZeroCount' : [ 0x209c, ['long']], 'MmPageReadCount' : [ 0x20a0, ['long']], 'MmPageReadIoCount' : [ 0x20a4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x20a8, ['long']], 'MmDirtyWriteIoCount' : [ 0x20ac, ['long']], 'MmMappedPagesWriteCount' : [ 0x20b0, ['long']], 'MmMappedWriteIoCount' : [ 0x20b4, ['long']], 'KeSystemCalls' : [ 0x20b8, ['unsigned long']], 'KeContextSwitches' : [ 0x20bc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x20c0, ['unsigned long']], 'CcFastReadWait' : [ 0x20c4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x20c8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x20cc, ['unsigned long']], 'CcCopyReadWait' : [ 0x20d0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x20d4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x20d8, ['long']], 'IoReadOperationCount' : [ 0x20dc, ['long']], 'IoWriteOperationCount' : [ 0x20e0, ['long']], 'IoOtherOperationCount' 
: [ 0x20e4, ['long']], 'IoReadTransferCount' : [ 0x20e8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x20f0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x20f8, ['_LARGE_INTEGER']], 'TargetCount' : [ 0x2100, ['long']], 'IpiFrozen' : [ 0x2104, ['unsigned long']], 'DpcData' : [ 0x2180, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x21c0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x21c8, ['long']], 'DpcRequestRate' : [ 0x21cc, ['unsigned long']], 'MinimumDpcRate' : [ 0x21d0, ['unsigned long']], 'DpcLastCount' : [ 0x21d4, ['unsigned long']], 'ThreadDpcEnable' : [ 0x21d8, ['unsigned char']], 'QuantumEnd' : [ 0x21d9, ['unsigned char']], 'DpcRoutineActive' : [ 0x21da, ['unsigned char']], 'IdleSchedule' : [ 0x21db, ['unsigned char']], 'DpcRequestSummary' : [ 0x21dc, ['long']], 'DpcRequestSlot' : [ 0x21dc, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x21dc, ['short']], 'DpcThreadActive' : [ 0x21de, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ThreadDpcState' : [ 0x21de, ['short']], 'TimerHand' : [ 0x21e0, ['unsigned long']], 'MasterOffset' : [ 0x21e4, ['long']], 'LastTick' : [ 0x21e8, ['unsigned long']], 'UnusedPad' : [ 0x21ec, ['unsigned long']], 'PrcbPad50' : [ 0x21f0, ['array', 2, ['unsigned long long']]], 'TimerTable' : [ 0x2200, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x4400, ['_KGATE']], 'PrcbPad52' : [ 0x4418, ['pointer64', ['void']]], 'CallDpc' : [ 0x4420, ['_KDPC']], 'ClockKeepAlive' : [ 0x4460, ['long']], 'ClockCheckSlot' : [ 0x4464, ['unsigned char']], 'ClockPollCycle' : [ 0x4465, ['unsigned char']], 'NmiActive' : [ 0x4466, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x4468, ['long']], 'DpcWatchdogCount' : [ 0x446c, ['long']], 'TickOffset' : [ 0x4470, ['unsigned long long']], 'KeSpinLockOrdering' : [ 0x4478, ['long']], 'PrcbPad70' : [ 0x447c, ['unsigned long']], 'WaitListHead' : [ 0x4480, ['_LIST_ENTRY']], 'WaitLock' : [ 0x4490, ['unsigned long long']], 'ReadySummary' : [ 0x4498, ['unsigned long']], 
'QueueIndex' : [ 0x449c, ['unsigned long']], 'TimerExpirationDpc' : [ 0x44a0, ['_KDPC']], 'PrcbPad72' : [ 0x44e0, ['array', 4, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x4500, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x4700, ['unsigned long']], 'KernelTime' : [ 0x4704, ['unsigned long']], 'UserTime' : [ 0x4708, ['unsigned long']], 'DpcTime' : [ 0x470c, ['unsigned long']], 'InterruptTime' : [ 0x4710, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4714, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4718, ['unsigned char']], 'PrcbPad80' : [ 0x4719, ['array', 7, ['unsigned char']]], 'DpcTimeCount' : [ 0x4720, ['unsigned long']], 'DpcTimeLimit' : [ 0x4724, ['unsigned long']], 'PeriodicCount' : [ 0x4728, ['unsigned long']], 'PeriodicBias' : [ 0x472c, ['unsigned long']], 'AvailableTime' : [ 0x4730, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x4734, ['unsigned long']], 'ParentNode' : [ 0x4738, ['pointer64', ['_KNODE']]], 'StartCycles' : [ 0x4740, ['unsigned long long']], 'PrcbPad82' : [ 0x4748, ['array', 3, ['unsigned long long']]], 'MmSpinLockOrdering' : [ 0x4760, ['long']], 'PageColor' : [ 0x4764, ['unsigned long']], 'NodeColor' : [ 0x4768, ['unsigned long']], 'NodeShiftedColor' : [ 0x476c, ['unsigned long']], 'SecondaryColorMask' : [ 0x4770, ['unsigned long']], 'PrcbPad83' : [ 0x4774, ['unsigned long']], 'CycleTime' : [ 0x4778, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x4780, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x4784, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x4788, ['unsigned long']], 'CcMapDataNoWait' : [ 0x478c, ['unsigned long']], 'CcMapDataWait' : [ 0x4790, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x4794, ['unsigned long']], 'CcPinReadNoWait' : [ 0x4798, ['unsigned long']], 'CcPinReadWait' : [ 0x479c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x47a0, ['unsigned long']], 'CcMdlReadWait' : [ 0x47a4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x47a8, ['unsigned long']], 'CcLazyWriteIos' : [ 
0x47ac, ['unsigned long']], 'CcLazyWritePages' : [ 0x47b0, ['unsigned long']], 'CcDataFlushes' : [ 0x47b4, ['unsigned long']], 'CcDataPages' : [ 0x47b8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x47bc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x47c0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x47c4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x47c8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x47cc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x47d0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x47d4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x47d8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x47dc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x47e0, ['unsigned long']], 'CcReadAheadIos' : [ 0x47e4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x47e8, ['long']], 'MmCacheReadCount' : [ 0x47ec, ['long']], 'MmCacheIoCount' : [ 0x47f0, ['long']], 'PrcbPad91' : [ 0x47f4, ['array', 1, ['unsigned long']]], 'RuntimeAccumulation' : [ 0x47f8, ['unsigned long long']], 'PowerState' : [ 0x4800, ['_PROCESSOR_POWER_STATE']], 'PrcbPad92' : [ 0x4900, ['array', 16, ['unsigned char']]], 'KeAlignmentFixupCount' : [ 0x4910, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x4918, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x4958, ['_KTIMER']], 'Cache' : [ 0x4998, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x49d4, ['unsigned long']], 'CachedCommit' : [ 0x49d8, ['unsigned long']], 'CachedResidentAvailable' : [ 0x49dc, ['unsigned long']], 'HyperPte' : [ 0x49e0, ['pointer64', ['void']]], 'WheaInfo' : [ 0x49e8, ['pointer64', ['void']]], 'EtwSupport' : [ 0x49f0, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x4a00, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x4a10, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x4a20, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x4a28, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x4a30, ['pointer64', ['unsigned long long']]], 'RateControl' : [ 0x4a38, ['pointer64', ['void']]], 'CacheProcessorMask' : [ 
0x4a40, ['array', 5, ['unsigned long long']]], 'PackageProcessorSet' : [ 0x4a68, ['_KAFFINITY_EX']], 'CoreProcessorSet' : [ 0x4a90, ['unsigned long long']], 'PebsIndexAddress' : [ 0x4a98, ['pointer64', ['void']]], 'PrcbPad93' : [ 0x4aa0, ['array', 12, ['unsigned long long']]], 'SpinLockAcquireCount' : [ 0x4b00, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4b04, ['unsigned long']], 'SpinLockSpinCount' : [ 0x4b08, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0x4b0c, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x4b10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x4b14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x4b18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x4b1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x4b20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x4b24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x4b28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x4b2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x4b30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x4b34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x4b38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x4b3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x4b40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x4b44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x4b48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4b4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x4b50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x4b54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x4b58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x4b5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x4b60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x4b64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x4b68, ['unsigned 
long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x4b6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x4b70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x4b74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x4b78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x4b7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x4b80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x4b84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x4b88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x4b8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x4b90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x4b94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x4b98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x4b9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0x4ba0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0x4ba4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0x4ba8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0x4bac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0x4bb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0x4bb4, ['unsigned long']], 'VendorString' : [ 0x4bb8, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x4bc5, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x4bc8, ['unsigned long']], 'UpdateSignature' : [ 0x4bd0, ['_LARGE_INTEGER']], 'Context' : [ 0x4bd8, ['pointer64', ['_CONTEXT']]], 'ContextFlags' : [ 0x4be0, ['unsigned long']], 'ExtendedState' : [ 0x4be8, ['pointer64', ['_XSAVE_AREA']]], 'Mailbox' : [ 0x4c00, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x4c80, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_KTHREAD' : [ 0x368, { 'Header' : [ 0x0, 
['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'WaitRegister' : [ 0x48, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x49, ['unsigned char']], 'Alerted' : [ 0x4a, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x4c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x4c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x4c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x4c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x4c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x4c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x4c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x4c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x4c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x4c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x4c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x4c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'TimerActive' : [ 0x4c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SystemThread' : [ 0x4c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Reserved' : [ 0x4c, 
['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x4c, ['long']], 'ApcState' : [ 0x50, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x50, ['array', 43, ['unsigned char']]], 'Priority' : [ 0x7b, ['unsigned char']], 'NextProcessor' : [ 0x7c, ['unsigned long']], 'DeferredProcessor' : [ 0x80, ['unsigned long']], 'ApcQueueLock' : [ 0x88, ['unsigned long long']], 'WaitStatus' : [ 0x90, ['long long']], 'WaitBlockList' : [ 0x98, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xa0, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xb0, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb8, ['pointer64', ['void']]], 'Timer' : [ 0xc0, ['_KTIMER']], 'AutoAlignment' : [ 0x100, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x100, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0x100, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0x100, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CalloutActive' : [ 0x100, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ApcQueueable' : [ 0x100, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x100, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'GuiThread' : [ 0x100, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x100, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'VdmSafe' : [ 0x100, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'UmsDispatched' : [ 0x100, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReservedFlags' : [ 0x100, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], 
'ThreadFlags' : [ 0x100, ['long']], 'Spare0' : [ 0x104, ['unsigned long']], 'WaitBlock' : [ 0x108, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x108, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x134, ['unsigned long']], 'WaitBlockFill5' : [ 0x108, ['array', 92, ['unsigned char']]], 'State' : [ 0x164, ['unsigned char']], 'NpxState' : [ 0x165, ['unsigned char']], 'WaitIrql' : [ 0x166, ['unsigned char']], 'WaitMode' : [ 0x167, ['unsigned char']], 'WaitBlockFill6' : [ 0x108, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x194, ['unsigned long']], 'WaitBlockFill7' : [ 0x108, ['array', 168, ['unsigned char']]], 'TebMappedLowVa' : [ 0x1b0, ['pointer64', ['void']]], 'Ucb' : [ 0x1b8, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'WaitBlockFill8' : [ 0x108, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1c4, ['short']], 'SpecialApcDisable' : [ 0x1c6, ['short']], 'CombinedApcDisable' : [ 0x1c4, ['unsigned long']], 'QueueListEntry' : [ 0x1c8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1d8, ['pointer64', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x1e0, ['pointer64', ['void']]], 'CallbackStack' : [ 0x1e8, ['pointer64', ['void']]], 'CallbackDepth' : [ 0x1e8, ['unsigned long long']], 'ApcStateIndex' : [ 0x1f0, ['unsigned char']], 'BasePriority' : [ 0x1f1, ['unsigned char']], 'PriorityDecrement' : [ 0x1f2, ['unsigned char']], 'ForegroundBoost' : [ 0x1f2, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x1f2, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x1f3, ['unsigned char']], 'AdjustReason' : [ 0x1f4, ['unsigned char']], 'AdjustIncrement' : [ 0x1f5, ['unsigned char']], 'PreviousMode' : [ 0x1f6, ['unsigned char']], 'Saturation' : [ 0x1f7, ['unsigned char']], 'SystemCallNumber' : [ 0x1f8, ['unsigned long']], 'FreezeCount' : [ 0x1fc, ['unsigned long']], 'UserAffinity' : [ 0x200, ['_GROUP_AFFINITY']], 'Process' : [ 0x210, ['pointer64', ['_KPROCESS']]], 
'Affinity' : [ 0x218, ['_GROUP_AFFINITY']], 'IdealProcessor' : [ 0x228, ['unsigned long']], 'UserIdealProcessor' : [ 0x22c, ['unsigned long']], 'ApcStatePointer' : [ 0x230, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x240, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x240, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x26b, ['unsigned char']], 'SuspendCount' : [ 0x26c, ['unsigned char']], 'Spare1' : [ 0x26d, ['unsigned char']], 'CodePatchInProgress' : [ 0x26e, ['unsigned char']], 'Win32Thread' : [ 0x270, ['pointer64', ['void']]], 'StackBase' : [ 0x278, ['pointer64', ['void']]], 'SuspendApc' : [ 0x280, ['_KAPC']], 'SuspendApcFill0' : [ 0x280, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x281, ['unsigned char']], 'SuspendApcFill1' : [ 0x280, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x283, ['unsigned char']], 'SuspendApcFill2' : [ 0x280, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x284, ['unsigned long']], 'SuspendApcFill3' : [ 0x280, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c0, ['pointer64', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x280, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2c8, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x280, ['array', 83, ['unsigned char']]], 'LargeStack' : [ 0x2d3, ['unsigned char']], 'UserTime' : [ 0x2d4, ['unsigned long']], 'SuspendSemaphore' : [ 0x2d8, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2d8, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2f4, ['unsigned long']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x318, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x320, ['long long']], 'WriteOperationCount' : [ 0x328, ['long long']], 'OtherOperationCount' : [ 0x330, ['long long']], 'ReadTransferCount' : [ 0x338, ['long long']], 'WriteTransferCount' : [ 0x340, ['long long']], 'OtherTransferCount' : [ 0x348, ['long long']], 'ThreadCounters' : [ 0x350, ['pointer64', 
['_KTHREAD_COUNTERS']]], 'StateSaveArea' : [ 0x358, ['pointer64', ['_XSAVE_FORMAT']]], 'XStateSave' : [ 0x360, ['pointer64', ['_XSTATE_SAVE']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x50, { 'Current' : [ 0x0, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x28, ['_KERNEL_STACK_SEGMENT']], } ], '_UMS_CONTROL_BLOCK' : [ 0x98, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'PrimaryFlags' : [ 0x88, ['unsigned long']], 'UmsContextHeaderReady' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsContextHeader' : [ 0x30, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'UmsWaitGate' : [ 0x38, ['_KGATE']], 'StagingArea' : [ 0x50, ['pointer64', ['void']]], 'Flags' : [ 0x58, ['long']], 'UmsForceQueueTermination' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsPrimaryDeliveredContext' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UmsPerformingSingleStep' : [ 0x58, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'TebSelector' : [ 0x90, ['unsigned short']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, 
['pointer64', ['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_11c8' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, native_type='unsigned long long')]], 'Region' : [ 0x8, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_11cd' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_11d0' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 
0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_11c8']], 'Header16' : [ 0x0, ['__unnamed_11cd']], 'HeaderX64' : [ 0x0, ['__unnamed_11d0']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_IO_STATUS_BLOCK32' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 
0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], 
'_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_ETHREAD' : [ 0x4a8, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x368, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x370, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x370, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x380, ['long']], 'PostBlockList' : [ 0x388, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x388, ['pointer64', ['void']]], 'StartAddress' : [ 0x390, ['pointer64', ['void']]], 'TerminationPort' : [ 0x398, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x398, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x398, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x3a0, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x3a8, ['_LIST_ENTRY']], 'Cid' : [ 0x3b8, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x3c8, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x3c8, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3e8, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3f0, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x400, ['unsigned long long']], 'DeviceToVerify' : [ 0x408, ['pointer64', ['_DEVICE_OBJECT']]], 'CpuQuotaApc' : [ 0x410, ['pointer64', ['_PSP_CPU_QUOTA_APC']]], 'Win32StartAddress' : [ 0x418, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x420, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x428, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x438, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x440, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x448, ['unsigned long']], 'MmLockOrdering' : [ 0x44c, ['long']], 'CrossThreadFlags' : [ 0x450, ['unsigned long']], 'Terminated' : [ 0x450, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x450, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'HideFromDebugger' : [ 0x450, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x450, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x450, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x450, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x450, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x450, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x450, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x450, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x450, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x450, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x450, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NeedsWorkingSetAging' : [ 0x450, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x454, ['unsigned long']], 'ActiveExWorker' : [ 0x454, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x454, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x454, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x454, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x454, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x454, ['BitField', dict(start_bit = 5, end_bit = 
7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x454, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x458, ['unsigned long']], 'Spare' : [ 0x458, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x458, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x458, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x458, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x458, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x458, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x458, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x458, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x459, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x459, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x459, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x459, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x459, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x459, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x459, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x459, ['BitField', 
dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x45a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x45a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x45a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x45a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x45a, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x45a, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x45b, ['unsigned char']], 'CacheManagerActive' : [ 0x45c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x45d, ['unsigned char']], 'ActiveFaultCount' : [ 0x45e, ['unsigned char']], 'LockOrderState' : [ 0x45f, ['unsigned char']], 'AlpcMessageId' : [ 0x460, ['unsigned long long']], 'AlpcMessage' : [ 0x468, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x468, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x470, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x480, ['unsigned long']], 'IoBoostCount' : [ 0x484, ['unsigned long']], 'IrpListLock' : [ 0x488, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x490, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x498, ['_SINGLE_LIST_ENTRY']], 'KernelStackReference' : [ 0x4a0, ['unsigned long']], } ], '_EPROCESS' : [ 0x4e8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x168, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x170, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x178, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x180, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x188, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0x198, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 
0x1a8, ['array', 2, ['unsigned long long']]], 'CommitCharge' : [ 0x1b8, ['unsigned long long']], 'QuotaBlock' : [ 0x1c0, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0x1c8, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0x1d0, ['unsigned long long']], 'VirtualSize' : [ 0x1d8, ['unsigned long long']], 'SessionProcessLinks' : [ 0x1e0, ['_LIST_ENTRY']], 'DebugPort' : [ 0x1f0, ['pointer64', ['void']]], 'ExceptionPortData' : [ 0x1f8, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x1f8, ['unsigned long long']], 'ExceptionPortState' : [ 0x1f8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'ObjectTable' : [ 0x200, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x208, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x210, ['unsigned long long']], 'AddressCreationLock' : [ 0x218, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x220, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x228, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x230, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x238, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x240, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x248, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x250, ['unsigned long long']], 'Win32Process' : [ 0x258, ['pointer64', ['void']]], 'Job' : [ 0x260, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x268, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x270, ['pointer64', ['void']]], 'Cookie' : [ 0x278, ['unsigned long']], 'UmsScheduledThreads' : [ 0x27c, ['unsigned long']], 'WorkingSetWatch' : [ 0x280, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x288, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x290, ['pointer64', ['void']]], 'LdtInformation' : [ 0x298, ['pointer64', ['void']]], 'Spare' : [ 0x2a0, ['pointer64', ['void']]], 'ConsoleHostProcess' : [ 0x2a8, ['unsigned long long']], 'DeviceMap' : [ 0x2b0, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x2b8, 
['pointer64', ['void']]], 'FreeTebHint' : [ 0x2c0, ['pointer64', ['void']]], 'FreeUmsTebHint' : [ 0x2c8, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x2d0, ['_HARDWARE_PTE']], 'Filler' : [ 0x2d0, ['unsigned long long']], 'Session' : [ 0x2d8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x2e0, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x2ef, ['unsigned char']], 'JobLinks' : [ 0x2f0, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x300, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x308, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x318, ['pointer64', ['void']]], 'Wow64Process' : [ 0x320, ['pointer64', ['void']]], 'ActiveThreads' : [ 0x328, ['unsigned long']], 'ImagePathHash' : [ 0x32c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x330, ['unsigned long']], 'LastThreadExitStatus' : [ 0x334, ['long']], 'Peb' : [ 0x338, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x340, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x348, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x350, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x358, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x360, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x368, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x370, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x378, ['unsigned long long']], 'CommitChargePeak' : [ 0x380, ['unsigned long long']], 'AweInfo' : [ 0x388, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x390, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x398, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x420, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x430, ['pointer64', ['void']]], 'ModifiedPageCount' : [ 0x438, ['unsigned long']], 'Flags2' : [ 0x43c, ['unsigned long']], 'JobNotReallyActive' : [ 0x43c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x43c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x43c, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'ExitProcessReported' : [ 0x43c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x43c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x43c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x43c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x43c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x43c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x43c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x43c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x43c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x43c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x43c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x43c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x43c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x43c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x43c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x43c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x43c, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Spare1' : [ 0x43c, ['BitField', dict(start_bit = 22, end_bit = 23, 
native_type='unsigned long')]], 'ForceRelocateImages' : [ 0x43c, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'DisallowStrippedImages' : [ 0x43c, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'LowVaAccessible' : [ 0x43c, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'Flags' : [ 0x440, ['unsigned long']], 'CreateReported' : [ 0x440, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x440, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x440, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x440, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x440, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x440, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x440, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x440, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x440, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x440, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x440, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x440, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x440, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x440, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x440, ['BitField', dict(start_bit = 15, end_bit = 16, 
native_type='unsigned long')]], 'ProcessInSession' : [ 0x440, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x440, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x440, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x440, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x440, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x440, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x440, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x440, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x440, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x440, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x440, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x440, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x440, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x440, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x444, ['long']], 'VadRoot' : [ 0x448, ['_MM_AVL_TABLE']], 'AlpcContext' : [ 0x488, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x4a8, ['_LIST_ENTRY']], 'RequestedTimerResolution' : [ 0x4b8, ['unsigned long']], 'ActiveThreadsHighWatermark' : [ 0x4bc, ['unsigned long']], 'SmallestTimerResolution' : [ 0x4c0, ['unsigned long']], 'TimerResolutionStackRecord' : [ 0x4c8, ['pointer64', 
['_PO_DIAG_STACK_RECORD']]], 'SequenceNumber' : [ 0x4d0, ['unsigned long long']], 'CreateInterruptTime' : [ 0x4d8, ['unsigned long long']], 'CreateUnbiasedInterruptTime' : [ 0x4e0, ['unsigned long long']], } ], '_KPROCESS' : [ 0x160, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long long']], 'Affinity' : [ 0x48, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x70, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x80, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x88, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0xb0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0xb0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ActiveGroupsMask' : [ 0xb0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0xb0, ['long']], 'BasePriority' : [ 0xb4, ['unsigned char']], 'QuantumReset' : [ 0xb5, ['unsigned char']], 'Visited' : [ 0xb6, ['unsigned char']], 'Unused3' : [ 0xb7, ['unsigned char']], 'ThreadSeed' : [ 0xb8, ['array', 4, ['unsigned long']]], 'IdealNode' : [ 0xc8, ['array', 4, ['unsigned short']]], 'IdealGlobalNode' : [ 0xd0, ['unsigned short']], 'Flags' : [ 0xd2, ['_KEXECUTE_OPTIONS']], 'Unused1' : [ 0xd3, ['unsigned char']], 'Unused2' : [ 0xd4, ['unsigned long']], 'Unused4' : [ 0xd8, ['unsigned long']], 'StackCount' : [ 0xdc, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'CycleTime' : [ 0xf0, ['unsigned long long']], 'KernelTime' : [ 0xf8, ['unsigned long']], 'UserTime' : [ 0xfc, ['unsigned long']], 'InstrumentationCallback' : [ 0x100, ['pointer64', ['void']]], 'LdtSystemDescriptor' : [ 0x108, 
['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x118, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x120, ['_KGUARDED_MUTEX']], 'LdtFreeSelectorHint' : [ 0x158, ['unsigned short']], 'LdtTableLength' : [ 0x15a, ['unsigned short']], } ], '__unnamed_12d4' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_12d4']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xd8, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], } ], '__unnamed_12e3' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_12e8' : [ 
0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_12ea' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_12e8']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_12f5' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_12f7' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_12f5']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_12e3']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_12ea']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_12f7']], } ], '__unnamed_12fe' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', 
['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1302' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1306' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_1308' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_130c' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 
'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_130e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_1310' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 
'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], } ], '__unnamed_1312' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 
'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1314' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1316' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_131a' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 
'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsSectorSizeInformation', 12: 'FileFsMaximumInformation'})]], } ], '__unnamed_131c' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_131e' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1320' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1322' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1324' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1328' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_132c' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1330' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1334' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_133a' : [ 0x20, { 'InterfaceType' : [ 
0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_133e' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1342' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1344' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_1346' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_134a' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_134e' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1352' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1356' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_135a' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1362' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned 
long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1366' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1368' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_136a' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_136c' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_12fe']], 'CreatePipe' : [ 0x0, ['__unnamed_1302']], 'CreateMailslot' : [ 0x0, ['__unnamed_1306']], 'Read' : [ 0x0, ['__unnamed_1308']], 'Write' : [ 0x0, ['__unnamed_1308']], 'QueryDirectory' : [ 0x0, ['__unnamed_130c']], 'NotifyDirectory' : [ 0x0, ['__unnamed_130e']], 'QueryFile' : [ 0x0, ['__unnamed_1310']], 'SetFile' : [ 0x0, ['__unnamed_1312']], 'QueryEa' : [ 0x0, ['__unnamed_1314']], 'SetEa' : [ 0x0, ['__unnamed_1316']], 'QueryVolume' : [ 0x0, ['__unnamed_131a']], 'SetVolume' : [ 0x0, ['__unnamed_131a']], 'FileSystemControl' : [ 0x0, ['__unnamed_131c']], 'LockControl' : [ 0x0, ['__unnamed_131e']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1320']], 'QuerySecurity' : [ 0x0, ['__unnamed_1322']], 'SetSecurity' : [ 0x0, ['__unnamed_1324']], 'MountVolume' : [ 0x0, ['__unnamed_1328']], 
'VerifyVolume' : [ 0x0, ['__unnamed_1328']], 'Scsi' : [ 0x0, ['__unnamed_132c']], 'QueryQuota' : [ 0x0, ['__unnamed_1330']], 'SetQuota' : [ 0x0, ['__unnamed_1316']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1334']], 'QueryInterface' : [ 0x0, ['__unnamed_133a']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_133e']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1342']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1344']], 'SetLock' : [ 0x0, ['__unnamed_1346']], 'QueryId' : [ 0x0, ['__unnamed_134a']], 'QueryDeviceText' : [ 0x0, ['__unnamed_134e']], 'UsageNotification' : [ 0x0, ['__unnamed_1352']], 'WaitWake' : [ 0x0, ['__unnamed_1356']], 'PowerSequence' : [ 0x0, ['__unnamed_135a']], 'Power' : [ 0x0, ['__unnamed_1362']], 'StartDevice' : [ 0x0, ['__unnamed_1366']], 'WMI' : [ 0x0, ['__unnamed_1368']], 'Others' : [ 0x0, ['__unnamed_136a']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_136c']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1382' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, 
['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_1382']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 
'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'Type' : [ 0xc, ['unsigned char']], 'Reserved1' : [ 0xd, ['unsigned char']], 'Reserved2' : [ 0xe, ['unsigned short']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', 
['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 
'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, 
['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '__unnamed_14ee' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_14ee']], } ], '__unnamed_14ff' : [ 0x10, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Ia64' : [ 0x0, 
['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0xf0, { 'OsMajorVersion' : [ 0x0, ['unsigned long']], 'OsMinorVersion' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'LoadOrderListHead' : [ 0x10, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x20, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x30, ['_LIST_ENTRY']], 'KernelStack' : [ 0x40, ['unsigned long long']], 'Prcb' : [ 0x48, ['unsigned long long']], 'Process' : [ 0x50, ['unsigned long long']], 'Thread' : [ 0x58, ['unsigned long long']], 'RegistryLength' : [ 0x60, ['unsigned long']], 'RegistryBase' : [ 0x68, ['pointer64', ['void']]], 'ConfigurationRoot' : [ 0x70, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x78, ['pointer64', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x80, ['pointer64', ['unsigned char']]], 'NtBootPathName' : [ 0x88, ['pointer64', ['unsigned char']]], 'NtHalPathName' : [ 0x90, ['pointer64', ['unsigned char']]], 'LoadOptions' : [ 0x98, ['pointer64', ['unsigned char']]], 'NlsData' : [ 0xa0, ['pointer64', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0xa8, ['pointer64', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0xb0, ['pointer64', ['void']]], 'Extension' : [ 0xb8, ['pointer64', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0xc0, ['__unnamed_14ff']], 'FirmwareInformation' : [ 0xd0, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], 
'__unnamed_152e' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1530' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1533' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1535' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1533']], } ], '__unnamed_153d' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 52, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_152e']], 'u2' : [ 0x8, ['__unnamed_1530']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['long']], 'PteLong' : [ 0x10, ['unsigned long long']], 'u3' : [ 0x18, ['__unnamed_1535']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned short']], 'VaType' : [ 0x1e, ['unsigned char']], 'ViewCount' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, 
['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_153d']], } ], '_MI_COLOR_BASE' : [ 0x10, { 'ColorPointer' : [ 0x0, ['pointer64', ['unsigned short']]], 'ColorMask' : [ 0x8, ['unsigned short']], 'ColorNode' : [ 0xa, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x88, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x8, ['pointer64', ['_KGATE']]], 'AccessLog' : [ 0x10, ['pointer64', ['void']]], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x4c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x50, ['unsigned long']], 'ChargedWslePages' : [ 0x54, ['unsigned long']], 'ActualWslePages' : [ 0x58, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x5c, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x60, ['unsigned long']], 'HardFaultCount' : [ 0x64, ['unsigned long']], 'VmWorkingSetList' : [ 0x68, ['pointer64', ['_MMWSL']]], 'NextPageColor' : [ 0x70, ['unsigned short']], 'LastTrimStamp' : [ 0x72, ['unsigned short']], 'PageFaultCount' : [ 0x74, ['unsigned long']], 'RepurposeCount' : [ 0x78, ['unsigned long']], 'Spare' : [ 0x7c, ['array', 2, ['unsigned long']]], 'Flags' : [ 0x84, ['_MMSUPPORT_FLAGS']], } ], '_MMWSL' : [ 0x488, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x18, ['pointer64', ['void']]], 'LastInitializedWsle' : [ 0x20, ['unsigned long']], 'NextAgingSlot' : [ 0x24, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x28, ['unsigned long']], 'VadBitMapHint' : [ 0x2c, ['unsigned long']], 'NonDirectCount' : [ 0x30, ['unsigned long']], 'LastVadBit' : [ 0x34, ['unsigned long']], 'MaximumLastVadBit' : [ 0x38, ['unsigned long']], 
'LastAllocationSizeHint' : [ 0x3c, ['unsigned long']], 'LastAllocationSize' : [ 0x40, ['unsigned long']], 'NonDirectHash' : [ 0x48, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x50, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x58, ['pointer64', ['_MMWSLE_HASH']]], 'MaximumUserPageTablePages' : [ 0x60, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x64, ['unsigned long']], 'CommittedPageTables' : [ 0x68, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x70, ['unsigned long']], 'CommittedPageDirectories' : [ 0x78, ['array', 128, ['unsigned long long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x478, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x480, ['array', 1, ['unsigned long long']]], } ], '__unnamed_156b' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_156b']], } ], '__unnamed_1577' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1581' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1583' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1581']], } ], 
'_CONTROL_AREA' : [ 0x80, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_1577']], 'FlushInProgressCount' : [ 0x3c, ['unsigned long']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'StartingFrame' : [ 0x4c, ['unsigned long']], 'WaitList' : [ 0x50, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'u2' : [ 0x58, ['__unnamed_1583']], 'LockedPages' : [ 0x68, ['unsigned long long']], 'ViewList' : [ 0x70, ['_LIST_ENTRY']], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_MMPAGING_FILE' : [ 0x90, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'File' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x38, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x48, ['_UNICODE_STRING']], 'Bitmap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'EvictStoreBitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x68, ['unsigned long']], 'LastAllocationSize' : [ 0x6c, ['unsigned long']], 'ToBeEvictedCount' : [ 0x70, ['unsigned long']], 'PageFileNumber' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x74, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x76, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x76, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['unsigned long long']], 'LockOwner' : [ 0x88, ['pointer64', ['_ETHREAD']]], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '__unnamed_15bf' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_15c2' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_15c5' : [ 0x8, { 'LongFlags3' : [ 0x0, ['unsigned long long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x40, { 'u1' : [ 0x0, ['__unnamed_15bf']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c2']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c5']], } ], '__unnamed_15cd' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], 
'_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_15cd']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '__unnamed_15d2' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x78, { 'u1' : [ 0x0, ['__unnamed_15bf']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c2']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c5']], 'u2' : [ 0x40, ['__unnamed_15d2']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_15dd' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x68, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x18, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x28, ['unsigned long long']], 'MdlHack' : [ 0x30, ['__unnamed_15dd']], } ], '__unnamed_15e3' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_15e5' : [ 0x8, { 'KeepForever' : [ 0x0, ['unsigned long long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_15e3']], 'Irp' : [ 0x20, 
['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['__unnamed_15e5']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_HHIVE' : [ 0x598, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x48, ['pointer64', ['void']]], 'BaseBlock' : [ 0x50, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x58, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x68, ['unsigned long']], 'DirtyAlloc' : [ 0x6c, ['unsigned long']], 'BaseBlockAlloc' : [ 0x70, ['unsigned long']], 'Cluster' : [ 0x74, ['unsigned long']], 'Flat' : [ 0x78, ['unsigned char']], 'ReadOnly' : [ 0x79, ['unsigned char']], 'DirtyFlag' : [ 0x7a, ['unsigned char']], 'HvBinHeadersUse' : [ 0x7c, ['unsigned long']], 'HvFreeCellsUse' : [ 0x80, ['unsigned long']], 'HvUsedCellsUse' : [ 0x84, ['unsigned long']], 'CmUsedCellsUse' : [ 0x88, ['unsigned long']], 'HiveFlags' : [ 0x8c, ['unsigned 
long']], 'CurrentLog' : [ 0x90, ['unsigned long']], 'LogSize' : [ 0x94, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x9c, ['unsigned long']], 'StorageTypeCount' : [ 0xa0, ['unsigned long']], 'Version' : [ 0xa4, ['unsigned long']], 'Storage' : [ 0xa8, ['array', 2, ['_DUAL']]], } ], '_CM_VIEW_OF_FILE' : [ 0x58, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x20, ['_LIST_ENTRY']], 'CmHive' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'Bcb' : [ 0x38, ['pointer64', ['void']]], 'ViewAddress' : [ 0x40, ['pointer64', ['void']]], 'FileOffset' : [ 0x48, ['unsigned long']], 'Size' : [ 0x4c, ['unsigned long']], 'UseCount' : [ 0x50, ['unsigned long']], } ], '_CMHIVE' : [ 0xbe8, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x598, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5c8, ['_LIST_ENTRY']], 'HiveList' : [ 0x5d8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x5e8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x5f8, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x600, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x610, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x618, ['unsigned long']], 'Identity' : [ 0x61c, ['unsigned long']], 'HiveLock' : [ 0x620, ['pointer64', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x628, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x630, ['pointer64', ['_KTHREAD']]], 'ViewLockLast' : [ 0x638, ['unsigned long']], 'ViewUnLockLast' : [ 0x63c, ['unsigned long']], 'WriterLock' : [ 0x640, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x648, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x650, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x660, ['pointer64', ['CMP_OFFSET_ARRAY']]], 'FlushOffsetArrayCount' : [ 0x668, ['unsigned long']], 'FlushHiveTruncated' : [ 0x66c, ['unsigned long']], 'FlushLock2' : [ 0x670, ['pointer64', ['_FAST_MUTEX']]], 'SecurityLock' : [ 0x678, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x680, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x690, 
['_LIST_ENTRY']], 'FlushedViewList' : [ 0x6a0, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x6b0, ['unsigned short']], 'PinnedViewCount' : [ 0x6b2, ['unsigned short']], 'UseCount' : [ 0x6b4, ['unsigned long']], 'ViewsPerHive' : [ 0x6b8, ['unsigned long']], 'FileObject' : [ 0x6c0, ['pointer64', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x6c8, ['unsigned long']], 'ActualFileSize' : [ 0x6d0, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x6d8, ['_UNICODE_STRING']], 'FileUserName' : [ 0x6e8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x6f8, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x708, ['unsigned long']], 'SecurityCacheSize' : [ 0x70c, ['unsigned long']], 'SecurityHitHint' : [ 0x710, ['long']], 'SecurityCache' : [ 0x718, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x720, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xb20, ['unsigned long']], 'UnloadEventArray' : [ 0xb28, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xb30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xb38, ['unsigned char']], 'UnloadWorkItem' : [ 0xb40, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0xb48, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xb70, ['unsigned char']], 'GrowOffset' : [ 0xb74, ['unsigned long']], 'KcbConvertListHead' : [ 0xb78, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xb88, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xb98, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xba0, ['unsigned long']], 'TrustClassEntry' : [ 0xba8, ['_LIST_ENTRY']], 'FlushCount' : [ 0xbb8, ['unsigned long']], 'CmRm' : [ 0xbc0, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xbc8, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xbcc, ['long']], 'CreatorOwner' : [ 0xbd0, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0xbd8, ['pointer64', ['_KTHREAD']]], 'LastWriteTime' : [ 0xbe0, ['_LARGE_INTEGER']], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 
0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0x10, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x10, ['unsigned long']], 'NextHash' : [ 0x18, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x20, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x28, ['unsigned long']], 'KcbPushlock' : [ 0x30, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x38, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x38, ['long']], 'SlotHint' : [ 0x40, ['unsigned long']], 'ParentKcb' : [ 0x48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x50, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x60, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x70, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x70, ['unsigned long']], 'SubKeyCount' : [ 0x70, ['unsigned long']], 'KeyBodyListHead' : [ 0x78, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x78, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x88, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa8, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xb0, 
['unsigned short']], 'KcbMaxValueNameLen' : [ 0xb2, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xb4, ['unsigned long']], 'KcbUserFlags' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb8, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '__unnamed_1669' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_HvpRecoverWholeHive', 10: '_HvpMapFileImageAndBuildMap', 11: '_CmpValidateHiveSecurityDescriptors', 12: '_HvpEnlistBinInMap', 13: '_CmCheckRegistry', 14: '_CmRegistryIO', 15: '_CmCheckRegistry2', 16: '_CmpCheckKey', 17: '_CmpCheckValueList', 18: '_HvCheckHive', 19: '_HvCheckBin'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_166c' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', 
['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_166e' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1670' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_1672' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_1676' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_167a' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_167c' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_1669']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_1669']]], 'RegistryIO' : [ 0xd0, ['__unnamed_166c']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_166e']], 'CheckKey' : [ 0xf0, ['__unnamed_1670']], 'CheckValueList' : [ 0x110, ['__unnamed_1672']], 'CheckHive' : [ 0x128, ['__unnamed_1676']], 'CheckHive1' : [ 0x138, ['__unnamed_1676']], 'CheckBin' : [ 0x148, ['__unnamed_167a']], 'RecoverData' : [ 0x158, ['__unnamed_167c']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', 
['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0x80, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'DpcCount' : [ 0x38, ['unsigned long']], 'DpcRate' : [ 0x3c, ['unsigned long']], 'C1Time' : [ 0x40, ['unsigned long long']], 'C2Time' : [ 0x48, ['unsigned long long']], 'C3Time' : [ 0x50, ['unsigned long long']], 'C1Transitions' : [ 0x58, ['unsigned long long']], 'C2Transitions' : [ 0x60, ['unsigned long long']], 'C3Transitions' : [ 0x68, ['unsigned long long']], 'ParkingStatus' : [ 0x70, ['unsigned long']], 'CurrentFrequency' : [ 0x74, ['unsigned long']], 'PercentMaxFrequency' : [ 0x78, ['unsigned long']], 'StateFlags' : [ 0x7c, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], 
'_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0x28, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 4, ['unsigned long long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0x18, { 'Affinity' : [ 0x0, ['pointer64', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x8, ['unsigned long long']], 'CurrentIndex' : [ 0x10, ['unsigned short']], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, 
['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', ['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, 
['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, 
['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependentList' : [ 0x50, ['_LIST_ENTRY']], 'ProviderList' : [ 0x60, ['_LIST_ENTRY']], } ], '__unnamed_1763' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1765' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1769' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x268, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Level' : [ 0x50, ['unsigned long']], 'Notify' : [ 0x58, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xc0, ['_PO_IRP_MANAGER']], 'State' : [ 0xe0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 
'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0xe4, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0xe8, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x138, ['unsigned long']], 'CompletionStatus' : [ 0x13c, ['long']], 'Flags' : [ 0x140, ['unsigned long']], 'UserFlags' : [ 0x144, ['unsigned long']], 'Problem' : [ 0x148, ['unsigned 
long']], 'ResourceList' : [ 0x150, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x158, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x160, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x168, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x174, ['unsigned long']], 'ChildInterfaceType' : [ 0x178, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x17c, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x180, ['unsigned short']], 'RemovalPolicy' : [ 0x182, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x183, ['unsigned char']], 'TargetDeviceNotify' : [ 0x188, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x198, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1a8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x1b8, ['unsigned short']], 'QueryTranslatorMask' : [ 0x1ba, ['unsigned short']], 'NoArbiterMask' : [ 0x1bc, ['unsigned short']], 'QueryArbiterMask' : [ 0x1be, ['unsigned short']], 'OverUsed1' : [ 0x1c0, ['__unnamed_1763']], 'OverUsed2' : [ 0x1c8, ['__unnamed_1765']], 'BootResources' : [ 0x1d0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x1d8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x1e0, ['unsigned long']], 'DockInfo' : [ 0x1e8, 
['__unnamed_1769']], 'DisableableDepends' : [ 0x208, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x210, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x220, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x230, ['unsigned long']], 'PreviousParent' : [ 0x238, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x240, ['unsigned long']], 'NumaNodeIndex' : [ 0x244, ['unsigned long']], 'ContainerID' : [ 0x248, ['_GUID']], 'OverrideFlags' : [ 0x258, ['unsigned char']], 'RequiresUnloadedDriver' : [ 0x259, ['unsigned char']], 'PendingEjectRelations' : [ 0x260, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], } ], '_KNODE' : [ 0xc0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'Affinity' : [ 0x40, ['_GROUP_AFFINITY']], 'ProximityId' : [ 0x50, ['unsigned long']], 'NodeNumber' : [ 0x54, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x56, ['unsigned short']], 'MaximumProcessors' : [ 0x58, ['unsigned char']], 'Color' : [ 0x59, ['unsigned char']], 'Flags' : [ 0x5a, ['_flags']], 'NodePad0' : [ 0x5b, ['unsigned char']], 'Seed' : [ 0x5c, ['unsigned long']], 'MmShiftedColor' : [ 0x60, ['unsigned long']], 'FreeCount' : [ 0x68, ['array', 2, ['unsigned long long']]], 'Right' : [ 0x78, ['unsigned long']], 'Left' : [ 0x7c, ['unsigned long']], 'CachedKernelStacks' : [ 0x80, ['_CACHED_KSTACK_LIST']], 'ParkLock' : [ 0xa0, ['long']], 'NodePad1' : [ 0xa4, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 
'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 
'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 
'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 
0x18, ['unsigned long']], } ], '__unnamed_1811' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1811']], } ], '__unnamed_1818' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 
'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1818']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 
0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_VOLUME_CACHE_MAP' : [ 0x38, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x20, ['unsigned long']], 'DirtyPages' : [ 0x28, ['unsigned long long']], 'PagesQueuedToDisk' : [ 0x30, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x1f8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x100, ['unsigned long']], 'LazyWritePassCount' : [ 0x104, ['unsigned long']], 'UninitializeEvent' : [ 0x108, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 
0x110, ['_KGUARDED_MUTEX']], 'LastUnmapBehindOffset' : [ 0x148, ['_LARGE_INTEGER']], 'Event' : [ 0x150, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x168, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x170, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1d8, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1e0, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x1e8, ['unsigned long']], 'WritesInProgress' : [ 0x1ec, ['unsigned long']], 'PipelinedReadAheadSize' : [ 0x1f0, ['unsigned long']], } ], '__unnamed_188a' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_188a']], 'Links' : [ 0x18, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x28, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '__unnamed_18a8' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_18aa' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_18ac' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_18ae' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_18b0' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_18a8']], 'Write' : [ 0x0, ['__unnamed_18aa']], 'Event' : [ 0x0, ['__unnamed_18ac']], 'Notification' : [ 0x0, ['__unnamed_18ae']], } ], '_WORK_QUEUE_ENTRY' : [ 0x20, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_18b0']], 'Function' : [ 0x18, ['unsigned char']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, 
['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x208, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x90, ['unsigned long long']], 'Interceptor' : [ 0x98, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x9c, ['unsigned long']], 'Signature' : [ 0xa0, 
['unsigned long']], 'SegmentReserve' : [ 0xa8, ['unsigned long long']], 'SegmentCommit' : [ 0xb0, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb8, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xc0, ['unsigned long long']], 'TotalFreeSize' : [ 0xc8, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xd0, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd8, ['unsigned short']], 'HeaderValidateLength' : [ 0xda, ['unsigned short']], 'HeaderValidateCopy' : [ 0xe0, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe8, ['unsigned short']], 'MaximumTagIndex' : [ 0xea, ['unsigned short']], 'TagEntries' : [ 0xf0, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf8, ['_LIST_ENTRY']], 'AlignRound' : [ 0x108, ['unsigned long long']], 'AlignMask' : [ 0x110, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x118, ['_LIST_ENTRY']], 'SegmentList' : [ 0x128, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x138, ['unsigned short']], 'NonDedicatedListLength' : [ 0x13c, ['unsigned long']], 'BlocksIndex' : [ 0x140, ['pointer64', ['void']]], 'UCRIndex' : [ 0x148, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x150, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x158, ['_LIST_ENTRY']], 'LockVariable' : [ 0x168, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x170, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'Counters' : [ 0x188, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x1f8, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1901' : [ 0x28, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x28, { 'Lock' : [ 0x0, ['__unnamed_1901']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', 
['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 
'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_PEB' : [ 0x380, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, 
['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, 
['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : 
[ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pContextData' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xe0, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 
0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ForwarderLinks' : [ 0x98, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0xa8, ['_LIST_ENTRY']], 'StaticLinks' : [ 0xb8, ['_LIST_ENTRY']], 'ContextInformation' : [ 0xc8, ['pointer64', ['void']]], 'OriginalBase' : [ 0xd0, ['unsigned long long']], 'LoadTime' : [ 0xd8, ['_LARGE_INTEGER']], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'LocalInfo' : [ 0x0, ['pointer64', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '__unnamed_197f' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1981' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_197f']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1983' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1985' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1983']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1981']], 'u2' : [ 0x4, ['__unnamed_1985']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 
'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x38, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], 'LookasideIndex' : [ 0x30, ['unsigned long']], } ], '__unnamed_199e' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_19a0' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_199e']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x20, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_19a0']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x14, ['long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_19b3' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_19b5' : [ 0x4, { 
's1' : [ 0x0, ['__unnamed_19b3']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_19b5']], 'NumberOfRegions' : [ 0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_19bb' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_19bd' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19bb']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_19bd']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_19c3' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_19c5' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19c3']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', 
['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_19c5']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x40, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_19e1' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, 
native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_19e3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19e1']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1a0, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x88, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x98, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa8, ['_LIST_ENTRY']], 'WaitQueue' : [ 0xb8, ['_LIST_ENTRY']], 'Semaphore' : [ 0xc8, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xc8, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0xd0, ['_ALPC_PORT_ATTRIBUTES']], 'Lock' : [ 0x118, ['_EX_PUSH_LOCK']], 'ResourceListLock' : [ 0x120, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x128, ['_LIST_ENTRY']], 'CompletionList' : [ 0x138, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0x140, ['pointer64', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0x148, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x150, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x158, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x168, ['long']], 'u1' : [ 0x16c, ['__unnamed_19e3']], 'TargetQueuePort' : [ 0x170, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x178, ['pointer64', ['_ALPC_PORT']]], 'CachedMessage' : [ 0x180, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x188, ['unsigned long']], 'PendingQueueLength' : [ 0x18c, ['unsigned 
long']], 'LargeMessageQueueLength' : [ 0x190, ['unsigned long']], 'CanceledQueueLength' : [ 0x194, ['unsigned long']], 'WaitQueueLength' : [ 0x198, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0xd0, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'Key' : [ 0xb8, ['unsigned long']], 'CallbackList' : [ 0xc0, ['_LIST_ENTRY']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1981']], 'u2' : [ 0x4, ['__unnamed_1985']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1a02' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 
13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1a04' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a02']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x100, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x10, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0x18, ['unsigned long long']], 'QuotaProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x20, ['pointer64', ['void']]], 'SequenceNo' : [ 0x28, ['long']], 'u1' : [ 0x2c, ['__unnamed_1a04']], 'CancelSequencePort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x40, ['long']], 'CancelListEntry' : [ 0x48, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x68, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x70, ['pointer64', ['_ALPC_PORT']]], 'MessageAttributes' : [ 0x78, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xb0, ['pointer64', ['void']]], 'DataSystemVa' : [ 0xb8, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xc0, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xc8, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xd0, ['pointer64', ['_ETHREAD']]], 'PortMessage' : [ 0xd8, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', 
['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer64', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1a42' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a44' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a42']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1a44']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 
'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'Flags' : [ 0x28, ['unsigned long']], 'TotalLength' : [ 0x2c, ['unsigned short']], 'Type' : [ 0x2e, ['unsigned short']], 'DataInfoOffset' : [ 0x30, ['unsigned short']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x48, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x40, ['Enumeration', dict(target = 'long', 
choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, ['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned char']], 'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'DriverCreateContext' : [ 0x98, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 
'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_RTL_RB_TREE' : [ 0x10, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Min' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_RTL_BALANCED_NODE' : [ 0x18, { 'Children' : [ 0x0, ['array', 2, ['pointer64', ['_RTL_BALANCED_NODE']]]], 'Left' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Right' : [ 0x8, ['pointer64', ['_RTL_BALANCED_NODE']]], 'Red' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Balance' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'ParentValue' : [ 0x10, ['unsigned long long']], } ], '_RTL_AVL_TREE' : [ 0x8, { 'Root' : [ 0x0, ['pointer64', ['_RTL_BALANCED_NODE']]], } ], '_WMI_LOGGER_CONTEXT' : [ 0x340, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'CollectionOn' : [ 0xc, ['long']], 'LoggerMode' : [ 0x10, ['unsigned long']], 'AcceptNewEvents' : [ 0x14, ['long']], 'GetCpuClock' : [ 0x18, ['pointer64', ['void']]], 'StartTime' : [ 0x20, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'NBQHead' : [ 0x40, ['pointer64', ['void']]], 'OverflowNBQHead' : [ 0x48, ['pointer64', ['void']]], 'QueueBlockFreeList' : [ 0x50, ['_SLIST_HEADER']], 'GlobalList' : [ 0x60, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x70, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x70, ['_EX_FAST_REF']], 'LoggerName' : [ 0x78, ['_UNICODE_STRING']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x98, ['_UNICODE_STRING']], 'NewLogFileName' 
: [ 0xa8, ['_UNICODE_STRING']], 'ClockType' : [ 0xb8, ['unsigned long']], 'MaximumFileSize' : [ 0xbc, ['unsigned long']], 'LastFlushedBuffer' : [ 0xc0, ['unsigned long']], 'FlushTimer' : [ 0xc4, ['unsigned long']], 'FlushThreshold' : [ 0xc8, ['unsigned long']], 'ByteOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xd8, ['unsigned long']], 'BuffersAvailable' : [ 0xdc, ['long']], 'NumberOfBuffers' : [ 0xe0, ['long']], 'MaximumBuffers' : [ 0xe4, ['unsigned long']], 'EventsLost' : [ 0xe8, ['unsigned long']], 'BuffersWritten' : [ 0xec, ['unsigned long']], 'LogBuffersLost' : [ 0xf0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xf4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xf8, ['unsigned long']], 'SequencePtr' : [ 0x100, ['pointer64', ['long']]], 'LocalSequence' : [ 0x108, ['unsigned long']], 'InstanceGuid' : [ 0x10c, ['_GUID']], 'FileCounter' : [ 0x11c, ['long']], 'BufferCallback' : [ 0x120, ['pointer64', ['void']]], 'PoolType' : [ 0x128, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x130, ['_ETW_REF_CLOCK']], 'Consumers' : [ 0x140, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x150, ['unsigned long']], 'TransitionConsumer' : [ 0x158, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x160, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x168, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x178, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x180, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x188, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x190, ['unsigned 
long long']], 'RealtimeMaximumFileSize' : [ 0x198, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1a0, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1a8, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1b8, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1c0, ['_KEVENT']], 'FlushEvent' : [ 0x1d8, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x1f0, ['_KTIMER']], 'FlushDpc' : [ 0x230, ['_KDPC']], 'LoggerMutex' : [ 0x270, ['_KMUTANT']], 'LoggerLock' : [ 0x2a8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2b0, ['unsigned long long']], 'BufferListPushLock' : [ 0x2b0, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2b8, ['_SECURITY_CLIENT_CONTEXT']], 'TokenAccessInformation' : [ 0x300, ['pointer64', ['_TOKEN_ACCESS_INFORMATION']]], 'SecurityDescriptor' : [ 0x308, ['_EX_FAST_REF']], 'BufferSequenceNumber' : [ 0x310, ['long long']], 'Flags' : [ 0x318, ['unsigned long']], 'Persistent' : [ 0x318, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x318, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x318, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x318, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x318, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x318, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x318, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x318, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x318, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x318, ['BitField', dict(start_bit = 
9, end_bit = 10, native_type='unsigned long')]], 'RequestFlag' : [ 0x31c, ['unsigned long']], 'RequestNewFie' : [ 0x31c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x31c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x31c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x31c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x31c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RequestConnectConsumer' : [ 0x31c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HookIdMap' : [ 0x320, ['_RTL_BITMAP']], 'DisallowedGuids' : [ 0x330, ['_DISALLOWED_GUIDS']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_BUFFER_HANDLE' : [ 0x10, { 'TraceBuffer' : [ 0x0, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'BufferFastRef' : [ 0x8, ['pointer64', ['_EX_FAST_REF']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } 
], '_NBQUEUE_BLOCK' : [ 0x20, { 'SListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'Next' : [ 0x10, ['unsigned long long']], 'Data' : [ 0x18, ['unsigned long long']], } ], '_TlgProvider_t' : [ 0x40, { 'LevelPlus1' : [ 0x0, ['unsigned long']], 'ProviderMetadataPtr' : [ 0x8, ['pointer64', ['unsigned short']]], 'KeywordAny' : [ 0x10, ['unsigned long long']], 'KeywordAll' : [ 0x18, ['unsigned long long']], 'RegHandle' : [ 0x20, ['unsigned long long']], 'EnableCallback' : [ 0x28, ['pointer64', ['void']]], 'CallbackContext' : [ 0x30, ['pointer64', ['void']]], 'AnnotationFunc' : [ 0x38, ['pointer64', ['void']]], } ], '_EVENT_FILTER_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], } ], '_TlgProviderMetadata_t' : [ 0x13, { 'Type' : [ 0x0, ['unsigned char']], 'ProviderId' : [ 0x1, ['_GUID']], 'RemainingSize' : [ 0x11, ['unsigned short']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], 
'_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x1b0, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['array', 8, ['pointer64', ['_EVENT_FILTER_HEADER']]]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x310, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 
0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa0, ['pointer64', ['void']]], 'DynamicPart' : [ 0xa8, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb0, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc0, ['unsigned long']], 'TokenInUse' : [ 0xc4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xc8, ['unsigned long']], 'MandatoryPolicy' : [ 0xcc, ['unsigned long']], 'LogonSession' : [ 0xd0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xd8, ['_LUID']], 'SidHash' : [ 0xe0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f0, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x300, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'VariablePart' : [ 0x308, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x50, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 
'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], 'HashIndex' : [ 0x14, ['unsigned short']], 'DirectoryLocked' : [ 0x16, ['unsigned char']], 'LockedExclusive' : [ 0x17, ['unsigned char']], 'LockStateSignature' : [ 0x18, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], 
'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS3' : [ 0x8, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'LargePageCreating' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'Spare3' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 
0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 
0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', 
['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Coalescable' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KeepShifting' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned 
char']], 'Signalling' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CpuThrottled' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved2' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 
0x0, ['pointer64', ['void']]], } ], '_MI_CONTROL_AREA_WAIT_BLOCK' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_MI_CONTROL_AREA_WAIT_BLOCK']]], 'WaitReason' : [ 0x8, ['unsigned long']], 'WaitResponse' : [ 0xc, ['unsigned long']], 'Gate' : [ 0x10, ['_KGATE']], } ], '_TraceLoggingMetadata_t' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned char']], 'Flags' : [ 0x7, ['unsigned char']], 'Magic' : [ 0x8, ['unsigned long long']], } ], '_HEAP_COUNTERS' : [ 0x70, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'CompactHeapCalls' : [ 0x48, ['unsigned long']], 'CompactedUCRs' : [ 0x4c, ['unsigned long']], 'AllocAndFreeOps' : [ 0x50, ['unsigned long']], 'InBlockDeccommits' : [ 0x54, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x58, ['unsigned long long']], 'HighWatermarkSize' : [ 0x60, ['unsigned long long']], 'LastPolledSize' : [ 0x68, ['unsigned long long']], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, 
['unsigned long long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], } ], '_I386_LOADER_BLOCK' : [ 0x10, { 'CommonDataArea' : [ 0x0, ['pointer64', ['void']]], 'MachineType' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], } ], '_TOKEN_ACCESS_INFORMATION' : [ 0x30, { 'SidHash' : [ 0x0, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'RestrictedSidHash' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES_HASH']]], 'Privileges' : [ 0x10, ['pointer64', ['_TOKEN_PRIVILEGES']]], 'AuthenticationId' : [ 0x18, ['_LUID']], 'TokenType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 
'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'MandatoryPolicy' : [ 0x28, ['_TOKEN_MANDATORY_POLICY']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x10, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_HANDLE_TABLE' : [ 0x68, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleLock' : [ 0x18, 
['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x20, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x38, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x40, ['long']], 'Flags' : [ 0x44, ['unsigned long']], 'StrictFIFO' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x48, ['unsigned long']], 'LastFreeHandleEntry' : [ 0x50, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x58, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x5c, ['unsigned long']], 'HandleCountHighWatermark' : [ 0x60, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], 
} ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'BlockState' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, 
native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x78, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['_KAFFINITY_EX']], 'SamplingPeriod' : [ 0x38, ['unsigned long']], 'CurrentTemperature' : [ 0x3c, ['unsigned long']], 'PassiveTripPoint' : [ 0x40, ['unsigned long']], 'CriticalTripPoint' : [ 0x44, ['unsigned long']], 'ActiveTripPointCount' : [ 0x48, ['unsigned char']], 'ActiveTripPoint' : [ 0x4c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x74, ['unsigned long']], } ], '__unnamed_1cdf' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1ce1' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned 
long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1cdf']], 'Private' : [ 0x0, ['__unnamed_1ce1']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, 
['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x10, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_1d02' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1d08' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x90, { 'u1' : [ 0x0, ['__unnamed_15bf']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c2']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c5']], 'u2' : [ 0x40, ['__unnamed_15d2']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u3' : 
[ 0x78, ['__unnamed_1d02']], 'u4' : [ 0x88, ['__unnamed_1d08']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x1c8, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xe0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'LimitFlags' : [ 0xf0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xf4, ['unsigned long']], 'Affinity' : [ 0xf8, ['_KAFFINITY_EX']], 
'PriorityClass' : [ 0x120, ['unsigned char']], 'AccessState' : [ 0x128, ['pointer64', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0x130, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x134, ['unsigned long']], 'CompletionPort' : [ 0x138, ['pointer64', ['void']]], 'CompletionKey' : [ 0x140, ['pointer64', ['void']]], 'SessionId' : [ 0x148, ['unsigned long']], 'SchedulingClass' : [ 0x14c, ['unsigned long']], 'ReadOperationCount' : [ 0x150, ['unsigned long long']], 'WriteOperationCount' : [ 0x158, ['unsigned long long']], 'OtherOperationCount' : [ 0x160, ['unsigned long long']], 'ReadTransferCount' : [ 0x168, ['unsigned long long']], 'WriteTransferCount' : [ 0x170, ['unsigned long long']], 'OtherTransferCount' : [ 0x178, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x180, ['unsigned long long']], 'JobMemoryLimit' : [ 0x188, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x190, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x198, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x1a0, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x1a8, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x1b0, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x1c0, ['unsigned long']], 'JobFlags' : [ 0x1c4, ['unsigned long']], } ], '__unnamed_1d1c' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0xa0, { 'Count' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['__unnamed_1d1c']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'OldState' : [ 0x10, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['_KAFFINITY_EX']], 'State' : [ 0x40, 
['array', 1, ['_PPM_IDLE_STATE']]], } ], '__unnamed_1d25' : [ 0x18, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x20, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_1d25']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x88, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned long']], 'ShutDownRequested' : [ 0x5c, ['unsigned char']], 'NewBuffersLost' : [ 0x5d, ['unsigned char']], 'Disconnected' : [ 0x5e, ['unsigned char']], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'Wow' : [ 0x84, ['unsigned char']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 
'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_KGUARDED_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['pointer64', ['pointer64', ['void']]]], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_TOKEN_MANDATORY_POLICY' : [ 0x4, { 'Policy' : [ 0x0, ['unsigned long']], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], 
'_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned 
char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'Pad' : [ 0x65, ['array', 3, ['unsigned char']]], 'Mode' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x70, ['unsigned long']], 'DispatchCount' : [ 0x74, ['unsigned long']], 'Rsvd1' : [ 0x78, ['unsigned long long']], 'TrapFrame' : [ 0x80, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x88, ['pointer64', ['void']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['unsigned long']], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, 
['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x88, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, 
['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], 
'_ALPC_COMPLETION_LIST' : [ 0x98, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x20, ['pointer64', ['void']]], 'UserLimit' : [ 0x28, ['pointer64', ['void']]], 'DataUserVa' : [ 0x30, ['pointer64', ['void']]], 'SystemVa' : [ 0x38, ['pointer64', ['void']]], 'TotalSize' : [ 0x40, ['unsigned long long']], 'Header' : [ 0x48, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x50, ['pointer64', ['void']]], 'ListSize' : [ 0x58, ['unsigned long long']], 'Bitmap' : [ 0x60, ['pointer64', ['void']]], 'BitmapSize' : [ 0x68, ['unsigned long long']], 'Data' : [ 0x70, ['pointer64', ['void']]], 'DataSize' : [ 0x78, ['unsigned long long']], 'BitmapLimit' : [ 0x80, ['unsigned long']], 'BitmapNextHint' : [ 0x84, ['unsigned long']], 'ConcurrencyCount' : [ 0x88, ['unsigned long']], 'AttributeFlags' : [ 0x8c, ['unsigned long']], 'AttributeSize' : [ 0x90, ['unsigned long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, 
['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_IO_WORKITEM' : [ 0x40, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'Type' : [ 0x38, ['unsigned long']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 
'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 
0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x90, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 
'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0x18, { 'AnsiCodePageData' : [ 0x0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0x8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0x10, ['pointer64', ['void']]], } ], '_ALIGNED_AFFINITY_SUMMARY' : [ 0x80, { 'CpuSet' : [ 0x0, ['_KAFFINITY_EX']], 'SMTSet' : [ 0x28, ['_KAFFINITY_EX']], } ], '_XSTATE_CONFIGURATION' : [ 0x210, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'OptimizedSave' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x10, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, 
native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'InStore' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_RTL_UMS_CONTEXT' : [ 0x540, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HasQuantumReq' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HasAffinityReq' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HasPriorityReq' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4f0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 
'Reserved' : [ 0x4f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'QuantumValue' : [ 0x500, ['unsigned long long']], 'AffinityMask' : [ 0x508, ['_GROUP_AFFINITY']], 'Priority' : [ 0x518, ['long']], 'PrimaryUmsContext' : [ 0x520, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x528, ['unsigned long']], 'KernelYieldCount' : [ 0x52c, ['unsigned long']], 'MixedYieldCount' : [ 0x530, ['unsigned long']], 'YieldCount' : [ 0x534, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_TOKEN_PRIVILEGES' : [ 0x10, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Privileges' : [ 0x4, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 
4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 
'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x100, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleAccounting' : [ 0x20, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'Hypervisor' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'PerfHistoryTotal' : [ 0x2c, ['unsigned long']], 'ThermalConstraint' : [ 0x30, ['unsigned char']], 'PerfHistoryCount' : [ 0x31, ['unsigned char']], 'PerfHistorySlot' : [ 0x32, ['unsigned char']], 'Reserved' : [ 0x33, ['unsigned char']], 'LastSysTime' : [ 0x34, ['unsigned long']], 'WmiDispatchPtr' : [ 0x38, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0x40, ['long']], 'FFHThrottleStateInfo' : [ 0x48, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x68, ['_KDPC']], 'PerfActionMask' : [ 0xa8, ['long']], 'IdleCheck' : [ 0xb0, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0xc0, ['_PROC_IDLE_SNAP']], 'Domain' : [ 0xd0, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0xd8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Load' : [ 0xe0, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0xe8, ['pointer64', ['_PROC_HISTORY_ENTRY']]], 'Utility' : [ 0xf0, ['unsigned long']], 'OverUtilizedHistory' : [ 0xf4, ['unsigned long']], 'AffinityCount' : [ 0xf8, ['unsigned long']], 'AffinityHistory' : [ 0xfc, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 
0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', 
['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', 
dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long 
long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned 
long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x2c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'BucketLimits' : [ 0x18, ['array', 16, ['unsigned long long']]], 'State' : [ 0x98, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_TEB64' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 
'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned 
long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, 
native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xa0, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, 
['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x90, ['unsigned long']], 'PreviousActivityCounter' : [ 0x94, ['unsigned long']], 'WorkerTrimRequests' : [ 0x98, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned 
long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_ETIMER' : [ 0x110, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1e83' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_1e83']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x698, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, 
['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x150, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3f0, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x690, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : 
[ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '__unnamed_1edc' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ede' : [ 0x8, { 'Last' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_1edc']], } ], '__unnamed_1ee0' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1edc']], } ], '__unnamed_1ee2' : [ 0x8, { 'OldCell' : [ 0x0, ['__unnamed_1ede']], 'NewCell' : [ 0x0, ['__unnamed_1ee0']], } ], '_HCELL' : [ 0xc, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1ee2']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x30, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'PercentageCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'TargetFrequency' : [ 0x18, ['unsigned long']], 'AcumulatedFullFrequency' : [ 0x1c, ['unsigned long']], 'AcumulatedZeroFrequency' : [ 0x20, ['unsigned long']], 'FrequencyHistoryTotal' : [ 0x24, ['unsigned long']], 'AverageFrequency' : [ 0x28, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 
'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 
'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], 'Pad0' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1ef7' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1efb' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1efd' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1eff' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1f01' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1f03' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f05' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 
'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1f07' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1f09' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1f0b' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1ef7']], 'Memory' : [ 0x0, ['__unnamed_1ef7']], 'Interrupt' : [ 0x0, ['__unnamed_1efb']], 'Dma' : [ 0x0, ['__unnamed_1efd']], 'Generic' : [ 0x0, ['__unnamed_1ef7']], 'DevicePrivate' : [ 0x0, ['__unnamed_1eff']], 'BusNumber' : [ 0x0, ['__unnamed_1f01']], 'ConfigData' : [ 0x0, ['__unnamed_1f03']], 'Memory40' : [ 0x0, ['__unnamed_1f05']], 'Memory48' : [ 0x0, ['__unnamed_1f07']], 'Memory64' : [ 0x0, ['__unnamed_1f09']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1f0b']], } ], '_POP_THERMAL_ZONE' : [ 0x1e8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc8, ['pointer64', ['_IRP']]], 'Info' : [ 0xd0, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 
0x148, ['_LARGE_INTEGER']], 'Metrics' : [ 0x150, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_CM_WORKITEM' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x98, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x68, ['unsigned long']], 'PassiveCount' : [ 0x6c, ['unsigned long']], 'LastActiveStartTick' : [ 0x70, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x78, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x80, 
['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x88, ['_LARGE_INTEGER']], 'StartTickSinceLastReset' : [ 0x90, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0xa8, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned 
long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_DISALLOWED_GUIDS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Guids' : [ 0x8, ['pointer64', ['_GUID']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '__unnamed_1f48' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1f4a' : [ 0x18, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1f48']], } ], '_VF_TARGET_DRIVER' : [ 0x30, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x10, ['__unnamed_1f4a']], 'VerifiedData' : [ 0x28, ['pointer64', 
['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_1f52' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1f54' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f56' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f58' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_1f5a' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1f5c' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f5e' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1f60' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1f62' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f64' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_1f66' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1f52']], 'TargetDevice' : [ 0x0, ['__unnamed_1f54']], 'InstallDevice' : [ 0x0, ['__unnamed_1f56']], 'CustomNotification' : [ 0x0, ['__unnamed_1f58']], 'ProfileNotification' : [ 0x0, ['__unnamed_1f5a']], 'PowerNotification' : [ 0x0, ['__unnamed_1f5c']], 'VetoNotification' : [ 0x0, ['__unnamed_1f5e']], 
'BlockedDriverNotification' : [ 0x0, ['__unnamed_1f60']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1f62']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1f64']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_1f56']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_1f66']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' 
: [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_PS_CPU_QUOTA_BLOCK' : [ 0x4080, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'CpuShareWeight' : [ 0x14, ['unsigned long']], 'CapturedWeightData' : [ 0x18, ['_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA']], 'DuplicateInputMarker' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x20, ['BitField', 
dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x20, ['long']], 'BlockCurrentGenerationLock' : [ 0x0, ['unsigned long long']], 'CyclesAccumulated' : [ 0x8, ['unsigned long long']], 'CycleCredit' : [ 0x40, ['unsigned long long']], 'BlockCurrentGeneration' : [ 0x48, ['unsigned long']], 'CpuCyclePercent' : [ 0x4c, ['unsigned long']], 'CyclesFinishedForCurrentGeneration' : [ 0x50, ['unsigned char']], 'Cpu' : [ 0x80, ['array', 256, ['_PS_PER_CPU_QUOTA_CACHE_AWARE']]], } ], '__unnamed_1f82' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1f82']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned 
long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'CacheAligned' : [ 0x2, 
['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '__unnamed_1fb7' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_1fb7']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 
} ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_PS_PER_CPU_QUOTA_CACHE_AWARE' : [ 0x40, { 'SortedListEntry' : [ 0x0, ['_LIST_ENTRY']], 'IdleOnlyListHead' : [ 0x10, ['_LIST_ENTRY']], 'CycleBaseAllowance' : [ 0x20, ['unsigned long long']], 'CyclesRemaining' : [ 0x28, ['long long']], 'CurrentGeneration' : [ 0x30, ['unsigned long']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'ProcessorIndex' : [ 0x0, ['unsigned short']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned 
char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, 
native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long 
long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x248, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned 
long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'HotpatchInformation' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned 
long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], 'pContextData' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, ['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : 
[ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win7_sp1_x86_vtypes.py0000644000000000000000000163176513131215405030537 0ustar rootrootntkrnlmp_types = { '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 
'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '__unnamed_200a' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x80, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_200a']], 'TargetProcessors' : [ 0x30, ['_KAFFINITY_EX']], 'PStateHandler' : [ 0x3c, ['pointer', ['void']]], 'PStateContext' : [ 0x40, ['unsigned long']], 'TStateHandler' : [ 
0x44, ['pointer', ['void']]], 'TStateContext' : [ 0x48, ['unsigned long']], 'FeedbackHandler' : [ 0x4c, ['pointer', ['void']]], 'GetFFHThrottleState' : [ 0x50, ['pointer', ['void']]], 'State' : [ 0x58, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xb0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 
'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'ProgrammedRTCTime' : [ 0x50, ['unsigned long long']], 'WakeOnRTC' : [ 0x58, ['unsigned char']], 'WakeTimerInfo' : [ 0x5c, ['pointer', ['_DIAGNOSTIC_BUFFER']]], 'FilteredCapabilities' : [ 0x60, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x28, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned 
char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x228, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTransitions' : [ 0x8, ['unsigned long']], 'FailedTransitions' : [ 0xc, ['unsigned long']], 'InvalidBucketIndex' : [ 0x10, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 16, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_204d' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_204f' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_204d']], 'Button' : [ 0xc, ['__unnamed_204f']], } ], 
'_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', 
['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0xe8, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'EmInfFileImage' : [ 0x14, ['pointer', ['void']]], 'EmInfFileSize' : [ 0x18, ['unsigned long']], 'TriageDumpBlock' : [ 0x1c, ['pointer', ['void']]], 'LoaderPagesSpanned' : [ 0x20, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x24, ['pointer', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x28, ['pointer', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x2c, ['pointer', ['void']]], 'DrvDBSize' : [ 0x30, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x34, ['pointer', ['_NETWORK_LOADER_BLOCK']]], 'HalpIRQLToTPR' : [ 0x38, ['pointer', ['unsigned char']]], 'HalpVectorToIRQL' : [ 0x3c, ['pointer', ['unsigned char']]], 'FirmwareDescriptorListHead' : [ 0x40, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x48, ['pointer', ['void']]], 'AcpiTableSize' : [ 0x4c, ['unsigned long']], 'LastBootSucceeded' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LastBootShutdown' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPortAccessSupported' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 
'LoaderPerformanceData' : [ 0x54, ['pointer', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x58, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x60, ['pointer', ['void']]], 'BootIdentifier' : [ 0x64, ['_GUID']], 'ResumePages' : [ 0x74, ['unsigned long']], 'DumpHeader' : [ 0x78, ['pointer', ['void']]], 'BgContext' : [ 0x7c, ['pointer', ['void']]], 'NumaLocalityInfo' : [ 0x80, ['pointer', ['void']]], 'NumaGroupAssignment' : [ 0x84, ['pointer', ['void']]], 'AttachedHives' : [ 0x88, ['_LIST_ENTRY']], 'MemoryCachingRequirementsCount' : [ 0x90, ['unsigned long']], 'MemoryCachingRequirements' : [ 0x94, ['pointer', ['void']]], 'TpmBootEntropyResult' : [ 0x98, ['_TPM_BOOT_ENTROPY_LDR_RESULT']], 'ProcessorCounterFrequency' : [ 0xe0, ['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x298, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, 
['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x18, { 'Mdl' : [ 0x0, ['pointer', ['_MDL']]], 'UserVa' : [ 0x4, ['pointer', ['void']]], 'UserLimit' : [ 0x8, ['pointer', ['void']]], 'SystemVa' : [ 0xc, ['pointer', ['void']]], 'SystemLimit' : [ 0x10, 
['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_PROC_HISTORY_ENTRY' : [ 0x4, { 'Utility' : [ 0x0, ['unsigned short']], 'Frequency' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 
'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned 
short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x10, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0xc, ['pointer', ['void']]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_20e1' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x2000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_20e1']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'SessionObject' : [ 0x34, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x38, ['pointer', ['void']]], 'ResidentProcessCount' : [ 0x3c, ['long']], 'SessionPoolAllocationFailures' : [ 0x40, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x50, ['_LIST_ENTRY']], 'LocaleId' : [ 0x58, ['unsigned long']], 'AttachCount' : [ 0x5c, ['unsigned long']], 'AttachGate' : [ 0x60, ['_KGATE']], 'WsListEntry' 
: [ 0x70, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 25, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd00, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xd38, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xd70, ['_MMSUPPORT']], 'Wsle' : [ 0xddc, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xde0, ['pointer', ['void']]], 'PagedPool' : [ 0xe00, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1f40, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1f44, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f68, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1f88, ['long']], 'PagedPoolPdeCount' : [ 0x1f8c, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f90, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f94, ['unsigned long']], 'SystemPteInfo' : [ 0x1f98, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1fc8, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1fcc, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1fd0, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fd4, ['unsigned long']], 'IoState' : [ 0x1fd8, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1fdc, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fe0, ['_KEVENT']], 'SessionPoolPdes' : [ 0x1ff0, ['_RTL_BITMAP']], 'CpuQuotaBlock' : [ 0x1ff8, ['pointer', ['_PS_CPU_QUOTA_BLOCK']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], 
'_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned 
long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 
12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 
'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0x78, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'FeedbackHandler' : [ 0x18, ['pointer', ['void']]], 'GetFFHThrottleState' : [ 0x1c, ['pointer', ['void']]], 'BoostPolicyHandler' : [ 0x20, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x24, ['pointer', ['void']]], 'PerfHandler' : [ 0x28, ['pointer', ['void']]], 'Processors' : [ 0x2c, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'PerfChangeTime' : [ 0x30, ['unsigned long long']], 'ProcessorCount' : [ 0x38, ['unsigned long']], 'PreviousFrequencyMhz' : [ 0x3c, ['unsigned long']], 'CurrentFrequencyMhz' : [ 0x40, ['unsigned long']], 'PreviousFrequency' : [ 0x44, ['unsigned long']], 'CurrentFrequency' : [ 0x48, ['unsigned long']], 'CurrentPerfContext' : [ 0x4c, ['unsigned long']], 'DesiredFrequency' : [ 0x50, ['unsigned long']], 'MaxFrequency' : [ 0x54, ['unsigned long']], 'MinPerfPercent' : [ 0x58, ['unsigned long']], 'MinThrottlePercent' : [ 0x5c, ['unsigned long']], 'MaxPercent' : [ 0x60, ['unsigned long']], 'MinPercent' : [ 0x64, ['unsigned long']], 'ConstrainedMaxPercent' : [ 
0x68, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x6c, ['unsigned long']], 'Coordination' : [ 0x70, ['unsigned char']], 'PerfChangeIntervalCount' : [ 0x74, ['long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_TP_NBQ_GUARD' : [ 0x10, { 'GuardLinks' : [ 0x0, ['_LIST_ENTRY']], 'Guards' : [ 0x8, ['array', 2, ['pointer', ['void']]]], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x14, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x24, { 'PteBase' : [ 0x0, ['pointer', ['_MMPTE']]], 'Lock' : [ 0x4, ['unsigned long']], 'Paged' : [ 0x8, 
['_MI_SPECIAL_POOL_PTE_LIST']], 'NonPaged' : [ 0x10, ['_MI_SPECIAL_POOL_PTE_LIST']], 'PagesInUse' : [ 0x18, ['long']], 'SpecialPoolPdes' : [ 0x1c, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], 
'_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_2171' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_2173' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2171']], 'Merged' : [ 0x10, ['__unnamed_2173']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x8, ['pointer', 
['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_217b' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_217b']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_1ef4']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_1f82']], 'LeftChild' : [ 0x24, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x28, ['pointer', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x38, { 
'GetTime' : [ 0x0, ['unsigned long']], 'SetTime' : [ 0x4, ['unsigned long']], 'GetWakeupTime' : [ 0x8, ['unsigned long']], 'SetWakeupTime' : [ 0xc, ['unsigned long']], 'SetVirtualAddressMap' : [ 0x10, ['unsigned long']], 'ConvertPointer' : [ 0x14, ['unsigned long']], 'GetVariable' : [ 0x18, ['unsigned long']], 'GetNextVariableName' : [ 0x1c, ['unsigned long']], 'SetVariable' : [ 0x20, ['unsigned long']], 'GetNextHighMonotonicCount' : [ 0x24, ['unsigned long']], 'ResetSystem' : [ 0x28, ['unsigned long']], 'UpdateCapsule' : [ 0x2c, ['unsigned long']], 'QueryCapsuleCapabilities' : [ 0x30, ['unsigned long']], 'QueryVariableInfo' : [ 0x34, ['unsigned long']], } ], '_MI_SPECIAL_POOL_PTE_LIST' : [ 0x8, { 'FreePteHead' : [ 0x0, ['_MMPTE']], 'FreePteTail' : [ 0x4, ['_MMPTE']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', 
dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_2191' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_2195' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long 
long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_2191']], 'u2' : [ 0x24, ['__unnamed_2195']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x2c, ['array', 1, ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '__unnamed_219e' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_21a0' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_219e']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x90, { 'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_21a0']], 'Signature' : [ 0x14, ['unsigned long']], 'PoolPageHeaders' : [ 0x18, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, ['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 
0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x54, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned 
long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_TPM_BOOT_ENTROPY_LDR_RESULT' : [ 0x48, { 'Policy' : [ 0x0, ['unsigned long long']], 'ResultCode' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'TpmBootEntropyStructureUninitialized', 1: 'TpmBootEntropyDisabledByPolicy', 2: 'TpmBootEntropyNoTpmFound', 3: 'TpmBootEntropyTpmError', 4: 'TpmBootEntropySuccess'})]], 'ResultStatus' : [ 0xc, ['long']], 'Time' : [ 0x10, ['unsigned long long']], 'EntropyLength' : [ 0x18, ['unsigned long']], 'EntropyData' : [ 0x1c, ['array', 40, ['unsigned char']]], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, 
['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x28, ['pointer', ['void']]], 'CallersCaller' : [ 0x2c, ['pointer', ['void']]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long 
long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned long']], 'CompletionEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long 
long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x2c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'EnableMask' : [ 0x10, ['unsigned char']], 'SessionId' : [ 0x14, ['unsigned long']], 'ReplyQueue' : [ 0x14, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x14, ['array', 4, ['pointer', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x24, ['pointer', ['_EPROCESS']]], 'Callback' : [ 0x24, ['pointer', ['void']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } 
], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1a8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 
'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x1c, ['unsigned char']], 'Order' : [ 0x20, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x190, ['_LIST_ENTRY']], 'Status' : [ 0x198, ['long']], 'FailedDevice' : [ 0x19c, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1a0, ['unsigned char']], 'Cancelled' : [ 0x1a1, ['unsigned char']], 'IgnoreErrors' : [ 0x1a2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1a3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1a4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'ContainsDebug' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], 
'_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x40, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'IdleCheck' : [ 0xc, ['pointer', ['void']]], 'IdleHandler' : [ 0x10, ['pointer', ['void']]], 'HvConfig' : [ 0x18, ['unsigned long long']], 'Context' : [ 0x20, ['pointer', ['void']]], 'Latency' : [ 0x24, ['unsigned long']], 'Power' : [ 0x28, ['unsigned long']], 'TimeCheck' : [ 0x2c, ['unsigned long']], 'StateFlags' : [ 0x30, ['unsigned long']], 'PromotePercent' 
: [ 0x34, ['unsigned char']], 'DemotePercent' : [ 0x35, ['unsigned char']], 'PromotePercentBase' : [ 0x36, ['unsigned char']], 'DemotePercentBase' : [ 0x37, ['unsigned char']], 'StateType' : [ 0x38, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_2217' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x40, { 'Lock' : [ 0x0, ['long']], 'NodeToFree' : [ 0x4, ['pointer', ['void']]], 'NodeRangeSize' : [ 0x8, ['unsigned long']], 'NodeCount' : [ 0xc, ['unsigned long']], 'Tables' : [ 0x10, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_2217']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 
'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 
'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_RELATION_LIST_ENTRY' : [ 0xc, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x403c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40d8, ['long']], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : 
[ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_CONFIGURATION_COMPONENT' : [ 0x24, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', 
choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'Group' : [ 0x14, ['unsigned short']], 'GroupIndex' : [ 0x16, ['unsigned short']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer', ['unsigned char']]], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 
'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 
0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 
'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, ['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x12, ['unsigned short']], } ], '_flags' : [ 
0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_2272' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2274' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2272']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2274']], } ], '_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA' : [ 0x8, { 'CapturedCpuShareWeight' : [ 0x0, ['unsigned long']], 'CapturedTotalWeight' : [ 0x4, ['unsigned long']], 'CombinedData' : [ 0x0, ['long long']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned 
long')]], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_2287' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_2287']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], 
} ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x18, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x10, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', 
['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 
'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, 
['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x3c, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_22dd' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_22df' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_22e3' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_22e7' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_22e9' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 
0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_22dd']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_22df']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_22e3']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_22e7']], 'Others' : [ 0x0, ['__unnamed_22e9']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0xa0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'Reset' : [ 0x3, ['unsigned char']], 'HiberFlags' : [ 0x4, ['unsigned char']], 'WroteHiberFile' : [ 0x5, ['unsigned char']], 'MapFrozen' : [ 0x6, ['unsigned char']], 'MemoryMap' : [ 0x8, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x10, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x18, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x20, ['unsigned long']], 'NextCloneRange' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x28, ['unsigned long']], 'LoaderMdl' : [ 0x2c, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x30, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x38, ['unsigned long long']], 'IoPages' : [ 0x40, ['pointer', ['void']]], 'IoPagesCount' : [ 0x44, ['unsigned long']], 'CurrentMcb' : [ 0x48, ['pointer', ['void']]], 'DumpStack' : [ 0x4c, ['pointer', 
['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x50, ['pointer', ['_KPROCESSOR_STATE']]], 'PreferredIoWriteSize' : [ 0x54, ['unsigned long']], 'IoProgress' : [ 0x58, ['unsigned long']], 'HiberVa' : [ 0x5c, ['unsigned long']], 'HiberPte' : [ 0x60, ['_LARGE_INTEGER']], 'Status' : [ 0x68, ['long']], 'MemoryImage' : [ 0x6c, ['pointer', ['PO_MEMORY_IMAGE']]], 'CompressionWorkspace' : [ 0x70, ['pointer', ['void']]], 'CompressedWriteBuffer' : [ 0x74, ['pointer', ['unsigned char']]], 'CompressedWriteBufferSize' : [ 0x78, ['unsigned long']], 'MaxCompressedOutputSize' : [ 0x7c, ['unsigned long']], 'PerformanceStats' : [ 0x80, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x84, ['pointer', ['void']]], 'DmaIO' : [ 0x88, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x8c, ['pointer', ['void']]], 'BootLoaderLogMdl' : [ 0x90, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0x94, ['pointer', ['_MDL']]], 'ResumeContext' : [ 0x98, ['pointer', ['void']]], 'ResumeContextPages' : [ 0x9c, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 
'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x20, { 'ThreadHandle' : [ 0x0, ['pointer', ['void']]], 'ThreadId' : [ 0x4, ['pointer', ['void']]], 'ProcessId' : [ 0x8, ['pointer', ['void']]], 'Code' : [ 0xc, ['unsigned long']], 'Parameter1' : [ 0x10, ['unsigned long']], 'Parameter2' : [ 0x14, ['unsigned long']], 'Parameter3' : [ 0x18, ['unsigned long']], 'Parameter4' : [ 0x1c, ['unsigned long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, ['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '__unnamed_230d' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_230d']], } ], '__unnamed_2311' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' 
: [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2311']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xe0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'HiberPte' : [ 0x38, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x40, ['unsigned long']], 'FreeMapCheck' : [ 0x44, ['unsigned long']], 'WakeCheck' : [ 0x48, ['unsigned long']], 'FirstTablePage' : [ 0x4c, ['unsigned long']], 'PerfInfo' : [ 0x50, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xa8, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xac, ['array', 1, ['unsigned long']]], 'NoBootLoaderLogPages' : [ 0xb0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xb4, ['array', 8, ['unsigned long']]], 'NotUsed' : [ 0xd4, ['unsigned long']], 'ResumeContextCheck' : [ 0xd8, ['unsigned long']], 'ResumeContextPages' : [ 0xdc, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x58, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'ElapsedTicks' : [ 0x18, ['unsigned long long']], 'CompressTicks' : [ 0x20, ['unsigned long long']], 'ResumeAppTime' : [ 0x28, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x30, ['unsigned long long']], 'BytesCopied' : [ 0x38, ['unsigned long long']], 'PagesProcessed' : [ 0x40, ['unsigned long long']], 'PagesWritten' : [ 0x48, ['unsigned long']], 'DumpCount' : [ 0x4c, ['unsigned long']], 'FileRuns' : [ 0x50, ['unsigned long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', 
['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x18, { 'Entry' : [ 0x0, ['unsigned long']], 'Writable' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], 'ViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x10, ['pointer', ['void']]], 'SessionId' : [ 0x14, ['unsigned long']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x34, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0xc, ['pointer', ['unsigned char']]], 'PciDeviceId' : [ 0x10, ['unsigned short']], 'PciVendorId' : [ 0x12, ['unsigned short']], 'PciBusNumber' : [ 0x14, ['unsigned char']], 'PciBusSegment' : [ 0x16, ['unsigned short']], 'PciSlotNumber' : [ 0x18, ['unsigned char']], 'PciFunctionNumber' : [ 
0x19, ['unsigned char']], 'PciFlags' : [ 0x1c, ['unsigned long']], 'SystemGUID' : [ 0x20, ['_GUID']], 'IsMMIODevice' : [ 0x30, ['unsigned char']], 'TerminalType' : [ 0x31, ['unsigned char']], } ], '__unnamed_2339' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_233b' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_233d' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2339']], 'Gpt' : [ 0x0, ['__unnamed_233b']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_233d']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x30, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x8, ['unsigned long']], 'Hint' : [ 0xc, ['unsigned long']], 'BasePte' : [ 0x10, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'Vm' : [ 0x18, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x1c, ['long']], 'TotalFreeSystemPtes' : [ 0x20, ['long']], 'CachedPteCount' : [ 0x24, ['long']], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x2c, ['unsigned long']], 'GlobalMutex' : [ 
0x2c, ['pointer', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x10, { 'DHCPServerACK' : [ 0x0, ['pointer', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x4, ['unsigned long']], 'BootServerReplyPacket' : [ 0x8, ['pointer', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0xc, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x170, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 9, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], 
'_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 
0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 
'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TscQpcData' : [ 0x2ed, ['unsigned char']], 'TscQpcEnabled' : [ 0x2ed, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TscQpcSpareFlag' : [ 0x2ed, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TscQpcShift' : [ 0x2ed, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'TscQpcPad' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : 
[ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved5' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned short']], 'Reserved4' : [ 0x3c6, ['unsigned short']], 'AitSamplingValue' : [ 0x3c8, ['unsigned long']], 'AppCompatFlag' : [ 0x3cc, ['unsigned long']], 'SystemDllNativeRelocation' : [ 0x3d0, ['unsigned long long']], 'SystemDllWowRelocation' : [ 0x3d8, ['unsigned long']], 'XStatePad' : [ 0x3dc, ['array', 1, ['unsigned long']]], 'XState' : [ 0x3e0, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1041' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1041']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1045' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1045']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_105e' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1060' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_105e']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_1060']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_INVALID'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TP_TASK' : [ 0x20, { 'Callbacks' : [ 0x0, ['pointer', ['_TP_TASK_CALLBACKS']]], 'NumaNode' : [ 0x4, ['unsigned long']], 'IdealProcessor' : [ 0x8, ['unsigned char']], 'PostGuard' : [ 0xc, ['_TP_NBQ_GUARD']], 'NBQNode' : [ 0x1c, ['pointer', ['void']]], } ], '_TP_TASK_CALLBACKS' : [ 0x8, { 'ExecuteCallback' : [ 0x0, ['pointer', ['void']]], 'Unposted' : [ 0x4, ['pointer', ['void']]], } ], '_TP_DIRECT' : [ 0xc, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'NumaNode' : [ 0x4, ['unsigned long']], 'IdealProcessor' : [ 0x8, ['unsigned char']], } ], '_TEB' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', 
['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', 
['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'EtwLocalData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, 
['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KPCR' : [ 
0x3748, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x3628, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : 
[ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x338, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'PrcbPad0' : [ 0x3be, ['array', 2, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'CpuVendor' : [ 0x3c4, ['unsigned char']], 'GroupIndex' : [ 0x3c5, ['unsigned char']], 'Group' : [ 0x3c6, ['unsigned short']], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, ['unsigned long']], 'PrcbPad1' : [ 0x3d0, ['array', 72, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x4a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x4a4, ['unsigned long']], 'KernelTime' : [ 0x4a8, ['unsigned long']], 'UserTime' : [ 0x4ac, ['unsigned long']], 'DpcTime' : [ 0x4b0, ['unsigned long']], 'DpcTimeCount' : [ 0x4b4, ['unsigned long']], 'InterruptTime' : [ 0x4b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4bc, ['unsigned long']], 'PageColor' : [ 0x4c0, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c4, ['unsigned char']], 'NodeColor' : [ 0x4c5, ['unsigned char']], 'PrcbPad20' : [ 0x4c6, ['array', 2, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'ParentNode' : [ 0x4cc, ['pointer', ['_KNODE']]], 'SecondaryColorMask' : [ 0x4d0, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d4, ['unsigned long']], 'PrcbPad21' : [ 0x4d8, ['array', 2, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 
0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' : [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x520, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, ['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, ['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : [ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x570, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, 
['unsigned long']]], 'PPLookasideList' : [ 0x5a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x1820, ['unsigned long']], 'ReverseStall' : [ 0x1824, ['long']], 'IpiFrame' : [ 0x1828, ['pointer', ['void']]], 'PrcbPad3' : [ 0x182c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x1860, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x186c, ['unsigned long']], 'WorkerRoutine' : [ 0x1870, ['pointer', ['void']]], 'IpiFrozen' : [ 0x1874, ['unsigned long']], 'PrcbPad4' : [ 0x1878, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x18a0, ['unsigned long']], 'SignalDone' : [ 0x18a4, ['pointer', ['_KPRCB']]], 'PrcbPad50' : [ 0x18a8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x18e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1908, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x190c, ['long']], 'DpcRequestRate' : [ 0x1910, ['unsigned long']], 'MinimumDpcRate' : [ 0x1914, ['unsigned long']], 'DpcLastCount' : [ 0x1918, ['unsigned long']], 'PrcbLock' : [ 0x191c, ['unsigned long']], 'DpcGate' : [ 0x1920, ['_KGATE']], 'ThreadDpcEnable' : [ 0x1930, ['unsigned char']], 'QuantumEnd' : [ 0x1931, ['unsigned char']], 'DpcRoutineActive' : [ 0x1932, ['unsigned char']], 'IdleSchedule' : [ 0x1933, ['unsigned char']], 'DpcRequestSummary' : [ 0x1934, ['long']], 'DpcRequestSlot' : [ 0x1934, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x1934, ['short']], 'DpcThreadActive' : [ 0x1936, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ThreadDpcState' : [ 0x1936, ['short']], 'TimerHand' : [ 0x1938, ['unsigned long']], 'LastTick' : [ 0x193c, ['unsigned long']], 'MasterOffset' : [ 0x1940, ['long']], 'PrcbPad41' : [ 0x1944, ['array', 2, ['unsigned long']]], 'PeriodicCount' : [ 0x194c, ['unsigned long']], 'PeriodicBias' : [ 0x1950, ['unsigned long']], 
'TickOffset' : [ 0x1958, ['unsigned long long']], 'TimerTable' : [ 0x1960, ['_KTIMER_TABLE']], 'CallDpc' : [ 0x31a0, ['_KDPC']], 'ClockKeepAlive' : [ 0x31c0, ['long']], 'ClockCheckSlot' : [ 0x31c4, ['unsigned char']], 'ClockPollCycle' : [ 0x31c5, ['unsigned char']], 'PrcbPad6' : [ 0x31c6, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x31c8, ['long']], 'DpcWatchdogCount' : [ 0x31cc, ['long']], 'ThreadWatchdogPeriod' : [ 0x31d0, ['long']], 'ThreadWatchdogCount' : [ 0x31d4, ['long']], 'KeSpinLockOrdering' : [ 0x31d8, ['long']], 'PrcbPad70' : [ 0x31dc, ['array', 1, ['unsigned long']]], 'WaitListHead' : [ 0x31e0, ['_LIST_ENTRY']], 'WaitLock' : [ 0x31e8, ['unsigned long']], 'ReadySummary' : [ 0x31ec, ['unsigned long']], 'QueueIndex' : [ 0x31f0, ['unsigned long']], 'DeferredReadyListHead' : [ 0x31f4, ['_SINGLE_LIST_ENTRY']], 'StartCycles' : [ 0x31f8, ['unsigned long long']], 'CycleTime' : [ 0x3200, ['unsigned long long']], 'HighCycleTime' : [ 0x3208, ['unsigned long']], 'PrcbPad71' : [ 0x320c, ['unsigned long']], 'PrcbPad72' : [ 0x3210, ['array', 2, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x3220, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3320, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3324, ['long']], 'MmPageFaultCount' : [ 0x3328, ['long']], 'MmCopyOnWriteCount' : [ 0x332c, ['long']], 'MmTransitionCount' : [ 0x3330, ['long']], 'MmCacheTransitionCount' : [ 0x3334, ['long']], 'MmDemandZeroCount' : [ 0x3338, ['long']], 'MmPageReadCount' : [ 0x333c, ['long']], 'MmPageReadIoCount' : [ 0x3340, ['long']], 'MmCacheReadCount' : [ 0x3344, ['long']], 'MmCacheIoCount' : [ 0x3348, ['long']], 'MmDirtyPagesWriteCount' : [ 0x334c, ['long']], 'MmDirtyWriteIoCount' : [ 0x3350, ['long']], 'MmMappedPagesWriteCount' : [ 0x3354, ['long']], 'MmMappedWriteIoCount' : [ 0x3358, ['long']], 'CachedCommit' : [ 0x335c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3360, ['unsigned long']], 'HyperPte' : [ 0x3364, ['pointer', ['void']]], 
'PrcbPad8' : [ 0x3368, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x336c, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x3379, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x337a, ['unsigned char']], 'PrcbPad9' : [ 0x337b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x3380, ['unsigned long']], 'UpdateSignature' : [ 0x3388, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3390, ['unsigned long long']], 'RuntimeAccumulation' : [ 0x3398, ['unsigned long long']], 'PowerState' : [ 0x33a0, ['_PROCESSOR_POWER_STATE']], 'DpcWatchdogDpc' : [ 0x3468, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3488, ['_KTIMER']], 'WheaInfo' : [ 0x34b0, ['pointer', ['void']]], 'EtwSupport' : [ 0x34b4, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x34b8, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x34c0, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x34c8, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x34cc, ['pointer', ['void']]], 'StatisticsPage' : [ 0x34d0, ['pointer', ['unsigned long long']]], 'RateControl' : [ 0x34d4, ['pointer', ['void']]], 'Cache' : [ 0x34d8, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3514, ['unsigned long']], 'CacheProcessorMask' : [ 0x3518, ['array', 5, ['unsigned long']]], 'PackageProcessorSet' : [ 0x352c, ['_KAFFINITY_EX']], 'PrcbPad91' : [ 0x3538, ['array', 1, ['unsigned long']]], 'CoreProcessorSet' : [ 0x353c, ['unsigned long']], 'TimerExpirationDpc' : [ 0x3540, ['_KDPC']], 'SpinLockAcquireCount' : [ 0x3560, ['unsigned long']], 'SpinLockContentionCount' : [ 0x3564, ['unsigned long']], 'SpinLockSpinCount' : [ 0x3568, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0x356c, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x3570, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x3574, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x3578, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x357c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x3580, ['unsigned long']], 
'ExecutiveResourceAcquiresCount' : [ 0x3584, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x3588, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x358c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x3590, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x3594, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x3598, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x359c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x35a0, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x35a4, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x35a8, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x35ac, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x35b0, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x35b4, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x35b8, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x35bc, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x35c0, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x35c4, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x35c8, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x35cc, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x35d0, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x35d4, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x35d8, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x35dc, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x35e0, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x35e4, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x35e8, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x35ec, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x35f0, ['unsigned long']], 
'ExSetResOwnerPointerExclusive' : [ 0x35f4, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x35f8, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x35fc, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0x3600, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0x3604, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0x3608, ['unsigned long']], 'ExBoostSharedOwners' : [ 0x360c, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0x3610, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0x3614, ['unsigned long']], 'Context' : [ 0x3618, ['pointer', ['_CONTEXT']]], 'ContextFlags' : [ 0x361c, ['unsigned long']], 'ExtendedState' : [ 0x3620, ['pointer', ['_XSAVE_AREA']]], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x200, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'HighCycleTime' : [ 0x18, ['unsigned long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer', ['void']]], 'StackLimit' : [ 0x2c, ['pointer', ['void']]], 'KernelStack' : [ 0x30, ['pointer', ['void']]], 'ThreadLock' : [ 0x34, ['unsigned long']], 'WaitRegister' : [ 0x38, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x39, ['unsigned char']], 'Alerted' : [ 0x3a, 
['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x3c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x3c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x3c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x3c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x3c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x3c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x3c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x3c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x3c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x3c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x3c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'TimerActive' : [ 0x3c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SystemThread' : [ 0x3c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Reserved' : [ 0x3c, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x3c, ['long']], 'ApcState' : [ 0x40, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x40, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x57, ['unsigned char']], 'NextProcessor' : [ 0x58, ['unsigned long']], 'DeferredProcessor' : [ 0x5c, ['unsigned long']], 'ApcQueueLock' : [ 0x60, ['unsigned long']], 'ContextSwitches' : [ 0x64, ['unsigned 
long']], 'State' : [ 0x68, ['unsigned char']], 'NpxState' : [ 0x69, ['unsigned char']], 'WaitIrql' : [ 0x6a, ['unsigned char']], 'WaitMode' : [ 0x6b, ['unsigned char']], 'WaitStatus' : [ 0x6c, ['long']], 'WaitBlockList' : [ 0x70, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x74, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x74, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x7c, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x80, ['unsigned long']], 'KernelApcDisable' : [ 0x84, ['short']], 'SpecialApcDisable' : [ 0x86, ['short']], 'CombinedApcDisable' : [ 0x84, ['unsigned long']], 'Teb' : [ 0x88, ['pointer', ['void']]], 'Timer' : [ 0x90, ['_KTIMER']], 'AutoAlignment' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xb8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xb8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xb8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CalloutActive' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ApcQueueable' : [ 0xb8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xb8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'GuiThread' : [ 0xb8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'VdmSafe' : [ 0xb8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'UmsDispatched' : [ 0xb8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb8, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xb8, ['long']], 'ServiceTable' : [ 0xbc, ['pointer', 
['void']]], 'WaitBlock' : [ 0xc0, ['array', 4, ['_KWAIT_BLOCK']]], 'QueueListEntry' : [ 0x120, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x128, ['pointer', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x12c, ['pointer', ['void']]], 'CallbackStack' : [ 0x130, ['pointer', ['void']]], 'CallbackDepth' : [ 0x130, ['unsigned long']], 'ApcStateIndex' : [ 0x134, ['unsigned char']], 'BasePriority' : [ 0x135, ['unsigned char']], 'PriorityDecrement' : [ 0x136, ['unsigned char']], 'ForegroundBoost' : [ 0x136, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x136, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x137, ['unsigned char']], 'AdjustReason' : [ 0x138, ['unsigned char']], 'AdjustIncrement' : [ 0x139, ['unsigned char']], 'PreviousMode' : [ 0x13a, ['unsigned char']], 'Saturation' : [ 0x13b, ['unsigned char']], 'SystemCallNumber' : [ 0x13c, ['unsigned long']], 'FreezeCount' : [ 0x140, ['unsigned long']], 'UserAffinity' : [ 0x144, ['_GROUP_AFFINITY']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x154, ['_GROUP_AFFINITY']], 'IdealProcessor' : [ 0x160, ['unsigned long']], 'UserIdealProcessor' : [ 0x164, ['unsigned long']], 'ApcStatePointer' : [ 0x168, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x170, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x170, ['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x187, ['unsigned char']], 'SuspendCount' : [ 0x188, ['unsigned char']], 'Spare1' : [ 0x189, ['unsigned char']], 'OtherPlatformFill' : [ 0x18a, ['unsigned char']], 'Win32Thread' : [ 0x18c, ['pointer', ['void']]], 'StackBase' : [ 0x190, ['pointer', ['void']]], 'SuspendApc' : [ 0x194, ['_KAPC']], 'SuspendApcFill0' : [ 0x194, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x195, ['unsigned char']], 'SuspendApcFill1' : [ 0x194, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x197, ['unsigned char']], 'SuspendApcFill2' : [ 0x194, ['array', 4, 
['unsigned char']]], 'KernelTime' : [ 0x198, ['unsigned long']], 'SuspendApcFill3' : [ 0x194, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b8, ['pointer', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x194, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1bc, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x194, ['array', 47, ['unsigned char']]], 'LargeStack' : [ 0x1c3, ['unsigned char']], 'UserTime' : [ 0x1c4, ['unsigned long']], 'SuspendSemaphore' : [ 0x1c8, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x1c8, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1dc, ['unsigned long']], 'ThreadListEntry' : [ 0x1e0, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1e8, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1f0, ['pointer', ['void']]], 'ThreadCounters' : [ 0x1f4, ['pointer', ['_KTHREAD_COUNTERS']]], 'XStateSave' : [ 0x1f8, ['pointer', ['_XSTATE_SAVE']]], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x8, 
{ 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 
'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_ETHREAD' : [ 0x2b8, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x200, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x208, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x208, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x210, ['long']], 'PostBlockList' : [ 0x214, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x214, ['pointer', ['void']]], 'StartAddress' : [ 0x218, ['pointer', ['void']]], 'TerminationPort' : [ 0x21c, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x21c, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x21c, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x220, ['unsigned long']], 'ActiveTimerListHead' : [ 0x224, ['_LIST_ENTRY']], 'Cid' : [ 0x22c, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x234, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x234, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x248, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x24c, 
['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x254, ['unsigned long']], 'DeviceToVerify' : [ 0x258, ['pointer', ['_DEVICE_OBJECT']]], 'CpuQuotaApc' : [ 0x25c, ['pointer', ['_PSP_CPU_QUOTA_APC']]], 'Win32StartAddress' : [ 0x260, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x264, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x268, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x270, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x274, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x278, ['unsigned long']], 'MmLockOrdering' : [ 0x27c, ['long']], 'CrossThreadFlags' : [ 0x280, ['unsigned long']], 'Terminated' : [ 0x280, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x280, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x280, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x280, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x280, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x280, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x280, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x280, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x280, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x280, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x280, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x280, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x280, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 
'NeedsWorkingSetAging' : [ 0x280, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x284, ['unsigned long']], 'ActiveExWorker' : [ 0x284, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x284, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x284, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x284, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x284, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x284, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x284, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x288, ['unsigned long']], 'Spare' : [ 0x288, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x288, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x288, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x288, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x288, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x289, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x289, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x289, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x289, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x289, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x289, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x289, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x289, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x28a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x28a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x28a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x28a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x28a, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x28a, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x28b, ['unsigned char']], 'CacheManagerActive' : [ 0x28c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x28d, ['unsigned char']], 'ActiveFaultCount' : [ 0x28e, ['unsigned char']], 'LockOrderState' : [ 0x28f, ['unsigned char']], 'AlpcMessageId' : [ 0x290, ['unsigned long']], 'AlpcMessage' : [ 0x294, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x294, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x298, 
['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x2a0, ['unsigned long']], 'IoBoostCount' : [ 0x2a4, ['unsigned long']], 'IrpListLock' : [ 0x2a8, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x2ac, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x2b0, ['_SINGLE_LIST_ENTRY']], } ], '_EPROCESS' : [ 0x2c0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x98, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xa0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xa8, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xb0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0xc0, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xc8, ['array', 2, ['unsigned long']]], 'CommitCharge' : [ 0xd0, ['unsigned long']], 'QuotaBlock' : [ 0xd4, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0xd8, ['pointer', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0xdc, ['unsigned long']], 'VirtualSize' : [ 0xe0, ['unsigned long']], 'SessionProcessLinks' : [ 0xe4, ['_LIST_ENTRY']], 'DebugPort' : [ 0xec, ['pointer', ['void']]], 'ExceptionPortData' : [ 0xf0, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xf0, ['unsigned long']], 'ExceptionPortState' : [ 0xf0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'ObjectTable' : [ 0xf4, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xf8, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xfc, ['unsigned long']], 'AddressCreationLock' : [ 0x100, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x104, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0x108, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x10c, ['unsigned long']], 'PhysicalVadRoot' : [ 0x110, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x114, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x118, ['unsigned long']], 'NumberOfLockedPages' : [ 0x11c, ['unsigned long']], 'Win32Process' : [ 0x120, ['pointer', ['void']]], 'Job' : [ 0x124, ['pointer', ['_EJOB']]], 
'SectionObject' : [ 0x128, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x12c, ['pointer', ['void']]], 'Cookie' : [ 0x130, ['unsigned long']], 'Spare8' : [ 0x134, ['unsigned long']], 'WorkingSetWatch' : [ 0x138, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x13c, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x140, ['pointer', ['void']]], 'LdtInformation' : [ 0x144, ['pointer', ['void']]], 'VdmObjects' : [ 0x148, ['pointer', ['void']]], 'ConsoleHostProcess' : [ 0x14c, ['unsigned long']], 'DeviceMap' : [ 0x150, ['pointer', ['void']]], 'EtwDataSource' : [ 0x154, ['pointer', ['void']]], 'FreeTebHint' : [ 0x158, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x160, ['_HARDWARE_PTE']], 'Filler' : [ 0x160, ['unsigned long long']], 'Session' : [ 0x168, ['pointer', ['void']]], 'ImageFileName' : [ 0x16c, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x17b, ['unsigned char']], 'JobLinks' : [ 0x17c, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x184, ['pointer', ['void']]], 'ThreadListHead' : [ 0x188, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x190, ['pointer', ['void']]], 'PaeTop' : [ 0x194, ['pointer', ['void']]], 'ActiveThreads' : [ 0x198, ['unsigned long']], 'ImagePathHash' : [ 0x19c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a0, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1a4, ['long']], 'Peb' : [ 0x1a8, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x1ac, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e0, ['unsigned long']], 'CommitChargePeak' : [ 0x1e4, ['unsigned long']], 'AweInfo' : [ 0x1e8, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1ec, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 
0x1f0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x25c, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x264, ['pointer', ['void']]], 'ModifiedPageCount' : [ 0x268, ['unsigned long']], 'Flags2' : [ 0x26c, ['unsigned long']], 'JobNotReallyActive' : [ 0x26c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x26c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x26c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x26c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x26c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x26c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x26c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x26c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x26c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x26c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x26c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x26c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x26c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x26c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x26c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x26c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 
'AffinityPermanent' : [ 0x26c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x26c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x26c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x26c, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Flags' : [ 0x270, ['unsigned long']], 'CreateReported' : [ 0x270, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x270, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x270, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x270, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x270, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x270, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x270, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x270, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x270, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x270, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x270, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x270, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x270, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x270, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 
0x270, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x270, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x270, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x270, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x270, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x270, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x270, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x270, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x270, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x270, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x270, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x270, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x270, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x270, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x270, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x274, ['long']], 'VadRoot' : [ 0x278, ['_MM_AVL_TABLE']], 'AlpcContext' : [ 0x298, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x2a8, ['_LIST_ENTRY']], 'RequestedTimerResolution' : [ 0x2b0, ['unsigned long']], 'ActiveThreadsHighWatermark' : [ 0x2b4, ['unsigned long']], 'SmallestTimerResolution' : [ 0x2b8, ['unsigned long']], 
'TimerResolutionStackRecord' : [ 0x2bc, ['pointer', ['_PO_DIAG_STACK_RECORD']]], } ], '_KPROCESS' : [ 0x98, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'Affinity' : [ 0x38, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x44, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x4c, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x50, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ActiveGroupsMask' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedFlags' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x5c, ['long']], 'BasePriority' : [ 0x60, ['unsigned char']], 'QuantumReset' : [ 0x61, ['unsigned char']], 'Visited' : [ 0x62, ['unsigned char']], 'Unused3' : [ 0x63, ['unsigned char']], 'ThreadSeed' : [ 0x64, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x68, ['array', 1, ['unsigned short']]], 'IdealGlobalNode' : [ 0x6a, ['unsigned short']], 'Flags' : [ 0x6c, ['_KEXECUTE_OPTIONS']], 'Unused1' : [ 0x6d, ['unsigned char']], 'IopmOffset' : [ 0x6e, ['unsigned short']], 'Unused4' : [ 0x70, ['unsigned long']], 'StackCount' : [ 0x74, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x78, ['_LIST_ENTRY']], 'CycleTime' : [ 0x80, ['unsigned long long']], 'KernelTime' : [ 0x88, ['unsigned long']], 'UserTime' : [ 0x8c, ['unsigned long']], 'VdmTrapcHandler' : [ 0x90, ['pointer', ['void']]], } ], '__unnamed_1293' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, 
['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1293']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc0, { 'PrivilegesUsed' : [ 0x0, ['pointer', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], } ], '__unnamed_12a2' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_12a7' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_12a9' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_12a7']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_12b4' : 
[ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_12b6' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_12b4']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_12a2']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_12a9']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_12b6']], } ], '__unnamed_12bd' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_12c1' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned 
short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_12c5' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_12c7' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_12cb' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 
'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_12cd' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_12cf' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 
'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], } ], '__unnamed_12d1' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 
'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12d3' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_12d5' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_12d9' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_12db' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, 
['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12de' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_12e0' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12e2' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_12e4' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_12e8' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_12ec' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_12f0' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_12f4' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_12fa' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12fe' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1302' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1304' : [ 0x10, 
{ 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_1306' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_130a' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_130e' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1312' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1316' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_131a' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1322' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 
7: 'PowerActionWarmEject'})]], } ], '__unnamed_1326' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1328' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_132a' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_132c' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_12bd']], 'CreatePipe' : [ 0x0, ['__unnamed_12c1']], 'CreateMailslot' : [ 0x0, ['__unnamed_12c5']], 'Read' : [ 0x0, ['__unnamed_12c7']], 'Write' : [ 0x0, ['__unnamed_12c7']], 'QueryDirectory' : [ 0x0, ['__unnamed_12cb']], 'NotifyDirectory' : [ 0x0, ['__unnamed_12cd']], 'QueryFile' : [ 0x0, ['__unnamed_12cf']], 'SetFile' : [ 0x0, ['__unnamed_12d1']], 'QueryEa' : [ 0x0, ['__unnamed_12d3']], 'SetEa' : [ 0x0, ['__unnamed_12d5']], 'QueryVolume' : [ 0x0, ['__unnamed_12d9']], 'SetVolume' : [ 0x0, ['__unnamed_12d9']], 'FileSystemControl' : [ 0x0, ['__unnamed_12db']], 'LockControl' : [ 0x0, ['__unnamed_12de']], 'DeviceIoControl' : [ 0x0, ['__unnamed_12e0']], 'QuerySecurity' : [ 0x0, ['__unnamed_12e2']], 'SetSecurity' : [ 0x0, ['__unnamed_12e4']], 'MountVolume' : [ 0x0, ['__unnamed_12e8']], 'VerifyVolume' : [ 0x0, ['__unnamed_12e8']], 'Scsi' : [ 0x0, ['__unnamed_12ec']], 'QueryQuota' : [ 0x0, ['__unnamed_12f0']], 'SetQuota' : [ 0x0, ['__unnamed_12d5']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_12f4']], 'QueryInterface' : [ 0x0, ['__unnamed_12fa']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_12fe']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1302']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1304']], 'SetLock' : [ 0x0, ['__unnamed_1306']], 'QueryId' : [ 0x0, ['__unnamed_130a']], 
'QueryDeviceText' : [ 0x0, ['__unnamed_130e']], 'UsageNotification' : [ 0x0, ['__unnamed_1312']], 'WaitWake' : [ 0x0, ['__unnamed_1316']], 'PowerSequence' : [ 0x0, ['__unnamed_131a']], 'Power' : [ 0x0, ['__unnamed_1322']], 'StartDevice' : [ 0x0, ['__unnamed_1326']], 'WMI' : [ 0x0, ['__unnamed_1328']], 'Others' : [ 0x0, ['__unnamed_132a']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_132c']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1342' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_1342']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : 
[ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, 
['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 
'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 
'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x40, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 
'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '__unnamed_14af' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'VolatileLong' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_14af']], } ], '__unnamed_14c0' : [ 0xc, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0x88, { 'OsMajorVersion' : [ 0x0, ['unsigned long']], 'OsMinorVersion' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'LoadOrderListHead' : [ 0x10, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x18, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x20, ['_LIST_ENTRY']], 'KernelStack' : [ 0x28, ['unsigned long']], 'Prcb' : [ 0x2c, ['unsigned long']], 'Process' : [ 0x30, ['unsigned long']], 'Thread' : [ 0x34, ['unsigned long']], 'RegistryLength' : [ 0x38, ['unsigned long']], 'RegistryBase' : [ 0x3c, ['pointer', ['void']]], 'ConfigurationRoot' : [ 0x40, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x44, ['pointer', ['unsigned char']]], 
'ArcHalDeviceName' : [ 0x48, ['pointer', ['unsigned char']]], 'NtBootPathName' : [ 0x4c, ['pointer', ['unsigned char']]], 'NtHalPathName' : [ 0x50, ['pointer', ['unsigned char']]], 'LoadOptions' : [ 0x54, ['pointer', ['unsigned char']]], 'NlsData' : [ 0x58, ['pointer', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x5c, ['pointer', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0x60, ['pointer', ['void']]], 'Extension' : [ 0x64, ['pointer', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0x68, ['__unnamed_14c0']], 'FirmwareInformation' : [ 0x74, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '__unnamed_14f1' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_14f3' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_14f6' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_14f8' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_14f6']], } ], '__unnamed_14fd' : [ 0x4, { 
'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_14f1']], 'u2' : [ 0x4, ['__unnamed_14f3']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0x8, ['long']], 'PteLong' : [ 0x8, ['unsigned long']], 'u3' : [ 0xc, ['__unnamed_14f8']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_14fd']], } ], '_MI_COLOR_BASE' : [ 0x8, { 'ColorPointer' : [ 0x0, ['pointer', ['unsigned short']]], 'ColorMask' : [ 0x4, ['unsigned short']], 'ColorNode' : [ 0x6, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x6c, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x4, ['pointer', ['_KGATE']]], 'AccessLog' : [ 0x8, ['pointer', ['void']]], 'WorkingSetExpansionLinks' : [ 0xc, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x14, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x30, ['unsigned long']], 'WorkingSetSize' : [ 0x34, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x38, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x3c, ['unsigned long']], 'ChargedWslePages' : [ 0x40, ['unsigned long']], 'ActualWslePages' : [ 0x44, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x48, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x4c, ['unsigned long']], 'HardFaultCount' : [ 0x50, ['unsigned long']], 'VmWorkingSetList' : [ 0x54, ['pointer', ['_MMWSL']]], 'NextPageColor' : [ 0x58, ['unsigned short']], 'LastTrimStamp' : [ 0x5a, ['unsigned short']], 
'PageFaultCount' : [ 0x5c, ['unsigned long']], 'RepurposeCount' : [ 0x60, ['unsigned long']], 'Spare' : [ 0x64, ['array', 1, ['unsigned long']]], 'Flags' : [ 0x68, ['_MMSUPPORT_FLAGS']], } ], '_MMWSL' : [ 0x6a8, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x14, ['pointer', ['void']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NextAgingSlot' : [ 0x1c, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x20, ['unsigned long']], 'VadBitMapHint' : [ 0x24, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long']], 'LastVadBit' : [ 0x2c, ['unsigned long']], 'MaximumLastVadBit' : [ 0x30, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x34, ['unsigned long']], 'LastAllocationSize' : [ 0x38, ['unsigned long']], 'NonDirectHash' : [ 0x3c, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x40, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x44, ['pointer', ['_MMWSLE_HASH']]], 'UsedPageTableEntries' : [ 0x48, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x648, ['array', 24, ['unsigned long']]], } ], '__unnamed_152d' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_152d']], } ], '__unnamed_153c' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1546' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 
30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1548' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_1546']], } ], '_CONTROL_AREA' : [ 0x50, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_153c']], 'FlushInProgressCount' : [ 0x20, ['unsigned long']], 'FilePointer' : [ 0x24, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x28, ['long']], 'ModifiedWriteCount' : [ 0x2c, ['unsigned long']], 'StartingFrame' : [ 0x2c, ['unsigned long']], 'WaitingForDeletion' : [ 0x30, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x34, ['__unnamed_1548']], 'LockedPages' : [ 0x40, ['long long']], 'ViewList' : [ 0x48, ['_LIST_ENTRY']], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 0x0, ['unsigned long']], } ], '_MMPAGING_FILE' : [ 0x50, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'File' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x1c, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x24, ['_UNICODE_STRING']], 'Bitmap' : [ 0x2c, 
['pointer', ['_RTL_BITMAP']]], 'EvictStoreBitmap' : [ 0x30, ['pointer', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x34, ['unsigned long']], 'LastAllocationSize' : [ 0x38, ['unsigned long']], 'ToBeEvictedCount' : [ 0x3c, ['unsigned long']], 'PageFileNumber' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x40, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x42, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x42, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x44, ['pointer', ['void']]], 'Lock' : [ 0x48, ['unsigned long']], 'LockOwner' : [ 0x4c, ['pointer', ['_ETHREAD']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '__unnamed_1581' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_1584' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_1587' : [ 0x4, { 'LongFlags3' : [ 0x0, ['unsigned long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x20, { 'u1' : [ 0x0, ['__unnamed_1581']], 'LeftChild' : [ 0x4, ['pointer', 
['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1584']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1587']], } ], '__unnamed_158f' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_158f']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '__unnamed_1594' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x3c, { 'u1' : [ 0x0, ['__unnamed_1581']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1584']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1587']], 'u2' : [ 0x20, ['__unnamed_1594']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x24, ['pointer', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x30, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x38, ['pointer', ['_EPROCESS']]], } ], '__unnamed_159f' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x40, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x14, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x18, ['unsigned long']], 
'ModifiedNoWritePages' : [ 0x1c, ['unsigned long']], 'MdlHack' : [ 0x20, ['__unnamed_159f']], } ], '__unnamed_15a5' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_15a7' : [ 0x4, { 'KeepForever' : [ 0x0, ['unsigned long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_15a5']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['__unnamed_15a7']], 'PagingFile' : [ 0x18, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x20, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x24, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x28, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x30, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x38, ['pointer', ['_MDL']]], 'Mdl' : [ 0x3c, ['_MDL']], 'Page' : [ 0x58, ['array', 1, ['unsigned long']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_HHIVE' : [ 0x2ec, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x24, ['pointer', ['void']]], 'BaseBlock' : [ 0x28, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x2c, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x34, ['unsigned long']], 'DirtyAlloc' : [ 0x38, ['unsigned long']], 'BaseBlockAlloc' : [ 0x3c, ['unsigned long']], 'Cluster' : [ 0x40, ['unsigned long']], 'Flat' : [ 0x44, 
['unsigned char']], 'ReadOnly' : [ 0x45, ['unsigned char']], 'DirtyFlag' : [ 0x46, ['unsigned char']], 'HvBinHeadersUse' : [ 0x48, ['unsigned long']], 'HvFreeCellsUse' : [ 0x4c, ['unsigned long']], 'HvUsedCellsUse' : [ 0x50, ['unsigned long']], 'CmUsedCellsUse' : [ 0x54, ['unsigned long']], 'HiveFlags' : [ 0x58, ['unsigned long']], 'CurrentLog' : [ 0x5c, ['unsigned long']], 'LogSize' : [ 0x60, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x68, ['unsigned long']], 'StorageTypeCount' : [ 0x6c, ['unsigned long']], 'Version' : [ 0x70, ['unsigned long']], 'Storage' : [ 0x74, ['array', 2, ['_DUAL']]], } ], '_CM_VIEW_OF_FILE' : [ 0x30, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'CmHive' : [ 0x18, ['pointer', ['_CMHIVE']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'ViewAddress' : [ 0x20, ['pointer', ['void']]], 'FileOffset' : [ 0x24, ['unsigned long']], 'Size' : [ 0x28, ['unsigned long']], 'UseCount' : [ 0x2c, ['unsigned long']], } ], '_CMHIVE' : [ 0x638, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2ec, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x304, ['_LIST_ENTRY']], 'HiveList' : [ 0x30c, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x314, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x31c, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x320, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x328, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x32c, ['unsigned long']], 'Identity' : [ 0x330, ['unsigned long']], 'HiveLock' : [ 0x334, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x338, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x33c, ['pointer', ['_KTHREAD']]], 'ViewLockLast' : [ 0x340, ['unsigned long']], 'ViewUnLockLast' : [ 0x344, ['unsigned long']], 'WriterLock' : [ 0x348, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x34c, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x350, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x358, ['pointer', 
['CMP_OFFSET_ARRAY']]], 'FlushOffsetArrayCount' : [ 0x35c, ['unsigned long']], 'FlushHiveTruncated' : [ 0x360, ['unsigned long']], 'FlushLock2' : [ 0x364, ['pointer', ['_FAST_MUTEX']]], 'SecurityLock' : [ 0x368, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x36c, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x374, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x37c, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x384, ['unsigned short']], 'PinnedViewCount' : [ 0x386, ['unsigned short']], 'UseCount' : [ 0x388, ['unsigned long']], 'ViewsPerHive' : [ 0x38c, ['unsigned long']], 'FileObject' : [ 0x390, ['pointer', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x394, ['unsigned long']], 'ActualFileSize' : [ 0x398, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x3a0, ['_UNICODE_STRING']], 'FileUserName' : [ 0x3a8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x3b0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x3b8, ['unsigned long']], 'SecurityCacheSize' : [ 0x3bc, ['unsigned long']], 'SecurityHitHint' : [ 0x3c0, ['long']], 'SecurityCache' : [ 0x3c4, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x3c8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x5c8, ['unsigned long']], 'UnloadEventArray' : [ 0x5cc, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x5d0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x5d4, ['unsigned char']], 'UnloadWorkItem' : [ 0x5d8, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x5dc, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x5f0, ['unsigned char']], 'GrowOffset' : [ 0x5f4, ['unsigned long']], 'KcbConvertListHead' : [ 0x5f8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x600, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x608, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x60c, ['unsigned long']], 'TrustClassEntry' : [ 0x610, ['_LIST_ENTRY']], 'FlushCount' : [ 0x618, ['unsigned long']], 'CmRm' : [ 0x61c, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x620, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x624, ['long']], 
'CreatorOwner' : [ 0x628, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0x62c, ['pointer', ['_KTHREAD']]], 'LastWriteTime' : [ 0x630, ['_LARGE_INTEGER']], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0xc, ['_CM_KEY_HASH']], 'ConvKey' : [ 0xc, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x14, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], 'KcbPushlock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x20, ['pointer', ['_KTHREAD']]], 'SharedCount' : [ 0x20, ['long']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 
'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, ['unsigned long']], 'KcbUserFlags' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x6c, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x74, ['_LIST_ENTRY']], 'Stolen' : [ 0x74, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x7c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x80, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x88, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x90, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x98, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x9c, ['pointer', ['_UNICODE_STRING']]], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '__unnamed_162c' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_HvpRecoverWholeHive', 10: '_HvpMapFileImageAndBuildMap', 11: '_CmpValidateHiveSecurityDescriptors', 12: '_HvpEnlistBinInMap', 13: '_CmCheckRegistry', 14: '_CmRegistryIO', 15: '_CmCheckRegistry2', 16: '_CmpCheckKey', 17: '_CmpCheckValueList', 18: 
'_HvCheckHive', 19: '_HvCheckBin'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_162f' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x4, ['pointer', ['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_1631' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1633' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', ['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_1635' : [ 0x10, { 'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_1639' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_163d' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_163f' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x120, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned long']], 'RecoverableIndex' : [ 0x8, ['unsigned long']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_162c']]], 'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_162c']]], 'RegistryIO' : [ 0xcc, ['__unnamed_162f']], 'CheckRegistry2' : [ 0xd8, ['__unnamed_1631']], 'CheckKey' : [ 0xdc, ['__unnamed_1633']], 'CheckValueList' : [ 0xec, ['__unnamed_1635']], 'CheckHive' : [ 0xfc, ['__unnamed_1639']], 'CheckHive1' : [ 0x108, ['__unnamed_1639']], 'CheckBin' : [ 0x114, ['__unnamed_163d']], 'RecoverData' : [ 0x11c, ['__unnamed_163f']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, 
['unsigned long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0x80, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'DpcCount' : [ 0x38, ['unsigned long']], 'DpcRate' : [ 0x3c, ['unsigned long']], 'C1Time' : [ 0x40, ['unsigned long long']], 'C2Time' : [ 0x48, ['unsigned long long']], 'C3Time' : [ 0x50, ['unsigned long long']], 'C1Transitions' : [ 0x58, ['unsigned long long']], 'C2Transitions' : [ 0x60, ['unsigned long long']], 'C3Transitions' : [ 0x68, ['unsigned long long']], 'ParkingStatus' : [ 0x70, ['unsigned long']], 'CurrentFrequency' : [ 0x74, ['unsigned long']], 'PercentMaxFrequency' : [ 0x78, ['unsigned long']], 'StateFlags' : [ 0x7c, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_TEB32' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 
0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, 
['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 
'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], } ], '_TEB64' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 
'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, 
['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 
0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, 
['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0xc, { 'Affinity' : [ 0x0, ['pointer', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x4, ['unsigned long']], 'CurrentIndex' : [ 0x8, ['unsigned short']], } ], '_GROUP_AFFINITY' : [ 0xc, { 'Mask' : [ 0x0, ['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_FXSAVE_FORMAT' : [ 0x1e0, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 192, ['unsigned char']]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 
'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], '_KSTACK_AREA' : [ 0x210, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'NpxFrame' : [ 0x0, ['_FXSAVE_FORMAT']], 'StackControl' : [ 0x1e0, ['_KERNEL_STACK_CONTROL']], 'Cr0NpxState' : [ 0x1fc, ['unsigned long']], 'Padding' : [ 0x200, ['array', 4, ['unsigned long']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x1c, { 'PreviousTrapFrame' : [ 0x0, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0x0, ['pointer', ['void']]], 'StackControlFlags' : [ 0x4, ['unsigned long']], 'PreviousLargeStack' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousSegmentsPresent' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExpandCalloutStack' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Previous' : [ 0x8, ['_KERNEL_STACK_SEGMENT']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'Reserved' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, 
['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x3c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependentList' : [ 0x2c, ['_LIST_ENTRY']], 'ProviderList' : [ 0x34, ['_LIST_ENTRY']], } ], '__unnamed_1742' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1744' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1748' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', 
choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x188, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Level' : [ 0x28, ['unsigned long']], 'Notify' : [ 0x2c, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x68, ['_PO_IRP_MANAGER']], 'State' : [ 0x78, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x7c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 
779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x80, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xd0, ['unsigned long']], 'CompletionStatus' : [ 0xd4, ['long']], 'Flags' : [ 0xd8, ['unsigned long']], 'UserFlags' : [ 0xdc, ['unsigned long']], 'Problem' : [ 0xe0, ['unsigned long']], 'ResourceList' : [ 0xe4, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0xec, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xf0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xf4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 
16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xf8, ['unsigned long']], 'ChildInterfaceType' : [ 0xfc, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x100, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x104, ['unsigned short']], 'RemovalPolicy' : [ 0x106, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x107, ['unsigned char']], 'TargetDeviceNotify' : [ 0x108, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x110, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x118, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x120, ['unsigned short']], 'QueryTranslatorMask' : [ 0x122, ['unsigned short']], 'NoArbiterMask' : [ 0x124, ['unsigned short']], 'QueryArbiterMask' : [ 0x126, ['unsigned short']], 'OverUsed1' : [ 0x128, ['__unnamed_1742']], 'OverUsed2' : [ 0x12c, ['__unnamed_1744']], 'BootResources' : [ 0x130, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x134, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x138, ['unsigned long']], 'DockInfo' : [ 0x13c, ['__unnamed_1748']], 'DisableableDepends' : [ 0x14c, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x150, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x158, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x160, ['unsigned long']], 'PreviousParent' : [ 0x164, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x168, ['unsigned long']], 'NumaNodeIndex' : [ 0x16c, ['unsigned long']], 'ContainerID' : [ 0x170, ['_GUID']], 'OverrideFlags' : [ 0x180, ['unsigned char']], 'RequiresUnloadedDriver' : [ 0x181, ['unsigned char']], 'PendingEjectRelations' : [ 0x184, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], } ], '_KNODE' 
: [ 0x80, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'Affinity' : [ 0x20, ['_GROUP_AFFINITY']], 'ProximityId' : [ 0x2c, ['unsigned long']], 'NodeNumber' : [ 0x30, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x32, ['unsigned short']], 'MaximumProcessors' : [ 0x34, ['unsigned char']], 'Color' : [ 0x35, ['unsigned char']], 'Flags' : [ 0x36, ['_flags']], 'NodePad0' : [ 0x37, ['unsigned char']], 'Seed' : [ 0x38, ['unsigned long']], 'MmShiftedColor' : [ 0x3c, ['unsigned long']], 'FreeCount' : [ 0x40, ['array', 2, ['unsigned long']]], 'CachedKernelStacks' : [ 0x48, ['_CACHED_KSTACK_LIST']], 'ParkLock' : [ 0x60, ['long']], 'NodePad1' : [ 0x64, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 
'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned 
long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 
'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_17f1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, 
['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_17f1']], } ], '__unnamed_17f8' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : 
[ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_17f8']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x20, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'Flags' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x1c, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x160, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 
'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', ['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'LogHandle' : [ 0x98, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x9c, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa0, ['unsigned long']], 'LazyWritePassCount' : [ 0xa4, ['unsigned long']], 'UninitializeEvent' : [ 0xa8, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xac, ['_KGUARDED_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'Event' : [ 0xd8, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xf0, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x148, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x14c, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x150, ['unsigned long']], 'WritesInProgress' : [ 0x154, ['unsigned long']], 'PipelinedReadAheadSize' : [ 0x158, ['unsigned long']], } ], '__unnamed_1868' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_1868']], 'Links' : [ 0x10, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x18, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], 
'_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1886' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1888' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_188a' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_188c' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_188e' : [ 0x4, { 'Read' : [ 0x0, ['__unnamed_1886']], 'Write' : [ 0x0, ['__unnamed_1888']], 'Event' : [ 0x0, ['__unnamed_188a']], 'Notification' : [ 0x0, ['__unnamed_188c']], } ], '_WORK_QUEUE_ENTRY' : [ 0x10, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_188e']], 'Function' : [ 0xc, ['unsigned char']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x138, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 
'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x58, ['unsigned long']], 'Interceptor' : [ 0x5c, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x60, ['unsigned long']], 'Signature' : [ 0x64, ['unsigned long']], 'SegmentReserve' : [ 0x68, ['unsigned long']], 'SegmentCommit' : [ 0x6c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x70, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x74, ['unsigned long']], 'TotalFreeSize' : [ 0x78, ['unsigned long']], 'MaximumAllocationSize' : [ 0x7c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x80, ['unsigned short']], 'HeaderValidateLength' : [ 0x82, ['unsigned short']], 'HeaderValidateCopy' : [ 0x84, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x88, ['unsigned short']], 'MaximumTagIndex' : [ 0x8a, ['unsigned short']], 'TagEntries' : [ 0x8c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x90, ['_LIST_ENTRY']], 'AlignRound' : [ 0x98, ['unsigned long']], 'AlignMask' : [ 0x9c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0xa0, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa8, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xb0, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb4, 
['unsigned long']], 'BlocksIndex' : [ 0xb8, ['pointer', ['void']]], 'UCRIndex' : [ 0xbc, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xc0, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc4, ['_LIST_ENTRY']], 'LockVariable' : [ 0xcc, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xd0, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'Counters' : [ 0xdc, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x130, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_18df' : [ 0x18, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x18, { 'Lock' : [ 0x0, ['__unnamed_18df']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : 
[ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_PEB' : [ 0x248, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned 
long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'HotpatchInformation' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 
0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], 'pContextData' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : [ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x78, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 
'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], 'ForwarderLinks' : [ 0x50, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0x58, ['_LIST_ENTRY']], 'StaticLinks' : [ 0x60, ['_LIST_ENTRY']], 'ContextInformation' : [ 0x68, ['pointer', ['void']]], 'OriginalBase' : [ 0x6c, ['unsigned long']], 'LoadTime' : [ 0x70, ['_LARGE_INTEGER']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'LocalInfo' : [ 0x0, ['pointer', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'Flags' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '__unnamed_195e' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1960' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_195e']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1962' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1964' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1962']], 'ZeroInit' : 
[ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1960']], 'u2' : [ 0x4, ['__unnamed_1964']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x24, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], 'LookasideIndex' : [ 0x20, ['unsigned long']], } ], '__unnamed_1980' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1982' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1980']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, 
['__unnamed_1982']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Pad' : [ 0x14, ['unsigned long']], } ], '__unnamed_1994' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1996' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1994']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_1996']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_199c' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_199e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_199c']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_199e']], 'NumberOfViews' : [ 0x1c, ['unsigned long']], 'ViewListHead' : [ 0x20, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x2c, ['pointer', ['_KALPC_VIEW']]], } ], '__unnamed_19a4' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], 
'__unnamed_19a6' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19a4']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, ['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', ['void']]], 'u1' : [ 0x24, ['__unnamed_19a6']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x24, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_19c2' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned 
long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_19c4' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19c2']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0xfc, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x5c, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x64, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x6c, ['_LIST_ENTRY']], 'WaitQueue' : [ 0x74, ['_LIST_ENTRY']], 'Semaphore' : [ 0x7c, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'PortAttributes' : [ 0x80, ['_ALPC_PORT_ATTRIBUTES']], 'Lock' : [ 0xac, ['_EX_PUSH_LOCK']], 'ResourceListLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xb4, ['_LIST_ENTRY']], 'CompletionList' : [ 0xbc, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0xc0, ['pointer', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0xc4, ['pointer', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0xc8, ['pointer', ['void']]], 'CanceledQueue' : [ 0xcc, ['_LIST_ENTRY']], 
'SequenceNo' : [ 0xd4, ['long']], 'u1' : [ 0xd8, ['__unnamed_19c4']], 'TargetQueuePort' : [ 0xdc, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xe0, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0xe4, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xe8, ['unsigned long']], 'PendingQueueLength' : [ 0xec, ['unsigned long']], 'LargeMessageQueueLength' : [ 0xf0, ['unsigned long']], 'CanceledQueueLength' : [ 0xf4, ['unsigned long']], 'WaitQueueLength' : [ 0xf8, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x88, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'Key' : [ 0x7c, ['unsigned long']], 'CallbackList' : [ 0x80, ['_LIST_ENTRY']], } ], '__unnamed_19dc' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 
12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_19de' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19dc']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x88, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x8, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0xc, ['unsigned long']], 'QuotaProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x10, ['pointer', ['void']]], 'SequenceNo' : [ 0x14, ['long']], 'u1' : [ 0x18, ['__unnamed_19de']], 'CancelSequencePort' : [ 0x1c, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x24, ['long']], 'CancelListEntry' : [ 0x28, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x30, ['pointer', ['_ETHREAD']]], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x38, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x3c, ['pointer', ['_ALPC_PORT']]], 'MessageAttributes' : [ 0x40, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x5c, ['pointer', ['void']]], 'DataSystemVa' : [ 0x60, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x64, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x68, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x6c, ['pointer', ['_ETHREAD']]], 'PortMessage' : [ 0x70, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, 
['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1a1b' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a1d' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a1b']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1a1d']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 'IoStatusInformation' : [ 0x18, ['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 
'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'Flags' : [ 0x14, ['unsigned long']], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x24, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 7, ['pointer', ['void']]]], 'FoIoPriorityHint' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 
'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x4c, ['pointer', ['void']]], 'Override' : [ 0x50, ['unsigned char']], 'QueryOnly' : [ 0x51, ['unsigned char']], 'DeleteOnly' : [ 0x52, ['unsigned char']], 'FullAttributes' : [ 0x53, ['unsigned char']], 'LocalFileObject' : [ 0x54, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x58, ['unsigned long']], 'DriverCreateContext' : [ 0x5c, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' 
: [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x238, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'CollectionOn' : [ 0xc, ['long']], 'LoggerMode' : [ 0x10, ['unsigned long']], 'AcceptNewEvents' : [ 0x14, ['long']], 'GetCpuClock' : [ 0x18, ['pointer', ['void']]], 'StartTime' : [ 0x20, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x28, ['pointer', ['void']]], 'LoggerThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x30, ['long']], 'NBQHead' : [ 0x34, ['pointer', ['void']]], 'OverflowNBQHead' : [ 0x38, ['pointer', ['void']]], 'QueueBlockFreeList' : [ 0x40, ['_SLIST_HEADER']], 'GlobalList' : [ 0x48, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x50, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x50, ['_EX_FAST_REF']], 'LoggerName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x64, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x6c, ['_UNICODE_STRING']], 'ClockType' : [ 0x74, ['unsigned long']], 'MaximumFileSize' : [ 0x78, ['unsigned long']], 'LastFlushedBuffer' : [ 0x7c, ['unsigned long']], 'FlushTimer' : [ 0x80, ['unsigned long']], 'FlushThreshold' : [ 0x84, ['unsigned long']], 'ByteOffset' : [ 0x88, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x90, ['unsigned long']], 'BuffersAvailable' : [ 0x94, ['long']], 'NumberOfBuffers' : [ 0x98, ['long']], 'MaximumBuffers' : [ 0x9c, ['unsigned long']], 'EventsLost' : [ 0xa0, ['unsigned long']], 'BuffersWritten' : [ 0xa4, ['unsigned long']], 'LogBuffersLost' : [ 0xa8, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xac, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xb0, ['unsigned long']], 'SequencePtr' : [ 0xb4, ['pointer', ['long']]], 'LocalSequence' : [ 0xb8, ['unsigned long']], 
'InstanceGuid' : [ 0xbc, ['_GUID']], 'FileCounter' : [ 0xcc, ['long']], 'BufferCallback' : [ 0xd0, ['pointer', ['void']]], 'PoolType' : [ 0xd4, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xd8, ['_ETW_REF_CLOCK']], 'Consumers' : [ 0xe8, ['_LIST_ENTRY']], 'NumConsumers' : [ 0xf0, ['unsigned long']], 'TransitionConsumer' : [ 0xf4, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0xf8, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0xfc, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x108, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x110, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x120, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x128, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x130, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x138, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x14c, ['_KEVENT']], 'FlushEvent' : [ 0x15c, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x170, ['_KTIMER']], 'FlushDpc' : [ 0x198, ['_KDPC']], 'LoggerMutex' : [ 0x1b8, ['_KMUTANT']], 'LoggerLock' : [ 0x1d8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1dc, ['unsigned long']], 'BufferListPushLock' : [ 0x1dc, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1e0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x21c, ['_EX_FAST_REF']], 
'BufferSequenceNumber' : [ 0x220, ['long long']], 'Flags' : [ 0x228, ['unsigned long']], 'Persistent' : [ 0x228, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x228, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x228, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x228, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x228, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x228, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x228, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x228, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x228, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x228, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'RequestFlag' : [ 0x22c, ['unsigned long']], 'RequestNewFie' : [ 0x22c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x22c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x22c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x22c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x22c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RequestConnectConsumer' : [ 0x22c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HookIdMap' : [ 0x230, ['_RTL_BITMAP']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_BUFFER_HANDLE' : [ 0x8, { 
'TraceBuffer' : [ 0x0, ['pointer', ['_WMI_BUFFER_HEADER']]], 'BufferFastRef' : [ 0x4, ['pointer', ['_EX_FAST_REF']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_NBQUEUE_BLOCK' : [ 0x18, { 'SListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Next' : [ 0x8, ['unsigned long long']], 'Data' : [ 0x10, ['unsigned long long']], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned 
long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x178, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['array', 8, ['pointer', ['_EVENT_FILTER_HEADER']]]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x1e0, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : 
[ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x98, ['pointer', ['void']]], 'DynamicPart' : [ 0x9c, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa0, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa4, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xac, ['unsigned long']], 'TokenInUse' : [ 0xb0, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb4, ['unsigned long']], 'MandatoryPolicy' : [ 0xb8, ['unsigned long']], 'LogonSession' : [ 0xbc, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc0, ['_LUID']], 'SidHash' : [ 0xc8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x150, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1d8, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'VariablePart' : [ 0x1dc, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x34, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : [ 0xd, ['unsigned char']], 'InfoMask' : [ 0xe, ['unsigned char']], 
'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x14, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], 'HashIndex' : [ 0xc, ['unsigned short']], 'DirectoryLocked' : [ 0xe, ['unsigned char']], 'LockedExclusive' : [ 0xf, ['unsigned char']], 'LockStateSignature' : [ 0x10, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, 
{ 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS3' : [ 0x4, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, 
['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_KQUEUE' : [ 
0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Coalescable' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KeepShifting' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CpuThrottled' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, 
['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved2' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x54, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 
'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'CompactHeapCalls' : [ 0x38, ['unsigned long']], 'CompactedUCRs' : [ 0x3c, ['unsigned long']], 'AllocAndFreeOps' : [ 0x40, ['unsigned long']], 'InBlockDeccommits' : [ 0x44, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x48, ['unsigned long']], 'HighWatermarkSize' : [ 0x4c, ['unsigned long']], 'LastPolledSize' : [ 0x50, ['unsigned long']], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, ['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], } ], '_I386_LOADER_BLOCK' : [ 0xc, { 'CommonDataArea' : [ 0x0, ['pointer', ['void']]], 'MachineType' : [ 0x4, ['unsigned long']], 'VirtualBias' : [ 0x8, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x8, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_HANDLE_TABLE' : [ 0x3c, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x18, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x1c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'StrictFIFO' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x28, ['unsigned long']], 'LastFreeHandleEntry' : [ 0x2c, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x30, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x34, ['unsigned long']], 'HandleCountHighWatermark' : [ 0x38, ['unsigned long']], } ], 
'_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, 
['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'BlockState' : [ 0x17, ['unsigned char']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 
'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['_KAFFINITY_EX']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x54, ['unsigned long']], } ], '__unnamed_1c1d' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1c1f' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1c1d']], 'Private' : [ 0x0, ['__unnamed_1c1f']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], 'ReferenceCount' : [ 0x8, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 
'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_1c41' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1c47' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x48, { 'u1' : [ 0x0, ['__unnamed_1581']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1584']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1587']], 'u2' : [ 0x20, ['__unnamed_1594']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x30, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x38, ['pointer', ['_EPROCESS']]], 'u3' : [ 0x3c, ['__unnamed_1c41']], 'u4' : [ 0x44, ['__unnamed_1c47']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned 
short']], } ], '_EJOB' : [ 0x138, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0x98, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'LimitFlags' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['_KAFFINITY_EX']], 'PriorityClass' : [ 0xb4, ['unsigned char']], 'AccessState' : [ 0xb8, ['pointer', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0xbc, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x108, ['unsigned long']], 'JobMemoryLimit' : [ 0x10c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x110, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x114, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x118, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x120, 
['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x124, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x12c, ['unsigned long']], 'JobFlags' : [ 0x130, ['unsigned long']], } ], '__unnamed_1c58' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0x60, { 'Count' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['__unnamed_1c58']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'OldState' : [ 0x10, ['unsigned long']], 'TargetProcessors' : [ 0x14, ['_KAFFINITY_EX']], 'State' : [ 0x20, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '__unnamed_1c61' : [ 0x10, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x14, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, ['__unnamed_1c61']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x50, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', ['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', 
['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned long']], 'ShutDownRequested' : [ 0x34, ['unsigned char']], 'NewBuffersLost' : [ 0x35, ['unsigned char']], 'Disconnected' : [ 0x36, ['unsigned char']], 'ReservedBufferSpaceBitMap' : [ 0x38, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x40, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x44, ['unsigned long']], 'UserPagesAllocated' : [ 0x48, ['unsigned long']], 'UserPagesReused' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1c6a' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1c70' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1c72' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1c6a']], 'Bits' : [ 0x0, 
['__unnamed_1c70']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1c72']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_KGUARDED_MUTEX']], 'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['pointer', ['pointer', ['void']]]], 'PendingFreeDepth' : [ 0x104, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, 
['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x278, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, 
['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'Pad' : [ 0x39, ['array', 3, ['unsigned char']]], 'Mode' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x44, ['unsigned long']], 'DispatchCount' : [ 0x48, ['unsigned long']], 'Rsvd1' : [ 0x50, ['unsigned long long']], 'DispatchCode' : [ 0x58, ['array', 135, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned 
long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x58, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 
'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 
0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x54, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'UserVa' : [ 0x10, ['pointer', ['void']]], 'UserLimit' : [ 0x14, ['pointer', ['void']]], 'DataUserVa' : [ 0x18, ['pointer', ['void']]], 'SystemVa' : [ 0x1c, ['pointer', ['void']]], 'TotalSize' : [ 0x20, ['unsigned long']], 'Header' : [ 0x24, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x28, ['pointer', ['void']]], 'ListSize' : [ 0x2c, ['unsigned long']], 'Bitmap' : [ 0x30, ['pointer', ['void']]], 'BitmapSize' : [ 0x34, ['unsigned long']], 'Data' : [ 0x38, ['pointer', ['void']]], 'DataSize' : [ 0x3c, ['unsigned long']], 'BitmapLimit' : [ 0x40, ['unsigned long']], 'BitmapNextHint' : [ 0x44, ['unsigned long']], 'ConcurrencyCount' : [ 0x48, ['unsigned long']], 'AttributeFlags' : [ 0x4c, ['unsigned long']], 'AttributeSize' : [ 0x50, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 
'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_IO_WORKITEM' : [ 0x20, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', 
['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'Type' : [ 0x1c, ['unsigned long']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], 
'_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x64, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 
'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0xc, { 'AnsiCodePageData' : [ 0x0, ['pointer', ['void']]], 'OemCodePageData' : [ 0x4, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x8, ['pointer', ['void']]], } ], '_ALIGNED_AFFINITY_SUMMARY' : [ 0x40, { 'CpuSet' : [ 0x0, ['_KAFFINITY_EX']], 'SMTSet' : [ 0xc, ['_KAFFINITY_EX']], } ], '_XSTATE_CONFIGURATION' : [ 0x210, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'OptimizedSave' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x10, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 
0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 
'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, 
['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0xc8, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleAccounting' : [ 0x20, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'Hypervisor' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'PerfHistoryTotal' : [ 0x28, ['unsigned long']], 'ThermalConstraint' : [ 0x2c, ['unsigned char']], 'PerfHistoryCount' : [ 0x2d, ['unsigned char']], 'PerfHistorySlot' : [ 0x2e, ['unsigned char']], 'Reserved' : [ 0x2f, ['unsigned char']], 'LastSysTime' : [ 0x30, ['unsigned long']], 'WmiDispatchPtr' : [ 0x34, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0x38, ['long']], 'FFHThrottleStateInfo' : [ 0x40, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x60, ['_KDPC']], 'PerfActionMask' : [ 0x80, ['long']], 'IdleCheck' : [ 0x88, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x98, ['_PROC_IDLE_SNAP']], 'Domain' : [ 0xa8, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0xac, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Load' : [ 
0xb0, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0xb4, ['pointer', ['_PROC_HISTORY_ENTRY']]], 'Utility' : [ 0xb8, ['unsigned long']], 'OverUtilizedHistory' : [ 0xbc, ['unsigned long']], 'AffinityCount' : [ 0xc0, ['unsigned long']], 'AffinityHistory' : [ 0xc4, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 
'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, 
['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' 
: [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, 
['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], 
'_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x2c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'BucketLimits' : [ 0x18, ['array', 16, ['unsigned long long']]], 'State' : [ 0x98, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x84, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 
0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x78, ['unsigned long']], 'PreviousActivityCounter' : [ 0x7c, ['unsigned long']], 'WorkerTrimRequests' : [ 0x80, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 
0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x4, ['_KGATE']], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1dc7' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1dc7']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x5ec, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 
0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], 'PdoDescriptionString' : [ 0xa8, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x348, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x5e8, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '__unnamed_1e20' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1e22' : [ 0x8, { 'Last' : [ 0x0, 
['unsigned long']], 'u' : [ 0x4, ['__unnamed_1e20']], } ], '__unnamed_1e24' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1e20']], } ], '__unnamed_1e26' : [ 0x8, { 'OldCell' : [ 0x0, ['__unnamed_1e22']], 'NewCell' : [ 0x0, ['__unnamed_1e24']], } ], '_HCELL' : [ 0xc, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e26']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x24, { 'Prcb' : [ 0x0, ['pointer', ['_KPRCB']]], 'PerfContext' : [ 0x4, ['unsigned long']], 'PercentageCap' : [ 0x8, ['unsigned long']], 'ThermalCap' : [ 0xc, ['unsigned long']], 'TargetFrequency' : [ 0x10, ['unsigned long']], 'AcumulatedFullFrequency' : [ 0x14, ['unsigned long']], 'AcumulatedZeroFrequency' : [ 0x18, ['unsigned long']], 'FrequencyHistoryTotal' : [ 0x1c, ['unsigned long']], 'AverageFrequency' : [ 0x20, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 
0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], 'Pad0' : [ 0x14, ['unsigned long']], } ], '__unnamed_1e39' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e3d' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1e3f' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1e41' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1e43' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1e45' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1e47' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e49' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e4b' : [ 
0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e4d' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1e39']], 'Memory' : [ 0x0, ['__unnamed_1e39']], 'Interrupt' : [ 0x0, ['__unnamed_1e3d']], 'Dma' : [ 0x0, ['__unnamed_1e3f']], 'Generic' : [ 0x0, ['__unnamed_1e39']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e41']], 'BusNumber' : [ 0x0, ['__unnamed_1e43']], 'ConfigData' : [ 0x0, ['__unnamed_1e45']], 'Memory40' : [ 0x0, ['__unnamed_1e47']], 'Memory48' : [ 0x0, ['__unnamed_1e49']], 'Memory64' : [ 0x0, ['__unnamed_1e4b']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1e4d']], } ], '_POP_THERMAL_ZONE' : [ 0x150, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x80, ['pointer', ['_IRP']]], 'Info' : [ 0x84, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0xe0, ['_LARGE_INTEGER']], 'Metrics' : [ 0xe8, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x68, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x38, ['unsigned long']], 'PassiveCount' : [ 0x3c, ['unsigned long']], 'LastActiveStartTick' : [ 0x40, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x48, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x50, ['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x58, ['_LARGE_INTEGER']], 'StartTickSinceLastReset' : [ 0x60, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 
0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 'SecurityQos' : [ 0x1c, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, 
['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '__unnamed_1e8a' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1e8c' : [ 
0xc, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1e8a']], } ], '_VF_TARGET_DRIVER' : [ 0x18, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x8, ['__unnamed_1e8c']], 'VerifiedData' : [ 0x14, ['pointer', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_1e94' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1e96' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1e98' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1e9a' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1e9c' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1e9e' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ea0' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1ea2' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1ea4' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ea6' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_1ea8' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1e94']], 'TargetDevice' : [ 0x0, ['__unnamed_1e96']], 
'InstallDevice' : [ 0x0, ['__unnamed_1e98']], 'CustomNotification' : [ 0x0, ['__unnamed_1e9a']], 'ProfileNotification' : [ 0x0, ['__unnamed_1e9c']], 'PowerNotification' : [ 0x0, ['__unnamed_1e9e']], 'VetoNotification' : [ 0x0, ['__unnamed_1ea0']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1ea2']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1ea4']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1ea6']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_1e98']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x44, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_1ea8']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, 
native_type='unsigned long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 192, ['unsigned char']]], 'StackControl' : [ 0x1e0, ['array', 7, ['unsigned long']]], 'Cr0NpxState' : [ 0x1fc, ['unsigned long']], } ], '_MBCB' : [ 0x88, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x68, ['_BITMAP_RANGE']], } ], '_PS_CPU_QUOTA_BLOCK' : [ 0x880, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 
'SessionId' : [ 0x8, ['unsigned long']], 'CpuShareWeight' : [ 0xc, ['unsigned long']], 'CapturedWeightData' : [ 0x10, ['_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA']], 'DuplicateInputMarker' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x18, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x18, ['long']], 'BlockCurrentGenerationLock' : [ 0x0, ['unsigned long']], 'CyclesAccumulated' : [ 0x8, ['unsigned long long']], 'CycleCredit' : [ 0x40, ['unsigned long long']], 'BlockCurrentGeneration' : [ 0x48, ['unsigned long']], 'CpuCyclePercent' : [ 0x4c, ['unsigned long']], 'CyclesFinishedForCurrentGeneration' : [ 0x50, ['unsigned char']], 'Cpu' : [ 0x80, ['array', 32, ['_PS_PER_CPU_QUOTA_CACHE_AWARE']]], } ], '__unnamed_1ec3' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1ec3']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 
0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x50, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], } ], '__unnamed_1ef4' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_1ef4']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 
'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_PS_PER_CPU_QUOTA_CACHE_AWARE' : [ 0x40, { 'SortedListEntry' : [ 0x0, ['_LIST_ENTRY']], 'IdleOnlyListHead' : [ 0x8, ['_LIST_ENTRY']], 'CycleBaseAllowance' : [ 0x10, ['unsigned long long']], 'CyclesRemaining' : [ 0x18, ['long long']], 'CurrentGeneration' : [ 0x20, ['unsigned long']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x14, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], 'ActualLimit' : [ 0x10, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, 
['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned 
short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 
'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], 
'_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_POP_SYSTEM_IDLE' : [ 0x38, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned char']], 'IdleWorker' : [ 0x25, ['unsigned char']], 'Sampling' : [ 0x26, ['unsigned char']], 'LastTick' : [ 0x28, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x30, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0xc, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x18, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' : [ 0xc, ['unsigned long']], 'ObjectInfo' : [ 0x10, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x14, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x10, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x4, ['pointer', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x8, ['long']], 'MissedMappingsCount' : [ 0xc, ['unsigned long']], } ], '__unnamed_1f55' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f57' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f59' : [ 0xc, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f5b' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_1f59']], 'Translated' : [ 0x0, ['__unnamed_1f57']], } ], '__unnamed_1f5d' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f5f' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f61' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned 
long']], } ], '__unnamed_1f63' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f65' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f67' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f69' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1f55']], 'Port' : [ 0x0, ['__unnamed_1f55']], 'Interrupt' : [ 0x0, ['__unnamed_1f57']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1f5b']], 'Memory' : [ 0x0, ['__unnamed_1f55']], 'Dma' : [ 0x0, ['__unnamed_1f5d']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e41']], 'BusNumber' : [ 0x0, ['__unnamed_1f5f']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1f61']], 'Memory40' : [ 0x0, ['__unnamed_1f63']], 'Memory48' : [ 0x0, ['__unnamed_1f65']], 'Memory64' : [ 0x0, ['__unnamed_1f67']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1f69']], } ], '__unnamed_1f6e' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1f6e']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1f78' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' 
: [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1f78']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x34, { 'Parent' : [ 0x0, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x4, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x8, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0xc, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x30, ['pointer', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1f82' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x18, { 'u' : [ 0x0, ['__unnamed_1ef4']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['__unnamed_1f82']], 'LeftChild' : [ 0x10, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x14, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', ['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f8a' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f8c' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1f8a']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x40, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, ['_LIST_ENTRY']], 'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 
'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x30, ['_LIST_ENTRY']], 'Specific' : [ 0x38, ['__unnamed_1f8c']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' 
: [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 
'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, 
['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x34, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x1c, { 
'InterceptorFunction' : [ 0x0, ['pointer', ['void']]], 'InterceptorValue' : [ 0x4, ['unsigned short']], 'ExtendedOptions' : [ 0x8, ['unsigned long']], 'StackTraceDepth' : [ 0xc, ['unsigned long']], 'MinTotalBlockSize' : [ 0x10, ['unsigned long']], 'MaxTotalBlockSize' : [ 0x14, ['unsigned long']], 'HeapLeakEnumerationRoutine' : [ 0x18, ['pointer', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x8, ['pointer', 
['_DEVICE_NODE']]], 'Context' : [ 0xc, ['pointer', ['void']]], 'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x14, ['unsigned long']], 'Status' : [ 0x18, ['long']], 'Information' : [ 0x1c, ['pointer', ['void']]], 'WorkItem' : [ 0x20, ['_WORK_QUEUE_ITEM']], 'FailingDriver' : [ 0x30, ['pointer', ['_DRIVER_OBJECT']]], 'ReferenceCount' : [ 0x34, ['long']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, 
['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/windows/win2003_sp12_x64_syscalls.py0000644000000000000000000010440513131215405031317 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see <http://www.gnu.org/licenses/>. # """ @author: MHL @license: GNU General Public License 2.0 @contact: michael.ligh@mnin.org This file provides support for Windows 2003 SP1 and SP2 x64. 
""" syscalls = [ [ 'NtMapUserPhysicalPagesScatter', # 0x0 'NtWaitForSingleObject', # 0x1 'NtCallbackReturn', # 0x2 'NtReadFile', # 0x3 'NtDeviceIoControlFile', # 0x4 'NtWriteFile', # 0x5 'NtRemoveIoCompletion', # 0x6 'NtReleaseSemaphore', # 0x7 'NtReplyWaitReceivePort', # 0x8 'NtReplyPort', # 0x9 'NtSetInformationThread', # 0xa 'NtSetEvent', # 0xb 'NtClose', # 0xc 'NtQueryObject', # 0xd 'NtQueryInformationFile', # 0xe 'NtOpenKey', # 0xf 'NtEnumerateValueKey', # 0x10 'NtFindAtom', # 0x11 'NtQueryDefaultLocale', # 0x12 'NtQueryKey', # 0x13 'NtQueryValueKey', # 0x14 'NtAllocateVirtualMemory', # 0x15 'NtQueryInformationProcess', # 0x16 'NtWaitForMultipleObjects32', # 0x17 'NtWriteFileGather', # 0x18 'NtSetInformationProcess', # 0x19 'NtCreateKey', # 0x1a 'NtFreeVirtualMemory', # 0x1b 'NtImpersonateClientOfPort', # 0x1c 'NtReleaseMutant', # 0x1d 'NtQueryInformationToken', # 0x1e 'NtRequestWaitReplyPort', # 0x1f 'NtQueryVirtualMemory', # 0x20 'NtOpenThreadToken', # 0x21 'NtQueryInformationThread', # 0x22 'NtOpenProcess', # 0x23 'NtSetInformationFile', # 0x24 'NtMapViewOfSection', # 0x25 'NtAccessCheckAndAuditAlarm', # 0x26 'NtUnmapViewOfSection', # 0x27 'NtReplyWaitReceivePortEx', # 0x28 'NtTerminateProcess', # 0x29 'NtSetEventBoostPriority', # 0x2a 'NtReadFileScatter', # 0x2b 'NtOpenThreadTokenEx', # 0x2c 'NtOpenProcessTokenEx', # 0x2d 'NtQueryPerformanceCounter', # 0x2e 'NtEnumerateKey', # 0x2f 'NtOpenFile', # 0x30 'NtDelayExecution', # 0x31 'NtQueryDirectoryFile', # 0x32 'NtQuerySystemInformation', # 0x33 'NtOpenSection', # 0x34 'NtQueryTimer', # 0x35 'NtFsControlFile', # 0x36 'NtWriteVirtualMemory', # 0x37 'NtCloseObjectAuditAlarm', # 0x38 'NtDuplicateObject', # 0x39 'NtQueryAttributesFile', # 0x3a 'NtClearEvent', # 0x3b 'NtReadVirtualMemory', # 0x3c 'NtOpenEvent', # 0x3d 'NtAdjustPrivilegesToken', # 0x3e 'NtDuplicateToken', # 0x3f 'NtContinue', # 0x40 'NtQueryDefaultUILanguage', # 0x41 'NtQueueApcThread', # 0x42 'NtYieldExecution', # 0x43 'NtAddAtom', # 0x44 
'NtCreateEvent', # 0x45 'NtQueryVolumeInformationFile', # 0x46 'NtCreateSection', # 0x47 'NtFlushBuffersFile', # 0x48 'NtApphelpCacheControl', # 0x49 'NtCreateProcessEx', # 0x4a 'NtCreateThread', # 0x4b 'NtIsProcessInJob', # 0x4c 'NtProtectVirtualMemory', # 0x4d 'NtQuerySection', # 0x4e 'NtResumeThread', # 0x4f 'NtTerminateThread', # 0x50 'NtReadRequestData', # 0x51 'NtCreateFile', # 0x52 'NtQueryEvent', # 0x53 'NtWriteRequestData', # 0x54 'NtOpenDirectoryObject', # 0x55 'NtAccessCheckByTypeAndAuditAlarm', # 0x56 'NtQuerySystemTime', # 0x57 'NtWaitForMultipleObjects', # 0x58 'NtSetInformationObject', # 0x59 'NtCancelIoFile', # 0x5a 'NtTraceEvent', # 0x5b 'NtPowerInformation', # 0x5c 'NtSetValueKey', # 0x5d 'NtCancelTimer', # 0x5e 'NtSetTimer', # 0x5f 'NtAcceptConnectPort', # 0x60 'NtAccessCheck', # 0x61 'NtAccessCheckByType', # 0x62 'NtAccessCheckByTypeResultList', # 0x63 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x64 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x65 'NtAddBootEntry', # 0x66 'NtAddDriverEntry', # 0x67 'NtAdjustGroupsToken', # 0x68 'NtAlertResumeThread', # 0x69 'NtAlertThread', # 0x6a 'NtAllocateLocallyUniqueId', # 0x6b 'NtAllocateUserPhysicalPages', # 0x6c 'NtAllocateUuids', # 0x6d 'NtAreMappedFilesTheSame', # 0x6e 'NtAssignProcessToJobObject', # 0x6f 'NtCancelDeviceWakeupRequest', # 0x70 'NtCompactKeys', # 0x71 'NtCompareTokens', # 0x72 'NtCompleteConnectPort', # 0x73 'NtCompressKey', # 0x74 'NtConnectPort', # 0x75 'NtCreateDebugObject', # 0x76 'NtCreateDirectoryObject', # 0x77 'NtCreateEventPair', # 0x78 'NtCreateIoCompletion', # 0x79 'NtCreateJobObject', # 0x7a 'NtCreateJobSet', # 0x7b 'NtCreateKeyedEvent', # 0x7c 'NtCreateMailslotFile', # 0x7d 'NtCreateMutant', # 0x7e 'NtCreateNamedPipeFile', # 0x7f 'NtCreatePagingFile', # 0x80 'NtCreatePort', # 0x81 'NtCreateProcess', # 0x82 'NtCreateProfile', # 0x83 'NtCreateSemaphore', # 0x84 'NtCreateSymbolicLinkObject', # 0x85 'NtCreateTimer', # 0x86 'NtCreateToken', # 0x87 
'NtCreateWaitablePort', # 0x88 'NtDebugActiveProcess', # 0x89 'NtDebugContinue', # 0x8a 'NtDeleteAtom', # 0x8b 'NtDeleteBootEntry', # 0x8c 'NtDeleteDriverEntry', # 0x8d 'NtDeleteFile', # 0x8e 'NtDeleteKey', # 0x8f 'NtDeleteObjectAuditAlarm', # 0x90 'NtDeleteValueKey', # 0x91 'NtDisplayString', # 0x92 'NtEnumerateBootEntries', # 0x93 'NtEnumerateDriverEntries', # 0x94 'NtEnumerateSystemEnvironmentValuesEx', # 0x95 'NtExtendSection', # 0x96 'NtFilterToken', # 0x97 'NtFlushInstructionCache', # 0x98 'NtFlushKey', # 0x99 'NtFlushVirtualMemory', # 0x9a 'NtFlushWriteBuffer', # 0x9b 'NtFreeUserPhysicalPages', # 0x9c 'NtGetContextThread', # 0x9d 'NtGetCurrentProcessorNumber', # 0x9e 'NtGetDevicePowerState', # 0x9f 'NtGetPlugPlayEvent', # 0xa0 'NtGetWriteWatch', # 0xa1 'NtImpersonateAnonymousToken', # 0xa2 'NtImpersonateThread', # 0xa3 'NtInitializeRegistry', # 0xa4 'NtInitiatePowerAction', # 0xa5 'NtIsSystemResumeAutomatic', # 0xa6 'NtListenPort', # 0xa7 'NtLoadDriver', # 0xa8 'NtLoadKey', # 0xa9 'NtLoadKey2', # 0xaa 'NtLoadKeyEx', # 0xab 'NtLockFile', # 0xac 'NtLockProductActivationKeys', # 0xad 'NtLockRegistryKey', # 0xae 'NtLockVirtualMemory', # 0xaf 'NtMakePermanentObject', # 0xb0 'NtMakeTemporaryObject', # 0xb1 'NtMapUserPhysicalPages', # 0xb2 'NtModifyBootEntry', # 0xb3 'NtModifyDriverEntry', # 0xb4 'NtNotifyChangeDirectoryFile', # 0xb5 'NtNotifyChangeKey', # 0xb6 'NtNotifyChangeMultipleKeys', # 0xb7 'NtOpenEventPair', # 0xb8 'NtOpenIoCompletion', # 0xb9 'NtOpenJobObject', # 0xba 'NtOpenKeyedEvent', # 0xbb 'NtOpenMutant', # 0xbc 'NtOpenObjectAuditAlarm', # 0xbd 'NtOpenProcessToken', # 0xbe 'NtOpenSemaphore', # 0xbf 'NtOpenSymbolicLinkObject', # 0xc0 'NtOpenThread', # 0xc1 'NtOpenTimer', # 0xc2 'NtPlugPlayControl', # 0xc3 'NtPrivilegeCheck', # 0xc4 'NtPrivilegeObjectAuditAlarm', # 0xc5 'NtPrivilegedServiceAuditAlarm', # 0xc6 'NtPulseEvent', # 0xc7 'NtQueryBootEntryOrder', # 0xc8 'NtQueryBootOptions', # 0xc9 'NtQueryDebugFilterState', # 0xca 'NtQueryDirectoryObject', # 
0xcb 'NtQueryDriverEntryOrder', # 0xcc 'NtQueryEaFile', # 0xcd 'NtQueryFullAttributesFile', # 0xce 'NtQueryInformationAtom', # 0xcf 'NtQueryInformationJobObject', # 0xd0 'NtQueryInformationPort', # 0xd1 'NtQueryInstallUILanguage', # 0xd2 'NtQueryIntervalProfile', # 0xd3 'NtQueryIoCompletion', # 0xd4 'NtQueryMultipleValueKey', # 0xd5 'NtQueryMutant', # 0xd6 'NtQueryOpenSubKeys', # 0xd7 'NtQueryOpenSubKeysEx', # 0xd8 'NtQueryPortInformationProcess', # 0xd9 'NtQueryQuotaInformationFile', # 0xda 'NtQuerySecurityObject', # 0xdb 'NtQuerySemaphore', # 0xdc 'NtQuerySymbolicLinkObject', # 0xdd 'NtQuerySystemEnvironmentValue', # 0xde 'NtQuerySystemEnvironmentValueEx', # 0xdf 'NtQueryTimerResolution', # 0xe0 'NtRaiseException', # 0xe1 'NtRaiseHardError', # 0xe2 'NtRegisterThreadTerminatePort', # 0xe3 'NtReleaseKeyedEvent', # 0xe4 'NtRemoveProcessDebug', # 0xe5 'NtRenameKey', # 0xe6 'NtReplaceKey', # 0xe7 'NtReplyWaitReplyPort', # 0xe8 'NtRequestDeviceWakeup', # 0xe9 'NtRequestPort', # 0xea 'NtRequestWakeupLatency', # 0xeb 'NtResetEvent', # 0xec 'NtResetWriteWatch', # 0xed 'NtRestoreKey', # 0xee 'NtResumeProcess', # 0xef 'NtSaveKey', # 0xf0 'NtSaveKeyEx', # 0xf1 'NtSaveMergedKeys', # 0xf2 'NtSecureConnectPort', # 0xf3 'NtSetBootEntryOrder', # 0xf4 'NtSetBootOptions', # 0xf5 'NtSetContextThread', # 0xf6 'NtSetDebugFilterState', # 0xf7 'NtSetDefaultHardErrorPort', # 0xf8 'NtSetDefaultLocale', # 0xf9 'NtSetDefaultUILanguage', # 0xfa 'NtSetDriverEntryOrder', # 0xfb 'NtSetEaFile', # 0xfc 'NtSetHighEventPair', # 0xfd 'NtSetHighWaitLowEventPair', # 0xfe 'NtSetInformationDebugObject', # 0xff 'NtSetInformationJobObject', # 0x100 'NtSetInformationKey', # 0x101 'NtSetInformationToken', # 0x102 'NtSetIntervalProfile', # 0x103 'NtSetIoCompletion', # 0x104 'NtSetLdtEntries', # 0x105 'NtSetLowEventPair', # 0x106 'NtSetLowWaitHighEventPair', # 0x107 'NtSetQuotaInformationFile', # 0x108 'NtSetSecurityObject', # 0x109 'NtSetSystemEnvironmentValue', # 0x10a 'NtSetSystemEnvironmentValueEx', # 
0x10b 'NtSetSystemInformation', # 0x10c 'NtSetSystemPowerState', # 0x10d 'NtSetSystemTime', # 0x10e 'NtSetThreadExecutionState', # 0x10f 'NtSetTimerResolution', # 0x110 'NtSetUuidSeed', # 0x111 'NtSetVolumeInformationFile', # 0x112 'NtShutdownSystem', # 0x113 'NtSignalAndWaitForSingleObject', # 0x114 'NtStartProfile', # 0x115 'NtStopProfile', # 0x116 'NtSuspendProcess', # 0x117 'NtSuspendThread', # 0x118 'NtSystemDebugControl', # 0x119 'NtTerminateJobObject', # 0x11a 'NtTestAlert', # 0x11b 'NtTranslateFilePath', # 0x11c 'NtUnloadDriver', # 0x11d 'NtUnloadKey', # 0x11e 'NtUnloadKey2', # 0x11f 'NtUnloadKeyEx', # 0x120 'NtUnlockFile', # 0x121 'NtUnlockVirtualMemory', # 0x122 'NtVdmControl', # 0x123 'NtWaitForDebugEvent', # 0x124 'NtWaitForKeyedEvent', # 0x125 'NtWaitHighEventPair', # 0x126 'NtWaitLowEventPair', # 0x127 ], [ 'NtUserGetThreadState', # 0x0 'NtUserPeekMessage', # 0x1 'NtUserCallOneParam', # 0x2 'NtUserGetKeyState', # 0x3 'NtUserInvalidateRect', # 0x4 'NtUserCallNoParam', # 0x5 'NtUserGetMessage', # 0x6 'NtUserMessageCall', # 0x7 'NtGdiBitBlt', # 0x8 'NtGdiGetCharSet', # 0x9 'NtUserGetDC', # 0xa 'NtGdiSelectBitmap', # 0xb 'NtUserWaitMessage', # 0xc 'NtUserTranslateMessage', # 0xd 'NtUserPostMessage', # 0xe 'NtUserQueryWindow', # 0xf 'NtUserTranslateAccelerator', # 0x10 'NtGdiFlush', # 0x11 'NtUserRedrawWindow', # 0x12 'NtUserWindowFromPoint', # 0x13 'NtUserCallMsgFilter', # 0x14 'NtUserValidateTimerCallback', # 0x15 'NtUserBeginPaint', # 0x16 'NtUserSetTimer', # 0x17 'NtUserEndPaint', # 0x18 'NtUserSetCursor', # 0x19 'NtUserKillTimer', # 0x1a 'NtUserBuildHwndList', # 0x1b 'NtUserSelectPalette', # 0x1c 'NtUserCallNextHookEx', # 0x1d 'NtUserHideCaret', # 0x1e 'NtGdiIntersectClipRect', # 0x1f 'NtUserCallHwndLock', # 0x20 'NtUserGetProcessWindowStation', # 0x21 'NtGdiDeleteObjectApp', # 0x22 'NtUserSetWindowPos', # 0x23 'NtUserShowCaret', # 0x24 'NtUserEndDeferWindowPosEx', # 0x25 'NtUserCallHwndParamLock', # 0x26 'NtUserVkKeyScanEx', # 0x27 
'NtGdiSetDIBitsToDeviceInternal', # 0x28 'NtUserCallTwoParam', # 0x29 'NtGdiGetRandomRgn', # 0x2a 'NtUserCopyAcceleratorTable', # 0x2b 'NtUserNotifyWinEvent', # 0x2c 'NtGdiExtSelectClipRgn', # 0x2d 'NtUserIsClipboardFormatAvailable', # 0x2e 'NtUserSetScrollInfo', # 0x2f 'NtGdiStretchBlt', # 0x30 'NtUserCreateCaret', # 0x31 'NtGdiRectVisible', # 0x32 'NtGdiCombineRgn', # 0x33 'NtGdiGetDCObject', # 0x34 'NtUserDispatchMessage', # 0x35 'NtUserRegisterWindowMessage', # 0x36 'NtGdiExtTextOutW', # 0x37 'NtGdiSelectFont', # 0x38 'NtGdiRestoreDC', # 0x39 'NtGdiSaveDC', # 0x3a 'NtUserGetForegroundWindow', # 0x3b 'NtUserShowScrollBar', # 0x3c 'NtUserFindExistingCursorIcon', # 0x3d 'NtGdiGetDCDword', # 0x3e 'NtGdiGetRegionData', # 0x3f 'NtGdiLineTo', # 0x40 'NtUserSystemParametersInfo', # 0x41 'NtGdiGetAppClipBox', # 0x42 'NtUserGetAsyncKeyState', # 0x43 'NtUserGetCPD', # 0x44 'NtUserRemoveProp', # 0x45 'NtGdiDoPalette', # 0x46 'NtGdiPolyPolyDraw', # 0x47 'NtUserSetCapture', # 0x48 'NtUserEnumDisplayMonitors', # 0x49 'NtGdiCreateCompatibleBitmap', # 0x4a 'NtUserSetProp', # 0x4b 'NtGdiGetTextCharsetInfo', # 0x4c 'NtUserSBGetParms', # 0x4d 'NtUserGetIconInfo', # 0x4e 'NtUserExcludeUpdateRgn', # 0x4f 'NtUserSetFocus', # 0x50 'NtGdiExtGetObjectW', # 0x51 'NtUserDeferWindowPos', # 0x52 'NtUserGetUpdateRect', # 0x53 'NtGdiCreateCompatibleDC', # 0x54 'NtUserGetClipboardSequenceNumber', # 0x55 'NtGdiCreatePen', # 0x56 'NtUserShowWindow', # 0x57 'NtUserGetKeyboardLayoutList', # 0x58 'NtGdiPatBlt', # 0x59 'NtUserMapVirtualKeyEx', # 0x5a 'NtUserSetWindowLong', # 0x5b 'NtGdiHfontCreate', # 0x5c 'NtUserMoveWindow', # 0x5d 'NtUserPostThreadMessage', # 0x5e 'NtUserDrawIconEx', # 0x5f 'NtUserGetSystemMenu', # 0x60 'NtGdiDrawStream', # 0x61 'NtUserInternalGetWindowText', # 0x62 'NtUserGetWindowDC', # 0x63 'NtGdiD3dDrawPrimitives2', # 0x64 'NtGdiInvertRgn', # 0x65 'NtGdiGetRgnBox', # 0x66 'NtGdiGetAndSetDCDword', # 0x67 'NtGdiMaskBlt', # 0x68 'NtGdiGetWidthTable', # 0x69 'NtUserScrollDC', # 
0x6a 'NtUserGetObjectInformation', # 0x6b 'NtGdiCreateBitmap', # 0x6c 'NtGdiConsoleTextOut', # 0x6d 'NtUserFindWindowEx', # 0x6e 'NtGdiPolyPatBlt', # 0x6f 'NtUserUnhookWindowsHookEx', # 0x70 'NtGdiGetNearestColor', # 0x71 'NtGdiTransformPoints', # 0x72 'NtGdiGetDCPoint', # 0x73 'NtUserCheckImeHotKey', # 0x74 'NtGdiCreateDIBBrush', # 0x75 'NtGdiGetTextMetricsW', # 0x76 'NtUserCreateWindowEx', # 0x77 'NtUserSetParent', # 0x78 'NtUserGetKeyboardState', # 0x79 'NtUserToUnicodeEx', # 0x7a 'NtUserGetControlBrush', # 0x7b 'NtUserGetClassName', # 0x7c 'NtGdiAlphaBlend', # 0x7d 'NtGdiDdBlt', # 0x7e 'NtGdiOffsetRgn', # 0x7f 'NtUserDefSetText', # 0x80 'NtGdiGetTextFaceW', # 0x81 'NtGdiStretchDIBitsInternal', # 0x82 'NtUserSendInput', # 0x83 'NtUserGetThreadDesktop', # 0x84 'NtGdiCreateRectRgn', # 0x85 'NtGdiGetDIBitsInternal', # 0x86 'NtUserGetUpdateRgn', # 0x87 'NtGdiDeleteClientObj', # 0x88 'NtUserGetIconSize', # 0x89 'NtUserFillWindow', # 0x8a 'NtGdiExtCreateRegion', # 0x8b 'NtGdiComputeXformCoefficients', # 0x8c 'NtUserSetWindowsHookEx', # 0x8d 'NtUserNotifyProcessCreate', # 0x8e 'NtGdiUnrealizeObject', # 0x8f 'NtUserGetTitleBarInfo', # 0x90 'NtGdiRectangle', # 0x91 'NtUserSetThreadDesktop', # 0x92 'NtUserGetDCEx', # 0x93 'NtUserGetScrollBarInfo', # 0x94 'NtGdiGetTextExtent', # 0x95 'NtUserSetWindowFNID', # 0x96 'NtGdiSetLayout', # 0x97 'NtUserCalcMenuBar', # 0x98 'NtUserThunkedMenuItemInfo', # 0x99 'NtGdiExcludeClipRect', # 0x9a 'NtGdiCreateDIBSection', # 0x9b 'NtGdiGetDCforBitmap', # 0x9c 'NtUserDestroyCursor', # 0x9d 'NtUserDestroyWindow', # 0x9e 'NtUserCallHwndParam', # 0x9f 'NtGdiCreateDIBitmapInternal', # 0xa0 'NtUserOpenWindowStation', # 0xa1 'NtGdiDdDeleteSurfaceObject', # 0xa2 'NtGdiEnumFontClose', # 0xa3 'NtGdiEnumFontOpen', # 0xa4 'NtGdiEnumFontChunk', # 0xa5 'NtGdiDdCanCreateSurface', # 0xa6 'NtGdiDdCreateSurface', # 0xa7 'NtUserSetCursorIconData', # 0xa8 'NtGdiDdDestroySurface', # 0xa9 'NtUserCloseDesktop', # 0xaa 'NtUserOpenDesktop', # 0xab 
'NtUserSetProcessWindowStation', # 0xac 'NtUserGetAtomName', # 0xad 'NtGdiDdResetVisrgn', # 0xae 'NtGdiExtCreatePen', # 0xaf 'NtGdiCreatePaletteInternal', # 0xb0 'NtGdiSetBrushOrg', # 0xb1 'NtUserBuildNameList', # 0xb2 'NtGdiSetPixel', # 0xb3 'NtUserRegisterClassExWOW', # 0xb4 'NtGdiCreatePatternBrushInternal', # 0xb5 'NtUserGetAncestor', # 0xb6 'NtGdiGetOutlineTextMetricsInternalW', # 0xb7 'NtGdiSetBitmapBits', # 0xb8 'NtUserCloseWindowStation', # 0xb9 'NtUserGetDoubleClickTime', # 0xba 'NtUserEnableScrollBar', # 0xbb 'NtGdiCreateSolidBrush', # 0xbc 'NtUserGetClassInfoEx', # 0xbd 'NtGdiCreateClientObj', # 0xbe 'NtUserUnregisterClass', # 0xbf 'NtUserDeleteMenu', # 0xc0 'NtGdiRectInRegion', # 0xc1 'NtUserScrollWindowEx', # 0xc2 'NtGdiGetPixel', # 0xc3 'NtUserSetClassLong', # 0xc4 'NtUserGetMenuBarInfo', # 0xc5 'NtGdiDdCreateSurfaceEx', # 0xc6 'NtGdiDdCreateSurfaceObject', # 0xc7 'NtGdiGetNearestPaletteIndex', # 0xc8 'NtGdiDdLockD3D', # 0xc9 'NtGdiDdUnlockD3D', # 0xca 'NtGdiGetCharWidthW', # 0xcb 'NtUserInvalidateRgn', # 0xcc 'NtUserGetClipboardOwner', # 0xcd 'NtUserSetWindowRgn', # 0xce 'NtUserBitBltSysBmp', # 0xcf 'NtGdiGetCharWidthInfo', # 0xd0 'NtUserValidateRect', # 0xd1 'NtUserCloseClipboard', # 0xd2 'NtUserOpenClipboard', # 0xd3 'NtGdiGetStockObject', # 0xd4 'NtUserSetClipboardData', # 0xd5 'NtUserEnableMenuItem', # 0xd6 'NtUserAlterWindowStyle', # 0xd7 'NtGdiFillRgn', # 0xd8 'NtUserGetWindowPlacement', # 0xd9 'NtGdiModifyWorldTransform', # 0xda 'NtGdiGetFontData', # 0xdb 'NtUserGetOpenClipboardWindow', # 0xdc 'NtUserSetThreadState', # 0xdd 'NtGdiOpenDCW', # 0xde 'NtUserTrackMouseEvent', # 0xdf 'NtGdiGetTransform', # 0xe0 'NtUserDestroyMenu', # 0xe1 'NtGdiGetBitmapBits', # 0xe2 'NtUserConsoleControl', # 0xe3 'NtUserSetActiveWindow', # 0xe4 'NtUserSetInformationThread', # 0xe5 'NtUserSetWindowPlacement', # 0xe6 'NtUserGetControlColor', # 0xe7 'NtGdiSetMetaRgn', # 0xe8 'NtGdiSetMiterLimit', # 0xe9 'NtGdiSetVirtualResolution', # 0xea 'NtGdiGetRasterizerCaps', # 
0xeb 'NtUserSetWindowWord', # 0xec 'NtUserGetClipboardFormatName', # 0xed 'NtUserRealInternalGetMessage', # 0xee 'NtUserCreateLocalMemHandle', # 0xef 'NtUserAttachThreadInput', # 0xf0 'NtGdiCreateHalftonePalette', # 0xf1 'NtUserPaintMenuBar', # 0xf2 'NtUserSetKeyboardState', # 0xf3 'NtGdiCombineTransform', # 0xf4 'NtUserCreateAcceleratorTable', # 0xf5 'NtUserGetCursorFrameInfo', # 0xf6 'NtUserGetAltTabInfo', # 0xf7 'NtUserGetCaretBlinkTime', # 0xf8 'NtGdiQueryFontAssocInfo', # 0xf9 'NtUserProcessConnect', # 0xfa 'NtUserEnumDisplayDevices', # 0xfb 'NtUserEmptyClipboard', # 0xfc 'NtUserGetClipboardData', # 0xfd 'NtUserRemoveMenu', # 0xfe 'NtGdiSetBoundsRect', # 0xff 'NtUserSetInformationProcess', # 0x100 'NtGdiGetBitmapDimension', # 0x101 'NtUserConvertMemHandle', # 0x102 'NtUserDestroyAcceleratorTable', # 0x103 'NtUserGetGUIThreadInfo', # 0x104 'NtGdiCloseFigure', # 0x105 'NtUserSetWindowsHookAW', # 0x106 'NtUserSetMenuDefaultItem', # 0x107 'NtUserCheckMenuItem', # 0x108 'NtUserSetWinEventHook', # 0x109 'NtUserUnhookWinEvent', # 0x10a 'NtGdiSetupPublicCFONT', # 0x10b 'NtUserLockWindowUpdate', # 0x10c 'NtUserSetSystemMenu', # 0x10d 'NtUserThunkedMenuInfo', # 0x10e 'NtGdiBeginPath', # 0x10f 'NtGdiEndPath', # 0x110 'NtGdiFillPath', # 0x111 'NtUserCallHwnd', # 0x112 'NtUserDdeInitialize', # 0x113 'NtUserModifyUserStartupInfoFlags', # 0x114 'NtUserCountClipboardFormats', # 0x115 'NtGdiAddFontMemResourceEx', # 0x116 'NtGdiEqualRgn', # 0x117 'NtGdiGetSystemPaletteUse', # 0x118 'NtGdiRemoveFontMemResourceEx', # 0x119 'NtUserEnumDisplaySettings', # 0x11a 'NtUserPaintDesktop', # 0x11b 'NtGdiExtEscape', # 0x11c 'NtGdiSetBitmapDimension', # 0x11d 'NtGdiSetFontEnumeration', # 0x11e 'NtUserChangeClipboardChain', # 0x11f 'NtUserResolveDesktop', # 0x120 'NtUserSetClipboardViewer', # 0x121 'NtUserShowWindowAsync', # 0x122 'NtUserSetConsoleReserveKeys', # 0x123 'NtGdiCreateColorSpace', # 0x124 'NtGdiDeleteColorSpace', # 0x125 'NtUserActivateKeyboardLayout', # 0x126 'NtGdiAbortDoc', # 
0x127 'NtGdiAbortPath', # 0x128 'NtGdiAddEmbFontToDC', # 0x129 'NtGdiAddFontResourceW', # 0x12a 'NtGdiAddRemoteFontToDC', # 0x12b 'NtGdiAddRemoteMMInstanceToDC', # 0x12c 'NtGdiAngleArc', # 0x12d 'NtGdiAnyLinkedFonts', # 0x12e 'NtGdiArcInternal', # 0x12f 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x130 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x131 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x132 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x133 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x134 'NtGdiCLIPOBJ_bEnum', # 0x135 'NtGdiCLIPOBJ_cEnumStart', # 0x136 'NtGdiCLIPOBJ_ppoGetPath', # 0x137 'NtGdiCancelDC', # 0x138 'NtGdiChangeGhostFont', # 0x139 'NtGdiCheckBitmapBits', # 0x13a 'NtGdiClearBitmapAttributes', # 0x13b 'NtGdiClearBrushAttributes', # 0x13c 'NtGdiColorCorrectPalette', # 0x13d 'NtGdiConvertMetafileRect', # 0x13e 'NtGdiCreateColorTransform', # 0x13f 'NtGdiCreateEllipticRgn', # 0x140 'NtGdiCreateHatchBrushInternal', # 0x141 'NtGdiCreateMetafileDC', # 0x142 'NtGdiCreateRoundRectRgn', # 0x143 'NtGdiCreateServerMetaFile', # 0x144 'NtGdiD3dContextCreate', # 0x145 'NtGdiD3dContextDestroy', # 0x146 'NtGdiD3dContextDestroyAll', # 0x147 'NtGdiD3dValidateTextureStageState', # 0x148 'NtGdiDdAddAttachedSurface', # 0x149 'NtGdiDdAlphaBlt', # 0x14a 'NtGdiDdAttachSurface', # 0x14b 'NtGdiDdBeginMoCompFrame', # 0x14c 'NtGdiDdCanCreateD3DBuffer', # 0x14d 'NtGdiDdColorControl', # 0x14e 'NtGdiDdCreateD3DBuffer', # 0x14f 'NtGdiDdCreateDirectDrawObject', # 0x150 'NtGdiDdCreateMoComp', # 0x151 'NtGdiDdDeleteDirectDrawObject', # 0x152 'NtGdiDdDestroyD3DBuffer', # 0x153 'NtGdiDdDestroyMoComp', # 0x154 'NtGdiDdEndMoCompFrame', # 0x155 'NtGdiDdFlip', # 0x156 'NtGdiDdFlipToGDISurface', # 0x157 'NtGdiDdGetAvailDriverMemory', # 0x158 'NtGdiDdGetBltStatus', # 0x159 'NtGdiDdGetDC', # 0x15a 'NtGdiDdGetDriverInfo', # 0x15b 'NtGdiDdGetDriverState', # 0x15c 'NtGdiDdGetDxHandle', # 0x15d 'NtGdiDdGetFlipStatus', # 0x15e 'NtGdiDdGetInternalMoCompInfo', # 0x15f 'NtGdiDdGetMoCompBuffInfo', # 0x160 'NtGdiDdGetMoCompFormats', # 0x161 
'NtGdiDdGetMoCompGuids', # 0x162 'NtGdiDdGetScanLine', # 0x163 'NtGdiDdLock', # 0x164 'NtGdiDdQueryDirectDrawObject', # 0x165 'NtGdiDdQueryMoCompStatus', # 0x166 'NtGdiDdReenableDirectDrawObject', # 0x167 'NtGdiDdReleaseDC', # 0x168 'NtGdiDdRenderMoComp', # 0x169 'NtGdiDdSetColorKey', # 0x16a 'NtGdiDdSetExclusiveMode', # 0x16b 'NtGdiDdSetGammaRamp', # 0x16c 'NtGdiDdSetOverlayPosition', # 0x16d 'NtGdiDdUnattachSurface', # 0x16e 'NtGdiDdUnlock', # 0x16f 'NtGdiDdUpdateOverlay', # 0x170 'NtGdiDdWaitForVerticalBlank', # 0x171 'NtGdiDeleteColorTransform', # 0x172 'NtGdiDescribePixelFormat', # 0x173 'NtGdiDoBanding', # 0x174 'NtGdiDrawEscape', # 0x175 'NtGdiDvpAcquireNotification', # 0x176 'NtGdiDvpCanCreateVideoPort', # 0x177 'NtGdiDvpColorControl', # 0x178 'NtGdiDvpCreateVideoPort', # 0x179 'NtGdiDvpDestroyVideoPort', # 0x17a 'NtGdiDvpFlipVideoPort', # 0x17b 'NtGdiDvpGetVideoPortBandwidth', # 0x17c 'NtGdiDvpGetVideoPortConnectInfo', # 0x17d 'NtGdiDvpGetVideoPortField', # 0x17e 'NtGdiDvpGetVideoPortFlipStatus', # 0x17f 'NtGdiDvpGetVideoPortInputFormats', # 0x180 'NtGdiDvpGetVideoPortLine', # 0x181 'NtGdiDvpGetVideoPortOutputFormats', # 0x182 'NtGdiDvpGetVideoSignalStatus', # 0x183 'NtGdiDvpReleaseNotification', # 0x184 'NtGdiDvpUpdateVideoPort', # 0x185 'NtGdiDvpWaitForVideoPortSync', # 0x186 'NtGdiDxgGenericThunk', # 0x187 'NtGdiEllipse', # 0x188 'NtGdiEnableEudc', # 0x189 'NtGdiEndDoc', # 0x18a 'NtGdiEndPage', # 0x18b 'NtGdiEngAlphaBlend', # 0x18c 'NtGdiEngAssociateSurface', # 0x18d 'NtGdiEngBitBlt', # 0x18e 'NtGdiEngCheckAbort', # 0x18f 'NtGdiEngComputeGlyphSet', # 0x190 'NtGdiEngCopyBits', # 0x191 'NtGdiEngCreateBitmap', # 0x192 'NtGdiEngCreateClip', # 0x193 'NtGdiEngCreateDeviceBitmap', # 0x194 'NtGdiEngCreateDeviceSurface', # 0x195 'NtGdiEngCreatePalette', # 0x196 'NtGdiEngDeleteClip', # 0x197 'NtGdiEngDeletePalette', # 0x198 'NtGdiEngDeletePath', # 0x199 'NtGdiEngDeleteSurface', # 0x19a 'NtGdiEngEraseSurface', # 0x19b 'NtGdiEngFillPath', # 0x19c 
'NtGdiEngGradientFill', # 0x19d 'NtGdiEngLineTo', # 0x19e 'NtGdiEngLockSurface', # 0x19f 'NtGdiEngMarkBandingSurface', # 0x1a0 'NtGdiEngPaint', # 0x1a1 'NtGdiEngPlgBlt', # 0x1a2 'NtGdiEngStretchBlt', # 0x1a3 'NtGdiEngStretchBltROP', # 0x1a4 'NtGdiEngStrokeAndFillPath', # 0x1a5 'NtGdiEngStrokePath', # 0x1a6 'NtGdiEngTextOut', # 0x1a7 'NtGdiEngTransparentBlt', # 0x1a8 'NtGdiEngUnlockSurface', # 0x1a9 'NtGdiEnumObjects', # 0x1aa 'NtGdiEudcLoadUnloadLink', # 0x1ab 'NtGdiExtFloodFill', # 0x1ac 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x1ad 'NtGdiFONTOBJ_cGetGlyphs', # 0x1ae 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x1af 'NtGdiFONTOBJ_pfdg', # 0x1b0 'NtGdiFONTOBJ_pifi', # 0x1b1 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x1b2 'NtGdiFONTOBJ_pxoGetXform', # 0x1b3 'NtGdiFONTOBJ_vGetInfo', # 0x1b4 'NtGdiFlattenPath', # 0x1b5 'NtGdiFontIsLinked', # 0x1b6 'NtGdiForceUFIMapping', # 0x1b7 'NtGdiFrameRgn', # 0x1b8 'NtGdiFullscreenControl', # 0x1b9 'NtGdiGetBoundsRect', # 0x1ba 'NtGdiGetCharABCWidthsW', # 0x1bb 'NtGdiGetCharacterPlacementW', # 0x1bc 'NtGdiGetColorAdjustment', # 0x1bd 'NtGdiGetColorSpaceforBitmap', # 0x1be 'NtGdiGetDeviceCaps', # 0x1bf 'NtGdiGetDeviceCapsAll', # 0x1c0 'NtGdiGetDeviceGammaRamp', # 0x1c1 'NtGdiGetDeviceWidth', # 0x1c2 'NtGdiGetDhpdev', # 0x1c3 'NtGdiGetETM', # 0x1c4 'NtGdiGetEmbUFI', # 0x1c5 'NtGdiGetEmbedFonts', # 0x1c6 'NtGdiGetEudcTimeStampEx', # 0x1c7 'NtGdiGetFontResourceInfoInternalW', # 0x1c8 'NtGdiGetFontUnicodeRanges', # 0x1c9 'NtGdiGetGlyphIndicesW', # 0x1ca 'NtGdiGetGlyphIndicesWInternal', # 0x1cb 'NtGdiGetGlyphOutline', # 0x1cc 'NtGdiGetKerningPairs', # 0x1cd 'NtGdiGetLinkedUFIs', # 0x1ce 'NtGdiGetMiterLimit', # 0x1cf 'NtGdiGetMonitorID', # 0x1d0 'NtGdiGetObjectBitmapHandle', # 0x1d1 'NtGdiGetPath', # 0x1d2 'NtGdiGetPerBandInfo', # 0x1d3 'NtGdiGetRealizationInfo', # 0x1d4 'NtGdiGetServerMetaFileBits', # 0x1d5 'NtGdiGetSpoolMessage', # 0x1d6 'NtGdiGetStats', # 0x1d7 'NtGdiGetStringBitmapW', # 0x1d8 'NtGdiGetTextExtentExW', # 0x1d9 'NtGdiGetUFI', # 0x1da 
'NtGdiGetUFIPathname', # 0x1db 'NtGdiGradientFill', # 0x1dc 'NtGdiHT_Get8BPPFormatPalette', # 0x1dd 'NtGdiHT_Get8BPPMaskPalette', # 0x1de 'NtGdiIcmBrushInfo', # 0x1df 'NtGdiInit', # 0x1e0 'NtGdiInitSpool', # 0x1e1 'NtGdiMakeFontDir', # 0x1e2 'NtGdiMakeInfoDC', # 0x1e3 'NtGdiMakeObjectUnXferable', # 0x1e4 'NtGdiMakeObjectXferable', # 0x1e5 'NtGdiMirrorWindowOrg', # 0x1e6 'NtGdiMonoBitmap', # 0x1e7 'NtGdiMoveTo', # 0x1e8 'NtGdiOffsetClipRgn', # 0x1e9 'NtGdiPATHOBJ_bEnum', # 0x1ea 'NtGdiPATHOBJ_bEnumClipLines', # 0x1eb 'NtGdiPATHOBJ_vEnumStart', # 0x1ec 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x1ed 'NtGdiPATHOBJ_vGetBounds', # 0x1ee 'NtGdiPathToRegion', # 0x1ef 'NtGdiPlgBlt', # 0x1f0 'NtGdiPolyDraw', # 0x1f1 'NtGdiPolyTextOutW', # 0x1f2 'NtGdiPtInRegion', # 0x1f3 'NtGdiPtVisible', # 0x1f4 'NtGdiQueryFonts', # 0x1f5 'NtGdiRemoveFontResourceW', # 0x1f6 'NtGdiRemoveMergeFont', # 0x1f7 'NtGdiResetDC', # 0x1f8 'NtGdiResizePalette', # 0x1f9 'NtGdiRoundRect', # 0x1fa 'NtGdiSTROBJ_bEnum', # 0x1fb 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x1fc 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x1fd 'NtGdiSTROBJ_dwGetCodePage', # 0x1fe 'NtGdiSTROBJ_vEnumStart', # 0x1ff 'NtGdiScaleViewportExtEx', # 0x200 'NtGdiScaleWindowExtEx', # 0x201 'GreSelectBrush', # 0x202 'NtGdiSelectClipPath', # 0x203 'NtGdiSelectPen', # 0x204 'NtGdiSetBitmapAttributes', # 0x205 'NtGdiSetBrushAttributes', # 0x206 'NtGdiSetColorAdjustment', # 0x207 'NtGdiSetColorSpace', # 0x208 'NtGdiSetDeviceGammaRamp', # 0x209 'NtGdiSetFontXform', # 0x20a 'NtGdiSetIcmMode', # 0x20b 'NtGdiSetLinkedUFIs', # 0x20c 'NtGdiSetMagicColors', # 0x20d 'NtGdiSetPUMPDOBJ', # 0x20e 'NtGdiSetPixelFormat', # 0x20f 'NtGdiSetRectRgn', # 0x210 'NtGdiSetSizeDevice', # 0x211 'NtGdiSetSystemPaletteUse', # 0x212 'NtGdiSetTextJustification', # 0x213 'NtGdiStartDoc', # 0x214 'NtGdiStartPage', # 0x215 'NtGdiStrokeAndFillPath', # 0x216 'NtGdiStrokePath', # 0x217 'NtGdiSwapBuffers', # 0x218 'NtGdiTransparentBlt', # 0x219 'NtGdiUMPDEngFreeUserMem', # 0x21a 
'NtGdiUnloadPrinterDriver', # 0x21b 'EngRestoreFloatingPointState', # 0x21c 'NtGdiUpdateColors', # 0x21d 'NtGdiUpdateTransform', # 0x21e 'NtGdiWidenPath', # 0x21f 'NtGdiXFORMOBJ_bApplyXform', # 0x220 'NtGdiXFORMOBJ_iGetXform', # 0x221 'NtGdiXLATEOBJ_cGetPalette', # 0x222 'NtGdiXLATEOBJ_hGetColorTransform', # 0x223 'NtGdiXLATEOBJ_iXlate', # 0x224 'NtUserAssociateInputContext', # 0x225 'NtUserBlockInput', # 0x226 'NtUserBuildHimcList', # 0x227 'NtUserBuildPropList', # 0x228 'NtUserCallHwndOpt', # 0x229 'NtUserChangeDisplaySettings', # 0x22a 'NtUserChildWindowFromPointEx', # 0x22b 'NtUserClipCursor', # 0x22c 'NtUserCreateDesktop', # 0x22d 'NtUserCreateInputContext', # 0x22e 'NtUserCreateWindowStation', # 0x22f 'NtUserCtxDisplayIOCtl', # 0x230 'NtUserDdeGetQualityOfService', # 0x231 'NtUserDdeSetQualityOfService', # 0x232 'NtUserDestroyInputContext', # 0x233 'NtUserDisableThreadIme', # 0x234 'NtUserDragDetect', # 0x235 'NtUserDragObject', # 0x236 'NtUserDrawAnimatedRects', # 0x237 'NtUserDrawCaption', # 0x238 'NtUserDrawCaptionTemp', # 0x239 'NtUserDrawMenuBarTemp', # 0x23a 'NtUserEndMenu', # 0x23b 'NtUserEvent', # 0x23c 'NtUserFlashWindowEx', # 0x23d 'NtUserGetAppImeLevel', # 0x23e 'NtUserGetCaretPos', # 0x23f 'NtUserGetClipCursor', # 0x240 'NtUserGetClipboardViewer', # 0x241 'NtUserGetComboBoxInfo', # 0x242 'NtUserGetCursorInfo', # 0x243 'NtUserGetGuiResources', # 0x244 'NtUserGetImeHotKey', # 0x245 'NtUserGetImeInfoEx', # 0x246 'NtUserGetInternalWindowPos', # 0x247 'NtUserGetKeyNameText', # 0x248 'NtUserGetKeyboardLayoutName', # 0x249 'NtUserGetLayeredWindowAttributes', # 0x24a 'NtUserGetListBoxInfo', # 0x24b 'NtUserGetMenuIndex', # 0x24c 'NtUserGetMenuItemRect', # 0x24d 'NtUserGetMouseMovePointsEx', # 0x24e 'NtUserGetPriorityClipboardFormat', # 0x24f 'NtUserGetRawInputBuffer', # 0x250 'NtUserGetRawInputData', # 0x251 'NtUserGetRawInputDeviceInfo', # 0x252 'NtUserGetRawInputDeviceList', # 0x253 'NtUserGetRegisteredRawInputDevices', # 0x254 'NtUserGetWOWClass', # 
0x255 'NtUserHardErrorControl', # 0x256 'NtUserHiliteMenuItem', # 0x257 'NtUserImpersonateDdeClientWindow', # 0x258 'NtUserInitTask', # 0x259 'NtUserInitialize', # 0x25a 'NtUserInitializeClientPfnArrays', # 0x25b 'NtUserLoadKeyboardLayoutEx', # 0x25c 'NtUserLockWindowStation', # 0x25d 'NtUserLockWorkStation', # 0x25e 'NtUserMNDragLeave', # 0x25f 'NtUserMNDragOver', # 0x260 'NtUserMenuItemFromPoint', # 0x261 'NtUserMinMaximize', # 0x262 'NtUserNotifyIMEStatus', # 0x263 'NtUserOpenInputDesktop', # 0x264 'NtUserPrintWindow', # 0x265 'NtUserQueryInformationThread', # 0x266 'NtUserQueryInputContext', # 0x267 'NtUserQuerySendMessage', # 0x268 'NtUserRealChildWindowFromPoint', # 0x269 'NtUserRealWaitMessageEx', # 0x26a 'NtUserRegisterHotKey', # 0x26b 'NtUserRegisterRawInputDevices', # 0x26c 'NtUserRegisterTasklist', # 0x26d 'NtUserRegisterUserApiHook', # 0x26e 'NtUserRemoteConnect', # 0x26f 'NtUserRemoteRedrawRectangle', # 0x270 'NtUserRemoteRedrawScreen', # 0x271 'NtUserRemoteStopScreenUpdates', # 0x272 'NtUserResolveDesktopForWOW', # 0x273 'NtUserSetAppImeLevel', # 0x274 'NtUserSetClassWord', # 0x275 'NtUserSetCursorContents', # 0x276 'NtUserSetImeHotKey', # 0x277 'NtUserSetImeInfoEx', # 0x278 'NtUserSetImeOwnerWindow', # 0x279 'NtUserSetInternalWindowPos', # 0x27a 'NtUserSetLayeredWindowAttributes', # 0x27b 'NtUserSetLogonNotifyWindow', # 0x27c 'NtUserSetMenu', # 0x27d 'NtUserSetMenuContextHelpId', # 0x27e 'NtUserSetMenuFlagRtoL', # 0x27f 'NtUserSetObjectInformation', # 0x280 'NtUserSetShellWindowEx', # 0x281 'NtUserSetSysColors', # 0x282 'NtUserSetSystemCursor', # 0x283 'NtUserSetSystemTimer', # 0x284 'NtUserSetThreadLayoutHandles', # 0x285 'NtUserSetWindowStationUser', # 0x286 'NtUserSoundSentry', # 0x287 'NtUserSwitchDesktop', # 0x288 'NtUserTestForInteractiveUser', # 0x289 'NtUserTrackPopupMenuEx', # 0x28a 'NtUserUnloadKeyboardLayout', # 0x28b 'NtUserUnlockWindowStation', # 0x28c 'NtUserUnregisterHotKey', # 0x28d 'NtUserUnregisterUserApiHook', # 0x28e 
'NtUserUpdateInputContext', # 0x28f 'NtUserUpdateInstance', # 0x290 'NtUserUpdateLayeredWindow', # 0x291 'NtUserUpdatePerUserSystemParameters', # 0x292 'NtUserUserHandleGrantAccess', # 0x293 'NtUserValidateHandleSecure', # 0x294 'NtUserWaitForInputIdle', # 0x295 'NtUserWaitForMsgAndEvent', # 0x296 'NtUserSetClassLongPtr', # 0x297 'NtUserSetWindowLongPtr', # 0x298 'NtUserWin32PoolAllocationStats', # 0x299 'NtUserYieldTask', # 0x29a ], ] volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/__init__.py0000644000000000000000000000000013131215405024761 0ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/mac/0000755000000000000000000000000013131215405023422 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/mac/macho.py0000644000000000000000000006073313131215405025074 0ustar rootroot# Volatility # Copyright (C) 2007-2011 Volatile Systems # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or (at # your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. 
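#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

import volatility.obj as obj

# Structure layouts for Mach-O headers and load commands.
# Each entry is [struct size, {member name: [offset, [type ...]]}].
macho_types = {
    'fat_header': [ 0x8, {
        'magic': [0x0, ['unsigned int']],
        'nfat_arch': [0x4, ['unsigned int']],
    }],
    'fat_arch': [ 0x14, {
        'cputype': [0x0, ['int']],
        'cpusubtype': [0x4, ['int']],
        'offset': [0x8, ['unsigned int']],
        'size': [0xc, ['unsigned int']],
        'align': [0x10, ['unsigned int']],
    }],
    'macho64_header': [ 32, {
        'magic' : [0, ['unsigned int']],
        'cputype' : [4, ['int']],
        'cpusubtype': [8, ['int']],
        'filetype' : [12, ['unsigned int']],
        'ncmds' : [16, ['unsigned int']],
        'sizeofcmds': [20, ['unsigned int']],
        'flags' : [24, ['unsigned int']],
        'reserved' : [28, ['unsigned int']],
    }],
    'macho32_header': [ 28, {
        'magic' : [0, ['unsigned int']],
        'cputype' : [4, ['int']],
        'cpusubtype' : [8, ['int']],
        'filetype' : [12, ['unsigned int']],
        'ncmds' : [16, ['unsigned int']],
        'sizeofcmds' : [20, ['unsigned int']],
        'flags' : [24, ['unsigned int']],
    }],
    'macho32_symtab_command': [ 0x18, {
        'cmd': [0x0, ['unsigned int']],
        'cmdsize': [0x4, ['unsigned int']],
        'symoff': [0x8, ['unsigned int']],
        'nsyms': [0xc, ['unsigned int']],
        'stroff': [0x10, ['unsigned int']],
        'strsize': [0x14, ['unsigned int']],
    }],
    'macho64_symtab_command': [ 0x18, {
        'cmd': [0x0, ['unsigned int']],
        'cmdsize': [0x4, ['unsigned int']],
        'symoff': [0x8, ['unsigned int']],
        'nsyms': [0xc, ['unsigned int']],
        'stroff': [0x10, ['unsigned int']],
        'strsize': [0x14, ['unsigned int']],
    }],
    'macho64_dysymtab_command': [ 80, {
        'cmd' : [0, ['unsigned int']],
        'cmdsize' : [4, ['unsigned int']],
        'ilocalsym' : [8, ['unsigned int']],
        'nlocalsym' : [12, ['unsigned int']],
        'iextdefsym' : [16, ['unsigned int']],
        'nextdefsym' : [20, ['unsigned int']],
        'iundefsym' : [24, ['unsigned int']],
        'nundefsym' : [28, ['unsigned int']],
        'tocoff' : [32, ['unsigned int']],
        'ntoc' : [36, ['unsigned int']],
        'modtaboff' : [40, ['unsigned int']],
        'nmodtab' : [44, ['unsigned int']],
        'extrefsymoff' : [48, ['unsigned int']],
        'nextrefsyms' : [52, ['unsigned int']],
        'indirectsymoff' : [56, ['unsigned int']],
        'nindirectsyms' : [60, ['unsigned int']],
        'extreloff' : [64, ['unsigned int']],
        'nextrel' : [68, ['unsigned int']],
        'locreloff' : [72, ['unsigned int']],
        'nlocrel' : [76, ['unsigned int']],
    }],
    'macho32_dysymtab_command': [ 80, {
        'cmd' : [0, ['unsigned int']],
        'cmdsize' : [4, ['unsigned int']],
        'ilocalsym' : [8, ['unsigned int']],
        'nlocalsym' : [12, ['unsigned int']],
        'iextdefsym' : [16, ['unsigned int']],
        'nextdefsym' : [20, ['unsigned int']],
        'iundefsym' : [24, ['unsigned int']],
        'nundefsym' : [28, ['unsigned int']],
        'tocoff' : [32, ['unsigned int']],
        'ntoc' : [36, ['unsigned int']],
        'modtaboff' : [40, ['unsigned int']],
        'nmodtab' : [44, ['unsigned int']],
        'extrefsymoff' : [48, ['unsigned int']],
        'nextrefsyms' : [52, ['unsigned int']],
        'indirectsymoff' : [56, ['unsigned int']],
        'nindirectsyms' : [60, ['unsigned int']],
        'extreloff' : [64, ['unsigned int']],
        'nextrel' : [68, ['unsigned int']],
        'locreloff' : [72, ['unsigned int']],
        'nlocrel' : [76, ['unsigned int']],
    }],
    'macho32_load_command': [ 0x8, {
        'cmd': [0x0, ['unsigned int']],
        'cmdsize': [0x4, ['unsigned int']],
    }],
    'macho64_load_command': [ 0x8, {
        'cmd': [0x0, ['unsigned int']],
        'cmdsize': [0x4, ['unsigned int']],
    }],
    'macho32_dylib_command': [ 24, {
        'cmd' : [0x0, ['unsigned int']],
        'cmdsize' : [0x4, ['unsigned int']],
        'name' : [0x8, ['unsigned int']],
        'timestamp' : [12, ['unsigned int']],
        'current_version' : [16, ['unsigned int']],
        'compatibility_version' : [20, ['unsigned int']],
    }],
    'macho64_dylib_command': [ 28, {
        'cmd' : [0x0, ['unsigned int']],
        'cmdsize' : [0x4, ['unsigned int']],
        'name' : [0x8, ['unsigned int']],
        'timestamp' : [16, ['unsigned int']],
        'current_version' : [20, ['unsigned int']],
        'compatibility_version' : [24, ['unsigned int']],
    }],
    'macho32_segment_command': [ 0x38, {
        'cmd': [0x0, ['unsigned int']],
        'cmdsize': [0x4, ['unsigned int']],
        'segname': [0x8, ['String', dict(length = 16)]],
        'vmaddr': [0x18, ['unsigned int']],
        'vmsize': [0x1c, ['unsigned int']],
        'fileoff': [0x20, ['unsigned int']],
        'filesize': [0x24, ['unsigned int']],
        'maxprot': [0x28, ['int']],
        'initprot': [0x2c, ['int']],
        'nsects': [0x30, ['unsigned int']],
        'flags': [0x34, ['unsigned int']],
    }],
    'macho64_segment_command': [ 0x48, {
        'cmd': [0x0, ['unsigned int']],
        'cmdsize': [0x4, ['unsigned int']],
        'segname': [0x8, ['String', dict(length = 16)]],
        'vmaddr': [0x18, ['unsigned long long']],
        'vmsize': [0x20, ['unsigned long long']],
        'fileoff': [0x28, ['unsigned long long']],
        'filesize': [0x30, ['unsigned long long']],
        'maxprot': [0x38, ['int']],
        'initprot': [0x3c, ['int']],
        'nsects': [0x40, ['unsigned int']],
        'flags': [0x44, ['unsigned int']],
    }],
    'macho64_section': [ 0x50, {
        'sectname': [0x0, ['array', 16, ['char']]],
        'segname': [0x10, ['array', 16, ['char']]],
        'addr': [0x20, ['unsigned long long']],
        'size': [0x28, ['unsigned long long']],
        'offset': [0x30, ['unsigned int']],
        'align': [0x34, ['unsigned int']],
        'reloff': [0x38, ['unsigned int']],
        'nreloc': [0x3c, ['unsigned int']],
        'flags': [0x40, ['unsigned int']],
        'reserved1': [0x44, ['unsigned int']],
        'reserved2': [0x48, ['unsigned int']],
        'reserved3': [0x4c, ['unsigned int']],
    }],
    'macho32_section': [ 0x44, {
        'sectname': [0x0, ['array', 16, ['char']]],
        'segname': [0x10, ['array', 16, ['char']]],
        'addr': [0x20, ['unsigned int']],
        'size': [0x24, ['unsigned int']],
        'offset': [0x28, ['unsigned int']],
        'align': [0x2c, ['unsigned int']],
        'reloff': [0x30, ['unsigned int']],
        'nreloc': [0x34, ['unsigned int']],
        'flags': [0x38, ['unsigned int']],
        'reserved1': [0x3c, ['unsigned int']],
        'reserved2': [0x40, ['unsigned int']],
    }],
    'macho32_nlist': [ 12, {
        'n_strx' : [0, ['unsigned int']],
        'n_type' : [4, ['unsigned char']],
        'n_sect' : [5, ['unsigned char']],
        'n_desc' : [6, ['unsigned short']],
        'n_value': [8, ['unsigned int']],
    }],
    'macho64_nlist': [ 16, {
        'n_strx' : [0, ['unsigned int']],
        'n_type' : [4, ['unsigned char']],
        'n_sect' : [5, ['unsigned char']],
        'n_desc' : [6, ['unsigned short']],
        'n_value': [8, ['unsigned long long']],
    }],
}

class macho(obj.CType):
    """Bitness-agnostic wrapper around a 32-bit or 64-bit Mach-O structure.

    The wrapper instantiates either name32 or name64 as self.macho_obj and
    forwards unknown attribute lookups to it.

    size_cache values used in this class:
      32 / 64 - bitness decided from the header's cputype field
      -39     - not a header; bitness is copied from obj_parent on first use
      -42     - header whose cputype is not one of the two recognised values
    """

    def __init__(self, is_header, name32, name64, theType, offset, vm, name = None, **kwargs):
        self.name32 = name32
        self.name64 = name64
        self.macho_obj = None

        # size_cache has to exist before CType.__init__ runs, because
        # __getattr__ below consults it for every attribute that is missing.
        if is_header:
            self._init_cache(offset, vm)
        else:
            self.size_cache = -39

        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

    def is_valid(self):
        """True unless the bitness was looked up and found unrecognised (-42)."""
        return self.size_cache in [32, 64, -39]

    def _init_cache(self, offset, vm):
        """Decide the bitness from the data at offset, then build macho_obj."""
        self._set_size_cache(offset, vm)
        self._make_macho_obj(offset, vm)

    def _init_cache_from_parent(self):
        """Copy the bitness from obj_parent, then build macho_obj."""
        self.size_cache = self.obj_parent.size_cache
        self._make_macho_obj(self.obj_offset, self.obj_vm)

    def _make_macho_obj(self, offset, vm):
        """Instantiate the 32- or 64-bit structure, or None if bitness is unknown."""
        if self.size_cache == 32:
            self.macho_obj = obj.Object(self.name32, offset = offset, vm = vm, parent = self)
        elif self.size_cache == 64:
            self.macho_obj = obj.Object(self.name64, offset = offset, vm = vm, parent = self)
        else:
            self.macho_obj = None

    def _set_size_cache(self, offset, vm):
        """Set size_cache from the unsigned int at offset + 4 (the cputype member)."""
        ei_class = obj.Object("unsigned int", offset = offset + 4, vm = vm)

        if ei_class == 7: # CPU_TYPE_I386 / CPU_TYPE_X86
            self.size_cache = 32
        elif ei_class == 0x1000007: # CPU_TYPE_X86_64
            self.size_cache = 64
        else:
            self.size_cache = -42

    def _get_typename(self, typename):
        """Prefix typename with "macho32_" or "macho64_".

        Any size_cache other than 32, including the unrecognised marker -42,
        selects the "macho64_" prefix.
        """
        if self.size_cache == -39:
            self._init_cache_from_parent()

        if self.size_cache == 32:
            typename = "macho32_" + typename
        else:
            typename = "macho64_" + typename

        return typename

    def get_bits(self):
        """Return size_cache (32 or 64 once resolved, otherwise a marker value)."""
        return self.size_cache

    def __getattr__(self, attr):
        # Resolve the bitness lazily for non-header objects, then delegate.
        if self.size_cache == -39:
            self._init_cache_from_parent()

        return self.macho_obj.__getattr__(attr)

class macho_header(macho):
    """A Mach-O header, with cached symbol tables and load-command helpers.

    Every count and offset used below is read from the memory image being
    analysed, so it has to be treated as untrusted input.
    """

    def __init__(self, theType, offset, vm, name = None, **kwargs):
        self.cached_strtab = None
        self.cached_symtab = None
        self.cached_dysymtab = None
        self.cached_syms = None
        self.load_diff = 0

        macho.__init__(self, 1, "macho32_header", "macho64_header", theType, offset, vm, name, **kwargs)

        if self.macho_obj:
            self._build_symbol_caches()
            self.calc_load_diff()

    def is_valid(self):
        # "!= None" rather than "is not None" is kept as written; presumably
        # it is meant to also reject the framework's null object -- TODO confirm.
        return self.macho_obj != None

    def calc_load_diff(self):
        """Set load_diff from the first segment that is not __PAGEZERO.

        load_diff stays 0 when there is no such segment or when its vmaddr
        already equals the header offset.
        """
        seg = None

        for s in self.segments():
            if str(s.segname) == "__PAGEZERO":
                continue

            seg = s
            break

        if seg and seg.vmaddr != self.obj_offset:
            self.load_diff = self.obj_offset - seg.vmaddr

    def load_commands(self):
        """Yield each load command that follows the header.

        Yields nothing when the header could not be parsed, when its size is
        0 or above 100000000, or when ncmds exceeds 1024.
        """
        tname = "macho_load_command"

        if self.macho_obj == None:
            return

        # the load commands start after the header
        hdr_size = self.macho_obj.size()
        if hdr_size == 0 or hdr_size > 100000000:
            return

        arr_start = self.obj_offset + hdr_size
        offset = 0

        if self.ncmds > 1024:
            return

        # NOTE(review): cmdsize comes from the image and is not validated
        # here; the walk is bounded only by the ncmds check above.
        for i in range(self.ncmds):
            cmd = obj.Object(tname, offset = arr_start + offset, vm = self.obj_vm, parent = self)
            yield cmd
            offset = offset + cmd.cmdsize

    def load_commands_of_type(self, cmd_type):
        """Return a list of the load commands whose cmd equals cmd_type."""
        return [cmd for cmd in self.load_commands() if cmd_type == cmd.cmd.v()]

    def load_command_of_type(self, cmd_type):
        """Return the only load command of cmd_type, or None if there is none.

        More than one match is reported through debug.error.
        """
        # Imported locally: this module only imports volatility.obj, so the
        # error path used to fail with a NameError on "debug".
        import volatility.debug as debug

        ret = None

        cmds = self.load_commands_of_type(cmd_type)
        if cmds and len(cmds) > 1:
            debug.error("load_command_of_type: Multiple commands of type %d found!" % cmd_type)
        elif cmds:
            ret = cmds[0]

        return ret

    # used to fill the cache of symbols
    def get_indirect_syms(self):
        """Return the nlist entries named by the indirect symbol table.

        Returns an empty list when no dysymtab command was cached.
        """
        syms = []

        # imports() can reach this on an image without LC_DYSYMTAB, where
        # cached_dysymtab is still None.
        if self.cached_dysymtab == None:
            return syms

        tname = self._get_typename("nlist")
        obj_size = self.obj_vm.profile.get_obj_size(tname)

        # Sanity limit on a count taken from the image.
        cnt = self.cached_dysymtab.nindirectsyms
        if cnt > 100000:
            cnt = 1024

        symtab_idxs = obj.Object(theType="Array", targetType="unsigned int", count=cnt,
                                 offset = self.obj_offset + self.cached_dysymtab.indirectsymoff,
                                 vm = self.obj_vm, parent = self)

        for idx in symtab_idxs:
            sym_addr = self.cached_symtab + (idx * obj_size)
            sym = obj.Object("macho_nlist", offset = sym_addr, vm = self.obj_vm, parent = self)
            syms.append(sym)

        return syms

    def _get_symtab_syms(self, sym_command, symtab_addr):
        """Return sym_command.nsyms nlist objects starting at symtab_addr."""
        syms = []
        tname = self._get_typename("nlist")
        obj_size = self.obj_vm.profile.get_obj_size(tname)

        # NOTE(review): nsyms is read from the image and, unlike ncmds,
        # nindirectsyms and nsects elsewhere in this class, has no upper
        # bound here. A corrupt header can make this loop and the returned
        # list very large; consider a sanity limit.
        for i in range(sym_command.nsyms):
            sym_addr = symtab_addr + (i * obj_size)
            sym = obj.Object("macho_nlist", offset = sym_addr, vm = self.obj_vm, parent = self)
            syms.append(sym)

        return syms

    def _build_symbol_caches(self):
        """Fill cached_syms from LC_SYMTAB and, when present, LC_DYSYMTAB.

        cached_strtab, cached_symtab and cached_dysymtab are only set when
        both commands are found.
        """
        symtab_cmd = self.load_command_of_type(2) # LC_SYMTAB
        symtab_struct_name = self._get_typename("symtab_command")

        if symtab_cmd == None:
            return

        symtab_command = symtab_cmd.cast(symtab_struct_name)

        str_strtab = self.obj_offset + symtab_command.stroff
        symtab_addr = self.obj_offset + symtab_command.symoff

        self.cached_syms = self._get_symtab_syms(symtab_command, symtab_addr)

        dysymtab_cmd = self.load_command_of_type(0xb) # LC_DYSYMTAB
        dystruct_name = self._get_typename("dysymtab_command")

        if dysymtab_cmd == None:
            return

        dysymtab_command = dysymtab_cmd.cast(dystruct_name)

        self.cached_strtab = str_strtab
        self.cached_symtab = symtab_addr
        self.cached_dysymtab = dysymtab_command

        self.cached_syms = self.cached_syms + self.get_indirect_syms()

    def symbols(self):
        """Return the cached symbol list, or an empty list if none was built."""
        if self.cached_syms == None:
            ret = []
        else:
            ret = self.cached_syms

        return ret

    def symbol_name(self, sym):
        """Return the name of sym: up to 64 bytes, cut at the first NUL.

        Returns "" when the string table was not cached.
        """
        if self.cached_symtab == None:
            return ""

        name_addr = self.cached_strtab + sym.n_strx
        name = self.obj_vm.read(name_addr, 64)
        if name:
            idx = name.find("\x00")
            if idx != -1:
                name = name[:idx]

        return name

    def address_for_symbol(self, sym_name):
        """Return n_value of the first symbol named sym_name, or None."""
        ret = None

        for sym in self.symbols():
            if self.symbol_name(sym) == sym_name:
                ret = sym.n_value.v()
                break

        return ret

    def needed_libraries(self):
        """Yield the library name of every LC_LOAD_DYLIB command.

        Each name is read as up to 256 bytes and cut at the first NUL.
        """
        for cmd in self.load_commands_of_type(0xc): # LC_LOAD_DYLIB
            tname = self._get_typename("dylib_command")
            dylib_command = cmd.cast(tname)

            # name is an offset relative to the start of the load command
            name_addr = cmd.obj_offset + dylib_command.name

            dylib_name = self.obj_vm.read(name_addr, 256)
            if dylib_name:
                idx = dylib_name.find("\x00")
                if idx != -1:
                    dylib_name = dylib_name[:idx]

            yield dylib_name

    def imports(self):
        """Yield (name, pointer) pairs from __DATA,__la_symbol_ptr."""
        # TODO add check for bin & lib, and retest:
        # symbol resolution
        # symbol ptr mapping
        # for 64 bit
        # for 32 bit
        sect_type = self._get_typename("section")
        sect_size = self.obj_vm.profile.get_obj_size(sect_type)

        if self.get_bits() == 32:
            idx_type = "unsigned int"
        else:
            idx_type = "unsigned long long"

        # NOTE(review): the count is derived from the size of the section
        # structure, not from the section's own size field -- confirm intent.
        num_idxs = sect_size / (self.get_bits() / 8)

        for seg in self.segments():
            if str(seg.segname) == "__DATA":
                for sect in self.sections_for_segment(seg):
                    if str(sect.sectname) == "__la_symbol_ptr":
                        # the array of (potentially) resolved imports
                        sym_ptr_arr = obj.Object(theType="Array", targetType = idx_type, count = num_idxs,
                                                 offset = self.obj_offset + sect.offset, vm = self.obj_vm)

                        isyms = self.get_indirect_syms()
                        num_isyms = len(isyms)

                        for (i, sym_ptr) in enumerate(sym_ptr_arr):
                            idx = sect.reserved1 + i
                            # indexes past the indirect symbol list are skipped
                            if idx >= num_isyms:
                                continue

                            sym = isyms[idx]
                            name = self.symbol_name(sym)

                            yield (name, sym_ptr)

    def segments(self):
        """Yield a macho_segment_command for each segment load command."""
        LC_SEGMENT = 1 # 32 bit segments
        LC_SEGMENT_64 = 0x19 # 64 bit segments

        if self.size_cache == 32:
            seg_type = LC_SEGMENT
        else:
            seg_type = LC_SEGMENT_64

        load_commands = self.load_commands_of_type(seg_type)

        for load_command in load_commands:
            segment = obj.Object("macho_segment_command", offset = load_command.obj_offset,
                                 vm = self.obj_vm, parent = self)
            yield segment

    def get_segment(self, segment_name):
        """Return the first segment whose segname equals segment_name, or None."""
        ret = None

        # This used to call self.get_segments(), which this class does not
        # define; segments() is the generator defined above.
        for segment in self.segments():
            if str(segment.segname) == segment_name:
                ret = segment
                break

        return ret

    def sections_for_segment(self, segment):
        """Yield the section headers that follow segment, at most 1024 of them."""
        sect_struct = self._get_typename("section")
        sect_size = self.obj_vm.profile.get_obj_size(sect_struct)

        seg_struct = self._get_typename("segment_command")
        seg_size = self.obj_vm.profile.get_obj_size(seg_struct)

        # Sanity limit on a count taken from the image.
        cnt = segment.nsects
        if cnt > 1024:
            cnt = 1024

        for i in range(cnt):
            sect_addr = segment.obj_offset + seg_size + (i * sect_size)
            sect = obj.Object("macho_section", offset = sect_addr, vm = self.obj_vm, parent = self)
            yield sect

class macho32_header(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho64_header(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho_section(macho):
    """ A macho section header """
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        macho.__init__(self, 0, "macho32_section", "macho64_section", theType, offset, vm, name, **kwargs)

class macho32_section(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho64_section(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho_segment_command(macho):
    """ A macho segment command """
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        macho.__init__(self, 0, "macho32_segment_command", "macho64_segment_command", theType, offset, vm, name, **kwargs)

    @property
    def vmaddr(self):
        """The segment's vmaddr, adjusted by values taken from the parent header.

        The parent's load_diff is added when it is non-zero, and the parent's
        offset is added when its filetype is 2.
        """
        ret = self.__getattr__("vmaddr")

        if self.obj_parent.load_diff:
            ret = ret + self.obj_parent.load_diff

        if self.obj_parent.filetype == 2:
            ret = ret + self.obj_parent.obj_offset

        return ret

class macho32_segment_command(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho64_segment_command(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho_load_command(macho):
    """ A macho load command """
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        macho.__init__(self, 0, "macho32_load_command", "macho64_load_command", theType, offset, vm, name, **kwargs)

    @property
    def cmd_type(self):
        """Name of the command for the four known cmd values, otherwise ""."""
        cmd_types = {
            1 : "LC_SEGMENT",
            2 : "LC_SYMTAB",
            25 : "LC_SEGMENT_64",
            12 : "LC_LOAD_DYLIB",
        }

        return cmd_types.get(self.cmd.v(), "")

class macho32_load_command(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho64_load_command(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho_symtab_command(macho):
    """ A macho symtab command """
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        macho.__init__(self, 0, "macho32_symtab_command", "macho64_symtab_command", theType, offset, vm, name, **kwargs)

class macho32_symtab_command(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho64_symtab_command(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho_dysymtab_command(macho):
    """ A macho dysymtab command """
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        macho.__init__(self, 0, "macho32_dysymtab_command", "macho64_dysymtab_command", theType, offset, vm, name, **kwargs)

class macho32_dysymtab_command(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho64_dysymtab_command(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho_nlist(macho):
    """ A macho nlist """
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        macho.__init__(self, 0, "macho32_nlist", "macho64_nlist", theType, offset, vm, name, **kwargs)

class macho32_nlist(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class macho64_nlist(obj.CType):
    def __init__(self, theType, offset, vm, name = None, **kwargs):
        obj.CType.__init__(self, theType, offset, vm, name, **kwargs)

class MachoTypes(obj.ProfileModification):
    """Adds the Mach-O structure layouts to the profile."""
    def modification(self, profile):
        profile.vtypes.update(macho_types)

class MachoModification(obj.ProfileModification):
    """Registers the Mach-O object classes with the profile."""
    def modification(self, profile):
        profile.object_classes.update({
            'macho' : macho,
            'macho_header' : macho_header,
            'macho32_header' : macho32_header,
            'macho64_header' : macho64_header,
            'macho_section' : macho_section,
            'macho32_section' : macho32_section,
            'macho64_section' : macho64_section,
            'macho_segment_command' : macho_segment_command,
            'macho32_segment_command' : macho32_segment_command,
            'macho64_segment_command' : macho64_segment_command,
            'macho_load_command' : macho_load_command,
            'macho32_load_command' : macho32_load_command,
            'macho64_load_command' : macho64_load_command,
            'macho_symtab_command' : macho_symtab_command,
            'macho32_symtab_command' : macho32_symtab_command,
            'macho64_symtab_command' : macho64_symtab_command,
            'macho_dysymtab_command' : macho_dysymtab_command,
            'macho32_dysymtab_command' : macho32_dysymtab_command,
            'macho64_dysymtab_command' : macho64_dysymtab_command,
            'macho_nlist' : macho_nlist,
            'macho32_nlist' : macho32_nlist,
            'macho64_nlist' : macho64_nlist,
        })

# Overlay that presents the segment and section name members as 16-byte strings.
macho_overlay = {
    'macho32_segment_command' : [ None, {
        'segname' : [ None , ['String', dict(length = 16)]],
    }],
    'macho64_segment_command' : [ None, {
        'segname' : [ None , ['String', dict(length = 16)]],
    }],
    'macho32_section' : [ None, {
        'sectname' : [ None , ['String', dict(length = 16)]],
    }],
    'macho64_section' : [ None, {
        'sectname' : [ None , ['String', dict(length = 16)]],
    }],
}

class MachoOverlay(obj.ProfileModification):
    """Merges macho_overlay into the profile when the profile's os is 'mac'."""
    conditions = {'os': lambda x: x == 'mac'}
    before = ['BasicObjectClasses']

    def modification(self, profile):
        profile.merge_overlay(macho_overlay)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/mac/mac.py0000644000000000000000000021457213131215405024547 0ustar rootroot# Volatility
# Copyright (C) 2010 Brendan Dolan-Gavitt
# Copyright (c) 2011 Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .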
# import re,copy import sys, os import zipfile import struct import time import string from operator import attrgetter import volatility.plugins as plugins import volatility.debug as debug import volatility.obj as obj import volatility.plugins.overlays.basic as basic import volatility.addrspace as addrspace import volatility.scan as scan import volatility.plugins.addrspaces.amd64 as amd64 import volatility.plugins.addrspaces.intel as intel import volatility.plugins.overlays.native_types as native_types import volatility.utils as utils import volatility.plugins.mac.common as common import volatility.plugins.malware.malfind as malfind try: import yara has_yara = True except ImportError: has_yara = False x64_native_types = copy.deepcopy(native_types.x64_native_types) x64_native_types['long'] = [8, '= 0x1000000: continue if shared_start <= start <= shared_end: continue if map.get_perms() != "rw-" or map.get_path() != "": continue for match in malfind.BaseYaraScanner.scan(self, start, length): yield match class DyldTypes(obj.ProfileModification): conditions = {"os" : lambda x : x in ["mac"]} def modification(self, profile): profile.vtypes.update(dyld_vtypes) mig_vtypes_32 = { 'mig_hash_entry' : [16, { 'num' : [0, ['int']], 'routine' : [4, ['pointer', ['void']]], 'size' : [8, ['int']], 'callcount' : [12, ['unsigned int']], }], } mig_vtypes_64 = { 'mig_hash_entry' : [24, { 'num' : [0, ['long long']], 'routine' : [8, ['pointer', ['void']]], 'size' : [16, ['int']], 'callcount' : [20, ['unsigned int']], }], } class MigTypes(obj.ProfileModification): conditions = {"os" : lambda x : x in ["mac"]} def modification(self, profile): if profile.metadata.get('memory_model', '32bit') == "32bit": profile.vtypes.update(mig_vtypes_32) else: profile.vtypes.update(mig_vtypes_64) # this change was introduced in 10.12 (Sierra), which only has 64 bit versions cnode_vtypes = { 'cat_attr': [ 0x78, { 'ca_fileid': [0x0, ['unsigned int']], 'ca_mode': [0x4, ['unsigned short']], 'ca_recflags': 
[0x6, ['unsigned short']], 'ca_linkcount': [0x8, ['unsigned int']], 'ca_uid': [0xc, ['unsigned int']], 'ca_gid': [0x10, ['unsigned int']], 'ca_atime': [0x18, ['long']], 'ca_atimeondisk': [0x20, ['long']], 'ca_mtime': [0x28, ['long']], 'ca_ctime': [0x30, ['long']], 'ca_itime': [0x38, ['long']], 'ca_btime': [0x40, ['long']], 'ca_flags': [0x48, ['unsigned int']], }], 'cnode': [ 0x148, { 'c_flag': [0x40, ['unsigned int']], 'c_hflag': [0x44, ['unsigned int']], 'c_vp': [0x48, ['pointer', ['vnode']]], 'c_rsrc_vp': [0x50, ['pointer', ['vnode']]], 'c_childhint': [0x68, ['unsigned int']], 'c_dirthreadhint': [0x6c, ['unsigned int']], 'c_attr': [0x88, ['cat_attr']], 'c_dirhinttag': [0x120, ['short']], 'c_dirchangecnt': [0x124, ['unsigned int']], 'c_touch_acctime': [0x138, ['unsigned char']], 'c_touch_chgtime': [0x139, ['unsigned char']], 'c_touch_modtime': [0x13a, ['unsigned char']], 'c_update_txn': [0x13c, ['unsigned int']], }], } class CNodeTypes(obj.ProfileModification): conditions = {"os" : lambda x : x in ["mac"]} def modification(self, profile): if not profile.vtypes.get("cnode"): profile.vtypes.update(cnode_vtypes) class catfishScan(scan.BaseScanner): """ Scanner for Catfish string for Mountain Lion """ checks = [] def __init__(self, needles = None): self.needles = needles self.checks = [ ("MultiStringFinderCheck", {'needles':needles}) ] scan.BaseScanner.__init__(self) def scan(self, address_space, offset = 0, maxlen = None): for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen): yield offset class VolatilityDTB(obj.VolatilityMagic): """A scanner for DTB values.""" def _get_dtb_pre_m_lion(self): profile = self.obj_vm.profile if self.obj_vm.profile.metadata.get('memory_model', '32bit') == "32bit": ret = profile.get_symbol("_IdlePDPT") # on 10.5.x the PDTD symbol is a pointer instead of an array like 10.6 and 10.7 if ret % 0x1000: ret = self.obj_vm.read(ret, 4) ret = struct.unpack(" 0xffffff8000000000: ret = ret - 0xffffff8000000000 return ret ## Based 
off volafox's method for finding vm_kernel_shift through loGlo & hardcoded Catfish def _get_dtb_m_lion(self): tbl = self.obj_vm.profile.sys_map["kernel"] config = self.obj_vm.get_config() if config.SHIFT: shift_address = config.SHIFT else: scanner = catfishScan(needles = ["Catfish \x00\x00"]) for catfish_offset in scanner.scan(self.obj_vm): shift_address = catfish_offset - (tbl["_lowGlo"][0][0] % 0xFFFFFF80) break self.obj_vm.profile.shift_address = shift_address bootpml4 = (tbl["_BootPML4"][0][0] % 0xFFFFFF80) + shift_address boot_pml4_dtb = amd64.AMD64PagedMemory(self.obj_vm, config, dtb = bootpml4) idlepml4_addr = (tbl['_IdlePML4'][0][0]) + shift_address idlepml4_ptr = obj.Object("unsigned int", offset = idlepml4_addr, vm = boot_pml4_dtb) return idlepml4_ptr.v() def generate_suggestions(self): profile = self.obj_vm.profile bootpml = profile.get_symbol("_BootPML4") if bootpml: ret = self._get_dtb_m_lion() else: ret = self._get_dtb_pre_m_lion() yield ret class VolatilityMacIntelValidAS(obj.VolatilityMagic): """An object to check that an address space is a valid Mac Intel Paged space""" def _set_profile_metadata(self, version): start = version[len("Darwin Kernel Version "):] idx = start.find(":") (major, minor, _) = [int(x) for x in start[:idx].split(".")] setattr(self.obj_vm.profile, '_md_major', major) setattr(self.obj_vm.profile, '_md_minor', minor) def generate_suggestions(self): version_addr = self.obj_vm.profile.get_symbol("_version") string = self.obj_vm.read(version_addr, 60) if string and string.startswith("Darwin"): self._set_profile_metadata(string) yield True else: yield False class ifnet(obj.CType): def sockaddr_dl(self): if hasattr(self, "if_lladdr"): ret = obj.Object("sockaddr_dl", offset = self.if_lladdr.ifa_addr.v(), vm = self.obj_vm) else: ret = obj.Object("sockaddr_dl", offset = self.if_addrhead.tqh_first.ifa_addr.v(), vm = self.obj_vm) return ret class vnode(obj.CType): def is_dir(self): return self.v_type == 2 def is_reg(self): return 
self.v_type == 1 def _do_calc_path(self, ret, vnodeobj, vname): if vnodeobj == None: return if vname: ret.append(vname) if vnodeobj.v_flag.v() & 0x000001 != 0 and vnodeobj.v_mount.v() != 0: if vnodeobj.v_mount.mnt_vnodecovered.v() != 0: self._do_calc_path(ret, vnodeobj.v_mount.mnt_vnodecovered, vnodeobj.v_mount.mnt_vnodecovered.v_name) else: self._do_calc_path(ret, vnodeobj.v_parent, vnodeobj.v_parent.v_name) def full_path(self): if self.v_flag.v() & 0x000001 != 0 and self.v_mount.v() != 0 and self.v_mount.mnt_flag.v() & 0x00004000 != 0: ret = "/" else: elements = [] files = [] self._do_calc_path(elements, self, self.v_name) elements.reverse() for e in elements: files.append(str(e.dereference())) ret = "/".join(files) if ret: ret = "/" + ret return ret ''' static inline uintptr_t vm_page_unpack_ptr(uintptr_t p) { if (!p) return ((uintptr_t)0); if (p & VM_PACKED_FROM_VM_PAGES_ARRAY) return ((uintptr_t)(&vm_pages[(uint32_t)(p & ~VM_PACKED_FROM_VM_PAGES_ARRAY)])); return (((p << VM_PACKED_POINTER_SHIFT) + (uintptr_t) VM_MIN_KERNEL_AND_KEXT_ADDRESS)); } ''' def _get_next_page(self, memq): # packed pointer, in 10.12+ p = memq.m("next") if p == 0 or p == None: ret = None elif self.obj_vm.profile.metadata.get('memory_model', 0) == "64bit" and p.size() == 4: if p & 0x80000000 != 0: vm_pages_ptr = self.obj_vm.profile.get_symbol("_vm_pages") vm_pages_addr = obj.Object("unsigned long long", offset = vm_pages_ptr, vm = self.obj_vm) ret_addr = vm_pages_addr + ((p & ~0x80000000) * 8) else: ret_addr = (p << 6) + 0xffffff7f80000000 ret = obj.Object("vm_page", offset = ret_addr, vm = self.obj_vm) else: ret = p.dereference_as("vm_page") return ret def get_contents(self): memq = self.v_un.vu_ubcinfo.ui_control.moc_object.memq cur = self._get_next_page(memq) file_size = self.v_un.vu_ubcinfo.ui_size phys_as = self.obj_vm.base idx = 0 written = 0 while cur and cur.is_valid() and cur.offset < file_size: # the last element of the queue seems to track the size of the queue if cur.offset != 
0 and cur.offset == idx: break if cur.phys_page != 0 and cur.offset >= 0: sz = 4096 if file_size - written < 4096: sz = file_size - written buf = phys_as.zread(cur.phys_page * 4096, sz) yield (cur.offset.v(), buf) idx = idx + 1 written = written + 4096 cur = self._get_next_page(cur.listq) class fileglob(obj.CType): @property def fg_type(self): ret = self.members.get("fg_type") if ret: ret = self.m("fg_type") else: if self.fg_ops.is_valid(): ret = self.fg_ops.fo_type else: ret = 'INVALID' ret = str(ret) return ret class kauth_scope(obj.CType): @property def ks_identifier(self): ident_ptr = self.m("ks_identifier") ident = self.obj_vm.read(ident_ptr, 256) if ident: idx = ident.find("\x00") if idx != -1: ident = ident[:idx] return ident def listeners(self): ls_array = obj.Object(theType="Array", targetType="kauth_local_listener", offset = self.m("ks_listeners").obj_offset, vm = self.obj_vm, count = 16) for ls in ls_array: if ls.is_valid() and ls.kll_callback != 0: yield ls class thread(obj.CType): def start_time(self): baddr = self.obj_vm.profile.get_symbol("_clock_boottime") boot_time = obj.Object("unsigned long long", offset = baddr, vm = self.obj_vm) abs_time = boot_time + self.sched_stamp try: data = struct.pack(" 0x40000000: continue off = map.start while off < map.end: # test the number of buckets dr = proc_as.read(off + nbuckets_offset, 4) if dr == None: new_off = (off & ~0xfff) + 0xfff + 1 off = new_off continue test = struct.unpack(" 0: pdata = bucket.data if pdata == None: bucket = bucket.next_bucket() continue if bucket.key != None and bucket.data != None and pdata.is_valid() and (0 <= pdata.flags <= 2): if len(str(bucket.key)) > 0 or len(str(bucket.data.path)) > 0: yield bucket bucket = bucket.next_bucket() off = off + 1 def bash_history_entries(self): proc_as = self.get_process_address_space() bit_string = str(self.task.map.pmap.pm_task_map or '')[9:] if bit_string.find("64BIT") == -1: pack_format = "= 0x1000000: continue while off < end: if env_start: 
break # check the first index addrstr = proc_as.read(off, self.pack_size) if not addrstr: off = (off & ~0xfff) + 0xfff + 1 continue off = off + 4 addr = struct.unpack(self.pack_fmt, addrstr)[0] if addr in seen_ptrs: continue seen_ptrs[addr] = 1 # check first idx... if addr: firstaddrstr = proc_as.read(addr, self.pack_size) if not firstaddrstr or len(firstaddrstr) != self.pack_size: continue firstaddr = struct.unpack(self.pack_fmt, firstaddrstr)[0] if firstaddr in seen_firsts: continue seen_firsts[firstaddr] = 1 buf = proc_as.read(firstaddr, 64) if not buf: continue eqidx = buf.find("=") if eqidx > 0: nullidx = buf.find("\x00") # single char name, = if nullidx >= eqidx: env_start = addr if not dynamic_env_hint: dynamic_env_hint = [start, end, length] break return env_start def _get_env_vars(self, proc_as, env_start): good_vars = [] envars = obj.Object(theType="Array", targetType=self.addr_type, vm=proc_as, offset=env_start, count=256) for var in envars: if not var or not var.is_valid(): break sizes = [32, 64, 128, 256, 8, 16, 384, 512, 1024, 2048, 4096] good_varstr = None for size in sizes: varstr = proc_as.read(var, size) if not varstr: break eqidx = varstr.find("=") idx = varstr.find("\x00") if idx == -1 or eqidx == -1 or idx < eqidx: continue good_varstr = varstr break if good_varstr: good_varstr = good_varstr[:idx] key = good_varstr[:eqidx] val = good_varstr[eqidx+1:] if len(key) > 0 and len(val) > 0 and self._valid_string(key) and self._valid_string(val): good_vars.append((key, val)) else: break return good_vars def _dynamic_env(self, proc_as, pack_format, addr_sz): env_start = 0 if dynamic_env_hint: mappings = [dynamic_env_hint] env_start = self._carve_mappings_for_env(proc_as, mappings) good_vars = self._get_env_vars(proc_as, env_start) if len(good_vars) < 2: env_start = 0 # find either libc itself or all mappings if env_start == 0: mappings = self._get_env_mappings(proc_as) env_start = self._carve_mappings_for_env(proc_as, mappings) if env_start != 0: 
good_vars = self._get_env_vars(proc_as, env_start) else: good_vars = [] return good_vars def _valid_string(self, test_string): valid = True test_string = str(test_string) for s in test_string: if not s in string.printable: valid = False break return valid def _shell_variables(self, proc_as, pack_format, addr_sz, htable_type): if has_yara == False: return nbuckets_offset = self.obj_vm.profile.get_obj_offset(htable_type, "nbuckets") if addr_sz == 4: edata_type = "mac32_envdata" else: edata_type = "mac64_envdata" seen_ptr = {} s = "{ 40 00 00 00 }" rules = yara.compile(sources = { 'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}' }) scanner = BashEnvYaraScanner(task = self, rules = rules) for hit, off in scanner.scan(): htable = obj.Object(htable_type, offset = off - addr_sz, vm = proc_as) if not htable.is_valid(): continue for ent in htable: if not ent.m("key").is_valid(): continue if self._valid_string(ent.key): key = str(ent.key) else: key = "" val_addr = ent.data.dereference_as(edata_type).value if val_addr.is_valid() and self._valid_string(val_addr.dereference()): val = str(val_addr.dereference()) else: val = "" if len(key) > 0 and len(val) > 0: yield key, val def _load_time_env(self, proc_as): start = self.user_stack - self.p_argslen skip = len(self.get_arguments()) end = self.p_argslen to_read = end - skip vars_buf = proc_as.read(start + skip, to_read) if vars_buf: ents = vars_buf.split("\x00") for varstr in ents: eqidx = varstr.find("=") if eqidx == -1: continue key = varstr[:eqidx] val = varstr[eqidx+1:] yield (key, val) def psenv(self): proc_as = self.get_process_address_space() # In cases when mm is an invalid pointer if not proc_as: return # don't scan the kernel if self.p_pid == 0: return # Are we dealing with 32 or 64-bit pointers if self.obj_vm.profile.metadata.get('memory_model', '32bit') == '32bit': pack_format = " 100000000: continue # this is related to the shared cache map # contact Andrew for full details if str(seg.segname) == "__LINKEDIT" 
and seg.vmsize > 20000000: continue cur = seg.vmaddr end = seg.vmaddr + seg.vmsize while cur < end: buffer = buffer + proc_as.zread(cur, 4096) cur = cur + 4096 return buffer def procdump(self): start = self.text_start() if start: ret = self.get_macho(start) else: ret = "" return ret def get_dyld_maps(self): proc_as = self.get_process_address_space() if proc_as == None: return if self.pack_size == 4: dtype = "dyld32_all_image_infos" itype = "dyld32_image_info" else: dtype = "dyld64_all_image_infos" itype = "dyld64_image_info" infos = obj.Object(dtype, offset=self.task.all_image_info_addr, vm=proc_as) if not infos: return # the pointer address info_buf = proc_as.read(infos.infoArray.obj_offset, self.pack_size) if not info_buf: return info_addr = struct.unpack(self.pack_fmt, info_buf)[0] cnt = infos.infoArrayCount if cnt > 4096: cnt = 1024 img_infos = obj.Object(theType = "Array", targetType = itype, offset = info_addr, count = cnt, vm = proc_as) for info_addr in img_infos: if info_addr and info_addr.is_valid(): yield info_addr def get_proc_maps(self): map = self.task.map.hdr.links.next for i in xrange(self.task.map.hdr.nentries): if not map: break yield map map = map.links.next def find_heap_map(self): ret = None for pmap in self.get_proc_maps(): if pmap.get_special_path() == "[heap]": ret = pmap break return None def find_map(self, addr): ret = None for vma in self.get_proc_maps(): if int(vma.links.start) <= int(addr) <= int(vma.links.end): ret = vma break return ret def find_map_path(self, addr): path = "" m = self.find_map(addr) if m: path = m.get_path() if path == "": path = m.get_special_path() return path def search_process_memory(self, s): """Search process memory. 
@param s: a list of strings like ["one", "two"] """ # Allow for some overlap in case objects are # right on page boundaries overlap = 1024 scan_blk_sz = 1024 * 1024 * 10 addr_space = self.get_process_address_space() for vma in self.get_proc_maps(): offset = vma.links.start out_of_range = vma.links.start + (vma.links.end - vma.links.start) while offset < out_of_range: # Read some data and match it. to_read = min(scan_blk_sz + overlap, out_of_range - offset) data = addr_space.zread(offset, to_read) if not data: break for x in s: for hit in utils.iterfind(data, x): yield offset + hit offset += min(to_read, scan_blk_sz) def search_process_memory_rw_nofile(self, s): """Search process memory. @param s: a list of strings like ["one", "two"] """ # Allow for some overlap in case objects are # right on page boundaries overlap = 1024 scan_blk_sz = 1024 * 1024 * 10 addr_space = self.get_process_address_space() for vma in self.get_proc_maps(): if vma.get_perms() != "rw-" or vma.get_path() != "": if vma.get_special_path() != "[heap]": continue offset = vma.links.start out_of_range = vma.links.start + (vma.links.end - vma.links.start) while offset < out_of_range: # Read some data and match it. 
to_read = min(scan_blk_sz + overlap, out_of_range - offset) data = addr_space.zread(offset, to_read) if not data: break for x in s: for hit in utils.iterfind(data, x): yield offset + hit offset += min(to_read, scan_blk_sz) def get_environment(self): env = "" for (k, v) in self.psenv(): env = env + "{0}={1} ".format(k, v) return env def get_arguments(self): proc_as = self.get_process_address_space() # We need a valid process AS to continue if not proc_as: return "" argsstart = self.user_stack - self.p_argslen # Stack location may be paged out or not contain any args if (not proc_as.is_valid_address(argsstart) or self.p_argslen == 0 or self.p_argc == 0): return "" # Add one because the first two are usually duplicates argc = self.p_argc + 1 args = [] if argc > 1024: return "" while argc > 0: arg = obj.Object("String", offset = argsstart, vm = proc_as, length = 256) if not arg: break # Initial address of the next string argsstart += len(str(arg)) + 1 # Very first one is aligned in some crack ass way if len(args) == 0: while (proc_as.read(argsstart, 1) == "\x00" and argsstart < self.user_stack): argsstart += 1 args.append(arg) else: # Only add this string if its not a duplicate of the first if str(arg) != str(args[0]): args.append(arg) argc -= 1 return " ".join([str(s) for s in args]) def lsof(self): num_fds = self.p_fd.fd_lastfile nfiles = self.p_fd.fd_nfiles if nfiles > num_fds: num_fds = nfiles if num_fds > 4096: num_fds = 1024 fds = obj.Object('Array', offset = self.p_fd.fd_ofiles, vm = self.obj_vm, targetType = 'Pointer', count = num_fds) for i, fd in enumerate(fds): f = fd.dereference_as("fileproc") if f and f.f_fglob.is_valid(): ftype = f.f_fglob.fg_type if ftype == 'DTYPE_VNODE': vnode = f.f_fglob.fg_data.dereference_as("vnode") path = vnode.full_path() else: path = "<%s>" % ftype.replace("DTYPE_", "").lower() yield f, path, i class rtentry(obj.CType): def get_time(self): if not hasattr(self, "base_calendartime"): return "N/A" data = struct.pack(" 4096: return 
"" string_object = obj.Object("String", offset = self.string, vm = self.obj_vm, length = self.length) return str(string_object or '') class vm_map_object(obj.CType): def object(self): if hasattr(self, "vm_object"): ret = self.m("vm_object") else: ret = self.vmo_object return ret class vm_map_entry(obj.CType): @property def start(self): return self.links.start @property def end(self): return self.links.end def get_perms(self): permask = "rwx" perms = "" for (ctr, i) in enumerate([1, 3, 5]): if (self.protection & i) == i: perms = perms + permask[ctr] else: perms = perms + "-" return perms # used to find heap, stack, etc. def get_special_path(self): if hasattr(self, "alias"): check = self.alias.v() else: check = self.vme_offset.v() & 0xfff if 0 < check < 10: ret = "[heap]" elif check == 30: ret = "[stack]" else: ret = "" return ret def get_path(self): vnode = self.get_vnode() if type(vnode) == str and vnode == "sub_map": ret = vnode elif vnode: path = [] while vnode: path.append(str(vnode.v_name.dereference() or '')) vnode = vnode.v_parent path.reverse() ret = "/".join(path) else: ret = "" return ret @property def object(self): if hasattr(self, "vme_object"): ret = self.vme_object else: ret = self.m("object") return ret def get_vnode(self): map_obj = self if self.is_sub_map == 1: return "sub_map" # find_vnode_object vnode_object = map_obj.object.object() while vnode_object.shadow.dereference() != None: vnode_object = vnode_object.shadow.dereference() ops = vnode_object.pager.mo_pager_ops.v() if ops == self.obj_vm.profile.get_symbol("_vnode_pager_ops"): vpager = obj.Object("vnode_pager", offset = vnode_object.pager, vm = self.obj_vm) ret = vpager.vnode_handle else: ret = None return ret def resident_count(self): vmobj = self.object.object() if not vmobj: return 0 # based on OBJ_RESIDENT_COUNT # all versions since OS X 10.6 if hasattr(vmobj, "all_reusable"): if vmobj.all_reusable == 1: count = vmobj.wired_page_count.v() else: count = vmobj.resident_page_count.v() - 
vmobj.reusable_page_count.v() # really old systems - OS X 10.5 else: count = vmobj.resident_page_count.v() return count def is_suspicious(self): ret = False perms = self.get_perms() if perms == "rwx": ret = True elif perms == "r-x" and self.get_path() == "": ret = True return ret class inpcb(obj.CType): def get_tcp_state(self): tcp_states = ( "CLOSED", "LISTEN", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "CLOSE_WAIT", "FIN_WAIT1", "CLOSING", "LAST_ACK", "FIN_WAIT2", "TIME_WAIT") tcpcb = self.inp_ppcb.dereference_as("tcpcb") state_type = tcpcb.t_state if state_type: state = tcp_states[state_type] else: state = "" return state def ipv4_info(self): lip = self.inp_dependladdr.inp46_local.ia46_addr4.s_addr.v() lport = self.inp_lport rip = self.inp_dependfaddr.inp46_foreign.ia46_addr4.s_addr.v() rport = self.inp_fport return [lip, lport, rip, rport] def ipv6_info(self): lip = self.inp_dependladdr.inp6_local.__u6_addr.v() lport = self.inp_lport rip = self.inp_dependfaddr.inp6_foreign.__u6_addr.v() rport = self.inp_fport return [lip, lport, rip, rport] class inpcbinfo(obj.CType): @property def hashbase(self): ret = self.members.get("hashbase") if ret is None: ret = self.ipi_hashbase else: ret = self.m("hashbase") return ret @property def hashmask(self): ret = self.members.get("hashmask") if ret is None: ret = self.ipi_hashmask else: ret = self.m("hashmask") return ret @property def listhead(self): ret = self.members.get("listhead") if ret is None: ret = self.ipi_listhead else: ret = self.m("listhead") return ret class socket(obj.CType): @property def family(self): return self.so_proto.pr_domain.dom_family @property def protocol(self): proto = self.so_proto.pr_protocol if proto == 6: ret = "TCP" elif proto == 17: ret = "UDP" else: ret = "" return ret def _get_tcp_state(self): tcp_states = ( "CLOSED", "LISTEN", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "CLOSE_WAIT", "FIN_WAIT1", "CLOSING", "LAST_ACK", "FIN_WAIT2", "TIME_WAIT") inpcb = self.so_pcb.dereference_as("inpcb") tcpcb = 
inpcb.inp_ppcb.dereference_as("tcpcb") state = tcpcb.t_state if state: ret = tcp_states[tcpcb.t_state] else: ret = "" return ret @property def state(self): if self.so_proto.pr_protocol == 6: ret = self._get_tcp_state() else: ret = "" return ret def get_connection_info(self): if not self.so_pcb.is_valid(): return None ipcb = self.so_pcb.dereference_as("inpcb") if self.family == 2: ret = ipcb.ipv4_info() else: ret = ipcb.ipv6_info() return ret class sockaddr_dl(obj.CType): def v(self): """Get the value of the sockaddr_dl object.""" ret = "" for i in xrange(self.sdl_alen): try: e = self.sdl_data[self.sdl_nlen + i] e = ord(e.v()) except IndexError: e = 0 ret = ret + "%.02x:" % e if ret and ret[-1] == ":": ret = ret[:-1] return ret class sockaddr(obj.CType): def get_address(self): family = self.sa_family ip = "" if family == 2: # AF_INET addr_in = obj.Object("sockaddr_in", offset = self.obj_offset, vm = self.obj_vm) ip = addr_in.sin_addr.s_addr.v() elif family == 30: # AF_INET6 addr_in6 = obj.Object("sockaddr_in6", offset = self.obj_offset, vm = self.obj_vm) ip = addr_in6.sin6_addr.__u6_addr.v() elif family == 18: # AF_LINK addr_dl = obj.Object("sockaddr_dl", offset = self.obj_offset, vm = self.obj_vm) ip = addr_dl.v() return ip class dyld32_image_info(obj.CType): def is_valid(self): return len(self.imageFilePath) > 1 and self.imageLoadAddress > 0x1000 def _read_ptr(self, addr): addr = self.obj_vm.read(addr, 4) if not addr: ret = None else: ret = struct.unpack(" 1 and self.imageLoadAddress > 0x1000 def _read_ptr(self, addr): addr = self.obj_vm.read(addr, 8) if addr == None: ret = None else: ret = struct.unpack(" name of the symbol nm_tyes -> types as defined by 'nm' (man nm for examples) module -> which module to get the symbol from, default is kernel, otherwise can be any name seen in 'lsmod' This fixes a few issues from the old static hash table method: 1) Conflicting symbols can be handled, if a symbol is found to conflict on any profile, then the plugin will need to 
provide the nm_type to differentiate, otherwise the plugin will be errored out 2) Can handle symbols gathered from modules on disk as well from the static kernel symtable is stored as a hash table of: symtable[module][sym_name] = [(symbol address, symbol type), (symbol addres, symbol type), ...] The function has overly verbose error checking on purpose... """ symtable = self.sys_map ret = None # check if the module is there... if module in symtable: mod = symtable[module] # check if the requested symbol is in the module if sym_name in mod: sym_list = mod[sym_name] # if a symbol has multiple definitions, then the plugin needs to specify the type if len(sym_list) > 1: if nm_type == "": debug.error("Requested symbol {0:s} in module {1:s} has multiple definitions and no type given\n".format(sym_name, module)) else: for (addr, stype) in sym_list: if stype == nm_type: ret = addr break if ret == None: debug.error("Requested symbol {0:s} in module {1:s} could not be found\n".format(sym_name, module)) else: # get the address of the symbol ret = sym_list[0][0] else: debug.debug("Requested symbol {0:s} not found in module {1:s}\n".format(sym_name, module)) else: debug.info("Requested module {0:s} not found in symbol table\n".format(module)) if self.shift_address and ret: ret = ret + self.shift_address return ret cls = AbstractMacProfile cls.__name__ = 'Mac' + profilename.replace('.', '_') + arch return cls ################################ # Track down the zip files # Push them through the factory # Check whether ProfileModifications will work new_classes = [] for path in set(plugins.__path__): for path, _, files in os.walk(path): for fn in files: if zipfile.is_zipfile(os.path.join(path, fn)): new_classes.append(MacProfileFactory(zipfile.ZipFile(os.path.join(path, fn)))) kext_overlay = { 'kmod_info_class': [None, { 'name' : [ None , ['String', dict(length = 64)]], }], } class KextOverlay(obj.ProfileModification): conditions = {'os': lambda x: x == 'mac'} before = 
['BasicObjectClasses'] def modification(self, profile): if 'kmod_info_class' in profile.vtypes: profile.merge_overlay(kext_overlay) class MacOverlay(obj.ProfileModification): conditions = {'os': lambda x: x == 'mac'} before = ['BasicObjectClasses'] def modification(self, profile): profile.merge_overlay(mac_overlay) class MacObjectClasses(obj.ProfileModification): conditions = {'os': lambda x: x == 'mac'} before = ['BasicObjectClasses'] def modification(self, profile): profile.object_classes.update({ 'VolatilityDTB': VolatilityDTB, 'VolatilityMacIntelValidAS' : VolatilityMacIntelValidAS, 'proc' : proc, 'thread' : thread, 'kauth_scope' : kauth_scope, 'dyld32_image_info' : dyld32_image_info, 'dyld64_image_info' : dyld64_image_info, 'fileglob' : fileglob, 'vnode' : vnode, 'ifnet' : ifnet, 'socket' : socket, 'inpcbinfo' : inpcbinfo, 'inpcb' : inpcb, 'zone' : zone, 'OSString' : OSString, 'OSString_class' : OSString, 'sysctl_oid' : sysctl_oid, 'IpAddress': basic.IpAddress, 'Ipv6Address': basic.Ipv6Address, 'sockaddr' : sockaddr, 'sockaddr_dl' : sockaddr_dl, 'vm_map_entry' : vm_map_entry, 'vm_map_object' : vm_map_object, 'rtentry' : rtentry, 'queue_entry' : queue_entry, }) mac_overlay = { 'VOLATILITY_MAGIC': [None, { 'DTB' : [ 0x0, ['VolatilityDTB', dict(configname = "DTB")]], 'IA32ValidAS' : [ 0x0, ['VolatilityMacIntelValidAS']], 'AMD64ValidAS' : [ 0x0, ['VolatilityMacIntelValidAS']], }], 'session' : [ None, { 's_login' : [ None , ['String', dict(length = 256)]], }], 'kfs_event' : [ None, { 'str' : [ None, ['pointer', ['String', dict(length = 256)]]], }], 'zone' : [ None, { 'zone_name': [ None, ['pointer', ['String', dict(length = 256)]]], }], 'mac_policy_conf' : [ None, { 'mpc_name' : [ None, ['pointer', ['String', dict(length = 256)]]], }], 'proc' : [ None, { 'p_comm' : [ None, ['String', dict(length = 17)]], 'task' : [ None, ['pointer', ['task']]], }], 'ifnet' : [ None, { 'if_name' : [ None, ['pointer', ['String', dict(length = 256)]]], }], 'vnode' : [ None, { 'v_name' 
: [ None, ['pointer', ['String', dict(length = 256)]]], }], 'boot_args' : [ None, { 'CommandLine' : [ None, ['String', dict(length = 1024)]], }], 'vfsstatfs' : [ None, { 'f_fstypename' : [ None, ['String', dict(length = 16)]], 'f_mntonname' : [ None, ['String', dict(length = 1024)]], 'f_mntfromname' : [ None, ['String', dict(length = 1024)]], }], 'kmod_info' : [ None, { 'name' : [ None, ['String', dict(length = 64)]], 'version' : [ None, ['String', dict(length = 64)]], }], 'ipf_filter' : [ None, { 'name' : [ None, ['pointer', ['String', dict(length = 256)]]], }], 'sysctl_oid' : [ None, { 'oid_name' : [ None, ['pointer', ['String', dict(length = 256)]]], }], 'sockaddr_un': [ None, { 'sun_path' : [ None, ['String', dict(length = 104)]], }], 'in_addr' : [ None, { 's_addr' : [ None, ['IpAddress']], }], 'in6_addr' : [ None, { '__u6_addr' : [ None, ['Ipv6Address']], }], 'inpcb' : [ None, { 'inp_lport' : [ None, ['unsigned be short']], 'inp_fport' : [ None, ['unsigned be short']], }], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/mac/__init__.py0000644000000000000000000000000013131215405025521 0ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/overlays/native_types.py0000644000000000000000000000150613131215405025750 0ustar rootrootimport copy ## The following is a conversion of basic C99 types to python struct ## format strings. NOTE: since volatility is analysing images which ## are not necessarily the same bit size as the currently running ## platform you may not use platform specific format specifiers here ## like l or L - you must use i or I. x86_native_types = { 'int' : [4, 'H'], 'short' : [2, ' # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.taskmods as taskmods
from volatility import renderers
from volatility.renderers.basic import Address, Hex

# Inherit from Dlllist for command line options
class Handles(taskmods.DllList):
    """Print list of open handles for each process"""

    def __init__(self, config, *args, **kwargs):
        """Register the three plugin options on top of the DllList ones."""
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option("PHYSICAL-OFFSET",
                          short_option = 'P',
                          default = False,
                          help = "Physical Offset",
                          action = "store_true")
        config.add_option("OBJECT-TYPE",
                          short_option = 't',
                          default = None,
                          help = 'Show these object types (comma-separated)',
                          action = 'store',
                          type = 'str')
        config.add_option("SILENT",
                          short_option = 's',
                          default = False,
                          action = 'store_true',
                          help = 'Suppress less meaningful results')

    def generator(self, data):
        """Yield TreeGrid rows for the handles produced by calculate().

        Rows are dropped when an OBJECT-TYPE filter is set and the handle's
        type is not in it (case-insensitive), or when SILENT is set and the
        name is empty once single quotes are removed.
        """
        type_option = self._config.OBJECT_TYPE
        wanted_types = [t.lower() for t in type_option.split(',')] if type_option else []

        for pid, handle, object_type, name in data:
            # Only lower-case the type when a filter was actually given.
            if wanted_types and object_type.lower() not in wanted_types:
                continue
            if self._config.SILENT and len(name.replace("'", "")) == 0:
                continue

            if self._config.PHYSICAL_OFFSET:
                # NOTE(review): the vtop() result is used unchecked; confirm
                # how a body that cannot be translated is reported here.
                offset = handle.obj_vm.vtop(handle.Body.obj_offset)
            else:
                offset = handle.Body.obj_offset

            row = [Address(offset),
                   int(pid),
                   Hex(handle.HandleValue),
                   Hex(handle.GrantedAccess),
                   str(object_type),
                   str(name)]
            yield (0, row)

    def unified_output(self, data):
        """Build the TreeGrid; the offset column is tagged (V) or (P)."""
        offsettype = "(P)" if self._config.PHYSICAL_OFFSET else "(V)"
        columns = [("Offset{0}".format(offsettype), Address),
                   ("Pid", int),
                   ("Handle", Hex),
                   ("Access", Hex),
                   ("Type", str),
                   ("Details", str),
                   ]
        return renderers.TreeGrid(columns, self.generator(data))

    def render_text(self, outfd, data):
        """Write the handle table to outfd, with the same filters as generator()."""
        offsettype = "(P)" if self._config.PHYSICAL_OFFSET else "(V)"

        self.table_header(outfd,
                          [("Offset{0}".format(offsettype), "[addrpad]"),
                           ("Pid", ">6"),
                           ("Handle", "[addr]"),
                           ("Access", "[addr]"),
                           ("Type", "16"),
                           ("Details", "")
                           ])

        type_option = self._config.OBJECT_TYPE
        wanted_types = [t.lower() for t in type_option.split(',')] if type_option else []

        for pid, handle, object_type, name in data:
            if wanted_types and object_type.lower() not in wanted_types:
                continue
            if self._config.SILENT and len(name.replace("'", "")) == 0:
                continue

            if self._config.PHYSICAL_OFFSET:
                offset = handle.obj_vm.vtop(handle.Body.obj_offset)
            else:
                offset = handle.Body.obj_offset

            self.table_row(outfd,
                           offset,
                           pid,
                           handle.HandleValue,
                           handle.GrantedAccess,
                           object_type,
                           name)

    def calculate(self):
        """Yield (pid, handle, object_type, name) for every valid handle.

        Tasks come from DllList.calculate(); a task whose
        ObjectTable.HandleTableList is false is skipped, and so is any handle
        that fails is_valid(). The name is derived per object type; every
        value is read from the analysed image, so treat it as display text.
        """
        for task in taskmods.DllList.calculate(self):
            pid = task.UniqueProcessId
            if not task.ObjectTable.HandleTableList:
                continue

            for handle in task.ObjectTable.handles():
                if not handle.is_valid():
                    continue

                object_type = handle.get_object_type()
                name = ""
                if object_type == "File":
                    fobj = handle.dereference_as("_FILE_OBJECT")
                    name = str(fobj.file_name_with_device())
                elif object_type == "Key":
                    kobj = handle.dereference_as("_CM_KEY_BODY")
                    name = kobj.full_key_name()
                elif object_type == "Process":
                    pobj = handle.dereference_as("_EPROCESS")
                    name = "{0}({1})".format(pobj.ImageFileName,
                                             pobj.UniqueProcessId)
                elif object_type == "Thread":
                    tobj = handle.dereference_as("_ETHREAD")
                    name = "TID {0} PID {1}".format(tobj.Cid.UniqueThread,
                                                    tobj.Cid.UniqueProcess)
                # Kept as "== None" exactly as in the original comparison.
                elif handle.NameInfo.Name == None:
                    name = ''
                else:
                    name = str(handle.NameInfo.Name)

                yield pid, handle, object_type, name
volatility_2.6+git20170711.b3db0cc/volatility/plugins/vadinfo.py0000644000000000000000000005127213131215405023025 0ustar rootroot# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Authors:
# Brendan Dolan-Gavitt
# Mike Auty
#
# This file is part of Volatility.
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # # The source code in this file was inspired by the excellent work of # Brendan Dolan-Gavitt. Background information can be found in # the following reference: # "The VAD Tree: A Process-Eye View of Physical Memory," Brendan Dolan-Gavitt import os.path import volatility.obj as obj import volatility.plugins.taskmods as taskmods import volatility.debug as debug #pylint: disable-msg=W0611 import volatility.constants as constants from volatility.renderers import TreeGrid from volatility.renderers.basic import Address # Vad Protections. Also known as page protections. _MMVAD_FLAGS.Protection, # 3-bits, is an index into nt!MmProtectToValue (the following list). 
# Lookup table from the raw Protection index stored in the VAD flags to a
# readable page-protection string. The table has 32 entries (indexes 0-31),
# laid out as four groups of eight: plain, PAGE_NOCACHE, PAGE_GUARD and
# PAGE_WRITECOMBINE. The first slot of every group is PAGE_NOACCESS.
PROTECT_FLAGS = {
    0: 'PAGE_NOACCESS',
    1: 'PAGE_READONLY',
    2: 'PAGE_EXECUTE',
    3: 'PAGE_EXECUTE_READ',
    4: 'PAGE_READWRITE',
    5: 'PAGE_WRITECOPY',
    6: 'PAGE_EXECUTE_READWRITE',
    7: 'PAGE_EXECUTE_WRITECOPY',
    8: 'PAGE_NOACCESS',
    9: 'PAGE_NOCACHE | PAGE_READONLY',
    10: 'PAGE_NOCACHE | PAGE_EXECUTE',
    11: 'PAGE_NOCACHE | PAGE_EXECUTE_READ',
    12: 'PAGE_NOCACHE | PAGE_READWRITE',
    13: 'PAGE_NOCACHE | PAGE_WRITECOPY',
    14: 'PAGE_NOCACHE | PAGE_EXECUTE_READWRITE',
    15: 'PAGE_NOCACHE | PAGE_EXECUTE_WRITECOPY',
    16: 'PAGE_NOACCESS',
    17: 'PAGE_GUARD | PAGE_READONLY',
    18: 'PAGE_GUARD | PAGE_EXECUTE',
    19: 'PAGE_GUARD | PAGE_EXECUTE_READ',
    20: 'PAGE_GUARD | PAGE_READWRITE',
    21: 'PAGE_GUARD | PAGE_WRITECOPY',
    22: 'PAGE_GUARD | PAGE_EXECUTE_READWRITE',
    23: 'PAGE_GUARD | PAGE_EXECUTE_WRITECOPY',
    24: 'PAGE_NOACCESS',
    25: 'PAGE_WRITECOMBINE | PAGE_READONLY',
    26: 'PAGE_WRITECOMBINE | PAGE_EXECUTE',
    27: 'PAGE_WRITECOMBINE | PAGE_EXECUTE_READ',
    28: 'PAGE_WRITECOMBINE | PAGE_READWRITE',
    29: 'PAGE_WRITECOMBINE | PAGE_WRITECOPY',
    30: 'PAGE_WRITECOMBINE | PAGE_EXECUTE_READWRITE',
    31: 'PAGE_WRITECOMBINE | PAGE_EXECUTE_WRITECOPY',
}

# Vad Types. The _MMVAD_SHORT.u.VadFlags (_MMVAD_FLAGS) struct on XP has
# individual flags, 1-bit each, for these types. The _MMVAD_FLAGS for all
# OS after XP has a member _MMVAD_FLAGS.VadType, 3-bits, which is an index
# into the following enumeration.
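MI_VAD_TYPE = dict(enumerate([
    'VadNone',
    'VadDevicePhysicalMemory',
    'VadImageMap',
    'VadAwe',
    'VadWriteWatch',
    'VadLargePages',
    'VadRotatePhysical',
    'VadLargePageSection',
]))

# Inherit from dlllist just for the config options (__init__)
class VADInfo(taskmods.DllList):
    """Dump the VAD info"""

    def __init__(self, config, *args, **kwargs):
        """Add the ADDR option on top of the DllList options."""
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option('ADDR', short_option = 'a', default = None,
                          help = 'Show info on VAD at or containing this address',
                          action = 'store', type = 'int')

    def unified_output(self, data):
        """Return a TreeGrid with one row per VAD (see generator())."""
        return TreeGrid([("Pid", int),
                         ("VADNodeAddress", Address),
                         ("Start", Address),
                         ("End", Address),
                         ("Tag", str),
                         ("Flags", str),
                         ("Protection", str),
                         ("VadType", str),
                         ("ControlArea", Address),
                         ("Segment", Address),
                         ("NumberOfSectionReferences", int),
                         ("NumberOfPfnReferences", int),
                         ("NumberOfMappedViews", int),
                         ("NumberOfUserReferences", int),
                         ("Control Flags", str),
                         ("FileObject", Address),
                         ("FileNameWithDevice", str),
                         ("FirstPrototypePte", Address),
                         ("LastContiguousPte", Address),
                         ("Flags2", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield one row per VAD of every task in `data`.

        Control-area and long-VAD fields keep their placeholder values
        (0, -1 or "") when the VAD does not have the attribute.
        """
        for task in data:
            for vad in task.VadRoot.traverse():
                if (self._config.ADDR is not None and
                        (self._config.ADDR < vad.Start or
                         self._config.ADDR > vad.End)):
                    continue
                if vad != None:
                    # Init vad control and ext variables
                    controlAreaAddr = 0
                    segmentAddr = 0
                    numberOfSectionReferences = -1
                    numberOfPfnReferences = -1
                    numberOfMappedViews = -1
                    numberOfUserReferences = -1
                    controlFlags = ""
                    fileObjectAddr = 0
                    fileNameWithDevice = ""
                    firstPrototypePteAddr = 0
                    lastContiguousPteAddr = 0
                    flags2 = ""
                    vadType = ""

                    protection = PROTECT_FLAGS.get(vad.VadFlags.Protection.v(),
                                                   hex(vad.VadFlags.Protection))

                    # translate the vad type if its available (> XP)
                    if hasattr(vad.VadFlags, "VadType"):
                        vadType = MI_VAD_TYPE.get(vad.VadFlags.VadType.v(),
                                                  hex(vad.VadFlags.VadType))

                    try:
                        control_area = vad.ControlArea
                        # even if the ControlArea is not NULL, it is only meaningful
                        # for shared (non private) memory sections.
                        if vad.VadFlags.PrivateMemory != 1 and control_area:
                            controlAreaAddr = control_area.dereference().obj_offset
                            segmentAddr = control_area.Segment
                            numberOfSectionReferences = control_area.NumberOfSectionReferences
                            numberOfPfnReferences = control_area.NumberOfPfnReferences
                            numberOfMappedViews = control_area.NumberOfMappedViews
                            numberOfUserReferences = control_area.NumberOfUserReferences
                            controlFlags = control_area.u.Flags
                            file_object = vad.FileObject
                            if file_object:
                                fileObjectAddr = file_object.obj_offset
                                fileNameWithDevice = file_object.file_name_with_device()
                    except AttributeError:
                        # short VADs have no control area members
                        pass

                    try:
                        firstPrototypePteAddr = vad.FirstPrototypePte
                        lastContiguousPteAddr = vad.LastContiguousPte
                        flags2 = str(vad.u2.VadFlags2)
                    except AttributeError:
                        pass

                    yield(0, [int(task.UniqueProcessId),
                              Address(vad.obj_offset),
                              Address(vad.Start),
                              Address(vad.End),
                              str(vad.Tag or ''),
                              str(vad.VadFlags or ''),
                              str(protection or ''),
                              str(vadType or ''),
                              Address(controlAreaAddr),
                              Address(segmentAddr),
                              int(numberOfSectionReferences),
                              int(numberOfPfnReferences),
                              int(numberOfMappedViews),
                              int(numberOfUserReferences),
                              str(controlFlags or ''),
                              Address(fileObjectAddr),
                              str(fileNameWithDevice or ''),
                              Address(firstPrototypePteAddr),
                              Address(lastContiguousPteAddr),
                              str(flags2 or '')])

    def render_text(self, outfd, data):
        """Write the short, control and extended view of each VAD as text."""
        for task in data:
            outfd.write("*" * 72 + "\n")
            outfd.write("Pid: {0:6}\n".format(task.UniqueProcessId))
            for vad in task.VadRoot.traverse():
                if (self._config.ADDR is not None and
                        (self._config.ADDR < vad.Start or
                         self._config.ADDR > vad.End)):
                    continue
                if vad == None:
                    outfd.write("Error: {0}".format(vad))
                else:
                    self.write_vad_short(outfd, vad)
                    try:
                        self.write_vad_control(outfd, vad)
                    except AttributeError:
                        pass
                    try:
                        self.write_vad_ext(outfd, vad)
                    except AttributeError:
                        pass

                outfd.write("\n")

    def write_vad_short(self, outfd, vad):
        """Renders a text version of a Short Vad"""
        self.table_header(None,
                          [("VAD node @", str(len("VAD node @"))),
                           ("address", "[addrpad]"),
                           ("Start", "5"),
                           ("startaddr", "[addrpad]"),
                           ("End", "3"),
                           ("endaddr", "[addrpad]"),
                           ("Tag", "3"),
                           ("tagval", ""),
                           ])
        self.table_row(outfd, "VAD node @", vad.obj_offset,
                       "Start", vad.Start,
                       "End", vad.End,
                       "Tag", vad.Tag)
        outfd.write("Flags: {0}\n".format(str(vad.VadFlags)))
        # although the numeric value of Protection is printed above with VadFlags,
        # let's show the user a human-readable translation of the protection
        outfd.write("Protection: {0}\n".format(PROTECT_FLAGS.get(vad.VadFlags.Protection.v(), hex(vad.VadFlags.Protection))))
        # translate the vad type if its available (> XP)
        if hasattr(vad.VadFlags, "VadType"):
            outfd.write("Vad Type: {0}\n".format(MI_VAD_TYPE.get(vad.VadFlags.VadType.v(), hex(vad.VadFlags.VadType))))

    def write_vad_control(self, outfd, vad):
        """Renders a text version of a (non-short) Vad's control information"""
        # even if the ControlArea is not NULL, it is only meaningful
        # for shared (non private) memory sections.
        if vad.VadFlags.PrivateMemory == 1:
            return

        control_area = vad.ControlArea
        if not control_area:
            return

        outfd.write("ControlArea @{0:08x} Segment {1:08x}\n".format(control_area.dereference().obj_offset, control_area.Segment))
        outfd.write("NumberOfSectionReferences: {0:10} NumberOfPfnReferences: {1:10}\n".format(control_area.NumberOfSectionReferences, control_area.NumberOfPfnReferences))
        outfd.write("NumberOfMappedViews: {0:10} NumberOfUserReferences: {1:10}\n".format(control_area.NumberOfMappedViews, control_area.NumberOfUserReferences))
        outfd.write("Control Flags: {0}\n".format(str(control_area.u.Flags)))

        file_object = vad.FileObject
        if file_object:
            outfd.write("FileObject @{0:08x}, Name: {1}\n".format(file_object.obj_offset, str(file_object.file_name_with_device() or '')))

    def write_vad_ext(self, outfd, vad):
        """Renders a text version of a Long Vad"""
        outfd.write("First prototype PTE: {0:08x} Last contiguous PTE: {1:08x}\n".format(vad.FirstPrototypePte, vad.LastContiguousPte))
        outfd.write("Flags2: {0}\n".format(str(vad.u2.VadFlags2)))

class VADTree(VADInfo):
    """Walk the VAD tree and display in tree format"""

    def render_text(self, outfd, data):
        """Print each VAD's range, indented by its depth in the tree."""
        for task in data:
            outfd.write("*" * 72 + "\n")
            outfd.write("Pid: {0:6}\n".format(task.UniqueProcessId))
            levels = {}
            self.table_header(None,
                              [("indent", ""),
                               ("Start", "[addrpad]"),
                               ("-", "1"),
                               ("End", "[addrpad]")
                               ])
            for vad in task.VadRoot.traverse():
                if vad:
                    # depth = parent's depth + 1; an unknown parent counts as -1
                    level = levels.get(vad.Parent.obj_offset, -1) + 1
                    levels[vad.obj_offset] = level
                    self.table_row(outfd, " " * level, vad.Start, "-", vad.End)

    def render_dot(self, outfd, data):
        """Emit one Graphviz digraph per task.

        Nodes are coloured by what starts at the VAD's base address:
        red for a process heap, gray for a loaded module, green for a
        thread stack base, yellow for a VAD with a named file object.
        """
        for task in data:
            outfd.write("/" + "*" * 72 + "/\n")
            outfd.write("/* Pid: {0:6} */\n".format(task.UniqueProcessId))
            outfd.write("digraph processtree {\n")
            outfd.write("graph [rankdir = \"TB\"];\n")

            heaps = task.Peb.ProcessHeaps.dereference()
            modules = [mod.DllBase for mod in task.get_load_modules()]
            stacks = []
            for thread in task.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
                teb = obj.Object("_TEB", offset = thread.Tcb.Teb,
                                 vm = task.get_process_address_space())
                if teb:
                    stacks.append(teb.NtTib.StackBase)

            for vad in task.VadRoot.traverse():
                if vad:
                    if vad.Parent:
                        outfd.write("vad_{0:08x} -> vad_{1:08x}\n".format(vad.Parent.obj_offset or 0, vad.obj_offset))

                    fillcolor = "white"
                    if vad.Start in heaps:
                        fillcolor = "red"
                    elif vad.Start in modules:
                        fillcolor = "gray"
                    elif vad.Start in stacks:
                        fillcolor = "green"
                    else:
                        try:
                            if vad.FileObject.FileName:
                                fillcolor = "yellow"
                        except AttributeError:
                            pass

                    outfd.write("vad_{0:08x} [label = \"{{ {1}\\n{2:08x} - {3:08x} }}\""
                                "shape = \"record\" color = \"blue\" style = \"filled\" fillcolor = \"{4}\"];\n".format(
                        vad.obj_offset,
                        vad.Tag,
                        vad.Start,
                        vad.End,
                        fillcolor))

            outfd.write("}\n")

class VADWalk(VADInfo):
    """Walk the VAD tree"""

    def render_text(self, outfd, data):
        """Print each VAD node with its parent, left and right links."""
        for task in data:
            outfd.write("*" * 72 + "\n")
            outfd.write("Pid: {0:6}\n".format(task.UniqueProcessId))
            self.table_header(outfd,
                              [("Address", "[addrpad]"),
                               ("Parent", "[addrpad]"),
                               ("Left", "[addrpad]"),
                               ("Right", "[addrpad]"),
                               ("Start", "[addrpad]"),
                               ("End", "[addrpad]"),
                               ("Tag", "4"),
                               ])
            for vad in task.VadRoot.traverse():
                # Ignore Vads with bad tags (which we explicitly include as None)
                if vad:
                    self.table_row(outfd,
                                   vad.obj_offset,
                                   vad.Parent.obj_offset or 0,
                                   vad.LeftChild.dereference().obj_offset or 0,
                                   vad.RightChild.dereference().obj_offset or 0,
                                   vad.Start,
                                   vad.End,
                                   vad.Tag)

class VADDump(VADInfo):
    """Dumps out the vad sections to a file"""

    def __init__(self, config, *args, **kwargs):
        """Replace the ADDR option with DUMP-DIR, BASE and MAX-SIZE."""
        VADInfo.__init__(self, config, *args, **kwargs)
        config.remove_option("ADDR")
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump the VAD files')
        config.add_option('BASE', short_option = 'b', default = None,
                          help = 'Dump VAD with BASE address (in hex)',
                          action = 'store', type = 'int')
        config.add_option('MAX-SIZE', short_option = 'M', default = 0x40000000,
                          action = 'store', type = 'long',
                          help = 'Set the maximum size (default is 1GB)')

    def dump_vad(self, path, vad, address_space):
        """
        Dump an MMVAD to a file.

        @param path: full path to output file
        @param vad: an MMVAD object
        @param address_space: process AS for the vad

        The purpose of this function is to read medium
        sized vad chunks and write them immediately to
        a file, rather than building a large buffer in
        memory and then flushing it at once. This prevents
        our own analysis process from consuming massive
        amounts of memory for large vads.

        @returns path to the image file on success or
        an error message stating why the file could not
        be dumped.
        """
        # open() raises on failure instead of returning a false value, so
        # the error message promised above has to come from the handler.
        try:
            fh = open(path, "wb")
        except (IOError, OSError):
            return "Cannot open {0} for writing".format(path)

        try:
            offset = vad.Start
            out_of_range = vad.Start + vad.Length
            while offset < out_of_range:
                to_read = min(constants.SCAN_BLOCKSIZE, out_of_range - offset)
                data = address_space.zread(offset, to_read)
                if not data:
                    break
                fh.write(data)
                offset += to_read
        finally:
            # close the handle even if a read or write fails part-way
            fh.close()
        return path

    def render_text(self, outfd, data):
        """Dump every VAD below MAX-SIZE into DUMP-DIR and print the result."""
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        self.table_header(outfd,
                          [("Pid", "10"),
                           ("Process", "20"),
                           ("Start", "[addrpad]"),
                           ("End", "[addrpad]"),
                           ("Result", ""),
                           ])

        for task in data:
            # Walking the VAD tree can be done in kernel AS, but to
            # carve the actual data, we need a valid process AS.
            task_space = task.get_process_address_space()
            if not task_space:
                outfd.write("Unable to get process AS for {0}\n".format(task.UniqueProcessId))
                continue

            # as a first step, we try to get the physical offset of the
            # _EPROCESS object using the process address space
            offset = task_space.vtop(task.obj_offset)
            # if this fails, we'll get its physical offset using kernel space
            if offset == None:
                offset = task.obj_vm.vtop(task.obj_offset)
            # if this fails we'll manually set the offset to 0
            if offset == None:
                offset = 0

            # The process name is read from the memory image and becomes
            # part of the output file name, so path separators in it must
            # not be able to move the file outside DUMP-DIR.
            image_name = "{0}".format(task.ImageFileName)
            for sep in ("/", "\\"):
                image_name = image_name.replace(sep, "_")

            size_filter = lambda x : x.Length < self._config.MAX_SIZE

            for vad, _addrspace in task.get_vads(vad_filter = size_filter,
                                                 skip_max_commit = True):
                if self._config.BASE and vad.Start != self._config.BASE:
                    continue

                # Open the file and initialize the data
                vad_start = self.format_value(vad.Start, "[addrpad]")
                vad_end = self.format_value(vad.End, "[addrpad]")

                path = os.path.join(
                    self._config.DUMP_DIR, "{0}.{1:x}.{2}-{3}.dmp".format(
                        image_name, offset, vad_start, vad_end))

                result = self.dump_vad(path, vad, task_space)

                self.table_row(outfd,
                               task.UniqueProcessId,
                               task.ImageFileName,
                               vad.Start, vad.End, result)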
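# [tar member header] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/0000755000000000000000000000000013131215405021556 5ustar rootroot
# [tar member header] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/netconns.py0000644000000000000000000001110713131215405023757 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_network_conns(common.AbstractMacCommand):
    """ Lists network connections from kernel network structures """

    # in_pcblookup_hash - bsd/netinet/in_pcb.c
    def _walk_pcb_hash(self, proto_pcbinfo):
        """Yield every inpcb reachable from the protocol's hash buckets.

        Each bucket chain is followed through inp_hash.le_next. The chain
        pointers come from the memory image, so a chain that loops back on
        itself is cut at the first repeated address instead of being
        followed forever (mac_timers guards its queue walk the same way).
        """
        # NOTE(review): the bucket count is hashmask + 1 as read from the
        # image; a corrupted value would size this array accordingly.
        pcb_hash = obj.Object("Array", offset = proto_pcbinfo.hashbase,
                              vm = self.addr_space, targetType = "Pointer",
                              count = proto_pcbinfo.hashmask + 1)

        for pcb_ent in pcb_hash:
            head = pcb_ent.cast("inpcbhead")
            if not head:
                continue

            seen = set()
            first_ptr = head.lh_first
            addr = first_ptr.v()
            inpcb = first_ptr.dereference_as("inpcb")
            while inpcb and addr not in seen:
                seen.add(addr)
                yield inpcb
                inpcb = inpcb.inp_hash.le_next
                # presumably le_next is a pointer, so v() is the address
                # of the next inpcb - confirm against the profile
                addr = inpcb.v()

    # in_pcblookup_hash - bsd/netinet/in_pcb.c
    def _walk_pcb_list(self, proto_pcbinfo):
        """Yield every inpcb on the protocol's list (inp_list.le_next).

        Stops at the first repeated address, for the same reason as
        _walk_pcb_hash.
        """
        seen = set()
        first_ptr = proto_pcbinfo.listhead.lh_first
        addr = first_ptr.v()
        inpcb = first_ptr.dereference_as("inpcb")
        while inpcb and addr not in seen:
            seen.add(addr)
            yield inpcb
            inpcb = inpcb.inp_list.le_next
            addr = inpcb.v()

    def _walk_pcb_entries(self, inpcbinfo_addr):
        """Yield (pcb, local ip, local port, remote ip, remote port).

        The list walk and the hash walk are merged into one dict keyed by
        obj_offset, so an entry found by both is reported once.
        """
        pcbs = {}
        inpcbinfo = obj.Object("inpcbinfo", offset = inpcbinfo_addr,
                               vm = self.addr_space)

        for pcbinfo in self._walk_pcb_list(inpcbinfo):
            pcbs[pcbinfo.obj_offset] = pcbinfo

        for pcbinfo in self._walk_pcb_hash(inpcbinfo):
            pcbs[pcbinfo.obj_offset] = pcbinfo

        for pcbinfo in pcbs.values():
            (lip, lport, rip, rport) = pcbinfo.ipv4_info()
            yield (pcbinfo, lip, lport, rip, rport)

    def calculate(self):
        """Yield (proto, pcb, lip, lport, rip, rport, state) for TCP, UDP, RAW.

        Only TCP entries carry a state; the others report an empty string.
        """
        common.set_plugin_members(self)

        tcbinfo_addr = self.addr_space.profile.get_symbol("_tcbinfo")
        udbinfo_addr = self.addr_space.profile.get_symbol("_udbinfo")
        ripdbinfo_addr = self.addr_space.profile.get_symbol("_ripcbinfo")

        info_addrs = [("TCP", tcbinfo_addr), ("UDP", udbinfo_addr), ("RAW", ripdbinfo_addr)]

        for (proto_str, info_addr) in info_addrs:
            for (pcbinfo, lip, lport, rip, rport) in self._walk_pcb_entries(info_addr):
                if proto_str == "TCP":
                    state = pcbinfo.get_tcp_state()
                else:
                    state = ""

                yield (proto_str, pcbinfo, lip, lport, rip, rport, state)

    def unified_output(self, data):
        """Return the TreeGrid description of the connection table."""
        return TreeGrid([("Offset (V)", Address),
                         ("Protocol", str),
                         ("Local IP", str),
                         ("Local Port", int),
                         ("Remote IP", str),
                         ("Remote Port", int),
                         ("State", str),
                         ], self.generator(data))

    def generator(self, data):
        """Convert calculate() tuples into TreeGrid rows."""
        for (proto, pcb, lip, lport, rip, rport, state) in data:
            yield(0, [
                Address(pcb.obj_offset),
                str(proto),
                str(lip),
                int(lport),
                str(rip),
                int(rport),
                str(state),
                ])

    def render_text(self, outfd, data):
        """Write the connection table as text."""
        self.table_header(outfd, [("Offset (V)", "[addrpad]"),
                                  ("Protocol", "4"),
                                  ("Local IP", "20"),
                                  ("Local Port", "6"),
                                  ("Remote IP", "20"),
                                  ("Remote Port", "6"),
                                  ("State", ""),
                                  ])

        for (proto, pcb, lip, lport, rip, rport, state) in data:
            self.table_row(outfd, pcb.obj_offset, proto, lip, lport, rip, rport, state)
# [tar member header] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/recover_filesystem.py0000644000000000000000000000735513131215405026053 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.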
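#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os
import shutil
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.mac.common as mac_common
import volatility.plugins.mac.list_files as mac_list_files

class mac_recover_filesystem(mac_common.AbstractMacCommand):
    """Recover the cached filesystem"""

    def __init__(self, config, *args, **kwargs):
        """Register the DUMP-DIR option."""
        mac_common.AbstractMacCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'Output directory', action = 'store', type = 'str')

    def _safe_out_path(self, ents):
        """Join path components from the image under DUMP_DIR.

        The components come from file paths stored in the memory image.
        A "." or ".." component would let such a path resolve outside the
        dump directory, where this plugin creates directories, writes
        files and removes directory trees, so those paths are refused.

        Returns the joined path, or None when the path is refused.
        """
        if any(ent in (".", "..") for ent in ents):
            return None
        return os.path.join(self._config.DUMP_DIR, *ents)

    def _fix_metadata(self, vnode, path):
        """Copy mode, owner and timestamps from the vnode to the dumped file.

        Only the permission bits (mode & 0o777) are applied. The uid, gid
        and times are taken from the image as they are.
        """
        if vnode and vnode.is_valid():
            # currently can only fix metadata of HFS files
            if vnode.v_tag != 16:
                return

            cnode = vnode.v_data.dereference_as("cnode")

            out_path = self._safe_out_path(path.split("/"))
            if out_path is None:
                return

            os.chmod(out_path, cnode.c_attr.ca_mode & 0o777)
            os.chown(out_path, cnode.c_attr.ca_uid, cnode.c_attr.ca_gid)
            os.utime(out_path, (cnode.c_attr.ca_atime, cnode.c_attr.ca_mtime))

    def _write_file(self, vnode, out_path):
        """Write a regular file's cached contents below DUMP_DIR.

        Returns 1 for a written file or a directory vnode, 0 otherwise
        (resource forks, refused paths, other vnode types).
        """
        if vnode and vnode.is_valid() and vnode.is_reg():
            out_path = self._safe_out_path(out_path.split("/"))
            if out_path is None:
                return 0

            # a directory already sitting at the file's path is removed;
            # _safe_out_path keeps this inside the dump directory
            if os.path.exists(out_path) and os.path.isdir(out_path):
                shutil.rmtree(out_path)

            # this is the ..namedfork/rsrc files. We currently skip those
            if out_path.endswith("..namedfork/rsrc"):
                ret = 0
            else:
                mac_common.write_vnode_to_file(vnode, out_path)
                ret = 1

        elif vnode.is_dir():
            ret = 1
        else:
            ret = 0

        return ret

    def _make_path(self, vnode, file_path):
        """Create the directory for a vnode below DUMP_DIR.

        For a directory vnode the whole path is created, for a regular
        file its parent. Returns 1 when the vnode should be processed,
        0 for other vnode types and for refused paths.
        """
        if vnode.is_dir():
            ents = file_path.split("/")
        elif vnode.is_reg():
            ents = file_path.split("/")[:-1]
        else:
            return 0

        out_path = self._safe_out_path(ents)
        if out_path is None:
            return 0

        try:
            os.makedirs(out_path)
        except OSError:
            # best effort: the directory usually exists already
            pass

        return 1

    def calculate(self):
        """Recover every listed file and yield the number processed."""
        mac_common.set_plugin_members(self)

        num_files = 0

        if (not self._config.DUMP_DIR or not os.path.isdir(self._config.DUMP_DIR)):
            debug.error("Please specify an existing output dir (--dump-dir)")

        ff = mac_list_files.mac_list_files(self._config)

        for (vnode, path) in ff.calculate():
            if self._make_path(vnode, path):
                self._write_file(vnode, path)
                num_files = num_files + 1

        yield num_files

    def render_text(self, outfd, data):
        """Print the count yielded by calculate()."""
        for (num_files) in data:
            outfd.write("Recovered %d files\n" % num_files)
# [tar member header] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/pid_hash_table.py0000644000000000000000000000343713131215405025065 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .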
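#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.mac.pslist as pslist
import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_pid_hash_table(pslist.mac_pslist):
    """ Walks the pid hash table """

    def calculate(self):
        """Yield every process reachable from the kernel's pid hash table.

        The table size (_pidhash + 1) and the chain pointers are read
        from the memory image. A chain that revisits an address is cut
        there, so a looping list cannot stall the walk.
        """
        common.set_plugin_members(self)

        pidhash_addr = self.addr_space.profile.get_symbol("_pidhash")
        pidhash = obj.Object("unsigned long", offset = pidhash_addr, vm = self.addr_space)

        pidhashtbl_addr = self.addr_space.profile.get_symbol("_pidhashtbl")
        pidhashtbl_ptr = obj.Object("Pointer", offset = pidhashtbl_addr, vm = self.addr_space)
        pidhash_array = obj.Object("Array", targetType = "pidhashhead", count = pidhash + 1, vm = self.addr_space, offset = pidhashtbl_ptr)

        for plist in pidhash_array:
            seen = set()
            p = plist.lh_first.dereference()
            while p and p.obj_offset not in seen:
                seen.add(p.obj_offset)
                yield p
                p = p.p_hash.le_next.dereference()
# [tar member header] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/malfind.py0000644000000000000000000000510413131215405023542 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .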
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.utils as utils
import volatility.plugins.malware.malfind as malfind
import volatility.plugins.mac.common as mac_common
import volatility.plugins.mac.pstasks as mac_pstasks

class mac_malfind(mac_pstasks.mac_tasks):
    """Looks for suspicious process mappings"""

    def render_text(self, outfd, data):
        """Report each mapping that is_suspicious() flags.

        For every flagged mapping this prints the owning process, the
        mapping's path and permissions, then a hexdump and a disassembly
        of its first 64 bytes.
        """
        for task in data:
            proc_as = task.get_process_address_space()

            # the text after the first nine characters of pm_task_map
            # selects the disassembly mode
            bit_string = str(task.task.map.pmap.pm_task_map or '')[9:]
            bits = '64bit' if bit_string == "64BIT" else '32bit'

            for vma in task.get_proc_maps():
                if not vma.is_suspicious():
                    continue

                fname = vma.get_path()
                prots = vma.get_perms()
                content = proc_as.zread(vma.start, 64)

                outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
                    task.p_comm, task.p_pid, vma.start, fname))
                outfd.write("Protection: {0}\n".format(prots))
                outfd.write("\n")

                hex_lines = ["{0:#010x} {1:<48} {2}".format(vma.start + o, h, ''.join(c))
                             for o, h, c in utils.Hexdump(content)]
                outfd.write("{0}\n".format("\n".join(hex_lines)))
                outfd.write("\n")

                asm_lines = ["{0:#x} {1:<16} {2}".format(o, h, i)
                             for o, i, h in malfind.Disassemble(content, vma.start, bits = bits)]
                outfd.write("\n".join(asm_lines))
                outfd.write("\n\n")
# [tar member header] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/timers.py0000644000000000000000000000626413131215405023443 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_timers(common.AbstractMacCommand):
    """ Reports timers set by kernel drivers """

    def calculate(self):
        """Yield one tuple per timer queued on each CPU's rtclock timer.

        Each tuple is (func, param0, param1, deadline, entry_time, module,
        symbol); entry_time is -1 when the call_entry has no such member.
        The walk over a queue ends at an invalid link, at a handler
        address below 0x1000 or equal to 0xffffffff00000000, or when a
        link repeats.
        """
        common.set_plugin_members(self)

        kaddr_info = common.get_handler_name_addrs(self)
        profile = self.addr_space.profile

        real_ncpus = obj.Object("int",
                                offset = profile.get_symbol("_real_ncpus"),
                                vm = self.addr_space)

        cpu_data_ptrs = obj.Object(theType = 'Array',
                                   offset = profile.get_symbol("_cpu_data_ptr"),
                                   vm = self.addr_space,
                                   targetType = "unsigned long long",
                                   count = real_ncpus)

        for cpu_idx in range(real_ncpus):
            cpu_data = obj.Object('cpu_data', offset = cpu_data_ptrs[cpu_idx],
                                  vm = self.addr_space)

            link = cpu_data.rtclock_timer.queue.head.next
            first_link = link
            visited = set()

            while link.is_valid():
                visited.add(link.v())

                timer = obj.Object("call_entry", offset = link.v(),
                                   vm = self.addr_space)
                func = timer.func.v()
                if func < 0x1000 or func == 0xffffffff00000000:
                    break

                (module, handler_sym) = common.get_handler_name(kaddr_info, func)

                entry_time = -1
                if hasattr(timer, "entry_time"):
                    entry_time = timer.entry_time.v()

                yield func, timer.param0, timer.param1, timer.deadline, entry_time, module, handler_sym

                link = timer.q_link.next
                # stop once the queue wraps around or revisits an entry
                if link == first_link or link.v() in visited:
                    break

    def render_text(self, outfd, data):
        """Write the timer table as text."""
        columns = [("Function", "[addrpad]"),
                   ("Param 0", "[addrpad]"),
                   ("Param 1", "[addrpad]"),
                   ("Deadline", "16"),
                   ("Entry Time", "16"),
                   ("Module", "16"),
                   ("Symbol", ""),
                   ]
        self.table_header(outfd, columns)

        for row in data:
            func, p0, p1, deadline, entry_time, module, sym = row
            self.table_row(outfd, func, p0, p1, deadline, entry_time, module, sym)
# [tar member header] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/mac_strings.py0000644000000000000000000000707013131215405024445 0ustar rootroot
# Volatility
#
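# Copyright (C) 2007,2008 Volatile Systems
# Copyright (C) 2009 Timothy D. Morgan (strings optimization)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

from bisect import bisect_right
import volatility.debug as debug
import volatility.plugins.mac.pstasks as mac_tasks
import volatility.plugins.strings as strings
import volatility.plugins.mac.common as mac_common
import volatility.plugins.mac.lsmod as mac_lsmod

class mac_strings(strings.Strings, mac_common.AbstractMacCommand):
    """Match physical offsets to virtual addresses (may take a while, VERY verbose)"""

    @staticmethod
    def is_valid_profile(profile):
        """Return True when the profile's 'os' metadata is 'mac'."""
        return profile.metadata.get('os', 'Unknown').lower() == 'mac'

    def get_processes(self, addr_space):
        """Enumerate processes based on user options.

        :param addr_space: the address space (not used by this method)
        :returns: the tasks from mac_tasks, restricted to the
                  comma-separated PID option when it is set

        A PID option that cannot be parsed is reported through
        debug.error(); that call needs the volatility.debug import,
        which this module previously lacked.
        """
        tasks = mac_tasks.mac_tasks(self._config).calculate()

        try:
            if self._config.PID is not None:
                pidlist = [int(p) for p in self._config.PID.split(',')]
                tasks = [t for t in tasks if int(t.p_pid) in pidlist]
        except (ValueError, TypeError):
            debug.error("Invalid PID {0}".format(self._config.PID))

        return tasks

    @classmethod
    def get_modules(cls, addr_space):
        """Enumerate the kernel modules.

        :param addr_space: address space whose config and address_mask
                           are used
        :returns: (mods, mod_addrs): a dict from masked module address
                  to module, and the sorted list of those addresses
        """
        mask = addr_space.address_mask
        config = addr_space.get_config()
        modules = mac_lsmod.mac_lsmod(config).calculate()
        mods = dict((mask(mod.address), mod) for mod in modules)
        mod_addrs = sorted(mods.keys())

        return (mods, mod_addrs)

    @classmethod
    def find_module(cls, modlist, mod_addrs, addr_space, vpage):
        """Determine which module owns a virtual page.

        :param modlist: dict from module address to module
        :param mod_addrs: sorted list of the keys of modlist
        :param addr_space: the address space (not used by this method)
        :param vpage: virtual page address to look up
        :returns: the owning module, or None
        """
        # the candidate is the last module starting at or below vpage
        pos = bisect_right(mod_addrs, vpage) - 1
        if pos == -1:
            return None
        mod = modlist[mod_addrs[pos]]

        compare = mod.obj_vm.address_compare
        if (compare(vpage, mod.address) != -1 and
                compare(vpage, mod.address + mod.m('size')) == -1):
            return mod
        else:
            return None

    @classmethod
    def get_module_name(cls, module):
        """Get the name of a kernel module.

        :param module: a module object with a 'name' member
        :returns: the name as a str
        """
        return str(module.m("name"))

    @classmethod
    def get_task_pid(cls, task):
        """Get the PID of a process.

        :param task: a process object
        :returns: its p_pid member
        """
        return task.p_pid
# [tar member header] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/psenv.py0000644000000000000000000000406513131215405023270 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .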
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.mac.pstasks as pstasks
from volatility.renderers import TreeGrid

class mac_psenv(pstasks.mac_tasks):
    """ Prints processes with environment in user land (**envp) """

    def unified_output(self, data):
        """Return the TreeGrid description; rows come from generator()."""
        columns = [("Pid", int),
                   ("Name", str),
                   ("Bits", str),
                   ("Arguments", str),
                   ]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield pid, name, task map and environment for each process.

        The "Bits" value here is the full pm_task_map string; the text
        renderer prints only the part after its first nine characters.
        """
        for proc in data:
            row = [
                int(proc.p_pid),
                str(proc.p_comm),
                str(proc.task.map.pmap.pm_task_map),
                str(proc.get_environment()),
            ]
            yield (0, row)

    def render_text(self, outfd, data):
        """Write the process/environment table as text."""
        self.table_header(outfd, [("Pid", "8"),
                                  ("Name", "20"),
                                  ("Bits", "16"),
                                  ("Arguments", "")])

        for proc in data:
            task_map = str(proc.task.map.pmap.pm_task_map or '')
            self.table_row(outfd,
                           proc.p_pid,
                           proc.p_comm,
                           task_map[9:],
                           proc.get_environment())
# [tar member header] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/lsof.py0000644000000000000000000000400513131215405023072 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.pstasks as pstasks import volatility.plugins.mac.common as common from volatility.renderers import TreeGrid class mac_lsof(pstasks.mac_tasks): """ Lists per-process opened files """ def unified_output(self, data): return TreeGrid([("PID",int), ("File Descriptor", int), ("File Path", str), ], self.generator(data)) def generator(self, data): for proc in data: for (_, filepath, fd) in proc.lsof(): if filepath: yield(0, [ int(proc.p_pid), int(fd), str(filepath), ]) def render_text(self, outfd, data): self.table_header(outfd, [("PID","8"), ("File Descriptor", "6"), ("File Path", ""), ]) for proc in data: for (_, filepath, fd) in proc.lsof(): if filepath: self.table_row(outfd, proc.p_pid, fd, filepath) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/moddump.py0000644000000000000000000001120313131215405023572 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
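#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import os
import re
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_moddump(common.AbstractMacCommand):
    """ Writes the specified kernel extension to disk """

    def __init__(self, config, *args, **kwargs):
        """Register the BASE, REGEX, IGNORE-CASE and DUMP-DIR options."""
        common.AbstractMacCommand.__init__(self, config, *args, **kwargs)

        self._config.add_option('BASE', short_option = 'b', default = None, help = 'Dump driver with BASE address (in hex)', action = 'store', type = 'int')
        self._config.add_option('REGEX', short_option = 'r', help = 'Dump modules matching REGEX', action = 'store', type = 'string')
        self._config.add_option('IGNORE-CASE', short_option = 'i', help = 'Ignore case in pattern match', action = 'store_true', default = False)
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'Output directory', action = 'store', type = 'str')

    def calculate(self):
        """Yield the kmod_info objects selected for dumping.

        With BASE set, a single kmod_info is built at that address.
        Otherwise the list rooted at the _kmod symbol is walked and, when
        REGEX is set, only modules whose name matches are yielded.
        """
        common.set_plugin_members(self)

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error as e:
                debug.error('Error parsing regular expression: {0}'.format(e))

        if self._config.BASE:
            module_address = int(self._config.BASE)

            yield obj.Object("kmod_info", offset = module_address, vm = self.addr_space)
        else:
            modules_addr = self.addr_space.profile.get_symbol("_kmod")
            modules_ptr = obj.Object("Pointer", vm = self.addr_space, offset = modules_addr)
            mod = modules_ptr.dereference_as("kmod_info")

            while mod.is_valid():
                if self._config.REGEX and not mod_re.search(str(mod.name)):
                    mod = mod.next
                    continue

                yield mod

                mod = mod.next

    def _require_dump_dir(self):
        """Report an error unless DUMP_DIR names an existing directory."""
        if (not self._config.DUMP_DIR or not os.path.isdir(self._config.DUMP_DIR)):
            debug.error("Please specify an existing output dir (--dump-dir)")

    def _dump_module(self, kmod):
        """Write one module's bytes into DUMP_DIR.

        Returns (start, size, file_name) for the row the caller emits.

        The module name is read from the image under analysis, so it is
        treated as untrusted: every character outside [A-Za-z0-9._-] is
        replaced with '_' before the name is used in a path. Without this a
        name containing a path separator could place the output outside
        DUMP_DIR (os.path.join also drops DUMP_DIR for an absolute name).
        """
        start = kmod.address
        size = kmod.m("size")

        safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", str(kmod.name))
        file_name = "{0}.{1:#x}.kext".format(safe_name, kmod.obj_offset)

        # NOTE(review): size also comes from the image and is not bounded
        # here; a corrupt or hostile kmod_info (or an arbitrary --base) can
        # request a very large read. Consider a sanity limit.
        mod_data = self.addr_space.zread(kmod.address, size)

        # Read first, then write inside 'with' so the handle is closed even
        # if the write fails.
        with open(os.path.join(self._config.DUMP_DIR, file_name), 'wb') as mod_file:
            mod_file.write(mod_data)

        return (start, size, file_name)

    def unified_output(self, data):
        """Check DUMP_DIR, then wrap generator() in a TreeGrid."""
        self._require_dump_dir()

        return TreeGrid([("Address", Address),
                         ("Size", int),
                         ("Output Path", str),
                         ], self.generator(data))

    def generator(self, data):
        """Dump each module and yield one depth-0 row describing it."""
        for kmod in data:
            (start, size, file_name) = self._dump_module(kmod)
            yield(0, [
                Address(start),
                int(size),
                str(file_name),
                ])

    def render_text(self, outfd, data):
        """Dump each module and write one table row per file to outfd."""
        self._require_dump_dir()

        self.table_header(outfd, [("Address", "[addrpad]"),
                                  ("Size", "8"),
                                  ("Output Path", "")])
        for kmod in data:
            (start, size, file_name) = self._dump_module(kmod)
            self.table_row(outfd, start, size, file_name)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/mac_volshell.py0000644000000000000000000000657513131215405024615 0ustar rootroot# Volatility # Copyright (C) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 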
#

import volatility.plugins.mac.pstasks as pstasks
import volatility.plugins.volshell as volshell
import volatility.plugins.mac.lsmod as lsmod
import volatility.obj as obj

class mac_volshell(volshell.volshell):
    """Shell in the memory image"""

    @staticmethod
    def is_valid_profile(profile):
        """Accept only profiles whose 'os' metadata is 'mac' (any case)."""
        os_name = profile.metadata.get('os', 'Unknown')
        return os_name.lower() == 'mac'

    def modules(self):
        """Print offset, name, address and size of each module from mac_lsmod."""
        for kmod in lsmod.mac_lsmod(self._config).calculate():
            print("{3:16x} {0:48} {1:16x} {2:6d}".format(kmod.name, kmod.address, kmod.m('size'), kmod.obj_offset))

    def getpidlist(self):
        """Return the processes from mac_tasks.allprocs() as a list."""
        tasks_plugin = pstasks.mac_tasks(self._config)
        return list(tasks_plugin.allprocs())

    def ps(self, procs = None):
        """Print name, PID and offset for procs, or for every process."""
        print("{0:16} {1:6} {2:8}".format("Name", "PID", "Offset"))
        listing = procs or self.getpidlist()
        for task in listing:
            print("{0:16} {1:<6} {2:#08x}".format(task.p_comm, task.p_pid, task.obj_offset))

    def context_display(self):
        """Print the current process, its PID and its pm_cr3 value."""
        current = self._proc
        dtb = current.task.dereference_as("task").map.pmap.pm_cr3
        print("Current context: process {0}, pid={1} DTB={2:#x}".format(current.p_comm, current.p_pid, dtb))

    def set_context(self, offset = None, pid = None, name = None, physical = None):
        """Select the shell's current process by pid, name or offset.

        pid takes precedence over name, and name over offset. A selector
        that matches no process, or more than one, prints a message and
        leaves the context unchanged. Name matching is by substring.
        """
        if pid is not None:
            matches = [p for p in self.getpidlist() if p.p_pid.v() == pid]
            if not matches:
                print("Unable to find process matching pid {0}".format(pid))
                return
            if len(matches) > 1:
                print("Multiple processes match {0}, please specify by offset".format(pid))
                print("Matching processes:")
                self.ps(matches)
                return
            offset = matches[0].v()
        elif name is not None:
            matches = [p for p in self.getpidlist() if p.p_comm.find(name) >= 0]
            if not matches:
                print("Unable to find process matching name {0}".format(name))
                return
            if len(matches) > 1:
                print("Multiple processes match name {0}, please specify by PID or offset".format(name))
                print("Matching processes:")
                self.ps(matches)
                return
            offset = matches[0].v()
        elif offset is None:
            print("Must provide one of: offset, name, or pid as a argument.")
            return

        self._proc = obj.Object("proc", offset = offset, vm = self._addrspace)

        self.context_display()

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/check_mig_table.py0000644000000000000000000000552213131215405025214 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.debug as debug
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_check_mig_table(common.AbstractMacCommand):
    """ Lists entires in the kernel's MIG table """

    def calculate(self):
        """Yield (num, routine name, routine address) for each used MIG bucket.

        Buckets whose routine is 0 are skipped. A routine address for which
        the profile has no kernel symbol is reported with the name "HOOKED".
        """
        common.set_plugin_members(self)

        # we can't use an array as the size of mig_hash_entry
        # depends on if MAC_COUNTERS is set, which changes between kernels
        # mig_table_max_displ is declared directly after mig_buckets
        # which allows us to calculate the size of each entry dynamically

        profile = self.addr_space.profile
        bucket_count = 1024

        di_addr = profile.get_symbol("_mig_table_max_displ")
        mig_buckets_addr = profile.get_symbol("_mig_buckets")

        ele_size = (di_addr - mig_buckets_addr) / bucket_count

        for i in range(bucket_count):
            entry = obj.Object("mig_hash_entry", offset = mig_buckets_addr + (i * ele_size), vm = self.addr_space)

            if entry.routine == 0:
                continue

            # "HOOKED" only means the symbol lookup came back empty; treat it
            # as a lead to verify (e.g. against loaded module ranges), not as
            # proof of tampering on its own.
            rname = profile.get_symbol_by_address("kernel", entry.routine)
            if not rname:
                rname = "HOOKED"

            yield (entry.num, rname, entry.routine)

    def unified_output(self, data):
        """Wrap generator() in a TreeGrid for the unified renderers."""
        columns = [("Index", int),
                   ("Routine Name", str),
                   ("Routine Handler", Address),
                   ]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one depth-0 row per MIG entry."""
        for (num, name, routine) in data:
            yield (0, [
                int(num),
                str(name),
                Address(routine),
            ])

    def render_text(self, outfd, data):
        """Write the MIG entries as a text table to outfd."""
        header = [("Index", "8"),
                  ("Routine Name", "100"),
                  ("Routine Handler", "[addrpad]")]
        self.table_header(outfd, header)

        for (num, name, routine) in data:
            self.table_row(outfd, num, name, routine)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/kevents.py0000644000000000000000000001077313131215405023617 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
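#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.plugins.mac.pstasks as pstasks

class mac_kevents(common.AbstractMacCommand):
    """ Lists the kernel event (kevent) filters registered by each process """

    def _walk_knotes(self, kn):
        """Yield the entries of one knote list, following kn_link.sle_next.

        The links are read from the image, so they are not trusted to
        terminate: an address seen twice in the same list ends the walk
        instead of looping forever on a corrupt or manipulated list.
        """
        visited = set()
        while kn.is_valid():
            addr = kn.v()
            if addr in visited:
                break
            visited.add(addr)
            yield kn
            kn = kn.kn_link.sle_next

    def _walk_karray(self, address, count):
        """Yield every knote reachable from an array of count klist heads."""
        arr = obj.Object(theType = "Array", targetType = "klist", offset = address, vm = self.addr_space, count = count)

        for klist in arr:
            for kn in self._walk_knotes(klist.slh_first):
                yield kn

    def calculate(self):
        """Yield (task, knote) for each process's fd_knlist, fd_knhash and p_klist."""
        common.set_plugin_members(self)

        for task in pstasks.mac_tasks(self._config).calculate():
            fdp = task.p_fd

            # for (i = 0; i < fdp->fd_knlistsize; i++) {
            #     kn = SLIST_FIRST(&fdp->fd_knlist[i]);
            for kn in self._walk_karray(fdp.fd_knlist, fdp.fd_knlistsize):
                yield task, kn

            # if (fdp->fd_knhashmask != 0) {
            #     for (i = 0; i < (int)fdp->fd_knhashmask + 1; i++) {
            #         kn = SLIST_FIRST(&fdp->fd_knhash[i]);
            mask = fdp.fd_knhashmask
            if mask != 0:
                for kn in self._walk_karray(fdp.fd_knhash, mask + 1):
                    yield task, kn

            for kn in self._walk_knotes(task.p_klist.slh_first):
                yield task, kn

    def _get_flags(self, fflags, filters):
        """Return the names in filters whose bits are all set in fflags.

        filters is a sequence of (name, bit value) pairs; the matching names
        are joined with ", ". Returns "" when fflags is 0 or nothing matches.
        """
        if fflags == 0:
            return ""

        return ", ".join(flag for (flag, bits) in filters if fflags & bits == bits)

    def render_text(self, outfd, data):
        """Write one row per knote: offset, process, ident, filter, flags."""
        # Indexed by the negated kn_kevent.filter value.
        event_types = ["INVALID EVENT", "EVFILT_READ", "EVFILT_WRITE", "EVFILT_AIO", "EVFILT_VNODE", "EVFILT_PROC", "EVFILT_SIGNAL",
                       "EVFILT_TIMER", "EVFILT_MACHPORT", "EVFILT_FS", "EVFILT_USER", "INVALID EVENT", "EVFILT_VM"]

        vnode_filt = [("NOTE_DELETE", 1), ("NOTE_WRITE", 2), ("NOTE_EXTEND", 4), ("NOTE_ATTRIB", 8),
                      ("NOTE_LINK", 0x10), ("NOTE_RENAME", 0x20), ("NOTE_REVOKE", 0x40)]

        proc_filt = [("NOTE_EXIT", 0x80000000), ("NOTE_EXITSTATUS", 0x04000000), ("NOTE_FORK", 0x40000000),
                     ("NOTE_EXEC", 0x20000000), ("NOTE_SIGNAL", 0x08000000), ("NOTE_REAP", 0x10000000)]

        time_filt = [("NOTE_SECONDS", 1), ("NOTE_USECONDS", 2), ("NOTE_NSECONDS", 4), ("NOTE_ABSOLUTE", 8)]

        self.table_header(outfd, [("Offset", "[addrpad]"),
                                  ("Name", "20"),
                                  ("Pid", "8"),
                                  ("Ident", "6"),
                                  ("Filter", "20"),
                                  ("Context", ""),])

        for task, kn in data:
            filt_idx = kn.kn_kevent.filter * -1

            # NOTE(review): knotes whose filter value falls outside the table
            # above are dropped without any output, so a missing row does not
            # prove that no knote was registered.
            if 0 < filt_idx < len(event_types):
                fname = event_types[filt_idx]
            else:
                continue

            context = ""
            fflags = kn.kn_sfflags

            # EVFILT_VNODE
            if filt_idx == 4:
                context = self._get_flags(fflags, vnode_filt)

            # EVFILT_PROC
            elif filt_idx == 5:
                context = self._get_flags(fflags, proc_filt)

            # EVFILT_TIMER
            elif filt_idx == 7:
                context = self._get_flags(fflags, time_filt)

            self.table_row(outfd, kn.v(), str(task.p_comm), task.p_pid, kn.kn_kevent.ident, fname, context)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/check_sysctl.py0000644000000000000000000001242313131215405024610 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 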
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

# based on sysctl_sysctl_debug_dump_node
class mac_check_sysctl(common.AbstractMacCommand):
    """ Checks for unknown sysctl handlers """

    def _parse_global_variable_sysctls(self, name):
        """Return the string value of a known, hard-coded sysctl, else ""."""
        symbol_for = {
            "hostname" : "_hostname",
            "nisdomainname" : "_domainname",
        }

        if name not in symbol_for:
            return ""

        var_addr = self.addr_space.profile.get_symbol(symbol_for[name])
        return common.get_string(var_addr, self.addr_space)

    def _process_sysctl_list(self, sysctl_list, r = 0):
        """Yield (sysctl, name, value) for each entry, descending into nodes.

        sysctl_list may be a sysctl_oid_list or an obj.Pointer to one. A
        true r marks a recursive call, for which the head entry is skipped.
        The walk stops at the first entry with an empty name.
        """
        # NOTE(review): the list links and child pointers come from the image
        # and are followed with no depth limit or revisit check; a corrupt or
        # manipulated list could keep this walk from ending.
        if type(sysctl_list) == obj.Pointer:
            sysctl_list = sysctl_list.dereference_as("sysctl_oid_list")

        entry = sysctl_list.slh_first

        # skip the head entry if new list (recursive call)
        if r:
            entry = entry.oid_link.sle_next

        while entry and entry.is_valid():
            name = entry.oid_name.dereference()

            if len(name) == 0:
                break

            name = str(name)

            ctltype = entry.get_ctltype()
            arg1 = entry.oid_arg1

            if arg1 == 0 or not arg1.is_valid():
                val = self._parse_global_variable_sysctls(name)
            elif ctltype == 'CTLTYPE_NODE':
                # Children are emitted before the node's own row, and only
                # when the node has no handler.
                if entry.oid_handler == 0:
                    for info in self._process_sysctl_list(arg1, r = 1):
                        yield info

                val = "Node"
            elif ctltype in ('CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE'):
                val = arg1.dereference()
            elif ctltype == 'CTLTYPE_STRING':
                ## FIXME: can we do this without get_string?
                val = common.get_string(arg1, self.addr_space)
            else:
                val = ctltype

            yield (entry, name, val)

            entry = entry.oid_link.sle_next

    def calculate(self):
        """Yield each sysctl with the verdict on its handler address.

        A handler that common.is_known_address_name() does not recognise is
        given the status "UNKNOWN", otherwise "OK". Entries whose value is
        "INVALID -1" are skipped.
        """
        common.set_plugin_members(self)

        (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)

        sysctl_children_addr = self.addr_space.profile.get_symbol("_sysctl__children")

        sysctl_list = obj.Object("sysctl_oid_list", offset = sysctl_children_addr, vm = self.addr_space)

        for (sysctl, name, val) in self._process_sysctl_list(sysctl_list):
            if val == "INVALID -1":
                continue

            (is_known, module_name) = common.is_known_address_name(sysctl.oid_handler.v(), kernel_symbol_addresses, kmods)

            # "UNKNOWN" is a triage lead: it says the handler address was not
            # matched, not who owns it.
            status = "OK" if is_known else "UNKNOWN"

            yield (sysctl, name, val, is_known, module_name, status)

    def unified_output(self, data):
        """Wrap generator() in a TreeGrid for the unified renderers."""
        columns = [("Name", str),
                   ("Number", int),
                   ("Perms", str),
                   ("Handler", Address),
                   ("Value", str),
                   ("Module", str),
                   ("Status", str),
                   ]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one depth-0 row per sysctl."""
        for (sysctl, name, val, is_known, module_name, status) in data:
            yield (0, [
                str(name),
                int(sysctl.oid_number),
                str(sysctl.get_perms()),
                Address(sysctl.oid_handler),
                str(val),
                str(module_name),
                str(status),
            ])

    def render_text(self, outfd, data):
        """Write the sysctl listing as a text table to outfd."""
        header = [("Name", "30"),
                  ("Number", "8"),
                  ("Perms", "6"),
                  ("Handler", "[addrpad]"),
                  ("Value", "20"),
                  ("Module", "40"),
                  ("Status", "5")]
        self.table_header(outfd, header)

        for (sysctl, name, val, is_known, module_name, status) in data:
            self.table_row(outfd, name, sysctl.oid_number, sysctl.get_perms(), sysctl.oid_handler, val, module_name, status)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/bash_env.py0000644000000000000000000000312613131215405023717 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. 
You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import struct
from operator import attrgetter
import volatility.obj as obj
import volatility.debug as debug
import volatility.addrspace as addrspace
import volatility.plugins.mac.common as mac_common
import volatility.plugins.mac.pstasks as mac_tasks
from volatility.renderers import TreeGrid

class mac_bash_env(mac_tasks.mac_tasks):
    """Recover bash's environment variables"""

    # Every output path of this plugin only reports that it is deprecated
    # and names mac_psenv as the replacement; no data is rendered.

    def unified_output(self, data):
        notice = "This plugin is deprecated. Please use mac_psenv."
        debug.error(notice)

    def generator(self, data):
        notice = "This plugin is deprecated. Please use mac_psenv."
        debug.error(notice)

    def render_text(self, outfd, data):
        notice = "This plugin is deprecated. Please use mac_psenv."
        debug.error(notice)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/threads.py0000644000000000000000000005353713131215405023577 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Cem Gurkok @license: GNU General Public License 2.0 @contact: cemgurkok@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.common as common import volatility.debug as debug import volatility.utils as utils import volatility.plugins.mac.pstasks as mac_tasks from volatility.renderers import TreeGrid from volatility.renderers.basic import Address ## http://hte.sourceforge.net/doxygenized-0.8.0pre1/machostruc_8h-source.html ## documentation for thread state, registry, launch cmd etc thread_overlay = { "thread": [ None, { "options": [None, ['Flags', {'target': 'int', 'bitmap': { "TH_OPT_INTMASK": 0,# interrupt / abort level "TH_OPT_INTMASK": 1,# interrupt / abort level "TH_OPT_VMPRIV": 2, # may allocate reserved memory "TH_OPT_DTRACE": 3, # executing under dtrace_probe "TH_OPT_SYSTEM_CRITICAL": 4, # Thread must always be allowed to run, even under heavy load "TH_OPT_PROC_CPULIMIT": 5, # Thread has a task-wide CPU limit applied to it "TH_OPT_PRVT_CPULIMIT": 6 # Thread has a thread-private CPU limit applied to it }}]], "state": [None, ['Flags', {'target': 'int', 'bitmap': { "TH_WAIT": 0, "TH_SUSP": 1, "TH_RUN": 2, "TH_UNINT": 3, "TH_TERMINATE": 4, "TH_TERMINATE2": 5, "TH_IDLE": 6, # kAppleProfileTriggerClientThreadModeIdle "TH_IDLE_N": 6 << 16 # kAppleProfileTriggerClientThreadModeNotIdle, !TH_IDLE }}]], "sched_mode": [None, ['Flags', {'target': 'int', 'bitmap': { "TH_MODE_REALTIME": 0, # /* time constraints supplied */ "TH_MODE_TIMESHARE": 1, # /* use timesharing algorithm */ "TH_MODE_FAILSAFE": 2, # /* fail-safe has tripped */ "TH_MODE_PROMOTED": 3, # /* sched pri has been promoted */ "TH_MODE_ABORT": 4, # /* abort interruptible waits */ "TH_MODE_ABORTSAFELY": 5, # /* ... 
but only those at safe point */ # "TH_MODE_ISABORTED": (TH_MODE_ABORT | TH_MODE_ABORTSAFELY) "TH_MODE_DEPRESS": 6, # /* normal depress yield */ "TH_MODE_POLLDEPRESS": 7, # /* polled depress yield */ # "TH_MODE_ISDEPRESSED": (TH_MODE_DEPRESS | TH_MODE_POLLDEPRESS) }}]], "ast": [None, ['Flags', {'target': 'int', 'bitmap': { # Asynchronous System Traps # AST_NONE , no bits set "AST_HALT": 0, "AST_TERMINATE": 1, "AST_BLOCK": 2, "AST_UNUSED": 3, "AST_QUANTUM": 4, "AST_APC": 5, # /* migration APC hook */ "AST_URGENT": 6 }}]], }] } class queue_entry(obj.CType): # needed a separate walk_list function for threads since the original was task specific def thread_walk_list(self, list_head): n = self.next.dereference_as("thread") while n and n.obj_offset != list_head: yield n n = n.task_threads.next.dereference_as("thread") p = self.prev.dereference_as("thread") while p and p.obj_offset != list_head: yield p p = p.task_threads.prev.dereference_as("thread") def walk_list(self, list_head): n = self.next.dereference_as("task") while n and n.obj_offset != list_head: yield n n = n.tasks.next.dereference_as("task") p = self.prev.dereference_as("task") while p and p.obj_offset != list_head: yield p p = p.tasks.prev.dereference_as("task") class MacObjectClasses2(obj.ProfileModification): conditions = {'os': lambda x: x == 'mac'} before = ['BasicObjectClasses'] def modification(self, profile): profile.object_classes.update({ 'queue_entry' : queue_entry }) class MacObjectClasses4(obj.ProfileModification): conditions = {'os': lambda x: x == 'mac'} before = ['BasicObjectClasses'] def modification(self, profile): profile.merge_overlay(thread_overlay) # https://www.opensource.apple.com/source/xnu/xnu-124.1/osfmk/mach/vm_statistics.h dict_alias = { 1: "VM_MEMORY_MALLOC", 2: "VM_MEMORY_MALLOC_SMALL", 3: "VM_MEMORY_MALLOC_LARGE", 4: "VM_MEMORY_MALLOC_HUGE", 5: "VM_MEMORY_SBRK", 6: "VM_MEMORY_REALLOC", 7: "VM_MEMORY_MALLOC_TINY", 8: "VM_MEMORY_MALLOC_LARGE_REUSABLE", 9: 
"VM_MEMORY_MALLOC_LARGE_REUSED", 10: "VM_MEMORY_ANALYSIS_TOOL", 20: "VM_MEMORY_MACH_MSG", 21: "VM_MEMORY_IOKIT", 30: "VM_MEMORY_STACK", 31: "VM_MEMORY_GUARD", 32: "VM_MEMORY_SHARED_PMAP", 33: "VM_MEMORY_DYLIB", 34: "VM_MEMORY_OBJC_DISPATCHERS", 35: "VM_MEMORY_UNSHARED_PMAP", 40: "VM_MEMORY_APPKIT", 41: "VM_MEMORY_FOUNDATION", 42: "VM_MEMORY_COREGRAPHICS", 43: "VM_MEMORY_CORESERVICES", 44: "VM_MEMORY_JAVA", 50: "VM_MEMORY_ATS", 51: "VM_MEMORY_LAYERKIT", 52: "VM_MEMORY_CGIMAGE", 53: "VM_MEMORY_TCMALLOC", 54: "VM_MEMORY_COREGRAPHICS_DATA", 55: "VM_MEMORY_COREGRAPHICS_SHARED", 56: "VM_MEMORY_COREGRAPHICS_FRAMEBUFFERS", 57: "VM_MEMORY_COREGRAPHICS_BACKINGSTORES", 60: "VM_MEMORY_DYLD", 61: "VM_MEMORY_DYLD_MALLOC", 62: "VM_MEMORY_SQLITE", 63: "VM_MEMORY_JAVASCRIPT_CORE", 64: "VM_MEMORY_JAVASCRIPT_JIT_EXECUTABLE_ALLOCATOR", 65: "VM_MEMORY_JAVASCRIPT_JIT_REGISTER_FILE", 66: "VM_MEMORY_GLSL", 67: "VM_MEMORY_OPENCL", 68: "VM_MEMORY_COREIMAGE", 69: "VM_MEMORY_WEBCORE_PURGEABLE_BUFFERS", 70: "VM_MEMORY_IMAGEIO", 71: "VM_MEMORY_COREPROFILE", 72: "VM_MEMORY_ASSETSD", 240: "VM_MEMORY_APPLICATION_SPECIFIC_1", 241: "VM_MEMORY_APPLICATION_SPECIFIC_2", 242: "VM_MEMORY_APPLICATION_SPECIFIC_3", 243: "VM_MEMORY_APPLICATION_SPECIFIC_4", 244: "VM_MEMORY_APPLICATION_SPECIFIC_5", 245: "VM_MEMORY_APPLICATION_SPECIFIC_6", 246: "VM_MEMORY_APPLICATION_SPECIFIC_7", 247: "VM_MEMORY_APPLICATION_SPECIFIC_8", 248: "VM_MEMORY_APPLICATION_SPECIFIC_9", 249: "VM_MEMORY_APPLICATION_SPECIFIC_10", 250: "VM_MEMORY_APPLICATION_SPECIFIC_11", 251: "VM_MEMORY_APPLICATION_SPECIFIC_12", 252: "VM_MEMORY_APPLICATION_SPECIFIC_13", 253: "VM_MEMORY_APPLICATION_SPECIFIC_14", 254: "VM_MEMORY_APPLICATION_SPECIFIC_15", 255: "VM_MEMORY_APPLICATION_SPECIFIC_16" } class mac_threads(mac_tasks.mac_tasks): """ List Process Threads """ def get_active_threads(self): threads = {} real_ncpus = obj.Object("int", offset = self.addr_space.profile.get_symbol("_real_ncpus"), vm = self.addr_space) cpu_data_ptrs = obj.Object(theType = 
'Array', offset = self.addr_space.profile.get_symbol("_cpu_data_ptr"), vm = self.addr_space, targetType = "unsigned long long", count = real_ncpus) for i in range(0, real_ncpus): cpu_data = obj.Object('cpu_data', offset = cpu_data_ptrs[i], vm = self.addr_space) threads[i] = cpu_data.cpu_active_thread return threads def is_thread_active(self, thread, active_threads): for active_thread in active_threads.values(): if active_thread.v() == thread.v(): return True return False def get_stack_map(self, proc, proc_threads, bit_string): proc_addrspace = proc.get_process_address_space() vm_map_slide = 0 vm_map_start = 0 stack_thread_id = None maps = [] for map in proc.get_proc_maps(): vm_map_start = map.links.start map_type = str(dict_alias.get(int(map.alias), "UNKNOWN")) map_path = map.get_path() # see if map is a STACK (not a STACK_GUARD), if so which thread it belongs to # VM_MEMORY_STACK if map_type == "VM_MEMORY_STACK" and map.get_perms() != "---": for thread in proc_threads: # 64bit thread if "64" in bit_string: # isf: interrupt stack frame thread_sp = thread.machine.iss.uss.ss_64.isf.rsp # 32 bit thread else: thread_sp = thread.machine.iss.uss.ss_32.uesp if map.links.start <= thread_sp and thread_sp <= map.links.end: stack_thread_id = thread.thread_id map_path = "thread id {0}".format(thread.thread_id) break if "thread" in map_path: # Based on the vmmap command: # current map is a stack marked as thread, then mark previous map with thread id if stack prev_proc, prev_map, prev_map_path = maps.pop() if str(dict_alias.get(int(prev_map.alias), "UNKNOWN")) == "VM_MEMORY_STACK" and prev_map.get_perms() != "---" and "thread" not in prev_map_path: prev_map_path = "thread id {0}".format(stack_thread_id) maps.append((prev_proc, prev_map, prev_map_path)) else: # if previous map is a stack marked as thread, then mark current map with thread id prev_proc, prev_map, prev_map_path = maps.pop() if str(dict_alias.get(int(prev_map.alias), "UNKNOWN")) == "VM_MEMORY_STACK" and 
prev_map.get_perms() != "---" and "thread" in prev_map_path: map_path = "thread id {0}".format(stack_thread_id) maps.append((prev_proc, prev_map, prev_map_path)) elif map_type != "VM_MEMORY_STACK": stack_thread_id = None maps.append((proc, map, map_path)) return maps def get_thread_registers(self, thread, bit_string): # http://www.opensource.apple.com/source/xnu/xnu-2050.18.24/osfmk/i386/pcb.c registers_64 = ['rdi','rsi','rdx','rbp','rbx','rcx','rax','cr2','r8','r9','r10','r11','r12','r13','r14','r15','gs','fs'] registers_32 = ['edi','esi','edx','ebp','ebx','uesp','ecx','eax','eip','cr2','gs','cs','fs','es','ds'] registers = {} if "64" in bit_string: registers['rsp'] = "{0:#10x}".format(getattr(thread.machine.iss.uss.ss_64.isf, 'rsp')) registers['rip'] = "{0:#10x}".format(getattr(thread.machine.iss.uss.ss_64.isf, 'rip')) registers['ss'] = "{0:#10x}".format(getattr(thread.machine.iss.uss.ss_64.isf, 'ss')) registers['trapno'] = "{0:#10x}".format(getattr(thread.machine.iss.uss.ss_64.isf, 'trapno')) # check if trap function/sysent is known or hooked trapfn_addr = getattr(thread.machine.iss.uss.ss_64.isf, 'trapfn') if trapfn_addr == 0: trapfn_name = '' else: trapfn_name = self.addr_space.profile.get_symbol_by_address('kernel', trapfn_addr) if trapfn_name == '': trapfn = "UNKNOWN function at {0}".format(trapfn_addr) else: trapfn = "{0} at {1:#10x}".format(trapfn_name, trapfn_addr) registers['trapfn'] = trapfn for reg in registers_64: registers[reg] = "{0:#10x}".format(getattr(thread.machine.iss.uss.ss_64, reg)) else: for reg in registers_32: if hasattr(thread.machine, "iss"): registers[reg] = "{0:#10x}".format(getattr(thread.machine.iss.uss.ss_32, reg)) else: registers[reg] = "" return registers def calculate(self): common.set_plugin_members(self) for proc in mac_tasks.mac_tasks(self._config).calculate(): bit_string = str(proc.task.map.pmap.pm_task_map or '')[9:] # get proc args and arg address args = proc.get_arguments() args_addr = proc.user_stack - proc.p_argslen # 
get threads qentry = proc.task.threads seen_threads = [] thread_list = [] active_threads = self.get_active_threads() for thread in qentry.thread_walk_list(qentry.obj_offset): if thread.obj_offset not in seen_threads: seen_threads.append(thread.obj_offset) thread_list.append(thread) # get proc maps maps = self.get_stack_map(proc, thread_list, bit_string) # get thread stack start and size for thread in thread_list: stack_start = 0 stack_size = 0 thread_args = "" registers = {} is_active = "NO" dtraced = "NO" debugged = "NO" uid = "NONE" for proc, map, map_path in maps: if "thread id {0}".format(thread.thread_id) in map_path: if stack_start == 0 or stack_start > map.links.start: stack_start = map.links.start stack_size += map.links.end - map.links.start # find thread with args, which probably is main thread if map.links.start < args_addr < map.links.end: thread_args = args # kernel_stack process # thread stack information is empty for kernel threads if str(proc.p_pid) == "0": stack_start = thread.kernel_stack registers = self.get_thread_registers(thread, bit_string) if self.is_thread_active(thread, active_threads): is_active = "YES" # check if thread is being hardware debugged, ids = x86_debug_state64 if thread.machine.ids != 0: debugged = "YES" # check if dtrace probe is applied if "TH_OPT_DTRACE" in str(thread.options): dtraced = "YES" #get thread User ID #if thread.uthread != 0: #uid = thread.uthread.dereference_as('uthread').uu_context.vc_ucred.cr_posix.cr_uid yield proc, thread, stack_start, stack_size, thread_args, registers, is_active, dtraced, debugged, uid proc = proc.p_list.le_next.dereference() self.get_active_threads() def unified_output(self, data): return TreeGrid([("Offset", Address), ("Pid", int), ("Tid", int), ("UID", str), ("State", str), ("Is Active?", str), ("Options", str), ("Priority", int), ("Startup Addr", Address), ("Stack Start Addr", Address), ("Stack Size (bytes)", int), ("HW Debugged",str), ("DTraced", str), ("Arguments", str), ], 
self.generator(data)) def generator(self, data): for proc, thread, stack_start, stack_size, args, registers, is_active, dtraced, debugged, uid in data: if not thread.is_valid(): continue yield (0, [ Address(thread.v()), int(proc.p_pid), int(thread.thread_id), str(uid), str(thread.state), str(is_active), str(thread.options), int(thread.sched_pri), Address(thread.continuation), Address(stack_start), int(stack_size), str(debugged), str(dtraced), str(args), ]) def render_text(self, outfd, data): self.table_header(outfd, [("Offset", "[addrpad]"), ("Pid", "8"), ("Tid", "8"), ("UID", "8"), ("State", "30"), ("Is Active?","<10"), ("Options", "30"), ("Priority", "8"), ("Startup Addr", "[addrpad]"), ("Stack Start Addr", "[addrpad]"), ("Stack Size (bytes)", "<18"), ("HW Debugged","<11"), ("DTraced","<7"), ("Arguments", "") ]) for proc, thread, stack_start, stack_size, args, registers, is_active, dtraced, debugged, uid in data: if not thread.is_valid(): continue self.table_row(outfd, thread.v(), str(proc.p_pid), str(thread.thread_id), str(uid), str(thread.state), is_active, str(thread.options), str(thread.sched_pri), thread.continuation, stack_start, stack_size, debugged, dtraced, args ) #for reg in registers: # outfd.write("\t{0:<10} {1:}\n".format(reg, registers[reg].strip())) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/socket_filters.py0000644000000000000000000001027113131215405025151 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
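See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.plugins.mac.lsmod as lsmod
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_socket_filters(lsmod.mac_lsmod):
    """ Reports socket filters """
    # Walks the list headed by the _sock_filter_head symbol and reports every
    # populated handler of each filter, together with the verdict of
    # common.is_known_address_name() for that handler address.

    def calculate(self):
        """Yield one tuple per populated handler of every socket filter.

        Yields:
            (good, filter, filter_name, filter_socket, member, ptr, module),
            where good and module come from common.is_known_address_name()
            applied to the handler pointer ptr of the filter field member.
        """
        common.set_plugin_members(self)

        # address data used to decide whether a handler points into known code
        (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)

        members = ["sf_unregistered", "sf_attach", "sf_detach", "sf_notify", "sf_getpeername", "sf_getsockname",
                   "sf_data_in", "sf_data_out", "sf_connect_in", "sf_connect_out", "sf_bind", "sf_setoption",
                   "sf_getoption", "sf_listen", "sf_ioctl"]

        sock_filter_head_addr = self.addr_space.profile.get_symbol("_sock_filter_head")
        sock_filter_list = obj.Object("socket_filter_list", offset = sock_filter_head_addr, vm = self.addr_space)

        # The list pointers come from the memory image; a smeared or tampered
        # image can link the list back onto itself, so remember visited nodes.
        # NOTE(review): assumes .v() on the list pointer yields the node address - confirm.
        visited = set()
        cur = sock_filter_list.tqh_first

        while cur:
            node_addr = cur.v()
            if node_addr in visited:
                break
            visited.add(node_addr)

            sock_filter = cur.sf_filter

            # sf_name is image-controlled: the buffer may hold no NUL within
            # 256 bytes, and str.index() would raise ValueError in that case,
            # so find() is used and the name is kept untruncated.
            # NOTE(review): "or ''" assumes a failed read returns a falsy value - confirm.
            filter_name = self.addr_space.read(sock_filter.sf_name, 256) or ""
            idx = filter_name.find("\x00")
            if idx != -1:
                filter_name = filter_name[:idx]

            filter_socket = cur.sf_entry_head.sfe_socket.obj_offset

            for member in members:
                ptr = sock_filter.m(member)
                # unset handlers are not reported
                if not ptr:
                    continue

                (good, module) = common.is_known_address_name(ptr.v(), kernel_symbol_addresses, kmods)
                yield good, sock_filter, filter_name, filter_socket, member, ptr, module

            cur = cur.sf_global_next.tqe_next

    def unified_output(self, data):
        """Return the TreeGrid description of the plugin's columns and rows."""
        return TreeGrid([("Offset (V)", Address),
                         ("Filter Name", str),
                         ("Filter Member", str),
                         ("Socket (V)", Address),
                         ("Handler", Address),
                         ("Module", str),
                         ("Status", str),
                         ], self.generator(data))

    def generator(self, data):
        """Convert calculate() tuples into TreeGrid rows; good == 0 is shown as UNKNOWN."""
        for (good, sock_filter, filter_name, filter_socket, member, ptr, module) in data:
            status = "UNKNOWN" if good == 0 else "OK"
            yield(0, [
                Address(sock_filter.obj_offset),
                str(filter_name),
                str(member),
                Address(filter_socket),
                Address(ptr),
                str(module),
                str(status),
                ])

    def render_text(self, outfd, data):
        """Write one table row per handler to outfd; good == 0 is shown as UNKNOWN."""
        self.table_header(outfd, [("Offset (V)", "[addrpad]"),
                                  ("Filter Name", "50"),
                                  ("Filter Member", "16"),
                                  ("Socket (V)", "[addrpad]"),
                                  ("Handler", "[addrpad]"),
                                  ("Module", "30"),
                                  ("Status", "")])

        for (good, sock_filter, filter_name, filter_socket, member, ptr, module) in data:
            status = "UNKNOWN" if good == 0 else "OK"
            self.table_row(outfd, sock_filter.obj_offset, filter_name, member, filter_socket, ptr, module, status)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/pstasks.py0000644000000000000000000000322713131215405023624 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .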
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.pslist as pslist import volatility.plugins.mac.common as common class mac_tasks(pslist.mac_pslist): """ List Active Tasks """ def __init__(self, config, *args, **kwargs): pslist.mac_pslist.__init__(self, config, *args, **kwargs) def allprocs(self): common.set_plugin_members(self) tasksaddr = self.addr_space.profile.get_symbol("_tasks") queue_entry = obj.Object("queue_entry", offset = tasksaddr, vm = self.addr_space) seen = [tasksaddr] for task in queue_entry.walk_list(list_head = tasksaddr): if (task.bsd_info and task.obj_offset not in seen): proc = task.bsd_info.dereference_as("proc") yield proc seen.append(task.obj_offset) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/netstat.py0000644000000000000000000000675513131215405023627 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.pstasks as mac_tasks from volatility.renderers import TreeGrid class mac_netstat(mac_tasks.mac_tasks): """ Lists active per-process network connections """ def unified_output(self, data): return TreeGrid([("Proto", str), ("Local IP", str), ("Local Port", int), ("Remote IP", str), ("Remote Port", int), ("State", str), ("Process", str), ("PID", str) ], self.generator(data)) def generator(self, data): for proc in data: for (family, info) in proc.netstat(): if family == 1: (socket, path) = info if path: yield(0, [ "UNIX", str(path).strip(), 0, "-", 0, "-", "-", "-", ]) elif family in [2, 30]: (socket, proto, lip, lport, rip, rport, state) = info yield(0, [ str(proto), str(lip), int(lport), str(rip), int(rport), str(state), str(proc.p_comm), str(proc.p_pid), ]) def render_text(self, outfd, data): self.table_header(outfd, [("Proto", "6"), ("Local IP", "20"), ("Local Port", "6"), ("Remote IP", "20"), ("Remote Port", "6"), ("State", "20"), ("Process", "24")]) for proc in data: for (family, info) in proc.netstat(): if family == 1: (socket, path) = info if path: outfd.write("UNIX {0}\n".format(path)) elif family in [2, 30]: (socket, proto, lip, lport, rip, rport, state) = info self.table_row(outfd, proto, lip, lport, rip, rport, state, "{}/{}".format(proc.p_comm, proc.p_pid)) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/gkextmap.py0000644000000000000000000000362613131215405023757 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
# # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.common as common import volatility.plugins.mac.lsmod as lsmod class mac_lsmod_kext_map(lsmod.mac_lsmod): """ Lists loaded kernel modules """ def calculate(self): common.set_plugin_members(self) p = self.addr_space.profile.get_symbol("_g_kext_map") mapaddr = obj.Object("Pointer", offset = p, vm = self.addr_space) kextmap = mapaddr.dereference_as("_vm_map") nentries = kextmap.hdr.nentries kext = kextmap.hdr for i in range(nentries): kext = kext.links.next if not kext: break macho = obj.Object("macho_header", offset = kext.start, vm = self.addr_space) if macho.is_valid(): kmod_start = macho.address_for_symbol("_kmod_info") if kmod_start: kmod = obj.Object("kmod_info", offset = kmod_start, vm = self.addr_space) if kmod.is_valid(): yield kmod volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/check_syscall_table.py0000644000000000000000000001007613131215405026112 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
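See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_check_syscalls(common.AbstractMacCommand):
    """ Checks to see if system call table entries are hooked """
    # Every sysent handler address is compared with the addresses known to the
    # profile; an address outside that set is reported as HOOKED.

    def __init__(self, config, *args, **kwargs):
        common.AbstractMacCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('syscall-indexes', short_option = 'i', default = None,
                                help = 'Path to unistd_{32,64}.h from the target machine',
                                action = 'store', type = 'str')

    def _parse_handler_names(self):
        """Build a {syscall index: handler name} dict from the syscall-indexes file.

        A line is used only if it splits into at least six tokens, its fourth
        token is "{" and its first token is an integer; the name is the sixth
        token up to its first "(".

        Returns:
            dict mapping int index to handler name; may not cover every index.
        """
        index_names = {}

        # the context manager closes the handle even if reading raises
        with open(self._config.SYSCALL_INDEXES, "r") as index_file:
            for line in index_file:
                ents = line.split()

                if len(ents) < 6 or ents[3] != "{":
                    continue

                name = ents[5].split("(")[0]

                try:
                    index_names[int(ents[0])] = name
                except ValueError:
                    # first token is not a number, so this is not a table entry
                    pass

        return index_names

    def calculate(self):
        """Yield (table_addr, "SyscallTable", index, handler_addr, name, hooked) per sysent entry.

        hooked is True when the handler address is not among the profile's
        known addresses. Nothing is yielded when _nsysent or the table cannot
        be read.
        """
        common.set_plugin_members(self)

        if self._config.SYSCALL_INDEXES:
            index_names = self._parse_handler_names()
        else:
            index_names = None

        sym_addrs = self.profile.get_all_addresses()

        table_addr = self.addr_space.profile.get_symbol("_sysent")

        nsysent = obj.Object("int", offset = self.addr_space.profile.get_symbol("_nsysent"), vm = self.addr_space)

        # "== None" is kept on purpose: NOTE(review) presumably the framework's
        # null object compares equal to None without being None - confirm.
        if nsysent == None or nsysent == 0:
            return

        sysents = obj.Object(theType = "Array", offset = table_addr, vm = self.addr_space, count = nsysent, targetType = "sysent")

        if sysents == None:
            return

        for (i, sysent) in enumerate(sysents):
            ent_addr = sysent.sy_call.v()
            hooked = ent_addr not in sym_addrs

            # The user-supplied file may not list every index; a direct
            # index_names[i] would raise KeyError and abort the scan before
            # the remaining entries are checked, so fall back to the profile.
            sym_name = index_names.get(i) if index_names else None
            if not sym_name:
                sym_name = self.profile.get_symbol_by_address("kernel", ent_addr)
            if not sym_name:
                sym_name = "N/A"

            yield (table_addr, "SyscallTable", i, ent_addr, sym_name, hooked)

    def unified_output(self, data):
        """Return the TreeGrid description of the plugin's columns and rows."""
        return TreeGrid([("Table Name", str),
                         ("Index", int),
                         ("Address", Address),
                         ("Symbol", str),
                         ("Status", str),
                         ], self.generator(data))

    def generator(self, data):
        """Convert calculate() tuples into TreeGrid rows with an OK/HOOKED status."""
        for (_, table_name, i, call_addr, sym_name, hooked) in data:
            status = "HOOKED" if hooked else "OK"
            yield(0, [
                str(table_name),
                int(i),
                Address(call_addr),
                str(sym_name),
                str(status),
                ])

    def render_text(self, outfd, data):
        """Write one table row per syscall entry to outfd with an OK/HOOKED status."""
        self.table_header(outfd, [("Table Name", "15"),
                                  ("Index", "6"),
                                  ("Address", "[addrpad]"),
                                  ("Symbol", "<30"),
                                  ("Status", "")])

        for (_, table_name, i, call_addr, sym_name, hooked) in data:
            status = "HOOKED" if hooked else "OK"
            self.table_row(outfd, table_name, i, call_addr, sym_name, status)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/dead_procs.py0000644000000000000000000000275313131215405024242 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .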
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.common as common import volatility.plugins.mac.list_zones as list_zones import volatility.plugins.mac.pslist as pslist class mac_dead_procs(pslist.mac_pslist): """ Prints terminated/de-allocated processes """ def calculate(self): common.set_plugin_members(self) zones = list_zones.mac_list_zones(self._config).calculate() for zone in zones: name = str(zone.zone_name.dereference()) if name == "proc": procs = zone.get_free_elements("proc") for proc in procs: yield proc volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/arp.py0000644000000000000000000000256613131215405022723 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.common as common import volatility.plugins.mac.route as route class mac_arp(route.mac_route): """ Prints the arp table """ def calculate(self): common.set_plugin_members(self) arp_addr = self.addr_space.profile.get_symbol("_llinfo_arp") ptr = obj.Object("Pointer", offset = arp_addr, vm = self.addr_space) ent = ptr.dereference_as("llinfo_arp") while ent: yield ent.la_rt ent = ent.la_le.le_next volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/dump_map.py0000644000000000000000000004160413131215405023737 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Andrew Case and Golden G. 
Richard III @license: GNU General Public License 2.0 @contact: atcuno@gmail.com / golden@arcanealloy.com @organization: """ import os import volatility.obj as obj import volatility.debug as debug import volatility.plugins.mac.common as common import volatility.plugins.mac.proc_maps as proc_maps import struct import WKdm class mac_dump_maps(proc_maps.mac_proc_maps): """ Dumps memory ranges of process(es), optionally including pages in compressed swap """ def __init__(self, config, *args, **kwargs): proc_maps.mac_proc_maps.__init__(self, config, *args, **kwargs) self._config.add_option('MAP-ADDRESS', short_option = 's', default = None, help = 'Filter by starting address of map', action = 'store', type = 'long') self._config.add_option('OUTPUTFILE', short_option = 'O', default = None, help = 'Output File', action = 'store', type = 'str') self._config.add_option('DECOMPRESS-SWAP', default = False, help = 'Also decompress pages in compressed swap', action = 'store_true') self._config.add_option('ONLY-DECOMPRESSED-SWAP', default = False, help = 'Dump only successfully decompressed swap pages, nothing else', action = 'store_true') self._config.add_option('SKIP-WRITING', short_option = 't', help = 'Skip writing pages, just print stats and optionally test decompression', action = 'store_true', default = False) # defined in osfmk/vm/vm_compressor.h; proper decompression relies on these self.C_SEG_BUFSIZE = (1024 * 256) self.C_SEG_ALLOCSIZE = (self.C_SEG_BUFSIZE + 4096) self.C_SEG_SLOT_ARRAYS = 6 self.C_SEG_SLOT_ARRAY_SIZE = 64 self.C_SEG_SLOT_ARRAY_MASK = (self.C_SEG_SLOT_ARRAY_SIZE - 1) self.C_SEG_OFFSET_ALIGNMENT_MASK = 0x3 # defined in osfmk/vm/vm_compressor_pager.c; proper slot lookup relies on these self.COMPRESSOR_SLOTS_CHUNK_SIZE = 512 self.COMPRESSOR_SLOTS_PER_CHUNK = 128 # (COMPRESSOR_SLOTS_CHUNK_SIZE / sizeof (compressor_slot_t)), compressor_slot_t is a 32-bit int # WKdm decompression in Python self.wkdm=WKdm.WKdm() self.dest = [0] * self.wkdm.PAGE_SIZE_IN_WORDS 
self.successful_decompressions = 0 # don't try to deal with maps larger than this--just skip them self.MAXMAPSIZE = 16000000000 def compressed_page_location(self, outfd, map, addr): # return (seg, idx) pair that identifies the location of a # compressed page starting at 'addr' and belonging to a # vm_map_entry 'map' in the compressor store. Returns (None, # None) if the compressor doesn't own this page. # based on compressor_pager_slot_lookup() in osfmk/vm/vm_compressor_pager.c and # c_decompress_page in osfmk/vm_compressor.c vm_obj = map.object.vm_object if not vm_obj.is_valid() or vm_obj.pager_created == 0 or vm_obj.pager_initialized == 0 or vm_obj.pager_ready == 0: # compressor can't own pages from this object--object has no pager or pager isn't initialized (seg, idx) = (None, None) else: #print "PAGING OFFSET: " + str(vm_obj.paging_offset) addr += vm_obj.paging_offset page_num = addr / self.wkdm.PAGE_SIZE_IN_BYTES pager = vm_obj.pager.dereference_as("compressor_pager") pager_name = pager.cpgr_pager_ops.memory_object_pager_name.dereference_as("char") if pager_name != "c": # "compressor pager" in pager ops # if the pager isn't the compressor_pager, then move on # print " Corresponding pager " + pager_name + " isn't the compressor pager. Substituting zero page." (seg, idx) = (None, None) elif not pager.is_valid(): # pager isn't initialized outfd.write(" Pager isn't initialized. Substituting zero page.\n") (seg, idx) = (None, None) # page is out of range elif page_num > pager.cpgr_num_slots: outfd.write(" page_num > pager.cpgr_num_slots: " + str(page_num) + " " + str(pager.cpgr_num_slots) + ". 
Substituting zero page.\n") (seg, idx) = (None, None) else: #print "## " + str(pager.cpgr_num_slots) #print "## " + str(self.COMPRESSOR_SLOTS_PER_CHUNK) num_chunks = (pager.cpgr_num_slots + self.COMPRESSOR_SLOTS_PER_CHUNK - 1) / self.COMPRESSOR_SLOTS_PER_CHUNK if num_chunks > 1: # array of chunks chunk_idx = page_num / self.COMPRESSOR_SLOTS_PER_CHUNK cpgr_islots = obj.Object("Array", offset = pager.cpgr_slots.cpgr_islots, targetType = "Pointer", count = num_chunks, vm = self.addr_space) chunks_ptr = cpgr_islots[chunk_idx] if chunks_ptr.is_valid(): chunk = obj.Object("Array", offset = chunks_ptr, targetType = "unsigned int", # compressor_slot_t count = self.COMPRESSOR_SLOTS_PER_CHUNK, vm = self.addr_space) slot_idx = page_num % self.COMPRESSOR_SLOTS_PER_CHUNK # chunk[slot_idx] is actually a c_slot_mapping # struct c_slot_mapping { # uint32_t s_cseg:22, /* segment number + 1 */ # s_cindx:10; /* index in the segment */ # }; # print "DOUBLE LEVEL SEGIDX bitfield is " + str(chunk[slot_idx]) seg = chunk[slot_idx] & 0x3FFFFF idx = chunk[slot_idx] >> 22 else: (seg, idx) = (None, None) else: slot_idx = page_num; cpgr_dslots = obj.Object("Array", offset = pager.cpgr_slots.cpgr_dslots, targetType = "unsigned int", # actually compressor_slot_t, == int; count = pager.cpgr_num_slots, vm = self.addr_space) # unsigned here because we have to # cpgr_dslots[slot_idx] is actually a c_slot_mapping: # struct c_slot_mapping { # uint32_t s_cseg:22, /* segment number + 1 */ # s_cindx:10; /* index in the segment */ # }; # print "SINGLE LEVEL SEGIDX bitfield is " + str(cpgr_dslots[slot_idx]) seg = cpgr_dslots[slot_idx] & 0x3FFFFF idx = cpgr_dslots[slot_idx] >> 22 return (seg, idx) def decompress(self, outfd, seg, idx): # decompress and return 4K page identified by (seg, idx). Returns None if decompression fails. page = None if seg >= self.c_segment_count or seg < 1: outfd.write(" Segment out of bounds: " + str(seg) + ". Must be > 0 and < c_segment_count == " + str(self.c_segment_count) + ". 
Substituting zero page.\n") else: c_seg = self.c_segments[seg - 1].c_seg # seg is actually segment index + 1 if c_seg.c_ondisk == 1: outfd.write(" Segment " + str(seg) + " is swapped out. Substituting zero page.\n") else: j1 = idx / self.C_SEG_SLOT_ARRAY_SIZE j2 = idx & self.C_SEG_SLOT_ARRAY_MASK cslot_array = c_seg.c_slots[j1] if cslot_array.is_valid(): cslots = obj.Object("Array", offset = cslot_array, targetType = "c_slot", count = self.C_SEG_SLOT_ARRAY_SIZE, vm = self.addr_space) cslot=cslots[j2] (csize, compressed, status) = (4096 / 4, False, "UNCOMPRESSED") if (cslot.c_size == 4095) else (cslot.c_size / 4, True, "COMPRESSED") if csize > 0: outfd.write(" Slot " + str(j1) + ", " + str(j2) + ": offset = " + str(cslot.c_offset * 4) + " bytes, size = " + str(csize * 4) + " bytes, " + status + "\n") page = obj.Object("Array", offset = c_seg.c_store.c_buffer+cslot.c_offset * 4, targetType = "int", count = csize, vm = self.addr_space) if compressed: # try to decompress page. Compressed data is fed to WKdm as an array of 32-bit ints. decompressed = self.wkdm.WKdm_decompress(page, self.dest) if decompressed > 0: page = self.dest[:] outfd.write(" Decompression successful.\n") else: outfd.write(" Decompression failed. Substituting zero page.\n") page = None else: # for uniformity, so len() will work in _read_addr_range() page = page[:] outfd.write(" Decompression successful.\n") return page def render_text(self, outfd, data): common.set_plugin_members(self) if not self._config.OUTPUTFILE: debug.error("Please specify an OUTPUTFILE") elif os.path.exists(self._config.OUTPUTFILE): debug.error("Cowardly refusing to overwrite an existing file.") outfile = open(self._config.OUTPUTFILE, "wb+") map_address = self._config.MAP_ADDRESS size = 0 self.table_header(outfd, [("Pid", "8"), ("Name", "20"), ("Start", "#018x"), ("End", "#018x"), ("Perms", "9"), ("Map Name", "")]) # from osfmk/vm/vm_object.h. compressor_object is the high level VM object. 
self.compressor_object = obj.Object("vm_object", offset = self.addr_space.profile.get_symbol("_compressor_object_store"), vm = self.addr_space) # from osfmk/vm/vm_compressor.c. c_segments is an array of c_segu objects, which track and store compressed pages. # c_segment_count is current size of c_segments array. self.c_segment_count = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("_c_segment_count"), vm = self.addr_space) self.c_segments_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("_c_segments"), vm = self.addr_space) self.c_segments = obj.Object("Array", targetType = "c_segu", count = self.c_segment_count, offset = self.c_segments_ptr, vm = self.addr_space) for proc, map in data: self.table_row(outfd, str(proc.p_pid), proc.p_comm, map.links.start, map.links.end, map.get_perms(), map.get_path()) if (map.links.end - map.links.start) > self.MAXMAPSIZE: outfd.write("Skipping suspiciously large map, smearing is suspected. Adjust MAXMAPSIZE to override.\n") continue if not map_address or map_address == map.links.start: for page in self._read_addr_range(outfd, proc, map): if not page is None: size += self.wkdm.PAGE_SIZE_IN_BYTES if not self._config.SKIP_WRITING: for k in range(0, self.wkdm.PAGE_SIZE_IN_WORDS): outfile.write(struct.pack('. 
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.pstasks as pstasks import volatility.plugins.mac.common as common from volatility.renderers import TreeGrid from volatility.renderers.basic import Address class mac_proc_maps(pstasks.mac_tasks): """ Gets memory maps of processes """ def calculate(self): common.set_plugin_members(self) procs = pstasks.mac_tasks.calculate(self) for proc in procs: for map in proc.get_proc_maps(): yield proc, map def unified_output(self, data): return TreeGrid([("Pid", int), ("Name", str), ("Start", Address), ("End", Address), ("Perms", str), ("Map Name", str), ], self.generator(data)) def generator(self, data): for (proc, map) in data: path = map.get_path() if path == "": path = map.get_special_path() yield(0, [ int(proc.p_pid), str(proc.p_comm), Address(map.links.start), Address(map.links.end), str(map.get_perms()), str(path), ]) def render_text(self, outfd, data): self.table_header(outfd, [("Pid", "8"), ("Name", "20"), ("Start", "#018x"), ("End", "#018x"), ("Perms", "9"), ("Map Name", "")]) for (proc, map) in data: path = map.get_path() if path == "": path = map.get_special_path() self.table_row(outfd, str(proc.p_pid), proc.p_comm, map.links.start, map.links.end, map.get_perms(), path) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/version.py0000644000000000000000000000246513131215405023624 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
# # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.common as common class mac_version(common.AbstractMacCommand): """ Prints the Mac version """ def calculate(self): common.set_plugin_members(self) yield obj.Object("String", offset = self.addr_space.profile.get_symbol("_version"), vm = self.addr_space, length = 256) def render_text(self, outfd, data): for version in data: outfd.write("{0}\n".format(version)) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/ifconfig.py0000644000000000000000000000474513131215405023726 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.common as common class mac_ifconfig(common.AbstractMacCommand): """ Lists network interface information for all devices """ def calculate(self): common.set_plugin_members(self) list_head_addr = self.addr_space.profile.get_symbol("_dlil_ifnet_head") list_head_ptr = obj.Object("Pointer", offset = list_head_addr, vm = self.addr_space) ifnet = list_head_ptr.dereference_as("ifnet") while ifnet: name = ifnet.if_name.dereference() unit = ifnet.if_unit prom = ifnet.if_flags & 0x100 == 0x100 # IFF_PROMISC addr_dl = ifnet.sockaddr_dl() if addr_dl.is_valid(): mac = addr_dl.v() else: mac = "" ifaddr = ifnet.if_addrhead.tqh_first ips = [] while ifaddr: ip = ifaddr.ifa_addr.get_address() if ip: ips.append(ip) ifaddr = ifaddr.ifa_link.tqe_next yield (name, unit, mac, prom, ips) ifnet = ifnet.if_link.tqe_next def render_text(self, outfd, data): self.table_header(outfd, [("Interface", "10"), ("IP Address", "32"), ("Mac Address", "20"), ("Promiscuous", "")]) for (name, unit, mac, prom, ips) in data: if ips: for ip in ips: self.table_row(outfd, "{0}{1}".format(name, unit), ip, mac, prom) else: # an interface with no IPs self.table_row(outfd, "{0}{1}".format(name, unit), "", mac, prom) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/threads_simple.py0000644000000000000000000000666013131215405025143 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.pstasks as pstasks
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address


class mac_threads_simple(pstasks.mac_tasks):
    """ Lists threads along with their start time and priority """

    def unified_output(self, data):
        """Describe the output columns and bind them to generator()."""
        common.set_plugin_members(self)

        columns = [("PID", int),
                   ("Name", str),
                   ("Start Time", str),
                   ("Priority", int),
                   ("Start Function", Address),
                   ("Function Map", str),
                   ]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per thread of every process in data."""
        kaddr_info = common.get_handler_name_addrs(self)

        for proc in data:
            for thread in proc.threads():
                start_func = thread.continuation
                (module, handler_sym) = common.get_handler_name(kaddr_info, start_func)

                # Prefer the resolved symbol, then the owning module, and only
                # then fall back to the process mapping that holds the address.
                origin = handler_sym or module or proc.find_map_path(start_func)

                yield (0, [
                    int(proc.p_pid),
                    str(proc.p_comm),
                    str(thread.start_time()),
                    int(thread.priority),
                    Address(start_func),
                    str(origin),
                ])

    def render_text(self, outfd, data):
        """Print one table row per thread of every process in data."""
        common.set_plugin_members(self)

        self.table_header(outfd, [("PID", "8"),
                                  ("Name", "16"),
                                  ("Start Time", "32"),
                                  ("Priority", "6"),
                                  ("Start Function", "[addrpad]"),
                                  ("Function Map", ""),
                                  ])

        kaddr_info = common.get_handler_name_addrs(self)

        for proc in data:
            for thread in proc.threads():
                start_func = thread.continuation
                (module, handler_sym) = common.get_handler_name(kaddr_info, start_func)

                # Same resolution order as generator(): symbol, module, mapping.
                origin = handler_sym or module or proc.find_map_path(start_func)

                self.table_row(outfd, proc.p_pid, proc.p_comm,
                               thread.start_time(),
                               thread.priority,
                               start_func, origin)


# [archive member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/trustedbsd.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import sys
import volatility.obj as obj
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address
from lsmod import mac_lsmod as mac_lsmod


class mac_trustedbsd(mac_lsmod):
    """ Lists malicious trustedbsd policies """

    def get_members(self):
        """Return the member table of the profile's 'mac_policy_ops' type."""
        ops_type = self.profile.types['mac_policy_ops']
        return ops_type.keywords["members"]

    def calculate(self):
        """Check every registered policy's operation pointers.

        Yields (good, check, module, name, ptr) for each non-null, valid
        pointer in a policy's mac_policy_ops structure. 'good' and 'module'
        come from common.is_known_address_name().
        """
        common.set_plugin_members(self)

        # every member of 'mac_policy_ops' is a function pointer to check
        ops_members = self.get_members()

        # known kernel and kext addresses, used to judge each pointer
        (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)

        list_addr = self.addr_space.profile.get_symbol("_mac_policy_list")
        policy_list = obj.Object("mac_policy_list", offset=list_addr, vm=self.addr_space)
        entries = obj.Object('Array',
                             offset=policy_list.entries,
                             vm=self.addr_space,
                             targetType='mac_policy_list_element',
                             count=policy_list.staticmax + 1)

        for entry in entries:
            # I don't know how this can happen, but the kernel makes this check all over the place
            # the policy isn't useful without any ops so a rootkit can't abuse this
            if entry.mpc == None:
                continue

            policy_name = entry.mpc.mpc_name.dereference()
            ops = obj.Object("mac_policy_ops", offset=entry.mpc.mpc_ops, vm=self.addr_space)

            # walk each member of the struct
            for check in ops_members:
                ptr = ops.__getattr__(check)
                if ptr.v() == 0 or not ptr.is_valid():
                    continue

                (good, module) = common.is_known_address_name(ptr, kernel_symbol_addresses, kmods)
                yield (good, check, module, policy_name, ptr)

    def unified_output(self, data):
        """Describe the output columns and bind them to generator()."""
        columns = [("Check", str),
                   ("Name", str),
                   ("Pointer", Address),
                   ("Module", str),
                   ("Status", str),
                   ]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per checked pointer."""
        for (good, check, module, name, ptr) in data:
            # Pointers that did not resolve to a known address are reported
            # as HOOKED and should be reviewed by the analyst.
            status = "OK" if good else "HOOKED"

            yield (0, [
                str(check),
                str(name),
                Address(ptr),
                str(module),
                str(status),
            ])

    def render_text(self, outfd, data):
        """Print one table row per checked pointer."""
        self.table_header(outfd, [("Check", "40"),
                                  ("Name", "20"),
                                  ("Pointer", "[addrpad]"),
                                  ("Module", ""),
                                  ("Status", "")])

        for (good, check, module, name, ptr) in data:
            status = "OK" if good else "HOOKED"
            self.table_row(outfd, check, name, ptr, module, status)


# [archive member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/route.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import datetime
import volatility.obj as obj
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid


class mac_route(common.AbstractMacCommand):
    """ Prints the routing table """

    def _get_table(self, tbl):
        """Walk the radix tree under tbl and yield an rtentry per leaf.

        Nodes whose rn_flags has bit 2 set are never yielded, and reaching
        one after a step ends the walk (presumably the root marker; confirm
        against the kernel headers).
        """
        node = tbl.rnh_treetop

        # descend to the left-most leaf (leaves have a negative rn_bit)
        while node.is_valid() and node.rn_bit >= 0:
            node = node.rn_u.rn_node.rn_L

        visited = set()

        while node.is_valid():
            base = node

            # guard against cycles in a smeared or tampered tree
            if node in visited:
                break
            visited.add(node)

            # climb while this node is its parent's right child
            while (node.is_valid()
                   and node.rn_parent.rn_u.rn_node.rn_R == node
                   and node.rn_flags & 2 == 0):
                node = node.rn_parent

            # step to the right sibling, then down to its left-most leaf
            node = node.rn_parent.rn_u.rn_node.rn_R
            while node.is_valid() and node.rn_bit >= 0:
                node = node.rn_u.rn_node.rn_L

            upcoming = node

            # emit the current leaf and every duplicate key chained to it
            while base.v() != 0:
                node = base
                base = node.rn_u.rn_leaf.rn_Dupedkey

                if node.rn_flags & 2 == 0:
                    yield obj.Object("rtentry", offset=node, vm=self.addr_space)

            node = upcoming

            if node.rn_flags & 2 != 0:
                break

    def calculate(self):
        """Yield every rtentry found in the table at index 2 of _rt_tables."""
        common.set_plugin_members(self)

        tables_addr = self.addr_space.profile.get_symbol("_rt_tables")

        ## FIXME: if we only use ents[2] why do we need to instantiate 32?
        tables = obj.Object('Array',
                            offset=tables_addr,
                            vm=self.addr_space,
                            targetType='Pointer',
                            count=32)

        ipv4table = obj.Object("radix_node_head", offset=tables[2], vm=self.addr_space)

        for rt in self._get_table(ipv4table):
            yield rt

    def unified_output(self, data):
        """Describe the output columns and bind them to generator()."""
        columns = [("Source IP", str),
                   ("Dest. IP", str),
                   ("Name", str),
                   ("Sent", int),
                   ("Recv", int),
                   ("Time", str),
                   ("Exp.", int),
                   ("Delta", int)
                   ]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per route entry."""
        for rt in data:
            row = [
                str(rt.source_ip),
                str(rt.dest_ip),
                str(rt.name),
                int(rt.sent),
                int(rt.rx),
                str(rt.get_time()),
                int(rt.expire()),
                int(rt.delta),
            ]
            yield (0, row)

    def render_text(self, outfd, data):
        """Print one table row per route entry."""
        self.table_header(outfd, [("Source IP", "24"),
                                  ("Dest. IP", "24"),
                                  ("Name", "^10"),
                                  ("Sent", "^18"),
                                  ("Recv", "^18"),
                                  ("Time", "^30"),
                                  ("Exp.", "^10"),
                                  ("Delta", "")])

        for rt in data:
            self.table_row(outfd,
                           rt.source_ip,
                           rt.dest_ip,
                           rt.name,
                           rt.sent,
                           rt.rx,
                           rt.get_time(),
                           rt.expire(),
                           rt.delta)


# [archive member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/pslist.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
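#
"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.utils as utils
import volatility.debug as debug
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address


class mac_pslist(common.AbstractMacCommand):
    """ List Running Processes """

    def __init__(self, config, *args, **kwargs):
        """Register the PID (-p) and TASK (-T) filter options."""
        common.AbstractMacCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('PID', short_option = 'p', default = None,
                                help = 'Operate on these Process IDs (comma-separated)',
                                action = 'store', type = 'str')
        self._config.add_option('TASK', short_option = 'T', default = None,
                                help = 'Operate on this process (virtual address from mac_psxview)',
                                action = 'store', type = 'str')

    @staticmethod
    def virtual_process_from_physical_offset(addr_space, offset):
        """Map a proc found at a physical offset back to its virtual object.

        The proc is read from a physical address space, its task pointer is
        followed in addr_space, and the task's bsd_info is returned as a proc.
        """
        pspace = utils.load_as(addr_space.get_config(), astype = 'physical')
        proc = obj.Object("proc", vm = pspace, offset = offset)
        task = obj.Object("task", vm = addr_space, offset = proc.task)
        return task.bsd_info.dereference_as("proc")

    def allprocs(self):
        """Yield every proc on the list headed by the _allproc symbol.

        This is the list an unlinking rootkit edits, so a process missing
        here may still exist; the warning below points at the plugins that
        enumerate processes by other means.
        """
        p = self.addr_space.profile.get_symbol("_allproc")

        procsaddr = obj.Object("proclist", offset = p, vm = self.addr_space)
        proc = obj.Object("proc", offset = procsaddr.lh_first, vm = self.addr_space)

        # A set keeps the cycle check constant-time per process.
        seen = set()

        while proc.is_valid():
            if proc.obj_offset in seen:
                debug.warning("Recursive process list detected (a result of non-atomic acquisition). Use mac_tasks or mac_psxview")
                break

            seen.add(proc.obj_offset)
            yield proc
            proc = proc.p_list.le_next.dereference()

    def calculate(self):
        """Yield the proc objects selected by the TASK or PID options.

        With TASK set, a single proc is built at that hexadecimal address.
        Otherwise the process list is walked and optionally filtered by PID.
        """
        common.set_plugin_members(self)

        if self._config.TASK:
            task_addr = self._config.TASK

            try:
                task_addr = int(task_addr, 16)
            except (TypeError, ValueError):
                # int() raises ValueError for a string that is not valid hex;
                # catching only TypeError let that escape as a traceback.
                debug.error("Invalid task address given. Must be address in hex.")

            yield obj.Object("proc", offset = task_addr, vm = self.addr_space)
        else:
            pidlist = None

            try:
                if self._config.PID:
                    pidlist = [int(p) for p in self._config.PID.split(',')]
            except (AttributeError, TypeError, ValueError):
                # An unparsable filter still falls back to listing every
                # process, but the analyst is told the filter was dropped.
                debug.warning("Could not parse the PID list; listing all processes")

            for proc in self.allprocs():
                if not pidlist or proc.p_pid in pidlist:
                    yield proc

    def unified_output(self, data):
        """Describe the output columns and bind them to generator()."""
        return TreeGrid([("Offset (V)", Address),
                         ("Name", str),
                         ("PID", int),
                         ("Uid", int ),
                         ("Gid", int),
                         ("PGID", int),
                         ("Bits", str),
                         ("DTB", Address),
                         ("Start time", str),
                         ], self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per valid, named process."""
        for proc in data:
            if not proc.is_valid() or len(proc.p_comm) == 0:
                continue

            # Strip the "TASK_MAP_" prefix from the enumeration
            bit_string = str(proc.task.map.pmap.pm_task_map or '')[9:]

            yield (0, [
                Address(proc.v()),
                str(proc.p_comm),
                int(proc.p_pid),
                int(proc.p_uid),
                int(proc.p_gid),
                int(proc.p_pgrpid),
                str(bit_string),
                Address(proc.task.dereference_as("task").map.pmap.pm_cr3),
                str(proc.start_time()),
            ])

    def render_text(self, outfd, data):
        """Print one table row per valid, named process."""
        self.table_header(outfd, [("Offset", "[addrpad]"),
                                  ("Name", "20"),
                                  ("Pid", "8"),
                                  ("Uid", "8"),
                                  ("Gid", "8"),
                                  ("PGID", "8"),
                                  ("Bits", "12"),
                                  ("DTB", "#018x"),
                                  ("Start Time", "")])

        for proc in data:
            if not proc.is_valid() or len(proc.p_comm) == 0:
                continue

            # Strip the "TASK_MAP_" prefix from the enumeration
            bit_string = str(proc.task.map.pmap.pm_task_map or '')[9:]

            self.table_row(outfd, proc.v(),
                           proc.p_comm,
                           str(proc.p_pid),
                           str(proc.p_uid),
                           str(proc.p_gid),
                           str(proc.p_pgrpid),
                           bit_string,
                           proc.task.dereference_as("task").map.pmap.pm_cr3,
                           proc.start_time())


# [archive member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/vfsevents.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.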
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.mac.common as common


class mac_vfsevents(common.AbstractMacCommand):
    """ Lists processes filtering file system events """

    def calculate(self):
        """Yield (watcher pointer, process name, pid, events) per watcher.

        Reads the 8 pointers at the _watcher_table symbol. 'events' is a
        comma-separated list of the event types whose flag byte equals 1.
        """
        common.set_plugin_members(self)

        if not self.addr_space.profile.obj_has_member("fs_event_watcher", "proc_name"):
            debug.error("This plugin only supports OS X >= 10.8.2. Please file a bug if you are running against a version matching this criteria.")

        # index in this list == index in the watcher's event_list array
        event_types = ["CREATE_FILE", "DELETE", "STAT_CHANGED", "RENAME",
                       "CONTENT_MODIFIED", "EXCHANGE", "FINDER_INFO_CHANGED",
                       "CREATE_DIR", "CHOWN",
                       "XATTR_MODIFIED", "XATTR_REMOVED",
                       "DOCID_CREATED", "DOCID_CHANGED"]

        table_addr = self.addr_space.profile.get_symbol("_watcher_table")
        watchers = obj.Object(theType="Array", targetType="Pointer", count=8,
                              vm=self.addr_space, offset=table_addr)

        for watcher_addr in watchers:
            if not watcher_addr.is_valid():
                continue

            watcher = watcher_addr.dereference_as("fs_event_watcher")

            # proc_name is read as a raw 33-byte buffer and cut at the first NUL
            name = self.addr_space.read(watcher.proc_name.obj_offset, 33)
            if name:
                nul_at = name.find("\x00")
                if nul_at != -1:
                    name = name[:nul_at]

            flags = obj.Object(theType="Array", targetType="unsigned char",
                               offset=watcher.event_list.v(), count=13,
                               vm=self.addr_space)

            watched = [event_types[i] for (i, flag) in enumerate(flags) if flag == 1]
            events = ", ".join(watched)

            yield watcher_addr, name, watcher.pid, events

    def render_text(self, outfd, data):
        """Print one table row per file system event watcher."""
        self.table_header(outfd, [("Offset", "[addrpad]"),
                                  ("Name", "20"),
                                  ("Pid", "8"),
                                  ("Events", "")])

        for (addr, name, pid, events) in data:
            self.table_row(outfd, addr, name, pid, events)


# [archive member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/apihooks.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.pstasks as pstasks
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address
import distorm3


class mac_apihooks(pstasks.mac_tasks):
    """ Checks for API hooks in processes """

    def __init__(self, config, *args, **kwargs):
        """Create the per-process mapping cache, then initialise the base plugin."""
        self.mapping_cache = {}

        pstasks.mac_tasks.__init__(self, config, *args, **kwargs)

    def _is_api_hooked(self, sym_addr, proc_as):
        """Inspect the first instructions at sym_addr for a control transfer.

        Reads 24 bytes and examines at most three valid instructions.
        Returns (hook_type, target) with hook_type one of "JMP", "CALL" or
        "RET", or None when no such pattern is found.
        """
        hook_type = None
        addr = None
        counter = 1
        prev_op = None

        is_32bit = self.profile.metadata.get('memory_model', '32bit') == '32bit'
        mode = distorm3.Decode32Bits if is_32bit else distorm3.Decode64Bits

        data = proc_as.read(sym_addr, 24)

        for op in distorm3.Decompose(sym_addr, data, mode):
            if not op or not op.valid:
                continue

            if op.mnemonic == "JMP":
                hook_type = "JMP"
                addr = 0 # default in case we cannot extract

                # check for a mov reg, addr; jmp reg;
                if (prev_op
                        and prev_op.mnemonic == "MOV"
                        and prev_op.operands[0].type == 'Register'
                        and op.operands[0].type == 'Register'):
                    # only trust the MOV source when both use the same register
                    if prev_op.operands[0].name == op.operands[0].name:
                        addr = prev_op.operands[1].value
                else:
                    addr = op.operands[0].value

            elif op.mnemonic == "CALL":
                hook_type = "CALL"
                addr = op.operands[0].value

            # push xxxx; ret;
            elif counter == 2 and op.mnemonic == "RET":
                # These two-instruction bodies end the scan without being
                # reported: the RET only ends a trivial function.
                first = prev_op.operands[0]
                if prev_op.mnemonic == "MOV" and first.type == 'Register' and first.name in ["RAX", "EAX"]:
                    break
                elif prev_op.mnemonic == "XOR" and first.type == 'Register' and prev_op.operands[1].type == 'Register':
                    break
                elif prev_op.mnemonic == "MOV" and first.type == 'Register' and prev_op.operands[1].type == 'Register':
                    break

                hook_type = "RET"
                addr = sym_addr

            if hook_type:
                break

            counter = counter + 1
            if counter == 4:
                break

            prev_op = op

        if hook_type:
            return hook_type, addr
        return None

    def _fill_mapping_cache(self, proc):
        """Cache (path, start, end) for every Mach-O segment of every image."""
        proc_as = proc.get_process_address_space()

        self.mapping_cache[proc.v()] = {}

        ranges = []
        for mapping in proc.get_dyld_maps():
            header = obj.Object("macho_header", offset=mapping.imageLoadAddress, vm=proc_as)

            for seg in header.segments():
                ranges.append((mapping.imageFilePath, seg.vmaddr, seg.vmaddr + seg.vmsize))

        self.mapping_cache[proc.v()] = ranges

    def _find_mapping(self, proc, addr):
        """Return the first cached (path, start, end) containing addr, or None."""
        if proc.v() not in self.mapping_cache:
            self._fill_mapping_cache(proc)

        for (path, start, end) in self.mapping_cache[proc.v()]:
            if start <= addr <= end:
                return (path, start, end)

        return None

    def _find_mapping_proc_maps(self, proc, addr):
        """Return (path, start, end) from the process maps containing addr.

        Every map is scanned; if several contain addr the last one wins.
        """
        found = None

        for mapping in proc.get_proc_maps():
            if mapping.start <= addr <= mapping.end:
                found = (mapping.get_path(), mapping.start, mapping.end)

        return found

    def calculate(self):
        """Classify every imported symbol of every image in every process.

        Yields (proc, name, addr, is_lazy, is_ptr_hooked, is_api_hooked,
        hook_type, hook_addr, addr_mapping). A pointer hook means the import
        resolves into a mapping the image does not list as needed; an API
        hook means the target starts with a control transfer.
        """
        common.set_plugin_members(self)

        procs = pstasks.mac_tasks(self._config).calculate()

        for proc in procs:
            proc_as = proc.get_process_address_space()

            for mapping in proc.get_dyld_maps():
                path = mapping.imageFilePath

                macho = obj.Object("macho_header", offset=mapping.imageLoadAddress, vm=proc_as)

                needed_libraries = set(macho.needed_libraries())

                for (name, addr) in macho.imports():
                    is_lazy = False
                    is_ptr_hooked = False
                    is_api_hooked = False
                    hook_addr = 0
                    hook_type = ""

                    vma_mapping = self._find_mapping(proc, addr)
                    if vma_mapping == None:
                        vma_mapping = self._find_mapping_proc_maps(proc, addr)

                    if vma_mapping:
                        (vma_path, vma_start, vma_end) = vma_mapping
                    else:
                        # the address points to a bogus (non-mapped region)
                        vma_path = ""
                        vma_start = addr
                        vma_end = addr

                    addr_mapping = vma_path

                    # non-resolved symbols
                    if vma_start <= mapping.imageLoadAddress <= vma_end:
                        is_lazy = True
                    else:
                        is_ptr_hooked = addr_mapping not in needed_libraries

                        # check if pointing into the shared region
                        # this happens as libraries in the region are not listed as needed
                        if is_ptr_hooked:
                            region = proc.task.shared_region
                            if region.sr_base_address <= addr <= region.sr_base_address + region.sr_size:
                                is_ptr_hooked = False

                        if not is_ptr_hooked:
                            is_api_hooked = self._is_api_hooked(addr, proc_as)
                            if is_api_hooked:
                                (hook_type, hook_addr) = is_api_hooked

                    yield (proc, name, addr, is_lazy, is_ptr_hooked, is_api_hooked, hook_type, hook_addr, addr_mapping)

    def unified_output(self, data):
        """Describe the output columns and bind them to generator()."""
        columns = [("Name", str),
                   ("PID", int),
                   ("Symbol", str),
                   ("Sym Address", Address),
                   ("Lazy", str),
                   ("Ptr Hook", str),
                   ("API Hook", str),
                   ("Hook Type", str),
                   ("Hook Addr", Address),
                   ("Hook Library", str),
                   ]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per imported symbol, flags shown as text."""
        for (task, name, addr, is_lazy, is_ptr_hooked, is_api_hooked, hook_type, hook_addr, addr_mapping) in data:
            lazy_text = "True" if is_lazy else "False"
            ptr_text = "True" if is_ptr_hooked else "False"
            api_text = "True" if is_api_hooked else "False"

            yield (0, [
                str(task.p_comm),
                int(task.p_pid),
                str(name),
                Address(addr),
                str(lazy_text),
                str(ptr_text),
                str(api_text),
                str(hook_type),
                Address(hook_addr),
                str(addr_mapping),
            ])

    def render_text(self, outfd, data):
        """Print one table row per imported symbol, flags shown as text."""
        self.table_header(outfd, [("Name", "16"),
                                  ("PID", "6"),
                                  ("Symbol", "25"),
                                  ("Sym Address", "[addrpad]"),
                                  ("Lazy", "5"),
                                  ("Ptr Hook", "6"),
                                  ("API Hook", "6"),
                                  ("Hook Type", "6"),
                                  ("Hook Addr", "[addrpad]"),
                                  ("Hook Library", ""),
                                  ])

        for (task, name, addr, is_lazy, is_ptr_hooked, is_api_hooked, hook_type, hook_addr, addr_mapping) in data:
            lazy_text = "True" if is_lazy else "False"
            ptr_text = "True" if is_ptr_hooked else "False"
            api_text = "True" if is_api_hooked else "False"

            self.table_row(outfd, task.p_comm, task.p_pid, name, addr,
                           lazy_text, ptr_text, api_text,
                           hook_type, hook_addr, addr_mapping)


# [archive member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/print_boot_cmdline.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid


class mac_print_boot_cmdline(common.AbstractMacCommand):
    """ Prints kernel boot arguments """

    def calculate(self):
        """Yield the CommandLine member of the boot_args behind _PE_state.

        Boot arguments can change kernel behaviour, so the recovered line is
        worth comparing with the system's expected configuration.
        """
        common.set_plugin_members(self)

        state_addr = self.addr_space.profile.get_symbol("_PE_state")
        state = obj.Object("PE_state", offset=state_addr, vm=self.addr_space)

        boot_args = state.bootArgs.dereference_as("boot_args")
        yield boot_args.CommandLine

    def unified_output(self, data):
        """Describe the single output column and bind it to generator()."""
        columns = [("Command Line", str),
                   ]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per command line."""
        for cmdline in data:
            yield (0, [str(cmdline),])

    def render_text(self, outfd, data):
        """Print one table row per command line."""
        self.table_header(outfd, [("Command Line", "")])

        for cmdline in data:
            self.table_row(outfd, cmdline)


# [archive member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/session_hash_table.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.plugins.mac.pslist as pslist
import volatility.obj as obj
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid


class mac_list_sessions(pslist.mac_pslist):
    """ Enumerates sessions """

    def calculate(self):
        """Yield every session chained off the buckets of _sesshashtbl.

        The bucket count is the value stored at _sesshash plus one.
        """
        common.set_plugin_members(self)

        mask_addr = self.addr_space.profile.get_symbol("_sesshash")
        mask = obj.Object("unsigned long", offset=mask_addr, vm=self.addr_space)

        table_addr = self.addr_space.profile.get_symbol("_sesshashtbl")
        table_ptr = obj.Object("Pointer", offset=table_addr, vm=self.addr_space)

        buckets = obj.Object(theType="Array", targetType="sesshashhead",
                             count=mask + 1, vm=self.addr_space,
                             offset=table_ptr)

        for bucket in buckets:
            session = bucket.lh_first

            # follow the hash chain until the next pointer is null
            while session:
                yield session
                session = session.s_hash.le_next

    def unified_output(self, data):
        """Describe the output columns and bind them to generator()."""
        columns = [("Leader (Pid)", int),
                   ("Leader (Name)", str),
                   ("Login Name", str),
                   ]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per session."""
        for sess in data:
            # defaults used when the session has no leader process
            pid = -1
            pname = ""

            leader = sess.s_leader
            if leader:
                pid = sess.s_leader.p_pid
                pname = sess.s_leader.p_comm

            yield (0, [
                int(pid),
                str(pname),
                str(sess.s_login),
            ])

    def render_text(self, outfd, data):
        """Print one table row per session."""
        self.table_header(outfd, [("Leader (Pid)", "8"),
                                  ("Leader (Name)", "20"),
                                  ("Login Name", "25")])

        for sess in data:
            # defaults used when the session has no leader process
            pid = -1
            pname = ""

            leader = sess.s_leader
            if leader:
                pid = sess.s_leader.p_pid
                pname = sess.s_leader.p_comm

            self.table_row(outfd, pid, pname, sess.s_login)


# [archive member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/notesapp.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
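#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import os
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.mac.pstasks as pstasks
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address


class mac_notesapp(pstasks.mac_tasks):
    """ Finds contents of Notes messages """

    # NOTE(review): both search markers were empty strings in the listing
    # this was taken from, which makes find() return 0 forever and the scan
    # never terminate. They are restored as HTML document tags; the original
    # slice length of 7 matches len("</html>"). Confirm against upstream.
    _START_TAG = "<html>"
    _END_TAG = "</html>"

    def __init__(self, config, *args, **kwargs):
        """Register the DUMP-DIR (-D) output directory option."""
        pstasks.mac_tasks.__init__(self, config, *args, **kwargs)
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None,
                                help = 'Output directory',
                                action = 'store', type = 'str')

    def calculate(self):
        """Carve note bodies out of the Notes process heap.

        Scans every anonymous "rw-" mapping of processes whose name contains
        "notes" and yields (proc, virtual address, message) for each span
        from a start tag through the next end tag.
        """
        common.set_plugin_members(self)

        procs = pstasks.mac_tasks.calculate(self)

        for proc in procs:
            if str(proc.p_comm).lower().find("notes") == -1:
                continue

            proc_as = proc.get_process_address_space()

            for vm_map in proc.get_proc_maps():
                if vm_map.get_perms() != "rw-" or vm_map.get_path() != "":
                    continue

                base = vm_map.start.v()
                contents = proc_as.zread(base, vm_map.end.v() - base)
                if not contents:
                    continue

                # Search from an offset instead of re-slicing the buffer on
                # every iteration; the offsets found are the same.
                pos = 0
                while True:
                    begin = contents.find(self._START_TAG, pos)
                    if begin == -1:
                        break

                    end = contents.find(self._END_TAG, begin)
                    if end == -1:
                        break

                    msg = contents[begin:end + len(self._END_TAG)]

                    yield proc, base + begin, msg

                    pos = end

    def _check_dump_dir(self):
        """Abort through debug.error unless DUMP_DIR is an existing directory."""
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

    def _dump_message(self, proc, start, msg):
        """Write one carved message into DUMP_DIR and return the file path.

        The file name is built only from the pid and the start address. The
        content is recovered user data and should be handled as evidence.
        """
        fname = "Notes.{0}.{1:x}.txt".format(proc.p_pid, start)
        file_path = os.path.join(self._config.DUMP_DIR, fname)

        # the context manager closes the handle even if the write fails
        with open(file_path, "wb") as fd:
            fd.write(msg)

        return file_path

    def unified_output(self, data):
        """Validate the dump directory, then describe the output columns."""
        self._check_dump_dir()

        return TreeGrid([("Pid", int),
                         ("Name", str),
                         ("Start", Address),
                         ("Size", int),
                         ("Path", str),
                         ], self.generator(data))

    def generator(self, data):
        """Dump each message to disk and yield one TreeGrid row for it."""
        for (proc, start, msg) in data:
            file_path = self._dump_message(proc, start, msg)

            yield (0, [
                int(proc.p_pid),
                str(proc.p_comm),
                Address(start),
                int(len(msg)),
                str(file_path),
            ])

    def render_text(self, outfd, data):
        """Dump each message to disk and print one table row for it."""
        self._check_dump_dir()

        self.table_header(outfd, [("Pid", "8"),
                                  ("Name", "20"),
                                  ("Start", "[addrpad]"),
                                  ("Size", "8"),
                                  ("Path", "")])

        for (proc, start, msg) in data:
            file_path = self._dump_message(proc, start, msg)

            self.table_row(outfd,
                           str(proc.p_pid),
                           proc.p_comm,
                           start,
                           len(msg),
                           file_path)


# [archive member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/devfs.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.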
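#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.plugins.mac.list_files as mac_list_files


class mac_devfs(common.AbstractMacCommand):
    """ Lists cdevsw handler pointers for device files """

    def calculate(self):
        """Resolve the cdevsw handlers behind every device vnode.

        For each vnode whose v_type is 3 or 4 (presumably the block and
        character device types; confirm against the profile), the device's
        major number selects an entry of the _cdevsw table. Yields
        (cdevsw entry, path, member, handler pointer, module, symbol) for
        each non-null handler, so a handler that resolves outside the
        expected module can be spotted.
        """
        common.set_plugin_members(self)

        nchrdev_addr = self.addr_space.profile.get_symbol("_nchrdev")
        nchrdev = obj.Object("unsigned int", offset = nchrdev_addr, vm = self.addr_space)

        cdevsw_addr = self.addr_space.profile.get_symbol("_cdevsw")
        cdevsw = obj.Object(theType = "Array", targetType = "cdevsw", offset = cdevsw_addr, vm = self.addr_space, count = nchrdev)

        kaddr_info = common.get_handler_name_addrs(self)

        # d_ttys and d_type are skipped; the remaining members are read as
        # handler pointers below
        skipped = ('d_ttys', 'd_type')
        op_members = [m for m in self.profile.types['cdevsw'].keywords["members"].keys()
                      if m not in skipped]

        files = mac_list_files.mac_list_files(self._config).calculate()
        for vnode, path in files:
            if vnode.v_type.v() not in [3, 4]:
                continue

            if path.startswith("/Macintosh HD"):
                path = path[13:]

            dn = vnode.v_data.dereference_as("devnode")

            dev = dn.dn_typeinfo.dev
            major = (dev >> 24) & 0xff

            # The table holds nchrdev entries, so the last valid index is
            # nchrdev - 1. Accepting major == nchrdev would interpret the
            # memory after the table as a cdevsw entry.
            if not (0 <= major < nchrdev):
                continue

            cdev = cdevsw[major]

            for member in op_members:
                ptr = cdev.__getattr__(member).v()

                if ptr != 0:
                    (module, handler_sym) = common.get_handler_name(kaddr_info, ptr)

                    yield (cdev.v(), path, member, ptr, module, handler_sym)

    def render_text(self, outfd, data):
        """Print one table row per non-null handler pointer."""
        self.table_header(outfd, [("Offset (V)", "[addrpad]"),
                                  ("Path", "16"),
                                  ("Member", "16"),
                                  ("Handler", "[addrpad]"),
                                  ("Module", "32"),
                                  ("Handler", "")])

        for (cdev, path, member, handler, module, sym) in data:
            self.table_row(outfd, cdev, path, member, handler, module, sym)


# [archive member] volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/list_zones.py
# Volatility
#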
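# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid

class mac_list_zones(common.AbstractMacCommand):
    """ Prints active zones """

    def calculate(self):
        """Yield every zone reachable from the kernel's _first_zone pointer."""
        common.set_plugin_members(self)

        first_zone_addr = self.addr_space.profile.get_symbol("_first_zone")

        zone_ptr = obj.Object("Pointer", offset = first_zone_addr, vm = self.addr_space)
        zone = zone_ptr.dereference_as("zone")

        # The list links come from the memory image; remember what was
        # already visited so a circular next_zone chain cannot loop forever.
        seen = set()

        while zone:
            if zone.obj_offset in seen:
                break
            seen.add(zone.obj_offset)

            yield zone
            zone = zone.next_zone

    def unified_output(self, data):
        """Describe the output columns; "Free Count" is -1 when unavailable."""
        return TreeGrid([("Name", str),
                         ("Active Count", int),
                         ("Free Count", int),
                         ("Element Size", int)
                         ], self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per zone.

        The "Free Count" column is declared as int, so the "N/A" marker used
        by render_text() cannot be emitted here (int("N/A") raises
        ValueError). -1 is used instead when the profile has no sum_count.
        """
        for zone in data:
            name = zone.zone_name.dereference().replace(" ", ".")

            # sum_count was introduced in 10.8.x
            # do not want to overlay as 0 b/c we mess up subtraction
            free_count = -1
            if hasattr(zone, "sum_count"):
                free_count = zone.sum_count - zone.count

            yield(0, [
                str(name),
                int(zone.count),
                int(free_count),
                int(zone.elem_size),
                ])

    def render_text(self, outfd, data):
        """Write one text-table row per zone; free count is "N/A" before 10.8."""
        self.table_header(outfd, [("Name", "30"),
                                  ("Active Count", ">10"),
                                  ("Free Count", ">10"),
                                  ("Element Size", ">10")])
        for zone in data:
            name = zone.zone_name.dereference().replace(" ", ".")

            # sum_count was introduced in 10.8.x
            # do not want to overlay as 0 b/c we mess up subtraction
            sum_count = "N/A"
            if hasattr(zone, "sum_count"):
                sum_count = zone.sum_count - zone.count

            self.table_row(outfd, name, zone.count, sum_count, zone.elem_size)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/classes.py0000644000000000000000000000714413131215405023573 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.utils as utils
import volatility.debug as debug
import volatility.plugins.mac.common as common

class mac_kernel_classes(common.AbstractMacCommand):
    """ Lists loaded c++ classes in the kernel """

    def _struct_or_class(self, type_name):
        """Return the name of a structure or class.

        More recent versions of OSX define some types as
        classes instead of structures, so the naming is
        a little different.
        """
        if self.addr_space.profile.vtypes.has_key(type_name):
            return type_name
        else:
            return type_name + "_class"

    def calculate(self):
        """Yield (class name, vtable slot value, module, symbol) rows.

        Walks the dictionary found through the sAllClassesDict symbol and,
        for each valid entry, reads consecutive pointer-sized slots until a
        zero slot is met, resolving every slot with
        common.get_handler_name().
        """
        common.set_plugin_members(self)

        kaddr_info = common.get_handler_name_addrs(self)

        dict_ptr_addr = common.get_cpp_sym("sAllClassesDict", self.addr_space.profile)
        dict_addr = obj.Object("unsigned long", offset = dict_ptr_addr, vm = self.addr_space)

        fdict = obj.Object(self._struct_or_class("OSDictionary"), offset = dict_addr.v(), vm = self.addr_space)

        # fdict.count is read from the image and sizes the entry array.
        ents = obj.Object('Array', offset = fdict.dictionary,
                          vm = self.addr_space,
                          targetType = self._struct_or_class("dictEntry"),
                          count = fdict.count)

        for ent in ents:
            if ent == None or not ent.is_valid():
                continue

            # class_name is computed but the rows below report cname instead.
            class_name = str(ent.key.dereference_as(self._struct_or_class("OSString")))

            osmeta = obj.Object(self._struct_or_class("OSMetaClass"), offset = ent.value.v(), vm = self.addr_space)

            cname = str(osmeta.className.dereference_as(self._struct_or_class("OSString")))

            offset = 0

            if hasattr(osmeta, "metaClass"):
                arr_start = osmeta.metaClass.v()
            else:
                arr_start = obj.Object("Pointer", offset = osmeta.obj_offset, vm = self.addr_space)

            vptr = obj.Object("unsigned long", offset = arr_start, vm = self.addr_space)

            # NOTE(review): the walk ends only at a zero slot; on a damaged
            # or tampered image this may run far past the table -- consider
            # an upper bound on the number of slots.
            while vptr != 0:
                (module, handler_sym) = common.get_handler_name(kaddr_info, vptr)

                yield (cname, vptr, module, handler_sym)

                offset = offset + vptr.size()

                vptr = obj.Object("unsigned long", offset = arr_start + offset, vm = self.addr_space)

    def render_text(self, outfd, data):
        """Write the rows produced by calculate() as a text table to outfd."""
        self.table_header(outfd, [("Class", "48"),
                                  ("Address", "[addrpad]"),
                                  ("Module", "48"),
                                  ("Handler", "")])

        for (cname, vptr, module, handler_sym) in data:
            self.table_row(outfd, cname, vptr, module, handler_sym)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/dmesg.py0000644000000000000000000000365213131215405023235 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.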
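#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_dmesg(common.AbstractMacCommand):
    """ Prints the kernel debug buffer """

    def calculate(self):
        """Yield the kernel message buffer as a single string.

        The buffer is located through the _msgbufp symbol. msg_bufx and
        msg_size are taken from the memory image, so they are treated as
        untrusted: an unreadable buffer yields nothing, and an out-of-range
        msg_bufx no longer raises IndexError.
        """
        common.set_plugin_members(self)

        msgbuf_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("_msgbufp"), vm = self.addr_space)
        msgbufp = msgbuf_ptr.dereference_as("msgbuf")

        bufx = msgbufp.msg_bufx
        size = msgbufp.msg_size

        # NOTE(review): size comes straight from the image and is used as the
        # read length -- consider capping it.
        bufc = self.addr_space.read(msgbufp.msg_bufc, size)

        # Nothing could be read (unmapped buffer or zero size).
        if not bufc:
            return

        # NOTE(review): bufc is indexed like a string below (ord(buf[0])), so
        # comparing its elements with the integer 0 looks like it can never
        # match; the get_string() branch is probably dead -- confirm before
        # changing it.
        if 0 <= bufx < len(bufc) and bufc[bufx] == 0 and bufc[0] != 0:
            ## FIXME: can we do this without get_string?
            buf = common.get_string(bufc, self.addr_space)
        else:
            if bufx > size:
                bufx = 0

            # older messages
            buf = bufc[bufx:bufx + size]
            buf = buf + bufc[0:bufx]

        # strip leading NULLs; stop on an empty (all-NUL) buffer instead of
        # indexing past its end
        while buf and ord(buf[0]) == 0x00:
            buf = buf[1:]

        yield buf

    def render_text(self, outfd, data):
        """Write each buffer yielded by calculate() followed by a newline."""
        for buf in data:
            outfd.write("{0}\n".format(buf))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/memdump.py0000644000000000000000000000460413131215405023600 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.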
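#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

import os
import volatility.plugins.mac.pstasks as pstasks
import volatility.debug as debug

class mac_memdump(pstasks.mac_tasks):
    """ Dump addressable memory pages to a file """

    def __init__(self, config, *args, **kwargs):
        """Register the DUMP-DIR (-D) option on top of the mac_tasks options."""
        pstasks.mac_tasks.__init__(self, config, *args, **kwargs)
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'Output directory', action = 'store', type = 'str')

    def render_text(self, outfd, data):
        """Write every readable page of each process to <offset>.<name>.dmp.

        Files are created inside the DUMP_DIR directory. The process name is
        taken from the memory image, so path separators and NUL bytes in it
        are replaced before it becomes part of a file name; otherwise a
        crafted name could place the dump outside DUMP_DIR.
        """
        if (not self._config.DUMP_DIR or not os.path.isdir(self._config.DUMP_DIR)):
            debug.error("You must speficy a valid path with -D")

        for proc in data:
            # p_comm is attacker-influenced data from the image: keep it out
            # of the directory part of the path.
            safe_comm = "{0}".format(proc.p_comm)
            for bad in ("/", "\\", "\x00"):
                safe_comm = safe_comm.replace(bad, "_")

            name = "{0:X}.{1}.dmp".format(proc.obj_offset, safe_comm)
            path = os.path.join(self._config.DUMP_DIR, name)

            space = proc.get_process_address_space()
            if not space:
                outfd.write("Failed to acquire AS for: {0}\n".format(proc.p_comm))
                continue

            # open() reports failure by raising, not by returning a false value.
            try:
                handle = open(path, "wb")
            except IOError:
                outfd.write("Failed to open file for writing: {0}\n".format(path))
                continue

            written = 0
            try:
                for page, size in space.get_available_pages():
                    chunk = space.read(page, size)
                    if not chunk:
                        continue
                    handle.write(chunk)
                    written += size
                outfd.write("Wrote {0} bytes to {1}\n".format(written, path))
            except IOError:
                outfd.write("Error dumping process: {0}\n".format(proc.p_comm))
            finally:
                handle.close()

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/check_trap_table.py0000644000000000000000000001043313131215405025403 0ustar rootroot
#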
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_check_trap_table(common.AbstractMacCommand):
    """ Checks to see if mach trap table entries are hooked """

    def _set_vtypes(self):
        """Register the mach_trap layout matching the profile's arch and version."""

        def trap_layout(struct_size, func_offset):
            # One mach_trap entry: total size, plus where the handler pointer sits.
            return {
                'mach_trap' : [ struct_size, {
                    'mach_trap_function': [ func_offset, ['pointer', ['void']]]
                    }]}

        arch = self.addr_space.profile.metadata.get('memory_model', '32bit')
        major = self.addr_space.profile.metadata.get('major', 0)

        if arch == "32bit":
            vtypes = trap_layout(16, 4) if major == 10 else trap_layout(8, 4)
        elif major == 10:
            vtypes = trap_layout(40, 8)
        elif major >= 13:
            vtypes = trap_layout(32, 8)
        else:
            vtypes = trap_layout(16, 8)

        self.addr_space.profile.vtypes.update(vtypes)
        self.addr_space.profile.compile()

    def calculate(self):
        """Yield (table address, "TrapTable", index, handler, symbol, hooked).

        An entry counts as hooked when its handler address is not among the
        addresses returned by profile.get_all_addresses(). The check is a
        membership test only: a handler redirected to some other known
        symbol address is not flagged here.
        """
        common.set_plugin_members(self)

        self._set_vtypes()

        known_addrs = self.profile.get_all_addresses()

        table_addr = self.addr_space.profile.get_symbol("_mach_trap_table")

        count_addr = self.addr_space.profile.get_symbol("_mach_trap_count")
        ntraps = obj.Object("int", offset = count_addr, vm = self.addr_space)
        traps = obj.Object(theType = "Array", offset = table_addr, vm = self.addr_space, count = ntraps, targetType = "mach_trap")

        for (i, trap) in enumerate(traps):
            ent_addr = trap.mach_trap_function.v()

            # Empty slots carry no handler to check.
            if not ent_addr:
                continue

            hooked = ent_addr not in known_addrs

            if hooked:
                sym_name = "HOOKED"
            else:
                sym_name = self.profile.get_symbol_by_address("kernel", ent_addr)

            yield (table_addr, "TrapTable", i, ent_addr, sym_name, hooked)

    def unified_output(self, data):
        """Describe the output columns and attach the row generator."""
        columns = [("Table Name", str),
                   ("Index", int),
                   ("Address", Address),
                   ("Symbol", str),
                   ]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per trap-table entry from calculate()."""
        for row in data:
            (_, table_name, i, call_addr, sym_name, _) = row
            yield(0, [
                str(table_name),
                int(i),
                Address(call_addr),
                str(sym_name),
                ])

    def render_text(self, outfd, data):
        """Write the trap-table entries as a text table to outfd."""
        self.table_header(outfd, [("Table Name", "15"),
                                  ("Index", "6"),
                                  ("Address", "[addrpad]"),
                                  ("Symbol", "<50")])

        for row in data:
            (_, table_name, i, call_addr, sym_name, _) = row
            self.table_row(outfd, table_name, i, call_addr, sym_name)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/list_files.py0000644000000000000000000001440413131215405024270 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import os

import volatility.plugins.mac.common as common
import volatility.plugins.mac.mount as mac_mount
import volatility.obj as obj

class mac_list_files(common.AbstractMacCommand):
    """ Lists files in the file cache """

    def __init__(self, config, *args, **kwargs):
        """Register the SHOW_ORPHANS (-s) switch on top of the base options."""
        common.AbstractMacCommand.__init__(self, config, *args, **kwargs)

        self._config.add_option('SHOW_ORPHANS', short_option = 's', default = False,
                                help = 'Show orphans (vnodes without a parent)',
                                action = 'store_true')

    @staticmethod
    def list_files(config):
        """Yield (vnode, path) for every vnode reachable from the mount lists.

        Works in four passes: collect the vnodes on each mount's list, add
        parents that are only referenced through v_parent, compute full paths
        for directories, then join every vnode with its parent's path.
        """
        mounts = mac_mount.mac_mount(config).calculate()

        # vnode offset -> [name, parent offset or None, vnode object]
        vnodes = {}
        # directory vnode offset -> full path
        parent_vnodes = {}

        ## pass 1: build an initial table of all vnodes
        for mount in mounts:
            vnode = mount.mnt_vnodelist.tqh_first.dereference()

            while vnode:
                ## a repeated offset means the list loops back on itself
                if vnode.obj_offset in vnodes:
                    break

                if int(vnode.v_flag) & 1:
                    ## the slower full_path() is acceptable here: it is only
                    ## used for root nodes, a couple per system
                    vnodes[vnode.obj_offset] = [vnode.full_path(), None, vnode]
                else:
                    name = vnode.v_name.dereference()
                    parent = vnode.v_parent.dereference()

                    if parent:
                        par_offset = parent.obj_offset
                    elif config.SHOW_ORPHANS:
                        par_offset = None
                    else:
                        ## orphan and not requested: skip it
                        vnode = vnode.v_mntvnodes.tqe_next.dereference()
                        continue

                    vnodes[vnode.obj_offset] = [name, par_offset, vnode]

                vnode = vnode.v_mntvnodes.tqe_next.dereference()

        ## pass 2: account for vnodes that aren't in the list but are
        ## referenced from other vnode's v_parent pointers
        ## (iterate over a snapshot because the table grows inside the loop)
        for key, val in list(vnodes.items()):
            name, parent, vnode = val

            if not name or not parent:
                continue

            parent = obj.Object("vnode", offset = parent, vm = vnode.obj_vm)

            while parent:
                if parent.obj_offset in vnodes:
                    break

                name = parent.v_name.dereference()

                next_parent = parent.v_parent.dereference()
                par_offset = next_parent.obj_offset if next_parent else None

                vnodes[parent.obj_offset] = [str(name), par_offset, parent]
                parent = next_parent

        ## pass 3: build the full paths for all directories
        for key, val in vnodes.items():
            name, parent, vnode = val

            ## we can't have unnamed files or directories
            if not name:
                continue

            if not vnode.is_dir():
                continue

            name = str(name)

            if parent in parent_vnodes:
                full_path = parent_vnodes[parent] + "/" + name
            else:
                paths = [name]
                # NOTE(review): this climb follows parent offsets stored in
                # the table with no visited-set; a circular v_parent chain in
                # the image looks like it would not terminate -- confirm.
                while parent:
                    entry = vnodes.get(parent)
                    ## a vnode's parent wasn't found or
                    ## we reached the root directory
                    if not entry:
                        break
                    name, parent, _vnode = entry
                    if not name:
                        break
                    paths.append(str(name))
                ## names were collected leaf-first, so reverse them
                full_path = "/".join(reversed(paths))

            parent_vnodes[key] = full_path

        ## pass 4: link everything up with their parents
        for val in vnodes.values():
            name, parent, vnode = val

            if not name:
                continue

            name = str(name)
            parent_path = parent_vnodes.get(parent)

            if not parent_path:
                yield vnode, name
                continue

            full_path = parent_path + "/" + name

            ## add a leading slash if one doesn't exist
            if full_path[0] != "/":
                full_path = "/" + full_path
            ## otherwise in some cases we may have double
            ## slashes so reduce that down to just one
            elif full_path[0:2] == "//":
                full_path = full_path[1:]

            yield vnode, full_path

    def calculate(self):
        """Yield the (vnode, path) pairs produced by list_files()."""
        common.set_plugin_members(self)

        for result in mac_list_files.list_files(self._config):
            yield result

    def render_text(self, outfd, data):
        """Write each vnode's offset and path as a text table to outfd."""
        self.table_header(outfd, [("Offset (V)", "[addrpad]"), ("File Path", "")])
        for vnode, path in data:
            self.table_row(outfd, vnode.obj_offset, path)
# volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/find_aslr_shift.py0000644000000000000000000000271413131215405025272 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.plugins.mac.common as common
import volatility.debug as debug

class mac_find_aslr_shift(common.AbstractMacCommand):
    """ Find the ASLR shift value for 10.8+ images """

    def calculate(self):
        """Yield the single shift value stored on the profile."""
        common.set_plugin_members(self)

        yield self.profile.shift_address

    def render_text(self, outfd, data):
        """Print the shift value, or report an error when it is zero."""
        self.table_header(outfd, [("Shift Value", "#018x")])

        for shift in data:
            # A zero shift is reported through debug.error instead of a row.
            if shift == 0:
                debug.error("Shift addresses are only required on 10.8+ images")
                continue

            self.table_row(outfd, shift)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/WKdm.py0000644000000000000000000005507513131215405023006 0ustar rootroot
#
# Python port of WKdm compression / decompression by
# Golden G. Richard III (@nolaforensix, golden@arcanealloy.com)
# December 2013
#
# For compression and decompression of 4K pages.
#
# Based loosely on WKdm.c, by:
#
# * Paul Wilson -- wilson@cs.utexas.edu
# * Scott F.
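#   Kaplan -- sfkaplan@cs.utexas.edu
# * September 1997
#
# but designed specifically to be compatible with the optimized x86_64
# assembler version in xnu-2422.1.72/osfmk/x86_64/WKdmCompress_new*
# (Mac OS X Mavericks 10.9 kernel source).  Apples's assembler version
# eliminates the unused "version word" in the header, reducing header
# size to 3 words, making this version incompatible with the original
# WKdm.c (for what it's worth).  The Apple version also introduces a
# compression budget for WKdm_compress, which results in a compression
# failure if the budget (expressed in bytes) is exceeded.  The
# compression budget is also supported by this version for
# compatibility.
#

import math

class WKdm:
    """WKdm compressor / decompressor for 4K pages held as lists of 32-bit words.

    All index arithmetic uses floor division (//), which gives the same
    result as the integer "/" this code was written with and also keeps the
    indexes integral on interpreters where "/" is true division.
    """

    ##################################################################
    ##################################################################
    # DO NOT CHANGE THESE:  Correct operation depends on 4K page size
    # and there are various other non-trivial dependencies
    ##################################################################
    ##################################################################

    WORD_SIZE_IN_BYTES = 4
    PAGE_SIZE_IN_WORDS = 1024
    PAGE_SIZE_IN_BYTES = 4096
    DICTIONARY_SIZE_IN_WORDS = 16
    HEADER_SIZE_IN_WORDS = 3
    TAGS_AREA_OFFSET_IN_WORDS = HEADER_SIZE_IN_WORDS
    TAGS_AREA_SIZE_IN_WORDS = 64
    NUM_LOW_BITS = 10
    LOW_BITS_MASK = 0x3FF
    ALL_ONES_MASK = 0xFFFFFFFF
    TWO_BITS_PACKING_MASK = 0x03030303
    FOUR_BITS_PACKING_MASK = 0x0F0F0F0F
    TEN_LOW_BITS_MASK = 0x000003FF
    TWENTY_TWO_HIGH_BITS_MASK = 0xFFFFFC00

    ZERO_TAG = 0x0
    PARTIAL_TAG = 0x1
    MISS_TAG = 0x2
    EXACT_TAG = 0x3

    SINGLE_BYTE_MASKS = [0x000000FF, 0x0000FF00, 0x00FF0000, 0xFF000000]

    ##################################################################
    ##################################################################

    ##################################################################
    # These are the constants for the hash function lookup table.
    # Only zero maps to zero.  The rest of the table is the result of
    # appending 17 randomizations of the multiples of 4 from 4 to 56.
    ##################################################################

    HASH_LOOKUP_TABLE_CONTENTS = [
        0, 52, 8, 56, 16, 12, 28, 20, 4, 36, 48, 24, 44, 40, 32, 60,
        8, 12, 28, 20, 4, 60, 16, 36, 24, 48, 44, 32, 52, 56, 40,
        12, 8, 48, 16, 52, 60, 28, 56, 32, 20, 24, 36, 40, 44, 4,
        8, 40, 60, 32, 20, 44, 4, 36, 52, 24, 16, 56, 48, 12, 28,
        16, 8, 40, 36, 28, 32, 12, 4, 44, 52, 20, 24, 48, 60, 56,
        40, 48, 8, 32, 28, 36, 4, 44, 20, 56, 60, 24, 52, 16, 12,
        12, 4, 48, 20, 8, 52, 16, 60, 24, 36, 44, 28, 56, 40, 32,
        36, 20, 24, 60, 40, 44, 52, 16, 32, 4, 48, 8, 28, 56, 12,
        28, 32, 40, 52, 36, 16, 20, 48, 8, 4, 60, 24, 56, 44, 12,
        8, 36, 24, 28, 16, 60, 20, 56, 32, 40, 48, 12, 4, 44, 52,
        44, 40, 12, 56, 8, 36, 24, 60, 28, 48, 4, 32, 20, 16, 52,
        60, 12, 24, 36, 8, 4, 16, 56, 48, 44, 40, 52, 32, 20, 28,
        32, 12, 36, 28, 24, 56, 40, 16, 52, 44, 4, 20, 60, 8, 48,
        48, 52, 12, 20, 32, 44, 36, 28, 4, 40, 24, 8, 56, 60, 16,
        36, 32, 8, 40, 4, 52, 24, 44, 20, 12, 28, 48, 56, 16, 60,
        4, 52, 60, 48, 20, 16, 56, 44, 24, 8, 40, 12, 32, 28, 36,
        24, 32, 12, 4, 20, 16, 60, 36, 28, 8, 52, 40, 48, 44, 56
        ]

    ##################################################################
    # WK_pack_2bits(): Pack some multiple of four words holding
    # two-bit tags (in the low two bits of each byte) into an integral
    # number of words, i.e., one fourth as many.  Data in the
    # source_buf is used starting at index 0 up to and not including
    # index source_end.  The packed data is written into the dest_buf
    # starting at index dest_start.  Returns the index just past the
    # last word written.  NOTE: Pad the input with zeroes to a
    # multiple of four words, or else.
    ##################################################################

    def WK_pack_2bits(self, source_buf, source_end, dest_buf, dest_start):
        src_next = 0

        # loop to repeatedly grab four input words and pack it into 1
        # output word.
        while src_next < source_end:
            temp = source_buf[src_next]
            temp |= (source_buf[src_next+1] << 2)
            temp |= (source_buf[src_next+2] << 4)
            temp |= (source_buf[src_next+3] << 6)
            dest_buf[dest_start] = temp
            dest_start += 1
            src_next += 4

        return dest_start

    ###################################################################
    # WK_pack_4bits(): Pack an even number of words holding 4-bit
    # patterns in the low bits of each byte into half as many
    # words.  Data in the source_buf is used starting at index 0 up
    # to and not including index source_end.  The packed data is
    # written into the dest_buf starting at index dest_start.
    # Returns the index just past the last word written.
    # NOTE: Pad the input with zeroes to an even number of words,
    # or else.
    ##################################################################

    def WK_pack_4bits(self, source_buf, source_end, dest_buf, dest_start):
        src_next = 0

        # loop to repeatedly grab two input words and pack it into 1
        # output word.
        while src_next < source_end:
            temp = source_buf[src_next]
            temp |= (source_buf[src_next+1] << 4)
            dest_buf[dest_start] = temp
            dest_start += 1
            src_next += 2

        return dest_start

    ###################################################################
    # WK_pack_3_tenbits(): Pack a sequence of three ten bit items
    # into one word.  Data in the source_buf is used starting at
    # index 0 up to and not including source_end.  The packed data
    # is written into the dest_buf starting at index dest_start.
    # Returns the index just past the last word written.
    # NOTE: Pad out the input with zeroes to a multiple of three
    # words (the loop below consumes three words per step), or else.
    ###################################################################

    def WK_pack_3_tenbits(self, source_buf, source_end, dest_buf, dest_start):
        src_next = 0

        # loop to repeatedly grab three input words and pack it into 1
        # output word.
        while src_next < source_end:
            temp = source_buf[src_next]
            temp |= (source_buf[src_next+1] << 10)
            temp |= (source_buf[src_next+2] << 20)
            dest_buf[dest_start] = temp
            dest_start += 1
            src_next += 3

        return dest_start

    ###################################################################
    # WK_unpack_2bits(): Take any number of words containing 16
    # two-bit values and unpack them into four times as many words
    # containg those two bit values as bytes (with the low two
    # bits of each byte holding the actual value).  Data is read
    # from input_buf starting at index input_start and up to but
    # not including input_end.  Unpacked data is placed in
    # output_buf.  Returns the number of words written.
    ###################################################################

    def WK_unpack_2bits(self, input_buf, input_start, input_end, output_buf):
        output_next = 0

        # loop to repeatedly grab one input word and unpack it into
        # 4 output words.
        while input_start < input_end:
            temp = input_buf[input_start]
            output_buf[output_next] = temp & self.TWO_BITS_PACKING_MASK
            output_buf[output_next+1] = (temp >> 2) & self.TWO_BITS_PACKING_MASK
            output_buf[output_next+2] = (temp >> 4) & self.TWO_BITS_PACKING_MASK
            output_buf[output_next+3] = (temp >> 6) & self.TWO_BITS_PACKING_MASK
            output_next += 4
            input_start += 1

        return output_next

    ###################################################################
    # WK_unpack_4bits(): Unpack four bits consumes any number of
    # words holding 8 4-bit values per word, and unpacks them into
    # twice as many words, with each value in a separate byte.
    # (The four-bit values occupy the low halves of the bytes in
    # the result).  Data is read from input_buf starting at index
    # input_start and up to but not including input_end.  Unpacked
    # data is placed in output_buf.  Returns the number of words
    # written.
    ###################################################################

    def WK_unpack_4bits(self, input_buf, input_start, input_end, output_buf):
        output_next = 0

        # loop to repeatedly grab one input word and unpack it into 2
        # output words.
        while input_start < input_end:
            temp = input_buf[input_start]
            output_buf[output_next] = temp & self.FOUR_BITS_PACKING_MASK
            output_buf[output_next+1] = (temp >> 4) & self.FOUR_BITS_PACKING_MASK
            output_next += 2
            input_start += 1

        return output_next

    ###################################################################
    # WK_unpack_3_tenbits(): Unpack three 10-bit items from the
    # low 30 bits of any number of 32-bit words.  Data is read from
    # input_buf starting at index input_start and up to but not
    # including input_end.  Unpacked data is placed in output_buf.
    # Returns the number of words written.
    ###################################################################

    def WK_unpack_3_tenbits(self, input_buf, input_start, input_end, output_buf):
        output_next = 0

        # loop to fetch 1 word of input, splitting each into three words of
        # output with 10 meaningful low order bits.
        while input_start < input_end:
            temp = input_buf[input_start]
            output_buf[output_next] = temp & self.LOW_BITS_MASK
            output_buf[output_next+1] = (temp >> 10) & self.LOW_BITS_MASK
            output_buf[output_next+2] = temp >> 20
            input_start += 1
            output_next += 3

        return output_next

    ###################################################################
    # WKdm_compress(): Compress a src_buf containing num_input_words
    # 32-bit words into a dest_buf of 32-bit words.  Returns size of
    # dest_buf or -1 if the compression budget (expressed in bytes) is
    # exceeeded, which also results in undefined contents in dest_buf.
    # The intermediate arrays are sized for one page; a larger
    # num_input_words than they can hold raises IndexError.
    ###################################################################

    def WKdm_compress(self, src_buf, dest_buf, num_input_words, compression_budget):
        dictionary = [0] * self.DICTIONARY_SIZE_IN_WORDS
        hashLookupTable = self.HASH_LOOKUP_TABLE_CONTENTS

        # update compression budget based on fixed overhead
        compression_budget -= (self.HEADER_SIZE_IN_WORDS + self.TAGS_AREA_SIZE_IN_WORDS) * self.WORD_SIZE_IN_BYTES

        # arrays that hold output data in intermediate form during modeling
        # and whose contents are packed into the actual output after modeling
        tempTagsArray = [0] * 300        # tags for everything
        tempQPosArray = [0] * 300        # queue positions for matches
        tempLowBitsArray = [0] * 1200    # low bits for partial matches

        # boundary_tmp will be used for keeping track of what's where in
        # the compressed page during packing
        boundary_tmp = 0

        next_full_patt = 0     # index into dest_buf
        next_tag = 0           # index into tempTagsArray
        next_qp = 0            # index into tempQPosArray
        next_low_bits = 0      # index into tempLowBitsArray
        next_input_word = 0    # index into src_buf

        # initialize dictionary (slots 0..14 become 1, slot 15 stays 0;
        # WKdm_decompress starts from the same state)
        for i in range(0,15):
            dictionary[i] = 1

        # process all input words
        next_full_patt = self.TAGS_AREA_OFFSET_IN_WORDS + self.TAGS_AREA_SIZE_IN_WORDS

        while next_input_word < num_input_words:
            input_word = src_buf[next_input_word]
            dict_location = hashLookupTable[(input_word >> 10) & 0xFF] // 4
            dict_word = dictionary[dict_location]

            if input_word == dict_word:
                tempTagsArray[next_tag // 4] |= (self.EXACT_TAG << (((next_tag) % 4) * 8))
                next_tag += 1
                tempQPosArray[next_qp // 4] |= (dict_location << (((next_qp) % 4) * 8))
                next_qp += 1
            elif input_word == 0:
                tempTagsArray[next_tag // 4] |= (self.ZERO_TAG << (((next_tag) % 4) * 8))
                next_tag += 1
            else:
                input_high_bits = input_word >> self.NUM_LOW_BITS
                dict_word_high_bits = dict_word >> self.NUM_LOW_BITS
                if input_high_bits == dict_word_high_bits:
                    tempTagsArray[next_tag // 4] |= (self.PARTIAL_TAG << (((next_tag) % 4) * 8))
                    next_tag += 1
                    tempQPosArray[next_qp // 4] |= (dict_location << (((next_qp) % 4) * 8))
                    next_qp += 1
                    tempLowBitsArray[next_low_bits] = input_word & self.LOW_BITS_MASK
                    next_low_bits += 1
                    dictionary[dict_location] = input_word
                else:
                    # check compression budget and fail immediately if exhausted
                    compression_budget -= self.WORD_SIZE_IN_BYTES
                    if compression_budget < 0:
                        return -1

                    tempTagsArray[next_tag // 4] |= (self.MISS_TAG << (((next_tag) % 4) * 8))
                    next_tag += 1
                    dest_buf[next_full_patt] = input_word
                    next_full_patt += 1
                    dictionary[dict_location] = input_word

            next_input_word += 1

        dest_buf[0] = next_full_patt        # qpos area start

        # Pack the tags into the tags area, between the page header
        # and the full words area.  No padding because page size is
        # assumed to be a multiple of 16.  Compression budget associated
        # with this area has already been deducted.
        boundary_tmp = self.WK_pack_2bits(tempTagsArray,
                                          next_tag // 4,
                                          dest_buf,
                                          self.TAGS_AREA_OFFSET_IN_WORDS)

        # Pack the queue positions into the area just after the full
        # words.  Round up the size of the region to a multiple of two
        # words.
        endQPosArray = int(math.ceil(next_qp / 8.0)) * 2
        next_qp = int(math.ceil(next_qp / 4.0))

        # Pad the array with zeros to avoid corrupting real packed
        # values.
        while (next_qp < endQPosArray):
            tempQPosArray[next_qp] = 0
            next_qp += 1

        # check compression budget and fail immediately if exhausted
        compression_budget -= (endQPosArray // 2) * self.WORD_SIZE_IN_BYTES
        if compression_budget < 0:
            return -1

        boundary_tmp = self.WK_pack_4bits(tempQPosArray,
                                          endQPosArray,
                                          dest_buf,
                                          next_full_patt)

        # Record (in the header) where packing queue positions stopped,
        # which is where packing of low bits will start.
        dest_buf[1] = boundary_tmp

        # Pack the low bit patterns into the area just after the queue
        # positions.  Round up the size of the region region to a
        # multiple of three words.
        endLowBitsArray = int(math.ceil(next_low_bits / 3.0)) * 3

        # Pad the array with zeros to avoid corrupting real packed
        # values.
        while (next_low_bits < endLowBitsArray):
            tempLowBitsArray[next_low_bits] = 0
            next_low_bits += 1

        # check compression budget and fail immediately if exhausted
        compression_budget -= (endLowBitsArray // 3) * self.WORD_SIZE_IN_BYTES
        if compression_budget < 0:
            return -1

        boundary_tmp = self.WK_pack_3_tenbits (tempLowBitsArray,
                                               endLowBitsArray,
                                               dest_buf,
                                               boundary_tmp)
        dest_buf[2] = boundary_tmp

        return boundary_tmp

    ###################################################################
    # WKdm_decompress(): Decompress a src_buf containing 32-bit words
    # into a dest_buf of 32-bit words.  Returns size of decompressed
    # buffer or -1 on decompression error (in which case the
    # dest_buf contents are undefined).
    #
    # The three header words of src_buf are used directly as indexes
    # into src_buf, and they come from the compressed page itself.
    # A header that points outside src_buf, or that unpacks to more
    # entries than the fixed-size intermediate arrays hold, surfaces
    # as an exception below and is reported as -1.
    ###################################################################

    def WKdm_decompress (self, src_buf, dest_buf):
        dictionary = [0] * self.DICTIONARY_SIZE_IN_WORDS
        hashLookupTable = self.HASH_LOOKUP_TABLE_CONTENTS

        # arrays that hold output data in intermediate form during modeling
        # and whose contents are packed into the actual output after modeling
        tempTagsArray = [0] * 300        # tags for everything
        tempQPosArray = [0] * 300        # queue positions for matches
        tempLowBitsArray = [0] * 1200    # low bits for partial matches

        # initialize dictionary (same starting state as WKdm_compress)
        for i in range(0,15):
            dictionary[i] = 1

        try:
            self.WK_unpack_2bits(src_buf,
                                 self.TAGS_AREA_OFFSET_IN_WORDS,
                                 self.TAGS_AREA_OFFSET_IN_WORDS + self.TAGS_AREA_SIZE_IN_WORDS,
                                 tempTagsArray)

            self.WK_unpack_4bits(src_buf,
                                 src_buf[0],
                                 src_buf[1],
                                 tempQPosArray)

            self.WK_unpack_3_tenbits(src_buf,
                                     src_buf[1],
                                     src_buf[2],
                                     tempLowBitsArray)

            next_tag = 0                               # index into tempTagsArray
            tags_area_end = self.PAGE_SIZE_IN_WORDS
            next_qp = 0                                # index into tempQPosArray
            next_low_bits = 0                          # index into tempLowBitsArray
            next_full_word = self.TAGS_AREA_OFFSET_IN_WORDS + self.TAGS_AREA_SIZE_IN_WORDS   # index into src_buf
            next_output = 0                            # index into dest_buf

            while (next_tag < tags_area_end):
                tag = (tempTagsArray[next_tag // 4] & self.SINGLE_BYTE_MASKS[next_tag % 4]) >> (((next_tag) % 4) * 8)

                if tag == self.ZERO_TAG:
                    dest_buf[next_output] = 0
                elif tag == self.EXACT_TAG:
                    dict_location = (tempQPosArray[next_qp // 4] & self.SINGLE_BYTE_MASKS[next_qp % 4]) >> (((next_qp) % 4) * 8)
                    next_qp += 1
                    dest_buf[next_output] = dictionary[dict_location]
                elif tag == self.PARTIAL_TAG:
                    dict_location = (tempQPosArray[next_qp // 4] & self.SINGLE_BYTE_MASKS[next_qp % 4]) >> (((next_qp) % 4) * 8)
                    temp = dictionary[dict_location]

                    # strip out low bits
                    temp = ((temp >> self.NUM_LOW_BITS) << self.NUM_LOW_BITS)

                    # add in stored low bits from temp array
                    temp = temp | tempLowBitsArray[next_low_bits]
                    next_low_bits += 1

                    # replace old value in dict
                    dictionary[dict_location] = temp

                    dest_buf[next_output] = temp    # and echo it to output
                    next_qp += 1
                elif tag == self.MISS_TAG:
                    missed_word = src_buf[next_full_word]
                    next_full_word += 1
                    dict_location = hashLookupTable[(missed_word >> 10) & 0xFF] // 4
                    dictionary[dict_location] = missed_word
                    dest_buf[next_output] = missed_word
                else:
                    return -1    # fail, buffer is corrupted
                    #print "BAD TAG!!"

                next_tag += 1
                next_output += 1

            return next_output

        except Exception:
            # Any indexing or type failure means the input was not a
            # well-formed compressed page.  Interpreter-level signals
            # such as KeyboardInterrupt are no longer swallowed here.
            return -1

###########################################################
###########################################################
# testing area
###########################################################
###########################################################

#from struct import *
import sys
import time

def main():
    """Time repeated compress / decompress round trips of one synthetic page."""
    NUMBER_OF_ITERATIONS=1000
    w = WKdm()

#    src_buf_asm = [0] * (w.PAGE_SIZE_IN_WORDS+100)
#    dest_buf_asm = [0] * (w.PAGE_SIZE_IN_WORDS+100)
    src_buf = [0] * (w.PAGE_SIZE_IN_WORDS+100)
    dest_buf = [0] * (w.PAGE_SIZE_IN_WORDS+100)

    t=0

    for i in range(w.PAGE_SIZE_IN_WORDS):
        src_buf[i] = i * i + i
        if i % 10 == 0:
            src_buf[i] = 0
        elif i % 11 == 0:
            src_buf[i]=0xFFFFFFFF

    before = time.time()
    for i in range(NUMBER_OF_ITERATIONS):
        t += w.WKdm_compress(src_buf, dest_buf, w.PAGE_SIZE_IN_WORDS, 4096)
        t += w.WKdm_decompress(dest_buf, src_buf)

    total = time.time() - before
    print("Python timing: " + str(NUMBER_OF_ITERATIONS / total) + " compression / decompression pairs per second.")

if __name__ == "__main__":
    main()

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/librarydump.py0000644000000000000000000000711213131215405024463 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.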
#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.mac.pstasks as mac_tasks
import volatility.plugins.mac.procdump as mac_procdump
import volatility.plugins.mac.common as mac_common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

# For every selected task, hands one or more load addresses to
# mac_common.write_macho_file() together with --dump-dir and reports the path
# that call returns. The addresses are either the single --BASE value or the
# imageLoadAddress of each entry returned by proc.get_dyld_maps().
# NOTE(review): the written files are rebuilt from the memory image under
# analysis; handle them as untrusted samples.
class mac_librarydump(mac_tasks.mac_tasks):
    """ Dumps the executable of a process """

    def __init__(self, config, *args, **kwargs):
        mac_tasks.mac_tasks.__init__(self, config, *args, **kwargs)

        self._config.add_option('BASE', short_option = 'b', default = None,
                                help = 'Dump driver with BASE address (in hex)',
                                action = 'store', type = 'int')
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None,
                                help = 'Output directory',
                                action = 'store', type = 'str')

    def _check_dump_dir(self):
        """Report through debug.error when --dump-dir is unset or not a directory."""
        if not (self._config.DUMP_DIR and os.path.isdir(self._config.DUMP_DIR)):
            debug.error("Please specify an existing output dir (--dump-dir)")

    def _dump_images(self, proc):
        """Write each selected image of proc and yield (address, file_path)."""
        if self._config.BASE:
            targets = [self._config.BASE]
        else:
            targets = [dyld_map.imageLoadAddress for dyld_map in proc.get_dyld_maps()]

        for target in targets:
            written = mac_common.write_macho_file(self._config.DUMP_DIR, proc, target)
            yield target, written

    def unified_output(self, data):
        self._check_dump_dir()

        columns = [("Task", str),
                   ("Pid", int),
                   ("Address", Address),
                   ("Path", str)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per image written."""
        for proc in data:
            for address, file_path in self._dump_images(proc):
                row = [str(proc.p_comm),
                       int(proc.p_pid),
                       Address(address),
                       str(file_path)]
                yield (0, row)

    def render_text(self, outfd, data):
        self._check_dump_dir()

        self.table_header(outfd, [("Task", "25"),
                                  ("Pid", "6"),
                                  ("Address", "[addrpad]"),
                                  ("Path", "")])

        for proc in data:
            for address, file_path in self._dump_images(proc):
                self.table_row(outfd, proc.p_comm, proc.p_pid, address, file_path)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/dlyd_maps.py0000644000000000000000000000452613131215405024113 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.pstasks as pstasks import volatility.plugins.mac.common as common from volatility.renderers import TreeGrid from volatility.renderers.basic import Address class mac_dyld_maps(pstasks.mac_tasks): """ Gets memory maps of processes from dyld data structures """ def unified_output(self, data): common.set_plugin_members(self) return TreeGrid([("Pid", int), ("Name", str), ("Start", Address), ("Map Name", str), ], self.generator(data)) def generator(self, data): for proc in data: for map in proc.get_dyld_maps(): yield(0, [ int(proc.p_pid), str(proc.p_comm), Address(map.imageLoadAddress), str(map.imageFilePath), ]) def render_text(self, outfd, data): common.set_plugin_members(self) self.table_header(outfd, [("Pid", "8"), ("Name", "20"), ("Start", "#018x"), ("Map Name", "")]) for proc in data: for map in proc.get_dyld_maps(): self.table_row(outfd, str(proc.p_pid), proc.p_comm, map.imageLoadAddress, map.imageFilePath) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/keychaindump.py0000644000000000000000000000604013131215405024611 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ ### based entirely on keychaindump from volafox import volatility.obj as obj import volatility.plugins.mac.pstasks as pstasks import volatility.plugins.mac.common as common from volatility.renderers import TreeGrid class mac_keychaindump(pstasks.mac_tasks): """ Recovers possbile keychain keys. Use chainbreaker to open related keychain files """ def calculate(self): common.set_plugin_members(self) procs = pstasks.mac_tasks.calculate(self) if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": ptr_sz = 4 else: ptr_sz = 8 for proc in procs: if str(proc.p_comm) != "securityd": continue proc_as = proc.get_process_address_space() for map in proc.get_proc_maps(): if not (map.start > 0x00007f0000000000 and map.end < 0x00007fff00000000 and map.end - map.start == 0x100000): continue for address in range(map.start, map.end, ptr_sz): signature = obj.Object("unsigned int", offset = address, vm = proc_as) if not signature or signature != 0x18: continue key_buf_ptr = obj.Object("unsigned long", offset = address + ptr_sz, vm = proc_as) if map.start <= key_buf_ptr < map.end: yield proc_as, key_buf_ptr def unified_output(self, data): return TreeGrid([("Key", str), ], self.generator(data)) def generator(self, data): for (proc_as, key_buf_ptr) in data: key_buf = proc_as.read(key_buf_ptr, 24) if not key_buf: continue key = "".join('%02X'%ord(k) for k in key_buf) yield(0, [str(key),]) def render_text(self, outfd, data): self.table_header(outfd, [("Key", "")]) for (proc_as, key_buf_ptr) in data: key_buf = proc_as.read(key_buf_ptr, 24) if not key_buf: continue key = "".join('%02X'%ord(k) for k in key_buf) self.table_row(outfd, key) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/mount.py0000644000000000000000000000450613131215405023277 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of 
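Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . #
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid

# Walks the list that starts at the _mountlist symbol and prints three
# strings from each entry's mnt_vfsstat.
# NOTE(review): the "Device" column is filled from f_mntonname and
# "Mount Point" from f_mntfromname; in the BSD statfs layout f_mntonname is
# the directory mounted on, so the two headers look swapped. The order is
# left alone here because output consumers may depend on it.
class mac_mount(common.AbstractMacCommand):
    """ Prints mounted device information """

    def calculate(self):
        """Yield each mount entry reachable from _mountlist.

        The list lives in the memory image being analysed, so a damaged or
        deliberately altered image can link it into a loop. Entries are
        tracked by pointer value and the walk stops at the first repeat.
        """
        common.set_plugin_members(self)

        mountlist_addr = self.addr_space.profile.get_symbol("_mountlist")
        mount = obj.Object("mount", offset = mountlist_addr, vm = self.addr_space)
        mount = mount.mnt_list.tqe_next

        seen = set()
        while mount:
            mount_addr = mount.v()
            if mount_addr in seen:
                break
            seen.add(mount_addr)

            yield mount
            mount = mount.mnt_list.tqe_next

    def unified_output(self, data):
        return TreeGrid([("Device", str),
                         ("Mount Point", str),
                         ("Type", str),
                         ], self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per mount entry."""
        for mount in data:
            yield (0, [
                str(mount.mnt_vfsstat.f_mntonname),
                str(mount.mnt_vfsstat.f_mntfromname),
                str(mount.mnt_vfsstat.f_fstypename),
                ])

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Device", "30"), ("Mount Point", "60"), ("Type", "")])
        for mount in data:
            self.table_row(outfd,
                           mount.mnt_vfsstat.f_mntonname,
                           mount.mnt_vfsstat.f_mntfromname,
                           mount.mnt_vfsstat.f_fstypename)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/pstree.py0000644000000000000000000000352413131215405023436 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. 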
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.plugins.mac.pstasks as pstasks class mac_pstree(pstasks.mac_tasks): """ Show parent/child relationship of processes """ def render_text(self, outfd, data): self.procs_hash = {} self.procs_seen = {} outfd.write("{0:20s} {1:15s} {2:15s}\n".format("Name", "Pid", "Uid")) for proc in data: self.procs_hash[proc.p_pid] = proc for pid in sorted(self.procs_hash.keys()): proc = self.procs_hash[pid] self._recurse_task(outfd, proc, 0) def _recurse_task(self, outfd, proc, level): if proc.p_pid in self.procs_seen: return proc_name = "." * level + proc.p_comm outfd.write("{0:20s} {1:15s} {2:15s}\n".format(proc_name, str(proc.p_pid), str(proc.p_uid))) self.procs_seen[proc.p_pid] = 1 proc = proc.p_children.lh_first while proc.is_valid(): self._recurse_task(outfd, proc, level + 1) proc = proc.p_sibling.le_next volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/machine_info.py0000644000000000000000000000350713131215405024554 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. 
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.common as common class mac_machine_info(common.AbstractMacCommand): """ Prints machine information about the sample """ def calculate(self): common.set_plugin_members(self) machine_info = obj.Object("machine_info", offset = self.addr_space.profile.get_symbol("_machine_info"), vm = self.addr_space) yield machine_info def render_text(self, outfd, data): for machine_info in data: info = (("Major Version:", machine_info.major_version), ("Minor Version:", machine_info.minor_version), ("Memory Size:", machine_info.max_mem), ("Max CPUs:", machine_info.max_cpus), ("Physical CPUs:", machine_info.physical_cpu), ("Logical CPUs:", machine_info.logical_cpu), ) for i in info: outfd.write("{0:15} {1}\n".format(i[0], i[1])) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/lsmod.py0000644000000000000000000000676613131215405023265 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
# # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . #
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

# Walks the kmod_info list reachable from the _kmod symbol. The walk ends on
# an invalid entry, on a pointer value already visited, or once the counter
# passes 1024, so a looping list in the image cannot hang the plugin.
class mac_lsmod(common.AbstractMacCommand):
    """ Lists loaded kernel modules """

    def __init__(self, config, *args, **kwargs):
        common.AbstractMacCommand.__init__(self, config, *args, **kwargs)

        config.add_option('ADDR', short_option = 'a', default = None,
                          help = 'Show info on VAD at or containing this address',
                          action = 'store', type = 'int')

    def calculate(self):
        """Yield kmod_info entries, optionally only the one containing --ADDR."""
        common.set_plugin_members(self)

        kmod_symbol = self.addr_space.profile.get_symbol("_kmod")
        kmodaddr = obj.Object("Pointer", offset = kmod_symbol, vm = self.addr_space)

        if kmodaddr == None:
            return

        kmod = kmodaddr.dereference_as("kmod_info")

        visited = []
        walked = 0

        while kmod.is_valid():
            # key on .v() instead of .obj_offset due 'next' being at offset 0
            if kmod.v() in visited:
                break
            visited.append(kmod.v())

            if walked > 1024:
                break
            walked = walked + 1

            # without --ADDR every module is reported; with it, only a module
            # whose [address, address + size] range contains the value
            if not self._config.ADDR or (kmod.address <= self._config.ADDR <= (kmod.address + kmod.m("size"))):
                yield kmod

            kmod = kmod.next

    def unified_output(self, data):
        columns = [("Offset (V)", Address),
                   ("Module Address", Address),
                   ("Size", int),
                   ("Refs", int),
                   ("Version", str),
                   ("Name", str)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per module."""
        for kmod in data:
            row = [Address(kmod.obj_offset),
                   Address(kmod.address),
                   int(kmod.m('size')),
                   int(kmod.reference_count),
                   str(kmod.version),
                   str(kmod.name)]
            yield (0, row)

    def render_text(self, outfd, data):
        header = [("Offset (V)", "[addrpad]"),
                  ("Module Address", "[addrpad]"),
                  ("Size", "8"),
                  ("Refs", "^8"),
                  ("Version", "12"),
                  ("Name", "")]
        self.table_header(outfd, header)

        for kmod in data:
            self.table_row(outfd,
                           kmod,
                           kmod.address,
                           kmod.m('size'),
                           kmod.reference_count,
                           kmod.version,
                           kmod.name)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/list_kauth_scopes.py0000644000000000000000000000675613131215405025671 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
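#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.utils as utils
import volatility.debug as debug
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address
import volatility.plugins.mac.common as common

# Walks the kauth_scope list reachable from the _kauth_scopes symbol and, for
# each scope, resolves its ks_callback address to a module and symbol name
# through common.get_handler_name().
class mac_list_kauth_scopes(common.AbstractMacCommand):
    """ Lists Kauth Scopes and their status """

    def calculate(self):
        """Yield each kauth_scope reachable from _kauth_scopes.

        The list is read from the memory image under analysis, so it may be
        damaged or deliberately linked into a loop. Scope addresses are
        remembered and the walk stops at the first repeat.
        """
        common.set_plugin_members(self)

        scopes_addr = self.addr_space.profile.get_symbol("_kauth_scopes")
        scopes_ptr = obj.Object("Pointer", offset = scopes_addr, vm = self.addr_space)
        scope = scopes_ptr.dereference_as("kauth_scope")

        seen = set()
        while scope.is_valid():
            scope_addr = scope.v()
            if scope_addr in seen:
                break
            seen.add(scope_addr)

            yield scope
            scope = scope.ks_link.tqe_next.dereference()

    def unified_output(self, data):
        common.set_plugin_members(self)

        return TreeGrid([("Offset", Address),
                         ("Name", str),
                         ("IData", Address),
                         ("Listeners", int),
                         ("Callback Addr", Address),
                         ("Callback Mod", str),
                         ("Callback Sym", str),
                         ], self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per scope, with its callback resolved."""
        kaddr_info = common.get_handler_name_addrs(self)

        for scope in data:
            cb = scope.ks_callback.v()
            (module, handler_sym) = common.get_handler_name(kaddr_info, cb)

            yield (0, [
                Address(scope.v()),
                str(scope.ks_identifier),
                Address(scope.ks_idata),
                int(len([l for l in scope.listeners()])),
                Address(cb),
                str(module),
                str(handler_sym),
                ])

    def render_text(self, outfd, data):
        common.set_plugin_members(self)

        self.table_header(outfd, [("Offset", "[addrpad]"),
                                  ("Name", "24"),
                                  ("IData", "[addrpad]"),
                                  ("Listeners", "5"),
                                  ("Callback Addr", "[addrpad]"),
                                  ("Callback Mod", "24"),
                                  ("Callback Sym", ""),])

        kaddr_info = common.get_handler_name_addrs(self)

        for scope in data:
            cb = scope.ks_callback.v()
            (module, handler_sym) = common.get_handler_name(kaddr_info, cb)

            self.table_row(outfd, scope.v(), scope.ks_identifier, scope.ks_idata,
                           len([l for l in scope.listeners()]), cb, module, handler_sym)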
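volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/list_raw.py0000644000000000000000000000637213131215405023764 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . #
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.mac.common as mac_common
import volatility.plugins.mac.ifconfig as mac_ifconfig
import volatility.plugins.mac.pstasks as mac_pstasks
import volatility.debug as debug
import volatility.obj as obj
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

# Matches entries of the list at the _rawcb_list symbol against the sockets
# found in every task's open files, and reports the owning task and file
# descriptor for each match.
class mac_list_raw(mac_common.AbstractMacCommand):
    """List applications with promiscuous sockets"""

    def __init__(self, config, *args, **kwargs):
        # socket address -> [task, fd]; filled by _fill_cache()
        self.fd_cache = {}
        mac_common.AbstractMacCommand.__init__(self, config, *args, **kwargs)

    def _fill_cache(self):
        """Record every DTYPE_SOCKET file of every task, keyed by socket address."""
        for task in mac_pstasks.mac_tasks(self._config).calculate():
            for filp, _, fd in task.lsof():
                if filp.f_fglob.fg_type == 'DTYPE_SOCKET':
                    socket = filp.f_fglob.fg_data.dereference_as("socket").v()
                    self.fd_cache[socket] = [task, fd]

    def calculate(self):
        """Yield (task, fd, socket) for each raw control block with a known owner.

        The list comes from the memory image under analysis and may be damaged
        or deliberately linked into a loop, so entry addresses are remembered
        and the walk stops at the first repeat.
        """
        mac_common.set_plugin_members(self)

        list_addr = self.profile.get_symbol("_rawcb_list")
        list_ptr = obj.Object("rawcb_list_head", offset = list_addr, vm = self.addr_space)

        cur = list_ptr.lh_first

        self._fill_cache()

        seen = set()
        while cur.is_valid():
            cur_addr = cur.v()
            if cur_addr in seen:
                break
            seen.add(cur_addr)

            socket = cur.rcb_socket.v()

            # entries whose socket is not in any task's file table are skipped
            if socket in self.fd_cache:
                (task, fd) = self.fd_cache[socket]
                yield (task, fd, socket)

            cur = cur.list.le_next.dereference()

    def unified_output(self, data):
        return TreeGrid([("Process", str),
                         ("PID", int),
                         ("File Descriptor", int),
                         ("Socket", Address),
                         ], self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per matched socket."""
        for (task, fd, socket) in data:
            yield (0, [
                str(task.p_comm),
                int(task.p_pid),
                int(fd),
                Address(socket),
                ])

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Process", "16"),
                                  ("PID", "6"),
                                  ("File Descriptor", "5"),
                                  ("Socket", "[addrpad]"),
                                  ])

        for (task, fd, socket) in data:
            self.table_row(outfd, task.p_comm, task.p_pid, fd, socket)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/adiummsgs.py0000644000000000000000000001337513131215405024132 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 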
#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os
import volatility.obj as obj
import volatility.plugins.mac.pstasks as pstasks
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

# Searches writable, path-less maps of tasks whose name contains "adium" for
# message fragments and writes each hit to a file under --dump-dir.
# NOTE(review): the files hold chat content recovered from the image; the
# output directory should be access-restricted like any other evidence store.
class mac_adium(pstasks.mac_tasks):
    """ Lists Adium messages """

    def __init__(self, config, *args, **kwargs):
        pstasks.mac_tasks.__init__(self, config, *args, **kwargs)
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'Output directory', action = 'store', type = 'str')
        self._config.add_option('WIDE', short_option = 'W', default = False, help = 'Wide character search', action = 'store_true')

    def _make_uni(self, msg):
        # With --WIDE a NUL byte is placed between the characters of msg;
        # otherwise msg is returned unchanged.
        if self._config.WIDE:
            return "\x00".join([m for m in msg])
        else:
            return msg

    def calculate(self):
        # Yields (proc, address of the hit, time + sender + message text).
        common.set_plugin_members(self)

        procs = pstasks.mac_tasks.calculate(self)

        for proc in procs:
            # only tasks whose lower-cased name contains "adium"
            if proc.p_comm.lower().find("adium") == -1:
                continue

            proc_as = proc.get_process_address_space()

            for map in proc.get_proc_maps():
                # only maps with "rw-" permissions and an empty path
                if map.get_perms() != "rw-" or map.get_path() != "":
                    continue

                buffer = proc_as.zread(map.start.v(), map.end.v() - map.start.v())

                if not buffer:
                    continue

                # NOTE(review): the search literal below is empty, and
                # end_search, time_search and send_search are not assigned
                # anywhere in this listing. The original literals were
                # probably markup-like strings lost when the page was
                # extracted; restore them from the upstream file before
                # relying on this function.
                msg_search = self._make_uni('')

                idx = 0
                msg_idx = buffer.find(msg_search)
                while msg_idx != -1:
                    idx = idx + msg_idx

                    msg_end_idx = buffer[idx:].find(end_search)

                    if msg_end_idx == -1:
                        break

                    msg = buffer[idx: idx + msg_end_idx + 14]

                    # to look for time and send
                    # NOTE(review): when idx is below 200 search_idx is
                    # negative, and the slices below then index from the end
                    # of the buffer.
                    search_idx = idx - 200

                    time_idx = buffer[search_idx : search_idx + 200].find(time_search)

                    msg_time = ""
                    if time_idx != -1:
                        time_end_idx = buffer[search_idx + time_idx: search_idx + time_idx + 130].find(end_search)
                        if time_end_idx != -1:
                            msg_time = buffer[search_idx + time_idx: search_idx + time_idx + time_end_idx + 14]

                    msg_sender = ""
                    # NOTE(review): this slice starts at idx + search_idx while
                    # the time lookup above starts at search_idx, and the
                    # offsets derived from send_idx below are relative to
                    # search_idx; the start looks inconsistent.
                    send_idx = buffer[idx + search_idx: idx + search_idx + 200].find(send_search)
                    if send_idx != -1:
                        send_end_idx = buffer[search_idx + send_idx: search_idx + send_idx + 60].find(end_search)
                        if send_end_idx != -1:
                            msg_sender = buffer[search_idx + send_idx: search_idx + send_idx + send_end_idx + 14]

                    yield proc, map.start + idx, msg_time + msg_sender + msg

                    idx = idx + 5
                    msg_idx = buffer[idx:].find(msg_search)

    def unified_output(self, data):
        return TreeGrid([("Pid", int),
                         ("Name", str),
                         ("Start", Address),
                         ("Size", int),
                         ("Path", str),
                         ], self.generator(data))

    def generator(self, data):
        # Writes each message to Adium.<pid>.<start in hex>.txt and yields a row.
        # NOTE(review): DUMP_DIR is used without the existence check that
        # mac_librarydump performs; with the default of None, os.path.join
        # fails. The file handle is also not closed if write() raises.
        for (proc, start, msg) in data:
            fname = "Adium.{0}.{1:x}.txt".format(proc.p_pid, start)
            file_path = os.path.join(self._config.DUMP_DIR, fname)

            fd = open(file_path, "wb+")
            fd.write(msg)
            fd.close()

            yield(0, [
                int(proc.p_pid),
                str(proc.p_comm),
                Address(start),
                int(len(msg)),
                str(file_path),
                ])

    def render_text(self, outfd, data):
        # Same file writing as generator(), followed by a table row per message.
        # NOTE(review): DUMP_DIR is not validated here either.
        self.table_header(outfd, [("Pid", "8"),
                                  ("Name", "20"),
                                  ("Start", "[addrpad]"),
                                  ("Size", "8"),
                                  ("Path", "")])

        for (proc, start, msg) in data:
            fname = "Adium.{0}.{1:x}.txt".format(proc.p_pid, start)
            file_path = os.path.join(self._config.DUMP_DIR, fname)

            fd = open(file_path, "wb+")
            fd.write(msg)
            fd.close()

            self.table_row(outfd,
                           str(proc.p_pid),
                           proc.p_comm,
                           start,
                           len(msg),
                           file_path)

volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/get_profile.py0000644000000000000000000002503613131215405024435 0ustar rootroot# Volatility # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.debug as debug import volatility.scan as scan import volatility.utils as utils import volatility.addrspace as addrspace import volatility.registry as registry import volatility.plugins.mac.common as common from volatility.renderers import TreeGrid from volatility.renderers.basic import Address profiles = [ ["MacYosemite_10_10_2_14C1514x64", 18446743523963607600, 18446743523964534784, 1], ["MacYosemite_10_10_3_14D131_14D136x64", 18446743523963609408, 18446743523964534784, 1], ["MacYosemite_10_10_4_14E46x64", 18446743523963610496, 18446743523964534784, 1], ["MacYosemite_10_10_5_14F1021_14f1509x64", 18446743523963608704, 18446743523964534784, 1], ["MacYosemite_10_10_5_14F1912x64", 18446743523963609312, 18446743523964534784, 1], ["MacYosemite_10_10_5_14F2009_14F2109x64", 18446743523963609536, 18446743523964534784, 1], ["MacYosemite_10_10_5_14F2315x64", 18446743523963601344, 18446743523964534784, 1], ["MacYosemite_10_10_5_14F27x64", 18446743523963608608, 18446743523964534784, 1], ["MacYosemite_10_10_14A389_14B25x64", 18446743523963612480, 18446743523964534784, 1], ["MacElCapitan_10_11_1_15B42x64", 18446743523963517744, 18446743523964555264, 1], ["MacElCapitan_10_11_2_15C50x64", 18446743523963517440, 18446743523964555264, 1], ["MacElCapitan_10_11_3_15D21_15D13bx64", 18446743523963520864, 18446743523964555264, 1], ["MacElCapitan_10_11_4_15E65x64", 18446743523963511520, 18446743523964555264, 1], ["MacElCapitan_10_11_5_15F34x64", 18446743523963513456, 18446743523964555264, 1], ["MacElCapitan_10_11_6_15G1004_15G1108x64", 18446743523963516032, 18446743523964555264, 1], ["MacElCapitan_10_11_6_15G1212x64", 18446743523963503888, 18446743523964555264, 1], ["MacElCapitan_10_11_6_15G1217x64", 18446743523963503456, 18446743523964555264, 1], ["MacElCapitan_10_11_6_15G1421x64", 18446743523963503440, 18446743523964555264, 1], 
["MacElCapitan_10_11_15A284x64", 18446743523963516960, 18446743523964547072, 1], ["MacSierra_10_12_0_16A323x64", 18446743523963569392, 18446743523964379136, 1], ["MacSierra_10_12_1_16B2657x64", 18446743523963568512, 18446743523964379136, 1], ["MacSierra_10_12_2_16C63ax64", 18446743523963567232, 18446743523964379136, 1], ["MacSierra_10_12_2_16C67x64", 18446743523963567232, 18446743523964379136, 1], ["MacSierra_10_12_3_16D32x64", 18446743523963567520, 18446743523964379136, 1], ["MacSierra_10_12_4_16E195x64", 18446743523963564384, 18446743523964379136, 1], ["MacLeopard_10_5_3_Intelx86", 4850472, 1708032, 0], ["MacLeopard_10_5_4_Intelx86", 4850488, 1708032, 0], ["MacLeopard_10_5_5_Intelx86", 4850568, 1708032, 0], ["MacLeopard_10_5_6_Intelx86", 4859540, 1712128, 0], ["MacLeopard_10_5_7_Intelx86", 4880064, 1716224, 0], ["MacLeopard_10_5_8_Intelx86", 4882736, 1716224, 0], ["MacLeopard_10_5_Intelx86", 4823024, 1703936, 0], ["MacSnowLeopard_10_6_2_AMDx64", 18446743523959767128, 18446743523956654080, 0], ["MacSnowLeopard_10_6_4_AMDx64", 18446743523959767504, 18446743523956662272, 0], ["MacSnowLeopard_10_6_5_AMDx64", 18446743523959780720, 18446743523956666368, 0], ["MacSnowLeopard_10_6_6_AMDx64", 18446743523959780936, 18446743523956666368, 0], ["MacSnowLeopard_10_6_7_AMDx64", 18446743523959800160, 18446743523956666368, 0], ["MacSnowLeopard_10_6_8_AMDx64", 18446743523959819016, 18446743523956670464, 0], ["MacSnowLeopard_10_6_10_6_1_AMDx64", 18446743523959762264, 18446743523956649984, 0], ["MacSnowLeopard_10_6_2_Intelx86", 6144688, 2748416, 0], ["MacSnowLeopard_10_6_3_Intelx86", 6139684, 2752512, 0], ["MacSnowLeopard_10_6_4_Intelx86", 6143412, 2752512, 0], ["MacSnowLeopard_10_6_5_Intelx86", 6165360, 2760704, 0], ["MacSnowLeopard_10_6_6_Intelx86", 6165676, 2760704, 0], ["MacSnowLeopard_10_6_7_Intelx86", 6186376, 2760704, 0], ["MacSnowLeopard_10_6_8_Intelx86", 6203832, 2764800, 0], ["MacSnowLeopard_10_6_10_6_1_Intelx86", 6139972, 2744320, 0], ["MacLion_10_7_1_AMDx64", 
18446743523961030696, 18446743523956600832, 0], ["MacLion_10_7_2_AMDx64", 18446743523961030368, 18446743523956600832, 0], ["MacLion_10_7_3_AMDx64", 18446743523961032256, 18446743523956600832, 0], ["MacLion_10_7_4_AMDx64", 18446743523961048360, 18446743523956609024, 0], ["MacLion_10_7_5_AMDx64", 18446743523961053360, 18446743523956609024, 0], ["MacLion_10_7_AMDx64", 18446743523961030304, 18446743523956600832, 0], ["MacLion_10_7_1_Intelx86", 7447336, 2899968, 0], ["MacLion_10_7_2_Intelx86", 7451396, 2904064, 0], ["MacLion_10_7_3_Intelx86", 7453552, 2904064, 0], ["MacLion_10_7_4_Intelx86", 7464424, 2908160, 0], ["MacLion_10_7_5_Intelx86", 7468772, 2908160, 0], ["MacLion_10_7_Intelx86", 7446904, 2899968, 0], ["MacMountainLion_10_8_1_AMDx64", 18446743523961328192, 18446743523962269696, 1], ["MacMountainLion_10_8_2_12c54_12c60x64", 18446743523961340528, 18446743523962269696, 1], ["MacMountainLion_10_8_3_AMDx64", 18446743523961294000, 18446743523962269696, 1], ["MacMountainLion_10_8_4_12e55_AMDx64", 18446743523961302256, 18446743523962269696, 1], ["MacMountainLion_10_8_5_12F2518_AMDx64", 18446743523961347136, 18446743523962273792, 1], ["MacMountainLion_10_8_5_12f37_AMDx64", 18446743523961347136, 18446743523962273792, 1], ["MacMountainLion_10_8_5_12f45_AMDx64", 18446743523961347136, 18446743523962273792, 1], ["MacMavericks_10_9_1_AMDx64", 18446743523961749984, 18446743523962273792, 1], ["MacMavericks_10_9_2_13C1021_AMDx64", 18446743523961751392, 18446743523962273792, 1], ["MacMavericks_10_9_2_13C64_AMDx64", 18446743523961753424, 18446743523962273792, 1], ["MacMavericks_10_9_3_AMDx64", 18446743523961765744, 18446743523962273792, 1], ["MacMavericks_10_9_4_AMDx64", 18446743523961767008, 18446743523962273792, 1], ["MacMavericks_10_9_5_13F1077_AMDx64", 18446743523961774256, 18446743523962273792, 1], ["MacMavericks_10_9_5_13F1911_AMDx64", 18446743523961774096, 18446743523962273792, 1], ["MacMavericks_10_9_5_AMDx64", 18446743523961765968, 18446743523962273792, 1], ] 
# Profiles that share one version-string address in the `profiles` table and
# therefore cannot be told apart by address alone. Each entry maps a profile
# name to a substring expected inside that build's kernel version banner.
collisions_10_8_5 = {
    "MacMountainLion_10_8_5_12F2518_AMDx64" : "xnu-2050.48.19~1",
    "MacMountainLion_10_8_5_12f37_AMDx64" : "xnu-2050.48.11~1",
    "MacMountainLion_10_8_5_12f45_AMDx64" : "xnu-2050.48.12~1",
}

collisions_10_12_2 = {
    "MacSierra_10_12_2_16C63ax64" : "Tue Nov 29 12:39:07",
    "MacSierra_10_12_2_16C67x64" : "Thu Nov 17 20:23:58",
}

collision_sets = [collisions_10_8_5, collisions_10_12_2]

class catfishScan(scan.BaseScanner):
    """ Scanner for Catfish string for Mountain Lion """
    checks = []

    def __init__(self, needles = None):
        # The needles are handed to the multi-string check; the base
        # initializer runs after self.checks is in place.
        self.needles = needles
        self.checks = [("MultiStringFinderCheck", {'needles': needles})]
        scan.BaseScanner.__init__(self)

    def scan(self, address_space, offset = 0, maxlen = None):
        """Yield every offset reported by the base scanner, unchanged."""
        hits = scan.BaseScanner.scan(self, address_space, offset, maxlen)
        for hit in hits:
            yield hit

# based on kdbgscan
class mac_get_profile(common.AbstractMacCommand):
    """Automatically detect Mac profiles"""

    @staticmethod
    def check_address(profile, ver_addr, aspace):
        """Return the profile whose version banner sits at ver_addr, else None.

        ver_addr is reduced to an offset by subtracting the 64-bit or 32-bit
        kernel base constant, 128 bytes are read from aspace at that offset,
        and the candidate is accepted only if the buffer starts with
        "Darwin Kernel". When the candidate belongs to a collision set, the
        first set member whose marker string occurs in the buffer replaces it.
        Matching is purely string based, so the result is only as reliable as
        the banner bytes in the sample.
        """
        if ver_addr > 0xffffffff:
            read_at = ver_addr - 0xffffff8000000000
        elif ver_addr > 0xc0000000:
            read_at = ver_addr - 0xc0000000
        else:
            read_at = ver_addr

        banner = aspace.read(read_at, 128)
        if not (banner and banner.startswith("Darwin Kernel")):
            return None

        matched = profile
        for candidates in collision_sets:
            if profile not in candidates:
                continue

            # the profile is ambiguous: pick the set member whose marker is in the banner
            for name, marker in candidates.items():
                if marker in banner:
                    matched = name
                    break

            # a profile lives in at most one collision set we care about, stop here
            break

        return matched

    @staticmethod
    def guess_profile(aspace):
        """Main interface to guessing Mac profiles.

        First tries every table entry at its unshifted version address. If
        none matches, scans for the "Catfish" marker and, for each hit,
        retries the entries flagged for KASLR with the derived shift applied.

        Args:
            aspace: a physical address space.

        Returns:
            Tuple containing the profile name and shift address.

            On failure, it implicitly returns None.
        """
        for entry in profiles:
            found = mac_get_profile.check_address(entry[0], entry[1], aspace)
            if found:
                return found, 0

        # didn't find a direct translation, so look for KASLR kernels
        catfish = catfishScan(needles = ["Catfish \x00\x00"])
        for catfish_offset in catfish.scan(aspace):
            for profile, ver_addr, lowglo, aslr in profiles:
                if not (aslr and lowglo):
                    continue

                shift_address = catfish_offset - (lowglo % 0xFFFFFF80)
                found = mac_get_profile.check_address(profile, ver_addr + shift_address, aspace)
                if found:
                    return found, shift_address

    def calculate(self):
        """Yield one (profile, shift) tuple, or report an error if none is found."""
        phys_as = utils.load_as(self._config, astype = 'physical')

        found = mac_get_profile.guess_profile(phys_as)

        if not found:
            debug.error("Unable to find an OS X profile for the given memory sample.")
        else:
            yield found

    def unified_output(self, data):
        columns = [("Profile", str),
                   ("Shift Address", Address)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        for (profile, shift) in data:
            row = [str(profile), Address(shift)]
            yield (0, row)

    def render_text(self, outfd, data):
        header = [("Profile", "50"), ("Shift Address", "[addrpad]")]
        self.table_header(outfd, header)

        for profile, shift_address in data:
            self.table_row(outfd, profile, shift_address)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/interest_handlers.py0000644000000000000000000001515013131215405025647 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import volatility.obj as obj
import volatility.utils as utils
import volatility.debug as debug
import volatility.plugins.mac.common as common

# Module-level cache of the tuple returned by common.get_handler_name_addrs();
# set in calculate() and read by walk_reg_entry().
kaddr_info = None

class mac_interest_handlers(common.AbstractMacCommand):
    """ Lists IOKit Interest Handlers """

    def _struct_or_class(self, type_name):
        """Return the name of a structure or class.

        More recent versions of OSX define some types as
        classes instead of structures, so the naming is
        a little different.
        """
        if self.addr_space.profile.vtypes.has_key(type_name):
            return type_name
        else:
            return type_name + "_class"

    def parse_properties(self, fdict):
        """Return a dict mapping each valid entry's key string to its raw value.

        fdict supplies the `dictionary` pointer and the `count` used to size
        the dictEntry array.
        """
        props = {}

        # NOTE(review): count comes straight from the memory image and is not
        # bounded here - confirm a corrupted value cannot stall the walk.
        ents = obj.Object('Array', offset = fdict.dictionary, vm = self.addr_space, targetType = self._struct_or_class("dictEntry"), count = fdict.count)

        # walk the current set of notifications
        for ent in ents:
            if ent == None or not ent.is_valid():
                continue

            key = str(ent.key.dereference_as(self._struct_or_class("OSString")))
            val = ent.value

            props[key] = val

        return props

    def walk_reg_entry(self, reg_addr):
        """Yield (key, handler, module, symbol) for one registry entry and its children.

        For every property whose key contains "nterest", the notifier chain is
        followed and each handler address is resolved with
        common.get_handler_name(). Entries referenced through
        "IOServiceChildLinks" are then walked via walk_child_links().
        """
        regroot = obj.Object(self._struct_or_class("IORegistryEntry"), offset = reg_addr, vm = self.addr_space)

        fdict = regroot.fRegistryTable

        props = self.parse_properties(regroot.fPropertyTable)

        ents = obj.Object('Array', offset = fdict.dictionary, vm = self.addr_space, targetType = self._struct_or_class("dictEntry"), count = fdict.count)

        keys = []
        children = []
        current_name = ""
        device_mem = False

        for ent in ents:
            if ent == None or not ent.is_valid():
                continue

            key = str(ent.key.dereference_as(self._struct_or_class("OSString")))

            keys.append(key)

            # a name taken from IODeviceMemory wins over a later IOName
            if key == "IODeviceMemory":
                current_name = str(ent.value.dereference_as(self._struct_or_class("OSString")))
                device_mem = True

            if key == "IOName" and device_mem == False:
                current_name = str(ent.value.dereference_as(self._struct_or_class("OSString")))

            if key == "IOServiceChildLinks":
                children.append(ent.value)

        # fall back to the IOClass property, then to the power-management name
        if current_name == "":
            if "IOClass" in props:
                addr = props["IOClass"]
                s = obj.Object(self._struct_or_class("OSString"), offset = addr, vm = self.addr_space)
                current_name = "IOCLass: %s" % str(s)

        if current_name == "":
            serv = obj.Object(self._struct_or_class("IOService"), offset = reg_addr, vm = self.addr_space)
            buf = self.addr_space.read(serv.pwrMgt.Name, 128)
            if buf:
                idx = buf.find("\x00")
                if idx != -1:
                    buf = buf[:idx]

                current_name = buf

        # current_name, keys and prop_string only feed the commented-out debug print below
        prop_string = "".join(["%s=%x, " % (k,v) for (k,v) in props.items()])

        #print "%-20s | %s | %s" % (current_name, keys, prop_string)

        # offset of the `chain` member, used to step back from a chain pointer to its notifier
        offset = self.addr_space.profile.get_obj_offset(self._struct_or_class("_IOServiceInterestNotifier"), "chain")

        for (k, v) in props.items():
            if k.find("nterest") != -1:
                cmd = obj.Object(self._struct_or_class("IOCommand"), offset = v, vm = self.addr_space)
                notifier_ptr = cmd.fCommandChain.next
                first_ptr = notifier_ptr

                last = 0

                # stop on an invalid pointer, a self-link, or a return to the first element
                while notifier_ptr.is_valid() and notifier_ptr != last:
                    notifier = obj.Object(self._struct_or_class("_IOServiceInterestNotifier"), offset = notifier_ptr - offset, vm = self.addr_space)

                    if not notifier.handler.is_valid():
                        break

                    last = notifier_ptr
                    notifier_ptr = notifier.chain.next

                    if notifier_ptr == first_ptr:
                        break

                    handler = notifier.handler.v()

                    (module, handler_sym) = common.get_handler_name(kaddr_info, handler)

                    yield k, handler, module, handler_sym

        # NOTE(review): walk_reg_entry and walk_child_links recurse into each
        # other with no depth limit or visited set; a damaged or cyclic
        # registry in the sample would presumably recurse until the
        # interpreter limit - confirm.
        for child in children:
            for k, handler, module, handler_sym in self.walk_child_links(child):
                yield k, handler, module, handler_sym

    def walk_child_links(self, addr):
        """Yield the results of walk_reg_entry() for every pointer in the OSArray at addr."""
        val = obj.Object(self._struct_or_class("OSArray"), offset = addr, vm = self.addr_space)

        arr_ptr = val.array
        cnt = val.count

        arr = obj.Object(theType = "Array", targetType = "Pointer", offset = arr_ptr, count = cnt, vm = self.addr_space)

        for a in arr:
            for key, handler, module, handler_sym in self.walk_reg_entry(a):
                yield key, handler, module, handler_sym

    def calculate(self):
        """Resolve gRegistryRoot and yield every interest handler reachable from it."""
        common.set_plugin_members(self)

        global kaddr_info
        kaddr_info = common.get_handler_name_addrs(self)

        # gRegistryRoot is a C++ symbol, so it is looked up by substring of the mangled name
        regroot_addr = common.get_cpp_sym("gRegistryRoot", self.addr_space.profile)

        p = obj.Object("Pointer", offset = regroot_addr, vm = self.addr_space)

        for key, handler, module, handler_sym in self.walk_reg_entry(p):
            yield key, handler, module, handler_sym

    def render_text(self, outfd, data):
        """Write one table row per handler: interest key, address, module, symbol."""
        self.table_header(outfd, [("Interest", "24"), ("Handler", "[addrpad]"), ("Module", "32"), ("Symbol", "")])

        for key, handler, module, handler_sym in data:
            self.table_row(outfd, key, handler, module, handler_sym)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/ldrmodules.py0000644000000000000000000001124513131215405024305 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
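#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import volatility.obj as obj
import volatility.plugins.mac.common as mac_common
import volatility.plugins.mac.pslist as mac_pslist
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_ldrmodules(mac_pslist.mac_pslist):
    """Compares the output of proc maps with the list of libraries from libdl"""

    def calculate(self):
        """Yield one row per loaded image, from dyld's list and from the process maps.

        For every task two views are collected: mappings whose first four
        bytes are a Mach-O magic (writable-only and read-only mappings are
        skipped), and the images in the task's dyld list. All dyld entries are
        yielded first; a mapping is then yielded only when the same task's
        dyld list has no image at that start address.

        Each row is (task_offset, task, proc_as, vm_start, vm_name,
        proc_maps, dl_maps).
        """
        mac_common.set_plugin_members(self)

        procs = mac_pslist.mac_pslist(self._config).calculate()
        proc_maps = {}
        dl_maps = {}
        # Start addresses already reported, kept per task. A single shared
        # list would let an image in one task's dyld list suppress an
        # unlisted Mach-O mapped at the same address in another task, which
        # is exactly the mismatch this plugin exists to show.
        seen_starts = {}

        for task in procs:
            proc_maps[task.obj_offset] = {}
            proc_as = task.get_process_address_space()

            for vm_map in task.get_proc_maps():
                sig = proc_as.read(vm_map.start, 4)

                # 32-bit and 64-bit Mach-O magic as stored in memory
                if sig in ['\xce\xfa\xed\xfe', '\xcf\xfa\xed\xfe']:
                    prot = vm_map.get_perms()

                    if prot in ["rw-", "r--"]:
                        continue

                    fname = vm_map.get_path()
                    proc_maps[task.obj_offset][vm_map.start.v()] = (task, proc_as, fname)

            dl_maps[task.obj_offset] = {}
            for so in task.get_dyld_maps():
                dl_maps[task.obj_offset][so.imageLoadAddress] = (task, proc_as, str(so.imageFilePath))

        for task_offset in dl_maps:
            for vm_start in dl_maps[task_offset]:
                seen_starts.setdefault(task_offset, []).append(vm_start)
                (task, proc_as, vm_name) = dl_maps[task_offset][vm_start]
                yield (task_offset, task, proc_as, vm_start, vm_name, proc_maps, dl_maps)

        for task_offset in proc_maps:
            # list membership (==) is kept on purpose: dyld addresses are
            # profile objects while map starts are plain integers
            task_seen = seen_starts.get(task_offset, [])

            for vm_start in proc_maps[task_offset]:
                if vm_start in task_seen:
                    continue

                (task, proc_as, vm_name) = proc_maps[task_offset][vm_start]
                yield (task_offset, task, proc_as, vm_start, vm_name, proc_maps, dl_maps)

    def unified_output(self, data):
        return TreeGrid([("Pid", int),
                         ("Name", str),
                         ("Start", Address),
                         ("File Path", str),
                         ("Kernel", str),
                         ("Dyld", str),
                         ], self.generator(data))

    def generator(self, data):
        """Render rows; "Kernel" and "Dyld" say which view contains the start address."""
        for task_offset, task, proc_as, vm_start, map_name, proc_maps, dl_maps in data:
            if vm_start in proc_maps[task_offset]:
                pmaps = "True"
            else:
                pmaps = "False"

            if vm_start in dl_maps[task_offset]:
                dmaps = "True"
            else:
                dmaps = "False"

            yield(0, [
                int(task.p_pid),
                str(task.p_comm),
                Address(vm_start),
                str(map_name),
                str(pmaps),
                str(dmaps),
                ])

    def render_text(self, outfd, data):
        """Text table version of generator(); an entry with Dyld "False" is absent from dyld's list."""
        self.table_header(outfd, [("Pid", "8"),
                                  ("Name", "16"),
                                  ("Start", "#018x"),
                                  ("File Path", "100"),
                                  ("Kernel", "6"),
                                  ("Dyld", "6"),
                                  ])

        for task_offset, task, proc_as, vm_start, map_name, proc_maps, dl_maps in data:
            if vm_start in proc_maps[task_offset]:
                pmaps = "True"
            else:
                pmaps = "False"

            if vm_start in dl_maps[task_offset]:
                dmaps = "True"
            else:
                dmaps = "False"

            self.table_row(outfd,
                           task.p_pid,
                           str(task.p_comm),
                           vm_start,
                           map_name,
                           pmaps,
                           dmaps)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/check_fop.py0000644000000000000000000001116713131215405024057 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .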
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import volatility.obj as obj
import volatility.utils as utils
import volatility.debug as debug
import volatility.plugins.mac.common as common

class mac_check_fop(common.AbstractMacCommand):
    """ Validate File Operation Pointers """

    def _walk_vfstbllist(self, kaddr_info):
        """Yield (vfs address, fs name, pointer, module, symbol) for each vfsops member.

        Walks the _vfstbllist array, sized by _maxvfsconf (or _maxvfsslots
        when the first symbol is absent), and resolves every non-zero
        operation pointer with common.get_handler_name().
        """
        table_size_ptr = self.addr_space.profile.get_symbol("_maxvfsconf")

        if table_size_ptr == None:
            table_size_ptr = self.addr_space.profile.get_symbol("_maxvfsslots")

        # NOTE(review): the element count is read from the sample and used
        # unchecked - confirm an implausible value is handled upstream.
        table_size = obj.Object("unsigned int", offset = table_size_ptr, vm = self.addr_space)

        table_ptr = self.addr_space.profile.get_symbol("_vfstbllist")
        table = obj.Object(theType = "Array", targetType = "vfstable", offset = table_ptr, count = table_size, vm = self.addr_space)
        vfs_op_members = self.profile.types['vfsops'].keywords["members"].keys()
        # vfs_reserved is not checked as a handler
        vfs_op_members.remove("vfs_reserved")

        for vfs in table:
            if not vfs.is_valid():
                continue

            # the filesystem name is read as at most 16 bytes and cut at the first NUL
            name = self.addr_space.read(vfs.vfc_name.obj_offset, 16)
            if name:
                idx = name.find("\x00")
                if idx != -1:
                    name = name[:idx]
            else:
                name = ""

            # an empty name ends the walk
            if name == "":
                break

            ops = vfs.vfc_vfsops

            for member in vfs_op_members:
                ptr = ops.__getattr__(member).v()

                if ptr == 0:
                    continue

                (module, handler_sym) = common.get_handler_name(kaddr_info, ptr)

                yield (vfs.v(), name, ptr, module, handler_sym)

    def _walk_opv_desc(self, kaddr_info):
        """Yield (entry address, "table/op" name, pointer, module, symbol) for vnode operations.

        Reads up to 32 descriptor pointers from _vfs_opv_descs and up to 64
        operation entries per descriptor; both walks stop at the first zero.
        """
        table_addr = self.addr_space.profile.get_symbol("_vfs_opv_descs")

        table = obj.Object(targetType = "unsigned long", theType = "Array", count = 32, vm = self.addr_space, offset = table_addr)

        for desc in table:
            if desc.v() == 0:
                break

            table_name = self.addr_space.profile.get_symbol_by_address("kernel", desc.v())
            if not table_name:
                table_name = ""

            vnodeopv_desc = obj.Object("vnodeopv_desc", offset = desc.v(), vm = self.addr_space)

            vdesc_arr = obj.Object(theType = "Array", targetType = "vnodeopv_entry_desc", offset = vnodeopv_desc.opv_desc_ops, count = 64, vm = self.addr_space)

            for vdesc in vdesc_arr:
                ptr = vdesc.opve_impl.v()
                if ptr == 0:
                    break

                # operation name: at most 64 bytes, cut at the first NUL
                name = self.addr_space.read(vdesc.opve_op.vdesc_name.v(), 64)
                if name:
                    idx = name.find("\x00")
                    if idx != -1:
                        name = name[:idx]
                else:
                    name = ""

                name = table_name + "/" + name

                (module, handler_sym) = common.get_handler_name(kaddr_info, ptr)

                yield (vdesc.v(), name, ptr, module, handler_sym)

    def calculate(self):
        """Yield the rows of both walkers, vnode operation tables first."""
        common.set_plugin_members(self)

        kaddr_info = common.get_handler_name_addrs(self)

        funcs = [self._walk_opv_desc, self._walk_vfstbllist]

        for func in funcs:
            for (vfs_ptr, name, ptr, module, handler_sym) in func(kaddr_info):
                yield (vfs_ptr, name, ptr, module, handler_sym)

    def render_text(self, outfd, data):
        """Write one table row per operation pointer.

        The Module column is whatever common.get_handler_name() returned,
        which is "UNKNOWN" for a pointer outside the kernel text range and
        every listed kernel module range.
        """
        self.table_header(outfd, [("Offset", "[addrpad]"),
                                  ("Name", "48"),
                                  ("Handler", "[addrpad]"),
                                  ("Module", "32"),
                                  ("Handler Sym", "")])

        for (vfs_addr, name, handler, module, handler_sym) in data:
            self.table_row(outfd, vfs_addr, name, handler, module, handler_sym)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/__init__.py0000644000000000000000000000000013131215405023655 0ustar rootroot
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/procdump.py0000644000000000000000000000573713131215405023775 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import os import volatility.obj as obj import volatility.debug as debug import volatility.plugins.mac.pstasks as mac_tasks import volatility.plugins.mac.common as mac_common from volatility.renderers import TreeGrid from volatility.renderers.basic import Address class mac_procdump(mac_tasks.mac_tasks): """ Dumps the executable of a process """ def __init__(self, config, *args, **kwargs): mac_tasks.mac_tasks.__init__(self, config, *args, **kwargs) self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'Output directory', action = 'store', type = 'str') def unified_output(self, data): if (not self._config.DUMP_DIR or not os.path.isdir(self._config.DUMP_DIR)): debug.error("Please specify an existing output dir (--dump-dir)") return TreeGrid([("Task", str), ("Pid", int), ("Address", Address), ("Path", str), ], self.generator(data)) def generator(self, data): for proc in data: exe_address = proc.text_start() if exe_address: file_path = mac_common.write_macho_file(self._config.DUMP_DIR, proc, exe_address) yield (0, [ str(proc.p_comm), int(proc.p_pid), Address(exe_address), str(file_path), ]) def render_text(self, outfd, data): if (not self._config.DUMP_DIR or not os.path.isdir(self._config.DUMP_DIR)): debug.error("Please specify an existing output dir (--dump-dir)") self.table_header(outfd, [("Task", "25"), ("Pid", "6"), ("Address", "[addrpad]"), ("Path", "")]) for proc in data: exe_address = proc.text_start() if exe_address: file_path = mac_common.write_macho_file(self._config.DUMP_DIR, proc, exe_address) self.table_row(outfd, proc.p_comm, proc.p_pid, exe_address, file_path) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/psxview.py0000644000000000000000000001262713131215405023645 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (c) 2010, 2011, 2012 Michael Ligh # # This file is part of 
# Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.plugins.mac.pslist as pslist
import volatility.plugins.mac.pid_hash_table as pid_hash_table
import volatility.plugins.mac.pgrp_hash_table as pgrp_hash_table
import volatility.plugins.mac.session_hash_table as session_hash_table
import volatility.plugins.mac.pstasks as pstasks
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_psxview(common.AbstractMacCommand):
    "Find hidden processes with various process listings"

    # Each _get_* helper runs one enumeration plugin and returns the process
    # offsets it reported, so the sources can be compared against each other.

    def _get_pslist(self):
        procs = pslist.mac_pslist(self._config).calculate()
        return [proc.v() for proc in procs]

    def _get_parent_pointers(self):
        procs = pslist.mac_pslist(self._config).calculate()
        return [proc.p_pptr.v() for proc in procs]

    def _get_pid_hash_table(self):
        procs = pid_hash_table.mac_pid_hash_table(self._config).calculate()
        return [proc.v() for proc in procs]

    def _get_pgrp_hash_table(self):
        procs = pgrp_hash_table.mac_pgrp_hash_table(self._config).calculate()
        return [proc.v() for proc in procs]

    def _get_session_hash_table(self):
        # only sessions whose leader pointer is valid contribute an offset
        sessions = session_hash_table.mac_list_sessions(self._config).calculate()
        return [sess.s_leader.v() for sess in sessions if sess.s_leader.is_valid()]

    def _get_procs_from_tasks(self):
        procs = pstasks.mac_tasks(self._config).calculate()
        return [proc.v() for proc in procs]

    def calculate(self):
        """Yield (offset, proc object, sources) once per distinct process offset.

        `sources` maps each listing name to the offsets that listing found;
        a process missing from some listings but present in others is the
        discrepancy the output columns expose.
        """
        common.set_plugin_members(self)

        ps_sources = {}
        ps_sources['pslist'] = self._get_pslist()
        ps_sources['parents'] = self._get_parent_pointers()
        ps_sources['pid_hash'] = self._get_pid_hash_table()
        ps_sources['pgrp_hash_table'] = self._get_pgrp_hash_table()
        ps_sources['session_hash_table'] = self._get_session_hash_table()
        ps_sources['procs_from_tasks'] = self._get_procs_from_tasks()

        # Build a list of offsets from all sources
        seen_offsets = []
        for source in ps_sources:
            for offset in ps_sources[source]:
                if offset in seen_offsets:
                    continue

                seen_offsets.append(offset)
                proc = obj.Object("proc", offset = offset, vm = self.addr_space)
                yield offset, proc, ps_sources

    def unified_output(self, data):
        columns = [("Offset(V)", Address),
                   ("Name", str),
                   ("PID", int),
                   ("pslist", str ),
                   ("parents", str),
                   ("pid_hash", str),
                   ("pgrp_hash_table", str),
                   ("session leaders", str),
                   ("task processes", str),
                   ]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """One row per process: identity columns, then "True"/"False" per listing."""
        listing_keys = ('pslist', 'parents', 'pid_hash', 'pgrp_hash_table',
                        'session_hash_table', 'procs_from_tasks')

        for offset, process, ps_sources in data:
            row = [
                Address(offset),
                str(process.p_comm),
                int(process.p_pid),
            ]
            for key in listing_keys:
                row.append(str(offset in ps_sources[key]))

            yield (0, row)

    def render_text(self, outfd, data):
        """Text table version of generator()."""
        header = [('Offset(V)', '[addrpad]'),
                  ('Name', '<20'),
                  ('PID', '>6'),
                  ('pslist', '5'),
                  ('parents', '5'),
                  ('pid_hash', '5'),
                  ('pgrp_hash_table', '5'),
                  ('session leaders', '5'),
                  ('task processes', '5'),
                  ]
        self.table_header(outfd, header)

        listing_keys = ('pslist', 'parents', 'pid_hash', 'pgrp_hash_table',
                        'session_hash_table', 'procs_from_tasks')

        for offset, process, ps_sources in data:
            flags = [str(offset in ps_sources[key]) for key in listing_keys]
            self.table_row(outfd,
                           offset,
                           process.p_comm,
                           str(process.p_pid),
                           *flags)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/pgrp_hash_table.py0000644000000000000000000000362413131215405025257 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import volatility.plugins.mac.pslist as pslist
import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_pgrp_hash_table(pslist.mac_pslist):
    """ Walks the process group hash table """

    def calculate(self):
        """Yield every process reachable through the process group hash table.

        The table is an array of `_pgrphash + 1` list heads at the address
        stored in `_pgrphashtbl`. Each bucket is a list of process groups
        linked by pg_hash; each group links its members through p_pglist.
        """
        common.set_plugin_members(self)

        pgrphash_addr = self.addr_space.profile.get_symbol("_pgrphash")
        pgrphash = obj.Object("unsigned long", offset = pgrphash_addr, vm = self.addr_space)

        pgrphashtbl_addr = self.addr_space.profile.get_symbol("_pgrphashtbl")
        pgrphashtbl_ptr = obj.Object("Pointer", offset = pgrphashtbl_addr, vm = self.addr_space)
        # NOTE(review): the bucket count is read from the sample and not
        # bounded here - confirm an implausible value is acceptable.
        pgrphash_array = obj.Object("Array", targetType = "pgrphashhead", count = pgrphash + 1, vm = self.addr_space, offset = pgrphashtbl_ptr)

        for plist in pgrphash_array:
            pgrp = plist.lh_first

            # NOTE(review): both list walks end only on a false pointer; a
            # cyclic list in a corrupted sample would presumably never
            # terminate - confirm whether a visited set is needed.
            while pgrp:
                p = pgrp.pg_members.lh_first

                while p:
                    yield p
                    p = p.p_pglist.le_next

                pgrp = pgrp.pg_hash.le_next
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/common.py0000644000000000000000000001760513131215405023431 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013
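# Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""

import os
import volatility.commands as commands
import volatility.utils as utils
import volatility.obj as obj

def set_plugin_members(obj_ref):
    """Load the address space for the plugin's configuration into obj_ref.addr_space."""
    obj_ref.addr_space = utils.load_as(obj_ref._config)

class AbstractMacCommand(commands.Command):
    """Base class for the Mac plugins: holds the address space and the SHIFT option."""

    def __init__(self, *args, **kwargs):
        self.addr_space = None
        commands.Command.__init__(self, *args, **kwargs)

    @property
    def profile(self):
        """Profile of the loaded address space, or None before one is loaded."""
        if self.addr_space:
            return self.addr_space.profile
        return None

    def execute(self, *args, **kwargs):
        commands.Command.execute(self, *args, **kwargs)

    @staticmethod
    def register_options(config):
        config.add_option("SHIFT", type = 'int', default = 0, help = "Mac KASLR shift address")

    @staticmethod
    def is_valid_profile(profile):
        return profile.metadata.get('os', 'Unknown').lower() == 'mac'

def is_in_kernel_or_module(handler, ktext_start, ktext_end, kmods):
    """Return (good, module) for an address checked against kernel text and module ranges.

    good is 1 when handler lies inside [ktext_start, ktext_end] or inside one
    of the (start, end, name) ranges in kmods, else 0 with module "UNKNOWN".
    """
    # see if this handler is in a known location
    good = 0
    module = "UNKNOWN"

    if ktext_start <= handler <= ktext_end:
        good = 1
        module = "__kernel__"

    elif kmods != []:
        # see if the address fits in any of the known modules
        for (start, end, name) in kmods:
            if start <= handler <= end:
                good = 1
                module = name
                break

    return (good, module)

def get_handler_name(kaddr_info, handler):
    """Return (module, symbol) for a handler address.

    kaddr_info is the tuple built by get_handler_name_addrs(). A known
    function address resolves to "__kernel__" plus its symbol; an address in
    the kernel text range resolves to "__kernel__" with an empty symbol; an
    address inside a listed module range resolves to that module's name.
    Anything else stays "UNKNOWN", which is the value to look for when
    reviewing handler tables for pointers into unaccounted memory. The module
    ranges come from the module list in the sample and cover each module's
    whole range, not only its text (see the TODO notes below).
    """
    (obj_ref, kernel_symbol_addresses, ktext_start, ktext_end, kmods) = kaddr_info

    module = "UNKNOWN"
    handler_sym = ""

    if handler in kernel_symbol_addresses:
        module = "__kernel__"
        handler_sym = obj_ref.profile.get_symbol_by_address("kernel", handler)

    elif ktext_start <= handler <= ktext_end:
        module = "__kernel__"

    elif kmods != []:
        # see if the address fits in any of the known modules
        for (start, end, name) in kmods:
            if start <= handler <= end:
                module = name
                break

    return (module, handler_sym)

def is_known_address_name(handler, kernel_symbol_addresses, kmods):
    """Return (good, module) for an address checked against known symbols and module ranges."""
    # see if this handler is in a known location
    good = 0
    module = "UNKNOWN"

    if handler in kernel_symbol_addresses:
        good = 1
        module = "__kernel__"

    elif kmods != []:
        # see if the address fits in any of the known modules
        for (start, end, name) in kmods:
            if start <= handler <= end:
                good = 1
                module = name
                break

    return (good, module)

def is_64bit_capable(addr_space):
    """Test if the AS is capable of doing 64-bits.

    @returns True if 64-bit capable.
    """
    x86_64_flag_addr = addr_space.profile.get_symbol("_x86_64_flag")

    # this symbol no longer exists in 10.9 / Mavericks
    # this is most likely b/c all Macs are 64 bit by 10.9
    if x86_64_flag_addr:
        x86_64_flag = obj.Object("int", offset = x86_64_flag_addr, vm = addr_space)
        ret = x86_64_flag == 1
    else:
        ret = True

    return ret

def get_kernel_function_addrs(obj_ref):
    """Return (function addresses from the profile, module ranges from lsmod)."""
    import volatility.plugins.mac.lsmod as lsmod

    kernel_symbol_addresses = obj_ref.profile.get_all_function_addresses()

    # TODO -- make sure more stringent and parse each kext in-memory so we only allow whitelist from .text
    kmods = [(kmod.address, kmod.address + kmod.m('size'), kmod.name) for kmod in lsmod.mac_lsmod(obj_ref._config).calculate() if str(kmod.name) != "com.apple.kpi.unsupported"]

    return (kernel_symbol_addresses, kmods)

def get_kernel_addrs_start_end(obj_ref):
    """Return (kernel text start, kernel text end, module ranges).

    The text bounds are read from _vm_kernel_stext/_vm_kernel_etext, falling
    back to _stext/_etext when the profile lacks the first pair.
    """
    import volatility.plugins.mac.lsmod as lsmod

    s = obj_ref.profile.get_symbol("_vm_kernel_stext")
    e = obj_ref.profile.get_symbol("_vm_kernel_etext")

    if s == None:
        s = obj_ref.profile.get_symbol("_stext")

    if e == None:
        e = obj_ref.profile.get_symbol("_etext")

    start = obj.Object("unsigned long", offset = s, vm = obj_ref.addr_space)
    end = obj.Object("unsigned long", offset = e, vm = obj_ref.addr_space)

    # module addresses, tuple of (start, end)
    # TODO -- make sure more stringent and parse each kext in-memory so we only allow whitelist from .text
    kmods = [(kmod.address.v(), kmod.address.v() + kmod.m('size'), kmod.name) for kmod in lsmod.mac_lsmod(obj_ref._config).calculate() if str(kmod.name) != "com.apple.kpi.unsupported"]

    return (start, end, kmods)

def get_handler_name_addrs(obj_ref):
    """Return the tuple consumed by get_handler_name().

    Layout: (obj_ref, function addresses, text start, text end, module ranges).
    The text bounds and module ranges are the ones computed by
    get_kernel_addrs_start_end(), which held an identical copy of this logic.
    """
    (start, end, kmods) = get_kernel_addrs_start_end(obj_ref)

    kernel_symbol_addresses = obj_ref.profile.get_all_function_addresses()

    return (obj_ref, kernel_symbol_addresses, start, end, kmods)

def get_kernel_addrs(obj_ref):
    """Return (all symbol addresses from the profile, module ranges from lsmod)."""
    import volatility.plugins.mac.lsmod as lsmod

    # all the known addresses in the kernel
    # TODO -- make more stringent and get only symbols from .text
    kernel_symbol_addresses = obj_ref.profile.get_all_addresses()

    # module addresses, tuple of (start, end)
    # TODO -- make sure more stringent and parse each kext in-memory so we only allow whitelist from .text
    kmods = [(kmod.address.v(), kmod.address.v() + kmod.m('size'), kmod.name) for kmod in lsmod.mac_lsmod(obj_ref._config).calculate() if str(kmod.name) != "com.apple.kpi.unsupported"]

    return (kernel_symbol_addresses, kmods)

## FIXME: remove this function after all references from plugins are removed
def get_string(addr, addr_space, maxlen = 256):
    """Return the bytes at addr up to the first NUL, reading at most maxlen bytes.

    An unreadable address (the read returns nothing) yields an empty string
    instead of failing while iterating over the missing buffer.
    """
    name = addr_space.read(addr, maxlen)
    if not name:
        return ""

    idx = name.find("\x00")
    if idx != -1:
        name = name[:idx]

    return name

# account for c++ symbol name mangling
def get_cpp_sym(name, profile):
    """Return the address of the first profile symbol whose name contains `name`, else None."""
    for (cppname, addr) in profile.get_all_symbols():
        if cppname.find(name) != -1:
            return addr

    return None

def write_vnode_to_file(vnode, file_path):
    """Write the recovered pages of a vnode to file_path and return the byte count.

    Each page is written at its own offset, so pages absent from the sample
    leave holes. The handle is closed even when a read or write fails.
    """
    wrote = 0

    with open(file_path, "wb") as fd:
        for (offset, page) in vnode.get_contents():
            fd.seek(offset)
            fd.write(page)
            wrote = wrote + len(page)

    return wrote

def write_macho_file(out_dir, proc, exe_address):
    """Dump the Mach-O at exe_address in proc to out_dir and return the file path.

    The file name is built only from the pid and the address. The content is
    copied from the memory sample unmodified, so the result should be handled
    like any other untrusted binary. The handle is closed even when the write
    fails.
    """
    exe_contents = proc.get_macho(exe_address)

    file_name = "task.{0}.{1:#x}.dmp".format(proc.p_pid, exe_address)
    file_path = os.path.join(out_dir, file_name)

    with open(file_path, "wb+") as outfile:
        outfile.write(exe_contents)

    return file_path
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/lsmod_iokit.py0000644000000000000000000001035413131215405024450 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .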
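#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_lsmod_iokit(common.AbstractMacCommand):
    """ Lists loaded kernel modules through IOkit """

    def _struct_or_class(self, type_name):
        """Return the name of a structure or class.

        More recent versions of OSX define some types as
        classes instead of structures, so the naming is
        a little different: when the profile has no type called
        type_name, the name with a "_class" suffix is returned.
        """
        if self.addr_space.profile.vtypes.has_key(type_name):
            return type_name
        else:
            return type_name + "_class"

    def _kext_path(self, kext):
        """Return the kext's path as text.

        A set path pointer is dereferenced first; an unset one is rendered
        through str() as-is, which is what both output methods did inline.
        """
        path = kext.path
        if path:
            path = str(path.dereference())
        return str(path)

    def calculate(self):
        """Yield each valid OSKext referenced by the kernel's sLoadedKexts array.

        A slot is reported only when the dereferenced OSKext is valid and
        its kmod_info.address is valid as well.
        """
        common.set_plugin_members(self)

        saddr = common.get_cpp_sym("sLoadedKexts", self.addr_space.profile)

        # get_cpp_sym returns None when no profile symbol contains the name;
        # report that instead of building a Pointer at offset None
        if saddr == None:
            debug.error("The sLoadedKexts symbol was not found in the profile.")

        p = obj.Object("Pointer", offset = saddr, vm = self.addr_space)

        kOSArr = obj.Object(self._struct_or_class("OSArray"), offset = p, vm = self.addr_space)

        if kOSArr == None:
            debug.error("The OSArray_class type was not found in the profile. Please file a bug if you are running against Mac >= 10.7")

        # NOTE(review): array and capacity are read from the memory image and
        # are not bounded here; a corrupted or tampered OSArray decides how
        # many slots get walked - consider a sanity limit
        kext_arr = obj.Object(theType = "Array", targetType = "Pointer", offset = kOSArr.array, count = kOSArr.capacity, vm = self.addr_space)

        for slot in kext_arr:
            kext = slot.dereference_as(self._struct_or_class("OSKext"))
            if kext and kext.is_valid() and kext.kmod_info.address.is_valid():
                yield kext

    def unified_output(self, data):
        """Return a TreeGrid with one row per kext produced by calculate()."""
        return TreeGrid([("Offset (V)", Address),
                         ("Module Address", Address),
                         ("Size", str),
                         ("Refs", str),
                         ("Version", str),
                         ("Name", str),
                         ("Path", str)
                         ], self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples in the column order of unified_output()."""
        for kext in data:
            yield(0, [
                      Address(kext.kmod_info),
                      Address(kext.kmod_info.address),
                      str(kext.kmod_info.m("size")),
                      str(kext.kmod_info.reference_count),
                      str(kext.version),
                      str(kext.kmod_info.name),
                      self._kext_path(kext)
                      ])

    def render_text(self, outfd, data):
        """Write the kext table to outfd as text."""
        self.table_header(outfd, [("Offset (V)", "[addrpad]"),
                                  ("Module Address", "[addrpad]"),
                                  ("Size", "8"),
                                  ("Refs", "^8"),
                                  ("Version", "12"),
                                  ("Name", "48"),
                                  ("Path", "")])
        for kext in data:
            self.table_row(outfd,
                           kext.kmod_info,
                           kext.kmod_info.address,
                           kext.kmod_info.m("size"),
                           kext.kmod_info.reference_count,
                           kext.version,
                           kext.kmod_info.name,
                           self._kext_path(kext))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/apihooks_kernel.py0000644000000000000000000006432713131215405025321 0ustar rootroot
# Volatility
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.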
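#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

"""
@author:       Cem Gurkok
@license:      GNU General Public License 2.0 or later
@contact:      cemgurkok@gmail.com
@organization:
"""

import volatility.obj as obj
import common
import volatility.commands as commands
import distorm3
import volatility.plugins.mac.check_sysctl as check_sysctl
import volatility.plugins.mac.check_trap_table as check_trap_table
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_apihooks_kernel(common.AbstractMacCommand):
    """ Checks to see if system call and kernel functions are hooked """

    # filtering out false positives due to structs, you can tweak this as needed:
    # a suspicious branch directly followed by one of these is not reported
    _FALSE_POSITIVE_MNEMONICS = ["DB 0xff", "ADD", "XCHG", "OUTS"]

    def __init__(self, config, *args, **kwargs):
        """Register the plugin's two command line switches (-X and -K)."""
        self.addr_space = None
        commands.Command.__init__(self, config, *args, **kwargs)
        self._config.add_option("CHECKKEXTS", short_option = 'X', default = False,
                          cache_invalidator = False,
                          help = "Check all kext functions in the kext's symbol table for hooking, including kernel symbol table",
                          action = "store_true")
        self._config.add_option("CHECKKERNEL", short_option = 'K', default = False,
                          cache_invalidator = False,
                          help = "Check only kernel symbol table functions for hooking",
                          action = "store_true")

    def getKextSymbols(self, kext_obj = None, kext_name = None, kext_addr = 0, onlyFunctions = False, fmodel = '64bit'):
        """Yield (name, value) pairs from a kext's Mach-O symbol table in memory.

        The kext is chosen by kext_name ("kernel"/"__kernel__" or a name from
        the _kmod list), else by kext_obj, else by kext_addr. With
        onlyFunctions set, only symbols whose section is the __TEXT segment's
        __text section are yielded. fmodel picks the 32 or 64 bit structures.
        Nothing is yielded when no kext address could be determined.
        """
        # get symbol table based on https://github.com/gdbinit/hydra/blob/master/hydra/hydra/kernel_info.c (works)
        # and https://github.com/snarez/KernelResolver/blob/master/KernelResolver/KernelResolver.c (http://ho.ax/tag/kexts/, almost works)
        # return only functions if requested, this is done by checking if symbol entry points to the __TEXT segment's __text section, which contains executable code

        mach_header_struct = 'macho64_header'
        segment_command_struct = 'macho64_segment_command'
        section_struct = 'macho64_section'
        nlist_struct = 'macho64_nlist'
        LC_SEGMENT = 0x19 # x64

        if fmodel == '32bit':
            mach_header_struct = 'macho32_header'
            segment_command_struct = 'macho32_segment_command'
            section_struct = 'macho32_section'
            nlist_struct = 'macho32_nlist'
            LC_SEGMENT = 0x1

        profile = self.addr_space.profile

        # if kext_name is given get kext_address based on name
        if kext_name != None:
            if kext_name in ["kernel", "__kernel__"]:
                kext_addr = profile.get_symbol("_g_kernel_kmod_info")
            else:
                # get list of kexts and loop thru them to find match
                # NOTE(review): the list pointers come from the image; a cyclic
                # list would keep this walk running - confirm whether a visited
                # check is wanted
                kmodaddr = obj.Object("Pointer", offset = profile.get_symbol("_kmod"), vm = self.addr_space)
                kmod = kmodaddr.dereference_as("kmod_info")
                while kmod.is_valid():
                    if str(kmod.name) == kext_name:
                        kext_addr = kmod.address
                        break
                    kmod = kmod.next
        elif kext_obj != None:
            # the original read the misspelled attribute "adddress" here
            kext_addr = kext_obj.address

        # the original did a bare "yield" (a None item callers cannot unpack)
        # and then went on to parse a header at the missing address
        if kext_addr == None or kext_addr == 0:
            return

        # get Mach-O header to get start of segments
        mh = obj.Object(mach_header_struct, offset = kext_addr, vm = self.addr_space)
        seg_offset = mh.obj_offset + profile.get_obj_size(mach_header_struct)
        seg_cmd_size = profile.get_obj_size(segment_command_struct)
        sect_size = profile.get_obj_size(section_struct)

        linkedit_vmaddr = 0 # the first struct nlist is here
        symtab_symoff = 0 # specifies the offset in the file to the symbol table
        symtab_stroff = 0 # specifies the offset in the file to the string table
        symbol_cnt = 0
        linkedit_fileoffset = 0
        text_sect_num = 0
        sect_cnt = 0

        for _ in xrange(0, mh.ncmds):
            seg = obj.Object(segment_command_struct, offset = seg_offset, vm = self.addr_space)

            # LC_SEGMENT follows fmodel; the original compared against the
            # 64 bit value 0x19 here, which a 32 bit segment command never has
            if seg.cmd == LC_SEGMENT and seg.segname and str(seg.segname) == "__LINKEDIT":
                linkedit_vmaddr = seg.vmaddr
                linkedit_fileoffset = seg.fileoff
            elif seg.cmd == 0x02: #SYMTAB
                symtab = obj.Object('symtab_command', offset = seg_offset, vm = self.addr_space)
                symtab_symoff = symtab.symoff
                symtab_stroff = symtab.stroff
                symbol_cnt = symtab.nsyms

            # only looking at LC_SEGMENT for sections
            if seg.cmd == LC_SEGMENT:
                in_text_segment = seg.segname and str(seg.segname) == "__TEXT"
                # loop thru segment's sections to locate __TEXT segment's __text section number, used to determine executable code
                for j in xrange(0, seg.nsects):
                    sect_cnt += 1
                    sect = obj.Object(section_struct, offset = seg_offset + seg_cmd_size + (sect_size * j), vm = self.addr_space)
                    sect_name = "".join(map(str, str(sect.sectname))).strip(' \t\r\n\0')
                    # find __TEXT segment's __text section since all executable code is here
                    if in_text_segment and sect_name == "__text":
                        text_sect_num = sect_cnt

            # ncmds and cmdsize are read from the image being analysed; with a
            # zero cmdsize the offset would never advance and the same command
            # would be parsed ncmds times
            if seg.cmdsize == 0:
                break
            seg_offset += seg.cmdsize

        symbol_offset = symtab_symoff - linkedit_fileoffset
        string_offset = symtab_stroff - linkedit_fileoffset
        nlist_size = profile.get_obj_size(nlist_struct)

        # loop thru symbols within __LINKEDIT given offset
        # NOTE(review): the range stops at symbol_cnt - 1, so the last symbol
        # table entry is never visited - kept as found, confirm if intended
        for i in range(0, symbol_cnt-1):
            sym = obj.Object(nlist_struct, offset = linkedit_vmaddr + symbol_offset + (i * nlist_size), vm = self.addr_space)
            sym_addr = sym.n_strx + linkedit_vmaddr + string_offset
            sym_name = obj.Object('String', offset = sym_addr, vm = self.addr_space, length = 256)

            if not sym_name.is_valid():
                continue
            if onlyFunctions and sym.n_sect != text_sect_num:
                continue
            yield (sym_name, sym.n_value)

    def findKextWithAddress(self, addr):
        """Return the name of the kext whose range contains addr, or "UNKNOWN".

        The kernel's own kmod_info is checked first, then every entry of the
        _kmod list. The end of a range (address + size) counts as inside.
        """
        kexts = []
        #get kernel kext
        kp = self.addr_space.profile.get_symbol("_g_kernel_kmod_info")
        kmodk = obj.Object("kmod_info", offset = kp, vm = self.addr_space)
        kexts.append(kmodk)

        # get other kexts
        p = self.addr_space.profile.get_symbol("_kmod")
        kmodaddr = obj.Object("Pointer", offset = p, vm = self.addr_space)
        kmod = kmodaddr.dereference_as("kmod_info")
        while kmod.is_valid():
            kexts.append(kmod)
            kmod = kmod.next

        for kext in kexts:
            if addr >= kext.address and addr <= (kext.address + kext.m('size')):
                return kext.name

        return "UNKNOWN"

    def _read_target(self, model, disp, wide_type):
        """Read the branch target stored at displacement disp.

        A 32 bit model masks disp to 32 bits and reads an "unsigned int";
        any other model reads wide_type at disp unchanged.
        """
        if model == '32bit':
            return obj.Object("unsigned int", offset = disp & 0xFFFFFFFF, vm = self.addr_space)
        return obj.Object(wide_type, offset = disp, vm = self.addr_space)

    def _mnemonic_after(self, ops, n):
        """Return the mnemonic of the instruction after index n, "" if none.

        The original indexed ops[n+1] directly and raised IndexError when the
        scan stopped on the last decoded instruction. Returning "" keeps such
        a hit reported, since "" is not in the false-positive list.
        """
        if n + 1 < len(ops):
            return str(ops[n + 1].mnemonic)
        return ""

    def isCallReferenceModified(self, model, distorm_mode, func_addr, kernel_syms, kmods):
        """Check whether a CALL in the function leaves the known kernel/kext code.

        Disassembles up to 750 bytes at func_addr and stops at the first
        invalid instruction, NOP, or CALL whose target outside_module()
        rejects. Returns (modified, d), d being the last CALL target seen.
        """
        # check if CALL targets are within the kernel/kext range to detect possible call reference modification

        modified = False

        #modified malware/apihooks.py/check_inline function
        data = self.addr_space.read(func_addr, 750)

        # decode once; the original ran the decoder twice over the same bytes
        ops = list(distorm3.Decompose(func_addr, data, distorm_mode))

        # Index of the instruction the scan stopped on
        n = 0
        # Destination address of hooks
        d = None
        # General purpose registers; nothing in this routine fills the dict,
        # so a CALL through a register is never resolved here
        regs = {}

        for op in ops:
            # Quit when a decomposition error is encountered
            # or when reach function end
            if not op.valid or op.mnemonic == "NOP":
                break

            if op.flowControl == 'FC_CALL':
                target = op.operands[0]
                if op.mnemonic == "CALL" and target.type == 'AbsoluteMemoryAddress':
                    # Check for CALL [ADDR]
                    d = self._read_target(model, target.disp, "unsigned long long")
                    if self.outside_module(d, kernel_syms, kmods):
                        break
                elif target.type == 'Immediate':
                    # Check for CALL ADDR
                    d = target.value
                    if self.outside_module(d, kernel_syms, kmods):
                        break
                elif target.type == 'Register':
                    # Check for CALL REG
                    d = regs.get(target.name)
                    if d and self.outside_module(d, kernel_syms, kmods):
                        break
            n += 1

        if (d and self.outside_module(d, kernel_syms, kmods) == True and
                self._mnemonic_after(ops, n) not in self._FALSE_POSITIVE_MNEMONICS):
            modified = True

        return (modified, d)

    def _is_push_of(self, op, names):
        """True when op is a one-operand PUSH of a register listed in names."""
        return (op.mnemonic == "PUSH" and len(op.operands) == 1 and
                op.operands[0].type == "Register" and op.operands[0].name in names)

    def _is_mov_regs(self, op, dst, src):
        """True when op is MOV dst, src with both operands being registers."""
        return (op.mnemonic == "MOV" and len(op.operands) == 2 and
                op.operands[0].type == "Register" and op.operands[1].type == "Register" and
                op.operands[0].name == dst and op.operands[1].name == src)

    def isPrologInlined(self, model, distorm_mode, func_addr):
        """Report whether the first two instructions differ from a known prolog.

        Accepted are PUSH EBP; MOV EBP, ESP (32bit) and, for 64bit, either
        PUSH RBP; MOV RBP, RSP or PUSH RBP followed by a PUSH of RSP, RBX or
        R12-R15. Returns False when fewer than two instructions decode or
        when model is neither "32bit" nor "64bit".
        """
        ##check if function prologs are modified
        content = self.addr_space.read(func_addr, 24)
        ops = list(distorm3.Decompose(func_addr, content, distorm_mode))
        if len(ops) < 2:
            return False

        prev_op, op = ops[0], ops[1]

        if model == "32bit":
            return not (self._is_mov_regs(op, "EBP", "ESP") and self._is_push_of(prev_op, ["EBP"]))

        if model == "64bit":
            if self._is_mov_regs(op, "RBP", "RSP") and self._is_push_of(prev_op, ["RBP"]):
                return False
            # Registers preserved across calls, http://people.freebsd.org/~lstewart/references/amd64.pdf
            if self._is_push_of(prev_op, ["RBP"]) and self._is_push_of(op, ["RSP","RBX","R12","R13","R14","R15"]):
                return False
            return True

        return False

    # NOTES FROM ANDREW
    # This function originally checked for any call outside the kernel module
    # This produces too many false positives so its modified to check if the call
    # is to a known module or a kernel symbol
    def outside_module(self, addr, kernel_syms, kmods):
        """True when common.is_known_address_name() does not recognise addr."""
        (good, _) = common.is_known_address_name(addr, kernel_syms, kmods)
        return not good

    def isInlined(self, model, distorm_mode, func_addr, kernel_syms, kmods):
        """Check the first instructions of a function for an inline hook.

        Looks at up to three instructions decoded from 24 bytes at func_addr
        for a CALL, JMP or PUSH/RET whose destination outside_module()
        rejects, following immediates moved into registers. Returns
        (inlined, d), d being the last destination considered.
        """
        inlined = False

        #modified malware/apihooks.py/check_inline function
        data = self.addr_space.read(func_addr, 24)

        # decode once; the original ran the decoder twice over the same bytes
        ops = list(distorm3.Decompose(func_addr, data, distorm_mode))

        # Number of instructions disassembled so far
        n = 0
        # Destination address of hooks
        d = None
        # Save the last PUSH before a CALL
        push_val = None
        # Save the general purpose registers
        regs = {}

        for op in ops:
            # Quit the loop when we have three instructions or when
            # a decomposition error is encountered, whichever is first.
            if not op.valid or n == 3:
                break

            if op.flowControl == 'FC_CALL':
                # Clear the push value
                push_val = None
                target = op.operands[0]
                if op.mnemonic == "CALL" and target.type == 'AbsoluteMemoryAddress':
                    # Check for CALL [ADDR]; the original passed an undefined
                    # "addr_space" name here and raised NameError
                    d = self._read_target(model, target.disp, "unsigned long long")
                    if self.outside_module(d, kernel_syms, kmods):
                        break
                elif target.type == 'Immediate':
                    # Check for CALL ADDR
                    d = target.value
                    if self.outside_module(d, kernel_syms, kmods):
                        break
                elif target.type == 'Register':
                    # Check for CALL REG
                    d = regs.get(target.name)
                    if d and self.outside_module(d, kernel_syms, kmods):
                        break
            elif op.flowControl == 'FC_UNC_BRANCH' and op.mnemonic == "JMP":
                # Clear the push value
                push_val = None
                if op.size > 2:
                    if op.operands[0].type == 'AbsoluteMemoryAddress':
                        # Check for JMP [ADDR]; same undefined-name fix as above
                        d = self._read_target(model, op.operands[0].disp, "long long")
                        if self.outside_module(d, kernel_syms, kmods):
                            break
                    elif op.operands[0].type == 'Immediate':
                        # Check for JMP ADDR
                        d = op.operands[0].value
                        if self.outside_module(d, kernel_syms, kmods):
                            break
                elif op.size == 2 and op.operands[0].type == 'Register':
                    # Check for JMP REG
                    d = regs.get(op.operands[0].name)
                    if d and self.outside_module(d, kernel_syms, kmods):
                        break
            elif op.flowControl == 'FC_NONE':
                # Check for PUSH followed by a RET
                if (op.mnemonic == "PUSH" and
                        op.operands[0].type == 'Immediate' and op.size == 5):
                    # Set the push value
                    push_val = op.operands[0].value
                # Check for moving immediate values into a register
                if (op.mnemonic == "MOV" and op.operands[0].type == 'Register'
                        and op.operands[1].type == 'Immediate'):
                    # Clear the push value
                    push_val = None
                    # Save the value put into the register
                    regs[op.operands[0].name] = op.operands[1].value
            elif op.flowControl == 'FC_RET':
                if push_val:
                    d = push_val
                    if self.outside_module(d, kernel_syms, kmods):
                        break
                # This causes us to stop disassembling when
                # reaching the end of a function
                break
            n += 1

        if (d and self.outside_module(d, kernel_syms, kmods) == True and
                self._mnemonic_after(ops, n) not in self._FALSE_POSITIVE_MNEMONICS):
            inlined = True

        return (inlined, d)

    def calculate(self):
        """Yield one 8-tuple per suspicious syscall, kext function or trap entry.

        Each tuple is (table name, index, address, hooked, inlined,
        shadowed, perms, kext). Rows that have no table index carry '-'.
        """
        common.set_plugin_members(self)

        (kernel_symbol_addresses, kmod) = common.get_kernel_function_addrs(self)

        model = self.addr_space.profile.metadata.get('memory_model', 0)
        if model == '32bit':
            distorm_mode = distorm3.Decode32Bits
        else:
            distorm_mode = distorm3.Decode64Bits

        sym_addrs = self.profile.get_all_function_addresses()

        # kernel kmod_info, used as the only known module in steps 1 and 3
        kp = self.addr_space.profile.get_symbol("_g_kernel_kmod_info")
        kmodk = obj.Object("kmod_info", offset = kp, vm = self.addr_space)

        ####### STEP 1 - CHECK SYSTEM CALL INLINE HOOKS ############

        # get syscall table
        nsysent = obj.Object("int", offset = self.addr_space.profile.get_symbol("_nsysent"), vm = self.addr_space)
        sysents = obj.Object(theType = "Array", offset = self.addr_space.profile.get_symbol("_sysent"), vm = self.addr_space, count = nsysent, targetType = "sysent")

        # check if syscall table entries have been modified
        dict_syscall_funcs = {}
        list_syscall_names = []
        for (i, sysent) in enumerate(sysents):
            ent_addr = sysent.sy_call.v()
            hooked = ent_addr not in sym_addrs # using check_syscalls method
            inlined, dst_addr = self.isInlined(model, distorm_mode, ent_addr, kernel_symbol_addresses, [kmodk])
            prolog_inlined = self.isPrologInlined(model, distorm_mode, ent_addr)

            if hooked == True or inlined == True or prolog_inlined == True:
                if dst_addr != None:
                    kext = self.findKextWithAddress(dst_addr)
                else:
                    kext = self.findKextWithAddress(ent_addr)
                yield ("SyscallTable1", i, ent_addr, hooked, (inlined or prolog_inlined), False, '-', kext)
                continue

            ent_name = self.profile.get_symbol_by_address_type("kernel", ent_addr, "N_FUN")
            # check for duplicate syscall functions
            if ent_name != "_nosys" and ent_name in dict_syscall_funcs:
                prev_ent = dict_syscall_funcs[ent_name]
                kext = self.findKextWithAddress(ent_addr)
                yield ("SyscallTable", list_syscall_names.index(ent_name), prev_ent.sy_call.v(), False, False, False, '-', kext)
                yield ("DuplicateSyscall -> {0}".format(ent_name), i, ent_addr, True, False, False, '-', kext)
            elif ent_name.find("dtrace") > -1:
                # check for dtrace syscall hooks
                kext = self.findKextWithAddress(ent_addr)
                yield ("SyscallTable", i, ent_addr, False, False, False, '-', kext)
            else:
                # add to list
                list_syscall_names.append(ent_name)
                dict_syscall_funcs[ent_name] = sysent

        ####### STEP 2 - KERNEL & KEXTS ###############

        # get symbols from kext __TEXT in memory rather than file
        kext_addr_list = []

        # get kernel address
        kmod = obj.Object("kmod_info", offset = self.addr_space.profile.get_symbol("_g_kernel_kmod_info"), vm = self.addr_space)
        kext_addr_list.append((kmod.address.v(), kmod.address + kmod.m('size'), '__kernel__'))

        # get other kext addresses
        p = self.addr_space.profile.get_symbol("_kmod")
        kmodaddr = obj.Object("Pointer", offset = p, vm = self.addr_space)
        kmod = kmodaddr.dereference_as("kmod_info")
        while kmod.is_valid():
            kext_addr_list.append((kmod.address.v(), kmod.address + kmod.m('size'), kmod.name))
            kmod = kmod.next

        # loop thru kexts
        for kext_address, kext_end, kext_name in kext_addr_list:
            #loop thru kext functions
            for func_name, func_addr in self.getKextSymbols(kext_addr = kext_address, onlyFunctions = True, fmodel = model):
                # false positive, remove if needed
                if func_name in ["pthreads_dummy_symbol"]:
                    continue

                # check if function's been modified
                modified, dst_addr = self.isCallReferenceModified(model, distorm_mode, func_addr, kernel_symbol_addresses, kext_addr_list)
                if modified:
                    if dst_addr != None:
                        hook_kext = self.findKextWithAddress(dst_addr)
                    else:
                        hook_kext = kext_name
                    yield ("SymbolsTable", '-', func_addr, False, modified, False, '-', hook_kext)

                inlined, dst_addr = self.isInlined(model, distorm_mode, func_addr, kernel_symbol_addresses, kext_addr_list)
                if inlined:
                    if dst_addr != None:
                        hook_kext = self.findKextWithAddress(dst_addr)
                    else:
                        hook_kext = kext_name
                    yield ("SymbolsTable", '-', func_addr, False, inlined, False, '-', hook_kext)

        ########## STEP 3 - TRAP TABLE ###############

        # check if trap table hooked using check_trap_table
        args = ()
        trap = check_trap_table.mac_check_trap_table(self._config, args)
        for (table_addr, table_name, i, call_addr, sym_name, hooked) in trap.calculate():
            if hooked == True or 'dtrace' in sym_name:
                kext = self.findKextWithAddress(call_addr)
                yield ("TrapTable", i, call_addr, hooked, False, False, '-', kext)
                continue

            # The original reported func_addr and kext_name here, which are
            # leftovers of the step 2 loops (or undefined when those loops
            # yielded nothing); the trap entry itself is call_addr at index i
            inlined, dst_addr = self.isInlined(model, distorm_mode, call_addr, kernel_symbol_addresses, [kmodk])
            if inlined:
                if dst_addr != None:
                    hook_kext = self.findKextWithAddress(dst_addr)
                else:
                    hook_kext = self.findKextWithAddress(call_addr)
                yield ("TrapTable", i, call_addr, False, inlined, False, '-', hook_kext)
                continue

            modified, dst_addr = self.isCallReferenceModified(model, distorm_mode, call_addr, kernel_symbol_addresses, [kmodk])
            if modified:
                if dst_addr != None:
                    hook_kext = self.findKextWithAddress(dst_addr)
                else:
                    hook_kext = self.findKextWithAddress(call_addr)
                yield ("TrapTable", i, call_addr, False, modified, False, '-', hook_kext)

    def _yes_no(self, flag):
        """Map False/True to "No"/"Yes" and any other value to "-"."""
        if flag == False:
            return "No"
        elif flag == True:
            return "Yes"
        return "-"

    def _row_labels(self, call_addr, hooked, inlined, syscall_shadowed):
        """Return (symbol, inlined, shadowed) display text for one result row.

        An unhooked entry shows the kernel symbol at call_addr, prefixed with
        "[HOOKED] " when the name contains "dtrace"; a hooked one shows
        "HOOKED"; any other hooked value is passed through unchanged.
        """
        if hooked == False:
            sym_name = self.profile.get_symbol_by_address_type("kernel", call_addr, "N_FUN")
            if sym_name.find("dtrace") > -1:
                sym_name = "[HOOKED] {0}".format(sym_name)
        elif hooked == True:
            sym_name = "HOOKED"
        else:
            sym_name = hooked
        return (sym_name, self._yes_no(inlined), self._yes_no(syscall_shadowed))

    def unified_output(self, data):
        """Return a TreeGrid over the rows produced by calculate()."""
        return TreeGrid([("Table Name", str),
                         ("Index", int),
                         ("Address", Address),
                         ("Symbol", str),
                         ("Inlined", str),
                         ("Shadowed",str),
                         ("Perms", str),
                         ("Hook In", str),
                         ], self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples in the column order of unified_output()."""
        for (table_name, i, call_addr, hooked, inlined, syscall_shadowed, perms, kext) in data:
            sym_name, txt_inlined, txt_shadowed = self._row_labels(call_addr, hooked, inlined, syscall_shadowed)

            # rows without a table index carry '-', which int() rejects;
            # the Index column is typed int, so -1 stands for "no index"
            if i == '-':
                index = -1
            else:
                index = int(i)

            yield(0, [
                str(table_name),
                index,
                Address(call_addr),
                str(sym_name),
                str(txt_inlined),
                str(txt_shadowed),
                str(perms),
                str(kext),
                ])

    def render_text(self, outfd, data):
        """Write the result table to outfd as text."""
        self.table_header(outfd, [("Table Name", "<30"),
                                  ("Index", "<6"),
                                  ("Address", "[addrpad]"),
                                  ("Symbol", "<30"),
                                  ("Inlined", "<5"),
                                  ("Shadowed","<5"),
                                  ("Perms","<6"),
                                  ("Hook In", "")])

        for (table_name, i, call_addr, hooked, inlined, syscall_shadowed, perms, kext) in data:
            sym_name, txt_inlined, txt_shadowed = self._row_labels(call_addr, hooked, inlined, syscall_shadowed)
            self.table_row(outfd, table_name, i, call_addr, sym_name, txt_inlined, txt_shadowed, perms, kext)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/calendar.py0000644000000000000000000001245413131215405023707 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.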
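#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import re
import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.utils as utils
import volatility.plugins.mac.pstasks as pstasks
from volatility.renderers import TreeGrid

class mac_calendar(pstasks.mac_tasks):
    """Gets calendar events from Calendar.app"""

    def calculate(self):
        """Yield (proc, description, event) tuples for calendar events.

        First every available page of the plugin's address space is searched
        for "local_" records containing "ACCEPTED"; those are yielded with
        proc set to None. Then the anonymous read/write mappings of every
        process whose name contains "Calendar" are searched for GUID records;
        those are yielded with the owning process and an empty description.
        """
        common.set_plugin_members(self)

        ##-----------------------------------------------------------
        # Local Calendar Events
        ##-----------------------------------------------------------

        guid_re = re.compile("[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}")
        guid_length = 36
        # (description, location) pairs already reported
        seen = set()

        for page, size in self.addr_space.get_available_pages():
            data = self.addr_space.read(page, size)
            if not data:
                continue
            for offset in utils.iterfind(data, "local_"):
                event = obj.Object("String",
                                   offset = page + offset,
                                   vm = self.addr_space, encoding = "utf8",
                                   length = 512)
                text = str(event)
                if "ACCEPTED" not in text:
                    continue

                # determine where the next field starts
                field_len = len("local_") + guid_length
                next_field = text[field_len:]

                # the next field is either a description or GUID
                match = guid_re.search(next_field)
                if match is None:
                    # Arbitrary memory can hold "local_" and "ACCEPTED" with no
                    # GUID after them; the original raised AttributeError on
                    # the first such hit and ended the whole scan
                    continue

                if match.start() == 0:
                    description = ""
                    last_field = next_field[guid_length:]
                else:
                    description = next_field[:match.start()]
                    last_field = next_field[match.start() + guid_length:]

                location = last_field.split("ACCEPTED")[0]

                key = (description, location)
                if key in seen:
                    continue
                seen.add(key)

                yield None, description, location

        ##-----------------------------------------------------------
        # Shared / Global Calendar Events
        ##-----------------------------------------------------------

        procs = pstasks.mac_tasks.calculate(self)
        guid_re2 = re.compile("\x25\x00\x00\x00[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x00")

        for proc in procs:
            if proc.p_comm.find("Calendar") == -1:
                continue

            space = proc.get_process_address_space()
            # "vma" instead of the original loop name "map", which hid the builtin
            for vma in proc.get_proc_maps():
                # only read/write without filebacks
                if not (vma.get_perms() == "rw-" and not vma.get_path()):
                    continue
                pages = (vma.links.end - vma.links.start) / 4096
                for i in range(pages):
                    start = vma.links.start + i * 4096
                    data = space.zread(start, 4096)
                    for match in guid_re2.finditer(data):
                        # the event text is read 80 bytes past the match start
                        event = obj.Object("String", vm = space, length = 128,
                                           offset = start + match.start() + 40 + 40,
                                           )
                        yield proc, "", event

    def _source_and_type(self, proc):
        """Return the (source, type) display pair for a result's process."""
        if proc == None:
            return ("(Kernel)", "Local")
        return ("{0}({1})".format(proc.p_comm, proc.p_pid), "Other")

    def unified_output(self, data):
        """Return a TreeGrid over the tuples produced by calculate()."""
        return TreeGrid([("Source", str),
                         ("Type", str),
                         ("Description", str),
                         ("Event", str),
                         ],self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples in the column order of unified_output()."""
        for proc, description, event in data:
            source, tp = self._source_and_type(proc)

            yield (0, [
                str(source),
                str(tp),
                str(description),
                str(event),
                ])

    def render_text(self, outfd, data):
        """Write the events to outfd as a text table; an empty description shows as "(None)"."""
        self.table_header(outfd, [("Source", "16"),
                                  ("Type", "8"),
                                  ("Description", "26"),
                                  ("Event", "")])

        for proc, description, event in data:
            source, tp = self._source_and_type(proc)

            self.table_row(outfd, source, tp, description or "(None)", event)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/psaux.py0000644000000000000000000000515713131215405023300 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.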
# # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.plugins.mac.pstasks as pstasks from volatility.renderers import TreeGrid from volatility.renderers.basic import Address class mac_psaux(pstasks.mac_tasks): """ Prints processes with arguments in user land (**argv) """ def unified_output(self, data): return TreeGrid([("Pid", int), ("Name", str), ("Bits", str), ("Stack", Address), ("Length", int), ("Argc", int), ("Arguments", str) ], self.generator(data)) def generator(self, data): for proc in data: yield(0, [ int(proc.p_pid), str(proc.p_comm), str(proc.task.map.pmap.pm_task_map), Address(proc.user_stack), int(proc.p_argslen), int(proc.p_argc), str(proc.get_arguments()), ]) def render_text(self, outfd, data): self.table_header(outfd, [("Pid", "8"), ("Name", "20"), ("Bits", "16"), ("Stack", "#018x"), ("Length", "8"), ("Argc", "8"), ("Arguments", "")]) for proc in data: self.table_row(outfd, proc.p_pid, proc.p_comm, str(proc.task.map.pmap.pm_task_map or '')[9:], proc.user_stack, proc.p_argslen, proc.p_argc, proc.get_arguments()) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/check_syscall_shadow.py0000644000000000000000000001311713131215405026307 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
# # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # # based on the plugin described by Cem Gurkok at: # http://siliconblade.blogspot.co.uk/2013/07/back-to-defense-finding-hooks-in-os-x.html """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import distorm3 import volatility.obj as obj import volatility.plugins.mac.common as common import volatility.debug as debug from volatility.renderers import TreeGrid from volatility.renderers.basic import Address class mac_check_syscall_shadow(common.AbstractMacCommand): """ Looks for shadow system call tables """ # https://github.com/siliconblade/volatility/blob/master/mac/check_hooks.py#L216 def shadowedSyscalls(self, model, distorm_mode, sysents_addr): #looks like these syscall functions end with a call to _thread_exception_return thread_exc_ret_addr = self.addr_space.profile.get_symbol('_thread_exception_return') prev_op = None sysent_funcs = ['_unix_syscall_return', '_unix_syscall64', '_unix_syscall'] for func in sysent_funcs: func_addr = self.addr_space.profile.get_symbol(func) content = self.addr_space.read(func_addr, 1024) for op in distorm3.Decompose(func_addr, content, distorm_mode): if not op.valid: break if op.mnemonic == "CALL" and op.operands[0].value == thread_exc_ret_addr: break if model == "64bit": #callp = &sysent[63] OR &sysent[code] OR callp == sysent if op.mnemonic in ['ADD','CMP'] and op.operands[0].type == 'Register' and op.operands[0].name in ["RSP","RBX","R12","R13","R14","R15"] and 'FLAG_RIP_RELATIVE' in op.flags: #compare actual sysent tbl address to the one in the instruction, calculated per distorm3 INSTRUCTION_GET_RIP_TARGET op_sysent_ptr = 
obj.Object('Pointer', offset = (op.address + op.operands[1].disp + op.size), vm = self.addr_space) if sysents_addr != op_sysent_ptr.v(): print "not same: %x | %x" % (sysents_addr, op_sysent_ptr.v()) yield (op_sysent_ptr.v(), func, op) elif model == "32bit": #LEA EAX, [EAX*8+0x82ef20] if op.mnemonic == 'LEA' and op.operands[0].type == 'Register' and op.operands[0].name in ['EDI','EAX'] and distorm3.Registers[op.operands[1].index] == "EAX" and op.operands[1].scale == 8: if op.operands[1].disp != sysents_addr: shadowtbl_addr = op.operands[1].disp yield (shadowtbl_addr, func, op) break #CMP EAX, 0x82ef20 elif op.mnemonic == 'CMP' and op.operands[0].type == 'Register' and op.operands[0].name in ['EDI','EAX'] and prev_op.mnemonic in ['LEA','MOV'] and self.addr_space.is_valid_address(op.operands[1].value) == True: if op.operands[1].value != sysents_addr: shadowtbl_addr = op.operands[1].value yield (shadowtbl_addr, func, op) #CMP DWORD [EBP-0x20], 0x82ef20 elif op.mnemonic == 'CMP' and op.operands[0].index != None and distorm3.Registers[op.operands[0].index] == "EBP" and op.operands[0].disp == -32 and op.operands[0].type == "Immediate": if op.operands[1].value != sysents_addr: shadowtbl_addr = op.operands[1].value yield (shadowtbl_addr, func, op) prev_op = op def calculate(self): common.set_plugin_members(self) model = self.addr_space.profile.metadata.get('memory_model', 0) if model == '32bit': distorm_mode = distorm3.Decode32Bits else: distorm_mode = distorm3.Decode64Bits for (shadowtbl_addr, func, op) in self.shadowedSyscalls(model, distorm_mode, self.addr_space.profile.get_symbol("_sysent")): yield (shadowtbl_addr, func, op) def unified_output(self, data): return TreeGrid([("Hooked Function", str), ("Hook Address", Address), ("Instruction", str), ], self.generator(data)) def generator(self, data): for (shadowtbl_addr, func, op) in data: yield(0, [ str(func), Address(shadowtbl_addr), str(op), ]) def render_text(self, outfd, data): self.table_header(outfd, [("Hooked 
Function", "30"), ("Hook Address", "[addrpad]"), ("Instruction", "")]) for (shadowtbl_addr, func, op) in data: self.table_row(outfd, func, shadowtbl_addr, op) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/contacts.py0000644000000000000000000000570013131215405023750 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import volatility.obj as obj import volatility.plugins.mac.common as common import volatility.utils as utils import volatility.plugins.mac.pstasks as pstasks from volatility.renderers import TreeGrid class mac_contacts(pstasks.mac_tasks): """Gets contact names from Contacts.app""" def calculate(self): common.set_plugin_members(self) procs = pstasks.mac_tasks.calculate(self) for proc in procs: space = proc.get_process_address_space() for map in proc.get_proc_maps(): # only read/write without filebacks if not (map.get_perms() == "rw-" and not map.get_path()): continue # check the header for sqlite3 signature header = space.zread(map.links.start, 32) if "SQLite format" not in header: continue # get the whole sqlite3 data now data = space.zread(map.links.start, map.links.end - map.links.start) for offset in utils.iterfind(data, ":ABPerson"): person = obj.Object("String", offset = map.links.start + offset, vm = space, encoding = "utf8", length = 256) yield proc, person def unified_output(self, 
data): return TreeGrid([("Contact", str), ], self.generator(data)) def generator(self, data): for (proc, person) in data: # strip the header from the string person = str(person)[len(":ABPerson"):] # take a maximum of eight parts items = " ".join(person.split(" ")[:8]) yield(0, [str(items),]) def render_text(self, outfd, data): for (proc, person) in data: # strip the header from the string person = str(person)[len(":ABPerson"):] # take a maximum of eight parts items = " ".join(person.split(" ")[:8]) outfd.write("{0}\n".format(items)) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/compressed_swap.py0000644000000000000000000002563713131215405025343 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Golden G. 
Richard III @license: GNU General Public License 2.0 @contact: golden@arcanealloy.com @organization: Arcane Alloy, LLC """ import volatility.obj as obj import volatility.debug as debug import volatility.plugins.mac.common as common from struct import pack import WKdm class mac_compressed_swap(common.AbstractMacCommand): """ Prints Mac OS X VM compressor stats and dumps all compressed pages """ def __init__(self, config, *args, **kwargs): common.AbstractMacCommand.__init__(self, config, *args, **kwargs) if config: self._config.add_option('SKIP-WRITING', short_option = 't', help = 'Skip writing decompressed pages, just print stats and test decompression', action = 'store_true', default = False) # defined in osfmk/vm/vm_compressor.h; proper decompression relies on these self.C_SEG_BUFSIZE = (1024 * 256) self.C_SEG_ALLOCSIZE = (self.C_SEG_BUFSIZE + 4096) self.C_SEG_SLOT_ARRAYS = 6 self.C_SEG_SLOT_ARRAY_SIZE = 64 # defined in osfmk/vm/vm_compressor_pager.c; proper slot lookup relies on these self.COMPRESSOR_SLOTS_CHUNK_SIZE = 512 self.COMPRESSOR_SLOTS_PER_CHUNK = 128 # (COMPRESSOR_SLOTS_CHUNK_SIZE / sizeof (compressor_slot_t)), compressor_slot_t is a 32-bit int # WKdm decompression in Python self.wkdm=WKdm.WKdm() # buffer for decompression self.dest = [0] * self.wkdm.PAGE_SIZE_IN_BYTES def calculate(self): common.set_plugin_members(self) com_obj_addr = self.addr_space.profile.get_symbol("_compressor_object_store") if not com_obj_addr: debug.error("The given memory sample does not utilize compressed swap.") # from osfmk/vm/vm_object.h. compressor_object is the high level VM object. compressor_object = obj.Object("vm_object", offset = com_obj_addr, vm = self.addr_space) # from osfmk/vm/vm_compressor.c. c_segments is an array of c_segu objects, which track and store compressed pages. # c_segment_count is current size of c_segments array. 
c_segment_count = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("_c_segment_count"), vm = self.addr_space) c_segments_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("_c_segments"), vm = self.addr_space) c_segments = obj.Object("Array", targetType = "c_segu", count = c_segment_count, offset = c_segments_ptr, vm = self.addr_space) c_segments_available = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("_c_segments_available"), vm = self.addr_space) c_segments_busy = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("_c_segments_busy"), vm = self.addr_space) c_segment_compressed_bytes = obj.Object("long long", offset = self.addr_space.profile.get_symbol("_c_segment_compressed_bytes"), vm = self.addr_space) # This is probably a boring stat. Omit. #c_segments_limit = obj.Object("unsigned int", # offset = self.addr_space.profile.get_symbol("_c_segments_limit"), # vm = self.addr_space) #yield ("c_segments_limit", c_segments_limit, "") # from osfmk/vm/vm_compressor.h compressor_bytes_used = obj.Object("long long", offset = self.addr_space.profile.get_symbol("_compressor_bytes_used"), vm = self.addr_space) yield ("Compressor memory used", compressor_bytes_used, "bytes") # from osfmk/vm/vm_page.h vm_page_active_count = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("_vm_page_active_count"), vm = self.addr_space) vm_page_inactive_count = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("_vm_page_inactive_count"), vm = self.addr_space) vm_page_free_count = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("_vm_page_free_count"), vm = self.addr_space) vm_page_speculative_count = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("_vm_page_speculative_count"), vm = self.addr_space) available_uncompressed = vm_page_active_count + vm_page_inactive_count + vm_page_free_count + vm_page_speculative_count 
yield ("Available uncompressed memory", available_uncompressed, "pages") available_memory = available_uncompressed + compressor_object.resident_page_count yield ("Available memory", available_memory, "pages") yield ("Segments available", c_segments_available, "segments") yield ("Segments busy", c_segments_busy, "segments") yield ("Current segment count", c_segment_count, "segments") for i in range(c_segment_count): if not c_segments[i].c_seg.is_valid(): yield("Segment " + str(i) + " is invalid", "SKIPPING", "") continue if c_segments[i].c_seg.c_ondisk == 1: yield("Segment " + str(i) + " is swapped out", "SKIPPING", "") continue if c_segments[i].c_seg.c_bytes_used < 1 or c_segments[i].c_seg.c_bytes_used > self.C_SEG_ALLOCSIZE: yield("Segment " + str(i) + " size is invalid", "SKIPPING", "") continue yield ("Segment " + str(i), c_segments[i].c_seg.c_bytes_used, "bytes used") yield ("Segment " + str(i), c_segments[i].c_seg.c_bytes_unused, "bytes unused") # walk over the two dimensional slot array (max C_SEG_SLOT_ARRAYS x C_SEG_SLOT_ARRAY SIZE elements) # At least in 10.9, the OS X kernel zeroes an entire c_segment when it's allocated, but doesn't # zero the C_SEG_SLOT_ARRAY_SIZE buffer when a new c_slots row is allocated, which means that # the last valid slot needs to be tracked via the c_nextslot variable. Otherwise, garbage slots # are encountered, which may look valid because of the limited number of bits allocated to fields # in a struct c_slot. 
j1 = 0 j2 = 0 c_nextslot = c_segments[i].c_seg.c_nextslot yield ("Last valid slot", str((c_nextslot-1) / self.C_SEG_SLOT_ARRAY_SIZE) + ", " + str((c_nextslot-1) % self.C_SEG_SLOT_ARRAY_SIZE) , "") while (j1 < self.C_SEG_SLOT_ARRAYS and j1 * self.C_SEG_SLOT_ARRAY_SIZE + j2 < c_nextslot): cslot_array = c_segments[i].c_seg.c_slots[j1] if cslot_array.is_valid(): cslots = obj.Object("Array", offset = cslot_array, targetType = "c_slot", count = self.C_SEG_SLOT_ARRAY_SIZE, vm = self.addr_space) while (j2 < self.C_SEG_SLOT_ARRAY_SIZE and j1 * self.C_SEG_SLOT_ARRAY_SIZE + j2 < c_nextslot): cslot=cslots[j2] (csize, compressed, status) = (4096 / 4, False, "UNCOMPRESSED") if (cslot.c_size == 4095) else (cslot.c_size / 4, True, "COMPRESSED") if csize > 0: yield (" Slot " + str(j1) + ", " + str(j2) + " offset", str(cslot.c_offset * 4), "bytes") yield (" Slot " + str(j1) + ", " + str(j2) + " size", str(csize * 4), "bytes " + status) cslot_data = obj.Object("Array", offset = c_segments[i].c_seg.c_store.c_buffer+cslot.c_offset * 4, targetType = "int", count = csize, vm = self.addr_space) yield (" Processing page at slot "+ str(j1) + ", " + str(j2),"", "") if compressed: # Try to decompress slot and optionally write result to file. # Compressed data is fed to WKdm as an array of 32-bit ints. decompressed = self.wkdm.WKdm_decompress(cslot_data, self.dest) if decompressed > 0: if not self._config.SKIP_WRITING: f = open(str(i)+"-"+str(j1) + "-" + str(j2) + "-decompressed.out", 'wb') for k in range(decompressed): f.write(pack('12} {2}\n".format(k, v1, v2)) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/ip_filters.py0000644000000000000000000000701213131215405024270 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. 
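#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.plugins.mac.lsmod as lsmod
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_ip_filters(lsmod.mac_lsmod):
    """ Reports any hooked IP filters """

    def check_filter(self, context, fname, ptr, kernel_symbol_addresses, kmods):
        """Classify one IP filter callback pointer.

        context is the callback kind ("INPUT", "OUTPUT" or "DETACH"), fname
        the filter name and ptr the callback pointer read from the image.

        Returns None when ptr compares equal to None, otherwise the tuple
        (good, context, fname, ptr). The renderers report a `good` of 0 as
        "UNKNOWN" and anything else as "OK".
        """
        if ptr == None:
            return None

        # change the last parameter to 1 to get messages about which good modules hooks were found in
        verdict = common.is_known_address_name(ptr, kernel_symbol_addresses, kmods)

        # NOTE(review): mac_notifiers unpacks the result of this same helper as
        # (good, module). If a tuple comes back here, `good == 0` in the
        # renderers can never be true and every filter, hooked or not, would be
        # shown as "OK". Keep only the flag so both return shapes work.
        if isinstance(verdict, tuple):
            good = verdict[0]
        else:
            good = verdict

        return (good, context, fname, ptr)

    def calculate(self):
        """Walk the _ipv4_filters and _ipv6_filters lists and yield one
        (good, context, fname, ptr) tuple per callback that is set."""
        common.set_plugin_members(self)

        # get the symbols needed to decide whether a callback lives in known code
        (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)

        list_addrs = [self.addr_space.profile.get_symbol("_ipv4_filters"),
                      self.addr_space.profile.get_symbol("_ipv6_filters")]

        for list_addr in list_addrs:
            plist = obj.Object("ipfilter_list", offset = list_addr, vm = self.addr_space)

            # type 'ipfilter'
            cur = plist.tqh_first

            # The list comes from the memory image being analysed; remember the
            # entries already visited so a corrupted or looping tqe_next chain
            # cannot keep the walk going forever.
            seen = set()

            while cur and cur.v() not in seen:
                seen.add(cur.v())

                ipf = cur.ipf_filter
                name = ipf.name.dereference()

                callbacks = (("INPUT", ipf.ipf_input),
                             ("OUTPUT", ipf.ipf_output),
                             ("DETACH", ipf.ipf_detach))

                for (context, callback) in callbacks:
                    row = self.check_filter(context, name, callback, kernel_symbol_addresses, kmods)

                    # check_filter returns None for an unset callback; passing
                    # that on would break the tuple unpacking in the renderers.
                    if row is not None:
                        yield row

                cur = cur.ipf_link.tqe_next

    def unified_output(self, data):
        """Describe the output columns and hand the rows to the TreeGrid renderer."""
        return TreeGrid([("Context", str),
                         ("Filter", str),
                         ("Pointer", Address),
                         ("Status", str)
                         ], self.generator(data))

    def generator(self, data):
        """Turn the tuples from calculate() into TreeGrid rows."""
        for (good, context, fname, ptr) in data:
            status = "OK"
            if good == 0:
                status = "UNKNOWN"

            yield (0, [
                str(context),
                str(fname),
                Address(ptr),
                str(status),
                ])

    def render_text(self, outfd, data):
        """Write the results as a text table to outfd."""
        self.table_header(outfd, [("Context", "10"),
                                  ("Filter", "16"),
                                  ("Pointer", "[addrpad]"),
                                  ("Status", "")])

        for (good, context, fname, ptr) in data:
            status = "OK"
            if good == 0:
                status = "UNKNOWN"

            self.table_row(outfd, context, fname, ptr, status)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/orphan_threads.py0000644000000000000000000001167613131215405025144 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .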
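#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.pstasks as pstasks
import volatility.plugins.mac.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class mac_orphan_threads(pstasks.mac_tasks):
    """Lists threads that don't map back to known modules/processes"""

    def _thread_rows(self, data):
        """Yield (proc, start, mapping, name, status) for every thread whose
        continuation address is non-zero.

        status is "OK" when the address falls inside the kernel, a known
        module or one of the process's own mappings, and "UNKNOWN" otherwise.
        """
        (kstart, kend, kmods) = common.get_kernel_addrs_start_end(self)

        for proc in data:
            for thread in proc.threads():
                start = thread.continuation

                if start == 0:
                    continue

                (good, mapping) = common.is_in_kernel_or_module(start, kstart, kend, kmods)

                if not good:
                    mapping = "UNKNOWN"
                    for vm_map in proc.get_proc_maps():
                        if vm_map.links.start <= start <= vm_map.links.end:
                            mapping = vm_map.get_path()
                            if mapping == "":
                                mapping = vm_map.get_special_path()

                            good = 1
                            start = vm_map.links.start
                            # Stop at the first containing mapping: start now
                            # holds the mapping base, so testing further
                            # mappings against it could attribute the thread
                            # to the wrong region.
                            break

                if good:
                    status = "OK"
                else:
                    status = "UNKNOWN"

                name = ""
                if thread.uthread:
                    name_buf = self.addr_space.read(thread.uthread.dereference_as("uthread").pth_name, 256)
                    if name_buf:
                        idx = name_buf.find("\x00")
                        if idx != -1:
                            name_buf = name_buf[:idx]

                        # The name is raw bytes from the image under analysis.
                        # Keep printable ASCII only so control or escape
                        # sequences stored there cannot reach the analyst's
                        # terminal or report.
                        name = "".join([c for c in name_buf if 32 <= ord(c) < 127])

                yield (proc, start, mapping, name, status)

    def unified_output(self, data):
        """Describe the output columns and hand the rows to the TreeGrid renderer."""
        common.set_plugin_members(self)

        return TreeGrid([("PID", int),
                         ("Process Name", str),
                         ("Start Address", Address),
                         ("Mapping", str),
                         ("Name", str),
                         ("Status", str),
                         ], self.generator(data))

    def generator(self, data):
        """Turn the per-thread results into TreeGrid rows."""
        for (proc, start, mapping, name, status) in self._thread_rows(data):
            yield(0, [
                int(proc.p_pid),
                str(proc.p_comm),
                Address(start),
                str(mapping),
                str(name),
                str(status),
                ])

    def render_text(self, outfd, data):
        """Write the per-thread results as a text table to outfd."""
        common.set_plugin_members(self)

        self.table_header(outfd, [("PID", "8"),
                                  ("Name", "16"),
                                  ("Start Address", "[addrpad]"),
                                  ("Mapping", "40"),
                                  ("Name", "40"),
                                  ("Status", ""),
                                  ])

        for (proc, start, mapping, name, status) in self._thread_rows(data):
            self.table_row(outfd, proc.p_pid, proc.p_comm, start, mapping, name, status)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/bash.py0000644000000000000000000001432313131215405023050 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .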
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import struct, string import volatility.obj as obj import volatility.debug as debug import volatility.addrspace as addrspace import volatility.plugins.mac.common as mac_common import volatility.plugins.mac.pstasks as mac_tasks from volatility.renderers import TreeGrid bash_vtypes = { 'bash32_hist_entry': [ 0xc, { 'line': [0x0, ['pointer', ['String', dict(length = 1024)]]], 'timestamp': [0x4, ['pointer', ['String', dict(length = 1024)]]], 'data': [0x8, ['pointer', ['void']]], }], 'bash64_hist_entry': [ 24, { 'line': [0, ['pointer', ['String', dict(length = 1024)]]], 'timestamp': [8, ['pointer', ['String', dict(length = 1024)]]], 'data': [16, ['pointer', ['void']]], }], } class _mac_hist_entry(obj.CType): """A class for history entries""" def is_valid(self): line_addr = self.line_ptr() time_addr = self.time_ptr() if (not obj.CType.is_valid(self) or not self.obj_vm.is_valid_address(line_addr) or not self.obj_vm.is_valid_address(time_addr)): return False ts = self.obj_vm.read(time_addr, 256) if not ts: return False idx = ts.find("\x00") if idx != -1: ts = ts[:idx] # At this point in time, the epoc integer size will # never be less than 10 characters, and the stamp is # always preceded by a pound/hash character. if len(ts) < 10 or str(ts)[0] != "#": return False # The final check is to make sure the entire string # is composed of numbers. Try to convert to an int. 
try: int(str(ts)[1:]) except ValueError: return False return True def line(self): line_addr = self.line_ptr() buf = self.obj_vm.read(line_addr, 256) if buf: idx = buf.find("\x00") if idx != -1: buf = buf[:idx] ret = "".join([c for c in buf if c in string.printable]) else: ret = "" return ret @property def time_as_integer(self): # Get the string and remove the leading "#" from the timestamp time_addr = self.time_ptr() ts = self.obj_vm.read(time_addr, 256) ts = ts[1:] idx = ts.find("\x00") if idx != -1: ts = ts[:idx] # Convert the string into an integer (number of seconds) return int(ts) def time_object(self): nsecs = self.time_as_integer # Build a timestamp object from the integer time_val = struct.pack(". # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.common as common import volatility.plugins.mac.list_zones as list_zones import volatility.plugins.mac.netstat as netstat class mac_dead_sockets(netstat.mac_netstat): """ Prints terminated/de-allocated network sockets """ def calculate(self): common.set_plugin_members(self) zones = list_zones.mac_list_zones(self._config).calculate() for zone in zones: name = str(zone.zone_name.dereference()) if name == "socket": sockets = zone.get_free_elements("socket") for socket in sockets: yield socket def render_text(self, outfd, data): self.table_header(outfd, [("Proto", "6"), ("Local IP", "20"), ("Local Port", "6"), ("Remote IP", "20"), ("Remote Port", "6"), ("State", "10")]) for socket in data: family = socket.family if family == 1: upcb = socket.so_pcb.dereference_as("unpcb") path = upcb.unp_addr.sun_path outfd.write("UNIX {0}\n".format(path)) elif family in [2, 30]: proto = socket.protocol state = socket.state ret = socket.get_connection_info() if ret: (lip, lport, rip, rport) = ret else: (lip, lport, rip, rport) = ("", "", "", "") self.table_row(outfd, proto, lip, lport, rip, rport, state) 
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/list_kauth_listeners.py0000644000000000000000000000576713131215405026406 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.utils as utils import volatility.debug as debug import volatility.plugins.mac.common as common import volatility.plugins.mac.list_kauth_scopes as kauth_scopes from volatility.renderers import TreeGrid from volatility.renderers.basic import Address class mac_list_kauth_listeners(kauth_scopes.mac_list_kauth_scopes): """ Lists Kauth Scope listeners """ def unified_output(self, data): common.set_plugin_members(self) return TreeGrid([("Offset", Address), ("Scope", str), ("IData", Address), ("Callback Addr", Address), ("Callback Mod", str), ("Callback Sym", str), ], self.generator(data)) def generator(self, data): kaddr_info = common.get_handler_name_addrs(self) for scope in data: scope_name = scope.ks_identifier for ls in scope.listeners(): cb = ls.kll_callback.v() (module, handler_sym) = common.get_handler_name(kaddr_info, cb) yield(0, [ Address(ls.v()), str(scope_name), Address(ls.kll_idata), Address(cb), str(module), str(handler_sym), ]) def render_text(self, outfd, data): 
common.set_plugin_members(self) self.table_header(outfd, [("Offset", "[addrpad]"), ("Scope", "24"), ("IData", "[addrpad]"), ("Callback Addr", "[addrpad]"), ("Callback Mod", "24"), ("Callback Sym", ""),]) kaddr_info = common.get_handler_name_addrs(self) for scope in data: scope_name = scope.ks_identifier for ls in scope.listeners(): cb = ls.kll_callback.v() (module, handler_sym) = common.get_handler_name(kaddr_info, cb) self.table_row(outfd, ls.v(), scope_name, ls.kll_idata, cb, module, handler_sym) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/notifiers.py0000644000000000000000000001261113131215405024133 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import volatility.obj as obj import volatility.plugins.mac.common as common import volatility.plugins.mac.lsmod as lsmod from volatility.renderers import TreeGrid from volatility.renderers.basic import Address class mac_notifiers(lsmod.mac_lsmod): """ Detects rootkits that add hooks into I/O Kit (e.g. LogKext) """ def _struct_or_class(self, type_name): """Return the name of a structure or class. More recent versions of OSX define some types as classes instead of structures, so the naming is a little different. 
""" if self.addr_space.profile.vtypes.has_key(type_name): return type_name else: return type_name + "_class" def calculate(self): common.set_plugin_members(self) (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self) gnotify_addr = common.get_cpp_sym("gNotifications", self.addr_space.profile) p = obj.Object("Pointer", offset = gnotify_addr, vm = self.addr_space) gnotifications = p.dereference_as(self._struct_or_class("OSDictionary")) ents = obj.Object('Array', offset = gnotifications.dictionary, vm = self.addr_space, targetType = self._struct_or_class("dictEntry"), count = gnotifications.count) # walk the current set of notifications for ent in ents: if ent == None or not ent.is_valid(): continue key = str(ent.key.dereference_as(self._struct_or_class("OSString"))) # get the value valset = ent.value.dereference_as(self._struct_or_class("OSOrderedSet")) notifiers_ptrs = obj.Object('Array', offset = valset.array, vm = self.addr_space, targetType = 'Pointer', count = valset.count) for ptr in notifiers_ptrs: notifier = ptr.dereference_as(self._struct_or_class("_IOServiceNotifier")) if notifier == None: continue matches = self.get_matching(notifier) # this is the function that handles whatever the notification is for # this should be only in the kernel or in one of the known IOKit # drivers for the specific kernel handler = notifier.handler.v() ch = notifier.compatHandler.v() if ch: handler = ch (good, module) = common.is_known_address_name(handler, kernel_symbol_addresses, kmods) yield (good, module, key, notifier, matches, handler) # returns the list of matching notifiers (serviceMatch) for a notifier as a string def get_matching(self, notifier): matches = [] ents = obj.Object('Array', offset = notifier.matching.dictionary, vm = self.addr_space, targetType = self._struct_or_class("dictEntry"), count = notifier.matching.count) for ent in ents: if ent == None: continue match = ent.value.dereference_as(self._struct_or_class("OSString")) 
matches.append(str(match)) return ",".join(matches) def unified_output(self, data): return TreeGrid([("Key", str), ("Matches", str), ("Handler", Address), ("Module", str), ("Status", str), ], self.generator(data)) def generator(self, data): for (good, module, key, _, matches, handler) in data: if good == 0: status = "UNKNOWN" else: status = "OK" yield(0, [ str(key), str(matches), Address(handler), str(module), str(status), ]) def render_text(self, outfd, data): self.table_header(outfd, [("Key", "30"), ("Matches", "40"), ("Handler", "[addrpad]"), ("Module", "40"), ("Status", "")]) for (good, module, key, _, matches, handler) in data: status = "OK" if good == 0: status = "UNKNOWN" self.table_row(outfd, key, matches, handler, module, status) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/mac_yarascan.py0000644000000000000000000001362113131215405024554 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

import volatility.plugins.malware.malfind as malfind
import volatility.plugins.mac.pstasks as pstasks
import volatility.plugins.mac.common as common
import volatility.utils as utils
import volatility.debug as debug
import volatility.obj as obj
import re

# yara is optional at import time; calculate() reports an error when it is missing.
try:
    import yara
    has_yara = True
except ImportError:
    has_yara = False

class MapYaraScanner(malfind.BaseYaraScanner):
    """A scanner over all memory regions of a process."""

    def __init__(self, task = None, **kwargs):
        """Scan the process address space through its memory maps.

        Args:
          task: The process object for this task. It must provide
                get_process_address_space() and get_proc_maps(); the default
                of None is not usable because the address space is taken
                from it unconditionally below.
        """
        self.task = task
        malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)

    def scan(self, offset = 0, maxlen = None, max_size = None):
        """Yield the matches found in each mapping of the task.

        offset and maxlen are accepted but not used in this body. A mapping
        longer than max_size is skipped with a warning, so its contents are
        not scanned at all; raise the limit when full coverage matters.
        """
        for map in self.task.get_proc_maps():
            length = map.links.end - map.links.start
            if max_size and length > max_size:
                debug.warning("Skipping max size entry {0:#x} - {1:#x}".format(map.links.start, map.links.end))
                continue

            for match in malfind.BaseYaraScanner.scan(self, map.links.start, length):
                yield match

class mac_yarascan(malfind.YaraScan):
    """Scan memory for yara signatures"""

    def __init__(self, config, *args, **kwargs):
        """Register the MAX-SIZE option on top of those set up by malfind.YaraScan."""
        malfind.YaraScan.__init__(self, config, *args, **kwargs)
        # upper bound on the size of a single mapping that MapYaraScanner.scan will read
        self._config.add_option('MAX-SIZE', short_option = 'M', default = 0x40000000,
                                action = 'store', type = 'long',
                                help = 'Set the maximum size (default is 1GB)')

    @staticmethod
    def is_valid_profile(profile):
        """Return True when the profile's 'os' metadata is 'mac' (case-insensitive)."""
        return profile.metadata.get('os', 'Unknown').lower() == 'mac'

    def filter_tasks(self):
        """Return the processes to scan.

        With PID set, only the processes whose pid is in the comma-separated
        list; otherwise, with NAME set, only those whose p_comm matches NAME
        as a case-insensitive regular expression; otherwise every process.
        An unparsable PID list, an invalid expression or an empty selection is
        reported through debug.error.
        """
        tasks = pstasks.mac_tasks(self._config).allprocs()

        if self._config.PID is not None:
            try:
                pidlist = [int(p) for p in self._config.PID.split(',')]
            except ValueError:
                debug.error("Invalid PID {0}".format(self._config.PID))

            pids = [t for t in tasks if t.p_pid in pidlist]
            if len(pids) == 0:
                debug.error("Cannot find PID {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.PID))
            return pids

        if self._config.NAME is not None:
            try:
                name_re = re.compile(self._config.NAME, re.I)
            except re.error:
                debug.error("Invalid name {0}".format(self._config.NAME))

            names = [t for t in tasks if name_re.search(str(t.p_comm))]
            if len(names) == 0:
                debug.error("Cannot find name {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.NAME))
            return names

        return tasks

    def calculate(self):
        """Yield (task, address, hit, buf) for every rule match.

        With KERNEL set the kernel address space is scanned and task is None;
        otherwise each selected process except pid 0 is scanned. buf is SIZE
        bytes read with zread starting REVERSE bytes before the match address.
        KERNEL, SIZE and REVERSE are not defined in this file; presumably
        malfind.YaraScan registers them.
        """

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the mac plugin address spaces
        common.set_plugin_members(self)

        if self._config.KERNEL:
            ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
            # NOTE(review): a 32-bit model that is not 64-bit capable starts at 0
            # and the 64-bit capable case at 0xc0000000; confirm against the
            # reference above that this is the intended way round.
            if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
                if not common.is_64bit_capable(self.addr_space):
                    kernel_start = 0
                else:
                    kernel_start = 0xc0000000
            else:
                vm_addr = self.addr_space.profile.get_symbol("_vm_min_kernel_address")
                kernel_start = obj.Object("unsigned long", offset = vm_addr, vm = self.addr_space)

            scanner = malfind.DiscontigYaraScanner(rules = rules,
                                                   address_space = self.addr_space)

            for hit, address in scanner.scan(start_offset = kernel_start):
                yield (None, address, hit,
                        scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
        else:
            # Scan each process memory block
            tasks = self.filter_tasks()
            for task in tasks:
                # skip kernel_task
                if task.p_pid == 0:
                    continue

                scanner = MapYaraScanner(task = task, rules = rules)
                for hit, address in scanner.scan(max_size = self._config.MAX_SIZE):
                    yield (task, address, hit,
                            scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))

    def render_text(self, outfd, data):
        """Write one header line per match followed by a dump of the bytes read around it."""
        for task, address, hit, buf in data:
            if task:
                outfd.write("Task: {0} pid {1} rule {2} addr {3:#x}\n".format(
                    task.p_comm, task.p_pid, hit.rule, address))
            else:
                outfd.write("[kernel] rule {0} addr {1:#x}\n".format(hit.rule, address))

            # The matched bytes are written through utils.Hexdump, which yields
            # three values per row (presumably offset, hex text and characters),
            # rather than as the raw buffer.
            outfd.write("".join(["{0:#018x} {1:<48} {2}\n".format(
                address + o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)]))
volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/dump_files.py0000644000000000000000000000443113131215405024261 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.mac.common as common
import volatility.plugins.mac.list_files as mac_list_files

class mac_dump_file(common.AbstractMacCommand):
    """ Dumps a specified file """

    def __init__(self, config, *args, **kwargs):
        common.AbstractMacCommand.__init__(self, config, *args, **kwargs)

        # Address of the vnode to dump, as reported by mac_list_files.
        self._config.add_option(
            'FILE-OFFSET',
            short_option = 'q',
            default = None,
            help = 'Virtual address of vnode structure from mac_list_files',
            action = 'store',
            type = 'int')

        # Destination path on the analyst's machine.
        self._config.add_option(
            'OUTFILE',
            short_option = 'O',
            default = None,
            help = 'output file path',
            action = 'store',
            type = 'str')

    def calculate(self):
        """Write the selected vnode to the output file and yield a single
        (vnode address, output path, bytes written) tuple."""
        common.set_plugin_members(self)

        out_path = self._config.outfile
        vnode_addr = self._config.FILE_OFFSET

        if not out_path:
            debug.error("You must specify an output file (-O/--outfile)")

        if not vnode_addr:
            debug.error("You must specificy a vnode address (-q/--file-offset) from mac_list_files")

        # NOTE(review): the address is taken as given and the recovered
        # content comes from the memory image, so the written file should be
        # handled as untrusted data. How write_vnode_to_file treats an
        # existing file at out_path is not visible here -- confirm.
        vnode = obj.Object("vnode", offset = vnode_addr, vm = self.addr_space)
        written = common.write_vnode_to_file(vnode, out_path)

        yield vnode_addr, out_path, written

    def render_text(self, outfd, data):
        """Report how many bytes were written for each dumped vnode."""
        summary = "Wrote {0} bytes to {1} from vnode at address {2:x}\n"
        for row in data:
            (vnode_off, outfile, wrote) = row
            outfd.write(summary.format(wrote, outfile, vnode_off))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/bash_hash.py0000644000000000000000000002366713131215405024066 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
# # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import struct import volatility.obj as obj import volatility.debug as debug import volatility.plugins.mac.common as mac_common import volatility.plugins.mac.pslist as mac_pslist from volatility.renderers import TreeGrid mac_bash_hash_vtypes = { 'mac32_pathdata' : [ 8, { 'path' : [0x0, ['pointer', ['String', dict(length = 1024)]]], 'flags': [0x4, ['int']], }], 'mac32_envdata' : [ 8, { 'name' : [0x0, ['pointer', ['String', dict(length = 1024)]]], 'value' : [0x4, ['pointer', ['String', dict(length = 1024)]]], }], 'mac32_bucket_contents' : [ 20, { 'next' : [0x0, ['pointer', ['mac32_bucket_contents']]], 'key' : [0x4, ['pointer', ['String', dict(length = 1024)]]], 'data' : [0x8, ['pointer', ['mac32_pathdata']]], 'times_found' : [16, ['int']], }], 'mac32_bash_hash_table': [ 0xc, { 'bucket_array': [0x0, ['pointer', ['mac32_bucket_contents']]], 'nbuckets': [0x4, ['int']], 'nentries': [0x8, ['int']], }], 'mac64_pathdata' : [ 12, { 'path' : [ 0, ['pointer', ['String', dict(length = 1024)]]], 'flags' : [ 8, ['int']], }], 'mac64_envdata' : [ 16, { 'name' : [0x0, ['pointer', ['String', dict(length = 1024)]]], 'value' : [0x8, ['pointer', ['String', dict(length = 1024)]]], }], 'mac64_bucket_contents' : [ 32, { 'next' : [0, ['pointer', ['mac64_bucket_contents']]], 'key' : [8, ['pointer', ['String', dict(length = 1024)]]], 'data' : [16, ['pointer', ['mac64_pathdata']]], 'times_found' : [28, ['int']], }], 'mac64_bash_hash_table': [ 16, { 'bucket_array': [0, ['pointer', ['mac64_bucket_contents']]], 'nbuckets': [8, ['int']], 
'nentries': [12, ['int']], }], } class bash_funcs(obj.CType): def __init__(self, ptr_size, theType, offset, vm, name = None, **kwargs): self.ptr_size = ptr_size obj.CType.__init__(self, theType, offset, vm, name, **kwargs) @property def path(self): addr = self.m("path").obj_offset addr = self.read_ptr(addr) ret = "" if addr: ret = self.obj_vm.read(addr, 256) if ret: idx = ret.find("\x00") if idx != -1: ret = ret[:idx] return ret def next_bucket(self): addr = self.m("next").obj_offset addr = self.read_ptr(addr) if self.ptr_size == 32: ptype = "mac32_bucket_contents" else: ptype = "mac64_bucket_contents" return obj.Object(ptype, offset = addr, vm = self.obj_vm) @property def key(self): addr = self.m("key").obj_offset addr = self.read_ptr(addr) ret = "" if addr: ret = self.obj_vm.read(addr, 256) if ret: idx = ret.find("\x00") if idx != -1: ret = ret[:idx] else: ret = "" return ret @property def data(self): addr = self.m("data").obj_offset addr = self.read_ptr(addr) if self.ptr_size == 32: ptype = "mac32_pathdata" else: ptype = "mac64_pathdata" return obj.Object(ptype, offset = addr, vm = self.obj_vm) @property def bucket_array(self): addr = self.m("bucket_array").obj_offset return self.read_ptr(addr) def read_ptr_32(self, addr): addr = self.obj_vm.read(addr, 4) addr = struct.unpack("= 0): return False return True def __iter__(self): if self.is_valid(): bucket_array = obj.Object(theType="Array", targetType="Pointer", offset = self.bucket_array, vm = self.nbuckets.obj_vm, count = 64) for bucket_ptr in bucket_array: bucket = bucket_ptr.dereference_as("mac64_bucket_contents") seen = {} while bucket.is_valid() and bucket.v() not in seen: yield bucket seen[bucket.v()] = 1 bucket = bucket.next class mac32_bash_hash_table(bash_funcs): def __init__(self, theType, offset, vm, name = None, **kwargs): bash_funcs.__init__(self, 32, theType, offset, vm, name, **kwargs) def is_valid(self): if (not obj.CType.is_valid(self) or not self.obj_vm.is_valid_address(self.bucket_array) or not 
self.nbuckets == 64 or not self.nentries > 1): return False return True def __iter__(self): if self.is_valid(): bucket_array = obj.Object(theType="Array", targetType="Pointer", offset = self.bucket_array, vm = self.nbuckets.obj_vm, count = 64) for bucket_ptr in bucket_array: bucket = bucket_ptr.dereference_as("mac32_bucket_contents") while bucket.is_valid() and bucket.times_found > 0 and bucket.data.is_valid() and bucket.key != "": yield bucket bucket = bucket.next class mac64_pathdata(bash_funcs): def __init__(self, theType, offset, vm, name = None, **kwargs): bash_funcs.__init__(self, 64, theType, offset, vm, name, **kwargs) class mac32_pathdata(bash_funcs): def __init__(self, theType, offset, vm, name = None, **kwargs): bash_funcs.__init__(self, 32, theType, offset, vm, name, **kwargs) class mac64_bucket_contents(bash_funcs): def __init__(self, theType, offset, vm, name = None, **kwargs): bash_funcs.__init__(self, 64, theType, offset, vm, name, **kwargs) class mac32_bucket_contents(bash_funcs): def __init__(self, theType, offset, vm, name = None, **kwargs): bash_funcs.__init__(self, 32, theType, offset, vm, name, **kwargs) class MacBashHashTypes(obj.ProfileModification): conditions = {"os" : lambda x : x in ["mac"]} def modification(self, profile): profile.vtypes.update(mac_bash_hash_vtypes) profile.object_classes.update({ "mac32_bucket_contents" : mac32_bucket_contents, "mac64_bucket_contents" : mac64_bucket_contents, "mac32_pathdata" : mac32_pathdata, "mac64_pathdata" : mac64_pathdata, "mac32_bash_hash_table" : mac32_bash_hash_table, "mac64_bash_hash_table" : mac64_bash_hash_table, }) class mac_bash_hash(mac_pslist.mac_pslist): """Recover bash hash table from bash process memory""" def __init__(self, config, *args, **kwargs): mac_pslist.mac_pslist.__init__(self, config, *args, **kwargs) self._config.add_option('SCAN_ALL', short_option = 'A', default = False, help = 'scan all processes, not just those named bash', action = 'store_true') def unified_output(self, 
data): return TreeGrid([("Pid", int), ("Name", str), ("Hits", int), ("Command", str), ("Full Path", str), ], self.generator(data)) def generator(self, data): for task in data: # Do we scan everything or just /bin/bash instances? if not (self._config.SCAN_ALL or str(task.p_comm) == "bash"): continue for bucket in task.bash_hash_entries(): yield (0, [ int(task.p_pid), str(task.p_comm), int(bucket.times_found), str(bucket.key), str(bucket.data.path), ]) def render_text(self, outfd, data): self.table_header(outfd, [("Pid", "8"), ("Name", "20"), ("Hits", "6"), ("Command", "25"), ("Full Path", "")]) for task in data: # Do we scan everything or just /bin/bash instances? if not (self._config.SCAN_ALL or str(task.p_comm) == "bash"): continue for bucket in task.bash_hash_entries(): self.table_row(outfd, task.p_pid, task.p_comm, bucket.times_found, str(bucket.key), str(bucket.data.path)) volatility_2.6+git20170711.b3db0cc/volatility/plugins/mac/dead_vnodes.py0000644000000000000000000000323313131215405024404 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#
"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""
import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.plugins.mac.list_zones as list_zones
import volatility.plugins.mac.pslist as pslist

class mac_dead_vnodes(pslist.mac_pslist):
    """ Lists freed vnode structures """

    def calculate(self):
        """Yield every free 'vnode' element of the zone named "vnodes"."""
        common.set_plugin_members(self)

        for zone in list_zones.mac_list_zones(self._config).calculate():
            # Only the vnode zone is of interest; other zones are passed over.
            if str(zone.zone_name.dereference()) != "vnodes":
                continue

            for vnode in zone.get_free_elements("vnode"):
                yield vnode

    def render_text(self, outfd, data):
        """Print the full path of each freed vnode that still has one."""
        # NOTE(review): these structures are freed, so the path is whatever
        # the memory still holds; it is printed as-is -- treat as untrusted.
        for vnode in data:
            path = vnode.full_path()
            if not path:
                continue
            outfd.write("{0:s}\n".format(path))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/netscan.py0000644000000000000000000002505213131215405023027 0ustar rootroot
# Volatility
#
# Authors:
# Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.obj as obj
import volatility.cache as cache
import volatility.debug as debug
import volatility.poolscan as poolscan
import socket
import volatility.plugins.overlays.windows.tcpip_vtypes as tcpip_vtypes
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

# The address-family values stored in memory are Microsoft's, and their
# AF_INET6 (0x17) differs from the one Python's socket module exposes,
# so both constants are defined locally.
AF_INET = 2
AF_INET6 = 0x17

# Printable forms of the IPv4 and IPv6 wildcard addresses
inaddr_any = utils.inet_ntop(socket.AF_INET, '\0' * 4)
inaddr6_any = utils.inet_ntop(socket.AF_INET6, '\0' * 16)

#--------------------------------------------------------------------------------
# pool scanners
#--------------------------------------------------------------------------------

class PoolScanUdpEndpoint(poolscan.PoolScanner):
    """PoolScanner for Udp Endpoints"""

    def __init__(self, address_space):
        poolscan.PoolScanner.__init__(self, address_space)

        # Pool tag searched for, and the structure laid over each hit.
        self.pooltag = "UdpA"
        self.struct_name = "_UDP_ENDPOINT"

        size_check = ('CheckPoolSize', {'condition': lambda x: x >= 0xa8})
        type_check = ('CheckPoolType', {'non_paged': True, 'free': True})
        index_check = ('CheckPoolIndex', {'value': lambda x: x < 5})
        self.checks = [size_check, type_check, index_check]

class PoolScanTcpListener(poolscan.PoolScanner):
    """PoolScanner for Tcp Listeners"""

    def __init__(self, address_space):
        poolscan.PoolScanner.__init__(self, address_space)

        self.pooltag = "TcpL"
        self.struct_name = "_TCP_LISTENER"

        size_check = ('CheckPoolSize', {'condition': lambda x: x >= 0xa8})
        type_check = ('CheckPoolType', {'non_paged': True, 'free': True})
        index_check = ('CheckPoolIndex', {'value': lambda x: x < 5})
        self.checks = [size_check, type_check, index_check]

class PoolScanTcpEndpoint(poolscan.PoolScanner):
    """PoolScanner for TCP Endpoints"""

    def __init__(self, address_space):
        poolscan.PoolScanner.__init__(self, address_space)

        self.pooltag = "TcpE"
        self.struct_name = "_TCP_ENDPOINT"

        # TCP endpoints use a larger minimum pool size than the other two.
        size_check = ('CheckPoolSize', {'condition': lambda x: x >= 0x1f0})
        type_check = ('CheckPoolType', {'non_paged': True, 'free': True})
        index_check = ('CheckPoolIndex', {'value': lambda x: x < 5})
        self.checks = [size_check, type_check, index_check]

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _TCP_LISTENER(obj.CType):
    """Class for objects found in TcpL pools"""

    @property
    def AddressFamily(self):
        family_info = self.InetAF.dereference()
        return family_info.AddressFamily

    @property
    def Owner(self):
        owner_ptr = self.m('Owner')
        return owner_ptr.dereference()

    def dual_stack_sockets(self):
        """Handle Windows dual-stack sockets"""

        # A valid LocalAddr pointer means the socket is bound to one
        # specific address; otherwise it listens on every address of its
        # address family.
        local_addr = self.LocalAddr.dereference()

        # The remote side reported here is always the wildcard address: a
        # connecting client gets its own TCP_ENDPOINT, and that structure
        # is the one holding the remote address.
        # (The comparison is kept as "!= None", as the original wrote it.)
        if local_addr != None:
            inaddr = local_addr.inaddr
            if self.AddressFamily == AF_INET:
                bound = ("v4", inaddr.addr4, inaddr_any)
            else:
                bound = ("v6", inaddr.addr6, inaddr6_any)
            yield bound
            return

        yield "v4", inaddr_any, inaddr_any
        if self.AddressFamily == AF_INET6:
            yield "v6", inaddr6_any, inaddr6_any

    def is_valid(self):
        base_ok = obj.CType.is_valid(self)
        return base_ok and self.AddressFamily in (AF_INET, AF_INET6)

class _TCP_ENDPOINT(_TCP_LISTENER):
    """Class for objects found in TcpE pools"""

    def _ipv4_or_ipv6(self, in_addr):
        """Pick the address member that matches this endpoint's family."""
        return in_addr.addr4 if self.AddressFamily == AF_INET else in_addr.addr6

    @property
    def LocalAddress(self):
        addr_info = self.AddrInfo.dereference()
        inaddr = addr_info.Local.pData.dereference().dereference()
        return self._ipv4_or_ipv6(inaddr)

    @property
    def RemoteAddress(self):
        addr_info = self.AddrInfo.dereference()
        inaddr = addr_info.Remote.dereference()
        return self._ipv4_or_ipv6(inaddr)

    def is_valid(self):
        """Sanity checks applied to a carved endpoint.

        The address family and TCP state must be known values. An endpoint
        without a local address is kept only if its owner exists and has a
        process id between 1 and 65535.
        """
        if not obj.CType.is_valid(self):
            return False

        if self.AddressFamily not in (AF_INET, AF_INET6):
            return False

        if self.State.v() not in tcpip_vtypes.TCP_STATE_ENUM:
            return False

        if self.LocalAddress:
            return True

        owner = self.Owner
        implausible_owner = (not owner or
                             owner.UniqueProcessId == 0 or
                             owner.UniqueProcessId > 65535)
        return not implausible_owner

class _UDP_ENDPOINT(_TCP_LISTENER):
    """Class for objects found in UdpA pools"""

class _LOCAL_ADDRESS(obj.CType):

    @property
    def inaddr(self):
        # pData is dereferenced twice for this structure.
        first_hop = self.pData.dereference()
        return first_hop.dereference()

class _LOCAL_ADDRESS_WIN10_UDP(obj.CType):

    @property
    def inaddr(self):
        # Here pData is dereferenced only once.
        return self.pData.dereference()

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class NetscanObjectClasses(obj.ProfileModification):
    """Network OCs for Vista, 2008, and 7 x86 and x64"""

    before = ['WindowsObjectClasses']

    conditions = dict(os = lambda x: x == 'windows',
                      major = lambda x: x == 6,
                      minor = lambda x: x >= 0)

    def modification(self, profile):
        """Register the object classes defined above with the profile."""
        network_classes = {
            '_TCP_LISTENER': _TCP_LISTENER,
            '_TCP_ENDPOINT': _TCP_ENDPOINT,
            '_LOCAL_ADDRESS': _LOCAL_ADDRESS,
            '_UDP_ENDPOINT': _UDP_ENDPOINT,
            '_LOCAL_ADDRESS_WIN10_UDP': _LOCAL_ADDRESS_WIN10_UDP,
            }
        profile.object_classes.update(network_classes)

#--------------------------------------------------------------------------------
# netscan plugin
#--------------------------------------------------------------------------------

class Netscan(common.AbstractScanCommand):
    """Scan a Vista (or later) image for connections and sockets"""

    scanners = [PoolScanUdpEndpoint, PoolScanTcpListener, PoolScanTcpEndpoint]

    @staticmethod
    def is_valid_profile(profile):
        """Accept Windows profiles with major version 6."""
        meta = profile.metadata
        return (meta.get('os', 'unknown') == 'windows' and
                meta.get('major', 0) == 6)

    def calculate(self):
        """Yield (object, proto, local addr, local port, remote addr,
        remote port, state) for every scanned network object."""
        addr_space = utils.load_as(self._config)

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        for objct in self.scan_results(addr_space):

            # The subclasses are tested before _TCP_LISTENER because both
            # of them derive from it.
            if isinstance(objct, _UDP_ENDPOINT):
                # UDP has no state and no remote end to report.
                for ver, laddr, _ in objct.dual_stack_sockets():
                    yield objct, "UDP" + ver, laddr, objct.Port, "*", "*", ""

            elif isinstance(objct, _TCP_ENDPOINT):
                # NOTE(review): proto is assigned only for the two known
                # address families. For any other value it keeps what an
                # earlier iteration left, or is unbound -- confirm that
                # scan_results only returns objects passing is_valid().
                if objct.AddressFamily == AF_INET:
                    proto = "TCPv4"
                elif objct.AddressFamily == AF_INET6:
                    proto = "TCPv6"

                yield (objct, proto, objct.LocalAddress, objct.LocalPort,
                       objct.RemoteAddress, objct.RemotePort, objct.State)

            elif isinstance(objct, _TCP_LISTENER):
                # Listeners are reported as LISTENING with remote port 0.
                for ver, laddr, raddr in objct.dual_stack_sockets():
                    yield objct, "TCP" + ver, laddr, objct.Port, raddr, 0, "LISTENING"

    def unified_output(self, data):
        columns = [(self.offset_column(), Address),
                   ("Proto", str),
                   ("LocalAddr", str),
                   ("ForeignAddr", str),
                   ("State", str),
                   ("PID", int),
                   ("Owner", str),
                   ("Created", str)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Turn calculate() tuples into TreeGrid rows."""
        for net_object, proto, laddr, lport, raddr, rport, state in data:

            lendpoint = "{0}:{1}".format(laddr, lport)
            rendpoint = "{0}:{1}".format(raddr, rport)

            # -1 and an empty name stand for an owner that was not found.
            process = net_object.Owner
            if process != None:
                pid, owner = int(process.UniqueProcessId), str(process.ImageFileName)
            else:
                pid, owner = -1, ""

            row = [Address(net_object.obj_offset),
                   str(proto),
                   lendpoint,
                   rendpoint,
                   str(state),
                   pid,
                   owner,
                   str(net_object.CreateTime or '')]
            yield (0, row)

    def render_text(self, outfd, data):
        """Write a column heading followed by one line per network object."""
        outfd.write("{0:<18} {1:<8} {2:<30} {3:<20} {4:<16} {5:<8} {6:<14} {7}\n".format(
            self.offset_column(), "Proto", "Local Address", "Foreign Address",
            "State", "Pid", "Owner", "Created"))

        for net_object, proto, laddr, lport, raddr, rport, state in data:

            lendpoint = "{0}:{1}".format(laddr, lport)
            rendpoint = "{0}:{1}".format(raddr, rport)

            process = net_object.Owner
            if process != None:
                pid, owner = int(process.UniqueProcessId), str(process.ImageFileName)
            else:
                pid, owner = -1, ""

            created = str(net_object.CreateTime or '')
            outfd.write("{0:<#18x} {1:<8} {2:<30} {3:<20} {4:<16} {5:<8} {6:<14} {7}\n".format(
                net_object.obj_offset, proto, lendpoint, rendpoint,
                state, pid, owner, created))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/vmwareinfo.py0000644000000000000000000001156713131215405023557 0ustar rootroot
# Volatility
# Copyright (C) 2009-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
import os
import volatility.plugins.crashinfo as crashinfo
import volatility.utils as utils

class VMwareInfo(crashinfo.CrashInfo):
    """Dump VMware VMSS/VMSN information"""

    # Address spaces this plugin works on.
    target_as = ['VMWareAddressSpace', 'VMWareMetaAddressSpace']

    def __init__(self, config, *args, **kwargs):
        crashinfo.CrashInfo.__init__(self, config, *args, **kwargs)
        # Optional directory that receives the snapshot thumbnail.
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          help = 'Directory in which to dump the screenshot (if available)')

    @staticmethod
    def is_valid_profile(profile):
        # Every profile is accepted.
        return True

    def render_text(self, outfd, data):
        """Print the header, the memory runs and every group/tag.

        In verbose mode, tags without a formatted value are hexdumped, and
        the MKSVMX/imageData tag is also written to DUMP_DIR/screenshot.png.
        """

        header = data.get_header()

        ## First some of the version meta-data
        outfd.write("Magic: {0:#x} (Version {1})\n".format(header.Magic, header.Version))
        outfd.write("Group count: {0:#x}\n".format(header.GroupCount))

        ## Now let's print the runs
        self.table_header(outfd, [("File Offset", "#018x"),
                                  ("PhysMem Offset", "#018x"),
                                  ("Size", "#018x")])

        for memory_offset, file_offset, length in data.get_runs():
            self.table_row(outfd, file_offset, memory_offset, length)

        outfd.write("\n")

        ## Go through and print the groups and tags
        self.table_header(outfd, [("DataOffset", "#018x"),
                                  ("DataSize", "#018x"),
                                  ("Name", "50"),
                                  ("Value", "")])

        for group in header.Groups:
            for tag in group.Tags:

                ## The indices should look like [0][1]
                indices = ""
                for i in tag.TagIndices:
                    indices += "[{0}]".format(i)

                ## Attempt to format standard values. Only sizes 1, 2, 4
                ## and 8 are formatted; everything else gets an empty value.
                if tag.DataMemSize == 0:
                    value = ""
                elif tag.DataMemSize == 1:
                    value = "{0}".format(tag.cast_as("unsigned char"))
                elif tag.DataMemSize == 2:
                    value = "{0}".format(tag.cast_as("unsigned short"))
                elif tag.DataMemSize == 4:
                    value = "{0:#x}".format(tag.cast_as("unsigned int"))
                elif tag.DataMemSize == 8:
                    value = "{0:#x}".format(tag.cast_as("unsigned long long"))
                else:
                    value = ""

                self.table_row(outfd,
                               tag.RealDataOffset,
                               tag.DataMemSize,
                               "{0}/{1}{2}".format(group.Name, tag.Name, indices),
                               value)

                ## In verbose mode, when we're *not* dealing with memory segments,
                ## print a hexdump of the data
                if (self._config.VERBOSE and tag.DataMemSize > 0
                        and str(group.Name) != "memory" and value == ""):

                    ## When we read, it must be done via the AS base (FileAddressSpace)
                    addr = tag.RealDataOffset
                    # The local below reuses the name of the 'data' parameter.
                    # Nothing later in the method needs the parameter again.
                    data = tag.obj_vm.read(addr, tag.DataMemSize)

                    outfd.write("".join(["{0:#010x} {1:<48} {2}\n".format(addr + o, h, ''.join(c))
                                        for o, h, c in utils.Hexdump(data)
                                        ]))

                    ## If an output directory was supplied, extract the
                    ## snapshot thumbnail image using the code below.
                    # NOTE(review): this branch is laid out inside the verbose
                    # branch because 'data' only holds the tag's bytes there;
                    # the page has lost its indentation, so confirm against
                    # the upstream file. Read this way, the screenshot is
                    # only written when verbose output is also requested.
                    # NOTE(review): DUMP_DIR is not checked before use, the
                    # file name is fixed so an existing screenshot.png is
                    # overwritten, and the bytes come straight from the
                    # snapshot file -- treat the output as untrusted.
                    if (self._config.DUMP_DIR and
                            str(group.Name) == "MKSVMX" and
                            str(tag.Name) == "imageData"):
                        full_path = os.path.join(self._config.DUMP_DIR, "screenshot.png")
                        with open(full_path, "wb") as fh:
                            fh.write(data)
                            outfd.write("Wrote screenshot to: {0}\n".format(full_path))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/0000755000000000000000000000000013131215405021602 5ustar rootroot
# volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/win32k_core.py0000644000000000000000000010561413131215405024310 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
import volatility.obj as obj
import volatility.plugins.gui.constants as consts
import volatility.plugins.overlays.windows.windows as windows
import volatility.utils as utils
import volatility.addrspace as addrspace
import volatility.conf as conf
import volatility.win32.modules as modules

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _MM_SESSION_SPACE(obj.CType):
    """A class for session spaces"""

    def processes(self):
        """Generator for processes in this session.

        A process is always associated with exactly
        one session.
        """
        for p in self.ProcessList.list_of_type("_EPROCESS", "SessionProcessLinks"):
            # The walk stops at the first invalid entry instead of skipping it.
            if not p.is_valid():
                break
            yield p

    @property
    def Win32KBase(self):
        """Get the base address of the win32k.sys as mapped
        into this session's memory.

        Since win32k.sys is always the first image to be
        mapped, we can just grab the first list entry.

        Update: we no longer use the session image list, because
        it seems to have gone away in Win8/2012."""
        # The module name is compared case-insensitively.
        for mod in modules.lsmod(self.obj_vm):
            if str(mod.BaseDllName or '').lower() == "win32k.sys":
                return mod.DllBase
        # NOTE(review): the other lookups in this class report failure with
        # obj.NoneObject(message); here the message is passed to obj.Object
        # as its first argument, which looks unintended -- confirm. Callers
        # test this value with "if not self.Win32KBase".
        return obj.Object("Cannot find win32k.sys base address")

    def images(self):
        """Generator for images (modules) loaded into
        this session's space"""

        metadata = self.obj_vm.profile.metadata
        version = (metadata.get("major", 0), metadata.get("minor", 0))

        # Nothing is yielded for versions 6.2 and later.
        # NOTE(review): raising StopIteration inside a generator becomes a
        # RuntimeError under PEP 479; relevant if this code is ever run on
        # Python 3.7 or later.
        if version >= (6, 2):
            raise StopIteration
        else:
            for i in self.ImageList.list_of_type("_IMAGE_ENTRY_IN_SESSION", "Link"):
                yield i

    def _section_chunks(self, sec_name):
        """Get the win32k.sys section as an array of
        32-bit unsigned longs.

        @param sec_name: name of the PE section in win32k.sys
        to search for.

        @returns all chunks on a 4-byte boundary.
        """

        dos_header = obj.Object("_IMAGE_DOS_HEADER",
                offset = self.Win32KBase, vm = self.obj_vm)

        if dos_header:
            try:
                nt_header = dos_header.get_nt_header()

                sections = [
                    sec for sec in nt_header.get_sections()
                    if str(sec.Name) == sec_name
                    ]

                # There should be exactly one section
                if sections:
                    desired_section = sections[0]
                    # NOTE(review): VirtualAddress and VirtualSize are read
                    # from the image's PE header and are used for the array
                    # offset and count without a bounds check here.
                    # "/ 4" relies on integer division -- presumably
                    # Python 2, confirm.
                    return obj.Object("Array", targetType = "unsigned long",
                                        offset = desired_section.VirtualAddress + dos_header.obj_offset,
                                        count = desired_section.Misc.VirtualSize / 4,
                                        vm = self.obj_vm)
            except ValueError:
                ## This catches PE header parsing exceptions
                pass

        ## Don't try to read an address that doesn't exist
        if not self.Win32KBase:
            return []

        ## In the rare case when win32k.sys PE header is paged or corrupted
        ## thus preventing us from parsing the sections, use the fallback
        ## mechanism of just reading 5 MB (max size of win32k.sys) from the
        ## base of the kernel module.
        data = self.obj_vm.zread(self.Win32KBase, 0x500000)

        ## Fill a Buffer AS with the zread data and set its base to win32k.sys
        ## so we can still instantiate an Array and have each chunk at the
        ## correct offset in virtual memory.
        buffer_as = addrspace.BufferAddressSpace(conf.ConfObject(),
                                            data = data,
                                            base_offset = self.Win32KBase)

        return obj.Object("Array", targetType = "unsigned long",
                          offset = self.Win32KBase,
                          count = len(data) / 4,
                          vm = buffer_as)

    def find_gahti(self):
        """Find this session's gahti.

        This can potentially be much faster by searching for
        '\0' * sizeof(tagHANDLETYPEINFO) instead
        of moving on a dword aligned boundary through
        the section.
        """

        # Every 4-byte chunk of .rdata is tried as the start of the table.
        for chunk in self._section_chunks(".rdata"):
            if not chunk.is_valid():
                continue

            gahti = obj.Object("gahti", offset = chunk.obj_offset,
                vm = self.obj_vm)

            ## The sanity check here is based on the fact that the first entry
            ## in the gahti is always for TYPE_FREE. The fnDestroy pointer will
            ## be NULL, the alloc tag will be an empty string, and the creation
            ## flags will be zero. We also then check the alloc tag of the first
            ## USER handle type which should be Uswd (TYPE_WINDOW).
            ## Update: fnDestroy is no longer NULL for TYPE_FREE on Win8/2012.
            if (str(gahti.types[0].dwAllocTag) == '' and
                    gahti.types[0].bObjectCreateFlags == 0 and
                    str(gahti.types[1].dwAllocTag) == "Uswd"):
                return gahti

        return obj.NoneObject("Cannot find win32k!_gahti")

    def find_shared_info(self):
        """Find this session's tagSHAREDINFO structure.

        This structure is embedded in win32k's .data section,
        (i.e. not in dynamically allocated memory). Thus we
        iterate over each DWORD-aligned possibility and treat
        it as a tagSHAREDINFO until the sanity checks are met.
        """

        for chunk in self._section_chunks(".data"):
            # If the base of the value is paged
            if not chunk.is_valid():
                continue
            # Treat it as a shared info struct
            shared_info = obj.Object("tagSHAREDINFO",
                offset = chunk.obj_offset, vm = self.obj_vm)
            # Sanity check it. A candidate whose check raises
            # InvalidOffsetError is skipped and the search continues.
            try:
                if shared_info.is_valid():
                    return shared_info
            except obj.InvalidOffsetError:
                pass

        return obj.NoneObject("Cannot find win32k!gSharedInfo")

class tagSHAREDINFO(obj.CType):
    """A class for shared info blocks"""

    def is_valid(self):
        """The sanity checks for tagSHAREDINFO structures"""

        if not obj.CType.is_valid(self):
            return False

        # The kernel's version of tagSHAREDINFO should always have
        # a zeroed-out shared delta member.
        if self.ulSharedDelta != 0:
            return False

        # The pointer to our server information structure must be valid
        if not self.psi.is_valid():
            return False

        # Annoying check, but required for some samples
        # whose psi is a valid pointer, but cbHandleTable
        # cannot be read due to objects that cross page
        # boundaries.
        if self.psi.cbHandleTable == None:
            return False

        # A handle table smaller than 0x1000 bytes is rejected.
        if self.psi.cbHandleTable < 0x1000:
            return False

        # The final check is that the total size in bytes of the handle
        # table is equal to the size of a _HANDLEENTRY multiplied by the
        # number of _HANDLEENTRY structures.
return (self.psi.cbHandleTable / self.obj_vm.profile.get_obj_size("_HANDLEENTRY") == self.psi.cHandleEntries) def handles(self, filters = None): """Carve handles from the shared info block. @param filters: a list of callables that perform checks and return True if the handle should be included in output. """ if filters == None: filters = [] hnds = obj.Object("Array", targetType = "_HANDLEENTRY", offset = self.aheList, vm = self.obj_vm, count = self.psi.cHandleEntries) for i, h in enumerate(hnds): # Sanity check the handle value if the handle Object # has not been freed. if not h.Free: if h.phead.h != (h.wUniq << 16) | (0xFFFF & i): continue b = False # Run the filters and break if any tests fail for filt in filters: if not filt(h): b = True break if not b: yield h class _HANDLEENTRY(obj.CType): """A for USER handle entries""" def reference_object(self): """Reference the object this handle represents. If the object's type is not in our map, we don't know what type of object to instantiate so its filled with obj.NoneObject() instead. 
""" object_map = dict(TYPE_WINDOW = "tagWND", TYPE_HOOK = "tagHOOK", TYPE_CLIPDATA = "tagCLIPDATA", TYPE_WINEVENTHOOK = "tagEVENTHOOK", TYPE_TIMER = "tagTIMER", ) object_type = object_map.get(str(self.bType), None) if not object_type: return obj.NoneObject("Cannot reference object type") return obj.Object(object_type, offset = self.phead, vm = self.obj_vm) @property def Free(self): """Check if the handle has been freed""" return str(self.bType) == "TYPE_FREE" @property def ThreadOwned(self): """Handles of these types are always thread owned""" return str(self.bType) in [ 'TYPE_WINDOW', 'TYPE_SETWINDOWPOS', 'TYPE_HOOK', 'TYPE_DDEACCESS', 'TYPE_DDECONV', 'TYPE_DDEXACT', 'TYPE_WINEVENTHOOK', 'TYPE_INPUTCONTEXT', 'TYPE_HIDDATA', 'TYPE_TOUCH', 'TYPE_GESTURE'] @property def ProcessOwned(self): """Handles of these types are always process owned""" return str(self.bType) in [ 'TYPE_MENU', 'TYPE_CURSOR', 'TYPE_TIMER', 'TYPE_CALLPROC', 'TYPE_ACCELTABLE'] @property def Thread(self): """Return the ETHREAD if its thread owned""" if self.ThreadOwned: return self.pOwner.\ dereference_as("tagTHREADINFO").\ pEThread.dereference() return obj.NoneObject("Cannot find thread") @property def Process(self): """Return the _EPROCESS if its process or thread owned""" if self.ProcessOwned: return self.pOwner.\ dereference_as("tagPROCESSINFO").\ Process.dereference() elif self.ThreadOwned: return self.pOwner.\ dereference_as("tagTHREADINFO").\ ppi.Process.dereference() return obj.NoneObject("Cannot find process") class tagWINDOWSTATION(obj.CType, windows.ExecutiveObjectMixin): """A class for Windowstation objects""" def is_valid(self): return obj.CType.is_valid(self) and self.dwSessionId < 0xFF @property def PhysicalAddress(self): """This is a simple wrapper to always return the object's physical offset regardless of what AS its instantiated in""" if hasattr(self.obj_vm, "vtop"): return self.obj_vm.vtop(self.obj_offset) else: return self.obj_offset @property def LastRegisteredViewer(self): 
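def traverse(self):
    """A generator that yields window station objects.

    Yields this window station first, then follows rpwinstaNext until a
    link fails is_valid(), is NULL, or leads to a window station that was
    already yielded.
    """
    # Offsets already yielded. The links are read from the memory image,
    # so a corrupted or tampered list can point back into itself; without
    # this guard the walk would never terminate. windows() and atoms()
    # in this file guard their walks the same way.
    seen = set([self.obj_offset])

    # Include this object in the results
    yield self

    # Now walk the singly-linked list
    nextwinsta = self.rpwinstaNext.dereference()
    while nextwinsta.is_valid() and nextwinsta.v() != 0:
        if nextwinsta.obj_offset in seen:
            break
        seen.add(nextwinsta.obj_offset)
        yield nextwinsta
        nextwinsta = nextwinsta.rpwinstaNext.dereference()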
def hooks(self):
    """Generator for tagHOOK info.

    Desktop hooks and thread hooks are carved with the same algorithm but
    from different starting points. The algorithm lives here; the starting
    point, an (fsHooks, aphkStart) pair, is obtained from hook_params(),
    which a subclass can override.

    @yields (name, hook) for every hook in the chain of each message type
    whose bit is set in fsHooks.
    """
    fshooks, aphkstart = self.hook_params()

    for pos, (name, value) in enumerate(consts.MESSAGE_TYPES):
        # Convert the WH_* index into its bit position in fsHooks
        mask = 1 << (value + 1)

        # Skip message types whose bit is not set
        if not fshooks & mask:
            continue

        # aphkStart is indexed by position in MESSAGE_TYPES; the entry
        # is the head of that message type's hook chain
        chain_head = aphkstart[pos].dereference()
        for hook in chain_head.traverse():
            yield name, hook
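def traverse(self):
    """Generator for next desktops in the list.

    Yields this desktop first, then follows rpdeskNext until a link fails
    is_valid(), is NULL, or leads to a desktop that was already yielded.
    """
    # Offsets already yielded. rpdeskNext is read from the memory image,
    # so a corrupted or tampered list can loop back on itself; stop at
    # the first repeat instead of walking forever.
    seen = set([self.obj_offset])

    # Include this object in the results
    yield self

    # Now walk the singly-linked list
    nextdesk = self.rpdeskNext.dereference()
    while nextdesk.is_valid() and nextdesk.v() != 0:
        if nextdesk.obj_offset in seen:
            break
        seen.add(nextdesk.obj_offset)
        yield nextdesk
        nextdesk = nextdesk.rpdeskNext.dereference()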
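def _get_flags(self, member, flags):
    """Render a flags value as text.

    @param member: the raw value being decoded.
    @param flags: a dictionary consulted two ways: first as a direct
    lookup keyed by member, then as name -> bitmask pairs.

    @returns flags[member] when member is a key of the dictionary,
    otherwise a comma-joined string of every name whose mask is fully
    set in member.
    """
    # 'in' replaces dict.has_key(), which exists only on Python 2
    if member in flags:
        return flags[member]

    # & binds tighter than ==, so this tests (member & mask) == mask
    return ','.join([name for (name, mask) in flags.items()
                     if member & mask == mask])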
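class tagTHREADINFO(tagDESKTOP):
    """A class for thread information objects"""

    def get_params(self):
        """Parameters for the hooks() function.

        @returns an (fsHooks, aphkStart) tuple read from this thread
        info object itself.
        """
        return (self.fsHooks, self.aphkStart)

    def hook_params(self):
        """Starting point for hooks() when carving thread-local hooks.

        tagDESKTOP.hooks() obtains its starting point by calling
        self.hook_params(). This class used to define only get_params(),
        which hooks() never calls, so the inherited
        tagDESKTOP.hook_params() (which reads DeskInfo) was used for
        threads too and the thread's own hook table was never consulted.
        Overriding the name hooks() actually calls makes it use this
        thread's fsHooks and aphkStart. get_params() is kept for any
        existing caller.
        """
        return self.get_params()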
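def atoms(self):
    """Carve all atoms out of this atom table.

    Each entry of Buckets is dereferenced to the head of a chain that is
    followed through HashLink until a link fails is_valid(), is NULL, or
    repeats an offset already seen in that bucket.

    @yields every atom table entry reached this way.
    """
    # The default hash buckets should be 0x25
    for bkt in self.Buckets:
        # Offsets already yielded from this bucket. A set keeps the
        # loop check constant-time on long chains; it is reset per
        # bucket exactly as the list it replaces was.
        seen = set()

        cur = bkt.dereference()
        while cur.is_valid() and cur.v() != 0:
            # HashLink comes from the memory image, so a damaged chain
            # can point back into itself
            if cur.obj_offset in seen:
                break
            yield cur
            seen.add(cur.obj_offset)
            cur = cur.HashLink.dereference()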
A string atom has ID 0xC000 - 0xFFFF """ return self.Atom >= 0xC000 and self.Atom <= 0xFFFF def is_valid(self): """Perform some sanity checks on the Atom""" if not obj.CType.is_valid(self): return False # There is only one flag (and zero) if self.Flags not in (0, 1): return False # There is a maximum name length enforced return self.NameLength <= 255 #-------------------------------------------------------------------------------- # profile modifications #-------------------------------------------------------------------------------- class Win32KCoreClasses(obj.ProfileModification): """Apply the core object classes""" before = ["WindowsObjectClasses"] conditions = {'os': lambda x: x == 'windows'} def modification(self, profile): profile.object_classes.update({ 'tagWINDOWSTATION': tagWINDOWSTATION, 'tagDESKTOP': tagDESKTOP, '_RTL_ATOM_TABLE': _RTL_ATOM_TABLE, '_RTL_ATOM_TABLE_ENTRY': _RTL_ATOM_TABLE_ENTRY, 'tagTHREADINFO': tagTHREADINFO, 'tagHOOK': tagHOOK, '_LARGE_UNICODE_STRING': windows._UNICODE_STRING, #pylint: disable-msg=W0212 'tagWND': tagWND, '_MM_SESSION_SPACE': _MM_SESSION_SPACE, 'tagSHAREDINFO': tagSHAREDINFO, '_HANDLEENTRY': _HANDLEENTRY, 'tagEVENTHOOK': tagEVENTHOOK, 'tagRECT': tagRECT, 'tagCLIPDATA': tagCLIPDATA, }) class Win32KGahtiVType(obj.ProfileModification): """Apply a vtype for win32k!gahti. 
Adjust the number of handles according to the OS version""" conditions = {'os': lambda x: x == 'windows'} def modification(self, profile): version = (profile.metadata.get('major', 0), profile.metadata.get('minor', 0)) ## Windows 7 and above if version >= (6, 1): num_handles = len(consts.HANDLE_TYPE_ENUM_SEVEN) else: num_handles = len(consts.HANDLE_TYPE_ENUM) profile.vtypes.update({ 'gahti' : [ None, { 'types': [ 0, ['array', num_handles, ['tagHANDLETYPEINFO']]], }]}) class AtomTablex86Overlay(obj.ProfileModification): """Apply the atom table overlays for all x86 Windows""" before = ["WindowsVTypes"] conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '32bit'} def modification(self, profile): # The type we want to use is not the same as the one already defined # see http://code.google.com/p/volatility/issues/detail?id=131 profile.merge_overlay({ '_RTL_ATOM_TABLE': [ None, { 'Signature': [ 0x0, ['unsigned long']], 'NumBuckets': [ 0xC, ['unsigned long']], 'Buckets': [ 0x10, ['array', lambda x : x.NumBuckets, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], }], '_RTL_ATOM_TABLE_ENTRY': [ None, { 'Name': [ None, ['String', dict(encoding = 'utf16', length = lambda x : x.NameLength * 2)]], }]}) class AtomTablex64Overlay(obj.ProfileModification): """Apply the atom table overlays for all x64 Windows""" conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '64bit'} def modification(self, profile): # The type we want to use is not the same as the one already defined # see http://code.google.com/p/volatility/issues/detail?id=131 profile.merge_overlay({ '_RTL_ATOM_TABLE': [ None, { 'Signature': [ 0, ['unsigned long']], 'NumBuckets': [ 0x18, ['unsigned long']], 'Buckets': [ 0x20, ['array', lambda x : x.NumBuckets, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], }], '_RTL_ATOM_TABLE_ENTRY': [ None, { 'Name': [ None, ['String', dict(encoding = 'utf16', length = lambda x : x.NameLength * 2)]], }]}) class 
XP2003x86TimerVType(obj.ProfileModification): """Apply the tagTIMER for XP and 2003 x86""" conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '32bit', 'major': lambda x: x < 6} def modification(self, profile): # http://doxygen.reactos.org/d5/dd0/timer_8h_source.html#l00019 profile.vtypes.update({ 'tagTIMER' : [ None, { 'head' : [ 0x00, ['_HEAD']], 'ListEntry' : [ 0x08, ['_LIST_ENTRY']], 'pti' : [ 0x10, ['pointer', ['tagTHREADINFO']]], 'spwnd' : [ 0x14, ['pointer', ['tagWND']]], 'nID' : [ 0x18, ['unsigned short']], 'cmsCountdown' : [ 0x1C, ['unsigned int']], 'cmsRate' : [ 0x20, ['unsigned int']], 'flags' : [ 0x24, ['Flags', {'bitmap': consts.TIMER_FLAGS}]], 'pfn' : [ 0x28, ['pointer', ['void']]], }]}) class XP2003x64TimerVType(obj.ProfileModification): """Apply the tagTIMER for XP and 2003 x64""" conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '64bit', 'major': lambda x: x < 6} def modification(self, profile): profile.vtypes.update({ # http://doxygen.reactos.org/d5/dd0/timer_8h_source.html#l00019 'tagTIMER' : [ None, { 'head' : [ 0x00, ['_HEAD']], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'spwnd' : [ 0x28, ['pointer', ['tagWND']]], 'pti' : [ 0x20, ['pointer', ['tagTHREADINFO']]], 'nID' : [ 0x30, ['unsigned short']], 'cmsCountdown' : [ 0x38, ['unsigned int']], 'cmsRate' : [ 0x3C, ['unsigned int']], 'flags' : [ 0x40, ['Flags', {'bitmap': consts.TIMER_FLAGS}]], 'pfn' : [ 0x48, ['pointer', ['void']]], }]}) class Win32Kx86VTypes(obj.ProfileModification): """Applies to all x86 windows profiles. These are vtypes not included in win32k.sys PDB. 
""" conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '32bit'} def modification(self, profile): profile.vtypes.update({ 'tagWIN32HEAP': [ None, { 'Heap': [ 0, ['_HEAP']], }], 'tagCLIPDATA' : [ None, { 'cbData' : [ 0x08, ['unsigned int']], 'abData' : [ 0x0C, ['array', lambda x: x.cbData, ['unsigned char']]], }], '_IMAGE_ENTRY_IN_SESSION': [ None, { 'Link': [ 0, ['_LIST_ENTRY']], 'Address': [ 8, ['pointer', ['address']]], 'LastAddress': [ 12, ['pointer', ['address']]], # This is optional and usually supplied as null 'DataTableEntry': [ 24, ['pointer', ['_LDR_DATA_TABLE_ENTRY']]], }], 'tagEVENTHOOK' : [ 0x30, { 'phkNext' : [ 0xC, ['pointer', ['tagEVENTHOOK']]], 'eventMin' : [ 0x10, ['Enumeration', dict(target = 'unsigned long', choices = consts.EVENT_ID_ENUM)]], 'eventMax' : [ 0x14, ['Enumeration', dict(target = 'unsigned long', choices = consts.EVENT_ID_ENUM)]], 'dwFlags' : [ 0x18, ['unsigned long']], 'idProcess' : [ 0x1C, ['unsigned long']], 'idThread' : [ 0x20, ['unsigned long']], 'offPfn' : [ 0x24, ['unsigned long']], 'ihmod' : [ 0x28, ['long']], }], 'tagHANDLETYPEINFO' : [ 12, { 'fnDestroy' : [ 0, ['pointer', ['void']]], 'dwAllocTag' : [ 4, ['String', dict(length = 4)]], 'bObjectCreateFlags' : [ 8, ['Flags', {'target': 'unsigned char', 'bitmap': {'OCF_THREADOWNED': 0, 'OCF_PROCESSOWNED': 1, 'OCF_MARKPROCESS': 2, 'OCF_USEPOOLQUOTA': 3, 'OCF_DESKTOPHEAP': 4, 'OCF_USEPOOLIFNODESKTOP': 5, 'OCF_SHAREDHEAP': 6, 'OCF_VARIABLESIZE': 7}}]], }], }) class Win32Kx64VTypes(obj.ProfileModification): """Applies to all x64 windows profiles. These are vtypes not included in win32k.sys PDB. 
""" conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '64bit'} def modification(self, profile): # Autogen'd vtypes from win32k.sys do not contain these profile.vtypes.update({ 'tagWIN32HEAP': [ None, { 'Heap': [ 0, ['_HEAP']], }], '_IMAGE_ENTRY_IN_SESSION': [ None, { 'Link': [ 0, ['_LIST_ENTRY']], 'Address': [ 0x10, ['pointer', ['void']]], 'LastAddress': [ 0x18, ['pointer', ['address']]], # This is optional and usually supplied as null 'DataTableEntry': [ 0x20, ['pointer', ['_LDR_DATA_TABLE_ENTRY']]], #?? }], 'tagCLIPDATA' : [ None, { 'cbData' : [ 0x10, ['unsigned int']], 'abData' : [ 0x14, ['array', lambda x: x.cbData, ['unsigned char']]], }], 'tagEVENTHOOK' : [ None, { 'phkNext' : [ 0x18, ['pointer', ['tagEVENTHOOK']]], 'eventMin' : [ 0x20, ['Enumeration', dict(target = 'unsigned long', choices = consts.EVENT_ID_ENUM)]], 'eventMax' : [ 0x24, ['Enumeration', dict(target = 'unsigned long', choices = consts.EVENT_ID_ENUM)]], 'dwFlags' : [ 0x28, ['unsigned long']], 'idProcess' : [ 0x2C, ['unsigned long']], 'idThread' : [ 0x30, ['unsigned long']], 'offPfn' : [ 0x40, ['unsigned long long']], 'ihmod' : [ 0x48, ['long']], }], 'tagHANDLETYPEINFO' : [ 16, { 'fnDestroy' : [ 0, ['pointer', ['void']]], 'dwAllocTag' : [ 8, ['String', dict(length = 4)]], 'bObjectCreateFlags' : [ 12, ['Flags', {'target': 'unsigned char', 'bitmap': {'OCF_THREADOWNED': 0, 'OCF_PROCESSOWNED': 1, 'OCF_MARKPROCESS': 2, 'OCF_USEPOOLQUOTA': 3, 'OCF_DESKTOPHEAP': 4, 'OCF_USEPOOLIFNODESKTOP': 5, 'OCF_SHAREDHEAP': 6, 'OCF_VARIABLESIZE': 7}}]], }], }) class XPx86SessionOverlay(obj.ProfileModification): """Apply the ResidentProcessCount overlay for x86 XP session spaces""" ## This just ensures we have an _MM_SESSION_SPACE to overlay before = ["WindowsOverlay"] conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '32bit', 'major': lambda x: x == 5, 'minor': lambda x: x == 1} def modification(self, profile): # This field appears in the auto-generated vtypes 
def session_spaces(self, kernel_space):
    """Generate the unique _MM_SESSION_SPACE objects referenced by
    active processes.

    @param kernel_space: a kernel AS for process enumeration

    @yields one _MM_SESSION_SPACE per session ID, instantiated in the
    address space of the first listed process of that session whose
    process address space could be obtained.
    """
    seen_ids = []

    for proc in tasks.pslist(kernel_space):
        # NOTE(review): the != None comparisons are kept exactly as
        # written; presumably these values can be a framework none-object
        # rather than Python None, so confirm before switching to an
        # identity test.
        is_new = proc.SessionId != None and proc.SessionId.v() not in seen_ids
        if not is_new:
            continue

        ps_ad = proc.get_process_address_space()
        if ps_ad != None:
            # Only mark the session as handled once a usable address
            # space was found, so a later process can still supply one
            seen_ids.append(proc.SessionId.v())
            yield obj.Object("_MM_SESSION_SPACE",
                             offset = proc.Session.v(), vm = ps_ad)
@param space: a kernel AS for process enumeration @param session_id: the session ID to find. @returns _MM_SESSION_SPACE instantiated from the session space native_vm. """ for proc in tasks.pslist(kernel_space): if proc.SessionId == session_id: ps_ad = proc.get_process_address_space() if ps_ad != None: return obj.Object("_MM_SESSION_SPACE", offset = proc.Session.v(), vm = ps_ad) return obj.NoneObject("Cannot locate a session") class Sessions(common.AbstractWindowsCommand, SessionsMixin): """List details on _MM_SESSION_SPACE (user logon sessions)""" def calculate(self): kernel_space = utils.load_as(self._config) # Once for each unique _MM_SESSION_SPACE for session in self.session_spaces(kernel_space): yield session def render_text(self, outfd, data): # Kernel AS for looking up modules kernel_space = utils.load_as(self._config) # Modules sorted for address lookups mods = dict((kernel_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(kernel_space)) mod_addrs = sorted(mods.keys()) for session in data: outfd.write("*" * 50 + "\n") outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format( session.obj_offset, session.SessionId, len(list(session.processes())), )) outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format( session.PagedPoolStart, session.PagedPoolEnd, )) for process in session.processes(): outfd.write(" Process: {0} {1} {2}\n".format( process.UniqueProcessId, process.ImageFileName, process.CreateTime, )) for image in session.images(): module = tasks.find_module(mods, mod_addrs, kernel_space.address_mask(image.Address)) outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format( image.obj_offset, image.Address, str(module and module.BaseDllName or '') )) volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/desktops.py0000644000000000000000000001257413131215405024021 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (C) 2010,2011,2012 Michael Hale Ligh # # This file is part of Volatility. 
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import volatility.plugins.gui.windowstations as windowstations from volatility.renderers import TreeGrid from volatility.renderers.basic import Address, Hex class DeskScan(windowstations.WndScan): """Poolscaner for tagDESKTOP (desktops)""" def unified_output(self, data): return TreeGrid([("Offset", Address), ("Name", str), ("Next", Hex), ("SessionId", int), ("DesktopInfo", Hex), ("fsHooks", int), ("spwnd", Hex), ("Windows", int), ("Heap", Hex), ("Size", Hex), ("Base", Hex), ("Limit", Hex), ("ThreadId", int), ("Process", str), ("PID", int), ("PPID", int) ], self.generator(data)) def generator(self, data): seen = [] for window_station in data: for desktop in window_station.desktops(): offset = desktop.PhysicalAddress if offset in seen: continue seen.append(offset) name = "{0}\\{1}".format(desktop.WindowStation.Name, desktop.Name) for thrd in desktop.threads(): yield (0, [Address(offset), name, Hex(desktop.rpdeskNext.v()), int(desktop.dwSessionId), Hex(desktop.pDeskInfo.v()), int(desktop.DeskInfo.fsHooks), Hex(desktop.DeskInfo.spwnd), int(len(list(desktop.windows(desktop.DeskInfo.spwnd)))), Hex(desktop.pheapDesktop.v()), Hex(desktop.DeskInfo.pvDesktopLimit - desktop.DeskInfo.pvDesktopBase), Hex(desktop.DeskInfo.pvDesktopBase), Hex(desktop.DeskInfo.pvDesktopLimit), int(thrd.pEThread.Cid.UniqueThread), str(thrd.ppi.Process.ImageFileName), int(thrd.ppi.Process.UniqueProcessId), 
int(thrd.ppi.Process.InheritedFromUniqueProcessId)]) def render_text(self, outfd, data): seen = [] for window_station in data: for desktop in window_station.desktops(): offset = desktop.PhysicalAddress if offset in seen: continue seen.append(offset) outfd.write("*" * 50 + "\n") outfd.write("Desktop: {0:#x}, Name: {1}\\{2}, Next: {3:#x}\n".format( offset, desktop.WindowStation.Name, desktop.Name, desktop.rpdeskNext.v(), )) outfd.write("SessionId: {0}, DesktopInfo: {1:#x}, fsHooks: {2}\n".format( desktop.dwSessionId, desktop.pDeskInfo.v(), desktop.DeskInfo.fsHooks, )) outfd.write("spwnd: {0:#x}, Windows: {1}\n".format( desktop.DeskInfo.spwnd, len(list(desktop.windows(desktop.DeskInfo.spwnd))) )) outfd.write("Heap: {0:#x}, Size: {1:#x}, Base: {2:#x}, Limit: {3:#x}\n".format( desktop.pheapDesktop.v(), desktop.DeskInfo.pvDesktopLimit - desktop.DeskInfo.pvDesktopBase, desktop.DeskInfo.pvDesktopBase, desktop.DeskInfo.pvDesktopLimit, )) ## This is disabled until we bring in the heaps plugin #if self._config.VERBOSE: # granularity = desktop.obj_vm.profile.get_obj_size("_HEAP_ENTRY") # for entry in desktop.heaps(): # outfd.write(" Alloc: {0:#x}, Size: {1:#x} Previous: {2:#x}\n".format( # entry.obj_offset + granularity, # entry.Size, entry.PreviousSize, # )) for thrd in desktop.threads(): outfd.write(" {0} ({1} {2} parent {3})\n".format( thrd.pEThread.Cid.UniqueThread, thrd.ppi.Process.ImageFileName, thrd.ppi.Process.UniqueProcessId, thrd.ppi.Process.InheritedFromUniqueProcessId, )) volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/gditimers.py0000644000000000000000000000575313131215405024155 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (C) 2010,2011,2012 Michael Hale Ligh # # This file is part of Volatility. 
@staticmethod
def is_valid_profile(profile):
    """Tell whether this plugin applies to the given profile.

    @param profile: an object whose metadata mapping provides 'os',
    'major' and 'minor' (missing keys default to '', 0 and 0).

    @returns True only for a windows profile whose (major, minor)
    version is below (6, 2).
    """
    meta = profile.metadata

    if meta.get('os', '') != 'windows':
        return False

    os_version = (meta.get('major', 0), meta.get('minor', 0))
    return os_version < (6, 2)
p = handle.Process or timer.pti.ppi.Process process = "{0}:{1}".format(p.ImageFileName, p.UniqueProcessId) self.table_row(outfd, session.SessionId, handle.phead.h, timer.obj_offset, timer.pti.pEThread.Cid.UniqueThread, process, timer.nID, timer.cmsRate, timer.cmsCountdown, timer.pfn) volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/gahti.py0000644000000000000000000000526013131215405023253 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (C) 2010,2011,2012 Michael Hale Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
# from volatility import renderers from volatility.renderers.basic import Address from volatility.renderers.text import TextRenderer import volatility.utils as utils import volatility.debug as debug import volatility.plugins.gui.constants as consts import volatility.plugins.gui.sessions as sessions class Gahti(sessions.Sessions): """Dump the USER handle type information""" def unified_output(self, data): return renderers.TreeGrid( [("Session", str), ("Type", str), ("Tag", str), ("fnDestroy", Address), ("Flags", str), ], self.generator(data)) def generator(self, data): profile = utils.load_as(self._config).profile # Get the OS version being analyzed version = (profile.metadata.get('major', 0), profile.metadata.get('minor', 0)) # Choose which USER handle enum to use if version >= (6, 1): handle_types = consts.HANDLE_TYPE_ENUM_SEVEN else: handle_types = consts.HANDLE_TYPE_ENUM for session in data: gahti = session.find_gahti() if gahti: for i, h in handle_types.items(): yield (0, [str(session.SessionId), str(h), str(gahti.types[i].dwAllocTag), Address(gahti.types[i].fnDestroy), str(gahti.types[i].bObjectCreateFlags)]) def render_text(self, outfd, data): output = self.unified_output(data) if isinstance(output, renderers.TreeGrid): tr = TextRenderer(self.text_cell_renderers, sort_column = self.text_sort_column) tr.render(outfd, output) else: raise TypeError("Unified Output must return a TreeGrid object") volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/clipboard.py0000644000000000000000000001635513131215405024125 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (C) 2010,2011,2012 Michael Hale Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.debug as debug
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.plugins.gui.sessions as sessions
import volatility.plugins.gui.windowstations as windowstations
import volatility.plugins.gui.constants as consts
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address, Hex, Bytes

class Clipboard(common.AbstractWindowsCommand, sessions.SessionsMixin):
    """Extract the contents of the windows clipboard

    NOTE(review): everything reported here is recovered from the analysed
    memory image. Clipboard buffers routinely hold copied secrets
    (passwords, tokens), so plugin output should be handled like the image
    itself.
    """

    def calculate(self):
        """Yield (session, window station, tagCLIP, tagCLIPDATA handle) tuples.

        Two passes: first every clipboard entry reachable from a window
        station's pClipBase array, then every TYPE_CLIPDATA handle that no
        window station referenced. Items that could not be found are
        represented by obj.NoneObject placeholders rather than omitted.
        """
        kernel_space = utils.load_as(self._config)

        # Dictionary of MM_SESSION_SPACEs by ID
        sesses = dict((int(session.SessionId), session)
                      for session in self.session_spaces(kernel_space)
                      )

        # Dictionary of session USER objects by handle
        session_handles = {}

        # If various objects cannot be found or associated,
        # we'll return none objects
        e0 = obj.NoneObject("Unknown tagCLIPDATA")
        e1 = obj.NoneObject("Unknown tagWINDOWSTATION")
        e2 = obj.NoneObject("Unknown tagCLIP")

        # Handle type filter
        filters = [lambda x : str(x.bType) == "TYPE_CLIPDATA"]

        # Load tagCLIPDATA handles from all sessions
        for sid, session in sesses.items():
            handles = {}
            shared_info = session.find_shared_info()
            if not shared_info:
                debug.debug("No shared info for session {0}".format(sid))
                continue
            for handle in shared_info.handles(filters):
                handles[int(handle.phead.h)] = handle
            session_handles[sid] = handles

        # Each WindowStation
        for wndsta in windowstations.WndScan(self._config).calculate():
            session = sesses.get(int(wndsta.dwSessionId), None)
            # The session is unknown
            if not session:
                continue
            handles = session_handles.get(int(session.SessionId), None)
            # No handles in the session
            if not handles:
                continue
            clip_array = wndsta.pClipBase.dereference()
            # The tagCLIP array is empty or the pointer is invalid
            if not clip_array:
                continue
            # Resolve tagCLIPDATA from tagCLIP.hData
            for clip in clip_array:
                handle = handles.get(int(clip.hData), e0)
                # Remove this handle from the list, so the second pass
                # below only sees handles that no tagCLIP pointed at
                if handle:
                    handles.pop(int(clip.hData))
                yield session, wndsta, clip, handle

        # Any remaining tagCLIPDATA not matched. This allows us
        # to still find clipboard data if a window station is not
        # found or if pClipData or cNumClipFormats were corrupt
        for sid in sesses.keys():
            handles = session_handles.get(sid, None)
            # No handles in the session
            if not handles:
                continue
            for handle in handles.values():
                yield sesses[sid], e1, e2, handle

    def unified_output(self, data):
        """Wrap the rows produced by generator() in a six-column TreeGrid."""
        return TreeGrid([("Session", int),
                         ("WindowStation", str),
                         ("Format", str),
                         ("Handle", Hex),
                         ("Object", Address),
                         ("Data", Bytes)],
                        self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per tuple produced by calculate().

        Unlike render_text(), the data column is filled for every format,
        not only text formats: the abData bytes are joined into one string.
        """
        for session, wndsta, clip, handle in data:
            # If no tagCLIP is provided, we do not know the format
            if not clip:
                fmt = obj.NoneObject("Format unknown")
            else:
                # Try to get the format name, but failing that, print
                # the format number in hex instead.
                if clip.fmt.v() in consts.CLIPBOARD_FORMAT_ENUM:
                    fmt = str(clip.fmt)
                else:
                    fmt = hex(clip.fmt.v())

            # Try to get the handle from tagCLIP first, but
            # fall back to using _HANDLEENTRY.phead. Note: this can
            # be a value like DUMMY_TEXT_HANDLE (1) etc.
            if clip:
                handle_value = clip.hData
            else:
                handle_value = handle.phead.h

            clip_data = ""
            if handle:
                try:
                    clip_data = ''.join([chr(c) for c in handle.reference_object().abData])
                except AttributeError:
                    # Deliberate best effort: a referenced object without
                    # abData leaves the data column empty
                    pass

            yield(0, [int(session.SessionId),
                      str(wndsta.Name),
                      str(fmt),
                      Hex(handle_value),
                      Address(handle.phead.v()),
                      Bytes(clip_data) ])

    def render_text(self, outfd, data):
        """Write the clipboard table to outfd.

        The Data column is filled only when the format name contains
        "TEXT"; with --verbose a hex dump of each matched object follows
        its row.
        """
        self.table_header(outfd,
                          [("Session", "10"),
                           ("WindowStation", "12"),
                           ("Format", "18"),
                           ("Handle", "[addr]"),
                           ("Object", "[addrpad]"),
                           ("Data", "50"),
                           ])

        for session, wndsta, clip, handle in data:
            # If no tagCLIP is provided, we do not know the format
            if not clip:
                fmt = obj.NoneObject("Format unknown")
            else:
                # Try to get the format name, but failing that, print
                # the format number in hex instead.
                if clip.fmt.v() in consts.CLIPBOARD_FORMAT_ENUM:
                    fmt = str(clip.fmt)
                else:
                    fmt = hex(clip.fmt.v())

            # Try to get the handle from tagCLIP first, but
            # fall back to using _HANDLEENTRY.phead. Note: this can
            # be a value like DUMMY_TEXT_HANDLE (1) etc.
            if clip:
                handle_value = clip.hData
            else:
                handle_value = handle.phead.h

            clip_data = ""
            # NOTE(review): when no tagCLIP was found fmt is a NoneObject;
            # confirm that the "in" test below is well defined for it
            if handle and "TEXT" in fmt:
                clip_data = handle.reference_object().as_string(fmt)

            self.table_row(outfd,
                           session.SessionId,
                           wndsta.Name,
                           fmt,
                           handle_value,
                           handle.phead.v(),
                           clip_data)

            # Print an additional hexdump if --verbose is specified
            if self._config.VERBOSE and handle:
                hex_dump = handle.reference_object().as_hex()
                outfd.write("{0}".format(hex_dump))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/windows.py0000644000000000000000000001137613131215405023656 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
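#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.common as common
import volatility.plugins.gui.messagehooks as messagehooks

class WinTree(messagehooks.MessageHooks):
    """Print Z-Order Desktop Windows Tree"""

    def render_text(self, outfd, data):
        """Write one indented line per window, grouped by desktop.

        `data` yields (window station, atom tables) pairs. Window titles and
        process names are written exactly as recovered from the image.
        """
        for winsta, atom_tables in data:
            for desktop in winsta.desktops():
                outfd.write("*" * 50 + "\n")
                outfd.write("Window context: {0}\\{1}\\{2}\n\n".format(
                    winsta.dwSessionId, winsta.Name, desktop.Name))
                for wnd, level in desktop.windows(desktop.DeskInfo.spwnd):
                    # Untitled windows are shown by handle value instead
                    title = str(wnd.strName or '') or "#{0:x}".format(wnd.head.h)
                    outfd.write("{0}{1} {2} {3}:{4} {5}\n".format(
                        "." * level,
                        title,
                        "(visible)" if wnd.Visible else "",
                        wnd.Process.ImageFileName,
                        wnd.Process.UniqueProcessId,
                        self.translate_atom(winsta, atom_tables, wnd.ClassAtom),
                        ))

class Windows(messagehooks.MessageHooks):
    """Print Desktop Windows (verbose details)"""

    def __init__(self, config, *args, **kwargs):
        """Register the --pid option on top of the base command options."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        # Filter specific processes
        config.add_option('PID', short_option='p', default=None,
                          help='Operate on these Process IDs (comma-separated)',
                          action='store', type='str')

    def render_text(self, outfd, data):
        """Write a verbose record for every window, optionally PID-filtered.

        `data` yields (window station, atom tables) pairs. Raises ValueError
        if --pid contains an entry that is not an integer.
        """
        if self._config.PID:
            wanted_pids = [int(pid) for pid in self._config.PID.split(',')]
        else:
            wanted_pids = None

        for winsta, atom_tables in data:
            for desktop in winsta.desktops():
                outfd.write("*" * 50 + "\n")
                outfd.write("Window context: {0}\\{1}\\{2}\n\n".format(
                    winsta.dwSessionId, winsta.Name, desktop.Name))

                for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
                    # Is this a process we want?
                    if wanted_pids and not wnd.Process.UniqueProcessId in wanted_pids:
                        continue

                    outfd.write("Window Handle: #{0:x} at {1:#x}, Name: {2}\n".format(
                        wnd.head.h, wnd.obj_offset, str(wnd.strName or '')
                        ))
                    outfd.write("ClassAtom: {0:#x}, Class: {1}\n".format(
                        wnd.ClassAtom,
                        self.translate_atom(winsta, atom_tables, wnd.ClassAtom),
                        ))
                    outfd.write("SuperClassAtom: {0:#x}, SuperClass: {1}\n".format(
                        wnd.SuperClassAtom,
                        self.translate_atom(winsta, atom_tables, wnd.SuperClassAtom),
                        ))
                    outfd.write("pti: {0:#x}, Tid: {1} at {2:#x}\n".format(
                        wnd.head.pti.v(),
                        wnd.Thread.Cid.UniqueThread,
                        wnd.Thread.obj_offset,
                        ))
                    outfd.write("ppi: {0:#x}, Process: {1}, Pid: {2}\n".format(
                        wnd.head.pti.ppi.v(),
                        wnd.Process.ImageFileName,
                        wnd.Process.UniqueProcessId,
                        ))
                    outfd.write("Visible: {0}\n".format("Yes" if wnd.Visible else "No"))
                    # Argument order follows the labels: the previous order
                    # (left, top, right, bottom) printed the right edge under
                    # "Bottom" and the bottom edge under "Right".
                    outfd.write("Left: {0}, Top: {1}, Bottom: {2}, Right: {3}\n".format(
                        wnd.rcClient.left,
                        wnd.rcClient.top,
                        wnd.rcClient.bottom,
                        wnd.rcClient.right
                        ))
                    outfd.write("Style Flags: {0}\n".format(wnd.style))
                    outfd.write("ExStyle Flags: {0}\n".format(wnd.ExStyle))
                    outfd.write("Window procedure: {0:#x}\n".format(
                        wnd.lpfnWndProc,
                        ))
                    outfd.write("\n")

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/constants.py0000644000000000000000000002041013131215405024165 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
# Copyright (C) 2009 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.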
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import copy

# Windows assigns several atom IDs by default, but doesn't include
# them in the local or global atom tables. Thus when we perform a
# lookup, we don't want to exclude these default atoms, so we create
# a fake atom structure and assign the values as needed. The search
# algorithm will then check the default atoms before moving onto the
# atoms found in local/global tables.
class FakeAtom(object):
    # Stand-in exposing only the Name attribute of an atom entry
    def __init__(self, name):
        self.Name = name

# Default atoms keyed by atom ID
DEFAULT_ATOMS = {
    0x8000: FakeAtom("PopupMenu (Default)"),
    0x8001: FakeAtom("Desktop (Default)"),
    0x8002: FakeAtom("Dialog (Default)"),
    0x8003: FakeAtom("WinSwitch (Default)"),
    0x8004: FakeAtom("IconTitle (Default)"),
    0x8006: FakeAtom("ToolTip (Default)"),
}

# Window style names mapped to mask values. Some names share a value
# (WS_GROUP / WS_MINIMIZEBOX and WS_TABSTOP / WS_MAXIMIZEBOX), so a
# reverse lookup by value is ambiguous.
WINDOW_STYLES = dict(
    WS_OVERLAPPED = 0x00000000L,
    WS_POPUP = 0x80000000L,
    WS_CHILD = 0x40000000L,
    WS_MINIMIZE = 0x20000000L,
    WS_VISIBLE = 0x10000000L,
    WS_DISABLED = 0x08000000L,
    WS_CLIPSIBLINGS = 0x04000000L,
    WS_CLIPCHILDREN = 0x02000000L,
    WS_MAXIMIZE = 0x01000000L,
    WS_CAPTION = 0x00C00000L,
    WS_BORDER = 0x00800000L,
    WS_DLGFRAME = 0x00400000L,
    WS_VSCROLL = 0x00200000L,
    WS_HSCROLL = 0x00100000L,
    WS_SYSMENU = 0x00080000L,
    WS_THICKFRAME = 0x00040000L,
    WS_GROUP = 0x00020000L,
    WS_TABSTOP = 0x00010000L,
    WS_MINIMIZEBOX = 0x00020000L,
    WS_MAXIMIZEBOX = 0x00010000L,
)

# Extended window style names mapped to mask values. Several "default"
# names (WS_EX_LEFT, WS_EX_LTRREADING, WS_EX_RIGHTSCROLLBAR) are zero.
WINDOW_STYLES_EX = dict(
    WS_EX_DLGMODALFRAME = 0x00000001L,
    WS_EX_NOPARENTNOTIFY = 0x00000004L,
    WS_EX_TOPMOST = 0x00000008L,
    WS_EX_ACCEPTFILES = 0x00000010L,
    WS_EX_TRANSPARENT = 0x00000020L,
    WS_EX_MDICHILD = 0x00000040L,
    WS_EX_TOOLWINDOW = 0x00000080L,
    WS_EX_WINDOWEDGE = 0x00000100L,
    WS_EX_CLIENTEDGE = 0x00000200L,
    WS_EX_CONTEXTHELP = 0x00000400L,
    WS_EX_RIGHT = 0x00001000L,
    WS_EX_LEFT = 0x00000000L,
    WS_EX_RTLREADING = 0x00002000L,
    WS_EX_LTRREADING = 0x00000000L,
    WS_EX_LEFTSCROLLBAR = 0x00004000L,
    WS_EX_RIGHTSCROLLBAR = 0x00000000L,
    WS_EX_CONTROLPARENT = 0x00010000L,
    WS_EX_STATICEDGE = 0x00020000L,
    WS_EX_APPWINDOW = 0x00040000L,
)

# These are message types in the order that they appear in the aphkStart array.
MESSAGE_TYPES = [
    ('WH_MSGFILTER', -1),
    ('WH_JOURNALRECORD', 0),
    ('WH_JOURNALPLAYBACK', 1),
    ('WH_KEYBOARD', 2),
    ('WH_GETMESSAGE', 3),
    ('WH_CALLWNDPROC', 4),
    ('WH_CBT', 5),
    ('WH_SYSMSGFILTER', 6),
    ('WH_MOUSE', 7),
    ('WH_HARDWARE', 8),
    ('WH_DEBUG', 9),
    ('WH_SHELL', 10),
    ('WH_FOREGROUNDIDLE', 11),
    ('WH_CALLWNDPROCRET', 12),
    ('WH_KEYBOARD_LL', 13),
    ('WH_MOUSE_LL', 14),
]

# See http://forum.sysinternals.com/enumerate-windows-hooks_topic23877_post124845.html
# The values are bit positions; the matching mask is in the trailing comment.
HOOK_FLAGS = dict(
    HF_GLOBAL = 0, #0x0001, # Global hooks (for all threads on desktop)
    HF_ANSI = 1, #0x0002, # Uses Ansi strings instead of Unicode
    HF_HUNG = 3, #0x0008, # The hook procedure is hung
    HF_HOOKFAULTED = 4, #0x0010, # The hook procedure caused some fault
    HF_WX86KNOWNDLL = 6, #0x0040, # Hook Module is x86 machine type
    HF_DESTROYED = 7, #0x0080, # The object is destroyed (set by FreeHook)
    HF_INCHECKWHF = 8, #0x0100, # The fsHooks is currently being updated
    HF_FREED = 9, #0x0200, # The object is freed
)

# dwflags parameter to SetWinEventHook
EVENT_FLAGS = {
    #0x0000 : 'WINEVENT_OUTOFCONTEXT',
    0x0001 : 'WINEVENT_SKIPOWNTHREAD',
    0x0002 : 'WINEVENT_SKIPOWNPROCESS',
    0x0004 : 'WINEVENT_INCONTEXT',
}

# The eventMin and eventMax parameters to SetWinEventHook.
# Key 0x0001 is taken by EVENT_MIN, so EVENT_SYSTEM_SOUND (same value)
# is left commented out.
EVENT_ID_ENUM = {
    0x00000001: 'EVENT_MIN',
    0x7FFFFFFF: 'EVENT_MAX',
    #0x0001: 'EVENT_SYSTEM_SOUND',
    0x0002: 'EVENT_SYSTEM_ALERT',
    0x0003: 'EVENT_SYSTEM_FOREGROUND',
    0x0004: 'EVENT_SYSTEM_MENUSTART',
    0x0005: 'EVENT_SYSTEM_MENUEND',
    0x0006: 'EVENT_SYSTEM_MENUPOPUPSTART',
    0x0007: 'EVENT_SYSTEM_MENUPOPUPEND',
    0x0008: 'EVENT_SYSTEM_CAPTURESTART',
    0x0009: 'EVENT_SYSTEM_CAPTUREEND',
    0x000A: 'EVENT_SYSTEM_MOVESIZESTART',
    0x000B: 'EVENT_SYSTEM_MOVESIZEEND',
    0x000C: 'EVENT_SYSTEM_CONTEXTHELPSTART',
    0x000D: 'EVENT_SYSTEM_CONTEXTHELPEND',
    0x000E: 'EVENT_SYSTEM_DRAGDROPSTART',
    0x000F: 'EVENT_SYSTEM_DRAGDROPEND',
    0x0010: 'EVENT_SYSTEM_DIALOGSTART',
    0x0011: 'EVENT_SYSTEM_DIALOGEND',
    0x0012: 'EVENT_SYSTEM_SCROLLINGSTART',
    0x0013: 'EVENT_SYSTEM_SCROLLINGEND',
    0x0014: 'EVENT_SYSTEM_SWITCHSTART',
    0x0015: 'EVENT_SYSTEM_SWITCHEND',
    0x0016: 'EVENT_SYSTEM_MINIMIZESTART',
    0x0017: 'EVENT_SYSTEM_MINIMIZEEND',
    0x0020: 'EVENT_SYSTEM_DESKTOPSWITCH',
    0x00FF: 'EVENT_SYSTEM_END',
    0x0101: 'EVENT_OEM_DEFINED_START',
    0x01FF: 'EVENT_OEM_DEFINED_END',
    0x4E00: 'EVENT_UIA_EVENTID_START',
    0x4EFF: 'EVENT_UIA_EVENTID_END',
    0x7500: 'EVENT_UIA_PROPID_START',
    0x75FF: 'EVENT_UIA_PROPID_END',
    0x4001: 'EVENT_CONSOLE_CARET',
    0x4002: 'EVENT_CONSOLE_UPDATE_REGION',
    0x4003: 'EVENT_CONSOLE_UPDATE_SIMPLE',
    0x4004: 'EVENT_CONSOLE_UPDATE_SCROLL',
    0x4005: 'EVENT_CONSOLE_LAYOUT',
    0x4006: 'EVENT_CONSOLE_START_APPLICATION',
    0x4007: 'EVENT_CONSOLE_END_APPLICATION',
    0x40FF: 'EVENT_CONSOLE_END',
    0x8000: 'EVENT_OBJECT_CREATE',
    0x8001: 'EVENT_OBJECT_DESTROY',
    0x8002: 'EVENT_OBJECT_SHOW',
    0x8003: 'EVENT_OBJECT_HIDE',
    0x8004: 'EVENT_OBJECT_REORDER',
    0x8005: 'EVENT_OBJECT_FOCUS',
    0x8006: 'EVENT_OBJECT_SELECTION',
    0x8007: 'EVENT_OBJECT_SELECTIONADD',
    0x8008: 'EVENT_OBJECT_SELECTIONREMOVE',
    0x8009: 'EVENT_OBJECT_SELECTIONWITHIN',
    0x800A: 'EVENT_OBJECT_STATECHANGE',
    0x800B: 'EVENT_OBJECT_LOCATIONCHANGE',
    0x800C: 'EVENT_OBJECT_NAMECHANGE',
    0x800D: 'EVENT_OBJECT_DESCRIPTIONCHANGE',
    0x800E: 'EVENT_OBJECT_VALUECHANGE',
    0x800F: 'EVENT_OBJECT_PARENTCHANGE',
    0x8010: 'EVENT_OBJECT_HELPCHANGE',
    0x8011: 'EVENT_OBJECT_DEFACTIONCHANGE',
    0x8012: 'EVENT_OBJECT_ACCELERATORCHANGE',
    0x8013: 'EVENT_OBJECT_INVOKED',
    0x8014: 'EVENT_OBJECT_TEXTSELECTIONCHANGED',
}

# USER objects on XP/2003/Vista/2008
HANDLE_TYPE_ENUM = {
    0: 'TYPE_FREE',
    1: 'TYPE_WINDOW',
    2: 'TYPE_MENU',
    3: 'TYPE_CURSOR',
    4: 'TYPE_SETWINDOWPOS',
    5: 'TYPE_HOOK',
    6: 'TYPE_CLIPDATA',
    7: 'TYPE_CALLPROC',
    8: 'TYPE_ACCELTABLE',
    9: 'TYPE_DDEACCESS',
    10: 'TYPE_DDECONV',
    11: 'TYPE_DDEXACT',
    12: 'TYPE_MONITOR',
    13: 'TYPE_KBDLAYOUT',
    14: 'TYPE_KBDFILE',
    15: 'TYPE_WINEVENTHOOK',
    16: 'TYPE_TIMER',
    17: 'TYPE_INPUTCONTEXT',
    18: 'TYPE_HIDDATA',
    19: 'TYPE_DEVICEINFO',
}

# USER objects for Windows 7: a shallow copy of the table above plus two
# additional handle types
HANDLE_TYPE_ENUM_SEVEN = copy.copy(HANDLE_TYPE_ENUM)
HANDLE_TYPE_ENUM_SEVEN[20] = 'TYPE_TOUCH'
HANDLE_TYPE_ENUM_SEVEN[21] = 'TYPE_GESTURE'

# Clipboard format types
CLIPBOARD_FORMAT_ENUM = {
    1: 'CF_TEXT',
    2: 'CF_BITMAP',
    3: 'CF_METAFILEPICT',
    4: 'CF_SYLK',
    5: 'CF_DIF',
    6: 'CF_TIFF',
    7: 'CF_OEMTEXT',
    8: 'CF_DIB',
    9: 'CF_PALETTE',
    10: 'CF_PENDATA',
    11: 'CF_RIFF',
    12: 'CF_WAVE',
    13: 'CF_UNICODETEXT',
    14: 'CF_ENHMETAFILE',
    15: 'CF_HDROP',
    16: 'CF_LOCALE',
    17: 'CF_DIBV5',
    0x80: 'CF_OWNERDISPLAY',
    0x81: 'CF_DSPTEXT',
    0x82: 'CF_DSPBITMAP',
    0x83: 'CF_DSPMETAFILEPICT',
    0x8E: 'CF_DSPENHMETAFILE',
    ## The following are ranges, not actual formats
    #0x200: 'CF_PRIVATEFIRST',
    #0x2FF: 'CF_PRIVATELAST',
    #0x300: 'CF_GDIOBJFIRST',
    #0x3FF: 'CF_GDIOBJLAST',
}

# Flags for timer objects. As with HOOK_FLAGS, the values are bit
# positions and the trailing comment gives the mask.
TIMER_FLAGS = dict(
    TMRF_READY = 0, # 0x0001
    TMRF_SYSTEM = 1, # 0x0002
    TMRF_RIT = 2, # 0x0004
    TMRF_INIT = 3, # 0x0008
    TMRF_ONESHOT = 4, # 0x0010
    TMRF_WAITING = 5, # 0x0020
    TMRF_TIFROMWND = 6, # 0x0040
)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/screenshot.py0000644000000000000000000000744613131215405024344 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
# Copyright (C) 2009 Brendan Dolan-Gavitt
#
# This file is
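# part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os
import volatility.plugins.gui.windowstations as windowstations
import volatility.debug as debug

try:
    from PIL import Image, ImageDraw
    has_pil = True
except ImportError:
    has_pil = False

class Screenshot(windowstations.WndScan):
    """Save a pseudo-screenshot based on GDI windows"""

    # Sanity bound on the canvas size. The window rectangle is read from the
    # memory image, so a corrupt or hostile image could otherwise make the
    # plugin request an arbitrarily large bitmap.
    MAX_CANVAS_PIXELS = 100 * 1000 * 1000

    # Characters, besides letters and digits, kept in output file names
    _FILE_NAME_EXTRAS = "-_.$ "

    def __init__(self, config, *args, **kwargs):
        """Register the --dump-dir option on top of the WndScan options."""
        windowstations.WndScan.__init__(self, config, *args, **kwargs)

        config.add_option("DUMP-DIR", short_option = 'D', type = "string",
                          help = "Output directory", action = "store")

    def _safe_file_name(self, name):
        """Replace every character that is not alphanumeric or one of
        _FILE_NAME_EXTRAS with an underscore.

        Window station and desktop names come from the analysed image; a
        path separator in one of them must not be able to move the output
        file out of the dump directory.
        """
        return ''.join(ch if (ch.isalnum() or ch in self._FILE_NAME_EXTRAS) else '_'
                       for ch in name)

    def draw_text(self, draw, text, left, top, fill = "Black"):
        """Label windows in the screen shot"""
        lines = text.split('\x0d\x0a')
        for line in lines:
            draw.text( (left, top), line, fill = fill)
            # Advance by the rendered height so labels do not overlap
            _, height = draw.textsize(line)
            top += height

    def render_text(self, outfd, data):
        """Draw one PNG per desktop into --dump-dir and report each file.

        `data` yields window stations. Desktops without windows, or whose
        foreground window rectangle is not plausible, are skipped with a
        warning.
        """
        if not has_pil:
            debug.error("Please install PIL")

        if not self._config.DUMP_DIR or not os.path.isdir(self._config.DUMP_DIR):
            debug.error("Please supply an existing --dump-dir")

        seen = []

        for window_station in data:
            for desktop in window_station.desktops():
                offset = desktop.PhysicalAddress
                if offset in seen:
                    continue
                seen.append(offset)

                # The foreground window
                win = desktop.DeskInfo.spwnd

                # Some desktops don't have any windows
                if not win:
                    debug.warning("{0}\{1}\{2} has no windows\n".format(
                        desktop.dwSessionId, window_station.Name, desktop.Name))
                    continue

                # Reject rectangles that cannot be a real desktop before
                # allocating the canvas
                width = int(win.rcWindow.right) + 1
                height = int(win.rcWindow.bottom) + 1
                if width <= 0 or height <= 0 or width * height > self.MAX_CANVAS_PIXELS:
                    debug.warning("{0}\{1}\{2} has implausible size {3}x{4}, skipping\n".format(
                        desktop.dwSessionId, window_station.Name, desktop.Name,
                        width, height))
                    continue

                im = Image.new("RGB", (width, height), "White")
                draw = ImageDraw.Draw(im)

                # Traverse windows, visible only
                for win, _level in desktop.windows(
                                        win = win,
                                        filter = lambda x : 'WS_VISIBLE' in str(x.style)):
                    draw.rectangle(win.rcWindow.get_tup(), outline = "Black", fill = "White")
                    draw.rectangle(win.rcClient.get_tup(), outline = "Black", fill = "White")

                    ## Create labels for the windows
                    self.draw_text(draw, str(win.strName or ''), win.rcWindow.left + 2, win.rcWindow.top)

                # The name is built from image-controlled strings, so it is
                # reduced to a single safe path component before joining
                file_name = self._safe_file_name("session_{0}.{1}.{2}.png".format(
                    desktop.dwSessionId,
                    window_station.Name,
                    desktop.Name))

                file_name = os.path.join(self._config.DUMP_DIR, file_name)

                try:
                    im.save(file_name, "PNG")
                    result = "Wrote {0}".format(file_name)
                except (SystemError, IOError) as why:
                    # Report the failure and carry on with the next desktop
                    result = why

                outfd.write("{0}\n".format(result))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/atoms.py0000644000000000000000000002054113131215405023301 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .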
#
from volatility import renderers
import volatility.obj as obj
import volatility.poolscan as poolscan
import volatility.plugins.common as common
import volatility.plugins.gui.windowstations as windowstations
from volatility.renderers.basic import Hex, Address

class PoolScanAtom(poolscan.PoolScanner):
    """Pool scanner for atom tables"""

    def __init__(self, address_space):
        poolscan.PoolScanner.__init__(self, address_space)

        self.pooltag = "AtmT"
        self.struct_name = "_RTL_ATOM_TABLE"

        self.checks = [
            ('CheckPoolSize', dict(condition = lambda x: x >= 200)),
            ('CheckPoolType', dict(paged = True, non_paged = True, free = True)),
        ]

        ## Note: all OS after XP, there are an extra 8 bytes (for 32-bit)
        ## or 16 bytes (for 64-bit) between the _POOL_HEADER and _RTL_ATOM_TABLE.
        ## This is variable length structure, so we can't use the bottom-up
        ## approach as we do with other object scanners - because the size of an
        ## _RTL_ATOM_TABLE differs depending on the number of hash buckets.
        meta = self.address_space.profile.metadata
        os_version = (meta.get('major', 0), meta.get('minor', 0))
        is_32bit = meta.get('memory_model', '32bit') == '32bit'

        if os_version > (5, 1):
            self.padding = 8 if is_32bit else 16
        else:
            self.padding = 0

class AtomScan(common.AbstractScanCommand):
    """Pool scanner for atom tables"""

    scanners = [PoolScanAtom]

    def __init__(self, config, *args, **kwargs):
        common.AbstractScanCommand.__init__(self, config, *args, **kwargs)

        config.add_option("SORT-BY", short_option = 's', type = "choice",
                          choices = ["atom", "refcount", "offset"], default = "offset",
                          help = "Sort by [offset | atom | refcount]", action = "store")

    text_sort_column = "Atom"

    def _sorted_string_atoms(self, atom_table):
        """Return the table's string atoms ordered per the SORT-BY option.

        Building a list defeats the purpose of having a generator, but it
        is required in order to sort.
        """
        sort_attr = {"atom": "Atom",
                     "refcount": "ReferenceCount"}.get(self._config.SORT_BY, "obj_offset")
        string_atoms = [entry for entry in atom_table.atoms() if entry.is_string_atom()]
        return sorted(string_atoms, key = lambda entry: getattr(entry, sort_attr))

    def render_text(self, outfd, data):
        """Write one table row per string atom of every scanned atom table."""
        self.table_header(outfd,
                          [(self.offset_column(), "[addr]"),
                           ("AtomOfs(V)", "[addrpad]"),
                           ("Atom", "[addr]"),
                           ("Refs", "6"),
                           ("Pinned", "6"),
                           ("Name", ""),
                           ])

        for atom_table in data:
            for atom in self._sorted_string_atoms(atom_table):
                self.table_row(outfd,
                               atom_table.obj_offset,
                               atom.obj_offset,
                               atom.Atom,
                               atom.ReferenceCount,
                               atom.Pinned,
                               str(atom.Name or "")
                               )

    def unified_output(self, data):
        """Wrap the rows produced by generator() in a six-column TreeGrid."""
        columns = [(self.offset_column(), Address),
                   ("AtomOfs(V)", Address),
                   ("Atom", Hex),
                   ("Refs", int),
                   ("Pinned", int),
                   ("Name", str),
                   ]
        return renderers.TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per string atom of every scanned table."""
        for atom_table in data:
            for atom in self._sorted_string_atoms(atom_table):
                row = [Address(atom_table.obj_offset),
                       Address(atom.obj_offset),
                       Hex(atom.Atom),
                       int(atom.ReferenceCount),
                       int(atom.Pinned),
                       str(atom.Name or "")]
                yield (0, row)

class Atoms(common.AbstractWindowsCommand):
    """Print session and window station atom tables"""

    def calculate(self):
        """Yield (atom table, window station) pairs, each table only once.

        Tables reached through a window station come first; tables found
        only by the pool scanner follow, paired with a NoneObject.
        """
        seen = []

        # Find the atom tables that belong to each window station
        for wndsta in windowstations.WndScan(self._config).calculate():
            offset = wndsta.obj_native_vm.vtop(wndsta.pGlobalAtomTable)
            if offset in seen:
                continue
            seen.append(offset)

            # The atom table is dereferenced in the proper
            # session space
            table = wndsta.AtomTable
            if table.is_valid():
                yield table, wndsta

        # Find atom tables not linked to specific window stations.
        # This finds win32k!UserAtomHandleTable.
        for table in AtomScan(self._config).calculate():
            if table.PhysicalAddress in seen:
                continue
            yield table, obj.NoneObject("No windowstation")

    text_sort_column = "Atom"

    def unified_output(self, data):
        """Wrap the rows produced by generator() in an eight-column TreeGrid."""
        columns = [("Offset(V)", Address),
                   ("Session", int),
                   ("WindowStation", str),
                   ("Atom", Hex),
                   ("RefCount", int),
                   ("HIndex", int),
                   ("Pinned", int),
                   ("Name", str),
                   ]
        return renderers.TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one TreeGrid row per string atom in every atom table."""
        for atom_table, window_station in data:
            for atom in atom_table.atoms():
                ## Only string atoms are reported
                if atom.is_string_atom():
                    yield (0,
                           [Address(atom_table.PhysicalAddress),
                            int(window_station.dwSessionId),
                            str(window_station.Name or ''),
                            Hex(atom.Atom),
                            int(atom.ReferenceCount),
                            int(atom.HandleIndex),
                            int(atom.Pinned),
                            str(atom.Name or "")]
                           )

    def render_text(self, outfd, data):
        """Write one table row per string atom in every atom table."""
        self.table_header(outfd,
                          [("Offset(V)", "[addr]"),
                           ("Session", "^10"),
                           ("WindowStation", "^18"),
                           ("Atom", "[addr]"),
                           ("RefCount", "^10"),
                           ("HIndex", "^10"),
                           ("Pinned", "^10"),
                           ("Name", ""),
                           ])

        for atom_table, window_station in data:
            for atom in atom_table.atoms():
                ## Only string atoms are reported
                if atom.is_string_atom():
                    self.table_row(outfd,
                                   atom_table.PhysicalAddress,
                                   window_station.dwSessionId,
                                   window_station.Name,
                                   atom.Atom,
                                   atom.ReferenceCount,
                                   atom.HandleIndex,
                                   atom.Pinned,
                                   str(atom.Name or "")
                                   )

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/userhandles.py0000644000000000000000000000707613131215405024503 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.gui.sessions as sessions
import volatility.debug as debug

class UserHandles(sessions.Sessions):
    """Dump the USER handle tables"""

    def __init__(self, config, *args, **kwargs):
        sessions.Sessions.__init__(self, config, *args, **kwargs)

        config.add_option('PID', short_option = 'p',
                          help = 'Pid filter', action = 'store', type = 'int')
        config.add_option('TYPE', short_option = 't',
                          help = 'Handle type', action = 'store', type = 'string')
        config.add_option('FREE', short_option = 'F',
                          help = 'Include free handles', action = 'store_true',
                          default = False)

    def _handle_filters(self):
        """Build the predicate list for shared_info.handles() from the options."""
        predicates = []

        # Freed handles are hidden unless --free was given
        if not self._config.FREE:
            predicates.append(lambda x : not x.Free)

        # Optional restriction to one owning process
        if self._config.PID:
            predicates.append(lambda x : x.Process.UniqueProcessId == self._config.PID)

        # Optional restriction to one object type name
        if self._config.TYPE:
            predicates.append(lambda x : str(x.bType) == self._config.TYPE)

        return predicates

    def render_text(self, outfd, data):
        """Write a summary and a handle table for every session in `data`.

        Sessions for which find_shared_info() returns nothing are skipped
        with a debug message.
        """
        for session in data:
            shared_info = session.find_shared_info()
            if not shared_info:
                debug.debug("Cannot find win32k!gSharedInfo")
                continue

            outfd.write("*" * 50 + "\n")
            outfd.write("SharedInfo: {0:#x}, SessionId: {1} Shared delta: {2}\n".format(
                shared_info.obj_offset,
                session.SessionId,
                shared_info.ulSharedDelta,
                ))

            # Prefer the entry size recorded in the structure; otherwise
            # use the size of _HANDLEENTRY in the profile
            if hasattr(shared_info, 'HeEntrySize'):
                entry_size = shared_info.HeEntrySize
            else:
                entry_size = shared_info.obj_vm.profile.get_obj_size("_HANDLEENTRY")

            outfd.write("aheList: {0:#x}, Table size: {1:#x}, Entry size: {2:#x}\n".format(
                shared_info.aheList.v(),
                shared_info.psi.cbHandleTable,
                entry_size,
                ))
            outfd.write("\n")

            filters = self._handle_filters()

            self.table_header(outfd,
                              [("Object(V)", "[addrpad]"),
                               ("Handle", "[addr]"),
                               ("bType", "20"),
                               ("Flags", "^8"),
                               ("Thread", "^8"),
                               ("Process", ""),
                               ])

            for handle in shared_info.handles(filters):
                # Entries without a usable head are listed with handle value 0
                handle_value = handle.phead.h if handle.phead else 0
                self.table_row(outfd,
                               handle.phead.v(),
                               handle_value,
                               handle.bType,
                               handle.bFlags,
                               handle.Thread.Cid.UniqueThread,
                               handle.Process.UniqueProcessId)

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/windowstations.py0000644000000000000000000001104013131215405025244 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
import volatility.obj as obj
import volatility.utils as utils
import volatility.debug as debug
import volatility.poolscan as poolscan
import volatility.plugins.common as common
import volatility.plugins.gui.sessions as sessions

class PoolScanWind(poolscan.PoolScanner):
    """PoolScanner for window station objects"""

    def __init__(self, address_space):
        poolscan.PoolScanner.__init__(self, address_space)

        self.struct_name = "tagWINDOWSTATION"
        self.object_type = "WindowStation"
        self.pooltag = obj.VolMagic(address_space).WindPoolTag.v()

        # Fixed lower bound instead of
        # self.address_space.profile.get_obj_size("tagWINDOWSTATION")
        min_size = 0x90

        self.checks = [
            # seen as 0x98 on xpsp2 and xpsp3, 0x90 on w2k3*, 0xa0 on w7sp0
            ('CheckPoolSize', dict(condition = lambda x: x >= min_size)),
            # only look in non-paged or free pools
            ('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
            ('CheckPoolIndex', dict(value = 0)),
        ]

class WndScan(common.AbstractScanCommand, sessions.SessionsMixin):
    """Pool scanner for window stations"""

    scanners = [PoolScanWind]

    def calculate(self):
        """Yield each valid window station that has at least one desktop.

        Every scan hit is re-based into its session's address space and its
        station list is traversed; a station is reported once, keyed by its
        physical address.
        """
        addr_space = utils.load_as(self._config)

        seen = []

        for hit in self.scan_results(addr_space):
            # Find an address space for this window station's session
            session = self.find_session_space(addr_space, hit.dwSessionId)
            if not session:
                continue

            # Reset the object's native VM so pointers are
            # dereferenced in session space
            hit.set_native_vm(session.obj_vm)

            for winsta in hit.traverse():
                if not (winsta.is_valid() and len([desk for desk in winsta.desktops()]) > 0):
                    continue

                offset = winsta.PhysicalAddress
                if offset in seen:
                    continue
                seen.append(offset)

                yield winsta

    def render_text(self, outfd, data):
        """Write a multi-line summary for every window station in `data`."""
        emit = outfd.write

        for window_station in data:
            emit("*" * 50 + "\n")

            emit("WindowStation: {0:#x}, Name: {1}, Next: {2:#x}\n".format(
                window_station.PhysicalAddress,
                window_station.Name,
                window_station.rpwinstaNext.v(),
                ))

            emit("SessionId: {0}, AtomTable: {1:#x}, Interactive: {2}\n".format(
                window_station.dwSessionId,
                window_station.pGlobalAtomTable,
                window_station.Interactive,
                ))

            desktop_names = [desk.Name for desk in window_station.desktops()]
            emit("Desktops: {0}\n".format(', '.join(desktop_names)))

            # Thread recorded in ptiDrawingClipboard
            emit("ptiDrawingClipboard: pid {0} tid {1}\n".format(
                window_station.ptiDrawingClipboard.pEThread.Cid.UniqueProcess,
                window_station.ptiDrawingClipboard.pEThread.Cid.UniqueThread
                ))

            emit("spwndClipOpen: {0:#x}, spwndClipViewer: {1:#x} {2} {3}\n".format(
                window_station.spwndClipOpen.v(),
                window_station.spwndClipViewer.v(),
                str(window_station.LastRegisteredViewer.UniqueProcessId or ""),
                str(window_station.LastRegisteredViewer.ImageFileName or ""),
                ))

            emit("cNumClipFormats: {0}, iClipSerialNumber: {1}\n".format(
                window_station.cNumClipFormats,
                window_station.iClipSerialNumber,
                ))

            format_names = [str(clip.fmt) for clip in window_station.pClipBase.dereference()]
            emit("pClipBase: {0:#x}, Formats: {1}\n".format(
                window_station.pClipBase,
                ",".join(format_names),
                ))

# volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/vtypes/0000755000000000000000000000000013131215405023134 5ustar rootroot
# volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/vtypes/win8.py0000644000000000000000000001735513131215405024406 0ustar rootroot
# Volatility
# Copyright (C) 2007-2014 Volatility Foundation
# Copyright (C) 2014 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.plugins.gui.constants as consts
import volatility.plugins.gui.win32k_core as win32k_core
import volatility.plugins.gui.vtypes.win7_sp0_x86_vtypes_gui as win7_sp0_x86_vtypes_gui
import volatility.plugins.gui.vtypes.win7_sp0_x64_vtypes_gui as win7_sp0_x64_vtypes_gui

class _RTL_ATOM_TABLE_ENTRY(win32k_core._RTL_ATOM_TABLE_ENTRY):
    """A class for atom table entries.

    Extends win32k_core._RTL_ATOM_TABLE_ENTRY so that Flags and
    ReferenceCount are read through the nested Reference member instead
    of directly from the entry.
    """

    @property
    def Flags(self):
        """Return the Flags value stored in the entry's Reference member."""
        return self.Reference.Flags

    @property
    def ReferenceCount(self):
        """Return the ReferenceCount stored in the entry's Reference member."""
        return self.Reference.ReferenceCount

class Win8x86Gui(obj.ProfileModification):
    """win32k GUI type overlay for 32-bit Windows profiles with major 6, minor > 1.

    Loads the Windows 7 SP0 x86 win32k vtypes as a base, then overrides the
    offsets of selected members. Each override carries the disassembly it was
    read from as a ## comment; the win32k build that was disassembled is not
    recorded in this file.

    NOTE(review): members that are not overridden below keep their Windows 7
    SP0 offsets. Confirm those offsets against the target build before relying
    on GUI plugin output for them in an investigation.
    """

    # Names of other profile modifications this one is ordered against; the
    # ordering semantics are defined by obj.ProfileModification (not shown here).
    before = ["XP2003x86BaseVTypes", "Win32Kx86VTypes", "AtomTablex86Overlay", "Win32KCoreClasses"]

    # 'minor' has no upper bound, so every 32-bit 6.x profile above 6.1 gets the
    # same offsets. NOTE(review): confirm they hold for each build analysed.
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x > 1}

    def modification(self, profile):
        """Install the Win7 SP0 x86 GUI vtypes, the atom entry class and the overlay.

        profile -- the profile object being modified; its vtypes and
                   object_classes are updated in place and merge_overlay()
                   is called on it.
        """
        profile.vtypes.update(win7_sp0_x86_vtypes_gui.win32k_types)
        profile.object_classes.update({'_RTL_ATOM_TABLE_ENTRY': _RTL_ATOM_TABLE_ENTRY})

        # In each entry the first element is the structure size and None leaves
        # the base value in place (presumably; see merge_overlay, not shown here).
        profile.merge_overlay({
            'tagWINDOWSTATION' : [ None, {
                ## ForceEmptyClipboard
                ## lea     eax, [esi+28h]
                ## call    @HMAssignmentUnlock@4 ; HMAssignmentUnlock(x)
                ## lea     eax, [esi+24h]
                ## call    @HMAssignmentUnlock@4 ; HMAssignmentUnlock(x)
                'spwndClipOwner': [0x28, ['pointer', ['tagWND']]],
                'spwndClipViewer': [0x24, ['pointer', ['tagWND']]],
                ## _EnumClipboardFormats
                ## mov     ecx, [esi+30h]
                # The array length is read from cNumClipFormats in the memory image.
                # NOTE(review): no upper bound is applied here; confirm that callers
                # cap iteration when the image is corrupt or has been tampered with.
                'pClipBase' : [ 0x30, ['pointer', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]],
                ## xxxEmptyClipboard
                ## mov     eax, [ebx+34h]
                'cNumClipFormats': [0x34, ['unsigned long']],
                ## xxxEmptyClipboard
                ## call    @HMAssignmentLock@8 ; HMAssignmentLock(x,x)
                ## inc     dword ptr [ebx+38h]
                'iClipSerialNumber': [0x38, ['unsigned long']],
                ## xxxCreateWindowStation
                ## lea     edi, [edi+48h]
                ## call    _CreateGlobalAtomTab
                'pGlobalAtomTable': [ 0x48, ['pointer', ['void']]],
            }],
            '_HANDLEENTRY': [ None, {
                # bType is decoded with the HANDLE_TYPE_ENUM_SEVEN table from consts.
                'bType': [ None, ['Enumeration', dict(target = 'unsigned char', choices = consts.HANDLE_TYPE_ENUM_SEVEN)]],
            }],
            # The structure size is set to 20 here, whereas Win8x64Gui passes None
            # for tagCLIP. NOTE(review): confirm the x64 size, since it sets the
            # stride of the pClipBase array.
            'tagCLIP': [ 20, {
                'fmt' : [ None, ['Enumeration', dict(target = 'unsigned long', choices = consts.CLIPBOARD_FORMAT_ENUM)]],
            }],
            'tagTHREADINFO': [ None, {
                ## xxxCreateWindowStation
                ## mov     ebx, _gptiCurrent
                ## mov     eax, [ebx+0C4h]
                'ppi': [0xc4, ['pointer', ['tagPROCESSINFO']]],
                ## zzzReattachThreads
                ## lea     ebx, [edi-158h]
                ## mov     ecx, [ebx+130h]
                'PtiLink': [0x158, ['_LIST_ENTRY']],
            }],
            'tagDESKTOP': [ None, {
                ## ParseDesktop
                ## mov     edi, [edi+8]
                ## test    edi, edi
                'rpdeskNext': [8, ['pointer', ['tagDESKTOP']]],
                ## DestroyDesktop
                ## mov     ebx, [ebp+arg_0]
                ## mov     eax, [ebx+0Ch]
                'rpwinstaParent': [0xc, ['pointer', ['tagWINDOWSTATION']]],
                ## DesktopAlloc
                ## mov     eax, [eax+3Ch]
                ## push    edi
                ## push    [ebp+Size] ; Size
                'pheapDesktop': [0x3c, ['pointer', ['tagWIN32HEAP']]],
                ### xxxCreateDesktopEx2
                ## add     eax, 58h
                ## mov     [eax+4], eax
                ## mov     [eax], eax
                'PtiList': [0x58, ['_LIST_ENTRY']],
            }],
            '_RTL_ATOM_TABLE': [ None, {
                'NumBuckets': [ 0x14, ['unsigned long']],
                # The bucket count also comes from the image (NumBuckets).
                # NOTE(review): treat it as unvalidated.
                'Buckets': [ 0x18, ['array', lambda x : x.NumBuckets, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]],
            }],
        })

class Win8x64Gui(obj.ProfileModification):
    """win32k GUI type overlay for 64-bit Windows profiles with major 6, minor > 1.

    Loads the Windows 7 SP0 x64 win32k vtypes as a base, then overrides the
    offsets of selected members, each annotated with the disassembly it was
    read from. Unlike Win8x86Gui, this overlay does not override
    spwndClipOwner / spwndClipViewer and leaves the tagCLIP size unchanged.

    NOTE(review): members that are not overridden below keep their Windows 7
    SP0 offsets. Confirm those offsets against the target build before relying
    on GUI plugin output for them in an investigation.
    """

    # Ordering semantics are defined by obj.ProfileModification (not shown here).
    before = ["Win32KCoreClasses"]

    # 'minor' has no upper bound, so every 64-bit 6.x profile above 6.1 gets the
    # same offsets. NOTE(review): confirm they hold for each build analysed.
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x > 1}

    def modification(self, profile):
        """Install the Win7 SP0 x64 GUI vtypes, the atom entry class and the overlay.

        profile -- the profile object being modified; its vtypes and
                   object_classes are updated in place and merge_overlay()
                   is called on it.
        """
        profile.vtypes.update(win7_sp0_x64_vtypes_gui.win32k_types)
        profile.object_classes.update({'_RTL_ATOM_TABLE_ENTRY': _RTL_ATOM_TABLE_ENTRY})

        profile.merge_overlay({
            'tagWINDOWSTATION': [ None, {
                ## _EnumClipboardFormats
                ## mov     rcx, [rdi+60h]
                ## test    rcx, rcx
                # The array length is read from cNumClipFormats in the memory image.
                # NOTE(review): no upper bound is applied here; confirm that callers
                # cap iteration when the image is corrupt or has been tampered with.
                'pClipBase' : [ 0x60, ['pointer', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]],
                ## xxxEmptyClipboard
                ## mov     ebp, [rbx+68h]
                'cNumClipFormats': [0x68, ['unsigned long']],
                ## xxxEmptyClipboard
                ## call    HMAssignmentLock
                ## inc     dword ptr [rbx+6Ch]
                'iClipSerialNumber': [0x6c, ['unsigned long']],
                ## xxxCreateWindowStation
                ## add     rcx, 88h
                ## call    CreateGlobalAtomTable
                'pGlobalAtomTable': [ 0x88, ['pointer', ['void']]],
            }],
            'tagDESKTOP': [ None, {
                ## ParseDesktop
                ## mov     rdi, [rdi+10h]
                'rpdeskNext': [0x10, ['pointer', ['tagDESKTOP']]],
                ## DestroyDesktop
                ## mov     eax, [rcx+20h]
                ## mov     rdi, [rcx+18h]
                'rpwinstaParent': [0x18, ['pointer', ['tagWINDOWSTATION']]],
                ## DesktopAlloc
                ## mov     rcx, [rcx+78h]
                ## mov     r8d, edx
                ## xor     edx, edx
                'pheapDesktop': [0x78, ['pointer', ['tagWIN32HEAP']]],
                ### xxxCreateDesktopEx2
                ## add     rax, 0A0h
                ## mov     [rax+8], rax
                'PtiList': [0xA0, ['_LIST_ENTRY']],
            }],
            'tagTHREADINFO': [ None, {
                ## xxxCreateWindowStation
                ## mov     rsi, cs:gptiCurrent
                ## mov     rax, [r14+10h]
                ## mov     rcx, [rax+170h]
                'ppi': [0x170, ['pointer', ['tagPROCESSINFO']]],
                ## zzzReattachThreads
                ## lea     rsi, [rdi-280h]
                ## mov     rdx, [rsi+230h] ; struct tagQ *
                ## cmp     rdx, [rsi+178h]
                'PtiLink': [0x280, ['_LIST_ENTRY']],
            }],
            # The size is left as None here, whereas Win8x86Gui sets 20 for tagCLIP.
            'tagCLIP': [ None, {
                'fmt' : [ None, ['Enumeration', dict(target = 'unsigned long', choices = consts.CLIPBOARD_FORMAT_ENUM)]],
            }],
            '_RTL_ATOM_TABLE': [ None, {
                'NumBuckets': [ 0x1C, ['unsigned long']],
                # The bucket count also comes from the image (NumBuckets).
                # NOTE(review): treat it as unvalidated.
                'Buckets': [ 0x20, ['array', lambda x : x.NumBuckets, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]],
            }],
            '_HANDLEENTRY': [ None, {
                # bType is decoded with the HANDLE_TYPE_ENUM_SEVEN table from consts.
                'bType': [ None, ['Enumeration', dict(target = 'unsigned char', choices = consts.HANDLE_TYPE_ENUM_SEVEN)]],
            }],
        })
volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/vtypes/win7_sp0_x86_vtypes_gui.py0000644000000000000000000035534313131215405030154 0ustar rootrootwin32k_types = { '_HANDLEENTRY': [0xc, { 'pOwner': [4, ['pointer', ['void']]], 'phead': [0, ['pointer', ['_HEAD']]], 'bFlags': [9, ['unsigned char']], 'wUniq': [10, ['unsigned short']], 'bType': [8, ['unsigned char']], }], 'tagTOUCHINPUTINFO': [0x3c, { 'dwcInputs': [12, ['unsigned long']], 'head': [0, ['_THROBJHEAD']], 'uFlags': [16, ['unsigned long']], 'TouchInput': [20, ['array', 1, ['tagTOUCHINPUT']]], }], 'tagHOOK': [0x34, { 'head': [0, ['_THRDESKHEAD']], 'offPfn': [28, ['unsigned long']], 'flags': [32, ['unsigned long']], 'fLastHookHung': [48, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'nTimeout': [48, ['BitField', {'end_bit': 
7, 'start_bit': 0}]], 'ihmod': [36, ['long']], 'iHook': [24, ['long']], 'ptiHooked': [40, ['pointer', ['tagTHREADINFO']]], 'phkNext': [20, ['pointer', ['tagHOOK']]], 'rpdesk': [44, ['pointer', ['tagDESKTOP']]], }], 'DEADKEY': [0x8, { 'wchComposed': [4, ['wchar']], 'dwBoth': [0, ['unsigned long']], 'uFlags': [6, ['unsigned short']], }], '__unnamed_179f': [0x4, { 'pRgb256x3x16': [0, ['pointer', ['_D3DDDI_GAMMA_RAMP_RGB256x3x16']]], 'pRaw': [0, ['pointer', ['void']]], 'pDxgi1': [0, ['pointer', ['_D3DDDI_GAMMA_RAMP_DXGI_1']]], }], '_W32THREAD': [0xb4, { 'pRBRecursionCount': [40, ['unsigned long']], 'iVisRgnUniqueness': [176, ['unsigned long']], 'RefCount': [4, ['unsigned long']], 'pDevHTInfo': [148, ['pointer', ['void']]], 'pUMPDHeap': [24, ['pointer', ['void']]], 'pgdiBrushAttr': [16, ['pointer', ['void']]], 'ulWindowSystemRendering': [172, ['unsigned long']], 'tlSpriteState': [48, ['_TLSPRITESTATE']], 'pdcoRender': [160, ['pointer', ['void']]], 'bEnableEngUpdateDeviceSurface': [168, ['unsigned char']], 'pdcoAA': [156, ['pointer', ['void']]], 'pNonRBRecursionCount': [44, ['unsigned long']], 'ptlW32': [8, ['pointer', ['_TL']]], 'GdiTmpTgoList': [32, ['_LIST_ENTRY']], 'pUMPDObjs': [20, ['pointer', ['void']]], 'pgdiDcattr': [12, ['pointer', ['void']]], 'bIncludeSprites': [169, ['unsigned char']], 'pEThread': [0, ['pointer', ['_ETHREAD']]], 'pSpriteState': [144, ['pointer', ['void']]], 'ulDevHTInfoUniqueness': [152, ['unsigned long']], 'pdcoSrc': [164, ['pointer', ['void']]], 'pUMPDObj': [28, ['pointer', ['void']]], }], 'tagPROPLIST': [0x10, { 'aprop': [8, ['array', 1, ['tagPROP']]], 'cEntries': [0, ['unsigned long']], 'iFirstFree': [4, ['unsigned long']], }], 'tagDESKTOPINFO': [0x78, { 'spwndProgman': [96, ['pointer', ['tagWND']]], 'pvwplMessagePPHandler': [112, ['pointer', ['VWPL']]], 'pvDesktopLimit': [4, ['pointer', ['void']]], 'fComposited': [116, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'spwndGestureEngine': [108, ['pointer', ['tagWND']]], 'pvDesktopBase': [0, 
['pointer', ['void']]], 'spwndShell': [80, ['pointer', ['tagWND']]], 'ppiShellProcess': [84, ['pointer', ['tagPROCESSINFO']]], 'pvwplShellHook': [100, ['pointer', ['VWPL']]], 'fIsDwmDesktop': [116, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'spwndTaskman': [92, ['pointer', ['tagWND']]], 'aphkStart': [16, ['array', 16, ['pointer', ['tagHOOK']]]], 'fsHooks': [12, ['unsigned long']], 'cntMBox': [104, ['long']], 'spwndBkGnd': [88, ['pointer', ['tagWND']]], 'spwnd': [8, ['pointer', ['tagWND']]], }], 'tagDISPLAYINFO': [0x64, { 'hDev': [0, ['pointer', ['void']]], 'SpatialListHead': [88, ['_KLIST_ENTRY']], 'BitCountMax': [78, ['unsigned short']], 'cyGray': [32, ['long']], 'hdcBits': [16, ['pointer', ['HDC__']]], 'fDesktopIsRect': [80, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'hbmGray': [24, ['pointer', ['HBITMAP__']]], 'pmdev': [4, ['pointer', ['void']]], 'cFullScreen': [96, ['short']], 'cxGray': [28, ['long']], 'dmLogPixels': [76, ['unsigned short']], 'hDevInfo': [8, ['pointer', ['void']]], 'fAnyPalette': [80, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'pspbFirst': [40, ['pointer', ['tagSPB']]], 'pMonitorPrimary': [48, ['pointer', ['tagMONITOR']]], 'Spare0': [98, ['short']], 'pMonitorFirst': [52, ['pointer', ['tagMONITOR']]], 'hdcGray': [20, ['pointer', ['HDC__']]], 'hrgnScreenReal': [72, ['pointer', ['HRGN__']]], 'cMonitors': [44, ['unsigned long']], 'hdcScreen': [12, ['pointer', ['HDC__']]], 'DockThresholdMax': [84, ['unsigned long']], 'rcScreenReal': [56, ['tagRECT']], 'pdceFirst': [36, ['pointer', ['tagDCE']]], }], 'tagTHREADINFO': [0x208, { 'pstrAppName': [220, ['pointer', ['_UNICODE_STRING']]], 'ForceLegacyResizeNCMetr': [280, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'ptl': [180, ['pointer', ['_TL']]], 'timeLast': [236, ['long']], 'DontJournalAttach': [276, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'ppi': [184, ['pointer', ['tagPROCESSINFO']]], 'SendMnuDblClk': [276, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'DDENoSync': [280, 
['BitField', {'end_bit': 19, 'start_bit': 18}]], 'EditNoMouseHide': [280, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'pDevHTInfo': [148, ['pointer', ['void']]], 'OpenGLEMF': [280, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'dwCompatFlags': [276, ['unsigned long']], 'hTouchInputCurrent': [492, ['pointer', ['HTOUCHINPUT__']]], 'psmsSent': [224, ['pointer', ['tagSMS']]], 'cVisWindows': [404, ['unsigned long']], 'hPrevHidData': [488, ['pointer', ['void']]], 'fsHooks': [300, ['unsigned long']], 'qwCompatFlags2': [280, ['unsigned long long']], 'NoPaddedBorder': [280, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'NoDrawPatRect': [280, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'ForceTTGrapchis': [276, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'GetDeviceCaps': [276, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'pgdiBrushAttr': [16, ['pointer', ['void']]], 'pq': [188, ['pointer', ['tagQ']]], 'ulWindowSystemRendering': [172, ['unsigned long']], 'dwExpWinVer': [272, ['unsigned long']], 'NoSoftCursOnMoveSize': [280, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'psmsReceiveList': [232, ['pointer', ['tagSMS']]], 'sphkCurrent': [304, ['pointer', ['tagHOOK']]], 'No50ExStyles': [280, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'IgnoreFaults': [276, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'pClientInfo': [212, ['pointer', ['tagCLIENTINFO']]], 'pdcoSrc': [164, ['pointer', ['void']]], 'pEventQueueServer': [324, ['pointer', ['_KEVENT']]], 'DealyHwndShakeChk': [276, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'amdesk': [396, ['unsigned long']], 'fsChangeBitsRemoved': [384, ['unsigned short']], 'psmsCurrent': [228, ['pointer', ['tagSMS']]], 'NoBatching': [280, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'StrictLLHook': [280, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'pdcoRender': [160, ['pointer', ['void']]], 'NoShadow': [280, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'EnumHelv': [276, ['BitField', {'end_bit': 13, 
'start_bit': 12}]], 'fPack': [516, ['BitField', {'end_bit': 28, 'start_bit': 2}]], 'CallTTDevice': [276, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'fsReserveKeys': [388, ['unsigned long']], 'Winver31': [276, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'DisableDBCSProp': [276, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'Win30AvgWidth': [276, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'ptlW32': [8, ['pointer', ['_TL']]], 'AlwaysSendSyncPaint': [276, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'IgnoreNoDiscard': [276, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'NoTimeCbProtect': [280, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'MsShellDlg': [280, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'hEventQueueClient': [320, ['pointer', ['void']]], 'cPaintsReady': [252, ['long']], 'SubtractClips': [276, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'PtiLink': [328, ['_LIST_ENTRY']], 'DpiAware': [280, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'spklActive': [192, ['pointer', ['tagKL']]], 'bIncludeSprites': [169, ['unsigned char']], 'mlPost': [372, ['tagMLIST']], 'ptLastReal': [348, ['tagPOINT']], 'fThreadCleanupFinished': [516, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'MultipleBands': [276, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'Random31Ux': [276, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'HackWinFlags': [276, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'cti': [472, ['tagCLIENTTHREADINFO']], 'KCOff': [280, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'wParamHkCurrent': [312, ['unsigned long']], 'readyHead': [508, ['_LIST_ENTRY']], 'UsePrintingEscape': [276, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'NoInitFlagsOnFocus': [280, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'ForceTextBand': [276, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'pEThread': [0, ['pointer', ['_ETHREAD']]], 'ptdb': [264, ['pointer', ['tagTDB']]], 'SpareCompatFlags2': [280, ['BitField', {'end_bit': 64, 'start_bit': 
33}]], 'cWindows': [400, ['unsigned long']], 'cEnterCount': [368, ['long']], 'fETWReserved': [516, ['BitField', {'end_bit': 32, 'start_bit': 29}]], 'dwCompatFlags2': [280, ['unsigned long']], 'NoEMFSpooling': [276, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'pMenuState': [260, ['pointer', ['tagMENUSTATE']]], 'pRBRecursionCount': [40, ['unsigned long']], 'SmoothScrolling': [276, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'iVisRgnUniqueness': [176, ['unsigned long']], 'RefCount': [4, ['unsigned long']], 'Win31DevModeSize': [276, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pwinsta': [264, ['pointer', ['tagWINDOWSTATION']]], 'pSBTrack': [316, ['pointer', ['tagSBTRACK']]], 'ActiveMenus': [280, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'spwndDefaultIme': [356, ['pointer', ['tagWND']]], 'NoCustomPaperSize': [280, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'wchInjected': [386, ['wchar']], 'cTimersReady': [256, ['unsigned long']], 'EditSetTextMunge': [276, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'pUMPDHeap': [24, ['pointer', ['void']]], 'fgfSwitchInProgressSetter': [516, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'iCursorLevel': [336, ['long']], 'NoScrollBarCtxMenu': [276, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'ulClientDelta': [208, ['unsigned long']], 'pdcoAA': [156, ['pointer', ['void']]], 'cNestedStableVisRgn': [504, ['unsigned long']], 'TryExceptCallWndProc': [280, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'NcCalcSizeOnMove': [276, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'DisableFontAssoc': [276, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'pcti': [196, ['pointer', ['tagCLIENTTHREADINFO']]], 'MsgPPInfo': [500, ['tagMSGPPINFO']], 'DDE': [280, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ulThreadFlags2': [516, ['unsigned long']], 'tlSpriteState': [48, ['_TLSPRITESTATE']], 'NoCharDeadKey': [280, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'pqAttach': [288, ['pointer', ['tagQ']]], 
'TTIgnoreRasterDupe': [276, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'aphkStart': [408, ['array', 16, ['pointer', ['tagHOOK']]]], 'DefaultCharset': [280, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'idLast': [240, ['unsigned long']], 'rpdesk': [200, ['pointer', ['tagDESKTOP']]], 'NoWindowArrangement': [280, ['BitField', {'end_bit': 33, 'start_bit': 32}]], 'AnimationOff': [280, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'No50ExStyleBits': [280, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'TransparentBltMirror': [280, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'DDENoAsyncReg': [280, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bEnableEngUpdateDeviceSurface': [168, ['unsigned char']], 'pDeskInfo': [204, ['pointer', ['tagDESKTOPINFO']]], 'hdesk': [248, ['pointer', ['HDESK__']]], 'pNonRBRecursionCount': [44, ['unsigned long']], 'MoreExtraWndWords': [276, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'hklPrev': [364, ['pointer', ['HKL__']]], 'NoGhost': [280, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'IgnoreTopMost': [276, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'pmsd': [296, ['pointer', ['_MOVESIZEDATA']]], 'NoHRGN1': [276, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'exitCode': [244, ['long']], 'NoDDETrackDying': [280, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'ptLast': [340, ['tagPOINT']], 'hGestureInfoCurrent': [496, ['pointer', ['HGESTUREINFO__']]], 'GdiTmpTgoList': [32, ['_LIST_ENTRY']], 'pUMPDObjs': [20, ['pointer', ['void']]], 'FontSubs': [280, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'GiveUpForegound': [280, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spDefaultImc': [360, ['pointer', ['tagIMC']]], 'pgdiDcattr': [12, ['pointer', ['void']]], 'TIF_flags': [216, ['unsigned long']], 'apEvent': [392, ['pointer', ['pointer', ['_KEVENT']]]], 'HardwareMixer': [280, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'pUMPDObj': [28, ['pointer', ['void']]], 'pSpriteState': [144, ['pointer', ['void']]], 
'EnumTTNotDevice': [276, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'lParamHkCurrent': [308, ['long']], 'ulDevHTInfoUniqueness': [152, ['unsigned long']], 'ptiSibling': [292, ['pointer', ['tagTHREADINFO']]], 'psiiList': [268, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'ForceFusion': [280, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'fSpecialInitialization': [516, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'IncreaseStack': [276, ['BitField', {'end_bit': 23, 'start_bit': 22}]], }], '__unnamed_1262': [0x2c, { 'InitialPrivilegeSet': [0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet': [0, ['_PRIVILEGE_SET']], }], '_D3DKMDT_2DREGION': [0x8, { 'cy': [4, ['unsigned long']], 'cx': [0, ['unsigned long']], }], 'tagMONITOR': [0x64, { 'hDev': [56, ['pointer', ['void']]], 'head': [0, ['_HEAD']], 'hDevReal': [60, ['pointer', ['void']]], 'rcWorkReal': [32, ['tagRECT']], 'dwMONFlags': [12, ['unsigned long']], 'Spare0': [52, ['short']], 'rcMonitorReal': [16, ['tagRECT']], 'pMonitorNext': [8, ['pointer', ['tagMONITOR']]], 'Flink': [92, ['pointer', ['tagMONITOR']]], 'Blink': [96, ['pointer', ['tagMONITOR']]], 'hrgnMonitorReal': [48, ['pointer', ['HRGN__']]], 'cWndStack': [54, ['short']], 'DockTargets': [64, ['array', 7, ['array', 4, ['unsigned char']]]], }], '__unnamed_18b4': [0x18, { 'Dma': [0, ['__unnamed_18a8']], 'Generic': [0, ['__unnamed_18a2']], 'Memory': [0, ['__unnamed_18a2']], 'BusNumber': [0, ['__unnamed_18aa']], 'Memory48': [0, ['__unnamed_18b0']], 'Memory40': [0, ['__unnamed_18ae']], 'DevicePrivate': [0, ['__unnamed_177b']], 'ConfigData': [0, ['__unnamed_18ac']], 'Memory64': [0, ['__unnamed_18b2']], 'Interrupt': [0, ['__unnamed_18a6']], 'Port': [0, ['__unnamed_18a2']], }], '__unnamed_18b0': [0x18, { 'Length48': [0, ['unsigned long']], 'Alignment48': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION': [0x10c, { 'APSTriggerBits': [4, ['unsigned long']], 
'CopyProtectionType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPMT_UNINITIALIZED', 1: 'D3DKMDT_VPPMT_NOPROTECTION', 2: 'D3DKMDT_VPPMT_MACROVISION_APSTRIGGER', 3: 'D3DKMDT_VPPMT_MACROVISION_FULLSUPPORT', 255: 'D3DKMDT_VPPMT_NOTSPECIFIED'}}]], 'CopyProtectionSupport': [264, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT']], 'OEMCopyProtection': [8, ['array', 256, ['unsigned char']]], }], 'tagHID_TLC_INFO': [0x20, { 'cExcludeRequest': [24, ['unsigned long']], 'link': [0, ['_LIST_ENTRY']], 'cExcludeOrphaned': [28, ['unsigned long']], 'cUsagePageRequest': [20, ['unsigned long']], 'usUsagePage': [8, ['unsigned short']], 'cDevices': [12, ['unsigned long']], 'cDirectRequest': [16, ['unsigned long']], 'usUsage': [10, ['unsigned short']], }], '__unnamed_1777': [0xc, { 'Translated': [0, ['__unnamed_1773']], 'Raw': [0, ['__unnamed_1775']], }], 'HWND__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION': [0x190, { 'TargetMode': [348, ['_D3DKMDT_VIDPN_TARGET_MODE']], 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], }], 'tagQ': [0x108, { 'hwndDblClk': [64, ['pointer', ['HWND__']]], 'timeDblClk': [60, ['unsigned long']], 'spwndFocus': [36, ['pointer', ['tagWND']]], 'ExtraInfo': [256, ['long']], 'cLockCount': [250, ['unsigned short']], 'iCursorLevel': [240, ['long']], 'ptiSysLock': [12, ['pointer', ['tagTHREADINFO']]], 'caret': [180, ['tagCARET']], 'ptiMouse': [24, ['pointer', ['tagTHREADINFO']]], 'spwndActivePrev': [44, ['pointer', ['tagWND']]], 'ptMouseMove': [76, ['tagPOINT']], 'msgDblClk': [52, ['unsigned long']], 'msgJournal': [252, ['unsigned long']], 'ptiKeyboard': [28, ['pointer', ['tagTHREADINFO']]], 'cThreads': [248, ['unsigned short']], 'QF_flags': [244, ['unsigned long']], 'mlInput': [0, ['tagMLIST']], 'spwndActive': [40, ['pointer', ['tagWND']]], 'codeCapture': [48, ['unsigned long']], 'idSysLock': [16, ['unsigned long']], 'spcurCurrent': [236, ['pointer', ['tagCURSOR']]], 'ulEtwReserved1': [260, ['unsigned 
long']], 'ptDblClk': [68, ['tagPOINT']], 'xbtnDblClk': [56, ['unsigned short']], 'afKeyRecentDown': [84, ['array', 32, ['unsigned char']]], 'afKeyState': [116, ['array', 64, ['unsigned char']]], 'spwndCapture': [32, ['pointer', ['tagWND']]], 'idSysPeek': [20, ['unsigned long']], }], 'tagUSERSTARTUPINFO': [0x1c, { 'wShowWindow': [24, ['unsigned short']], 'dwYSize': [16, ['unsigned long']], 'dwXSize': [12, ['unsigned long']], 'cbReserved2': [26, ['unsigned short']], 'cb': [0, ['unsigned long']], 'dwX': [4, ['unsigned long']], 'dwY': [8, ['unsigned long']], 'dwFlags': [20, ['unsigned long']], }], '_DMM_COMMITVIDPNREQUESTSET_SERIALIZATION': [0x8, { 'CommitVidPnRequestOffset': [4, ['array', 1, ['unsigned long']]], 'NumCommitVidPnRequests': [0, ['unsigned char']], }], '_DMM_MONITORDESCRIPTORSET_SERIALIZATION': [0x90, { 'NumDescriptors': [0, ['unsigned char']], 'DescriptorSerialization': [4, ['array', 1, ['_DMM_MONITORDESCRIPTOR_SERIALIZATION']]], }], '_DMM_MONITORSOURCEMODESET_SERIALIZATION': [0x54, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [4, ['array', 1, ['_DMM_MONITOR_SOURCE_MODE_SERIALIZATION']]], }], '_VK_FUNCTION_PARAM': [0x8, { 'NLSFEProcIndex': [0, ['unsigned char']], 'NLSFEProcParam': [4, ['unsigned long']], }], '_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES': [0x10, { 'SecondChannel': [4, ['unsigned long']], 'FourthChannel': [12, ['unsigned long']], 'ThirdChannel': [8, ['unsigned long']], 'FirstChannel': [0, ['unsigned long']], }], 'tagMLIST': [0xc, { 'cMsgs': [8, ['unsigned long']], 'pqmsgRead': [0, ['pointer', ['tagQMSG']]], 'pqmsgWriteLast': [4, ['pointer', ['tagQMSG']]], }], '__unnamed_122d': [0x10, { 'DeviceIoControl': [0, ['__unnamed_11e4']], 'QuerySecurity': [0, ['__unnamed_11e6']], 'ReadWriteConfig': [0, ['__unnamed_1204']], 'Create': [0, ['__unnamed_11c5']], 'SetSecurity': [0, ['__unnamed_11e8']], 'Write': [0, ['__unnamed_11cf']], 'VerifyVolume': [0, ['__unnamed_11ec']], 'WMI': [0, ['__unnamed_1229']], 'CreateMailslot': [0, ['__unnamed_11cd']], 
'FilterResourceRequirements': [0, ['__unnamed_1202']], 'SetFile': [0, ['__unnamed_11d9']], 'MountVolume': [0, ['__unnamed_11ec']], 'FileSystemControl': [0, ['__unnamed_11df']], 'UsageNotification': [0, ['__unnamed_1213']], 'Scsi': [0, ['__unnamed_11f0']], 'WaitWake': [0, ['__unnamed_1217']], 'QueryFile': [0, ['__unnamed_11d7']], 'QueryDeviceText': [0, ['__unnamed_120e']], 'CreatePipe': [0, ['__unnamed_11c9']], 'Power': [0, ['__unnamed_1223']], 'QueryDeviceRelations': [0, ['__unnamed_11f4']], 'Read': [0, ['__unnamed_11cf']], 'StartDevice': [0, ['__unnamed_1227']], 'QueryDirectory': [0, ['__unnamed_11d3']], 'PowerSequence': [0, ['__unnamed_121b']], 'QueryId': [0, ['__unnamed_120a']], 'LockControl': [0, ['__unnamed_11e2']], 'NotifyDirectory': [0, ['__unnamed_11d5']], 'QueryInterface': [0, ['__unnamed_11fa']], 'Others': [0, ['__unnamed_122b']], 'QueryVolume': [0, ['__unnamed_11dd']], 'SetLock': [0, ['__unnamed_1206']], 'DeviceCapabilities': [0, ['__unnamed_11fe']], }], '__unnamed_122b': [0x10, { 'Argument4': [12, ['pointer', ['void']]], 'Argument2': [4, ['pointer', ['void']]], 'Argument3': [8, ['pointer', ['void']]], 'Argument1': [0, ['pointer', ['void']]], }], 'tagMENUSTATE': [0x64, { 'fDragAndDrop': [4, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fInsideMenuLoop': [4, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'cxAni': [84, ['long']], 'pGlobalPopupMenu': [0, ['pointer', ['tagPOPUPMENU']]], 'uDraggingIndex': [60, ['unsigned long']], 'uDraggingHitArea': [56, ['unsigned long']], 'fNotifyByPos': [4, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'fButtonDown': [4, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'ixAni': [76, ['long']], 'fInCallHandleMenuMessages': [4, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'mnFocus': [16, ['long']], 'iyAni': [80, ['long']], 'dwLockCount': [28, ['unsigned long']], 'fAutoDismiss': [4, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'fIsSysMenu': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'dwAniStartTime': [72, 
['unsigned long']], 'pmnsPrev': [32, ['pointer', ['tagMENUSTATE']]], 'fInEndMenu': [4, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'hbmAni': [92, ['pointer', ['HBITMAP__']]], 'fIgnoreButtonUp': [4, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ptButtonDown': [36, ['tagPOINT']], 'hdcWndAni': [68, ['pointer', ['HDC__']]], 'fAboutToAutoDismiss': [4, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'fMenuStarted': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'uDraggingFlags': [64, ['unsigned long']], 'fUnderline': [4, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'fInDoDragDrop': [4, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'ptiMenuStateOwner': [24, ['pointer', ['tagTHREADINFO']]], 'uButtonDownIndex': [48, ['unsigned long']], 'fModelessMenu': [4, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'cyAni': [88, ['long']], 'uButtonDownHitArea': [44, ['unsigned long']], 'fButtonAlwaysDown': [4, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'iAniDropDir': [4, ['BitField', {'end_bit': 24, 'start_bit': 19}]], 'ptMouseLast': [8, ['tagPOINT']], 'hdcAni': [96, ['pointer', ['HDC__']]], 'vkButtonDown': [52, ['long']], 'fSetCapture': [4, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'fDragging': [4, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fActiveNoForeground': [4, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'fMouseOffMenu': [4, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'cmdLast': [20, ['long']], }], 'tagMSGPPINFO': [0x4, { 'dwIndexMsgPP': [0, ['unsigned long']], }], 'VWPLELEMENT': [0x8, { 'DataOrTag': [0, ['unsigned long']], 'pwnd': [4, ['pointer', ['tagWND']]], }], '_WM_VALUES_STRINGS': [0x8, { 'pszName': [0, ['pointer', ['unsigned char']]], 'fInternal': [4, ['unsigned char']], 'fDefined': [5, ['unsigned char']], }], 'tagCLIP': [0xc, { 'fmt': [0, ['unsigned long']], 'fGlobalHandle': [8, ['long']], 'hData': [4, ['pointer', ['void']]], }], '__unnamed_1229': [0x10, { 'Buffer': [12, ['pointer', ['void']]], 'ProviderId': [0, ['unsigned 
long']], 'BufferSize': [8, ['unsigned long']], 'DataPath': [4, ['pointer', ['void']]], }], '__unnamed_1227': [0x8, { 'AllocatedResources': [0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated': [4, ['pointer', ['_CM_RESOURCE_LIST']]], }], '_HEAD': [0x8, { 'h': [0, ['pointer', ['void']]], 'cLockObj': [4, ['unsigned long']], }], '__unnamed_1223': [0x10, { 'State': [8, ['_POWER_STATE']], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'SystemPowerState', 1: 'DevicePowerState'}}]], 'SystemContext': [0, ['unsigned long']], 'ShutdownType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'}}]], 'SystemPowerStateContext': [0, ['_SYSTEM_POWER_STATE_CONTEXT']], }], '__unnamed_11e6': [0x8, { 'Length': [4, ['unsigned long']], 'SecurityInformation': [0, ['unsigned long']], }], 'tagQMSG': [0x40, { 'FromPen': [52, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'pti': [56, ['pointer', ['tagTHREADINFO']]], 'ExtraInfo': [36, ['long']], 'Wow64Message': [52, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pqmsgPrev': [4, ['pointer', ['tagQMSG']]], 'NoCoalesce': [52, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'Padding': [48, ['BitField', {'end_bit': 32, 'start_bit': 30}]], 'ptMouseReal': [40, ['tagPOINT']], 'pqmsgNext': [0, ['pointer', ['tagQMSG']]], 'dwQEvent': [48, ['BitField', {'end_bit': 30, 'start_bit': 0}]], 'MsgPPInfo': [60, ['tagMSGPPINFO']], 'FromTouch': [52, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'msg': [8, ['tagMSG']], }], 'HWINSTA__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32PoolHead': [0x10, { 'pPrev': [4, ['pointer', ['tagWin32PoolHead']]], 'pTrace': [12, ['pointer', ['pointer', ['void']]]], 'pNext': [8, ['pointer', ['tagWin32PoolHead']]], 'size': [0, ['unsigned long']], }], 'tagTOUCHINPUT': [0x28, { 'hSource': [8, 
['pointer', ['void']]], 'dwExtraInfo': [28, ['unsigned long']], 'cxContact': [32, ['unsigned long']], 'dwMask': [20, ['unsigned long']], 'y': [4, ['long']], 'x': [0, ['long']], 'dwID': [12, ['unsigned long']], 'cyContact': [36, ['unsigned long']], 'dwTime': [24, ['unsigned long']], 'dwFlags': [16, ['unsigned long']], }], '_CALLBACKWND': [0xc, { 'hwnd': [0, ['pointer', ['HWND__']]], 'pActCtx': [8, ['pointer', ['_ACTIVATION_CONTEXT']]], 'pwnd': [4, ['pointer', ['tagWND']]], }], 'HMONITOR__': [0x4, { 'unused': [0, ['long']], }], '_D3DKMDT_GRAPHICS_RENDERING_FORMAT': [0x20, { 'VisibleRegionSize': [8, ['_D3DKMDT_2DREGION']], 'Stride': [16, ['unsigned long']], 'PixelFormat': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDIFMT_UNKNOWN', 20: 'D3DDDIFMT_R8G8B8', 21: 'D3DDDIFMT_A8R8G8B8', 22: 'D3DDDIFMT_X8R8G8B8', 23: 'D3DDDIFMT_R5G6B5', 24: 'D3DDDIFMT_X1R5G5B5', 25: 'D3DDDIFMT_A1R5G5B5', 26: 'D3DDDIFMT_A4R4G4B4', 27: 'D3DDDIFMT_R3G3B2', 28: 'D3DDDIFMT_A8', 29: 'D3DDDIFMT_A8R3G3B2', 30: 'D3DDDIFMT_X4R4G4B4', 31: 'D3DDDIFMT_A2B10G10R10', 32: 'D3DDDIFMT_A8B8G8R8', 33: 'D3DDDIFMT_X8B8G8R8', 34: 'D3DDDIFMT_G16R16', 35: 'D3DDDIFMT_A2R10G10B10', 36: 'D3DDDIFMT_A16B16G16R16', 40: 'D3DDDIFMT_A8P8', 41: 'D3DDDIFMT_P8', 50: 'D3DDDIFMT_L8', 51: 'D3DDDIFMT_A8L8', 52: 'D3DDDIFMT_A4L4', 60: 'D3DDDIFMT_V8U8', 61: 'D3DDDIFMT_L6V5U5', 62: 'D3DDDIFMT_X8L8V8U8', 63: 'D3DDDIFMT_Q8W8V8U8', 64: 'D3DDDIFMT_V16U16', 65: 'D3DDDIFMT_W11V11U10', 67: 'D3DDDIFMT_A2W10V10U10', 877942852: 'D3DDDIFMT_DXT4', 70: 'D3DDDIFMT_D16_LOCKABLE', 71: 'D3DDDIFMT_D32', 72: 'D3DDDIFMT_S1D15', 73: 'D3DDDIFMT_D15S1', 74: 'D3DDDIFMT_S8D24', 75: 'D3DDDIFMT_D24S8', 76: 'D3DDDIFMT_X8D24', 77: 'D3DDDIFMT_D24X8', 78: 'D3DDDIFMT_X4S4D24', 79: 'D3DDDIFMT_D24X4S4', 80: 'D3DDDIFMT_D16', 81: 'D3DDDIFMT_L16', 82: 'D3DDDIFMT_D32F_LOCKABLE', 83: 'D3DDDIFMT_D24FS8', 84: 'D3DDDIFMT_D32_LOCKABLE', 85: 'D3DDDIFMT_S8_LOCKABLE', 100: 'D3DDDIFMT_VERTEXDATA', 101: 'D3DDDIFMT_INDEX16', 102: 'D3DDDIFMT_INDEX32', 110: 
'D3DDDIFMT_Q16W16V16U16', 111: 'D3DDDIFMT_R16F', 112: 'D3DDDIFMT_G16R16F', 113: 'D3DDDIFMT_A16B16G16R16F', 114: 'D3DDDIFMT_R32F', 115: 'D3DDDIFMT_G32R32F', 116: 'D3DDDIFMT_A32B32G32R32F', 117: 'D3DDDIFMT_CxV8U8', 118: 'D3DDDIFMT_A1', 119: 'D3DDDIFMT_A2B10G10R10_XR_BIAS', 150: 'D3DDDIFMT_PICTUREPARAMSDATA', 151: 'D3DDDIFMT_MACROBLOCKDATA', 152: 'D3DDDIFMT_RESIDUALDIFFERENCEDATA', 153: 'D3DDDIFMT_DEBLOCKINGDATA', 154: 'D3DDDIFMT_INVERSEQUANTIZATIONDATA', 155: 'D3DDDIFMT_SLICECONTROLDATA', 156: 'D3DDDIFMT_BITSTREAMDATA', 157: 'D3DDDIFMT_MOTIONVECTORBUFFER', 158: 'D3DDDIFMT_FILMGRAINBUFFER', 159: 'D3DDDIFMT_DXVA_RESERVED9', 160: 'D3DDDIFMT_DXVA_RESERVED10', 161: 'D3DDDIFMT_DXVA_RESERVED11', 162: 'D3DDDIFMT_DXVA_RESERVED12', 163: 'D3DDDIFMT_DXVA_RESERVED13', 164: 'D3DDDIFMT_DXVA_RESERVED14', 165: 'D3DDDIFMT_DXVA_RESERVED15', 166: 'D3DDDIFMT_DXVA_RESERVED16', 167: 'D3DDDIFMT_DXVA_RESERVED17', 168: 'D3DDDIFMT_DXVA_RESERVED18', 169: 'D3DDDIFMT_DXVA_RESERVED19', 170: 'D3DDDIFMT_DXVA_RESERVED20', 171: 'D3DDDIFMT_DXVA_RESERVED21', 172: 'D3DDDIFMT_DXVA_RESERVED22', 173: 'D3DDDIFMT_DXVA_RESERVED23', 174: 'D3DDDIFMT_DXVA_RESERVED24', 175: 'D3DDDIFMT_DXVA_RESERVED25', 176: 'D3DDDIFMT_DXVA_RESERVED26', 177: 'D3DDDIFMT_DXVA_RESERVED27', 178: 'D3DDDIFMT_DXVA_RESERVED28', 179: 'D3DDDIFMT_DXVA_RESERVED29', 180: 'D3DDDIFMT_DXVA_RESERVED30', 181: 'D3DDDIFMT_DXVACOMPBUFFER_MAX', 844388420: 'D3DDDIFMT_DXT2', 199: 'D3DDDIFMT_BINARYBUFFER', 861165636: 'D3DDDIFMT_DXT3', 827611204: 'D3DDDIFMT_DXT1', 827606349: 'D3DDDIFMT_MULTI2_ARGB8', 1195525970: 'D3DDDIFMT_R8G8_B8G8', 1498831189: 'D3DDDIFMT_UYVY', 844715353: 'D3DDDIFMT_YUY2', 894720068: 'D3DDDIFMT_DXT5', 1111970375: 'D3DDDIFMT_G8R8_G8B8', 2147483647: 'D3DDDIFMT_FORCE_UINT'}}]], 'PixelValueAccessMode': [28, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_PVAM_UNINITIALIZED', 1: 'D3DKMDT_PVAM_DIRECT', 2: 'D3DKMDT_PVAM_PRESETPALETTE', 3: 'D3DKMDT_PVAM_MAXVALID'}}]], 'PrimSurfSize': [0, ['_D3DKMDT_2DREGION']], 'ColorBasis': [24, 
['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], '_VK_TO_WCHAR_TABLE': [0x8, { 'pVkToWchars': [0, ['pointer', ['_VK_TO_WCHARS1']]], 'cbSize': [5, ['unsigned char']], 'nModifications': [4, ['unsigned char']], }], '_TL': [0xc, { 'pfnFree': [8, ['pointer', ['void']]], 'pobj': [4, ['pointer', ['void']]], 'next': [0, ['pointer', ['_TL']]], }], '_MOVESIZEDATA': [0xdc, { 'fmsKbd': [160, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'fMoveFromMax': [160, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fSnapMoving': [160, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'ptRestore': [152, ['tagPOINT']], 'fUsePreviewRect': [160, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'ptStartHitWindowRelative': [192, ['tagPOINT']], 'CurrentHitTarget': [176, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fHasSoftwareCursor': [160, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'fCheckPtForcefullyRestored': [160, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'fSnapMovingTemporaryAllowed': [160, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'Unused': [160, ['BitField', {'end_bit': 32, 'start_bit': 28}]], 'fOffScreen': [160, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'fWindowWasSuperMaximized': [160, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'StartCurrentHitTarget': [168, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fSnapSizing': [160, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fIsMoveSizeLoop': [160, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'rcPreviewCursor': [52, ['tagRECT']], 'dyMouse': [136, ['long']], 
'fVerticallyMaximizedRight': [160, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'fTrackCancelled': [160, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'impx': [144, ['long']], 'impy': [148, ['long']], 'fLockWindowUpdate': [160, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'fStartVerticallyMaximizedLeft': [160, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ptMinTrack': [84, ['tagPOINT']], 'pMonitorCurrentHitTarget': [172, ['pointer', ['tagMONITOR']]], 'rcWindow': [100, ['tagRECT']], 'pStartMonitorCurrentHitTarget': [164, ['pointer', ['tagMONITOR']]], 'cmd': [140, ['long']], 'ptMaxTrack': [92, ['tagPOINT']], 'fForceSizing': [160, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'fThresholdSelector': [160, ['BitField', {'end_bit': 18, 'start_bit': 15}]], 'MoveRectStyle': [180, ['Enumeration', {'target': 'long', 'choices': {0: 'MoveRectKeepPositionAtCursor', 1: 'MoveRectMidTopAtCursor', 2: 'MoveRectKeepAspectRatioAtCursor', 3: 'MoveRectSidewiseKeepPositionAtCursor'}}]], 'fDragFullWindows': [160, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'fForeground': [160, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'ulCountDragOutOfLeftRightTarget': [212, ['unsigned long']], 'ptLastTrack': [200, ['tagPOINT']], 'frcNormalCheckPtValid': [160, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'fIsHitPtOffScreen': [160, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'fSnapSizingTemporaryAllowed': [160, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'fInitSize': [160, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'dxMouse': [132, ['long']], 'fStartVerticallyMaximizedRight': [160, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'ulCountDragOutOfTopTarget': [208, ['unsigned long']], 'fVerticallyMaximizedLeft': [160, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'spwnd': [0, ['pointer', ['tagWND']]], 'fHasPreviewRect': [160, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'rcPreview': [36, ['tagRECT']], 'rcDragCursor': [20, ['tagRECT']], 'Flags': [160, ['unsigned 
long']], 'ptHitWindowRelative': [184, ['tagPOINT']], 'rcParent': [68, ['tagRECT']], 'ulCountSizeOutOfTopBottomTarget': [216, ['unsigned long']], 'rcNormalStartCheckPt': [116, ['tagRECT']], 'rcDrag': [4, ['tagRECT']], }], '_LARGE_UNICODE_STRING': [0xc, { 'Buffer': [8, ['pointer', ['unsigned short']]], 'Length': [0, ['unsigned long']], 'MaximumLength': [4, ['BitField', {'end_bit': 31, 'start_bit': 0}]], 'bAnsi': [4, ['BitField', {'end_bit': 32, 'start_bit': 31}]], }], 'VSC_LPWSTR': [0x8, { 'vsc': [0, ['unsigned char']], 'pwsz': [4, ['pointer', ['unsigned short']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION': [0x10, { 'Scaling': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPS_UNINITIALIZED', 1: 'D3DKMDT_VPPS_IDENTITY', 2: 'D3DKMDT_VPPS_CENTERED', 3: 'D3DKMDT_VPPS_STRETCHED', 4: 'D3DKMDT_VPPS_ASPECTRATIOCENTEREDMAX', 5: 'D3DKMDT_VPPS_CUSTOM', 253: 'D3DKMDT_VPPS_RESERVED1', 254: 'D3DKMDT_VPPS_UNPINNED', 255: 'D3DKMDT_VPPS_NOTSPECIFIED'}}]], 'RotationSupport': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT']], 'Rotation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPR_UNINITIALIZED', 1: 'D3DKMDT_VPPR_IDENTITY', 2: 'D3DKMDT_VPPR_ROTATE90', 3: 'D3DKMDT_VPPR_ROTATE180', 4: 'D3DKMDT_VPPR_ROTATE270', 254: 'D3DKMDT_VPPR_UNPINNED', 255: 'D3DKMDT_VPPR_NOTSPECIFIED'}}]], 'ScalingSupport': [4, ['_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT']], }], 'tagUAHMENUPOPUPMETRICS': [0x14, { 'rgcx': [0, ['array', 4, ['long']]], 'fUpdateMaxWidths': [16, ['BitField', {'end_bit': 1, 'start_bit': 0}]], }], '_THROBJHEAD': [0xc, { 'h': [0, ['pointer', ['void']]], 'pti': [8, ['pointer', ['tagTHREADINFO']]], 'cLockObj': [4, ['unsigned long']], }], '_DMM_COFUNCPATHSMODALITY_SERIALIZATION': [0x8, { 'NumPathsFromSource': [0, ['unsigned char']], 'PathAndTargetModeSetOffset': [4, ['array', 1, ['unsigned long']]], }], 'tagSBTRACK': [0x44, { 'spwndSBNotify': [12, ['pointer', ['tagWND']]], 'hTimerSB': [40, ['unsigned long']], 'cmdSB': [36, ['unsigned 
long']], 'xxxpfnSB': [32, ['pointer', ['void']]], 'fTrackVert': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'posNew': [56, ['long']], 'posOld': [52, ['long']], 'fCtlSB': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'rcTrack': [16, ['tagRECT']], 'fTrackRecalc': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'spwndSB': [8, ['pointer', ['tagWND']]], 'spwndTrack': [4, ['pointer', ['tagWND']]], 'dpxThumb': [44, ['long']], 'pxOld': [48, ['long']], 'fHitOld': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pSBCalc': [64, ['pointer', ['tagSBCALC']]], 'nBar': [60, ['long']], }], '__unnamed_18ae': [0x18, { 'Length40': [0, ['unsigned long']], 'Alignment40': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '__unnamed_18ac': [0xc, { 'Priority': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_1217': [0x4, { 'PowerState': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'}}]], }], '__unnamed_18aa': [0x10, { 'MinBusNumber': [4, ['unsigned long']], 'Length': [0, ['unsigned long']], 'Reserved': [12, ['unsigned long']], 'MaxBusNumber': [8, ['unsigned long']], }], 'tagDPISERVERINFO': [0x18, { 'hMsgFont': [8, ['pointer', ['HFONT__']]], 'hCaptionFont': [4, ['pointer', ['HFONT__']]], 'gclBorder': [0, ['long']], 'cxMsgFontChar': [12, ['long']], 'wMaxBtnSize': [20, ['unsigned long']], 'cyMsgFontChar': [16, ['long']], }], 'tagOEMBITMAPINFO': [0x10, { 'y': [4, ['long']], 'x': [0, ['long']], 'cy': [12, ['long']], 'cx': [8, ['long']], }], '__unnamed_1787': [0xc, { 'Dma': [0, ['__unnamed_1779']], 'MessageInterrupt': [0, ['__unnamed_1777']], 'Generic': [0, ['__unnamed_1771']], 'Memory': [0, ['__unnamed_1771']], 'BusNumber': [0, 
['__unnamed_177d']], 'DeviceSpecificData': [0, ['__unnamed_177f']], 'Memory48': [0, ['__unnamed_1783']], 'Memory40': [0, ['__unnamed_1781']], 'DevicePrivate': [0, ['__unnamed_177b']], 'Memory64': [0, ['__unnamed_1785']], 'Interrupt': [0, ['__unnamed_1773']], 'Port': [0, ['__unnamed_1771']], }], '__unnamed_1785': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length64': [8, ['unsigned long']], }], '__unnamed_1783': [0xc, { 'Length48': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], '__unnamed_1781': [0xc, { 'Length40': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], 'HICON__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNTARGETMODESET_SERIALIZATION': [0x38, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [4, ['array', 1, ['_D3DKMDT_VIDPN_TARGET_MODE']]], }], '_D3DMATRIX': [0x40, { '_33': [40, ['float']], '_42': [52, ['float']], '_43': [56, ['float']], '_44': [60, ['float']], '_34': [44, ['float']], '_14': [12, ['float']], '_13': [8, ['float']], '_12': [4, ['float']], '_11': [0, ['float']], '_41': [48, ['float']], '_31': [32, ['float']], '_24': [28, ['float']], '_32': [36, ['float']], '_22': [20, ['float']], '_23': [24, ['float']], '_21': [16, ['float']], }], '__unnamed_18a6': [0x14, { 'AffinityPolicy': [8, ['unsigned short']], 'Group': [10, ['unsigned short']], 'PriorityPolicy': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'}}]], 'MinimumVector': [0, ['unsigned long']], 'MaximumVector': [4, ['unsigned long']], 'TargetedProcessors': [16, ['unsigned long']], }], '__unnamed_18a2': [0x18, { 'Length': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment': [4, ['unsigned long']], }], '__unnamed_18a8': [0x8, { 'MinimumChannel': [0, ['unsigned long']], 'MaximumChannel': [4, ['unsigned long']], }], 'HGESTUREINFO__': [0x4, { 'unused': [0, ['long']], }], 
'_VK_TO_FUNCTION_TABLE': [0x84, { 'NLSFEProcType': [1, ['unsigned char']], 'NLSFEProcSwitch': [3, ['unsigned char']], 'Vk': [0, ['unsigned char']], 'NLSFEProcCurrent': [2, ['unsigned char']], 'NLSFEProcAlt': [68, ['array', 8, ['_VK_FUNCTION_PARAM']]], 'NLSFEProc': [4, ['array', 8, ['_VK_FUNCTION_PARAM']]], }], '_DMM_VIDPNPATHANDTARGETMODESET_SERIALIZATION': [0x194, { 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], 'TargetModeSet': [348, ['_DMM_VIDPNTARGETMODESET_SERIALIZATION']], }], '__unnamed_11c5': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'EaLength': [12, ['unsigned long']], 'SecurityContext': [0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'FileAttributes': [8, ['unsigned short']], }], 'HDESK__': [0x4, { 'unused': [0, ['long']], }], 'VK_TO_BIT': [0x2, { 'Vk': [0, ['unsigned char']], 'ModBits': [1, ['unsigned char']], }], '__unnamed_11c9': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'Reserved': [8, ['unsigned short']], 'SecurityContext': [0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'Parameters': [12, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], }], 'MODIFIERS': [0x8, { 'wMaxModBits': [4, ['unsigned short']], 'pVkToBit': [0, ['pointer', ['VK_TO_BIT']]], 'ModNumber': [6, ['array', 0, ['unsigned char']]], }], 'tagIMEINFOEX': [0x15c, { 'fSysWow64Only': [344, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'wszImeFile': [184, ['array', 80, ['wchar']]], 'fLoadFlag': [72, ['long']], 'hkl': [0, ['pointer', ['HKL__']]], 'dwImeWinVersion': [80, ['unsigned long']], 'dwProdVersion': [76, ['unsigned long']], 'wszImeDescription': [84, ['array', 50, ['wchar']]], 'fCUASLayer': [344, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'ImeInfo': [4, ['tagIMEINFO']], 'wszUIClass': [32, ['array', 16, ['wchar']]], 'fInitOpen': [68, ['long']], 'fdwInitConvMode': [64, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT': [0x4, { 'MacroVisionFull': [0, ['BitField', {'end_bit': 3, 
'start_bit': 2}]], 'MacroVisionApsTrigger': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'NoProtection': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Reserved': [0, ['BitField', {'end_bit': 32, 'start_bit': 3}]], }], 'tagWND': [0xb0, { 'bEraseBackground': [20, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'spwndOwner': [60, ['pointer', ['tagWND']]], 'bWS_EX_LAYERED': [28, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bWS_CLIPCHILDREN': [32, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bMaximizeButtonDown': [24, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'cbwndExtra': [144, ['long']], 'bMakeVisibleWhenUnghosted': [28, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bUIStateActive': [28, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'hMod16': [40, ['unsigned short']], 'bWS_TABSTOP': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bUnused8': [32, ['BitField', {'end_bit': 18, 'start_bit': 16}]], 'bWS_EX_NOPARENTNOTIFY': [28, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bForceFullNCPaintClipRgn': [24, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'bDialogWindow': [20, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'lpfnWndProc': [96, ['pointer', ['void']]], 'bWS_EX_RTLREADING': [28, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'bMinimizeButtonDown': [24, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'bUnused2': [28, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bUnused3': [28, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bUnused4': [28, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bHasMeun': [20, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bUnused6': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bUnused7': [32, ['BitField', {'end_bit': 18, 'start_bit': 16}]], 'bWS_SIZEBOX': [32, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'style': [32, ['unsigned long']], 'ppropList': [108, ['pointer', ['tagPROPLIST']]], 'hrgnNewFrame': [128, ['pointer', ['HRGN__']]], 'bHasOverlay': [172, 
['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bUnused9': [32, ['BitField', {'end_bit': 19, 'start_bit': 16}]], 'bClipboardListener': [172, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bScrollBarLineDownBtnDown': [24, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bReserved3': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bRedirectedForPrint': [172, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bWS_EX_RIGHT': [28, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bStartPaint': [24, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bHasCreatestructName': [20, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bWS_EX_COMPOSITED': [28, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bFullScreen': [24, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spwndLastActive': [148, ['pointer', ['tagWND']]], 'hrgnUpdate': [104, ['pointer', ['HRGN__']]], 'head': [0, ['_THRDESKHEAD']], 'bConsoleWindow': [172, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'bHiddenPopup': [20, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'hrgnClip': [124, ['pointer', ['HRGN__']]], 'bWS_EX_CONTROLPARENT': [28, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bWS_EX_TOPMOST': [28, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'bSendEraseBackground': [20, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bScrollBarLineUpBtnDown': [24, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bWin50Compat': [24, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'bRecievedQuerySuspendMsg': [20, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bMaximizeMonitorRegion': [24, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bLayeredLimbo': [172, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'bRedrawIfHung': [20, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'FullScreenMode': [24, ['BitField', {'end_bit': 27, 'start_bit': 24}]], 'bLayeredInvalidate': [172, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bVerticallyMaximizedLeft': [172, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 
'bWS_POPUP': [32, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bWS_EX_CONTEXTHELP': [28, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'dwUserData': [156, ['unsigned long']], 'bDisabled': [32, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'bAnsiWindowProc': [20, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bWin40Compat': [24, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bWS_EX_NOINHERITLAYOUT': [28, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'rcClient': [80, ['tagRECT']], 'bAnsiCreator': [20, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bAnyScrollButtonDown': [24, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bWS_EX_LAYOUTRTL': [28, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bUIStateKbdAccelHidden': [28, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'bSendSizeMoveMsgs': [20, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'spwndParent': [52, ['pointer', ['tagWND']]], 'bLinked': [172, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'bSendNCPaint': [20, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bToggleTopmost': [20, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'bInternalPaint': [20, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bDestroyed': [20, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bHasClientEdge': [24, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bServerSideWindowProc': [20, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bCaptionTextTruncated': [24, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'rcWindow': [64, ['tagRECT']], 'bEndPaintInvalidate': [24, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bHasPalette': [20, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bHasHorizontalScrollbar': [20, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bUIStateFocusRectHidden': [28, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bReserved1': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_EX_COMPOSITEDCompositing': [28, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 
'bWS_EX_MDICHILD': [28, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bHasVerticalScrollbar': [20, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bReserved2': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWMCreateMsgProcessed': [24, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bMinimized': [32, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bWS_EX_NOACTIVATE': [28, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'bWS_EX_APPWINDOW': [28, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'pSBInfo': [112, ['pointer', ['tagSBINFO']]], 'bSmallIconFromWMQueryDrag': [24, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bNoNCPaint': [20, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bCloseButtonDown': [24, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bUnused1': [28, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bHasSPB': [20, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'bWS_MINIMIZEBOX': [32, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bMaximized': [32, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bScrollBarVerticalTracking': [24, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bWS_CHILD': [32, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'bReserved5': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_EX_DLGMODALFRAME': [28, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bWS_EX_TRANSPARENT': [28, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'spmenu': [120, ['pointer', ['tagMENU']]], 'bWS_THICKFRAME': [32, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bPaintNotProcessed': [20, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bSyncPaintPending': [20, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pcls': [100, ['pointer', ['tagCLS']]], 'bLayeredForDWM': [172, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bMsgBox': [20, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'bShellHookRegistered': [24, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'spwndChild': [56, ['pointer', ['tagWND']]], 'bUnused5': [32, 
['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bHelpButtonDown': [24, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bInDestroy': [24, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'state': [20, ['unsigned long']], 'strName': [132, ['_LARGE_UNICODE_STRING']], 'spwndPrev': [48, ['pointer', ['tagWND']]], 'bRedrawFrameIfHung': [20, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'bWS_EX_LEFTSCROLLBAR': [28, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'bWS_EX_TOOLWINDOW': [28, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'bWS_VSCROLL': [32, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bMaximizesToMonitor': [20, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'bNoMinmaxAnimatedRects': [24, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'fnid': [42, ['unsigned short']], 'ExStyle': [28, ['unsigned long']], 'bRedirected': [28, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bActiveFrame': [20, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bReserved4': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_EX_WINDOWEDGE': [28, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bReserved6': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bReserved7': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_CLIPSIBLINGS': [32, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'bWS_EX_ACCEPTFILE': [28, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bWS_HSCROLL': [32, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bUpdateDirty': [20, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'bBeingActivated': [20, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'state2': [24, ['unsigned long']], 'spwndNext': [44, ['pointer', ['tagWND']]], 'bScrollBarPageDownBtnDown': [24, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bWS_BORDER': [32, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'bWMPaintSent': [24, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bScrollBarPageUpBtnDown': [24, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'pTransform': 
[164, ['pointer', ['_D3DMATRIX']]], 'bWS_MAXIMIZEBOX': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bVisible': [32, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'bVerticallyMaximizedRight': [172, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bWin31Compat': [24, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bWS_EX_STATICEDGE': [28, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bForceMenuDraw': [20, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bForceNCPaint': [24, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'ExStyle2': [172, ['unsigned long']], 'bOldUI': [24, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'bWS_DLGFRAME': [32, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bHIGHDPI_UNAWARE_Unused': [172, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bWS_SYSMENU': [32, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'spwndClipboardListenerNext': [168, ['pointer', ['tagWND']]], 'hModule': [36, ['pointer', ['void']]], 'bWS_EX_NOPADDEDBORDER': [28, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pActCtx': [160, ['pointer', ['_ACTIVATION_CONTEXT']]], 'bBottomMost': [24, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'spmenuSys': [116, ['pointer', ['tagMENU']]], 'bRecievedSuspendMsg': [20, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bWS_EX_CLIENTEDGE': [28, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bHasCaption': [20, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'hImc': [152, ['pointer', ['HIMC__']]], 'bChildNoActivate': [172, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bWS_GROUP': [32, ['BitField', {'end_bit': 18, 'start_bit': 17}]], }], 'tagUAHMENUITEMMETRICS': [0x20, { 'rgsizeBar': [0, ['array', 2, ['tagSIZE']]], 'rgsizePopup': [0, ['array', 4, ['tagSIZE']]], }], '__unnamed_11cd': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'Reserved': [8, ['unsigned short']], 'SecurityContext': [0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'Parameters': [12, ['pointer', 
['_MAILSLOT_CREATE_PARAMETERS']]], }], '__unnamed_11cf': [0x10, { 'Length': [0, ['unsigned long']], 'ByteOffset': [8, ['_LARGE_INTEGER']], 'Key': [4, ['unsigned long']], }], '_DXGK_DIAG_CODE_POINT_PACKET': [0x40, { 'Header': [0, ['_DXGK_DIAG_HEADER']], 'Param3': [60, ['unsigned long']], 'Param1': [52, ['unsigned long']], 'CodePointType': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_CODE_POINT_TYPE_NONE', 1: 'DXGK_DIAG_CODE_POINT_TYPE_RECOMMEND_FUNC_VIDPN', 2: 'DXGK_DIAG_CODE_POINT_TYPE_OS_RECOMMENDED_VIDPN', 3: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_LOG_FAILURE', 4: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_INVALIDATE_ERROR', 5: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_LOG_FAILURE', 7: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_FAILURE_DB', 8: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_BTL', 9: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_DB', 10: 'DXGK_DIAG_CODE_POINT_TYPE_QDC_LOG_FAILURE', 11: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_GDI', 12: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_GDI', 13: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_MONITOR', 14: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_MONITOR', 15: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_DIM_MONITOR', 16: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_UNDIM_MONITOR', 17: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BACKTRACK', 18: 'DXGK_DIAG_CODE_POINT_TYPE_BML_CLOSEST_TARGET_MODE', 19: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_SOURCE_MODE', 20: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_TARGET_MODE', 21: 'DXGK_DIAG_CODE_POINT_TYPE_BML_SOURCE_MODE_NOT_PINNED', 22: 'DXGK_DIAG_CODE_POINT_TYPE_BML_TARGET_MODE_NOT_PINNED', 23: 'DXGK_DIAG_CODE_POINT_TYPE_BML_RESTARTED', 24: 'DXGK_DIAG_CODE_POINT_TYPE_TDR', 25: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_EVENT_NOTIFICATION', 26: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEMDEV_USE_DEFAULT_MODE', 27: 'DXGK_DIAG_CODE_POINT_TYPE_CONNECTED_SET_LOG_FAILURE', 28: 'DXGK_DIAG_CODE_POINT_TYPE_INVALIDATE_DXGK_MODE_CACHE', 29: 'DXGK_DIAG_CODE_POINT_TYPE_REBUILD_DXGK_MODE_CACHE', 30: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_RELAX_REFRESH_MATCH', 31: 
'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_CCDBML_FAIL_VISTABML_SUCCESSED', 32: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_SOURCE_MODE', 33: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_TARGET_MODE', 34: 'DXGK_DIAG_CODE_POINT_TYPE_ADD_DEVICE', 35: 'DXGK_DIAG_CODE_POINT_TYPE_START_ADAPTER', 36: 'DXGK_DIAG_CODE_POINT_TYPE_STOP_ADAPTER', 37: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING', 38: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING_TARGET', 39: 'DXGK_DIAG_CODE_POINT_TYPE_INDICATE_CHILD_STATUS', 40: 'DXGK_DIAG_CODE_POINT_TYPE_HANDLE_IRP', 41: 'DXGK_DIAG_CODE_POINT_TYPE_CHANGE_UNSUPPORTED_MONITOR_MODE_FLAG', 42: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_NOTIFY_CALLBACK', 43: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_DISABLEGDI', 44: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_ENABLEGDI', 45: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_MODESWITCH', 46: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_SYNC_MONITOR_EVENT', 47: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_NOTIFY_GDI', 48: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_ENABLE_VGA', 49: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_TDR_SWITCH_GDI', 50: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_CREATE_DEVICE_FAILED', 51: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DEVICE_REMOVED', 52: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DRVASSERTMODE_TRUE_FAILED', 53: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_RECREATE_DEVICE_FAILED', 54: 'DXGK_DIAG_CODE_POINT_TYPE_CDD_MAPSHADOWBUFFER_FAILED', 55: 'DXGK_DIAG_CODE_POINT_TYPE_COMMIT_VIDPN_LOG_FAILURE', 56: 'DXGK_DIAG_CODE_POINT_TYPE_DRIVER_RECOMMEND_LOG_FAILURE', 57: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_ENFORCED_CLONE_PATH_INVALID_SOURCE_IDX', 58: 'DXGK_DIAG_CODE_POINT_TYPE_DRVPROBEANDCAPTURE_FAILED', 59: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKCDDENABLE_OPTIMIZED_MODE_CHANGE', 60: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKSETDISPLAYMODE_OPTIMIZED_MODE_CHANGE', 61: 'DXGK_DIAG_CODE_POINT_TYPE_MON_DEPART_GETRECENTTOP_FAIL', 62: 
'DXGK_DIAG_CODE_POINT_TYPE_MON_ARRIVE_INC_ADD_FAIL', 63: 'DXGK_DIAG_CODE_POINT_TYPE_CCD_DATABASE_PERSIST', 64: 'DXGK_DIAG_CODE_POINT_TYPE_MAX', -1: 'DXGK_DIAG_CODE_POINT_TYPE_FORCE_UINT32'}}]], 'Param2': [56, ['unsigned long']], }], 'tagW32JOB': [0x28, { 'restrictions': [12, ['unsigned long']], 'Job': [4, ['pointer', ['_EJOB']]], 'ughCrt': [28, ['unsigned long']], 'pgh': [36, ['pointer', ['unsigned long']]], 'ppiTable': [24, ['pointer', ['pointer', ['tagPROCESSINFO']]]], 'ughMax': [32, ['unsigned long']], 'pAtomTable': [8, ['pointer', ['void']]], 'uProcessCount': [16, ['unsigned long']], 'uMaxProcesses': [20, ['unsigned long']], 'pNext': [0, ['pointer', ['tagW32JOB']]], }], 'tagMBSTRING': [0x28, { 'szName': [0, ['array', 15, ['wchar']]], 'uID': [32, ['unsigned long']], 'uStr': [36, ['unsigned long']], }], '_D3DKMDT_VIDPN_TARGET_MODE': [0x34, { 'VideoSignalInfo': [4, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'Id': [0, ['unsigned long']], 'Preference': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], }], 'tagDESKTOP': [0x84, { 'spmenuVScroll': [40, ['pointer', ['tagMENU']]], 'dwMouseHoverTime': [124, ['unsigned long']], 'rpwinstaParent': [16, ['pointer', ['tagWINDOWSTATION']]], 'spmenuDialogSys': [32, ['pointer', ['tagMENU']]], 'spwndForeground': [44, ['pointer', ['tagWND']]], 'spmenuHScroll': [36, ['pointer', ['tagMENU']]], 'spwndTooltip': [56, ['pointer', ['tagWND']]], 'dwSessionId': [0, ['unsigned long']], 'pDeskInfo': [4, ['pointer', ['tagDESKTOPINFO']]], 'spwndMessage': [52, ['pointer', ['tagWND']]], 'cciConsole': [72, ['_CONSOLE_CARET_INFO']], 'PtiList': [92, ['_LIST_ENTRY']], 'spwndTray': [48, ['pointer', ['tagWND']]], 'rpdeskNext': [12, ['pointer', ['tagDESKTOP']]], 'dwDTFlags': [20, ['unsigned long']], 'pMagInputTransform': [128, ['pointer', ['_MAGNIFICATION_INPUT_TRANSFORM']]], 'spwndTrack': [100, ['pointer', ['tagWND']]], 'htEx': [104, ['long']], 'ulHeapSize': [68, ['unsigned 
long']], 'pheapDesktop': [64, ['pointer', ['tagWIN32HEAP']]], 'hsectionDesktop': [60, ['pointer', ['void']]], 'rcMouseHover': [108, ['tagRECT']], 'dwDesktopId': [24, ['unsigned long']], 'spmenuSys': [28, ['pointer', ['tagMENU']]], 'pDispInfo': [8, ['pointer', ['tagDISPLAYINFO']]], }], 'tagPOOLRECORD': [0x20, { 'ExtraData': [0, ['pointer', ['void']]], 'trace': [8, ['array', 6, ['pointer', ['void']]]], 'size': [4, ['unsigned long']], }], 'tagSPB': [0x28, { 'hbm': [8, ['pointer', ['HBITMAP__']]], 'hrgn': [28, ['pointer', ['HRGN__']]], 'ulSaveId': [36, ['unsigned long']], 'flags': [32, ['unsigned long']], 'rc': [12, ['tagRECT']], 'pspbNext': [0, ['pointer', ['tagSPB']]], 'spwnd': [4, ['pointer', ['tagWND']]], }], '_DMM_COMMITVIDPNREQUEST_DIAGINFO': [0xc, { 'ForceAllActiveVidPnModeListInvalidation': [4, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'ClientType': [0, ['BitField', {'end_bit': 4, 'start_bit': 0}]], 'VidPnChange': [0, ['BitField', {'end_bit': 8, 'start_bit': 4}]], 'ModeChangeRequestId': [8, ['unsigned long']], 'ReclaimClonedTarget': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'CleanupAfterFailedCommitVidPn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], }], 'HFONT__': [0x4, { 'unused': [0, ['long']], }], 'tagTEXTMETRICW': [0x3c, { 'tmCharSet': [56, ['unsigned char']], 'tmDigitizedAspectY': [40, ['long']], 'tmStruckOut': [54, ['unsigned char']], 'tmItalic': [52, ['unsigned char']], 'tmDigitizedAspectX': [36, ['long']], 'tmWeight': [28, ['long']], 'tmFirstChar': [44, ['wchar']], 'tmOverhang': [32, ['long']], 'tmDescent': [8, ['long']], 'tmPitchAndFamily': [55, ['unsigned char']], 'tmDefaultChar': [48, ['wchar']], 'tmLastChar': [46, ['wchar']], 'tmBreakChar': [50, ['wchar']], 'tmMaxCharWidth': [24, ['long']], 'tmUnderlined': [53, ['unsigned char']], 'tmInternalLeading': [12, ['long']], 'tmAscent': [4, ['long']], 'tmHeight': [0, ['long']], 'tmAveCharWidth': [20, ['long']], 'tmExternalLeading': [16, ['long']], }], '_KLIST_ENTRY': [0x8, { 'Flink': 
[0, ['pointer', ['_KLIST_ENTRY']]], 'Blink': [4, ['pointer', ['_KLIST_ENTRY']]], }], '__unnamed_1244': [0x28, { 'Wcb': [0, ['_WAIT_CONTEXT_BLOCK']], 'ListEntry': [0, ['_LIST_ENTRY']], }], 'tagPROP': [0x8, { 'fs': [6, ['unsigned short']], 'hData': [0, ['pointer', ['void']]], 'atomKey': [4, ['unsigned short']], }], 'tagCLIENTTHREADINFO': [0x10, { 'fsWakeMask': [10, ['unsigned short']], 'CTIF_flags': [0, ['unsigned long']], 'fsWakeBits': [6, ['unsigned short']], 'fsWakeBitsJournal': [8, ['unsigned short']], 'fsChangeBits': [4, ['unsigned short']], 'tickLastMsgChecked': [12, ['unsigned long']], }], 'tagKbdNlsLayer': [0x14, { 'OEMIdentifier': [0, ['unsigned short']], 'NumOfVkToF': [4, ['unsigned long']], 'pusMouseVKey': [16, ['pointer', ['unsigned short']]], 'NumOfMouseVKey': [12, ['long']], 'pVkToF': [8, ['pointer', ['_VK_TO_FUNCTION_TABLE']]], 'LayoutInformation': [2, ['unsigned short']], }], 'HBITMAP__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_11fe': [0x4, { 'Capabilities': [0, ['pointer', ['_DEVICE_CAPABILITIES']]], }], '__unnamed_18b2': [0x18, { 'Length64': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment64': [4, ['unsigned long']], }], '__unnamed_11fa': [0x10, { 'Interface': [8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData': [12, ['pointer', ['void']]], 'Version': [6, ['unsigned short']], 'InterfaceType': [0, ['pointer', ['_GUID']]], 'Size': [4, ['unsigned short']], }], 'tagPROCESS_HID_TABLE': [0x38, { 'UsagePageLast': [48, ['unsigned short']], 'fExclusiveMouseSink': [52, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'fRawKeyboardSink': [52, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'fAppKeys': [52, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fCaptureMouse': [52, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'fNoLegacyMouse': [52, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'UsageLast': [50, ['unsigned short']], 'fRawKeyboard': [52, ['BitField', {'end_bit': 5, 
'start_bit': 4}]], 'fNoLegacyKeyboard': [52, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'nSinks': [40, ['long']], 'fNoHotKeys': [52, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'spwndTargetMouse': [32, ['pointer', ['tagWND']]], 'spwndTargetKbd': [36, ['pointer', ['tagWND']]], 'UsagePageList': [16, ['_LIST_ENTRY']], 'link': [0, ['_LIST_ENTRY']], 'fExclusiveKeyboardSink': [52, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'pLastRequest': [44, ['pointer', ['tagPROCESS_HID_REQUEST']]], 'ExclusionList': [24, ['_LIST_ENTRY']], 'fRawMouse': [52, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'fRawMouseSink': [52, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'InclusionList': [8, ['_LIST_ENTRY']], }], '_KFLOATING_SAVE': [0x20, { 'ErrorOffset': [8, ['unsigned long']], 'DataOffset': [16, ['unsigned long']], 'ControlWord': [0, ['unsigned long']], 'DataSelector': [20, ['unsigned long']], 'Cr0NpxState': [24, ['unsigned long']], 'StatusWord': [4, ['unsigned long']], 'Spare1': [28, ['unsigned long']], 'ErrorSelector': [12, ['unsigned long']], }], 'tagRECT': [0x10, { 'top': [4, ['long']], 'right': [8, ['long']], 'bottom': [12, ['long']], 'left': [0, ['long']], }], '__unnamed_17ff': [0x20, { 'Text': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_TRF_UNINITIALIZED'}}]], 'Graphics': [0, ['_D3DKMDT_GRAPHICS_RENDERING_FORMAT']], }], 'HBRUSH__': [0x4, { 'unused': [0, ['long']], }], '_TLSPRITESTATE': [0x60, { 'flOriginalSurfFlags': [4, ['unsigned long']], 'iSpriteType': [16, ['unsigned long']], 'pfnSaveScreenBits': [84, ['pointer', ['void']]], 'bInsideDriverCall': [0, ['unsigned char']], 'pfnStrokePath': [36, ['pointer', ['void']]], 'pfnTransparentBlt': [68, ['pointer', ['void']]], 'pfnPaint': [44, ['pointer', ['void']]], 'pfnFillPath': [40, ['pointer', ['void']]], 'pfnStretchBltROP': [88, ['pointer', ['void']]], 'iType': [24, ['unsigned long']], 'pfnPlgBlt': [76, ['pointer', ['void']]], 'pfnCopyBits': [52, ['pointer', ['void']]], 'pState': [28, ['pointer', 
['void']]], 'iOriginalType': [8, ['unsigned long']], 'pfnTextOut': [60, ['pointer', ['void']]], 'pfnDrawStream': [92, ['pointer', ['void']]], 'pfnStrokeAndFillPath': [32, ['pointer', ['void']]], 'pfnLineTo': [64, ['pointer', ['void']]], 'pfnStretchBlt': [56, ['pointer', ['void']]], 'pfnGradientFill': [80, ['pointer', ['void']]], 'pfnAlphaBlend': [72, ['pointer', ['void']]], 'flags': [20, ['unsigned long']], 'flSpriteSurfFlags': [12, ['unsigned long']], 'pfnBitBlt': [48, ['pointer', ['void']]], }], 'tagSMS': [0x3c, { 'wParam': [40, ['unsigned long']], 'lParam': [44, ['long']], 'lRet': [28, ['long']], 'psmsReceiveNext': [4, ['pointer', ['tagSMS']]], 'tSent': [32, ['unsigned long']], 'psmsNext': [0, ['pointer', ['tagSMS']]], 'ptiCallBackSender': [24, ['pointer', ['tagTHREADINFO']]], 'ptiReceiver': [12, ['pointer', ['tagTHREADINFO']]], 'lpResultCallBack': [16, ['pointer', ['void']]], 'message': [48, ['unsigned long']], 'dwData': [20, ['unsigned long']], 'ptiSender': [8, ['pointer', ['tagTHREADINFO']]], 'flags': [36, ['unsigned long']], 'pvCapture': [56, ['pointer', ['void']]], 'spwnd': [52, ['pointer', ['tagWND']]], }], '_D3DKMDT_FREQUENCY_RANGE': [0x20, { 'MinVSyncFreq': [0, ['_D3DDDI_RATIONAL']], 'MaxVSyncFreq': [8, ['_D3DDDI_RATIONAL']], 'MaxHSyncFreq': [24, ['_D3DDDI_RATIONAL']], 'MinHSyncFreq': [16, ['_D3DDDI_RATIONAL']], }], '__unnamed_11f4': [0x4, { 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'}}]], }], '__unnamed_11f0': [0x4, { 'Srb': [0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], }], 'HRGN__': [0x4, { 'unused': [0, ['long']], }], 'tagSIZE': [0x8, { 'cy': [4, ['long']], 'cx': [0, ['long']], }], 'tagDESKTOPVIEW': [0xc, { 'ulClientDelta': [8, ['unsigned long']], 'pdesk': [4, ['pointer', ['tagDESKTOP']]], 'pdvNext': [0, ['pointer', ['tagDESKTOPVIEW']]], }], '__unnamed_120a': [0x4, { 'IdType': 
[0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'}}]], }], '__unnamed_120e': [0x8, { 'DeviceTextType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'}}]], 'LocaleId': [4, ['unsigned long']], }], '_DMM_VIDPNPATHSFROMSOURCE_SERIALIZATION': [0x1bc, { 'PathAndTargetModeSerialization': [44, ['array', 1, ['_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION']]], 'NumPathsFromSource': [40, ['unsigned char']], 'SourceMode': [0, ['_D3DKMDT_VIDPN_SOURCE_MODE']], }], '_D3DDDI_GAMMA_RAMP_RGB256x3x16': [0x600, { 'Blue': [1024, ['array', 256, ['unsigned short']]], 'Green': [512, ['array', 256, ['unsigned short']]], 'Red': [0, ['array', 256, ['unsigned short']]], }], '_CALLPROCDATA': [0x20, { 'head': [0, ['_PROCDESKHEAD']], 'pfnClientPrevious': [24, ['unsigned long']], 'wType': [28, ['unsigned short']], 'spcpdNext': [20, ['pointer', ['_CALLPROCDATA']]], }], '_D3DDDI_RATIONAL': [0x8, { 'Denominator': [4, ['unsigned long']], 'Numerator': [0, ['unsigned long']], }], '_PFNCLIENT': [0x5c, { 'pfnDispatchDefWindowProc': [80, ['pointer', ['void']]], 'pfnStaticWndProc': [56, ['pointer', ['void']]], 'pfnDispatchHook': [76, ['pointer', ['void']]], 'pfnDesktopWndProc': [12, ['pointer', ['void']]], 'pfnImeWndProc': [60, ['pointer', ['void']]], 'pfnScrollBarWndProc': [0, ['pointer', ['void']]], 'pfnEditWndProc': [44, ['pointer', ['void']]], 'pfnGhostWndProc': [64, ['pointer', ['void']]], 'pfnMessageWindowProc': [20, ['pointer', ['void']]], 'pfnSwitchWindowProc': [24, ['pointer', ['void']]], 'pfnComboListBoxProc': [36, ['pointer', ['void']]], 'pfnComboBoxWndProc': [32, ['pointer', ['void']]], 'pfnMDIClientWndProc': [52, ['pointer', ['void']]], 'pfnDialogWndProc': [40, ['pointer', ['void']]], 'pfnHkINLPCWPSTRUCT': [68, ['pointer', ['void']]], 'pfnTitleWndProc': [4, ['pointer', 
['void']]], 'pfnHkINLPCWPRETSTRUCT': [72, ['pointer', ['void']]], 'pfnButtonWndProc': [28, ['pointer', ['void']]], 'pfnMenuWndProc': [8, ['pointer', ['void']]], 'pfnListBoxWndProc': [48, ['pointer', ['void']]], 'pfnDispatchMessage': [84, ['pointer', ['void']]], 'pfnDefWindowProc': [16, ['pointer', ['void']]], 'pfnMDIActivateDlgProc': [88, ['pointer', ['void']]], }], '_THRDESKHEAD': [0x14, { 'h': [0, ['pointer', ['void']]], 'pSelf': [16, ['pointer', ['unsigned char']]], 'rpdesk': [12, ['pointer', ['tagDESKTOP']]], 'pti': [8, ['pointer', ['tagTHREADINFO']]], 'cLockObj': [4, ['unsigned long']], }], 'tagSVR_INSTANCE_INFO': [0x20, { 'head': [0, ['_THROBJHEAD']], 'next': [12, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'nextInThisThread': [16, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'spwndEvent': [24, ['pointer', ['tagWND']]], 'afCmd': [20, ['unsigned long']], 'pcii': [28, ['pointer', ['void']]], }], '_D3DKMDT_MONITOR_SOURCE_MODE': [0x4c, { 'Origin': [68, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'VideoSignalInfo': [4, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'ColorCoeffDynamicRanges': [52, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'Preference': [72, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], 'Id': [0, ['unsigned long']], 'ColorBasis': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], 'VWPL': [0x10, { 'fTagged': [12, ['long']], 'cElem': [4, ['unsigned long']], 'cThreshhold': [8, ['unsigned long']], 'aElement': [16, ['array', 0, ['VWPLELEMENT']]], 'cPwnd': [0, ['unsigned long']], }], 
'tagCURSOR': [0x54, { 'rt': [30, ['unsigned short']], 'head': [0, ['_PROCMARKHEAD']], 'hbmUserAlpha': [68, ['pointer', ['HBITMAP__']]], 'cx': [76, ['unsigned long']], 'xHotspot': [36, ['short']], 'hbmColor': [44, ['pointer', ['HBITMAP__']]], 'pcurNext': [16, ['pointer', ['tagCURSOR']]], 'CURSORF_flags': [32, ['unsigned long']], 'hbmMask': [40, ['pointer', ['HBITMAP__']]], 'bpp': [72, ['unsigned long']], 'cy': [80, ['unsigned long']], 'strName': [20, ['_UNICODE_STRING']], 'rcBounds': [52, ['tagRECT']], 'atomModName': [28, ['unsigned short']], 'hbmAlpha': [48, ['pointer', ['HBITMAP__']]], 'yHotspot': [38, ['short']], }], '__unnamed_1202': [0x4, { 'IoResourceRequirementList': [0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], }], '__unnamed_1206': [0x1, { 'Lock': [0, ['unsigned char']], }], '__unnamed_1204': [0x10, { 'Buffer': [4, ['pointer', ['void']]], 'WhichSpace': [0, ['unsigned long']], 'Length': [12, ['unsigned long']], 'Offset': [8, ['unsigned long']], }], 'HKL__': [0x4, { 'unused': [0, ['long']], }], 'tagDCE': [0x30, { 'hrgnClipPublic': [24, ['pointer', ['HRGN__']]], 'pdceNext': [0, ['pointer', ['tagDCE']]], 'hrgnSavedVis': [28, ['pointer', ['HRGN__']]], 'pwndRedirect': [16, ['pointer', ['tagWND']]], 'pMonitor': [44, ['pointer', ['tagMONITOR']]], 'ppiOwner': [40, ['pointer', ['tagPROCESSINFO']]], 'pwndOrg': [8, ['pointer', ['tagWND']]], 'hrgnClip': [20, ['pointer', ['HRGN__']]], 'hdc': [4, ['pointer', ['HDC__']]], 'ptiOwner': [36, ['pointer', ['tagTHREADINFO']]], 'DCX_flags': [32, ['unsigned long']], 'pwndClip': [12, ['pointer', ['tagWND']]], }], 'tagPROCESS_HID_REQUEST': [0x18, { 'link': [0, ['_LIST_ENTRY']], 'fExclusiveOrphaned': [12, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'spwndTarget': [20, ['pointer', ['tagWND']]], 'fSinkable': [12, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pTLCInfo': [16, ['pointer', ['tagHID_TLC_INFO']]], 'fDevNotify': [12, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'fExSinkable': [12, ['BitField', {'end_bit': 2, 
'start_bit': 1}]], 'usUsage': [10, ['unsigned short']], 'ptr': [16, ['pointer', ['void']]], 'pPORequest': [16, ['pointer', ['tagHID_PAGEONLY_REQUEST']]], 'usUsagePage': [8, ['unsigned short']], }], 'tagWOWTHREADINFO': [0x14, { 'idParentProcess': [12, ['unsigned long']], 'pwtiNext': [0, ['pointer', ['tagWOWTHREADINFO']]], 'idTask': [4, ['unsigned long']], 'pIdleEvent': [16, ['pointer', ['_KEVENT']]], 'idWaitObject': [8, ['unsigned long']], }], '__unnamed_11bb': [0x28, { 'AuxiliaryBuffer': [20, ['pointer', ['unsigned char']]], 'Thread': [16, ['pointer', ['_ETHREAD']]], 'OriginalFileObject': [36, ['pointer', ['_FILE_OBJECT']]], 'DeviceQueueEntry': [0, ['_KDEVICE_QUEUE_ENTRY']], 'PacketType': [32, ['unsigned long']], 'CurrentStackLocation': [32, ['pointer', ['_IO_STACK_LOCATION']]], 'ListEntry': [24, ['_LIST_ENTRY']], 'DriverContext': [0, ['array', 4, ['pointer', ['void']]]], }], '__unnamed_11be': [0x30, { 'Apc': [0, ['_KAPC']], 'CompletionKey': [0, ['pointer', ['void']]], 'Overlay': [0, ['__unnamed_11bb']], }], 'tagSBDATA': [0x10, { 'posMax': [4, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], 'pos': [12, ['long']], }], 'tagIMEINFO': [0x1c, { 'fdwProperty': [4, ['unsigned long']], 'fdwSelectCaps': [24, ['unsigned long']], 'fdwUICaps': [16, ['unsigned long']], 'dwPrivateDataSize': [0, ['unsigned long']], 'fdwSCSCaps': [20, ['unsigned long']], 'fdwSentenceCaps': [12, ['unsigned long']], 'fdwConversionCaps': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_SOURCE_MODE': [0x28, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_RMT_UNINITIALIZED', 1: 'D3DKMDT_RMT_GRAPHICS', 2: 'D3DKMDT_RMT_TEXT'}}]], 'Id': [0, ['unsigned long']], 'Format': [8, ['__unnamed_17ff']], }], '_PROCMARKHEAD': [0x10, { 'h': [0, ['pointer', ['void']]], 'ppi': [12, ['pointer', ['tagPROCESSINFO']]], 'hTaskWow': [8, ['unsigned long']], 'cLockObj': [4, ['unsigned long']], }], 'tagKBDFILE': [0x5c, { 'head': [0, ['_HEAD']], 'awchDllName': [28, ['array', 32, ['wchar']]], 
'pKbdTbl': [16, ['pointer', ['tagKbdLayer']]], 'pkfNext': [8, ['pointer', ['tagKBDFILE']]], 'pKbdNlsTbl': [24, ['pointer', ['tagKbdNlsLayer']]], 'hBase': [12, ['pointer', ['void']]], 'Size': [20, ['unsigned long']], }], 'tagCLIENTINFO': [0x8c, { 'msgDbcsCB': [108, ['tagMSG']], 'dwCompatFlags': [12, ['unsigned long']], 'achDbcsCF': [106, ['array', 2, ['unsigned char']]], 'dwTIFlags': [20, ['unsigned long']], 'pClientThreadInfo': [60, ['pointer', ['tagCLIENTTHREADINFO']]], 'CodePage': [104, ['unsigned short']], 'dwKeyCache': [68, ['unsigned long']], 'dwHookCurrent': [52, ['unsigned long']], 'afAsyncKeyStateRecentDown': [92, ['array', 8, ['unsigned char']]], 'dwCompatFlags2': [16, ['unsigned long']], 'fsHooks': [36, ['unsigned long']], 'ulClientDelta': [28, ['unsigned long']], 'pDeskInfo': [24, ['pointer', ['tagDESKTOPINFO']]], 'dwExpWinVer': [8, ['unsigned long']], 'dwHookData': [64, ['unsigned long']], 'afAsyncKeyState': [84, ['array', 8, ['unsigned char']]], 'CallbackWnd': [40, ['_CALLBACKWND']], 'lpdwRegisteredClasses': [136, ['pointer', ['unsigned long']]], 'cInDDEMLCallback': [56, ['long']], 'cSpins': [4, ['unsigned long']], 'hKL': [100, ['pointer', ['HKL__']]], 'dwAsyncKeyCache': [80, ['unsigned long']], 'afKeyState': [72, ['array', 8, ['unsigned char']]], 'CI_flags': [0, ['unsigned long']], 'phkCurrent': [32, ['pointer', ['tagHOOK']]], }], 'tagCLS': [0x5c, { 'spcur': [72, ['pointer', ['tagCURSOR']]], 'cbwndExtra': [60, ['long']], 'pclsClone': [40, ['pointer', ['tagCLS']]], 'lpszClientAnsiMenuName': [24, ['pointer', ['unsigned char']]], 'pclsBase': [36, ['pointer', ['tagCLS']]], 'atomNVClassName': [6, ['unsigned short']], 'style': [48, ['unsigned long']], 'pclsNext': [0, ['pointer', ['tagCLS']]], 'CSF_flags': [22, ['unsigned short']], 'lpfnWndProc': [52, ['pointer', ['void']]], 'lpszAnsiClassName': [84, ['pointer', ['unsigned char']]], 'spcpdFirst': [32, ['pointer', ['_CALLPROCDATA']]], 'lpszClientUnicodeMenuName': [28, ['pointer', ['unsigned short']]], 
'cbclsExtra': [56, ['long']], 'lpszMenuName': [80, ['pointer', ['unsigned short']]], 'spicnSm': [88, ['pointer', ['tagCURSOR']]], 'hTaskWow': [20, ['unsigned short']], 'cWndReferenceCount': [44, ['long']], 'hbrBackground': [76, ['pointer', ['HBRUSH__']]], 'spicn': [68, ['pointer', ['tagCURSOR']]], 'fnid': [8, ['unsigned short']], 'pdce': [16, ['pointer', ['tagDCE']]], 'hModule': [64, ['pointer', ['void']]], 'rpdeskParent': [12, ['pointer', ['tagDESKTOP']]], 'atomClassName': [4, ['unsigned short']], }], '_DMM_VIDPN_SERIALIZATION': [0xc, { 'PathsFromSourceSerializationOffsets': [8, ['array', 1, ['unsigned long']]], 'NumActiveSources': [4, ['unsigned char']], 'Size': [0, ['unsigned long']], }], 'tagHID_PAGEONLY_REQUEST': [0x10, { 'usUsagePage': [8, ['unsigned short']], 'link': [0, ['_LIST_ENTRY']], 'cRefCount': [12, ['unsigned long']], }], 'tagWINDOWSTATION': [0x58, { 'pClipBase': [44, ['pointer', ['tagCLIP']]], 'dwSessionId': [0, ['unsigned long']], 'cNumClipFormats': [48, ['unsigned long']], 'luidUser': [76, ['_LUID']], 'pGlobalAtomTable': [64, ['pointer', ['void']]], 'ptiClipLock': [24, ['pointer', ['tagTHREADINFO']]], 'dwWSF_Flags': [16, ['unsigned long']], 'rpdeskList': [8, ['pointer', ['tagDESKTOP']]], 'spklList': [20, ['pointer', ['tagKL']]], 'spwndClipOpen': [32, ['pointer', ['tagWND']]], 'luidEndSession': [68, ['_LUID']], 'pTerm': [12, ['pointer', ['tagTERMINAL']]], 'rpwinstaNext': [4, ['pointer', ['tagWINDOWSTATION']]], 'spwndClipboardListener': [60, ['pointer', ['tagWND']]], 'spwndClipViewer': [36, ['pointer', ['tagWND']]], 'iClipSequenceNumber': [56, ['unsigned long']], 'ptiDrawingClipboard': [28, ['pointer', ['tagTHREADINFO']]], 'spwndClipOwner': [40, ['pointer', ['tagWND']]], 'psidUser': [84, ['pointer', ['void']]], 'iClipSerialNumber': [52, ['unsigned long']], }], '__unnamed_11e4': [0x10, { 'Type3InputBuffer': [12, ['pointer', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'IoControlCode': [8, ['unsigned long']], 'InputBufferLength': [4, 
['unsigned long']], }], '__unnamed_11e2': [0x10, { 'Length': [0, ['pointer', ['_LARGE_INTEGER']]], 'ByteOffset': [8, ['_LARGE_INTEGER']], 'Key': [4, ['unsigned long']], }], '__unnamed_11e8': [0x8, { 'SecurityInformation': [0, ['unsigned long']], 'SecurityDescriptor': [4, ['pointer', ['void']]], }], 'tagPROFILEVALUEINFO': [0xc, { 'dwValue': [0, ['unsigned long']], 'uSection': [4, ['unsigned long']], 'pwszKeyName': [8, ['pointer', ['wchar']]], }], '__unnamed_11ec': [0x8, { 'DeviceObject': [4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb': [0, ['pointer', ['_VPB']]], }], '__unnamed_1633': [0x8, { 'ActiveSize': [0, ['_D3DKMDT_2DREGION']], 'MaxPixelRate': [0, ['unsigned long']], }], '_DMM_MONITOR_SERIALIZATION': [0x28, { 'FrequencyRangeSetOffset': [28, ['unsigned long']], 'ModePruningAlgorithm': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_MPA_UNINITIALIZED', 1: 'DMM_MPA_GDI', 2: 'DMM_MPA_VISTA', 3: 'DMM_MPA_MAXVALID'}}]], 'VideoPresentTargetId': [4, ['unsigned long']], 'IsSimulatedMonitor': [12, ['unsigned char']], 'SourceModeSetOffset': [24, ['unsigned long']], 'Orientation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MO_UNINITIALIZED', 1: 'D3DKMDT_MO_0DEG', 2: 'D3DKMDT_MO_90DEG', 3: 'D3DKMDT_MO_180DEG', 4: 'D3DKMDT_MO_270DEG'}}]], 'DescriptorSetOffset': [32, ['unsigned long']], 'MonitorPowerState': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'}}]], 'IsUsingDefaultProfile': [13, ['unsigned char']], 'MonitorType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_VMT_UNINITIALIZED', 1: 'DMM_VMT_PHYSICAL_MONITOR', 2: 'DMM_VMT_BOOT_PERSISTENT_MONITOR', 3: 'DMM_VMT_PERSISTENT_MONITOR', 4: 'DMM_VMT_TEMPORARY_MONITOR', 5: 'DMM_VMT_SIMULATED_MONITOR'}}]], 'Size': [0, ['unsigned long']], }], '_WNDMSG': [0x8, { 'abMsgs': [4, ['pointer', ['unsigned char']]], 'maxMsgs': [0, ['unsigned long']], }], 
'tagTDB': [0x18, { 'pti': [12, ['pointer', ['tagTHREADINFO']]], 'TDB_Flags': [22, ['unsigned short']], 'hTaskWow': [20, ['unsigned short']], 'pwti': [16, ['pointer', ['tagWOWTHREADINFO']]], 'nEvents': [4, ['long']], 'nPriority': [8, ['long']], 'ptdbNext': [0, ['pointer', ['tagTDB']]], }], '_LIGATURE1': [0x6, { 'wch': [4, ['array', 1, ['wchar']]], 'VirtualKey': [0, ['unsigned char']], 'ModificationNumber': [2, ['unsigned short']], }], '_D3DKMDT_VIDPN_PRESENT_PATH': [0x15c, { 'GammaRamp': [336, ['_D3DKMDT_GAMMA_RAMP']], 'VidPnSourceId': [0, ['unsigned long']], 'Content': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPC_UNINITIALIZED', 1: 'D3DKMDT_VPPC_GRAPHICS', 2: 'D3DKMDT_VPPC_VIDEO', 255: 'D3DKMDT_VPPC_NOTSPECIFIED'}}]], 'VisibleFromActiveBROffset': [36, ['_D3DKMDT_2DREGION']], 'VidPnTargetColorBasis': [44, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], 'ContentTransformation': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION']], 'VidPnTargetId': [4, ['unsigned long']], 'VisibleFromActiveTLOffset': [28, ['_D3DKMDT_2DREGION']], 'CopyProtection': [68, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION']], 'VidPnTargetColorCoeffDynamicRanges': [48, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'ImportanceOrdinal': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPI_UNINITIALIZED', 1: 'D3DKMDT_VPPI_PRIMARY', 2: 'D3DKMDT_VPPI_SECONDARY', 3: 'D3DKMDT_VPPI_TERTIARY', 4: 'D3DKMDT_VPPI_QUATERNARY', 5: 'D3DKMDT_VPPI_QUINARY', 6: 'D3DKMDT_VPPI_SENARY', 7: 'D3DKMDT_VPPI_SEPTENARY', 8: 'D3DKMDT_VPPI_OCTONARY', 9: 'D3DKMDT_VPPI_NONARY', 10: 'D3DKMDT_VPPI_DENARY', 32: 'D3DKMDT_VPPI_MAX', 255: 'D3DKMDT_VPPI_NOTSPECIFIED'}}]], }], '_PROCDESKHEAD': [0x14, { 'h': [0, ['pointer', ['void']]], 'pSelf': [16, ['pointer', ['unsigned char']]], 'rpdesk': [12, ['pointer', ['tagDESKTOP']]], 'hTaskWow': [8, 
['unsigned long']], 'cLockObj': [4, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT': [0x4, { 'Rotate270': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'Rotate90': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Rotate180': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], }], '_CONSOLE_CARET_INFO': [0x14, { 'hwnd': [0, ['pointer', ['HWND__']]], 'rc': [4, ['tagRECT']], }], 'tagPROCESSINFO': [0x1b0, { 'fHasMagContext': [412, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'hwinsta': [324, ['pointer', ['HWINSTA__']]], 'ptiList': [144, ['pointer', ['tagTHREADINFO']]], 'pHidTable': [420, ['pointer', ['tagPROCESS_HID_TABLE']]], 'W32PF_Flags': [8, ['unsigned long']], 'UserHandleCount': [44, ['long']], 'dwhmodLibLoadedMask': [188, ['unsigned long']], 'GDIBrushAttrFreeList': [120, ['_LIST_ENTRY']], 'hdeskStartup': [180, ['pointer', ['HDESK__']]], 'dwImeCompatFlags': [372, ['unsigned long']], 'dwRegisteredClasses': [424, ['unsigned long']], 'pBrushAttrList': [28, ['pointer', ['void']]], 'usi': [384, ['tagUSERSTARTUPINFO']], 'InputIdleEvent': [12, ['pointer', ['_KEVENT']]], 'W32Pid': [32, ['unsigned long']], 'bmHandleFlags': [348, ['_RTL_BITMAP']], 'UserHandleCountPeak': [48, ['unsigned long']], 'GDIEngUserMemAllocTable': [56, ['_RTL_AVL_TABLE']], 'cSysExpunge': [184, ['unsigned long']], 'pdvList': [340, ['pointer', ['tagDESKTOPVIEW']]], 'pwpi': [164, ['pointer', ['tagWOWPROCESSINFO']]], 'ppiNextRunning': [172, ['pointer', ['tagPROCESSINFO']]], 'Process': [0, ['pointer', ['_EPROCESS']]], 'pCursorCache': [356, ['pointer', ['tagCURSOR']]], 'pClientBase': [360, ['pointer', ['void']]], 'dwLpkEntryPoints': [364, ['unsigned long']], 'GDIDcAttrFreeList': [112, ['_LIST_ENTRY']], 'DxProcess': [140, ['pointer', ['void']]], 'NextStart': [20, ['pointer', ['_W32PROCESS']]], 'RefCount': [4, ['unsigned long']], 'dwLayout': [416, ['unsigned long']], 'pclsPublicList': [160, ['pointer', 
['tagCLS']]], 'Unused': [412, ['BitField', {'end_bit': 32, 'start_bit': 1}]], 'GDIPushLock': [52, ['_EX_PUSH_LOCK']], 'hMonitor': [336, ['pointer', ['HMONITOR__']]], 'ptiMainThread': [148, ['pointer', ['tagTHREADINFO']]], 'pvwplWndGCList': [428, ['pointer', ['VWPL']]], 'pW32Job': [368, ['pointer', ['tagW32JOB']]], 'luidSession': [376, ['_LUID']], 'GDIHandleCount': [36, ['long']], 'cThreads': [176, ['unsigned long']], 'rpdeskStartup': [152, ['pointer', ['tagDESKTOP']]], 'hSecureGdiSharedHandleTable': [136, ['pointer', ['void']]], 'pclsPrivateList': [156, ['pointer', ['tagCLS']]], 'GDIHandleCountPeak': [40, ['unsigned long']], 'StartCursorHideTime': [16, ['unsigned long']], 'ppiNext': [168, ['pointer', ['tagPROCESSINFO']]], 'Flags': [412, ['unsigned long']], 'dwHotkey': [332, ['unsigned long']], 'amwinsta': [328, ['unsigned long']], 'rpwinsta': [320, ['pointer', ['tagWINDOWSTATION']]], 'ahmodLibLoaded': [192, ['array', 32, ['pointer', ['void']]]], 'iClipSerialNumber': [344, ['unsigned long']], 'GDIW32PIDLockedBitmaps': [128, ['_LIST_ENTRY']], 'pDCAttrList': [24, ['pointer', ['void']]], }], '_DMM_COMMITVIDPNREQUEST_SERIALIZATION': [0x1c, { 'RequestDiagInfo': [4, ['_DMM_COMMITVIDPNREQUEST_DIAGINFO']], 'AffectedVidPnSourceId': [0, ['unsigned long']], 'VidPnSerialization': [16, ['_DMM_VIDPN_SERIALIZATION']], }], 'tagKbdLayer': [0x3c, { 'pVkToWcharTable': [4, ['pointer', ['_VK_TO_WCHAR_TABLE']]], 'pusVSCtoVK': [24, ['pointer', ['unsigned short']]], 'fLocaleFlags': [40, ['unsigned long']], 'pKeyNamesExt': [16, ['pointer', ['VSC_LPWSTR']]], 'dwSubType': [56, ['unsigned long']], 'pDeadKey': [8, ['pointer', ['DEADKEY']]], 'pCharModifiers': [0, ['pointer', ['MODIFIERS']]], 'pKeyNamesDead': [20, ['pointer', ['pointer', ['unsigned short']]]], 'bMaxVSCtoVK': [28, ['unsigned char']], 'pKeyNames': [12, ['pointer', ['VSC_LPWSTR']]], 'dwType': [52, ['unsigned long']], 'pLigature': [48, ['pointer', ['_LIGATURE1']]], 'nLgMax': [44, ['unsigned char']], 'pVSCtoVK_E1': [36, ['pointer', 
['_VSC_VK']]], 'pVSCtoVK_E0': [32, ['pointer', ['_VSC_VK']]], 'cbLgEntry': [45, ['unsigned char']], }], 'HDC__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32AllocStats': [0x14, { 'dwMaxAlloc': [8, ['unsigned long']], 'pHead': [16, ['pointer', ['tagWin32PoolHead']]], 'dwMaxMem': [0, ['unsigned long']], 'dwCrtMem': [4, ['unsigned long']], 'dwCrtAlloc': [12, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT': [0x4, { 'Centered': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'AspectRatioCenteredMax': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'Stretched': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Custom': [0, ['BitField', {'end_bit': 5, 'start_bit': 4}]], }], 'tagMSG': [0x1c, { 'wParam': [8, ['unsigned long']], 'lParam': [12, ['long']], 'pt': [20, ['tagPOINT']], 'hwnd': [0, ['pointer', ['HWND__']]], 'time': [16, ['unsigned long']], 'message': [4, ['unsigned long']], }], '__unnamed_11a5': [0x4, { 'IrpCount': [0, ['long']], 'SystemBuffer': [0, ['pointer', ['void']]], 'MasterIrp': [0, ['pointer', ['_IRP']]], }], '_DMM_VIDPNSET_SERIALIZATION': [0x8, { 'VidPnOffset': [4, ['array', 1, ['unsigned long']]], 'NumVidPns': [0, ['unsigned char']], }], 'tagWOWPROCESSINFO': [0x28, { 'ptdbHead': [8, ['pointer', ['tagTDB']]], 'lpfnWowExitTask': [12, ['pointer', ['void']]], 'CSOwningThread': [32, ['pointer', ['tagTHREADINFO']]], 'ptiScheduled': [4, ['pointer', ['tagTHREADINFO']]], 'nSendLock': [24, ['unsigned long']], 'nRecvLock': [28, ['unsigned long']], 'CSLockCount': [36, ['long']], 'hEventWowExecClient': [20, ['pointer', ['void']]], 'pwpiNext': [0, ['pointer', ['tagWOWPROCESSINFO']]], 'pEventWowExec': [16, ['pointer', ['_KEVENT']]], }], '__unnamed_177b': [0xc, { 'Data': [0, ['array', 3, ['unsigned long']]], }], 'tagMENU': [0x6c, { 'iItem': [24, ['long']], 'head': [0, ['_PROCDESKHEAD']], 'umpm': [88, ['tagUAHMENUPOPUPMETRICS']], 'cItems': [32, ['unsigned long']], 
'pParentMenus': [56, ['pointer', ['tagMENULIST']]], 'fFlags': [20, ['unsigned long']], 'cxMenu': [36, ['unsigned long']], 'dwContextHelpId': [60, ['unsigned long']], 'hbrBack': [72, ['pointer', ['HBRUSH__']]], 'cxTextAlign': [44, ['unsigned long']], 'cAlloced': [28, ['unsigned long']], 'spwndNotify': [48, ['pointer', ['tagWND']]], 'dwArrowsOn': [84, ['BitField', {'end_bit': 2, 'start_bit': 0}]], 'iMaxTop': [80, ['long']], 'dwMenuData': [68, ['unsigned long']], 'cyMenu': [40, ['unsigned long']], 'rgItems': [52, ['pointer', ['tagITEM']]], 'iTop': [76, ['long']], 'cyMax': [64, ['unsigned long']], }], '__unnamed_177f': [0xc, { 'DataSize': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_177d': [0xc, { 'Start': [0, ['unsigned long']], 'Length': [4, ['unsigned long']], 'Reserved': [8, ['unsigned long']], }], 'tagPOPUPMENU': [0x30, { 'fUseMonitorRect': [0, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'fDroppedLeft': [0, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'fHierarchyDropped': [0, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'posDropped': [44, ['unsigned long']], 'spwndNextPopup': [12, ['pointer', ['tagWND']]], 'fIsMenuBar': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'spwndPrevPopup': [16, ['pointer', ['tagWND']]], 'fHasMenuBar': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'spwndActivePopup': [28, ['pointer', ['tagWND']]], 'fTrackMouseEvent': [0, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'fNoNotify': [0, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'posSelectedItem': [40, ['unsigned long']], 'fIsSysMenu': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'fFlushDelayedFree': [0, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'ppmDelayedFree': [36, ['pointer', ['tagPOPUPMENU']]], 'fFreed': [0, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'fSynchronous': [0, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'fDropNextPopup': [0, ['BitField', {'end_bit': 11, 
'start_bit': 10}]], 'fRightButton': [0, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spmenuAlternate': [24, ['pointer', ['tagMENU']]], 'spmenu': [20, ['pointer', ['tagMENU']]], 'spwndPopupMenu': [8, ['pointer', ['tagWND']]], 'fDestroyed': [0, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'iDropDir': [0, ['BitField', {'end_bit': 28, 'start_bit': 23}]], 'ppopupmenuRoot': [32, ['pointer', ['tagPOPUPMENU']]], 'fFirstClick': [0, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'spwndNotify': [4, ['pointer', ['tagWND']]], 'fRtoL': [0, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'fIsTrackPopup': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'fSendUninit': [0, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'fShowTimer': [0, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'fInCancel': [0, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'fToggle': [0, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fDelayedFree': [0, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'fHideTimer': [0, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'fAboutToHide': [0, ['BitField', {'end_bit': 13, 'start_bit': 12}]], }], '_DMM_MONITORDESCRIPTOR_SERIALIZATION': [0x8c, { 'Origin': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'Data': [12, ['array', 128, ['unsigned char']]], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MDT_UNINITIALIZED', 1: 'D3DKMDT_MDT_VESA_EDID_V1_BASEBLOCK', 2: 'D3DKMDT_MDT_VESA_EDID_V1_BLOCKMAP', 255: 'D3DKMDT_MDT_OTHER'}}]], 'Id': [0, ['unsigned long']], }], '__unnamed_1779': [0xc, { 'Reserved1': [8, ['unsigned long']], 'Port': [4, ['unsigned long']], 'Channel': [0, ['unsigned long']], }], 'HTOUCHINPUT__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_1773': [0xc, { 'Affinity': [8, 
['unsigned long']], 'Vector': [4, ['unsigned long']], 'Group': [2, ['unsigned short']], 'Level': [0, ['unsigned short']], }], '_VK_VALUES_STRINGS': [0x8, { 'fReserved': [4, ['unsigned char']], 'pszMultiNames': [0, ['pointer', ['unsigned char']]], }], '__unnamed_1771': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length': [8, ['unsigned long']], }], '_DMM_MONITOR_SOURCE_MODE_SERIALIZATION': [0x50, { 'Info': [0, ['_D3DKMDT_MONITOR_SOURCE_MODE']], 'TimingType': [76, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MTT_UNINITIALIZED', 1: 'D3DKMDT_MTT_ESTABLISHED', 2: 'D3DKMDT_MTT_STANDARD', 3: 'D3DKMDT_MTT_EXTRASTANDARD', 4: 'D3DKMDT_MTT_DETAILED', 5: 'D3DKMDT_MTT_DEFAULTMONITORPROFILE', 6: 'D3DKMDT_MTT_MAXVALID'}}]], }], '__unnamed_1775': [0xc, { 'Affinity': [8, ['unsigned long']], 'Vector': [4, ['unsigned long']], 'Group': [0, ['unsigned short']], 'MessageCount': [2, ['unsigned short']], }], '__unnamed_11ac': [0x8, { 'AsynchronousParameters': [0, ['__unnamed_11aa']], 'AllocationSize': [0, ['_LARGE_INTEGER']], }], '__unnamed_11aa': [0x8, { 'UserApcContext': [4, ['pointer', ['void']]], 'UserApcRoutine': [0, ['pointer', ['void']]], 'IssuingProcess': [0, ['pointer', ['void']]], }], 'tagSBCALC': [0x40, { 'posMax': [4, ['long']], 'pxThumbTop': [52, ['long']], 'pxThumbBottom': [48, ['long']], 'cpxThumb': [32, ['long']], 'pxMin': [60, ['long']], 'pxStart': [44, ['long']], 'pxDownArrow': [40, ['long']], 'pos': [12, ['long']], 'cpx': [56, ['long']], 'pxBottom': [20, ['long']], 'pxTop': [16, ['long']], 'pxLeft': [24, ['long']], 'pxRight': [28, ['long']], 'pxUpArrow': [36, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], }], 'HIMC__': [0x4, { 'unused': [0, ['long']], }], 'tagSBINFO': [0x24, { 'WSBflags': [0, ['long']], 'Horz': [4, ['tagSBDATA']], 'Vert': [20, ['tagSBDATA']], }], '__unnamed_1213': [0x8, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 
'DeviceUsageTypeDumpFile'}}]], 'Reserved': [1, ['array', 3, ['unsigned char']]], 'InPath': [0, ['unsigned char']], }], 'tagITEM': [0x6c, { 'ulX': [56, ['unsigned long']], 'wID': [8, ['unsigned long']], 'dwItemData': [32, ['unsigned long']], 'cyItem': [48, ['unsigned long']], 'hbmpChecked': [16, ['pointer', ['void']]], 'xItem': [36, ['unsigned long']], 'spSubMenu': [12, ['pointer', ['tagMENU']]], 'hbmpUnchecked': [20, ['pointer', ['void']]], 'fState': [4, ['unsigned long']], 'dxTab': [52, ['unsigned long']], 'hbmp': [64, ['pointer', ['HBITMAP__']]], 'yItem': [40, ['unsigned long']], 'fType': [0, ['unsigned long']], 'umim': [76, ['tagUAHMENUITEMMETRICS']], 'cch': [28, ['unsigned long']], 'ulWidth': [60, ['unsigned long']], 'cyBmp': [72, ['long']], 'cxBmp': [68, ['long']], 'lpstr': [24, ['pointer', ['unsigned short']]], 'cxItem': [44, ['unsigned long']], }], '__unnamed_11d9': [0x10, { 'FileInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 
'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'AdvanceOnly': [13, ['unsigned char']], 'ClusterCount': [12, ['unsigned long']], 'Length': [0, ['unsigned long']], 'DeleteHandle': [12, ['pointer', ['void']]], 'ReplaceIfExists': [12, ['unsigned char']], 'FileObject': [8, ['pointer', ['_FILE_OBJECT']]], }], '_VSC_VK': [0x4, { 'Vsc': [0, ['unsigned char']], 'Vk': [2, ['unsigned short']], }], '_VK_TO_WCHARS1': [0x4, { 'Attributes': [1, ['unsigned char']], 'VirtualKey': [0, ['unsigned char']], 'wch': [2, ['array', 1, ['wchar']]], }], '__unnamed_121b': [0x4, { 'PowerSequence': [0, ['pointer', ['_POWER_SEQUENCE']]], }], '_DMM_MONITORFREQUENCYRANGESET_SERIALIZATION': [0x34, { 'NumFrequencyRanges': [0, ['unsigned char']], 'FrequencyRangeSerialization': [4, ['array', 1, ['_D3DKMDT_MONITOR_FREQUENCY_RANGE']]], }], '_D3DKMDT_GAMMA_RAMP': [0xc, { 'Data': [8, ['__unnamed_179f']], 'DataSize': [4, ['unsigned long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_GAMMARAMP_UNINITIALIZED', 1: 'D3DDDI_GAMMARAMP_DEFAULT', 2: 'D3DDDI_GAMMARAMP_RGB256x3x16', 3: 'D3DDDI_GAMMARAMP_DXGI_1'}}]], }], '_W32PROCESS': [0x90, { 'GDIPushLock': [52, ['_EX_PUSH_LOCK']], 'DxProcess': [140, ['pointer', 
['void']]], 'pBrushAttrList': [28, ['pointer', ['void']]], 'Process': [0, ['pointer', ['_EPROCESS']]], 'NextStart': [20, ['pointer', ['_W32PROCESS']]], 'GDIW32PIDLockedBitmaps': [128, ['_LIST_ENTRY']], 'RefCount': [4, ['unsigned long']], 'StartCursorHideTime': [16, ['unsigned long']], 'GDIBrushAttrFreeList': [120, ['_LIST_ENTRY']], 'InputIdleEvent': [12, ['pointer', ['_KEVENT']]], 'W32PF_Flags': [8, ['unsigned long']], 'GDIHandleCount': [36, ['long']], 'hSecureGdiSharedHandleTable': [136, ['pointer', ['void']]], 'UserHandleCountPeak': [48, ['unsigned long']], 'W32Pid': [32, ['unsigned long']], 'UserHandleCount': [44, ['long']], 'pDCAttrList': [24, ['pointer', ['void']]], 'GDIEngUserMemAllocTable': [56, ['_RTL_AVL_TABLE']], 'GDIHandleCountPeak': [40, ['unsigned long']], 'GDIDcAttrFreeList': [112, ['_LIST_ENTRY']], }], 'tagSERVERINFO': [0xffc, { 'uiShellMsg': [520, ['unsigned long']], 'atomSysClass': [460, ['array', 25, ['unsigned short']]], 'dtScroll': [2276, ['unsigned long']], 'dwKeyCache': [2404, ['unsigned long']], 'atomIconSmProp': [964, ['unsigned short']], 'argbSystemUnmatched': [1876, ['array', 31, ['unsigned long']]], 'atomContextHelpIdProp': [968, ['unsigned short']], 'cySysFontChar': [2308, ['long']], 'mpFnid_serverCBWndProc': [164, ['array', 31, ['unsigned short']]], 'PUSIFlags': [3928, ['unsigned long']], 'dtLBSearch': [2280, ['unsigned long']], 'tmSysFont': [2312, ['tagTEXTMETRICW']], 'ahbrSystem': [2124, ['array', 31, ['pointer', ['HBRUSH__']]]], 'dwDefaultHeapSize': [516, ['unsigned long']], 'dwSRVIFlags': [0, ['unsigned long']], 'BitsPixel': [3925, ['unsigned char']], 'wMaxLeftOverlapChars': [2296, ['long']], 'dwLastSystemRITEventTickCountUpdate': [3940, ['unsigned long']], 'dpiSystem': [2372, ['tagDPISERVERINFO']], 'hIcoWindows': [2400, ['pointer', ['HICON__']]], 'dwAsyncKeyCache': [2408, ['unsigned long']], 'dwTagCount': [4084, ['unsigned long']], 'adwDBGTAGFlags': [3944, ['array', 35, ['unsigned long']]], 'aiSysMet': [1488, ['array', 97, 
['long']]], 'acAnsiToOem': [1228, ['array', 256, ['unsigned char']]], 'aStoCidPfn': [136, ['array', 7, ['pointer', ['void']]]], 'dwLastRITEventTickCount': [2268, ['unsigned long']], 'cbHandleTable': [456, ['unsigned long']], 'atomFrostedWindowProp': [970, ['unsigned short']], 'ucWheelScrollLines': [2288, ['unsigned long']], 'ptCursorReal': [2260, ['tagPOINT']], 'ucWheelScrollChars': [2292, ['unsigned long']], 'acOemToAnsi': [972, ['array', 256, ['unsigned char']]], 'hbrGray': [2248, ['pointer', ['HBRUSH__']]], 'BitCount': [3920, ['unsigned short']], 'argbSystem': [2000, ['array', 31, ['unsigned long']]], 'dtCaretBlink': [2284, ['unsigned long']], 'dwInstalledEventHooks': [1484, ['unsigned long']], 'cxSysFontChar': [2304, ['long']], 'wMaxRightOverlapChars': [2300, ['long']], 'oembmi': [2416, ['array', 93, ['tagOEMBITMAPINFO']]], 'apfnClientWorker': [412, ['_PFNCLIENTWORKER']], 'dwDefaultHeapBase': [512, ['unsigned long']], 'apfnClientA': [228, ['_PFNCLIENT']], 'dmLogPixels': [3922, ['unsigned short']], 'nEvents': [2272, ['long']], 'atomIconProp': [966, ['unsigned short']], 'Planes': [3924, ['unsigned char']], 'apfnClientW': [320, ['_PFNCLIENT']], 'MBStrings': [524, ['array', 11, ['tagMBSTRING']]], 'UILangID': [3936, ['unsigned short']], 'dwRIPFlags': [4088, ['unsigned long']], 'uCaretWidth': [3932, ['unsigned long']], 'cCaptures': [2412, ['unsigned long']], 'cHandleEntries': [4, ['unsigned long']], 'ptCursor': [2252, ['tagPOINT']], 'hIconSmWindows': [2396, ['pointer', ['HICON__']]], 'mpFnidPfn': [8, ['array', 32, ['pointer', ['void']]]], 'rcScreenReal': [3904, ['tagRECT']], }], '_D3DKMDT_VIDEO_SIGNAL_INFO': [0x2c, { 'VSyncFreq': [20, ['_D3DDDI_RATIONAL']], 'ActiveSize': [12, ['_D3DKMDT_2DREGION']], 'PixelRate': [36, ['unsigned long']], 'TotalSize': [4, ['_D3DKMDT_2DREGION']], 'VideoStandard': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VSS_UNINITIALIZED', 1: 'D3DKMDT_VSS_VESA_DMT', 2: 'D3DKMDT_VSS_VESA_GTF', 3: 'D3DKMDT_VSS_VESA_CVT', 4: 
'D3DKMDT_VSS_IBM', 5: 'D3DKMDT_VSS_APPLE', 6: 'D3DKMDT_VSS_NTSC_M', 7: 'D3DKMDT_VSS_NTSC_J', 8: 'D3DKMDT_VSS_NTSC_443', 9: 'D3DKMDT_VSS_PAL_B', 10: 'D3DKMDT_VSS_PAL_B1', 11: 'D3DKMDT_VSS_PAL_G', 12: 'D3DKMDT_VSS_PAL_H', 13: 'D3DKMDT_VSS_PAL_I', 14: 'D3DKMDT_VSS_PAL_D', 15: 'D3DKMDT_VSS_PAL_N', 16: 'D3DKMDT_VSS_PAL_NC', 17: 'D3DKMDT_VSS_SECAM_B', 18: 'D3DKMDT_VSS_SECAM_D', 19: 'D3DKMDT_VSS_SECAM_G', 20: 'D3DKMDT_VSS_SECAM_H', 21: 'D3DKMDT_VSS_SECAM_K', 22: 'D3DKMDT_VSS_SECAM_K1', 23: 'D3DKMDT_VSS_SECAM_L', 24: 'D3DKMDT_VSS_SECAM_L1', 25: 'D3DKMDT_VSS_EIA_861', 26: 'D3DKMDT_VSS_EIA_861A', 27: 'D3DKMDT_VSS_EIA_861B', 28: 'D3DKMDT_VSS_PAL_K', 29: 'D3DKMDT_VSS_PAL_K1', 30: 'D3DKMDT_VSS_PAL_L', 31: 'D3DKMDT_VSS_PAL_M', 255: 'D3DKMDT_VSS_OTHER'}}]], 'ScanLineOrdering': [40, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_VSSLO_UNINITIALIZED', 1: 'D3DDDI_VSSLO_PROGRESSIVE', 2: 'D3DDDI_VSSLO_INTERLACED_UPPERFIELDFIRST', 3: 'D3DDDI_VSSLO_INTERLACED_LOWERFIELDFIRST', 255: 'D3DDDI_VSSLO_OTHER'}}]], 'HSyncFreq': [28, ['_D3DDDI_RATIONAL']], }], '__unnamed_11dd': [0x8, { 'FsInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'}}]], 'Length': [0, ['unsigned long']], }], '__unnamed_11df': [0x10, { 'Type3InputBuffer': [12, ['pointer', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'FsControlCode': [8, ['unsigned long']], 'InputBufferLength': [4, ['unsigned long']], }], 'D3DDDI_DXGI_RGB': [0xc, { 'Blue': [8, ['float']], 'Green': [4, ['float']], 'Red': [0, ['float']], }], '_MAGNIFICATION_INPUT_TRANSFORM': [0x2c, { 'rcScreen': [16, ['tagRECT']], 'magFactorX': [36, ['long']], 'magFactorY': [40, ['long']], 
'ptiMagThreadInfo': [32, ['pointer', ['tagTHREADINFO']]], 'rcSource': [0, ['tagRECT']], }], '_D3DKMDT_MONITOR_FREQUENCY_RANGE': [0x30, { 'Origin': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'ConstraintType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MFRC_UNINITIALIZED', 1: 'D3DKMDT_MFRC_ACTIVESIZE', 2: 'D3DKMDT_MFRC_MAXPIXELRATE'}}]], 'RangeLimits': [4, ['_D3DKMDT_FREQUENCY_RANGE']], 'Constraint': [40, ['__unnamed_1633']], }], '_PFNCLIENTWORKER': [0x2c, { 'pfnComboBoxWndProc': [4, ['pointer', ['void']]], 'pfnMDIClientWndProc': [24, ['pointer', ['void']]], 'pfnDialogWndProc': [12, ['pointer', ['void']]], 'pfnStaticWndProc': [28, ['pointer', ['void']]], 'pfnCtfHookProc': [40, ['pointer', ['void']]], 'pfnButtonWndProc': [0, ['pointer', ['void']]], 'pfnImeWndProc': [32, ['pointer', ['void']]], 'pfnEditWndProc': [16, ['pointer', ['void']]], 'pfnListBoxWndProc': [20, ['pointer', ['void']]], 'pfnGhostWndProc': [36, ['pointer', ['void']]], 'pfnComboListBoxProc': [8, ['pointer', ['void']]], }], '_D3DDDI_GAMMA_RAMP_DXGI_1': [0x3024, { 'GammaCurve': [24, ['array', 1025, ['D3DDDI_DXGI_RGB']]], 'Scale': [0, ['D3DDDI_DXGI_RGB']], 'Offset': [12, ['D3DDDI_DXGI_RGB']], }], '_DXGK_DIAG_HEADER': [0x30, { 'Index': [40, ['unsigned long']], 'ProcessName': [16, ['array', 16, ['unsigned char']]], 'LogTimestamp': [8, ['unsigned long long']], 'ThreadId': [32, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_TYPE_NONE', 1: 'DXGK_DIAG_TYPE_SDC', 2: 'DXGK_DIAG_TYPE_HPD', 3: 'DXGK_DIAG_TYPE_DC_ORIGIN', 4: 'DXGK_DIAG_TYPE_USER_CDS', 5: 'DXGK_DIAG_TYPE_DRV_CDS', 6: 'DXGK_DIAG_TYPE_CODE_POINT', 7: 'DXGK_DIAG_TYPE_QDC', 8: 'DXGK_DIAG_TYPE_MONITOR_MGR', 9: 
'DXGK_DIAG_TYPE_CONNECTEDSET_NOT_FOUND', 10: 'DXGK_DIAG_TYPE_DISPDIAG_COLLECTED', 11: 'DXGK_DIAG_TYPE_BML_PACKET', 12: 'DXGK_DIAG_TYPE_BML_PACKET_EX', 13: 'DXGK_DIAG_TYPE_COMMIT_VIDPN_FAILED', 14: 'DXGK_DIAG_TYPE_MAX', -1: 'DXGK_DIAG_TYPE_FORCE_UINT32'}}]], 'WdLogIdx': [44, ['unsigned long']], 'Size': [4, ['unsigned long']], }], '_SM_VALUES_STRINGS': [0x10, { 'StorageType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'SmStorageActual', 1: 'SmStorageNonActual'}}]], 'pszName': [0, ['pointer', ['unsigned char']]], 'ulValue': [4, ['unsigned long']], 'RangeType': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'SmRangeSharedInfo', 1: 'SmRangeNonSharedInfo', 2: 'SmRangeBool'}}]], }], 'tagTERMINAL': [0x20, { 'spwndDesktopOwner': [4, ['pointer', ['tagWND']]], 'dwTERMF_Flags': [0, ['unsigned long']], 'dwNestedLevel': [16, ['unsigned long']], 'pqDesktop': [12, ['pointer', ['tagQ']]], 'pEventInputReady': [28, ['pointer', ['_KEVENT']]], 'rpdeskDestroy': [24, ['pointer', ['tagDESKTOP']]], 'ptiDesktop': [8, ['pointer', ['tagTHREADINFO']]], 'pEventTermInit': [20, ['pointer', ['_KEVENT']]], }], 'tagMENULIST': [0x8, { 'pMenu': [4, ['pointer', ['tagMENU']]], 'pNext': [0, ['pointer', ['tagMENULIST']]], }], '__unnamed_11d5': [0x8, { 'CompletionFilter': [4, ['unsigned long']], 'Length': [0, ['unsigned long']], }], '__unnamed_11d7': [0x8, { 'Length': [0, ['unsigned long']], 'FileInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 
'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], }], '__unnamed_11d3': [0x10, { 'Length': [0, ['unsigned long']], 'FileIndex': [12, ['unsigned long']], 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 
'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'FileName': [4, ['pointer', ['_UNICODE_STRING']]], }], 'tagPOINT': [0x8, { 'y': [4, ['long']], 'x': [0, ['long']], }], 'tagSHAREDINFO': [0x11c, { 'psi': [0, ['pointer', ['tagSERVERINFO']]], 'DefWindowSpecMsgs': [276, ['_WNDMSG']], 'awmControl': [20, ['array', 31, ['_WNDMSG']]], 'ulSharedDelta': [16, ['unsigned long']], 'pDispInfo': [12, ['pointer', ['tagDISPLAYINFO']]], 'aheList': [4, ['pointer', ['_HANDLEENTRY']]], 'DefWindowMsgs': [268, ['_WNDMSG']], 'HeEntrySize': [8, ['unsigned long']], }], 'tagIMC': [0x20, { 'dwClientImcData': [24, ['unsigned long']], 'head': [0, ['_THRDESKHEAD']], 'hImeWnd': [28, 
['pointer', ['HWND__']]], 'pImcNext': [20, ['pointer', ['tagIMC']]], }], 'tagKL': [0x44, { 'uNumTbl': [48, ['unsigned long']], 'pklPrev': [12, ['pointer', ['tagKL']]], 'head': [0, ['_HEAD']], 'pklNext': [8, ['pointer', ['tagKL']]], 'spkfPrimary': [28, ['pointer', ['tagKBDFILE']]], 'dwFontSigs': [32, ['unsigned long']], 'dwLastKbdType': [56, ['unsigned long']], 'CodePage': [40, ['unsigned short']], 'dwKL_Flags': [16, ['unsigned long']], 'iBaseCharset': [36, ['unsigned long']], 'dwKLID': [64, ['unsigned long']], 'spkf': [24, ['pointer', ['tagKBDFILE']]], 'piiex': [44, ['pointer', ['tagIMEINFOEX']]], 'hkl': [20, ['pointer', ['HKL__']]], 'pspkfExtra': [52, ['pointer', ['pointer', ['tagKBDFILE']]]], 'wchDiacritic': [42, ['wchar']], 'dwLastKbdSubType': [60, ['unsigned long']], }], 'tagCARET': [0x38, { 'iHideLevel': [8, ['long']], 'yOwnDc': [44, ['long']], 'y': [16, ['long']], 'cy': [20, ['long']], 'cx': [24, ['long']], 'hBitmap': [28, ['pointer', ['HBITMAP__']]], 'cyOwnDc': [52, ['long']], 'fOn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'hTimer': [32, ['unsigned long']], 'xOwnDc': [40, ['long']], 'fVisible': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'cxOwnDc': [48, ['long']], 'tid': [36, ['unsigned long']], 'x': [12, ['long']], 'spwnd': [0, ['pointer', ['tagWND']]], }], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/vtypes/xp.py0000644000000000000000000003763313131215405024151 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (C) 2010,2011,2012 Michael Hale Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

import volatility.obj as obj
import volatility.plugins.gui.constants as consts

class XP2003x86BaseVTypes(obj.ProfileModification):
    """Applies to everything x86 before Windows 7.

    Adds hand-written definitions of win32k GUI structures (window
    stations, desktops, windows, classes, hooks, message queues, clipboard
    entries and the shared handle table) to a matching profile.
    """

    def check(self, profile):
        """Return True when this modification applies to ``profile``.

        The profile metadata must name 'windows' as the OS, carry a
        (major, minor) version below (6, 1) and use the '32bit' memory
        model.  A missing 'major' or 'minor' defaults to 0 and a missing
        'memory_model' defaults to '32bit', so a Windows profile without
        those keys is accepted as well.
        """
        m = profile.metadata
        version = (m.get('major', 0), m.get('minor', 0))
        return (m.get('os', None) == 'windows' and
                version < (6, 1) and
                m.get('memory_model', '32bit') == '32bit')

    def modification(self, profile):
        """Install the x86 GUI structure definitions into ``profile.vtypes``.

        Each entry has the form ``name: [size, {member: [offset, type]}]``.
        The size is None for several structures.  Because dict.update() is
        used, an entry already present under the same name is replaced as a
        whole rather than merged member by member.

        NOTE(review): every offset here is a fixed constant and some
        structures are marked below as taken from Windows 7 layouts, so
        results on a given XP/2003/Vista build should presumably be
        cross-checked before they are relied on as evidence.
        """
        profile.vtypes.update({
            'tagWINDOWSTATION' : [ 0x5C, {
            'dwSessionId' : [ 0x0, ['unsigned long']],
            'rpwinstaNext' : [ 0x4, ['pointer', ['tagWINDOWSTATION']]],
            'rpdeskList' : [ 0x8, ['pointer', ['tagDESKTOP']]],
            'dwWSF_Flags' : [ 0x10, ['unsigned long']],
            'ptiDrawingClipboard' : [ 0x1C, ['pointer', ['tagTHREADINFO']]],
            'spwndClipOpen' : [ 0x20, ['pointer', ['tagWND']]],
            'spwndClipViewer' : [ 0x24, ['pointer', ['tagWND']]],
            'spwndClipOwner' : [ 0x28, ['pointer', ['tagWND']]],
            # The array length is read from cNumClipFormats of the same
            # object, i.e. from the memory image being analysed.
            # NOTE(review): presumably the consumer bounds this count - confirm.
            'pClipBase' : [ 0x2C, ['pointer', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]],
            'cNumClipFormats' : [ 0x30, ['unsigned int']],
            'iClipSerialNumber' : [ 0x34, ['unsigned int']],
            'iClipSequenceNumber' : [ 0x38, ['unsigned int']],
            #'spwndClipboardListener' : [ 0x3C, ['pointer', ['tagWND']]],
            'pGlobalAtomTable' : [ 0x40, ['pointer', ['void']]],
            }],
            ## This is defined in Windows 7
            'tagCLIP' : [ 12, {
            'fmt' : [ 0, ['Enumeration', dict(target = 'unsigned long', choices = consts.CLIPBOARD_FORMAT_ENUM)]],
            'hData' : [ 4, ['unsigned int']],
            'fGlobalHandle' : [ 8, ['unsigned int']],
            }],
            'tagDESKTOP' : [ 0x84, {
            'dwSessionId' : [ 0x0, ['unsigned long']],
            'pDeskInfo' : [ 0x4, ['pointer', ['tagDESKTOPINFO']]],
            'rpdeskNext' : [ 0xc, ['pointer', ['tagDESKTOP']]],
            'rpwinstaParent' : [ 0x10, ['pointer', ['tagWINDOWSTATION']]],
            'hsectionDesktop' : [ 0x40, ['pointer', ['void']]],
            'pheapDesktop' : [ 0x44, ['pointer', ['tagWIN32HEAP']]],
            'PtiList' : [ 0x64, ['_LIST_ENTRY']],
            }],
            'tagTHREADINFO' : [ None, { # Same as Win32Thread
            'pEThread' : [ 0x00, ['pointer', ['_ETHREAD']]],
            'ppi' : [ 0x2C, ['pointer', ['tagPROCESSINFO']]],
            'pq' : [ 0x30, ['pointer', ['tagQ']]],
            'pDeskInfo' : [ 0x40, ['pointer', ['tagDESKTOPINFO']]],
            'PtiLink' : [ 0xAC, ['_LIST_ENTRY']],
            'fsHooks' : [ 0x98, ['unsigned long']],
            'aphkStart' : [ 0xF4, ['array', 16, ['pointer', ['tagHOOK']]]],
            }],
            'tagQ' : [ None, {
            'mlInput' : [ 0x00, ['tagMLIST']],
            }],
            'tagMLIST' : [ None, {
            'pqmsgRead' : [ 0x00, ['pointer', ['tagQMSG']]],
            'cMsgs' : [ 0x08, ['unsigned long']],
            }],
            'tagQMSG' : [ None, {
            'pqmsgNext' : [ 0x00, ['pointer', ['tagQMSG']]],
            'pqmsgPrev' : [ 0x04, ['pointer', ['tagQMSG']]],
            'msg' : [ 0x08, ['tagMSG']],
            }],
            'tagMSG' : [ None, {
            'hwnd' : [ 0x00, ['unsigned long']],
            'message' : [ 0x04, ['unsigned long']],
            'wParam' : [ 0x08, ['unsigned long']],
            'lParam' : [ 0x0C, ['unsigned long']],
            'time' : [ 0x10, ['unsigned long']],
            'pt' : [ 0x14, ['tagPOINT']],
            }],
            'tagPOINT' : [ None, {
            'x' : [ 0x00, ['long']],
            'y' : [ 0x04, ['long']],
            }],
            'tagHOOK' : [ None, {
            'head' : [ 0x0, ['_THRDESKHEAD']],
            'phkNext' : [ 0x14, ['pointer', ['tagHOOK']]],
            'iHook' : [ 0x18, ['long']],
            'offPfn' : [ 0x1c, ['unsigned long']],
            'flags': [ 0x20, ['Flags', {'bitmap': consts.HOOK_FLAGS}]],
            'ihmod' : [ 0x24, ['long']],
            'ptiHooked' : [ 0x28, ['pointer', ['tagTHREADINFO']]],
            'rpdesk' : [ 0x2c, ['pointer', ['tagDESKTOP']]],
            }],
            'tagDESKTOPINFO' : [ None, {
            'pvDesktopBase' : [ 0x0, ['pointer', ['void']]],
            'pvDesktopLimit' : [ 0x4, ['pointer', ['void']]],
            'spwnd' : [ 0x08, ['pointer', ['tagWND']]],
            'fsHooks' : [ 0x0c, ['unsigned long']],
            'aphkStart' : [ 0x10, ['array', 16, ['pointer', ['tagHOOK']]]],
            }],
            'tagSERVERINFO' : [ 0xffc, {
            'cHandleEntries' : [ 8, ['unsigned long']],
            'cbHandleTable' : [ 0x1bc, ['unsigned long']],
            }],
            'tagSHAREDINFO' : [ 0x11c, { # From Win7SP0x86
            'psi' : [ 0x0, ['pointer', ['tagSERVERINFO']]],
            'aheList' : [ 0x4, ['pointer', ['_HANDLEENTRY']]],
            'ulSharedDelta' : [ 0xC, ['unsigned long']],
            }],
            '_HANDLEENTRY' : [ 0xc, { # From Win7SP0x86
            'phead' : [ 0x0, ['pointer', ['_HEAD']]],
            'pOwner' : [ 0x4, ['pointer', ['void']]],
            'bType': [ 8, ['Enumeration', dict(target = 'unsigned char', choices = consts.HANDLE_TYPE_ENUM)]],
            'bFlags' : [ 0x9, ['unsigned char']],
            'wUniq' : [ 0xa, ['unsigned short']],
            }],
            '_HEAD' : [ 0x8, { # From Win7SP0x86
            'h' : [ 0x0, ['pointer', ['void']]],
            'cLockObj' : [ 0x4, ['unsigned long']],
            }],
            'tagPROCESSINFO' : [ None, {
            'Process' : [ 0x0, ['pointer', ['_EPROCESS']]],
            }],
            '_THRDESKHEAD' : [ 0x14, {
            'h' : [ 0x0, ['pointer', ['void']]],
            'cLockObj' : [ 0x4, ['unsigned long']],
            'pti' : [ 0x8, ['pointer', ['tagTHREADINFO']]],
            'rpdesk' : [ 0xc, ['pointer', ['tagDESKTOP']]],
            'pSelf' : [ 0x10, ['pointer', ['unsigned char']]],
            }],
            'tagCLS' : [ 0x5c, {
            'pclsNext' : [ 0x0, ['pointer', ['tagCLS']]],
            'atomClassName' : [ 0x4, ['unsigned short']],
            'atomNVClassName' : [ 0x6, ['unsigned short']],
            }],
            'tagRECT' : [ 0x10, {
            'left' : [ 0x0, ['long']],
            'top' : [ 0x4, ['long']],
            'right' : [ 0x8, ['long']],
            'bottom' : [ 0xc, ['long']],
            }],
            'tagWND' : [ 0xA4, {
            'head' : [ 0x0, ['_THRDESKHEAD']],
            'ExStyle' : [ 0x1c, ['unsigned long']],
            'style' : [ 0x20, ['unsigned long']],
            'hModule' : [ 0x24, ['pointer', ['void']]],
            'spwndNext' : [ 0x2c, ['pointer', ['tagWND']]],
            'spwndPrev' : [ 0x30, ['pointer', ['tagWND']]],
            'spwndParent' : [ 0x34, ['pointer', ['tagWND']]],
            'spwndChild' : [ 0x38, ['pointer', ['tagWND']]],
            'spwndOwner' : [ 0x3c, ['pointer', ['tagWND']]],
            'rcWindow' : [ 0x40, ['tagRECT']],
            'rcClient' : [ 0x50, ['tagRECT']],
            'lpfnWndProc' : [ 0x60, ['pointer', ['void']]],
            'pcls' : [ 0x64, ['pointer', ['tagCLS']]],
            'strName' : [ 0x80, ['_LARGE_UNICODE_STRING']],
            'cbwndExtra' : [ 0x8C, ['long']],
            'dwUserData' : [ 0x98, ['unsigned long']],
            }],
            '_LARGE_UNICODE_STRING' : [ 0xc, {
            'Length' : [ 0x0, ['unsigned long']],
            # MaximumLength (bits 0-30) and bAnsi (bit 31) share the field at 0x4.
            'MaximumLength' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 31)]],
            'bAnsi' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32)]],
            'Buffer' : [ 0x8, ['pointer', ['unsigned short']]],
            }],
        })

class XP2003x64BaseVTypes(obj.ProfileModification):
    """Applies to Windows XP and 2003 x64.

    Adds the 64-bit layouts of the same win32k GUI structures that
    XP2003x86BaseVTypes describes for 32-bit profiles.
    """

    # Metadata predicates: OS is 'windows', memory model is '64bit' and the
    # major version is below 6.  How they are evaluated is defined by
    # obj.ProfileModification, which is not part of this file.
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x < 6}

    def modification(self, profile):
        """Install the x64 GUI structure definitions into ``profile.vtypes``.

        Entries have the form ``name: [size, {member: [offset, type]}]``
        and replace any same-named entry already in the profile, because
        dict.update() is used.  The trailing comments on members name
        win32k routines; presumably these are where the original author
        confirmed the offset.

        NOTE(review): several structures are marked "From Win7 x64" or
        "From Windows 7"; whether those layouts hold on a particular
        XP/2003 x64 build should be verified before results are trusted.
        """
        profile.vtypes.update({
            'tagWINDOWSTATION' : [ 0x90, { # !poolfind Wind is 100h
            'dwSessionId' : [ 0x0, ['unsigned long']],
            'rpwinstaNext' : [ 0x8, ['pointer64', ['tagWINDOWSTATION']]], # FreeWindowStation
            'rpdeskList' : [ 0x10, ['pointer64', ['tagDESKTOP']]],
            'dwWSF_Flags' : [ 0x20, ['unsigned long']], # FreeWindowStation
            'ptiDrawingClipboard' : [ 0x38, ['pointer64', ['tagTHREADINFO']]], # xxxDrawClipboard
            'spwndClipOpen' : [ 0x40, ['pointer64', ['tagWND']]],
            'spwndClipViewer' : [ 0x48, ['pointer64', ['tagWND']]],
            'spwndClipOwner' : [ 0x50, ['pointer64', ['tagWND']]],
            # Array length comes from cNumClipFormats of the same object,
            # i.e. from the memory image being analysed.
            'pClipBase' : [ 0x58, ['pointer64', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]], # InternalSetClipboardData
            'cNumClipFormats' : [ 0x60, ['unsigned int']], # InternalSetClipboardData
            'iClipSerialNumber' : [ 0x64, ['unsigned int']], # InternalSetClipboardData
            'iClipSequenceNumber' : [ 0x68, ['unsigned int']], # InternalSetClipboardData
            'pGlobalAtomTable' : [ 0x70, ['pointer64', ['void']]],
            }],
            # From Windows 7
            'tagCLIP' : [ 0x18, {
            'fmt' : [ 0x0, ['Enumeration', dict(target = 'unsigned long', choices = consts.CLIPBOARD_FORMAT_ENUM)]],
            'hData' : [ 0x8, ['pointer64', ['void']]],
            'fGlobalHandle' : [ 0x10, ['long']],
            }],
            'tagDESKTOP' : [ 0xd0, { # !poolfind Desk is 140h
            'dwSessionId' : [ 0x0, ['unsigned long']],
            'pDeskInfo' : [ 0x8, ['pointer64', ['tagDESKTOPINFO']]], # xxxCreateDesktop
            'rpdeskNext' : [ 0x18, ['pointer64', ['tagDESKTOP']]], # ParseDesktop
            'rpwinstaParent' : [ 0x20, ['pointer64', ['tagWINDOWSTATION']]],
            'hsectionDesktop' : [ 0x70, ['pointer64', ['void']]], # MapDesktop
            'pheapDesktop' : [ 0x78, ['pointer64', ['tagWIN32HEAP']]], # DesktopAlloc
            'PtiList' : [ 0xa0, ['_LIST_ENTRY']], # zzzJournalAttach
            }],
            'tagTHREADINFO' : [ None, {
            # NOTE(review): 'pointer' here while sibling members use
            # 'pointer64' - confirm both resolve identically on x64 profiles.
            'pEThread' : [ 0x00, ['pointer', ['_ETHREAD']]],
            'ppi' : [ 0x68, ['pointer64', ['tagPROCESSINFO']]], # xxxSetThreadDesktop
            #'pq' : [ 0x30, ['pointer', ['tagQ']]],
            'pDeskInfo' : [ 0x90, ['pointer64', ['tagDESKTOPINFO']]], # xxxDesktopThread
            'PtiLink' : [ 0x160, ['_LIST_ENTRY']],
            'fsHooks' : [ 0x138, ['unsigned long']], # xxxSetThreadDesktop, CheckWHFBits
            'aphkStart' : [ 0x140, ['array', 16, ['pointer64', ['tagHOOK']]]],
            }],
            'tagDESKTOPINFO' : [ None, {
            'pvDesktopBase' : [ 0x0, ['pointer64', ['void']]],
            'pvDesktopLimit' : [ 0x8, ['pointer64', ['void']]],
            'spwnd' : [ 0x10, ['pointer64', ['tagWND']]],
            'fsHooks' : [ 0x18, ['unsigned long']], # CheckWHFBits
            'aphkStart' : [ 0x20, ['array', 16, ['pointer64', ['tagHOOK']]]],
            }],
            'tagWND' : [ None, {
            'head' : [ 0x0, ['_THRDESKHEAD']],
            'ExStyle' : [ 0x30, ['unsigned long']], # xxxCreateWindowEx
            'style' : [ 0x34, ['unsigned long']], # xxxCreateWindowEx
            'spwndNext' : [ 0x48, ['pointer64', ['tagWND']]],
            'spwndPrev' : [ 0x50, ['pointer64', ['tagWND']]],
            'spwndParent' : [ 0x58, ['pointer64', ['tagWND']]],
            'spwndChild' : [ 0x60, ['pointer64', ['tagWND']]],
            'spwndOwner' : [ 0x68, ['pointer64', ['tagWND']]],
            'rcWindow' : [ 0x70, ['tagRECT']],
            'rcClient' : [ 0x80, ['tagRECT']],
            'lpfnWndProc' : [ 0x90, ['pointer64', ['void']]],
            'pcls' : [ 0x98, ['pointer64', ['tagCLS']]], # HMChangeOwnerThread
            'strName' : [ 0xd0, ['_LARGE_UNICODE_STRING']],
            }],
            'tagRECT' : [ 0x10, {
            'left' : [ 0x0, ['long']],
            'top' : [ 0x4, ['long']],
            'right' : [ 0x8, ['long']],
            'bottom' : [ 0xc, ['long']],
            }],
            'tagCLS' : [ None, {
            'pclsNext' : [ 0x0, ['pointer64', ['tagCLS']]],
            'atomClassName' : [ 0x8, ['unsigned short']], # HMChangeOwnerThread
            'atomNVClassName' : [ 0xA, ['unsigned short']],
            }],
            # From Win7 x64
            '_LARGE_UNICODE_STRING' : [ 0x10, {
            'Length' : [ 0x0, ['unsigned long']],
            # MaximumLength (bits 0-30) and bAnsi (bit 31) share the field at 0x4.
            'MaximumLength' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 31, native_type = 'unsigned long')]],
            'bAnsi' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type = 'unsigned long')]],
            'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]],
            }],
            # From Win7 x64
            '_THRDESKHEAD' : [ 0x28, {
            'h' : [ 0x0, ['pointer64', ['void']]],
            'cLockObj' : [ 0x8, ['unsigned long']],
            'pti' : [ 0x10, ['pointer64', ['tagTHREADINFO']]],
            'rpdesk' : [ 0x18, ['pointer64', ['tagDESKTOP']]],
            'pSelf' : [ 0x20, ['pointer64', ['unsigned char']]],
            }],
            # From Win7 x64
            'tagSHAREDINFO' : [ None, {
            'psi' : [ 0x0, ['pointer64', ['tagSERVERINFO']]],
            'aheList' : [ 0x8, ['pointer64', ['_HANDLEENTRY']]],
            #'HeEntrySize' : [ 0x10, ['unsigned long']],
            #'pDispInfo' : [ 0x18, ['pointer64', ['tagDISPLAYINFO']]],
            'ulSharedDelta' : [ 0x18, ['unsigned long long']],
            #'awmControl' : [ 0x28, ['array', 31, ['_WNDMSG']]],
            #'DefWindowMsgs' : [ 0x218, ['_WNDMSG']],
            #'DefWindowSpecMsgs' : [ 0x228, ['_WNDMSG']],
            }],
            # From Win7 x64
            '_HANDLEENTRY' : [ 0x18, {
            'phead' : [ 0x0, ['pointer64', ['_HEAD']]],
            'pOwner' : [ 0x8, ['pointer64', ['void']]],
            'bType': [ 0x10, ['Enumeration', dict(target = 'unsigned char', choices = consts.HANDLE_TYPE_ENUM)]],
            'bFlags' : [ 0x11, ['unsigned char']],
            'wUniq' : [ 0x12, ['unsigned short']],
            }],
            # From Win7 x64
            '_HEAD' : [ 0x10, {
            'h' : [ 0x0, ['pointer64', ['void']]],
            'cLockObj' : [ 0x8, ['unsigned long']],
            }],
            'tagSERVERINFO' : [ None, {
            'cHandleEntries' : [ 8, ['unsigned long']],
            'cbHandleTable' : [ 0x330, ['unsigned long']], # HMInitHandleTable
            }],
            'tagPROCESSINFO' : [ None, {
            # NOTE(review): 'pointer' rather than 'pointer64' - confirm, as above.
            'Process' : [ 0x0, ['pointer', ['_EPROCESS']]],
            }],
            # From Win7 x64
            'tagHOOK' : [ 0x60, {
            'head' : [ 0x0, ['_THRDESKHEAD']],
            'phkNext' : [ 0x28, ['pointer64', ['tagHOOK']]],
            'iHook' : [ 0x30, ['long']],
            'offPfn' : [ 0x38, ['unsigned long long']],
            'flags': [ 0x40, ['Flags', {'bitmap': consts.HOOK_FLAGS}]],
            'ihmod' : [ 0x44, ['long']],
            'ptiHooked' : [ 0x48, ['pointer64', ['tagTHREADINFO']]],
            'rpdesk' : [ 0x50, ['pointer64', ['tagDESKTOP']]],
            # nTimeout (bits 0-6) and fLastHookHung (bit 7) share the field at 0x58.
            'nTimeout' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 7, native_type = 'unsigned long')]],
            'fLastHookHung' : [ 0x58, ['BitField', dict(start_bit = 7, end_bit = 8, native_type = 'long')]],
            }],
        })
volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/vtypes/win7_sp1_x86_vtypes_gui.py0000644000000000000000000035650613131215405030157 0ustar rootrootwin32k_types = { '_HANDLEENTRY': [0xc, { 'pOwner': [4, ['pointer', ['void']]], 'phead': [0, ['pointer', ['_HEAD']]], 'bFlags': [9, ['unsigned char']], 'wUniq': [10, ['unsigned short']], 'bType': [8, ['unsigned char']], }], 'tagTOUCHINPUTINFO': [0x3c, { 'dwcInputs': [12, ['unsigned long']], 'head': [0, ['_THROBJHEAD']], 'uFlags': [16, ['unsigned long']], 'TouchInput': [20, ['array', 1, ['tagTOUCHINPUT']]], }], 'tagHOOK': [0x34, { 'head': [0, ['_THRDESKHEAD']], 'offPfn': [28, ['unsigned long']], 'flags': [32, ['unsigned long']], 'fLastHookHung': [48, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'nTimeout': [48, ['BitField', {'end_bit': 7, 'start_bit': 0}]], 'ihmod': [36, ['long']], 'iHook': [24, ['long']], 'ptiHooked': [40, ['pointer', ['tagTHREADINFO']]], 'phkNext': [20, ['pointer', ['tagHOOK']]], 'rpdesk': [44, ['pointer', ['tagDESKTOP']]], }], 'DEADKEY': [0x8, { 'wchComposed': [4, ['wchar']], 'dwBoth': [0, ['unsigned long']], 'uFlags': [6, ['unsigned short']], }], '__unnamed_179f': [0x4, { 'pRgb256x3x16': [0, ['pointer', ['_D3DDDI_GAMMA_RAMP_RGB256x3x16']]], 'pRaw': [0, ['pointer', ['void']]], 'pDxgi1': [0, ['pointer', ['_D3DDDI_GAMMA_RAMP_DXGI_1']]], }], '_W32THREAD': [0xb4, { 'pRBRecursionCount': [40, ['unsigned long']], 'iVisRgnUniqueness': [176, ['unsigned long']], 'RefCount': [4, ['unsigned long']], 'pDevHTInfo': [148, ['pointer', ['void']]], 'pUMPDHeap': [24, ['pointer', ['void']]], 'pgdiBrushAttr': [16, ['pointer', ['void']]], 
'ulWindowSystemRendering': [172, ['unsigned long']], 'tlSpriteState': [48, ['_TLSPRITESTATE']], 'pdcoRender': [160, ['pointer', ['void']]], 'bEnableEngUpdateDeviceSurface': [168, ['unsigned char']], 'pdcoAA': [156, ['pointer', ['void']]], 'pNonRBRecursionCount': [44, ['unsigned long']], 'ptlW32': [8, ['pointer', ['_TL']]], 'GdiTmpTgoList': [32, ['_LIST_ENTRY']], 'pUMPDObjs': [20, ['pointer', ['void']]], 'pgdiDcattr': [12, ['pointer', ['void']]], 'bIncludeSprites': [169, ['unsigned char']], 'pEThread': [0, ['pointer', ['_ETHREAD']]], 'pSpriteState': [144, ['pointer', ['void']]], 'ulDevHTInfoUniqueness': [152, ['unsigned long']], 'pdcoSrc': [164, ['pointer', ['void']]], 'pUMPDObj': [28, ['pointer', ['void']]], }], 'tagPROPLIST': [0x10, { 'aprop': [8, ['array', 1, ['tagPROP']]], 'cEntries': [0, ['unsigned long']], 'iFirstFree': [4, ['unsigned long']], }], 'tagDESKTOPINFO': [0x78, { 'spwndProgman': [96, ['pointer', ['tagWND']]], 'pvwplMessagePPHandler': [112, ['pointer', ['VWPL']]], 'pvDesktopLimit': [4, ['pointer', ['void']]], 'fComposited': [116, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'spwndGestureEngine': [108, ['pointer', ['tagWND']]], 'pvDesktopBase': [0, ['pointer', ['void']]], 'spwndShell': [80, ['pointer', ['tagWND']]], 'ppiShellProcess': [84, ['pointer', ['tagPROCESSINFO']]], 'pvwplShellHook': [100, ['pointer', ['VWPL']]], 'fIsDwmDesktop': [116, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'spwndTaskman': [92, ['pointer', ['tagWND']]], 'aphkStart': [16, ['array', 16, ['pointer', ['tagHOOK']]]], 'fsHooks': [12, ['unsigned long']], 'cntMBox': [104, ['long']], 'spwndBkGnd': [88, ['pointer', ['tagWND']]], 'spwnd': [8, ['pointer', ['tagWND']]], }], 'tagDISPLAYINFO': [0x64, { 'hDev': [0, ['pointer', ['void']]], 'SpatialListHead': [88, ['_KLIST_ENTRY']], 'BitCountMax': [78, ['unsigned short']], 'cyGray': [32, ['long']], 'hdcBits': [16, ['pointer', ['HDC__']]], 'fDesktopIsRect': [80, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'hbmGray': [24, ['pointer', 
['HBITMAP__']]], 'pmdev': [4, ['pointer', ['void']]], 'cFullScreen': [96, ['short']], 'cxGray': [28, ['long']], 'dmLogPixels': [76, ['unsigned short']], 'hDevInfo': [8, ['pointer', ['void']]], 'fAnyPalette': [80, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'pspbFirst': [40, ['pointer', ['tagSPB']]], 'pMonitorPrimary': [48, ['pointer', ['tagMONITOR']]], 'Spare0': [98, ['short']], 'pMonitorFirst': [52, ['pointer', ['tagMONITOR']]], 'hdcGray': [20, ['pointer', ['HDC__']]], 'hrgnScreenReal': [72, ['pointer', ['HRGN__']]], 'cMonitors': [44, ['unsigned long']], 'hdcScreen': [12, ['pointer', ['HDC__']]], 'DockThresholdMax': [84, ['unsigned long']], 'rcScreenReal': [56, ['tagRECT']], 'pdceFirst': [36, ['pointer', ['tagDCE']]], }], 'tagTHREADINFO': [0x208, { 'pstrAppName': [220, ['pointer', ['_UNICODE_STRING']]], 'ForceLegacyResizeNCMetr': [280, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'ptl': [180, ['pointer', ['_TL']]], 'timeLast': [236, ['long']], 'DontJournalAttach': [276, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'ppi': [184, ['pointer', ['tagPROCESSINFO']]], 'SendMnuDblClk': [276, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'DDENoSync': [280, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'EditNoMouseHide': [280, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'pDevHTInfo': [148, ['pointer', ['void']]], 'OpenGLEMF': [280, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'dwCompatFlags': [276, ['unsigned long']], 'hTouchInputCurrent': [492, ['pointer', ['HTOUCHINPUT__']]], 'psmsSent': [224, ['pointer', ['tagSMS']]], 'cVisWindows': [404, ['unsigned long']], 'hPrevHidData': [488, ['pointer', ['void']]], 'fsHooks': [300, ['unsigned long']], 'qwCompatFlags2': [280, ['unsigned long long']], 'NoPaddedBorder': [280, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'NoDrawPatRect': [280, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'ForceTTGrapchis': [276, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'GetDeviceCaps': [276, ['BitField', {'end_bit': 
21, 'start_bit': 20}]], 'pgdiBrushAttr': [16, ['pointer', ['void']]], 'pq': [188, ['pointer', ['tagQ']]], 'ulWindowSystemRendering': [172, ['unsigned long']], 'dwExpWinVer': [272, ['unsigned long']], 'NoSoftCursOnMoveSize': [280, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'psmsReceiveList': [232, ['pointer', ['tagSMS']]], 'sphkCurrent': [304, ['pointer', ['tagHOOK']]], 'No50ExStyles': [280, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'IgnoreFaults': [276, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'pClientInfo': [212, ['pointer', ['tagCLIENTINFO']]], 'pdcoSrc': [164, ['pointer', ['void']]], 'pEventQueueServer': [324, ['pointer', ['_KEVENT']]], 'DealyHwndShakeChk': [276, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'amdesk': [396, ['unsigned long']], 'fsChangeBitsRemoved': [384, ['unsigned short']], 'psmsCurrent': [228, ['pointer', ['tagSMS']]], 'NoBatching': [280, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'StrictLLHook': [280, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'pdcoRender': [160, ['pointer', ['void']]], 'NoShadow': [280, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'EnumHelv': [276, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'fPack': [516, ['BitField', {'end_bit': 28, 'start_bit': 2}]], 'CallTTDevice': [276, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'fsReserveKeys': [388, ['unsigned long']], 'Winver31': [276, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'DisableDBCSProp': [276, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'Win30AvgWidth': [276, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'ptlW32': [8, ['pointer', ['_TL']]], 'AlwaysSendSyncPaint': [276, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'IgnoreNoDiscard': [276, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'NoTimeCbProtect': [280, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'MsShellDlg': [280, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'hEventQueueClient': [320, ['pointer', ['void']]], 'cPaintsReady': [252, ['long']], 
'SubtractClips': [276, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'PtiLink': [328, ['_LIST_ENTRY']], 'DpiAware': [280, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'spklActive': [192, ['pointer', ['tagKL']]], 'bIncludeSprites': [169, ['unsigned char']], 'mlPost': [372, ['tagMLIST']], 'ptLastReal': [348, ['tagPOINT']], 'fThreadCleanupFinished': [516, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'MultipleBands': [276, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'Random31Ux': [276, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'HackWinFlags': [276, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'cti': [472, ['tagCLIENTTHREADINFO']], 'KCOff': [280, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'wParamHkCurrent': [312, ['unsigned long']], 'readyHead': [508, ['_LIST_ENTRY']], 'UsePrintingEscape': [276, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'NoInitFlagsOnFocus': [280, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'ForceTextBand': [276, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'pEThread': [0, ['pointer', ['_ETHREAD']]], 'ptdb': [264, ['pointer', ['tagTDB']]], 'SpareCompatFlags2': [280, ['BitField', {'end_bit': 64, 'start_bit': 33}]], 'cWindows': [400, ['unsigned long']], 'cEnterCount': [368, ['long']], 'fETWReserved': [516, ['BitField', {'end_bit': 32, 'start_bit': 29}]], 'dwCompatFlags2': [280, ['unsigned long']], 'NoEMFSpooling': [276, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'pMenuState': [260, ['pointer', ['tagMENUSTATE']]], 'pRBRecursionCount': [40, ['unsigned long']], 'SmoothScrolling': [276, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'iVisRgnUniqueness': [176, ['unsigned long']], 'RefCount': [4, ['unsigned long']], 'Win31DevModeSize': [276, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pwinsta': [264, ['pointer', ['tagWINDOWSTATION']]], 'pSBTrack': [316, ['pointer', ['tagSBTRACK']]], 'ActiveMenus': [280, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'spwndDefaultIme': [356, ['pointer', ['tagWND']]], 
'NoCustomPaperSize': [280, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'wchInjected': [386, ['wchar']], 'cTimersReady': [256, ['unsigned long']], 'EditSetTextMunge': [276, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'pUMPDHeap': [24, ['pointer', ['void']]], 'fgfSwitchInProgressSetter': [516, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'iCursorLevel': [336, ['long']], 'NoScrollBarCtxMenu': [276, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'ulClientDelta': [208, ['unsigned long']], 'pdcoAA': [156, ['pointer', ['void']]], 'cNestedStableVisRgn': [504, ['unsigned long']], 'TryExceptCallWndProc': [280, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'NcCalcSizeOnMove': [276, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'DisableFontAssoc': [276, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'pcti': [196, ['pointer', ['tagCLIENTTHREADINFO']]], 'MsgPPInfo': [500, ['tagMSGPPINFO']], 'DDE': [280, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ulThreadFlags2': [516, ['unsigned long']], 'tlSpriteState': [48, ['_TLSPRITESTATE']], 'NoCharDeadKey': [280, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'pqAttach': [288, ['pointer', ['tagQ']]], 'TTIgnoreRasterDupe': [276, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'aphkStart': [408, ['array', 16, ['pointer', ['tagHOOK']]]], 'DefaultCharset': [280, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'idLast': [240, ['unsigned long']], 'rpdesk': [200, ['pointer', ['tagDESKTOP']]], 'NoWindowArrangement': [280, ['BitField', {'end_bit': 33, 'start_bit': 32}]], 'AnimationOff': [280, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'No50ExStyleBits': [280, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'TransparentBltMirror': [280, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'DDENoAsyncReg': [280, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bEnableEngUpdateDeviceSurface': [168, ['unsigned char']], 'pDeskInfo': [204, ['pointer', ['tagDESKTOPINFO']]], 'hdesk': [248, ['pointer', ['HDESK__']]], 
'pNonRBRecursionCount': [44, ['unsigned long']], 'MoreExtraWndWords': [276, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'hklPrev': [364, ['pointer', ['HKL__']]], 'NoGhost': [280, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'IgnoreTopMost': [276, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'pmsd': [296, ['pointer', ['_MOVESIZEDATA']]], 'NoHRGN1': [276, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'exitCode': [244, ['long']], 'NoDDETrackDying': [280, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'ptLast': [340, ['tagPOINT']], 'hGestureInfoCurrent': [496, ['pointer', ['HGESTUREINFO__']]], 'GdiTmpTgoList': [32, ['_LIST_ENTRY']], 'pUMPDObjs': [20, ['pointer', ['void']]], 'FontSubs': [280, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'GiveUpForegound': [280, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spDefaultImc': [360, ['pointer', ['tagIMC']]], 'pgdiDcattr': [12, ['pointer', ['void']]], 'TIF_flags': [216, ['unsigned long']], 'apEvent': [392, ['pointer', ['pointer', ['_KEVENT']]]], 'HardwareMixer': [280, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'pUMPDObj': [28, ['pointer', ['void']]], 'pSpriteState': [144, ['pointer', ['void']]], 'EnumTTNotDevice': [276, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'lParamHkCurrent': [308, ['long']], 'ulDevHTInfoUniqueness': [152, ['unsigned long']], 'ptiSibling': [292, ['pointer', ['tagTHREADINFO']]], 'psiiList': [268, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'ForceFusion': [280, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'fSpecialInitialization': [516, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'IncreaseStack': [276, ['BitField', {'end_bit': 23, 'start_bit': 22}]], }], '__unnamed_1262': [0x2c, { 'InitialPrivilegeSet': [0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet': [0, ['_PRIVILEGE_SET']], }], '_D3DKMDT_2DREGION': [0x8, { 'cy': [4, ['unsigned long']], 'cx': [0, ['unsigned long']], }], 'tagMONITOR': [0x64, { 'hDev': [56, ['pointer', ['void']]], 'head': [0, ['_HEAD']], 'hDevReal': [60, 
['pointer', ['void']]], 'rcWorkReal': [32, ['tagRECT']], 'dwMONFlags': [12, ['unsigned long']], 'Spare0': [52, ['short']], 'rcMonitorReal': [16, ['tagRECT']], 'pMonitorNext': [8, ['pointer', ['tagMONITOR']]], 'Flink': [92, ['pointer', ['tagMONITOR']]], 'Blink': [96, ['pointer', ['tagMONITOR']]], 'hrgnMonitorReal': [48, ['pointer', ['HRGN__']]], 'cWndStack': [54, ['short']], 'DockTargets': [64, ['array', 7, ['array', 4, ['unsigned char']]]], }], '__unnamed_18b4': [0x18, { 'Dma': [0, ['__unnamed_18a8']], 'Generic': [0, ['__unnamed_18a2']], 'Memory': [0, ['__unnamed_18a2']], 'BusNumber': [0, ['__unnamed_18aa']], 'Memory48': [0, ['__unnamed_18b0']], 'Memory40': [0, ['__unnamed_18ae']], 'DevicePrivate': [0, ['__unnamed_177b']], 'ConfigData': [0, ['__unnamed_18ac']], 'Memory64': [0, ['__unnamed_18b2']], 'Interrupt': [0, ['__unnamed_18a6']], 'Port': [0, ['__unnamed_18a2']], }], '__unnamed_18b0': [0x18, { 'Length48': [0, ['unsigned long']], 'Alignment48': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION': [0x10c, { 'APSTriggerBits': [4, ['unsigned long']], 'CopyProtectionType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPMT_UNINITIALIZED', 1: 'D3DKMDT_VPPMT_NOPROTECTION', 2: 'D3DKMDT_VPPMT_MACROVISION_APSTRIGGER', 3: 'D3DKMDT_VPPMT_MACROVISION_FULLSUPPORT', 255: 'D3DKMDT_VPPMT_NOTSPECIFIED'}}]], 'CopyProtectionSupport': [264, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT']], 'OEMCopyProtection': [8, ['array', 256, ['unsigned char']]], }], 'tagHID_TLC_INFO': [0x20, { 'cExcludeRequest': [24, ['unsigned long']], 'link': [0, ['_LIST_ENTRY']], 'cExcludeOrphaned': [28, ['unsigned long']], 'cUsagePageRequest': [20, ['unsigned long']], 'usUsagePage': [8, ['unsigned short']], 'cDevices': [12, ['unsigned long']], 'cDirectRequest': [16, ['unsigned long']], 'usUsage': [10, ['unsigned short']], }], '__unnamed_1777': [0xc, { 'Translated': [0, 
['__unnamed_1773']], 'Raw': [0, ['__unnamed_1775']], }], 'HWND__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION': [0x190, { 'TargetMode': [348, ['_D3DKMDT_VIDPN_TARGET_MODE']], 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], }], 'tagQ': [0x108, { 'hwndDblClk': [64, ['pointer', ['HWND__']]], 'timeDblClk': [60, ['unsigned long']], 'spwndFocus': [36, ['pointer', ['tagWND']]], 'ExtraInfo': [256, ['long']], 'cLockCount': [250, ['unsigned short']], 'iCursorLevel': [240, ['long']], 'ptiSysLock': [12, ['pointer', ['tagTHREADINFO']]], 'caret': [180, ['tagCARET']], 'ptiMouse': [24, ['pointer', ['tagTHREADINFO']]], 'spwndActivePrev': [44, ['pointer', ['tagWND']]], 'ptMouseMove': [76, ['tagPOINT']], 'msgDblClk': [52, ['unsigned long']], 'msgJournal': [252, ['unsigned long']], 'ptiKeyboard': [28, ['pointer', ['tagTHREADINFO']]], 'cThreads': [248, ['unsigned short']], 'QF_flags': [244, ['unsigned long']], 'mlInput': [0, ['tagMLIST']], 'spwndActive': [40, ['pointer', ['tagWND']]], 'codeCapture': [48, ['unsigned long']], 'idSysLock': [16, ['unsigned long']], 'spcurCurrent': [236, ['pointer', ['tagCURSOR']]], 'ulEtwReserved1': [260, ['unsigned long']], 'ptDblClk': [68, ['tagPOINT']], 'xbtnDblClk': [56, ['unsigned short']], 'afKeyRecentDown': [84, ['array', 32, ['unsigned char']]], 'afKeyState': [116, ['array', 64, ['unsigned char']]], 'spwndCapture': [32, ['pointer', ['tagWND']]], 'idSysPeek': [20, ['unsigned long']], }], 'tagUSERSTARTUPINFO': [0x1c, { 'wShowWindow': [24, ['unsigned short']], 'dwYSize': [16, ['unsigned long']], 'dwXSize': [12, ['unsigned long']], 'cbReserved2': [26, ['unsigned short']], 'cb': [0, ['unsigned long']], 'dwX': [4, ['unsigned long']], 'dwY': [8, ['unsigned long']], 'dwFlags': [20, ['unsigned long']], }], '_DMM_COMMITVIDPNREQUESTSET_SERIALIZATION': [0x8, { 'CommitVidPnRequestOffset': [4, ['array', 1, ['unsigned long']]], 'NumCommitVidPnRequests': [0, ['unsigned char']], }], '_DMM_MONITORDESCRIPTORSET_SERIALIZATION': 
[0x90, { 'NumDescriptors': [0, ['unsigned char']], 'DescriptorSerialization': [4, ['array', 1, ['_DMM_MONITORDESCRIPTOR_SERIALIZATION']]], }], '_DMM_MONITORSOURCEMODESET_SERIALIZATION': [0x54, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [4, ['array', 1, ['_DMM_MONITOR_SOURCE_MODE_SERIALIZATION']]], }], '_VK_FUNCTION_PARAM': [0x8, { 'NLSFEProcIndex': [0, ['unsigned char']], 'NLSFEProcParam': [4, ['unsigned long']], }], '_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES': [0x10, { 'SecondChannel': [4, ['unsigned long']], 'FourthChannel': [12, ['unsigned long']], 'ThirdChannel': [8, ['unsigned long']], 'FirstChannel': [0, ['unsigned long']], }], 'tagMLIST': [0xc, { 'cMsgs': [8, ['unsigned long']], 'pqmsgRead': [0, ['pointer', ['tagQMSG']]], 'pqmsgWriteLast': [4, ['pointer', ['tagQMSG']]], }], '__unnamed_122d': [0x10, { 'DeviceIoControl': [0, ['__unnamed_11e4']], 'QuerySecurity': [0, ['__unnamed_11e6']], 'ReadWriteConfig': [0, ['__unnamed_1204']], 'Create': [0, ['__unnamed_11c5']], 'SetSecurity': [0, ['__unnamed_11e8']], 'Write': [0, ['__unnamed_11cf']], 'VerifyVolume': [0, ['__unnamed_11ec']], 'WMI': [0, ['__unnamed_1229']], 'CreateMailslot': [0, ['__unnamed_11cd']], 'FilterResourceRequirements': [0, ['__unnamed_1202']], 'SetFile': [0, ['__unnamed_11d9']], 'MountVolume': [0, ['__unnamed_11ec']], 'FileSystemControl': [0, ['__unnamed_11df']], 'UsageNotification': [0, ['__unnamed_1213']], 'Scsi': [0, ['__unnamed_11f0']], 'WaitWake': [0, ['__unnamed_1217']], 'QueryFile': [0, ['__unnamed_11d7']], 'QueryDeviceText': [0, ['__unnamed_120e']], 'CreatePipe': [0, ['__unnamed_11c9']], 'Power': [0, ['__unnamed_1223']], 'QueryDeviceRelations': [0, ['__unnamed_11f4']], 'Read': [0, ['__unnamed_11cf']], 'StartDevice': [0, ['__unnamed_1227']], 'QueryDirectory': [0, ['__unnamed_11d3']], 'PowerSequence': [0, ['__unnamed_121b']], 'QueryId': [0, ['__unnamed_120a']], 'LockControl': [0, ['__unnamed_11e2']], 'NotifyDirectory': [0, ['__unnamed_11d5']], 'QueryInterface': [0, 
['__unnamed_11fa']], 'Others': [0, ['__unnamed_122b']], 'QueryVolume': [0, ['__unnamed_11dd']], 'SetLock': [0, ['__unnamed_1206']], 'DeviceCapabilities': [0, ['__unnamed_11fe']], }], '__unnamed_122b': [0x10, { 'Argument4': [12, ['pointer', ['void']]], 'Argument2': [4, ['pointer', ['void']]], 'Argument3': [8, ['pointer', ['void']]], 'Argument1': [0, ['pointer', ['void']]], }], 'tagMENUSTATE': [0x64, { 'fDragAndDrop': [4, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fInsideMenuLoop': [4, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'cxAni': [84, ['long']], 'pGlobalPopupMenu': [0, ['pointer', ['tagPOPUPMENU']]], 'uDraggingIndex': [60, ['unsigned long']], 'uDraggingHitArea': [56, ['unsigned long']], 'fNotifyByPos': [4, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'fButtonDown': [4, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'ixAni': [76, ['long']], 'fInCallHandleMenuMessages': [4, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'mnFocus': [16, ['long']], 'iyAni': [80, ['long']], 'dwLockCount': [28, ['unsigned long']], 'fAutoDismiss': [4, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'fIsSysMenu': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'dwAniStartTime': [72, ['unsigned long']], 'pmnsPrev': [32, ['pointer', ['tagMENUSTATE']]], 'fInEndMenu': [4, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'hbmAni': [92, ['pointer', ['HBITMAP__']]], 'fIgnoreButtonUp': [4, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ptButtonDown': [36, ['tagPOINT']], 'hdcWndAni': [68, ['pointer', ['HDC__']]], 'fAboutToAutoDismiss': [4, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'fMenuStarted': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'uDraggingFlags': [64, ['unsigned long']], 'fUnderline': [4, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'fInDoDragDrop': [4, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'ptiMenuStateOwner': [24, ['pointer', ['tagTHREADINFO']]], 'uButtonDownIndex': [48, ['unsigned long']], 'fModelessMenu': [4, ['BitField', 
{'end_bit': 9, 'start_bit': 8}]], 'cyAni': [88, ['long']], 'uButtonDownHitArea': [44, ['unsigned long']], 'fButtonAlwaysDown': [4, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'iAniDropDir': [4, ['BitField', {'end_bit': 24, 'start_bit': 19}]], 'ptMouseLast': [8, ['tagPOINT']], 'hdcAni': [96, ['pointer', ['HDC__']]], 'vkButtonDown': [52, ['long']], 'fSetCapture': [4, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'fDragging': [4, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fActiveNoForeground': [4, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'fMouseOffMenu': [4, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'cmdLast': [20, ['long']], }], 'tagMSGPPINFO': [0x4, { 'dwIndexMsgPP': [0, ['unsigned long']], }], 'VWPLELEMENT': [0x8, { 'DataOrTag': [0, ['unsigned long']], 'pwnd': [4, ['pointer', ['tagWND']]], }], '_WM_VALUES_STRINGS': [0x8, { 'pszName': [0, ['pointer', ['unsigned char']]], 'fInternal': [4, ['unsigned char']], 'fDefined': [5, ['unsigned char']], }], 'tagCLIP': [0xc, { 'fmt': [0, ['unsigned long']], 'fGlobalHandle': [8, ['long']], 'hData': [4, ['pointer', ['void']]], }], '__unnamed_1229': [0x10, { 'Buffer': [12, ['pointer', ['void']]], 'ProviderId': [0, ['unsigned long']], 'BufferSize': [8, ['unsigned long']], 'DataPath': [4, ['pointer', ['void']]], }], '__unnamed_1227': [0x8, { 'AllocatedResources': [0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated': [4, ['pointer', ['_CM_RESOURCE_LIST']]], }], '_HEAD': [0x8, { 'h': [0, ['pointer', ['void']]], 'cLockObj': [4, ['unsigned long']], }], '__unnamed_1223': [0x10, { 'State': [8, ['_POWER_STATE']], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'SystemPowerState', 1: 'DevicePowerState'}}]], 'SystemContext': [0, ['unsigned long']], 'ShutdownType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 
'PowerActionShutdownOff', 7: 'PowerActionWarmEject'}}]], 'SystemPowerStateContext': [0, ['_SYSTEM_POWER_STATE_CONTEXT']], }], '__unnamed_11e6': [0x8, { 'Length': [4, ['unsigned long']], 'SecurityInformation': [0, ['unsigned long']], }], 'tagQMSG': [0x40, { 'FromPen': [52, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'pti': [56, ['pointer', ['tagTHREADINFO']]], 'ExtraInfo': [36, ['long']], 'Wow64Message': [52, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pqmsgPrev': [4, ['pointer', ['tagQMSG']]], 'NoCoalesce': [52, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'Padding': [48, ['BitField', {'end_bit': 32, 'start_bit': 30}]], 'ptMouseReal': [40, ['tagPOINT']], 'pqmsgNext': [0, ['pointer', ['tagQMSG']]], 'dwQEvent': [48, ['BitField', {'end_bit': 30, 'start_bit': 0}]], 'MsgPPInfo': [60, ['tagMSGPPINFO']], 'FromTouch': [52, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'msg': [8, ['tagMSG']], }], 'HWINSTA__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32PoolHead': [0x10, { 'pPrev': [4, ['pointer', ['tagWin32PoolHead']]], 'pTrace': [12, ['pointer', ['pointer', ['void']]]], 'pNext': [8, ['pointer', ['tagWin32PoolHead']]], 'size': [0, ['unsigned long']], }], 'tagTOUCHINPUT': [0x28, { 'hSource': [8, ['pointer', ['void']]], 'dwExtraInfo': [28, ['unsigned long']], 'cxContact': [32, ['unsigned long']], 'dwMask': [20, ['unsigned long']], 'y': [4, ['long']], 'x': [0, ['long']], 'dwID': [12, ['unsigned long']], 'cyContact': [36, ['unsigned long']], 'dwTime': [24, ['unsigned long']], 'dwFlags': [16, ['unsigned long']], }], '_CALLBACKWND': [0xc, { 'hwnd': [0, ['pointer', ['HWND__']]], 'pActCtx': [8, ['pointer', ['_ACTIVATION_CONTEXT']]], 'pwnd': [4, ['pointer', ['tagWND']]], }], 'HMONITOR__': [0x4, { 'unused': [0, ['long']], }], '_D3DKMDT_GRAPHICS_RENDERING_FORMAT': [0x20, { 'VisibleRegionSize': [8, ['_D3DKMDT_2DREGION']], 'Stride': [16, ['unsigned long']], 'PixelFormat': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDIFMT_UNKNOWN', 20: 'D3DDDIFMT_R8G8B8', 21: 
'D3DDDIFMT_A8R8G8B8', 22: 'D3DDDIFMT_X8R8G8B8', 23: 'D3DDDIFMT_R5G6B5', 24: 'D3DDDIFMT_X1R5G5B5', 25: 'D3DDDIFMT_A1R5G5B5', 26: 'D3DDDIFMT_A4R4G4B4', 27: 'D3DDDIFMT_R3G3B2', 28: 'D3DDDIFMT_A8', 29: 'D3DDDIFMT_A8R3G3B2', 30: 'D3DDDIFMT_X4R4G4B4', 31: 'D3DDDIFMT_A2B10G10R10', 32: 'D3DDDIFMT_A8B8G8R8', 33: 'D3DDDIFMT_X8B8G8R8', 34: 'D3DDDIFMT_G16R16', 35: 'D3DDDIFMT_A2R10G10B10', 36: 'D3DDDIFMT_A16B16G16R16', 40: 'D3DDDIFMT_A8P8', 41: 'D3DDDIFMT_P8', 50: 'D3DDDIFMT_L8', 51: 'D3DDDIFMT_A8L8', 52: 'D3DDDIFMT_A4L4', 60: 'D3DDDIFMT_V8U8', 61: 'D3DDDIFMT_L6V5U5', 62: 'D3DDDIFMT_X8L8V8U8', 63: 'D3DDDIFMT_Q8W8V8U8', 64: 'D3DDDIFMT_V16U16', 65: 'D3DDDIFMT_W11V11U10', 67: 'D3DDDIFMT_A2W10V10U10', 877942852: 'D3DDDIFMT_DXT4', 70: 'D3DDDIFMT_D16_LOCKABLE', 71: 'D3DDDIFMT_D32', 72: 'D3DDDIFMT_S1D15', 73: 'D3DDDIFMT_D15S1', 74: 'D3DDDIFMT_S8D24', 75: 'D3DDDIFMT_D24S8', 76: 'D3DDDIFMT_X8D24', 77: 'D3DDDIFMT_D24X8', 78: 'D3DDDIFMT_X4S4D24', 79: 'D3DDDIFMT_D24X4S4', 80: 'D3DDDIFMT_D16', 81: 'D3DDDIFMT_L16', 82: 'D3DDDIFMT_D32F_LOCKABLE', 83: 'D3DDDIFMT_D24FS8', 84: 'D3DDDIFMT_D32_LOCKABLE', 85: 'D3DDDIFMT_S8_LOCKABLE', 100: 'D3DDDIFMT_VERTEXDATA', 101: 'D3DDDIFMT_INDEX16', 102: 'D3DDDIFMT_INDEX32', 110: 'D3DDDIFMT_Q16W16V16U16', 111: 'D3DDDIFMT_R16F', 112: 'D3DDDIFMT_G16R16F', 113: 'D3DDDIFMT_A16B16G16R16F', 114: 'D3DDDIFMT_R32F', 115: 'D3DDDIFMT_G32R32F', 116: 'D3DDDIFMT_A32B32G32R32F', 117: 'D3DDDIFMT_CxV8U8', 118: 'D3DDDIFMT_A1', 119: 'D3DDDIFMT_A2B10G10R10_XR_BIAS', 150: 'D3DDDIFMT_PICTUREPARAMSDATA', 151: 'D3DDDIFMT_MACROBLOCKDATA', 152: 'D3DDDIFMT_RESIDUALDIFFERENCEDATA', 153: 'D3DDDIFMT_DEBLOCKINGDATA', 154: 'D3DDDIFMT_INVERSEQUANTIZATIONDATA', 155: 'D3DDDIFMT_SLICECONTROLDATA', 156: 'D3DDDIFMT_BITSTREAMDATA', 157: 'D3DDDIFMT_MOTIONVECTORBUFFER', 158: 'D3DDDIFMT_FILMGRAINBUFFER', 159: 'D3DDDIFMT_DXVA_RESERVED9', 160: 'D3DDDIFMT_DXVA_RESERVED10', 161: 'D3DDDIFMT_DXVA_RESERVED11', 162: 'D3DDDIFMT_DXVA_RESERVED12', 163: 'D3DDDIFMT_DXVA_RESERVED13', 164: 
'D3DDDIFMT_DXVA_RESERVED14', 165: 'D3DDDIFMT_DXVA_RESERVED15', 166: 'D3DDDIFMT_DXVA_RESERVED16', 167: 'D3DDDIFMT_DXVA_RESERVED17', 168: 'D3DDDIFMT_DXVA_RESERVED18', 169: 'D3DDDIFMT_DXVA_RESERVED19', 170: 'D3DDDIFMT_DXVA_RESERVED20', 171: 'D3DDDIFMT_DXVA_RESERVED21', 172: 'D3DDDIFMT_DXVA_RESERVED22', 173: 'D3DDDIFMT_DXVA_RESERVED23', 174: 'D3DDDIFMT_DXVA_RESERVED24', 175: 'D3DDDIFMT_DXVA_RESERVED25', 176: 'D3DDDIFMT_DXVA_RESERVED26', 177: 'D3DDDIFMT_DXVA_RESERVED27', 178: 'D3DDDIFMT_DXVA_RESERVED28', 179: 'D3DDDIFMT_DXVA_RESERVED29', 180: 'D3DDDIFMT_DXVA_RESERVED30', 181: 'D3DDDIFMT_DXVACOMPBUFFER_MAX', 844388420: 'D3DDDIFMT_DXT2', 199: 'D3DDDIFMT_BINARYBUFFER', 861165636: 'D3DDDIFMT_DXT3', 827611204: 'D3DDDIFMT_DXT1', 827606349: 'D3DDDIFMT_MULTI2_ARGB8', 1195525970: 'D3DDDIFMT_R8G8_B8G8', 1498831189: 'D3DDDIFMT_UYVY', 844715353: 'D3DDDIFMT_YUY2', 894720068: 'D3DDDIFMT_DXT5', 1111970375: 'D3DDDIFMT_G8R8_G8B8', 2147483647: 'D3DDDIFMT_FORCE_UINT'}}]], 'PixelValueAccessMode': [28, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_PVAM_UNINITIALIZED', 1: 'D3DKMDT_PVAM_DIRECT', 2: 'D3DKMDT_PVAM_PRESETPALETTE', 3: 'D3DKMDT_PVAM_MAXVALID'}}]], 'PrimSurfSize': [0, ['_D3DKMDT_2DREGION']], 'ColorBasis': [24, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], '_VK_TO_WCHAR_TABLE': [0x8, { 'pVkToWchars': [0, ['pointer', ['_VK_TO_WCHARS1']]], 'cbSize': [5, ['unsigned char']], 'nModifications': [4, ['unsigned char']], }], '_TL': [0xc, { 'pfnFree': [8, ['pointer', ['void']]], 'pobj': [4, ['pointer', ['void']]], 'next': [0, ['pointer', ['_TL']]], }], '_MOVESIZEDATA': [0xdc, { 'fmsKbd': [160, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'fMoveFromMax': [160, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fSnapMoving': [160, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'ptRestore': [152, ['tagPOINT']], 
'fUsePreviewRect': [160, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'ptStartHitWindowRelative': [192, ['tagPOINT']], 'CurrentHitTarget': [176, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fHasSoftwareCursor': [160, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'fCheckPtForcefullyRestored': [160, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'fSnapMovingTemporaryAllowed': [160, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'Unused': [160, ['BitField', {'end_bit': 32, 'start_bit': 28}]], 'fOffScreen': [160, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'fWindowWasSuperMaximized': [160, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'StartCurrentHitTarget': [168, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fSnapSizing': [160, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fIsMoveSizeLoop': [160, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'rcPreviewCursor': [52, ['tagRECT']], 'dyMouse': [136, ['long']], 'fVerticallyMaximizedRight': [160, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'fTrackCancelled': [160, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'impx': [144, ['long']], 'impy': [148, ['long']], 'fLockWindowUpdate': [160, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'fStartVerticallyMaximizedLeft': [160, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ptMinTrack': [84, ['tagPOINT']], 'pMonitorCurrentHitTarget': [172, ['pointer', ['tagMONITOR']]], 'rcWindow': [100, ['tagRECT']], 'pStartMonitorCurrentHitTarget': [164, ['pointer', ['tagMONITOR']]], 'cmd': [140, ['long']], 'ptMaxTrack': [92, ['tagPOINT']], 'fForceSizing': [160, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'fThresholdSelector': [160, ['BitField', {'end_bit': 18, 'start_bit': 15}]], 
'MoveRectStyle': [180, ['Enumeration', {'target': 'long', 'choices': {0: 'MoveRectKeepPositionAtCursor', 1: 'MoveRectMidTopAtCursor', 2: 'MoveRectKeepAspectRatioAtCursor', 3: 'MoveRectSidewiseKeepPositionAtCursor'}}]], 'fDragFullWindows': [160, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'fForeground': [160, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'ulCountDragOutOfLeftRightTarget': [212, ['unsigned long']], 'ptLastTrack': [200, ['tagPOINT']], 'frcNormalCheckPtValid': [160, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'fIsHitPtOffScreen': [160, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'fSnapSizingTemporaryAllowed': [160, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'fInitSize': [160, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'dxMouse': [132, ['long']], 'fStartVerticallyMaximizedRight': [160, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'ulCountDragOutOfTopTarget': [208, ['unsigned long']], 'fVerticallyMaximizedLeft': [160, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'spwnd': [0, ['pointer', ['tagWND']]], 'fHasPreviewRect': [160, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'rcPreview': [36, ['tagRECT']], 'rcDragCursor': [20, ['tagRECT']], 'Flags': [160, ['unsigned long']], 'ptHitWindowRelative': [184, ['tagPOINT']], 'rcParent': [68, ['tagRECT']], 'ulCountSizeOutOfTopBottomTarget': [216, ['unsigned long']], 'rcNormalStartCheckPt': [116, ['tagRECT']], 'rcDrag': [4, ['tagRECT']], }], '_LARGE_UNICODE_STRING': [0xc, { 'Buffer': [8, ['pointer', ['unsigned short']]], 'Length': [0, ['unsigned long']], 'MaximumLength': [4, ['BitField', {'end_bit': 31, 'start_bit': 0}]], 'bAnsi': [4, ['BitField', {'end_bit': 32, 'start_bit': 31}]], }], 'VSC_LPWSTR': [0x8, { 'vsc': [0, ['unsigned char']], 'pwsz': [4, ['pointer', ['unsigned short']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION': [0x10, { 'Scaling': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPS_UNINITIALIZED', 1: 'D3DKMDT_VPPS_IDENTITY', 2: 
'D3DKMDT_VPPS_CENTERED', 3: 'D3DKMDT_VPPS_STRETCHED', 4: 'D3DKMDT_VPPS_ASPECTRATIOCENTEREDMAX', 5: 'D3DKMDT_VPPS_CUSTOM', 253: 'D3DKMDT_VPPS_RESERVED1', 254: 'D3DKMDT_VPPS_UNPINNED', 255: 'D3DKMDT_VPPS_NOTSPECIFIED'}}]], 'RotationSupport': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT']], 'Rotation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPR_UNINITIALIZED', 1: 'D3DKMDT_VPPR_IDENTITY', 2: 'D3DKMDT_VPPR_ROTATE90', 3: 'D3DKMDT_VPPR_ROTATE180', 4: 'D3DKMDT_VPPR_ROTATE270', 254: 'D3DKMDT_VPPR_UNPINNED', 255: 'D3DKMDT_VPPR_NOTSPECIFIED'}}]], 'ScalingSupport': [4, ['_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT']], }], 'tagUAHMENUPOPUPMETRICS': [0x14, { 'rgcx': [0, ['array', 4, ['long']]], 'fUpdateMaxWidths': [16, ['BitField', {'end_bit': 1, 'start_bit': 0}]], }], '_THROBJHEAD': [0xc, { 'h': [0, ['pointer', ['void']]], 'pti': [8, ['pointer', ['tagTHREADINFO']]], 'cLockObj': [4, ['unsigned long']], }], '_DMM_COFUNCPATHSMODALITY_SERIALIZATION': [0x8, { 'NumPathsFromSource': [0, ['unsigned char']], 'PathAndTargetModeSetOffset': [4, ['array', 1, ['unsigned long']]], }], 'tagSBTRACK': [0x44, { 'spwndSBNotify': [12, ['pointer', ['tagWND']]], 'hTimerSB': [40, ['unsigned long']], 'cmdSB': [36, ['unsigned long']], 'xxxpfnSB': [32, ['pointer', ['void']]], 'fTrackVert': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'posNew': [56, ['long']], 'posOld': [52, ['long']], 'fCtlSB': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'rcTrack': [16, ['tagRECT']], 'fTrackRecalc': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'spwndSB': [8, ['pointer', ['tagWND']]], 'spwndTrack': [4, ['pointer', ['tagWND']]], 'dpxThumb': [44, ['long']], 'pxOld': [48, ['long']], 'fHitOld': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pSBCalc': [64, ['pointer', ['tagSBCALC']]], 'nBar': [60, ['long']], }], '__unnamed_18ae': [0x18, { 'Length40': [0, ['unsigned long']], 'Alignment40': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': 
[16, ['_LARGE_INTEGER']], }], '__unnamed_18ac': [0xc, { 'Priority': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_1217': [0x4, { 'PowerState': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'}}]], }], '__unnamed_18aa': [0x10, { 'MinBusNumber': [4, ['unsigned long']], 'Length': [0, ['unsigned long']], 'Reserved': [12, ['unsigned long']], 'MaxBusNumber': [8, ['unsigned long']], }], 'tagDPISERVERINFO': [0x18, { 'hMsgFont': [8, ['pointer', ['HFONT__']]], 'hCaptionFont': [4, ['pointer', ['HFONT__']]], 'gclBorder': [0, ['long']], 'cxMsgFontChar': [12, ['long']], 'wMaxBtnSize': [20, ['unsigned long']], 'cyMsgFontChar': [16, ['long']], }], 'tagOEMBITMAPINFO': [0x10, { 'y': [4, ['long']], 'x': [0, ['long']], 'cy': [12, ['long']], 'cx': [8, ['long']], }], '__unnamed_1787': [0xc, { 'Dma': [0, ['__unnamed_1779']], 'MessageInterrupt': [0, ['__unnamed_1777']], 'Generic': [0, ['__unnamed_1771']], 'Memory': [0, ['__unnamed_1771']], 'BusNumber': [0, ['__unnamed_177d']], 'DeviceSpecificData': [0, ['__unnamed_177f']], 'Memory48': [0, ['__unnamed_1783']], 'Memory40': [0, ['__unnamed_1781']], 'DevicePrivate': [0, ['__unnamed_177b']], 'Memory64': [0, ['__unnamed_1785']], 'Interrupt': [0, ['__unnamed_1773']], 'Port': [0, ['__unnamed_1771']], }], '__unnamed_1785': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length64': [8, ['unsigned long']], }], '__unnamed_1783': [0xc, { 'Length48': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], '__unnamed_1781': [0xc, { 'Length40': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], 'HICON__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNTARGETMODESET_SERIALIZATION': [0x38, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [4, ['array', 1, 
['_D3DKMDT_VIDPN_TARGET_MODE']]], }], '_D3DMATRIX': [0x40, { '_33': [40, ['float']], '_42': [52, ['float']], '_43': [56, ['float']], '_44': [60, ['float']], '_34': [44, ['float']], '_14': [12, ['float']], '_13': [8, ['float']], '_12': [4, ['float']], '_11': [0, ['float']], '_41': [48, ['float']], '_31': [32, ['float']], '_24': [28, ['float']], '_32': [36, ['float']], '_22': [20, ['float']], '_23': [24, ['float']], '_21': [16, ['float']], }], '__unnamed_18a6': [0x14, { 'AffinityPolicy': [8, ['unsigned short']], 'Group': [10, ['unsigned short']], 'PriorityPolicy': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'}}]], 'MinimumVector': [0, ['unsigned long']], 'MaximumVector': [4, ['unsigned long']], 'TargetedProcessors': [16, ['unsigned long']], }], '__unnamed_18a2': [0x18, { 'Length': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment': [4, ['unsigned long']], }], '__unnamed_18a8': [0x8, { 'MinimumChannel': [0, ['unsigned long']], 'MaximumChannel': [4, ['unsigned long']], }], 'HGESTUREINFO__': [0x4, { 'unused': [0, ['long']], }], '_VK_TO_FUNCTION_TABLE': [0x84, { 'NLSFEProcType': [1, ['unsigned char']], 'NLSFEProcSwitch': [3, ['unsigned char']], 'Vk': [0, ['unsigned char']], 'NLSFEProcCurrent': [2, ['unsigned char']], 'NLSFEProcAlt': [68, ['array', 8, ['_VK_FUNCTION_PARAM']]], 'NLSFEProc': [4, ['array', 8, ['_VK_FUNCTION_PARAM']]], }], '_DMM_VIDPNPATHANDTARGETMODESET_SERIALIZATION': [0x194, { 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], 'TargetModeSet': [348, ['_DMM_VIDPNTARGETMODESET_SERIALIZATION']], }], '__unnamed_11c5': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'EaLength': [12, ['unsigned long']], 'SecurityContext': [0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'FileAttributes': [8, ['unsigned short']], }], 'HDESK__': [0x4, { 'unused': [0, ['long']], }], 
'VK_TO_BIT': [0x2, { 'Vk': [0, ['unsigned char']], 'ModBits': [1, ['unsigned char']], }], '__unnamed_11c9': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'Reserved': [8, ['unsigned short']], 'SecurityContext': [0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'Parameters': [12, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], }], 'MODIFIERS': [0x8, { 'wMaxModBits': [4, ['unsigned short']], 'pVkToBit': [0, ['pointer', ['VK_TO_BIT']]], 'ModNumber': [6, ['array', 0, ['unsigned char']]], }], 'tagIMEINFOEX': [0x15c, { 'fSysWow64Only': [344, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'wszImeFile': [184, ['array', 80, ['wchar']]], 'fLoadFlag': [72, ['long']], 'hkl': [0, ['pointer', ['HKL__']]], 'dwImeWinVersion': [80, ['unsigned long']], 'dwProdVersion': [76, ['unsigned long']], 'wszImeDescription': [84, ['array', 50, ['wchar']]], 'fCUASLayer': [344, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'ImeInfo': [4, ['tagIMEINFO']], 'wszUIClass': [32, ['array', 16, ['wchar']]], 'fInitOpen': [68, ['long']], 'fdwInitConvMode': [64, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT': [0x4, { 'MacroVisionFull': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'MacroVisionApsTrigger': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'NoProtection': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Reserved': [0, ['BitField', {'end_bit': 32, 'start_bit': 3}]], }], 'tagWND': [0xb0, { 'bEraseBackground': [20, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'spwndOwner': [60, ['pointer', ['tagWND']]], 'bWS_EX_LAYERED': [28, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bWS_CLIPCHILDREN': [32, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bMaximizeButtonDown': [24, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'cbwndExtra': [144, ['long']], 'bMakeVisibleWhenUnghosted': [28, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bUIStateActive': [28, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'hMod16': [40, 
['unsigned short']], 'bWS_TABSTOP': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bUnused8': [32, ['BitField', {'end_bit': 18, 'start_bit': 16}]], 'bWS_EX_NOPARENTNOTIFY': [28, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bForceFullNCPaintClipRgn': [24, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'bDialogWindow': [20, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'lpfnWndProc': [96, ['pointer', ['void']]], 'bWS_EX_RTLREADING': [28, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'bMinimizeButtonDown': [24, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'bUnused2': [28, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bUnused3': [28, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bUnused4': [28, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bHasMeun': [20, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bUnused6': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bUnused7': [32, ['BitField', {'end_bit': 18, 'start_bit': 16}]], 'bWS_SIZEBOX': [32, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'style': [32, ['unsigned long']], 'ppropList': [108, ['pointer', ['tagPROPLIST']]], 'hrgnNewFrame': [128, ['pointer', ['HRGN__']]], 'bHasOverlay': [172, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bUnused9': [32, ['BitField', {'end_bit': 19, 'start_bit': 16}]], 'bClipboardListener': [172, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bScrollBarLineDownBtnDown': [24, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bReserved3': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bRedirectedForPrint': [172, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bWS_EX_RIGHT': [28, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bStartPaint': [24, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bHasCreatestructName': [20, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bWS_EX_COMPOSITED': [28, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bFullScreen': [24, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spwndLastActive': [148, 
['pointer', ['tagWND']]], 'hrgnUpdate': [104, ['pointer', ['HRGN__']]], 'head': [0, ['_THRDESKHEAD']], 'bConsoleWindow': [172, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'bHiddenPopup': [20, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'hrgnClip': [124, ['pointer', ['HRGN__']]], 'bWS_EX_CONTROLPARENT': [28, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bWS_EX_TOPMOST': [28, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'bSendEraseBackground': [20, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bScrollBarLineUpBtnDown': [24, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bWin50Compat': [24, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'bRecievedQuerySuspendMsg': [20, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bMaximizeMonitorRegion': [24, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bLayeredLimbo': [172, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'bRedrawIfHung': [20, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'FullScreenMode': [24, ['BitField', {'end_bit': 27, 'start_bit': 24}]], 'bLayeredInvalidate': [172, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bVerticallyMaximizedLeft': [172, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'bWS_POPUP': [32, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bWS_EX_CONTEXTHELP': [28, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'dwUserData': [156, ['unsigned long']], 'bDisabled': [32, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'bAnsiWindowProc': [20, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bWin40Compat': [24, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bWS_EX_NOINHERITLAYOUT': [28, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'rcClient': [80, ['tagRECT']], 'bAnsiCreator': [20, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bAnyScrollButtonDown': [24, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bWS_EX_LAYOUTRTL': [28, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bUIStateKbdAccelHidden': [28, ['BitField', {'end_bit': 31, 'start_bit': 
30}]], 'bSendSizeMoveMsgs': [20, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'spwndParent': [52, ['pointer', ['tagWND']]], 'bLinked': [172, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'bSendNCPaint': [20, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bToggleTopmost': [20, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'bInternalPaint': [20, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bDestroyed': [20, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bHasClientEdge': [24, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bServerSideWindowProc': [20, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bCaptionTextTruncated': [24, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'rcWindow': [64, ['tagRECT']], 'bEndPaintInvalidate': [24, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bHasPalette': [20, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bHasHorizontalScrollbar': [20, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bUIStateFocusRectHidden': [28, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bReserved1': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_EX_COMPOSITEDCompositing': [28, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'bWS_EX_MDICHILD': [28, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bHasVerticalScrollbar': [20, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bReserved2': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWMCreateMsgProcessed': [24, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bMinimized': [32, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bWS_EX_NOACTIVATE': [28, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'bWS_EX_APPWINDOW': [28, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'pSBInfo': [112, ['pointer', ['tagSBINFO']]], 'bSmallIconFromWMQueryDrag': [24, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bNoNCPaint': [20, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bCloseButtonDown': [24, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bUnused1': [28, ['BitField', 
{'end_bit': 2, 'start_bit': 1}]], 'bHasSPB': [20, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'bWS_MINIMIZEBOX': [32, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bMaximized': [32, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bScrollBarVerticalTracking': [24, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bWS_CHILD': [32, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'bReserved5': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_EX_DLGMODALFRAME': [28, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bWS_EX_TRANSPARENT': [28, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'spmenu': [120, ['pointer', ['tagMENU']]], 'bWS_THICKFRAME': [32, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bPaintNotProcessed': [20, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bSyncPaintPending': [20, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pcls': [100, ['pointer', ['tagCLS']]], 'bLayeredForDWM': [172, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bMsgBox': [20, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'bShellHookRegistered': [24, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'spwndChild': [56, ['pointer', ['tagWND']]], 'bUnused5': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bHelpButtonDown': [24, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bInDestroy': [24, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'state': [20, ['unsigned long']], 'strName': [132, ['_LARGE_UNICODE_STRING']], 'spwndPrev': [48, ['pointer', ['tagWND']]], 'bRedrawFrameIfHung': [20, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'bWS_EX_LEFTSCROLLBAR': [28, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'bWS_EX_TOOLWINDOW': [28, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'bWS_VSCROLL': [32, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bMaximizesToMonitor': [20, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'bNoMinmaxAnimatedRects': [24, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'fnid': [42, ['unsigned short']], 'ExStyle': [28, 
['unsigned long']], 'bRedirected': [28, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bActiveFrame': [20, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bReserved4': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_EX_WINDOWEDGE': [28, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bReserved6': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bReserved7': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_CLIPSIBLINGS': [32, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'bWS_EX_ACCEPTFILE': [28, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bWS_HSCROLL': [32, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bUpdateDirty': [20, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'bBeingActivated': [20, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'state2': [24, ['unsigned long']], 'spwndNext': [44, ['pointer', ['tagWND']]], 'bScrollBarPageDownBtnDown': [24, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bWS_BORDER': [32, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'bWMPaintSent': [24, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bScrollBarPageUpBtnDown': [24, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'pTransform': [164, ['pointer', ['_D3DMATRIX']]], 'bWS_MAXIMIZEBOX': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bVisible': [32, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'bVerticallyMaximizedRight': [172, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bWin31Compat': [24, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bWS_EX_STATICEDGE': [28, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bForceMenuDraw': [20, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bForceNCPaint': [24, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'ExStyle2': [172, ['unsigned long']], 'bOldUI': [24, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'bWS_DLGFRAME': [32, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bHIGHDPI_UNAWARE_Unused': [172, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bWS_SYSMENU': [32, 
['BitField', {'end_bit': 20, 'start_bit': 19}]], 'spwndClipboardListenerNext': [168, ['pointer', ['tagWND']]], 'hModule': [36, ['pointer', ['void']]], 'bWS_EX_NOPADDEDBORDER': [28, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pActCtx': [160, ['pointer', ['_ACTIVATION_CONTEXT']]], 'bBottomMost': [24, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'spmenuSys': [116, ['pointer', ['tagMENU']]], 'bRecievedSuspendMsg': [20, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bWS_EX_CLIENTEDGE': [28, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bHasCaption': [20, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'hImc': [152, ['pointer', ['HIMC__']]], 'bChildNoActivate': [172, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bWS_GROUP': [32, ['BitField', {'end_bit': 18, 'start_bit': 17}]], }], 'tagUAHMENUITEMMETRICS': [0x20, { 'rgsizeBar': [0, ['array', 2, ['tagSIZE']]], 'rgsizePopup': [0, ['array', 4, ['tagSIZE']]], }], '__unnamed_11cd': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'Reserved': [8, ['unsigned short']], 'SecurityContext': [0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'Parameters': [12, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], }], '__unnamed_11cf': [0x10, { 'Length': [0, ['unsigned long']], 'ByteOffset': [8, ['_LARGE_INTEGER']], 'Key': [4, ['unsigned long']], }], '_DXGK_DIAG_CODE_POINT_PACKET': [0x40, { 'Header': [0, ['_DXGK_DIAG_HEADER']], 'Param3': [60, ['unsigned long']], 'Param1': [52, ['unsigned long']], 'CodePointType': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_CODE_POINT_TYPE_NONE', 1: 'DXGK_DIAG_CODE_POINT_TYPE_RECOMMEND_FUNC_VIDPN', 2: 'DXGK_DIAG_CODE_POINT_TYPE_OS_RECOMMENDED_VIDPN', 3: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_LOG_FAILURE', 4: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_INVALIDATE_ERROR', 5: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_LOG_FAILURE', 7: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_FAILURE_DB', 8: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_BTL', 9: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_DB', 10: 
'DXGK_DIAG_CODE_POINT_TYPE_QDC_LOG_FAILURE', 11: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_GDI', 12: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_GDI', 13: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_MONITOR', 14: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_MONITOR', 15: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_DIM_MONITOR', 16: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_UNDIM_MONITOR', 17: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BACKTRACK', 18: 'DXGK_DIAG_CODE_POINT_TYPE_BML_CLOSEST_TARGET_MODE', 19: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_SOURCE_MODE', 20: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_TARGET_MODE', 21: 'DXGK_DIAG_CODE_POINT_TYPE_BML_SOURCE_MODE_NOT_PINNED', 22: 'DXGK_DIAG_CODE_POINT_TYPE_BML_TARGET_MODE_NOT_PINNED', 23: 'DXGK_DIAG_CODE_POINT_TYPE_BML_RESTARTED', 24: 'DXGK_DIAG_CODE_POINT_TYPE_TDR', 25: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_EVENT_NOTIFICATION', 26: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEMDEV_USE_DEFAULT_MODE', 27: 'DXGK_DIAG_CODE_POINT_TYPE_CONNECTED_SET_LOG_FAILURE', 28: 'DXGK_DIAG_CODE_POINT_TYPE_INVALIDATE_DXGK_MODE_CACHE', 29: 'DXGK_DIAG_CODE_POINT_TYPE_REBUILD_DXGK_MODE_CACHE', 30: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_RELAX_REFRESH_MATCH', 31: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_CCDBML_FAIL_VISTABML_SUCCESSED', 32: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_SOURCE_MODE', 33: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_TARGET_MODE', 34: 'DXGK_DIAG_CODE_POINT_TYPE_ADD_DEVICE', 35: 'DXGK_DIAG_CODE_POINT_TYPE_START_ADAPTER', 36: 'DXGK_DIAG_CODE_POINT_TYPE_STOP_ADAPTER', 37: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING', 38: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING_TARGET', 39: 'DXGK_DIAG_CODE_POINT_TYPE_INDICATE_CHILD_STATUS', 40: 'DXGK_DIAG_CODE_POINT_TYPE_HANDLE_IRP', 41: 'DXGK_DIAG_CODE_POINT_TYPE_CHANGE_UNSUPPORTED_MONITOR_MODE_FLAG', 42: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_NOTIFY_CALLBACK', 43: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_DISABLEGDI', 44: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_ENABLEGDI', 45: 
'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_MODESWITCH', 46: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_SYNC_MONITOR_EVENT', 47: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_NOTIFY_GDI', 48: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_ENABLE_VGA', 49: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_TDR_SWITCH_GDI', 50: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_CREATE_DEVICE_FAILED', 51: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DEVICE_REMOVED', 52: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DRVASSERTMODE_TRUE_FAILED', 53: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_RECREATE_DEVICE_FAILED', 54: 'DXGK_DIAG_CODE_POINT_TYPE_CDD_MAPSHADOWBUFFER_FAILED', 55: 'DXGK_DIAG_CODE_POINT_TYPE_COMMIT_VIDPN_LOG_FAILURE', 56: 'DXGK_DIAG_CODE_POINT_TYPE_DRIVER_RECOMMEND_LOG_FAILURE', 57: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_ENFORCED_CLONE_PATH_INVALID_SOURCE_IDX', 58: 'DXGK_DIAG_CODE_POINT_TYPE_DRVPROBEANDCAPTURE_FAILED', 59: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKCDDENABLE_OPTIMIZED_MODE_CHANGE', 60: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKSETDISPLAYMODE_OPTIMIZED_MODE_CHANGE', 61: 'DXGK_DIAG_CODE_POINT_TYPE_MON_DEPART_GETRECENTTOP_FAIL', 62: 'DXGK_DIAG_CODE_POINT_TYPE_MON_ARRIVE_INC_ADD_FAIL', 63: 'DXGK_DIAG_CODE_POINT_TYPE_CCD_DATABASE_PERSIST', 64: 'DXGK_DIAG_CODE_POINT_TYPE_MAX', -1: 'DXGK_DIAG_CODE_POINT_TYPE_FORCE_UINT32'}}]], 'Param2': [56, ['unsigned long']], }], 'tagW32JOB': [0x28, { 'restrictions': [12, ['unsigned long']], 'Job': [4, ['pointer', ['_EJOB']]], 'ughCrt': [28, ['unsigned long']], 'pgh': [36, ['pointer', ['unsigned long']]], 'ppiTable': [24, ['pointer', ['pointer', ['tagPROCESSINFO']]]], 'ughMax': [32, ['unsigned long']], 'pAtomTable': [8, ['pointer', ['void']]], 'uProcessCount': [16, ['unsigned long']], 'uMaxProcesses': [20, ['unsigned long']], 'pNext': [0, ['pointer', ['tagW32JOB']]], }], 'tagMBSTRING': [0x28, { 'szName': [0, ['array', 15, ['wchar']]], 'uID': [32, ['unsigned long']], 'uStr': [36, ['unsigned long']], }], 
'_D3DKMDT_VIDPN_TARGET_MODE': [0x34, { 'VideoSignalInfo': [4, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'Id': [0, ['unsigned long']], 'Preference': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], }], 'tagDESKTOP': [0x84, { 'spmenuVScroll': [40, ['pointer', ['tagMENU']]], 'dwMouseHoverTime': [124, ['unsigned long']], 'rpwinstaParent': [16, ['pointer', ['tagWINDOWSTATION']]], 'spmenuDialogSys': [32, ['pointer', ['tagMENU']]], 'spwndForeground': [44, ['pointer', ['tagWND']]], 'spmenuHScroll': [36, ['pointer', ['tagMENU']]], 'spwndTooltip': [56, ['pointer', ['tagWND']]], 'dwSessionId': [0, ['unsigned long']], 'pDeskInfo': [4, ['pointer', ['tagDESKTOPINFO']]], 'spwndMessage': [52, ['pointer', ['tagWND']]], 'cciConsole': [72, ['_CONSOLE_CARET_INFO']], 'PtiList': [92, ['_LIST_ENTRY']], 'spwndTray': [48, ['pointer', ['tagWND']]], 'rpdeskNext': [12, ['pointer', ['tagDESKTOP']]], 'dwDTFlags': [20, ['unsigned long']], 'pMagInputTransform': [128, ['pointer', ['_MAGNIFICATION_INPUT_TRANSFORM']]], 'spwndTrack': [100, ['pointer', ['tagWND']]], 'htEx': [104, ['long']], 'ulHeapSize': [68, ['unsigned long']], 'pheapDesktop': [64, ['pointer', ['tagWIN32HEAP']]], 'hsectionDesktop': [60, ['pointer', ['void']]], 'rcMouseHover': [108, ['tagRECT']], 'dwDesktopId': [24, ['unsigned long']], 'spmenuSys': [28, ['pointer', ['tagMENU']]], 'pDispInfo': [8, ['pointer', ['tagDISPLAYINFO']]], }], 'tagPOOLRECORD': [0x20, { 'ExtraData': [0, ['pointer', ['void']]], 'trace': [8, ['array', 6, ['pointer', ['void']]]], 'size': [4, ['unsigned long']], }], 'tagSPB': [0x28, { 'hbm': [8, ['pointer', ['HBITMAP__']]], 'hrgn': [28, ['pointer', ['HRGN__']]], 'ulSaveId': [36, ['unsigned long']], 'flags': [32, ['unsigned long']], 'rc': [12, ['tagRECT']], 'pspbNext': [0, ['pointer', ['tagSPB']]], 'spwnd': [4, ['pointer', ['tagWND']]], }], '_DMM_COMMITVIDPNREQUEST_DIAGINFO': [0xc, { 'ForceAllActiveVidPnModeListInvalidation': [4, 
['BitField', {'end_bit': 3, 'start_bit': 2}]], 'ClientType': [0, ['BitField', {'end_bit': 4, 'start_bit': 0}]], 'VidPnChange': [0, ['BitField', {'end_bit': 8, 'start_bit': 4}]], 'ModeChangeRequestId': [8, ['unsigned long']], 'ReclaimClonedTarget': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'CleanupAfterFailedCommitVidPn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], }], 'HFONT__': [0x4, { 'unused': [0, ['long']], }], 'tagTEXTMETRICW': [0x3c, { 'tmCharSet': [56, ['unsigned char']], 'tmDigitizedAspectY': [40, ['long']], 'tmStruckOut': [54, ['unsigned char']], 'tmItalic': [52, ['unsigned char']], 'tmDigitizedAspectX': [36, ['long']], 'tmWeight': [28, ['long']], 'tmFirstChar': [44, ['wchar']], 'tmOverhang': [32, ['long']], 'tmDescent': [8, ['long']], 'tmPitchAndFamily': [55, ['unsigned char']], 'tmDefaultChar': [48, ['wchar']], 'tmLastChar': [46, ['wchar']], 'tmBreakChar': [50, ['wchar']], 'tmMaxCharWidth': [24, ['long']], 'tmUnderlined': [53, ['unsigned char']], 'tmInternalLeading': [12, ['long']], 'tmAscent': [4, ['long']], 'tmHeight': [0, ['long']], 'tmAveCharWidth': [20, ['long']], 'tmExternalLeading': [16, ['long']], }], '_KLIST_ENTRY': [0x8, { 'Flink': [0, ['pointer', ['_KLIST_ENTRY']]], 'Blink': [4, ['pointer', ['_KLIST_ENTRY']]], }], '__unnamed_1244': [0x28, { 'Wcb': [0, ['_WAIT_CONTEXT_BLOCK']], 'ListEntry': [0, ['_LIST_ENTRY']], }], 'tagPROP': [0x8, { 'fs': [6, ['unsigned short']], 'hData': [0, ['pointer', ['void']]], 'atomKey': [4, ['unsigned short']], }], 'tagCLIENTTHREADINFO': [0x10, { 'fsWakeMask': [10, ['unsigned short']], 'CTIF_flags': [0, ['unsigned long']], 'fsWakeBits': [6, ['unsigned short']], 'fsWakeBitsJournal': [8, ['unsigned short']], 'fsChangeBits': [4, ['unsigned short']], 'tickLastMsgChecked': [12, ['unsigned long']], }], 'tagKbdNlsLayer': [0x14, { 'OEMIdentifier': [0, ['unsigned short']], 'NumOfVkToF': [4, ['unsigned long']], 'pusMouseVKey': [16, ['pointer', ['unsigned short']]], 'NumOfMouseVKey': [12, ['long']], 'pVkToF': [8, 
['pointer', ['_VK_TO_FUNCTION_TABLE']]], 'LayoutInformation': [2, ['unsigned short']], }], 'HBITMAP__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_11fe': [0x4, { 'Capabilities': [0, ['pointer', ['_DEVICE_CAPABILITIES']]], }], '__unnamed_18b2': [0x18, { 'Length64': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment64': [4, ['unsigned long']], }], '__unnamed_11fa': [0x10, { 'Interface': [8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData': [12, ['pointer', ['void']]], 'Version': [6, ['unsigned short']], 'InterfaceType': [0, ['pointer', ['_GUID']]], 'Size': [4, ['unsigned short']], }], 'tagPROCESS_HID_TABLE': [0x38, { 'UsagePageLast': [48, ['unsigned short']], 'fExclusiveMouseSink': [52, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'fRawKeyboardSink': [52, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'fAppKeys': [52, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fCaptureMouse': [52, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'fNoLegacyMouse': [52, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'UsageLast': [50, ['unsigned short']], 'fRawKeyboard': [52, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'fNoLegacyKeyboard': [52, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'nSinks': [40, ['long']], 'fNoHotKeys': [52, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'spwndTargetMouse': [32, ['pointer', ['tagWND']]], 'spwndTargetKbd': [36, ['pointer', ['tagWND']]], 'UsagePageList': [16, ['_LIST_ENTRY']], 'link': [0, ['_LIST_ENTRY']], 'fExclusiveKeyboardSink': [52, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'pLastRequest': [44, ['pointer', ['tagPROCESS_HID_REQUEST']]], 'ExclusionList': [24, ['_LIST_ENTRY']], 'fRawMouse': [52, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'fRawMouseSink': [52, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'InclusionList': [8, ['_LIST_ENTRY']], }], '_KFLOATING_SAVE': [0x20, { 'ErrorOffset': [8, ['unsigned long']], 'DataOffset': [16, ['unsigned 
long']], 'ControlWord': [0, ['unsigned long']], 'DataSelector': [20, ['unsigned long']], 'Cr0NpxState': [24, ['unsigned long']], 'StatusWord': [4, ['unsigned long']], 'Spare1': [28, ['unsigned long']], 'ErrorSelector': [12, ['unsigned long']], }], 'tagRECT': [0x10, { 'top': [4, ['long']], 'right': [8, ['long']], 'bottom': [12, ['long']], 'left': [0, ['long']], }], '__unnamed_17ff': [0x20, { 'Text': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_TRF_UNINITIALIZED'}}]], 'Graphics': [0, ['_D3DKMDT_GRAPHICS_RENDERING_FORMAT']], }], 'HBRUSH__': [0x4, { 'unused': [0, ['long']], }], '_TLSPRITESTATE': [0x60, { 'flOriginalSurfFlags': [4, ['unsigned long']], 'iSpriteType': [16, ['unsigned long']], 'pfnSaveScreenBits': [84, ['pointer', ['void']]], 'bInsideDriverCall': [0, ['unsigned char']], 'pfnStrokePath': [36, ['pointer', ['void']]], 'pfnTransparentBlt': [68, ['pointer', ['void']]], 'pfnPaint': [44, ['pointer', ['void']]], 'pfnFillPath': [40, ['pointer', ['void']]], 'pfnStretchBltROP': [88, ['pointer', ['void']]], 'iType': [24, ['unsigned long']], 'pfnPlgBlt': [76, ['pointer', ['void']]], 'pfnCopyBits': [52, ['pointer', ['void']]], 'pState': [28, ['pointer', ['void']]], 'iOriginalType': [8, ['unsigned long']], 'pfnTextOut': [60, ['pointer', ['void']]], 'pfnDrawStream': [92, ['pointer', ['void']]], 'pfnStrokeAndFillPath': [32, ['pointer', ['void']]], 'pfnLineTo': [64, ['pointer', ['void']]], 'pfnStretchBlt': [56, ['pointer', ['void']]], 'pfnGradientFill': [80, ['pointer', ['void']]], 'pfnAlphaBlend': [72, ['pointer', ['void']]], 'flags': [20, ['unsigned long']], 'flSpriteSurfFlags': [12, ['unsigned long']], 'pfnBitBlt': [48, ['pointer', ['void']]], }], 'tagSMS': [0x3c, { 'wParam': [40, ['unsigned long']], 'lParam': [44, ['long']], 'lRet': [28, ['long']], 'psmsReceiveNext': [4, ['pointer', ['tagSMS']]], 'tSent': [32, ['unsigned long']], 'psmsNext': [0, ['pointer', ['tagSMS']]], 'ptiCallBackSender': [24, ['pointer', ['tagTHREADINFO']]], 'ptiReceiver': [12, 
['pointer', ['tagTHREADINFO']]], 'lpResultCallBack': [16, ['pointer', ['void']]], 'message': [48, ['unsigned long']], 'dwData': [20, ['unsigned long']], 'ptiSender': [8, ['pointer', ['tagTHREADINFO']]], 'flags': [36, ['unsigned long']], 'pvCapture': [56, ['pointer', ['void']]], 'spwnd': [52, ['pointer', ['tagWND']]], }], '_D3DKMDT_FREQUENCY_RANGE': [0x20, { 'MinVSyncFreq': [0, ['_D3DDDI_RATIONAL']], 'MaxVSyncFreq': [8, ['_D3DDDI_RATIONAL']], 'MaxHSyncFreq': [24, ['_D3DDDI_RATIONAL']], 'MinHSyncFreq': [16, ['_D3DDDI_RATIONAL']], }], '__unnamed_11f4': [0x4, { 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'}}]], }], '__unnamed_11f0': [0x4, { 'Srb': [0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], }], 'HRGN__': [0x4, { 'unused': [0, ['long']], }], 'tagSIZE': [0x8, { 'cy': [4, ['long']], 'cx': [0, ['long']], }], 'tagDESKTOPVIEW': [0xc, { 'ulClientDelta': [8, ['unsigned long']], 'pdesk': [4, ['pointer', ['tagDESKTOP']]], 'pdvNext': [0, ['pointer', ['tagDESKTOPVIEW']]], }], '__unnamed_120a': [0x4, { 'IdType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'}}]], }], '__unnamed_120e': [0x8, { 'DeviceTextType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'}}]], 'LocaleId': [4, ['unsigned long']], }], '_DMM_VIDPNPATHSFROMSOURCE_SERIALIZATION': [0x1bc, { 'PathAndTargetModeSerialization': [44, ['array', 1, ['_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION']]], 'NumPathsFromSource': [40, ['unsigned char']], 'SourceMode': [0, ['_D3DKMDT_VIDPN_SOURCE_MODE']], }], '_D3DDDI_GAMMA_RAMP_RGB256x3x16': [0x600, { 'Blue': [1024, ['array', 256, ['unsigned short']]], 'Green': [512, ['array', 256, 
['unsigned short']]], 'Red': [0, ['array', 256, ['unsigned short']]], }], '_CALLPROCDATA': [0x20, { 'head': [0, ['_PROCDESKHEAD']], 'pfnClientPrevious': [24, ['unsigned long']], 'wType': [28, ['unsigned short']], 'spcpdNext': [20, ['pointer', ['_CALLPROCDATA']]], }], '_D3DDDI_RATIONAL': [0x8, { 'Denominator': [4, ['unsigned long']], 'Numerator': [0, ['unsigned long']], }], '_PFNCLIENT': [0x5c, { 'pfnDispatchDefWindowProc': [80, ['pointer', ['void']]], 'pfnStaticWndProc': [56, ['pointer', ['void']]], 'pfnDispatchHook': [76, ['pointer', ['void']]], 'pfnDesktopWndProc': [12, ['pointer', ['void']]], 'pfnImeWndProc': [60, ['pointer', ['void']]], 'pfnScrollBarWndProc': [0, ['pointer', ['void']]], 'pfnEditWndProc': [44, ['pointer', ['void']]], 'pfnGhostWndProc': [64, ['pointer', ['void']]], 'pfnMessageWindowProc': [20, ['pointer', ['void']]], 'pfnSwitchWindowProc': [24, ['pointer', ['void']]], 'pfnComboListBoxProc': [36, ['pointer', ['void']]], 'pfnComboBoxWndProc': [32, ['pointer', ['void']]], 'pfnMDIClientWndProc': [52, ['pointer', ['void']]], 'pfnDialogWndProc': [40, ['pointer', ['void']]], 'pfnHkINLPCWPSTRUCT': [68, ['pointer', ['void']]], 'pfnTitleWndProc': [4, ['pointer', ['void']]], 'pfnHkINLPCWPRETSTRUCT': [72, ['pointer', ['void']]], 'pfnButtonWndProc': [28, ['pointer', ['void']]], 'pfnMenuWndProc': [8, ['pointer', ['void']]], 'pfnListBoxWndProc': [48, ['pointer', ['void']]], 'pfnDispatchMessage': [84, ['pointer', ['void']]], 'pfnDefWindowProc': [16, ['pointer', ['void']]], 'pfnMDIActivateDlgProc': [88, ['pointer', ['void']]], }], '_THRDESKHEAD': [0x14, { 'h': [0, ['pointer', ['void']]], 'pSelf': [16, ['pointer', ['unsigned char']]], 'rpdesk': [12, ['pointer', ['tagDESKTOP']]], 'pti': [8, ['pointer', ['tagTHREADINFO']]], 'cLockObj': [4, ['unsigned long']], }], 'tagSVR_INSTANCE_INFO': [0x20, { 'head': [0, ['_THROBJHEAD']], 'next': [12, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'nextInThisThread': [16, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'spwndEvent': [24, 
['pointer', ['tagWND']]], 'afCmd': [20, ['unsigned long']], 'pcii': [28, ['pointer', ['void']]], }], '_D3DKMDT_MONITOR_SOURCE_MODE': [0x4c, { 'Origin': [68, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'VideoSignalInfo': [4, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'ColorCoeffDynamicRanges': [52, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'Preference': [72, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], 'Id': [0, ['unsigned long']], 'ColorBasis': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], 'VWPL': [0x10, { 'fTagged': [12, ['long']], 'cElem': [4, ['unsigned long']], 'cThreshhold': [8, ['unsigned long']], 'aElement': [16, ['array', 0, ['VWPLELEMENT']]], 'cPwnd': [0, ['unsigned long']], }], 'tagCURSOR': [0x54, { 'rt': [30, ['unsigned short']], 'head': [0, ['_PROCMARKHEAD']], 'hbmUserAlpha': [68, ['pointer', ['HBITMAP__']]], 'cx': [76, ['unsigned long']], 'xHotspot': [36, ['short']], 'hbmColor': [44, ['pointer', ['HBITMAP__']]], 'pcurNext': [16, ['pointer', ['tagCURSOR']]], 'CURSORF_flags': [32, ['unsigned long']], 'hbmMask': [40, ['pointer', ['HBITMAP__']]], 'bpp': [72, ['unsigned long']], 'cy': [80, ['unsigned long']], 'strName': [20, ['_UNICODE_STRING']], 'rcBounds': [52, ['tagRECT']], 'atomModName': [28, ['unsigned short']], 'hbmAlpha': [48, ['pointer', ['HBITMAP__']]], 'yHotspot': [38, ['short']], }], '__unnamed_1202': [0x4, { 'IoResourceRequirementList': [0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], }], '__unnamed_1206': [0x1, { 'Lock': [0, ['unsigned char']], }], 
'__unnamed_1204': [0x10, { 'Buffer': [4, ['pointer', ['void']]], 'WhichSpace': [0, ['unsigned long']], 'Length': [12, ['unsigned long']], 'Offset': [8, ['unsigned long']], }], 'HKL__': [0x4, { 'unused': [0, ['long']], }], 'tagDCE': [0x30, { 'hrgnClipPublic': [24, ['pointer', ['HRGN__']]], 'pdceNext': [0, ['pointer', ['tagDCE']]], 'hrgnSavedVis': [28, ['pointer', ['HRGN__']]], 'pwndRedirect': [16, ['pointer', ['tagWND']]], 'pMonitor': [44, ['pointer', ['tagMONITOR']]], 'ppiOwner': [40, ['pointer', ['tagPROCESSINFO']]], 'pwndOrg': [8, ['pointer', ['tagWND']]], 'hrgnClip': [20, ['pointer', ['HRGN__']]], 'hdc': [4, ['pointer', ['HDC__']]], 'ptiOwner': [36, ['pointer', ['tagTHREADINFO']]], 'DCX_flags': [32, ['unsigned long']], 'pwndClip': [12, ['pointer', ['tagWND']]], }], 'tagPROCESS_HID_REQUEST': [0x18, { 'link': [0, ['_LIST_ENTRY']], 'fExclusiveOrphaned': [12, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'spwndTarget': [20, ['pointer', ['tagWND']]], 'fSinkable': [12, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pTLCInfo': [16, ['pointer', ['tagHID_TLC_INFO']]], 'fDevNotify': [12, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'fExSinkable': [12, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'usUsage': [10, ['unsigned short']], 'ptr': [16, ['pointer', ['void']]], 'pPORequest': [16, ['pointer', ['tagHID_PAGEONLY_REQUEST']]], 'usUsagePage': [8, ['unsigned short']], }], 'tagWOWTHREADINFO': [0x18, { 'pwtiNext': [0, ['pointer', ['tagWOWTHREADINFO']]], 'pIdleEvent': [16, ['pointer', ['_KEVENT']]], 'idParentProcess': [12, ['unsigned long']], 'fAssigned': [20, ['long']], 'idWaitObject': [8, ['unsigned long']], 'idTask': [4, ['unsigned long']], }], '__unnamed_11bb': [0x28, { 'AuxiliaryBuffer': [20, ['pointer', ['unsigned char']]], 'Thread': [16, ['pointer', ['_ETHREAD']]], 'OriginalFileObject': [36, ['pointer', ['_FILE_OBJECT']]], 'DeviceQueueEntry': [0, ['_KDEVICE_QUEUE_ENTRY']], 'PacketType': [32, ['unsigned long']], 'CurrentStackLocation': [32, ['pointer', 
['_IO_STACK_LOCATION']]], 'ListEntry': [24, ['_LIST_ENTRY']], 'DriverContext': [0, ['array', 4, ['pointer', ['void']]]], }], '__unnamed_11be': [0x30, { 'Apc': [0, ['_KAPC']], 'CompletionKey': [0, ['pointer', ['void']]], 'Overlay': [0, ['__unnamed_11bb']], }], 'tagSBDATA': [0x10, { 'posMax': [4, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], 'pos': [12, ['long']], }], 'tagIMEINFO': [0x1c, { 'fdwProperty': [4, ['unsigned long']], 'fdwSelectCaps': [24, ['unsigned long']], 'fdwUICaps': [16, ['unsigned long']], 'dwPrivateDataSize': [0, ['unsigned long']], 'fdwSCSCaps': [20, ['unsigned long']], 'fdwSentenceCaps': [12, ['unsigned long']], 'fdwConversionCaps': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_SOURCE_MODE': [0x28, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_RMT_UNINITIALIZED', 1: 'D3DKMDT_RMT_GRAPHICS', 2: 'D3DKMDT_RMT_TEXT'}}]], 'Id': [0, ['unsigned long']], 'Format': [8, ['__unnamed_17ff']], }], '_PROCMARKHEAD': [0x10, { 'h': [0, ['pointer', ['void']]], 'ppi': [12, ['pointer', ['tagPROCESSINFO']]], 'hTaskWow': [8, ['unsigned long']], 'cLockObj': [4, ['unsigned long']], }], 'tagKBDFILE': [0x5c, { 'head': [0, ['_HEAD']], 'awchDllName': [28, ['array', 32, ['wchar']]], 'pKbdTbl': [16, ['pointer', ['tagKbdLayer']]], 'pkfNext': [8, ['pointer', ['tagKBDFILE']]], 'pKbdNlsTbl': [24, ['pointer', ['tagKbdNlsLayer']]], 'hBase': [12, ['pointer', ['void']]], 'Size': [20, ['unsigned long']], }], 'tagCLIENTINFO': [0x8c, { 'msgDbcsCB': [108, ['tagMSG']], 'dwCompatFlags': [12, ['unsigned long']], 'achDbcsCF': [106, ['array', 2, ['unsigned char']]], 'dwTIFlags': [20, ['unsigned long']], 'pClientThreadInfo': [60, ['pointer', ['tagCLIENTTHREADINFO']]], 'CodePage': [104, ['unsigned short']], 'dwKeyCache': [68, ['unsigned long']], 'dwHookCurrent': [52, ['unsigned long']], 'afAsyncKeyStateRecentDown': [92, ['array', 8, ['unsigned char']]], 'dwCompatFlags2': [16, ['unsigned long']], 'fsHooks': [36, ['unsigned long']], 'ulClientDelta': [28, 
['unsigned long']], 'pDeskInfo': [24, ['pointer', ['tagDESKTOPINFO']]], 'dwExpWinVer': [8, ['unsigned long']], 'dwHookData': [64, ['unsigned long']], 'afAsyncKeyState': [84, ['array', 8, ['unsigned char']]], 'CallbackWnd': [40, ['_CALLBACKWND']], 'lpdwRegisteredClasses': [136, ['pointer', ['unsigned long']]], 'cInDDEMLCallback': [56, ['long']], 'cSpins': [4, ['unsigned long']], 'hKL': [100, ['pointer', ['HKL__']]], 'dwAsyncKeyCache': [80, ['unsigned long']], 'afKeyState': [72, ['array', 8, ['unsigned char']]], 'CI_flags': [0, ['unsigned long']], 'phkCurrent': [32, ['pointer', ['tagHOOK']]], }], 'tagCLS': [0x5c, { 'spcur': [72, ['pointer', ['tagCURSOR']]], 'cbwndExtra': [60, ['long']], 'pclsClone': [40, ['pointer', ['tagCLS']]], 'lpszClientAnsiMenuName': [24, ['pointer', ['unsigned char']]], 'pclsBase': [36, ['pointer', ['tagCLS']]], 'atomNVClassName': [6, ['unsigned short']], 'style': [48, ['unsigned long']], 'pclsNext': [0, ['pointer', ['tagCLS']]], 'CSF_flags': [22, ['unsigned short']], 'lpfnWndProc': [52, ['pointer', ['void']]], 'lpszAnsiClassName': [84, ['pointer', ['unsigned char']]], 'spcpdFirst': [32, ['pointer', ['_CALLPROCDATA']]], 'lpszClientUnicodeMenuName': [28, ['pointer', ['unsigned short']]], 'cbclsExtra': [56, ['long']], 'lpszMenuName': [80, ['pointer', ['unsigned short']]], 'spicnSm': [88, ['pointer', ['tagCURSOR']]], 'hTaskWow': [20, ['unsigned short']], 'cWndReferenceCount': [44, ['long']], 'hbrBackground': [76, ['pointer', ['HBRUSH__']]], 'spicn': [68, ['pointer', ['tagCURSOR']]], 'fnid': [8, ['unsigned short']], 'pdce': [16, ['pointer', ['tagDCE']]], 'hModule': [64, ['pointer', ['void']]], 'rpdeskParent': [12, ['pointer', ['tagDESKTOP']]], 'atomClassName': [4, ['unsigned short']], }], '_DMM_VIDPN_SERIALIZATION': [0xc, { 'PathsFromSourceSerializationOffsets': [8, ['array', 1, ['unsigned long']]], 'NumActiveSources': [4, ['unsigned char']], 'Size': [0, ['unsigned long']], }], 'tagHID_PAGEONLY_REQUEST': [0x10, { 'usUsagePage': [8, ['unsigned 
short']], 'link': [0, ['_LIST_ENTRY']], 'cRefCount': [12, ['unsigned long']], }], 'tagWINDOWSTATION': [0x58, { 'pClipBase': [44, ['pointer', ['tagCLIP']]], 'dwSessionId': [0, ['unsigned long']], 'cNumClipFormats': [48, ['unsigned long']], 'luidUser': [76, ['_LUID']], 'pGlobalAtomTable': [64, ['pointer', ['void']]], 'ptiClipLock': [24, ['pointer', ['tagTHREADINFO']]], 'dwWSF_Flags': [16, ['unsigned long']], 'rpdeskList': [8, ['pointer', ['tagDESKTOP']]], 'spklList': [20, ['pointer', ['tagKL']]], 'spwndClipOpen': [32, ['pointer', ['tagWND']]], 'luidEndSession': [68, ['_LUID']], 'pTerm': [12, ['pointer', ['tagTERMINAL']]], 'rpwinstaNext': [4, ['pointer', ['tagWINDOWSTATION']]], 'spwndClipboardListener': [60, ['pointer', ['tagWND']]], 'spwndClipViewer': [36, ['pointer', ['tagWND']]], 'iClipSequenceNumber': [56, ['unsigned long']], 'ptiDrawingClipboard': [28, ['pointer', ['tagTHREADINFO']]], 'spwndClipOwner': [40, ['pointer', ['tagWND']]], 'psidUser': [84, ['pointer', ['void']]], 'iClipSerialNumber': [52, ['unsigned long']], }], '__unnamed_11e4': [0x10, { 'Type3InputBuffer': [12, ['pointer', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'IoControlCode': [8, ['unsigned long']], 'InputBufferLength': [4, ['unsigned long']], }], '__unnamed_11e2': [0x10, { 'Length': [0, ['pointer', ['_LARGE_INTEGER']]], 'ByteOffset': [8, ['_LARGE_INTEGER']], 'Key': [4, ['unsigned long']], }], '__unnamed_163c': [0x8, { 'Attrib': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'WCA_UNDEFINED', 1: 'WCA_NCRENDERING_ENABLED', 2: 'WCA_NCRENDERING_POLICY', 3: 'WCA_TRANSITIONS_FORCEDISABLED', 4: 'WCA_ALLOW_NCPAINT', 5: 'WCA_CAPTION_BUTTON_BOUNDS', 6: 'WCA_NONCLIENT_RTL_LAYOUT', 7: 'WCA_FORCE_ICONIC_REPRESENTATION', 8: 'WCA_FLIP3D_POLICY', 9: 'WCA_EXTENDED_FRAME_BOUNDS', 10: 'WCA_HAS_ICONIC_BITMAP', 11: 'WCA_THEME_ATTRIBUTES', 12: 'WCA_NCRENDERING_EXILED', 13: 'WCA_NCADORNMENTINFO', 14: 'WCA_EXCLUDED_FROM_LIVEPREVIEW', 15: 'WCA_VIDEO_OVERLAY_ACTIVE', 16: 
'WCA_FORCE_ACTIVEWINDOW_APPEARANCE', 17: 'WCA_DISALLOW_PEEK', 18: 'WCA_LAST'}}]], 'cbData': [4, ['unsigned long']], }], '__unnamed_11e8': [0x8, { 'SecurityInformation': [0, ['unsigned long']], 'SecurityDescriptor': [4, ['pointer', ['void']]], }], 'tagPROFILEVALUEINFO': [0xc, { 'dwValue': [0, ['unsigned long']], 'uSection': [4, ['unsigned long']], 'pwszKeyName': [8, ['pointer', ['wchar']]], }], '__unnamed_11ec': [0x8, { 'DeviceObject': [4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb': [0, ['pointer', ['_VPB']]], }], '_DMM_MONITOR_SERIALIZATION': [0x28, { 'FrequencyRangeSetOffset': [28, ['unsigned long']], 'ModePruningAlgorithm': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_MPA_UNINITIALIZED', 1: 'DMM_MPA_GDI', 2: 'DMM_MPA_VISTA', 3: 'DMM_MPA_MAXVALID'}}]], 'VideoPresentTargetId': [4, ['unsigned long']], 'IsSimulatedMonitor': [12, ['unsigned char']], 'SourceModeSetOffset': [24, ['unsigned long']], 'Orientation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MO_UNINITIALIZED', 1: 'D3DKMDT_MO_0DEG', 2: 'D3DKMDT_MO_90DEG', 3: 'D3DKMDT_MO_180DEG', 4: 'D3DKMDT_MO_270DEG'}}]], 'DescriptorSetOffset': [32, ['unsigned long']], 'MonitorPowerState': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'}}]], 'IsUsingDefaultProfile': [13, ['unsigned char']], 'MonitorType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_VMT_UNINITIALIZED', 1: 'DMM_VMT_PHYSICAL_MONITOR', 2: 'DMM_VMT_BOOT_PERSISTENT_MONITOR', 3: 'DMM_VMT_PERSISTENT_MONITOR', 4: 'DMM_VMT_TEMPORARY_MONITOR', 5: 'DMM_VMT_SIMULATED_MONITOR'}}]], 'Size': [0, ['unsigned long']], }], '_WNDMSG': [0x8, { 'abMsgs': [4, ['pointer', ['unsigned char']]], 'maxMsgs': [0, ['unsigned long']], }], 'tagTDB': [0x18, { 'pti': [12, ['pointer', ['tagTHREADINFO']]], 'TDB_Flags': [22, ['unsigned short']], 'hTaskWow': [20, ['unsigned short']], 'pwti': [16, ['pointer', 
['tagWOWTHREADINFO']]], 'nEvents': [4, ['long']], 'nPriority': [8, ['long']], 'ptdbNext': [0, ['pointer', ['tagTDB']]], }], '_LIGATURE1': [0x6, { 'wch': [4, ['array', 1, ['wchar']]], 'VirtualKey': [0, ['unsigned char']], 'ModificationNumber': [2, ['unsigned short']], }], '_D3DKMDT_VIDPN_PRESENT_PATH': [0x15c, { 'GammaRamp': [336, ['_D3DKMDT_GAMMA_RAMP']], 'VidPnSourceId': [0, ['unsigned long']], 'Content': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPC_UNINITIALIZED', 1: 'D3DKMDT_VPPC_GRAPHICS', 2: 'D3DKMDT_VPPC_VIDEO', 255: 'D3DKMDT_VPPC_NOTSPECIFIED'}}]], 'VisibleFromActiveBROffset': [36, ['_D3DKMDT_2DREGION']], 'VidPnTargetColorBasis': [44, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], 'ContentTransformation': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION']], 'VidPnTargetId': [4, ['unsigned long']], 'VisibleFromActiveTLOffset': [28, ['_D3DKMDT_2DREGION']], 'CopyProtection': [68, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION']], 'VidPnTargetColorCoeffDynamicRanges': [48, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'ImportanceOrdinal': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPI_UNINITIALIZED', 1: 'D3DKMDT_VPPI_PRIMARY', 2: 'D3DKMDT_VPPI_SECONDARY', 3: 'D3DKMDT_VPPI_TERTIARY', 4: 'D3DKMDT_VPPI_QUATERNARY', 5: 'D3DKMDT_VPPI_QUINARY', 6: 'D3DKMDT_VPPI_SENARY', 7: 'D3DKMDT_VPPI_SEPTENARY', 8: 'D3DKMDT_VPPI_OCTONARY', 9: 'D3DKMDT_VPPI_NONARY', 10: 'D3DKMDT_VPPI_DENARY', 32: 'D3DKMDT_VPPI_MAX', 255: 'D3DKMDT_VPPI_NOTSPECIFIED'}}]], }], '_PROCDESKHEAD': [0x14, { 'h': [0, ['pointer', ['void']]], 'pSelf': [16, ['pointer', ['unsigned char']]], 'rpdesk': [12, ['pointer', ['tagDESKTOP']]], 'hTaskWow': [8, ['unsigned long']], 'cLockObj': [4, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT': [0x4, { 'Rotate270': [0, ['BitField', {'end_bit': 4, 
'start_bit': 3}]], 'Rotate90': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Rotate180': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], }], '_CONSOLE_CARET_INFO': [0x14, { 'hwnd': [0, ['pointer', ['HWND__']]], 'rc': [4, ['tagRECT']], }], 'tagPROCESSINFO': [0x1b0, { 'fHasMagContext': [412, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'hwinsta': [324, ['pointer', ['HWINSTA__']]], 'ptiList': [144, ['pointer', ['tagTHREADINFO']]], 'pHidTable': [420, ['pointer', ['tagPROCESS_HID_TABLE']]], 'W32PF_Flags': [8, ['unsigned long']], 'UserHandleCount': [44, ['long']], 'dwhmodLibLoadedMask': [188, ['unsigned long']], 'GDIBrushAttrFreeList': [120, ['_LIST_ENTRY']], 'hdeskStartup': [180, ['pointer', ['HDESK__']]], 'dwImeCompatFlags': [372, ['unsigned long']], 'dwRegisteredClasses': [424, ['unsigned long']], 'pBrushAttrList': [28, ['pointer', ['void']]], 'usi': [384, ['tagUSERSTARTUPINFO']], 'InputIdleEvent': [12, ['pointer', ['_KEVENT']]], 'W32Pid': [32, ['unsigned long']], 'bmHandleFlags': [348, ['_RTL_BITMAP']], 'UserHandleCountPeak': [48, ['unsigned long']], 'GDIEngUserMemAllocTable': [56, ['_RTL_AVL_TABLE']], 'cSysExpunge': [184, ['unsigned long']], 'pdvList': [340, ['pointer', ['tagDESKTOPVIEW']]], 'pwpi': [164, ['pointer', ['tagWOWPROCESSINFO']]], 'ppiNextRunning': [172, ['pointer', ['tagPROCESSINFO']]], 'Process': [0, ['pointer', ['_EPROCESS']]], 'pCursorCache': [356, ['pointer', ['tagCURSOR']]], 'pClientBase': [360, ['pointer', ['void']]], 'dwLpkEntryPoints': [364, ['unsigned long']], 'GDIDcAttrFreeList': [112, ['_LIST_ENTRY']], 'DxProcess': [140, ['pointer', ['void']]], 'NextStart': [20, ['pointer', ['_W32PROCESS']]], 'RefCount': [4, ['unsigned long']], 'dwLayout': [416, ['unsigned long']], 'pclsPublicList': [160, ['pointer', ['tagCLS']]], 'Unused': [412, ['BitField', {'end_bit': 32, 'start_bit': 1}]], 'GDIPushLock': [52, ['_EX_PUSH_LOCK']], 'hMonitor': [336, ['pointer', ['HMONITOR__']]], 
'ptiMainThread': [148, ['pointer', ['tagTHREADINFO']]], 'pvwplWndGCList': [428, ['pointer', ['VWPL']]], 'pW32Job': [368, ['pointer', ['tagW32JOB']]], 'luidSession': [376, ['_LUID']], 'GDIHandleCount': [36, ['long']], 'cThreads': [176, ['unsigned long']], 'rpdeskStartup': [152, ['pointer', ['tagDESKTOP']]], 'hSecureGdiSharedHandleTable': [136, ['pointer', ['void']]], 'pclsPrivateList': [156, ['pointer', ['tagCLS']]], 'GDIHandleCountPeak': [40, ['unsigned long']], 'StartCursorHideTime': [16, ['unsigned long']], 'ppiNext': [168, ['pointer', ['tagPROCESSINFO']]], 'Flags': [412, ['unsigned long']], 'dwHotkey': [332, ['unsigned long']], 'amwinsta': [328, ['unsigned long']], 'rpwinsta': [320, ['pointer', ['tagWINDOWSTATION']]], 'ahmodLibLoaded': [192, ['array', 32, ['pointer', ['void']]]], 'iClipSerialNumber': [344, ['unsigned long']], 'GDIW32PIDLockedBitmaps': [128, ['_LIST_ENTRY']], 'pDCAttrList': [24, ['pointer', ['void']]], }], '_DMM_COMMITVIDPNREQUEST_SERIALIZATION': [0x1c, { 'RequestDiagInfo': [4, ['_DMM_COMMITVIDPNREQUEST_DIAGINFO']], 'AffectedVidPnSourceId': [0, ['unsigned long']], 'VidPnSerialization': [16, ['_DMM_VIDPN_SERIALIZATION']], }], 'tagKbdLayer': [0x3c, { 'pVkToWcharTable': [4, ['pointer', ['_VK_TO_WCHAR_TABLE']]], 'pusVSCtoVK': [24, ['pointer', ['unsigned short']]], 'fLocaleFlags': [40, ['unsigned long']], 'pKeyNamesExt': [16, ['pointer', ['VSC_LPWSTR']]], 'dwSubType': [56, ['unsigned long']], 'pDeadKey': [8, ['pointer', ['DEADKEY']]], 'pCharModifiers': [0, ['pointer', ['MODIFIERS']]], 'pKeyNamesDead': [20, ['pointer', ['pointer', ['unsigned short']]]], 'bMaxVSCtoVK': [28, ['unsigned char']], 'pKeyNames': [12, ['pointer', ['VSC_LPWSTR']]], 'dwType': [52, ['unsigned long']], 'pLigature': [48, ['pointer', ['_LIGATURE1']]], 'nLgMax': [44, ['unsigned char']], 'pVSCtoVK_E1': [36, ['pointer', ['_VSC_VK']]], 'pVSCtoVK_E0': [32, ['pointer', ['_VSC_VK']]], 'cbLgEntry': [45, ['unsigned char']], }], 'HDC__': [0x4, { 'unused': [0, ['long']], }], 
'tagWin32AllocStats': [0x14, { 'dwMaxAlloc': [8, ['unsigned long']], 'pHead': [16, ['pointer', ['tagWin32PoolHead']]], 'dwMaxMem': [0, ['unsigned long']], 'dwCrtMem': [4, ['unsigned long']], 'dwCrtAlloc': [12, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT': [0x4, { 'Centered': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'AspectRatioCenteredMax': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'Stretched': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Custom': [0, ['BitField', {'end_bit': 5, 'start_bit': 4}]], }], 'tagMSG': [0x1c, { 'wParam': [8, ['unsigned long']], 'lParam': [12, ['long']], 'pt': [20, ['tagPOINT']], 'hwnd': [0, ['pointer', ['HWND__']]], 'time': [16, ['unsigned long']], 'message': [4, ['unsigned long']], }], '__unnamed_11a5': [0x4, { 'IrpCount': [0, ['long']], 'SystemBuffer': [0, ['pointer', ['void']]], 'MasterIrp': [0, ['pointer', ['_IRP']]], }], '_DMM_VIDPNSET_SERIALIZATION': [0x8, { 'VidPnOffset': [4, ['array', 1, ['unsigned long']]], 'NumVidPns': [0, ['unsigned char']], }], 'tagWOWPROCESSINFO': [0x28, { 'ptdbHead': [8, ['pointer', ['tagTDB']]], 'lpfnWowExitTask': [12, ['pointer', ['void']]], 'CSOwningThread': [32, ['pointer', ['tagTHREADINFO']]], 'ptiScheduled': [4, ['pointer', ['tagTHREADINFO']]], 'nSendLock': [24, ['unsigned long']], 'nRecvLock': [28, ['unsigned long']], 'CSLockCount': [36, ['long']], 'hEventWowExecClient': [20, ['pointer', ['void']]], 'pwpiNext': [0, ['pointer', ['tagWOWPROCESSINFO']]], 'pEventWowExec': [16, ['pointer', ['_KEVENT']]], }], '__unnamed_177b': [0xc, { 'Data': [0, ['array', 3, ['unsigned long']]], }], 'tagMENU': [0x6c, { 'iItem': [24, ['long']], 'head': [0, ['_PROCDESKHEAD']], 'umpm': [88, ['tagUAHMENUPOPUPMETRICS']], 'cItems': [32, ['unsigned long']], 'pParentMenus': [56, ['pointer', ['tagMENULIST']]], 'fFlags': [20, ['unsigned long']], 'cxMenu': [36, ['unsigned long']], 'dwContextHelpId': [60, ['unsigned 
long']], 'hbrBack': [72, ['pointer', ['HBRUSH__']]], 'cxTextAlign': [44, ['unsigned long']], 'cAlloced': [28, ['unsigned long']], 'spwndNotify': [48, ['pointer', ['tagWND']]], 'dwArrowsOn': [84, ['BitField', {'end_bit': 2, 'start_bit': 0}]], 'iMaxTop': [80, ['long']], 'dwMenuData': [68, ['unsigned long']], 'cyMenu': [40, ['unsigned long']], 'rgItems': [52, ['pointer', ['tagITEM']]], 'iTop': [76, ['long']], 'cyMax': [64, ['unsigned long']], }], '__unnamed_177f': [0xc, { 'DataSize': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_177d': [0xc, { 'Start': [0, ['unsigned long']], 'Length': [4, ['unsigned long']], 'Reserved': [8, ['unsigned long']], }], 'tagPOPUPMENU': [0x30, { 'fUseMonitorRect': [0, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'fDroppedLeft': [0, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'fHierarchyDropped': [0, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'posDropped': [44, ['unsigned long']], 'spwndNextPopup': [12, ['pointer', ['tagWND']]], 'fIsMenuBar': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'spwndPrevPopup': [16, ['pointer', ['tagWND']]], 'fHasMenuBar': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'spwndActivePopup': [28, ['pointer', ['tagWND']]], 'fTrackMouseEvent': [0, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'fNoNotify': [0, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'posSelectedItem': [40, ['unsigned long']], 'fIsSysMenu': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'fFlushDelayedFree': [0, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'ppmDelayedFree': [36, ['pointer', ['tagPOPUPMENU']]], 'fFreed': [0, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'fSynchronous': [0, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'fDropNextPopup': [0, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fRightButton': [0, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spmenuAlternate': [24, ['pointer', ['tagMENU']]], 'spmenu': [20, ['pointer', 
['tagMENU']]], 'spwndPopupMenu': [8, ['pointer', ['tagWND']]], 'fDestroyed': [0, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'iDropDir': [0, ['BitField', {'end_bit': 28, 'start_bit': 23}]], 'ppopupmenuRoot': [32, ['pointer', ['tagPOPUPMENU']]], 'fFirstClick': [0, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'spwndNotify': [4, ['pointer', ['tagWND']]], 'fRtoL': [0, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'fIsTrackPopup': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'fSendUninit': [0, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'fShowTimer': [0, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'fInCancel': [0, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'fToggle': [0, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fDelayedFree': [0, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'fHideTimer': [0, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'fAboutToHide': [0, ['BitField', {'end_bit': 13, 'start_bit': 12}]], }], '_DMM_MONITORDESCRIPTOR_SERIALIZATION': [0x8c, { 'Origin': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'Data': [12, ['array', 128, ['unsigned char']]], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MDT_UNINITIALIZED', 1: 'D3DKMDT_MDT_VESA_EDID_V1_BASEBLOCK', 2: 'D3DKMDT_MDT_VESA_EDID_V1_BLOCKMAP', 255: 'D3DKMDT_MDT_OTHER'}}]], 'Id': [0, ['unsigned long']], }], '__unnamed_1779': [0xc, { 'Reserved1': [8, ['unsigned long']], 'Port': [4, ['unsigned long']], 'Channel': [0, ['unsigned long']], }], 'HTOUCHINPUT__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_1773': [0xc, { 'Affinity': [8, ['unsigned long']], 'Vector': [4, ['unsigned long']], 'Group': [2, ['unsigned short']], 'Level': [0, ['unsigned short']], }], '_VK_VALUES_STRINGS': [0x8, { 'fReserved': 
[4, ['unsigned char']], 'pszMultiNames': [0, ['pointer', ['unsigned char']]], }], '__unnamed_1771': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length': [8, ['unsigned long']], }], '_DMM_MONITOR_SOURCE_MODE_SERIALIZATION': [0x50, { 'Info': [0, ['_D3DKMDT_MONITOR_SOURCE_MODE']], 'TimingType': [76, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MTT_UNINITIALIZED', 1: 'D3DKMDT_MTT_ESTABLISHED', 2: 'D3DKMDT_MTT_STANDARD', 3: 'D3DKMDT_MTT_EXTRASTANDARD', 4: 'D3DKMDT_MTT_DETAILED', 5: 'D3DKMDT_MTT_DEFAULTMONITORPROFILE', 6: 'D3DKMDT_MTT_MAXVALID'}}]], }], '__unnamed_1775': [0xc, { 'Affinity': [8, ['unsigned long']], 'Vector': [4, ['unsigned long']], 'Group': [0, ['unsigned short']], 'MessageCount': [2, ['unsigned short']], }], '__unnamed_11ac': [0x8, { 'AsynchronousParameters': [0, ['__unnamed_11aa']], 'AllocationSize': [0, ['_LARGE_INTEGER']], }], '__unnamed_11aa': [0x8, { 'UserApcContext': [4, ['pointer', ['void']]], 'UserApcRoutine': [0, ['pointer', ['void']]], 'IssuingProcess': [0, ['pointer', ['void']]], }], 'tagSBCALC': [0x40, { 'posMax': [4, ['long']], 'pxThumbTop': [52, ['long']], 'pxThumbBottom': [48, ['long']], 'cpxThumb': [32, ['long']], 'pxMin': [60, ['long']], 'pxStart': [44, ['long']], 'pxDownArrow': [40, ['long']], 'pos': [12, ['long']], 'cpx': [56, ['long']], 'pxBottom': [20, ['long']], 'pxTop': [16, ['long']], 'pxLeft': [24, ['long']], 'pxRight': [28, ['long']], 'pxUpArrow': [36, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], }], 'HIMC__': [0x4, { 'unused': [0, ['long']], }], 'tagSBINFO': [0x24, { 'WSBflags': [0, ['long']], 'Horz': [4, ['tagSBDATA']], 'Vert': [20, ['tagSBDATA']], }], '__unnamed_1213': [0x8, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'}}]], 'Reserved': [1, ['array', 3, ['unsigned char']]], 'InPath': [0, ['unsigned char']], }], 'tagITEM': [0x6c, { 'ulX': [56, ['unsigned long']], 
'wID': [8, ['unsigned long']], 'dwItemData': [32, ['unsigned long']], 'cyItem': [48, ['unsigned long']], 'hbmpChecked': [16, ['pointer', ['void']]], 'xItem': [36, ['unsigned long']], 'spSubMenu': [12, ['pointer', ['tagMENU']]], 'hbmpUnchecked': [20, ['pointer', ['void']]], 'fState': [4, ['unsigned long']], 'dxTab': [52, ['unsigned long']], 'hbmp': [64, ['pointer', ['HBITMAP__']]], 'yItem': [40, ['unsigned long']], 'fType': [0, ['unsigned long']], 'umim': [76, ['tagUAHMENUITEMMETRICS']], 'cch': [28, ['unsigned long']], 'ulWidth': [60, ['unsigned long']], 'cyBmp': [72, ['long']], 'cxBmp': [68, ['long']], 'lpstr': [24, ['pointer', ['unsigned short']]], 'cxItem': [44, ['unsigned long']], }], '__unnamed_11d9': [0x10, { 'FileInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 
'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'AdvanceOnly': [13, ['unsigned char']], 'ClusterCount': [12, ['unsigned long']], 'Length': [0, ['unsigned long']], 'DeleteHandle': [12, ['pointer', ['void']]], 'ReplaceIfExists': [12, ['unsigned char']], 'FileObject': [8, ['pointer', ['_FILE_OBJECT']]], }], '_VSC_VK': [0x4, { 'Vsc': [0, ['unsigned char']], 'Vk': [2, ['unsigned short']], }], '_VK_TO_WCHARS1': [0x4, { 'Attributes': [1, ['unsigned char']], 'VirtualKey': [0, ['unsigned char']], 'wch': [2, ['array', 1, ['wchar']]], }], '__unnamed_121b': [0x4, { 'PowerSequence': [0, ['pointer', ['_POWER_SEQUENCE']]], }], '_DMM_MONITORFREQUENCYRANGESET_SERIALIZATION': [0x34, { 'NumFrequencyRanges': [0, ['unsigned char']], 'FrequencyRangeSerialization': [4, ['array', 1, ['_D3DKMDT_MONITOR_FREQUENCY_RANGE']]], }], '_D3DKMDT_GAMMA_RAMP': [0xc, { 'Data': [8, ['__unnamed_179f']], 'DataSize': [4, ['unsigned long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_GAMMARAMP_UNINITIALIZED', 1: 'D3DDDI_GAMMARAMP_DEFAULT', 2: 'D3DDDI_GAMMARAMP_RGB256x3x16', 3: 'D3DDDI_GAMMARAMP_DXGI_1'}}]], }], '_W32PROCESS': [0x90, { 'GDIPushLock': [52, ['_EX_PUSH_LOCK']], 'DxProcess': [140, ['pointer', ['void']]], 'pBrushAttrList': [28, ['pointer', ['void']]], 'Process': [0, ['pointer', ['_EPROCESS']]], 'NextStart': [20, ['pointer', ['_W32PROCESS']]], 
'GDIW32PIDLockedBitmaps': [128, ['_LIST_ENTRY']], 'RefCount': [4, ['unsigned long']], 'StartCursorHideTime': [16, ['unsigned long']], 'GDIBrushAttrFreeList': [120, ['_LIST_ENTRY']], 'InputIdleEvent': [12, ['pointer', ['_KEVENT']]], 'W32PF_Flags': [8, ['unsigned long']], 'GDIHandleCount': [36, ['long']], 'hSecureGdiSharedHandleTable': [136, ['pointer', ['void']]], 'UserHandleCountPeak': [48, ['unsigned long']], 'W32Pid': [32, ['unsigned long']], 'UserHandleCount': [44, ['long']], 'pDCAttrList': [24, ['pointer', ['void']]], 'GDIEngUserMemAllocTable': [56, ['_RTL_AVL_TABLE']], 'GDIHandleCountPeak': [40, ['unsigned long']], 'GDIDcAttrFreeList': [112, ['_LIST_ENTRY']], }], 'tagSERVERINFO': [0xffc, { 'uiShellMsg': [520, ['unsigned long']], 'atomSysClass': [460, ['array', 25, ['unsigned short']]], 'dtScroll': [2276, ['unsigned long']], 'dwKeyCache': [2404, ['unsigned long']], 'atomIconSmProp': [964, ['unsigned short']], 'argbSystemUnmatched': [1876, ['array', 31, ['unsigned long']]], 'atomContextHelpIdProp': [968, ['unsigned short']], 'cySysFontChar': [2308, ['long']], 'mpFnid_serverCBWndProc': [164, ['array', 31, ['unsigned short']]], 'PUSIFlags': [3928, ['unsigned long']], 'dtLBSearch': [2280, ['unsigned long']], 'tmSysFont': [2312, ['tagTEXTMETRICW']], 'ahbrSystem': [2124, ['array', 31, ['pointer', ['HBRUSH__']]]], 'dwDefaultHeapSize': [516, ['unsigned long']], 'dwSRVIFlags': [0, ['unsigned long']], 'BitsPixel': [3925, ['unsigned char']], 'wMaxLeftOverlapChars': [2296, ['long']], 'dwLastSystemRITEventTickCountUpdate': [3940, ['unsigned long']], 'dpiSystem': [2372, ['tagDPISERVERINFO']], 'hIcoWindows': [2400, ['pointer', ['HICON__']]], 'dwAsyncKeyCache': [2408, ['unsigned long']], 'dwTagCount': [4084, ['unsigned long']], 'adwDBGTAGFlags': [3944, ['array', 35, ['unsigned long']]], 'aiSysMet': [1488, ['array', 97, ['long']]], 'acAnsiToOem': [1228, ['array', 256, ['unsigned char']]], 'aStoCidPfn': [136, ['array', 7, ['pointer', ['void']]]], 'dwLastRITEventTickCount': 
[2268, ['unsigned long']], 'cbHandleTable': [456, ['unsigned long']], 'atomFrostedWindowProp': [970, ['unsigned short']], 'ucWheelScrollLines': [2288, ['unsigned long']], 'ptCursorReal': [2260, ['tagPOINT']], 'ucWheelScrollChars': [2292, ['unsigned long']], 'acOemToAnsi': [972, ['array', 256, ['unsigned char']]], 'hbrGray': [2248, ['pointer', ['HBRUSH__']]], 'BitCount': [3920, ['unsigned short']], 'argbSystem': [2000, ['array', 31, ['unsigned long']]], 'dtCaretBlink': [2284, ['unsigned long']], 'dwInstalledEventHooks': [1484, ['unsigned long']], 'cxSysFontChar': [2304, ['long']], 'wMaxRightOverlapChars': [2300, ['long']], 'oembmi': [2416, ['array', 93, ['tagOEMBITMAPINFO']]], 'apfnClientWorker': [412, ['_PFNCLIENTWORKER']], 'dwDefaultHeapBase': [512, ['unsigned long']], 'apfnClientA': [228, ['_PFNCLIENT']], 'dmLogPixels': [3922, ['unsigned short']], 'nEvents': [2272, ['long']], 'atomIconProp': [966, ['unsigned short']], 'Planes': [3924, ['unsigned char']], 'apfnClientW': [320, ['_PFNCLIENT']], 'MBStrings': [524, ['array', 11, ['tagMBSTRING']]], 'UILangID': [3936, ['unsigned short']], 'dwRIPFlags': [4088, ['unsigned long']], 'uCaretWidth': [3932, ['unsigned long']], 'cCaptures': [2412, ['unsigned long']], 'cHandleEntries': [4, ['unsigned long']], 'ptCursor': [2252, ['tagPOINT']], 'hIconSmWindows': [2396, ['pointer', ['HICON__']]], 'mpFnidPfn': [8, ['array', 32, ['pointer', ['void']]]], 'rcScreenReal': [3904, ['tagRECT']], }], '_D3DKMDT_VIDEO_SIGNAL_INFO': [0x2c, { 'VSyncFreq': [20, ['_D3DDDI_RATIONAL']], 'ActiveSize': [12, ['_D3DKMDT_2DREGION']], 'PixelRate': [36, ['unsigned long']], 'TotalSize': [4, ['_D3DKMDT_2DREGION']], 'VideoStandard': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VSS_UNINITIALIZED', 1: 'D3DKMDT_VSS_VESA_DMT', 2: 'D3DKMDT_VSS_VESA_GTF', 3: 'D3DKMDT_VSS_VESA_CVT', 4: 'D3DKMDT_VSS_IBM', 5: 'D3DKMDT_VSS_APPLE', 6: 'D3DKMDT_VSS_NTSC_M', 7: 'D3DKMDT_VSS_NTSC_J', 8: 'D3DKMDT_VSS_NTSC_443', 9: 'D3DKMDT_VSS_PAL_B', 10: 
'D3DKMDT_VSS_PAL_B1', 11: 'D3DKMDT_VSS_PAL_G', 12: 'D3DKMDT_VSS_PAL_H', 13: 'D3DKMDT_VSS_PAL_I', 14: 'D3DKMDT_VSS_PAL_D', 15: 'D3DKMDT_VSS_PAL_N', 16: 'D3DKMDT_VSS_PAL_NC', 17: 'D3DKMDT_VSS_SECAM_B', 18: 'D3DKMDT_VSS_SECAM_D', 19: 'D3DKMDT_VSS_SECAM_G', 20: 'D3DKMDT_VSS_SECAM_H', 21: 'D3DKMDT_VSS_SECAM_K', 22: 'D3DKMDT_VSS_SECAM_K1', 23: 'D3DKMDT_VSS_SECAM_L', 24: 'D3DKMDT_VSS_SECAM_L1', 25: 'D3DKMDT_VSS_EIA_861', 26: 'D3DKMDT_VSS_EIA_861A', 27: 'D3DKMDT_VSS_EIA_861B', 28: 'D3DKMDT_VSS_PAL_K', 29: 'D3DKMDT_VSS_PAL_K1', 30: 'D3DKMDT_VSS_PAL_L', 31: 'D3DKMDT_VSS_PAL_M', 255: 'D3DKMDT_VSS_OTHER'}}]], 'ScanLineOrdering': [40, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_VSSLO_UNINITIALIZED', 1: 'D3DDDI_VSSLO_PROGRESSIVE', 2: 'D3DDDI_VSSLO_INTERLACED_UPPERFIELDFIRST', 3: 'D3DDDI_VSSLO_INTERLACED_LOWERFIELDFIRST', 255: 'D3DDDI_VSSLO_OTHER'}}]], 'HSyncFreq': [28, ['_D3DDDI_RATIONAL']], }], '__unnamed_11dd': [0x8, { 'FsInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'}}]], 'Length': [0, ['unsigned long']], }], '__unnamed_11df': [0x10, { 'Type3InputBuffer': [12, ['pointer', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'FsControlCode': [8, ['unsigned long']], 'InputBufferLength': [4, ['unsigned long']], }], 'D3DDDI_DXGI_RGB': [0xc, { 'Blue': [8, ['float']], 'Green': [4, ['float']], 'Red': [0, ['float']], }], '_MAGNIFICATION_INPUT_TRANSFORM': [0x2c, { 'rcScreen': [16, ['tagRECT']], 'magFactorX': [36, ['long']], 'magFactorY': [40, ['long']], 'ptiMagThreadInfo': [32, ['pointer', ['tagTHREADINFO']]], 'rcSource': [0, ['tagRECT']], }], '_D3DKMDT_MONITOR_FREQUENCY_RANGE': [0x30, { 'Origin': [0, 
['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'ConstraintType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MFRC_UNINITIALIZED', 1: 'D3DKMDT_MFRC_ACTIVESIZE', 2: 'D3DKMDT_MFRC_MAXPIXELRATE'}}]], 'RangeLimits': [4, ['_D3DKMDT_FREQUENCY_RANGE']], 'Constraint': [40, ['__unnamed_1633']], }], '_PFNCLIENTWORKER': [0x2c, { 'pfnComboBoxWndProc': [4, ['pointer', ['void']]], 'pfnMDIClientWndProc': [24, ['pointer', ['void']]], 'pfnDialogWndProc': [12, ['pointer', ['void']]], 'pfnStaticWndProc': [28, ['pointer', ['void']]], 'pfnCtfHookProc': [40, ['pointer', ['void']]], 'pfnButtonWndProc': [0, ['pointer', ['void']]], 'pfnImeWndProc': [32, ['pointer', ['void']]], 'pfnEditWndProc': [16, ['pointer', ['void']]], 'pfnListBoxWndProc': [20, ['pointer', ['void']]], 'pfnGhostWndProc': [36, ['pointer', ['void']]], 'pfnComboListBoxProc': [8, ['pointer', ['void']]], }], '_D3DDDI_GAMMA_RAMP_DXGI_1': [0x3024, { 'GammaCurve': [24, ['array', 1025, ['D3DDDI_DXGI_RGB']]], 'Scale': [0, ['D3DDDI_DXGI_RGB']], 'Offset': [12, ['D3DDDI_DXGI_RGB']], }], '_DXGK_DIAG_HEADER': [0x30, { 'Index': [40, ['unsigned long']], 'ProcessName': [16, ['array', 16, ['unsigned char']]], 'LogTimestamp': [8, ['unsigned long long']], 'ThreadId': [32, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_TYPE_NONE', 1: 'DXGK_DIAG_TYPE_SDC', 2: 'DXGK_DIAG_TYPE_HPD', 3: 'DXGK_DIAG_TYPE_DC_ORIGIN', 4: 'DXGK_DIAG_TYPE_USER_CDS', 5: 'DXGK_DIAG_TYPE_DRV_CDS', 6: 'DXGK_DIAG_TYPE_CODE_POINT', 7: 'DXGK_DIAG_TYPE_QDC', 8: 'DXGK_DIAG_TYPE_MONITOR_MGR', 9: 'DXGK_DIAG_TYPE_CONNECTEDSET_NOT_FOUND', 10: 'DXGK_DIAG_TYPE_DISPDIAG_COLLECTED', 11: 'DXGK_DIAG_TYPE_BML_PACKET', 12: 'DXGK_DIAG_TYPE_BML_PACKET_EX', 13: 
'DXGK_DIAG_TYPE_COMMIT_VIDPN_FAILED', 14: 'DXGK_DIAG_TYPE_MAX', -1: 'DXGK_DIAG_TYPE_FORCE_UINT32'}}]], 'WdLogIdx': [44, ['unsigned long']], 'Size': [4, ['unsigned long']], }], '_SM_VALUES_STRINGS': [0x10, { 'StorageType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'SmStorageActual', 1: 'SmStorageNonActual'}}]], 'pszName': [0, ['pointer', ['unsigned char']]], 'ulValue': [4, ['unsigned long']], 'RangeType': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'SmRangeSharedInfo', 1: 'SmRangeNonSharedInfo', 2: 'SmRangeBool'}}]], }], 'tagTERMINAL': [0x20, { 'spwndDesktopOwner': [4, ['pointer', ['tagWND']]], 'dwTERMF_Flags': [0, ['unsigned long']], 'dwNestedLevel': [16, ['unsigned long']], 'pqDesktop': [12, ['pointer', ['tagQ']]], 'pEventInputReady': [28, ['pointer', ['_KEVENT']]], 'rpdeskDestroy': [24, ['pointer', ['tagDESKTOP']]], 'ptiDesktop': [8, ['pointer', ['tagTHREADINFO']]], 'pEventTermInit': [20, ['pointer', ['_KEVENT']]], }], 'tagMENULIST': [0x8, { 'pMenu': [4, ['pointer', ['tagMENU']]], 'pNext': [0, ['pointer', ['tagMENULIST']]], }], '__unnamed_11d5': [0x8, { 'CompletionFilter': [4, ['unsigned long']], 'Length': [0, ['unsigned long']], }], '__unnamed_11d7': [0x8, { 'Length': [0, ['unsigned long']], 'FileInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 
24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], }], '__unnamed_11d3': [0x10, { 'Length': [0, ['unsigned long']], 'FileIndex': [12, ['unsigned long']], 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 
'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'FileName': [4, ['pointer', ['_UNICODE_STRING']]], }], 'tagPOINT': [0x8, { 'y': [4, ['long']], 'x': [0, ['long']], }], 'tagSHAREDINFO': [0x11c, { 'psi': [0, ['pointer', ['tagSERVERINFO']]], 'DefWindowSpecMsgs': [276, ['_WNDMSG']], 'awmControl': [20, ['array', 31, ['_WNDMSG']]], 'ulSharedDelta': [16, ['unsigned long']], 'pDispInfo': [12, ['pointer', ['tagDISPLAYINFO']]], 'aheList': [4, ['pointer', ['_HANDLEENTRY']]], 'DefWindowMsgs': [268, ['_WNDMSG']], 'HeEntrySize': [8, ['unsigned long']], }], 'tagIMC': [0x20, { 'dwClientImcData': [24, ['unsigned long']], 'head': [0, ['_THRDESKHEAD']], 'hImeWnd': [28, ['pointer', ['HWND__']]], 'pImcNext': [20, ['pointer', ['tagIMC']]], }], 'tagKL': [0x44, { 'uNumTbl': [48, ['unsigned long']], 'pklPrev': [12, ['pointer', 
['tagKL']]], 'head': [0, ['_HEAD']], 'pklNext': [8, ['pointer', ['tagKL']]], 'spkfPrimary': [28, ['pointer', ['tagKBDFILE']]], 'dwFontSigs': [32, ['unsigned long']], 'dwLastKbdType': [56, ['unsigned long']], 'CodePage': [40, ['unsigned short']], 'dwKL_Flags': [16, ['unsigned long']], 'iBaseCharset': [36, ['unsigned long']], 'dwKLID': [64, ['unsigned long']], 'spkf': [24, ['pointer', ['tagKBDFILE']]], 'piiex': [44, ['pointer', ['tagIMEINFOEX']]], 'hkl': [20, ['pointer', ['HKL__']]], 'pspkfExtra': [52, ['pointer', ['pointer', ['tagKBDFILE']]]], 'wchDiacritic': [42, ['wchar']], 'dwLastKbdSubType': [60, ['unsigned long']], }], 'tagCARET': [0x38, { 'iHideLevel': [8, ['long']], 'yOwnDc': [44, ['long']], 'y': [16, ['long']], 'cy': [20, ['long']], 'cx': [24, ['long']], 'hBitmap': [28, ['pointer', ['HBITMAP__']]], 'cyOwnDc': [52, ['long']], 'fOn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'hTimer': [32, ['unsigned long']], 'xOwnDc': [40, ['long']], 'fVisible': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'cxOwnDc': [48, ['long']], 'tid': [36, ['unsigned long']], 'x': [12, ['long']], 'spwnd': [0, ['pointer', ['tagWND']]], }], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/vtypes/vista.py0000644000000000000000000001142013131215405024632 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (C) 2010,2011,2012 Michael Hale Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.plugins.gui.vtypes.win7_sp0_x64_vtypes_gui as win7_sp0_x64_vtypes_gui
import volatility.plugins.gui.constants as consts


class Vista2008x64GuiVTypes(obj.ProfileModification):
    """win32k GUI structure layouts for 64-bit Windows Vista / Server 2008.

    Selected when the profile metadata says Windows, 64bit, version 6.0
    (see ``conditions``). The layouts are borrowed from the Windows 7 SP0
    x64 win32k types and then corrected where Vista differs.
    """

    # Names of other profile modifications; presumably an ordering
    # constraint handled by obj.ProfileModification -- confirm there.
    before = ["XP2003x64BaseVTypes", "Win32Kx64VTypes"]

    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '64bit',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
    }

    def modification(self, profile):
        """Install the Win7-derived GUI vtypes and the Vista-specific fixes.

        profile -- the profile object whose ``vtypes`` are updated and on
                   which ``merge_overlay`` is called.
        """
        # The win32k.sys vtypes were never public before Windows 7, so the
        # usual direction of reuse (older OS types for a newer OS) is
        # reversed here: Vista/2008 starts from the Windows 7 definitions,
        # which stayed similar enough to be usable.
        profile.vtypes.update(win7_sp0_x64_vtypes_gui.win32k_types)

        # tagSHAREDINFO is replaced wholesale instead of overlaid: an
        # overlay would leave the Win7-only HeEntrySize member looking like
        # a valid member of the Vista structure.
        vista_shared_info = [0x238, {
            'psi': [0x0, ['pointer64', ['tagSERVERINFO']]],
            'aheList': [0x8, ['pointer64', ['_HANDLEENTRY']]],
            'ulSharedDelta': [0x18, ['unsigned long long']],
        }]
        profile.vtypes.update({'tagSHAREDINFO': vista_shared_info})

        # Clipboard array whose element count is read from the owning
        # object's cNumClipFormats member at parse time.
        clip_array = ['pointer', ['array', lambda x: x.cNumClipFormats, ['tagCLIP']]]

        # NOTE(review): every offset below is a fixed constant for this OS
        # family. An image that satisfies `conditions` but carries a
        # different win32k.sys layout would be decoded with these same
        # offsets -- cross-check GUI plugin output before relying on it.
        overlay = {
            # The original author marks the entries in this overlay as
            # "From Win7SP0x64".
            'tagDESKTOP': [None, {
                'pheapDesktop': [0x78, ['pointer64', ['tagWIN32HEAP']]],
                'ulHeapSize': [0x80, ['unsigned long']],
            }],
            'tagTHREADINFO': [None, {
                'ppi': [0x68, ['pointer64', ['tagPROCESSINFO']]],
                'PtiLink': [0x160, ['_LIST_ENTRY']],
            }],
            # Decode raw integers through the tables in gui.constants.
            'tagHOOK': [None, {
                'flags': [None, ['Flags', {'bitmap': consts.HOOK_FLAGS}]],
            }],
            '_HANDLEENTRY': [None, {
                'bType': [None, ['Enumeration', {
                    'target': 'unsigned char',
                    'choices': consts.HANDLE_TYPE_ENUM,
                }]],
            }],
            'tagWINDOWSTATION': [None, {
                'pClipBase': [None, clip_array],
            }],
            'tagCLIP': [None, {
                'fmt': [0x0, ['Enumeration', {
                    'target': 'unsigned long',
                    'choices': consts.CLIPBOARD_FORMAT_ENUM,
                }]],
            }],
        }
        profile.merge_overlay(overlay)


class Vista2008x86GuiVTypes(obj.ProfileModification):
    """win32k GUI structure overlays for 32-bit Windows Vista / Server 2008.

    Selected when the profile metadata says Windows, 32bit, version 6.0
    (see ``conditions``).
    """

    # Names of other profile modifications; presumably an ordering
    # constraint handled by obj.ProfileModification -- confirm there.
    before = ["XP2003x86BaseVTypes", "Win32Kx86VTypes"]

    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '32bit',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
    }

    def modification(self, profile):
        """Merge the Vista x86 member offsets and structure sizes.

        profile -- the profile object on which ``merge_overlay`` is called.
        """
        # Clipboard array whose element count is read from the owning
        # object's cNumClipFormats member at parse time.
        clip_array = ['pointer', ['array', lambda x: x.cNumClipFormats, ['tagCLIP']]]

        # The structure size matters here: per the original author the
        # window station is carved from the bottom up, so a wrong size
        # would shift where the object is assumed to start.
        window_station = [0x54, {
            'pClipBase': [None, clip_array],
        }]

        desktop = [None, {
            'PtiList': [0x64, ['_LIST_ENTRY']],
            'hsectionDesktop': [0x3c, ['pointer', ['void']]],
            'pheapDesktop': [0x40, ['pointer', ['tagWIN32HEAP']]],
            'ulHeapSize': [0x44, ['unsigned long']],
        }]

        # Noted by the original author as the same as win2003x86.
        thread_info = [None, {
            'PtiLink': [0xB0, ['_LIST_ENTRY']],
            'fsHooks': [0x9C, ['unsigned long']],
            'aphkStart': [0xF8, ['array', 16, ['pointer', ['tagHOOK']]]],
        }]

        server_info = [None, {
            'cHandleEntries': [0x4, ['unsigned long']],
            'cbHandleTable': [0x1c8, ['unsigned long']],
        }]

        # Noted by the original author as taken from Win7SP0x86.
        shared_info = [0x11c, {
            'psi': [0x0, ['pointer', ['tagSERVERINFO']]],
            'aheList': [0x4, ['pointer', ['_HANDLEENTRY']]],
            'ulSharedDelta': [0xC, ['unsigned long']],
        }]

        # Only the size of tagCLIP changes; no members are overridden.
        clip = [16, {}]

        # NOTE(review): all offsets above are fixed constants; an image
        # matching `conditions` with a different win32k.sys layout would be
        # parsed with them unchanged -- validate plugin output accordingly.
        profile.merge_overlay({
            'tagWINDOWSTATION': window_station,
            'tagDESKTOP': desktop,
            'tagTHREADINFO': thread_info,
            'tagSERVERINFO': server_info,
            'tagSHAREDINFO': shared_info,
            'tagCLIP': clip,
        })
volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/vtypes/win2003.py0000644000000000000000000000417013131215405024612 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
# import volatility.obj as obj class Win2003x86GuiVTypes(obj.ProfileModification): """Apply the overlays for Windows 2003 x86 (builds on Windows XP x86)""" before = ["XP2003x86BaseVTypes"] conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == '32bit', 'major': lambda x: x == 5, 'minor': lambda x: x == 2} def modification(self, profile): profile.merge_overlay({ 'tagWINDOWSTATION' : [ 0x54, { 'spwndClipOwner' : [ 0x18, ['pointer', ['tagWND']]], 'pGlobalAtomTable' : [ 0x3C, ['pointer', ['void']]], }], 'tagTHREADINFO' : [ None, { 'PtiLink' : [ 0xB0, ['_LIST_ENTRY']], 'fsHooks' : [ 0x9C, ['unsigned long']], 'aphkStart' : [ 0xF8, ['array', 16, ['pointer', ['tagHOOK']]]], }], 'tagDESKTOP' : [ None, { 'hsectionDesktop' : [ 0x3c, ['pointer', ['void']]], 'pheapDesktop' : [ 0x40, ['pointer', ['tagWIN32HEAP']]], 'ulHeapSize' : [ 0x44, ['unsigned long']], 'PtiList' : [ 0x60, ['_LIST_ENTRY']], }], 'tagSERVERINFO' : [ None, { 'cHandleEntries' : [ 4, ['unsigned long']], 'cbHandleTable' : [ 0x1b8, ['unsigned long']], }], }) volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/vtypes/win7_sp1_x64_vtypes_gui.py0000644000000000000000000041451313131215405030144 0ustar rootrootwin32k_types = { '_HANDLEENTRY': [0x18, { 'pOwner': [8, ['pointer64', ['void']]], 'phead': [0, ['pointer64', ['_HEAD']]], 'bFlags': [17, ['unsigned char']], 'wUniq': [18, ['unsigned short']], 'bType': [16, ['unsigned char']], }], 'tagTOUCHINPUTINFO': [0x50, { 'dwcInputs': [24, ['unsigned long']], 'head': [0, ['_THROBJHEAD']], 'uFlags': [28, ['unsigned long']], 'TouchInput': [32, ['array', 1, ['tagTOUCHINPUT']]], }], 'tagHOOK': [0x60, { 'head': [0, ['_THRDESKHEAD']], 'offPfn': [56, ['unsigned long long']], 'flags': [64, ['unsigned long']], 'fLastHookHung': [88, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'nTimeout': [88, ['BitField', {'end_bit': 7, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'ihmod': [68, ['long']], 'iHook': [48, ['long']], 'ptiHooked': 
[72, ['pointer64', ['tagTHREADINFO']]], 'phkNext': [40, ['pointer64', ['tagHOOK']]], 'rpdesk': [80, ['pointer64', ['tagDESKTOP']]], }], 'DEADKEY': [0x8, { 'wchComposed': [4, ['wchar']], 'dwBoth': [0, ['unsigned long']], 'uFlags': [6, ['unsigned short']], }], '_W32THREAD': [0x150, { 'pRBRecursionCount': [96, ['unsigned long']], 'iVisRgnUniqueness': [328, ['unsigned long']], 'RefCount': [8, ['unsigned long']], 'pDevHTInfo': [280, ['pointer64', ['void']]], 'pUMPDHeap': [48, ['pointer64', ['void']]], 'pgdiBrushAttr': [32, ['pointer64', ['void']]], 'ulWindowSystemRendering': [324, ['unsigned long']], 'tlSpriteState': [104, ['_TLSPRITESTATE']], 'pdcoRender': [304, ['pointer64', ['void']]], 'bEnableEngUpdateDeviceSurface': [320, ['unsigned char']], 'pdcoAA': [296, ['pointer64', ['void']]], 'pNonRBRecursionCount': [100, ['unsigned long']], 'ptlW32': [16, ['pointer64', ['_TL']]], 'GdiTmpTgoList': [80, ['_LIST_ENTRY']], 'pUMPDObjs': [40, ['pointer64', ['void']]], 'pgdiDcattr': [24, ['pointer64', ['void']]], 'bIncludeSprites': [321, ['unsigned char']], 'pEThread': [0, ['pointer64', ['_ETHREAD']]], 'pSpriteState': [272, ['pointer64', ['void']]], 'pProxyPort': [64, ['pointer64', ['void']]], 'ulDevHTInfoUniqueness': [288, ['unsigned long']], 'pdcoSrc': [312, ['pointer64', ['void']]], 'pUMPDObj': [56, ['pointer64', ['void']]], 'pClientID': [72, ['pointer64', ['void']]], }], 'tagPROPLIST': [0x18, { 'aprop': [8, ['array', 1, ['tagPROP']]], 'cEntries': [0, ['unsigned long']], 'iFirstFree': [4, ['unsigned long']], }], 'tagSVR_INSTANCE_INFO': [0x40, { 'head': [0, ['_THROBJHEAD']], 'next': [24, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'nextInThisThread': [32, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'spwndEvent': [48, ['pointer64', ['tagWND']]], 'afCmd': [40, ['unsigned long']], 'pcii': [56, ['pointer64', ['void']]], }], 'tagDESKTOPINFO': [0xf0, { 'spwndProgman': [192, ['pointer64', ['tagWND']]], 'pvwplMessagePPHandler': [224, ['pointer64', ['VWPL']]], 'pvDesktopLimit': [8, 
['pointer64', ['void']]], 'fComposited': [232, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'spwndGestureEngine': [216, ['pointer64', ['tagWND']]], 'pvDesktopBase': [0, ['pointer64', ['void']]], 'spwndShell': [160, ['pointer64', ['tagWND']]], 'ppiShellProcess': [168, ['pointer64', ['tagPROCESSINFO']]], 'pvwplShellHook': [200, ['pointer64', ['VWPL']]], 'fIsDwmDesktop': [232, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'spwndTaskman': [184, ['pointer64', ['tagWND']]], 'aphkStart': [32, ['array', 16, ['pointer64', ['tagHOOK']]]], 'fsHooks': [24, ['unsigned long']], 'cntMBox': [208, ['long']], 'spwndBkGnd': [176, ['pointer64', ['tagWND']]], 'spwnd': [16, ['pointer64', ['tagWND']]], }], 'tagDISPLAYINFO': [0xa8, { 'hDev': [0, ['pointer64', ['void']]], 'SpatialListHead': [144, ['_KLIST_ENTRY']], 'BitCountMax': [130, ['unsigned short']], 'cyGray': [60, ['long']], 'hdcBits': [32, ['pointer64', ['HDC__']]], 'fDesktopIsRect': [132, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'hbmGray': [48, ['pointer64', ['HBITMAP__']]], 'pmdev': [8, ['pointer64', ['void']]], 'cFullScreen': [160, ['short']], 'cxGray': [56, ['long']], 'dmLogPixels': [128, ['unsigned short']], 'hDevInfo': [16, ['pointer64', ['void']]], 'fAnyPalette': [132, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'pspbFirst': [72, ['pointer64', ['tagSPB']]], 'pMonitorPrimary': [88, ['pointer64', ['tagMONITOR']]], 'Spare0': [162, ['short']], 'pMonitorFirst': [96, ['pointer64', ['tagMONITOR']]], 'hdcGray': [40, ['pointer64', ['HDC__']]], 'hrgnScreenReal': [120, ['pointer64', ['HRGN__']]], 'cMonitors': [80, ['unsigned long']], 'hdcScreen': [24, ['pointer64', ['HDC__']]], 'DockThresholdMax': [136, ['unsigned long']], 'rcScreenReal': [104, ['tagRECT']], 'pdceFirst': [64, ['pointer64', ['tagDCE']]], }], '__unnamed_1261': [0x20, { 'Buffer': [24, ['pointer64', ['void']]], 'ProviderId': [0, ['unsigned long long']], 
'BufferSize': [16, ['unsigned long']], 'DataPath': [8, ['pointer64', ['void']]], }], '__unnamed_1263': [0x20, { 'Argument4': [24, ['pointer64', ['void']]], 'Argument2': [8, ['pointer64', ['void']]], 'Argument3': [16, ['pointer64', ['void']]], 'Argument1': [0, ['pointer64', ['void']]], }], '__unnamed_1265': [0x20, { 'DeviceIoControl': [0, ['__unnamed_121d']], 'QuerySecurity': [0, ['__unnamed_121f']], 'ReadWriteConfig': [0, ['__unnamed_123d']], 'Create': [0, ['__unnamed_11ff']], 'SetSecurity': [0, ['__unnamed_1221']], 'Write': [0, ['__unnamed_1209']], 'VerifyVolume': [0, ['__unnamed_1225']], 'WMI': [0, ['__unnamed_1261']], 'CreateMailslot': [0, ['__unnamed_1207']], 'FilterResourceRequirements': [0, ['__unnamed_123b']], 'SetFile': [0, ['__unnamed_1213']], 'MountVolume': [0, ['__unnamed_1225']], 'FileSystemControl': [0, ['__unnamed_1219']], 'UsageNotification': [0, ['__unnamed_124b']], 'Scsi': [0, ['__unnamed_1229']], 'WaitWake': [0, ['__unnamed_124f']], 'QueryFile': [0, ['__unnamed_1211']], 'QueryDeviceText': [0, ['__unnamed_1247']], 'CreatePipe': [0, ['__unnamed_1203']], 'Power': [0, ['__unnamed_125b']], 'QueryDeviceRelations': [0, ['__unnamed_122d']], 'Read': [0, ['__unnamed_1209']], 'StartDevice': [0, ['__unnamed_125f']], 'QueryDirectory': [0, ['__unnamed_120d']], 'PowerSequence': [0, ['__unnamed_1253']], 'QueryId': [0, ['__unnamed_1243']], 'LockControl': [0, ['__unnamed_121b']], 'NotifyDirectory': [0, ['__unnamed_120f']], 'QueryInterface': [0, ['__unnamed_1233']], 'Others': [0, ['__unnamed_1263']], 'QueryVolume': [0, ['__unnamed_1217']], 'SetLock': [0, ['__unnamed_123f']], 'DeviceCapabilities': [0, ['__unnamed_1237']], }], '_D3DKMDT_2DREGION': [0x8, { 'cy': [4, ['unsigned long']], 'cx': [0, ['unsigned long']], }], 'tagMONITOR': [0x90, { 'hDev': [80, ['pointer64', ['void']]], 'head': [0, ['_HEAD']], 'hDevReal': [88, ['pointer64', ['void']]], 'rcWorkReal': [44, ['tagRECT']], 'dwMONFlags': [24, ['unsigned long']], 'Spare0': [72, ['short']], 'rcMonitorReal': [28, 
['tagRECT']], 'pMonitorNext': [16, ['pointer64', ['tagMONITOR']]], 'Flink': [128, ['pointer64', ['tagMONITOR']]], 'Blink': [136, ['pointer64', ['tagMONITOR']]], 'hrgnMonitorReal': [64, ['pointer64', ['HRGN__']]], 'cWndStack': [74, ['short']], 'DockTargets': [96, ['array', 7, ['array', 4, ['unsigned char']]]], }], '__unnamed_123b': [0x8, { 'IoResourceRequirementList': [0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION': [0x10c, { 'APSTriggerBits': [4, ['unsigned long']], 'CopyProtectionType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPMT_UNINITIALIZED', 1: 'D3DKMDT_VPPMT_NOPROTECTION', 2: 'D3DKMDT_VPPMT_MACROVISION_APSTRIGGER', 3: 'D3DKMDT_VPPMT_MACROVISION_FULLSUPPORT', 255: 'D3DKMDT_VPPMT_NOTSPECIFIED'}}]], 'CopyProtectionSupport': [264, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT']], 'OEMCopyProtection': [8, ['array', 256, ['unsigned char']]], }], 'tagHID_TLC_INFO': [0x28, { 'cExcludeRequest': [32, ['unsigned long']], 'link': [0, ['_LIST_ENTRY']], 'cExcludeOrphaned': [36, ['unsigned long']], 'cUsagePageRequest': [28, ['unsigned long']], 'usUsagePage': [16, ['unsigned short']], 'cDevices': [20, ['unsigned long']], 'cDirectRequest': [24, ['unsigned long']], 'usUsage': [18, ['unsigned short']], }], 'HWND__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION': [0x1b0, { 'TargetMode': [360, ['_D3DKMDT_VIDPN_TARGET_MODE']], 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], }], 'tagQ': [0x158, { 'hwndDblClk': [112, ['pointer64', ['HWND__']]], 'timeDblClk': [108, ['unsigned long']], 'spwndFocus': [72, ['pointer64', ['tagWND']]], 'ExtraInfo': [328, ['long long']], 'cLockCount': [322, ['unsigned short']], 'iCursorLevel': [312, ['long']], 'ptiSysLock': [24, ['pointer64', ['tagTHREADINFO']]], 'caret': [232, ['tagCARET']], 'ptiMouse': [48, ['pointer64', ['tagTHREADINFO']]], 'spwndActivePrev': [88, ['pointer64', ['tagWND']]], 'ptMouseMove': [128, ['tagPOINT']], 
'msgDblClk': [100, ['unsigned long']], 'msgJournal': [324, ['unsigned long']], 'ptiKeyboard': [56, ['pointer64', ['tagTHREADINFO']]], 'cThreads': [320, ['unsigned short']], 'QF_flags': [316, ['unsigned long']], 'mlInput': [0, ['tagMLIST']], 'spwndActive': [80, ['pointer64', ['tagWND']]], 'codeCapture': [96, ['unsigned long']], 'idSysLock': [32, ['unsigned long long']], 'spcurCurrent': [304, ['pointer64', ['tagCURSOR']]], 'ulEtwReserved1': [336, ['unsigned long']], 'ptDblClk': [120, ['tagPOINT']], 'xbtnDblClk': [104, ['unsigned short']], 'afKeyRecentDown': [136, ['array', 32, ['unsigned char']]], 'afKeyState': [168, ['array', 64, ['unsigned char']]], 'spwndCapture': [64, ['pointer64', ['tagWND']]], 'idSysPeek': [40, ['unsigned long long']], }], 'tagUSERSTARTUPINFO': [0x1c, { 'wShowWindow': [24, ['unsigned short']], 'dwYSize': [16, ['unsigned long']], 'dwXSize': [12, ['unsigned long']], 'cbReserved2': [26, ['unsigned short']], 'cb': [0, ['unsigned long']], 'dwX': [4, ['unsigned long']], 'dwY': [8, ['unsigned long']], 'dwFlags': [20, ['unsigned long']], }], '_DMM_COMMITVIDPNREQUESTSET_SERIALIZATION': [0x8, { 'CommitVidPnRequestOffset': [4, ['array', 1, ['unsigned long']]], 'NumCommitVidPnRequests': [0, ['unsigned char']], }], '__unnamed_1805': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length': [8, ['unsigned long']], }], '_DMM_MONITORDESCRIPTORSET_SERIALIZATION': [0x90, { 'NumDescriptors': [0, ['unsigned char']], 'DescriptorSerialization': [4, ['array', 1, ['_DMM_MONITORDESCRIPTOR_SERIALIZATION']]], }], '_DMM_MONITORSOURCEMODESET_SERIALIZATION': [0x70, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [8, ['array', 1, ['_DMM_MONITOR_SOURCE_MODE_SERIALIZATION']]], }], '_VK_FUNCTION_PARAM': [0x8, { 'NLSFEProcIndex': [0, ['unsigned char']], 'NLSFEProcParam': [4, ['unsigned long']], }], '_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES': [0x10, { 'SecondChannel': [4, ['unsigned long']], 'FourthChannel': [12, ['unsigned long']], 'ThirdChannel': [8, ['unsigned long']], 
'FirstChannel': [0, ['unsigned long']], }], 'tagMLIST': [0x18, { 'cMsgs': [16, ['unsigned long']], 'pqmsgRead': [0, ['pointer64', ['tagQMSG']]], 'pqmsgWriteLast': [8, ['pointer64', ['tagQMSG']]], }], '__unnamed_122d': [0x4, { 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'}}]], }], 'tagMENUSTATE': [0x90, { 'fDragAndDrop': [8, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fInsideMenuLoop': [8, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'cxAni': [116, ['long']], 'pGlobalPopupMenu': [0, ['pointer64', ['tagPOPUPMENU']]], 'uDraggingIndex': [88, ['unsigned long']], 'uDraggingHitArea': [80, ['unsigned long long']], 'fNotifyByPos': [8, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'fButtonDown': [8, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'ixAni': [108, ['long']], 'fInCallHandleMenuMessages': [8, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'mnFocus': [20, ['long']], 'iyAni': [112, ['long']], 'dwLockCount': [40, ['unsigned long']], 'fAutoDismiss': [8, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'fIsSysMenu': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'dwAniStartTime': [104, ['unsigned long']], 'pmnsPrev': [48, ['pointer64', ['tagMENUSTATE']]], 'fInEndMenu': [8, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'hbmAni': [128, ['pointer64', ['HBITMAP__']]], 'fIgnoreButtonUp': [8, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'ptButtonDown': [56, ['tagPOINT']], 'hdcWndAni': [96, ['pointer64', ['HDC__']]], 'fAboutToAutoDismiss': [8, ['BitField', {'end_bit': 13, 'start_bit': 12, 
'native_type': 'unsigned long'}]], 'fMenuStarted': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'uDraggingFlags': [92, ['unsigned long']], 'fUnderline': [8, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'fInDoDragDrop': [8, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'ptiMenuStateOwner': [32, ['pointer64', ['tagTHREADINFO']]], 'uButtonDownIndex': [72, ['unsigned long']], 'fModelessMenu': [8, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'cyAni': [120, ['long']], 'uButtonDownHitArea': [64, ['unsigned long long']], 'fButtonAlwaysDown': [8, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'iAniDropDir': [8, ['BitField', {'end_bit': 24, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'ptMouseLast': [12, ['tagPOINT']], 'hdcAni': [136, ['pointer64', ['HDC__']]], 'vkButtonDown': [76, ['long']], 'fSetCapture': [8, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'fDragging': [8, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fActiveNoForeground': [8, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'fMouseOffMenu': [8, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'cmdLast': [24, ['long']], }], 'tagMSGPPINFO': [0x4, { 'dwIndexMsgPP': [0, ['unsigned long']], }], 'VWPLELEMENT': [0x10, { 'DataOrTag': [0, ['unsigned long long']], 'pwnd': [8, ['pointer64', ['tagWND']]], }], '_WM_VALUES_STRINGS': [0x10, { 'pszName': [0, ['pointer64', ['unsigned char']]], 'fInternal': [8, ['unsigned char']], 'fDefined': [9, ['unsigned char']], }], 'tagCLIP': [0x18, { 'fmt': [0, ['unsigned long']], 'fGlobalHandle': [16, ['long']], 'hData': [8, ['pointer64', ['void']]], }], '__unnamed_1229': [0x8, { 'Srb': [0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], }], '_HEAD': [0x10, { 'h': [0, ['pointer64', 
['void']]], 'cLockObj': [8, ['unsigned long']], }], '__unnamed_1221': [0x10, { 'SecurityInformation': [0, ['unsigned long']], 'SecurityDescriptor': [8, ['pointer64', ['void']]], }], '__unnamed_11e6': [0x10, { 'AsynchronousParameters': [0, ['__unnamed_11e4']], 'AllocationSize': [0, ['_LARGE_INTEGER']], }], 'tagQMSG': [0x68, { 'FromPen': [84, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'pti': [88, ['pointer64', ['tagTHREADINFO']]], 'ExtraInfo': [64, ['long long']], 'Wow64Message': [84, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'pqmsgPrev': [8, ['pointer64', ['tagQMSG']]], 'NoCoalesce': [84, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'Padding': [80, ['BitField', {'end_bit': 32, 'start_bit': 30, 'native_type': 'unsigned long'}]], 'ptMouseReal': [72, ['tagPOINT']], 'pqmsgNext': [0, ['pointer64', ['tagQMSG']]], 'dwQEvent': [80, ['BitField', {'end_bit': 30, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'MsgPPInfo': [96, ['tagMSGPPINFO']], 'FromTouch': [84, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'msg': [16, ['tagMSG']], }], 'HWINSTA__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32PoolHead': [0x20, { 'pPrev': [8, ['pointer64', ['tagWin32PoolHead']]], 'pTrace': [24, ['pointer64', ['pointer64', ['void']]]], 'pNext': [16, ['pointer64', ['tagWin32PoolHead']]], 'size': [0, ['unsigned long long']], }], 'tagTOUCHINPUT': [0x30, { 'hSource': [8, ['pointer64', ['void']]], 'dwExtraInfo': [32, ['unsigned long long']], 'cxContact': [40, ['unsigned long']], 'dwMask': [24, ['unsigned long']], 'y': [4, ['long']], 'x': [0, ['long']], 'dwID': [16, ['unsigned long']], 'cyContact': [44, ['unsigned long']], 'dwTime': [28, ['unsigned long']], 'dwFlags': [20, ['unsigned long']], }], '_CALLBACKWND': [0x18, { 'hwnd': [0, ['pointer64', ['HWND__']]], 'pActCtx': [16, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'pwnd': [8, ['pointer64', ['tagWND']]], }], 'HMONITOR__': [0x4, { 'unused': 
[0, ['long']], }], '_D3DKMDT_GRAPHICS_RENDERING_FORMAT': [0x20, { 'VisibleRegionSize': [8, ['_D3DKMDT_2DREGION']], 'Stride': [16, ['unsigned long']], 'PixelFormat': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDIFMT_UNKNOWN', 20: 'D3DDDIFMT_R8G8B8', 21: 'D3DDDIFMT_A8R8G8B8', 22: 'D3DDDIFMT_X8R8G8B8', 23: 'D3DDDIFMT_R5G6B5', 24: 'D3DDDIFMT_X1R5G5B5', 25: 'D3DDDIFMT_A1R5G5B5', 26: 'D3DDDIFMT_A4R4G4B4', 27: 'D3DDDIFMT_R3G3B2', 28: 'D3DDDIFMT_A8', 29: 'D3DDDIFMT_A8R3G3B2', 30: 'D3DDDIFMT_X4R4G4B4', 31: 'D3DDDIFMT_A2B10G10R10', 32: 'D3DDDIFMT_A8B8G8R8', 33: 'D3DDDIFMT_X8B8G8R8', 34: 'D3DDDIFMT_G16R16', 35: 'D3DDDIFMT_A2R10G10B10', 36: 'D3DDDIFMT_A16B16G16R16', 40: 'D3DDDIFMT_A8P8', 41: 'D3DDDIFMT_P8', 50: 'D3DDDIFMT_L8', 51: 'D3DDDIFMT_A8L8', 52: 'D3DDDIFMT_A4L4', 60: 'D3DDDIFMT_V8U8', 61: 'D3DDDIFMT_L6V5U5', 62: 'D3DDDIFMT_X8L8V8U8', 63: 'D3DDDIFMT_Q8W8V8U8', 64: 'D3DDDIFMT_V16U16', 65: 'D3DDDIFMT_W11V11U10', 67: 'D3DDDIFMT_A2W10V10U10', 877942852: 'D3DDDIFMT_DXT4', 70: 'D3DDDIFMT_D16_LOCKABLE', 71: 'D3DDDIFMT_D32', 72: 'D3DDDIFMT_S1D15', 73: 'D3DDDIFMT_D15S1', 74: 'D3DDDIFMT_S8D24', 75: 'D3DDDIFMT_D24S8', 76: 'D3DDDIFMT_X8D24', 77: 'D3DDDIFMT_D24X8', 78: 'D3DDDIFMT_X4S4D24', 79: 'D3DDDIFMT_D24X4S4', 80: 'D3DDDIFMT_D16', 81: 'D3DDDIFMT_L16', 82: 'D3DDDIFMT_D32F_LOCKABLE', 83: 'D3DDDIFMT_D24FS8', 84: 'D3DDDIFMT_D32_LOCKABLE', 85: 'D3DDDIFMT_S8_LOCKABLE', 100: 'D3DDDIFMT_VERTEXDATA', 101: 'D3DDDIFMT_INDEX16', 102: 'D3DDDIFMT_INDEX32', 110: 'D3DDDIFMT_Q16W16V16U16', 111: 'D3DDDIFMT_R16F', 112: 'D3DDDIFMT_G16R16F', 113: 'D3DDDIFMT_A16B16G16R16F', 114: 'D3DDDIFMT_R32F', 115: 'D3DDDIFMT_G32R32F', 116: 'D3DDDIFMT_A32B32G32R32F', 117: 'D3DDDIFMT_CxV8U8', 118: 'D3DDDIFMT_A1', 119: 'D3DDDIFMT_A2B10G10R10_XR_BIAS', 150: 'D3DDDIFMT_PICTUREPARAMSDATA', 151: 'D3DDDIFMT_MACROBLOCKDATA', 152: 'D3DDDIFMT_RESIDUALDIFFERENCEDATA', 153: 'D3DDDIFMT_DEBLOCKINGDATA', 154: 'D3DDDIFMT_INVERSEQUANTIZATIONDATA', 155: 'D3DDDIFMT_SLICECONTROLDATA', 156: 'D3DDDIFMT_BITSTREAMDATA', 
157: 'D3DDDIFMT_MOTIONVECTORBUFFER', 158: 'D3DDDIFMT_FILMGRAINBUFFER', 159: 'D3DDDIFMT_DXVA_RESERVED9', 160: 'D3DDDIFMT_DXVA_RESERVED10', 161: 'D3DDDIFMT_DXVA_RESERVED11', 162: 'D3DDDIFMT_DXVA_RESERVED12', 163: 'D3DDDIFMT_DXVA_RESERVED13', 164: 'D3DDDIFMT_DXVA_RESERVED14', 165: 'D3DDDIFMT_DXVA_RESERVED15', 166: 'D3DDDIFMT_DXVA_RESERVED16', 167: 'D3DDDIFMT_DXVA_RESERVED17', 168: 'D3DDDIFMT_DXVA_RESERVED18', 169: 'D3DDDIFMT_DXVA_RESERVED19', 170: 'D3DDDIFMT_DXVA_RESERVED20', 171: 'D3DDDIFMT_DXVA_RESERVED21', 172: 'D3DDDIFMT_DXVA_RESERVED22', 173: 'D3DDDIFMT_DXVA_RESERVED23', 174: 'D3DDDIFMT_DXVA_RESERVED24', 175: 'D3DDDIFMT_DXVA_RESERVED25', 176: 'D3DDDIFMT_DXVA_RESERVED26', 177: 'D3DDDIFMT_DXVA_RESERVED27', 178: 'D3DDDIFMT_DXVA_RESERVED28', 179: 'D3DDDIFMT_DXVA_RESERVED29', 180: 'D3DDDIFMT_DXVA_RESERVED30', 181: 'D3DDDIFMT_DXVACOMPBUFFER_MAX', 844388420: 'D3DDDIFMT_DXT2', 199: 'D3DDDIFMT_BINARYBUFFER', 861165636: 'D3DDDIFMT_DXT3', 827611204: 'D3DDDIFMT_DXT1', 827606349: 'D3DDDIFMT_MULTI2_ARGB8', 1195525970: 'D3DDDIFMT_R8G8_B8G8', 1498831189: 'D3DDDIFMT_UYVY', 844715353: 'D3DDDIFMT_YUY2', 894720068: 'D3DDDIFMT_DXT5', 1111970375: 'D3DDDIFMT_G8R8_G8B8', 2147483647: 'D3DDDIFMT_FORCE_UINT'}}]], 'PixelValueAccessMode': [28, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_PVAM_UNINITIALIZED', 1: 'D3DKMDT_PVAM_DIRECT', 2: 'D3DKMDT_PVAM_PRESETPALETTE', 3: 'D3DKMDT_PVAM_MAXVALID'}}]], 'PrimSurfSize': [0, ['_D3DKMDT_2DREGION']], 'ColorBasis': [24, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], '_VK_TO_WCHAR_TABLE': [0x10, { 'pVkToWchars': [0, ['pointer64', ['_VK_TO_WCHARS1']]], 'cbSize': [9, ['unsigned char']], 'nModifications': [8, ['unsigned char']], }], '__unnamed_1153': [0x10, { 'Reserved': [8, ['BitField', {'end_bit': 61, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'HeaderType': [8, 
['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 25, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'Region': [8, ['BitField', {'end_bit': 64, 'start_bit': 61, 'native_type': 'unsigned long long'}]], 'Init': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'Depth': [0, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'NextEntry': [0, ['BitField', {'end_bit': 64, 'start_bit': 25, 'native_type': 'unsigned long long'}]], }], '__unnamed_1158': [0x10, { 'Reserved': [8, ['BitField', {'end_bit': 4, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'HeaderType': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 64, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'Init': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'Depth': [0, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'NextEntry': [8, ['BitField', {'end_bit': 64, 'start_bit': 4, 'native_type': 'unsigned long long'}]], }], '_TL': [0x18, { 'pfnFree': [16, ['pointer64', ['void']]], 'pobj': [8, ['pointer64', ['void']]], 'next': [0, ['pointer64', ['_TL']]], }], 'tagTHREADINFO': [0x3a8, { 'pstrAppName': [416, ['pointer64', ['_UNICODE_STRING']]], 'ForceLegacyResizeNCMetr': [520, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'unsigned long long'}]], 'ptl': [336, ['pointer64', ['_TL']]], 'timeLast': [448, ['long']], 'DontJournalAttach': [516, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'ppi': [344, ['pointer64', ['tagPROCESSINFO']]], 'SendMnuDblClk': [516, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'DDENoSync': [520, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long long'}]], 
'EditNoMouseHide': [520, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long long'}]], 'pDevHTInfo': [280, ['pointer64', ['void']]], 'OpenGLEMF': [520, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long long'}]], 'dwCompatFlags': [516, ['unsigned long']], 'hTouchInputCurrent': [888, ['pointer64', ['HTOUCHINPUT__']]], 'psmsSent': [424, ['pointer64', ['tagSMS']]], 'cVisWindows': [728, ['unsigned long']], 'hPrevHidData': [880, ['pointer64', ['void']]], 'fsHooks': [552, ['unsigned long']], 'qwCompatFlags2': [520, ['unsigned long long']], 'NoPaddedBorder': [520, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long long'}]], 'NoDrawPatRect': [520, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long long'}]], 'ForceTTGrapchis': [516, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'GetDeviceCaps': [516, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'pgdiBrushAttr': [32, ['pointer64', ['void']]], 'pq': [352, ['pointer64', ['tagQ']]], 'ulWindowSystemRendering': [324, ['unsigned long']], 'dwExpWinVer': [512, ['unsigned long']], 'NoSoftCursOnMoveSize': [520, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long long'}]], 'psmsReceiveList': [440, ['pointer64', ['tagSMS']]], 'sphkCurrent': [560, ['pointer64', ['tagHOOK']]], 'No50ExStyles': [520, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'IgnoreFaults': [516, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'unsigned long'}]], 'pClientInfo': [400, ['pointer64', ['tagCLIENTINFO']]], 'pdcoSrc': [312, ['pointer64', ['void']]], 'pEventQueueServer': [600, ['pointer64', ['_KEVENT']]], 'DealyHwndShakeChk': [516, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'amdesk': [720, ['unsigned long']], 'fsChangeBitsRemoved': [704, ['unsigned short']], 'psmsCurrent': [432, 
['pointer64', ['tagSMS']]], 'NoBatching': [520, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long long'}]], 'StrictLLHook': [520, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long long'}]], 'pdcoRender': [304, ['pointer64', ['void']]], 'NoShadow': [520, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long long'}]], 'EnumHelv': [516, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], 'fPack': [928, ['BitField', {'end_bit': 28, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'CallTTDevice': [516, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'fsReserveKeys': [708, ['unsigned long']], 'Winver31': [516, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'DisableDBCSProp': [516, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'unsigned long'}]], 'Win30AvgWidth': [516, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'ptlW32': [16, ['pointer64', ['_TL']]], 'AlwaysSendSyncPaint': [516, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'IgnoreNoDiscard': [516, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'NoTimeCbProtect': [520, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long long'}]], 'MsShellDlg': [520, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long long'}]], 'hEventQueueClient': [592, ['pointer64', ['void']]], 'cPaintsReady': [480, ['long']], 'SubtractClips': [516, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'PtiLink': [608, ['_LIST_ENTRY']], 'DpiAware': [520, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'unsigned long long'}]], 'spklActive': [360, ['pointer64', ['tagKL']]], 'bIncludeSprites': [321, ['unsigned char']], 'mlPost': [680, ['tagMLIST']], 'ptLastReal': [636, ['tagPOINT']], 
'fThreadCleanupFinished': [928, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'MultipleBands': [516, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'Random31Ux': [516, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long'}]], 'HackWinFlags': [516, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'pProxyPort': [64, ['pointer64', ['void']]], 'KCOff': [520, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'wParamHkCurrent': [576, ['unsigned long long']], 'readyHead': [912, ['_LIST_ENTRY']], 'UsePrintingEscape': [516, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'NoInitFlagsOnFocus': [520, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long long'}]], 'ForceTextBand': [516, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'pEThread': [0, ['pointer64', ['_ETHREAD']]], 'ptdb': [496, ['pointer64', ['tagTDB']]], 'SpareCompatFlags2': [520, ['BitField', {'end_bit': 64, 'start_bit': 33, 'native_type': 'unsigned long long'}]], 'cWindows': [724, ['unsigned long']], 'cEnterCount': [672, ['long']], 'fETWReserved': [928, ['BitField', {'end_bit': 32, 'start_bit': 29, 'native_type': 'unsigned long'}]], 'dwCompatFlags2': [520, ['unsigned long']], 'NoEMFSpooling': [516, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long'}]], 'pMenuState': [488, ['pointer64', ['tagMENUSTATE']]], 'pRBRecursionCount': [96, ['unsigned long']], 'SmoothScrolling': [516, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'unsigned long'}]], 'iVisRgnUniqueness': [328, ['unsigned long']], 'RefCount': [8, ['unsigned long']], 'Win31DevModeSize': [516, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'pwinsta': [496, ['pointer64', ['tagWINDOWSTATION']]], 'pSBTrack': [584, ['pointer64', ['tagSBTRACK']]], 
'ActiveMenus': [520, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long long'}]], 'spwndDefaultIme': [648, ['pointer64', ['tagWND']]], 'NoCustomPaperSize': [520, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long long'}]], 'wchInjected': [706, ['wchar']], 'cTimersReady': [484, ['unsigned long']], 'EditSetTextMunge': [516, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'pUMPDHeap': [48, ['pointer64', ['void']]], 'fgfSwitchInProgressSetter': [928, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'iCursorLevel': [624, ['long']], 'NoScrollBarCtxMenu': [516, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long'}]], 'ulClientDelta': [392, ['unsigned long long']], 'pdcoAA': [296, ['pointer64', ['void']]], 'cNestedStableVisRgn': [908, ['unsigned long']], 'TryExceptCallWndProc': [520, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'cti': [864, ['tagCLIENTTHREADINFO']], 'NcCalcSizeOnMove': [516, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'DisableFontAssoc': [516, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'pcti': [368, ['pointer64', ['tagCLIENTTHREADINFO']]], 'MsgPPInfo': [904, ['tagMSGPPINFO']], 'DDE': [520, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long long'}]], 'ulThreadFlags2': [928, ['unsigned long']], 'tlSpriteState': [104, ['_TLSPRITESTATE']], 'NoCharDeadKey': [520, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long long'}]], 'pqAttach': [528, ['pointer64', ['tagQ']]], 'TTIgnoreRasterDupe': [516, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'aphkStart': [736, ['array', 16, ['pointer64', ['tagHOOK']]]], 'DefaultCharset': [520, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long long'}]], 'idLast': [456, ['unsigned 
long long']], 'rpdesk': [376, ['pointer64', ['tagDESKTOP']]], 'NoWindowArrangement': [520, ['BitField', {'end_bit': 33, 'start_bit': 32, 'native_type': 'unsigned long long'}]], 'AnimationOff': [520, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'No50ExStyleBits': [520, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long long'}]], 'TransparentBltMirror': [520, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long long'}]], 'DDENoAsyncReg': [520, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long long'}]], 'bEnableEngUpdateDeviceSurface': [320, ['unsigned char']], 'pDeskInfo': [384, ['pointer64', ['tagDESKTOPINFO']]], 'hdesk': [472, ['pointer64', ['HDESK__']]], 'pNonRBRecursionCount': [100, ['unsigned long']], 'MoreExtraWndWords': [516, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'hklPrev': [664, ['pointer64', ['HKL__']]], 'NoGhost': [520, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long long'}]], 'IgnoreTopMost': [516, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'pmsd': [544, ['pointer64', ['_MOVESIZEDATA']]], 'NoHRGN1': [516, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'exitCode': [464, ['long']], 'NoDDETrackDying': [520, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long long'}]], 'ptLast': [628, ['tagPOINT']], 'hGestureInfoCurrent': [896, ['pointer64', ['HGESTUREINFO__']]], 'GdiTmpTgoList': [80, ['_LIST_ENTRY']], 'pUMPDObjs': [40, ['pointer64', ['void']]], 'FontSubs': [520, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long long'}]], 'GiveUpForegound': [520, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long long'}]], 'spDefaultImc': [656, ['pointer64', ['tagIMC']]], 'pgdiDcattr': [24, ['pointer64', ['void']]], 'TIF_flags': [408, ['unsigned long']], 
'apEvent': [712, ['pointer64', ['pointer64', ['_KEVENT']]]], 'HardwareMixer': [520, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'unsigned long long'}]], 'pUMPDObj': [56, ['pointer64', ['void']]], 'pSpriteState': [272, ['pointer64', ['void']]], 'EnumTTNotDevice': [516, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'lParamHkCurrent': [568, ['long long']], 'ulDevHTInfoUniqueness': [288, ['unsigned long']], 'ptiSibling': [536, ['pointer64', ['tagTHREADINFO']]], 'psiiList': [504, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'ForceFusion': [520, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long long'}]], 'fSpecialInitialization': [928, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'IncreaseStack': [516, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'pClientID': [72, ['pointer64', ['void']]], }], '_MOVESIZEDATA': [0xf0, { 'fmsKbd': [164, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'fMoveFromMax': [164, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fSnapMoving': [164, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'ptRestore': [156, ['tagPOINT']], 'fUsePreviewRect': [164, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long'}]], 'ptStartHitWindowRelative': [208, ['tagPOINT']], 'CurrentHitTarget': [192, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fHasSoftwareCursor': [164, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long'}]], 'fCheckPtForcefullyRestored': [164, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'fSnapMovingTemporaryAllowed': [164, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned 
long'}]], 'Unused': [164, ['BitField', {'end_bit': 32, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'fOffScreen': [164, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'fWindowWasSuperMaximized': [164, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], 'StartCurrentHitTarget': [176, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fSnapSizing': [164, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fIsMoveSizeLoop': [164, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'rcPreviewCursor': [56, ['tagRECT']], 'dyMouse': [140, ['long']], 'fVerticallyMaximizedRight': [164, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'fTrackCancelled': [164, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'impx': [148, ['long']], 'impy': [152, ['long']], 'fLockWindowUpdate': [164, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'fStartVerticallyMaximizedLeft': [164, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'ptMinTrack': [88, ['tagPOINT']], 'pMonitorCurrentHitTarget': [184, ['pointer64', ['tagMONITOR']]], 'rcWindow': [104, ['tagRECT']], 'pStartMonitorCurrentHitTarget': [168, ['pointer64', ['tagMONITOR']]], 'cmd': [144, ['long']], 'ptMaxTrack': [96, ['tagPOINT']], 'fForceSizing': [164, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'fThresholdSelector': [164, ['BitField', {'end_bit': 18, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'MoveRectStyle': [196, ['Enumeration', {'target': 'long', 'choices': {0: 'MoveRectKeepPositionAtCursor', 1: 'MoveRectMidTopAtCursor', 2: 'MoveRectKeepAspectRatioAtCursor', 3: 'MoveRectSidewiseKeepPositionAtCursor'}}]], 
'fDragFullWindows': [164, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'fForeground': [164, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'ulCountDragOutOfLeftRightTarget': [228, ['unsigned long']], 'ptLastTrack': [216, ['tagPOINT']], 'frcNormalCheckPtValid': [164, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'fIsHitPtOffScreen': [164, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'fSnapSizingTemporaryAllowed': [164, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'fInitSize': [164, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'dxMouse': [136, ['long']], 'fStartVerticallyMaximizedRight': [164, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'ulCountDragOutOfTopTarget': [224, ['unsigned long']], 'fVerticallyMaximizedLeft': [164, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'spwnd': [0, ['pointer64', ['tagWND']]], 'fHasPreviewRect': [164, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'unsigned long'}]], 'rcPreview': [40, ['tagRECT']], 'rcDragCursor': [24, ['tagRECT']], 'Flags': [164, ['unsigned long']], 'ptHitWindowRelative': [200, ['tagPOINT']], 'rcParent': [72, ['tagRECT']], 'ulCountSizeOutOfTopBottomTarget': [232, ['unsigned long']], 'rcNormalStartCheckPt': [120, ['tagRECT']], 'rcDrag': [8, ['tagRECT']], }], '_LARGE_UNICODE_STRING': [0x10, { 'Buffer': [8, ['pointer64', ['unsigned short']]], 'Length': [0, ['unsigned long']], 'MaximumLength': [4, ['BitField', {'end_bit': 31, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'bAnsi': [4, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long'}]], }], 'VSC_LPWSTR': [0x10, { 'vsc': [0, ['unsigned char']], 'pwsz': [8, ['pointer64', ['unsigned short']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION': [0x10, { 
'Scaling': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPS_UNINITIALIZED', 1: 'D3DKMDT_VPPS_IDENTITY', 2: 'D3DKMDT_VPPS_CENTERED', 3: 'D3DKMDT_VPPS_STRETCHED', 4: 'D3DKMDT_VPPS_ASPECTRATIOCENTEREDMAX', 5: 'D3DKMDT_VPPS_CUSTOM', 253: 'D3DKMDT_VPPS_RESERVED1', 254: 'D3DKMDT_VPPS_UNPINNED', 255: 'D3DKMDT_VPPS_NOTSPECIFIED'}}]], 'RotationSupport': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT']], 'Rotation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPR_UNINITIALIZED', 1: 'D3DKMDT_VPPR_IDENTITY', 2: 'D3DKMDT_VPPR_ROTATE90', 3: 'D3DKMDT_VPPR_ROTATE180', 4: 'D3DKMDT_VPPR_ROTATE270', 254: 'D3DKMDT_VPPR_UNPINNED', 255: 'D3DKMDT_VPPR_NOTSPECIFIED'}}]], 'ScalingSupport': [4, ['_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT']], }], 'tagUAHMENUPOPUPMETRICS': [0x14, { 'rgcx': [0, ['array', 4, ['long']]], 'fUpdateMaxWidths': [16, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], }], '__unnamed_115b': [0x10, { 'NextEntry': [8, ['BitField', {'end_bit': 64, 'start_bit': 4, 'native_type': 'unsigned long long'}]], 'Depth': [0, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Reserved': [8, ['BitField', {'end_bit': 4, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'HeaderType': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 64, 'start_bit': 16, 'native_type': 'unsigned long long'}]], }], '_THROBJHEAD': [0x18, { 'h': [0, ['pointer64', ['void']]], 'pti': [16, ['pointer64', ['tagTHREADINFO']]], 'cLockObj': [8, ['unsigned long']], }], '_DMM_COFUNCPATHSMODALITY_SERIALIZATION': [0x8, { 'NumPathsFromSource': [0, ['unsigned char']], 'PathAndTargetModeSetOffset': [4, ['array', 1, ['unsigned long']]], }], 'tagSBTRACK': [0x68, { 'spwndSBNotify': [24, ['pointer64', ['tagWND']]], 'hTimerSB': [64, ['unsigned long long']], 'cmdSB': [56, ['unsigned long']], 'xxxpfnSB': [48, ['pointer64', ['void']]], 
'fTrackVert': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'posNew': [84, ['long']], 'posOld': [80, ['long']], 'fCtlSB': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'rcTrack': [32, ['tagRECT']], 'fTrackRecalc': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'spwndSB': [16, ['pointer64', ['tagWND']]], 'spwndTrack': [8, ['pointer64', ['tagWND']]], 'dpxThumb': [72, ['long']], 'pxOld': [76, ['long']], 'fHitOld': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'pSBCalc': [96, ['pointer64', ['tagSBCALC']]], 'nBar': [88, ['long']], }], '_DMA_ADAPTER': [0x10, { 'Version': [0, ['unsigned short']], 'DmaOperations': [8, ['pointer64', ['_DMA_OPERATIONS']]], 'Size': [2, ['unsigned short']], }], '__unnamed_1217': [0x10, { 'FsInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'}}]], 'Length': [0, ['unsigned long']], }], 'tagDPISERVERINFO': [0x28, { 'hMsgFont': [16, ['pointer64', ['HFONT__']]], 'hCaptionFont': [8, ['pointer64', ['HFONT__']]], 'gclBorder': [0, ['long']], 'cxMsgFontChar': [24, ['long']], 'wMaxBtnSize': [32, ['unsigned long']], 'cyMsgFontChar': [28, ['long']], }], 'HICON__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNTARGETMODESET_SERIALIZATION': [0x50, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [8, ['array', 1, ['_D3DKMDT_VIDPN_TARGET_MODE']]], }], '__unnamed_16c1': [0x8, { 'ActiveSize': [0, ['_D3DKMDT_2DREGION']], 'MaxPixelRate': [0, ['unsigned long long']], }], '__unnamed_127c': [0x48, { 'Wcb': [0, ['_WAIT_CONTEXT_BLOCK']], 'ListEntry': [0, 
['_LIST_ENTRY']], }], '_D3DMATRIX': [0x40, { '_33': [40, ['float']], '_42': [52, ['float']], '_43': [56, ['float']], '_44': [60, ['float']], '_34': [44, ['float']], '_14': [12, ['float']], '_13': [8, ['float']], '_12': [4, ['float']], '_11': [0, ['float']], '_41': [48, ['float']], '_31': [32, ['float']], '_24': [28, ['float']], '_32': [36, ['float']], '_22': [20, ['float']], '_23': [24, ['float']], '_21': [16, ['float']], }], '__unnamed_18a1': [0x20, { 'Text': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_TRF_UNINITIALIZED'}}]], 'Graphics': [0, ['_D3DKMDT_GRAPHICS_RENDERING_FORMAT']], }], 'HGESTUREINFO__': [0x4, { 'unused': [0, ['long']], }], '_VK_TO_FUNCTION_TABLE': [0x84, { 'NLSFEProcType': [1, ['unsigned char']], 'NLSFEProcSwitch': [3, ['unsigned char']], 'Vk': [0, ['unsigned char']], 'NLSFEProcCurrent': [2, ['unsigned char']], 'NLSFEProcAlt': [68, ['array', 8, ['_VK_FUNCTION_PARAM']]], 'NLSFEProc': [4, ['array', 8, ['_VK_FUNCTION_PARAM']]], }], #'__unnamed_16ca': [0x10, { # 'Attrib': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'WCA_UNDEFINED', 1: 'WCA_NCRENDERING_ENABLED', 2: 'WCA_NCRENDERING_POLICY', 3: 'WCA_TRANSITIONS_FORCEDISABLED', 4: 'WCA_ALLOW_NCPAINT', 5: 'WCA_CAPTION_BUTTON_BOUNDS', 6: 'WCA_NONCLIENT_RTL_LAYOUT', 7: 'WCA_FORCE_ICONIC_REPRESENTATION', 8: 'WCA_FLIP3D_POLICY', 9: 'WCA_EXTENDED_FRAME_BOUNDS', 10: 'WCA_HAS_ICONIC_BITMAP', 11: 'WCA_THEME_ATTRIBUTES', 12: 'WCA_NCRENDERING_EXILED', 13: 'WCA_NCADORNMENTINFO', 14: 'WCA_EXCLUDED_FROM_LIVEPREVIEW', 15: 'WCA_VIDEO_OVERLAY_ACTIVE', 16: 'WCA_FORCE_ACTIVEWINDOW_APPEARANCE', 17: 'WCA_DISALLOW_PEEK', 18: 'WCA_LAST'}}]], # 'cbData': [8, ['unsigned long long']], # }], '_DMM_VIDPNPATHANDTARGETMODESET_SERIALIZATION': [0x1b8, { 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], 'TargetModeSet': [360, ['_DMM_VIDPNTARGETMODESET_SERIALIZATION']], }], 'HDESK__': [0x4, { 'unused': [0, ['long']], }], 'VK_TO_BIT': [0x2, { 'Vk': [0, ['unsigned char']], 'ModBits': [1, ['unsigned char']], }], 
'tagIMEINFOEX': [0x160, { 'fSysWow64Only': [348, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'wszImeFile': [188, ['array', 80, ['wchar']]], 'fLoadFlag': [76, ['long']], 'hkl': [0, ['pointer64', ['HKL__']]], 'dwImeWinVersion': [84, ['unsigned long']], 'dwProdVersion': [80, ['unsigned long']], 'wszImeDescription': [88, ['array', 50, ['wchar']]], 'fCUASLayer': [348, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'ImeInfo': [8, ['tagIMEINFO']], 'wszUIClass': [36, ['array', 16, ['wchar']]], 'fInitOpen': [72, ['long']], 'fdwInitConvMode': [68, ['unsigned long']], }], '__unnamed_12e0': [0x2c, { 'InitialPrivilegeSet': [0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet': [0, ['_PRIVILEGE_SET']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT': [0x4, { 'MacroVisionFull': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'MacroVisionApsTrigger': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'NoProtection': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Reserved': [0, ['BitField', {'end_bit': 32, 'start_bit': 3, 'native_type': 'unsigned long'}]], }], '_SCATTER_GATHER_ELEMENT': [0x18, { 'Length': [8, ['unsigned long']], 'Reserved': [16, ['unsigned long long']], 'Address': [0, ['_LARGE_INTEGER']], }], 'tagWND': [0x128, { 'bEraseBackground': [40, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'spwndOwner': [104, ['pointer64', ['tagWND']]], 'bWS_EX_LAYERED': [48, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bWS_CLIPCHILDREN': [52, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 'bMaximizeButtonDown': [44, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'cbwndExtra': [232, ['long']], 'bMakeVisibleWhenUnghosted': [48, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bUIStateActive': [48, ['BitField', 
{'end_bit': 27, 'start_bit': 26, 'native_type': 'long'}]], 'hMod16': [64, ['unsigned short']], 'bWS_TABSTOP': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bUnused8': [52, ['BitField', {'end_bit': 18, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_EX_NOPARENTNOTIFY': [48, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bForceFullNCPaintClipRgn': [44, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'bDialogWindow': [40, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'lpfnWndProc': [144, ['pointer64', ['void']]], 'bWS_EX_RTLREADING': [48, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'bMinimizeButtonDown': [44, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'bUnused2': [48, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bUnused3': [48, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bUnused4': [48, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'long'}]], 'bHasMeun': [40, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bUnused6': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bUnused7': [52, ['BitField', {'end_bit': 18, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_SIZEBOX': [52, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'style': [52, ['unsigned long']], 'ppropList': [168, ['pointer64', ['tagPROPLIST']]], 'hrgnNewFrame': [208, ['pointer64', ['HRGN__']]], 'bHasOverlay': [288, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bUnused9': [52, ['BitField', {'end_bit': 19, 'start_bit': 16, 'native_type': 'long'}]], 'bClipboardListener': [288, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bScrollBarLineDownBtnDown': [44, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bReserved3': [52, ['BitField', 
{'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bRedirectedForPrint': [288, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bWS_EX_RIGHT': [48, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bStartPaint': [44, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bHasCreatestructName': [40, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'bWS_EX_COMPOSITED': [48, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 'bFullScreen': [44, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'spwndLastActive': [240, ['pointer64', ['tagWND']]], 'hrgnUpdate': [160, ['pointer64', ['HRGN__']]], 'head': [0, ['_THRDESKHEAD']], 'bConsoleWindow': [288, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'bHiddenPopup': [40, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'hrgnClip': [200, ['pointer64', ['HRGN__']]], 'bWS_EX_CONTROLPARENT': [48, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_EX_TOPMOST': [48, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'bSendEraseBackground': [40, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bScrollBarLineUpBtnDown': [44, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bWin50Compat': [44, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'bRecievedQuerySuspendMsg': [40, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'long'}]], 'bMaximizeMonitorRegion': [44, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bLayeredLimbo': [288, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'bRedrawIfHung': [40, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'FullScreenMode': [44, ['BitField', {'end_bit': 27, 'start_bit': 24, 'native_type': 'long'}]], 'bLayeredInvalidate': 
[288, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bVerticallyMaximizedLeft': [288, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'bWS_POPUP': [52, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bWS_EX_CONTEXTHELP': [48, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'dwUserData': [256, ['unsigned long long']], 'bDisabled': [52, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'bAnsiWindowProc': [40, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bWin40Compat': [44, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bWS_EX_NOINHERITLAYOUT': [48, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'rcClient': [128, ['tagRECT']], 'bAnsiCreator': [40, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bAnyScrollButtonDown': [44, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'bWS_EX_LAYOUTRTL': [48, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bUIStateKbdAccelHidden': [48, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bSendSizeMoveMsgs': [40, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'spwndParent': [88, ['pointer64', ['tagWND']]], 'bLinked': [288, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'bSendNCPaint': [40, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bToggleTopmost': [40, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'long'}]], 'bInternalPaint': [40, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bDestroyed': [40, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bHasClientEdge': [44, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bServerSideWindowProc': [40, ['BitField', {'end_bit': 19, 'start_bit': 18, 
'native_type': 'long'}]], 'bCaptionTextTruncated': [44, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'rcWindow': [112, ['tagRECT']], 'bEndPaintInvalidate': [44, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bHasPalette': [40, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bHasHorizontalScrollbar': [40, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bUIStateFocusRectHidden': [48, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bReserved1': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_COMPOSITEDCompositing': [48, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'bWS_EX_MDICHILD': [48, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bHasVerticalScrollbar': [40, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bReserved2': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWMCreateMsgProcessed': [44, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bMinimized': [52, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bWS_EX_NOACTIVATE': [48, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'bWS_EX_APPWINDOW': [48, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'pSBInfo': [176, ['pointer64', ['tagSBINFO']]], 'bSmallIconFromWMQueryDrag': [44, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bNoNCPaint': [40, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bCloseButtonDown': [44, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bUnused1': [48, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bHasSPB': [40, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'bWS_MINIMIZEBOX': [52, ['BitField', {'end_bit': 18, 
'start_bit': 17, 'native_type': 'long'}]], 'bMaximized': [52, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'long'}]], 'bScrollBarVerticalTracking': [44, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bWS_CHILD': [52, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bReserved5': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_DLGMODALFRAME': [48, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_TRANSPARENT': [48, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'spmenu': [192, ['pointer64', ['tagMENU']]], 'bWS_THICKFRAME': [52, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'bPaintNotProcessed': [40, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bSyncPaintPending': [40, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'pcls': [152, ['pointer64', ['tagCLS']]], 'bLayeredForDWM': [288, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bMsgBox': [40, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'bShellHookRegistered': [44, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'spwndChild': [96, ['pointer64', ['tagWND']]], 'bUnused5': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bHelpButtonDown': [44, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bInDestroy': [44, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'state': [40, ['unsigned long']], 'strName': [216, ['_LARGE_UNICODE_STRING']], 'spwndPrev': [80, ['pointer64', ['tagWND']]], 'bRedrawFrameIfHung': [40, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'bWS_EX_LEFTSCROLLBAR': [48, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'bWS_EX_TOOLWINDOW': [48, ['BitField', {'end_bit': 8, 'start_bit': 7, 
'native_type': 'long'}]], 'bWS_VSCROLL': [52, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bMaximizesToMonitor': [40, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bNoMinmaxAnimatedRects': [44, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'fnid': [66, ['unsigned short']], 'ExStyle': [48, ['unsigned long']], 'bRedirected': [48, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bActiveFrame': [40, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bReserved4': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_WINDOWEDGE': [48, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bReserved6': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bReserved7': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_CLIPSIBLINGS': [52, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'long'}]], 'bWS_EX_ACCEPTFILE': [48, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bWS_HSCROLL': [52, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'bUpdateDirty': [40, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'bBeingActivated': [40, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'state2': [44, ['unsigned long']], 'spwndNext': [72, ['pointer64', ['tagWND']]], 'bScrollBarPageDownBtnDown': [44, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'bWS_BORDER': [52, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'bWMPaintSent': [44, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bScrollBarPageUpBtnDown': [44, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'pTransform': [272, ['pointer64', ['_D3DMATRIX']]], 'bWS_MAXIMIZEBOX': [52, ['BitField', {'end_bit': 17, 
'start_bit': 16, 'native_type': 'long'}]], 'bVisible': [52, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'bVerticallyMaximizedRight': [288, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bWin31Compat': [44, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bWS_EX_STATICEDGE': [48, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'bForceMenuDraw': [40, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bForceNCPaint': [44, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'ExStyle2': [288, ['unsigned long']], 'bOldUI': [44, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'bWS_DLGFRAME': [52, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bHIGHDPI_UNAWARE_Unused': [288, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bWS_SYSMENU': [52, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'spwndClipboardListenerNext': [280, ['pointer64', ['tagWND']]], 'hModule': [56, ['pointer64', ['void']]], 'bWS_EX_NOPADDEDBORDER': [48, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'pActCtx': [264, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'bBottomMost': [44, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'spmenuSys': [184, ['pointer64', ['tagMENU']]], 'bRecievedSuspendMsg': [40, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 'bWS_EX_CLIENTEDGE': [48, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bHasCaption': [40, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'hImc': [248, ['pointer64', ['HIMC__']]], 'bChildNoActivate': [288, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bWS_GROUP': [52, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], }], 'tagUAHMENUITEMMETRICS': [0x20, { 'rgsizeBar': 
[0, ['array', 2, ['tagSIZE']]], 'rgsizePopup': [0, ['array', 4, ['tagSIZE']]], }], '_DXGK_DIAG_CODE_POINT_PACKET': [0x40, { 'Header': [0, ['_DXGK_DIAG_HEADER']], 'Param3': [60, ['unsigned long']], 'Param1': [52, ['unsigned long']], 'CodePointType': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_CODE_POINT_TYPE_NONE', 1: 'DXGK_DIAG_CODE_POINT_TYPE_RECOMMEND_FUNC_VIDPN', 2: 'DXGK_DIAG_CODE_POINT_TYPE_OS_RECOMMENDED_VIDPN', 3: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_LOG_FAILURE', 4: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_INVALIDATE_ERROR', 5: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_LOG_FAILURE', 7: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_FAILURE_DB', 8: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_BTL', 9: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_DB', 10: 'DXGK_DIAG_CODE_POINT_TYPE_QDC_LOG_FAILURE', 11: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_GDI', 12: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_GDI', 13: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_MONITOR', 14: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_MONITOR', 15: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_DIM_MONITOR', 16: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_UNDIM_MONITOR', 17: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BACKTRACK', 18: 'DXGK_DIAG_CODE_POINT_TYPE_BML_CLOSEST_TARGET_MODE', 19: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_SOURCE_MODE', 20: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_TARGET_MODE', 21: 'DXGK_DIAG_CODE_POINT_TYPE_BML_SOURCE_MODE_NOT_PINNED', 22: 'DXGK_DIAG_CODE_POINT_TYPE_BML_TARGET_MODE_NOT_PINNED', 23: 'DXGK_DIAG_CODE_POINT_TYPE_BML_RESTARTED', 24: 'DXGK_DIAG_CODE_POINT_TYPE_TDR', 25: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_EVENT_NOTIFICATION', 26: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEMDEV_USE_DEFAULT_MODE', 27: 'DXGK_DIAG_CODE_POINT_TYPE_CONNECTED_SET_LOG_FAILURE', 28: 'DXGK_DIAG_CODE_POINT_TYPE_INVALIDATE_DXGK_MODE_CACHE', 29: 'DXGK_DIAG_CODE_POINT_TYPE_REBUILD_DXGK_MODE_CACHE', 30: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_RELAX_REFRESH_MATCH', 31: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_CCDBML_FAIL_VISTABML_SUCCESSED', 32: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_SOURCE_MODE', 33: 
'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_TARGET_MODE', 34: 'DXGK_DIAG_CODE_POINT_TYPE_ADD_DEVICE', 35: 'DXGK_DIAG_CODE_POINT_TYPE_START_ADAPTER', 36: 'DXGK_DIAG_CODE_POINT_TYPE_STOP_ADAPTER', 37: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING', 38: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING_TARGET', 39: 'DXGK_DIAG_CODE_POINT_TYPE_INDICATE_CHILD_STATUS', 40: 'DXGK_DIAG_CODE_POINT_TYPE_HANDLE_IRP', 41: 'DXGK_DIAG_CODE_POINT_TYPE_CHANGE_UNSUPPORTED_MONITOR_MODE_FLAG', 42: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_NOTIFY_CALLBACK', 43: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_DISABLEGDI', 44: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_ENABLEGDI', 45: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_MODESWITCH', 46: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_SYNC_MONITOR_EVENT', 47: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_NOTIFY_GDI', 48: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_ENABLE_VGA', 49: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_TDR_SWITCH_GDI', 50: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_CREATE_DEVICE_FAILED', 51: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DEVICE_REMOVED', 52: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DRVASSERTMODE_TRUE_FAILED', 53: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_RECREATE_DEVICE_FAILED', 54: 'DXGK_DIAG_CODE_POINT_TYPE_CDD_MAPSHADOWBUFFER_FAILED', 55: 'DXGK_DIAG_CODE_POINT_TYPE_COMMIT_VIDPN_LOG_FAILURE', 56: 'DXGK_DIAG_CODE_POINT_TYPE_DRIVER_RECOMMEND_LOG_FAILURE', 57: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_ENFORCED_CLONE_PATH_INVALID_SOURCE_IDX', 58: 'DXGK_DIAG_CODE_POINT_TYPE_DRVPROBEANDCAPTURE_FAILED', 59: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKCDDENABLE_OPTIMIZED_MODE_CHANGE', 60: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKSETDISPLAYMODE_OPTIMIZED_MODE_CHANGE', 61: 'DXGK_DIAG_CODE_POINT_TYPE_MON_DEPART_GETRECENTTOP_FAIL', 62: 'DXGK_DIAG_CODE_POINT_TYPE_MON_ARRIVE_INC_ADD_FAIL', 63: 'DXGK_DIAG_CODE_POINT_TYPE_CCD_DATABASE_PERSIST', 64: 'DXGK_DIAG_CODE_POINT_TYPE_MAX', -1: 
'DXGK_DIAG_CODE_POINT_TYPE_FORCE_UINT32'}}]], 'Param2': [56, ['unsigned long']], }], 'tagW32JOB': [0x40, { 'restrictions': [24, ['unsigned long']], 'Job': [8, ['pointer64', ['_EJOB']]], 'ughCrt': [48, ['unsigned long']], 'pgh': [56, ['pointer64', ['unsigned long long']]], 'ppiTable': [40, ['pointer64', ['pointer64', ['tagPROCESSINFO']]]], 'ughMax': [52, ['unsigned long']], 'pAtomTable': [16, ['pointer64', ['void']]], 'uProcessCount': [28, ['unsigned long']], 'uMaxProcesses': [32, ['unsigned long']], 'pNext': [0, ['pointer64', ['tagW32JOB']]], }], 'tagMBSTRING': [0x28, { 'szName': [0, ['array', 15, ['wchar']]], 'uID': [32, ['unsigned long']], 'uStr': [36, ['unsigned long']], }], '_D3DKMDT_VIDPN_TARGET_MODE': [0x48, { 'VideoSignalInfo': [8, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'Id': [0, ['unsigned long']], 'Preference': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], }], '__unnamed_124f': [0x4, { 'PowerState': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'}}]], }], '__unnamed_124b': [0x10, { 'Type': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'}}]], 'Reserved': [1, ['array', 3, ['unsigned char']]], 'InPath': [0, ['unsigned char']], }], 'tagDESKTOP': [0xe0, { 'spmenuVScroll': [80, ['pointer64', ['tagMENU']]], 'dwMouseHoverTime': [212, ['unsigned long']], 'rpwinstaParent': [32, ['pointer64', ['tagWINDOWSTATION']]], 'spmenuDialogSys': [64, ['pointer64', ['tagMENU']]], 'spwndForeground': [88, ['pointer64', ['tagWND']]], 'spmenuHScroll': [72, ['pointer64', ['tagMENU']]], 'spwndTooltip': [112, ['pointer64', ['tagWND']]], 'dwSessionId': [0, ['unsigned 
long']], 'pDeskInfo': [8, ['pointer64', ['tagDESKTOPINFO']]], 'spwndMessage': [104, ['pointer64', ['tagWND']]], 'cciConsole': [144, ['_CONSOLE_CARET_INFO']], 'PtiList': [168, ['_LIST_ENTRY']], 'spwndTray': [96, ['pointer64', ['tagWND']]], 'rpdeskNext': [24, ['pointer64', ['tagDESKTOP']]], 'dwDTFlags': [40, ['unsigned long']], 'pMagInputTransform': [216, ['pointer64', ['_MAGNIFICATION_INPUT_TRANSFORM']]], 'spwndTrack': [184, ['pointer64', ['tagWND']]], 'htEx': [192, ['long']], 'ulHeapSize': [136, ['unsigned long']], 'pheapDesktop': [128, ['pointer64', ['tagWIN32HEAP']]], 'hsectionDesktop': [120, ['pointer64', ['void']]], 'rcMouseHover': [196, ['tagRECT']], 'dwDesktopId': [48, ['unsigned long long']], 'spmenuSys': [56, ['pointer64', ['tagMENU']]], 'pDispInfo': [16, ['pointer64', ['tagDISPLAYINFO']]], }], 'tagPOOLRECORD': [0x40, { 'ExtraData': [0, ['pointer64', ['void']]], 'trace': [16, ['array', 6, ['pointer64', ['void']]]], 'size': [8, ['unsigned long long']], }], 'tagSPB': [0x40, { 'hbm': [16, ['pointer64', ['HBITMAP__']]], 'hrgn': [40, ['pointer64', ['HRGN__']]], 'ulSaveId': [56, ['unsigned long long']], 'flags': [48, ['unsigned long']], 'rc': [24, ['tagRECT']], 'pspbNext': [0, ['pointer64', ['tagSPB']]], 'spwnd': [8, ['pointer64', ['tagWND']]], }], '_DMM_COMMITVIDPNREQUEST_DIAGINFO': [0xc, { 'CleanupAfterFailedCommitVidPn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned char'}]], 'ModeChangeRequestId': [8, ['unsigned long']], 'ReclaimClonedTarget': [4, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned char'}]], 'ForceAllActiveVidPnModeListInvalidation': [4, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned char'}]], }], 'HFONT__': [0x4, { 'unused': [0, ['long']], }], 'tagTEXTMETRICW': [0x3c, { 'tmCharSet': [56, ['unsigned char']], 'tmDigitizedAspectY': [40, ['long']], 'tmStruckOut': [54, ['unsigned char']], 'tmItalic': [52, ['unsigned char']], 'tmDigitizedAspectX': [36, ['long']], 'tmWeight': [28, 
['long']], 'tmFirstChar': [44, ['wchar']], 'tmOverhang': [32, ['long']], 'tmDescent': [8, ['long']], 'tmPitchAndFamily': [55, ['unsigned char']], 'tmDefaultChar': [48, ['wchar']], 'tmLastChar': [46, ['wchar']], 'tmBreakChar': [50, ['wchar']], 'tmMaxCharWidth': [24, ['long']], 'tmUnderlined': [53, ['unsigned char']], 'tmInternalLeading': [12, ['long']], 'tmAscent': [4, ['long']], 'tmHeight': [0, ['long']], 'tmAveCharWidth': [20, ['long']], 'tmExternalLeading': [16, ['long']], }], '_KLIST_ENTRY': [0x10, { 'Flink': [0, ['pointer64', ['_KLIST_ENTRY']]], 'Blink': [8, ['pointer64', ['_KLIST_ENTRY']]], }], '__unnamed_1247': [0x10, { 'DeviceTextType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'}}]], 'LocaleId': [8, ['unsigned long']], }], 'tagPROP': [0x10, { 'fs': [10, ['unsigned short']], 'hData': [0, ['pointer64', ['void']]], 'atomKey': [8, ['unsigned short']], }], '__unnamed_1243': [0x4, { 'IdType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'}}]], }], '__unnamed_123d': [0x20, { 'Buffer': [8, ['pointer64', ['void']]], 'WhichSpace': [0, ['unsigned long']], 'Length': [24, ['unsigned long']], 'Offset': [16, ['unsigned long']], }], 'tagCLIENTTHREADINFO': [0x10, { 'fsWakeMask': [10, ['unsigned short']], 'CTIF_flags': [0, ['unsigned long']], 'fsWakeBits': [6, ['unsigned short']], 'fsWakeBitsJournal': [8, ['unsigned short']], 'fsChangeBits': [4, ['unsigned short']], 'tickLastMsgChecked': [12, ['unsigned long']], }], 'tagKbdNlsLayer': [0x20, { 'OEMIdentifier': [0, ['unsigned short']], 'NumOfVkToF': [4, ['unsigned long']], 'pusMouseVKey': [24, ['pointer64', ['unsigned short']]], 'NumOfMouseVKey': [16, ['long']], 'pVkToF': [8, ['pointer64', ['_VK_TO_FUNCTION_TABLE']]], 'LayoutInformation': [2, ['unsigned short']], }], 'HBITMAP__': [0x4, { 'unused': 
[0, ['long']], }], '__unnamed_11ff': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'EaLength': [24, ['unsigned long']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'FileAttributes': [16, ['unsigned short']], }], 'tagPROCESS_HID_TABLE': [0x68, { 'UsagePageLast': [96, ['unsigned short']], 'fExclusiveMouseSink': [100, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'fRawKeyboardSink': [100, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'fAppKeys': [100, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'fCaptureMouse': [100, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'fNoLegacyMouse': [100, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'UsageLast': [98, ['unsigned short']], 'fRawKeyboard': [100, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'fNoLegacyKeyboard': [100, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'nSinks': [80, ['long']], 'fNoHotKeys': [100, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'spwndTargetMouse': [64, ['pointer64', ['tagWND']]], 'spwndTargetKbd': [72, ['pointer64', ['tagWND']]], 'UsagePageList': [32, ['_LIST_ENTRY']], 'link': [0, ['_LIST_ENTRY']], 'fExclusiveKeyboardSink': [100, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'pLastRequest': [88, ['pointer64', ['tagPROCESS_HID_REQUEST']]], 'ExclusionList': [48, ['_LIST_ENTRY']], 'fRawMouse': [100, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'fRawMouseSink': [100, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'InclusionList': [16, ['_LIST_ENTRY']], }], '__unnamed_1809': [0x10, { 'Affinity': [8, ['unsigned long long']], 'Vector': [4, ['unsigned long']], 'Group': [0, ['unsigned short']], 'MessageCount': [2, ['unsigned short']], }], '_KFLOATING_SAVE': [0x4, { 'Dummy': [0, 
['unsigned long']], }], 'tagRECT': [0x10, { 'top': [4, ['long']], 'right': [8, ['long']], 'bottom': [12, ['long']], 'left': [0, ['long']], }], '__unnamed_1807': [0x10, { 'Affinity': [8, ['unsigned long long']], 'Vector': [4, ['unsigned long']], 'Group': [2, ['unsigned short']], 'Level': [0, ['unsigned short']], }], 'HBRUSH__': [0x4, { 'unused': [0, ['long']], }], '_TLSPRITESTATE': [0xa8, { 'flOriginalSurfFlags': [4, ['unsigned long']], 'iSpriteType': [16, ['unsigned long']], 'pfnSaveScreenBits': [144, ['pointer64', ['void']]], 'bInsideDriverCall': [0, ['unsigned char']], 'pfnStrokePath': [48, ['pointer64', ['void']]], 'pfnTransparentBlt': [112, ['pointer64', ['void']]], 'pfnPaint': [64, ['pointer64', ['void']]], 'pfnFillPath': [56, ['pointer64', ['void']]], 'pfnStretchBltROP': [152, ['pointer64', ['void']]], 'iType': [24, ['unsigned long']], 'pfnPlgBlt': [128, ['pointer64', ['void']]], 'pfnCopyBits': [80, ['pointer64', ['void']]], 'pState': [32, ['pointer64', ['void']]], 'iOriginalType': [8, ['unsigned long']], 'pfnTextOut': [96, ['pointer64', ['void']]], 'pfnDrawStream': [160, ['pointer64', ['void']]], 'pfnStrokeAndFillPath': [40, ['pointer64', ['void']]], 'pfnLineTo': [104, ['pointer64', ['void']]], 'pfnStretchBlt': [88, ['pointer64', ['void']]], 'pfnGradientFill': [136, ['pointer64', ['void']]], 'pfnAlphaBlend': [120, ['pointer64', ['void']]], 'flags': [20, ['unsigned long']], 'flSpriteSurfFlags': [12, ['unsigned long']], 'pfnBitBlt': [72, ['pointer64', ['void']]], }], 'tagSMS': [0x70, { 'wParam': [72, ['unsigned long long']], 'lParam': [80, ['long long']], 'lRet': [56, ['long long']], 'psmsReceiveNext': [8, ['pointer64', ['tagSMS']]], 'tSent': [64, ['unsigned long']], 'psmsNext': [0, ['pointer64', ['tagSMS']]], 'ptiCallBackSender': [48, ['pointer64', ['tagTHREADINFO']]], 'ptiReceiver': [24, ['pointer64', ['tagTHREADINFO']]], 'lpResultCallBack': [32, ['pointer64', ['void']]], 'message': [88, ['unsigned long']], 'dwData': [40, ['unsigned long long']], 
'ptiSender': [16, ['pointer64', ['tagTHREADINFO']]], 'flags': [68, ['unsigned long']], 'pvCapture': [104, ['pointer64', ['void']]], 'spwnd': [96, ['pointer64', ['tagWND']]], }], '_D3DKMDT_FREQUENCY_RANGE': [0x20, { 'MinVSyncFreq': [0, ['_D3DDDI_RATIONAL']], 'MaxVSyncFreq': [8, ['_D3DDDI_RATIONAL']], 'MaxHSyncFreq': [24, ['_D3DDDI_RATIONAL']], 'MinHSyncFreq': [16, ['_D3DDDI_RATIONAL']], }], '__unnamed_11f8': [0x58, { 'Apc': [0, ['_KAPC']], 'CompletionKey': [0, ['pointer64', ['void']]], 'Overlay': [0, ['__unnamed_11f5']], }], '__unnamed_18bf': [0x4, { 'BaseMiddle': [0, ['unsigned char']], 'BaseHigh': [3, ['unsigned char']], 'Flags1': [1, ['unsigned char']], 'Flags2': [2, ['unsigned char']], }], '__unnamed_11f5': [0x50, { 'AuxiliaryBuffer': [40, ['pointer64', ['unsigned char']]], 'Thread': [32, ['pointer64', ['_ETHREAD']]], 'OriginalFileObject': [72, ['pointer64', ['_FILE_OBJECT']]], 'DeviceQueueEntry': [0, ['_KDEVICE_QUEUE_ENTRY']], 'PacketType': [64, ['unsigned long']], 'CurrentStackLocation': [64, ['pointer64', ['_IO_STACK_LOCATION']]], 'ListEntry': [48, ['_LIST_ENTRY']], 'DriverContext': [0, ['array', 4, ['pointer64', ['void']]]], }], 'HRGN__': [0x4, { 'unused': [0, ['long']], }], 'tagSIZE': [0x8, { 'cy': [4, ['long']], 'cx': [0, ['long']], }], 'tagDESKTOPVIEW': [0x18, { 'ulClientDelta': [16, ['unsigned long long']], 'pdesk': [8, ['pointer64', ['tagDESKTOP']]], 'pdvNext': [0, ['pointer64', ['tagDESKTOPVIEW']]], }], '__unnamed_180b': [0x10, { 'Translated': [0, ['__unnamed_1807']], 'Raw': [0, ['__unnamed_1809']], }], '__unnamed_180d': [0xc, { 'Reserved1': [8, ['unsigned long']], 'Port': [4, ['unsigned long']], 'Channel': [0, ['unsigned long']], }], '__unnamed_180f': [0xc, { 'Data': [0, ['array', 3, ['unsigned long']]], }], 'MODIFIERS': [0x10, { 'wMaxModBits': [8, ['unsigned short']], 'pVkToBit': [0, ['pointer64', ['VK_TO_BIT']]], 'ModNumber': [10, ['array', 0, ['unsigned char']]], }], '__unnamed_120f': [0x10, { 'CompletionFilter': [8, ['unsigned long']], 'Length': 
[0, ['unsigned long']], }], '__unnamed_120d': [0x20, { 'Length': [0, ['unsigned long']], 'FileIndex': [24, ['unsigned long']], 'FileInformationClass': [16, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 
'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'FileName': [8, ['pointer64', ['_UNICODE_STRING']]], }], '_DMM_VIDPNPATHSFROMSOURCE_SERIALIZATION': [0x1e0, { 'PathAndTargetModeSerialization': [48, ['array', 1, ['_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION']]], 'NumPathsFromSource': [40, ['unsigned char']], 'SourceMode': [0, ['_D3DKMDT_VIDPN_SOURCE_MODE']], }], '_D3DDDI_GAMMA_RAMP_RGB256x3x16': [0x600, { 'Blue': [1024, ['array', 256, ['unsigned short']]], 'Green': [512, ['array', 256, ['unsigned short']]], 'Red': [0, ['array', 256, ['unsigned short']]], }], '_CALLPROCDATA': [0x40, { 'head': [0, ['_PROCDESKHEAD']], 'pfnClientPrevious': [48, ['unsigned long long']], 'wType': [56, ['unsigned short']], 'spcpdNext': [40, ['pointer64', ['_CALLPROCDATA']]], }], '_D3DDDI_RATIONAL': [0x8, { 'Denominator': [4, ['unsigned long']], 'Numerator': [0, ['unsigned long']], }], '_PFNCLIENT': [0xb8, { 'pfnDispatchDefWindowProc': [160, ['pointer64', ['void']]], 'pfnStaticWndProc': [112, ['pointer64', ['void']]], 'pfnDispatchHook': [152, ['pointer64', ['void']]], 'pfnDesktopWndProc': [24, ['pointer64', ['void']]], 'pfnImeWndProc': [120, ['pointer64', ['void']]], 'pfnScrollBarWndProc': [0, ['pointer64', ['void']]], 'pfnEditWndProc': [88, ['pointer64', ['void']]], 'pfnGhostWndProc': [128, ['pointer64', ['void']]], 'pfnMessageWindowProc': [40, ['pointer64', ['void']]], 'pfnSwitchWindowProc': [48, ['pointer64', ['void']]], 'pfnComboListBoxProc': [72, ['pointer64', ['void']]], 'pfnComboBoxWndProc': [64, ['pointer64', ['void']]], 'pfnMDIClientWndProc': [104, ['pointer64', ['void']]], 'pfnDialogWndProc': [80, ['pointer64', ['void']]], 'pfnHkINLPCWPSTRUCT': [136, ['pointer64', ['void']]], 'pfnTitleWndProc': [8, ['pointer64', ['void']]], 'pfnHkINLPCWPRETSTRUCT': [144, ['pointer64', ['void']]], 'pfnButtonWndProc': [56, ['pointer64', ['void']]], 'pfnMenuWndProc': [16, ['pointer64', ['void']]], 'pfnListBoxWndProc': [96, ['pointer64', ['void']]], 'pfnDispatchMessage': [168, 
['pointer64', ['void']]], 'pfnDefWindowProc': [32, ['pointer64', ['void']]], 'pfnMDIActivateDlgProc': [176, ['pointer64', ['void']]], }], '_THRDESKHEAD': [0x28, { 'h': [0, ['pointer64', ['void']]], 'pSelf': [32, ['pointer64', ['unsigned char']]], 'rpdesk': [24, ['pointer64', ['tagDESKTOP']]], 'pti': [16, ['pointer64', ['tagTHREADINFO']]], 'cLockObj': [8, ['unsigned long']], }], '_D3DKMDT_MONITOR_SOURCE_MODE': [0x60, { 'Origin': [84, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'VideoSignalInfo': [8, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'ColorCoeffDynamicRanges': [68, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'Preference': [88, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], 'Id': [0, ['unsigned long']], 'ColorBasis': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], 'VWPL': [0x10, { 'fTagged': [12, ['long']], 'cElem': [4, ['unsigned long']], 'cThreshhold': [8, ['unsigned long']], 'aElement': [16, ['array', 0, ['VWPLELEMENT']]], 'cPwnd': [0, ['unsigned long']], }], 'tagCURSOR': [0x88, { 'rt': [58, ['unsigned short']], 'head': [0, ['_PROCMARKHEAD']], 'hbmUserAlpha': [112, ['pointer64', ['HBITMAP__']]], 'cx': [124, ['unsigned long']], 'xHotspot': [68, ['short']], 'hbmColor': [80, ['pointer64', ['HBITMAP__']]], 'pcurNext': [32, ['pointer64', ['tagCURSOR']]], 'CURSORF_flags': [64, ['unsigned long']], 'hbmMask': [72, ['pointer64', ['HBITMAP__']]], 'bpp': [120, ['unsigned long']], 'cy': [128, ['unsigned long']], 'strName': [40, ['_UNICODE_STRING']], 'rcBounds': [96, ['tagRECT']], 'atomModName': 
[56, ['unsigned short']], 'hbmAlpha': [88, ['pointer64', ['HBITMAP__']]], 'yHotspot': [70, ['short']], }], '__unnamed_1203': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'Reserved': [16, ['unsigned short']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'Parameters': [24, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], }], '__unnamed_1207': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'Reserved': [16, ['unsigned short']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'Parameters': [24, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], }], 'HKL__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_1209': [0x18, { 'Length': [0, ['unsigned long']], 'ByteOffset': [16, ['_LARGE_INTEGER']], 'Key': [8, ['unsigned long']], }], 'tagDCE': [0x60, { 'hrgnClipPublic': [48, ['pointer64', ['HRGN__']]], 'pdceNext': [0, ['pointer64', ['tagDCE']]], 'hrgnSavedVis': [56, ['pointer64', ['HRGN__']]], 'pwndRedirect': [32, ['pointer64', ['tagWND']]], 'pMonitor': [88, ['pointer64', ['tagMONITOR']]], 'ppiOwner': [80, ['pointer64', ['tagPROCESSINFO']]], 'pwndOrg': [16, ['pointer64', ['tagWND']]], 'hrgnClip': [40, ['pointer64', ['HRGN__']]], 'hdc': [8, ['pointer64', ['HDC__']]], 'ptiOwner': [72, ['pointer64', ['tagTHREADINFO']]], 'DCX_flags': [64, ['unsigned long']], 'pwndClip': [24, ['pointer64', ['tagWND']]], }], 'tagPROCESS_HID_REQUEST': [0x28, { 'link': [0, ['_LIST_ENTRY']], 'fExclusiveOrphaned': [20, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'spwndTarget': [32, ['pointer64', ['tagWND']]], 'fSinkable': [20, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'pTLCInfo': [24, ['pointer64', ['tagHID_TLC_INFO']]], 'fDevNotify': [20, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'fExSinkable': [20, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'usUsage': [18, ['unsigned short']], 
'ptr': [24, ['pointer64', ['void']]], 'pPORequest': [24, ['pointer64', ['tagHID_PAGEONLY_REQUEST']]], 'usUsagePage': [16, ['unsigned short']], }], 'tagWOWTHREADINFO': [0x30, { 'pwtiNext': [0, ['pointer64', ['tagWOWTHREADINFO']]], 'pIdleEvent': [32, ['pointer64', ['_KEVENT']]], 'idParentProcess': [24, ['unsigned long']], 'fAssigned': [40, ['long']], 'idWaitObject': [16, ['unsigned long long']], 'idTask': [8, ['unsigned long']], }], '__unnamed_1962': [0x18, { 'Dma': [0, ['__unnamed_1956']], 'Generic': [0, ['__unnamed_1950']], 'Memory': [0, ['__unnamed_1950']], 'BusNumber': [0, ['__unnamed_1958']], 'Memory48': [0, ['__unnamed_195e']], 'Memory40': [0, ['__unnamed_195c']], 'DevicePrivate': [0, ['__unnamed_180f']], 'ConfigData': [0, ['__unnamed_195a']], 'Memory64': [0, ['__unnamed_1960']], 'Interrupt': [0, ['__unnamed_1954']], 'Port': [0, ['__unnamed_1950']], }], '__unnamed_1960': [0x18, { 'Length64': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment64': [4, ['unsigned long']], }], 'tagSBDATA': [0x10, { 'posMax': [4, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], 'pos': [12, ['long']], }], '__unnamed_1233': [0x20, { 'Interface': [16, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData': [24, ['pointer64', ['void']]], 'Version': [10, ['unsigned short']], 'InterfaceType': [0, ['pointer64', ['_GUID']]], 'Size': [8, ['unsigned short']], }], '__unnamed_1237': [0x8, { 'Capabilities': [0, ['pointer64', ['_DEVICE_CAPABILITIES']]], }], 'tagIMEINFO': [0x1c, { 'fdwProperty': [4, ['unsigned long']], 'fdwSelectCaps': [24, ['unsigned long']], 'fdwUICaps': [16, ['unsigned long']], 'dwPrivateDataSize': [0, ['unsigned long']], 'fdwSCSCaps': [20, ['unsigned long']], 'fdwSentenceCaps': [12, ['unsigned long']], 'fdwConversionCaps': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_SOURCE_MODE': [0x28, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_RMT_UNINITIALIZED', 1: 
'D3DKMDT_RMT_GRAPHICS', 2: 'D3DKMDT_RMT_TEXT'}}]], 'Id': [0, ['unsigned long']], 'Format': [8, ['__unnamed_18a1']], }], '_PROCMARKHEAD': [0x20, { 'h': [0, ['pointer64', ['void']]], 'ppi': [24, ['pointer64', ['tagPROCESSINFO']]], 'hTaskWow': [16, ['unsigned long']], 'cLockObj': [8, ['unsigned long']], }], 'tagKBDFILE': [0x78, { 'head': [0, ['_HEAD']], 'awchDllName': [56, ['array', 32, ['wchar']]], 'pKbdTbl': [32, ['pointer64', ['tagKbdLayer']]], 'pkfNext': [16, ['pointer64', ['tagKBDFILE']]], 'pKbdNlsTbl': [48, ['pointer64', ['tagKbdNlsLayer']]], 'hBase': [24, ['pointer64', ['void']]], 'Size': [40, ['unsigned long']], }], 'tagCLIENTINFO': [0xd8, { 'msgDbcsCB': [160, ['tagMSG']], 'dwCompatFlags': [20, ['unsigned long']], 'achDbcsCF': [154, ['array', 2, ['unsigned char']]], 'dwTIFlags': [28, ['unsigned long']], 'pClientThreadInfo': [96, ['pointer64', ['tagCLIENTTHREADINFO']]], 'CodePage': [152, ['unsigned short']], 'dwKeyCache': [112, ['unsigned long']], 'dwHookCurrent': [88, ['unsigned long']], 'afAsyncKeyStateRecentDown': [136, ['array', 8, ['unsigned char']]], 'dwCompatFlags2': [24, ['unsigned long']], 'fsHooks': [56, ['unsigned long']], 'ulClientDelta': [40, ['unsigned long long']], 'pDeskInfo': [32, ['pointer64', ['tagDESKTOPINFO']]], 'dwExpWinVer': [16, ['unsigned long']], 'dwHookData': [104, ['unsigned long long']], 'afAsyncKeyState': [128, ['array', 8, ['unsigned char']]], 'CallbackWnd': [64, ['_CALLBACKWND']], 'lpdwRegisteredClasses': [208, ['pointer64', ['unsigned long']]], 'cInDDEMLCallback': [92, ['long']], 'cSpins': [8, ['unsigned long long']], 'hKL': [144, ['pointer64', ['HKL__']]], 'dwAsyncKeyCache': [124, ['unsigned long']], 'afKeyState': [116, ['array', 8, ['unsigned char']]], 'CI_flags': [0, ['unsigned long long']], 'phkCurrent': [48, ['pointer64', ['tagHOOK']]], }], 'tagCLS': [0xa0, { 'spcur': [120, ['pointer64', ['tagCURSOR']]], 'cbwndExtra': [100, ['long']], 'pclsClone': [72, ['pointer64', ['tagCLS']]], 'lpszClientAnsiMenuName': [40, ['pointer64', 
['unsigned char']]], 'pclsBase': [64, ['pointer64', ['tagCLS']]], 'atomNVClassName': [10, ['unsigned short']], 'style': [84, ['unsigned long']], 'pclsNext': [0, ['pointer64', ['tagCLS']]], 'CSF_flags': [34, ['unsigned short']], 'lpfnWndProc': [88, ['pointer64', ['void']]], 'lpszAnsiClassName': [144, ['pointer64', ['unsigned char']]], 'spcpdFirst': [56, ['pointer64', ['_CALLPROCDATA']]], 'lpszClientUnicodeMenuName': [48, ['pointer64', ['unsigned short']]], 'cbclsExtra': [96, ['long']], 'lpszMenuName': [136, ['pointer64', ['unsigned short']]], 'spicnSm': [152, ['pointer64', ['tagCURSOR']]], 'hTaskWow': [32, ['unsigned short']], 'cWndReferenceCount': [80, ['long']], 'hbrBackground': [128, ['pointer64', ['HBRUSH__']]], 'spicn': [112, ['pointer64', ['tagCURSOR']]], 'fnid': [12, ['unsigned short']], 'pdce': [24, ['pointer64', ['tagDCE']]], 'hModule': [104, ['pointer64', ['void']]], 'rpdeskParent': [16, ['pointer64', ['tagDESKTOP']]], 'atomClassName': [8, ['unsigned short']], }], '_DMM_VIDPN_SERIALIZATION': [0xc, { 'PathsFromSourceSerializationOffsets': [8, ['array', 1, ['unsigned long']]], 'NumActiveSources': [4, ['unsigned char']], 'Size': [0, ['unsigned long']], }], 'tagHID_PAGEONLY_REQUEST': [0x18, { 'usUsagePage': [16, ['unsigned short']], 'link': [0, ['_LIST_ENTRY']], 'cRefCount': [20, ['unsigned long']], }], 'tagWINDOWSTATION': [0x98, { 'pClipBase': [88, ['pointer64', ['tagCLIP']]], 'dwSessionId': [0, ['unsigned long']], 'cNumClipFormats': [96, ['unsigned long']], 'luidUser': [136, ['_LUID']], 'pGlobalAtomTable': [120, ['pointer64', ['void']]], 'ptiClipLock': [48, ['pointer64', ['tagTHREADINFO']]], 'dwWSF_Flags': [32, ['unsigned long']], 'rpdeskList': [16, ['pointer64', ['tagDESKTOP']]], 'spklList': [40, ['pointer64', ['tagKL']]], 'spwndClipOpen': [64, ['pointer64', ['tagWND']]], 'luidEndSession': [128, ['_LUID']], 'pTerm': [24, ['pointer64', ['tagTERMINAL']]], 'rpwinstaNext': [8, ['pointer64', ['tagWINDOWSTATION']]], 'spwndClipboardListener': [112, ['pointer64', 
['tagWND']]], 'spwndClipViewer': [72, ['pointer64', ['tagWND']]], 'iClipSequenceNumber': [104, ['unsigned long']], 'ptiDrawingClipboard': [56, ['pointer64', ['tagTHREADINFO']]], 'spwndClipOwner': [80, ['pointer64', ['tagWND']]], 'psidUser': [144, ['pointer64', ['void']]], 'iClipSerialNumber': [100, ['unsigned long']], }], '__unnamed_11e4': [0x10, { 'UserApcContext': [8, ['pointer64', ['void']]], 'UserApcRoutine': [0, ['pointer64', ['void']]], 'IssuingProcess': [0, ['pointer64', ['void']]], }], 'tagPROFILEVALUEINFO': [0x10, { 'dwValue': [0, ['unsigned long']], 'uSection': [4, ['unsigned long']], 'pwszKeyName': [8, ['pointer64', ['wchar']]], }], 'tagOEMBITMAPINFO': [0x10, { 'y': [4, ['long']], 'x': [0, ['long']], 'cy': [12, ['long']], 'cx': [8, ['long']], }], '_DMM_COMMITVIDPNREQUEST_SERIALIZATION': [0x1c, { 'RequestDiagInfo': [4, ['_DMM_COMMITVIDPNREQUEST_DIAGINFO']], 'AffectedVidPnSourceId': [0, ['unsigned long']], 'VidPnSerialization': [16, ['_DMM_VIDPN_SERIALIZATION']], }], '_WNDMSG': [0x10, { 'abMsgs': [8, ['pointer64', ['unsigned char']]], 'maxMsgs': [0, ['unsigned long']], }], 'tagTDB': [0x28, { 'pti': [16, ['pointer64', ['tagTHREADINFO']]], 'TDB_Flags': [34, ['unsigned short']], 'hTaskWow': [32, ['unsigned short']], 'pwti': [24, ['pointer64', ['tagWOWTHREADINFO']]], 'nEvents': [8, ['long']], 'nPriority': [12, ['long']], 'ptdbNext': [0, ['pointer64', ['tagTDB']]], }], '_LIGATURE1': [0x6, { 'wch': [4, ['array', 1, ['wchar']]], 'VirtualKey': [0, ['unsigned char']], 'ModificationNumber': [2, ['unsigned short']], }], '_D3DKMDT_VIDPN_PRESENT_PATH': [0x168, { 'GammaRamp': [336, ['_D3DKMDT_GAMMA_RAMP']], 'VidPnSourceId': [0, ['unsigned long']], 'Content': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPC_UNINITIALIZED', 1: 'D3DKMDT_VPPC_GRAPHICS', 2: 'D3DKMDT_VPPC_VIDEO', 255: 'D3DKMDT_VPPC_NOTSPECIFIED'}}]], 'VisibleFromActiveBROffset': [36, ['_D3DKMDT_2DREGION']], 'VidPnTargetColorBasis': [44, ['Enumeration', {'target': 'long', 'choices': {0: 
'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], 'ContentTransformation': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION']], 'VidPnTargetId': [4, ['unsigned long']], 'VisibleFromActiveTLOffset': [28, ['_D3DKMDT_2DREGION']], 'CopyProtection': [68, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION']], 'VidPnTargetColorCoeffDynamicRanges': [48, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'ImportanceOrdinal': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPI_UNINITIALIZED', 1: 'D3DKMDT_VPPI_PRIMARY', 2: 'D3DKMDT_VPPI_SECONDARY', 3: 'D3DKMDT_VPPI_TERTIARY', 4: 'D3DKMDT_VPPI_QUATERNARY', 5: 'D3DKMDT_VPPI_QUINARY', 6: 'D3DKMDT_VPPI_SENARY', 7: 'D3DKMDT_VPPI_SEPTENARY', 8: 'D3DKMDT_VPPI_OCTONARY', 9: 'D3DKMDT_VPPI_NONARY', 10: 'D3DKMDT_VPPI_DENARY', 32: 'D3DKMDT_VPPI_MAX', 255: 'D3DKMDT_VPPI_NOTSPECIFIED'}}]], }], '__unnamed_1253': [0x8, { 'PowerSequence': [0, ['pointer64', ['_POWER_SEQUENCE']]], }], '_PROCDESKHEAD': [0x28, { 'h': [0, ['pointer64', ['void']]], 'pSelf': [32, ['pointer64', ['unsigned char']]], 'rpdesk': [24, ['pointer64', ['tagDESKTOP']]], 'hTaskWow': [16, ['unsigned long']], 'cLockObj': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT': [0x4, { 'Rotate270': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'Rotate90': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Rotate180': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], }], '__unnamed_1958': [0x10, { 'MinBusNumber': [4, ['unsigned long']], 'Length': [0, ['unsigned long']], 'Reserved': [12, ['unsigned long']], 'MaxBusNumber': [8, ['unsigned long']], }], '_CONSOLE_CARET_INFO': [0x18, { 'hwnd': [0, ['pointer64', ['HWND__']]], 'rc': [8, ['tagRECT']], }], 'tagPROCESSINFO': 
[0x300, { 'fHasMagContext': [736, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'hwinsta': [608, ['pointer64', ['HWINSTA__']]], 'ptiList': [256, ['pointer64', ['tagTHREADINFO']]], 'pHidTable': [744, ['pointer64', ['tagPROCESS_HID_TABLE']]], 'W32PF_Flags': [12, ['unsigned long']], 'UserHandleCount': [68, ['long']], 'dwhmodLibLoadedMask': [340, ['unsigned long']], 'GDIBrushAttrFreeList': [208, ['_LIST_ENTRY']], 'hdeskStartup': [328, ['pointer64', ['HDESK__']]], 'dwImeCompatFlags': [696, ['unsigned long']], 'dwRegisteredClasses': [752, ['unsigned long']], 'pBrushAttrList': [48, ['pointer64', ['void']]], 'usi': [708, ['tagUSERSTARTUPINFO']], 'InputIdleEvent': [16, ['pointer64', ['_KEVENT']]], 'W32Pid': [56, ['unsigned long']], 'bmHandleFlags': [648, ['_RTL_BITMAP']], 'UserHandleCountPeak': [72, ['unsigned long']], 'GDIEngUserMemAllocTable': [88, ['_RTL_AVL_TABLE']], 'cSysExpunge': [336, ['unsigned long']], 'pdvList': [632, ['pointer64', ['tagDESKTOPVIEW']]], 'pwpi': [296, ['pointer64', ['tagWOWPROCESSINFO']]], 'ppiNextRunning': [312, ['pointer64', ['tagPROCESSINFO']]], 'Process': [0, ['pointer64', ['_EPROCESS']]], 'pCursorCache': [664, ['pointer64', ['tagCURSOR']]], 'pClientBase': [672, ['pointer64', ['void']]], 'dwLpkEntryPoints': [680, ['unsigned long']], 'GDIDcAttrFreeList': [192, ['_LIST_ENTRY']], 'DxProcess': [248, ['pointer64', ['void']]], 'NextStart': [32, ['pointer64', ['_W32PROCESS']]], 'RefCount': [8, ['unsigned long']], 'dwLayout': [740, ['unsigned long']], 'pclsPublicList': [288, ['pointer64', ['tagCLS']]], 'Unused': [736, ['BitField', {'end_bit': 32, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'GDIPushLock': [80, ['_EX_PUSH_LOCK']], 'hMonitor': [624, ['pointer64', ['HMONITOR__']]], 'ptiMainThread': [264, ['pointer64', ['tagTHREADINFO']]], 'pvwplWndGCList': [760, ['pointer64', ['VWPL']]], 'pW32Job': [688, ['pointer64', ['tagW32JOB']]], 'luidSession': [700, ['_LUID']], 'GDIHandleCount': [60, ['long']], 'cThreads': 
[320, ['unsigned long']], 'rpdeskStartup': [272, ['pointer64', ['tagDESKTOP']]], 'hSecureGdiSharedHandleTable': [240, ['pointer64', ['void']]], 'pclsPrivateList': [280, ['pointer64', ['tagCLS']]], 'GDIHandleCountPeak': [64, ['unsigned long']], 'StartCursorHideTime': [24, ['unsigned long']], 'ppiNext': [304, ['pointer64', ['tagPROCESSINFO']]], 'Flags': [736, ['unsigned long']], 'dwHotkey': [620, ['unsigned long']], 'amwinsta': [616, ['unsigned long']], 'rpwinsta': [600, ['pointer64', ['tagWINDOWSTATION']]], 'ahmodLibLoaded': [344, ['array', 32, ['pointer64', ['void']]]], 'iClipSerialNumber': [640, ['unsigned long']], 'GDIW32PIDLockedBitmaps': [224, ['_LIST_ENTRY']], 'pDCAttrList': [40, ['pointer64', ['void']]], }], '__unnamed_181b': [0x10, { 'Dma': [0, ['__unnamed_180d']], 'MessageInterrupt': [0, ['__unnamed_180b']], 'Generic': [0, ['__unnamed_1805']], 'Memory': [0, ['__unnamed_1805']], 'BusNumber': [0, ['__unnamed_1811']], 'DeviceSpecificData': [0, ['__unnamed_1813']], 'Memory48': [0, ['__unnamed_1817']], 'Memory40': [0, ['__unnamed_1815']], 'DevicePrivate': [0, ['__unnamed_180f']], 'Memory64': [0, ['__unnamed_1819']], 'Interrupt': [0, ['__unnamed_1807']], 'Port': [0, ['__unnamed_1805']], }], '__unnamed_195e': [0x18, { 'Length48': [0, ['unsigned long']], 'Alignment48': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '__unnamed_195c': [0x18, { 'Length40': [0, ['unsigned long']], 'Alignment40': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '__unnamed_195a': [0xc, { 'Priority': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_125f': [0x10, { 'AllocatedResources': [0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated': [8, ['pointer64', ['_CM_RESOURCE_LIST']]], }], '__unnamed_125b': [0x20, { 'State': [16, ['_POWER_STATE']], 'Type': [8, ['Enumeration', 
{'target': 'long', 'choices': {0: 'SystemPowerState', 1: 'DevicePowerState'}}]], 'SystemContext': [0, ['unsigned long']], 'ShutdownType': [24, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'}}]], 'SystemPowerStateContext': [0, ['_SYSTEM_POWER_STATE_CONTEXT']], }], 'tagKbdLayer': [0x68, { 'pVkToWcharTable': [8, ['pointer64', ['_VK_TO_WCHAR_TABLE']]], 'pusVSCtoVK': [48, ['pointer64', ['unsigned short']]], 'fLocaleFlags': [80, ['unsigned long']], 'pKeyNamesExt': [32, ['pointer64', ['VSC_LPWSTR']]], 'dwSubType': [100, ['unsigned long']], 'pDeadKey': [16, ['pointer64', ['DEADKEY']]], 'pCharModifiers': [0, ['pointer64', ['MODIFIERS']]], 'pKeyNamesDead': [40, ['pointer64', ['pointer64', ['unsigned short']]]], 'bMaxVSCtoVK': [56, ['unsigned char']], 'pKeyNames': [24, ['pointer64', ['VSC_LPWSTR']]], 'dwType': [96, ['unsigned long']], 'pLigature': [88, ['pointer64', ['_LIGATURE1']]], 'nLgMax': [84, ['unsigned char']], 'pVSCtoVK_E1': [72, ['pointer64', ['_VSC_VK']]], 'pVSCtoVK_E0': [64, ['pointer64', ['_VSC_VK']]], 'cbLgEntry': [85, ['unsigned char']], }], 'HDC__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32AllocStats': [0x20, { 'dwMaxAlloc': [16, ['unsigned long']], 'pHead': [24, ['pointer64', ['tagWin32PoolHead']]], 'dwMaxMem': [0, ['unsigned long long']], 'dwCrtMem': [8, ['unsigned long long']], 'dwCrtAlloc': [20, ['unsigned long']], }], '__unnamed_18c5': [0x4, { 'DefaultBig': [0, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'BaseMiddle': [0, ['BitField', {'end_bit': 8, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Granularity': [0, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'LimitHigh': [0, ['BitField', {'end_bit': 20, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'BaseHigh': [0, 
['BitField', {'end_bit': 32, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'Dpl': [0, ['BitField', {'end_bit': 15, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'Type': [0, ['BitField', {'end_bit': 13, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'System': [0, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'Present': [0, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'LongMode': [0, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], }], '__unnamed_1817': [0xc, { 'Length48': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], '__unnamed_1815': [0xc, { 'Length40': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], '__unnamed_1813': [0xc, { 'DataSize': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT': [0x4, { 'Centered': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'AspectRatioCenteredMax': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'Stretched': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Custom': [0, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], }], '__unnamed_1956': [0x8, { 'MinimumChannel': [0, ['unsigned long']], 'MaximumChannel': [4, ['unsigned long']], }], '__unnamed_1954': [0x18, { 'AffinityPolicy': [8, ['unsigned short']], 'Group': [10, ['unsigned short']], 'PriorityPolicy': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'}}]], 'MinimumVector': [0, ['unsigned long']], 'MaximumVector': [4, ['unsigned long']], 'TargetedProcessors': [16, ['unsigned long long']], }], 'tagMSG': [0x30, { 'wParam': 
[16, ['unsigned long long']], 'lParam': [24, ['long long']], 'pt': [36, ['tagPOINT']], 'hwnd': [0, ['pointer64', ['HWND__']]], 'time': [32, ['unsigned long']], 'message': [8, ['unsigned long']], }], '__unnamed_1819': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length64': [8, ['unsigned long']], }], '_DMM_VIDPNSET_SERIALIZATION': [0x8, { 'VidPnOffset': [4, ['array', 1, ['unsigned long']]], 'NumVidPns': [0, ['unsigned char']], }], 'tagWOWPROCESSINFO': [0x48, { 'ptdbHead': [16, ['pointer64', ['tagTDB']]], 'lpfnWowExitTask': [24, ['pointer64', ['void']]], 'CSOwningThread': [56, ['pointer64', ['tagTHREADINFO']]], 'ptiScheduled': [8, ['pointer64', ['tagTHREADINFO']]], 'nSendLock': [48, ['unsigned long']], 'nRecvLock': [52, ['unsigned long']], 'CSLockCount': [64, ['long']], 'hEventWowExecClient': [40, ['pointer64', ['void']]], 'pwpiNext': [0, ['pointer64', ['tagWOWPROCESSINFO']]], 'pEventWowExec': [32, ['pointer64', ['_KEVENT']]], }], 'tagMENU': [0x98, { 'iItem': [44, ['long']], 'head': [0, ['_PROCDESKHEAD']], 'umpm': [132, ['tagUAHMENUPOPUPMETRICS']], 'cItems': [52, ['unsigned long']], 'pParentMenus': [88, ['pointer64', ['tagMENULIST']]], 'fFlags': [40, ['unsigned long']], 'cxMenu': [56, ['unsigned long']], 'dwContextHelpId': [96, ['unsigned long']], 'hbrBack': [112, ['pointer64', ['HBRUSH__']]], 'cxTextAlign': [64, ['unsigned long']], 'cAlloced': [48, ['unsigned long']], 'spwndNotify': [72, ['pointer64', ['tagWND']]], 'dwArrowsOn': [128, ['BitField', {'end_bit': 2, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'iMaxTop': [124, ['long']], 'dwMenuData': [104, ['unsigned long long']], 'cyMenu': [60, ['unsigned long']], 'rgItems': [80, ['pointer64', ['tagITEM']]], 'iTop': [120, ['long']], 'cyMax': [100, ['unsigned long']], }], '_D3DDDI_GAMMA_RAMP_DXGI_1': [0x3024, { 'GammaCurve': [24, ['array', 1025, ['D3DDDI_DXGI_RGB']]], 'Scale': [0, ['D3DDDI_DXGI_RGB']], 'Offset': [12, ['D3DDDI_DXGI_RGB']], }], 'tagPOPUPMENU': [0x58, { 'fUseMonitorRect': [0, ['BitField', {'end_bit': 
29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'fDroppedLeft': [0, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'fHierarchyDropped': [0, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'posDropped': [84, ['unsigned long']], 'spwndNextPopup': [24, ['pointer64', ['tagWND']]], 'fIsMenuBar': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'spwndPrevPopup': [32, ['pointer64', ['tagWND']]], 'fHasMenuBar': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'spwndActivePopup': [56, ['pointer64', ['tagWND']]], 'fTrackMouseEvent': [0, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'fNoNotify': [0, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'posSelectedItem': [80, ['unsigned long']], 'fIsSysMenu': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'fFlushDelayedFree': [0, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'ppmDelayedFree': [72, ['pointer64', ['tagPOPUPMENU']]], 'fFreed': [0, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'fSynchronous': [0, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'fDropNextPopup': [0, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fRightButton': [0, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'spmenuAlternate': [48, ['pointer64', ['tagMENU']]], 'spmenu': [40, ['pointer64', ['tagMENU']]], 'spwndPopupMenu': [16, ['pointer64', ['tagWND']]], 'fDestroyed': [0, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'iDropDir': [0, ['BitField', {'end_bit': 28, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'ppopupmenuRoot': [64, ['pointer64', ['tagPOPUPMENU']]], 'fFirstClick': [0, ['BitField', {'end_bit': 10, 
'start_bit': 9, 'native_type': 'unsigned long'}]], 'spwndNotify': [8, ['pointer64', ['tagWND']]], 'fRtoL': [0, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'fIsTrackPopup': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'fSendUninit': [0, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'fShowTimer': [0, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'fInCancel': [0, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'fToggle': [0, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fDelayedFree': [0, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'fHideTimer': [0, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'fAboutToHide': [0, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], }], '_DMM_MONITORDESCRIPTOR_SERIALIZATION': [0x8c, { 'Origin': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'Data': [12, ['array', 128, ['unsigned char']]], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MDT_UNINITIALIZED', 1: 'D3DKMDT_MDT_VESA_EDID_V1_BASEBLOCK', 2: 'D3DKMDT_MDT_VESA_EDID_V1_BLOCKMAP', 255: 'D3DKMDT_MDT_OTHER'}}]], 'Id': [0, ['unsigned long']], }], 'HTOUCHINPUT__': [0x4, { 'unused': [0, ['long']], }], '_VK_VALUES_STRINGS': [0x10, { 'fReserved': [8, ['unsigned char']], 'pszMultiNames': [0, ['pointer64', ['unsigned char']]], }], '_DMM_MONITOR_SOURCE_MODE_SERIALIZATION': [0x68, { 'Info': [0, ['_D3DKMDT_MONITOR_SOURCE_MODE']], 'TimingType': [96, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MTT_UNINITIALIZED', 
1: 'D3DKMDT_MTT_ESTABLISHED', 2: 'D3DKMDT_MTT_STANDARD', 3: 'D3DKMDT_MTT_EXTRASTANDARD', 4: 'D3DKMDT_MTT_DETAILED', 5: 'D3DKMDT_MTT_DEFAULTMONITORPROFILE', 6: 'D3DKMDT_MTT_MAXVALID'}}]], }], 'tagSBCALC': [0x40, { 'posMax': [4, ['long']], 'pxThumbTop': [52, ['long']], 'pxThumbBottom': [48, ['long']], 'cpxThumb': [32, ['long']], 'pxMin': [60, ['long']], 'pxStart': [44, ['long']], 'pxDownArrow': [40, ['long']], 'pos': [12, ['long']], 'cpx': [56, ['long']], 'pxBottom': [20, ['long']], 'pxTop': [16, ['long']], 'pxLeft': [24, ['long']], 'pxRight': [28, ['long']], 'pxUpArrow': [36, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], }], 'HIMC__': [0x4, { 'unused': [0, ['long']], }], 'tagSBINFO': [0x24, { 'WSBflags': [0, ['long']], 'Horz': [4, ['tagSBDATA']], 'Vert': [20, ['tagSBDATA']], }], '__unnamed_1211': [0x10, { 'Length': [0, ['unsigned long']], 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 
'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], }], '__unnamed_1213': [0x20, { 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 
'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'AdvanceOnly': [25, ['unsigned char']], 'ClusterCount': [24, ['unsigned long']], 'Length': [0, ['unsigned long']], 'DeleteHandle': [24, ['pointer64', ['void']]], 'ReplaceIfExists': [24, ['unsigned char']], 'FileObject': [16, ['pointer64', ['_FILE_OBJECT']]], }], '__unnamed_1219': [0x20, { 'Type3InputBuffer': [24, ['pointer64', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'FsControlCode': [16, ['unsigned long']], 'InputBufferLength': [8, ['unsigned long']], }], '__unnamed_1950': [0x18, { 'Length': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment': [4, ['unsigned long']], }], 'tagITEM': [0x90, { 'ulX': [84, ['unsigned long']], 'wID': [8, ['unsigned long']], 'dwItemData': [56, ['unsigned long long']], 'cyItem': [76, ['unsigned long']], 'hbmpChecked': [24, ['pointer64', ['void']]], 'xItem': [64, ['unsigned long']], 'spSubMenu': [16, ['pointer64', ['tagMENU']]], 'hbmpUnchecked': [32, ['pointer64', ['void']]], 'fState': [4, ['unsigned long']], 'dxTab': [80, ['unsigned long']], 'hbmp': [96, ['pointer64', ['HBITMAP__']]], 'yItem': [68, ['unsigned long']], 'fType': [0, ['unsigned long']], 'umim': [112, ['tagUAHMENUITEMMETRICS']], 
'cch': [48, ['unsigned long']], 'ulWidth': [88, ['unsigned long']], 'cyBmp': [108, ['long']], 'cxBmp': [104, ['long']], 'lpstr': [40, ['pointer64', ['unsigned short']]], 'cxItem': [72, ['unsigned long']], }], '_VSC_VK': [0x4, { 'Vsc': [0, ['unsigned char']], 'Vk': [2, ['unsigned short']], }], '__unnamed_123f': [0x1, { 'Lock': [0, ['unsigned char']], }], '_DMM_MONITOR_SERIALIZATION': [0x28, { 'FrequencyRangeSetOffset': [28, ['unsigned long']], 'ModePruningAlgorithm': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_MPA_UNINITIALIZED', 1: 'DMM_MPA_GDI', 2: 'DMM_MPA_VISTA', 3: 'DMM_MPA_MAXVALID'}}]], 'VideoPresentTargetId': [4, ['unsigned long']], 'IsSimulatedMonitor': [12, ['unsigned char']], 'SourceModeSetOffset': [24, ['unsigned long']], 'Orientation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MO_UNINITIALIZED', 1: 'D3DKMDT_MO_0DEG', 2: 'D3DKMDT_MO_90DEG', 3: 'D3DKMDT_MO_180DEG', 4: 'D3DKMDT_MO_270DEG'}}]], 'DescriptorSetOffset': [32, ['unsigned long']], 'MonitorPowerState': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'}}]], 'IsUsingDefaultProfile': [13, ['unsigned char']], 'MonitorType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_VMT_UNINITIALIZED', 1: 'DMM_VMT_PHYSICAL_MONITOR', 2: 'DMM_VMT_BOOT_PERSISTENT_MONITOR', 3: 'DMM_VMT_PERSISTENT_MONITOR', 4: 'DMM_VMT_TEMPORARY_MONITOR', 5: 'DMM_VMT_SIMULATED_MONITOR'}}]], 'Size': [0, ['unsigned long']], }], '_VK_TO_WCHARS1': [0x4, { 'Attributes': [1, ['unsigned char']], 'VirtualKey': [0, ['unsigned char']], 'wch': [2, ['array', 1, ['wchar']]], }], '__unnamed_121b': [0x18, { 'Length': [0, ['pointer64', ['_LARGE_INTEGER']]], 'ByteOffset': [16, ['_LARGE_INTEGER']], 'Key': [8, ['unsigned long']], }], '__unnamed_121d': [0x20, { 'Type3InputBuffer': [24, ['pointer64', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'IoControlCode': 
[16, ['unsigned long']], 'InputBufferLength': [8, ['unsigned long']], }], '__unnamed_121f': [0x10, { 'Length': [8, ['unsigned long']], 'SecurityInformation': [0, ['unsigned long']], }], '_DMM_MONITORFREQUENCYRANGESET_SERIALIZATION': [0x38, { 'NumFrequencyRanges': [0, ['unsigned char']], 'FrequencyRangeSerialization': [8, ['array', 1, ['_D3DKMDT_MONITOR_FREQUENCY_RANGE']]], }], '_D3DKMDT_GAMMA_RAMP': [0x18, { 'Data': [16, ['__unnamed_182e']], 'DataSize': [8, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_GAMMARAMP_UNINITIALIZED', 1: 'D3DDDI_GAMMARAMP_DEFAULT', 2: 'D3DDDI_GAMMARAMP_RGB256x3x16', 3: 'D3DDDI_GAMMARAMP_DXGI_1'}}]], }], '_W32PROCESS': [0x100, { 'GDIPushLock': [80, ['_EX_PUSH_LOCK']], 'DxProcess': [248, ['pointer64', ['void']]], 'pBrushAttrList': [48, ['pointer64', ['void']]], 'Process': [0, ['pointer64', ['_EPROCESS']]], 'NextStart': [32, ['pointer64', ['_W32PROCESS']]], 'GDIW32PIDLockedBitmaps': [224, ['_LIST_ENTRY']], 'RefCount': [8, ['unsigned long']], 'StartCursorHideTime': [24, ['unsigned long']], 'GDIBrushAttrFreeList': [208, ['_LIST_ENTRY']], 'InputIdleEvent': [16, ['pointer64', ['_KEVENT']]], 'W32PF_Flags': [12, ['unsigned long']], 'GDIHandleCount': [60, ['long']], 'hSecureGdiSharedHandleTable': [240, ['pointer64', ['void']]], 'UserHandleCountPeak': [72, ['unsigned long']], 'W32Pid': [56, ['unsigned long']], 'UserHandleCount': [68, ['long']], 'pDCAttrList': [40, ['pointer64', ['void']]], 'GDIEngUserMemAllocTable': [88, ['_RTL_AVL_TABLE']], 'GDIHandleCountPeak': [64, ['unsigned long']], 'GDIDcAttrFreeList': [192, ['_LIST_ENTRY']], }], 'tagSERVERINFO': [0x1220, { 'uiShellMsg': [912, ['unsigned long']], 'atomSysClass': [852, ['array', 25, ['unsigned short']]], 'dtScroll': [2800, ['unsigned long']], 'dwKeyCache': [2952, ['unsigned long']], 'atomIconSmProp': [1356, ['unsigned short']], 'argbSystemUnmatched': [2268, ['array', 31, ['unsigned long']]], 'atomContextHelpIdProp': [1360, ['unsigned short']], 
'cySysFontChar': [2832, ['long']], 'mpFnid_serverCBWndProc': [328, ['array', 31, ['unsigned short']]], 'PUSIFlags': [4476, ['unsigned long']], 'dtLBSearch': [2804, ['unsigned long']], 'tmSysFont': [2836, ['tagTEXTMETRICW']], 'ahbrSystem': [2520, ['array', 31, ['pointer64', ['HBRUSH__']]]], 'dwDefaultHeapSize': [908, ['unsigned long']], 'dwSRVIFlags': [0, ['unsigned long']], 'BitsPixel': [4473, ['unsigned char']], 'wMaxLeftOverlapChars': [2820, ['long']], 'dwLastSystemRITEventTickCountUpdate': [4488, ['unsigned long']], 'dpiSystem': [2896, ['tagDPISERVERINFO']], 'hIcoWindows': [2944, ['pointer64', ['HICON__']]], 'dwAsyncKeyCache': [2956, ['unsigned long']], 'dwTagCount': [4632, ['unsigned long']], 'adwDBGTAGFlags': [4492, ['array', 35, ['unsigned long']]], 'aiSysMet': [1880, ['array', 97, ['long']]], 'acAnsiToOem': [1620, ['array', 256, ['unsigned char']]], 'aStoCidPfn': [272, ['array', 7, ['pointer64', ['void']]]], 'dwLastRITEventTickCount': [2792, ['unsigned long']], 'cbHandleTable': [848, ['unsigned long']], 'atomFrostedWindowProp': [1362, ['unsigned short']], 'ucWheelScrollLines': [2812, ['unsigned long']], 'ptCursorReal': [2784, ['tagPOINT']], 'ucWheelScrollChars': [2816, ['unsigned long']], 'acOemToAnsi': [1364, ['array', 256, ['unsigned char']]], 'hbrGray': [2768, ['pointer64', ['HBRUSH__']]], 'BitCount': [4468, ['unsigned short']], 'argbSystem': [2392, ['array', 31, ['unsigned long']]], 'dtCaretBlink': [2808, ['unsigned long']], 'dwInstalledEventHooks': [1876, ['unsigned long']], 'cxSysFontChar': [2828, ['long']], 'wMaxRightOverlapChars': [2824, ['long']], 'oembmi': [2964, ['array', 93, ['tagOEMBITMAPINFO']]], 'apfnClientWorker': [760, ['_PFNCLIENTWORKER']], 'dwDefaultHeapBase': [904, ['unsigned long']], 'apfnClientA': [392, ['_PFNCLIENT']], 'dmLogPixels': [4470, ['unsigned short']], 'nEvents': [2796, ['long']], 'atomIconProp': [1358, ['unsigned short']], 'Planes': [4472, ['unsigned char']], 'apfnClientW': [576, ['_PFNCLIENT']], 'MBStrings': [916, ['array', 
11, ['tagMBSTRING']]], 'UILangID': [4484, ['unsigned short']], 'dwRIPFlags': [4636, ['unsigned long']], 'uCaretWidth': [4480, ['unsigned long']], 'cCaptures': [2960, ['unsigned long']], 'cHandleEntries': [8, ['unsigned long long']], 'ptCursor': [2776, ['tagPOINT']], 'hIconSmWindows': [2936, ['pointer64', ['HICON__']]], 'mpFnidPfn': [16, ['array', 32, ['pointer64', ['void']]]], 'rcScreenReal': [4452, ['tagRECT']], }], '_D3DKMDT_VIDEO_SIGNAL_INFO': [0x38, { 'VSyncFreq': [20, ['_D3DDDI_RATIONAL']], 'ActiveSize': [12, ['_D3DKMDT_2DREGION']], 'PixelRate': [40, ['unsigned long long']], 'TotalSize': [4, ['_D3DKMDT_2DREGION']], 'VideoStandard': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VSS_UNINITIALIZED', 1: 'D3DKMDT_VSS_VESA_DMT', 2: 'D3DKMDT_VSS_VESA_GTF', 3: 'D3DKMDT_VSS_VESA_CVT', 4: 'D3DKMDT_VSS_IBM', 5: 'D3DKMDT_VSS_APPLE', 6: 'D3DKMDT_VSS_NTSC_M', 7: 'D3DKMDT_VSS_NTSC_J', 8: 'D3DKMDT_VSS_NTSC_443', 9: 'D3DKMDT_VSS_PAL_B', 10: 'D3DKMDT_VSS_PAL_B1', 11: 'D3DKMDT_VSS_PAL_G', 12: 'D3DKMDT_VSS_PAL_H', 13: 'D3DKMDT_VSS_PAL_I', 14: 'D3DKMDT_VSS_PAL_D', 15: 'D3DKMDT_VSS_PAL_N', 16: 'D3DKMDT_VSS_PAL_NC', 17: 'D3DKMDT_VSS_SECAM_B', 18: 'D3DKMDT_VSS_SECAM_D', 19: 'D3DKMDT_VSS_SECAM_G', 20: 'D3DKMDT_VSS_SECAM_H', 21: 'D3DKMDT_VSS_SECAM_K', 22: 'D3DKMDT_VSS_SECAM_K1', 23: 'D3DKMDT_VSS_SECAM_L', 24: 'D3DKMDT_VSS_SECAM_L1', 25: 'D3DKMDT_VSS_EIA_861', 26: 'D3DKMDT_VSS_EIA_861A', 27: 'D3DKMDT_VSS_EIA_861B', 28: 'D3DKMDT_VSS_PAL_K', 29: 'D3DKMDT_VSS_PAL_K1', 30: 'D3DKMDT_VSS_PAL_L', 31: 'D3DKMDT_VSS_PAL_M', 255: 'D3DKMDT_VSS_OTHER'}}]], 'ScanLineOrdering': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_VSSLO_UNINITIALIZED', 1: 'D3DDDI_VSSLO_PROGRESSIVE', 2: 'D3DDDI_VSSLO_INTERLACED_UPPERFIELDFIRST', 3: 'D3DDDI_VSSLO_INTERLACED_LOWERFIELDFIRST', 255: 'D3DDDI_VSSLO_OTHER'}}]], 'HSyncFreq': [28, ['_D3DDDI_RATIONAL']], }], '__unnamed_11df': [0x8, { 'IrpCount': [0, ['long']], 'SystemBuffer': [0, ['pointer64', ['void']]], 'MasterIrp': [0, ['pointer64', 
['_IRP']]], }], 'D3DDDI_DXGI_RGB': [0xc, { 'Blue': [8, ['float']], 'Green': [4, ['float']], 'Red': [0, ['float']], }], '_MAGNIFICATION_INPUT_TRANSFORM': [0x30, { 'rcScreen': [16, ['tagRECT']], 'magFactorX': [40, ['long']], 'magFactorY': [44, ['long']], 'ptiMagThreadInfo': [32, ['pointer64', ['tagTHREADINFO']]], 'rcSource': [0, ['tagRECT']], }], '_D3DKMDT_MONITOR_FREQUENCY_RANGE': [0x30, { 'Origin': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'ConstraintType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MFRC_UNINITIALIZED', 1: 'D3DKMDT_MFRC_ACTIVESIZE', 2: 'D3DKMDT_MFRC_MAXPIXELRATE'}}]], 'RangeLimits': [4, ['_D3DKMDT_FREQUENCY_RANGE']], 'Constraint': [40, ['__unnamed_16c1']], }], '_PFNCLIENTWORKER': [0x58, { 'pfnComboBoxWndProc': [8, ['pointer64', ['void']]], 'pfnMDIClientWndProc': [48, ['pointer64', ['void']]], 'pfnDialogWndProc': [24, ['pointer64', ['void']]], 'pfnStaticWndProc': [56, ['pointer64', ['void']]], 'pfnCtfHookProc': [80, ['pointer64', ['void']]], 'pfnButtonWndProc': [0, ['pointer64', ['void']]], 'pfnImeWndProc': [64, ['pointer64', ['void']]], 'pfnEditWndProc': [32, ['pointer64', ['void']]], 'pfnListBoxWndProc': [40, ['pointer64', ['void']]], 'pfnGhostWndProc': [72, ['pointer64', ['void']]], 'pfnComboListBoxProc': [16, ['pointer64', ['void']]], }], '_DMA_OPERATIONS': [0x80, { 'PutDmaAdapter': [8, ['pointer64', ['void']]], 'FreeMapRegisters': [56, ['pointer64', ['void']]], 'MapTransfer': [64, ['pointer64', ['void']]], 'FreeCommonBuffer': [24, ['pointer64', ['void']]], 'ReadDmaCounter': [80, ['pointer64', ['void']]], 'AllocateCommonBuffer': [16, ['pointer64', ['void']]], 'PutScatterGatherList': [96, ['pointer64', ['void']]], 'CalculateScatterGatherList': [104, ['pointer64', ['void']]], 
'BuildMdlFromScatterGatherList': [120, ['pointer64', ['void']]], 'GetScatterGatherList': [88, ['pointer64', ['void']]], 'AllocateAdapterChannel': [32, ['pointer64', ['void']]], 'FreeAdapterChannel': [48, ['pointer64', ['void']]], 'GetDmaAlignment': [72, ['pointer64', ['void']]], 'FlushAdapterBuffers': [40, ['pointer64', ['void']]], 'BuildScatterGatherList': [112, ['pointer64', ['void']]], 'Size': [0, ['unsigned long']], }], '_DXGK_DIAG_HEADER': [0x30, { 'Index': [40, ['unsigned long']], 'ProcessName': [16, ['array', 16, ['unsigned char']]], 'LogTimestamp': [8, ['unsigned long long']], 'ThreadId': [32, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_TYPE_NONE', 1: 'DXGK_DIAG_TYPE_SDC', 2: 'DXGK_DIAG_TYPE_HPD', 3: 'DXGK_DIAG_TYPE_DC_ORIGIN', 4: 'DXGK_DIAG_TYPE_USER_CDS', 5: 'DXGK_DIAG_TYPE_DRV_CDS', 6: 'DXGK_DIAG_TYPE_CODE_POINT', 7: 'DXGK_DIAG_TYPE_QDC', 8: 'DXGK_DIAG_TYPE_MONITOR_MGR', 9: 'DXGK_DIAG_TYPE_CONNECTEDSET_NOT_FOUND', 10: 'DXGK_DIAG_TYPE_DISPDIAG_COLLECTED', 11: 'DXGK_DIAG_TYPE_BML_PACKET', 12: 'DXGK_DIAG_TYPE_BML_PACKET_EX', 13: 'DXGK_DIAG_TYPE_COMMIT_VIDPN_FAILED', 14: 'DXGK_DIAG_TYPE_MAX', -1: 'DXGK_DIAG_TYPE_FORCE_UINT32'}}]], 'WdLogIdx': [44, ['unsigned long']], 'Size': [4, ['unsigned long']], }], '__unnamed_1225': [0x10, { 'DeviceObject': [8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb': [0, ['pointer64', ['_VPB']]], }], '_SM_VALUES_STRINGS': [0x18, { 'StorageType': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'SmStorageActual', 1: 'SmStorageNonActual'}}]], 'pszName': [0, ['pointer64', ['unsigned char']]], 'ulValue': [8, ['unsigned long']], 'RangeType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'SmRangeSharedInfo', 1: 'SmRangeNonSharedInfo', 2: 'SmRangeBool'}}]], }], 'tagTERMINAL': [0x40, { 'spwndDesktopOwner': [8, ['pointer64', ['tagWND']]], 'dwTERMF_Flags': [0, ['unsigned long']], 'dwNestedLevel': [32, ['unsigned long']], 'pqDesktop': [24, ['pointer64', ['tagQ']]], 
'pEventInputReady': [56, ['pointer64', ['_KEVENT']]], 'rpdeskDestroy': [48, ['pointer64', ['tagDESKTOP']]], 'ptiDesktop': [16, ['pointer64', ['tagTHREADINFO']]], 'pEventTermInit': [40, ['pointer64', ['_KEVENT']]], }], '_SCATTER_GATHER_LIST': [0x10, { 'Elements': [16, ['array', 0, ['_SCATTER_GATHER_ELEMENT']]], 'Reserved': [8, ['unsigned long long']], 'NumberOfElements': [0, ['unsigned long']], }], 'tagMENULIST': [0x10, { 'pMenu': [8, ['pointer64', ['tagMENU']]], 'pNext': [0, ['pointer64', ['tagMENULIST']]], }], 'tagPOINT': [0x8, { 'y': [4, ['long']], 'x': [0, ['long']], }], 'tagSHAREDINFO': [0x238, { 'psi': [0, ['pointer64', ['tagSERVERINFO']]], 'DefWindowSpecMsgs': [552, ['_WNDMSG']], 'awmControl': [40, ['array', 31, ['_WNDMSG']]], 'ulSharedDelta': [32, ['unsigned long long']], 'pDispInfo': [24, ['pointer64', ['tagDISPLAYINFO']]], 'aheList': [8, ['pointer64', ['_HANDLEENTRY']]], 'DefWindowMsgs': [536, ['_WNDMSG']], 'HeEntrySize': [16, ['unsigned long']], }], 'tagIMC': [0x40, { 'dwClientImcData': [48, ['unsigned long long']], 'head': [0, ['_THRDESKHEAD']], 'hImeWnd': [56, ['pointer64', ['HWND__']]], 'pImcNext': [40, ['pointer64', ['tagIMC']]], }], 'tagKL': [0x78, { 'uNumTbl': [88, ['unsigned long']], 'pklPrev': [24, ['pointer64', ['tagKL']]], 'head': [0, ['_HEAD']], 'pklNext': [16, ['pointer64', ['tagKL']]], 'spkfPrimary': [56, ['pointer64', ['tagKBDFILE']]], 'dwFontSigs': [64, ['unsigned long']], 'dwLastKbdType': [104, ['unsigned long']], 'CodePage': [72, ['unsigned short']], 'dwKL_Flags': [32, ['unsigned long']], 'iBaseCharset': [68, ['unsigned long']], 'dwKLID': [112, ['unsigned long']], 'spkf': [48, ['pointer64', ['tagKBDFILE']]], 'piiex': [80, ['pointer64', ['tagIMEINFOEX']]], 'hkl': [40, ['pointer64', ['HKL__']]], 'pspkfExtra': [96, ['pointer64', ['pointer64', ['tagKBDFILE']]]], 'wchDiacritic': [74, ['wchar']], 'dwLastKbdSubType': [108, ['unsigned long']], }], '__unnamed_182e': [0x8, { 'pRgb256x3x16': [0, ['pointer64', ['_D3DDDI_GAMMA_RAMP_RGB256x3x16']]], 
'pRaw': [0, ['pointer64', ['void']]], 'pDxgi1': [0, ['pointer64', ['_D3DDDI_GAMMA_RAMP_DXGI_1']]], }], 'tagCARET': [0x48, { 'iHideLevel': [12, ['long']], 'yOwnDc': [56, ['long']], 'y': [20, ['long']], 'cy': [24, ['long']], 'cx': [28, ['long']], 'hBitmap': [32, ['pointer64', ['HBITMAP__']]], 'cyOwnDc': [64, ['long']], 'fOn': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'hTimer': [40, ['unsigned long long']], 'xOwnDc': [52, ['long']], 'fVisible': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'cxOwnDc': [60, ['long']], 'tid': [48, ['unsigned long']], 'x': [16, ['long']], 'spwnd': [0, ['pointer64', ['tagWND']]], }], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/vtypes/__init__.py0000644000000000000000000000000013131215405025233 0ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/vtypes/win7.py0000644000000000000000000002001013131215405024363 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (C) 2010,2011,2012 Michael Hale Ligh # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
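#

import volatility.obj as obj
import volatility.plugins.gui.constants as consts
import volatility.plugins.gui.win32k_core as win32k_core
import volatility.plugins.gui.vtypes.win7_sp0_x64_vtypes_gui as win7_sp0_x64_vtypes_gui
import volatility.plugins.gui.vtypes.win7_sp0_x86_vtypes_gui as win7_sp0_x86_vtypes_gui
import volatility.plugins.gui.vtypes.win7_sp1_x64_vtypes_gui as win7_sp1_x64_vtypes_gui
import volatility.plugins.gui.vtypes.win7_sp1_x86_vtypes_gui as win7_sp1_x86_vtypes_gui

# Each ProfileModification below declares `conditions`: a mapping from a
# profile metadata key to a predicate on that key's value. The four *GuiVTypes
# classes differ only in memory model and build number (7600 for SP0, 7601 for
# SP1) and each installs the matching auto-generated win32k_types dictionary.

class Win7SP0x64GuiVTypes(obj.ProfileModification):
    """Apply the base vtypes for Windows 7 SP0 x64"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'build': lambda x: x == 7600}

    def modification(self, profile):
        """Merge the SP0 x64 win32k type definitions into profile.vtypes."""
        profile.vtypes.update(win7_sp0_x64_vtypes_gui.win32k_types)

class Win7SP1x64GuiVTypes(obj.ProfileModification):
    """Apply the base vtypes for Windows 7 SP1 x64"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'build': lambda x: x == 7601}

    def modification(self, profile):
        """Merge the SP1 x64 win32k type definitions into profile.vtypes."""
        profile.vtypes.update(win7_sp1_x64_vtypes_gui.win32k_types)

class Win7SP0x86GuiVTypes(obj.ProfileModification):
    """Apply the base vtypes for Windows 7 SP0 x86"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'build': lambda x: x == 7600}

    def modification(self, profile):
        """Merge the SP0 x86 win32k type definitions into profile.vtypes."""
        profile.vtypes.update(win7_sp0_x86_vtypes_gui.win32k_types)

class Win7SP1x86GuiVTypes(obj.ProfileModification):
    """Apply the base vtypes for Windows 7 SP1 x86"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'build': lambda x: x == 7601}

    def modification(self, profile):
        """Merge the SP1 x86 win32k type definitions into profile.vtypes."""
        profile.vtypes.update(win7_sp1_x86_vtypes_gui.win32k_types)

class Win7GuiOverlay(obj.ProfileModification):
    """Apply general overlays for Windows 7"""

    # Ordering relative to the four service-pack vtypes modifications; the
    # exact meaning of `before` is defined by obj.ProfileModification, which
    # is not part of this file.
    before = ['Win7SP0x64GuiVTypes', 'Win7SP1x64GuiVTypes',
              'Win7SP0x86GuiVTypes', 'Win7SP1x86GuiVTypes']

    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1}

    def modification(self, profile):
        """Overlay decoded types (flags, enumerations, a sized array) onto the
        raw win32k members so plugins see symbolic values instead of integers.
        """
        profile.merge_overlay({
            'tagHOOK': [ None, {
                'flags': [ None, ['Flags', {'bitmap': consts.HOOK_FLAGS}]]
            }],
            '_HANDLEENTRY': [ None, {
                'bType': [ None, ['Enumeration', dict(target = 'unsigned char', choices = consts.HANDLE_TYPE_ENUM_SEVEN)]],
            }],
            'tagWINDOWSTATION' : [ None, {
                # The element count is read from the structure itself at
                # access time, i.e. it comes from the (untrusted) image.
                'pClipBase' : [ None, ['pointer', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]],
            }],
            # NOTE(review): the size here is 16 rather than None, which
            # presumably pins tagCLIP to 16 bytes on every Windows 7 profile.
            # The win7_sp0_x64 vtypes shipped alongside this file declare
            # tagCLIP as 0x18 bytes -- confirm the pClipBase array stride on
            # x64 before relying on clipboard entries past the first.
            'tagCLIP': [ 16, {
                'fmt' : [ None, ['Enumeration', dict(target = 'unsigned long', choices = consts.CLIPBOARD_FORMAT_ENUM)]],
            }]})

class Win7Vista2008x64Timers(obj.ProfileModification):
    """Apply the tagTIMER for Windows 7, Vista, and 2008 x64"""

    # NOTE(review): 'major' is matched with >= 6 and there is no 'minor'
    # predicate, so this also matches releases newer than those named in the
    # docstring -- confirm that is intended.
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x >= 6}

    def modification(self, profile):
        """Install a hand-written tagTIMER layout for 64-bit profiles."""
        # http://doxygen.reactos.org/d5/dd0/timer_8h_source.html#l00019
        profile.vtypes.update({
            'tagTIMER' : [ None, {
                'head' : [ 0x00, ['_HEAD']],
                'ListEntry' : [ 0x18, ['_LIST_ENTRY']],
                'spwnd' : [ 0x28, ['pointer', ['tagWND']]],
                'pti' : [ 0x30, ['pointer', ['tagTHREADINFO']]],
                'nID' : [ 0x38, ['unsigned short']],
                'cmsCountdown' : [ 0x40, ['unsigned int']],
                'cmsRate' : [ 0x44, ['unsigned int']],
                'flags' : [ 0x48, ['Flags', {'bitmap': consts.TIMER_FLAGS}]],
                'pfn' : [ 0x50, ['pointer', ['void']]],
            }]})

class Win7Vista2008x86Timers(obj.ProfileModification):
    """Apply the tagTIMER for Windows 7, Vista, and 2008 x86"""

    # NOTE(review): same unbounded 'major' >= 6 predicate as the x64 variant.
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x >= 6}

    def modification(self, profile):
        """Install a hand-written tagTIMER layout for 32-bit profiles.

        Unlike the x64 layout, no 'head' member is declared here.
        """
        profile.vtypes.update({
            'tagTIMER' : [ None, {
                'ListEntry' : [ 0xc, ['_LIST_ENTRY']],
                'pti' : [ 0x18, ['pointer', ['tagTHREADINFO']]],
                'spwnd' : [ 0x14, ['pointer', ['tagWND']]], #?? (marked as uncertain by the original author)
                'nID' : [ 0x1C, ['unsigned short']],
                'cmsCountdown' : [ 0x20, ['unsigned int']],
                'cmsRate' : [ 0x24, ['unsigned int']],
                'flags' : [ 0x28, ['Flags', {'bitmap': consts.TIMER_FLAGS}]],
                'pfn' : [ 0x2C, ['pointer', ['void']]],
            }]})

class _MM_SESSION_SPACE(win32k_core._MM_SESSION_SPACE): #pylint: disable-msg=W0212
    """A class for session spaces on Windows 7"""

    def find_shared_info(self):
        """The way we find win32k!gSharedInfo on Windows 7
        is different than before. For each DWORD in the
        win32k.sys module's .data section (DWORD-aligned)
        we check if it's the HeEntrySize member of a possible
        tagSHAREDINFO structure. This should equal the size
        of a _HANDLEENTRY.

        The HeEntrySize member didn't exist before Windows 7
        thus the need for separate methods.

        Returns the first candidate tagSHAREDINFO that passes
        is_valid(), or an obj.NoneObject when none does. The
        match is heuristic: every value compared here is read
        from the memory image being analysed.
        """

        profile = self.obj_vm.profile
        # Size of one _HANDLEENTRY: the value a genuine HeEntrySize holds.
        handle_entry_size = profile.get_obj_size("_HANDLEENTRY")
        # Distance from the start of tagSHAREDINFO to its HeEntrySize member,
        # used to step back from a matching DWORD to the structure base.
        he_entry_size_offset = profile.get_obj_offset("tagSHAREDINFO", "HeEntrySize")

        for chunk in self._section_chunks(".data"):

            if chunk != handle_entry_size:
                continue

            shared_info = obj.Object("tagSHAREDINFO",
                offset = chunk.obj_offset - he_entry_size_offset,
                vm = self.obj_vm)

            if shared_info.is_valid():
                return shared_info

        return obj.NoneObject("Cannot find win32k!gSharedInfo")

class tagSHAREDINFO(win32k_core.tagSHAREDINFO):
    """A class for shared info blocks on Windows 7"""

    def is_valid(self):
        """Sanity checks for tagSHAREDINFO

        Returns a true value only when the generic CType check passes,
        ulSharedDelta is zero, the psi pointer is valid, and the handle
        table byte count divided by the entry size equals the recorded
        number of handle entries.
        """

        # obj.CType.is_valid is called directly, not the win32k_core parent's.
        if not obj.CType.is_valid(self):
            return False

        if self.ulSharedDelta != 0:
            return False

        if not self.psi.is_valid():
            return False

        # HeEntrySize comes from the image under analysis. A zeroed or
        # tampered value would otherwise turn the consistency check below
        # into a ZeroDivisionError instead of a rejected candidate.
        entry_size = self.HeEntrySize
        if entry_size == 0:
            return False

        return self.psi.cbHandleTable / entry_size == self.psi.cHandleEntries

class Win7Win32KCoreClasses(obj.ProfileModification):
    """Apply the core object classes for Windows 7"""

    # Ordering relative to the generic Windows and win32k class modifications;
    # see obj.ProfileModification for the semantics of `before`.
    before = ["WindowsObjectClasses", "Win32KCoreClasses"]

    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1}

    def modification(self, profile):
        """Register the Windows 7 specific classes defined in this module."""
        profile.object_classes.update({
            '_MM_SESSION_SPACE': _MM_SESSION_SPACE,
            'tagSHAREDINFO': tagSHAREDINFO,
        })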
volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/vtypes/win7_sp0_x64_vtypes_gui.py0000644000000000000000000041455313131215405030147 0ustar rootrootwin32k_types = { '_HANDLEENTRY': [0x18, { 'pOwner': [8, ['pointer64', ['void']]], 'phead': [0, ['pointer64', ['_HEAD']]], 'bFlags': [17, ['unsigned char']], 'wUniq': [18, ['unsigned short']], 'bType': [16, ['unsigned char']], }], 'tagTOUCHINPUTINFO': [0x50, { 'dwcInputs': [24, ['unsigned long']], 'head': [0, ['_THROBJHEAD']], 'uFlags': [28, ['unsigned long']], 'TouchInput': [32, ['array', 1, ['tagTOUCHINPUT']]], }], 'tagHOOK': [0x60, { 'head': [0, ['_THRDESKHEAD']], 'offPfn': [56, ['unsigned long long']], 'flags': [64, ['unsigned long']], 'fLastHookHung': [88, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'nTimeout': [88, ['BitField', {'end_bit': 7, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'ihmod': [68, ['long']], 'iHook': [48, ['long']], 'ptiHooked': [72, ['pointer64', ['tagTHREADINFO']]], 'phkNext': [40, ['pointer64', ['tagHOOK']]], 'rpdesk': [80, ['pointer64', ['tagDESKTOP']]], }], 'DEADKEY': [0x8, { 'wchComposed': [4, ['wchar']], 'dwBoth': [0, ['unsigned long']], 'uFlags': [6, ['unsigned short']], }], '_W32THREAD': [0x150, { 'pRBRecursionCount': [96, ['unsigned long']], 'iVisRgnUniqueness': [328, ['unsigned long']], 'RefCount': [8, ['unsigned long']], 'pDevHTInfo': [280, ['pointer64', ['void']]], 'pUMPDHeap': [48, ['pointer64', ['void']]], 'pgdiBrushAttr': [32, ['pointer64', ['void']]], 'ulWindowSystemRendering': [324, ['unsigned long']], 'tlSpriteState': [104, ['_TLSPRITESTATE']], 'pdcoRender': [304, ['pointer64', ['void']]], 'bEnableEngUpdateDeviceSurface': [320, ['unsigned char']], 'pdcoAA': [296, ['pointer64', ['void']]], 'pNonRBRecursionCount': [100, ['unsigned long']], 'ptlW32': [16, ['pointer64', ['_TL']]], 'GdiTmpTgoList': [80, ['_LIST_ENTRY']], 'pUMPDObjs': [40, ['pointer64', ['void']]], 'pgdiDcattr': [24, ['pointer64', ['void']]], 'bIncludeSprites': [321, 
['unsigned char']], 'pEThread': [0, ['pointer64', ['_ETHREAD']]], 'pSpriteState': [272, ['pointer64', ['void']]], 'pProxyPort': [64, ['pointer64', ['void']]], 'ulDevHTInfoUniqueness': [288, ['unsigned long']], 'pdcoSrc': [312, ['pointer64', ['void']]], 'pUMPDObj': [56, ['pointer64', ['void']]], 'pClientID': [72, ['pointer64', ['void']]], }], 'tagPROPLIST': [0x18, { 'aprop': [8, ['array', 1, ['tagPROP']]], 'cEntries': [0, ['unsigned long']], 'iFirstFree': [4, ['unsigned long']], }], 'tagSVR_INSTANCE_INFO': [0x40, { 'head': [0, ['_THROBJHEAD']], 'next': [24, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'nextInThisThread': [32, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'spwndEvent': [48, ['pointer64', ['tagWND']]], 'afCmd': [40, ['unsigned long']], 'pcii': [56, ['pointer64', ['void']]], }], 'tagDESKTOPINFO': [0xf0, { 'spwndProgman': [192, ['pointer64', ['tagWND']]], 'pvwplMessagePPHandler': [224, ['pointer64', ['VWPL']]], 'pvDesktopLimit': [8, ['pointer64', ['void']]], 'fComposited': [232, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'spwndGestureEngine': [216, ['pointer64', ['tagWND']]], 'pvDesktopBase': [0, ['pointer64', ['void']]], 'spwndShell': [160, ['pointer64', ['tagWND']]], 'ppiShellProcess': [168, ['pointer64', ['tagPROCESSINFO']]], 'pvwplShellHook': [200, ['pointer64', ['VWPL']]], 'fIsDwmDesktop': [232, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'spwndTaskman': [184, ['pointer64', ['tagWND']]], 'aphkStart': [32, ['array', 16, ['pointer64', ['tagHOOK']]]], 'fsHooks': [24, ['unsigned long']], 'cntMBox': [208, ['long']], 'spwndBkGnd': [176, ['pointer64', ['tagWND']]], 'spwnd': [16, ['pointer64', ['tagWND']]], }], 'tagDISPLAYINFO': [0xa8, { 'hDev': [0, ['pointer64', ['void']]], 'SpatialListHead': [144, ['_KLIST_ENTRY']], 'BitCountMax': [130, ['unsigned short']], 'cyGray': [60, ['long']], 'hdcBits': [32, ['pointer64', ['HDC__']]], 'fDesktopIsRect': [132, ['BitField', {'end_bit': 1, 'start_bit': 0, 
'native_type': 'long'}]], 'hbmGray': [48, ['pointer64', ['HBITMAP__']]], 'pmdev': [8, ['pointer64', ['void']]], 'cFullScreen': [160, ['short']], 'cxGray': [56, ['long']], 'dmLogPixels': [128, ['unsigned short']], 'hDevInfo': [16, ['pointer64', ['void']]], 'fAnyPalette': [132, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'pspbFirst': [72, ['pointer64', ['tagSPB']]], 'pMonitorPrimary': [88, ['pointer64', ['tagMONITOR']]], 'Spare0': [162, ['short']], 'pMonitorFirst': [96, ['pointer64', ['tagMONITOR']]], 'hdcGray': [40, ['pointer64', ['HDC__']]], 'hrgnScreenReal': [120, ['pointer64', ['HRGN__']]], 'cMonitors': [80, ['unsigned long']], 'hdcScreen': [24, ['pointer64', ['HDC__']]], 'DockThresholdMax': [136, ['unsigned long']], 'rcScreenReal': [104, ['tagRECT']], 'pdceFirst': [64, ['pointer64', ['tagDCE']]], }], '__unnamed_1261': [0x20, { 'Buffer': [24, ['pointer64', ['void']]], 'ProviderId': [0, ['unsigned long long']], 'BufferSize': [16, ['unsigned long']], 'DataPath': [8, ['pointer64', ['void']]], }], '__unnamed_1263': [0x20, { 'Argument4': [24, ['pointer64', ['void']]], 'Argument2': [8, ['pointer64', ['void']]], 'Argument3': [16, ['pointer64', ['void']]], 'Argument1': [0, ['pointer64', ['void']]], }], '__unnamed_1265': [0x20, { 'DeviceIoControl': [0, ['__unnamed_121d']], 'QuerySecurity': [0, ['__unnamed_121f']], 'ReadWriteConfig': [0, ['__unnamed_123d']], 'Create': [0, ['__unnamed_11ff']], 'SetSecurity': [0, ['__unnamed_1221']], 'Write': [0, ['__unnamed_1209']], 'VerifyVolume': [0, ['__unnamed_1225']], 'WMI': [0, ['__unnamed_1261']], 'CreateMailslot': [0, ['__unnamed_1207']], 'FilterResourceRequirements': [0, ['__unnamed_123b']], 'SetFile': [0, ['__unnamed_1213']], 'MountVolume': [0, ['__unnamed_1225']], 'FileSystemControl': [0, ['__unnamed_1219']], 'UsageNotification': [0, ['__unnamed_124b']], 'Scsi': [0, ['__unnamed_1229']], 'WaitWake': [0, ['__unnamed_124f']], 'QueryFile': [0, ['__unnamed_1211']], 'QueryDeviceText': [0, ['__unnamed_1247']], 
'CreatePipe': [0, ['__unnamed_1203']], 'Power': [0, ['__unnamed_125b']], 'QueryDeviceRelations': [0, ['__unnamed_122d']], 'Read': [0, ['__unnamed_1209']], 'StartDevice': [0, ['__unnamed_125f']], 'QueryDirectory': [0, ['__unnamed_120d']], 'PowerSequence': [0, ['__unnamed_1253']], 'QueryId': [0, ['__unnamed_1243']], 'LockControl': [0, ['__unnamed_121b']], 'NotifyDirectory': [0, ['__unnamed_120f']], 'QueryInterface': [0, ['__unnamed_1233']], 'Others': [0, ['__unnamed_1263']], 'QueryVolume': [0, ['__unnamed_1217']], 'SetLock': [0, ['__unnamed_123f']], 'DeviceCapabilities': [0, ['__unnamed_1237']], }], '_D3DKMDT_2DREGION': [0x8, { 'cy': [4, ['unsigned long']], 'cx': [0, ['unsigned long']], }], 'tagMONITOR': [0x90, { 'hDev': [80, ['pointer64', ['void']]], 'head': [0, ['_HEAD']], 'hDevReal': [88, ['pointer64', ['void']]], 'rcWorkReal': [44, ['tagRECT']], 'dwMONFlags': [24, ['unsigned long']], 'Spare0': [72, ['short']], 'rcMonitorReal': [28, ['tagRECT']], 'pMonitorNext': [16, ['pointer64', ['tagMONITOR']]], 'Flink': [128, ['pointer64', ['tagMONITOR']]], 'Blink': [136, ['pointer64', ['tagMONITOR']]], 'hrgnMonitorReal': [64, ['pointer64', ['HRGN__']]], 'cWndStack': [74, ['short']], 'DockTargets': [96, ['array', 7, ['array', 4, ['unsigned char']]]], }], '__unnamed_123b': [0x8, { 'IoResourceRequirementList': [0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION': [0x10c, { 'APSTriggerBits': [4, ['unsigned long']], 'CopyProtectionType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPMT_UNINITIALIZED', 1: 'D3DKMDT_VPPMT_NOPROTECTION', 2: 'D3DKMDT_VPPMT_MACROVISION_APSTRIGGER', 3: 'D3DKMDT_VPPMT_MACROVISION_FULLSUPPORT', 255: 'D3DKMDT_VPPMT_NOTSPECIFIED'}}]], 'CopyProtectionSupport': [264, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT']], 'OEMCopyProtection': [8, ['array', 256, ['unsigned char']]], }], 'tagHID_TLC_INFO': [0x28, { 'cExcludeRequest': [32, ['unsigned long']], 'link': [0, ['_LIST_ENTRY']], 
'cExcludeOrphaned': [36, ['unsigned long']], 'cUsagePageRequest': [28, ['unsigned long']], 'usUsagePage': [16, ['unsigned short']], 'cDevices': [20, ['unsigned long']], 'cDirectRequest': [24, ['unsigned long']], 'usUsage': [18, ['unsigned short']], }], 'HWND__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION': [0x1b0, { 'TargetMode': [360, ['_D3DKMDT_VIDPN_TARGET_MODE']], 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], }], 'tagQ': [0x158, { 'hwndDblClk': [112, ['pointer64', ['HWND__']]], 'timeDblClk': [108, ['unsigned long']], 'spwndFocus': [72, ['pointer64', ['tagWND']]], 'ExtraInfo': [328, ['long long']], 'cLockCount': [322, ['unsigned short']], 'iCursorLevel': [312, ['long']], 'ptiSysLock': [24, ['pointer64', ['tagTHREADINFO']]], 'caret': [232, ['tagCARET']], 'ptiMouse': [48, ['pointer64', ['tagTHREADINFO']]], 'spwndActivePrev': [88, ['pointer64', ['tagWND']]], 'ptMouseMove': [128, ['tagPOINT']], 'msgDblClk': [100, ['unsigned long']], 'msgJournal': [324, ['unsigned long']], 'ptiKeyboard': [56, ['pointer64', ['tagTHREADINFO']]], 'cThreads': [320, ['unsigned short']], 'QF_flags': [316, ['unsigned long']], 'mlInput': [0, ['tagMLIST']], 'spwndActive': [80, ['pointer64', ['tagWND']]], 'codeCapture': [96, ['unsigned long']], 'idSysLock': [32, ['unsigned long long']], 'spcurCurrent': [304, ['pointer64', ['tagCURSOR']]], 'ulEtwReserved1': [336, ['unsigned long']], 'ptDblClk': [120, ['tagPOINT']], 'xbtnDblClk': [104, ['unsigned short']], 'afKeyRecentDown': [136, ['array', 32, ['unsigned char']]], 'afKeyState': [168, ['array', 64, ['unsigned char']]], 'spwndCapture': [64, ['pointer64', ['tagWND']]], 'idSysPeek': [40, ['unsigned long long']], }], 'tagUSERSTARTUPINFO': [0x1c, { 'wShowWindow': [24, ['unsigned short']], 'dwYSize': [16, ['unsigned long']], 'dwXSize': [12, ['unsigned long']], 'cbReserved2': [26, ['unsigned short']], 'cb': [0, ['unsigned long']], 'dwX': [4, ['unsigned long']], 'dwY': [8, ['unsigned long']], 'dwFlags': [20, 
['unsigned long']], }], '_DMM_COMMITVIDPNREQUESTSET_SERIALIZATION': [0x8, { 'CommitVidPnRequestOffset': [4, ['array', 1, ['unsigned long']]], 'NumCommitVidPnRequests': [0, ['unsigned char']], }], '__unnamed_1805': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length': [8, ['unsigned long']], }], '_DMM_MONITORDESCRIPTORSET_SERIALIZATION': [0x90, { 'NumDescriptors': [0, ['unsigned char']], 'DescriptorSerialization': [4, ['array', 1, ['_DMM_MONITORDESCRIPTOR_SERIALIZATION']]], }], '_DMM_MONITORSOURCEMODESET_SERIALIZATION': [0x70, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [8, ['array', 1, ['_DMM_MONITOR_SOURCE_MODE_SERIALIZATION']]], }], '_VK_FUNCTION_PARAM': [0x8, { 'NLSFEProcIndex': [0, ['unsigned char']], 'NLSFEProcParam': [4, ['unsigned long']], }], '_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES': [0x10, { 'SecondChannel': [4, ['unsigned long']], 'FourthChannel': [12, ['unsigned long']], 'ThirdChannel': [8, ['unsigned long']], 'FirstChannel': [0, ['unsigned long']], }], 'tagMLIST': [0x18, { 'cMsgs': [16, ['unsigned long']], 'pqmsgRead': [0, ['pointer64', ['tagQMSG']]], 'pqmsgWriteLast': [8, ['pointer64', ['tagQMSG']]], }], '__unnamed_122d': [0x4, { 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'}}]], }], 'tagMENUSTATE': [0x90, { 'fDragAndDrop': [8, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fInsideMenuLoop': [8, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'cxAni': [116, ['long']], 'pGlobalPopupMenu': [0, ['pointer64', ['tagPOPUPMENU']]], 'uDraggingIndex': [88, ['unsigned long']], 'uDraggingHitArea': [80, ['unsigned long long']], 'fNotifyByPos': [8, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'fButtonDown': [8, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned 
long'}]], 'ixAni': [108, ['long']], 'fInCallHandleMenuMessages': [8, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'mnFocus': [20, ['long']], 'iyAni': [112, ['long']], 'dwLockCount': [40, ['unsigned long']], 'fAutoDismiss': [8, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'fIsSysMenu': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'dwAniStartTime': [104, ['unsigned long']], 'pmnsPrev': [48, ['pointer64', ['tagMENUSTATE']]], 'fInEndMenu': [8, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'hbmAni': [128, ['pointer64', ['HBITMAP__']]], 'fIgnoreButtonUp': [8, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'ptButtonDown': [56, ['tagPOINT']], 'hdcWndAni': [96, ['pointer64', ['HDC__']]], 'fAboutToAutoDismiss': [8, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], 'fMenuStarted': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'uDraggingFlags': [92, ['unsigned long']], 'fUnderline': [8, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'fInDoDragDrop': [8, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'ptiMenuStateOwner': [32, ['pointer64', ['tagTHREADINFO']]], 'uButtonDownIndex': [72, ['unsigned long']], 'fModelessMenu': [8, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'cyAni': [120, ['long']], 'uButtonDownHitArea': [64, ['unsigned long long']], 'fButtonAlwaysDown': [8, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'iAniDropDir': [8, ['BitField', {'end_bit': 24, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'ptMouseLast': [12, ['tagPOINT']], 'hdcAni': [136, ['pointer64', ['HDC__']]], 'vkButtonDown': [76, ['long']], 'fSetCapture': [8, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 
'unsigned long'}]], 'fDragging': [8, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fActiveNoForeground': [8, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'fMouseOffMenu': [8, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'cmdLast': [24, ['long']], }], 'tagMSGPPINFO': [0x4, { 'dwIndexMsgPP': [0, ['unsigned long']], }], 'VWPLELEMENT': [0x10, { 'DataOrTag': [0, ['unsigned long long']], 'pwnd': [8, ['pointer64', ['tagWND']]], }], '_WM_VALUES_STRINGS': [0x10, { 'pszName': [0, ['pointer64', ['unsigned char']]], 'fInternal': [8, ['unsigned char']], 'fDefined': [9, ['unsigned char']], }], 'tagCLIP': [0x18, { 'fmt': [0, ['unsigned long']], 'fGlobalHandle': [16, ['long']], 'hData': [8, ['pointer64', ['void']]], }], '__unnamed_1229': [0x8, { 'Srb': [0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], }], '_HEAD': [0x10, { 'h': [0, ['pointer64', ['void']]], 'cLockObj': [8, ['unsigned long']], }], '__unnamed_1221': [0x10, { 'SecurityInformation': [0, ['unsigned long']], 'SecurityDescriptor': [8, ['pointer64', ['void']]], }], '__unnamed_11e6': [0x10, { 'AsynchronousParameters': [0, ['__unnamed_11e4']], 'AllocationSize': [0, ['_LARGE_INTEGER']], }], 'tagQMSG': [0x68, { 'FromPen': [84, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'pti': [88, ['pointer64', ['tagTHREADINFO']]], 'ExtraInfo': [64, ['long long']], 'Wow64Message': [84, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'pqmsgPrev': [8, ['pointer64', ['tagQMSG']]], 'NoCoalesce': [84, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'Padding': [80, ['BitField', {'end_bit': 32, 'start_bit': 30, 'native_type': 'unsigned long'}]], 'ptMouseReal': [72, ['tagPOINT']], 'pqmsgNext': [0, ['pointer64', ['tagQMSG']]], 'dwQEvent': [80, ['BitField', {'end_bit': 30, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'MsgPPInfo': [96, ['tagMSGPPINFO']], 'FromTouch': [84, 
['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'msg': [16, ['tagMSG']], }], 'HWINSTA__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32PoolHead': [0x20, { 'pPrev': [8, ['pointer64', ['tagWin32PoolHead']]], 'pTrace': [24, ['pointer64', ['pointer64', ['void']]]], 'pNext': [16, ['pointer64', ['tagWin32PoolHead']]], 'size': [0, ['unsigned long long']], }], 'tagTOUCHINPUT': [0x30, { 'hSource': [8, ['pointer64', ['void']]], 'dwExtraInfo': [32, ['unsigned long long']], 'cxContact': [40, ['unsigned long']], 'dwMask': [24, ['unsigned long']], 'y': [4, ['long']], 'x': [0, ['long']], 'dwID': [16, ['unsigned long']], 'cyContact': [44, ['unsigned long']], 'dwTime': [28, ['unsigned long']], 'dwFlags': [20, ['unsigned long']], }], '_CALLBACKWND': [0x18, { 'hwnd': [0, ['pointer64', ['HWND__']]], 'pActCtx': [16, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'pwnd': [8, ['pointer64', ['tagWND']]], }], 'HMONITOR__': [0x4, { 'unused': [0, ['long']], }], '_D3DKMDT_GRAPHICS_RENDERING_FORMAT': [0x20, { 'VisibleRegionSize': [8, ['_D3DKMDT_2DREGION']], 'Stride': [16, ['unsigned long']], 'PixelFormat': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDIFMT_UNKNOWN', 20: 'D3DDDIFMT_R8G8B8', 21: 'D3DDDIFMT_A8R8G8B8', 22: 'D3DDDIFMT_X8R8G8B8', 23: 'D3DDDIFMT_R5G6B5', 24: 'D3DDDIFMT_X1R5G5B5', 25: 'D3DDDIFMT_A1R5G5B5', 26: 'D3DDDIFMT_A4R4G4B4', 27: 'D3DDDIFMT_R3G3B2', 28: 'D3DDDIFMT_A8', 29: 'D3DDDIFMT_A8R3G3B2', 30: 'D3DDDIFMT_X4R4G4B4', 31: 'D3DDDIFMT_A2B10G10R10', 32: 'D3DDDIFMT_A8B8G8R8', 33: 'D3DDDIFMT_X8B8G8R8', 34: 'D3DDDIFMT_G16R16', 35: 'D3DDDIFMT_A2R10G10B10', 36: 'D3DDDIFMT_A16B16G16R16', 40: 'D3DDDIFMT_A8P8', 41: 'D3DDDIFMT_P8', 50: 'D3DDDIFMT_L8', 51: 'D3DDDIFMT_A8L8', 52: 'D3DDDIFMT_A4L4', 60: 'D3DDDIFMT_V8U8', 61: 'D3DDDIFMT_L6V5U5', 62: 'D3DDDIFMT_X8L8V8U8', 63: 'D3DDDIFMT_Q8W8V8U8', 64: 'D3DDDIFMT_V16U16', 65: 'D3DDDIFMT_W11V11U10', 67: 'D3DDDIFMT_A2W10V10U10', 877942852: 'D3DDDIFMT_DXT4', 70: 'D3DDDIFMT_D16_LOCKABLE', 71: 'D3DDDIFMT_D32', 72: 
'D3DDDIFMT_S1D15', 73: 'D3DDDIFMT_D15S1', 74: 'D3DDDIFMT_S8D24', 75: 'D3DDDIFMT_D24S8', 76: 'D3DDDIFMT_X8D24', 77: 'D3DDDIFMT_D24X8', 78: 'D3DDDIFMT_X4S4D24', 79: 'D3DDDIFMT_D24X4S4', 80: 'D3DDDIFMT_D16', 81: 'D3DDDIFMT_L16', 82: 'D3DDDIFMT_D32F_LOCKABLE', 83: 'D3DDDIFMT_D24FS8', 84: 'D3DDDIFMT_D32_LOCKABLE', 85: 'D3DDDIFMT_S8_LOCKABLE', 100: 'D3DDDIFMT_VERTEXDATA', 101: 'D3DDDIFMT_INDEX16', 102: 'D3DDDIFMT_INDEX32', 110: 'D3DDDIFMT_Q16W16V16U16', 111: 'D3DDDIFMT_R16F', 112: 'D3DDDIFMT_G16R16F', 113: 'D3DDDIFMT_A16B16G16R16F', 114: 'D3DDDIFMT_R32F', 115: 'D3DDDIFMT_G32R32F', 116: 'D3DDDIFMT_A32B32G32R32F', 117: 'D3DDDIFMT_CxV8U8', 118: 'D3DDDIFMT_A1', 119: 'D3DDDIFMT_A2B10G10R10_XR_BIAS', 150: 'D3DDDIFMT_PICTUREPARAMSDATA', 151: 'D3DDDIFMT_MACROBLOCKDATA', 152: 'D3DDDIFMT_RESIDUALDIFFERENCEDATA', 153: 'D3DDDIFMT_DEBLOCKINGDATA', 154: 'D3DDDIFMT_INVERSEQUANTIZATIONDATA', 155: 'D3DDDIFMT_SLICECONTROLDATA', 156: 'D3DDDIFMT_BITSTREAMDATA', 157: 'D3DDDIFMT_MOTIONVECTORBUFFER', 158: 'D3DDDIFMT_FILMGRAINBUFFER', 159: 'D3DDDIFMT_DXVA_RESERVED9', 160: 'D3DDDIFMT_DXVA_RESERVED10', 161: 'D3DDDIFMT_DXVA_RESERVED11', 162: 'D3DDDIFMT_DXVA_RESERVED12', 163: 'D3DDDIFMT_DXVA_RESERVED13', 164: 'D3DDDIFMT_DXVA_RESERVED14', 165: 'D3DDDIFMT_DXVA_RESERVED15', 166: 'D3DDDIFMT_DXVA_RESERVED16', 167: 'D3DDDIFMT_DXVA_RESERVED17', 168: 'D3DDDIFMT_DXVA_RESERVED18', 169: 'D3DDDIFMT_DXVA_RESERVED19', 170: 'D3DDDIFMT_DXVA_RESERVED20', 171: 'D3DDDIFMT_DXVA_RESERVED21', 172: 'D3DDDIFMT_DXVA_RESERVED22', 173: 'D3DDDIFMT_DXVA_RESERVED23', 174: 'D3DDDIFMT_DXVA_RESERVED24', 175: 'D3DDDIFMT_DXVA_RESERVED25', 176: 'D3DDDIFMT_DXVA_RESERVED26', 177: 'D3DDDIFMT_DXVA_RESERVED27', 178: 'D3DDDIFMT_DXVA_RESERVED28', 179: 'D3DDDIFMT_DXVA_RESERVED29', 180: 'D3DDDIFMT_DXVA_RESERVED30', 181: 'D3DDDIFMT_DXVACOMPBUFFER_MAX', 844388420: 'D3DDDIFMT_DXT2', 199: 'D3DDDIFMT_BINARYBUFFER', 861165636: 'D3DDDIFMT_DXT3', 827611204: 'D3DDDIFMT_DXT1', 827606349: 'D3DDDIFMT_MULTI2_ARGB8', 1195525970: 'D3DDDIFMT_R8G8_B8G8', 
1498831189: 'D3DDDIFMT_UYVY', 844715353: 'D3DDDIFMT_YUY2', 894720068: 'D3DDDIFMT_DXT5', 1111970375: 'D3DDDIFMT_G8R8_G8B8', 2147483647: 'D3DDDIFMT_FORCE_UINT'}}]], 'PixelValueAccessMode': [28, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_PVAM_UNINITIALIZED', 1: 'D3DKMDT_PVAM_DIRECT', 2: 'D3DKMDT_PVAM_PRESETPALETTE', 3: 'D3DKMDT_PVAM_MAXVALID'}}]], 'PrimSurfSize': [0, ['_D3DKMDT_2DREGION']], 'ColorBasis': [24, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], '_VK_TO_WCHAR_TABLE': [0x10, { 'pVkToWchars': [0, ['pointer64', ['_VK_TO_WCHARS1']]], 'cbSize': [9, ['unsigned char']], 'nModifications': [8, ['unsigned char']], }], '__unnamed_1153': [0x10, { 'Reserved': [8, ['BitField', {'end_bit': 61, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'HeaderType': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 25, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'Region': [8, ['BitField', {'end_bit': 64, 'start_bit': 61, 'native_type': 'unsigned long long'}]], 'Init': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'Depth': [0, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'NextEntry': [0, ['BitField', {'end_bit': 64, 'start_bit': 25, 'native_type': 'unsigned long long'}]], }], '__unnamed_1158': [0x10, { 'Reserved': [8, ['BitField', {'end_bit': 4, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'HeaderType': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 64, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'Init': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'Depth': [0, ['BitField', {'end_bit': 
16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'NextEntry': [8, ['BitField', {'end_bit': 64, 'start_bit': 4, 'native_type': 'unsigned long long'}]], }], '_TL': [0x18, { 'pfnFree': [16, ['pointer64', ['void']]], 'pobj': [8, ['pointer64', ['void']]], 'next': [0, ['pointer64', ['_TL']]], }], 'tagTHREADINFO': [0x3a8, { 'pstrAppName': [416, ['pointer64', ['_UNICODE_STRING']]], 'ForceLegacyResizeNCMetr': [520, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'unsigned long long'}]], 'ptl': [336, ['pointer64', ['_TL']]], 'timeLast': [448, ['long']], 'DontJournalAttach': [516, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'ppi': [344, ['pointer64', ['tagPROCESSINFO']]], 'SendMnuDblClk': [516, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'DDENoSync': [520, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long long'}]], 'EditNoMouseHide': [520, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long long'}]], 'pDevHTInfo': [280, ['pointer64', ['void']]], 'OpenGLEMF': [520, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long long'}]], 'dwCompatFlags': [516, ['unsigned long']], 'hTouchInputCurrent': [888, ['pointer64', ['HTOUCHINPUT__']]], 'psmsSent': [424, ['pointer64', ['tagSMS']]], 'cVisWindows': [728, ['unsigned long']], 'hPrevHidData': [880, ['pointer64', ['void']]], 'fsHooks': [552, ['unsigned long']], 'qwCompatFlags2': [520, ['unsigned long long']], 'NoPaddedBorder': [520, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long long'}]], 'NoDrawPatRect': [520, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long long'}]], 'ForceTTGrapchis': [516, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'GetDeviceCaps': [516, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'pgdiBrushAttr': [32, ['pointer64', 
['void']]], 'pq': [352, ['pointer64', ['tagQ']]], 'ulWindowSystemRendering': [324, ['unsigned long']], 'dwExpWinVer': [512, ['unsigned long']], 'NoSoftCursOnMoveSize': [520, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long long'}]], 'psmsReceiveList': [440, ['pointer64', ['tagSMS']]], 'sphkCurrent': [560, ['pointer64', ['tagHOOK']]], 'No50ExStyles': [520, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'IgnoreFaults': [516, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'unsigned long'}]], 'pClientInfo': [400, ['pointer64', ['tagCLIENTINFO']]], 'pdcoSrc': [312, ['pointer64', ['void']]], 'pEventQueueServer': [600, ['pointer64', ['_KEVENT']]], 'DealyHwndShakeChk': [516, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'amdesk': [720, ['unsigned long']], 'fsChangeBitsRemoved': [704, ['unsigned short']], 'psmsCurrent': [432, ['pointer64', ['tagSMS']]], 'NoBatching': [520, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long long'}]], 'StrictLLHook': [520, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long long'}]], 'pdcoRender': [304, ['pointer64', ['void']]], 'NoShadow': [520, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long long'}]], 'EnumHelv': [516, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], 'fPack': [928, ['BitField', {'end_bit': 28, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'CallTTDevice': [516, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'fsReserveKeys': [708, ['unsigned long']], 'Winver31': [516, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'DisableDBCSProp': [516, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'unsigned long'}]], 'Win30AvgWidth': [516, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'ptlW32': [16, 
['pointer64', ['_TL']]], 'AlwaysSendSyncPaint': [516, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'IgnoreNoDiscard': [516, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'NoTimeCbProtect': [520, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long long'}]], 'MsShellDlg': [520, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long long'}]], 'hEventQueueClient': [592, ['pointer64', ['void']]], 'cPaintsReady': [480, ['long']], 'SubtractClips': [516, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'PtiLink': [608, ['_LIST_ENTRY']], 'DpiAware': [520, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'unsigned long long'}]], 'spklActive': [360, ['pointer64', ['tagKL']]], 'bIncludeSprites': [321, ['unsigned char']], 'mlPost': [680, ['tagMLIST']], 'ptLastReal': [636, ['tagPOINT']], 'fThreadCleanupFinished': [928, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'MultipleBands': [516, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'Random31Ux': [516, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long'}]], 'HackWinFlags': [516, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'pProxyPort': [64, ['pointer64', ['void']]], 'KCOff': [520, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'wParamHkCurrent': [576, ['unsigned long long']], 'readyHead': [912, ['_LIST_ENTRY']], 'UsePrintingEscape': [516, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'NoInitFlagsOnFocus': [520, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long long'}]], 'ForceTextBand': [516, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'pEThread': [0, ['pointer64', ['_ETHREAD']]], 'ptdb': [496, ['pointer64', ['tagTDB']]], 
'SpareCompatFlags2': [520, ['BitField', {'end_bit': 64, 'start_bit': 33, 'native_type': 'unsigned long long'}]], 'cWindows': [724, ['unsigned long']], 'cEnterCount': [672, ['long']], 'fETWReserved': [928, ['BitField', {'end_bit': 32, 'start_bit': 29, 'native_type': 'unsigned long'}]], 'dwCompatFlags2': [520, ['unsigned long']], 'NoEMFSpooling': [516, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long'}]], 'pMenuState': [488, ['pointer64', ['tagMENUSTATE']]], 'pRBRecursionCount': [96, ['unsigned long']], 'SmoothScrolling': [516, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'unsigned long'}]], 'iVisRgnUniqueness': [328, ['unsigned long']], 'RefCount': [8, ['unsigned long']], 'Win31DevModeSize': [516, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'pwinsta': [496, ['pointer64', ['tagWINDOWSTATION']]], 'pSBTrack': [584, ['pointer64', ['tagSBTRACK']]], 'ActiveMenus': [520, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long long'}]], 'spwndDefaultIme': [648, ['pointer64', ['tagWND']]], 'NoCustomPaperSize': [520, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long long'}]], 'wchInjected': [706, ['wchar']], 'cTimersReady': [484, ['unsigned long']], 'EditSetTextMunge': [516, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'pUMPDHeap': [48, ['pointer64', ['void']]], 'fgfSwitchInProgressSetter': [928, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'iCursorLevel': [624, ['long']], 'NoScrollBarCtxMenu': [516, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long'}]], 'ulClientDelta': [392, ['unsigned long long']], 'pdcoAA': [296, ['pointer64', ['void']]], 'cNestedStableVisRgn': [908, ['unsigned long']], 'TryExceptCallWndProc': [520, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'cti': [864, ['tagCLIENTTHREADINFO']], 'NcCalcSizeOnMove': 
[516, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'DisableFontAssoc': [516, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'pcti': [368, ['pointer64', ['tagCLIENTTHREADINFO']]], 'MsgPPInfo': [904, ['tagMSGPPINFO']], 'DDE': [520, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long long'}]], 'ulThreadFlags2': [928, ['unsigned long']], 'tlSpriteState': [104, ['_TLSPRITESTATE']], 'NoCharDeadKey': [520, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long long'}]], 'pqAttach': [528, ['pointer64', ['tagQ']]], 'TTIgnoreRasterDupe': [516, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'aphkStart': [736, ['array', 16, ['pointer64', ['tagHOOK']]]], 'DefaultCharset': [520, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long long'}]], 'idLast': [456, ['unsigned long long']], 'rpdesk': [376, ['pointer64', ['tagDESKTOP']]], 'NoWindowArrangement': [520, ['BitField', {'end_bit': 33, 'start_bit': 32, 'native_type': 'unsigned long long'}]], 'AnimationOff': [520, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'No50ExStyleBits': [520, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long long'}]], 'TransparentBltMirror': [520, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long long'}]], 'DDENoAsyncReg': [520, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long long'}]], 'bEnableEngUpdateDeviceSurface': [320, ['unsigned char']], 'pDeskInfo': [384, ['pointer64', ['tagDESKTOPINFO']]], 'hdesk': [472, ['pointer64', ['HDESK__']]], 'pNonRBRecursionCount': [100, ['unsigned long']], 'MoreExtraWndWords': [516, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'hklPrev': [664, ['pointer64', ['HKL__']]], 'NoGhost': [520, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned 
long long'}]], 'IgnoreTopMost': [516, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'pmsd': [544, ['pointer64', ['_MOVESIZEDATA']]], 'NoHRGN1': [516, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'exitCode': [464, ['long']], 'NoDDETrackDying': [520, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long long'}]], 'ptLast': [628, ['tagPOINT']], 'hGestureInfoCurrent': [896, ['pointer64', ['HGESTUREINFO__']]], 'GdiTmpTgoList': [80, ['_LIST_ENTRY']], 'pUMPDObjs': [40, ['pointer64', ['void']]], 'FontSubs': [520, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long long'}]], 'GiveUpForegound': [520, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long long'}]], 'spDefaultImc': [656, ['pointer64', ['tagIMC']]], 'pgdiDcattr': [24, ['pointer64', ['void']]], 'TIF_flags': [408, ['unsigned long']], 'apEvent': [712, ['pointer64', ['pointer64', ['_KEVENT']]]], 'HardwareMixer': [520, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'unsigned long long'}]], 'pUMPDObj': [56, ['pointer64', ['void']]], 'pSpriteState': [272, ['pointer64', ['void']]], 'EnumTTNotDevice': [516, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'lParamHkCurrent': [568, ['long long']], 'ulDevHTInfoUniqueness': [288, ['unsigned long']], 'ptiSibling': [536, ['pointer64', ['tagTHREADINFO']]], 'psiiList': [504, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'ForceFusion': [520, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long long'}]], 'fSpecialInitialization': [928, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'IncreaseStack': [516, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'pClientID': [72, ['pointer64', ['void']]], }], '_MOVESIZEDATA': [0xf0, { 'fmsKbd': [164, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 
'fMoveFromMax': [164, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fSnapMoving': [164, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'ptRestore': [156, ['tagPOINT']], 'fUsePreviewRect': [164, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long'}]], 'ptStartHitWindowRelative': [208, ['tagPOINT']], 'CurrentHitTarget': [192, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fHasSoftwareCursor': [164, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long'}]], 'fCheckPtForcefullyRestored': [164, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'fSnapMovingTemporaryAllowed': [164, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'Unused': [164, ['BitField', {'end_bit': 32, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'fOffScreen': [164, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'fWindowWasSuperMaximized': [164, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], 'StartCurrentHitTarget': [176, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fSnapSizing': [164, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fIsMoveSizeLoop': [164, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'rcPreviewCursor': [56, ['tagRECT']], 'dyMouse': [140, ['long']], 'fVerticallyMaximizedRight': [164, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'fTrackCancelled': [164, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'impx': [148, ['long']], 'impy': [152, 
['long']], 'fLockWindowUpdate': [164, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'fStartVerticallyMaximizedLeft': [164, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'ptMinTrack': [88, ['tagPOINT']], 'pMonitorCurrentHitTarget': [184, ['pointer64', ['tagMONITOR']]], 'rcWindow': [104, ['tagRECT']], 'pStartMonitorCurrentHitTarget': [168, ['pointer64', ['tagMONITOR']]], 'cmd': [144, ['long']], 'ptMaxTrack': [96, ['tagPOINT']], 'fForceSizing': [164, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'fThresholdSelector': [164, ['BitField', {'end_bit': 18, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'MoveRectStyle': [196, ['Enumeration', {'target': 'long', 'choices': {0: 'MoveRectKeepPositionAtCursor', 1: 'MoveRectMidTopAtCursor', 2: 'MoveRectKeepAspectRatioAtCursor', 3: 'MoveRectSidewiseKeepPositionAtCursor'}}]], 'fDragFullWindows': [164, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'fForeground': [164, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'ulCountDragOutOfLeftRightTarget': [228, ['unsigned long']], 'ptLastTrack': [216, ['tagPOINT']], 'frcNormalCheckPtValid': [164, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'fIsHitPtOffScreen': [164, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'fSnapSizingTemporaryAllowed': [164, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'fInitSize': [164, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'dxMouse': [136, ['long']], 'fStartVerticallyMaximizedRight': [164, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'ulCountDragOutOfTopTarget': [224, ['unsigned long']], 'fVerticallyMaximizedLeft': [164, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'spwnd': [0, 
['pointer64', ['tagWND']]], 'fHasPreviewRect': [164, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'unsigned long'}]], 'rcPreview': [40, ['tagRECT']], 'rcDragCursor': [24, ['tagRECT']], 'Flags': [164, ['unsigned long']], 'ptHitWindowRelative': [200, ['tagPOINT']], 'rcParent': [72, ['tagRECT']], 'ulCountSizeOutOfTopBottomTarget': [232, ['unsigned long']], 'rcNormalStartCheckPt': [120, ['tagRECT']], 'rcDrag': [8, ['tagRECT']], }], '_LARGE_UNICODE_STRING': [0x10, { 'Buffer': [8, ['pointer64', ['unsigned short']]], 'Length': [0, ['unsigned long']], 'MaximumLength': [4, ['BitField', {'end_bit': 31, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'bAnsi': [4, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long'}]], }], 'VSC_LPWSTR': [0x10, { 'vsc': [0, ['unsigned char']], 'pwsz': [8, ['pointer64', ['unsigned short']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION': [0x10, { 'Scaling': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPS_UNINITIALIZED', 1: 'D3DKMDT_VPPS_IDENTITY', 2: 'D3DKMDT_VPPS_CENTERED', 3: 'D3DKMDT_VPPS_STRETCHED', 4: 'D3DKMDT_VPPS_ASPECTRATIOCENTEREDMAX', 5: 'D3DKMDT_VPPS_CUSTOM', 253: 'D3DKMDT_VPPS_RESERVED1', 254: 'D3DKMDT_VPPS_UNPINNED', 255: 'D3DKMDT_VPPS_NOTSPECIFIED'}}]], 'RotationSupport': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT']], 'Rotation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPR_UNINITIALIZED', 1: 'D3DKMDT_VPPR_IDENTITY', 2: 'D3DKMDT_VPPR_ROTATE90', 3: 'D3DKMDT_VPPR_ROTATE180', 4: 'D3DKMDT_VPPR_ROTATE270', 254: 'D3DKMDT_VPPR_UNPINNED', 255: 'D3DKMDT_VPPR_NOTSPECIFIED'}}]], 'ScalingSupport': [4, ['_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT']], }], 'tagUAHMENUPOPUPMETRICS': [0x14, { 'rgcx': [0, ['array', 4, ['long']]], 'fUpdateMaxWidths': [16, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], }], '__unnamed_115b': [0x10, { 'NextEntry': [8, ['BitField', {'end_bit': 64, 'start_bit': 4, 'native_type': 'unsigned long 
long'}]], 'Depth': [0, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Reserved': [8, ['BitField', {'end_bit': 4, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'HeaderType': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 64, 'start_bit': 16, 'native_type': 'unsigned long long'}]], }], '_THROBJHEAD': [0x18, { 'h': [0, ['pointer64', ['void']]], 'pti': [16, ['pointer64', ['tagTHREADINFO']]], 'cLockObj': [8, ['unsigned long']], }], '_DMM_COFUNCPATHSMODALITY_SERIALIZATION': [0x8, { 'NumPathsFromSource': [0, ['unsigned char']], 'PathAndTargetModeSetOffset': [4, ['array', 1, ['unsigned long']]], }], 'tagSBTRACK': [0x68, { 'spwndSBNotify': [24, ['pointer64', ['tagWND']]], 'hTimerSB': [64, ['unsigned long long']], 'cmdSB': [56, ['unsigned long']], 'xxxpfnSB': [48, ['pointer64', ['void']]], 'fTrackVert': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'posNew': [84, ['long']], 'posOld': [80, ['long']], 'fCtlSB': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'rcTrack': [32, ['tagRECT']], 'fTrackRecalc': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'spwndSB': [16, ['pointer64', ['tagWND']]], 'spwndTrack': [8, ['pointer64', ['tagWND']]], 'dpxThumb': [72, ['long']], 'pxOld': [76, ['long']], 'fHitOld': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'pSBCalc': [96, ['pointer64', ['tagSBCALC']]], 'nBar': [88, ['long']], }], '_DMA_ADAPTER': [0x10, { 'Version': [0, ['unsigned short']], 'DmaOperations': [8, ['pointer64', ['_DMA_OPERATIONS']]], 'Size': [2, ['unsigned short']], }], '__unnamed_1217': [0x10, { 'FsInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 
'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'}}]], 'Length': [0, ['unsigned long']], }], 'tagDPISERVERINFO': [0x28, { 'hMsgFont': [16, ['pointer64', ['HFONT__']]], 'hCaptionFont': [8, ['pointer64', ['HFONT__']]], 'gclBorder': [0, ['long']], 'cxMsgFontChar': [24, ['long']], 'wMaxBtnSize': [32, ['unsigned long']], 'cyMsgFontChar': [28, ['long']], }], 'HICON__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNTARGETMODESET_SERIALIZATION': [0x50, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [8, ['array', 1, ['_D3DKMDT_VIDPN_TARGET_MODE']]], }], '__unnamed_16c1': [0x8, { 'ActiveSize': [0, ['_D3DKMDT_2DREGION']], 'MaxPixelRate': [0, ['unsigned long long']], }], '__unnamed_127c': [0x48, { 'Wcb': [0, ['_WAIT_CONTEXT_BLOCK']], 'ListEntry': [0, ['_LIST_ENTRY']], }], '_D3DMATRIX': [0x40, { '_33': [40, ['float']], '_42': [52, ['float']], '_43': [56, ['float']], '_44': [60, ['float']], '_34': [44, ['float']], '_14': [12, ['float']], '_13': [8, ['float']], '_12': [4, ['float']], '_11': [0, ['float']], '_41': [48, ['float']], '_31': [32, ['float']], '_24': [28, ['float']], '_32': [36, ['float']], '_22': [20, ['float']], '_23': [24, ['float']], '_21': [16, ['float']], }], '__unnamed_18a1': [0x20, { 'Text': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_TRF_UNINITIALIZED'}}]], 'Graphics': [0, ['_D3DKMDT_GRAPHICS_RENDERING_FORMAT']], }], 'HGESTUREINFO__': [0x4, { 'unused': [0, ['long']], }], '_VK_TO_FUNCTION_TABLE': [0x84, { 'NLSFEProcType': [1, ['unsigned char']], 'NLSFEProcSwitch': [3, ['unsigned char']], 'Vk': [0, ['unsigned char']], 'NLSFEProcCurrent': [2, ['unsigned char']], 'NLSFEProcAlt': [68, ['array', 8, ['_VK_FUNCTION_PARAM']]], 'NLSFEProc': [4, ['array', 8, ['_VK_FUNCTION_PARAM']]], }], #'__unnamed_16ca': [0x10, { # 'Attrib': [0, ['Enumeration', {'target': 'long', 
'choices': {0: 'WCA_UNDEFINED', 1: 'WCA_NCRENDERING_ENABLED', 2: 'WCA_NCRENDERING_POLICY', 3: 'WCA_TRANSITIONS_FORCEDISABLED', 4: 'WCA_ALLOW_NCPAINT', 5: 'WCA_CAPTION_BUTTON_BOUNDS', 6: 'WCA_NONCLIENT_RTL_LAYOUT', 7: 'WCA_FORCE_ICONIC_REPRESENTATION', 8: 'WCA_FLIP3D_POLICY', 9: 'WCA_EXTENDED_FRAME_BOUNDS', 10: 'WCA_HAS_ICONIC_BITMAP', 11: 'WCA_THEME_ATTRIBUTES', 12: 'WCA_NCRENDERING_EXILED', 13: 'WCA_NCADORNMENTINFO', 14: 'WCA_EXCLUDED_FROM_LIVEPREVIEW', 15: 'WCA_VIDEO_OVERLAY_ACTIVE', 16: 'WCA_FORCE_ACTIVEWINDOW_APPEARANCE', 17: 'WCA_DISALLOW_PEEK', 18: 'WCA_LAST'}}]], # 'cbData': [8, ['unsigned long long']], # }], '_DMM_VIDPNPATHANDTARGETMODESET_SERIALIZATION': [0x1b8, { 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], 'TargetModeSet': [360, ['_DMM_VIDPNTARGETMODESET_SERIALIZATION']], }], 'HDESK__': [0x4, { 'unused': [0, ['long']], }], 'VK_TO_BIT': [0x2, { 'Vk': [0, ['unsigned char']], 'ModBits': [1, ['unsigned char']], }], 'tagIMEINFOEX': [0x160, { 'fSysWow64Only': [348, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'wszImeFile': [188, ['array', 80, ['wchar']]], 'fLoadFlag': [76, ['long']], 'hkl': [0, ['pointer64', ['HKL__']]], 'dwImeWinVersion': [84, ['unsigned long']], 'dwProdVersion': [80, ['unsigned long']], 'wszImeDescription': [88, ['array', 50, ['wchar']]], 'fCUASLayer': [348, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'ImeInfo': [8, ['tagIMEINFO']], 'wszUIClass': [36, ['array', 16, ['wchar']]], 'fInitOpen': [72, ['long']], 'fdwInitConvMode': [68, ['unsigned long']], }], '__unnamed_12e0': [0x2c, { 'InitialPrivilegeSet': [0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet': [0, ['_PRIVILEGE_SET']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT': [0x4, { 'MacroVisionFull': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'MacroVisionApsTrigger': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'NoProtection': [0, ['BitField', 
{'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Reserved': [0, ['BitField', {'end_bit': 32, 'start_bit': 3, 'native_type': 'unsigned long'}]], }], '_SCATTER_GATHER_ELEMENT': [0x18, { 'Length': [8, ['unsigned long']], 'Reserved': [16, ['unsigned long long']], 'Address': [0, ['_LARGE_INTEGER']], }], 'tagWND': [0x128, { 'bEraseBackground': [40, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'spwndOwner': [104, ['pointer64', ['tagWND']]], 'bWS_EX_LAYERED': [48, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bWS_CLIPCHILDREN': [52, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 'bMaximizeButtonDown': [44, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'cbwndExtra': [232, ['long']], 'bMakeVisibleWhenUnghosted': [48, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bUIStateActive': [48, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'long'}]], 'hMod16': [64, ['unsigned short']], 'bWS_TABSTOP': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bUnused8': [52, ['BitField', {'end_bit': 18, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_EX_NOPARENTNOTIFY': [48, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bForceFullNCPaintClipRgn': [44, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'bDialogWindow': [40, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'lpfnWndProc': [144, ['pointer64', ['void']]], 'bWS_EX_RTLREADING': [48, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'bMinimizeButtonDown': [44, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'bUnused2': [48, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bUnused3': [48, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bUnused4': [48, ['BitField', {'end_bit': 25, 
'start_bit': 24, 'native_type': 'long'}]], 'bHasMeun': [40, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bUnused6': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bUnused7': [52, ['BitField', {'end_bit': 18, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_SIZEBOX': [52, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'style': [52, ['unsigned long']], 'ppropList': [168, ['pointer64', ['tagPROPLIST']]], 'hrgnNewFrame': [208, ['pointer64', ['HRGN__']]], 'bHasOverlay': [288, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bUnused9': [52, ['BitField', {'end_bit': 19, 'start_bit': 16, 'native_type': 'long'}]], 'bClipboardListener': [288, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bScrollBarLineDownBtnDown': [44, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bReserved3': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bRedirectedForPrint': [288, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bWS_EX_RIGHT': [48, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bStartPaint': [44, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bHasCreatestructName': [40, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'bWS_EX_COMPOSITED': [48, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 'bFullScreen': [44, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'spwndLastActive': [240, ['pointer64', ['tagWND']]], 'hrgnUpdate': [160, ['pointer64', ['HRGN__']]], 'head': [0, ['_THRDESKHEAD']], 'bConsoleWindow': [288, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'bHiddenPopup': [40, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'hrgnClip': [200, ['pointer64', ['HRGN__']]], 'bWS_EX_CONTROLPARENT': [48, ['BitField', 
{'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_EX_TOPMOST': [48, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'bSendEraseBackground': [40, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bScrollBarLineUpBtnDown': [44, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bWin50Compat': [44, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'bRecievedQuerySuspendMsg': [40, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'long'}]], 'bMaximizeMonitorRegion': [44, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bLayeredLimbo': [288, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'bRedrawIfHung': [40, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'FullScreenMode': [44, ['BitField', {'end_bit': 27, 'start_bit': 24, 'native_type': 'long'}]], 'bLayeredInvalidate': [288, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bVerticallyMaximizedLeft': [288, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'bWS_POPUP': [52, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bWS_EX_CONTEXTHELP': [48, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'dwUserData': [256, ['unsigned long long']], 'bDisabled': [52, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'bAnsiWindowProc': [40, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bWin40Compat': [44, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bWS_EX_NOINHERITLAYOUT': [48, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'rcClient': [128, ['tagRECT']], 'bAnsiCreator': [40, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bAnyScrollButtonDown': [44, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 
'bWS_EX_LAYOUTRTL': [48, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bUIStateKbdAccelHidden': [48, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bSendSizeMoveMsgs': [40, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'spwndParent': [88, ['pointer64', ['tagWND']]], 'bLinked': [288, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'bSendNCPaint': [40, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bToggleTopmost': [40, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'long'}]], 'bInternalPaint': [40, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bDestroyed': [40, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bHasClientEdge': [44, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bServerSideWindowProc': [40, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'bCaptionTextTruncated': [44, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'rcWindow': [112, ['tagRECT']], 'bEndPaintInvalidate': [44, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bHasPalette': [40, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bHasHorizontalScrollbar': [40, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bUIStateFocusRectHidden': [48, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bReserved1': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_COMPOSITEDCompositing': [48, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'bWS_EX_MDICHILD': [48, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bHasVerticalScrollbar': [40, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bReserved2': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 
'native_type': 'long'}]], 'bWMCreateMsgProcessed': [44, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bMinimized': [52, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bWS_EX_NOACTIVATE': [48, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'bWS_EX_APPWINDOW': [48, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'pSBInfo': [176, ['pointer64', ['tagSBINFO']]], 'bSmallIconFromWMQueryDrag': [44, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bNoNCPaint': [40, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bCloseButtonDown': [44, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bUnused1': [48, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bHasSPB': [40, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'bWS_MINIMIZEBOX': [52, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'bMaximized': [52, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'long'}]], 'bScrollBarVerticalTracking': [44, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bWS_CHILD': [52, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bReserved5': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_DLGMODALFRAME': [48, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_TRANSPARENT': [48, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'spmenu': [192, ['pointer64', ['tagMENU']]], 'bWS_THICKFRAME': [52, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'bPaintNotProcessed': [40, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bSyncPaintPending': [40, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'pcls': [152, ['pointer64', ['tagCLS']]], 'bLayeredForDWM': [288, 
['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bMsgBox': [40, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'bShellHookRegistered': [44, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'spwndChild': [96, ['pointer64', ['tagWND']]], 'bUnused5': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bHelpButtonDown': [44, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bInDestroy': [44, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'state': [40, ['unsigned long']], 'strName': [216, ['_LARGE_UNICODE_STRING']], 'spwndPrev': [80, ['pointer64', ['tagWND']]], 'bRedrawFrameIfHung': [40, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'bWS_EX_LEFTSCROLLBAR': [48, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'bWS_EX_TOOLWINDOW': [48, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'bWS_VSCROLL': [52, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bMaximizesToMonitor': [40, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bNoMinmaxAnimatedRects': [44, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'fnid': [66, ['unsigned short']], 'ExStyle': [48, ['unsigned long']], 'bRedirected': [48, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bActiveFrame': [40, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bReserved4': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_WINDOWEDGE': [48, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bReserved6': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bReserved7': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_CLIPSIBLINGS': [52, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 
'long'}]], 'bWS_EX_ACCEPTFILE': [48, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bWS_HSCROLL': [52, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'bUpdateDirty': [40, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'bBeingActivated': [40, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'state2': [44, ['unsigned long']], 'spwndNext': [72, ['pointer64', ['tagWND']]], 'bScrollBarPageDownBtnDown': [44, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'bWS_BORDER': [52, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'bWMPaintSent': [44, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bScrollBarPageUpBtnDown': [44, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'pTransform': [272, ['pointer64', ['_D3DMATRIX']]], 'bWS_MAXIMIZEBOX': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bVisible': [52, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'bVerticallyMaximizedRight': [288, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bWin31Compat': [44, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bWS_EX_STATICEDGE': [48, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'bForceMenuDraw': [40, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bForceNCPaint': [44, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'ExStyle2': [288, ['unsigned long']], 'bOldUI': [44, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'bWS_DLGFRAME': [52, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bHIGHDPI_UNAWARE_Unused': [288, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bWS_SYSMENU': [52, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 
'spwndClipboardListenerNext': [280, ['pointer64', ['tagWND']]], 'hModule': [56, ['pointer64', ['void']]], 'bWS_EX_NOPADDEDBORDER': [48, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'pActCtx': [264, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'bBottomMost': [44, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'spmenuSys': [184, ['pointer64', ['tagMENU']]], 'bRecievedSuspendMsg': [40, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 'bWS_EX_CLIENTEDGE': [48, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bHasCaption': [40, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'hImc': [248, ['pointer64', ['HIMC__']]], 'bChildNoActivate': [288, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bWS_GROUP': [52, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], }], 'tagUAHMENUITEMMETRICS': [0x20, { 'rgsizeBar': [0, ['array', 2, ['tagSIZE']]], 'rgsizePopup': [0, ['array', 4, ['tagSIZE']]], }], '_DXGK_DIAG_CODE_POINT_PACKET': [0x40, { 'Header': [0, ['_DXGK_DIAG_HEADER']], 'Param3': [60, ['unsigned long']], 'Param1': [52, ['unsigned long']], 'CodePointType': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_CODE_POINT_TYPE_NONE', 1: 'DXGK_DIAG_CODE_POINT_TYPE_RECOMMEND_FUNC_VIDPN', 2: 'DXGK_DIAG_CODE_POINT_TYPE_OS_RECOMMENDED_VIDPN', 3: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_LOG_FAILURE', 4: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_INVALIDATE_ERROR', 5: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_LOG_FAILURE', 7: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_FAILURE_DB', 8: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_BTL', 9: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_DB', 10: 'DXGK_DIAG_CODE_POINT_TYPE_QDC_LOG_FAILURE', 11: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_GDI', 12: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_GDI', 13: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_MONITOR', 14: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_MONITOR', 15: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_DIM_MONITOR', 16: 
'DXGK_DIAG_CODE_POINT_TYPE_POWER_UNDIM_MONITOR', 17: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BACKTRACK', 18: 'DXGK_DIAG_CODE_POINT_TYPE_BML_CLOSEST_TARGET_MODE', 19: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_SOURCE_MODE', 20: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_TARGET_MODE', 21: 'DXGK_DIAG_CODE_POINT_TYPE_BML_SOURCE_MODE_NOT_PINNED', 22: 'DXGK_DIAG_CODE_POINT_TYPE_BML_TARGET_MODE_NOT_PINNED', 23: 'DXGK_DIAG_CODE_POINT_TYPE_BML_RESTARTED', 24: 'DXGK_DIAG_CODE_POINT_TYPE_TDR', 25: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_EVENT_NOTIFICATION', 26: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEMDEV_USE_DEFAULT_MODE', 27: 'DXGK_DIAG_CODE_POINT_TYPE_CONNECTED_SET_LOG_FAILURE', 28: 'DXGK_DIAG_CODE_POINT_TYPE_INVALIDATE_DXGK_MODE_CACHE', 29: 'DXGK_DIAG_CODE_POINT_TYPE_REBUILD_DXGK_MODE_CACHE', 30: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_RELAX_REFRESH_MATCH', 31: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_CCDBML_FAIL_VISTABML_SUCCESSED', 32: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_SOURCE_MODE', 33: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_TARGET_MODE', 34: 'DXGK_DIAG_CODE_POINT_TYPE_ADD_DEVICE', 35: 'DXGK_DIAG_CODE_POINT_TYPE_START_ADAPTER', 36: 'DXGK_DIAG_CODE_POINT_TYPE_STOP_ADAPTER', 37: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING', 38: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING_TARGET', 39: 'DXGK_DIAG_CODE_POINT_TYPE_INDICATE_CHILD_STATUS', 40: 'DXGK_DIAG_CODE_POINT_TYPE_HANDLE_IRP', 41: 'DXGK_DIAG_CODE_POINT_TYPE_CHANGE_UNSUPPORTED_MONITOR_MODE_FLAG', 42: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_NOTIFY_CALLBACK', 43: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_DISABLEGDI', 44: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_ENABLEGDI', 45: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_MODESWITCH', 46: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_SYNC_MONITOR_EVENT', 47: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_NOTIFY_GDI', 48: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_ENABLE_VGA', 49: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_TDR_SWITCH_GDI', 50: 
'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_CREATE_DEVICE_FAILED', 51: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DEVICE_REMOVED', 52: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DRVASSERTMODE_TRUE_FAILED', 53: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_RECREATE_DEVICE_FAILED', 54: 'DXGK_DIAG_CODE_POINT_TYPE_CDD_MAPSHADOWBUFFER_FAILED', 55: 'DXGK_DIAG_CODE_POINT_TYPE_COMMIT_VIDPN_LOG_FAILURE', 56: 'DXGK_DIAG_CODE_POINT_TYPE_DRIVER_RECOMMEND_LOG_FAILURE', 57: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_ENFORCED_CLONE_PATH_INVALID_SOURCE_IDX', 58: 'DXGK_DIAG_CODE_POINT_TYPE_DRVPROBEANDCAPTURE_FAILED', 59: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKCDDENABLE_OPTIMIZED_MODE_CHANGE', 60: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKSETDISPLAYMODE_OPTIMIZED_MODE_CHANGE', 61: 'DXGK_DIAG_CODE_POINT_TYPE_MON_DEPART_GETRECENTTOP_FAIL', 62: 'DXGK_DIAG_CODE_POINT_TYPE_MON_ARRIVE_INC_ADD_FAIL', 63: 'DXGK_DIAG_CODE_POINT_TYPE_CCD_DATABASE_PERSIST', 64: 'DXGK_DIAG_CODE_POINT_TYPE_MAX', -1: 'DXGK_DIAG_CODE_POINT_TYPE_FORCE_UINT32'}}]], 'Param2': [56, ['unsigned long']], }], 'tagW32JOB': [0x40, { 'restrictions': [24, ['unsigned long']], 'Job': [8, ['pointer64', ['_EJOB']]], 'ughCrt': [48, ['unsigned long']], 'pgh': [56, ['pointer64', ['unsigned long long']]], 'ppiTable': [40, ['pointer64', ['pointer64', ['tagPROCESSINFO']]]], 'ughMax': [52, ['unsigned long']], 'pAtomTable': [16, ['pointer64', ['void']]], 'uProcessCount': [28, ['unsigned long']], 'uMaxProcesses': [32, ['unsigned long']], 'pNext': [0, ['pointer64', ['tagW32JOB']]], }], 'tagMBSTRING': [0x28, { 'szName': [0, ['array', 15, ['wchar']]], 'uID': [32, ['unsigned long']], 'uStr': [36, ['unsigned long']], }], '_D3DKMDT_VIDPN_TARGET_MODE': [0x48, { 'VideoSignalInfo': [8, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'Id': [0, ['unsigned long']], 'Preference': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], }], '__unnamed_124f': [0x4, { 'PowerState': [0, ['Enumeration', 
{'target': 'long', 'choices': {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'}}]], }], '__unnamed_124b': [0x10, { 'Type': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'}}]], 'Reserved': [1, ['array', 3, ['unsigned char']]], 'InPath': [0, ['unsigned char']], }], 'tagDESKTOP': [0xe0, { 'spmenuVScroll': [80, ['pointer64', ['tagMENU']]], 'dwMouseHoverTime': [212, ['unsigned long']], 'rpwinstaParent': [32, ['pointer64', ['tagWINDOWSTATION']]], 'spmenuDialogSys': [64, ['pointer64', ['tagMENU']]], 'spwndForeground': [88, ['pointer64', ['tagWND']]], 'spmenuHScroll': [72, ['pointer64', ['tagMENU']]], 'spwndTooltip': [112, ['pointer64', ['tagWND']]], 'dwSessionId': [0, ['unsigned long']], 'pDeskInfo': [8, ['pointer64', ['tagDESKTOPINFO']]], 'spwndMessage': [104, ['pointer64', ['tagWND']]], 'cciConsole': [144, ['_CONSOLE_CARET_INFO']], 'PtiList': [168, ['_LIST_ENTRY']], 'spwndTray': [96, ['pointer64', ['tagWND']]], 'rpdeskNext': [24, ['pointer64', ['tagDESKTOP']]], 'dwDTFlags': [40, ['unsigned long']], 'pMagInputTransform': [216, ['pointer64', ['_MAGNIFICATION_INPUT_TRANSFORM']]], 'spwndTrack': [184, ['pointer64', ['tagWND']]], 'htEx': [192, ['long']], 'ulHeapSize': [136, ['unsigned long']], 'pheapDesktop': [128, ['pointer64', ['tagWIN32HEAP']]], 'hsectionDesktop': [120, ['pointer64', ['void']]], 'rcMouseHover': [196, ['tagRECT']], 'dwDesktopId': [48, ['unsigned long long']], 'spmenuSys': [56, ['pointer64', ['tagMENU']]], 'pDispInfo': [16, ['pointer64', ['tagDISPLAYINFO']]], }], 'tagPOOLRECORD': [0x40, { 'ExtraData': [0, ['pointer64', ['void']]], 'trace': [16, ['array', 6, ['pointer64', ['void']]]], 'size': [8, ['unsigned long long']], }], 'tagSPB': [0x40, { 'hbm': [16, ['pointer64', 
['HBITMAP__']]], 'hrgn': [40, ['pointer64', ['HRGN__']]], 'ulSaveId': [56, ['unsigned long long']], 'flags': [48, ['unsigned long']], 'rc': [24, ['tagRECT']], 'pspbNext': [0, ['pointer64', ['tagSPB']]], 'spwnd': [8, ['pointer64', ['tagWND']]], }], '_DMM_COMMITVIDPNREQUEST_DIAGINFO': [0xc, { 'CleanupAfterFailedCommitVidPn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned char'}]], 'ModeChangeRequestId': [8, ['unsigned long']], 'ReclaimClonedTarget': [4, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned char'}]], 'ForceAllActiveVidPnModeListInvalidation': [4, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned char'}]], }], 'HFONT__': [0x4, { 'unused': [0, ['long']], }], 'tagTEXTMETRICW': [0x3c, { 'tmCharSet': [56, ['unsigned char']], 'tmDigitizedAspectY': [40, ['long']], 'tmStruckOut': [54, ['unsigned char']], 'tmItalic': [52, ['unsigned char']], 'tmDigitizedAspectX': [36, ['long']], 'tmWeight': [28, ['long']], 'tmFirstChar': [44, ['wchar']], 'tmOverhang': [32, ['long']], 'tmDescent': [8, ['long']], 'tmPitchAndFamily': [55, ['unsigned char']], 'tmDefaultChar': [48, ['wchar']], 'tmLastChar': [46, ['wchar']], 'tmBreakChar': [50, ['wchar']], 'tmMaxCharWidth': [24, ['long']], 'tmUnderlined': [53, ['unsigned char']], 'tmInternalLeading': [12, ['long']], 'tmAscent': [4, ['long']], 'tmHeight': [0, ['long']], 'tmAveCharWidth': [20, ['long']], 'tmExternalLeading': [16, ['long']], }], '_KLIST_ENTRY': [0x10, { 'Flink': [0, ['pointer64', ['_KLIST_ENTRY']]], 'Blink': [8, ['pointer64', ['_KLIST_ENTRY']]], }], '__unnamed_1247': [0x10, { 'DeviceTextType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'}}]], 'LocaleId': [8, ['unsigned long']], }], 'tagPROP': [0x10, { 'fs': [10, ['unsigned short']], 'hData': [0, ['pointer64', ['void']]], 'atomKey': [8, ['unsigned short']], }], '__unnamed_1243': [0x4, { 'IdType': [0, ['Enumeration', {'target': 'long', 
'choices': {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'}}]], }], '__unnamed_123d': [0x20, { 'Buffer': [8, ['pointer64', ['void']]], 'WhichSpace': [0, ['unsigned long']], 'Length': [24, ['unsigned long']], 'Offset': [16, ['unsigned long']], }], 'tagCLIENTTHREADINFO': [0x10, { 'fsWakeMask': [10, ['unsigned short']], 'CTIF_flags': [0, ['unsigned long']], 'fsWakeBits': [6, ['unsigned short']], 'fsWakeBitsJournal': [8, ['unsigned short']], 'fsChangeBits': [4, ['unsigned short']], 'tickLastMsgChecked': [12, ['unsigned long']], }], 'tagKbdNlsLayer': [0x20, { 'OEMIdentifier': [0, ['unsigned short']], 'NumOfVkToF': [4, ['unsigned long']], 'pusMouseVKey': [24, ['pointer64', ['unsigned short']]], 'NumOfMouseVKey': [16, ['long']], 'pVkToF': [8, ['pointer64', ['_VK_TO_FUNCTION_TABLE']]], 'LayoutInformation': [2, ['unsigned short']], }], 'HBITMAP__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_11ff': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'EaLength': [24, ['unsigned long']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'FileAttributes': [16, ['unsigned short']], }], 'tagPROCESS_HID_TABLE': [0x68, { 'UsagePageLast': [96, ['unsigned short']], 'fExclusiveMouseSink': [100, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'fRawKeyboardSink': [100, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'fAppKeys': [100, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'fCaptureMouse': [100, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'fNoLegacyMouse': [100, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'UsageLast': [98, ['unsigned short']], 'fRawKeyboard': [100, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'fNoLegacyKeyboard': [100, ['BitField', {'end_bit': 6, 
'start_bit': 5, 'native_type': 'long'}]], 'nSinks': [80, ['long']], 'fNoHotKeys': [100, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'spwndTargetMouse': [64, ['pointer64', ['tagWND']]], 'spwndTargetKbd': [72, ['pointer64', ['tagWND']]], 'UsagePageList': [32, ['_LIST_ENTRY']], 'link': [0, ['_LIST_ENTRY']], 'fExclusiveKeyboardSink': [100, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'pLastRequest': [88, ['pointer64', ['tagPROCESS_HID_REQUEST']]], 'ExclusionList': [48, ['_LIST_ENTRY']], 'fRawMouse': [100, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'fRawMouseSink': [100, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'InclusionList': [16, ['_LIST_ENTRY']], }], '__unnamed_1809': [0x10, { 'Affinity': [8, ['unsigned long long']], 'Vector': [4, ['unsigned long']], 'Group': [0, ['unsigned short']], 'MessageCount': [2, ['unsigned short']], }], '_KFLOATING_SAVE': [0x4, { 'Dummy': [0, ['unsigned long']], }], 'tagRECT': [0x10, { 'top': [4, ['long']], 'right': [8, ['long']], 'bottom': [12, ['long']], 'left': [0, ['long']], }], '__unnamed_1807': [0x10, { 'Affinity': [8, ['unsigned long long']], 'Vector': [4, ['unsigned long']], 'Group': [2, ['unsigned short']], 'Level': [0, ['unsigned short']], }], 'HBRUSH__': [0x4, { 'unused': [0, ['long']], }], '_TLSPRITESTATE': [0xa8, { 'flOriginalSurfFlags': [4, ['unsigned long']], 'iSpriteType': [16, ['unsigned long']], 'pfnSaveScreenBits': [144, ['pointer64', ['void']]], 'bInsideDriverCall': [0, ['unsigned char']], 'pfnStrokePath': [48, ['pointer64', ['void']]], 'pfnTransparentBlt': [112, ['pointer64', ['void']]], 'pfnPaint': [64, ['pointer64', ['void']]], 'pfnFillPath': [56, ['pointer64', ['void']]], 'pfnStretchBltROP': [152, ['pointer64', ['void']]], 'iType': [24, ['unsigned long']], 'pfnPlgBlt': [128, ['pointer64', ['void']]], 'pfnCopyBits': [80, ['pointer64', ['void']]], 'pState': [32, ['pointer64', ['void']]], 'iOriginalType': [8, 
['unsigned long']], 'pfnTextOut': [96, ['pointer64', ['void']]], 'pfnDrawStream': [160, ['pointer64', ['void']]], 'pfnStrokeAndFillPath': [40, ['pointer64', ['void']]], 'pfnLineTo': [104, ['pointer64', ['void']]], 'pfnStretchBlt': [88, ['pointer64', ['void']]], 'pfnGradientFill': [136, ['pointer64', ['void']]], 'pfnAlphaBlend': [120, ['pointer64', ['void']]], 'flags': [20, ['unsigned long']], 'flSpriteSurfFlags': [12, ['unsigned long']], 'pfnBitBlt': [72, ['pointer64', ['void']]], }], 'tagSMS': [0x70, { 'wParam': [72, ['unsigned long long']], 'lParam': [80, ['long long']], 'lRet': [56, ['long long']], 'psmsReceiveNext': [8, ['pointer64', ['tagSMS']]], 'tSent': [64, ['unsigned long']], 'psmsNext': [0, ['pointer64', ['tagSMS']]], 'ptiCallBackSender': [48, ['pointer64', ['tagTHREADINFO']]], 'ptiReceiver': [24, ['pointer64', ['tagTHREADINFO']]], 'lpResultCallBack': [32, ['pointer64', ['void']]], 'message': [88, ['unsigned long']], 'dwData': [40, ['unsigned long long']], 'ptiSender': [16, ['pointer64', ['tagTHREADINFO']]], 'flags': [68, ['unsigned long']], 'pvCapture': [104, ['pointer64', ['void']]], 'spwnd': [96, ['pointer64', ['tagWND']]], }], '_D3DKMDT_FREQUENCY_RANGE': [0x20, { 'MinVSyncFreq': [0, ['_D3DDDI_RATIONAL']], 'MaxVSyncFreq': [8, ['_D3DDDI_RATIONAL']], 'MaxHSyncFreq': [24, ['_D3DDDI_RATIONAL']], 'MinHSyncFreq': [16, ['_D3DDDI_RATIONAL']], }], '__unnamed_11f8': [0x58, { 'Apc': [0, ['_KAPC']], 'CompletionKey': [0, ['pointer64', ['void']]], 'Overlay': [0, ['__unnamed_11f5']], }], '__unnamed_18bf': [0x4, { 'BaseMiddle': [0, ['unsigned char']], 'BaseHigh': [3, ['unsigned char']], 'Flags1': [1, ['unsigned char']], 'Flags2': [2, ['unsigned char']], }], '__unnamed_11f5': [0x50, { 'AuxiliaryBuffer': [40, ['pointer64', ['unsigned char']]], 'Thread': [32, ['pointer64', ['_ETHREAD']]], 'OriginalFileObject': [72, ['pointer64', ['_FILE_OBJECT']]], 'DeviceQueueEntry': [0, ['_KDEVICE_QUEUE_ENTRY']], 'PacketType': [64, ['unsigned long']], 'CurrentStackLocation': [64, 
['pointer64', ['_IO_STACK_LOCATION']]], 'ListEntry': [48, ['_LIST_ENTRY']], 'DriverContext': [0, ['array', 4, ['pointer64', ['void']]]], }], 'HRGN__': [0x4, { 'unused': [0, ['long']], }], 'tagSIZE': [0x8, { 'cy': [4, ['long']], 'cx': [0, ['long']], }], 'tagDESKTOPVIEW': [0x18, { 'ulClientDelta': [16, ['unsigned long long']], 'pdesk': [8, ['pointer64', ['tagDESKTOP']]], 'pdvNext': [0, ['pointer64', ['tagDESKTOPVIEW']]], }], '__unnamed_180b': [0x10, { 'Translated': [0, ['__unnamed_1807']], 'Raw': [0, ['__unnamed_1809']], }], '__unnamed_180d': [0xc, { 'Reserved1': [8, ['unsigned long']], 'Port': [4, ['unsigned long']], 'Channel': [0, ['unsigned long']], }], 'MODIFIERS': [0x10, { 'wMaxModBits': [8, ['unsigned short']], 'pVkToBit': [0, ['pointer64', ['VK_TO_BIT']]], 'ModNumber': [10, ['array', 0, ['unsigned char']]], }], '__unnamed_120f': [0x10, { 'CompletionFilter': [8, ['unsigned long']], 'Length': [0, ['unsigned long']], }], '__unnamed_120d': [0x20, { 'Length': [0, ['unsigned long']], 'FileIndex': [24, ['unsigned long']], 'FileInformationClass': [16, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 
30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'FileName': [8, ['pointer64', ['_UNICODE_STRING']]], }], '_DMM_VIDPNPATHSFROMSOURCE_SERIALIZATION': [0x1e0, { 'PathAndTargetModeSerialization': [48, ['array', 1, ['_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION']]], 'NumPathsFromSource': [40, ['unsigned char']], 'SourceMode': [0, ['_D3DKMDT_VIDPN_SOURCE_MODE']], }], '_D3DDDI_GAMMA_RAMP_RGB256x3x16': [0x600, { 'Blue': [1024, ['array', 256, ['unsigned short']]], 'Green': [512, ['array', 256, ['unsigned short']]], 'Red': [0, ['array', 256, ['unsigned short']]], }], '_CALLPROCDATA': [0x40, { 'head': [0, ['_PROCDESKHEAD']], 'pfnClientPrevious': [48, ['unsigned long long']], 'wType': [56, ['unsigned short']], 'spcpdNext': [40, ['pointer64', ['_CALLPROCDATA']]], }], '_D3DDDI_RATIONAL': [0x8, { 'Denominator': [4, ['unsigned long']], 'Numerator': [0, ['unsigned long']], }], '_PFNCLIENT': [0xb8, { 'pfnDispatchDefWindowProc': [160, ['pointer64', ['void']]], 'pfnStaticWndProc': [112, ['pointer64', ['void']]], 'pfnDispatchHook': [152, ['pointer64', ['void']]], 
'pfnDesktopWndProc': [24, ['pointer64', ['void']]], 'pfnImeWndProc': [120, ['pointer64', ['void']]], 'pfnScrollBarWndProc': [0, ['pointer64', ['void']]], 'pfnEditWndProc': [88, ['pointer64', ['void']]], 'pfnGhostWndProc': [128, ['pointer64', ['void']]], 'pfnMessageWindowProc': [40, ['pointer64', ['void']]], 'pfnSwitchWindowProc': [48, ['pointer64', ['void']]], 'pfnComboListBoxProc': [72, ['pointer64', ['void']]], 'pfnComboBoxWndProc': [64, ['pointer64', ['void']]], 'pfnMDIClientWndProc': [104, ['pointer64', ['void']]], 'pfnDialogWndProc': [80, ['pointer64', ['void']]], 'pfnHkINLPCWPSTRUCT': [136, ['pointer64', ['void']]], 'pfnTitleWndProc': [8, ['pointer64', ['void']]], 'pfnHkINLPCWPRETSTRUCT': [144, ['pointer64', ['void']]], 'pfnButtonWndProc': [56, ['pointer64', ['void']]], 'pfnMenuWndProc': [16, ['pointer64', ['void']]], 'pfnListBoxWndProc': [96, ['pointer64', ['void']]], 'pfnDispatchMessage': [168, ['pointer64', ['void']]], 'pfnDefWindowProc': [32, ['pointer64', ['void']]], 'pfnMDIActivateDlgProc': [176, ['pointer64', ['void']]], }], '_THRDESKHEAD': [0x28, { 'h': [0, ['pointer64', ['void']]], 'pSelf': [32, ['pointer64', ['unsigned char']]], 'rpdesk': [24, ['pointer64', ['tagDESKTOP']]], 'pti': [16, ['pointer64', ['tagTHREADINFO']]], 'cLockObj': [8, ['unsigned long']], }], '_D3DKMDT_MONITOR_SOURCE_MODE': [0x60, { 'Origin': [84, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'VideoSignalInfo': [8, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'ColorCoeffDynamicRanges': [68, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'Preference': [88, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], 'Id': [0, ['unsigned long']], 'ColorBasis': [64, ['Enumeration', {'target': 
'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], 'VWPL': [0x10, { 'fTagged': [12, ['long']], 'cElem': [4, ['unsigned long']], 'cThreshhold': [8, ['unsigned long']], 'aElement': [16, ['array', 0, ['VWPLELEMENT']]], 'cPwnd': [0, ['unsigned long']], }], 'tagCURSOR': [0x88, { 'rt': [58, ['unsigned short']], 'head': [0, ['_PROCMARKHEAD']], 'hbmUserAlpha': [112, ['pointer64', ['HBITMAP__']]], 'cx': [124, ['unsigned long']], 'xHotspot': [68, ['short']], 'hbmColor': [80, ['pointer64', ['HBITMAP__']]], 'pcurNext': [32, ['pointer64', ['tagCURSOR']]], 'CURSORF_flags': [64, ['unsigned long']], 'hbmMask': [72, ['pointer64', ['HBITMAP__']]], 'bpp': [120, ['unsigned long']], 'cy': [128, ['unsigned long']], 'strName': [40, ['_UNICODE_STRING']], 'rcBounds': [96, ['tagRECT']], 'atomModName': [56, ['unsigned short']], 'hbmAlpha': [88, ['pointer64', ['HBITMAP__']]], 'yHotspot': [70, ['short']], }], '__unnamed_1203': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'Reserved': [16, ['unsigned short']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'Parameters': [24, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], }], '__unnamed_1207': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'Reserved': [16, ['unsigned short']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'Parameters': [24, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], }], 'HKL__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_1209': [0x18, { 'Length': [0, ['unsigned long']], 'ByteOffset': [16, ['_LARGE_INTEGER']], 'Key': [8, ['unsigned long']], }], 'tagDCE': [0x60, { 'hrgnClipPublic': [48, ['pointer64', ['HRGN__']]], 'pdceNext': [0, ['pointer64', ['tagDCE']]], 'hrgnSavedVis': [56, ['pointer64', ['HRGN__']]], 'pwndRedirect': [32, ['pointer64', ['tagWND']]], 'pMonitor': [88, 
['pointer64', ['tagMONITOR']]], 'ppiOwner': [80, ['pointer64', ['tagPROCESSINFO']]], 'pwndOrg': [16, ['pointer64', ['tagWND']]], 'hrgnClip': [40, ['pointer64', ['HRGN__']]], 'hdc': [8, ['pointer64', ['HDC__']]], 'ptiOwner': [72, ['pointer64', ['tagTHREADINFO']]], 'DCX_flags': [64, ['unsigned long']], 'pwndClip': [24, ['pointer64', ['tagWND']]], }], 'tagPROCESS_HID_REQUEST': [0x28, { 'link': [0, ['_LIST_ENTRY']], 'fExclusiveOrphaned': [20, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'spwndTarget': [32, ['pointer64', ['tagWND']]], 'fSinkable': [20, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'pTLCInfo': [24, ['pointer64', ['tagHID_TLC_INFO']]], 'fDevNotify': [20, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'fExSinkable': [20, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'usUsage': [18, ['unsigned short']], 'ptr': [24, ['pointer64', ['void']]], 'pPORequest': [24, ['pointer64', ['tagHID_PAGEONLY_REQUEST']]], 'usUsagePage': [16, ['unsigned short']], }], 'tagWOWTHREADINFO': [0x28, { 'idParentProcess': [24, ['unsigned long']], 'pwtiNext': [0, ['pointer64', ['tagWOWTHREADINFO']]], 'idTask': [8, ['unsigned long']], 'pIdleEvent': [32, ['pointer64', ['_KEVENT']]], 'idWaitObject': [16, ['unsigned long long']], }], '__unnamed_1962': [0x18, { 'Dma': [0, ['__unnamed_1956']], 'Generic': [0, ['__unnamed_1950']], 'Memory': [0, ['__unnamed_1950']], 'BusNumber': [0, ['__unnamed_1958']], 'Memory48': [0, ['__unnamed_195e']], 'Memory40': [0, ['__unnamed_195c']], 'DevicePrivate': [0, ['__unnamed_180f']], 'ConfigData': [0, ['__unnamed_195a']], 'Memory64': [0, ['__unnamed_1960']], 'Interrupt': [0, ['__unnamed_1954']], 'Port': [0, ['__unnamed_1950']], }], '__unnamed_1960': [0x18, { 'Length64': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment64': [4, ['unsigned long']], }], 'tagSBDATA': [0x10, { 'posMax': [4, ['long']], 
'posMin': [0, ['long']], 'page': [8, ['long']], 'pos': [12, ['long']], }], '__unnamed_1233': [0x20, { 'Interface': [16, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData': [24, ['pointer64', ['void']]], 'Version': [10, ['unsigned short']], 'InterfaceType': [0, ['pointer64', ['_GUID']]], 'Size': [8, ['unsigned short']], }], '__unnamed_1237': [0x8, { 'Capabilities': [0, ['pointer64', ['_DEVICE_CAPABILITIES']]], }], 'tagIMEINFO': [0x1c, { 'fdwProperty': [4, ['unsigned long']], 'fdwSelectCaps': [24, ['unsigned long']], 'fdwUICaps': [16, ['unsigned long']], 'dwPrivateDataSize': [0, ['unsigned long']], 'fdwSCSCaps': [20, ['unsigned long']], 'fdwSentenceCaps': [12, ['unsigned long']], 'fdwConversionCaps': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_SOURCE_MODE': [0x28, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_RMT_UNINITIALIZED', 1: 'D3DKMDT_RMT_GRAPHICS', 2: 'D3DKMDT_RMT_TEXT'}}]], 'Id': [0, ['unsigned long']], 'Format': [8, ['__unnamed_18a1']], }], '_PROCMARKHEAD': [0x20, { 'h': [0, ['pointer64', ['void']]], 'ppi': [24, ['pointer64', ['tagPROCESSINFO']]], 'hTaskWow': [16, ['unsigned long']], 'cLockObj': [8, ['unsigned long']], }], 'tagKBDFILE': [0x78, { 'head': [0, ['_HEAD']], 'awchDllName': [56, ['array', 32, ['wchar']]], 'pKbdTbl': [32, ['pointer64', ['tagKbdLayer']]], 'pkfNext': [16, ['pointer64', ['tagKBDFILE']]], 'pKbdNlsTbl': [48, ['pointer64', ['tagKbdNlsLayer']]], 'hBase': [24, ['pointer64', ['void']]], 'Size': [40, ['unsigned long']], }], 'tagCLIENTINFO': [0xd8, { 'msgDbcsCB': [160, ['tagMSG']], 'dwCompatFlags': [20, ['unsigned long']], 'achDbcsCF': [154, ['array', 2, ['unsigned char']]], 'dwTIFlags': [28, ['unsigned long']], 'pClientThreadInfo': [96, ['pointer64', ['tagCLIENTTHREADINFO']]], 'CodePage': [152, ['unsigned short']], 'dwKeyCache': [112, ['unsigned long']], 'dwHookCurrent': [88, ['unsigned long']], 'afAsyncKeyStateRecentDown': [136, ['array', 8, ['unsigned char']]], 'dwCompatFlags2': [24, ['unsigned long']], 
'fsHooks': [56, ['unsigned long']], 'ulClientDelta': [40, ['unsigned long long']], 'pDeskInfo': [32, ['pointer64', ['tagDESKTOPINFO']]], 'dwExpWinVer': [16, ['unsigned long']], 'dwHookData': [104, ['unsigned long long']], 'afAsyncKeyState': [128, ['array', 8, ['unsigned char']]], 'CallbackWnd': [64, ['_CALLBACKWND']], 'lpdwRegisteredClasses': [208, ['pointer64', ['unsigned long']]], 'cInDDEMLCallback': [92, ['long']], 'cSpins': [8, ['unsigned long long']], 'hKL': [144, ['pointer64', ['HKL__']]], 'dwAsyncKeyCache': [124, ['unsigned long']], 'afKeyState': [116, ['array', 8, ['unsigned char']]], 'CI_flags': [0, ['unsigned long long']], 'phkCurrent': [48, ['pointer64', ['tagHOOK']]], }], 'tagCLS': [0xa0, { 'spcur': [120, ['pointer64', ['tagCURSOR']]], 'cbwndExtra': [100, ['long']], 'pclsClone': [72, ['pointer64', ['tagCLS']]], 'lpszClientAnsiMenuName': [40, ['pointer64', ['unsigned char']]], 'pclsBase': [64, ['pointer64', ['tagCLS']]], 'atomNVClassName': [10, ['unsigned short']], 'style': [84, ['unsigned long']], 'pclsNext': [0, ['pointer64', ['tagCLS']]], 'CSF_flags': [34, ['unsigned short']], 'lpfnWndProc': [88, ['pointer64', ['void']]], 'lpszAnsiClassName': [144, ['pointer64', ['unsigned char']]], 'spcpdFirst': [56, ['pointer64', ['_CALLPROCDATA']]], 'lpszClientUnicodeMenuName': [48, ['pointer64', ['unsigned short']]], 'cbclsExtra': [96, ['long']], 'lpszMenuName': [136, ['pointer64', ['unsigned short']]], 'spicnSm': [152, ['pointer64', ['tagCURSOR']]], 'hTaskWow': [32, ['unsigned short']], 'cWndReferenceCount': [80, ['long']], 'hbrBackground': [128, ['pointer64', ['HBRUSH__']]], 'spicn': [112, ['pointer64', ['tagCURSOR']]], 'fnid': [12, ['unsigned short']], 'pdce': [24, ['pointer64', ['tagDCE']]], 'hModule': [104, ['pointer64', ['void']]], 'rpdeskParent': [16, ['pointer64', ['tagDESKTOP']]], 'atomClassName': [8, ['unsigned short']], }], '_DMM_VIDPN_SERIALIZATION': [0xc, { 'PathsFromSourceSerializationOffsets': [8, ['array', 1, ['unsigned long']]], 
'NumActiveSources': [4, ['unsigned char']], 'Size': [0, ['unsigned long']], }], 'tagHID_PAGEONLY_REQUEST': [0x18, { 'usUsagePage': [16, ['unsigned short']], 'link': [0, ['_LIST_ENTRY']], 'cRefCount': [20, ['unsigned long']], }], 'tagWINDOWSTATION': [0x98, { 'pClipBase': [88, ['pointer64', ['tagCLIP']]], 'dwSessionId': [0, ['unsigned long']], 'cNumClipFormats': [96, ['unsigned long']], 'luidUser': [136, ['_LUID']], 'pGlobalAtomTable': [120, ['pointer64', ['void']]], 'ptiClipLock': [48, ['pointer64', ['tagTHREADINFO']]], 'dwWSF_Flags': [32, ['unsigned long']], 'rpdeskList': [16, ['pointer64', ['tagDESKTOP']]], 'spklList': [40, ['pointer64', ['tagKL']]], 'spwndClipOpen': [64, ['pointer64', ['tagWND']]], 'luidEndSession': [128, ['_LUID']], 'pTerm': [24, ['pointer64', ['tagTERMINAL']]], 'rpwinstaNext': [8, ['pointer64', ['tagWINDOWSTATION']]], 'spwndClipboardListener': [112, ['pointer64', ['tagWND']]], 'spwndClipViewer': [72, ['pointer64', ['tagWND']]], 'iClipSequenceNumber': [104, ['unsigned long']], 'ptiDrawingClipboard': [56, ['pointer64', ['tagTHREADINFO']]], 'spwndClipOwner': [80, ['pointer64', ['tagWND']]], 'psidUser': [144, ['pointer64', ['void']]], 'iClipSerialNumber': [100, ['unsigned long']], }], '__unnamed_11e4': [0x10, { 'UserApcContext': [8, ['pointer64', ['void']]], 'UserApcRoutine': [0, ['pointer64', ['void']]], 'IssuingProcess': [0, ['pointer64', ['void']]], }], 'tagPROFILEVALUEINFO': [0x10, { 'dwValue': [0, ['unsigned long']], 'uSection': [4, ['unsigned long']], 'pwszKeyName': [8, ['pointer64', ['wchar']]], }], 'tagOEMBITMAPINFO': [0x10, { 'y': [4, ['long']], 'x': [0, ['long']], 'cy': [12, ['long']], 'cx': [8, ['long']], }], '_DMM_COMMITVIDPNREQUEST_SERIALIZATION': [0x1c, { 'RequestDiagInfo': [4, ['_DMM_COMMITVIDPNREQUEST_DIAGINFO']], 'AffectedVidPnSourceId': [0, ['unsigned long']], 'VidPnSerialization': [16, ['_DMM_VIDPN_SERIALIZATION']], }], '_WNDMSG': [0x10, { 'abMsgs': [8, ['pointer64', ['unsigned char']]], 'maxMsgs': [0, ['unsigned long']], }], 
'tagTDB': [0x28, { 'pti': [16, ['pointer64', ['tagTHREADINFO']]], 'TDB_Flags': [34, ['unsigned short']], 'hTaskWow': [32, ['unsigned short']], 'pwti': [24, ['pointer64', ['tagWOWTHREADINFO']]], 'nEvents': [8, ['long']], 'nPriority': [12, ['long']], 'ptdbNext': [0, ['pointer64', ['tagTDB']]], }], '_LIGATURE1': [0x6, { 'wch': [4, ['array', 1, ['wchar']]], 'VirtualKey': [0, ['unsigned char']], 'ModificationNumber': [2, ['unsigned short']], }], '_D3DKMDT_VIDPN_PRESENT_PATH': [0x168, { 'GammaRamp': [336, ['_D3DKMDT_GAMMA_RAMP']], 'VidPnSourceId': [0, ['unsigned long']], 'Content': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPC_UNINITIALIZED', 1: 'D3DKMDT_VPPC_GRAPHICS', 2: 'D3DKMDT_VPPC_VIDEO', 255: 'D3DKMDT_VPPC_NOTSPECIFIED'}}]], 'VisibleFromActiveBROffset': [36, ['_D3DKMDT_2DREGION']], 'VidPnTargetColorBasis': [44, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], 'ContentTransformation': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION']], 'VidPnTargetId': [4, ['unsigned long']], 'VisibleFromActiveTLOffset': [28, ['_D3DKMDT_2DREGION']], 'CopyProtection': [68, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION']], 'VidPnTargetColorCoeffDynamicRanges': [48, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'ImportanceOrdinal': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPI_UNINITIALIZED', 1: 'D3DKMDT_VPPI_PRIMARY', 2: 'D3DKMDT_VPPI_SECONDARY', 3: 'D3DKMDT_VPPI_TERTIARY', 4: 'D3DKMDT_VPPI_QUATERNARY', 5: 'D3DKMDT_VPPI_QUINARY', 6: 'D3DKMDT_VPPI_SENARY', 7: 'D3DKMDT_VPPI_SEPTENARY', 8: 'D3DKMDT_VPPI_OCTONARY', 9: 'D3DKMDT_VPPI_NONARY', 10: 'D3DKMDT_VPPI_DENARY', 32: 'D3DKMDT_VPPI_MAX', 255: 'D3DKMDT_VPPI_NOTSPECIFIED'}}]], }], '__unnamed_1253': [0x8, { 'PowerSequence': [0, ['pointer64', ['_POWER_SEQUENCE']]], }], '_PROCDESKHEAD': [0x28, { 'h': [0, ['pointer64', ['void']]], 'pSelf': [32, 
['pointer64', ['unsigned char']]], 'rpdesk': [24, ['pointer64', ['tagDESKTOP']]], 'hTaskWow': [16, ['unsigned long']], 'cLockObj': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT': [0x4, { 'Rotate270': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'Rotate90': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Rotate180': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], }], '__unnamed_1958': [0x10, { 'MinBusNumber': [4, ['unsigned long']], 'Length': [0, ['unsigned long']], 'Reserved': [12, ['unsigned long']], 'MaxBusNumber': [8, ['unsigned long']], }], '_CONSOLE_CARET_INFO': [0x18, { 'hwnd': [0, ['pointer64', ['HWND__']]], 'rc': [8, ['tagRECT']], }], 'tagPROCESSINFO': [0x300, { 'fHasMagContext': [736, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'hwinsta': [608, ['pointer64', ['HWINSTA__']]], 'ptiList': [256, ['pointer64', ['tagTHREADINFO']]], 'pHidTable': [744, ['pointer64', ['tagPROCESS_HID_TABLE']]], 'W32PF_Flags': [12, ['unsigned long']], 'UserHandleCount': [68, ['long']], 'dwhmodLibLoadedMask': [340, ['unsigned long']], 'GDIBrushAttrFreeList': [208, ['_LIST_ENTRY']], 'hdeskStartup': [328, ['pointer64', ['HDESK__']]], 'dwImeCompatFlags': [696, ['unsigned long']], 'dwRegisteredClasses': [752, ['unsigned long']], 'pBrushAttrList': [48, ['pointer64', ['void']]], 'usi': [708, ['tagUSERSTARTUPINFO']], 'InputIdleEvent': [16, ['pointer64', ['_KEVENT']]], 'W32Pid': [56, ['unsigned long']], 'bmHandleFlags': [648, ['_RTL_BITMAP']], 'UserHandleCountPeak': [72, ['unsigned long']], 'GDIEngUserMemAllocTable': [88, ['_RTL_AVL_TABLE']], 'cSysExpunge': [336, ['unsigned long']], 'pdvList': [632, ['pointer64', ['tagDESKTOPVIEW']]], 'pwpi': [296, ['pointer64', ['tagWOWPROCESSINFO']]], 'ppiNextRunning': [312, ['pointer64', 
['tagPROCESSINFO']]], 'Process': [0, ['pointer64', ['_EPROCESS']]], 'pCursorCache': [664, ['pointer64', ['tagCURSOR']]], 'pClientBase': [672, ['pointer64', ['void']]], 'dwLpkEntryPoints': [680, ['unsigned long']], 'GDIDcAttrFreeList': [192, ['_LIST_ENTRY']], 'DxProcess': [248, ['pointer64', ['void']]], 'NextStart': [32, ['pointer64', ['_W32PROCESS']]], 'RefCount': [8, ['unsigned long']], 'dwLayout': [740, ['unsigned long']], 'pclsPublicList': [288, ['pointer64', ['tagCLS']]], 'Unused': [736, ['BitField', {'end_bit': 32, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'GDIPushLock': [80, ['_EX_PUSH_LOCK']], 'hMonitor': [624, ['pointer64', ['HMONITOR__']]], 'ptiMainThread': [264, ['pointer64', ['tagTHREADINFO']]], 'pvwplWndGCList': [760, ['pointer64', ['VWPL']]], 'pW32Job': [688, ['pointer64', ['tagW32JOB']]], 'luidSession': [700, ['_LUID']], 'GDIHandleCount': [60, ['long']], 'cThreads': [320, ['unsigned long']], 'rpdeskStartup': [272, ['pointer64', ['tagDESKTOP']]], 'hSecureGdiSharedHandleTable': [240, ['pointer64', ['void']]], 'pclsPrivateList': [280, ['pointer64', ['tagCLS']]], 'GDIHandleCountPeak': [64, ['unsigned long']], 'StartCursorHideTime': [24, ['unsigned long']], 'ppiNext': [304, ['pointer64', ['tagPROCESSINFO']]], 'Flags': [736, ['unsigned long']], 'dwHotkey': [620, ['unsigned long']], 'amwinsta': [616, ['unsigned long']], 'rpwinsta': [600, ['pointer64', ['tagWINDOWSTATION']]], 'ahmodLibLoaded': [344, ['array', 32, ['pointer64', ['void']]]], 'iClipSerialNumber': [640, ['unsigned long']], 'GDIW32PIDLockedBitmaps': [224, ['_LIST_ENTRY']], 'pDCAttrList': [40, ['pointer64', ['void']]], }], '__unnamed_181b': [0x10, { 'Dma': [0, ['__unnamed_180d']], 'MessageInterrupt': [0, ['__unnamed_180b']], 'Generic': [0, ['__unnamed_1805']], 'Memory': [0, ['__unnamed_1805']], 'BusNumber': [0, ['__unnamed_1811']], 'DeviceSpecificData': [0, ['__unnamed_1813']], 'Memory48': [0, ['__unnamed_1817']], 'Memory40': [0, ['__unnamed_1815']], 'DevicePrivate': [0, 
['__unnamed_180f']], 'Memory64': [0, ['__unnamed_1819']], 'Interrupt': [0, ['__unnamed_1807']], 'Port': [0, ['__unnamed_1805']], }], '__unnamed_195e': [0x18, { 'Length48': [0, ['unsigned long']], 'Alignment48': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '__unnamed_195c': [0x18, { 'Length40': [0, ['unsigned long']], 'Alignment40': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '__unnamed_195a': [0xc, { 'Priority': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_125f': [0x10, { 'AllocatedResources': [0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated': [8, ['pointer64', ['_CM_RESOURCE_LIST']]], }], '__unnamed_125b': [0x20, { 'State': [16, ['_POWER_STATE']], 'Type': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'SystemPowerState', 1: 'DevicePowerState'}}]], 'SystemContext': [0, ['unsigned long']], 'ShutdownType': [24, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'}}]], 'SystemPowerStateContext': [0, ['_SYSTEM_POWER_STATE_CONTEXT']], }], 'tagKbdLayer': [0x68, { 'pVkToWcharTable': [8, ['pointer64', ['_VK_TO_WCHAR_TABLE']]], 'pusVSCtoVK': [48, ['pointer64', ['unsigned short']]], 'fLocaleFlags': [80, ['unsigned long']], 'pKeyNamesExt': [32, ['pointer64', ['VSC_LPWSTR']]], 'dwSubType': [100, ['unsigned long']], 'pDeadKey': [16, ['pointer64', ['DEADKEY']]], 'pCharModifiers': [0, ['pointer64', ['MODIFIERS']]], 'pKeyNamesDead': [40, ['pointer64', ['pointer64', ['unsigned short']]]], 'bMaxVSCtoVK': [56, ['unsigned char']], 'pKeyNames': [24, ['pointer64', ['VSC_LPWSTR']]], 'dwType': [96, ['unsigned long']], 'pLigature': [88, ['pointer64', 
['_LIGATURE1']]], 'nLgMax': [84, ['unsigned char']], 'pVSCtoVK_E1': [72, ['pointer64', ['_VSC_VK']]], 'pVSCtoVK_E0': [64, ['pointer64', ['_VSC_VK']]], 'cbLgEntry': [85, ['unsigned char']], }], 'HDC__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32AllocStats': [0x20, { 'dwMaxAlloc': [16, ['unsigned long']], 'pHead': [24, ['pointer64', ['tagWin32PoolHead']]], 'dwMaxMem': [0, ['unsigned long long']], 'dwCrtMem': [8, ['unsigned long long']], 'dwCrtAlloc': [20, ['unsigned long']], }], '__unnamed_18c5': [0x4, { 'DefaultBig': [0, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'BaseMiddle': [0, ['BitField', {'end_bit': 8, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Granularity': [0, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'LimitHigh': [0, ['BitField', {'end_bit': 20, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'BaseHigh': [0, ['BitField', {'end_bit': 32, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'Dpl': [0, ['BitField', {'end_bit': 15, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'Type': [0, ['BitField', {'end_bit': 13, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'System': [0, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'Present': [0, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'LongMode': [0, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], }], '__unnamed_1817': [0xc, { 'Length48': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], '__unnamed_1815': [0xc, { 'Length40': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], '__unnamed_1813': [0xc, { 'DataSize': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT': [0x4, { 'Centered': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'AspectRatioCenteredMax': [0, 
['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'Stretched': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Custom': [0, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], }], '__unnamed_1811': [0xc, { 'Start': [0, ['unsigned long']], 'Length': [4, ['unsigned long']], 'Reserved': [8, ['unsigned long']], }], '__unnamed_1956': [0x8, { 'MinimumChannel': [0, ['unsigned long']], 'MaximumChannel': [4, ['unsigned long']], }], '__unnamed_1954': [0x18, { 'AffinityPolicy': [8, ['unsigned short']], 'Group': [10, ['unsigned short']], 'PriorityPolicy': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'}}]], 'MinimumVector': [0, ['unsigned long']], 'MaximumVector': [4, ['unsigned long']], 'TargetedProcessors': [16, ['unsigned long long']], }], 'tagMSG': [0x30, { 'wParam': [16, ['unsigned long long']], 'lParam': [24, ['long long']], 'pt': [36, ['tagPOINT']], 'hwnd': [0, ['pointer64', ['HWND__']]], 'time': [32, ['unsigned long']], 'message': [8, ['unsigned long']], }], '__unnamed_1819': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length64': [8, ['unsigned long']], }], '_DMM_VIDPNSET_SERIALIZATION': [0x8, { 'VidPnOffset': [4, ['array', 1, ['unsigned long']]], 'NumVidPns': [0, ['unsigned char']], }], 'tagWOWPROCESSINFO': [0x48, { 'ptdbHead': [16, ['pointer64', ['tagTDB']]], 'lpfnWowExitTask': [24, ['pointer64', ['void']]], 'CSOwningThread': [56, ['pointer64', ['tagTHREADINFO']]], 'ptiScheduled': [8, ['pointer64', ['tagTHREADINFO']]], 'nSendLock': [48, ['unsigned long']], 'nRecvLock': [52, ['unsigned long']], 'CSLockCount': [64, ['long']], 'hEventWowExecClient': [40, ['pointer64', ['void']]], 'pwpiNext': [0, ['pointer64', ['tagWOWPROCESSINFO']]], 'pEventWowExec': [32, ['pointer64', ['_KEVENT']]], }], 
'tagMENU': [0x98, { 'iItem': [44, ['long']], 'head': [0, ['_PROCDESKHEAD']], 'umpm': [132, ['tagUAHMENUPOPUPMETRICS']], 'cItems': [52, ['unsigned long']], 'pParentMenus': [88, ['pointer64', ['tagMENULIST']]], 'fFlags': [40, ['unsigned long']], 'cxMenu': [56, ['unsigned long']], 'dwContextHelpId': [96, ['unsigned long']], 'hbrBack': [112, ['pointer64', ['HBRUSH__']]], 'cxTextAlign': [64, ['unsigned long']], 'cAlloced': [48, ['unsigned long']], 'spwndNotify': [72, ['pointer64', ['tagWND']]], 'dwArrowsOn': [128, ['BitField', {'end_bit': 2, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'iMaxTop': [124, ['long']], 'dwMenuData': [104, ['unsigned long long']], 'cyMenu': [60, ['unsigned long']], 'rgItems': [80, ['pointer64', ['tagITEM']]], 'iTop': [120, ['long']], 'cyMax': [100, ['unsigned long']], }], '_D3DDDI_GAMMA_RAMP_DXGI_1': [0x3024, { 'GammaCurve': [24, ['array', 1025, ['D3DDDI_DXGI_RGB']]], 'Scale': [0, ['D3DDDI_DXGI_RGB']], 'Offset': [12, ['D3DDDI_DXGI_RGB']], }], 'tagPOPUPMENU': [0x58, { 'fUseMonitorRect': [0, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'fDroppedLeft': [0, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'fHierarchyDropped': [0, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'posDropped': [84, ['unsigned long']], 'spwndNextPopup': [24, ['pointer64', ['tagWND']]], 'fIsMenuBar': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'spwndPrevPopup': [32, ['pointer64', ['tagWND']]], 'fHasMenuBar': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'spwndActivePopup': [56, ['pointer64', ['tagWND']]], 'fTrackMouseEvent': [0, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'fNoNotify': [0, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'posSelectedItem': [80, ['unsigned long']], 'fIsSysMenu': [0, ['BitField', {'end_bit': 3, 
'start_bit': 2, 'native_type': 'unsigned long'}]], 'fFlushDelayedFree': [0, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'ppmDelayedFree': [72, ['pointer64', ['tagPOPUPMENU']]], 'fFreed': [0, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'fSynchronous': [0, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'fDropNextPopup': [0, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fRightButton': [0, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'spmenuAlternate': [48, ['pointer64', ['tagMENU']]], 'spmenu': [40, ['pointer64', ['tagMENU']]], 'spwndPopupMenu': [16, ['pointer64', ['tagWND']]], 'fDestroyed': [0, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'iDropDir': [0, ['BitField', {'end_bit': 28, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'ppopupmenuRoot': [64, ['pointer64', ['tagPOPUPMENU']]], 'fFirstClick': [0, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'spwndNotify': [8, ['pointer64', ['tagWND']]], 'fRtoL': [0, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'fIsTrackPopup': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'fSendUninit': [0, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'fShowTimer': [0, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'fInCancel': [0, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'fToggle': [0, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fDelayedFree': [0, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'fHideTimer': [0, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'fAboutToHide': [0, ['BitField', {'end_bit': 13, 
'start_bit': 12, 'native_type': 'unsigned long'}]], }], '_DMM_MONITORDESCRIPTOR_SERIALIZATION': [0x8c, { 'Origin': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'Data': [12, ['array', 128, ['unsigned char']]], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MDT_UNINITIALIZED', 1: 'D3DKMDT_MDT_VESA_EDID_V1_BASEBLOCK', 2: 'D3DKMDT_MDT_VESA_EDID_V1_BLOCKMAP', 255: 'D3DKMDT_MDT_OTHER'}}]], 'Id': [0, ['unsigned long']], }], 'HTOUCHINPUT__': [0x4, { 'unused': [0, ['long']], }], '_VK_VALUES_STRINGS': [0x10, { 'fReserved': [8, ['unsigned char']], 'pszMultiNames': [0, ['pointer64', ['unsigned char']]], }], '_DMM_MONITOR_SOURCE_MODE_SERIALIZATION': [0x68, { 'Info': [0, ['_D3DKMDT_MONITOR_SOURCE_MODE']], 'TimingType': [96, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MTT_UNINITIALIZED', 1: 'D3DKMDT_MTT_ESTABLISHED', 2: 'D3DKMDT_MTT_STANDARD', 3: 'D3DKMDT_MTT_EXTRASTANDARD', 4: 'D3DKMDT_MTT_DETAILED', 5: 'D3DKMDT_MTT_DEFAULTMONITORPROFILE', 6: 'D3DKMDT_MTT_MAXVALID'}}]], }], 'tagSBCALC': [0x40, { 'posMax': [4, ['long']], 'pxThumbTop': [52, ['long']], 'pxThumbBottom': [48, ['long']], 'cpxThumb': [32, ['long']], 'pxMin': [60, ['long']], 'pxStart': [44, ['long']], 'pxDownArrow': [40, ['long']], 'pos': [12, ['long']], 'cpx': [56, ['long']], 'pxBottom': [20, ['long']], 'pxTop': [16, ['long']], 'pxLeft': [24, ['long']], 'pxRight': [28, ['long']], 'pxUpArrow': [36, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], }], 'HIMC__': [0x4, { 'unused': [0, ['long']], }], 'tagSBINFO': [0x24, { 'WSBflags': [0, ['long']], 'Horz': [4, ['tagSBDATA']], 'Vert': [20, ['tagSBDATA']], }], '__unnamed_1211': [0x10, { 'Length': [0, ['unsigned long']], 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 
'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], }], '__unnamed_1213': [0x20, { 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 
'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'AdvanceOnly': [25, ['unsigned char']], 'ClusterCount': [24, ['unsigned long']], 'Length': [0, ['unsigned long']], 'DeleteHandle': [24, 
['pointer64', ['void']]], 'ReplaceIfExists': [24, ['unsigned char']], 'FileObject': [16, ['pointer64', ['_FILE_OBJECT']]], }], '__unnamed_1219': [0x20, { 'Type3InputBuffer': [24, ['pointer64', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'FsControlCode': [16, ['unsigned long']], 'InputBufferLength': [8, ['unsigned long']], }], '__unnamed_1950': [0x18, { 'Length': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment': [4, ['unsigned long']], }], 'tagITEM': [0x90, { 'ulX': [84, ['unsigned long']], 'wID': [8, ['unsigned long']], 'dwItemData': [56, ['unsigned long long']], 'cyItem': [76, ['unsigned long']], 'hbmpChecked': [24, ['pointer64', ['void']]], 'xItem': [64, ['unsigned long']], 'spSubMenu': [16, ['pointer64', ['tagMENU']]], 'hbmpUnchecked': [32, ['pointer64', ['void']]], 'fState': [4, ['unsigned long']], 'dxTab': [80, ['unsigned long']], 'hbmp': [96, ['pointer64', ['HBITMAP__']]], 'yItem': [68, ['unsigned long']], 'fType': [0, ['unsigned long']], 'umim': [112, ['tagUAHMENUITEMMETRICS']], 'cch': [48, ['unsigned long']], 'ulWidth': [88, ['unsigned long']], 'cyBmp': [108, ['long']], 'cxBmp': [104, ['long']], 'lpstr': [40, ['pointer64', ['unsigned short']]], 'cxItem': [72, ['unsigned long']], }], '_VSC_VK': [0x4, { 'Vsc': [0, ['unsigned char']], 'Vk': [2, ['unsigned short']], }], '__unnamed_123f': [0x1, { 'Lock': [0, ['unsigned char']], }], '_DMM_MONITOR_SERIALIZATION': [0x28, { 'FrequencyRangeSetOffset': [28, ['unsigned long']], 'ModePruningAlgorithm': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_MPA_UNINITIALIZED', 1: 'DMM_MPA_GDI', 2: 'DMM_MPA_VISTA', 3: 'DMM_MPA_MAXVALID'}}]], 'VideoPresentTargetId': [4, ['unsigned long']], 'IsSimulatedMonitor': [12, ['unsigned char']], 'SourceModeSetOffset': [24, ['unsigned long']], 'Orientation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MO_UNINITIALIZED', 1: 'D3DKMDT_MO_0DEG', 2: 'D3DKMDT_MO_90DEG', 3: 
'D3DKMDT_MO_180DEG', 4: 'D3DKMDT_MO_270DEG'}}]], 'DescriptorSetOffset': [32, ['unsigned long']], 'MonitorPowerState': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'}}]], 'IsUsingDefaultProfile': [13, ['unsigned char']], 'MonitorType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_VMT_UNINITIALIZED', 1: 'DMM_VMT_PHYSICAL_MONITOR', 2: 'DMM_VMT_BOOT_PERSISTENT_MONITOR', 3: 'DMM_VMT_PERSISTENT_MONITOR', 4: 'DMM_VMT_TEMPORARY_MONITOR', 5: 'DMM_VMT_SIMULATED_MONITOR'}}]], 'Size': [0, ['unsigned long']], }], '_VK_TO_WCHARS1': [0x4, { 'Attributes': [1, ['unsigned char']], 'VirtualKey': [0, ['unsigned char']], 'wch': [2, ['array', 1, ['wchar']]], }], '__unnamed_121b': [0x18, { 'Length': [0, ['pointer64', ['_LARGE_INTEGER']]], 'ByteOffset': [16, ['_LARGE_INTEGER']], 'Key': [8, ['unsigned long']], }], '__unnamed_121d': [0x20, { 'Type3InputBuffer': [24, ['pointer64', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'IoControlCode': [16, ['unsigned long']], 'InputBufferLength': [8, ['unsigned long']], }], '__unnamed_121f': [0x10, { 'Length': [8, ['unsigned long']], 'SecurityInformation': [0, ['unsigned long']], }], '_DMM_MONITORFREQUENCYRANGESET_SERIALIZATION': [0x38, { 'NumFrequencyRanges': [0, ['unsigned char']], 'FrequencyRangeSerialization': [8, ['array', 1, ['_D3DKMDT_MONITOR_FREQUENCY_RANGE']]], }], '_D3DKMDT_GAMMA_RAMP': [0x18, { 'Data': [16, ['__unnamed_182e']], 'DataSize': [8, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_GAMMARAMP_UNINITIALIZED', 1: 'D3DDDI_GAMMARAMP_DEFAULT', 2: 'D3DDDI_GAMMARAMP_RGB256x3x16', 3: 'D3DDDI_GAMMARAMP_DXGI_1'}}]], }], '_W32PROCESS': [0x100, { 'GDIPushLock': [80, ['_EX_PUSH_LOCK']], 'DxProcess': [248, ['pointer64', ['void']]], 'pBrushAttrList': [48, ['pointer64', ['void']]], 'Process': [0, ['pointer64', ['_EPROCESS']]], 'NextStart': 
[32, ['pointer64', ['_W32PROCESS']]], 'GDIW32PIDLockedBitmaps': [224, ['_LIST_ENTRY']], 'RefCount': [8, ['unsigned long']], 'StartCursorHideTime': [24, ['unsigned long']], 'GDIBrushAttrFreeList': [208, ['_LIST_ENTRY']], 'InputIdleEvent': [16, ['pointer64', ['_KEVENT']]], 'W32PF_Flags': [12, ['unsigned long']], 'GDIHandleCount': [60, ['long']], 'hSecureGdiSharedHandleTable': [240, ['pointer64', ['void']]], 'UserHandleCountPeak': [72, ['unsigned long']], 'W32Pid': [56, ['unsigned long']], 'UserHandleCount': [68, ['long']], 'pDCAttrList': [40, ['pointer64', ['void']]], 'GDIEngUserMemAllocTable': [88, ['_RTL_AVL_TABLE']], 'GDIHandleCountPeak': [64, ['unsigned long']], 'GDIDcAttrFreeList': [192, ['_LIST_ENTRY']], }], 'tagSERVERINFO': [0x1220, { 'uiShellMsg': [912, ['unsigned long']], 'atomSysClass': [852, ['array', 25, ['unsigned short']]], 'dtScroll': [2800, ['unsigned long']], 'dwKeyCache': [2952, ['unsigned long']], 'atomIconSmProp': [1356, ['unsigned short']], 'argbSystemUnmatched': [2268, ['array', 31, ['unsigned long']]], 'atomContextHelpIdProp': [1360, ['unsigned short']], 'cySysFontChar': [2832, ['long']], 'mpFnid_serverCBWndProc': [328, ['array', 31, ['unsigned short']]], 'PUSIFlags': [4476, ['unsigned long']], 'dtLBSearch': [2804, ['unsigned long']], 'tmSysFont': [2836, ['tagTEXTMETRICW']], 'ahbrSystem': [2520, ['array', 31, ['pointer64', ['HBRUSH__']]]], 'dwDefaultHeapSize': [908, ['unsigned long']], 'dwSRVIFlags': [0, ['unsigned long']], 'BitsPixel': [4473, ['unsigned char']], 'wMaxLeftOverlapChars': [2820, ['long']], 'dwLastSystemRITEventTickCountUpdate': [4488, ['unsigned long']], 'dpiSystem': [2896, ['tagDPISERVERINFO']], 'hIcoWindows': [2944, ['pointer64', ['HICON__']]], 'dwAsyncKeyCache': [2956, ['unsigned long']], 'dwTagCount': [4632, ['unsigned long']], 'adwDBGTAGFlags': [4492, ['array', 35, ['unsigned long']]], 'aiSysMet': [1880, ['array', 97, ['long']]], 'acAnsiToOem': [1620, ['array', 256, ['unsigned char']]], 'aStoCidPfn': [272, ['array', 7, 
['pointer64', ['void']]]], 'dwLastRITEventTickCount': [2792, ['unsigned long']], 'cbHandleTable': [848, ['unsigned long']], 'atomFrostedWindowProp': [1362, ['unsigned short']], 'ucWheelScrollLines': [2812, ['unsigned long']], 'ptCursorReal': [2784, ['tagPOINT']], 'ucWheelScrollChars': [2816, ['unsigned long']], 'acOemToAnsi': [1364, ['array', 256, ['unsigned char']]], 'hbrGray': [2768, ['pointer64', ['HBRUSH__']]], 'BitCount': [4468, ['unsigned short']], 'argbSystem': [2392, ['array', 31, ['unsigned long']]], 'dtCaretBlink': [2808, ['unsigned long']], 'dwInstalledEventHooks': [1876, ['unsigned long']], 'cxSysFontChar': [2828, ['long']], 'wMaxRightOverlapChars': [2824, ['long']], 'oembmi': [2964, ['array', 93, ['tagOEMBITMAPINFO']]], 'apfnClientWorker': [760, ['_PFNCLIENTWORKER']], 'dwDefaultHeapBase': [904, ['unsigned long']], 'apfnClientA': [392, ['_PFNCLIENT']], 'dmLogPixels': [4470, ['unsigned short']], 'nEvents': [2796, ['long']], 'atomIconProp': [1358, ['unsigned short']], 'Planes': [4472, ['unsigned char']], 'apfnClientW': [576, ['_PFNCLIENT']], 'MBStrings': [916, ['array', 11, ['tagMBSTRING']]], 'UILangID': [4484, ['unsigned short']], 'dwRIPFlags': [4636, ['unsigned long']], 'uCaretWidth': [4480, ['unsigned long']], 'cCaptures': [2960, ['unsigned long']], 'cHandleEntries': [8, ['unsigned long long']], 'ptCursor': [2776, ['tagPOINT']], 'hIconSmWindows': [2936, ['pointer64', ['HICON__']]], 'mpFnidPfn': [16, ['array', 32, ['pointer64', ['void']]]], 'rcScreenReal': [4452, ['tagRECT']], }], '_D3DKMDT_VIDEO_SIGNAL_INFO': [0x38, { 'VSyncFreq': [20, ['_D3DDDI_RATIONAL']], 'ActiveSize': [12, ['_D3DKMDT_2DREGION']], 'PixelRate': [40, ['unsigned long long']], 'TotalSize': [4, ['_D3DKMDT_2DREGION']], 'VideoStandard': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VSS_UNINITIALIZED', 1: 'D3DKMDT_VSS_VESA_DMT', 2: 'D3DKMDT_VSS_VESA_GTF', 3: 'D3DKMDT_VSS_VESA_CVT', 4: 'D3DKMDT_VSS_IBM', 5: 'D3DKMDT_VSS_APPLE', 6: 'D3DKMDT_VSS_NTSC_M', 7: 
'D3DKMDT_VSS_NTSC_J', 8: 'D3DKMDT_VSS_NTSC_443', 9: 'D3DKMDT_VSS_PAL_B', 10: 'D3DKMDT_VSS_PAL_B1', 11: 'D3DKMDT_VSS_PAL_G', 12: 'D3DKMDT_VSS_PAL_H', 13: 'D3DKMDT_VSS_PAL_I', 14: 'D3DKMDT_VSS_PAL_D', 15: 'D3DKMDT_VSS_PAL_N', 16: 'D3DKMDT_VSS_PAL_NC', 17: 'D3DKMDT_VSS_SECAM_B', 18: 'D3DKMDT_VSS_SECAM_D', 19: 'D3DKMDT_VSS_SECAM_G', 20: 'D3DKMDT_VSS_SECAM_H', 21: 'D3DKMDT_VSS_SECAM_K', 22: 'D3DKMDT_VSS_SECAM_K1', 23: 'D3DKMDT_VSS_SECAM_L', 24: 'D3DKMDT_VSS_SECAM_L1', 25: 'D3DKMDT_VSS_EIA_861', 26: 'D3DKMDT_VSS_EIA_861A', 27: 'D3DKMDT_VSS_EIA_861B', 28: 'D3DKMDT_VSS_PAL_K', 29: 'D3DKMDT_VSS_PAL_K1', 30: 'D3DKMDT_VSS_PAL_L', 31: 'D3DKMDT_VSS_PAL_M', 255: 'D3DKMDT_VSS_OTHER'}}]], 'ScanLineOrdering': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_VSSLO_UNINITIALIZED', 1: 'D3DDDI_VSSLO_PROGRESSIVE', 2: 'D3DDDI_VSSLO_INTERLACED_UPPERFIELDFIRST', 3: 'D3DDDI_VSSLO_INTERLACED_LOWERFIELDFIRST', 255: 'D3DDDI_VSSLO_OTHER'}}]], 'HSyncFreq': [28, ['_D3DDDI_RATIONAL']], }], '__unnamed_11df': [0x8, { 'IrpCount': [0, ['long']], 'SystemBuffer': [0, ['pointer64', ['void']]], 'MasterIrp': [0, ['pointer64', ['_IRP']]], }], 'D3DDDI_DXGI_RGB': [0xc, { 'Blue': [8, ['float']], 'Green': [4, ['float']], 'Red': [0, ['float']], }], '_MAGNIFICATION_INPUT_TRANSFORM': [0x30, { 'rcScreen': [16, ['tagRECT']], 'magFactorX': [40, ['long']], 'magFactorY': [44, ['long']], 'ptiMagThreadInfo': [32, ['pointer64', ['tagTHREADINFO']]], 'rcSource': [0, ['tagRECT']], }], '_D3DKMDT_MONITOR_FREQUENCY_RANGE': [0x30, { 'Origin': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'ConstraintType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MFRC_UNINITIALIZED', 1: 'D3DKMDT_MFRC_ACTIVESIZE', 2: 'D3DKMDT_MFRC_MAXPIXELRATE'}}]], 'RangeLimits': [4, 
['_D3DKMDT_FREQUENCY_RANGE']], 'Constraint': [40, ['__unnamed_16c1']], }], '_PFNCLIENTWORKER': [0x58, { 'pfnComboBoxWndProc': [8, ['pointer64', ['void']]], 'pfnMDIClientWndProc': [48, ['pointer64', ['void']]], 'pfnDialogWndProc': [24, ['pointer64', ['void']]], 'pfnStaticWndProc': [56, ['pointer64', ['void']]], 'pfnCtfHookProc': [80, ['pointer64', ['void']]], 'pfnButtonWndProc': [0, ['pointer64', ['void']]], 'pfnImeWndProc': [64, ['pointer64', ['void']]], 'pfnEditWndProc': [32, ['pointer64', ['void']]], 'pfnListBoxWndProc': [40, ['pointer64', ['void']]], 'pfnGhostWndProc': [72, ['pointer64', ['void']]], 'pfnComboListBoxProc': [16, ['pointer64', ['void']]], }], '_DMA_OPERATIONS': [0x80, { 'PutDmaAdapter': [8, ['pointer64', ['void']]], 'FreeMapRegisters': [56, ['pointer64', ['void']]], 'MapTransfer': [64, ['pointer64', ['void']]], 'FreeCommonBuffer': [24, ['pointer64', ['void']]], 'ReadDmaCounter': [80, ['pointer64', ['void']]], 'AllocateCommonBuffer': [16, ['pointer64', ['void']]], 'PutScatterGatherList': [96, ['pointer64', ['void']]], 'CalculateScatterGatherList': [104, ['pointer64', ['void']]], 'BuildMdlFromScatterGatherList': [120, ['pointer64', ['void']]], 'GetScatterGatherList': [88, ['pointer64', ['void']]], 'AllocateAdapterChannel': [32, ['pointer64', ['void']]], 'FreeAdapterChannel': [48, ['pointer64', ['void']]], 'GetDmaAlignment': [72, ['pointer64', ['void']]], 'FlushAdapterBuffers': [40, ['pointer64', ['void']]], 'BuildScatterGatherList': [112, ['pointer64', ['void']]], 'Size': [0, ['unsigned long']], }], '_DXGK_DIAG_HEADER': [0x30, { 'Index': [40, ['unsigned long']], 'ProcessName': [16, ['array', 16, ['unsigned char']]], 'LogTimestamp': [8, ['unsigned long long']], 'ThreadId': [32, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_TYPE_NONE', 1: 'DXGK_DIAG_TYPE_SDC', 2: 'DXGK_DIAG_TYPE_HPD', 3: 'DXGK_DIAG_TYPE_DC_ORIGIN', 4: 'DXGK_DIAG_TYPE_USER_CDS', 5: 'DXGK_DIAG_TYPE_DRV_CDS', 6: 
'DXGK_DIAG_TYPE_CODE_POINT', 7: 'DXGK_DIAG_TYPE_QDC', 8: 'DXGK_DIAG_TYPE_MONITOR_MGR', 9: 'DXGK_DIAG_TYPE_CONNECTEDSET_NOT_FOUND', 10: 'DXGK_DIAG_TYPE_DISPDIAG_COLLECTED', 11: 'DXGK_DIAG_TYPE_BML_PACKET', 12: 'DXGK_DIAG_TYPE_BML_PACKET_EX', 13: 'DXGK_DIAG_TYPE_COMMIT_VIDPN_FAILED', 14: 'DXGK_DIAG_TYPE_MAX', -1: 'DXGK_DIAG_TYPE_FORCE_UINT32'}}]], 'WdLogIdx': [44, ['unsigned long']], 'Size': [4, ['unsigned long']], }], '__unnamed_1225': [0x10, { 'DeviceObject': [8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb': [0, ['pointer64', ['_VPB']]], }], '_SM_VALUES_STRINGS': [0x18, { 'StorageType': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'SmStorageActual', 1: 'SmStorageNonActual'}}]], 'pszName': [0, ['pointer64', ['unsigned char']]], 'ulValue': [8, ['unsigned long']], 'RangeType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'SmRangeSharedInfo', 1: 'SmRangeNonSharedInfo', 2: 'SmRangeBool'}}]], }], 'tagTERMINAL': [0x40, { 'spwndDesktopOwner': [8, ['pointer64', ['tagWND']]], 'dwTERMF_Flags': [0, ['unsigned long']], 'dwNestedLevel': [32, ['unsigned long']], 'pqDesktop': [24, ['pointer64', ['tagQ']]], 'pEventInputReady': [56, ['pointer64', ['_KEVENT']]], 'rpdeskDestroy': [48, ['pointer64', ['tagDESKTOP']]], 'ptiDesktop': [16, ['pointer64', ['tagTHREADINFO']]], 'pEventTermInit': [40, ['pointer64', ['_KEVENT']]], }], '_SCATTER_GATHER_LIST': [0x10, { 'Elements': [16, ['array', 0, ['_SCATTER_GATHER_ELEMENT']]], 'Reserved': [8, ['unsigned long long']], 'NumberOfElements': [0, ['unsigned long']], }], 'tagMENULIST': [0x10, { 'pMenu': [8, ['pointer64', ['tagMENU']]], 'pNext': [0, ['pointer64', ['tagMENULIST']]], }], 'tagPOINT': [0x8, { 'y': [4, ['long']], 'x': [0, ['long']], }], 'tagSHAREDINFO': [0x238, { 'psi': [0, ['pointer64', ['tagSERVERINFO']]], 'DefWindowSpecMsgs': [552, ['_WNDMSG']], 'awmControl': [40, ['array', 31, ['_WNDMSG']]], 'ulSharedDelta': [32, ['unsigned long long']], 'pDispInfo': [24, ['pointer64', ['tagDISPLAYINFO']]], 'aheList': [8, ['pointer64', 
['_HANDLEENTRY']]], 'DefWindowMsgs': [536, ['_WNDMSG']], 'HeEntrySize': [16, ['unsigned long']], }], 'tagIMC': [0x40, { 'dwClientImcData': [48, ['unsigned long long']], 'head': [0, ['_THRDESKHEAD']], 'hImeWnd': [56, ['pointer64', ['HWND__']]], 'pImcNext': [40, ['pointer64', ['tagIMC']]], }], 'tagKL': [0x78, { 'uNumTbl': [88, ['unsigned long']], 'pklPrev': [24, ['pointer64', ['tagKL']]], 'head': [0, ['_HEAD']], 'pklNext': [16, ['pointer64', ['tagKL']]], 'spkfPrimary': [56, ['pointer64', ['tagKBDFILE']]], 'dwFontSigs': [64, ['unsigned long']], 'dwLastKbdType': [104, ['unsigned long']], 'CodePage': [72, ['unsigned short']], 'dwKL_Flags': [32, ['unsigned long']], 'iBaseCharset': [68, ['unsigned long']], 'dwKLID': [112, ['unsigned long']], 'spkf': [48, ['pointer64', ['tagKBDFILE']]], 'piiex': [80, ['pointer64', ['tagIMEINFOEX']]], 'hkl': [40, ['pointer64', ['HKL__']]], 'pspkfExtra': [96, ['pointer64', ['pointer64', ['tagKBDFILE']]]], 'wchDiacritic': [74, ['wchar']], 'dwLastKbdSubType': [108, ['unsigned long']], }], '__unnamed_182e': [0x8, { 'pRgb256x3x16': [0, ['pointer64', ['_D3DDDI_GAMMA_RAMP_RGB256x3x16']]], 'pRaw': [0, ['pointer64', ['void']]], 'pDxgi1': [0, ['pointer64', ['_D3DDDI_GAMMA_RAMP_DXGI_1']]], }], 'tagCARET': [0x48, { 'iHideLevel': [12, ['long']], 'yOwnDc': [56, ['long']], 'y': [20, ['long']], 'cy': [24, ['long']], 'cx': [28, ['long']], 'hBitmap': [32, ['pointer64', ['HBITMAP__']]], 'cyOwnDc': [64, ['long']], 'fOn': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'hTimer': [40, ['unsigned long long']], 'xOwnDc': [52, ['long']], 'fVisible': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'cxOwnDc': [60, ['long']], 'tid': [48, ['unsigned long']], 'x': [16, ['long']], 'spwnd': [0, ['pointer64', ['tagWND']]], }], } volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/messagehooks.py0000644000000000000000000002627513131215405024660 0ustar rootroot# Volatility # Copyright (C) 2007-2013 
Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.utils as utils
import volatility.plugins.gui.atoms as atoms
import volatility.plugins.gui.constants as consts
import volatility.plugins.gui.sessions as sessions

# Offsets to (_catomSysTableEntries, _aatomSysLoaded) in win32k.sys. We use
# this for translating the ihmod value into a fully-qualified DLL path name
# used by messagehooks and eventhooks plugins. If the values for your system
# aren't in the list, the plugins will still work, but the names of the Hook
# Module will not be available.
message_offsets_x86 = [
    (0x001ab0a0, 0x001ab060), # ? (shylock.dmp)
    (0x001aaea0, 0x001aae60), # 5.1.2600.6033 (XP SP3)
    (0x001ac640, 0x001ac600), # 5.1.2600.6149 (XP)
    (0x001a9400, 0x001a93c0), # 5.1.2600.5512 (XP SP3)
    (0x001a9220, 0x001a91e0), # 5.1.2600.3335 (XP SP2)
    (0x001a6f00, 0x001a6ec0), # 5.1.2600.2180 (XP SP2)
    (0x001a0338, 0x001a03c0), # ? (W2K3 SP0)
    (0x001b5600, 0x001b55c0), # 5.2.3790.4980 (W2K3 SP2)
    (0x001b1440, 0x001b1400), # 5.2.3790.1830 (W2K3 SP1)
    (0x001de0e0, 0x001de0a0), # 6.0.6000.16386 (Vista SP0)
    (0x001e01e0, 0x001e01a0), # 6.0.6002.18005 (Vista SP2)
    (0x001df0e0, 0x001df0a0), # 6.0.6001.18000 (W2K8 SP1)
    (0x00219800, 0x002197C0), # 6.1.7600.16385 (Win 7 SP0)
    (0x0021e800, 0x0021e7c0), # 6.1.7600.16988 (Win 7 SP0)
    (0x0021a900, 0x0021a8c0), # 6.1.7601.17514 (Win 7 SP1)
]

message_offsets_x64 = [
    (0x003b3880, 0x003b3840), # 5.2.3790.1830 (W2K3 SP1 / XP SP1)
    (0x003b4880, 0x003b4840), # 5.2.3790.3959 (W2K3 SP2 / XP SP2)
    (0x0028ba20, 0x0028b9e0), # 6.0.6000.16386 (Vista SP0)
    (0x00288a20, 0x002889e0), # 6.0.6001.18000 (Vista SP1 / W2K8 SP1)
    (0x00289c20, 0x00289be0), # 6.0.6002.18005 (Vista SP2 / W2K8 SP2)
    (0x002da480, 0x002da440), # 6.1.7600.16385 (Win 7 SP0)
    (0x002db6a0, 0x002db660), # 6.1.7601.17514 (Win 7 SP1)
    (0x002e08a0, 0x002e0860), # 6.1.7601.17842 (W2K8 R2 SP1)
    (0x002e06a0, 0x002e0660), # ?? (W2K8 R2 SP1)
]

class MessageHooks(atoms.Atoms, sessions.SessionsMixin):
    """List desktop and thread window message hooks"""

    def calculate(self):
        """Yield (window station, atom tables) pairs.

        The atom-table dictionary is the same object for every pair; it
        maps each atom table reported by the Atoms plugin to the window
        station reported alongside it.
        """
        atom_tables = {}
        for atom_table, owner in atoms.Atoms(self._config).calculate():
            atom_tables[atom_table] = owner

        # Keep only the tables that came with a window station. The
        # values are not de-duplicated here.
        window_stations = []
        for owner in atom_tables.values():
            if owner:
                window_stations.append(owner)

        for station in window_stations:
            yield station, atom_tables

    def translate_atom(self, winsta, atom_tables, atom_id):
        """
        Translate an atom into an atom name.

        @param winsta: a tagWINDOWSTATION in the proper
        session space

        @param atom_tables: a dictionary with _RTL_ATOM_TABLE
        instances as the keys and owning window stations as
        the values.

        @param atom_id: the atom to look up.

        @returns: the atom's Name, or a NoneObject when no table
        holds the atom.
        """
        # The built-in atoms are answered from the constants table
        if consts.DEFAULT_ATOMS.has_key(atom_id):
            return consts.DEFAULT_ATOMS[atom_id].Name

        # Tables with no owning window station go first (the session
        # atom tables), the window station's own table goes last.
        candidates = []
        for table, window_station in atom_tables.items():
            if window_station == None:
                candidates.append(table)
        candidates.append(winsta.AtomTable)

        ## Fixme: the session atom tables are found via physical
        ## AS pool tag scanning, and there's no good way (afaik)
        ## to associate the table with its session. Thus if more
        ## than one session has atoms with the same id but different
        ## values, then we could possibly select the wrong one.
        for table in candidates:
            found = table.find_atom(atom_id)
            if found:
                return found.Name

        return obj.NoneObject("Cannot translate atom {0:#x}".format(atom_id))

    def translate_hmod(self, winsta, atom_tables, index):
        """
        Translate an ihmod (index into a handle table) into
        an atom. This requires locating the win32k!_aatomSysLoaded
        symbol. If the symbol cannot be found, we'll just report
        back the ihmod value.

        @param winsta: a tagWINDOWSTATION in the proper
        session space

        @param atom_tables: a dictionary with _RTL_ATOM_TABLE
        instances as the keys and owning window stations as
        the values.

        @param index: the index into the atom handle table.

        @returns: the module name, the string "(Current Module)"
        for index -1, or hex(index) when nothing could be resolved.
        """
        # -1 needs no lookup
        if index == -1:
            return "(Current Module)"

        # The _MM_SESSION_SPACE is located from a kernel AS
        kernel_space = utils.load_as(self._config)
        session = self.find_session_space(kernel_space, winsta.dwSessionId)

        # Without a session there is nothing to read the globals from
        if not session:
            return hex(index)

        memory_model = winsta.obj_vm.profile.metadata.get('memory_model', '32bit')
        message_offsets = message_offsets_x86 if memory_model == '32bit' else message_offsets_x64

        # Try each known pair of win32k global offsets in turn
        for (count_offset, table_offset) in message_offsets:

            # This is _catomSysTableEntries
            count = obj.Object("unsigned long",
                               offset = session.Win32KBase + count_offset,
                               vm = session.obj_vm)

            # Skip this pair when the count is unreadable, zero,
            # greater than 32, or too small for the requested index.
            # The comparison with None is kept as "==" on purpose:
            # presumably an unreadable value is a NoneObject rather
            # than None itself - confirm against obj.Object.
            unusable = (count == None or count == 0 or
                        count > 32 or count <= index)
            if unusable:
                continue

            # An array of atom IDs
            atomlist = obj.Object("Array", targetType = "unsigned short",
                                  offset = session.Win32KBase + table_offset,
                                  count = count, vm = session.obj_vm)

            # A further check (number of non-zero atoms equals the
            # claimed count) is deliberately left disabled: on at
            # least one image (shylock.dmp) the count is 3 but only
            # 2 atoms are valid, so the check would skip that image.
            #valid_entries = len([atom for atom in atoms if atom != 0])
            #if count != valid_entries:
            #    continue

            # The first offset pair that yields a name wins
            atom_id = atomlist[index]
            module = self.translate_atom(winsta, atom_tables, atom_id)
            if module:
                return module

        # Nothing matched: report the raw ihmod value
        return hex(index)

    def render_text(self, outfd, data):
        """Render output in table form"""

        columns = [("Offset(V)", "[addrpad]"),
                   ("Sess", "<6"),
                   ("Desktop", "20"),
                   ("Thread", "30"),
                   ("Filter", "20"),
                   ("Flags", "20"),
                   ("Function", "[addrpad]"),
                   ("Module", ""),
                   ]
        self.table_header(outfd, columns)

        for winsta, atom_tables in data:
            for desk in winsta.desktops():
                # Hooks attached to the desktop itself: no thread column
                for name, hook in desk.hooks():
                    module = self.translate_hmod(winsta, atom_tables, hook.ihmod)
                    self.table_row(outfd,
                                   hook.obj_offset,
                                   winsta.dwSessionId,
                                   "{0}\\{1}".format(winsta.Name, desk.Name),
                                   "",
                                   name,
                                   str(hook.flags),
                                   hook.offPfn,
                                   module,
                                   )
                # Hooks attached to each thread of the desktop
                for thrd in desk.threads():
                    info = "{0} ({1} {2})".format(
                        thrd.pEThread.Cid.UniqueThread,
                        thrd.ppi.Process.ImageFileName,
                        thrd.ppi.Process.UniqueProcessId
                        )
                    for name, hook in thrd.hooks():
                        module = self.translate_hmod(winsta, atom_tables, hook.ihmod)
                        self.table_row(outfd,
                                       hook.obj_offset,
                                       winsta.dwSessionId,
                                       "{0}\\{1}".format(winsta.Name, desk.Name),
                                       info,
                                       name,
                                       str(hook.flags),
                                       hook.offPfn,
                                       module,
                                       )

    def render_block(self, outfd, data):
        """Render output as a block"""

        def write_block(outfd, winsta, desk, hook, module, thread):
            # NOTE: "name" is not a parameter; it is picked up from the
            # loops further down in render_block at call time.
            desktop_path = "{0}\\{1}".format(winsta.Name, desk.Name)
            outfd.write("{0:<10} : {1:#x}\n".format("Offset(V)", hook.obj_offset))
            outfd.write("{0:<10} : {1}\n".format("Session", winsta.dwSessionId))
            outfd.write("{0:<10} : {1}\n".format("Desktop", desktop_path))
            outfd.write("{0:<10} : {1}\n".format("Thread", thread))
            outfd.write("{0:<10} : {1}\n".format("Filter", name))
            outfd.write("{0:<10} : {1}\n".format("Flags", str(hook.flags)))
            outfd.write("{0:<10} : {1:#x}\n".format("Procedure", hook.offPfn))
            outfd.write("{0:<10} : {1}\n".format("ihmod", hook.ihmod))
            outfd.write("{0:<10} : {1}\n\n".format("Module", module))

        for winsta, atom_tables in data:
            for desk in winsta.desktops():
                # Desktop-level hooks carry an empty thread field
                for name, hook in desk.hooks():
                    module = self.translate_hmod(winsta, atom_tables, hook.ihmod)
                    write_block(outfd, winsta, desk, hook, module, "")
                # Thread-level hooks carry "tid (image pid)"
                for thrd in desk.threads():
                    info = "{0} ({1} {2})".format(
                        thrd.pEThread.Cid.UniqueThread,
                        thrd.ppi.Process.ImageFileName,
                        thrd.ppi.Process.UniqueProcessId
                        )
                    for name, hook in thrd.hooks():
                        module = self.translate_hmod(winsta, atom_tables, hook.ihmod)
                        write_block(outfd, winsta, desk, hook, module, info)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/__init__.py0000644000000000000000000000000013131215405023701 0ustar rootroot
volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/eventhooks.py0000644000000000000000000000507613131215405024351 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import volatility.plugins.gui.sessions as sessions class EventHooks(sessions.Sessions): """Print details on windows event hooks""" def render_text(self, outfd, data): for session in data: shared_info = session.find_shared_info() if not shared_info: continue filters = [lambda x : str(x.bType) == "TYPE_WINEVENTHOOK"] for handle in shared_info.handles(filters): outfd.write("Handle: {0:#x}, Object: {1:#x}, Session: {2}\n".format( handle.phead.h if handle.phead else 0, handle.phead.v(), session.SessionId)) outfd.write("Type: {0}, Flags: {1}, Thread: {2}, Process: {3}\n".format( handle.bType, handle.bFlags, handle.Thread.Cid.UniqueThread, handle.Process.UniqueProcessId, )) event_hook = handle.reference_object() outfd.write("eventMin: {0:#x} {1}\neventMax: {2:#x} {3}\n".format( event_hook.eventMin.v(), str(event_hook.eventMin), event_hook.eventMax.v(), str(event_hook.eventMax), )) outfd.write("Flags: {0}, offPfn: {1:#x}, idProcess: {2}, idThread: {3}\n".format( event_hook.dwFlags, event_hook.offPfn, event_hook.idProcess, event_hook.idThread, )) ## Work out the WindowStation\Desktop path by the handle ## owner (thread or process) outfd.write("ihmod: {0}\n".format(event_hook.ihmod)) outfd.write("\n") volatility_2.6+git20170711.b3db0cc/volatility/plugins/gui/editbox.py0000644000000000000000000004247413131215405023625 0ustar rootroot# Volatility EditBox plugin # # Author: Bridgey the Geek # # This plugin is free software; you can redistribute it and/or modify # it under the terms of GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This plugin is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PRACTICAL PURPOSE. See the # GNU General Public License for more details. 
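#
# You should have received a copy of the GNU General Public License
# along with this plugin. If not, see .
#
# This work heavily inspired by GDI Utilities from Dr Brendan Dolan-Gavitt PhD.
#
#
# The iteration of the Windows objects is borrowed from the Windows plugin.
#
#
# This plugin wouldn't exist without the assistance of those on the volusers
# mailing list .

"""
@author : Bridgey the Geek
@license : GPL 2 or later
@contact : bridgeythegeek@gmail.com
"""

import os

import volatility.debug as debug
import volatility.obj as obj
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.plugins.gui.messagehooks as messagehooks
import volatility.win32 as win32

# Window class suffix (the part after '!') -> name of the structure
# used to parse the control's private data.
supported_controls = {
    'edit' : 'COMCTL_EDIT',
    'listbox': 'COMCTL_LISTBOX',
}

editbox_vtypes_xp_x86 = {
    'COMCTL_EDIT': [0xEE, {
        'hBuf': [0x00, ['unsigned long']],
        'hWnd': [0x38, ['unsigned long']],
        'parenthWnd': [0x58, ['unsigned long']],
        'nChars': [0x0C, ['unsigned long']],
        'selStart': [0x14, ['unsigned long']],
        'selEnd': [0x18, ['unsigned long']],
        'pwdChar': [0x30, ['unsigned short']],
        'undoBuf': [0x80, ['unsigned long']],
        'undoPos': [0x84, ['long']],
        'undoLen': [0x88, ['long']],
        'bEncKey': [0xEC, ['unsigned char']],
    }],
    'COMCTL_LISTBOX': [0x40, {
        'hWnd': [0x00, ['unsigned long']],
        'parenthWnd': [0x04, ['unsigned long']],
        'atomHandle': [0x08, ['unsigned long']],
        'firstVisibleRow': [0x10, ['unsigned long']],
        'caretPos': [0x14, ['long']],
        'rowsVisible': [0x1C, ['unsigned long']],
        'itemCount': [0x20, ['unsigned long']],
        'stringsStart': [0x2C, ['unsigned long']],
        'stringsLength': [0x34, ['unsigned long']]
    }],
}

editbox_vtypes_xp_x64 = {
    'COMCTL_EDIT': [ 0x142, {
        'hBuf': [0x00, ['unsigned long']],
        'hWnd': [0x40, ['unsigned long']],
        'parenthWnd': [0x60, ['unsigned long']],
        'nChars': [0x10, ['unsigned long']],
        'selStart': [0x18, ['unsigned long']],
        'selEnd': [0x20, ['unsigned long']],
        'pwdChar': [0x34, ['unsigned short']],
        'undoBuf': [0xA8, ['address']],
        'undoPos': [0xB0, ['long']],
        'undoLen': [0xB4, ['long']],
        'bEncKey': [0x140, ['unsigned char']]
    }],
    'COMCTL_LISTBOX': [ 0x100, {
        'hWnd': [0x00, ['unsigned long']],
        'parenthWnd': [0x08, ['unsigned long']],
        'firstVisibleRow': [0x20, ['unsigned long']],
        'caretPos': [0x28, ['unsigned long']],
        'rowsVisible': [0x2C, ['unsigned long']],
        'itemCount': [0x30, ['unsigned long']],
        'stringsStart': [0x40, ['address']],
        'stringsLength': [0x4C, ['unsigned long']]
    }],
}

editbox_vtypes_vista7810_x86 = {
    'COMCTL_EDIT': [0xF6, {
        'hBuf': [0x00, ['unsigned long']],
        'hWnd': [0x38, ['unsigned long']],
        'parenthWnd': [0x58, ['unsigned long']],
        'nChars': [0x0C, ['unsigned long']],
        'selStart': [0x14, ['unsigned long']],
        'selEnd': [0x18, ['unsigned long']],
        'pwdChar': [0x30, ['unsigned short']],
        'undoBuf': [0x88, ['unsigned long']],
        'undoPos': [0x8C, ['long']],
        'undoLen': [0x90, ['long']],
        'bEncKey': [0xF4, ['unsigned char']],
    }],
    'COMCTL_LISTBOX': [0x40, {
        'hWnd': [0x00, ['unsigned long']],
        'parenthWnd': [0x04, ['unsigned long']],
        'atomHandle': [0x08, ['unsigned long']],
        'firstVisibleRow': [0x10, ['unsigned long']],
        'caretPos': [0x14, ['long']],
        'rowsVisible': [0x1C, ['unsigned long']],
        'itemCount': [0x20, ['unsigned long']],
        'stringsStart': [0x2C, ['unsigned long']],
        'stringsLength': [0x34, ['unsigned long']]
    }],
}

editbox_vtypes_vista7810_x64 = {
    'COMCTL_EDIT': [0x142, {
        'hBuf': [0x00, ['unsigned long']],
        'hWnd': [0x40, ['unsigned long']],
        'parenthWnd': [0x60, ['unsigned long']],
        'nChars': [0x10, ['unsigned long']],
        'selStart': [0x18, ['unsigned long']],
        'selEnd': [0x20, ['unsigned long']],
        'pwdChar': [0x34, ['unsigned short']],
        'undoBuf': [0xA8, ['address']],
        'undoPos': [0xB0, ['long']],
        'undoLen': [0xB4, ['long']],
        'bEncKey': [0x140, ['unsigned char']],
    }],
    'COMCTL_LISTBOX': [0x54, {
        'hWnd': [0x00, ['unsigned long']],
        'parenthWnd': [0x08, ['unsigned long']],
        'firstVisibleRow': [0x20, ['unsigned long']],
        'caretPos': [0x28, ['unsigned long']],
        'rowsVisible': [0x2C, ['unsigned long']],
        'itemCount': [0x30, ['unsigned long']],
        'stringsStart': [0x40, ['address']],
        'stringsLength': [0x4C, ['unsigned long']]
    }],
}

class COMCTL_EDIT(obj.CType):
    """Methods for the Edit structure"""

    def __str__(self):
        """String representation of the Edit

        Text and undo buffer are shortened to at most 50 characters,
        with CRLF pairs shown as '.'.
        """
        _MAX_OUT = 50

        text = self.get_text(no_crlf=True)
        text = '{}...'.format(text[:_MAX_OUT - 3]) if len(text) > _MAX_OUT else text

        undo = self.get_undo(no_crlf=True)
        undo = '{}...'.format(undo[:_MAX_OUT - 3]) if len(undo) > _MAX_OUT else undo

        return '<{0}(Text="{1}", Len={2}, Pwd={3}, Undo="{4}", UndoLen={5})>'.format(
            self.__class__.__name__, text, self.nChars, self.is_pwd(), undo, self.undoLen)

    def get_text(self, no_crlf=False):
        """Get the text from the control

        :param no_crlf: when true, every CRLF pair is replaced by '.'
        :return: the decoded text; '' when nChars is below 1 or when
                 nothing could be read from the process memory
        """
        if self.nChars < 1:
            return ''

        # hBuf is dereferenced once to reach the character buffer.
        text_deref = obj.Object('unsigned long', offset=self.hBuf, vm=self.obj_vm)

        # NOTE(review): nChars is taken from the analysed image, so a
        # corrupted or hostile value decides how many bytes are read
        # here; consider a sanity cap.
        raw = self.obj_vm.read(text_deref, self.nChars * 2)

        # Presumably read() hands back nothing for unmapped memory -
        # confirm. Treat that like an empty control instead of failing
        # on the decode below.
        if not raw:
            return ''

        if not self.pwdChar == 0x00:  # Is a password dialog
            raw = COMCTL_EDIT.rtl_run_decode_unicode_string(self.bEncKey, raw)

        text = raw.decode('utf-16')
        if no_crlf:
            return text.replace('\r\n', '.')
        return text

    def get_undo(self, no_crlf=False):
        """Get the contents of the undo buffer

        :param no_crlf: when true, every CRLF pair is replaced by '.'
        :return: the decoded undo text; '' when undoLen is below 1 or
                 when nothing could be read from the process memory
        """
        if self.undoLen < 1:
            return ''

        # NOTE(review): undoLen comes from the analysed image as well;
        # see the remark on nChars in get_text.
        raw = self.obj_vm.read(self.undoBuf, self.undoLen * 2)
        if not raw:
            return ''

        text = raw.decode('utf-16')
        if no_crlf:
            return text.replace('\r\n', '.')
        return text

    def is_pwd(self):
        """Is this a password control?

        :return: True when pwdChar is non-zero
        """
        return self.pwdChar != 0x00

    def dump_meta(self, outfd):
        """Dumps the meta data of the control

        @param outfd: object with a write() method
        """
        outfd.write('nChars : {}\n'.format(self.nChars))
        outfd.write('selStart : {}\n'.format(self.selStart))
        outfd.write('selEnd : {}\n'.format(self.selEnd))
        outfd.write('isPwdControl : {}\n'.format(self.is_pwd()))
        outfd.write('undoPos : {}\n'.format(self.undoPos))
        outfd.write('undoLen : {}\n'.format(self.undoLen))
        outfd.write('address-of undoBuf: {:#x}\n'.format(self.undoBuf))
        outfd.write('undoBuf : {}\n'.format(self.get_undo(no_crlf=True)))

    def dump_data(self, outfd):
        """Dumps the data of the control

        @param outfd: object with a write() method
        """
        outfd.write('{}\n'.format(self.get_text()))

    @staticmethod
    def rtl_run_decode_unicode_string(key, data):
        """XOR-decode the buffer of a password control.

        The first byte is XORed with (key | 0x43); every later byte is
        XORed with the encoded byte before it and with key.

        @param key: the one-byte key (bEncKey of the control)
        @param data: the encoded bytes
        @return: the decoded bytes, '' for empty input
        """
        if not data:
            return ''
        s = ''.join([chr(ord(data[i - 1]) ^ ord(data[i]) ^ key) for i in range(1, len(data))])
        s = chr(ord(data[0]) ^ (key | 0x43)) + s
        return s

class COMCTL_LISTBOX(obj.CType):
    """Methods for the Listbox structure"""

    def __str__(self):
        """String representation of the Listbox

        The item text is joined with '|' and shortened to at most 50
        characters.
        """
        _MAX_OUT = 50
        text = self.get_text(joiner='|')
        text = '{}...'.format(text[:_MAX_OUT - 3]) if len(text) > _MAX_OUT else text
        return '<{0}(Text="{1}", Items={2}, Caret={3}>'.format(
            self.__class__.__name__, text, self.itemCount, self.caretPos)

    def get_text(self, joiner='\n'):
        """Get the text from the control

        @param joiner: string placed between the items
        @return: the items joined into one string; '' when
                 stringsLength is below 1
        """
        if self.stringsLength < 1:
            return ''
        # NOTE(review): stringsLength is taken from the analysed image;
        # a corrupted or hostile value decides the size of this read.
        raw = self.obj_vm.read(self.stringsStart, self.stringsLength)
        return joiner.join(split_null_strings(raw))

    def dump_meta(self, outfd):
        """Dumps the meta data of the control

        @param outfd: object with a write() method
        """
        outfd.write('firstVisibleRow : {}\n'.format(self.firstVisibleRow))
        outfd.write('caretPos : {}\n'.format(self.caretPos))
        outfd.write('rowsVisible : {}\n'.format(self.rowsVisible))
        outfd.write('itemCount : {}\n'.format(self.itemCount))
        outfd.write('stringsStart : {:#x}\n'.format(self.stringsStart))
        outfd.write('stringsLength : {}\n'.format(self.stringsLength))

    def dump_data(self, outfd):
        """Dumps the data of the control

        @param outfd: object with a write() method
        """
        outfd.write('{}\n'.format(self.get_text()))

def split_null_strings(data):
    """Splits a concatenation of null-terminated utf-16 strings

    Only terminated strings are returned; bytes after the last
    terminator are ignored.

    @param data: the raw bytes; empty or missing data gives []
    @return: list of decoded strings
    """
    if not data:
        return []
    strings = []
    start = 0
    # Stop one byte early so that data[i + 1] always exists, even when
    # the buffer has an odd length.
    for i in xrange(0, len(data) - 1, 2):
        if data[i] == '\x00' and data[i + 1] == '\x00':
            strings.append(data[start:i])
            start = i + 2
    return [s.decode('utf-16') for s in strings]

def dump_to_file(ctrl, pid, proc_name, folder):
    """Dumps the data of the control to a file

    The file is named <pid>_<process>_<control>_<address>.txt and is
    written as UTF-8.

    @param ctrl: the control object (its get_text() result is written)
    @param pid: process id, used in the file name
    @param proc_name: process image name, used in the file name
    @param folder: existing directory that receives the file
    """
    ctrl_safe_name = str(ctrl.__class__.__name__).split('_')[-1].lower()

    # proc_name is read from the image under analysis, not chosen by
    # the analyst. Replace path separators, drive colons and control
    # characters so it can only ever be part of a file name inside
    # folder.
    unsafe_chars = '/\\:'
    safe_proc_name = ''.join(
        '_' if (ch in unsafe_chars or ord(ch) < 0x20) else ch
        for ch in str(proc_name))

    file_name = '{0}_{1}_{2}_{3:#x}.txt'.format(pid, safe_proc_name, ctrl_safe_name, ctrl.v())

    # get_text() returns decoded text; encode it explicitly so that
    # non-ASCII content does not fail on the binary write.
    text = ctrl.get_text()
    if isinstance(text, unicode):
        text = text.encode('utf-8')

    with open(os.path.join(folder, file_name), 'wb') as out_file:
        out_file.write(text)

class Editbox(common.AbstractWindowsCommand):
    """Displays information about Edit controls. (Listbox experimental.)"""

    # Add the classes for the structures
    editbox_classes = {
        'COMCTL_EDIT' : COMCTL_EDIT,
        'COMCTL_LISTBOX': COMCTL_LISTBOX,
    }

    def __init__(self, config, *args, **kwargs):
        """Register the PID and DUMP-DIR options."""
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        # Filter specific processes
        config.add_option('PID', short_option='p', default=None,
                          help='Operate on these Process IDs (comma-separated)',
                          action='store', type='str')

        config.add_option('DUMP-DIR', short_option='D', default=None,
                          help='Save the found text to files in this folder',
                          action='store', type='str')

        # True while the 32-bit structure layouts are applied for a
        # Wow64 process (see calculate)
        self.fake_32bit = False

    @staticmethod
    def apply_types(addr_space, meta=None):
        """Add the correct vtypes and classes for the profile

        @param addr_space: address space whose profile is updated
        @param meta: metadata dictionary to decide on; defaults to the
                     metadata of the profile itself
        """
        if not meta:
            meta = addr_space.profile.metadata

        if meta['os'] == 'windows':
            if meta['major'] == 5:
                if meta['memory_model'] == '32bit':
                    addr_space.profile.vtypes.update(editbox_vtypes_xp_x86)
                elif meta['memory_model'] == '64bit':
                    addr_space.profile.vtypes.update(editbox_vtypes_xp_x64)
                else:
                    debug.error("The selected address space is not supported")
                addr_space.profile.compile()
            elif meta['major'] == 6:
                if meta['memory_model'] == '32bit':
                    addr_space.profile.vtypes.update(editbox_vtypes_vista7810_x86)
                elif meta['memory_model'] == '64bit':
                    addr_space.profile.vtypes.update(editbox_vtypes_vista7810_x64)
                else:
                    debug.error("The selected address space is not supported")
                addr_space.profile.compile()
            else:
                debug.error("The selected address space is not supported")
        else:
            debug.error("The selected address space is not supported")

    def calculate(self):
        """Parse the control structures

        Yields (context, atom_class, pid, image name, IsWow64, ctrl)
        for every window of a selected process whose class is one of
        supported_controls. With DUMP-DIR set, the text of each control
        is also written to a file.
        """

        # Check the output folder exists
        if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
            debug.error('{0} is not a directory'.format(self._config.DUMP_DIR))

        # Apply the correct vtypes for the profile
        addr_space = utils.load_as(self._config)
        addr_space.profile.object_classes.update(Editbox.editbox_classes)
        self.apply_types(addr_space)

        # Build a list of tasks
        tasks = win32.tasks.pslist(addr_space)
        if self._config.PID:
            pids = [int(p) for p in self._config.PID.split(',')]
            the_tasks = [t for t in tasks if t.UniqueProcessId in pids]
        else:
            the_tasks = [t for t in tasks]

        # In case no PIDs found
        if len(the_tasks) < 1:
            return

        # Iterate through all the window objects matching for supported controls
        mh = messagehooks.MessageHooks(self._config)
        for winsta, atom_tables in mh.calculate():
            for desktop in winsta.desktops():
                for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
                    if wnd.Process not in the_tasks:
                        continue

                    atom_class = mh.translate_atom(winsta, atom_tables, wnd.ClassAtom)
                    if not atom_class:
                        continue

                    # Only class names of the form <prefix>!<class>
                    # are considered
                    atom_class = str(atom_class)
                    if '!' not in atom_class:
                        continue

                    comctl_class = atom_class.split('!')[-1].lower()
                    if comctl_class not in supported_controls:
                        continue

                    # Do we need to fake being 32bit for Wow?
                    # NOTE(review): the switch back relies on
                    # profile.metadata not keeping the '32bit' value
                    # written into meta here - confirm.
                    if wnd.Process.IsWow64 and not self.fake_32bit:
                        meta = addr_space.profile.metadata
                        meta['memory_model'] = '32bit'
                        self.apply_types(addr_space, meta)
                        self.fake_32bit = True
                    elif not wnd.Process.IsWow64 and self.fake_32bit:
                        self.apply_types(addr_space)
                        self.fake_32bit = False

                    context = '{0}\\{1}\\{2}'.format(winsta.dwSessionId, winsta.Name, desktop.Name)

                    # The pointer stored right after the tagWND leads
                    # to the control structure, which is read from the
                    # address space of the owning process.
                    task_vm = wnd.Process.get_process_address_space()
                    wndextra_offset = wnd.v() + addr_space.profile.get_obj_size('tagWND')
                    wndextra = obj.Object('address', offset=wndextra_offset, vm=task_vm)
                    ctrl = obj.Object(supported_controls[comctl_class], offset=wndextra, vm=task_vm)

                    if self._config.DUMP_DIR:
                        dump_to_file(ctrl, wnd.Process.UniqueProcessId,
                                     wnd.Process.ImageFileName, self._config.DUMP_DIR)

                    yield context, atom_class, wnd.Process.UniqueProcessId, \
                        wnd.Process.ImageFileName, wnd.Process.IsWow64, ctrl

    def render_table(self, outfd, data):
        """Output the results as a table

        @param outfd: output stream
        @param data: the tuples yielded by calculate
        """
        self.table_header(outfd, [
            ('PID', '6'),
            ('Process', '14'),
            ('Control', ""),
        ])

        for context, atom_class, pid, proc_name, is_wow64, ctrl in data:
            # context, atom_class and is_wow64 are ignored
            self.table_row(outfd, pid, proc_name, str(ctrl))

    def render_text(self, outfd, data):
        """Output the results as a text report

        @param outfd: output stream
        @param data: the tuples yielded by calculate
        """
        for context, atom_class, pid, proc_name, is_wow64, ctrl in data:
            outfd.write('{}\n'.format('*' * 30))
            outfd.write('Wnd Context : {}\n'.format(context))
            outfd.write('Process ID : {}\n'.format(pid))
            outfd.write('ImageFileName : {}\n'.format(proc_name))
            outfd.write('IsWow64 : {}\n'.format('Yes' if is_wow64 else 'No'))
            outfd.write('atom_class : {}\n'.format(atom_class))
            outfd.write('value-of WndExtra : {:#x}\n'.format(ctrl.v()))
            ctrl.dump_meta(outfd)
            outfd.write('{}\n'.format('-' * 25))
            ctrl.dump_data(outfd)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/getservicesids.py0000644000000000000000000012005313131215405024414 0ustar rootroot
# Volatility
# Copyright (C) 2011-2013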
Volatility Foundation # Copyright (C) 2011 Jamie Levy (Gleeda) # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Jamie Levy (Gleeda) @license: GNU General Public License 2.0 @contact: jamie@memoryanalysis.net @organization: Volatility Foundation """ import volatility.win32.rawreg as rawreg import volatility.debug as debug import volatility.plugins.registry.registryapi as registryapi import volatility.plugins.common as common from volatility.renderers import TreeGrid import hashlib import struct # This is a dictionary of default services from Vista+ machines servicesids = { 'S-1-5-80-3476726845-1218940557-3240126423-1396283824-3706223860': '.NET CLR Data', 'S-1-5-80-3749761688-76038143-2425834820-4129736068-309120712': '.NET CLR Networking', 'S-1-5-80-603392709-3706100282-1779817366-3290147925-2109454977': '.NET Data Provider for Oracle', 'S-1-5-80-1168016597-2140435647-491797002-352772175-817350590': '.NET Data Provider for SqlServer', 'S-1-5-80-255220978-1106536095-1636044468-311807000-281316439': '.NETFramework', 'S-1-5-80-799694863-4024754253-4060439485-3284853837-2852070736': '1394ohci', 'S-1-5-80-550892281-1246201444-2906082186-2301917840-2280485454': 'ACPI', 'S-1-5-80-2750316143-92726786-3671103447-4285640526-595803658': 'AcpiPmi', 'S-1-5-80-4277731759-3688284049-1726419820-405794046-874834352': 'adp94xx', 
'S-1-5-80-1668430318-2462354215-3771841206-4231263990-2365432302': 'adpahci', 'S-1-5-80-1558789706-915067316-2610504951-4085128407-2746609837': 'adpu320', 'S-1-5-80-2580340827-1408356417-1236233457-3361088231-1362281560': 'adsi', 'S-1-5-80-1452425288-2709461340-3274533413-2407537074-986069024': 'AeLookupSvc', 'S-1-5-80-958185937-3813565417-3041720555-255702914-2218388865': 'AFD', 'S-1-5-80-1478021307-2683864309-2840291008-2654641652-1914939368': 'agp440', 'S-1-5-80-2964793103-1312530465-1873688160-795174673-2945876561': 'aic78xx', 'S-1-5-80-2387347252-3645287876-2469496166-3824418187-3586569773': 'ALG', 'S-1-5-80-1587539839-2488332913-1287008632-3751426284-4220573165': 'aliide', 'S-1-5-80-2808999507-317517852-2612044860-3916887390-3713671788': 'amdagp', 'S-1-5-80-4100430975-1934021090-490597466-3817433801-2954987127': 'amdide', 'S-1-5-80-2291534435-3322220689-2735625597-3465650106-1340236923': 'AmdK8', 'S-1-5-80-4046459391-4016695280-780100908-1621843708-2839135617': 'AmdPPM', 'S-1-5-80-1967003600-1747618720-202510732-1118110944-2056302645': 'amdsata', 'S-1-5-80-3946629880-3877146532-1020811794-3209710663-3707805237': 'amdsbs', 'S-1-5-80-2663151763-304964558-3327380674-1150567875-3378868591': 'amdxata', 'S-1-5-80-4206070390-3011771559-4179333097-3486196663-2896243697': 'AppID', 'S-1-5-80-2078495744-2416903469-4072184685-3943858305-976987417': 'AppIDSvc', 'S-1-5-80-1345931346-2714066941-3624776837-1617505694-3927660246': 'Appinfo', 'S-1-5-80-3213379692-3546485254-1309469428-3810262102-2442199571': 'AppMgmt', 'S-1-5-80-2586396289-3967100905-3140788560-3910242148-3554126937': 'arc', 'S-1-5-80-4275531960-1601664531-2254151532-3075236607-956726506': 'arcsas', 'S-1-5-80-3772676405-1029441937-3739550121-1000989080-3364480489': 'AsyncMac', 'S-1-5-80-3126347352-2401679295-1536073615-3396758597-3783091149': 'atapi', 'S-1-5-80-1580948945-3239616721-2529237571-3761093093-1214243633': 'AudioEndpointBuilder', 'S-1-5-80-2676549577-1911656217-2625096541-4178041876-1366760775': 
'Audiosrv', 'S-1-5-80-1058592404-331734164-3167594226-3910907650-1299295147': 'AxInstSV', 'S-1-5-80-1401731874-3996074688-1963706087-3130220608-1140295258': 'b06bdrv', 'S-1-5-80-528874604-3378394362-3426265968-3876211711-2956305666': 'b57nd60x', 'S-1-5-80-2490514847-2461341327-10008697-1811907875-602803682': 'BattC', 'S-1-5-80-2962817144-200689703-2266453665-3849882635-1986547430': 'BDESVC', 'S-1-5-80-3186183977-1861961257-3523979229-167170737-1516062821': 'Beep', 'S-1-5-80-1383147646-27650227-2710666058-1662982300-1023958487': 'BFE', 'S-1-5-80-864916184-135290571-3087830041-1716922880-4237303741': 'BITS', 'S-1-5-80-3199704608-2688121514-1535149675-608666402-3313731745': 'blbdrive', 'S-1-5-80-26818074-245702967-483560604-1005139437-3076944027': 'bowser', 'S-1-5-80-1926592986-1411939489-3259133927-4064956769-2216240612': 'BrFiltLo', 'S-1-5-80-3843808474-1199403037-3395254522-1605808544-3221186762': 'BrFiltUp', 'S-1-5-80-764937145-223273921-1726433829-265908364-3948077829': 'Browser', 'S-1-5-80-3715020542-2003794336-3716799247-4001019941-1245790858': 'Brserid', 'S-1-5-80-4014097382-2743177720-3750454595-1699596626-866516122': 'BrSerWdm', 'S-1-5-80-1195671069-1048138941-897119314-1432864274-834752102': 'BrUsbMdm', 'S-1-5-80-1736549233-1399426098-2600293700-2473969234-3259996387': 'BrUsbSer', 'S-1-5-80-505608135-4274227953-3632766965-1888639892-3184055934': 'BTHMODEM', 'S-1-5-80-1409084391-1870647740-2731517552-2815089321-2189562539': 'BTHPORT', 'S-1-5-80-2586557155-168560303-1373426920-983201488-1499765686': 'bthserv', 'S-1-5-80-3223837281-1527595016-2901219760-1358189227-808820507': 'cdfs', 'S-1-5-80-364680967-1232085744-2960737863-915504889-2752576923': 'cdrom', 'S-1-5-80-3256172449-2363790065-3617575471-4144056108-756904704': 'CertPropSvc', 'S-1-5-80-4066704878-4231214995-2335031091-3527122690-1574766183': 'circlass', 'S-1-5-80-1506673549-1532669541-769420574-1605323189-863873827': 'CLFS', 'S-1-5-80-776041216-1751974135-1557427478-1892253070-796752000': 
'clr_optimization_v2.0.50727_32', 'S-1-5-80-452204072-1743664639-1560983493-2640850116-597529692': 'CmBatt', 'S-1-5-80-979911607-31916023-2827320217-2656655436-259985251': 'cmdide', 'S-1-5-80-3573738861-3694853854-361022443-2442358023-2743921644': 'CNG', 'S-1-5-80-3960644792-2999129865-644014482-29643289-3842828219': 'Compbatt', 'S-1-5-80-832194277-1022982267-2217674263-2896671990-3011983110': 'CompositeBus', 'S-1-5-80-593875016-1044814911-1112741138-2143646632-2690613739': 'COMSysApp', 'S-1-5-80-3158764370-1001901224-1854525633-1718604346-2756706540': 'crcdisk', 'S-1-5-80-3747264324-1669729390-1715156009-1010652712-2439569381': 'Crusoe', 'S-1-5-80-3020380856-1381845346-309829523-1810616773-418643442': 'crypt32', 'S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459': 'CryptSvc', 'S-1-5-80-3601020880-2087999432-167179594-730776211-2997520967': 'CSC', 'S-1-5-80-1987853863-1639573247-1110726908-1137832616-3599624523': 'CscService', 'S-1-5-80-1564160128-141119064-743480990-78466790-746535033': 'DCLocator', 'S-1-5-80-1601830629-990752416-3372939810-977361409-3075122917': 'DcomLaunch', 'S-1-5-80-654447679-1163530548-981569129-3608673666-3128964045': 'defragsvc', 'S-1-5-80-3837255464-839197112-3211601036-3795322556-2690640524': 'DfsC', 'S-1-5-80-1267473060-1890374259-1137250836-544356534-2546457154': 'DFSR', 'S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582': 'Dhcp', 'S-1-5-80-2142581517-3954605861-2373846864-2138305209-1019737370': 'discache', 'S-1-5-80-1827140278-1118305254-4004251663-1512899043-4081885502': 'Disk', 'S-1-5-80-859482183-879914841-863379149-1145462774-2388618682': 'Dnscache', 'S-1-5-80-3787436395-2174616005-3003730137-1094982900-1570567328': 'dot3svc', 'S-1-5-80-2970612574-78537857-698502321-558674196-1451644582': 'DPS', 'S-1-5-80-338020179-181244551-1629881386-919369987-4169324252': 'drmkaud', 'S-1-5-80-3820654016-1545322283-1804062181-1022271772-3696306321': 'DXGKrnl', 
'S-1-5-80-2212058837-3965059022-779215765-3282659977-917192320': 'E1G60', 'S-1-5-80-3578261754-285310837-913589462-2834155770-667502746': 'EapHost', 'S-1-5-80-2437473203-2648204866-3612751994-635271166-3967841232': 'Ecache', 'S-1-5-80-1191957972-1903257272-3657591267-1787121440-2523964525': 'ebdrv', 'S-1-5-80-730263862-4055390735-403826019-1175694336-1277635259': 'EFS', 'S-1-5-80-567955335-3455378119-3305749985-2554534624-1867504835': 'ehRecvr', 'S-1-5-80-3864065939-1897331054-469427076-3133256761-1570309435': 'ehSched', 'S-1-5-80-2913099195-3001839937-1914692661-1563395363-459793767': 'ehstart', 'S-1-5-80-3118383011-3159412168-3368304685-4081854189-1392756948': 'elxstor', 'S-1-5-80-1436322865-2295268783-31549072-3549518694-69512146': 'EmdCache', 'S-1-5-80-557382581-4103702789-1349398007-826115979-1301810884': 'EMDMgmt', 'S-1-5-80-1580004045-3657569029-3054886754-3760858607-1347140441': 'ErrDev', 'S-1-5-80-1163726475-4032819940-2637749356-1655080563-3495319901': 'ESENT', 'S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122': 'eventlog', 'S-1-5-80-1772571935-1555666882-3369284645-1675012128-2386634627': 'EventSystem', 'S-1-5-80-339744372-1785209941-194342311-2969164887-2874010346': 'exfat', 'S-1-5-80-3825849991-4144931059-247537738-1429287757-2349637904': 'fastfat', 'S-1-5-80-2117685068-4011115449-2646761356-2137676340-222423812': 'Fax', 'S-1-5-80-678085088-615808128-1967178352-3804608619-208504977': 'fdc', 'S-1-5-80-364023826-931424190-487969545-1024119571-74567675': 'fdPHost', 'S-1-5-80-3215268152-2863950836-530904203-4246843131-2183915461': 'FDResPub', 'S-1-5-80-3048209083-3162952562-941345871-1437532549-835501875': 'FileInfo', 'S-1-5-80-1352441077-2188484239-1994186818-620473926-3758853310': 'Filetrace', 'S-1-5-80-2678475722-3718149211-1393662077-3558562392-2203603517': 'flpydisk', 'S-1-5-80-916285479-1714977700-1732101595-331036679-1735462769': 'FltMgr', 'S-1-5-80-3655275221-2954682349-3644260495-855223267-1438849333': 'FontCache', 
'S-1-5-80-3782458156-2098404076-3767342964-3617937256-1389734963': 'FontCache3.0.0.0', 'S-1-5-80-4244156434-496195918-1908400060-3754471672-3389379472': 'FsDepends', 'S-1-5-80-1638897150-273717933-3197303335-567190659-606579740': 'Fs_Rec', 'S-1-5-80-221025945-1494805562-2841517651-3196795133-192498206': 'fvevol', 'S-1-5-80-1150850083-1108777032-2236282716-3985597815-2701820264': 'gagp30kx', 'S-1-5-80-2024188204-2445810227-898691311-2942020084-762398166': 'gpsvc', 'S-1-5-80-2384017851-2441776339-3346382083-2430645704-3475981877': 'hcw85cir', 'S-1-5-80-2193151998-1100362924-2192368770-2985476713-896696503': 'HDAudBus', 'S-1-5-80-1648434057-4219984261-1802816958-334501717-1769477291': 'HidBatt', 'S-1-5-80-191977210-1053814073-2805336524-1775407748-120039257': 'HidBth', 'S-1-5-80-498696395-104441048-3395182230-3082814586-1375447691': 'HidIr', 'S-1-5-80-89818136-74175777-88572358-3912780041-2421659406': 'hidserv', 'S-1-5-80-1586586559-167648910-1414982260-3863830924-1724542190': 'HidUsb', 'S-1-5-80-1373701630-3910968185-3388013410-2492353-937432973': 'hkmsvc', 'S-1-5-80-2291748755-1591405548-1905550586-2340871825-1258388485': 'HpCISSs', 'S-1-5-80-4028305664-2774326660-44957573-2454826285-2129126537': 'HomeGroupListener', 'S-1-5-80-2620923248-4247863784-3378508180-2659151310-2535246811': 'HomeGroupProvider', 'S-1-5-80-3952044490-1864224763-1322162546-396143671-1619397437': 'HpSAMD', 'S-1-5-80-3734987283-965611577-2130035942-3636592211-2616856863': 'HTTP', 'S-1-5-80-970016657-3034632851-3048190821-4182690298-3323420226': 'i2omp', 'S-1-5-80-3096896632-2411553352-2084109408-2930423838-4282791216': 'hwpolicy', 'S-1-5-80-738727139-3255065492-2264176241-1836141076-1899426695': 'i8042prt', 'S-1-5-80-1156567179-1019273932-444819734-1772733284-2107707318': 'iaStorV', 'S-1-5-80-2984992224-2588614340-2167448307-2303456600-125847566': 'idsvc', 'S-1-5-80-3218395955-317132717-2440444880-267201483-2700625476': 'iirsp', 'S-1-5-80-698886940-375981264-2691324669-2937073286-3841916615': 
'IKEEXT', 'S-1-5-80-3217419572-1740605331-1127140686-2317006352-2064317000': 'inetaccs', 'S-1-5-80-3664101217-2276051299-423734030-2746486177-2766044424': 'intelide', 'S-1-5-80-817570274-767070440-2629795609-3336305482-1678804590': 'intelppm', 'S-1-5-80-2506443892-94066030-1663014834-2885971264-4189966690': 'IPBusEnum', 'S-1-5-80-2750735467-3008441591-3989401642-3215998983-1344927289': 'IpFilterDriver', 'S-1-5-80-62724632-2456781206-3863850748-1496050881-1042387526': 'iphlpsvc', 'S-1-5-80-1361160473-1867727628-1338406996-3302040194-2851723982': 'IpInIp', 'S-1-5-80-2771164118-4094026282-2266286801-3306161409-3436440840': 'IPMIDRV', 'S-1-5-80-2368102602-26431353-856636621-1497418614-482242802': 'IPNAT', 'S-1-5-80-433158070-3235422099-1317741036-1922328546-1834106188': 'IRENUM', 'S-1-5-80-1308614567-1511795785-2741360970-8197000-3264788676': 'isapnp', 'S-1-5-80-1446792217-3918178545-2165441202-3760590537-1875255596': 'iScsiPrt', 'S-1-5-80-2249099846-2157059493-1994460756-1924820827-2369096692': 'iteatapi', 'S-1-5-80-750512324-770881543-4197932906-3645560491-3779161573': 'iteraid', 'S-1-5-80-1974511938-2400693546-1685170019-203554928-1466978163': 'kbdclass', 'S-1-5-80-3058542000-3285469617-40650340-3734485625-1920508542': 'kbdhid', 'S-1-5-80-1206118541-1677721718-2423781911-3372378849-3903984073': 'KeyIso', 'S-1-5-80-3810688523-3855579666-1860693470-2666993558-46302070': 'KSecDD', 'S-1-5-80-638937566-1168471176-3064579757-2631269312-170126454': 'KSecPkg', 'S-1-5-80-2818357584-3387065753-4000393942-342927828-138088443': 'KtmRm', 'S-1-5-80-879696042-2351668846-370232824-2524288904-4023536711': 'LanmanServer', 'S-1-5-80-719998295-2833700043-1566817583-4093942769-1414026312': 'LanmanWorkstation', 'S-1-5-80-3356507721-3148410333-1453554623-2317622189-363686743': 'ldap', 'S-1-5-80-1339741203-2503426401-303705627-250156843-1210515524': 'lltdio', 'S-1-5-80-940647296-341435850-43817331-158078607-2483727905': 'lltdsvc', 
'S-1-5-80-172094073-716411664-54255058-185476446-2329512179': 'lmhosts', 'S-1-5-80-1037107160-813189200-1860894220-2610408748-1807657940': 'Lsa', 'S-1-5-80-973905250-3368826558-2408393701-2645888229-3042295110': 'LSI_FC', 'S-1-5-80-3066312493-2787136058-3895654580-111488809-2262703568': 'LSI_SAS', 'S-1-5-80-935126585-3333887566-2369146147-2658756633-3860083864': 'LSI_SAS2', 'S-1-5-80-702453548-2563122194-4165184037-877730421-2039909086': 'LSI_SCSI', 'S-1-5-80-381203785-1552481550-3565819581-4159540168-38965703': 'luafv', 'S-1-5-80-3770938798-2726624435-2075025292-3280341113-3618470894': 'Mcx2Svc', 'S-1-5-80-1503963800-3543347063-2443146678-2767313893-605308357': 'megasas', 'S-1-5-80-4024713676-1017792628-381990976-3540878265-1306153904': 'MegaSR', 'S-1-5-80-2799810402-4136494038-1094338311-2889966999-3154753985': 'MMCSS', 'S-1-5-80-2005225957-2795451222-469338742-3947262705-2044891099': 'Modem', 'S-1-5-80-4207690787-1085901060-2295361997-2227230598-1253819078': 'monitor', 'S-1-5-80-675551267-1826535266-117093185-28668227-296166608': 'mouclass', 'S-1-5-80-3854853272-3832246511-1244659077-3165440039-2262758429': 'mouhid', 'S-1-5-80-3601998905-441174471-4117363912-32772110-2632366064': 'mountmgr', 'S-1-5-80-4261667920-1220466518-1749771309-2316901739-273317064': 'mpio', 'S-1-5-80-3142377179-3443479297-2149323391-1756545698-484011292': 'mpsdrv', 'S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052': 'MpsSvc', 'S-1-5-80-2250298043-1491746124-3447101336-2334414474-2555807208': 'Mraid35x', 'S-1-5-80-2688027615-1506195528-3802338144-777155390-618458321': 'MRxDAV', 'S-1-5-80-2162099894-1456621096-2119874347-3743340265-2368304946': 'mrxsmb', 'S-1-5-80-2676550360-252586896-1701879715-2742386574-1171030092': 'mrxsmb10', 'S-1-5-80-3970894941-767821303-4047113619-2738918178-2351404876': 'mrxsmb20', 'S-1-5-80-276420989-3971400029-4249224515-3588854300-972083571': 'msahci', 'S-1-5-80-827450036-3359053657-3286484322-221598818-2985401197': 'msdsm', 
'S-1-5-80-3960419045-2460139048-4046793004-1809597027-2250574426': 'MSDTC', 'S-1-5-80-1515650939-3601430262-2496924429-640160050-3998290523': 'MSDTC Bridge 3.0.0.0', 'S-1-5-80-3825916667-3375043415-3384654478-3177665693-2200644784': 'Msfs', 'S-1-5-80-4064639957-1408283007-2091294018-2122350837-1986927883': 'mshidkmdf', 'S-1-5-80-537088188-2896597613-2307397767-3752262660-2081934664': 'msisadrv', 'S-1-5-80-917953661-2020045820-2727011118-2260243830-4032185929': 'MSiSCSI', 'S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966': 'msiserver', 'S-1-5-80-1314579368-1827054856-3801607513-4137797117-3785845944': 'MSKSSRV', 'S-1-5-80-3515336427-2373706795-1189292716-3451446183-2383180522': 'MSPCLOCK', 'S-1-5-80-2550581486-1497628998-1973453189-3108482975-2816921478': 'MSPQM', 'S-1-5-80-4273119239-1126992662-2069961181-78804100-786965295': 'MsRPC', 'S-1-5-80-2731410647-2404537004-1422510964-3385838496-1398925663': 'MSSCNTRS', 'S-1-5-80-2379877105-2122874852-2028670630-1350450415-3977667049': 'mssmbios', 'S-1-5-80-294111013-494549581-4136661504-3518049416-761106507': 'MSTEE', 'S-1-5-80-772196467-3194495650-2141286422-1986870660-3602995159': 'MTConfig', 'S-1-5-80-2851636321-923882121-3805946377-1773657562-2703951580': 'Mup', 'S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779': 'napagent', 'S-1-5-80-3451137062-797777108-3464068327-231871278-2024511519': 'NativeWifiP', 'S-1-5-80-2183409222-222800135-1539000935-3109909370-1207982808': 'NDIS', 'S-1-5-80-1310191460-362243386-72972191-123604350-1188038626': 'NdisCap', 'S-1-5-80-3307576507-4040802919-832577921-47721884-821370673': 'NdisTapi', 'S-1-5-80-2426641292-1095310648-1538795067-2456674997-547968854': 'Ndisuio', 'S-1-5-80-3137956796-3050520361-1309400342-955303752-3583020413': 'NdisWan', 'S-1-5-80-3999445478-1493703614-491198216-2250085872-3662815299': 'NDProxy', 'S-1-5-80-298519744-3326885196-200884095-1345730765-1206919721': 'NetBIOS', 'S-1-5-80-3481163626-3922336224-2171110286-845444925-873416656': 
'NetBT', 'S-1-5-80-1589317753-1926951874-3424712441-2302911845-2572860984': 'Netlogon', 'S-1-5-80-2898649604-2335086160-1904548223-3761738420-3855444835': 'Netman', 'S-1-5-80-3635958274-2059881490-2225992882-984577281-633327304': 'netprofm', 'S-1-5-80-1773860938-1487242074-882566118-4272343956-2175834232': 'NetTcpPortSharing', 'S-1-5-80-3739586395-593861784-2557645679-4197025642-341497066': 'nfrd960', 'S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453': 'NlaSvc', 'S-1-5-80-1093399993-2276725296-2148262981-2274078422-4284582767': 'Npfs', 'S-1-5-80-2310782386-4237065203-3688974353-390202159-3511571085': 'nsi', 'S-1-5-80-4100249314-4086313984-28913695-873679419-2144728263': 'nsiproxy', 'S-1-5-80-1664281202-2302623734-631624840-3461998672-2259661997': 'NTDS', 'S-1-5-80-1256884789-1691082103-446998474-1367286246-1639025938': 'Ntfs', 'S-1-5-80-2470698091-2858014709-2643764839-982706939-3434751516': 'ntrigdigi', 'S-1-5-80-2407861648-785230825-3529290450-2326204529-1810679516': 'Null', 'S-1-5-80-3495072887-919096479-2204902451-1048921326-800355041': 'nvraid', 'S-1-5-80-3611874924-3178792031-3565391826-286563291-3680247785': 'nvstor', 'S-1-5-80-2661219475-1923594960-1294537542-2454943126-82436970': 'nv_agp', 'S-1-5-80-4169196349-563482612-2169411968-43761830-802868667': 'NwlnkFlt', 'S-1-5-80-1643415749-1981533051-3884744798-2669202348-601031005': 'NwlnkFwd', 'S-1-5-80-1196941233-2569882653-2923823926-962244991-4277418': 'ohci1394', 'S-1-5-80-967499406-1694984581-2959056265-2481940682-939264259': 'p2pimsvc', 'S-1-5-80-1971585524-2528565899-3324366483-1300752743-2325226580': 'p2psvc', 'S-1-5-80-3473791808-4104434288-1928902041-1743473672-1277326840': 'Parport', 'S-1-5-80-156989346-1343554423-902067029-1673992682-1866693543': 'partmgr', 'S-1-5-80-4196153372-502005009-1971508045-3354250645-3015555128': 'Parvdm', 'S-1-5-80-1948712186-1330865447-943413596-1669284603-1648638051': 'PcaSvc', 'S-1-5-80-2069178898-4023461412-1711560041-390887617-271771820': 'pci', 
'S-1-5-80-4052642423-944120264-588619640-546327341-1110646568': 'pciide', 'S-1-5-80-2795309555-3957969320-2916397881-2593713121-382316838': 'pcmcia', 'S-1-5-80-59707871-3298565586-1716270302-948228651-1074156479': 'pcw', 'S-1-5-80-1570874813-103103538-3327933986-104584388-2119773521': 'PEAUTH', 'S-1-5-80-3124040864-3101396827-3094488734-3028845762-1939139329': 'PeerDistSvc', 'S-1-5-80-4023986828-1464965280-3211893748-414212150-4115790068': 'PerfDisk', 'S-1-5-80-2413971036-1590988147-3808667159-2204172745-1373631640': 'PerfNet', 'S-1-5-80-3515570427-2977692895-3762163048-1504969852-99088878': 'PerfOS', 'S-1-5-80-3544016446-4087985546-3773506770-1472693371-3235341583': 'PerfProc', 'S-1-5-80-2661322625-712705077-2999183737-3043590567-590698655': 'pla', 'S-1-5-80-1981970923-922788642-3535304421-2999920573-318732269': 'PlugPlay', 'S-1-5-80-3141781312-1794533130-3616533224-2008760771-2116720301': 'PNRPAutoReg', 'S-1-5-80-372467825-374176116-1198570892-3192490889-1232022613': 'PNRPsvc', 'S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853': 'PolicyAgent', 'S-1-5-80-4126081702-1836807445-3803306975-1029803806-2479180530': 'PortProxy', 'S-1-5-80-2343416411-2961288913-598565901-392633850-2111459193': 'Power', 'S-1-5-80-3735226416-1729687437-1959510470-190511368-398645692': 'PptpMiniport', 'S-1-5-80-3367479018-119754134-174380200-3035551807-2744700953': 'Processor', 'S-1-5-80-2422153244-111630262-1029994140-3645224535-4078427153': 'PROCEXP', 'S-1-5-80-3816717743-33564931-1112267079-3548917561-928358339': 'ProfSvc', 'S-1-5-80-656433041-336319937-100815201-2263438610-4002557366': 'ProtectedStorage', 'S-1-5-80-133730547-3458667493-930392497-3658715967-3359215708': 'Psched', 'S-1-5-80-1010784341-3590640432-2144716203-2371202623-2111191834': 'ql2300', 'S-1-5-80-3680784227-2138494325-1045417256-846249285-1494284974': 'ql40xx', 'S-1-5-80-1659118645-3148100556-861291880-3953320898-4045657812': 'QWAVE', 'S-1-5-80-3324762131-3390532780-137711907-1761928331-1932425801': 
'QWAVEdrv', 'S-1-5-80-951069737-1097907447-3199478753-2018050253-2083677786': 'RasAcd', 'S-1-5-80-4022575210-2284560452-710265691-3594820739-387418549': 'RasAgileVpn', 'S-1-5-80-1802467488-1541022566-2033325545-854566965-652742428': 'RasAuto', 'S-1-5-80-1290287420-3502600185-382990664-1700026297-1337626153': 'Rasl2tp', 'S-1-5-80-4176366874-305252471-2256717057-2714189771-3552532790': 'RasMan', 'S-1-5-80-4122454071-3550668693-4211410744-1298358403-2272725717': 'RasPppoe', 'S-1-5-80-1331337031-2474836174-2661672254-391271513-2096420174': 'RasSstp', 'S-1-5-80-2489667-2470848582-3865645512-452901963-4178804252': 'rdbss', 'S-1-5-80-3687944073-3313860148-3136628839-3387249243-1709534714': 'rdpbus', 'S-1-5-80-2431288241-149984296-2543083935-4067350611-1975817884': 'RDPCDD', 'S-1-5-80-981872547-3861006530-3984275202-4085961120-2027028908': 'RDPDD', 'S-1-5-80-23661045-4033652049-3526044993-1401805078-1749661838': 'RDPDR', 'S-1-5-80-3464459778-79086046-1894495498-3954672505-2750168721': 'RDPENCDD', 'S-1-5-80-191927475-3325244020-2133763035-2511185485-3827563125': 'RDPNP', 'S-1-5-80-1432111213-2818786930-2152807080-3377190559-901933699': 'RDPREFMP', 'S-1-5-80-1857653372-1313752195-3783661666-502273730-1171188227': 'RDPWD', 'S-1-5-80-3474873350-2412947251-3085823233-2315640422-3546857610': 'rdyboost', 'S-1-5-80-1954729425-4294152082-187165618-318331177-3831297489': 'RemoteAccess', 'S-1-5-80-2822507136-3601578665-1013168651-121944544-1825232178': 'RemoteRegistry', 'S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162': 'RpcEptMapper', 'S-1-5-80-4056015446-1496461683-1723632270-3351149576-1119802320': 'RpcLocator', 'S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080': 'RpcSs', 'S-1-5-80-25112808-303066962-2306571906-3820953744-554449017': 'rspndr', 'S-1-5-80-3189092957-1825937568-2097962828-592273195-15751640': 's3cap', 'S-1-5-80-3453257571-682267348-3447719424-2810041157-893746920': 'SamSs', 'S-1-5-80-2172748946-1139208647-3745649895-1734051075-2323558886': 
'sbp2port', 'S-1-5-80-1209419826-1829913269-3824447628-1153237837-3789837839': 'SCardSvr', 'S-1-5-80-3145502940-3408664484-1477142494-2517801300-3177717725': 'scfilter', 'S-1-5-80-4125092361-1567024937-842823819-2091237918-836075745': 'Schedule', 'S-1-5-80-1691538513-4084330536-1620899472-1113280783-3554754292': 'SCPolicySvc', 'S-1-5-80-2983134835-1185273323-1712700529-1489848661-2325612824': 'SDRSVC', 'S-1-5-80-1722176216-3611007545-3657005850-3814612847-1080390000': 'secdrv', 'S-1-5-80-1399994486-219206332-302438500-304602034-1537790326': 'seclogon', 'S-1-5-80-4259241309-1822918763-1176128033-1339750638-3428293995': 'SENS', 'S-1-5-80-3168472476-176724102-2968832672-2340942973-2241613192': 'SensrSvc', 'S-1-5-80-1658387481-2925800327-3198882180-3147662777-2274689045': 'Serenum', 'S-1-5-80-3562253942-857828347-2712713407-944836455-3636585461': 'Serial', 'S-1-5-80-3369720968-4228855631-3683183521-2094993598-1022421131': 'sermouse', 'S-1-5-80-675414407-775065359-1035864904-999747831-2072146957': 'ServiceModelEndpoint 3.0.0.0', 'S-1-5-80-1904953591-2738210791-1061154185-3936071259-221446881': 'ServiceModelOperation 3.0.0.0', 'S-1-5-80-297390187-2405189348-2222284465-2989988878-4218767654': 'ServiceModelService 3.0.0.0', 'S-1-5-80-4022436659-1090538466-1613889075-870485073-3428993833': 'SessionEnv', 'S-1-5-80-1220365695-3871163487-2301282001-885120026-718998505': 'sffdisk', 'S-1-5-80-1593449009-2408870187-1077724223-1518188577-3728252823': 'sffp_mmc', 'S-1-5-80-1659054941-531967795-1983128084-3748020815-2241757750': 'sffp_sd', 'S-1-5-80-1407380289-3518059920-3931497022-2754447733-2222417609': 'sfloppy', 'S-1-5-80-2009329905-444645132-2728249442-922493431-93864177': 'SharedAccess', 'S-1-5-80-1690854464-3758363787-3981977099-3843555589-1401248062': 'ShellHWDetection', 'S-1-5-80-2037654479-150732571-4235160932-1988269395-3027078133': 'sisagp', 'S-1-5-80-2290943609-1211775869-3660739483-1432647055-1639441565': 'SiSRaid2', 
'S-1-5-80-1016766434-4163349990-2054491751-1265000292-413406215': 'SiSRaid4', 'S-1-5-80-2119565420-4155874467-2934723793-509086461-374458824': 'slsvc', 'S-1-5-80-429025866-4105586292-427562881-1309981334-1060966148': 'SLUINotify', 'S-1-5-80-97513841-1071082959-3069755588-526311685-2961431215': 'Smb', 'S-1-5-80-2400470686-1781479961-2091307112-2920730856-2901594176': 'SMSvcHost 3.0.0.0', 'S-1-5-80-3964583643-2633443559-2834438935-3739664028-1580655619': 'SNMPTRAP', 'S-1-5-80-2246094146-3761615012-3991572358-959820157-1291755210': 'spldr', 'S-1-5-80-3951239711-1671533544-1416304335-3763227691-3930497994': 'Spooler', 'S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628': 'sppsvc', 'S-1-5-80-2105443381-1869407242-828286827-1344996006-2512971347': 'sppuinotify', 'S-1-5-80-3318989984-2647182497-3022510041-1919214433-3551303480': 'srv', 'S-1-5-80-1034188721-156321652-2901307485-3049929104-2850741453': 'srv2', 'S-1-5-80-385674269-2427993094-4248660116-187565782-2803330530': 'srvnet', 'S-1-5-80-486568272-975562994-1883531608-2732234258-332540751': 'SSDPSRV', 'S-1-5-80-3435701886-799518250-3791383489-3228296122-2938884314': 'SstpSvc', 'S-1-5-80-2502136977-515215333-1091199184-4078967732-698071891': 'stexstor', 'S-1-5-80-3182985763-1431228038-2757062859-428472846-3914011746': 'StiSvc', 'S-1-5-80-3877927215-2009774003-1789373229-1350139498-1490546062': 'storflt', 'S-1-5-80-3355894222-2288616474-3163838539-1515771758-43395969': 'StorSvc', 'S-1-5-80-2227193670-1472088527-4216801891-1255609005-3742950393': 'storvsc', 'S-1-5-80-2499453150-1816575225-2698105218-861119070-2299588587': 'swenum', 'S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506': 'swprv', 'S-1-5-80-3277458932-3608563558-2424252742-1006353051-3439664691': 'Symc8xx', 'S-1-5-80-714262929-1152213303-426872964-3738532716-4000887735': 'Sym_hi', 'S-1-5-80-73616012-2741736120-1450548080-3749295283-3869351969': 'Sym_u3', 'S-1-5-80-2590341223-3996088049-3993122417-23640849-324535191': 'SysMain', 
'S-1-5-80-949921180-3923668869-394927020-528789358-3592448931': 'TabletInputService', 'S-1-5-80-4230913304-2206818457-801678004-120036174-1892434133': 'TapiSrv', 'S-1-5-80-4167276341-681140529-2035857140-584847688-708058301': 'TBS', 'S-1-5-80-2869215396-3426808149-752611693-425565463-2833823703': 'Tcpip', 'S-1-5-80-842221325-3630721446-2015653073-424833842-1069621030': 'TCPIP6', 'S-1-5-80-1243767512-207181711-1639953288-846964026-179032965': 'TCPIP6TUNNEL', 'S-1-5-80-183440435-3873164873-1814133288-2746138770-1127128543': 'tcpipreg', 'S-1-5-80-517380867-1805075581-15937331-3649701458-2279870393': 'TCPIPTUNNEL', 'S-1-5-80-1205525636-1316560639-1871536985-2915653626-3847227622': 'TDPIPE', 'S-1-5-80-2653571336-860310240-1707811817-3246300807-2032786575': 'TDTCP', 'S-1-5-80-1811008277-2130293716-2312968959-3698054739-726352487': 'tdx', 'S-1-5-80-600900383-3940208308-3622757659-1160125390-3717916961': 'TermDD', 'S-1-5-80-446051430-1559341753-4161941529-1950928533-810483104': 'TermService', 'S-1-5-80-1189432293-2777010110-2640223427-1344437502-1956879817': 'Themes', 'S-1-5-80-56840347-690487168-3179794702-1332568925-762031181': 'THREADORDER', 'S-1-5-80-537470750-3688389562-3749243086-269898693-579266445': 'TPAutoConnSvc', 'S-1-5-80-1495131930-2676463755-2136540566-1190107536-2533052015': 'TPVCGateway', 'S-1-5-80-768763963-4214222998-2156221936-2953597973-713500239': 'TrkWks', 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464': 'TrustedInstaller', 'S-1-5-80-602153688-1728218534-2156437410-2444491971-1703742505': 'TSDDD', 'S-1-5-80-3250179172-3414919659-2784612865-1947102831-1832745880': 'tssecsrv', 'S-1-5-80-3666930311-739912689-1101093007-1147922636-412121971': 'tunmp', 'S-1-5-80-3579196564-3960183121-2393617881-1570124860-2153905208': 'tunnel', 'S-1-5-80-3249175164-480052304-527258952-251146422-1017202920': 'uagp35', 'S-1-5-80-4290168682-2694755981-2883756118-2205499398-4079537721': 'udfs', 'S-1-5-80-2413584400-2834772909-3391057178-2993126719-4094614649': 
'UGatherer', 'S-1-5-80-900581847-2069635957-4095211819-2149323943-1216697729': 'UGTHRSVC', 'S-1-5-80-997887591-2350776071-3817597635-4146973621-2526406719': 'UI0Detect', 'S-1-5-80-4194149548-235381792-2829184477-3934495640-667433095': 'uliagpkx', 'S-1-5-80-2051301031-3598501189-881763489-2611917303-2352103085': 'uliahci', 'S-1-5-80-4294381996-3573690956-4084941264-2318251564-135754816': 'UlSata', 'S-1-5-80-2849548708-3602852847-3953931013-1110249439-3333230880': 'ulsata2', 'S-1-5-80-3018007626-163191633-622627787-1206491734-2917835273': 'umbus', 'S-1-5-80-2029728201-2796881031-2302868875-2454600822-1203790938': 'UmPass', 'S-1-5-80-2014626298-1656748749-3847481816-918933055-2469338456': 'UmRdpService', 'S-1-5-80-448846144-1414373772-1578130625-718576682-2306699751': 'upnphost', 'S-1-5-80-3724553804-53543757-2557641770-141295351-1687883918': 'usb', 'S-1-5-80-4022141922-741376770-3260236731-1675477288-3792235576': 'usbccgp', 'S-1-5-80-2601879200-4032607390-2815923362-3101623786-2213233685': 'usbcir', 'S-1-5-80-1032545752-2203350250-1701939687-317337126-3231707909': 'usbehci', 'S-1-5-80-676136802-2607101929-335774531-4135730467-913299484': 'usbhub', 'S-1-5-80-3434778094-456680973-2488395463-338906152-1015349184': 'usbohci', 'S-1-5-80-3620574345-1163766744-4010839292-3531329841-768311061': 'usbprint', 'S-1-5-80-376233901-499118290-773318279-1925188704-297947815': 'USBSTOR', 'S-1-5-80-2717376493-4290053016-2054941639-3048903775-1780974753': 'usbuhci', 'S-1-5-80-2815190569-4075358141-1041947382-2198045348-980246365': 'UxSms', 'S-1-5-80-2901324718-895851292-2096622302-170690027-1637913602': 'VaultSvc', 'S-1-5-80-2236596344-777810374-464678914-301799185-133794676': 'vdrvroot', 'S-1-5-80-2196396108-1448510645-203779624-3888580976-3789157697': 'vds', 'S-1-5-80-1636345116-1749775499-167646407-1402041886-784684825': 'vga', 'S-1-5-80-1604054522-1120073184-2766342441-3740248177-2194771659': 'VgaSave', 'S-1-5-80-2349230263-3936233330-585165183-483748113-2063106807': 'vhdmp', 
'S-1-5-80-269018121-2628019534-3958128902-1689023713-3977233287': 'viaagp', 'S-1-5-80-702914695-4281403409-954615538-3988029004-192649218': 'ViaC7', 'S-1-5-80-3488702259-1115883433-1783531185-1350626685-2323838072': 'viaide', 'S-1-5-80-3414199520-1924951526-579304523-1555932441-262361574': 'vm3dmp', 'S-1-5-80-3316781363-2712907428-2579548995-1296955556-57435734': 'VMAUDIO', 'S-1-5-80-394042835-174396444-3357755573-789530950-2357907384': 'vmbus', 'S-1-5-80-3485585108-3288609388-3381644673-894183282-3425970148': 'VMBusHID', 'S-1-5-80-2053731399-3564616636-592537298-4187980385-3071434599': 'vmci', 'S-1-5-80-4081816966-3135276745-2345987325-2511854693-3099376874': 'vmdebug', 'S-1-5-80-2844247271-1920892496-2185725435-2733799570-1491885128': 'vmhgfs', 'S-1-5-80-2713566713-2012099321-1704287870-164250842-2950185051': 'VMMEMCTL', 'S-1-5-80-616456234-2657522756-2692773202-1293725715-2143369223': 'vmmouse', 'S-1-5-80-470576323-3739623512-411527224-1524486745-930631467': 'vmrawdsk', 'S-1-5-80-994229404-1081919929-268374983-1858992150-4232923339': 'VMTools', 'S-1-5-80-3615470141-4057994987-1930054357-1444440834-2714780835': 'VMUpgradeHelper', 'S-1-5-80-3972256235-858188783-2536722634-3029314587-3393749697': 'vmvss', 'S-1-5-80-1570634675-3893565091-22195573-2267868061-2898682217': 'volmgr', 'S-1-5-80-2228288927-839465256-4097931996-4258784654-3424789253': 'volmgrx', 'S-1-5-80-2161309226-1540144261-2901834345-3792977468-1183436922': 'volsnap', 'S-1-5-80-1269120828-58111527-683397690-4062780901-3407528550': 'vsmraid', 'S-1-5-80-3195062495-2862850656-3724129271-1847284719-4038691091': 'VSS', 'S-1-5-80-4271242282-3170619077-2600330701-1558677754-1139114601': 'vwifibus', 'S-1-5-80-4267341169-2882910712-659946508-2704364837-2204554466': 'W32Time', 'S-1-5-80-989796750-4090848350-2040919084-978865222-2182970707': 'W3SVC', 'S-1-5-80-1272828037-3321607953-1682131387-4084423848-3273467238': 'WacomPen', 'S-1-5-80-145391760-3682396335-1395736941-2543690743-1822485816': 'WANARP', 
'S-1-5-80-3957613141-1606606214-622769385-3049525404-2510868034': 'Wanarpv6', 'S-1-5-80-1549550529-11381693-4027442525-4081535042-2424139505': 'wbengine', 'S-1-5-80-1577343513-2244782562-3500840712-2807016722-4230555396': 'WbioSrvc', 'S-1-5-80-1555863574-1012459212-3842453055-37978308-1142448422': 'wcncsvc', 'S-1-5-80-4064017820-1559943312-846267769-2219870576-1957141527': 'WcsPlugInService', 'S-1-5-80-3405261312-3324525412-773550320-3159108954-1126011555': 'Wd', 'S-1-5-80-2731089040-2526960094-3333867314-868407530-1311763772': 'Wdf01000', 'S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420': 'WdiServiceHost', 'S-1-5-80-3524758515-3090971750-345616940-2322499744-3530715838': 'WdiSystemHost', 'S-1-5-80-324959683-3395802011-921526492-919036580-1730255754': 'WebClient', 'S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517': 'Wecsvc', 'S-1-5-80-3594706986-2537596223-181334840-1741483385-1351671666': 'wercplsupport', 'S-1-5-80-3299868208-4286319593-1091140620-3583751967-1732444380': 'WerSvc', 'S-1-5-80-2019001281-2253379323-945087313-3738653069-3773415333': 'WfpLwf', 'S-1-5-80-4016954646-3779912912-520790876-2627662839-2216516612': 'WIMMount', 'S-1-5-80-1367312344-4235937835-3348187091-2947416599-1643272376': 'win32dd', 'S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736': 'WinDefend', 'S-1-5-80-3760743496-293058752-544796799-945139227-648175845': 'Windows Workflow Foundation 3.0.0.0', 'S-1-5-80-2455429942-3131183193-3617688776-595395669-3772047725': 'WinHttpAutoProxySvc', 'S-1-5-80-3750560858-172214265-3889451188-1914796615-4100997547': 'Winmgmt', 'S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970': 'WinRM', 'S-1-5-80-3758380775-581010763-2947690711-3499621892-3054972477': 'Winsock', 'S-1-5-80-197470898-1564017914-2276667423-138762734-2890991316': 'WinSock2', 'S-1-5-80-1428027539-3309602793-2678353003-1498846795-3763184142': 'Wlansvc', 'S-1-5-80-404760553-4074834012-3606039051-2170089041-3496108291': 'WmiAcpi', 
'S-1-5-80-1672893355-2301755825-1450106782-2724904875-1401714515': 'WmiApRpl', 'S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601': 'wmiApSrv', 'S-1-5-80-2375682873-768044350-3534595160-1005545032-2873800392': 'WMPNetworkSvc', 'S-1-5-80-2153317275-3787551921-2333987345-3394040919-509713777': 'WPCSvc', 'S-1-5-80-113310567-2163499630-2787090463-221477905-209227094': 'WPDBusEnum', 'S-1-5-80-1339864866-2803517768-580965624-1158720225-1206284216': 'ws2ifsl', 'S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297': 'wscsvc', 'S-1-5-80-117416528-2204451360-1913602512-1355018040-1234992034': 'WSearch', 'S-1-5-80-1961591210-2878639619-2091680054-2529124376-3572759234': 'WSearchIdxPi', 'S-1-5-80-1014140700-3308905587-3330345912-272242898-93311788': 'wuauserv', 'S-1-5-80-69171120-2364612362-2758615892-3595098197-2063739924': 'WudfPf', 'S-1-5-80-1839061227-813336325-324579571-4216704371-1399658985': 'WUDFRd', 'S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709': 'wudfsvc', 'S-1-5-80-3981856537-581775623-1136376035-2066872258-409572886': 'WwanSvc', 'S-1-5-80-2933569122-2468899862-1495779727-289297006-142656920': 'xmlprov', } def createservicesid(svc): """ Calculate the Service SID """ uni = ''.join([c + '\x00' for c in svc]) sha = hashlib.sha1(uni.upper()).digest() # pylint: disable-msg=E1101 dec = list() for i in range(5): ## The use of struct here is OK. It doesn't make much sense ## to leverage obj.Object inside this loop. dec.append(struct.unpack('. 
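#

import volatility.utils as utils
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.common as common
import volatility.plugins.malware.devicetree as dtree
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class drivermodule(common.AbstractWindowsCommand):
    """Associate driver objects to kernel modules.

    For each driver object returned by the DriverIrp scan, look up the
    loaded kernel module whose range contains the driver's start address.
    A driver whose start address falls in no listed module is reported
    with the module name "UNKNOWN".
    """

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('ADDR', short_option = 'a', default = None,
                          help = 'Show info on module at or containing this address',
                          action = 'store', type = 'int')

    def calculate(self):
        """Yield one (module_name, driver_name, service_key, driver_name3) tuple per result.

        With ADDR set, a single tuple is produced for the module and driver
        containing that address; otherwise one tuple is produced per driver
        object. Fields that cannot be resolved are "UNKNOWN".
        """
        addr_space = utils.load_as(self._config)

        modlist = list(modules.lsmod(addr_space))
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
        mod_addrs = sorted(mods.keys())

        drivers = dtree.DriverIrp(self._config).calculate()

        if self._config.ADDR:
            find_address = self._config.ADDR

            driver_name = "UNKNOWN"
            service_key = "UNKNOWN"
            driver_name3 = "UNKNOWN"

            found_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(find_address))
            if found_module:
                module_name = found_module.BaseDllName or found_module.FullDllName
            else:
                module_name = "UNKNOWN"

            for driver in drivers:
                if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
                    driver_name = str(driver.get_object_header().NameInfo.Name or '')
                    service_key = str(driver.DriverExtension.ServiceKeyName or '')
                    driver_name3 = str(driver.DriverName or '')
                    break

            # The renderers unpack four fields per row, so the ADDR lookup
            # must yield the same shape as the per-driver listing below
            # (the previous two-field tuple could not be unpacked by them).
            yield (module_name, driver_name, service_key, driver_name3)

        else:
            for driver in drivers:
                driver_name = str(driver.get_object_header().NameInfo.Name or '')
                service_key = str(driver.DriverExtension.ServiceKeyName or '')
                driver_name3 = str(driver.DriverName or '')

                owning_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(driver.DriverStart))
                if owning_module:
                    module_name = owning_module.BaseDllName or owning_module.FullDllName
                else:
                    module_name = "UNKNOWN"

                yield (module_name, driver_name, service_key, driver_name3)

    def generator(self, data):
        """Convert calculate() tuples into TreeGrid rows, in column order."""
        for module_name, driver_name, service_key, driver_name3 in data:
            # Columns are Module, Driver, Alt. Name, Service Key: the
            # alternate name (DriverName) goes before the service key so
            # each value sits under its own heading.
            yield (0,
                   [str(module_name),
                    str(driver_name),
                    str(driver_name3),
                    str(service_key)])

    def unified_output(self, data):
        return TreeGrid([("Module", str),
                         ("Driver", str),
                         ("Alt. Name", str),
                         ("Service Key", str)],
                        self.generator(data))

    def render_text(self, outfd, data):
        """Write the results as a text table, one row per calculate() tuple."""
        self.table_header(outfd,
                          [("Module", "36"),
                           ("Driver", "24"),
                           ("Alt. Name", "24"),
                           ("Service Key", "")])

        for module_name, driver_name, service_key, driver_name3 in data:
            # Same column order as the header: alternate name, then service key.
            self.table_row(outfd, module_name, driver_name, driver_name3, service_key)

# ---- archive member: volatility_2.6+git20170711.b3db0cc/volatility/plugins/strings.py ----
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2009 Timothy D. Morgan (strings optimization)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.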
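#

import os
import volatility.win32 as win32
import volatility.debug as debug
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.plugins.taskmods as taskmods
import volatility.plugins.filescan as filescan
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class Strings(common.AbstractWindowsCommand):
    """Match physical offsets to virtual addresses (may take a while, VERY verbose)"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('STRING-FILE', short_option = 's', default = None,
                          help = 'File output in strings format (offset:string)',
                          action = 'store', type = 'str')
        config.add_option("SCAN", short_option = 'S', default = False,
                          action = 'store_true', help = 'Use PSScan if no offset is provided')
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'EPROCESS offset (in hex) in the physical address space',
                          action = 'store', type = 'int')
        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Operate on these Process IDs (comma-separated)',
                          action = 'store', type = 'str')
        config.add_option('LOOKUP-PID', short_option = 'L', default = False,
                          action = 'store_true', help = 'Lookup the ImageFileName of PIDs')

    def get_processes(self, addr_space):
        """Enumerate processes based on user options.

        OFFSET selects a single process by physical offset, SCAN uses the
        PSScan results, and otherwise the active process list is walked.
        The result is then filtered by the comma-separated PID option.

        :param addr_space: the kernel address space
        :returns: the selected process objects
        """
        bounce_back = taskmods.DllList.virtual_process_from_physical_offset
        if self._config.OFFSET != None:
            tasks = [bounce_back(addr_space, self._config.OFFSET)]
        elif self._config.SCAN:
            procs = list(filescan.PSScan(self._config).calculate())
            tasks = []
            for task in procs:
                tasks.append(bounce_back(addr_space, task.obj_offset))
        else:
            tasks = win32.tasks.pslist(addr_space)

        try:
            if self._config.PID is not None:
                pidlist = [int(p) for p in self._config.PID.split(',')]
                tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
        except (ValueError, TypeError):
            debug.error("Invalid PID {0}".format(self._config.PID))

        return tasks

    @classmethod
    def get_modules(cls, addr_space):
        """Enumerate the kernel modules.

        :param addr_space: the kernel address space
        :returns: (dict of masked base address -> module, sorted base addresses)
        """
        modules = win32.modules.lsmod(addr_space)
        mask = addr_space.address_mask
        mods = dict((mask(mod.DllBase), mod) for mod in modules)
        mod_addrs = sorted(mods.keys())

        return (mods, mod_addrs)

    @classmethod
    def find_module(cls, mods, mod_addrs, addr_space, vpage):
        """Determine which module owns a virtual page.

        :param mods: module dict from get_modules()
        :param mod_addrs: sorted base addresses from get_modules()
        :param addr_space: address space supplying address_mask
        :param vpage: virtual address of the page
        :returns: the owning module entry, or a false value if none matches
        """
        mask = addr_space.address_mask
        return win32.tasks.find_module(mods, mod_addrs, mask(vpage))

    @classmethod
    def get_module_name(cls, module):
        """Get the name of a kernel module.

        :param module: a module entry as returned by find_module()
        :returns: BaseDllName as a string ('' when it is empty)
        """
        return str(module.BaseDllName or '')

    @classmethod
    def get_task_pid(cls, task):
        """Get the PID of a process.

        :param task: a process object
        :returns: its UniqueProcessId
        """
        return task.UniqueProcessId

    def calculate(self):
        """Yield (physical offset, attributions, string) for each strings-file line.

        Each attribution is "owner:virtual_address" (hex); a string whose
        page is not in the reverse map is reported as "FREE MEMORY:-1".
        """
        if (self._config.STRING_FILE is None or
            not os.path.exists(self._config.STRING_FILE)):
            debug.error("Strings file not found")

        addr_space = utils.load_as(self._config)

        # Walk the address-space stack; more than two layers means the image
        # is not a raw physical dump and offsets would not line up.
        layers = [addr_space]
        base = addr_space.base
        while base:
            layers.append(base)
            base = base.base

        if len(layers) > 2:
            debug.error("Raw memory needed, got {0} (convert with imagecopy)".format(layers[1].__class__.__name__))

        tasks = self.get_processes(addr_space)

        # Opened before the (slow) reverse map is built so an unreadable
        # file is reported immediately; the context manager releases the
        # handle once the generator finishes or is discarded.
        with open(self._config.STRING_FILE, "r") as stringlist:
            reverse_map = self.get_reverse_map(addr_space, tasks)

            for line in stringlist:
                try:
                    (offsetString, text) = self.parse_line(line)
                    offset = int(offsetString)
                except ValueError:
                    debug.error("String file format invalid.")

                page = offset & 0xFFFFFFFFFFFFF000
                pids = ["FREE MEMORY:-1"]
                if page in reverse_map:
                    # Element 0 of each page list is the kernel flag; the
                    # remaining elements are (owner, image name, vaddr).
                    if self._config.LOOKUP_PID:
                        pids = ["{0}{2}:{1:08x}".format(
                                    pid[0], pid[2] | (offset & 0xFFF),
                                    '' if not pid[1] else '={}'.format(pid[1])
                                ) for pid in reverse_map[page][1:]]
                    else:
                        pids = ["{0}:{1:08x}".format(
                                    pid[0], pid[2] | (offset & 0xFFF)
                                ) for pid in reverse_map[page][1:]]

                yield offset, pids, "{0}".format(text.strip())

    @classmethod
    def parse_line(cls, line):
        """Parses a line of strings.

        The line is split once on whichever of ' ' or ':' occurs first
        (at a position greater than zero) after leading whitespace is
        removed.

        :param line: one line of strings output
        :returns: tuple from the split; a single element if no separator is found
        """
        # Remove any leading spaces to handle nasty strings output
        line = line.lstrip()
        maxlen = len(line)
        split_char = ' '
        for char in [' ', ':']:
            charpos = line.find(char)
            if charpos < maxlen and charpos > 0:
                split_char = char
                maxlen = charpos

        return tuple(line.split(split_char, 1))

    @classmethod
    def get_reverse_map(cls, addr_space, tasks):
        """Generates a reverse mapping of physical addresses to the kernel and/or tasks.

        :param addr_space: the kernel address space
        :param tasks: process objects to map
        :returns: dict of physical page address -> [is_kernel, (owner, image name, vaddr), ...]
        """
        # ASSUMPTION: no pages mapped in kernel and userland
        # XXX: Can we eliminate the above assumption?  It seems like the only change needed for
        #      that would be to store a boolean with each pid/vaddr pair...
        #
        # XXX: The following code still fails to represent information about larger pages in
        #      the final output.  The output implies that addresses in a large page are
        #      really stored in one or more 4k pages.  This is no different from the old
        #      version of the code, but in this version it could be corrected easily by
        #      recording vpage instead of vpage+i in the reverse map. -- TDM
        reverse_map = {}

        (mods, mod_addrs) = cls.get_modules(addr_space)

        debug.debug("Calculating kernel mapping...\n")
        available_pages = addr_space.get_available_pages()
        for (vpage, vpage_size) in available_pages:
            kpage = addr_space.vtop(vpage)
            for i in range(0, vpage_size, 0x1000):
                # Since the output will always be mutable, we
                # don't need to reinsert into the list
                pagelist = reverse_map.get(kpage + i, None)
                if pagelist is None:
                    pagelist = [True]
                    reverse_map[kpage + i] = pagelist
                # Try to lookup the owning kernel module
                module = cls.find_module(mods, mod_addrs, addr_space, vpage + i)
                if module:
                    hint = cls.get_module_name(module)
                else:
                    hint = 'kernel'
                pagelist.append((hint, None, vpage + i)) # None is placeholder (used by tasks)

        debug.debug("Calculating task mappings...\n")
        for task in tasks:
            task_space = task.get_process_address_space()
            debug.debug(" Task {0} ...".format(cls.get_task_pid(task)))
            process_id = cls.get_task_pid(task)
            try:
                available_pages = task_space.get_available_pages()
                for (vpage, vpage_size) in available_pages:
                    physpage = task_space.vtop(vpage)
                    for i in range(0, vpage_size, 0x1000):
                        # Since the output will always be mutable, we
                        # don't need to reinsert into the list
                        pagelist = reverse_map.get(physpage + i, None)
                        if pagelist is None:
                            pagelist = [False]
                            reverse_map[physpage + i] = pagelist
                        # Pages already claimed by the kernel pass are not
                        # attributed to a process as well.
                        if not pagelist[0]:
                            pagelist.append((process_id, task.ImageFileName, vpage + i))
            except (AttributeError, ValueError, TypeError):
                # Handle most errors, but not all of them
                continue

        return reverse_map

    def unified_output(self, data):
        return TreeGrid([("Offset(P)", Address),
                         ("Attribution", str),
                         ("Offset(V)", Address),
                         ("String", str)],
                        self.generator(data))

    def generator(self, data):
        """Emit one TreeGrid row per (string, attribution) pair."""
        for offset, pids, string in data:
            for p in pids:
                # Module and image names are read from the memory image and
                # may contain ':'; the address is always the last field, so
                # split from the right.
                item, addr = p.rsplit(":", 1)
                yield (0, [Address(offset), str(item), Address(int(addr, 16)), str(string)])

    def render_text(self, outfd, data):
        for offset, pids, string in data:
            outfd.write("{0} [{1}] {2}\n".format(offset, ' '.join(pids), string))

# ---- archive member: volatility_2.6+git20170711.b3db0cc/volatility/plugins/joblinks.py ----
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.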
#

"""
@author:       Jamie Levy (gleeda)
@license:      GNU General Public License 2.0
@contact:      jamie@memoryanalysis.net
@organization: Volatility Foundation
"""

import volatility.plugins.taskmods as taskmods
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class JobLinks(taskmods.DllList):
    """Print process job link information.

    For every process that has a job object, one row is emitted for the
    process itself, followed by one row for each _EPROCESS reached through
    the job's ProcessListHead (linked via the JobLinks member).
    """

    def __init__(self, config, *args, **kwargs):
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
                          cache_invalidator = False,
                          help = "Display physical offsets instead of virtual",
                          action = "store_true")

    def unified_output(self, data):
        """Build the TreeGrid; the offset column is labelled (V) or (P) per PHYSICAL_OFFSET."""
        offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
        return TreeGrid([("Offset{0}".format(offsettype), Address),
                         ("Name", str),
                         ("PID", int),
                         ("PPID", int),
                         ("Sess", int),
                         ("JobSess", int),
                         ("Wow64", int),
                         ("Total", int),
                         ("Active", int),
                         ("Term", int),
                         ("Joblink", str),
                         ("Process", str),],
                        self.generator(data))

    def generator(self, data):
        """Yield TreeGrid rows: the job-owning process, then each process linked to its job."""
        for task in data:
            job = task.Job.dereference()
            # Processes without a job object produce no rows.
            if job:
                if not self._config.PHYSICAL_OFFSET:
                    offset = task.obj_offset
                else:
                    offset = task.obj_vm.vtop(task.obj_offset)
                yield (0, [
                    Address(offset),
                    str(task.ImageFileName),
                    int(task.UniqueProcessId),
                    int(task.InheritedFromUniqueProcessId),
                    int(task.SessionId),
                    int(job.SessionId),
                    int(task.IsWow64),
                    int(job.TotalProcesses),
                    int(job.ActiveProcesses),
                    int(job.TotalTerminatedProcesses),
                    "-",
                    "(Original Process)"])

                for item in job.ProcessListHead.list_of_type("_EPROCESS", "JobLinks"):
                    if not self._config.PHYSICAL_OFFSET:
                        offset = item.obj_offset
                    else:
                        offset = item.obj_vm.vtop(item.obj_offset)
                    # Fall back to the short image name when the PEB is not
                    # available for this process.
                    path = str(item.ImageFileName)
                    if item.Peb:
                        path = str(item.Peb.ProcessParameters.ImagePathName.v().encode("utf8", "ignore"))
                    # Job-level counters are zero-filled on linked rows; they
                    # are reported on the job-owning row above.
                    yield (0, [
                        Address(offset),
                        str(item.ImageFileName),
                        int(item.UniqueProcessId),
                        int(item.InheritedFromUniqueProcessId),
                        int(item.SessionId),
                        0,
                        int(item.IsWow64),
                        0,
                        0,
                        0,
                        "Yes",
                        path])

    def render_text(self, outfd, data):
        """Write the same rows as generator() in text form, with a '*' separator line."""
        header = "*" * 107
        offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
        self.table_header(outfd,
                          [("Offset{0}".format(offsettype), "[addrpad]"),
                           ("Name", "20s"),
                           ("PID", ">6"),
                           ("PPID", ">6"),
                           ("Sess", ">6"),
                           ("JobSess", ">7"),
                           ("Wow64", ">6"),
                           ("Total", ">6"),
                           ("Active", ">6"),
                           ("Term", ">6"),
                           ("JobLink", ">8"),
                           ("Process", "")]
                          )
        for task in data:
            job = task.Job.dereference()
            if job:
                if not self._config.PHYSICAL_OFFSET:
                    offset = task.obj_offset
                else:
                    offset = task.obj_vm.vtop(task.obj_offset)
                self.table_row(outfd, offset,
                               task.ImageFileName,
                               task.UniqueProcessId,
                               task.InheritedFromUniqueProcessId,
                               task.SessionId,
                               job.SessionId,
                               task.IsWow64,
                               job.TotalProcesses,
                               job.ActiveProcesses,
                               job.TotalTerminatedProcesses,
                               "-",
                               "(Original Process)")

                for item in job.ProcessListHead.list_of_type("_EPROCESS", "JobLinks"):
                    if not self._config.PHYSICAL_OFFSET:
                        offset = item.obj_offset
                    else:
                        offset = item.obj_vm.vtop(item.obj_offset)
                    # NOTE(review): unlike generator(), the PEB is read here
                    # without an `if item.Peb` check; confirm how table_row
                    # renders the value when the PEB is unavailable.
                    self.table_row(outfd, offset,
                                   item.ImageFileName,
                                   item.UniqueProcessId,
                                   item.InheritedFromUniqueProcessId,
                                   item.SessionId,
                                   "-",
                                   item.IsWow64,
                                   "-",
                                   "-",
                                   "-",
                                   "Yes",
                                   item.Peb.ProcessParameters.ImagePathName.v().encode("utf8", "ignore"))
                # NOTE(review): the archive text lost its indentation; this
                # separator is assumed to close each job group. Confirm
                # against the original file.
                outfd.write("{0}\n".format(header))

# ---- archive member: volatility_2.6+git20170711.b3db0cc/volatility/plugins/vboxinfo.py ----
# Volatility
# Copyright (C) 2009-2012 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

from volatility import renderers
from volatility.commands import Command
import volatility.plugins.crashinfo as crashinfo
from volatility.renderers.basic import Address, Hex

class VBoxInfo(crashinfo.CrashInfo):
    """Dump virtualbox information"""

    # Address space this plugin expects to find in the stack.
    target_as = ['VirtualBoxCoreDumpElf64']

    def unified_output(self, data):
        columns = [("FileOffset", Address),
                   ("Memory Offset", Address),
                   ("Size", Hex)]
        return renderers.TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one row per memory run: file offset, memory offset, size."""
        for mem_off, file_off, run_len in data.get_runs():
            row = [Address(file_off), Address(mem_off), Hex(run_len)]
            yield (0, row)

    def render_text(self, outfd, data):
        """Print the core descriptor fields, then the generic run table."""
        hdr = data.get_header()

        outfd.write("Magic: {0:#x}\n".format(hdr.u32Magic))
        outfd.write("Format: {0:#x}\n".format(hdr.u32FmtVersion))
        outfd.write("VirtualBox {0}.{1}.{2} (revision {3})\n".format(
            hdr.Major, hdr.Minor, hdr.Build, hdr.u32VBoxRevision))
        outfd.write("CPUs: {0}\n\n".format(hdr.cCpus))

        Command.render_text(self, outfd, data)

class QemuInfo(VBoxInfo):
    """Dump Qemu information"""

    target_as = ['QemuCoreDumpElf']

    def render_text(self, outfd, data):
        # Only the generic table is rendered; the VirtualBox descriptor
        # fields printed by the parent class are skipped.
        Command.render_text(self, outfd, data)

# ---- archive member: volatility_2.6+git20170711.b3db0cc/volatility/plugins/sockscan.py ----
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu>
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
This module implements the fast socket scanning

@author:       AAron Walters and Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

from volatility import renderers
import volatility.poolscan as poolscan
import volatility.plugins.common as common
import volatility.protos as protos
from volatility.renderers.basic import Address

class PoolScanSocket(poolscan.PoolScanner):
    """Pool scanner for tcp socket objects"""

    def __init__(self, address_space):
        poolscan.PoolScanner.__init__(self, address_space)

        self.struct_name = "_ADDRESS_OBJECT"
        self.pooltag = "TCPA"

        # Constraints a candidate pool allocation has to satisfy.
        self.checks = [('CheckPoolSize', dict(condition = lambda x: x >= 0x15C)),
                       ('CheckPoolType', dict(non_paged = True, free = True)),
                       ## Valid sockets have time > 0
                       #('CheckSocketCreateTime', dict(condition = lambda x: x > 0)),
                       ('CheckPoolIndex', dict(value = lambda x : x < 5))
                       ]

class SockScan(common.AbstractScanCommand):
    """Pool scanner for tcp socket objects"""

    scanners = [PoolScanSocket]

    # Declare meta information associated with this plugin
    meta_info = dict(
        author = 'Brendan Dolan-Gavitt',
        copyright = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        contact = 'bdolangavitt@wesleyan.edu',
        license = 'GNU General Public License 2.0',
        url = 'http://moyix.blogspot.com/',
        os = 'WIN_32_XP_SP2',
        version = '1.0',
        )

    @staticmethod
    def is_valid_profile(profile):
        """Accept only Windows profiles whose major version is 5."""
        if profile.metadata.get('os', 'unknown') != 'windows':
            return False
        return profile.metadata.get('major', 0) == 5

    text_sort_column = "port"

    def unified_output(self, data):
        columns = [(self.offset_column(), Address),
                   ('PID', int),
                   ('Port', int),
                   ('Proto', int),
                   ('Protocol', str),
                   ('Address', str),
                   ('Create Time', str)
                   ]
        return renderers.TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield one row per scanned socket object."""
        for sock in data:
            # Protocol numbers missing from the lookup table render as "-".
            proto_name = protos.protos.get(sock.Protocol.v(), "-")
            yield (0, [Address(sock.obj_offset),
                       int(sock.Pid),
                       int(sock.LocalPort),
                       int(sock.Protocol),
                       str(proto_name),
                       str(sock.LocalIpAddress),
                       str(sock.CreateTime)])

    def render_text(self, outfd, data):
        """Write the scanned socket objects as a text table."""
        layout = [(self.offset_column(), '[addrpad]'),
                  ('PID', '>8'),
                  ('Port', '>6'),
                  ('Proto', '>6'),
                  ('Protocol', '15'),
                  ('Address', '15'),
                  ('Create Time', '')
                  ]
        self.table_header(outfd, layout)

        for sock in data:
            self.table_row(outfd,
                           sock.obj_offset,
                           sock.Pid,
                           sock.LocalPort,
                           sock.Protocol,
                           protos.protos.get(sock.Protocol.v(), "-"),
                           sock.LocalIpAddress,
                           sock.CreateTime)

# ---- archive member: volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/ (directory) ----
# ---- archive member: volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/paged.py ----
# Volatility
# Copyright (c) 2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
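#

#import fractions
import volatility.addrspace as addrspace
import volatility.obj as obj

class AbstractPagedMemory(addrspace.AbstractVirtualAddressSpace):
    """ Class to handle all the details of a paged virtual address space

    Note: Pages can be of any size
    """
    checkname = "Intel"

    def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs):
        """Stack a paged address space on `base`.

        :param base: underlying address space (required)
        :param config: configuration object
        :param dtb: directory table base; when false it is located with load_dtb()
        :param skip_as_check: skip the profile's VolMagic validity check named by `checkname`
        """
        ## We must be stacked on someone else:
        self.as_assert(base, "No base Address Space")

        addrspace.AbstractVirtualAddressSpace.__init__(self, base, config, *args, **kwargs)

        ## We can not stack on someone with a dtb
        self.as_assert(not (hasattr(base, 'paging_address_space') and base.paging_address_space), "Can not stack over another paging address space")

        self.dtb = dtb or self.load_dtb()
        # No need to set the base or dtb, it's already been by the inherited class

        self.as_assert(self.dtb != None, "No valid DTB found")

        if not skip_as_check:
            volmag = obj.VolMagic(self)
            if hasattr(volmag, self.checkname):
                self.as_assert(getattr(volmag, self.checkname).v(), "Failed valid Address Space check")
            else:
                self.as_assert(False, "Profile does not have valid Address Space check")

        # Reserved for future use
        #self.pagefile = config.PAGEFILE
        self.name = 'Kernel AS'

    def is_user_page(self, entry):
        """True if the page is accessible to ring 3 code"""
        raise NotImplementedError

    def is_supervisor_page(self, entry):
        """True if the page is /only/ accessible to ring 0 code"""
        raise NotImplementedError

    def is_writeable(self, entry):
        """True if the page can be written to"""
        raise NotImplementedError

    def is_dirty(self, entry):
        """True if the page has been written to"""
        raise NotImplementedError

    def is_nx(self, entry):
        """True if the page /cannot/ be executed"""
        raise NotImplementedError

    def is_accessed(self, entry):
        """True if the page has been accessed"""
        raise NotImplementedError

    def is_copyonwrite(self, entry):
        """True if the page is copy-on-write"""
        raise NotImplementedError

    def is_prototype(self, entry):
        """True if the page is a prototype PTE"""
        raise NotImplementedError

    def load_dtb(self):
        """Loads the DTB as quickly as possible from the config, then the base, then searching for it"""
        try:
            # If the user has manually specified one, then shortcircuit to that one
            if self._config.DTB:
                raise AttributeError

            ## Try to be lazy and see if someone else found dtb for
            ## us:
            return self.base.dtb
        except AttributeError:
            ## Ok so we need to find our dtb ourselves:
            dtb = obj.VolMagic(self.base).DTB.v()
            if dtb:
                ## Make sure to save dtb for other AS's
                ## Will this have an effect on following ASes attempts if this fails?
                self.base.dtb = dtb
                return dtb

    def __getstate__(self):
        result = addrspace.BaseAddressSpace.__getstate__(self)
        result['dtb'] = self.dtb

        return result

    @staticmethod
    def register_options(config):
        config.add_option("DTB", type = 'int', default = 0,
                          help = "DTB Address")

    def vtop(self, addr):
        """Abstract function that converts virtual (paged) addresses to physical addresses"""
        pass

    def get_available_pages(self):
        """A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset"""
        pass

    def get_available_allocs(self):
        return self.get_available_pages()

    def get_available_addresses(self):
        """A generator that returns (addr, size) for each valid address block

        Adjacent or overlapping pages from get_available_pages() are merged
        into a single (start, length) run.
        """
        runLength = None
        currentOffset = None
        for (offset, size) in self.get_available_pages():
            if runLength is None:
                runLength = size
                currentOffset = offset
            elif offset <= (currentOffset + runLength):
                # The page touches or overlaps the current run: extend the
                # run to whichever end is further. Adding the overlap (as
                # the old arithmetic did) overstated the run for
                # overlapping pages.
                runLength = max(runLength, (offset - currentOffset) + size)
            else:
                yield (currentOffset, runLength)
                runLength = size
                currentOffset = offset
        if (runLength is not None and currentOffset is not None):
            yield (currentOffset, runLength)
        # The generator ends by falling off the end; an explicit
        # `raise StopIteration` is turned into RuntimeError under PEP 479.

    def is_valid_address(self, vaddr):
        """Returns whether a virtual address is valid"""
        if vaddr == None or vaddr < 0:
            return False
        try:
            paddr = self.vtop(vaddr)
        # NOTE(review): BaseException also swallows KeyboardInterrupt and
        # SystemExit raised during translation; confirm this is intended
        # before narrowing it.
        except BaseException:
            return False
        if paddr == None:
            return False
        return self.base.is_valid_address(paddr)

class AbstractWritablePagedMemory(AbstractPagedMemory):
    """
    Mixin class that can be used to add write functionality
    to any standard address space that supports write() and
    vtop().
    """
    def write(self, vaddr, buf):
        """Writes the data from buf to the vaddr specified

        Note: writes are not transactional; part of the data may already
        have been written when a later chunk fails.

        :param vaddr: virtual address to start writing at
        :param buf: data to write
        :returns: True when everything was written; False when writing is
                  disabled (config WRITE unset), an address does not
                  translate, or the base write fails
        """
        if not self._config.WRITE:
            return False

        if not self.alignment_gcd or not self.minimum_size:
            self.calculate_alloc_stats()

        position = vaddr
        length = len(buf)
        remaining = len(buf)

        # For each allocation...
        while remaining > 0:
            # Bytes left before the next allocation boundary, measured from
            # the current position. Measuring from the fixed start address
            # let later chunks run across a boundary into whatever follows
            # the translated physical page, i.e. memory not mapped at the
            # requested virtual address.
            alloc_remaining = (self.alignment_gcd - (position % self.alignment_gcd))
            # Try to jump out early
            paddr = self.translate(position)
            datalen = min(remaining, alloc_remaining)
            if paddr is None:
                return False
            result = self.base.write(paddr, buf[:datalen])
            if not result:
                return False
            buf = buf[datalen:]
            position += datalen
            remaining -= datalen
            assert (vaddr + length == position + remaining), "Address + length != position + remaining (" + hex(vaddr + length) + " != " + hex(position + remaining) + ") in " + self.base.__class__.__name__
        return True

# ---- archive member: volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/lime.py ----
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Authors:
# attc - atcuno@gmail.com
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.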
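#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

import volatility.obj as obj
import volatility.addrspace as addrspace
import volatility.debug as debug

class LimeTypes(obj.ProfileModification):
    """Add the 0x20-byte `lime_header` segment header type to the profile."""

    def modification(self, profile):
        profile.vtypes.update({
            'lime_header': [ 0x20, {
                'magic': [0x0, ['unsigned int']],
                'version': [0x4, ['unsigned int']],
                'start': [0x8, ['unsigned long long']],
                'end': [0x10, ['unsigned long long']],
                'reserved': [0x18, ['unsigned long long']],
            }],
        })

class LimeAddressSpace(addrspace.AbstractRunBasedMemory):
    """ Address space for Lime """

    order = 2

    def __init__(self, base, config, *args, **kwargs):
        self.as_assert(base, "lime: need base")

        addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)

        sig = base.read(0, 4)

        ## ARM processors are bi-endian, but little is the default and currently
        ## the only mode we support; unless it comes a common request.
        if sig == '\x4c\x69\x4d\x45':
            debug.debug("Big-endian ARM not supported, please submit a feature request")

        self.as_assert(sig == '\x45\x4D\x69\x4c', "Invalid Lime header signature")

        self.addr_cache = {}
        self.parse_lime()

    def parse_lime(self):
        """Walk the chain of lime_header records and build self.runs.

        Each run is (memory start, file offset of the segment data, length).
        Header fields come from the image being analysed, so they are
        validated before they are used to advance through the file.
        """
        header_size = self.profile.get_obj_size("lime_header")

        offset = 0
        header = obj.Object("lime_header", offset = offset, vm = self.base)

        while header.magic.v() == 0x4c694d45:
            #print "new segment at %x end %x size: %d offset %d | %x" % (header.start, header.end, header.end - header.start, offset, offset)

            # Since these values will be used a lot, make sure they aren't reread (ie, no objects in the runs list)
            seg_start = int(header.start)
            seg_end = int(header.end)

            # A header whose end precedes its start gives a non-positive
            # length: the run would be meaningless and the file offset could
            # stall or move backwards, so the header walk might never
            # finish. Reject the image instead.
            self.as_assert(seg_end >= seg_start, "Invalid Lime segment header")

            seg = (seg_start, offset + header_size, seg_end - seg_start + 1)
            self.runs.append(seg)

            offset = offset + seg[2] + header_size
            header = obj.Object("lime_header", offset = offset, vm = self.base)

    def translate(self, addr):
        """Find the offset in the file where a memory address can be found.

        Addresses below the start of the first run are treated as relative
        to that start.

        @param addr: a memory address
        """
        firstram = self.runs[0][0]
        if addr < firstram:
            addr = firstram + addr

        return addrspace.AbstractRunBasedMemory.translate(self, addr)

# ---- archive member: volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/elfcoredump.py ----
# Volatility
# Copyright (C) 2007-2014 Volatility Foundation
#
# Authors:
# phil@teuwen.org (Philippe Teuwen)
# espen@mrfjo.org (Espen Fjellvaer Olsen)
# justincapella@gmail.com (Justin Capella)
# michael.ligh@mnin.org (Michael Ligh)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.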
#
# References:
# VirtualBox core format:
# http://www.virtualbox.org/manual/ch12.html#guestcoreformat
# http://www.virtualbox.org/svn/vbox/trunk/include/VBox/vmm/dbgfcorefmt.h
# http://www.virtualbox.org/svn/vbox/trunk/src/VBox/VMM/VMMR3/DBGFCoreWrite.cpp

import volatility.obj as obj
import volatility.addrspace as addrspace

#pylint: disable-msg=C0111

NT_VBOXCORE = 0xb00
NT_VBOXCPU = 0xb01
DBGFCORE_MAGIC = 0xc01ac0de
DBGFCORE_FMT_VERSION = 0x00010000
NT_QEMUCORE = 0x1

class DBGFCOREDESCRIPTOR(obj.CType):
    """A class for VBox core dump descriptors"""

    @property
    def Major(self):
        """Bits 31:24 of u32VBoxVersion."""
        return (self.u32VBoxVersion >> 24) & 0xFF

    @property
    def Minor(self):
        """Bits 23:16 of u32VBoxVersion."""
        return (self.u32VBoxVersion >> 16) & 0xFF

    @property
    def Build(self):
        """Low 16 bits of u32VBoxVersion."""
        return self.u32VBoxVersion & 0xFFFF

class VirtualBoxModification(obj.ProfileModification):
    """Adds the DBGFCOREDESCRIPTOR layout and its object class to a profile."""

    def modification(self, profile):
        descriptor_fields = {
            'u32Magic' : [ 0, ['unsigned int']],
            'u32FmtVersion' : [ 4, ['unsigned int']],
            'cbSelf' : [ 8, ['unsigned int']],
            'u32VBoxVersion' : [ 12, ['unsigned int']],
            'u32VBoxRevision' : [ 16, ['unsigned int']],
            'cCpus' : [ 20, ['unsigned int']],
        }
        profile.vtypes.update({'DBGFCOREDESCRIPTOR' : [ 24, descriptor_fields ]})
        profile.object_classes.update({'DBGFCOREDESCRIPTOR': DBGFCOREDESCRIPTOR})

class VirtualBoxCoreDumpElf64(addrspace.AbstractRunBasedMemory):
    """ This AS supports VirtualBox ELF64 coredump format """

    order = 30

    def __init__(self, base, config, **kwargs):
        """Validate the ELF core header and collect the LOAD segments as runs.

        Program header values (p_paddr, p_offset, p_memsz) are taken from the
        file as-is; this method only filters on segment type and on
        p_filesz being non-zero and equal to p_memsz.
        """
        ## We must have an AS below us
        self.as_assert(base, "No base Address Space")
        addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)

        ## Quick test (before instantiating an object)
        ## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
        ## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
        accepted_idents = ['\x7fELF\x02\x01', '\x7fELF\x01\x01']
        self.as_assert(base.read(0, 6) in accepted_idents,
                       "ELF Header signature invalid")

        ## Base AS should be a file AS
        elf = obj.Object("elf_hdr", offset = 0, vm = base)

        ## Make sure its a core dump
        self.as_assert(str(elf.e_type) == 'ET_CORE',
                       "ELF type is not a Core file")

        ## Tuple of (physical memory address, file offset, length)
        self.runs = []

        ## The PT_NOTE core descriptor structure
        self.header = None

        for phdr in elf.program_headers():
            segment_type = str(phdr.p_type)

            ## The first note should be the VBCORE segment
            if segment_type == 'PT_NOTE':
                note = obj.Object("elf_note", offset = phdr.p_offset, vm = base, parent = phdr)
                self.check_note(note)
                continue

            # Only keep load segments with valid file sizes
            unusable = (segment_type != 'PT_LOAD' or
                        phdr.p_filesz == 0 or
                        phdr.p_filesz != phdr.p_memsz)
            if unusable:
                continue

            self.runs.append((int(phdr.p_paddr),
                              int(phdr.p_offset),
                              int(phdr.p_memsz)))

        self.validate()

    def check_note(self, note):
        """Check the Note type"""
        # NOTE(review): QemuCoreDumpElf.check_note compares str(note.namesz),
        # this one compares note.namesz directly - confirm both forms behave
        # the same for the elf_note type.
        if note.namesz == 'VBCORE' and note.n_type == NT_VBOXCORE:
            self.header = note.cast_descsz("DBGFCOREDESCRIPTOR")

    def validate(self):
        """Assert that a VBCORE descriptor with the expected magic and format
        version was found, and that at least one run was collected."""
        self.as_assert(self.header, 'ELF error: did not find any PT_NOTE segment with VBCORE')
        self.as_assert(self.header.u32Magic == DBGFCORE_MAGIC, 'Could not find VBox core magic signature')
        self.as_assert(self.header.u32FmtVersion & 0xFFFFFFF0 == DBGFCORE_FMT_VERSION, 'Unknown VBox core format version')
        self.as_assert(self.runs, 'ELF error: did not find any LOAD segment with main RAM')

class QemuCoreDumpElf(VirtualBoxCoreDumpElf64):
    """ This AS supports Qemu ELF32 and ELF64 coredump format """

    def check_note(self, note):
        """Check the Note type"""
        is_core_note = str(note.namesz) == 'CORE' and note.n_type == NT_QEMUCORE
        if is_core_note:
            ## Fake the header since we don't know what structure
            ## Qemu uses. It just has to pass the assertion check.
            self.header = 1

    def validate(self):
        """Assert that a CORE note was seen and at least one run was collected."""
        self.as_assert(self.header, 'ELF error: did not find any PT_NOTE segment with CORE')
        self.as_assert(self.runs, 'ELF error: did not find any LOAD segment with main RAM')

# ==== archive member: volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/amd64.py ====
# Volatility
# Copyright (C) 2013 Volatility Foundation
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import volatility.plugins.addrspaces.paged as paged import volatility.obj as obj import struct ptrs_page = 2048 entry_size = 8 pde_shift = 21 ptrs_per_pde = 512 page_shift = 12 ptrs_per_pae_pgd = 512 ptrs_per_pae_pte = 512 class AMD64PagedMemory(paged.AbstractWritablePagedMemory): """ Standard AMD 64-bit address space. This class implements the AMD64/IA-32E paging address space. It is responsible for translating each virtual (linear) address to a physical address. This is accomplished using hierachical paging structures. Every paging structure is 4096 bytes and is composed of entries. Each entry is 64 bits. The first paging structure is located at the physical address found in CR3 (dtb). Additional Resources: - Intel(R) 64 and IA-32 Architectures Software Developer's Manual Volume 3A: System Programming Guide. Section 4.3 http://www.intel.com/products/processor/manuals/index.htm - AMD64 Architecture Programmer's Manual Volume 2: System Programming http://support.amd.com/us/Processor_TechDocs/24593_APM_v2.pdf - N. Petroni, A. Walters, T. Fraser, and W. Arbaugh, "FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory" ,Digital Investigation Journal 3(4):197-210, December 2006. (submitted February 2006) - N. P. Maclean, "Acquisition and Analysis of Windows Memory," University of Strathclyde, Glasgow, April 2006. 
- Russinovich, M., & Solomon, D., & Ionescu, A. "Windows Internals, 5th Edition", Microsoft Press, 2009. """ order = 60 pae = False checkname = 'AMD64ValidAS' paging_address_space = True minimum_size = 0x1000 alignment_gcd = 0x1000 _longlong_struct = struct.Struct("> 39 def get_pml4e(self, vaddr): ''' This method returns the Page Map Level 4 (PML4) entry for the virtual address. Bits 47:39 are used to the select the appropriate 8 byte entry in the Page Map Level 4 Table. "Bits 51:12 are from CR3" [Intel] "Bits 11:3 are bits 47:39 of the linear address" [Intel] "Bits 2:0 are 0" [Intel] ''' pml4e_paddr = (self.dtb & 0xffffffffff000) | ((vaddr & 0xff8000000000) >> 36) return self.read_long_long_phys(pml4e_paddr) def get_pdpi(self, vaddr, pml4e): ''' This method returns the Page Directory Pointer entry for the virtual address. Bits 32:30 are used to select the appropriate 8 byte entry in the Page Directory Pointer table. "Bits 51:12 are from the PML4E" [Intel] "Bits 11:3 are bits 38:30 of the linear address" [Intel] "Bits 2:0 are all 0" [Intel] ''' pdpte_paddr = (pml4e & 0xffffffffff000) | ((vaddr & 0x7FC0000000) >> 27) return self.read_long_long_phys(pdpte_paddr) def get_1GB_paddr(self, vaddr, pdpte): ''' If the Page Directory Pointer Table entry represents a 1-GByte page, this method extracts the physical address of the page. 
"Bits 51:30 are from the PDPTE" [Intel] "Bits 29:0 are from the original linear address" [Intel] ''' return (pdpte & 0xfffffc0000000) | (vaddr & 0x3fffffff) def pde_index(self, vaddr): return (vaddr >> pde_shift) & (ptrs_per_pde - 1) def pdba_base(self, pdpe): return pdpe & 0xFFFFFFFFFF000 def get_pgd(self, vaddr, pdpe): pgd_entry = self.pdba_base(pdpe) + self.pde_index(vaddr) * entry_size return self.read_long_long_phys(pgd_entry) def pte_index(self, vaddr): return (vaddr >> page_shift) & (ptrs_per_pde - 1) def ptba_base(self, pde): return pde & 0xFFFFFFFFFF000 def get_pte(self, vaddr, pgd): pgd_val = self.ptba_base(pgd) + self.pte_index(vaddr) * entry_size return self.read_long_long_phys(pgd_val) def pte_pfn(self, pte): return pte & 0xFFFFFFFFFF000 def get_paddr(self, vaddr, pte): return self.pte_pfn(pte) | (vaddr & ((1 << page_shift) - 1)) def vtop(self, vaddr): ''' This method translates an address in the virtual address space to its associated physical address. Invalid entries should be handled with operating system abstractions. ''' vaddr = long(vaddr) retVal = None pml4e = self.get_pml4e(vaddr) if not self.entry_present(pml4e): return None pdpe = self.get_pdpi(vaddr, pml4e) if not self.entry_present(pdpe): return retVal if self.page_size_flag(pdpe): return self.get_1GB_paddr(vaddr, pdpe) pgd = self.get_pgd(vaddr, pdpe) if self.entry_present(pgd): if self.page_size_flag(pgd): retVal = self.get_2MB_paddr(vaddr, pgd) else: pte = self.get_pte(vaddr, pgd) if self.entry_present(pte): retVal = self.get_paddr(vaddr, pte) return retVal def read_long_long_phys(self, addr): ''' This method returns a 64-bit little endian unsigned integer from the specified address in the physical address space. If the address cannot be accessed, then the method returns None. 
This code was derived directly from legacyintel.py ''' try: string = self.base.read(addr, 8) except IOError: string = None if not string: return obj.NoneObject("Unable to read_long_long_phys at " + hex(addr)) longlongval, = self._longlong_struct.unpack(string) return longlongval def get_available_pages(self, with_pte = False): ''' This method generates a list of pages that are available within the address space. The entries in are composed of the virtual address of the page and the size of the particular page (address, size). It walks the 0x1000/0x8 (0x200) entries in each Page Map, Page Directory, and Page Table to determine which pages are accessible. ''' # read the full pml4 pml4 = self.base.read(self.dtb & 0xffffffffff000, 0x200 * 8) if pml4 is None: return # unpack all entries pml4_entries = struct.unpack('<512Q', pml4) for pml4e in range(0, 0x200): vaddr = pml4e << 39 pml4e_value = pml4_entries[pml4e] if not self.entry_present(pml4e_value): continue pdpt_base = (pml4e_value & 0xffffffffff000) pdpt = self.base.read(pdpt_base, 0x200 * 8) if pdpt is None: continue pdpt_entries = struct.unpack('<512Q', pdpt) for pdpte in range(0, 0x200): vaddr = (pml4e << 39) | (pdpte << 30) pdpte_value = pdpt_entries[pdpte] if not self.entry_present(pdpte_value): continue if self.page_size_flag(pdpte_value): if with_pte: yield (pdpte_value, vaddr, 0x40000000) else: yield (vaddr, 0x40000000) continue pd_base = self.pdba_base(pdpte_value) pd = self.base.read(pd_base, 0x200 * 8) if pd is None: continue pd_entries = struct.unpack('<512Q', pd) prev_pd_entry = None for j in range(0, 0x200): soffset = (j * 0x200 * 0x200 * 8) entry = pd_entries[j] if self.skip_duplicate_entries and entry == prev_pd_entry: continue prev_pd_entry = entry if self.entry_present(entry) and self.page_size_flag(entry): if with_pte: yield (entry, vaddr + soffset, 0x200000) else: yield (vaddr + soffset, 0x200000) elif self.entry_present(entry): pt_base = entry & 0xFFFFFFFFFF000 pt = self.base.read(pt_base, 0x200 
* 8) if pt is None: continue pt_entries = struct.unpack('<512Q', pt) prev_pt_entry = None for k in range(0, 0x200): pt_entry = pt_entries[k] if self.skip_duplicate_entries and pt_entry == prev_pt_entry: continue prev_pt_entry = pt_entry if self.entry_present(pt_entry): if with_pte: yield (pt_entry, vaddr + soffset + k * 0x1000, 0x1000) else: yield (vaddr + soffset + k * 0x1000, 0x1000) @classmethod def address_mask(cls, addr): return addr & 0xffffffffffff class WindowsAMD64PagedMemory(AMD64PagedMemory): """Windows-specific AMD 64-bit address space. This class is a specialized version of AMD64PagedMemory that leverages Windows-specific paging logic. """ order = 55 def is_valid_profile(self, profile): ''' This method checks to make sure the address space is being used with a Windows profile. ''' valid = AMD64PagedMemory.is_valid_profile(self, profile) return valid and profile.metadata.get('os', 'Unknown').lower() == 'windows' def entry_present(self, entry): present = AMD64PagedMemory.entry_present(self, entry) # The page is in transition and not a prototype. # Thus, we will treat it as present. return present or ((entry & (1 << 11)) and not (entry & (1 << 10))) class SkipDuplicatesAMD64PagedMemory(WindowsAMD64PagedMemory): """Windows 8/10-specific AMD 64-bit address space. This class is used to filter out large sections of kernel mappings that are duplicates in recent versions of Windows 8/10. """ order = 53 skip_duplicate_entries = True def is_valid_profile(self, profile): ''' This address space should only be used with recent Windows 8/10 profiles ''' valid = WindowsAMD64PagedMemory.is_valid_profile(self, profile) major = profile.metadata.get('major', 0) minor = profile.metadata.get('minor', 0) return valid and major >= 6 and minor >= 2 class LinuxAMD64PagedMemory(AMD64PagedMemory): """Linux-specific AMD 64-bit address space. This class is a specialized version of AMD64PagedMemory that leverages Linux-specific paging logic. 
""" order = 55 def is_valid_profile(self, profile): ''' This method checks to make sure the address space is being used with a Linux profile. ''' valid = AMD64PagedMemory.is_valid_profile(self, profile) return valid and profile.metadata.get('os', 'Unknown').lower() == 'linux' def entry_present(self, entry): present = AMD64PagedMemory.entry_present(self, entry) # Linux pages that have had mprotect(...PROT_NONE) called on them # have the present bit cleared and global bit set return present or (entry & (1 << 8)) volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/intel.py0000644000000000000000000003001013131215405024606 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (C) 2004,2005,2006 4tphi Research # # Authors: # {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters) # Michael Cohen # Mike Auty # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import struct import volatility.plugins.addrspaces.paged as paged import volatility.obj as obj entry_size = 8 pointer_size = 4 page_shift = 12 ptrs_per_pte = 1024 ptrs_per_pgd = 1024 ptrs_per_pae_pte = 512 ptrs_per_pae_pgd = 512 ptrs_per_pdpi = 4 pgdir_shift = 22 pdpi_shift = 30 pdptb_shift = 5 pde_shift = 21 ptrs_per_pde = 512 ptrs_page = 2048 class IA32PagedMemory(paged.AbstractWritablePagedMemory): """ Standard IA-32 paging address space. 
This class implements the IA-32 paging address space. It is responsible for translating each virtual (linear) address to a physical address. This is accomplished using hierachical paging structures. Every paging structure is 4096 bytes and is composed of entries. Each entry is 32 bits. The first paging structure is located at the physical address found in CR3 (dtb). Additional Resources: - Intel(R) 64 and IA-32 Architectures Software Developer's Manual Volume 3A: System Programming Guide. Section 4.3 http://www.intel.com/products/processor/manuals/index.htm - AMD64 Architecture Programmer's Manual Volume 2: System Programming http://support.amd.com/us/Processor_TechDocs/24593_APM_v2.pdf - N. Petroni, A. Walters, T. Fraser, and W. Arbaugh, "FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory" ,Digital Investigation Journal 3(4):197-210, December 2006. (submitted February 2006) - N. P. Maclean, "Acquisition and Analysis of Windows Memory," University of Strathclyde, Glasgow, April 2006. - Russinovich, M., & Solomon, D., & Ionescu, A. "Windows Internals, 5th Edition", Microsoft Press, 2009. 
""" order = 70 pae = False paging_address_space = True checkname = 'IA32ValidAS' # Hardcoded page info to avoid expensive recalculation minimum_size = 0x1000 alignment_gcd = 0x1000 _long_struct = struct.Struct('> pgdir_shift) & (ptrs_per_pgd - 1) def get_pgd(self, vaddr): pgd_entry = self.dtb + self.pgd_index(vaddr) * pointer_size return self.read_long_phys(pgd_entry) def pte_pfn(self, pte): return pte >> page_shift def pte_index(self, pte): return (pte >> page_shift) & (ptrs_per_pte - 1) def get_pte(self, vaddr, pgd): pgd_val = pgd & ~((1 << page_shift) - 1) pgd_val = pgd_val + self.pte_index(vaddr) * pointer_size return self.read_long_phys(pgd_val) def get_paddr(self, vaddr, pte): return (self.pte_pfn(pte) << page_shift) | (vaddr & ((1 << page_shift) - 1)) def get_four_meg_paddr(self, vaddr, pgd_entry): return (pgd_entry & ((ptrs_per_pgd - 1) << 22)) | (vaddr & ~((ptrs_per_pgd - 1) << 22)) def vtop(self, vaddr): retVal = None pgd = self.get_pgd(vaddr) if self.entry_present(pgd): if self.page_size_flag(pgd): retVal = self.get_four_meg_paddr(vaddr, pgd) else: pte = self.get_pte(vaddr, pgd) if not pte: return None if self.entry_present(pte): retVal = self.get_paddr(vaddr, pte) return retVal def read_long_phys(self, addr): try: string = self.base.read(addr, 4) except IOError: string = None if not string: return obj.NoneObject("Unable to read_long_phys at " + hex(addr)) longval, = self._long_struct.unpack(string) return longval def get_available_pages(self, with_pte = False): pgd_curr = self.dtb for i in range(0, ptrs_per_pgd): start = (i * ptrs_per_pgd * ptrs_per_pte * 4) entry = self.read_long_phys(pgd_curr) pgd_curr = pgd_curr + 4 if self.entry_present(entry) and self.page_size_flag(entry): if with_pte: yield (entry, start, 0x400000) else: yield (start, 0x400000) elif self.entry_present(entry): pte_curr = entry & ~((1 << page_shift) - 1) for j in range(0, ptrs_per_pte): pte_entry = self.read_long_phys(pte_curr) pte_curr = pte_curr + 4 if 
self.entry_present(pte_entry): if with_pte: yield (pte_entry, start + j * 0x1000, 0x1000) else: yield (start + j * 0x1000, 0x1000) class IA32PagedMemoryPae(IA32PagedMemory): """ This class implements the IA-32 PAE paging address space. It is responsible for translating each 32-bit virtual (linear) address to a 52-bit physical address. When PAE paging is in use, CR3 references the base of a 32-Byte Page Directory Pointer Table. Additional Resources: - Intel(R) 64 and IA-32 Architectures Software Developer's Manual Volume 3A: System Programming Guide. Section 4.3 http://www.intel.com/products/processor/manuals/index.htm - N. Petroni, A. Walters, T. Fraser, and W. Arbaugh, "FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory" ,Digital Investigation Journal 3(4):197-210, December 2006. (submitted February 2006) - N. P. Maclean, "Acquisition and Analysis of Windows Memory," University of Strathclyde, Glasgow, April 2006. - Russinovich, M., & Solomon, D., & Ionescu, A. "Windows Internals, 5th Edition", Microsoft Press, 2009. 
""" order = 60 pae = True _longlong_struct = struct.Struct('> pdpi_shift) def get_pdpi(self, vaddr): pdpi_entry = self.get_pdptb(self.dtb) + self.pdpi_index(vaddr) * entry_size return self._read_long_long_phys(pdpi_entry) def pde_index(self, vaddr): return (vaddr >> pde_shift) & (ptrs_per_pde - 1) def pdba_base(self, pdpe): return pdpe & 0xFFFFFFFFFF000 def get_pgd(self, vaddr, pdpe): pgd_entry = self.pdba_base(pdpe) + self.pde_index(vaddr) * entry_size return self._read_long_long_phys(pgd_entry) def pte_pfn(self, pte): return pte & 0xFFFFFFFFFF000 def pte_index(self, vaddr): return (vaddr >> page_shift) & (ptrs_per_pde - 1) def ptba_base(self, pde): return pde & 0xFFFFFFFFFF000 def get_pte(self, vaddr, pgd): pgd_val = self.ptba_base(pgd) + self.pte_index(vaddr) * entry_size return self._read_long_long_phys(pgd_val) def get_paddr(self, vaddr, pte): return self.pte_pfn(pte) | (vaddr & ((1 << page_shift) - 1)) def get_large_paddr(self, vaddr, pgd_entry): return (pgd_entry & 0xFFFFFFFE00000) | (vaddr & ~((ptrs_page - 1) << 21)) def vtop(self, vaddr): retVal = None pdpe = self.get_pdpi(vaddr) if not self.entry_present(pdpe): return retVal pgd = self.get_pgd(vaddr, pdpe) if self.entry_present(pgd): if self.page_size_flag(pgd): retVal = self.get_large_paddr(vaddr, pgd) else: pte = self.get_pte(vaddr, pgd) if self.entry_present(pte): retVal = self.get_paddr(vaddr, pte) return retVal def _read_long_long_phys(self, addr): if not addr: return obj.NoneObject("Unable to read None") try: string = self.base.read(addr, 8) except IOError: string = None if not string: return obj.NoneObject("Unable to read base AS at " + hex(addr)) longlongval, = self._longlong_struct.unpack(string) return longlongval def get_available_pages(self, with_pte = False): pdpi_base = self.get_pdptb(self.dtb) for i in range(0, ptrs_per_pdpi): start = (i * ptrs_per_pae_pgd * ptrs_per_pae_pgd * ptrs_per_pae_pte * 8) pdpi_entry = pdpi_base + i * entry_size pdpe = self._read_long_long_phys(pdpi_entry) if not 
self.entry_present(pdpe): continue pgd_curr = self.pdba_base(pdpe) for j in range(0, ptrs_per_pae_pgd): soffset = start + (j * ptrs_per_pae_pgd * ptrs_per_pae_pte * 8) entry = self._read_long_long_phys(pgd_curr) pgd_curr = pgd_curr + 8 if self.entry_present(entry) and self.page_size_flag(entry): if with_pte: yield (entry, soffset, 0x200000) else: yield (soffset, 0x200000) elif self.entry_present(entry): pte_curr = entry & ~((1 << page_shift) - 1) for k in range(0, ptrs_per_pae_pte): pte_entry = self._read_long_long_phys(pte_curr) pte_curr = pte_curr + 8 if self.entry_present(pte_entry): if with_pte: yield (pte_entry, soffset + k * 0x1000, 0x1000) else: yield (soffset + k * 0x1000, 0x1000) volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/crash.py0000644000000000000000000000573113131215405024607 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (C) 2005,2006,2007 4tphi Research # # Authors: # {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters) # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
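#

""" An AS for processing crash dumps """
import struct
import volatility.obj as obj
import volatility.addrspace as addrspace

#pylint: disable-msg=C0111

page_shift = 12

class WindowsCrashDumpSpace32(addrspace.AbstractRunBasedMemory):
    """ This AS supports windows Crash Dump format """
    order = 30
    dumpsig = 'PAGEDUMP'
    headertype = "_DMP_HEADER"
    headerpages = 1

    _long_struct = struct.Struct("=I")

    def __init__(self, base, config, **kwargs):
        """Check the dump signature and type, then build the run list from
        the header's PhysicalMemoryBlockBuffer.

        Each run is (BasePage * 0x1000, file page offset * 0x1000,
        PageCount * 0x1000). The file page offset starts after the header
        pages and advances by each run's PageCount. These values are read
        from the dump header and are not range-checked here.
        """
        ## We must have an AS below us
        self.as_assert(base, "No base Address Space")

        addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)

        ## Must start with the magic PAGEDUMP
        self.as_assert((base.read(0, 8) == self.dumpsig), "Header signature invalid")

        self.as_assert(self.profile.has_type(self.headertype), self.headertype + " not available in profile")
        self.header = obj.Object(self.headertype, 0, base)

        self.as_assert((self.header.DumpType == 0x1), "Unsupported dump format")

        offset = self.headerpages
        for x in self.header.PhysicalMemoryBlockBuffer.Run:
            self.runs.append((x.BasePage.v() * 0x1000,
                              offset * 0x1000,
                              x.PageCount.v() * 0x1000))
            offset += x.PageCount.v()

        self.dtb = self.header.DirectoryTableBase.v()

    def get_header(self):
        """Return the parsed dump header object."""
        return self.header

    def get_base(self):
        """Return the address space this one is stacked on."""
        return self.base

    def read_long(self, addr):
        """Read a 4-byte unsigned integer (native byte order) at addr.

        Returns an obj.NoneObject when fewer than 4 bytes can be read.
        """
        _baseaddr = self.translate(addr)
        string = self.read(addr, 4)
        # A short read at the end of a run or of a truncated dump would make
        # unpack() raise struct.error, so treat it like a failed read.
        if not string or len(string) != 4:
            return obj.NoneObject("Could not read data at " + str(addr))
        longval, = self._long_struct.unpack(string)
        return longval

    def get_available_addresses(self):
        """ This returns the ranges of valid addresses """
        for run in self.runs:
            yield (run[0], run[2])

    def close(self):
        """Close the underlying address space."""
        self.base.close()

class WindowsCrashDumpSpace64(WindowsCrashDumpSpace32):
    """ This AS supports windows Crash Dump format """
    order = 30
    dumpsig = 'PAGEDU64'
    headertype = "_DMP_HEADER64"
    headerpages = 2

# ==== archive member: volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/vmem.py ====
# Volatility
#
# Authors:
# Sebastien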
# Bourdon-Richard
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
#

"""
@author: Sebastien Bourdon-Richard
@license: GNU General Public License 2.0 or later
"""

import volatility.addrspace as addrspace
import sys, urllib, copy, os
import volatility.plugins.addrspaces.vmware as vmware
import volatility.plugins.addrspaces.standard as standard
import volatility.obj as obj

class VMWareMetaAddressSpace(addrspace.AbstractRunBasedMemory):
    """ This AS supports the VMEM format with VMSN/VMSS metadata """

    order = 30
    vmem_address_space = True
    PAGE_SIZE = 4096

    def __init__(self, base, config, **kwargs):
        """Locate the .vmss/.vmsn file next to the vmem and build runs from it.

        The metadata path is config.LOCATION with its extension replaced, so
        it is opened from the same directory as the image. Region counts,
        page numbers and sizes are read from that metadata file.
        NOTE(review): no upper bound is applied to the region count or to
        the resulting offsets - confirm whether callers validate them.
        """
        ## We must have an AS below us
        self.as_assert(base, "No base Address Space")
        addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)

        base_vmem = (hasattr(base, 'vmem_address_space') and base.vmem_address_space)
        self.as_assert(not base_vmem, "Can not stack over another vmem")

        base_page = (hasattr(base, 'paging_address_space') and base.paging_address_space)
        self.as_assert(not base_page, "Can not stack over another paging address space")

        self.as_assert(config.LOCATION.startswith("file://"), 'Location is not of file scheme')

        ## Build a path to the vmss - it should be relative
        ## to the vmem and have the same base name
        location = urllib.url2pathname(config.LOCATION[7:])
        stem = os.path.splitext(location)[0]

        # Prefer the .vmss file, fall back to .vmsn
        metadata = None
        for candidate in (stem + ".vmss", stem + ".vmsn"):
            if os.path.isfile(candidate):
                metadata = candidate
                break
        if metadata is None:
            raise addrspace.ASAssertionError('VMware metadata file is not available')

        self.as_assert(location != metadata, 'VMware metadata file already detected')

        ## This is a tuple of (physical memory offset, file offset, length)
        self.runs = []

        ## Second AS for VMSN/VMSS manipulation
        vmMetaConfig = copy.deepcopy(config)
        vmMetaConfig.LOCATION = "file://" + metadata
        meta_space = standard.FileAddressSpace(None, vmMetaConfig)
        header = obj.Object("_VMWARE_HEADER", offset = 0, vm = meta_space)

        known_magics = [0xbed2bed0, 0xbad1bad1, 0xbed2bed2, 0xbed3bed3]
        self.as_assert(header.Magic in known_magics,
                       "Invalid VMware signature: {0:#x}".format(header.Magic))

        get_tag = vmware.VMWareAddressSpace.get_tag

        def region_bytes(tag_name, index):
            # Every per-region tag is a page count; convert it to bytes
            return get_tag(header, grp_name = "memory", tag_name = tag_name,
                           indices = [index],
                           data_type = "unsigned int") * self.PAGE_SIZE

        ## The number of memory regions contained in the file
        region_count = get_tag(header, grp_name = "memory",
                               tag_name = "regionsCount",
                               data_type = "unsigned int")

        if not (region_count.is_valid() and region_count != 0):
            self.as_assert(False, 'Region count is not valid or 0')
        else:
            ## Create multiple runs - one for each region in the header
            ## Code from vmware.py
            for i in range(region_count):
                memory_offset = region_bytes("regionPPN", i)
                file_offset = region_bytes("regionPageNum", i)
                length = region_bytes("regionSize", i)
                self.runs.append((memory_offset, file_offset, length))

        ## Make sure we found at least one memory run
        self.as_assert(len(self.runs) > 0, "Cannot find any memory run information")

        self.header = header

# ==== archive member: volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/standard.py ====
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C)
# 2004,2005,2006 4tphi Research
#
# Authors:
# {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters)
# Michael Cohen
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

""" These are standard address spaces supported by Volatility """
import struct
import volatility.addrspace as addrspace
import volatility.debug as debug #pylint: disable-msg=W0611
import urllib
import os

#pylint: disable-msg=C0111

def write_callback(option, _opt_str, _value, parser, *_args, **_kwargs):
    """Option callback that gates write support behind a typed confirmation.

    The first time it runs (parser.values has no 'write' attribute yet) the
    option is switched to store_false and write is set to False, so write
    support is off unless the user types the confirmation phrase exactly
    within three attempts. On success the option becomes store_true. On
    later parses the callback does nothing, so the earlier answer stands.
    """
    if hasattr(parser.values, 'write'):
        # Already decided on an earlier parse
        return

    # We don't want to use config.outfile, since this should always be seen by the user
    option.dest = "write"
    option.action = "store_false"
    parser.values.write = False

    testphrase = "Yes, I want to enable write support"
    prompt = "Write support requested. Please type \"" + testphrase + "\" below precisely (case-sensitive):\n"

    attempts_left = 3
    while attempts_left > 0:
        attempts_left -= 1
        if raw_input(prompt) == testphrase:
            option.action = "store_true"
            parser.values.write = True
            return

    print "Write support disabled."
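class FileAddressSpace(addrspace.BaseAddressSpace):
    """ Address space that reads straight from a file on disk.

    Instantiation is refused (through as_assert) unless

    1) config.LOCATION starts with file:// and names an existing path

    2) base is None, so nothing sits below us in the AS stack, or the
       caller passes layered = True

    The file is opened 'rb'; it is opened 'rb+' only when config.WRITE is
    set.  The WRITE option is registered by register_options() below with
    write_callback as its callback.
    """
    ## We should be the AS of last resort
    order = 100

    def __init__(self, base, config, layered = False, **kwargs):
        """Validate config.LOCATION, open the file and record its size.

        @param base: must be None unless layered is true
        @param config: provides LOCATION (a file:// URL) and WRITE
        @param layered: set by callers that deliberately stack this AS
        """
        addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
        self.as_assert(base == None or layered, 'Must be first Address Space')
        self.as_assert(config.LOCATION.startswith("file://"), 'Location is not of file scheme')

        ## Strip the 7 characters of "file://" and undo the URL quoting
        path = urllib.url2pathname(config.LOCATION[7:])
        self.as_assert(os.path.exists(path), 'Filename must be specified and exist')
        self.name = os.path.abspath(path)
        self.fname = self.name
        self.mode = 'rb'
        if config.WRITE:
            self.mode += '+'
        self.fhandle = open(self.fname, self.mode)
        ## Seek to the end (whence = 2) to learn the file size
        self.fhandle.seek(0, 2)
        self.fsize = self.fhandle.tell()
        self._long_struct = struct.Struct("=I")

    # Abstract Classes cannot register options, and since this checks config.WRITE in __init__, we define the option here
    @staticmethod
    def register_options(config):
        """Register the -w/WRITE option; it defaults to False and is decided by write_callback."""
        config.add_option("WRITE", short_option = 'w', action = "callback", default = False,
                          help = "Enable write support", callback = write_callback)

    def fread(self, length):
        """Read length bytes from the current file position (length is passed to file.read as is)."""
        length = int(length)
        return self.fhandle.read(length)

    def read(self, addr, length):
        """Read length bytes at file offset addr.

        Returns None when the seek fails, when nothing could be read, or
        when length is negative.  A read that runs into the end of the file
        returns fewer bytes than requested.
        """
        addr, length = int(addr), int(length)
        # file.read() treats a negative size as "read until EOF".  Lengths are
        # often computed from fields of the image being analysed, so a
        # corrupt or hostile value must not turn into a read of the whole
        # remaining file.
        if length < 0:
            return None
        try:
            self.fhandle.seek(addr)
        except (IOError, OverflowError):
            return None
        data = self.fhandle.read(length)
        if len(data) == 0:
            return None
        return data

    def zread(self, addr, length):
        """Like read(), but pad with NUL bytes up to length instead of returning None or a short read."""
        data = self.read(addr, length)
        if data is None:
            data = "\x00" * length
        elif len(data) != length:
            data += "\x00" * (length - len(data))
        return data

    def read_long(self, addr):
        """Read 4 bytes at addr and unpack them with the "=I" struct format.

        NOTE(review): read() may return None or fewer than 4 bytes near the
        end of the file; unpack() then raises.  Callers that can hit EOF
        need to be prepared for that.
        """
        string = self.read(addr, 4)
        longval, = self._long_struct.unpack(string)
        return longval

    def get_available_addresses(self):
        """Yield the single run (0, file size)."""
        # Since the second parameter is the length of the run
        # not the end location, it must be set to fsize, not fsize - 1
        yield (0, self.fsize)

    def is_valid_address(self, addr):
        """True when addr is not None and lies inside the file."""
        if addr == None:
            return False
        return 0 <= addr < self.fsize

    def close(self):
        """Close the underlying file handle."""
        self.fhandle.close()

    def write(self, addr, data):
        """Write data at file offset addr.

        Returns False without touching the file unless config.WRITE is set,
        and False when the seek or write raises IOError; True otherwise.
        """
        if not self._config.WRITE:
            return False
        try:
            self.fhandle.seek(addr)
            self.fhandle.write(data)
        except IOError:
            return False
        return True

    def __eq__(self, other):
        """Equal when class, base and file name all match."""
        return self.__class__ == other.__class__ and \
               self.base == other.base and hasattr(other, "fname") and self.fname == other.fname


## ---- volatility/plugins/addrspaces/vmware.py: VMware snapshot file parser ----
## The definitions below use the module names addrspace and obj.

class _VMWARE_HEADER(obj.CType):
    """A class for VMware VMSS/VMSN files"""

    @property
    def Version(self):
        """The vmss/vmsn storage format version (the low 4 bits of Magic)"""
        return self.Magic & 0xF

class _VMWARE_GROUP(obj.CType):
    """A class for VMware Groups"""

    def _get_header(self):
        """Lookup the parent VMware header object by walking obj_parent"""
        parent = self.obj_parent
        while parent.obj_name != '_VMWARE_HEADER':
            parent = parent.obj_parent
        return parent

    @property
    def Tags(self):
        """Generator for tags objects

        Starts at TagsOffset and stops at the first tag whose Flags and
        NameLength are both zero.  Each following tag is located from the
        previous tag's RealDataOffset + DataDiskSize.

        NOTE(review): every offset and size used to find the next tag comes
        from the file itself; nothing here bounds the walk against the size
        of the underlying address space.
        """
        tag = obj.Object("_VMWARE_TAG", offset = self.TagsOffset, vm = self.obj_vm,
                         parent = self._get_header())
        while not (tag.Flags == 0 and tag.NameLength == 0):
            yield tag
            ## Determine the address of the next tag
            tag = obj.Object("_VMWARE_TAG", vm = self.obj_vm,
                             parent = self._get_header(),
                             offset = tag.RealDataOffset + tag.DataDiskSize)

class _VMWARE_TAG(obj.CType):
    """A class for VMware Tags

    The low 6 bits of Flags hold the data size (OriginalDataSize); the
    values 62 and 63 signal that explicit size fields follow instead.  The
    top 2 bits of Flags give the number of entries in TagIndices.
    """

    def _size_type(self):
        """Depending on the version, the 'real' data size field is
        either 4 or 8 bytes"""
        if self.obj_parent.Version == 0:
            obj_type = 'unsigned int'
        else:
            obj_type = 'unsigned long long'
        return obj_type

    @property
    def OriginalDataOffset(self):
        """Determine the offset to this tag's data (after the name and the indices)"""
        return (self.Name.obj_offset + self.NameLength +
                (self.TagIndices.count * self.obj_vm.profile.get_obj_size("unsigned int")))

    @property
    def RealDataOffset(self):
        """Determine the real offset to this tag's data"""
        if self.OriginalDataSize in (62, 63):
            ## Add the original offset plus the two 32- or 64-bit lengths
            offset = (self.OriginalDataOffset +
                      (self.obj_vm.profile.get_obj_size(self._size_type()) * 2))
            ## There is a 16-bit padding value
            padlen = obj.Object("unsigned short", offset = offset, vm = self.obj_vm)
            ## Final result is the offset after the pad, plus the padding value
            return offset + 2 + padlen
        else:
            return self.OriginalDataOffset

    @property
    def OriginalDataSize(self):
        """The size encoded in the low 6 bits of Flags"""
        return self.Flags & 0x3F

    @property
    def DataDiskSize(self):
        """Get the tag's data size on disk"""
        # these are special data sizes that signal a longer data stream
        if self.OriginalDataSize in (62, 63):
            return obj.Object(self._size_type(), offset = self.OriginalDataOffset, vm = self.obj_vm)
        else:
            return self.OriginalDataSize

    @property
    def DataMemSize(self):
        """Get the tag's data size in memory (the second of the two size fields)"""
        if self.OriginalDataSize in (62, 63):
            return obj.Object(self._size_type(), offset = self.OriginalDataOffset + \
                              self.obj_vm.profile.get_obj_size(self._size_type()),
                              vm = self.obj_vm)
        else:
            return self.OriginalDataSize

    def cast_as(self, cast_type):
        """Cast the data in a tag as a specific type"""
        return obj.Object(cast_type, offset = self.RealDataOffset, vm = self.obj_vm)

class VMwareVTypesModification(obj.ProfileModification):
    """Apply the necessary VTypes for parsing VMware headers"""

    def modification(self, profile):
        """Add the three VMware structures and bind them to the classes above."""
        profile.vtypes.update({
            '_VMWARE_HEADER' : [ 12, {
                'Magic' : [ 0, ['unsigned int']],
                'GroupCount' : [ 8, ['unsigned int']],
                'Groups' : [ 12, ['array', lambda x : x.GroupCount, ['_VMWARE_GROUP']]],
            }],
            '_VMWARE_GROUP' : [ 80, {
                'Name' : [ 0, ['String', dict(length = 64, encoding = 'utf8')]],
                'TagsOffset' : [ 64, ['unsigned long long']],
            }],
            '_VMWARE_TAG' : [ None, {
                'Flags' : [ 0, ['unsigned char']],
                'NameLength' : [ 1, ['unsigned char']],
                'Name' : [ 2, ['String', dict(length = lambda x : x.NameLength, encoding = 'utf8')]],
                'TagIndices' : [ lambda x : x.obj_offset + 2 + x.NameLength, ['array', lambda x : (x.Flags >> 6) & 0x3, ['unsigned int']]],
            }],
        })
        profile.object_classes.update({
            '_VMWARE_HEADER': _VMWARE_HEADER,
            '_VMWARE_GROUP': _VMWARE_GROUP,
            '_VMWARE_TAG': _VMWARE_TAG
        })

class VMWareAddressSpace(addrspace.AbstractRunBasedMemory):
    """ This AS supports VMware snapshot (VMSN) and saved state (VMSS) files """

    order = 30
    PAGE_SIZE = 4096

    def __init__(self, base, config, **kwargs):
        """Parse the VMware header of base and build self.runs.

        With no usable "regionsCount" tag a single run is created from the
        "Memory" tag.  Otherwise one run per region is built from the
        regionPPN / regionPageNum / regionSize tags, all counted in pages.

        NOTE(review): region_count and the per-region values come from the
        file and are used without an upper bound or a validity check on the
        individual region tags; a damaged header can therefore produce a
        very long loop or runs that do not describe real file content.
        """
        ## We must have an AS below us
        self.as_assert(base, "No base Address Space")
        addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)

        ## This is a tuple of (physical memory offset, file offset, length)
        self.runs = []

        ## A VMware header is found at offset zero of the file
        self.header = obj.Object("_VMWARE_HEADER", offset = 0, vm = base)

        self.as_assert(self.header.Magic in [0xbed2bed0, 0xbad1bad1, 0xbed2bed2, 0xbed3bed3],
                       "Invalid VMware signature: {0:#x}".format(self.header.Magic))

        ## The number of memory regions contained in the file
        region_count = self.get_tag(self.header, grp_name = "memory", tag_name = "regionsCount",
                                    data_type = "unsigned int")

        if not region_count.is_valid() or region_count == 0:
            ## Create a single run from the main memory region
            memory_tag = self.get_tag(self.header, grp_name = "memory", tag_name = "Memory")

            self.as_assert(memory_tag != None, "Cannot find the single-region Memory tag")

            self.runs.append((0, memory_tag.RealDataOffset, memory_tag.DataDiskSize))
        else:
            ## The Memory tag is the same for every region, so look it up
            ## once instead of re-walking the header on each iteration.
            memory_tag = self.get_tag(self.header, grp_name = "memory", tag_name = "Memory",
                                      indices = [0, 0])

            self.as_assert(memory_tag != None, "Cannot find the Memory tag")

            ## Create multiple runs - one for each region in the header
            for i in range(region_count):
                memory_offset = self.get_tag(self.header, grp_name = "memory", tag_name = "regionPPN",
                                             indices = [i],
                                             data_type = "unsigned int") * self.PAGE_SIZE

                file_offset = self.get_tag(self.header, grp_name = "memory",
                                           tag_name = "regionPageNum", indices = [i],
                                           data_type = "unsigned int") * \
                                           self.PAGE_SIZE + memory_tag.RealDataOffset

                length = self.get_tag(self.header, grp_name = "memory", tag_name = "regionSize",
                                      indices = [i],
                                      data_type = "unsigned int") * self.PAGE_SIZE

                self.runs.append((memory_offset, file_offset, length))

        ## Make sure we found at least one memory run
        self.as_assert(len(self.runs) > 0, "Cannot find any memory run information")

    @staticmethod
    def get_tag(header, grp_name, tag_name, indices = None, data_type = None):
        """Get a tag from the VMware headers

        @param grp_name: the group name (from _VMWARE_GROUP.Name)

        @param tag_name: the tag name (from _VMWARE_TAG.Name)

        @param indices: a group can contain multiple tags of the same name,
        and tags can also contain meta-tags. this parameter lets you specify
        which tag or meta-tag exactly to operate on. for example the 3rd CR
        register (CR3) of the first CPU would use [0][3] indices. If this
        parameter is None, then you just match on grp_name and tag_name.

        @param data_type: the type of data depends on the purpose of the tag.
        If you supply this parameter, the function returns an object of the
        specified type (for example an int or long). If not supplied, you just
        get back the _VMWARE_TAG object itself.

        @return: the first matching tag (or its data cast to data_type), or
        an obj.NoneObject when nothing matches.
        """
        for group in header.Groups:
            ## Match on the group's name
            if str(group.Name) != grp_name:
                continue

            ## Iterate the tags looking for a match
            for tag in group.Tags:
                if str(tag.Name) != tag_name:
                    continue

                ## If a set of indices was supplied, make sure it matches
                if indices and tag.TagIndices != indices:
                    continue

                ## If a data type is specified, cast the Tag and return the
                ## object. Otherwise return the Tag object itself.
                if data_type:
                    return tag.cast_as(data_type)
                else:
                    return tag

        return obj.NoneObject("Cannot find [{0}][{1}]".format(grp_name, tag_name))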
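PAGE_SIZE = 0x1000
page_shift = 12

class Store(object):
    """Small first-in, first-out cache for decompressed xpress blocks.

    Keys are evicted in insertion order.  The eviction check runs after
    each insert and fires once the number of tracked keys reaches limit, so
    at most limit - 1 items stay cached.  size tracks the summed len() of
    the cached items.
    """

    def __init__(self, limit = 50):
        self.limit = limit
        self.cache = {}
        self.seq = []
        self.size = 0

    def put(self, key, item):
        """Insert item under key and evict the oldest entry if the limit is reached."""
        self.cache[key] = item
        self.size += len(item)

        self.seq.append(key)
        if len(self.seq) >= self.limit:
            key = self.seq.pop(0)
            self.size -= len(self.cache[key])
            del self.cache[key]

    def get(self, key):
        """Return the cached item; raises KeyError on a miss."""
        return self.cache[key]

class WindowsHiberFileSpace32(addrspace.BaseAddressSpace):
    """ This is a hibernate address space for windows hibernation files.

    In order for us to work we need to:
    1) have a valid baseAddressSpace
    2) the first 4 bytes must be 'hibr' or 'wake'
        otherwise we bruteforce to find self.header.FirstTablePage in
        _get_first_table_page() this occurs with a zeroed PO_MEMORY_IMAGE header

    All table offsets, page ranges and block sizes used below are read from
    the hibernation file itself.
    """
    order = 10

    def __init__(self, base, config, **kwargs):
        """Validate the header, read the saved processor state and index all pages."""
        self.as_assert(base, "No base Address Space")
        addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
        self.runs = []
        self.PageDict = {}
        self.HighestPage = 0
        self.PageIndex = 0
        self.AddressList = []
        self.LookupCache = {}
        self.PageCache = Store(50)
        self.MemRangeCnt = 0
        self.entry_count = 0xFF
        self._long_struct = struct.Struct("=I")

        # Extract header information
        self.as_assert(self.profile.has_type("PO_MEMORY_IMAGE"), "PO_MEMORY_IMAGE is not available in profile")
        self.header = obj.Object('PO_MEMORY_IMAGE', 0, base)

        ## Is the signature right?
        if self.header.Signature.lower() not in ['hibr', 'wake']:
            self.header = obj.NoneObject("Invalid hibernation header")

        volmag = obj.VolMagic(base)
        self.entry_count = volmag.HibrEntryCount.v()

        PROC_PAGE = volmag.HibrProcPage.v()

        # Check it's definitely a hibernation file
        pageno = self._get_first_table_page()
        self.as_assert(pageno is not None, "No xpress signature found")
        self.as_assert(pageno <= 10, "Bad profile for PO_MEMORY_RANGE")

        # Extract processor state
        self.ProcState = obj.Object("_KPROCESSOR_STATE", PROC_PAGE * 4096, base)

        ## This is a pointer to the page table - any ASs above us dont
        ## need to search for it.
        self.dtb = self.ProcState.SpecialRegisters.Cr3.v()

        # This is a lengthy process, it was cached, but it may be best to delay this
        # until it's absolutely necessary and/or convert it into a generator...
        self.build_page_cache()

    def _get_first_table_page(self):
        """Return the page number of the first memory range table.

        Taken from the header when it is valid; otherwise the first ten
        pages are searched for the xpress signature and the page before the
        hit is returned.  Returns None when nothing is found.
        """
        if self.header != None:
            return self.header.FirstTablePage

        for i in range(10):
            if self.base.read(i * PAGE_SIZE, 8) == "\x81\x81xpress":
                return i - 1

    def _checked_next_xpress(self, XpressHeader, XpressBlockSize):
        """next_xpress() that refuses to continue when no further block exists.

        next_xpress() signals "not found" with (None, None); using that
        result would fail on the first attribute access, so the condition
        is reported through as_assert like the other format checks in this
        class.
        """
        header, size = self.next_xpress(XpressHeader, XpressBlockSize)
        self.as_assert(header is not None, "Unable to find the next xpress block")
        return header, size

    def build_page_cache(self):
        """Walk the memory range tables and map every page to its xpress block.

        Fills PageDict (block offset -> pages), LookupCache (page number ->
        block offset, block size, index of the page inside the block) and
        AddressList (start address, length) and tracks HighestPage.  A new
        xpress block is taken after every 0x10 pages.
        """
        XpressIndex = 0
        XpressHeader = obj.Object("_IMAGE_XPRESS_HEADER", (self._get_first_table_page() + 1) * 4096, self.base)
        XpressBlockSize = self.get_xpress_block_size(XpressHeader)

        MemoryArrayOffset = self._get_first_table_page() * 4096

        while MemoryArrayOffset:
            MemoryArray = obj.Object('_PO_MEMORY_RANGE_ARRAY', MemoryArrayOffset, self.base)

            EntryCount = MemoryArray.MemArrayLink.EntryCount.v()
            for i in MemoryArray.RangeTable:
                start = i.StartPage.v()
                end = i.EndPage.v()
                LocalPageCnt = end - start
                self.as_assert((LocalPageCnt > 0), "Negative Page Count Range")

                if end > self.HighestPage:
                    self.HighestPage = end

                self.AddressList.append((start * 0x1000, LocalPageCnt * 0x1000))

                for j in range(0, LocalPageCnt):
                    if (XpressIndex and ((XpressIndex % 0x10) == 0)):
                        XpressHeader, XpressBlockSize = \
                            self._checked_next_xpress(XpressHeader, XpressBlockSize)

                    PageNumber = start + j
                    XpressPage = XpressIndex % 0x10

                    if XpressHeader.obj_offset not in self.PageDict:
                        self.PageDict[XpressHeader.obj_offset] = [
                            (PageNumber, XpressBlockSize, XpressPage)]
                    else:
                        self.PageDict[XpressHeader.obj_offset].append(
                            (PageNumber, XpressBlockSize, XpressPage))

                    ## Update the lookup cache
                    self.LookupCache[PageNumber] = (
                        XpressHeader.obj_offset, XpressBlockSize, XpressPage)

                    self.PageIndex += 1
                    XpressIndex += 1

            NextTable = MemoryArray.MemArrayLink.NextTable.v()

            # This entry count (EntryCount) should probably be calculated
            if (NextTable and (EntryCount == self.entry_count)):
                MemoryArrayOffset = NextTable * 0x1000
                self.MemRangeCnt += 1

                XpressHeader, XpressBlockSize = \
                    self._checked_next_xpress(XpressHeader, XpressBlockSize)

                # Make sure the xpress block is after the Memory Table
                while (XpressHeader.obj_offset < MemoryArrayOffset):
                    XpressHeader, XpressBlockSize = \
                        self._checked_next_xpress(XpressHeader, 0)

                XpressIndex = 0
            else:
                MemoryArrayOffset = 0

    def next_xpress(self, XpressHeader, XpressBlockSize):
        """Find the xpress block that follows XpressHeader.

        The search starts right after the current block and scans forward
        in 1024-byte reads for the "\\x81\\x81xpress" signature, giving up
        once more than 10240 bytes have been covered.

        @return: (header object, block size), or (None, None) when no
                 signature is found or the file ends first
        """
        XpressHeaderOffset = XpressBlockSize + XpressHeader.obj_offset + \
            XpressHeader.size()

        ## We only search this far
        BLOCKSIZE = 1024
        original_offset = XpressHeaderOffset
        while 1:
            data = self.base.read(XpressHeaderOffset, BLOCKSIZE)
            # A read past the end of the file yields no data; without this
            # check the scan would fail on the missing data or never advance.
            if not data:
                return None, None
            Magic_offset = data.find("\x81\x81xpress")
            if Magic_offset >= 0:
                XpressHeaderOffset += Magic_offset
                break
            else:
                XpressHeaderOffset += len(data)

            ## Only search this far in advance
            if XpressHeaderOffset - original_offset > 10240:
                return None, None

        XpressHeader = obj.Object("_IMAGE_XPRESS_HEADER", XpressHeaderOffset, self.base)
        XpressBlockSize = self.get_xpress_block_size(XpressHeader)

        return XpressHeader, XpressBlockSize

    def get_xpress_block_size(self, xpress_header):
        """Compute the block size from the u09/u0A/u0B header bytes, rounded up to a multiple of 8."""
        u0B = xpress_header.u0B.v() << 24
        u0A = xpress_header.u0A.v() << 16
        u09 = xpress_header.u09.v() << 8

        Size = u0B + u0A + u09
        Size = Size >> 10
        Size = Size + 1

        if ((Size % 8) == 0):
            return Size
        return (Size & ~7) + 8

    def get_header(self):
        return self.header

    def get_base(self):
        return self.base

    def is_paging(self):
        """Bit 31 of the saved Cr0."""
        return (self.ProcState.SpecialRegisters.Cr0.v() >> 31) & 1

    def is_pse(self):
        """Bit 4 of the saved Cr4."""
        return (self.ProcState.SpecialRegisters.Cr4.v() >> 4) & 1

    def is_pae(self):
        """Bit 5 of the saved Cr4."""
        return (self.ProcState.SpecialRegisters.Cr4.v() >> 5) & 1

    def get_addr(self, addr):
        """Return (block offset, block size, page index in block) for addr, or three Nones."""
        page = addr >> page_shift
        if page in self.LookupCache:
            (hoffset, size, pageoffset) = self.LookupCache[page]
            return hoffset, size, pageoffset
        return None, None, None

    def get_block_offset(self, _xb, addr):
        """Return the index of addr's page inside its xpress block, or None."""
        page = addr >> page_shift
        if page in self.LookupCache:
            (_hoffset, _size, pageoffset) = self.LookupCache[page]
            return pageoffset
        return None

    def is_valid_address(self, addr):
        XpressHeaderOffset, _XpressBlockSize, _XpressPage = self.get_addr(addr)
        return XpressHeaderOffset != None

    def read_xpress(self, baddr, BlockSize):
        """Return the decompressed block at baddr, using PageCache.

        A block whose size is 0x10000 is used as read; any other size is
        passed through xpress.xpress_decode first.
        """
        try:
            return self.PageCache.get(baddr)
        except KeyError:
            data_read = self.base.read(baddr, BlockSize)
            if BlockSize == 0x10000:
                data_uz = data_read
            else:
                data_uz = xpress.xpress_decode(data_read)

            self.PageCache.put(baddr, data_uz)

            return data_uz

    def _partial_read(self, addr, len):
        """ A function which reads as much as possible from the current page.

        May return a short read.
        """
        ## The offset within the page where we start
        page_offset = (addr & 0x00000FFF)

        ## How much data can we satisfy?
        available = min(PAGE_SIZE - page_offset, len)

        ImageXpressHeader, BlockSize, XpressPage = self.get_addr(addr)
        if not ImageXpressHeader:
            return None

        ## The compressed data starts 0x20 bytes after the block header
        baddr = ImageXpressHeader + 0x20

        data = self.read_xpress(baddr, BlockSize)

        ## Each block decompressed contains 2**page_shift pages. We
        ## need to know which page to use here.
        offset = XpressPage * 0x1000 + page_offset

        return data[offset:offset + available]

    def read(self, addr, length, zread = False):
        """Read up to length bytes, page by page, stopping at the first unreadable page.

        When nothing at all could be read the result is a NoneObject, or a
        run of NUL bytes if zread is set.

        NOTE(review): when the first pages are readable and a later one is
        not, the data read so far is returned unpadded even with zread set.
        """
        result = ''
        while length > 0:
            data = self._partial_read(addr, length)
            if not data:
                break

            addr += len(data)
            length -= len(data)
            result += data

        if result == '':
            if zread:
                return ('\0' * length)
            result = obj.NoneObject("Unable to read data at " + str(addr) + " for length " + str(length))

        return result

    def zread(self, addr, length):
        stuff_read = self.read(addr, length, zread = True)
        return stuff_read

    def read_long(self, addr):
        """Read 4 bytes at addr and unpack them with the "=I" struct format.

        Returns a NoneObject when fewer than 4 bytes are available.
        """
        string = self.read(addr, 4)
        # A read that crosses into an unmapped page comes back short;
        # unpack() would raise on it.
        if not string or len(string) != 4:
            return obj.NoneObject("Could not read long at " + str(addr))
        longval, = self._long_struct.unpack(string)
        return longval

    def get_available_pages(self):
        """Return [address, 0x1000] for every page recorded in PageDict."""
        page_list = []
        for _i, xb in enumerate(self.PageDict.keys()):
            for page, _size, _offset in self.PageDict[xb]:
                page_list.append([page * 0x1000, 0x1000])
        return page_list

    def get_address_range(self):
        """ This relates to the logical address range that is indexable """
        size = self.HighestPage * 0x1000 + 0x1000
        return [0, size]

    def check_address_range(self, addr):
        """Raise IOError when addr lies outside get_address_range()."""
        memrange = self.get_address_range()
        if addr < memrange[0] or addr > memrange[1]:
            raise IOError

    def get_available_addresses(self):
        """ This returns the ranges of valid addresses """
        for i in self.AddressList:
            yield i

    def close(self):
        self.base.close()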
class MachOAddressSpace(addrspace.AbstractRunBasedMemory):
    """
    Address space for mach-o files to support atc-ny memory reader

    The mach-o file carries a list of segment commands; each one gives a
    memory address, a file offset and a size.  Those triples become the runs
    used to translate incoming address requests into file contents.

    NOTE(review): the command count and every command size are read from
    the file and used as they are; each command is interpreted as a segment
    command without looking at its type.
    """
    order = 1
    pae = True
    checkname = 'MachOValidAS'

    def __init__(self, base, config, *args, **kwargs):
        """Check the 4-byte signature, record the word size and parse the segments."""
        self.as_assert(base, "mac: need base")

        addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)

        magic = base.read(0, 4)

        ## Only the two signatures below are accepted
        if magic == '\xcf\xfa\xed\xfe':
            self.bits = 64
        elif magic == '\xce\xfa\xed\xfe':
            self.bits = 32
        else:
            self.as_assert(0, "MachO Header signature invalid")

        self.runs = []
        self.header = None
        self.addr_cache = {}
        self.parse_macho()

    def get_object_name(self, object):
        """Return the structure name to use, with "_64" appended for 64-bit files."""
        needs_suffix = self.bits == 64 and object in ["mach_header", "segment_command", "section"]
        if needs_suffix:
            return object + "_64"
        return object

    def get_available_addresses(self):
        """Yield (address, size) for every run."""
        for start, _fileoff, size in self.runs:
            yield start, size

    def get_header(self):
        return self.header

    def parse_macho(self):
        """Read the header and turn each of its ncmds commands into a run."""
        self.runs = []

        mach_header = self.get_object_name("mach_header")
        cursor = self.profile.get_obj_size(mach_header)

        self.header = obj.Object(mach_header, 0, self.base)
        self.segs = []

        for _ in xrange(0, self.header.ncmds):
            segment = obj.Object(self.get_object_name("segment_command"), cursor, self.base)
            self.segs.append(segment)
            # Store plain ints so the values are not re-read from the file
            # each time the runs list is consulted
            self.runs.append((int(segment.vmaddr), int(segment.fileoff), int(segment.vmsize)))
            cursor = cursor + segment.cmdsize
# """ An AS for processing Windows Bitmap crash dumps """ import struct import volatility.obj as obj import volatility.addrspace as addrspace import volatility.plugins.addrspaces.crash as crash #pylint: disable-msg=C0111 class BitmapDmpVTypes(obj.ProfileModification): conditions = {'os': lambda x: x == 'windows', 'memory_model': lambda x: x == "64bit"} def modification(self, profile): profile.vtypes.update({ '_FULL_DUMP64' : [ 0x38, { 'Signature' : [ 0x0, ['array', 4, ['unsigned char']]], 'ValidDump' : [ 0x4, ['array', 4, ['unsigned char']]], 'DumpOptions' : [ 0x8, ['unsigned long long']], 'HeaderSize' : [ 0x20, ['unsigned long long']], 'BitmapSize' : [ 0x28, ['unsigned long long']], 'Pages' : [ 0x30, ['unsigned long long']], 'Buffer' : [ 0x38, ['array', lambda x: (x.BitmapSize+7) / 0x8, ['unsigned char']]], 'Buffer2' : [ 0x38, ['array', lambda x: (x.BitmapSize + 31) / 32, ['unsigned long']]], } ], }) class WindowsCrashDumpSpace64BitMap(crash.WindowsCrashDumpSpace32): """ This AS supports Windows BitMap Crash Dump format """ order = 29 dumpsig = 'PAGEDU64' headertype = "_DMP_HEADER64" headerpages = 0x13 bitmaphdroffset = 0x2000 def __init__(self, base, config, **kwargs): ## We must have an AS below us self.as_assert(base, "No base Address Space") addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs) ## Must start with the magic PAGEDUMP self.as_assert((base.read(0, 8) == self.dumpsig), "Header signature invalid") self.as_assert(self.profile.has_type(self.headertype), self.headertype + " not available in profile") self.header = obj.Object(self.headertype, 0, base) # This address space supports Windows Bitmap crash dump files # which, based on empirical tests, have a DumpType of 0x5. 
self.as_assert((self.header.DumpType == 5), "Unsupported dump format") # Instantiate the Summary/Full Bitmap header self.bitmaphdr = obj.Object("_FULL_DUMP64", self.bitmaphdroffset, base) # Create a cached version of the Header/Bitmap to reduce I/O fdmp_buff = base.read(self.bitmaphdroffset, self.bitmaphdr.HeaderSize-self.bitmaphdroffset) bufferas = addrspace.BufferAddressSpace(self._config, data = fdmp_buff) self.bitmaphdr2 = obj.Object('_FULL_DUMP64', vm = bufferas, offset = 0) firstbit = None # First bit in a run firstoffset = 0 # File offset of first bit lastbit = None # Last bit in a run lastbitseen = 0 # Most recent bit processed offset = self.bitmaphdr2.HeaderSize # Size of file headers for i in range(0, ((self.bitmaphdr2.BitmapSize + 31) / 32)): if self.bitmaphdr.Buffer2[i] == 0: if firstbit != None: lastbit = ((i - 1) * 32) + 31 self.runs.append((firstbit * 0x1000, firstoffset, (lastbit - firstbit + 1) * 0x1000)) firstbit = None elif self.bitmaphdr.Buffer2[i] == 0xFFFFFFFF: if firstbit == None: firstoffset = offset firstbit = i * 32 offset = offset + (32 * 0x1000) else: wordoffset = i * 32 for j in range(0, 32): BitAddr = wordoffset + j ByteOffset = BitAddr >> 3 ByteAddress = (self.bitmaphdr2.Buffer[ByteOffset]) ShiftCount = (BitAddr & 0x7) if ((ByteAddress >> ShiftCount) & 1): if firstbit == None: firstoffset = offset firstbit = BitAddr offset = offset + 0x1000 else: if firstbit != None: lastbit = BitAddr - 1 self.runs.append((firstbit * 0x1000, firstoffset, (lastbit - firstbit + 1) * 0x1000)) firstbit = None lastbitseen = (i * 32) + 31 if firstbit != None: self.runs.append((firstbit * 0x1000, firstoffset, (lastbitseen - firstbit + 1) * 0x1000)) self.dtb = self.header.DirectoryTableBase.v() volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/__init__.py0000644000000000000000000000000013131215405025226 0ustar rootrootvolatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/hpak.py0000644000000000000000000001075113131215405024430 0ustar 
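class HPAKVTypes(obj.ProfileModification):
    """Add the HPAK_HEADER and HPAK_SECTION structures and bind HPAK_HEADER to its class."""

    def modification(self, profile):
        profile.vtypes.update({
            'HPAK_HEADER' : [ 0x20, {
                'Magic' : [ 0, ['String', dict(length = 4)]],
            }],
            'HPAK_SECTION': [ 0xE0, {
                'Header' : [ 0, ['String', dict(length = 32)]],
                'Compressed' : [ 0x8C, ['unsigned int']],
                'Length' : [ 0x98, ['unsigned long long']],
                'Offset' : [ 0xA8, ['unsigned long long']],
                'NextSection' : [ 0xB0, ['unsigned long long']],
                'CompressedSize' : [ 0xB8, ['unsigned long long']],
                'Name' : [ 0xD4, ['String', dict(length = 12)]],
            }],
        })
        profile.object_classes.update({'HPAK_HEADER': HPAK_HEADER})

class HPAK_HEADER(obj.CType):
    """A class for B.S. Hairy headers"""

    def Sections(self):
        """Yield each HPAK_SECTION, following the NextSection values.

        The first section sits directly after the header.  Iteration ends
        at the first section that is not valid, or when a NextSection value
        leads back to a section that was already yielded.
        """
        ## The initial section object
        section = obj.Object("HPAK_SECTION",
                             offset = self.obj_vm.profile.get_obj_size("HPAK_HEADER"),
                             vm = self.obj_vm)

        ## NextSection is read from the file; remember where we have been so
        ## a chain that loops back on itself cannot keep us here forever.
        visited = set()

        ## Iterate through the sections
        while section.is_valid():
            if section.obj_offset in visited:
                break
            visited.add(section.obj_offset)
            yield section
            section = section.NextSection.dereference_as("HPAK_SECTION")

class HPAKAddressSpace(standard.FileAddressSpace):
    """ This AS supports the HPAK format """

    order = 30

    def __init__(self, base, config, **kwargs):
        """Check the HPAK magic and locate the physical memory section."""
        ## We must have an AS below us
        self.as_assert(base, "No base Address Space")
        standard.FileAddressSpace.__init__(self, base, config, layered = True, **kwargs)

        self.header = obj.Object("HPAK_HEADER", offset = 0, vm = base)

        ## Check the magic
        self.as_assert(self.header.Magic == 'HPAK', "Invalid magic found")

        self.physmem = None

        ## cycle though looking for the PHYSDUMP header
        for section in self.header.Sections():
            if str(section.Header) == "HPAKSECTHPAK_SECTION_PHYSDUMP":
                self.physmem = section
                break

        self.as_assert(self.physmem is not None, "Cannot find the PHYSDUMP section")

    def read(self, addr, length):
        """Read from the base AS, shifted by the PHYSDUMP section's Offset."""
        return self.base.read(addr + self.physmem.Offset, length)

    def zread(self, addr, length):
        """Zero-padded read from the base AS, shifted by the section's Offset."""
        return self.base.zread(addr + self.physmem.Offset, length)

    def is_valid_address(self, addr):
        return self.base.is_valid_address(addr + self.physmem.Offset)

    def get_header(self):
        return self.header

    def convert_to_raw(self, outfd):
        """The standard imageinfo plugin won't work on
        hpak images so we provide this method. It wraps
        the zlib compression if necessary

        The section is copied to outfd in 4096-byte reads.  When the
        section's Compressed field is 1, CompressedSize bytes are read and
        passed through a zlib decompressor; otherwise Length bytes are
        copied unchanged.  Returns True.

        NOTE(review): the amount written for a compressed section depends
        only on the compressed stream; nothing here compares it with the
        section's Length field or caps it.
        """
        zlibdec = zlib.decompressobj(16 + zlib.MAX_WBITS)

        if self.physmem.Compressed == 1:
            length = self.physmem.CompressedSize
        else:
            length = self.physmem.Length

        chunk_size = 4096
        chunks = length / chunk_size

        def get_chunk(addr, size):
            data = self.base.read(addr, size)
            if self.physmem.Compressed == 1:
                data = zlibdec.decompress(data)
            return data

        for i in range(chunks):
            addr = self.physmem.Offset + i * chunk_size
            data = get_chunk(addr, chunk_size)
            outfd.write(data)

        leftover = length % chunk_size

        if leftover > 0:
            ## Compute the tail address directly rather than from the loop
            ## variable, which is never assigned when the section is
            ## shorter than one chunk.
            tail_addr = self.physmem.Offset + chunks * chunk_size
            data = get_chunk(tail_addr, leftover)
            outfd.write(data)

        return True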
# import struct import volatility.obj as obj import volatility.debug as debug #pylint: disable-msg=W0611 import volatility.plugins.addrspaces.paged as paged class ArmAddressSpace(paged.AbstractWritablePagedMemory): """Address space for ARM processors""" order = 800 pae = False paging_address_space = True checkname = 'ArmValidAS' minimum_size = 0x1000 alignment_gcd = 0x1000 _long_struct = struct.Struct("> 20) # 1st Level Descriptor def pde_value(self, vaddr): return self.read_long_phys(self.dtb | (self.pde_index(vaddr) << 2)) # 2nd Level Page Table Index (Course Pages) def pde2_index(self, vaddr): return ((vaddr >> 12) & 0x0FF) # 2nd Level Page Table Descriptor (Course Pages) def pde2_value(self, vaddr, pde): return self.read_long_phys((pde & 0xFFFFFC00) | (self.pde2_index(vaddr) << 2)) # 2nd Level Page Table Index (Fine Pages) def pde2_index_fine(self, vaddr): return ((vaddr >> 10) & 0x3FF) # 2nd Level Page Table Descriptor (Fine Pages) def pde2_value_fine(self, vaddr, pde): return self.read_long_phys((pde & 0xFFFFF000) | (self.pde2_index_fine(vaddr) << 2)) def get_pte(self, vaddr, pde_value): # page table if (pde_value & 0b11) == 0b00: # If bits[1:0] == 0b00, the associated modified virtual addresses are unmapped, # and attempts to access them generate a translation fault debug.debug("get_pte: invalid pde_value {0:x}".format(pde_value)) return None elif (pde_value & 0b11) == 0b10: # If bits[1:0] == 0b10, the entry is a section descriptor for its associated modified virtual addresses. 
# If bit[18] is set, optional supersections are used, which we don't support yet issuper = int(pde_value & (1 << 18)) if issuper: # TODO: Implement Supersection support if needed debug.warning("supersection found") return None else: return ((pde_value & 0xFFE00000) | (vaddr & 0x1FFFFF)) elif (pde_value & 0b11) == 0b01: # If bits[1:0] == 0b01, the entry gives the physical address of a coarse second-level table, that specifies # how the associated 1MB modified virtual address range is mapped. pde2_value = self.pde2_value(vaddr, pde_value) if not pde2_value: debug.debug("no pde2_value", 4) return None if (pde2_value & 0b11) == 0b01: # 64K large pages return ((pde2_value & 0xFFFF0000) | (vaddr & 0x0000FFFF)) elif (pde2_value & 0b11) == 0b10 or (pde2_value & 0b11) == 0b11: # 4K small pages return ((pde2_value & 0xFFFFF000) | (vaddr & 0x00000FFF)) else: debug.warning("get_pte: invalid course pde2_value {0:x}".format(pde2_value)) return None elif (pde_value & 0b11) == 0b11: # If bits[1:0] == 0b11, the entry gives the physical address of a fine second-level table. A fine # second-level page table specifies how the associated 1MB modified virtual address range is mapped. 
pde2_value = self.pde2_value_fine(vaddr, pde_value) if not pde2_value: debug.debug("no pde2_value", 4) return None if (pde2_value & 0b11) == 0b01: # 64K large pages return ((pde2_value & 0xFFFF0000) | (vaddr & 0x0000FFFF)) elif (pde2_value & 0b11) == 0b10: # 4K small pages return ((pde2_value & 0xFFFFF000) | (vaddr & 0x00000FFF)) elif (pde2_value & 0b11) == 0b11: #1k tiny pages return ((pde2_value & 0xFFFFFC00) | (vaddr & 0x3FF)) else: debug.warning("get_pte: invalid fine pde2_value {0:x}".format(pde2_value)) return None def vtop(self, vaddr): debug.debug("\n--vtop start: {0:x}".format(vaddr), 4) pde_value = self.pde_value(vaddr) if not pde_value: debug.debug("no pde_value", 4) return None debug.debug("!!!pde_value: {0:x}".format(pde_value), 4) pte_value = self.get_pte(vaddr, pde_value) return pte_value # FIXME # this is supposed to return all valid physical addresses based on the current dtb # this (may?) be painful to write due to ARM's different page table types and having small & large pages inside of those def get_available_pages(self): for i in xrange(0, (2 ** 32) - 1, 4096): yield (i, 0x1000) volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/ieee1394.py0000644000000000000000000002214713131215405024737 0ustar rootroot# Volatility # # Authors: # Mike Auty # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

import time
import volatility.debug as debug
import urlparse
import volatility.addrspace as addrspace

# TODO: Remove this once we no longer support old/broken versions of urlparse (2.6.2)
check = urlparse.urlsplit("firewire://method/0")
# True when this urlparse does not split the netloc out of a firewire:// URL
urlparse_broken = check[1] != 'method'

def FirewireRW(netloc, location):
    """Instantiate the firewire backend registered under `netloc`.

    Returns None when no backend of that name was registered in
    fw_implementations (which is filled in at the bottom of this module).
    """
    if netloc not in fw_implementations:
        return None
    return fw_implementations[netloc](location)

class FWRaw1394(object):
    """Backend built on the `firewire` module (registered as 'raw1394')"""

    def __init__(self, location):
        # location is split on '/' into bus and node
        parts = location.split('/')
        self.bus = parts[0]
        self.node = parts[1]
        self._node = None

    def is_valid(self):
        """Initializes the firewire implementation"""
        self._node = None
        try:
            host = firewire.Host()
            self._node = host[self.bus][self.node]
            return True, "Valid"
        except IndexError:
            return False, "Firewire node " + str(self.node) + " on bus " + str(self.bus) + " was not accessible"
        except IOError as e:
            return False, "Firewire device IO error - " + str(e)
        return False, "Unknown Error occurred"

    def read(self, addr, length):
        """Reads bytes from the specified address"""
        return self._node.read(addr, length)

    def write(self, addr, buf):
        """Writes buf bytes at addr"""
        return self._node.write(addr, buf)

class FWForensic1394(object):
    """Backend built on the `forensic1394` module"""

    def __init__(self, location):
        """Initializes the firewire implementation"""
        self.location = location.strip('/')
        debug.info("Waiting for 5s firewire to settle")
        self._bus = forensic1394.Bus()
        self._bus.enable_sbp2()
        time.sleep(5)
        self._device = None

    def is_valid(self):
        """Open the device whose index is given by the location.

        Returns a (bool, reason) pair; only IOError is turned into a
        failure result here.
        """
        try:
            found = self._bus.devices()
            # FIXME: Base the device off the location rather than hardcoded first remote device
            self._device = found[int(self.location)]
            # Certain Firewire cards misreport their maximum request size, notably Ricoh onboard chipsets
            # Uncomment the line below for such broken hardware
            # self._device._request_size = 1024
            if not self._device.isopen():
                self._device.open()
            # The device requires time to settle before it can be used
            return True, "Valid"
        except IOError as e:
            print repr(e)
            return False, "Forensic1394 returned an exception: " + str(e)
        return False, "Unknown Error occurred"

    def read(self, addr, length):
        """Reads bytes from the specified address"""
        return self._device.read(addr, length)

    def write(self, addr, buf):
        """Writes buf bytes at addr"""
        return self._device.write(addr, buf)

class FirewireAddressSpace(addrspace.BaseAddressSpace):
    """A physical layer address space that provides access via firewire"""

    ## We should be *almost* the AS of last resort
    order = 99

    def __init__(self, base, config, **kargs):
        """Parse config.LOCATION as a firewire:// URL and bring up its backend.

        The URL's netloc selects the backend and its path is handed to the
        backend as the location.
        """
        self.as_assert(base == None, 'Must be first Address Space')
        try:
            (scheme, netloc, path, _, _, _) = urlparse.urlparse(config.LOCATION)
            self.as_assert(scheme == 'firewire', 'Not a firewire URN')
            if urlparse_broken:
                # Old urlparse leaves everything in path; split netloc out by hand
                if path.startswith('//') and path[2:].find('/') > 0:
                    firstslash = path[2:].find('/')
                    netloc = path[2:firstslash + 2]
                    path = path[firstslash + 3:]
            self._fwimpl = FirewireRW(netloc, path)
        except (AttributeError, ValueError):
            self.as_assert(False, "Unable to parse {0} as a URL".format(config.LOCATION))
        addrspace.BaseAddressSpace.__init__(self, base, config, **kargs)
        self.as_assert(self._fwimpl is not None, "Unable to locate {0} implementation.".format(netloc))
        valid, reason = self._fwimpl.is_valid()
        self.as_assert(valid, reason)

        # We have a list of exclusions because we know that trying to read anything in these sections
        # will cause the target machine to bluescreen
        # Exceptions are in the form (start, length, "Reason")
        self._exclusions = sorted([(0xa0000, 0xfffff - 0xa0000, "Upper Memory Area")])

        self.name = "Firewire using " + str(netloc) + " at " + str(path)
        # We have no way of knowing how big a firewire space is...
        # Set it to the maximum for the moment
        # TODO: Find a way of determining the size safely and reliably from the space itself
        self.size = 0xFFFFFFFF

    def intervals(self, start, size):
        """Returns a list of intervals, from start of length size, that do not include the exclusions"""
        return self._intervals(sorted(self._exclusions), start, size + start, [])

    def _intervals(self, exclusions, start, end, accumulator):
        """Accepts a sorted list of intervals and a start and end

           This will return a list of intervals between start and end
           that does not contain any of the intervals in the list of exclusions.
        """
        if not len(exclusions):
            # We're done
            return accumulator + [(start, end - start)]

        first, remaining = exclusions[0], exclusions[1:]
        estart = first[0]
        eend = first[1] + estart

        # e and range overlap
        if (eend < start or estart > end):
            # Ignore this exclusion
            return self._intervals(remaining, start, end, accumulator)

        if estart < start:
            if eend < end:
                # Covers the start of the remaining length
                return self._intervals(remaining, eend, end, accumulator)
            # Covers the entire remaining area
            return accumulator

        if eend < end:
            # Covers a section of the remaining length
            return self._intervals(remaining, eend, end, accumulator + [(start, estart - start)])
        # Covers the end of the remaining length
        return accumulator + [(start, estart - start)]

    def read(self, offset, length):
        """Reads a specified size in bytes from the current offset

           Fills any excluded holes with zeros (so in that sense, similar to zread)
        """
        ints = self.intervals(offset, length)
        output = "\x00" * length
        try:
            for datstart, datlen in ints:
                if datlen > 0:
                    # node.read won't work on 0 byte
                    readdata = self._fwimpl.read(datstart, datlen)
                    # I'm not sure why, but sometimes readdata comes out longer than the requested size
                    # We just truncate it to the right length
                    rel = datstart - offset
                    output = output[:rel] + readdata[:datlen] + output[rel + datlen:]
        except IOError as e:
            print repr(e)
            raise RuntimeError("Failed to read from firewire device")
        self.as_assert(len(output) == length, "Firewire read lengths failed to match")
        return output

    def zread(self, offset, length):
        """ Delegate padded reads to normal read, since errors reading
            the physical address should probably be reported back to the user
        """
        return self.read(offset, length)

    def write(self, offset, data):
        """Writes a specified size in bytes"""
        # Writing to the target is refused unless the WRITE option is set
        if not self._config.WRITE:
            return False

        ints = self.intervals(offset, len(data))
        try:
            for datstart, datlen in ints:
                if datlen > 0:
                    rel = datstart - offset
                    self._fwimpl.write(datstart, data[rel:rel + datlen])
        except IOError:
            raise RuntimeError("Failed to write to the firewire device")
        return True

    def get_address_range(self):
        """Returns the size of the address range"""
        return [0, self.size - 1]

    def get_available_addresses(self):
        """Returns a list of available addresses"""
        for interval in self.intervals(0, self.size):
            yield interval

# Backends are registered only when their supporting module can be imported
fw_implementations = {}

try:
    import firewire #pylint: disable-msg=F0401
    fw_implementations['raw1394'] = FWRaw1394
except ImportError:
    pass

try:
    import forensic1394 #pylint: disable-msg=F0401
    fw_implementations['forensic1394'] = FWForensic1394
except ImportError:
    pass

# With no backend available the address space is disabled altogether
if not len(fw_implementations):
    FirewireAddressSpace = None
volatility_2.6+git20170711.b3db0cc/volatility/plugins/addrspaces/osxpmemelf.py0000644000000000000000000000505113131215405025661 0ustar rootroot# Volatility
# Copyright (C) 2007-2014 Volatility Foundation
#
# Authors:
# phil@teuwen.org (Philippe Teuwen)
# espen@mrfjo.org (Espen Fjellvaer Olsen)
# justincapella@gmail.com (Justin Capella)
# michael.ligh@mnin.org (Michael Ligh)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # # References: # VirtualBox core format: # http://www.virtualbox.org/manual/ch12.html#guestcoreformat # http://www.virtualbox.org/svn/vbox/trunk/include/VBox/vmm/dbgfcorefmt.h # http://www.virtualbox.org/svn/vbox/trunk/src/VBox/VMM/VMMR3/DBGFCoreWrite.cpp import volatility.obj as obj import volatility.addrspace as addrspace #pylint: disable-msg=C0111 class OSXPmemELF(addrspace.AbstractRunBasedMemory): """ This AS supports VirtualBox ELF64 coredump format """ order = 90 def __init__(self, base, config, **kwargs): ## We must have an AS below us self.as_assert(base, "No base Address Space") addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs) ## Quick test (before instantiating an object) ## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB ## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'], "ELF Header signature invalid") ## Base AS should be a file AS elf = obj.Object("elf_hdr", offset = 0, vm = base) ## The PT_NOTE core descriptor structure self.header = None for phdr in elf.program_headers(): # Only keep load segments with valid file sizes if (str(phdr.p_type) != 'PT_LOAD' or phdr.p_filesz == 0 or phdr.p_filesz != phdr.p_memsz): continue self.runs.append((int(phdr.p_paddr), int(phdr.p_offset), int(phdr.p_memsz))) self.as_assert(len(self.runs) > 0, "No PT_LOAD segments found") volatility_2.6+git20170711.b3db0cc/volatility/plugins/timeliner.py0000644000000000000000000006674613131215405023403 0ustar rootroot# Volatility # Copyright (C) 2008-2013 Volatility Foundation # Copyright (C) 2011 Jamie Levy (Gleeda) # # This file 
is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Jamie Levy (gleeda) @license: GNU General Public License 2.0 @contact: jamie@memoryanalysis.net @organization: Volatility Foundation """ import volatility.plugins.common as common import volatility.plugins.registry.registryapi as registryapi import volatility.plugins.taskmods as taskmods import volatility.plugins.registry.shimcache as shimcache import volatility.plugins.filescan as filescan import volatility.plugins.sockets as sockets import volatility.plugins.sockscan as sockscan import volatility.plugins.modscan as modscan import volatility.plugins.moddump as moddump import volatility.plugins.netscan as netscan import volatility.plugins.evtlogs as evtlogs import volatility.plugins.malware.psxview as psxview import volatility.plugins.malware.malfind as malfind import volatility.plugins.malware.timers as timers import volatility.plugins.registry.userassist as userassist import volatility.plugins.imageinfo as imageinfo import volatility.win32.rawreg as rawreg import volatility.addrspace as addrspace import volatility.win32.tasks as tasks import volatility.utils as utils import volatility.protos as protos import volatility.plugins.iehistory as iehistory import os, sys, ntpath import struct import volatility.debug as debug import volatility.obj as obj import datetime from volatility.renderers import TreeGrid class 
Win7LdrDataTableEntry(obj.ProfileModification): before = ['WindowsOverlay'] conditions = {'os': lambda x: x == 'windows', 'major': lambda x: x == 6, 'minor': lambda x: x >= 1} def modification(self, profile): overlay = {'_LDR_DATA_TABLE_ENTRY': [ None, { 'LoadTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]], }], # these timestamps need more research for format #'_MMSUPPORT': [ None, { # 'LastTrimStamp': [ None, ['None', dict(is_utc = True)]], # }], #'_MMPTE_TIMESTAMP': [ None, { # 'GlobalTimeStamp' : [ None, ['None', dict(is_utc = True)]], # }], } profile.merge_overlay(overlay) class Win7SP1CMHIVE(obj.ProfileModification): before = ['WindowsOverlay'] conditions = {'os': lambda x: x == 'windows', 'major': lambda x: x == 6, 'minor': lambda x: x >= 1, 'build': lambda x: x >= 7601} def modification(self, profile): overlay = {'_CMHIVE': [ None, { 'LastWriteTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]], }]} profile.merge_overlay(overlay) class WinXPTrim(obj.ProfileModification): before = ['WindowsOverlay'] conditions = {'os': lambda x: x == 'windows', 'major': lambda x: x == 5, } def modification(self, profile): overlay = {'_MMSUPPORT': [ None, { 'LastTrimTime': [ None, ['WinTimeStamp', dict(is_utc = True)]], }], } profile.merge_overlay(overlay) class WinAllTime(obj.ProfileModification): before = ['WindowsOverlay'] conditions = {'os': lambda x: x == 'windows',} def modification(self, profile): overlay = {'_HBASE_BLOCK': [ None, { 'TimeStamp' : [ None, ['WinTimeStamp', dict(is_utc = True)]], }], '_CM_KEY_CONTROL_BLOCK': [ None, { 'KcbLastWriteTime': [ None, ['WinTimeStamp', dict(is_utc = True)]], }], '_IMAGE_DEBUG_DIRECTORY': [ None, { 'TimeDateStamp': [ None, ['UnixTimeStamp', dict(is_utc = True)]], }], } profile.merge_overlay(overlay) class TimeLiner(common.AbstractWindowsCommand): """ Creates a timeline from various artifacts in memory """ def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) 
config.remove_option("SAVE-EVT") config.remove_option("HIVE-OFFSET") config.remove_option("KEY") config.remove_option("BASE") config.remove_option("REGEX") config.remove_option("IGNORE-CASE") config.remove_option("DUMP-DIR") config.remove_option("OFFSET") config.remove_option("PID") config.remove_option("UNSAFE") self.types = ["Process", "Socket", "Shimcache", "Userassist", "IEHistory", "Thread", "Symlink", "Timer", "_CM_KEY_BODY", "LoadTime", "TimeDateStamp", "_HBASE_BLOCK", "_CMHIVE", "EvtLog", "ImageDate"] config.add_option('HIVE', short_option = 'H', help = 'Gather Timestamps from a Particular Registry Hive', type = 'str') config.add_option('USER', short_option = 'U', help = 'Gather Timestamps from a Particular User\'s Hive(s)', type = 'str') config.add_option("MACHINE", default = "", help = "Machine name to add to timeline header") config.add_option("TYPE", default = "".join([",".join(x for x in sorted(self.types))]), help = "Type of artifact to use in timeline (default is all, but \"Registry\")") def unified_output(self, data): return TreeGrid([("Start", str), ("Header", str), ("Item", str), ("Details", str)], self.generator(data)) def generator(self, data): for line in data: yield (0, line.split("|")) # leaving render_text in for now def render_text(self, outfd, data): for line in data: if line != None: outfd.write("{0}\n".format(line)) def render_body(self, outfd, data): for line in data: if line != None: outfd.write(line) def getoutput(self, header, start, end = None, body = False): if body: try: if end == None: return "0|{0}|0|---------------|0|0|0|{1}|{1}|{1}|{1}\n".format(header, start.v()) else: return "0|{0}|0|---------------|0|0|0|{1}|{2}|{1}|{1}\n".format(header, start.v(), end.v()) except ValueError, ve: return "0|{0}|0|---------------|0|0|0|{1}|{1}|{1}|{1}\n".format(header, 0) else: try: if end == None or end.v() == 0: return "{0}|{1}".format(start, header) else: return "{0}|{1} End: {2}".format(start, header, end) except ValueError, ve: return 
"{0}|{1}".format(-1, header) def calculate(self): if (self._config.HIVE or self._config.USER) and "Registry" not in self._config.TYPE: debug.error("You must use --registry in conjuction with -H/--hive and/or -U/--user") if self._config.TYPE != None: for t in self._config.TYPE.split(","): if t.strip() not in self.types and t.strip() != "Registry": debug.error("You have entered an incorrect type: {0}".format(t)) addr_space = utils.load_as(self._config) version = (addr_space.profile.metadata.get('major', 0), addr_space.profile.metadata.get('minor', 0)) pids = {} #dictionary of process IDs/ImageFileName body = False if self._config.OUTPUT == "body": body = True if self._config.MACHINE != "": self._config.update("MACHINE", "{0} ".format(self._config.MACHINE)) if "ImageDate" in self._config.TYPE: im = imageinfo.ImageInfo(self._config).get_image_time(addr_space) yield self.getoutput("[{0}LIVE RESPONSE]{1} (System time){1}".format( self._config.MACHINE, "" if body else "|"), im['ImageDatetime'], body = body) if version <= (6, 1) and "IEHistory" in self._config.TYPE: self._config.update("LEAK", True) data = iehistory.IEHistory(self._config).calculate() for process, record in data: ## Extended fields are available for these records if record.obj_name == "_URL_RECORD": line = "[{6}IEHISTORY]{0} {1}->{5}{0} PID: {2}/Cache type \"{3}\" at {4:#x}".format( "" if body else "|", process.ImageFileName, process.UniqueProcessId, record.Signature, record.obj_offset, record.Url, self._config.MACHINE) yield self.getoutput(line, record.LastModified, end = record.LastAccessed, body = body) self._config.remove_option("REDR") self._config.remove_option("LEAK") psx = [] if "Process" in self._config.Type or "TimeDateStamp" in self._config.Type or \ "LoadTime" in self._config.Type or "_CM_KEY_BODY" in self._config.Type: psx = psxview.PsXview(self._config).calculate() for offset, eprocess, ps_sources in psx: pids[eprocess.UniqueProcessId.v()] = eprocess.ImageFileName if "Process" in 
self._config.TYPE: line = "[{5}PROCESS]{0} {1}{0} PID: {2}/PPID: {3}/POffset: 0x{4:08x}".format( "" if body else "|", eprocess.ImageFileName, eprocess.UniqueProcessId, eprocess.InheritedFromUniqueProcessId, offset, self._config.MACHINE) yield self.getoutput(line, eprocess.CreateTime, end = eprocess.ExitTime, body = body) if not hasattr(eprocess.obj_vm, "vtop"): eprocess = taskmods.DllList(self._config).virtual_process_from_physical_offset(addr_space, eprocess.obj_offset) if eprocess == None: continue else: ps_ad = eprocess.get_process_address_space() if ps_ad == None: continue if version[0] == 5 and "Process" in self._config.TYPE: line = "[{5}PROCESS LastTrimTime]{0} {1}{0} PID: {2}/PPID: {3}/POffset: 0x{4:08x}".format( "" if body else "|", eprocess.ImageFileName, eprocess.UniqueProcessId, eprocess.InheritedFromUniqueProcessId, offset, self._config.MACHINE) yield self.getoutput(line, eprocess.Vm.LastTrimTime, body = body) if eprocess.ObjectTable.HandleTableList and "_CM_KEY_BODY" in self._config.TYPE: for handle in eprocess.ObjectTable.handles(): if not handle.is_valid(): continue name = "" object_type = handle.get_object_type() if object_type == "Key": key_obj = handle.dereference_as("_CM_KEY_BODY") name = key_obj.full_key_name() line = "[{6}Handle (Key)]{0} {1}{0} {2} PID: {3}/PPID: {4}/POffset: 0x{5:08x}".format( "" if body else "|", name, eprocess.ImageFileName, eprocess.UniqueProcessId, eprocess.InheritedFromUniqueProcessId, offset, self._config.MACHINE) yield self.getoutput(line, key_obj.KeyControlBlock.KcbLastWriteTime, body = body) if eprocess.Peb == None or eprocess.Peb.ImageBaseAddress == None: continue # Get DLL PE timestamps for Wow64 processes (excluding 64-bit ones) if eprocess.IsWow64 and "TimeDateStamp" in self._config.TYPE: for vad, address_space in eprocess.get_vads(vad_filter = eprocess._mapped_file_filter): if vad.FileObject.FileName: name = str(vad.FileObject.FileName).lower() basename = ntpath.basename(name) if not basename.endswith("dll") or 
basename in ["wow64cpu.dll", "ntdll.dll", "wow64.dll", "wow64win.dll"]: continue data = ps_ad.zread(vad.Start, vad.Length) bufferas = addrspace.BufferAddressSpace(self._config, data = data) try: pe_file = obj.Object("_IMAGE_DOS_HEADER", offset = 0, vm = bufferas) header = pe_file.get_nt_header() except ValueError, ve: continue line = "[{7}PE HEADER 32-bit (dll)]{0} {4}{0} Process: {1}/PID: {2}/PPID: {3}/Process POffset: 0x{5:08x}/DLL Base: 0x{6:08x}".format( "" if body else "|", eprocess.ImageFileName, eprocess.UniqueProcessId, eprocess.InheritedFromUniqueProcessId, basename, offset, vad.Start, self._config.MACHINE) yield self.getoutput(line, header.FileHeader.TimeDateStamp, body = body) # get DLL PE timestamps mods = dict() if "TimeDateStamp" in self._config.TYPE or "LoadTime" in self._config.TYPE: mods = dict((mod.DllBase.v(), mod) for mod in eprocess.get_load_modules()) for mod in mods.values(): basename = str(mod.BaseDllName or "") if basename == str(eprocess.ImageFileName): line = "[{7}PE HEADER (exe)]{0} {4}{0} Process: {1}/PID: {2}/PPID: {3}/Process POffset: 0x{5:08x}/DLL Base: 0x{6:08x}".format( "" if body else "|", eprocess.ImageFileName, eprocess.UniqueProcessId, eprocess.InheritedFromUniqueProcessId, basename, offset, mod.DllBase.v(), self._config.MACHINE) else: line = "[{7}PE HEADER (dll)]{0} {4}{0} Process: {1}/PID: {2}/PPID: {3}/Process POffset: 0x{5:08x}/DLL Base: 0x{6:08x}".format( "" if body else "|", eprocess.ImageFileName, eprocess.UniqueProcessId, eprocess.InheritedFromUniqueProcessId, basename, offset, mod.DllBase.v(), self._config.MACHINE) if "TimeDateStamp" in self._config.TYPE: yield self.getoutput(line, mod.TimeDateStamp, body = body) line2 = "[{7}PE DEBUG]{0} {4}{0} Process: {1}/PID: {2}/PPID: {3}/Process POffset: 0x{5:08x}/DLL Base: 0x{6:08x}".format( "" if body else "|", eprocess.ImageFileName, eprocess.UniqueProcessId, eprocess.InheritedFromUniqueProcessId, basename, offset, mod.DllBase.v(), self._config.MACHINE) yield 
self.getoutput(line2, mod.get_debug_directory().TimeDateStamp, body = body) if hasattr(mod, "LoadTime") and "LoadTime" in self._config.TYPE: temp = line.replace("[{0}PE HEADER ".format(self._config.MACHINE), "[{0}DLL LOADTIME ".format(self._config.MACHINE)) yield self.getoutput(temp, mod.LoadTime, body = body) # Get Sockets and Evtlogs XP/2k3 only if version[0] == 5: #socks = sockets.Sockets(self._config).calculate() socks = [] if "Socket" in self._config.TYPE: socks = sockscan.SockScan(self._config).calculate() # you can use sockscan instead if you uncomment for sock in socks: la = "{0}:{1}".format(sock.LocalIpAddress, sock.LocalPort) line = "[{6}SOCKET]{0} LocalIP: {2}/Protocol: {3}({4}){0} PID: {1}/POffset: 0x{5:#010x}".format( "" if body else "|", sock.Pid, la, sock.Protocol, protos.protos.get(sock.Protocol.v(), "-"), sock.obj_offset, self._config.MACHINE) yield self.getoutput(line, sock.CreateTime, body = body) stuff = [] if "EvtLog" in self._config.TYPE: evt = evtlogs.EvtLogs(self._config) stuff = evt.calculate() for name, buf in stuff: for fields in evt.parse_evt_info(name, buf, rawtime = True): line = "[{8}EVT LOG]{0} {1}{0} {2}/{3}/{4}/{5}/{6}/{7}".format("" if body else "|", fields[1], fields[2], fields[3], fields[4], fields[5], fields[6], fields[7], self._config.MACHINE) yield self.getoutput(line, fields[0], body = body) elif version <= (6, 1): # Vista+ nets = [] if "Socket" in self._config.TYPE: nets = netscan.Netscan(self._config).calculate() for net_object, proto, laddr, lport, raddr, rport, state in nets: conn = "{0}:{1} -> {2}:{3}".format(laddr, lport, raddr, rport) line = "[{6}NETWORK CONNECTION]{0} {2}{0} {1}/{3}/{4}/{5:<#10x}".format( "" if body else "|", net_object.Owner.UniqueProcessId, conn, proto, state, net_object.obj_offset, self._config.MACHINE) yield self.getoutput(line, net_object.CreateTime, body = body) # Get threads threads = [] if "Thread" in self._config.TYPE: threads = modscan.ThrdScan(self._config).calculate() for thread in 
threads: image = pids.get(thread.Cid.UniqueProcess.v(), "UNKNOWN") line = "[{4}THREAD]{0} {1}{0} PID: {2}/TID: {3}".format( "" if body else "|", image, thread.Cid.UniqueProcess, thread.Cid.UniqueThread, self._config.MACHINE) yield self.getoutput(line, thread.CreateTime, end = thread.ExitTime, body = body) data = [] if "Symlink" in self._config.TYPE: data = filescan.SymLinkScan(self._config).calculate() for link in data: objct = link.get_object_header() line = "[{6}SYMLINK]{0} {1}->{2}{0} POffset: {3}/Ptr: {4}/Hnd: {5}".format( "" if body else "|", str(objct.NameInfo.Name or ''), str(link.LinkTarget or ''), link.obj_offset, objct.PointerCount, objct.HandleCount, self._config.MACHINE) yield self.getoutput(line, link.CreationTime, body = body) data = [] if "TimeDateStamp" in self._config.TYPE: data = moddump.ModDump(self._config).calculate() for aspace, procs, mod_base, mod_name in data: mod_name = str(mod_name or '') space = tasks.find_space(aspace, procs, mod_base) if space != None: try: pe_file = obj.Object("_IMAGE_DOS_HEADER", offset = mod_base, vm = space) header = pe_file.get_nt_header() except ValueError, ve: continue line = "[{3}PE HEADER (module)]{0} {1}{0} Base: {2:#010x}".format( "" if body else "|", mod_name, mod_base, self._config.MACHINE) yield self.getoutput(line, header.FileHeader.TimeDateStamp, body = body) uastuff = [] if "Userassist" in self._config.TYPE: uastuff = userassist.UserAssist(self._config).calculate() for win7, reg, key in uastuff: ts = "{0}".format(key.LastWriteTime) for v in rawreg.values(key): tp, dat = rawreg.value_data(v) subname = v.Name if tp == 'REG_BINARY': dat_raw = dat try: subname = subname.encode('rot_13') except UnicodeDecodeError: pass if win7: guid = subname.split("\\")[0] if guid in userassist.folder_guids: subname = subname.replace(guid, userassist.folder_guids[guid]) bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw) uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas) ID = "N/A" 
count = "N/A" fc = "N/A" tf = "N/A" lw = "N/A" if len(dat_raw) < bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES') or uadata == None: continue else: if hasattr(uadata, "ID"): ID = "{0}".format(uadata.ID) if hasattr(uadata, "Count"): count = "{0}".format(uadata.Count) else: count = "{0}".format(uadata.CountStartingAtFive if uadata.CountStartingAtFive < 5 else uadata.CountStartingAtFive - 5) if hasattr(uadata, "FocusCount"): seconds = (uadata.FocusTime + 500) / 1000.0 time = datetime.timedelta(seconds = seconds) if seconds > 0 else uadata.FocusTime fc = "{0}".format(uadata.FocusCount) tf = "{0}".format(time) lw = "{0}".format(uadata.LastUpdated) subname = subname.replace("|", "%7c") line = "[{7}USER ASSIST]{0} {2}{0} Registry: {1}/ID: {3}/Count: {4}/FocusCount: {5}/TimeFocused: {6}".format( "" if body else "|", reg, subname, ID, count, fc, tf, self._config.MACHINE) yield self.getoutput(line, uadata.LastUpdated, body = body) shimdata = [] if "Shimcache" in self._config.TYPE: shimdata = shimcache.ShimCache(self._config).calculate() for path, lm, lu in shimdata: line = "[{2}SHIMCACHE]{0} {1}{0} ".format( "" if body else "|", path, self._config.MACHINE) if lu: yield self.getoutput(line, lm, end = lu, body = body) else: yield self.getoutput(line, lm, body = body) if "_HBASE_BLOCK" in self._config.TYPE or "_CMHIVE" in self._config.TYPE or "Registry" in self._config.TYPE: regapi = registryapi.RegistryApi(self._config) for o in regapi.all_offsets: if "_HBASE_BLOCK" in self._config.TYPE: line = "[{2}_HBASE_BLOCK TimeStamp]{0} {1}{0} ".format( "" if body else "|", regapi.all_offsets[o], self._config.MACHINE) h = obj.Object("_HHIVE", o, addr_space) yield self.getoutput(line, h.BaseBlock.TimeStamp, body = body) if "_CMHIVE" in self._config.TYPE and version[0] == 6 and addr_space.profile.metadata.get('build', 0) >= 7601: line = line = "[{2}_CMHIVE LastWriteTime]{0} {1}{0} ".format( "" if body else "|", regapi.all_offsets[o], self._config.MACHINE) cmhive = 
obj.Object("_CMHIVE", o, addr_space) yield self.getoutput(line, cmhive.LastWriteTime, body = body) if "Registry" in self._config.TYPE: regapi.reset_current() regdata = regapi.reg_get_all_keys(self._config.HIVE, self._config.USER, reg = True, rawtime = True) for lwtime, reg, item in regdata: item = item.replace("|", "%7c") line = "[{3}REGISTRY]{0} {2}{0} Registry: {1}".format( "" if body else "|", reg, item, self._config.MACHINE) yield self.getoutput(line, lwtime, body = body) if "Timer" in self._config.TYPE: volmagic = obj.VolMagic(addr_space) KUSER_SHARED_DATA = obj.Object("_KUSER_SHARED_DATA", offset = volmagic.KUSER_SHARED_DATA.v(), vm = addr_space) interrupt = (KUSER_SHARED_DATA.InterruptTime.High1Time << 32) | KUSER_SHARED_DATA.InterruptTime.LowPart now = KUSER_SHARED_DATA.SystemTime.as_windows_timestamp() data = timers.Timers(self._config).calculate() for timer, module in data: signaled = "-" if timer.Header.SignalState.v(): signaled = "Yes" module_name = "UNKNOWN" if module: module_name = str(module.BaseDllName or '') try: # human readable time taken from http://computer.forensikblog.de/en/2011/10/timers-and-times.html bufferas = addrspace.BufferAddressSpace(self._config, data = struct.pack(' # Copyright (C) 2009-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
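#

"""
@author:       Andreas Schuster
@license:      GNU General Public License 2.0
@contact:      a.schuster@forensikblog.de
@organization: http://computer.forensikblog.de/en/
"""

import volatility.plugins.common as common
import volatility.obj as obj
import volatility.poolscan as poolscan
import volatility.utils as utils
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class PoolScanFile(poolscan.PoolScanner):
    """Pool scanner for file objects"""

    def __init__(self, address_space):
        """Configure the scanner for _FILE_OBJECT allocations.

        The pool tag is taken from the profile's VolMagic; the checks list
        names the pool-header constraints a candidate must satisfy.
        """
        poolscan.PoolScanner.__init__(self, address_space)

        self.struct_name = "_FILE_OBJECT"
        self.object_type = "File"
        self.pooltag = obj.VolMagic(address_space).FilePoolTag.v()
        # Hard-coded minimum allocation size; the profile lookup is left
        # commented out by the original author.
        size = 0x98 # self.address_space.profile.get_obj_size("_FILE_OBJECT")

        self.checks = [
               ('CheckPoolSize', dict(condition = lambda x: x >= size)),
               ('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = lambda x : x < 5)),
               ]

class FileScan(common.AbstractScanCommand):
    """Pool scanner for file objects"""

    scanners = [PoolScanFile]

    # Declare meta information associated with this plugin
    meta_info = {}
    meta_info['author'] = 'Andreas Schuster'
    meta_info['copyright'] = 'Copyright (c) 2009 Andreas Schuster'
    meta_info['contact'] = 'a.schuster@forensikblog.de'
    meta_info['license'] = 'GNU General Public License 2.0'
    meta_info['url'] = 'http://computer.forensikblog.de/en/'
    meta_info['os'] = 'WIN_32_XP_SP2'
    meta_info['version'] = '0.1'

    def render_text(self, outfd, data):
        """Write one table row per file object found by the scanner."""
        self.table_header(outfd, [(self.offset_column(), '#018x'),
                                  ('#Ptr', '>6'),
                                  ('#Hnd', '>6'),
                                  ('Access', '>6'),
                                  ('Name', '')
                                 ])

        for file in data:
            header = file.get_object_header()
            self.table_row(outfd,
                           file.obj_offset,
                           header.PointerCount,
                           header.HandleCount,
                           file.access_string(),
                           str(file.file_name_with_device() or ''))

    def unified_output(self, data):
        """Return a TreeGrid describing the columns produced by generator()."""
        return TreeGrid([(self.offset_column(), Address),
                         ("Pointers", int),
                         ("Handles", int),
                         ("Access", str),
                         ("Name", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples, one per file object, all at depth 0."""
        for file in data:
            header = file.get_object_header()
            yield (0, [Address(file.obj_offset),
                       int(header.PointerCount),
                       int(header.HandleCount),
                       str(file.access_string()),
                       str(file.file_name_with_device() or '')])

class PoolScanDriver(poolscan.PoolScanner):
    """Pool scanner for driver objects"""

    def __init__(self, address_space):
        """Configure the scanner for _DRIVER_OBJECT allocations."""
        poolscan.PoolScanner.__init__(self, address_space)

        self.struct_name = "_DRIVER_OBJECT"
        self.object_type = "Driver"
        # due to the placement of the driver extension, we
        # use the top down approach instead of bottom-up.
        self.use_top_down = True
        self.pooltag = obj.VolMagic(address_space).DriverPoolTag.v()
        size = 0xf8 # self.address_space.profile.get_obj_size("_DRIVER_OBJECT")

        self.checks = [
               ('CheckPoolSize', dict(condition = lambda x: x >= size)),
               ('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = lambda x : x < 5)),
               ]

class DriverScan(common.AbstractScanCommand):
    """Pool scanner for driver objects"""

    scanners = [PoolScanDriver]

    def unified_output(self, data):
        """Return a TreeGrid describing the columns produced by generator()."""
        return TreeGrid([(self.offset_column(), Address),
                         ("Pointers", int),
                         ("Handles", int),
                         ("Start", Address),
                         ("Size", int),
                         ("Service Key", str),
                         ("Name", str),
                         ("Driver Name", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples, one per driver object, all at depth 0."""
        for driver in data:
            header = driver.get_object_header()
            yield (0, [Address(driver.obj_offset),
                       int(header.PointerCount),
                       int(header.HandleCount),
                       Address(driver.DriverStart),
                       int(driver.DriverSize),
                       str(driver.DriverExtension.ServiceKeyName or ''),
                       str(header.NameInfo.Name or ''),
                       str(driver.DriverName or '')])

    def render_text(self, outfd, data):
        """Write one table row per driver object found by the scanner."""
        self.table_header(outfd, [(self.offset_column(), '#018x'),
                                  ('#Ptr', '>8'),
                                  ('#Hnd', '>8'),
                                  ('Start', '[addrpad]'),
                                  ('Size', '[addr]'),
                                  ('Service Key', '20'),
                                  ('Name', '12'),
                                  ('Driver Name', '')
                                 ])

        for driver in data:
            header = driver.get_object_header()
            self.table_row(outfd,
                           driver.obj_offset,
                           header.PointerCount,
                           header.HandleCount,
                           driver.DriverStart,
                           driver.DriverSize,
                           str(driver.DriverExtension.ServiceKeyName or ''),
                           str(header.NameInfo.Name or ''),
                           str(driver.DriverName or ''))

class PoolScanSymlink(poolscan.PoolScanner):
    """Pool scanner for symlink objects"""

    def __init__(self, address_space):
        """Configure the scanner for _OBJECT_SYMBOLIC_LINK allocations."""
        poolscan.PoolScanner.__init__(self, address_space)

        self.struct_name = "_OBJECT_SYMBOLIC_LINK"
        self.object_type = "SymbolicLink"
        self.pooltag = obj.VolMagic(address_space).SymlinkPoolTag.v()
        size = 0x48 # self.address_space.profile.get_obj_size("_OBJECT_SYMBOLIC_LINK")

        # Unlike the other scanners in this file, paged pool is accepted here
        # and no CheckPoolIndex constraint is applied.
        self.checks = [
               ('CheckPoolSize', dict(condition = lambda x: x >= size)),
               ('CheckPoolType', dict(paged = True, non_paged = True, free = True)),
               ]

class SymLinkScan(common.AbstractScanCommand):
    """Pool scanner for symlink objects"""

    scanners = [PoolScanSymlink]

    def unified_output(self, data):
        """Return a TreeGrid describing the columns produced by generator()."""
        return TreeGrid([(self.offset_column(), Address),
                         ("Pointers", int),
                         ("Handles", int),
                         ("Creation Time", str),
                         ("Origin", str),
                         ("Target", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples, one per symbolic link, all at depth 0."""
        for link in data:
            header = link.get_object_header()
            yield (0, [Address(link.obj_offset),
                       int(header.PointerCount),
                       int(header.HandleCount),
                       str(link.CreationTime or ''),
                       str(header.NameInfo.Name or ''),
                       str(link.LinkTarget or '')])

    def render_text(self, outfd, data):
        """Write one table row per symbolic link found by the scanner."""
        self.table_header(outfd, [(self.offset_column(), '#018x'),
                                  ('#Ptr', '>6'),
                                  ('#Hnd', '>6'),
                                  ('Creation time', '30'),
                                  ('From', '<20'),
                                  ('To', '60'),
                                 ])

        for link in data:
            header = link.get_object_header()
            self.table_row(outfd,
                           link.obj_offset,
                           header.PointerCount,
                           header.HandleCount,
                           link.CreationTime or '',
                           str(header.NameInfo.Name or ''),
                           str(link.LinkTarget or ''))

class PoolScanMutant(poolscan.PoolScanner):
    """Pool scanner for mutex objects"""

    def __init__(self, address_space, **kwargs):
        """Configure the scanner for _KMUTANT allocations.

        Extra keyword arguments are forwarded to PoolScanner.__init__.
        """
        poolscan.PoolScanner.__init__(self, address_space, **kwargs)

        self.struct_name = "_KMUTANT"
        self.object_type = "Mutant"
        self.pooltag = obj.VolMagic(address_space).MutexPoolTag.v()
        size = 0x40 # self.address_space.profile.get_obj_size("_KMUTANT")

        self.checks = [
               ('CheckPoolSize', dict(condition = lambda x: x >= size)),
               ('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = lambda x : x < 5)),
               ]

class MutantScan(common.AbstractScanCommand):
    """Pool scanner for mutex objects"""

    scanners = [PoolScanMutant]

    def __init__(self, config, *args, **kwargs):
        """Register the SILENT (-s) option in addition to the base options."""
        common.AbstractScanCommand.__init__(self, config, *args, **kwargs)
        config.add_option("SILENT", short_option = 's', default = False,
                          action = 'store_true',
                          help = 'Suppress less meaningful results')

    def unified_output(self, data):
        """Return a TreeGrid describing the columns produced by generator()."""
        return TreeGrid([(self.offset_column(), Address),
                         ("Pointers", int),
                         ("Handles", int),
                         ("Signal", str),
                         ("Thread", Address),
                         ("CID", str),
                         ("Name", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples, one per mutant, all at depth 0.

        CID is "pid:tid" of the owning thread when the OwnerThread pointer is
        valid, otherwise an empty string.
        """
        for mutant in data:
            header = mutant.get_object_header()

            if mutant.OwnerThread.is_valid():
                thread = mutant.OwnerThread.dereference_as('_ETHREAD')
                CID = "{0}:{1}".format(thread.Cid.UniqueProcess, thread.Cid.UniqueThread)
            else:
                CID = ""

            yield (0, [Address(mutant.obj_offset),
                       int(header.PointerCount),
                       int(header.HandleCount),
                       str(mutant.Header.SignalState),
                       Address(mutant.OwnerThread),
                       str(CID),
                       str(header.NameInfo.Name or '')])

    def render_text(self, outfd, data):
        """Write one table row per mutant found by the scanner."""
        self.table_header(outfd, [(self.offset_column(), '#018x'),
                                  ('#Ptr', '>8'),
                                  ('#Hnd', '>8'),
                                  ('Signal', '4'),
                                  ('Thread', '[addrpad]'),
                                  ('CID', '>9'),
                                  ('Name', '')
                                 ])

        for mutant in data:
            header = mutant.get_object_header()

            if mutant.OwnerThread.is_valid():
                thread = mutant.OwnerThread.dereference_as('_ETHREAD')
                CID = "{0}:{1}".format(thread.Cid.UniqueProcess, thread.Cid.UniqueThread)
            else:
                CID = ""

            self.table_row(outfd,
                           mutant.obj_offset,
                           header.PointerCount,
                           header.HandleCount,
                           mutant.Header.SignalState,
                           mutant.OwnerThread,
                           CID,
                           str(header.NameInfo.Name or ''))

class PoolScanProcess(poolscan.PoolScanner):
    """Pool scanner for process objects"""

    def __init__(self, address_space, **kwargs):
        """Configure the scanner for _EPROCESS allocations.

        Extra keyword arguments are forwarded to PoolScanner.__init__.
        """
        poolscan.PoolScanner.__init__(self, address_space, **kwargs)

        self.struct_name = "_EPROCESS"
        self.object_type = "Process"
        # this allows us to find terminated processes
        self.skip_type_check = True
        self.pooltag = obj.VolMagic(address_space).ProcessPoolTag.v()
        size = 0x1ae # self.address_space.profile.get_obj_size("_EPROCESS")

        self.checks = [
               ('CheckPoolSize', dict(condition = lambda x: x >= size)),
               ('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = lambda x : x < 5)),
               ]

def _dot_escape(text):
    """Backslash-escape characters that are structural in a quoted DOT record label."""
    escaped = text.replace("\\", "\\\\")
    for char in '"{}|<>':
        escaped = escaped.replace(char, "\\" + char)
    return escaped

class PSScan(common.AbstractScanCommand):
    """Pool scanner for process objects"""

    scanners = [PoolScanProcess]

    # Declare meta information associated with this plugin
    meta_info = {}
    meta_info['author'] = 'AAron Walters'
    meta_info['copyright'] = 'Copyright (c) 2011 Volatility Foundation'
    meta_info['contact'] = 'awalters@4tphi.net'
    meta_info['license'] = 'GNU General Public License 2.0'
    meta_info['url'] = 'https://www.volatilityfoundation.org/'
    meta_info['os'] = ['Win7SP0x86', 'WinXPSP3x86']
    meta_info['version'] = '0.1'

    def calculate(self):
        """Load the address space to scan and return the scanner results.

        A physical space is used unless the VIRTUAL option is set or the
        profile metadata reports version 6.4, in which case the default
        (virtual) space from utils.load_as is used instead.
        """
        # start with a physical space so we can find processes without a DTB
        addr_space = utils.load_as(self._config, astype = 'physical')
        meta = addr_space.profile.metadata
        win10 = (meta.get("major"), meta.get("minor")) == (6, 4)

        # if the user selected virtual space or if we're on win10, switch
        # to a virtual kernel space
        if self._config.VIRTUAL or win10:
            addr_space = utils.load_as(self._config)

        return self.scan_results(addr_space)

    def render_dot(self, outfd, data):
        """Write the scanned processes as a Graphviz digraph.

        Each process becomes a record-shaped node "pid<PID>" and each
        parent/child relation an edge; exited processes are filled gray.
        """
        objects = set()
        links = set()

        for eprocess in data:
            # ImageFileName is read from the memory image, so treat it as
            # untrusted: escape it before it goes inside the quoted record
            # label, otherwise a name containing '"', '|', '{' or '}' would
            # alter or break the generated graph.
            image_name = _dot_escape("{0}".format(eprocess.ImageFileName))
            label = "{0} | {1} |".format(eprocess.UniqueProcessId,
                                         image_name)
            if eprocess.ExitTime:
                label += "exited\\n{0}".format(eprocess.ExitTime)
                options = ' style = "filled" fillcolor = "lightgray" '
            else:
                label += "running"
                options = ''

            objects.add('pid{0} [label="{1}" shape="record" {2}];\n'.format(eprocess.UniqueProcessId,
                                                                             label, options))
            links.add("pid{0} -> pid{1} [];\n".format(eprocess.InheritedFromUniqueProcessId,
                                                      eprocess.UniqueProcessId))

        ## Now write the dot file
        outfd.write("digraph processtree { \ngraph [rankdir = \"TB\"];\n")
        for link in links:
            outfd.write(link)

        for item in objects:
            outfd.write(item)
        outfd.write("}")

    def unified_output(self, data):
        """Return a TreeGrid describing the columns produced by generator()."""
        return TreeGrid([(self.offset_column(), Address),
                         ("Name", str),
                         ("PID", int),
                         ("PPID", int),
                         ("PDB", Address),
                         ("Time Created", str),
                         ("Time Exited", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples, one per process, all at depth 0."""
        for eprocess in data:
            yield (0, [Address(eprocess.obj_offset),
                       str(eprocess.ImageFileName),
                       int(eprocess.UniqueProcessId),
                       int(eprocess.InheritedFromUniqueProcessId),
                       Address(eprocess.Pcb.DirectoryTableBase),
                       str(eprocess.CreateTime or ''),
                       str(eprocess.ExitTime or '')])

    def render_text(self, outfd, data):
        """Write one table row per process found by the scanner."""
        self.table_header(outfd, [(self.offset_column(), '#018x'),
                                  ('Name', '16'),
                                  ('PID', '>6'),
                                  ('PPID', '>6'),
                                  ('PDB', '[addrpad]'),
                                  ('Time created', '30'),
                                  ('Time exited', '30')
                                 ])

        for eprocess in data:
            self.table_row(outfd,
                           eprocess.obj_offset,
                           eprocess.ImageFileName,
                           eprocess.UniqueProcessId,
                           eprocess.InheritedFromUniqueProcessId,
                           eprocess.Pcb.DirectoryTableBase,
                           eprocess.CreateTime or '',
                           eprocess.ExitTime or '')

# tar member header: volatility_2.6+git20170711.b3db0cc/volatility/plugins/notepad.py0000644000000000000000000002174213131215405023030 0ustar rootroot
# Volatility
#
# Authors:
# Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.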
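#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os
import volatility.obj as obj
import volatility.utils as utils
import volatility.plugins.taskmods as taskmods
from volatility.renderers import TreeGrid

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _HEAP(obj.CType):
    """ A Heap on XP and 2003 """

    def is_valid(self):
        """True when the base validity check passes and Signature is 0xeeffeeff."""
        return obj.CType.is_valid(self) and self.Signature == 0xeeffeeff

    def segments(self):
        """ A list of the _HEAP_SEGMENTs.

        This is an array of pointers so we have to deref
        before returning or the caller will be calling
        is_valid on the pointer and not the object.
        """
        return [seg.dereference() for seg in self.Segments if seg != 0]

class _HEAP_SEGMENT(obj.CType):
    """ A Heap Segment on XP and 2003 """

    def is_valid(self):
        """True when the base validity check passes and Signature is 0xffeeffee."""
        return obj.CType.is_valid(self) and self.Signature == 0xffeeffee

    def heap_entries(self):
        """Enumerate the heaps in this segment.

        Walks from self.Entry towards LastValidEntry, stepping by
        Size * sizeof(_HEAP_ENTRY) after each yielded entry. The walk stops
        after an entry whose Size is zero, because such an entry would
        otherwise be yielded forever.

        ##FIXME:
        * Raise ValueError if corruptions are detected.
        * Should we start at FirstEntry or Entry?
        """

        entry = self.Entry #FirstEntry.dereference()
        last = self.LastValidEntry.dereference()

        chunk_size = self.obj_vm.profile.get_obj_size("_HEAP_ENTRY")

        while (entry and entry.obj_offset < last.obj_offset):
            yield entry
            # Heap metadata comes from the analysed process and may be corrupt
            # or deliberately crafted. With Size == 0 the next offset equals
            # the current one and the loop would never terminate.
            if entry.Size == 0:
                break
            entry = obj.Object("_HEAP_ENTRY",
                               offset = entry.obj_offset + entry.Size * chunk_size,
                               vm = entry.obj_vm)

class _HEAP_ENTRY(obj.CType):
    """ A Heap Entry """

    def get_data(self):
        """Read Size * sizeof(_HEAP_ENTRY) bytes starting right after this header."""
        chunk_size = self.obj_vm.profile.get_obj_size("_HEAP_ENTRY")
        return self.obj_vm.zread(
                    self.obj_offset + chunk_size,
                    self.Size * chunk_size
                    )

    def get_extra(self):
        """Return a _HEAP_ENTRY_EXTRA object located (Size - 1) chunks after this entry."""
        chunk_size = self.obj_vm.profile.get_obj_size("_HEAP_ENTRY")
        return obj.Object("_HEAP_ENTRY_EXTRA",
                    offset = self.obj_offset + (chunk_size * (self.Size - 1)),
                    vm = self.obj_vm)

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class XPHeapModification(obj.ProfileModification):
    """Install the heap flag bitmaps and object classes on 32-bit Windows 5.x profiles."""

    before = ["WindowsObjectClasses"]
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x : x == 5,
                  'memory_model' : lambda x : x == '32bit'}

    def modification(self, profile):
        """Overlay the Flags members with named bitmaps and register the classes above."""

        # Flag name -> bit position for _HEAP.Flags and _HEAP.ForceFlags
        heap_flags = {
            'HEAP_NO_SERIALIZE': 0,
            'HEAP_GROWABLE': 1,
            'HEAP_GENERATE_EXCEPTIONS': 2,
            'HEAP_ZERO_MEMORY': 3,
            'HEAP_REALLOC_IN_PLACE_ONLY': 4,
            'HEAP_TAIL_CHECKING_ENABLED': 5,
            'HEAP_FREE_CHECKING_ENABLED': 6,
            'HEAP_DISABLE_COALESCE_ON_FREE': 7,
            'HEAP_SETTABLE_USER_VALUE': 8,
            'HEAP_CREATE_ALIGN_16': 16,
            'HEAP_CREATE_ENABLE_TRACING': 17,
            'HEAP_CREATE_ENABLE_EXECUTE': 18,
            'HEAP_FLAG_PAGE_ALLOCS': 24,
            'HEAP_PROTECTION_ENABLED': 25,
            'HEAP_CAPTURE_STACK_BACKTRACES': 27,
            'HEAP_SKIP_VALIDATION_CHECKS': 28,
            'HEAP_VALIDATE_ALL_ENABLED': 29,
            'HEAP_VALIDATE_PARAMETERS_ENABLED': 30,
            'HEAP_LOCK_USER_ALLOCATED': 31,
        }

        # Short names are used for the per-entry flags; the long names are
        # kept as comments. The Notepad plugin below tests for "extra".
        entry_flags = {
            #'HEAP_ENTRY_BUSY': 0,
            "busy": 0,
            #'HEAP_ENTRY_EXTRA_PRESENT': 1,
            "extra": 1,
            #'HEAP_ENTRY_FILL_PATTERN': 2,
            "fill": 2,
            #'HEAP_ENTRY_VIRTUAL_ALLOC': 3,
            "virtual": 3,
            #'HEAP_ENTRY_LAST_ENTRY': 4,
            "last": 4,
            #'HEAP_ENTRY_SETTABLE_FLAG1': 5,
            "flag1": 5,
            #'HEAP_ENTRY_SETTABLE_FLAG2': 6,
            "flag2": 6,
            #'HEAP_ENTRY_SETTABLE_FLAG3': 7
            "flag3": 7
        }

        profile.merge_overlay({
            '_HEAP': [ None, {
                'Flags': [ None, ['Flags', {'bitmap': heap_flags}]],
                'ForceFlags': [ None, ['Flags', {'bitmap': heap_flags}]],
            }],
            '_HEAP_FREE_ENTRY': [ None, {
                'Flags': [ None, ['Flags', {'target': 'unsigned char', 'bitmap': entry_flags}]],
            }],
            '_HEAP_ENTRY': [ None, {
                'Flags': [ None, ['Flags', {'target': 'unsigned char', 'bitmap': entry_flags}]],
            }],
            '_HEAP_SEGMENT': [ None, {
                'Flags': [ None, ['Flags', {'bitmap': {'HEAP_USER_ALLOCATED': 0}}]],
            }],
        })

        profile.object_classes.update({
            '_HEAP_ENTRY': _HEAP_ENTRY,
            '_HEAP': _HEAP,
            '_HEAP_SEGMENT': _HEAP_SEGMENT,
        })

class Notepad(taskmods.DllList):
    """List currently displayed notepad text"""

    def __init__(self, config, *args, **kwargs):
        """Register the DUMP-DIR (-D) option in addition to the DllList options."""
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option("DUMP-DIR", short_option = "D", default = None,
                          help = "Dump binary data to this directory")

    @staticmethod
    def is_valid_profile(profile):
        """Accept only Windows profiles whose major version is 5."""
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('major', 0) == 5)

    def unified_output(self, data):
        """Return a TreeGrid describing the columns produced by generator()."""
        return TreeGrid([("Process", str),
                         ("PID", int),
                         ("Text", str),
                         ], self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples for heap entries of notepad.exe that decode to text."""
        for task in data:
            # only looking for notepad
            if str(task.ImageFileName).lower() != "notepad.exe":
                continue

            process_id = task.UniqueProcessId
            entry_size = task.obj_vm.profile.get_obj_size("_HEAP_ENTRY")
            heap = task.Peb.ProcessHeap.dereference_as("_HEAP")

            for segment in heap.segments():
                for entry in segment.heap_entries():
                    # the extra heap data is present
                    if "extra" not in str(entry.Flags):
                        continue

                    # Interpret the bytes after the entry header as UTF-16 text
                    text = obj.Object("String",
                                      offset = entry.obj_offset + entry_size,
                                      vm = task.get_process_address_space(),
                                      length = entry.Size * entry_size,
                                      encoding = "utf16")

                    if not text or len(text) == 0:
                        continue
                    else:
                        display_text = text

                    yield(0, ['notepad.exe', int(process_id), str(display_text)])

    def render_text(self, outfd, data):
        """Print the recovered text per notepad.exe process and optionally dump the raw entry."""
        for task in data:
            # only looking for notepad
            if str(task.ImageFileName).lower() != "notepad.exe":
                continue

            outfd.write("Process: {0}\n".format(task.UniqueProcessId))

            entry_size = task.obj_vm.profile.get_obj_size("_HEAP_ENTRY")
            heap = task.Peb.ProcessHeap.dereference_as("_HEAP")

            for segment in heap.segments():
                for entry in segment.heap_entries():
                    # the extra heap data is present
                    if "extra" not in str(entry.Flags):
                        continue

                    text = obj.Object("String",
                                      offset = entry.obj_offset + entry_size,
                                      vm = task.get_process_address_space(),
                                      length = entry.Size * entry_size,
                                      encoding = "utf16")

                    if not text or len(text) == 0:
                        continue

                    if self._config.DUMP_DIR:
                        # NOTE(review): the file name depends only on the PID
                        # and is opened with "wb" inside the entry loop, so a
                        # later matching entry of the same process overwrites
                        # an earlier dump. DUMP_DIR is also not checked to be
                        # an existing directory here.
                        name = "notepad.{0}.txt".format(task.UniqueProcessId)
                        path = os.path.join(self._config.DUMP_DIR, name)
                        with open(path, "wb") as handle:
                            handle.write(entry.get_data())
                        outfd.write("Dumped To: {0}\n".format(path))

                    outfd.write("Text:\n{0}\n\n".format(text))

# tar member header: volatility_2.6+git20170711.b3db0cc/volatility/plugins/connscan.py0000644000000000000000000000707013131215405023176 0ustar rootroot
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .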
#

"""
This module implements the fast connection scanning

@author:       AAron Walters and Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.poolscan as poolscan
import volatility.plugins.common as common
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class PoolScanConn(poolscan.PoolScanner):
    """Pool scanner for tcp connections"""

    def __init__(self, address_space):
        """Set the structure name, the "TCPT" pool tag and the pool-header checks."""
        poolscan.PoolScanner.__init__(self, address_space)

        self.struct_name = "_TCPT_OBJECT"
        self.pooltag = "TCPT"

        # Each check is a (name, keyword-arguments) pair.
        size_check = ('CheckPoolSize', {'condition': lambda size: size >= 0x198})
        type_check = ('CheckPoolType', {'non_paged': True, 'free': True})
        index_check = ('CheckPoolIndex', {'value': lambda index: index < 5})
        self.checks = [size_check, type_check, index_check]

class ConnScan(common.AbstractScanCommand):
    """Pool scanner for tcp connections"""

    scanners = [PoolScanConn]

    meta_info = {
        'author': 'Brendan Dolan-Gavitt',
        'copyright': 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        'contact': 'bdolangavitt@wesleyan.edu',
        'license': 'GNU General Public License 2.0',
        'url': 'http://moyix.blogspot.com/',
        'os': 'WIN_32_XP_SP2',
        'version': '1.0',
    }

    @staticmethod
    def is_valid_profile(profile):
        """Accept only Windows profiles whose major version is 5."""
        metadata = profile.metadata
        is_windows = metadata.get('os', 'unknown') == 'windows'
        return (is_windows and metadata.get('major', 0) == 5)

    def render_text(self, outfd, data):
        """Write one table row per connection object: offset, endpoints and PID."""
        columns = [(self.offset_column(), "[addrpad]"),
                   ("Local Address", "25"),
                   ("Remote Address", "25"),
                   ("Pid", "")]
        self.table_header(outfd, columns)

        for connection in data:
            local_endpoint = "{0}:{1}".format(connection.LocalIpAddress,
                                              connection.LocalPort)
            remote_endpoint = "{0}:{1}".format(connection.RemoteIpAddress,
                                               connection.RemotePort)
            self.table_row(outfd, connection.obj_offset,
                           local_endpoint, remote_endpoint, connection.Pid)

    def unified_output(self, data):
        """Return a TreeGrid describing the columns produced by generator()."""
        columns = [("Offset(P)", Address),
                   ("LocalAddress", str),
                   ("RemoteAddress", str),
                   ("PID", int)]
        return TreeGrid(columns, self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples, one per connection object, all at depth 0."""
        for connection in data:
            local_endpoint = "{0}:{1}".format(connection.LocalIpAddress,
                                              connection.LocalPort)
            remote_endpoint = "{0}:{1}".format(connection.RemoteIpAddress,
                                               connection.RemotePort)
            row = [Address(connection.obj_offset),
                   str(local_endpoint),
                   str(remote_endpoint),
                   int(connection.Pid)]
            yield (0, row)

# tar member header: volatility_2.6+git20170711.b3db0cc/volatility/plugins/fileparam.py0000644000000000000000000000346013131215405023333 0ustar rootroot
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.conf as conf
import urllib
import sys
import os
## This is required to ensure that LOCATION is defined here
import volatility.debug as debug
import volatility.addrspace as addrspace #pylint: disable-msg=W0611

config = conf.ConfObject()

def set_location(_option, _opt_str, value, parser):
    """Option callback: turn the --filename value into a file: URL in parser.values.location.

    The path is made absolute; debug.error is called when it does not exist.
    An already-set location is left untouched.
    """
    image_path = os.path.abspath(value)
    if not os.path.exists(image_path):
        debug.error("The requested file doesn't exist")

    if not (parser.values.location == None):
        return

    # Windows pathname2url decides to convert C:\blah to ///C:/blah
    # So to keep the URLs correct, we only add file: rather than file://
    if sys.platform.startswith('win'):
        scheme = "file:"
    else:
        scheme = "file:" + "//"
    parser.values.location = scheme + urllib.pathname2url(image_path)

config.add_option("FILENAME",
                  short_option = 'f',
                  type = 'str',
                  nargs = 1,
                  default = None,
                  action = "callback",
                  callback = set_location,
                  help = "Filename to use when opening an image")
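# tar member header: volatility_2.6+git20170711.b3db0cc/volatility/plugins/iehistory.py0000644000000000000000000002707513131215405023422 0ustar rootroot
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

## http://www.docslide.com/forensic-analysis-of-internet-explorer-activity-files/
## http://libmsiecf.googlecode.com/files/MSIE%20Cache%20File%20%28index.dat%29%20format.pdf

import volatility.obj as obj
import volatility.plugins.taskmods as taskmods
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.debug as debug
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address

class _URL_RECORD(obj.CType):
    """A class for URL and LEAK records"""

    def is_valid(self):
        """Accept a record whose length is in (0, 32768) and whose two
        timestamps are neither unset ("-") nor in 1970-01-01."""
        ret = False
        if obj.CType.is_valid(self) and self.Length > 0 and self.Length < 32768:
            if not str(self.LastModified).startswith("1970-01-01") and str(self.LastModified) != "-":
                if not str(self.LastAccessed).startswith("1970-01-01") and str(self.LastAccessed) != "-":
                    ret = True
        return ret

    @property
    def Length(self):
        """Record length in bytes: the stored Length member multiplied by 0x80."""
        return self.m('Length') * 0x80

    def has_data(self):
        """Determine if a record has data"""
        ## for LEAK records the DataOffset is sometimes 0xdeadbeef
        return (self.DataOffset > 0 and self.DataOffset < self.Length
                    and not self.Url.split(":")[0] in ["PrivacIE", "ietld", "iecompat", "Visited"])

class _DEST_RECORD(obj.CType):
    """A class for DEST records"""

    def is_valid(self):
        """Accept a record whose timestamps are valid, not in 1970-01-01,
        fall in a year between 2000 and 2074, and whose URLStart is readable."""
        ret = False
        if obj.CType.is_valid(self) and self.LastModified.is_valid() and self.LastAccessed.is_valid():
            if not str(self.LastModified).startswith("1970-01-01") and str(self.LastModified) != "-":
                if not str(self.LastAccessed).startswith("1970-01-01") and str(self.LastAccessed) != "-":
                    if (1999 < self.LastModified.as_datetime().year < 2075 and
                            1999 < self.LastAccessed.as_datetime().year < 2075 and
                            self.URLStart.is_valid()):
                        ret = True
        return ret

    def url_and_title(self):
        """Return (url, title) extracted from up to 4096 bytes at URLStart.

        Each string ends at the first double NUL; only bytes in the printable
        ASCII range 32..126 are kept, so the results carry no control
        characters. Both are empty when no terminator is found.
        """
        url_buf = self.obj_vm.zread(self.URLStart.obj_offset, 4096)
        url = ""
        title = ""

        # look for where url ends
        idx = url_buf.find("\x00\x00")
        if idx > 0:
            idx = idx + 2
            tmpurl = url_buf[:idx]
            for u in tmpurl:
                if 31 < ord(u) < 127:
                    url = url + u
            # the title follows the URL and is terminated the same way
            idx2 = url_buf[idx:].find("\x00\x00")
            if idx2 > 0:
                tmptitle = url_buf[idx:idx + idx2 + 2]
                for t in tmptitle:
                    if 31 < ord(t) < 127:
                        title = title + t
        return url, title

    @property
    def Url(self):
        """The URL part of url_and_title()."""
        return self.url_and_title()[0]

class IEHistoryVTypes(obj.ProfileModification):
    """Apply structures for IE history parsing"""

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        """Add the record vtypes and bind them to the classes above."""
        profile.vtypes.update({
            '_URL_RECORD' : [ None, {
                'Signature' : [ 0, ['String', dict(length = 4)]],
                'Length' : [ 0x4, ['unsigned int']],
                'LastModified' : [ 0x08, ['WinTimeStamp', dict(is_utc = True)]], # secondary
                'LastAccessed' : [ 0x10, ['WinTimeStamp', dict(is_utc = True)]], # primary
                'UrlOffset' : [ 0x34, ['unsigned char']],
                'FileOffset' : [ 0x3C, ['unsigned int']],
                'DataOffset' : [ 0x44, ['unsigned int']],
                'DataSize': [ 0x48, ['unsigned int']],
                'Url' : [ lambda x : x.obj_offset + x.UrlOffset, ['String', dict(length = 4096)]],
                'File' : [ lambda x : x.obj_offset + x.FileOffset, ['String', dict(length = 4096)]],
                'Data' : [ lambda x : x.obj_offset + x.DataOffset, ['String', dict(length = 4096)]],
            }],
            '_REDR_RECORD' : [ None, {
                'Signature' : [ 0, ['String', dict(length = 4)]],
                'Length' : [ 0x4, ['unsigned int']],
                'Url' : [ 0x10, ['String', dict(length = 4096)]],
            }],
            '_DEST_RECORD' : [None, {
                'Signature' : [ 0, ['String', dict(length = 4)]],
                'LastModified' : [ 28, ['WinTimeStamp', dict(is_utc = True)]],
                'LastAccessed' : [ 36, ['WinTimeStamp', dict(is_utc = True)]],
                'URLStart' : [ 94, ['unsigned char']],
            }],
        })
        profile.object_classes.update({
            '_URL_RECORD' : _URL_RECORD,
            '_REDR_RECORD': _URL_RECORD,
            '_DEST_RECORD' : _DEST_RECORD,
        })

class IEHistory(taskmods.DllList):
    """Reconstruct Internet Explorer cache / history"""

    def __init__(self, config, *args, **kwargs):
        """Register the LEAK (-L) and REDR (-R) options in addition to the DllList options."""
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option("LEAK", short_option = 'L',
                          default = False, action = 'store_true',
                          help = 'Find LEAK records (deleted)')
        config.add_option("REDR", short_option = 'R',
                          default = False, action = 'store_true',
                          help = 'Find REDR records (redirected)')

    @staticmethod
    def is_valid_profile(profile):
        """Accept any Windows profile."""
        return profile.metadata.get('os', 'unknown') == 'windows'

    def calculate(self):
        """Scan process memory for cache record tags and yield (process, record).

        "URL " and "DEST" are always searched; "LEAK" and "REDR" are added
        when the matching option is set. Only records that pass is_valid()
        are yielded.
        """
        ## Select the tags to scan for. Always find visited URLs,
        ## but make freed and redirected records optional.
        tags = ["URL ", "DEST"]
        if self._config.LEAK:
            tags.append("LEAK")
        if self._config.REDR:
            tags.append("REDR")
        # The original reassigned tags = ["DEST"] at this point, which threw
        # away the list built above: "URL " was never searched and the LEAK
        # and REDR options had no effect. The override is removed.

        ## Define the record type based on the tag
        tag_records = {
            "URL " : "_URL_RECORD",
            "LEAK" : "_URL_RECORD",
            "REDR" : "_REDR_RECORD",
            "DEST" : "_DEST_RECORD"}

        # Restrict the search to VADs backed by an index.dat file, or to VADs
        # whose protection value is 4.
        vad_filter = lambda x : (hasattr(x, 'ControlArea') and str(x.FileObject.FileName or '').endswith("index.dat")) or (x.VadFlags.Protection.v() == 4)

        ## Enumerate processes based on the --pid and --offset
        for proc in taskmods.DllList(self._config).calculate():

            ## Acquire a process specific AS
            ps_as = proc.get_process_address_space()

            for hit in proc.search_process_memory(tags, vad_filter = vad_filter):
                ## Get a preview of the data to see what tag was detected
                tag = ps_as.read(hit, 4)

                ## Create the appropriate object type based on the tag.
                ## Skip the hit when the four bytes cannot be read back as a
                ## known tag instead of failing the whole scan on a KeyError.
                record_type = tag_records.get(tag)
                if record_type is None:
                    continue

                record = obj.Object(record_type, offset = hit, vm = ps_as)
                if record.is_valid():
                    yield proc, record

    def unified_output(self, data):
        """Return a TreeGrid describing the columns produced by generator()."""
        return TreeGrid([("Process", str),
                         ("PID", int),
                         ("CacheType", str),
                         ("Offset", Address),
                         ("RecordLength", int),
                         ("Location", str),
                         ("LastModified", str),
                         ("LastAccessed", str),
                         ("Length", int),
                         ("FileOffset", Address),
                         ("DataOffset", Address),
                         ("DataSize", int),
                         ("File", str),
                         ("Data", str)],
                        self.generator(data))

    def generator(self, data):
        """Yield (depth, row) tuples, one per record, all at depth 0.

        The extended columns keep their -1 / empty-string defaults for
        records that are not _URL_RECORD objects.
        """
        for process, record in data:
            lm = -1
            la = -1
            length = -1
            fileoffset = -1
            dataoffset = -1
            datasize = -1
            thefile = ""
            thedata = ""

            if record.obj_name == "_URL_RECORD":
                lm = str(record.LastModified)
                la = str(record.LastAccessed)
                length = int(record.Length)
                fileoffset = int(record.FileOffset)
                dataoffset = int(record.DataOffset)
                datasize = int(record.DataSize)
                if record.FileOffset > 0:
                    thefile = str(record.File or "")
                if record.has_data():
                    thedata = str(record.Data or "")

            yield (0, [str(process.ImageFileName),
                       int(process.UniqueProcessId),
                       str(record.Signature),
                       Address(record.obj_offset),
                       int(record.Length),
                       str(record.Url),
                       str(lm),
                       str(la),
                       int(length),
                       Address(fileoffset),
                       Address(dataoffset),
                       int(datasize),
                       str(thefile),
                       str(thedata)])

    def render_text(self, outfd, data):
        """Print each record as a block of labelled lines.

        DEST records are printed only when the extracted URL is longer than
        four characters; all other records are always printed.
        """
        for process, record in data:
            if record.obj_name == "_DEST_RECORD":
                url, title = record.url_and_title()
                if len(url) > 4:
                    outfd.write("*" * 50 + "\n")
                    outfd.write("Process: {0} {1}\n".format(process.UniqueProcessId, process.ImageFileName))
                    outfd.write("Cache type \"{0}\" at {1:#x}\n".format(record.Signature, record.obj_offset))
                    outfd.write("Last modified: {0}\n".format(record.LastModified))
                    outfd.write("Last accessed: {0}\n".format(record.LastAccessed))
                    outfd.write("URL: {0}\n".format(url))
                    if len(title) > 4:
                        outfd.write("Title: {0}\n".format(title))
            else:
                outfd.write("*" * 50 + "\n")
                outfd.write("Process: {0} {1}\n".format(process.UniqueProcessId, process.ImageFileName))
                outfd.write("Cache type \"{0}\" at {1:#x}\n".format(record.Signature, record.obj_offset))
                outfd.write("Record length: {0:#x}\n".format(record.Length))
                outfd.write("Location: {0}\n".format(record.Url))

                ## Extended fields are available for these records
                if record.obj_name == "_URL_RECORD":
                    outfd.write("Last modified: {0}\n".format(record.LastModified))
                    outfd.write("Last accessed: {0}\n".format(record.LastAccessed))
                    # The original passed record.Length as the first argument,
                    # so every value was printed under the wrong label and
                    # DataSize was never shown.
                    outfd.write("File Offset: {0:#x}, Data Offset: {1:#x}, Data Length: {2:#x}\n".format(
                                record.FileOffset, record.DataOffset, record.DataSize))
                    if record.FileOffset > 0:
                        outfd.write("File: {0}\n".format(record.File))
                    if record.has_data():
                        outfd.write("Data: {0}\n".format(record.Data))

    def render_csv(self, outfd, data):
        """Write one CSV row per record: signature, last modified, last accessed, URL.

        The timestamps are empty for records that are not _URL_RECORD objects.
        """
        import csv

        # URLs are recovered from process memory and can contain commas,
        # quotes or line breaks. csv.writer quotes such fields, so one record
        # cannot spill into extra columns or rows; fields without special
        # characters are written exactly as before.
        # NOTE(review): quoting handles delimiters only. Values that start
        # with '=', '+', '-' or '@' are still treated as formulas by
        # spreadsheet applications when the file is opened there.
        writer = csv.writer(outfd, lineterminator = "\n")

        for process, record in data:
            if record.obj_name == "_URL_RECORD":
                t1 = str(record.LastModified or '')
                t2 = str(record.LastAccessed or '')
            else:
                t1 = t2 = ""

            writer.writerow(["{0}".format(record.Signature),
                             t1.strip(),
                             t2.strip(),
                             "{0}".format(record.Url)])

# tar member header: volatility_2.6+git20170711.b3db0cc/volatility/plugins/raw2dmp.py0000644000000000000000000001666113131215405022756 0ustar rootroot
# Volatility
# Copyright (C) 2009-2013 Volatility Foundation
# Copyright (C) Mike Auty
#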
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

import os
import volatility.obj as obj
import volatility.utils as utils
import volatility.addrspace as addrspace
import volatility.plugins.imagecopy as imagecopy

class Raw2dmp(imagecopy.ImageCopy):
    """Converts a physical memory sample to a windbg crash dump"""

    def calculate(self):
        """Return the generator produced by convert_to_crash() for this
        plugin's configuration and its OUTPUT_IMAGE setting."""
        config = self._config
        output = self._config.OUTPUT_IMAGE

        return self.convert_to_crash(config, output)

    @staticmethod
    def convert_to_crash(config, output):
        """Generate the contents of a crash dump for the configured image.

        Yields (offset, length, data) tuples: first the synthesised dump
        header at offset 0, then every block of available physical memory
        shifted by the header length.

        Side effects worth knowing when handling evidence:
          * config.WRITE is set to True and config.LOCATION is redirected to
            "file://" + output on the caller's config object.
          * The statements after the last yield only run once the consumer
            has exhausted the generator. They reopen `output` as an address
            space and write to it, so they presumably rely on the consumer
            having stored the yielded blocks in that file first - TODO
            confirm against ImageCopy.
          * The header is built from values found in the image (KDBG,
            DBGKD_GET_VERSION64, KUSER_SHARED_DATA), so the result is a
            derived artefact rather than a copy of the input.

        Raises RuntimeError when the KDBG block or _DBGKD_GET_VERSION64
        cannot be found.
        """
        blocksize = config.BLOCKSIZE
        config.WRITE = True
        pspace = utils.load_as(config, astype = 'physical')
        vspace = utils.load_as(config)

        memory_model = pspace.profile.metadata.get('memory_model', '32bit')

        if memory_model == "64bit":
            header_format = '_DMP_HEADER64'
        else:
            header_format = '_DMP_HEADER'

        # The header is assembled in a scratch buffer pre-filled with "PAGE"
        headerlen = pspace.profile.get_obj_size(header_format)
        headerspace = addrspace.BufferAddressSpace(config, 0, "PAGE" * (headerlen / 4))
        header = obj.Object(header_format, offset = 0, vm = headerspace)

        kuser = obj.Object("_KUSER_SHARED_DATA",
                           offset = obj.VolMagic(vspace).KUSER_SHARED_DATA.v(),
                           vm = vspace)
        kdbg = obj.VolMagic(vspace).KDBG.v()
        if not kdbg:
            raise RuntimeError("Couldn't find KDBG block. Wrong profile?")

        # Scanning the memory region near KDDEBUGGER_DATA64 for
        # DBGKD_GET_VERSION64
        dbgkd = kdbg.dbgkd_version64()
        if not dbgkd:
            raise RuntimeError("Couldn't find _DBGKD_GET_VERSION64.")

        # Set the correct file magic
        for i in range(len("PAGE")):
            header.Signature[i] = [ ord(x) for x in "PAGE"][i]

        # Write the KeDebuggerDataBlock and ValidDump headers
        dumptext = "DUMP"
        header.KdDebuggerDataBlock = kdbg.obj_offset
        if memory_model == "64bit":
            dumptext = "DU64"
            # The upper 16 bits of the address are forced to ones here
            header.KdDebuggerDataBlock = kdbg.obj_offset | 0xFFFF000000000000
        for i in range(len(dumptext)):
            header.ValidDump[i] = ord(dumptext[i])

        # The PaeEnabled member is essential for x86 crash files
        if memory_model == "32bit":
            if hasattr(vspace, "pae") and vspace.pae == True:
                header.PaeEnabled = 0x1
            else:
                header.PaeEnabled = 0x0

        # Set members of the crash header
        header.MajorVersion = dbgkd.MajorVersion
        header.MinorVersion = dbgkd.MinorVersion
        header.DirectoryTableBase = vspace.dtb
        header.PfnDataBase = kdbg.MmPfnDatabase
        header.PsLoadedModuleList = kdbg.PsLoadedModuleList
        header.PsActiveProcessHead = kdbg.PsActiveProcessHead
        header.MachineImageType = dbgkd.MachineType

        # DumpType is written as a raw little-endian 1
        headerspace.write(header.DumpType.obj_offset, "\x01\x00\x00\x00")

        # Find the number of processors
        header.NumberProcessors = len(list(kdbg.kpcrs()))

        # In MS crash dumps, SystemTime will not be set. It will
        # represent the "Debug session time:". We are
        # using the member to represent the time the sample was
        # collected.
        header.SystemTime = kuser.SystemTime.as_windows_timestamp()

        # Zero out the BugCheck members
        header.BugCheckCode = 0x00000000
        header.BugCheckCodeParameter[0] = 0x00000000
        header.BugCheckCodeParameter[1] = 0x00000000
        header.BugCheckCodeParameter[2] = 0x00000000
        header.BugCheckCodeParameter[3] = 0x00000000

        # Set the sample run information. We used to take the sum of the size
        # of all runs, but that assumed the base layer was raw. In the case
        # of base layers such as ELF64 core dump or any other run-based address
        # space that may have holes for device memory, that would fail because
        # any runs after the first hole would then be at the wrong offset.
        # NOTE(review): indexing [-1] raises IndexError when the physical
        # space reports no available addresses.
        last_run = list(pspace.get_available_addresses())[-1]
        num_pages = (last_run[0] + last_run[1]) / 0x1000
        header.PhysicalMemoryBlockBuffer.NumberOfRuns = 0x00000001
        header.PhysicalMemoryBlockBuffer.NumberOfPages = num_pages
        header.PhysicalMemoryBlockBuffer.Run[0].BasePage = 0x0000000000000000
        header.PhysicalMemoryBlockBuffer.Run[0].PageCount = num_pages
        header.RequiredDumpSpace = (num_pages + 2) * 0x1000

        # Zero out the remaining non-essential fields
        ContextRecordOffset = headerspace.profile.get_obj_offset(header_format, "ContextRecord")
        ExceptionOffset = headerspace.profile.get_obj_offset(header_format, "Exception")
        headerspace.write(ContextRecordOffset, "\x00" * (ExceptionOffset - ContextRecordOffset))

        # Set the "converted" comment
        CommentOffset = headerspace.profile.get_obj_offset(header_format, "Comment")
        headerspace.write(CommentOffset, "File was converted with Volatility" + "\x00")

        # Yield the header
        yield 0, headerlen, headerspace.read(0, headerlen)

        # Write the main body
        for s, l in pspace.get_available_addresses():
            for i in range(s, s + l, blocksize):
                # The final block of a run may be shorter than blocksize
                len_to_read = min(blocksize, s + l - i)
                yield i + headerlen, len_to_read, pspace.read(i, len_to_read)

        # Reset the config so volatility opens the crash dump
        config.LOCATION = "file://" + output

        # Crash virtual space
        crash_vspace = utils.load_as(config)

        # The KDBG in the new crash dump
        crash_kdbg = obj.VolMagic(crash_vspace).KDBG.v()

        # The KPCR for the first CPU
        kpcr = list(crash_kdbg.kpcrs())[0]

        # Set the CPU CONTEXT properly for the architecture
        if memory_model == "32bit":
            kpcr.PrcbData.ProcessorState.ContextFrame.SegGs = 0x00
            kpcr.PrcbData.ProcessorState.ContextFrame.SegCs = 0x08
            kpcr.PrcbData.ProcessorState.ContextFrame.SegDs = 0x23
            kpcr.PrcbData.ProcessorState.ContextFrame.SegEs = 0x23
            kpcr.PrcbData.ProcessorState.ContextFrame.SegFs = 0x30
            kpcr.PrcbData.ProcessorState.ContextFrame.SegSs = 0x10
        else:
            kpcr.Prcb.ProcessorState.ContextFrame.SegGs = 0x00
            kpcr.Prcb.ProcessorState.ContextFrame.SegCs = 0x18
            kpcr.Prcb.ProcessorState.ContextFrame.SegDs = 0x2b
            kpcr.Prcb.ProcessorState.ContextFrame.SegEs = 0x2b
            kpcr.Prcb.ProcessorState.ContextFrame.SegFs = 0x53
            kpcr.Prcb.ProcessorState.ContextFrame.SegSs = 0x18

        # Write the decoded KDBG block so Windbg can interpret it properly
        if hasattr(kdbg, 'block_encoded') and kdbg.block_encoded:
            crash_vspace.write(crash_kdbg.obj_offset, kdbg.obj_vm.data)
volatility_2.6+git20170711.b3db0cc/volatility/plugins/heaps.py0000644000000000000000000000245213131215405022473 0ustar rootroot
# Volatility
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

import volatility.obj as obj

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class HeapModification(obj.ProfileModification):
    """Profile modification that overlays _PEB.ProcessHeaps as a pointer to
    an array of _HEAP pointers. Applied to profiles whose 'os' is 'windows'
    and ordered before WindowsObjectClasses."""

    before = ["WindowsObjectClasses"]
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        """Merge the ProcessHeaps overlay into the given profile."""
        # The array length is taken from the NumberOfHeaps member of the same
        # structure at access time.
        # NOTE(review): that count is read from the analysed image, so code
        # iterating ProcessHeaps presumably needs its own sanity bound -
        # verify against callers.
        profile.merge_overlay({
            '_PEB': [ None, {
            'ProcessHeaps': [ None, ['pointer', ['array', lambda x : x.NumberOfHeaps, ['pointer', ['_HEAP']]]]],
            }],
            })
volatility_2.6+git20170711.b3db0cc/volatility/protos.py0000644000000000000000000001442213131215405021240 0ustar rootroot
# Lookup table from a numeric protocol identifier (0-255) to its short name.
# NOTE(review): key 84 appears twice below ("TTP" then "IPTM"); in a dict
# literal the later entry wins, so protos[84] is "IPTM".
protos = {
    0:"HOPOPT", 1:"ICMP", 2:"IGMP", 3:"GGP", 4:"IPv4", 5:"ST", 6:"TCP", 7:"CBT",
    8:"EGP", 9:"IGP", 10:"BBN-RCC-MON", 11:"NVP-II", 12:"PUP", 13:"ARGUS",
    14:"EMCON", 15:"XNET", 16:"CHAOS", 17:"UDP", 18:"MUX", 19:"DCN-MEAS",
    20:"HMP", 21:"PRM", 22:"XNS-IDP", 23:"TRUNK-1", 24:"TRUNK-2", 25:"LEAF-1",
    26:"LEAF-2", 27:"RDP", 28:"IRTP", 29:"ISO-TP4", 30:"NETBLT", 31:"MFE-NSP",
    32:"MERIT-INP", 33:"DCCP", 34:"3PC", 35:"IDPR", 36:"XTP", 37:"DDP",
    38:"IDPR-CMTP", 39:"TP++", 40:"IL", 41:"IPv6", 42:"SDRP", 43:"IPv6-Route",
    44:"IPv6-Frag", 45:"IDRP", 46:"RSVP", 47:"GRE", 48:"DSR", 49:"BNA",
    50:"ESP", 51:"AH", 52:"I-NLSP", 53:"SWIPE", 54:"NARP", 55:"MOBILE",
    56:"TLSP", 57:"SKIP", 58:"IPv6-ICMP", 59:"IPv6-NoNxt", 60:"IPv6-Opts",
    61:"Host-interal", 62:"CFTP", 63:"Local Network", 64:"SAT-EXPAK",
    65:"KRYPTOLAN", 66:"RVD", 67:"IPPC", 68:"Dist-FS", 69:"SAT-MON",
    70:"VISA", 71:"IPCV", 72:"CPNX", 73:"CPHB", 74:"WSN", 75:"PVP",
    76:"BR-SAT-MON", 77:"SUN-ND", 78:"WB-MON", 79:"WB-EXPAK", 80:"ISO-IP",
    81:"VMTP", 82:"SECURE-VMTP", 83:"VINES", 84:"TTP", 84:"IPTM",
    85:"NSFNET-IGP", 86:"DGP", 87:"TCF", 88:"EIGRP", 89:"OSPFIGP",
    90:"Sprite-RPC", 91:"LARP", 92:"MTP", 93:"AX.25", 94:"IPIP", 95:"MICP",
    96:"SCC-SP", 97:"ETHERIP", 98:"ENCAP", 99:"Encryption", 100:"GMTP",
    101:"IFMP", 102:"PNNI", 103:"PIM", 104:"ARIS", 105:"SCPS", 106:"QNX",
    107:"A/N", 108:"IPComp", 109:"SNP", 110:"Compaq-Peer", 111:"IPX-in-IP",
    112:"VRRP", 113:"PGM", 114:"0-hop", 115:"L2TP", 116:"DDX", 117:"IATP",
    118:"STP", 119:"SRP", 120:"UTI", 121:"SMP", 122:"SM", 123:"PTP",
    124:"ISIS over IPv4", 125:"FIRE", 126:"CRTP", 127:"CRUDP", 128:"SSCOPMCE",
    129:"IPLT", 130:"SPS", 131:"PIPE", 132:"SCTP", 133:"FC",
    134:"RSVP-E2E-IGNORE", 135:"Mobility Header", 136:"UDPLite",
    137:"MPLS-in-IP", 138:"manet", 139:"HIP", 140:"Shim6", 141:"WESP",
    142:"ROHC",
    143:"Unassigned", 144:"Unassigned", 145:"Unassigned", 146:"Unassigned", 147:"Unassigned",
    148:"Unassigned", 149:"Unassigned", 150:"Unassigned", 151:"Unassigned", 152:"Unassigned",
    153:"Unassigned", 154:"Unassigned", 155:"Unassigned", 156:"Unassigned", 157:"Unassigned",
    158:"Unassigned", 159:"Unassigned", 160:"Unassigned", 161:"Unassigned", 162:"Unassigned",
    163:"Unassigned", 164:"Unassigned", 165:"Unassigned", 166:"Unassigned", 167:"Unassigned",
    168:"Unassigned", 169:"Unassigned", 170:"Unassigned", 171:"Unassigned", 172:"Unassigned",
    173:"Unassigned", 174:"Unassigned", 175:"Unassigned", 176:"Unassigned", 177:"Unassigned",
    178:"Unassigned", 179:"Unassigned", 180:"Unassigned", 181:"Unassigned", 182:"Unassigned",
    183:"Unassigned", 184:"Unassigned", 185:"Unassigned", 186:"Unassigned", 187:"Unassigned",
    188:"Unassigned", 189:"Unassigned", 190:"Unassigned", 191:"Unassigned", 192:"Unassigned",
    193:"Unassigned", 194:"Unassigned", 195:"Unassigned", 196:"Unassigned", 197:"Unassigned",
    198:"Unassigned", 199:"Unassigned", 200:"Unassigned", 201:"Unassigned", 202:"Unassigned",
    203:"Unassigned", 204:"Unassigned", 205:"Unassigned", 206:"Unassigned", 207:"Unassigned",
    208:"Unassigned", 209:"Unassigned", 210:"Unassigned", 211:"Unassigned", 212:"Unassigned",
    213:"Unassigned", 214:"Unassigned", 215:"Unassigned", 216:"Unassigned", 217:"Unassigned",
    218:"Unassigned", 219:"Unassigned", 220:"Unassigned", 221:"Unassigned", 222:"Unassigned",
    223:"Unassigned", 224:"Unassigned", 225:"Unassigned", 226:"Unassigned", 227:"Unassigned",
    228:"Unassigned", 229:"Unassigned", 230:"Unassigned", 231:"Unassigned", 232:"Unassigned",
    233:"Unassigned", 234:"Unassigned", 235:"Unassigned", 236:"Unassigned", 237:"Unassigned",
    238:"Unassigned", 239:"Unassigned", 240:"Unassigned", 241:"Unassigned", 242:"Unassigned",
    243:"Unassigned", 244:"Unassigned", 245:"Unassigned", 246:"Unassigned", 247:"Unassigned",
    248:"Unassigned", 249:"Unassigned", 250:"Unassigned", 251:"Unassigned", 252:"Unassigned",
    253:"Experimental", 254:"Experimental", 255:"Reserved",
    }
volatility_2.6+git20170711.b3db0cc/volatility/cache.py0000644000000000000000000005771013131215405020764 0ustar rootroot
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.

"""
This module implements the volatility caching subsystem.

The volatility caching subsystem has the following design goals:

 1) Ability to cache arbitrary objects - This allows complex objects to
    be cached for later retrieval. For example, objects may be as
    simple as constants for KPCR addresses, to entire x86 page
    translation tables, or even hibernation decompression
    datastructures. To achieve this we use the standard python pickle
    system.
    In many use cases, the cache needs to facilitate persistent
    memoising of functions and generators (more on that below).

 2) Cached objects are stored by a hierarchical key namespace. Keys
    are specified in a URL notation. By default, relative URLs are
    interpreted relative to the memory image location (the value of
    the --location option). This scheme allows us to specify both
    global (per installation) and per image keys. For example given
    an image located in /tmp/foobar.img:

    - file:///tmp/foobar.img/kernel/debugging/KPCR refers to this
      image's KPCR location.

    - file:///tmp/foobar.img/address_spaces/memory_translation/pdpte
      refers to the cached page tables.

    - http://www.volatility.org/schema#configuration/renderer
      specifies the currently configured renderer (i.e. it's a global
      setting).

 3) Storage of the cache is abstracted and selectable via the
    --cache_engine configuration variable. This allows the separation
    of the concrete storage of the cache from the abstraction of the
    cache in a running process.

Abstraction of Cache
--------------------

Within the running volatility framework the cache appears as an
abstract tree with nodes inherited from the CacheNode class:

  class CacheNode(object):
     def __init__(self, name, parent, payload = None):
        ''' Creates a new Cache node under the parent. The new node
        will carry the specified payload
        '''

     def __str__(self):
        ''' Produce a human readable version of the payload '''

     def set_payload(self, payload):
        ''' Update the current payload with the new specified payload '''

     def dump(self):
        ''' Dump the node to disk for later retrieval. This is
        normally called when the process has exited. '''

     def get_payload(self):
        ''' retrieve this node's payload '''

In order to check the cache, plugins issue the Cache.Check() function:

  def Check(path, callback = None, cls = CacheNode):
      ''' Traverse the cache tree and retrieve the stored CacheNode.
      If there is no such stored CacheNode and callback is specified,
      attempt to create it using the cache_node_class with the payload
      returned from the callback. If callback is not specified we just
      return None.

Decorators
----------

You can also use the cache decorator to cache the results of any
function - this is probably the easiest way to apply caching to
existing code. For example, suppose we want to cache the results of
the psscan plugin:

  class PSScan(commands.Command):
     ....
     @cache("/scanners/psscan")
     def calculate(self):
         .....

This will automatically create the CacheNode at the specified tree
location (note that since the URL is given as a relative URL it is
based at the current value of the --location - that means it applies
to the current memory image only).

Note that since calculate() returns a generator, the decorator will
also return a generator - It will not iterate over the calculate
method unnecessarily, but will yield results immediately. This does
not compromise performance in the case of a cache miss. Unfortunately
this also means that if the generator is stopped prematurely, we are
unable to cache the result set in the general case. This is the only
caveat on caching generators.

Storage classes
---------------

The cache system discussed above can be thought of as an abstract
construct in the process memory. To make it persistent on disk we have
the storage class (which can be selected using the --cache_engine
directive). The following cache engines are implemented:

File Storage
============

This is the default cache engine. We simply maintain a directory
structure which corresponds to the URL of the key after applying the
appropriate filesystem safe escaping operation. Objects are stored in
stand alone files using the pickle module. Because unpickling a file
can execute code chosen by whoever wrote it, the cache directory must
be writable only by the user who runs the analysis.
Zip Storage
===========

This storage is essentially the same as the File storage above, except
that the cache directory for each image file is maintained in a Zip
file stored at the --cache_directory directive with the same filename
as the image and a .zip extension.

Use cases
---------

The following common use cases are discussed:

 1) Dynamic address spaces. In some address spaces memory address
    mappings can not be cached since they change all the time. For
    example in the firewire address space, it is incorrect to cache
    any page translations or scanning results etc. This is easily
    achieved by having the firewire address space store a
    BlockingCacheNode() instance at critical tree nodes. These prevent
    new nodes from being inserted into the tree and force a cache miss
    whenever any keys are searched under these nodes. Note that this
    still allows the cache to store the locations of things which
    might not change, even for live memory analysis, such as KPCR
    locations.

 2) History logging and audit logs. Currently volatility works by
    running the framework multiple times on the same plugin with
    different command line options. This can be audited using the
    caching system by storing the current command line in a specific
    location using a specific CacheNode. This implementation can be
    used to append new command lines to the same key. Configuration
    options can also become sticky in this way and remember the same
    values they had previously. This saves users from having to append
    many command line arguments (i.e. having to specify --profile,
    --kpcr, --dtb on every command line).

 3) Unit tests. Unit tests can be easily implemented using the caching
    subsystem as follows:

    - A test() method is added to each plugin. Usually this is
      actually the same as calculate().

    - This method is decorated to be cached under the
      "/tests/pluginname" key (i.e. relative to the current
      image). The CacheNode implementation is TestCacheNode which
      implements a special update_payload() method.
      The TestCacheNode also ensures that a cache miss always occurs
      (by implementing a get_payload() method which returns None).

    - The update_payload() method ensures that the old payload and the
      new payloads are the same (if they are generators we ensure each
      member is the same as well - using the __eq__ method).

    The overall result is that unit tests can be run on any image as
    normal. If the particular test was never run on the image, we just
    cache the result of the plugin. If on the other hand, the test
    was already run on this image, the old result is compared to the
    new result and if a discrepancy is detected, an exception is
    raised.

    This testing framework is easy to implement and automatically
    guards against regression bugs. Since we use the __eq__ method of
    arbitrary objects, it's also not limited to testing text string
    matches. For example, the object framework defines two objects as
    being equal if they are of the same type and they point at the
    same address. Even if the textual representation of the object's
    printouts has changed between versions, as long as the same
    objects are found in both cases no regressions will be reported.

 4) Reporting framework. By having a persistent caching framework we
    now have the concept of a volatility analysis session. In other
    words, each new execution of volatility adds new information to
    what we know about the image. This new information is stored in
    the cache tree. We can actually produce a full report from the
    cache tree by traversing all the CacheNodes and calling their
    __str__() methods.

    If caching is introduced via decorators, the CacheNode already
    knows about the render() method of the plugin and can
    automatically generate the output from the plugin (this is very
    fast as the result of calculate() is received from the cache). We
    therefore can generate a full report of all the plugins very
    quickly automatically.

    By default CacheNodes have an empty __str__() method, so things
    like pas2kas lookup tables are not reported.
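Specialised reporting functions can be made if needed by implementing
__str__() functions as needed.
"""
import types
import os
import urlparse
import volatility.conf as conf
import volatility.obj as obj
import volatility.debug as debug
import volatility.exceptions as exceptions
import cPickle as pickle

config = conf.ConfObject()

## Where to stick the cache
default_cache_location = os.path.join((os.environ.get("XDG_CACHE_HOME") or os.path.expanduser("~/.cache")), "volatility")

config.add_option("CACHE-DIRECTORY", default = default_cache_location,
                  cache_invalidator = False,
                  help = "Directory where cache files are stored")

class CacheContainsGenerator(exceptions.VolatilityException):
    """Exception raised when the cache contains a generator"""
    pass

class InvalidCache(Exception):
    """Exception raised when the cache item is determined to be invalid."""
    pass

class CacheNode(object):
    """ Base class for Cache nodes """
    def __init__(self, name, stem, storage = None, payload = None, invalidator = None):
        ''' Creates a new Cache node under the parent. The new node
        will carry the specified payload
        '''
        self.name = name
        self.payload = payload
        self.storage = storage
        self.stem = stem

        # This object encapsulate the running environment. If the
        # environment during the time of unpickling differs from the
        # environment during the time of pickling we refuse to
        # unpickle this object, and the cache misses. We dont really
        # do anything with it, just have it serialised as well.
        self.invalidator = invalidator

    def __getitem__(self, item = ''):
        """Load the child node stored under <stem>/<item>.

        Raises KeyError when the storage has nothing usable for that key;
        any exception raised while loading is reported as a KeyError too,
        so a missing, unreadable or invalidated entry is a cache miss.
        """
        item_url = "{0}/{1}".format(self.stem, item)

        ## Try to load it from the storage manager
        try:
            result = self.storage.load(item_url)
            if result:
                return result
        except Exception, e:
            raise KeyError(e)

        ## Make a new empty Node instead on demand
        raise KeyError("item not found")

    def __str__(self):
        ''' Produce a human readable version of the payload. '''
        return ''

    def _find_generators(self, item):
        """ A recursive function to flatten generators into lists """
        try:
            result = []
            # Make sure dicts aren't flattened to lists
            if isinstance(item, dict):
                result = {}
                for i in item:
                    result[self._find_generators(i)] = self._find_generators(item[i])
                return result

            # Since NoneObjects and strings are both iterable, treat them specially
            if isinstance(item, obj.NoneObject) or isinstance(item, str):
                return item

            if isinstance(item, types.GeneratorType):
                raise CacheContainsGenerator
            for x in iter(item):
                flat_x = self._find_generators(x)
                result.append(flat_x)

            return result
        except TypeError:
            # Not iterable: store the item as it is
            return item

    def set_payload(self, payload):
        ''' Update the current payload with the new specified payload '''
        try:
            self.payload = self._find_generators(payload)
        except CacheContainsGenerator:
            # This only works because None payload cached results are rerun
            self.payload = None

    def dump(self):
        ''' Dump the node to disk for later retrieval. This is
        normally called when the process has exited. '''
        # Nodes with an empty payload are never written
        if self.payload:
            self.storage.dump(self.stem, self)

    def get_payload(self):
        """Retrieve this node's payload"""
        return self.payload

class BlockingNode(CacheNode):
    """Node that fails on all cache attempts and no-ops on cache storage attempts"""
    def __init__(self, name, stem, **kwargs):
        CacheNode.__init__(self, name, stem, **kwargs)

    def __getitem__(self, item = ''):
        """Children of a blocking node are blocking nodes; storage is never read."""
        return BlockingNode(item, '/'.join((self.stem, item)))

    def dump(self):
        """Ensure nothing gets dumped"""
        pass

    def get_payload(self):
        """Do not set a payload for a blocked cache node"""
        pass

class Invalidator(object):
    """ The Invalidator encapsulates program state to control
    invalidation of the cache.

    1) This object registers callbacks using the add_condition() method.

    2) Prior to serialising the cache object the callbacks are called
    returning a signature dict.

    3) When unpickling the cached object, we call the invalidator to
    produce a signature dict again, and compare this to the pickled
    version. The purpose of the callbacks is to represent a signature
    of the current state of execution. If the signature changes, the
    cache is invalidated.
    """
    def __init__(self):
        self.callbacks = {}

    def add_condition(self, key, callback):
        """Callback will be stored under key and should return a string. """
        self.callbacks[key] = callback

    def __setstate__(self, state):
        """Compare the pickled signature dict with the running environment.

        Raises InvalidCache when a key present on both sides has a different
        value. Keys that exist on only one side are ignored (see the TODO),
        so this is a consistency check on the analysis environment and says
        nothing about where the cache file came from.
        """
        ## We do not actually have any callbacks here - we must use
        ## the global cache invalidator. We cant really get away from
        ## having a global invalidator.
        for k, v in CACHE.invalidator.callbacks.items():
            # TODO: Determine what happens if the state or current callbacks
            # contain a key that's not in the other
            if k in state and v() != state[k]:
                debug.debug("Invaliding cache... {0} (Running) != {1} (Stored) on key {2}".format(v(), state[k], k))
                raise InvalidCache("Running environment inconsistant "
                                   "with pickled environment - "
                                   "invalidating cache.")

    def __getstate__(self):
        """When pickling ourselves we call our callbacks to provide a
        dict of strings (our state signature). This dict should
        reflect all of our running state at the moment. This will then
        be compared to the state signature when unpickling and if its
        different we invalidate the cache.
        """
        result = {}
        for k, v in CACHE.invalidator.callbacks.items():
            result[k] = v()

        debug.debug("Pickling State signature: {0}".format(result))

        return result

class CacheTree(object):
    """ An abstract structure which represents the cache tree """
    def __init__(self, storage = None, cls = CacheNode, invalidator = None):
        self.storage = storage
        self.cls = cls
        self.invalidator = invalidator
        self.root = self.cls('', '', storage = storage, invalidator = invalidator)

    def __getitem__(self, path):
        """Pythonic interface to the cache"""
        return self.check(path, cls = self.cls)

    def invalidate_on(self, key, callback):
        """Register callback under key with this tree's invalidator."""
        self.invalidator.add_condition(key, callback)

    def check(self, path, callback = None, cls = CacheNode):
        """ Retrieves the node at the path specified """
        # Abort if we haven't been given a location
        if not config.LOCATION:
            return None

        ## Normalise the path
        path = urlparse.urljoin(config.LOCATION + "/", path)

        elements = path.split("/")
        current = self.root
        for e in elements:
            try:
                current = current[e]
            except KeyError:
                # Nothing stored for this element: build a fresh node in
                # memory, filled from the callback when one was given
                if current.stem:
                    next_stem = '/'.join((current.stem, e))
                else:
                    next_stem = e

                payload = None
                if callback is not None:
                    payload = callback()
                node = cls(e, next_stem, storage = self.storage, payload = payload, invalidator = self.invalidator)
                current = node

        return current

class CacheStorage(object):
    """ The base class for implementation storing the cache. """
    ## Characters allowed in filenames (/'s are allowed since we're dealing with URLs only)
    printables = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_./"

    def encode(self, string):
        """Return string with every character outside `printables`
        replaced by %XX (two upper-case hex digits)."""
        result = ''
        for x in string:
            if x in self.printables:
                result += x
            else:
                result += "%{0:02X}".format(ord(x))
        return result

    def filename(self, url):
        """Map a cache URL to an absolute path below CACHE_DIRECTORY.

        Raises CacheRelativeURLException when url does not start with
        config.LOCATION.

        NOTE(review): '.' and '/' pass through encode() unchanged and the
        result goes through os.path.abspath(), so a key containing '..'
        components would resolve outside the per-image cache directory.
        The keys seen in this file come from plugin code; re-check this if
        a key is ever built from image-derived data.
        """
        if url.startswith(config.LOCATION):
            # Encode just the path part, since everything else is taken from relatively safe/already used data
            path = self.encode(url[len(config.LOCATION):])
        else:
            raise exceptions.CacheRelativeURLException("Storing non relative URLs is not supported now ({0})".format(url))

        # Join together the bits we need, and abspath it to ensure it's right for the OS it's on
        path = os.path.abspath(os.path.sep.join([config.CACHE_DIRECTORY, os.path.basename(config.LOCATION) + ".cache", path + '.pickle']))

        return path

    def load(self, url):
        """Read and unpickle the cache entry stored for url.

        SECURITY: pickle.loads() can run code named by the file it reads, so
        every file under CACHE_DIRECTORY is as trusted as the program
        itself. Keep that directory writable only by the user running the
        analysis, and do not point it at a cache received from someone else
        or at a shared location. The Invalidator check does not authenticate
        the file.
        """
        filename = self.filename(url)

        debug.debug("Loading from {0}".format(filename))
        # Pickle data is binary; the with-block also closes the handle,
        # which the previous open(filename).read() never did
        with open(filename, 'rb') as fd:
            data = fd.read()

        debug.trace(level = 3)
        return pickle.loads(data)

    def dump(self, url, payload):
        """Pickle payload into the cache file for url.

        Returns without writing when the URL is not under config.LOCATION
        or when the payload cannot be pickled. Missing directories are
        created with the process's default permissions.
        """
        # TODO: Ensure a better check for ieee1394/non-cachable address spaces than a bad URL
        try:
            filename = self.filename(url)
        except exceptions.CacheRelativeURLException:
            debug.debug("NOT Dumping url {0} - relative URLs are not yet supported".format(url))
            return

        ## Check that the directory exists
        directory = os.path.dirname(filename)
        if not os.access(directory, os.R_OK | os.W_OK | os.X_OK):
            os.makedirs(directory)

        ## Ensure that the payload is flattened - i.e. all generators are converted to lists for pickling
        try:
            data = pickle.dumps(payload)
            debug.debug("Dumping filename {0}".format(filename))
            # Binary mode to match load(); the handle is closed even when
            # the write fails
            with open(filename, 'wb') as fd:
                fd.write(data)
        except (pickle.PickleError, TypeError):
            # Do nothing if the pickle fails
            debug.debug("NOT Dumping filename {0} - contained a non-picklable class".format(filename))

## This is the central cache object
CACHE = CacheTree(CacheStorage(), BlockingNode, invalidator = Invalidator())

def enable_caching(_option, _opt_str, _value, _parser):
    """Turns on caching by replacing the default tree of BlockingNodes with
    one that uses ordinary CacheNodes, and sets config.CACHE"""
    debug.debug("Enabling Caching")
    # Feels filthy using the global keyword,
    # but I can't figure another way to ensure that
    # the code gets called and overwrites the outer scope
    global CACHE
    CACHE = CacheTree(CacheStorage(), invalidator = Invalidator())
    config.CACHE = True

config.add_option("CACHE", default = False, action = 'callback',
                  cache_invalidator = False,
                  callback = enable_caching,
                  help = "Use caching")

class CacheDecorator(object):
    """ This decorator will memoise a function in the cache """
    def __init__(self, path):
        """Wraps a function in a cache decorator.

        The results of the function will be cached and memoised. Further
        calls to the function will retrieve the result from the
        cache. Cached objects are stored with the specified path as a
        key.

        Args:
           path: Key for storage into the cache. If this is callable,
           it will be called with the function's args and is expected
           to return a string which will be used as a path.

        Returns:
           A decorator.

        Example: Suppose the calculate function is decorated:

        @CacheDecorator(lambda self: "tests/pslist/pid{0}/".format(self._config.PID))
        def calculate(self):
           ....

        Note the use of the callback to finely tune the cache key depending on external variables.
        """
        self.path = path
        self.node = None

    def generate(self, path, g):
        """ Special handling for generators. We pass each iteration
        back immediately, and keep it in a list. Note that if the
        generator is aborted, the cache is not dumped.
        """
        payload = []
        for x in g:
            payload.append(x)
            yield x

        self.dump(path, payload)

    def dump(self, path, payload):
        """Store payload in the node at path and ask the node to dump itself."""
        self.node = CACHE[path]
        self.node.set_payload(payload)
        self.node.dump()

    def _cachewrapper(self, f, s, *args, **kwargs):
        """Wrapper for caching function calls"""
        ## See if the path is callable:
        if callable(self.path):
            path = self.path(s, *args, **kwargs)
        else:
            path = self.path

        ## Check if the result can be retrieved
        self.node = CACHE[path]
        # If this test goes away, we need to change the set_payload exception check
        # to act on dump instead of just the payload
        if self.node:
            payload = self.node.get_payload()
            if payload:
                return payload

        result = f(s, *args, **kwargs)

        ## If the wrapped function is a generator we need to
        ## handle it especially
        if isinstance(result, types.GeneratorType):
            return self.generate(path, result)

        self.dump(path, result)
        return result

    def __call__(self, f):
        """Return a wrapper that uses the cache only while config.CACHE is set."""
        def wrapper(s, *args, **kwargs):
            if config.CACHE:
                return self._cachewrapper(f, s, *args, **kwargs)
            return f(s, *args, **kwargs)

        return wrapper

class TestDecorator(CacheDecorator):
    """This decorator is just like a CacheDecorator, but will *always* cache fully"""
    def __call__(self, f):
        def wrapper(s, *args, **kwargs):
            return self._cachewrapper(f, s, *args, **kwargs)
        return wrapper

class Testable(object):
    """ This is a mixin that makes a class respond to the unit tests

        It must be inherited *after* the command class
    """
    def calculate(self):
        """Empty function used to allow mixin"""

    def _flatten(self, item):
        """Flattens an item, including all generators"""
        try:
            # Make sure dicts aren't flattened to lists
            if isinstance(item, dict):
                result = {}
                for i in item:
                    result[self._flatten(i)] = self._flatten(item[i])
                return result

            # NOTE(review): the listing this was rebuilt from had lost its
            # indentation, so it is not certain whether the return below sits
            # inside or after the loop. Confirm against the upstream file
            # before relying on what _flatten() returns for sequences.
            for x in iter(item):
                flat_x = self._flatten(x)
                return flat_x
        except TypeError:
            return item

    ## This forces the test to be memoised with a key name derived from the class name
    @TestDecorator(lambda self: "tests/unittests/{0}".format(self.__class__.__name__))
    def test(self):
        ## This forces iteration over all keys - this is required in order
        ## to flatten the full list for the cache
        ## We must ensure config.CACHE is False here, otherwise the change isn't registered in this module
        config.CACHE = False
        return self._flatten(self.calculate())
volatility_2.6+git20170711.b3db0cc/volatility/exceptions.py0000644000000000000000000000334413131215405022074 0ustar rootroot
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.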
# class VolatilityException(Exception): """Generic Volatility Specific exception, to help differentiate from other exceptions""" def __init__(self, *args, **kwargs): Exception.__init__(self, *args, **kwargs) class AddrSpaceError(VolatilityException): """Address Space Exception, so we can catch and deal with it in the main program""" def __init__(self): self.reasons = [] VolatilityException.__init__(self, "No suitable address space mapping found") def append_reason(self, driver, reason): self.reasons.append((driver, reason)) def __str__(self): result = VolatilityException.__str__(self) + "\nTried to open image as:\n" #pylint: disable-msg=E1101 for k, v in self.reasons: result += " {0}: {1}\n".format(k, v) return result class CacheRelativeURLException(VolatilityException): """Exception for gracefully not saving Relative URLs in the cache""" class SanityCheckException(VolatilityException): """Exception for failed sanity checks (which can potentially be disabled)""" volatility_2.6+git20170711.b3db0cc/volatility/conf.py0000755000000000000000000003563713131215405020655 0ustar rootroot## This file was taken from PyFlag http://www.pyflag.net/ # Michael Cohen # David Collett # # ****************************************************** # Version: FLAG $Version: 0.87-pre1 Date: Thu Jun 12 00:48:38 EST 2008$ # ****************************************************** # # * This program is free software; you can redistribute it and/or # * modify it under the terms of the GNU General Public License # * as published by the Free Software Foundation; either version 2 # * of the License, or (at your option) any later version. # * # * This program is distributed in the hope that it will be useful, # * but WITHOUT ANY WARRANTY; without even the implied warranty of # * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # * GNU General Public License for more details. 
# *
# * You should have received a copy of the GNU General Public License
# * along with this program; if not, write to the Free Software
# * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
# ******************************************************

#pylint: disable-msg=C0111

""" Configuration modules for pyflag.

PyFlag is a complex package and requires a flexible configuration
system. The following are the requirements of the configuration
system:

1) Configuration must be available from a number of sources:

   - Autoconf must be able to set things like the python path (in case
     pyflag is installed to a different prefix)

   - Users must be able to configure the installed system for their
     specific requirements.

   - Unconfigured parameters must be resolved at run time through the
     GUI and saved.

2) Configuration must be able to apply to cases specifically.

3) Because pyflag is modular, configuration variables might be required
   for each module. This means that definitions and declarations of
   configuration variables must be distributed in each plugin.

These goals are achieved by the use of multiple sources of
configuration information:

   - The system wide configuration file is this file: conf.py. It is
     generated from the build system from conf.py.in by substituting
     autoconfigured variables into it. It contains the most basic
     settings related to the installation, e.g. which python
     interpreter is used, where the python modules are installed
     etc. In particular it refers to the location of the system
     configuration file (usually found in /usr/local/etc/pyflagrc, or
     in /etc/pyflagrc).

   - The sysconfig file contains things like where the upload
     directory is, where to store temporary files etc. These are mainly
     installation wide settings which are expected to be modified by the
     administrator. Note that if you want the GUI to manipulate this
     file it needs to be writable by the user running the GUI.

   - Finally a conf table in each case is used to provide a per case
     configuration
"""
import ConfigParser
import optparse
import os
import sys

## System wide configuration file, tried first at import time (see the
## bottom of this module).
default_config = "/etc/volatilityrc"

class PyFlagOptionParser(optparse.OptionParser):
    """ OptionParser that tolerates unknown options until `final` is set.

    Options are registered incrementally by many modules, so parsing is
    attempted repeatedly; only the last (final) pass is allowed to
    report errors to the user.
    """
    ## Set by ConfObject.parse_options(); False means "more options may
    ## still be registered, do not complain yet".
    final = False
    ## Callables returning extra text appended to the help output.
    help_hooks = []

    def _process_args(self, largs, rargs, values):
        """ Delegates to optparse, swallowing bad-option errors unless final """
        try:
            return optparse.OptionParser._process_args(self, largs, rargs, values)
        except (optparse.BadOptionError, optparse.OptionValueError), err:
            if self.final:
                raise err

    def error(self, msg):
        """ Reports msg through optparse when final, else raises RuntimeError """
        ## We cant emit errors about missing parameters until we are
        ## sure that all modules have registered all their parameters
        if self.final:
            return optparse.OptionParser.error(self, msg)
        else:
            raise RuntimeError(msg)

    def print_help(self, file = sys.stdout):
        """ Prints the standard help followed by the output of every help hook """
        optparse.OptionParser.print_help(self, file)

        for cb in self.help_hooks:
            file.write(cb())

class ConfObject(object):
    """ This is a singleton class to manage the configuration.

    This means it can be instantiated many times, but each instance
    refers to the global configuration (which is set in class
    variables).

    NOTE: The class attributes have static dicts assigned to
    facilitate singleton behaviour. This means all future instances
    will have the same dicts.
    """
    optparser = PyFlagOptionParser(add_help_option = False,
                                   version = False,
                                   )
    initialised = False

    ## This is the globals dictionary which will be used for
    ## evaluating the configuration directives.
    ## NOTE(review): __builtins__ = None only removes the builtin names
    ## from the evaluation namespace. It is not a sandbox and must not
    ## be relied on to make eval() of untrusted text safe.
    g_dict = dict(__builtins__ = None)

    ## These are the options derived by reading any config files
    cnf_opts = {}

    ## Command line opts
    opts = {}
    args = None
    default_opts = {}
    docstrings = {}

    ## These are the actual options returned by the optparser:
    optparse_opts = None

    ## Filename where the configuration file is:
    _filename = None

    _filenames = []

    ## These parameters can not be updated by the GUI (but will be
    ## propagated into new configuration files)
    readonly = {}

    ## Absolute parameters can only be set by the code or command
    ## lines, they can not be over ridden in the configuration
    ## file. This ensures that only configuration files dont mask new
    ## options (e.g. schema version)
    _absolute = {}

    ## A list of option names:
    options = []

    ## Cache variants: There are configuration options which
    ## encapsulate the state of the running program. If any of these
    ## change all caches will be invalidated.
    cache_invalidators = {}

    def __init__(self):
        """ This is a singleton object kept in the class """
        ## The -h option is registered exactly once, on first instantiation.
        if not ConfObject.initialised:
            self.optparser.add_option("-h", "--help", action = "store_true", default = False,
                            help = "list all available options and their default values. Default values may be set in the configuration file (" + default_config + ")")

            ConfObject.initialised = True

    def set_usage(self, usage = None, version = None):
        """ Sets the usage string and/or version on the option parser """
        if usage:
            self.optparser.set_usage(usage)

        if version:
            self.optparser.version = version

    def add_file(self, filename, _type = 'init'):
        """ Adds a new file to parse

        The filename is appended to the list of known configuration
        files, cnf_opts is cleared, and the DEFAULT section of every
        known file is read again. Keys registered as absolute are
        skipped.

        SECURITY: every value read from a configuration file is passed
        to eval(). Configuration files are therefore code, not data, and
        every path that reaches this method has to be trusted.
        """
        self._filenames.append(filename)

        self.cnf_opts.clear()

        for f in self._filenames:
            try:
                conf_parser = ConfigParser.ConfigParser()
                conf_parser.read(f)

                for k, v in conf_parser.items('DEFAULT'):
                    ## Absolute parameters are protected from
                    ## configuration files:
                    if k in self._absolute.keys():
                        continue

                    ## SECURITY: eval() on file content. g_dict hides the
                    ## builtin names but does not confine the expression.
                    ## When evaluation fails the raw string is kept.
                    ## NOTE(review): ast.literal_eval would limit this to
                    ## literals, but would stop accepting expressions and
                    ## may change how some existing values are typed.
                    try:
                        v = eval(v, self.g_dict)
                    except Exception, _e:
                        pass

                    ## update the configured options
                    self.cnf_opts[k] = v

            ## NOTE(review): ConfigParser.read() normally skips files it
            ## cannot open, so this handler is probably rarely reached.
            except IOError:
                print "Unable to open {0}".format(f)

        ConfObject._filename = filename

    def print_help(self):
        """ Prints the option parser's help text """
        return self.optparser.print_help()

    def add_help_hook(self, cb):
        """ Adds an epilog to the help message """
        self.optparser.help_hooks.append(cb)

    def set_help_hook(self, cb):
        """ Replaces all help hooks with the single callback cb """
        self.optparser.help_hooks = [cb]

    def parse_options(self, final = True):
        """ Parses the options from command line and any conf files
        currently added.

        The final parameter should be only called from main programs
        at the point where they are prepared for us to call exit if
        required; (For example when we detect the -h parameter).
        """
        self.optparser.final = final

        ## Parse the command line options:
        try:
            (opts, args) = self.optparser.parse_args()

            self.opts.clear()

            ## Update our cmdline dict:
            for k in dir(opts):
                v = getattr(opts, k)
                if k in self.options and not v == None:
                    self.opts[k] = v

        except UnboundLocalError:
            raise RuntimeError("Unknown option - use -h to see help")

        ## If error() was called we catch it here
        except RuntimeError:
            opts = {}
            ## This gives us as much as was parsed so far
            args = self.optparser.largs

        self.optparse_opts = opts
        self.args = args

        if final:
            ## Reparse the config file again:
            self.add_file(self._filename)

            try:
                ## Help can only be set on the command line
                if getattr(self.optparse_opts, "help"):

                    ## Populate the metavars with the default values:
                    for opt in self.optparser.option_list:
                        try:
                            opt.metavar = "{0}".format((getattr(self, opt.dest) or
                                                        opt.dest.upper()))
                        except Exception, _e:
                            pass

                    self.optparser.print_help()
                    sys.exit(0)
            except AttributeError:
                pass

            ## Set the cache invalidators on the cache now:
            ## (imported here rather than at module level)
            import volatility.cache as cache
            for k, v in self.cache_invalidators.items():
                cache.CACHE.invalidate_on(k, v)

    def remove_option(self, option):
        """ Removes options both from the config file parser and the
            command line parser

            This should only by used on options *before* they have been read,
            otherwise things could get very confusing.
        """
        option = option.lower()

        if option in self.cache_invalidators:
            del self.cache_invalidators[option]

        ## Internal bookkeeping uses underscores where the command line uses dashes.
        normalized_option = option.replace("-", "_")

        if normalized_option not in self.options:
            return

        self.options.remove(normalized_option)

        if normalized_option in self.readonly:
            del self.readonly[normalized_option]

        if normalized_option in self.default_opts:
            del self.default_opts[normalized_option]

        if normalized_option in self._absolute:
            del self._absolute[normalized_option]

        del self.docstrings[normalized_option]

        self.optparser.remove_option("--{0}".format(option))

        try:
            self.parse_options(False)
        except AttributeError:
            pass

    def add_option(self, option, short_option = None,
                   cache_invalidator = True,
                   **args):
        """ Adds options both to the config file parser and the
        command line parser.

        Args:
          option:            The long option name.
          short_option:      An optional short option.
          cache_invalidator: If set, when this option changes all caches are invalidated.

        The keyword arguments 'readonly', 'default' and 'absolute' are
        consumed here; whatever remains is passed on to
        optparse's add_option.
        """
        option = option.lower()

        if cache_invalidator:
            self.cache_invalidators[option] = lambda : self.get_value(option)

        normalized_option = option.replace("-", "_")

        ## Registering the same option twice is a no-op.
        if normalized_option in self.options:
            return

        self.options.append(normalized_option)

        ## If this is read only we store it in a special dict
        try:
            if args['readonly']:
                self.readonly[normalized_option] = args['default']
            del args['readonly']
        except KeyError:
            pass

        ## If there is a default specified, we update our defaults dict:
        try:
            default = args['default']
            ## The default comes from the code registering the option,
            ## not from a file. Non-string or non-evaluable defaults are
            ## kept unchanged because the eval failure is ignored.
            try:
                default = eval(default, self.g_dict)
            except:
                pass

            self.default_opts[normalized_option] = default
            del args['default']
        except KeyError:
            pass

        try:
            self._absolute[normalized_option] = args['absolute']
            del args['absolute']
        except KeyError:
            pass

        self.docstrings[normalized_option] = args.get('help', None)

        if short_option:
            self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args)
        else:
            self.optparser.add_option("--{0}".format(option), **args)

        ## update the command line parser

        ## We have to do the try-catch for python 2.4 support of short
        ## arguments. It can be removed when python 2.5 is a requirement
        try:
            self.parse_options(False)
        except AttributeError:
            pass

    def update(self, key, value):
        """ This can be used by scripts to force a value of an option """
        ## readonly is the first store consulted by __getattr__, so a
        ## value placed here wins over every other source.
        self.readonly[key.lower()] = value

    def get_value(self, key):
        """ Returns the value of option key (dashes are mapped to underscores) """
        return getattr(self, key.replace("-", "_"))

    def __getattr__(self, attr):
        """ Resolves a configuration parameter by name.

        Sources are consulted in this order, first hit wins: real
        attributes, readonly values, parsed command line options, the
        option parser's values, the VOLATILITY_<NAME> environment
        variable, configuration files, registered defaults, and finally
        the raw optparse result. Raises AttributeError when none match.
        """
        ## If someone is looking for a configuration parameter but
        ## we have not parsed anything yet - do so now.
        ## NOTE(review): opts is a class-level dict initialised to {},
        ## so this condition looks like it is never true - confirm.
        if self.opts == None:
            self.parse_options(False)

        ## Maybe its a class method?
        try:
            return super(ConfObject, self).__getattribute__(attr)
        except AttributeError:
            pass

        ## Is it a ready only parameter (i.e. can not be overridden by
        ## the config file)
        try:
            return self.readonly[attr.lower()]
        except KeyError:
            pass

        ## Try to find the attribute in the command line options:
        try:
            return self.opts[attr.lower()]
        except KeyError:
            pass

        ## Has it already been parsed?
        try:
            tmp = getattr(self.optparser.values, attr.lower())
            if tmp:
                return tmp
        except AttributeError:
            pass

        ## Was it given in the environment?
        try:
            return os.environ["VOLATILITY_" + attr.upper()]
        except KeyError:
            pass

        ## No - try the configuration file:
        try:
            return self.cnf_opts[attr.lower()]
        except KeyError:
            pass

        ## No - is there a default for it?
        try:
            return self.default_opts[attr.lower()]
        except KeyError:
            pass

        ## Maybe its just a command line option:
        try:
            if not attr.startswith("_") and self.optparse_opts:
                return getattr(self.optparse_opts, attr.lower())
        except AttributeError:
            pass

        raise AttributeError("Parameter {0} is not configured - try setting it on the command line (-h for help)".format(attr))

class DummyConfig(ConfObject):
    pass

config = ConfObject()

## SECURITY: when /etc/volatilityrc is not readable the fallback is the
## relative name "volatilityrc", which is resolved against the current
## working directory. Because add_file() eval()s every value it reads,
## the directory the tool is started from becomes trusted input; avoid
## starting it from a directory whose contents you do not control.
if os.access(default_config, os.R_OK):
    config.add_file(default_config)
else:
    config.add_file("volatilityrc")

default_conf_path = ".volatilityrc"
try:
    default_conf_path = os.environ['HOME'] + '/.volatilityrc'
except KeyError:
    pass

config.add_option("CONF-FILE", default = default_conf_path,
                  cache_invalidator = False,
                  help = "User based configuration file")

## CONF_FILE is resolved through __getattr__, so the command line, the
## VOLATILITY_CONF_FILE environment variable or an earlier configuration
## file can each redirect it. The same eval() caveat applies to whatever
## file it names.
config.add_file(config.CONF_FILE)
volatility_2.6+git20170711.b3db0cc/volatility/validity.py0000644000000000000000000000306313131215405021536 0ustar rootroot
"""
Created on 4 May 2013

@author: mike
"""

class ValidityRoutines(object):
    """Class to hold all validation routines, such as type checking"""

    def type_check(self, value, valid_type):
        """Checks that value is an instance of valid_type, and returns value if it is.

           The check is an `assert` statement, so a failure raises
           AssertionError (not TypeError), and the check is skipped
           entirely when Python runs with assertions disabled (-O).
           Use confirm() for checks that must always run.

           :param value: The value of which to validate the type
           :type value: object
           :param valid_type: The type against which to validate
           :type valid_type: type
        """
        assert isinstance(value, valid_type), self.__class__.__name__ + " expected " + \
                valid_type.__name__ + ", not " + type(value).__name__
        return value

    def class_check(self, klass, valid_class):
        """Checks that klass is a subclass of valid_class.

           Nothing is returned. As in type_check, the check is an
           `assert`: a failure raises AssertionError and the check is
           skipped when assertions are disabled (-O).

           :param klass: Class to validate
           :type klass: class
           :param valid_class: Valid class against which to check class validity
           :type valid_class: class
        """
        assert issubclass(klass, valid_class), self.__class__.__name__ + " expected " + \
                valid_class.__name__ + ", not " + klass.__name__

    def confirm(self, assertion, error):
        """Acts like an assertion, but will not be disabled when __debug__ is disabled

           :param assertion: Value that must be truthy
           :param error: Message for the AssertionError, or None for a generic one
        """
        if not assertion:
            if error is None:
                error = "An unspecified Assertion was not met in " + self.__class__.__name__
            raise AssertionError(error)
volatility_2.6+git20170711.b3db0cc/volatility/commands.py0000644000000000000000000003147213131215405021517 0ustar rootroot
# Volatility
# Copyright (C) 2008-2015 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
# import os import sys import textwrap import time import volatility.debug as debug import volatility.fmtspec as fmtspec import volatility.obj as obj import volatility.registry as registry import volatility.renderers as renderers import volatility.addrspace as addrspace from volatility.renderers.basic import Address, Address64, Hex, Bytes from volatility.renderers.dot import DotRenderer from volatility.renderers.html import HTMLRenderer, JSONRenderer from volatility.renderers.sqlite import SqliteRenderer from volatility.renderers.text import TextRenderer, FormatCellRenderer, GrepTextRenderer from volatility.renderers.xlsx import XLSXRenderer class Command(object): """ Base class for each plugin command """ op = "" opts = "" args = "" cmdname = "" # meta_info will be removed meta_info = {} # Make these class variables so they can be modified across every plugin elide_data = True tablesep = " " text_sort_column = None def __init__(self, config, *_args, **_kwargs): """ Constructor uses args as an initializer. It creates an instance of OptionParser, populates the options, and finally parses the command line. Options are stored in the self.opts attribute. """ self._config = config self._formatlist = [] @staticmethod def register_options(config): """Registers options into a config object provided""" config.add_option("OUTPUT", default = 'text', cache_invalidator = False, help = "Output in this format (support is module specific, see the Module Output Options below)") config.add_option("OUTPUT-FILE", default = None, cache_invalidator = False, help = "Write output in this file") config.add_option("VERBOSE", default = 0, action = 'count', cache_invalidator = False, short_option = 'v', help = 'Verbose information') @classmethod def help(cls): """ This function returns a string that will be displayed when a user lists available plugins. 
""" try: return textwrap.dedent(cls.__doc__) except (AttributeError, TypeError): return "" @staticmethod def is_valid_profile(profile): return True def calculate(self): """ This function is responsible for performing all calculations We should not have any output functions (e.g. print) in this function at all. If this function is expected to take a long time to return some data, the function should return a generator. """ def execute(self): """ Executes the plugin command.""" # Check we can support the plugins profs = registry.get_plugin_classes(obj.Profile) # force user to give a profile if a plugin # other than kdbgscan or imageinfo are given: plugin_name = self.__class__.__name__.lower() if plugin_name != "mac_get_profile": if self._config.PROFILE == None: if plugin_name in ["kdbgscan", "imageinfo"]: self._config.update("PROFILE", "WinXPSP2x86") else: debug.error("You must set a profile!") if self._config.PROFILE not in profs: debug.error("Invalid profile " + self._config.PROFILE + " selected") if not self.is_valid_profile(profs[self._config.PROFILE]()): debug.error("This command does not support the profile " + self._config.PROFILE) # # Executing plugins is done in two stages - first we calculate data = self.calculate() ## Then we render the result in some way based on the ## requested output mode: function_name = "render_{0}".format(self._config.OUTPUT) if not self._config.OUTPUT == "sqlite" and self._config.OUTPUT_FILE: out_file = '{0}_{1}.txt'.format(time.strftime('%Y%m%d%H%M%S'), plugin_name) if self._config.OUTPUT_FILE == '.' else self._config.OUTPUT_FILE if os.path.exists(out_file): debug.error("File " + out_file + " already exists. 
Cowardly refusing to overwrite it...") print 'Outputting to: {0}'.format(out_file) outfd = open(out_file, 'wb') else: outfd = sys.stdout try: func = getattr(self, function_name) except AttributeError: ## Try to find out what formats are supported result = [] for x in dir(self): if x.startswith("render_"): _a, b = x.split("_", 1) result.append(b) print "Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result) return func(outfd, data) def _formatlookup(self, profile, code): """Code to turn profile specific values into format specifications""" code = code or "" if not code.startswith('['): return code # Strip off the square brackets code = code[1:-1].lower() if code.startswith('addr'): spec = fmtspec.FormatSpec("#10x") if profile.metadata.get('memory_model', '32bit') == '64bit': spec.minwidth += 8 if 'pad' in code: spec.fill = "0" spec.align = spec.align if spec.align else "=" else: # Non-padded addresses will come out as numbers, # so titles should align > spec.align = ">" return spec.to_string() # Something went wrong debug.warning("Unknown table format specification: " + code) return "" def _elide(self, string, length): """Adds three dots in the middle of a string if it is longer than length""" # Only elide data if we've been asked to (which we are by default) if not self.elide_data: return string if length == -1: return string if len(string) < length: return (" " * (length - len(string))) + string elif len(string) == length: return string else: if length < 5: debug.error("Cannot elide a string to length less than 5") even = ((length + 1) % 2) length = (length - 3) / 2 return string[:length + even] + "..." 
+ string[-length:] def format_value(self, value, fmt): """ Formats an individual field using the table formatting codes""" profile = addrspace.BufferAddressSpace(self._config).profile return ("{0:" + self._formatlookup(profile, fmt) + "}").format(value) def table_header(self, outfd, title_format_list = None): """Table header renders the title row of a table This also stores the header types to ensure everything is formatted appropriately. It must be a list of tuples rather than a dict for ordering purposes. """ titles = [] rules = [] self._formatlist = [] profile = addrspace.BufferAddressSpace(self._config).profile for (k, v) in title_format_list: spec = fmtspec.FormatSpec(self._formatlookup(profile, v)) # If spec.minwidth = -1, this field is unbounded length if spec.minwidth != -1: spec.minwidth = max(spec.minwidth, len(k)) # Get the title specification to follow the alignment of the field titlespec = fmtspec.FormatSpec(formtype = 's', minwidth = max(spec.minwidth, len(k))) titlespec.align = spec.align if spec.align in "<>^" else "<" # Add this to the titles, rules, and formatspecs lists titles.append(("{0:" + titlespec.to_string() + "}").format(k)) rules.append("-" * titlespec.minwidth) self._formatlist.append(spec) # Write out the titles and line rules if outfd: outfd.write(self.tablesep.join(titles) + "\n") outfd.write(self.tablesep.join(rules) + "\n") def table_row(self, outfd, *args): """Outputs a single row of a table""" reslist = [] if len(args) > len(self._formatlist): debug.error("Too many values for the table") for index in range(len(args)): spec = self._formatlist[index] result = self._elide(("{0:" + spec.to_string() + "}").format(args[index]), spec.minwidth) reslist.append(result) outfd.write(self.tablesep.join(reslist) + "\n") text_stock_renderers = {Hex: "#x", Address: "#8x", Address64: "#16x", int: "", str: "<", float: ".2", Bytes: ""} def text_cell_renderers(self, columns): """Returns default renderers for the columns listed""" renderlist = 
[FormatCellRenderer("")] * len(columns) # FIXME: Really, this should be handled by the plugin knowing what type of AS each object comes from # However, as a nasty workaround, we can force all x64 profiles to produce addresses that are 64-bit in length # It does not deal with PAE address spaces, or WoW64 addresses, or anything else weird or wonderful # This will NOT be in volatility 3.0 x64 = False if self._config.PROFILE.endswith("x64"): x64 = True for column in columns: if not isinstance(column, renderers.Column): raise TypeError("Columns must be a list of Column objects") columntype = column.type if not x64 or column.type != Address else Address64 renderlist[column.index] = FormatCellRenderer(self.text_stock_renderers[columntype]) return renderlist def unified_output(self, data): raise NotImplementedError("Rendering using the unified output format has not been implemented for this plugin.") def _render(self, outfd, renderer, data): output = self.unified_output(data) if isinstance(output, renderers.TreeGrid): renderer.render(outfd, output) else: raise TypeError("Unified Output must return a TreeGrid object") def render_text(self, outfd, data): self._render(outfd, TextRenderer(self.text_cell_renderers, sort_column = self.text_sort_column, config = self._config), data) def render_greptext(self, outfd, data): try: self._render(outfd, GrepTextRenderer(self.text_cell_renderers, sort_column = self.text_sort_column), data) except NotImplementedError, why: debug.error(why) except TypeError, why: debug.error(why) def render_json(self, outfd, data): try: self._render(outfd, JSONRenderer(), data) except NotImplementedError, why: debug.error(why) except TypeError, why: debug.error(why) def render_sqlite(self, outfd, data): try: self._render(outfd, SqliteRenderer(self.__class__.__name__, self._config), data) except NotImplementedError, why: debug.error(why) except TypeError, why: debug.error(why) def render_dot(self, outfd, data): try: self._render(outfd, 
DotRenderer(self.text_cell_renderers, self._config), data) except NotImplementedError, why: debug.error(why) except TypeError, why: debug.error(why) def render_html(self, outfd, data): try: self._render(outfd, HTMLRenderer(), data) except NotImplementedError, why: debug.error(why) except TypeError, why: debug.error(why) def render_xlsx(self, outfd, data): try: self._render(outfd, XLSXRenderer(self.text_cell_renderers, self._config), data) except NotImplementedError, why: debug.error(why) except TypeError, why: debug.error(why) volatility_2.6+git20170711.b3db0cc/volatility/registry.py0000644000000000000000000001505313131215405021563 0ustar rootroot# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # Derived from source in PyFlag developed by: # Copyright 2004: Commonwealth of Australia. # Michael Cohen # David Collett # # Subclassing plugin code developed by: # # Mike Auty # # ****************************************************** # Version: FLAG $Version: 0.84RC4 Date: Wed May 30 20:48:31 EST 2007$ # ****************************************************** # # * This program is free software; you can redistribute it and/or # * modify it under the terms of the GNU General Public License # * as published by the Free Software Foundation; either version 2 # * of the License, or (at your option) any later version. # * # * This program is distributed in the hope that it will be useful, # * but WITHOUT ANY WARRANTY; without even the implied warranty of # * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # * GNU General Public License for more details. # * # * You should have received a copy of the GNU General Public License # * along with this program; if not, write to the Free Software # * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA # ***************************************************** #pylint: disable-msg=C0111 """ This module implements a class registry. 
We scan the memory_plugins directory for all python files and add those classes which should be registered into their own lookup tables. These are then ordered as required. The rest of Volatility will then call onto the registered classes when needed. This mechanism allows us to reorganise the code according to functionality. For example we may include a Scanner, Report and File classes in the same plugin and have them all automatically loaded. """ import os, zipfile import volatility.debug as debug import volatility.plugins as plugins class PluginImporter(object): """This class searches through a comma-separated list of plugins and imports all classes found, based on their path and a fixed prefix. """ def __init__(self): """Gathers all the plugins from config.PLUGINS Determines their namespaces and maintains a dictionary of modules to filepaths Then imports all modules found """ self.modnames = {} # Handle additional plugins for path in plugins.__path__: path = os.path.abspath(path) for relfile in self.walkzip(path): module_path, ext = os.path.splitext(relfile) namespace = ".".join(['volatility.plugins'] + [ x for x in module_path.split(os.path.sep) if x ]) #Lose the extension for the module name if ext in [".py", ".pyc", ".pyo"]: filepath = os.path.join(path, relfile) # Handle Init files initstr = '.__init__' if namespace.endswith(initstr): self.modnames[namespace[:-len(initstr)]] = filepath else: self.modnames[namespace] = filepath self.run_imports() def walkzip(self, path): """Walks a path independent of whether it includes a zipfile or not""" if os.path.exists(path) and os.path.isdir(path): for dirpath, _dirnames, filenames in os.walk(path): for filename in filenames: # Run through files as we always used to yield os.path.join(dirpath[len(path) + len(os.path.sep):], filename) else: index = -1 zippath = None while path.find(os.path.sep, index + 1) > -1: index = path.find(os.path.sep, index + 1) if zipfile.is_zipfile(path[:index]): zippath = path[:index] break 
else: if zipfile.is_zipfile(path): zippath = path # Now yield the files if zippath: zipf = zipfile.ZipFile(zippath) prefix = path[len(zippath):].strip(os.path.sep) # If there's a prefix, ensure it ends in a slash if len(prefix): prefix += os.path.sep for fn in zipf.namelist(): # Zipfiles seem to always list contents using / as their separator fn = fn.replace('/', os.path.sep) if fn.startswith(prefix) and not fn.endswith(os.path.sep): # We're a file in the zipfile yield fn[len(prefix):] def run_imports(self): """Imports all the already found modules""" for i in self.modnames.keys(): if self.modnames[i] is not None: try: __import__(i) except Exception, e: print "*** Failed to import " + i + " (" + str(e.__class__.__name__) + ": " + str(e) + ")" # This is too early to have had the debug filter lowered to include debugging messages debug.post_mortem(2) def _get_subclasses(cls): """ Run through subclasses of a particular class This returns all classes descended from the main class, _including_ the main class itself. If showall is set to False (the default) then classes starting with Abstract will not be returned. 
""" for i in cls.__subclasses__(): for c in _get_subclasses(i): yield c yield cls def get_plugin_classes(cls, showall = False, lower = False): """Returns a dictionary of plugins""" # Plugins all make use of the Abstract concept result = {} for plugin in set(_get_subclasses(cls)): if showall or not (plugin.__name__.startswith("Abstract") or plugin == cls): # FIXME: This is due to not having done things correctly at the start if not showall and plugin.__name__ in ['BufferAddressSpace', 'HiveFileAddressSpace', 'HiveAddressSpace']: continue name = plugin.__name__.split('.')[-1] if lower: name = name.lower() if name not in result: result[name] = plugin else: raise Exception("Object {0} has already been defined by {1}".format(name, plugin)) return result def register_global_options(config, cls): ## Register all register_options for the various classes for m in get_plugin_classes(cls, True).values(): if hasattr(m, 'register_options'): m.register_options(config) volatility_2.6+git20170711.b3db0cc/volatility/poolscan.py0000644000000000000000000003601313131215405021530 0ustar rootroot# Volatility # Copyright (c) 2008-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
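#

import volatility.scan as scan
import volatility.constants as constants
import volatility.utils as utils
import volatility.obj as obj
import volatility.registry as registry

#--------------------------------------------------------------------------------
# A multi-concurrent pool scanner
#--------------------------------------------------------------------------------

class MultiPoolScanner(object):
    """An optimized scanner for pool tags.

    Reads an address space block by block and searches every block for each
    of the supplied needles, so several pool tags are located in one pass.
    """

    def __init__(self, needles = None):
        """
        @param needles: an iterable of byte strings (pool tags) to search for.
        """
        self.needles = needles
        # Each read is SCAN_BLOCKSIZE + overlap bytes while the cursor only
        # advances by SCAN_BLOCKSIZE, so consecutive reads overlap by up to
        # this many bytes.
        self.overlap = 20

    def scan(self, address_space, offset = None, maxlen = None):
        """Yield (tag, offset) for every needle hit in the address space.

        @param address_space: the address space to read from; it must provide
        get_available_addresses() and zread().
        @param offset: the offset to begin scanning at (None means 0).
        @param maxlen: optional cap on the number of bytes scanned.

        NOTE(review): maxlen is applied relative to the cursor position at
        the start of each available range, not to the overall scan start.
        Confirm that this is the intended meaning before relying on it to
        bound a scan.
        """
        current_offset = 0 if offset is None else offset

        for (range_start, range_size) in sorted(address_space.get_available_addresses()):
            # Jump forward so the cursor is at least at the start of this range
            current_offset = max(range_start, current_offset)
            range_end = range_start + range_size

            # If we have a maximum length, clamp the end of this range to it
            if maxlen is not None:
                range_end = min(range_end, current_offset + maxlen)

            while current_offset < range_end:
                # Here range_start <= current_offset < range_end.
                # Figure out how much data to read.
                read_len = min(constants.SCAN_BLOCKSIZE + self.overlap, range_end - current_offset)
                data = address_space.zread(current_offset, read_len)

                for needle in self.needles:
                    # presumably iterfind yields each position of needle in
                    # data; verify against volatility.utils
                    for addr in utils.iterfind(data, needle):
                        # Yield the four bytes at the match as well as the
                        # offset, to save the caller from having to perform
                        # another .read() just to see which tag was matched.
                        # NOTE(review): a tag that starts inside the overlap
                        # region looks like it can be reported by this block
                        # and again by the next one; confirm whether callers
                        # need to de-duplicate.
                        yield data[addr:addr + 4], addr + current_offset

                current_offset += min(constants.SCAN_BLOCKSIZE, read_len)

#--------------------------------------------------------------------------------
# The main interface / API for concurrent scans
#--------------------------------------------------------------------------------

class MultiScanInterface(object):
    """An interface into a scanner that can find multiple pool
    tags in a single pass through an address space."""

    def __init__(self, addr_space, scanners = None, scan_virtual = False,
                 show_unalloc = False, use_top_down = False, start_offset = None,
                 max_length = None):
        """An interface into the multiple concurrent pool scanner.

        @param addr_space: a Volatility address space

        @param scanners: a list of PoolScanner classes to scan for
        (None is treated as an empty list).

        @param scan_virtual: True to scan in virtual/kernel space
        or False to scan at the physical layer.

        @param show_unalloc: True to skip the object type check for every
        scanner, so that unallocated objects (0xbad0b0b0) are also returned.

        @param use_top_down: True to carve objects out of the pool using
        the top-down approach or False to use the bottom-up trick.

        @param start_offset: the starting offset to begin scanning.

        @param max_length: the size in bytes to scan from the start.
        """

        # A literal [] default would be one list object shared by every
        # instance created without the argument, so build a fresh one here.
        self.scanners = [] if scanners is None else scanners
        self.scan_virtual = scan_virtual
        self.show_unalloc = show_unalloc
        self.use_top_down = use_top_down
        self.start_offset = start_offset
        self.max_length = max_length

        self.address_space = addr_space
        self.pool_alignment = obj.VolMagic(self.address_space).PoolAlignment.v()

    def _check_pool_size(self, check, pool_header):
        """An alternative to the existing CheckPoolSize class.
        This prevents us from creating a second copy of the
        _POOL_HEADER object, which is quite unnecessary.

        @param check: a dictionary of arguments for the check; its
        "condition" entry is called with the pool size in bytes.

        @param pool_header: the target _POOL_HEADER to check
        """

        condition = check["condition"]
        block_size = pool_header.BlockSize.v()

        # BlockSize is multiplied by the pool alignment before it is
        # handed to the condition.
        return condition(block_size * self.pool_alignment)

    def _check_pool_type(self, check, pool_header):
        """An alternative to the existing CheckPoolType class.
        This prevents us from creating a second copy of the
        _POOL_HEADER object, which is quite unnecessary.

        @param check: a dictionary of arguments for the check; the optional
        "paged", "non_paged" and "free" entries default to False.

        @param pool_header: the target _POOL_HEADER to check
        """

        paged = check.get("paged", False)
        non_paged = check.get("non_paged", False)
        free = check.get("free", False)

        return ((non_paged and pool_header.NonPagedPool) or
                    (free and pool_header.FreePool) or
                    (paged and pool_header.PagedPool))

    def _check_pool_index(self, check, pool_header):
        """An alternative to the existing CheckPoolIndex class.
        This prevents us from creating a second copy of the
        _POOL_HEADER object, which is quite unnecessary.

        @param check: a dictionary of arguments for the check; its "value"
        entry is either a callable applied to the pool index or a value the
        pool index must equal.

        @param pool_header: the target _POOL_HEADER to check
        """

        value = check["value"]

        if callable(value):
            return value(pool_header.PoolIndex)

        return pool_header.PoolIndex == value

    def _run_all_checks(self, checks, pool_header):
        """Execute all constraint checks.

        @param checks: a sequence of (check name, argument dictionary)
        pairs, evaluated in the supplied order.

        @param pool_header: the target _POOL_HEADER to check

        @returns False if any checks fail, otherwise True.
        """

        for check, args in checks:
            if check == "CheckPoolSize":
                if not self._check_pool_size(args, pool_header):
                    return False
            elif check == "CheckPoolType":
                if not self._check_pool_type(args, pool_header):
                    return False
            elif check == "CheckPoolIndex":
                if not self._check_pool_index(args, pool_header):
                    return False
            else:
                # Any other name is looked up among the registered
                # ScannerCheck plugin classes and run against the tag offset.
                custom_check = registry.get_plugin_classes(scan.ScannerCheck)[check](pool_header.obj_vm, **args)
                # Only a failure ends the loop. Returning the result of the
                # custom check directly would skip every check listed after
                # it whenever the custom check passed.
                if not custom_check.check(pool_header.PoolTag.obj_offset):
                    return False

        return True

    def scan(self):
        """Scan for every configured pool tag and yield the valid objects.

        For each tag hit, a _POOL_HEADER is built at the hit, the matching
        scanner's checks are run, the contained object is extracted and it
        is yielded only when its own is_valid() accepts it.
        """

        # determine if we're using windows 10
        meta = self.address_space.profile.metadata
        win10 = (meta.get("major"), meta.get("minor")) == (6, 4)

        # windows 10 is always scanned in the supplied (virtual) space
        if self.scan_virtual or win10:
            space = self.address_space
        else:
            space = self.address_space.physical_space()

        if win10:
            # The value is not used below.
            # NOTE(review): presumably evaluated up front for a side effect
            # of resolving the cookie; confirm before removing.
            cookie = obj.VolMagic(space).ObHeaderCookie.v()

        # create instances of the various scanners linked
        # to the desired address space
        scanners = [scanner(space) for scanner in self.scanners]

        # map each pool tag to its scanner instance. Scanners that share a
        # pool tag collapse to a single entry (the last one listed), so only
        # that scanner's checks and structure are applied to hits on the tag.
        needles = dict((scanner.pooltag, scanner) for scanner in scanners)

        # an instance of the multi pool scanner
        scanner = MultiPoolScanner(needles = [scanner.pooltag for scanner in scanners])

        pool_tag_offset = space.profile.get_obj_offset("_POOL_HEADER", "PoolTag")

        for tag, offset in scanner.scan(address_space = space,
                                        offset = self.start_offset,
                                        maxlen = self.max_length):

            # a pool header at this offset but native kernel space;
            # the hit is on the PoolTag member, so step back to the
            # start of the header
            pool = obj.Object("_POOL_HEADER",
                              offset = offset - pool_tag_offset,
                              vm = space,
                              native_vm = self.address_space)

            # retrieve the scanner object from the tag
            scanobj = needles[tag]

            # pass the pool header to the checks
            if not self._run_all_checks(checks = scanobj.checks, pool_header = pool):
                continue

            # we use these approaches per scanner or if the user specifies
            use_top_down = scanobj.use_top_down or self.use_top_down
            skip_type_check = scanobj.skip_type_check or self.show_unalloc

            result = pool.get_object(struct_name = scanobj.struct_name,
                                     object_type = scanobj.object_type,
                                     use_top_down = use_top_down,
                                     skip_type_check = skip_type_check)

            # re-create the object further along when the scanner declares
            # padding in front of the structure
            if scanobj.padding > 0:
                result = obj.Object(scanobj.struct_name,
                                    offset = result.obj_offset + scanobj.padding,
                                    vm = result.obj_vm,
                                    native_vm = result.obj_native_vm)

            # let the object determine if it is valid or not
            if result.is_valid():
                yield result

#--------------------------------------------------------------------------------
# The base pool scanner class
#--------------------------------------------------------------------------------

class PoolScanner(object):
    """A generic pool scanner class.

    Holds the per-scanner settings that MultiScanInterface.scan reads:
    the tag to search for, the checks to run on each hit and how the
    contained object is extracted.
    """

    def __init__(self, address_space):
        self.address_space = address_space

        # the name of a structure which exists in the pool (i.e. _EPROCESS)
        self.struct_name = ""

        # an executive object type name (i.e. File, Mutant)
        self.object_type = ""

        # use the top down approach (otherwise the bottom-up)
        self.use_top_down = False

        # show unallocated objects (0xbad0b0b0)
        self.skip_type_check = False

        # the four-byte ASCII pool tag
        self.pooltag = None

        # a list of checks to be performed in the supplied order
        self.checks = []

        # number of bytes between the end of the pool header and
        # start of the structure contained within. currently only
        # used for atom tables.
        self.padding = 0

## The following are checks for pool scanners.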
class PoolTagCheck(scan.ScannerCheck): """ This scanner checks for the occurance of a pool tag """ def __init__(self, address_space, tag = None, **kwargs): scan.ScannerCheck.__init__(self, address_space, **kwargs) self.tag = tag def skip(self, data, offset): try: nextval = data.index(self.tag, offset + 1) return nextval - offset except ValueError: ## Substring is not found - skip to the end of this data buffer return len(data) - offset def check(self, offset): data = self.address_space.read(offset, len(self.tag)) return data == self.tag class CheckPoolType(scan.ScannerCheck): """ Check the pool type """ def __init__(self, address_space, paged = False, non_paged = False, free = False, **kwargs): scan.ScannerCheck.__init__(self, address_space, **kwargs) self.non_paged = non_paged self.paged = paged self.free = free def check(self, offset): pool_hdr = obj.Object('_POOL_HEADER', vm = self.address_space, offset = offset - 4) return ((self.non_paged and pool_hdr.NonPagedPool) or (self.free and pool_hdr.FreePool) or (self.paged and pool_hdr.PagedPool)) class CheckPoolSize(scan.ScannerCheck): """ Check pool block size """ def __init__(self, address_space, condition = (lambda x: x == 8), **kwargs): scan.ScannerCheck.__init__(self, address_space, **kwargs) self.condition = condition def check(self, offset): pool_hdr = obj.Object('_POOL_HEADER', vm = self.address_space, offset = offset - 4) block_size = pool_hdr.BlockSize.v() pool_alignment = obj.VolMagic(self.address_space).PoolAlignment.v() return self.condition(block_size * pool_alignment) class SinglePoolScanner(scan.BaseScanner): def object_offset(self, found, address_space): """ The name of this function "object_offset" can be misleading depending on how its used. Even before removing the preambles (r1324), it may not always return the offset of an object. Here are the rules: If you subclass PoolScanner and do not override this function, it will return the offset of _POOL_HEADER. 
If you do override this function, it should be used to calculate and return the offset of your desired object within the pool. Thus there are two different ways it can be done. Example 1. For an example of subclassing PoolScanner and not overriding this function, see filescan.PoolScanFile. In this case, the plugin (filescan.FileScan) treats the offset returned by this function as the start of _POOL_HEADER and then works out the object from the bottom up: for offset in PoolScanFile().scan(address_space): pool_obj = obj.Object("_POOL_HEADER", vm = address_space, offset = offset) ## ## Work out objects base here ## Example 2. For an example of subclassing PoolScanner and overriding this function, see filescan.PoolScanProcess. In this case, the "work" described above is done here (in the sublcassed object_offset). Thus in the plugin (filescan.PSScan) it can directly instantiate _EPROCESS from the offset we return. for offset in PoolScanProcess().scan(address_space): eprocess = obj.Object('_EPROCESS', vm = address_space, native_vm = kernel_as, offset = offset) """ ## Subtract the offset of the PoolTag member to get the start ## of _POOL_HEADER. This is done because PoolScanners search ## for the PoolTag. 
return found - self.buffer.profile.get_obj_offset('_POOL_HEADER', 'PoolTag') def scan(self, address_space, offset = 0, maxlen = None): for i in scan.BaseScanner.scan(self, address_space, offset, maxlen): yield self.object_offset(i, address_space) volatility_2.6+git20170711.b3db0cc/CHANGELOG.txt0000644000000000000000000005642713131215405017203 0ustar rootrootChangelog As of Volatility 2.4, all changes are now tracked on the GitHub site: https://github.com/volatilityfoundation/volatility Volatility 2.0-2.3: all changes were tracked on the Google Code site: http://code.google.com/p/volatility/source/list 04.8.2009 Volatility-1.3.1 moyix * Update: Introduce BufferAddressSpace and refactor * Files: forensics/addrspace.py forensics/object.py Description: Added a new BufferAddressSpace class that acts like a regular FileAddressSpace, but can be instantiated from a string buffer. This allows any function that expects an address space to work on a buffer instead. Also refactored the *_buf functions in object.py to use this class instead (reduces code duplication). Thanks to Michael Cohen for the idea. 04.8.2009 Volatility-1.3.1 moyix * Update: Add support for inactive hiberfiles to hibinfo * Files: forensics/win32/hiber_addrspace.py Description: Added the ability to convert hibernation files that are in the "inactive" state (their first page is zeroed) to dd format. It is still not possible to run Volatility directly on such files, but they can now be converted for analysis. Thanks to Jon Evans for the suggestion. 04.8.2009 Volatility-1.3.1 moyix * Update: Pool scanning enhancements * Files: forensics/win32/scan2.py forensics/object.py Description: Incorporated new functions written by Andreas Schuster to allow more fine-grained checks in pool scanners, and modularize some of the accessors (get_poolsize, get_poolsize, etc.). The patch also adds read_unicode_string_buf and read_string_buf, which operate on string buffers. Thanks to Andreas Schuster for the patch. 
04.7.2009 Volatility-1.3 awalters * Update: Handle table parsing * Files: forensics/win32/handles.py Description: Updated handle parsing code to fix typo. It was not adding the correct offset for Level 3 tables. It was also not traversing all the entries. Thanks to Brendan Dolan-Gavitt. 04.7.2009 Volatility-1.3 awalters * Update: Network Offsets * Files: forensics/win32/network.py Description: Added new offset updates. Thanks to Jun Koi. 03.17.2009 Volatility-1.3 awalters * Update: x86.py robustness * Files: forensics/x86.py Description: Added more robustness to the x86 address space. This time it focused on PAE. Certain samples were reading outside of the physical address space. Thanks to Brendan Dolan-Gavitt for patch. 03.17.2009 Volatility-1.3.1 awalters * Bug: Hiberfil Address space w * Files: forensics\win32\hiber_addrspace.py Description: Needed to import the PAE address space. This only meant that hibinfo was having some issue. It would still process hiberfil's just fine. Thanks to Andreas Schuster for the bug report. 03.17.2009 Volatility-1.3.1 awalters * Update: New version of tcp driver needed new offsets in SP3 * Files: forensics/win32/network.py forensics/win32/scan2.py forensics/win32/scan.py Description: Added new offsets to network to handle new driver. Updated scan2 and scan as well to support new pool allocation size. Thanks to Brendan Dolan-Gavitt. 02.22.2009 Volatility-1.3.1 awalters * Update: procdump check peb * Files: vmodules.py Description: Added a check to make sure that the PEB is memory resident. 02.05.2009 Volatility-1.3.1 awalters * Update: Handle parsing * Files: forensics/win32/handles.py vmodules.py Description: Updated handle parsing code to correctly handle middle and upper layer handles in multi-level schemes. Also changed files to now use the common parsing code. 
12.11.2008 Volatility-1.3.1 awalters * Update: Plugin Generators * Files: forensics/commands.py memory_plugins/example4.py vutils.py Description: Added the ability to use generators in your plugins. This is extremely powerful and allows us to support arbitrary output formats. Thanks to Michael Cohen for the patch. 12.11.2008 Volatility-1.3.1 awalters * Update: Object Inheritance * Files: forensics/object2.py forensics/registry.py memory_plugins/example3.py Description: Plugins creators are now able to express an inheritance order associated with an object. The default is the Profile objects. This fixes a problem associated with collisions. Thanks to Cameron C Caffee for the bug report and thanks to Brendan Dolan-Gavitt and Michael Cohen for insightful discussions. 12.10.2008 Volatility-1.3.1 awalters * Update: lists.py * Files: forensics/win32/lists.py Description: Added Brendan Dolan-Gavitt lists.py file for traversing kernel linked lists. Thanks Brendan. 12.06.2008 Volatility-1.3.1 awalters * Bug: Crashdump base address space * Files: forensics/win32/tasks.py Description: Changed find_csdversion so that it does not pass in the filename. Made fname an optional parameter to process_addr_space since it is no longer being used and only maintained for backward compatibility. Thanks to Richard Austin for the bug report. 11.25.2008 Volatility-1.3.1 awalters * Bug: modules_list * Files: forensics/win32/modules.py Description: Added a check to make sure both PsLoadedModuleList and this module were defined. 11.25.2008 Volatility-1.3.1 awalters * Update: Tabs and spaces * Files: Too Many Description: Spent some quality time with the tab nanny. 11.25.2008 Volatility-1.3.1 awalters * Bug: Added more checks for registry objects * Files: forensics/win32/registry.py Description: Added more checks in print_entry_keys for invalid pages. Some of the key path was crossing page boundaries so more checks needed to be added. Thanks to Christian Herndler for the bug report. 
11.22.2008 Volatility-1.3.1 awalters * Update: get_obj_offset no longer modifies passed in list * Files: forensics/object.py Description: get_obj_offset previously modified the passed-in list used to represent type information. Now it works on a copy to prevent unexpected behavior. Thanks to Brendan Dolan-Gavitt for the update. 11.17.2008 Volatility-1.3.1 awalters * Bug: Checks to make sure KeyControlBlock is a valid address * Files: forensics/win32/registry.py Description: print_entry_keys has been updated to check that KeyControlBlock is a valid address. Thanks to Christian Herndler for the bug report and Brendan Dolan-Gavitt for the bug fix. 11.15.2008 Volatility-1.3.1 awalters * Update: removed sha module from crashdump * Files: forensics/win32/crashdump.py Description: Removed the attempt to import the sha module since it generates a warning with Python 2.6. Thanks to STC for reporting the issue. 11.14.2008 Volatility-1.3.1 awalters * Bug: added more checks in object parsing for invalid pages * Files: forensics/win32/handles.py forensics/win32/registry.py vmodules.py Description: Added more checks for invalid pages while processing the object directory. Thanks to Christian Herndler for the bug report. 11.03.2008 Volatility-1.3.1 awalters * Bug: Python 2.5 finally * Files: vmodules.py Description: Removed the finally clause that is only available in Python 2.5. Thanks to Cameron Caffee for the bug report and Brendan Dolan-Gavitt for the bug fix. 10.17.2008 Volatility-1.3.1 awalters * Bug: Checking for invalid pages * Files: forensics/object2.py Description: Added more checks to object2 to makes sure the addresses being accessed are valid. If not, then they now return a None. Thanks to Jesse Kornblum for submitting a patch. 9.27.2008 Volatility-1.3.1 awalters * Update: plugin directory now relative to registry * Files: forensics/registry.py Description: The plugin search is now performed relative to registry.py. Thanks to Michael Cohen for the patch. 
9.4.2008 Volatility-1.3.1 awalters * Bug: length bug in hiberaddrspace * Files: forensics\win32\hiber_addrspace.py Description: We were referencing an undefined length variable. Thanks to Andreas Schuster for sending the patch. 9.4.2008 Volatility-1.3.1 awalters * Update: Find the plugin modules * Files: forensics/registry.py Description: Added the absolute path to search for dynamic plugins. This allows volatility to be called from anywhere on the system. Thanks to Andreas Schuster for sending the patch. 8.14.2008 Volatility-1.3 awalters * Update: x86.py robustness * Files: forensics/x86.py Description: Added more robustness to the x86 address space. Thanks to Brendan Dolan-Gavitt for sending in a bug report. 8.14.2008 Volatility-1.3 awalters * Update: Standardized _LDR_MODULE -> _LDR_DATA_TABLE_ENTRY * Files: forensics/win32/modules.py forensics/win32/scan.py forensics/win32/scan2.py Description: Changed the data type names to make them more standardized across operating system versions. Thanks Brendan Dolan-Gavitt for sending in update request. 6.26.2008 Volatility-1.3 awalters * Bug: regobjkey initialize list * Files: vmodules.py Description: When specifying a offset for regobjkey the list had not been initialized yet. Thanks to Brendan Dolan-Gavitt for sending in a bug report. 6.24.2008 Volatility-1.3 awalters * Update: 64-bit hosts * Files: forensics/object.py forensics/win32/crashdump.py forensics/win32/scan2.py forensics/win32/network.py forensics/win32/executable.py Description: Updated so that modules will work correctly when run from 64-bit hosts using python 2.5. Thanks to sham for sending in the bug report. 6.23.2008 Volatility-1.3 awalters * Bug: Non-resident Vad address * Files: forensics/win32/vad.py vmodules.py Description: Updated the vad modules to handle invalid addresses in low memory situations. Thanks to Bryan D. Payne for sending in a bug report. 
6.23.2008 Volatility-1.3 awalters * Bug: Handle count paged * Files: forensics/win32/tasks.py Description: Received a sample where the ObjectTable was not a valid address. Added a check to make sure it is valid. Thanks to Bryan D. Payne for sending in a bug report. 6.22.2008 Volatility-1.3 awalters * Update: Ident info * Files: forensics/win32/tasks.py vutils.py Description: Updated ident command so that it correctly finds the version of XP, now that we have support for SP3. Thanks to jeremie0 for noticing and to Brendan Dolan-Gavitt for helping with the fix. 6.11.2008 Volatility-1.3 awalters * Update: Array Types * Files: forensics/object2.py Description: Changed arrays so that they now return objects in cases where they are not native types. Thanks to Brendan Dolan-Gavitt for the update! 6.8.2008 Volatility-1.3 awalters * Bug: Invalid page directories * Files: vmodules.py Description: Added code to catch the cases when we encounter invalid page directories. Thanks to both Angelo Cavallini and Brendan Dolan-Gavitt for reporting this bug. 6.8.2008 Volatility-1.3 awalters * Update: potential bad string characters (unicode escaping) * Files: forensics/win32/scan2.py forensics/object.py Description: Attempting to standardize error handling related to unicode conversions. Thus we are now passing an explicit error string argument. Thanks to Brendan Dolan-Gavitt. 6.8.2008 Volatility-1.3 awalters * Update: psscan2 check_dtb * Files: forensics/win32/scan2.py Description: Added a check from psscan to psscan2 in the check_dtb constraint to make sure the DTB had a value. Thanks Andreas Schuster! 6.7.2008 Volatility-1.3 awalters * Update: SP3 support * Files: forensics/win32/network.py Description: Made changes to support SP3. 
5.21.2008 Volatility-1.3 awalters * Update: Changed create_addr_space api * Files: forensics/win32/tasks.py memory_objects/Windows/xp_sp2.py memory_plugins/example2.py memory_plugins/example3.py vmodules.py Description: Changed the create_addr_space API so that it does not require types or filename. This was an artifact of the way the function used to work. 5.17.2008 Volatility-1.3 awalters * Feature: New Object Model * Files: forensics/registry.py memory_objects/Windows/xp_sp2.py memory_plugins/example3.py forensics/object2.py forensics/win32/meta_info.py vutils.py Description: Added a new object model to make navigating the data structures more intuitive. All future modules will be transitioned to use this new model. Thanks to Brendan Dolan-Gavitt for all his help! 5.14.2008 Volatility-1.3 awalters * Feature: Plugin Architecture * Files: forensics/commands.py forensics/registry.py volatility memory_plugins/example1.py memory_plugins/example2.py Description: Added an entirely new plugin infrastructure. Now it is possible to load the commands dynamically just by adding them to the correct directory. This will allow people to support their own modules. This work is based on a similar registry implementation found in PyFlag. Thanks to Michael Cohen and David Collett for the great work they have done and help getting this code integrated. 5.13.2008 Volatility-1.3 awalters * Feature: Hiberfil support * Files: vmodules.py volatility forensics/win32/hiber_addrspace.py forensics/win32/xpress.py forensics/win32/scan.py forensics/win32/network.py forensics/win32/datetime.py Description: Added native hiberfil support. Also added the ability to convert from hiberfil to linear format. Now all the commands can be run against hiberfils natively. This is accomplished through the new hiberfil address space. Thanks to Matthieu Suiche and Brendan Dolan-Gavitt for all the great work they have done with hiberfil parsing and the xpress compression algorithm.
5.13.2008 Volatility-1.3 awalters * Feature: New scanning infrastructure * Files: vmodules.py volatility forensics/win32/scan2.py forensics/win32/globals.py forensics/win32/crash_addrspace.py forensics/win32/datetime.py Description: Added an entirely new OO scanning infrastructure. This allows for extremely fast scanning and easier scanning across the logical address spaces. As part of this we also ported the scanning modules over to the new infrastructure. Thanks to Michael Cohen and Andreas Schuster for the help and ideas to get this working! 5.7.2008 Volatility-1.3 awalters * Bug: get_available_addresses * Files: forensics/x86.py vmodules.py volatility Description: Fixed an off by 1 error in get_available_address for non-pae machines that seemed to have crept back in. Also changed the name of usrdmp to memdmp since it is really dumping a processes addressable memory. Thanks Eoghan Casey! 4.30.2008 Volatility-1.3 awalters * New Module: procdump * Files: forensics/win32/executable.py vtypes.py vmodules.py Description: Added a new module that will allow the analyst to extract the executable from memory for further analysis. Thanks to Brendan Dolan-Gavitt for all your hard work! 4.28.2008 Volatility-1.3 awalters * Bug: open registry keys * Files: forensics/win32/handles.py Description: During testing Brendan found a bug when processing object types. It would have been possible to enumerate KeyedEvents. Thanks Brendan Dolan-Gavitt! 4.28.2008 Volatility-1.3 awalters * New Module: regobjkey * Files: vmodules.py forensics/win32/registry.py forensics/win32/handles.py vtypes.py Description: Added a new module that will allow an analyst to dump the open registry keys found in the object table. Thanks to Brendan Dolan-Gavitt for his contributions! 4.27.2008 Volatility-1.3 awalters * Feature: psscan dot format * Files: vmodules.py forensics/win32/scan.py Description: Added the ability to print the output of psscan in dot format. 
Similar to that available by ptfinder by Andreas Schuster. This was requested by Eoghan Casey. 4.23.2008 Volatility-1.3 awalters * Useability: Pass pid or EPROCESS offset Files: vmodules.py forensics/win32/handles.py Description: Added the ability to dump files and dlllist by pid or EPROCESS offset. One reason this was asked for was to deal with data only attacks which may remove the process from process list. Thanks to Eoghan Casey for the feedback! 4.23.2008 Volatility-1.3 awalters * New Modules: dmp2raw, raw2dmp Files: vtypes.py vmodules.py forensics/win32/crashdump.py forensics/win32/info.py forensics/win32/tasks.py Description: Added modules to convert from raw dumps to crash dumps and vice versa. Thanks to Andreas Schuster for helping to get this started and thanks to Brendan Dolan-Gavitt for helping get it perfected! 4.23.2008 Volatility-1.3 awalters * Optimization: KUSER_SHARED_DATA Files: vmodules.py Description: Changed KUSER_SHARED_DATA in get_image_info and get_datetime to point to 0xFFDF0000 instead of 0x7ffe0000. Thanks Brendan Dolan-Gavitt! 4.1.2008 Volatility-1.2.3pre awalters * Bug: socket crash Files: forensics/win32/network.py Description: In get_open_sockets, we needed to make sure that the AddrObjAddr and AddrTableSize were not none and if they were fail gracefully. Thanks to Eoghan Casey for the bug report. 3.3.2008 Volatility-1.2.3pre awalters * Bug: get_obj_offset() non-builtin Files: forensics/object.py Description: Modified get_obj_offset to support arrays of non-builtin types. Thanks Brendan Dolan-Gavitt! 2.27.2008 Volatility-1.2.3pre awalters * Bug: Not traversing complete module list Files: forensics/win32/modules.py Description: Traversing the module list should not stop when it reaches a None but continue to the next module 2.27.2008 Volatility-1.2.3pre awalters * Bug: is_valid_address(addr) Files: forensics/addrspace.py forensics/x86.py Description: is_valid_address was failing to check if addr was None. 
This was found by analyzing hiberfile images. Thanks to Brendan Dolan-Gavitt and Andreas Schuster for helping me find the problem! 2.25.2008 Volatility-1.2.3pre awalters * Bug: hidden processes Files: vmodules.py Description: Both usrdmp and memmap were unable to handle hidden processes. They can now be passed the offset to an EPROCESS object. Thanks to Eoghan Casey for the bug report. 12.28.2007 Volatility-1.2.3pre awalters * Bug: 64 bit Files: forensics/addrspace.py forensics/object.py forensics/win32/scan.py forensics/x86.py forensics/win32/crash_addrspace.py Description: Fixed a bug that occurs when people are running Python 2.5 on a 64 bit OS. Python 2.5 changed the way that Python native types are stored and thus changed the unpack usage. Thanks to Jamie Levy and students! 11.28.2007 Volatility-1.2.2pre awalters * Bug: memmap Files: vmodules.py Description: mem_map fixed so that you can specify a particular process. 11.28.2007 Volatility-1.2.2pre awalters * Bug: dtb_aligned Files: forensics/win32/scan.py Description: On systems using PAE, EPROCESS.DirectoryTableBase actually points to the base of the page directory pointer array. Thanks Andreas Schuster. 11.27.2007 Volatility-1.2.2pre awalters * Optimization: find_dtb Files: forensics/win32/tasks.py Description: Dramatically reduced the time for find_dtb. Thanks Michael Cohen. 09.21.2007 Volatility-1.2.1pre awalters * New Module: usrdmp Files: vmodules.py Description: Dumps a process's address space. Thanks Eoghan Casey. 09.20.2007 Volatility-1.2pre awalters * New Module: modscan Files: vmodules.py forensics/win32/scan.py forensics/win32/globals.py Description: Performs a linear scan for memory resident Windows modules. Contributed by Andreas Schuster. * New Module: memmap Files: vmodules.py forensics/x86.py Description: Provides a map of the virtual to physical address translations within a particular address space.
Based on similar tools by Andreas Schuster (memdump.pl) and Brendan Dolan-Gavitt (memdump.py). * New Module: dmpchk Files: vmodules.py forensics/win32/crash_addrspace.py Description: Prints auxiliary information about the crash dump file. * New Module: WindowsCrashDumpSpace32 Files: forensics/x86.py forensics/win32/crash_addrspace.py Description: Provides the ability to use crash dumps as input to Volatility. This is accomplished through the use of stackable address spaces. Contributions from Andreas Schuster. * New Feature: get_available_pages() Files: forensics/x86.py Description: This functions allows an investigator to find all available pages within a particular address space. Thanks Brendan Dolan-Gavitt. * New Feature: zread() Files: forensics/x86.py forensics/addrspace.py forensics/win32/crash_addrspace.py Description: Added the ability to continuing reading even if pages are unavailable. Invalid pages are replaced with zeros. Thanks Brendan Dolan-Gavitt. 07.31.2007 Volatility-1.1.1 awalters * Virtual Address Descriptor modules: vadinfo, vaddump, vadwalk. Based on the research of Brendan Dolan-Gavitt to be presented at DFRWS 2007 * Constraint based linear scanning framework. New modules include psscan, thrdscan, sockscan, connscan. Inspired by the work of Andreas Schuster. * Completely open source. No third-party closed source dependencies. 
* Auto-identification speed enhancements * Bug fixes in network and socket modules * Removed symbol dependencies * Multiprocessor support volatility_2.6+git20170711.b3db0cc/README.txt0000644000000000000000000007621013131215405016641 0ustar rootroot============================================================================ Volatility Framework - Volatile memory extraction utility framework ============================================================================ The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research. 
The Volatility distribution is available from: http://www.volatilityfoundation.org/#!releases/component_71401 Volatility should run on any platform that supports Python (http://www.python.org) Volatility supports investigations of the following memory images: Windows: * 32-bit Windows XP Service Pack 2 and 3 * 32-bit Windows 2003 Server Service Pack 0, 1, 2 * 32-bit Windows Vista Service Pack 0, 1, 2 * 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0) * 32-bit Windows 7 Service Pack 0, 1 * 32-bit Windows 8, 8.1, and 8.1 Update 1 * 32-bit Windows 10 (initial support) * 64-bit Windows XP Service Pack 1 and 2 (there is no SP0) * 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0) * 64-bit Windows Vista Service Pack 0, 1, 2 * 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0) * 64-bit Windows 2008 R2 Server Service Pack 0 and 1 * 64-bit Windows 7 Service Pack 0 and 1 * 64-bit Windows 8, 8.1, and 8.1 Update 1 * 64-bit Windows Server 2012 and 2012 R2 * 64-bit Windows 10 (including at least 10.0.14393) * 64-bit Windows Server 2016 (including at least 10.0.14393.0) Note: Please see the guidelines at the following link for notes on compatibility with recently patched Windows 7 (or later) memory samples: https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles Linux: * 32-bit Linux kernels 2.6.11 to 4.2.3 * 64-bit Linux kernels 2.6.11 to 4.2.3 * OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc Mac OSX: * 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported) * 32-bit 10.6.x Snow Leopard * 64-bit 10.6.x Snow Leopard * 32-bit 10.7.x Lion * 64-bit 10.7.x Lion * 64-bit 10.8.x Mountain Lion (there is no 32-bit version) * 64-bit 10.9.x Mavericks (there is no 32-bit version) * 64-bit 10.10.x Yosemite (there is no 32-bit version) * 64-bit 10.11.x El Capitan (there is no 32-bit version) * 64-bit 10.12.x Sierra (there is no 32-bit version) Volatility does not provide memory sample acquisition 
capabilities. For acquisition, there are both free and commercial solutions available. If you would like suggestions about suitable acquisition solutions, please contact us at: volatility (at) volatilityfoundation (dot) org Volatility supports a variety of sample file formats and the ability to convert between these formats: - Raw linear sample (dd) - Hibernation file (from Windows 7 and earlier) - Crash dump file - VirtualBox ELF64 core dump - VMware saved state and snapshot files - EWF format (E01) - LiME format - Mach-O file format - QEMU virtual machine dumps - Firewire - HPAK (FDPro) For a more detailed list of capabilities, see the following: https://github.com/volatilityfoundation/volatility/wiki Also see the community plugins repository: https://github.com/volatilityfoundation/community Example Data ============ If you want to give Volatility a try, you can download exemplar memory images from the following url: https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples Mailing Lists ============= Mailing lists to support the users and developers of Volatility can be found at the following address: http://lists.volatilesystems.com/mailman/listinfo Contact ======= For information or requests, contact: Volatility Foundation Web: http://www.volatilityfoundation.org http://volatility-labs.blogspot.com http://volatility.tumblr.com Email: volatility (at) volatilityfoundation (dot) org IRC: #volatility on freenode Twitter: @volatility Requirements ============ - Python 2.6 or later, but not 3.0. http://www.python.org Some plugins may have other requirements which can be found at: https://github.com/volatilityfoundation/volatility/wiki/Installation Quick Start =========== 1. Unpack the latest version of Volatility from volatilityfoundation.org 2. 
To see available options, run "python vol.py -h" or "python vol.py --info" Example: $ python vol.py --info Volatility Foundation Volatility Framework 2.6 Address Spaces -------------- AMD64PagedMemory - Standard AMD 64-bit address space. ArmAddressSpace - Address space for ARM processors FileAddressSpace - This is a direct file AS. HPAKAddressSpace - This AS supports the HPAK format IA32PagedMemory - Standard IA-32 paging address space. IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible LimeAddressSpace - Address space for Lime LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space. MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader OSXPmemELF - This AS supports VirtualBox ELF64 coredump format QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format Win10AMD64PagedMemory - Windows 10-specific AMD 64-bit address space. WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space. WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files. 
Profiles -------- VistaSP0x64 - A Profile for Windows Vista SP0 x64 VistaSP0x86 - A Profile for Windows Vista SP0 x86 VistaSP1x64 - A Profile for Windows Vista SP1 x64 VistaSP1x86 - A Profile for Windows Vista SP1 x86 VistaSP2x64 - A Profile for Windows Vista SP2 x64 VistaSP2x86 - A Profile for Windows Vista SP2 x86 Win10x64 - A Profile for Windows 10 x64 Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23) Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16) Win10x86 - A Profile for Windows 10 x86 Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28) Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16) Win2003SP0x86 - A Profile for Windows 2003 SP0 x86 Win2003SP1x64 - A Profile for Windows 2003 SP1 x64 Win2003SP1x86 - A Profile for Windows 2003 SP1 x86 Win2003SP2x64 - A Profile for Windows 2003 SP2 x64 Win2003SP2x86 - A Profile for Windows 2003 SP2 x86 Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64 Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64 Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09) Win2008SP1x64 - A Profile for Windows 2008 SP1 x64 Win2008SP1x86 - A Profile for Windows 2008 SP1 x86 Win2008SP2x64 - A Profile for Windows 2008 SP2 x64 Win2008SP2x86 - A Profile for Windows 2008 SP2 x86 Win2012R2x64 - A Profile for Windows Server 2012 R2 x64 Win2012R2x64_18340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13) Win2012x64 - A Profile for Windows Server 2012 x64 Win2016x64_14393 - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16) Win7SP0x64 - A Profile for Windows 7 SP0 x64 Win7SP0x86 - A Profile for Windows 7 SP0 x86 Win7SP1x64 - A Profile for Windows 7 SP1 x64 Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09) Win7SP1x86 - A Profile for Windows 7 SP1 x86 Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09) Win81U1x64 - 
A Profile for Windows 8.1 Update 1 x64 Win81U1x86 - A Profile for Windows 8.1 Update 1 x86 Win8SP0x64 - A Profile for Windows 8 x64 Win8SP0x86 - A Profile for Windows 8 x86 Win8SP1x64 - A Profile for Windows 8.1 x64 Win8SP1x64_18340 - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13) Win8SP1x86 - A Profile for Windows 8.1 x86 WinXPSP1x64 - A Profile for Windows XP SP1 x64 WinXPSP2x64 - A Profile for Windows XP SP2 x64 WinXPSP2x86 - A Profile for Windows XP SP2 x86 WinXPSP3x86 - A Profile for Windows XP SP3 x86 Plugins ------- amcache - Print AmCache information apihooks - Detect API hooks in process and kernel memory atoms - Print session and window station atom tables atomscan - Pool scanner for atom tables auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv bigpools - Dump the big page pools using BigPagePoolScanner bioskbd - Reads the keyboard buffer from Real Mode memory cachedump - Dumps cached domain hashes from memory callbacks - Print system-wide notification routines clipboard - Extract the contents of the windows clipboard cmdline - Display process command-line arguments cmdscan - Extract command history by scanning for _COMMAND_HISTORY connections - Print list of open connections [Windows XP and 2003 Only] connscan - Pool scanner for tcp connections consoles - Extract command history by scanning for _CONSOLE_INFORMATION crashinfo - Dump crash-dump information deskscan - Poolscaner for tagDESKTOP (desktops) devicetree - Show device tree dlldump - Dump DLLs from a process address space dlllist - Print list of loaded dlls for each process driverirp - Driver IRP hook detection drivermodule - Associate driver objects to kernel modules driverscan - Pool scanner for driver objects dumpcerts - Dump RSA private and public SSL keys dumpfiles - Extract memory mapped and cached files dumpregistry - Dumps registry files out to disk editbox - Displays information about Edit controls. (Listbox experimental.) 
envars - Display process environment variables eventhooks - Print details on windows event hooks evtlogs - Extract Windows Event Logs (XP/2003 only) filescan - Pool scanner for file objects gahti - Dump the USER handle type information gditimers - Print installed GDI timers and callbacks gdt - Display Global Descriptor Table getservicesids - Get the names of services in the Registry and return Calculated SID getsids - Print the SIDs owning each process handles - Print list of open handles for each process hashdump - Dumps passwords hashes (LM/NTLM) from memory hibinfo - Dump hibernation file information hivedump - Prints out a hive hivelist - Print list of registry hives. hivescan - Pool scanner for registry hives hpakextract - Extract physical memory from an HPAK file hpakinfo - Info on an HPAK file idt - Display Interrupt Descriptor Table iehistory - Reconstruct Internet Explorer cache / history imagecopy - Copies a physical address space out as a raw DD image imageinfo - Identify information for the image impscan - Scan for calls to imported functions joblinks - Print process job link information kdbgscan - Search for and dump potential KDBG values kpcrscan - Search for and dump potential KPCR values ldrmodules - Detect unlinked DLLs limeinfo - Dump Lime file format information linux_apihooks - Checks for userland apihooks linux_arp - Print the ARP table linux_aslr_shift - Automatically detect the Linux ASLR shift linux_banner - Prints the Linux banner information linux_bash - Recover bash history from bash process memory linux_bash_env - Recover a process' dynamic environment variables linux_bash_hash - Recover bash hash table from bash process memory linux_check_afinfo - Verifies the operation function pointers of network protocols linux_check_creds - Checks if any processes are sharing credential structures linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking linux_check_fop - Check file operation structures for rootkit 
modifications linux_check_idt - Checks if the IDT has been altered linux_check_inline_kernel - Check for inline kernel hooks linux_check_modules - Compares module list to sysfs info, if available linux_check_syscall - Checks if the system call table has been altered linux_check_syscall_arm - Checks if the system call table has been altered linux_check_tty - Checks tty devices for hooks linux_cpuinfo - Prints info about each active processor linux_dentry_cache - Gather files from the dentry cache linux_dmesg - Gather dmesg buffer linux_dump_map - Writes selected memory mappings to disk linux_dynamic_env - Recover a process' dynamic environment variables linux_elfs - Find ELF binaries in process mappings linux_enumerate_files - Lists files referenced by the filesystem cache linux_find_file - Lists and recovers files from memory linux_getcwd - Lists current working directory of each process linux_hidden_modules - Carves memory to find hidden kernel modules linux_ifconfig - Gathers active interfaces linux_info_regs - It's like 'info registers' in GDB. 
It prints out all the linux_iomem - Provides output similar to /proc/iomem linux_kernel_opened_files - Lists files that are opened from within the kernel linux_keyboard_notifiers - Parses the keyboard notifier call chain linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl linux_library_list - Lists libraries loaded into a process linux_librarydump - Dumps shared libraries in process memory to disk linux_list_raw - List applications with promiscuous sockets linux_lsmod - Gather loaded kernel modules linux_lsof - Lists file descriptors and their path linux_malfind - Looks for suspicious process mappings linux_memmap - Dumps the memory map for linux tasks linux_moddump - Extract loaded kernel modules linux_mount - Gather mounted fs/devices linux_mount_cache - Gather mounted fs/devices from kmem_cache linux_netfilter - Lists Netfilter hooks linux_netscan - Carves for network connection structures linux_netstat - Lists open sockets linux_pidhashtable - Enumerates processes through the PID hash table linux_pkt_queues - Writes per-process packet queues out to disk linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images linux_proc_maps - Gathers process memory maps linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree linux_procdump - Dumps a process's executable image to disk linux_process_hollow - Checks for signs of process hollowing linux_psaux - Gathers processes along with full command line and start time linux_psenv - Gathers processes along with their static environment variables linux_pslist - Gather active tasks by walking the task_struct->task list linux_pslist_cache - Gather tasks from the kmem_cache linux_psscan - Scan physical memory for processes linux_pstree - Shows the parent/child relationship between processes linux_psxview - Find hidden processes with various process listings linux_recover_filesystem - Recovers the entire cached file system from memory 
linux_route_cache - Recovers the routing cache from memory linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache linux_slabinfo - Mimics /proc/slabinfo on a running machine linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) linux_threads - Prints threads of processes linux_tmpfs - Recovers tmpfs filesystems from memory linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases linux_vma_cache - Gather VMAs from the vm_area_struct cache linux_volshell - Shell in the memory image linux_yarascan - A shell in the Linux memory image lsadump - Dump (decrypted) LSA secrets from the registry mac_adium - Lists Adium messages mac_apihooks - Checks for API hooks in processes mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked mac_arp - Prints the arp table mac_bash - Recover bash history from bash process memory mac_bash_env - Recover bash's environment variables mac_bash_hash - Recover bash hash table from bash process memory mac_calendar - Gets calendar events from Calendar.app mac_check_fop - Validate File Operation Pointers mac_check_mig_table - Lists entires in the kernel's MIG table mac_check_syscall_shadow - Looks for shadow system call tables mac_check_syscalls - Checks to see if system call table entries are hooked mac_check_sysctl - Checks for unknown sysctl handlers mac_check_trap_table - Checks to see if mach trap table entries are hooked mac_compressed_swap - Prints Mac OS X VM compressor stats and dumps all compressed pages mac_contacts - Gets contact names from Contacts.app mac_dead_procs - Prints terminated/de-allocated processes mac_dead_sockets - Prints terminated/de-allocated network sockets mac_dead_vnodes - Lists freed vnode structures mac_devfs - Lists files in the file cache mac_dmesg - Prints the kernel debug buffer mac_dump_file - Dumps a specified file mac_dump_maps - Dumps memory ranges of process(es), optionally including pages in compressed swap 
mac_dyld_maps - Gets memory maps of processes from dyld data structures mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images mac_get_profile - Automatically detect Mac profiles mac_ifconfig - Lists network interface information for all devices mac_interest_handlers - Lists IOKit Interest Handlers mac_ip_filters - Reports any hooked IP filters mac_kernel_classes - Lists loaded c++ classes in the kernel mac_kevents - Show parent/child relationship of processes mac_keychaindump - Recovers possbile keychain keys. Use chainbreaker to open related keychain files mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl mac_librarydump - Dumps the executable of a process mac_list_files - Lists files in the file cache mac_list_kauth_listeners - Lists Kauth Scope listeners mac_list_kauth_scopes - Lists Kauth Scopes and their status mac_list_raw - List applications with promiscuous sockets mac_list_sessions - Enumerates sessions mac_list_zones - Prints active zones mac_lsmod - Lists loaded kernel modules mac_lsmod_iokit - Lists loaded kernel modules through IOkit mac_lsmod_kext_map - Lists loaded kernel modules mac_lsof - Lists per-process opened files mac_machine_info - Prints machine information about the sample mac_malfind - Looks for suspicious process mappings mac_memdump - Dump addressable memory pages to a file mac_moddump - Writes the specified kernel extension to disk mac_mount - Prints mounted device information mac_netstat - Lists active per-process network connections mac_network_conns - Lists network connections from kernel network structures mac_notesapp - Finds contents of Notes messages mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. 
LogKext) mac_orphan_threads - Lists threads that don't map back to known modules/processes mac_pgrp_hash_table - Walks the process group hash table mac_pid_hash_table - Walks the pid hash table mac_print_boot_cmdline - Prints kernel boot arguments mac_proc_maps - Gets memory maps of processes mac_procdump - Dumps the executable of a process mac_psaux - Prints processes with arguments in user land (**argv) mac_psenv - Prints processes with environment in user land (**envp) mac_pslist - List Running Processes mac_pstree - Show parent/child relationship of processes mac_psxview - Find hidden processes with various process listings mac_recover_filesystem - Recover the cached filesystem mac_route - Prints the routing table mac_socket_filters - Reports socket filters mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) mac_tasks - List Active Tasks mac_threads - List Process Threads mac_threads_simple - Lists threads along with their start time and priority mac_timers - Reports timers set by kernel drivers mac_trustedbsd - Lists malicious trustedbsd policies mac_version - Prints the Mac version mac_vfsevents - Lists processes filtering file system events mac_volshell - Shell in the memory image mac_yarascan - Scan memory for yara signatures machoinfo - Dump Mach-O file format information malfind - Find hidden and injected code mbrparser - Scans for and parses potential Master Boot Records (MBRs) memdump - Dump the addressable memory for a process memmap - Print the memory map messagehooks - List desktop and thread window message hooks mftparser - Scans for and parses potential MFT entries moddump - Dump a kernel driver to an executable file sample modscan - Pool scanner for kernel modules modules - Print list of loaded modules multiscan - Scan for various objects at once mutantscan - Pool scanner for mutex objects netscan - Scan a Vista (or later) image for connections and sockets notepad - List currently displayed notepad text 
objtypescan - Scan for Windows object type objects patcher - Patches memory based on page scans poolpeek - Configurable pool scanner plugin pooltracker - Show a summary of pool tag usage printkey - Print a registry key, and its subkeys and values privs - Display process privileges procdump - Dump a process to an executable file sample pslist - Print all running processes by following the EPROCESS lists psscan - Pool scanner for process objects pstree - Print process list as a tree psxview - Find hidden processes with various process listings qemuinfo - Dump Qemu information raw2dmp - Converts a physical memory sample to a windbg crash dump screenshot - Save a pseudo-screenshot based on GDI windows servicediff - List Windows services (ala Plugx) sessions - List details on _MM_SESSION_SPACE (user logon sessions) shellbags - Prints ShellBags info shimcache - Parses the Application Compatibility Shim Cache registry key shutdowntime - Print ShutdownTime of machine from registry sockets - Print list of open sockets sockscan - Pool scanner for tcp socket objects ssdt - Display SSDT entries strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) svcscan - Scan for Windows services symlinkscan - Pool scanner for symlink objects thrdscan - Pool scanner for thread objects threads - Investigate _ETHREAD and _KTHREADs timeliner - Creates a timeline from various artifacts in memory timers - Print kernel timers and associated module DPCs truecryptmaster - Recover TrueCrypt 7.1a Master Keys truecryptpassphrase - TrueCrypt Cached Passphrase Finder truecryptsummary - TrueCrypt Summary unloadedmodules - Print list of unloaded modules userassist - Print userassist registry keys and information userhandles - Dump the USER handle tables vaddump - Dumps out the vad sections to a file vadinfo - Dump the VAD info vadtree - Walk the VAD tree and display in tree format vadwalk - Walk the VAD tree vboxinfo - Dump virtualbox information verinfo - Prints out the 
version information from PE images vmwareinfo - Dump VMware VMSS/VMSN information volshell - Shell in the memory image win10cookie - Find the ObHeaderCookie value for Windows 10 windows - Print Desktop Windows (verbose details) wintree - Print Z-Order Desktop Windows Tree wndscan - Pool scanner for window stations yarascan - Scan process or kernel memory with Yara signatures 3. To get more information on a Windows memory sample and to make sure Volatility supports that sample type, run 'python vol.py imageinfo -f <imagename>' or 'python vol.py kdbgscan -f <imagename>' Example: $ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw Volatility Foundation Volatility Framework 2.6 Determining profile based on KDBG search... Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64) AS Layer1 : AMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw) PAE type : PAE DTB : 0x187000L KDBG : 0xf800016460a0 Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff80001647d00L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2012-03-24 19:30:53 UTC+0000 Image local date and time : 2012-03-25 03:30:53 +0800 If multiple profiles are suggested by imageinfo or kdbgscan, or if you're having trouble analyzing Windows 7 or later memory samples, please see the guidelines here: https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles 4. Run some other plugins. -f is a required option for all plugins. Some also require/accept other options. Run "python vol.py <plugin> -h" for more information on a particular command. 
A Command Reference wiki is also available on the GitHub site: https://github.com/volatilityfoundation/volatility/wiki as well as Basic Usage: https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage Licensing and Copyright ======================= Copyright (C) 2007-2016 Volatility Foundation All Rights Reserved Volatility is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. Volatility is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with Volatility. If not, see <http://www.gnu.org/licenses/>. Bugs and Support ================ There is no support provided with Volatility. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
If you think you've found a bug, please report it at: https://github.com/volatilityfoundation/volatility/issues In order to help us solve your issues as quickly as possible, please include the following information when filing a bug: * The version of volatility you're using * The operating system used to run volatility * The version of python used to run volatility * The suspected operating system of the memory image * The complete command line you used to run volatility Depending on the operating system of the memory image, you may need to provide additional information, such as: For Windows: * The suspected Service Pack of the memory image For Linux: * The suspected kernel version of the memory image Other options for communication can be found at: https://github.com/volatilityfoundation/volatility/wiki Missing or Truncated Information ================================ Volatility Foundation makes no claims about the validity or correctness of the output of Volatility. Many factors may contribute to the incorrectness of output from Volatility including, but not limited to, malicious modifications to the operating system, incomplete information due to swapping, and information corruption on image acquisition. Command Reference ==================== The following url contains a reference of all commands supported by Volatility. https://github.com/volatilityfoundation/volatility/wiki volatility_2.6+git20170711.b3db0cc/LICENSE.txt0000644000000000000000000003542713131215405016773 0ustar rootroot GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. 
By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. 
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. 
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. 
But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. 
For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. 
Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. 
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. 
Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
END OF TERMS AND CONDITIONS volatility_2.6+git20170711.b3db0cc/PKG-INFO0000644000000000000000000000037613131215405016240 0ustar rootrootMetadata-Version: 1.0 Name: Volatility Version: GC1 Summary: Volatility -- Volatile memory framwork Home-page: http://www.volatilityfoundation.org Author: AAron Walters Author-email: awalters@4tphi.net License: GPL Description: UNKNOWN Platform: UNKNOWN volatility_2.6+git20170711.b3db0cc/tools/0000755000000000000000000000000013131215405016275 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/tools/vtype_diff.py0000755000000000000000000001636613131215405021025 0ustar rootroot#!/usr/bin/env python # -*- mode: python; -*- # # Volatility # Authors: # Brendan Dolan-Gavitt # Mike Auty # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

"""
@author: Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: brendandg@gatech.edu
@organization: Georgia Institute of Technology
"""

from optparse import OptionParser
import hashlib, os, sys

# NOTE(review): this copy of the file had its line breaks and indentation
# collapsed. The nesting below is reconstructed from the statement order and
# should be confirmed against the upstream file (in particular the placement
# of the final assignment in load() and of the else branch in diff()).

class VtypeHolder(object):
    """Holds one vtypes dictionary read from a Python file.

    The holder can rename unnamed types to content-derived names, undo that
    renaming, reduce itself to the difference from another holder, and print
    the result as Python source text.
    """

    # Type names starting with this prefix are the ones canonicalize() renames
    # and _tuplify() expands by content instead of by name.
    unstable_var_prefix = "unknown_"

    def __init__(self):
        self.vtypes = None      # dict of types, set by load()
        self.arrayname = None   # name of the *_types variable found by load()
        self.filename = None    # path passed to load()
        self.namemap = {}       # original unnamed-type name -> canonical name
        self.dellist = []       # types present in the basis but not here (see diff())
        self.basis = None       # (filename, arrayname) of the holder diffed against

    def _rename_types(self, vtypes, namemap):
        """Applies namemap (old name -> new name) to vtypes in place and returns it.

        Member descriptions that reference a mapped name are rewritten first,
        then the type entries themselves are re-keyed.
        """
        # Apply the namemap within the types
        for t in vtypes:
            for m in vtypes[t][1]:
                memb = vtypes[t][1][m]
                d = self._get_deepest(memb)
                if d in namemap:
                    vtypes[t][1][m] = self._deep_replace(memb, d, namemap[d])

        # Rename the types themselves
        for n in namemap:
            if n in vtypes:
                vtypes[namemap[n]] = vtypes[n]
                del vtypes[n]

        return vtypes

    def _deep_replace(self, t, search, repl):
        """Returns t with every element equal to search replaced by repl.

        Only lists are descended into; any other value is returned unchanged.
        """
        if t == search:
            return repl
        elif isinstance(t, list):
            return [self._deep_replace(x, search, repl) for x in t]
        else:
            return t

    def _get_deepest(self, t):
        """Returns the element of the first single-element list found in t.

        For a list with one element that element is returned; for a longer list
        the parts are searched in order and the first truthy result wins.
        Returns None when t is not a list or nothing is found.
        """
        if isinstance(t, list):
            if len(t) == 1:
                return t[0]
            else:
                for part in t:
                    res = self._get_deepest(part)
                    if res:
                        return res
                return None
        return None

    def _tuplify(self, types, t):
        """Converts t into nested sorted tuples so that its str() is stable.

        Lists and tuples become sorted tuples, dicts are converted through
        their items, and a string naming an unnamed type is replaced by the
        tuplified definition of that type looked up in types.
        """
        # NOTE(review): there is no guard against cycles here; an unnamed type
        # that reaches itself through other unnamed types would recurse without
        # bound.
        if isinstance(t, list) or isinstance(t, tuple):
            return tuple(sorted([self._tuplify(types, x) for x in t]))
        elif isinstance(t, dict):
            return self._tuplify(types, t.items())
        elif isinstance(t, str) and t.startswith(self.unstable_var_prefix):
            return self._tuplify(types, types[t])
        else:
            return t

    def as_string(self, msizes = True):
        """Renders the vtypes as Python source text and returns it.

        Returns an empty string when nothing is loaded. With msizes false the
        first element of every member entry is printed as None. When diff()
        has set a basis, the dictionary is emitted under the name
        <arrayname>_additions, followed by code that imports the basis module,
        deep-copies its array, deletes the dellist entries and applies the
        additions.
        """
        if not self.vtypes:
            return ""

        arrayname = self.arrayname
        if self.basis:
            arrayname += "_additions"

        # Type and member names are interpolated into the generated source
        # as-is, without any quoting or escaping.
        output = arrayname + " = {\n"
        for t in sorted(self.vtypes):
            output += " '{0}': [ {1:#x}, {{\n".format(t, self.vtypes[t][0])
            # Members are ordered by the first element of their entry
            # (presumably the member offset).
            for m in sorted(self.vtypes[t][1], key = lambda m: self.vtypes[t][1][m][0]):
                if msizes:
                    output += " '{0}': [{1:#x}, {2}],\n".format(m, self.vtypes[t][1][m][0], self.vtypes[t][1][m][1])
                else:
                    output += " '{0}': [None, {1}],\n".format(m, self.vtypes[t][1][m][1])
            output += " }],\n"
        output += "}\n"

        if self.basis:
            fn, an = self.basis
            # The basis is imported by module name, i.e. its file name without
            # directory and extension.
            fn = os.path.splitext(os.path.basename(fn))[0]
            output += "\n# We must use deepcopy to avoid overlays affecting multiple profiles\nimport copy\n"
            output += "import {0}\n".format(fn)
            output += "{0} = copy.deepcopy({1}.{2})\n".format(self.arrayname, fn, an)
            if self.dellist:
                for i in self.dellist:
                    output += "del {0}['{1}']\n".format(self.arrayname, i)
            output += "{0}.update({1})\n".format(self.arrayname, arrayname)

        return output

    def load(self, filename):
        """Executes filename as Python and adopts its variable ending in '_types'."""
        self.filename = filename
        locs, globs = {}, {}
        # SECURITY: execfile runs whatever code the file contains, with the
        # privileges of this process; nothing here restricts it. Only load
        # vtypes files from a source you trust.
        execfile(filename, globs, locs)
        for i in locs.keys():
            if i.endswith('_types'):
                self.arrayname = i
                self.vtypes = locs[self.arrayname]

    def canonicalize(self):
        """Renames every unnamed type to a name derived from its definition.

        The new name is "__volstablename_" plus the MD5 hex digest of the
        tuplified definition, so unnamed types with the same content get the
        same name in different files. The mapping is kept in self.namemap.
        Returns False when nothing is loaded.
        """
        if not self.vtypes:
            return False

        namemap = {}
        unnamed = [t for t in self.vtypes if t.startswith(self.unstable_var_prefix)]

        # Create the namemap
        for t in unnamed:
            # MD5 serves here as a content fingerprint for naming, not as an
            # integrity or authenticity check.
            newname = "__volstablename_" + hashlib.md5(str(self._tuplify(self.vtypes, self.vtypes[t]))).hexdigest() #pylint: disable-msg=E1101
            if t in namemap:
                # NOTE(review): the message reads self.namemap, which is only
                # assigned from the local namemap after this loop; confirm
                # whether namemap[t] was intended.
                print "Conflicting names for {0}: {1} and {2}".format(t, newname, self.namemap[t])
            if newname in self.vtypes:
                print "Constructed name for {0} ({1}) already exists in vtypes".format(t, newname)
            namemap[t] = newname

        self.namemap = namemap
        self.vtypes = self._rename_types(self.vtypes, namemap)

    def decanonicalize(self, namemap = None):
        """Undoes canonicalize() using namemap, or self.namemap when none is given.

        The map is inverted (canonical name -> original name) and applied to
        both the types and the dellist. Returns False when nothing is loaded.
        """
        if not self.vtypes:
            return False

        if not namemap:
            namemap = self.namemap

        # reverse the namemap
        newnamemap = {}
        for i in namemap:
            newnamemap[namemap[i]] = i

        # Rename the types
        self.vtypes = self._rename_types(self.vtypes, newnamemap)

        # Rename the dellist members
        dellist = [ newnamemap[x] if x in newnamemap else x for x in self.dellist]
        self.dellist = dellist

    def diff(self, base):
        """Compresses these vtypes based on another vtypes"""
        self.basis = base.filename, base.arrayname
        removelist = []
        for i in base.vtypes:
            if i in self.vtypes:
                # Types whose tuplified definitions hash identically in both
                # holders are dropped from this one.
                inithash = hashlib.md5(str(self._tuplify(base.vtypes, base.vtypes[i]))).hexdigest() #pylint: disable-msg=E1101
                diffhash = hashlib.md5(str(self._tuplify(self.vtypes, self.vtypes[i]))).hexdigest() #pylint: disable-msg=E1101
                if inithash == diffhash:
                    removelist.append(i)
            else:
                # Present in the base only: as_string() emits a del for it.
                self.dellist.append(i)

        for i in removelist:
            del self.vtypes[i]

if __name__ == '__main__':
    usage = "usage: %prog [options] "
    parser = OptionParser(usage = usage)
    (opts, args) = parser.parse_args()

    if len(args) != 2:
        parser.error("Must provide both vtypes files.")

    # Ensure these can import any modules they require
    # (this makes every module next to either input file importable by the
    # code that load() executes)
    sys.path.append(os.path.dirname(args[0]))
    sys.path.append(os.path.dirname(args[1]))

    ### Rename 1
    v1 = VtypeHolder()
    v1.load(args[0])
    v1.canonicalize()

    ### Rename 2
    v2 = VtypeHolder()
    v2.load(args[1])
    v2.canonicalize()

    ### Compress
    v2.diff(v1)
    v2.decanonicalize(v1.namemap)

    # Verify that no two names map to the same value
    for conflict in v1.namemap:
        if conflict in v2.namemap:
            if v1.namemap[conflict] != v2.namemap[conflict]:
                ### Remove possible conflicting unnamed offsets in original naming convention
                del v2.namemap[conflict]
    v2.decanonicalize(v2.namemap)

    ### Print types
    print v2.as_string()
volatility_2.6+git20170711.b3db0cc/tools/linux/0000755000000000000000000000000013131215405017434 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/tools/linux/module.c0000644000000000000000000003727513131215405021103 0ustar rootroot/* This module does absolutely nothings at all. We just build it with debugging symbols and then read the DWARF symbols from it.
*/

/*
 * NOTE(review): in this copy every #include directive has lost its header
 * name, so the file does not build as shown. The directives are kept in
 * their original order and number.
 *
 * Each "struct X X;" line below defines a global of that type; per the
 * opening comment of this file the module is only built so that the
 * structure layouts end up in its DWARF debugging symbols.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,11,0)
#include
struct lockref lockref;
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,26)
#include
#else
#include
#endif

#include
#include
#include
#include

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,20)
#include
struct pid_namespace pid_namespace;
#endif

#ifdef CONFIG_NETFILTER
#include
struct nf_hook_ops nf_hook_ops;
struct nf_sockopt_ops nf_sockopt_ops;

#ifdef CONFIG_NETFILTER_XTABLES
#include
struct xt_table xt_table;
#endif

#endif

#include
#include
#include
#include
#include
#include

struct atomic_notifier_head atomic_notifier_head;

#include
struct tty_driver tty_driver;

#include
struct tty_struct tty_struct;

struct udp_seq_afinfo udp_seq_afinfo;
struct tcp_seq_afinfo tcp_seq_afinfo;

struct files_struct files_struct;

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19)
struct uts_namespace uts_namespace;
#endif

struct sock sock;
struct inet_sock inet_sock;
struct vfsmount vfsmount;
struct in_device in_device;
struct fib_table fib_table;
struct unix_sock unix_sock;
struct pid pid;
struct radix_tree_root radix_tree_root;

#ifdef CONFIG_NET_SCHED
#include
struct Qdisc qdisc;
#endif

struct inet_protosw inet_protosw;

/********************************************************************
The following structs are not defined in headers, so we cant import
them. Hopefully they dont change too much.
*********************************************************************/

/*
 * NOTE(review): the definitions from here on are written out by hand instead
 * of being taken from kernel headers, so they are only as accurate as the
 * version checks around them. A layout that differs from the kernel being
 * profiled would presumably give wrong member offsets in the resulting
 * symbols; verify against the target kernel source.
 */

struct kthread_create_info
{
    /* Information passed to kthread() from kthreadd. */
    int (*threadfn)(void *data);
    void *data;
    int node;

    /* Result passed back to kthread_create() from kthreadd. */
    struct task_struct *result;
    struct completion done;

    struct list_head list;
};

struct kthread_create_info kthread_create_info;

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
#include
#endif

#include
#include
#include
#include

#define EMBEDDED_HASH_SIZE (L1_CACHE_BYTES / sizeof(struct hlist_head))

/* Defined as empty so the __rcu marker used in rt_hash_bucket below expands to nothing. */
#define __rcu

struct fn_zone {
    struct fn_zone *fz_next; /* Next not empty zone */
    struct hlist_head *fz_hash; /* Hash table pointer */
    seqlock_t fz_lock;
    u32 fz_hashmask; /* (fz_divisor - 1) */
    u8 fz_order; /* Zone order (0..32) */
    u8 fz_revorder; /* 32 - fz_order */
    __be32 fz_mask; /* inet_make_mask(order) */

    struct hlist_head fz_embedded_hash[EMBEDDED_HASH_SIZE];

    int fz_nent; /* Number of entries */
    int fz_divisor; /* Hash size (mask+1) */
} fn_zone;

struct fn_hash {
    struct fn_zone *fn_zones[33];
    struct fn_zone *fn_zone_list;
} fn_hash;

struct fib_alias
{
    struct list_head fa_list;
    struct fib_info *fa_info;
    u8 fa_tos;
    u8 fa_type;
    u8 fa_scope;
    u8 fa_state;
#ifdef CONFIG_IP_FIB_TRIE
    struct rcu_head rcu;
#endif
};

struct fib_node
{
    struct hlist_node fn_hash;
    struct list_head fn_alias;
    __be32 fn_key;
    struct fib_alias fn_embedded_alias;
};

struct fib_node fib_node;
struct fib_alias fib_alias;

struct rt_hash_bucket {
    struct rtable __rcu *chain;
} rt_hash_bucket;

/* Only supplied when no included header already defines RADIX_TREE_MAP_SHIFT. */
#ifndef RADIX_TREE_MAP_SHIFT

#define RADIX_TREE_MAP_SHIFT (CONFIG_BASE_SMALL ? 4 : 6)
#define RADIX_TREE_MAP_SIZE (1UL << RADIX_TREE_MAP_SHIFT)
#define RADIX_TREE_MAP_MASK (RADIX_TREE_MAP_SIZE-1)
#define RADIX_TREE_TAG_LONGS ((RADIX_TREE_MAP_SIZE + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define RADIX_TREE_MAX_TAGS 2

struct radix_tree_node {
    unsigned int height; /* Height from the bottom */
    unsigned int count;
    struct rcu_head rcu_head;
    void *slots[RADIX_TREE_MAP_SIZE];
    unsigned long tags[RADIX_TREE_MAX_TAGS][RADIX_TREE_TAG_LONGS];
};
#endif

/* The local module_sect_attr(s) definitions are used for 2.6.25 and later, and for exactly 2.6.18. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
#define OUR_OWN_MOD_STRUCTS
#endif

#if LINUX_VERSION_CODE == KERNEL_VERSION(2,6,18)
#define OUR_OWN_MOD_STRUCTS
#endif

#ifdef OUR_OWN_MOD_STRUCTS
struct module_sect_attr
{
    struct module_attribute mattr;
    char *name;
    unsigned long address;
};

struct module_sect_attrs
{
    struct attribute_group grp;
    unsigned int nsections;
    struct module_sect_attr attrs[0];
};

struct module_sect_attrs module_sect_attrs;

#else

struct module_sections module_sect_attrs;

#endif

struct module_kobject module_kobject;

#ifdef CONFIG_SLAB

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,31)

/*
 * NOTE(review): STATS and DEBUG are not defined anywhere in this file. Unless
 * an included header defines them, the "#if STATS" and "#if DEBUG" members
 * below are compiled out, which would not match a kernel built with those
 * slab options enabled; confirm for the target kernel.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
/*
 * struct kmem_cache
 *
 * manages a cache.
 */

struct kmem_cache {
    /* 1) per-cpu data, touched during every alloc/free */
    struct array_cache *array[NR_CPUS];
    /* 2) Cache tunables. Protected by cache_chain_mutex */
    unsigned int batchcount;
    unsigned int limit;
    unsigned int shared;

    unsigned int buffer_size;
    u32 reciprocal_buffer_size;
    /* 3) touched by every alloc & free from the backend */

    unsigned int flags; /* constant flags */
    unsigned int num; /* # of objs per slab */

    /* 4) cache_grow/shrink */
    /* order of pgs per slab (2^n) */
    unsigned int gfporder;

    /* force GFP flags, e.g. GFP_DMA */
    gfp_t gfpflags;

    size_t colour; /* cache colouring range */
    unsigned int colour_off; /* colour offset */
    struct kmem_cache *slabp_cache;
    unsigned int slab_size;
    unsigned int dflags; /* dynamic flags */

    /* constructor func */
    void (*ctor)(void *obj);

    /* 5) cache creation/removal */
    const char *name;
    struct list_head next;

    /* 6) statistics */
#if STATS
    unsigned long num_active;
    unsigned long num_allocations;
    unsigned long high_mark;
    unsigned long grown;
    unsigned long reaped;
    unsigned long errors;
    unsigned long max_freeable;
    unsigned long node_allocs;
    unsigned long node_frees;
    unsigned long node_overflow;
    atomic_t allochit;
    atomic_t allocmiss;
    atomic_t freehit;
    atomic_t freemiss;
#endif
#if DEBUG
    /*
     * If debugging is enabled, then the allocator can add additional
     * fields and/or padding to every object. buffer_size contains the total
     * object size including these internal fields, the following two
     * variables contain the offset to the user object and its size.
     */
    int obj_offset;
    int obj_size;
#endif
    /*
     * We put nodelists[] at the end of kmem_cache, because we want to size
     * this array to nr_node_ids slots instead of MAX_NUMNODES
     * (see kmem_cache_init())
     * We still use [MAX_NUMNODES] and not [1] or [0] because cache_cache
     * is statically defined, so we reserve the max number of nodes.
     */
    struct kmem_list3 *nodelists[MAX_NUMNODES];
    /*
     * Do not add fields after nodelists[]
     */
};
#else

struct kmem_cache {
    /* 1) per-cpu data, touched during every alloc/free */
    struct array_cache *array[NR_CPUS];
    /* 2) Cache tunables. Protected by cache_chain_mutex */
    unsigned int batchcount;
    unsigned int limit;
    unsigned int shared;

    unsigned int buffer_size;
    /* 3) touched by every alloc & free from the backend */
    struct kmem_list3 *nodelists[MAX_NUMNODES];

    unsigned int flags; /* constant flags */
    unsigned int num; /* # of objs per slab */

    /* 4) cache_grow/shrink */
    /* order of pgs per slab (2^n) */
    unsigned int gfporder;

    /* force GFP flags, e.g. GFP_DMA */
    gfp_t gfpflags;

    size_t colour; /* cache colouring range */
    unsigned int colour_off; /* colour offset */
    struct kmem_cache *slabp_cache;
    unsigned int slab_size;
    unsigned int dflags; /* dynamic flags */

    /* constructor func */
    void (*ctor) (void *, struct kmem_cache *, unsigned long);

    /* de-constructor func */
    void (*dtor) (void *, struct kmem_cache *, unsigned long);

    /* 5) cache creation/removal */
    const char *name;
    struct list_head next;

    /* 6) statistics */
#if STATS
    unsigned long num_active;
    unsigned long num_allocations;
    unsigned long high_mark;
    unsigned long grown;
    unsigned long reaped;
    unsigned long errors;
    unsigned long max_freeable;
    unsigned long node_allocs;
    unsigned long node_frees;
    unsigned long node_overflow;
    atomic_t allochit;
    atomic_t allocmiss;
    atomic_t freehit;
    atomic_t freemiss;
#endif
#if DEBUG
    /*
     * If debugging is enabled, then the allocator can add additional
     * fields and/or padding to every object. buffer_size contains the total
     * object size including these internal fields, the following two
     * variables contain the offset to the user object and its size.
     */
    int obj_offset;
    int obj_size;
#endif
};

#endif /*kmem_cache decl*/

struct kmem_cache kmem_cache;
#endif

struct kmem_list3 {
    struct list_head slabs_partial; /* partial list first, better asm code */
    struct list_head slabs_full;
    struct list_head slabs_free;
    unsigned long free_objects;
    unsigned int free_limit;
    unsigned int colour_next; /* Per-node cache coloring */
    spinlock_t list_lock;
    struct array_cache *shared; /* shared per node */
    struct array_cache **alien; /* on other nodes */
    unsigned long next_reap; /* updated without locking */
    int free_touched; /* updated without locking */
};

struct kmem_list3 kmem_list3;

struct slab {
    struct list_head list;
    unsigned long colouroff;
    void *s_mem; /* including colour offset */
    unsigned int inuse; /* num of objs active in slab */
    unsigned int free;
    unsigned short nodeid;
};

struct slab slab;
#endif

/*
 * NOTE(review): this test uses ">" while the kmem_cache block above uses "<"
 * against the same version, so a 2.6.31 kernel gets neither block; confirm
 * that is intended.
 */
#if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,31)

#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,7,0)
/* Starting with Linux kernel 3.7 the struct timekeeper is defined in include/linux/timekeeper_internal.h */
#include
#else
/* Before Linux kernel 3.7 the struct timekeeper has to be taken from kernel/time/timekeeping.c */

typedef u64 cycle_t;

struct timekeeper {
    /* Current clocksource used for timekeeping. */
    struct clocksource *clock;
    /* NTP adjusted clock multiplier */
    u32 mult;
    /* The shift value of the current clocksource. */
    int shift;

    /* Number of clock cycles in one NTP interval. */
    cycle_t cycle_interval;
    /* Number of clock shifted nano seconds in one NTP interval. */
    u64 xtime_interval;
    /* shifted nano seconds left over when rounding cycle_interval */
    s64 xtime_remainder;
    /* Raw nano seconds accumulated per NTP interval. */
    u32 raw_interval;

    /* Clock shifted nano seconds remainder not stored in xtime.tv_nsec. */
    u64 xtime_nsec;
    /* Difference between accumulated time and NTP time in ntp
     * shifted nano seconds. */
    s64 ntp_error;
    /* Shift conversion between clock shifted nano seconds and
     * ntp shifted nano seconds. */
    int ntp_error_shift;

    /* The current time */
    struct timespec xtime;
    /*
     * wall_to_monotonic is what we need to add to xtime (or xtime corrected
     * for sub jiffie times) to get to monotonic time. Monotonic is pegged
     * at zero at system boot time, so wall_to_monotonic will be negative,
     * however, we will ALWAYS keep the tv_nsec part positive so we can use
     * the usual normalization.
     *
     * wall_to_monotonic is moved after resume from suspend for the
     * monotonic time not to jump. We need to add total_sleep_time to
     * wall_to_monotonic to get the real boot based time offset.
     *
     * - wall_to_monotonic is no longer the boot time, getboottime must be
     * used instead.
     */
    struct timespec wall_to_monotonic;
    /* time spent in suspend */
    struct timespec total_sleep_time;
    /* The raw monotonic time for the CLOCK_MONOTONIC_RAW posix clock. */
    struct timespec raw_time;

    /* Offset clock monotonic -> clock realtime */
    ktime_t offs_real;

    /* Offset clock monotonic -> clock boottime */
    ktime_t offs_boot;

    /* Seqlock for all timekeeper values */
    seqlock_t lock;
};

#endif

struct timekeeper my_timekeeper;

struct log {
    u64 ts_nsec; /* timestamp in nanoseconds */
    u16 len; /* length of entire record */
    u16 text_len; /* length of text buffer */
    u16 dict_len; /* length of dictionary buffer */
    u8 facility; /* syslog facility */
    u8 flags:5; /* internal record flags */
    u8 level:3; /* syslog level */
};

struct log my_log;

#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,3,0)
struct mnt_namespace {
    atomic_t count;
    struct mount * root;
    struct list_head list;
    wait_queue_head_t poll;
    int event;
};

struct mnt_pcp {
    int mnt_count;
    int mnt_writers;
};

struct mount {
    struct list_head mnt_hash;
    struct mount *mnt_parent;
    struct dentry *mnt_mountpoint;
    struct vfsmount mnt;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,13,0)
    struct callback_head rcu;
#endif
#ifdef CONFIG_SMP
    struct mnt_pcp __percpu *mnt_pcp;
#if LINUX_VERSION_CODE < KERNEL_VERSION(3,6,0)
    atomic_t mnt_longterm; /* how many of the refs are longterm */
#endif
#else
    int mnt_count;
    int mnt_writers;
#endif
    struct list_head mnt_mounts; /* list of children, anchored here */
    struct list_head mnt_child; /* and going through their mnt_child */
    struct list_head mnt_instance; /* mount instance on sb->s_mounts */
    const char *mnt_devname; /* Name of device e.g. /dev/dsk/hda1 */
    struct list_head mnt_list;
    struct list_head mnt_expire; /* link in fs-specific expiry list */
    struct list_head mnt_share; /* circular list of shared mounts */
    struct list_head mnt_slave_list;/* list of slave mounts */
    struct list_head mnt_slave; /* slave list entry */
    struct mount *mnt_master; /* slave is on master->mnt_slave_list */
    struct mnt_namespace *mnt_ns; /* containing namespace */
#ifdef CONFIG_FSNOTIFY
    struct hlist_head mnt_fsnotify_marks;
    __u32 mnt_fsnotify_mask;
#endif
    int mnt_id; /* mount identifier */
    int mnt_group_id; /* peer group identifier */
    int mnt_expiry_mark; /* true if marked for expiry */
    int mnt_pinned;
    int mnt_ghosts;
};

#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,13,0)
struct proc_dir_entry {
    unsigned int low_ino;
    umode_t mode;
    nlink_t nlink;
    kuid_t uid;
    kgid_t gid;
    loff_t size;
    const struct inode_operations *proc_iops;
    const struct file_operations *proc_fops;
    struct proc_dir_entry *next, *parent, *subdir;
    void *data;
    atomic_t count; /* use count */
    atomic_t in_use; /* number of callers into module in progress; */
    /* negative -> it's going away RSN */
    struct completion *pde_unload_completion;
    struct list_head pde_openers; /* who did ->open, but not ->release */
    spinlock_t pde_unload_lock; /* proc_fops checks and pde_users bumps */
    u8 namelen;
    char name[];
};
#endif

struct resource resource;
volatility_2.6+git20170711.b3db0cc/tools/linux/kcore/0000755000000000000000000000000013131215405020537 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/tools/linux/kcore/elf.h0000644000000000000000000034553113131215405021471 0ustar rootroot/* This file defines standard ELF types, structures, and macros.
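Copyright (C) 1995-2003,2004,2005,2006,2007,2008,2009,2010 Free Software Foundation, Inc.
   This file is part of the GNU C Library.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, write to the Free
   Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
   02110-1301, USA */

#ifndef _ELF_H
#define _ELF_H 1

#include <features.h>

__BEGIN_DECLS

/* Standard ELF types. */

/* Fixed-width integer types used by every typedef below, so that field
   widths do not depend on the host's int/long sizes.  The typedefs fix
   the width only; they do not convert byte order, so a reader still has
   to honour the file's data encoding itself.  */
#include <stdint.h>

/* Type for a 16-bit quantity. */
typedef uint16_t Elf32_Half;
typedef uint16_t Elf64_Half;

/* Types for signed and unsigned 32-bit quantities. */
typedef uint32_t Elf32_Word;
typedef int32_t Elf32_Sword;
typedef uint32_t Elf64_Word;
typedef int32_t Elf64_Sword;

/* Types for signed and unsigned 64-bit quantities. */
typedef uint64_t Elf32_Xword;
typedef int64_t Elf32_Sxword;
typedef uint64_t Elf64_Xword;
typedef int64_t Elf64_Sxword;

/* Type of addresses. */
typedef uint32_t Elf32_Addr;
typedef uint64_t Elf64_Addr;

/* Type of file offsets. */
typedef uint32_t Elf32_Off;
typedef uint64_t Elf64_Off;

/* Type for section indices, which are 16-bit quantities. */
typedef uint16_t Elf32_Section;
typedef uint16_t Elf64_Section;

/* Type for version symbol information. */
typedef Elf32_Half Elf32_Versym;
typedef Elf64_Half Elf64_Versym;

/* The ELF file header. This appears at the start of every ELF file.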
*/

/* Number of bytes in the e_ident identification array. */
#define EI_NIDENT (16)

/* ELF file header, 32-bit class.
   NOTE(review): these fields say where the program and section header
   tables live and how large they are, and they come straight from the
   file.  Nothing in this header validates them.  Code that parses an ELF
   image should check the e_ident bytes first, then confirm that
   e_phentsize and e_shentsize are at least the size of the structure it
   is about to read, that e_phoff + e_phnum * e_phentsize and
   e_shoff + e_shnum * e_shentsize stay inside the file, and that
   e_shstrndx refers to an existing section, before indexing either
   table.  */
typedef struct
{
  unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
  Elf32_Half e_type; /* Object file type */
  Elf32_Half e_machine; /* Architecture */
  Elf32_Word e_version; /* Object file version */
  Elf32_Addr e_entry; /* Entry point virtual address */
  Elf32_Off e_phoff; /* Program header table file offset */
  Elf32_Off e_shoff; /* Section header table file offset */
  Elf32_Word e_flags; /* Processor-specific flags */
  Elf32_Half e_ehsize; /* ELF header size in bytes */
  Elf32_Half e_phentsize; /* Program header table entry size */
  Elf32_Half e_phnum; /* Program header table entry count */
  Elf32_Half e_shentsize; /* Section header table entry size */
  Elf32_Half e_shnum; /* Section header table entry count */
  Elf32_Half e_shstrndx; /* Section header string table index */
} Elf32_Ehdr;

/* ELF file header, 64-bit class.  Same fields in the same order as
   Elf32_Ehdr; e_entry, e_phoff and e_shoff use the 64-bit address and
   offset types.
   NOTE(review): the same range checks apply as for the 32-bit header,
   and with 64-bit offsets the check itself must not let the
   offset + size addition wrap around.  */
typedef struct
{
  unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
  Elf64_Half e_type; /* Object file type */
  Elf64_Half e_machine; /* Architecture */
  Elf64_Word e_version; /* Object file version */
  Elf64_Addr e_entry; /* Entry point virtual address */
  Elf64_Off e_phoff; /* Program header table file offset */
  Elf64_Off e_shoff; /* Section header table file offset */
  Elf64_Word e_flags; /* Processor-specific flags */
  Elf64_Half e_ehsize; /* ELF header size in bytes */
  Elf64_Half e_phentsize; /* Program header table entry size */
  Elf64_Half e_phnum; /* Program header table entry count */
  Elf64_Half e_shentsize; /* Section header table entry size */
  Elf64_Half e_shnum; /* Section header table entry count */
  Elf64_Half e_shstrndx; /* Section header string table index */
} Elf64_Ehdr;

/* Fields in the e_ident array. The EI_* macros are indices into the array. The macros under each EI_* macro are the values the byte may have.
*/ #define EI_MAG0 0 /* File identification byte 0 index */ #define ELFMAG0 0x7f /* Magic number byte 0 */ #define EI_MAG1 1 /* File identification byte 1 index */ #define ELFMAG1 'E' /* Magic number byte 1 */ #define EI_MAG2 2 /* File identification byte 2 index */ #define ELFMAG2 'L' /* Magic number byte 2 */ #define EI_MAG3 3 /* File identification byte 3 index */ #define ELFMAG3 'F' /* Magic number byte 3 */ /* Conglomeration of the identification bytes, for easy testing as a word. */ #define ELFMAG "\177ELF" #define SELFMAG 4 #define EI_CLASS 4 /* File class byte index */ #define ELFCLASSNONE 0 /* Invalid class */ #define ELFCLASS32 1 /* 32-bit objects */ #define ELFCLASS64 2 /* 64-bit objects */ #define ELFCLASSNUM 3 #define EI_DATA 5 /* Data encoding byte index */ #define ELFDATANONE 0 /* Invalid data encoding */ #define ELFDATA2LSB 1 /* 2's complement, little endian */ #define ELFDATA2MSB 2 /* 2's complement, big endian */ #define ELFDATANUM 3 #define EI_VERSION 6 /* File version byte index */ /* Value must be EV_CURRENT */ #define EI_OSABI 7 /* OS ABI identification */ #define ELFOSABI_NONE 0 /* UNIX System V ABI */ #define ELFOSABI_SYSV 0 /* Alias. */ #define ELFOSABI_HPUX 1 /* HP-UX */ #define ELFOSABI_NETBSD 2 /* NetBSD. */ #define ELFOSABI_GNU 3 /* GNU. */ #define ELFOSABI_LINUX 3 /* Alias for ELFOSABI_GNU. */ #define ELFOSABI_SOLARIS 6 /* Sun Solaris. */ #define ELFOSABI_AIX 7 /* IBM AIX. */ #define ELFOSABI_IRIX 8 /* SGI Irix. */ #define ELFOSABI_FREEBSD 9 /* FreeBSD. */ #define ELFOSABI_TRU64 10 /* Compaq TRU64 UNIX. */ #define ELFOSABI_MODESTO 11 /* Novell Modesto. */ #define ELFOSABI_OPENBSD 12 /* OpenBSD. */ #define ELFOSABI_ARM_AEABI 64 /* ARM EABI */ #define ELFOSABI_ARM 97 /* ARM */ #define ELFOSABI_STANDALONE 255 /* Standalone (embedded) application */ #define EI_ABIVERSION 8 /* ABI version */ #define EI_PAD 9 /* Byte index of padding bytes */ /* Legal values for e_type (object file type). 
*/ #define ET_NONE 0 /* No file type */ #define ET_REL 1 /* Relocatable file */ #define ET_EXEC 2 /* Executable file */ #define ET_DYN 3 /* Shared object file */ #define ET_CORE 4 /* Core file */ #define ET_NUM 5 /* Number of defined types */ #define ET_LOOS 0xfe00 /* OS-specific range start */ #define ET_HIOS 0xfeff /* OS-specific range end */ #define ET_LOPROC 0xff00 /* Processor-specific range start */ #define ET_HIPROC 0xffff /* Processor-specific range end */ /* Legal values for e_machine (architecture). */ #define EM_NONE 0 /* No machine */ #define EM_M32 1 /* AT&T WE 32100 */ #define EM_SPARC 2 /* SUN SPARC */ #define EM_386 3 /* Intel 80386 */ #define EM_68K 4 /* Motorola m68k family */ #define EM_88K 5 /* Motorola m88k family */ #define EM_860 7 /* Intel 80860 */ #define EM_MIPS 8 /* MIPS R3000 big-endian */ #define EM_S370 9 /* IBM System/370 */ #define EM_MIPS_RS3_LE 10 /* MIPS R3000 little-endian */ #define EM_PARISC 15 /* HPPA */ #define EM_VPP500 17 /* Fujitsu VPP500 */ #define EM_SPARC32PLUS 18 /* Sun's "v8plus" */ #define EM_960 19 /* Intel 80960 */ #define EM_PPC 20 /* PowerPC */ #define EM_PPC64 21 /* PowerPC 64-bit */ #define EM_S390 22 /* IBM S390 */ #define EM_V800 36 /* NEC V800 series */ #define EM_FR20 37 /* Fujitsu FR20 */ #define EM_RH32 38 /* TRW RH-32 */ #define EM_RCE 39 /* Motorola RCE */ #define EM_ARM 40 /* ARM */ #define EM_FAKE_ALPHA 41 /* Digital Alpha */ #define EM_SH 42 /* Hitachi SH */ #define EM_SPARCV9 43 /* SPARC v9 64-bit */ #define EM_TRICORE 44 /* Siemens Tricore */ #define EM_ARC 45 /* Argonaut RISC Core */ #define EM_H8_300 46 /* Hitachi H8/300 */ #define EM_H8_300H 47 /* Hitachi H8/300H */ #define EM_H8S 48 /* Hitachi H8S */ #define EM_H8_500 49 /* Hitachi H8/500 */ #define EM_IA_64 50 /* Intel Merced */ #define EM_MIPS_X 51 /* Stanford MIPS-X */ #define EM_COLDFIRE 52 /* Motorola Coldfire */ #define EM_68HC12 53 /* Motorola M68HC12 */ #define EM_MMA 54 /* Fujitsu MMA Multimedia Accelerator*/ #define EM_PCP 55 /* 
Siemens PCP */ #define EM_NCPU 56 /* Sony nCPU embeeded RISC */ #define EM_NDR1 57 /* Denso NDR1 microprocessor */ #define EM_STARCORE 58 /* Motorola Start*Core processor */ #define EM_ME16 59 /* Toyota ME16 processor */ #define EM_ST100 60 /* STMicroelectronic ST100 processor */ #define EM_TINYJ 61 /* Advanced Logic Corp. Tinyj emb.fam*/ #define EM_X86_64 62 /* AMD x86-64 architecture */ #define EM_PDSP 63 /* Sony DSP Processor */ #define EM_FX66 66 /* Siemens FX66 microcontroller */ #define EM_ST9PLUS 67 /* STMicroelectronics ST9+ 8/16 mc */ #define EM_ST7 68 /* STmicroelectronics ST7 8 bit mc */ #define EM_68HC16 69 /* Motorola MC68HC16 microcontroller */ #define EM_68HC11 70 /* Motorola MC68HC11 microcontroller */ #define EM_68HC08 71 /* Motorola MC68HC08 microcontroller */ #define EM_68HC05 72 /* Motorola MC68HC05 microcontroller */ #define EM_SVX 73 /* Silicon Graphics SVx */ #define EM_ST19 74 /* STMicroelectronics ST19 8 bit mc */ #define EM_VAX 75 /* Digital VAX */ #define EM_CRIS 76 /* Axis Communications 32-bit embedded processor */ #define EM_JAVELIN 77 /* Infineon Technologies 32-bit embedded processor */ #define EM_FIREPATH 78 /* Element 14 64-bit DSP Processor */ #define EM_ZSP 79 /* LSI Logic 16-bit DSP Processor */ #define EM_MMIX 80 /* Donald Knuth's educational 64-bit processor */ #define EM_HUANY 81 /* Harvard University machine-independent object files */ #define EM_PRISM 82 /* SiTera Prism */ #define EM_AVR 83 /* Atmel AVR 8-bit microcontroller */ #define EM_FR30 84 /* Fujitsu FR30 */ #define EM_D10V 85 /* Mitsubishi D10V */ #define EM_D30V 86 /* Mitsubishi D30V */ #define EM_V850 87 /* NEC v850 */ #define EM_M32R 88 /* Mitsubishi M32R */ #define EM_MN10300 89 /* Matsushita MN10300 */ #define EM_MN10200 90 /* Matsushita MN10200 */ #define EM_PJ 91 /* picoJava */ #define EM_OPENRISC 92 /* OpenRISC 32-bit embedded processor */ #define EM_ARC_A5 93 /* ARC Cores Tangent-A5 */ #define EM_XTENSA 94 /* Tensilica Xtensa Architecture */ #define EM_NUM 
95 /* If it is necessary to assign new unofficial EM_* values, please pick large random numbers (0x8523, 0xa7f2, etc.) to minimize the chances of collision with official or non-GNU unofficial values. */ #define EM_ALPHA 0x9026 /* Legal values for e_version (version). */ #define EV_NONE 0 /* Invalid ELF version */ #define EV_CURRENT 1 /* Current version */ #define EV_NUM 2 /* Section header. */ typedef struct { Elf32_Word sh_name; /* Section name (string tbl index) */ Elf32_Word sh_type; /* Section type */ Elf32_Word sh_flags; /* Section flags */ Elf32_Addr sh_addr; /* Section virtual addr at execution */ Elf32_Off sh_offset; /* Section file offset */ Elf32_Word sh_size; /* Section size in bytes */ Elf32_Word sh_link; /* Link to another section */ Elf32_Word sh_info; /* Additional section information */ Elf32_Word sh_addralign; /* Section alignment */ Elf32_Word sh_entsize; /* Entry size if section holds table */ } Elf32_Shdr; typedef struct { Elf64_Word sh_name; /* Section name (string tbl index) */ Elf64_Word sh_type; /* Section type */ Elf64_Xword sh_flags; /* Section flags */ Elf64_Addr sh_addr; /* Section virtual addr at execution */ Elf64_Off sh_offset; /* Section file offset */ Elf64_Xword sh_size; /* Section size in bytes */ Elf64_Word sh_link; /* Link to another section */ Elf64_Word sh_info; /* Additional section information */ Elf64_Xword sh_addralign; /* Section alignment */ Elf64_Xword sh_entsize; /* Entry size if section holds table */ } Elf64_Shdr; /* Special section indices. */ #define SHN_UNDEF 0 /* Undefined section */ #define SHN_LORESERVE 0xff00 /* Start of reserved indices */ #define SHN_LOPROC 0xff00 /* Start of processor-specific */ #define SHN_BEFORE 0xff00 /* Order section before all others (Solaris). */ #define SHN_AFTER 0xff01 /* Order section after all others (Solaris). 
*/ #define SHN_HIPROC 0xff1f /* End of processor-specific */ #define SHN_LOOS 0xff20 /* Start of OS-specific */ #define SHN_HIOS 0xff3f /* End of OS-specific */ #define SHN_ABS 0xfff1 /* Associated symbol is absolute */ #define SHN_COMMON 0xfff2 /* Associated symbol is common */ #define SHN_XINDEX 0xffff /* Index is in extra table. */ #define SHN_HIRESERVE 0xffff /* End of reserved indices */ /* Legal values for sh_type (section type). */ #define SHT_NULL 0 /* Section header table entry unused */ #define SHT_PROGBITS 1 /* Program data */ #define SHT_SYMTAB 2 /* Symbol table */ #define SHT_STRTAB 3 /* String table */ #define SHT_RELA 4 /* Relocation entries with addends */ #define SHT_HASH 5 /* Symbol hash table */ #define SHT_DYNAMIC 6 /* Dynamic linking information */ #define SHT_NOTE 7 /* Notes */ #define SHT_NOBITS 8 /* Program space with no data (bss) */ #define SHT_REL 9 /* Relocation entries, no addends */ #define SHT_SHLIB 10 /* Reserved */ #define SHT_DYNSYM 11 /* Dynamic linker symbol table */ #define SHT_INIT_ARRAY 14 /* Array of constructors */ #define SHT_FINI_ARRAY 15 /* Array of destructors */ #define SHT_PREINIT_ARRAY 16 /* Array of pre-constructors */ #define SHT_GROUP 17 /* Section group */ #define SHT_SYMTAB_SHNDX 18 /* Extended section indeces */ #define SHT_NUM 19 /* Number of defined types. */ #define SHT_LOOS 0x60000000 /* Start OS-specific. */ #define SHT_GNU_ATTRIBUTES 0x6ffffff5 /* Object attributes. */ #define SHT_GNU_HASH 0x6ffffff6 /* GNU-style hash table. */ #define SHT_GNU_LIBLIST 0x6ffffff7 /* Prelink library list */ #define SHT_CHECKSUM 0x6ffffff8 /* Checksum for DSO content. */ #define SHT_LOSUNW 0x6ffffffa /* Sun-specific low bound. */ #define SHT_SUNW_move 0x6ffffffa #define SHT_SUNW_COMDAT 0x6ffffffb #define SHT_SUNW_syminfo 0x6ffffffc #define SHT_GNU_verdef 0x6ffffffd /* Version definition section. */ #define SHT_GNU_verneed 0x6ffffffe /* Version needs section. */ #define SHT_GNU_versym 0x6fffffff /* Version symbol table. 
*/ #define SHT_HISUNW 0x6fffffff /* Sun-specific high bound. */ #define SHT_HIOS 0x6fffffff /* End OS-specific type */ #define SHT_LOPROC 0x70000000 /* Start of processor-specific */ #define SHT_HIPROC 0x7fffffff /* End of processor-specific */ #define SHT_LOUSER 0x80000000 /* Start of application-specific */ #define SHT_HIUSER 0x8fffffff /* End of application-specific */ /* Legal values for sh_flags (section flags). */ #define SHF_WRITE (1 << 0) /* Writable */ #define SHF_ALLOC (1 << 1) /* Occupies memory during execution */ #define SHF_EXECINSTR (1 << 2) /* Executable */ #define SHF_MERGE (1 << 4) /* Might be merged */ #define SHF_STRINGS (1 << 5) /* Contains nul-terminated strings */ #define SHF_INFO_LINK (1 << 6) /* `sh_info' contains SHT index */ #define SHF_LINK_ORDER (1 << 7) /* Preserve order after combining */ #define SHF_OS_NONCONFORMING (1 << 8) /* Non-standard OS specific handling required */ #define SHF_GROUP (1 << 9) /* Section is member of a group. */ #define SHF_TLS (1 << 10) /* Section hold thread-local data. */ #define SHF_MASKOS 0x0ff00000 /* OS-specific. */ #define SHF_MASKPROC 0xf0000000 /* Processor-specific */ #define SHF_ORDERED (1 << 30) /* Special ordering requirement (Solaris). */ #define SHF_EXCLUDE (1 << 31) /* Section is excluded unless referenced or allocated (Solaris).*/ /* Section group handling. */ #define GRP_COMDAT 0x1 /* Mark group as COMDAT. */ /* Symbol table entry. 
*/

/* 32-bit symbol table entry.
   NOTE(review): st_name is an index into a string table and st_shndx an
   index into the section header table, both taken from the file.  A
   consumer should check st_name against the size of the string table and
   make sure the name is NUL-terminated inside that table before treating
   it as a C string.  */
typedef struct
{
  Elf32_Word st_name; /* Symbol name (string tbl index) */
  Elf32_Addr st_value; /* Symbol value */
  Elf32_Word st_size; /* Symbol size */
  unsigned char st_info; /* Symbol type and binding */
  unsigned char st_other; /* Symbol visibility */
  Elf32_Section st_shndx; /* Section index */
} Elf32_Sym;

/* 64-bit symbol table entry.  It holds the same fields as Elf32_Sym but
   in a different order: st_info, st_other and st_shndx come directly
   after st_name, before st_value and st_size.  Code that handles both
   classes cannot reuse one layout for the two.  */
typedef struct
{
  Elf64_Word st_name; /* Symbol name (string tbl index) */
  unsigned char st_info; /* Symbol type and binding */
  unsigned char st_other; /* Symbol visibility */
  Elf64_Section st_shndx; /* Section index */
  Elf64_Addr st_value; /* Symbol value */
  Elf64_Xword st_size; /* Symbol size */
} Elf64_Sym;

/* The syminfo section if available contains additional information about every dynamic symbol. */
typedef struct
{
  Elf32_Half si_boundto; /* Direct bindings, symbol bound to */
  Elf32_Half si_flags; /* Per symbol flags */
} Elf32_Syminfo;

typedef struct
{
  Elf64_Half si_boundto; /* Direct bindings, symbol bound to */
  Elf64_Half si_flags; /* Per symbol flags */
} Elf64_Syminfo;

/* Possible values for si_boundto. */
#define SYMINFO_BT_SELF 0xffff /* Symbol bound to self */
#define SYMINFO_BT_PARENT 0xfffe /* Symbol bound to parent */
#define SYMINFO_BT_LOWRESERVE 0xff00 /* Beginning of reserved entries */

/* Possible bitmasks for si_flags. */
#define SYMINFO_FLG_DIRECT 0x0001 /* Direct bound symbol */
#define SYMINFO_FLG_PASSTHRU 0x0002 /* Pass-thru symbol for translator */
#define SYMINFO_FLG_COPY 0x0004 /* Symbol is a copy-reloc */
#define SYMINFO_FLG_LAZYLOAD 0x0008 /* Symbol bound to object to be lazy loaded */

/* Syminfo version values. */
#define SYMINFO_NONE 0
#define SYMINFO_CURRENT 1
#define SYMINFO_NUM 2

/* How to extract and insert information held in the st_info field. */
/* The binding is the upper four bits of st_info and the type the lower
   four; ELF32_ST_INFO packs the two back into one byte.  */
#define ELF32_ST_BIND(val) (((unsigned char) (val)) >> 4)
#define ELF32_ST_TYPE(val) ((val) & 0xf)
#define ELF32_ST_INFO(bind, type) (((bind) << 4) + ((type) & 0xf))

/* Both Elf32_Sym and Elf64_Sym use the same one-byte st_info field.
*/ #define ELF64_ST_BIND(val) ELF32_ST_BIND (val) #define ELF64_ST_TYPE(val) ELF32_ST_TYPE (val) #define ELF64_ST_INFO(bind, type) ELF32_ST_INFO ((bind), (type)) /* Legal values for ST_BIND subfield of st_info (symbol binding). */ #define STB_LOCAL 0 /* Local symbol */ #define STB_GLOBAL 1 /* Global symbol */ #define STB_WEAK 2 /* Weak symbol */ #define STB_NUM 3 /* Number of defined types. */ #define STB_LOOS 10 /* Start of OS-specific */ #define STB_GNU_UNIQUE 10 /* Unique symbol. */ #define STB_HIOS 12 /* End of OS-specific */ #define STB_LOPROC 13 /* Start of processor-specific */ #define STB_HIPROC 15 /* End of processor-specific */ /* Legal values for ST_TYPE subfield of st_info (symbol type). */ #define STT_NOTYPE 0 /* Symbol type is unspecified */ #define STT_OBJECT 1 /* Symbol is a data object */ #define STT_FUNC 2 /* Symbol is a code object */ #define STT_SECTION 3 /* Symbol associated with a section */ #define STT_FILE 4 /* Symbol's name is file name */ #define STT_COMMON 5 /* Symbol is a common data object */ #define STT_TLS 6 /* Symbol is thread-local data object*/ #define STT_NUM 7 /* Number of defined types. */ #define STT_LOOS 10 /* Start of OS-specific */ #define STT_GNU_IFUNC 10 /* Symbol is indirect code object */ #define STT_HIOS 12 /* End of OS-specific */ #define STT_LOPROC 13 /* Start of processor-specific */ #define STT_HIPROC 15 /* End of processor-specific */ /* Symbol table indices are found in the hash buckets and chain table of a symbol hash table section. This special index value indicates the end of a chain, meaning no further symbols are found in that bucket. */ #define STN_UNDEF 0 /* End of a chain. */ /* How to extract and insert information held in the st_other field. */ #define ELF32_ST_VISIBILITY(o) ((o) & 0x03) /* For ELF64 the definitions are the same. */ #define ELF64_ST_VISIBILITY(o) ELF32_ST_VISIBILITY (o) /* Symbol visibility specification encoded in the st_other field. 
*/ #define STV_DEFAULT 0 /* Default symbol visibility rules */ #define STV_INTERNAL 1 /* Processor specific hidden class */ #define STV_HIDDEN 2 /* Sym unavailable in other modules */ #define STV_PROTECTED 3 /* Not preemptible, not exported */ /* Relocation table entry without addend (in section of type SHT_REL). */ typedef struct { Elf32_Addr r_offset; /* Address */ Elf32_Word r_info; /* Relocation type and symbol index */ } Elf32_Rel; /* I have seen two different definitions of the Elf64_Rel and Elf64_Rela structures, so we'll leave them out until Novell (or whoever) gets their act together. */ /* The following, at least, is used on Sparc v9, MIPS, and Alpha. */ typedef struct { Elf64_Addr r_offset; /* Address */ Elf64_Xword r_info; /* Relocation type and symbol index */ } Elf64_Rel; /* Relocation table entry with addend (in section of type SHT_RELA). */ typedef struct { Elf32_Addr r_offset; /* Address */ Elf32_Word r_info; /* Relocation type and symbol index */ Elf32_Sword r_addend; /* Addend */ } Elf32_Rela; typedef struct { Elf64_Addr r_offset; /* Address */ Elf64_Xword r_info; /* Relocation type and symbol index */ Elf64_Sxword r_addend; /* Addend */ } Elf64_Rela; /* How to extract and insert information held in the r_info field. */ #define ELF32_R_SYM(val) ((val) >> 8) #define ELF32_R_TYPE(val) ((val) & 0xff) #define ELF32_R_INFO(sym, type) (((sym) << 8) + ((type) & 0xff)) #define ELF64_R_SYM(i) ((i) >> 32) #define ELF64_R_TYPE(i) ((i) & 0xffffffff) #define ELF64_R_INFO(sym,type) ((((Elf64_Xword) (sym)) << 32) + (type)) /* Program segment header. 
*/

/* 32-bit program header: one entry of the program header table, which
   describes a segment's place in the file and in memory.
   NOTE(review): p_offset, p_filesz and p_memsz are file-supplied and are
   independent fields, so the size in the file and the size in memory can
   differ.  A reader that copies segment data should confirm that
   p_offset + p_filesz lies inside the file and should size its
   destination from the value it actually copies, not assume the two
   sizes agree.  */
typedef struct
{
  Elf32_Word p_type; /* Segment type */
  Elf32_Off p_offset; /* Segment file offset */
  Elf32_Addr p_vaddr; /* Segment virtual address */
  Elf32_Addr p_paddr; /* Segment physical address */
  Elf32_Word p_filesz; /* Segment size in file */
  Elf32_Word p_memsz; /* Segment size in memory */
  Elf32_Word p_flags; /* Segment flags */
  Elf32_Word p_align; /* Segment alignment */
} Elf32_Phdr;

/* 64-bit program header.  Note the different field order: p_flags
   follows p_type directly instead of sitting near the end as in
   Elf32_Phdr.
   NOTE(review): the offset and size fields are 64 bits wide here, so a
   bounds check on p_offset + p_filesz must itself be written so that the
   addition cannot wrap around.  */
typedef struct
{
  Elf64_Word p_type; /* Segment type */
  Elf64_Word p_flags; /* Segment flags */
  Elf64_Off p_offset; /* Segment file offset */
  Elf64_Addr p_vaddr; /* Segment virtual address */
  Elf64_Addr p_paddr; /* Segment physical address */
  Elf64_Xword p_filesz; /* Segment size in file */
  Elf64_Xword p_memsz; /* Segment size in memory */
  Elf64_Xword p_align; /* Segment alignment */
} Elf64_Phdr;

/* Special value for e_phnum. This indicates that the real number of program headers is too large to fit into e_phnum. Instead the real value is in the field sh_info of section 0. */
/* NOTE(review): a reader that uses e_phnum directly as the entry count
   has to special-case this value, otherwise it walks the wrong number of
   program headers.  */
#define PN_XNUM 0xffff

/* Legal values for p_type (segment type).
*/ #define PT_NULL 0 /* Program header table entry unused */ #define PT_LOAD 1 /* Loadable program segment */ #define PT_DYNAMIC 2 /* Dynamic linking information */ #define PT_INTERP 3 /* Program interpreter */ #define PT_NOTE 4 /* Auxiliary information */ #define PT_SHLIB 5 /* Reserved */ #define PT_PHDR 6 /* Entry for header table itself */ #define PT_TLS 7 /* Thread-local storage segment */ #define PT_NUM 8 /* Number of defined types */ #define PT_LOOS 0x60000000 /* Start of OS-specific */ #define PT_GNU_EH_FRAME 0x6474e550 /* GCC .eh_frame_hdr segment */ #define PT_GNU_STACK 0x6474e551 /* Indicates stack executability */ #define PT_GNU_RELRO 0x6474e552 /* Read-only after relocation */ #define PT_LOSUNW 0x6ffffffa #define PT_SUNWBSS 0x6ffffffa /* Sun Specific segment */ #define PT_SUNWSTACK 0x6ffffffb /* Stack segment */ #define PT_HISUNW 0x6fffffff #define PT_HIOS 0x6fffffff /* End of OS-specific */ #define PT_LOPROC 0x70000000 /* Start of processor-specific */ #define PT_HIPROC 0x7fffffff /* End of processor-specific */ /* Legal values for p_flags (segment flags). */ #define PF_X (1 << 0) /* Segment is executable */ #define PF_W (1 << 1) /* Segment is writable */ #define PF_R (1 << 2) /* Segment is readable */ #define PF_MASKOS 0x0ff00000 /* OS-specific */ #define PF_MASKPROC 0xf0000000 /* Processor-specific */ /* Legal values for note segment descriptor types for core files. 
*/ #define NT_PRSTATUS 1 /* Contains copy of prstatus struct */ #define NT_FPREGSET 2 /* Contains copy of fpregset struct */ #define NT_PRPSINFO 3 /* Contains copy of prpsinfo struct */ #define NT_PRXREG 4 /* Contains copy of prxregset struct */ #define NT_TASKSTRUCT 4 /* Contains copy of task structure */ #define NT_PLATFORM 5 /* String from sysinfo(SI_PLATFORM) */ #define NT_AUXV 6 /* Contains copy of auxv array */ #define NT_GWINDOWS 7 /* Contains copy of gwindows struct */ #define NT_ASRS 8 /* Contains copy of asrset struct */ #define NT_PSTATUS 10 /* Contains copy of pstatus struct */ #define NT_PSINFO 13 /* Contains copy of psinfo struct */ #define NT_PRCRED 14 /* Contains copy of prcred struct */ #define NT_UTSNAME 15 /* Contains copy of utsname struct */ #define NT_LWPSTATUS 16 /* Contains copy of lwpstatus struct */ #define NT_LWPSINFO 17 /* Contains copy of lwpinfo struct */ #define NT_PRFPXREG 20 /* Contains copy of fprxregset struct */ #define NT_PRXFPREG 0x46e62b7f /* Contains copy of user_fxsr_struct */ #define NT_PPC_VMX 0x100 /* PowerPC Altivec/VMX registers */ #define NT_PPC_SPE 0x101 /* PowerPC SPE/EVR registers */ #define NT_PPC_VSX 0x102 /* PowerPC VSX registers */ #define NT_386_TLS 0x200 /* i386 TLS slots (struct user_desc) */ #define NT_386_IOPERM 0x201 /* x86 io permission bitmap (1=deny) */ #define NT_X86_XSTATE 0x202 /* x86 extended state using xsave */ /* Legal values for the note segment descriptor types for object files. */ #define NT_VERSION 1 /* Contains a version string. */ /* Dynamic section entry. */ typedef struct { Elf32_Sword d_tag; /* Dynamic entry type */ union { Elf32_Word d_val; /* Integer value */ Elf32_Addr d_ptr; /* Address value */ } d_un; } Elf32_Dyn; typedef struct { Elf64_Sxword d_tag; /* Dynamic entry type */ union { Elf64_Xword d_val; /* Integer value */ Elf64_Addr d_ptr; /* Address value */ } d_un; } Elf64_Dyn; /* Legal values for d_tag (dynamic entry type). 
*/ #define DT_NULL 0 /* Marks end of dynamic section */ #define DT_NEEDED 1 /* Name of needed library */ #define DT_PLTRELSZ 2 /* Size in bytes of PLT relocs */ #define DT_PLTGOT 3 /* Processor defined value */ #define DT_HASH 4 /* Address of symbol hash table */ #define DT_STRTAB 5 /* Address of string table */ #define DT_SYMTAB 6 /* Address of symbol table */ #define DT_RELA 7 /* Address of Rela relocs */ #define DT_RELASZ 8 /* Total size of Rela relocs */ #define DT_RELAENT 9 /* Size of one Rela reloc */ #define DT_STRSZ 10 /* Size of string table */ #define DT_SYMENT 11 /* Size of one symbol table entry */ #define DT_INIT 12 /* Address of init function */ #define DT_FINI 13 /* Address of termination function */ #define DT_SONAME 14 /* Name of shared object */ #define DT_RPATH 15 /* Library search path (deprecated) */ #define DT_SYMBOLIC 16 /* Start symbol search here */ #define DT_REL 17 /* Address of Rel relocs */ #define DT_RELSZ 18 /* Total size of Rel relocs */ #define DT_RELENT 19 /* Size of one Rel reloc */ #define DT_PLTREL 20 /* Type of reloc in PLT */ #define DT_DEBUG 21 /* For debugging; unspecified */ #define DT_TEXTREL 22 /* Reloc might modify .text */ #define DT_JMPREL 23 /* Address of PLT relocs */ #define DT_BIND_NOW 24 /* Process relocations of object */ #define DT_INIT_ARRAY 25 /* Array with addresses of init fct */ #define DT_FINI_ARRAY 26 /* Array with addresses of fini fct */ #define DT_INIT_ARRAYSZ 27 /* Size in bytes of DT_INIT_ARRAY */ #define DT_FINI_ARRAYSZ 28 /* Size in bytes of DT_FINI_ARRAY */ #define DT_RUNPATH 29 /* Library search path */ #define DT_FLAGS 30 /* Flags for the object being loaded */ #define DT_ENCODING 32 /* Start of encoded range */ #define DT_PREINIT_ARRAY 32 /* Array with addresses of preinit fct*/ #define DT_PREINIT_ARRAYSZ 33 /* size in bytes of DT_PREINIT_ARRAY */ #define DT_NUM 34 /* Number used */ #define DT_LOOS 0x6000000d /* Start of OS-specific */ #define DT_HIOS 0x6ffff000 /* End of OS-specific */ #define 
DT_LOPROC 0x70000000 /* Start of processor-specific */
#define DT_HIPROC 0x7fffffff /* End of processor-specific */
#define DT_PROCNUM DT_MIPS_NUM /* Most used by any processor */

/* DT_* entries which fall between DT_VALRNGHI & DT_VALRNGLO use the
   Dyn.d_un.d_val field of the Elf*_Dyn structure.  This follows Sun's
   approach.  */
#define DT_VALRNGLO 0x6ffffd00
#define DT_GNU_PRELINKED 0x6ffffdf5 /* Prelinking timestamp */
#define DT_GNU_CONFLICTSZ 0x6ffffdf6 /* Size of conflict section */
#define DT_GNU_LIBLISTSZ 0x6ffffdf7 /* Size of library list */
#define DT_CHECKSUM 0x6ffffdf8
#define DT_PLTPADSZ 0x6ffffdf9
#define DT_MOVEENT 0x6ffffdfa
#define DT_MOVESZ 0x6ffffdfb
#define DT_FEATURE_1 0x6ffffdfc /* Feature selection (DTF_*). */
#define DT_POSFLAG_1 0x6ffffdfd /* Flags for DT_* entries, affecting
                                   the following DT_* entry. */
#define DT_SYMINSZ 0x6ffffdfe /* Size of syminfo table (in bytes) */
#define DT_SYMINENT 0x6ffffdff /* Entry size of syminfo */
#define DT_VALRNGHI 0x6ffffdff
#define DT_VALTAGIDX(tag) (DT_VALRNGHI - (tag)) /* Reverse order! */
#define DT_VALNUM 12
/* NOTE(review): DT_VALTAGIDX, DT_ADDRTAGIDX and DT_VERSIONTAGIDX only
   subtract; none of them checks that `tag' lies inside its range.  A
   consumer that reads d_tag from an untrusted dynamic section should
   range-check the tag before using the result as an array index.
   DT_VALNUM, DT_ADDRNUM and DT_VERSIONTAGNUM look like the intended array
   bounds -- confirm against the caller.  */

/* DT_* entries which fall between DT_ADDRRNGHI & DT_ADDRRNGLO use the
   Dyn.d_un.d_ptr field of the Elf*_Dyn structure.

   If any adjustment is made to the ELF object after it has been
   built these entries will need to be adjusted.  */
#define DT_ADDRRNGLO 0x6ffffe00
#define DT_GNU_HASH 0x6ffffef5 /* GNU-style hash table. */
#define DT_TLSDESC_PLT 0x6ffffef6
#define DT_TLSDESC_GOT 0x6ffffef7
#define DT_GNU_CONFLICT 0x6ffffef8 /* Start of conflict section */
#define DT_GNU_LIBLIST 0x6ffffef9 /* Library list */
#define DT_CONFIG 0x6ffffefa /* Configuration information. */
#define DT_DEPAUDIT 0x6ffffefb /* Dependency auditing. */
#define DT_AUDIT 0x6ffffefc /* Object auditing. */
#define DT_PLTPAD 0x6ffffefd /* PLT padding. */
#define DT_MOVETAB 0x6ffffefe /* Move table. */
#define DT_SYMINFO 0x6ffffeff /* Syminfo table. */
#define DT_ADDRRNGHI 0x6ffffeff
#define DT_ADDRTAGIDX(tag) (DT_ADDRRNGHI - (tag)) /* Reverse order! */
#define DT_ADDRNUM 11

/* The versioning entry types.  The next are defined as part of the
   GNU extension.  */
#define DT_VERSYM 0x6ffffff0

#define DT_RELACOUNT 0x6ffffff9
#define DT_RELCOUNT 0x6ffffffa

/* These were chosen by Sun. */
#define DT_FLAGS_1 0x6ffffffb /* State flags, see DF_1_* below. */
#define DT_VERDEF 0x6ffffffc /* Address of version definition table */
#define DT_VERDEFNUM 0x6ffffffd /* Number of version definitions */
#define DT_VERNEED 0x6ffffffe /* Address of table with needed versions */
#define DT_VERNEEDNUM 0x6fffffff /* Number of needed versions */
#define DT_VERSIONTAGIDX(tag) (DT_VERNEEDNUM - (tag)) /* Reverse order! */
#define DT_VERSIONTAGNUM 16

/* Sun added these machine-independent extensions in the "processor-specific"
   range.  Be compatible.  */
#define DT_AUXILIARY 0x7ffffffd /* Shared object to load before self */
#define DT_FILTER 0x7fffffff /* Shared object to get values from */
/* NOTE(review): DT_EXTRATAGIDX left-shifts a value that has been cast to
   Elf32_Sword.  If Elf32_Sword is a signed 32-bit type (its typedef is
   outside this excerpt), shifting a set bit into the sign bit is undefined
   in ISO C; the macro presumably relies on the compiler's two's-complement
   behaviour.  Like the other *TAGIDX macros it performs no range check.  */
#define DT_EXTRATAGIDX(tag) ((Elf32_Word)-((Elf32_Sword) (tag) <<1>>1)-1)
#define DT_EXTRANUM 3

/* Values of `d_un.d_val' in the DT_FLAGS entry. */
#define DF_ORIGIN 0x00000001 /* Object may use DF_ORIGIN */
#define DF_SYMBOLIC 0x00000002 /* Symbol resolution starts here */
#define DF_TEXTREL 0x00000004 /* Object contains text relocations */
#define DF_BIND_NOW 0x00000008 /* No lazy binding for this object */
#define DF_STATIC_TLS 0x00000010 /* Module uses the static TLS model */

/* State flags selectable in the `d_un.d_val' element of the DT_FLAGS_1
   entry in the dynamic section.  */
#define DF_1_NOW 0x00000001 /* Set RTLD_NOW for this object. */
#define DF_1_GLOBAL 0x00000002 /* Set RTLD_GLOBAL for this object. */
#define DF_1_GROUP 0x00000004 /* Set RTLD_GROUP for this object. */
#define DF_1_NODELETE 0x00000008 /* Set RTLD_NODELETE for this object. */
#define DF_1_LOADFLTR 0x00000010 /* Trigger filtee loading at runtime. */
#define DF_1_INITFIRST 0x00000020 /* Set RTLD_INITFIRST for this object. */
#define DF_1_NOOPEN 0x00000040 /* Set RTLD_NOOPEN for this object. */
#define DF_1_ORIGIN 0x00000080 /* $ORIGIN must be handled. */
#define DF_1_DIRECT 0x00000100 /* Direct binding enabled. */
#define DF_1_TRANS 0x00000200
#define DF_1_INTERPOSE 0x00000400 /* Object is used to interpose. */
#define DF_1_NODEFLIB 0x00000800 /* Ignore default lib search path. */
#define DF_1_NODUMP 0x00001000 /* Object can't be dldump'ed. */
#define DF_1_CONFALT 0x00002000 /* Configuration alternative created. */
#define DF_1_ENDFILTEE 0x00004000 /* Filtee terminates filters search. */
#define DF_1_DISPRELDNE 0x00008000 /* Disp reloc applied at build time. */
#define DF_1_DISPRELPND 0x00010000 /* Disp reloc applied at run-time. */

/* Flags for the feature selection in DT_FEATURE_1. */
#define DTF_1_PARINIT 0x00000001
#define DTF_1_CONFEXP 0x00000002

/* Flags in the DT_POSFLAG_1 entry affecting only the next DT_* entry. */
#define DF_P1_LAZYLOAD 0x00000001 /* Lazyload following object. */
#define DF_P1_GROUPPERM 0x00000002 /* Symbols from next object are not
                                      generally available. */

/* Version definition sections. 
*/

/* NOTE(review): vd_aux/vd_next, vda_next, vn_aux/vn_next and vna_next in
   the structures below are byte offsets stored in the file itself.  A
   parser that walks these chains over untrusted input should check every
   offset against the size of the containing section and bound the number
   of iterations, so a malformed chain can neither read out of bounds nor
   loop.  */

typedef struct
{
  Elf32_Half vd_version; /* Version revision */
  Elf32_Half vd_flags; /* Version information */
  Elf32_Half vd_ndx; /* Version Index */
  Elf32_Half vd_cnt; /* Number of associated aux entries */
  Elf32_Word vd_hash; /* Version name hash value */
  Elf32_Word vd_aux; /* Offset in bytes to verdaux array */
  Elf32_Word vd_next; /* Offset in bytes to next verdef entry */
} Elf32_Verdef;

typedef struct
{
  Elf64_Half vd_version; /* Version revision */
  Elf64_Half vd_flags; /* Version information */
  Elf64_Half vd_ndx; /* Version Index */
  Elf64_Half vd_cnt; /* Number of associated aux entries */
  Elf64_Word vd_hash; /* Version name hash value */
  Elf64_Word vd_aux; /* Offset in bytes to verdaux array */
  Elf64_Word vd_next; /* Offset in bytes to next verdef entry */
} Elf64_Verdef;

/* Legal values for vd_version (version revision). */
#define VER_DEF_NONE 0 /* No version */
#define VER_DEF_CURRENT 1 /* Current version */
#define VER_DEF_NUM 2 /* Given version number */

/* Legal values for vd_flags (version information flags). */
#define VER_FLG_BASE 0x1 /* Version definition of file itself */
#define VER_FLG_WEAK 0x2 /* Weak version identifier */

/* Versym symbol index values. */
#define VER_NDX_LOCAL 0 /* Symbol is local. */
#define VER_NDX_GLOBAL 1 /* Symbol is global. */
#define VER_NDX_LORESERVE 0xff00 /* Beginning of reserved entries. */
#define VER_NDX_ELIMINATE 0xff01 /* Symbol is to be eliminated. */

/* Auxiliary version information. */

typedef struct
{
  Elf32_Word vda_name; /* Version or dependency names */
  Elf32_Word vda_next; /* Offset in bytes to next verdaux entry */
} Elf32_Verdaux;

typedef struct
{
  Elf64_Word vda_name; /* Version or dependency names */
  Elf64_Word vda_next; /* Offset in bytes to next verdaux entry */
} Elf64_Verdaux;

/* Version dependency section. */

typedef struct
{
  Elf32_Half vn_version; /* Version of structure */
  Elf32_Half vn_cnt; /* Number of associated aux entries */
  Elf32_Word vn_file; /* Offset of filename for this dependency */
  Elf32_Word vn_aux; /* Offset in bytes to vernaux array */
  Elf32_Word vn_next; /* Offset in bytes to next verneed entry */
} Elf32_Verneed;

typedef struct
{
  Elf64_Half vn_version; /* Version of structure */
  Elf64_Half vn_cnt; /* Number of associated aux entries */
  Elf64_Word vn_file; /* Offset of filename for this dependency */
  Elf64_Word vn_aux; /* Offset in bytes to vernaux array */
  Elf64_Word vn_next; /* Offset in bytes to next verneed entry */
} Elf64_Verneed;

/* Legal values for vn_version (version revision). */
#define VER_NEED_NONE 0 /* No version */
#define VER_NEED_CURRENT 1 /* Current version */
#define VER_NEED_NUM 2 /* Given version number */

/* Auxiliary needed version information. */

typedef struct
{
  Elf32_Word vna_hash; /* Hash value of dependency name */
  Elf32_Half vna_flags; /* Dependency specific information */
  Elf32_Half vna_other; /* Unused */
  Elf32_Word vna_name; /* Dependency name string offset */
  Elf32_Word vna_next; /* Offset in bytes to next vernaux entry */
} Elf32_Vernaux;

typedef struct
{
  Elf64_Word vna_hash; /* Hash value of dependency name */
  Elf64_Half vna_flags; /* Dependency specific information */
  Elf64_Half vna_other; /* Unused */
  Elf64_Word vna_name; /* Dependency name string offset */
  Elf64_Word vna_next; /* Offset in bytes to next vernaux entry */
} Elf64_Vernaux;

/* Legal values for vna_flags.  This repeats the VER_FLG_WEAK definition
   given above for vd_flags, with the same value.  */
#define VER_FLG_WEAK 0x2 /* Weak version identifier */

/* Auxiliary vector. */

/* This vector is normally only used by the program interpreter. The usual definition in an ABI supplement uses the name auxv_t. The vector is not usually defined in a standard file, but it can't hurt. We rename it to avoid conflicts. The sizes of these types are an arrangement between the exec server and the program interpreter, so we don't fully specify them here. 
*/

typedef struct
{
  uint32_t a_type; /* Entry type */
  union
    {
      uint32_t a_val; /* Integer value */
      /* We used to have pointer elements added here.  We cannot do that,
         though, since it does not work when using 32-bit definitions
         on 64-bit platforms and vice versa.  */
    } a_un;
} Elf32_auxv_t;

typedef struct
{
  uint64_t a_type; /* Entry type */
  union
    {
      uint64_t a_val; /* Integer value */
      /* We used to have pointer elements added here.  We cannot do that,
         though, since it does not work when using 32-bit definitions
         on 64-bit platforms and vice versa.  */
    } a_un;
} Elf64_auxv_t;

/* Legal values for a_type (entry type). */

#define AT_NULL 0 /* End of vector */
#define AT_IGNORE 1 /* Entry should be ignored */
#define AT_EXECFD 2 /* File descriptor of program */
#define AT_PHDR 3 /* Program headers for program */
#define AT_PHENT 4 /* Size of program header entry */
#define AT_PHNUM 5 /* Number of program headers */
#define AT_PAGESZ 6 /* System page size */
#define AT_BASE 7 /* Base address of interpreter */
#define AT_FLAGS 8 /* Flags */
#define AT_ENTRY 9 /* Entry point of program */
#define AT_NOTELF 10 /* Program is not ELF */
#define AT_UID 11 /* Real uid */
#define AT_EUID 12 /* Effective uid */
#define AT_GID 13 /* Real gid */
#define AT_EGID 14 /* Effective gid */
#define AT_CLKTCK 17 /* Frequency of times() */

/* Some more special a_type values describing the hardware. */
#define AT_PLATFORM 15 /* String identifying platform. */
#define AT_HWCAP 16 /* Machine dependent hints about
                       processor capabilities. */

/* This entry gives some information about the FPU initialization
   performed by the kernel.  */
#define AT_FPUCW 18 /* Used FPU control word. */

/* Cache block sizes. */
#define AT_DCACHEBSIZE 19 /* Data cache block size. */
#define AT_ICACHEBSIZE 20 /* Instruction cache block size. */
#define AT_UCACHEBSIZE 21 /* Unified cache block size. */

/* A special ignored value for PPC, used by the kernel to control the
   interpretation of the AUXV.  Must be > 16.  */
#define AT_IGNOREPPC 22 /* Entry should be ignored. */

#define AT_SECURE 23 /* Boolean, was exec setuid-like? */

#define AT_BASE_PLATFORM 24 /* String identifying real platforms. */

#define AT_RANDOM 25 /* Address of 16 random bytes. */

#define AT_EXECFN 31 /* Filename of executable. */

/* Pointer to the global system page used for system calls and other
   nice things.  */
#define AT_SYSINFO 32
#define AT_SYSINFO_EHDR 33

/* Shapes of the caches.  Bits 0-3 contain associativity; bits 4-7 contain
   log2 of line size; mask those to get cache size.  */
#define AT_L1I_CACHESHAPE 34
#define AT_L1D_CACHESHAPE 35
#define AT_L2_CACHESHAPE 36
#define AT_L3_CACHESHAPE 37

/* Note section contents.  Each entry in the note section begins with
   a header of a fixed form.  */
/* NOTE(review): n_namesz and n_descsz are lengths taken from the file.  A
   note walker handling untrusted input should compare both against the
   bytes remaining in the note data before reading the name or the
   descriptor, and before advancing to the next entry.  */

typedef struct
{
  Elf32_Word n_namesz; /* Length of the note's name. */
  Elf32_Word n_descsz; /* Length of the note's descriptor. */
  Elf32_Word n_type; /* Type of the note. */
} Elf32_Nhdr;

typedef struct
{
  Elf64_Word n_namesz; /* Length of the note's name. */
  Elf64_Word n_descsz; /* Length of the note's descriptor. */
  Elf64_Word n_type; /* Type of the note. */
} Elf64_Nhdr;

/* Known names of notes. */

/* Solaris entries in the note section have this name. */
#define ELF_NOTE_SOLARIS "SUNW Solaris"

/* Note entries for GNU systems have this name. */
#define ELF_NOTE_GNU "GNU"

/* Defined types of notes for Solaris. */

/* Value of descriptor (one word) is desired pagesize for the binary. */
#define ELF_NOTE_PAGESIZE_HINT 1

/* Defined note types for GNU systems. */

/* ABI information.  The descriptor consists of words:
   word 0: OS descriptor
   word 1: major version of the ABI
   word 2: minor version of the ABI
   word 3: subminor version of the ABI
*/
#define NT_GNU_ABI_TAG 1
#define ELF_NOTE_ABI NT_GNU_ABI_TAG /* Old name. */

/* Known OSes. These values can appear in word 0 of an NT_GNU_ABI_TAG note section entry. 
*/
#define ELF_NOTE_OS_LINUX 0
#define ELF_NOTE_OS_GNU 1
#define ELF_NOTE_OS_SOLARIS2 2
#define ELF_NOTE_OS_FREEBSD 3

/* Synthetic hwcap information.  The descriptor begins with two words:
   word 0: number of entries
   word 1: bitmask of enabled entries
   Then follow variable-length entries, one byte followed by a
   '\0'-terminated hwcap name string.  The byte gives the bit
   number to test if enabled, (1U << bit) & bitmask.  */
/* NOTE(review): the bit number is a byte read from the note.  A consumer
   of untrusted notes should reject bit numbers that are not smaller than
   the width of the bitmask word before evaluating the shift, and should
   make sure each name string is terminated inside the descriptor.  */
#define NT_GNU_HWCAP 2

/* Build ID bits as generated by ld --build-id.
   The descriptor consists of any nonzero number of bytes.  */
#define NT_GNU_BUILD_ID 3

/* Version note generated by GNU gold containing a version string. */
#define NT_GNU_GOLD_VERSION 4

/* Move records. */
typedef struct
{
  Elf32_Xword m_value; /* Symbol value. */
  Elf32_Word m_info; /* Size and index. */
  Elf32_Word m_poffset; /* Symbol offset. */
  Elf32_Half m_repeat; /* Repeat count. */
  Elf32_Half m_stride; /* Stride info. */
} Elf32_Move;

typedef struct
{
  Elf64_Xword m_value; /* Symbol value. */
  Elf64_Xword m_info; /* Size and index. */
  Elf64_Xword m_poffset; /* Symbol offset. */
  Elf64_Half m_repeat; /* Repeat count. */
  Elf64_Half m_stride; /* Stride info. */
} Elf64_Move;

/* Macros to take apart and construct the m_info field of a move record:
   the low 8 bits hold the size, the remaining bits the symbol index.
   The ELF64 variants forward to the ELF32 ones.  */
#define ELF32_M_SYM(info) ((info) >> 8)
#define ELF32_M_SIZE(info) ((unsigned char) (info))
#define ELF32_M_INFO(sym, size) (((sym) << 8) + (unsigned char) (size))

#define ELF64_M_SYM(info) ELF32_M_SYM (info)
#define ELF64_M_SIZE(info) ELF32_M_SIZE (info)
#define ELF64_M_INFO(sym, size) ELF32_M_INFO (sym, size)

/* Motorola 68k specific definitions. */

/* Values for Elf32_Ehdr.e_flags. */
#define EF_CPU32 0x00810000

/* m68k relocs. 
*/

/* NOTE(review): each R_<arch>_NUM below is one more than the highest
   relocation number named for that architecture, and the numbering has
   gaps (23-24 for m68k; 12-13 and 38 for i386).  Code that indexes a table
   by a relocation type read from an untrusted object should reject values
   that are >= R_<arch>_NUM and should cope with the unnamed slots.  */

#define R_68K_NONE 0 /* No reloc */
#define R_68K_32 1 /* Direct 32 bit */
#define R_68K_16 2 /* Direct 16 bit */
#define R_68K_8 3 /* Direct 8 bit */
#define R_68K_PC32 4 /* PC relative 32 bit */
#define R_68K_PC16 5 /* PC relative 16 bit */
#define R_68K_PC8 6 /* PC relative 8 bit */
#define R_68K_GOT32 7 /* 32 bit PC relative GOT entry */
#define R_68K_GOT16 8 /* 16 bit PC relative GOT entry */
#define R_68K_GOT8 9 /* 8 bit PC relative GOT entry */
#define R_68K_GOT32O 10 /* 32 bit GOT offset */
#define R_68K_GOT16O 11 /* 16 bit GOT offset */
#define R_68K_GOT8O 12 /* 8 bit GOT offset */
#define R_68K_PLT32 13 /* 32 bit PC relative PLT address */
#define R_68K_PLT16 14 /* 16 bit PC relative PLT address */
#define R_68K_PLT8 15 /* 8 bit PC relative PLT address */
#define R_68K_PLT32O 16 /* 32 bit PLT offset */
#define R_68K_PLT16O 17 /* 16 bit PLT offset */
#define R_68K_PLT8O 18 /* 8 bit PLT offset */
#define R_68K_COPY 19 /* Copy symbol at runtime */
#define R_68K_GLOB_DAT 20 /* Create GOT entry */
#define R_68K_JMP_SLOT 21 /* Create PLT entry */
#define R_68K_RELATIVE 22 /* Adjust by program base */
#define R_68K_TLS_GD32 25 /* 32 bit GOT offset for GD */
#define R_68K_TLS_GD16 26 /* 16 bit GOT offset for GD */
#define R_68K_TLS_GD8 27 /* 8 bit GOT offset for GD */
#define R_68K_TLS_LDM32 28 /* 32 bit GOT offset for LDM */
#define R_68K_TLS_LDM16 29 /* 16 bit GOT offset for LDM */
#define R_68K_TLS_LDM8 30 /* 8 bit GOT offset for LDM */
#define R_68K_TLS_LDO32 31 /* 32 bit module-relative offset */
#define R_68K_TLS_LDO16 32 /* 16 bit module-relative offset */
#define R_68K_TLS_LDO8 33 /* 8 bit module-relative offset */
#define R_68K_TLS_IE32 34 /* 32 bit GOT offset for IE */
#define R_68K_TLS_IE16 35 /* 16 bit GOT offset for IE */
#define R_68K_TLS_IE8 36 /* 8 bit GOT offset for IE */
#define R_68K_TLS_LE32 37 /* 32 bit offset relative to
                             static TLS block */
#define R_68K_TLS_LE16 38 /* 16 bit offset relative to
                             static TLS block */
#define R_68K_TLS_LE8 39 /* 8 bit offset relative to
                            static TLS block */
#define R_68K_TLS_DTPMOD32 40 /* 32 bit module number */
#define R_68K_TLS_DTPREL32 41 /* 32 bit module-relative offset */
#define R_68K_TLS_TPREL32 42 /* 32 bit TP-relative offset */
/* Keep this the last entry. */
#define R_68K_NUM 43

/* Intel 80386 specific definitions. */

/* i386 relocs. */

#define R_386_NONE 0 /* No reloc */
#define R_386_32 1 /* Direct 32 bit */
#define R_386_PC32 2 /* PC relative 32 bit */
#define R_386_GOT32 3 /* 32 bit GOT entry */
#define R_386_PLT32 4 /* 32 bit PLT address */
#define R_386_COPY 5 /* Copy symbol at runtime */
#define R_386_GLOB_DAT 6 /* Create GOT entry */
#define R_386_JMP_SLOT 7 /* Create PLT entry */
#define R_386_RELATIVE 8 /* Adjust by program base */
#define R_386_GOTOFF 9 /* 32 bit offset to GOT */
#define R_386_GOTPC 10 /* 32 bit PC relative offset to GOT */
#define R_386_32PLT 11
#define R_386_TLS_TPOFF 14 /* Offset in static TLS block */
#define R_386_TLS_IE 15 /* Address of GOT entry for static TLS
                           block offset */
#define R_386_TLS_GOTIE 16 /* GOT entry for static TLS block
                              offset */
#define R_386_TLS_LE 17 /* Offset relative to static TLS
                           block */
#define R_386_TLS_GD 18 /* Direct 32 bit for GNU version of
                           general dynamic thread local data */
#define R_386_TLS_LDM 19 /* Direct 32 bit for GNU version of
                            local dynamic thread local data
                            in LE code */
#define R_386_16 20
#define R_386_PC16 21
#define R_386_8 22
#define R_386_PC8 23
#define R_386_TLS_GD_32 24 /* Direct 32 bit for general dynamic
                              thread local data */
#define R_386_TLS_GD_PUSH 25 /* Tag for pushl in GD TLS code */
#define R_386_TLS_GD_CALL 26 /* Relocation for call to
                                __tls_get_addr() */
#define R_386_TLS_GD_POP 27 /* Tag for popl in GD TLS code */
#define R_386_TLS_LDM_32 28 /* Direct 32 bit for local dynamic
                               thread local data in LE code */
#define R_386_TLS_LDM_PUSH 29 /* Tag for pushl in LDM TLS code */
#define R_386_TLS_LDM_CALL 30 /* Relocation for call to
                                 __tls_get_addr() in LDM code */
#define R_386_TLS_LDM_POP 31 /* Tag for popl in LDM TLS code */
#define R_386_TLS_LDO_32 32 /* Offset relative to TLS block */
#define R_386_TLS_IE_32 33 /* GOT entry for negated static TLS
                              block offset */
#define R_386_TLS_LE_32 34 /* Negated offset relative to static
                              TLS block */
#define R_386_TLS_DTPMOD32 35 /* ID of module containing symbol */
#define R_386_TLS_DTPOFF32 36 /* Offset in TLS block */
#define R_386_TLS_TPOFF32 37 /* Negated offset in static TLS block */
/* 38? */
#define R_386_TLS_GOTDESC 39 /* GOT offset for TLS descriptor. */
#define R_386_TLS_DESC_CALL 40 /* Marker of call through TLS
                                  descriptor for
                                  relaxation. */
#define R_386_TLS_DESC 41 /* TLS descriptor containing
                             pointer to code and to
                             argument, returning the TLS
                             offset for the symbol. */
#define R_386_IRELATIVE 42 /* Adjust indirectly by program base */
/* Keep this the last entry. */
#define R_386_NUM 43

/* SUN SPARC specific definitions. */

/* Legal values for ST_TYPE subfield of st_info (symbol type). */

#define STT_SPARC_REGISTER 13 /* Global register reserved to app. */

/* Values for Elf64_Ehdr.e_flags. */

#define EF_SPARCV9_MM 3
#define EF_SPARCV9_TSO 0
#define EF_SPARCV9_PSO 1
#define EF_SPARCV9_RMO 2
#define EF_SPARC_LEDATA 0x800000 /* little endian data */
#define EF_SPARC_EXT_MASK 0xFFFF00
#define EF_SPARC_32PLUS 0x000100 /* generic V8+ features */
#define EF_SPARC_SUN_US1 0x000200 /* Sun UltraSPARC1 extensions */
#define EF_SPARC_HAL_R1 0x000400 /* HAL R1 extensions */
#define EF_SPARC_SUN_US3 0x000800 /* Sun UltraSPARCIII extensions */

/* SPARC relocs. 
*/

/* NOTE(review): the SPARC numbering is sparse -- nothing is named between
   R_SPARC_SIZE64 (87) and R_SPARC_JMP_IREL (248) -- and R_SPARC_NUM is one
   more than the highest named value.  A table indexed by a relocation type
   taken from an untrusted object needs a check against R_SPARC_NUM and a
   defined result for the unnamed slots.  */

#define R_SPARC_NONE 0 /* No reloc */
#define R_SPARC_8 1 /* Direct 8 bit */
#define R_SPARC_16 2 /* Direct 16 bit */
#define R_SPARC_32 3 /* Direct 32 bit */
#define R_SPARC_DISP8 4 /* PC relative 8 bit */
#define R_SPARC_DISP16 5 /* PC relative 16 bit */
#define R_SPARC_DISP32 6 /* PC relative 32 bit */
#define R_SPARC_WDISP30 7 /* PC relative 30 bit shifted */
#define R_SPARC_WDISP22 8 /* PC relative 22 bit shifted */
#define R_SPARC_HI22 9 /* High 22 bit */
#define R_SPARC_22 10 /* Direct 22 bit */
#define R_SPARC_13 11 /* Direct 13 bit */
#define R_SPARC_LO10 12 /* Truncated 10 bit */
#define R_SPARC_GOT10 13 /* Truncated 10 bit GOT entry */
#define R_SPARC_GOT13 14 /* 13 bit GOT entry */
#define R_SPARC_GOT22 15 /* 22 bit GOT entry shifted */
#define R_SPARC_PC10 16 /* PC relative 10 bit truncated */
#define R_SPARC_PC22 17 /* PC relative 22 bit shifted */
#define R_SPARC_WPLT30 18 /* 30 bit PC relative PLT address */
#define R_SPARC_COPY 19 /* Copy symbol at runtime */
#define R_SPARC_GLOB_DAT 20 /* Create GOT entry */
#define R_SPARC_JMP_SLOT 21 /* Create PLT entry */
#define R_SPARC_RELATIVE 22 /* Adjust by program base */
#define R_SPARC_UA32 23 /* Direct 32 bit unaligned */

/* Additional Sparc64 relocs. */

#define R_SPARC_PLT32 24 /* Direct 32 bit ref to PLT entry */
#define R_SPARC_HIPLT22 25 /* High 22 bit PLT entry */
#define R_SPARC_LOPLT10 26 /* Truncated 10 bit PLT entry */
#define R_SPARC_PCPLT32 27 /* PC rel 32 bit ref to PLT entry */
#define R_SPARC_PCPLT22 28 /* PC rel high 22 bit PLT entry */
#define R_SPARC_PCPLT10 29 /* PC rel trunc 10 bit PLT entry */
#define R_SPARC_10 30 /* Direct 10 bit */
#define R_SPARC_11 31 /* Direct 11 bit */
#define R_SPARC_64 32 /* Direct 64 bit */
#define R_SPARC_OLO10 33 /* 10bit with secondary 13bit addend */
#define R_SPARC_HH22 34 /* Top 22 bits of direct 64 bit */
#define R_SPARC_HM10 35 /* High middle 10 bits of ... */
#define R_SPARC_LM22 36 /* Low middle 22 bits of ... */
#define R_SPARC_PC_HH22 37 /* Top 22 bits of pc rel 64 bit */
#define R_SPARC_PC_HM10 38 /* High middle 10 bit of ... */
#define R_SPARC_PC_LM22 39 /* Low middle 22 bits of ... */
#define R_SPARC_WDISP16 40 /* PC relative 16 bit shifted */
#define R_SPARC_WDISP19 41 /* PC relative 19 bit shifted */
#define R_SPARC_GLOB_JMP 42 /* was part of v9 ABI but was removed */
#define R_SPARC_7 43 /* Direct 7 bit */
#define R_SPARC_5 44 /* Direct 5 bit */
#define R_SPARC_6 45 /* Direct 6 bit */
#define R_SPARC_DISP64 46 /* PC relative 64 bit */
#define R_SPARC_PLT64 47 /* Direct 64 bit ref to PLT entry */
#define R_SPARC_HIX22 48 /* High 22 bit complemented */
#define R_SPARC_LOX10 49 /* Truncated 11 bit complemented */
#define R_SPARC_H44 50 /* Direct high 12 of 44 bit */
#define R_SPARC_M44 51 /* Direct mid 22 of 44 bit */
#define R_SPARC_L44 52 /* Direct low 10 of 44 bit */
#define R_SPARC_REGISTER 53 /* Global register usage */
#define R_SPARC_UA64 54 /* Direct 64 bit unaligned */
#define R_SPARC_UA16 55 /* Direct 16 bit unaligned */
#define R_SPARC_TLS_GD_HI22 56
#define R_SPARC_TLS_GD_LO10 57
#define R_SPARC_TLS_GD_ADD 58
#define R_SPARC_TLS_GD_CALL 59
#define R_SPARC_TLS_LDM_HI22 60
#define R_SPARC_TLS_LDM_LO10 61
#define R_SPARC_TLS_LDM_ADD 62
#define R_SPARC_TLS_LDM_CALL 63
#define R_SPARC_TLS_LDO_HIX22 64
#define R_SPARC_TLS_LDO_LOX10 65
#define R_SPARC_TLS_LDO_ADD 66
#define R_SPARC_TLS_IE_HI22 67
#define R_SPARC_TLS_IE_LO10 68
#define R_SPARC_TLS_IE_LD 69
#define R_SPARC_TLS_IE_LDX 70
#define R_SPARC_TLS_IE_ADD 71
#define R_SPARC_TLS_LE_HIX22 72
#define R_SPARC_TLS_LE_LOX10 73
#define R_SPARC_TLS_DTPMOD32 74
#define R_SPARC_TLS_DTPMOD64 75
#define R_SPARC_TLS_DTPOFF32 76
#define R_SPARC_TLS_DTPOFF64 77
#define R_SPARC_TLS_TPOFF32 78
#define R_SPARC_TLS_TPOFF64 79
#define R_SPARC_GOTDATA_HIX22 80
#define R_SPARC_GOTDATA_LOX10 81
#define R_SPARC_GOTDATA_OP_HIX22 82
#define R_SPARC_GOTDATA_OP_LOX10 83
#define R_SPARC_GOTDATA_OP 84
#define R_SPARC_H34 85
#define R_SPARC_SIZE32 86
#define R_SPARC_SIZE64 87
#define R_SPARC_JMP_IREL 248
#define R_SPARC_IRELATIVE 249
#define R_SPARC_GNU_VTINHERIT 250
#define R_SPARC_GNU_VTENTRY 251
#define R_SPARC_REV32 252
/* Keep this the last entry. */
#define R_SPARC_NUM 253

/* For Sparc64, legal values for d_tag of Elf64_Dyn. */

#define DT_SPARC_REGISTER 0x70000001
#define DT_SPARC_NUM 2

/* Bits present in AT_HWCAP on SPARC. */

#define HWCAP_SPARC_FLUSH 1 /* The CPU supports flush insn. */
#define HWCAP_SPARC_STBAR 2
#define HWCAP_SPARC_SWAP 4
#define HWCAP_SPARC_MULDIV 8
#define HWCAP_SPARC_V9 16 /* The CPU is v9, so v8plus is ok. */
#define HWCAP_SPARC_ULTRA3 32
#define HWCAP_SPARC_BLKINIT 64 /* Sun4v with block-init/load-twin. */
#define HWCAP_SPARC_N2 128

/* MIPS R3000 specific definitions. */

/* Legal values for e_flags field of Elf32_Ehdr. */

#define EF_MIPS_NOREORDER 1 /* A .noreorder directive was used */
#define EF_MIPS_PIC 2 /* Contains PIC code */
#define EF_MIPS_CPIC 4 /* Uses PIC calling sequence */
#define EF_MIPS_XGOT 8
#define EF_MIPS_64BIT_WHIRL 16
#define EF_MIPS_ABI2 32
#define EF_MIPS_ABI_ON32 64
#define EF_MIPS_ARCH 0xf0000000 /* MIPS architecture level */

/* Legal values for MIPS architecture level. */

#define EF_MIPS_ARCH_1 0x00000000 /* -mips1 code. */
#define EF_MIPS_ARCH_2 0x10000000 /* -mips2 code. */
#define EF_MIPS_ARCH_3 0x20000000 /* -mips3 code. */
#define EF_MIPS_ARCH_4 0x30000000 /* -mips4 code. */
#define EF_MIPS_ARCH_5 0x40000000 /* -mips5 code. */
#define EF_MIPS_ARCH_32 0x60000000 /* MIPS32 code. */
#define EF_MIPS_ARCH_64 0x70000000 /* MIPS64 code. */

/* The following are non-official names and should not be used. */

#define E_MIPS_ARCH_1 0x00000000 /* -mips1 code. */
#define E_MIPS_ARCH_2 0x10000000 /* -mips2 code. */
#define E_MIPS_ARCH_3 0x20000000 /* -mips3 code. */
#define E_MIPS_ARCH_4 0x30000000 /* -mips4 code. */
#define E_MIPS_ARCH_5 0x40000000 /* -mips5 code. */
#define E_MIPS_ARCH_32 0x60000000 /* MIPS32 code. 
*/
#define E_MIPS_ARCH_64 0x70000000 /* MIPS64 code. */

/* Special section indices. */

#define SHN_MIPS_ACOMMON 0xff00 /* Allocated common symbols */
#define SHN_MIPS_TEXT 0xff01 /* Allocated text symbols. */
#define SHN_MIPS_DATA 0xff02 /* Allocated data symbols. */
#define SHN_MIPS_SCOMMON 0xff03 /* Small common symbols */
#define SHN_MIPS_SUNDEFINED 0xff04 /* Small undefined symbols */

/* Legal values for sh_type field of Elf32_Shdr. */

#define SHT_MIPS_LIBLIST 0x70000000 /* Shared objects used in link */
#define SHT_MIPS_MSYM 0x70000001
#define SHT_MIPS_CONFLICT 0x70000002 /* Conflicting symbols */
#define SHT_MIPS_GPTAB 0x70000003 /* Global data area sizes */
#define SHT_MIPS_UCODE 0x70000004 /* Reserved for SGI/MIPS compilers */
#define SHT_MIPS_DEBUG 0x70000005 /* MIPS ECOFF debugging information */
#define SHT_MIPS_REGINFO 0x70000006 /* Register usage information */
#define SHT_MIPS_PACKAGE 0x70000007
#define SHT_MIPS_PACKSYM 0x70000008
#define SHT_MIPS_RELD 0x70000009
#define SHT_MIPS_IFACE 0x7000000b
#define SHT_MIPS_CONTENT 0x7000000c
#define SHT_MIPS_OPTIONS 0x7000000d /* Miscellaneous options. */
#define SHT_MIPS_SHDR 0x70000010
#define SHT_MIPS_FDESC 0x70000011
#define SHT_MIPS_EXTSYM 0x70000012
#define SHT_MIPS_DENSE 0x70000013
#define SHT_MIPS_PDESC 0x70000014
#define SHT_MIPS_LOCSYM 0x70000015
#define SHT_MIPS_AUXSYM 0x70000016
#define SHT_MIPS_OPTSYM 0x70000017
#define SHT_MIPS_LOCSTR 0x70000018
#define SHT_MIPS_LINE 0x70000019
#define SHT_MIPS_RFDESC 0x7000001a
#define SHT_MIPS_DELTASYM 0x7000001b
#define SHT_MIPS_DELTAINST 0x7000001c
#define SHT_MIPS_DELTACLASS 0x7000001d
#define SHT_MIPS_DWARF 0x7000001e /* DWARF debugging information. */
#define SHT_MIPS_DELTADECL 0x7000001f
#define SHT_MIPS_SYMBOL_LIB 0x70000020
#define SHT_MIPS_EVENTS 0x70000021 /* Event section. */
#define SHT_MIPS_TRANSLATE 0x70000022
#define SHT_MIPS_PIXIE 0x70000023
#define SHT_MIPS_XLATE 0x70000024
#define SHT_MIPS_XLATE_DEBUG 0x70000025
#define SHT_MIPS_WHIRL 0x70000026
#define SHT_MIPS_EH_REGION 0x70000027
#define SHT_MIPS_XLATE_OLD 0x70000028
#define SHT_MIPS_PDR_EXCEPTION 0x70000029

/* Legal values for sh_flags field of Elf32_Shdr. */

#define SHF_MIPS_GPREL 0x10000000 /* Must be part of global data area */
#define SHF_MIPS_MERGE 0x20000000
#define SHF_MIPS_ADDR 0x40000000
#define SHF_MIPS_STRINGS 0x80000000
#define SHF_MIPS_NOSTRIP 0x08000000
#define SHF_MIPS_LOCAL 0x04000000
#define SHF_MIPS_NAMES 0x02000000
#define SHF_MIPS_NODUPE 0x01000000

/* Symbol tables. */

/* MIPS specific values for `st_other'. */
#define STO_MIPS_DEFAULT 0x0
#define STO_MIPS_INTERNAL 0x1
#define STO_MIPS_HIDDEN 0x2
#define STO_MIPS_PROTECTED 0x3
#define STO_MIPS_PLT 0x8
#define STO_MIPS_SC_ALIGN_UNUSED 0xff

/* MIPS specific values for `st_info'. */
#define STB_MIPS_SPLIT_COMMON 13

/* Entries found in sections of type SHT_MIPS_GPTAB. */

typedef union
{
  struct
    {
      Elf32_Word gt_current_g_value; /* -G value used for compilation */
      Elf32_Word gt_unused; /* Not used */
    } gt_header; /* First entry in section */
  struct
    {
      Elf32_Word gt_g_value; /* If this value were used for -G */
      Elf32_Word gt_bytes; /* This many bytes would be used */
    } gt_entry; /* Subsequent entries in section */
} Elf32_gptab;

/* Entry found in sections of type SHT_MIPS_REGINFO. */

typedef struct
{
  Elf32_Word ri_gprmask; /* General registers used */
  Elf32_Word ri_cprmask[4]; /* Coprocessor registers used */
  Elf32_Sword ri_gp_value; /* $gp register value */
} Elf32_RegInfo;

/* Entries found in sections of type SHT_MIPS_OPTIONS. */
/* NOTE(review): `size' is a one-byte length stored in the file and is
   documented as including this header.  A reader that steps through an
   options section by adding `size' should treat a value smaller than the
   header (including 0) or larger than the remaining section bytes as
   malformed; otherwise the walk may never advance or may run past the
   section.  */

typedef struct
{
  unsigned char kind; /* Determines interpretation of the
                         variable part of descriptor. */
  unsigned char size; /* Size of descriptor, including header. */
  Elf32_Section section; /* Section header index of section affected,
                            0 for global options. */
  Elf32_Word info; /* Kind-specific information. */
} Elf_Options;

/* Values for `kind' field in Elf_Options. */

#define ODK_NULL 0 /* Undefined. */
#define ODK_REGINFO 1 /* Register usage information. */
#define ODK_EXCEPTIONS 2 /* Exception processing options. */
#define ODK_PAD 3 /* Section padding options. */
#define ODK_HWPATCH 4 /* Hardware workarounds performed */
#define ODK_FILL 5 /* record the fill value used by the linker. */
#define ODK_TAGS 6 /* reserve space for desktop tools to write. */
#define ODK_HWAND 7 /* HW workarounds. 'AND' bits when merging. */
#define ODK_HWOR 8 /* HW workarounds. 'OR' bits when merging. */

/* Values for `info' in Elf_Options for ODK_EXCEPTIONS entries. */

#define OEX_FPU_MIN 0x1f /* FPE's which MUST be enabled. */
#define OEX_FPU_MAX 0x1f00 /* FPE's which MAY be enabled. */
#define OEX_PAGE0 0x10000 /* page zero must be mapped. */
#define OEX_SMM 0x20000 /* Force sequential memory mode? */
#define OEX_FPDBUG 0x40000 /* Force floating point debug mode? */
#define OEX_PRECISEFP OEX_FPDBUG
#define OEX_DISMISS 0x80000 /* Dismiss invalid address faults? */

#define OEX_FPU_INVAL 0x10
#define OEX_FPU_DIV0 0x08
#define OEX_FPU_OFLO 0x04
#define OEX_FPU_UFLO 0x02
#define OEX_FPU_INEX 0x01

/* Masks for `info' in Elf_Options for an ODK_HWPATCH entry. */

#define OHW_R4KEOP 0x1 /* R4000 end-of-page patch. */
#define OHW_R8KPFETCH 0x2 /* may need R8000 prefetch patch. */
#define OHW_R5KEOP 0x4 /* R5000 end-of-page patch. */
#define OHW_R5KCVTL 0x8 /* R5000 cvt.[ds].l bug. clean=1. */

#define OPAD_PREFIX 0x1
#define OPAD_POSTFIX 0x2
#define OPAD_SYMBOL 0x4

/* Entry found in `.options' section. */

typedef struct
{
  Elf32_Word hwp_flags1; /* Extra flags. */
  Elf32_Word hwp_flags2; /* Extra flags. */
} Elf_Options_Hw;

/* Masks for `info' in ElfOptions for ODK_HWAND and ODK_HWOR entries. */

#define OHWA0_R4KEOP_CHECKED 0x00000001
#define OHWA1_R4KEOP_CLEAN 0x00000002

/* MIPS relocs. 
*/

/* NOTE(review): the MIPS numbering has gaps (13-15 and 52-125 are not named
   here) and R_MIPS_NUM is one more than the highest named value.  A table
   indexed by a relocation type from an untrusted object needs a check
   against R_MIPS_NUM and a defined result for the unnamed slots.  */

#define R_MIPS_NONE 0 /* No reloc */
#define R_MIPS_16 1 /* Direct 16 bit */
#define R_MIPS_32 2 /* Direct 32 bit */
#define R_MIPS_REL32 3 /* PC relative 32 bit */
#define R_MIPS_26 4 /* Direct 26 bit shifted */
#define R_MIPS_HI16 5 /* High 16 bit */
#define R_MIPS_LO16 6 /* Low 16 bit */
#define R_MIPS_GPREL16 7 /* GP relative 16 bit */
#define R_MIPS_LITERAL 8 /* 16 bit literal entry */
#define R_MIPS_GOT16 9 /* 16 bit GOT entry */
#define R_MIPS_PC16 10 /* PC relative 16 bit */
#define R_MIPS_CALL16 11 /* 16 bit GOT entry for function */
#define R_MIPS_GPREL32 12 /* GP relative 32 bit */

#define R_MIPS_SHIFT5 16
#define R_MIPS_SHIFT6 17
#define R_MIPS_64 18
#define R_MIPS_GOT_DISP 19
#define R_MIPS_GOT_PAGE 20
#define R_MIPS_GOT_OFST 21
#define R_MIPS_GOT_HI16 22
#define R_MIPS_GOT_LO16 23
#define R_MIPS_SUB 24
#define R_MIPS_INSERT_A 25
#define R_MIPS_INSERT_B 26
#define R_MIPS_DELETE 27
#define R_MIPS_HIGHER 28
#define R_MIPS_HIGHEST 29
#define R_MIPS_CALL_HI16 30
#define R_MIPS_CALL_LO16 31
#define R_MIPS_SCN_DISP 32
#define R_MIPS_REL16 33
#define R_MIPS_ADD_IMMEDIATE 34
#define R_MIPS_PJUMP 35
#define R_MIPS_RELGOT 36
#define R_MIPS_JALR 37
#define R_MIPS_TLS_DTPMOD32 38 /* Module number 32 bit */
#define R_MIPS_TLS_DTPREL32 39 /* Module-relative offset 32 bit */
#define R_MIPS_TLS_DTPMOD64 40 /* Module number 64 bit */
#define R_MIPS_TLS_DTPREL64 41 /* Module-relative offset 64 bit */
#define R_MIPS_TLS_GD 42 /* 16 bit GOT offset for GD */
#define R_MIPS_TLS_LDM 43 /* 16 bit GOT offset for LDM */
#define R_MIPS_TLS_DTPREL_HI16 44 /* Module-relative offset, high 16 bits */
#define R_MIPS_TLS_DTPREL_LO16 45 /* Module-relative offset, low 16 bits */
#define R_MIPS_TLS_GOTTPREL 46 /* 16 bit GOT offset for IE */
#define R_MIPS_TLS_TPREL32 47 /* TP-relative offset, 32 bit */
#define R_MIPS_TLS_TPREL64 48 /* TP-relative offset, 64 bit */
#define R_MIPS_TLS_TPREL_HI16 49 /* TP-relative offset, high 16 bits */
#define R_MIPS_TLS_TPREL_LO16 50 /* TP-relative offset, low 16 bits */
#define R_MIPS_GLOB_DAT 51
#define R_MIPS_COPY 126
#define R_MIPS_JUMP_SLOT 127
/* Keep this the last entry. */
#define R_MIPS_NUM 128

/* Legal values for p_type field of Elf32_Phdr. */

#define PT_MIPS_REGINFO 0x70000000 /* Register usage information */
#define PT_MIPS_RTPROC 0x70000001 /* Runtime procedure table. */
#define PT_MIPS_OPTIONS 0x70000002

/* Special program header types. */

#define PF_MIPS_LOCAL 0x10000000

/* Legal values for d_tag field of Elf32_Dyn. */

#define DT_MIPS_RLD_VERSION 0x70000001 /* Runtime linker interface version */
#define DT_MIPS_TIME_STAMP 0x70000002 /* Timestamp */
#define DT_MIPS_ICHECKSUM 0x70000003 /* Checksum */
#define DT_MIPS_IVERSION 0x70000004 /* Version string (string tbl index) */
#define DT_MIPS_FLAGS 0x70000005 /* Flags */
#define DT_MIPS_BASE_ADDRESS 0x70000006 /* Base address */
#define DT_MIPS_MSYM 0x70000007
#define DT_MIPS_CONFLICT 0x70000008 /* Address of CONFLICT section */
#define DT_MIPS_LIBLIST 0x70000009 /* Address of LIBLIST section */
#define DT_MIPS_LOCAL_GOTNO 0x7000000a /* Number of local GOT entries */
#define DT_MIPS_CONFLICTNO 0x7000000b /* Number of CONFLICT entries */
#define DT_MIPS_LIBLISTNO 0x70000010 /* Number of LIBLIST entries */
#define DT_MIPS_SYMTABNO 0x70000011 /* Number of DYNSYM entries */
#define DT_MIPS_UNREFEXTNO 0x70000012 /* First external DYNSYM */
#define DT_MIPS_GOTSYM 0x70000013 /* First GOT entry in DYNSYM */
#define DT_MIPS_HIPAGENO 0x70000014 /* Number of GOT page table entries */
#define DT_MIPS_RLD_MAP 0x70000016 /* Address of run time loader map. */
#define DT_MIPS_DELTA_CLASS 0x70000017 /* Delta C++ class definition. */
#define DT_MIPS_DELTA_CLASS_NO 0x70000018 /* Number of entries in
                                             DT_MIPS_DELTA_CLASS. */
#define DT_MIPS_DELTA_INSTANCE 0x70000019 /* Delta C++ class instances. */
#define DT_MIPS_DELTA_INSTANCE_NO 0x7000001a /* Number of entries in
                                                DT_MIPS_DELTA_INSTANCE. */
#define DT_MIPS_DELTA_RELOC 0x7000001b /* Delta relocations. 
*/ #define DT_MIPS_DELTA_RELOC_NO 0x7000001c /* Number of entries in DT_MIPS_DELTA_RELOC. */ #define DT_MIPS_DELTA_SYM 0x7000001d /* Delta symbols that Delta relocations refer to. */ #define DT_MIPS_DELTA_SYM_NO 0x7000001e /* Number of entries in DT_MIPS_DELTA_SYM. */ #define DT_MIPS_DELTA_CLASSSYM 0x70000020 /* Delta symbols that hold the class declaration. */ #define DT_MIPS_DELTA_CLASSSYM_NO 0x70000021 /* Number of entries in DT_MIPS_DELTA_CLASSSYM. */ #define DT_MIPS_CXX_FLAGS 0x70000022 /* Flags indicating for C++ flavor. */ #define DT_MIPS_PIXIE_INIT 0x70000023 #define DT_MIPS_SYMBOL_LIB 0x70000024 #define DT_MIPS_LOCALPAGE_GOTIDX 0x70000025 #define DT_MIPS_LOCAL_GOTIDX 0x70000026 #define DT_MIPS_HIDDEN_GOTIDX 0x70000027 #define DT_MIPS_PROTECTED_GOTIDX 0x70000028 #define DT_MIPS_OPTIONS 0x70000029 /* Address of .options. */ #define DT_MIPS_INTERFACE 0x7000002a /* Address of .interface. */ #define DT_MIPS_DYNSTR_ALIGN 0x7000002b #define DT_MIPS_INTERFACE_SIZE 0x7000002c /* Size of the .interface section. */ #define DT_MIPS_RLD_TEXT_RESOLVE_ADDR 0x7000002d /* Address of rld_text_rsolve function stored in GOT. */ #define DT_MIPS_PERF_SUFFIX 0x7000002e /* Default suffix of dso to be added by rld on dlopen() calls. */ #define DT_MIPS_COMPACT_SIZE 0x7000002f /* (O32)Size of compact rel section. */ #define DT_MIPS_GP_VALUE 0x70000030 /* GP value for aux GOTs. */ #define DT_MIPS_AUX_DYNAMIC 0x70000031 /* Address of aux .dynamic. */ /* The address of .got.plt in an executable using the new non-PIC ABI. */ #define DT_MIPS_PLTGOT 0x70000032 /* The base of the PLT in an executable using the new non-PIC ABI if that PLT is writable. For a non-writable PLT, this is omitted or has a zero value. */ #define DT_MIPS_RWPLT 0x70000034 #define DT_MIPS_NUM 0x35 /* Legal values for DT_MIPS_FLAGS Elf32_Dyn entry. 
*/
/* Each RHF_* value below (other than RHF_NONE) is a single bit, so the
   flags can be OR-ed together and tested with a bitwise AND. */
#define RHF_NONE 0 /* No flags */
#define RHF_QUICKSTART (1 << 0) /* Use quickstart */
#define RHF_NOTPOT (1 << 1) /* Hash size not power of 2 */
#define RHF_NO_LIBRARY_REPLACEMENT (1 << 2) /* Ignore LD_LIBRARY_PATH */
#define RHF_NO_MOVE (1 << 3)
#define RHF_SGI_ONLY (1 << 4)
#define RHF_GUARANTEE_INIT (1 << 5)
#define RHF_DELTA_C_PLUS_PLUS (1 << 6)
#define RHF_GUARANTEE_START_INIT (1 << 7)
#define RHF_PIXIE (1 << 8)
#define RHF_DEFAULT_DELAY_LOAD (1 << 9)
#define RHF_REQUICKSTART (1 << 10)
#define RHF_REQUICKSTARTED (1 << 11)
#define RHF_CORD (1 << 12)
#define RHF_NO_UNRES_UNDEF (1 << 13)
#define RHF_RLD_ORDER_SAFE (1 << 14)

/* Entries found in sections of type SHT_MIPS_LIBLIST. */

/* 32-bit form of a library-list entry: five Elf32_Word fields.
   NOTE(review): l_name is an index taken from the file; a consumer should
   check it against the string table size before using it -- confirm at the
   use sites, which are not in this header. */
typedef struct
{
  Elf32_Word l_name; /* Name (string table index) */
  Elf32_Word l_time_stamp; /* Timestamp */
  Elf32_Word l_checksum; /* Checksum */
  Elf32_Word l_version; /* Interface version */
  Elf32_Word l_flags; /* Flags (LL_* values below) */
} Elf32_Lib;

/* 64-bit form of a library-list entry; same five fields, declared with
   Elf64_Word. */
typedef struct
{
  Elf64_Word l_name; /* Name (string table index) */
  Elf64_Word l_time_stamp; /* Timestamp */
  Elf64_Word l_checksum; /* Checksum */
  Elf64_Word l_version; /* Interface version */
  Elf64_Word l_flags; /* Flags (LL_* values below) */
} Elf64_Lib;

/* Legal values for l_flags. Apart from LL_NONE each is a single bit. */
#define LL_NONE 0
#define LL_EXACT_MATCH (1 << 0) /* Require exact match */
#define LL_IGNORE_INT_VER (1 << 1) /* Ignore interface version */
#define LL_REQUIRE_MINOR (1 << 2)
#define LL_EXPORTS (1 << 3)
#define LL_DELAY_LOAD (1 << 4)
#define LL_DELTA (1 << 5)

/* Entries found in sections of type SHT_MIPS_CONFLICT. */
typedef Elf32_Addr Elf32_Conflict;

/* HPPA specific definitions. */

/* Legal values for e_flags field of Elf32_Ehdr. */
#define EF_PARISC_TRAPNIL 0x00010000 /* Trap nil pointer dereference. */
#define EF_PARISC_EXT 0x00020000 /* Program uses arch. extensions. */
#define EF_PARISC_LSB 0x00040000 /* Program expects little endian. */
#define EF_PARISC_WIDE 0x00080000 /* Program expects wide mode.
*/
#define EF_PARISC_NO_KABP 0x00100000 /* No kernel assisted branch prediction. */
#define EF_PARISC_LAZYSWAP 0x00400000 /* Allow lazy swapping. */
#define EF_PARISC_ARCH 0x0000ffff /* Architecture version (mask for the low 16 bits of e_flags). */

/* Defined values for `e_flags & EF_PARISC_ARCH' are: */
#define EFA_PARISC_1_0 0x020b /* PA-RISC 1.0 big-endian. */
#define EFA_PARISC_1_1 0x0210 /* PA-RISC 1.1 big-endian. */
#define EFA_PARISC_2_0 0x0214 /* PA-RISC 2.0 big-endian. */

/* Additional section indices. */
#define SHN_PARISC_ANSI_COMMON 0xff00 /* Section for tentatively declared symbols in ANSI C. */
#define SHN_PARISC_HUGE_COMMON 0xff01 /* Common blocks in huge model. */

/* Legal values for sh_type field of Elf32_Shdr. */
#define SHT_PARISC_EXT 0x70000000 /* Contains product specific ext. */
#define SHT_PARISC_UNWIND 0x70000001 /* Unwind information. */
#define SHT_PARISC_DOC 0x70000002 /* Debug info for optimized code. */

/* Legal values for sh_flags field of Elf32_Shdr. */
#define SHF_PARISC_SHORT 0x20000000 /* Section with short addressing. */
#define SHF_PARISC_HUGE 0x40000000 /* Section far from gp. */
#define SHF_PARISC_SBP 0x80000000 /* Static branch prediction code. */

/* Legal values for ST_TYPE subfield of st_info (symbol type). */
#define STT_PARISC_MILLICODE 13 /* Millicode function entry point. */
/* The two HP symbol types are offsets from STT_LOOS, which is defined
   outside this part of the header. */
#define STT_HP_OPAQUE (STT_LOOS + 0x1)
#define STT_HP_STUB (STT_LOOS + 0x2)

/* HPPA relocs. The numbering is sparse: not every value between two
   entries is assigned. */
#define R_PARISC_NONE 0 /* No reloc. */
#define R_PARISC_DIR32 1 /* Direct 32-bit reference. */
#define R_PARISC_DIR21L 2 /* Left 21 bits of eff. address. */
#define R_PARISC_DIR17R 3 /* Right 17 bits of eff. address. */
#define R_PARISC_DIR17F 4 /* 17 bits of eff. address. */
#define R_PARISC_DIR14R 6 /* Right 14 bits of eff. address. */
#define R_PARISC_PCREL32 9 /* 32-bit rel. address. */
#define R_PARISC_PCREL21L 10 /* Left 21 bits of rel. address. */
#define R_PARISC_PCREL17R 11 /* Right 17 bits of rel. address. */
#define R_PARISC_PCREL17F 12 /* 17 bits of rel. address.
*/ #define R_PARISC_PCREL14R 14 /* Right 14 bits of rel. address. */ #define R_PARISC_DPREL21L 18 /* Left 21 bits of rel. address. */ #define R_PARISC_DPREL14R 22 /* Right 14 bits of rel. address. */ #define R_PARISC_GPREL21L 26 /* GP-relative, left 21 bits. */ #define R_PARISC_GPREL14R 30 /* GP-relative, right 14 bits. */ #define R_PARISC_LTOFF21L 34 /* LT-relative, left 21 bits. */ #define R_PARISC_LTOFF14R 38 /* LT-relative, right 14 bits. */ #define R_PARISC_SECREL32 41 /* 32 bits section rel. address. */ #define R_PARISC_SEGBASE 48 /* No relocation, set segment base. */ #define R_PARISC_SEGREL32 49 /* 32 bits segment rel. address. */ #define R_PARISC_PLTOFF21L 50 /* PLT rel. address, left 21 bits. */ #define R_PARISC_PLTOFF14R 54 /* PLT rel. address, right 14 bits. */ #define R_PARISC_LTOFF_FPTR32 57 /* 32 bits LT-rel. function pointer. */ #define R_PARISC_LTOFF_FPTR21L 58 /* LT-rel. fct ptr, left 21 bits. */ #define R_PARISC_LTOFF_FPTR14R 62 /* LT-rel. fct ptr, right 14 bits. */ #define R_PARISC_FPTR64 64 /* 64 bits function address. */ #define R_PARISC_PLABEL32 65 /* 32 bits function address. */ #define R_PARISC_PLABEL21L 66 /* Left 21 bits of fdesc address. */ #define R_PARISC_PLABEL14R 70 /* Right 14 bits of fdesc address. */ #define R_PARISC_PCREL64 72 /* 64 bits PC-rel. address. */ #define R_PARISC_PCREL22F 74 /* 22 bits PC-rel. address. */ #define R_PARISC_PCREL14WR 75 /* PC-rel. address, right 14 bits. */ #define R_PARISC_PCREL14DR 76 /* PC rel. address, right 14 bits. */ #define R_PARISC_PCREL16F 77 /* 16 bits PC-rel. address. */ #define R_PARISC_PCREL16WF 78 /* 16 bits PC-rel. address. */ #define R_PARISC_PCREL16DF 79 /* 16 bits PC-rel. address. */ #define R_PARISC_DIR64 80 /* 64 bits of eff. address. */ #define R_PARISC_DIR14WR 83 /* 14 bits of eff. address. */ #define R_PARISC_DIR14DR 84 /* 14 bits of eff. address. */ #define R_PARISC_DIR16F 85 /* 16 bits of eff. address. */ #define R_PARISC_DIR16WF 86 /* 16 bits of eff. address. 
*/
#define R_PARISC_DIR16DF 87 /* 16 bits of eff. address. */
#define R_PARISC_GPREL64 88 /* 64 bits of GP-rel. address. */
#define R_PARISC_GPREL14WR 91 /* GP-rel. address, right 14 bits. */
#define R_PARISC_GPREL14DR 92 /* GP-rel. address, right 14 bits. */
#define R_PARISC_GPREL16F 93 /* 16 bits GP-rel. address. */
#define R_PARISC_GPREL16WF 94 /* 16 bits GP-rel. address. */
#define R_PARISC_GPREL16DF 95 /* 16 bits GP-rel. address. */
#define R_PARISC_LTOFF64 96 /* 64 bits LT-rel. address. */
#define R_PARISC_LTOFF14WR 99 /* LT-rel. address, right 14 bits. */
#define R_PARISC_LTOFF14DR 100 /* LT-rel. address, right 14 bits. */
#define R_PARISC_LTOFF16F 101 /* 16 bits LT-rel. address. */
#define R_PARISC_LTOFF16WF 102 /* 16 bits LT-rel. address. */
#define R_PARISC_LTOFF16DF 103 /* 16 bits LT-rel. address. */
#define R_PARISC_SECREL64 104 /* 64 bits section rel. address. */
#define R_PARISC_SEGREL64 112 /* 64 bits segment rel. address. */
#define R_PARISC_PLTOFF14WR 115 /* PLT-rel. address, right 14 bits. */
#define R_PARISC_PLTOFF14DR 116 /* PLT-rel. address, right 14 bits. */
#define R_PARISC_PLTOFF16F 117 /* 16 bits PLT-rel. address. */
#define R_PARISC_PLTOFF16WF 118 /* 16 bits PLT-rel. address. */
#define R_PARISC_PLTOFF16DF 119 /* 16 bits PLT-rel. address. */
#define R_PARISC_LTOFF_FPTR64 120 /* 64 bits LT-rel. function ptr. */
#define R_PARISC_LTOFF_FPTR14WR 123 /* LT-rel. fct. ptr., right 14 bits. */
#define R_PARISC_LTOFF_FPTR14DR 124 /* LT-rel. fct. ptr., right 14 bits. */
#define R_PARISC_LTOFF_FPTR16F 125 /* 16 bits LT-rel. function ptr. */
#define R_PARISC_LTOFF_FPTR16WF 126 /* 16 bits LT-rel. function ptr. */
#define R_PARISC_LTOFF_FPTR16DF 127 /* 16 bits LT-rel. function ptr. */
/* R_PARISC_LORESERVE and R_PARISC_COPY share the value 128, so the two
   names cannot be told apart by number. */
#define R_PARISC_LORESERVE 128
#define R_PARISC_COPY 128 /* Copy relocation. */
#define R_PARISC_IPLT 129 /* Dynamic reloc, imported PLT */
#define R_PARISC_EPLT 130 /* Dynamic reloc, exported PLT */
#define R_PARISC_TPREL32 153 /* 32 bits TP-rel. address. */
#define R_PARISC_TPREL21L 154 /* TP-rel. address, left 21 bits. */
#define R_PARISC_TPREL14R 158 /* TP-rel. address, right 14 bits. */
#define R_PARISC_LTOFF_TP21L 162 /* LT-TP-rel. address, left 21 bits. */
#define R_PARISC_LTOFF_TP14R 166 /* LT-TP-rel. address, right 14 bits.*/
#define R_PARISC_LTOFF_TP14F 167 /* 14 bits LT-TP-rel. address. */
#define R_PARISC_TPREL64 216 /* 64 bits TP-rel. address. */
#define R_PARISC_TPREL14WR 219 /* TP-rel. address, right 14 bits. */
#define R_PARISC_TPREL14DR 220 /* TP-rel. address, right 14 bits. */
#define R_PARISC_TPREL16F 221 /* 16 bits TP-rel. address. */
#define R_PARISC_TPREL16WF 222 /* 16 bits TP-rel. address. */
#define R_PARISC_TPREL16DF 223 /* 16 bits TP-rel. address. */
#define R_PARISC_LTOFF_TP64 224 /* 64 bits LT-TP-rel. address. */
#define R_PARISC_LTOFF_TP14WR 227 /* LT-TP-rel. address, right 14 bits.*/
#define R_PARISC_LTOFF_TP14DR 228 /* LT-TP-rel. address, right 14 bits.*/
#define R_PARISC_LTOFF_TP16F 229 /* 16 bits LT-TP-rel. address. */
#define R_PARISC_LTOFF_TP16WF 230 /* 16 bits LT-TP-rel. address. */
#define R_PARISC_LTOFF_TP16DF 231 /* 16 bits LT-TP-rel. address. */
#define R_PARISC_GNU_VTENTRY 232
#define R_PARISC_GNU_VTINHERIT 233
/* TLS relocations. "__t_g_a" in the comments below presumably abbreviates
   __tls_get_addr -- TODO confirm. */
#define R_PARISC_TLS_GD21L 234 /* GD 21-bit left. */
#define R_PARISC_TLS_GD14R 235 /* GD 14-bit right. */
#define R_PARISC_TLS_GDCALL 236 /* GD call to __t_g_a. */
#define R_PARISC_TLS_LDM21L 237 /* LD module 21-bit left. */
#define R_PARISC_TLS_LDM14R 238 /* LD module 14-bit right. */
#define R_PARISC_TLS_LDMCALL 239 /* LD module call to __t_g_a. */
#define R_PARISC_TLS_LDO21L 240 /* LD offset 21-bit left. */
#define R_PARISC_TLS_LDO14R 241 /* LD offset 14-bit right. */
#define R_PARISC_TLS_DTPMOD32 242 /* DTP module 32-bit. */
#define R_PARISC_TLS_DTPMOD64 243 /* DTP module 64-bit. */
#define R_PARISC_TLS_DTPOFF32 244 /* DTP offset 32-bit. */
#define R_PARISC_TLS_DTPOFF64 245 /* DTP offset 64-bit. */
/* The names below are aliases: each expands to a relocation number already
   defined above. */
#define R_PARISC_TLS_LE21L R_PARISC_TPREL21L
#define R_PARISC_TLS_LE14R R_PARISC_TPREL14R
#define R_PARISC_TLS_IE21L R_PARISC_LTOFF_TP21L
#define R_PARISC_TLS_IE14R R_PARISC_LTOFF_TP14R
#define R_PARISC_TLS_TPREL32 R_PARISC_TPREL32
#define R_PARISC_TLS_TPREL64 R_PARISC_TPREL64
#define R_PARISC_HIRESERVE 255

/* Legal values for p_type field of Elf32_Phdr/Elf64_Phdr. */
/* The PT_HP_* values are offsets from PT_LOOS, which is defined outside
   this part of the header. The offsets are hexadecimal, so 0x9 is followed
   by 0x10. */
#define PT_HP_TLS (PT_LOOS + 0x0)
#define PT_HP_CORE_NONE (PT_LOOS + 0x1)
#define PT_HP_CORE_VERSION (PT_LOOS + 0x2)
#define PT_HP_CORE_KERNEL (PT_LOOS + 0x3)
#define PT_HP_CORE_COMM (PT_LOOS + 0x4)
#define PT_HP_CORE_PROC (PT_LOOS + 0x5)
#define PT_HP_CORE_LOADABLE (PT_LOOS + 0x6)
#define PT_HP_CORE_STACK (PT_LOOS + 0x7)
#define PT_HP_CORE_SHM (PT_LOOS + 0x8)
#define PT_HP_CORE_MMF (PT_LOOS + 0x9)
#define PT_HP_PARALLEL (PT_LOOS + 0x10)
#define PT_HP_FASTBIND (PT_LOOS + 0x11)
#define PT_HP_OPT_ANNOT (PT_LOOS + 0x12)
#define PT_HP_HSL_ANNOT (PT_LOOS + 0x13)
#define PT_HP_STACK (PT_LOOS + 0x14)

#define PT_PARISC_ARCHEXT 0x70000000
#define PT_PARISC_UNWIND 0x70000001

/* Legal values for p_flags field of Elf32_Phdr/Elf64_Phdr. */
/* PF_PARISC_SBP and PF_HP_SBP (last entry) have the same value. */
#define PF_PARISC_SBP 0x08000000

#define PF_HP_PAGE_SIZE 0x00100000
#define PF_HP_FAR_SHARED 0x00200000
#define PF_HP_NEAR_SHARED 0x00400000
#define PF_HP_CODE 0x01000000
#define PF_HP_MODIFY 0x02000000
#define PF_HP_LAZYSWAP 0x04000000
#define PF_HP_SBP 0x08000000

/* Alpha specific definitions. */

/* Legal values for e_flags field of Elf64_Ehdr. */
#define EF_ALPHA_32BIT 1 /* All addresses must be < 2GB. */
#define EF_ALPHA_CANRELAX 2 /* Relocations for relaxing exist. */

/* Legal values for sh_type field of Elf64_Shdr. */
/* These two are primarily concerned with ECOFF debugging info. */
#define SHT_ALPHA_DEBUG 0x70000001
#define SHT_ALPHA_REGINFO 0x70000002

/* Legal values for sh_flags field of Elf64_Shdr. */
#define SHF_ALPHA_GPREL 0x10000000

/* Legal values for st_other field of Elf64_Sym. */
#define STO_ALPHA_NOPV 0x80 /* No PV required.
*/ #define STO_ALPHA_STD_GPLOAD 0x88 /* PV only used for initial ldgp. */ /* Alpha relocs. */ #define R_ALPHA_NONE 0 /* No reloc */ #define R_ALPHA_REFLONG 1 /* Direct 32 bit */ #define R_ALPHA_REFQUAD 2 /* Direct 64 bit */ #define R_ALPHA_GPREL32 3 /* GP relative 32 bit */ #define R_ALPHA_LITERAL 4 /* GP relative 16 bit w/optimization */ #define R_ALPHA_LITUSE 5 /* Optimization hint for LITERAL */ #define R_ALPHA_GPDISP 6 /* Add displacement to GP */ #define R_ALPHA_BRADDR 7 /* PC+4 relative 23 bit shifted */ #define R_ALPHA_HINT 8 /* PC+4 relative 16 bit shifted */ #define R_ALPHA_SREL16 9 /* PC relative 16 bit */ #define R_ALPHA_SREL32 10 /* PC relative 32 bit */ #define R_ALPHA_SREL64 11 /* PC relative 64 bit */ #define R_ALPHA_GPRELHIGH 17 /* GP relative 32 bit, high 16 bits */ #define R_ALPHA_GPRELLOW 18 /* GP relative 32 bit, low 16 bits */ #define R_ALPHA_GPREL16 19 /* GP relative 16 bit */ #define R_ALPHA_COPY 24 /* Copy symbol at runtime */ #define R_ALPHA_GLOB_DAT 25 /* Create GOT entry */ #define R_ALPHA_JMP_SLOT 26 /* Create PLT entry */ #define R_ALPHA_RELATIVE 27 /* Adjust by program base */ #define R_ALPHA_TLS_GD_HI 28 #define R_ALPHA_TLSGD 29 #define R_ALPHA_TLS_LDM 30 #define R_ALPHA_DTPMOD64 31 #define R_ALPHA_GOTDTPREL 32 #define R_ALPHA_DTPREL64 33 #define R_ALPHA_DTPRELHI 34 #define R_ALPHA_DTPRELLO 35 #define R_ALPHA_DTPREL16 36 #define R_ALPHA_GOTTPREL 37 #define R_ALPHA_TPREL64 38 #define R_ALPHA_TPRELHI 39 #define R_ALPHA_TPRELLO 40 #define R_ALPHA_TPREL16 41 /* Keep this the last entry. */ #define R_ALPHA_NUM 46 /* Magic values of the LITUSE relocation addend. */ #define LITUSE_ALPHA_ADDR 0 #define LITUSE_ALPHA_BASE 1 #define LITUSE_ALPHA_BYTOFF 2 #define LITUSE_ALPHA_JSR 3 #define LITUSE_ALPHA_TLS_GD 4 #define LITUSE_ALPHA_TLS_LDM 5 /* Legal values for d_tag of Elf64_Dyn. */ #define DT_ALPHA_PLTRO (DT_LOPROC + 0) #define DT_ALPHA_NUM 1 /* PowerPC specific declarations */ /* Values for Elf32/64_Ehdr.e_flags. 
*/ #define EF_PPC_EMB 0x80000000 /* PowerPC embedded flag */ /* Cygnus local bits below */ #define EF_PPC_RELOCATABLE 0x00010000 /* PowerPC -mrelocatable flag*/ #define EF_PPC_RELOCATABLE_LIB 0x00008000 /* PowerPC -mrelocatable-lib flag */ /* PowerPC relocations defined by the ABIs */ #define R_PPC_NONE 0 #define R_PPC_ADDR32 1 /* 32bit absolute address */ #define R_PPC_ADDR24 2 /* 26bit address, 2 bits ignored. */ #define R_PPC_ADDR16 3 /* 16bit absolute address */ #define R_PPC_ADDR16_LO 4 /* lower 16bit of absolute address */ #define R_PPC_ADDR16_HI 5 /* high 16bit of absolute address */ #define R_PPC_ADDR16_HA 6 /* adjusted high 16bit */ #define R_PPC_ADDR14 7 /* 16bit address, 2 bits ignored */ #define R_PPC_ADDR14_BRTAKEN 8 #define R_PPC_ADDR14_BRNTAKEN 9 #define R_PPC_REL24 10 /* PC relative 26 bit */ #define R_PPC_REL14 11 /* PC relative 16 bit */ #define R_PPC_REL14_BRTAKEN 12 #define R_PPC_REL14_BRNTAKEN 13 #define R_PPC_GOT16 14 #define R_PPC_GOT16_LO 15 #define R_PPC_GOT16_HI 16 #define R_PPC_GOT16_HA 17 #define R_PPC_PLTREL24 18 #define R_PPC_COPY 19 #define R_PPC_GLOB_DAT 20 #define R_PPC_JMP_SLOT 21 #define R_PPC_RELATIVE 22 #define R_PPC_LOCAL24PC 23 #define R_PPC_UADDR32 24 #define R_PPC_UADDR16 25 #define R_PPC_REL32 26 #define R_PPC_PLT32 27 #define R_PPC_PLTREL32 28 #define R_PPC_PLT16_LO 29 #define R_PPC_PLT16_HI 30 #define R_PPC_PLT16_HA 31 #define R_PPC_SDAREL16 32 #define R_PPC_SECTOFF 33 #define R_PPC_SECTOFF_LO 34 #define R_PPC_SECTOFF_HI 35 #define R_PPC_SECTOFF_HA 36 /* PowerPC relocations defined for the TLS access ABI. 
*/ #define R_PPC_TLS 67 /* none (sym+add)@tls */ #define R_PPC_DTPMOD32 68 /* word32 (sym+add)@dtpmod */ #define R_PPC_TPREL16 69 /* half16* (sym+add)@tprel */ #define R_PPC_TPREL16_LO 70 /* half16 (sym+add)@tprel@l */ #define R_PPC_TPREL16_HI 71 /* half16 (sym+add)@tprel@h */ #define R_PPC_TPREL16_HA 72 /* half16 (sym+add)@tprel@ha */ #define R_PPC_TPREL32 73 /* word32 (sym+add)@tprel */ #define R_PPC_DTPREL16 74 /* half16* (sym+add)@dtprel */ #define R_PPC_DTPREL16_LO 75 /* half16 (sym+add)@dtprel@l */ #define R_PPC_DTPREL16_HI 76 /* half16 (sym+add)@dtprel@h */ #define R_PPC_DTPREL16_HA 77 /* half16 (sym+add)@dtprel@ha */ #define R_PPC_DTPREL32 78 /* word32 (sym+add)@dtprel */ #define R_PPC_GOT_TLSGD16 79 /* half16* (sym+add)@got@tlsgd */ #define R_PPC_GOT_TLSGD16_LO 80 /* half16 (sym+add)@got@tlsgd@l */ #define R_PPC_GOT_TLSGD16_HI 81 /* half16 (sym+add)@got@tlsgd@h */ #define R_PPC_GOT_TLSGD16_HA 82 /* half16 (sym+add)@got@tlsgd@ha */ #define R_PPC_GOT_TLSLD16 83 /* half16* (sym+add)@got@tlsld */ #define R_PPC_GOT_TLSLD16_LO 84 /* half16 (sym+add)@got@tlsld@l */ #define R_PPC_GOT_TLSLD16_HI 85 /* half16 (sym+add)@got@tlsld@h */ #define R_PPC_GOT_TLSLD16_HA 86 /* half16 (sym+add)@got@tlsld@ha */ #define R_PPC_GOT_TPREL16 87 /* half16* (sym+add)@got@tprel */ #define R_PPC_GOT_TPREL16_LO 88 /* half16 (sym+add)@got@tprel@l */ #define R_PPC_GOT_TPREL16_HI 89 /* half16 (sym+add)@got@tprel@h */ #define R_PPC_GOT_TPREL16_HA 90 /* half16 (sym+add)@got@tprel@ha */ #define R_PPC_GOT_DTPREL16 91 /* half16* (sym+add)@got@dtprel */ #define R_PPC_GOT_DTPREL16_LO 92 /* half16* (sym+add)@got@dtprel@l */ #define R_PPC_GOT_DTPREL16_HI 93 /* half16* (sym+add)@got@dtprel@h */ #define R_PPC_GOT_DTPREL16_HA 94 /* half16* (sym+add)@got@dtprel@ha */ /* The remaining relocs are from the Embedded ELF ABI, and are not in the SVR4 ELF ABI. 
*/ #define R_PPC_EMB_NADDR32 101 #define R_PPC_EMB_NADDR16 102 #define R_PPC_EMB_NADDR16_LO 103 #define R_PPC_EMB_NADDR16_HI 104 #define R_PPC_EMB_NADDR16_HA 105 #define R_PPC_EMB_SDAI16 106 #define R_PPC_EMB_SDA2I16 107 #define R_PPC_EMB_SDA2REL 108 #define R_PPC_EMB_SDA21 109 /* 16 bit offset in SDA */ #define R_PPC_EMB_MRKREF 110 #define R_PPC_EMB_RELSEC16 111 #define R_PPC_EMB_RELST_LO 112 #define R_PPC_EMB_RELST_HI 113 #define R_PPC_EMB_RELST_HA 114 #define R_PPC_EMB_BIT_FLD 115 #define R_PPC_EMB_RELSDA 116 /* 16 bit relative offset in SDA */ /* Diab tool relocations. */ #define R_PPC_DIAB_SDA21_LO 180 /* like EMB_SDA21, but lower 16 bit */ #define R_PPC_DIAB_SDA21_HI 181 /* like EMB_SDA21, but high 16 bit */ #define R_PPC_DIAB_SDA21_HA 182 /* like EMB_SDA21, adjusted high 16 */ #define R_PPC_DIAB_RELSDA_LO 183 /* like EMB_RELSDA, but lower 16 bit */ #define R_PPC_DIAB_RELSDA_HI 184 /* like EMB_RELSDA, but high 16 bit */ #define R_PPC_DIAB_RELSDA_HA 185 /* like EMB_RELSDA, adjusted high 16 */ /* GNU extension to support local ifunc. */ #define R_PPC_IRELATIVE 248 /* GNU relocs used in PIC code sequences. */ #define R_PPC_REL16 249 /* half16 (sym+add-.) */ #define R_PPC_REL16_LO 250 /* half16 (sym+add-.)@l */ #define R_PPC_REL16_HI 251 /* half16 (sym+add-.)@h */ #define R_PPC_REL16_HA 252 /* half16 (sym+add-.)@ha */ /* This is a phony reloc to handle any old fashioned TOC16 references that may still be in object files. */ #define R_PPC_TOC16 255 /* PowerPC specific values for the Dyn d_tag field. 
*/ #define DT_PPC_GOT (DT_LOPROC + 0) #define DT_PPC_NUM 1 /* PowerPC64 relocations defined by the ABIs */ #define R_PPC64_NONE R_PPC_NONE #define R_PPC64_ADDR32 R_PPC_ADDR32 /* 32bit absolute address */ #define R_PPC64_ADDR24 R_PPC_ADDR24 /* 26bit address, word aligned */ #define R_PPC64_ADDR16 R_PPC_ADDR16 /* 16bit absolute address */ #define R_PPC64_ADDR16_LO R_PPC_ADDR16_LO /* lower 16bits of address */ #define R_PPC64_ADDR16_HI R_PPC_ADDR16_HI /* high 16bits of address. */ #define R_PPC64_ADDR16_HA R_PPC_ADDR16_HA /* adjusted high 16bits. */ #define R_PPC64_ADDR14 R_PPC_ADDR14 /* 16bit address, word aligned */ #define R_PPC64_ADDR14_BRTAKEN R_PPC_ADDR14_BRTAKEN #define R_PPC64_ADDR14_BRNTAKEN R_PPC_ADDR14_BRNTAKEN #define R_PPC64_REL24 R_PPC_REL24 /* PC-rel. 26 bit, word aligned */ #define R_PPC64_REL14 R_PPC_REL14 /* PC relative 16 bit */ #define R_PPC64_REL14_BRTAKEN R_PPC_REL14_BRTAKEN #define R_PPC64_REL14_BRNTAKEN R_PPC_REL14_BRNTAKEN #define R_PPC64_GOT16 R_PPC_GOT16 #define R_PPC64_GOT16_LO R_PPC_GOT16_LO #define R_PPC64_GOT16_HI R_PPC_GOT16_HI #define R_PPC64_GOT16_HA R_PPC_GOT16_HA #define R_PPC64_COPY R_PPC_COPY #define R_PPC64_GLOB_DAT R_PPC_GLOB_DAT #define R_PPC64_JMP_SLOT R_PPC_JMP_SLOT #define R_PPC64_RELATIVE R_PPC_RELATIVE #define R_PPC64_UADDR32 R_PPC_UADDR32 #define R_PPC64_UADDR16 R_PPC_UADDR16 #define R_PPC64_REL32 R_PPC_REL32 #define R_PPC64_PLT32 R_PPC_PLT32 #define R_PPC64_PLTREL32 R_PPC_PLTREL32 #define R_PPC64_PLT16_LO R_PPC_PLT16_LO #define R_PPC64_PLT16_HI R_PPC_PLT16_HI #define R_PPC64_PLT16_HA R_PPC_PLT16_HA #define R_PPC64_SECTOFF R_PPC_SECTOFF #define R_PPC64_SECTOFF_LO R_PPC_SECTOFF_LO #define R_PPC64_SECTOFF_HI R_PPC_SECTOFF_HI #define R_PPC64_SECTOFF_HA R_PPC_SECTOFF_HA #define R_PPC64_ADDR30 37 /* word30 (S + A - P) >> 2 */ #define R_PPC64_ADDR64 38 /* doubleword64 S + A */ #define R_PPC64_ADDR16_HIGHER 39 /* half16 #higher(S + A) */ #define R_PPC64_ADDR16_HIGHERA 40 /* half16 #highera(S + A) */ #define 
R_PPC64_ADDR16_HIGHEST 41 /* half16 #highest(S + A) */ #define R_PPC64_ADDR16_HIGHESTA 42 /* half16 #highesta(S + A) */ #define R_PPC64_UADDR64 43 /* doubleword64 S + A */ #define R_PPC64_REL64 44 /* doubleword64 S + A - P */ #define R_PPC64_PLT64 45 /* doubleword64 L + A */ #define R_PPC64_PLTREL64 46 /* doubleword64 L + A - P */ #define R_PPC64_TOC16 47 /* half16* S + A - .TOC */ #define R_PPC64_TOC16_LO 48 /* half16 #lo(S + A - .TOC.) */ #define R_PPC64_TOC16_HI 49 /* half16 #hi(S + A - .TOC.) */ #define R_PPC64_TOC16_HA 50 /* half16 #ha(S + A - .TOC.) */ #define R_PPC64_TOC 51 /* doubleword64 .TOC */ #define R_PPC64_PLTGOT16 52 /* half16* M + A */ #define R_PPC64_PLTGOT16_LO 53 /* half16 #lo(M + A) */ #define R_PPC64_PLTGOT16_HI 54 /* half16 #hi(M + A) */ #define R_PPC64_PLTGOT16_HA 55 /* half16 #ha(M + A) */ #define R_PPC64_ADDR16_DS 56 /* half16ds* (S + A) >> 2 */ #define R_PPC64_ADDR16_LO_DS 57 /* half16ds #lo(S + A) >> 2 */ #define R_PPC64_GOT16_DS 58 /* half16ds* (G + A) >> 2 */ #define R_PPC64_GOT16_LO_DS 59 /* half16ds #lo(G + A) >> 2 */ #define R_PPC64_PLT16_LO_DS 60 /* half16ds #lo(L + A) >> 2 */ #define R_PPC64_SECTOFF_DS 61 /* half16ds* (R + A) >> 2 */ #define R_PPC64_SECTOFF_LO_DS 62 /* half16ds #lo(R + A) >> 2 */ #define R_PPC64_TOC16_DS 63 /* half16ds* (S + A - .TOC.) >> 2 */ #define R_PPC64_TOC16_LO_DS 64 /* half16ds #lo(S + A - .TOC.) >> 2 */ #define R_PPC64_PLTGOT16_DS 65 /* half16ds* (M + A) >> 2 */ #define R_PPC64_PLTGOT16_LO_DS 66 /* half16ds #lo(M + A) >> 2 */ /* PowerPC64 relocations defined for the TLS access ABI. 
*/ #define R_PPC64_TLS 67 /* none (sym+add)@tls */ #define R_PPC64_DTPMOD64 68 /* doubleword64 (sym+add)@dtpmod */ #define R_PPC64_TPREL16 69 /* half16* (sym+add)@tprel */ #define R_PPC64_TPREL16_LO 70 /* half16 (sym+add)@tprel@l */ #define R_PPC64_TPREL16_HI 71 /* half16 (sym+add)@tprel@h */ #define R_PPC64_TPREL16_HA 72 /* half16 (sym+add)@tprel@ha */ #define R_PPC64_TPREL64 73 /* doubleword64 (sym+add)@tprel */ #define R_PPC64_DTPREL16 74 /* half16* (sym+add)@dtprel */ #define R_PPC64_DTPREL16_LO 75 /* half16 (sym+add)@dtprel@l */ #define R_PPC64_DTPREL16_HI 76 /* half16 (sym+add)@dtprel@h */ #define R_PPC64_DTPREL16_HA 77 /* half16 (sym+add)@dtprel@ha */ #define R_PPC64_DTPREL64 78 /* doubleword64 (sym+add)@dtprel */ #define R_PPC64_GOT_TLSGD16 79 /* half16* (sym+add)@got@tlsgd */ #define R_PPC64_GOT_TLSGD16_LO 80 /* half16 (sym+add)@got@tlsgd@l */ #define R_PPC64_GOT_TLSGD16_HI 81 /* half16 (sym+add)@got@tlsgd@h */ #define R_PPC64_GOT_TLSGD16_HA 82 /* half16 (sym+add)@got@tlsgd@ha */ #define R_PPC64_GOT_TLSLD16 83 /* half16* (sym+add)@got@tlsld */ #define R_PPC64_GOT_TLSLD16_LO 84 /* half16 (sym+add)@got@tlsld@l */ #define R_PPC64_GOT_TLSLD16_HI 85 /* half16 (sym+add)@got@tlsld@h */ #define R_PPC64_GOT_TLSLD16_HA 86 /* half16 (sym+add)@got@tlsld@ha */ #define R_PPC64_GOT_TPREL16_DS 87 /* half16ds* (sym+add)@got@tprel */ #define R_PPC64_GOT_TPREL16_LO_DS 88 /* half16ds (sym+add)@got@tprel@l */ #define R_PPC64_GOT_TPREL16_HI 89 /* half16 (sym+add)@got@tprel@h */ #define R_PPC64_GOT_TPREL16_HA 90 /* half16 (sym+add)@got@tprel@ha */ #define R_PPC64_GOT_DTPREL16_DS 91 /* half16ds* (sym+add)@got@dtprel */ #define R_PPC64_GOT_DTPREL16_LO_DS 92 /* half16ds (sym+add)@got@dtprel@l */ #define R_PPC64_GOT_DTPREL16_HI 93 /* half16 (sym+add)@got@dtprel@h */ #define R_PPC64_GOT_DTPREL16_HA 94 /* half16 (sym+add)@got@dtprel@ha */ #define R_PPC64_TPREL16_DS 95 /* half16ds* (sym+add)@tprel */ #define R_PPC64_TPREL16_LO_DS 96 /* half16ds (sym+add)@tprel@l */ #define 
R_PPC64_TPREL16_HIGHER 97 /* half16 (sym+add)@tprel@higher */ #define R_PPC64_TPREL16_HIGHERA 98 /* half16 (sym+add)@tprel@highera */ #define R_PPC64_TPREL16_HIGHEST 99 /* half16 (sym+add)@tprel@highest */ #define R_PPC64_TPREL16_HIGHESTA 100 /* half16 (sym+add)@tprel@highesta */ #define R_PPC64_DTPREL16_DS 101 /* half16ds* (sym+add)@dtprel */ #define R_PPC64_DTPREL16_LO_DS 102 /* half16ds (sym+add)@dtprel@l */ #define R_PPC64_DTPREL16_HIGHER 103 /* half16 (sym+add)@dtprel@higher */ #define R_PPC64_DTPREL16_HIGHERA 104 /* half16 (sym+add)@dtprel@highera */ #define R_PPC64_DTPREL16_HIGHEST 105 /* half16 (sym+add)@dtprel@highest */ #define R_PPC64_DTPREL16_HIGHESTA 106 /* half16 (sym+add)@dtprel@highesta */ /* GNU extension to support local ifunc. */ #define R_PPC64_JMP_IREL 247 #define R_PPC64_IRELATIVE 248 #define R_PPC64_REL16 249 /* half16 (sym+add-.) */ #define R_PPC64_REL16_LO 250 /* half16 (sym+add-.)@l */ #define R_PPC64_REL16_HI 251 /* half16 (sym+add-.)@h */ #define R_PPC64_REL16_HA 252 /* half16 (sym+add-.)@ha */ /* PowerPC64 specific values for the Dyn d_tag field. */ #define DT_PPC64_GLINK (DT_LOPROC + 0) #define DT_PPC64_OPD (DT_LOPROC + 1) #define DT_PPC64_OPDSZ (DT_LOPROC + 2) #define DT_PPC64_NUM 3 /* ARM specific declarations */ /* Processor specific flags for the ELF header e_flags field. */ #define EF_ARM_RELEXEC 0x01 #define EF_ARM_HASENTRY 0x02 #define EF_ARM_INTERWORK 0x04 #define EF_ARM_APCS_26 0x08 #define EF_ARM_APCS_FLOAT 0x10 #define EF_ARM_PIC 0x20 #define EF_ARM_ALIGN8 0x40 /* 8-bit structure alignment is in use */ #define EF_ARM_NEW_ABI 0x80 #define EF_ARM_OLD_ABI 0x100 #define EF_ARM_SOFT_FLOAT 0x200 #define EF_ARM_VFP_FLOAT 0x400 #define EF_ARM_MAVERICK_FLOAT 0x800 /* Other constants defined in the ARM ELF spec. version B-01. */ /* NB. These conflict with values defined above. 
*/ #define EF_ARM_SYMSARESORTED 0x04 #define EF_ARM_DYNSYMSUSESEGIDX 0x08 #define EF_ARM_MAPSYMSFIRST 0x10 #define EF_ARM_EABIMASK 0XFF000000 /* Constants defined in AAELF. */ #define EF_ARM_BE8 0x00800000 #define EF_ARM_LE8 0x00400000 #define EF_ARM_EABI_VERSION(flags) ((flags) & EF_ARM_EABIMASK) #define EF_ARM_EABI_UNKNOWN 0x00000000 #define EF_ARM_EABI_VER1 0x01000000 #define EF_ARM_EABI_VER2 0x02000000 #define EF_ARM_EABI_VER3 0x03000000 #define EF_ARM_EABI_VER4 0x04000000 #define EF_ARM_EABI_VER5 0x05000000 /* Additional symbol types for Thumb. */ #define STT_ARM_TFUNC STT_LOPROC /* A Thumb function. */ #define STT_ARM_16BIT STT_HIPROC /* A Thumb label. */ /* ARM-specific values for sh_flags */ #define SHF_ARM_ENTRYSECT 0x10000000 /* Section contains an entry point */ #define SHF_ARM_COMDEF 0x80000000 /* Section may be multiply defined in the input to a link step. */ /* ARM-specific program header flags */ #define PF_ARM_SB 0x10000000 /* Segment contains the location addressed by the static base. */ #define PF_ARM_PI 0x20000000 /* Position-independent segment. */ #define PF_ARM_ABS 0x40000000 /* Absolute segment. */ /* Processor specific values for the Phdr p_type field. */ #define PT_ARM_EXIDX (PT_LOPROC + 1) /* ARM unwind segment. */ /* Processor specific values for the Shdr sh_type field. */ #define SHT_ARM_EXIDX (SHT_LOPROC + 1) /* ARM unwind section. */ #define SHT_ARM_PREEMPTMAP (SHT_LOPROC + 2) /* Preemption details. */ #define SHT_ARM_ATTRIBUTES (SHT_LOPROC + 3) /* ARM attributes section. */ /* ARM relocs. 
*/ #define R_ARM_NONE 0 /* No reloc */ #define R_ARM_PC24 1 /* PC relative 26 bit branch */ #define R_ARM_ABS32 2 /* Direct 32 bit */ #define R_ARM_REL32 3 /* PC relative 32 bit */ #define R_ARM_PC13 4 #define R_ARM_ABS16 5 /* Direct 16 bit */ #define R_ARM_ABS12 6 /* Direct 12 bit */ #define R_ARM_THM_ABS5 7 #define R_ARM_ABS8 8 /* Direct 8 bit */ #define R_ARM_SBREL32 9 #define R_ARM_THM_PC22 10 #define R_ARM_THM_PC8 11 #define R_ARM_AMP_VCALL9 12 #define R_ARM_SWI24 13 #define R_ARM_THM_SWI8 14 #define R_ARM_XPC25 15 #define R_ARM_THM_XPC22 16 #define R_ARM_TLS_DTPMOD32 17 /* ID of module containing symbol */ #define R_ARM_TLS_DTPOFF32 18 /* Offset in TLS block */ #define R_ARM_TLS_TPOFF32 19 /* Offset in static TLS block */ #define R_ARM_COPY 20 /* Copy symbol at runtime */ #define R_ARM_GLOB_DAT 21 /* Create GOT entry */ #define R_ARM_JUMP_SLOT 22 /* Create PLT entry */ #define R_ARM_RELATIVE 23 /* Adjust by program base */ #define R_ARM_GOTOFF 24 /* 32 bit offset to GOT */ #define R_ARM_GOTPC 25 /* 32 bit PC relative offset to GOT */ #define R_ARM_GOT32 26 /* 32 bit GOT entry */ #define R_ARM_PLT32 27 /* 32 bit PLT address */ #define R_ARM_ALU_PCREL_7_0 32 #define R_ARM_ALU_PCREL_15_8 33 #define R_ARM_ALU_PCREL_23_15 34 #define R_ARM_LDR_SBREL_11_0 35 #define R_ARM_ALU_SBREL_19_12 36 #define R_ARM_ALU_SBREL_27_20 37 #define R_ARM_GNU_VTENTRY 100 #define R_ARM_GNU_VTINHERIT 101 #define R_ARM_THM_PC11 102 /* thumb unconditional branch */ #define R_ARM_THM_PC9 103 /* thumb conditional branch */ #define R_ARM_TLS_GD32 104 /* PC-rel 32 bit for global dynamic thread local data */ #define R_ARM_TLS_LDM32 105 /* PC-rel 32 bit for local dynamic thread local data */ #define R_ARM_TLS_LDO32 106 /* 32 bit offset relative to TLS block */ #define R_ARM_TLS_IE32 107 /* PC-rel 32 bit for GOT entry of static TLS block offset */ #define R_ARM_TLS_LE32 108 /* 32 bit offset relative to static TLS block */ #define R_ARM_RXPC25 249 #define R_ARM_RSBREL32 250 #define 
R_ARM_THM_RPC22 251 #define R_ARM_RREL32 252 #define R_ARM_RABS22 253 #define R_ARM_RPC24 254 #define R_ARM_RBASE 255 /* Keep this the last entry. */ #define R_ARM_NUM 256 /* IA-64 specific declarations. */ /* Processor specific flags for the Ehdr e_flags field. */ #define EF_IA_64_MASKOS 0x0000000f /* os-specific flags */ #define EF_IA_64_ABI64 0x00000010 /* 64-bit ABI */ #define EF_IA_64_ARCH 0xff000000 /* arch. version mask */ /* Processor specific values for the Phdr p_type field. */ #define PT_IA_64_ARCHEXT (PT_LOPROC + 0) /* arch extension bits */ #define PT_IA_64_UNWIND (PT_LOPROC + 1) /* ia64 unwind bits */ #define PT_IA_64_HP_OPT_ANOT (PT_LOOS + 0x12) #define PT_IA_64_HP_HSL_ANOT (PT_LOOS + 0x13) #define PT_IA_64_HP_STACK (PT_LOOS + 0x14) /* Processor specific flags for the Phdr p_flags field. */ #define PF_IA_64_NORECOV 0x80000000 /* spec insns w/o recovery */ /* Processor specific values for the Shdr sh_type field. */ #define SHT_IA_64_EXT (SHT_LOPROC + 0) /* extension bits */ #define SHT_IA_64_UNWIND (SHT_LOPROC + 1) /* unwind bits */ /* Processor specific flags for the Shdr sh_flags field. */ #define SHF_IA_64_SHORT 0x10000000 /* section near gp */ #define SHF_IA_64_NORECOV 0x20000000 /* spec insns w/o recovery */ /* Processor specific values for the Dyn d_tag field. */ #define DT_IA_64_PLT_RESERVE (DT_LOPROC + 0) #define DT_IA_64_NUM 1 /* IA-64 relocations. 
*/ #define R_IA64_NONE 0x00 /* none */ #define R_IA64_IMM14 0x21 /* symbol + addend, add imm14 */ #define R_IA64_IMM22 0x22 /* symbol + addend, add imm22 */ #define R_IA64_IMM64 0x23 /* symbol + addend, mov imm64 */ #define R_IA64_DIR32MSB 0x24 /* symbol + addend, data4 MSB */ #define R_IA64_DIR32LSB 0x25 /* symbol + addend, data4 LSB */ #define R_IA64_DIR64MSB 0x26 /* symbol + addend, data8 MSB */ #define R_IA64_DIR64LSB 0x27 /* symbol + addend, data8 LSB */ #define R_IA64_GPREL22 0x2a /* @gprel(sym + add), add imm22 */ #define R_IA64_GPREL64I 0x2b /* @gprel(sym + add), mov imm64 */ #define R_IA64_GPREL32MSB 0x2c /* @gprel(sym + add), data4 MSB */ #define R_IA64_GPREL32LSB 0x2d /* @gprel(sym + add), data4 LSB */ #define R_IA64_GPREL64MSB 0x2e /* @gprel(sym + add), data8 MSB */ #define R_IA64_GPREL64LSB 0x2f /* @gprel(sym + add), data8 LSB */ #define R_IA64_LTOFF22 0x32 /* @ltoff(sym + add), add imm22 */ #define R_IA64_LTOFF64I 0x33 /* @ltoff(sym + add), mov imm64 */ #define R_IA64_PLTOFF22 0x3a /* @pltoff(sym + add), add imm22 */ #define R_IA64_PLTOFF64I 0x3b /* @pltoff(sym + add), mov imm64 */ #define R_IA64_PLTOFF64MSB 0x3e /* @pltoff(sym + add), data8 MSB */ #define R_IA64_PLTOFF64LSB 0x3f /* @pltoff(sym + add), data8 LSB */ #define R_IA64_FPTR64I 0x43 /* @fptr(sym + add), mov imm64 */ #define R_IA64_FPTR32MSB 0x44 /* @fptr(sym + add), data4 MSB */ #define R_IA64_FPTR32LSB 0x45 /* @fptr(sym + add), data4 LSB */ #define R_IA64_FPTR64MSB 0x46 /* @fptr(sym + add), data8 MSB */ #define R_IA64_FPTR64LSB 0x47 /* @fptr(sym + add), data8 LSB */ #define R_IA64_PCREL60B 0x48 /* @pcrel(sym + add), brl */ #define R_IA64_PCREL21B 0x49 /* @pcrel(sym + add), ptb, call */ #define R_IA64_PCREL21M 0x4a /* @pcrel(sym + add), chk.s */ #define R_IA64_PCREL21F 0x4b /* @pcrel(sym + add), fchkf */ #define R_IA64_PCREL32MSB 0x4c /* @pcrel(sym + add), data4 MSB */ #define R_IA64_PCREL32LSB 0x4d /* @pcrel(sym + add), data4 LSB */ #define R_IA64_PCREL64MSB 0x4e /* @pcrel(sym + add), data8 
MSB */ #define R_IA64_PCREL64LSB 0x4f /* @pcrel(sym + add), data8 LSB */ #define R_IA64_LTOFF_FPTR22 0x52 /* @ltoff(@fptr(s+a)), imm22 */ #define R_IA64_LTOFF_FPTR64I 0x53 /* @ltoff(@fptr(s+a)), imm64 */ #define R_IA64_LTOFF_FPTR32MSB 0x54 /* @ltoff(@fptr(s+a)), data4 MSB */ #define R_IA64_LTOFF_FPTR32LSB 0x55 /* @ltoff(@fptr(s+a)), data4 LSB */ #define R_IA64_LTOFF_FPTR64MSB 0x56 /* @ltoff(@fptr(s+a)), data8 MSB */ #define R_IA64_LTOFF_FPTR64LSB 0x57 /* @ltoff(@fptr(s+a)), data8 LSB */ #define R_IA64_SEGREL32MSB 0x5c /* @segrel(sym + add), data4 MSB */ #define R_IA64_SEGREL32LSB 0x5d /* @segrel(sym + add), data4 LSB */ #define R_IA64_SEGREL64MSB 0x5e /* @segrel(sym + add), data8 MSB */ #define R_IA64_SEGREL64LSB 0x5f /* @segrel(sym + add), data8 LSB */ #define R_IA64_SECREL32MSB 0x64 /* @secrel(sym + add), data4 MSB */ #define R_IA64_SECREL32LSB 0x65 /* @secrel(sym + add), data4 LSB */ #define R_IA64_SECREL64MSB 0x66 /* @secrel(sym + add), data8 MSB */ #define R_IA64_SECREL64LSB 0x67 /* @secrel(sym + add), data8 LSB */ #define R_IA64_REL32MSB 0x6c /* data 4 + REL */ #define R_IA64_REL32LSB 0x6d /* data 4 + REL */ #define R_IA64_REL64MSB 0x6e /* data 8 + REL */ #define R_IA64_REL64LSB 0x6f /* data 8 + REL */ #define R_IA64_LTV32MSB 0x74 /* symbol + addend, data4 MSB */ #define R_IA64_LTV32LSB 0x75 /* symbol + addend, data4 LSB */ #define R_IA64_LTV64MSB 0x76 /* symbol + addend, data8 MSB */ #define R_IA64_LTV64LSB 0x77 /* symbol + addend, data8 LSB */ #define R_IA64_PCREL21BI 0x79 /* @pcrel(sym + add), 21bit inst */ #define R_IA64_PCREL22 0x7a /* @pcrel(sym + add), 22bit inst */ #define R_IA64_PCREL64I 0x7b /* @pcrel(sym + add), 64bit inst */ #define R_IA64_IPLTMSB 0x80 /* dynamic reloc, imported PLT, MSB */ #define R_IA64_IPLTLSB 0x81 /* dynamic reloc, imported PLT, LSB */ #define R_IA64_COPY 0x84 /* copy relocation */ #define R_IA64_SUB 0x85 /* Addend and symbol difference */ #define R_IA64_LTOFF22X 0x86 /* LTOFF22, relaxable. 
*/ #define R_IA64_LDXMOV 0x87 /* Use of LTOFF22X. */ #define R_IA64_TPREL14 0x91 /* @tprel(sym + add), imm14 */ #define R_IA64_TPREL22 0x92 /* @tprel(sym + add), imm22 */ #define R_IA64_TPREL64I 0x93 /* @tprel(sym + add), imm64 */ #define R_IA64_TPREL64MSB 0x96 /* @tprel(sym + add), data8 MSB */ #define R_IA64_TPREL64LSB 0x97 /* @tprel(sym + add), data8 LSB */ #define R_IA64_LTOFF_TPREL22 0x9a /* @ltoff(@tprel(s+a)), imm2 */ #define R_IA64_DTPMOD64MSB 0xa6 /* @dtpmod(sym + add), data8 MSB */ #define R_IA64_DTPMOD64LSB 0xa7 /* @dtpmod(sym + add), data8 LSB */ #define R_IA64_LTOFF_DTPMOD22 0xaa /* @ltoff(@dtpmod(sym + add)), imm22 */ #define R_IA64_DTPREL14 0xb1 /* @dtprel(sym + add), imm14 */ #define R_IA64_DTPREL22 0xb2 /* @dtprel(sym + add), imm22 */ #define R_IA64_DTPREL64I 0xb3 /* @dtprel(sym + add), imm64 */ #define R_IA64_DTPREL32MSB 0xb4 /* @dtprel(sym + add), data4 MSB */ #define R_IA64_DTPREL32LSB 0xb5 /* @dtprel(sym + add), data4 LSB */ #define R_IA64_DTPREL64MSB 0xb6 /* @dtprel(sym + add), data8 MSB */ #define R_IA64_DTPREL64LSB 0xb7 /* @dtprel(sym + add), data8 LSB */ #define R_IA64_LTOFF_DTPREL22 0xba /* @ltoff(@dtprel(s+a)), imm22 */ /* SH specific declarations */ /* Processor specific flags for the ELF header e_flags field. */ #define EF_SH_MACH_MASK 0x1f #define EF_SH_UNKNOWN 0x0 #define EF_SH1 0x1 #define EF_SH2 0x2 #define EF_SH3 0x3 #define EF_SH_DSP 0x4 #define EF_SH3_DSP 0x5 #define EF_SH4AL_DSP 0x6 #define EF_SH3E 0x8 #define EF_SH4 0x9 #define EF_SH2E 0xb #define EF_SH4A 0xc #define EF_SH2A 0xd #define EF_SH4_NOFPU 0x10 #define EF_SH4A_NOFPU 0x11 #define EF_SH4_NOMMU_NOFPU 0x12 #define EF_SH2A_NOFPU 0x13 #define EF_SH3_NOMMU 0x14 #define EF_SH2A_SH4_NOFPU 0x15 #define EF_SH2A_SH3_NOFPU 0x16 #define EF_SH2A_SH4 0x17 #define EF_SH2A_SH3E 0x18 /* SH relocs. 
*/ #define R_SH_NONE 0 #define R_SH_DIR32 1 #define R_SH_REL32 2 #define R_SH_DIR8WPN 3 #define R_SH_IND12W 4 #define R_SH_DIR8WPL 5 #define R_SH_DIR8WPZ 6 #define R_SH_DIR8BP 7 #define R_SH_DIR8W 8 #define R_SH_DIR8L 9 #define R_SH_SWITCH16 25 #define R_SH_SWITCH32 26 #define R_SH_USES 27 #define R_SH_COUNT 28 #define R_SH_ALIGN 29 #define R_SH_CODE 30 #define R_SH_DATA 31 #define R_SH_LABEL 32 #define R_SH_SWITCH8 33 #define R_SH_GNU_VTINHERIT 34 #define R_SH_GNU_VTENTRY 35 #define R_SH_TLS_GD_32 144 #define R_SH_TLS_LD_32 145 #define R_SH_TLS_LDO_32 146 #define R_SH_TLS_IE_32 147 #define R_SH_TLS_LE_32 148 #define R_SH_TLS_DTPMOD32 149 #define R_SH_TLS_DTPOFF32 150 #define R_SH_TLS_TPOFF32 151 #define R_SH_GOT32 160 #define R_SH_PLT32 161 #define R_SH_COPY 162 #define R_SH_GLOB_DAT 163 #define R_SH_JMP_SLOT 164 #define R_SH_RELATIVE 165 #define R_SH_GOTOFF 166 #define R_SH_GOTPC 167 /* Keep this the last entry. */ #define R_SH_NUM 256 /* S/390 specific definitions. */ /* Valid values for the e_flags field. */ #define EF_S390_HIGH_GPRS 0x00000001 /* High GPRs kernel facility needed. */ /* Additional s390 relocs */ #define R_390_NONE 0 /* No reloc. */ #define R_390_8 1 /* Direct 8 bit. */ #define R_390_12 2 /* Direct 12 bit. */ #define R_390_16 3 /* Direct 16 bit. */ #define R_390_32 4 /* Direct 32 bit. */ #define R_390_PC32 5 /* PC relative 32 bit. */ #define R_390_GOT12 6 /* 12 bit GOT offset. */ #define R_390_GOT32 7 /* 32 bit GOT offset. */ #define R_390_PLT32 8 /* 32 bit PC relative PLT address. */ #define R_390_COPY 9 /* Copy symbol at runtime. */ #define R_390_GLOB_DAT 10 /* Create GOT entry. */ #define R_390_JMP_SLOT 11 /* Create PLT entry. */ #define R_390_RELATIVE 12 /* Adjust by program base. */ #define R_390_GOTOFF32 13 /* 32 bit offset to GOT. */ #define R_390_GOTPC 14 /* 32 bit PC relative offset to GOT. */ #define R_390_GOT16 15 /* 16 bit GOT offset. */ #define R_390_PC16 16 /* PC relative 16 bit. 
*/ #define R_390_PC16DBL 17 /* PC relative 16 bit shifted by 1. */ #define R_390_PLT16DBL 18 /* 16 bit PC rel. PLT shifted by 1. */ #define R_390_PC32DBL 19 /* PC relative 32 bit shifted by 1. */ #define R_390_PLT32DBL 20 /* 32 bit PC rel. PLT shifted by 1. */ #define R_390_GOTPCDBL 21 /* 32 bit PC rel. GOT shifted by 1. */ #define R_390_64 22 /* Direct 64 bit. */ #define R_390_PC64 23 /* PC relative 64 bit. */ #define R_390_GOT64 24 /* 64 bit GOT offset. */ #define R_390_PLT64 25 /* 64 bit PC relative PLT address. */ #define R_390_GOTENT 26 /* 32 bit PC rel. to GOT entry >> 1. */ #define R_390_GOTOFF16 27 /* 16 bit offset to GOT. */ #define R_390_GOTOFF64 28 /* 64 bit offset to GOT. */ #define R_390_GOTPLT12 29 /* 12 bit offset to jump slot. */ #define R_390_GOTPLT16 30 /* 16 bit offset to jump slot. */ #define R_390_GOTPLT32 31 /* 32 bit offset to jump slot. */ #define R_390_GOTPLT64 32 /* 64 bit offset to jump slot. */ #define R_390_GOTPLTENT 33 /* 32 bit rel. offset to jump slot. */ #define R_390_PLTOFF16 34 /* 16 bit offset from GOT to PLT. */ #define R_390_PLTOFF32 35 /* 32 bit offset from GOT to PLT. */ #define R_390_PLTOFF64 36 /* 16 bit offset from GOT to PLT. */ #define R_390_TLS_LOAD 37 /* Tag for load insn in TLS code. */ #define R_390_TLS_GDCALL 38 /* Tag for function call in general dynamic TLS code. */ #define R_390_TLS_LDCALL 39 /* Tag for function call in local dynamic TLS code. */ #define R_390_TLS_GD32 40 /* Direct 32 bit for general dynamic thread local data. */ #define R_390_TLS_GD64 41 /* Direct 64 bit for general dynamic thread local data. */ #define R_390_TLS_GOTIE12 42 /* 12 bit GOT offset for static TLS block offset. */ #define R_390_TLS_GOTIE32 43 /* 32 bit GOT offset for static TLS block offset. */ #define R_390_TLS_GOTIE64 44 /* 64 bit GOT offset for static TLS block offset. */ #define R_390_TLS_LDM32 45 /* Direct 32 bit for local dynamic thread local data in LE code. 
*/ #define R_390_TLS_LDM64 46 /* Direct 64 bit for local dynamic thread local data in LE code. */ #define R_390_TLS_IE32 47 /* 32 bit address of GOT entry for negated static TLS block offset. */ #define R_390_TLS_IE64 48 /* 64 bit address of GOT entry for negated static TLS block offset. */ #define R_390_TLS_IEENT 49 /* 32 bit rel. offset to GOT entry for negated static TLS block offset. */ #define R_390_TLS_LE32 50 /* 32 bit negated offset relative to static TLS block. */ #define R_390_TLS_LE64 51 /* 64 bit negated offset relative to static TLS block. */ #define R_390_TLS_LDO32 52 /* 32 bit offset relative to TLS block. */ #define R_390_TLS_LDO64 53 /* 64 bit offset relative to TLS block. */ #define R_390_TLS_DTPMOD 54 /* ID of module containing symbol. */ #define R_390_TLS_DTPOFF 55 /* Offset in TLS block. */ #define R_390_TLS_TPOFF 56 /* Negated offset in static TLS block. */ #define R_390_20 57 /* Direct 20 bit. */ #define R_390_GOT20 58 /* 20 bit GOT offset. */ #define R_390_GOTPLT20 59 /* 20 bit offset to jump slot. */ #define R_390_TLS_GOTIE20 60 /* 20 bit GOT offset for static TLS block offset. */ /* Keep this the last entry. */ #define R_390_NUM 61 /* CRIS relocations. */ #define R_CRIS_NONE 0 #define R_CRIS_8 1 #define R_CRIS_16 2 #define R_CRIS_32 3 #define R_CRIS_8_PCREL 4 #define R_CRIS_16_PCREL 5 #define R_CRIS_32_PCREL 6 #define R_CRIS_GNU_VTINHERIT 7 #define R_CRIS_GNU_VTENTRY 8 #define R_CRIS_COPY 9 #define R_CRIS_GLOB_DAT 10 #define R_CRIS_JUMP_SLOT 11 #define R_CRIS_RELATIVE 12 #define R_CRIS_16_GOT 13 #define R_CRIS_32_GOT 14 #define R_CRIS_16_GOTPLT 15 #define R_CRIS_32_GOTPLT 16 #define R_CRIS_32_GOTREL 17 #define R_CRIS_32_PLT_GOTREL 18 #define R_CRIS_32_PLT_PCREL 19 #define R_CRIS_NUM 20 /* AMD x86-64 relocations. 
*/ #define R_X86_64_NONE 0 /* No reloc */ #define R_X86_64_64 1 /* Direct 64 bit */ #define R_X86_64_PC32 2 /* PC relative 32 bit signed */ #define R_X86_64_GOT32 3 /* 32 bit GOT entry */ #define R_X86_64_PLT32 4 /* 32 bit PLT address */ #define R_X86_64_COPY 5 /* Copy symbol at runtime */ #define R_X86_64_GLOB_DAT 6 /* Create GOT entry */ #define R_X86_64_JUMP_SLOT 7 /* Create PLT entry */ #define R_X86_64_RELATIVE 8 /* Adjust by program base */ #define R_X86_64_GOTPCREL 9 /* 32 bit signed PC relative offset to GOT */ #define R_X86_64_32 10 /* Direct 32 bit zero extended */ #define R_X86_64_32S 11 /* Direct 32 bit sign extended */ #define R_X86_64_16 12 /* Direct 16 bit zero extended */ #define R_X86_64_PC16 13 /* 16 bit sign extended pc relative */ #define R_X86_64_8 14 /* Direct 8 bit sign extended */ #define R_X86_64_PC8 15 /* 8 bit sign extended pc relative */ #define R_X86_64_DTPMOD64 16 /* ID of module containing symbol */ #define R_X86_64_DTPOFF64 17 /* Offset in module's TLS block */ #define R_X86_64_TPOFF64 18 /* Offset in initial TLS block */ #define R_X86_64_TLSGD 19 /* 32 bit signed PC relative offset to two GOT entries for GD symbol */ #define R_X86_64_TLSLD 20 /* 32 bit signed PC relative offset to two GOT entries for LD symbol */ #define R_X86_64_DTPOFF32 21 /* Offset in TLS block */ #define R_X86_64_GOTTPOFF 22 /* 32 bit signed PC relative offset to GOT entry for IE symbol */ #define R_X86_64_TPOFF32 23 /* Offset in initial TLS block */ #define R_X86_64_PC64 24 /* PC relative 64 bit */ #define R_X86_64_GOTOFF64 25 /* 64 bit offset to GOT */ #define R_X86_64_GOTPC32 26 /* 32 bit signed pc relative offset to GOT */ #define R_X86_64_GOT64 27 /* 64-bit GOT entry offset */ #define R_X86_64_GOTPCREL64 28 /* 64-bit PC relative offset to GOT entry */ #define R_X86_64_GOTPC64 29 /* 64-bit PC relative offset to GOT */ #define R_X86_64_GOTPLT64 30 /* like GOT64, says PLT entry needed */ #define R_X86_64_PLTOFF64 31 /* 64-bit GOT relative offset to PLT entry 
*/ #define R_X86_64_SIZE32 32 /* Size of symbol plus 32-bit addend */ #define R_X86_64_SIZE64 33 /* Size of symbol plus 64-bit addend */ #define R_X86_64_GOTPC32_TLSDESC 34 /* GOT offset for TLS descriptor. */ #define R_X86_64_TLSDESC_CALL 35 /* Marker for call through TLS descriptor. */ #define R_X86_64_TLSDESC 36 /* TLS descriptor. */ #define R_X86_64_IRELATIVE 37 /* Adjust indirectly by program base */ #define R_X86_64_NUM 38 /* AM33 relocations. */ #define R_MN10300_NONE 0 /* No reloc. */ #define R_MN10300_32 1 /* Direct 32 bit. */ #define R_MN10300_16 2 /* Direct 16 bit. */ #define R_MN10300_8 3 /* Direct 8 bit. */ #define R_MN10300_PCREL32 4 /* PC-relative 32-bit. */ #define R_MN10300_PCREL16 5 /* PC-relative 16-bit signed. */ #define R_MN10300_PCREL8 6 /* PC-relative 8-bit signed. */ #define R_MN10300_GNU_VTINHERIT 7 /* Ancient C++ vtable garbage... */ #define R_MN10300_GNU_VTENTRY 8 /* ... collection annotation. */ #define R_MN10300_24 9 /* Direct 24 bit. */ #define R_MN10300_GOTPC32 10 /* 32-bit PCrel offset to GOT. */ #define R_MN10300_GOTPC16 11 /* 16-bit PCrel offset to GOT. */ #define R_MN10300_GOTOFF32 12 /* 32-bit offset from GOT. */ #define R_MN10300_GOTOFF24 13 /* 24-bit offset from GOT. */ #define R_MN10300_GOTOFF16 14 /* 16-bit offset from GOT. */ #define R_MN10300_PLT32 15 /* 32-bit PCrel to PLT entry. */ #define R_MN10300_PLT16 16 /* 16-bit PCrel to PLT entry. */ #define R_MN10300_GOT32 17 /* 32-bit offset to GOT entry. */ #define R_MN10300_GOT24 18 /* 24-bit offset to GOT entry. */ #define R_MN10300_GOT16 19 /* 16-bit offset to GOT entry. */ #define R_MN10300_COPY 20 /* Copy symbol at runtime. */ #define R_MN10300_GLOB_DAT 21 /* Create GOT entry. */ #define R_MN10300_JMP_SLOT 22 /* Create PLT entry. */ #define R_MN10300_RELATIVE 23 /* Adjust by program base. */ #define R_MN10300_NUM 24 /* M32R relocs. */ #define R_M32R_NONE 0 /* No reloc. */ #define R_M32R_16 1 /* Direct 16 bit. */ #define R_M32R_32 2 /* Direct 32 bit. 
*/ #define R_M32R_24 3 /* Direct 24 bit. */ #define R_M32R_10_PCREL 4 /* PC relative 10 bit shifted. */ #define R_M32R_18_PCREL 5 /* PC relative 18 bit shifted. */ #define R_M32R_26_PCREL 6 /* PC relative 26 bit shifted. */ #define R_M32R_HI16_ULO 7 /* High 16 bit with unsigned low. */ #define R_M32R_HI16_SLO 8 /* High 16 bit with signed low. */ #define R_M32R_LO16 9 /* Low 16 bit. */ #define R_M32R_SDA16 10 /* 16 bit offset in SDA. */ #define R_M32R_GNU_VTINHERIT 11 #define R_M32R_GNU_VTENTRY 12 /* M32R relocs use SHT_RELA. */ #define R_M32R_16_RELA 33 /* Direct 16 bit. */ #define R_M32R_32_RELA 34 /* Direct 32 bit. */ #define R_M32R_24_RELA 35 /* Direct 24 bit. */ #define R_M32R_10_PCREL_RELA 36 /* PC relative 10 bit shifted. */ #define R_M32R_18_PCREL_RELA 37 /* PC relative 18 bit shifted. */ #define R_M32R_26_PCREL_RELA 38 /* PC relative 26 bit shifted. */ #define R_M32R_HI16_ULO_RELA 39 /* High 16 bit with unsigned low */ #define R_M32R_HI16_SLO_RELA 40 /* High 16 bit with signed low */ #define R_M32R_LO16_RELA 41 /* Low 16 bit */ #define R_M32R_SDA16_RELA 42 /* 16 bit offset in SDA */ #define R_M32R_RELA_GNU_VTINHERIT 43 #define R_M32R_RELA_GNU_VTENTRY 44 #define R_M32R_REL32 45 /* PC relative 32 bit. 
*/ #define R_M32R_GOT24 48 /* 24 bit GOT entry */ #define R_M32R_26_PLTREL 49 /* 26 bit PC relative to PLT shifted */ #define R_M32R_COPY 50 /* Copy symbol at runtime */ #define R_M32R_GLOB_DAT 51 /* Create GOT entry */ #define R_M32R_JMP_SLOT 52 /* Create PLT entry */ #define R_M32R_RELATIVE 53 /* Adjust by program base */ #define R_M32R_GOTOFF 54 /* 24 bit offset to GOT */ #define R_M32R_GOTPC24 55 /* 24 bit PC relative offset to GOT */ #define R_M32R_GOT16_HI_ULO 56 /* High 16 bit GOT entry with unsigned low */ #define R_M32R_GOT16_HI_SLO 57 /* High 16 bit GOT entry with signed low */ #define R_M32R_GOT16_LO 58 /* Low 16 bit GOT entry */ #define R_M32R_GOTPC_HI_ULO 59 /* High 16 bit PC relative offset to GOT with unsigned low */ #define R_M32R_GOTPC_HI_SLO 60 /* High 16 bit PC relative offset to GOT with signed low */ #define R_M32R_GOTPC_LO 61 /* Low 16 bit PC relative offset to GOT */ #define R_M32R_GOTOFF_HI_ULO 62 /* High 16 bit offset to GOT with unsigned low */ #define R_M32R_GOTOFF_HI_SLO 63 /* High 16 bit offset to GOT with signed low */ #define R_M32R_GOTOFF_LO 64 /* Low 16 bit offset to GOT */ #define R_M32R_NUM 256 /* Keep this the last entry. */ __END_DECLS #endif /* elf.h */ volatility_2.6+git20170711.b3db0cc/tools/linux/kcore/getkcore.c0000644000000000000000000001716713131215405022522 0ustar rootroot/* Author: Andrew Case / andrew@dfir.org License: GPLv2 TOOLS PURPOSE: 64-bit Linux Physical Memory Acquistion from Userland NOT FOR PUBLIC RELEASE: This file is not to be distributed publicly until the release of the Art of Memory Forensics is published A cleaned up version of it will be released with the book's materials ACQUISTION ALGORITHM: This script relies on the static virtual mapping of all RAM kept by x64 Linux systems. This mapping is illustrated here: http://lxr.free-electrons.com/source/Documentation/x86/x86_64/mm.txt To reach these mappings we use the /proc/kcore file. 
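This file exposes all of physical memory (including hardware devices) as ELF sections of a core dump file.

To acquire memory, the script first parses /proc/iomem and determines ranges of "System RAM".
It then parses the sections of /proc/kcore and matches "System RAM" regions to those found in the kcore file.
This matching is possible by using the static offset (0xffff880000000000) of the virtual mapping of RAM.
See the _find_kcore_sections function for this algorithm

Each RAM region found is then written to a LiME formatted file so that it can be immediately analyzed with Volatility.
*/

#define _LARGEFILE64_SOURCE

/*
 * NOTE(review): the system header names were lost when this listing was
 * extracted (nine bare "#include" tokens remain). The list below is
 * reconstructed from the library calls this file makes - confirm against
 * the upstream file.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include "elf.h"
#include "getkcore.h"

/*
 * Virtual address at which this tool assumes the kernel maps physical
 * address 0. A /proc/kcore segment is accepted only when its p_vaddr equals
 * a "System RAM" start plus this value.
 *
 * NOTE(review): this base is fixed only on the kernels the tool was written
 * for. Kernels that randomize the direct map (CONFIG_RANDOMIZE_MEMORY) or
 * that document a different base will match no segment at all, which is why
 * create_memory_dump() reports an acquisition that wrote zero regions.
 */
#define KCORE_DIRECT_MAP_BASE 0xffff880000000000ULL

/* Upper bound on how many bytes of /proc/iomem are parsed. */
#define IOMEM_MAX_BYTES 1000000

static int debug = 0;

// how much data is read at once from /proc/kcore
static unsigned int chunk_size = 10000000;

// number of RAM regions copied to the output file so far
static unsigned long regions_written = 0;

/*
 * Print a printf-style diagnostic followed by a newline on stderr.
 * Does nothing unless the file-level `debug` flag is non-zero.
 */
void _debug_msg(const char *format,...)
{
    va_list va;

    if (!debug)
        return;

    va_start(va, format);
    vfprintf(stderr, format, va);
    va_end(va);

    /* keep the newline on the same stream as the message */
    fputc('\n', stderr);
}

/*
 * Print a printf-style error message followed by a newline on stderr and
 * terminate the process with exit status 1. Never returns.
 */
void _die(const char* format,...)
{
    va_list va;

    va_start(va, format);
    vfprintf(stderr, format, va);
    va_end(va);

    /* keep the newline on the same stream as the message */
    fputc('\n', stderr);

    exit(1);
}

/*
 * Abort unless the process runs with real uid 0 and /proc/kcore exists.
 */
void _do_startup_checks(void)
{
    if (getuid() != 0)
        _die("This program must be run as root");

    if (access("/proc/kcore", F_OK) == -1)
        _die("/proc/kcore does not exist");
}

/*
 * Write one LiME range header to out_fd.
 *
 *   phys_off  physical start address of the range
 *   size      length of the range in bytes (callers pass a non-zero value,
 *             the end address is stored inclusive as phys_off + size - 1)
 *
 * Dies if the header cannot be written completely.
 */
void _write_lime_header(int out_fd, unsigned long long phys_off, unsigned long long size)
{
    lime_range l;

    l.magic   = 0x4C694D45;
    l.version = 1;
    l.s_addr  = phys_off;
    l.e_addr  = phys_off + size - 1;
    memset(&l.reserved, 0x00, sizeof(l.reserved));

    _debug_msg("_write_lime_header: Made lime header for start: %llx end: %llx", l.s_addr, l.e_addr);

    /* phys_off is unsigned long long, so it must be printed with %llx */
    if (write(out_fd, &l, sizeof(l)) != (ssize_t)sizeof(l))
        _die("_write_lime_header: Error writing header for offset: %llx", phys_off);
}

/*
 * Copy the p_memsz bytes of the /proc/kcore segment described by `p` to
 * out_fd, at most chunk_size bytes at a time through read_buf (which the
 * caller allocated with at least chunk_size bytes).
 *
 * Short reads and short writes are continued rather than treated as
 * failures; a read or write error, or end of file before p_memsz bytes were
 * copied, is fatal. phys_start is used for messages only.
 */
void _read_write_region(int kcore_fd, int out_fd, Elf64_Phdr *p, unsigned long long phys_start, unsigned char *read_buf)
{
    unsigned long long done = 0;
    unsigned long long want;
    ssize_t got;
    ssize_t put;
    size_t  off;

    // seek to the offset where the region is
    if (lseek64(kcore_fd, (off64_t)p->p_offset, SEEK_SET) != (off64_t)p->p_offset)
        _die("_read_write_region: Unable to seek to file offset %llx", (unsigned long long)p->p_offset);

    // read & write the region
    while (done < p->p_memsz)
    {
        want = p->p_memsz - done;
        if (want > chunk_size)
            want = chunk_size;

        /* read() returns a signed count; keeping it signed lets -1 be told
           apart from a large transfer */
        got = read(kcore_fd, read_buf, (size_t)want);
        if (got < 0 && errno == EINTR)
            continue;
        if (got <= 0)
            _die("_read_write_region: Requested to read %llx bytes from %llx | %llx but received %lld", want, phys_start, phys_start + done, (long long)got);

        /* write exactly the bytes that were read, resuming after short writes */
        off = 0;
        while (off < (size_t)got)
        {
            put = write(out_fd, read_buf + off, (size_t)got - off);
            if (put < 0 && errno == EINTR)
                continue;
            if (put <= 0)
                _die("_read_write_region: Requested to write %llx bytes from %llx | %llx but wrote %lld", (unsigned long long)((size_t)got - off), phys_start, phys_start + done, (long long)put);
            off += (size_t)put;
        }

        done += (unsigned long long)got;
    }

    printf("Wrote %llu bytes from %llx\n", done, phys_start);
}

/*
 * Read the program header stored at file offset phdr_addr of /proc/kcore
 * and, when it is the direct-map segment for the RAM range that starts at
 * physical address phys_start, write a LiME header plus the segment's
 * contents to out_fd.
 */
void _process_header(int kcore_fd, int out_fd, unsigned long long phdr_addr, unsigned long long phys_start, unsigned char *read_buf)
{
    Elf64_Phdr p;

    if (lseek64(kcore_fd, (off64_t)phdr_addr, SEEK_SET) != (off64_t)phdr_addr)
        _die("_process_header: Unable to seek to program header's offset: %llx", phdr_addr);

    if (read(kcore_fd, &p, sizeof(p)) != (ssize_t)sizeof(p))
        _die("_process_header: Unable to read program header: %llx | %llx\n", phdr_addr, phys_start);

    /* an empty segment would make the LiME end address wrap below the start */
    if (p.p_memsz == 0)
        return;

    if (phys_start + KCORE_DIRECT_MAP_BASE == p.p_vaddr)
    {
        _write_lime_header(out_fd, phys_start, p.p_memsz);
        _read_write_region(kcore_fd, out_fd, &p, phys_start, read_buf);
        regions_written++;
    }
}

/*
 * Re-read the ELF header of /proc/kcore and hand every program header to
 * _process_header, looking for the segment that backs the RAM range
 * starting at phys_start.
 */
void _write_region(int kcore_fd, int out_fd, unsigned long long phys_start, unsigned char *read_buf)
{
    Elf64_Ehdr h;
    unsigned short i;

    if (lseek64(kcore_fd, 0, SEEK_SET) != 0)
        _die("_write_region: Unable to seek to offset 0");

    if (read(kcore_fd, &h, sizeof(h)) != (ssize_t)sizeof(h))
        _die("_write_region: Unable to read ELF header for offset: %llx\n", phys_start);

    /* the offsets below are computed with sizeof(Elf64_Phdr); refuse a file
       that is not ELF or whose program-header entries have another size */
    if (h.e_ident[0] != 0x7f || h.e_ident[1] != 'E' || h.e_ident[2] != 'L' || h.e_ident[3] != 'F')
        _die("_write_region: /proc/kcore does not start with an ELF header");

    if (h.e_phentsize != sizeof(Elf64_Phdr))
        _die("_write_region: Unexpected program header size: %u", (unsigned int)h.e_phentsize);

    for (i = 0; i < h.e_phnum; i++)
        _process_header(kcore_fd, out_fd, h.e_phoff + (i * sizeof(Elf64_Phdr)), phys_start, read_buf);
}

/*
 * Read /proc/iomem (at most IOMEM_MAX_BYTES bytes) into a freshly allocated,
 * NUL-terminated buffer and return it. The caller owns the buffer and
 * releases it with free(). Dies on any failure or if nothing could be read.
 */
char *_read_proc_iomem(void)
{
    int fd;
    size_t used = 0;
    ssize_t got;
    char *contents;

    fd = open("/proc/iomem", O_RDONLY);
    if (fd == -1)
        _die("_read_proc_iomem: Unable to open /proc/iomem");

    contents = malloc(IOMEM_MAX_BYTES + 2);
    if (contents == NULL)
        _die("_read_proc_iomem: Unable to allocate buffer for reading /proc/iomem");

    /* one read() may return only part of the file, so read until EOF */
    while (used < IOMEM_MAX_BYTES)
    {
        got = read(fd, contents + used, IOMEM_MAX_BYTES - used);
        if (got < 0)
        {
            if (errno == EINTR)
                continue;
            _die("_read_proc_iomem: Unable to read /proc/iomem");
        }
        if (got == 0)
            break;
        used += (size_t)got;
    }

    if (used == 0)
        _die("_read_proc_iomem: Unable to read /proc/iomem");

    /* terminate right after the data that was read: the buffer comes from
       malloc(), so everything past `used` is uninitialised and must not be
       reached by the strlen()/strstr() calls of the parser */
    contents[used] = 0x00;

    close(fd);

    return contents;
}

// Parses /proc/iomem and calls _write_region with each found
/*
 * Only newline-terminated lines containing "System RAM" are used; the start
 * address of each is passed to _write_region. The end address is parsed for
 * the debug message only: the amount copied comes from the matching kcore
 * segment's p_memsz.
 */
void _dump_ranges(int kcore_fd, int out_fd, unsigned char *read_buf)
{
    char *contents;
    char *line;
    char *eol;
    char *space;
    char *dash;
    unsigned long long start;
    unsigned long long end;

    contents = _read_proc_iomem();

    /* break up by newline; a trailing fragment without '\n' is ignored */
    for (line = contents; (eol = strstr(line, "\n")) != NULL; line = eol + 1)
    {
        *eol = 0x00;

        // skip to next line if not RAM
        if (strstr(line, "System RAM") == NULL)
            continue;

        // 00100000-3fedffff : System RAM
        space = strstr(line, " ");
        dash  = strstr(line, "-");

        if (space == NULL || dash == NULL || space < dash)
            _die("parse_proc_iomem: Line broke parser: %s", line);

        *dash  = 0x00;
        *space = 0x00;

        start = strtoull(line, NULL, 16);
        end   = strtoull(dash + 1, NULL, 16);

        _debug_msg("Found RAM at start: %llx end: %llx", start, end);

        _write_region(kcore_fd, out_fd, start, read_buf);
    }

    free(contents);
}

/*
 * Acquire all "System RAM" ranges from /proc/kcore into `outfile` in LiME
 * format.
 *
 * Returns 0 when at least one region was written and 1 when no region
 * matched (the output file then holds no memory at all). Every other
 * failure terminates the process through _die().
 *
 * The image holds the full contents of RAM (keys, credentials, process
 * data), so the file is created readable and writable by its owner only,
 * and an existing file is truncated so that no stale bytes follow the new
 * image. An existing file keeps the permissions it already has, and the
 * path is opened as given: write the image to a location that only the
 * examiner controls.
 */
int create_memory_dump(char *outfile)
{
    int kcore_fd;
    int out_fd;
    unsigned char *read_buf;

    read_buf = malloc(chunk_size);
    if (read_buf == NULL)
        _die("_create_memory_dump: Unable to allocate /proc/kcore read buffer");

    _do_startup_checks();

    kcore_fd = open("/proc/kcore", O_RDONLY);
    if (kcore_fd == -1)
        _die("create_memory_dump: Unable to open /proc/kcore for reading");

    out_fd = open(outfile, O_WRONLY|O_CREAT|O_TRUNC, 0600);
    if (out_fd == -1)
        _die("create_memory_dump: Unable to open %s for writing", outfile);

    _dump_ranges(kcore_fd, out_fd, read_buf);

    close(kcore_fd);

    /* a failing close() can be the only report of a deferred write error */
    if (close(out_fd) != 0)
        _die("create_memory_dump: Error closing %s", outfile);

    free(read_buf);

    if (regions_written == 0)
    {
        fprintf(stderr, "create_memory_dump: No System RAM region matched a /proc/kcore segment, %s contains no memory\n", outfile);
        return 1;
    }

    return 0;
}

/*
 * Entry point: argv[1] names the output file. The exit status is the
 * result of create_memory_dump().
 */
int main(int argc, char **argv)
{
    if (argc < 2)
        _die("Usage: ./getkcore <output file>");

    return create_memory_dump(argv[1]);
}
volatility_2.6+git20170711.b3db0cc/tools/linux/kcore/Makefile0000644000000000000000000000015313131215405022176 0ustar rootrootCC=gcc all: getkcore getkcore: getkcore.c gcc -o getkcore getkcore.c -Wall -Wextra clean: rm getkcore volatility_2.6+git20170711.b3db0cc/tools/linux/kcore/getkcore.h0000644000000000000000000000035613131215405022517 0ustar rootroot#ifndef _GETKCORE_H #define _GETKCORE_H typedef struct { unsigned int magic; unsigned int version; unsigned long long s_addr; unsigned long long e_addr; unsigned char reserved[8]; } __attribute__ ((__packed__)) lime_range; #endif volatility_2.6+git20170711.b3db0cc/tools/linux/Makefile.enterprise0000644000000000000000000000047213131215405023256 0ustar rootrootobj-m += module.o KDIR ?= /lib/modules/3.5.0-23-generic/build -include version.mk all: dwarf dwarf: module.c $(MAKE) -C $(KDIR) CONFIG_DEBUG_INFO=y M="$(PWD)" modules dwarfdump -di module.ko > module.dwarf $(MAKE) -C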
$(KDIR) M="$(PWD)" clean clean: $(MAKE) -C $(KDIR) M="$(PWD)" clean rm -f module.dwarf volatility_2.6+git20170711.b3db0cc/tools/linux/Makefile0000644000000000000000000000060013131215405021070 0ustar rootrootobj-m += module.o KDIR ?= / KVER ?= $(shell uname -r) -include version.mk all: dwarf dwarf: module.c $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y M="$(PWD)" modules dwarfdump -di module.ko > module.dwarf $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M="$(PWD)" clean clean: $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M="$(PWD)" clean rm -f module.dwarf volatility_2.6+git20170711.b3db0cc/tools/doxygen/0000755000000000000000000000000013131215405017752 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/tools/doxygen/d3/0000755000000000000000000000000013131215405020260 5ustar rootrootvolatility_2.6+git20170711.b3db0cc/tools/doxygen/d3/tree.html0000644000000000000000000001054113131215405022106 0ustar rootroot volatility_2.6+git20170711.b3db0cc/tools/doxygen/d3/createtree.py0000644000000000000000000000155313131215405022761 0ustar rootrootimport os import json ''' Author: Gleeda modified from: http://stackoverflow.com/questions/25226208/represent-directory-tree-as-json Quick and Dirty. 
Run from the Volatility root directory and redirect: python createtree.py > OUTPUT/d3/vol.json ''' link = "https://github.com/volatilityfoundation/volatility/blob/master/" ignore = [".git", "doxygen", ".gitignore", ".gitattributes"] def path_to_dict(path): if path == ".": d = {'name': os.path.basename("root")} else: d = {'name': os.path.basename(path)} d['link'] = str(link + path).replace("/.", "") if os.path.isdir(path): d['type'] = "directory" d['children'] = [path_to_dict(os.path.join(path, x)) for x in os.listdir(path) if x not in ignore] else: d['type'] = "file" return d print json.dumps(path_to_dict('.')) volatility_2.6+git20170711.b3db0cc/tools/doxygen/vol.png0000644000000000000000000006076213131215405021273 0ustar rootrootPNG  IHDR~JiCCPICC ProfileX YgT˲sAr9#3*Q$ **"&E0  $TP{}{J?$7vmnMjgp\g*40 b+ԙ`G!OT{b5$((vP[: P>kLꠉqmG JP- ED:קءFoo]nB B|*.O߻9z$lN3z.:ޖ C @(Xh[wZĂ Kpjg >HVkH_}AVkV0>!Éhb,Y 5~txp8S1NA!EfwLJaaSa9po;$++*0b`FVc Ê%F Ga??z$IRW0"Vi P?5y^mt7~u x+:Af0CrrJ JHDEĆU8,Of5a},Gz z bP.X@tpfp^ ġO @h]`́ pn F=D@I`'e(8N3<@' ` pl`5A-„p |"( j6bX"!HF (R4 mB#,B(fJ%RC,P T *::ECnQy2iЬh4Z mAѱt9݄~@/W18 # ǧ) ㇉Ŝb1O0EO,-+a]A$l.[mXqb8U87p4>\5w 7-x^ o' 9Mc[w**>**c*wH,rFTSQSPkPPSPQ~Dz@#h LB0FBCC#HNcGBAs=IU"#Qh@$&뉷ω_hiiEiuiii6ޡNb"ɐHtR%NN΋.2#zjzQzz2nJ L 6  f񌢌F9'0N3 N10e11122g`^dadQbqfIfd2fe5c g-b:M--17v.v]faFam81vI8{84 .qFqKrsq^1óʫ[{wO/&? 
8nEnS5A1A',fWB!5@R.Ea>a+g_P&*&"WMtF]L,Uؘ8xxS DDĠ$JRY2XRJJE*DZjhvmFz҉g'eXe,edd> ˺S ;%RQ\>KCBSEZEctv%%)cJϔ*w)oĪ4̪ V1٪SUWOWT_Pш׸ISZ3LQsfOk jj&}OhOujuttutI/ߢ@`-CaQqcA Ƌ&&i&LŦf8t&/k̝vFvJJIaq&0K.$kKvGONF=gsI{5 +W,/_(WX^o<x`HAȃ#:gJJRKYj-/-(Z]WT~0p#G++V >:\_\]_ڿ1cMyq"ijZ򓸓'ߝr>{ZtCg]aF}d3 ܍EgQgΞ<7x|{tSM3ksp!E#,.u]VtEJU SKA+ҚҺ6>tjWfG5kY ȹy3[ nOwywzi]@EϽw޼uO}mT+]"!!hX$ma2Z3?(]UޣbʭVI=YCOd{6:m; n6U6%阳/Y[6YU[tNc89.knڃIck{o_A@J`Pc~Rd@8G]$:kT`̵Sqr[1)v]52<2dQ3[6O$1?]d}Хؽksca#&G+ԫI]rPeiYYQy#)QG*C2o8qVdɩ'WIg8%8P=dlub'hjoiҁ)u]M[QztT=ػ^j_v zDpHg}8&rSByb]"^"brbŃ$ro2ղe%fKl%^ve{=|meF=]U㬦~?ji+utFtSxmlS1id:gVkin1bYf`Mggmiծ>Acg.En-b2Ɯd]7vwɸِU#hd6i~E{pھ\-:qpwG!C#eʻUϪ玭Ui"%˶WZ~oWQqBgk7n.6г[ާxiAzOGŸ斿RFy'T8 w8P 0wQDɿXb@h p8,@IyFbry¡Q8T5m}]"*'s3Ua_4p5úOJUOE]L!h9J$-R5zS XlXz~g`bMɓȫ`PpvQe< _I=)mmke˵ȧ)++))+}RnW)QMQWԐdNҒѮԕۯgɈʘńÔL\2ug;!{C\~VO^o|pd_[ `#J#?F4c^$'J]YMܳ74op_ābCxerm)yu+g>=xިҥwWfZwLw.dmpǫǧסOCG*COb^P4y-ifއOkU~u۵W6ݔZ?(#9I)3 C\uW`"VSR2|@ѡQl%[4} Q`L}%TFTԲԍ 9%D[4m2TF'@w__2$12193}`B`9*z-G'3-(na1 ^W>vrB@YQO1%藼 bE2;eu JlK*U{Zk5inOnoPhXgj|u>IK6aGojqWAPVO=>C.<@ ଐ[aQѩ1钢 %ܭ~*+4'-w!?U_uUrß+.V&TkqVdubg.4:B%-ֵNp孥ݾw5 -7i 207 177 Sk-@IDATx|G*eU[e=B @ %|;h(ᎻK8rRҀ%qdInj^3ZVJhyyyfyu].K/K)B= z 0._v:\Rma \u0|=FpIa1pz h c@mA *^8Ҥ=`iN5//`dd{2Vu޽a80.K I~hѢ/})22?wF; '~ѝ;wرCs|&.}>1zOgx` s%$::x8Np;>86$Ɛ^aŏcyl1)=7*-@ģ'Zmnx!Q x"F (uvv1P3pF}8cnnnzFj;s Ps9$ū'\JII9{ʕ+ai 39Qm<0`cӧO??/g2ۛoOzƍ7x\pȑ#'H ۼhS K>|{ OBDD(&m5>>T`;;\KK 0)HҒ҆# _kjjOOOOHH>uꔂ&md\EEE__>S}{/\s5UUUhuDLn>K5kG>(L'%% MC?`cccll, r{?~k_>Tt2 lU jg]w_1LNNFQ)7YJe,,,n͈i8O65 /~Vai(er*P:!CD*UTYzbno}mٲ4O#hVYY?\v1#l6bZM ~g~ɇD~___cs]uU111pEo PZgy{2O`E ,pp#E@6$ {ST@l fڻx8(yb>Ew^MQv Ԁ "P/iӦD]]]^)(~ozlj&؁6 ^,>S#:>ڠ:| b3!x' P8s +R/##ɓ'o}sWvT& ?WY`*ݭAEHjMԭ[!Er[_$ĚnPCC+cA@ @ a=7 e۶mc g A~x~qx|clV&(Bir$88({L-[r.uA {nbw}7Q ā "_yum߾(x#( )9G9-i*ft>i))I(J>b籜<'[baq;@PpEH±և]y ,IX,bǺJ7K$"Z^$9/rVGY?boQyK =.oCVWWw aKF\*:Gf@@%? 
[o w?aOON(O @1 F+3$ |p*CpM7R{m7@yebR-BBcD(Ta3f$A#Jσi [C4ŖkJd,5Df^r>M{ Y@mqU+7nCV* 2ٽabTj )*hd1PS$'قWiSiw\9i=*!{HEqSoMd.M% kh Ú & PHekƊ+v]Aa0d^ Tž5u 0ݹ\v3AV9u漘؂*~1pZrd[UVnUΡw MAEH?$8\GGPc»TR`:'N\#5<%" .בcGX(|hl,:WD '.zoA)Qd0r(\A~a Jrź*1#H[ɝ 5NXWL00qsUz7' MEP"3062.<L;ПUSTQ1LִM'Ovw(ZM-`&*W#c¼*LCm Fl )o}pãI'smO5!F'1r_^f;xL%<>5%ooxcdBJBmfeݐ'؂o!6bHSSc)xF*u Mt}.Wf3KL2[U@Ef+T ʙ{ɍ%ZSh! 5A3'xmPH bz D0L: ;>NM?Tzz2 ^,2iˎ8u]Y mވfxTѤ 1j{@,P0ك$٫mo}e}]Ȩ>X4FhW\-}bL2P9~imwwմ[p׶N5%&uZ}ehcy*k\!x-޲BjhSTe;~R0W'<>nJMhSxU썬 FSks`q8feߒFkVj:pt־@ڤ}F;i˖̌ UUq휠MJuS!v 5MRhIAtEbs<鉉[^Ws<ʝfR$s:]lM+:|[& nO93tdڱb%EoDFݬӽ_>j0$iC9V6] x)RIꌟ!ɣt6E<8Lq >%2[?A﮿|`xRӞѴ?\;o99ɛG#mNwuCq/ȓ"ogm4dkZI{33%PEiEG\g^Sרn$G+ # Gx OIR/alCq#9XHD4Bn߷3M'bcձEXOteWUo\M|2āZFaYSRN;L7W,V+Ҵ6?2J#25U3h5`T*0d!6ɠG't`!DѲ|OLH<|s5muݑ 2x8ܹ8:BA^OT-/\8uYYJj# fW_RrczKB9jhSDbH롁mYc.x0 lb.+ؑ{ؚ{<\]sfƀvpx2afK)"/g#g¨H(LBax&j>b" M@%ǯ]<]p!.NQp`WP/д7ٹ3.}7pFWQbKMxJ  ٪yx|\wPC= g^ކAI1 *r@ţeKvq.&_=zP<ܼT `'? ~xvT&??͊sԅ % V]7 78h4?+|Qntf9ohԴeobfs 1|CCGvD-%W'6C?n(\?9yD#+5 XΎoX82uثJ1:)T&O~򓔥W[oU(eD$QTUVT4,M+.'Bՠ2CaԄhjI*(kx֮[kN{uMq"a7^P;(wnzMJrLBg@ctp "|bc1x0Lp'Zoȱ~`EZ@ZŪzM a "L56l _Y erF$ xT?'B><+(@lp H8x(0@ȏ~-rr:=ZZa;׿t/6`#!Zx "clmm%ow $& x89_? {CTiu~MPcJO~[Bb85Q)l43xS8i&ŚlU<%.@!| [ ̏hOYC-O=FL1x9Yn<>&<%21%AL< 6(ʼAy 5x|ź𳐊`e)4`y(~Ž& bP8&m"`PB'*/ڠ+lLpXׂ/~@P|Y*3Y08B# [l"?k@y*]y6 1 =f^([l|Mp}6a]s56nXd) x-blywF 9`e2"Ƨ:ΐT94!ޒa?lg˚BJ2rF'|K|f$5GMT2"b_}/iT*|f8RС :E09 \M[/.R+ؙ˗%?vҥH[+%SSdLqMc<h#ރo9rԫŸ{Wm(ӟyIP|*U"iFQc.;oOJ(1Y]K/RchsYbtRd-t4iP>0(<:}T>}WmM:i'uegzeIKq9l|`+!z@*zssg Q5{DzU 3ذYu{_\.=ty&G8wo[*8c&Dw^X/)/ךrs [iK_{gBՓǑ<ԟJbc{bc'.[^и 1,hDyJ L\H,ȌuI]##d(P]=7H3G;q»J:5p'Kq$k%bx_h;0&._!vމ| X_ C3椳;V0YRqbzLy؞F#1ɛwmJpD'KQk΁#^{ApϬ(MT? 
A_3RR1Nc1&8ϭ~ Ԏ$x4HAlLck%xTB1Hy%>?Մ,ڻ-jCEނF3f̘]P1h zny5~R[H5#*IFF 8k{on.ʙpw$Ǐg^!h34Zw^bck~{oM׋)MΊ{%ÂEڅ]acl .턮 ݰd 10w'5QCĿOE'l|& 4]L[ەv-"#ɍ u 5ӯ 8M'7_\Oq߫s/cƈaȈ[}EL;%cßd.)ُշt2©'uvȇ[DnXI_W[3Q zY\pԢhs{Vj}TDgj"hP|]C%U( meeMG.ܰ);j@iQf“pV;-Pē*+"kl74zI7gʮ؇qq29j3+#gu5Y)>6|Ꚏd%Kw@yzHJt7im=/>15R"LF~9~Hͧβe=l`Ky7ٓ=&״1%h̨X¦)R8JTփ1Fodl.*r4}_6M% TK?WQ֊jlql2GD## ##̑hma22*%ŋs)'Nd]# XmmFj ć>8@? 1q##=O :j`6"!m 3v?86|8cwN:T].Bl {nÑiN$vPhZŒm&&J  "{*_,NO33du022~sQafda+̧dHKɈfJbS }Vg6)VdMQX"#sݿNNZvh }:zj|)f3 I.rwԬB&(. ^ 1Il[;%p)aiv;ք#:/:[&/?^.7EŦ[9.rU%#J/U3&&v7ҼD!Ķ,êW[[ YT9`=0l ?P?l8qA6MJyT)FWV $g{M@$Đ^%y#?.웉/w{ !-wD&kvp\\UvMݬh/KZΧttPC%O0W] Zd;v`(iLWh2cI /0pB$k0m3 A9)7|C21JxUɠHG(+1Qa$iQ]<1D˖8cw&(b#t+ !zIYF}QۉE_o|P4T)@J"*HJ ]rgcw^ol>"ѫpËت~R35Ef>qs4`*>fW %ݙB\ʥ=ENB eYKXo\8X^\썣UL =KfwL*flWnˬHi˴c.ChC{bcWYTim#6+<UyE"&m)J-=M;0G6I-%9@i\ؐc"+ )(6G 6lܷ& 9WØ5c3P'jH. mB? O7b4AM95;en{G/S;\׳`w Ym!V_5-~O%e^b@} hE>] RӒn?-i"xQwYl&Q]uةqjP@}hxgijFG-/n\!N"ۛޏ%PHV}W^>9> ?X&|&h$s%J;,I#~XH. m))F{±9\Z@$3;g룣b|Gfn;h5-eĦ?Վ'3#ĐO!& y(6+!:! Лy/cq=Jo.**%I3- xD}+iyEZCq,U/I7dk1;mddoy1G EX 㩘]k23JxA8&RfJNk͋5`܊ %r^U2D"C;Q&fA*QPW~]&r'oI^D隮Ga~$*r$6&;KhdnZpݶؘaN?AMi<^/m\[ڍ62 rIzw-K]^&ڣ QcohS6׉~2> _X'XZ[KV]*h:U84(b,퟾-Rzkuqho ma o e{}+ƊZnO"bbqRӢ>t&GY9VʋD7@65aOv`53+Ͼ*J8d|!eHS(qhcPo9lU"D.5z A $YI閻o_Ʀp`=ZIK>D_#yjtI(4YPƜ dFK2ԝyB>BEf3Pv=%kfz KՂY,P^uY 5bn?´^+a`u:3X)ibSS zx m R1_1*ne]U#F-llQ#VʓQ~.8E ;wS1Țgb>"w|8f-Zv&T?o\vs~᢭[[w| `DEEfuDY;[}zħ{<0HEƲR1lDN`h-?}w/cZ#]5-2:.ʈIVHHNL7J| 5Q|䩥_Uɼi1F/ >tG֭Ϭ*mhAYfKFcm} A](++$6M} Op~&jRfmBQBaa&i V_\ ;#h1Cf锄0x})GEtڅ1 莮⛛WHƖ$&N&9Jv;.%~Q%G̣?#abl&F{ƮG:T!UԲˆ”ESD \A&PIH1VJTqu"P<ܸu=˽HԹeێ40MivhǠvx V h1ΏϪҞ\1cshްLX 6ETȨ/C9L$N0>}5v,%.Hg&#wI_ymDꊊ&skQņі]([鹐D Mp&{oK?z/hNwe(p\qQgAʈv7#ڒS ܷH]&-/Sl; R鹚CE[6VVUKpoƒF1/V>dilePhPqLrnDBCo[[$A,FTň/z[!giƝ;O4.K)02ɾA:8OF,7;@of4Ѳ^MQ3%t椸 ).:qh͌}yiنgiVof rVBMa}(F^z4E0Y@PjjKMmv3u r)L|0(8+%6l'h!~SYiEfs{?ѡOKW +(GdQRb"m EOCo|oWho`Bu[u6Ef˶#hwL{ɿ2@TYxyLRiehiX|a+bqR .V "xG/LK{m5dLgm,bmٳ%ޞc[{%l?mUy"&@#ڴ篺UXl(FGOJb$4 5t]ٛdSF['+//. 
鬠M!r_:~͉YZN_,)Y;3_1z>xLYA\D1Mkf73ZliC1؆o0!^^"WSF[@ .PSfsx!CQM֜9f'3Kp̴;'Z {wt6hp3FLCAt[f)L(o m;ӓeeҿ;wٛM37Ʊȗ10>d|) 7EaLܩ5SdPˡNX3UL>mVV= L*?R˓imJprf^q8*Ϭ42 mv%rBVuC>;;̱\h-24žbIANf9oxU~v ՟پ*SLp<; B3S57hh?sd_l8 Y$bc͕͕Rf4t Y'X؞BFa6tϊ_y_ogh gauHv{ Yp~=F_ogh gauHv{ Yp~==WIENDB`volatility_2.6+git20170711.b3db0cc/tools/doxygen/config0000644000000000000000000030463413131215405021154 0ustar rootroot# Doxyfile 1.8.7 # This file describes the settings to be used by the documentation system # doxygen (www.doxygen.org) for a project. # # All text after a double hash (##) is considered a comment and is placed in # front of the TAG it is preceding. # # All text after a single hash (#) is considered a comment and will be ignored. # The format is: # TAG = value [value, ...] # For lists, items can also be appended using: # TAG += value [value, ...] # Values that contain spaces should be placed between quotes (\" \"). #--------------------------------------------------------------------------- # Project related configuration options #--------------------------------------------------------------------------- # This tag specifies the encoding used for all characters in the config file # that follow. The default is UTF-8 which is also the encoding used for all text # before the first occurrence of this tag. Doxygen uses libiconv (or the iconv # built into libc) for the transcoding. See http://www.gnu.org/software/libiconv # for the list of possible encodings. # The default value is: UTF-8. DOXYFILE_ENCODING = UTF-8 # The PROJECT_NAME tag is a single word (or a sequence of words surrounded by # double-quotes, unless you are using Doxywizard) that should identify the # project for which the documentation is generated. This name is used in the # title of most generated pages and in a few other places. # The default value is: My Project. PROJECT_NAME = "The Volatility Framework" # The PROJECT_NUMBER tag can be used to enter a project or revision number. 
This # could be handy for archiving the generated documentation or if some version # control system is used. PROJECT_NUMBER = # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a # quick idea about the purpose of the project. Keep the description short. PROJECT_BRIEF = # With the PROJECT_LOGO tag one can specify an logo or icon that is included in # the documentation. The maximum height of the logo should not exceed 55 pixels # and the maximum width should not exceed 200 pixels. Doxygen will copy the logo # to the output directory. PROJECT_LOGO = ./tools/doxygen/vol.png # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path # into which the generated documentation will be written. If a relative path is # entered, it will be relative to the location where doxygen was started. If # left blank the current directory will be used. OUTPUT_DIRECTORY = ./tools/doxygen/output # If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub- # directories (in 2 levels) under the output directory of each output format and # will distribute the generated files over these directories. Enabling this # option can be useful when feeding doxygen a huge amount of source files, where # putting all generated files in the same directory would otherwise causes # performance problems for the file system. # The default value is: NO. CREATE_SUBDIRS = YES # If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII # characters to appear in the names of generated files. If set to NO, non-ASCII # characters will be escaped, for example _xE3_x81_x84 will be used for Unicode # U+3044. # The default value is: NO. ALLOW_UNICODE_NAMES = NO # The OUTPUT_LANGUAGE tag is used to specify the language in which all # documentation generated by doxygen is written. 
Doxygen will use this # information to generate all constant output in the proper language. # Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese, # Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States), # Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian, # Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages), # Korean, Korean-en (Korean with English messages), Latvian, Lithuanian, # Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian, # Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish, # Ukrainian and Vietnamese. # The default value is: English. OUTPUT_LANGUAGE = English # If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member # descriptions after the members that are listed in the file and class # documentation (similar to Javadoc). Set to NO to disable this. # The default value is: YES. BRIEF_MEMBER_DESC = YES # If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief # description of a member or function before the detailed description # # Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the # brief descriptions will be completely suppressed. # The default value is: YES. REPEAT_BRIEF = YES # This tag implements a quasi-intelligent brief description abbreviator that is # used to form the text in various listings. Each string in this list, if found # as the leading text of the brief description, will be stripped from the text # and the result, after processing the whole list, is used as the annotated # text. Otherwise, the brief description is used as-is. If left blank, the # following values are used ($name is automatically replaced with the name of # the entity):The $name class, The $name widget, The $name file, is, provides, # specifies, contains, represents, a, an and the. 
ABBREVIATE_BRIEF = # If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then # doxygen will generate a detailed section even if there is only a brief # description. # The default value is: NO. ALWAYS_DETAILED_SEC = NO # If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all # inherited members of a class in the documentation of that class as if those # members were ordinary class members. Constructors, destructors and assignment # operators of the base classes will not be shown. # The default value is: NO. INLINE_INHERITED_MEMB = NO # If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path # before files name in the file list and in the header files. If set to NO the # shortest path that makes the file name unique will be used # The default value is: YES. FULL_PATH_NAMES = YES # The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path. # Stripping is only done if one of the specified strings matches the left-hand # part of the path. The tag can be used to show relative paths in the file list. # If left blank the directory from which doxygen is run is used as the path to # strip. # # Note that you can specify absolute paths here, but also relative paths, which # will be relative from the directory where doxygen is started. # This tag requires that the tag FULL_PATH_NAMES is set to YES. STRIP_FROM_PATH = # The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the # path mentioned in the documentation of a class, which tells the reader which # header file to include in order to use a class. If left blank only the name of # the header file containing the class definition is used. Otherwise one should # specify the list of include paths that are normally passed to the compiler # using the -I flag. STRIP_FROM_INC_PATH = # If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but # less readable) file names. 
This can be useful if your file system doesn't # support long names like on DOS, Mac, or CD-ROM. # The default value is: NO. SHORT_NAMES = NO # If the JAVADOC_AUTOBRIEF tag is set to YES then doxygen will interpret the # first line (until the first dot) of a Javadoc-style comment as the brief # description. If set to NO, the Javadoc-style will behave just like regular Qt- # style comments (thus requiring an explicit @brief command for a brief # description.) # The default value is: NO. JAVADOC_AUTOBRIEF = NO # If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first # line (until the first dot) of a Qt-style comment as the brief description. If # set to NO, the Qt-style will behave just like regular Qt-style comments (thus # requiring an explicit \brief command for a brief description.) # The default value is: NO. QT_AUTOBRIEF = NO # The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make doxygen treat a # multi-line C++ special comment block (i.e. a block of //! or /// comments) as # a brief description. This used to be the default behavior. The new default is # to treat a multi-line C++ comment block as a detailed description. Set this # tag to YES if you prefer the old behavior instead. # # Note that setting this tag to YES also means that rational rose comments are # not recognized any more. # The default value is: NO. MULTILINE_CPP_IS_BRIEF = NO # If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the # documentation from any documented member that it re-implements. # The default value is: YES. INHERIT_DOCS = YES # If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a # new page for each member. If set to NO, the documentation of a member will be # part of the file/class/namespace that contains it. # The default value is: NO. SEPARATE_MEMBER_PAGES = NO # The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen # uses this value to replace tabs by spaces in code fragments.
# Minimum value: 1, maximum value: 16, default value: 4. TAB_SIZE = 4 # This tag can be used to specify a number of aliases that act as commands in # the documentation. An alias has the form: # name=value # For example adding # "sideeffect=@par Side Effects:\n" # will allow you to put the command \sideeffect (or @sideeffect) in the # documentation, which will result in a user-defined paragraph with heading # "Side Effects:". You can put \n's in the value part of an alias to insert # newlines. ALIASES = # This tag can be used to specify a number of word-keyword mappings (TCL only). # A mapping has the form "name=value". For example adding "class=itcl::class" # will allow you to use the command class in the itcl::class meaning. TCL_SUBST = # Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources # only. Doxygen will then generate output that is more tailored for C. For # instance, some of the names that are used will be different. The list of all # members will be omitted, etc. # The default value is: NO. OPTIMIZE_OUTPUT_FOR_C = NO # Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or # Python sources only. Doxygen will then generate output that is more tailored # for that language. For instance, namespaces will be presented as packages, # qualified scopes will look different, etc. # The default value is: NO. OPTIMIZE_OUTPUT_JAVA = NO # Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran # sources. Doxygen will then generate output that is tailored for Fortran. # The default value is: NO. OPTIMIZE_FOR_FORTRAN = NO # Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL # sources. Doxygen will then generate output that is tailored for VHDL. # The default value is: NO. OPTIMIZE_OUTPUT_VHDL = NO # Doxygen selects the parser to use depending on the extension of the files it # parses. With this tag you can assign which parser to use for a given # extension. 
Doxygen has a built-in mapping, but you can override or extend it # using this tag. The format is ext=language, where ext is a file extension, and # language is one of the parsers supported by doxygen: IDL, Java, Javascript, # C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran: # FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran: # Fortran. In the latter case the parser tries to guess whether the code is fixed # or free formatted code, this is the default for Fortran type files), VHDL. For # instance to make doxygen treat .inc files as Fortran files (default is PHP), # and .f files as C (default is Fortran), use: inc=Fortran f=C. # # Note: For files without extension you can use no_extension as a placeholder. # # Note that for custom extensions you also need to set FILE_PATTERNS otherwise # the files are not read by doxygen. EXTENSION_MAPPING = # If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments # according to the Markdown format, which allows for more readable # documentation. See http://daringfireball.net/projects/markdown/ for details. # The output of markdown processing is further processed by doxygen, so you can # mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in # case of backward compatibility issues. # The default value is: YES. MARKDOWN_SUPPORT = YES # When enabled doxygen tries to link words that correspond to documented # classes, or namespaces to their corresponding documentation. Such a link can # be prevented in individual cases by putting a % sign in front of the word # or globally by setting AUTOLINK_SUPPORT to NO. # The default value is: YES. AUTOLINK_SUPPORT = YES # If you use STL classes (i.e. std::string, std::vector, etc.)
but do not want # to include (a tag file for) the STL sources as input, then you should set this # tag to YES in order to let doxygen match functions declarations and # definitions whose arguments contain STL classes (e.g. func(std::string); # versus func(std::string) {}). This also make the inheritance and collaboration # diagrams that involve STL classes more complete and accurate. # The default value is: NO. BUILTIN_STL_SUPPORT = NO # If you use Microsoft's C++/CLI language, you should set this option to YES to # enable parsing support. # The default value is: NO. CPP_CLI_SUPPORT = NO # Set the SIP_SUPPORT tag to YES if your project consists of sip (see: # http://www.riverbankcomputing.co.uk/software/sip/intro) sources only. Doxygen # will parse them like normal C++ but will assume all classes use public instead # of private inheritance when no explicit protection keyword is present. # The default value is: NO. SIP_SUPPORT = NO # For Microsoft's IDL there are propget and propput attributes to indicate # getter and setter methods for a property. Setting this option to YES will make # doxygen to replace the get and set methods by a property in the documentation. # This will only work if the methods are indeed getting or setting a simple # type. If this is not the case, or you want to show the methods anyway, you # should set this option to NO. # The default value is: YES. IDL_PROPERTY_SUPPORT = YES # If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC # tag is set to YES, then doxygen will reuse the documentation of the first # member in the group (if any) for the other members of the group. By default # all members of a group must be documented explicitly. # The default value is: NO. DISTRIBUTE_GROUP_DOC = NO # Set the SUBGROUPING tag to YES to allow class member groups of the same type # (for instance a group of public functions) to be put as a subgroup of that # type (e.g. under the Public Functions section). 
Set it to NO to prevent # subgrouping. Alternatively, this can be done per class using the # \nosubgrouping command. # The default value is: YES. SUBGROUPING = YES # When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions # are shown inside the group in which they are included (e.g. using \ingroup) # instead of on a separate page (for HTML and Man pages) or section (for LaTeX # and RTF). # # Note that this feature does not work in combination with # SEPARATE_MEMBER_PAGES. # The default value is: NO. INLINE_GROUPED_CLASSES = NO # When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions # with only public data fields or simple typedef fields will be shown inline in # the documentation of the scope in which they are defined (i.e. file, # namespace, or group documentation), provided this scope is documented. If set # to NO, structs, classes, and unions are shown on a separate page (for HTML and # Man pages) or section (for LaTeX and RTF). # The default value is: NO. INLINE_SIMPLE_STRUCTS = NO # When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or # enum is documented as struct, union, or enum with the name of the typedef. So # typedef struct TypeS {} TypeT, will appear in the documentation as a struct # with name TypeT. When disabled the typedef will appear as a member of a file, # namespace, or class. And the struct will be named TypeS. This can typically be # useful for C code in case the coding convention dictates that all compound # types are typedef'ed and only the typedef is referenced, never the tag name. # The default value is: NO. TYPEDEF_HIDES_STRUCT = NO # The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. This # cache is used to resolve symbols given their name and scope. Since this can be # an expensive process and often the same symbol appears multiple times in the # code, doxygen keeps a cache of pre-resolved symbols. 
If the cache is too small # doxygen will become slower. If the cache is too large, memory is wasted. The # cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range # is 0..9, the default is 0, corresponding to a cache size of 2^16=65536 # symbols. At the end of a run doxygen will report the cache usage and suggest # the optimal cache size from a speed point of view. # Minimum value: 0, maximum value: 9, default value: 0. LOOKUP_CACHE_SIZE = 0 #--------------------------------------------------------------------------- # Build related configuration options #--------------------------------------------------------------------------- # If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in # documentation are documented, even if no documentation was available. Private # class members and static file members will be hidden unless the # EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES. # Note: This will also disable the warnings about undocumented members that are # normally produced when WARNINGS is set to YES. # The default value is: NO. EXTRACT_ALL = NO # If the EXTRACT_PRIVATE tag is set to YES all private members of a class will # be included in the documentation. # The default value is: NO. EXTRACT_PRIVATE = NO # If the EXTRACT_PACKAGE tag is set to YES all members with package or internal # scope will be included in the documentation. # The default value is: NO. EXTRACT_PACKAGE = NO # If the EXTRACT_STATIC tag is set to YES all static members of a file will be # included in the documentation. # The default value is: NO. EXTRACT_STATIC = NO # If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined # locally in source files will be included in the documentation. If set to NO # only classes defined in header files are included. Does not have any effect # for Java sources. # The default value is: YES. EXTRACT_LOCAL_CLASSES = YES # This flag is only useful for Objective-C code. 
When set to YES local methods, # which are defined in the implementation section but not in the interface are # included in the documentation. If set to NO only methods in the interface are # included. # The default value is: NO. EXTRACT_LOCAL_METHODS = NO # If this flag is set to YES, the members of anonymous namespaces will be # extracted and appear in the documentation as a namespace called # 'anonymous_namespace{file}', where file will be replaced with the base name of # the file that contains the anonymous namespace. By default anonymous namespace # are hidden. # The default value is: NO. EXTRACT_ANON_NSPACES = NO # If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all # undocumented members inside documented classes or files. If set to NO these # members will be included in the various overviews, but no documentation # section is generated. This option has no effect if EXTRACT_ALL is enabled. # The default value is: NO. HIDE_UNDOC_MEMBERS = NO # If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all # undocumented classes that are normally visible in the class hierarchy. If set # to NO these classes will be included in the various overviews. This option has # no effect if EXTRACT_ALL is enabled. # The default value is: NO. HIDE_UNDOC_CLASSES = NO # If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend # (class|struct|union) declarations. If set to NO these declarations will be # included in the documentation. # The default value is: NO. HIDE_FRIEND_COMPOUNDS = NO # If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any # documentation blocks found inside the body of a function. If set to NO these # blocks will be appended to the function's detailed documentation block. # The default value is: NO. HIDE_IN_BODY_DOCS = NO # The INTERNAL_DOCS tag determines if documentation that is typed after a # \internal command is included. If the tag is set to NO then the documentation # will be excluded. 
Set it to YES to include the internal documentation. # The default value is: NO. INTERNAL_DOCS = NO # If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file # names in lower-case letters. If set to YES upper-case letters are also # allowed. This is useful if you have classes or files whose names only differ # in case and if your file system supports case sensitive file names. Windows # and Mac users are advised to set this option to NO. # The default value is: system dependent. CASE_SENSE_NAMES = NO # If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with # their full class and namespace scopes in the documentation. If set to YES the # scope will be hidden. # The default value is: NO. HIDE_SCOPE_NAMES = NO # If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of # the files that are included by a file in the documentation of that file. # The default value is: YES. SHOW_INCLUDE_FILES = YES # If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each # grouped member an include statement to the documentation, telling the reader # which file to include in order to use the member. # The default value is: NO. SHOW_GROUPED_MEMB_INC = NO # If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include # files with double quotes in the documentation rather than with sharp brackets. # The default value is: NO. FORCE_LOCAL_INCLUDES = NO # If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the # documentation for inline members. # The default value is: YES. INLINE_INFO = YES # If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the # (detailed) documentation of file and class members alphabetically by member # name. If set to NO the members will appear in declaration order. # The default value is: YES. 
SORT_MEMBER_DOCS = YES # If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief # descriptions of file, namespace and class members alphabetically by member # name. If set to NO the members will appear in declaration order. Note that # this will also influence the order of the classes in the class list. # The default value is: NO. SORT_BRIEF_DOCS = NO # If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the # (brief and detailed) documentation of class members so that constructors and # destructors are listed first. If set to NO the constructors will appear in the # respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS. # Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief # member documentation. # Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting # detailed member documentation. # The default value is: NO. SORT_MEMBERS_CTORS_1ST = NO # If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the hierarchy # of group names into alphabetical order. If set to NO the group names will # appear in their defined order. # The default value is: NO. SORT_GROUP_NAMES = NO # If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by # fully-qualified names, including namespaces. If set to NO, the class list will # be sorted only by class name, not including the namespace part. # Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. # Note: This option applies only to the class list, not to the alphabetical # list. # The default value is: NO. SORT_BY_SCOPE_NAME = NO # If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper # type resolution of all parameters of a function it will reject a match between # the prototype and the implementation of a member function even if there is # only one candidate or it is obvious which candidate to choose by doing a # simple string match. 
By disabling STRICT_PROTO_MATCHING doxygen will still # accept a match between prototype and implementation in such cases. # The default value is: NO. STRICT_PROTO_MATCHING = NO # The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the # todo list. This list is created by putting \todo commands in the # documentation. # The default value is: YES. GENERATE_TODOLIST = YES # The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the # test list. This list is created by putting \test commands in the # documentation. # The default value is: YES. GENERATE_TESTLIST = YES # The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug # list. This list is created by putting \bug commands in the documentation. # The default value is: YES. GENERATE_BUGLIST = YES # The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO) # the deprecated list. This list is created by putting \deprecated commands in # the documentation. # The default value is: YES. GENERATE_DEPRECATEDLIST= YES # The ENABLED_SECTIONS tag can be used to enable conditional documentation # sections, marked by \if ... \endif and \cond # ... \endcond blocks. ENABLED_SECTIONS = # The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the # initial value of a variable or macro / define can have for it to appear in the # documentation. If the initializer consists of more lines than specified here # it will be hidden. Use a value of 0 to hide initializers completely. The # appearance of the value of individual variables and macros / defines can be # controlled using \showinitializer or \hideinitializer command in the # documentation regardless of this setting. # Minimum value: 0, maximum value: 10000, default value: 30. MAX_INITIALIZER_LINES = 30 # Set the SHOW_USED_FILES tag to NO to disable the list of files generated at # the bottom of the documentation of classes and structs. 
If set to YES the list # will mention the files that were used to generate the documentation. # The default value is: YES. SHOW_USED_FILES = YES # Set the SHOW_FILES tag to NO to disable the generation of the Files page. This # will remove the Files entry from the Quick Index and from the Folder Tree View # (if specified). # The default value is: YES. SHOW_FILES = YES # Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces # page. This will remove the Namespaces entry from the Quick Index and from the # Folder Tree View (if specified). # The default value is: YES. SHOW_NAMESPACES = YES # The FILE_VERSION_FILTER tag can be used to specify a program or script that # doxygen should invoke to get the current version for each file (typically from # the version control system). Doxygen will invoke the program by executing (via # popen()) the command command input-file, where command is the value of the # FILE_VERSION_FILTER tag, and input-file is the name of an input file provided # by doxygen. Whatever the program writes to standard output is used as the file # version. For an example see the documentation. FILE_VERSION_FILTER = # The LAYOUT_FILE tag can be used to specify a layout file which will be parsed # by doxygen. The layout file controls the global structure of the generated # output files in an output format independent way. To create the layout file # that represents doxygen's defaults, run doxygen with the -l option. You can # optionally specify a file name after the option, if omitted DoxygenLayout.xml # will be used as the name of the layout file. # # Note that if you run doxygen from a directory containing a file called # DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE # tag is left empty. LAYOUT_FILE = # The CITE_BIB_FILES tag can be used to specify one or more bib files containing # the reference definitions. This must be a list of .bib files. 
The .bib # extension is automatically appended if omitted. This requires the bibtex tool # to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info. # For LaTeX the style of the bibliography can be controlled using # LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the # search path. Do not use file names with spaces, bibtex cannot handle them. See # also \cite for info how to create references. CITE_BIB_FILES = #--------------------------------------------------------------------------- # Configuration options related to warning and progress messages #--------------------------------------------------------------------------- # The QUIET tag can be used to turn on/off the messages that are generated to # standard output by doxygen. If QUIET is set to YES this implies that the # messages are off. # The default value is: NO. QUIET = NO # The WARNINGS tag can be used to turn on/off the warning messages that are # generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES # this implies that the warnings are on. # # Tip: Turn warnings on while writing the documentation. # The default value is: YES. WARNINGS = YES # If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate # warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag # will automatically be disabled. # The default value is: YES. WARN_IF_UNDOCUMENTED = YES # If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for # potential errors in the documentation, such as not documenting some parameters # in a documented function, or documenting parameters that don't exist or using # markup commands wrongly. # The default value is: YES. WARN_IF_DOC_ERROR = YES # This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that # are documented, but have no documentation for their parameters or return # value. 
If set to NO doxygen will only warn about wrong or incomplete parameter # documentation, but not about the absence of documentation. # The default value is: NO. WARN_NO_PARAMDOC = NO # The WARN_FORMAT tag determines the format of the warning messages that doxygen # can produce. The string should contain the $file, $line, and $text tags, which # will be replaced by the file and line number from which the warning originated # and the warning text. Optionally the format may contain $version, which will # be replaced by the version of the file (if it could be obtained via # FILE_VERSION_FILTER) # The default value is: $file:$line: $text. WARN_FORMAT = "$file:$line: $text" # The WARN_LOGFILE tag can be used to specify a file to which warning and error # messages should be written. If left blank the output is written to standard # error (stderr). WARN_LOGFILE = #--------------------------------------------------------------------------- # Configuration options related to the input files #--------------------------------------------------------------------------- # The INPUT tag is used to specify the files and/or directories that contain # documented source files. You may enter file names like myfile.cpp or # directories like /usr/src/myproject. Separate the files or directories with # spaces. # Note: If this tag is empty the current directory is searched. INPUT = . # This tag can be used to specify the character encoding of the source files # that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses # libiconv (or the iconv built into libc) for the transcoding. See the libiconv # documentation (see: http://www.gnu.org/software/libiconv) for the list of # possible encodings. # The default value is: UTF-8. INPUT_ENCODING = UTF-8 # If the value of the INPUT tag contains directories, you can use the # FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and # *.h) to filter out the source-files in the directories. 
If left blank the # following patterns are tested:*.c, *.cc, *.cxx, *.cpp, *.c++, *.java, *.ii, # *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h, *.hh, *.hxx, *.hpp, # *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc, *.m, *.markdown, # *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf, # *.qsf, *.as and *.js. FILE_PATTERNS = *.py # The RECURSIVE tag can be used to specify whether or not subdirectories should # be searched for input files as well. # The default value is: NO. RECURSIVE = YES # The EXCLUDE tag can be used to specify files and/or directories that should be # excluded from the INPUT source files. This way you can easily exclude a # subdirectory from a directory tree whose root is specified with the INPUT tag. # # Note that relative paths are relative to the directory from which doxygen is # run. EXCLUDE = # The EXCLUDE_SYMLINKS tag can be used to select whether or not files or # directories that are symbolic links (a Unix file system feature) are excluded # from the input. # The default value is: NO. EXCLUDE_SYMLINKS = NO # If the value of the INPUT tag contains directories, you can use the # EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude # certain files from those directories. # # Note that the wildcards are matched against the file with absolute path, so to # exclude all test directories for example use the pattern */test/* EXCLUDE_PATTERNS = # The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names # (namespaces, classes, functions, etc.) that should be excluded from the # output. The symbol name can be a fully qualified name, a word, or if the # wildcard * is used, a substring. 
Examples: ANamespace, AClass, # AClass::ANamespace, ANamespace::*Test # # Note that the wildcards are matched against the file with absolute path, so to # exclude all test directories use the pattern */test/* EXCLUDE_SYMBOLS = # The EXAMPLE_PATH tag can be used to specify one or more files or directories # that contain example code fragments that are included (see the \include # command). EXAMPLE_PATH = # If the value of the EXAMPLE_PATH tag contains directories, you can use the # EXAMPLE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and # *.h) to filter out the source-files in the directories. If left blank all # files are included. EXAMPLE_PATTERNS = # If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be # searched for input files to be used with the \include or \dontinclude commands # irrespective of the value of the RECURSIVE tag. # The default value is: NO. EXAMPLE_RECURSIVE = NO # The IMAGE_PATH tag can be used to specify one or more files or directories # that contain images that are to be included in the documentation (see the # \image command). IMAGE_PATH = # The INPUT_FILTER tag can be used to specify a program that doxygen should # invoke to filter for each input file. Doxygen will invoke the filter program # by executing (via popen()) the command: # # <filter> <input-file> # # where <filter> is the value of the INPUT_FILTER tag, and <input-file> is the # name of an input file. Doxygen will then use the output that the filter # program writes to standard output. If FILTER_PATTERNS is specified, this tag # will be ignored. # # Note that the filter must not add or remove lines; it is applied before the # code is scanned, but not when the output code is generated. If lines are added # or removed, the anchors will not be placed correctly. # # Note: the value below is an absolute path outside the source tree. Doxygen # runs that program on every input file with the privileges of the user building # the docs, so confirm the installed doxypy.py is the expected one first. INPUT_FILTER = /usr/local/bin/doxypy.py # The FILTER_PATTERNS tag can be used to specify filters on a per file pattern # basis. Doxygen will compare the file name with each pattern and apply the # filter if there is a match.
The filters are a list of the form: pattern=filter # (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how # filters are used. If the FILTER_PATTERNS tag is empty or if none of the # patterns match the file name, INPUT_FILTER is applied. FILTER_PATTERNS = # If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using # INPUT_FILTER ) will also be used to filter the input files that are used for # producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES). # The default value is: NO. FILTER_SOURCE_FILES = YES # The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file # pattern. A pattern will override the setting for FILTER_PATTERN (if any) and # it is also possible to disable source filtering for a specific pattern using # *.ext= (so without naming a filter). # This tag requires that the tag FILTER_SOURCE_FILES is set to YES. FILTER_SOURCE_PATTERNS = # If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that # is part of the input, its contents will be placed on the main page # (index.html). This can be useful if you have a project on for instance GitHub # and want to reuse the introduction page also for the doxygen output. USE_MDFILE_AS_MAINPAGE = #--------------------------------------------------------------------------- # Configuration options related to source browsing #--------------------------------------------------------------------------- # If the SOURCE_BROWSER tag is set to YES then a list of source files will be # generated. Documented entities will be cross-referenced with these sources. # # Note: To get rid of all source code in the generated output, make sure that # also VERBATIM_HEADERS is set to NO. # The default value is: NO. SOURCE_BROWSER = NO # Setting the INLINE_SOURCES tag to YES will include the body of functions, # classes and enums directly into the documentation. # The default value is: NO. 
INLINE_SOURCES = NO # Setting the STRIP_CODE_COMMENTS tag to YES will instruct doxygen to hide any # special comment blocks from generated source code fragments. Normal C, C++ and # Fortran comments will always remain visible. # The default value is: YES. STRIP_CODE_COMMENTS = YES # If the REFERENCED_BY_RELATION tag is set to YES then for each documented # function all documented functions referencing it will be listed. # The default value is: NO. REFERENCED_BY_RELATION = NO # If the REFERENCES_RELATION tag is set to YES then for each documented function # all documented entities called/used by that function will be listed. # The default value is: NO. REFERENCES_RELATION = NO # If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set # to YES, then the hyperlinks from functions in REFERENCES_RELATION and # REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will # link to the documentation. # The default value is: YES. REFERENCES_LINK_SOURCE = YES # If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the # source code will show a tooltip with additional information such as prototype, # brief description and links to the definition and documentation. Since this # will make the HTML file larger and loading of large files a bit slower, you # can opt to disable this feature. # The default value is: YES. # This tag requires that the tag SOURCE_BROWSER is set to YES. SOURCE_TOOLTIPS = YES # If the USE_HTAGS tag is set to YES then the references to source code will # point to the HTML generated by the htags(1) tool instead of doxygen built-in # source browser. The htags tool is part of GNU's global source tagging system # (see http://www.gnu.org/software/global/global.html). You will need version # 4.8.6 or higher. 
# # To use it do the following: # - Install the latest version of global # - Enable SOURCE_BROWSER and USE_HTAGS in the config file # - Make sure the INPUT points to the root of the source tree # - Run doxygen as normal # # Doxygen will invoke htags (and that will in turn invoke gtags), so these # tools must be available from the command line (i.e. in the search path). # # The result: instead of the source browser generated by doxygen, the links to # source code will now point to the output of htags. # The default value is: NO. # This tag requires that the tag SOURCE_BROWSER is set to YES. USE_HTAGS = NO # If the VERBATIM_HEADERS tag is set to YES then doxygen will generate a # verbatim copy of the header file for each class for which an include is # specified. Set to NO to disable this. # See also: Section \class. # The default value is: YES. VERBATIM_HEADERS = YES #--------------------------------------------------------------------------- # Configuration options related to the alphabetical class index #--------------------------------------------------------------------------- # If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all # compounds will be generated. Enable this if the project contains a lot of # classes, structs, unions or interfaces. # The default value is: YES. ALPHABETICAL_INDEX = YES # The COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns in # which the alphabetical index list will be split. # Minimum value: 1, maximum value: 20, default value: 5. # This tag requires that the tag ALPHABETICAL_INDEX is set to YES. COLS_IN_ALPHA_INDEX = 5 # In case all classes in a project start with a common prefix, all classes will # be put under the same header in the alphabetical index. The IGNORE_PREFIX tag # can be used to specify a prefix (or a list of prefixes) that should be ignored # while generating the index headers. # This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
IGNORE_PREFIX = #--------------------------------------------------------------------------- # Configuration options related to the HTML output #--------------------------------------------------------------------------- # If the GENERATE_HTML tag is set to YES doxygen will generate HTML output # The default value is: YES. GENERATE_HTML = YES # The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a # relative path is entered the value of OUTPUT_DIRECTORY will be put in front of # it. # The default directory is: html. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_OUTPUT = html # The HTML_FILE_EXTENSION tag can be used to specify the file extension for each # generated HTML page (for example: .htm, .php, .asp). # The default value is: .html. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_FILE_EXTENSION = .html # The HTML_HEADER tag can be used to specify a user-defined HTML header file for # each generated HTML page. If the tag is left blank doxygen will generate a # standard header. # # To get valid HTML the header file that includes any scripts and style sheets # that doxygen needs, which is dependent on the configuration options used (e.g. # the setting GENERATE_TREEVIEW). It is highly recommended to start with a # default header using # doxygen -w html new_header.html new_footer.html new_stylesheet.css # YourConfigFile # and then modify the file new_header.html. See also section "Doxygen usage" # for information on how to generate the default header that doxygen normally # uses. # Note: The header is subject to change so you typically have to regenerate the # default header when upgrading to a newer version of doxygen. For a description # of the possible markers and block names see the documentation. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_HEADER = # The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each # generated HTML page. 
If the tag is left blank doxygen will generate a standard # footer. See HTML_HEADER for more information on how to generate a default # footer and what special commands can be used inside the footer. See also # section "Doxygen usage" for information on how to generate the default footer # that doxygen normally uses. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_FOOTER = # The HTML_STYLESHEET tag can be used to specify a user-defined cascading style # sheet that is used by each HTML page. It can be used to fine-tune the look of # the HTML output. If left blank doxygen will generate a default style sheet. # See also section "Doxygen usage" for information on how to generate the style # sheet that doxygen normally uses. # Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as # it is more robust and this tag (HTML_STYLESHEET) will in the future become # obsolete. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_STYLESHEET = # The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user- # defined cascading style sheet that is included after the standard style sheets # created by doxygen. Using this option one can overrule certain style aspects. # This is preferred over using HTML_STYLESHEET since it does not replace the # standard style sheet and is therefore more robust against future updates. # Doxygen will copy the style sheet file to the output directory. For an example # see the documentation. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_EXTRA_STYLESHEET = # The HTML_EXTRA_FILES tag can be used to specify one or more extra images or # other source files which should be copied to the HTML output directory. Note # that these files will be copied to the base HTML output directory. Use the # $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these # files. In the HTML_STYLESHEET file, use the file name only.
Also note that the # files will be copied as-is; there are no commands or markers available. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_EXTRA_FILES = # The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen # will adjust the colors in the stylesheet and background images according to # this color. Hue is specified as an angle on a colorwheel, see # http://en.wikipedia.org/wiki/Hue for more information. For instance the value # 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300 # purple, and 360 is red again. # Minimum value: 0, maximum value: 359, default value: 220. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_COLORSTYLE_HUE = 220 # The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors # in the HTML output. For a value of 0 the output will use grayscales only. A # value of 255 will produce the most vivid colors. # Minimum value: 0, maximum value: 255, default value: 100. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_COLORSTYLE_SAT = 100 # The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the # luminance component of the colors in the HTML output. Values below 100 # gradually make the output lighter, whereas values above 100 make the output # darker. The value divided by 100 is the actual gamma applied, so 80 represents # a gamma of 0.8, the value 220 represents a gamma of 2.2, and 100 does not # change the gamma. # Minimum value: 40, maximum value: 240, default value: 80. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_COLORSTYLE_GAMMA = 80 # If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML # page will contain the date and time when the page was generated. Setting this # to NO can help when comparing the output of multiple runs. # The default value is: YES. # This tag requires that the tag GENERATE_HTML is set to YES.
HTML_TIMESTAMP = YES # If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML # documentation will contain sections that can be hidden and shown after the # page has loaded. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_DYNAMIC_SECTIONS = NO # With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries # shown in the various tree structured indices initially; the user can expand # and collapse entries dynamically later on. Doxygen will expand the tree to # such a level that at most the specified number of entries are visible (unless # a fully collapsed tree already exceeds this amount). So setting the number of # entries 1 will produce a full collapsed tree by default. 0 is a special value # representing an infinite number of entries and will result in a full expanded # tree by default. # Minimum value: 0, maximum value: 9999, default value: 100. # This tag requires that the tag GENERATE_HTML is set to YES. HTML_INDEX_NUM_ENTRIES = 100 # If the GENERATE_DOCSET tag is set to YES, additional index files will be # generated that can be used as input for Apple's Xcode 3 integrated development # environment (see: http://developer.apple.com/tools/xcode/), introduced with # OSX 10.5 (Leopard). To create a documentation set, doxygen will generate a # Makefile in the HTML output directory. Running make will produce the docset in # that directory and running make install will install the docset in # ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at # startup. See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html # for more information. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_DOCSET = NO # This tag determines the name of the docset feed. 
A documentation feed provides # an umbrella under which multiple documentation sets from a single provider # (such as a company or product suite) can be grouped. # The default value is: Doxygen generated docs. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_FEEDNAME = "Doxygen generated docs" # This tag specifies a string that should uniquely identify the documentation # set bundle. This should be a reverse domain-name style string, e.g. # com.mycompany.MyDocSet. Doxygen will append .docset to the name. # The default value is: org.doxygen.Project. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_BUNDLE_ID = org.doxygen.Project # The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify # the documentation publisher. This should be a reverse domain-name style # string, e.g. com.mycompany.MyDocSet.documentation. # The default value is: org.doxygen.Publisher. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_PUBLISHER_ID = org.doxygen.Publisher # The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher. # The default value is: Publisher. # This tag requires that the tag GENERATE_DOCSET is set to YES. DOCSET_PUBLISHER_NAME = Publisher # If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three # additional HTML index files: index.hhp, index.hhc, and index.hhk. The # index.hhp is a project file that can be read by Microsoft's HTML Help Workshop # (see: http://www.microsoft.com/en-us/download/details.aspx?id=21138) on # Windows. # # The HTML Help Workshop contains a compiler that can convert all HTML output # generated by doxygen into a single compiled HTML file (.chm). Compiled HTML # files are now used as the Windows 98 help format, and will replace the old # Windows help format (.hlp) on all Windows platforms in the future. Compressed # HTML files also contain an index, a table of contents, and you can search for # words in the documentation. 
The HTML workshop also contains a viewer for # compressed HTML files. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_HTMLHELP = NO # The CHM_FILE tag can be used to specify the file name of the resulting .chm # file. You can add a path in front of the file if the result should not be # written to the html output directory. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. CHM_FILE = # The HHC_LOCATION tag can be used to specify the location (absolute path # including file name) of the HTML help compiler ( hhc.exe). If non-empty # doxygen will try to run the HTML help compiler on the generated index.hhp. # The file has to be specified with full path. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. HHC_LOCATION = # The GENERATE_CHI flag controls if a separate .chi index file is generated ( # YES) or that it should be included in the master .chm file ( NO). # The default value is: NO. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. GENERATE_CHI = NO # The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc) # and project file content. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. CHM_INDEX_ENCODING = # The BINARY_TOC flag controls whether a binary table of contents is generated ( # YES) or a normal table of contents ( NO) in the .chm file. Furthermore it # enables the Previous and Next buttons. # The default value is: NO. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. BINARY_TOC = NO # The TOC_EXPAND flag can be set to YES to add extra items for group members to # the table of contents of the HTML help documentation and to the tree view. # The default value is: NO. # This tag requires that the tag GENERATE_HTMLHELP is set to YES. 
TOC_EXPAND = YES # If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and # QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that # can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help # (.qch) of the generated HTML documentation. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_QHP = NO # If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify # the file name of the resulting .qch file. The path specified is relative to # the HTML output folder. # This tag requires that the tag GENERATE_QHP is set to YES. QCH_FILE = # The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help # Project output. For more information please see Qt Help Project / Namespace # (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#namespace). # The default value is: org.doxygen.Project. # This tag requires that the tag GENERATE_QHP is set to YES. QHP_NAMESPACE = org.doxygen.Project # The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt # Help Project output. For more information please see Qt Help Project / Virtual # Folders (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#virtual- # folders). # The default value is: doc. # This tag requires that the tag GENERATE_QHP is set to YES. QHP_VIRTUAL_FOLDER = doc # If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom # filter to add. For more information please see Qt Help Project / Custom # Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom- # filters). # This tag requires that the tag GENERATE_QHP is set to YES. QHP_CUST_FILTER_NAME = # The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the # custom filter to add. For more information please see Qt Help Project / Custom # Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom- # filters). 
# This tag requires that the tag GENERATE_QHP is set to YES. QHP_CUST_FILTER_ATTRS = # The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this # project's filter section matches. Qt Help Project / Filter Attributes (see: # http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes). # This tag requires that the tag GENERATE_QHP is set to YES. QHP_SECT_FILTER_ATTRS = # The QHG_LOCATION tag can be used to specify the location of Qt's # qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the # generated .qhp file. # This tag requires that the tag GENERATE_QHP is set to YES. QHG_LOCATION = # If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be # generated, together with the HTML files, they form an Eclipse help plugin. To # install this plugin and make it available under the help contents menu in # Eclipse, the contents of the directory containing the HTML and XML files needs # to be copied into the plugins directory of eclipse. The name of the directory # within the plugins directory should be the same as the ECLIPSE_DOC_ID value. # After copying Eclipse needs to be restarted before the help appears. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_ECLIPSEHELP = NO # A unique identifier for the Eclipse help plugin. When installing the plugin # the directory name containing the HTML and XML files should also have this # name. Each documentation set should have its own identifier. # The default value is: org.doxygen.Project. # This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES. ECLIPSE_DOC_ID = org.doxygen.Project # If you want full control over the layout of the generated HTML pages it might # be necessary to disable the index and replace it with your own. The # DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top # of each HTML page. A value of NO enables the index and the value YES disables # it. 
Since the tabs in the index contain the same information as the navigation # tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. DISABLE_INDEX = YES # The GENERATE_TREEVIEW tag is used to specify whether a tree-like index # structure should be generated to display hierarchical information. If the tag # value is set to YES, a side panel will be generated containing a tree-like # index structure (just like the one that is generated for HTML Help). For this # to work a browser that supports JavaScript, DHTML, CSS and frames is required # (i.e. any modern browser). Windows users are probably better off using the # HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can # further fine-tune the look of the index. As an example, the default style # sheet generated by doxygen has an example that shows how to put an image at # the root of the tree instead of the PROJECT_NAME. Since the tree basically has # the same information as the tab index, you could consider setting # DISABLE_INDEX to YES when enabling this option. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. GENERATE_TREEVIEW = YES # The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that # doxygen will group on one line in the generated HTML documentation. # # Note that a value of 0 will completely suppress the enum values from appearing # in the overview section. # Minimum value: 0, maximum value: 20, default value: 4. # This tag requires that the tag GENERATE_HTML is set to YES. ENUM_VALUES_PER_LINE = 4 # If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used # to set the initial width (in pixels) of the frame in which the tree is shown. # Minimum value: 0, maximum value: 1500, default value: 250. # This tag requires that the tag GENERATE_HTML is set to YES. 
TREEVIEW_WIDTH = 250 # When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to # external symbols imported via tag files in a separate window. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. EXT_LINKS_IN_WINDOW = NO # Use this tag to change the font size of LaTeX formulas included as images in # the HTML documentation. When you change the font size after a successful # doxygen run you need to manually remove any form_*.png images from the HTML # output directory to force them to be regenerated. # Minimum value: 8, maximum value: 50, default value: 10. # This tag requires that the tag GENERATE_HTML is set to YES. FORMULA_FONTSIZE = 10 # Use the FORMULA_TRANSPARENT tag to determine whether or not the images # generated for formulas are transparent PNGs. Transparent PNGs are not # supported properly for IE 6.0, but are supported on all modern browsers. # # Note that when changing this option you need to delete any form_*.png files in # the HTML output directory before the changes have effect. # The default value is: YES. # This tag requires that the tag GENERATE_HTML is set to YES. FORMULA_TRANSPARENT = YES # Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see # http://www.mathjax.org) which uses client side Javascript for the rendering # instead of using prerendered bitmaps. Use this if you do not have LaTeX # installed or if you want formulas to look prettier in the HTML output. When # enabled you may also need to install MathJax separately and configure the path # to it using the MATHJAX_RELPATH option. # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. USE_MATHJAX = NO # When MathJax is enabled you can set the default output format to be used for # the MathJax output. See the MathJax site (see: # http://docs.mathjax.org/en/latest/output.html) for more details.
# Possible values are: HTML-CSS (which is slower, but has the best # compatibility), NativeMML (i.e. MathML) and SVG. # The default value is: HTML-CSS. # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_FORMAT = HTML-CSS # When MathJax is enabled you need to specify the location relative to the HTML # output directory using the MATHJAX_RELPATH option. The destination directory # should contain the MathJax.js script. For instance, if the mathjax directory # is located at the same level as the HTML output directory, then # MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax # Content Delivery Network so you can quickly see the result without installing # MathJax. However, it is strongly recommended to install a local copy of # MathJax from http://www.mathjax.org before deployment. # The default value is: http://cdn.mathjax.org/mathjax/latest. # This tag requires that the tag USE_MATHJAX is set to YES. # # Note: USE_MATHJAX is NO in this file, so the URL below is unused. If MathJax # is enabled, this value makes every generated page load script over unencrypted # HTTP from a third-party host; point it at a local copy as recommended above. MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest # The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax # extension names that should be enabled during MathJax rendering. For example # MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_EXTENSIONS = # The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces # of code that will be used on startup of the MathJax code. See the MathJax site # (see: http://docs.mathjax.org/en/latest/output.html) for more details. For an # example see the documentation. # This tag requires that the tag USE_MATHJAX is set to YES. MATHJAX_CODEFILE = # When the SEARCHENGINE tag is enabled doxygen will generate a search box for # the HTML output. The underlying search engine uses javascript and DHTML and # should work on any modern browser.
Note that when using HTML help # (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET) # there is already a search function so this one should typically be disabled. # For large projects the javascript based search engine can be slow, then # enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to # search using the keyboard; to jump to the search box use + S # (what the is depends on the OS and browser, but it is typically # , /